Friday, 8 November 2013

iOS App Vulnerability Could Let Attackers Hijack Your Apps

From Skycure
During a Main-in-the-Middle attack, someone hijacks your connection to a secure site, receiving everything sent by either party and passing it along, possibly with malicious changes. But a MITM attack ends when you disconnect from the network. Not so any longer says Yair Amit from Skycure (the guys who hacked my iPhone). They've apparently uncovered a vulnerability that can permanently change the behavior of apps in iOS.
Meet the HTTP Request Hijacking Attack
Skycure calls it a HTTP Request Hijacking Attack and it begins, Amit said, with a MITM attack. While you're connected to the malicious network, the attacker monitors your traffic and looks for apps retrieving information from servers. Then the attacker intercepts that request and sends a 301 HTTP status code back to the application. This is a permanent redirection error, and tells the browser that the server it's looking for has been permanently moved to another location.
All the vulnerable apps, Amit explained, will cache the change made by the 301 code and continue to connect to the redirected server for the foreseeable future. In a non-malicious scenario, this is great for users since it means faster and more reliable connections. But when the attacker sends his 301 error, it forces the application to start loading information from his server.
The implications are interesting. Amit pointed out that many news and stocks applications don't have URL bars, so it's not clear to the user where the information is coming from. In the case of a compromised news application, Amit said, "now you're reading fake news from the attacker."
Such an attack could be subtle, maybe feeding fake stories or inaccurate stock information to manipulate the market. Or an attacker could conceivably mirror all the information from a news app's server but inject malicious links for phishing, or worse.
Widespread But Unused
The scariest thing Amit told me wasn't what the attack could do, but how widespread it was. Because it's so simple, thousands of apps appear to be affected. So many, that Skycure says that the only way to only way to responsibly disclose the vulnerability was to describe it publicly without revealing the names of affected apps.
The good news is that Amit says his team hasn't seen this particular attack used in the wild. The implication, of course, is that developers should move quickly to update their apps and resolve the issue before someone starts using it. Any developers out there should head over to Skycure for suggestions on how to improve their apps.
Staying Safe
The best thing users can do is to keep their apps up to date, as developers are likely to begin implementing fixes across vulnerable apps. If you think you've already been hit by this particular attack, you should un-install the suspect application and then reinstall it from the App Store.
Avoiding this attack in the future is easier in theory than it is in practice. "It is always safer to not to connect to [unsecured] WiFi networks, but at the end of the day we always do," said Amit. Sometimes, it's not even an issue of convenience as phones are can connect to Wi-Fi networks without user actions. Amit explained, saying that AT&T customers automatically connect to AT&T networks. He also pointed out that if an attacker used malicious profiles, as Skycure did when they hacked my iPhone, not even an SSL connection could stop the attack.
The onus, according to Skycure, is on developers to build their apps to avoid the problem in the first place. And hopefully soon, since the information on the vulnerability is now available.

NSA Tangled Up In Russian Ransomware Threats

Blue Coats NSA Ransomware 2 Is the NSA demanding that you pay up for a cybercrime? How outrageous is that? Luckily, the NSA isn't actually behind any of this. This is just another scamto get your money involving fake law enforcement. In a recent blog post, IT security company Blue Coat addressed last week's attacks on visitors to the php.net Web site. Their investigation revealed that one of the sneakier ransomware applications wrote ransom notes to victims using personal information the victims believed was from the NSA.
Ransomware apps don't seem to be very creative lately. Most follow the same pattern: victims receive what appears to be an official notification that they've committed a cybercrime, usually including child pornography. In order to get out of this latest ransomware mess, the scam demands the victim pay $300 through an untraceable payment card.
We Know Where You Live
Based primarily in Russa, ransomware gangs use geolocations of victims' IP addresses to deliver fake warnings with names and logos of nations' law enforcement organizations. For instance, if you're in Australia or Canada, the threats you receive could include images of blue heelers or mounties to make the threat look all the more real. At the top of US victims' screens are NSA and Central Security Service logos.
Once installed, the malware visits Google or MSN to see if the computer is online. After it successfully connects, it performs an initial check-in with its home base by sending some data to a server in Ryazan, Russia, a city southeast of Moscow. The malware then uploads a chunk of encrypted data to the Web server xaraworkbook.us.
Continued Contact
Check-ins to Web servers continues about once every five minutes. The check-in connections all have a ransomware affiliate ID and the infected computer's profile information. Interestingly, the particular file paths mentioned in the ransomware notice don't exist in Windows XP.
You might think it's unlikely that you'll ever be victim to one of these scams, but it's always better to be safe than sorry. Invest in and regularly update antivirus software such as Norton AntiVirus (2014) or one of our other Editors' Choice antivirus products. Be smart about protecting your personal data because you never know what cybercriminals have up their sleeves next.

New ‘inkblot’ passwords could be safe – even AFTER a big breach, researchers claim

