Internet Security News
Breaking news and updates in Internet security
Last Updated: November 20th, 2008 13:59:10 CST -0600
Microsoft Announces Free PC Security Product
If you heard a deafening swallowing sound sometime in the past day or so, we can explain its origin. The corporate makers of security software must have collectively gulped when Microsoft announced its plans to offer a free consumer security product.
"Morro," as the product's called at the moment (probably named after Morro Castle), is supposed to take care of a lot of stuff. Viruses, spyware, rootkits, and Trojans are all on its kill list. It should require little in the way of bandwidth and computing resources, too, giving Microsoft an "in" with the growing netbook audience.
Amy Barzdukas, Microsoft's senior director of product management for the Online Services and Windows Division, explained in a statement how Microsoft got the idea for Morro, saying, "Customers around the world have told us that they need comprehensive, ongoing protection from new and existing threats, and we take that concern seriously."
She then continued, "This new, no-cost offering will give us the ability to protect an even greater number of consumers, especially in markets where the growth of new PC purchases is outpaced only by the growth of malware."
So when does the rush of consumers getting Morro and software makers going out of business begin? Not for a while. Windows Live OneCare is scheduled to remain on sale through June 30th, 2009, and it's during the phasing out of this product that Morro is supposed to become available for download.
What's more, Morro may not achieve omnipresence even then. Since Microsoft has only advertised it as a security solution for Windows XP, Windows Vista, and Windows 7, a few people are sure to be left out in the cold. Internet Explorer's also mentioned, which might mean Firefox users will be ignored.
Then there are the intentional gaps and potential for problems to consider. With regard to the first: encryption, firewalls, password protection, parental controls, and backup programs haven't been addressed.
Still, Morro's introduction looks to be a revolutionary moment in the PC security solution industry. Like that first collective gulp, listen for the sound of Tylenol bottles being opened as the end of June draws closer.
Google Unveils Calculators To Promote Security Products
The economy's nasty condition is making people rethink all sorts of things: whether trucks and SUVs are cooler than clown cars, whether steak is that much better than ramen, and so on. Google wants to help when it comes time to decide whether to embrace its security offerings.
To see how much security measures of some sort can help a business, Google's introduced a simple Return on Investment Calculator. Users can see an estimate of how much time/money's wasted on spam by entering stats relating to employees, workdays, salaries, and spam messages. Expect big numbers if you start typing away.
But as for the matter of choosing Google's products instead of something else, there's an entirely separate tool. The Total Cost of Ownership Calculator compares the expense of on-premise solutions to Google Message Security over the course of three years.
Here, you can probably expect to see some stark differences, too. On the Official Google Enterprise Blog, Amanda Kleha mentions a situation in which a law firm found that, "[w]ith the hourly rate of their lawyers . . . choosing Google Message Security paid for itself in 1 day."
The tools make for an interesting combination. IT people who are worried about layoffs may regret their existence, but lots of companies are liable to appreciate Google's effort to both get their business and save them some money.
McColo Takedown = Street Justice?
When McColo was stopped in its tracks last week, most of the online world cheered. The rhyme and reason behind the development mattered little in light of seeing less spam. Only now, there's at least some question of whether or not things went through the right channels.
No official ruling against McColo was involved, after all. Law enforcement officials weren't even in figurative sight, since a tip from The Washington Post was what spurred McColo's service providers to take action. McColo didn't get a chance to respond, and it might have just been oblivious to all the spammy activity.
There's also a concern over what could be considered collateral damage. If not all of McColo's customers were involved in "bad" stuff, some of them must rightly view the situation they've been placed in as being rather unfair.
Individuals participating in a Slashdot discussion tended to agree that what happened to McColo is not a case of vigilantism, however, since McColo's service providers were just informed of TOS violations.
And even if what happened last week can be called vigilantism, we should all remember that movie audiences tended to side with the Charles Bronson-type characters in "Death Wish" and similar movies.
Are You Ready For… Black Monday?
Security experts from PC Tools have pinpointed November 24 as potentially the peak of malicious activity for 2008. They reached their conclusion on the specific date after analyzing well over 500,000 machines from around the world.
Guardian.co.uk states that "the number of people shopping online this Christmas is expected to grow again this year, with internet sales in the UK alone predicted to hit £13.16bn - an increase of 15% over 2007."
It should be noted that November 28 will be the busiest shopping day of the year, a day so popular in fact that it even has its own name, "Black Friday".
So logically thinking… the increase of malicious attacks, spam, spyware, and everything else evil should be expected to climb just mere days before people start entering in their private data for online purchases.
Spam and all the other wrongdoing of others shouldn't sway anyone from shopping online, as this stuff is going on every day. Just remember to use your common sense… if something sounds fishy, it probably is.
Safari Update May Add Equal Measures Security, Instability
It seems that the newest version of Safari is operating under the motto "better safe or sorry." The Safari 3.2 update is supposed to have fixed several vulnerabilities, but at the same time, users are reporting frequent crashes.
Let's start with the positive stuff. A full 11 issues have been addressed, so we won't dwell on them all, but Kelly Fiveash writes, "Safari 3.2 comes with an update to Webkit - which is the framework that underpins Apple's browser - that restricts the types of URLs that can be launched through the plug-in interface."
Also, "The firm has also stitched together a hole in Safari's JavaScript handling of array indices to prevent random code execution and it's also fixed a bug with its form field. The browser previously had a flaw in its autocomplete feature, which meant that disabling it didn't guarantee data wouldn't be stored."
As for the negative side effects, things appear to be limited to those annoying crashes.
Downloading Safari 3.2 is probably worth users' while, then (and fans of other browsers won't get to tease them too much). Just don't download it while you've got some time-sensitive task in your lap, and perhaps make sure that you can get back to the previous version, regardless.
Microsoft Fixes Flaw After Seven Years
If you've ever forgotten an appointment, anniversary, or birthday, you know that being late by even a little bit can be terribly awkward. It almost seems worth it to get an arm or leg set in plaster just so you have a proper excuse. Now Microsoft's trotted out its version of a cast story to explain a seven-year patch delay.
Microsoft security bulletin MS08-068 addresses a flaw in the Microsoft Server Message Block protocol, and in a post on the Microsoft Security Response Center, Christopher Budd acknowledged, "We've received some questions from customers about MS08-068 and its relationship to an issue that was first discussed in 2001, called the SMBRelay attack. Specifically, we've gotten some questions about why, in 2008, we're releasing an update that addresses an issue first discussed in 2001."
Budd, a security communications program manager, then stated, "[W]e could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."
So, according to Budd (and/or Microsoft, since it's hard to believe someone would volunteer to be the messenger), Microsoft kept tinkering with things, and finally figured out a way to address the issue without bringing everything else to a halt. And, the Security Response Center post implies, perhaps people shouldn't complain too much, since implementing SMB signing remains a better idea than applying MS08-068.
Take or leave the explanation as you see fit.
Skype Scrambles After Breach And Censorship Revelations
American companies operating in China have what might be considered a tradition of getting in trouble over privacy and censorship, and Skype, the Internet communications company, is the latest to encounter hot water. Its president has done his best to explain the situation.
As Josh Silverman wrote, "In China, TOM is the majority local partner in our joint venture that brings Skype functionality to Chinese citizens." Skype - and anyone who bothered to listen to an old announcement - has known for some time that TOM obeyed Chinese laws requiring them to block messages containing certain terms.
The problems began when it turned out that TOM stored the messages; there's a real concern about which government authorities might have seen them. And what's more, a security breach may have exposed the messages to all sorts of other people.
Silverman wrote, "We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM."
Still, Skype's reputation has taken a big hit due to these developments, and we may see the security and censorship issues have a similar effect on the eBay property's growth.
Defense Companies Hit By Malicious Code
Some security stories relate to fairly harmless issues, but this one might go well beyond "whoops." It seems that LIGNex1 and Hyundai Heavy Industries, two Korean companies that construct things for the military, have had malicious code planted within their computer systems.
So you know the (potential) scale of the problem: LIGNex1 deals with missiles, radar, and communications systems. Hyundai Heavy Industries is the world's largest shipbuilder. And it was the National Security Research Institute that found the malicious code. This sounds like the start of some near-apocalypse novel by Tom Clancy, right?
As for who planted the code, how they did it, and what files were affected, details are scarce right now. Chalk it up to government secrecy or (and this is a slightly scarier possibility) true ignorance at the same level.
Anyway, as reported by SC Magazine UK, a National Security Research Institute representative said, "The research institute suspects the culprits are Chinese or North Korean hackers but doesn't know specifically what information they stole. In the worst case, the blueprints of missiles and Aegis ship could have been stolen."
There are a few silver linings and good signs in all of this, however. One came as the spokesperson acknowledged, "It's shocking that our major defense industries are open to attacks from hackers and that our missiles are vulnerable to theft by cyber terrorists. A general review of our cyber security system is needed."
And in all honesty, having the blueprints to something doesn't necessarily mean that a person or country can build it. There are matters of resources and skill to consider, even as spy satellites presumably keep an eye on large factories and shipbuilding facilities.
Finally, at least the blueprint secrets were (maybe) stolen from companies connected to a close ally like South Korea, instead of a government less willing to cooperate with the U.S.
So, assuming we aren't all soon destroyed in either an economic or military sense, things at Korean defense companies may be better in the long term. And hopefully defense corporations located elsewhere in the world will also learn from this development.
After Airport Stop, Kevin Mitnick Shares Travel Tips
The next time you have to take off your shoes and belt at an airport, keep in mind that things could be much worse. You might get detained and questioned for four hours, for example, which is something hacker-turned-security-consultant Kevin Mitnick recently experienced on a return trip from Colombia.
People and companies needn't worry too much that Mitnick's fallen back to the proverbial dark side; accusations weren't really made, and charges were never brought. As told by Elinor Mills, his detainment instead seems like a cautionary tale about wrongful accusations and the defensive measures traveling computer owners should take.
Mills writes, "Agents from the Immigrations Customs Enforcement arrived to question him. They asked why he was in Atlanta and he told them; he was there to moderate a panel at a security conference sponsored by the American Society for Industrial Security. Asked for proof, he fired up a laptop to show them the itinerary in his e-mail. But when he clicked 'yes' to have Firefox clear his private data--an automatic response to a default setting--the agents snatched the laptop away from him, thinking he was deleting evidence."
So be careful about every click and keystroke, for one thing. Otherwise, "To protect his privacy and that of his clients, Mitnick encrypts all the confidential data on his laptops, transmits it over the Internet for storage on servers in the U.S., and wipes it from the computer before returning from any international trips, just in case officials decide to search or seize his equipment. He also encrypts his hard drive. And now, he says he is going to keep a 'clone' of his MacBook at home so he will have an exact duplicate of it if it is ever seized."
Depending on what sort of stuff you keep on your computers - and whether or not laws about laptop searches are changed - these steps may be worth imitating. The average business traveler isn't as likely to get stopped as Kevin Mitnick, of course, but the story seemed worth relating.
Oracle WebLogic Hit With Zero-Day Exploit
Oracle issued a workaround as news circulated of a flaw in the WebLogic platform that can be exploited remotely without authentication.
Both the WebLogic Server and WebLogic Express products, acquired by Oracle when the company purchased BEA, suffer from the newly disclosed vulnerability.
SANS Internet Storm Center said the problem stems from the Apache Connector used by the products. A WebLogic advisory noted the flaw could be exploited without authentication.
Sites using Apache servers that are already configured with the mod_security module are protected from this vulnerability by the default core ruleset, according to the advisory. Using mod_security with the WebLogic plug-in for Apache serves as one workaround suggested by Oracle.
The other workaround calls for an edit to httpd.conf and a restart:
It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and restart Apache:
LimitRequestLine 4000
See: Apache LimitRequestLine documentation for more information
Note: This parameter limits the maximum URL length to less than 4000 bytes.
The problem sounds like a buffer overflow, which IBM Xforce said is stack-based in nature. ZDNet noted Oracle has disclosed 112 vulnerabilities in its products in 2008.
The zero-day nature of the flaw's disclosure, and the lack of a need for authentication, make it likely an active exploit will emerge. Web application servers like WebLogic regularly provide functionality to sites where financial details pass between visitors and the business site.
As such information holds great appeal for criminals, applying a workaround quickly should be a priority for security pros.
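One way to confirm the httpd.conf workaround is actually in force, as an added example (not from Oracle's advisory or the original article): the script reports the LimitRequestLine value set at server scope and flags any VirtualHost block that sets a larger one. The sample configuration is constructed, 8190 is Apache's documented default, and the function name is hypothetical.

```python
import re

APACHE_DEFAULT = 8190  # Apache's documented default for LimitRequestLine
ADVISED_MAX = 4000     # value from the workaround quoted in the article

DIRECTIVE = re.compile(r"^LimitRequestLine\s+(\S+)", re.IGNORECASE)
VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]*)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost\s*>", re.IGNORECASE)

# Constructed sample: the directive is present but commented out at first,
# then set correctly, then raised again inside a virtual host.
SAMPLE_CONF = """\
ServerName www.example.test
#LimitRequestLine 4000
limitrequestline 4000
<VirtualHost *:80>
    ServerName app.example.test
    LimitRequestLine 16384
</VirtualHost>
"""

def audit_limit_request_line(conf_text):
    """Return (server_value, vhost_values, findings) for one config file.

    Include'd files are not followed; run it on each file separately.
    """
    server_value, vhosts, findings, current = APACHE_DEFAULT, {}, [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = opened.group(1).strip()
        elif VHOST_CLOSE.match(line):
            current = None
        elif (found := DIRECTIVE.match(line)):
            if not found.group(1).isdigit():
                findings.append(f"line {lineno}: invalid value {found.group(1)!r}")
            elif current is None:
                server_value = int(found.group(1))  # later setting overrides earlier
            else:
                vhosts[current] = int(found.group(1))
    if server_value > ADVISED_MAX:
        findings.append(f"server scope allows {server_value}-byte request lines")
    findings += [f"vhost {name} sets {value}" for name, value in vhosts.items()
                 if value > ADVISED_MAX]
    return server_value, vhosts, findings

if __name__ == "__main__":
    print(audit_limit_request_line(SAMPLE_CONF))
```

An empty findings list means every setting seen in that file is at or below the advised limit; the change still needs an Apache restart to take effect, as the workaround states.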