Archive for November, 2011

Man on hospital data breach charge

A 21-year-old man has been charged with an alleged breach of data protection.

The incident occurred at Edinburgh Royal Infirmary on Wednesday November 16 when a hospital cleaner allegedly used information about a female patient to contact her on Facebook.

NHS Lothian said earlier the man had not breached the hospital’s computer systems.

Jackie Sansbury, chief operating officer at NHS Lothian, said last week: “A full review of our confidential patient record and monitoring system has now been carried out and shows that our systems were not breached by this individual.

“Therefore he had no access to private medical records and information which is protected by a range of complex security systems.

“We understand that this member of contracted staff only gained the patient’s name from an electronic screen for staff showing a floor plan in the treatment area of the accident and emergency department.”

He is scheduled to appear in court at a later date.

Copyright © 2011 The Press Association. All rights reserved.

Article source: http://www.google.com/hostednews/ukpress/article/ALeqM5jH43wRc6uD11xRzBEXiSwKEgqzlQ?docId=N0179901322673760636A

,

No Comments

HIV/AIDS programs focus on SC youths

“There’s a national effort to encourage people (age 18-25) to be tested,” Gaddist said. “We want to invest in people knowing their status.”

Overall, HIV/AIDS rates in South Carolina have fallen in the past decade, from 23.8 new cases diagnosed per 100,000 population in 1999-2001 to 17.4 per 100,000 in 2008-2010, according to DHEC statistics. But rates have risen slightly in younger age groups, specifically ages 13-19 from 8.1 per 100,000 to 12.6 and ages 20-29 from 37.2 per 100,000 to 41.6.

The council’s mobile testing van makes frequent stops at colleges, including USC, Benedict, Allen, Columbia, S.C. State, Vorhees, Morris and Coastal Carolina. Those visits “have been very fruitful,” Gaddist said.

The reality is that nearly 15,000 people are known to be living with HIV/AIDS in South Carolina, and DHEC estimates that one new infection occurs in the state every nine hours.

“Most people in the early stages of HIV infection have no symptoms,” said Janet Tapp, director of DHEC’s STD/HIV Division. “Early diagnosis can link people to services that will help them stay healthy longer .. and help prevent transmission to others.”

The S.C. HIV/AIDS Council uses several methods to get past the tendency of college kids to avoid concerns about their health. They encourage council internships, thus recruiting young people with professional health care aspirations to get the message out to other students.

The council also uses Facebook and Twitter, and it takes the testing van to nightclubs several times each year. Popular bars agree to allow the van to park outside on busy nights.

“They’re concerned about their clientele,” Gaddist said. “By being outside the clubs, we get (young people) where they are and expose them to the information.”

Council workers hand out pamphlets with information about HIV, a virus that weakens immune systems and can lead to AIDS, a complex illness that once meant an early death but now can be managed with medication. The most common methods of transmission between adults are through sexual contact or shared use of needles.

Recognizing their message can be a downer to college kids heading out to a bar, council workers often resort to incentives. For instance, kids who get tested outside bars in the winter might get a raffle ticket for a pair of gloves or a coat.

The council, formed in 1994, relies on a variety of funding sources, most of which have been reduced or eliminated in recent years. The state Legislature this year cut all funding for Project FAITH, an effort to encourage HIV prevention and testing through churches.

But the council’s work recently was buoyed when it was one of 34 organizations nationally selected for a $300,000 grant from the federal Centers for Disease Control and Prevention to focus prevention and testing efforts among young gay men. That is one group where the incidence of HIV is growing in South Carolina, from 457 cases in 1999-2001 to 691 in 2008-2010, according to DHEC statistics.

That increase, and the jump among young people in general, doesn’t bode well for the future.

“This state cannot afford to not keep this disease in check,” Gaddist said. “If we don’t put more emphasis on this, we’re laying a foundation for much greater problems. One of our goals for 2012 is to reopen a conversation with our Legislature about prevention programs.”

Article source: http://www.heraldonline.com/2011/11/30/3562585/hivaids-programs-focus-on-sc-youths.html

, ,

No Comments

Amazon Assures Congress It Guards User Privacy on Silk Browser, Kindle Fire

In a letter to Congress, Amazon assured lawmakers that its
Silk Web browser used by the Kindle Fire tablet doesn’t violate user privacy.

