Video Screencast Help
Security Response
Showing posts in English
Marc Fossi | 04 Oct 2006 07:00:00 GMT | 0 comments

It’s that time of year when the kids goback to school and the leaves start changing colors. In some parts ofthe world (like where I live) the air starts to get cool and the sky isgray in anticipation of snow and freezing temperatures. The thought ofthis approaching cold front might be enough to send some people to seekout an alternate reality online.

One of these online alternate reality worlds, Second Life,reported a data breach in September. Apparently, one of their databasescontaining customer information was breached. The attackers managed toget users’ names and addresses, as well as encrypted credit cardnumbers. While the unencrypted data may not be too much to worry about,users should still make sure to change their passwords. Hopefully, thecredit card numbers were encrypted using a strong algorithm.

Maybe you’ve already been playing around in one of the variousonline worlds, but you feel...

Zulfikar Ramzan | 03 Oct 2006 07:00:00 GMT | 0 comments

Markus Jakobsson is a computer science professor at Indiana University and has done some excellent work on understanding phishing attacks. I’ve blogged about some of Markus’ research in the past and I thought I’d share some information about some recent work of his that focuses on the question: What causes people to fall for phishing attacks?

Markus and his group completed a study at Indiana University where the subjects were shown various types of stimuli, such as Web pages and emails. Some of these were legitimate and others were based on phishing attacks. The subject group was asked to rate (on a scale of one to five) how authentic the stimulus was. If a participant marked a score of one, it was thought that the stimulus was taken from a phishing attack. A score of five meant that it appeared legitimate.

To make things...

John McDonald | 02 Oct 2006 07:00:00 GMT | 0 comments

It is often said that an antivirus (AV) product is only as good as its most recent signature update; however, that's not strictly true. Even if your AV definition set is months out of date, it will still protect you from some of the worst viruses and worms of all time: Mydoom, Netsky, Bugbear, Sasser, Klez, Sobig, and Nimda, for example. On the other hand, the statement does hold some truth. While an AV product won’t protect a computer from every new threat right from the moment that threat is unleashed into the wild, most AV companies are very quick to add protection for new threats and make that updated protection available to their customers—usually within hours. Given that most threats spread relatively slowly (with a few notable exceptions, such as Slammer (W32.SQLExp.Worm), but that only affected certain systems running specific software), the timely release of...

Symantec Security Response | 29 Sep 2006 07:00:00 GMT | 0 comments

Update: On September 30,2006, Symantec Security Response received reports that theWebViewFolderIcon ActiveX control vulnerability is being activelyexploited in the wild.

Shortly following the out-of-band patch for the VML vulnerabilityearlier this week, Microsoft is releasing yet another out-of bandadvisory. The latest advisory, released today (September 29, 2006),addresses an ActiveX vulnerability in Microsoft Windows.

The vulnerability is a buffer overflow in the MicrosoftWebViewFolderIcon ActiveX control, which, if successfully exploited,will allow an attacker to perform remote code execution on the victimmachine. Failed attempts would likely result in browser crashes.Proof-of-concept exploit code is available publicly.

In order to carry out an attack, the attacker would need to employsome form of social engineering (such as emails, instant messages, orbanner ads) and try to convince potential victims to click on linksthat would lead...

Dave Cole | 29 Sep 2006 07:00:00 GMT | 0 comments

Now that all of the hard work has been done by everyone else compiling the stats and the 100+ page report, it’s time for a glance at the tea leaves. (Typical product manager.) ;-) This blog will serve as a very abbreviated recap of the Future Watch section of the latest ISTR, which looks ahead to the short-term horizon for what we think some of the main issues will be. This isn’t the "toaster is infected with a worm which jumped there from a flawed RFID chip” type of stuff; rather, it’s the patterns that we see forming that are either right around the corner, or are already showing signs of being a clear pattern. Your toaster is safe for now. :-)

While the ISTR report itself discusses both Windows Vista and Web 2.0 issues in the Future Watch section, I’m going to pass on those topics here, as we’ve already provided in-depth coverage of both in previous blogs. (You can find these blogs in the...

