McAfee Security 1.1 Available for Mac Users

Last week Information Services and Technology (IS&T) announced support for McAfee Security Suite version 1.1.

McAfee Security 1.1 is the virus protection application recommended by IS&T for users of Macintosh OS X 10.6 (Snow Leopard) and OS X 10.5 (Leopard). It replaces McAfee’s VirusScan and older versions of McAfee Security Suite. It includes performance and security enhancements and provides the most up-to-date virus and malware detection engines.

If you use a Macintosh and do not have McAfee Security 1.1 on your computer, IS&T strongly recommends that you install this software.  You can download it from IS&T’s McAfee Security 1.1 for Macintosh page.

IMPORTANT NOTE: IS&T is recommending to hold off on upgrading to OS X 10.7 (Lion) until supported products by IS&T have been fully tested or have been upgraded to run on the new operating system.

For help with installing or using McAfee Security 1.1, contact the IS&T Help Desk at helpdesk@mit.edu or 617.253.1101. You can also submit a request online.

Oracle Critical Patch Update Advisory July 2011

Oracle released an update advisory this month to address 78 vulnerabilities in various Oracle products and versions. US-CERT recommends that Oracle database administrators apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory – July 2011. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

Information Security Mitigation Lists

Last week the Australian Department of Defense released a list of 35 mitigations that are the best hope for stopping or mitigating the targeted attacks that are decimating government and industry around the world. US-CERT (United States Computer Emergency Readiness Team) also released a similar list of recommendations intended to “enhance existing security programs.”

I think any organization can implement all or some of these recommendations depending on the type and amount of information they need to protect. Some of the recommendations are strategic, but others are common measures that we’ve been discussing for years, such as using strong passwords and changing them on a regular basis, filtering email, and making sure all systems have up to date patches and are scanning for viruses.

Take a look for yourself and see if you are already doing any of them in your area.

Apple Patches iOS Security Hole

Apple released iOS 4.3.4 (4.2.9 for those on Verizon) last week to fix a zero-day vulnerability in the software’s PDF-reading capabilities. It is available as a free download to iPhone, iPod Touch and iPad users.

A description of the update says it “fixes (a) security vulnerability associated with viewing malicious PDF files.” That’s the same one used by JailbreakMe.com, a site that allows users to jailbreak their phones without using a computer or any special software, giving the owners a way to install third-party software and make low-level system changes.

The zero-day PDF vulnerability could be used to not only jailbreak a device, but also install malicious applications.

Read the story at CNet.com.

BrowserID: New Sign-In System from Mozilla

Last week Mozilla announced the launch of a prototype of BrowserID, a new sign-in system, for community review. It answers the tough question many web developers face: how do users sign in? The classic way: an email address with a confirmation step demands a user’s time and requires them to remember yet another password. BrowserID is designed to be easier to use, secure, cross-browser supported, decentralized, and respects user privacy.

The system is still highly experimental, and Mozilla would love to get feedback from their users. They have provided a quick tutorial and demo site.

You can find out more at the Mozilla blog or at browserid.org.

ZeuS Variant Targets Android Smartphones

Anti-virus vendors have detected a variant of the ZeuS Trojan horse program that can infect Android smartphones. The malware in this case is a variant of Zitmo, which stands for “Zeus in the mobile;” it pretends to be an online banking security application called Rapport, which is the name of a legitimate application from Trusteer.

Previous variants of the ZeuS online banking Trojan targeted Symbian, Blackberry and Windows Mobile devices. The Android variant does not require any digital certificates and is injected by manual download of an alleged security extension from Trusteer. Once installed, the Trojan masquerades as an online banking activation app. In the background, it listens to all incoming SMS messages and forwards them to a remote web server. That’s a security risk, as some banks now send, via SMS, mTANs (mobile transaction authentication numbers), which is banking-speak for one-time passwords for authenticating transactions.

Criminals need to persuade users to download and install the app. The application gets pushed by malware after it has infected the user’s PC, but not until the user visits a banking website. The risk is relatively small, as not all banks use mTANs and relatively few people use smartphones for banking transactions.

Read the full story at InformationWeek.com.

The Newest Botnet: TDS-4

The talk of the town this week (depending on the town you’re in, I suppose) has been of the “indestructible” botnet known as TDL 4. This botnet has already compromised an estimated 4.5 million Windows-based computers (around half of which are in the U.S.) and is technically quite advanced.

Botnets are among the biggest threat to people, institutions and governments that exist on the internet today. The term botnet refers to both a collection of compromised computers that are controlled by a person or group, and the malicious software that infects those individual computers. While not a new technique, the TDL 4 botnet safeguards itself from removal in a few ways: 1) it infects a computer’s master boot record, allowing it to run before Windows starts up, enabling it to stay under the radar of its host’s antivirus software, 2) it has its own antivirus built in, so it can remove other malware that might be picked up by real antivirus and alert the user that there’s a problem, and 3) its communication with its peers is encrypted and well timed, such that it communicates when the user of the computer is surfing the ‘net.

TDL 4 was termed indestructible by a few security researchers, and it stuck. We’ve seen indestructible botnets before, however… remember when Conficker was going to destroy the internet? Or Bagle back in 2004? The reason why TDL is a little more resilient is because it uses the open Kad peer-to-peer network to communicate, so it doesn’t rely on centralized command-and-control servers for its instructions, and so doesn’t have a single point of failure.

So what’s the point of it? Money. Like most malware created today, its authors are organized and after dollars. All that spam in your mailbox? That’s from a botnet selling pirated software and pharmaceuticals. Your personal data is worth money. The front and back of a credit card as a scanned document will sell for $20. Your PayPal account credentials will net someone 30% of the balance of the account.

The real trick is finding TDL here and now if your computer is infected.  The malware behind TDL 4 can be detected and removed by Kaspersky Lab’s free TDSSKiller, available here.

Nefarious Apps for Android Phones

Think you’re going to download that popular app for free?  Guess again!  Google has been forced to remove scores of malware infested apps from their Market over the past several months.  In many cases, the software masqueraded as a free version of a well-liked game or other app, but in reality included a trojan horse, dialer, or other malware.

Dialer malware can automatically dial or text toll numbers, incurring huge costs for the user and funneling money to the malware’s author.  The most recent dialer for Android phones, discovered in an alternative app market, is known as HippoSMS.  It sends text messages to toll services, then monitors for, and deletes, sms alerts from the phone company regarding the excessive charges.

In addition to monetary loss, some Android malware has been responsible for loss of sensitive data as well, leeching information from text messages and email.

The best way to protect yourself from this threat is to be very careful about which apps you download and avoid using an alternative app market if possible.  As a safety net, you can go to Settings -> Applications and make sure “Unknown sources” is unchecked.  You should carefully research any app from an unknown source before installing it.

Read more about HippoSMS at computerworld.com.

July 2011 Microsoft Security Updates

On Tuesday, July 12, Microsoft plans to issue four security bulletins for Patch Tuesday, addressing a total of 22 flaws.

Three bulletins will address serious flaws in Windows, and the other will address issues with Visio 2003.

Read the full July security bulletin:
<http://www.microsoft.com/technet/security/bulletin/ms11-jul.mspx>