Archive for the ‘security’ Category.

Intel Acquires McAfee?

It’s the big buzz right now: Intel is acquiring McAfee!

A lot of people are asking why.  Goodness knows that was my first thought too.  It answered itself pretty quickly though.  I mean how many motherboards these days come with heat, fan speed, and voltage monitoring built into the hardware and BIOS?  How many come with hard drive checking and detailed memory checking as well?  Heck, I’ve even seen some with crappy antivirus that I wouldn’t trust in the past.  So as a selling point, an antivirus that you could trust makes a kind of sense.

More than that though, one of my favorite features of old nVidia motherboards was the built-in hardware firewall with a web interface.  A personal firewall that doesn’t eat up all of my PC’s resources?  It was a great idea as far as I was concerned.

And what eats more resources today than anti-virus, anti-spyware, firewall, email, etc. protection suites all rolled into one?  Some of those are real beasts!  As McAfee well knows, since their antivirus is one of the most resource consuming monstrosities out there.  So if anyone can hardware-accelerate your malware defenses, who better than Intel?

Heck, with virtualization and abstraction layers abounding as new means of defending your computer from hackers, again, who better a partner than Intel to add some hefty unique specialized hardware into your northbridge?

Okay, so I guess AMD might have been a good second choice.  Maybe even nVidia a third.  But we all know that if you want to reach the world at large, you aim at Intel.  So who better to sell yourself out to than Intel directly?

And these days Intel is looking to bundle everything they possibly can into their CPUs and chipsets.  From 3D graphics now even going into CPUs, to memory controllers (finally catching up with AMD there), to disk security, to serious RAID disk controllers, it’s all being packed up and bundled in.  So it comes as no surprise then that Intel is looking to bundle in one more specialized bit of hardware – the Malware Defense Unit.  (Or something equally trite.)

Whatever makes them happy.

And maybe it’ll even work out well for them.  It certainly makes a kind of sense.

My only concern is that I’ve personally never been a McAfee fan in the first place.  Every time I’ve used their software, it’s sucked up valuable resources.  Sure, it protects you, but at what cost?  And then look at Intel’s idea of 3D graphics acceleration.  It’s hardly top-notch.  And while their RAID disk controllers are okay, they’re not exactly the ones I go to when I need something professional either.  So is that the kind of aim that Intel is going to take with their new security division as well?  Is their Onboard McAfee going to just be another, “It’s better than nothing, but for anything serious I’m still replacing it,” product?  That might work great for casual users and small offices, but I can’t see Intel’s usual approach to anything not directly CPU related winning over any serious business buys.

But hey, I guess that’s a worry for another day.  First we have to see what Intel even does with McAfee in the first place.

One does have to wonder though …

I mean with CPUs having so many cores these days, not to mention Intel’s famous HyperThreading…  Then you add in to that the virtualization being built into CPUs as well…  Does anyone really need hardware acceleration to run their PC’s security suite anymore?  Seems to me processors these days can do it all with plenty to spare, so much so that you’d probably never even notice a resource hog anymore.

With so many unused cores in most desktops you could probably even do software RAID without noticing.

But maybe that’s just me.

Bad Bad Bad, Bad Vibrations – Windows Vulnerable To Music-Based Attacks

Here’s an interesting attack vector: get your mark to listen to music to hack them.  Sounds silly?  Well it isn’t.

Apple just recently fixed this “binary planting” vulnerability in their iTunes for Windows application.  A remote attacker merely has to plant a malicious DLL using a specific name in the same network share as a media file and as soon as someone comes along to listen to that media file, BAM!  iTunes would load that laced DLL to play the music and execute goodness only knows what evil.

Many sysadmins are sighing with a bit of relief, as this attack vector does require a network share to pull off, and giving hackers a share on their networks is not something they intend to allow.  But need I remind you of the Web Client service, enabled by default, with features like WebDAV, which allows remote network shares, as in internet-based, as in not safely behind your intranet?

Fortunately, besides disabling these features, you also have options like firewalls to stop the evil WebDAV and similar outbound traffic.

More good news is that Apple has fixed this security hole in iTunes.

But!

Was iTunes the only hole needing to be patched?  Not according to H.D. Moore of Metasploit, who says that about 40 applications are exploitable in Windows because of the way in which Windows loads “safe” file types from network locations.  A problem which affects not only the older and less-secure Windows XP, but even Windows Vista and Windows 7.

So be warned.  Be wary.  And secure those PCs please.
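As an added example (not from the original post), here is a defender's check for the binary-planting pattern described above: it flags any DLL a process loads from a network or WebDAV location, and notes whether that DLL sits beside a file the same process opened. The pipe-separated log format, process names, hosts and paths are all constructed for illustration.

```python
import ntpath

# Constructed sample events (not real telemetry): time|process|event|path
SAMPLE_LOG = r"""
10:01:02|player.exe|FILE_OPEN|\\fileserver\music\album\track01.mp3
10:01:02|player.exe|IMAGE_LOAD|C:\Windows\System32\version.dll
10:01:03|player.exe|IMAGE_LOAD|\\fileserver\music\album\codec_helper.dll
10:05:10|viewer.exe|FILE_OPEN|\\files.example.test@SSL\DavWWWRoot\docs\report.pdf
10:05:11|viewer.exe|IMAGE_LOAD|\\files.example.test@SSL\DavWWWRoot\docs\plugin.dll
10:07:00|editor.exe|FILE_OPEN|C:\Users\alice\notes.txt
10:07:01|editor.exe|IMAGE_LOAD|C:\Program Files\Editor\spell.dll
""".strip().splitlines()


def is_network_path(path):
    # UNC paths start with two backslashes; this covers SMB and WebDAV shares.
    drive, _ = ntpath.splitdrive(path)
    return drive.startswith("\\\\")


def is_webdav(path):
    # The Windows WebDAV redirector uses '@' in the host part or DavWWWRoot.
    drive, _ = ntpath.splitdrive(path)
    host = drive.lstrip("\\").split("\\")[0]
    return "@" in host or "davwwwroot" in path.lower()


def find_planted_dll_loads(lines):
    opened_dirs = {}  # process -> network folders it opened files from
    findings = []
    for line in lines:
        _, proc, event, path = line.split("|", 3)
        folder = ntpath.dirname(path).lower()
        if event == "FILE_OPEN" and is_network_path(path):
            opened_dirs.setdefault(proc, set()).add(folder)
        elif (event == "IMAGE_LOAD" and path.lower().endswith(".dll")
              and is_network_path(path)):
            findings.append({
                "process": proc,
                "dll": path,
                "beside_opened_file": folder in opened_dirs.get(proc, set()),
                "webdav": is_webdav(path),
            })
    return findings


if __name__ == "__main__":
    for hit in find_planted_dll_loads(SAMPLE_LOG):
        print(hit)
```

DLLs loaded from local system or program folders are ignored; only loads from a share are reported, with the WebDAV flag marking the internet-reachable case.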

Teh Interwebs – It’s Like Scary!

If you think surfing the internet is a scary thing to do, what with so many malicious websites out there ready to infect your computer (or smartphone) then try being a website owner.

Network Solutions, Happily Providing Website Owners With Malware Since…

Take, for example, anyone running a website hosted by Network Solutions.  Turns out that one of their widgets, there to make your website construction easier, was actually infected with malware!

What’s worse, Network Solutions is neither apologizing for infecting your websites, nor even saying how their widget got infected in the first place.  They just tell you to delete it.  Oh.  How informative.  How helpful.

Initial reports based on Google and Yahoo searches estimate anywhere between half a million and five million domains may have been infected.  Network Solutions, of course, denies that the numbers are anywhere near so high, but as of yet has failed to provide its own numbers to back that up.

SQL Vs. Apple … And A Whole Lot Of Others

An SQL injection attack has hit approximately half a million legitimate webpages with database commands that attempt to hide malware exploit links in the webpage code.  Among those infected is the ever-famous Apple, whose iTunes podcast promotion pages were identified as hit.  Fortunately Apple was quick to clean up their infections.

Plenty of other websites have been hacked by this SQL vuln as well, obviously.  The continued SQL database injection attacks change frequently enough that they have yet to be stopped.

Adobe – Chilly Towards A Hot ColdFusion Vuln

Adobe’s ColdFusion application server saw a recent update to patch a security hole that it labeled as “important”. But just how important was patching this exploit?  Well a number of researchers now claim that it should have been labeled “critical” because the vuln could actually let hackers seize control of servers in a “full system compromise”.  It not only allows someone to manipulate the system files, but to also upload scripts and even mess around with the database natively.  As holes go, it really doesn’t get worse than that.

Fortunately, Adobe did patch the hole.  But downplaying the importance of the vulnerability may lead to fewer people upgrading to the fix than should.

Disney – Sued For Spying On Your Kids?

Walt Disney’s internet subsidiary, Walt Disney Internet Group, and several partners such as Clearspring Technologies and Warner Bros. Records, are being sued in the US District Court of Los Angeles for allegedly using Adobe Flash Player cookies to track highly personal information about users, the majority of whom are minors.  The Locally Shared Objects (LSOs), otherwise known as Flash cookies, have supposedly been gathering detailed user information over long periods of time since at least 2007, in ways that, it is claimed, violate the sites’ privacy policies.  These LSOs were left behind and used to respawn deleted browser cookies, becoming “zombie cookies” which allegedly were used to re-identify users and continue tracking them without warning or their knowledge.

Axl Rose – Twitter, Twit, Or Just Too Busy Getting T**t?

False rumors have been spread that an upcoming European tour of Guns N’ Roses was canned, thanks to a bit of Twitter hacking of Axl Rose’s account.  The tweet from Axl that all was over was, of course, not really from Axl at all.  And he might have even been able to catch it and prevent the spread, had he ever been using his Twitter account instead of, well, doing anything more entertaining than tweeting.  But, alas, he actually has a life.  And so the hack went uncontested long enough for people to believe it.  It’s nice to see someone on Twitter actually busy with real life for a change.  But it’s also a good reminder that if you choose to have an online presence, maybe you should at least log in every once in a while.  Or just let it drop entirely if you’re too busy to take it seriously.

Smartphones – Maybe Too Smart For Their Own Good?

Smartphones, most of us want one.  The apps.  The ability to not just text, but email.  Music.  Camera.  There’s almost nothing that a good smartphone can’t do.

Including being a security problem.

I’ve already told you how Symbian smartphones have been turned into a mass-mailing zombie network. But let me tell you, that’s only the beginning.

Palm Pre phones are prone to a vulnerability in receiving malicious messages that can compromise them with a backdoor which can allow hackers to record and transmit audio, effectively “bugging” your Palm Pre, as well as the usual theft of stored data.

Also, Apple has only just recently patched critical security holes in its iOS.  One allowed hackers to install malicious apps on iPhones, iPads, and iPod Touches through poisoned PDF files which, by default, open automatically.

Another let attackers break out of the iOS security “sandbox” to access the root account, allowing unlimited access to the device.  This flaw, by the way, was the one used by jailbreaking software to let your iPhone be used how you want it to be used.  So don’t go thinking that this fix was entirely driven by just security over at Apple.

So there you have it, your smartphone is becoming more and more just another computer for hackers to attack.  They contain the same security risks as any Mac or PC.  Be conscious and use good security practices, even with your cute little phones, or you just might be caught unaware by a nasty ol’ hacker.

Taking A Bite Out Of Crime Bugs

TippingPoint has long been a proponent of information technology security, especially known for its Zero Day Initiative bug-hunt rewards program in which security researchers can earn thousands of dollars by revealing new vulnerabilities to TippingPoint, which in turn contacts the faulted software developers to get them to patch the holes in their code.

But a recent perusal of the ZDI database for high-risk vulns still sitting unpatched more than a year after disclosure has grated on some nerves.  Some of those privately disclosed security holes have even gone as many as three years without being fixed by their respective software vendors.  And that’s just no good.

TippingPoint had been trying to be responsible, keeping the disclosure of the bugs private, giving their creators time to fix them to keep everyone safe without going full disclosure and letting the hackers also know of these vulnerabilities.  But after seeing too many software companies sit upon their laurels and do nothing about their holes, TippingPoint has had enough.

The new ZDI policy will still be to privately contact software companies, but to only give them six months of privacy to correct their flaws.  After those six months, if no extension is agreed upon, TippingPoint will turn around and give full disclosure of the bug to the world at large, giving third parties an opportunity to fix the holes that a software vendor refused to act upon.

While many proponents (including myself) laud this tough-on-bugs approach, opponents of the “full disclosure” method (such as Microsoft, of course, inventors of security through obfuscation) argue that set timescales don’t work because some bugs take longer to fix and test than others, and that hackers can also use the disclosed information to make their job of getting into your computer easier.

And these are valid points.  But then, that’s probably why TippingPoint in fact has a method in place to file for an extension to that six-month timeline.  TippingPoint seems to make it clear that if Microsoft can make a convincing argument on why they can’t fix their security hole in a mere six months, TippingPoint will be more than happy to extend that timeline to give them all of the privacy they need.

Meanwhile, there’s the other end of the spectrum.  Recently Google has expressed a policy similar to this new one from TippingPoint, but with a mere 60 days, just two months, of privacy, a much tougher deadline to meet.