A new “inkblot” password system could provide a near-unbreakable layer of security for high-value information such as bank accounts – even if the password leaks as part of a large-scale site breach. The system relies on users describing patterns of blots, then matching descriptions to patterns – and should be foil the automated programs used by cybercriminals, the researchers say.
Scientists at Carnegie Mellon University devised their GOTCHA system as an additional layer of protection for “high-value” accounts, such as bank accounts or medical records. They have challenged other researchers to break it using AI.
Users are shown a series of ink blots, and describe them with a Rorschach-test-style phrase – for instance, “tree with leaves falling” or “evil clown”  – the phrases are stored. When a user wants to access the account, they’re shown the blots AND their descriptions, but in random order – to get in, they match them.
“These are puzzles that are easy for a human to solve, but hard for a computer to solve, even if it has the random bits used to generate the puzzle,” said Jeremiah Blocki, a Ph.D. student who worked on the system.
The automated password-crunchers used by hackers may find the word-association more troublesome, the researchers hope. While passwords such as “123456” are very easy to crack – two million Adobe users relied on that password, as reported by We Live Security – computer programs can evaluate 250 million hashes a second, according to RedOrbit.
Even complex passwords will “fall” in the end. The blots, however, should be more indigestible to computers.
Even long, complex passwords are vulnerable to the latest “brute force” programs employed by cybercriminals – once a site has been breached, cybercriminals have a long time to “guess” passwords. But guessing GOTCHAs in this way would be impossible, the researchers claim.
“To crack the user’s password offline, the adversary must simultaneously guess the user’s password and the answer to the corresponding puzzle,” Datta said. “A computer can’t do that alone. And if the computer must constantly interact with a human to solve the puzzle, it no longer can bring its brute force to bear to crack hashes.”
As Network World Reports, the researchers have challenged others to crack the passwords/puzzles using AI. You can find the GOTCHA Challenge here.
The only problem, the researchers say, is to make people remember their own passwords. In theory, it’s easy – once they’ve described an inkblot, that description is stored – they don’t have to memorize it, merely pick it from a list.
However, when the researchers performed a user study with 70 participants, where each user was asked to describe 10 inkblots with creative titles, such as “evil clown” or “lady with poofy dress,” of the 58 participants who participated in the second round of testing, one-third correctly matched all of the inkblots and more than two-thirds got half right ten days later.
Blocki said that the user study may have had design flaws – including low “financial incentives”. The difficulty in identifying patterns could also be overcome by forcing users to use longer descriptions, such as “a happy guy on the ground protecting himself from ticklers,” he said.

How can domestic violence survivors protect their privacy?

