October 24, 2007
Adobe Fixes Vulnerability But Problems Persist in the Wild
On Monday, Adobe released a patch for a vulnerability in Adobe Reader (versions 8.1 and earlier, and 7.0.9 and earlier) disclosed by U.K.-based researcher Petko Petkov. The flaw lets a specially crafted PDF run commands on a Windows machine, so a malicious PDF can take over the system, disable security controls and download additional malware.
Although the patch was issued on Monday, the problem persists in the wild, since many users don't update their Adobe Reader regularly (guilty as charged!). Symantec has identified the threat as Trojan.Pidief.A. The rogue PDF is attached to spammed e-mail and arrives with a file name such as YOUR_BILL.pdf or INVOICE.pdf, according to Symantec.
Here are a few suggestions from Symantec to protect yourself:
- Apply the patches Adobe has issued.
- Block the delivery of PDF files by e-mail.
- Advise employees not to open PDF files from unknown or untrusted sources.
- Block access to the network and IP address involved in this attack.
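The second suggestion is easy to get wrong if the gateway only looks at file extensions. Here is an added example (my code, not from the original post or from Symantec) of a mail-gateway style check that identifies PDF attachments by content, the %PDF- header, rather than by name, so a lure that has been renamed to hide its type is still held, and separately flags the file names the post quotes for this spam run. The sample messages, addresses and the tiny fake PDF are constructed for the demonstration.

```python
# Added example (mine, not from the original post or from Symantec): a
# mail-gateway style check that implements the "block PDF delivery in e-mail"
# advice.  It identifies PDF attachments by content (the %PDF- header) rather
# than by file name, so a lure renamed to hide its type is still caught, and it
# separately flags the file names the post quotes for this spam run.
import email
import re
from email import policy
from email.message import EmailMessage

PDF_MAGIC = b"%PDF-"
# File names quoted in the post for the Trojan.Pidief.A spam run.
LURE_NAMES = re.compile(r"^(YOUR_BILL|INVOICE)\.pdf$", re.IGNORECASE)


def is_pdf(payload: bytes) -> bool:
    """A real PDF carries %PDF- in its first bytes (readers tolerate a little
    leading junk, so look in the first 1 KiB rather than at offset 0 only)."""
    return PDF_MAGIC in payload[:1024]


def scan_message(raw: bytes) -> dict:
    """Inspect one RFC 822 message and decide whether a gateway should hold it.

    Returns {"block": bool, "findings": [...]}, one finding per suspicious part
    with the reasons it tripped.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if is_pdf(payload):
            reasons.append("pdf-by-content")
        if name.lower().endswith(".pdf"):
            reasons.append("pdf-by-name")
        if LURE_NAMES.match(name):
            reasons.append("known-lure-name")
        if reasons:
            findings.append({
                "filename": name,
                "content_type": part.get_content_type(),
                "reasons": reasons,
            })
    return {"block": bool(findings), "findings": findings}


def build_sample(filename: str, body: bytes, subtype: str = "octet-stream") -> bytes:
    """Constructed test message (addresses are placeholders, not real senders)."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Your bill"
    m.set_content("Please find your invoice attached.")
    m.add_attachment(body, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Constructed minimal PDF-looking payload; it is not a working document.
    fake_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    print(scan_message(build_sample("INVOICE.pdf", fake_pdf, "pdf")))
    print(scan_message(build_sample("report.dat", fake_pdf)))      # renamed, still caught
    print(scan_message(build_sample("notes.txt", b"plain text")))  # clean, passes
```

The content check is the part that matters: the lure-name regex only catches this week's spam run, while the magic-byte test holds any PDF no matter what it is called, which is what a blanket "block PDFs" policy actually requires.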
Posted by andreyee in Alerts/Warnings
October 17, 2007
Ann Coulter Hacked
First, it was Paris Hilton's cell phone. Then some mischievous hacker compromised Carrie Underwood's MySpace account. Now Ann Coulter, the controversial conservative talking head, joins a growing list of celebrities, including Madonna, who have been "victimized" by hackers.
Apparently hackers have cracked Ann Coulter's website and posted a fake message offering apologies for her recent comments and announcing her retirement as a media talking head. Here's the fake message:
An Open Letter to Readers
by Ann Coulter
October 15, 2007
Dear Readers,
I've been participating in a charade for nearly eleven years, now. Quite frankly, I'm sick of it. You have all been a part of a sick joke that I began considering shortly after first getting on the air. At first, it was quite interesting to see how people would react when I would use twisted logic and poorly masked bigotry.
But eleven years is a long time to be living a fake life, and I can no longer tolerate this falsity. Even someone as fake as I tires out eventually.
Here's the truth, I don't care what people believe. Jews don't need to be "made perfect" as I so arrogantly proclaimed to Editor & Publisher not a half week ago. I don't even care if people are Muslim. Granted, I don't know much about the religion or the people, but they are people. This is something that we cannot forget, they are in an abhorrent situation. These people are in need of education. Perhaps if we did not participate in causing them misery, they would not hate us so.
In fact, does it really matter whether we are Christian, Jewish, Muslim, Atheist, or even Pagan? We are one nation. One. We should not let petty differences separate us, we are all American, and should act in that manner.
And with that, my precious viewers, I bid you adieu. My career as a media figurehead is over.
Signed,
Ann Coulter
P.S. - Oh, and Bill O'Reilly is also just acting.
[From the hackers:] Haha, did it again. Oh, those silly web admins...they just embarrass themselves.
(Admins, check for an e-mail address in the CMS. Find it. I know you will.)
It's tough being a celebrity these days. Never mind the paparazzi, now hackers are out to get you.
Posted by andreyee in Odds and Ends
October 11, 2007
Social Networking Versus Corporate Security
On the hype scale, social networking is red hot. Facebook, MySpace and LinkedIn are all examples of the force-multiplying network effect of Web 2.0. Yet as Peter Schoof reported last week, there is healthy debate over whether these sites should be permitted in the corporate environment.
Social networking sites pose yet another security issue for security managers today, courtesy of the Web 2.0 model. While some of these sites, like LinkedIn, have distinct business applicability and value, others clearly emphasize the purely "social" part of the equation.
Should security or IT managers even be concerned about whether employees are accessing these sites? Here are a couple of things to consider:
1. Social networking sites are increasingly targets for new exploits, especially cross-site scripting (XSS) attacks. Like many Web 2.0 sites, social networking apps are ripe for client-side attacks. For instance, in November 2006 an XSS exploit targeting MySpace replaced the site's navigation menu, enabling an attacker to redirect users to a spoofed web page.
2. Social networking sites can be a platform to launch attacks. Because they drive so much traffic, they make effective launch points for attacks targeting other platforms or components. Over a year ago, a banner advertisement running on MySpace exploited the Windows Metafile (WMF) vulnerability to infect more than a million users with spyware.
3. Social networking sites can compromise privacy or proprietary information. What you do on a site is information the site controls and could expose. Case in point: last year Facebook added a feature called News Feed that exposed users' activity and behavioral information without their explicit consent. The outrage from users was predictable and the problem was addressed, but it is a clear lesson for all users.
4. Social networking sites may be costing businesses millions in lost employee productivity. Given social networking's overwhelming popularity, many of these sites have become a source of lost productivity as employees visit them during work hours. As reported in this article, a study commissioned by a UK law firm found that Facebook is costing British firms 130 million pounds ($264M) in lost productivity every day.
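Point 1 deserves a concrete look, because the navigation-menu replacement is a textbook stored XSS: whatever a user types into a profile field is later served to everyone who views the profile. The following is an added example (my code, not from the original post or from any of the sites it names) that renders the same profile field two ways, once concatenated straight into the page and once escaped, and shows why a user-supplied link needs a scheme check on top of escaping. The NAV markup, the payload and the example.net host are constructed for the illustration.

```python
# Added example (mine, not from the original post or from any site it names):
# the same profile field rendered two ways.  A stored XSS in a profile page is
# exactly the class of bug that lets injected markup replace a site's navigation
# with links to an attacker's page.  NAV, PAYLOAD and the example.net host are
# constructed for illustration.
import html
from urllib.parse import urlparse

NAV = ('<ul id="nav"><li><a href="/home">Home</a></li>'
       '<li><a href="/mail">Mail</a></li></ul>')

# Constructed payload: hide the real menu and draw a look-alike that points at
# a hypothetical phishing host.
PAYLOAD = ('<style>#nav{display:none}</style>'
           '<ul><li><a href="http://login.example.net/">Home</a></li></ul>')


def render_profile_vulnerable(about_me: str, homepage: str) -> str:
    """User text concatenated straight into the page: markup in it becomes
    part of the document, and a javascript: homepage runs when clicked."""
    return (f'<div id="page">{NAV}<div id="about">{about_me}</div>'
            f'<a href="{homepage}">homepage</a></div>')


def safe_link(url: str) -> str:
    """Attribute context: escaping alone does not stop javascript: or data:
    URLs, so allow only absolute http(s) links and neutralise anything else."""
    url = url.strip()
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return "#"
    return html.escape(url, quote=True)


def render_profile_safe(about_me: str, homepage: str) -> str:
    """Escape text for the element context and validate the link separately."""
    return (f'<div id="page">{NAV}<div id="about">{html.escape(about_me, quote=True)}</div>'
            f'<a href="{safe_link(homepage)}">homepage</a></div>')


# Number of tags the template itself emits with harmless inputs.
TEMPLATE_TAGS = render_profile_safe("", "http://example.com/").count("<")


def injected_tags(rendered: str) -> int:
    """Tags beyond the template's own; 0 means nothing user-supplied became markup."""
    return rendered.count("<") - TEMPLATE_TAGS


if __name__ == "__main__":
    bad_link = "javascript:alert(document.cookie)"
    print(injected_tags(render_profile_vulnerable(PAYLOAD, bad_link)))  # > 0
    print(injected_tags(render_profile_safe(PAYLOAD, bad_link)))        # 0
    print(render_profile_safe(PAYLOAD, bad_link))
```

Two separate defences are at work: html.escape handles the element context, where the attacker's style and list markup would otherwise hide the real menu, and safe_link handles the attribute context, where an escaped javascript: URL is still a javascript: URL. Escaping everything with one function is the usual mistake that leaves the second hole open.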
Should companies be blocking social networking sites as a matter of practice? Perhaps not. But there's certainly ample reason to be concerned from a security perspective.
Posted by andreyee in web 2.0
October 03, 2007
How Web 2.0 is Challenging Corporate Security
The emergence of Web 2.0 is one of the greatest challenges for corporate security managers today. One primary reason it poses such difficulty for the traditional security model is the unregulated way Web 2.0 applications are deployed and used in the corporate environment. It's what some have termed the "consumerization of IT": the trend of end users adopting Web 2.0 tools and applications at home and then bringing those same tools into the corporate environment.
Examples? Instant messaging and Skype are just two peer-to-peer (P2P) technologies that found traction in the consumer world and are increasingly used in the corporate environment. More apps and tools are being used every day without the awareness, much less the consent, of security managers. The reality is that most security organizations have little to no ability to limit or monitor their use, and the implications for security can be staggering. For instance, P2P file-sharing tools like LimeWire and BearShare have been implicated in a number of highly publicized breaches in which proprietary and private data was exposed, typically because a misconfigured client shared far more of the disk than the user intended.
Needless to say, ignoring the Web 2.0 problem won't make it go away. If anything, unregulated, unmonitored deployment of Web 2.0 apps will only increase, and so will the security issues surrounding their use.
Next post, how corporations deal with social networking sites...
Posted by andreyee in web 2.0