Archive for September, 2012

Microsoft to make the case for new Exchange version

Monday, September 24th, 2012

Microsoft will lay out the reasons it believes enterprises need to adopt the new version of its Exchange email server at a conference this week devoted to the product.

On Monday, the company focused on security, management and compliance issues, trumpeting a number of new and improved features on Exchange 2013 in these areas.

“This is our first real opportunity to talk about the new Exchange,” said Michael Atalla, Microsoft’s director of product management for Exchange, in an interview after delivering a keynote at the Microsoft Exchange Conference (MEC) in Orlando.

Exchange 2013 is in beta testing and Microsoft hasn’t given an official date for its commercial availability.

Its cloud-based counterpart, Exchange Online, which is part of the Office 365 email and collaboration suite, is also being enhanced in lockstep with Exchange 2013.

The products, which have been available for user testing since July, will have full feature parity, except for functionality that makes sense only on-premises or only in the cloud, Atalla said.

The new Exchange Online Protection is high on the list of enhancements Microsoft will talk about this week. This cloud-based service provides malware and spam detection and protection. It also offers back-up email queueing for on-premises servers and usage analytics data, such as reporting, auditing and message tracing. Exchange Online Protection, which is an upgrade to Forefront Online Protection for Exchange, also features inbound message blocking, content filtering and transport rules.

The new Exchange comes with a data loss prevention (DLP) capability that automates the detection, monitoring and protection of sensitive content and data on email based on pre-established policies, rules and exceptions. The DLP functionality can trigger a variety of actions, including stopping an outbound message or placing it in a moderation queue. It can also inform end users about potential violations of company policies regarding the type of data and content they’re allowed to send via email, to promote awareness among employees.

“This is an entirely new category in the new Exchange,” Atalla said.

Microsoft has merged the two separate management consoles of Exchange 2010 and the existing Exchange Online, so that IT administrators now have a single Web-based control panel to manage both products, Atalla said. This is particularly relevant as more enterprises move from purely on-premises Exchange deployments to hybrid ones, in which some mailboxes and functionality live in Exchange Online and others in Exchange 2013, he said.

“We’re evolving Exchange to let administrators manage both the on-premises and online versions from a common set of management tools,” he said.

“We see the new Exchange giving customers the opportunity to move to the cloud on their own terms,” Atalla added.

Microsoft also plans to highlight Exchange 2013’s architecture, which allows administrators to keep current and archived messages in the same mailbox infrastructure, as opposed to keeping them in separate repositories. With this “in-place archiving” technology, archived messages are more easily and quickly available to end users, and email management is simplified for administrators, who can address compliance and retention from a single repository, according to Microsoft.

Exchange 2013 also has features to simplify the management of email messages that need to be kept indefinitely in a “tamper proof” manner. Instead of having to move these messages to a separate system, Exchange 2013 administrators can keep them in the same system as the other messages by applying “hold” policies to them, either at the end user, group, mailbox or individual message level.

The new Exchange also has expanded e-discovery features, including the ability of compliance officers to not only search for Exchange messages, calendar entries and contacts, but also SharePoint documents, sites, files, wikis and blogs, as well as Lync instant messaging conversations, Atalla said.

As in other areas of enterprise messaging and collaboration, Microsoft faces a variety of competitors like IBM Lotus, VMware’s Zimbra and Google’s Apps, which is in the process of gaining native email security, archiving and compliance features via an ongoing integration of Postini services and technology.


Oracle Database suffers from “stealth password cracking vulnerability”

Monday, September 24th, 2012

A weakness in an Oracle login system—used in the company’s databases which grant access to sensitive information—makes it trivial for attackers to crack user passwords and gain entry without authorization, a researcher has warned.

The issue has been dubbed the “Oracle stealth password cracking vulnerability,” by the researcher who discovered it, and the problem stems from a session key the Oracle Database 11g Releases 1 and 2 sends to users each time they attempt to log on, according to a report published Thursday by Threatpost. The key leaks information about a cryptographic hash used to obscure the plaintext password. The hash, in turn, can be cracked using off-the-shelf hardware, free software, and a variety of attack methods that have grown increasingly powerful over the past decade. Proof-of-concept code exploiting the weakness can crack an eight-character alphabetic password in about five hours using standard CPUs.

Oracle engineers have corrected the problem in version 12 of the authentication protocol, but they have no plans to fix it in version 11.1, security researcher Esteban Martinez Fayo told Threatpost. Even in version 12, the vulnerability isn’t removed until an administrator changes the configuration of a server to use only the new version of the authentication system. Oracle representatives didn’t respond to an e-mail seeking comment for this story.

There are no overt signs when an outsider has targeted the weakness, and attackers aren’t required to have “man-in-the-middle” control of a network to exploit it. That’s because the session key is sent whenever a remote user sends a few network packets or uses standard Oracle desktop software to contact the database server. All an attacker needs is a valid username on the system and a rudimentary background in password cracking.

The best way to prevent attacks on this weakness is to install the patch and make the configuration change that enforces the new protocol version. Those who must keep running vulnerable systems can still raise the bar considerably: passwords for all users should be randomly generated and at least nine characters long, and 13 or even 20 characters is better. The aim is a password that takes months or years to recover by brute force, which systematically tries every combination of letters, numbers and symbols.
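The following is an added example, not Oracle’s O5LOGON protocol and not Martinez Fayo’s proof-of-concept. It is a constructed toy logon protocol that reproduces the failure mode described above (a server that hands out password-derived, verifiable material before the client has proven anything) and shows why password length is the only lever left on an unpatched server: the rate constant is derived from the article’s figure of an eight-character alphabetic password falling in about five hours. The cipher is a SHA-256 keystream XOR so the code runs with the standard library alone; it stands in for a real block cipher and is not a recommendation.

```python
"""Offline password cracking from a leaky logon handshake (constructed model)."""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

TRAILER = b"\x08" * 8          # constructed: fixed, recognisable padding at the end of the blob
SESSION_KEY_LEN = 40


def derive_key(password: bytes, salt: bytes) -> bytes:
    """One fast hash of password and salt, as in the weak design (no key stretching)."""
    return hashlib.sha256(password + salt).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter). Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def server_logon_challenge(password: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Server's reply to a bare username: the salt and the encrypted session key.
    Nothing the client supplied is bound in, so one captured reply is enough."""
    session_key = os.urandom(SESSION_KEY_LEN)
    blob = keystream_xor(derive_key(password, salt), session_key + TRAILER)
    return salt, blob


def guess_is_correct(guess: bytes, salt: bytes, blob: bytes) -> bool:
    """The offline oracle: decrypt under the guess and look for the known trailer."""
    plain = keystream_xor(derive_key(guess, salt), blob)
    return hmac.compare_digest(plain[-len(TRAILER):], TRAILER)


def crack(salt: bytes, blob: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack on one captured challenge; no further network traffic,
    so the server never records a failed logon."""
    for candidate in wordlist:
        if guess_is_correct(candidate, salt, blob):
            return candidate
    return None


# Guess rate implied by the article: 26**8 alphabetic passwords in about five hours.
RATE_FROM_ARTICLE = 26 ** 8 / (5 * 3600)   # roughly 1.16e7 guesses per second


def brute_force_seconds(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Seconds to exhaust every password of the given length over the alphabet."""
    return alphabet ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed account: password 'tiger', random 10-byte salt.
    salt, blob = server_logon_challenge(b"tiger", os.urandom(10))
    print("recovered:", crack(salt, blob, [b"password", b"oracle", b"tiger"]))
    for length in (8, 9, 13):
        days = brute_force_seconds(length, 26, RATE_FROM_ARTICLE) / 86400
        print(f"{length} alphabetic chars: {days:.1f} days to exhaust")
```

Every guess is checked locally against the one captured blob, which is why the attack leaves no overt trace on the server. Adding a single character to an alphabetic password multiplies the exhaustive search time by 26, which is the whole argument behind the nine-to-twenty-character recommendation above.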

More coverage of the Oracle Database weakness from Dark Reading is here.


W3C announces plan to deliver HTML 5 by 2014, HTML 5.1 in 2016

Monday, September 24th, 2012

Breaking the spec up into smaller pieces will allow swifter standardization.

The World Wide Web Consortium (W3C), the group that manages development of the main specifications used by the Web, has proposed a new plan that would see the HTML 5 spec positioned as a Recommendation—which in W3C’s lingo represents a complete, finished standard—by the end of 2014. The group plans a follow-up, HTML 5.1, for the end of 2016.

Under the new plan, the HTML Working Group will produce an HTML 5.0 Candidate Recommendation by the end of 2012 that includes only those features that are specified, stable, and implemented in real browsers. Anything controversial or unstable will be excluded from this specification. The group will also remove anything known to have interoperability problems between existing implementations. This Candidate Recommendation will form the basis of the 5.0 specification.

In tandem, a draft of HTML 5.1 will be developed. This will include everything from the HTML 5.0 Candidate Recommendation, plus all the unstable features that were excluded. In 2014, this will undergo a similar process. Anything unstable will be taken out, to produce the HTML 5.1 Candidate Recommendation, and an HTML 5.2 draft will emerge, with the unstable parts left in.

This will then continue, for HTML 5.3, 5.4, and beyond.

Previously, HTML 5 wasn’t due to be completed until 2022 (yes—a decade from now). The Candidate Recommendation was due to be delivered around now, with much of the next ten years spent developing an extensive test suite to allow conformance testing of implementations. The new HTML 5.1 will be smaller as a number of technologies (such as Web Workers and WebSockets) were once under the HTML 5 umbrella but have now been broken out into separate specifications. It will also have less stringent testing requirements. Portions of the specification where interoperability has been demonstrated “in the wild” will not need new tests, and instead testing will focus on new features.

HTML 5’s standardization has been a fractious process, with many arguments and squabbles as different groups with different priorities struggled to find common ground. The new plan notes that the “negative tone of discussion has been an ongoing problem” and says that the Working Group will need to do better at combating anti-social behavior. The proposed plan was, however, not universally welcomed. Some Working Group members were unhappy with the proposed treatment of their particular areas of expertise.

For Web developers, the impact of the new plan may be limited; developers are already used to working from draft specifications on a day-to-day basis. The most immediate consequence is that those pieces deemed stable enough for inclusion in version 5.0 should acquire a richer test suite. In turn, that will help browser developers track down (and, with luck, remedy) any remaining bugs and incompatibilities.


Iran blamed for cyberattacks on U.S. banks and companies

Monday, September 24th, 2012

Iran recently has mounted a series of disruptive computer attacks against major U.S. banks and other companies in apparent retaliation for Western economic sanctions aimed at halting its nuclear program, according to U.S. intelligence and other officials.

In particular, assaults this week on the Web sites of JPMorgan Chase and Bank of America probably were carried out by Iran, Sen. Joseph I. Lieberman (I-Conn.), chairman of the Homeland Security and Governmental Affairs Committee, said Friday.

“I don’t believe these were just hackers who were skilled enough to cause disruption of the Web sites,” said Lieberman in an interview taped for C-SPAN’s “Newsmakers” program. “I think this was done by Iran and the Quds Force, which has its own developing cyberattack capability.” The Quds Force is a special unit of Iran’s Revolutionary Guard Corps, a branch of the military.

Lieberman said he believed the efforts were in response to “the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”

U.S. officials suspect Iran was behind similar cyberattacks on U.S. and other Western businesses here and in the Middle East, some dating as far back as December. A conservative Web site, the Washington Free Beacon, reported that the intelligence arm of the Joint Chiefs of Staff said in an analysis Sept. 14 that the cyberattacks on financial institutions are part of a larger covert war being carried out by Tehran.

Unlike the cyberattacks attributed to the United States and Israel that disabled Iranian nuclear enrichment equipment, experts said, the Iranian attacks were intended to disrupt commercial Web sites. Online operations at Bank of America and Chase both experienced delays this week.

In a previously undisclosed episode, Iranian cyberforces attempted to disrupt the Web sites of oil companies in the Middle East in August by routing their efforts through major U.S. telecommunications companies, including AT&T and Level 3, according to U.S. intelligence and industry officials. They spoke on the condition that their names not be used because they were not authorized to speak to the press.

The effort did not cause serious disruptions, but it was the largest attempted denial-of-service attack against AT&T “by an order of magnitude,” said an industry official. A distributed denial-of-service (DDoS) attack floods a server or site with traffic from many sources at once so that legitimate users can no longer reach it.

The U.S. intelligence community is increasingly concerned about Iran’s improving capability to mount attacks. Director of National Intelligence James R. Clapper Jr. told Congress in February that “Iran’s intelligence operations against the United States, including cyber capabilities, have dramatically increased in recent years in depth and complexity.”

“The Iranians aren’t very good yet,” said one U.S. intelligence official, who spoke on the condition of anonymity because of the topic’s sensitivity. “But they’re getting better rapidly, and they’re motivated to get better rapidly because they believe they’ve been attacked, and they have.”


British government agency hoards addresses as IP well runs dry

Thursday, September 20th, 2012

Europe has tapped out its supply of Internet addresses in its assigned range, but some tech prospectors believe they’ve found some IPv4 gold—a full block of 16,777,216 addresses that isn’t used to connect to the Internet. But the British government agency that owns the block of addresses (referred to in IP networking as a /8 block) has no intentions of giving it up, even though almost none of the addresses will ever be publicly accessible. That has inspired an electronic petition campaign on a House of Commons website to convince British lawmakers to auction off the address block.

John Graham-Cumming, a programmer for CloudFlare and technology book author, pointed out the address block (from to ) in a recent blog post, noting that it was apparently unused. Based on a Network World article from May, he estimated the block could be worth as much as $1.5 billion on the open market, given that it’s essentially the last unused block of its size.

The Department of Works and Pensions, which was assigned the block by RIPE NCC (Réseaux IP Européens Network Coordination Centre), acknowledged its ownership of the address block in a response to a Freedom of Information request made by James Marten on behalf of the public watchdog site last December. The addresses—or at least about 80 percent of them—are in use, according to a letter from DWP spokesman Phil Tomlinson on behalf of the department’s IT group, but none are intended to be accessed from the public Internet. The remainder are being used as the basis for a proposed Public Services Network—a private government intranet.

That would make the addresses ripe, so to speak, for conversion to a private network, and for the addresses to be freed up for other use. However, Tomlinson wrote, “DWP have no plans to release any of the address space for use on the public Internet.” The reason, he claimed, was that readdressing the existing systems already configured with addresses from the block would be too expensive. “DWP are aware that the worldwide IPv4 address space is almost exhausted, but knows that in the short to medium term there are mechanisms available to ISPs that will allow continued expansion of the Internet, and believes that in the long-term a transition to IPv6 will resolve address exhaustion,” he wrote; besides, the address pool would only last a few months.


Vulnerability in Internet Explorer could allow remote code execution

Wednesday, September 19th, 2012

Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability. Applying the Microsoft Fix it solution, “Prevent Memory Corruption via ExecCommand in Internet Explorer,” prevents the exploitation of this issue. See the Suggested Actions section of this advisory for more information.

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. In addition, we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software.

Mitigating Factors:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

Source: TechNet

Experts urge prep for Microsoft’s cert-blocking update

Wednesday, September 12th, 2012

Scan networks for too-short keys, audit systems, test Oct. update before it rolls out, urge security pros

Microsoft yesterday delivered two security updates that patched two vulnerabilities in Visual Studio Team Foundation Server and System Center Configuration Manager.

But security experts essentially ignored the updates — with some telling users they could delay deploying them — and again hammered home the message that enterprises should use the small slate to prepare for a potentially disruptive update Microsoft has scheduled for October.

Microsoft’s pair of updates — tagged as MS12-061 and MS12-062 — were both rated “important,” the company’s second-highest threat ranking, and could be used by attackers to acquire elevated rights to a compromised system.

“These can safely be postponed until it’s convenient to install them, maybe next month when Microsoft releases its October Patch Tuesday updates,” said Wolfgang Kandek, CTO of Qualys, in an interview yesterday.

“I agree, there’s no need to patch these immediately,” said Amol Sarwate, manager of Qualys’ vulnerability research lab.

Instead, said Kandek, Sarwate and other security professionals, Microsoft customers should use the next month to audit their networks for soon-to-be-crippled digital certificates, and to test the changes set to hit Windows Update on Oct. 9.

The move was triggered by the discovery of Flame, the sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the landscape, and pilfered information. Among its tricks was what one researcher called the “Holy Grail:” It spoofed Windows Update to infect completely-patched Windows PCs.

Microsoft reacted by killing off some of its own certificates and beefing up Windows Update’s security. It also decided to harden the Windows certificate infrastructure by blocking access to certificates with keys shorter than 1,024 bits.

“With something that’s this big of a change, everyone should be testing the [Oct. 9] update,” urged Jason Miller, manager of research and development at VMware.

Microsoft first offered the update last month, posting it as a manual download on its Download Center, so it is available for testing.

Kandek recommended IT administrators scan their networks for digital certificate keys shorter than 1,024 bits. “For internal sites and other services that use certificates such as mail servers and VPNs, we recommend using a scanning tool with SSL support, which all major scanners include,” Kandek said.
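The following is an added example, not code from the article or from Qualys. It is a dependency-free audit in the spirit of Kandek’s advice: fetch_cert() pulls the leaf certificate from any TLS endpoint (web server, mail server or VPN portal with implicit TLS), rsa_key_bits() walks the DER structure just far enough to find the RSA modulus and return its bit length, and weak_certs() reports anything under the 1,024-bit threshold the article says the October update enforces. Only RSA keys are measured; any other key type returns None and needs a separate check. The certificate used in the self-test is a constructed, unsigned shell with empty issuer, subject and validity fields, which is all the parser needs.

```python
"""Find certificates whose RSA key is shorter than 1024 bits (added example)."""
import ssl
from typing import Dict, List, Optional, Tuple

RSA_OID_BODY = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
MIN_BITS = 1024  # threshold the article says Microsoft's update enforces


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; returns (tag, value, position after it).
    Handles the short form and the long (0x81..0x84) length form."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes) -> List[Tuple[int, bytes]]:
    """All top-level (tag, value) pairs inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


def rsa_key_bits(cert_der: bytes) -> Optional[int]:
    """Bit length of the RSA modulus in a DER certificate, or None if not rsaEncryption."""
    _, cert, _ = _tlv(cert_der, 0)                     # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])          # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg, pubkey = _children(fields[5][1])
    if _children(alg[1])[0][1] != RSA_OID_BODY:
        return None
    _, rsa_pub, _ = _tlv(pubkey[1], 1)                 # skip BIT STRING unused-bits byte
    modulus = _children(rsa_pub)[0][1]                 # RSAPublicKey.modulus INTEGER
    return int.from_bytes(modulus, "big").bit_length()


def fetch_cert(host: str, port: int = 443) -> bytes:
    """Leaf certificate of a live TLS endpoint (network call; not used by the self-test)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def weak_certs(certs: Dict[str, bytes], min_bits: int = MIN_BITS) -> List[str]:
    """Names of certificates whose RSA key is shorter than min_bits."""
    weak = []
    for name, der in certs.items():
        bits = rsa_key_bits(der)
        if bits is not None and bits < min_bits:
            weak.append(name)
    return weak


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed test certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body


def fake_cert(modulus_bits: int) -> bytes:
    """Constructed, unsigned certificate shell carrying an RSA modulus of exactly
    modulus_bits bits. Issuer, validity and subject are empty; the signature is junk."""
    modulus = (1 << (modulus_bits - 1)) | 1
    mod_bytes = modulus.to_bytes((modulus_bits + 7) // 8 + 1, "big")  # leading 0x00 keeps it positive
    rsa_pub = _der(0x30, _der(0x02, mod_bytes) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_OID_BODY) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    # Constructed inventory standing in for scan results; swap in fetch_cert(host, port).
    inventory = {"kiosk": fake_cert(512), "vpn": fake_cert(1024), "mail": fake_cert(2048)}
    print("keys shorter than", MIN_BITS, "bits:", weak_certs(inventory))
```

For a real sweep, build the inventory from fetch_cert() against every host and port that terminates TLS, and remember the embedded devices and kiosks Sarwate mentions, which rarely show up in a web-only scan. A 1,024-bit key passes this check; only shorter keys are reported, matching the update’s behaviour as described.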

“The audit is going to be the big thing,” said Miller. “But it’s the amount of time to fix [any uncovered problems] that could be drastic.”

Most experts expected some fallout from next month’s key-crippling update, but were cautiously optimistic that disruptions would impact a small number of firms and websites.

“I don’t think there will be a lot of companies that are negatively affected,” predicted Miller, “but some will be crippled.”

Kandek and Sarwate of Qualys concurred.

“There are very few [affected] keys out there, for a number of reasons,” argued Kandek. “Certificate authorities have been giving out these keys [longer than 1,024 bits] for a while now. Basically, they will be very old certificates obtained some time ago.”

Certificates are generally valid for just one or two years, said Kandek, although there are exceptions. During Qualys’ survey of website certificates, for example, the company found some keys that were valid for either three or five years.

“Embedded devices might be at risk,” explained Sarwate. “Kiosks running an embedded version of Windows, for example, might not be updated with new certificates very often.”

The most likely enterprise problem areas, added Miller, include VPN, or “virtual private network,” gateways that workers use to establish a secure offsite connection with the company’s network. Another potential trouble spot: Email servers.

“We recommend installing [Microsoft’s update] on a limited number of internal machines in your organization this month to gather feedback on potential impacts,” Kandek said.

IT administrators can, of course, back out the update if they later uncover problems they can’t solve before Oct. 9. “You can remove that security update if necessary, and redeploy it later,” said Miller.

Windows 8, which reached RTM (release to manufacturing) last month, and has been handed to enterprises for deployment, has the shorter-certificate blocking already in place.

“If anything, the most important thing is to get the word out,” said Miller. “Microsoft has been talking about this since June, but I recently talked to two [IT administrators] and they had no idea that this was coming.”

Microsoft will distribute the certificate key update on Oct. 9 through Windows Update and WSUS (Windows Server Update Services). Enterprise IT administrators can use WSUS or other patch management consoles to block the update from reaching some or all PCs and servers.


Rogue Microsoft Services Agreement emails lead to latest Java exploit

Monday, September 3rd, 2012

Hackers created a malicious version of a legitimate Microsoft email announcement

Hackers are distributing rogue email notifications about changes in Microsoft’s Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware.

“We’re receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences,” Russ McRee, security incident handler at the SANS Internet Storm Center, said Saturday in a blog post.

The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce changes to the company’s Services Agreement that will take effect Oct. 19.

However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit toolkit.

Blackhole is a tool used by cybercriminals to launch Web-based attacks that exploit vulnerabilities in browser plug-ins like Java, Adobe Reader or Flash Player, in order to install malware on the computers of users who visit compromised or malicious websites.

This type of attack is known as a drive-by download and is very effective because it requires no user interaction to achieve its goal.

Blackhole was recently updated to include a new exploit for Java 7 that appeared online last Monday. The links in the rogue Microsoft Services Agreement notifications point to Blackhole-infected websites that use the new Java exploit to install a variant of the Zeus financial malware, McRee said.

Oracle released Java 7 Update 7 on Thursday to address the vulnerabilities targeted by this exploit.

The malicious Java applet used in this attack is detected by only eight of the 42 antivirus engines available on the VirusTotal file scanning service. The Zeus variant has a similarly low detection rate.

The technique of creating malicious versions of legitimate email messages sent by trusted companies is very old. Its continued use by cybercriminals suggests that it is still effective.

“This email is a legitimate announcement regarding updates to the Microsoft Services Agreement and Communication Preferences,” a Microsoft program manager for supporting mail technologies who identifies herself as Karla L, said on the Microsoft Answers website in response to a user inquiring about the authenticity of the email message.

However, she later acknowledged the existence of reports about malicious emails that use the same template. “If you received an email regarding the Microsoft Services Agreement update and you’re reading your email through Hotmail or, the legitimate email should have a Green shield that indicates the message is from a Trusted Sender,” she said. “If the email does not have a Green shield, you can mark the email as a Phishing scam.”

Hovering over the links in the legitimate version of the email should show that they point to locations on the domain. Anything else should be treated as suspicious.

Reviewing the email headers can also offer clues whether the email is legitimate. For example, some samples of this rogue email message come from an IP address in China, McRee said.
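The following is an added example, not part of the article or of the ISC diary it cites. It applies the two checks just described to a raw message: every link in the HTML body must land on a domain the sender actually controls, and the oldest Received header shows where the message really entered the mail path. The message is constructed for the demonstration; example.com stands in for the sender’s genuine domain, and the addresses come from documentation ranges. The first link uses the sender’s domain as a prefix of an unrelated host, a common look-alike trick that a plain substring match would miss.

```python
"""Triage a suspected look-alike notification e-mail (added example)."""
import email
import re
from email import policy
from typing import List, Tuple
from urllib.parse import urlparse

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
# The bracketed address in a Received: header, e.g. "from mx (mx [203.0.113.45])".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: template of a real notification, links swapped, injected from
# an unknown host. 198.51.100.7 and 203.0.113.45 are documentation addresses.
SAMPLE = b"""\
Received: from mail.example.com (mail.example.com [198.51.100.7])
\tby mx.recipient.test with ESMTP; Sat, 1 Sep 2012 10:00:00 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example.com with SMTP; Sat, 1 Sep 2012 09:59:00 +0000
From: Example Services <notify@example.com>
To: user@recipient.test
Subject: Important Changes to Services Agreement
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://example.com.evil-host.invalid/agreement">review the changes</a>.</p>
<p><a href="https://www.example.com/privacy">Privacy statement</a></p>
</body></html>
"""


def _on_trusted_domain(host: str, trusted: Tuple[str, ...]) -> bool:
    """True only if host is a trusted domain or a subdomain of one; a trusted name
    appearing as a prefix (example.com.evil-host.invalid) does not count."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(raw: bytes, trusted: Tuple[str, ...]) -> List[str]:
    """Hrefs in the HTML parts whose host is not under a trusted domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    bad = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for url in HREF_RE.findall(part.get_content()):
            host = urlparse(url).hostname or ""
            if not _on_trusted_domain(host, trusted):
                bad.append(url)
    return bad


def originating_ip(raw: bytes) -> str:
    """IP from the oldest Received: header. Each relay prepends its own header,
    so the last one in the list is the hop that first accepted the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_IP_RE.search(str(hdr))
        if m:
            return m.group(1)
    return ""


if __name__ == "__main__":
    print("links off the trusted domain:", suspicious_links(SAMPLE, ("example.com",)))
    print("message injected from:", originating_ip(SAMPLE))
```

The originating address is only a lead: Received headers below the first trusted relay can be forged, so the value worth trusting is the one written by your own mail gateway, and any geolocation of the address is a separate, manual step.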


Huge natural gas producer severs Website, email after malware attack

Saturday, September 1st, 2012

Attack comes amid malware campaign directed at energy companies

One of the world’s biggest producers of liquefied natural gas has been hit by a malware attack that has taken down its website and e-mail servers. This is the second documented computer attack to hit a large energy company this month.

Officials with Qatar-based RasGas first identified an “unknown virus” on Monday and took their website and e-mail servers offline in response, Bloomberg News and other news agencies reported on Thursday morning, citing company representatives. Operational systems weren’t affected and production and deliveries remain intact. A joint venture between Qatar Petroleum and ExxonMobil, RasGas exports about 36.3 million tons of liquefied natural gas per year.

News of the attack comes four days after Saudi Aramco, the world’s largest oil producer, confirmed it was the victim of a separate malware attack that took down 30,000 workstations. The assault against the Saudi Arabia-based company was launched on August 15 as the malware entered through its network of personal computers. Oil production wasn’t affected, company officials have said.

The attacks come as security researchers are tracking a malware campaign directed at unspecified companies in the energy industry. “Shamoon,” as the trojan has been dubbed, wreaks havoc on its victims by attempting to permanently wipe the hard drives of the computers it infects and prevent them from restarting. In a blog post, Symantec researchers said that the Shamoon malware, which also goes by the name “Disttrack,” struck at least one unnamed company in the energy industry.

A separate advisory by Israel-based Seculert said that Shamoon attacked “several specific companies in a few industries.” The Seculert post went on to say the wiping function was only one of two stages found in the malware. Company researchers speculate the disk erasure may have been put in place to remove traces of the other action, which may have been surveillance or data theft.

So far, there’s no confirmation that Shamoon is the same malware that struck either RasGas or Saudi Aramco.

“Usually, targeted attacks are being used against companies at the same vertical,” Seculert CTO Aviv Raff wrote in an e-mail to Ars. “So it is not surprising to see such an attack against another company in the oil and energy industry. I believe that if it’s indeed the same attack, they are probably using this to cover their tracks of the actual intended action against RasGas.”

He said a non-disclosure agreement bars him from naming the companies affected or identifying their industries.

Based on the information that is publicly available, the attacks on RasGas and Saudi Aramco appear to be major inconveniences rather than catastrophic events. Assuming that’s truly the case, the unsung heroes are the engineers who separated e-mail and Web servers from critical energy production and delivery systems. With confirmation of attacks against two of the world’s biggest energy producers, it’s worth investigating whether, and how, all companies in this industry are designing their systems to withstand such campaigns.