HTTP Strict Transport Security becomes Internet standard

November 23, 2012 – 8:18 AM

A Web security policy mechanism that promises to make HTTPS-enabled websites more resilient to various types of attacks has been approved and released as an Internet standard — but despite support from some high-profile websites, adoption elsewhere is still low.

HTTP Strict Transport Security (HSTS) allows websites to declare themselves accessible only over HTTPS (HTTP Secure) and was designed to prevent hackers from forcing user connections over HTTP or abusing mistakes in HTTPS implementations to compromise content integrity.

The Internet Engineering Task Force (IETF), the body responsible for developing and promoting Internet standards, published the HSTS specification as an official standards document, RFC 6797, on Monday. IETF’s Web Security Working Group had been working on it since 2010, when it was first submitted as a draft by Jeff Hodges from PayPal, Collin Jackson from Carnegie Mellon University and Adam Barth from Google.
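The mechanism described above, as an added example that is not code from the article or from RFC 6797's authors: a small Python parser for the Strict-Transport-Security header and a "known HSTS hosts" cache that upgrades http:// URLs the way a conforming user agent would. Function and variable names are our own assumptions; the rules applied (ignore headers with a missing, duplicate or non-numeric max-age, ignore headers received over plain HTTP, match superdomains only when includeSubDomains was set, convert explicit port 80 and preserve other ports) follow RFC 6797.

```python
# Added example, not code from the article: an RFC 6797 HSTS header parser and a
# tiny known-hosts cache that upgrades http:// URLs as a conforming browser would.
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Return {'max_age': int, 'include_subdomains': bool}, or None if invalid."""
    seen, policy = set(), {'max_age': None, 'include_subdomains': False}
    for part in [p.strip() for p in header.split(';') if p.strip()]:
        name, _, value = part.partition('=')
        name, value = name.strip().lower(), value.strip()
        # quoted-string form (max-age="60") is allowed by the grammar
        value = value[1:-1] if len(value) > 1 and value[0] == value[-1] == '"' else value
        if name in seen:
            return None                    # duplicate directive: ignore whole header
        seen.add(name)
        if name == 'max-age':
            if not value.isdigit():
                return None
            policy['max_age'] = int(value)
        elif name == 'includesubdomains':
            policy['include_subdomains'] = True
        # unknown directives (e.g. preload) are ignored for forward compatibility
    return policy if policy['max_age'] is not None else None

def record_hsts(store, host, header, now, over_tls):
    """Cache host -> (expiry, include_subdomains); plain-HTTP headers are ignored."""
    policy = parse_hsts(header) if over_tls else None
    if policy is None:
        return False
    if policy['max_age'] == 0:
        store.pop(host.lower(), None)      # max-age=0 tells the UA to forget the host
    else:
        store[host.lower()] = (now + policy['max_age'], policy['include_subdomains'])
    return True

def is_hsts_host(store, host, now):
    labels = host.lower().split('.')
    for i in range(len(labels)):           # exact match first, then each superdomain
        entry = store.get('.'.join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def upgrade_url(store, url, now):
    """Rewrite http:// to https:// for known hosts (RFC 6797 section 8.3)."""
    u = urlsplit(url)
    if u.scheme != 'http' or not is_hsts_host(store, u.hostname or '', now):
        return url
    netloc = u.hostname + (':%d' % u.port if u.port and u.port != 80 else '')
    return urlunsplit(('https', netloc, u.path, u.query, u.fragment))
```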

Source:
http://news.techworld.com/security/3412713/http-strict-transport-security-becomes-internet-standard/?olo=rss

6 Ways To Secure Your Dropbox Account

November 21, 2012 – 7:41 AM

Dropbox is a hugely popular cloud storage service beloved by many. Unfortunately, it’s had a history of security problems, ranging from compromised accounts to once allowing access to every Dropbox account without requiring a password for several hours. If you’re using Dropbox, there are a variety of ways you can secure your account against unauthorized access and protect your files even if someone does gain access to your account.

Source:
http://www.howtogeek.com/129393/6-ways-to-secure-your-dropbox-account/

Blackhole exploits a major problem in October

November 19, 2012 – 9:52 AM

Blackhole, says Christopher Boyd, senior threat researcher at GFI Software, “is the chameleon of internet threats. It simplifies the process of creating cybercrime campaigns and is easily adapted to take advantage of the buzz surrounding major news events and popular brands.” It is also easily adapted to target specific users or specific companies with specific malware.

The Blackhole exploit kit is possibly the most widely used and successful criminal infection kit in use today. It requires that victims first visit a malicious or compromised website containing obfuscated JavaScript. The JavaScript scans the visiting browser looking for potential vulnerabilities, and then attempts to exploit those vulnerabilities. If successful, the visitor will be infected with the malware of choice for this particular Blackhole landing page.

Blackhole campaigns are therefore often built around spam emails that try to socially engineer the target into visiting the malicious landing page, typically using newsworthy topics or subjects of interest to a large number of users. This happened in October: just before the release of Windows 8, some users received an email offering a free license. But, comments GFI, “Users who clicked the malicious link and downloaded the accompanying file were hit with a Blackhole exploit and infected with a Cridex Trojan” rather than a free copy of Windows 8.

Skype, the chat and VOIP firm now part of Microsoft, was also used. Statistic Brain reports that there were 31 million Skype users in January 2012; Skype itself now says that at peak times it has 40 million users online. According to GFI, Skype was used as the basis for numerous malicious campaigns in October. One that led to a Blackhole site comprised emails purporting to be Skype voicemail notifications – but instead delivered a Zeus trojan.

Source:
http://www.infosecurity-magazine.com/view/29398/blackhole-exploits-a-major-problem-in-october/

Hackers break into two FreeBSD Project servers using stolen SSH keys

November 19, 2012 – 9:24 AM

Intrusions on two machines within the FreeBSD.org cluster were detected on Nov. 11, the FreeBSD security team said Saturday. “The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution,” said a message on the project’s public announcements mailing list. The two compromised servers acted as nodes for the project’s legacy third-party package-building infrastructure, the FreeBSD Project said in an advisory posted on its website. The incident only affected the collection of third-party software packages distributed by the project and not the operating system’s “base” components, such as the kernel, system libraries, compiler or core command-line tools. The FreeBSD security team believes the intruders gained access to the servers using a legitimate SSH authentication key stolen from a developer, and not by exploiting a vulnerability in the operating system.

Source:
http://www.pcadvisor.co.uk/news/security/3411757/hackers-break-into-two-freebsd-project-servers-using-stolen-ssh-keys/?olo=rss

Adobe to fix Flash Player on Patch Tuesdays

November 19, 2012 – 8:47 AM

Adobe has changed its schedule for releasing Flash Player security updates to coincide with Microsoft’s Patch Tuesday schedule. “Microsoft and Adobe are now officially married,” joked Andrew Storms, director of security operations at nCircle Security, a software vendor, in an email. “They started dating when they decided to share the MAPP program,” and once Microsoft agreed to embed Flash into Internet Explorer 10, it was “inevitable” that Adobe would begin following Microsoft’s patch schedule, he said. Under MAPP, or the Microsoft Active Protections Program, Microsoft provides select security vendors with prepatch information to give them time to craft detection signatures for new exploits or malware. In July 2010, Adobe began using MAPP to deliver vulnerability information about its own products to security firms. Microsoft issues its security updates on the second Tuesday of each month. Until now, Adobe has released Flash bug fixes at irregular intervals. The lack of synchronization became an issue after Microsoft announced it would bake Flash Player into IE10 for Windows 8 and its tablet spin-off, Windows RT. Problems surfaced in September when Microsoft said it would not patch IE10 for at least six weeks, even though Adobe had issued updates the previous month that addressed at least one vulnerability that hackers were already exploiting.

Source:
https://www.computerworld.com/s/article/9233747/Adobe_to_fix_Flash_Player_on_Patch_Tuesdays?taxonomyId=17