April 2013 - Posts
Twitter's memo to news organizations shares several protective practices, summarized as follows:
QUOTE: Several Twitter accounts belonging to the United Kingdom's Guardian were hit by the Syrian Electronic Army over the weekend, and last week, Associated Press, CBS News, and BBC were also hacked. SEA threatened to keep up its attacks because Twitter keeps suspending its account. Several of the recommendations fall under basic Security 101 and are tips anyone should follow, for both their personal accounts as well as shared ones.
Twitter encouraged users to change passwords, select strong passwords, and be on the lookout for suspicious communications that may be part of a spear phishing campaign. All organizations, not just media, should be aware of potential phishing attacks. "These incidents appear to be spear phishing attacks that target your corporate email. Promoting individual awareness of these attacks within your organization and following the security guidelines below is vital to preventing abuse of your Twitter accounts," the memo said.
Since Twitter uses email for password resets and official communications, users need to keep their email accounts secure, first by selecting strong (and different!) passwords. If two-factor authentication is available on the email account, it should be enabled, Twitter suggested. Users should never send passwords via email, even internally, Twitter warned. That way, attackers can't find the password of the account through someone else's archived messages.
Initially, I saw this as a POC against simulation software and certainly a wakeup call to promote safety. However, Hugo Teso's comments below are worth noting: he described software exploits and vulnerabilities that, with the right delivery system, could potentially be manipulated. While there are limitations on what can be accomplished, there are many mitigating controls that make this impractical currently. Still, industrial automation and especially remote control systems must be as secure as possible.
QUOTE: After reading some of the news related to my talk at HITB 2013, I am writing this post with the goal of clarifying some misunderstandings, probably due to the lack of time I had during the talk, because I omitted details or other reason. Some of the most common wrong statements I have seen are related to:
- The Android application: No, the Android application I developed cannot attack an airplane by itself. This application is just a user interface that sends commands to the base station and receives feedback. Without the base station, and all the other hardware shown on the slides, the application is by itself useless.
- The flight simulator: I did not find the vulnerabilities in the flight simulator; I found all the vulnerabilities in real software and hardware of on-board aircraft systems.
- ACARS exploitation: No, I did not attack ACARS, nor ADS-B. I just used those protocols to send and receive information to/from the aircraft. Exploits and payloads are delivered using those protocols but I don't attack them. That would be like saying that an exploit attacks TCP just because it is delivered via the network.
- Real airplanes: No, none of my tools or code can be used directly against real aircraft. I did this on purpose and kept it this way, but the vulnerabilities I found apply to real aircraft systems and code.
- Old hardware: For my research I targeted both old FMS models (dating back to the 70s) as well as some of the newest ones (two or three years old).
- Exploitability: I understand the skeptical community saying "this is not possible because ACARS does not offer commands for doing X or Y". Once again, I only used ACARS as a communication channel and my research targeted the FMS. So, have you ever heard of memory corruption? Also, when I mentioned "No rootkit" I was referring to the fact that hiding is currently not necessary so it was not implemented, not that the post-exploitation did not include hooking.
A counter-response in this thread documents some key safety controls that make the scenario described very difficult to achieve (comments of this type led to the clarifications above).
Intego Security notes the benefits of outbound protection, which catches malware on an infected computer attempting to connect to the Internet. Host firewalls such as the OS X application firewall offer only inbound protection; outbound filtering adds the ability to detect and block malware phoning home.
QUOTE: The other day, we mentioned that the OS X application firewall provides only inbound protection. I imagine there are some of you who are wondering what exactly that entails, and more specifically, how that differs from what’s in Intego’s products. Well, guess no more! Here’s a handy explanation about the difference between incoming and outgoing firewall protection.
As you may imagine, inbound protection protects you from threats that originate outside of your Mac and try to get in. There are many types of automated or direct attacks that this type of protection is useful to combat, and this is the type of protection that OS X’s application firewall provides.
But arguably the more important component, from an anti-malware perspective, is outbound protection. Outbound protection alerts you to attempts to connect out from your machine. There are a lot of legitimate processes on your machine that do need to connect out (such as to get email, surf the web, get or update settings, etc.) but if there is unknown malware on your machine, you want to be able to prevent it from connecting out to send data or to alert its controller.
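As an added example (not code from Intego or from the OS X application firewall), here is the detection half of outbound protection in script form: parse the output of `lsof -i -n -P`, keep only sockets whose peer lies outside the local networks, and flag any process that is not on an allowlist of known-good network clients. The lsof lines, the process names and the allowlist are constructed for the example; running it against a live machine assumes `lsof` is installed (macOS or Linux).

```python
"""Audit outbound connections from `lsof -i -n -P` output.

Added example, not Intego's or Apple's code: the simplest form of outbound
protection is knowing which processes are talking to hosts outside the
local network and whether each is a process you expect to do so.
"""
import ipaddress
import re
import subprocess

# Peers on these networks are not "phoning home" (assumption for the example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Processes expected to talk to the Internet (assumed allowlist).
ALLOWED_CLIENTS = {"Mail", "Safari", "firefox", "Dropbox", "softwareupdated"}

# lsof -i -n -P columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LSOF_RE = re.compile(
    r"^(?P<cmd>.+?)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)

# Constructed sample output; 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32
# are documentation ranges standing in for real Internet hosts.
SAMPLE_LSOF = """\
COMMAND      PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd        1  root    8u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
Mail         412 alice   23u  IPv4 0x3c4d      0t0  TCP 192.168.1.5:52344->198.51.100.7:993 (ESTABLISHED)
Safari       520 alice   41u  IPv6 0x5e6f      0t0  TCP [fe80::1]:52401->[2001:db8::10]:443 (ESTABLISHED)
mDNSResponder 88 _mdnsresponder 9u IPv4 0x7a8b 0t0 UDP *:5353
updaterd    9001 alice    7u  IPv4 0x9c0d      0t0  TCP 192.168.1.5:52611->203.0.113.9:443 (SYN_SENT)
updaterd    9001 alice    8u  IPv4 0x9c0e      0t0  UDP 192.168.1.5:60000->203.0.113.9:53
cupsd        230  root    5u  IPv4 0xb1c2      0t0  TCP 192.168.1.5:49152->192.168.1.20:631 (ESTABLISHED)
"""


def parse_endpoint(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (ip_address or None, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:
        return None, port  # '*' wildcard or unresolved hostname


def is_local(addr):
    """True for wildcard/unknown peers and for peers inside LOCAL_NETS."""
    return addr is None or any(addr in net for net in LOCAL_NETS)


def outbound_connections(lsof_output):
    """Return (cmd, pid, proto, remote_ip, remote_port, state) for every socket
    connected to a peer outside the local networks. Listening sockets and
    unconnected UDP sockets have no '->' and are skipped."""
    found = []
    for line in lsof_output.splitlines():
        m = LSOF_RE.match(line)
        if not m or "->" not in m["name"]:
            continue
        _local, remote = m["name"].split("->", 1)
        ip, port = parse_endpoint(remote)
        if is_local(ip):
            continue
        found.append((m["cmd"], int(m["pid"]), m["proto"], str(ip), port,
                      m["state"] or "-"))
    return found


def phone_home_suspects(lsof_output, allowed=ALLOWED_CLIENTS):
    """Outbound connections held by processes that are not on the allowlist."""
    return [c for c in outbound_connections(lsof_output) if c[0] not in allowed]


def live_suspects():
    """Apply the same check to this machine (requires lsof on macOS/Linux)."""
    proc = subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True,
                          text=True, check=False)
    return phone_home_suspects(proc.stdout)


if __name__ == "__main__":
    for cmd, pid, proto, ip, port, state in phone_home_suspects(SAMPLE_LSOF):
        print(f"{cmd}[{pid}] {proto} -> {ip}:{port} {state}")
```

On the sample data only the unknown `updaterd` process is reported (a TCP connection in SYN_SENT and a UDP socket to the same host); Mail and Safari connect out but are allowlisted, and cupsd only talks to a printer on the LAN. A real outbound firewall does this continuously and before the first packet leaves; a script like this is the audit you run when you suspect a machine is already infected.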
While there was some initial misreporting, commercial aircraft use certified hardware and software that would prevent the situation described in the article. With that said, security must be planned appropriately for aircraft, power plants, automobiles, and other systems that could potentially be manipulated from the outside.
QUOTE: Aviation officials have taken a skeptical view of claims that it's possible to hijack a commercial aircraft using a smartphone, with both the US Federal Aviation Administration (FAA) and the European Aviation Safety Administration (EASA) issuing statements to the effect that it simply couldn't happen. On Wednesday, Spanish security researcher Hugo Teso gave a presentation at the Hack in the Box conference in Amsterdam in which he claimed he had developed an Android app that could allow him to take control of an airplane by feeding misinformation into its in-flight communications systems.
"The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer," the agency wrote, making something of a muddle of the facts. The statement went on to explain that although Teso may have been able to exploit aviation software running on a simulator, as he described in his presentation, the same approach wouldn't work on software running on certified flight hardware.
Lookout Mobile Security warns of a new Android malware family, BadNews, that posed as an advertising network inside Google Play apps and used that channel to push further malware to infected smartphones.
QUOTE: Lookout has discovered BadNews, a new malware family, in 32 apps across four different developer accounts in Google Play. According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times. We notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation. All Lookout users are protected against this threat.
BadNews masquerades as an innocent, if somewhat aggressive, advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network. Because it’s challenging to get malicious code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny.
BadNews has the ability to send fake news messages, prompt users to install applications and send sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps. During our investigation we caught BadNews pushing AlphaSMS, well known premium rate SMS fraud malware, to infected devices.
BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred.
Facecrooks Security notes that a newer version of the "Facebook is shutting down" hoax is circulating.
QUOTE: The same rumors and hoaxes tend to circulate on Facebook time and again. There’s the classic viral message claiming that Facebook is going to begin charging users to access the site, and another popular rumor asserting that if you merely re-post a viral message, you can prevent Facebook from accessing your data. Another old rumor that apparently still has some legs asserts that Facebook will shut down imminently.
Of course, this hoax is patently absurd; Facebook is a publicly traded company whose stock goes for almost 27 dollars a share. It’s one of the biggest tech companies in the world; to announce that it’s going to be shut down because the CEO is stressed out is completely ridiculous, but, for whatever reason, people believe it. It’s important to treat everything you read with a healthy dose of skepticism, particularly on the Internet. Facebook isn’t going away anytime soon, and apparently neither are the hoaxes that spread on it.
Google has recently made some beneficial changes to the Android Play Store, as noted below:
QUOTE: Google has made a number of changes to its Android Play Store ecosystem recently. Part of the reason is that Mountain View has been copping lots of flak for the prevalence of malware in unofficial application markets, often in pirated apps. That's a trifle unfair, since one of the attractions of Android over Apple's iOS is that it's actually possible to shop "off-market" if you wish. Sure, there's a greater risk of shooting yourself in the foot if you do, but you're not forced to live dangerously, and even if you do go outside the Play Store, a little caution goes a long way towards keeping you safe. More realistically, however, Google has been criticized for the appearance of malicious apps in its own Play Store.
An interesting article describes a legal risk of using personally owned phones and tablets for work (BYOD): a device used for work email may be seized and examined during litigation discovery.
QUOTE: If you use your personal smartphone or tablet to read work email, your company may have to seize the device some day, and you may not get it back for months. Employees armed with a battery of smartphones and other gadgets they own are casually connecting to work email and other employer servers. It's a less-than-ideal security arrangement that technology pros call BYOD — bring your own device. Now, lawyers are warning there's an unforeseen consequence of BYOD. If a company is involved in litigation — civil or criminal — personal cellphones that were used for work email or other company activity are liable to be confiscated and examined for evidence during discovery or investigation.
The convenience is hard to ignore, as is the personal touch — workers love picking their own phones — but of course, cost savings is the real driving force. Increasingly, companies are requiring workers to supply their own gadgets at their own cost, the way a restaurant might require waiters to purchase their own uniforms. Even if companies reimburse those employees, there can be a big hidden cost for workers — the possibility of losing their phone for days or months while their company combs through it for data relevant to legal action.
Ransomware is malware that locks a user's PC so that it cannot be used until the demanded payment is made or the malware is removed. A new variant poses as a notice from the FBI and can even activate the user's webcam. Infected users should never pay the fee; instead they should use a reputable removal tool to delete the malware.
QUOTE: Computer users around the globe are being hit by a new kind of virus that freezes their computer and accuses them of committing heinous crimes. The threats sound real enough that victims are coughing up $200 to pay a "fine," and virus writer gangs are netting millions, security firms say. In each case, the accusation appears on a pop-up screen while the virus simultaneously disables the computer. The message often shows the user's IP address and city, and sometimes, recent websites visited by the victim. The most alarming version activates the victim’s webcam, takes his or her picture, and displays it on the warning.
"They are saying, 'we know who you are, where you are, and what you were doing,'" said John Harrison, a security researcher with Symantec. "They attempt to scare the heck out of you." The victim is then offered an option: pay a fine within 72 hours, and the charges will be dropped, while the computer will be restored.
The ISC is collecting reports of fake tech support calls and other social engineering attacks and has close to 200 incidents documented.
QUOTE: We are trying to better understand how common "Fake Tech Support" calls are, and what they are trying to achieve. If you received a call that claims to provide tech support, or another service, only to extract information from you or to trick you into installing malware on your system, please use the form below to report any details.
SUMMARY OF DATA CAPTURED
Facecrooks Security warns of a new application scam that invites users to change their Facebook color scheme (eight colors offered). Users who install the app will spam it to all of their friends and expose their personal data to the app's developer.
QUOTE: Anytime the URL starts off with apps.facebook.com/app_name_here, you should know that Facebook didn’t develop the app. Scammers often try to trick users by promoting apps promising Facebook features, upgrades, etc. If an unsuspecting user installs the application, this will allow them to spam their scam messages to all of your friends. Do you really want to let an unknown (scam) developer have this much access to your Facebook information? These scams are known to use multiple Facebook apps to spread virally across Facebook. Anytime you install a third party Facebook application, you give the application developer access to your personal data. Always be very selective on the apps you install, and only install them from well-known, trusted sources.
PC Magazine recently highlighted key antivirus tools in a roundup article:
* Best Cleanup -- the free Malwarebytes utility excels at cleanup
* Best Installation Experience -- Malwarebytes, Webroot, and Bitdefender are among those that took a five-star rating
* Best Free Antivirus -- Malwarebytes is free, but it's cleanup-only. For ongoing protection, so you won't have to come clean up again next week, consider AVG.
* Best Ongoing Protection -- Norton excels at blocking access to malicious and fraudulent websites. AVG and Webroot were among those that detected almost every threat
As noted in the security awareness post by Facecrooks Security, Facebook users should always be careful about what they post on social networking sites.
QUOTE: At this point in the history of social media, virtually everyone understands that what they say or do online can come back to haunt them. A shocking statistic was revealed this week by The American Academy of Matrimonial Lawyers. They found that 81 percent of their members had used evidence from Facebook and other social networking sites. The use of Facebook evidence in divorce hearings goes beyond just proving infidelity, though there’s plenty of that. According to a study by the Pew Internet and American Life Project, about one in five adult Facebook users use the site for flirting. Lawyers also peruse the site to provide evidence of anger issues, drug problems, or items that could prove useful to their case.
While it may be a sign of the times that everyone from the police to divorce attorneys is mining Facebook for evidence, there are simple steps every user can take to protect their information. Total Divorce, the group that illustrated the link between Facebook and divorce proceedings, recommends keeping your distance from Facebook if you’re going through a divorce. Don’t post all over Facebook about how bad your ex is, and try to keep your circle of friends separate as well. That angry message you dash off at 3 a.m. might just end up biting you in court.
More than 50 million LivingSocial users may have been affected by this attack. They should change their LivingSocial password immediately, and also change it on any other site where the same password was reused.
QUOTE: LivingSocial, the second-largest daily deal company behind Groupon Inc, said on Friday that it was hit by a cyber attack that may have affected more than 50 million customers. The company said the attack on its computer systems resulted in unauthorized access to customer data including names, email addresses, date of birth for some users, and "encrypted" passwords.
LivingSocial stressed that customer credit card and merchants' financial and banking information were not affected or accessed. The company also does not store passwords in plain text. "We are actively working with law enforcement to investigate this issue," the company, part-owned by Amazon.com Inc, wrote in an email to employees.
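The notice says the stolen passwords were "encrypted" and not stored in plain text, which says little about how hard they are to recover. As an added example (not LivingSocial's code or process), this is what password storage that survives a database breach looks like: a per-user random salt plus a deliberately slow one-way hash, verified in constant time, with a check that lets old records be upgraded on the next login. PBKDF2-HMAC-SHA256 is used because it ships in `hashlib`; the iteration count and the `algo$iterations$salt$hash` record format are assumptions for the example.

```python
"""Salted, iterated password hashing with the Python standard library.

Added example, not LivingSocial's code: a breached table of these records
cannot be reversed, and no single precomputed table attacks every user,
because each record carries its own random salt and costs ITERATIONS
HMAC evaluations per guess.
"""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumption: tune so one check costs ~100 ms on your hardware
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algo$iterations$salt$derived_key.

    A fresh random salt is drawn on every call, so two users with the same
    password (or one user re-hashed) never share a record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password, record):
    """Recompute the key from the record's own salt and parameters and compare
    in constant time, so response timing does not leak how many leading bytes
    of the guess were right. Malformed records simply fail."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record):
    """True when a stored record is weaker than current policy. Check this right
    after a successful login and re-hash then, the only moment the site
    legitimately holds the plaintext password."""
    try:
        algo, iters, _salt, _dk = record.split("$")
        return algo != ALGO or int(iters) < ITERATIONS
    except ValueError:
        return True


def unsalted_sha1(password):
    """What NOT to do, for contrast: identical passwords give identical hashes,
    so one cracked hash or one table lookup unlocks every account using it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok :", verify_password("correct horse battery staple", rec))
    print("wrong pw :", verify_password("Correct horse battery staple", rec))
    print("salted   : same pw, different records:",
          hash_password("hunter2") != hash_password("hunter2"))
    print("unsalted : same pw, same hash:",
          unsalted_sha1("hunter2") == unsalted_sha1("hunter2"))
```

The record format stores the algorithm and work factor alongside the hash, so the site can raise `ITERATIONS` later and migrate users one login at a time without a flag day. A breach notice that can say "salted, iterated hashes" rather than "encrypted" tells users something concrete about how long they have to change passwords elsewhere.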
PC Magazine warns of a new lockscreen bypass in the Viber messaging app for Android. An attacker who knows the victim's phone number and has the locked phone in hand can gain full access to it, exposing private data and creating opportunities for misuse of the account.
QUOTE: The Viber messaging app has been gathering momentum on Google Play, but a new exploit might give users pause. Just a few days ago, the security company Bkav announced that it has found a way to gain full access to Android phones using the popular Viber messaging app. Unlike the Samsung lockscreen issue we reported on earlier, this attack doesn't take any fancy finger work. Instead, all it needs is two phones, both running Viber, and a phone number.
Here's how it works. The victim phone is locked, but it has Viber installed and set up. The attacker phone sends a message to the victim, which brings up an alert window on the lockscreen. One of the unique features of Viber is that you can respond even while the phone is locked, and activating the Viber keyboard is the next step in the attack. Once the keyboard is active on the victim phone, the attacker sends another message. This time, press the back button on the victim phone, and suddenly you have full access to the victim phone.
According to Bkav, the issue stems from the way Viber interacts with the Android lockscreen. Bkav's security division director Nguyen Minh Duc explained on the company's website, "the way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear."
Oracle's special focus on security is a beneficial approach: security improvements in Java are taking higher priority than new functions and features, to the point of delaying the Java 8 release. This is a wise strategic approach, and I am hopeful that security will be strengthened as a result.
QUOTE: Security vulnerabilities related to Java running inside web browsers have lately received a lot of public attention. Here at Oracle we’ve mounted an intense effort to address those issues in a series of critical-patch update releases, the most recent of which we posted earlier this week. We’ve also upgraded our development processes to increase the level of scrutiny applied to new code, so that new code doesn’t introduce new vulnerabilities.
Looking ahead, Oracle is committed to continue fixing security issues at an accelerated pace, to enhance the Java security model, and to introduce new security features. This work will require more engineer hours than we can free up by dropping features from Java 8 or otherwise reducing the scope of the release at this stage. As a consequence of this renewed focus on security the Java 8 schedule, with a GA release in early September, is no longer achievable.
The executive summary and full report for Verizon's 2013 Data Breach Investigations Report (DBIR) are available as follows:
QUOTE: This year's DBIR combines the expertise of 19 organizations from around the globe. Discover stats that might surprise you—from the percentage of espionage-related attacks to the astonishing length of time it often takes to spot a security breach.
* 47,000+ Security Incidents Analyzed.
* 621 Confirmed Data Breaches Studied.
* 19 International Contributors.
* 6th Consecutive Year.
This false news alert, posted from the hacked @AP Twitter account, briefly moved the stock market today.
QUOTE: A tweet posted on the Associated Press account Tuesday reporting two explosions at the White House was bogus and is the result of a hack, the news organization said. "Breaking: Two Explosions in the White House and Barack Obama is injured," said a tweet posted around 1 p.m. ET to the AP's Twitter feed.
The @AP account has since been suspended on the site. "This was a bogus tweet ... the account has been hacked," Paul Colford, director of media relations at the AP, confirmed. "We will advise more as soon as possible," he said in an email. The AP Twitter feed "was hacked," CBS News also said in a tweet. "Disregard any AP tweets about disturbance at WH or injuries," it read.
The Dow Jones industrial average dropped more than 150 points upon launch of the bogus tweet, but the market immediately recovered when word spread it was the result of a hack. The roughly 150-point drop occurred at about 1 pm EDT, and the loss was fully regained about a minute later.
Some interesting statistics from volume 14 of Microsoft's Security Intelligence Report (SIR):
QUOTE: Yesterday, Microsoft released volume 14 of its Security Intelligence Report (SIR v14) which includes new threat intelligence from over a billion systems worldwide. I am reaching out as I thought your readers might have interest in hearing your perspectives on how the threat landscape is evolving based on data and analysis from the report.
* New research showed that, on average, computers without AV protection were 5.5 times more likely to be infected
* Figures reveal a surprising conclusion: one in 500 PCs that do have up-to-date protection will get hit by malware regardless (e.g., zero-day)
* The study also found that 25%, or an estimated 270 million computers worldwide were not protected by up-to-date antivirus software
* In the second half of 2012, 70% of threats affecting enterprises were associated with malicious or compromised websites.
* Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q 2012.
* One specific iFrame redirection family called IframeRef, increased fivefold in the fourth quarter of 2012 to become the number one malicious technique encountered by enterprises worldwide. IframeRef was detected nearly 3.3 million times in the fourth quarter of 2012.
* Surprisingly, the Windows version with the highest number of unprotected PCs was not Windows XP—it was the RTM edition of Windows 7.
* Windows 8 has Windows Defender antivirus protection built in and turned on by default. Even so, apparently 8% of users turned it off. That's still by far the lowest rate of unprotected PCs for any Windows version.
* Windows 8? Well, as noted it has the lowest number of unprotected computers, and also the lowest infection rate over all. Only 0.8 of 1,000 computers running 32-bit Windows 8 were infected, and 0.2 percent of those running 64-bit Windows 8. The lesson is clear. Don't just keep your existing Windows version updated; upgrade to the latest version, or the latest version your PC can handle.
SIR VOLUME 14 - FULL REPORT
As after past major events, please watch out for fraud, scams, and malware attacks exploiting the Boston Marathon tragedy. It is recommended to donate only through mainstream official sites (e.g., American Red Cross). I continue to prayerfully remember all who were impacted yesterday.
QUOTE: Twitter can be an amazing tool in the wake of a tragedy. However, it can also be used by amazing tools, like the guy who created a fake Boston Marathon twitter promising to donate $1 for Boston Marathon victims for every retweet. Astute Twitterers noticed that the account was brand new, wasn't verified and had a suspicious dearth of followers. They quickly started calling it out for callously exploiting a tragedy, and the account (with its creator still unknown) has since been suspended. Thank you, Twitter, for consistently providing a platform for the best and worst of humanity, and good on you,