It is not often that we cover subject matter in a computer security blog that require a “trigger warning”, but today is one of those days. The following blog deals with potentially difficult information regarding protecting people who have been the victims of domestic abuse or stalking that could trigger an extreme reaction in people who’ve been traumatized by similar experiences.
_____
Domestic violence is not something that gets discussed much in information security circles, for a variety of possible reasons, but there are few people that need advice on assuring their online safety more urgently than victims of stalking and domestic abuse. How exactly do the particular information security needs of people in these situations differ from the norm? What can people do to protect themselves when there is a known and persistent threat? After looking into this, I am left with as many questions as answers.
Before we get into the meat of this article, let me provide a frame of reference: I will be focusing on those victims of domestic abuse and stalking that have escaped the situation, and are now looking to avoid further contact with their abusers. The subtleties of getting protection while still in the environment in which domestic abuse is taking place go more into the realm of psychology than simple computer security concerns. And because there is so much more to be explored on this particular subject, think of this article less as something prescriptive, and more of an open-ended discussion. If you have experience on this subject, I welcome you to add your voice to the comments to help educate me as well as other readers.
Digital Privacy
Before discussing specific security recommendations, it’s important to point out that any computing devices (that is to say, both laptops and desktops as well as phones and tablets) that predate exiting the domestic violence situation should be considered compromised, and should ideally be replaced, or at least restored to factory default if at all possible. This will decrease the possibility of spyware or other tracking software being present on the device. You may wish to back up (and encrypt) your data to an external hard drive or remote location first.
It is obvious that all those things that security advocates are wont to say to help people protect their data applies far more acutely to those who are trying to hide themselves from a determined and potentially violent individual. Let us quickly cover those security basics that are even more essential to victims of abuse:
  • Regularly updated software
    Most Spyware installations now exploit vulnerabilities in software to install more silently, but you can help combat this by updating and patching your operating system and any applications on your computer as soon as possible. The latest versions of the major operating systems are set by default to at least alert you to both application and OS updates. And over time, operating systems are including more and more security features to help alert you to and/or combat attacks.
  • Network and on-disk encryption
    The best way to protect your data from prying eyes is to make more of it unreadable to outside parties. And the best way to do this is to encrypt as much as you can both data that is saved on your hard disk, and data that you send out of your machine, via email, web or other methods. There are tools to help you encrypt email, and to ensure more of your web sessions are encrypted. There are also chat clients that allow you to exchange encrypted messages with your contacts. You can use a VPN client to give yourself an additional layer of security. And many of these things are available for free or low cost.
  • A comprehensive security suite
    Spyware is easily found or purchased online, which will allow an attacker to view keystrokes, web-surfing history, and potentially to eavesdrop on      audio or video capabilities on a victim’s computer. A reputable anti-malware product is a good idea, but it would also be advisable to have at least a software or hardware firewall as well, regardless of what operating system you use. You may also wish to look into supplementing your security suite with an application whitelist as well, which limits allowed applications to a specific list of approved software.
  • Good password hygiene
    Most of our online life revolves around logging in to various sites and services. It is also one of the most easily breached parts of our digital identity. Whether you use a password manager or come up with a system to create a strong, memorable and unique password for each of your various online accounts, be sure to change those passwords regularly.
Everyday activities are fraught
Whether an intruder’s motivation is financial or personal – as in the case of domestic abuse –  anyone looking to gain another’s data has two main ways to go about it: by force, or by social engineering. Gaining data by force would include approaches like direct attacks (either physical or digital), such as the use of malware or hacking into online accounts. Social engineering is a term sometimes applied to any way an attacker can convince someone to give them access to data. The target may be either the victim himself or herself, or a third party.
The advice given above is primarily intended to protect against direct attacks like malware, and hacking, and to a lesser extent phishing. Technology and good common sense will not necessarily protect you against every sort of direct attack, but it can lessen the risk considerably or at least make it far more difficult and time-consuming for the attacker.
However, not all our data is within our control, and this is where things can get very problematic and complicated. We are all required to provide a variety of personal information in our day-to-day lives – everywhere from the car service center to the accountant. Unfortunately, once the data is out of our hands, it is also out of our control. Many companies have data retention policies and are strict about giving out customers’ information, but many other places do not. Fortunately, the places where it is most important to keep your contact information up to date are also the ones that are most likely to have strict policies.
This is where there are more questions than answers. There is plenty of advice out there for people who are trying to protect themselves after a domestic violence incident. The variety of tips and techniques are seemingly endless, but they boil down to a few basic ideas:
  • Relocate
    Put physical distance between yourself and your abuser. If you move to another state, make sure your restraining order covers this situation. Be      aware that different countries may have different laws regarding domestic violence, or restraining/protection orders. In some instances you may be able to pursue protection orders that cross national borders, depending on the countries in question.
  • In the US, apply to the address confidentiality program in your state
    Programs exist to allow people who have been victims of certain types of crimes to have a confidential mailing address, separate from their      physical address. Check this list of address confidentiality programs in the US to see if you are eligible.
  • Open a post office box to receive mail
    Ideally, you should have a place to receive mail and use for certain accounts and services, which is not your home address. Be aware that this is not useful for all services, especially those that require your home address, such as certain types of insurance.
  • Close accounts that you both have access to
    Regardless of how innocuous the account access might seem, if a joint account contains any personal information or historical activity, this could be used by an abuser for social engineering purposes. It is best to close existing accounts and start with no history from previous accounts. This applies equally to accounts like phone service or store loyalty programs or digital accounts such as email or social networking sites.
  • Be aware of location-tracking
    If you open new accounts on various services, be aware that many social media  sites actively share your location, or it may be leaked when you      “check in” to a physical location, or share a photo with GPS location data embedded in it.  Set the privacy options for any services you use to their highest settings, and disable the storing GPS location data in pictures. Also, carefully consider the levels of risk associated with using online services:  It may be safer to stay offline.
  • Be aware of your surroundings, both physically and digitally
    As you go about your daily routines, both in the physical world and the digital one, it is important to be aware and mindful of your surroundings.      What information are you intentionally giving out? What information are you (or others, on your behalf) inadvertently giving out or leaving lying      around? Who can see where you are, where you are going, or where you have been?
  • Guard your data
    Once you are aware of what data you have to be gleaned, take steps to keep it protected while it is in your care (such as with encryption, or being      judicious with app permissions) and be cautious about who you give information out to. Whenever possible, give out only information that does      not link to your home address.
  • Avoid web sites and services administered or moderated by the abuser
    If your abuser regularly accesses (or even helps administrate or moderate) a web site you both use, stop accessing it, as they may have access to      server logs which contain your network connection’s IP address. IP addresses can be geo-located in order to determine approximately where a computer is located. This also includes online games, as in-game communications and actions may reveal your location as well.
  • Block all contact from the abuser
    Email and messaging account traffic can similarly be used by an abuser to gather location data on their victim, so wherever possible block accounts known to be used by him or her. You may also wish to block accounts used by friends or family of the abuser.
The advice here is solid in theory, but in practice things can be significantly more difficult. Keeping this in mind, you may be able to be proactive against some of the hurdles you may face. Having legal paperwork including your restraining or protection order may make it easier to get hefty fees or objections waived when you try to cancel accounts or withhold certain information.
And other well-meaning people may undo your efforts to keep your information private, if they are not aware of your situation. In a case in Sweden, a woman and her two children left their abuser, but the abuser posted a plea on Facebook and asked people to share his request to help him find his children, resulting in the protected identities of the mother and children being blown. As we often advise in security circles, no protection is 100% secure. But the more ways you manage to cover your risks, the more time and space you can gain to allow you to resurrect damaged defenses.
Additional Protection
There are additional steps you can take if you are looking for a more thorough change of identity, though be aware that these changes will not give you a completely clean slate, one that is unattached to your old identity. The National Network to End Domestic Violence website debunks some of the myths surrounding the process of changing your name and social security number.
You may also wish to try to remove as much of your presence from the Internet as possible. While it is not entirely feasible to completely remove your digital presence, you can certainly reduce it. This Gizmodo article lays out instructions for removing your presence from some of the more popular social networks.
Some final thoughts
The more real and physical the possible danger against which we are recommending protection, the more scary it is as a writer to provide a list that could potentially be (or in this case necessarily is) incomplete. This article barely scratches the surface of things to consider. Due to the huge volume of legal requirements and permutations, there are an almost infinite number of things you can (and potentially should) do to protect yourself from an abuser. Ideally this is something you should discuss with a lawyer or a social worker, so that you can thoroughly cover ways to keep yourself safe.
Here are some additional resources, should you wish for further information on the subject:
  • http://www.staysafeonline.org/data-privacy-day/privacy-and-domestic-violence/
  • http://www.surviving-domestic-violence.com/
  • http://epic.org/privacy/dv/
  • http://www.nnedv.org/internetsafety.html
  • http://www.mincava.umn.edu/categories/888

Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild

Webroot-" We’ve intercepted a currently trending malicious iframe campaign, affecting hundreds of legitimate Web sites, that’s interestingly part of the very same infrastructure from May, 2013′s analysis of the compromise of an Indian government Web site. The good news? Not only have we got you proactively covered, but also, the iframe domain is currently redirecting to a client-side exploit serving URL that’s offline. Let’s provide some actionable intelligence on the malicious activity that is known to have originated from the same iframe campaign in the past month, indicating that the cybercriminal(s) behind it are actively multi-tasking on multiple fronts.

