Feed aggregator

Threatpost News Wrap, September 5, 2014

Threatpost for B2B - Fri, 09/05/2014 - 11:05
Dennis Fisher and Mike Mimoso discuss the Apple iCloud mess, extending its 2FA system to the cloud, and the fallout from the possible Home Depot data breach.

Apple Plans to Extend 2FA to iCloud

Threatpost for B2B - Fri, 09/05/2014 - 09:34
In the wake of the iCloud photo theft scandal, Apple’s CEO said the company plans to extend its two-factor authentication system to logins to the iCloud service from mobile device. The change will come when iOS 8.0 comes out later this month. The change will give users the option of enabling a second layer of authentication […]

Gaps in corporate network security: ad networks

Secure List feed for B2B - Fri, 09/05/2014 - 08:42

'Malvertising' is a relatively new term for a technique used to distribute malware via advertising networks, which have long since become a popular medium among cybercriminals. In the past four years, hundreds of millions of users have fallen victim to 'viral' advertising, including visitors to major media sites, such as NY Times, London Stock Exchange, Spotify, USNews, TheOnion, Yahoo!, and YouTube. The complicated situation with ad networks even prompted the United States Senate Permanent Subcommittee on Investigations to conduct an in-depth inquiry, which produced recommendations on stepping up security and increasing the responsibilities of advertising platform owners.

At the turn of the year 2.5 million Yahoo users were attacked. Soon after the incident, a company called Fox IT published a detailed analysis of the attack. Curiously, according to Fox IT, not all Yahoo! users were affected by the attack – only residents of European countries, primarily Romania, the UK and France. Fox IT analysts believe that the attackers probably used targeted advertising mechanisms, i.e., they paid for 'impressions' served to a certain audience from the countries mentioned above. Here is an illustration of how attacks are conducted via ad networks: an overall attack organization diagram (on the left-hand side) and a specific example of the attack against Yahoo! users (on the right-hand side).

In the past, we have written about targeted attacks conducted via trusted websites (so-called watering-hole attacks) and social engineering on social networks and in IM clients. Specifically, we wrote that a cybercriminal has to do two things in order to implement a watering-hole attack: first, compromise a trusted website and second, surreptitiously inject malicious scripts into the site's code. Successful attacks via social networks or IM clients also make certain demands of cybercriminals – at the very least, to win the users' trust and increase the chances of them clicking on links sent by the attackers.

What sets attacks via ad networks apart is that in these attacks the cybercriminals do not have to compromise websites or gain the trust of potential victims. All they have to do is find an ad provider from which to buy 'impressions' or become a provider themselves (like BadNews). The remaining work, related to distributing malicious code, will be done by the ad network –the trusted site itself will download malicious scripts to its page via iframe.

Moreover, users don't even have to click on the ads – as part of its attempt to display a banner on the web page, the browser executes the banner's SWF/JS code, which automatically redirects the user to a site hosting the landing page of a popular exploit pack, such as Blackhole. A drive-by attack will follow: the exploit pack will attempt to choose an appropriate exploit to attack a vulnerability in the browser or its plugins.

The problem of ad networks being used to distribute malware and conduct targeted attacks (taking advantage of their targeted advertising capabilities) does not only affect those who use browsers to access websites. It also applies to users of applications that can display adverts, such as IM clients (including Skype), email clients (Yahoo! included), etc. And, most importantly, the problem affects the huge number of mobile app users, since these apps also connect to ad networks!

Essentially, mobile applications are different in that the SDKs commonly used for embedding adverts into apps (such as AdMob, Adwhirl etc.) do not support the execution of arbitrary code supplied by ad providers, as is the case with website advertising. In other words, only static data is accepted from the server supplying ads, including images, links, settings etc. However, cybercriminals can also create SDKs, just like media companies. The former offer developers higher per-click rates than their legitimate competitors. This is why developers of legitimate mobile software embed malicious 'advertising' code – essentially backdoors – into their apps. Moreover, legitimate SDKs may have vulnerabilities enabling the execution of arbitrary code. Two such cases were identified late last year – one involving the HomeBase SDK, the other involving AppLovin SDK.

Source: http://researchcenter.paloaltonetworks.com

The question "How should a corporate network be protected against attacks conducted via ad networks?" does not have a simple answer, particularly if you keep in mind possible targeted attacks. As we mentioned before, protection needs to cover not only workstations (browsers, IM clients, email clients and other applications that have dynamic advertising built into them), but also mobile devices that can access the corporate network.

Clearly, protecting workstations requires at least a Security Suite class anti-malware solution, which must include:

  • protection against vulnerability exploitation;
  • advanced HIPS with access restriction features, as well as heuristic and behavioral analysis (including traffic analysis);
  • tools for monitoring the operating system (System Watcher or Hypervisor) in case the system does get infected.

For more reliable protection of workstations, it is prudent to use application control technology, collect statistics (inventory) on the software used on the network, set up updating mechanisms and enable Default Deny mode.

Unfortunately, compared to the protection of workstations, mobile device protection is still in the early stages of evolution. It is extremely difficult to implement a full-scale Security Suite or Application Control solution for mobile devices, since that would require modifying firmware, which is not always possible. This is why Mobile Device Management (MDM) technology is currently the only effective tool for protecting mobile devices that connect to the corporate network. The technology can control which applications are allowed to be installed on a device and which are not.

Cybercriminals have used ad networks to distribute malware for years. At the same time, the advertising market is rapidly growing, branching out into new platforms (large websites, popular applications, mobile devices), attracting new advertisers, partners, intermediaries and aggregators, which are intertwined into an extremely tangled network. The ad network problem is one more example showing that rapid technology development is not always accompanied by the corresponding evolution of security technologies.

