Friday, April 23, 2010

FW: [CCCNews] CCCNews Newsletter - dated 2010 April 23




Date: Fri, 23 Apr 2010 21:00:00 +0530
From: sysman01@mtnl.net.in
Subject: [CCCNews] CCCNews Newsletter - dated 2010 April 23
To: sysman01@mtnl.net.in

 NEWS LETTER
Centre for Research and Prevention of Computer Crimes, India
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)

April 23, 2010

Editor - Rakesh Goyal (rakesh@sysman.in)



In today's Edition - (This is a news-letter and not a SPAM)
*Direct Circulation - 93,000+

HALT : McAfee antivirus update paralyses Windows XP machines
RESEARCH : Researchers aim to smarten Web app security scanners
TIGHT : White House Tightens Cybersecurity Reporting Needs
TREND : Hancock Breach Reveals New Trend
IT Term of the day
Quote of the day
 

* Direct Circulation in 4 Google groups (control-computer-crimes@googlegroups.com and IT-Sec-NSE@googlegroups.com) and 2 more groups
Approved Organizations can get a two months free fully functional E-Secure-IT subscription, providing focused IT-Security and Industry Business Risk Intelligence Alerts at: http://2mthsfree.e-secure-it.com/
 

Please don't print this newsletter unless you really need to. Save Tree.
SAY NO TO PLASTIC WATER BOTTLES. 



--
You received this message because you are subscribed to the Google Groups "control-computer-crimes" group.
To post to this group, send email to control-computer-crimes@googlegroups.com.
To unsubscribe from this group, send email to control-computer-crimes+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/control-computer-crimes?hl=en.


--Forwarded Message Attachment--

CCCNews-Newsletter-2010-04-23

IT and Related Security News Update from

Centre for Research and Prevention of Computer Crimes, India

(www.cccnews.in)

Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)

April 23, 2010


Today's edition -

 

HALT : McAfee antivirus update paralyses Windows XP machines

RESEARCH : Researchers aim to smarten Web app security scanners

TIGHT : White House Tightens Cybersecurity Reporting Needs

TREND : Hancock Breach Reveals New Trend

IT Term of the day

Quote of the day

 

(Click on a heading above to jump to the related item. Click on "Top" to come back here)

 

Top


HALT : McAfee antivirus update paralyses Windows XP machines

Endless reboots after critical system file quarantined

By Gregg Keizer

Computerworld US

22 April 10

http://news.techworld.com/security/3221271/mcafee-antivirus-update-paralyses-windows-xp-machines/?olo=rss

 

A flawed McAfee antivirus update sent enterprise administrators scrambling today as the new signatures quarantined a crucial Windows system file, crippling an unknown number of Windows XP computers, according to messages on the company's support forum.

 

The forum has since gone offline.

 

McAfee confirmed it had pushed the faulty update to users earlier today. "McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21," said company spokesman Joris Evers in an email reply to questions. "The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2:00pm GMT+1 (6:00am Pacific)."

 

According to users on McAfee's support forum, today's update flagged Windows' "svchost.exe" file, a generic host process for services that run from other DLLs (dynamic link libraries).

 

"HOW THE F*** do they put a DAT out that kills a *VITAL* system process?" asked Jeff Gerard on one thread. "This is goddamn ridiculous," added Gerard, who identified himself as a senior security administrator with Wawanesa Mutual Insurance Company of Winnipeg, Manitoba, in Canada. "Great work McAfee! GRRRRRRRRRRR."

 

As of 3:30pm ET, McAfee's support forum was offline, with a message reading "The McAfee Community is experiencing unusually large traffic which may cause slow page loads. We apologize for any inconvenience this may cause."

 

Both users and McAfee said that the flawed update had crippled Windows XP Service Pack 3 (SP3) machines, but not PCs running Vista or Windows 7. "Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3," acknowledged Evers.

 

Affected PCs have displayed a shutdown error or blue error screen, then gone into an endless cycle of rebooting, users claimed.

 

McAfee reacted by warning users not to download today's update if they haven't already, and by posting recovery instructions and a signature update to suppress the defective one seeded to users earlier. "Apply the EXTRA.DAT to all potentially affected systems as soon as possible," the company recommended.

 

"For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine." Unfortunately, those instructions and the suppression EXTRA.DAT update file are not currently available, again because McAfee's support site has gone dark.

 

Instead, users can reach the instructions and EXTRA.DAT file from elsewhere on McAfee's site.

 

"The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers," Evers said. "We are not aware of significant impact on consumer customers and believe we have significantly limited such occurrence."

 

The company has yet to produce an updated signature definition file to replace the one that crippled computers. A month ago, a BitDefender update clobbered 64-bit Windows machines.

 

In 2005, Trend Micro released a flawed signature update that slowed PCs to a crawl, and McAfee is far from the first antivirus vendor to ship a flawed signature update. In May 2007, a Symantec definition file crippled thousands of Chinese computers when the software mistook two critical Windows .dll files for malware.

 

McAfee is working on helping customers affected by the rogue update, said Evers. "McAfee apologises for any inconvenience to our customers," he added.

 

Top


RESEARCH : Researchers aim to smarten Web app security scanners

By Robert Westervelt

SearchSecurity.com

22 Apr 2010

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1510446,00.html?track=sy160&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29

 

BOSTON -- Two application security experts are working on a way to improve the testing of Web applications by incorporating application data flow maps and other information typically used by software quality assurance testers.


Rafal Los and Matt Wood of Hewlett-Packard Co.'s Web Security Research Group presented a set of new testing processes Wednesday at SOURCE Boston 2010. They said the new processes they proposed are currently far too complicated to implement, but will eventually be incorporated in an automated tool.

 

"We're trying to take the human element and move it more into the scanners," Wood said.

 

For far too long, penetration testers hunting for vulnerabilities in Web applications have been losing ground. Web application security scanners have improved the time to detect and identify the location of bugs in JavaScript, AJAX and other modern coding techniques, but more sophisticated applications result in far less of the attack surface being tested, Los said.

 

"Security analyst tools today aren't equipped properly to test highly complex applications," Los said. "The more complex Web apps get, the less effective automation becomes unless we do something. This is that something."

 

The two researchers developed what they call an execution-flow-based approach to application security testing. They use data from QA testers to fully map the Web application's attack surface to better understand how an application functions and more importantly, how data flows through it. Once security testers have the data, they could quickly drill down into a particular area and identify vulnerabilities that pose more risk, Los said.

 

"QA teams generally know the app; they test for known stuff that is supposed to be there," Los said. "They can tell you that they covered the entire application -- all the functionality."

 

The researchers call their processes a radical testing methodology in which data requirements and functional paths are used to create an execution-flow diagram to understand the key business logic of an application. The process will result in function-based automated testing. The technique helps testers identify actions that change the application's document flow or actions that could change the state of the application. Indirect flows, external data that can modify the document state, are also incorporated.

 

For example, in a payment page, "when a user selects American Express or Visa a QA guy will know the user's selection results in a different action within the application," Wood said. "The scanners are not going to know." Since a scanner can only identify errors in a small portion of the attack surface, feeding them application flow data could help "smarten" the scanner and improve the overall test.

 

Using flow-based threat analysis, pen testers can determine that two vulnerabilities in an area of an app that handle credit cards should take a higher priority than vulnerabilities in a product viewing area. The processes could also help boost the credibility of security testers, the researchers said. Security teams typically are given an application to test in a very short time frame.

 

"If you have 24 hours and 2.5 million lines to functionally test, how are you going to get that done?" Los asked.

 

Top


TIGHT : White House Tightens Cybersecurity Reporting Needs

By Kenneth Corbin

April 22, 2010

http://www.esecurityplanet.com/features/article.php/3878086/White-House-Tightens-Cybersecurity-Reporting-Requirements.htm

 

As the Obama administration continues its efforts to update and strengthen the federal government's defenses against cyber threats, the White House has issued new rules that will require agencies to monitor their IT systems for intrusions and vulnerabilities in real time.

 

A memo (PDF format) released this week by the Office of Management and Budget lays out new requirements for agencies to set up automated threat-monitoring feeds that automatically gather data from security management tools -- enabling admins to gather real-time data on attacks and other dangers.

 

"We are shifting the focus from old-styled, paper-based reports to real-time electronic data that feed directly and immediately into security monitoring and alert systems," Federal CIO Vivek Kundra said in a post on the White House blog.

 

Agencies' real-time information will also be funneled monthly to a central Web platform dubbed CyberScope.

 

The new directive updates the reporting requirements for federal agencies laid out in the 2002 Federal Information Security Management Act (FISMA). Federal IT managers have long balked at the costly and time-consuming FISMA provisions, which call for centralized reporting on a quarterly basis, rather than monthly. Critics have argued that FISMA has done more to create unnecessary red tape than it has to enhance information security.

 

Kundra singled out the State Department, which over the past six years has spent $133 million in the production of 95,000 pages of security documentation about its core IT systems, amounting to about $1,400 per page.

 

"As we move away from the old-style reports and into a more real-time system of security data feeds, we are implementing solutions that actually help to protect the country rather than simply generate paperwork," Kundra said.

 

The new reporting requirements are the result of an interagency task force formed in September 2009 to reshuffle the metrics agencies use to evaluate the security of their systems.

 

More broadly, the directive fits into the administration's work to revamp the federal government's efforts in the cybersecurity arena. The White House dispatched several top IT and security officials to serve on the FISMA task force, including Howard Schmidt, President Obama's cybersecurity coordinator, whose position the administration created in response to the comprehensive security review Obama commissioned last February.

 

Separately, Obama's proposed fiscal 2011 budget boosts funding for certain federal cybersecurity programs, and the Department of Homeland Security and other agencies are actively recruiting security experts.

 

On the military side, Lt. Gen. Keith Alexander, the President's nominee to head the newly created Cyber Command in the Pentagon, recently came up for his confirmation hearing in the Senate, a proceeding that had long been delayed over concerns about the authority and scope of the new unit, particularly with regard to the execution of cyber attacks against hostile groups or foreign governments.

 

At that hearing, Alexander, who currently serves as director of the National Security Agency, reminded the Senators that critical government systems are constantly probed and threatened by a broad range of intruders.

 

Kundra echoed that concern in announcing the new FISMA requirements, arguing that the fast-moving nature of the threats and attacks obligates the government to take a more nimble approach.

 

"Without question, the threat is real, and our response must match it in intensity, security and creativity," he said.

 

The OMB memo directs agencies to complete their FISMA reporting through the CyberScope platform by Nov. 15. Beginning Jan. 1, 2011, agencies will be required to update CyberScope with new threat information each month.

 

DHS will act as the coordinating agency, offering logistical support to help IT managers with their monitoring and reporting programs, and evaluating their progress on responding to the new directive.

 

Top


TREND : Hancock Breach Reveals New Trend

Fraudsters Swapping Out POS Devices, Stealing Card Data

Linda McGlasson

April 19, 2010

http://www.bankinfosecurity.com/articles.php?art_id=2436&opg=1

 

The Hancock Fabrics data breach continues to raise new questions about the security of point of sale (POS) devices at retail stores.

 

In March, the national fabric store chain publicly confirmed the breach it suffered last summer, sending an open letter to its customers, revealing: "PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units. This may have allowed criminals to capture - or "skim" -- payment card data during transactions."

 

Hancock didn't reveal the locations or number of stores where point of sale scanners were compromised -- nor the number of customers who had their card data taken -- but at least 140 reports from customers in California, Wisconsin and Missouri show the pervasive nature of the fraud.

 

The lesson here: It is relatively easy for fraudsters to tamper with or even swap out POS PIN Entry Device (PED) pads, and these types of incidents are likely to increase, putting retailers, consumers and banking institutions at risk of future card-related fraud.

 

"These incidents are part of an ongoing trend where criminals are targeting non-PCI and PED-compliant point of sale terminals with devices installed to capture cardholder data," says Mike Urban, Sr. Director of Fraud Solutions at FICO.

How it Happens

 

Typically, this crime begins when criminals target a single store, or -- as in the case of Hancock Fabrics -- multiple stores in various locations.

 

Urban describes how a gang of these criminals will go into a store. "They will feign illness to draw people away from a point of sale terminal in order to make the switch. It is a brazen act - almost to the point of opening the cash register - to swap out a POS terminal during business hours. In these cases, the criminals work together to create a cover of the terminal swapping activity."

 

While some would think that a store clerk or other employees wouldn't be duped so easily, PCI expert Dr. Anton Chuvakin notes that it isn't a huge social engineering feat to do a swap. "It's fairly easy in many cases," he says. "They'll come in, distract personnel and replace the equipment."

 

Even a more likely scenario would be that the criminals replace the pad when people just aren't around. "How many times have you gone into a retail store later in the evening and no one was at the checkout area?" he asks.

 

An unsettling trend in this type of crime is that some criminals have resorted to collusion with employees, or even used threats of violence to get the PEDs replaced, says PCI and security expert Branden Williams, Director of the Security Consulting Practice at RSA, the security division of EMC.

 

While the swapping of POS devices is easy to do, it is not as scalable as remote hacking. "A small amount of research can yield a short term gain by capturing a few cards, or even long term gains if the merchant is not uniquely keying each device," Williams says.

 

The types of devices being targeted for this are the older PIN pads, which are very simple devices. "They're much like a peripheral (mouse, keyboard, etc.) and this is the same effect as inserting a PS/2 or USB keystroke logger," says David Shackleford, a security expert at Sword & Shield, a computer and network security firm in Atlanta, GA. Shackleford says he would not be surprised to see more of these incidents "at merchants with weak physical security and store policies that were still using older technology."

 

Data at Risk

 

Once the device has been swapped, the amount of data to be stolen is related to the amount of time the compromised terminal is in place at the retail location. "It also depends on the number of cards that transact during that time. It can run into thousands of cards," says FICO's Urban.

 

In most of the POS terminal compromises Urban says he has seen in the U.S., the data is stored on the POS terminal until the terminal is swapped back out. "But there is a trend where card compromising devices will broadcast data via Bluetooth or other wireless protocols," he says.

 

In the case of Hancock Fabrics, the type of pad used wasn't clear. "It's likely that the pads included a swipe reader and numeric keys, which means they could capture full track data and PINs," says Shackleford. "The false pads would have a fair amount of physical storage, and could likely hold a good number of debit and credit card numbers," he says.

 

It is conceivable that the data captured can be Track 2 data plus the user's PIN, "which means the criminal may be able to manufacture fake debit cards," says Chuvakin. This data with full access to bank account withdrawal up to a daily limit of $500 could inflict real damage to individual victims - with banking institutions then footing the bill to replace cards and/or monitor accounts.

Prevention, Education

 

The Hancock Fabrics breach points to several steps that retailers can take to prevent this kind of crime from happening to them:

 

* Ensure PCI Compliance -- Making sure all POS terminals are PCI compliant, using Derived Unique Key Per Transaction (DUKPT). "Securely install terminals with unique hardware as a deterrent, and visibly inspect them along with the registers every day," recommends Urban.

 

* Educate Employees -- Security awareness training for all store employees would be a great start, says Shackleford. "Newer pin pads that have more built-in security measures like device tamper resistance can help, but it's important to keep spare PIN pads locked away, and employees should periodically check them while at work to make sure the device ID still matches."

 

* Audit the PEDs -- on a regular basis, recording them and cross-checking the serial numbers, says Chuvakin, who recommends retailers follow PED Security Guidelines and review the condition and placement of internal CCTV systems to cover all till areas.

* Watch Your Staff -- The PCI Security Council's PIN Transaction working group also recommends performing background checks on employees, as well as keeping a complete record of any work done on the POS pads by service providers. If a service engineer arrives at the store unannounced to do work on the PEDs, the working group recommends that their identity be confirmed by contacting the service company before any work is performed.
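As an added example (not part of the article or of any of the experts' material), the following Python reconciles a day's PED inspection records against a recorded baseline inventory, flagging the indicators the recommendations above describe: a serial number or device ID that no longer matches, a register that was not inspected, a stale record, and a pad at a register for which nothing is on record. Store, lane, serial and device-ID values are constructed for illustration.

```python
"""Reconcile daily PIN-pad (PED) inspection records against a baseline inventory.

Added example, not from the article. Record format, store/lane names,
serial numbers and device IDs are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Ped:
    serial: str      # printed serial number on the unit
    device_id: str   # device ID reported by the pad / POS software


# Constructed baseline: the pad that was installed at each (store, lane).
BASELINE = {
    ("S101", "L1"): Ped("SN-A1001", "DEV-7F01"),
    ("S101", "L2"): Ped("SN-A1002", "DEV-7F02"),
    ("S102", "L1"): Ped("SN-B2001", "DEV-8A01"),
    ("S102", "L2"): Ped("SN-B2002", "DEV-8A02"),
}

# Constructed inspection log, one line per register checked:
# date,store,lane,serial_observed,device_id_observed
INSPECTION_LOG = """\
2010-04-22,S101,L1,SN-A1001,DEV-7F01
2010-04-22,S101,L2,SN-Z9999,DEV-7F02
2010-04-22,S102,L1,SN-B2001,DEV-8A01
2010-04-22,S102,L3,SN-C3003,DEV-9C03
"""


def parse_log(text):
    """Return {(store, lane): (inspection_date, Ped observed)}; later lines win."""
    seen = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        d, store, lane, serial, dev = (f.strip() for f in line.split(","))
        seen[(store, lane)] = (date.fromisoformat(d), Ped(serial, dev))
    return seen


def reconcile(baseline, seen, today, max_age_days=1):
    """Classify every register in the baseline, plus any register seen but not on record."""
    findings = {}
    for key, expected in baseline.items():
        if key not in seen:
            findings[key] = "NOT_INSPECTED"          # nobody checked this register
            continue
        when, observed = seen[key]
        if observed.serial != expected.serial:
            findings[key] = "SERIAL_MISMATCH"        # a different unit: possible swap
        elif observed.device_id != expected.device_id:
            findings[key] = "DEVICE_ID_MISMATCH"     # same shell, different electronics?
        elif (today - when).days > max_age_days:
            findings[key] = "STALE"                  # record too old to rely on
        else:
            findings[key] = "OK"
    for key in seen.keys() - baseline.keys():
        findings[key] = "UNKNOWN_REGISTER"           # a pad where none is on record
    return findings


if __name__ == "__main__":
    for reg, status in sorted(reconcile(BASELINE, parse_log(INSPECTION_LOG),
                                        date(2010, 4, 23)).items()):
        print(f"{reg[0]}/{reg[1]}: {status}")
```

Anything other than OK is a reason to take the register out of service and escalate; the check is only as good as the baseline, so the baseline itself must be updated through the same controlled service-record process the working group recommends.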

 

Top


New IT Term of the day


language


A system for communicating. Written languages use symbols (that is, characters) to build words. The entire set of words is the language's vocabulary. The ways in which the words can be meaningfully combined is defined by the language's syntax and grammar. The actual meaning of words and combinations of words is defined by the language's semantics.

 

In computer science, human languages are known as natural languages. Unfortunately, computers are not sophisticated enough to understand natural languages. As a result, we must communicate with computers using special computer languages. There are many different classes of computer languages, including machine languages, programming languages, and fourth-generation languages.

 

Top


Quote of the day


No, no, we are not satisfied, and we will not be satisfied until justice rolls down like waters and righteousness like a mighty stream.

 

Martin Luther King Jr.

(1929-1968)

 

Top

 

Note -

  1. As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
  2. If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also need this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
  3. If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
  4. If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
  5. Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using at your risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to what-so-ever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.

 


