Monday, 18 November 2013

Windows 8.1 – security improvements

The release of Windows 8.1 includes a host of improvements, both cosmetic (welcome back, Start button) and “under the hood” improvements.  A new white paper, titled Windows 8.1 Security – New and Improved, looks at the some of the most anticipated—and controversial—security features of this new “.1″ point release of Windows 8, including:
  • Updated biometric security framework:  Support for fingerprint recognition has been greatly improved, and we can expect to see fingerprint readers appearing in more Windows devices.
  • InstantGo device manageability:  In combination with new hardware from Microsoft partners, this new low-power mode of operation allows for always-on, always connected device scenarios, which translates into always managed for Information Technology and Security departments.
  • Pervasive Device Encryption:  If the hardware supports it, your drive(s) will be transparently encrypted by Windows 8.1.  We take a look at what this means for users.
  • Windows Defender:  Find out what’s new in the updated version of Microsoft’s free anti-malware program.
The white paper also takes a look at Windows 8 (and 8.1)’s adoption rate, discusses new risks introduced by Windows 8.1, and looks at whether or not IT shops and users should upgrade.
The white paper is available in two formats, and can be found in both the ESET Threat Center’s White Papers section (portrait formatting) and We Live Security’s White Papers section (landscape formatting).

“Tens of millions” at risk from Filecoder due to “mass email spam event” targeting small businesses, British police agency warns

Tens of millions of computer users are at risk from Filecoder due to a “mass spamming event”,  detailed in an alert from Britain’s National Cyber Crime Unit.
The malware, identified by ESET as Win32/Filecoder, is transmitted via emails that appear to come from banks and financial institutions, the National Cyber Crime Unit warns.
“The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular. This spamming event is assessed as a significant risk,” the NCU warned, as reported by The Register.
“The emails carry an attachment that appears to be correspondence linked to the email message (for example, a voicemail, fax, details of a suspicious transaction or invoices for payment),” the agency warns.
Filecoder works by encrypting the user’s files, displaying a countdown timer, and demanding a ransom of 2 bitcoins (approx $946), the NCU said. The British agency says that it “would never endorse the payment of ransom to criminals and there is no guarantee that they would honour the payments in any event.”
Lee Miles, Deputy Head of the NCCU says “The NCA are actively pursuing organised crime groups committing this type of crime. We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public.”
The Register describes the encryption Filecoder uses as “virtually unbreakable” in its report.
The British agency’s warning follows a message from the U.S. Computer Emergency Response Team (US-CERT) a warning of an “increasing number” of infections with Cryptolocker, as reported by We Live Security here.
ESET Malware Researcher Robert Lipovsky says, “We’ve noted a significant increase in Filecoder activity over the past few summer months,” in a detailed blog post where Lipovsky says, “We hope to answer the many questions we’re getting about this issue.
Lipovsky’s report on We Live Security showed countries that were being targeted with the malware – delivered via drive-by downloads and email attachments, among other common infection methods. At the time, Russia, Spain and Italy were the site of most infections.
US-CERT’s warning said that in the U.S., the malware, “appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices,” the agency said.  “ In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.
“To decrypt files, you need the private key,” the Trojan warns users, “The single copy of the private key is on a secret server. The server will destroy the key after the time specified in this window. After that, nobody will be able to restore the files.”
PC Authority said that on 1 November, a variant of the Trojan allowed users to recover “past deadline” by paying an even bigger sum – 10 bitcoins, or $3,000.

The malware affects Windows users running Windows 7, Vista and XP.
The threat is not an empty one, Lipovsky says, “Unfortunately, in most cases, recovering the encrypted files without the encryption key is nearly impossible.”

With quick action, users can sometimes recover data – but the best defense is caution. A guide to how to defend against ransomware is here. The most important advice is to back up data, according to Lipovsky.
“If they have backups, than the malware is merely a nuisance,” says ESET researcher Robert Lipovsky. “So, the importance of doing regular backups should be strongly reiterated.

