Feed aggregator

Traffic Networks Company Patches Sensor Vulnerabilities

Threatpost for B2B - Mon, 09/08/2014 - 14:23
A company in charge of manufacturing sensors used in traffic control systems has patched a series of previously disclosed bugs that could’ve opened the products up to exploits.

New Timing Attack Could De-Anonymize Google Users

Threatpost for B2B - Mon, 09/08/2014 - 14:00
A new timing attack has been disclosed that could de-anonymize Google users under particular conditions. Google acknowledged the issue but said it would fix it because the risk is low.

Salesforce Warns Customers of Dyreza Banker Trojan Attacks

Threatpost for B2B - Mon, 09/08/2014 - 13:02
Salesforce.com is warning its customers that the Dyreza banker Trojan is now believed to be targeting some of the company’s users. The Trojan, which has the ability to bypass SSL, typically goes after customers of major banks, but seems to be expanding its reach. Dyreza is relatively new among the banker Trojan crowd and it […]

OpenSSL Publishes its Security Policy

Threatpost for B2B - Mon, 09/08/2014 - 11:10
The OpenSSL Project yesterday for the first time made the OpenSSL security policy public.

Israeli Think-Tank Site Serves Sweet Orange Exploit

Threatpost for B2B - Mon, 09/08/2014 - 10:14
Drive-by malware downloads have been spotted on the website of a prominent Israel think-tank, the Jerusalem Center for Public Affairs. The attacks seems to target bank credentials.

‘Kyle and Stan’ Malvertising Network Targets Windows and Mac Users

Threatpost for B2B - Mon, 09/08/2014 - 10:02
A malvertising network that has been operating since at least May has been able to place malicious ads on a number of high-profile sites, including Amazon and YouTube and serves a unique piece of malware to each victim. The network, dubbed Kyle and Stan by the Cisco researchers who analyzed its activities and reach, comprises […]

Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted

Threatpost for B2B - Fri, 09/05/2014 - 14:03
Data compiled from Rapid7's Project Sonar scan found 107,000 websites running 1024-bit CA certificates that will soon be untrusted as Mozilla announces it will no longer support the shorter, weaker keys.

Threatpost News Wrap, September 5, 2014

Threatpost for B2B - Fri, 09/05/2014 - 11:05
Dennis Fisher and Mike Mimoso discuss the Apple iCloud mess, extending its 2FA system to the cloud, and the fallout from the possible Home Depot data breach.

Apple Plans to Extend 2FA to iCloud

Threatpost for B2B - Fri, 09/05/2014 - 09:34
In the wake of the iCloud photo theft scandal, Apple’s CEO said the company plans to extend its two-factor authentication system to logins to the iCloud service from mobile device. The change will come when iOS 8.0 comes out later this month. The change will give users the option of enabling a second layer of authentication […]

Gaps in corporate network security: ad networks

Secure List feed for B2B - Fri, 09/05/2014 - 08:42

'Malvertising' is a relatively new term for a technique used to distribute malware via advertising networks, which have long since become a popular medium among cybercriminals. In the past four years, hundreds of millions of users have fallen victim to 'viral' advertising, including visitors to major media sites, such as NY Times, London Stock Exchange, Spotify, USNews, TheOnion, Yahoo!, and YouTube. The complicated situation with ad networks even prompted the United States Senate Permanent Subcommittee on Investigations to conduct an in-depth inquiry, which produced recommendations on stepping up security and increasing the responsibilities of advertising platform owners.

At the turn of the year 2.5 million Yahoo users were attacked. Soon after the incident, a company called Fox IT published a detailed analysis of the attack. Curiously, according to Fox IT, not all Yahoo! users were affected by the attack – only residents of European countries, primarily Romania, the UK and France. Fox IT analysts believe that the attackers probably used targeted advertising mechanisms, i.e., they paid for 'impressions' served to a certain audience from the countries mentioned above. Here is an illustration of how attacks are conducted via ad networks: an overall attack organization diagram (on the left-hand side) and a specific example of the attack against Yahoo! users (on the right-hand side).

In the past, we have written about targeted attacks conducted via trusted websites (so-called watering-hole attacks) and social engineering on social networks and in IM clients. Specifically, we wrote that a cybercriminal has to do two things in order to implement a watering-hole attack: first, compromise a trusted website and second, surreptitiously inject malicious scripts into the site's code. Successful attacks via social networks or IM clients also make certain demands of cybercriminals – at the very least, to win the users' trust and increase the chances of them clicking on links sent by the attackers.

