Mar 2 2011 3:25PM GMT
Posted by: Robert Westervelt
smartphone attacks,
Android malware,
mobile malware
The Android applications contained a hidden Trojan called DroidDream that attempted to gain root access to the smartphone, harvest sensitive data and download additional malware.
Google pulled at least 21 free applications from its Android Market late Tuesday after developers found hidden malware aimed at gaining access to sensitive data.
The free applications, a variety of games among them, were removed after bloggers flagged hidden malcode in them that attempted to gain root access to the user’s smartphone. Google removed the apps, and references to their publisher, Myournet, within minutes of being informed of the problem.
According to Aaron Gingrich, who writes for the Android Police blog, the apps contained a variety of hidden features, including the ability to contact a remote server to download more malware.
“I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device,” Gingrich wrote.
“But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.”
The malware, called DroidDream, has been analyzed by mobile malware researchers at Lookout Inc. and has been discovered in more than 50 applications in the official Android Market. In an update on the Lookout blog, the company said Google is actively working on the issue. The Lookout DroidDream blog post also lists all the affected applications.
We originally reported that Google removed the apps from devices, but we recently learned that the remote removal system has not yet been engaged for these applications because they are under active investigation.
Until now, Android malware had been surfacing mainly in third-party app repositories. Google and Apple have removed Android and iPhone apps in the past for failing to comply with their policies. While both mobile giants check apps for software quality and interaction with the smartphone OS, experts point out that neither closely scrutinizes applications for hidden malicious code or other security issues.
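The "another APK hidden inside the code" detail above is something a reviewer can check for mechanically. The following is an added triage example, not code from the original post, from Lookout or from Android Police: an APK is a zip file, so the script walks every entry, reads its magic bytes and flags a second archive or stray Dalvik bytecode wherever it sits, whatever the file is named. The sample APK it scans is constructed inline (a handful of entries with a zip hidden under a .db name) and is not one of the pulled apps; it is an assumption of the example that a hidden payload looks like this.

```python
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"     # local file header of any zip/jar/apk
DEX_MAGIC = b"dex\n"          # Dalvik executable
STANDARD_DEX = re.compile(r"^classes\d*\.dex$")


def scan_apk(apk_bytes):
    """Return (entry_name, reason) findings for payloads hidden inside an APK.

    Heuristic, not a verdict: some legitimate apps ship archives in assets/,
    so each hit needs a human look at what the embedded file really is.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with apk.open(info) as fh:
                head = fh.read(8)      # magic bytes, not the extension, decide
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if head.startswith(ZIP_MAGIC):
                # An archive inside the archive: the pattern that carried a second APK.
                reason = "embedded zip/apk/jar"
                if ext not in ("zip", "apk", "jar"):
                    reason += " disguised as .%s" % ext
                findings.append((name, reason))
            elif head.startswith(DEX_MAGIC) and not STANDARD_DEX.match(name):
                # Dalvik bytecode outside classes.dex, loadable at runtime via DexClassLoader.
                findings.append((name, "dex bytecode outside classes.dex"))
    return findings


def build_sample_apk(hide_payload=True):
    """Constructed sample, not a real app: an APK-shaped zip, optionally with a hidden APK in assets/."""
    dex = DEX_MAGIC + b"035\x00" + b"\x00" * 16
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:          # the second, hidden APK
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if hide_payload:
            z.writestr("assets/sqlite.db", inner.getvalue())   # zip bytes under a .db name
            z.writestr("assets/update.bin", dex)               # stray bytecode
    return outer.getvalue()


if __name__ == "__main__":
    for name, reason in scan_apk(build_sample_apk()):
        print(f"{name}: {reason}")
```

Two caveats for real APKs: AndroidManifest.xml is stored as binary XML, so checking the permission list (reading the IMEI and IMSI mentioned above requires READ_PHONE_STATE) needs a decoder such as apktool or androguard rather than the text scan of the manifest this example skips; and a native root exploit would be an ELF binary in assets/ or lib/, which this check does not look for.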
Feb 23 2011 2:34PM GMT
Posted by: Robert Westervelt
HBGary hack,
HBGary Federal,
authentication,
Password management,
SQL injection
Web application flaws and poor authentication processes appear to be the biggest technical lessons from the HBGary Federal hacking fiasco, according to Bojan Zdrnja of Croatia-based security consultancy Infigo.
Writing in the SANS Institute’s Internet Storm Center Diary, Zdrnja highlights common security mistakes made by HBGary Federal that his team frequently comes across during penetration tests: mistakes that security experts warn about constantly, that are reported in nearly every security media outlet and that security education firms highlight.
SQL injection vulnerabilities:
“HBGary unfortunately had a vulnerable Web application which allowed attackers to retrieve information directly from the back-end database – this information included MD5 hashes of passwords of users that had access to the administration web interface.”
SearchSecurity has a SQL injection protection Learning Guide on how to protect your website from SQL injection errors.
Manual inspection has given way to popular automated tools (Web application scanners) that detect these common errors. Automated toolkits have likewise made it easy for cybercriminals to find and exploit SQL injection flaws. There are security technologies that can defend against these automated attacks – a properly deployed and tuned Web application firewall (WAF) would do the trick, though a WAF is a compensating control and the root fix is parameterized queries in the application code itself. I say properly deployed, because I hear about many companies installing a WAF for PCI compliance, but failing to really use it for its intended purpose.
Poor authentication processes:
HBGary Federal used the same passwords to access different systems. This made it easier for members of the “Anonymous” group to access connected systems and ultimately steal email messages and other files. In addition, the same passwords were used for outside services such as Twitter and LinkedIn.
There are a plethora of two-factor authentication options, one-time password tokens and other methods that firms can use to keep systems locked down and make it more difficult for fraudsters to get in.
While it’s understandable that some firms don’t need the stronger authentication measures and wouldn’t want to disrupt business processes with them, it’s painfully troubling that firms that work with government agencies or deal with other sensitive data clearly aren’t deploying them. Safeguarding intellectual property – the lifeblood of every company – begins with the most basic security steps. Requiring some kind of hardened password protection to gain access to critical systems should be part of the foundation of any security program.
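The two mistakes above form one chain: a query that splices user input into SQL lets an attacker dump the user table, unsalted MD5 turns those hashes back into passwords offline, and reuse turns those passwords into access elsewhere. As an added illustration of both passages (example code, not from the ISC diary and not HBGary’s application), the block below puts the weak lookup beside its parameterized replacement and unsalted MD5 beside salted PBKDF2-HMAC-SHA256. The schema, usernames, passwords and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory schema for illustration; not HBGary's actual application.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    md5      TEXT,   -- legacy: unsalted MD5 hex digest
    salt     BLOB,   -- hardened: per-user random salt
    pbkdf2   BLOB    -- hardened: PBKDF2-HMAC-SHA256 of password and salt
)
"""
PBKDF2_ITERATIONS = 600_000  # slow on purpose; tune so one check costs a fraction of a second


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


# --- the weak pattern: string-built SQL and unsalted MD5 ---------------------

def legacy_register(db, username, password):
    """Stores an unsalted MD5 hash: same password, same hash, and trivially crackable."""
    digest = hashlib.md5(password.encode()).hexdigest()
    db.execute("INSERT INTO users (username, md5) VALUES (?, ?)", (username, digest))


def legacy_lookup(db, username):
    """VULNERABLE: untrusted input is spliced into the SQL text."""
    query = "SELECT username, md5 FROM users WHERE username = '%s'" % username
    return db.execute(query).fetchall()


def crack_md5(hashes, wordlist):
    """Offline guessing: hashes pulled from the database fall to a plain wordlist."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


# --- the fix: parameterized queries and a salted, slow password hash ---------

def register(db, username, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db.execute("INSERT INTO users (username, salt, pbkdf2) VALUES (?, ?, ?)",
               (username, salt, digest))


def verify(db, username, password):
    # The placeholder keeps the username a value, never SQL, whatever it contains.
    row = db.execute("SELECT salt, pbkdf2 FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def demo():
    db = open_db()
    legacy_register(db, "admin", "Password1")
    legacy_register(db, "greg", "Password1")       # reused password
    register(db, "aaron", "correct horse battery staple")

    payload = "' OR '1'='1"  # tautology: the WHERE clause becomes always-true
    dumped = dict(legacy_lookup(db, payload))      # every row, hashes included
    cracked = crack_md5([h for h in dumped.values() if h],
                        ["letmein", "Password1", "hbgary"])  # constructed wordlist
    # The same payload against the parameterized query is just a username that does not exist.
    hardened = db.execute("SELECT username FROM users WHERE username = ?", (payload,)).fetchall()
    return {
        "dumped": dumped,
        "cracked": cracked,
        "hardened_rows": hardened,
        "login_ok": verify(db, "aaron", "correct horse battery staple"),
        "login_bad": verify(db, "aaron", "Password1"),
        "login_injected": verify(db, payload, "anything"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The dumped table shows why unsalted MD5 is the second half of the problem: two users with the same password have the same hash, and one wordlist hit recovers both. The salted, iterated hash makes that offline step expensive per user; it does nothing about reuse on Twitter or LinkedIn, which only a policy against reuse or a second factor addresses.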
Zdrnja:
“The attackers used social engineering to attack a system administrator of another system (rootkit dot com) – an obvious weak spot since he/she holds “all the keys to the kingdom” … The attackers sent a carefully crafted e-mail, asking the administrator to open SSH on a weird port and set the root password to something he knows…”
That kind of change management, according to Zdrnja, is a big no-no, but is probably all too common at enterprises.
When the administrator opened SSH and changed the password, it was game over.
Feb 17 2011 10:49PM GMT
Posted by: Carolyn E.M. Gibney
SAN FRANCISCO — While it may not be a security pro’s worst nightmare, it certainly wouldn’t be considered a pleasant dream. In 2009, David Compton, system administrator for Aspire of Western New York, a non-profit that serves people with developmental disabilities at over 50 group homes and field locations, got a call from someone in the finance department. The employee’s machine was slow and refused to load certain applications.
When Compton went to check out the computer, he said the first thing he noticed was that “the antivirus was disabled. Then I realized I couldn’t boot the computer into safe mode. That’s when I knew we had a problem.”
At an RSA Conference 2011 session entitled, “Aspire to a Network Free of Malicious Programs,” Compton explained that this was the start of an episode during which he and his crew of “two and a half” security pros were “running around, cleaning up machines” for the next 110 hours. In the end, Compton had to “rebuild five servers, and about 50 workstations” to get rid of what turned out to be the Sality virus.
Nine months later, a rogue antivirus outbreak hit the organization, affecting more workstations, not only at the main location where the malware was believed to have penetrated the network first, but also at many of the various field offices and group homes as well. To top it off, the antivirus Aspire was using at the time wasn’t picking up the infections. Compton would “scan a machine that I knew was infected, and [the antivirus] would say, ‘Nope, it’s clean.’”
One of the most difficult aspects of the malware recovery process lay in the clientele Aspire serves. According to Compton, it was hard to explain security principles to a variety of computer users at 44 group homes who, in many cases, were just learning what computers were and how to use them, making the organization particularly susceptible to recurring infections.
What Compton thought was a problem specific to his organization, however, he later learned was systemic. He related that, over the course of the clean-up process, he discovered that many other computers for non-profit organizations were experiencing similar rates of infection, due, at least in part, to the overall strain on resources that the non-profits faced.
We were “using freeware to protect against malware,” he said.
Largely as a result of the turmoil, however, Compton was able to convince Aspire managers that investing in a commercial-grade endpoint security product was essential. After the infections, Compton said, everyone at the company was “very unsatisfied with the current endpoint security” posture.
Feb 17 2011 12:44AM GMT
Posted by: Michael S. Mimoso
HP,
ArcSight,
Bill Veghte,
Fortify,
TippingPoint
SAN FRANCISCO — When HP announced last September its intent to acquire SIM leader ArcSight, it was a pretty startling $1.5B deal. Not only had another security company fallen off the map into the hands of a tech giant, but interesting questions started to arise about how HP would make ArcSight fit into its overall IT service and application management strategy. ArcSight wasn’t the only security company in HP’s crosshairs; Fortify had already been scooped up in August, to go along with TippingPoint, which came with the Nov. 2009 3Com deal.
This under-construction security ecosystem HP is assembling is starting to take shape, and now executive VP of HP software and solutions Bill Veghte is spreading the word. Shortly before his keynote today at RSA Conference 2011, Veghte explained how HP wants to build a platform that combines data sets from IT operations and security to give security managers more business context for their decisions. Combining the ArcSight platform with the service and application management views provided by HP OpenView, he says, will build a risk platform CISOs can use to enhance their mission.
The question, however, becomes twofold: Is HP slowly shifting security responsibilities away from the CISO by moving operations and security data into the same bucket; and as SIMs are historically complex tools that require significant human capital investments to adequately implement and analyze, how does adding more data to that equation not exponentially increase that complexity?
Veghte fights that notion, adding that ArcSight’s ability to handle tens of millions of events and its ubiquity with large enterprise and government installations helps lessen the complexity issue. “This has to be about security first. We see this as an opportunity to enable the CISO to make better risk decisions with more context,” he said. “If you’re a large financial services organization, and you’re seeing a performance degradation in a trading application, is it a hardware failure, a load issue, or are you under attack? If we can aggregate all of that data, put it in context, and visualize it, that’s an enormous opportunity.”
Feb 15 2011 11:22PM GMT
Posted by: Marcia Savage
In the face of heightened cyberthreats, the Pentagon is pursuing a multi-pronged defense strategy that includes a reliance on private sector participation, William J. Lynn, III, U.S. Deputy Secretary of Defense, said in a keynote Tuesday at RSA Conference 2011.
“To this point, the disruptive attacks we’ve seen are relatively unsophisticated in nature. In the future, more capable adversaries could potentially immobilize networks on a wide scale for a much longer time,” he said.
It’s not impossible to imagine attacks on military networks or critical infrastructure that could cause severe economic damage or even loss of life, Lynn said. The nation must prepare for the likelihood that a cyberattack will be part of a conventional attack, he said. Al-Qaida hasn’t yet launched a cyberattack but it has vowed to, he added.
“We stand at an important junction of development of cyberthreats… most malicious actors haven’t laid their hands on the most harmful capabilities. But this situation won’t last forever,” he said. “We need to develop stronger defenses before this occurs. We have a window of opportunity to gird our networks against more serious threats.”
For the past two years, the Defense Department has deployed specialized defenses to defend military networks, officially recognizing cyberspace as a domain of warfare, he said. The Pentagon’s cyberstrategy relies on “active defenses” — a more dynamic approach that Lynn described as operating at network speed and using sensors to stop malicious code before it executes.
The military is also working to build collective defenses with its allies to cooperatively monitor networks for cyberdefense, he said. But a major part of the strategy is working with the private sector through information sharing and working with key technology companies to improve cybersecurity, he said. To that end, the Defense Department announced an expanded IT exchange program that Lynn said will allow for exchange of IT and security personnel between government and industry.
It also is adding half a billion dollars in funding for research into cloud computing, encryption and virtualization technologies, Lynn said.
“Over the long term, we must develop technology that reverses the advantage of those seeking to steal our secrets and cause us harm. … The challenge we face today in cybersecurity — it’s global in scope and requires government working closely with industry.”
Feb 15 2011 6:05PM GMT
Posted by: Michael S. Mimoso
RSA Conference 2011,
Ron Rivest,
Adi Shamir,
Len Adleman,
RSA Lifetime Achievement Award
SAN FRANCISCO — It’s pretty tough to get a cynical, often paranoid, group of people to rise in unison in approval. It’s pretty tough, however, not to extend a standing ovation to cryptography and security pioneers Ron Rivest, Adi Shamir and Len Adleman, the R, S and A in RSA Security. The trio that developed the algorithm at the heart of a company and the security industry were honored this morning at RSA Conference 2011 with the RSA Lifetime Achievement Awards.
Rivest, Shamir and Adleman stood while conference founder and the award’s namesake Jim Bidzos rattled off an endless list of accomplishments and contributions to the security industry aside from the RSA algorithm. The announcement was preceded by a 20-minute video on the making of the RSA cryptosystem and included poignant memories and comments from friends, family and colleagues of all three men, in addition to their insights.
“We have indeed been fortunate to stand on the shoulders of giants,” said RSA executive chairman Art Coviello.
The Rivest, Shamir, Adleman paper of 1977, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” is the foundation for security in ecommerce; more than one billion digital certificates are validated daily in support of transactions carried over SSL, Bidzos said.
Rivest has been a professor at MIT for 35 years and was one of the developers of the MD hash functions, as well as the RC4 algorithm. He is currently focusing his efforts on machine learning and electronic voting research and policy development. Shamir wrote the seminal paper “How to Share a Secret” and received the Pope Pius XI gold medal. The three current deans of Israel’s top technology institutes were Shamir’s students, at the same time. Adleman, meanwhile, a professor at the University of Southern California, is also known for breaking the knapsack cryptosystem, as well as for the creation of DNA computing.
Jan 31 2011 9:12PM GMT
Posted by: Michael S. Mimoso
CIS,
Cyber Foundations,
James Langevin,
SANS Institute
The Center for Internet Security’s US Cyber Challenge today kicked off an online competition to identify high school students who may be interested in a cybersecurity career. The Cyber Foundations competition is part of US Cyber Challenge’s overall goal of finding 10,000 Americans interested in pursuing cybersecurity as practitioners or researchers.
Rep. James Langevin (D-Rhode Island) will formally kick off the program tomorrow at a high school in his home state. Langevin heads the Congressional Cyber Caucus.
Cyber Foundations will provide tutorials and training material developed by the SANS Institute to high school students who register before Feb. 18. Registrants will then be able to take three quizzes in March and April, testing their knowledge and aptitude in networking, operating systems and system administration. Statewide winners will get cash prizes of up to $100; winners will be announced April 30.
This is one of several similar initiatives sponsored through USCC, a division of CIS. USCC conducts competitions and camps nationwide to help individuals sharpen their cybersecurity skills and provide them with opportunities at internships and employment.
“If we are to be successful in protecting our critical infrastructure systems from cyber threats—whether intentional attacks or unintentional compromises—we must address our nation’s shortage of skilled cyber security professionals,” said James A. Lewis, director and senior fellow, technology and public policy program at the Center for Strategic and International Studies. “The U.S. Cyber Challenge provides a range of opportunities to identify and nurture talented Americans to meet this national priority.”
Pilot programs were held in Rhode Island, California and Maryland. School systems in Texas, Delaware and Minnesota have also been recently added to the program.
“I’m so proud of our students in Rhode Island who piloted the U.S. Cyber Challenge Cyber Foundations competition last fall, and I look forward to expanded participation from more schools and students,” Langevin said. “By partnering with others in the cyber community, I hope this challenge will grow into a national model for inspiring and harnessing our young cyber talent.”
Jan 14 2011 7:32PM GMT
Posted by: admin
Ransomware
SMS ransomware surfaces in Russia, charges $12 ransom
By Ryan Cloutier, Contributor
The black hat community is always on the lookout for a way to profit from its illicit activities. On the Web, Trojans and worms disguised as freeware present an easy way for even a moderately skilled hacker to capitalize on the naiveté and lack of experience of many internet users.
According to Nart Villeneuve at Trend Micro’s TrendLabs Malware Blog, recent cybercrime techniques often involve holding a user’s computer hostage. The malware does this by denying the user access to the desktop and files until they send a text message to a premium-rate SMS number and enter the unlock code they receive in reply.
In the latest ransomware campaign detected by TrendLabs, the SMS charge costs the user the equivalent of $12 before the code to free the system is handed over.
Villeneuve said the ongoing campaign has netted the responsible cybercriminal $29,435 over the last five weeks. He goes on to note that, at $12 a head, this works out to roughly 2,500 people having paid the ransom.
Villeneuve wrote: “Cybercrime is a serious matter for cybercriminals who run these campaigns much like ordinary businesses and keep financial records for their own reference. In our research, we were able to access a panel that was used to keep track of the specific income generated by at least 60 phone numbers used in ransomware campaigns.”
Villeneuve also notes that users downloaded the specific file, identified by Trend Micro as WORM_RIXOBOT.A, more than 100,000 times in December. This means there is most likely a great deal of money going to that criminal.
Back in November, UK researchers detected a drive-by attack that encrypted media files and Microsoft Office documents and then demanded a $120 payment to have the files decrypted.
Jan 14 2011 3:27PM GMT
Posted by: admin
website vulnerabilities,
SEO attacks
Several government and educational websites redirect visitors to fake stores.
By Ryan Cloutier, Contributor
Security researchers at Zscaler Inc. have provided a list of government websites that have been hijacked to redirect visitors to Google searches.
Government web properties are not the only targets; some university websites, including those linked to Harvard, MIT and Stanford, have fallen as well. According to Julien Sobrier, a researcher at Zscaler, the list of hijacked sites includes:
- Harvard (Alexa rank in US: 875, cxc.harvard.xdu)
- MIT (Alexa rank in US: 963, petar.blog.lcs.mit.xdu, fig.scripts.mit.xdu, hlt.media.mit.xdu)
- Stanford (rank 782, mentalhealth.stanford.xdu, yuba.stanford.xdu, assu.stanford.xdu)
- Fandango (rank 236, www.summermovies.fandango.xom)
There are also governmental sites in the list, from the U.S., China and other countries:
- openworld.gov
- paceflorida.gov
- fpa.tas.gov.au
- ezhouinvest.gov.cn
- perak.gov.my
- misiones.gov.ar
- etc.
In Zscaler’s research blog, Sobrier wrote that visitors are redirected to no ordinary Google search results; the results seem to consist entirely of fake online stores. The stores “sell” software at a discounted price. However, they all have odd URLs and some of the sites are running SEO spam on topics such as Viagra and U.S. student visas.
Contemporary wisdom suggests these types of locations will not be kind to your bank accounts, Sobrier said.
Once again spammers have managed to poison search results for popular searches. This specific spam was reported a month ago, but it still shows up in the first page of results for multiple searches.
There also seem to be various domain names for the fake stores. The domain names run the gamut from the seemingly malicious software-supreme.com to the seemingly less threatening sacon.org. All in all the fake stores encompass at least 75 domains and each site looks slightly different.
What makes this attempt unique from your typical black hat attempt to turn Google’s algorithms against the common person is that the search engine optimization is in multiple languages. Usually spam SEO comes in English but this time we are seeing French, German and other varieties.
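The post does not say how the hijacked pages perform the redirect, so the following is an added example of one check a site owner can run on a suspect page, not Zscaler’s method and not code from the original post. It scans a page’s HTML for the two client-side redirect forms an injected snippet most commonly takes, meta refresh and JavaScript assignments to location, and reports only targets that leave the page’s own site. The sample page is constructed for the example (hosted on the reserved name agency.example, with the referrer-gated injection being an assumption about how such a snippet hides from the site’s own staff); the two target domains it points at are the ones named above.

```python
import re
from urllib.parse import urlparse

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
META_IS_REFRESH = re.compile(r"""http-equiv\s*=\s*["']?refresh""", re.I)
META_REFRESH_URL = re.compile(r"""content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*["']?([^"'>\s]+)""", re.I)
# window.location = "...", location.href = '...', location.replace("..."), location.assign("...")
JS_LOCATION = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*["']([^"']+)["']""",
    re.I,
)


def find_offsite_redirects(html, page_url):
    """Return (kind, target_host, target_url) for every redirect that leaves the page's own site."""
    site = (urlparse(page_url).hostname or "").lower()
    candidates = []
    for tag in META_TAG.findall(html):
        if META_IS_REFRESH.search(tag):
            m = META_REFRESH_URL.search(tag)
            if m:
                candidates.append(("meta-refresh", m.group(1)))
    for m in JS_LOCATION.finditer(html):
        candidates.append(("js-location", m.group(1)))

    hits = []
    for kind, target in candidates:
        host = (urlparse(target.strip()).hostname or "").lower()
        if not host:
            continue                                   # relative URL: stays on this site
        if host == site or host.endswith("." + site):
            continue                                   # same site or a subdomain of it
        hits.append((kind, host, target))
    return hits


# Constructed page, not content from any site named above: one legitimate same-site
# refresh, one legitimate same-site redirect, and two injected off-site redirects.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="30; url=/news/index.html">
<script>
  // assumed injection pattern: fire only for visitors arriving from a search engine
  if (document.referrer.indexOf("google.") !== -1) {
    window.location.href = "http://software-supreme.com/?q=discount-software";
  }
</script>
</head><body>
<a href="/contact">Contact us</a>
<script>location.replace('//sacon.org/shop');</script>
<script>window.location.href = "https://agency.example/portal";</script>
</body></html>"""


if __name__ == "__main__":
    for kind, host, target in find_offsite_redirects(SAMPLE_HTML, "https://agency.example/index.html"):
        print(f"{kind}: {host} <- {target}")
```

An HTML-only scan has two blind spots worth stating. Injected code is often cloaked, serving the redirect only when the request carries a search-engine referer or a particular user agent, so fetch the page with a Google referer header and a browser user agent as well as with a plain client before calling it clean. And a server-side 30x redirect, or a rewrite rule added to the web server configuration, never appears in the HTML at all; those need the response headers and the server config checked directly.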