The Silk browser will only aggregate browsing activity
across all users and browsing activity would not be linked to individual Kindle
fire users, Paul Misener, vice-president for global public policy at Amazon,
wrote in a two-page
response to questions
from Rep. Edward Markey (D-Mass). Markey’s office
released the copy of the Nov. 3 letter on the Congressman’s Website on Nov. 29.

Markey’s Oct.
14 letter to Jeff Bezos
, CEO of Amazon, asked for clarification on how the Silk
Web browser on the Kindle Fire tablet would protect user privacy while routing
all user traffic through Amazon Web Services. User privacy needs to be
protected and safeguards are in place so that consumers know how their personal
information is being used, Markey said. The Kindle Fire, announced in
September, started shipping mid-November.

“Amazon’s responses to my inquiries do not provide
enough detail about how the company intends to use customer information, beyond
acknowledging that the company uses this valuable information,” Markey
said, adding that he plans to ask additional questions.

To speed up the user’s Web browsing experience on the Kindle
Fire, Amazon has implemented the SPDY protocol to route all requests through
its cloud infrastructure, which caches various parts of Websites, pre-renders
and pre-fetches content, and performs some server-side processing. The Silk
browser can be switched to “off-cloud” mode to behave like a regular
Web browser with Web requests hitting target servers directly, but the redirect
through Amazon servers is the default behavior.

With Web requests from Kindle Fire users routing through
Amazon, the online retail giant would have access to a treasure trove of data
on users’ Internet activity. Misener likened the process to the type of Web
acceleration performed by “Internet service providers and similar services
that enable access to the Web.”

Markey was concerned about what kind of information was
being cached and what Amazon was going to do with the information. “Consumers
may buy the new Kindle Fire to read ‘1984’, but they may not realize that the
tablet’s ‘Big Browser’ may be watching their every keystroke when they are
online,” Markey said in the initial letter.

Amazon will cache Web content on its servers only if the
Website owner has enabled caching on the site through caching headers and only
the content that has been explicitly identified, the company said in its
letter. All encrypted SSL traffic will continue to go directly from the tablet
to the Website servers and not pass through Amazon’s infrastructure, Misener
wrote, quoting the Silk
browser FAQ
almost verbatim. This means private data, such as login
information into banking Websites, will not be visible to Amazon.

Misener also wrote that Silk encrypts all Web traffic
between the Fire and the Amazon Web Services infrastructure, “even where
traditional browsers would not encrypt.”

“This means you actually gain some privacy and security
when using unencrypted public WiFi at the airport, cafe or hotel,” wrote
Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked
Security blog.

Web addresses will be logged for 30 days and will not be
associated with specific customers, Amazon wrote in the letter. Amazon had
previously told the Electronic
Frontier Foundation
the logs will contains only the URL, a timestamp and a
session identifier token. This will give Amazon only aggregate information
about Internet browsing habits, but the company did not specify how it will be
used beyond saying it had no plans to sell or rent the data.

“Customer information is an important part of our
business and an important driver of customer experience and future
invention,” Amazon said.

The
Silk Terms and Conditions
said the Kindle Fire would send crash reports to
Amazon with identifiers such as IP and MAC addresses. Misener said these
reports are not associated with the aggregate browsing history. Amazon has
previously assured the EFF there was no way to associate the logged information
with a particular user or account.  

Amazon is collecting a “massive amount of
information” and it has a responsibility to be transparent, Markey said.

Markey, co-chairman of the bipartisan Congressional Privacy
Caucus and a senior member of the Energy and Commerce Committee, introduced the
“Do Not Track Kids Act” bill in the House of Representatives to
protect online privacy of children and teens earlier this year.

 






Article source: http://feeds.ziffdavisenterprise.com/~r/RSS/eweeksecurity/~3/LDBASD_bsY8/

,

No Comments

Security firm: Santa’s Workshop hacked, Naughty/Nice data stolen

Santa’s Workshop is the latest victim of a high-profile, high-value data breach following an intrusion that allowed thieves to make off with the contents of Christmas-critical data including the highly sensitive Naughty/Nice list for 2011, according to a press release posted yesterday by New York-based database security and intrusion-prevention software developer Application Security, Inc.