Androids destroyed: Hacking contest pays out $50,000 “bug bounties” for successful attacks on Nexus 4 and Galaxy S4

A hacking contest paid out $117,500 in prizes this week for exploits against handheld devices – and the biggest winner was “Pinkie Pie”, an under-21 hacker who used drive-by attacks to take over a Samsung Galaxy S4 and a Nexus 4, both of which run Android.
Ars Technica described Mobile Pwn2Own as “making sport out of serious security bugs,” in its report, and said that Pinkie Pie’s hacks relied on vulnerabilities in Google’s Chrome Browser.
Pinkie Pie’s hacks drew applause from the audience – using a malicious site to compromise the devices, and then executing code on both the Nexus 4 and Samsung Galaxy S4, according to The Register’s report.
Heather Goudey, a senior security content developer at HP, which sponsors the contest, wrote, “Within minutes, we had witnessed a successful exploit on two different devices and were ready to pay $50,000 USD for the privilege. Pinkie Pie compromised Chrome on both a Nexus 4 and a Samsung Galaxy S4 just for good measure.”
“The exploit took advantage of two vulnerabilities – an integer overflow that affects Chrome and another Chrome vulnerability that resulted in a full sandbox escape. The implications for this vulnerability are the possibility of remote code execution on the affected device.”
Cybercriminals are increasingly targeting Android devices, with malware detections rising in China and the West, according to a We Live Security report.

Microsoft Silverlight users at risk from Angler exploit kit

Digital security padlock red image
Hackers are using the Angler exploit kit to automatically spread malware using a vulnerability in the Microsoft Silverlight service.
Malwarebytes senior security researcher Jerome Segura uncovered the attack targeting a vulnerability in Microsoft Silverlight versions 5 and below, warning that it has the potential to infect millions of PCs with malware.
"The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction," he said.
"Upon landing on the exploit page, the Angler exploit kit will determine if Silverlight is installed and what version is running. If the conditions are right, a specially crafted library is triggered to exploit the Silverlight vulnerability. As with all exploit kits, leveraging vulnerabilities is just an intermediary step for the real motive: pushing malware onto the victim's machine."
Silverlight is a Microsoft service similar to Adobe Flash, which is used for rich internet applications. The Silverlight web plugin is used by several popular services, including Netflix, which currently boasts over 40 million global users. Segura said he expects hackers to add the Silverlight vulnerability to other exploit kits in the very near future.
"We can expect this CVE [common vulnerability and exposure system] to be integrated into other exploit kits soon, so it is important to make sure you patch all your machines now," he said. "If you don't need Silverlight – or other plugins – simply remove it altogether as that will help to reduce your surface of attack."
Exploit kits are hack tools traded on cyber black markets, which let users automatically mount cyber attacks on known vulnerabilities to spread a variety of malware. The kits have been used in several recent high-profile attacks.
Earlier this year hackers were spotted using the Blackhole exploit kit to mount a sophisticated phishing scam, sending out bogus malware-ridden emails claiming to be from high-profile companies such as Facebook and LinkedIn. Malwarebytes also discovered new ransomware being spread by the Neutrino exploit kit, targeting Java with a fake Skype file.

UK SMEs warned of ransomware email scam demanding Bitcoin payments

UK SMEs have been warned about a ‘significant risk’ from a plague of spam ransomware emails claiming to be from banks and other financial institutions.
The National Crime Agency (NCA) issued the alert over the weekend, explaining that it had seen a spike in emails with attachments that look like voicemails, faxes or payment invoices.
In fact the email contains malware called Cryptolocker, which encrypts files and the network the machine is attached to. It then demands a payment of two Bitcoins – worth around £530 – to remove it.
The NCA said firms should not pay this ransom as it was unlikely to have any effect. Lee Miles, deputy head of the National Cyber Crime Unit (NCCU) within the NCA said the organisation was working hard to bring those behind the scam to justice.
"The NCA are actively pursuing organised crime groups committing this type of crime,” he said. We are working in co-operation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public."
The NCA urged firms to be vigilant against the threat by making sure staff are informed of the scam, that antivirus software is up to date and that backups of important files are stored off networks in case the worst should happen.
Criminal focus on SMEs has increased in 2013, with reports earlier this year citing the cost of some attacks on firms as reaching as high as £65,000 per incident.

