VMware released a series of updates to address the OpenSSL vulnerability known as Heartbleed in its products in April, but many organizations still haven’t secured their installations, virtualization management firm CloudPhysics reported on Monday.

Based on machine metadata collected from virtualized datacenters, CloudPhysics determined that 57% of VMware vCenter servers and 58% of VMware ESXi hypervisor hosts are still vulnerable to Heartbleed attacks.

“This is a remarkably high percentage given that ESX run the majority of business critical VMs in the world. I speculate that IT teams are more lax about patching ESXi since those machines are typically behind the firewall and not easy to reach from the outside world,” Irfan Ahmad, CTO and co-founder of CloudPhysics, wrote in a blog post.

“However, that laxity doesn’t make the delay in patching a good idea,” he added. “For one thing, insider attacks continue to be a major source of breaches. Another consideration is that if outside attackers do manage to infiltrate a low privilege service inside your firewall, you have just given them carte blanche to attack your most sensitive data.”

According to Ahmad, 40% of the organizations in CloudPhysics’ dataset have at least one vCenter server or ESXi host running a vulnerable version of OpenSSL. By May, over 25% of vCenter servers and ESXi hosts had been patched, but over the next two months, the rate at which organizations were applying the updates had slowed down.

Shortly after the existence of the Heartbleed bug came to light, there were roughly 600,000 vulnerable systems. A couple of months later, Errata Security reported that the number was down to 300,000. However, some experts predict that it will take months, possibly even years, until all systems are patched.

“If insiders, or attackers via insiders, exploit the Heartbleed vulnerability through an untraceable attack they can gain access to mission-critical systems. With the window for the exploit being so large, combined with the current slowness of patching, the severity of an already serious problem is exacerbated,” Ron Zalkind, CTO of cloud data protection company CloudLock, told SecurityWeek.

“Maintaining patches is always prudent, but with an exploit like Heartbleed, its importance cannot be overstated. We strongly encourage organizations to immediately patch their systems per guidance from VMware, with a particular focus on systems that are the most significant to their businesses.”

Eric Chiu, founder and president of cloud control company HyTrust, points out that the traditional approach to security has been to protect the perimeter, which has bred a long-standing misconception that systems within an organization’s datacenter don’t need to be protected.

“However, breaches are not only happening more often and getting bigger, but they’re also primarily happening from the inside. Attackers are using social engineering, phishing, malware and other attack techniques to steal employee or I.T. credentials in order to gain access to networks. Once in, they can move forward, backward or laterally, and siphon large amounts of sensitive data without ever being detected. Given that virtualization is a ‘concentration’ of systems and data, the result is a higher concentration of risk. If an attacker is able to pose as a virtualization admin, for example, that could ultimately be ‘game over’ for a victim company,” Chiu told SecurityWeek.

“Bottom line, organizations need to shift their security strategy from that of just an ‘outside-in’ approach, to an ‘inside-out’ model. They should assume attackers are already inside, in which case access controls, audit logging, alerts and data encryption are important—if not critical… especially in ensuring a secure cloud environment.”

Related: Heartbleed Vulnerability Still Beating Strong

Related: Recovering from Heartbleed: The Hard Work Lies Ahead

Tags:

• NEWS & INDUSTRY
• Cloud Security
• Vulnerabilities

BEIJING  – Chinese state broadcaster CCTV has accused US technology giant Apple of threatening national security through its iPhone’s ability to track and time-stamp a user’s location.

The “frequent locations” function, which can be switched on or off by users, could be used to gather “extremely sensitive data”, and even state secrets, said Ma Ding, director of the Institute for Security of the Internet at People’s Public Security University in Beijing.

The tool gathers information about the areas a user visits most often, partly to improve travel advice. In an interview broadcast Friday, Ma gave the example of a journalist being tracked by the software as a demonstration of her fears over privacy.

“One can deduce places he visited, the sites where he conducted interviews, and you can even see the topics which he is working on: political and economic,” she said.

The frequent locations function is available on iOS 7, the operating system used by the current generation of iPhones released in September 2013. “CCTV has only just discovered this?” said one incredulous Chinese microblogger.

