Monday, 21 October 2013

Skycure Hacked My iPhone To Prove They Can Protect It

Earlier today, I let Skycure founder Yair Amit remotely seize control of my iPhone to prove a point. It worked. The scariest part was that it didn't require my device to be jailbroken; I just had to be convinced to tap a few buttons.
Configured For Attack
The attack Amit used on my device has already been covered on his company's blog, but that didn't make it any less unnerving. It started with a large, friendly button on a website. I tapped it, and the view immediately jumped to the iPhone's Settings application, where I was prompted to install a new configuration profile.
I'll pause right here to say that config profiles are useful for changing VPN settings, email settings, and so on across a large number of devices. That said, there's probably no need for the average user to install one. Though I was complicit in the installation, Amit pointed out that most users could be convinced to do the same with a little social engineering, perhaps by offering free video streaming or free Wi-Fi.
Once installed, Amit could see everything I typed on his screen. He could also force my web browser to visit different websites (in this case, the relatively benign Bing). Then, he politely asked if he could access the Facebook app on my phone. I said yes and, unbidden, the app launched on my screen. The next part was really scary: Amit was then able to log in to Facebook in a browser on his computer, as me.
Amit said that if he were an attacker, he could now learn a lot about me and even impersonate me. Gaining access to social media and email is a critical step for attackers to spread malware or initiate scams because people inherently trust these systems.
He said that in some ways, the same was true for iOS. Referring to Apple's walled garden approach, Amit said, "in this case, perfection is bad for security because people trust everything they're doing." Most people, he argued, probably wouldn't think twice about installing a config profile because they trust their iOS devices so much.
I asked him if he'd seen this kind of attack in the wild. "We see it happening," he said, calling it the worst problem facing iOS devices today.
Skycure's Solution
Before he completely scared the pants off me, Amit explained what the new software from Skycure actually does to keep you safe. On Android, most security applications simply scan apps to check for malware. Skycure, on the other hand, keeps tabs on network traffic, looking for potentially malicious communications.
There's a whole business IT end to their service, but the most interesting part is on the phone. Instead of watching your actual network traffic, they use a "honey pot" approach which mimics the traffic of applications like Mail. If it detects anything untoward, it secures your communications with VPN—or other remediation tactics. And, thankfully, it can remove nasty config profiles.
Amit explained that their dynamic approach means that your Internet connection won't always be throttled by VPN, and your battery won't be unnecessarily taxed either. Also, it lets your communications stay private by mimicking network traffic, instead of monitoring it. They also crowdsourced data on attacks, so that they could identify infected networks or geographic areas (like airports) that attackers frequently use.
Skycure is targeted at businesses, which means I won't be reviewing it any time soon. But it sounds like a remarkably smart way to lock down threats on the iOS platform. Hopefully we'll be seeing this kind of protection come down to the consumer level.
Stay Safe
If you're worried that you might have installed a config profile in the past (I was surprised to find one that I couldn't identify), it's easy to check. Open the Settings app, tap General, and then scroll all the way down. At the bottom you should see a block of three options above Reset: iTunes Wi-Fi Sync, VPN, and Profile.
Don't see Profile? Great news: you don't have any configuration profiles installed on your device. If you do see the page, open it up and try to remember what these are for. If any of them seem suspicious, you can easily delete them by tapping the big red Remove button.
Of course, the best way to avoid this attack is to simply not install configuration profiles from anyone you don't really trust. Or at all. If you ever see a website asking to install one on your device, don't do it!

U.K users targeted with fake ‘Confirming your Sky offer’ malware serving emails

British users, watch what you execute on your PCs! Over the last week, cybercriminals have launched several consecutive malicious spam campaigns tricking users of Sky, as well as owners of Samsung Galaxy devices, into thinking that they’ve received a legitimate MMS notification at their email address. In reality, these campaigns ‘phone back’ to the same command and control botnet server, indicating that they’re related.

Sample screenshot of the spamvertised attachment:
Detection rate for the Sky themed sample: MD5: d880cd5e3fe803c17f4208552ec22698 – detected by 27 out of 48 antivirus scanners as Trojan.Win32.Sharik.qgi
Detection rate for the Samsung Galaxy themed fake MMS sample: MD5: d08c957a004becd0a2404db99d334484 – detected by 24 out of 47 antivirus scanners as Trojan.Win32.Sharik.qgd; VirTool:Win32/CeeInject.gen!KK
Once executed, both samples phone back to a known C&C - networksecurityx.hopto.org.
Related malicious MD5s known to have phoned back to the same C&C server (networksecurityx.hopto.org) since the beginning of the month:
MD5: fa6ad32857e52496893d855e4c87fdc4
MD5: 0754bc0afadf12dcc16185552940a7a2
MD5: c18820db216be9dd45dd71bf4af12221
MD5: c6fc5304b1bc736d26b8d30291d7c233
MD5: 47789cd37bb80db557df461193230864
MD5: c738137d1c3092db0c7f07c829d08c62
MD5: edc52b2493ff148eb595a8931d177b52
MD5: 4d5745981507951a002900509a429295
MD5: af72bac81d90baf692022a2d3bd8cec3
MD5: 0220a490bdaa10c41318f86bb768bc74
MD5: 56dbfb5c1056a9c1c2f37be65d7f2832
MD5: 3d2263abc97d4297c0952c77a41c5db3
MD5: 54c33ecd97185aee6376e1a6aed610f2
MD5: d9c76155f76c4d3d42883ad7c1ca7544
MD5: 207cb51b0777793d0834afdaca41e415
MD5: e4be05e0ec44699f6a7be546e717acb3
MD5: ccd83b51f9733b81bfe556a6315c1a12
MD5: 380a79055e5de4f5f9b4aa5d82e482d5
MD5: a1e6fa2128ed6e0245c86e2d903dfe73
Related C&C server domains from malicious MD5s also known to have phoned back to networksecurityx.hopto.org:
1micro-update.no-ip.org
ahfgluqmcovghpmum.com
aqazrrwmzrvrvoshpi.com
arnvmiypge.com
bhlnvwlfbtre.com
bitvaisemrvzcjbrxpxq.com
brcpaqtlpwq.com
bunzvlesey.com
cdqvfoezutpworgjg.com
chbqrhunxg.com
daobcnqwefamhdfcs.com
eefifitiwwrvd.com
ejpcazebx.com
ezqjymdipjt.com
fdedkrmamntcyaine.com
fidqorildzpt.com
fktihyjhkomdxqkucg.com
fwlxulxb.com
giaddkbzcyaoim.com
gqfpcgbklmmskixc.com
hbrtrminyxb.com
idsuyvhdboaybaprf.com
ioxjbplzwgrinyike.com
iqhbyacfnea.com
jfzgufuwikakyza.com
jhkkssojlwnyjgnsslm.com
kbvmxwjxtvncddaiyb.com
kiovxfffze.com
ktlwxakbho.com
kydtaywfsfrsppvb.com
legcljdgpczw.com
lgsfbhyyrrnalpcbqkob.com
lldpoyrzfi.com
lxynmytvhgyiv.com
micro-update.no-ip.org
obhmbdjxkgmzw.com
oynrnyhmikxd.com
pjgwxsqwbdqh.com
psxfoalsn.com
qcoupmtycgogwblu.com
qtermfciofx.com
raxlendajlubxdhq.com
tccboqhpciznru.com
thnebevjzumnwfkyqwsa.com
update.microsoft.com.nsatc.net
upijkzzgohsviiufgwj.com
vdlkjuqdauwcpdxaybqm.com
vltnftcjrzrxnhfwgf.com
wchdbyuteue.com
xaftdwovbbtvt.com
xbmqunsmgty.com
ykvmiyfbbaqgryd.com
yqmodbxjxgczajstz.com
ytnxvxnlumzvtdelo.com
yyuihmtl.com
zbtgaqubvmmvvcx.com
zjwceimakuvaieqxzdi.com
zlndqawvrrbjhavidol.com
zlohhvqhqgyvbhbhe.com
zmfcmghjbpbxwn.com
zoyvmgsykc.com
zpqwczqatnmmb.com
ztvqcrxbvqd.com
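One way to put the indicators above to defensive use is to check DNS or proxy logs for queries to the listed C&C domains and to check file hashes against the listed MD5s. The following Python is an added example, not code from the original post: the log lines and the hashed bytes are constructed for illustration, while the indicator values are a subset copied from the post (paste in the full list as needed). Note that the domain match is done on label boundaries, so a lookalike such as notnetworksecurityx.hopto.org does not produce a false hit, and a subdomain of a listed domain does.

```python
"""Match DNS log lines and file hashes against the indicators from the post above.

Added example, not code from the original post. The log lines and the file
bytes hashed below are constructed for illustration; the indicator values are
copied from the post.
"""
import hashlib
import re

# Subset of the C&C domains listed in the post (the full list can be pasted in).
CNC_DOMAINS = {
    "networksecurityx.hopto.org",
    "micro-update.no-ip.org",
    "1micro-update.no-ip.org",
    "ahfgluqmcovghpmum.com",
    "zoyvmgsykc.com",
}

# Subset of the MD5s listed in the post, normalised to lowercase hex.
MALICIOUS_MD5 = {
    "d880cd5e3fe803c17f4208552ec22698",  # Sky themed sample
    "d08c957a004becd0a2404db99d334484",  # Samsung Galaxy themed sample
    "fa6ad32857e52496893d855e4c87fdc4",
}

# Constructed DNS log, one query per line: "<timestamp> <client-ip> <type> <name>".
SAMPLE_DNS_LOG = """\
2013-10-21T09:58:01Z 10.1.4.23 A www.example.com
2013-10-21T09:58:07Z 10.1.4.23 A networksecurityx.hopto.org
2013-10-21T10:02:11Z 10.1.4.40 A notnetworksecurityx.hopto.org
2013-10-21T10:05:43Z 10.1.4.17 A cdn.micro-update.no-ip.org
this line is malformed and is skipped
"""

_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+)$")


def domain_matches(name, indicators=CNC_DOMAINS):
    """Return the matching indicator when `name` is an indicator or a subdomain of one.

    Matching on label boundaries (exact name, or '.' + indicator as a suffix)
    avoids false hits such as 'notnetworksecurityx.hopto.org'. Names are
    lowercased and a trailing dot (FQDN form) is stripped first.
    """
    q = name.lower().rstrip(".")
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def scan_dns_log(text, indicators=CNC_DOMAINS):
    """Parse the log and return one hit per query that names a listed C&C domain."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        ts, client, _qtype, qname = m.groups()
        ind = domain_matches(qname, indicators)
        if ind:
            hits.append({"time": ts, "client": client, "query": qname, "indicator": ind})
    return hits


def md5_hex(data):
    """MD5 of a byte string as lowercase hex (MD5 only because the post lists MD5s)."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(md5hex, known=MALICIOUS_MD5):
    """True when the hash (compared case-insensitively) is on the list."""
    return md5hex.strip().lower() in known


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['query']} (matches {hit['indicator']})")
    constructed = b"constructed bytes, not one of the samples from the post"
    print(md5_hex(constructed), "known:", is_known_sample(md5_hex(constructed)))
```

A hit on a dynamic-DNS name such as the hopto.org or no-ip.org entries is worth triaging by client as well as by name, since the same host will usually show up again once the sample retries its check-in.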

New IBM system adds “robust” security to smartphone banking and shopping

Cybercriminals are already targeting mobile banking apps as a “way in” to customer accounts – as witnessed in ESET’s discovery of a new, advanced Trojan, Hesperbot.
But a new IBM system may help secure smartphones – by using near-field communications chips (NFC) for an additional layer of security.
It’s the first system to allow “two-factor” security for smartphones, according to a CNET report.
“When you use your phone to access the service, the phone is no longer the second factor,” said Diego Ortiz-Yepes, a mobile security scientist at IBM Research. “Our two-factor authentication technology based on the Advanced Encryption Standard provides a robust security solution with no learning curve.”
“One billion mobile phone users will use their devices for banking purposes by 2017 – which makes for an increasingly opportune target for hackers,” IBM said in a statement.
Many new smartphones ship with the chips, but payment systems using NFC – a radio system designed for short range communication – have failed to catch on, partially due to security concerns. IBM claims its new system – which requires a card (such as a payment card or employee ID card) and an NFC device – is much more secure.
“The user simply holds the contactless smartcard next to the NFC reader of the mobile device and after keying in their personal identification number (PIN), a one-time code would be generated by the card and sent to the server by the mobile device,” the company says.
“The IBM technology is based on end-to-end encryption between the smartcard and the server using AES (Advanced Encryption Standard) scheme. Current technologies on the market require users to carry an additional device, such as a random password generator, which is less convenient and in some instances less secure.”
IBM scientists in Zurich claim that the system has the advantage of familiarity – many users already use two-factor authentication, for instance to log in to a corporate network.
The system is available from today for any NFC-enabled Android 4.0 device. Future updates will add other NFC-equipped devices.
Financial watchdogs have warned this year that the increasing use of banking apps – often on unprotected smartphones – poses an “important risk” to consumers.
The Financial Conduct Authority, a British watchdog, is to investigate the risks posed by banking apps, according to a report by This is Money – particularly malicious apps that pose as genuine banking apps.

A prompt to save the world: new security features against malware in AutoCAD

A little over a year ago we published our research on the ACAD/Medre worm, a malicious program that not only spread itself through Autodesk AutoCAD files but also sent AutoCAD files via email servers located in China to a series of e-mail accounts. From looking at our LiveGrid™ telemetry, it appeared to be a case of industrial espionage because of the high concentration of detections in Peru. The paper was presented as a “last-minute presentation” at Virus Bulletin 2012, in Dallas.
A year after that presentation, security researchers from Autodesk, along with Microsoft, announced new features in AutoCAD to prevent malware in a presentation at Virus Bulletin 2013 in Berlin. In their paper, the researchers identify the main threats facing AutoCAD, including the ACAD/Medre worm. While it may just be a coincidence that Autodesk’s presentation on improvements to AutoCAD security comes a year after ESET’s ACAD/Medre one, it is still worth looking at this new presentation to see if worms like ACAD/Medre may continue to flourish in the new versions of Autodesk’s programs.
The improvements made by Autodesk were distributed in two stages: first, with AutoCAD 2013 Service Pack 1, significant improvements were made, aimed at preventing the execution of malware. Subsequently, the improvements made to security were built into AutoCAD 2014.
So, with that in mind, just what are the improvements Autodesk made to AutoCAD? The most important one is related to the way in which AutoCAD handles its executable files, which use a .FAS or .LSP filename extension, and are used by virtually all malicious code for these platforms. In AutoCAD version 2013 SP1, new system variables have been introduced which can be configured to block the execution of these files, or to select trusted directories for their execution. So, if a business takes advantage of these features, a trusted directory could be defined for executable files that have been developed by the company, while denying everything else, such as files received from third parties and which may well contain malicious code like ACAD/Medre. These variables, AUTOLOADPATH and AUTOLOAD, configure AutoCAD’s security to prevent threats from being loaded from untrusted directories. It is also possible to load AutoCAD from the command line using the “/nolisp” parameter, which sets the LISPENABLED variable to zero and runs AutoCAD in a kind of “safe mode” so that if any malicious LISP code is run, it will be unable to perform any actions when AutoCAD starts.
For AutoCAD 2014, some new options have been introduced. First of all, the names of some variables and command line parameters have changed:
  • the AUTOLOADPATH variable is now called TRUSTEDPATHS
  • the AUTOLOAD variable is now called SECURELOAD
  • the /nolisp option is now called /safemode
In addition to the features introduced in AutoCAD 2013 Service Pack 1 (with new names), the 2014 edition also includes a new option amidst the existing ones for executable files:
  • Always run executable files.
  • Run the executable files only from the trusted paths.
  • (New) Always run the executable files from trusted paths, but display a warning when run from another location.
In the next picture you can see these options in the AutoCAD 2014 configuration:
By making use of the new option, AutoCAD 2014 users will be prompted whether or not to run the executable file when an AutoCAD file is opened from an untrusted location:
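As an added illustration (not Autodesk's code), the following Python models the load decision those settings describe: a file with a .lsp or .fas extension is loaded, blocked, or held for a prompt depending on the chosen policy and on whether it lies under a trusted directory. The policy names, the decision function and the sample paths are assumptions of this model; only the allow-list idea and the three behaviours come from the post. The part worth studying is the path check, where a naive string-prefix comparison would let C:\TrustedEvil\x.lsp or C:\Trusted\..\Downloads\x.lsp through when C:\Trusted is the trusted directory.

```python
"""Model of the trusted-path load policy for AutoCAD executable files.

Added example, not Autodesk's code. The policy names, the decision function
and the sample paths are assumptions of this model; only the idea (an
allow-list of trusted directories plus the three behaviours) comes from the post.
"""
import ntpath
from pathlib import PureWindowsPath

# The three behaviours listed in the post, under names chosen for this model.
ALWAYS_LOAD = "always_load"              # Always run executable files
TRUSTED_ONLY = "trusted_only"            # Run only from the trusted paths
TRUSTED_OR_PROMPT = "trusted_or_prompt"  # New in 2014: run from trusted paths, warn elsewhere

# Extensions the post names as AutoCAD's executable file types.
EXECUTABLE_SUFFIXES = {".lsp", ".fas"}


def _parts(path):
    """Canonical, case-folded path components: collapses '..' and folds '/' to '\\'."""
    canonical = ntpath.normcase(ntpath.normpath(path))
    return PureWindowsPath(canonical).parts


def is_under_trusted_path(file_path, trusted_paths):
    """True when the file lies strictly inside one of the trusted directories.

    Comparing whole path components (not a string prefix) keeps
    C:\\TrustedEvil\\x.lsp out when C:\\Trusted is trusted, and normalising
    first keeps C:\\Trusted\\..\\Downloads\\x.lsp out as well.
    """
    fp = _parts(file_path)
    for trusted in trusted_paths:
        tp = _parts(trusted)
        if fp[:len(tp)] == tp and len(fp) > len(tp):
            return True
    return False


def is_autocad_executable(file_path):
    """True for the .lsp/.fas files the policy applies to (suffix compared case-insensitively)."""
    return PureWindowsPath(file_path).suffix.lower() in EXECUTABLE_SUFFIXES


def decide(file_path, policy, trusted_paths):
    """Return 'load', 'block' or 'prompt' for an executable file.

    Non-executable files (drawings and so on) return 'not_applicable', since
    the policy says nothing about them.
    """
    if not is_autocad_executable(file_path):
        return "not_applicable"
    if policy == ALWAYS_LOAD:
        return "load"
    if is_under_trusted_path(file_path, trusted_paths):
        return "load"
    if policy == TRUSTED_ONLY:
        return "block"
    if policy == TRUSTED_OR_PROMPT:
        return "prompt"
    raise ValueError(f"unknown policy: {policy!r}")


if __name__ == "__main__":
    trusted = ["C:\\Trusted"]  # constructed trusted directory for the demo
    for sample in ["C:\\Trusted\\lib.fas", "C:\\Downloads\\acad.lsp",
                   "C:\\TrustedEvil\\x.lsp", "C:\\Trusted\\..\\Downloads\\x.lsp"]:
        print(sample, "->", decide(sample, TRUSTED_OR_PROMPT, trusted))
```

The 'prompt' outcome is where the post's usability question lives: the model returns it rather than deciding, because from that point on the result depends on what the user clicks.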
At the Virus Bulletin talk, after showing these features, Microsoft’s presenters showed tests performed with six variants of AutoCAD malware, including ACAD/Medre (which they identify as Blemfox), making use of the different settings offered by new versions of AutoCAD. In AutoCAD 2013, the results of the tests are quite evident:
  • The six variants of malware ran on AutoCAD 2013 with no service pack installed, or when SP1 was installed with default parameters.
  • No malware variant ran on AutoCAD 2013 SP1 when the AUTOLOAD and AUTOLOADPATH parameters were used, or when the software was run with the “/nolisp” parameter.
As seen in the demonstration, AutoCAD’s new options are effective in stopping existing malware, but the default settings are not optimal in terms of safety. During the talk, it was explained that safer defaults were not enabled because (1) this instance is being used to test the suitability of the features for the 2014 release; (2) AutoCAD malware is not a massive issue (which is actually true); and (3) many users of AutoCAD make use of the functionality. This old security vs. usability dilemma is not unique to Autodesk; it took several generations of operating systems for Microsoft to disable the functionality exploited by AUTORUN.INF-spreading worms like Conficker in Windows.
Tests using AutoCAD 2014 were more conclusive, since users are now prompted by default asking whether they want to execute additional code or not. Threats are only executed when the user allows them to execute via the prompt, and all malware was successfully blocked when the users chose “the right” option. Of course, this has both positive and negative sides. On one hand, by using non-default configurations or denying execution when prompted, known malicious code for AutoCAD could not be run on this version. On the pessimistic side, will users deny the execution of safe code because a prompt warned them? Experience with Microsoft’s UAC varies, in that the security depends on the user making the right click. How safe is this feature? Of course this is a relative concept, and one that is always subject to decisions on the part of the user. Therefore, raising awareness about potential security issues inside the program is a must.
While writing this post I thought about some of those phrases that are repeated daily and quite clearly describe what happens. There is a phrase alleged to be from Don Quixote by Miguel de Cervantes Saavedra (actually the phrase does not appear in this book in Spanish-speaking countries) that says something along the lines of “…dogs bark, it is a sign that we are riding” [on horses, of course]. The phrase means that when you are riding a horse, it is good to hear the dogs, as it is a sign that you are moving forward. At the end of the day, we are glad that published research results in software companies improving the safety of their products. It is important that product security is continuously evaluated and enhanced, not only to mitigate existing threats but also to prevent new ones.
“Better than nothing” is another phrase often heard daily. I thought about this while listening to the presentation: if security depends solely on the user choosing the right option, is it good or bad security? Although it sounds glib, the phrase is pretty true: it’s still better than nothing. In previous versions of AutoCAD, security was entirely dependent on the user, and it was impossible to block this kind of threat in the software itself, so the only defense was to rely on malware detection.
While security purists would prefer that the default settings completely deny the execution of all executable files, the counterarguments to this approach that were presented by Autodesk are quite convincing: the relatively small number of existing malware families and infection reports do not justify security measures so strong that they begin to limit functionality in the product. Undoubtedly, while making this concession of security to usability, it is still important to be on the lookout for new threats that may arise, to continue providing protection against these threats, and to create awareness among users so that they know the difference one simple click can make between infecting their system or not. As Spider-Man’s Uncle Ben told him, “With great power there must also come – great responsibility!”
Sebastián Bortnik
Education & Research Manager for ESET Latin America
Sources:
- “A Panoply of Protection: new security and anti-malware measures in AutoCAD”, Virus Bulletin Paper by Eileen Sinnott (Autodesk) and Raymond Roberts & Jakub Kaminsky (Microsoft).
- About Protecting Against Malicious Code: http://docs.autodesk.com/ACD/2014/ENU/index.html?url=files/GUID-9C7E997D-28F8-4605-8583-09606610F26D.htm,topicNumber=d30e104297

Adobe hackers behind breach at PR Newswire – but company claims “no fake releases” have gone out

The global press release distribution firm PR Newswire has admitted to a large-scale breach, in which usernames and passwords were stolen – but claims hackers have not sent out “fake” releases, which can be used to manipulate financial markets or cause other disruption.
The breach was uncovered by security reporter Brian Krebs, and reported on his blog, Krebs on Security. Krebs says that the breach is tied to the attackers who broke into Adobe’s systems – the stolen data was found on the same servers that hosted source code stolen from Adobe.
Krebs says that the stolen data appears to date from March. PR Newswire is alerting affected customers and initiating password resets. Ten thousand accounts were on the database, and these appear to be firms in Europe, the Middle East and Africa, Krebs said.
PR Newswire says that the data has not been used to send out “fake” press releases – a highly powerful tool in the hands of criminals.
Last week, Cision AB, a press-release company, published a “completely false” release about Samsung buying a small biometrics firm. The news was republished around the world, and shares in the company soared. The case is currently being investigated by police, according to a report by Engadget.
“There has been no major fallout, but the ramifications could have been serious. If a hacker compromised a PR Newswire account and began disseminating false information, it could seriously affect the share price of the related firm,” said TechWeekEurope in a report.
“PR Newswire has protocols and redundancies in place that are designed to minimize the risk of distributing fraudulent press releases, including both technological and human safeguards prior to issuing any release,” the company said in a statement.
“The database contains approximately 10,000 records; however, there is only a minority of active users on this database. Those users represent an even smaller number of customers, as each customer generally has multiple usernames. PR Newswire decided to implement a mandatory password reset for all customers with accounts on this database as a precautionary measure.”
The data stolen from PR Newswire was tiny in comparison to the breach suffered by Adobe, which ESET researcher Stephen Cobb described as “unprecedented” – not only did the attackers gain access to 2.9 million usernames and encrypted passwords, source code was also stolen for Adobe products.
Cobb said that this attack was, “pretty much unprecedented” in terms of the potential risks it posed.
“We have seen previous breaches of customer information that were bigger than this, but if, as Brian Krebs suggests, the source code of Adobe Acrobat has been compromised, that would be pretty much unprecedented.”
“According to Adobe’s own figures, there are hundreds of millions of instances of Adobe Reader and Acrobat, across all major computing platforms, including Windows, Mac, iOS and Android,” Cobb says. Access to the source code could be a major asset for cybercriminals looking to target those platforms.
Krebs claims that Adobe and PR Newswire are by no means the only companies targeted by this group – and says further revelations are forthcoming.

Indonesia overtakes China as leading source of cyberattacks, Akamai reports

Cyberattacks seem to be a growth industry in Indonesia, with the region having pushed China off the top spot as the leading source of attack traffic in the last quarter, according to internet services provider Akamai.
In the second quarter of 2013, Indonesia nearly doubled its attack traffic from 21% to 38% of the global total. The attacks are measured by hidden “agents” maintained by Akamai, concealed across the internet – which log connection attempts.
Between them, China and Indonesia now account for nearly half the attack traffic in the world. China generates 33%.
According to PC World, the rise of Asia-Pacific as a source of attacks has been rapid – Asia Pacific now accounts for 89% of attacks, compared to 56% in the fourth quarter of 2012.
Akamai acknowledged that it is difficult to track where attacks originate from, “as the source IP address may not represent the nation in which the attacker resides. For example, an individual in the United States may be launching attacks from compromised systems anywhere in the world.”
The rapid rise of Indonesia as a source of attacks is highly unusual, according to a Bloomberg report.
Less than a year ago, the country accounted for just 1% of global attacks. Akamai also noted that the speed of the average internet connection in Indonesia had increased 125% in the last quarter. Bloomberg commented that this could allow cybercrime to “run rampant.” Tifatul Sembiring, the country’s IT minister, said that cybersecurity would become a national priority, according to Bloomberg.
In Akamai’s last report, for the first quarter of 2012, author David Belson cautioned against drawing conclusions about the Indonesian figures: “It’s entirely possible that the system that’s contacting Akamai is being used as a proxy or a waypoint by an attacker that is located somewhere else. So in Indonesia, for instance, it may be the case that for some reason there are a number of end-user systems that have been compromised and are under the control of a hacker in Russia or somewhere else,” says Belson.
The United States remained in third, despite dropping from 6.9% to 8.9%.
DDoS attacks also rose, according to the company, “In the second quarter of 2013, Akamai customers reported 318 attacks, a 54 percent increase over the 208 reported in the first quarter. At 134 reported attacks, the Enterprise sector continued to be the leading target of DDoS attacks, followed by commerce, media, hi-tech and public sector.”
Akamai also noted the actions of the Syrian Electronic Army, saying that the high-profile attacks all followed a similar pattern, “The attacks all employed similar spear-phishing tactics in which internal email accounts were compromised and leveraged to collect credentials to gain access to targets’ Twitter feeds, RSS feeds and other sensitive information.”

The 4 Biggest News Media Outlet Hacks Ever

If it seems like the list below is dominated by recent events, that is for good reason: Major media outlets have increasingly poured resources into their websites and social media accounts, which have in turn become the target of hackers worldwide. And 2013 was a banner year for attacks on major media outlets, led by a wave of website and social media attacks from the Syrian Electronic Army which, more than being a nuisance to the organizations and users they have affected, have been indicative of the very bare minimum of inconvenience and destruction cyber warfare poses.
media_title_EN
Fox News: In a way, these were the quaint old days of online media attacks. On July 4th, 2011, a message announcing the assassination of President Barack Obama was posted on Fox News’ Twitter account. This quickly turned out to be an erroneous announcement. The Secret Service launched an investigation of the incident, which was supposedly carried out by a group called Script Kiddies. “Fox News was selected because we figured their security would be just as much of a joke as their reporting,” one Script Kiddies member reportedly told Stony Brook University’s Think magazine.
NBC: An attack on NBC.com in February, 2013 potentially put visitors to the site in danger. That’s because attackers loaded the NBC.com site with the Citadel Trojan, banking malware that could potentially have been automatically transferred to the systems of anyone who visited the site, a tactic known as ‘drive-by downloading.’ The attack caused the site to be temporarily blacklisted by Google, and it also popped up on other NBC sites that day including the website for “Late Night with Jimmy Fallon.”
AP: In April of 2013 hackers overtook the Twitter account of Associated Press and posted a false message that briefly caused a social media panic and sent the stock markets tumbling: “Breaking: Two Explosions in the White House and Barack Obama is injured.” It turned out to be completely false, but it caused a $130 million drop on the S&P until the White House quickly released a statement flatly denying the claim, at which point the markets bounced back. It also was among the first introductions on the worldwide stage of the Syrian Electronic Army, a group of online attackers sympathetic toward Syrian President Bashar al Assad. It wasn’t the first — or the last — big media takedown by SEA, either. Prior to this it had hit the BBC, NPR and Reuters, among others. The AP attack was made possible by information gained from targeted phishing emails sent to AP reporters, which contained bogus links that the reporters clicked through on. The lesson? Never click on links unless you are beyond certain you know who sent them to you.
Twitter/New York Times: Arguably the greatest takedown of a media outlet ever was actually a two-for-one special perpetrated by the SEA in August, 2013. Two weeks after it hacked the Washington Post’s website it carried out perhaps the two biggest media attacks of all time in the same day when it crashed the website of the New York Times and temporarily took over Twitter’s domain. “Hi @Twitter, look at your domain, its owned by #SEA:)” the SEA announced on its own Twitter page. The Twitter attack resulted in trouble with access to images and some general user access and lasted about 90 minutes, but the company said no user information was compromised. The NYT hack lasted for hours, during which time the company kept posting news stories on its Facebook page. Other media outlets were hit by SEA that day too, including Huffington Post UK. Of course, this was hardly the SEA’s first time striking media outlets, and is a mere suggestion of what could occur when political/activist attacks turn into full-on cyber warfare.

Spear Phishing Attacks Target Energy Industry Enterprises with SCADA Systems

While the energy industry may fear the appearance of another Stuxnet on the systems they use to keep oil and gas flowing and the electric grid powered, an equally devastating attack could come from a much more mundane source: phishing.
Rather than worry about exotic cyber weapons like Stuxnet and its big brother, Flame, companies that have Supervisory Control and Data Acquisition (SCADA) systems -- computer systems that monitor and control industrial processes -- should make sure that their anti-phishing programs are in order, say security experts.
"The way malware is getting into these internal networks is by social engineering people via email," Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe, said in an interview.
"You send them something that's targeted, that contains a believable story, not high-volume spam, and people will act on it by clicking a link or opening a file attached to it," he said. "Then, boom, the attackers get that initial foothold they're looking for."
In a case study cited by Belani, he recalled a very narrow attack on a single employee working the night shift monitoring his company's SCADA systems.
The attacker researched the worker's background on the Internet and used the fact he had four children to craft a bogus email from the company's human resources department with a special health insurance offer for families with three or more kids.
The employee clicked a malicious link in the message and infected his company's network with malware. "Engineers are pretty vulnerable to phishing attacks," Tyler Klinger, a researcher with Critical Intelligence, said in an interview.
He recalled an experiment he conducted with several companies on engineers and others with access to SCADA systems in which 26 percent of the spear phishing attacks on them were successful.
Success means that the target clicked on a malicious link in the phishing mail. Klinger's experiment ended with those clicks. In real life, those clicks would just be the beginning of the story and would not necessarily end in success for the attacker.
"If it's a common Joe or script kiddie, a company's [Intrusion Detection Systems] will probably catch the attack," Klinger said. "If they're using a Java zero-day or something like that, there would be no defense against it."
In addition, phishing attacks are aimed at a target's email, which are usually located on a company's IT network. Companies with SCADA systems typically segregate them from their IT networks with an "air gap."
That air gap is designed to insulate the SCADA systems from the kinds of infections perpetrated by spear phishing attacks. "Air gaps are a mess these days," Klinger said. "Stuxnet taught us that."
"Once you're in an engineer's email, it's just a matter of cross-contamination," he added. "Eventually an engineer is going to have to access the Internet to update something on the SCADA and that's when you get cross-contamination."
Phishing attacks on SCADA systems are likely rare, said Raj Samani, vice president and CTO of McAfee's EMEA.
"I would anticipate that the majority of spear phishing attacks against employees would be focused against the IT network," Samani said in an interview. "The espionage attacks on IT systems would dwarf those against SCADA equipment."
Still, the attacks are happening. "These are very targeted attacks and not something widely publicized," said Dave Jevans, chairman and CTO of Marble Security and chairman of the Anti-Phishing Working Group.
Jevans acknowledged, though, that most SCADA attacks involve surveillance of the systems and not infection of them. "They're looking for how it works, can a backdoor be maintained into the system so they can use it in the future," he said.
"Most of those SCADA systems have no real security," Jevans said. "They rely on not being directly connected to the Internet, but there's always some Internet connection somewhere."
Some companies even still have dial-in numbers for connection to their systems with a modem. "Their security on that system is, 'Don't tell anybody the phone number,'" he said.

Syrian Electronic Army attacked most major Qatar websites

The Syrian Electronic Army attacked most major Qatar websites to protest the Qatari government's support for the rebels fighting Assad.

The Syrian Electronic Army (SEA) has hit a new series of targets in a large hacking campaign against high-profile Qatar-based websites. The Syrian Electronic Army is considered one of the most active and dangerous groups of hacktivists due to the large number of high-profile companies and government entities it has successfully attacked, including Facebook, Twitter, Google, The Financial Times, The Guardian, the Associated Press, Aljazeera, numerous government and military websites and The White House.
Starting at about 1.54am local time, the Syrian Electronic Army posted the following message on Twitter:
Qatar is #down 
and immediately afterwards the group started to take down government and private websites.
[Image: Syrian Electronic Army tweet "Qatar is down"]
A large number of domains with the .qa extension were attacked, including those of Qatar's Ministry of Information and Communication (ictQatar), the Supreme Education Council, the Emiri Diwan, and even Google.com.qa.
It seems that the Syrian Electronic Army gained access to the Qatar Domain Registrar (portal.registry.qa) and modified the DNS records to redirect the targeted websites to servers controlled by the group. The hackers posted the following image on Twitter to demonstrate that they had gained access to the Domain Registrar of Qatar:
[Image: Syrian Electronic Army registry zone info]
These servers were used to show defacement pages with the images of the Syrian President Assad and the group’s symbol.
[Image: Syrian Electronic Army defaced page]
The list of the targeted websites was posted on Twitter by members of the Syrian Electronic Army:
  • moi.gov.qa
  • facebook.qa
  • gov.qa
  • vodafone.qa
  • aljazeera.net.qa
  • google.com.qa
  • ooredoo.com.qa
  • diwan.gov.qa
  • qaf.mil.qa
  • mofa.gov.qa
Such a long list is really shocking in my opinion and demonstrates how dangerous state-sponsored operations against private enterprises can be; those enterprises must be supported by their respective governments' cyber strategies.
Why did the Syrian Electronic Army attack Qatar?
The Syrian Electronic Army has targeted the Qatari government many times because of the support it provides to the rebels inside Syria who want to overthrow President Al-Assad's regime.
Last April the group hacked FIFA's Twitter accounts to publicly accuse Qatar of buying the 2022 World Cup; that attack was preceded by the hack of Qatar Foundation's social media accounts.
Fortunately, DNS attacks like these have limited impact: victims are typically able to regain control of their websites a few hours after such an attack.

Apple iMessage vulnerable to MITM attack

Quarkslab researcher Cyril Cattiaux has revealed that Apple lied when it claimed it could not intercept iMessages sent by its users.

Quarkslab researcher Cyril Cattiaux revealed that it is possible to break the encryption implemented in Apple's iMessage application because of a weakness in the key management process. The announcement was made during the Hack in the Box conference in Malaysia this week.
Cattiaux, aka pod2g, is known for having developed an iOS jailbreak; this time the researchers maintain that iMessage encryption is vulnerable to eavesdropping, despite Apple having always declared it to be secure end-to-end encryption.
"For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data," Apple declared in a statement on its website.
According to the researchers, Apple is able to access iMessage content by changing the keys whenever it needs to; it should be noted that they confirm there is no evidence that Apple or the NSA are actually analyzing iMessage content, even though it is technically possible.
"Apple's claim that they can't read end-to-end encrypted iMessage is definitely not true," they said. "Apple has no reason to do so. But what of intelligence agencies?"
The reference to the PRISM case and to Snowden's revelations about the collaboration Apple offered the NSA for surveillance activities is clear.
When a user sends an iMessage to someone, the sender's device takes the recipient's public key from Apple and encrypts the message with it. Once the message is received, the recipient decrypts it with his private key, following the classic asymmetric encryption scheme. Apple acts as the Certification Authority of the PKI: public keys are managed on a server called ESS that cannot be publicly inspected.
The researchers created their own bogus Certification Authority and inserted it into the iPhone Keychain, which let them act as a proxy and inspect the SSL-encrypted traffic. Cattiaux noted that the Apple ID and password were transmitted in clear text during the iMessage exchange. Since Apple controls the public key repository, it could perform a MITM to intercept users' messages.
[Image: iMessage MITM]
They exploited the lack of any mechanism telling devices to trust only a specific certificate for the PUSH and iMessage servers, which allows a fake certificate authority added to the user's Keychain to be accepted.
"Firstly, it means that Apple [and intelligence agencies] can replay our password using for instance our email on many websites. Secondly, it also means that anyone capable of adding a certificate and able to [proxy] the communications can get user's Apple ID and password, thus get access to include accounts, backups" and app purchasing.
There is also a concrete risk that enterprise IT managers, when provisioning Apple devices with mobile device management platforms, could intercept sensitive Apple user account details, including iCloud usernames and passwords.
"If the device is connected to iPhone Configuration Utility, Apple's enterprise solution for management of iPhones, a trusted CA (Certificate Authority) is added. The consequence is that all subsequent certificates signed by that CA will be trusted to create the SSL communication. It means all companies using that are able to retrieve their employee's AppleID and password by simply [proxying] the SSL communication."
A possible implementation that would dispel doubts about Apple's good faith is to store users' public keys locally within iOS, avoiding centralized management by Apple.
I suggest reading the interesting analysis published in the researchers' blog post.
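The key-directory weakness described above and the local key storage proposed as a remedy, as an added toy model that is not Quarkslab's or Apple's code: a provider-controlled directory can hand the sender a substituted key it holds the private half of, and a device that pins the first fingerprint it saw for a contact refuses to encrypt to a silently changed key. The RSA parameters, user names and fingerprint scheme are constructed for illustration only.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Toy textbook RSA from two constructed small primes: ((n, e), (n, d)).
    Needs Python 3.8+ for the modular inverse via pow(e, -1, phi)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def encrypt(pub, m):
    return pow(m, pub[1], pub[0])

def decrypt(priv, c):
    return pow(c, priv[1], priv[0])

def fingerprint(pub):
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

class KeyDirectory:
    """Provider-controlled key server (stands in for the ESS server)."""
    def __init__(self):
        self.keys = {}
    def publish(self, user, pub):
        self.keys[user] = pub
    def lookup(self, user):
        return self.keys[user]

class Sender:
    """Device fetching keys from the directory. With pin=True it keeps a local
    copy of the first fingerprint seen per contact (the local storage the
    article proposes) and refuses a key that changed without notice."""
    def __init__(self, directory, pin):
        self.directory, self.pin, self.pins = directory, pin, {}
    def send(self, to, m):
        pub = self.directory.lookup(to)
        fp = fingerprint(pub)
        if self.pin and self.pins.setdefault(to, fp) != fp:
            raise ValueError(f"key for {to} changed: {self.pins[to]} -> {fp}")
        return encrypt(pub, m)

def run_scenario():
    """Returns (mitm_read_naive_message, pinning_client_detected_swap)."""
    directory = KeyDirectory()
    bob_pub, bob_priv = make_keypair(61, 53)      # constructed toy primes
    directory.publish("bob", bob_pub)
    naive, pinned = Sender(directory, pin=False), Sender(directory, pin=True)
    assert decrypt(bob_priv, pinned.send("bob", 42)) == 42  # honest directory
    # The directory operator swaps in a key whose private half it holds.
    mitm_pub, mitm_priv = make_keypair(67, 71)
    directory.publish("bob", mitm_pub)
    mitm_read = decrypt(mitm_priv, naive.send("bob", 42)) == 42
    try:
        pinned.send("bob", 42)
        detected = False
    except ValueError:
        detected = True
    return mitm_read, detected
```

Pinning only catches a swap after the first honest contact; a directory that lies from the very first lookup is not detected, which is why the researchers argue for taking the key repository out of the provider's hands.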

Qatar websites targeted by Syrian Electronic Army (SEA)

Several Qatar-based websites were hacked into and shut down by an online group of cyber criminals supporting Syrian President Bashar Al Assad.
A number of Qatar websites with the domain name .qa were taken offline for several hours, with the Syrian Electronic Army (SEA) claiming responsibility.
Some of the websites targeted include government portals, the Ministry of Interior, the Supreme Education Council, facebook.qa, google.com.qa, and several Qatar-based news sites.
“Qatar is #down” the SEA tweeted on Saturday.
SEA gained access to the domains by hacking into the registrar managed by Qatar’s Ministry of Information and Communication (ictQatar).
“It was a temporary hitch and the hackers could not do any serious harm,” ictQatar said in a statement.
In the past, SEA has hacked FIFA’s Twitter account, Qatar Foundation’s social media accounts and the Al Jazeera news channel’s website.
The SEA has also disrupted the websites of US media and internet companies and this summer threatened to step up such hacking if Washington took military action against Damascus.
Thus far, the SEA's most disruptive act was in April when it broke into the Twitter account of the Associated Press and sent fictional tweets about explosions at the White House. The false messages sent the stock market into a downward spiral that, for a short time, erased more than $100 billion in value.
The SEA, which has its servers based in Russia, has also targeted the Huffington Post and New York Times websites this summer by gaining access to MelbourneIT, an Australian internet service provider that sells and manages domain names.