Verizon to Pay Largest Ever Consumer Privacy Settlement

Threatpost for B2B - Thu, 09/04/2014 - 14:24
Verizon pays largest ever consumer privacy settlement to the FCC for depriving customers of information about Verizon’s marketing practices and their personal privacy right to opt-out.

Patch Tuesday Includes Another IE Update; Vuln Disclosures Up

Threatpost for B2B - Thu, 09/04/2014 - 14:07
Microsoft announced four bulletins are scheduled for the September Patch Tuesday release, along with new research on public vulnerability disclosures.

Feared Home Depot Breach Sparks More Interest in Backoff PoS Malware

Threatpost for B2B - Thu, 09/04/2014 - 12:07
Security experts are digging into point-of-sale malware, Backoff in particular, as speculation rages on about how hackers pulled off the Home Depot data breach.

One in Five Massachusetts Residents Breached in 2013

Threatpost for B2B - Thu, 09/04/2014 - 12:04
Roughly one in five Massachusetts residents were affected by a data breach last year, according to numbers released today by the Commonwealth.

Some Cable Modems Found to Leak Sensitive Data Via SNMP

Threatpost for B2B - Thu, 09/04/2014 - 10:43
Cable modems sold by two manufacturers expose a wide variety of sensitive information over SNMP, including usernames and passwords, WEP keys and SSIDs. Researchers who discovered the vulnerabilities say they’re trivially exploitable and plan to release Metasploit modules for them later this month. The broadband modems, manufactured by Netmaster and ARRIS, leak the sensitive information […]

Neverquest Trojan Adds New Targets, Capabilities

Threatpost for B2B - Thu, 09/04/2014 - 09:52
Researchers have found some recent modifications to the Neverquest banking Trojan that indicate the malware is no longer just targeting online banking sites, but also is going after social media, retailers and some game portals. The new changes also give the Trojan the ability to insert extra fields into targeted Web forms in order to steal […]

CERT/CC Enumerates Android App SSL Validation Failures

Threatpost for B2B - Wed, 09/03/2014 - 15:14
The CERT Coordination Center at Carnegie Mellon today released a list of Android applications hosted on Google Play and Amazon that it says fail to validate SSL certificates over HTTPS.

WordPress Plugins Bogged Down with CSRF, XSS Vulnerabilities

Threatpost for B2B - Wed, 09/03/2014 - 15:08
A handful of bugs, mostly XSS and CSRF vulnerabilities, have been plaguing at least eight different Wordpress plugins as of late.

Twitter Launches Bug Bounty Program

Threatpost for B2B - Wed, 09/03/2014 - 15:08
Twitter is the latest major Internet company to establish a bug bounty program, and has put no upper limit on the bounty that a researcher can earn for reporting a vulnerability. The company announced on Wednesday that it will operate its bounty program through the HackerOne platform, a bug bounty system that enables vendors to […]

Protecting yourself against the celebrity iCloud hackers

Secure List feed for B2B - Wed, 09/03/2014 - 14:51

The biggest security news of the week is the leaked photos of many celebrities. Many people, especially the involved celebrities, wondered how such a hack could take place.

The initial statement by the attacker was that the iCloud was hacked. This prompted Apple into their we-do-not-really-comment-until-we-have-done-our-research mode. Today, they released a statement on the incident:

https://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html

For me the most interesting quote is: "accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet."

Apple is thus well aware of the problems that arise with these forms of authentication. The more interesting is their advice: strong passwords and two-step-verification.

Strong passwords are, according to Apple, passwords with a minimum of 8 characters, with some additional requirements. Interesting enough they do not enforce of all their suggestions. A password such as "Password1" is acceptable, even though it can be easily guessed.

Their other advice, using two-factor-authentication is somewhat flawed. For instance, it does not protect your iCloud backups (see this post). Also, two-step-verification is not available in every country. If you use, for example, a Romanian or a Croatian telephone number, then bad luck. Considering that Google offers two factor authentication for such countries as well, one might wonder why Apple didn't implement it as well. Could it be the cost of the SMSes?

So how to protect yourself properly? My colleague Alex Savitsky wrote an excellent article about this.

To summarize:

  • Use strong and unique passwords that are easy to remember and hard to crack (for instance, a phrase in your native language with "spaces" in it, a number and a special char)
  • If available in your country, enable two-factor authentication
  • iPhone users may want to disable iCloud photo Stream / photo Sharing. Additionally iPhone users may want to delete the backup of their photos / iPhone in the iCloud.

Photo courtesy of my colleague Dmitry Bestuzhev - https://twitter.com/dimitribest/status/506820178320322560

And remember - if you don't want your private photos to get leaked, better not take them in the first place!

Home Depot Urges Credit Monitoring Vigilance

Threatpost for B2B - Wed, 09/03/2014 - 10:06
Home Depot is telling customers to closely monitor bank and credit card accounts for fraud as it continues to investigate what could be a massive data breach.

Firefox 32 Debuts With Public-Key Pinning, Several Security Fixes

Threatpost for B2B - Wed, 09/03/2014 - 09:08
Mozilla has released Firefox 32, the latest version of its browser, which now supports public-key pinning and also includes fixes for several critical security vulnerabilities. The move to support public-key pinning is an important one for Firefox, as it helps protect users against man-in-the-middle attacks that rely on forged certificates. The feature binds a set […]
Syndicate content