When Adobe last week issued an advisory about a dangerous zero-day attack based on an unpatched Adobe Reader vulnerability that was being exploited in the wild to try and seize control of both PCs and Macs, it credited Lockheed Martin for sounding the alarm about it.
It's not the first time Lockheed Martin has been known to have come under cyberattack, as happened in May in connection with the RSA SecurID-related advanced persistent threat as we've learned this year. But this week, Lockheed Martin -- perhaps not unlike a modern-day version of Paul Revere -- has done a huge public good in coming forward with reliable information. Once again, U.S. defense contractors are being targeted.
READ MORE: 2011's biggest security snafus
"This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe states in its Dec. 6 advisory.
However, Adobe said it might be into the week of Dec. 12 in which it can issue all the necessary version patches for Adobe Reader 9.x and Acrobat 9x for Windows for this zero-day. Addressing the issue in Adobe Reader X and Adobe Reader X for Windows, Adobe states, "Adobe Reader X Protected Mode and Adobe Acrobat X Protected Mode would prevent an exploit of this kind from executing," and thus Adobe is currently planning to address the issue in the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for Jan. 10, 2012. The Mac versions, as well as Acrobat Reader 9.x for Unix, would also be part of the Jan. 10, 2012, scheduled update, according to the Adobe advisory.
"This is the changing face of what we're seeing. Adobe is not a security company. They're not built to release the patches right away," says Bradley Anstis, vice president of technical strategy at M86 Security. "But this is clearly a targeted attack as a zero-day."
Symantec, in its analysis of the threat, which it links to so-called Sykipot malware, says "the attacks have been long-running, persistent, and targeted, which leads us to believe what whoever is behind the attacks is after data that includes design, financial, manufacturing or strategic planning information. The use of multiple zero-day vulnerabilities over time and the long list of command and control servers also leads us to the conclusion that an organized, skilled group of attackers, not just a single individual, is behind the attacks."
A number of vendors, like M86 Security, claim to detect zero-days through techniques in their products that implement behavior-based rules to detect unusual software-behavior patterns and block attack vectors. But as for Lockheed Martin, the intended victim sounding the alarm, Anstis says, "It's a very good trend."
Microsoft patch happy
Brace for Microsoft's Patch Tuesday next week when Microsoft will patch 20 vulnerabilities in Windows, Internet Explorer, Office and Windows Media Player. Also anticipated is a plug for the Duqu Trojan and various other SSL and TLS weaknesses.
From Computerworld: They're all over the map," said Andrew Storms, director of security operations at nCircle Security, describing the wide range of Microsoft products slated for patching. "It looks like a big cleanup, where they're trying to get as much as they can off their plate before the end of the year." Three of the 14 updates were tagged with Microsoft's "critical" label, the highest threat ranking in its four-step system, while the remaining 11 were marked "important," the second-highest rating.
Anonymous attack on HBGary Federal didn't ruin us, says CEO
Few will forget the devastating online attack by Anonymous in February on HBGary Federal after its then-CEO Aaron Barr publicly said he was infiltrating the shadowy hactivist group online and thus earned the group's swift punishment. Last week we caught up with HBGary CEO Greg Hoglund to ask how the Sacramento-based security firm and the separate company, HBGary Federal, set up as an independent operation with Barr as its CEO in 2009, had fared in the aftermath of the assault by Anonymous. The Anonymous attack hadn't ruined HBGary, Hoglund said. But HBGary Federal, once called a "sister company," is now more like an estranged and distant relative ...
The CNET download uproar
Gordon Lyon, a.k.a. Fyodor, is fiercely complaining about CNET and its download service for wrapping installers around the Nmap security tool. Not only is this equivalent to wrapping malicious code around a security tool he says, "taking someone's work, even if it is open source and free, and using it as a drawing card for your own unrelated commercial purposes, is just plain unfair." He rightly points out that "the worst thing is that users will think we [Nmap Project] did this to them!" The impact of the CNET wrapper, according to Lyon, is "the next time the user opens their browser, they find their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs!"
PICTURE THIS: Steve Jobs gets bronzed
This is a real issue, not a tempest in a teapot. Ms. Smith, privacy columnist, writes, "The same bundled-with-crapware download happened to Wireshark, until the Wireshark open source director sent a cease and desist letter to CBS." CBS owns CNET. Ms. Smith says CNET has so far only responded to her inquiries about this by saying, "We value your comments and have forwarded them on to our managers. Our goal is to make C/Net an easy to use, friendly and safe site that helps people find and learn about the latest tech and consumer electronics."
Desktop virtualization security
This week Kurt Roemer, chief security strategist at Citrix, made the strong case for desktop virtualization as a basis for security in protecting sensitive data. While we tend to hear a lot more about virtualization for servers, it seems that desktop virtualization is also ramping up pretty quickly, with a survey of 1,100 information-technology managers indicating 91% of them either already have desktop virtualization implemented (the study didn't specific what vendor software) or will have by the end of 2013. 33% have already deployed desktop virtualization to a significant level and a further 58% plan to do so before the end of 2013.
Changes coming to the CISO position?
Security analyst Jon Oltsik last week offered a prediction of how the position of chief information security officer (CISO) is likely to evolve in 2012, based on his knowledge and continuous interaction with CISOs in business and government today. Oltsik comments that for a CISO at a large Fortune 500 company today, the role isn't "sustainable" because "CISOs are being pulled in two opposing directions."
One direction, he says, is basically toward managing risk and IT-based business processes that would be the realm of the "chief security officer" interacting with the organization's compliance, legal, public relations and physical security teams. The other direction he says is for a "chief information security technology officer" that would be similar to a chief technology officer. This type of role calls for someone who is not as business-oriented per se, but does "know the IT and security architecture and infrastructure inside and out." Oltsik says these two functional areas would have to work together, but could evolve into separate disciplines in an academic context.
Notable security happenings
• Executives from Microsoft and Google on Thursday gave a glimpse into the size of their privacy organizations, which are required for the companies to try to avoid running foul of complicated U.S. privacy regulations and prepare for changes coming to privacy laws around the globe. Microsoft has 40 people fully dedicated to working on privacy issues and another 400 who might spend some time on privacy, said Michael Hintze, associate general counsel at Microsoft.
• In Channelnomics, Larry Walsh writes about McAfee's recent action cutting its workforce 3% since Intel acquired the security firm.
• There were disputed elections in Russia last week and amid accusations of election fraud, protesters are fired up both on the streets and the Web. The Wall Street Journal writes that the Russian social-networking website called VKontakte, which is part-owned by Mail.Ru Group, said Russia's Federal Security Service (FSB) asked it to block the online activities of political protest groups. Pavel Durov, founder of VKontakte, is quoted as saying publicly his site as a rule would not block the protestors. A spokeswoman for VKontakte is quoted as saying VKontakte got a written request from the FSB to shut down groups that encourage people to "trash the streets, to organize a revolution." But the company reportedly said it wouldn't be fair to shut down opposition groups just because a few people are calling for violence and it would only make sense to block the violent users. According to the WSJ, the VKontakte spokeswoman also said the FSB was not exerting pressure, threats or "rudeness."
Read more about wide area network in Network World's Wide Area Network section.