Tuesday, 17 September 2013

Kaspersky Lab Honored with AV-Test 2013 Innovation Award

AV-Test Innovation 2013 Award received by Eugene Kaspersky
Based in Magdeburg, Germany, independent security testing lab AV-Test runs a wide variety of ongoing tests to identify which antivirus products do the best job. Among other things, AV-Test researchers measure how well each product defends against attack by malicious software, evaluate how much of an impact it has on system performance, and analyze components that contribute to good usability. In between their regular reports, they stepped back to consider which product has the most innovative technology. Kaspersky Lab earned this honor, receiving the AV-Test Innovation Award for 2013.
Every security product must block malware attacks and, if necessary, root out malware that's already taken up residence; that's the baseline. Kaspersky was honored specifically for going beyond the basics with the secure online transaction technology found in Kaspersky Internet Security (2014) and other Kaspersky products.
In a press release announcing the award, AV-Test lauds Kaspersky's secure browser, which kicks in automatically for known financial sites and other sensitive sites. The secure browser "precisely examines all websites, blocks phishing websites and protects the browser from being accessed by other programs on the PC." It blocks keylogging and screen scraping, keeping all external programs from accessing browser data. AV-Test also praised the vulnerability scanner built into Kaspersky products, noting that the PC "can only be sealed off from malware and hackers when all updates have been installed."
Independent of any specific product, Kaspersky's researchers work hard to "detect and deactivate botnets and spambots." For example, earlier this year Kaspersky researchers released a report on the well-hidden Red October campaign. This spy campaign hoovered up hundreds of terabytes of data over a period of five years. (Yes, that figure was more impressive when the report came out in January; it's since been eclipsed by our own government's universal surveillance.)
CEO and co-founder Eugene Kaspersky accepted the award in person, in Magdeburg, Germany. For more details, check the AV-Test website.

Chinese hacking group Hidden Lynx unmasked after string of attacks

A hacker group believed to be behind some of the most successful spear phishing and watering hole campaigns in history has been linked to China.
Symantec researchers Stephen Doherty, Jozsef Gegeny, Branko Spasojevic and Jonell Baltazar reported uncovering evidence linking the group to China in the company's Hidden Lynx: Professional Hackers for Hire threat report, after examining forensic evidence from a recent attack on security firm Bit9. "Much of the attack infrastructure and tools used during these campaigns originate from network infrastructure in China," said the report.
The Symantec researchers added that forensic analysis indicates the group has at least 50 skilled members capable of creating advanced, dangerous attacks and has been operating since at least 2009.
"They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the Hidden Lynx group would need to be a sizeable organisation made up of between 50 and 100 individuals," read the report.
"The Hidden Lynx group makes regular use of zero-day exploits and has the ability to rework and customise exploits quickly. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region."
The researchers highlighted the group's track record in creating and mounting sophisticated watering hole and spear-phishing attacks on Bit9 customers and involvement in the Voho hacking campaign as proof of its capabilities. "The group's tools, tactics and procedures are innovative and typically cutting edge. They use custom tools and techniques that they tailor to meet their objectives and maximise their chance of success," said the report.
The Voho campaign was originally discovered by the security firm RSA in 2012. It saw the group target hundreds of companies in numerous industries, including technology, banking, healthcare and defence, as well as government agencies.
Symantec said that, despite tracking the group to China, it is unclear what links, if any, they have to the country's government, and current evidence suggests they are little more than cyber mercenaries for hire.
"This broad range of targeted information would indicate that the attackers are part of a professional organisation. They are likely tasked with obtaining very specific information that could be used to gain competitive advantages at both a corporate and nation state level," read the report.
"It is unlikely that this organisation engages in processing or using the stolen information for direct financial gain. Their mode of operation would suggest that they may be a private organisation of ‘hackers for hire', who are highly skilled, experienced professionals whose services are available for those willing to pay."
Symantec is the latest in a long line of security firms to link hacking groups to China. Security firm Mandiant reported linking the Comment Crew team to a Chinese military unit based in Shanghai's Pudong district. The group is believed to have mounted attacks on over 141 companies. The Chinese government has consistently denied any involvement in the attacks, arguing cybercrime is an international problem.

Darkleech campaign targets Java to spread Reveton ransomware

The Darkleech campaign responsible for compromising thousands of websites has resurfaced, targeting Java and Adobe vulnerabilities to spread the Reveton ransomware.
Security firm FireEye reported in a public blog post that it was alerted to the latest wave of Darkleech attacks after one of its own web URLs was targeted. "We were notified by several security researchers that a fireeye[.]com/careers HR link was inadvertently serving up a drive-by download exploit," read the post.
"It turns out, this attack was not targeted and it was not a watering hole attack. Instead, this campaign appears to be a recent wave of the Darkleech malware campaign, where third-party Horde/IMP Plesk Webmail servers were vulnerable to attack and used to serve up Java exploits that ultimately drop yet another ransomware named Reveton (similar to Urausy)."
Malware research engineer at FireEye Josh Gomez told V3 the attack is a development on the traditional Darkleech operation, and uses a multi-stage process to redirect users to malware-ridden websites.
"Darkleech itself is mainly responsible for getting you to the page that does the actual exploitation. Think of it as a crook who jumps out of some dark alley as you are trying to walk to the store. You are minding your own business when he pops out and says, ‘Hey, come here, go this way, this is the way to the store.' Next thing you know, you follow his lead and end up getting robbed and assaulted by masked men in that alley," he said.
"The next stage is where the actual attack takes place, systems become exploited and subsequently infected. The URL that Darkleech tries to get the victim to load is typically that of a site hosting the Blackhole Exploit Kit. The Blackhole Exploit Kit is a professional framework for automatically exploiting weaknesses in vulnerable browsers, as well as vulnerable versions of Java and Adobe software, such as Adobe Reader."
Gomez said the new attack will likely be a headache for businesses, as the criminals' infection method can circumvent many traditional cyber defences and can be used to spread a multitude of other malware when combined with tools such as the Blackhole Exploit Kit. "This type of attack can affect users and business by subverting perimeter security defences and allowing dangerous malware to enter the enterprise," he said.
"In the case of Darkleech plus Blackhole campaigns, we primarily see click-fraud Trojans (ZeroAccess), downloaders (that download other malware, such as Pony), credential-stealing banking Trojans (Zbot/Zeus) and ransomware-style malware where a user's computer can be locked and held hostage until a ‘ransom' is paid to unlock it."
The FireEye researcher said businesses should be extra vigilant with their update cycles and reassess whether they need to run Java at all.
"To defend against this sort of attack, enterprises and users should maintain up-to-date versions of web browsers as well as Java and Adobe reader versions. If Java is not needed, it can be disabled to mitigate Java-based attacks. Also, having up-to-date perimeter security solutions as well as host antivirus and intrusion prevention systems on the endpoint itself can help prevent falling victim," he said.
Darkleech is a malicious module designed to target Apache (web) servers. It is already believed to have turned thousands of websites hosted on Apache into malware-spreading tools. Worse still, the tool is known to be available on numerous cyber black markets for as little as $1,000.

Brazil hackers mistake NASA for NSA in spying payback

BRASILIA - Hackers have hit back in retaliation for US cyber-spying on Brazil but mistook the US space agency NASA for the National Security Agency (NSA), a news website reported here Tuesday.
"Some activists decided to protest this US practice but it seems that they picked the wrong target," a specialized blog of the Brazilian news portal Uol said.
"They hacked NASA's web page and left the message: Stop spying on us," it said.
The hackers' message also called on the United States not to attack Syria.
A NASA spokesman confirmed that a Brazilian hacker group last week posted a political message on a number of NASA websites.
"At no point were any of the agency's primary websites, missions or classified systems compromised," said NASA spokesman Allard Beutel.
"We are diligently taking action to investigate and reconstitute the websites impacted during the web defacement incident," he said.
The attack followed recent disclosures that the NSA spied on Brazilian President Dilma Rousseff's email communications and on the state-run energy giant Petrobras.
The disclosures were based on documents obtained by former US intelligence contractor Edward Snowden.
Brasilia slammed the alleged spying as "unacceptable" and demanded explanations from Washington.
Rousseff, who spoke by telephone with US President Barack Obama about the affair late Monday, was expected to announce Tuesday whether she will go ahead with a state visit to Washington that had been planned for October 23.

Hacking – Give me 10 minutes to hack the Nasdaq

Hacking the Nasdaq is very easy, according to security expert Ilia Kolochenko, who reported numerous vulnerabilities in the exchange's official website.

Just 10 minutes could be enough for an attacker to hack the Nasdaq Stock Market; that is the alert raised by Ilia Kolochenko, head of the Swiss information security company High-Tech Bridge. The security expert has repeatedly warned Nasdaq.com about the risk of a cyber attack against one of the most important stock exchanges. Hackers could hit the financial world in various ways, targeting clients and trading platforms, as security firm Group-IB revealed a few months ago. Kolochenko warned that hackers could steal sensitive data from victims, and highlighted that the exchange has done nothing to preserve the security of its customers.
“A good hacker can get full access to Nasdaq.com in a couple of days with the ability to do almost whatever he wants, such as push an announcement that Facebook shares have dropped 90%, [which] could cause havoc on the stock exchange.” “It is quite frightening when you think about it. I discovered these vulnerabilities in just 10 minutes with a Firefox browser without any special tools or software.” “What is shocking is their attitude and ignorance of notifications, especially taking into consideration their recent technical failure,” said Kolochenko.
Intruders could hack the Nasdaq website and gain complete control of it; once it was compromised, cyber criminals could serve malware, steal users’ browser history and cookies, and perform phishing attacks. The warning coincided with the Nasdaq’s trading halt, caused, according to official sources, by a “technical glitch” that shut it down for three hours on 22 August.
According to many computer experts, the incident could hide a concerning truth: it could have been caused by a politically motivated cyber attack. It is no mystery that stock exchanges are considered critical infrastructure and are therefore privileged targets of state-sponsored attacks. At about the same time as the Nasdaq’s technical problem, the Syrian Electronic Army hit The New York Times’ website.
The cyber security expert Kolochenko was able to inject some code into the website without being detected.
“This means anyone could inject arbitrary HTML code into Nasdaq.com to display a fake Web form demanding credit card numbers and other personal information or to inject malware to infect PC users. The only limit is the hacker’s imagination.”
Code injection is just one way to hack the Nasdaq; Kolochenko found another vulnerability that would allow hackers to redirect Nasdaq.com visitors to malicious websites serving malware designed to steal sensitive information.
The threat also extends to the stock exchange's own employees, who could easily fall victim to a spear-phishing attack: Kolochenko maintains that another way to hack the Nasdaq is to send a unique link in a private message to Nasdaq technical support or administrators and wait for a click in order to steal confidential information from the victim’s browser.
Nasdaq's representatives rejected Kolochenko’s allegations that the official website lacks adequate security:
“We take all information security matters seriously. We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets,” said the Nasdaq spokesman.
Security of web services such as stock exchanges must be approached with serious consideration
Although it is no mystery that, with a Cross-Site Scripting (XSS) flaw, an attacker can inject malicious code into the pages of a vulnerable website, the number of successful attacks keeps increasing. Vulnerable websites expose company owners and their clients to concrete risks of being hacked … the provocative title I have chosen, “Give me 10 minutes to hack the Nasdaq”, is far from fantasy!
With an XSS attack, hackers can “phish” website visitors and steal their data; by exploiting a SQL injection flaw, it is possible to access a company's entire database, with serious consequences.
The latest “ENISA Threat Landscape” report, issued in early 2013, identified and listed the top threats and their trends, and concluded that drive-by exploits have become the top web threat. The top three threats according to the ENISA report are:
To draw a picture of the current security landscape, the document considers data from 120 recent reports, released in 2011 and 2012, from the security industry, CERTs, standardization bodies and other independent parties.
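A defensive illustration of the two flaw classes just named, added to this summary (it is not code from Kolochenko, High-Tech Bridge or Nasdaq): a page fragment and a database lookup, each in its vulnerable and hardened form, run against constructed input. The visitor name, the users table and the fake-form markup are assumed sample values.

```python
import html
import sqlite3

# Constructed sample of untrusted input of the kind the article describes:
# markup that would render a fake card form if reflected into a page unescaped.
INJECTED_MARKUP = '<form action="https://example.invalid/collect">Card: <input name="cc"></form>'


def render_unsafe(visitor_name: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the HTML page."""
    return "<p>Welcome, " + visitor_name + "</p>"


def render_safe(visitor_name: str) -> str:
    """Hardened: every untrusted value is HTML-escaped before it reaches the page."""
    return "<p>Welcome, " + html.escape(visitor_name, quote=True) + "</p>"


def contains_markup(rendered: str) -> bool:
    """True if the rendered page still carries a live injected tag (here the fake form)."""
    return "<form" in rendered


def setup_db() -> sqlite3.Connection:
    """In-memory database with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: string formatting lets the input rewrite the WHERE clause."""
    return conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print(render_unsafe(INJECTED_MARKUP))   # fake form survives in the page
    print(render_safe(INJECTED_MARKUP))     # form is shown as inert text
    db = setup_db()
    tampered = "x' OR '1'='1"               # textbook input that widens the WHERE clause
    print(lookup_unsafe(db, tampered))      # returns every row
    print(lookup_safe(db, tampered))        # returns nothing: no user has that literal name
```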

Once again I decided to publish the conclusions of the interesting Web Application Attack Report published by Imperva, which provides an overview of the principal cyber security events that occurred during the last 12 months.
[Figure: Imperva Web Application Attack Report, retailer incidents]

The security of web applications is an obligation; the following are a few recommendations for attack mitigation:
  • Deploy security solutions that prevent automated attacks and are able to differentiate between automated bots and human clients. Security procedures and solutions should be as automated as possible to mitigate an attack volume that is too overwhelming for humans to monitor.
  • Share information and threat intelligence about cyber attacks.
  • Detect and block attacks that target known vulnerabilities.
  • Acquire intelligence on malicious sources in order to blacklist the principal attack sources.
  • Size countermeasures for the worst-case scenario, not the average case.

HP extends enterprise services to spot serious security breaches within minutes

HP has unveiled a host of new enhanced enterprise security services and tools, which it claims will let enterprise-size businesses spot security breaches in 12 minutes.
HP announced Supplier Security Compliance Solution and Distributed Denial of Service (DDoS) Protection Services, claiming they will let customers resolve 92 percent of major incidents within two hours of detection. The features fit into HP's existing Managed Security Services (MSS) and Enterprise Services.
MSS chief technologist at HP, Rhod Davies, told V3 the new Supplier Security Compliance Solution builds on the company's experience to help companies become compliant with governments' data handling and security laws.
"This grew out of the deployment of one of HP's biggest UK customers. We've been doing that supplier management for them and we learned a lot of lessons and have expanded to offer it to our other customers," he said.
He added the compliance tool will also help customers boost security across their supply chain. "Quite a few recent attacks have been not against the organisation itself but against their supplier, because it's easier to get around and in through them. So one of our announcements is a series of consulting services that will help. It starts off by letting you see what the threats are and what controls you should have in place, and ultimately offers you the option to have HP run that supply chain compliance," said Davies.
HP's DDoS Protection Services is a key tool built off DDoS protections technology provider Akamai's platform. "The DDoS is a general application that plugs into our existing managed services. The underlying platform is Akamai's anti-denial of service technology, but we've put a management wrapper around it to make it integrate with the other management services we deliver," he said.
As well as the new services, HP also unveiled its next-generation portfolio of anti-hacker technologies. Key additions include the HP Threat Central, SureStart tools and TippingPoint Next-Generation Firewall (NGFW) services.
Davies explained that HP Threat Central is a community-sourced security intelligence platform designed to increase the amount of threat data being shared by businesses. He added it is an essential step in the firm's ongoing battle to combat the recent wave of advanced attacks being created by cyber criminals.
"We've seen attackers that have their own ecosystem, where they can more or less plug together modules and are specialising in specific forms of attack, and collaborating and sharing information. The attack side has become that much more sophisticated, while on the defence side, I think it's fair to say, a lot of security professionals live in their own little bunkers and don't exchange information," he said.
"This is partly because they're too busy and partly because they're worried about the information they're trying to protect potentially being shared with the competition. We need to step up the level of collaboration."
The centre is aided by HP's upgraded HP ArcSight and HP Fortify security technologies. The technologies are designed to scan network activity and data to offer customers real-time application-level threat detection. Davies listed HP SureStart as another key service that will help companies future-proof themselves against attacks on machines' basic input/output system (BIOS).
"For quite a while now there have been various security researchers playing with the idea, ‘What could I do if I subverted the BIOS?' Attackers started off targeting the operating system; now they're trying to get under it, seeing what they could do if they get into the BIOS. SureStart is a technology going into our Elite range of PCs and will help protect against subversion of the BIOS. That's a really pointed technology attack and solution," he said.
Finally HP's TippingPoint NGFW is designed to block new risks introduced by cloud and mobile. The expanded tools and services follow a wider push by HP to increase its presence in the enterprise security market. HP recently released its new Fortify Static Code Analyzer 4.0, claiming the tool will improve companies' software security assessment speeds tenfold.