iframe URL: karenbrowntx.com – 98.124.198.1
Client-side exploits serving redirector: hxxp://ww2.taylorgram.com/main.php?page=3081100e9fdaf127 – known to have responded to 31.171.133.163 and most recently to 184.168.221.20
The same URL is also known to have been dropping malicious software on the hosts of affected PCs on 2012-06-12, in particular MD5: 923324a0282dd92c383f8043cec96d2d
Known to have responded to the same IP (98.124.198.1) are also the following malicious domains:
00ridgeroad.com
0703fdsf.info
09woman.com
100chaparralbv.com
100chaparralbvmartensville.com
10269ruefrederick-olmsted.com
1066sunrisedrive.com
1069colquittavenue.com
110010thavregina.com
1127alexandria.com
1143gladstone.com
114rmerganser.com
1176andrade.com
1180englishtownrd.com
11910route28.com
120-waterstone.com
120riverbank.com
121stationstreet.com
1266mainst.com
1397goyeau4sale.com
We’re also aware of the following malicious MD5s that have used the same IP as C&C server during October, 2013:
MD5: b26c30b512471590cfd2481bceea1b86
MD5: 6e4d7c9e1d935b18340064cabe60ee59
MD5: d0a76dd2bb62c54791a90453884aaeb4
MD5: 5c4b38b7e7bba69eafca7508dea8a940
MD5: 5b057c5838794fe7314ead6cb8ab7a08
MD5: b17279f38e0c2ab76ed6ef929385bd6b
MD5: d5bd9375e2693f5d6f48653c5d98960c
MD5: d181371ce3456363c0ae9628e0366569
MD5: 1e5eca486655233da67081d495e599d2
MD5: dfe79429195841e8819e845535220ac7
MD5: ad48514853d7a07f61b21a7729f2256d
Known to have responded to the same IP (184.168.221.20) are also the following malicious domains:
100crowns.net
12inchskinz.com
17tidalshore.com
1800truckad.com
1pel.com
2000golfcart.com
2013snipefd.com
2174saturn.com
24498pescadero.com
2951central306.info
2getloan.net
30minutesaweek.us
365ing.com
3psillc.com
400kmmm.com
40hourmonth.com
4159alameda.info
4kpublisher.com
4kx2k.org
6005nkimball402.info
We’re also aware of the following malicious MD5s that have phoned back to the same IP:
MD5: 1776790a93de6cdb273c4d43e751ea60
MD5: f7a6f099db2e38ddfefd33700e413477
MD5: f4a56cc617de5a502c89ad616d90239c
MD5: f0ea6bacdc21c909ae253dc028ac3b81
MD5: ef35106c249da0b44b11e514b7279c0a
MD5: e8dad0602a29670397c4d12ee14c11d0
MD5: e6cfa22910624ed26e1269a88cfa21ea
MD5: e6b79746a444b1ad3d6c006f812c756e
MD5: e4fbe5f7471acdba51f8e78c66e62f06
MD5: e2995b8ce1ec3ac62c72dd5a6a76e992
MD5: dc292733ea7a3e22edd86091a1f25a90
MD5: d3b802d899fe7a6be78f90e1526590a4
MD5: d3c02d615e3996def378956b24363e51
MD5: d2f98464214fca25e0e2892192642171
MD5: d282ef4d97993dae7c131fe654ca5466

New vendor of ‘professional DDoS for hire service’ spotted in the wild

In a series of blog posts, we’ve highlighted the emergence of easy to use, publicly obtainable, cracked or leaked, DIY (Do It Yourself) DDoS (Distributed Denial of Service) attack tools. These services empower novice cybercriminals with easy to use tools, enabling them to monetize in the form of ‘vendor’ type propositions for DDoS for hire services. Not surprisingly, we continue to observe the growth of this emerging (international) market segment, with its participants continuing to professionalize, while pitching their services to virtually anyone who’s willing to pay for them. However, among the most common differences between the international underground marketplace and, for instance, the Russian/Easter European one, remain the OPSEC (Operational Security) applied — if any — by the market participants knowingly or unknowingly realizing its potential as key differentiation factor for their own market propositions.
Case in point, yet another newly launched DDoS for hire service, that despite the fact that it’s pitching itself as anonymity and privacy aware, is failing to differentiate its unique value proposition (UVP) in terms of OPSEC.
Sample screenshot of the landing page:
DDoS_For_Hire_Rent_On_Demand_Cybercrime_Market_Underground Let’s discuss the (business) interaction that most commonly takes place between a buyer and seller of such type of services. On the majority of occasions, thanks to the fact that the vendor seeks to efficiently supply what the market demands, basic OPSEC rules, ones sometimes visible in Russian/Eastern European providers, are ignored. For instance, the service we’re discussing in this post not only has its site publicly searchable, it also features a YouTube advertisement. Combined with the fact that it’s also soliciting customer inquiries through a GMail account — no public PGP key offered — results in a situation where a potential customer would think twice before contacting the vendor. Moreover, these (international) underground market propositions usually tend to acquire less technically sophisticated customers who’d often seek their assistance in taking down a gaming server, or not surprisingly, launch a Denial of Service attack against a “friend’s” Internet connection. In comparison, the Russian/Eastern European vendors would usually prefer to stay beneath the radar, and will vet potential customers based on multiple factors — that includes the actual target — before launching an attack on their behalf.
Not surprisingly, we’re also aware of several malicious MD5s that are known to have been downloaded from the same IP that’s known to have once responded to the service’s domain:
MD5: a7298ee33c26c21f4f179e4c949c817e
MD5: a315bbe9a50271832112cc3172a9ecbc
MD5: 571950ec60be81e033f8b516c7230dfe
We expect to continue observing an increase in such types of ‘DDoS for hire’ propositions, largely thanks to the ease of obtaining the necessary tools required to convert a botnet into a vendor-oriented type of underground market service, and will continue to monitor this market segment.

Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity

In a professional cybercrime ecosystem, largely resembling that of a legitimate economy, market participants constantly strive to optimize their campaigns, achieve stolen assets liquidity, and most importantly, aim to reach a degree of efficiency that would help them gain market share. Thus, help them secure multiple revenue streams. Despite the increased transparency on the Russian/Easter European underground market — largely thanks to improved social networking courtesy of the reputation-aware cybercriminals wanting to establish themselves as serious vendors — certain newly joining vendors continue being a victim of their market-irrelevant ‘biased exclusiveness’ in terms of the unique value propositon (UVP) presented to the community members. Moreover, in combination with the over-supply of DIY malware/botnet generating tools, next to the release of leaked/cracked source code, positions them in a situation where they can no longer command the high prices for their products/service, like they once did. That’s mainly because the competition is so fierce, that it inevitably results in the commodinitization of these underground market items.
What happens when this commoditization takes place? What are cybercriminals doing with the leaked/cracked source code for sophisticated malware/botnet generating tools? Why would a cybercriminal purposely offer the source code of his malware ‘release’ for sale, especially given that he can continue enjoying its proprietary nature, meaning, a supposedly lower detection rate? Let’s discuss these scenarios through the prism of a recently offered source code of a proprietary spam bot written in Delphi. The bot relies primarily on compromised/automatically registered email accounts as the primary propagation vector for upcoming (malicious) spam campaigns.

Sample screenshots of the administration panel of the spam bot, relying on compromised Web shells as C&Cs:
Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code_03 Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code_02


Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code_04 Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code_05 According to the seller of this spam bot, the actual binary is around 56kb in size, and the C&C is PHP/MySQL based. The seller also offers his personal advice, which is to consider relying on compromised Web shells for accessing the command and control infrastructure. The price? $300. A logical question emerges – why would a cybercriminal who’s apparently already making money from his custom coded spam bot, be selling its source code, rather than continuing to operate beneath the radar? Three possibilities – noise generation,  exit strategy, or underground multitasking in action since the seller didn’t mention that he’s selling one copy of the source code, exclusively, to the first potential buyer. Noise generation can be best described as a strategy used by cybercriminals to draw attention away from an initial malicious ‘release’. The idea is to avoid the attention of the security industry/law enforcement, who’d now have to pay attention to copycats that would emerge through tweaking and modifying the original source code. Although not necessarily feasible in a greed dominated cybercrime ecosystem, an exit strategy may result in the seller offering unlimited access to the source code to multiple parties, in an attempt to exit the market segment, while still securing a revenue stream for himself. The multitasking scenario is a variation of the noise generation strategy, where the seller of the source code will continue improving and using it, in between selling access to others so that they can do the same.
Consider going through the following research/posts on the topic of source code and malicious software:
The bottom line? We expect that the Russian/Eastern European underground marketplace would continue to dynamically evolve in terms of Quality Assurance, localization, cybercrime-as-a-service type of managed propositions, and overall, stick the well proven efficiency-oriented mentality that’s driving everyone’s business models.

GCHQ, MI6 and MI5 chiefs say secret PRISM snooping powers must remain to beat terrorism

Houses of Parliament
The heads of the UK's three security agencies have lashed out at the government and media over the recent snooping scandal, claiming that their operations must remain secret in order to be effective against criminals and terrorists.
During a briefing with the Parliamentary Intelligence and Security Committee(ISC), the heads of GCHQ, the Security Service (MI5) and Secret Intelligence Service (MI6) defended their internet surveillance activities, despite the ongoing criticism.
GCHQ director Sir Iain Lobban argued during questioning that UK intelligence agencies have consistently acted within the law when mounting cyber operations. "A government's first duty is to protect its people. Doing this means some protective measures have to be secret, but that doesn't mean they're unaccountable," he stated.
"I believe certain methods should remain secret. Secret doesn't mean sinister. It feels strange to say we have nothing to hide as we work in secrecy, but we have people above us, we have our masters. We are subject to the law and I'm sure that's true of my sister agencies as well. There are very good safeguards in place."
MI5 director general Andrew Parker added that any ill will by the general public should fall on the government's shoulders. as the decision to allow or disallow operations similar to PRISM rests with politicians.
"Openness is something we've been on the road towards for some time and these are issues for ministers to lead on," he said.
"The constant and real issue for us is ensuring the work we do is lawful and that our staff can be assured what they're doing is lawful. The arrangements there are parliamentary. It may be more helpful to bring that to light, to make clear all these arrangements rely on the parliament and the public."
MI6 chief Sir John Sawers, mirrored Parker's sentiment saying, "The law is for you, the parliamentarians."
The intelligence chief's comments follow a ruling by the the committee that GCHQ's use of the US's National Security Agency (NSA) PRISM data was not illegal.
Despite the ruling, many privacy groups have expressed ongoing concerns about how UK intelligence agencies collect data. The concerns led the ISC to expand the scope of its investigation into whether new privacy legislation is required in the wake of the PRISM scandal.
Lobban moved to further allay these concerns, promising that GCHQ agents only analyse data on potential terrorists or criminals.
"We do not spend our time listening to calls or reading emails from the majority of UK citizens, it would not be legal, we do not do it. It would be wonderful if terrorists used one form of communication and everyone else used another, but they don't and we have to do detective work," he said
"If you would let me use an analogy about how we operate. Think that we're in an enormous hay field trying to find needles. We're collecting hay from areas we can get access to that might have the needles we're looking for. When we get that haystack full of potential needles we're aware there will be plenty of hay that is from innocent people – we draw that information to get the needles, we don't touch the rest of the hay."
MI5's Parker argued that, although they would follow any new laws about how they collect data, increased transparency could further damage their ability to protect the country.
"The reason things are secret isn't because we are embarrassed or scared to put them to the public, it's because we have to. If we make them public we can lose operational advantage. There will always be secrets. That's why the oversight mechanics are in secret," he said.
Lobban said the documents leaked by whistleblower Edward Snowden to the media have already hampered the agencies' ability to combat hostile groups.
"We have seen chat about specific terrorist groups discussing how to avoid what they now see as vulnerable communication methods. I am not happy compounding the damage by giving specific details in public," he said.
Sawers supported Lobban's claim. He said: "The leaks from Snowden have been very damaging. Our adversaries are rubbing their hands with glee. The alerting of targets and adversaries makes it more difficult to acquire the information they – our officers – need to defend this country."
Lobban said this development is troubling, as the cyber threat facing UK industry is growing.
"We're seeing attacks against the businesses that keep Britain going, things like communications, transport, healthcare and energy. We're seeing theft of intellectual property from over 20 industrial sectors," he claimed.
The comments mirror those of many security professionals. Ex-Navy Seal and Silent Circle chief executive Mike Janke told V3 that intelligence agencies will always go as far as the law lets them and it is up to governments to set limits on their powers.