The Naughty/Nice database included details of the 2011 naughty/nice track record for millions of children and adults as well as their names, street addresses, email addresses and other contact information.

The user data, paired with logistical data such as Santa’s secret delivery routes and methods, lists of requests from both children and adults, presents designated for those on the right side of the Naughty/Nice divide and details of what the Naughty did to deserve their lumps of coal.

Data so complete could be used either to harass or prevent Santa’s own progress at Xmas, North Pole sources confirmed. It could also be used to identify the Nice who are scheduled to receive the best presents and target them for post-Xmas burglaries or mail theft.

Details from the Naughty list could be used either to blackmail those on the list, or to prequalify those who are the right kind of Naughty as potential targets for hackers seeking mates or dates for themselves.

“Our entire organization has been compromised,” according to a quote within the release that was attributed to a Mrs. Claus, COO for Santa’s Workshop.”Due to the sensitive nature of the data jeopardized by this breach, Santa’s Workshop and its thousands of employees face the very real prospect of being shut down.”

Only hackers with no sense of conscience, propriety, or fear of being naughty-listed could have been so crass as to attack Santa’s Workshop during the final run-up to Xmas, raising the annual stakes in the race to save Christmas.

Suspects include disgruntled database admin Hermey– the malcontent-elf-turned-dentist portrayed in Rudolph the Red Nosed Reindeer – the allegedly non-human, yeti-like mythical creature known as The Grinch as well as the hacktivist group Anonymous, the leading Usual Suspect scapegoat for high-profile digital crimes, at least within the U.S. and Britain.

Internet is new source of Xmas peril

Though considered a generally benign, non-controversial holiday – unlike European Druidic rites that form the basis of much of its imagery – Christmas is discovered to be under threat in every one of hundreds of childrens’ Christmas-season TV specials every year.

Somehow Christmas is always saved in the end, but that involves only threats presented on television.

A more concrete threat to Santa comes in the form of the annual, highly detailed, resource-intensive effort by NORAD to track Santa from initial takeoff to final landing during his annual 24-hour gift-delivery marathon. NORAD is a U.S. military agency responsible for monitoring locations, takeoff and flight of intercontinental ballistic missiles and helping direct anti-missile weapons systems.

The details and data NORAD provides on Santa’s location, speed and direction are more than sufficient for military or terrorist organizations to target the flying sleigh with anti-aircraft weapons, though no such attempt at direct attack has yet been attributed to the exposure by NORAD.

Threats to Christmas coming via the Internet are relatively new, especially threats involving peculiarly digital schemes and techniques such as remote-access digital espionage and sabotage, according to Xmas security analysts.

Efforts by Santa’s Workshop to keep up with the times by automating its supply chain, shifting to a cloud-computing infrastructure, digitizing the collection and analysis of naughty/nice data and even logistical planning for the big annual trip itself all made the Workshop more vulnerable to a new generation of skulking culprits and new vectors of attack, at least compared to the days when all data was hand-written on vellum using quill pens filled with red or green ink, Santa security specialists said.

Even Application Security, which announced the breach and claims to have been contracted to investigate the incident, identify the culprits and repair the damage appears to be trying to exploit the potential Xmas disaster for its own benefit.

The company announced it will conduct a webinar series in which its intrusion-prevention experts will present their analysis of some of the record number of high-profile data breaches during 2011 in order to map out best practices and advice to help other companies avoid being victimized.

The series “will explore some of the most common attack methods, the patterns and warning signals that can be readily detected and tips for how organizations can stop attempts to compromise sensitive data assets,” the obviously self-serving announcement read.

AppSec did not describe whether details of the attack on Santa’s Workshop would be presented in the webinars, whether AppSec analysts would reveal clues to the identity of the culprits, or whether the free webinars would include any cookies and milk for the participants.

The webinars will be held daily from 2 p.m. to 2:30 p.m. from Monday, Dec. 12 through Friday, Dec. 15.

