Beware Scare Tactics for Mobile Security Apps
It may not be long before your mobile phone is beset by the same sorts of obnoxious, screen-covering, scaremongering ads pimping security software that once inundated desktop users before pop-up blockers became widely used.
Richard M. Smith, a Boston-based security consultant, was dining out last Friday and browsing a local news site with his Android-based smart phone when his screen was taken over by an alarming message warning of page errors and viruses. Clicking anywhere on the ad took him to a Web site peddling SnapSecure, a mobile antivirus and security subscription service that bills users $5.99 a month. [Screenshot: Mobile Ad for SnapSecure]
"This particular ad takes over the entire screen on my Android phone, so it gives the impression of being rather ominous," Smith said, noting that it was the second time in as many days that he'd encountered the rogue ad. He further explained that the ad simply appeared when he browsed to a news story, and that he hadn't clicked on an ad or done anything unusual.
Michael Subhan, vice president of marketing for SnapSecure, said the company traced the ads back to some rogue marketing affiliates that have since been banned from its advertising program.
Continued : http://krebsonsecurity.com/2012/06/beware-scare-tactics-for-mobile-security-apps/
EMET exploit mitigation tool reports the cause of a crash
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) now notifies users when a process has been terminated because one of the tool's protective mechanisms was triggered. The new feature was introduced with the recent 3.0 release of EMET, which is also designed to be easier to use in enterprise environments.
The alert window, shown above the system tray, tells the user that an attacker may have tried to exploit a vulnerability in the named process, but it is not hard evidence of an actual attack: a legitimate but badly behaved program can trip the same mitigation. EMET also writes these and other alerts, information and errors into the Windows Application event log, so they can be collected centrally.
Administrators can now deploy the tool across a network using Group Policies or the System Center Configuration Manager (SCCM). EMET 3.0 can import and export "Protection Profiles" with customised settings for common Microsoft and third-party applications, and three default configuration profiles are included. The company says that EMET has also been tested under the Windows 8 Consumer Preview.
Continued : http://www.h-online.com/security/news/item/EMET-exploit-mitigation-tool-reports-the-cause-of-a-crash-1621983.html
Syrian rebels targeted using commercial Skype trojan
Syrian activists are coming under attack from a new Trojan, based on a commercial spyware application.
Targeted attacks surreptitiously install the BlackShades Trojan onto compromised machines, an advisory by the EFF and Citizen Lab warns. The Trojan is being distributed via the compromised Skype accounts of Syrian activists in the form of a ".pif" file purporting to be an important new video; it is actually a malicious executable. Opening the file on a Windows machine installs a keylogger.
The use of remote surveillance software against activists has been going on amidst the conflict in Syria since February, if not earlier.
Previous attacks have involved a phishing campaign targeting the YouTube or Twitter credentials of high-profile Syrian opposition figures, and malware-tainted files posing as documents regarding the foundation of a Syrian revolution leadership council. Another attack pushed infected documents supposedly detailing a plan to assist the city of Aleppo.
Continued : http://www.theregister.co.uk/2012/06/20/syrian_skype_trojan/
Also: Syrian Dissidents Hit By Another Wave of Targeted Attacks
European aeronautical supplier's site infected with 0-day
European aeronautical supplier's website infected with "state-sponsored" zero-day exploit
Earlier today, SophosLabs determined that the website of a European aeronautical parts supplier had been hacked, and a malicious attack planted on it which exploited a zero-day Microsoft security vulnerability that has not yet been patched.
We were alerted to the security problem when a Sophos customer attempted to visit the affected website, and received a warning message that a file on the site was infected by code which attempts to exploit the vulnerability in Microsoft XML Core Services which could allow Remote Code Execution (CVE-2012-1889).
SophosLabs experts determined that the hacked website had been breached, and cybercriminals had planted the following four files into a subdirectory:
Just one glance at the filenames, and the use of the same critical zero-day vulnerability, should make clear the similarities to the incident we reported yesterday of an attack against a European medical company's website.
In both cases, the exploit is allowing what is known as a drive-by install: you can become infected simply by visiting a website with Internet Explorer.
So, what's going on?
Continued : http://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/
Hacker uses malware's built-in chat to toy with researchers
Malware researchers investigating a Trojan linked in a gaming forum as a how-to video for Diablo III got a surprise when the hacker started chatting with them—through a feature in the malware. Franklin Zhao & Jason Zhou of antivirus company AVG were looking for keylogging code in the malware with a debugger after downloading it to a virtual machine when a chat box popped up. The hacker asked, in Chinese, "What are you doing? Why are you researching my Trojan?"
The malware gave the hacker the ability to monitor the victim's screen, mouse, and keyboard input. It also provided access to other devices. The hacker apparently was online when the two researchers started poking around his code, and he decided to intervene. "I would like to see your face, but what a pity you don't have a camera," he typed to the researchers, as they tried to engage him in conversation. Eventually, he tired of the cat-and-mouse game and remotely shut down their virtual machine.
6 Biggest Breaches Of 2012 So Far
Now that we're just about at the halfway point of the year, it is as good a time as any to take stock of the data breach environment and start gathering up lessons from others' missteps.
There's plenty to choose from. According to the Privacy Rights Clearinghouse, during the first half of 2012 there have been 266 breaches affecting more than 18.5 million records. Dark Reading pored through the records and picked a breach for each month of 2012 so far to highlight as the most important exposures to learn from in the first half of the year.
1. Zappos
Time Of Disclosure: January 2012
Records Breached: 24 million records including names, email addresses, phone numbers, last four digits of credit card numbers and encrypted passwords
Incident: A hacker gained access through a Zappos server into the company's internal network to snag personal information that could be used to phish Zappos customers.
Lessons Learned: While there may be no such thing as a good breach, many experts believe Zappos stands as a role model in reducing risk factors following a breach. For one, the encryption the company used for its passwords passed muster. Secondly, the company clearly had an incident response and notification plan in place and used it. In an era where it is not a question of if but when a breach will hit, these are two huge factors to consider.
2. University of North Carolina
Time Of Disclosure: February 2012
Continued : http://www.darkreading.com/insider-threat/167801100/security/news/240002408/6-biggest-breaches-of-2012-so-far.html
DNSChanger: The Blackout is Coming!
From the Symantec Security Response Blog:
Malware called DNSChanger has been, and continues to be, in the news, and for very good reason. A whole lot of people stand to lose their Internet connectivity if they don't take action before July 9. One of our concerned customers recently posed Symantec Security Response a number of questions about what this threat is, how it works, and what it ultimately means to them (and other users like them). The following are the questions put to us, with our responses.
Norton User: What is this DNSChanger making news at the moment?
Symantec Security Response: It is malware that changes the Domain Name System (DNS) settings on the compromised computer, hence the name.
NU: What are these DNS settings and how do they affect me?
SSR: DNS is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer's network configuration. [Screenshot]
Continued : http://www.symantec.com/connect/blogs/dnschanger-blackout-coming
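The check implied by the Q&A above, whether a machine's resolver settings still point at the DNSChanger gang's servers, written out as an added Python example (not Symantec's code). It parses either `ipconfig /all` output or a resolv.conf and flags any resolver inside the address blocks the FBI published as the rogue DNS ranges; those blocks are reproduced from memory and should be verified against the current DCWG/FBI list before use. The two inputs are constructed samples.

```python
"""Flag DNS resolver settings that fall inside the DNSChanger rogue ranges."""
import ipaddress
import re

# Address blocks published by the FBI as the DNSChanger gang's resolvers
# (the ones the court-ordered replacement servers stood in for until
# July 9, 2012). Assumption: reproduced from memory; verify before relying on it.
ROGUE_RANGES = [
    ipaddress.ip_network("85.255.112.0/20"),
    ipaddress.ip_network("67.210.0.0/20"),
    ipaddress.ip_network("93.188.160.0/21"),
    ipaddress.ip_network("77.67.83.0/24"),
    ipaddress.ip_network("213.109.64.0/20"),
    ipaddress.ip_network("64.28.176.0/20"),
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_dns_servers(text):
    """Pull resolver addresses out of `ipconfig /all` or resolv.conf text."""
    servers = []
    capture = False  # True while inside an ipconfig "DNS Servers" list
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):          # resolv.conf style
            servers.extend(IPV4.findall(stripped))
            continue
        if "DNS Servers" in stripped:                  # ipconfig style, first entry
            capture = True
            servers.extend(IPV4.findall(stripped))
            continue
        if capture:
            # ipconfig continues the list on indented lines holding only an address
            if IPV4.fullmatch(stripped):
                servers.append(stripped)
                continue
            capture = False
    return servers


def is_rogue(addr):
    """True if the resolver address lies inside one of the rogue ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROGUE_RANGES)


def check(text):
    """Map each resolver found in the text to whether it is a rogue server."""
    return {server: is_rogue(server) for server in extract_dns_servers(text)}


# Constructed samples: one infected Windows box, one infected Unix resolv.conf.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
"""
SAMPLE_RESOLV = "nameserver 8.8.8.8\nnameserver 93.188.161.5\n"

if __name__ == "__main__":
    for name, sample in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV)):
        for server, rogue in check(sample).items():
            print(f"{name}: {server} -> {'ROGUE (DNSChanger)' if rogue else 'ok'}")
```

A home router that was itself reconfigured by the malware will hand out its own LAN address as the resolver, so a clean-looking result on the PC does not clear the network; the router's upstream DNS settings need the same check.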
CVE-2012-0217 (MS12-042) applies to other environments too
From SANS ISC:
A week ago we covered MS12-042 ("Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)") on the monthly Microsoft patch update cycle. This Microsoft advisory includes two vulnerabilities: CVE-2012-0217 and CVE-2012-1515 (VMware related).
Unfortunately, the official CVE-2012-0217 entry only references the Microsoft Windows OS, but other environments are also affected by this local privilege escalation vulnerability associated with 64-bit Intel processors. From the US-CERT note: "Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape." In particular, it also affects FreeBSD and Xen-based products (Red Hat, SUSE, etc.).
More details at "Vulnerability Note VU#649219: SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware".
Evolved Banking Fraud Malware: Automatic Transfer Systems
From TrendLabs Malware Blog:
Banks and other financial institutions have put stricter controls in place in an attempt to minimize the losses that phishing attacks cause. Cybercriminals have not taken this sitting down, and have produced a new tool to automate online banking fraud: automatic transfer systems (ATSs).
With ATSs, attackers have taken things to the next level. Instead of merely passively stealing information, ATSs allow cybercriminals to instantly carry out financial transactions that could deplete users' bank accounts without their knowledge. No longer needing user intervention to key in user names and passwords, ATSs allow cybercriminals to automatically transfer funds from victims' accounts to their own without leaving traces of their presence.
This research paper contains our preliminary research on ATSs. In the process of conducting research, we were able to find key aspects of ATS attacks, determine some known targets, and dig into the murky underground engaged in producing and selling ATSs.
Our full findings can be seen in the research paper, "Automating Online Banking Fraud," linked from the post below:
Continued : http://blog.trendmicro.com/evolved-banking-fraud-malware-automatic-transfer-systems/
New generation of bank Trojans can make invisible transfers
"Man in the Browser" Attack Automates Bank Fraud
Automatic Transfer System Evades Security Measures, Automates Bank Fraud
Twitter account hack epidemic - Don't fall for "CNBC" spam!
On June 6, the same day that the infamous LinkedIn password breach was widely reported, there seems to have quietly begun an epidemic of Twitter account hacking.
That afternoon, I got a direct message (DM) from someone I follow saying "You don't need any prior experience!" followed by a link. I have followed this Twitter user for three years and had never received spam from him before.
I replied and soon found out that the person still had control of his account. He changed his password on Twitter (and LinkedIn, on my recommendation) and I suggested he revoke authorization for any apps that he may have recently connected with his Twitter account.
That seemed to have resolved the problem. For him, anyway.
Over the next couple of weeks, I received three more direct messages from followers whose accounts had been hacked, each containing a link to a similar site:
Continued : http://nakedsecurity.sophos.com/2012/06/20/twitter-account-hack-cnbc-spam/
MLB.Com Found Serving Fake Antivirus Via Network Ad
MLB.Com Found Serving Fake Antivirus Via Malicious Network Ad
Just days after several large Web-based organizations united to fight malicious online ads, MLB.com was spotted serving malicious ads and directing visitors to Rogue Anti-Virus.
Rogue Anti-Virus applications actually generate decent income for some of the criminals who spread them, as they are paid for getting someone to install it, and will sometimes take a cut of the fee if someone registers it.
Once installed on a system, the Rogue AV hinders performance, blocks access to various websites and security applications, and opens the system to further malicious downloads. If the fake software is registered, not only is there a loss of money, but any personal information submitted during the registration process should be considered compromised too.
In the past, several high-profile sites have fallen victim to malicious advertising techniques, where criminals register accounts on legitimate ad networks, going so far as to run legitimate ads for a while, and then, once in rotation, the legitimate ads are swapped for malicious ones. Once this happens, anyone visiting the domain who happens to come across the ad will be redirected to Rogue AV or any other malicious content the criminal chooses.
Continued : http://www.securityweek.com/mlbcom-found-serving-fake-antivirus-malicious-network-ad