Wednesday, 11 September 2013

Managed Malicious Java Applets Hosting Service Spotted in the Wild

In a series of blog posts we've been profiling the tactics and DIY tools of novice cybercriminals, whose malicious campaigns largely rely on social engineering techniques to trick users into thinking they've been exposed to a legitimate Java applet window. These same malicious Java applets continue to represent a popular infection vector among novice cybercriminals, who remain the primary customers of the DIY tools and attack platforms we've been profiling.
In this post, I'll discuss a popular service that exclusively offers hosting for malicious Java applets.

Sample screenshot of the service:
For a one-time fee of $20, the service offers detailed statistics on the users who ran the applet hosted on its server, as well as the ability to clone a popular website, which is then automatically embedded with a custom malicious Java applet. The service also offers managed rotation of typosquatted domains to prospective customers, in an attempt to make their campaigns easier to operate.
Based on our initial analysis of the service's operations, we can conclude that its operators lack the experience and motivation of sophisticated bulletproof hosting providers, like the ones we've profiled in the past. Nevertheless, its public availability has already empowered multiple novice cybercriminals with the hosting services necessary to achieve their malicious objectives.
Although we believe this is a short-term, niche proposition on the international underground market, we'll continue monitoring its development.

Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild

The idea of controlling multiple, high-bandwidth empowered servers for launching DDoS attacks, compared to, for instance, controlling hundreds of thousands of malware-infected hosts, has always tempted cybercriminals to ‘innovate’ and seek pragmatic ‘solutions’ in order to achieve this particular objective.
Among the most recent high-profile examples of this server-based DDoS tactic is Operation Ababil, the Izz ad-Din al-Qassam (a.k.a. Qassam Cyber Fighters) attacks against major U.S. financial institutions, in which the attackers made use of high-bandwidth servers. This indicates that wishful thinking often tends to materialize.
In this post, we'll take a peek inside what appears to be a command and control PHP script in its early stages of development, which is capable of integrating multiple (compromised) servers for the purpose of launching distributed denial of service (DDoS) attacks that take advantage of their bandwidth.
More details:

Sample screenshots of the administration panel of the PHP script:
Currently, the PHP script supports four types of DDoS attack tactics, namely DNS amplification, spoofed SYN, spoofed UDP, and HTTP with proxy support. The script also acts as a centralized command and control management interface for all the servers on which it has been (secretly) installed. It's currently offered for $800.
Just like we've seen in numerous other cybercrime-friendly underground market releases, the author of the PHP script is once again forwarding the responsibility for its use to potential customers, and, surprisingly, at a time when fake scanned IDs continue to be systematically abused by cybercriminals, expresses his trust in the user verification methods applied by his payment processor of choice, WebMoney.
We believe that this tool will eventually get abused by its customers, and we’ll continue to monitor its future development.

Microsoft Crushes 47 Bugs On Patch Tuesday

Yesterday, Microsoft issued 13 security bulletins covering some 47 bugs in a slightly-larger-than-usual Patch Tuesday. Among these, four were listed as critical and the rest marked as important. Get ready to update!
Interestingly, a fourteenth update relating to a denial-of-service issue in .NET was announced last week but has been held back for further testing. Perhaps Microsoft wishes to avoid some of the confusion from last month's Patch Tuesday, where one update had to be pulled after release.
Internet Explorer and Social Engineering
Microsoft addressed ten vulnerabilities with a cumulative update to Internet Explorer, affecting versions 6 through 10. This means that just about everyone will be touched by these changes, which is for the best as some of these bugs allowed remote code execution.
"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," wrote Microsoft. "An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user." This is another great argument for never using an account with administrator privileges for day-to-day work.
Microsoft Word and Excel will see updates addressing a file format vulnerability, where a specially crafted Office file could be used to execute code on a victim's computer. "Microsoft only rates these vulnerabilities as 'important' because they require the target to cooperate," writes Qualys CTO Wolfgang Kandek. "However, attackers have proven time and again that they have the necessary social engineering techniques to overcome that obstacle with ease."
In fact, the reports we've seen put social engineering at the top of the major threats against users, as are tainted files like those addressed with these Office updates. These files are incredibly dangerous because they look legitimate, and we've seen how they've been used to great effect in advanced persistent threat attacks.
Outlook and Others
The popular 2007 and 2010 versions of Microsoft Outlook were also patched this month, fixing a particularly nasty vulnerability. "An attacker can exploit the certificate parsing algorithm by signing an e-mail and nesting over 256 certificates in the signature," explained Kandek. "The attack causes a buffer overflow, even if just visualized in Outlook's preview pane."
Though Microsoft says the Outlook attack is difficult to pull off, it's dangerous since the victim doesn't have to do anything in order for the attack to succeed.
In addition to these, Microsoft released critical patches for SharePoint 2003, 2007, 2010 and 2013, as well as Microsoft Visio. The patches labeled important cover OLE, Windows theme files, Microsoft Access, Office IME Chinese, Kernel-Mode drivers, Windows Service Control Manager, FrontPage, and Active Directory.

North Korean hackers snoop on South Korean military with Kimsuky Trojan

An espionage campaign believed to stem from North Korea targeting numerous South Korean government and military departments has been uncovered by Kaspersky Lab researchers.
The researchers reported linking a number of targeted attacks hitting 11 organisations based in South Korea and two entities in China. Targets include the Sejong Institute, Korea Institute for Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine and the supporters of Korean unification.
The attacks reportedly started appearing on 3 April and use an "unsophisticated" Trojan spy program called Kimsuky. Vitaly Kamluk, chief malware expert in Kaspersky Lab's global research and analysis team, told V3 the malware is particularly interesting as it has an atypical focus on collecting Hangul Word Processor (HWP) files and includes code that disables security tools from prominent South Korean security firm, AhnLab.
“Technical analysis of the malware gives us an idea that we have encountered work of amateur virus-writers. Besides the unsophisticated spy program, which communicated with its ‘master’ via a Bulgarian public e-mail server, there are a lot of malicious programs involved in this campaign, but strangely, they each implement a single spying function,” he said.
“For example, the Kimsuky malware contains a dedicated malicious program designed for stealing HWP files. Also, there is a special module responsible only for disabling the system firewall and security tools from AhnLab, a South Korean anti-malware company. One more interesting feature of this malware is that the attackers are using a modified version of the legitimate software – the TeamViewer remote access application – to serve as a back door to get access to any files from the infected machines.”
The focus on HWP file collection indicates that the attack is bespoke, designed to steal military and government documents. HWP is a common file format used by South Korean agencies, which currently use the Hancom Office bundle word processing application as opposed to Microsoft's more common Word application.
Kamluk said upon further analysis they discovered two pieces of evidence suggesting that the attack is of North Korean origin. “First of all, profiles of the targets speak for themselves – South Korean universities conducting research on international affairs and producing defence policies for government, a national shipping company, and support groups for Korean unification. Secondly – a compilation path string containing Korean words (for example, some of them could be translated as English commands ‘attack’ and ‘completion’),” he said.
He added that the firm was able to link the campaign to two email addresses, which appeared to originate from IP addresses within ranges of the Jilin Province Network and Liaoning Province Network in China, a region that acts as a base for internet service providers (ISPs) believed to have strong ties with North Korea.
“Third – two email addresses to which bots send reports on status and transmit infected system information via attachments – iop110112@hotmail.com and rsh1213@hotmail.com – are registered with the following ‘kim’ names: ‘kimsukyang’ and ‘Kim asdfa’,” he said.
“Even though this registration data does not provide hard data about the attackers, the source IP-addresses of the attackers fit the profile: there are 10 originating IP-addresses, and all of them lie in ranges of the Jilin Province Network and Liaoning Province Network in China. The ISPs providing internet access in these provinces are also believed to maintain lines into parts of North Korea.”

Beijing To Crack Down On Social Media 'Slanderous Rumors'

A new interpretation of existing law would make writing a defamatory post that's read by more than 5,000 people or shared by more than 500 punishable by up to 10 years in jail

Privacy is Dead. The NSA Killed it. Now What?

The NSA sees and knows everything we do online, it seems, and each time we adjust to the latest loss of privacy, the next revelation leaves us gasping again. Edward Snowden's exfiltrated NSA documents first pointed to PRISM, a program that was designed to capture information about terrorist communication but that clearly overstepped into monitoring innocent citizens. Pretty bad, huh?
But really, we thought, with such an absolute ocean of information, they couldn't really find anything about one single person... could they? It turns out that the XKeyScore tool lets analysts sift and sieve telecommunications data to find anybody, or anything, they want. And it doesn't stop there.
Secure Communication?
The simple urge to communicate privately is not in itself any evidence of wrongdoing (though some might argue otherwise). If you really, really want to communicate both electronically and securely, you'll need to use a very special service, like Lavabit, the service used by Edward Snowden and many others in the security community.
Alas, Lavabit is no more. Its owner abruptly shut down the service and destroyed its infrastructure. It's assumed that this was a response to a government demand for access; since such demands come with a gag order the owner couldn't offer details. A similar service offered by Silent Circle self-destructed shortly thereafter.
In terms of providing secure communication, these two services must have been doing something right... If you do seek a truly secure email service, you'll want to choose one that has no exposure in the U.S.
Encryption Isn't the Answer
The NSA has vast computational resources, good enough to break many cryptographic systems using brute force attacks or other computation-based attacks. However, it turns out they don't need to expend that kind of effort, due to some devious planning ahead. A project code-named BullRun with over ten times PRISM's budget has worked for years to ensure the NSA a back door into popular cryptographic systems, according to a report from The Guardian.
John Gilmore, a founder of the Electronic Frontier Foundation and (according to BoingBoing's Cory Doctorow) a "cypherpunk; significant contributor to GNU/Linux and its crypto suite; and all-round Internet superhero," reported in detail about the NSA's sabotage of the Internet Protocol Security (IPsec).
According to Gilmore's post, NSA agents explicitly lied to other members of security working groups and deliberately promoted an insecure IPsec standard. "To this day, no mobile telephone standards committee has considered or adopted any end-to-end (phone-to-phone) privacy protocols," said Gilmore. "This is because the big companies involved, huge telcos, are all in bed with NSA to make damn sure that working end-to-end encryption never becomes the default on mobile phones."
It's not clear exactly how far the NSA's subversion of popular crypto systems extends; we only know what's been revealed to date. And hey, you might think, maybe it's OK; they are the good guys, right? Well, perhaps. But when a cryptography algorithm or other security system has a back door built into it, you can guarantee the bad guys will find their way in.
Gilmore's account of the NSA's IPsec sabotage pointed out that they deliberately made it too complex for proper analysis; a promised simplification never happened. In practical fact, keeping the details of a security system secret or obscuring the details with complexity isn't effective. Open source cryptographic algorithms are subject to scrutiny from a world of experts, so in theory any flaw, weakness, or back door will be exposed... eventually.
Rock the Vote
It's clear that agencies of our government can monitor all of us in general, looking for trends, and can winkle out specific secrets beyond any individual's ability to hide. All I can think is, at least we're nominally a democracy. The stated aim of this surveillance is to head off the possibility of another horrific terror attack, not to actively invade the privacy of citizens. And yet, that could change. The giant corporations that exercise so much political power would surely love to get a handle on the NSA's technology, for example.
There's nothing you or I can do to put the genie back in the bottle. Universal electronic surveillance is here to stay, and we haven't seen everything yet. The best we can hope for is to keep the government in check by electing sane, sensible candidates. I know, I know, the fact that they want political office isn't a good indicator of mental stability, but make the best choice you can. And when someone like Edward Snowden lifts the curtain to let us know what's really going on, consider the possibility that he deserves our thanks.

Mobile Threat : Fantasy Football Dangers, Spousal Spyware, and Trojan 'Bloons'

Every week we talk to leaders in the field of Android security about the threats they're seeing in the wild. This week we take a look at three different kinds of questionable apps: some that transmit your password unencrypted, one that's a Trojan version of a popular game, and several that spy on your spouse.
Bloons TD 5 Trojan
Fans of tower defense games are probably familiar with the Bloons series, where you take the role of monkey commandos bent on destroying parades of balloons. F-Secure says that on the Chinese third-party Baidu app store a Trojanized version of the game has been masquerading as the real deal.
Not all apps are available internationally, which drives some users to seek out not-so-legal alternatives. Other downloaders simply don't want to pay full price for popular apps. Whatever the reason, the bad guys know that a free version of a must-have game will get some downloads.
The Trojanized Bloons TD 5 requests a slew of extra device permissions that the original does not require. These include the ability to view fine-grain location information, install shortcuts, and access alert windows, among others.
It gets worse: F-Secure says that the Trojan app downloads executable content from a malicious website. "The content can be anything," said F-Secure. "It's up to the malware author."
Just another reminder that you should always, always, always download legit, for-pay copies of apps.
Unencrypted Fantasy Football Passwords
From Bitdefender, we received a tip on four apps that transmit unencrypted user data—specifically passwords. "In our opinion, it is unacceptable for any app, regardless of its purpose, to transmit personal data without encryption," Bitdefender told SecurityWatch. "It is particularly dangerous to people who use the same passwords for the apps as for social networking, email, and other sensitive accounts."
Among these were a card game app called Texs HoldEm Poker Deluxe Pro, a ticket booking assistant called Wizzair Search and Price Alerts, and an alternate reality game called Watch Dogs Live. The most interesting, and disconcerting, of the apps profiled by Bitdefender was the popular CBS Sports Fantasy Football app, which has been downloaded between 100,000 and 500,000 times and carries a great deal of authority with the CBS name.
If the password is not encrypted on the device before it's sent to servers for authentication, then it's relatively easy for attackers to intercept the authentication information. But the risk isn't that your Fantasy Football account might be compromised (though I am sure that's a big deal for some), rather that attackers could find other accounts where you've reused the same password and username combination.
Spyware For Jealous Lovers
Appthority tipped us to three pieces of spyware, which is effectively legal-ish malware. The applications can do a number of things, from tracking calls and texts to finding the precise location of the device. What's interesting about them is that they're marketed towards individuals who want to spy on their significant others.
Several of these apps, available on Google Play, are merely downloaders which, once installed, retrieve packages of spyware, install them on the target device, and then hide their presence. Boyfriend Tracker, for instance, downloads the MSpy package and can send call logs, SMS texts, e-mails, contact information, recorded audio, recorded video, geo-location, and Facebook chat logs to MSpy servers.
Similarly, an app called "SMS, Whatsapp & Locate Spy" downloads the spytomobile software package to gather most of the same information as MSpy. The SpyBubble app, on the other hand, uses its own spying software to gather info from infected devices and is disconcertingly targeted at parents, spouses, and employers.
Not only are these spy apps gross and invasive, but they place the personal information of the victims on the server of another company. Before you think about installing one of these on someone's phone, consider that whatever information is gleaned will also be stored by a third party.
Avoiding these applications is tricky, since they require someone to take hold of your phone and install them. Our traditional advice for avoiding malware simply doesn't apply when someone wants to infect your device. The best course of action would be to set up a device passcode and not share it with anyone—perhaps even change it periodically. Fortunately, many of these apps will get caught by security software, so be sure to scan your device often.
Alternatively, you can invest the time and effort into a healthy, communicative relationship which doesn't require installing dangerous spyware onto phones.

Hesperbot – technical analysis: part 2/2

Win32/Spy.Hesperbot is a new banking trojan that has been targeting online banking users in Turkey, the Czech Republic, Portugal and the United Kingdom. In this 3rd Hesperbot blog post we’ll look at the most intriguing part of the malware – the way it handles network traffic interception. The malware spreading campaigns and their victims, and a technical overview of the malware architecture, its mobile component and other features are covered in three blog posts: Hesperbot – A New Advanced Banking Trojan in the Wild, Hesperbot Technical Analysis Part 1/2 and Hesperbot Technical Analysis Part 2/2. You can download the comprehensive whitepaper here.

Network Interception and Web-injects

Other well-known banking trojans such as Zeus and SpyEye are able to intercept and modify HTTP and HTTPS traffic by hooking WinSock functions (send, WSASend, etc.) and the higher-level WinInet functions (HttpSendRequest, InternetReadFile, etc.). As the web-injects, form-grabbing and other shenanigans performed by these banking trojans take place inside the affected browser, the method has collectively been labeled as the ‘Man-in-the-Browser’ attack. Win32/Spy.Hesperbot, however, takes a different approach, which is not very common, but has, in fact, already been used by the Gataka banking trojan. A good technical analysis of Win32/Gataka by my colleague Jean-Ian Boutin can be found here.
The network traffic interception and HTML injection functionality in Win32/Spy.Hesperbot is accomplished by the plug-in modules nethk, httphk and httpi working together.
Figure 1 – Relations between network interception modules

Here’s a brief description of each module’s purpose:
  • nethk – used to set up a local proxy, hook socket functions to drive connections through the proxy and hook browser SSL certificate verification functions. Also handles decryption and encryption of HTTPS traffic flowing through the proxy.
  • httphk – used for parsing HTTP traffic intercepted by the proxy
  • httpi – used for screenshots, video capturing, form-grabbing and web-injects according to the configuration file
Now let’s take a closer look at how the modules work together and accomplish their tasks. As mentioned above, the modules expose their functions in a vtable for other modules to use. The program flow in between the modules as each HTTP request or response is intercepted is ensured through callback functions.
nethk
Nethk is the first plug-in module to be loaded by the core module. Win32/Spy.Hesperbot performs a man-in-the-middle attack by creating a local proxy through which it directs all connections from the browser.
Figure 2 – Local proxy IP address in Hesperbot code
Figure 3 – Internet Explorer connected through Hesperbot proxy
To achieve this, the trojan’s nethk module creates a proxy on a random port at the address 127.0.1.1 and hooks the following functions in mswsock.dll, the lower-level Winsock SPI library:
  • WSPSocket
  • WSPIoctl
  • WSPConnect
  • WSPCloseSocket
The pointers to these functions are modified in the WSPPROC_TABLE. To understand how the proxy redirection works, let’s look at the hooked WSPConnect function.
Figure 4 – Hooked WSPConnect API
The browser socket – when trying to connect to a secured online banking website, for example – is connected to the proxy created by Hesperbot instead. In another thread, the legitimate connection to the website is established.
Figure 5 – Overview of HTTPS traffic interception via Hesperbot’s proxy
An httphk-callback is invoked each time the proxy intercepts a request from the browser, before passing it on to the real server. Likewise, an httphk-callback is invoked each time the proxy intercepts a response from the real server, before passing it on to the browser. The httphk module then works further with the traffic.
There’s also a difference between the handling of HTTP versus HTTPS traffic. In the case of HTTP, the request- or response-data is simply passed to httphk. In the case of HTTPS, nethk first “gets rid of the encryption”. When an HTTPS request from the browser is intercepted (encrypted using its own fake SSL certificate – explained below), it is decrypted, and the decrypted data is passed to httphk through the callback and then encrypted using the real certificate of the server (e.g. bank website), and then sent to the real destination. Reciprocally, when an HTTPS response is received from the server, it’s decrypted using the real certificate, the decrypted data is again passed to httphk and then encrypted using Hesperbot’s fake certificate before being passed to the browser.
In effect, through the man-in-the-middle proxy, Win32/Spy.Hesperbot can access the victim’s outgoing HTTPS communication before it’s encrypted and their incoming HTTPS communication after it’s decrypted. The same effect is essentially accomplished by Zeus’s and SpyEye’s MitB hooks, but this new approach is slightly stealthier.
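The redirection described above leaves a host-side trace: a browser whose TCP connection terminates at 127.0.1.1 rather than at the real web server, and a listener bound to that address. The following added example (ours, not ESET's or the malware's code) parses netstat -ano style output and a pid-to-image map and reports both conditions; the sample rows, PIDs and the browser list are constructed assumptions.

```python
"""Hunting for a Hesperbot-style local proxy in netstat output.

The nethk module redirects browser sockets to a proxy on 127.0.1.1 (random
port) by hooking WSPConnect.  A cheap host-side check is therefore: does any
browser process hold an established TCP connection whose remote end is
127.0.1.1, and is anything listening on that address?  This script parses
``netstat -ano`` style text (Windows layout) plus a pid->image map and
reports such connections.  All sample data below is constructed.
"""
from typing import Dict, List, NamedTuple

# From the analysis: the address nethk binds its proxy to.
PROXY_ADDR = "127.0.1.1"

# Assumption: image names we treat as browsers.  This list is ours; it is not
# the (hashed) process list carried by the malware.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP rows
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse the table printed by ``netstat -ano`` on Windows.

    TCP rows have five columns (proto, local, remote, state, pid); UDP rows
    have four (no state column).  Banner and header lines are skipped.
    """
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed row: ignore rather than guess
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def host_of(endpoint: str) -> str:
    """'127.0.1.1:51839' -> '127.0.1.1' (also copes with '[::1]:443')."""
    return endpoint.rsplit(":", 1)[0]


def find_proxy_indicators(conns: List[Conn], pid_names: Dict[int, str]) -> List[str]:
    """Return human-readable findings for connections matching the pattern.

    Two things are reported: a TCP listener bound to 127.0.1.1 (the proxy
    itself) and a browser whose outbound connection terminates at 127.0.1.1
    instead of the real web server.  Either is a lead, not proof: some Linux
    distributions map the hostname to 127.0.1.1, and a legitimate local proxy
    could in principle use that address too.
    """
    findings: List[str] = []
    for c in conns:
        if c.proto != "TCP":
            continue
        name = pid_names.get(c.pid, "unknown").lower()
        if c.state == "LISTENING" and host_of(c.local) == PROXY_ADDR:
            findings.append(f"listener on {c.local} owned by pid {c.pid} ({name})")
        elif c.state == "ESTABLISHED" and host_of(c.remote) == PROXY_ADDR and name in BROWSERS:
            findings.append(f"{name} (pid {c.pid}) is connected to {c.remote} "
                            f"rather than to a remote web server")
    return findings


# Constructed sample: one IE process listens on 127.0.1.1 and holds the real
# HTTPS session to the bank, while a second IE process is redirected to it.
# (In the real case the proxy may live in the same browser process.)
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    127.0.1.1:51839        0.0.0.0:0              LISTENING       1936
  TCP    127.0.0.1:52210        127.0.1.1:51839        ESTABLISHED     2408
  TCP    192.168.1.20:52211     203.0.113.10:443       ESTABLISHED     1936
  TCP    127.0.0.1:52212        127.0.0.1:8080         ESTABLISHED     3112
  UDP    0.0.0.0:500            *:*                                    1104
"""
SAMPLE_PIDS = {700: "svchost.exe", 1936: "iexplore.exe", 2408: "iexplore.exe",
               3112: "fiddler.exe", 1104: "svchost.exe"}

if __name__ == "__main__":
    for finding in find_proxy_indicators(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PIDS):
        print("[!]", finding)
```

The ordinary debugging proxy on 127.0.0.1:8080 in the sample is deliberately not flagged; only the 127.0.1.1 address the analysis ties to nethk is.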
Now, of course, this malicious proxy redirection should be given away by an invalid certificate for an HTTPS website. The Hesperbot authors thought of this as well. The nethk module carries its own crafted, self-signed SSL certificates and these are substituted for legitimate certificates.
Figure 6 – SSL certificates inside nethk binary
Figure 7 – Example of Hesperbot’s fake certificates in use. On a clean system, Google’s certificate would be displayed here, of course.
In order to trick the browser into believing that the certificate is valid and avoid the display of a warning message, the malicious module also hooks functions responsible for certificate verification. The implementation differs depending on the browser. The following table shows which browsers are supported by Win32/Spy.Hesperbot and which functions are hooked:
Figure 8 – Certificate verification functions hooked by Hesperbot for various browsers

An interesting feature of the malicious code is that the authors have used hashes instead of using the browser process names directly, so as to complicate analysis and, more importantly, to protect the malware from signature based AV detection.
Figure 9 – Code obfuscation in Win32/Spy.Hesperbot – hashes are used instead of process names
The figure below shows the code of the hooked CertVerifyCertificateChainPolicy.
Figure 10 – Hooked CertVerifyCertificateChainPolicy API

In the case of an SSL client/server chain policy verification check (other types are neglected and passed on to the original function) the hooked function simply returns a result indicating that the policy check was passed.
httphk
The httphk module is merely responsible for parsing the HTTP protocol data. When the httphk-callback is invoked, it parses HTTP headers and data and fills in an internal structure. This structure will subsequently be accessed by the httpi module.
Again, httphk exposes two callback functions for invoking httpi: httpi_request_callback and httpi_response_callback.
httpi
This is the main module that actually carries out the modification of the HTTP data, according to the configuration file.
When httpi_request_callback is invoked, the following actions are performed:
  • Video capture and screenshots – The module reads the configuration file and checks the request URL. If specified in the config, video capture and/or creating screenshots is started.
  • Form grabbing – The module checks whether it’s a POST request via the HTTPS scheme and if content-type is either “application/x-www-form-urlencoded” or “text/plain”. If these conditions are true, it’s likely that the user has submitted a login form. If the configuration file specifies that the current URL should be monitored, the data is written to a log.
When httpi_response_callback is invoked, the following happens:
  • HTML injects – First, the trojan checks whether the HTTP response code is 200. Afterwards, the configuration file is read and if there are web-inject entries for the responding web-page, they are inserted into the HTML content.
The figure below shows a decrypted configuration file used in the Portuguese botnet. You may notice the first group of domains – these are ignored by httpi – domains which are of little interest to the bot masters. While stolen Google or Facebook login credentials would be considered valuable to other spying malware, this shows that the perpetrators behind Hesperbot are only interested in online-banking-related data. The targeted bank websites are listed after those that are ignored. The rest of the configuration file contains the HTML code that’s supposed to be injected into the online banking websites.
Figure 11 – Decrypted web-inject configuration file used in the Portuguese botnet
It appears that the people who wrote the web-injection scripts speak Russian, as evidenced by source-code comments. Note, however, that the scripts may or may not have been written by the same perpetrators who created the Win32/Spy.Hesperbot malware and/or operate the botnets. Web-inject scripts are often shared and reused – this is made possible when a similar format is being used by different malware families – and specialization among cybercriminals is commonplace.
Authors:
Anton Cherepanov
Robert Lipovsky
List of MD5s
Article by Robert Lipovsky, We Live Security

Apple’s fingerprint-reading iPhone 5S – a new dawn for biometric security?

Apple introduced biometric security to iPhone for the first time with the launch of its new iPhone 5S, featuring what Apple describes as an “intelligent” and “accurate” laser fingerprint sensor.
The Touch ID sensor is built into the gadget’s home button, and uses a laser-cut sapphire crystal to take high-resolution images of users’ fingers, and “intelligently analyze” them for identification.
The system allows users to unlock their phones with one finger – and make secure purchases, at least from its own iTunes Store, App Store and iBooks Store. Leaks from other mobile firms such as HTC suggest that top-end Android models could soon offer fingerprint authentication built into hardware.
Previous biometric systems built into cellphones such as Motorola’s Atrix were widely criticized as being unreliable. Apple claims its system improves over time, and is secure enough for online purchases.
“All fingerprint information is encrypted and stored securely in the Secure Enclave inside the A7 chip on the iPhone 5s; it’s never stored on Apple servers or backed up to iCloud,” the company said in a statement.
“iPhone 5s is the most forward-thinking smartphone in the world, delivering desktop class architecture in the palm of your hand,” said Philip Schiller, Apple’s senior vice president of Worldwide Marketing. “iPhone 5s sets a new standard for smartphones, packed into its beautiful and refined design are breakthrough features that really matter to people, like Touch ID, a simple and secure way to unlock your phone with just a touch of your finger.”
Some observers were skeptical, though. Stephen Ebbett, global director of gadget insurer Protect Your Bubble, said, “As rumoured, Apple’s iPhone 5S introduces Touch ID, utilising touch-based fingerprint sensors – but this could turn out to be more a gimmick than an impenetrable security measure at this stage.
“Being able to use fingerprint security login for iTunes purchases is a nice touch, if it works. And with the rise of wireless payment technology, the mobile space is crying out for better security.
"But while biometrics are typically seen as more robust than password protection – sweat, dirty pockets, hot and cold environments, sun exposure, and other factors can affect the sensitivity and working conditions of the sensor surface."
“Earlier gadgets that have sported fingerprint scanners proved temperamental, and mobile fans will have to wait until they can get their fingers on the 5S to determine if Apple can deliver biometric functionality that is vastly improved.”

Twitter faces fruit invasion as weight-loss spammers invade via Hootsuite

Twitter has been hit by a wave of spam promising "pure garcinia cambogia" – a fruit extract often used in weight-loss supplements.
The link – promising a "free Groupon of garcinia cambogia" – spread on both Twitter and Facebook, including via celebrity accounts such as Jane Fonda's, according to TechCrunch. Other users reported seeing the same message on Facebook, which led to the attack being traced to Hootsuite – a "social media dashboard" that allows users to post to both.
The link led to a bogus Groupon page, offering a deal on the herbal supplement. The URL was modified to look similar to a “real” Groupon page. TechCrunch said it was, “a classic phishing tactic that the attackers hope will net either Groupon login details or more likely financial information when they go to order said supplement.”
Twitter quickly added a warning of unsafe content to the link on its web version.
Hootsuite said in a statement, “Today, less than .01% of HootSuite’s user base (approximately 7000 HootSuite users) were affected. In this case, the unauthorized users accessed HootSuite through a third-party application using OAuth.”
Hootsuite said that “Hootsuite itself has not been compromised or hacked,” but that people had logged in to Hootsuite using user IDs and passwords acquired elsewhere.
Hootsuite said, “Likely, people are using the same password for both HootSuite and the other social network or online service,” and directed customers towards a best practices blog, “to help educate users on how to create a more secure password.”
"In response, we've temporarily disabled access to OAuth from the affected third-party online service, and will continue to deploy efforts to keep our users safe. We ask that customers who experience an unauthorized post to one of their social accounts change their username and password on all their online accounts that use that same username and password."

John McAfee: The reports of my demise are greatly exaggerated

[Image: John McAfee with two dogs]
Sneak was alarmed to read that his favourite travel blogger and security expert John McAfee is no longer of this earth.
Thank the antivirus heavens then that reports of his demise have been greatly exaggerated.
Sneak knows this because he has seen the proof and read the evidence. He is looking at a picture of McAfee – and two canine friends – now, and you can take it from us, this is no Weekend at Bernie's-style jape.
McAfee, who has carved out a niche as an on-the-run virus expert to watch, has tweeted the proof himself.
"I felt fine when I went to bed last night. I had such great plans. 'RIP John McAfee'," he said.
"For those wondering if I'm dead the answer is... 'The Media is killing me, but somehow I'm still tweeting' #NotDeadYet," he posted.
The more keen-eyed among us might notice the expression on the darker dog's face. Let's assume it's all in good fun.
While he was "dead" McAfee was the subject of an online report that claimed he had died after a cocaine binge in a casino.
Sneak was stunned to hear this – since it does not sound true to form for his security hero – and almost updated a McAfee subscription in celebration after hearing he was indeed alive and well.
McAfee has added another update. Having completed his daily check he is happy to assure us that, thankfully, all is still in working order.

Detica armours critical infrastructure against military hack attacks

[Image: Tilbury power station, photo RWE npower]
BAE Systems Detica has unveiled its IndustrialProtect cyber-defence tool, promising that it will protect critical infrastructure areas from the latest wave of targeted attacks.
Detica lists IndustrialProtect as being tailor-made to protect the industrial control systems of critical infrastructure organisations, such as power plants, oil refineries and automated manufacturing plants, from hackers. IndustrialProtect is different to most protection tools as it integrates into the systems at a component level, being physically built into the hardware.
Detica claims the hardware integration makes IndustrialProtect significantly more effective against sophisticated attacks, offering IT managers a host of advanced powers. These include the ability to segment parts of the network without breaking critical business processes, and the power to block unauthorised systems from exchanging information.
The tool will also offer enhanced monitoring powers to IT administrators, allowing them to check that the integrity of information is preserved from source to destination. It also gives wider transparency of other systems connecting to the industrial controls.
Using these capabilities Detica claims IndustrialProtect is able to verify the identity of the individual or system that is sending information. It can also confirm the information received has not been tampered with while in transit, ensuring any attempt at cyber sabotage is blocked.
David Garfield, managing director of cyber security at Detica, said businesses involved in critical infrastructure areas need upgraded cyber defences to ward off the recent influx of sophisticated, targeted attacks active in the wild.
"National Critical Infrastructure organisations are increasingly concerned about securing their business critical operations. The larger and more diverse the organisation, the greater the number of network vulnerabilities for cyber attackers to exploit. IndustrialProtect addresses key areas where traditional approaches are proving ineffective, simultaneously enabling efficient business processes and protecting against the modern cyber threat," he said.
"This is the first time this type of solution has been available for organisations in the critical national infrastructure. It provides a means to enable information flows that greatly increase business efficiency and operational effectiveness while protecting critical operational networks from attack."
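The two properties Detica claims for IndustrialProtect, knowing which system sent a message and knowing it was not altered in transit, are exactly what a keyed message authentication code provides. As an added example, not Detica's code and not a description of how IndustrialProtect is built, the following Python shows a minimal receiver that authenticates each frame from a hypothetical PLC with a per-device HMAC-SHA256 key, rejects frames from unknown senders or with a bad tag, and rejects replays by requiring a strictly increasing sequence number. The device names, keys, frame layout and payloads are all constructed for the demo.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

# Hypothetical per-device keys, provisioned out of band (constructed for the demo).
DEVICE_KEYS = {
    "plc-7": bytes.fromhex("00" * 31 + "01"),
    "hist-1": bytes.fromhex("00" * 31 + "02"),
}


def seal(device_id, key, seq, payload):
    """Build an authenticated frame: len(id) | id | seq (u64 BE) | payload | tag.

    The tag covers the sender id and the sequence number as well as the payload,
    so none of them can be swapped without invalidating it.
    """
    did = device_id.encode("ascii")
    body = struct.pack(">B", len(did)) + did + struct.pack(">Q", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Accepts a frame only from a known sender, with a valid tag and a fresh sequence."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # device_id -> highest sequence number accepted so far

    def verify(self, frame):
        """Return ((device_id, payload), "ok") on success, or (None, reason)."""
        if len(frame) < 1 + 8 + TAG_LEN:
            return None, "frame too short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        n = body[0]
        if len(body) < 1 + n + 8:
            return None, "frame too short"
        device_id = body[1:1 + n].decode("ascii", errors="replace")
        key = self.keys.get(device_id)
        if key is None:
            return None, "unknown sender"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison: a plain == leaks how many tag bytes matched.
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"
        # Only trust the sequence number after the tag has been checked.
        (seq,) = struct.unpack(">Q", body[1 + n:1 + n + 8])
        if seq <= self.last_seq.get(device_id, -1):
            return None, "replay"
        self.last_seq[device_id] = seq
        return (device_id, body[1 + n + 8:]), "ok"


def demo():
    """Exercise the four outcomes on constructed frames; returns the status strings."""
    rx = Receiver(DEVICE_KEYS)
    good = seal("plc-7", DEVICE_KEYS["plc-7"], 1, b"valve_3=open")
    results = [rx.verify(good)[1]]                      # ok
    results.append(rx.verify(good)[1])                  # replay: same frame again
    tampered = bytearray(seal("plc-7", DEVICE_KEYS["plc-7"], 2, b"valve_3=open"))
    tampered[-TAG_LEN - 1] ^= 0x01                      # flip the last payload byte
    results.append(rx.verify(bytes(tampered))[1])       # bad tag
    rogue = seal("plc-9", b"\x42" * 32, 1, b"valve_3=open")
    results.append(rx.verify(rogue)[1])                 # unknown sender
    return results


if __name__ == "__main__":
    print(demo())  # ['ok', 'replay', 'bad tag', 'unknown sender']
```

The sequence check is what turns "not tampered in transit" into "not replayed either": a captured valid frame is still a valid frame, and on a control network a replayed "open" can be as damaging as a forged one. A real deployment also has to handle key provisioning, key rotation and counter persistence across device restarts, none of which this demo addresses.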
Attacks on critical infrastructure have been a growing concern within the security community. The concerns reached boiling point in 2010 when the Stuxnet worm was discovered attempting to physically sabotage Iran's uranium enrichment centrifuges. Since then numerous government agencies have warned about the inevitable emergence of further cyber-sabotage tools. Most recently the US Department of Defense issued a public report warning that Chinese hackers have the skills and tools to take down critical infrastructure.

GCHQ begins search for next Alan Turing with code-tracking ‘Can You Find it' race

The UK's GCHQ has launched a Can You Find It challenge designed to help the agency find and recruit the next generation of cyber security code experts.
The initiative is set to launch on Wednesday on the official Can You Find It website. The race will task participants with cracking a series of cryptic codes and following clues scattered around the internet to find "the ultimate final answer".
The challenge is open to anyone and offers a variety of prizes to those who solve the riddle. These include the chance to enter a prize draw for a Google Nexus 7 or Raspberry Pi and, for very skilled participants, a potential job offer from a security agency with a salary between £26,000 and £60,000.
Can You Find It is part of the UK's wider cyber security strategy and follows on from 2012's Can You Crack It campaign. The Can You Crack It campaign ran throughout 2012 and attracted over 95 million hits to its website from over 3.2 million unique users. The campaign also resulted in 170 participants being considered for roles within intelligence agencies.
GCHQ's head of resourcing, Jane Jones, said initiatives like Can You Find It and Can You Crack It are essential steps in the UK's ongoing bid to recruit the next generation of security professionals.
"The twenty-first century is confronting us with online threats that are difficult and dangerous, so we want employees who have evolved with the ever-changing digital world and therefore have the right skills to combat these challenges. It's a puzzle but it's also a serious test – the jobs on offer here are vital to protecting national security," she said.
Recruiting skilled cyber professionals has been an ongoing goal of the UK government since it launched its cyber strategy in 2011. Despite the success of cyber strategy initiatives, many private and public sector bodies have warned that the UK is still suffering a major cyber skills shortage. The UK National Audit Office (NAO) issued a report warning that, despite the government's efforts, closing the skills gap could take up to 20 years, while cybercrime costs the nation up to £27bn per annum.

Group-IB Threat Intelligence Report 2012–2013 H1, a must read

Group-IB Threat Intelligence Report 2012–2013 H1 is an excellent analysis on the state and dynamics of today’s market of computer crimes and cyber threats.

Group-IB has recently issued a report titled "Group-IB Threat Intelligence Report 2012 – 2013 H1" on the state and dynamics of today's market of computer crimes and current cyber threats for 2012 and the first half of 2013. Group-IB is one of the leading international companies specialising in preventing and investigating high-tech cyber crimes and fraud.
The security firm conducted the investigations with support from experts at its computer incident response centre, CERT-GIB. The document examines current information security threats, looks at trends in the cybercrime ecosystem and provides forecasts for the near future (2014–2015).
The Group-IB Threat Intelligence Report starts with an impressive numerical estimation of various cybercrime segments where Russian-speaking criminal groups are actively present.
[Figure: Russian cybercrime market size, Group-IB Threat Intelligence Report]

According to Group-IB, an average of 44 thefts a day were carried out from online banking systems in 2012.
"The Bank of Russia reports that 7870 incidents were recorded in banks in the second half of 2012 alone. Of these incidents, 43.1% were related to illegal transfer of funds via Internet banking. Having said that, the Bank of Russia claims that an average of 28 thefts are committed daily," states the Group-IB Threat Intelligence Report.
The overall cybercrime market shrank by 6% in 2012, although its composition is in continuous movement. The drop was mainly caused by a decline in online bank theft, due to:
  • successful operations aimed at dismantling criminal groups;
  • deployment of anti-fraud solutions by banks;
  • information sharing.
The emergence of new criminal groups was not enough to cause significant growth in this market.
The investigation revealed that the average amount stolen from the bank account of a legal entity in 2012 was 2.5 million rubles; the report's conservative estimate is 1.64 million rubles ($54,700).
During 2012 Group-IB's systems recorded a daily average of 150 DDoS attacks in Russia. Analysing the principal hacking forums that offer attacks as a service, the researchers estimated the average price of a DDoS attack at $100 per day.
The Russian underground is also a major venue for renting and selling exploit packs, an activity the report values at $51.84 million for the cybercrime market.
The Group-IB Threat Intelligence Report contains an entire section on attacks against financial institutions. The experts note that the principal problems for banks are a very low level of security and the habit of hiding incidents in which their systems were compromised or data leaked.
The analysis of web application vulnerabilities, gathered by Group-IB in the course of its information security audit and penetration testing work in 2012, revealed that no critical direct web application vulnerabilities were found in 28% of the sites investigated, but that in 47% of cases access to application data was gained by exploiting flaws in third-party software.
The report lists the principal causes of incidents, while the principal attack methods used by attackers are:
  • Cross-site scripting (XSS);
  • SQL Injection;
  • Cross-site Request Forgery (CSRF);
  • Path Traversal Attack;
  • PHP (Code) injection.
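The attack classes listed above are the routine findings of a web application audit, and each has a well-known fix. As an added example, not code from the Group-IB report, the following Python shows a vulnerable and a hardened form of three of them (SQL injection, path traversal and cross-site scripting). The user table is a constructed in-memory SQLite database, the upload directory "/srv/app/uploads" is a hypothetical path, and the payloads are the classic ones rather than anything taken from the report.

```python
import html
import os
import sqlite3


def make_db():
    """Constructed demo database (not data from the report): two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return db


# --- SQL injection --------------------------------------------------------

def lookup_vulnerable(db, name):
    """Untrusted input is pasted into the SQL text, so the input can rewrite the query."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    """Parameterised query: the driver binds `name` as data, never as SQL."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# --- Path traversal -------------------------------------------------------

def file_path_vulnerable(base, user_path):
    """os.path.join neither strips '..' nor keeps an absolute user_path under base."""
    return os.path.join(base, user_path)


def file_path_safe(base, user_path):
    """Resolve symlinks and '..', then require the result to stay inside base.

    commonpath (rather than startswith) stops '/srv/app/uploads_evil/x' from
    passing as a child of '/srv/app/uploads'.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return target


# --- Cross-site scripting -------------------------------------------------

def render_comment_vulnerable(text):
    """Untrusted text goes into HTML unescaped, so it can carry markup and script."""
    return '<p class="comment">%s</p>' % text


def render_comment_safe(text):
    """Escape for the HTML text context before interpolating."""
    return '<p class="comment">%s</p>' % html.escape(text, quote=True)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("SQLi vulnerable:", lookup_vulnerable(db, payload))   # both rows leak
    print("SQLi safe:      ", lookup_safe(db, payload))          # []
    base = "/srv/app/uploads"                                    # hypothetical directory
    print("traversal vulnerable:", file_path_vulnerable(base, "../../etc/passwd"))
    try:
        file_path_safe(base, "../../etc/passwd")
    except ValueError as e:
        print("traversal safe: rejected,", e)
    xss = "<script>alert(1)</script>"
    print("XSS vulnerable:", render_comment_vulnerable(xss))
    print("XSS safe:      ", render_comment_safe(xss))
```

The same shape recurs in each pair: the vulnerable version lets untrusted input reach an interpreter (SQL, the filesystem, the browser's HTML parser) in a form that interpreter can misread, and the fixed version either keeps the input out of the interpreter's grammar (bound parameters, escaping for the output context) or canonicalises it and checks the result against a policy (the realpath plus commonpath check). The report's figure that 47% of breaches came through third-party software is a reminder that fixing your own code handles only part of this list.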
[Figure: web application flaws, Group-IB Threat Intelligence Report]
[Figure: attack vectors, Group-IB Threat Intelligence Report]

The availability on the underground market of malware source code such as Carberp, and of ready-to-use web-inject packs targeting hundreds of European, US and Russian banks, exposes financial institutions to serious risk if they do not implement proper countermeasures. The Group-IB Threat Intelligence Report is full of examples of code used in the attacks, a mine of information for specialists and enthusiasts alike.
The study also documents other emerging activities in the criminal landscape, such as hackers' interest in trading systems and the compromise of POS terminals.
The document also includes two dedicated sections describing the dismantling of criminal groups and the development of laws on combating computer crime. I found this aspect very intriguing and useful for understanding how research conducted by security firms is used in real criminal prosecutions, and what the limits of the current legal framework for cybercrime are.
The Group-IB Threat Intelligence Report is one of the best documents I have seen, thanks to the information provided and the organisation of the topics. It is a read not to be missed!

Iran Government Migrating from Windows to Linux

Under new legislation, all Iranian government agencies must plan migration projects to move their computer operating systems from Windows to Linux, the General Manager of Communications and Information Technology said in an interview today with irinn.
Mr Shahami said, "It's much better for us to use open source software because everyone can use it and make changes."
"In Iran's Communication and Information Technology organisation we already use Linux, and we are happy and safe with no costs," added Mr Shahami.
The Center for Advanced Communications and Information Technology at Sharif University of Technology will implement the rollout of the migration.