Jeremy Hammond on state-sponsored hacktivism

Jeremy Hammond was sentenced to 10 years in federal prison, during the process he declared that FBI directed my attacks of Anonymous on foreign governments.

Jeremy Hammond, the popular Anonymous hacktivist considered the principal responsible for the disclosure of thousands of emails from the private intelligence firm Stratfor was sentenced on Friday to 10 years in federal prison.
The judge Preska also imposed a further three-year period of probationary supervision once Hammond is released from jail that includes extraordinary restrictive measures to prevent him to hack again, his internet activity will be monitored, and of course his person, to avoid contact with groups of hacktivists and with the hacking community. The Guardian reported:
“Hammond’s 10-year sentence was the maximum available to the judge after he pleaded guilty to one count of the Computer Fraud and Abuse Act (CFAA) relating to his December 2011 breach of the website of the Austin, Texas-based private intelligence company Strategic Forecasting, Inc. Delivering the sentence, Preska dismissed the defendant’s explanation of his motivation as one of concern for social justice, saying that he had in fact intended to create “maximum mayhem”. “There is nothing high-minded and public-spirited about causing mayhem,” the judge said.” 
But who are hacktivists like Sabu and Hammond? Let’s start from the consideration that these guys are cyber experts, they are hackers and for this reason are considered precious professionals especially for intelligence and government agencies … there is a unique big problem, they work on the wrong side and law enforcement has to do all the possible to convince them to the collaboration.
Is it possible that FBI and US intelligence have tried to infiltrate Anonymous to influence its operations?
In August former LulzSec leader Sabu (Hector Xavier Monsegur) was accused by the hacker Jeremy Hammond to have incited state-sponsored attacks for the U.S. Government, Hammond also declared in a Manhattan court that he was directed by an FBI informant to break into the official websites of several governments around the world.
The revelation is not surprising, why destroy a so powerful movement when it is possible to become its ally and take advantage of its offensive capabilities?
Jeremy Hammond revealed a federal court for the southern district of New York,  “Sabu” had requested him to target a list of websites, including those of many foreign countries, that were vulnerable to attack.
Jeremy Hammond referred specifically Brazil, Iran and Turkey before being stopped by judge Loretta Preska that requested to secretate the deposition.
“I broke into numerous sites and handed over passwords and backdoors that enabled Sabu – and by extension his FBI handlers – to control these targets,” told the court.
Jeremy Hammond added that when he and Sabu attacked web sites belonging to foreign governments they provided detailed instruction on how to crack into the targets of one particular unidentified country to other members of the collective that supported the attack.
“I don’t know how other information I provided to [Sabu] may have been used, but I think the government’s collection and use of this data needs to be investigated,” “The government celebrates my conviction and imprisonment, hoping that it will close the door on the full story. I took responsibility for my actions, by pleading guilty, but when will the government be made to answer for its crimes?”added to the court
The process revealed another uncomfortable truth on the borderline activities of the US Government, after the questionable surveillance program and the revelation of the hacking platform codenamed FOXACID, Jeremy Hammond has reported how the FBI has instrumented the offensive capabilities of groups of hacktivism like Anonymous.
The situation is surreal, Jeremy Hammond was sentenced Friday to 10 years in prison for stealing internal emails from Stratfor while US authorities has used similar methods against government without being judged nor condemned it.
Free Jeremy Hammond
The Hammond’charges against FBI are heavy, it would be a very serious fact that the U.S. Government had used the hacktivists to hit other states, I understand the way US Government is trying to discourage hackers and whistleblowers for homeland security but I expect a yardstick fair.
Let’s consider also that US retaliation strategy against hackers could trigger a war without winner that could really advantage foreign state-sponsored hackers.
Jeremy Hammond declared he had been motivated to join Anonymous because of a goal to “continue the work of exposing and confronting corruption”. [He had been] “particularly moved by the heroic actions of Chelsea Manning, who had exposed the atrocities committed by US forces in Iraq and Afghanistan. She took an enormous personal risk to leak this information – believing that the public had a right to know and hoping that her disclosures would be a positive step to end these abuses.”
As sustained by Hammond,  very questionable is also the role of unregulated private intelligence firms like Stratfor,  the young hacker has serious responsibility and he has to pay for this but in a proportional way, the intelligence has been operating for many years in an uncontrolled way and surveillance programs like PRISM are the demonstration.
I afraid that this witch hunt will exacerbate the tones of a difficult dispute between the government and hacktivists, foreign governments could benefit of the attacks that will occur for sure in the next days, recent memo issued by the FBI demonstrates that Anonymous have the capabilities to infiltrate US networks, but consider also that state-sponsored hackers could do the same or can syphon data stolen by Anonymous.
Margaret Kunstler, Hammond’s lead defense lawyer, commented the verdict with these statements:
[maximum punishment was] “not a great surprise”.
I was not surprised too but I believe that the Hammond’s case could be the starting point of new dangerous cyber tensions, on a technical point of view IT community has lost a skilled professional for the next year, but as I always remark you cannot stop an ideology with arrests and convictions.

