    Author Archive - Jonathan Leopando (Technical Communications)




    The new zero-day vulnerability in Adobe Reader may have some people wondering if there’s a way to use Portable Document Format (PDF) files more safely. The answer is yes: you can reduce your risk in using PDF files. Here’s how.

    First of all – and this can’t be stressed enough – keep your PDF reader up to date. Many popular PDF readers incorporate some sort of autoupdate function to make this easier for you. Be careful about downloading “updates” from unknown download sites, as frequently these turn out to be malicious. Use the built-in autoupdate feature or download directly from the developer’s website instead.

    We won’t repeat the usual advice, such as not opening suspicious files or websites. Let’s assume instead that if an attack does occur, it will be by a reasonably non-obvious method, like a Blackhole spam run.

    You can be exposed to malicious PDF files in many ways, but broadly speaking they can be categorized as either in the browser or out of it. In-the-browser attacks are just that: PDF files opened within browsers using either external add-ons or the browser’s own capabilities. Exploit kits are an example of how users can be exposed to PDF files in their browser.

    By contrast, an example of an out-of-the-browser attack is a file saved onto the computer from a mail client or the browser and then opened in the PDF reader itself.

    What you can do in the first case is reduce your use of plug-ins to open PDF files. Both Google Chrome and Mozilla Firefox can use integrated PDF readers that make relying on external apps unnecessary. (For Chrome, it comes built-in; for Firefox, it has to be downloaded as a separate add-on.) To use these, it may be necessary to disable any plug-ins installed by PDF readers. The way to do this differs from browser to browser.




    Recently, ISACA surveyed more than 1,500 infosec professionals as part of their 2012 Advanced Persistent Threat (APT) Awareness Study. The findings are an interesting mix of the good and the bad.

    The ISACA survey results indicate that a majority of professionals are familiar or strongly familiar with APTs, with almost all (96.2%) being at least “somewhat” familiar. This means that at the very least, APTs are already “on the radar” of security professionals and are a known risk.

    Many professionals believe that their organizations are at risk from APTs. Almost two-thirds – 63.0% – believe that their organizations are likely or very likely to be the targets of an APT in the future. More than a fifth (21.6%) of those surveyed belong to organizations that have already been hit with an APT.

    The risks of APTs are also correctly identified. The top three risks identified by those surveyed were:

    • Loss of intellectual property
    • Loss of personal information of employees or customers
    • Damage to the company’s reputation

    However, the other findings also raise some serious concerns. For example, more than half – 53.4% – of those surveyed said that APTs are “similar” to conventional threats. While this may be true on the surface, there are fundamental differences between APTs and conventional threats. They have different goals and capabilities, and understanding these is important to defending against either type of threat. The number may also suggest that the majority still believe that traditional security solutions will identify an APT, which is simply untrue.




    For those concerned about their privacy, last week was an important one. January 28th was Data Privacy Day, with many organizations releasing transparency reports that highlighted how and with whom user information is being shared. For example, both Google and Twitter made public their transparency reports, highlighting how they responded to official requests for user information. These reports indicate which governments have been requesting data from these sites, how often these requests are made, and how often any data is actually turned over.

    These reports come as studies show that users are becoming more concerned about their privacy in general. An independent Ponemon study found that users in the United States are more concerned than ever before about the privacy of their personal information, with 78% of respondents agreeing. At the same time, fewer users feel that they have control of their information, with only 35% agreeing with that statement.




    The past few months have been busy ones for Blackhole spam attackers. The last time we discussed Blackhole spam runs, we noted that they had returned from their New Year break and were hitting users again. Previously, we’d reported in September about how a new version of the Blackhole Exploit Kit had been introduced by attackers into the underground. Since September we have observed upgrades and new developments in this area, which this post will tackle.

    Upgrade to Blackhole Exploit Kit 2.0

    Since last September, cybercriminals have stopped using the older 1.x version of the Blackhole Exploit Kit entirely and moved to version 2.0. Most significantly, the URLs no longer contain the eight-character-long random strings that were a key part of the 1.x version. Those strings made it easier for researchers to discover and monitor websites connected to various spam runs.

    New vulnerabilities have also been added to the Blackhole Exploit Kit as they have been made “public”. For example, the recent Java zero-day was added to BHEK’s arsenal within days of the vulnerability becoming known to the security industry.

    Clearly, these cybercriminals are continuously enhancing this toolkit to evade detection as well as to generate profit from users. In line with this, the Blackhole Exploit Kit was used to distribute known information-stealing malware such as ZeuS and Cridex variants.

    Increased Usage of Different Infection Chains

    One development we have seen is that different browsers are receiving different infection chains, with more distinct differences from browser to browser. For example, there are situations where users running Chrome may receive malicious files, but Firefox and Internet Explorer do not.

    Why this is being done remains unclear. It’s possible that this is being done to lower the profile of these threats; this makes sense in combination with the next development. What is clear is that this makes analysis by researchers and security vendors more complicated. It increases the number of test cases that have to be looked at, thus increasing the effort that must be dedicated to any individual attack.




    With Java going through another embarrassing zero-day vulnerability recently, it has become a common bit of advice for users to “uninstall Java”.

    In general, this is sound advice. If possible, users should uninstall Java if they don’t need it. Unfortunately, for many users this simply isn’t an option. Many enterprises have custom apps built on the Java platform. Consumers may also need access to Java for banking sites (many of which are Java-based) or software (Minecraft needs Java to run.)

    So, how can you use Java safely? First, the Java threat largely comes from malicious applets that come from malicious websites. If you have Java installed because an application needs it, then you can disable Java in your browser(s) without affecting your user experience.

    It used to be that you would have to do this on a browser-by-browser basis, but that isn’t the case anymore. In the current version of Java, you can do this in the Java Control Panel. Instructions on how to access this can be found here. Applets in webpages will no longer work, but Java apps will continue to run without any problems.

    What if you need Java for a website, like an internal company site or your bank?
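    As an added example (not code from the original post), here is a small Python check that reads the per-user Java deployment.properties file the Java Control Panel writes and reports whether Java content in the browser is still enabled. It assumes the property name deployment.webjava.enabled and the ".locked" suffix used by Java 7u10 and later; verify both against your JRE’s deployment documentation before relying on the check.

```python
"""Audit a Java deployment.properties file for the browser-Java setting.

Added example, not from the original post. The property name
deployment.webjava.enabled (the setting behind the "Enable Java content
in the browser" checkbox) and the ".locked" suffix are assumptions to
verify against your JRE version.
"""
from pathlib import Path
from typing import Dict

WEBJAVA_KEY = "deployment.webjava.enabled"  # assumed property name


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments.

    Java accepts '=', ':' or whitespace as the separator; this parser
    handles '=' and ':' and treats a bare key as having an empty value.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, value = line.split(sep, 1)
                break
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def browser_java_status(props: Dict[str, str]) -> Dict[str, bool]:
    """Report whether applets may run in the browser and whether the
    setting is locked against changes from the Control Panel."""
    # A missing key means the installer default, which is "enabled".
    enabled = props.get(WEBJAVA_KEY, "true").lower() != "false"
    locked = WEBJAVA_KEY + ".locked" in props
    return {"browser_java_enabled": enabled, "locked": locked}


def audit_file(path: Path) -> Dict[str, bool]:
    """Convenience wrapper for a real deployment.properties on disk."""
    return browser_java_status(parse_properties(path.read_text()))


# Constructed sample: what the file looks like after unticking the box.
SAMPLE_DISABLED = """\
#deployment.properties
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=HIGH
"""

if __name__ == "__main__":
    print(browser_java_status(parse_properties(SAMPLE_DISABLED)))
```

    On a real machine, point audit_file at the deployment.properties under the user’s Java deployment directory; a result of browser_java_enabled set to True means applets from web pages can still run.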


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice