Feed aggregator

Critics Upset as Microsoft Conducts Email Search in Leak Investigation

Threatpost for B2B - Mon, 03/24/2014 - 12:55

Late last week it emerged that Microsoft had searched through the contents of a French blogger’s Hotmail account in order to track down the source of a leak of proprietary information from the Redmond, Wash., tech giant.

The Electronic Frontier Foundation and transparency advocates have expressed stark disapproval of the entire situation. The EFF is even suggesting that Microsoft’s actions here constitute a direct violation of the Electronic Communications Privacy Act (ECPA).

The saga began when a Microsoft employee named Alex Kibkalo allegedly stole protected information pertaining to Microsoft’s Activation Server Software Developer’s Kit (SDK) and emailed it – via Hotmail, which is owned and operated by Microsoft – to a French blogger.

Around August 2012, Microsoft became aware that someone had leaked the SDK after the blogger in question – who is not named in the criminal complaint filed against Kibkalo in September 2012 – began posting screenshots of unreleased Windows operating system features. Microsoft’s Trustworthy Computing Investigations (TWCI), the division of the company tasked with protecting it against both external and internal threats, launched an investigation accordingly.

In early September 2012, an unnamed person contacted Steven Sinofsky, then president of Microsoft’s Windows Division. The blogger had contacted this source to confirm that the code he had received was in fact proprietary Microsoft code. In an interview with the TWCI, the source indicated that the blogger had contacted the source via Hotmail.

According to the complaint (which was acquired by the Register), “After confirmation that the data was Microsoft’s proprietary trade secret, on September 7, 2012 Microsoft’s Office of Legal Compliance (OLC) approved content pulls of the blogger’s Hotmail account.”

Upon examining the contents of the blogger’s email account, Microsoft found Kibkalo’s correspondence with the blogger. The company then provided all of this information to the FBI, who then arrested Kibkalo and charged him with the theft of trade secrets.

Microsoft published a response to the emergence of these facts, noting that it would make certain changes to its policies, but ultimately defending its right to search the contents of its users’ communications without judicial oversight.

“Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed,” wrote John Frank, deputy general counsel and vice president of legal and corporate affairs. “So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises.”

Frank goes on to claim that the company acted within its terms of service by conducting “a limited review of this third party’s Microsoft operated accounts,” which the company only undertakes in “the most exceptional circumstances” after “[applying] a rigorous process before reviewing such content.”

Frank also acknowledges public concern about the company’s actions, and says Microsoft will adhere to the following policies going forward:

  • Microsoft will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available.
  • To ensure compliance with the standards applicable to obtaining a court order, Microsoft will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. It will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As a new and additional step, the company will then submit this evidence to an outside attorney who is a former federal judge. It will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
  • Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. Microsoft says it will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.
  • Finally, the company believes it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. The company therefore will publish as part of its bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.

“Unfortunately, this new policy just doubles down on Microsoft’s indefensible and tone-deaf actions in the Kibkalo case,” says EFF legal fellow Andrew Crocker. “It begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching ‘itself,’ rather than the contents of its user’s email on servers it controlled.”

Had the company believed it had probable cause to search one of its users’ Hotmail accounts, Crocker continues, Microsoft could have easily presented its case to the FBI and acquired a proper search warrant.

“To be sure, the process described in Microsoft’s statement bears more than a passing resemblance to a standard criminal investigation, with a prosecutorial team building a case and then presenting it to an ostensibly neutral third party, a retired federal judge no less,” Crocker writes. “Let’s call it Warrants for Windows!”

Crocker acknowledges that the search may well have revealed criminal activity, but argues that because it was conducted in Microsoft’s own self-interest, it sets an extremely dangerous precedent.

Time Warner Reports Fewer Than 250 National Security Orders

Threatpost for B2B - Mon, 03/24/2014 - 11:51

Time Warner Cable has joined a half-dozen telecommunications and technology companies that, in the past six months, have published their first transparency report on government and law enforcement requests for user data and content.

Since the Edward Snowden leaks began last June, transparency reports have become a provider’s best vehicle for communicating with customers and the industry about how much data they are legally compelled to share with the government and law enforcement. Companies have also gone to great lengths to expand how much they are permitted to disclose, in order to dispel any perception that a provider might be complicit in intelligence agency surveillance.

For example, earlier this year, the U.S. Department of Justice relaxed the reporting rules for companies, allowing them more flexibility in sharing how many National Security Letters and requests made for customer data and content under the Foreign Intelligence Surveillance Act (FISA).

Time Warner’s transparency report, released on Friday, revealed that the giant cable and Internet provider received between 0 and 249 national security-related orders, affecting between 0 and 249 customer accounts, between January 2013 and June 2013. Organizations are not permitted to release the exact number of National Security Letters and FISA orders they receive, but may report them in bands of 250. Before January, companies could report only in bands of 0-999, which led Google, Facebook, Twitter, Yahoo and Microsoft to sue the government seeking more transparency. The January decision came in exchange for the companies’ withdrawal of their respective legal actions.

“We believe helping our customers understand how often information about our customers is being requested is important,” Time Warner said in a statement Friday.

The company’s transparency report covered the entirety of 2013 for law enforcement requests; Time Warner received roughly 12,000 requests last year, affecting close to 16,000 customer accounts. The vast majority of requests (82 percent) came via subpoenas. Court orders made up 12 percent of requests, and search warrants 4 percent. The remainder were emergency requests, pen register/trap and trace orders, and wiretap orders.

Time Warner reported that it disclosed user content in 3 percent of requests. Subscriber information (non-content data) was provided in 77 percent of requests, and no data was disclosed in 20 percent of requests. Non-content disclosures are limited to a customer’s name, address, phone number and IP address, Time Warner said. The company said it provides “meaningful notice” to customers if their information is requested by the government unless it is explicitly prohibited from doing so.

“Time Warner Cable carefully reviews each order to ensure that it is a lawful request,” the company said. “If there is any question about the validity or scope of a request, we challenge it in the same manner we challenge all demands for customer information.”

WhiteHat Releases Aviator Browser for Windows

Threatpost for B2B - Mon, 03/24/2014 - 10:37

The privacy and anonymity of users’ online communications has been at the forefront of many discussions in the tech community and the general public in the last year as more and more information has leaked out about the NSA’s methods and how the agency collects vast amounts of user data. Keeping Web sessions private and secure can be a daunting task, especially for users who may not be so familiar with how to lock down their browsers, but WhiteHat Security is trying to make that process simpler with the release of a beta version of its Aviator browser for Windows.

Aviator is built on the Chromium code base, like Google Chrome, and is designed with security, privacy and anonymity in mind from the beginning. The browser, by default, doesn’t allow any tracking of users’ movements on the Web and WhiteHat doesn’t have any partnerships with advertisers or tracking companies. It also has DuckDuckGo set as the default search engine, a major change from most other browsers, which typically have Google or Bing as the default. DuckDuckGo doesn’t save any search history data from users or perform any tracking.

The disconnection from ad networks is a big part of the security and privacy model for Aviator. The browser doesn’t simply block ads, the way that many browser extensions do. Instead, the browser doesn’t make any connections to ad networks at all, which stops a large part of the tracking done on Web pages and also prevents potentially malicious ads from running. This difference also makes the browser faster than many of the other major browsers.

“We’re going to do some tests to see exactly what the difference is, but it doesn’t make all of those outbound connection requests so you can tell how much faster it is when you use it,” said Robert Hansen, director of product management at WhiteHat.

WhiteHat released a Mac OS X version of Aviator in October, and it has since been downloaded tens of thousands of times, company officials said. But users immediately began asking for a Windows version, along with Android and other platforms. Aviator was developed as an internal project at WhiteHat for employee use, and eventually the company made the decision to release it to the general public. Because the browser doesn’t include ads or partnerships with ad companies, WhiteHat is considering different revenue models for the browser.

“Therefore, some of our efforts will also be directed towards determining how to sell this in a way that does not involve profiting from our users’ information as many other browsers are in the unfortunate business of doing. As the saying goes, ‘if you aren’t paying for it, you’re the product’,” Hansen wrote in a blog post.

“That said, we want to make sure that all of our existing users of WhiteHat Aviator know that they will continue to get the browser for free, forever.”


Attackers Picking Off Websites Running 7-Year-Old Unsupported Versions of Linux

Threatpost for B2B - Fri, 03/21/2014 - 15:19

The risks presented by unsupported operating systems are being called out in a large-scale attack on hundreds of websites.

Hackers have hit web servers running a version of the Linux 2.6 kernel released seven years ago. The result is a multistage attack where compromised websites are spiked with JavaScript that redirects users to a second site where additional malware is served.

“It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators,” said Martin Lee, a researcher with Cisco, who wrote about the compromises.

The second malicious site in this attack, Lee said, is serving up a click fraud scam where the victim’s browser displays a number of ads. He also suspects the attackers are loading a Trojan on compromised machines at this point as well.

The attack ramped up Monday and Tuesday of this week, Cisco said, noting that 400 distinct hosts were infected on each day and more than 2,700 URLs have been used in the attack, some of them legitimate websites that have fallen victim. Most of the web servers hit in this campaign were in the United States, Germany and Spain.

“This large scale compromise of an aging operating system highlights the risks posed by leaving such systems in operation. Systems that are unmaintained or unsupported are no longer patched with security updates,” Lee said. “When attackers discover a vulnerability in the system, they can exploit it at their whim without fear that it will be remedied.”

Lee also points out there are similarities to this attack and some used by the defunct Blackhole exploit kit, but it’s unlikely these are Blackhole compromises. Instead, he said, they could be part of a Mesh Network attack described by Sucuri in January.

Coincidentally, Cisco’s report comes a few days after research published by Imperva about exploits that surfaced a few months ago for a two-year-old PHP vulnerability. The bug affects PHP 5.3.x before 5.3.12 and 5.4.x before 5.4.2, and Imperva estimates that close to 20 percent of sites on the web are still running vulnerable versions.

“Not only are we seeing a vulnerability used after it was released so long ago, but what we’re seeing is attackers and professional hackers understanding what vendors understand—people just don’t patch,” Imperva director of security research Barry Shteiman said. “They can’t or won’t or are not minded to fix these problems.”

PHP is found on nearly 82 percent of websites today; these attacks target sites running PHP in CGI mode, which opens the door to code execution from the outside. Shteiman said the vulnerability affects a built-in mechanism in PHP that protects it from exposing files and commands. A configuration flaw allows an attacker to first disable that security mechanism, which in turn allows the attacker to run remote code or inject arbitrary code.
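The mechanism behind the php-cgi bug described above is that, when PHP runs as a CGI binary, a query string containing no raw `=` character is handed to php-cgi as command-line arguments (the CGI specification’s ISINDEX rule), so switches such as `-s` (dump the script’s source) or `-d` (override a php.ini directive) can be smuggled in, with any `=` hidden as `%3d`. The detector below is an added example, not code from Imperva, Cisco or the PHP project; it scans constructed Common Log Format lines for that pattern. The IP addresses, paths and timestamps in the sample log are made up for the example.

```python
"""Detector for php-cgi argument injection in web server access logs (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed Common Log Format lines; addresses, paths and times are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2014:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [21/Mar/2014:10:01:09 +0000] "POST /cgi-bin/php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 128
203.0.113.9 - - [21/Mar/2014:10:02:11 +0000] "GET /index.php?-s HTTP/1.1" 200 7331
198.51.100.3 - - [21/Mar/2014:10:03:00 +0000] "GET /search.php?q=-s+flag HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_php_arg_injection(raw_query: str) -> bool:
    """php-cgi treats the query string as argv only when it contains no raw
    '=' (the CGI ISINDEX rule), which is why attackers encode '=' as %3d.
    Flag a query with no literal '=' whose decoded form starts with a switch.
    The fourth sample line ('q=-s+flag') is benign for exactly this reason."""
    if not raw_query or "=" in raw_query:
        return False
    argv = unquote_plus(raw_query).split()
    return bool(argv) and argv[0].startswith("-")


def ini_overrides(argv):
    """Collect php.ini directives injected via -d ('-d key=val' or '-dkey=val')."""
    found = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-d" and i + 1 < len(argv):
            found.append(argv[i + 1])
            i += 2
            continue
        if tok.startswith("-d") and len(tok) > 2:
            found.append(tok[2:])
        i += 1
    return found


def scan_log(text: str):
    """Return one record per suspicious request: who sent it, which script
    it hit, the reconstructed argv, and any ini directives it tried to set."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if not is_php_arg_injection(query):
            continue
        argv = unquote_plus(query).split()
        hits.append({
            "ip": m["ip"],
            "path": path,
            "argv": argv,
            "ini_overrides": ini_overrides(argv),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against real logs, the two things worth alerting on are `-s` (source disclosure of any script) and `-d` pairs that enable `allow_url_include` or set `auto_prepend_file`, since that combination is what turns the bug into remote code execution; the check on the raw (undecoded) query string matters because a query that contains a literal `=` is never passed to php-cgi as arguments.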

These two attack campaigns should put system administrators on notice about inventorying unsupported operating systems and bringing patch levels up to par.

“Large numbers of vulnerable unpatched systems on the internet are tempting targets for attackers. Such systems can be used as disposable one-shot platforms for launching attacks,” Cisco’s Lee said. “This makes it all the more important that aging systems are properly maintained and protected.”

NSA Targets Sys Admins to Infiltrate Networks

Threatpost for B2B - Fri, 03/21/2014 - 13:27

The latest set of Snowden documents reveal details on perhaps the biggest no-brainer from the National Security Agency’s point of view during these nine months of leaks: the targeting of system administrators.

Classified presentations, documents and notes portray the NSA as confident and unrelenting in its ability to build a database of personal email and social media activity correlated to network and system administrators worldwide. Those reconnaissance efforts would aid the NSA in hacking the sys admins’ work computers, which could then be tapped at a moment’s notice by the agency’s QUANTUM program.

QUANTUM involves the use of hacking tools to inject malware onto a target’s system. In the past, the NSA has used these techniques to hack computers by injecting malware implants posing as legitimate Facebook traffic. The malware gives agency analysts a foothold on a compromised machine for the exfiltration of data and system information.

The latest documents, entitled “I hunt sys admins” were written two years ago by an official whose job it is to hack into foreign networks via weaknesses in routers, said a report in The Intercept. The publication said it is keeping the author’s identity a secret. The documents specify the agency’s hunt not only for infrastructure credentials, but also network topology, access lists that detail which machines are allowed access to which resources, and other network configuration intelligence.

“Up front, sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of,” the document said. “Sys admins are a means to an end.”

These operations are by law supposed to be limited to foreign targets only, but in the past the agency’s dragnet surveillance efforts around phone call metadata, for example, have also swept up activity of Americans, whose data is not supposed to be targeted or collected without a warrant or court order.

Much like advanced hackers who scour social networks and discussion forums for any scrap of usable insight into a target, the NSA, too, is adept at Facebook creeping. The author, for example, writes in the documents that in order to get computer network exploitation (CNE) access to the admin, a webmail or Facebook account is a better first step than spamming the target.

“There’s a couple ways you could try this: dumpster-dive for alternate selectors in the big SIGINT (signals intelligence) trash can, or pull out your wicked Google-fu to see if they’ve posted on any forums and list both their official and non-official emails in a signature block,” the author wrote.

The how-to written by this unnamed person is littered with arrogance, snark and hacker jargon, including a swipe at the quality of content presented at the Black Hat and Def Con security conferences. There are detailed instructions on a number of techniques for finding personal accounts and using those to hack upstream to the agency’s ultimate target should the need arise. The NSA was also interested in building a database of sys admin contact information that could be used by its elite Tailored Access Operations (TAO) unit.

“Who better to target than the person that already has the keys to the kingdom,” the author wrote. “Many times, as soon as I can see a target show up on a network, one of my first goals is ‘Can we get CNE access to the admins on that network in order to get access to the infrastructure the target is using.”

Cisco Patches AsyncOS Code Execution Vulnerability

Threatpost for B2B - Fri, 03/21/2014 - 12:15

Cisco fixed a serious vulnerability this week in its email and content security management products that could have let an attacker execute code with the privileges of the root user.

The company pushed a fix for its AsyncOS Software in both its Email Security Appliance (ESA) and Content Security Management Appliance (SMA) products on Thursday. According to the advisory, all versions of both products are considered vulnerable until patched, as both run a version of AsyncOS that can be exploited through FTP.

“The vulnerability is due to insufficient validation of the SLBL database file. An attacker could exploit this vulnerability by substituting a valid SLBL database file with a tampered file,” the advisory says.

That file could be rigged to include shell code that could later be executed, provided that FTP and Safelist/Blocklist (SLBL) are enabled, in turn granting the attacker the right to execute arbitrary code on the system with the privileges of the root user.

Disabling the FTP service or the SLBL feature would prevent the SLBL database from being replaced with a malicious one over FTP, but beyond that there are no real workarounds; the fix is to update.

Updates that resolve the vulnerability can be obtained through Cisco’s regular update channel.

Cisco’s ESA provides email management and incorporates antivirus and encryption, while SMA centralizes management and reporting for the company’s email and web security appliances.

Siemens Patches Security Vulnerabilities in ICS Equipment

Threatpost for B2B - Fri, 03/21/2014 - 11:43

Industrial control systems manufacturer Siemens has released new versions of its SIMATIC S7-1200 CPU family, resolving six security vulnerabilities in that product, and of its SIMATIC S7-1200 PLC (programmable logic controller), resolving an additional two vulnerabilities there.

These patches are critical enough to have warranted alerts on the Industrial Control Systems Cyber Emergency Response Team’s website.

All six of the bugs in the SIMATIC S7-1200 CPU family are remotely exploitable and affect all product versions prior to V4.0. On unpatched systems, the vulnerabilities could give an attacker the ability to perform denial-of-service attacks by sending specially crafted HTTP(S), ISO-TSAP, or Profinet network packets. Beyond this, the product’s integrated web server is also vulnerable to cross-site request forgery and privilege escalation attacks. Each of the attacks is exploitable over the network without authentication.

The SIMATIC S7-1200 PLC systems are vulnerable to a pair of improper input validation vulnerabilities that are also remotely exploitable. Again, a knowledgeable attacker could exploit these bugs to perform a DoS attack.

As is generally the case, the real-world impact of all of the bugs listed depends almost entirely on how each specific system is deployed and exposed.

Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from FU Berlin’s work team SCADACS, and Positive Technologies’ researchers Alexey Osipov and Alex Timorin discovered the six holes in Siemens’ SIMATIC S7-1200 CPU family. You can read a more detailed description of those bugs here.

Professor Hartmut Pohl and the Swedish Defence Research Agency uncovered the flaws in Siemens’ SIMATIC S7-1200 PLC. You can read more about these vulnerabilities here.

SCADA software, ICS equipment, and critical infrastructure systems are perpetually vulnerable. Worse yet, as the maintainers of general-purpose operating systems get better at security, making it more difficult to write successful exploits, attackers will turn to softer targets. So woeful is the state of critical infrastructure security that some experts are asking whether it is time to establish an ICS security specialist certification.

Analysis: BitGuard: a system of forced searches

Secure List feed for B2B - Fri, 03/21/2014 - 06:00
In the past year, many users have been forced to deal with BitGuard, an extremely aggressive multi-component system that is difficult to remove completely without professional assistance, even though it technically comes with uninstallers.

Comcast Issues First Transparency Report

Threatpost for B2B - Thu, 03/20/2014 - 16:03

Another day, another transparency report from a company trying to put some distance between itself and the United States’ broad surveillance apparatus. Today’s report comes from Comcast, the largest Internet service provider in the U.S., which “takes customer privacy very seriously, and [holds] it in the highest regard.”

The company says its report adheres to the Justice Department’s newer and more relaxed reporting guidelines. It therefore reports the National Security Letters (NSLs) and Foreign Intelligence Surveillance Act (FISA) orders and warrants it received, along with the corresponding numbers of customer accounts affected, in bands of 1,000. Those guidelines, Comcast says, require FISA orders and warrants to be reported with a six-month delay, so this report covers only the first six months of 2013.

The mass media company claims to have received 19,377 subpoenas in the first half of 2013. Subpoenas, the report states, typically seek basic customer account information like names and addresses of customers based on telephone numbers or Internet Protocol (IP) addresses associated with accounts.

The company reported receiving 3,893 general court orders, including 93 pen register and trap and trace orders and just two wiretap requests. Court orders, the report indicates, are signed by a judge and seek more detailed – often historical – information than can be obtained through a subpoena. General orders are those that don’t seek a pen register and trap and trace, which essentially seeks incoming and outgoing call information in real time, or wiretaps, which seek real-time access to the contents of those communications.

Comcast also received 253 content warrants and 1,080 non-content warrants. In all, Comcast received 24,698 criminal requests.

In addition to these, the company is reporting that it received 961 emergency requests. Such requests differ from those listed above in that they are expedited, generally involving an emergency that poses risk of death or serious physical injury to any person. In these cases, Comcast says that it requires the law enforcement officer to provide “a written certification” describing the imminent risk of danger. Comcast claims it then uses that information to verify emergency requests when possible.

Comcast reported between 0 and 999 requests for all of the following categories: NSLs received and customer accounts affected, content-related FISA orders and warrants and customer accounts affected, and non-content-related FISA orders and warrants and customer accounts affected.

“Like all U.S. businesses, we must respond to valid government requests for customer information made in subpoenas, orders, warrants, and other legal processes,” Comcast said in its report. “Before we respond, we review every request carefully to ensure it is authorized by law and is valid.”


EA Games Site Hacked to Steal Apple IDs

Threatpost for B2B - Thu, 03/20/2014 - 15:58

Hackers were able to compromise a server belonging to Electronic Arts Games this week and rig one of its websites to resemble an Apple log-in page to dole out phishing attacks.

U.K.-based security firm Netcraft discovered the hacked site on Tuesday and informed EA, which blocked it on Wednesday.

Researchers with the firm speculate that a vulnerability in an outdated version of the PHP app WebCalendar, which was also being hosted on the same server, was used as an attack vector. That vulnerability allows attackers to modify settings and execute arbitrary code in the 2008 version (1.2.0) of the calendar.

“In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server,” Paul Mutton, a security tester with the firm wrote Wednesday.

From there, the attacker could view the calendar’s contents, its source code and any other data on the server.

The fact that the calendar app was outdated naturally made EA’s system a target.

“The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network,” Mutton added.

Victims who landed on the site were prompted to enter their Apple ID and password, then their full name, credit card number, expiration date and verification code, date of birth and so on. Only after entering all of this information was the victim redirected to a legitimate Apple website, https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/.

BitSight, a Cambridge, Mass.-based security rating service, claims that EA’s systems may have been riddled with vulnerabilities for up to a year. The service’s CTO says it has observed multiple servers associated with EA under outside control for the last 12 months.

“Likely under the control of an external adversary, these machines were used to communicate with botnet command and control servers, distribute malware, and participate in DDoS attacks,” Stephen Boyer, the firm’s co-founder and CTO said Thursday.

This is the second such problem for EA in the past week. Netcraft also notes in its write-up that a phishing site aimed at users of the company’s Origin platform surfaced online a week ago. That site, while not hosted on an EA server, is still trying to harvest EA users’ credentials, including “email addresses, passwords and security question answers.”

While EA has allegedly blocked the Apple phishing site, it’s unclear if it’s aware of the Origin phishing site. Email inquiries to the company were not immediately returned on Thursday.

Additional vulnerabilities in EA’s Origin platform were identified around this time last year as well. Researchers with ReVuln, Luigi Auriemma and Donato Ferrante, published a paper last March in which they discussed how easy it could be to remotely run malicious code on users’ machines through Origin and one of the company’s games, Crysis 3.

Bitcoin Transaction Malleability Flaw Resolved

Threatpost for B2B - Thu, 03/20/2014 - 15:57

The so-called transaction malleability software issue blamed for the dissolution of Bitcoin exchange Mt. Gox has been patched.

The Bitcoin-QT reference client was also rebranded Bitcoin Core, to clear up confusion users might have had between the Bitcoin network and the software. Bitcoin Core 0.9.0 was released yesterday with new features as well as security updates.

Transaction malleability is technically not a flaw in the software, according to a number of experts, including those inside Mt. Gox. Under certain conditions, anyone could alter the transaction identifier (the hash of the signed transaction) of a transaction in flight without invalidating the transaction itself.

Mt. Gox’s demise was a perfect storm of software issues and policy failures that caused the Japanese company to lose hundreds of millions of dollars worth of the digital currency.

The problems began when users complained to Mt. Gox that their withdrawals were showing up on the network under altered identifiers. A report in the Guardian said attackers had managed to change the identifiers and then lodge a complaint with Mt. Gox, which, not finding the original identifier confirmed, would initiate the transaction a second time, sending more currency to the thief.

According to release notes posted on Github, the transaction malleability issue was addressed by tightening transaction rules preventing “mutated transactions” from being relayed or mined. Bug fixes also addressed incorrect balances being reported for mutated transactions, among other fixes.
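To make the malleability problem described above concrete, here is an added toy illustration (not code from Bitcoin Core, Mt. Gox or the Guardian’s sources) of why reconciling withdrawals by txid fails: the txid is the double SHA-256 of the serialized transaction including its signatures, and an ECDSA signature (r, s) over the secp256k1 curve can be rewritten by anyone as (r, n − s), which still verifies but changes the hash. The wire format, signature values, addresses and ledger classes below are simplified stand-ins constructed for the example; only the curve order n is a real constant. The outpoints (previous txid, output index) that a transaction spends are what an outsider cannot alter, so the robust ledger reconciles on those instead.

```python
"""Toy Bitcoin transaction malleability demonstration (added example, not Bitcoin Core code)."""
import hashlib
import struct
from dataclasses import dataclass, replace

# Order of the secp256k1 group. (r, s) and (r, N - s) both verify as ECDSA
# signatures for the same message, one of the classic malleability sources.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class TxIn:
    prev_txid: str   # hex id of the output being spent
    index: int       # output index within that transaction
    sig_r: int       # signature components; constructed values, not real signatures
    sig_s: int


@dataclass(frozen=True)
class TxOut:
    value_sat: int
    dest: str        # destination; a constructed label standing in for an address


def serialize(inputs, outputs) -> bytes:
    """Toy wire format. The property shared with Bitcoin is that the signature
    bytes are part of what gets hashed, so changing them changes the txid."""
    buf = bytearray(struct.pack("<I", len(inputs)))
    for i in inputs:
        buf += bytes.fromhex(i.prev_txid) + struct.pack("<I", i.index)
        buf += i.sig_r.to_bytes(32, "big") + i.sig_s.to_bytes(32, "big")
    buf += struct.pack("<I", len(outputs))
    for o in outputs:
        buf += struct.pack("<Q", o.value_sat) + o.dest.encode()
    return bytes(buf)


def txid(inputs, outputs) -> str:
    return sha256d(serialize(inputs, outputs)).hex()


def flip_s(txin: TxIn) -> TxIn:
    """Third-party mutation: s -> N - s. Still a valid signature, new txid."""
    return replace(txin, sig_s=SECP256K1_N - txin.sig_s)


def outpoints(inputs) -> frozenset:
    """The (prev_txid, index) pairs a transaction spends; unchanged by mutation."""
    return frozenset((i.prev_txid, i.index) for i in inputs)


class NaiveLedger:
    """Tracks withdrawals by txid only: the pattern that was abused."""
    def __init__(self):
        self.pending = {}

    def broadcast(self, inputs, outputs):
        self.pending[txid(inputs, outputs)] = (inputs, outputs)

    def on_confirmed(self, inputs, outputs):
        self.pending.pop(txid(inputs, outputs), None)   # unknown id: no match

    def needs_resend(self):
        return list(self.pending)   # unmatched withdrawal looks unconfirmed


class RobustLedger:
    """Tracks withdrawals by the outpoints they spend, which cannot be mutated."""
    def __init__(self):
        self.pending = {}

    def broadcast(self, inputs, outputs):
        self.pending[outpoints(inputs)] = (inputs, outputs)

    def on_confirmed(self, inputs, outputs):
        self.pending.pop(outpoints(inputs), None)

    def needs_resend(self):
        return list(self.pending)


def demo():
    """Broadcast one withdrawal, then see a mutated copy of it confirm."""
    ins = [TxIn("11" * 32, 0, sig_r=0x1234, sig_s=0x5678)]
    outs = [TxOut(100_000_000, "customer-address")]
    mutated_ins = [flip_s(ins[0])]
    naive, robust = NaiveLedger(), RobustLedger()
    for ledger in (naive, robust):
        ledger.broadcast(ins, outs)
        ledger.on_confirmed(mutated_ins, outs)
    return {
        "original_txid": txid(ins, outs),
        "mutated_txid": txid(mutated_ins, outs),
        "same_outpoints": outpoints(ins) == outpoints(mutated_ins),
        "naive_resends": len(naive.needs_resend()),
        "robust_resends": len(robust.needs_resend()),
    }


if __name__ == "__main__":
    print(demo())
```

The naive ledger ends up with one withdrawal it believes never confirmed, which is exactly the state an attacker wanted an exchange to be in before filing a complaint; the robust ledger sees the same inputs spent and treats the withdrawal as settled regardless of which txid the network relayed.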

The hack and subsequent demise of Mt. Gox negatively affected the value of the electronic currency, which hovered not too long ago at more than $1,000 per Bitcoin; as of today, Bitcoin Exchange lists one Bitcoin at $591.99.

According to sources quoted by the Guardian, the transaction malleability issue was compounded by lax accounting at Mt. Gox, forcing the exchange to go under. The Guardian said a document released by entrepreneur Ryan Selkis also hurried Mt. Gox to the end.

“MtGox has allegedly never conducted a single audit of its customer deposits,” Selkis is quoted, “and it is believed that [Gox CEO Mark] Karpeles may have been the only one within the company to have knowledge of how to actually tap the exchange’s cold storage. It remains unclear exactly how this type of storage leak could have happened over a multi-year period without any knowledge on the part of the executives at MtGox.”

As Bitcoin became a full-fledged phenomenon, attackers took notice too. Malware surfaced targeting Bitcoin wallet credentials on a number of platforms, including Mac OS X. The OS X CoinThief Trojan, for example, masqueraded as a Bitcoin price ticker app on a number of popular download sites.

Another attack involved a phony Bitcoin utility called Bitcoin Alarm which was purportedly a tool for alerting Bitcoin owners of shifts in the currency’s value.

And prior to Mt. Gox, the Sheep Market suffered a $106 million loss when hackers walked off with 96,000 Bitcoins. Attackers hijacked the marketplace’s domain name system (DNS) servers and routed incoming traffic through a set of servers under their control. This allowed them to spoof member accounts and steal the currency.

Google Encrypts All Gmail Connections

Threatpost for B2B - Thu, 03/20/2014 - 13:56

Perhaps no company has been as vocal about the revelations of the NSA’s collection methods as Google, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users’ sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL/TLS encryption on every Gmail connection.

The change is a significant one, especially given that Google has also encrypted all of the links between its data centers. Together the two modifications mean that Gmail messages are encrypted from the time they leave a user’s machine until the time they leave Google’s infrastructure, which makes life much more difficult for anyone, the NSA included, who is trying to snoop on those Gmail sessions. The one hop this does not cover is delivery to another provider: a message bound for a non-Gmail mailbox still leaves Google over SMTP, where encryption depends on whether the receiving mail server negotiates STARTTLS.

“Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet,” Nicolas Lidzborski, Gmail Security Engineering Lead, wrote in a blog post.

“In addition, every single email message you send or receive—100 percent of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers—something we made a top priority after last summer’s revelations.”

Google was in the process of encrypting the links between its data centers last year before the news broke that the NSA had the ability to tap those links and gather email messages and other data. That revelation enraged Google security engineers, and the company accelerated its plans to encrypt the links between data centers.

Gmail users have had the option to make HTTPS-only the default connection setting for more than four years, but the typical user may not have known the option existed. Now users don’t need to think about it; their connections to Gmail will always be encrypted.
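What "HTTPS only" means at the application edge, as an added example that is not Google’s code: plaintext requests are not served but redirected to the https:// URL, and every secure response carries a Strict-Transport-Security header so browsers stop trying plaintext at all. The example is a WSGI middleware so it can be exercised in-process without a server; the HSTS lifetime, the host name and the `app.trusted_proxy` environ key used to decide whether a reverse proxy’s X-Forwarded-Proto header may be believed are assumptions made for the example. That last check matters: if the header is trusted unconditionally, a client can put `X-Forwarded-Proto: https` on a plaintext request and skip the redirect.

```python
"""HTTPS-only enforcement as a WSGI middleware, with an in-process harness."""
from typing import Callable, Dict, Tuple

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year; a chosen value, not Google's


def is_https(environ: Dict[str, str]) -> bool:
    """True when the request arrived over TLS.

    A proxy's X-Forwarded-Proto is honoured only when the deployment has marked
    the proxy as trusted (assumed environ key 'app.trusted_proxy'); otherwise a
    client could forge the header and bypass the redirect."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    trusted = environ.get("app.trusted_proxy") == "1"
    return trusted and environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def redirect_target(environ: Dict[str, str]) -> str:
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    url = "https://" + host + environ.get("PATH_INFO", "/")
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


def https_only(app: Callable) -> Callable:
    """Wrap a WSGI app: plaintext -> 301 to https; TLS -> add HSTS to the response."""
    def wrapped(environ, start_response):
        if not is_https(environ):
            start_response("301 Moved Permanently",
                           [("Location", redirect_target(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def inbox_app(environ, start_response):
    """Stand-in for the protected application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"inbox"]


def call(app: Callable, environ: Dict[str, str]) -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app in-process and capture status, headers and body."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


def request(scheme: str = "http", forwarded: str = "", trusted_proxy: bool = False,
            path: str = "/mail", query: str = "") -> Dict[str, str]:
    """Build a minimal constructed WSGI environ for the example host."""
    env = {"wsgi.url_scheme": scheme, "HTTP_HOST": "mail.example.test",
           "SERVER_NAME": "mail.example.test", "PATH_INFO": path,
           "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    if forwarded:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded
    if trusted_proxy:
        env["app.trusted_proxy"] = "1"
    return env


app = https_only(inbox_app)

if __name__ == "__main__":
    for env in (request("http"), request("https"), request("http", forwarded="https")):
        status, headers, _ = call(app, env)
        print(status, headers.get("Location", ""), headers.get("Strict-Transport-Security", ""))
```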

Malicious iOS Tor Browser in Apple App Store

Threatpost for B2B - Thu, 03/20/2014 - 13:50

An iOS Tor Browser hosted for download on Apple’s notoriously restrictive App Store is reportedly a fake. Worse yet, the application is alleged not only to be illegitimate but also to be malicious.

According to a support ticket opened by a Tor Project volunteer operating under the handle Phobos, this iOS Tor Browser in the App Store is “full of adware and spyware.”

Threatpost reached out to the Tor Project’s Runa Sandvik and asked if there was any way to confirm that the app did indeed contain adware and spyware.

“Yes, but that would involve using the app and analyzing what it does,” Sandvik responded. “One could also attempt to reverse engineer it.”

Phobos submitted a complaint with Apple regarding the application on Dec. 26. Apple responded shortly thereafter, saying they would give the app’s developer a chance to defend the app. Since that time, more than three months ago, it seems there has been no further response from Apple. As far as we can tell, the malicious application remains available for download.

As recently as six weeks ago, Phobos indicated on the ticket that they would attempt to contact Apple again.

“Maybe we need to bypass their process, since it’s been weeks and they’re still putting users at risk?” chimed in another user on the ticket. “Or said another way, when do we start involving our personal contacts at Apple? And when do we start making a public fuss?”

The time for a public fuss apparently came yesterday:

“I think naming and shaming is now in order,” a third user said on the ticket. “Apple has been putting users at risk for months now.”

Following that, a number of prominent Tor advocates spoke up about the issue on Twitter.

It probably goes without saying that adware and spyware really undercut the efficacy of an application with the stated purpose of “empowering other apps to use the Internet more securely” and helping users “defend against a form of network surveillance that threatens the personal freedom and privacy.”

Much more seriously, the Tor Network provides cover for a wide spectrum of users – from activists to cybercriminals – who can’t afford to have their traffic monitored. In the most extreme cases, the traffic anonymization service that Tor provides is the only thing standing between an individual and persecution or even prosecution.

If you believe you need or just want to anonymize your Web surfing – for whatever reason – the best option is to download the Tor Browser Bundle directly from the Tor Project website and verify the download against the signature the project publishes for each release.

Weakness in Android Update Service Puts All Devices at Risk for Privilege Escalation

Threatpost for B2B - Thu, 03/20/2014 - 12:34

The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks.

Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges.

The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.

The researchers said they found a half-dozen different Pileup flaws within Android’s Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said.

An attacker could use a malicious application to exploit this situation and access data on the device such as user credentials, activity logs and SMS data. The researchers also said a successful attack could give the attacker newly introduced signature- and system-level permissions, leading to a deeper level of trouble.

The paper, “Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating,” was written by Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang of Indiana University Bloomington and Rui Wang of Microsoft. The frequency of Android updates—estimated to be on average of every 3½ months— and the fragmentation of the Android market make it close to impossible to adequately secure devices, the researchers said.

“Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep,” the researchers wrote. “This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws.”

Pileup flaws, short for privilege escalation through updating, ramp up the permissions given to malicious apps once Android is updated without raising an alarm to the user. “Through the app running on a lower version of Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version,” the researchers wrote.

The paper said customized versions of Android, such as those developed by device makers and carriers, are especially vulnerable to Pileup attacks. The researchers said manufacturers are purposely conservative with regard to updates so as not to interfere with the user experience. Users who have apps currently installed, for example, expect them to work seamlessly after OS updates and upgrades; that means data and features must transfer. An attacker can get a seemingly benign app onto a device that requests privileges not present on the lower OS version. The Package Management Service must compare the privileges present between updates, and it generally grandfathers in existing permission requests so as not to interfere with functionality.

“A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset,” the paper said. “Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious.”

Upon an OS upgrade, the PMS reinstalls the new and existing system apps as well as the installed third-party apps, and registers the permissions each declares. For a malicious app that means every permission it requested, including ones that did not exist on the older version, is now recognized and silently granted, because the PMS assumes that the permissions of an already-installed app were approved by the user at install time.
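The grant-on-upgrade logic above reduces to a small model, given here as an added example that is not the paper’s SecUP code or Android’s PackageManagerService. A waiting app requests two permission names that the old OS does not define (the names `READ_FUTURE_LOGS` and `MANAGE_FUTURE_DEVICE` are hypothetical, as is the `platform` signer) and so are ignored at install time. When the upgrade carries requested permissions over unchecked, both become granted the moment the new OS defines them, including one with signature protection the app could never have obtained. The checked variant re-evaluates every request against the new definitions: signature permissions require the matching signer, dangerous permissions that were never consented to are surfaced for review rather than granted, and only what was legitimately held or is harmless survives.

```python
"""Simplified model of the Pileup upgrade flaw: naive vs checked permission carry-over."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class PermDef:
    protection: str    # "normal" | "dangerous" | "signature"
    owner_signer: str  # signing identity of the package that declares it


@dataclass
class App:
    name: str
    signer: str
    requested: Set[str]                                  # names in the manifest
    granted: Set[str] = field(default_factory=set)
    pending_review: Set[str] = field(default_factory=set)  # needs the user, not silent grant


def install(app: App, defs: Dict[str, PermDef]) -> None:
    """First install: unknown names are ignored, dangerous ones get install-time consent."""
    granted = set()
    for p in app.requested:
        d = defs.get(p)
        if d is None:
            continue                                    # not defined on this OS version
        if d.protection == "signature" and app.signer != d.owner_signer:
            continue
        granted.add(p)                                  # normal, or dangerous with consent
    app.granted = granted


def upgrade_naive(apps: List[App], new_defs: Dict[str, PermDef]) -> None:
    """The flaw: anything requested that now exists is granted, on the assumption
    that an installed app's requests were already approved."""
    for a in apps:
        a.granted = {p for p in a.requested if p in new_defs}


def upgrade_checked(apps: List[App], new_defs: Dict[str, PermDef]) -> None:
    """Re-run the install rules against the new OS; never trust the old grant list blindly."""
    for a in apps:
        kept = set()
        for p in a.requested:
            d = new_defs.get(p)
            if d is None:
                continue
            if d.protection == "signature":
                if a.signer == d.owner_signer:
                    kept.add(p)
            elif d.protection == "dangerous":
                if p in a.granted:
                    kept.add(p)                         # consent was given at install time
                else:
                    a.pending_review.add(p)             # new on this OS: ask the user
            else:
                kept.add(p)                             # normal protection level
        a.granted = kept


# Constructed OS versions; permission names other than INTERNET are hypothetical.
OLD_DEFS: Dict[str, PermDef] = {
    "android.permission.INTERNET": PermDef("normal", "platform"),
}
NEW_DEFS: Dict[str, PermDef] = {
    **OLD_DEFS,
    "android.permission.READ_FUTURE_LOGS": PermDef("dangerous", "platform"),
    "android.permission.MANAGE_FUTURE_DEVICE": PermDef("signature", "platform"),
}


def waiting_app() -> App:
    """A third-party app that claims privileges only the next OS version defines."""
    return App("com.example.sleeper", signer="attacker",
               requested={"android.permission.INTERNET",
                          "android.permission.READ_FUTURE_LOGS",
                          "android.permission.MANAGE_FUTURE_DEVICE"})


def run(upgrade: Callable[[List[App], Dict[str, PermDef]], None]) -> App:
    """Install on the old OS, then upgrade with the given strategy; return the app state."""
    app = waiting_app()
    install(app, OLD_DEFS)
    upgrade([app], NEW_DEFS)
    return app


if __name__ == "__main__":
    print("naive:  ", sorted(run(upgrade_naive).granted))
    a = run(upgrade_checked)
    print("checked:", sorted(a.granted), "pending:", sorted(a.pending_review))
```

The model covers only the permission-grant path; the paper also describes name collisions where a third-party package declares an attribute bearing the name of a future system one, which the same principle answers: during an upgrade, system definitions win and third-party state is re-validated, never merged by name alone.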

All of the issues have been reported to Google, the researchers said; Google has already patched one of the six vulnerabilities.

As for the team’s SecUP scanner, it inspects Android APKs already installed on a device, identifying those that are likely to cause privilege escalations during an update, the paper said. SecUP is made up of a number of components, including a vulnerability detector, exploit opportunity analyzer and a risk database, in addition to the scanner app, the paper said.

“The detector verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints, in which we expect that the attributes, properties (name, permission, UID, etc.) and data of a third-party app will not affect the installation and configurations of system apps during an update,” the researchers wrote. “A Pileup flaw is detected once any of those constraints are breached.”

The analyzer then kicks in and searches Android factory images for places where privilege escalation could happen; that information is stored in the risk database. The scanner app uses that database to check third-party apps and alerts the user to any potential risks.

New Zorenium Bot Boasts Ability to Run on iOS

Threatpost for B2B - Thu, 03/20/2014 - 11:12

UPDATE–The iOS platform has been remarkably resistant to malware infections over the years and attackers interested in mobile devices mainly have focused their efforts on Android. But the developer of a little-known bot that has the ability to run on Linux and Windows machines now has a version that apparently can run on iOS as well.

The Zorenium bot is not one of the brand-name bots that constantly make headlines. The bot is only a few months old and hasn’t yet gained the attention of many researchers. It has many of the same capabilities that other pieces of custom malware have, including form-grabbing, banker Trojan functionality, DDoS and even Bitcoin mining. But it’s Zorenium’s apparent ability to run on recent versions of iOS that sets it apart.

“Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium a relatively new and unknown bot, which has been up for sale in the underground from January 2014 is getting new features in its March 18th update, including, also, ability to infect iOS devices (version 5-7), alongside its existing capabilities to run on Linux and Windows based machines. Also, in this update, the developers have updated the rootkit to TDL4 (This making it vulnerable to anti TDSS tools),” Tanya Koyfman and Assaf Keren of the SenseCy blog, run by Israeli company Terrogence, wrote in a blog post on the bot.

Zorenium has been advertised on Pastebin and the first version of the bot was available for direct download via a link posted on Twitter in December. The full release notes for the latest version of Zorenium detail the bot’s full functionality, including its banking Trojan capability and its use of the TDL family of rootkits. TDL, also known as Alureon, is a nasty rootkit that has been around for several years and has been used to build a number of large botnets. The most recent version, TDL4, has a number of advanced capabilities, including the ability to bypass some Windows code-signing requirements.

The Zorenium developer boasts in his notes for the bot that the malware is not detected by any major antimalware products and says that the bot’s processes and other components are protected from being stopped or removed through the use of a number of different methods. The developer also says Zorenium can trick users into thinking their machine is shutting down.

“After alot of work, testing and money spent. We can now make the victims believe there SYSTEM is being shutdown on victim input. Thus means zorenium will throw fake images to make the user believe hes shutting down his machine. Zorenium will then shut down the screen to standby mode ( until the Poweron button is initialized ). Whilst the user thinks he or she is shutting down there machine, we can stop (Delay) the CPU Fan, and other fans, which will make a racket making the user believe his or her system is still running,” the notes say.

The base model of Zorenium, without the rootkit, banker Trojan and Bitcoin miner, sells for £350, while the version that includes those modules goes for £2,000. The Zorenium binary with Tor and P2P capability for command and control sells for £5,000.

The Zorenium malware is related to the Betabot malware, which has been used in attacks against financial institutions and other sites since last year. The FBI issued a warning about Betabot in September, warning consumers that the malware will masquerade as a Windows security warning dialog box.

“Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise,” the FBI warning says.

“Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named ‘User Account Control’ that requests a user’s permission to allow the ‘Windows Command Processor’ to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites.”

The security measures, vertical software development and installation model, and exploit mitigations included in iOS have made the platform a difficult target for attackers. There has been a small string of code-execution vulnerabilities found in various versions of iOS, many of them discovered by members of the jailbreak community. Apple has patched those, but users who jailbreak their devices typically don’t update them, because updating removes the jailbreak and restores the stock operating system.

For Zorenium to run on an iOS device, it likely is running on jailbroken phones, unless the bot uses a previously unknown vulnerability in the operating system.

“According to a release note from the developer of the Zorenium malware, dated of the 18th of March, the new version supposedly is able to run on iOS 5-7 , as well as most Debian platforms and the latest Android tablets. One platform stands out of this list, iOS as there aren’t so many threats to run on it. It is currently unclear wether the apple device needs to be jailbroken or not, in order to be infected. However, considering the fact that the Windows versions of Zorenium were far from being advanced threats, it is most likely that it will only run on the jailbroken device,” said Nicolas Brulez, principal security researcher at Kaspersky Lab.

This story was updated on March 20 to add details from the Zorenium release notes. 
