Thursday, April 30, 2009

AV Industry: Trend Micro buys Third Brigade

Trend Micro buys Third Brigade
http://www.itnews.com.au/News/102128,trend-micro-buys-third-brigade.aspx
By Shaun Nichols
30 April 2009 01:46PM

Security giant Trend Micro is aiming to increase its enterprise security presence by acquiring enterprise specialist Third Brigade for an undisclosed sum.

The companies said that the deal was made with server security in mind.

Third Brigade specialises in datacentre security and Trend hopes that the deal will bolster its arsenal in both the physical and virtualised server markets.

"Trend Micro has been a pioneer and global leader in server protection software for over ten years," said Trend chief executive Eva Chen.

"This acquisition underscores our commitment to maintaining that leadership position, and accelerates our ongoing efforts to deliver innovative new solutions that are uniquely suited to dynamic datacentres, as they expand from physical to virtual and public/private cloud-computing environments."

The company said that it also hopes to parlay Third Brigade's intrusion prevention systems (IPS) into its own enterprise offerings.

The two companies have previously had a deal which includes embedding the Third Brigade IPS in Trend Micro's Intrusion Defense Firewall product.

The two companies said that they hope to finalise the deal by the end of June.

Third Brigade specialized in Host Intrusion Prevention Systems (HIPS).

Tuesday, April 7, 2009

Enrique Salem takes over at Symantec

By Shaun Nichols
7 April 2009 02:16PM

Symantec's new chief executive has officially taken over.

The security and storage firm said that former chief operating officer Enrique Salem had formally assumed the chief executive and company president roles.

Outgoing chief John Thompson is remaining with the company as board chairman.

The move was first announced in November, but the official transition was delayed until the end of the company's fiscal year on April 4.

"Through that process, Enrique emerged as the right person to lead the company and I am confident in his ability to continue to drive the success of our team," Thompson was quoted as saying in November.

Salem will be the company's first new chief executive in more than ten years, rising to the position from the chief operating officer role.

Salem had first joined Symantec as a lead engineer when the company acquired Norton Computing in 1990. He later became the company's first chief technology officer before leaving in 1999 to join Ask Jeeves.

Salem returned to the company in 2004 when Symantec purchased Brightmail.

Copyright © 2009 vnunet.com

Wednesday, April 1, 2009

New BIOS attack renders antivirus useless

By Iain Thomson
27 March 2009 10:45AM

A new form of attack that installs a rootkit directly into a computer's BIOS would render antivirus software useless, researchers have warned.

Alfredo Ortega and Anibal Sacco of Core Security Technologies explained that the attack was possible against almost all of the BIOS types in common use today.

The two devised a 100-line Python script that could be flashed onto the BIOS to install a rootkit. Because the BIOS runs before any other program when a computer starts up, normal antivirus software would be unable to detect it.

“We tested the system on the most common types of BIOS,” said Ortega.

“There is the possibility that newer types of Extensible Firmware Interface (EFI) BIOS may be resistant to the attack but more testing is needed.”

The attack is only possible if the attacker already has full administrative control of the target PC, but this is possible through a standard virus infection. Once that is achieved the malware operator would be able to flash a rootkit directly onto the BIOS.

Even if the initial virus was detected and removed, the computer would still be under remote control. Even a full wipe of the hard drive and a complete reinstallation of the operating system would not remove it, they warned.

If a sophisticated rootkit was put onto the BIOS it could be even more difficult for an administrator to debug the system, said Ivan Arce, chief technology officer at Core Security Technologies.

“You’d need to reflash the BIOS with a system that you know has not been tampered with,” he said.

“But if the rootkit is sophisticated enough it may be necessary to physically remove and replace the BIOS chip.”

The attack vector is also usable against virtual systems, the researchers said. The BIOS in VMware is embedded as a module in the main VMware executable and thus could be altered.

However, it is possible to protect against this attack by locking down the BIOS chip against flash updates, either by password-protecting the system against unauthorised changes or by a physical write-protect.

“The best approach is prevention, preventing the virus from flashing onto the BIOS,” said Sacco.

"You need to prevent flashing of the BIOS, even if it means pulling out a jumper on the motherboard."


Monday, March 30, 2009

Conficker worm threatens April Fools' chaos

March 30, 2009

The fast-moving Conficker computer worm, a scourge of the internet that has infected at least 3 million PCs, is set to spring to life in a new way on Wednesday - April Fools' Day.

That's when many of the poisoned machines will get more aggressive about "phoning home" to the worm's creators over the internet. When that happens, the bad guys behind the worm will be able to trigger the program to send spam, spread more infections, clog networks with traffic, or try to bring down websites.

Technically, this could cause havoc, from massive network outages to the creation of a cyberweapon of mass destruction that attacks government computers. But researchers who have been tracking Conficker say the date will probably come and go quietly.

More likely, these researchers say, the programming change that goes into effect April 1 is partly symbolic - an April Fools' Day tweaking of Conficker's pursuers, who for now have been able to prevent the worm from doing significant damage.

"I don't think there will be a cataclysmic network event," said Richard Wang, manager of the US research division of security firm Sophos. "It doesn't make sense for the guys behind Conficker to cause a major network problem, because if they're breaking parts of the internet they can't make any money."

Previous Internet threats were designed to cause haphazard destruction. In 2003 a worm known as Slammer saturated the internet's data pipelines with so much traffic it crippled corporate and government systems, including ATM networks and 911 centres.