The company also promised “prizes” for participants, though these turn out mostly to be copies of one of five Christmas movies – none of which contain any significant instructional hacking or digital security content – or an AppSec T-shirt.

Anyone who attends all the seminars will be entered in a drawing for an Apple iPad.

There is no indication from AppSec whether winners of the iPad, shirts or movies will have to qualify as Nice in order to be eligible to win.

Read more of Kevin Fogarty’s CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

Article source: http://www.itworld.com/security/229063/security-firm-santas-workshop-hacked-naughtynice-data-stolen

,

No Comments

TCNJ reports breach in student database – The Star-Ledger

tcnj.jpgThe College of New Jersey in 2006.

EWING — Officials at The College of New Jersey this week reported an unintentional data breach in the On-Campus Student Employment System, an in-house system designed to store information about students applying for on-campus jobs.

According to a notice sent to students and faculty Monday, a vulnerability in the system was identified Nov. 2 by a student who applied for a position and accidentally viewed the personal information of 12 other students. The student reported the incident, officials said, and the system flaw was repaired within hours.

“Though there is no indication that any of the additional 12,815 records contained in the system were accessed by any unauthorized individual,” the statement read, “the possibility exists that the database could have been accessed through this vulnerability.”
In accordance with the “New Jersey Identity Theft Protection Act,” TCNJ officials notified the State Police, which to date has not found any evidence that data had been extracted from the system.

Notification letters have been sent to all students whose information could have been exposed, and the school has contacted the 12 known individuals whose information was breached. Those included in the database have been offered a one-year membership to a credit monitoring service, and a toll-free hotline was established.

Those affected who wish to speak with someone at TCNJ are encouraged to contact College Relations at (609) 771-2218.

The in-house system was built in 2002.

Contact David Karas at (609) 989-5731 or [email protected]

Follow the Times of Trenton on Twitter.

Article source: http://www.nj.com/mercer/index.ssf/2011/11/tcnj_reports_breach_in_student.html

,

No Comments

AVMA PLIT announces insurance for data breaches

AVMA PLIT announces insurance for data breaches

Printer-friendly version

The AVMA PLIT announced in October that it is now making available insurance coverage for data breaches, a relatively new offering in the marketplace.

The Trust, which provides professional liability insurance for veterinarians, defines a data breach as an event in which personally identifiable information in electronic or paper format is at risk of exposure.

Data breaches include loss, theft, accidental release, or accidental publication of personally identifiable information. Such information includes full names, Social Security numbers, bank account numbers, email addresses, driver’s license numbers, and credit and debit card numbers.

Insurance for data breaches provides coverage for legal and forensic services, public relations and crisis management, notification expenses, and defense and liability expenses. Preventive risk management resources also are available.

Coverage for data breaches is available through PLIT-sponsored business insurance carriers as an endorsement to a package policy or as a stand-alone policy.

Return to top

Article source: http://www.avma.org/onlnews/javma/dec11/111215i.asp

,

No Comments

SafeStick Helps Firms Avoid Data Breach and Protect Personal Information as …

SafeStick Helps Firms Avoid Data Breach and Protect Personal Information as Required by the DPA

IT Governance Ltd, the one-stop shop for information security and data protection compliance products, is reminding organisations that failure to encrypt confidential data, stored on USB sticks and laptops, is a breach of the Data Protection Act (DPA).

November 29, 2011 /24-7PressRelease/ — IT Governance Ltd, the one-stop shop for information security and data protection compliance products, is reminding organisations that failure to encrypt confidential data, stored on USB sticks and laptops, is a breach of the Data Protection Act (DPA).

A recent report from Big Brother Watch uncovered ‘more than 1,000 incidents across 132 local authorities, including at least 35 councils which have lost information about children and those in care’. A total of 435 of these cases involved the loss or theft of unencrypted USB sticks, laptops or mobile devices.

Speaking to the SCO Online, the ICO’s Acting Head of Enforcement, Sally Anne Poole, stated that the ICO’s position on encryption is clear:

“All personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily”.