Discovered Open URL Redirection flaw in Facebook

Researcher Dan Melamed recently discovered an open url redirection flaw in Facebook that allowed to have a link redirect to any website.

A Facebook Open URL Redirection vulnerability is the last discovery of security expert Dan Melamed that reported it in a recent post.
Dan is an old acquaintance of Security Affairs, he revealed in July a Critical Facebook vulnerability that allowed account hacking, in August he discovered 2 Facebook vulnerabilities related to the Fanpage Invite of the popular social network and a few weeks later he found a Critical Pinterest Exploit threatens the privacy of millions of users.
About a week ago, he made another interesting discovery, he has found an open url redirection vulnerability in Facebook that allowed him to have a link redirect to any website without restrictions.
Open URL Redirection
An open URL Redirection flaw is generally used to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website, the target website could be used to serve a malware or for a phishing attack.

An Open URL Redirection url flaw in Facebook platform and third party applications also exposes the user’s access token at risk if that link is entered as the final destination in an Oauth dialog.
The Facebook Open URL Redirection vulnerability is present in the way Facebook manages the “url” parameter, for example the following URL

always redirects to the Facebook homepage, but it is sufficient to manipulate the “url” parameter assigning a random string:
In reality the above URL generated a unique “h” variable and passed the url parameter to Facebook’s Linkshim (l.php):
Once noted the redirection process, Dan Melamed explored the way to exploit the mechanism to bypass the restrictions on redirection and load an arbitrary link. Dan discovered that simply removing the http:// part of the target destination it was able to redirect a Facebook link elsewhere without any restrinction.
The Facebook’s Linkshim (l.php) interprets the link the same as making possible the redirection.
Facebook informed Dan that because the redirection occurs through the l.php method, the social networking platform is able to apply a proper filter from redirecting using automatic spam and malware analysis.
It is easy to understand that despite Facebook filters target url,  it could not detect all malware/spam campaign addressed “and by the time a link is banned, an attacker would have already moved on to another link.”
Following a video Proof of Concept of the open URL Redirection flaw:
Facebook quick fixed the vulnerability after the Dan’s report and the payout for the bug is $1,000.
Pierluigi Paganini

FBI warns of US government networks violated by Anonymous

The FBI is warning that members of the Anonymous hacking collective have violated networks belonging to multiple government agencies stealing sensitive data

