Feed aggregator

Cost of Doing APT Business Dropping

Threatpost for B2B - Thu, 02/06/2014 - 12:33

PUNTA CANA – The term APT is often used as a generic descriptor for any group, typically presumed to be government-backed and heavily financed, that is seen attacking high-value targets such as government agencies, critical infrastructure and financial systems. But the range of targets APT groups go after is widening, as are the levels of talent and financing these groups possess.

One reason for this evolution is that the amount of money that’s required to get into the APT game is no longer prohibitive. Whereas once an aspiring APT crew might need hundreds of thousands or millions of dollars in backing, depending upon their target list and timeline, now smaller, more agile groups can get in on the action for a fraction of that cost.

“The cost of entry for APT is decreasing,” said Costin Raiu, head of the Global Research and Analysis Team at Kaspersky Lab, in a talk on the threat landscape at the company’s Industry Analyst Summit here Thursday. “We’re going to see more surgical strikes and critical infrastructure attacks.”

One example of this phenomenon is the Icefog group. Discovered last fall, the Icefog attackers targeted a variety of organizations and government agencies in Japan and South Korea and researchers believe the group comprised a small number of highly skilled operators who went after select targets very quickly. Raiu estimated that the Icefog campaign probably required an investment of no more than $10,000. By comparison, he said that the NetTraveler campaign likely cost about $500,000, while Stuxnet was in the range of $100 million.

“Icefog is special because it indicates a new trend of cyber mercenaries, maybe five to ten people that are highly skilled,” Raiu said. “They knew what documents they wanted to steal from each machine and they spent only a few minutes on each machine.”

The massive investment required to create, test and deploy the infamous Stuxnet malware, Raiu said, should not be seen as the ceiling for such APT tools.

“If you’re thinking that’s a lot of money, it’s not,” Raiu said. “It’s the cost of several missiles.”

Missiles, of course, can only be used once; APT tools can be deployed any number of times, and by a wide variety of attackers. It’s often the case that tools written by a high-level group will eventually trickle down through the ranks and be used by less-skilled attackers as time passes. That’s part of the democratization process in the attacker community and it’s only going to accelerate.

Blog: Encrypted Java Archive Trojan bankers from Brazil

Secure List feed for B2B - Thu, 02/06/2014 - 10:44
A new technique is being used by Brazilian cybercriminals: a substitution cipher inside JAR trojan bankers, sent via email and, of course, accompanied by social engineering.

Blog: Largest Website in Sweden Spreading Malicious Code

Secure List feed for B2B - Thu, 02/06/2014 - 06:21
The largest website in Sweden spreads malicious code.

Jeremiah Grossman on His New Role as CEO of WhiteHat Security

Threatpost for B2B - Wed, 02/05/2014 - 15:50

Dennis Fisher talks with Jeremiah Grossman, the new interim CEO of WhiteHat Security, about taking on the new role, how things have changed since he was CEO 10 years ago and what the biggest challenges will be.

http://threatpost.com/files/2014/02/digital_underground_143.mp3


Google Broadens Bounty Program to Include Chrome Extensions

Threatpost for B2B - Wed, 02/05/2014 - 15:18

Google has announced it will retool its bounty program and extend its scope to include Chrome apps and extensions branded as “by Google,” including extensions tied to popular products such as Gmail and Hangouts.

According to a post by Google’s Michal Zalewski and Eduardo Vela Nava on the company’s Online Security blog yesterday, the rewards will depend on the permissions and data each extension handles, and the rewards should range from $500 to $10,000.

The move is being done to make sure efforts to keep the extensions secure are rewarded accordingly, something Google believes is relatively easy, providing the company’s security guidelines are followed.

Chrome extensions such as Google Calendar, Google Dictionary, Speed Tracer and Tag Assistant should also fall under Google’s new bounty program.

The two also used the blog to announce that Google has upped the amount of money it will pay to those who contribute to patches for open source projects.

Google announced the experimental rewards program in October in hopes of garnering more insight from the developer community and as a way to improve its Chrome OS and Chrome browser. The program encourages developers to point out bugs in open source projects that are supplemental to Google such as Apache, OpenSSH, OpenSSL and some parts of the Linux kernel.

Initially the rewards ranged from $500 to $3,133.70.

Now vulnerabilities found in those projects will fetch up to $10,000 for complicated, high-impact improvements, $5,000 for moderately complex patches and between $500 and $1,337 for simple submissions, according to the blog.

These programs continue to be “critical to the health of the internet in recognition of the painstaking work that’s necessary to make a project resilient to attacks,” according to Nava and Zalewski.

Google’s bug bounty programs have become some of the most successful of their kind. Last summer, the Mountain View firm upped the amount of money it paid out for cross-site scripting vulnerabilities and bugs in Chromium. The company also announced last summer that it had paid out $2 million in rewards since the program’s inception, a figure that has almost certainly jumped since then.

Per usual, interested parties can submit vulnerabilities to Google via a form on its website.

Government Agencies Failing at Basic Security Hygiene

Threatpost for B2B - Wed, 02/05/2014 - 15:12

A damning report on the security of government computers paints an unflattering picture of lax or non-existent patching efforts, poor password policies, configuration errors and a general lack of confidence that exposes critical services and systems to attack.

The report, “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure,” was released yesterday by Oklahoma Republican Sen. Tom Coburn, the ranking member of the Homeland Security and Governmental Affairs Committee. Coburn reiterated the risks to financial markets, emergency response and individuals’ information posed by the security issues brought to light in the report, the majority of which can be addressed with basic information security hygiene.

“While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing,” Coburn said.

Coburn pointed the finger at the White House for not holding the agencies accountable for proper cybersecurity policies and enforcement. The report referenced President Obama’s Executive Order, signed one year ago, which promised the government and private sector would collaborate on the directive to secure commercially owned critical infrastructure networks.

“It is appropriate for the White House to envision a federal role in protecting privately-owned infrastructure, particularly when that infrastructure undergirds the nation’s economy and society,” Coburn’s report said. “However, for the country’s citizens and businesses to take the government’s effort seriously, the federal government should address the immediate danger posed by the insecurity of its own critical networks.”

A good amount of ire in the report, which was built off data collected in 40 audits, interviews and reporting on government systems done in a dozen agencies, was reserved for DHS, which in 2010 was tasked with leading the effort to secure government computers.

Despite that responsibility, the White House Office of Management and Budget last year rated DHS below government agency averages for the use of up-to-date antivirus software and other automated detection programs, as well as for a lack of email encryption and security awareness training. It also failed to reach a goal of sending 95 percent of DHS internet traffic through Trusted Internet Connections (TICs), sending only 72 percent.

Two years ago, computers at the National Protection and Programs Directorate (NPPD), which houses DHS cybersecurity, were below proper patching levels and were protected by weak passwords. FEMA and ICE immigration servers had missing patches, and Web applications were also vulnerable to remote attacks. In addition, physical security no-no’s were reported, including passwords found written down on desks, unlocked desks, unlocked laptops, and even credit cards left on desks.

DHS was not alone in its troubles. The Nuclear Regulatory Commission had many of the same password and patching weaknesses, but the report points out a general lack of confidence in NRC’s IT staff. Business owners were buying their own computers and setting up their own networks inside agency offices. Workers were also storing data on nuclear facilities’ cybersecurity programs on unsecured shared drives.

“Just about every aspect of that process appears to be broken at the NRC,” the report said. “Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not.”

Computers at the Internal Revenue Service, which arguably stores the most sensitive information on just about every adult in the United States, are vulnerable to the same weaknesses year after year since 2008, the report said. The General Accounting Office, for example, identified 100 vulnerabilities on IRS machines, including a lack of encryption on data transmitted between offices over the Internet.

The Department of Education, which manages $948 billion in student loans, is vulnerable to remote attack on systems accessible to remote workers. The report also identified lax investigations by the department into reported compromises of accounts; only 17 percent of cases were reviewed. In addition, the department was flagged for weak network monitoring and security to the point where hackers were able to set up a rogue connection on the agency’s network behind the firewall.

The Department of Energy, which suffered two intrusions last year resulting in the theft of personal information on past and present government and contract employees, was another offender. The report cites an audit of Western Area Power Administration which handles power needs for 15 states in the central and western parts of the U.S. All 105 computers tested in the audit lacked proper patching, in addition to having public-facing servers configured with default credentials and poor scanning of systems for vulnerabilities so as not to impact performance of services running on those machines.

The Securities and Exchange Commission was not left out. The report said employees were using personal email accounts, including web-based programs such as Gmail, to send information to and from financial institutions. Laptops storing sensitive information were unencrypted and lacking antivirus software. Laptops belonging to the Trading and Markets team dedicated to cybersecurity contained information on vulnerabilities in exchange computers, as well as networking maps that could have facilitated hacks, the report said.

“The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits,” the report said. “They also appeared to have connected laptops containing sensitive information to unprotected Wi-Fi networks at public locations like hotels—in at least one reported case, at a convention of computer hackers.”

Details Emerge on Latest Adobe Flash Zero-Day Exploit

Threatpost for B2B - Wed, 02/05/2014 - 12:05

Exploits for a newly reported zero-day vulnerability in Adobe’s Flash Player drop a password-grabbing Trojan that targets the email and social media accounts of users and organizations in China, researchers at Kaspersky Lab said today.

The attacks appear to be an isolated campaign and there is no connection between these exploits and a new advanced espionage campaign called The Mask that Kaspersky researchers are expected to unveil next week at the company’s Security Analyst Summit.

Adobe issued an emergency patch for the zero-day yesterday; CVE-2014-0497 allows an exploit to remotely inject code and control the underlying system hosting the vulnerable software. Flash Player 12.0.0.43 and earlier on Windows and Mac systems are affected as is version 11.2.202.335 on Linux.

Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov reported the bug to Adobe after finding a set of new .swf exploits, said Vyacheslav Zakorzhevsky, head of the vulnerability research group at Kaspersky Lab.

Researchers discovered 11 exploits—for Flash versions 11.3.372.94, 11.3.375.10, 11.3.376.12, 11.3.377.15, 11.3.378.5, 11.3.379.14, 11.6.602.167, 11.6.602.180, 11.7.700.169, 11.7.700.202, 11.7.700.224—all of them unpacked .swf files with identical ActionScript code that performs a version check on the victim’s operating system. The exploits work against Flash running on Windows XP, Vista, Windows Server 2003 and 2003 R2, Windows 7 and 7 64-bit, Windows Server 2008 R2, Windows 8 and Windows 8 64-bit, and Mac OS X 10.6.8.

Once the OS check is done, the malware assembles a return-oriented programming (ROP) chain depending on the version of Windows and Flash that is installed. Shellcode specific to the OS version is then generated and the exploit executes, Zakorzhevsky said.

It appears the attacks start with phishing emails in which the victims are sent infected .docx documents that contain an embedded Flash video, Zakorzhevsky said.

“When a document is opened, an embedded flash exploit drops and starts an easy downloader to the disk, which downloads a fully featured backdoor and a Trojan,” Zakorzhevsky said. “Afterwards, the program steals passwords from popular email clients and grabs logins and passwords from Web forms of popular social media and email services.”
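The delivery chain described above, a .docx attachment carrying an embedded Flash object, can be checked for at the mail gateway without opening the document in Word. The following Go program is an added example, not code from Kaspersky Lab or Adobe: it treats the .docx as the OOXML zip container it is, reads every part, and flags any part whose bytes carry an SWF header (FWS, CWS or ZWS), whether the Flash file is stored as plain media or wrapped inside an OLE object. The sample documents, their part names and their contents are constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// swfMagics are the three-byte headers of uncompressed (FWS), zlib-compressed
// (CWS) and LZMA-compressed (ZWS) Flash files.
var swfMagics = []string{"FWS", "CWS", "ZWS"}

// looksLikeSWF reports whether data contains an SWF header at some offset.
// The byte after the magic is the SWF version; requiring it to be small
// avoids matching the letters "CWS" inside ordinary XML text.
func looksLikeSWF(data []byte) bool {
	for _, magic := range swfMagics {
		for off := 0; off+4 <= len(data); {
			i := bytes.Index(data[off:], []byte(magic))
			if i < 0 {
				break
			}
			i += off
			if i+3 < len(data) && data[i+3] >= 1 && data[i+3] <= 40 {
				return true
			}
			off = i + 1
		}
	}
	return false
}

// FindEmbeddedSWF opens an OOXML (.docx) container and returns the names of
// parts that carry a Flash file. Every part is scanned, not just the ones
// whose names suggest media: a scanner that trusts names is easy to sidestep.
func FindEmbeddedSWF(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		if looksLikeSWF(data) {
			hits = append(hits, f.Name)
		}
	}
	return hits, nil
}

// buildDocx assembles a minimal .docx in memory; parts maps entry name to body.
func buildDocx(parts map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write(body)
	}
	zw.Close()
	return buf.Bytes()
}

// SampleDocxWithFlash is a constructed document whose media part starts with
// an uncompressed SWF header (version 10), as a malicious attachment would.
func SampleDocxWithFlash() []byte {
	swf := append([]byte("FWS\x0a"), make([]byte, 16)...) // magic, version, padding
	return buildDocx(map[string][]byte{
		"[Content_Types].xml":  []byte(`<?xml version="1.0"?><Types/>`),
		"word/document.xml":    []byte(`<w:document><w:t>CWS. Plain text, not Flash</w:t></w:document>`),
		"word/media/movie.swf": swf,
	})
}

// SampleCleanDocx has the same structure but no Flash part.
func SampleCleanDocx() []byte {
	return buildDocx(map[string][]byte{
		"[Content_Types].xml": []byte(`<?xml version="1.0"?><Types/>`),
		"word/document.xml":   []byte(`<w:document><w:body/></w:document>`),
	})
}

func main() {
	hits, err := FindEmbeddedSWF(SampleDocxWithFlash())
	if err != nil {
		panic(err)
	}
	fmt.Println("parts containing Flash:", strings.Join(hits, ", "))
}
```

A hit is a reason to quarantine the message for analysis, not proof of exploitation: legitimate documents can embed Flash too, but in a mail stream that is rare enough to be worth a human look.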

Kaspersky could not confirm whether these were targeted attacks, but it is likely. The malicious .docx and Flash files have titles written in Korean and were found on three computers, one in an email attachment opened on a Mac OS X machine, and two in the browser cache of a Windows 7 machine, likely also after the victim opened an email. The browser used on the Windows machine was Chinese, SogouExplorer, and the Mac mailbox was hosted on 163[.]com, a Chinese web-based email provider.

Researchers were able to find only one exploit containing executable files, a downloader, Trojan-Downloader.Win32.Agent.hdzh, encrypted with Microsoft CryptoAPI and hosted on a free hosting service bugs3[.]com. The executables included password stealers for email clients and social media sites including Google, Yahoo, Twitter, Facebook and many others. The backdoor, Backdoor.Win32.Agent.dfdq, connects to one of three command and control servers: sales[.]eu5[.]org; www[.]mobilitysvc[.]com; and javaupdate[.]flashserve[.]net.

Zakorzhevsky said the campaign is ongoing and that researchers have not been able to view documents being sent to the command and control server. Zakorzhevsky said this is likely an isolated campaign and Kaspersky Lab researchers have not been able to link the malicious Word or Flash files to an existing botnet.

There is also no link to the Mask campaign, researchers said. A post on the Securelist blog this week said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild.

“The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products,” the blog post said.

Adobe, meanwhile, urges its customers to update Flash immediately because of the active exploits. A complete rundown of updates in the Adobe advisory:

  • Users of Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 12.0.0.44.
  • Users of Adobe Flash Player 11.2.202.335 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.336.
  • Adobe Flash Player 12.0.0.41 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 12.0.0.44 for Windows, Macintosh and Linux.
  • Adobe Flash Player 12.0.0.38 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.0.
  • Adobe Flash Player 12.0.0.38 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.1.


Blog: CVE-2014-0497 – a 0-day vulnerability

Secure List feed for B2B - Wed, 02/05/2014 - 11:15

A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited.

Blog: Big box LatAm hack (3rd part – infection by Office files)

Secure List feed for B2B - Tue, 02/04/2014 - 20:21
Cybercriminals from Latin America infect victims via macro-enabled Microsoft Office documents. One such document, when found in the wild, had a VirusTotal detection rate of 0 out of 48!

Tech Giants Update Transparency Reports with FISA Request Numbers

Threatpost for B2B - Tue, 02/04/2014 - 16:34

Google, Microsoft, Facebook, Yahoo and LinkedIn wasted little time in disclosing what they could about requests for customer data made under the secret Foreign Intelligence Surveillance Act.

One week after the Justice Department eased a gag order on reporting of FISA requests, the five tech giants and advocates for greater transparency yesterday published data for the first six months of 2013.

The respective transparency reports are something of a victory for the companies, which banded together for much of last year filing lawsuits and signing petitions asking the government to allow them greater transparency on reporting requests for data involving national security. Apple and CloudFlare had already updated their transparency reports last week, the same day as the Justice Department’s ruling.

The government finally conceded last week after months of negotiating, giving companies two reporting options. In return, the companies agreed to drop their suits.

The first option brings FISA reporting in line with reporting of National Security Letters: companies will be able to report the number of FISA orders for content and for non-content, as well as the number of customer accounts affected by each, in bands of 1,000 requests. The reporting restrictions around National Security Letters were eased last summer and companies are allowed to similarly bundle their reporting.

Reports may be published every six months, however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.

The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.

The companies cried out about the limited reporting options afforded them by the government.

“We were not, for example, permitted to break down the data between conventional law enforcement requests and those related to national security, or indeed even to acknowledge that we had received certain types of national-security related requests at all,” said Facebook general counsel Colin Stretch.

In general, the number of requests reported today involves a tiny percentage of the companies’ respective customers, and the firms hope the updated transparency reports dispel the notion that they may have been secretly cooperating with the government by providing it data on customers’ activity.

“While our customers number hundreds of millions, the accounts affected by these orders barely reach into the tens of thousands. This obviously means that only a fraction of a percent of our users are affected by these orders,” said Microsoft general counsel Brad Smith. “In short, this means that we have not received the type of bulk data requests that are commonly discussed publicly regarding telephone records. This is a point we’ve publicly been making in a generalized way since last summer, and it’s good finally to have the ability to share concrete data.”

The requests made to each company generally fall within 0-999 for content and non-content requests, as well as National Security Letters. Yahoo, however, is an outlier. The company was the laggard among tech giants in turning on SSL encryption by default last month on its web-based email service. The lag is noteworthy for Yahoo, which is more than three years behind Google’s default implementation of SSL for Gmail. Users of Microsoft’s Outlook.com webmail service have had SSL enabled by default since July 2012 while Facebook made it the default last February.

Experts were quick to criticize Yahoo’s lax encryption implementation for its customers, especially in light of the surveillance carried out by the National Security Agency. SSL, the experts said, should be considered a minimum standard and that other technologies such as Perfect Forward Secrecy and HTTP Strict Transport Security should be implemented as well. Sites and services such as Dropbox, Facebook and Twitter already implement both or plan to in 2014 according to the Electronic Frontier Foundation’s 2013 Encrypt the Web report.

A company-by-company breakdown of requests for the first half of 2013 is as follows:

  • Microsoft:  FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 15,000-15,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters non-content orders 0-999; accounts impacted by National Security Letters non-content orders 0-999.
  • Yahoo: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 30,000-30,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters requests 0-999; accounts impacted by National Security Letters requests 0-999.
  • Facebook: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 4,000-4,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters requests 0-999; accounts impacted by National Security Letters requests 0-999.
  • LinkedIn: National Security Letters requests 0-249; accounts impacted by National Security Letter requests 0-249.
  • Google: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 9,000-9,999; FISA non-content requests 0-999; accounts impacted by FISA non-content orders 0-999.

PNG Image Metadata Leading to iFrame Injections

Threatpost for B2B - Tue, 02/04/2014 - 16:25

Researchers have discovered a relatively new way to distribute malware that relies on reading JavaScript code stored in an obfuscated PNG file’s metadata to trigger iFrame injections.

The technique makes it highly unlikely a virus scanner would catch it because the injection method is so deeply ingrained in the image’s metadata.

Peter Gramantik, a malware researcher at Sucuri, described his findings in a blog post Monday.

This particular iFrame calls upon a simple JavaScript file, jquery.js (below) that loads a PNG file, dron.png. Gramantik notes that while there was nothing overly odd with the file – it was a basic image file – what did catch him off guard was stumbling upon a decoding loop in the JavaScript. It’s in this code, in this case the strData variable, that he found the meat and potatoes of the attack.

The iFrame calls upon the image’s metadata to do its dirty work, placing it outside of the browser’s normal viewing area, off the screen entirely at -1000px, according to Gramantik. While users can’t see the iFrame, “the browser itself sees it and so does Google,” something that if exploited could potentially lead to either a drive-by download attack or a search engine poisoning attack.

The payload can be seen in the elm.src part (above) of the data: A suspicious-looking, Russian website that according to a Google Safe Browsing advisory is hosting two Trojans and has infected 1,000-plus domains over the last 90 days.

The strategy isn’t exactly new; Mario Heiderich, a researcher and pen tester at the German firm Cure53, warned that image binaries in JavaScript could be used to hide malicious payloads in his “JavaScript from Hell” con talk back in 2009.

Similarly, Saumil Shah, the CEO at Net-Square described how to embed exploits in grayscale images by inserting code into pixel data in his talk, “Deadly Pixels” at NoSuchCon in Paris last year and at DeepSec in Vienna the year before that.

Still, it appears Gramantik’s research might be the most thoroughly worked-out example of this attack vector to date.

Regardless of how new or old the concept is, Gramantik stresses that it could still be refined and extended to other image formats. For that reason, he recommends that IT administrators keep a closer eye on which files are being added and modified on their servers.

“Most scanners today will not decode the meta in the image, they would stop at the JavaScript that is being loaded, but they won’t follow the cookie trail,” Gramantik warns in the blog.
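Decoding the metadata is exactly what a file-integrity check on a web server can do that a signature scanner typically does not. The following Go program is an added example and not code from Sucuri or the original post: it walks the PNG chunk stream, verifies each chunk CRC, and reports any uncompressed tEXt chunk whose payload contains script-like tokens (an iframe, DOM calls, the -1000px offscreen trick). The sample image, its chunk contents and the marker list are constructed for this example; zTXt and iTXt chunks would need zlib decompression first and are deliberately left out.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"strings"
)

var pngSignature = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// Chunk is one PNG chunk: a four-letter type and its raw data.
type Chunk struct {
	Type string
	Data []byte
}

// ParseChunks walks the PNG chunk stream and verifies each chunk's CRC
// (computed over type and data). Pixel data is never decoded; the goal is
// only to reach the metadata chunks.
func ParseChunks(png []byte) ([]Chunk, error) {
	if !bytes.HasPrefix(png, pngSignature) {
		return nil, errors.New("not a PNG: bad signature")
	}
	var chunks []Chunk
	pos := len(pngSignature)
	for pos+12 <= len(png) {
		length := int(binary.BigEndian.Uint32(png[pos:]))
		if pos+12+length > len(png) {
			return nil, errors.New("truncated chunk")
		}
		typ := string(png[pos+4 : pos+8])
		data := png[pos+8 : pos+8+length]
		want := binary.BigEndian.Uint32(png[pos+8+length:])
		if crc32.ChecksumIEEE(png[pos+4:pos+8+length]) != want {
			return nil, fmt.Errorf("CRC mismatch in %s chunk", typ)
		}
		chunks = append(chunks, Chunk{Type: typ, Data: data})
		pos += 12 + length
		if typ == "IEND" {
			break
		}
	}
	return chunks, nil
}

// scriptMarkers are substrings that have no business in an image caption.
var scriptMarkers = []string{"<iframe", "createElement", "document.", "eval(", "-1000px", "fromCharCode"}

// SuspiciousText returns "keyword: text" for every tEXt chunk that looks like script.
func SuspiciousText(chunks []Chunk) []string {
	var hits []string
	for _, c := range chunks {
		if c.Type != "tEXt" {
			continue
		}
		kw, text, _ := bytes.Cut(c.Data, []byte{0}) // tEXt is keyword, NUL, text
		for _, m := range scriptMarkers {
			if strings.Contains(string(text), m) {
				hits = append(hits, string(kw)+": "+string(text))
				break
			}
		}
	}
	return hits
}

// buildChunk assembles a chunk with a correct CRC (used only to build the sample).
func buildChunk(typ string, data []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(len(data)))
	b.WriteString(typ)
	b.Write(data)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(append([]byte(typ), data...)))
	return b.Bytes()
}

// SamplePNG is a constructed 1x1 RGBA PNG whose second tEXt chunk carries
// script, mimicking the dron.png technique. No IDAT chunk is included; a
// metadata scanner does not need one.
func SamplePNG() []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:], 1) // width
	binary.BigEndian.PutUint32(ihdr[4:], 1) // height
	ihdr[8], ihdr[9] = 8, 6                 // bit depth 8, colour type RGBA
	payload := "var elm=document.createElement('iframe');elm.style.left='-1000px';"
	var png bytes.Buffer
	png.Write(pngSignature)
	png.Write(buildChunk("IHDR", ihdr))
	png.Write(buildChunk("tEXt", []byte("Comment\x00An ordinary caption")))
	png.Write(buildChunk("tEXt", []byte("Software\x00"+payload)))
	png.Write(buildChunk("IEND", nil))
	return png.Bytes()
}

func main() {
	chunks, err := ParseChunks(SamplePNG())
	if err != nil {
		panic(err)
	}
	for _, h := range SuspiciousText(chunks) {
		fmt.Println("suspicious metadata:", h)
	}
}
```

Run over every image under the web root on a schedule and diff the results against the previous run; a tEXt chunk that newly appears in an image nobody re-uploaded is the kind of change the post says administrators should be watching for.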

Steganography, the science of hiding messages, often by concealing them in image and media files, has been used in several high-profile attacks in the past. The actors behind the MiniDuke campaign in 2013 used it to hide custom backdoor code, while Shady RAT was found in 2011 encoding encrypted HTML commands into images to obscure its activity.

Emergency Adobe Update Patches Flash Zero-Day

Threatpost for B2B - Tue, 02/04/2014 - 15:21

Adobe today released an out-of-band security update for Flash Player that patches a vulnerability the company said is currently being exploited.

Adobe Flash Player version 12.0.0.43 and earlier for Windows and Mac are affected, as are 11.2.202.335 and earlier on Linux.

The vulnerability, CVE-2014-0497, allows an attacker to remotely inject code and take control of the underlying system hosting Flash.

A complete rundown of updates in the Adobe advisory:

  • Users of Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 12.0.0.44.
  • Users of Adobe Flash Player 11.2.202.335 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.336.
  • Adobe Flash Player 12.0.0.41 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 12.0.0.44 for Windows, Macintosh and Linux.
  • Adobe Flash Player 12.0.0.38 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.0.
  • Adobe Flash Player 12.0.0.38 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.1.

The vulnerability was reported by Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov.

Researchers from the company’s Global Research and Analysis Team yesterday said details on a new advanced espionage campaign called The Mask will be unveiled next week at the company’s Security Analyst Summit. A post on the Securelist blog said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild.

“The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products,” the blog post said.

Facebook Releases to Open Source its Conceal Android Crypto Library

Threatpost for B2B - Tue, 02/04/2014 - 13:25

Facebook has released to open source its Conceal Java crypto libraries for Android devices.

Conceal, according to Facebook, offers developers a lightweight and efficient crypto library. The social media giant developed Conceal to handle encryption of storage on removable SD cards, something that has a negative performance impact on mobile devices, the company said. It also isn’t the ideal security solution because Android treats SD cards as a publicly accessible directory that any mobile app can read if granted appropriate permissions.

“We saw an opportunity to do things better and decided to encrypt the private data that we stored on the SD card so that it would not be accessible to other apps,” Facebook said in a post. “We created Conceal to be small and faster than existing Java crypto libraries on Android while using memory responsibly.”

Conceal, however, isn’t flexible. It offers developers only default options, rather than the gamut of encryption algorithms other libraries provide.

“We think this makes sense because encryption can be very tricky to get right,” Facebook said.

Developers will see that Conceal has been released under a BSD license that allows it to be modified. Facebook has built Conceal using parts of the OpenSSL crypto library to keep the file sizes down to a minimum, rather than shipping the whole OpenSSL library.

“We believe providing a smaller library will reduce the friction of adopting state of the art encryption algorithms, make it easier to handle different Android platform versions, and enable us to quickly incorporate fixes for any security vulnerabilities in OpenSSL as well,” Facebook said.

“As is true with many crypto libraries, higher-level wrappers that can offer sane cipher suites and modes are extremely valuable to the developer community,” said Jon Oberheide, CTO at Duo Security. “Developers aren’t (and shouldn’t be) experts in cryptography, so preventing them from shooting themselves in the foot with libraries like Conceal is a very welcome development and boost for mobile app security.”

Conceal uses a mode of operation of the AES encryption standard known as AES-GCM which, in addition to encrypting data, simultaneously computes a message authentication code (MAC) over it. Android devices are limited in capability by their hardware, making separate AES and MAC computation inefficient, Facebook said; the common alternative is to encrypt the data with AES and then compute a MAC over it with a separate algorithm such as HMAC.

“We found that computing an HMAC takes significant time in the encryption of data,” Facebook said in explaining its decision to go with AES-GCM.

Facebook said that this abstraction also gets around known vulnerabilities in the Android random number generator.

“Specifically, Conceal provides default implementations of key management and stores the key in private SharedPreferences by default,” Facebook said. “It also performs authenticated versioning of the encryption libraries so that if we change the encryption algorithms we use in the future, we can retain both compatibility with previously encrypted data and resistance against cross version attacks.”
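The two ideas in the passages above, a single AES-GCM pass that both encrypts and authenticates, and an authenticated version tag that lets the format evolve without enabling cross-version attacks, fit in one short program. The Go code below is an added example and not Conceal’s own code or wire format: it assumes an envelope of one version byte, a 12-byte random nonce and the GCM ciphertext with its 16-byte tag, and binds the version byte into the tag as associated data so it stays readable but cannot be altered. The all-zero key in main and the test is constructed for demonstration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope layout (an assumption for this example, not Conceal's format):
//   [1-byte format version][12-byte nonce][ciphertext || 16-byte GCM tag]
// The version byte is passed to GCM as associated data: a reader can see it
// to pick the right algorithm, but changing it breaks the tag.
const (
	formatVersion byte = 1
	nonceSize          = 12
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and computes the tag in a single AES-GCM pass,
// rather than AES followed by a separate HMAC over the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := []byte{formatVersion}
	out := make([]byte, 0, 1+nonceSize+len(plaintext)+aead.Overhead())
	out = append(out, header...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, header), nil
}

// Open verifies the tag over version byte and ciphertext, then decrypts.
// A flipped bit anywhere in the envelope yields an error, never garbage.
func Open(key, envelope []byte) ([]byte, error) {
	if len(envelope) < 1+nonceSize+16 {
		return nil, errors.New("envelope too short")
	}
	header := envelope[:1]
	nonce := envelope[1 : 1+nonceSize]
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, nonce, envelope[1+nonceSize:], header)
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	if header[0] != formatVersion { // a genuinely different version sealed under this key
		return nil, fmt.Errorf("unsupported format version %d", header[0])
	}
	return plaintext, nil
}

// TamperDemo seals a message, then flips one bit in each region of the
// envelope (version byte, ciphertext, tag) and reports whether Open rejected it.
func TamperDemo(key []byte) (versionRejected, ciphertextRejected, tagRejected bool, err error) {
	env, err := Seal(key, []byte("constructed sample: session token"))
	if err != nil {
		return
	}
	try := func(offset int) bool {
		bad := append([]byte(nil), env...)
		bad[offset] ^= 0x01
		_, e := Open(key, bad)
		return e != nil
	}
	versionRejected = try(0)
	ciphertextRejected = try(1 + nonceSize)
	tagRejected = try(len(env) - 1)
	return
}

func main() {
	key := make([]byte, 32) // constructed all-zero key, for demonstration only
	env, _ := Seal(key, []byte("hello"))
	fmt.Printf("envelope: %d bytes = 1 version + %d nonce + %d ciphertext+tag\n",
		len(env), nonceSize, len(env)-1-nonceSize)
	v, c, t, err := TamperDemo(key)
	fmt.Println("version flip rejected:", v, "ciphertext flip rejected:", c, "tag flip rejected:", t, err)
}
```

The version byte is the interesting part: it is not encrypted, so an old reader can still recognise the format, yet because it is associated data an attacker cannot rewrite a new-format blob to claim an older, weaker algorithm without the tag check failing. The nonce must never repeat under one key; a fresh random nonce per message is the simplest way to guarantee that at this scale.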

Chrome Web Store Beset by Spammy Extensions

Threatpost for B2B - Tue, 02/04/2014 - 12:57

UPDATE: Twelve seemingly legitimate Chrome browser extensions installed by more than 180,000 users are injecting advertisements on 44 popular websites.

According to a Barracuda Labs report, the extensions can be found in the official Chrome Web Store. They advertise themselves and operate as games but also require permission to access “your data on all websites,” so that they can inject advertisements into the user’s browser on any website that person visits. All of the allegedly spammy extensions are registered to the same developer organization: www.konplayer[.]com.

Threatpost attempted to reach out to the people responsible for developing the extensions but was not able to. It appears that some of Konplayer’s extensions have been removed from the Chrome Web Store.

You can see a list of affected websites in the following graphic:

The malicious JavaScript responsible for injecting advertisements isn’t contained directly within the extensions themselves. Instead, the extensions contain a reference URL to www[.]chromeadserver[.]com, which contains the malicious JavaScript. As Barracuda Labs research scientist Jason Ding notes, that domain is made to appear as if it is owned and operated by Google but, of course, it is not.

Barracuda Labs then downloaded and decoded the JavaScript hosted at the URL referenced above. At first the code seemed benign, but a closer examination revealed that it was responsible for injecting banner advertisements into empty spaces in various positions on popular websites visited by users who had installed one of the spam extensions.

In an interview with Threatpost, Ding explained that the permissions sought by these extensions are unnecessary considering the actual purpose of the extensions. Furthermore, the extensions constitute a violation of Google’s terms of service because they mislead users about their purpose. Unfortunately, Ding claims, Google does not have a good way of policing for spam in its Web Store.

“If an extension advertises itself as a game, it should NOT ask for any extra permissions,” Ding told Threatpost. “In most cases, it only needs to redirect users to the targeted game websites (which have the game or more games). Or it can ask for the permission for a specific website that the game was hosted at, not the permission ‘Access to data on all websites’.”

Ding continued:

“Some other extensions do need the ‘Access to data on all websites’ permission, such as the Ads Block extension: of course, it needs such permission, so it can remove ads (html elements) for all the websites you are browsing.”

The code used by these extensions is similar to the code used by a group of scammers examined in a prior report issued by Barracuda Labs. Ding believes that the group responsible for Konplayer[.]com is the same group that once distributed its malicious extensions from Playook.info.

The graph below contains the names of the allegedly malicious extensions:

Blog: Abused update of GOM Player poses a threat

Secure List feed for B2B - Tue, 02/04/2014 - 10:58

Several media outlets reported on January 7th, 2014, that a PC associated with “Monju” (the fast breeder reactor of the Japan Atomic Energy Agency) was infected by malware and that there was suspicion of an information leak. Some pointed out that the infection had possibly been caused by abuse of the legitimate update mechanism of "GOM Player", which made it big news. GOM Player is a free media player with popular video/audio codecs built in, favored by many Japanese users. It differs from similar free media players in some notable respects: it supports major file formats such as AVI, DAT, DivX, MPEG and WMV, to name just some, and it officially ships a Japanese version. It is said to have more than 6 million users in Japan.

GameOver Zeus Now Using Encryption to Bypass Detection

Threatpost for B2B - Mon, 02/03/2014 - 18:28

Cybercriminals have begun to tweak the way the GameOver Zeus Trojan is being delivered to users’ machines, making it easier for the banking malware to evade detection and steal victims’ credentials.

To get the job done, GameOver Zeus has been working in tandem with another piece of malware, Upatre.

For about a week now criminals have been changing the .exe files Upatre downloads to non-executable .enc files. According to a computer forensics expert, this is how the malware, which spreads via spam e-mails and malicious attachments, can avoid being spotted by firewalls, Web filters and other security defenses.

Gary Warner, a director of research in computer forensics at the University of Alabama at Birmingham posted about the trick and included a handful of spam email examples on his Cybercrime & Doing Time blog yesterday.

The file, while encrypted, can still be executed after a user opens a .zip file (found in spam e-mail attachments), which initiates a domino effect that ends with the GameOver Zeus file being downloaded.

The .zip file’s contents download the .enc file from the internet and decrypt it, “placing it in a new location with a new file name, and then causing it both to execute and to be scheduled to execute in the future,” Warner says.

As .enc files aren’t inherently malicious, none of the 50 security programs at VirusTotal, Google’s free detection service, currently flags attachments carrying them as malicious.

Warner noticed the trend when a colleague, Brendan Griffin, a malware analyst at the firm Malcovery, sent along a series of spam messages spreading the malware, some purporting to come from the Better Business Bureau, Skype and the IRS, among other agencies.

The behavior has been happening consistently since that time and Warner is stressing that both spam campaigns, GameOver and Upatre, are still very much related and are still being powered by the Cutwail botnet.

Spam emails spreading Gameover, a variant of the Zeus malware, have been making the rounds for two years or so. The FBI initially sounded the alarm over bogus emails from the FDIC and NACHA carrying it in 2012, and shortly thereafter the Trojan leveraged the Cutwail botnet to spread the spam messages further.

According to Boldizsár Bencsáth, a researcher at Hungary’s CrySys Lab who assisted with Warner’s research, technically the .enc file is the executable compressed and then XOR’ed with a 32-bit key; Upatre reverses the process, in turn recreating the .exe file.

Upatre is the malware that popped up last year and was studied extensively by Microsoft and Dell’s SecureWorks. The malware is basically used to download other malware, and like GameOver, is also primarily spread via spam.

Bencsáth notes on CrySys’s blog that while the droppers sent out via spam emails are small, he was able to find a small (5k) downloader that can connect to a server, download the .enc file, decrypt, decompress and execute it, resulting in GameOver.
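As an added example, not code from Warner’s or CrySys’s write-ups, here is an analyst-side decoder in Go for a file wrapped the way Bencsáth describes, with a constructed fixture builder so it runs offline. It assumes zlib (DEFLATE) compression at the default level and a big-endian repeating key, neither of which the article specifies, and it goes one step beyond the text by recovering an unknown key: the fixed zlib header bytes are known plaintext for half of a 32-bit XOR key, which is why such wrapping hinders scanners but not an analyst.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"errors"
	"io"
)

func xor32(data []byte, key uint32) []byte { // repeating 4-byte key, big-endian byte order assumed
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ byte(key>>(24-8*uint(i%4)))
	}
	return out
}

// DecodeEnc undoes the XOR, inflates (zlib assumed; the article names no compressor) and requires the PE "MZ" magic.
func DecodeEnc(enc []byte, key uint32) ([]byte, error) {
	r, err := zlib.NewReader(bytes.NewReader(xor32(enc, key)))
	if err != nil {
		return nil, err
	}
	if pe, err := io.ReadAll(r); err == nil && bytes.HasPrefix(pe, []byte("MZ")) {
		return pe, nil
	}
	return nil, errors.New("not a valid PE under this key")
}

// RecoverKey brute-forces an unknown key: zlib header bytes 0x78 0x9C (default level assumed) leak the top 16 key bits.
func RecoverKey(enc []byte) (uint32, error) {
	if len(enc) < 2 {
		return 0, errors.New("sample too short")
	}
	hi := uint32(enc[0]^0x78)<<24 | uint32(enc[1]^0x9C)<<16
	for lo := uint32(0); lo < 1<<16; lo++ {
		if _, err := DecodeEnc(enc, hi|lo); err == nil {
			return hi | lo, nil
		}
	}
	return 0, errors.New("no key yields a PE image")
}

func MakeEncFixture(pe []byte, key uint32) []byte { // builds a constructed sample, test use only
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	w.Write(pe)
	w.Close()
	return xor32(buf.Bytes(), key)
}
```

The remaining 16 bits are searched by trial decompression; the adler32 checksum in the zlib trailer plus the "MZ" check rule out wrong candidates.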

In addition to Bencsáth, Warner also gives a tip of the hat to GoDaddy’s William MacArthur and Dell SecureWorks’ Brett Stone-Gross, who also assisted in the research.

Last fall, Microsoft noticed the Cutwail botnet distributing Upatre malware via spam and through exploit kits targeting Java and PDF vulnerabilities to the tune of over one million reported infections, a colossal spike over statistics from prior months.

Pwn2Own Paying $150,000 Grand Prize for Microsoft EMET Bypass

Threatpost for B2B - Mon, 02/03/2014 - 13:53

Microsoft has not been shy in the past nine months about advising users to install and use its Enhanced Mitigation Experience Toolkit (EMET) as a temporary mitigation until zero-day vulnerabilities are patched.

Experts have advised enterprises and smaller organizations to deploy EMET as a proactive security measure; Microsoft has recommended it in a number of recent attacks, including an XP zero-day and another previously unreported vulnerability in Internet Explorer that was abused in watering hole attacks against a number of NGOs.

The tables, however, are about to be turned on EMET. At the upcoming CanSecWest Conference, the popular Pwn2Own contest will include a competition that will test the mettle of EMET. Contest sponsor HP announced late last week a $150,000 grand prize for anyone able to bypass the EMET mitigations on a Windows 8.1 machine running Internet Explorer 11.

“We’re hunting the Exploit Unicorn – not because we think there are a lot of researchers out there who can capture it, but because we think there aren’t,” said HP senior security content developer Angela Gunn.

EMET is a mitigation technology that puts up obstacles hackers must hurdle in order to exploit a vulnerability, by forcing applications to use existing mitigations native to Windows such as ASLR and DEP. Recently, Microsoft added a certificate pinning feature called Certificate Trust to EMET 4.0 that wards off man-in-the-middle attacks, along with mitigations that address return-oriented programming.

“With EMET carrying that kind of burden of protection, researchers are getting more interested in testing its limits, and our grand prize reflects that,” Gunn said. “We may not have any successful contestants, but security researchers thrive on insanely difficult challenges; we’re excited to provide one.”

Gunn said in order for contestants to win the grand prize, in addition to breaking EMET, they must break out of the sandbox in Internet Explorer, then locate new vulnerabilities in Windows to view system information, change data, and control its behavior before moving on to EMET.

In 2012, a researcher beat EMET with a pair of techniques; the mitigation bypass was one of the finalists in the first BlueHat Prize, a competition sponsored by Microsoft to encourage researchers to attack a defensive technology rather than beat a vulnerability brought on by poor coding.

The first BlueHat Prize of $200,000 was paid out at the 2012 Black Hat Briefings to Vasilis Pappas for his kBouncer ROP mitigation technology, which beat out two other ROP submissions. Pappas’ kBouncer technology uses the kernel to enforce restrictions on what processes can do, and prevents anything that looks like return-oriented programming from running.

Last October, Microsoft paid out a $100,000 prize to British researcher James Forshaw for a bypass of Windows memory protections, the second major bounty coming out of Redmond for a mitigation bypass.

The Exploit Unicorn is just one phase of the Pwn2Own contest. HP’s Zero Day Initiative announced the rules and prizes last week, revealing there will be three divisions for the competition: browsers, plug-ins and the grand prize.

Payouts in the browser competition are: $100,000 for Google Chrome on Windows 8.1, 64-bit, and Microsoft Internet Explorer 11 on Windows 8.1 64-bit; $65,000 for Apple Safari on OS X Mavericks; and $50,000 for Mozilla Firefox on Windows 8.1 64-bit.

In the plug-ins competition: payouts are $75,000 for Adobe Reader running in Internet Explorer 11 on Windows 8.1 64-bit and Adobe Flash running in Internet Explorer 11 on Windows 8.1 64-bit; and $30,000 for Oracle Java running in Internet Explorer 11 on Windows 8.1 64-bit.

Chrome Pop-Up to Warn Windows Users of Browser Hijacking

Threatpost for B2B - Mon, 02/03/2014 - 12:13

A rising number of online scams involve the modification of browser settings where a hacker spikes a free download or website with malware. The end result is generally a click-fraud scheme of some kind where the new browser settings might include spiked search engine pages or a new home page enticing the user to click on a link where the attacker would profit from the click.

Google says hijacked settings are Chrome users’ No. 1 complaint, and late last week it enhanced an existing feature in the browser to get a little more in your face about fending off hijacking attempts.

Vice president of engineering Linus Upson said from now on, Windows users will be prompted via a dialog box that appears if Chrome settings have been changed. The warning will ask users if they would like to reset their Chrome settings to their original default.

“You should always be in charge of your own Chrome settings,” Upson said.

The up-front warning is an extension to a feature Google added to Chrome in October which buried the reset option on a settings page.

Google explained in October that its motivation for the reset option was an increase in malware being bundled with software such as video plug-ins, toolbars, or even in more serious instances, alleged security updates.

“These malicious programs disguise themselves so you won’t know they’re there and they may change your homepage or inject ads into the sites you browse,” Upson wrote in October. “Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state.”

The reset button was originally placed in the Advanced Settings section of the Chrome settings and was part of a Halloween day update to the browser.

Upson said, however, that users in Google help forums and other feedback mechanisms were complaining that the problem was not abating. The main problem, Upson said last week, was the persistence of these attacks.

“Some hijackers are especially pernicious and have left behind processes that are meant to undermine user control of settings,” Upson said. “So you may find that you’re hijacked again after a short period of time.”

While restoration of Chrome settings to essentially factory defaults will wipe away the malicious entries placed there by the hacker, it will also disable any desired customizations. Extensions, apps and themes a user may have installed on Chrome will be deactivated. They are not uninstalled, however, and can be re-enabled via the Chrome menu under Tools and Extensions, Upson said.
