
76M Households, 7M Businesses Impacted in JPMorgan Chase Breach

Threatpost for B2B - Fri, 10/03/2014 - 12:54
A securities filing on Thursday revealed that up to 76 million households and seven million small businesses, far more than initially thought, were implicated in the cyber attack that hit JPMorgan Chase over the summer.

Threatpost News Wrap, October 3, 2014

Threatpost for B2B - Fri, 10/03/2014 - 12:35
Dennis Fisher and Mike Mimoso talk about the Bash Shellshock bug nightmare and the BadUSB code release.

Google Changes SafeSearch Option for Administrators

Threatpost for B2B - Fri, 10/03/2014 - 09:07
Google is removing a feature that allowed administrators to require their users to use a search option that removes explicit content from search results. The decision is tied to the fact that the option required the use of an unsecured connection to Google, something that the company said allowed it to become a target for […]

Virus Bulletin 2014: new times, same challenges

Secure List feed for B2B - Fri, 10/03/2014 - 08:11

During the last week of September the antimalware industry got together at one of the oldest and most legendary information security conferences in the world, the 24th Virus Bulletin International Conference (VB2014), held in beautiful Seattle, USA. Kaspersky Lab was there to present and share a wide range of ongoing research topics with the security community.

On the first day of the conference we were shown again and again that the Linux operating system is no longer so malware-free. Several talks dismantled that myth; among them, "Ebury and CDorked. Full disclosure" and "Linux-based Apache malware infections: biting the hand that serves us all" brought attention to non-traditional malware, and to how the Apache web server, caught in the middle of this *nix world, has become an efficient platform for attacking and infecting unsuspecting clients.

My colleague Santiago Pontiroli presented on the current "bitcoin bonanza" and how cybercrime is quickly targeting cryptocurrencies and their users. While he shared some of the most interesting malware samples that target bitcoin and other alternative currencies, the audience got an overview of the benefits that digital currencies offer to Latin American countries and the reasons behind criminals' activity.

The icing on the first day's cake was the presentation shared by Patrick Wardle who covered "Methods of malware persistence on Mac OS X", again showing us that not everything in the malware ecosystem is about Microsoft.

With so many good talks to attend on the second day, making the right choice was sometimes rather difficult. A very interesting presentation by Jérôme Segura on technical support scams demonstrated in detail how to build a honeypot to catch these scammers, while emphasizing the importance of user awareness and education.

I presented a year-long research project on the attacks against "boletos", an old and very popular Brazilian payment system based on printed documents and a barcode, showing how local bad guys have adapted their trojans to alter them, redirecting payments to their own accounts and stealing millions of dollars in the process.

Next it was my colleague David Jacoby's turn, with an extremely funny (yet informative) presentation on how he hacked his own home, exploiting different vulnerabilities in networked devices such as smart TVs, printers and NAS units. He interactively demonstrated how exposing these devices to attack would mean compromising an entire home network; the whole presentation was illustrated with funny GIFs and, interestingly enough, the slides were hand-crafted in MS Paint.

Security researchers from Microsoft gave us a rundown of .NET malware analysis with their last-minute paper ".NET malware dynamic instrumentation for automated and manual analysis". As malware developers increasingly rely on high-level programming languages for their malicious creations, tools like the one presented in this talk will become essential for malware analysts looking to become proficient in analysing malicious .NET applications.

And the last Kaspersky presentation was from Vicente Diaz on "OPSEC for security researchers". Working as a security researcher nowadays is not an easy task, especially now that we no longer deal only with technical aspects. The global picture of the security landscape these days features new actors including governments, big companies, criminal gangs and intelligence services. That puts researchers in some tricky situations.

The closing panel was funny and informative, with David Jacoby raising awareness in the community of how disclosure of important vulnerabilities (like Heartbleed, and now the infamous Shellshock) should be handled, and what roles vendors play in this scenario. After the keynote address by Katie Moussouris of HackerOne on "Bounties and standards and vuln disclosure, oh my!", the final panel left us with a cohesive feeling for the conference, bringing into the spotlight what the industry as a whole should be facing in terms of vulnerability disclosure and the ongoing challenges of protecting connected devices, the Internet of Things, cryptocurrencies and payment systems.

Times change but the same challenges remain; one thing is clear: we are still here to protect the user and fight against cybercrime.

OPSec for security researchers

Secure List feed for B2B - Fri, 10/03/2014 - 06:00

Being a security researcher nowadays is no easy task, especially as we are no longer dealing with purely technical matters. Today's global security landscape includes several new actors including governments, big companies, criminal gangs and intelligence services. This puts researchers in a difficult situation.

According to one of many definitions of OPSec:

"Operational security identifies critical information to determine if friendly actions can be observed by adversary intelligence systems"

We are hearing reports of researchers facing threats from criminal gangs, or being approached by state intelligence services. Others have found themselves under surveillance or had their devices compromised when on the road.

How can we minimize these risks? What can we do to avoid leaking information that could put us in an uncomfortable situation in the future?

Sometimes we are the public faces of a research project, but at other times we don't want to be in a visible position.

The golden rule in Operational Security is using silence as a defensive discipline. If you don't really need to say something, then keep quiet. When you need to communicate with someone, do it in a secure way that doesn't compromise the content of your message and, if possible, doesn't generate metadata around it.

This is an incredibly difficult objective to accomplish: it's a natural instinct to want to impress others and on many occasions we will face adversaries who are well trained in obtaining the information that they want. We all like to tell interesting stories.

The second golden rule is that OPSec does not work retrospectively, so we should be very careful about what we are doing now if we don't want it to come back and bite us in the future.

In terms of OPSec, every security analyst should aspire to being just another guy in the line. If we attract too much attention to ourselves, surveillance could easily escalate beyond electronic means – and that is basically game over. In today's world of massive surveillance, standing out will alert the attention of anyone who can access the relevant data. And in today's world of information leakage and "big internet companies", it's difficult to know exactly who has access to which data:

(example of data leaked from an aggregator and published as a service)

There are some interesting examples of how anomalies have been detected from metadata and then successfully used in investigations (http://en.wikipedia.org/wiki/Abu_Omar_case). And then there is the routine application of this in mass surveillance and data mining.

So what can we do?

The first rule of implementing OPSec is don't try to accomplish more than you can. The fact is that bad OPSec might be worse than no OPSec at all.

The main feature needed for effective OPSEC is not technical, but psychological: be meticulous, and maintain a healthy level of paranoia.

However, electronic surveillance is obviously much more common, and every bit of information will be there forever. Let's look at our minimum toolset to avoid leaking information and think about some basic tips.

Encryption

Obviously we should use as much encryption as possible. But remember that there is an inherent weakness. Once your keys are compromised, all the info that was encrypted in the past is compromised with them. As time passes, the likelihood of your keys being compromised will grow. So it's much better to use IM with OTP.
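The weakness described above (one compromised long-term key exposes everything it ever protected) is easiest to see side by side with a channel that derives a fresh key per message and discards the old one. The following is an added illustration, not code from the original post or from Kaspersky Lab; it uses a toy HMAC-SHA256 keystream in place of a real cipher so that it runs with the Python standard library only, and the message texts are constructed for the demo.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 of a counter under `key`, concatenated.
    Illustration only; stands in for a real stream cipher."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                      # keeps the keystream unique per message
    return nonce + xor_bytes(plaintext, keystream(key + nonce, len(plaintext)))


def decrypt_with(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return xor_bytes(body, keystream(key + nonce, len(body)))


class StaticKeyChannel:
    """Every message under the same long-term key: whoever obtains the key later
    can read all traffic that was ever sent over the channel."""

    def __init__(self, key: bytes):
        self.key = key

    def encrypt(self, plaintext: bytes) -> bytes:
        return encrypt_with(self.key, plaintext)


class RatchetChannel:
    """Hash ratchet (hypothetical, minimal): each message gets its own key derived
    from a chain state, and the state is advanced one-way after every message, so
    the material that produced earlier keys no longer exists to be stolen."""

    def __init__(self, root: bytes):
        self.state = root

    def step(self) -> bytes:
        msg_key = hmac.new(self.state, b"message-key", hashlib.sha256).digest()
        self.state = hmac.new(self.state, b"next-state", hashlib.sha256).digest()
        return msg_key

    def encrypt(self, plaintext: bytes) -> bytes:
        return encrypt_with(self.step(), plaintext)

    def decrypt(self, ciphertext: bytes) -> bytes:
        return decrypt_with(self.step(), ciphertext)


def simulate_compromise(messages):
    """Send `messages` over both channel types, then steal whatever key material each
    channel holds *now* and try to read the earlier traffic with it.
    Returns (static_recovered, ratchet_recovered): one bool per message,
    True where the stolen material decrypts that message."""
    static_tx = StaticKeyChannel(os.urandom(32))
    root = os.urandom(32)
    ratchet_tx, ratchet_rx = RatchetChannel(root), RatchetChannel(root)

    static_cts = [static_tx.encrypt(m) for m in messages]
    ratchet_cts = [ratchet_tx.encrypt(m) for m in messages]

    # The legitimate receiver, stepping its own copy of the chain, reads everything.
    assert [ratchet_rx.decrypt(c) for c in ratchet_cts] == list(messages)

    # Compromise after the conversation: attacker gets the current key material.
    stolen_static_key = static_tx.key
    stolen_ratchet_state = ratchet_tx.state

    static_recovered = [decrypt_with(stolen_static_key, c) == m
                        for c, m in zip(static_cts, messages)]

    # With the ratchet, the attacker can only derive keys *forward* from the stolen
    # state; none of them is a key that an earlier message was encrypted under.
    attacker = RatchetChannel(stolen_ratchet_state)
    forward_keys = [attacker.step() for _ in messages]
    ratchet_recovered = [any(decrypt_with(k, c) == m for k in forward_keys)
                         for c, m in zip(ratchet_cts, messages)]
    return static_recovered, ratchet_recovered


if __name__ == "__main__":
    sample = [b"constructed message 1", b"constructed message 2", b"constructed message 3"]
    print(simulate_compromise(sample))
```

The static channel returns `True` for every past message and the ratchet channel `False` for every one, which is the property the article is pointing at: the older a long-term key gets, the more traffic a single compromise exposes, whereas per-message keys that are erased as you go limit the damage to what is sent after the compromise.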

Today's big question: what is happening with TrueCrypt, the most popular encryption software?

According to the Audit project, there is no obvious flaw or backdoor. However a couple of months ago we saw this:

There are still many open questions, but you can find a trusted TrueCrypt repository at: https://github.com/AuditProject/truecrypt-verified-mirror

Email

Email simply leaves too much metadata, even when the message is encrypted with PGP (by the way, use keys larger than 2048 bits). IM with OTP is better.

External providers cannot be trusted.

IM

Pidgin and Adium seem to be OK. But remember not to log your chats, and don't overlook the non-technical factor: you don't know who is on the other side of the conversation (even when you have verified the key).

TOR

I'd definitely recommend using an anonymizing network to shake off most of the groups that could track you. However, it cannot be considered truly "secure" in the sense that most exit nodes are controlled by people who can correlate their logs with the source of the connection. We saw an example of this in the Harvard bomb threat case:

http://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor

Also TOR has been the target of many attack attempts, like this recent one:

So don't blindly trust TOR for anything very sensitive, but use it for your daily activities. Never reveal your true IP.

Telephone

A total nightmare in terms of OPSec. The simple recommendation is to get rid of it! But this won't happen.

At least don't do anything sensitive with it; instead use burner phones, and don't use them at home or work.

Conclusions

Perfect OPSec is almost impossible. However, implementing basic OPSec practices should become second nature for every researcher. Once you internalize the need to apply OPSec you will be more careful and hopefully avoid rookie mistakes like talking too much and bragging about your research.

The most important things, beyond any tool, are being meticulous, applying the right level of OPSec according to your situation and understanding what you can actually hope to achieve.

This is just a brief introduction to a complex topic, but we hope it could be a useful eye-opener, especially for our fellow security researchers.

Researcher Takes Wraps off Two Undisclosed Shellshock Vulnerabilities in Bash

Threatpost for B2B - Fri, 10/03/2014 - 04:00
Researcher Michal Zalewski published details on two recently discovered Shellshock vulnerabilities in Bash.

Serious Hypervisor Bug Fix Causes Unexpected Cloud Downtime

Threatpost for B2B - Thu, 10/02/2014 - 14:17
A number of cloud service providers like Amazon Web Services and Rackspace had to shut some systems down over the weekend to address a critical Xen security vulnerability.

Release of Attack Code Raises Stakes for USB Security

Threatpost for B2B - Thu, 10/02/2014 - 13:11
Two researchers published attack code exploiting weaknesses in USB similar to the BadUSB research presented at this year's Black Hat conference.

Second Same-Origin Policy Bypass Flaw Haunts Android Browser

Threatpost for B2B - Thu, 10/02/2014 - 09:49
There is another same-origin policy bypass vulnerability in the Android browser in versions prior to 4.4 that allows an attacker to steal data from a user's browser.

Joomla Re-Issues Security Update After Patches Glitch

Threatpost for B2B - Wed, 10/01/2014 - 13:49
A security update for the Joomla content management system was pulled and re-issued after problems with the first set of patches for a remote file inclusion and denial of service vulnerability were discovered.

VMware Begins to Patch Bash Issues Across Product Line

Threatpost for B2B - Wed, 10/01/2014 - 13:43
VMware issued a progress report on fixes for four different types of products as they relate to the Bash vulnerability.

Xsser Trojan Spies on Jailbroken iOS Devices

Threatpost for B2B - Wed, 10/01/2014 - 12:32
An iOS espionage Trojan has been discovered spying on jailbroken Apple devices, primarily used against pro-democracy protestors in Hong Kong.

Schneider Electric Fixes Remotely Exploitable Flaw in 22 Different Products

Threatpost for B2B - Wed, 10/01/2014 - 10:01
There's a remotely exploitable directory traversal vulnerability in more than 20 individual products from Schneider Electric that can enable an attacker to gain control of an affected machine.

DARPA Working on Provably Secure Embedded Software

Threatpost for B2B - Wed, 10/01/2014 - 09:19
DARPA is working on a new kind of software that is provably secure for specific properties.