Hackers are now using mobile apps to launch distributed denial
of service (DDoS) attacks against enterprise clients, according to a new
report from Prolexic Technologies Inc., a security solutions provider focused on protecting against DDoS attacks.
In the fourth quarter of 2013, a team of security engineers at
Prolexic uncovered a case where hackers were targeting a major, unnamed
financial services firm located in Asia using AnDOSid, an Android
operating system app.
[Image: AnDOSid app for Android. (Image: Prolexic)]
The app launched an HTTP POST flood attack, in which the volume of HTTP
requests grows so large that the victim’s server cannot respond to
them all. Once the server is consuming too much of its system
resources trying to keep up, it crashes.
While Prolexic’s report highlighted this specific case, it also noted
this won’t be the last we’ll see of mobile app-enabled DDoS attacks.
It’s simple enough to download an app that will perform a DDoS attack
from an online app store, and any aspiring hacker would be able to use
it, without having any experience in mounting cyber attacks, researchers
wrote.
In the attack on the financial services firm, the attackers used at
least 12 unique attacks, one of which had a hacktivist message to
recruit others to help them. That means many of the people involved were
volunteers who purposely connected to the command and control server
and joined the botnet. The hackers were then able to control their
devices remotely and kickstart the attack.
[Image: Hacktivist message appearing in a DDoS campaign. (Image: Prolexic)]
“The prevalence of mobile devices and the widespread availability of
downloadable apps that can be used for DDoS is a game changer,” said
Prolexic president Stuart Scholly in a statement.
“Malicious actors now carry a powerful attack tool in the palm of
their hands, which requires minimal skill to use. Because it is so easy
for mobile device users to opt-in to DDoS attack campaigns, we expect to
see a considerable increase in the use of these attack tools in 2014.”
Part of the reason it’s easier to launch an attack from a mobile
device is that the apps involved, like AnDOSid, have an
easy-to-use interface. While AnDOSid was originally designed for
security professionals to test their own sites for vulnerabilities, the
attackers leveraged it for this particular attack campaign against the
financial services firm because it provides simple instructions like
“Go” and “Stop” – perfect for directing volunteers.
[Image: Low Orbit Ion Cannon, an Android app. (Image: Prolexic)]
And AnDOSid isn’t the only tool. Prolexic researchers also found a
new app called Low Orbit Ion Cannon, also used to participate in the
same attack campaign on the financial services firm. The app was
available in the Google Play store in December 2013.
“Mobile devices add another layer of complexity. Because mobile
networks use super proxies, you cannot simply use a hardware appliance
to block source IP addresses as it will also block legitimate traffic,”
Scholly said.
“Effective DDoS mitigation requires an additional level of
fingerprinting and human expertise so specific blocking signatures can
be developed on-the-fly and applied in real-time.”
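An added example (not from the Prolexic report or the article) of the fingerprinting idea Scholly describes: it counts HTTP POST requests per (method, path, User-Agent) signature instead of per source address, over constructed access-log lines, and shows how many legitimate requests a per-IP block of the same proxy address would also drop. The log format, IP addresses and User-Agent strings are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed User-Agent strings for the sample log; a Dalvik UA is what a
# stock Android HTTP client sends, a real flood tool may send anything.
FLOOD_UA = "Dalvik/1.6.0 (Linux; U; Android 4.1.2; GT-I9100 Build/JZO54K)"
LEGIT_UA = "Mozilla/5.0 (Linux; Android 4.3; Nexus 4) AppleWebKit/537.36"


def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def fingerprint(rec):
    """Request fingerprint: method, path and User-Agent. The source IP is left
    out on purpose: behind a carrier "super proxy" one address carries both
    the attacking handsets and thousands of legitimate customers."""
    return (rec["method"], rec["path"], rec["ua"])


def detect_post_flood(lines, window_s=10, threshold=50):
    """Return {fingerprint: peak_count} for POST fingerprints that reach
    `threshold` requests inside any `window_s`-second window."""
    recs = [r for r in map(parse, lines) if r]
    if not recs:
        return {}
    t0 = min(r["ts"] for r in recs)
    counts = Counter()
    for r in recs:
        if r["method"] != "POST":
            continue
        bucket = int((r["ts"] - t0).total_seconds()) // window_s
        counts[(bucket, fingerprint(r))] += 1
    flagged = {}
    for (_, fp), n in counts.items():
        if n >= threshold:
            flagged[fp] = max(n, flagged.get(fp, 0))
    return flagged


def ip_block_collateral(lines, flagged):
    """Count legitimate requests (fingerprint not flagged) that a naive
    per-source-IP block of the flooding addresses would also drop."""
    recs = [r for r in map(parse, lines) if r]
    blocked_ips = {r["ip"] for r in recs if fingerprint(r) in flagged}
    return sum(1 for r in recs
               if r["ip"] in blocked_ips and fingerprint(r) not in flagged)


def make_sample_log():
    """Constructed sample: 60 POSTs to /login.php within 10 seconds from one
    proxy address, plus 5 ordinary page views from the same address and one
    from another address."""
    fmt = '%s - - [12/Jan/2014:10:00:%02d +0000] "%s %s HTTP/1.1" 200 512 "-" "%s"'
    lines = [fmt % ("203.0.113.10", i % 10, "POST", "/login.php", FLOOD_UA)
             for i in range(60)]
    lines += [fmt % ("203.0.113.10", i, "GET", "/index.html", LEGIT_UA)
              for i in range(5)]
    lines.append(fmt % ("198.51.100.7", 3, "GET", "/index.html", LEGIT_UA))
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    flagged = detect_post_flood(log)
    for fp, n in flagged.items():
        print("flood signature:", fp, "peak", n, "requests per window")
    print("legitimate requests an IP block would also drop:",
          ip_block_collateral(log, flagged))
```

The flagged tuple is the "blocking signature" a mitigation layer would act on; the collateral count is what a per-IP block would have cost.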
Beyond adding mobile apps to hackers’ arsenal, Prolexic
researchers also noted that between 2012 and 2013 they saw more
sophisticated attacks reaching a greater number of targets. About a
fifth of these attacks came from the U.S., the biggest source of DDoS
attacks, followed by China, Thailand, the U.K., and South Korea.
Seeing an attack campaign staged by multiple mobile device owners
running at least 12 attacks is something we should expect to see more
often, Prolexic’s team said in their report, writing that this particular
case was a “prime example of DDoS attacks today.”
“No longer are they simple attacks, but instead they take a scatter
shot approach, seeking to find any weakness with which to take down a
website in a number of ways,” the report said.
Researchers noted they expect China to eclipse the U.S. as a source
of DDoS attacks in the coming years, as it has a large Internet
population and a foreign policy that encourages government employees to
use the Internet to their country’s advantage.
According to F-Secure, a Trojanized version of Minecraft - Pocket Edition
(or Minecraft PE) is making the rounds on third-party app marketplaces.
Though it costs half as much as the genuine article, it has a few
"enhancements" that players won't like.
Worse Than Creepers
F-Secure told SecurityWatch
that the phony Minecraft PE is currently available on several Russian
app stores. This isn't surprising, as not all third-party stores vet
their apps as thoroughly as Google, making some of them havens for malicious applications.
Careful readers will probably remember that cloned versions of
popular apps are nothing new; in fact, it's a common tactic to trick
victims into downloading and installing malicious applications. These
fake apps are generally free, to further entice victims, but this ersatz
Minecraft PE bucks the trend by charging 2.50 Euros for the app—the
real app costs 5.49 Euros.
Charging victims earns the scammers some cash right off the bat, but
that's not all this app does. "The real game is included but it has one
added permission: android.permission.SEND_SMS and the payment system has
been 'enhanced,'" said F-Secure. This critical change means that the
app can use victims' phones to send text messages.
According to F-Secure, the SMS messages generated by the app are sent
to so-called "premium rate numbers" in Russia. These might be signing up
victims for pricey subscriptions to services they don't want. The
messages might also be adding money to their phone bill—like those
fundraiser shortcodes used by NPR and the Red Cross, but in this case
used for evil. Interestingly, whoever made the fake app might not own
the numbers the messages are being sent to, but may get a cut from whoever does.
Sneakier Than Endermen
Mojang, the creators of
Minecraft, are no fools and F-Secure writes that they included some
security measures in their code to prevent this kind of thing from
happening. Unfortunately, the creator of this Trojanized app is clever.
"The original Minecraft includes a check inside the dex code that
verifies the signature that has been used to sign the APK. If it's not
[Mojang's], the code refuses to run," said F-Secure. The phony Minecraft
PE includes a special tool to specifically trick this failsafe, thus
allowing it to work.
Guard Your Fortress
In Minecraft, if you leave a
hole in your outer defenses, dangerous monsters will find their way into
your home. Likewise, turning off the default restriction on installing
third-party applications on your Android device can allow malware into
your phone.
And searching for free or cracked versions of popular apps is like
asking monsters to come into your home. It's always better to pay the
developers and get the real, secure version of any Android app.
Especially in the case of Minecraft, which is worth every penny. As is
usually the case, it pays to pay.
With recent data breaches at Target, Neiman Marcus
and other popular merchants, using a credit card for shopping is
beginning to seem like a Bad Idea. Near Field Communication (NFC)
payment systems like Google Wallet
were supposed to make credit cards obsolete, but iOS devices don't
support NFC. Even in the Android realm, Google Wallet only works with
specific phones. So what can we do?
Enter the Usher Identity Platform
from MicroStrategy. This all-software solution promises to overcome the
inherent weaknesses of card-based authorization by changing the
front-end payment process. Usher is linked to the user's phone and
authenticated biometrically. According to the press materials, your
credit card number is "dematerialized" and replaced by your mobile
identity.
It's all very forward-looking, but can a system like this really
work? I certainly had my doubts, so I took an opportunity to interrogate
Steve Bruggers, MicroStrategy's VP of Financial Services.
How Would It Work?
Rubenking: Here's a very basic question. How do I use Usher to pay for, say, a meal if the restaurant has not installed Usher support?
Bruggers: Just like you cannot use payment, debit or ATM
cards at an establishment that is not connected to the appropriate
payment or funds transfer network, you would not be able to use Usher at
an establishment that does have a connection to Usher. However, it
should be noted that an Usher-based payment solution is a software
solution and therefore will not require new hardware readers at the
retail establishment, as do EMV smart card solutions.
Rubenking: Typically in that restaurant setting I would hand
my card to the server (yes, the server could copy my number at that
point). I certainly would not hand my smartphone to anybody, so what is the flow? How do I pay for lunch with Usher?
Bruggers: There are several possible flows for using Usher
to pay at a restaurant. One flow would be for the restaurant to have a
register that can print a QR code on the customer bill. The customer
would pay by scanning the QR code with the Usher client on the
smartphone. Another flow would be for the server to have a mobile
device, integrated with the POS register, that they would bring to the
table and the customer would scan a QR code on the mobile device with
his phone.
Rubenking: At the grocery I can pull out my wallet, grab and
swipe my credit card in one motion, and put back my wallet faster than
an old-West gunslinger can draw. How can Usher possibly be as fast and
easy as that?
Bruggers: Paying with your phone can be just as fast, and
sometimes faster, than paying with plastic. Paying with plastic often
requires handing your card to the clerk, who then checks the signature,
swipes the card, and then hands it back to the cardholder. Holding the
phone up to be scanned can be a quicker, more seamless process. Paying
with a mobile device is a natural next step in the continuing process of
mobilizing everything we do. Starbucks, for example, is now doing four
million transactions a week with their mobile payment app.
How Does It Start?
Rubenking: Your
website lists many, many use cases for Usher, but none of them matter in
the end unless you can get a huge number of people using it. How do you
imagine getting past the initial hurdle, where nobody will use it
because it doesn't really work until a huge number of people already use it?
Bruggers: The most obvious deployment path for Usher would
be as a private-label digital payment card offered directly by the
merchant, either as a direct debit or a stored value solution. This is
what Starbucks has done with its mobile app and they have seen very
large scale and positive adoption by customers. Obviously Starbucks
continues to accept plastic credit/debit and cash, as would a retailer
using Usher as their private-label payment card.
Consumers will adopt Usher if it gives them a greater sense of trust,
is more convenient, delivers a better shopping experience and saves
them money (either in offers from the merchant or discounts for using
Usher to pay.) That's what the Starbucks experience has proven.
Businesses will adopt Usher if it makes the payment more secure,
reduces costs (both losses from fraud and operating expenses) and grows
revenue by offering a better and safer shopping experience.
Rubenking: My father simply won't use a smartphone. If restaurants and stores switch over to Usher, will they lose his business?
Bruggers: No, Usher works alongside other payment processes.
Just like there are multiple payment options now (credit, debit, cash,
check, etc.) Usher would be another alternative.
Biometric Possibilities
Rubenking: On
the website I see the word "biometric" over and over, but I haven't yet
uncovered exactly what sort of biometric authentication is intended. I'm
assuming face or voice, or both, since fingerprint authentication has
never passed the "easy" test. Just what sort of biometric authentication
is planned?
Bruggers: Potentially any biometrics that can be captured by
a mobile device could be used to authenticate identity with Usher.
Usher integrates products from biometric vendors. The two primary
biometrics MicroStrategy has been working with are voice and face
recognition. As biometric methods improve and new modalities become
available they all become potential candidates to integrate with Usher.
Will It Fly?
I think Bruggers hit the nail on
the head with his comment that getting started will require one or more
major merchants to buy into the system, using it as a private-label
digital payment system. For customers, it will be just one more app, no
big deal to install and use.
I do note that this may not quite be the software-only solution that
was promised. Bruggers mentioned "a register that can print a QR code on
the customer bill" and "a mobile device, integrated with the POS
register." Quite likely either of those would require an investment in
new equipment for restaurant use. Payment at the cash register, as in a
retail store, will probably be a better starting point.
In any case, this is definitely a good time to promote a payment
system that replaces the insecure credit card system. I don't even shop
at Target (or Neiman Marcus, for that matter), yet my bank had to issue a
new card last week. Short of shopping with cash only, a smartphone
solution sounds pretty good.
It's a trifecta of software patches, with Microsoft, Adobe, and Oracle all releasing security updates on the same day.
As expected, Microsoft started off 2014 with a fairly light Patch Tuesday release,
fixing six not-so-critical vulnerabilities across four security
bulletins. On the same day, Adobe issued two critical updates fixing
three critical remote code execution flaws in Adobe Reader, Acrobat, and Flash. A scheduling quirk meant Oracle's quarterly Critical Patch Update
also fell on the same Tuesday, resulting in a huge volume of patches
for IT administrators to deal with. Oracle fixed 144 vulnerabilities
across 40 products, including Java, MySQL, VirtualBox, and its flagship
Oracle database.
"While Microsoft is only releasing four updates, there is plenty of
work for IT administrators due to releases by Adobe and Oracle," said
Wolfgang Kandek, CTO of Qualys.
The Java patches from Oracle should be highest priority, followed by
the Adobe Reader and Flash advisories, and then the Microsoft Word and
XP updates, experts said.
Oracle Takes on Java
Even taking into account
that Oracle patches quarterly and is fixing more products, this CPU is
still a record-breaker in the number of issues fixed. Of the 144
security flaws, 82 could be considered critical as they may be exploited
remotely without authentication.
The majority of the vulnerabilities addressed in Oracle's gargantuan
CPU were in Java v7. Oracle fixed 34 remote execution flaws, with
several scoring 10 on the Common Vulnerability Scoring System scale.
CVSS indicates the seriousness of the flaw and the likelihood of the
attacker gaining total control of the system.
Java was one of the most attacked pieces of software in 2013 and experts
warned it will continue to be a popular target. If you don't use it,
uninstall it. If you need to have Java installed, at least disable it in
the Web browser, since all the attacks thus far have attacked the
browser. If you do access Web applications that require Java, keep it on
a different Web browser than your default one and switch when
necessary. If you don't need it, don't keep it. If you do keep it, patch
immediately.
Oracle also fixed five security flaws in its own Oracle database, one
of which can be exploited remotely, and 18 vulnerabilities in MySQL.
Three of those bugs could be attacked remotely and had the maximum CVSS
score of 10. Server software Solaris had 11 flaws, including one which
could be attacked remotely. The most serious Solaris bug had a CVSS
score of 7.2. The CPU addressed nine issues in Oracle Virtualization
Software, which includes virtualization software VirtualBox, of which
four could be triggered remotely. The maximum CVSS score was 6.2.
If you are running any of these products, it is important to update
them immediately. MySQL is widely used as the back-end system for a
number of popular CMS and forum software, including WordPress and phpBB.
Reader and Flash Fixes
Adobe fixed security
issues in Adobe Flash, Acrobat, and Reader, which, if exploited, would
give attackers total control of the target system. The attack vector for
the Acrobat and Reader bug was a malicious PDF file. The Flash flaw
could be exploited by visiting malicious Web pages or opening documents
with embedded Flash objects.
If you have background updates turned on for Adobe products, the
updates should be seamless. Users with Google Chrome and Internet
Explorer 10 and 11 will not have to worry about the new version of Flash
as the browsers will update the software automatically.
Light Microsoft Update
Microsoft fixed a file
format vulnerability in Microsoft Word (MS14-001) that can be exploited
remotely if the user opens a booby-trapped Word file. It affects all
Microsoft Word versions on Windows, including Office 2003, 2007, 2010,
and 2013, as well as Word document viewers. Mac OS X users are not
affected.
The zero-day vulnerability (CVE-2013-5065) affecting Windows XP and
Server 2003 systems that was discovered in the wild last November has
finally been patched (MS14-002). Although the privilege escalation flaw
in NDProxy cannot be executed remotely, it should be high-priority
because it can be combined with other vulnerabilities. The attacks in
November used a malicious PDF document to first trigger a flaw in Adobe
Reader (which was patched May 2013 in APSB13-15) in order to access the
Windows kernel bug. Microsoft fixed a similar privilege escalation flaw
in Windows 7 and Server 2008 (MS14-003).
"If you are worried about 002 and not 003, you are likely going to
have some problems come April when support ends for Windows XP," Rapid7
said.
On their own these vulnerabilities might not be critical, but
combined they can be much more serious, Trustwave warned. If a campaign
using a malicious Office document executed code targeting the privilege
elevation bug, "then a phishing email to an unsuspecting user would be
all that's necessary," the team said.
While Target is still keeping mum
on how attackers managed to breach its network and hoover up
information belonging to more than 70 million shoppers, we now know that
RAM scraping malware was used in the attack.
"We don't know the full extent of what transpired, but what we do
know is that there was malware installed on our point-of-sale registers.
That much we've established," Target CEO Gregg Steinhafel said in an
interview with CNBC discussing the recent breach. The company initially
said payment card information for 40 million people who shopped at one
of its retail outlets over the holiday season was compromised. Target
said last week that personal information for 70 million people was also
stolen, and that any shopper who came to the stores at any point in 2013 was at risk.
Unnamed sources told Reuters
over the weekend that the malware used in the attack was a RAM scraper.
A RAM scraper is a specific type of malware which targets information
stored in memory, as opposed to information saved on the hard drive or
being transmitted over the network. While this class of malware is not
new, security experts say there has been a recent uptick in the number
of attacks against retailers using this technique.
Attacking Memory
RAM scrapers look inside the
computer's memory to grab sensitive data while it is being processed.
Under current Payment Card Industry-Data Security Standard (PCI-DSS)
rules, all payment information must be encrypted when it is stored on
the PoS system as well as when it is being transferred to back-end
systems. While attackers can still steal the data from the hard drive,
they can't do anything with it if it is encrypted, and the fact that the
data is encrypted while traveling over the network means attackers
can't sniff the traffic to steal anything.
This means there is only a small window of opportunity—the instant
when the PoS software is processing the information—for attackers to
grab the data. The software has to temporarily decrypt the data in order
to see the transaction information, and the malware seizes that moment
to copy the information from memory.
The rise in RAM-scraping malware can be tied to the fact that
retailers are getting better at encrypting sensitive data. "It's an arms
race. We throw up a roadblock and the attackers adapt and look for
other ways to grab the data," said Michael Sutton, vice-president of
security research at Zscaler.
Just Another Malware
It's important to remember
that point-of-sale terminals are essentially computers, albeit with
peripherals such as card readers and keypads attached. They have an
operating system and run software to handle the sales transactions. They
are connected to the network to transfer transaction data to back-end
systems.
And just like any other computer, PoS systems can be infected with
malware. "Traditional rules still apply," said Chester Wisniewski, a
senior security advisor at Sophos. The PoS system can be infected
because the employee used that computer to go to a Web site hosting the
malware, or accidentally opened up a malicious attachment to an email.
The malware could have exploited unpatched software on the computer, or
any of the many methods that result in a computer getting infected.
"The less privilege the store workers have on the point-of-sale
terminals, the less likely they will get infected," Wisniewski said.
Machines that process payments are extra-sensitive and should not allow
Web surfing or installation of unauthorized applications, he said.
Once the computer is infected, the malware searches for specific
types of data in memory—in this case, credit and debit card numbers.
When it finds the number, it saves it to a text file containing the list
of all the data it has already collected. At some point, the malware
then sends the file—usually over the network—to the attacker's computer.
Anyone Is a Target
While retailers are currently a
target for memory parsing malware, Wisniewski said any organization
handling payment cards would be vulnerable. This type of malware was
initially used in the hospitality and education sectors, he said. Sophos
refers to RAM scrapers as the Trackr Trojan, and other vendors call
them Alina, Dexter, and Vskimmer.
In fact, RAM scrapers aren't specific to just PoS systems. The
cyber-criminals can package up the malware to steal data in any
situation where the information is usually encrypted, Sutton said.
Visa issued two security alerts in April and August last year warning
merchants of attacks using memory-parsing PoS malware. "Since January
2013, Visa has seen an increase in network intrusions involving retail
merchants," Visa said in August.
It's not clear how the malware got onto Target's network, but it's
clear something failed. The malware wasn't installed on just one PoS
system, but on many computers around the country, and "no one noticed,"
Sutton said. And even if the malware was too new for antivirus to detect
it, the fact that it was transferring data out of the network should
have raised red flags, he added.
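An added example, not from the article or any of the vendors quoted, of the check Sutton and Wisniewski describe: registers have a tiny set of legitimate peers, so any flow leaving the register segment for anything else, and especially the same unknown peer contacted by several registers, is the red flag. The register subnet, allowlisted peers and flow records are constructed assumptions in a simple "timestamp src dst dport proto bytes" format.

```python
import ipaddress
from collections import defaultdict

# Constructed topology for this example: registers live in 10.20.0.0/16 and
# should only ever talk to the store back-end and the software update share.
POS_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_PEERS = {
    ("10.1.5.20", 443),   # payment switch / transaction back-end
    ("10.1.5.21", 445),   # software distribution share
}


def parse_flow(line):
    """Parse a constructed flow record: 'timestamp src dst dport proto bytes'."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def egress_violations(lines):
    """Flows that leave the register segment for a peer not on the allowlist.
    Returns (violations, shared): the offending flow records, and the
    unapproved peers contacted by more than one register."""
    violations = []
    registers_per_peer = defaultdict(set)
    for rec in map(parse_flow, lines):
        if rec["src"] not in POS_NET:
            continue                      # not a register; out of scope here
        peer = (rec["dst"], rec["dport"])
        if peer in ALLOWED_PEERS:
            continue
        violations.append(rec)
        registers_per_peer[peer].add(str(rec["src"]))
    shared = {peer: len(hosts) for peer, hosts in registers_per_peer.items()
              if len(hosts) > 1}
    return violations, shared


def bytes_out_per_register(violations):
    """Total bytes each register sent to unapproved peers; a large number from
    a host that only runs a till is the exfiltration signal."""
    totals = defaultdict(int)
    for rec in violations:
        totals[str(rec["src"])] += rec["bytes"]
    return dict(totals)


SAMPLE_FLOWS = [  # constructed records
    "2013-12-01T09:00:01 10.20.3.11 10.1.5.20 443 tcp 1840",
    "2013-12-01T09:00:05 10.20.3.12 10.1.5.20 443 tcp 1910",
    "2013-12-01T09:00:09 10.20.3.11 10.1.5.21 445 tcp 40210",
    "2013-12-01T09:15:00 10.20.3.11 198.51.100.23 21 tcp 2621440",
    "2013-12-01T09:15:04 10.20.3.12 198.51.100.23 21 tcp 2097152",
    "2013-12-01T09:16:00 10.1.7.9 198.51.100.23 21 tcp 512",   # office PC, ignored
]

if __name__ == "__main__":
    viols, shared = egress_violations(SAMPLE_FLOWS)
    for rec in viols:
        print("egress violation:", rec["src"], "->", rec["dst"], rec["dport"],
              rec["bytes"], "bytes")
    print("peers contacted by several registers:", shared)
    print("bytes to unapproved peers per register:", bytes_out_per_register(viols))
```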
For the individual shopper, not using credit cards is not really an option, which is why it is important to monitor
statements regularly and track every transaction on their accounts. "You have to
trust the retailers with your data, but you can also stay vigilant,"
Sutton said.
On any given day, you'll find researchers at AV-Comparatives working hard, putting antivirus
products through a wide variety of tests. Throughout the year, they
summarize and report on the results of these tests. And as each year
ends, they present an overall report on their findings. The latest such
report names Kaspersky as product of the year for 2013.
While the researchers do measure detection rates and such with
precision, for the sake of reporting they define three levels of
success: STANDARD, ADVANCED, and ADVANCED+. A product that doesn't even
reach the STANDARD level is merely TESTED. Each report warns that
despite differences in scores, products with the same rating should be
considered equally good. As the only product to reach ADVANCED+ in every
single test, Kaspersky easily earned the designation product of the
year.
Other Top Rated Products
The report also praised Bitdefender, ESET, F-Secure Anti-Virus 2014,
Avast, BullGuard, Fortinet, and Avira, naming them "top rated
products." The criterion for getting into this club is quite simple. A
rating of TESTED is worth zero, STANDARD is worth five, ADVANCED is
worth ten, and ADVANCED+ is worth 15. Any product whose scores
totaled 105 or higher made the cut for top rated, as long as it didn't
fail either real-world protection test.
Note that some of the tests are optional. Not all vendors approve of
AV-Comparatives's "retrospective" test, which simulates zero-day threat
detection by forcing products to use old definitions, so some of them
opt out. However, opting out of a test naturally cuts a vendor's total
score; Sophos would have joined the top rated crowd if it had entered
and passed the antiphishing test.
Tons of Information
The full report
is definitely worth reading if you're trying to decide which security
product will work best for you. It breaks down test results into a
variety of categories, among them file-based detection, real-world
protection, and performance. For each category it assigns gold, silver,
and bronze winner status to one or more participating vendors. You may
want to check the gold winners in the categories that are most important
to your particular needs.
There's also an extremely detailed review of each product's user
interface, complete with screenshots. Researchers considered a variety
of specific user interface features. Are malware alerts clear and
appropriate? Is there a cogent and useful help system? Are essential
functions and status reports easy to find? A summary section reports on
products that demonstrate good user interface design.
Malware in the modern world is complex and ever-changing. I'm
immensely grateful for testing labs like AV-Comparatives, labs that work
hard to keep their tests relevant and up to date. Without their input
it would be really tough to determine which antivirus products do the
best job.
Windows XP reaches its end of life in less than
three months, on April 8th. Microsoft strongly advises everyone to
update to a more modern operating system like Windows 7 or Windows 8.
Good advice, sure, but we know a lot of people will continue to run XP
after its life has officially ended. What kind of options will they have
for antivirus protection? Andreas Marx, CEO of AV-Test,
surveyed nearly 30 major antivirus vendors and found that all of them
planned to support their products under XP even after XP passes on.
Not a Free Pass
Make no mistake: if at all
possible you should upgrade any XP systems to a more modern operating
system. Once Microsoft stops patching security holes, XP is going to be
like a target in a shooting gallery. Your antivirus may be able to stop
malware attacks exploiting these unpatched vulnerabilities, but it may
not. Usually there's a partnership between the fully patched operating
system and the antivirus. After April, XP won't be holding up its side
of the deal.
A Definite End
Perhaps the biggest surprise from
this survey is that Microsoft itself will continue to support Microsoft
Security Essentials (as well as corporate security solutions) on XP
until July 14th, 2015. A blog post
explains that they're doing so "To help organizations complete their
migrations." Extending support as far as antivirus signatures makes
sense, but I didn't see it coming.
Avira, Bitdefender, and Trend Micro told Marx they planned a specific
ending time for supporting antivirus installations on the XP platform.
Avira will end protection on April 8th, 2015; Bitdefender in January of
2016 (2017 for corporate); and Trend Micro on January 30th, 2017. If
you're sticking with XP and using one of these products, you've got time
to plan your exit strategy.
Wait and See
Well over half of the companies
surveyed said they didn't have specific plans at this time to end
product support for those using XP, but they will support it for at
least two more years. A few offered a different end time, while
reserving the possibility they might extend support. ThreatTrack,
publisher of VIPRE, promised support until April 2015 or later. Sophos
will offer support until at least September 30th, 2015, while Norman and
Qihoo will keep going until at least January 2016. Again, any of these
vendors might continue supporting XP for longer, if there's a demand.
XP Enthusiasm
A few vendors went beyond the "at least a couple years" promised by so many. Kaspersky will continue XP support until at least 2018 (2016 for business). Webroot won't end support until April of 2019, or later. And Norton
hasn't made any decision at all on ending XP support. Of course,
Norton's stance could also mean that they're reserving the right to end
support earlier; we just don't know.
The full article
details just what each vendor said about continued support, and offers
other cogent advice about staying safe after the death of XP. Marx
advises users to drop the no-longer supported Internet Explorer in XP
and use Chrome or Firefox instead; users should switch away from Outlook
Express as well.
So what will it be? Are you really going to leave the undead Windows
XP in charge of your PCs? If circumstances force you to stick with XP,
be aware your risk level will be rising. And choose an antivirus that
will keep supporting you.
We love the cloud because it's easier to spin up a
server to host a Website or run a Web application if someone else takes
care of all the hardware tasks. Well, it appears criminals love
hosting providers, too, especially Amazon and GoDaddy.
Cyber-criminals are using cloud computing for many of the same
reasons legitimate businesses and individuals are, Solutionary found in
its Fourth Quarter 2013 Threat Report (PDF).
Criminals are also hiding their malicious activities behind the
reputations of major hosting providers such as Amazon, GoDaddy and
Google. In fact, of the major Web hosting providers out there,
Solutionary found that Amazon and GoDaddy were the most popular for
hosting malware.
"Now we have to maintain our focus not only on the most dangerous
parts of the Web but also on the parts we expect to be more
trustworthy," said Rob Kraus, director of research in Solutionary's
Security Engineering Research Team.
Why Cloud?
Shifting to the cloud makes a lot of
sense, since it is quicker to develop a malicious site and bring it
online, as well as cheaper to repeatedly change IP addresses and domain
names to avoid detection. Criminals can use multiple providers and
expand their operations substantially, rather than trying to set up
physical Web servers in multiple locations. For example, the report
found a single malicious domain which was spread across 20 countries, 67
providers, and 199 unique IP addresses to avoid being detected or
blocked.
Malware distributors are "utilizing the technologies and services
that make processes, application deployment and website creation
easier," Kraus said.
Criminals also cover their tracks better and have a higher degree of
success if they rely on major hosting providers. Considering that
organizations frequently filter out traffic using geographic blacklists
and lists of known bad IP addresses, criminals need someplace "safe"
that won't automatically trigger an alert. This is where major hosting
providers come in, as they allow malware distributors to set up shop
within a trusted address space. Organizations which may block traffic
from Ukraine are less likely to block traffic coming from Amazon and
GoDaddy, for example.
Solutionary also pointed out that geographic blacklisting and
blocking strategies are not effective methods to detect and block
malware attacks, since 44 percent of the world's malware is hosted
within the United States to begin with.
Piggybacking on Trusted Brands
Hiding behind
trusted domains and names is not something new, though. Spammers like
using popular Webmail providers because people automatically trust a
message from @outlook.com or @gmail.com more than one from @50orcdn.com,
for example. Attackers also use Google Docs and Google Sites to create
forms that can trick users into submitting sensitive information or
downloading malware. Cloud storage providers such as Dropbox have been
plagued in the past with criminals taking advantage of free services to
host malware.
Because of Amazon's immense size, it makes sense that it is hosting
more malicious sites than its competitors. Regardless, it's clear that
attackers are increasingly treating hosting providers as "significant
distribution points," Kraus said.
In Solutionary's report, the researchers found that attackers are
either buying services from major hosting providers directly or
compromising sites already being hosted on these platforms. The users
generally don't know how to take steps to harden their applications,
making them vulnerable to attack. Some providers, such as Amazon with
its Elastic Compute Cloud (EC2) service, charge on the actual bandwidth
being consumed. This means criminals can set up the campaign on a small
scale first, and then expand as necessary.
"The more lucrative the criminal activity, the more funds will be
available to pay for the increasing capacity as it is needed,"
Solutionary noted.
Most cloud providers—especially Amazon—have security policies in
place to shut down malicious sites and accounts as soon as they are
detected. However, when the provider is huge, with hundreds of thousands
of servers and thousands of users firing up new applications each
month, this is a challenging task. As a result, you should not just
assume that traffic coming from certain sites is automatically safe, or
count on the providers to police the activities. It's on you to practice
safe computing by keeping your computer secure and to scrutinize each
site to figure out whether or not it is legitimate.
The ‘magnetic stripe’ credit cards used by American banks should be
replaced with the more secure chip-and-PIN systems standard in Europe
and around the world – and the recent data breaches suffered by Target,
Neiman Marcus and other retailers should be a ‘wake-up call’, according
to JP Morgan’s CEO and other security advocates.
Ed Mierzwinski of the U.S. Public Interest Research Group
says that the breach has captured public interest in the security of
their cards, according to a report by Philly.com,
and says that he believes it may catalyze change. “Congress has begun to
ask questions,” he said. He describes the current system as viewing
fraud as “just a cost of doing business.”
“This cyber-security stuff we’ve now pointed out for a year is a big
deal. All of us have a common interest in being protected, so this might
be a chance for retailers and banks to, for once, work together,” said
JP Morgan CEO Jamie Dimon, according to Business Day Live’s report. Visa and Mastercard have also called for change.
Last week, Dimon described the breach as a “wake-up call”. JP Morgan is the world’s largest issuer of credit cards, according to USA Today’s report, and replaced two million cards in the wake of the breach.
The U.S. accounts for nearly half of the world’s $11.3 billion fraud losses on payment cards, according to the Nilson Report, an industry newsletter.
“The absence of EMV cards and terminals in the U.S.
contributes to fraud losses. Adoption of EMV at the point of sale is the
strongest defense against counterfeit cards,” Nilson wrote.
In a detailed guide for consumers concerned over the latest breaches ESET’s Lysa Myers writes,
“Have you used a credit or debit card in a store in the last three
months? If you’re like me, you have, possibly numerous times. If so, you
should check all of your credit and debit card accounts today to make
sure there have been no fraudulent charges.” Myers offers advice for
holders of cards with and without PINs.
EMV terminals take various forms, but cards equipped with the
technology are far more difficult to clone, according to Forbes. In Forbes, Adam Tanner points out that even North Korea outpaces America on card security.
“Magnetic stripe card technology is outdated at best – predating the floppy disk by only a year – and hugely insecure at worst,” CNBC commented in a video report on the breaches afflicting American retailers.
Yahoo News UK’s Finance Editor James Andrews says that Europeans find
America’s position puzzling, “Despite inventing the credit card, the US
has generally lagged behind the rest of the world in finding new uses
for plastic. The British invented the ATM in 1967 and the French have
had smartcards and PIN verification since 1992.”
“Chip and PIN isn’t perfect, but has led to a big reduction in card
fraud in the UK and made card cloning and skimming far harder.”
Describing America as an ‘island’ in a world of EMV or
‘Smart Chip’ cards, CNBC pointed out that not only Europe, but also
emerging economies use the more secure EMV system.
Magnetic stripe cards have been used for more than 40
years, having been patented in 1969, speeding up a credit-check process
from “minutes” to “seconds” – previously, retailers had to manually
check card numbers against a book of “bad” cards issued each month,
according to the system’s inventor, Ron Klein, as reported by Yahoo! News.
Gartner analyst Aviva Litan wrote in a blog post,
“Bottom line: it’s time for the U.S. card industry to move to
chip/smart cards and stop expecting retailers to patch an insecure
payment card system.”
Smart Chip cards are not immune to fraud – but the PIN codes and ‘Smart Chips’ make many forms of card fraud more difficult.
“While the Target breach is serious, consumers divulge the
same information every time they hand their card to a waiter in a
restaurant,” said Paul Schaus, president and CEO of CCG Catalyst
Consulting Group, in USA Today‘s report.
US president Barack Obama has announced a sweep of
reforms designed to curtail and examine the National Security Agency's
(NSA) spying powers, in a bid to win back trust following the PRISM
campaign.
Obama announced he will be issuing a new presidential directive in a
public speech, promising a number of key changes regarding how US
intelligence agencies collect and examine data.
"Today I am announcing a series of concrete reforms," he said.
"First, I have approved a new presidential directive for our
intelligence activities at home and abroad. With it we will now review
decisions about intelligence priorities on an annual basis."
Obama promised the reform will see a number of changes regarding the
way agencies such as the NSA store data and receive clearance to enact
missions. "We will reform procedures to provide greater transparency
about our intelligence activities," he said.
These include the creation of a new independent, non-governmental
panel of advocates to appear at the secret courts that approve or
disapprove operations such as PRISM. There will also be fresh
restrictions put in place by the attorney general, on how requests using
the US Foreign Intelligence Surveillance Act (FISA) and National
Security Letters can be made.
FISA and National Security Letters were used by the NSA to force numerous companies, including Google, Yahoo, Apple and Microsoft, to hand over vast amounts of customer data.
The nature of the requests means the companies are not allowed to
disclose what information was handed over without risking arrest.
Obama promised the reforms would help end this process, but failed to disclose exactly how.
"While investigating threats the FBI relies on National Security
Letters that require companies to hand over information to the
government. We must be more transparent about this," he said.
"I've ordered the attorney general to amend how we use National
Security Letters so this secrecy will not be permanent and will end in
time. We will also allow information providers to give more information
than ever before about what data they've handed to the government."
Obama said the FISA reforms were an essential step in the government's battle to win back international trust following PRISM.
"The new presidential directive will clearly prescribe what we do and
do not do when it comes to our overseas activities. US intelligence
agencies will only use such data to meet specific needs," he said.
"We will also develop safeguards and create a time limit on how long
we can store personal information. People around the world should know
the US is not spying on them."
Obama also said that, despite the reforms being made, at no point did
the NSA overstep its bounds. "As president, a president who looks at
intelligence every morning, I can tell you we need to protect against
threats. 9/11 is proof of this," he said.
"The men and women of the intelligence community, including the NSA,
constantly follow protocols. They're not using their powers to listen to
your calls or read your private emails. These people are our friends,
our family members, our neighbours."
The US president accused several nations of hypocrisy, arguing that
they are only upset because US operations are more sophisticated and
effective than their own, promising the nation would continue to mount
and develop its cyber operations.
"Many countries, including those that feigned surprise following the
Snowden revelations, are trying to penetrate our networks," he said.
"Our agencies will continue to gather intelligence on foreign
governments' intentions. We will not apologise for doing it better."
The PRISM scandal broke in 2013, when whistleblower Edward Snowden
leaked documents to the press detailing the NSA's spying operations. The
leaks have continued in a steady stream of revelations. Most recently the NSA was shown to have collected and examined 200 million SMS messages per day in 2011.
Europe needs a much harsher regime to fine businesses
that breach data protection laws, as recent penalties handed out to
Google are nothing more than “pocket money” to the company.
EU justice commissioner Viviane Reding said plans to reform the data
protection laws in Europe must be pushed through, otherwise firms will
continue to ride roughshod over the laws as they exist.
She noted that while both French and Spanish authorities have fined Google, the amounts represent a tiny fraction of the company’s income.
“Taking Google's 2012 performance figures, the fine in France
[€150,000] represents 0.0003 percent of its global turnover. Pocket
money,” she said.
“Is it surprising to anyone that two whole years after the case
emerged, it is still unclear whether Google will amend its privacy
policy or not? People need to see that their rights are enforced in a
meaningful way. If a company has broken the rules and failed to mend its
ways, this should have serious consequences.”
Reding said under the new proposals Google would have faced a far
harsher penalty that would make it think twice before ignoring data
protection laws.
“Europeans need to get serious. And that is why our reform introduces
stiff sanctions that can reach as much as two percent of the global
annual turnover of a company. In the Google case, that would have meant a
fine of €731 million ($1bn). A sum much harder to brush off.”
Reding added, though, that a stronger regime for data protection
would not just be a fear tactic to scare businesses into shape, but it
would also help provide them with a competitive edge over rivals.
"Our reform will thus not only open the market to companies, it will
also help them to conquer this market by helping to build citizens'
confidence. And what is more, strong data protection rules will also
give companies with serious privacy policies a competitive edge," she
said.
Data protection reforms within the EU have been debated for some
time, but an agreement between nations has yet to be reached. The UK is concerned that overly proscriptive laws could damage the economy.
Proposals were meant to be in place by 2015 but that date might slip back if member states cannot agree.
The Network Time Protocol (NTP) is a protocol which allows a client to
request the current network time from a specific time server. In this case, Schneier
explains how the NTP DDoS attack is used to take down gaming networks
such as League of Legends.
Q4 has started with a lot of bugs
A lot of League of Legends users are complaining about network
problems while they try to play a League of Legends match. League of
Legends shut down the ranked matching system multiple times in the last
few days.
The NTP method first began to appear late last year. To bring down a
server such as one running "League of Legends," the attackers trick NTP
servers into thinking they've been queried by the "League of Legends"
server.
The NTP servers, thinking they're responding to a legitimate query,
message the "League of Legends" server, overloading it with as many as
100 gigabits per second (Gbps). That's large even for a DDoS attack.
In this way, one small request to an NTP server can generate an
enormous response capable of taking down even high-capacity websites.
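The "small request, enormous response" pattern described above is what a defender can look for in flow data: for each NTP server and the address it answers, compare bytes sent toward port 123 with bytes coming back. The Python below is an added example, not from the article or from Schneier; the flow records, addresses and thresholds are constructed for illustration.

```python
"""Flag NTP amplification traffic in flow records (added example, not code
from the original article). Each constructed record is
(src_ip, src_port, dst_ip, dst_port, bytes, packets). A reflector shows
small UDP/123 requests arriving "from" one spoofed victim address and far
larger responses flowing back to that address.
"""
from collections import defaultdict

NTP_PORT = 123
# Response/request byte ratio above which a reflector's traffic is treated
# as amplification abuse; chosen for this example, tune it to your baseline.
RATIO_THRESHOLD = 10.0
MIN_RESPONSE_BYTES = 10_000   # ignore tiny flows that happen to be lopsided

# Constructed sample flows: 10.0.0.5 is the victim whose address was spoofed,
# 192.0.2.10 / 192.0.2.11 are NTP servers, 198.51.100.7 is a normal client.
SAMPLE_FLOWS = [
    ("10.0.0.5", 40000, "192.0.2.10", NTP_PORT, 234, 3),        # spoofed query
    ("192.0.2.10", NTP_PORT, "10.0.0.5", 40000, 48_200, 105),   # huge reply
    ("10.0.0.5", 40000, "192.0.2.11", NTP_PORT, 156, 2),
    ("192.0.2.11", NTP_PORT, "10.0.0.5", 40000, 31_960, 70),
    ("198.51.100.7", 51234, "192.0.2.10", NTP_PORT, 48, 1),     # normal query
    ("192.0.2.10", NTP_PORT, "198.51.100.7", 51234, 48, 1),     # normal reply
]

def amplification_by_pair(flows):
    """Return {(server, client): (bytes_in, bytes_out, ratio)} for UDP/123."""
    stats = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, nbytes, _pkts in flows:
        if dport == NTP_PORT:        # request toward an NTP server
            stats[(dst, src)][0] += nbytes
        elif sport == NTP_PORT:      # response from an NTP server
            stats[(src, dst)][1] += nbytes
    result = {}
    for pair, (b_in, b_out) in stats.items():
        ratio = b_out / b_in if b_in else float("inf")
        result[pair] = (b_in, b_out, ratio)
    return result

def find_amplification(flows, threshold=RATIO_THRESHOLD, min_bytes=MIN_RESPONSE_BYTES):
    """Sorted (victim, server, ratio) triples whose response volume dwarfs
    the request volume: the reflection signature, with the spoofed victim
    appearing as the 'client' that never really asked."""
    hits = []
    for (server, client), (_b_in, b_out, ratio) in amplification_by_pair(flows).items():
        if b_out >= min_bytes and ratio >= threshold:
            hits.append((client, server, round(ratio, 1)))
    return sorted(hits)

def victim_totals(flows, threshold=RATIO_THRESHOLD, min_bytes=MIN_RESPONSE_BYTES):
    """Total reflected bytes per suspected victim, summed over all reflectors,
    which is the number that matters when sizing the flood a target receives."""
    pairs = amplification_by_pair(flows)
    totals = defaultdict(int)
    for victim, server, _ratio in find_amplification(flows, threshold, min_bytes):
        totals[victim] += pairs[(server, victim)][1]
    return dict(totals)
```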
We have had the Nicki Minaj malware and now it seems that the hackers
are trying another scene. The Facebook post claims that they have a
video of the roller coaster accident in Orlando Park. The title says
that Orlando Park tried to keep the video hidden and that it has
now been leaked for you to watch.
Once you click on the link you will be redirected to a website
that is hosted in Brazil. There you will find
multiple images that try to trick you into believing that it is a
video. You will see fake Facebook comments below the video and, as you
already guessed, the video is fake.
Now what do these hackers gain when they trick you?
1. They get a lot of traffic to their website, which they can monitor to specifically target people.
2. They can gain access to your Facebook page.
3. They get access to a lot of social media accounts, as this malware shares itself.
Security researcher Daniel E. Wood discovered a vulnerability in the
Starbucks official iOS app related to the insecure storage of user
data.
10 million Starbucks customers who purchase drinks and food using their smartphones are exposed to a serious risk of data breach.
This is yet another story in which a poor implementation of minimum security
requirements could have an impact on the end user and their digital identity, just as happened in the Snapchat case.
The official Starbucks iOS app
doesn't encrypt user data, including the password. Customers use the Starbucks
app to pay for products of the popular coffee
company and to perform the usual operations available on a banking account,
such as checking the balance, transferring funds and reviewing transaction
history.
Security researcher Daniel E. Wood discovered the vulnerability (CVE-2014-0647)
in the Starbucks v2.6.1 iOS application; he revealed that the app stores the
user's credential details and GPS data in plain text in the following
file:
Once the location is known, it is quite easy for an attacker who has physical
access to the handset to retrieve the user's information by accessing the 'session.clslog'
file. An attacker who has read the file could then gain access to the
money available on the customer's Starbucks account.
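The class of flaw described above, sensitive data written unencrypted to a local log, is one an app team can check for in its own build artefacts before shipping. The Python below is an added example, not the article's or Starbucks' code; the log format, field names and sample lines are constructed, since the real 'session.clslog' layout is not shown in the article.

```python
"""Audit an app's local log file for plaintext secrets (added example, not
code from the article or from Starbucks). The log lines below are
constructed; only the kinds of data the article says were stored in clear
(credentials and GPS position) are modelled.
"""
import re

# One pattern per data class the article reports as stored unencrypted.
PATTERNS = {
    "email":    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "password": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*(\S+)"),
    "gps":      re.compile(r"(?i)\b(lat(?:itude)?|lon(?:gitude)?)\s*[=:]\s*(-?\d{1,3}\.\d+)"),
}

# Constructed sample log, not real content of any app.
SAMPLE_LOG = """\
2014-01-14 08:12:03 app start build=2.6.1
2014-01-14 08:12:05 login user=jane.doe@example.com password=Correct-Horse-42
2014-01-14 08:12:06 location lat=40.7128 lon=-74.0060
2014-01-14 08:12:09 balance fetched ok
"""

def audit_log(text):
    """Return (line_no, kind) findings for every line holding plaintext
    sensitive data; a non-empty result means the log must not ship as-is."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((no, kind))
    return findings

def redact(text):
    """Replace the sensitive values (keeping the field names) so a copy of the
    log can be shared with support without leaking credentials or location."""
    out = []
    for line in text.splitlines():
        line = PATTERNS["email"].sub("[email]", line)
        line = PATTERNS["password"].sub(lambda m: f"{m.group(1)}=[redacted]", line)
        line = PATTERNS["gps"].sub(lambda m: f"{m.group(1)}=[coord]", line)
        out.append(line)
    return "\n".join(out)
```

The fix for the app itself is to stop logging these fields at all and keep credentials in the platform keystore; the redaction here only covers logs that already exist.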
As usual, the hack could cause further problems for Starbucks clients
who used the app if they share the same credentials across different web
services; the recommendation for anyone who made purchases is to change them
immediately and adopt a different username and password for every service.
If you are using your email password as your Starbucks account
password, change it as a first priority. Starbucks has promptly
managed the incident, issuing an official statement to inform clients and subsequently providing an advisory to publicize the availability of an app update.
“UPDATE
(January 16, 2014 09:00 PM P.S.T.): As promised, we have released an
updated version of Starbucks Mobile App for iOS which adds extra layers
of protection. We encourage customers to download the update as an
additional safeguard measure. Read a letter from Curt Garner, Starbucks
chief information officer, regarding customer information and Starbucks
Mobile App for iOS”
The company remarked that there is no evidence that its customers have been
impacted, but let me suggest that you follow the above advice anyway.
"We’d like to be clear: there is no indication that any customer has been
impacted by this or that any information has been compromised." The
company is asking its customers to report any suspicious activity or
fraud that has occurred.
It’s time to seriously consider the security of mobile apps. Such flaws represent a serious threat to a user’s security and privacy, and the situation is particularly alarming for mobile banking, a sector that cybercriminals consider a privileged target.
The situation is no different for the use of mobile applications in the workplace: a
growing number of applications are developed by enterprises for
internal use, and in this case too security is a must, since a flawed app could expose the
company to the risk of cyber attack.
Back to the Starbucks app … even enjoying a cup of coffee could be dangerous. In Naples we say: "Excuse me, coffee makes me nervous"