January 2014 - Posts
As ZIP files are difficult for anti-spam security tools and even some AV defense systems to process, spam attacks continue to use this approach, and users should be careful if files of this type are received unexpectedly.
QUOTE: After a long hiatus, spammers are once again using an old trick, where they attach a .zip file to trick the user into executing the compressed malware. The chart below shows the number of spam messages with .zip attachments over the last 90 days in Symantec’s Global Intelligence Network (GIN). While these examples have different file names and MD5s, they all carry the same malware, identified by Symantec as Trojan.Zbot. This Trojan has primarily been designed to steal confidential information from the compromised computer. It appears that the large attack has subsided for now, as the spam volume returned to normal levels after January 10, but it is just a matter of time before spammers organize another large campaign. Users should keep their antivirus software up-to-date and should not open attachments from unknown sources.
Credit card holders should carefully check their statements and, if directly notified of a breach, change their account information. The FBI notes these sophisticated attacks most likely impacted more than 3 major retailers.
QUOTE: Target hack likely to just be the beginning. The FBI has warned US retailers to prepare for more cyber attacks after discovering about 20 hacking cases in the past year that involved the same kind of malicious software used against Target in the holiday shopping season. The US Federal Bureau of Investigation distributed a confidential, three-page report to retail companies last week describing the risks posed by "memory-parsing" malware that infects point-of-sale (POS) systems, which include cash registers and credit-card swiping machines found in store checkout aisles.
Details can be found in this informative research report issued by Microsoft security:
QUOTE: In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption, heap corruption, and unsafe list management and reference count mismanagement. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on. As a result, these mitigations generally attempt to detect side-effects of such mistakes before an attacker can get further along in the exploitation process, e.g. before they gain control of the instruction pointer.
Another approach to mitigating exploitation is to focus on breaking techniques that can apply to many different classes of memory safety vulnerabilities. These mitigations can have a broader impact because they apply to techniques that are used further along in the process of exploiting many vulnerabilities. For example, once an attacker has gained control of the instruction pointer through an arbitrary vulnerability, they will inherently need to know the address of useful executable code to set it to. This is where well-known mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) come into play – both of which have been supported on Windows for many releases now. When combined, these mitigations have proven that they can make it very difficult to exploit many classes of memory safety vulnerabilities even when an attacker has gained control of the instruction pointer.
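As an added example (not from the Microsoft post quoted above), the check below reads the DllCharacteristics field of a Windows PE image to see whether a binary opts into the two mitigations the text describes, DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE, plus HIGH_ENTROPY_VA on 64-bit). The two sample images are constructed header-only stubs, not real executables.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLLCHAR_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses
DLLCHAR_DYNAMIC_BASE = 0x0040     # image can be relocated (ASLR opt-in)
DLLCHAR_NX_COMPAT = 0x0100        # image is DEP/NX compatible
DLLCHAR_NO_SEH = 0x0400           # image uses no structured exception handlers


def pe_mitigations(image: bytes) -> dict:
    """Parse PE headers and report DEP/ASLR opt-in flags.

    Raises ValueError for anything that is not a PE image. Works for both
    PE32 (magic 0x10b) and PE32+ (magic 0x20b); DllCharacteristics sits at
    offset 70 of the optional header in both layouts.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    if size_of_optional < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DLLCHAR_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & DLLCHAR_HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & DLLCHAR_NX_COMPAT),
        "no_seh": bool(dll_chars & DLLCHAR_NO_SEH),
    }


def build_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: headers only, enough for the parser, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: one image that opts into both mitigations and one that
# opts into neither, which is the case attackers can still exploit easily.
HARDENED = build_minimal_pe(
    DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_HIGH_ENTROPY_VA,
    pe32plus=True,
)
LEGACY = build_minimal_pe(0)

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, pe_mitigations(img))
```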
Yahoo quickly took action on all known security breaches from third-party sites by resetting passwords. When any security breach takes place, it is beneficial for all users to reset their passwords.
QUOTE: Users of Yahoo mail should be aware of a security issue with the email service. Yahoo acknowledged that it has identified a “coordinated effort” by some person or group to gain “unauthorized access” to accounts. The company didn’t state how many accounts were affected, but it turns out that those impacted have been prompted to reset their passwords.
Yahoo was clear to state that it has no evidence that the attempted hacking attack came as a result of its systems being compromised. It turns out that malicious computer software was the culprit that helped someone obtain names and email addresses from affected accounts’ most recent sent emails. The company said that it was likely from a third-party database that featured the list of usernames and passwords. So what’s being done? Yahoo is resetting passwords and implementing second sign-in verification. The company is also working with federal law enforcement agencies to find out who is responsible. Additional measures are also being implemented to help secure Yahoo’s systems.
Investigators are piecing together more of the puzzle, as security forensic analysis continues:
QUOTE: US retailer Target said on Wednesday that the theft of a vendor's credentials helped cyber criminals pull off a massive theft of customer data during the holiday shopping season in late 2013. It was the first indication of how networks at the third largest US retailer were breached, resulting in the theft of about 40 million credit and debit card records and 70 million other records with customer information such as addresses and telephone numbers. "The ongoing forensic investigation has indicated that the intruder stole a vendor's credentials, which were used to access our system,"
Corporations should perform network vulnerability assessments and internal penetration tests on a quarterly basis to find security exposures. Annually, a highly experienced security firm can perform more in-depth testing as needed. Corporations must actively search for weaknesses in their security defenses, as the bad guys are actively engaged in the same process. It's always better for the security team to discover and mitigate these risks before any damage occurs.
QUOTE: Proactive network security should be the norm rather than the exception, and to understand why, think about the risks: What would happen if your network or PCs went down for hours? Days? The answer could range from inaccessible files to a near-complete business standstill. A network security audit follows nearly the same methodology as an attack. First, the attacker scans the network to determine IP addressing of networks and hosts. An attacker would start from the outside and work his way in by uncovering IP addresses from DNS queries. You've got a head start because you already know your IP addressing scheme; it's just a matter of conducting a quick scan (also called a sweep) to determine which IP addresses are in use.
There are many ways to go through the audit. I like to use a combination of free and commercial tools. The best known free network scanning tools are Nmap and Nessus. Of those two, Nmap is easier to install and use, but Nessus has better reporting. Also check out McAfee's SuperScan network scanning tool. Commercial tools I like include GFI LANguard and the eEye 1505 Security Management Appliance. If you're willing to spend the money, in return you'll get more information about each vulnerability and its remediation – not to mention more polished interfaces, more capabilities, and better reporting.
Security is one of the most commonly mentioned barriers preventing companies from taking advantage of cloud computing. Yet some experts say the cloud could and should be more secure than in-house IT. So how should organizations considering cloud services ensure they maintain security, and what are the key issues to protect data?
1. Taking a risk-based approach to cloud security
2. Identifying what to put in the cloud
3. Identifying data risks in the cloud
4. Take into account your other IT systems
5. Choosing a secure cloud provider
COBIT standards are among the recommended IT best practices that can help meet these stringent audit requirements. The 3rd of 4 articles in the JAN 2014 newsletter is very timely. All 4 articles are excellent guidelines for security and audit professionals in a corporate setting.
Supporting PCI DSS 3.0 Compliance With COBIT 5
By Stefan Beissel, Ph.D., CISA, CISSP
The Payment Card Industry Data Security Standard (PCI DSS) aims to improve the security of cardholder data and is required when cardholder data or authentication data are stored, processed or transmitted. The implementation of enabling processes from COBIT 5 can support compliance with PCI DSS. COBIT 5 assists enterprises in governance and management of enterprise IT (GEIT) in general and, at the same time, supports the need to meet security requirements with enabling processes and management activities. The mapping of COBIT 5 enabling processes to PCI DSS 3.0 security requirements facilitates the simultaneous application of COBIT 5 and PCI DSS 3.0 and helps create synergies within the enterprise.
PCI DSS 3.0 -- PCI DSS was released by the PCI Security Standards Council (PCI SSC), a panel of five global payment brands—American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS also includes requirements for data security and related audit methods. In particular, the primary account number (PAN) is the defining factor in the applicability of PCI DSS requirements.
Link for full JAN 2014 newsletter
Kaspersky Labs warns of WC 2014 email, phishing, and social media attacks
QUOTE: The storm of phishing and malware attacks using the theme of the World Cup continues – some months ago we registered several malicious campaigns with this theme. To diversify the attacks and attract more victims, Brazilian cybercriminals decided to invest their efforts to spread fake giveaways and fraudulent websites selling tickets for the games at very low prices, tickets that in fact do not exist.
As PC Magazine reflects, 2013 was a record-setting year for security breaches:
QUOTE: Target, Neiman Marcus, and Adobe. This past year was pretty rough for them. Was there anything they could have done to avoid the mess of security breaches? Well, yes actually. According to the Online Trust Alliance (OTA)'s latest report, these companies should've had better security controls and practices in place.
What Was Discovered - OTA's findings included a number of noteworthy statistics. The non-profit estimated that over 740 million records were exposed in 2013 alone, making it the worst year for data breaches to date. Out of all these attacks, a whopping 89 percent could have been prevented if companies had simply employed basic, effective security measures.
Companies, Pay Attention! - Other useful tips include the use of email authentication to check on inbound email and avoid malicious, phishing emails. Companies should encrypt all sensitive information in order to better protect it. Keeping detailed logs is crucial to determine the severity of a security breach on a company. It's important for companies and organizations to back up and protect their logs from attack. Each company should additionally have an incident response team and develop a Data Incident Plan.
A major security breach of Yahoo email accounts has been reported, and I personally changed all my passwords immediately to new STRONG & SECURE passwords. All users should do this immediately, as hackers can use a hijacked account to reset passwords used for banking, credit cards, or other sensitive accounts. For example, they can go to your bank and request a password reset, which will be emailed back to the hijacked account and allow them to make fraudulent transactions. It's a best practice to routinely change email passwords at the beginning of every quarter and make sure they are different from those of any other account.
QUOTE: Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.
What we’re doing to protect our users
1. We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.
2. We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
3. We have implemented additional measures to block attacks against Yahoo’s systems.
HOW TO CHANGE YAHOO ACCOUNT & EMAIL PASSWORD
QUOTE: (from confirmation email on password changes) Your password for this account has recently been changed. You don’t need to do anything. This message is simply a notification to protect the security of your account. Please note: your new password may take a while to activate. If it doesn’t work on your first try, please try it again later.
You can always change your password by doing the following:
1. Sign in to any Yahoo! service
2. Click on any "My Account" link
3. Choose "Change Password"
Excellent and comprehensive security checklist for the protection of corporate email resources
QUOTE: Your email server is the collaboration hub for your business, so the availability, integrity, and confidentiality of the information that flows through it is of paramount concern. We’ve got a very basic security checklist here, although you can get more information on groupware security from CERT (Computer Emergency Response Team) and SANS (the SysAdmin, Audit, Network, Security) Institute.
* Use antivirus software
* Use anti-spam software
* Deploy your groupware server in the DMZ
* Limit the size of attachments
* Limit the size of user mailboxes
* Disable all unnecessary services
* Minimize the number of administrators
* Disable relaying
* Monitor your system
* Read security bulletins
* Perform regular backups
* Contact the ISP responsible for repeated attacks
* Educate users
AVG has developed a PrivacyFix application which supports tuning of Facebook, Google & LinkedIn privacy settings with a user-friendly approach
QUOTE: Playing its part in that has been security firm AVG, who have this week unveiled its PrivacyFix Family application which promises to keep families connected and safe while keeping their data secure on Facebook. The most interesting aspect of the launch is AVG’s use of Facebook social graph which broke cover a year ago. The feature harvests the social network’s vast data reserves to provide users and third parties with in-depth intelligence, and AVG claims it is the first company to use the feature for a privacy application.
AVG's system enables users to share Facebook privacy setting with each other even if they are not friends. Pegged for a full launch in the Facebook App Center later this year, PrivacyFix Family intends to keep the family unit connected and protected from snoopers and troublesome users. AVG claims the app will also encourage Facebookers not to ‘overshare’ and become targets for online miscreants using social profiling.
FakeOff is a new Facebook application which compares photos and posts to highlight suspected fake accounts
QUOTE: An Israeli tech company has developed an app, FakeOff, which can help users detect fake Facebook profiles. The app builds a list of “suspects” for investigation, uses an algorithm to analyze their information, gets results of their fakery on a 1-10 score, and even scans a suspect’s profile to see if they’re using someone else’s photos.
“Recent statistics show that at least 10 per cent of about 1.35 billion Facebook users are not authentic. Besides, there are millions of users who create fake identities and appear as regular users,” said the app’s creator, Eliran Shachar. “Twenty-four per cent of investigations conducted in the app return as fake. A fake profile can be very complex and some of the fakes that we help the users find is only for their eyes so we can’t know the final result from the photo scan results, but the user easily can.”
With examples of stolen identities and imposter profiles seemingly popping up every day, technology like this could provide a valuable self-policing mechanism for Facebook users to identify fraudsters in their own midst. The app has been live for about two months and has about 15,000 users, so clearly people see a value in this kind of security and protection.
AVAST and Facebook security teams warn of a new Facebook threat actively circulating
QUOTE: By now, we are all familiar with Facebook scams that claim to give your Newsfeed a designer look. Remember Facebook Red or Facebook Black? Those pretty themes ended up spreading spam and malicious links via online surveys and fake videos. Today, the AVAST Virus Lab experts discovered a unique variety – the Facebook Music Theme Scam. The Facebook Music Theme Scam is supposed to change the theme and add a song to your Facebook page. That script continued adding auto-likes, resulting in some of the pages harvesting over 1 million likes. As we told you in a previous blog post about Facebook scams, the goal of like-harvesters is to increase the value of Facebook pages so they can be sold on the underground markets to other scammers to peddle questionable products and services and distribute additional scams.
AV product reviews for the new Windows 8.1 operating system were highlighted in PC Magazine recently
QUOTE: In November's edition of this report, Kaspersky managed a trifecta: six of six possible points in all three categories. Note that testing lab AV-Comparatives named Kaspersky their product of the year for 2013. Kaspersky remains at the top in the latest report, joined by Bitdefender. Bitdefender's improved performance score pulled its total up to a perfect 18 points. Avira pulled its protection score up from 4.5 points to 6.0, putting it in second place overall with 17.5 points. Products from Qihoo and F-Secure tied for third, with 16.5 points total.
While assisting a friend in Texas, I encountered this new threat, which is actively circulating in email and should be avoided
QUOTE: In January 2014, Internet users began receiving e-mails from various funeral homes with attention-getting subject lines such as "Passing of your friend," messages that informed recipients a "dear friend" had passed away and invited them to attend that person's upcoming funeral or memorial service. The messages provided a hyperlink (on the word "here") for readers to click in order to obtain detailed information about the date and location of the service. However, that link actually pointed to a foreign web site and initiated the download of a ZIP file (e.g., FuneralProcession.zip); users who attempted to open and view that ZIP file ended up executing a malicious file (e.g., FuneralProcession.exe) which installed a Trojan on their PCs.
EXAMPLE OF EMAIL LEADING TO MALICIOUS SITE
The xxxxxxxxxxxxxxx Family
Hereby we want to share your sorrow for your dear friend who passed away on Friday, January 10, 2014.
You are cordially invited to express your sympathy in memory of your friend at a celebration of life service that will be held on Monday, January 13, 2014 at the xxxxxxxx Funeral Home, Arkansas.
Please find more detailed information about the memorial service here.
Funeral Home Secretary,
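The ZIP-attachment spam campaign and the funeral-notice lure described above both deliver an executable hidden inside a .zip. As an added example (not code from the original post or any of the vendors it cites), the inspector below opens an attachment archive in memory and flags members that carry an executable extension, a double extension, or a PE "MZ" header regardless of name. The sample archive is constructed inline using the FuneralProcession.exe name from the text, with a harmless "MZ" stub rather than malware.

```python
import io
import zipfile

# Extensions that should never arrive inside a mail attachment archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# PE/DOS executables start with the two-byte "MZ" signature.
PE_MAGIC = b"MZ"


def inspect_zip_attachment(data: bytes) -> dict:
    """Scan an in-memory ZIP and report members that look like executables.

    Returns {'suspicious': [names], 'reasons': [text]}. A member is flagged
    when it has an executable extension, hides one behind a double extension
    (e.g. 'invoice.pdf.exe'), or begins with 'MZ' whatever its name claims.
    """
    report = {"suspicious": [], "reasons": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                lower = name.lower()
                reasons = []
                if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                    reasons.append("executable extension")
                basename = lower.rsplit("/", 1)[-1]
                if len(basename.split(".")) > 2:
                    reasons.append("double extension")
                # Read only the first two bytes; enough to check the magic.
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == PE_MAGIC:
                    reasons.append("MZ header")
                if reasons:
                    report["suspicious"].append(name)
                    report["reasons"].append(f"{name}: {', '.join(reasons)}")
    except zipfile.BadZipFile:
        report["reasons"].append("not a valid ZIP archive")
    return report


def build_sample_zip(members: dict) -> bytes:
    """Constructed sample helper: build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample mirroring the funeral-notice lure: an archive carrying
# an executable plus a benign text file for contrast. The "MZ" bytes are a
# fake stub, not real malware.
SAMPLE = build_sample_zip({
    "FuneralProcession.exe": b"MZ" + b"\x00" * 62,
    "readme.txt": b"service details",
})

if __name__ == "__main__":
    for line in inspect_zip_attachment(SAMPLE)["reasons"]:
        print(line)
```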
QUOTE: Researchers found that 23.0 percent use a Microsoft product, 15.9 percent rely on avast!, and 8.9 percent run AVG. Microsoft still leads, with over 25 percent of installations. Present on nearly 15 percent of surveyed systems, Malwarebytes is a surprise winner of second place. Note that the basic Malwarebytes Anti-Malware doesn't include real-time protection. Looking at individual products rather than companies, the top five were: Microsoft Security Essentials, avast! Free Antivirus 2014, Windows Defender (a component of Windows 7 and Windows 8), Avira Free AntiVirus (2014), and AVG AntiVirus FREE 2014. Yet again, free products rule.
PC Magazine highlights 5 best practices for Mobile Application developers
QUOTE: Jared Blake, the CTO at Moki, sat down to tell us five simple things developers can do to make their apps better.
1: Use HTTPS For Everything
2: Don't Try to Invent Your Own Encryption
3: Clean Up Your Logs
4: Know Your Platform
5: Be Aware of Personal Info and Your Audience
Blake says that developers need to ask themselves if the information their app gathers is something users are going to worry about if it's exposed. If so, the information needs to be carefully secured—or not gathered at all.
Consumers Need To Be Aware of Safe Practices
* They also need to be educated.
* Even information that seems mundane—like a phone number or email address—can reveal a lot about them.
* They also need to understand how apps gather that information
* "Don't just blindly accept those permissions," he said. "Think through them."
* "Do I really want to give an app access to my lockscreen? My contacts?"
* Thanks to Google's vetting system for the Play store, it's still a very safe place to get your apps.
Investigators are now evaluating the "BlackPOS" malware kit that was likely used as a starting "base" for the recent massive credit card attacks. It is believed that cyber-thieves ramped up this basic kit (sold for $2000) into a large-scale, well-planned, and highly sophisticated attack on Target and other retailers.
QUOTE: The Holiday data breach at TARGET appeared to be part of a broad and highly sophisticated international hacking campaign against multiple retailers, involving the heist of possibly 110 million Credit-Debit cards, and personal information. Target confirmed last weekend that a malicious software was embedded in point-of-sale (POS) equipment at its checkout counters to collect secure data as the credit cards were swiped during transactions.
The malware called 'BlackPOS', also known as "reedum" or 'Kaptoxa', is an effective crimeware kit that was created in March 2013 and available in underground sites for $1800-$2000. Investigators from IntelCrawler found a 17-year-old hacker who actually developed the BlackPOS crimeware kit. BlackPOS is a RAM-scraping malware written entirely in VBScript, i.e., it copies credit-card numbers from point-of-sale machines' RAM in the instant after the cards are swiped and before the numbers are encrypted.