What sets attacks via ad networks apart is that in these attacks the cybercriminals do not have to compromise websites or gain the trust of potential victims. All they have to do is find an ad provider from which to buy 'impressions' or become a provider themselves (like BadNews). The remaining work, related to distributing malicious code, will be done by the ad network –the trusted site itself will download malicious scripts to its page via iframe.

Moreover, users don't even have to click on the ads – as part of its attempt to display a banner on the web page, the browser executes the banner's SWF/JS code, which automatically redirects the user to a site hosting the landing page of a popular exploit pack, such as Blackhole. A drive-by attack will follow: the exploit pack will attempt to choose an appropriate exploit to attack a vulnerability in the browser or its plugins.

The problem of ad networks being used to distribute malware and conduct targeted attacks (taking advantage of their targeted advertising capabilities) does not only affect those who use browsers to access websites. It also applies to users of applications that can display adverts, such as IM clients (including Skype), email clients (Yahoo! included), etc. And, most importantly, the problem affects the huge number of mobile app users, since these apps also connect to ad networks!

Essentially, mobile applications are different in that the SDKs commonly used for embedding adverts into apps (such as AdMob, Adwhirl etc.) do not support the execution of arbitrary code supplied by ad providers, as is the case with website advertising. In other words, only static data is accepted from the server supplying ads, including images, links, settings etc. However, cybercriminals can also create SDKs, just like media companies. The former offer developers higher per-click rates than their legitimate competitors. This is why developers of legitimate mobile software embed malicious 'advertising' code – essentially backdoors – into their apps. Moreover, legitimate SDKs may have vulnerabilities enabling the execution of arbitrary code. Two such cases were identified late last year – one involving the HomeBase SDK, the other involving AppLovin SDK.

Source: http://researchcenter.paloaltonetworks.com

The question "How should a corporate network be protected against attacks conducted via ad networks?" does not have a simple answer, particularly if you keep in mind possible targeted attacks. As we mentioned before, protection needs to cover not only workstations (browsers, IM clients, email clients and other applications that have dynamic advertising built into them), but also mobile devices that can access the corporate network.

Clearly, protecting workstations requires at least a Security Suite class anti-malware solution, which must include:

  • protection against vulnerability exploitation;
  • advanced HIPS with access restriction features, as well as heuristic and behavioral analysis (including traffic analysis);
  • tools for monitoring the operating system (System Watcher or Hypervisor) in case the system does get infected.

For more reliable protection of workstations, it is prudent to use application control technology, collect statistics (inventory) on the software used on the network, set up updating mechanisms and enable Default Deny mode.

Unfortunately, compared to the protection of workstations, mobile device protection is still in the early stages of evolution. It is extremely difficult to implement a full-scale Security Suite or Application Control solution for mobile devices, since that would require modifying firmware, which is not always possible. This is why Mobile Device Management (MDM) technology is currently the only effective tool for protecting mobile devices that connect to the corporate network. The technology can control which applications are allowed to be installed on a device and which are not.

Cybercriminals have used ad networks to distribute malware for years. At the same time, the advertising market is rapidly growing, branching out into new platforms (large websites, popular applications, mobile devices), attracting new advertisers, partners, intermediaries and aggregators, which are intertwined into an extremely tangled network. The ad network problem is one more example showing that rapid technology development is not always accompanied by the corresponding evolution of security technologies.

Verizon to Pay Largest Ever Consumer Privacy Settlement

Threatpost for B2B - Thu, 09/04/2014 - 14:24
Verizon pays largest ever consumer privacy settlement to the FCC for depriving customers of information about Verizon’s marketing practices and their personal privacy right to opt-out.

Patch Tuesday Includes Another IE Update; Vuln Disclosures Up

Threatpost for B2B - Thu, 09/04/2014 - 14:07
Microsoft announced four bulletins are scheduled for the September Patch Tuesday release, along with new research on public vulnerability disclosures.

Feared Home Depot Breach Sparks More Interest in Backoff PoS Malware

Threatpost for B2B - Thu, 09/04/2014 - 12:07
Security experts are digging into point-of-sale malware, Backoff in particular, as speculation rages on about how hackers pulled off the Home Depot data breach.
Syndicate content