Out in the last few days is an interesting quarterly update report from McAfee.
Topline findings from the second quarter of the year include the following:
- Banking Malware. Malicious parties employ mobile malware that capture usernames and passwords, and then intercept SMS messages containing bank account login credentials to directly access accounts and transfer funds.
- Fraudulent Dating Apps. These apps dupe users into signing up for paid services that do not exist. The profits from the purchases are later supplemented by the ongoing theft and sale of user information and personal data stored on the devices.
- Weaponized Apps. These threats collect a large amount of personal user information (contacts, call logs, SMS messages, location) and upload the data to the attacker’s server.
- Ransomware. The number of new samples in the second quarter was greater than 320,000, more than twice as many as the previous period.
- Attacks on Bitcoin Infrastructure. In addition to disruptive distributed denial of service attacks, victims were infected with malware that uses computer resources to mine and steal the virtual currency.
That last bit, the Bitcoin bit, was kind of interesting, in that the whole Bitcoin kerfluffle has completely fallen off the radar in a remarkably short amount of time. There’s a nice timeline in the report to refresh one’s memory–and I suspect we’ll here more about Bitcoin someday fairly soon. On the other hand, it didn’t seem like McAfee could offer any information that was already generally reported in the news.
On a typical Web page, it’s possible to load a script from another file. Typically, that bit of script will be something you, the site developer, will have put there yourself and it will be loaded from your server.
But it doesn’t have to be that way. It’s possible to load that script from just about anywhere and it’s also possible that someone malicious could use an input field on a form at your site to inject some scripting, or at least a call to invoke a script from elsewhere.
Since that injected script is probably up to no good, it would be nice to ensure that it can’t run. And that’s where the HTML Content Security Policy header comes in. As a new entry on the Neohapsis blog puts it:
CSP functions by allowing a web application to declare the source of where it expects to load scripts, allowing the client to detect and block malicious scripts injected into the application by an attacker.
Sounds good, right? But the Neohapsis folks have found that really getting a handle on CSP takes some practice and some experimentation. So to facilitate this, they’ve created the CSPplayground, which includes a number of things, but in particular includes a bunch of examples of CSP screwups.
I’m fairly sure that the folks at Uniqul are serious–they’ve recently announced a product that uses facial recognition to extract your payments when you buy things. You scan your purchases, it scans your face, and then you or somebody whose face is similar to yours pays for your stuff.
From their PR pitch:
Long gone are the days of having to scour the bottom of your wallet for that missing nickel, having to pick out the applicable bonus and payment card or logging in on mobile phone wallets. Payment is handled simultaneously as your wares are scanned – which means that you will be saving that ca. 30 second payment time every time you pay with Uniqul! In other words the transaction becomes almost instant – all that is required is that you press an OK button on our Point-of-Sale tablet! Face recognition is handled automatically by our algorithms to ensure a high level of security and fast recognition.
I’ll concede, it would be pretty cool not to have to bother with things like mobile phone wallets (as if I had one). It would be cool to save the 30 seconds per transaction. But it would not be cool to have to make the awkward expressions people make when using the product, as shown in their promo video.
Solutionary posted a blog piece late last week that takes at look at incidents originating from North Korean IP addresses. A couple of key findings:
- North Korea has historically generated 34-200 touches per month against Solutionary clients… until February of 2013 when Solutionary recorded 12,473 touches – an 8445% increase over the average during the previous 12 months
- It is important to note that just over 11,000 of these touches were directed against a single financial services entity as part of a prolonged attack, but that the remaining spike of around 1,000 was spread across its client base and was still a relevant number
- North Korea has never been considered a “big player,” BUT things are beginning to change with the new regime in North Korea
- Coincidence? The last spike in “touches” occurred in November 2012 when North Korea replaced their defense minister with “a more aggressive, hard-line military commander”
- While the touches span across 13 industries, the financial sector was the top target, and has been for quite some time
The percentage increase statistic strikes me as pretty well-nigh meaningless, given that the base was tiny, a couple hundred incidents a month, but this does seem to indicate that North Korea has found a new toy.
Last week, when Symantec researchers said they had discovered the Windows version of the Crisis Trojan could spread to VMware virtual machines, it was big news. But Trend Micro doesn’t see Crisis as a major threat for enterprises using VMware. In fact, executives at the company think Crisis’s potential to spread to virtual machines was overblown.
“There was a fair amount of hype,” Harish Agastya, director of product marketing for data center security at Trend Micro, told me in a meeting this week at VMworld in San Francisco.
The Crisis malware only impacts Windows-based Type2 hypervisor deployments, not Type 1 hypervisor deployments, which are what most enterprises use, he said. “It’s specific to Type 2,” he said.
Warren Wu, director of product group management in the data center business unit, wrote a blog post that provided more details on the different deployments and attack scenarios. Here’s his description:
Type 1 Hypervisor deployment – Prime examples are VMware ESX, Citrix Xensource etc. It would help to think of these products as replacing the Host OS (Windows/Linux) and executing right on the actual machine hardware. This software is like an operating system and directly controls the hardware. In turn, the hypervisor allows multiple virtual machines to execute simultaneously. Almost all data center deployments use this kind of virtualization. This is NOT the deployment this malware attacks. I’m not aware of malware capable of infecting Type 1 Hypervisors in the wild.