Microsoft protects Windows Azure users against PRISM with self-managed encryption key capability

Cloud computing
Microsoft is helping business to better protect their data held on its Windows Azure cloud computing service by enabling them to manage their own encryption keys. The move is part of a collaboration with security firm Thales.
The deal will see Thales deploy its nShield hardware security modules (HSMs) inside Microsoft's Azure data centres. The technology will be used to improve security for Microsoft Rights Management service (Windows Azure RMS).
With the Thales HSMs, business users of Windows Azure will be able to independently generate and manage the encryption keys used to protect information flowing on, or stored in the cloud. This technique, dubbed bring your own key (BYOK), means that if a government agency wanted to view it, they would have to go directly to the customer.
The move follows concerns about US cloud providers' involvement in the National Security Agency's (NSA) PRISM campaign. The campaign was revealed earlier this year when ex-CIA analyst Edward Snowden leaked documents to the press, proving that the NSA was covertly gathering vast amounts of data from companies such as Microsoft, Google, Apple, Facebook and Yahoo.
The revelation led to concerns about the security of US-based cloud services. The Information Technology and Innovation Foundation (ITIF) estimates that PRISM will cost the US cloud computing industry $22-$35bn in lost revenue over the next three years.
Microsoft partner group program manager Dan Plastina said he expects the BYOK offering to help in the firm's ongoing battle to assure customers that their data is safe on Azure.
"The Microsoft Rights Management service helps customers safeguard their data, both inside and outside of the organisation," he said.
"As a result of our collaboration with Thales, our customers can generate and upload their own master keys to a cloud-based HSM and keep complete control over their keys, giving them confidence that their data is protected."
Microsoft is not the only cloud service provider to offer customers the ability to manage their own encryption keys. Amazon already offers a similar capability with the AWS CloudHSM feature for customers of its Virtual Private Cloud service.

Microsoft Office, Windows Server and Lync exploits linked to Operation Hangover hackers

Security padlock image
Security experts have linked recent targeted attacks hitting Microsoft's Office, Lync and Windows Server services to two groups of hackers.
FireEye researchers have linked the attacks to the group behind the notorious Operation Hangover attacks and a new criminal cyber-cartel codenamed Arx.
"A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Our analysis has revealed a connection between these attacks and those previously documented in Operation Hangover," FireEye disclosed in a post on its blog.
"However, we have found that another group also has access to this exploit and is using it to deliver the Citadel Trojan malware. This group, which we call the Arx group, may have had access to the exploit before the Hangover group did."
The attacks were revealed by Microsoft's Trustworthy Computing (TwC) division on Wednesday. Microsoft has since released a temporary fix for the vulnerabilities while it works on a more permanent solution.
The FireEye researchers said the two groups had very different motives and goals when targeting the exploits. The use of the exploits by the Hangover hackers is believed to be a simple extension of the group's previous information-stealing activities.
"Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan," FireEye said.
"It appears that when the target systems successfully checked in to the CnC server, the server could push down an executable file to be executed on the targeted system. The result of that action was recorded in Result.txt.
"We obtained a number of these second-stage executables listed in the Result.txt output from a Hangover-linked CnC server. These executables included a variety of tools including a reverse-shell backdoor, a keylogger, a screenshot grabber and a document exfiltration tool."
Operation Hangover was uncovered in May, when security researchers spotted a number of data-stealing attacks targeting the Apple Mac OS X operating system. The campaign targeted numerous big-name companies including Norwegian telecommunications provider Telenor.
The Arx Group by contrast was listed as having more basic criminal goals. "Malware linked to the Arx group is usually sent out in [fake] ‘Swift Payment' emails. These emails are common in spam campaigns and typically drop banking Trojans and other crimeware," read the FireEye post.
FireEye's findings have been supported by other security providers. Competitor Symantec reported uncovering similar evidence linking the attacks to the Hangover group in a blog post. "After analysing the payloads being used in this attack, we have identified that the targeted emails are part of an attack campaign known as Operation Hangover," read the post.
Targeted attacks have been a growing problem facing the security community, which has led many government agencies and security providers to call for increased attack data-sharing between businesses.
Symantec pledged to create a new centralised information-sharing big data hub to help customers spot and pre-empt custom-built malware used in targeted attacks at the RSA Conference held in Amsterdam in October.

