Talk about throwing out the baby with the bath water. The Financial Times reported on Monday that Google has begun telling new employees that they are no longer able to request Windows PCs, giving them the choice of Mac or Linux systems. Google has long offered its employees their choice of work operating system but will no longer do so. According to a Google employee, any exceptions will require will require CIO approval. [ I find that assertion questionable though ].

Google is apparently making this decision in response to the hacking attacks on late last year in China. The attackers  used vulnerabilities  in Microsoft’s Internet Explorer 6 to go after Google’s intellectual property, believed to be source code.  One could argue that if they had updated their browsers, the attacker would have had to find other vectors for attacks.

Could this be a strategic move by Google to prove that an Enterprise can survive WITHOUT Microsoft? With Google’s Chrome OS on the horizon, this may just be the warm-up act.

Source: http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html

German’s official cyber-security response team is advising surfers not to use Firefox pending the release of a patch to defend against a critical unpatched vulnerability. This is the second time in two months that Germany has taken such a step. Earlier in January, the German government issued a similar warning to IE users. I did a post about it titled Germany warn users against Internet Explorer.

The zero-day vulnerability in the latest full version 3.6 of Firefox was discovered by security researcher Evgeny Legerov last month.  Legerov controversially offered to sell exploit code he developed.  Mozilla acknowledged the security vulnerability on Thursday and promised the the next version of 3.6.2, due at the end of the month, would plug the hole.

I have to applaud the German government for taking such a proactive approach to online security of it’s citizens. I have to wonder what would be the response to such an approach my the US government here. As to the advice given, I’m of two minds really. Whereas home users are at liberty to switch browsers as often as their underpants, corporate users may not have that luxury. Whole scale software migrations in a corporate setting is no small undertaking. Ig it were, I doubt Google would have gotten hacked for using IE6.

Vulnerabilities in all browsers are discovered over time. Corporate users, does the musical browser approach really work even if it were possible? I think not. My advice: Test and Upgrade as soon as is feasible.

Microsoft has released a preview of the new version of Internet Explorer, IE 9.It can be downloaded  from http://ie.microsoft.com/testdrive/Default.html.

I’m sure we will soon start seeing phishing emails and malicious sites being set up around this so if you are interested, be sure to download it from the REAL Microsoft, huh.

Not impressed? Here’s Microsoft’s response, or should I call it a presponse.

“The Platform Preview is an early look at the Internet Explorer 9 platform so some features are incomplete, some may change, and some may be added…..We ask that you refrain from providing feedback on features where noted that they are either partially implemented or not available. We are aware of their condition and will provide updates in future releases. Similarly, for known issues, we are aware of their existence and are actively working on them. Thank you for your interest in the Internet Explorer Platform Preview!”

Microsoft Corp. today warned of a critical vulnerability in Internet Explorer that is already being exploited by hackers; it was the company’s second such admission in the past two months.

Internet Explorer 6 and its 2006 successor, IE7, contain a vulnerability that can be used by attackers to inject malicious code into a Windows PC. The oldest and newest of Microsoft’s supported browsers, IE 5.01 and IE8, respectively, are not vulnerable to such attacks.

“At this time, we are aware of targeted attacks attempting to use this vulnerability,” Microsoft acknowledged in an advisory posted simultaneously with two security updates that patched eight bugs in Windows and Office. Elsewhere, Microsoft said that the vulnerability had been publicly disclosed.

Source: http://www.computerworld.com/s/article/9168138/Microsoft_warns_of_new_IE_bug_attacks_under_way

If it sounds like a horror movie….well, that’s because is really is. Microsoft is reporting yet another Internet Explorer bug.

In the latest episode of this never-ending saga, there is an unpatched bug in VBScript that hackers can use to drop malware on 32-bit Windows XP machines running IE 7 and 8. I know what you are saying: ” But we told them to upgrade from the nine year old IE6! ”

According to Microsoft’s Senior Security Communications Manager Lead Jerry Bryant, an exploit “was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 [or help] key in response to a pop up dialog box.”

Is it time to change your browser? Maybe the EU has it right.

Microsoft has been ordered to introduce the browser “ballot box” following a ruling by the European Commission that Microsoft’s practice of pre-installing Internet Explorer on every new computer was anti-competitive. The Commission accepted Microsoft’s offer of rolling out the ballot box across its range of Windows machines, which it believes will make it easier for computer users to choose an alternative browser to Internet Explorer. See ballot below:

The ballot box will be pushed to Windows users running XP, Vista and Windows 7, via an automatic software update, and will only be shown to computer users who are not already running a different default browser. The list of offered browsers are:

* Avant
* Google Chrome
* Mozilla Firefox
* Flock
* GreenBrowser
* Internet Explorer
* K-meleon
* Maxthon
* Opera
* Apple Safari
* Sleipnir
* SlimBrowser

I’m not sure how I feel about this. Competition is always good however users savvy enough to care already know they can download and run any of these browsers. I agree with Microsoft on the point that this will just add to the confusion of many users.

The open source engine that forms the basis for Google’s Chrome has spawned an ostensibly new browser, Comodo’s cleverly named ‘Dragon’. Internet Explorer might be the most used, Firefox the most fashionable and Google allegedly the fastest, but firewall and tools outfit Comodo says that its new browser has enough tweaks to make it marginally the most secure. Based on Chromium project code, Dragon can give warnings regarding the type of SSL digital site certificate and whether any present provide enough security. In the case of domain SSL certificates, which can be bought through a wide range of agencies around the globe, the answer is almost certainly not.