Type 2 Hypervisor deployment – Example VMware Workstation, VMware Player etc. In this case the hypervisor installs on TOP of a standard operating system (Windows/Linux) and in turn hosts multiple virtual machines on top. It is this second scenario that the malware infects. First, the host operating system is compromised. This could be a well-known Windows/Mac OS attack (with the only added wrinkle being the OS is detected and the appropriate executable is installed). It then looks for VMDK files and probably instantiates the VM (using VmPlayer) and then uses the same infection as that used for the Host OS. This type of an infection can be stopped with up-to-date, endpoint antimalware solutions.
What makes Crisis unique, Wu wrote, is that it specifically seeks out virtual machines and tries to infect them. It also infects the VM through the underlying infrastructure by modifying the VMDK file instead of infecting the VM through more conventional avenues such as file shares, he said.
Trend Micro has made a name for itself in virtualization security, so what the company is saying about Crisis carries a lot of weight. Trend Micro was the first security vendor to partner with VMware and produce an agentless antivirus product. At VMWorld, the company launched the latest version of its Deep Security server security platform, which provides anti-malware and firewall protection, intrusion prevention and integrity monitoring to protect virtual servers and desktops.
The new version features caching and de-duplication functions to reduce file scanning and improve performance and hypervisor integrity monitoring. Deep Security 9 also includes integration with VMware’s vCloud Director and Amazon Web Services. That integration combined with a unified management console will enable customers to manage security of their physical, virtual and cloud servers from a single console, Agastya said.
Trend also launched Trend Ready for Cloud Service Providers, a program that provides certification that Trend Micro’s cloud security products – Deep Security and Secure Cloud– are compatible within a service provider’s environment, said Scott Montgomery, global strategic director of cloud provider business development at Trend. AWS, Dell, HP Cloud Services and Savvis are among the cloud service providers that have received the Trend Ready designation.
It seems the Federal Financial Institutions Examination Council could have done a little better with its cloud computing advisory. Earlier this month, the FFIEC issued a statement on outsourced cloud computing. The resource document outlines key cloud computing risks financial institutions should consider.
In the document, the FFIEC said it considers cloud computing to be another form of outsourcing with “the same basic risk characteristics and risk management requirements as traditional outsourcing.”
Right there, I think a lot of security experts would disagree. Cloud computing involves so many new elements — namely multi-tenancy – that present different risks than traditional outsourcing models. The FFIEC cloud computing statement covers multi-tenancy and other issues associated with cloud computing, such as potential complications with regulatory compliance due to data location, but at a high level without much detail. The document also covers familiar ground like vendor management and due diligence, stressing the importance of both in cloud computing arrangements.
Perhaps the FFIEC figured others, such as the National Institute of Standards and Technology (NIST), have already provided ample guidance on cloud computing risks. Late last year, NIST released its Guidelines on Security and Privacy in Public Cloud Computing (.pdf), which covers threats and risks associated with public cloud computing and provides organizations with recommendations.
Still, banks look to the FFIEC for guidance, and if any industry needs to be careful with moving data into the cloud, it’s banks. The FFIEC’s rather cursory treatment of the subject is puzzling indeed.
A recent audit into U.S. federal agencies’ adoption of cloud computing services highlighted challenges that likely would resonate with private enterprises looking to move applications to the cloud.
The report by the U.S. Government Accountability Office looked at the progress seven agencies have made in implementing the White House’s “Cloud First” policy. According to GAO, agencies need to do better planning – of the 20 plans for implementing cloud solutions the agencies submitted, seven didn’t include estimated costs. None of the plans for meeting the federal cloud computing strategy included details on how legacy systems would be retired or repurposed.
What’s telling, though, is the list of cloud challenges GAO compiled after talking to agencies. Topping the list is concern over the ability – or inability – of cloud providers to meet federal security requirements. For example, State Department officials reported that cloud providers can’t match the department’s ability to monitor its systems in real time. Also, Treasury officials noted that meeting a FISMA requirement for maintaining a physical inventory is tough since they don’t have insight into the cloud provider’s infrastructure and assets.
Other challenges cited in the GAO report include agencies not having the necessary expertise to implement cloud services; a Health and Human Services official reported that it’s difficult to teach staff a new set of procedures, such as monitoring performance in a cloud environment. Another challenge: Ensuring data portability and interoperability by avoiding vendor lock-in.
Sounds familiar, right? Security, cloud provider transparency, lack of expertise, vendor lock-in are all issues that organizations, both public and private, are wrestling with as they try to take advantage of cloud services. In its report, the GAO notes that recently issued federal guidance and initiatives, including guidance from NIST and FedRAMP, address some of these issues. Still, the issues are far from easy to solve. The journey to the cloud is a pretty bumpy one right now, as the GAO report found.