The dispute is not the first time Apple has been embroiled in controversy in China, where its products are growing in popularity in a marketplace dominated by smartphones running Google’s Android operating system.

Apple lost a lawsuit against a Chinese state regulator over patent rights to voice recognition software such as the iPhone’s “Siri” just this week.

In March 2013 the Californian company was notably the target of criticism orchestrated by the Chinese media on behalf of consumers, who were critical of poor after-sales service.

And in 2012 the US firm paid $ 60 million to settle a dispute with another Chinese firm over the iPad trademark.

The privacy scare also reflects mutual distrust between the US and China after a series of allegations from both sides on the extent of cyber-espionage.

Leaks by former US government contractor Edward Snowden have alleged widespread US snooping on China, and this month it was reported Chinese hackers had penetrated computer networks containing personal information on US federal employees.

Apple did not immediately respond when contacted by AFP for comment.

Related: Obama Not Allowed an iPhone for Security Reasons

Related: NSA Tracks Mobile Phone Locations Worldwide

Tags:

• NEWS & INDUSTRY
• Privacy
• Mobile & Wireless

OpenDNS has enhanced its cloud-based network security service Umbrella with new capabilities designed to protect organizations against targeted attacks, the company announced on Tuesday.

The company says its monitoring systems are capable of detecting malicious traffic from the first stages of a potential targeted attack by comparing customers’ traffic to activity on OpenDNS’s global network. By providing predictive intelligence on the attackers’ network infrastructure, OpenDNS enables organizations to block attacks before any damage is caused.

Many organizations are capable of identifying single-stage, high-volume cyberattacks, but the “noise” generated by these types of attacks makes it more difficult to detect highly targeted operations, the company explained.

According to OpenDNS, its services address this issue by providing real-time reports on global activity and detailed information for each significant event. The reports can be used by enterprises to identify ongoing or emerging targeted attacks based on whether or not the threats have a large global traffic footprint, or if they’re detected for the first time.

In order to make it easier for security teams to investigate an incident, OpenDNS provides information on the users, devices and networks from which malicious requests are sent. Information on the attackers’ infrastructure can be useful for predicting future threats and for blocking components that are being prepared for new attacks. 

“Enterprises today are challenged to keep up with the volume of attacks that are targeting their networks. Not only is the efficacy of today’s security tools declining, but when they do identify a threat they lack the context that is critical to blocking it,” said Dan Hubbard, CTO of OpenDNS. “The ability to determine the relevance and prevalence of an attack is key to prioritizing response, remediating infected hosts, and understanding the scope of the threat.”

The new capabilities are available as part of the Umbrella service based on a per user, per year subscription.

Tags:

• Network Security
• NEWS & INDUSTRY
• Malware

SEOUL – North Korea has doubled the number of its elite cyber warriors over the past two years and established overseas bases for hacking attacks, a report said Sunday.

The North’s cyber war unit now has 5,900 personnel, compared with 3,000 two years ago, the South’s Yonhap news agency said.

“The communist country operates a hacking unit under its General Bureau of Reconnaissance, which is home to some 1,200 professional hackers,” a military source was quoted as saying.

North Korean hackers have launched cyber attacks through overseas bases in countries such as China, the source said.

In recent years, hackers have used malware deployments and virus-carrying emails for cyber attacks on South Korean military institutions, commercial banks, government agencies, TV broadcasters and media websites.

Investigations into past large-scale cyber assaults have concluded that they originated in North Korea.

The North has denied any involvement and accuses Seoul of fabricating the incidents to fan cross-border tensions.

South Korea has increased its Internet security budget to train experts since it set up a special cyber command in 2010, amid growing concern over its vulnerability.

Related: North Korea Jump Significantly: Solutionary

Related: South Korea’s ‘Top Gun’ Cyber Warriors

Related: New Disk Wiping Malware Used in Attacks Against South KoreaCyber-Attacks From 

Tags:

• Cyberwarfare
• NEWS & INDUSTRY

Microsoft announced plans today to release six security bulletins as part of this month’s Patch Tuesday.

