Tag-Archive for ◊ online ◊

Google Pushing to Redefine ‘Responsible Disclosure’
Saturday, July 31st, 2010 | Author: swane

After all the debate about disclosing security vulnerabilities in software, Google is trying to reshape the process for fixing bugs. There has always been discussion about whether responsible disclosure is actually responsible, but it came to a head (at least from a media standpoint) last month with the Microsoft/Tavis Ormandy occurrence.

This post from the Google Online Security Blog discusses what Google would like to see changed in the current “responsible disclosure” model. Currently, when a security researcher finds a vulnerability in a piece of software, that researcher is supposed to inform the software vendor privately of the risk. The bug is not supposed to be released to the public until a fix is released. According to Google’s blog post:

“The emotionally loaded name suggests that it is the most responsible way to conduct vulnerability research - but if we define being responsible as doing whatever it best takes to make end users safer, we will find a disconnect. We’ve seen an increase in vendors invoking the principles of “responsible” disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that time frame, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers. The important implication of referring to this process as “responsible” is that researchers who do not comply are seen as behaving improperly. However, the inverse situation is often true: it can be irresponsible to permit a flaw to remain live for such an extended period of time.”

This does not seem like the best system to have in place for the protection of the end user. Basically, this is saying that because security researchers are not allowed to release details of a bug to the public until there is a fix, there is no reason for the vendor to take action.
It also takes notice of the fact that, by using the term ‘responsible’ disclosure, the current model bars anyone from breaking with the mold by labeling them as irresponsible. Despite what it may seem like, Google is not trying to plunge us into a state of anarchy by proposing a full-disclosure method of dealing with bugs. They want to find a balance, where end users receive security updates in a timely manner, and software vendors have enough time to provide those fixes to the users. Their suggestion? A 60-day window between being informed of the vulnerability and having a fix available to the public. In this situation, everybody wins.

Here is the original:
Google Pushing to Redefine ‘Responsible Disclosure’

Majority Of Consumer Websites Need Improved Security
Thursday, April 22nd, 2010 | Author: JB

The majority of consumer websites remain vulnerable to online fraud, even as a growing number of businesses put online safety measures in place, according to a new survey by the Online Trust Alliance (OTA). The annual survey of best practices to help protect consumers from forged email, phishing sites and malware found that, of the 1,200 companies analyzed, only 113 qualified to be named to the OTA Online Safety 2010 Honor Roll. Sites were evaluated based on their usage of email authentication standards and Extended Validation SSL Certificates (EV SSL) and the presence of malware. While 92 percent of the companies failed to adopt best practices, 14 percent of the Internet Retail 500, 13 percent of the top 100 financial institutions and 6 percent of the Fortune 500 passed. Only 3 percent of the top consumer government sites made the grade, while 29 percent of OTA members passed.

Highlights from the survey include:

* Over 26 percent of the Internet Retail 500 and top 100 financial services companies have adopted EV SSL certificates.
* Government agencies’ adoption of email authentication remains stagnant at 32 percent, while over 60 percent of their sites and/or email have been spoofed in the past four months.
* The largest retailers and businesses continue to show the highest level of adoption of email authentication, with 76 percent of the Internet Retail 100 and 54 percent of the Internet Retail 500.
* “While major corporations, banks, governmental agencies and industry working groups talk about best practices, the majority are failing to adopt, risking demands for added regulations,” said Craig Spiezle, Executive Director and President of the OTA.

Original post: 
Majority Of Consumer Websites Need Improved Security

McAfee: Intellectual Property Poorly Guarded In Aurora Attacks

Google and the other companies that were affected by Operation Aurora had some commendable security measures in place, according to a new report from McAfee; you might consider them the virtual equivalents of steel doors with reinforced hinges. However, it turned out that the companies might have left their internal safe doors unlocked.

George Kurtz, McAfee’s CTO, explained late yesterday on the McAfee Security Insights Blog that he discovered some problems with respect to the companies’ source code configuration management systems (SCMs). Enough problems to call them “inherently insecure,” in fact, as he found that attackers were able to “siphon out source code or, worse, modify and add code.” Kurtz then continued, “SCMs are used by software engineers to manage their projects and are used to store source code, the crown jewels of any tech company.” And as you might suppose, leaving one’s intellectual property exposed isn’t the best way to run a business.