The browser is also configured to transfer as little data to websites as possible, in particular on software errors the company says would normally be transmitted for troubleshooting purposes. This could betray a user’s browsing history.

Although identical to Google’s Chrome in terms of look and feel, delving into the options tab reveals this subtly different outlook. The crash report checkbox found in Chrome is missing, although it has to be said that the latter can be unchecked on the former and is not mandatory. The other security features such as control over cookies are all from Chrome.

Read the full article

Is your banking practices putting your business at risk? Protect your small business accounts from cybercriminals. The Wall Street Journal offers the following suggestions for small businesses seeking to ward off an attack:

Defend your Computer

Hackers often take aim at small firms’ computers because they are easier to infiltrate than banks’ systems. One common mode of attack is to send a “spear phishing” email containing an infected file or a link to a malicious Web site to employees with access to the firm’s financial accounts. Once the employee opens the attachment or goes to the Web site, malware is installed on the computer that allows criminals to access banking logins and passwords. While up-to-date antivirus software offers substantial protection against malware, it isn’t 100% effective.

Accessing your bank account through a computer that isn’t used for anything else—no email or Web surfing—and isn’t connected to the local network offers strong protection, says William Nelson, president of the Financial Services Information Sharing and Analysis Center, an industry group that collects and shares threat data.

Another option is to use an obscure computer operating system such as Ubuntu or Web browser such as Opera because attackers rarely create malware for them, security experts say.

If you use Microsoft Corp.’s Internet Explorer browser, make sure you have the latest version, IE 8, which includes security features to help prevent attacks. Consider using Explorer in “protected mode,” which restricts files that try to install on a computer without the user’s consent, and set your “Internet zone security” to “high,” which disables some of Explorer’s less-secure features, according to Microsoft.

Protect your Accounts

Ask your bank to set up “dual controls” on your account so that each transaction requires the approval of two people—a good guard against fraud, security experts say. Establish a daily limit on how much money can be transferred out of your account, and require that all transfers be prescheduled by phone or confirmed via phone call or text message. If possible, impose restrictions on adding new payees, security experts say.

Check bank balances and scheduled payments at the end of every workday, rather than the beginning, and immediately contact your bank if anything is amiss. Banks use the Automated Clearing House system to transfer funds to payees’ banks. These transfers usually aren’t paid until the next morning, so timely action could halt the completion of a fraudulent transaction, Mr. Nelson says.

Shop for a Bank

Review your agreement with your bank and know what rights you may be waiving by not using certain security measures. While agreements between banks and commercial customers typically absolve banks of responsibility for fraud losses, the bank down the street may offer better protections, so shop around. Also, consider adding insurance coverage for fraud losses.

Many banks, concerned about damage to customer relationships, have stepped up their defenses against cyberattacks, rolled out new protections for customers and begun sharing more threat information with each other and law enforcement, Mr. Nelson says.

An emerging motivator may be a growing number of lawsuits by small companies claiming their banks didn’t have “commercially reasonable” security.

A judge in a closely watched case involving a self-employed couple’s personal and commercial accounts said in refusing to grant a summary judgment that a jury might find fault with the adequacy of the bank’s defenses, which the plaintiffs argued weren’t state of the art at the time of the theft. The case—Shames-Yeakel vs. Citizens Financial Bank—was settled in late December under confidential terms. The plaintiff’s lawyer, John Soumilas of Francis & Mailman PC in Philadelphia, says he pursued the case as one of consumer-identify theft, where protections are ample.

Still, David D. Johnson, a digital-media lawyer at Jeffer, Mangels, Butler & Marmaro LLP in Los Angeles who wasn’t involved in the case, says the judge’s action suggests that “a bank can’t simply rest on its laurels, on its security measures that worked last year,” and avoid liability. The judge declined to comment, and Citizens Financial didn’t return a call for comment.

Reach Out

Connect with law-enforcement agencies before an incident occurs, suggests Mr. Henry. He says small businesses should consider joining the FBI’s InfraGard, a group of businesses, academic institutions and state and local law-enforcement agencies that seek to ward off cyberattacks and other threats by sharing information and intelligence.

He also urges companies to report all computer crimes immediately to the FBI. The agency has relationships with law-enforcement organizations around the world that are starting to bear fruit, he says, pointing to the recent arrest of 120 people tied to Romanian groups that allegedly stole money from U.S. companies and citizens.

“In the cases where we have put hands on somebody, it was the result of a victim company raising their hand and saying this happened,” Mr. Henry says. “If they hit you today, they’re hitting the guy down the street tomorrow.”

If you are a Firefox user, as I am, you probably have one or more “add-ons” installed to enhance your browser capabilities. For example, I have add-ons installed to show the ip address and country location of the web servers I connect to. I also have another to block all scripts from running in my browser by web servers unless i explicitly allow it. These add-ons help protect my computer while browsing the web.

From Trend Micro Countermeasures Blog:

I just received an email from some guy called Willie Hickey. Aside form having an extremely amusing name, Mr. Hickey was offering me some very urgent advice[..]

The message reads…

“Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:”.

This little piece of social engineering is obviously designed to arouse fear and doubt in the recipient; “Oh no, not those photos, the zookeeper promised he would destroy the negatives.
Don’t be tempted though to click the link. There are no photos, there is no Willie Hickey.
The link leads to a malicious JavaScript which redirects the browser to a Russian IP address where multiple PDF exploits and an ActiveX exploit are used to push out a variant of the ZeuS crimeware. The sample itself has very low detection rates with only 9 out of 40 detections on VirusTotal.

http://countermeasures.trendmicro.eu/your-guilty-conscience-could-get-you-pwned/