December 2010 - Posts
Improved mobile computing security will most likely be a focal point for 2011. The ISC highlights a new Trojan that is installed from an infected game or application. There are some prompts that may prevent access to the Android O/S. When installing any mobile or PC application, every prompt should be reviewed carefully, and users should exit out if security could potentially be compromised.
Android malware enters 2011
QUOTE: One thing a lot of security researchers have been predicting for years is the rise in mobile malware. However, due to mobile phones with low power, a lot of operating systems, closed environments and many other reasons we haven’t seen any significant mobile malware until this year.
And just in time for 2011 a new trojan for Android has been found by a company called Lookout. While Android trojans have been very popular, this one was pretty advanced and that is why it caught everyone’s attention. The most important characteristic of this trojan is that it has botnet capabilities. This means that the trojan connects to a C&C server in order to retrieve commands and enables an attacker to effectively control the infected phone.
So how does the trojan get installed in the first place? The attackers managed to infect some Android games which are hosted on various sites. The user simply goes to install such a game and gets infected. However, keep in mind that the installer will warn the user that the application wants to access sensitive parts of the phone as well as capabilities to send SMS messages, make phone calls etc.
That being said, we know that most users will just click on yes (remember UAC on Vista?) – and I’m afraid that statistics for users blindly clicking on yes are even worse on mobile phones since there are many more users and security awareness is much, much lower.
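The post's advice is to read the install-time permission prompt rather than click through it. As an added example (not code from the ISC post or from Lookout), the script below parses a constructed AndroidManifest.xml for a repackaged game and lists the requested permissions that deserve a second look; the risk annotations are our own.

```python
# Added example: review the permissions an Android package declares before
# installing it, flagging the capabilities the post warns about
# (SMS, phone calls, persistence, network access for a C&C channel).
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a user should stop and think about; the annotations are ours.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate fraud)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS",
    "android.permission.CALL_PHONE": "can place phone calls",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts at boot (persistence)",
    "android.permission.INTERNET": "network access (possible C&C channel)",
}

# Constructed manifest resembling a repackaged game: a game has no
# legitimate reason to send SMS or place phone calls.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fungame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def review_permissions(manifest_xml):
    """Map each sensitive permission the package requests to a reason to pause."""
    return {p: SENSITIVE[p] for p in requested_permissions(manifest_xml) if p in SENSITIVE}


if __name__ == "__main__":
    for perm, why in review_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
```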
The Stuxnet worm was one of the most sophisticated attacks during 2010. Below are informative links highlighting the most recent analysis:
A Four-Day Dive Into Stuxnet’s Heart
Report Strengthens Suspicions That Stuxnet Sabotaged Iran’s Nuclear Plant
QUOTE: The sophisticated worm, which many computer experts believe was created as a specific attempt to sabotage Iran’s nuclear power plant centrifuges, has written a new chapter in the history of computer security. Written to affect the very Siemens components used at Iran’s facilities, some analysts have even speculated it may have been the work of a state, rather than of traditional underground virus writers.
The new CCSK designation may help individuals receive specialized training for implementing cloud computing solutions for their organization. While the CCSK is too new for widespread recognition, continuing education is always beneficial. Companies investing in security team training in this area may also pick up good ideas for adopting this growing trend in a more secure manner than taking it on without a plan.
QUOTE: The Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK) is now open for testing. The industry’s first user certification program for secure cloud computing, the CCSK is designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.
As cloud computing is being aggressively adopted, it is critical that the industry provide training and certification of professionals to assure that cloud computing is implemented responsibly with the appropriate security controls. The Cloud Security Alliance (CSA) has developed a widely adopted catalogue of security best practices, the Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1. The CCSK provides evidence that an individual has successfully completed an examination covering the key concepts of the CSA guidance and ENISA whitepaper.
Mozilla took quick and effective action to resolve a password exposure for their site as documented below:
Mozilla Add-ons user accounts - minor exposure of passwords fixed
QUOTE: On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.
The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per-user salts have been the standard storage method of password hashes for all active users since April 9th, 2009.
It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure. This information was also sent to impacted users by email on December 27th.
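The notice describes two things: the current storage scheme (SHA-512 with a per-user salt) and the remediation (erasing the legacy md5 hashes so those accounts cannot log in). As an added example that is not Mozilla's code, the store below implements both; the "algo$salt$hash" record layout and the "disabled$" marker are our own assumptions.

```python
# Added example: per-user salted SHA-512 password records, plus a sweep that
# finds unsalted MD5 records and disables them so they can never verify.
import hashlib
import hmac
import secrets


def hash_password(password, salt=None):
    """Return a 'sha512$<salt>$<hex>' record; a fresh 16-byte salt is drawn if none is given."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"sha512${salt}${digest}"


def verify_password(password, record):
    """Check a password against a record. Legacy md5 and disabled records never verify."""
    algo, _, rest = record.partition("$")
    if algo != "sha512":
        return False
    salt, _, digest = rest.partition("$")
    candidate = hashlib.sha512((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def disable_legacy_hashes(accounts):
    """Replace every unsalted md5 record with a marker that cannot verify,
    mirroring what the notice says was done for the inactive accounts.
    Returns the usernames that were disabled."""
    touched = []
    for user, record in accounts.items():
        if record.startswith("md5$"):
            accounts[user] = "disabled$"
            touched.append(user)
    return touched


# Constructed sample store: one legacy account, one current account.
SAMPLE_ACCOUNTS = {
    "legacy_user": "md5$" + hashlib.md5(b"hunter2").hexdigest(),
    "current_user": hash_password("correct horse battery staple",
                                  salt="0123456789abcdef0123456789abcdef"),
}

if __name__ == "__main__":
    store = dict(SAMPLE_ACCOUNTS)
    print("disabled:", disable_legacy_hashes(store))
    print("current user logs in:", verify_password("correct horse battery staple", store["current_user"]))
```

Today a deliberately slow KDF (bcrypt, scrypt, Argon2) is the stronger choice for new systems; salted SHA-512 is used here because that is the scheme the notice describes.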
When Facebook users click on a malicious link, it may alter Profile settings that need to be repaired and better secured, as noted in the link below:
How to Clean Up Your Facebook Account After Getting Scammed
QUOTE: Have you clicked the link to a Facebook message like that? Typically it brings you to a survey at which you're asked to install an application. If you follow all the instructions you'll end up spreading the same things to your friends. This sort of thing is really common on Facebook. Thanks to Graham Cluley for writing a blog and video on how to clean your profile up after making such a mistake. Here's the video.
The Internet Storm Center reports an increase in malware domains ending in .in
Malware Domains 2234.in, 0000002.in & co
QUOTE: Those of you watching the malware universe have no doubt noticed the recent increase of malicious sites with ".in" domain names. The current set of names follow the four-digit and seven-digit pattern. Passive DNS Replication like RUS-CERT/BFK shows that a big chunk of these domains currently seems to point to 22.214.171.124 (AS24965) and 126.96.36.199 (AS50877). The former Netblock is in the Ukraine (where else), the latter likely in Moldavia. Both show up prominently on Google's filter (AS24965,AS50877), Zeustracker, Spamhaus (AS24965,AS50877) and many other sites that maintain filter lists of malicious hosts.
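The post gives a usable detection signature: the malicious names are four- or seven-digit labels directly under .in. As an added example (not from the ISC post), the script below applies that pattern to constructed resolver query-log lines in a BIND-style format and reports the source address and name of each hit; it also reduces subdomains to their registrable name so mail.1234.in is caught.

```python
# Added example: flag DNS queries for the numeric ".in" domains the post
# describes (2234.in, 0000002.in): labels of exactly four or seven digits.
import re

# Four- or seven-digit label directly under .in
NUMERIC_IN = re.compile(r"^(?:\d{4}|\d{7})\.in$", re.IGNORECASE)

# Constructed resolver log lines; a BIND-style query log format is assumed.
SAMPLE_LOG = """\
27-Dec-2010 10:02:11.301 client 10.0.0.15#51234: query: www.example.com IN A +
27-Dec-2010 10:02:12.019 client 10.0.0.22#40221: query: 2234.in IN A +
27-Dec-2010 10:02:12.877 client 10.0.0.22#40222: query: 0000002.in IN A +
27-Dec-2010 10:02:13.104 client 10.0.0.31#33012: query: mail.1234.in IN MX +
27-Dec-2010 10:02:14.550 client 10.0.0.15#51235: query: 12345.in IN A +
27-Dec-2010 10:02:15.002 client 10.0.0.40#60001: query: news.in IN A +
"""

QUERY = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def is_numeric_in_domain(qname):
    """True when the registrable name (last two labels) matches the 4- or 7-digit .in pattern."""
    labels = qname.rstrip(".").split(".")
    return bool(NUMERIC_IN.match(".".join(labels[-2:])))


def flag_queries(log_text):
    """Return (source_ip, qname) for every query line that hits the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m and is_numeric_in_domain(m.group("qname")):
            hits.append((m.group("src"), m.group("qname")))
    return hits


if __name__ == "__main__":
    for src, name in flag_queries(SAMPLE_LOG):
        print(f"{src} looked up {name}")
```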
Avoid these emails that appear to come from iTunes. They direct users to a fake website, where a Java scripting exploit can infect PCs that are not up-to-date on security.
Fake iTunes email isn't a phish, it's a 'sploit
QUOTE: An email making the rounds makes the innocent claim that “it is possible that your account password has been stolen”. Actually, no. The site serves a malicious script. Nevertheless, the exploits served are six to eight months old — CVE-2010-0886 (a Java exploit) and CVE-2010-1885 (a cross-site scripting method that exploits a vulnerability in Windows Help). Downloading the latest version of Java and ensuring you’re up-to-date on Windows patches will protect against any attack.
F-Secure offers an informative post related to the growing trend of Facebook and other social networking SPAM.
Social Networking SPAM - Comprehensive Q&A by F-Secure
A new vulnerability in Internet Explorer has been discovered. While exploits have not spread into the wild yet, users should be cautious in visiting any unusual and potentially malicious websites.
Microsoft Security Advisory (2488013)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
QUOTE: This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). The issue manifests itself when a specially crafted web page is used and could result in remote code execution on the client.
Microsoft's EMET provides an easy-to-use configuration tool for improving PC security:
Microsoft EMET - Enhanced Mitigation Experience Toolkit v2.0
QUOTE: Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:
1. No source code needed: Until now, several of the available mitigations (such as Data Execution Prevention) have required an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available and when source code is not available.
2. Highly configurable: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.
3. Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder for hackers to exploit vulnerabilities in the legacy software.
4. Ease of use: The policy for system wide mitigations can be seen and configured with EMET's graphical user interface. There is no need to locate and decipher registry keys or run platform dependent utilities. With EMET you can adjust settings with a single consistent interface regardless of the underlying platform.
5. Ongoing improvement: EMET is a living tool designed to be updated as new mitigation technologies become available. This provides a chance for users to try out and benefit from cutting edge mitigations. The release cycle for EMET is also not tied to any product. EMET updates can be made dynamically as soon as new mitigations are ready.
While Windows 7 and Office 2010 are much more secure than prior operating systems, it's still essential to ensure a new PC is updated with all Microsoft security patches, as well as all other vendor software (e.g., Adobe Flash). This should be done immediately, along with setting up complex passwords, limited accounts, and other safety measures.
December 2010 - Very Large Security release
Windows Update Site
(Choose the new Microsoft update to also include Office and other Microsoft products)
This application will open up your entire Facebook account allowing spammed messages to be sent from it to all your contacts. There are no applications that can truly show you "who looked at your Facebook account". Instead, this dangerous application opens up your Facebook security so that the bad guys can LOOK and USE your account. Avoid installing ANY Facebook application unless you are sure it's safe.
Creeper Tracker Pro creeps around on Facebook
QUOTE: Is it time to examine another Facebook scam? ... Why yes, it is ... This website takes the form of the familiar “find out who is watching you” wheeze so beloved by scammers everywhere. Something to note: although it claims “1,601,636 people like this”, that’s just part of the background graphic (it’s completely fake). Checking out the application page tied to this one tells us they have “15,034 monthly users” which doesn’t really tally with over a million Likes, does it? Anyway, hitting the Login button and filling in your details will prompt you to give the “application” access to your profile.
A good list of recommendations to improve privacy controls:
Kim Komando - Top 10 Privacy Tips for 2010
QUOTE: I looked back through the Privacy tips from 2010 and selected the 10 most-read. There's a wide variety of topics covered here. And they're all important for your privacy. Make sure you're protected from these threats!
1. 5 Facebook privacy settings you need to know about now
2. How to let nosy guests on your PC or Mac during holidays
3. What you reveal to Web sites
4. How Flash cookies threaten your privacy
5. Free tools to erase data for good
6. How to check a Website for proper security during e-commerce
7. Avoid rogue security software
8. Keep your passwords safe in one place
9. Protect your data before sending computers in for repairs
10. How to remove keyloggers from your computer
An interesting discussion and humorous flowchart can be found in the link below. I'm friends with both of our children and they are also Facebook contacts. The key for any user is to not share information or photos in this highly public setting that they may regret later. Even deleted entries could show up later when prospective employers conduct Internet searches, so everyone should remain cautious. Privacy settings must also be set to high for additional protection.
Should You Friend Your Parents on Facebook?
The TDSS rootkit family is one of the most advanced malware attacks circulating. This analysis by Kaspersky Lab shares a recent modification to TDL4 to use a new unpatched Windows vulnerability.
TDSS Rootkit - TDL4 Starts Using 0-Day Vulnerability
QUOTE: In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE-2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.
Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows. After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with the regular user privileges. An attempt to inject into the print spooler process terminates with an error (ERROR_ACCESS_DENIED).
New modifications, however, attempt to use the 0-day exploit to escalate their privileges up to LocalSystem level. TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.
Always be careful when you use the ALLOW access function within your Facebook account. This function differs from the LIKE capability and may lead to spam advertising posts on your wall or your friends' walls.
Facebook: be wary of those “requests for permission”
QUOTE: In Facebook, it is important to think about who you give access to. If you give permission to scammers, your account then becomes their spam tool. To illustrate, we followed one of those tiresome posts. Following the link required you to give an account named “world-news” permission to:
-- post messages to your Facebook wall
-- access all Facebook account data
-- log in AS the Facebook account owner.
Had you followed this, here’s what would have appeared on your Facebook wall and on friends’ walls overnight: a post that appeared to be from your account, “The earth is a spaceship”, with a shortened link. However, the link leads to insurance and other advertisements.
New image tag attacks may be surfacing as noted in this warning by PC Magazine:
New on Facebook: Image Tag Spam
QUOTE: There's always a new way to misuse complex software systems and Facebook is fertile ground for such things. The latest—at least I haven't seen it before—is image tag spam. This involves tagging a user on an image that contains spam content. That user's friends will get a message that he was tagged, so you want to tag users with lots of friends. The image nearby is a test, but makes the basic point.
So how is it done? After all, you can generally only tag users who are your friends. In this case, the image belonged to a group which my friend didn't "Like" so it seemed out of the blue. We still haven't figured out exactly what happened; Facebook didn't respond to my inquiry on it and the image is still up in spite of my friend reporting it as abusive. But I think that either one of my friend's Facebook friends did the tagging intentionally or one of them got his account hijacked.
I have used some of these tools for many years, and there are many new additions and some recent updates (e.g., AutoRuns, Process Explorer, VMMap, etc.). These are great tools to evaluate start-up processing or key system information.
Microsoft SysInternals - Master List of Utilities
Microsoft SysInternals - Blog
McAfee Labs highlights the need for improvements in mobile phone browser security.
Mobile Phones - The need to strengthen current browser security
QUOTE: In the last week there have been a few vulnerability disclosures for mobile web browsers. These threats affect a number of smart-phone platforms: Android (Google), WebOS (Palm), and iOS (Apple). Although all three platforms have their own apps and environments, it’s interesting that they’re all vulnerable through the same entry point of the mobile browser.
- Palm WebOS -- XSS and mobile botnets: The researchers found a cross-site scripting (XSS) flaw, a floating-point overflow bug, and a denial-of-service vulnerability. Palm has patched the XSS vulnerability in the upcoming WebOS 2.0 release, but the other two flaws are not yet fixed.
- Apple iOS -- Spoofing sites/phishing: security researcher Nitesh Dhanjani points out the possibility of spoofing websites in Safari on the iPhone. Safari hides the address bar after a site has completely loaded. This lets attackers present their own versions of the address bar that lists a banking or shopping site rather than their own. Dhanjani has provided a proof-of-concept site for the iPhone that masquerades as a banking site.
The FTC's proposed Privacy Plan for 2011 includes a privacy option to eliminate website history tracking within browsers. There are some provisions in the latest editions of Internet Explorer (InPrivate), Chrome (Incognito), Firefox (Private mode), and other browsers. However, this new standard approach could be easier to use than current techniques.
FTC Privacy Plan Includes 'Do Not Track' Browser Option
QUOTE: The Federal Trade Commission on Wednesday unveiled an online privacy proposal that includes a "do not track" suggestion for browsers that would prevent them from collecting a Web user's online history. The "do not track" option would be similar to the agency's "do not call" list. Just like a consumer can choose not to receive calls from telemarketers, they could choose not to be tracked on the Web. As a result, their Web-surfing history would not be sent to third-party sites and their activity would not be used to serve up targeted advertisements, among other things. At this point, the proposal is just a suggestion. The FTC is asking stakeholders to comment on this and other facets of the plan by January, and the agency will release a final proposal sometime next year.