Mobile devices and cyber espionage, principal concerns for governments

The use of mobile devices in government environments concerns the secret service of any states, cyber espionage more often exploits the mobile platforms.

Mobile devices are reason of great concern for governments, they have a great computational capability, huge memories to store our personal data, GPS to follow our movements and are equipped with a camera and microphone to increase our experience in mobility. But all those features could be exploited by attackers for cyber espionage, the problem is well known to governments that are adopting necessary countermeasures especially following the recent revelations about the U.S. surveillance program.
The UK Government has decided to ban iPads from the Cabinet over foreign eavesdropper fears,  it has been requested Ministers to leave mobile in lead-lined boxes to avoid foreign governments to spy on top level government meetings.
The news is reported by the Mail on Sunday, after the Cabinet Office minister Francis Maude made a presentation using his iPads last week (about how the Government Digital Service might save the UK £2bn a year) the Downing Street security staff has dismissed the mobile device to prevent eavesdropping of ongoing discussions.
mobile devices government spy
The measure was adopted to avoid that foreign security services infecting mobile devices are able to capture audio and data from victims, it is known that hostile actors like China, Russia and Iran have the ability to use mobiles in powerful spy tools.
Ministers belonging to sensitive government departments were recently issued with soundproof lead-lined boxes to guard and isolate their mobile devices during official meetings.
The precautions have been taken due the high concern caused by news that German Chancellor Angela Merkel’s personal mobile has been spied by the NSA for years. My personal opinion it that it is not acceptable that the German Federal Intelligence Service has allowed everything, missing the adoption of appropriate protective measures like crypto mobile devices, protected landline and similar. Other governments already have approached the problem to adopt secure devices to prevent bugging and eavesdropping, the British foreign secretary William Hague confirmed his phone has been armored by GCHQ.
Just a week ago it was published the news that delegates at the G20 summit in Russia received malicious computer memory sticks used to serve a malware to spy on the participants and steal sensitive information, let’s remember also that the information leaked on the NSA FoxAcid platform revealed the existence of spy tool kits RADON and DEWSPEEPER able to exploit victims via USB.

Herman Van Rompuy, the President of the European Council, ordered tests to be carried out on the memory sticks  and the results are shocking:
‘The USB pen drives and the recharging cables were able to covertly capture computer and mobile phone data,’ a secret memo said.
Overseas, the situation does not change, even the US fear that the use of the mobile devices can cause them problems,  The Department of Homeland Security and FBI warn public safety departments that their out-of-date Android devices are a security risk, but updating them is not always easy or simple.
The alert cited unspecified “industry reporting” that, “44 percent of Android users are still using versions 2.3.3 through 2.3.7 (Gingerbread)  which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions.”
Google’s own figures on its site for Android developers estimate that percentage at about a third less — 30.7 percent. But it also showed 21.7 percent using versions 4.0.3-4.0.4, called Ice Cream Sandwich, which is also out of date. Less than half – 45.1 percent – are using the latest OS, called Jelly Bean, and of that group, 36.6 percent are using 4.1, and only 8.5 percent are using 4.2, which is the latest OS.
The DHS/FBI document address principal cyber threats to out-of-date Android mobile devices, including SMS Trojans, Rootkits and fake Google Play Domains.
Despite the alert recommends regular updates, running an “Android security suite” and downloading apps only from the official Google Play Store, the update for Android devices can reveal several problems.
“There is a wide variety of Android OEM versions rolled out to a huge number of different handsets, and not all carriers and handset OEMs will allow you to upgrade to the latest version,” “So, the Android versions that can run are restricted per device. Even now it is possible to buy Gingerbread devices that cannot be upgraded to Jelly Bean.” said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.
De Boer suggested that the only solution for now is to block the use of Android devices that are not running the latest OS.
“Apply admission control,”"If your Smartphones or tablet is running a vulnerable OS, you cannot get access to the specific service or data.” ”this is hard to accomplish for voice and text, and easier for email and access to files.”
The principal problem related to the use of mobile devices in government environment is that almost every Smartphone is not designed following severe requirements in term of corporate or government security, let’s add that wrong user’s habits aggravate the situation.
It needs a change or mobile devices should be excluded from sensitive contexts.

Belgium opens probe into hacking of Prime Minister Elio Di Rupo's office

Belgian authorities have opened an investigation into two possible hacking incidents at the office of Prime Minister Elio Di Rupo.
The federal prosecutor's office said Wednesday it was too early to tell whether the incidents were aimed at simply sabotaging the premier's computer system or whether they could also be linked to spying.
Wenke Roggen of the prosecution's office said the complaints from the prime minister's office had come in last month.
Recently, some European countries have complained about secret surveillance of their top officials and citizens in the wake of revelations about a far-reaching spying program by the U.S. National Security Agency.
Last week, Finland, another European Union nation, said its computer networks have been widely hacked but said no highly sensitive information was lost.

Google Bot activity abused doing SQL Injection Attacks

Security experts at Securi firm have recently detected a series of SQL Injection attacks conducted abusing of the Google Bot activity.