Data protection and compliance experts, IT Governance, recommend the use of the CESG-approved SafeStick which is an enterprise-level secure USB with encryption hardware: www.itgovernance.co.uk/products/3641. It is the preferred government and enterprise USB stick, and the one chosen by the UK’s National Health Service (NHS), with over 1 million already in use.

The SafeStick makes it easier for organisations to ensure that their confidential data is protected (www.itgovernance.co.uk/products/3641). It includes lockdown protection and remote wipe, so confidential data will never be exposed. Moreover, any personal information saved on it is protected, as required by the DPA.

The encryption function of the SafeStick is also in line with the ISO27001 control A.10.7.1. It specifically deals with management of removable media and any organisation implementing this control must (amongst other things) use encrypted memory sticks.

Organisations can order the SafeStick online here: www.itgovernance.co.uk/products/3641. Bulk volumes can be purchased directly from the friendly and helpful IT Governance service centre team on telephone number +44 (0)845 070 1750. Larger organisations can make purchases with a purchase order either by telephone, or by e-mail to [email protected]

FOR FURTHER INFORMATION

Desi Aleksandrova

Marketing Executive

+44 (0) 845 070 1750

[email protected]

NOTES TO EDITORS

IT Governance Ltd is the one-stop-shop for books, tools, training and consultancy for governance, risk management and compliance. It is a leading authority on data security and IT governance for business and the public sector. IT Governance is ‘non-geek’, approaching IT issues from a non-technology background and talking to management in its own language. Its customer base spans Europe, the Americas, the Middle East and Asia. More information is available at www.itgovernance.co.uk.

Press release service and press release distribution provided by http://www.24-7pressrelease.com

Article source: http://www.einnews.com/247pr/249824

,

No Comments

Patients Sue Sutter Health Over Data Breach Involving 4.24 Million People

Sutter Health, a hospital system in Northern California, faces two class-action lawsuits from patients for leaving the information of 4.24 million people vulnerable to exposure.

During the weekend of Oct. 15-16, a rock was thrown through the window of Sutter’s administrative offices in Sacramento, Calif., and then a desktop PC along with monitors, mice and keyboards were stolen, Nancy Turner, a spokesperson for Sutter Health, told eWEEK.

Although no medical data or Social Security numbers resided on the PC, the computer did store some personal information, Sutter Health reports.

The PC theft exposed personal information for about 3.3 million patients of Sutter Physician Services (SPS) from 1995 to January 2011, including name, address, date of birth, phone number and email addresses (for those that provided them). SPS provides billing and managed care services for health care providers affiliated with Sutter.

Meanwhile, information regarding medical diagnoses and procedures for about 943,000 Sutter Medical Foundation patients from January 2005 to January 2011 also was exposed in the breach. Sutter Medical Foundation is a network of doctors working in Placer, Sacramento, Solano, Sutter, Yolo and Yuba counties.

The law firm Harris Rubel filed a suit on Nov. 16 against Sutter Medical Foundation and Sutter Physician Services on behalf of patient Javier Garcia, claiming that the health organization didn’t effectively secure patients’ data.

“Securing equipment and encrypting data were not a priority for Sutter, and now patients will have to worry about what medical or insurance information is out there for others to view,” attorney Alan Harris said in a statement.

Since 2007, Sutter had been encrypting laptops and BlackBerry devices, but had only recently begun encrypting desktops, according to Turner. The priority was to encrypt the portable devices first, Turner said.

“We were in the process of encrypting the desktops when this theft occurred,” she said. Although the stolen PC was unencrypted, it was password-protected, Turner noted.

Robert Buccola of law firm Dreyer Babich Buccola Wood filed another suit on Nov. 21 in Sacramento Superior Court on behalf of patient Karen Pardieck, the Sacramento Bee reports. The lawsuit is asking for $1,000 for each affected individual plus attorneys’ fees.

Sutter reported the theft to police on Oct. 17 immediately after discovering the theft. The Sacramento Police Department is investigating.

The health system sent letters to patients beginning on Nov. 15 at a rate of 150,000 a day to notify them of the PC theft and data breach, Turner said. As of Nov. 29, all letters had been mailed, and patients should receive them by Dec. 5, she added.

