
Criminals may have found a way to get you to click on malware without you even knowing. Worse, they might also be able to open the microphone or Webcam on your PC to eavesdrop.
Called clickjacking, the technique lets an attacker trick you, the user, into clicking on something that is only briefly visible on the screen. While it's mostly a problem for the browser makers, it also affects Adobe Flash, Microsoft Silverlight, and Sun's Java.
Although clickjacking, which may encompass up to a half dozen specific vulnerabilities, has been around for years, it has only recently come to the attention of online criminals and security researchers alike.
One of those researchers is Jeremiah Grossman, CTO of WhiteHat Security. Robert Vamosi of CNET News spoke with him by phone.
Grossman recommends users of Firefox consider using the NoScript plug-in and set it to forbid IFrame content. More details on configuring NoScript to block this attack can be found here. Additional US-CERT tips for securing other browsers can be found here.

According to a report this week from Verizon Business, risk factors for data breaches vary industry to industry and defy a "cookie cutter" approach to security, which is why Verizon has revisited an earlier report. The goal of both the new and the prior report is to offer detailed insight into how data breaches occur, so that companies can address the problems within their specific industry.
The June 2008 report spanned four years and included more than 500 forensic investigations involving 230 million compromised records. The new report uses that same data but drills down within four key industries: financial services, tech, retail, and food and beverage. The four constitute 82 percent of all the attacks in the original Verizon report.
Verizon found the attacks on the financial industry tend to be sophisticated. A majority come from outside hackers, although a healthy amount could also be attributed to insiders who have been granted access to the data. Retail and food and beverage, which includes restaurants and grocery stores, are the polar opposite. In both retail and food, less sophisticated attacks are used and are often the result of a compromised third-party vendor.
Bryan Sartin, co-author of the report and director of investigative response for Verizon Business security solutions, talks with CNET News' Robert Vamosi about some of the investigations Verizon has done into thefts by third parties, and the possible ties to organized crimes and terrorism.

This week Tom Rusin, president and chief executive officer of Affinion's North America operation, is Robert Vamosi's guest. His company monitors the criminal underground for several thousand banking institutions by lurking in carder chat rooms.
"Carders" are the people who buy, sell, and trade online the credit card data stolen from phishing sites or from large data breaches at retail stores. Affinion is global, with offices in more than a dozen countries. And over the years they have provided a wealth of information to the U.S. Secret Service and the FBI. A few weeks ago, Affinion identified .Mac users who found themselves victims of a phishing scam.
"Any piece of info is priceless to these people," says Rusin.

It may seem trivial to you what applications are on your desktop, but from a business or organization's perspective, it can be a serious matter. If an application provides unfiltered access to the outside world, this could create regulatory issues. Certain desktop applications can also indirectly or directly introduce malware inside the perimeter through file sharing. At the very least, some applications simply take away bandwidth (for example, streaming audio or video).
In its second report on Application Usage and Risk, Palo Alto Networks finds that 56 percent of the desktop applications surveyed use HTTP. Because they share port 80, the port on which Web servers listen for client requests, their traffic blends in with ordinary Web browsing, which makes it hard for organizations to filter or firewall the content.
Chris King, who appeared on Security Bites last April, talks this week with CNET News' Robert Vamosi about the report's findings, including the hidden risks in running Microsoft SharePoint or Lotus Notes.
To see all the risks associated with several hundred common desktop applications, Palo Alto Networks provides an online Applipedia.

Google has entered the browser space. Chrome, its browser still in beta, is based on the open-source WebKit project. Some will recognize WebKit as the foundation for another browser, Apple Safari. But Chrome also borrows heavily from Mozilla Firefox and Microsoft Internet Explorer, giving this new browser an old and familiar feel.
There is, however, innovation.
Tabs are arrayed atop the browser instead of in the traditional toolbar. And users can drag and drop the tabs on the desktop outside the browser. There is also a way to make an icon for GMail and Google Calendar on your desktop.
Deep down, Google has also upgraded how the browser handles JavaScript. Gone are the days when Java applets simply gave you dancing babies on a Web page. Today we're running robust applications.
Joining CNET News' Robert Vamosi this week is Billy Hoffman, manager of HP's Web security group. Hoffman, along with Bryan Sullivan, also co-authored AJAX Security.
In this podcast, Hoffman offers what he thinks Google did right with Chrome, and what could be trouble down the road.