Of the six, two are rated ‘critical’, while three are rated ‘important’ and one is considered ‘moderate.’ The updates are for Microsoft Windows, and Microsoft Server Software and Internet Explorer, with the critical ones targeted at IE and Windows.

It’s the time of year where many people take vacation away from the office but this won’t be the month to push off patching, blogged Russ Ersnt, director of product management for Lumension.

“Datacenter administrators shouldn’t plan to be away too much next week since every bulletin impacts nearly every supported Windows Server version,” he added. “Two of the bulletins even impact Windows Server set to Core mode.”

Wolfgang Kandek, CTO of Qualys, called the IE bulletin the most critical, and noted it affects all versions of the browser from Internet Explorer 6 to Internet Explorer 11.

“This patch should be the top of your list, since most attacks involve your web browser in some way,” he blogged. “Take a look at the most recent numbers in the Microsoft SIR (Security Intelligence Report) report v16, which illustrated clearly that web-based attacks, which include Java and Adobe Flash are the most common.”

Bulletin 3, 4, and 5, he added, are all elevation of privilege vulnerabilities in Windows and affect all versions of Windows.

“They are local vulnerabilities, i.e they cannot be used to achieve code execution remotely through the network, but require that the attacker already haves a presence on the targeted machine as a normal or standard user,” Kandek blogged. “Exploits for these types of vulnerabilities are part of the toolkit of any attacker as they are extremely useful, when the attackers get an account on the machine, say through stolen credentials. In any practical scenario, the attacker then wants to assure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in – we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine.”

The final bulletin is rated ‘moderate’ and impacts Microsoft Service Bus for Windows Server, Ernst explained.

“Microsoft Service Bus is a messaging service used by many third-party web applications as well as by Microsoft Azure, so even though this is rated as Moderate, it is probable that this vulnerability would be used in conjunction with other vulnerabilities to target those applications,” he blogged.

The Patch Tuesday updates will be released July 8 at approximately 10 am PT.

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

WASHINGTON – The US National Security Agency has been authorized to intercept information “concerning” all but four countries worldwide, top-secret documents say, according to The Washington Post.

“The United States has long had broad no-spying arrangements with those four countries – Britain, Canada, Australia and New Zealand,” the Post reported Monday.

Yet “a classified 2010 legal certification and other documents indicate the NSA has been given a far more elastic authority than previously known, one that allows it to intercept through US companies not just the communications of its overseas targets but any communications about its targets as well.”

The certification – approved by the Foreign Intelligence Surveillance Court and included among a set of documents leaked by former NSA contractor Edward Snowden — says 193 countries are “of valid interest for US intelligence.”

The certification also let the agency gather intelligence about entities such as the World Bank, the International Monetary Fund, European Union and the International Atomic Energy Agency, the report said.

“These documents show both the potential scope of the government’s surveillance activities and the exceedingly modest role the court plays in overseeing them,” Jameel Jaffer, deputy legal director for the American Civil Liberties Union who had the documents described to him, told the Post.

The report stresses the NSA did not necessarily target nearly all countries but had authorization to do so.

It should come as cold comfort to Germany which was outraged by revelations last year that the NSA eavesdropped on Chancellor Angela Merkel’s mobile phone, as well as about wider US surveillance programs of Internet and phone communications.

Germany’s parliament is investigating the extent of spying by the US National Security Agency and its partners on German citizens and politicians, and whether German intelligence aided its activities.

The privacy issue is a particularly sensitive one in formerly divided Germany.

Ties between Washington and Europe more broadly, as well as other nations such as Brazil, have been strained since the revelations, despite assurances from US President Barack Obama that he is ending spy taps on friendly world leaders.

The Obama administration has insisted the NSA needs tools to be able to thwart terror attacks not just against the United States, but also its allies.

Snowden, a 30-year-old former NSA contractor was granted temporary asylum by Russia last August after shaking the American intelligence establishment to its core with a series of devastating leaks on mass surveillance in the US and around the world.

Tags:

• NEWS & INDUSTRY
• Privacy
• Tracking & Law Enforcement