Feb 15, 2010 Security News
For all you Windows users out there, pay attention to this one:
There are indications that the system crashes and the dreaded blue screen of death (BSoD) that many Microsoft Windows users reported suffering after installing this week’s batch of security updates may be caused at least in part by malware infestations on the affected machines.
Patrick W. Barnes, a systems administrator at Cat-man-du, a technology services firm in Amarillo, Texas, said at least three different customers came into his shop with the same blue screen of death after installing Tuesday’s patches on their systems. Barnes said that on closer inspection, he found that each had been previously infected with a rootkit, a set of tools sometimes installed by malware that are designed to hide the presence of the infection on the host system.
For the rest of Brian Krebs’ good article on this matter, check here.
Jan 18, 2010 Security News
I found this a good summary of the rapidly evolving events concerning the alleged Chinese infiltration of Google’s, and a large number of other corporations’, IT infrastructure.
Unless you have been living under a rock for the past few days, you probably have heard about some big changes Google has made regarding an attack on its infrastructure. Here is what we know:
- First, the Who and What: Google detected a coordinated attempt by Chinese entities to compromise the accounts of Chinese dissidents. David Drummond, Google’s chief counsel, said, “A primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.” According to George Kurtz at McAfee, the attacks were part of a large-scale, well-organized operation called Aurora. As a result, Google has stopped censoring its search results in China, and has considered pulling out of the country entirely.
- Second, the How: as this story has played out, a second wave of stories emerged about the attack vectors. Microsoft has released a bulletin stating that a zero-day exploit in Internet Explorer 6 and higher was the attack vector. McAfee’s George Kurtz confirms that IE 7 and 8 vulnerabilities were used. iDefense speculated that PDF-phishing may have been a vector too. But it has not been shown definitively to be an attack vector yet.
- Third, the attacks were not just about dissidents. The attacks appeared to be part of a coordinated campaign that targeted the intellectual property of a wide swath of the US industrial base, including Dow Chemical, Symantec, Yahoo!, Northrop Grumman, and Juniper Networks.
- Fourth, many affected parties are collaborating on the investigation and post-mortem analysis. Google, Adobe, Microsoft, McAfee, and others are all sharing information about the attack. No doubt the FBI and agencies are in the mix, too.
You can read the entire article here.
Dec 18, 2009 Security News
Lori McVittie at DevCentral writes about a conversation she had with an Amazon EC2 representative concerning the botnet command and control running in EC2:
An e-mail exchange with Kay Kinton, a spokesperson for Amazon, on the subject of Amazon and its recent run-in with the Zeus botnet controller, raised two very interesting and valid points. First, there is a fine balance that must be maintained by providers – cloud or traditional hosting – regarding the privacy of applications and data deployed by customers and monitoring/security. Second, Kay points out that it’s easier in the EC2 environment, at least, to disable botnets once they are discovered.
The second point is one that appears on the surface to be true but I’m not entirely convinced. A cloud provider has complete control over its environment (even if you don’t, making this somewhat of a double-edged sword) and thus they can act immediately to terminate the offending application. True. But in any environment in which you have physical or management network access to an offending application/system it should be easy to terminate an offending application. Perhaps more important about this point is that a cloud computing provider can prevent the launch of another offending application, but again – I’m not sure it’s any easier or more difficult in a cloud computing environment than it would be in a traditional hosting or data center environment.
Now the first point is a bit more subtle and definitely deserves some attention as it potentially pits one customer’s privacy against one (or more) other customers’ security and raises some interesting questions regarding how deeply in the sand such a line should be drawn in a cloud computing environment.
The entire article is here.
Dec 12, 2009 Security News
Zbot (Zeus bot) is back again in another variation and is now taking advantage of Amazon EC2 for C&C.

Once a hapless attachment-clicker has opened the infected payload, such as the latest “xmas2.exe” or an infected website, code is injected into the victim’s system processes and then connects to the cloud to download its configuration (config.bin).
Read all the gory details here.