Wednesday 10 July 2013

Microsoft updates security policy in Patch Tuesday rollout

Microsoft has rolled out a new security policy that will require third-party developers to patch vulnerabilities in order to keep their software available on the company's online markets.
The company said that its new policy would apply to developers offering products for the Windows Store, Azure Marketplace, Office Store and Windows Phone Store services. Under the plan, developers will have 180 days from being notified by Microsoft of a critical or important security issue.
While the severity of a security flaw varies from case to case, Microsoft generally reserves the 'critical' label for remote code execution vulnerabilities that can be exploited with little or no user notification. Flaws rated 'important' often include remote code execution, denial of service and elevation of privilege vulnerabilities.
The company noted that in cases where a flaw is being actively targeted in the wild it may remove the software immediately and work with the developer to patch the vulnerability.
The policy comes alongside the July edition of the company's monthly security update. The Patch Tuesday release includes six fixes for critical vulnerabilities in Microsoft's own platforms including Internet Explorer, Windows, .NET and Silverlight.
Microsoft said that two of the updates should be considered a higher priority for administrators to test and deploy. The update for the Kernel Mode Driver will address a flaw in Windows, while the Internet Explorer patch addresses a number of security issues in Microsoft's web browser.
“This continues the trend we’ve seen in recent Patch Tuesdays with Internet Explorer receiving fixes for lots of memory corruption vulnerabilities,” explained Marc Maiffret, chief technology officer at security firm BeyondTrust.
“These vulnerabilities will be used in drive-by attacks where attackers set up malicious web pages and use social engineering tactics to draw users to the malicious pages. It is imperative that this patch gets rolled out as soon as possible.”
Other updates in the July release include critical fixes for Office, Visual Studio, Lync and a number of Windows components. A seventh bulletin, rated as 'important' by Microsoft, addresses an elevation of privilege error in the Microsoft Security Software package.

Snowden Incident Returns Spotlight to Employee Danger

Edward Snowden, the leaker currently stuck in Russia who disclosed a wide range of secrets about US government surveillance and spying, has changed the conversation about cybersecurity. Not because of the documents he released, but as a reminder of the vulnerability organizations have to the threat of insiders with access to large swathes of information and system components.
It’s a lesson that was the talk of the cyber community following the WikiLeaks disclosures through the alleged actions of Bradley Manning that faded as experts began to focus on the growing threat of foreign governments, particularly China. It is back in vogue because of the volume and sensitivity of information Snowden has made public.
Some of the fallout from the Manning case, such as the banning of thumb drives and other external media from sensitive systems, has been walked back in some instances in the name of practicality. One of the problems, as is the case with any security issue, is you can’t make a network truly safe from an insider.
“It’s akin almost to insider attacks in Afghanistan,” Army Gen. Martin Dempsey, chairman of the US Joint Chiefs of Staff, said during a late June speech. “Well, the answer is that you can’t prevent it. You can mitigate the risk, and what I’d like you to take away from this conversation about the incident with Snowden is you can’t stop someone from breaking the law 100 percent of the time. You just can’t stop that from happening.”
Dempsey did, however, suggest steps to reduce the threat of insiders to Defense Department networks, including cutting the number of people in positions like Snowden’s.
“I think systems administrators is the right place to begin to clean this up because they have such ubiquitous access, and that’s how he ended up doing what he did,” he said. “We really need to take advantage of thin client and cloud technology, to dramatically reduce the number of systems administrators that we have managing programs, which will make it both more effective and safer.”
That approach carries risk because fewer individuals will have access concentrated in their hands, said Jeff Moulton, director of information operations at Georgia Tech Research Institute.
“What they’ve done now is rather than mitigating the threat, they’ve increased the likelihood of a catastrophic impact from a threat,” he said. “It’s not going to help. It introduces other problems, like the broader access of the cloud.”
One idea suggested by several cyber experts, including Moulton, is to adopt nuclear launch security as a guide. When it comes to the use of nuclear weapons, two separate individuals have to provide authentication before a weapon can be used. Not only does this prevent accidents, but it guarantees that a second person will be monitoring the activity of the first.
In the cyber realm, this could be achieved by requiring two people to provide their security credentials before either could access certain kinds of documents or segments of the network control system.
“Is it time consuming? Perhaps,” Moulton said. “But what’s more time consuming, doing this or armchair quarterbacking?”
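The two-person access control described above, written out as a small authorization gate. This is an added example and not code from any system mentioned in the article; the user names, secrets, resource names and 60-second pairing window are constructed for illustration.

```python
"""Two-person authorization gate: a protected resource is released only after
two distinct, individually authenticated people present credentials within a
short window. Added example; the user names, secrets and 60-second window are
constructed for illustration, not taken from any real system."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed credential store: user -> SHA-256 of that user's secret.
# A production system would use a real password hash or hardware tokens.
CREDENTIALS = {
    "admin_a": hashlib.sha256(b"secret-a").hexdigest(),
    "admin_b": hashlib.sha256(b"secret-b").hexdigest(),
}


@dataclass
class TwoPersonGate:
    window_seconds: float = 60.0
    pending: dict = field(default_factory=dict)  # resource -> (user, time of first half)
    audit: list = field(default_factory=list)    # one record per completed release

    def _authenticate(self, user: str, secret: bytes) -> bool:
        expected = CREDENTIALS.get(user)
        digest = hashlib.sha256(secret).hexdigest()
        # constant-time compare so timing does not reveal which half failed
        return expected is not None and hmac.compare_digest(digest, expected)

    def present(self, resource: str, user: str, secret: bytes, now=None) -> bool:
        """Record one person's credentials for `resource`.
        Returns True only when this call completes a valid two-person pair."""
        now = time.time() if now is None else now
        if not self._authenticate(user, secret):
            return False
        first = self.pending.get(resource)
        if first is None or now - first[1] > self.window_seconds:
            # no usable first half yet (or it expired): this call becomes the first half
            self.pending[resource] = (user, now)
            return False
        if first[0] == user:
            return False  # the same person twice is not two-person control
        del self.pending[resource]
        # the second person is on record as having witnessed the first
        self.audit.append({"resource": resource, "by": sorted([first[0], user]), "at": now})
        return True
```

The audit record is the point Moulton raises: every release names both people, so neither can act alone or unobserved.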
Still, there will always be a residual threat from insiders, which is why deterrence is key, said Ian Wallace, a visiting fellow with the Brookings Institution and a former official with the British Ministry of Defence.
“The insider threat will always exist, and it will be next to impossible to stop it completely,” Wallace said. “But there are also plenty of ways in which that can be deterred. Not the least of those is the traditional deterrent of getting caught and prosecuted, something which is even more likely with the emergence of companies doing big data analysis of behavior on their own systems.”
Wallace cautioned that all of this attention on the insider threat may be misguided. Statistically, insider attacks are exceedingly rare, even if the data that is lost or the risk to systems from a determined insider is significant.
“All of the evidence that I have heard from the best cybersecurity firms suggests that the main threat is still the remote threat, for three compelling reasons: the risk of being caught is much less, it is much more scalable, and at present it is still, sadly, relatively easy for a sophisticated and determined intruder to get into all but the best protected systems,” Wallace said.
In the hunt for solutions to the insider threat, one of the big questions is how to detect intent from an employee ahead of a problem. In much the same way that concerns have surfaced about what radicalized the Boston bombing suspects and whether it could have been detected earlier, experts are studying how to discover the intentions of insider threats sooner.
That can take the form of such mundane facts as the speed at which an employee types. Changes in the rate of typing can indicate mood, a tip that further inquiry might be needed.
But to gain that type of data, a certain degree of invasiveness is required, and some superficial profiling of behavior is employed.
That creates all kinds of legal and ethical questions but may be a necessity for large organizations with many people to monitor, Moulton said.
“You can’t monitor everybody all the time,” he said. “Look at what the casinos do. They profile, but that’s a really difficult word. Are we prepared to profile?”
Dempsey emphasized that some actions would be taken to improve the system, but he described a certain degree of risk acceptance.
“You can certainly increase the scrutiny in terms of their background investigations, you can reduce the number of them you get, there are different degrees of oversight in place,” he said. “But at some point, if somebody is going to break the law and commit an act of treason, I don’t know what he’ll eventually be charged with or espionage, they’re going to be able to do that.”

Iran, Sudan using U.S.-made monitoring tools

Apparently skirting U.S. sanctions, Iran and Sudan are using Silicon Valley-made Internet-monitoring devices on government and commercial networks, The Washington Post reported Monday.
It's not known exactly how the tools, from Blue Coat Systems in Sunnyvale, Calif., are being used. Citing computer experts, the Post writes that the products "could empower repressive governments to spy on opponents."
The company specializes in Web surveillance, security, virus detection and content filtering, which are subject to certain export controls.
In 2011, hacktivists discovered Blue Coat's filtering tools in use by the Syrian government, which experts said had used the technology to censor websites and spy on activists and journalists. The Commerce Department fined a distributor in Dubai nearly $3 million for export violations.
New research by the Citizen Lab at the University of Toronto found more of the company's devices on Syrian networks, as well as in Iran and Sudan. All have been cited for human rights abuses.
The research, which is to be released Tuesday, also found the tools are deployed in countries described as having poor human rights records: China, Bahrain, Saudi Arabia, Thailand, the United Arab Emirates and Ivory Coast.
"Blue Coat has never permitted the sale of our products to countries embargoed by the U.S.," Chief Operating Officer and President David Murphy told the Post. "We do not design our products, or condone their use, to suppress human rights. ... Our products are not intended for surveillance purposes."
He said the company is assisting the U.S. investigation into how a reseller got devices into Syria in 2010 and 2011.
A spokesman for the Treasury Department, which enforces sanctions, said only, "Treasury takes sanctions violations very seriously and has aggressively pursued enforcement actions where violations have occurred."
The Post notes that other U.S. technology companies have faced similar concerns that their products have been used for persecution.
Some experts argue that many of the technologies fall into regulatory gray areas because they have dual or multiple uses.

Hackers accessed Egypt North Sinai police Radio line

An army row officer serving in the North Sinai city of al-Arish was stabbed by unknown assailants on Monday who then fled the scene.
A medical source within the Al-Arish hospital stated that Ahmed Muhammad Mahjub, 37, was injured with multiple stab wounds to his body. He was taken to an operating room before being transferred to a military hospital.
Meanwhile, a group of armed attackers shot at a bus outside a peacekeeping base in the southern district of Sheikh Zuweid in North Sinai on Monday afternoon; the bus was set to transport civilian workers to the Al-Joura airport.
Eyewitnesses stated that the attackers fired upon two more buses transporting workers to the airport later Monday night, panicking the workers. No casualties were reported.
Unknown assailants later fired upon an electricity production station using machine guns in southern Sheikh Zuweid on Monday afternoon.
Eyewitnesses from the village said that the assailants were later routed by Egypt’s armed forces, fleeing into the desert.
In a separate case, hackers accessed a North Sinai police telecommunications line, using it to make threats over police radio, calling on all forces to leave Sinai in order to protect their lives.
Sources stated that investigations were currently being conducted to ascertain how the hackers cracked the code, speculating that they stole police equipment or used advanced technology.
Security sources denied that the police line was penetrated at all.

The United States Emergency Alert System (EAS) in 1997 replaced the older and better known Emergency Broadcast System (EBS) used to deliver local or national emergency information.
The EAS is designed to “enable the President of the United States to speak to the United States within 10 minutes” after a disaster occurs. In the past these alerts were passed from station to station using the Associated Press (AP) or United Press International (UPI) “wire services”, which connected to television and radio stations around the U.S. Whenever a station received an authenticated Emergency Action Notification (EAN), the station would interrupt its current broadcast to deliver the message to the public.
DASDEC is one of a small number of application servers that now fill the role of delivering emergency messages to television and radio stations. DASDEC encoder/decoders receive and authenticate EAS messages delivered over National Oceanic and Atmospheric Administration (NOAA) radio or relayed by a Common Alerting Protocol (CAP) messaging peer.
After a station authenticates an EAS message, the DASDEC server interrupts the regular broadcast and relays the message onto the broadcast preceded and followed by alert tones that include some information about the event.
An attacker who gains control of one or more DASDEC systems can disrupt these stations’ ability to transmit and could disseminate false emergency information over a large geographic area. In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems.
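A toy model of the relay chain just described, added here as an example and not taken from DASDEC, CAP or any vendor code: the originator signs each alert and every station checks the originator's signature before airing or forwarding, so a single compromised station cannot get fabricated alerts mirrored by its peers. The HMAC key, station graph and message layout are assumptions for illustration, not the real EAS or CAP authentication or format.

```python
"""Toy model of the alert relay chain: the originator signs each alert, and
every station checks the ORIGINATOR's signature before airing or forwarding,
so a single compromised station cannot feed fabricated alerts to its peers.
Added example; the HMAC key, station graph and message layout are assumptions,
not DASDEC's or CAP's real authentication or format."""
import hashlib
import hmac

ORIGIN_KEY = b"constructed-origin-key"  # assumption: shared verification key


def sign_alert(origin: str, event: str) -> dict:
    body = f"{origin}|{event}".encode()
    mac = hmac.new(ORIGIN_KEY, body, hashlib.sha256).hexdigest()
    return {"origin": origin, "event": event, "mac": mac}


def origin_ok(alert: dict) -> bool:
    """True only if the alert carries a valid MAC from the originator."""
    body = f"{alert['origin']}|{alert['event']}".encode()
    expected = hmac.new(ORIGIN_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, alert.get("mac", ""))


def propagate(alert: dict, injected_at: str, peers: dict, verify_origin: bool) -> set:
    """Flood `alert` from the station `injected_at` over the peer graph and
    return the set of stations that aired it. With verify_origin=False a
    station trusts anything a peer relays, which is the mirroring risk the
    text describes; with verify_origin=True it re-checks the originator."""
    aired, frontier = set(), [injected_at]
    while frontier:
        station = frontier.pop()
        if station in aired:
            continue
        if station != injected_at and verify_origin and not origin_ok(alert):
            continue  # forwarded by a peer but not signed by the originator: drop it
        aired.add(station)
        frontier.extend(peers.get(station, []))
    return aired


# Constructed station graph: A feeds B and C, both of which feed D.
PEERS = {"A": ["B", "C"], "B": ["D"], "C": ["D"], "D": []}
```

A compromised station still airs whatever it likes locally; what per-hop origin verification buys is that the damage stops there instead of being mirrored across the region.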