In this show: US Government says that Cyber Crime is worse than Terrorism, Hacking Back, New exploit kit: Neutrino, Andromeda Botnet is back, Firefox OS, Bitcoin loses 25% because of a bug, Celebrity Credit Reports Stolen according to Equifax and Transunion, Colin Powell’s facebook hacked and much more.

Downloads

HD Apple HD Apple SD Audio MP3 Android

Show Notes

Intelligence officials see cyberattacks as a top US threat
http://www.networkworld.com/news/2013/031213-intelligence-officials-see-cyberattacks-as-267624.html?source=nww_rss

  • Cyberattacks are near the top of the list of most serious threats facing the U.S., with the rivaling concerns about terrorism and North Korea, intelligence officials with President Barack Obama’s administration said.
  • “Increasingly, state and non-state actors are gaining and using cyberexpertise. These capabilities put all sectors of our country at risk, from government and private networks to critical infrastructures.”
  • Clapper raised concerns about budget cuts forced under the congressional process called sequestration.


RSA 2013: On Security Awareness, Hacking Back and Going Offensive Legally

  • The 7 Highly Effective Habits of a Security Awareness Program
  1. Create a Strong Foundation
  2. (Have) Organizational Buy-in
  3. (Encourage) Participative Learning
  4. (Have) More Creative Endeavors
  5. Gather Metrics
  6. Partner with Key Departments
  7. Be the Department of HOW
  • On Hacking Back and Going Offensive Legally
  • the information security professionals, should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, not simply saying no to our own customers and further locking down systems
  • the need to establish dos and don’ts in company security policies, we should raise the bar and let security be a key part of solving business challenges, not an obstacle to it.


A New Exploit Kit in Neutrino

  • new exploit kit called “Neutrino” being sold in the underground
  • Systems with versions Java 7 Update 11 and below are vulnerable.
  • When exploited successfully, it downloads a ransomware variant,
  • Ransomware typically lock computers until users pay a certain amount of money or ransom


Andromeda Botnet Resurfaces

  • The Andromeda botnet – first spotted in late 2011 – has recently resurfaced
  • This threat arrives via a familiar means: spammed messages with malicious attachments or links to compromised websites hosting Blackhole Exploit Kit (BHEK) code
  • Andromeda itself is highly modular, and can incorporate various modules, such as:
  • Keyloggers
  • Form grabbers
  • SOCKS4 proxy module
  • Rootkits
  • The top affected countries of this threat are Australia, Turkey, and Germany 
    The perpetrators behind Andromeda have improved the malware’s propagation routines to proliferate itself by dropping several component files, one of which creates the registry key containing an encrypted .DLL file for its propagation
  • we’re going to see more refinements in the tools or malware that attackers use


The Firefox OS: How Safe Will It Be?

  • Firefox OS hasn’t really been aimed at security researchers or analysts
  • Mobil Devices that support Firefox OS haven’t even been released to developers
  • HTML5 is definitelypowerful enough to be a useful application platform – but this also means thatmalicious behavior can also be performed with HTML5
  • it’s hard to say how secure it will or won’t be. However, because of how its apps are built, it does pose a slightly different environment compared to either iOS or Android

Anatomy of a problem – Bitcoin loses 25% in value due to a long-missed bug

  • Bitcoin is an algorithmic currency, backed not by printed banknotes or government assurances, but by a database of cryptographic proofs-of-work.
  • block of data that produces a cryptographic hash with a specific bit pattern
  • Bitcoin ecosystem have all related to the services, known as exchanges, which trade real money into, and out of, bitcoins
  • And in 2012, Bitcoin exchange Bitcoinica suffered not one but two digital breakins, leading to bitcoins (which are effectively just strings of data bytes) worth more than $300,000 being stolen
  • No a discovered flaw, had a fatal but unknown flaw
  • This episode is an excellent reminder of one of computer science’s great ironies, namely that fixing bugs isn’t always the positive step you might hope.

Adobe tells Windows and Mac users to install critical security updates for Flash and AIR

  • Adobe also issued critical security updates for its Flash Player and AIR products, impacting many Windows and Mac users
  • The latest Flash Player update from Adobe fixes four security vulnerabilities.
  • Although the security holes could, potentially, be exploited by a malicious hacker to hijack computers evidence hasn’t yet been seen that these vulnerabilities are being exploited in real-world attacks

Help Keep Threats at Bay With ‘Click-to-Play’

http://krebsonsecurity.com/2013/03/help-keep-threats-at-bay-with-click-to-play/
  • Limiting Web Browser plugins like Java and Flash can block attacks from commiting “Drive By” attacks
  • there is a relatively simple and effective alternative: Click-to-Play.
  • Click-to-Play is a feature built into both Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari)
  • blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside of them.
  • Getting a click-to-play like feature working in Microsoft‘s Internet Explorer seems to be a bit more complicated
  • these approaches can be used to block Java content from running by default
  • A side note, if you unplug Java from any of your browsers, Oracle’s Java installer re-enables the plug-in when the program is updated

Equifax and Transunion say hackers stole celebrity credit reports

  • hackers had managed to publish the credit reports and personal information of a number of public figures on a newly-created website.
  • Victims include celebrities such as Beyoncé Knowles, Ashton Kutcher, Paris Hilton and Britney Spears – as well as public figures such as US Vice President Joe Biden, Hillary Clinton and Michelle Obama.
  • According to Bloomberg, Equifax Inc and TransUnion Corp have confirmed that sensitive, personal-identifying information about celebrities and public figures has been taken from their systems.

