Wednesday, November 27, 2013

Backup, Backup, Backup

IT pro says he threw out 7,500 bitcoins, now worth $7.5 million
According to an article in The Guardian today, Howells threw out the hard drive, "rescued from a defunct Dell laptop," this past summer. "And then last Friday he realised that it held a digital wallet with 7,500 Bitcoins created for almost nothing in 2009," the story notes.
Howells, an IT pro, says his mistake likely occurred in mid-July, at which time a single bitcoin was worth about $90. Today, the value of a single bitcoin passed $1,000 for the first time, making 7,500 bitcoins worth $7.5 million.
According to The Guardian story, Howells did not have a backup. The drive he allegedly threw out "contains the cryptographic 'private key' that is needed to be able to access and spend the Bitcoins; without it, the 'money' is lost forever."

Tuesday, November 26, 2013

That is some scary malware!

Dark Reading
CryptoLocker Could Herald Rise Of More Sophisticated Ransomware
A smarter approach to encryption is what separates CryptoLocker from other ransomware -- but that might not last long
Seven hundred and fifty dollars -- that is the amount of money it cost a police department in Massachusetts to regain access to its computer files. The culprit of this kidnap and ransom was the now-infamous CryptoLocker, which locked both images and Microsoft Word documents on the department's computer system.
While precise statistics are hard to come by, researchers at Symantec say they are seeing hundreds of thousands of spam email messages a day distributing the threat, with hundreds of infections per day. Ransomware scams are still in vogue, but where CryptoLocker makes its mark is its use of asymmetric encryption -- and don't be surprised if security vendors are not the only ones taking notice. Other attackers will move in this direction as well.
"It's not a revolution, but a natural evolution," says Lance James, head of intelligence at Vigilant by Deloitte. "Putting it bluntly, I think we expected this sooner and should be surprised it took so long. Yes, others will move in this direction, or they will sell CryptoLocker base code to enable the development of related ransomware, thus spawning in the underground a new widespread standard, if you will, for ransomware."
Unlike other ransomware, CryptoLocker's authors have properly implemented an asymmetric system (2048 bit RSA) and 256 bit AES-CBC using the native Microsoft Windows crypto system, which is the basis for legitimate tools such as BitLocker, he explains.
"Most encryption uses a symmetric [one key] key system or simply locks access to the files but does not fully encrypt the data," James says. "A reverse engineer can simply build tools that recover the key or leverage knowledge of how the software works to unlock the files. Encryption mechanisms found in other ransomware are of a homebrew variety -- they include errors and vulnerabilities that reversers and infosec professionals can identify, thereby enabling the creation of workarounds to neutralize the intent of the ransomware."
Once on the system, the malware encrypts files on the local machine and on anything the victim can reach: shared network drives, USB drives, external hard drives, network file shares, and even some cloud storage folders. If one computer on a network is infected, files on its mapped network drives can be encrypted as well. CryptoLocker then connects to the attackers' command-and-control server, which holds the RSA private key needed to decrypt the files, keeping that key "out of the victim's reach," according to a warning from US-CERT.
"I wouldn't say it is necessarily any more sophisticated, but perhaps just better executed," notes Chet Wisniewski, senior security adviser at Sophos. "They aren't pretending to be the cops. They are simply encrypting your files, demanding money, and mostly honoring their end of the bargain -- simple, straight to the point of extortion."
Ransomware that was popular early in the year didn't even perform encryption -- it just locked the screen with a "scary law enforcement message and demanded money," he adds.
Ransomware can be a very profitable type of operation. In a paper (PDF) released last year, Symantec estimated that one particular group was extorting nearly $400,000 a month from victims.
Ransomware attacks have been on the uptick for the past several quarters. According to McAfee's third quarter threat report (PDF), more than 312,000 new, unique samples were detected during that three-month period -- less than the previous quarter, but still the second-highest figure the firm has seen.
"Ransomware is not new, but evidently its creators are making money from it, and that is the key to its persistence," observes Roger Thompson, chief emerging threat researcher at ICSA Labs. "In fact, it seems to have replaced fake antivirus as a common form of monetization. I can't remember the last time I saw a fake AV. You'd think that the interaction required to pass money would get more people caught, but I suspect it is a function of small amounts combined with multiple jurisdictions. In other words, it seems too much trouble for the police to be bothered."
The good news, Wisniewski notes, is that businesses and home users can take a number of precautions.
"Keep your antivirus up to date and be sure not to allow EXE files to come in as email attachments," he says. "Block EXE files inside of archives, like ZIP and RAR, at the mail gateway. CryptoLocker is primarily being installed through existing Zeus/ZBot infections, and Zeus comes in through email and drive-by installs on booby-trapped websites. Do your backups. Don't pay the crooks or depend on their honesty to decrypt your files. Ensure the important information in your organization is backed up regularly."
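One way to implement the gateway-side check Wisniewski describes, as an added example written for this page (it is not code from Sophos or Dark Reading): it opens ZIP attachments in memory, recurses into nested archives, and flags a member as executable both by its final extension (so "invoice.pdf.exe" is caught) and by the PE "MZ" header, so a renamed binary is caught too. The extension list, the nesting limit and the policy of flagging encrypted members it cannot inspect are this example's own choices; the sample attachment is constructed inline. RAR is not handled because the Python standard library has no RAR reader.

```python
import io
import zipfile

# Extensions Windows will run directly; assumed block list for this example.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"      # every Windows PE file starts with these two bytes
MAX_DEPTH = 3         # stop recursing into archives nested deeper than this


def _looks_executable(name, head):
    """True if the *last* extension is executable or the content is a PE file."""
    lower = name.lower()
    if any(lower.endswith(ext) for ext in EXEC_EXTENSIONS):
        return True
    return head.startswith(PE_MAGIC)


def scan_attachment(name, data, depth=0):
    """Return a list of reasons to block this attachment; an empty list means allow."""
    reasons = []
    if _looks_executable(name, data[:2]):
        reasons.append(f"executable content: {name}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    if depth >= MAX_DEPTH:
        reasons.append(f"archive nested deeper than {MAX_DEPTH}: {name}")
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: it cannot be inspected, so treat it as suspicious.
                reasons.append(f"encrypted archive member: {name}/{info.filename}")
                continue
            member = zf.read(info)
            reasons.extend(scan_attachment(f"{name}/{info.filename}", member, depth + 1))
    return reasons


def build_sample_mail_attachment():
    """Constructed sample: a ZIP with a double-extension PE, a renamed PE and a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
        zf.writestr("update.scr", b"MZ\x90\x00 fake PE payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"please see attached invoice")
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00 fake PE payload")
        zf.writestr("renamed_binary.dat", b"MZ\x90\x00 PE with a harmless-looking name")
        zf.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_attachment():
    """Constructed sample: a ZIP containing only documents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"quarterly numbers attached")
        zf.writestr("chart.png", b"\x89PNG\r\n\x1a\n not really a png")
    return buf.getvalue()


if __name__ == "__main__":
    for reason in scan_attachment("invoice.zip", build_sample_mail_attachment()):
        print("BLOCK:", reason)
    print("benign:", scan_attachment("report.zip", build_benign_attachment()))
```

A real gateway would run this over every MIME part, not just files named .zip, since the archive check keys on content rather than name; a blocked message should be quarantined rather than bounced, so the sender address (usually forged) is not spammed with backscatter.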

Copyright © 2013 UBM LLC, All rights reserved.

Reuters: Snowden stashed “doomsday” cache as insurance policy against harm

Crypto scheme protecting data resembles creation of a "bad sci-fi writer."

US and British intelligence officials are concerned former National Security Agency contractor Edward Snowden has stored an online "doomsday" cache of extraordinarily sensitive classified information that will be unpacked in the event he is arrested or physically harmed, according to a report published Monday.
The article, headlined Spies worry over "doomsday" cache stashed by ex-NSA contractor Snowden, cited seven current and former US officials as well as other sources briefed on the matter who spoke on the condition they not be identified. The report claimed the cache contained documents generated by the NSA and other agencies that include previously unpublished names of US and allied intelligence personnel. One of the sources described the documents as an insurance policy against arrest or harm.
Ars was unable to confirm the claims in the article, and some of the reported details sounded technically implausible, at least as they were described.
"The data is protected with sophisticated encryption, and multiple passwords are needed to open it, said two of the sources, who like the others spoke on condition of anonymity to discuss intelligence matters," Reuters reported. "The passwords are in the possession of at least three different people and are valid for only a brief time window each day, they said. The identities of persons who might have the passwords are unknown."
The article stated later: "One former senior US official said that the Chinese and Russians have cryptographers skilled enough to open the cache if they find it."
Strong cryptography generally relies on known algorithms and protocols that have been extensively tested, and it has no need for passwords that are only valid for part of the day. Cryptographers generally frown on time-based locks: something has to check the clock, and whatever does so (the local clock or a remote server) is far easier to manipulate than the cipher itself. Snowden is widely regarded as possessing strong operational security skills, making it unlikely he would rely on such a mechanism. The reference to multiple passwords held by at least three people being required to open the documents suggested a server is somehow involved, raising even more questions. It also stands to reason that any truly sophisticated and strong cryptography couldn't be cracked by Chinese or Russian agents; their realistic route would be the passwords or the people holding them, not the algorithm.
The description sounded as if it was "re-written by bad sci-fi writer," University of Pennsylvania security and cryptography expert Matt Blaze wrote in a tweet shortly after the article was published. "I assume the documents are in a booby-trapped attaché case with a flashing countdown timer," he added later. Blaze and other security experts speculated the technical details could have been part of a misinformation campaign. Another possibility is that the accuracy of some of the technical details was eroded in the process of reporting or writing the article, either by sources, the journalists, or both.
In the days immediately following the initial publication of documents leaked by Snowden, Guardian columnist Glenn Greenwald said the former contractor distributed encrypted copies of thousands of documents to "several" people. Greenwald said Snowden "has taken extreme precautions to make sure many different people around the world have these archives to insure the stories will inevitably be published," adding "if anything happens at all to Edward Snowden, he told me he has arranged for them to get access to the full archives." At the time, Greenwald went on to say that he had possession of thousands of documents provided by Snowden and that they may or may not constitute the totality of what Snowden took.
Reuters said officials believe the "doomsday" cache is stored and encrypted separately from the material Snowden provided to media outlets. Besides containing the names of US and allied intelligence personnel, Monday's report said the encrypted data also included "information about the CIA—possibly including personnel names—as well as other US spy agencies such as the National Reconnaissance Office and National Geospatial-Intelligence Agency, which operate US image-producing satellites and analyze their data."

Monday, November 25, 2013

If all of the known National Security Agency surveillance wasn't enough, the agency infected 50,000 computer networks with malware that could "steal sensitive information," according to new slides published by the Dutch newspaper NRC.
The information published this weekend is another revelation courtesy of leaker Edward Snowden. The 50,000 figure comes from a 2012 presentation slide explaining how the NSA acquires information worldwide. It describes an initiative called "Computer Network Exploitation" (CNE), which NRC reports as "the secret infiltration of computer systems achieved by installing malware." The slide shows CNE's reach spans five continents.
As CNET noticed, an NSA webpage for job applicants describes the CNE strategy as well as other "Computer Network Operations." The CNE function includes "enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks," according to the page.

Friday, November 22, 2013

Some cyber security experts recommend shutting Obamacare site

Wed, Nov 20 2013
(Reuters) - President Barack Obama's HealthCare.gov site is riddled with security flaws that put user data of millions of people at risk and it should be shut down until fixed, several technology experts warned lawmakers on Tuesday.
The testimony at a congressional hearing could increase concerns among many Americans about Obama's healthcare overhaul, popularly known as Obamacare. Opinion polls show the botched rollout of the online marketplace for health insurance policies has hurt the popularity of the effort.
The website collects personal data such as names, birth dates, social security numbers, email addresses and other information that criminals could use for a variety of scams.
In a rapid "yes" or "no" question-and-answer session during a Republican-sponsored hearing by the House of Representatives Science, Space and Technology Committee, Republican Representative Chris Collins of New York asked four experts about the security of the site:
"Do any of you think today that the site is secure?"
The answer from the experts, which included two academics and two private sector technical researchers, was a unanimous "no."
"Would you recommend today that this site be shut down until it is?" asked Collins, whose party is opposed to Obamacare and has sought to capitalize on the failures of the website since it opened for enrollment on October 1.
Three of the experts said "yes," while a fourth said he did not have enough information to make the call.
"The privacy and security of consumers' personal information are a top priority," White House spokesman Jay Carney said after the hearing.
"When consumers fill out their online marketplace applications they can trust that the information that they are providing is protected by stringent security standards."
HealthCare.gov allows consumers to shop for insurance plans under Obama's Affordable Care Act, which passed in 2010 and mandated that Americans have health insurance. It also created new marketplaces to buy and sell policies.
The portal has been bedeviled by technical glitches and reports of security bugs, although officials say they are making progress with repairs and that it should be accessible to the "vast majority" of consumers by November 30.
"The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure," said Representative Lamar Smith, the Texas Republican who chairs the House science panel.
"Unfortunately, in their haste to launch the HealthCare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals," he said.
CODE 'INDEFENSIBLE'
The experts said the site needed to be completely rebuilt to run more efficiently, making it easier to protect. They said HealthCare.gov runs on 500 million lines of code, or 25 times the size of Facebook, one of the world's busiest sites.
"When your code base is that large it's going to be indefensible," Morgan Wright, CEO of a firm known as Crowd Sourced Investigations, said in an interview after testifying at the hearing.
"Do you want to defend the Great Wall of China or a very small line?"
David Kennedy, head of computer security consulting firm TrustedSec LLC and a former U.S. Marine Corps cyber-intelligence analyst, gave lawmakers a 17-page report that highlights the problems with the site and warned that some of them remain live.
The site's login form reveals whether a user name is invalid, letting an attacker enumerate valid user IDs, according to the report, which also warns of other security bugs.
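The report gives no detail on how the HealthCare.gov form disclosed this, so the following added example (written for this page, not taken from Kennedy's report or from the site) shows the general pattern: a login routine whose error message and work differ depending on whether the account exists, beside one that returns a single generic failure, hashes a dummy record for unknown users so the timing is the same, and compares digests in constant time. The account names, passwords and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def _hash_password(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_db(credentials):
    """Constructed user store: name -> (salt, pbkdf2 hash)."""
    db = {}
    for user, pw in credentials.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash_password(pw, salt))
    return db


USERS = make_user_db({"alice": "correct horse battery staple", "bob": "hunter2"})

# A fixed dummy record so that an unknown user costs exactly one PBKDF2 run, like a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)


def login_vulnerable(username, password):
    """Returns (ok, message). The message and the work done both leak whether the user exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "Unknown user name")       # oracle: attacker learns the name is invalid
    salt, stored = record
    if _hash_password(password, salt) != stored:   # only known users pay for a hash here
        return (False, "Incorrect password")       # different message, different timing
    return (True, "Welcome")


GENERIC_FAILURE = "Invalid user name or password"


def login_hardened(username, password):
    """Same message and same work for unknown users and wrong passwords."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash_password(password, salt)
    # compare_digest is constant-time; the membership check guards the dummy record.
    ok = hmac.compare_digest(computed, stored) and username in USERS
    return (True, "Welcome") if ok else (False, GENERIC_FAILURE)


def leaks_user_existence(login):
    """Probe like an attacker: does the response differ for a bad user vs a bad password?"""
    _, msg_unknown = login("nosuchuser", "x")
    _, msg_wrongpw = login("alice", "x")
    return msg_unknown != msg_wrongpw


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_user_existence(login_vulnerable))  # True
    print("hardened leaks:", leaks_user_existence(login_hardened))      # False
```

The generic message closes the obvious channel; the dummy hash and constant-time compare close the timing channel, which is the one a tester checks next. Neither replaces rate limiting on the endpoint, and the same uniform-response rule applies to password-reset and registration forms, which are where enumeration usually survives after the login form is fixed.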
Avi Rubin, director of the Information Security Institute at Johns Hopkins University and an expert on health and medical security, said he needed more data before calling for a shutdown of the site.
"Bringing down the site is a very drastic response," he told Reuters after the hearing.
But he said he would not use the site himself, because he is concerned about the security bugs that have been made public.
In written testimony, Kennedy said it would take a minimum of seven to 12 months to fix the problems with the site shut down, given the site's complexity and size.
In October, a September 27 government memorandum surfaced in which two Department of Health and Human Services officials said the security of the site had not been properly tested before it opened, creating "a high risk."
HHS spokeswoman Joanne Peters said then that steps were taken to ease security concerns after the memo was written, and that consumer data was secure.
Peters said on Tuesday the government has been making improvements to the site as it has learned of specific problems. In late October technicians fixed a security bug in the password reset function, she said.
(Reporting by Jim Finkle in Boston and Alina Selyukh in Washington; Additional reporting by Mark Felsenthal; Editing by Ross Colvin and Grant McCool)

From: http://www.reuters.com/article/2013/11/20/us-usa-healthcare-security-idUSBRE9AI0NR20131120

How the FBI found Miss Teen USA’s webcam spy

RAT user "cutefuzzypuppy" wasn't all that cute.

The sextortionist who snapped nude pictures of Miss Teen USA Cassidy Wolf through her laptop's webcam has been found and arrested, the FBI revealed yesterday. 19-year-old Jared James Abrahams, a California computer science student who went by the online handle "cutefuzzypuppy," had as many as 150 "slave" computers under his control during the height of his webcam spying in 2012.
Watching all of those webcams to see when a young woman changes her clothes takes a serious time commitment, and Abrahams made one; he "was always at his computer," according to the FBI complaint against him. Abrahams yesterday turned himself in after the complaint was unsealed, and a federal judge released him on a $50,000 bond.

Wednesday, November 20, 2013

Cybercriminals see holidays as season of stealing

The season of giving is also prime time for cybercriminals to do a lot of taking. Enterprise security managers know this all too well: the number of suspicious activity reports increases at this time of year as attackers seek access to the network.
Attacks increase during the holidays as millions of Americans take to the Internet to find and buy the perfect gifts. It’s a concern for IT because many of us do at least some online shopping from the office, or use devices tied to corporate networks to do it. In fact, a Salesforce.com survey found last year that half of all workers queried expected to spend some time shopping online while at work, Scott Grebe, a Dell security specialist, said during a webinar last week.
Even more money is expected to be spent online this year. Some forecasts predict an online spending increase of 15 percent, which sounds about right when you consider that shoppers last year spent a combined $1.5 billion on Cyber Monday, up 17 percent from the year prior, Grebe said.

Phishing and malvertising 

Some cybercriminals exploit unsuspecting workers by phishing, or sending phony email messages, to enter corporate systems. Simply clicking on a link in one of these emails could set off a chain reaction that can make a network vulnerable.
Another common means of entry is malvertising, which works the same way, but what gets clicked is an online ad that is often hard to identify as malicious because many malvertisements appear on legitimate websites. The New York Times was attacked this way several years ago.
Complicating matters further is the growing prevalence of bring-your-own-device programs, mobile retail and opinions among employees that they should be able to use their personal devices for shopping — even when they’re connected to the corporate network.
“There’s a great propensity now for consumers to purchase, review and look up products online from a mobile device,” Grebe said.

Protective measures

But companies can take five steps to reduce the chance of an attack penetrating the network, said Grebe. They are:
  1. Educate employees how to recognize suspicious email.
  2. Establish strong policies for passwords.
  3. Apply updates and patches promptly and reliably.
  4. Add IPS and anti-malware.
  5. Use content filtering and application control.

Nick Clunn, contributor at Tech Page One, is a journalist covering the tech beat and an adjunct professor at Montclair State University. He lives in New Jersey, where he has worked as a staff writer for several leading daily newspapers and websites.
The post "Cybercriminals see holidays as season of stealing" appeared first on Tech Page One.
Diagram showing how Tomdep receives commands and spreads to new machines.
Researchers have identified new self-replicating malware that infects computers running the Apache Tomcat Web server with a backdoor that can be used to attack other machines.
Java.Tomdep, as the backdoor worm has been dubbed, is Java Servlet-based code that gives Apache Tomcat platforms malicious capabilities. It causes infected machines to maintain Internet relay chat (IRC) communications with attacker servers located in Taiwan and Luxembourg. The control servers send commands and receive progress reports to and from the infected machines. Affected platforms include Linux, Mac OS X, Solaris, and most supported versions of Windows.
In a blog post published Wednesday, Takashi Katsuki, a researcher at security firm Symantec, said Java.Tomdep appears to be designed to harness the huge amounts of bandwidth and computing power available to Web servers for use in denial-of-service attacks against other machines. Unlike Darkleech and other malware targeting Web servers, there's no indication that it's used to attack end users visiting websites.

Thursday, November 14, 2013

A vastly larger share of the world's Web traffic would be encrypted under a proposal to revise the Hypertext Transfer Protocol (HTTP) that serves as the foundation for all communications between websites and end users.
The proposal, announced in a letter published Wednesday by an official with the Internet Engineering Task Force (IETF), comes after documents leaked by former National Security Agency contractor Edward Snowden heightened concerns about government surveillance of Internet communications. Despite those concerns, websites operated by Yahoo, the federal government, Ars Technica (where this article originally appeared), and others continue to serve the majority of their pages in "plaintext" that can be read by government spies or anyone else with access to the network the traffic passes over. Last week, cryptographer and security expert Bruce Schneier urged people to "make surveillance expensive again" by encrypting as much Internet data as possible.
The HTTPbis Working Group, the IETF body charged with designing the next-generation HTTP 2.0 specification, is proposing that encryption be the default way data is transferred over the "open Internet." A growing number of groups participating in the standards-making process—particularly those who develop Web browsers—support the move, although as is typical in technical deliberations, there's debate about how best to implement the changes.

Tuesday, November 12, 2013

18 hours, $33K, and 156,314 cores: Amazon cloud HPC hits a “petaflop”

What do you do if you need more than 150,000 CPU cores but don't have millions of dollars to spend on a supercomputer? Go to the Amazon cloud, of course.
For the past few years, HPC software company Cycle Computing has been helping researchers harness the power of Amazon Web Services when they need serious computing power for short bursts of time. The company has completed its biggest Amazon cloud run yet, creating a cluster that ran for 18 hours, hitting 156,314 cores at its largest point and a theoretical peak speed of 1.21 petaflops. (A petaflop is one quadrillion floating point operations per second, or a million billion.)
To get all those cores, Cycle's cluster ran simultaneously in Amazon data centers across the world, in Virginia, Oregon, Northern California, Ireland, Singapore, Tokyo, Sydney, and São Paulo. The bill from Amazon ended up being $33,000.

Stuxnet has infected a Russian nuclear plant and the space station


The problem with creating Stuxnet, the world's most sophisticated malware worm, is that it could eventually go rogue. Which is precisely what has happened. The US- and Israeli-built virus has spread to a Russian nuclear plant — and even the International Space Station.
Stuxnet is an incredibly powerful computer worm that was created by the United States and Israel to attack Iran's nuclear facilities. It initially spreads through Microsoft Windows and targets Siemens industrial control systems. It's considered the first malware that both spies and subverts industrial systems. It's even got a programmable logic controller rootkit for the automation of electromechanical processes.
Let that last point sink in for a second. Beyond infecting Windows PCs, Stuxnet alters the logic running on the programmable logic controllers that drive physical equipment, and its rootkit hides those changes from the engineering software an operator would use to inspect them.
For more on Stuxnet, I highly encourage you to watch this sobering TED talk by Ralph Langner where he describes it as "a 21st century cyber weapon."

This thing is seriously badass, and now it's on the loose. Speaking to journalists in Canberra, Australia, last week, Eugene Kaspersky, head of the anti-virus and cyber protection firm that bears his name, said he had been told of the infection by a colleague who works at the Russian plant.

Monday, November 11, 2013

Scott Adams' Secret of Success: Failure


What's the best way to climb to the top?
Be a failure.

Oct. 12, 2013 8:50 p.m. ET


"Dilbert" creator Scott Adams talks to WSJ editor Gary Rosen about how to draw lessons, skills and ideas from your failures—and why following your passion is asking for trouble.
If you're already as successful as you want to be, both personally and professionally, congratulations! Here's the not-so-good news: All you are likely to get from this article is a semientertaining tale about a guy who failed his way to success. But you might also notice some familiar patterns in my story that will give you confirmation (or confirmation bias) that your own success wasn't entirely luck.
Let me start with some tips on what not to do. Beware of advice about successful people and their methods. For starters, no two situations are alike. Your dreams of creating a dry-cleaning empire won't be helped by knowing that Thomas Edison liked to take naps. Secondly, biographers never have access to the internal thoughts of successful people. If a biographer says Henry Ford invented the assembly line to impress women, that's probably a guess.
If you're just starting your journey toward success—however you define it—or you're wondering what you've been doing wrong until now, you might find some novel ideas here. Maybe the combination of what you know plus what I think I know will be enough to keep you out of the wood chipper.
But the most dangerous case of all is when successful people directly give advice. For example, you often hear them say that you should "follow your passion." That sounds perfectly reasonable the first time you hear it. Passion will presumably give you high energy, high resistance to rejection and high determination. Passionate people are more persuasive, too. Those are all good things, right?
Here's the counterargument: When I was a commercial loan officer for a large bank, my boss taught us that you should never make a loan to someone who is following his passion. For example, you don't want to give money to a sports enthusiast who is starting a sports store to pursue his passion for all things sporty. That guy is a bad bet, passion and all. He's in business for the wrong reason.
My boss, who had been a commercial lender for over 30 years, said that the best loan customer is someone who has no passion whatsoever, just a desire to work hard at something that looks good on a spreadsheet. Maybe the loan customer wants to start a dry-cleaning store or invest in a fast-food franchise—boring stuff. That's the person you bet on. You want the grinder, not the guy who loves his job.
For most people, it's easy to be passionate about things that are working out, and that distorts our impression of the importance of passion. I've been involved in several dozen business ventures over the course of my life, and each one made me excited at the start. You might even call it passion.
The ones that didn't work out—and that would be most of them—slowly drained my passion as they failed. The few that worked became more exciting as they succeeded. For example, when I invested in a restaurant with an operating partner, my passion was sky high. And on day one, when there was a line of customers down the block, I was even more passionate. In later years, as the business got pummeled, my passion evolved into frustration and annoyance.
On the other hand, Dilbert started out as just one of many get-rich schemes I was willing to try. When it started to look as if it might be a success, my passion for cartooning increased because I realized it could be my golden ticket. In hindsight, it looks as if the projects that I was most passionate about were also the ones that worked. But objectively, my passion level moved with my success. Success caused passion more than passion caused success.
So forget about passion. And while you're at it, forget about goals, too.
Just after college, I took my first airplane trip, destination California, in search of a job. I was seated next to a businessman who was probably in his early 60s. I suppose I looked like an odd duck with my serious demeanor, bad haircut and cheap suit, clearly out of my element. I asked what he did for a living, and he told me he was the CEO of a company that made screws. He offered me some career advice. He said that every time he got a new job, he immediately started looking for a better one. For him, job seeking was not something one did when necessary. It was a continuing process.
This makes perfect sense if you do the math. Chances are that the best job for you won't become available at precisely the time you declare yourself ready. Your best bet, he explained, was to always be looking for a better deal. The better deal has its own schedule. I believe the way he explained it is that your job is not your job; your job is to find a better job.
This was my first exposure to the idea that one should have a system instead of a goal. The system was to continually look for better options.

Why US government IT fails so hard, so often


One hint: Windows Server 2003 is still good enough for government work.

The rocky launch of the Department of Health and Human Services' HealthCare.gov is the most visible evidence at the moment of how hard it is for the federal government to execute major technology projects. But the troubled "Obamacare" IT system—which uses systems that aren't connected in any way to the federal IT infrastructure—is just the tip of the iceberg when it comes to the government's IT problems.
Despite efforts to make government IT systems more modern and efficient, many agencies are stuck in a technology time warp that affects how projects like the healthcare exchange portal are built. Long procurement cycles for even minor government technology projects, the slow speed of approval to operate new technologies, and the vast installed base of systems that government IT managers have to deal with all contribute to the glacial adoption of new technology. With the faces at the top of agency IT organizations changing every few years, each bringing some marquee project to burnish their résumés, it can take a decade to effect changes that last.
That inertia shows on agency networks. The government lags far behind current technology outside the islands of modernization created by high-profile projects. In 2012, according to documents obtained by MuckRock, the Drug Enforcement Administration's standard server platform was still Windows Server 2003.

Internet Explorer users face drive-by attacks targeting new 0-day bug (Updated)

Researchers have uncovered new, currently unpatched vulnerabilities in multiple versions of Internet Explorer that criminals are actively exploiting to surreptitiously install unusually advanced malware on computers that visit booby-trapped websites.
The vulnerabilities in various configurations of IE versions 7, 8, 9, and 10 running on Windows XP and Windows 7 are separate from the Microsoft Windows and Office graphics flaw that's also under active exploit at the moment. According to researchers at security firm FireEye, the IE-targeted exploits arrive as a classic drive-by attack that's found on at least one breached website located in the US. The attacks are able to bypass security protections Microsoft engineers have gradually added to later versions of their software. The exploits appear to circumvent the measures, at least in part, by exploiting at least two separate flaws. One flaw allows attackers to access and control computer memory, and another leaks system information needed to capitalize on the first bug.
"The memory access vulnerability is designed to work on Windows XP with IE 7 and 8 and on Windows 7," FireEye researchers Xiaobo Chen and Dan Caselden wrote in a post published Friday. "The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages. Based on our analysis, the vulnerability affects IE 7, 8, 9 and 10."
Early analysis suggests the exploit seen in the wild works only against IE 8 on Windows XP and IE 9 on Windows 7, even though the underlying bugs affect IE 7 through 10. The research into the attacks is in extremely early stages, so it wouldn't be surprising for the range of targeted systems to widen once more analysis has been done.