The exploitation of search engines like Google and Bing to conduct an attack represents an optimal choice for hackers that intend to stay hidden during the offensive. No IT administrator would block traffic from the popular search engines, but it must be considered that a legitimate search engine bot could also be abused to attack a targeted site.
google bot crawling
It’s not a paranoid hypotesys on a possible attack scenario, it is exactly what happened a few days ago to a website of a client of Securi security firm. Securi experts began blocking Google’s IP addresses because of the requests originated from them were crafted to perform a SQLi attacks.
The situation appeared paradoxical, Google was conducting a SQL Injection attack against a website, following the logs that demonstrates what happened. To protect the victim’s identity the log has been modified.
66.249.66.138 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable=")%20declare%20@q%
20varchar(8000(%20select%20@q%20=%200x527%20exec(@q)%20-- HTTP/1.1" 403 4439 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
The analysis of origin IPs revealed that the source if the attack was the legitimate Google bot, following the report on one of them:
$ host 66.249.66.138
138.66.249.66.in-addr.arpa domain name pointer crawl-66-249-66-138.googlebot.com.

NetRange:       66.249.64.0 - 66.249.95.255
CIDR:           66.249.64.0/19
OriginAS:       
NetName:        GOOGLE
Which is the attacks schema?
It’s well known the use of Google bot to crawl the Internet and to index the content of the visited websites, every single link embedded in the website is inspected by the crawler independently of its forms and target.
In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then following links and executes the malicious requests against the Site B starting to inadvertently attack it.
Under these assumptions an hacker could create malicious links on a vulnerable website waiting that Google Bot crawler will inspect them to run malicious strings against another website. The principal advantage of the technique is to conduct an attack totally in a stealthy way, Google Bot will be apparently the unique responsible!
“John goes to his site, Site A, he adds all this awesome content about kittens and cupcakes, but in the process he adds a number of what appear to be benign links that are unsuspecting to the user reading, but very effective to the bot crawling the site. Those links are riddled with RFI and SQLi attacks that allow John to plead ignorance, also allowing him to stay two arms lengths away from Site B. This doesn’t mean he can’t verify success, it just means he doesn’t open himself to early detection by more active scanning and attacks.” the post states.
The security experts at Securi have already advised Google about the possible abuse of its Bot activity, site admin are advised, before to trust any source it is necessary a further level of inspection.

GreatestArcadeHits serves ZEUS ZBOT banking trojan

Intelligence Ian Malloy has discovered an hidden variant of the popular Zeus banking trojan in the GreatestArcadeHits servers.

GreatestArcadeHits.* serves up more than entertainment, in fact they don’t serve up entertainment at all.  Hidden in the application is the infamous ZEUS/ZBOT, a banking trojan that has the capacity to spoof online banking sites to steal credentials in order to drain the victim’s finances.  This comes in the form of a purported Chrome (c) update.
 GreatestArcadeHits server host malware Zeus

 As can be seen from the URL, I was attempting to access my student portal for school when I was redirected automatically.  Now we’ll take a deeper look at the HTML underlying ‘Superfish.’
 GreatestArcadeHits server host malware Zeus 2

luckyleap‘ serves the popup while Superfish handles the redirect.
 GreatestArcadeHits server host malware Zeus 3

Here GreatArcadeHits is found installed without permission, likely from being injected into trusted software.  The initial software download that installed GreatestArcadeHits was from download.cnet.com, a trusted site.
It is unclear who is behind this specific resurgence of the Superfish Zeus/Zbot although Malloy Labs has its suspicions.
“We believe at Malloy Labs that the suspects involved are using legacy code for a reason, they themselves lack the proper tools to develop this type of software so they do what most cyber criminals do and mix and match code with a little HTML injection thrown in to display the infector site.  My only hope is that this is not the same group behind the Zeus/Zbot on Facebook which Eric Feinberg, Frank Angiolelli and myself had found, because the block list would only grow exponentially.   #MalwareMustDie!” said Ian Malloy.
Ian Malloy Intelligence Analyst and member of US-CERT and CSFI-CWD.  CEO of Malloy Labs, studying CYOPS at Utica College.

An Android Trojan Swindles Banking Credentials

Android malware now has a well-established track record of monetary theft, which is typically accomplished by sending text messages to premium rate numbers. At the end of summer we wrote about a new Trojan, which was able to steal from a debit/credit card if the card was bound to a phone number. Cybercriminals never stop inventing new ways to steal money or find the means to access money from unsuspecting victims. A new variation of the aforementioned Svpeng Trojan uses several tricks to phish for credit card numbers and online banking credentials.
trojan
It is worth mentioning that the specific sample we discovered targets Russian users, however, Russia often serves as a testing ground for cybercriminals. Well-proven schemes usually go overseas quite quickly. For now, the malware appears to be interested in U.S., German, Belarusian and Ukrainian victims. Currently the Trojan is configured to mimic popular Russian banks. Upon the launch of the mobile banking app, the Trojan replaces the open window with its own to swindle out the password.
Screen Shot 2013-11-07 at 2.15.15 PM
Another implemented attack is more versatile as it targets Google Play users. When victim launch the Android online market app, the Trojan overlaps Google’s windows with its own and proposes that users add a credit card to the account.
Screen Shot 2013-11-07 at 2.15.27 PM
During three months of the Trojan’s existence, Kaspersky Lab has discovered over 50 modifications of this malware, which means that criminals recognize its high “commercial value”. No doubt, we will see new versions of the Trojan that will able to steal from clients of various banks in multiple countries very soon. The current version spread itself using SMS spam, but other variations might utilize another infection tactic.
To avoid infection, follow the Android user golden rules:
  • Switch off “Allow installation from unknown sources” in security settings
  • Use Google Play, do not use untrusted third-party app stores
  • Before installing a new app, check every permission requested by this app and consider if those permissions are reasonable for that type of app
  • Check app ratings and download counts, avoid applications with low ratings and a small number of downloads