Colin Powell’s Facebook account has been hacked

  • It appears that whoever broke into Colin Powell’s Facebook account, didn’t do so to steal secrets
  • However the account was compromised, it might be time for Colin Powell to read up on password security – and ensure that his Facebook page is better defended in future.
  • The most likely answer is that his password was compromised

Evolution: Microsoft moving past the Patch Tuesday update cycle for its Windows 8 apps

  • Microsoft noted a change in the security update policy for several applications that it built and has deployed as part of its Windows 8 operating system
  • Patch Tuesday, the second Tuesday of every month, is a ritual moment in which Microsoft releases a slew of updates across its product lines; Windows, Windows Server, Office, and other applications are given patches in a single push, helping IT bosses handle the update process with some order
  • However, with Windows 8, Microsoft delivers a number of applications through its new Windows Store
  • The company has decided to follow what I call the pedestrian path, by simply releasing updates as they are ready
  • There is an exception to this, in that if a security bug affects software that would normally be fixed during Patch Tuesday, the update will go out to both at the same time. This limits the ability for hackers to note a fix in one piece of code, and exploit the same weakness in other software.

Mobile Malcoders Pay to (Google) Play

http://krebsonsecurity.com/2013/03/mobile-malcoders-pay-to-google-play/
  • An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits
  • brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale
  • brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale
  • Google charges just $25 for Android developers who wish to sell their applications through the Google Play marketplace, but it also requires the accounts to be approved and tied to a specific domain
  • The buyer in this case is offering $100 for sellers willing to part with an active, verified Play account that  is tied to a dedicated server.
  • Last year, malware on smartphones increased more than 780 percent over 2011, according to a Kaspersky
  • 99 percent of the mobile malware targeted Android devices
  • During 2011, an average of 800 new types of malicious programs were discovered every month
  • this figure rose in 2012 to 6,300 programs

iPhone thief posts picture of himself seemingly smoking pot on victim’s Facebook page

  • 27-year-old Miss Estrada had her iPhone 4S stolen
  • It appears that the thief then taunted his victim by posting images taken with the stolen iPhone to the victim’s Facebook account.
  • For once, maybe something good will come out of a smartphone user not having properly locked her device with a hard-to-crack password.
  • If you’re interested in other Facebook goofs made by criminals, check out the burglar who uploaded his own picture to the victim’s Facebook account and the two men who robbed an internet cafe, but forgot to log out of Facebook first.

Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

  • A particularly vociferous malware campaign has been forcefully spammed out in the last 24 hours, targeting German internet users.
  • contain an attachment which pretends to be a PDF file
  • subject line “Luftfrachsendung AWB” Shipping company
  • Innocent company

Wipe the drive! Stealthy Malware Persistence Mechanism – Part 1

http://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • Shmoocon 2013 Jake Williams and Mark Baggett gave presentation “Wipe the Drive”
  • you should always wipe the drive and reinstall the OS after a confirmed malware infection
  • The time and effort required to accurately analyze the capabilities of malware and conduct forensic analysis to determine if those capabilities were used is usually not in the cards.
  • AV scanners and cleaners are not effective resolution
  • TECHNIQUE  #1  – File Associations Hijacking
  • TECHNIQUE #2   BITS BACKDOOR
  • When you have malware on your machine,  just wipe the drive.

Google Doodle celebrates Douglas Adams and HHGttG – remember, “DON’T PANIC!”

  • Reimaging infected computers is much quicker and more reliable these days, but it’s often overkill, and (if you need to do it en masse) can still take ages and be pretty inconvenient for your users.
  • Dont Panic

Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents

  • Yahoo Mail users have been seeing their accounts broken into for months. While Yahoo says it has plugged at least two separate security holes leading to accounts getting hijacked, it appears the problem persists.
  • First reported to Yahoo in Jan 2013 and the activity is still being report in Mar 2013
  • Attacks typically consist of Yahoo users receiving an email from a friend or colleague (and sometimes a completely unknown party) containing a link that if clicked on, results in the account being hijacked
  • The bit.ly URL that is included (we’re not linking it here for obvious reasons) redirects to a fake MSNBC page that reportedly hijacks your Yahoo Mail account immediately if you are logged in.
  • Compromised accounts are being locked out.  Phone numbers are posted to a fake page where the are scammers attempting to get a ransom payment in exchange for an account they have compromised.
  • Potential targets are not only grabbed from your contacts list but from your “Sent” and “Inbox”
  • On January 7, a lone hacker by the name of Shahin Ramezany uploaded a video to YouTube demonstrating how to compromise a Yahoo account by leveraging a DOM-based cross-site scripting (XSS) vulnerability exploitable in all major browsers. The same day, Yahoo got back to TNW with two statements, first saying it was investigating and secondly confirming it fixed the flaw.
  • On January 8, researchers from Offensive Security let TNW know they had discovered that the vulnerability is still present, demonstrating a workaround showing they can still exploit the flaw in question.
  • On January 11, Yahoo issued a third statement to TNW: “The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we’ve now fixed the vulnerability on all versions of the site.”
  • On January 28 and January 30, two Yahoo users contacted TNW to say their account was compromised via what they believed was the same way that was described in our previous articles.
  • On January 31, we followed up with a story regarding a known flaw in the SWF Uploader component of Yahoo’s developer blog as pointed out by Bitdefender Labs. Yahoo says it fixed this flaw and recommended affected users change their passwords.
  • On February 25, February 27, March 1, and March 4 we received more emails from Yahoo users saying their accounts had been compromised.
  • reiterated its previous stance. “The XSS flaws reported to Yahoo! have been fixed and we continue to aggressively investigate reports of any email accounts exhibiting anomalous behavior,” a Yahoo spokesperson told TNW. “We’re committed to protecting our users and their data. We strongly urge our users to change their passwords frequently and to use unique, alphanumeric passwords for each online site they visit