In response, McAfee is taking a closer look at how SCMs should be secured, and Perforce, which is a popular management system, has been scrutinized in what’s supposed to be the first in a series of white papers. These lessons should benefit a wide range of individuals and companies, considering that many organizations have probably modeled their security systems after what Google, Adobe, Rackspace, and other corporations hit by Operation Aurora have in place. Hopefully an Operation Aurora 2 will become impossible as a result. Or at the least, perhaps some less organized and skilled hackers will be repelled.

Meanwhile, efforts to identify the people behind Operation Aurora haven’t progressed much since the last time we discussed them. A security company called Damballa did issue a statement earlier this week alleging that the hackers used a “garden variety botnet” and were “more amateur than average,” but Google has disputed this claim.

Read more from the original source: 
McAfee: Intellectual Property Poorly Guarded In Aurora Attacks

Jail Sentences Not Certain For Mariposa Botnet Authors
Saturday, March 06th, 2010 | Author: JB

Although the three men believed to be behind the Mariposa botnet were recently identified and arrested by Spanish authorities, it looks like they may avoid serving any jail time for their online trespasses. Spain’s cybercrime laws are quite weak at the moment.

According to Brian Krebs, Captain Cesar Lorenzana, who works for the Spanish Civil Guard, explained that prison sentences typically aren’t associated with deeds committed from behind a keyboard. Plus, some things simply aren’t against the law. “In Spain, it is not a crime to own and operate a botnet or distribute malware,” he said. “So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.” Furthermore, Krebs wrote, “[T]he men are all free on their own recognizance. . . . [T]hey are free to hoover up as much stolen data as they please, as the Mariposa working group has not yet been able to shutter the Web sites that served as the repository for personal and financial data stolen from people whose systems were ensnared by the bot.”

The good news is that Spain is trying to modernize its laws, so even if Mariposa’s authors get off this time, they (and/or other cybercriminals) shouldn’t be in the clear forever.

See original here: 
Jail Sentences Not Certain For Mariposa Botnet Authors

New Kneber Botnet Tied To 75,000 Systems
Sunday, February 21st, 2010 | Author: JB

This may turn into an unplug-your-computer-and-pay-for-everything-with-cash kind of day for some security experts. NetWitness announced this morning that it has discovered a new ZeuS botnet affecting 75,000 systems in 2,500 organizations. Social networks, financial systems, and government organizations are all thought to have been compromised.

In a formal statement, NetWitness explained how it originally came across the problem, indicating that it “first discovered the Kneber botnet in January during a routine deployment of the NetWitness advanced monitoring solutions.” Then, “Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines.” This means that the Kneber botnet has moved well beyond a straightforward focus on banking information.

Also, as you might have guessed after seeing such large numbers, Kneber has managed to infect systems all over the world. And here’s one more disconcerting piece of information: machines infected with Kneber were, more often than not, also infected with another botnet, Waledac, which would seem to point to the existence of an alliance between hackers.

Anyway, different organizations still appear to be in the process of determining how much damage has been done; it’s too early, in other words, to say what measures will be taken as a result of NetWitness’s announcement. Perhaps there’s at least some small amount of comfort to be had in the fact that this new threat is hardly a fraction of Conficker’s size.

View original post here:
New Kneber Botnet Tied To 75,000 Systems

Google Attack Traced To Chinese Schools
Sunday, February 21st, 2010 | Author: JB

The physical sources of the online attacks that targeted Google, Yahoo, Adobe, and many other organizations have been fairly well pinpointed, according to a new report. The supposed starting points: computers at two Chinese schools.

This information comes courtesy of John Markoff and David Barboza (along with their unnamed sources). They identified Shanghai Jiaotong University and the Lanxiang Vocational School as the schools investigators have linked to the hacks. This seems to have been determined with a high degree of certainty.

Unfortunately, it remains unknown who was behind the attacks, and individuals, companies, and governments all remain under suspicion. Apparently one school has ties to the Chinese military, so Chinese authorities could be involved. But the attackers did try to steal corporate trade secrets, so no one’s ruled out industrial espionage as a motive. And, somewhat randomly, a Ukrainian professor has also turned up on the investigators’ radar. It’s impossible to say whether the list of suspects will ever be further narrowed (and at this point, it almost looks unlikely that we’ll ever see a perpetrator named). Perhaps the investigation has led to increased cooperation among the companies that were attacked, at least.

Read the original:
Google Attack Traced To Chinese Schools