The Reuters agency reported that members of the hacktivist group of Anonymous  secretly violated U.S. Government networks in multiple agencies and stolen sensitive information. The FBI warned that the hacking campaign began almost a year ago, the hacktivists have exploited a flaw in Adobe applications to compromise the target systems and install software backdoors to maintain the control of the victims computers over the time, the facts dated back to last December.
The alert issued this week by the FBI reveals that the hacking campaign affected the U.S. Army, Department of Energy, Department of Health and Human Services, and other government agencies.
[the attacks are] “a widespread problem that should be addressed.” states the FBI memo.
The memo issued by the FBI also provided useful information for system administrators to discover evidences of Anonymous attacks on their system, it suggests what to look for to determine if their networks are compromised.
anonymous last resort
The nature of the attack led the security experts to believe that Anonymous is conducting a wide range cyber espionage campaign against Government agencies, the hacktivists are still operating under coverage according law enforcement.
“According to an internal email from Energy Secretary Ernest Moniz’ chief of staff, Kevin Knobloch, the stolen data included personal information on at least 104,000 employees, contractors, family members and others associated with the Department of Energy, along with information on almost 2,0000 bank accounts. The email, dated October 11, said officials were “very concerned” that loss of the banking information could lead to thieving attempts.” states Reuters post.
It seems that the hacking campaign was linked to the case of Lauri Love, a British resident indicted on October 28 for allegedly breaking into computers at the Department of Energy, Army, Department of Health and Human Services, the U.S. Sentencing Commission and elsewhere.
Law enforcement sustains that attacks began when Love and other members of the group of hacktivists exploited a security flaw in Adobe’s ColdFusion application, of course Adobe spokeswoman declined any responsibility and declared that similar attacks are possible only if targeted systems are not updated with the latest security patches.
Law enforcement confirmed that some of the stolen information on the latest campaign had previously been disclosed by Anonymous members during the “Operation Last Resort.”
Despite the earlier disclosures, “the majority of the intrusions have not yet been made publicly known,”  “It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed.” the FBI wrote.

The cyber espionage campaigns conducted by Anonymous are the reply to the arrests of popular hackers linked to the collective linked to US retaliation strategy against hackers.
Consider hacktivism a transitory phenomena are dangerous, underestimate the capabilities of groups like Anonymous is a serious error and the FBI memo is a important warning for Governments and IT community … Anonymous is alive and could hit every target in every moment!

Linux backdoor Fokirtor implements covert communication protocol

In May sophisticated attackers breached a large Internet hosting provider and gained access to internal administrative systems using a singular Linux backdoor.

Symantec security researchers have discovered a Linux backdoor, dubbed Fokirtor, that implements a covert communication protocol to hide its presence. The experts revealed that the malicious code was used to compromise a large hosting provider ‬in May.
The Linux backdoor masquerades its traffic within the legitimate one, in particular exploiting traffic of legitimate SSH connections.
The attackers used the Linux backdoor to syphon customer personal information including credentials and emails, the malicious code uses the Blowfish encryption algorithm to encrypt data sent back to the command-and-control servers.
linux backdoor
When the Linux backdoor infects the victim it gathers the following information from the compromised computer:
  • Peer host name and IP address
  • Peer port
  • Password
  • SSH key
  • User name
and encrypts the above information and sends it to the remote attacker.
The Trojan then opens a back door and allows a remote attacker to perform the following actions on the compromised computer: 
  • Steal files from the computer
  • Other malicious activities
According the analysis proposed by Symantec researchers  the choice of implementing a similar Linux backdoor is motivated by the fact that attackers were aware of the advanced level of security of the target, for this reason the cyber criminals needed to remain under coverage avoiding to trigger defense systems with anomalous traffic.
The attackers have disguised the legitimate processes including  Secure Shell (SSH) with their Linux backdoor as described in the post:
“This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”). After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.”
Practically the Linux backdoor doesn’t use its own communication channel, instead it exploits particular sequences of character to delimit its traffic within the legitimate data exchanged during an SSH connection.
The Symantec analysts conclude that the Linux backdoor found is different from any other Linux malicious code previously detected, because it suggests the new tactics for further malware.