Far more often now, internet threats are designed to ring up profits. Control of infected PCs is valuable on the black market, since the machines can be rented out, from one group of bad guys to another, and act as a kind of illicit supercomputer, sending spam, scanning Web sites for security holes, or participating in network attacks.

The army of Conficker-infected machines, known as a "botnet," could be one of the greatest cybercrime tools ever assembled. Conficker's authors just need to figure out a way to reliably communicate with it.

Infected PCs need commands to come alive. They get those commands by connecting to websites controlled by the bad guys. Even legitimate sites can be co-opted for this purpose, if hackers break in and use the sites' servers to send out malicious commands.

So far, Conficker-infected machines have been trying to connect each day to 250 Internet domains - the spots on the internet where websites are parked. The bad guys need to get just one of those sites under their control to send their commands to the botnet. (The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to.)

Conficker has been a victim of its success, however, because its rapid spread across the Internet drew the notice of computer security companies. They have been able to work with domain name registrars, which administer website addresses, to block the botnet from dialing in.

Now those efforts will get much harder. On April 1, many Conficker-infected machines will generate a list of 50,000 new domains a day that they could try. Of that group, the botnet will randomly select 500 for the machines to actually query.

The bad guys still need to get only one of those up and running to connect to their botnet. And the bigger list of possibilities increases the odds they'll slip something by the security community.

Researchers already know which domains the infected machines will check, but pre-emptively registering them all, or persuading the registrars to neutralise all of them, is a bigger hurdle.

"We expect something will happen, but we don't quite know what it will look like," said Jose Nazario, manager of security research for Arbor Networks, a member of the "Conficker Cabal," an alliance trying to hunt down the worm's authors.

"With every move that they make, there's the potential to identify who they are, where they're located and what we can do about them," he added. "The real challenge right now is doing all that work around the world. That's not a technical challenge, but it is a logistical challenge."

Conficker's authors also have updated the worm so infected machines have new ways to talk to each other. They can share malicious commands rather than having to contact a hacked Web site for instructions.

That variation is important because it shows that even as security researchers have neutralised much of what the botnet might do, the worm's authors "didn't lose control of their botnet," said Michael La Pilla, manager of the malicious code operations team at VeriSign's iDefense division.

The Conficker outbreak illustrates the importance of keeping current with Internet security updates. Conficker moves from PC to PC by exploiting a vulnerability in Windows that Microsoft Corp. fixed in October. But many people haven't applied the patch or are running pirated copies of Windows that don't get the updates.

Unlike other internet threats that trick people into downloading a malicious program, Conficker is so good at spreading because it finds vulnerable PCs on its own and doesn't need human involvement to infect a machine.

Once inside, it does nasty things. The worm tries to crack administrators' passwords, disables security software, blocks access to antivirus vendors' websites to prevent updating, and opens the machines to further infections by Conficker's authors.

Someone whose machine is infected might have to reinstall the operating system.

AP

Sunday, March 29, 2009

Massive Chinese cyber hack revealed

Reports reveal over 1000 computers were hacked

Phil Muncaster
vnunet.com, 29 Mar 2009

Chinese PCs conducted the cyber espionage

Canadian researchers have revealed an extensive Chinese spying operation, which involved the hacking of over 1000 computers in 103 countries, according to reports in several leading newspapers today.

The new report from the Information Warfare Monitor, a group comprising researchers from Ottawa-based think tank SecDev Group and the University of Toronto's Munk Centre for International Studies, was originally set up to investigate allegations of Chinese snooping on Tibetan exiles.

However, the research ended up uncovering a much larger scale operation, eventually taking ten months to complete.

According to a report in The Independent, the researchers uncovered a network involving 1,295 compromised computers from the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, and others, and embassies including India, South Korea, Indonesia, Germany and Pakistan.

Computers in the offices of the Dalai Lama in India, Brussels, London and New York, were also compromised.

The network, dubbed GhostNet, used malware to penetrate PCs, conduct covert monitoring and steal files, according to the reports. The malware could also switch on the audio and camera equipment sometimes built into PCs in order to monitor those in the same room as those computers, the reports said.

"This report serves as a wake-up call... these are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly," the researchers are quoted as saying in The Guardian.

Although GhostNet is thought to have been controlled from Chinese PCs, the researchers were not able to make any firm link to Chinese government agencies. The team has now notified law enforcement agencies, including the FBI, according to reports.

Wednesday, March 25, 2009

CA cuts one third of its Melbourne developers

By Brett Winterford
25 March 2009

International software vendor CA will make just under one third of its Australian R&D staff redundant as a result of recent acquisitions.

Some 31 of the 103 security experts at its Melbourne R&D Lab will be offered alternative positions, outplacement services or severance packages.

CA's Melbourne research and development lab has been responsible for the development of several IAM (Identity and Access Management) solutions including CA Identity Manager and CA Directory, core components of the vendor's IAM portfolio.

The Melbourne Lab has developed new technologies for CA that are patented on a global basis.

CA says the 31 developers are no longer required due to three new acquisitions.

CA acquired ID Focus in October 2008, Eurikify in November 2008 and Orchestria in January 2009.

A spokesperson for CA said these acquisitions created some duplicate roles within the vendor's global R&D operations.

The spokesperson said the Melbourne development labs will continue to develop CA's IAM solutions after the restructure.

Sunday, February 8, 2009

Kaspersky failed to protect their own website from hackers

Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases. It seems incredible but, unfortunately, it's true. Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.