“We’ve been telling folks (that) patients would be receiving letters no later than Dec. 5 in case there’s a delay in finding the patient,” Turner said. Sutter didn’t notify patients sooner because the health system was trying to determine the contents of the PC, she added.

“People felt that 30 days was not adequate and that they should have been notified as soon as possible,” she said.

“We had a dedicated team of people working to determine exactly what was on the computer, and that took some time,” Turner explained. “If we had notified them before we had found out that information, that wouldn’t have managed [patients'] anxiety at all.”

As part of its response to the breach, Sutter has set up a toll-free number (855-770-0003) for concerned patients to obtain information.

Pat Fry, president and CEO of Sutter Health, expressed regret regarding the incident in a video on the company’s Web site. “We take our responsibility for providing quality care extremely seriously, and that includes protecting our patients’ personal and medical information,” Fry said.

Federal laws under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act require health organizations to notify individuals within 60 days of a data breach.

The Sutter data breach is the latest incident involving health organizations losing data.

In fact, 71 percent of health care organizations have suffered at least one data breach within the past year, according to a study by Veriphyr, a software-as-a-service data-analytics application provider.

On Sept. 29, Tricare, a health care services provider to active and retired military personnel, disclosed that its contractor, Science Applications International Corporation (SAIC), had potentially exposed data for 4.9 million patients when backup tapes were stolen from a car in San Antonio, Texas.




Article source: http://www.eweek.com/c/a/Security/Patients-Sue-Sutter-Health-Over-Data-Breach-Involving-424-Million-People-413481

,

No Comments

Keep Your Smartphone Secure And Free From Mobile Hackers

With the number of smartphone users rising and apps becoming ever more popular, it has been overlooked by many the possibility of becoming a victim from mobile hackers or even malware.

For many it’s still hard to believe the power that smartphone’s on the current market have. Most handsets are more powerful than desktops that were in use only 10 years ago. Because of this it would appear impossible that similar vulnerabilities that computers face on a day to day basis would become a problem on their mobile phone.

Smartphones are now part of everyday life that includes online banking, business calls and many other applications it’s easy to see why hackers and scams try to capture the valuable information that we all carry around with us, at all times.

What Are The Threats?

Smartphone users tend to have increased activity for internet usage. With the possibility of clicking a malicious link to using the handset to insert bank details, there are many simple ways that appear to be harmless but could in fact place important information into the hackers hands.

Another recent activity carried out by hackers is by creating apps that can be downloaded for free on the many different app stores that will have a virus included within the app download. Once the app is installed and opened the virus will become active. There are apps that currently cause anyone who downloads them to send texts to a premium rate service, costing up to £6 per message, without the user knowing. This kind of scam appears to be prevalent and has shocked many bill payers at the end of the month.

Simple Security Steps

To help avoid all the current scams and being targeted there are many different kinds of techniques that can help prevent from having eye watering bills at the end of each month.

Firstly, only ever download or buy apps from official and reputable app stores. This will help dramatically reduce the likeness of becoming a victim of any kind of scam, since this is one of the easiest ways for hackers to access handsets.

Also, never attempt to jailbreak the smarthphone at any time, doing so can help anyone run unauthorised software on the handset but this unauthorised software may be infected with malicious software. Usually from an unknown source. Not forgetting that it will null the phone’s manufacturers warranty.

Never use an unsecured WI-FI hotspot to access personal or private information and be wary that by using these hotspots every smartphone may be vulnerable to hackers trying to receive data from the handset. And remember to always turn of the WI-FI and Bluetooth whenever not in use as not only will this prevent access to hackers but will also greatly increase the phones battery life.

Another way to remain secure is to install a virus software programme. By doing so can help review current app permissions and make sure there is no unexplained activity in the background and also help create further peace of mind.

Lastly, always remember to view each monthly bill to ensure there is no suspicious activity that may be similar to that of any malicious activity being present.

Therefore with such great advances in technology creating major time saving techniques, it would appear impossible to live without smartphones. From mapping out your travels on holiday, sourcing a near by restaurant wherever you are and achieving cheap calls to Spain and many other countries within a few actions. Just remember to keep it secure and free from any attempt of hacking.

