December 2012 - Posts
While Mozilla Firefox and other Mozilla products have been built with good security controls over the years, major improvement programs are planned for the coming year:
QUOTE: We recently announced a reboot of our efforts to engage with security contributors at Mozilla. Today our strongest and most lasting contributor relationships are with individuals searching for bug bounties. While this program has been very successful, this model sets up a relationship where the only tangible contribution is a bug that may or may not result in a bounty. Instead we want to encourage growth in knowledge from those willing to learn, the creation of open source tools for security work and recognize the natural asymmetric challenges of an open source project that competes with closed source offerings.
Three new areas of focus in 2013:
1. Contributor & Security Contributor
2. Security Champions
3. Security Mentors
Facecrooks Security notes this new Facebook scam offering free Disney tickets:
Scam Message: Get 4 FREE Disneyland Tickets (Merry Christmas)
Scam Type: Survey Scam / Bogus Offer
Trending: December 2012
Why it’s a Scam: Clicking the wall post link takes you to the following page. Step 1 requires you to share a message to your Facebook profile. This is how the scam is spreading so quickly on Facebook. Think before you click, so you aren’t willingly spreading scams and spam messages to your friends. Step 2 requires you to comment on the page, and step 3 requires you to like the scam page. All three of these actions are designed to spread this scam virally across Facebook. Look at how successful the ruse is – almost 6.5 million likes so far!
This new Microsoft advisory warns users about targeted attacks in progress against older versions of Internet Explorer. Key Microsoft resources for Security Advisory 2794220 are noted below:
QUOTE: In this particular vulnerability, IE attempts to reference and use an object that had previously been freed. The components of an exploit for such a vulnerability are typically the following:
* Heap spray or similar memory preparation to ensure the memory being accessed after it has been freed is useful
* A way around the ASLR platform-level mitigation
* A way around the DEP platform-level mitigation
We’ve analyzed four exploits, all the targeted attacks we have seen. They are all very similar:
* Flash ActionScript-based heap spray
* ASLR bypass using either Java6 MSVCR71.DLL or Office 2007/2010 hxds.dll
* DEP bypass via chain of ROP gadgets (different ones depending on ASLR bypass)
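The three exploit components in the Microsoft quote above rest on the first one: the freed object's memory has to be reclaimed by attacker-controlled data before the stale pointer is used, otherwise the "use" simply finds the old object still sitting there. The C program below is an added example written for this page; it is not Microsoft's analysis and not code from Internet Explorer. Its 32-byte slot allocator, the widget_t object standing in for a C++ object with a vtable pointer, and the 0x0c0c0c0c spray word are all constructed for illustration. It reads the stale pointer three ways: with the freed slot left alone (the original handler is still there), after a same-size attacker allocation reclaims the slot (the word read is attacker-chosen), and with the alias cleared at release time (the use is refused).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap for the demonstration: fixed 32-byte slots, and a freed slot is
 * the first one handed out again (LIFO).  Real allocators give the same
 * property per size class, which is what an attacker relies on.
 * (Constructed for this example, not any real allocator.) */
#define SLOT_SIZE 32
#define NSLOTS    8

static union { unsigned char bytes[NSLOTS * SLOT_SIZE]; uintptr_t align; } heap_u;
#define slab (heap_u.bytes)
static int free_stack[NSLOTS];
static int free_top;

static void toy_heap_reset(void) {
    memset(slab, 0, sizeof slab);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        free_stack[free_top++] = i;      /* slot 0 ends up on top, handed out first */
}

static void *toy_alloc(void) {
    return free_top ? slab + free_stack[--free_top] * SLOT_SIZE : NULL;
}

static void toy_free(void *p) {
    free_stack[free_top++] = (int)(((unsigned char *)p - slab) / SLOT_SIZE);
}

/* An object whose first word is a function pointer, standing in for a C++
 * object's vtable pointer. */
typedef struct {
    void (*on_click)(void);
    char  label[SLOT_SIZE - sizeof(void (*)(void))];
} widget_t;

void real_handler(void) { puts("real handler"); }

/* Pointer-sized pattern the attacker fills reclaimed memory with (constructed). */
#define SPRAY_WORD ((uintptr_t)0x0c0c0c0c)

/* Vulnerable pattern: the widget is freed while `dangling` still refers to it,
 * and the stale pointer is read afterwards.  Returns the function-pointer word
 * seen through the dangling pointer (compared, never called).  With
 * attacker_sprays == 0 the freed slot is untouched and the old handler is
 * still there; with 1, a same-size attacker allocation reclaims the slot
 * first, so the word read is attacker-chosen. */
uintptr_t uaf_reclaim_demo(int attacker_sprays) {
    toy_heap_reset();
    widget_t *w = toy_alloc();
    w->on_click = real_handler;
    strcpy(w->label, "ok");

    widget_t *dangling = w;       /* second reference that nobody clears */
    toy_free(w);                  /* object released, slot back on the free list */

    if (attacker_sprays) {
        /* "Memory preparation": a same-size allocation lands in the freed slot. */
        uintptr_t *spray = toy_alloc();
        for (size_t i = 0; i < SLOT_SIZE / sizeof(uintptr_t); i++)
            spray[i] = SPRAY_WORD;
    }

    uintptr_t seen;
    memcpy(&seen, dangling, sizeof seen);   /* the "use" after free */
    return seen;
}

/* Hardened pattern: the release clears every alias and the use checks for
 * NULL first, so the reclaimed slot is never read.  Returns 0 when the use
 * was refused. */
uintptr_t cleared_alias_demo(void) {
    toy_heap_reset();
    widget_t *w = toy_alloc();
    w->on_click = real_handler;
    widget_t *other_ref = w;

    toy_free(w);
    other_ref = NULL;             /* invalidate the alias at release time */

    uintptr_t *spray = toy_alloc();
    for (size_t i = 0; i < SLOT_SIZE / sizeof(uintptr_t); i++)
        spray[i] = SPRAY_WORD;

    if (other_ref == NULL) return 0;        /* stale use refused */
    uintptr_t seen;
    memcpy(&seen, other_ref, sizeof seen);
    return seen;
}

int main(void) {
    printf("no spray : 0x%lx (real_handler at 0x%lx)\n",
           (unsigned long)uaf_reclaim_demo(0), (unsigned long)(uintptr_t)real_handler);
    printf("spray    : 0x%lx\n", (unsigned long)uaf_reclaim_demo(1));
    printf("hardened : %lu\n", (unsigned long)cleared_alias_demo());
    return 0;
}
```

In a browser the reclaiming allocation is made from script (the quote mentions a Flash ActionScript heap spray), and the word that lands in the vtable slot points into sprayed memory so that a virtual call goes where the attacker wants; that call is where the ASLR and DEP bypasses in the quote come in. This example stops at showing that the stale read returns the attacker's word.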
Trend Labs forecasts more targeted attacks in 2013:
QUOTE: In his 2013 predictions, our CTO Raimund Genes predicts that there will be increasing sophistication in malware attacks, not necessarily in the technical aspects of the malware itself but in the deployment of an attack. Moreover, he believes that such attacks will increasingly have a destructive capacity and that it will be challenging to determine attribution. Building on these points, I predict the following trends for 2013:
* There will be an increasing specificity in targeted attacks, especially as knowledge of some of the noisier APT campaigns is increasingly publicized.
* While we are used to targeted attacks that are motivated by espionage, 2013 will see a rise in attacks with a destructive capacity.
* In 2013, there will be an increasing recognition that social, political and economic indicators must be used in conjunction with technical indicators to fully assess and analyze targeted attacks.
With limited staff in place over the holidays, targeted attacks during that period are a concern for enterprise security:
QUOTE: Are businesses more susceptible to attack over major holidays? With so many organizations running skeleton crews as employees take time off to be with their friends and families, many people seem to think so. In an online survey of 270 security and IT professionals, about 57 percent said their companies may be more vulnerable to security attacks during major holidays such as Christmas or New Year's. Breaking down by job function found that 61 percent of security professionals were concerned, compared to 54 percent of business stakeholders. The survey, which was conducted between Nov. 8 and Nov. 19, was commissioned by nCircle and conducted by Dimensional Research.
While it's hard to tell if there are more Web attacks, such as denial of service, hacked Web applications, or network breaches, during major holidays (since criminals also like to celebrate the holidays too), there are more malware and malicious e-mail based attacks during this period. Cyber-criminals like to craft their phishing and spam campaigns that are specific to the holiday to increase the likelihood of the recipient falling for the scam. In a recent interview with SecurityWatch, former New York City Mayor Rudy Giuliani called the holidays a "gold mine" for identity theft.
ESET Security highlights a new bootkit called Gapz, which uses sophisticated techniques to infect and hide in vulnerable systems:
QUOTE: This new bootkit technique allows the malware to execute its code before the OS loader receives control, using only a few modifications to the VBR (highlighted as “BIOS Parameter Block modification” in the figure above). This brand new technology was seen for the first time in the latest modification of the Win32/Gapz bootkit. (You can read about its sophisticated dropper in a recently published blog.) The latest modification of the Win32/Gapz bootkit infects the VBR of the active partition. What is remarkable about this technique is that only a few bytes of the original VBR are affected. This makes the threat stealthier. The essence of this approach is that Win32/Gapz modifies the “Hidden Sectors” field of the VBR while all the other data and code of the VBR and IPL remain untouched.
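One check a practitioner can run against the tampering ESET describes: on an MBR disk the Hidden Sectors field in the NTFS BIOS Parameter Block records the number of sectors preceding the partition, so it should equal the start LBA of that partition in the MBR partition table, and a modification that leaves the VBR code untouched but changes this field shows up as a mismatch. The C program below is an added example for this page, not ESET's tool and not Gapz code. Its two 512-byte sectors are constructed in code rather than read from a disk, and it assumes a single active NTFS partition on an MBR-partitioned disk, which is the layout the quote refers to (the active partition's VBR).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR 512

/* Little-endian field access; BPB and partition-table fields are LE. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* NTFS VBR layout (offsets from the start of the boot sector). */
#define OEM_ID_OFF        0x03   /* "NTFS    " */
#define BYTES_PER_SEC_OFF 0x0B
#define SEC_PER_CLUS_OFF  0x0D
#define HIDDEN_SECS_OFF   0x1C   /* DWORD: sectors preceding the partition */
#define BOOT_SIG_OFF      0x1FE  /* 0x55 0xAA */
/* MBR: four 16-byte partition entries at 0x1BE; status at +0, start LBA at +8. */
#define PART_TABLE_OFF    0x1BE

/* Start LBA of the active (bootable) MBR partition, or 0 if there is none. */
uint32_t active_partition_lba(const uint8_t *mbr) {
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PART_TABLE_OFF + 16 * i;
        if (e[0] == 0x80) return le32(e + 8);
    }
    return 0;
}

/* The VBR code adds Hidden Sectors to partition-relative sector numbers when
 * it reads the IPL that follows the VBR, so a changed field makes that read
 * land somewhere else while every byte of code stays intact.  Comparing the
 * field with the partition table is the check.
 * Returns 0 = consistent, 1 = mismatch, -1 = not an NTFS boot sector. */
int check_hidden_sectors(const uint8_t *mbr, const uint8_t *vbr,
                         uint32_t *expected, uint32_t *actual) {
    if (le16(vbr + BOOT_SIG_OFF) != 0xAA55 ||
        memcmp(vbr + OEM_ID_OFF, "NTFS    ", 8) != 0)
        return -1;
    *expected = active_partition_lba(mbr);
    *actual   = le32(vbr + HIDDEN_SECS_OFF);
    return (*expected == *actual) ? 0 : 1;
}

/* Constructed sample sectors for the demonstration (not dumps of a real disk). */
void make_mbr(uint8_t *mbr, uint32_t start_lba) {
    memset(mbr, 0, SECTOR);
    uint8_t *e = mbr + PART_TABLE_OFF;
    e[0] = 0x80;                 /* active */
    e[4] = 0x07;                 /* type: NTFS */
    put32(e + 8, start_lba);
    mbr[BOOT_SIG_OFF] = 0x55; mbr[BOOT_SIG_OFF + 1] = 0xAA;
}

void make_ntfs_vbr(uint8_t *vbr, uint32_t hidden_sectors) {
    memset(vbr, 0, SECTOR);
    vbr[0] = 0xEB; vbr[1] = 0x52; vbr[2] = 0x90;   /* jmp over the BPB */
    memcpy(vbr + OEM_ID_OFF, "NTFS    ", 8);
    vbr[BYTES_PER_SEC_OFF] = 0x00; vbr[BYTES_PER_SEC_OFF + 1] = 0x02;  /* 512 */
    vbr[SEC_PER_CLUS_OFF] = 8;
    put32(vbr + HIDDEN_SECS_OFF, hidden_sectors);
    vbr[BOOT_SIG_OFF] = 0x55; vbr[BOOT_SIG_OFF + 1] = 0xAA;
}

/* Run the check on a constructed disk whose active partition starts at
 * LBA 2048 and whose VBR carries the given Hidden Sectors value. */
int scan_constructed_disk(uint32_t hidden_sectors) {
    uint8_t mbr[SECTOR], vbr[SECTOR];
    uint32_t expected = 0, actual = 0;
    make_mbr(mbr, 2048);
    make_ntfs_vbr(vbr, hidden_sectors);
    int r = check_hidden_sectors(mbr, vbr, &expected, &actual);
    printf("partition start %u, HiddenSectors %u -> %s\n", (unsigned)expected, (unsigned)actual,
           r == 0 ? "consistent" : r == 1 ? "MISMATCH (VBR field tampered?)" : "not NTFS");
    return r;
}

int main(void) {
    scan_constructed_disk(2048);        /* clean install: field matches the table */
    scan_constructed_disk(2048 + 4096); /* field pointed elsewhere, code untouched */
    return 0;
}
```

To use this on a real machine, read sector 0 and the active partition's first sector from the raw device and pass those buffers in. Do the read from clean boot media rather than from the running system: a bootkit that gains control before the OS loader can filter what disk reads return, so the sectors seen from inside the infected OS may not be the ones on the platter.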
Mobile malware symptoms and prevention techniques are shared below:
QUOTE: Here are a few questions to ask yourself to identify if your device is being overrun by malware:
1. Notice unfamiliar charges on your phone bill?
2. Is your phone acting crazy? If your phone starts acting crazy, strangely opening and closing apps, or sending text messages by itself, your phone might be compromised.
3. Is your battery draining extremely fast? Because malware apps can run constantly in the background, it is inevitable that they will run down your battery much faster than normal.
Keeping your phone safe from malware is easy if you take the right precautions when downloading apps. Follow these simple tips to keep your mobile experiences safe and sound:
1. Keep the software on your device up to date.
2. Be careful around third-party app stores.
3. Be careful where you click. Some malware comes embedded in drive-by-download website links that automatically download a malicious app to your device without your prior approval.
4. Download a mobile security app to protect you. Downloading a security app, like Lookout, that has app and link scanning capabilities will help you be safer and better protected on your mobile device.
Since a contract between two parties must be understood by both, the article notes that deceptive fine print may be less likely to stand up in court in the future:
QUOTE: Consumers hate fine print, but emotions rarely carry the day in courtrooms. So corporations have been having a field day with barely readable terms and conditions for some time. In fact, fine-print writers have been emboldened by a recent Supreme Court decision in which the court took their side. But in a new book titled “Boilerplate,” author and lawyer Margaret Jane Radin is taking aim at the intellectual and legal basis of fine print, trying to put a serious dent in the legal argument behind it. "I don't think there's a contract, ever, when something is just dropped on us," Radin said, "especially when there is no option to vote with your feet as a consumer, when there are no alternatives.”
Radin’s point is that contracts, by definition, involve two equal parties that negotiate terms, while fine print is issued on a "take-it-or-leave-it" basis. (Just try to negotiate a lower early termination fee or strike out any clause when you sign a cellphone agreement.) In layman's terms, fine print is merely a list of bad things that can happen to you, the consumer. You might get hit with a penalty fee; your service might be terminated; your right to join a class-action lawsuit is surrendered.
This article is a reminder to keep high standards for safeguarding privacy at every website you are a member of (e.g., Facebook, Twitter, email, etc.):
QUOTE: Instagram's abrupt change of terms this week created a predictable Internet chatter bomb, as Web users erupted in anger that the firm might violate their privacy and property rights. Sadly, there is no such outrage at companies which buy and sell our privacy as their business model — and much less interest in promising efforts to rein them in.
What do they know about you and when did they buy it? The Federal Trade Commission this week joined a series of other agencies, groups, and elected officials now banging on the door of the nation's largest data collection firms, demanding to know just how much of U.S. consumers' lives are tracked by these firms.
Firms you've probably never heard of with names like Axciom, Intellius, Datalogix, and RapLeaf acquire, store, and sell hundreds of pieces of information about you to voracious marketers hungry for an advertising edge. On Tuesday, the Federal Trade Commission announced it had opened an inquiry into the business practices of those four firms and five others like them.
"Many data brokerage companies are engaging in business practices without consumer knowledge or consent — including the collection, use, and sale of personal information about the American public," said Rep. Ed Markey, D-Massachusetts, in a statement supporting the FTC’s action.
For those receiving a new phone during the Christmas and holiday season, some great safety tips are found in this link:
Summary of key security guidelines, with an excellent link below:
1. The Mobile Device is a Computer
2. Stick with Official Channels
3. Stick with Secure Networks
4. Slow and Steady With the Apps
5. Use FCC Checklist below as guide
EXCELLENT LIST BELOW:
This popular free browser has been further hardened against malicious extensions, as noted below:
QUOTE: Google's latest steps will make it harder for malicious developers trying to exploit Chrome users via browser extensions. Extensions are plugins for Google Chrome and allow developers to add extra functionality to the Web browser. Many Chrome extensions are supremely useful, such as Ghostery, which quickly and easily detects and blocks Web trackers tagging your movements across the Web, the goo.gl URL shortener, and ViewThru, which displays the full URL when mouse-overing a shortened link. Others, like the "Change Your Facebook Color" extension pointed out by Webroot, are privacy-violating scams peeping at the browsing history and data from other Web sites. Spam-spewing extensions also exist.
AV-Test recently published test results for leading AV security suites, as noted in the following link:
QUOTE: Once you settle on your preferred security suite, most likely you'll stick with it for the long haul. It's important to choose a tough, effective suite. Researchers at AV-Test evaluated 17 major security suites over a period of 22 months and just published their results as "The Ultimate Endurance Test for Internet Security Suites." Each suite underwent ten rounds of testing under various Windows versions between January 2011 and October 2012, so in most cases the tests spanned multiple product versions. Bitdefender Internet Security earned the highest score, but others weren't far behind.
For safe mobile phone experiences, users should be careful with every application they install (especially non-mainstream apps that promise free games or other services):
As botnets go, the Android SMS botnet was "an unsophisticated attack," Andrew Conway, a security researcher with Cloudmark, wrote on the company blog Dec. 16. An SMS message offering free games or other scams tricks users into downloading a malicious app from a third-party app store onto their Android devices. Once installed, the app can send SMS spam messages to other users without the user's permission or knowledge.
Lookout Mobile Security has dubbed this family of malware SpamSoldier and noted that the malicious app takes steps to hide its stealthy activities. The icon is removed from launcher so the user doesn't know the app is running, outgoing spam texts are not logged, and incoming SMS replies are intercepted so that the user "remains blissfully unaware," said Lookout's senior product manager Derek Halliday.
"You better have an unlimited message plan or your phone bill may come as a bit of a shock," Conway wrote on Cloudmark's blog.
To ensure that real people, rather than malicious programs, are using a resource, CAPTCHA controls continue to become more complex and may even challenge users with math problems. The goal is to keep automated spam agents from signing up for email accounts or forum groups. As the article notes, this also makes the same resources harder for legitimate users to get into.
The CAPTCHA system was invented around 2000 by a team of researchers at Carnegie Mellon University in Pittsburgh. The team came up with the CAPTCHA acronym, which stands for "Completely Automated Public Turing Test to Tell Computers and Humans Apart." (It's not a perfect acronym.) According to the Carnegie Mellon website, the first CAPTCHAs were developed for Yahoo to prevent automated programs from rapidly setting up free email accounts, which would in turn be used to pump out spam.
Then I was confronted with a "CAPTCHA" — one of those hard-to-read, squiggly collection of letters and numbers that ensure you're a real person and not a "bot" trying to game the system. "To tell you the truth, they are getting harder to read, even for me, but the 'bots' that leave spam on your site are getting better at recognizing the CAPTCHAs as well," Lyons said. "When we first started using them, a functional CAPTCHA just used a couple of funny fonts and some lines through the text to make it hard for machines to read. Then the bots got smarter, and [now] we are all struggling with reading the CAPTCHAs."
While a number of humorous links and photos are circulating on Facebook and in email, please be careful and avoid clicking on any suspicious items:
QUOTE: If you haven't been paying attention to the news for the last year, or haven't been visiting my always-updated Breaking Tech News page, you might not know that the world is supposed to end tomorrow. At least that's what some people believe based on sensationalized and inaccurate information about the Mayan calendar
My rule is if you aren't sure, don't click. Whatever cool pictures or information you might miss isn't worth the risk of accidentally grabbing a virus instead. It goes without saying - but I'm going to say it anyway - that you should have up-to-date security software installed to catch viruses and other dangers before they infect your system. If you don't have security software, you can download excellent free programs from my Security Center.
Some excellent tips on donating safely, and on techniques to ensure that gifts reach the people who are in need:
QUOTE: Earlier in the week we've mentioned that people should be on the lookout for "fake" charities trying to exploit the Sandy Hook tragedy. About 150 or so domains have been registered that are "suspect" and about a dozen I can safely say are fraudulent. Some basic steps we already know about how to deal with this:
* Only deal with charities that are already known to you (i.e. the Red Cross) or that you have a personal relationship (your church or church-related organization, local civic group, etc).
* Don't donate to charities simply by clicking on an e-mail; affirmatively go to website to donate directly.
* Always be sure to check for real contact information, if you don't see anything, don't donate.
That said, let's say you find a website and you want to "verify" whether it is suspect or not. There are several things you can do. Advance warning, this is US-centric mostly because I don't know "charity" laws in other countries, if someone would like to clue me in how to do similar in other countries, feel free to contact me directly.
1. Check the domain registration using WHOIS. An online WHOIS tool is here. If it is a "private registration", it is suspect; move along.
2. Check with the IRS whether the organization is, in fact, tax exempt. Their lookup tool is here. If the website doesn't have an organization name, it's suspect. If they are talking to you, try to get their tax ID (or FEIN) number. Ask for a copy of their IRS Form 990 (which they are required to disclose). Many states also require charities to register themselves and you can search those filings online as well.
3. Check with Guidestar which is sort of a Consumer Reports / Better Business Bureau for charities.
The ISC notes that several new related domains have been registered and warns that some of them may be fake. My own thoughts and prayers continue for all who were impacted.
QUOTE: Following the tragic events in Newtown, Connecticut last week several new domain names related to those events have been registered. I have little doubt that many of these sites are owned by charitable and caring individuals or organizations who want to assist families in their time of need. Other sites may belong to political organizations who will attempt to further their side of an argument as a result of this tragedy. Still other sites will undoubtedly belong to scammers who will capitalize on people's desire to help by establishing fake charities. I spent a few hours going through many of the newly registered domains. So far most of the sites are still under construction with very little to look at. I expect that will change over the next few days.
This MarketWatch article shares many best practices for password protection:
QUOTE: Don’t believe proclamations that the password is dead. Even with increasingly sophisticated software programs able to rapidly burn through an endless array of possible character combinations, the password is not only alive, but as important as ever. “Passwords are the bane of our existence, but they’re here to stay,” says Hilary Schneider, president of LifeLock, an identity-theft protection company.
Think of the password as a mouse trap. As simplistic as it seems, there’s nothing out there more effective and straightforward for accessing sites like your bank and favorite retailer. “A better system can be developed but it needs to be easy to use before it can have the widespread adoption to abolish the use of the password,” says Cameron Camp, a security researcher for ESET, an antivirus and Internet security provider. “If it’s not convenient, you won’t transact with the bank as much and the bank loses revenue.”
We’ve been told time and again how important it is to have tricky, unique passwords that are known to no one but ourselves. We should make them long and add numbers and symbols to fool the fraudsters combing the Internet for access to our records. And we should always, always have different passwords for each site. But apparently, we’re not listening very well. The annual compilations of “worst passwords ever” are numerous but remarkably similar in their results. Moreover, the top 25 or so passwords are held by an alarmingly large number of people.
Once the Necurs rootkit infects a machine, it can hide itself from the operating system, download additional malware and stop security applications from functioning.
QUOTE: Necurs is a prevalent threat in the wild at the moment - variants of Necurs were reported on 83,427 unique machines during the month of November 2012. Necurs is mostly distributed by drive-by download. This means that you might be silently infected by Necurs when you visit websites that have been compromised by exploit kits such as Blackhole. So what does Necurs actually do? At a high level, it enables further compromise by providing the functionality to:
1. Download additional malware
2. Hide its components
3. Stop security applications from functioning
In addition Necurs contains backdoor functionality, allowing remote access and control of the infected computer. Necurs also monitors and filters network activity and has been observed to send spam and install rogue security software. Nefariousness aplenty. See our Trojan:Win32/Necurs family write-up for the full details.
Some key attack vectors for next year have been identified by Trend Labs:
QUOTE: A dramatic shift in the modus operandi of cybercriminals will occur in 2013. I predict five major shifts in attack vectors:
- Man-in-the-browser attacks will flourish as automated transfer system attacks become mainstream due to the advent of mobile banking. Inserting nano-ware into the browser allows for criminals to bypass two factor authentication and thus insert themselves into the encrypted channel. This was seen with the Automatic Transfer System module for Zeus and SpyEye.
- Watering hole attacks will grow in popularity as polluting trusted websites is a far better targeted attack methodology than targeting individual users.
- Mobile malware will metastasize and become more insidious and automated to include proximity attack capabilities.
- Cross platform attacks like Jacksbot will become mainstream.
- Hypervisor attacks on cloud infrastructures will begin in earnest, in order to move closer to data.
As the modus operandi of cybercriminals evolves, so must our defense in depth strategy. Cybersecurity investments must shift towards continuous monitoring and advanced threat protection if we are to civilize cyberspace and sustain Web 3.0. If we build it they will come, but they will not all be righteous. To find out more about our 2013 predictions, check our predictions document titled Security Threats to Business, the Digital Lifestyle, and the Cloud.