May 20 2011 1:14PM GMT
Posted by: Robert Westervelt
eDiscovery,
Symantec,
Security Vendor News,
security acquisitions
Acquisition of Clearwell Systems Inc. bolsters Symantec’s eDiscovery capabilities in a crowded market for software that helps contain civil litigation costs.
Symantec Corp. has agreed to acquire privately held data archiving and backup vendor Clearwell Systems, Inc., in a $390 million deal that launches the security vendor into the eDiscovery market.
The agreement is subject to customary closing conditions, including regulatory approval, and is expected to close in September.
The market for electronic discovery software has been booming as businesses are required to tap into archived emails and other documents during the discovery process in civil litigation cases. Specialized software helps reduce the costs and risks associated with legal discovery.
Storage and database vendors have tapped into the market, including EMC Corp., which acquired Kazeon Systems Inc. in 2009 for $75 million. It also sells RSA’s Archer platform for eDiscovery and compliance management. Gartner Inc. calculates the annual growth rate for eDiscovery at 14% and estimates that it will reach $1.7 billion by 2014.
Brian W. Hill, an analyst with Forrester Research Inc. said Clearwell and Symantec have had a longstanding partnership across their archiving and eDiscovery offerings. Clearwell has been focused on processing, search and review to support eDiscovery, he wrote in the Forrester Research blog.
Clearwell offerings have some overlap so I anticipate a period of assessment and rationalization. The two vendors, however, have joint partners and some existing product integration and Symantec certainly recognizes the importance of the intersection of archiving and eDiscovery.
Symantec, which acquired Veritas in 2004, will add the eDiscovery capabilities as an offering for its customers. The company said it would integrate Clearwell’s capabilities into its Enterprise Vault archiving product.
“As information continues to grow at unprecedented rates, the biggest challenge for customers is to protect, manage and backup this information as well as have the ability to categorize and discover it efficiently,” said Deepak Mohan, senior vice president, Information Management Group, Symantec in a statement.
Symantec said the Clearwell platform can also be integrated and cross-sold along with its NetBackup, Data Loss Prevention and Data Insight software.
Some experts say the market is still immature and includes a myriad of small vendors. Forrester’s Hill said enterprises have had difficulties with the complexity of using different eDiscovery providers with different applications. Clearwell competed against Autonomy Corp., Recommind Inc. and ZyLAB North America LLC. In addition, Informatica, Oracle and SAP offer their own branded eDiscovery software suites.
According to Hill:
Given how long litigation and investigations often take, buyers want to make sure that their provider will be there when it counts. With about 200 employees, Clearwell is bigger than many of its counterparts, but Symantec will clearly be around for the long haul.
May 17 2011 1:43PM GMT
Posted by: admin
Scammers are spreading phishing attacks and other scams on Facebook and other social networks.
By Ryan Cloutier, Contributor
Facebook scammers began spreading a cross-site scripting attack last weekend, luring victims with a link leading to a phony Facebook “dislike” button. But experts are warning users of the social network not to click the link if they value their privacy and security no matter how many things they dislike.
The link is fraudulent, there is no official “dislike” button, and despite outcries and support from Facebook users the world over “there likely never will be,” writes Graham Cluley on Sophos Security’s Naked Security blog. Clicking the “enable dislike button” link that accompanies the scam message will not have the desired result. Instead, it will spread the link to other users in the victim’s friend list and run hidden JavaScript.
“The thing is, because it can download further code from the Web and run it, the nature of the threat can change at any time,” said Cluley in an interview with SearchSecurity.com. “Normally it would point people to a survey scam, ultimately.”
Attacks focusing on social networks have grown in frequency over the years as the networks grow larger. Microsoft’s Security Intelligence Report found that phishing impressions on social networking sites increased from 8.3% in January 2010 to 84.5% of impressions by December.
“We get more reports from people concerned about scams on Facebook than any other kind of internet threat,” Cluley said.
Cluley attributed the increase in attacks to the immaturity of the Facebook platform, and said Facebook is not doing enough to stamp out these spam campaigns. While financial institutions have sophisticated security teams and their online banking users are more protective of their accounts, Facebook is an easier mark for attackers because it has “600 million users, many of whom are fairly naïve regarding security matters and are only too keen to click on a link offering them a sexy video or a dislike button and deal with the consequences later,” Cluley said.
Cluley puts the onus of preventing these kinds of attacks largely on Facebook, saying it should be scanning links in the way Hotmail and Gmail do and taking action against survey companies who exploit its systems. He also thinks Facebook should be educating users about the dangers of what they are clicking.
“I think Facebook has grown so huge and been such a phenomenal success that it’s going to be around to stay, but I do think they would serve their community better if they took security more seriously and made it more of a priority,” Cluley said. “I’m not predicting the end of Facebook by any means … we’d like Facebook to look after users better.”
For its part, Facebook says it began rolling out new security features. The social network said it would warn users about suspicious links before they are duped by clickjacking and cross-site scripting attacks. Facebook will ask users for a confirmation before they “like” a news item, posting it to their friends’ News Feeds and request confirmation prior to clicking a suspicious link. The social network also has a Facebook security page in which it is attempting to educate users about various social networking threats.
May 16 2011 2:59PM GMT
Posted by: Robert Westervelt
Sony PlayStation Network breach,
Data Breaches and Identity Theft
An attacker rented space on Amazon’s EC2 service to wage cyber attacks on Sony Corp., according to a report.
Sony restarted its PlayStation Network and Qriocity services over the weekend and investigators have reportedly traced the attack to servers hosted on Amazon’s EC2 service.
Sony’s computer forensics team, which is investigating a massive data breach of its systems, believes the intruder rented space on Amazon’s cloud-based hosting service under a bogus name, according to a report from Bloomberg citing an anonymous source close to the investigation.
The attacker used the service as a platform to wield several attacks that crippled Sony Corp., and affected more than 100 million users of its gaming services. The breach is believed to be the largest data breach in the U.S. since the massive data breach at Heartland Payment Systems in 2009.
On Saturday, Sony partially restarted its PlayStation Network and Qriocity services, which were shut down since April 20, while the forensics team investigated the scope of the massive Sony breach.
The initial Sony breach exposed sensitive data on about 77 million Sony users. The company then discovered an outdated database from 2007, which included more than 12,000 non-U.S. credit and debit card numbers and 10,700 debit cards of users in Austria, Germany, the Netherlands and Spain.
The company has created the position of chief information security officer and implemented a number of steps to bolster security.
In a message to customers, the company said it added automated software monitoring and configuration management and bolstered encryption of passwords and other sensitive data. The company is also adding network security, boosting the number of firewalls and improving their effectiveness by ensuring they are configured properly. The company also said it added network monitoring technology that has the ability to detect software intrusions and network anomalies that could be suspicious activity.
Experts say the data security breach highlights the growing lack of awareness over the location of sensitive data at enterprises. Eric Holmquist, president of security consultancy Holmquist Advisory said it is critical for organizations to conduct data discovery on systems prior to implementing data security measures. Holmquist was interviewed recently for the SearchSecurity.com Security Squad podcast.
“I’ve seen so many instances where people can evidence all the technology, all the procedures and all the policies and you say ‘great, where’s the data inventory?’ and you get blank stares,” Holmquist said. “It really is unfortunate that it often takes an event to get people to do things better.”
Harry Sverdlove, chief technology officer of Bit9 told Security Wire Weekly that the massive Sony breach is another wakeup call in a string of high profile data breaches of late. Sony was careless when it put credit card data on an unencrypted database that was easily accessible, he said. You have to know where your valuable assets are.
“From what we can tell there were some fairly obvious things Sony could have done to prevent this,” Sverdlove said. “It reinforces that if you want to have a secure posture, you don’t just look at your infrastructure, but you have to look at your assets.”
May 10 2011 1:38PM GMT
Posted by: Robert Westervelt
browser vulnerabilities,
Application Security,
security research
The French security firm exploited a Google Chrome vulnerability, bypassing its sandboxing security feature and ASLR and DEP capabilities.
Google Chrome’s sandboxing security technology, designed to keep malicious code from infiltrating system processes has been compromised by researchers at VUPEN Security.
In an advisory issued Monday, the company said its research team discovered a zero-day vulnerability in the Google browser. The flaw enabled the team to bypass all security features in Chrome, including Address Space Layout Randomization and Data Execution Prevention, two techniques designed to prevent exploits from gaining control of running processes.
“While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP,” the company said in its advisory.
The bypass works on Windows systems and relies on zero-day vulnerabilities. The company said the attack can be pulled off without exploiting a Windows kernel vulnerability.
The company said it would not publicly disclose the exploit code or technical details of the underlying vulnerabilities. The company issued an accompanying video as proof that the browser vulnerability was exploited.
A Google spokesperson told Brian Krebs of KrebsOnSecurity that the company’s engineering team was unable to verify VUPEN’s claims, because VUPEN hadn’t shared any information about their findings. If the vulnerability is verified, Google will issue an automatic update to the browser.
Weaknesses in ASLR and DEP have surfaced in the past at the TippingPoint Pwn2Own contest. Microsoft, which uses the technology, said a successful attack typically takes extremely sophisticated measures, including multiple zero-day vulnerabilities.
Sandboxing technology is seen as an added layer of defense for applications that are commonly targeted by attackers. Adobe Systems Inc. developed Adobe Reader X, which uses a sandbox to thwart attacks. A researcher bypassed a similar sandboxing feature used in Adobe Flash Player. The company has acknowledged that sandboxing is not a silver bullet approach, but an added security layer that can deter many attackers.
Apr 29 2011 1:04PM GMT
Posted by: Michael S. Mimoso
Sony PlayStation Network breach,
Ponemon Institute
Hackers posting on underground forums claim the data stolen from the PlayStation Network includes user names, addresses, dates of birth, credit card numbers, expiration dates and card verification value numbers (CVV). Brian Krebs of Krebs on Security linked to a host of screenshots from hacker forums from his Twitter feed that illustrates the dialogue on the forum. Other reports claim that hackers are boasting they have credit card information from more than 2 million customers.
Sony, meanwhile, has yet to confirm the data was actually stolen, but says some of the accessed data was encrypted. From a Sony FAQ on its website:
“All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”
Sony shut down the popular gaming network for more than a week after the breach was detected April 17.
A class-action suit against Sony was filed yesterday in San Francisco alleging damages from the breach. The complaint seeks payment for damages, payment of credit monitoring fees and refunds from Sony and Qriocity its movie and game-streaming service provider, Bloomberg reported yesterday.
Legislators have also chimed in. Rep. Ed Markey (D-MA) and Rep. Mary Bono Mack (R-CA) want more details from Sony on the breach and Mack says the incident could prompt introduction of another consumer data protection bill. Sony says it is in the process of upgrading the security of its network infrastructure and has hired an unnamed security company, working in conjunction with law enforcement, to conduct forensics investigations.
A recent Ponemon Institute report on the cost of a data breach estimates the cost at $214 per lost record, a 5% jump over the last report. More than 77 million records may have been breached in the Sony attack.
Apr 20 2011 1:37PM GMT
Posted by: admin
Drive-by cache attack silently loads malware into the browser cache
By Ryan Cloutier, Contributor
Researchers at Armorize Technologies have discovered a more sophisticated drive-by download attack that uses zero-day vulnerabilities and a technique designed to dupe signature-based antivirus.
Wayne Huang, founder and CEO of Armorize issued a report outlining the new attack, called drive-by cache, last weekend. The firm identified the attack taking place on a legitimate human rights website.
The new attack method is similar to the drive-by download method currently popular in exploiting Flash and JavaScript vulnerabilities. In this type of attack, when the user accesses an infected page their browser is forced to make a connection to another URL, which is often a malware server. It then downloads a piece of malware to the victim’s hard disk. The attack takes place in the background without user intervention.
This type of attack is popular because it is difficult to detect using traditional, signature-based antivirus software. These attacks rely on flaws and exploits in browser or third-party application code such as Flash and JavaScript, so they are easy to hide amongst garbage code.
The drive-by cache attack technique identified by Huang and his team works similarly to the aforementioned method but instead of downloading the malware from an external source, the malware is executed from within the browser’s cache directory. The file is downloaded into the cache as part of the loading of the infected page, usually disguised as a jpeg or JavaScript file, that the browser downloads to its cache as an attempt to enhance the user’s browsing experience.
After caching the malware, the exploit and shell code are executed before the malware is finally executed as the final step. Huang and his team have dubbed this new type of attack drive-by cache and identified it on an Amnesty International website using the recently patched flash zero-day as the exploit.
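The drive-by cache technique described above depends on an executable sitting in the browser cache under a name that claims it is an image or script. The following is an added example, not Armorize’s code, of the check a defender can run over a cache directory: sniff the leading bytes of each file and flag any whose content is a Windows PE or ELF executable while its name claims to be something else. The sample cache below is constructed for the example (the file name `newsvine.jp2` is taken from the post; its bytes here are made up). The check catches disguised executables only; a malicious SWF that really is an SWF, like the `display.swf` in the post, passes it.

```python
"""Added example (not the page's code): flag cached files whose content type,
judged from the leading bytes, contradicts what the file name claims."""
import os
from typing import Dict, List, Optional, Tuple

# Leading-byte signatures for the few formats that matter here.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"MZ": "pe-executable",   # Windows PE/DOS stub
    b"\x7fELF": "elf",
    b"FWS": "swf", b"CWS": "swf", b"ZWS": "swf",
}

# Extensions under which an executable has no legitimate business in a browser cache.
NON_EXECUTABLE_EXTS = {".jpg", ".jpeg", ".jp2", ".png", ".gif", ".js", ".css", ".swf", ".html", ".htm"}


def sniff(data: bytes) -> Optional[str]:
    """Return the content kind implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_disguised(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (name, sniffed_kind, extension) for every file that is an executable
    hiding under an image/script/style extension."""
    flagged = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        kind = sniff(data)
        if kind in ("pe-executable", "elf") and ext in NON_EXECUTABLE_EXTS:
            flagged.append((name, kind, ext))
    return flagged


def scan_directory(path: str) -> List[Tuple[str, str, str]]:
    """Apply the same check to a real cache directory, reading only the first 16 bytes."""
    files: Dict[str, bytes] = {}
    for root, _dirs, names in os.walk(path):
        for name in names:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    files[full] = fh.read(16)
            except OSError:
                continue
    return find_disguised(files)


# Constructed sample cache: a real JPEG, a real SWF, and two disguised executables.
SAMPLE_CACHE: Dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "display.swf": b"CWS\x0a" + b"\x00" * 12,          # valid SWF: not flagged by this check
    "newsvine.jp2": b"MZ\x90\x00" + b"\x00" * 12,      # PE executable named as an image
    "jquery.js": b"MZ\x90\x00" + b"\x00" * 12,         # PE executable named as a script
}

if __name__ == "__main__":
    for name, kind, ext in find_disguised(SAMPLE_CACHE):
        print(f"{name}: {kind} content under a {ext} name")
```

The `MZ` and `ELF` signatures are checked before the image ones on purpose: an attacker controls the file name but not the loader’s expectation of what the first bytes of an executable look like, so the content signature is the reliable side of the comparison.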
The Armorize Team even found abnormal detection rates for the display.swf file, which contains the Flash exploit code.
“When we submitted the swf file to VirusTotal, 0 out of 42 antivirus vendors detected this exploit,” writes Huang on the Armorize blog. “As for newsvine.jp2 (swf.exe), we got 1/42 on VirusTotal (report is here). Only Microsoft detected this backdoor.”
The full Armorize report, including transcripts of the malicious code can be viewed here: http://blog.armorize.com/2011/04/newest-…
Apr 19 2011 11:30PM GMT
Posted by: Marcia Savage
Microsoft on Tuesday released its first security advisories for vulnerabilities its researchers found in third-party products: two in Google’s Chrome browser and one in Opera. Both have been fixed by the vendors.
The bug release was part of a broader announcement by Microsoft on its Coordinated Vulnerability Disclosure program, which it first announced last July. Under CVD, a security researcher reports security vulnerabilities to the affected vendor, a national CERT or other coordinator that will report the bug privately to the vendor; the researcher gives the vendor a chance to fix the problem or figure out a workaround before any party discloses it.
In addition to the security advisories, Microsoft on Tuesday also released a document that clarifies its approach to CVD as a vendor, vulnerability finder, and coordinator of vulnerabilities that affect multiple vendors, Matt Thomlison, general manager, Trustworthy Computing Security, wrote in a blog post. The company also adopted an internal policy for vulnerability disclosure for employees to follow when finding security flaws in third-party products, he said.
The Microsoft Vulnerability Research program has privately notified third parties of vulnerabilities since it was established in 2008, he said. The advisories illustrate the company’s commitment to handling vulnerability disclosure in a coordinated way, Thomlison said.
“After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem,” he said. “By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.”
Marc Maifrett, CTO of eEye Digital Security, said in a prepared statement that while Microsoft should be commended for taking an active role in vulnerability research, it and other technology companies should address larger problems that have led security researchers to stop working with vendors.
First, he said vulnerability research isn’t easy and now they have a way to be compensated by selling zero-day vulnerabilities to buyers, both of good and bad intentions. Second, researchers are unsatisfied with the time it takes vendors to fix flaws that are reported to them.
“Microsoft, and other technology companies, still fail to set a time line of what the cut off period is for a researcher to wait for Microsoft to create a patch, after which point a researcher should be able to publish their details to help the community without not being vilified by Microsoft or other technology companies as being irresponsible, or uncoordinated as it is now,” Maifrett said.
Apr 13 2011 11:11PM GMT
Posted by: Marcia Savage
The U.S. Department of Justice and FBI said they disabled a massive, international botnet that snatched user names, passwords and financial information used by criminals to steal money.
The Coreflood botnet is believed to have operated for nearly a decade and to have infected more than two million computers worldwide, they said.
In the action announced Wednesday, federal authorities seized five command-and-control servers and 29 domain names used by the botnet. The government also filed a civil complaint against 13 “John Doe” defendants, alleging wire fraud, bank fraud and illegal interception of electronic communications. In addition, the U.S. obtained a temporary restraining order that authorizes it to replace the C&C servers with substitute servers to prevent further infection to the compromised computers.
“These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure,” Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services branch, said in a prepared statement.
“It appears the cybercriminals behind Coreflood were able to turn the botnet into a money-making machine. It is hard to estimate the actual loot, but the criminals likely made tens of millions of dollars, based on the estimates in the complaint filed by the Department of Justice,” Dave Marcus, McAfee Labs research and communications director, said in an email. “It is not outside of the realm of possibility that they netted more than US$100 million. The attackers were collecting personal information including bank account details over a period of time.”
While the U.S. action completely disables the existing Coreflood botnet, it doesn’t stop criminals from trying to build another botnet using a different version of the Coreflood malware, authorities warned.
Apr 12 2011 7:53PM GMT
Posted by: Robert Westervelt
SQL injection,
website vulnerabilities,
Security Vendor News
The security vendor’s corporate website was compromised via a SQL injection attack.
Web security giant Barracuda Networks acknowledged Monday that a hacker used a SQL injection attack to gain access to its corporate website.
The hacker made off with Barracuda encrypted passwords and email addresses of channel partners, sales leads and some Barracuda employees, according to Michael Perone, Barracuda’s executive vice president and chief marketing officer. Most of the data consisted of names and email addresses, Perone wrote in the Barracuda Labs blog.
“Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords. However, all active passwords for applications in use remain secure.”
Perone acknowledged that the attacker bypassed the Barracuda Web application firewall that was in place to protect the website. The firewall was placed into monitoring mode for maintenance on April 8. A day later, an automated script began crawling the website looking for vulnerabilities.
“After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market,” Perone said.
The customer case study database shared the SQL database used for marketing programs which contained the names and email addresses. “The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later,” Perone wrote.
Most of the exposed data were email addresses associated with sales leads for Barracuda channel partners. Some of the contents included email addresses and hashed passwords of Barracuda employees authorized to manage the website. Perone said the passwords were also “salted” preventing an attacker from using a tool to crack the hashing algorithm.
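The two technical points in Perone’s account are the injection in a script that looks up case studies by vertical market, and the fact that the exposed passwords were salted one-way hashes. The following added example (not Barracuda’s code) reproduces both in Python with an in-memory SQLite database standing in for the PHP/SQL setup: the lookup written with string concatenation beside the same lookup written as a parameterized query, and a salted, iterated password hash with a constant-time verifier. Table names, columns and rows are constructed for the example. Note that a web application firewall in monitoring mode, as Barracuda’s was, logs this kind of request without blocking it; the parameterized query is what actually removes the defect.

```python
"""Added example (not Barracuda's code): SQL injection in a case-study lookup,
its parameterized fix, and salted one-way password hashing."""
import hashlib
import hmac
import os
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: case studies plus a marketing contact table that
    shares the same database, as the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE case_studies (id INTEGER, vertical TEXT, title TEXT);
        CREATE TABLE marketing_contacts (name TEXT, email TEXT);
        INSERT INTO case_studies VALUES (1, 'finance', 'Bank deploys spam firewall');
        INSERT INTO case_studies VALUES (2, 'education', 'University filters web traffic');
        INSERT INTO marketing_contacts VALUES ('Example Partner', 'partner@example.com');
    """)
    return conn


def case_studies_vulnerable(conn: sqlite3.Connection, vertical: str) -> list:
    # Defect: the request parameter is spliced into the SQL text, so a quote in the
    # input ends the literal and the rest of the input is executed as SQL.
    sql = "SELECT title FROM case_studies WHERE vertical = '" + vertical + "'"
    return [row[0] for row in conn.execute(sql)]


def case_studies_safe(conn: sqlite3.Connection, vertical: str) -> list:
    # Fix: the value is bound by the driver, never parsed as SQL. The query text is
    # fixed at development time regardless of what the user sends.
    sql = "SELECT title FROM case_studies WHERE vertical = ?"
    return [row[0] for row in conn.execute(sql, (vertical,))]


# Constructed probe of the kind an automated scanner sends: it closes the string
# literal and appends a UNION that reads the neighbouring table.
PROBE = "' UNION SELECT email FROM marketing_contacts --"


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted one-way hash. A random per-user salt means identical passwords hash
    differently, so a precomputed table is useless; PBKDF2 makes each guess costly."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, probe:", case_studies_vulnerable(db, PROBE))   # leaks the contact email
    print("safe, probe:", case_studies_safe(db, PROBE))               # matches nothing
    record = hash_password("correct horse")
    print(record, verify_password("correct horse", record), verify_password("wrong", record))
```

Running the module shows the vulnerable lookup returning the marketing contact’s email for the probe while the safe lookup returns nothing; the same probe against the parameterized query is just a vertical-market name that matches no row. Salting, as Perone noted, removes the shortcut of cracking many hashes at once, but the iteration count is what keeps guessing slow, so the hash format stores it alongside the salt.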
The website breach was reported Monday by the Register. The hacker, who called himself Fdf, claimed responsibility for the Barracuda attack, posting the stolen information on his website Monday.
Hackers have taken a keen interest in targeting security firms in 2011. A similar website breach occurred at security giant McAfee, where cross-site scripting errors were to blame. More serious breaches occurred at other security vendors. Last month, RSA, the security division of EMC Corp., announced a breach of its systems resulting in the compromise of its SecurID two-factor authentication products. In February hackers infiltrated HBGary Federal, bilking the firm of thousands of email messages.
Security experts from across the spectrum say that the breaches are an indication that no one is immune to an attack and that no single security technology is a silver bullet.