Thursday 30 September 2010

Security Digest #13

This month's highlight: Copyright! Srsly! And versatility too.


SDL Goes CC

The Microsoft Security Development Lifecycle team announced last month that all of the SDL documentation publicly released to date, and other SDL process content presently available to the development community, would become so under a Creative Commons licence.

Here is the specific licence chosen by the MS SDL team. Basically, you can do just about anything with any and all of the resources in the Security Development Lifecycle, except sell them.

Bravo, MS-SDL! Although you probably don't realise how much of my recent work you've obsoleted with this (nonetheless extremely welcome) move. Now I can just replace my own carefully edited SDL guidelines with your originals. Cheers for that.


Antivirus Versus Versatility

Via: ZDNet, others.

In what Kaspersky Lab's Ryan Naraine called "a startling disclosure", Microsoft revealed that four separate zero-day security vulnerabilities, two of which remained unpatched at the time of writing, were exploited by the hackers behind the recent Stuxnet worm attack. Affected systems were brought under the complete control of the attacker, through the exploitation of two, still unpatched, Elevation of Privilege vulnerabilities, by the sophisticated malware.

During the process of patch creation, as well as its preceding research phase, Microsoft worked closely with Kaspersky Lab, who discovered two of the three new zero-day exploits. Initially, Microsoft say, the old Conficker attack vector (vulnerability MS08-067, from October 2008) was targeted; this was backed up by the deployment of a Print Spooler Service zero-day, and a new Windows shortcut (LNK) defect.

Ongoing International Sabotage

This type of combination of attack vectors is rare and likely to remain so. Although the tools to automate it are starting to appear, many experts and researchers believe Stuxnet to be the work of a wealthy nation state, designed ultimately to attack supervisory control and data acquisition (SCADA) systems. More specifically, it appears to be aimed at certain Siemens Simatic SCADA system software, like that used in Iranian nuclear facilities, where more than half the infected sites are found.

With continuing speculation of an Israeli cyberstrike against Iran's burgeoning nuclear programme, and the latter country's recent pleas for outside help fighting the sustained and worsening attacks on its most important military and industrial centres, it's clear this story hasn't yet run its full course.


Google Malware

The Google Code project is Google's official developer site, a fantastic repository-style resource featuring APIs, developer tools and various other technical kit. Including, as the media discovered just this month, the facilities to host and distribute several kinds of malicious Web-based code.

The publication of that already widely known fact (see: Zscaler, cnet/McAfee) to a wider audience was what prompted Websense to look more closely at what's on offer there. One juicy offering they discovered was r57shell, a notorious PHP-based Web console, which has been on open display in Google's window since November 2007. Websense points out that...
This variant was developed by the black-hat community and is also known to be backdoored, which means that some versions are planted with backdoor code, so users of this software themselves are exposed to an attack.
The report, The Ultimate BlackHat Tool Kit hosted by Google Code, includes screenshots of the r57shell source code, which should be of considerable utility to the budding anarchists among you.


Interesting times, Mister Bond.

No comments:

Post a Comment