A few weeks ago, the Dutch High Tech Crime Unit identified and arrested a 19-year-old Dutch man who allegedly was operating a botnet known as Shadow. This botnet, unlike more recent examples, used IRC, meaning its traffic was easier to trace than the Web-based command and control traffic used today by most new botnets. Shadow would infect users via Windows Live Messenger or MSN Messenger.
What's unusual here is that the crime unit then asked Kaspersky Lab to provide the identified victims, people who had unknowingly allowed their computers to become compromised, with instructions on how to neutralize the malware on their systems. While antivirus companies and law enforcement work together all the time, rarely has law enforcement been concerned about cleaning up a victim's machine.
This week CNET's Robert Vamosi spoke by phone with Roel Schouwenberg, senior antivirus researcher at Kaspersky, who happens to be based in the Netherlands, about the Shadow botnet.

Iron Chef returns to Black Hat. No, it's not the Food Network import from Japan broadcasting live, but the Fortify edition, featuring leading security researchers as they struggle against the clock to find vulnerabilities. This year, the secret ingredient is open-source code.
Brian Chess, chief scientist at Fortify Software, and Jacob West, who manages Fortify Software's Security Research Group, tell CNET's Robert Vamosi that one team will use static analysis while the other will use fuzzing. Chess confirmed that Charlie Miller and Jacob Honoroff will be on the fuzzing team, and Sean Fay and Geoff Morrison from Fortify will make up the static analysis team.
Fortify says the Black Hat audience and co-hosts West and Chess will provide running commentary and encourage the competitors. Ultimately, the audience will judge the results based on originality of created tools, presentation of the number of bugs, and creativity of using the tools when searching for vulnerabilities. At the end, a winner will be named.

From gadgets that slide-show pictures of vacations past to calendars that show events in the future, Google Gadgets look cool. But they also have the potential to contain vulnerabilities like anything else within Web 2.0.
By design, Google Gadgets allow scripted code to be uploaded by the end user, creating interesting new attack vectors for those with malicious intent.
CNET's Robert Vamosi talked with Robert Hansen (aka Rsnake), chief executive of SecTheory, and Tom Stracener (aka Strace) of Cenzic. Both will be presenting a talk called "Xploiting Google Gadgets: Gmalware and Beyond" at the annual Black Hat conference in Las Vegas next week.
During the talk, they plan to disclose a zero-day vulnerability in Google Gadgets that will make Gmalware (Gmodules-based malware) a significant threat.
For years, one of the arguments for using open-source software instead of proprietary software held that open source was more secure. After all, having thousands of eyes looking at the code can't help but find and mitigate potentially dangerous bugs. A new report from Fortify challenges that assertion.
Open-source software can be found in over half of enterprises today, and open-source code can be found within the Mac OS X operating system. But how are open-source vulnerabilities and, more importantly, their patches handled?
This week a report from Fortify found that, while vulnerabilities exist and are reported within the open-source community, not every open-source project had a clearly defined contact or security alias. Nor was it clear what the process would be for issuing a patch, or how the projects conduct their own vulnerability assessments. The report looked at several known open-source projects such as JBoss and Tomcat.
CNET's Robert Vamosi spoke by phone with Roger Thornton, CTO at Fortify, about the report and its findings.

To put it simply, the concept of "white listing" is to define a set of software and a set of vendors, and to allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past.
In 2007, Symantec detected more than 1 million viruses, with two-thirds created within that calendar year. Loading 1 million antivirus signatures, or even a percentage of that if generic signatures are used, is a pretty serious undertaking. The idea here is that maybe we should only be loading signatures for the good files.
So far, the idea is only being implemented in the enterprise space. Still, it's an interesting idea. On the desktop, white lists are already being used to stop spam, so why not use them to block malware as well?

Massachusetts-based Bit9 has created one of the largest catalogs of "known good" and "known bad" applications. Its Global Software Registry (GSR) serves as the policy enforcement center for Bit9's enterprise offerings. Recently, desktop antivirus vendor Kaspersky announced a partnership with Bit9 that will allow it to use the GSR in its upcoming desktop products in 2009.
This week on the Security Bites podcast, CNET's Robert Vamosi talks with Tom Murphy, chief strategy officer for Bit9, about white listing and its potential for the future.

Robert Vamosi has appeared on CNN, NBC, ABC, MSNBC, and various other media outlets as an expert on computer viruses, spyware, identity theft, phishing, and other criminal activities on the Internet.