Symantec Security Response | 29 Sep 2006 07:00:00 GMT | 0 comments

Yesterday, Microsoft announced the results of a commissioned analysis of anti-phishing solutions (http://www.3sharp.com/projects/antiphishing/gone-phishing.pdf). Being an active member of the anti-phishing community, we were surprised that the report did not look at Symantec's new heuristic anti-phishing protection features. These are included in Norton Internet Security 2007 and the upcoming Norton Confidential.

For many reasons, we are excited about these advanced anti-phishing capabilities, but were disappointed that 3Sharp LLC, the company that conducted the analysis on behalf of Microsoft, did not include at least one of our solutions in the comparison mix. Our underlying heuristic detection technology comes from WholeSecurity, a leading innovator of behavioral security solutions that Symantec acquired in October 2005. WholeSecurity learned early on that the...

Hon Lau | 28 Sep 2006 07:00:00 GMT | 0 comments

This year will probably go down in historyas the year of Microsoft Office vulnerabilities. Never before have weseen such a high level of activity around the discovery andexploitation of vulnerabilities in the Microsoft Office applicationsuite. Ever since the uncovering of a series of vulnerabilities acrossthe range of Microsoft Office applications in early March of this year,we have seen a considerable pickup in activity. We have been receivinga steady stream of new malicious code that uses zero-day exploits forone or more of the applications that make up this suite. Just toreinforce this point, on September 27, 2006, we received samples of newmalware that uses yet another Microsoft PowerPoint zero-dayvulnerability. We have added detection for this new Trojan as Trojan.PPDropper.F.

“Why the sudden interest in Office applications?” some might ask.Well...

Zulfikar Ramzan | 28 Sep 2006 07:00:00 GMT | 0 comments

A “CAPTCHA” (completely automated publicTuring test to tell computers and humans apart) is one of those puzzlesyou are sometimes asked to solve when signing up for a free emailaccount or similar services. These puzzles involve distorted imagesthat are sometimes enough to thwart an automated computer program thatis trying to sign up for free email accounts, giving it the impressionthat it is dealing with a human. Well, an "enterprising" human found aclever way to cheaply solve a lot of CAPTCHAs.

His ideawas to post a project ad on the site www.getafreelancer.com, to see howmuch it would cost him to hire someone to solve CAPTCHAs for a 50-hourweek. Within a week, he received 58 bids, ranging from $30 to $100(with the average bid being $57) before the site administratorcancelled the ad. Assuming (very conservatively) that it would takesomeone 30 seconds, on average, to solve a single...

David McKinney | 27 Sep 2006 07:00:00 GMT | 0 comments

We have just released the 10th edition of the Symantec Internet Security Threat Report (ISTR). For the past five years, Symantec has been tracking the various trends in Internet security—involving malicious code, vulnerabilities, and Internet attacks—and compiling them twice a year into the ISTR. In my experience working as a vulnerability analyst, moderating Bugtraq, and contributing to the ISTR, there is one thing that is certain: vulnerabilities are on the rise. For the period affecting the current ISTR X release, we logged 2,249 new vulnerability records into our database, which is also a new high for the most new vulnerabilities in any given six-month period. The previous high was 1,912 new vulnerability records, which was reported in the second half of 2005. As usual, the majority of these vulnerabilities affect Web-based applications (68%-69%).

Not only are there more vulnerabilities, there are more affected vendors than ever before. In light of the ISTR release...

Andrea Lelli | 26 Sep 2006 07:00:00 GMT | 0 comments

We have seen malicious code steal a lot of information in the past: bank credentials and certificates, email accounts, IM passwords, online gaming accounts; but, that was not enough! Now, satellite shared accounts are going to have a turn.

There is a service out there called "cardsharing" that allows you to use the subscription rights of one satellite smartcard on multiple satellite receivers. Using this service, the receivers download the smartcard key information from the Internet or a LAN instead of the original smartcard, which will allow simultaneous viewing of satellite television on several receivers.

A cardsharing user needs to install a couple of computer programs on their local hard drive (WinCSC and ProgDVB), which store a configuration file containing the legitimate account data required to access the satellite service. All of the information is stored in plain text format and the configuration file contains the username and password of the...