Well it could have been worse. Yahoo on Friday said it has fixed the vulnerability that allowed hackers to expose approximately 450,000 email addresses and passwords belonging to the Yahoo Contributor Network. That’s a huge number but still small potatoes compared to the half billion visitors Yahoo claims each month.
The online giant said in a blog post Friday that the compromised data was an older file containing email addresses and passwords provided by writers who joined Associated Content prior to May 2010, when Yahoo acquired it and renamed it the Yahoo Contributor Network. “This compromised file was a standalone file that was not used to grant access to Yahoo systems and services,” Yahoo said.
In addition to fixing the vulnerability that led to the breach, the company said it deployed additional security measures for affected Yahoo users, boosted its underlying security controls and is notifying affected users. “In addition, we will continue to take significant measures to protect our users and their data,” Yahoo said.
Yahoo’s blog post touted its response to the breach as “swift” but the company had already taken a lot of punches since the reports of the breach were published Thursday. Some security pros berated Yahoo for lack of security while others expressed mock surprise that the struggling company still had so many members. For sure, the breach – the latest in a series of password breaches – is yet another reminder of the need for users to be more careful about the passwords they create and for companies to take proper steps to secure those passwords.
Last month’s Amazon Web Services cloud outage sparked a lot of online discussion and debate over the viability of cloud services. According to published reports, an online dating company ditched AWS after massive storms caused power outages and knocked out service in one of Amazon’s U.S. East-1 Availability Zones June 29.
But Netflix – one of Amazon’s biggest cloud customers – said it remains “bullish on the cloud” despite the AWS outage. In a blog post Friday, Greg Orzell, software architect at Netflix and Ariel Tseitlin, director of cloud solutions at the company, wrote a post mortem of the outage, which they said was one of the most significant Netflix had experienced in over a year. The outage showed up things that both AWS and Netflix could do better, they wrote.
“Our own root-cause analysis uncovered some interesting findings, including an edge-case in our internal mid-tier load-balancing service,” they wrote. “This caused unhealthy instances to fail to deregister from the load balancer which black-holed a large amount of traffic into the unavailable zone. In addition, the network calls to the instances in the unavailable zone were hanging, rather than returning no route to host.”
Netflix is working to improve its resiliency and is working closely with Amazon on ways to improve the cloud provider’s systems, “focusing our efforts on eliminating single points of failure that can cause region-wide outage and isolating the failures of individual zones,” Orzell and Tseitlin wrote.
“While it’s easy and common to blame the cloud for outages because it’s outside of our control, we found that our overall availability over the past several years has steadily improved,” they wrote. “When we dig into the root causes of our biggest outages, we find that we can typically put in resiliency patterns to mitigate service disruption.”
Last summer, I attended a session at the Gartner Catalyst Conference 2011, on planning for resiliency in the cloud. Richard Jones, a managing vice president at Gartner, said the public cloud is a utility and utilities fail, making it critical that customers prepare for downtime. Enterprises often assume cloud services are reliable but they need to take responsibility for uptime, he said.
Seemed like sound advice to me. Other companies may want to look to Netflix for cues on planning for cloud resiliency.
DNSChanger infections have declined precipitously, but remaining systems could have Internet access turned off today.
It appears the Internet will not be thrown into turmoil as a result of the FBI shutting down the servers feeding systems containing DNSChanger malware.
The DNS Working Group, made up of a number of experts from security firms, DNS providers and the government, has been tracking infections. As of June 11, there were only about 69,000 DNSChanger infections in the United States and far fewer in other countries. The working group also estimated that globally there were approximately 303,000 systems containing the malware.
When the FBI arrested six Estonian nationals in November, charging them with running a sophisticated Internet fraud ring, investigators seized servers in data centers in Estonia, New York, and Chicago that were pointing victims to spoofed websites. The FBI estimated at the time that there were 500,000 infections in the U.S. and up to 4 million abroad.
With the news coverage aimed at consumers with little knowledge of the malware, it is very likely that the number of infections has drastically declined, although the working group hasn’t released updated figures. When the replacement DNS servers designed to avoid disruption are turned off today there won’t likely be any serious problems. It has still generated a number of hyped headlines including “Internet doomsday virus,” and “Internet blackout looms.” Let’s put this in context: There are still 2.5 million machines infected with Conficker.
The DNSChanger malware is a good example of the need for increased security vigilance on the part of average computer users. It can go a long way to reducing the number of serious incidents by disrupting the spread of malware. The working group has a great security protection Web page that leads computer users to additional information about phishing, antimalware and Windows 7 security features. The links lead to solid information from the U.S. Computer Emergency Readiness Team, the Carnegie Mellon Cylab Usable Privacy and Security Laboratory and the FBI. The advice is good, and is without the marketing spin designed to sell security software.
Another great resource that puts the DNSChanger problem into context is Canada’s Public Safety office, which published a document in November. The Canadian DNS Changer TDSS/Alureon/TidServ/TDL4 Malware Web page has been updated to help people determine if their systems have been infected and contains tools to help victims remove the infection.
Checking a system can be done by simply visiting a websiteor manually depending on your operating system.