eBay Clone Script 2010 "showcategory.php" SQL Injection

Wednesday, July 7, 2010

eBay Clone Script 2010 is a PHP-based eBay clone. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "cid" parameter of the "showcategory.php" script.

Ref: http://www.securityfocus.com/bid/41200/references

10.27.88 - CVE: Not Available
Platform: Web Application - SQL Injection

TaskFreak! "login.php" SQL Injection Issue

TaskFreak! is a web-based task manager implemented in PHP. TaskFreak! is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "password" parameter in the "login.php" script before using it in an SQL query in "include/classes/tzn_user.php". TaskFreak! versions prior to 0.6.4 are affected.

Ref: http://www.securityfocus.com/archive/1/512077

10.27.93 - CVE: CVE-2010-1521
Platform: Web Application - SQL Injection

Customer Paradigm PageDirector "id" Parameter SQL Injection

Customer Paradigm PageDirector is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "index.php" script.

Ref: http://www.securityfocus.com/bid/41184

10.27.83 - CVE: Not Available
Platform: Web Application - SQL Injection

MySpace Clone 2010 SQL Injection and Cross-Site Scripting Vulnerabilities

MySpace Clone 2010 is a PHP-based web application. The application is exposed to multiple issues. 1) An SQL injection issue that affects the "mode" parameter of the "index.php" script. 2) A cross-site scripting issue that affects the "mode" parameter of the "index.php" script.

Ref: http://www.euro-hq.com/products/MySpace-Clone-2010.html

10.27.113 - CVE: Not Available
Platform: Web Application

2daybiz Matrimonial Script "smartresult.php" SQL Injection

2daybiz Matrimonial Script is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "complexion" parameter of the "smartresult.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/41167/references

10.27.78 - CVE: Not Available
Platform: Web Application - SQL Injection

Trojan skewers security software with Windows

Security watchers have discovered a Trojan that uses built-in Windows functionality to overwrite security software and compromise systems.

The malware - which poses as an antivirus update - uses the Windows input method editor (IME) to inject itself into a system. IME is a technology that normally creates a means for users to enter characters not supported by their input device. For example, PC users with a 'Western' keyboard would take advantage of the technology to input Chinese or Japanese characters.

Security firm Websense, which has written a detailed write-up of the malware, explained: "The trojan can install itself as an IME, then it kills any running antivirus processes and deletes the installed antivirus executable files. The original executable file of this trojan disguises itself as an antivirus update package."

As Websense notes, the attacks show that malware writers have begun using Windows input methods to infect vulnerable systems.

Apple bans 'fraudulent' developer from App Store

Reassures community after iTunes hacks.

Apple has barred a developer from its App Store following reports that iTunes accounts were hacked and used to fraudulently inflate sales figures for certain applications.

It emerged yesterday that 40 out of the top 50 applications in the US App Store's e-books category were from a single publisher.

Suspicions were raised when a number of reviews stated that iTunes account holders did not knowingly purchase the applications, leading to speculation that the accounts had been compromised.

Apple has now confirmed that Thuat Nguyen, the developer of the applications, has been barred from the App Store.

"Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns," said an Apple spokesman.

Nguyen is a Vietnamese developer whose applications, while popular on the US App Store, were seemingly unappreciated on his native App Store.

Further questions regarding the legality of the content were raised, suggesting that Apple had missed an opportunity to block the application prior to its App Store debut.

Apple was quick to allay any privacy fears, saying that developers "do not receive any iTunes confidential customer data when an app is downloaded".

The firm also issued a statement to calm the fears of iTunes accounts holders who may have had their accounts compromised.

"If your credit card or iTunes password is stolen and used on iTunes, we recommend that you contact your financial institution and inquire about cancelling the card and issuing a chargeback for any unauthorised transactions," it read.

Apple also advised users to change their passwords "immediately".

The advice seems to centre around shutting the stable door after the horse has bolted, and it is vital that the App Store does not become home to such scams.

Copyright v3.co.uk


Disgruntled researchers take aim at Microsoft

Disclosure campaign launched as protest to handling of reports.

A group of researchers upset about Microsoft's handling of flaws have launched a campaign to publicly disclose security vulnerabilities within the company's products.

Known as the Microsoft-Spurned Researcher Collective, the group reported a denial of service vulnerability for Windows Vista and Server 2008.

Along with the report came a warning from the group of further zero-day vulnerability disclosures.

"MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer," the message read.

The group says that the effort is the result of frustrations over Microsoft's dealings with security researchers, including the company's handling of a flaw reported by researcher Tavis Ormandy.

In a statement provided to V3.co.uk, Microsoft response communications group manager Jerry Bryant said that the company was currently investigating the reported vulnerability, which it believes to only be exploitable by those with local access to, or code already running on, the targeted system.

"To minimise risk to computer users, Microsoft continues to encourage responsible disclosure," Bryant said of the company's dealings with researchers.

"Reporting vulnerabilities directly to vendors helps to ensure that potentially affected customers receive high-quality, comprehensive updates before cybercriminals learn of a vulnerability, and work to exploit it."

Copyright v3.co.uk


ATM hack presentation ditched after legal threats

A planned presentation about ATM security at the Hack in the Box conference in Amsterdam last week was cancelled following legal pressure from vendors.

Italian ethical hacker Raoul Chiesa intended to explain the vulnerabilities and security shortcomings that cyber criminals were using to break into ATMs as part of his Underground Economy presentation at Hack in the Box. However, this talk was cancelled at the last minute in favour of a presentation on Side Channel Analysis on Embedded Systems by Job de Haas, Softpedia reports.

Oddly, Chiesa had made the cancelled presentation at other security conferences without incident. The slides were even available online. The talk focused on security flaws that have been well understood among banking security experts, if not among the general public, for years. The ENISA report ATM Crime: Overview of the European situation and golden rules on how to avoid it, published in September 2009, draws heavily on Chiesa's research.

Chiesa advises both ENISA and the Global Crimes Unit of the United Nations Interregional Crime & Justice Research Institute (UNICRI), as illustrated here.

It's not the first time ATM suppliers have taken action to block presentations on ATM security flaws at security conferences. Most famously, a presentation on ATM security by Barnaby Jack was pulled from last year's Black Hat, only to be reinstated for next month's show, a development at least eased if not enabled when Jack left the employment of Juniper Networks to work for IOActive Labs.

It remains to be seen whether ATM vendors will once again move to block Jack's "Jackpotting" presentation this year. The software-based hack involves fooling ATM machines into spewing out more money than requested, an approach Jack himself compares to the cash machines hack carried out by John Connor in Terminator 2, AFP reports.

Army Intelligence Analyst Charged With Leaking Classified Information

A U.S. Army intelligence analyst suspected of leaking videos and documents to Wikileaks was charged Monday with eight violations of federal criminal law, including unauthorized computer access, and a single count of transmitting classified information to an unauthorized third party in violation of the Espionage Act.

Pfc. Bradley Manning, 22, was charged under the Universal Code of Military Justice with two violations encompassing the eight alleged criminal offenses, and two non-criminal violations of Army regulations governing the handling of classified information and computers.

According to the charge sheet, Manning downloaded a classified video of a military operation in Iraq and transmitted it to a third party, in violation of the Espionage Act, 18 U.S.C. 793(e), which involves passing classified information to an uncleared third party, but not a foreign government.

The remaining criminal charges are for allegedly abusing access to a Secret-level SIPR network to obtain over 150,000 classified U.S. State Department cables, as well as an unspecified classified PowerPoint presentation. He's also accused of uploading unauthorized software to the SIPR network, which is used by the Departments of State and Defense.

Charge Sheet (Redacted) – Manning

See also:

  • 3 Weeks After Arrest, Still No Charges in Wikileaks Probe
  • Wikileaks Commissions Lawyers to Defend Alleged Army Source
  • Suspected Wikileaks Source Described Crisis of Conscience Leading to Leaks
  • I Can't Believe What I'm Confessing to You: The Wikileaks Chats
  • State Department Anxious About Possible Leak of Cables to Wikileaks
  • U.S. Intelligence Analyst Arrested in Wikileaks Video Probe

Spurned security researchers form anti-MS collective

Tuesday, July 6, 2010

Security researchers irked by how Microsoft responded to Google engineer Tavis Ormandy's public disclosure of a zero-day Windows XP Help Center security bug have banded together to form a group called the Microsoft-Spurned Researcher Collective.

The group is forming a "union" in the belief that together they will be better placed to handle flak from Redmond and elsewhere following the publication of security flaws. A statement, published by The Windows Club blog, explains the Collective's stance.

"Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective," it said. "MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

Supporters of the Collective include Vupen Security, which last week published details of a zero-day flaw affecting Windows Vista and Windows Server 2008. The vulnerability creates a means for hackers to crash affected systems. It stems from a security bug in the Windows kernel, and is rated as only a moderate-risk bug that doesn't lend itself to remote code execution.

The debate about responsible disclosure of security vulnerabilities is as old as software development. Security researchers argue that by disclosing problems they give end-users a chance to act and put pressure to act on software developers, who might otherwise be tempted to ignore the problem. Software developers (including Oracle, Adobe and many others as well as MS) argue that disclosing vulnerabilities in the absence of a fix imperils users.

To some outside either camp the argument hinges on whether a vulnerability is being actively exploited. The length of time a vendor has had to fix a bug - a period that can sometimes run into months - is also an important factor.

Hack forces Flash onto iPad

Software hobbyists have defied Steve Jobs by creating a hack that allows Flash to run on iPads, albeit with limitations.

Comex - the hacker responsible for the iPad "Spirit" jailbreak - has circumvented Apple's iPad Flash ban by coding an iPad port of Adobe's Flash runtime for Android, TGDaily reports.

The so-called Frash is reportedly capable of rendering most Flash-based programs in Safari. Comex plans to apply the same approach to iPhone and other mobile devices over time.

The technology uses features similar to those found in Chrome to make sure a device keeps running even if the application crashes. Frash is however limited by lack of video and keyboard input support.

Comex is confident of adding keyboard support, but video input is a far trickier proposition that is likely to require reverse engineering, according to the developer.

A demo of Frash in action can be found on YouTube.

ECOMAT "show" Parameter SQL Injection

ECOMAT is a PHP-based content management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "show" parameter of the "index.php" script. ECOMAT version 5.0 is affected.

Ref: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_ecomat_cms.html

10.27.92 - CVE: Not Available
Platform: Web Application - SQL Injection

Grafik CMS "admin.php" SQL Injection and Cross-Site Scripting

Grafik CMS is a PHP-based content management application. The application is exposed to multiple security issues because it fails to sufficiently sanitize user-supplied input. Grafik CMS version 1.1.2 is affected.

Ref: http://www.htbridge.ch/advisory/xss_vulnerability_in_grafik_cms.html

10.27.117 - CVE: Not Available
Platform: Web Application

OneCMS Multiple Cross-Site Scripting and SQL Injection Issues

OneCMS is a PHP-based content management system. The application is exposed to multiple issues because it fails to sanitize user-supplied input. OneCMS version 2.6.1 is affected.

Ref: http://www.htbridge.ch/advisory/xss_vulnerability_in_news_module_of_onecms.html

10.27.112 - CVE: Not Available
Platform: Web Application

i-Net Online Community Site Script "profile_social.php" SQL Injection

i-Net Online Community Site Script is an online social networking application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "profile_social.php" script.

Ref: http://www.securityfocus.com/bid/41183/references

10.27.82 - CVE: Not Available
Platform: Web Application - SQL Injection

Customer Paradigm PageDirector "result.php" SQL Injection

Customer Paradigm PageDirector is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "sub_catid" parameter of the "result.php" script.

Ref: http://www.securityfocus.com/bid/41196/references

10.27.87 - CVE: Not Available
Platform: Web Application - SQL Injection

Why user provisioning matters

All it takes is a single employee to bring an organisation's network to its knees.

It is time for user provisioning to shine. For too long, IT departments have isolated account provisioning, making it a standalone process, ignoring how destructive a provisioning mistake can be. But user provisioning, the very act of providing the workforce with network access, is absolutely fundamental to an organisation's security and risk posture.

There are a plethora of scenarios in which poor provisioning can result in upsetting, and massively expensive, data leaks. The best defence against such disasters is to fully understand the significance of provisioning, as well as preparing for the worst. And the worst can be costly. Last year, Kaiser Permanente was fined US$250,000 after more than 20 employees accessed medical records for Nadya Suleman, known in the media as the "Octomom." But the threat of data leaks isn't, by any stretch, limited to high-profile scenarios involving celebrities.

Coping with new realities

The reality of today's collaborative, global, 24-hour business world has unlocked more provisioning pitfalls than ever. Organisations typically juggle multiple business partnerships, consultants who work alongside full-time staff, "road warriors," remote employees and those who are connected from home after-hours and on the weekends.

And for many organisations, force reductions have been the grim reality, especially over the past two years. When an organisation cuts back its workforce, its risk for data leaks soars because disgruntled employees are the most likely instigators. This is why deprovisioning workforce accounts, or removing them from the network, is so critical.

Unlimited risk potential

Even among disgruntled employees, there are those who pose an even greater risk than others. For instance, a sales employee could wreak havoc around disclosing confidential customer data. While this has major business consequences, it usually can be traced and, in most cases, contained.

However, a dismissed IT employee has what insurance companies call unlimited risk potential. They can bring the entire IT infrastructure to a halt. This can cost an organisation a staggering amount of money and shake customer and employee confidence to the core.

Yet, it is often tricky to know which employees are truly disgruntled and might compromise the company's data. The easy solution for this would be to apply the same deprovisioning process for all dismissed employees. But this one-size-fits-all scenario doesn't work, as more organisations are transitioning full-time staff to consultants or part-time status, rather than outright relieving them of their employment.

When faced with this scenario, too many organisations simply freeze the full-time employee's access credentials and then reactivate them once the employee comes back on board as a consultant or part-time. But this isn't safe or advisable. Instead, it is best to completely remove the full-time credentials and then create a new identity that only allows limited network accessibility.

Another aftermath of the recession has been increasing merger-and-acquisition activity in nearly all sectors. When folding another workforce into an organisation, it becomes critical to iron out compatibility and provisioning issues right away. The same is true for short-term business partnerships. In these cases, the most feasible option is to grant the partnering organisation temporary network access, whether it's through their existing VPN infrastructure or a site-to-site tunnel. However, it is critical to terminate these connections when the relationship ends. You absolutely do not want another company to access your network once your business with them has completed.

Limiting vulnerability

Obviously, the organisations most vulnerable to headline-making data leaks are those that handle the most sensitive data, like health care organisations, financial services, and the retail sector. With organisations dealing with so many moving parts that have emerged rather suddenly, IT departments are not always adequately caught up.

For instance, in 2007, hackers broke into retailer TJX's system, exploiting vulnerabilities in the company's network and Wi-Fi system. The colossal breach affected at least 90 million accounts, and the fraud-related loss on Visa cards alone ranged from a whopping US$69 million to US$83 million. The retailer has since strengthened its network, but in this case, it was too late to rectify the damage already done.

Manageability is key to success

Not only should organisations ensure that their IT security is equipped to handle high-volume, complex, and tiered provisioning, but also that their remote branches have the same high-level security as the headquarters. Retailers often pour the vast majority of their IT resources into the corporate headquarters, forgetting that the retail outlets are where customers are physically entrusting the organisation with their personal data.

Tiered provisioning also becomes crucial for health care organisations, especially now that patients are interacting electronically with more medical professionals than ever. Patients are seeing doctors, nurses, physician's assistants and lab techs, among others who need access to their files. But in a tiered provisioning system, not all of these players would get equal access to a patient's file. For instance, a lab tech only requires access to a certain portion of a patient's file, while a nurse perhaps requires more extensive access, but often not as comprehensive as the doctor.

Of course, data breaches aren't limited to these scenarios. There are scores of unknown breaches that happen from employees who innocently log into the network from unprotected family or public computers, or even while tapping into their mobile devices from unsecured wireless networks and hotspots. While organisations should strive to ultimately eliminate all of these provisioning dangers, targeting the most likely and most identifiable is a prudent - and vigilant - place to start.


Secure Computing Magazine


Developer anger as iTunes accounts reportedly hacked

Elevates popularity of some apps.

Apple's App Store appears to have fallen victim to a concerted effort by a developer to illegitimately elevate demand for his applications, according to reports.

The applications in question, Vietnamese comic books, have taken 40 of the top 50 positions in the US App Store.

Such demand is not particularly suspicious, but the applications are nowhere to be seen on their native Vietnamese App Store, suggesting that something is awry.

Further questions are being raised because two of the reviews state that the rightful account holder did not willingly purchase the applications, and that their accounts had been hacked.

Discussions on the MacRumours forums appear to confirm that accounts have been hacked on a large scale in order to buy the Vietnamese comic book apps.

It is the promotion afforded to Nguyen's applications on the top 50 that has led to complaints from fellow App Store developers, according to a post on developer Alex Brie's blog.

"This is having a negative impact on our apps, which are being pushed down in the rankings and losing visibility, plus it makes for a bad user experience," one developer is quoted on the site as saying.

This is the first such incident to occur on Apple's App Store which has, until now, remained free from security issues.

The manipulation of sales charts is likely to be watched closely by other developers, however, who rely on the free advertising it brings to bolster sales.

Google's Android Market, on the other hand, has had slightly more negative publicity in the past few months.

A rogue application disguised as an authentic banking app was removed in January after it turned out to be a phishing scam, and just last month Google was forced to remotely remove two suspect applications from Android users' devices.

Apple had not responded to a request for comment at the time of writing.

Copyright v3.co.uk


Review: Trend Micro Enterprise Security for Endpoints v10

Customers can enable modules depending on the level of protection required.

Enterprise Security for Endpoints is a software solution comprised of Trend Micro's OfficeScan suite of modules, as well as a series of plug-ins, which customers can enable depending on the level of protection required.

The solution consists of a backend server product, a centralised web console for administration and various client endpoint packages. The client and server software both run on Microsoft Windows and the client agents can also be installed on Macs and some mobile operating systems.

Installation was quick. We were using the web-based administrative console in a matter of minutes. The console interface communicates to the management server through a series of ActiveX controls for a more granular and interactive experience.

Overall administration is incredibly easy and we found everything we were looking for without any problems. From a management perspective, the solution has all the enterprise features, such as reporting, notifications, role-based access control and more.

Deploying agents to client machines is also easy. Agents can be fetched from a URL or pushed using the management console. Trend has opted to take a plug-in approach to its solution. At the very heart of Enterprise Security for Endpoints is Trend's extensive malware protection, but other features are available as well.

An intrusion defense firewall plug-in is available, which adds a granular firewall and HIPS protection to endpoints. This includes controlling access to removable media and protecting web browsing and monitoring for non-compliant application use.

The solution also integrates with Cisco NAC, which provides host integrity and compliance checking. Additionally, Trend provides real-time cloud-based threat intelligence and distributes the reputation data to the client endpoints. All of the features are controlled through an easy-to-use policy management interface.

Overall, we were impressed with the ease of use, management features and endpoint protection options for the solution.

Documentation is available via PDF documents or accessed through the server console itself. We found all of the information to be helpful, especially an accompanying best practice deployment guide.

Standard maintenance is included with the purchase of the product and includes phone and email support during business hours (12-hour day). Three additional support levels are also available. We award this product our BEST BUY.

Secure Computing Magazine


YouTube hit by cross-site scripting vulnerability

YouTube hacked.

Rumours spread across the internet yesterday that YouTube had been hacked.

According to Chris Boyd, malware researcher at Sunbelt Software, a cross-site scripting (XSS) vulnerability allowed people to perform all manner of interesting things on video pages, starting with the ability to block fresh comments that soon moved into the realms of scrolling text.

Specifically hit were videos featuring Canadian teen singer Justin Bieber; however, other random videos were also hit.

Rumours also spread across micro-blogging site Twitter, with its front page advising users not to ‘watch any YouTube videos or comment (on) them today, there's a virus! Spread!'

Boyd said: “Advising people to steer clear until the problem is fixed? That's good. Lots of people running around telling lots more people that there's a ‘virus'? That's not so good.

“Even hours after it's been fixed, people continue to talk about ‘getting infected' by a nonexistent virus and there's a lot of unscheduled scans now taking place.”

He commented that the Chinese Whispers-style misinformation clouding the actual attack was pretty interesting, and if the exploit had been discovered by a professional moneymaking outfit, there could have been all sorts of subtle attacks taking place for a long time – not good, given the apparent simplicity of the attack.

Speaking to techie-buzz.com, Jay Nancarrow a spokesman for YouTube's owner Google, said in a statement: “We took swift action to fix an XSS vulnerability on YouTube that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We're continuing to study the vulnerability to help prevent similar issues in the future.”

See original article on scmagazineus.com

Secure Computing Magazine


eBay shill bidder gets £5,000 fine

The first UK seller to be prosecuted for artificially inflating prices by bidding on his own eBay auctions has been told to pay £5,000 in fines and costs, and ordered to do 250 hours community service.

Judge Peter Benson at Bradford Crown court said he would have jailed minibus firm owner Paul Barrett, 39, if his record were not clean and the sums of money involved had been larger, PA reports.

Barrett pleaded guilty to using two logins to drive up the price of items including vehicles, mobile phones and a digital camera. He used the same contact details and IP address to create each account, the court heard.

He was investigated by Trading Standards after a buyer complained he had been sold a clocked minibus.

eBay today welcomed the sentence.

"We are extremely pleased with Paul Barrett's sentence," said spokeswoman Vanessa Canzini.

"While this case was not solely about shill bidding, we hope that it highlights how seriously we consider the practice of artificially increasing prices. This practice is not only prohibited on eBay as it damages the integrity and fairness of trading on our site, but it is also illegal.

"We continue to invest over £6 million every year in industry-leading technology to proactively detect shill bidding. We will always work closely with law enforcement agencies to ensure that, on the rare occasion someone attempts to follow in Barrett's footsteps, they will be stopped and will face the consequences."

Judge Benson said: "This sort of conduct strikes at the heart of that trust which is vital if this very, very useful commercial medium is to continue to operate successfully."

Online tax scam gang get 40 years

A gang of Ukrainian scammers were sentenced to a total of 40 years in prison on Friday for a multi-million pound tax scam.

The gang created thousands of fake identities and then used them to claim tax rebates from the Inland Revenue.

In total they submitted 1,600 online self-assessment tax returns and claimed £8m in rebates.

The cash went on flash cars, holidays and parachuting trips and renting properties in London.

Photo captions: "Anyone for sky-diving?"; "Shiny new motors"

Seven properties in Brentford, west London were raided in July 2009. Officers found £360,000 in cash, a samurai sword and an air pistol.

The gang was highly organised with each member dealing with one aspect of the fraud. So one address had hundreds of bank cards while another was used for National Insurance applications, and a third was used for storing cash.

Photo captions: "Those'll do nicely"; "Pick a card, any card"

The gang included:

  • Yuriy Brovarsky, Henfield Road, London SW9: pleaded guilty to conspiracy to cheat the public revenue and was sentenced to five years.
  • Krzysztof Damian Giers, Brentford, London: sentenced to four years for conspiracy to cheat the public revenue.
  • Artur Jan Karwicki, London W7: five years for the same offence.
  • Olegs Parkov, London W7: four and a half years.

Seven others got sentences ranging from 21 months to four years' imprisonment.

The HMRC release is here.

iTunes hack used to fiddle App Store ratings

Compromised Apple App Store accounts have been abused by rogue developers to boost their ranking and increase their sales.

Hijacked accounts were reportedly used to buy multiple copies of previously obscure Vietnamese-language eBooks, in an apparent bid to game the iTunes ranking system.

The eBooks concerned have been pulled from Apple's store and the account of seller Thuat Nguyen of mycompany has been suspended, Mac Rumours reports.

During the apparent attack 42 of the top 50 books listed in iTunes came from Nguyen, Engadget reports.

The manipulation had a negative effect on the rankings of legitimate application and content developers, who were first to raise the alarm over the apparent malfeasance on Saturday after noticing that their apps had fallen straight off the charts.

Early reports are split over the extent of the apparent scam. Mac Rumours reckons that a small number of accounts were breached, probably as the result of a phishing attack. However, TNW Apple reports that the scam involved apps from several developers in different countries. It reckons the Apple App store is full of account pilfering and laundering App Farms.

Whatever the extent of the problem it wouldn't hurt to follow TNW's security advice for App Store users here. The FAQ provides far more detailed security tips than Apple's reported advice that anyone who suspects problems with their account ought to change their password.

Dive Trip Calculator SQL Injection and Cross-Site Scripting Vulnerabilities

Dive Trip Calculator is a PHP-based web application. The application is exposed to an SQL injection issue and a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data.

Ref: http://www.securityfocus.com/bid/41217/references

10.27.116 - CVE: Not Available
Platform: Web Application

OlyKit Swoopo Clone 2010 "id" Parameter SQL Injection

Swoopo Clone 2010 is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/41178

10.27.81 - CVE: Not Available
Platform: Web Application - SQL Injection

2daybiz B2B Portal Script "selling_buy_leads1.php" SQL Injection

2daybiz B2B Portal Script is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat_id" parameter of the "products/business2business/selling_buy_leads1.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/41155/references

10.27.76 - CVE: Not Available
Platform: Web Application - SQL Injection

i-Net Multi User Email Script "php121_editname.php" SQL Injection

i-Net Multi User Email Script is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "uid" parameter of the "products/2daybizemail/php121_editname.php" script.

Ref: http://www.securityfocus.com/bid/41191

10.27.86 - CVE: Not Available
Platform: Web Application - SQL Injection

TopManage OLK Multiple SQL Injection Issue

TopManage OLK is a web application that integrates with SAP-based solutions. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied input to multiple fields before using them in an SQL query. TopManage OLK version 1.91.30 is affected.

Ref: http://www.securityfocus.com/archive/1/512084

10.27.91 - CVE: Not Available
Platform: Web Application - SQL Injection

eBay shill bidder gets £5,000 fine

Monday, July 5, 2010

The first UK seller to be prosecuted for artificially inflating prices by bidding on his own eBay auctions has been told to pay £5,000 in fines and costs, and ordered to do 250 hours community service.

Judge Peter Benson at Bradford Crown Court said he would have jailed minibus firm owner Paul Barrett, 39, if his record were not clean and the sums of money involved had been larger, PA reports.

Barrett pleaded guilty to using two logins to drive up the price of items including vehicles, mobile phones and a digital camera. He used the same contact details and IP address to create each account, the court heard.

He was investigated by Trading Standards after a buyer complained he had been sold a clocked minibus.

eBay today welcomed the sentence.

"We are extremely pleased with Paul Barrett's sentence," said spokeswoman Vanessa Canzini.

"While this case was not solely about shill bidding, we hope that it highlights how seriously we consider the practice of artificially increasing prices. This practice is not only prohibited on eBay as it damages the integrity and fairness of trading on our site, but it is also illegal.

"We continue to invest over £6 million every year in industry leading technology to proactively detect shill bidding. We will always work closely with law enforcement agencies to ensure that, on the rare occasion someone attempts to follow in Barrett's footsteps, they will be stopped and will face the consequences."

Judge Benson said: "This sort of conduct strikes at the heart of that trust which is vital if this very, very useful commercial medium is to continue to operate successfully."

YouTube vuln pwns Justin Bieber fans

Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.

The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that this JavaScript code was run on the machines of surfers viewing the same video clip.

Predictably enough, pranksters at 4Chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4Chan are separately trying to rig an online poll to encourage Bieber to play North Korea in an upcoming tour.

In other cases the flaw has become the fodder of comment spam.

Google iced the problem hours after it first appeared, techie-buzz.com reports.

"We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago," said Google. "Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We're continuing to study the vulnerability to help prevent similar issues in the future."

The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt - containing screenshots - charts the genesis of this rumour, which is just the sort of thing that's likely to be used in new anti-virus (scareware) scams.

Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.

"They [hackers] could steal your YouTube cookies, which probably doesn't mean much to them, but they could also post various JavaScript code that will execute in your browser, in the context of YouTube," an ISC handler writes. "I've seen nasty XSS attacks that are used to fake whole login screens and we know how many people use [the] same passwords for multiple accounts."

Beware of cold call scammers pushing rogue antivirus

Malware-pushing scammers appear to be stepping up their use of telephone-based pitches, resulting in an increase in reports from the UK of high-pressure cold calls designed to trick people into installing rogue antivirus products and other nasties.

Over the past few weeks, at least two people close to The Reg, including reporter Bill Ray, who has seen his share of scams, have received the dire warnings that their PCs are riddled with malware that can be purged with just a few clicks directed by the person on the other end. On Friday, antivirus provider Eset UK, citing an increase in the calls, warned computer users to remain vigilant.

The pitches vary, but they generally involve a professional-sounding person who may be calling from a phone center who warns that malware has been detected and is now attacking other computers. Skeptical receivers may be asked to open the Windows event viewer for proof of infection before ultimately being asked to give the caller remote access through logmein123.com or other services. Eventually, the scammers will install rogue antivirus software or other malware that is extremely difficult to remove.

The scammers are undaunted when would-be victims say they don't need help from a perfect stranger calling over the phone from heaven knows where.

"Turn your computer on and in a few clicks we can sort it out for you," one caller told a family member of Paul Young, an IT employee at Sophos, another UK-based antivirus provider. The scammer knew her name and number even though her phone wasn't listed. Shortly after hanging up, she received another call from someone claiming to be working for a different company, who used slightly different tactics.

Of course, when Young inspected the PC later, he found no signs of any infection.

The scam has been going on for more than a year, but other than the domain names, supportonclick.com, go4sapling.com and metsupport.com, researchers say they know little about the people behind the calls.

Once upon a time, malware pushers thrived off of vulnerabilities built into Microsoft Windows and the applications that ran on top of it. As software companies have gotten better at locking down their products, crooks resorted to popups designed to trick marks into installing the malicious wares. Now, with the cost of calls at an all-time low, it's only natural the scams would move to cold calls.

Eset says the scammers charge up to £79 to install the malware, which often masquerades as titles from legitimate antivirus providers.

Third-party apps failing to use Windows security features

Many third-party Windows applications are failing to utilise security features.

Many third-party Windows applications are failing to utilise two important security features that could prevent certain code execution attacks, according to a report released Thursday by Secunia.

Researchers at the Danish vulnerability tracking firm recently investigated whether some of the most popular third-party applications used two built-in Windows security features, known as Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR).

DEP, first introduced in the Windows XP Service Pack 2 in August 2004, makes part of the memory nonexecutable and, as a result, renders the exploit development process more complex and time consuming.

ASLR, introduced with the release of Windows Vista in early 2007, randomises memory space and significantly lowers the chances for certain code execution attacks to succeed.

These two defensive measures, used by most Microsoft applications, are overlooked by many third-party application developers even though they are simple to implement, the report states.

The defenses do not negate the need for patching or prevent all code execution attacks, but can in some cases prevent the exploitation of vulnerabilities, and in other cases, make successful exploitation much less likely, Thomas Kristensen, CSO of Secunia, told SCMagazineUS.com Thursday.

“These protective mechanisms are something that Microsoft has been promoting a lot regarding Windows 7 and Vista,” Kristensen said. “It's definitely something that software developers should be aware of, so why they haven't deployed them is difficult to answer.”

Some of the most popular third-party Windows programs, including Sun Java JRE, Apple Quicktime, VLC Media Player, OpenOffice.org, Google Picasa, Foxit Reader, Winamp and RealPlayer, do not currently use DEP or ASLR, the researchers found.

“The ones that should be the most motivated to use this are the big vendors who frequently get vulnerability reports,” Kristensen said. “So we fear implementation would be even worse for the vendors we didn't look at.”

On the positive side, some applications have, over time, become compatible with DEP, including Mozilla Firefox and Apple's iTunes and Safari. However, the overall implementation process has been slow and inconsistent between operating system versions, the report states. Even worse, ASLR support has been improperly implemented by “almost all vendors,” the report states.

The two security defenses must be used in concert for the best impact, Kristensen said.
“By combining DEP and ASLR, you raise the bar and make it significantly more difficult to exploit many of these vulnerabilities,” he said.

Of the 16 applications analyzed, Google Chrome was the only to utilize both DEP and ASLR, Kristensen said. A Google spokesman told SCMagazineUS.com on Thursday that the company also plans to enable these features in an upcoming release of Picasa.

“Going forward, I would hope that more vendors use these defensive mechanisms,” Kristensen said. “It would make it significantly harder to exploit common vulnerabilities in these products and that would help secure the end users.”

See original article on scmagazineus.com

Secure Computing Magazine

PDF vulnerability lingers despite patch

Still open to social engineering attack.

Adobe is on the defensive following the discovery of a security loophole previously believed to have been patched by the company.

The flaw, which exists in the Reader and Acrobat components, could allow an attacker to remotely execute a malicious application through code embedded in a PDF file by manipulating a warning dialogue.

Adobe had earlier issued a patch to address the vulnerability by instituting a blacklist which could block executable files from being launched. Researchers are reporting, however, that the protections can be circumvented.

Bkis security researcher Le Manh Tung has reported that simply adding quotation marks allows Adobe's protections to be circumvented and lets an attacker once again present a misleading warning dialogue.

"With the quotes added, Adobe Reader will not block the execution," wrote Tung in a blog post.

"Adobe Reader version 9.3.3 has fixed the fake warning message, but the threat of exploit code execution still remains."

Adobe has acknowledged the report and has issued a blog posting of its own on the matter. Director of product security and privacy Brad Arkin said that the company was keeping the launch component active, but would also look at updating the blacklist to protect against future attacks.

"While blacklist capabilities alone are not a perfect solution to defend against those with malicious intent, this option reduces the risk of attack, while minimising the impact on customers relying on workflows that depend on the launch functionality," Arkin wrote.

Copyright v3.co.uk

IBM acquires BigFix

Compliance firm to join Big Blue's stable.

IBM has agreed to acquire BigFix, an IT compliance and management firm based out of California.

The company said that the acquisition would improve IBM's datacentre management and enterprise software offerings. BigFix's compliance software tools allow administrators to set and manage policies for up to 500,000 corporate PCs.

Additionally, IBM sees the policy management tools offered by BigFix as helping to boost security and energy efficiency by allowing companies to remotely manage user policies and set automatic shutdown times.

"BigFix automates some of the most time-intensive IT tasks across the most complex global networks, helping save organisations significant amounts of time, labor, and expense,” said IBM Tivoli software general manager Al Zollar.

"BigFix’s real-time visibility and control for globally distributed computing devices will complement IBM’s existing smarter datacentre offerings and strengthen our ability to build security into the fabric of the enterprise."

Following the close of the transaction, currently slated for the third quarter of 2010, BigFix will become part of IBM's software group.

As BigFix is a privately held company, terms of the deal were not disclosed.

IT insider admits stealing info for 2,000 bank employees

Saturday, July 3, 2010

A former IT worker for the Bank of New York has admitted to stealing personal information of 2,000 employees and using it to steal more than $1m from charity bank accounts, city prosecutors said.

Adeniyi Adeyemi, 27, used his position as a contract computer technician at the bank's headquarters to steal the personal identifying information of 2,000 employees, most of whom worked in the IT department. Over an eight-year span, he used the information to set up dummy bank accounts in the employees' names and then transfer stolen funds from at least 11 charities throughout the world.

Adeyemi used publicly available routing numbers for the charities to initiate wire transfers through financial sites such as ETrade and Fidelity and deposit them into the dummy accounts. To better cover his tracks, he then transferred the funds to a second layer of dummy accounts, according to a press release issued by the New York City District Attorney.

Adeyemi also used the stolen employee data to steal directly from his co-workers by changing the contact information with their banks and taking control of their online accounts. In all, his scheme netted $1.1m, prosecutors said. To prevent his scheme from being detected, he structured transfers to be just below the $10,000 threshold that requires financial institutions to report the transactions to authorities.

Adeyemi pleaded guilty to grand larceny, money laundering, and computer tampering. Sentencing is scheduled for July 21.

Popular apps don't bother with Windows defences

Friday, July 2, 2010

Many popular software applications have avoided including security protection mechanisms built into the latest versions of Windows. The omission leaves these applications at greater risk of hacker attack, according to a study by security patching and notification firm Secunia.

Two key security mechanisms in Windows - DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) - are designed to make it hard for hackers to develop reliable exploits even in cases where security bugs are present in Windows applications. DEP, first added to Windows with XP Service Pack 2 in August 2004, is designed to prevent the execution of writable memory. ASLR, which debuted with Vista, further complicates the process of creating reliable exploits.

But the safety mechanisms do not come into play in cases where software applications fail to support them. Secunia's study on the most popular non-Microsoft applications installed on Windows users' systems, based on statistics from its PSI security patching tool, shows that the vast majority of 16 popular utilities analysed fail to support either DEP or ASLR.

Java, Apple Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer and VLC Player all fail to integrate either DEP or ASLR. Browser makers - Mozilla Firefox, Chrome, Opera - do a rather better job of applying DEP but this integration is inconsistent between different Windows platforms and not reliably extended to ASLR.

Similar criticism applies to Adobe apps, a prime target for hacker attacks over recent months.

"DEP and ASLR support, although usually trivial to implement, is overlooked by a large number of application developers," Alin Rad Pop, a senior security specialist at Secunia, writes. "Some developers have over time made their applications compatible with DEP, but overall the implementation process has proven slow and uneven between OS versions."

"ASLR support is on the other hand improperly implemented by almost all vendors, allowing return-into-libc techniques to likely succeed in their applications or in browsers designed to be otherwise ASLR compliant."

Secunia reckons the failure to apply Microsoft's security protections has become a major reason why hackers have turned their sights against attacks against third-party applications, rather than Windows, a major trend in the vulnerability and exploit arena over the last two or three years.

"While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms. If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable," Secunia concludes.

Secunia's study can be found here (pdf).
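The DEP and ASLR opt-in that both Secunia stories above describe (the SC Magazine piece and the one just ended) is recorded in each executable's PE header, so a defender can audit a binary's flags without running it. The checker below is an added example, not Secunia's tool or code from either article; the flag names follow the PE/COFF specification, and the helper that builds minimal test headers is a constructed stand-in for real binaries.

```python
import struct

# PE header flags (names from the PE/COFF specification)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # no .reloc data: image cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP
PE32_MAGIC = 0x10B      # 32-bit optional header
PE32PLUS_MAGIC = 0x20B  # 64-bit optional header


def check_mitigations(image: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of a PE image and report its
    DEP/ASLR opt-in status. Only the headers are read; nothing is executed."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = pe_off + 4
    (_machine, _nsect, _stamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                      # the COFF file header is 20 bytes
    if opt_size < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)

    # Under the default 32-bit "OptIn" policy only NX_COMPAT images get DEP;
    # native 64-bit processes always run with DEP regardless of the flag.
    dep = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    aslr_flag = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": dep,
        "aslr_flag": aslr_flag,
        "relocs_stripped": relocs_stripped,
        # DYNAMIC_BASE alone is not enough: the loader can only move an image
        # that still carries its relocation data, so a stripped image loads at
        # its preferred base every time and stays a fixed target.
        "aslr_effective": aslr_flag and not relocs_stripped,
    }


def summarise(name: str, result: dict) -> str:
    """One-line verdict per image, naming the mitigation(s) it lacks."""
    missing = []
    if not result["dep"]:
        missing.append("DEP")
    if not result["aslr_effective"]:
        missing.append("ASLR (flag set but relocations stripped)"
                       if result["aslr_flag"] else "ASLR")
    return "%s: %s" % (name, "DEP+ASLR" if not missing else "missing " + ", ".join(missing))


def build_test_image(dll_characteristics: int, relocs_stripped: bool = False,
                     pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, no code or sections) so the
    checker can be exercised offline; it is not a real program."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)   # 64-byte DOS header
    characteristics = 0x0002                                       # IMAGE_FILE_EXECUTABLE_IMAGE
    if relocs_stripped:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample images covering the cases the Secunia report distinguishes
    samples = {
        "hardened.exe": build_test_image(
            IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep_only.exe": build_test_image(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "broken_aslr.exe": build_test_image(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, relocs_stripped=True),
        "legacy.exe": build_test_image(0),
    }
    for name, data in samples.items():
        print(summarise(name, check_mitigations(data)))
```

To audit a real installation, read each .exe and .dll from the application's directory and pass the bytes to check_mitigations; a DLL that lacks DYNAMIC_BASE undermines ASLR for every process that loads it.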

getaphpsite.com Job Search "content.php" SQL Injection

Job Search is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "topic" parameter of the "content.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/41023/references

10.26.70 - CVE: Not Available
Platform: Web Application - SQL Injection

Shareasale "merchant_product_list.php" SQL Injection

Shareasale is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "merchant_id" parameter of the "merchant_product_list.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/40993

10.26.65 - CVE: Not Available
Platform: Web Application - SQL Injection

YourFreeWorld Banner Management Script "trackads.php" SQL Injection

YourFreeWorld Banner Management Script is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input in the "trackads.php" script before using it in an SQL query.

Ref: http://www.yourfreeworld.com/script/bannermanagementscript.php

10.26.60 - CVE: Not Available
Platform: Web Application - SQL Injection

Ananda Image Gallery "default.asp" SQL Injection Issue

Ananda Image Gallery is an ASP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "default.asp" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/40929/references

10.26.55 - CVE: Not Available
Platform: Web Application - SQL Injection

Whirlpool DDoS investigation dropped

Is Bulletproof letting the script kiddies win?

Hosting company Bulletproof Networks and Whirlpool have decided to pull the plug on an official investigation into those responsible for distributed denial of service attacks levelled against the broadband forum this week.

The attacks, which took Whirlpool offline for two days this week, were set to be escalated to the Australian Federal Police after Bulletproof informed NSW Police.

But after evading further attacks using a reverse proxy hosted at Amazon.com, Whirlpool and Bulletproof have decided not to proceed with the investigation.

In a prepared statement, Bulletproof chief operating officer Lorenzo Modesto told iTnews it had decided to "suspend investigations for the moment as a sign of goodwill."

Whirlpool founder Simon Wright later told iTnews in an interview that the "effort involved to follow through the investigation would mean a large amount of work.

"All that work would probably be to find a schoolkid at the other end who is upset he got banned from forums for using bad language," Wright said. "All that effort over a kid. At the end of the day, the benefit wouldn't scale to the effort."

Security analyst James Turner commented that it was a "classic" dilemma for the IT industry. Attributing the work of security commentator Bruce Schneier, Turner said there is a "cost asymmetry" involved in protecting any network.

"It costs very little to direct a very concerted attack, but it is quite expensive for a target to defend themselves," he said. "The economics are badly in favour of the attacker."

Wright agreed wholeheartedly.

"You can boil it down further," he said. "It is easier to destroy than to create. Causing chaos in any sphere is easy to do, creating a web site or community, hosting it, that takes a hell of a lot more effort."

The volume of HTTP packets used in the attack was "absolutely outrageous", Wright noted.

"It was the kind of volume that could take down banks - very few companies could be prepared for this," he said. "You would need so much excess infrastructure to cope."

Should the police be involved?

While he feels that "reporting criminal activity to the relevant authorities is the right thing to do", Turner said he understood the difficulty any not-for-profit would have in justifying the resources required to assist in a lengthy investigation.

Wright told iTnews it would be unfair to say that Whirlpool or Bulletproof has capitulated to the attacker(s). The investigation would "still be happening" if the DDoS attacks continued, he said.

"If [the attacker] was willing to pursue it, they would leave us no choice," he said. "We can't accept the situation of the site being down. We would have been pushing ahead with an investigation, with every avenue we could think of."

Turner said DDoS attacks are becoming increasingly common, and more Australian organisations need to be frank with their peers and go public after an attack.

"I firmly believe that Australian organisations do need to declare when they have been attacked," he said. "It is really important.

"Security professionals only have access to attack information from vendor reports, which are inherently self-serving. There is very little information to go on in the wider industry.

"If organisations are reasonably confident as to how an attack was orchestrated or who was responsible, they should go to the media," he said.

"They might think that they should keep quiet because they are alone - but that is probably not the case."

For now, the Whirlpool problem is resolved. Wright described Bulletproof's solution as "inspired".

"They did exactly what they should have done," he said. "Bulletproof's first step was and should be to ensure the integrity of their network.

"Whirlpool was the target, we didn't get to go back online straight away, but that's understandable. We had to cop it. I'd still recommend Bulletproof."


Woman Jailed 2 Days For Filming Movie Screen Sues Theater

A 22-year-old woman jailed two days in November after being arrested for filming two brief snippets of a motion picture is lashing back at the theater, claiming its manager demanded her arrest despite the police department’s reluctance.

In a civil suit lodged in Illinois federal court, Samantha Tumpach claims local police and the Motion Picture Association of America recommended against arresting her. A felony theater-filming charge carrying up to three years in prison was subsequently dropped.

The woman filed suit Monday, claiming emotional distress and malicious prosecution against Muvico Theaters, whose manager allegedly demanded her arrest in a bid to win a financial reward. The MPAA and the National Association of Theater Owners offer $500 rewards (.pdf) to movie house workers who catch pirates.

The first person arrested for filming in a U.S. theater, a federal and state crime in most states, was a 19-year-old woman who pleaded guilty to a misdemeanor in 2007. Jhannet Sejas paid a $71 fine for filming 20 seconds of Transformers in a Virginia theater. Regal Entertainment Group pushed for her prosecution.

On Tumpach’s camera, the authorities found a host of pictures she took in the theater of her friends and sister, in addition to two clips of the motion picture Twilight: New Moon, according to the suit. One was 114 seconds long. The other was 85 seconds, the suit said.

One of the snippets was captured in hopes of filming Tumpach’s “favorite actor taking his shirt off,” according to the suit.

The lawsuit, which seeks $50,000 in damages, claims the woman did not film with intent to pirate the movie, that instead she was having fun with her friends and family at a birthday party at the Rosemont, Illinois theater.

“Samantha, in the open theater area and in plain view of others, was subsequently placed under arrest, handcuffed and was walked through the theater and out to the officers’ vehicle where she was placed in the rear seat of the squad car, while numerous theater guests witnessed, pointed and gasped as Samantha cried with fright, humiliation and shame,” the suit said.

The suit claims that, once local officers took the woman to the station, they called the MPAA for guidance. The suit says the MPAA recommended destroying the footage and releasing her.

Linda Colangelo, a spokeswoman for Muvico Theaters based in Fort Lauderdale, Florida, was not immediately prepared to comment.

See Also:

  • Hollywood-Funded Study Concludes Piracy Fosters Terrorism
  • MPAA Waffling on Piracy Costs; RIAA Says Illicit CDs Worth $13.74
  • Los Angeles Says Piracy ‘Detrimental to the Public Health, Safety
  • Android App Scans DVD Bar Codes, Starts BitTorrent Download
  • Fox Claims to Fire Columnist Amid ‘X-Men’ Piracy Imbroglio
  • Fiction or Fiction: 750000 American Jobs Lost to IP Piracy

Adobe auto-launch peril not fully purged, researcher says

A security researcher says he can force Adobe Systems' widely used PDF readers to execute potentially malicious commands despite an emergency security fix the company released earlier this week.

The update Adobe added to its Reader and Acrobat applications contained a patch designed to prevent attackers from using the apps to launch potentially dangerous commands or files on end users' machines. But Le Manh Tung, a senior security researcher at Vietnam-based Bkis Internet Security, said he can bypass the fix by doing nothing more than putting quotation marks around the command he wants a targeted machine to execute.

The weakness was first demonstrated by researcher Didier Stevens and later expanded by Jeremy Conway and others. Adobe had said it wanted to find a way to eliminate the threat without removing powerful functionality relied on by some users.

On Thursday, Tung published a proof-of-concept on his blog showing how a booby-trapped PDF file can still be used to override the settings designed to block the auto-launch feature and open the Windows calculator. It works by specifying the command as "calc.exe", quotation marks included, rather than the bare calc.exe that the fix recognises.

Tung said a related vulnerability, which allowed an attacker to alter the warning Adobe displays before a command is executed, appears to be patched properly. That means it will be harder to trick a victim into clicking the Open button, which is required for an exploit to be successful. Still, with Adobe's apps installed on well over 90 percent of computers, we're sure there are users who would fall prey to scams.

It's unclear if attackers can bypass the setting to execute only code that's already installed on a targeted machine, or if they can also embed malicious payloads into PDF files as before. An Adobe spokeswoman wasn't immediately available for comment, and neither were Tung nor Stevens.
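The bypass described above is a canonicalisation failure: the check compares the literal string in the PDF, while the program that eventually runs the command treats "calc.exe" and calc.exe as the same thing. The script below is an added illustration, not code from Adobe, Bkis or Didier Stevens, and it does not claim to reproduce the exact form of Adobe's check. It scans constructed PDF action dictionaries for /Launch targets and compares an exact-match blocklist (a hypothetical one; the page does not publish Adobe's) with a check that strips quotes and any directory part before comparing.

```python
import re

# Constructed PDF action dictionaries, not taken from any real sample: a
# /Launch action naming the Windows calculator bare, double-quoted and
# single-quoted, plus an unrelated /URI action as a control.
SAMPLE_OBJECTS = [
    b"<< /Type /Action /S /Launch /Win << /F (calc.exe) >> >>",
    b'<< /Type /Action /S /Launch /Win << /F ("calc.exe") >> >>',
    b"<< /Type /Action /S /Launch /Win << /F ('calc.exe') >> >>",
    b"<< /Type /Action /S /URI /URI (http://example.invalid/) >>",
]

# Hypothetical list of executables a reader might refuse to launch; the
# real product's list is not published on this page.
BLOCKED_EXECUTABLES = {"calc.exe", "cmd.exe", "powershell.exe"}

# /S /Launch ... /F (string): the /F entry of the /Win dictionary is the
# file to run. Literal strings containing escaped parentheses are not
# handled by this simplified pattern.
LAUNCH_TARGET = re.compile(rb"/S\s*/Launch.*?/F\s*\((.*?)\)", re.S)


def launch_targets(obj: bytes) -> list[str]:
    """Return the /F target of every /Launch action found in one PDF object."""
    return [m.decode("latin-1") for m in LAUNCH_TARGET.findall(obj)]


def literal_blocked(target: str) -> bool:
    """Exact-string comparison: what a naive blocklist does."""
    return target.lower() in BLOCKED_EXECUTABLES


def canonical_name(target: str) -> str:
    """Strip surrounding quotes and any directory part before comparing.

    Whatever launches the command sees "calc.exe", 'calc.exe' and
    C:\\Windows\\System32\\calc.exe as the same program, so the check
    must normalise to the same form before it decides.
    """
    name = target.strip().strip("\"'").strip()
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower()


def canonical_blocked(target: str) -> bool:
    return canonical_name(target) in BLOCKED_EXECUTABLES


def scan(objects: list[bytes]) -> list[tuple[str, bool, bool]]:
    """For each /Launch target: (raw target, literal verdict, canonical verdict)."""
    findings = []
    for obj in objects:
        for target in launch_targets(obj):
            findings.append((target, literal_blocked(target), canonical_blocked(target)))
    return findings


if __name__ == "__main__":
    for raw, naive, canon in scan(SAMPLE_OBJECTS):
        print(f"{raw!r:14} literal-blocked={naive!s:5} canonical-blocked={canon}")
```

Run against the three constructed /Launch objects, only the bare calc.exe trips the literal check, while all three trip the canonical one. The same principle applies to any allow- or block-list that guards an execution sink: normalise to what the sink will actually interpret, then compare.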

50 arrested in smartphone spyware dragnet

Romanian authorities have arrested 50 individuals accused of using off-the-shelf software to monitor cellphone communications of their spouses, competitors, and others, according to news reports.

The Romanian Directorate for Investigating Organized Crime and Terrorism also arrested Dan Nicolae Oproiu, a 30-year-old IT specialist who allegedly sold the spyware for as much as $580 over the internet. Officials claim his software was available for handsets running the iPhone, Blackberry, Symbian, and Windows Mobile operating systems, and came in Light, Pro, and Pro-X versions that offered varying levels of services.

According to Softpedia, Oproiu's customers included businessmen, doctors, and engineers, in addition to a judge, government official, police officer and former member of Parliament. They were rounded up earlier this week in simultaneous raids throughout the country. There is evidence that detective agencies and private investigators also illegally used the spyware.

The publication goes on to speculate that Oproiu was reselling FlexiSPY, a package that's long been marketed to people who want to catch cheating spouses, stop employee espionage, protect children, and bug meeting rooms. The Pro-X version allows a user to listen to calls in real-time, surreptitiously read SMS, call logs, and email, and convert the targeted phone into a remote bugging device that can secretly capture the sounds in its immediate vicinity.

Further reports on the arrests have appeared in the Romanian press, available to English readers only via machine translation.

Big Blue buys BigFix

IBM continued today with its strategy of making relatively small but strategic acquisitions in software and services as it picked up BigFix, which makes a slew of management and security tools for the data center.

Some of BigFix's products, particularly in power management, asset discovery, and server provisioning, overlap with existing Tivoli products in IBM's Software Group or Systems Director tools from its Systems and Technology Group. But a far larger number of BigFix products in its systems lifecycle management, security configuration and vulnerability management, and endpoint protection categories are missing from the Software Group portfolio. IBM's Global Services has been partnering with BigFix to install its products in data centers and Big Blue decided it wanted BigFix all to its big self.

BigFix was founded in 1997 by David Hindawi, who is currently the company's chairman of the board. Because BigFix is privately held, IBM did not divulge the financial details of the acquisition. The deal is expected to close in the third quarter, and BigFix's 18 products will be tucked up underneath the Software Group wing, below the Tivoli-colored feathers.

BigFix made a name for itself with a free security-alert service that penny-pinching businesses often used in lieu of for-fee products to scan their PCs and report which patches were needed to bring the machines up to date.

This free service was a loss leader for paid-for products, but once BigFix was established and could live without it, the freebie security patch advisory was canceled in the summer of 2007.

BigFix currently has 200 employees, 120 resellers, and more than 700 customers, some of whom are managing as many as 100,000 endpoints using the BigFix tools. IBM says that the BigFix tools can scale to 500,000 endpoints, all from a single pane of glass and able to assess what among those machines are not in compliance with security rules and patch them "in a matter of minutes," according to Big Blue. Personally, I would like to see that claim put to the test on Patch Tuesday.

Online crims not just 'speccy geeks', researchers warn

Misconceptions about the nature of cybercrime are affecting the fight against online economic skulduggery.

Widespread beliefs that e-crooks are likely to be either "geeks with glasses" or digital pranksters are well wide of the mark, according to researchers from Trend Micro, which reckons the majority of cybercrooks would be indistinguishable from the man in the street.

Cybergangs are located around the world. Russia, the Ukraine and China are well known havens for hackers, helped by the difficulty of getting foreign complaints against economic crime to local law enforcement taken seriously. Other countries including Turkey, Brazil and Estonia also commonly crop up as the home of hackers in cybercrime investigations.

Different gangs have differing skill sets. The most technically adept specialise in writing customisable cybercrime toolkits (such as the Zeus Trojan). Others broker the sale of malware or stolen personal information, while other groups specialise in spam distribution or the administration of networks of compromised systems (botnets).

What all the groups have in common is sophisticated business models, often featuring affiliates and ideas about bonuses and incentives stolen from the mainstream world of software development and applied to cybercrime. For example, many gangs outsource aspects of cybercrime to more specialised groups.

The result is groups specialising in coding working with others whose skills lie in finding vulnerabilities. Meanwhile, some gangs manage botnets or mine personal data, while others get their hands dirty actually carrying out identity theft or financial fraud. The average team size typically ranges from one to five people, according to Trend.

Malware and social engineering tricks are used to harvest a variety of accounts, which are traded through underground markets. Average prices range from $4 for an eBay account to 50 debit cards for $170. Twitter, iTunes, eBay, email, Skype and gambling accounts have also become commodities in black market sales forums.

"Most people are simply unaware that their identities have real financial value, individually details are sold incredibly cheaply but the whole economy has a huge turnover," explained Rik Ferguson, a senior security advisor at Trend Micro.

"Identity theft has consequences far beyond the here and now. It can affect your financial record for life."

Enterprises as well as consumers are at risk of ID theft, especially in the case of compromised banking accounts, where corporates are not entitled to the guarantees against suffering the cost of financial crimes commonly offered to consumers.

Programming groups sell their malware for anywhere between $500 and $10,000, with the highest prices charged for customised versions of the Zeus banking Trojan. Trend Micro researchers cite underground sources in speculating that ZeuS programmers earn more than $800,000 per year.

The potential earnings of botnet herders may be even higher than this, depending on how successful they are at maintaining a network of infected proxies and selling their services to unscrupulous third parties. Some gangs have even begun using Twitter, Facebook and YouTube accounts to promote their services and malware kits.

Researchers at security firms have to turn detective in order to piece together a picture of who cybergangs are and how they operate. Researchers working on the bigger picture try to make sense of the complex business relationships behind attacks to better protect their customers by detecting whole malware families (kits/packs) rather than individual malicious files.

Threats commonly operate on several different layers. For example, a spam email may link to a malicious website that exploits a vulnerability to drop a Trojan on a compromised PC. This compromised machine awaits instruction from botnet herders who may have only a tenuous, indirect relationship with the original malware coders.

Since cybercrime is global, the only effective way to tackle this crime is to enforce collaboration across law enforcement agencies in different countries and continents, Trend argues. However, international co-operation is frustrated by the fact many police forces often intervene only when there's enough evidence to suggest there is a single entity that happens to be located within their jurisdiction behind criminal activity.

David Sancho, a security researcher at TrendLabs who compiled the report, warns that a growing number of individuals attracted by the prospect of making a quick buck with minimum effort or risk are getting lured into cybercrime.

"There are a few well-financed outfits with big operations that cover everything from phishing to fake antivirus deployment to mass-mailing marketing front-ends and botnet operations back-ends," Sancho told El Reg, adding there are probably no more than two dozen such operations worldwide.

"Then there's a set of people who jump on the malware bandwagon and create their own botnets with underground tools, phishing kits or whatnot. We calculate these to be a few hundred. The entry level [cost] is so low though that this number is growing."

The cloud's impact on security?

Thursday, July 1, 2010

Workshop We tried to get through this workshop without using the five letter C-word, but we could not quite make it to the end. There are good reasons for considering whether cloud will have an impact on security - not least because it is being discussed so much that you need to know if there is any substance behind the hype.

What's the hype? We need to recognise that the term cloud is used to refer to a multitude of things. It may mean hosted services using shared, co-located or multi-tenant resources, an evolution of hosting.

Vendors also use the word when speaking about running internal IT resources in highly virtualised, dynamic pools. This is an internal, private cloud. It follows a similar path to the adoption of other IT service delivery models such as managed services and outsourced IT.

Our main finding is that you don't need to panic. Over the past few weeks we've been researching just how fast this wave is due to wash ashore, and to put it bluntly we're not talking about a tsunami here. Mass adoption of the hosted service cloud model is a long way off, and while the internal, dynamic IT model may come sooner (thank virtualisation for that), there is no need to worry: but there will be problems to solve.

We can see the potential security impact of both with a quick glance at your feedback from a couple of weeks ago.

As we can see, along with the usual suspects of regulatory changes and the use of mobile devices, virtualisation of the IT infrastructure is expected to become a factor. Nearly 20% of respondents expected virtualisation to have a security impact, and more than 10% of readers report that the use of externally hosted services will also affect their approach to security. This means that several of the many definitions of cloud computing will be influencing security.

The first challenge is the data itself, be it internal to the business or external to the corporate firewall. Whatever the threats, any measures taken to counter them will need to ensure that data is only available to applications or users as defined by the organisation's access policy. We've covered some of the more elementary challenges around data protection and governance in external cloud systems in a previous workshop. We looked at virtualisation and security a week or two ago too.

Most fundamentally, only those whose role requires them to have access to the data should be able to see it and manipulate it. This leads us to a broader problem. There's a simple principle involved, namely that the further away your data is from your centre of control, the more at risk it will be.

Picture this: Even in static IT environments, information security can be problematic; in virtualised, internal cloud systems that can be provisioned rapidly, the challenge is bigger. If your IT facilities are not running on your own hardware, managed by your own administrators, the challenge is increased. If you are utilising many cloud providers for different IT services, the difficulty is exponentially greater.

To complicate matters further, the old IT considerations of multi-vendor interoperability, support and integration also apply. The harder things are to manage, the harder they are to secure.

One approach to tackling cloud security could be to encrypt all data and store the access keys in another location. Of course, managing and securing the keys then becomes the most important problem to solve. But this can help solve many data privacy problems - and possibly even some geographical limitations covering where data can and cannot go. It might be the only long-term solution that avoids over-complicating operational oversight, but encryption can cause as many problems as it solves.

Security is only one element of risk management and governance, and it's worth considering it within the broader context. For example, if you are using external cloud resources, look at how the data and any intellectual property invested in the processing engines employed to manipulate data can be moved to other third party cloud providers, or back into the enterprise, if you need to do that. You could call this Cloud Escrow.

How do you cope with security in hosted systems, or using dynamic approaches to IT. Let us know about the problems you found, and how you solved them.

Regional banking Trojans sneak past security defences

Cybercrooks have developed regionally-targeted banking Trojans that are more likely to slip under the radar of anti-virus defences.

Detection rates for regional malware vary between zero and 20 per cent, according to a study by transaction security firm Trusteer. This company markets browser security add-ons to banks, which offer them to consumers as a way of reducing the risk of malware on PCs resulting in banking fraud.

Trusteer cites two pieces of regional malware targeted at UK banking consumers. Silon.var2 crops up on one in every 500 computers in the UK, compared to one in 20,000 in the US. Another strain of malware, dubbed Agent-DBJP, was found on one in 5,000 computers in the UK compared to one in 60,000 in the US.

The Zeus Trojan is the most common agent of financial fraud worldwide. The cybercrime toolkit is highly customisable and widely available through underground carder and cybercrime forums. Trusteer has identified two UK-specific Zeus botnets, designed to infect only UK-based Windows PCs and to harvest from those compromised systems the login credentials of British banks only.

Trusteer reckons the crooks behind the attack are using UK-centric spam lists and compromised websites to spread the malware while staying under the radar of security firms. It compares this process to the shift from mass assaults to targeted strikes in corporate espionage-motivated attacks such as Operation Aurora, which struck Google and other high-tech firms last year.

"Unlike known malware kits such as Zeus, Torpig, and Ambler which simultaneously target hundreds of banks and enterprises around the world and are on the radar of all security vendors, regional financial malware such as Silon.var2 and Agent.DBJP are highly targeted," said Mickey Boodaei, Trusteer's chief exec.

"In the UK, each campaign would usually focus on three to seven banks and target them for a period of six to nine months and then morph and change the list of targets, using a new more advanced version of the malware."

Regionally-targeted malware has also cropped up in South Africa and Germany over recent months. A strain of malware called Yaludle, almost unseen outside Germany, has been used to target the online banking credentials of German surfers. Trusteer is urging banks to share information on targeted attacks locally as well as working with regulators and local law enforcement agencies to shut down command and control servers associated with regionally-targeted malware. The firm, naturally enough, also wants to persuade more banks to use its Rapport secure browsing software as a way of providing an extra defence against fraud.

Trusteer's Rapport browser lock-down technology is offered as a voluntary download by 50 banks worldwide, including NatWest and HSBC in the UK. The technology is offered alongside a remote forensics service, called Flashlight, designed to allow banks to diagnose whether a client's PC has been infected with malware following incidents of suspected fraud. Flashlight allows banks to collect samples, identify cybercrime command servers and block further attacks.

Silon, DBJP, and other regional financial malware have been identified through Trusteer's Flashlight service and analysis and investigation results have been shared between participating banks, explained Amit Klein, CTO of Trusteer. "If a bank in a specific region experiences fraud from a new piece of regional malware there is an 80 per cent chance that other banks in the same region will experience in the near future similar losses from this malware," he added.

getaphpsite.com Classifieds "search.php" SQL Injection

Classifieds is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "rate" parameter of the "search.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/41021

10.26.69 - CVE: Not Available
Platform: Web Application - SQL Injection

iBoutique "page" Parameter SQL Injection and Cross-Site Scripting Vulnerabilities

iBoutique is a web-based shopping application. iBoutique is exposed to an SQL injection issue and a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "page" parameter of the "iboutique/index.php" script.

Ref: http://www.securityfocus.com/bid/41014

10.26.99 - CVE: Not Available
Platform: Web Application

Site2Nite Boat Classifieds "detail.asp" SQL Injection

Site2Nite Boat Classifieds is an ASP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ID" parameter of the "detail.asp" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/41046

10.26.74 - CVE: Not Available
Platform: Web Application - SQL Injection

OroHYIP "withdraw_money.php" SQL Injection

OroHYIP is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "withdraw_money.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/40992/references

10.26.64 - CVE: Not Available
Platform: Web Application - SQL Injection

2daybiz Online Classified Script SQL Injection and Cross-Site Scripting Vulnerabilities

2daybiz Online Classified Script is a PHP-based web application. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied data. 1) An SQL injection issue that affects the "alb" parameter of the "view_photo.php" script. 2) A cross-site scripting issue that affects the "sid" parameter of the "products/classified/headersearch.php" script.

Ref: http://www.securityfocus.com/bid/40890

10.26.79 - CVE: Not Available
Platform: Web Application
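The five advisories above (Classifieds "rate", iBoutique "page", Site2Nite "ID", OroHYIP "id", 2daybiz "alb" and "sid") all describe one bug class: a request parameter is pasted into an SQL query, or echoed into the response, without validation or escaping. The block below is an added example and is not code from any of those products; they are PHP/ASP applications, and this uses Python's sqlite3 module so it runs stand-alone. The table names, column names and rows are constructed for the example. It shows a search handler that interpolates a numeric `rate` parameter next to its parameterised fix, and a reflected-XSS equivalent for a `page`-style parameter.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a classifieds database (names assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, rate INTEGER)")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)")
    con.executemany("INSERT INTO listings (title, rate) VALUES (?, ?)",
                    [("boat", 100), ("car", 250), ("bike", 40)])
    con.execute("INSERT INTO users (username, pwhash) VALUES ('admin', 'hash-placeholder')")
    return con


def search_vulnerable(con: sqlite3.Connection, rate: str) -> list[str]:
    """The pattern in the advisories: the request parameter is pasted into SQL."""
    sql = f"SELECT title FROM listings WHERE rate = {rate}"
    return [row[0] for row in con.execute(sql)]


def search_fixed(con: sqlite3.Connection, rate: str) -> list[str]:
    """Validate the type, then bind the value; the database never parses it as SQL."""
    try:
        rate_value = int(rate)
    except ValueError:
        return []
    rows = con.execute("SELECT title FROM listings WHERE rate = ?", (rate_value,))
    return [row[0] for row in rows]


# Constructed attacker input for the rate parameter: the numeric context is
# satisfied with 0 and a UNION appends rows from an unrelated table.
PAYLOAD = "0 UNION SELECT username || ':' || pwhash FROM users"


def render_vulnerable(page: str) -> str:
    """Reflected XSS: the parameter goes straight into the HTML response."""
    return f"<h1>Page: {page}</h1>"


def render_fixed(page: str) -> str:
    """Escape on output so any markup in the parameter is shown as text."""
    return f"<h1>Page: {html.escape(page, quote=True)}</h1>"


if __name__ == "__main__":
    db = make_db()
    print("normal:  ", search_vulnerable(db, "100"))
    print("injected:", search_vulnerable(db, PAYLOAD))
    print("fixed:   ", search_fixed(db, PAYLOAD))
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_fixed("<script>alert(1)</script>"))
```

The injected query returns the users table through the listings search; the fixed handler rejects the payload outright because it is not an integer, and even a well-formed integer is passed as a bound parameter rather than as query text. The same two rules (validate the type, bind the value) apply to the string-valued parameters in the other advisories, where the bound placeholder does the work and no type check is possible.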

Animated CAPTCHA tech aims to fox spambots

Replacing text puzzles featuring distorted letters with videos as a roadblock against the automated creation of web accounts can reduce user frustration while offering improved security, according to a Canadian start-up.

CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) have been used for some years to prevent the automated sign-ups to webmail accounts and the like. Users typically have to identify distorted letters depicted in an image. Over the years miscreants have devised techniques to break the process in order to create ready-to-spam accounts from reputable providers that are far less likely to be automatically blocked.

The sign-up for new accounts is automated, but solving the CAPTCHA puzzles themselves is tasked to the human cogs in 21st century sweatshops, often based in India, where workers are paid as little as $4 a day to defeat security checks.

Canadian firm NuCaptcha aims to rewrite the rules of account validation checks with a new video-based CAPTCHA system. Users are asked to identify moving text on a video background. The firm also offers a voiceover audio option for the partially sighted or colour-blind.

The technology is designed to work on a range of computing devices including hardware that doesn't support Flash, such as iPads, ReadWrite Web reports.

NuCaptcha reckons the technology is easier to use than traditional text-based CAPTCHAs, which have a 25 per cent registration abandonment rate, according to one recent academic study. The firm also claims to be able to detect automated attempts to solve its puzzles, throttling the speed of videos and making puzzles trickier to solve in cases of suspected abuse, as explained below.

Animation enables NuCaptcha to increase security features such as closely packing letters together, creating text that is very difficult for software, specifically Optical Character Recognition (OCR), to solve compared to current products in the field. In contrast, the animation makes the CAPTCHA far easier for humans to solve, because humans are attuned to perceiving motion.

In addition, the NuCaptcha Platform utilizes behavioral intelligence to deliver very easy CAPTCHAs to legitimate users and increasingly difficult CAPTCHAs to attackers.

The first product on the NuCaptcha Platform, NuCaptcha Basic, a freemium security service for websites and blogs that offer up to 25,000 CAPTCHAs per month, was launched on Wednesday.

More details of the technology can be found on the NuCaptcha website.

Apple to end support for iOS 2.x apps

Apple has announced that it is to end support for iOS 2.x apps.

Apple has announced that it is to end support for applications that were developed and compiled for its iOS 2.x.

In a push for adoption of the recently launched iOS 4, Apple's developer news feed has encouraged developers to rebuild their apps in Xcode targeting iOS 3.x or later, cultofmac.com reports.

It said: “Make sure that your applications are compatible with iOS 4. All new applications and updates to existing applications must be built with iPhone SDK 4. In addition, the App Store will no longer support applications that target iOS 2.x.”

Apple released iOS 4 as a free update for the iPhone 3G, iPhone 3GS and the second and third generation iPod touch. It runs on all of these devices, although the iPhone 3G and second generation iPod touch do not support all of iOS 4's features.

According to the United States Computer Emergency Readiness Team (US-CERT), iOS 4 was released to address multiple vulnerabilities across several packages that may have allowed an attacker to execute arbitrary code, cause a denial-of-service condition, disclose sensitive information, bypass security restrictions or conduct cross-site scripting attacks. It encouraged users and administrators to review Apple article HT4225 and update to iOS 4 as necessary to help mitigate the risks.

Earlier this year, Microsoft likened using Internet Explorer 6 to ‘drinking out of date milk' as part of an encouragement campaign for users to upgrade to IE8.

See original article on scmagazineus.com

Secure Computing Magazine


Google China searches partially blocked

Certain queries being blocked for mainland users.

Days after Google announced a new strategy for its search services in mainland China, the company is reporting a partial block.

The Google status page on mainland China is currently showing a partial block of the service, which had been fully accessible in previous days. The company said that it had narrowed down which searches were being blocked, but declined to speculate on the cause.

"It appears that search queries produced by Google Suggest are being blocked for mainland users in China," a company spokesperson said.

"Normal searches that do not use query suggestions are unaffected."

The block comes days after the company rolled out a new policy for its search service in China.

Google chief legal officer David Drummond said in a blog posting that the company had begun looking for alternative ways of presenting the search site should China decline the upcoming renewal of Google's Internet Content Provider licence.

Drummond said that the company would be replacing the Google.cn splash page with a redirect to the Google.hk site.

Copyright v3.co.uk


With the World Watching, Wikileaks Falls Into Disrepair

Would-be whistle-blowers hoping to leak documents to Wikileaks are facing a potentially frustrating surprise. Wikileaks’ submission process, which had been degraded for months, completely collapsed over two weeks ago and remains offline, in a little-noted break-down at the world’s most prominent secret-spilling website.

Wikileaks founder Julian Assange. (Photo: Martina Haris, via Wikimedia Commons)

Despite a surge in mostly-laudatory media portraying Wikileaks as a fearless, unstoppable outlet for documents that embarrass corporations and overbearing governments, the site has published only 12 documents since the beginning of the year, the last one four months ago. And on June 12, Wikileaks’ secure submission page stopped working after the site failed to renew its SSL certificate, a basic web protection that costs less than $30 a year and takes only hours to set up.

Wikileaks still prominently displays a link on its homepage to a secure submission form for whistleblowers to upload documents. But the page doesn’t load. The site’s donation page remains reliably available. Wikileaks’ head Julian Assange declined to comment.

Launched in 2007, Wikileaks was thrust into renewed international prominence this month after the Army confirmed it had arrested an intelligence analyst based in Iraq on suspicion of leaking classified information. Bradley Manning, 22, has been held for five weeks without charges at an Army base in Kuwait, while the U.S. investigates claims he made to an ex-hacker that he’d leaked two videos and several classified documents to Wikileaks, as well as an unfiltered database of 260,000 diplomatic cables.

Among the documents Manning claimed to have leaked was a classified U.S. embassy cable that appeared on Wikileaks on February 18. That, in fact, was the last new document to appear at Wikileaks.org, though on April 5 Wikileaks made headlines when it released a classified video of a 2007 Apache helicopter attack in Baghdad that killed a number of innocent civilians and injured two children. The video, which Manning took credit for in his online chats, and in discussions with a real-life friend, was published on another domain called CollateralMurder.com.

Wikileaks released the Apache video during a six-month fundraising drive in which Wikileaks’ archive was unavailable. By the time the site relaunched in May, careful observers had noted that its much-hailed cryptographic security had been degraded. Wikileaks’ system to upload documents using the anonymizing service Tor had stopped working by February, though there’s no indication of that status on Wikileaks’ page explaining how to securely submit documents. Wikileaks has also stopped supporting secure downloads from the site over HTTPS, meaning users downloading from the site are vulnerable to eavesdropping.

Wired.com spoke via instant messenger with Ben Laurie, a noted security expert who has served as a de facto security press person for Wikileaks, and who is listed on Wikileaks’s advisory board. When asked if it seemed odd that the most basic security features are missing from Wikileaks’ website, Laurie said, “I agree. I was not aware.”

By policy, Wikileaks does not publish a PGP key that would allow people interested in leaking documents or otherwise helping the site communicate securely by e-mail. The site still offers a “secure” chat room, but that uses a security certificate that isn’t issued by a trusted third party.

A May profile in the New Yorker reported that Wikileaks had been receiving about 30 document submissions a day when it was fully operational. With its Tor Hidden Service down, and now its SSL submission page missing, the average Wikileaks leaker would seem to be blocked. For his part, Manning claimed to have direct contact with Assange that allowed him priority access. “Long term sources do get preference,” he wrote in a chat with ex-hacker Adrian Lamo, who turned him in.

If Wikileaks’ issues are financial, the site may yet surmount them. The organization recently announced that it has decrypted a U.S. video of the notorious 2009 Garani air strike in Afghanistan — another one of the leaks Manning claimed credit for in his chats with Lamo. Wikileaks has promised to release the video shortly, a move that could give its fundraising an added boost, even if it doesn’t help with Wikileaks’ lack of transparency over its security woes.

See Also:

  • U.S. Intelligence Analyst Arrested in Wikileaks Video Probe
  • Secret Document Calls Wikileaks ‘Threat’ to U.S. Army
  • Wikileaks Was Launched With Documents Intercepted From Tor
  • Wikileaks Closes Operations Temporarily Due to Budget Woes
  • Wikileaks Meets Its Cash Goal For Now
  • Immune to Critics, Secret-Spilling Wikileaks Plans to Save Journalism

Kraken botnet re-emerges 318,000 nodes strong

The Kraken botnet is back.

Kraken, a large and difficult-to-detect botnet that peaked in 2008 and was dismantled by early 2009, is back, and anti-virus solutions are struggling to detect it, according to researchers at Georgia Tech Information Security Centre.

The botnet reappeared in April and, as of last week, was made up of more than 318,000 unique IP addresses, or about half its 650,000 maximum size in 2008, Paul Royal, research scientist at the Georgia Tech centre told SCMagazineUS.com on Wednesday.

Machines infected by Kraken malware are primarily being used to send spam, and a single member of the botnet is capable of sending more than 600,000 unwanted emails in a 24-hour period, he said. All of the spam is promoting male enhancement or erectile dysfunction products.

Kraken malware is being installed onto already compromised computers by another, larger botnet, which uses so-called “butterfly” bot malware to operate, researchers said. The butterfly bot malware, which was also used to construct the Mariposa botnet, is up for sale as a kit on the criminal black market.

It is currently unclear whether those behind the Kraken botnet are the same group as those operating the botnet that installs Kraken, Royal said. Most likely, the groups are different.

Meanwhile, the original Kraken botnet infiltration and takedown was the result of concerted industry effort, Royal said. The hosting provider that Kraken operators were using disrupted the botnet's command-and-control (C&C) domain and by early 2009, all of Kraken's original C&C domains went offline.

“The reuse of Kraken, to me, implies a potential trend of efficient malcode [malicious software code] reuse,” Royal said. “Efficient malcode takes time to develop. Like every piece of software, it has to go through several iterations and as a result, is expensive to replace. So regardless of age, provided the operators can make it appear as benign to AV [anti-virus] tools, they will continue finding uses for it.”

The notorious Storm Worm botnet recently made a similar resurgence.

The Kraken bot malware uses a common technique to avoid detection, known as obfuscation or packing, whereby the malicious portion of the program code has been made to appear as seemingly benign data, Royal said.

The technique, used by most modern malware today, is intended to prevent traditional AV from being able to recognise the malicious portion of the code or detect the threat.
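One way defenders triage the "malicious code disguised as benign data" pattern described above is to measure byte entropy: compressed or encrypted payloads look close to random (near 8 bits per byte), while ordinary code and text sit well below that. The following is an added example, not code from the article, from Georgia Tech, or from any AV vendor; the sample buffer is constructed inline (a low-entropy text region followed by a pseudo-random region standing in for a packed payload), and the window size and 7.0-bit threshold are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Slide a fixed, non-overlapping window over `data` and return (offset, entropy)
    for every window whose entropy reaches the threshold. Such regions are candidates
    for packed or encrypted content and deserve closer inspection."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample: 1024 bytes of repetitive text (low entropy), then 1024 bytes
# from a seeded PRNG (high entropy, standing in for a packed payload). Not a real binary.
PLAIN = (b"This program cannot be run in DOS mode.\r\n" * 30)[:1024]
_rng = random.Random(1337)
PACKED = bytes(_rng.getrandbits(8) for _ in range(1024))
SAMPLE = PLAIN + PACKED


def summarize(data: bytes = SAMPLE) -> dict:
    """Return entropy figures and flagged regions for a buffer (defaults to the constructed sample)."""
    hits = find_high_entropy_regions(data)
    return {
        "plain_entropy": round(shannon_entropy(PLAIN), 2),
        "packed_entropy": round(shannon_entropy(PACKED), 2),
        "first_hit_offset": hits[0][0] if hits else None,
        "hit_count": len(hits),
    }


if __name__ == "__main__":
    print(summarize())
```

Entropy is a triage signal, not a verdict: legitimate files also carry high-entropy regions (compressed resources, embedded images, certificates), so a flagged region should feed into further analysis such as unpacking in a sandbox rather than trigger a block on its own.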

Royal said that as of last week, the Kraken bot malware is poorly detected by the top three AV companies, which hold at least 70 percent of the AV market, meaning the majority of users are not protected from this threat even with up-to-date AV software.

Joshua Talbot, security intelligence manager at Symantec Security Response, told SCMagazineUS.com in an email Wednesday that the company classifies the botnet as Backdoor.Spakrab and does indeed detect it.

“Symantec's stance is that this botnet never really died out, but has in reality continued to exist and infect users,” Talbot said. “In fact, Symantec updated our signatures for this threat family just a couple of weeks ago.”

Additionally, David Marcus, director of security research and communications at McAfee, told SCMagazineUS.com in an email Wednesday that McAfee has had detection for this threat since June 12 and has been keeping it “very current.”

However, Royal said that last week he ran a sample of the malware through VirusTotal's online virus and malware scanner and it was not detected by either McAfee or Symantec.

“McAfee and Symantec probably detect older versions of Kraken, but the VirusTotal results clearly indicate a dearth of detections for recent Kraken samples,” Royal said.

Symantec's Talbot added that Kraken relies on a large number of unique malicious files to evade detection, and is a “prime example” of why traditional signature-based solutions are no longer enough to catch all threats.

“In this case, our reputation-based security technology classifies such malicious files as bad, based on automated feedback gathered from our tens of millions of opt-in end users,” Talbot said.

“These malicious files are prevented from running on a user's machine, not necessarily because traditional signatures detected them, but because they had a sufficiently poor reputation rating.”

See original article on scmagazineus.com

Secure Computing Magazine