Article source: http://cmvlive.com/technology/gadgets/keep-your-smartphone-secure-and-free-from-mobile-hackers

, ,

No Comments

Cyber-Attackers Successfully Exploiting Java Flaw in Outdated Software

Cyber-attackers
continue to target vulnerabilities in Java, even the ones that Oracle has
already patched, because end-user systems aren’t being properly updated,
Microsoft warned.

“Between
one-third and one-half” of all attacks detected and blocked by Microsoft’s
security software from the beginning of July 2010 to the end of June 2011 were
Java-based, Tim Rains, a director of Microsoft’s Trustworthy Computing group,
wrote Nov. 28 on the Microsoft Security blog. Microsoft’s anti-malware
technologies blocked more than 27.5 million Java exploits over a 12-month
period, many of which had been patched at least a year ago, Rains said.

Microsoft
researchers have noted in previous Security Intelligence Reports that attacks
targeting Java exploits have been increasing, and they surpassed
Adobe-related attacks
in volume last year. The latest volume of the
Microsoft Security Intelligence Report, volume 11, found that the most commonly
observed type of exploits in the first half of 2011 targeted Oracle’s Java Runtime
Environment (JRE), Java Virtual Machine (JVM) and Java SE in the Java
Development Kit (JDK).

“Attackers
have been aggressively targeting vulnerabilities in Java because it is so
ubiquitous,” Rains said, noting that Oracle claims over 3 billion devices
run Java.

The
most commonly blocked attack in the first half of 2011 exploited a JRE bug
discovered and patched in March 2010. The exploits first appeared during the
fourth quarter of 2010, at least six months after the patch was released, and
increased “tenfold” in the first quarter of 2011, according to Rains.
The second most commonly blocked exploit relied on a JVM flaw that allowed an
unsigned Java applet to gain elevated privileges outside the Java sandbox and
exists in JVM 5 up to update 22 and in JVM 6 up to update 10. It was patched in
December 2008. Others on the list included a JVM bug patched by Sun
Microsystems in November 2009 and a different JRE flaw patched by Oracle in
March 2010.

“Once
attackers develop or buy the capability to exploit a vulnerability, they
continue to use the exploit for years, presumably because they continue to get
a positive return on investment,” Rains said, noting that this tactic is
not unique to Java flaws, but in “all prevalent software.”

System
administrators and users should regularly update Java and keep up with the
updates, Rains said. Some environments may have systems running different
versions of Java, as well.

Some
security experts recommend not installing Java by default and limiting the
installation to only those systems that actually require it. “Most people
aren’t using Java these days, and it reduces the attack surface for exploits
delivered over the Internet,” said Chester Wisniewski, a senior security
adviser at Sophos. “Less software plugged” into the browser means
less chances for an attack to succeed, he said.

Security
analyst and writer Brian Krebs recently uncovered an instance of malware exploiting
an already patched Java flaw, with the resulting exploit being bundled with a
crimeware kit available for sale on criminal underground forums.

The
new Java exploit is being distributed as a free add-on to existing owners of
the BlackHole crimeware kit, or priced at $4,000 for new owners. A three-month
license for the crimeware kit itself costs $700, and hosted servers running the
malware toolkit are also available, according to the post on Krebs on Security.

Java
exploits are “notoriously successful” when bundled with commercial
exploit packs, according to Krebs. Cyber-attackers can use the BlackHole kit,
which extensively uses Java flaws, to launch malicious Websites that can
download malware on unsuspecting site visitors running an outdated version of Java,
he said. Even though it is a relatively new malware toolkit, BlackHole has
become one of the more popular exploit kits this year, according to security
experts.

This
particular vulnerability exists in the Java Runtime Environment Component in
older versions of Oracle Java, namely Oracle Java SE JDK and JRE 7 and Java 6
Update 27 and earlier. Users with the latest version of Java, such as Java 6
Update 29 or Java 7 Update 1, are not affected. Oracle patched this flaw in
mid-October with 19 other script engine bugs.






Article source: http://feeds.ziffdavisenterprise.com/~r/RSS/eweeksecurity/~3/RDxDjQknhQQ/

,

No Comments