Hello and welcome to the CERTStation Podcast for the 53rd week of 2009. I am Jay Johnson and these are the headlines:
Adobe predicted as top 2010 hacker target (pause)
Hacking into GSM gets easier while
Microsoft IIS vulnerability leaves users open to remote attack (pause)
Serious web vulnerability found in 8 million Flash files and finally
Smartphone attacks, rogue antivirus, cloud computing breaches are top security concerns for the year 2010
And now for this week's newswire details
Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. "Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot," security vendor McAfee said in its "2010 Threat Predictions." Hackers usually target the most widely used products in order to achieve the maximum impact. For a long time that has made Microsoft their primary target. But the software giant has tightened security in its recent OS releases, leading hackers to look for additional targets. Mozilla's Firefox browser and Apple's QuickTime software have also faced new attacks. There was some good news, however. The security firm sees law enforcement having more successes next year in its pursuit of cybercriminals, thanks to closer cooperation and improved skills at international crime-fighting agencies.
(pause)
On Sunday 27th of December at the 26th Chaos Communication Congress (26C3) in Berlin, security researchers published open source instructions for cracking the A5/1 mobile telephony encryption algorithm and for building an IMSI catcher that intercepts mobile phone communication. The Global System for Mobile Communications (GSM) standard for digital mobile phone networks, which is used by around four billion people in 200 countries, is quite insecure, explained cryptography expert Karsten Nohl in front of a large audience of hackers. While this has been known in academic circles since 1994, the evidence now produced leaves "no more room for playing hide and seek" said Nohl. According to Nohl, even the GSMA industry association, which is behind GSM, saw itself forced to offer tips on how to proceed after receiving the first indications of the newly discovered vulnerabilities. Nohl said the association pointed out that the main security aspect of GSM was not the encryption standard itself, but the method for changing the transmission channels used. Therefore, a hacker would need a receiving station and a program for processing the raw data. It appears the GSMA didn't realize that such a computer system can already be built by using the free OpenBTS software to set up a GSM base station. This system can be used to intercept large portions of a network operator's communication spectrum and two such devices allow attackers to track down the channel changes and the secret key, said Nohl. According to the researcher, a corresponding implementation is currently being developed.
(pause)
A researcher has identified a vulnerability in the most recent version of Microsoft's Internet Information Services that allows attackers to execute malicious code on machines running the popular web server. The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension ".asp." By appending ";.jpg" or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware. Microsoft's Security Response Center (MSRC) says it is investigating the vulnerability and has so far not found evidence of any attackers actively exploiting the hole to compromise a server. According to the vendor, the required conditions present an obstacle for successful attacks: Attackers must have authenticated themselves on a server and possess read as well as upload privileges to a directory which, in turn, must allow the execution of code.
(pause)
A security researcher has identified more than 8 million Adobe Flash files that make the websites hosting them vulnerable to attacks that target visitors with malicious code. The Flash files are contained on a wide variety of sites operated by online casinos, news organizations, banks, and professional sports teams. They make the pages where they reside susceptible to XSS, or cross-site scripting, attacks that have the potential to inject malicious code and content into a visitor's browser and in some cases steal credentials used to authenticate user accounts. The researcher, who goes by the moniker MustLive, said the Flash files contain poorly written ActionScript used to count the number of times a banner has been clicked and typically contain the clickTAG or url parameters. Google searches identified a total of more than 8.3 million of them on sites hosted by the New York Giants football team, Praguepost and ParadaisPoker. Because Google results are often abbreviated, the actual number is probably higher.
(pause)
The rise of the Conficker worm and Heartland Payment Systems' enormous data breach were two defining security events in 2009. What's in store for 2010?
"It's going to get worse," says Patrik Runald, senior manager of security and research at Websense, who argues there has not yet been a year when things got better in terms of security and the wider Internet. Criminals have been mastering botnets, phishing scams and fake antivirus software sales, and 2010 will bring new waves of attacks that exploit fresh targets. Specifically, smartphones such as the Apple iPhone and those based on Google's Android operating system will be in attackers' line of sight for 2010. While a handful of malware attacks have surfaced of late against "jailbroken" iPhones (ones whose owners have deliberately disabled Apple controls), it's only the beginning. Most of the attacks have been built around the Windows environment. But the trend in 2010 will be more attention to others, such as Linux and Mac. An emerging security concern in 2010 is the potential for cyber-criminals to abuse cloud computing, says Tom Cross, X-Force advanced research manager at IBM. It's already starting to happen, he says, though incidents aren't yet getting much publicity.
If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.