Thursday, 30 April 2015

Botnets linked to breaches

Data breaches that result in the loss of large volumes of information continue to make the headlines. One of the ways companies can guard against attack is by understanding what makes them vulnerable.

Security ratings firm BitSight has performed an analysis of the risk factors that make up its BitSight Security Ratings against publicly disclosed data breaches. What emerges from its study is the important role which botnets play in attacks.

The report notes that "Although a botnet compromise may not always equate to data loss, it invariably means that one or many protective controls have failed and that at least some data or system confidentiality, integrity, or availability is at risk".

For each area of risk BitSight assigns an overall letter grade (A-F), indicating the company's performance relative to others. The grade takes into account factors such as frequency, severity, and duration (for events) as well as record quality, evaluated based on industry-standard criteria.

The study shows that BitSight botnet grades -- which are a component of the top-level security rating -- can serve as a key metric in predicting the likelihood of a breach. Among companies with botnet grades of A, the percentage having breaches was only 1.7 percent; for those with a B or lower grade, the incidence of breaches was more than twice as high at 3.7 percent.

Looked at by industry, financial companies are most likely to have an A botnet grade (74 percent) and those in the education sector the least (23 percent, with 33 percent getting the lowest F rating). Retail, healthcare and utilities all fall somewhere in between with around 50 percent getting A scores.

The report concludes that "The implications for organizations across industries are that botnet infections cannot be ignored. Companies with poor botnet grades have been breached far more often than those with good grades, and actions should be taken to mitigate these risks".

Read original article

Breakthrough 3D fingerprint authentication

The mobile revolution has touched nearly every facet of modern life. Reaching for our smartphones or tablets is now often the first—or only—step we take for everything from depositing a check and ordering groceries to keeping track of our pets and children. With so much sensitive data shared among these devices and various sites, robust mobile security is more important than ever.

As an industry leader, Qualcomm Technologies is committed to providing a comprehensive solution for mobile security. Doing that means staying ahead of the curve as technology quickly advances. That's why we're proud to announce Qualcomm Snapdragon Sense ID 3D fingerprint technology, the latest in cutting-edge biometric fingerprint authentication. Snapdragon Sense ID is the first comprehensive mobile biometric solution based on ultrasonic technology.

It's a step up from traditional fingerprint authentication, which relies on capacitive touch-based sensors. Our ultrasonic-based technology is engineered to capture three-dimensional acoustic detail within the outer layers of skin, enabling superior image quality for more accurate capture and recognition of unique and subtle fingerprint characteristics. The resulting image data is much less likely to be spoofed, which is a common challenge for capacitive-based sensors.

Snapdragon Sense ID has a number of distinct advantages over legacy capacitive touch-based fingerprint solutions:

More Accurate and Consistent

Capacitive touch-based sensors use electrical current to create an image of the user's fingerprint. Because of the limitations of capacitive sensors, only a surface-level impression of the fingerprint is captured. Instead, using high-frequency sound waves, Snapdragon Sense ID can create a highly detailed 3D image of the unique and subtle features of a user's fingerprint by penetrating the outer layers of the skin. In effect, these sound waves fill the intricate nooks and crannies of the skin, resulting in an incredibly detailed map of the ridge endings, bifurcations, and even sweat pores that make each individual fingerprint so unique.

Snapdragon Sense ID ultrasonic technology is designed to scan through common contaminants like sweat, lotion, and condensation. This means a more consistent and accurate scan, even when you're on the go.

Cooler Devices

Snapdragon Sense ID is also designed to scan through most device materials, including device cover glass, aluminum, stainless steel, sapphire, and plastics. This opens up opportunities for device manufacturers to create sleek new phone designs and to place the fingerprint sensor in new areas of the device.

More Secure

Because Snapdragon Sense ID can create a more accurate map of the fingerprint, it enables improved biometric authentication. Snapdragon Sense ID technology is more difficult to spoof—or to trick the scanner into authenticating a copy of the user's fingerprint —than capacitive-based solutions, which only reflect the outer surface of the fingerprint.

Security and user privacy are also enhanced by Snapdragon Sense ID's integration with the FIDO (Fast IDentity Online) Universal Authentication Framework (UAF) biometrics standard. FIDO helps to facilitate secure online communication among connected devices, including mobile devices with Snapdragon Sense ID and any number of online services that also utilize the FIDO standard.

Another way that Snapdragon Sense ID and FIDO are designed to help secure your personal data is by enabling secure authentication on the device, rather than up in the cloud. Qualcomm Security Solutions are all made to protect personal data on device and to do as much security-related processing on the device as possible, so your personal data never has to leave the well-protected Qualcomm SecureMSM foundation. Snapdragon Sense ID is designed to authenticate you there on your device and send the trusted authentication signal using the FIDO protocol to the other FIDO enabled services.

More Convenient

Most likely all of us have experienced forgetting our password and not being able to access an account when we really needed to. Having to remember multiple usernames and passwords is a hassle. Snapdragon Sense ID is designed to help address that problem by providing a much more convenient password-less user experience. Users don't need to remember every password, instead they just tap their finger to the phone.

More Comprehensive

Incorporating the Qualcomm Biometric Integrated Circuit (QBIC), custom sensor technology, algorithms managed by Qualcomm SecureMSM technology, Nok Nok Lab's S3 Authentication Suite, and the FIDO UAF standard, Snapdragon Sense ID truly is the mobile industry's first comprehensive ultrasonic fingerprint solution.

Availability

Snapdragon Sense ID 3D fingerprint technology is designed to be compatible with Snapdragon 400 series, 600 series and 800 series processors and is first being introduced in the Snapdragon 810 and 425 processors. You can expect to see Snapdragon Sense ID in commercial devices in the second half of 2015.

Read about the full suite of Qualcomm Security Solutions, and if you're at Mobile World Congress, swing by our booth (Hall 3, booth #3E10) to see Snapdragon Sense ID 3D fingerprint technology in action. We'll be showing an image quality demo, a demo of how ultrasonic technology powers through device cover glass, and a demonstration of the FIDO UAF protocol implementation for a prototype healthcare access scenario.

Read original article

The end of Server 2003

As the day Microsoft kills Server 2003 draws closer, it seems that panic is slowly creeping under the skin of many IT professionals.

Ade Foxall, CEO of Camwood and co-author of the newly launched industry report, "Server 2003 is dead. What are you going to do?", says the death of Server 2003 will represent the "biggest security threat of 2015".

The 12-year-old operating system still runs on more than 11 million servers around the world, and in less than six months, Microsoft will stop providing security updates.

Camwood research states that the lack of industry awareness leaves the majority of businesses dangerously unprepared and at risk.

Camwood blames the lack of awareness on the media: its research suggests that discussion of Server 2003 has been extremely limited within the IT community, and an analysis of 5,000 IT publications found that Server 2003 received only five per cent of the coverage given to Windows XP, which Microsoft had likewise left for dead.

Commenting on this finding, Ade Foxall said, "After the recent migration away from Windows XP, IT departments should be more aware than ever of the dangers of using an out-of-date platform. And yet, the lack of awareness surrounding Server 2003 is about to pose an unprecedented security threat to businesses all over the world."

For anyone that still wants to use Windows Server 2003 after the cut-off date next July, the cost of custom support could run into the hundreds of thousands per year, and with the average migration taking around 200 days there has never been a better time to start moving over.

Read original article

Hackers plunder 5 million

It's one thing to have your personal bank account hacked; you may lose a few dollars or, worse, a small fortune. However, you would expect corporate accounts to have additional security preventing such a devastating event. That's clearly not the case. While we've seen point-of-sale systems hacked and customer data stolen, this time it was a company bank account that was robbed.

Irish airline Ryanair had its corporate account plundered by hackers to the tune of $5 million, or €4.6 million. The money apparently disappeared from accounts used to fund the fueling of the company's planes, not a cheap task and perfect for not immediately ringing alarm bells.

This isn't an entirely new scenario, as security researchers at IBM have discovered malware designed with this intent. "IBM Security has identified an active campaign using a variant of Dyre malware that has successfully stolen more than $1 million from targeted enterprise organizations", states John Kuhn of IBM.

The Ryanair breach was discovered late last week and reported in The Irish Times, which received a brief statement from the company: "Ryanair confirms that it has investigated a fraudulent electronic transfer via a Chinese bank last week". No further word is expected because of pending legal action.

According to security blog Hot For Security, this money was transferred out through a Chinese bank, and Irish authorities are now looking into the matter. It illustrates that nobody is entirely safe online, not even the big corporate players.

Read original article

Costa Coffee Hacked

Costa Coffee, which runs a chain of coffee shops, has removed online access to Coffee Club Card accounts after unusual activity was detected on some members' accounts.

Costa Coffee informed its Coffee Club Card members by email that its loyalty scheme, under which members earn 5p of credit for every pound spent in store and get unlimited free Wi-Fi, had been hacked.

It said that unusual activity was noticed on about 1 in every 5000 accounts (0.02%).

According to the email, Costa Coffee has conducted a full security review and temporarily disabled online Club Card accounts. As a result, members currently cannot change their passwords.

The E-mail said that the company has already contacted those customers whose accounts have been affected. Along with that, the officials are resetting account passwords of every Coffee Club member as an additional precaution.

Passwords will be reset over the next few days, and Costa will confirm by email once this is complete.

Costa Coffee also plans to introduce a new password format to further strengthen security and protect members' Coffee Club points.

The email said, "We apologise for any inconvenience this causes but it's very important to us that your points and registration details remain safe. We thank you for your patience."

Registering a Coffee Club account asks for a name, email address, date of birth, phone number, postal address and password.

Costa requires passwords of between 8 and 15 characters including at least one uppercase letter, one lowercase letter and one digit, and advises against common words. The 15-character cap is the weak part of that policy: it rules out longer passphrases, which a properly hashed password store has no reason to forbid.

Read original article

No patch for D-Link

Home and small-office routers from manufacturers including Trendnet and D-Link are vulnerable to attacks that allow attackers anywhere in the world to execute malicious code on the devices, according to an advisory issued over the weekend.

The remote command-injection bug affects routers that were developed using the RealTek software development kit. That includes routers from Trendnet and D-Link, according to the developer who discovered the vulnerability. There's no comprehensive list of manufacturers or models that are affected, though more technical users may be able to spot them by using the Metasploit framework to query their router. If the response contains "RealTek/v1.3" or similar, it's likely vulnerable.

The remote code-execution vulnerability resides in the "miniigd SOAP service" as implemented by the RealTek SDK. Security researcher Ricky "HeadlessZeke" Lawshae reported it to HP's Zero Day Initiative (ZDI) in August 2013. ZDI, which uses such vulnerability information to block attacks in its line of intrusion prevention services, then reported it to officials inside RealTek. After 20 months of inaction, the HP division disclosed it publicly even though no fix has been released.

"Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines," ZDI officials wrote in an advisory published Friday. "Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it."

ZDI officials went on to recommend the use of a firewall to block outside connections. Other researchers said that turning off a router's universal plug and play (UPnP) may also prevent exploits.
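The banner check described above can be scripted without Metasploit. The following is an added example, not code from the advisory, from ZDI or from Metasploit: it sends one SSDP M-SEARCH to the UPnP multicast group, parses each reply and flags any whose SERVER header names Realtek. The sample reply embedded for offline use is constructed (its LOCATION URL and port are made up), and the match is on the vendor name rather than the exact "RealTek/v1.3" string so that minor version variants are also caught.

```python
"""Spot Realtek-SDK UPnP stacks on the LAN via SSDP: the SERVER-header check
the article describes for Metasploit, as a stand-alone script.  Added example."""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n\r\n"
)

def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an HTTP-like SSDP reply into a dict of lower-cased header names;
    the status line is kept under the '_status' key."""
    text = raw.decode("latin-1")
    status, _, rest = text.partition("\r\n")
    headers = {"_status": status.strip()}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def looks_like_realtek_sdk(headers: dict) -> bool:
    """The advisory's tell: a SERVER banner naming Realtek (e.g. 'RealTek/v1.3')."""
    return "realtek" in headers.get("server", "").lower()

def discover(timeout: float = 2.0):
    """Send one M-SEARCH and collect (source ip, headers) for every reply.
    Needs a real LAN; never exercised offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(MSEARCH.encode("ascii"), SSDP_GROUP)
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(4096)
            found.append((addr[0], parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed sample reply modelled on the banner the advisory describes;
# the LOCATION address and port are invented for the example.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: OS 1.0 UPnP/1.0 Realtek/V1.3\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n"
)

if __name__ == "__main__":
    for ip, hdrs in discover():
        verdict = "LIKELY REALTEK SDK" if looks_like_realtek_sdk(hdrs) else "ok"
        print(f"{ip:15} {hdrs.get('server', '?'):45} {verdict}")
```

Run it from a host on the same LAN segment as the router; a positive hit is the cue to apply ZDI's mitigation (block the UPnP service from the WAN side with a firewall rule, or disable UPnP), since no vendor fix exists.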

Read original article

Wednesday, 29 April 2015

NetNanny Certification problems

NetNanny, the popular content-control software, has been found to ship a root certificate authority whose private key is shared across all installations, leaving users open to HTTPS spoofing and interception.

"The certificate used by NetNanny is shared among all installations of NetNanny," said Garret Wassermann, a vulnerability analyst at CERT. He added that "the private key used to generate the certificate is also shared and may be obtained in plain text directly from the software."

An attacker who extracts that key can sign new certificates for any site. A certificate signed by the NetNanny root is trusted by every affected system, so a user could be led to a malicious site posing as a legitimate HTTPS site, and an attacker could intercept HTTPS traffic and carry out man-in-the-middle attacks without the browser raising a certificate warning.

The software, launched in 1995, is widely used by parents to filter internet content for their children. CERT's warning covers version 7.2.4.2, but other builds may be affected as well. Questions about a fix remain unanswered by ContentWatch, the developer.

Users are strongly advised to remove NetNanny or, at minimum, to disable its SSL filtering and manually remove the NetNanny root certificate from the system and browser trust stores.

Read original article

WordPress Patches XSS Flaw

WordPress has released a security update for a zero-day flaw discovered in versions 4.2 and earlier of its popular blogging platform which could allow hackers to remotely control the server.

The stored cross site scripting (XSS) vulnerability allows an unauthenticated attacker to inject JavaScript into WordPress comments, triggering the script when the comment is viewed, according to Finnish researcher, Jouko Pynnönen.

He explained in a blog post on Sunday:

"If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system."

The vulnerability is apparently similar to one discovered by Cedric Van Bockhaven last year and only just patched by WordPress last week after 14 months.

That flaw worked by using invalid characters to truncate the comment, resulting in malformed HTML which an attacker can manipulate.

This newly discovered one uses `an excessively long comment` to achieve the same effect.

"In these two cases, the injected JavaScript apparently can't be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first," explained Pynnönen.

WordPress has released a patch for the flaw; admins who cannot update immediately are urged to disable comments until they can.
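Both truncation paths above are instances of one ordering bug: the sanitizer approved one string and the database silently stored a shorter one. The following is an added example of that bug and its fix, not WordPress code. The allow-list sanitizer is a toy stand-in for wp_kses, and the two store_* functions are assumed models of a TEXT column that keeps only the first N bytes and of a column that stops at the first 4-byte UTF-8 character (one way an "invalid character" causes truncation); the payloads are constructed in the shape the article describes, a quoted title whose closing quote lies past the cut.

```python
"""Sanitize-then-truncate: a storage limit applied after the sanitizer has run
leaves the database holding HTML the sanitizer never approved.  Added example."""
import re

# Toy allow-list sanitizer: keeps <a title='...'> / </a> with a quoted title,
# drops every other tag and escapes any stray '<'.  Not a wp_kses reproduction.
_SAFE_A = re.compile(r"""<a\s+title=(['"])([^'"<>]*)\1\s*>""", re.I)
_TOKEN = re.compile(r"<[^<>]*>|<")

def sanitize(html: str) -> str:
    def fix(m):
        tok = m.group(0)
        if tok.lower() == "</a>" or _SAFE_A.fullmatch(tok):
            return tok
        return "&lt;" if tok == "<" else ""   # unclosed '<' escaped, other tags dropped
    return _TOKEN.sub(fix, html)

def is_sanitizer_clean(html: str) -> bool:
    """Invariant the render path relies on: stored text == sanitize(stored text)."""
    return sanitize(html) == html

# Two ways a storage layer can shorten a string AFTER sanitize() approved it.
def store_text_column(s: str, limit: int = 65535) -> str:
    """Non-strict TEXT column: silently keeps the first `limit` bytes."""
    return s.encode("utf-8")[:limit].decode("utf-8", errors="ignore")

def store_utf8mb3_column(s: str, limit: int = 65535) -> str:
    """Column that cannot hold 4-byte UTF-8: silently stops at the first such
    character (assumed model of the 'invalid character' variant)."""
    for i, ch in enumerate(s):
        if len(ch.encode("utf-8")) == 4:
            s = s[:i]
            break
    return store_text_column(s, limit)

def vulnerable_save(comment: str, store, limit: int = 65535) -> str:
    """Sanitize, then let the database decide what is actually kept."""
    return store(sanitize(comment), limit)

def hardened_save(comment: str, store, limit: int = 65535) -> str:
    """Enforce the size limit before sanitizing (reject, never truncate) and
    refuse to proceed if the storage layer altered the sanitized text."""
    if len(comment.encode("utf-8")) > limit:
        raise ValueError("comment rejected: longer than the storage limit")
    clean = sanitize(comment)
    stored = store(clean, limit)
    if stored != clean or not is_sanitizer_clean(stored):
        raise ValueError("storage altered sanitized content; refusing to save")
    return stored

# Constructed payloads: a harmless quoted title whose closing quote sits past
# the point where storage cuts, so the cut leaves an unterminated attribute.
PAD = "A" * 80
LONG_COMMENT = f"<a title='x onmouseover=alert(1) {PAD}'>link</a>"
INVALID_CHAR_COMMENT = "<a title='x onmouseover=alert(1) \U0001F600'>link</a>"
```

The round-trip check in hardened_save is the part worth keeping even when the column type is unknown: it catches any silent transformation by the storage layer, not just the two modelled here.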

However, there were harsh words from the Klikki Oy researcher, who claimed the blogging giant had "refused all communication attempts," even when made via intermediaries such as CERT-FI and HackerOne.

WordPress is, of course, no stranger to security alerts, although most of the vulnerabilities discovered in its platform usually reside with plug-ins.

Just last week, security firm Sucuri warned of multiple WordPress XSS plug-in vulnerabilities due to misuse of the popular add_query_arg() and remove_query_arg() functions.

"The difference between these two latest vulnerabilities and what we've grown used to handling is the fact that these particular vulnerabilities target the core WordPress CMS engine, as opposed to targeting particular plug-ins," said Rapid7 engineering manager, Todd Beardsley.

`Since these vulnerabilities affect default installations of WordPress, they naturally have a much wider reach, both on the public internet and in internal, intranet installations.`

Read original article

SSL Bug Exposes iOS

Security researchers are warning of another major vulnerability in iOS library AFNetworking, exposing users of over 25,000 apps to man-in-the-middle (MITM) attacks.

The flaw was found while checking the fix in version 2.5.2 for an earlier bug, in 2.5.1, which allowed the library to accept self-signed certificates, according to SourceDNA.

The group explained:

"A few weeks ago, we found that version 2.5.2 did fix this issue, but there was another flaw nearby in the same code. Domain name validation could be enabled by the validatesDomainName flag, but it was off by default. It was only enabled when certificate pinning was turned on, something too few developers are using.

This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the internet. Because the domain name wasn't checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50."

The researchers were doubly shocked to see that the flaw in question had been reported and fixed the day after the previous SSL bug was addressed, but no-one noticed it had been left out of the 2.5.2 update.

The developer has now released 2.5.3 to address this issue, which all AFNetworking developers are urged to upgrade to.

Public-key or certificate-based pinning for apps is also advised as an "extra defense" as neither of the SSL bugs affected apps using pinning.

"This also shows that a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores," said SourceDNA. "Developers need to track the code in their apps to be sure patches aren't lost along the way."

Mobile security vendor Appthority claims in a new report that 'stale apps' represent a major risk to enterprise security because users often fail to update their apps to newer versions which address serious vulnerabilities.
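The validatesDomainName flag SourceDNA describes separates two checks that developers often conflate: that the certificate chains to a trusted CA, and that the certificate is for the host the app asked for. The following added example (mine, written in Python rather than Objective-C, and not AFNetworking code) models the three gates a TLS client applies and reproduces the bug by turning the name check off; the certificate dicts and SPKI byte strings are constructed, and chain validation itself is represented by a boolean because the point is which checks run, not how a chain is verified.

```python
"""'The chain validates' is not 'this is the server I asked for': hostname
matching and public-key pinning as checks independent of CA trust.  Added
example mirroring the validatesDomainName behaviour described above."""
import hashlib
import ssl

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: a wildcard may only be the whole leftmost
    label and matches exactly one label, so *.bank.example covers
    api.bank.example but neither bank.example nor a.b.bank.example."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """`cert` uses the dict layout of ssl.SSLSocket.getpeercert(): SAN dNSName
    entries are authoritative; the subject CN is only a legacy fallback."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)

def accept_peer(cert, hostname, chain_is_trusted, validates_domain_name=True,
                peer_spki_der=None, pinned_spki_sha256=None):
    """Three independent gates.  The AFNetworking 2.5.2 defect was the
    validates_domain_name=False default: gate 2 ran only when gate 3 was
    configured, so any CA-issued certificate passed gate 1 and was accepted."""
    if not chain_is_trusted:                                             # 1. CA chain
        return False
    if validates_domain_name and not hostname_matches(cert, hostname):   # 2. name
        return False
    if pinned_spki_sha256 is not None:                                   # 3. optional pin
        if peer_spki_der is None:
            return False
        if hashlib.sha256(peer_spki_der).hexdigest() != pinned_spki_sha256:
            return False
    return True

def hardened_context() -> ssl.SSLContext:
    """Python's equivalent of the fixed default: create_default_context() turns
    hostname checking on; setting ctx.check_hostname = False re-creates the bug."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx

# Constructed certificates in getpeercert() dict form (no real keys involved).
BANK_HOST = "api.bank.example"
BANK_CERT = {"subject": ((("commonName", BANK_HOST),),),
             "subjectAltName": (("DNS", BANK_HOST), ("DNS", "www.bank.example"))}
BANK_SPKI = b"constructed-bank-subject-public-key-info"
BANK_PIN = hashlib.sha256(BANK_SPKI).hexdigest()
# A valid, CA-issued certificate for a name the attacker legitimately owns.
ATTACKER_CERT = {"subject": ((("commonName", "coffee-shop.example"),),),
                 "subjectAltName": (("DNS", "coffee-shop.example"),)}
ATTACKER_SPKI = b"constructed-attacker-subject-public-key-info"
```

With validates_domain_name=False the attacker's perfectly valid certificate for coffee-shop.example is accepted for api.bank.example; with the name check on, or with a pin to the bank's public key, it is rejected, which is why SourceDNA could say pinned apps were never affected.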

Read original article

Energy Firms Exposed

Former NSA boss Keith Alexander has warned that Western energy companies are unprepared for a potentially catastrophic cyber-attack on their systems.

General Alexander, who also served as head of US Cyber Command for four years, claimed on the sidelines of the IHS CERAWeek event last week that the sector needs something akin to an integrated air defense system to keep it safe in cyberspace.

"The greatest risk is a catastrophic attack on the energy infrastructure. We are not prepared for that," he added, according to The Telegraph.

A "doomsday" scenario would be one in which oil refineries, power stations and the electric grid were all taken out in a quick-fire cyber-attack, possibly in combination with an attack on the banking system.

The four-star retired general added that five countries are skilled at the highest level in fighting cyber warfare: the US, UK, Russia, Israel and Iran.

Iran has already been pegged by security firm Cylance as "the new China," in a report which claimed state-backed operatives made off with information which could enable successful attacks on SCADA systems in the future.

There was no mention of China by Alexander, although current NSA boss Michael Rogers went on record last year as claiming Beijing could launch attacks causing `catastrophic failure` in the water and energy sectors.

Lars Thoresen, CSO of NTT Com Security, argued that SCADA systems have historically been protected by virtue of "security by obscurity" and by being cut off from the internet.

That's not the case now and although security gaps are being addressed, developers have not yet reached "methodological proficiency when it comes to building security features into the core functionality of systems," he told Infosecurity by email.

"The attack capability of various groups is substantial, and coupled with the fact that some of them (ISIS) have gained physical access to several SCADA networks in Iraq and other places, there exists a potential for access to remotely linked installations outside their physical control," he added.

"To sum up, the world in which SCADA systems operate has changed, and the SCADA systems have (in our experience) been generally slow to respond."

John Shaw, VP of product management at the Sophos Enduser Security Group, told Infosecurity that the government needs to help critical infrastructure companies invest in more sophisticated tools and training.

"There is a real challenge for the energy sector. To stay secure involves keeping security software and patches constantly up to date, but running critical infrastructure safely means minimizing change. So in reality, energy control systems that are the most critical to protect are often run on computers that are never or very rarely patched or updated," he added.

"Because of this, they carry way more vulnerabilities than the computers we typically use at home."

The solution is investment in "whitelisting and lockdown" as well as memory and content scanning to reduce the avenues of attack, and technologies and human resources to spot signs of compromise, Shaw explained.

Read original article

Tuesday, 28 April 2015

Millions of passwords found

The Metropolitan Police Department said Friday that the IDs and passwords of as many as 5.06 million people who use online shopping and other websites have been found on computer servers it seized in relation to alleged unauthorized access through proxy servers (see below) by a Chinese group.

There are traces that show the personal information of about 60,000 people was used to log into online shopping sites, the MPD said.

As a Chinese fraud group is suspected of having obtained the data unlawfully for shopping and other purposes, the MPD is investigating whether the unauthorized access has caused damage while urging users to take precautions such as by changing passwords.

The volume of personal information stolen online in this case is one of the largest ever seen in the nation. The MPD said that the information relating to the 60,000 individuals was data held by three companies.

The Yomiuri Shimbun has learned that two of the firms are major online shopping mall operator Rakuten, Inc. and LINE Corp., which operates a free call and messaging app.

According to the MPD, the IDs and passwords were stored on the computer servers of Sun Techno, a proxy server operator in Toshima Ward, Tokyo. The police raided the company's office in November.

About 7.85 million IDs and passwords registered as membership details on Japanese sites were stored separately in 150 files.

If it is assumed that there are no users in common between the sites, the information for about 5.06 million individual users can be considered to have been affected. Some of the data includes names, birthdays and credit card numbers. Who stole the information remains unknown.

Computer code that automatically attempts unauthorized access to online shopping sites to check whether the IDs and passwords can be used, which includes content written in Chinese, was found on the proxy servers.

The MPD found signs that the code had been used to check whether the personal credentials were valid. Information held by the three companies for about 60,000 customers was made into a list that was stored in a different file, it said.

Analysis has shown that the list was created during a period from September, two months before the MPD search, to shortly before the search.

The MPD said users of the proxy servers had gained access to the servers from China. It suspects a Chinese fraud group illegally used the proxy servers in Japan to conceal its identity when gaining unauthorized access to Japanese online shopping sites.

No financial damage from the illegal use of the IDs and passwords has been reported to police, but the MPD has asked the companies to check whether purchases and use of points were made using stolen user information.

A LINE official said: "It is greatly regrettable that our customer information was leaked illegally and could be used inappropriately. We'd like to implement safety measures and make efforts to improve our services."

Meanwhile, a Rakuten official said, "As we have yet to obtain accurate information about the investigation, we have no information to provide."
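The checker found on the proxy servers, which replays stolen ID/password pairs against shopping sites to see which still work, leaves a recognisable trace in the target site's own authentication logs: one source address trying many different accounts in a short time, most of them failing. The following is an added example of that detection logic (not the MPD's, Rakuten's or LINE's code) run over constructed log lines in an assumed one-line-per-attempt format; the window and thresholds are illustrative and would be tuned per site.

```python
"""Credential-stuffing detection over authentication logs: per source IP,
many DISTINCT accounts with a high failure rate inside a short window.
Added example over constructed log lines in an assumed format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one proxy exit replaying a list, one user mistyping a
# password three times, one ordinary login.
SAMPLE_LOG = """\
2015-04-24T10:00:01Z 203.0.113.7 login user=alice result=fail
2015-04-24T10:00:02Z 203.0.113.7 login user=bob result=fail
2015-04-24T10:00:02Z 203.0.113.7 login user=carol result=success
2015-04-24T10:00:03Z 203.0.113.7 login user=dave result=fail
2015-04-24T10:00:03Z 203.0.113.7 login user=erin result=fail
2015-04-24T10:00:04Z 203.0.113.7 login user=frank result=fail
2015-04-24T10:00:05Z 203.0.113.7 login user=grace result=fail
2015-04-24T10:00:06Z 203.0.113.7 login user=heidi result=success
2015-04-24T10:00:07Z 203.0.113.7 login user=ivan result=fail
2015-04-24T10:00:08Z 203.0.113.7 login user=judy result=fail
2015-04-24T10:01:00Z 198.51.100.9 login user=mallory result=fail
2015-04-24T10:01:05Z 198.51.100.9 login user=mallory result=fail
2015-04-24T10:01:09Z 198.51.100.9 login user=mallory result=success
2015-04-24T10:05:00Z 192.0.2.44 login user=peggy result=success
"""

def parse_line(line: str):
    """Assumed format: '<ISO-8601 ts> <src ip> login user=<name> result=<fail|success>'."""
    ts, ip, _, user, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip,
            user.partition("=")[2], result.partition("=")[2] == "success")

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=8, min_fail_rate=0.6):
    """Slide a time window over each source IP's attempts and alert when it
    spans many distinct accounts with mostly failures.  One user fat-fingering
    a password never trips this; a list replay does.  Accounts that logged in
    successfully inside a flagged window are reported for a forced reset."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            win = evs[left:right + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                if ip not in alerts or len(win) > alerts[ip]["attempts"]:
                    alerts[ip] = {"attempts": len(win), "distinct_users": len(users),
                                  "fail_rate": round(fails / len(win), 2), "compromised": set()}
                alerts[ip]["compromised"].update(u for _, u, ok in win if ok)
    return alerts

if __name__ == "__main__":
    for ip, a in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, a)
```

The distinct-account count is what separates stuffing from brute force against one account, and the successful logins inside a flagged window are exactly the accounts the MPD's advice to change passwords is aimed at. Attackers spread across many proxies lower the per-IP rate; aggregating the same statistic per ASN or per user-agent fingerprint is the usual next step.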

Read original article

FTC Censures Nomi

Score one for consumer privacy: The Federal Trade Commission has censured Nomi Technologies for tracking mobile shoppers without their consent. In fact, the FTC said that Nomi collected information on about nine million mobile devices within the first nine months of 2013.

Nomi's technology allows retailers to track consumers' movements through retail stores. The FTC said in its complaint that it misled consumers with promises in its privacy policy that it would provide an in-store mechanism for consumers to opt out of that; and it also said that Nomi failed in its promise that consumers would be informed when locations were using Nomi's tracking services.

The complaint is the FTC's first against a retail tracking company.

`It's vital that companies keep their privacy promises to consumers when working with emerging technologies, just as it is in any other context,` said Jessica Rich, director of the FTC's Bureau of Consumer Protection, in a statement. `If you tell a consumer that they will have choices about their privacy, you should make sure all of those choices are actually available to them.`

Nomi, according to the complaint, places sensors in its clients' stores that collect the MAC addresses of consumers' mobile devices as the devices search for Wi-Fi networks. MAC addresses are unique 48-bit identifiers, conventionally written as 12 hexadecimal digits, assigned to individual network interfaces. Although Nomi "hashes" the MAC addresses prior to storing them, hashing a fixed identifier still yields an identifier that is unique to a consumer's mobile device and can be tracked over time.

The complaint alleges that Nomi tracked consumers both inside and outside their clients' stores, tracking the MAC address, device type, date and time the device was observed, and signal strength of consumers' devices. In reports to clients, Nomi provided aggregated information on how many consumers passed by the store instead of entering, how long consumers stayed in the store, the types of devices used by consumers, how many repeat customers enter a store in a given period and how many customers had visited another location in a particular chain of stores.

The company's privacy policy however said that it "pledged to… always allow consumers to opt out of Nomi's service on its website, as well as at any retailer using Nomi's technology." While the company did provide an opt-out on its website, the complaint alleges that no such option was available at retailers using the service, and that consumers were not informed of the tracking taking place in the stores at all.

Under the terms of the settlement with the FTC, Nomi will be prohibited from misrepresenting consumers' options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about information practices.
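The FTC's point that a hashed MAC is still a tracking identifier is worth seeing concretely. The following added example (mine, not Nomi's code) shows that an unsalted hash links one device's sightings across stores and days, that the 48-bit input space can be reversed by enumeration once the vendor prefix is known, and, as a suggested design that the article does not describe, that a keyed pseudonym under a per-day random key gives the within-day statistics Nomi sold without cross-day linkability. The sightings are constructed.

```python
"""Hashing a MAC address is not anonymization: a deterministic hash of a
48-bit identifier is itself a stable identifier and is invertible by
enumeration.  Added example with constructed sightings."""
import hashlib
import hmac
import secrets
from datetime import date

def hashed_mac(mac: str) -> str:
    """What 'hashing the MAC' amounts to: the same digest for a device at
    every sensor, on every day, for every operator using the same scheme."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()

def sightings_by_device(observations, ident):
    """Group (store, day, mac) sightings by the identifier ident(mac, day).
    The number of groups is how many devices an analyst can tell apart; the
    size of a group is how much of one device's history is linkable."""
    groups = {}
    for store, day, mac in observations:
        groups.setdefault(ident(mac, day), []).append((store, day))
    return groups

def reverse_hashed_mac(digest: str, oui: str, limit: int = 1 << 24):
    """Unsalted hashes of a small input space invert by enumeration: with the
    vendor prefix (OUI) known only the 24-bit device part remains, a few
    seconds to a minute of hashing per OUI even in pure Python."""
    for n in range(limit):
        mac = f"{oui.lower()}:{n >> 16:02x}:{(n >> 8) & 0xFF:02x}:{n & 0xFF:02x}"
        if hashed_mac(mac) == digest:
            return mac
    return None

class DailyKeyring:
    """Independent random key per day, discarded when the day is over.  There
    is deliberately no master secret from which old keys could be re-derived."""
    def __init__(self):
        self._keys = {}
    def key_for(self, day: date) -> bytes:
        return self._keys.setdefault(day, secrets.token_bytes(32))
    def retire(self, day: date) -> None:
        self._keys.pop(day, None)

def daily_pseudonym(mac: str, day: date, keyring: DailyKeyring) -> str:
    """Keyed, rotating pseudonym (suggested design): linkable within a day,
    enough for dwell-time and passed-by-versus-entered counts, unlinkable
    across days, and not invertible by enumeration without the day's key."""
    return hmac.new(keyring.key_for(day), mac.lower().encode(), "sha256").hexdigest()

# Constructed sightings: one phone seen at two stores over two days.
OBSERVATIONS = [
    ("store-A", date(2013, 3, 1), "AA:BB:CC:00:00:2A"),
    ("store-B", date(2013, 3, 2), "aa:bb:cc:00:00:2a"),
    ("store-A", date(2013, 3, 2), "aa:bb:cc:00:00:2a"),
]
```

The OUI used in the reversal is a made-up prefix; real vendor prefixes are public, which is what makes the enumeration cheap. Retiring each day's key is what turns the pseudonym into a privacy control rather than a salted identifier the operator could still relink later.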

Read original article

Concerns Over Network Rail

Security experts have warned that a state-of-the art train signaling system being installed on Britain's railway network could be vulnerable to cyber-attack.

Professor David Stupples, who specializes in network and radio systems at City University London, told the BBC that hackers could cause a "nasty accident" or "major disruption" by targeting the European Rail Traffic Management System (ERTMS) currently being tested by Network Rail.

The advanced system, which has apparently been installed elsewhere with no reported incidents thus far, is expected to be up and running and managing major UK train routes by the 2020s.

It will put computers in charge of train speeds and other parameters which could theoretically be hacked and altered, especially by malicious insiders, said Stupples.

"The weakness is getting malware into the system by employees. Either because they are dissatisfied or being bribed or coerced," he told the broadcaster.

"It's the clever malware that actually alters the way the train will respond. So, it will perhaps tell the system the train is slowing down, when it's speeding up."

A Network Rail spokesman claimed the organization is fully aware the risk of cyber-attacks will increase as it installs more digital technology across the network.

"We work closely with government, the security services, our partners and suppliers in the rail industry and external cybersecurity specialists to understand the threat to our systems and make sure we have the right controls in place," he added.

The Department of Transport claimed that security is under "constant review" by the government in order to stay on top of any cyber-related challenges.

David Flower, EMEA managing director at Bit9 + Carbon Black, argued that Network Rail must improve its cyber defenses to feature always-on, continuous monitoring and recording on every endpoint.

"Protecting each endpoint device in this way not only allows organizations to detect any breach much faster, but the replay will allow them to track the 'kill chain' left by successful attackers, better understand the level of risk exposure, and defend against future threats," he added.

Piers Wilson, product manager at Huntsman Security, argued that the key will be for Network Rail to spot that an attack has occurred before its effects are apparent.

"With insider threats, there may be very little evidence, beyond some small changes in system behavior, that security has been breached until it is too late. Similarly, attackers are always becoming more sophisticated and developing new ways to penetrate defenses," he added.

"As a result, there is every chance that an attack will be completely new, and its effects and warning signs completely unknown, before it actually affects the signaling network."

Malwarebytes malware intelligence analyst, Chris Boyd, argued that systems such as this are built with redundancy in mind, and would allow investigators to spot any malicious insiders fairly easily.

"We may as well ask why they wouldn't just perform a malicious act without the aid of an advanced piece of malware. We could also debate the likelihood that someone with access to these systems would obtain malware like this, or understand how to use it," he added.

"Developers of attacks such as these certainly wouldn't be giving them away, and I suspect a rail worker probably couldn't afford it – never mind find where it would be on sale in the first place."

Read original article

Magento Flaw Exploited

Malicious actors are attempting to hijack online shops by exploiting a recently disclosed critical vulnerability in Magento, the popular e-commerce platform owned by eBay.

According to Sucuri, the attacks, traced back to a couple of Russian IP addresses, started within 24 hours after the details of the vulnerability were published by researchers.

The security hole identified and reported by Check Point researchers in January, dubbed the "Shoplift bug," is comprised of a chain of vulnerabilities that can be exploited by a remote attacker to execute PHP code on affected servers. The flaws are an authentication bypass (CVE-2015-1398), a SQL injection (CVE-2015-1397), and a remote file inclusion (CVE-2015-1399).

In the attacks spotted by Sucuri, the attackers are exploiting the SQL injection vulnerability to create admin accounts, which they will likely leverage at a later time to hijack the affected Magento-powered shops. The administrator accounts created by the malicious actors are named vpwq or defaultmanager, experts said.
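A shop operator who wants to check for the rogue administrator accounts described above can audit the admin table directly. This is an added example, not Sucuri's or Magento's code; the table below is a constructed subset of Magento 1's admin_user table with made-up rows, the approved-username list is something the reader supplies, and the known-bad names and the patch date are the ones given in the article.

```python
"""Audit a Magento admin_user table for accounts that may have been
created through the Shoplift SQL injection.

Added example, not Sucuri's or Magento's code. The table layout is a
constructed subset of Magento 1's admin_user table; the rows are made up.
"""
import sqlite3
from datetime import datetime

# Admin usernames Sucuri observed being created in the wild (from the article).
KNOWN_BAD_USERNAMES = {"vpwq", "defaultmanager"}

# Date the Magento patch was released (from the article). Unapproved admins
# created after this date are the most likely to be attacker-made.
PATCH_DATE = datetime(2015, 2, 9)


def audit_admin_users(conn, approved_usernames):
    """Return a list of (username, reason) for suspicious admin accounts.

    approved_usernames: the admin logins the shop owner actually provisioned
    (an assumption: the reader supplies this allowlist).
    """
    findings = []
    rows = conn.execute("SELECT username, created FROM admin_user").fetchall()
    for username, created in rows:
        created_at = datetime.strptime(created, "%Y-%m-%d %H:%M:%S")
        if username in KNOWN_BAD_USERNAMES:
            findings.append((username, "username matches a known Shoplift indicator"))
        elif username not in approved_usernames:
            if created_at >= PATCH_DATE:
                findings.append((username, "unapproved admin created after patch release"))
            else:
                findings.append((username, "unapproved admin (pre-patch, verify manually)"))
    return findings


def build_sample_db():
    """Constructed sample data: one legitimate admin and two unexpected ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_user (user_id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, created TEXT, is_active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO admin_user (username, email, created, is_active) "
        "VALUES (?, ?, ?, ?)",
        [
            ("shopowner", "owner@example.invalid", "2014-06-01 09:00:00", 1),
            ("vpwq", "x@example.invalid", "2015-04-20 03:12:44", 1),
            ("helpdesk2", "hd@example.invalid", "2015-04-21 11:05:00", 1),
        ],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for user, reason in audit_admin_users(db, {"shopowner"}):
        print(f"{user}: {reason}")
```

Against a live shop, point the query at the real database and replace the allowlist with the accounts the team actually created.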

Magento released an update to address the vulnerability on February 9. However, last week, just days before Check Point published a blog post detailing its findings, more than 50% of Magento websites had still not been patched.

Byte, a Dutch company that specializes in Magento hosting, reported that roughly 140,000 websites had been vulnerable as of April 14. On Thursday, Byte reported that nearly 100,000 websites were still unpatched.

While so far it seems that the Shoplift bug has only been exploited to create admin accounts, experts warn that malicious actors could leverage it to take full control of affected websites and steal customer information, including payment card data.

"The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system," Check Point researchers explained. "This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affect any default installation of both Community and Enterprise Editions."

The security firm has published a video to demonstrate how an attacker could exploit the remote code execution vulnerability to significantly lower the price of an expensive item.

Read original article

Login Vulnerability

German business software company SAP has patched a vulnerability in SAP Adaptive Server Enterprise (ASE) that allows an unauthorized user to access the database server.

SAP ASE is a relational database management solution designed for high-performance transaction-based applications involving a large volume of data and a large number of users.

A vulnerability (CVE-2014-6284) was identified in this piece of software by Martin Rakhmanov, a senior researcher in Trustwave's SpiderLabs team. The issue was reported to SAP back in January 2014.

"SAP ASE ships with a login named 'probe' used for the two-phase commit probe process, which uses a challenge and response mechanism to access Adaptive Server. There is a flaw in implementation of the challenge and response mechanism that allows anyone to access the server as 'probe' login," Trustwave said in an advisory.

Researchers have pointed out that "probe" is not a privileged account. However, there are some other vulnerabilities that can be exploited by attackers to elevate privileges and gain database administrator rights once they gain access to the server. By using a combination of the login vulnerability and a privilege escalation flaw, an attacker could take complete control of the affected database server, Trustwave said.

The security firm has published proof-of-concept (PoC) code for the vulnerability on GitHub.

The flaw affects SAP ASE versions 12.5, 15.0, 15.5, 15.7, and 16.0. SAP addressed the issue with the release of ASE 15.7 SP132 (released on February 5) and ASE 16.0 SP01 (released on March 20).

SAP has published its own advisory for the security bug, but it's only accessible to registered users.

Researchers often find vulnerabilities in SAP solutions. In February, Onapsis published advisories for five flaws affecting SAP BusinessObjects and SAP HANA (High-Performance Analytic Appliance).

Read original article

Critical HTTPS bug

At least 25,000 iOS apps available in Apple's App Store contain a critical vulnerability that may completely cripple HTTPS protections designed to prevent man-in-the-middle attacks that steal or modify sensitive data, security researchers warned.

As was the case with a separate HTTPS vulnerability reported earlier this week that affected 1,500 iOS apps, the bug resides in AFNetworking, an open-source code library that allows developers to drop networking capabilities into their iOS and OS X apps. Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that's trivial for hackers to monitor or modify, even when it's protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA).

"The result is an attacker with any valid certificate can eavesdrop on or modify an SSL session initiated by an app with this flawed library," Nate Lawson, the founder of security analytics startup SourceDNA, told Ars. "The flaw is that the domain name is not checked in the cert, even though the cert is checked to be sure it was issued by a valid CA. For example, I can pretend to be 'microsoft.com' just by presenting a valid cert for 'sourcedna.com.'"

Lawson estimated that the number of affected iOS apps ranged from 25,000 to as high as 50,000. SourceDNA has provided a free search tool that end users and developers can query to see if their apps are vulnerable. To make it harder for attackers to exploit the vulnerability maliciously, SourceDNA isn't providing a comprehensive list of vulnerable apps.

A quick check found that apps from Bank of America, Wells Fargo, and JPMorgan Chase were likely affected, although some of those reports may be false positives. It's possible that some apps flagged by SourceDNA use custom code or secondary measures such as certificate pinning that prevents attacks from working. Apps from Microsoft, meanwhile, remained vulnerable to the HTTPS-crippling bug reported earlier.
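The missing step Lawson describes is hostname matching: chain validation proves a CA issued the certificate, and a separate check must prove it was issued for the host the app dialled. The following is an added example, not AFNetworking's or SourceDNA's code; the two certificates are constructed sample dicts in the shape Python's ssl.getpeercert() returns, and the chain-validation result is passed in as a boolean rather than computed.

```python
"""Certificate hostname matching: the check the flawed AFNetworking
versions skipped, next to a model of the flawed behaviour.

Added example, not AFNetworking's or SourceDNA's code. Certificates are
dicts shaped like ssl.getpeercert() output; both are constructed samples.
"""

# Constructed: a certificate issued for sourcedna.com. Assume a browser-
# trusted CA issued it, so chain validation alone passes.
CERT_SOURCEDNA = {
    "subject": ((("commonName", "sourcedna.com"),),),
    "subjectAltName": (("DNS", "sourcedna.com"), ("DNS", "www.sourcedna.com")),
}

# Constructed: a certificate covering microsoft.com and one wildcard level.
CERT_MICROSOFT = {
    "subject": ((("commonName", "microsoft.com"),),),
    "subjectAltName": (("DNS", "microsoft.com"), ("DNS", "*.microsoft.com")),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a single wildcard is allowed
    only as the whole left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject '*.com', 'f*o.example.com', '*.*.example.com' and similar.
    if labels[0] != "*" or "*" in pattern[2:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches_cert(cert, hostname):
    """True if hostname is covered by a DNS SAN, or by the CN when the
    certificate carries no DNS SANs at all (legacy fallback)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)


def validate_flawed(cert, chain_ok, hostname):
    """Models the described bug: any CA-issued certificate is accepted for
    any host, because the name is never compared."""
    return chain_ok


def validate_correct(cert, chain_ok, hostname):
    """Chain must verify AND the certificate must name the dialled host."""
    return chain_ok and hostname_matches_cert(cert, hostname)
```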

Read original article

Monday, 27 April 2015

WiFi security chokes

A bug has just been announced in an open source program called wpa_supplicant.

Many of us use this program on a regular basis, often without even realising it.

Android devices, for example, include it as part of the operating system distribution; support for Wi-Fi enabled devices on Linux almost always relies on it.

That's because it's software that deals with finding, connecting to, and authenticating against Wi-Fi access points that use WPA security.

Why use WPA?

If you've followed Naked Security's advice, you'll long ago have switched from an open access point, or from WEP security (WPA's precursor), to WPA or WPA2.

Open access points are risky because anyone passing by can connect, and effortlessly listen in to your network traffic.

If you do online banking using HTTPS, you'll be safe, but a lot of the other things you do online will be wide open for what's known as sniffing – eavesdropping and recording the data going past on the network.

Sniffed data can then be mined for interesting information like email addresses, usernames, instant messages, passwords; indeed, anything that isn't properly encrypted.

WEP is worse than risky: it encrypts all your traffic with a secret password, so it's supposed to be secure, but it isn't.

Because of a fault in the underlying algorithms used in WEP, you can work backwards from the encrypted data to the password, using cracking software that typically takes just a few minutes to run.

That means you need to use WPA, and, as mentioned above, on Androids and many Linuxes, that means wpa_supplicant, even though that's probably not obvious.

Buffer overflow

Unfortunately, wpa_supplicant turned out to have a buffer overflow.

That's where you send the program some data – in this case, a network name – but deliberately make it super-long.

If the program doesn't check that the data is going to fit (perhaps on the assumption that no-one would ever bother with a network name like AAAAAATHISISLONGERTHANTHIRTYTWOCHARACTERSSOWATCHOUT), then other important data stored nearby in memory may be corrupted, and the program will probably crash.

With a mixture of analysis and deduction, crooks may be able to figure out how to orchestrate the crash in such a way that they trick your computer into running some other fragment of code of their own choosing.

Often, that gives them full access to your computer, just as if they were logged in themselves, in an outcome that's known as RCE, or remote code execution.
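The fix the article alludes to is the "does it fit" check: a network name arrives as a length-prefixed element, and the length must be validated against both the frame it sits in and the 32-byte buffer it is copied into before anything is copied. The parser below is an added example written for this explanation, not wpa_supplicant's code; the element encoding is the standard 802.11 one-byte ID, one-byte length layout, and the frames are constructed byte strings.

```python
"""Bounds-checked extraction of the SSID from 802.11 information elements.

Added example, not wpa_supplicant's code. It shows the check described as
missing: refusing a network name longer than the 32-byte buffer reserved
for it instead of copying it regardless. Frames are constructed.
"""
import struct

MAX_SSID_LEN = 32     # 802.11 caps an SSID at 32 octets
ELEMENT_ID_SSID = 0   # element ID 0 is the SSID element
ELEMENT_ID_DS = 3     # DS parameter set (one-byte channel), used as filler


class MalformedFrame(ValueError):
    """Raised when an element runs past its frame or exceeds its buffer."""


def iter_elements(body):
    """Yield (element_id, payload) from a TLV-encoded element list,
    refusing any element whose declared length runs past the buffer."""
    offset = 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise MalformedFrame("truncated element header")
        elem_id, length = struct.unpack_from("BB", body, offset)
        offset += 2
        if offset + length > len(body):
            raise MalformedFrame(f"element {elem_id} length {length} exceeds frame")
        yield elem_id, body[offset:offset + length]
        offset += length


def extract_ssid(body):
    """Return the SSID bytes, or None if no SSID element is present.

    The destination is a fixed 32-byte buffer, exactly what an unchecked
    copy would overrun, so the length is validated before the copy.
    """
    for elem_id, payload in iter_elements(body):
        if elem_id == ELEMENT_ID_SSID:
            if len(payload) > MAX_SSID_LEN:
                raise MalformedFrame(f"SSID length {len(payload)} > {MAX_SSID_LEN}")
            ssid_buf = bytearray(MAX_SSID_LEN)   # the fixed-size buffer
            ssid_buf[:len(payload)] = payload    # safe: payload is known to fit
            return bytes(ssid_buf[:len(payload)])
    return None


def ssid_is_safe(body):
    """True if the element list is well-formed and any SSID fits the buffer."""
    try:
        extract_ssid(body)
        return True
    except MalformedFrame:
        return False


def build_elements(ssid):
    """Constructed helper: encode an SSID element followed by a DS-params
    element the way a beacon would carry them (ssid must be < 256 bytes)."""
    return bytes([ELEMENT_ID_SSID, len(ssid)]) + ssid + bytes([ELEMENT_ID_DS, 1, 6])


if __name__ == "__main__":
    print(extract_ssid(build_elements(b"HomeNet")))        # b'HomeNet'
    print(ssid_is_safe(build_elements(b"A" * 33)))          # False: too long
    print(ssid_is_safe(bytes([ELEMENT_ID_SSID, 10, 65])))   # False: truncated
```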

Read original article

Top 10 malware threats

Though we're constantly being warned about the threat offered by new malware it seems that, for Windows systems at least, the old favorites continue to catch us out.

The latest threat report from security company F-Secure shows that Conficker continues to be the number one Windows threat, kept alive by the number of unpatched legacy systems still around.

Android is still the main target for mobile malware, with 61 new families discovered compared to only three for iOS. The fastest growth has been in malware that sends premium SMS messages. Ransomware is still growing too, the Koler and Slocker trojans being the largest ransomware families on Android.

Mikko Hypponen, F-Secure's Chief Research Officer says, "Criminals use ransomware to extort people by locking them out of their own devices unless they pay a ransom. Because of virtual currencies, it's becoming a lot easier for criminals to use ransomware, making it more profitable and more useful for them. For end users, ransomware is now the most prominent type of digital threat".

When it comes to spreading malware social networking sites are popular, using routes such as Kilim, a family of browser extensions that post unwanted content (messages, links, 'Likes,' etc) to the user's Facebook account and alter browser settings. Kilim is ranked second in the top 10 threats.

Looked at geographically, most threats reported by F-Secure users in the second half of 2014 originated from Europe and Asia, but in the last six months the company saw more activity reported in South America.

The top 10 threats identified by F-Secure in the second half of 2014 are:

1. Conficker/Downadup – a worm exploiting a vulnerability in Windows to spread via the web, network shares and removable media.

2. Kilim – Browser extension that posts unwanted content to Facebook.

3. Sality – A virus family that infects exe files and hides its presence to kill processes, steal data and perform other actions.

4. Ramnit – Infects EXE, DLL and HTML files. Variants may also drop a file that tries to download more malware from a remote server.

5. Autorun – A family of worms that spread mostly via infected removables and hard drives, and can perform harmful actions like stealing data and installing backdoors.

6. Majava – A collection of exploits against Java vulnerabilities; a successful attack can, among other things, give the attacker total system control.

7. Rimecud – A family of worms that spreads mostly via removable drives and instant messaging. Can install a backdoor that allows a remote attacker to access and control the system.

8. Anglerek – A collection of exploits for multiple vulnerabilities. At worst can give the attacker total system control.

9. Wormlink – Specifically-crafted shortcut icons used to exploit the critical CVE-2010-2568 vulnerability in Windows to gain system control.

10. Browlock – A police-themed ransomware family that steals control of the user's system, allegedly for possession of illegal materials, then demands payment of a 'fine' to restore normal access.

Read original article

Cloud Security Certification

The new certification, known as Certified Cloud Security Professional, or CCSP, is designed as an international standard for professional-level knowledge of the design, implementation and management of cloud environments.

(ISC)², also known as the International Information Systems Security Certification Consortium, and CSA developed CCSP to help meet a need for cloud security professionals who have the required knowledge and skills to audit, assess and secure cloud infrastructures.

"The industry needs qualified IT professionals who understand how cloud services must be securely implemented and managed," says Hong Kong-based Clayton Jones, managing director-Asia Pacific, at (ISC)².

(ISC)²'s Global Information Security Workforce Study determined that 73 percent of nearly 14,000 respondents believed that cloud computing will require information security professionals to develop new skills. Cloud computing was also the top area of infosec with growing demand for education and training within the next three years.

"CCSP is for professionals in cloud security roles accountable for protecting enterprise architectures," says Singapore-based Aloysius Cheang, managing director-APAC, at the Cloud Security Alliance. "Specialized skills will be required to close the gap between increasing cloud adoption and high levels of security concerns."

The 2015 Cloud Security Spotlight study by CSA found that security is the biggest perceived barrier to cloud adoption. Nine out of 10 organizations surveyed were concerned about public cloud security. "This is due to lack of skills in handling cloud security risks," Cheang says.

Validating Security Skills

The new certification validates practical know-how skills for professionals whose day-to-day responsibilities involve cloud security architecture, design, operations and service orchestration, Jones and Cheang say. CCSP builds upon existing certifications and education programs, including (ISC)²'s Certified Information Systems Security Professional, or CISSP, and CSA's Certificate of Cloud Security Knowledge, or CCSK.

"The objective is to create incentives for infosec professionals to obtain CCSK and CCSP, creating a workforce with mastery over the broadest cloud security body of knowledge," Cheang says.

To apply for the new CCSP exam, applicants must have a minimum of five years' experience in IT, of which three must be in information security and one in cloud computing.

All candidates must demonstrate capabilities in each of the six domains:

• Architectural concepts and design requirements;
• Cloud data security;
• Cloud platform and infrastructure security;
• Cloud application security;
• Operations; and
• Legal and compliance.

The CCSP exam will be available at PearsonVUE testing centers worldwide beginning July 21. Training seminars begin June 8 in the U.S. and will be launched in the Asia-Pacific region in the third quarter of the year.

"The cloud certification program will help security-focused professionals align themselves with emerging security paradigms in cloud environments," says Singapore-based Siddharth Deshpande, principal analyst at Gartner.

Gartner's 2015 CIO Agenda survey revealed that 64 percent of organizations in Asia Pacific and Japan will either consider cloud-based "infrastructure as a service" as a first option or a serious option when considering new infrastructure projects, while 61 percent would consider "software as a service."

What Differentiates This Credential?

(ISC)² and CSA acknowledge other cloud-related certifications are available, but they contend that most are vendor-specific and address information security nominally at a theoretical level. "The differentiator is CCSP and CCSK are vendor-neutral, reflecting overall industry best practices," Cheang says.

Read original article

Sunday, 26 April 2015

Google amasses more data

As Google dives into the Wi-Fi and cellular network services business, some are wondering just where the company is headed.

Google, known for its dominant search engine and Android operating system, has been stretching boundaries with newer projects like autonomous cars and robotics. Now it's competing with the likes of wireless carriers like Verizon and AT&T in the data and cellular market.

It's not all positive, however: Security issues and problems with some existing products leave room for

While the latest Google move may look confusing, Project Fi is feeding Google's long-term strategy -- getting more data about its users that it can turn into ad sales and greater revenue.

"I'm not sure they're trying to become a big-time wireless player," said Brian Haven, an analyst with IDC. "But by becoming a wireless service, it allows Google to gain a lot more data from new end points with users. Data is what drives them. Regardless of whether or not they can generate a nice revenue stream, the data will still feed into the other things they do."

Earlier this week, Google announced that it's working with Sprint and T-Mobile to come out with its own wireless network, dubbed Project Fi.

The company is asking would-be customers to sign up online for an invite to what it calls an Early Access Program for the service; Fi will only be available to Nexus 6 smartphone users at the start.

The service is gaining attention not just because it's a new venture but because it's coming in at a low cost -- $20 a month for talk, text, Wi-Fi tethering and international coverage, with a $10-per-gigabyte fee for cellular data.

This, said independent industry analyst Jeff Kagan, is a strange move for Google, and one that only time will prove out.

"To tell you the truth I don't get it yet," Kagan said. "I was expecting more. I was expecting a big, innovative new-thinking approach that could transform the industry, but that's not what we got. Maybe it will eventually grow into that, but what we got was a disappointment.... Will this work? To me, this is a big question mark."

However, Kagan also noted that this is Google being Google.

The company, which makes most of its money on search and related advertising, is known for trying out various ideas and technologies. Not all of them work out, but Google doesn't seem afraid to try.

For instance, in the past few years, Google has bought at least eight robotics companies, including well-known Boston Dynamics. Google also has been quite publicly working on computerized wearables, Google Glass, while also test driving its own autonomous cars.

None of these ventures is directly tied to search, which is what made Google a household name. But that doesn't mean they don't fit into the company's long-term plans.

Read original article

Petraeus Gets Probation

Former CIA boss and head of US forces in Iraq and Afghanistan, David Petraeus, has escaped with just two years' probation and a $100,000 fine despite admitting handing over classified military material to his biographer.

Petraeus struck a deal with prosecutors to get out of a jail term, pleading guilty to mishandling classified information. He was facing charges which could have landed him a stretch of several years in the slammer.

Acting US Attorney Jill Westmoreland Rose issued the following brief statement on Thursday:

"David Petraeus appeared before US Magistrate Judge David Keesler of the Western District of North Carolina today and admitted to the unauthorized removal and retention of classified information and lying to the FBI and CIA about his possession and handling of classified information. Petraeus was sentenced to a two-year probationary term and was ordered to pay a $100,000 fine. I want to thank my colleagues at DOJ National Security Division, the Charlotte FBI office for leading the investigation, as well as all our investigative partners for their work on the case."

Petraeus had handed over binders of material – including the identities of undercover officers, military strategy, code words and info from White House National Security Council meetings – to his biographer Paula Broadwell, according to court records seen by Reuters.

His wrongdoing would never have come to light had it not been for an email harassment case the FBI was called to investigate by Petraeus' friend, Jill Kelley.

It transpired that the threatening emails led back to US Army Reserve officer Broadwell, with whom Petraeus was having an affair. He was subsequently forced to resign as head of CIA just a year into the job.

Although magistrate judge David Keesler raised the fine from $40,000 on account of the gravity of the offence, the sentencing was not welcomed by all.

"A slap on the wrist is the most one could say about what can barely be called a sentence for what could have been treated as serious crimes including espionage," argued Julian Assange lawyer, Michael Ratner.

Read original article

Hacker Fleeced by FBI

Warrantless Search and Seizure

When the plane landed in Syracuse, Roberts was hauled away by FBI agents who interrogated him for four hours about his activities while in-flight. Knowing his rights, Roberts declined to voluntarily surrender his encrypted digital devices. Thus, eventually the agents simply took them.

This is precisely the sort of thing the fourth amendment was written to protect against. It reads, verbatim:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The officers who have seized the property will now have to swear to tell the truth at some point — that they believed that Roberts' devices contained evidence of criminal activity. Preservation of evidence is, no matter how one views it, protected by several higher court rulings throughout American history.

Read original article

Saturday, 25 April 2015

Galaxy S5 could leak fingerprints

I'm usually not the paranoid one in a relationship, but the fingerprint scanner on smartphones always used to freak me out.

And now, a pair of researchers from security firm FireEye breathes new life into my paranoia, as they claim hackers can steal your fingerprint data before it gets encrypted in the device. One of the potentially dangerous devices 'leaking' fingerprints is the Samsung Galaxy S5.

The security researchers have found a way to intercept a person's biometric data after it is captured by the built-in scanner, but before it becomes encrypted.

Tao Wei and Yulong Zhang from FireEye will discuss their findings at this week's RSA conference in San Francisco. However, the flaw is only present in the older versions of the Android operating system, 4.4 KitKat and earlier, so those using Android 5.0 should be safe.

That's why the duo advises anyone having an older version of Android and a fingerprint scanner on the same device to update as soon as possible, before it's too late.

The vulnerability means that a hacker can access the kernel, or core, of the Android operating system.

Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset's built-in sensors, including the fingerprint scanner.

"If the attacker can break the kernel, the core of the Android operating system, although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint", Zhang told Forbes. "You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want".

Tom Armstrong, UK Manager at Dashlane, offered the following comment: "On paper, biometrics seems like a great way to secure a device because there's the assumption that fingerprints can't be stolen. The Samsung Galaxy S5 leak is a case in point that this is not true. It can be hacked and the issue is there is no going back -- you can't replace your stolen iris, or in this case, fingerprint. The lesson we can learn from this is that biometric authentication, alone, is not foolproof. It should be used as an additional authentication layer, alongside strong or randomly generated passwords that can be changed very quickly in the event of a breach".

Read original article

Russians hacked Pentagon

The news channel quoted Defence Secretary Ash Carter, saying that the Department of Defense suffered a cybersecurity breach after Russian hackers infiltrated an unclassified defense computer network earlier this year.

The Department of Defense managed to react quickly and get rid of the attackers within 24 hours, but to Carter, speaking to a group at Stanford University, that was not enough to feel safe: "I still worry about what we don't know because this was only one attack," he said.

A Pentagon official told Fox News that the Russian hacking of the Department of Defense was "totally separate" from recent hacks at the White House and State Department earlier this month and in March, respectively.

Russian hackers broke into the unclassified networks of the White House itself last October. This past March, media revealed the networks at the State Department had also been breached.

The news came a day after it was revealed that the US military will, for the first time ever, include cyber warfare as an option in conflicts with enemies.

A 33-page Pentagon cybersecurity strategy says the Defence Department "should be able to use cyber operations to disrupt an adversary's command and control networks, military-related critical infrastructure and weapons capabilities."

Carter, who was sworn in last February, said one way the department is responding is to be more transparent about cyber security.

"I think it will be useful to us for the world to know that, first of all, we're going to protect ourselves, we're going to defend ourselves," said Carter recently.

Read original article

Millions of passwords found

The Metropolitan Police Department said Friday that the IDs and passwords of as many as 5.06 million people who use online shopping and other websites have been found on computer servers it seized in relation to alleged unauthorized access through proxy servers (See below) by a Chinese group.

There are traces that show the personal information of about 60,000 people was used to log into online shopping sites, the MPD said.

As a Chinese fraud group is suspected of having obtained the data unlawfully for shopping and other purposes, the MPD is investigating whether the unauthorized access has caused damage while urging users to take precautions such as by changing passwords.

The volume of personal information stolen online in this case is one of the largest ever seen in the nation. The MPD said that the information relating to the 60,000 individuals was data held by three companies.

The Yomiuri Shimbun has learned that two of the firms are major online shopping mall operator Rakuten, Inc. and LINE Corp., which operates a free call and messaging app.

According to the MPD, the IDs and passwords were stored on the computer servers of Sun Techno, a proxy server operator in Toshima Ward, Tokyo. The police raided the company's office in November.

About 7.85 million IDs and passwords registered as membership details on Japanese sites were stored separately in 150 files.

If it is assumed that there are no users in common between the sites, the information for about 5.06 million individual users can be considered to have been affected. Some of the data includes names, birthdays and credit card numbers. Who stole the information remains unknown.

Computer code that automatically attempts unauthorized access to online shopping sites to check whether the IDs and passwords can be used, which includes content written in Chinese, was found on the proxy servers.

The MPD found signs that the code had been used to check whether the personal credentials were valid. Information held by the three companies for about 60,000 customers was made into a list that was stored in a different file, it said.

Analysis has shown that the list was created during a period from September, two months before the MPD search, to shortly before the search.

The MPD said users of the proxy servers had gained access to the servers from China. It suspects a Chinese fraud group illegally used the proxy servers in Japan to conceal its identity when gaining unauthorized access to Japanese online shopping sites.

No financial damage from the illegal use of the IDs and passwords has been reported to police, but the MPD has asked the companies to check whether purchases and use of points were made using stolen user information.

A LINE official said: `It is greatly regrettable that our customer information was leaked illegally and could be used inappropriately. We'd like to implement safety measures and make efforts to improve our services.`

Meanwhile, a Rakuten official said, `As we have yet to obtain accurate information about the investigation, we have no information to provide.`

Read original article

The Bad News For Infosec

The legal argument behind the $10 million Class Action lawsuit and subsequent settlement is a gross misrepresentation of how attackers operate.

Central to the recent Target data breach lawsuit settlement was the idea that cyber attacks are mechanistic and follow a prescribed course or chain of events. The judge hearing the case ruled that Target is liable for not mounting an adequate defense against the 2013 cyber attack that exposed some 40 million customer debit and credit card accounts. Unfortunately, the ruling also may have serious repercussions for many of us in the security profession.

Judge Paul A. Magnuson's ruling is dangerously flawed and a gross misrepresentation of how attackers operate; it ignores the fact that the breach was conducted by actual people. Preventing one event in a supposed chain will not stop a breach. Attackers will simply find another way to achieve their goal. The challenge is to identify that a targeted attack is under way and then rip the attackers out of the network.

Here are three examples of where the ruling went wrong:

Misunderstanding #1: Targeted attacks are not linear processes
The data breach lawsuit argued:  `The fundamental premise of kill chain security is that hackers must proceed through seven steps to plan and execute an attack. While the hackers must complete all of these steps to execute a successful attack, the company has to stop the hackers from completing just one of these steps to prevent completion of the attack and data loss…`

This is old-school breach-prevention thinking. While it is useful to categorize the different phases of an attack, assuming linearity is wrong.

The fact is that taking additional preventive actions would not necessarily have neutralized the Target attack. For example, the court points to a flaw of not blocking uploads to servers with a Russian domain. Taking this precaution would not have saved Target from the breach. The attacker could have set up US-based servers through Amazon Web Services at minimal cost. This is a good example of a dynamic, human-led attack, rather than something that is static.

Additionally, there is the legal contention that, since the FireEye malware detection system and Symantec endpoint protection system identified suspicious activity, Target should have caught it and taken immediate action. Would detecting and removing specific malware have prevented the attack? No! It would only have neutralized one step. This was months after the attackers infiltrated the network. At this point, the attackers had numerous footholds inside Target. They could have easily chosen some other exfiltration tactics not detectable by Symantec or FireEye.

Listing the weak links compromised in an attack is easy ex post facto. But there were probably hundreds of other steps that the attackers planned, attempted and failed, taking instead the actual steps that were eventually successful. The attack was not an act of prescribed step-by-step mechanization.

Misunderstanding #2: Breaches can be prevented
The simple reality is that targeted breaches cannot be prevented in advance. The phrase `entirely preventable data breach` was stated as fact in the legal case, but it is a fiction. Unfortunately, much of the security industry suffers the same delusion.

When analyzing a data breach or a penetration test scenario, we always find weak points that can and should be strengthened. We also know that penetration tests always succeed, because they are run by well-trained, sophisticated attackers who are able to circumvent whatever specific security controls are in use given enough time and incentive. We simply need to accept as an industry that there will always be a way into a network, and then a foothold can be established. There is no single step that can be taken in advance that would eliminate all breaches.

Misunderstanding #3: Breaches are identified by the malware
It's clear that once the targeted attacker is through the perimeter, all preventative efforts become irrelevant. By definition, prevention systems that look for malware and other intrusions have only one chance to detect the `technical artifact` that they are built to identify, and if they miss that chance then the attacker gains a foothold in the network. But malware is generally only a small part of an active breach and may not be involved at all. And `intrusion` is only the first moment of a breach, whereas actual damage can take months to materialize.

Assuming that not all intrusions can be detected, the defender must then focus on the large volume of reconnaissance and lateral movement inside the breached network – the active part of the breach. This is the period between the initial intrusion and the resulting theft or damage – and it usually lasts for months.

While the initial breach of Target's network could not have been prevented, the attackers' movement within the network could have been detected as the intruders explored the network and established points of control. In order to detect targeted attackers during this active attack phase, however, we as an industry need to change the way we think about breach detection.

Read original article

100,000 Sites At Risk

Criminals are exploiting an extremely critical vulnerability found on almost 100,000 e-commerce websites in a wave of attacks that puts the personal information for millions of people at risk of theft.

The remote code-execution hole resides in the community and enterprise editions of Magento, the Internet's No. 1 content management system for e-commerce sites. Engineers from eBay, which owns the e-commerce platform, released a patch in February that closes the vulnerability, but as of earlier this week, more than 98,000 online merchants still hadn't installed it, according to researchers with Byte, a Netherlands-based company that hosts Magento-using websites. Now, the consequences of that inaction are beginning to be felt, as attackers from Russia and China launch exploits that allow them to gain complete control over vulnerable sites.

`The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the Web server,` Netanel Rubin, a malware and vulnerability researcher with security firm Checkpoint, wrote in a recent blog post. `The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system.`

Becoming your e-commerce admin

Attacks observed by Web security firms Incapsula and Sucuri are exploiting the bug to create new administrator accounts inside the Magento databases of vulnerable e-commerce sites. According to Sucuri, the exploits then go dormant, presumably so attackers can later access the databases to steal the personal information of customers.

`The code is leveraging SQL injection (SQLi) and inserting a new admin_user to the database,` Sucuri CTO Daniel Cid wrote of one recent attack in a blog post published Thursday. `If you suspect you have been compromised, look for the usernames vpwq or defaultmanager as they seem to be the ones being used by this specific group so far.`

The attacks began on Monday, with fewer than 1,000 attempts against sites that are protected by Incapsula. They plateaued on Wednesday with a little under 1,500 attempts that day and continued into Thursday at about the same rate. On Wednesday, Checkpoint published a detailed technical description of the vulnerability. Israel-based Checkpoint first privately reported the vulnerability to eBay engineers in January. Checkpoint researchers have been encouraging e-commerce sites that use Magento to install the update ever since a patch became available in February.

The attacks are coming from the IP addresses 62.76.177.179 and 185.22.232.218, which are both based in Russia. Cid said web administrators who are concerned their sites are compromised should also check their logs for these addresses. Still, that method isn't fool-proof. According to Incapsula, attacks are also coming from addresses located in China, and it wouldn't be surprising for attacks to become more widespread in the coming days.

The vulnerability gives unauthorized attackers full control of a vulnerable website. That means they could dump the contents of databases to obtain customers' credit card data, e-mail and home addresses, phone numbers, and other personal information. Even when websites properly encrypt a database, attackers could still add hard-to-find scripts that behind the scenes pilfer sensitive customer data during the brief window it's being processed in an unencrypted format. Attackers could also exploit the Magento vulnerability to booby-trap vulnerable websites with malware that infects the computers of visitors.

The vulnerability can also be exploited to change the prices a Web merchant charges for specific items. The following video, for example, shows Checkpoint researchers commandeering a laboratory server to obtain for free a luxury watch that normally sells for more than $100,000.

Read original article

Friday, 24 April 2015

Cybercrime gets smarter

There are 85,000 new malicious IPs launched every day and the top phishing targets are technology companies and financial institutions.

These are among the findings of a new report from threat intelligence and security company Webroot. The Webroot 2015 Threat Brief provides the latest cyber threat trends collected from tens of millions of users and over 30 security technology partners.

The report finds that the United States accounts for 31 percent of malicious IP addresses, followed by China with 23 percent and Russia with 10 percent. Overall, half of malicious IP addresses are based in Asia.

It shows a 30 percent chance of Internet users falling for a zero-day phishing attack in the course of a year, and indicates a more than 50 percent increase in phishing activity in December 2014, most likely due to the holiday season.

On average, there are nearly 900 phishing attempts detected per financial institution, but over 9,000 attempts detected per technology company. The top five technology companies impersonated by phishing sites are: Google, Apple, Yahoo, Facebook and Dropbox. Looked at by country, the US is by far the largest host of phishing sites, with over 75 percent being within its borders.

Looking at mobile systems the report finds that, on average, only 28 percent of apps on the Android platform were trustworthy or benign, a drop from 52 percent in 2013. Almost half were rated moderate or suspicious, and over 22 percent were unwanted or malicious. Trojans make up the vast majority of malicious threats, averaging 77 percent for 2014.

`Webroot has seen a continued rise in the number of malicious URLs, IP addresses, malware, and mobile applications used to enable cybercriminals to steal data, disrupt services, or cause other harm,` says Hal Lonas, chief technology officer at Webroot. `With more breaches at major retailers, financial institutions and technology companies in the headlines and scores of other, smaller breaches in 2014, the trend shows no signs of slowing down. The Webroot 2015 Threat Brief highlights the need for highly accurate and timely threat intelligence to help organizations assess the risk of incoming data, reduce the volume of security incidents, and accelerate response to successful attacks`.

2014 has also seen more sophisticated techniques being used to attack PCs. These include the Poweliks registry exploit which doesn't require extra components to deliver infections like ransomware. Webroot also discovered five new families of potentially unwanted applications, each demonstrating new social engineering techniques and complexity.

Read original article

Conficker remains top threat

Though we're constantly being warned about the threat offered by new malware it seems that, for Windows systems at least, the old favorites continue to catch us out.

The latest threat report from security company F-Secure shows that Conficker continues to be the number one Windows threat, kept alive by the number of unpatched legacy systems still around.

Android is still the main target for mobile malware, with 61 new families discovered compared to only three for iOS. The fastest growth has been in malware that sends premium SMS messages. Ransomware is still growing too, the Koler and Slocker trojans being the largest ransomware families on Android.

Mikko Hypponen, F-Secure's Chief Research Officer says, `Criminals use ransomware to extort people by locking them out of their own devices unless they pay a ransom. Because of virtual currencies, it's becoming a lot easier for criminals to use ransomware, making it more profitable and more useful for them. For end users, ransomware is now the most prominent type of digital threat`.

When it comes to spreading malware social networking sites are popular, using routes such as Kilim, a family of browser extensions that post unwanted content (messages, links, `Likes,` etc) to the user's Facebook account and alter browser settings. Kilim is ranked second in the top 10 threats.

Looked at geographically, most threats reported by F-Secure users in the second half of 2014 originated from Europe and Asia, but in the last six months the company saw more activity reported in South America.

The top 10 threats identified by F-Secure in the second half of 2014 are:

1 Conficker/Downadup -- a worm exploiting a vulnerability in Windows to spread via the web, network shares and removable media.

2 Kilim -- Browser extension that posts unwanted content to Facebook.

3 Sality -- A virus family that infects exe files and hides its presence to kill processes, steal data and perform other actions.

4 Ramnit -- Infects EXE, DLL and HTML files. Variants may also drop a file that tries to download more malware from a remote server.

5 Autorun -- A family of worms that spread mostly via infected removables and hard drives, and can perform harmful actions like stealing data and installing backdoors.

6 Majava -- A collection of exploits against Java vulnerabilities; a successful attack can, among other things, give the attacker total system control.

7 Rimecud -- A family of worms that spreads mostly via removable drives and instant messaging. Can install a backdoor that allows a remote attacker to access and control the system.

8 Anglerek -- A collection of exploits for multiple vulnerabilities. At worst can give the attacker total system control.

9 Wormlink -- Specifically-crafted shortcut icons used to exploit the critical CVE-2010-2568 vulnerability in Windows to gain system control.

10 Browlock -- A police-themed ransomware family that takes control of the user's system, allegedly for possession of illegal materials, then demands payment of a `fine` to restore normal access.

Read original article

Banking Botnets Bounce Back

Banking botnets became more widespread, resilient and evasive in 2014, resisting takedowns and arrests to target over 1,400 financial institutions in more than 80 countries, according to Dell SecureWorks.

The firm's Counter Threat Unit revealed in its latest annual Top Banking Botnets report that as banks improve their defenses and law enforcement seeks to disrupt, the cyber gangs behind these botnets have been hard at work improving their resilience.

Although activity from Zeus and its variants decreased in the latter half of 2014, Dyre, Gozi/Vawtrak, and Bugat v5 were ramped up.

Botnet masters have also increasingly been looking to anonymity networks like Tor and I2P and other tools like P2P networks and domain generation algorithms (DGAs) to hide themselves and make shutdowns more difficult for the white hats, the report claimed.

Proving their adaptability, cyber-criminals have also shifted focus slightly, towards Asian banks with weaker account security.

However, 90% of banking trojans discovered were found targeting US banks, with financial institutions in the UK, Germany, Italy, Spain, and Australia also affected.

It's not just banks at risk now, either.

The report claimed attackers have broadened their remit to include websites for corporate finance and payroll services, stock trading, social networking, email services, employment portals, entertainment, hosting providers, phone companies, and dating portals.

Spam, downloaders and drive-by attacks are just some of the methods used to infect machines, with most trojans using port 80 or 443 for communicating with their C&C servers, Dell said.

On the plus side, the CTU said it didn't see much innovation in fraud techniques in 2014 and early 2015. But it warned that `traditional solutions` are ineffective against modern banking trojans.

Read original article

WiFi security bug

In an e-mail today to the Open Source Software Security (oss-security) mailing list, the maintainer of wireless network client code used by Android, the Linux and BSD Unix operating systems, and Windows Wi-Fi device drivers sent an urgent fix to a flaw that could allow attackers to crash devices or even potentially inject malicious software into their memory. The flaw could allow these sorts of attacks via a malicious wireless peer-to-peer network name.

The vulnerability was discovered by the security team at Alibaba and reported to wpa_supplicant maintainer Jouni Malinen by the Google security team. The problem, Malinen wrote, is in how wpa_supplicant `uses SSID information parsed from management frames that create or update P2P peer entries` in the list of available networks. The vulnerability is similar in some ways to the Heartbleed vulnerability in that it doesn't properly check the length of transmitted data. But unlike Heartbleed, which let an attacker read contents out of memory from beyond what OpenSSL was supposed to allow, the wpa_supplicant vulnerability works both ways: it could expose contents of memory to an attacker, or allow the attacker to write new data to memory.

That's because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information `is transmitted in an element that has an 8-bit length field and potential maximum payload length of 255 octets,` Malinen wrote, and the code `was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.`

The end result is that an attacker could corrupt information in memory, causing wpa_supplicant and Wi-Fi service to crash; a crafted SSID could essentially be used as a denial-of-service attack on affected devices simply by sending out responses to Wi-Fi probe requests or P2P network Public Action messages. But it could also expose memory contents during the three-way handshake of a peer-to-peer network negotiation (the GO negotiation) or potentially allow for the attacker to execute code on the target.

For the most part, these vulnerabilities are difficult to exploit if the target isn't actively using P2P Wi-Fi connections. While it's possible that an `evil SSID` could cause denial of service without a P2P network, the greatest security risks involve peer-to-peer activity. A patch for the bug has been posted, and, based on Google's involvement, it will likely be part of an Android security update shortly. However, the distribution of that fix will depend on Android handset manufacturers and carriers to reach end users.
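The length-check failure described above, as an added example that is not wpa_supplicant's own code: a hypothetical peer entry whose 32-byte SSID buffer sits in front of other fields, the unchecked copy that trusts the element's 8-bit length field, and the bounded copy that rejects oversized SSIDs before writing. The struct layout, function names and the constructed SSID element are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32   /* 802.11 SSIDs are at most 32 octets */

/* Hypothetical peer entry modelled on the description above: the fixed SSID
 * buffer sits in front of other fields, including a pointer, so bytes that
 * spill past ssid[] land on them. Not wpa_supplicant's real struct. */
struct peer_entry {
    uint8_t ssid[SSID_MAX_LEN];
    size_t ssid_len;
    char *name;            /* a heap pointer an overflow could clobber */
};

/* Parse one information element laid out as [id][len][payload ...].
 * The length field is 8 bits, so a peer can claim up to 255 octets.
 * Returns the payload length, or -1 if the element is truncated. */
static int ie_parse(const uint8_t *buf, size_t buflen,
                    uint8_t *id, const uint8_t **payload)
{
    if (buflen < 2)
        return -1;
    size_t len = buf[1];
    if (len > buflen - 2)
        return -1;
    *id = buf[0];
    *payload = buf + 2;
    return (int)len;
}

/* Bytes that would be written past ssid[] for a given claimed length
 * (255 - 32 = 223, the figure quoted in the advisory). */
static size_t ssid_overflow_bytes(size_t ie_len)
{
    return ie_len > SSID_MAX_LEN ? ie_len - SSID_MAX_LEN : 0;
}

/* VULNERABLE pattern: the copy trusts the peer-supplied length. Kept only
 * to show the missing check; never call it with len > SSID_MAX_LEN. */
static void peer_set_ssid_unchecked(struct peer_entry *p,
                                    const uint8_t *ssid, size_t len)
{
    memcpy(p->ssid, ssid, len);
    p->ssid_len = len;
}

/* HARDENED: bound the length before touching the fixed buffer.
 * Returns 0 on success, -1 if the SSID is rejected. */
static int peer_set_ssid(struct peer_entry *p, const uint8_t *ssid, size_t len)
{
    if (len > SSID_MAX_LEN)
        return -1;
    memcpy(p->ssid, ssid, len);
    p->ssid_len = len;
    return 0;
}

/* Build a constructed SSID element (id 0) carrying n bytes of 'A'.
 * Returns the element's total length; out must hold 2 + n bytes. */
static size_t make_ssid_ie(uint8_t *out, size_t n)
{
    out[0] = 0;
    out[1] = (uint8_t)n;
    memset(out + 2, 'A', n);
    return 2 + n;
}

/* Feed a frame's SSID element through the hardened path.
 * Returns 1 if the SSID was accepted, 0 if malformed or rejected. */
static int process_ssid_ie(struct peer_entry *p,
                           const uint8_t *frame, size_t framelen)
{
    uint8_t id;
    const uint8_t *payload;
    int len = ie_parse(frame, framelen, &id, &payload);
    if (len < 0 || id != 0)
        return 0;
    return peer_set_ssid(p, payload, (size_t)len) == 0;
}

/* Does a constructed SSID element of n octets get accepted? */
static int accepts_ssid_of_len(size_t n)
{
    uint8_t frame[2 + 255];
    struct peer_entry p;
    memset(&p, 0, sizeof p);
    return process_ssid_ie(&p, frame, make_ssid_ie(frame, n));
}

int main(void)
{
    uint8_t frame[2 + 255];
    struct peer_entry p;
    memset(&p, 0, sizeof p);

    /* A legitimate 5-octet SSID is handled identically by both paths. */
    make_ssid_ie(frame, 5);
    peer_set_ssid_unchecked(&p, frame + 2, 5);
    printf("unchecked path stored %zu octets\n", p.ssid_len);

    printf("255-octet SSID accepted: %d (unchecked copy would overflow by %zu bytes)\n",
           accepts_ssid_of_len(255), ssid_overflow_bytes(255));
    printf("32-octet SSID accepted: %d\n", accepts_ssid_of_len(32));
    return 0;
}
```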

Read original article

Thursday, 23 April 2015

Harbortouch Reports Malware Attack

Point-of-sale systems provider Harbortouch Payments has confirmed that it recently identified and contained a malware-related breach that affected `a small percentage` of the merchants that it serves.

`The incident involved the installation of malware on certain point-of-sale systems,` the Allentown, Pa.-based company said in a statement provided to Information Security Media Group. `The advanced malware was designed to avoid detection by the anti-virus program running on the POS system. Within hours of detecting the incident, Harbortouch identified and removed the malware from affected systems.`

Harbortouch says it has hired the forensics investigation firm Mandiant to assist in its ongoing investigation. It did not reveal how much payment card information may have been exposed in the malware attack.

The company says the incident did not affect its own network, and claims it was not the result of any vulnerability in its POS software. `Harbortouch does not directly process or store cardholder data,` it says.

`It's important to note that only a small percentage of our merchants were affected and over a relatively short period of time,` the company states. `We are working with the appropriate parties to notify the card-issuing banks that were potentially impacted. Those banks can then conduct heightened monitoring of transactions to detect and prevent unauthorized charges. We are also coordinating our efforts with law enforcement to assist them in their investigation.`

Harbortouch declined to provide further details.

A source at one card issuer, who asked to remain anonymous, tells ISMG that MasterCard and VISA sent fraud alerts to issuers this week `that were pretty sizable,` but the alerts did not disclose the party involved. The date range was March 10 to April 14, 2015, according to the source.

POS malware attacks have stolen card data from retailers large and small, ranging from Target, Michaels and Staples to smaller mom-and-pop shops.

Security researchers at Cisco recently issued a warning about a new breed of point-of-sale malware dubbed Poseidon after the Greek god. They say it's the latest attack code designed to steal credit card numbers immediately after payment cards get swiped through POS terminals.

Read original article

Security Flaw in iOS

Researchers have identified a serious vulnerability in at least 1,500 iOS apps. This security flaw has made the apps exploitable by hackers who look for victims to swipe passwords and obtain financial data.

Last month, IT security firm SourceDNA discovered a bug that has since been fixed in an open-source code update. The bug is a serious vulnerability, yet some app developers have still not updated their apps to the fixed version.

The bug was identified in a version of AFNetworking released in January; AFNetworking is described as `an open-source code library that allows developers to drop networking capabilities into their apps.`

Reportedly, the vulnerability enabled man-in-the-middle attacks, which let hackers gain access to HTTPS-encrypted data. HTTPS is a widely used internet security protocol.

Ars Technica described how hackers would attack apps running version 2.5.1 of AFNetworking:

`To exploit the bug, attackers on a coffee shop Wi-Fi network or in another position to monitor the connection of a vulnerable device need only present it with a fraudulent secure sockets layer certificate. Under normal conditions the credential would immediately be detected as a counterfeit, and the connection would be dropped. But because of a logic error in the code of version 2.5.1, the validation check is never carried out, so fraudulent certificates are fully trusted.`

SourceDNA scanned and analyzed the entire App Store database of 1.4 million titles after identifying the flawed code, to see which apps are still vulnerable. Relatively few apps contained the flawed code, but popular apps such as Movies by Flixster and Rotten Tomatoes were still found to be vulnerable.

Search SourceDNA's iOS Security Report and see if your app is among the list of vulnerable apps.

Read original article

Say Goodbye Passwords

The head of developer advocacy for Paypal and Braintree, Jonathan Leblanc, has an idea that will seem absurd to some, innovative to others and terrifying to still others. The executive of the multi-billion dollar eBay subsidiary suggests in a recent presentation called `Kill All Passwords` that `true integration with the human body` is the way forward.

His premise is that user behavior has historically proven the system of password authentication to be inadequate. Users always seem to opt for easy passwords that can be cracked by brute force with ease, and this is not a problem that will lessen with the advancement of technology. Instead, the inverse is true: desktop computers can now run brute-force programs, given enough time, and guess user passwords. Study after study shows that the majority, not a small minority of users, decide on passwords that are not in any way secure.

Two-factor authentication and encrypted databases have been the primary focus of engineers looking to solve the riddle for some time now, but Leblanc is over that. Why not just attach the account to a user's biometrics, something that won't be imitable for decades to come?

Leblanc's Proposal (or Prediction)

Leblanc begins his presentation by pointing out what this article has already said: too many users are picking poor passwords. Seven percent of users, according to his presentation, use the password `password.` That is staggering when one considers that billions of people are using the web. That creates a huge market in identity theft, easy pickings, and low-hanging fruit.

Only nine of passwords are not from the list of 1000 top passwords, meaning that the overwhelming majority of passwords, despite all the money that has been invested and all the time that has been taken to ensure that users understand the risks of weak passwords, are, in a word, weak. Because of these reasons, Leblanc suggests a near-future where vein recognition, heart rate monitoring, and fingerprint scanning will all be used in concert with improved versions of existing user identification. He lists the following algorithms as being bad for security:

• MD5
• SHA-1
• SHA-2
• SHA-3

And lists the following algorithms as being, in his estimation, good:

• PBKDF2
• BCRYPT
• SCRYPT

The latter algorithm has been used in numerous applications, and is the underpinning of numerous cryptocurrencies, including Litecoin.

Financially speaking, companies, even the most deep-pocketed, will have to decide if solutions such as those Leblanc proposed are viable. After all, issuing or requiring heart monitors of all users could be a difficult task, at least until smart watches become the norm. Culturally, there are certain groups who would never go for such a thing, such as groups who would consider a piece of technology in their blood stream to be an abomination.

No one knows what the future holds, but certainly with more things than ever being done via the Internet, the problem of password security remains a huge concern for millions of companies and individuals. When an account is compromised, so, in many cases, is the data it has sent to and received from others. Lives have been destroyed thanks to weak passwords, and this continues to this day. While some may consider Leblanc's proposals to be ahead of their time or simply untenable for ethical reasons, others may see them as inevitable.

Read original article