South Korea under cyber attack - Security Decoded - Episode 8

In this show: South Korean banks under attack, Remote Linux Wiper, your web hosting account is getting hacked, EA's Origin game allows hackers to take control of your computer, Apple adds two-factor authentication and much more.


Cyber Crime Worse Than Terrorism - Episode 7


In this show: US Government says that Cyber Crime is worse than Terrorism, Hacking Back, New exploit kit: Neutrino, Andromeda Botnet is back, Firefox OS, Bitcoin loses 25% because of a bug, Celebrity Credit Reports Stolen according to Equifax and TransUnion, Colin Powell's Facebook hacked and much more.


Show Notes


Intelligence officials see cyberattacks as a top US threat
http://www.networkworld.com/news/2013/031213-intelligence-officials-see-cyberattacks-as-267624.html?source=nww_rss

  • Cyberattacks are near the top of the list of the most serious threats facing the U.S., rivaling concerns about terrorism and North Korea, intelligence officials in President Barack Obama's administration said.
  • "Increasingly, state and non-state actors are gaining and using cyberexpertise. These capabilities put all sectors of our country at risk, from government and private networks to critical infrastructures."
  • Clapper raised concerns about budget cuts forced under the congressional process called sequestration.


RSA 2013: On Security Awareness, Hacking Back and Going Offensive Legally

  • The 7 Highly Effective Habits of a Security Awareness Program


  1. Create a Strong Foundation
  2. (Have) Organizational Buy-in
  3. (Encourage) Participative Learning
  4. (Have) More Creative Endeavors
  5. Gather Metrics
  6. Partner with Key Departments
  7. Be the Department of HOW


  • On Hacking Back and Going Offensive Legally
  • Information security professionals should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, rather than simply saying no to our own customers and further locking down systems.
  • Beyond establishing dos and don’ts in company security policies, we should raise the bar and let security be a key part of solving business challenges, not an obstacle to them.


A New Exploit Kit in Neutrino

  • new exploit kit called “Neutrino” being sold in the underground
  • Systems with versions Java 7 Update 11 and below are vulnerable.
  • When exploited successfully, it downloads a ransomware variant,
  • Ransomware typically lock computers until users pay a certain amount of money or ransom


Andromeda Botnet Resurfaces

  • The Andromeda botnet – first spotted in late 2011 – has recently resurfaced
  • This threat arrives via a familiar means: spammed messages with malicious attachments or links to compromised websites hosting Blackhole Exploit Kit (BHEK) code
  • Andromeda itself is highly modular, and can incorporate various modules, such as:
    • Keyloggers
    • Form grabbers
    • SOCKS4 proxy module
    • Rootkits
  • The top affected countries for this threat are Australia, Turkey, and Germany.
  • The perpetrators behind Andromeda have improved the malware’s propagation routines: it proliferates by dropping several component files, one of which creates the registry key containing an encrypted .DLL file used for propagation.
  • we’re going to see more refinements in the tools or malware that attackers use


The Firefox OS: How Safe Will It Be?

  • Firefox OS hasn’t really been aimed at security researchers or analysts
  • Mobile devices that support Firefox OS haven’t even been released to developers
  • HTML5 is definitely powerful enough to be a useful application platform – but this also means that malicious behavior can be performed with HTML5
  • It’s hard to say how secure it will or won’t be. However, because of how its apps are built, it does present a slightly different environment compared to either iOS or Android


Anatomy of a problem - Bitcoin loses 25% in value due to a long-missed bug

  • Bitcoin is an algorithmic currency, backed not by printed banknotes or government assurances, but by a database of cryptographic proofs-of-work.
  • A proof-of-work is a block of data that produces a cryptographic hash with a specific bit pattern
  • The problems in the Bitcoin ecosystem have all related to the services, known as exchanges, which trade real money into, and out of, bitcoins
  • And in 2012, Bitcoin exchange Bitcoinica suffered not one but two digital break-ins, leading to bitcoins (which are effectively just strings of data bytes) worth more than $300,000 being stolen
  • This was not a flaw that had been discovered and fixed; the existing software had a fatal but unknown flaw
  • This episode is an excellent reminder of one of computer science's great ironies, namely that fixing bugs isn't always the positive step you might hope.


Adobe tells Windows and Mac users to install critical security updates for Flash and AIR

  • Adobe also issued critical security updates for its Flash Player and AIR products, impacting many Windows and Mac users
  • The latest Flash Player update from Adobe fixes four security vulnerabilities.
  • Although the security holes could, potentially, be exploited by a malicious hacker to hijack computers evidence hasn't yet been seen that these vulnerabilities are being exploited in real-world attacks


Help Keep Threats at Bay With ‘Click-to-Play’

http://krebsonsecurity.com/2013/03/help-keep-threats-at-bay-with-click-to-play/

  • Limiting Web browser plugins like Java and Flash can block “drive-by” attacks
  • There is a relatively simple and effective alternative: Click-to-Play.
  • Click-to-Play is a feature built into Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari)
  • It blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside of them.
  • Getting a click-to-play-like feature working in Microsoft’s Internet Explorer seems to be a bit more complicated
  • These approaches can be used to block Java content from running by default
  • As a side note, if you unplug Java from any of your browsers, Oracle’s Java installer re-enables the plug-in when the program is updated


Equifax and Transunion say hackers stole celebrity credit reports

  • hackers had managed to publish the credit reports and personal information of a number of public figures on a newly-created website.
  • Victims include celebrities such as Beyoncé Knowles, Ashton Kutcher, Paris Hilton and Britney Spears - as well as public figures such as US Vice President Joe Biden, Hillary Clinton and Michelle Obama.
  • According to Bloomberg, Equifax Inc and TransUnion Corp have confirmed that sensitive, personal-identifying information about celebrities and public figures has been taken from their systems.


Colin Powell's Facebook account has been hacked

  • It appears that whoever broke into Colin Powell's Facebook account, didn't do so to steal secrets
  • However the account was compromised, it might be time for Colin Powell to read up on password security - and ensure that his Facebook page is better defended in future.
  • The most likely answer is that his password was compromised


Evolution: Microsoft moving past the Patch Tuesday update cycle for its Windows 8 apps

  • Microsoft noted a change in the security update policy for several applications that it built and has deployed as part of its Windows 8 operating system
  • Patch Tuesday, the second Tuesday of every month, is a ritual moment in which Microsoft releases a slew of updates across its product lines; Windows, Windows Server, Office, and other applications are given patches in a single push, helping IT bosses handle the update process with some order
  • However, with Windows 8, Microsoft delivers a number of applications through its new Windows Store
  • The company has decided to follow what I call the pedestrian path, by simply releasing updates as they are ready
  • There is an exception to this, in that if a security bug affects software that would normally be fixed during Patch Tuesday, the update will go out to both at the same time. This limits the ability for hackers to note a fix in one piece of code, and exploit the same weakness in other software.


Mobile Malcoders Pay to (Google) Play

http://krebsonsecurity.com/2013/03/mobile-malcoders-pay-to-google-play/

  • An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits
  • brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale
  • Google charges just $25 for Android developers who wish to sell their applications through the Google Play marketplace, but it also requires the accounts to be approved and tied to a specific domain
  • The buyer in this case is offering $100 for sellers willing to part with an active, verified Play account that  is tied to a dedicated server.
  • Last year, malware on smartphones increased more than 780 percent over 2011, according to Kaspersky
  • 99 percent of the mobile malware targeted Android devices
  • During 2011, an average of 800 new types of malicious programs were discovered every month
  • this figure rose in 2012 to 6,300 programs


iPhone thief posts picture of himself seemingly smoking pot on victim's Facebook page

  • 27-year-old Miss Estrada had her iPhone 4S stolen
  • It appears that the thief then taunted his victim by posting images taken with the stolen iPhone to the victim's Facebook account.
  • For once, maybe something good will come out of a smartphone user not having properly locked her device with a hard-to-crack password.
  • If you're interested in other Facebook goofs made by criminals, check out the burglar who uploaded his own picture to the victim's Facebook account and the two men who robbed an internet cafe, but forgot to log out of Facebook first.


Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

  • A particularly vociferous malware campaign has been forcefully spammed out in the last 24 hours, targeting German internet users.
  • contain an attachment which pretends to be a PDF file
  • The subject line is "Luftfrachsendung AWB", impersonating a shipping company
  • The innocent shipping company whose name was abused was caught in the crossfire and forced to suspend the email address


Wipe the drive! Stealthy Malware Persistence Mechanism - Part 1

http://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394

  • Shmoocon 2013 Jake Williams and Mark Baggett gave presentation “Wipe the Drive”
  • you should always wipe the drive and reinstall the OS after a confirmed malware infection
  • The time and effort required to accurately analyze the capabilities of malware and conduct forensic analysis to determine if those capabilities were used is usually not in the cards.
  • AV scanners and cleaners are not effective resolution
  • TECHNIQUE #1 - File Associations Hijacking
  • TECHNIQUE #2 - BITS Backdoor
  • When you have malware on your machine, just wipe the drive.


Google Doodle celebrates Douglas Adams and HHGttG - remember, "DON'T PANIC!"

http://nakedsecurity.sophos.com/2013/03/11/google-doodle-celebrates-douglas-adams-and-hhgttg-remember-dont-panic/

  • Reimaging infected computers is much quicker and more reliable these days, but it's often overkill, and (if you need to do it en masse) can still take ages and be pretty inconvenient for your users.
  • Don't Panic


Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents

  • Yahoo Mail users have been seeing their accounts broken into for months. While Yahoo says it has plugged at least two separate security holes leading to accounts getting hijacked, it appears the problem persists.
  • First reported to Yahoo in January 2013, and the activity was still being reported in March 2013
  • Attacks typically consist of Yahoo users receiving an email from a friend or colleague (and sometimes a completely unknown party) containing a link that if clicked on, results in the account being hijacked
  • The bit.ly URL that is included (we’re not linking it here for obvious reasons) redirects to a fake MSNBC page that reportedly hijacks your Yahoo Mail account immediately if you are logged in.
  • Compromised accounts are being locked out. Phone numbers are posted to a fake page where scammers attempt to get a ransom payment in exchange for an account they have compromised.
  • Potential targets are not only grabbed from your contacts list but from your “Sent” and “Inbox”
  • On January 7, a lone hacker by the name of Shahin Ramezany uploaded a video to YouTube demonstrating how to compromise a Yahoo account by leveraging a DOM-based cross-site scripting (XSS) vulnerability exploitable in all major browsers. The same day, Yahoo got back to TNW with two statements, first saying it was investigating and secondly confirming it fixed the flaw.
  • On January 8, researchers from Offensive Security let TNW know they had discovered that the vulnerability is still present, demonstrating a workaround showing they can still exploit the flaw in question.
  • On January 11, Yahoo issued a third statement to TNW: “The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we’ve now fixed the vulnerability on all versions of the site.”
  • On January 28 and January 30, two Yahoo users contacted TNW to say their account was compromised via what they believed was the same way that was described in our previous articles.
  • On January 31, we followed up with a story regarding a known flaw in the SWF Uploader component of Yahoo’s developer blog as pointed out by Bitdefender Labs. Yahoo says it fixed this flaw and recommended affected users change their passwords.
  • On February 25, February 27, March 1, and March 4 we received more emails from Yahoo users saying their accounts had been compromised.
  • reiterated its previous stance. “The XSS flaws reported to Yahoo! have been fixed and we continue to aggressively investigate reports of any email accounts exhibiting anomalous behavior,” a Yahoo spokesperson told TNW. “We’re committed to protecting our users and their data. We strongly urge our users to change their passwords frequently and to use unique, alphanumeric passwords for each online site they visit


Cyber Cold War


We have a lot to cover this week, but before we get to our list of items, here are the contact details for the Infosec Institute that we mention on the show:

Carol Currie
INFOSEC INSTITUTE / INTENSE SCHOOL
http://infosecinstitute.com
Toll Free - 866-471-0059 x 7185
Direct - 708-689-0131 x 7185

On this show we talk about (and more):

  • New Report Says Cyberspying Group Linked to China’s Army
  • Q&A on Attacks by the Comment Crew
  • Unusually detailed report links Chinese military to hacks against US
  • Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent
  • The new Presidential Executive Order and the State Of The Union speech
  • A Hacker finally has a face, and yes he is Chinese (is there a theme here?)
  • Oxford University blocks Google docs
  • New Adobe PDF Reader 0 Day and Acrobat exploit found in the wild
  • Apple provided plugin removed from browsers
  • Facebook, Twitter and Apple hack sprung from an iPhone dev forum
  • DDoS Attack on Bank Hid $900,000 cyberheist
  • ShmooCon Firetalks 2013
  • iOS 6.1 hack lets users see your phone app, place calls
  • LA Times Exploit on their website was there for 6 weeks
  • Crimeware-as-a-service
  • New vulnerability in Blackberry Enterprise Server
  • Key Figure in Police Ransomware activity and 10 of his buddies arrested


Show Notes

New Report Says Cyberspying Group Linked to China’s Army:

http://www.networkworld.com/news/2013/021913-new-report-says-cyberspying-group-266810.html?source=nww_rss


Q&A on Attacks by the Comment Crew

http://www.symantec.com/connect/blogs/apt1-qa-attacks-comment-crew

  • Mandiant
  • Called APT1
  • As far back as 2006
  • Group called the Comment Crew
  • They were dubbed the Comment Crew due to their use of HTML comments to hide communication to the command-and-control servers.
  • The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Some recent examples used by this group and blocked by Symantec technologies are listed here:
  • U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip
  • Instruction_of_KC-135_share_space.doc
  • New contact sheet of the AN-UYQ-100 contractors.pdf
  • U.S. Department of Commerce Preliminarily Determines Chinese and Vietnamese Illegally Dumped Wind Towers in the United States.doc
  • ArmyPlansConferenceOnNewGCVSolicitation.pdf
  • Chinese Oil Executive Learning From Experience.doc
  • My Eight-year In Bank Of America.pdf
  • Targets include Finance, Information Technology, Aerospace, Energy, Telecommunications, Manufacturing, Transportation, Media, and Public Services
  • Trojan.Ecltys, Backdoor.Barkiofork, and Trojan.Downbot.


Unusually detailed report links Chinese military to hacks against US

http://arstechnica.com/security/2013/02/unusually-detailed-report-links-chinese-military-to-hacks-against-us/
http://www.pressgazette.co.uk/bbc-china-crew-detained-military-after-filming-cyber-warfare-headquarters

  • Security firm Mandiant has published an unusually detailed report documenting China-sponsored hacking intrusions that have siphoned terabytes of sensitive data from 141 organizations over the past seven years.
  • latest report to lay a battery of computer intrusions at the feet at hackers linked to China's government
  • many of those claims lacked crucial details, opening them up to skeptics who complained that the lack of specificity made it difficult or impossible to conclude Chinese actors were behind attacks targeting US governmental agencies, corporations, and human rights organizations.
  • The Mandiant report is largely a response to these critics.
  • It identifies a 12-story white office tower on the outskirts of Shanghai as the nerve center for a hacking group long known to security researchers as the "Comment Crew."
  • The tower also happens to be the headquarters for the People's Liberation Army's Unit 61398, which was described in 2011 as the "premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence" by the Virginia-based nongovernmental organization known as the Project 2049 Institute.
  • Many of the claims in the Mandiant report have been independently confirmed by US intelligence officials, according to an article published by The New York Times.
  • According to Mandiant, Comment Crew has for years vacuumed up the proprietary secrets of more than 100 targets, including technology blueprints, manufacturing processes, clinical trial results, pricing documents, and negotiation strategies.
  • Of more concern, Comment Crew hackers have most recently tuned their focus to computer systems used to control dams, gasoline refineries, and other critical infrastructure.


Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent

http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/

  • In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings, OASyS SCADA, a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.
  • The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.
  • Joe Stewart, director of malware research at Dell SecureWorks and an expert on targeted attacks, said the Web site and malware names cited in the Telvent report map back to a Chinese hacking team known as the “Comment Group.”


Executive Order -- Improving Critical Infrastructure Cybersecurity

http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity


A Chinese Hacker's Identity Unmasked

http://cyb3rsleuth.blogspot.com/2011/08/chinese-threat-actor-identified.html
http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked


Google Blocks

https://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/

  • Oxford University
  • Blocking Google Docs
  • Due to Phishing
  • Oxford has been a target for phishing attacks
  • using forms on google docs


New Adobe PDF Reader 0day and Acrobat Found Exploited in the Wild

http://eromang.zataz.com/2013/02/13/new-adobe-pdf-reader-0day-and-acrobat-found-exploited-in-the-wild/
http://it.toolbox.com/blogs/personal-pc-assistant/adobe-has-scheduled-patches-for-the-latest-exploits-55085


Apple-provided Java plug-in removed with software update

http://appleinsider.com/articles/12/10/16/software-update-removes-apple-provided-java-applet-plug-in
http://support.apple.com/kb/HT5666

  • two Java updates, one for OS X 10.6 Snow Leopard and another for OS X 10.7 Lion and OS X 10.8 Mountain Lion
  • Latter removes Java plugin from all installed web browsers
  • forcing users to download the latest version curated directly by Oracle


Facebook, Twitter, Apple hack sprung from iPhone developer forum

http://arstechnica.com/security/2013/02/web-forum-for-iphone-developers-hosted-malware-that-hacked-facebook/
http://www.reuters.com/article/2013/02/19/us-apple-hackers-idUSBRE91I10920130219

  • iphonedevsdk.com could still be hosting exploit attacks
  • The Java "zero-day" exploit allowed the attackers to install a collection of malware on the Java-enabled computers of those who visited the site
  • The site is still infected; do not visit it
  • iphonedevsdk.com is an example of a "watering hole" attack.
    • These attacks compromise a site popular with a population of desired hacking victims, using security vulnerabilities to install code on the Web server hosting it, which injects attacks into the HTML sent to its visitors.
  • The exploit was the source of the attack on Twitter that led to the theft of Twitter usernames and passwords, according to a source familiar with the attack, and was used to infect computers belonging to Apple engineers.
  • Mobile developers who have used the forum in the last few months should check their systems for signs of malware.


DDoS Attack on Bank Hid $900,000 Cyberheist

http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/

  • A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.
  • At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West — came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs.
  • KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters.
  • Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site.
  • The money mule was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000.
  • Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline.
  • It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan – a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.



ShmooCon Firetalks 2013

http://www.irongeek.com/i.php?page=videos/shmoocon-firetalks-2013#Thin_Slicing_a_Black_Swan:_A_Search_for_the_Unknowns


iOS 6.1 hack lets users see your phone app, place calls

http://news.cnet.com/8301-13579_3-57569389-37/ios-6.1-hack-lets-users-see-your-phone-app-place-calls/

  • A video showing how to perform the bypass is on YouTube
  • It gives access to recent calls, voicemail, and the ability to make calls
  • Apple is working on a fix; it will require a code upgrade
  • "Apple takes user security very seriously," the company told CNET today. "We are aware of this issue, and will deliver a fix in a future software update."



New Adobe Vulnerabilities Being Exploited in the Wild

http://www.symantec.com/connect/blogs/new-adobe-vulnerabilities-being-exploited-wild



Anonymous Planning Feb. 14 Attack on Goldman Sachs

http://analysisintelligence.com/cyber-defense/anonymous-planning-feb-14-attack-on-goldman-sachs/

  • Stood up



Exploit Sat on LA Times Website for 6 Weeks

http://krebsonsecurity.com/2013/02/exploit-sat-on-la-times-website-for-6-weeks/

  • The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.
  • since at least December 23, 2012
  • Initially denied by the LA Times, which said it was a problem with a Google ad server
  • estimated about 18 million visitors visited the infected site.




Facebook computers compromised by zero-day Java exploit

https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766
http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/

  • Facebook officials said they recently discovered that computers belonging to several of its engineers had been hacked using a zero-day Java attack that installed a collection of previously unseen malware.
  • the attack did not expose customer data, and it was contained to the laptops of a small number of Facebook engineers.
  • The attack was discovered when a suspicious domain was detected in Facebook's Domain Name Service request logs.



New Crimeware-as-a-Service Market Thriving

http://www.lightreading.com/vulnerabilities-and-threats/new-crimewareasaservice-market-thriving/211201308

  • First it was do-it-yourself malware and phishing toolkits, then it was specialized sites selling stolen FTP credentials and credit card accounts, and now it’s the next phase in cybercrime: crimeware as a service.
  • cybercriminal organizations set up shop as service providers to other bad guys, offering them online, point and click criminal software as a service -- often with customer service guarantees.
  • With relatively less effort, they can get more money. Instead of collecting data and trying to sell it, which takes more time, they build a platform to do that, and can reach a wider audience that would like to commit these crimes.
  • This lets other criminals who don’t want to install and update their own software or run their own malicious servers get their stolen information via a Web-based service that does the dirty work for them.
  • The operators of these services typically operate in small groups of five to eight people in the U.S., Netherlands, Germany, Russia, and China, he says. “The servers are hosted in Asia -- in China and Malaysia."


Cyber espionage campaign against the Uyghur community, targeting MacOSX systems

http://labs.alienvault.com/labs/index.php/2013/cyber-espionage-campaign-against-the-uyghur-community-targeting-macosx-systems/?utm_source=rss&utm_medium=rss&utm_campaign=cyber-espionage-campaign-against-the-uyghur-community-targeting-macosx-systems


BSRT-2013-003 Vulnerabilities in BlackBerry Enterprise Server components that process images could allow remote code execution

http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=F4340F5D8C8B606B9B94529CB2703746?noCount=true&externalId=KB33425&sliceId=1&cmd=&forward=nonthreadedKC&command=show&kcId=KB33425&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl




OnRamp, A Free, Open Source Ad Server From OpenX, Gets Shut Down After Getting Besieged By Hackers

http://techcrunch.com/2013/02/12/besieged-by-hackers-onramp-the-free-open-source-ad-server-from-openx-gets-shut-down/


Trending malware /phishing


BlackBerry Spam with Backdoor

http://about-threats.trendmicro.com/us/spam/468/Blackberry%20Spam%20with%20Backdoor

  • This spammed message targets BlackBerry users.
  • It is a notification asking the reader to download and open the attached .ZIP file for a full experience of their device.
  • However, the said attachment contains a backdoor, detected by Trend Micro as BKDR_ANDROM.JWS.
  • When users open the attachment, routines of the said backdoor are executed on the reader's system.


Same Old Brand New Malware Tricks

http://blog.trendmicro.com/trendlabs-security-intelligence/same-old-brand-new-malware-tricks/


Key Figure in Police Ransomware Activity Nabbed

http://blog.trendmicro.com/trendlabs-security-intelligence/key-figure-in-police-ransomware-activity-nabbed-2/
http://www.symantec.com/connect/blogs/trojanransomgerpo-criminal-arrested

  • Ransomware is a nasty scam that infiltrates your computer and tricks you into thinking that you’ve done something wrong.
  • Police ransomware in particular informs users that they need to pay their local police a fine.
  • The apparent arrest of this cybercriminal of Russian origin occurred in Dubai, United Arab Emirates.
  • The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang’s operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam.
  • The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia.


Snowmageddon - Episode 6


This week's top news... No, it is not the snow storm that wasn't.

Of course, another Java patch release for a vulnerability.

Evernote forces 50 million users to reset their passwords.

And so much more......

 

Downloads

HD   Apple HD   Apple SD   Audio MP3   Android

 

Show Notes

Oracle Issues Emergency Java Update


https://krebsonsecurity.com/2013/03/oracle-issues-emergency-java-update/

- Oracle today pushed out the third update in less than a month to fix critical vulnerabilities in its Java software
- What makes Java vulnerabilities so dangerous is that Java is a cross-platform product, meaning exploits against vulnerabilities in Java can be used to deliver malicious payloads to Mac and Linux systems just the same as they can Windows PCs.
- Java is a corporate product that somehow landed on something like 80 percent of consumer systems.
- This is a buggy program that seems to produce a reliable stream of zero-day exploit opportunities for malware writers. So, if you don’t need it, junk it.
- Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java


Evernote Forces Password Reset for 50M Users



http://www.h-online.com/security/news/item/Vulnerabilities-served-up-1810524.html 
- Online note-syncing service Evernote is forcing all of its 50 million users to reset their passwords after detecting suspicious activity on its network.
- Evernote said digital intruders gained access to customer usernames, email addresses and encrypted passwords
- The company says it has found no evidence that any of the content that users store in Evernote was accessed, changed or lost, and that there is no indication payment information for Evernote Premium or Business customers was accessed.
- now is a great time to review your password practices. At the top of the password no-no’s list is reusing your email password at any other site.



Fake Mandiant APT Report Used as Malware Lure


http://isc.sans.edu/diary/Fake+Mandiant+APT+Report+Used+as+Malware+Lure/15226
- attackers are circulating malicious versions of the PDF document. 
- The fake report was distributed as an email attachment named Mandiant.pdf 
- according to Symantec and targeted the CVE-2013-0641 vulnerability in Adobe Reader and Acrobat


The Security Risks of Compromised Digital Certificates


http://blog.trendmicro.com/trendlabs-security-intelligence/the-security-risks-of-compromised-digital-certificates/
- Last week, Trend Micro found malware samples that had been signed with digital certificates belonging to two software companies that develop specialized software. 
- Since the two digital certificates are used by developers making very specialized products, this can increase the chances that this attack will succeed.
- Both attacks used Java exploits to get onto the affected systems
- This allows different types of malware to be launched into the memory of infected system without actually dropping the physical malware file
- Using a valid digital certificate can trick the target system and even security software into thinking that the running program came from a legitimate source. We have reported on similar incidents involving signed malware in the past


Understanding Targeted Attacks: How do we defend ourselves


http://blog.trendmicro.com/trendlabs-security-intelligence/understanding-targeted-attacks-how-do-we-defend-ourselves/

- Part of identifying the network is also having a deep understanding of it, specifically the operations, processes, events, and behavior we consider normal. Knowledge of what is truly normal and what is not will help identify anomalies better and faster.
- Defend from the inside out; defence in depth
- The better attitude to take is to assume that an attack is already inside the network, as this will force us to rethink the way we are currently protecting it.


http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-targeted-attacks-requires-an-integrated-solution/
    •    we’ve talked a lot about Advanced Persistent Threats (APT), and how such threats require a different class of protection in order to be managed effectively.
    •    recent work from ISACA on the 2012 Advanced Persistent Threat (APT) Awareness Study shows 63% of security professionals said they were or could be a target for APT attacks
    •    most notably that a number of organizations are still focusing resources in the wrong direction to protect against APT attacks.
    •    Enterprises need to understand the nature of APTs to better protect their networks against APTs


From Alarming to Familiar: Different Social Engineering Techniques



http://blog.trendmicro.com/trendlabs-security-intelligence/from-alarming-to-familiar-different-social-engineering-techniques/
    •    There are also other techniques that use a different, more sober approach.
    •    These techniques do not aim to trigger alarm, but instead try to avoid it. They try to blend into their intended victims’ normal behavior, or use their interests, in order to draw them into schemes.
    •    And though these techniques are far less alarming in terms of the message they bring, they are harder to detect, and often more sinister.
    •    An example of this is the watering hole technique, which was used recently in an attack that ended up affecting companies such as Facebook and Apple.


Ichitaro Vulnerability: Another Zero-Day Exploit in the Wild



    •    http://www.symantec.com/connect/blogs/ichitaro-vulnerability-another-zero-day-exploit-wild
    •    Symantec reports seeing this exploit since mid-January
    •    Specific to Japan
    •    especially for those using the Japanese word processor software, Ichitaro.



What to Include in a Malware Analysis Report



http://zeltser.com/reverse-malware/malware-analysis-report.html


FireEye and Guidance Software Partner To Deliver Integrated Cyber Attack Detection and Incident Response Solution



http://www.fireeye.com/news-events/press-releases/read/fireeye-guidance-software-partnership-integrated-cyber-attack-detection-incident-response-solution

http://www.fireeye.com/news-events/press-releases/read/fireeye-mandiant-enhance-partnership-leveraging-fireeye-next-generation-threat-protection-platform

Bit9



https://blog.bit9.com/2013/02/25/bit9-security-incident-update/
- Bit9 continues to believe the attack against Bit9 was part of a larger campaign to infiltrate select US organizations in a very narrow market space
- We continue to believe the scope of the attack remained the landing point from the SQL injection attack and the virtual system containing the certificate. The surrounding systems were protected by Bit9 which limited lateral movement for the attackers

Punkspider enumerates web application vulnerabilities



- Punkspider essentially runs a vulnerability scan against random web sites.

http://isc.sans.edu/diary/Punkspider+enumerates+web+application+vulnerabilities/15274

Symantec Mandiant Reports


http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromise.pdf
    •    All the raw data (indicators) to help create detection signatures


Phishing goes Mobile


http://blog.trendmicro.com/trendlabs-security-intelligence/when-phishing-goes-mobile/

- 75% of mobile phishing URLs were rogue versions of well-known banking or financial sites. Once users are tricked into divulging their login credentials to these sites, cybercriminals can use these stolen data to initiate unauthorized transactions and purchases via the victim’s account. 
    •    For 2012, we found 4,000 phishing URLs designed for mobile Web
    •    Then there’s the issue of users’ attitude towards mobile devices. It’s easy for users to dismiss these as simple devices that have no major security implications


http://whatsyourstory.trendmicro.com/?cm_mmc=Social-_-Twitter-_-TW:Trend%2BMicro-_-sf9763225&sf9763225=1



Microsoft admits it was also hit by hackers, malware infects their Mac business unit



http://nakedsecurity.sophos.com/2013/02/23/microsoft-malware-attack/
    •    Microsoft published a statement on its security blog revealing that it was joining the growing list of well-known companies who had suffered at the hands of hackers.
    •    Microsoft says that a "small number of computers", including some in the company's Mac business unit, were infected by malware.
    •    the attack is similar to those which impacted the likes of Facebook and Apple, then a key part of the attack was the exploitation of a Java browser plug-in vulnerability.

http://blog.trendmicro.com/trendlabs-security-intelligence/why-is-the-watering-hole-technique-effective/
    •    Seen as early as 2009
    •    Old but new
    •    No lures needed
    ◦    Compromise a site
    ◦    Have a vulnerability to exploit
    ◦    Develop malware


http://blog.shadowserver.org/2013/02/22/comment-group-cyber-espionage-additional-information-clarification/


http://blog.trendmicro.com/trendlabs-security-intelligence/business-models-behind-information-theft/

http://windows.microsoft.com/en-us/internet-explorer/downloads/ie-10/worldwide-languages

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf
http://www.symantec.com/connect/blogs/stuxnet-05-missing-link
http://www.symantec.com/connect/blogs/stuxnet-05-disrupting-uranium-processing-natanz
http://www.symantec.com/connect/blogs/stuxnet-05-how-it-evolved

http://www.wired.com/threatlevel/2013/02/twitter-tumblr-pinterest/

http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates

https://isc.sans.edu/diary/VMware+releases+new+and+updated+security+advisories/15244

https://isc.sans.edu/diary/Chrome+25.0.1364.87+addresses+multiple+vulnerabilities+http%3Agooglechromereleases.blogspot.com.au201302stable-channel-update_21.html/15241

Broadcast Zombie Alert

 

Downloads

HD   Apple HD   Apple SD   Audio MP3   Android

 

 

In Security Decoded this week we cover the news and there is a lot of it:

* Hacker announces the Zombie Apocalypse is here over the Emergency Broadcast System
* Facebook had a Zero Day
* Multiple US Government agencies were hacked
* Zeus is showing up in Japan
* Your heating and elevator controls could be easily hacked
* A new RAT called Frutas
* More Java, Flash, PDF and Microsoft vulnerabilities announced
* The PCI Special Interest Group releases guidance around Cloud Computing
* And much more news. And we talk in detail about security certifications.

Hacked Emergency broadcast announces Zombie Apocalypse is here

http://now.msn.com/hackers-broadcast-zombie-attack-emergency-alert-on-tv?ocid=ansnow11
http://jimromenesko.com/2013/02/11/story-of-the-day/

  • Viewers in Montana who were no doubt already on the edge of their seats waiting for the results of "teen cheaters take lie detectors" were suddenly confronted with a bigger calamity on Monday. The CW station of KRTV was interrupted by an emergency alert for a zombie apocalypse. Viewers were told that "the bodies of the dead are rising from their graves and attacking the living" in several Montana counties. KRTV confirmed someone had hacked into their emergency alert system and "there is no emergency."

Fed says internal site breached by hackers, no critical functions affected - Anonymous attack on US Government

http://www.reuters.com/article/2013/02/06/net-us-usa-fed-hackers-idUSBRE91501920130206
http://www.zdnet.com/anger-rises-as-fed-confirms-anonymous-hack-downplays-us-bank-emergency-system-breach-7000010902/

http://www.zdnet.com/anonymous-reveals-ample-fed-access-fbi-opens-criminal-investigation-7000011073/

Summary: The U.S. Federal Reserve admitted members of Anonymous exploited a web application vulnerability and accessed contact information belonging to over 4,000 U.S. bankers. Anonymous leaked the stolen data by placing it on other compromised state and foreign government websites, while the Federal Reserve stressed no critical agency operations were affected. The attack is part of Anonymous’ campaign against the U.S. government in remembrance of Aaron Swartz’s death. They made a second release Friday afternoon: a directory listing of an “F:” drive, which confirms speculation that ColdFusion was running on the compromised system. It is speculation that the vulnerabilities patched by the last Adobe ColdFusion security bulletin (2013-01-15) were used to compromise the victim. The second link includes a map of the affected institutions. None are in California or New York, and they don’t conform to Fed Districts. There’s insufficient intelligence to assess the probability that the attackers have data on many more institutions; we are trying to collect intelligence to address this. Targeted email is almost certainly the greatest risk.



Energy Department networks hit by Sophisticated Cyber Attack

http://freebeacon.com/cyber-breach/
http://www.scmagazine.com/energy-department-latest-to-be-struck-by-skilled-hackers/article/279178/

  • Personal information on several hundred employees was compromised
  • There are indications the attackers had other motives, possibly including plans to gain future access to classified and other sensitive information.
  • No classified information was compromised in the cyber attack
  • The source or identity of the cyber attacker is not known, according to U.S. officials and outside security analysts. However, Chinese hackers are likely suspects because the department is known to be a major target of China for both secrets and technology.
  • The relative sophistication of the cyber attack is an indication of nation-state involvement.
  • A total of 14 computer servers and 20 workstations at the headquarters were penetrated during the attack.

'Cyber-attack' strikes govt again / Foreign Ministry says classified documents possibly stolen from computer

http://www.yomiuri.co.jp/dy/national/T130206004945.htm

  • At least 20 internal documents, including confidential items, may have been stolen from the Foreign Ministry via an official computer in an apparent cyber-attack, it has been learned.
  • The ministry said Tuesday it had examined only one computer so far, and it would examine other computers to determine whether they were infected with malware.
  • The cyber-attack followed the recent revelation at the Agriculture, Forestry and Fisheries Ministry that more than 3,000 pieces of information, including highly confidential documents, are suspected to have been stolen via unauthorized access to its computers.
  • According to the Foreign Ministry, it was notified by the National Information Security Center (NISC) on Jan. 28 that a computer at the ministry had possibly been the victim of unauthorized access. The ministry conducted an investigation and verified one of its computers had unauthorized communications with an external server.
  • The documents believed stolen include conference materials that could be considered class-2 information in terms of confidentiality according to the government's standard classification.

 

Nokia Taiwan web sites defaced

http://news.softpedia.com/news/Turkish-Hackers-Deface-4-Nokia-Taiwan-Websites-Leak-100-000-Records-327075.shtml

  • Hackers of the Turkish Ajan group have breached Nokia Taiwan’s official website (nokia.com.tw). They defaced four subdomains and leaked files that, according to the hackers, contain around 100,000 records, including user details.

 

  • The affected subdomains are member.nokia.com.tw, event.nokia.com.tw, fun.nokia.com.tw, and swipe.nokia.com.tw.

 

  • It’s difficult to determine precisely how many users are affected by the breach. However, the Nokia610_Users file contains the names, email addresses, phone numbers, and IMEIs of 440 customers.

 

  • One of the larger files, NKA073_User, contains the details of close to 20,000 users. The names, mobile phone numbers and email addresses of over 25,000 customers are stored in another file named Event_N97_User.

Citadel

http://krebsonsecurity.com/2012/05/at-the-crossroads-of-ethieves-and-cyberspies/
http://www.eweek.com/security/citadel-trojan-moves-from-crime-to-espionage/

  • Developers pulled from distribution last year
  • Now they are using it for espionage
  • McAfee reports it was used to infiltrate the governments of Japan and Poland as well as some private companies in Sweden and Denmark
  • The group behind it has been dubbed the “Poetry Group” because of the Shakespearean verses in its code
  • Appears to be a “for hire” job

 

Python and Debian wiki’s hacked

http://wiki.python.org/moin/WikiAttack2013

  • An analysis of the incident revealed that an exploit had been planted on our servers possibly as early as July 25 2012, which allowed arbitrary execution of code under the user running the MoinMoin wiki.
  • It is likely that the password information was downloaded from the server in the course of the security breach, so we recommend changing your passwords immediately, if you have used the same password for other services as well.

We’re going to blow up your boiler: Critical bug threatens hospital systems

http://arstechnica.com/security/2013/02/were-going-to-blow-up-your-boiler-critical-bug-threatens-hospital-systems/

  • 21,000 vulnerable systems found on the Internet
  • Used by banks, hospitals and others
  • Sold by Honeywell
  • Controls heating systems, elevators and other industrial equipment
  • Niagara AX-branded
  • Demonstrated at Kaspersky’s Security Analyst Summit in San Juan
  • Takes about 25 seconds to take control



Facebook Zero Day

http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/

 

  • got an email from FBI with a link
  • file that was there was done out of process and without verification
  • “red team” stood up
  • Backdoor removed
  • Exploit was used on Engineer’s laptop (the undisclosed software was then made aware of the zero-day used by Facebook in their test)
  • Did not sound the test alarm until the team was underway
  • everything was a test to see how they handled a security situation
  • Use this quote; it is a good reference to Episode 1 in our predictions, where we state cybersecurity is falling behind and needs to close the gap: "Internet security is so flawed," Facebook Chief Security Officer Joe Sullivan told Ars. "I hate to say it, but it seems everyone is in this constant losing battle if you read the headlines. We don't want to be part of those bad headlines."



Whitehole Exploit Kit

http://blog.trendmicro.com/trendlabs-security-intelligence/whitehole-exploit-kit-emerges/

  • Analysts at Trend Micro recently completed their analysis of a new exploit kit, Whitehole
  • Whitehole is just an arbitrarily chosen name to differentiate it from the Blackhole Exploit Kit
  • While similar, the Whitehole kit doesn’t use JavaScript to hide its use of “plugindetect.js”.  It simply uses the .js without trying to obfuscate it.
  • The new kit leverages existing Java vulnerabilities (one from 2011, three from 2012, and one from 2013):
    • CVE-2012-5076
    • CVE-2011-3544
    • CVE-2012-4681
    • CVE-2012-1723
    • CVE-2013-0422

 

  • The new kit is currently being used to deliver the following malware:
    • BKDR_Zaccess - known as bootkit malware; it also has the ability to download other malware or push fake applications like FakeAV
    • TROJ_Ransom - known as ransomware; typically locks systems until users are forced to pay a sum of money.  This malware is highly active in the wild and evolving at a fast pace.  We have seen this in the form of “FBI” notifications of illegal web activity.

 

  • Whitehole is still in a beta-testing mode, but its developers are already selling the kit at prices ranging from 200 to 1,800 USD

 

Adobe Flash

http://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-vulnerabilities-found-in-adobe-flash-player/
http://blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html
http://krebsonsecurity.com/2013/02/critical-flash-player-update-fixes-two-zero-days/
http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/

  • Drops multiple files
  • FireEye named the campaign “LadyBoyle”
  • Payload is 64-bit
  • One of the dropped executable files is digitally signed with an invalid certificate from MGAME Corporation, a Korean gaming company.
  • The same executable renames itself to try to pass itself off as the Google update process.
  • It creates startup registry entries for persistence after reboot.
  • The malware checks for presence of the AV processes listed below:
    • avp.exe
    • ctray.exe
    • tray.exe
    • 360tray.exe
  • It has a unique callback with the keyword “9002” and beacons to the CnC server at ieee.boeing-job.com
  • Sites Associated:
    • 369p.mail-signin.com
    • bm1k8.4pu.com
    • cti.moobesring.com
    • domcon.microtrendsoft.com
    • engage.intelfox.com
    • funny.greenitenergy.com
    • i0i0i.3322.org
    • ieee.boeing-job.com
    • krjregh.sacreeflame.com
    • lol.dns-lookup.us
    • lywja.healthsvsolu.com
    • matrix.linkerservices.com
    • mx.dns221.com
    • piping.no-ip.org
    • ru.pad62.com
    • stmp.allshell.net
    • support.icoredb.com
    • svr01.passport.serveuser.com
    • ukupdate.masteradvz.com
    • update.mysq1.net
    • update.updates.mefound.com
    • update1.mysq1.net
    • update3.effers.com
    • updatedns.itemdb.com
    • updatedns.serveuser.com
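The domain list above is only useful if it is actually swept against egress data. The following Python is an added example for these show notes, not code from FireEye, Trend Micro or Krebs: it matches the hosts in proxy-log lines against exactly the callback domains listed above. The log lines are constructed for the example (they are not real traffic), and the log format (space-separated timestamp, client IP, method, URL) is an assumption; adapt the regex to your proxy. Matching is on the normalised FQDN only, so the one-character look-alike `update.mysql.net` in the sample is deliberately not flagged while `update.mysq1.net` (with a trailing dot and a CONNECT method) is.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Callback/C2 hostnames listed above in the show notes for the LadyBoyle Flash samples.
FLASH_CNC_DOMAINS = frozenset({
    "369p.mail-signin.com", "bm1k8.4pu.com", "cti.moobesring.com",
    "domcon.microtrendsoft.com", "engage.intelfox.com", "funny.greenitenergy.com",
    "i0i0i.3322.org", "ieee.boeing-job.com", "krjregh.sacreeflame.com",
    "lol.dns-lookup.us", "lywja.healthsvsolu.com", "matrix.linkerservices.com",
    "mx.dns221.com", "piping.no-ip.org", "ru.pad62.com", "stmp.allshell.net",
    "support.icoredb.com", "svr01.passport.serveuser.com", "ukupdate.masteradvz.com",
    "update.mysq1.net", "update.updates.mefound.com", "update1.mysq1.net",
    "update3.effers.com", "updatedns.itemdb.com", "updatedns.serveuser.com",
})

# Constructed sample proxy log (timestamp, client IP, method, URL); not real traffic.
# Line 2 mixes case, line 4 is a CONNECT with a trailing-dot FQDN, line 3 is a
# one-character look-alike (mysql vs mysq1) that must NOT match, line 5 is garbage.
SAMPLE_PROXY_LOG = """\
2013-02-08T10:12:01Z 10.1.4.22 GET http://www.google.com/
2013-02-08T10:12:05Z 10.1.4.22 POST http://IEEE.Boeing-Job.com/index.asp
2013-02-08T10:13:40Z 10.1.4.37 GET http://update.mysql.net/
2013-02-08T10:14:02Z 10.1.4.37 CONNECT update.mysq1.net.:443
this line is not in the expected format
"""

# Assumed log layout: "<timestamp> <client-ip> <METHOD> <url-or-host:port>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
Hit = namedtuple("Hit", "ts src method host")


def host_from_url(url):
    """Normalise the host part of a URL or host:port string: lower-case, no trailing dot."""
    if "://" not in url:
        url = "//" + url           # let urlsplit treat a bare 'host:port' as a netloc
    host = urlsplit(url).hostname  # urlsplit already lower-cases the hostname
    return host.rstrip(".") if host else None


def find_cnc_hits(log_text, iocs=FLASH_CNC_DOMAINS):
    """Return a Hit for every well-formed log line whose host is an exact IOC match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue               # skip malformed lines rather than abort the sweep
        host = host_from_url(m.group("url"))
        if host in iocs:
            hits.append(Hit(m.group("ts"), m.group("src"), m.group("method"), host))
    return hits


if __name__ == "__main__":
    for h in find_cnc_hits(SAMPLE_PROXY_LOG):
        print(f"{h.ts} {h.src} {h.method} -> {h.host}")
```

Run against the sample it reports two hits, both from the second client. Feed it your real proxy export and, if the domain list is large, consider also matching on parent domains of the IOCs; that widens coverage but is a lower-confidence signal and is not done here.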

 

Another new PDF vulnerability

http://t.co/rsrGTOv1

  • PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1.
  • Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks.
  • The second DLL in turn drops the callback component, which talks to a remote domain.

Yahoo using old Java

http://krebsonsecurity.com/2013/02/yahoo-pushing-java-version-released-in-2008/

  • At a time when Java has come under the microscope for its multiple vulnerabilities, and companies like Apple and Mozilla urge users to update to the most current version of Java, Yahoo is still offering an application based on a 2008 version of Java
  • SiteBuilder is a free tool designed to make building a website as simple as point and click.  SiteBuilder requires Java to function.
  • Yahoo bundles this application with Java 6 Update 7.  It is not clear whether this is an oversight or whether SiteBuilder cannot function with recent versions of Java
  • The latest Java 6 release is Update 39
  • One final note about SiteBuilder: building your site with this tool may not only be hazardous to the security of your PC, it may also make it harder for your site to get the recognition it deserves. A bit of searching on this tool turned up some less than flattering results suggesting that sites built with SiteBuilder do not support an important type of website search optimization called “canonicalization.”

Cross-Platform Frutas RAT Builder and Back Door

http://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door

  • back door remote access tool (RAT) written entirely in Java
  • The Frutas RAT allows attackers to create a connect-back client JAR file to run on a compromised computer.
  • Upon receiving a back door connection, the RAT server alerts the attacker and allows them to perform various back door functions on the compromised computer, including:

 

  • Query or kill system processes
  • Browse file systems
  • Download and execute arbitrary files
  • Send popup messages
  • Open a specified website in a browser
  • Perform denial of service attacks against a specified IP address

 




Malvertising

http://www.symantec.com/connect/blogs/malvertising-and-dynamic-dns-never-ending-story

  • 5 month old malware campaign
  • uses DDNS - Dynamic Domain Hosting to help hide its source
  • delivered through advertisements on web pages
  • good link on how it works in show notes


NetSeer suffers hack, triggers Google malware warnings
http://www.zdnet.com/netseer-suffers-hack-triggers-google-malware-warnings-7000010776/

Cyber Threats Increase Around Valentines Day

http://www.symantec.com/connect/blogs/cyber-threats-increase-around-valentine-s-day

  • This year, various Valentine’s Day spam messages have started flowing through Symantec’s Probe Network. The top word combinations used in spam messages include the following:

 

  • Find-Your-Valentine
  • eCards-for-Valentine
  • Valentine’s-Day-Flowers

 

  • Malicious attachment seen: ValentineCard4you.zip, which contains a backdoor trojan



Money Transfer Spam Campaign with HTML Attachment

http://www.symantec.com/connect/blogs/money-transfer-spam-campaign-html-attachment

  • Phishers love to arouse curiosity and/or fear in the user’s mind and this stimulus can compel people to set aside all caution as well as  any safety measures they might have in place
  • users are advised to confirm a pending transaction with their bank and also told that there is a copy of a bank slip attached
  • If the HTML attachment is opened, users are shown an image of a payment order. It is interesting to note that this image is very faint and very difficult to read. Using a meta tag with HTTP-EQUIV="REFRESH", the page makes this image disappear after four seconds. Displaying the receipt for only a short time is an attempt to arouse enough interest in the user that they will venture further into the trap.
  • The page refreshes after four seconds and a popup appears that states that the user has been signed out of their email account and needs to sign in again to view the bank slip.
  • On clicking the only optional button, users are shown a website that resembles a well-known bank login page. If users input their bank credentials or their email address on this page, their information is sent to the scammers and may be used for nefarious purposes.
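The two building blocks of this attachment (a timed meta refresh and a credential form posting off-host) are easy to pick out mechanically before a user ever opens the file. The Python below is an added example written for these notes, not code from Symantec: a small `html.parser` based scanner that reports meta-refresh targets and any form containing a password field, together with the host each points at. The sample attachment is constructed to mirror the description above; `secure-login.example.invalid` is a placeholder domain, not an indicator from the original report.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the attachment described above. The faint image,
# the 4-second refresh and the bank-style login form are the tells; the domain is
# an invented placeholder (.invalid is reserved and never resolves).
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="4; url=http://secure-login.example.invalid/verify.php">
<title>Payment order</title></head>
<body style="background:#fff">
<img src="slip.png" style="opacity:0.08" alt="payment order">
<form method="post" action="http://secure-login.example.invalid/verify.php">
  <input type="text" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
</body></html>"""


class PhishHtmlScanner(HTMLParser):
    """Collects meta-refresh targets and forms that ask for a password."""

    def __init__(self):
        super().__init__()
        self.refresh_targets = []   # URLs from <meta http-equiv="refresh" content="N; url=...">
        self.forms = []             # [{"action": str, "has_password": bool}, ...]
        self._form = None           # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = ""
            for part in a.get("content", "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    target = part[4:].strip().strip("'\"")
            self.refresh_targets.append(target)
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None \
                and a.get("type", "").lower() == "password":
            self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def scan_html_attachment(html):
    """Return (finding_kind, host) tuples for the phishing tells found in the HTML."""
    p = PhishHtmlScanner()
    p.feed(html)
    p.close()
    findings = []
    for target in p.refresh_targets:
        findings.append(("meta_refresh", urlsplit(target).hostname or target))
    for f in p.forms:
        if f["has_password"]:
            # A relative action means the form posts back to the file itself (no host).
            findings.append(("credential_form", urlsplit(f["action"]).hostname or "(local)"))
    return findings


def is_suspicious(html):
    """A mailed HTML file with either tell deserves quarantine and a closer look."""
    return any(kind in ("meta_refresh", "credential_form")
               for kind, _ in scan_html_attachment(html))


if __name__ == "__main__":
    for kind, host in scan_html_attachment(SAMPLE_ATTACHMENT):
        print(f"{kind}: {host}")
```

Wire `is_suspicious` into a mail-gateway hook that receives the decoded attachment bytes, and log the hosts it returns: they are the same scammer infrastructure the phishing page itself will POST to, so they double as block-list candidates.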

 

Phishing: The Easy Way to Compromise Twitter Accounts

http://www.symantec.com/connect/blogs/phishing-easy-way-compromise-twitter-accounts

  • Did you see this pic of you?
  • If the link is clicked, the browser is directed to a page that informs the user that they need to sign-in to their account to proceed. The page looks like it belongs to Twitter but it is actually a phishing page hosted on a server prepared by the attacker.
  • No matter what is entered into the login fields, correct or incorrect credentials, the user will appear back in their session.
  • Looks just like twitter
  • However, another fake page informs the user that the page they were attempting to visit does not exist.  The page then redirects back to the legitimate Twitter page and the user is unaware of anything malicious having taken place.




Microsoft, Symantec Hijack ‘Bamital’ Botnet

http://krebsonsecurity.com/2013/02/microsoft-symantec-hijack-bamital-botnet/
http://www.symantec.com/connect/blogs/bamital-bites-dust
http://www.symantec.com/tv/allvideos/details.jsp?vid=2142222223001&subcategory=security_response&pid=1&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Feb_worldwide_Bamital

  • in the last two years, more than eight million computers have been attacked by Bamital
  • Affects Search
  • Microsoft and Symantec teaming up
  • Microsoft convinced a judge at the U.S. District Court for the Eastern District of Virginia to give it control over the infrastructure that Bamital used to coordinate the search hijacking activities of host PCs
  • A webpage will be displayed to users who are infected with Bamital











Operation Beebus

http://blog.fireeye.com/research/2013/02/operation-beebus.html

  • The malicious email attachment exploits some common vulnerabilities in PDF and DOC files.
  • The malware uses a well-documented vulnerability in the Windows OS known as DLL search order hijacking
  • By dropping ntshrui.dll in C:\Windows (the directory explorer.exe runs from, which the loader searches before System32, where the legitimate copy lives), the malware achieves persistence.
  • RSA breach March 2011
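To make the ntshrui.dll trick concrete, here is an added example (written for these notes, not code from FireEye) that models the default Windows DLL search order with SafeDllSearchMode on: application directory, System32, the 16-bit System directory, the Windows directory, then the current directory (PATH directories follow and are left out here). It resolves a DLL name against a constructed file listing and reports every DLL that exists in System32 but would actually be loaded from somewhere earlier in the order. The listing is made up for the example; the `known_dlls` parameter is a simplification of the KnownDLLs registry list, which the real loader always serves from System32 regardless of search order.

```python
from pathlib import PureWindowsPath

# Constructed file listing (not a real host). The copy of ntshrui.dll in C:\Windows
# sits in explorer.exe's own directory, so it shadows the real one in System32.
SAMPLE_FILES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\ntshrui.dll",   # legitimate copy
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\ntshrui.dll",            # planted copy, as described for Beebus
]


def _norm(path):
    """Case-insensitive, backslash-normalised form for comparisons."""
    return str(PureWindowsPath(path)).lower()


def dll_search_order(exe_path, system_root=r"C:\Windows", cwd=None, safe_search=True):
    """Directories probed, in order, for a DLL loaded by bare name (PATH omitted)."""
    app_dir = str(PureWindowsPath(exe_path).parent)
    order = [app_dir, system_root + r"\System32", system_root + r"\System", system_root]
    cwd = cwd or app_dir
    if safe_search:
        order.append(cwd)        # SafeDllSearchMode on (the default): CWD comes late
    else:
        order.insert(1, cwd)     # SafeDllSearchMode off: CWD right after the app dir
    return order


def resolve_dll(dll, exe_path, files, known_dlls=frozenset(),
                system_root=r"C:\Windows", **kw):
    """Path the loader would pick for `dll` when `exe_path` loads it by name, or None."""
    present = {_norm(f) for f in files}
    if dll.lower() in {k.lower() for k in known_dlls}:
        # Simplification of KnownDLLs: always taken from System32, search order ignored.
        cand = _norm(system_root + "\\System32\\" + dll)
        return cand if cand in present else None
    for d in dll_search_order(exe_path, system_root=system_root, **kw):
        cand = _norm(d + "\\" + dll)
        if cand in present:
            return cand
    return None


def find_shadowed_dlls(exe_path, files, system_root=r"C:\Windows", **kw):
    """(dll, path actually loaded, System32 path) for every System32 DLL that gets hijacked."""
    sys32 = _norm(system_root + "\\System32") + "\\"
    hits = []
    for f in files:
        n = _norm(f)
        if n.startswith(sys32) and n.endswith(".dll") and "\\" not in n[len(sys32):]:
            dll = n[len(sys32):]
            loaded = resolve_dll(dll, exe_path, files, system_root=system_root, **kw)
            if loaded and loaded != n:
                hits.append((dll, loaded, n))
    return sorted(hits)


if __name__ == "__main__":
    for dll, loaded, expected in find_shadowed_dlls(r"C:\Windows\explorer.exe", SAMPLE_FILES):
        print(f"{dll}: loaded from {loaded}, expected {expected}")
```

On a live host the same idea becomes a sweep: list the DLLs in System32, then look for same-named files in the directories of auto-started executables and in C:\Windows itself. The model ignores side-by-side manifests and redirection, so treat its output as candidates to verify (signature, hash) rather than verdicts.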

PCI Security Standards Council releases the PCI DSS Cloud Computing Guidelines

https://www.pcisecuritystandards.org/security_standards/documents.php.

  • Public cloud environments are usually designed to allow access from anywhere on the Internet.
  • Perimeter boundaries between client environments can be fluid.
  • Clients may have limited or no oversight or control over cardholder data storage. Organizations might not know where cardholder data is physically stored, or the location(s) can regularly change. For redundancy or high availability reasons, data could be stored in multiple locations at any given time.
  • It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.

 

Dark Side of Home Automation

http://blog.trendmicro.com/trendlabs-security-intelligence/the-dark-side-of-home-automation/

  • X10. Because X10 devices use 4-bit ID numbers, they are vulnerable to brute-force attacks. Furthermore, because a device can be turned off with just one command, a thief can turn off an X10-based alarm and infiltrate a victim’s house.
  • Z-Wave. Using tools readily available on the Internet, an attacker can sniff all traffic that flows in the WPAN. With this information, an attacker can monitor a user’s day-to-day activities and gain information on the kind of devices used at home and how they are controlled. More tech-savvy thieves can even inject arbitrary commands into the WPAN.
  • ZigBee. Though ZigBee-based devices have more secure communications, problems still exist in the gateway between the WPAN and an IP network. An attacker can bypass ZigBee authentication due to a user’s weak password or a misconfiguration, allowing them to access devices like security cameras. With this, an attacker can monitor the user’s daily activities and change the gateway configuration to point at a fake Domain Name System (DNS) or proxy server, which may lead to data theft.



Patch Tuesday

http://krebsonsecurity.com/2013/02/microsoft-adobe-release-critical-security-updates/

  • Five of the 12 patches Microsoft released today earned its most dire “critical” label
  • Thirteen of the 57 bugs squashed in Microsoft’s patch batch address issues with Internet Explorer
  • Other critical patches fix problems in the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, and flaws in the way Windows handles certain media files.
  • The remaining critical patch fixes a flaw that is present only on Windows XP systems.






Strategy Analytics: Android and Apple iOS Capture a Record 92 Percent Share of Global Smartphone Shipments in Q4 2012
http://www.businesswire.com/news/home/20130128005593/en/Strategy-Analytics-Android-Apple-iOS-Capture-Record

 

Security Firms Stolen Crypto Key Used To Sign Malware

http://arstechnica.com/security/2013/02/cooks-steal-security-firms-crypto-key-use-it-to-sign-malware/

  • Malware was digitally signed with Bit9’s stolen code-signing key
  • Infected 3 of Bit9’s customers
  • By stealing the key, the attackers made their malware trusted by Bit9’s application whitelisting
  • In effect, anything signed with the stolen key was allowed to run on an affected customer’s network
  • "Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,"
  • Keys were not stored in a secure location
  • Certs have been revoked
  • There is no indication that the company’s whitelisting products themselves have been compromised
  • This parallels the 2011 RSA breach, where customers were compromised through a theft of confidential data.

 

Security Certifications

 

  • Original question came from Christian Fellows of Eugene AR

 

  • Basically 2 tracks: management and technical.  Some certifications cross over, but are not strong in both

 

  • Product Specific Certifications

 

Management

Certified Information Systems Security Professional(CISSP)

 

  • 10 domains of security
    • Access Control – a collection of mechanisms that work together to create security architecture to protect the assets of the information system.
      • Concepts/methodologies/techniques
      • Effectiveness
      • Attacks

 

  • Telecommunications and Network Security – discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.
    • Network architecture and design
    • Communication channels
    • Network components
    • Network attacks

 

  • Information Security Governance and Risk Management – the identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
    • Security governance and policy
    • Information classification/ownership
    • Contractual agreements and procurement processes
    • Risk management concepts
    • Personnel security
    • Security education, training and awareness
    • Certification and accreditation

 

  • Software Development Security – refers to the controls that are included within systems and applications software and the steps used in their development.
    • Systems development life cycle (SDLC)
    • Application environment and security controls
    • Effectiveness of application security

 

  • Cryptography – the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.
    • Encryption concepts
    • Digital signatures
    • Cryptanalytic attacks
    • Public Key Infrastructure (PKI)
    • Information hiding alternatives

 

  • Security Architecture and Design – contains the concepts, principles, structures and standards used to design, implement, monitor, and secure, operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.
    • Fundamental concepts of security models
    • Capabilities of information systems (e.g. memory protection, virtualization)
    • Countermeasure principles
    • Vulnerabilities and threats (e.g. cloud computing, aggregation, data flow control)

 

  • Operations Security – used to identify the controls over hardware, media and the operators with access privileges to any of these resources.
    • Resource protection
    • Incident response
    • Attack prevention and response
    • Patch and vulnerability management

 

  • Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
    • Business impact analysis
    • Recovery strategy
    • Disaster recovery process
    • Provide training

 

  • Legal, Regulations, Investigations and Compliance – addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.
    • Legal issues
    • Investigations
    • Forensic procedures
    • Compliance requirements/procedures

 

  • Physical (Environmental) Security – addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information.
    • Site/facility design considerations
    • Perimeter security
    • Internal security
    • Facilities security

 

Security+ - CompTIA

 

  • Network Security (21% of exam)
  • Compliance and Operational Security (18%)
  • Threats and Vulnerabilities (21%)
  • Application, Data and Host Security (16%)
  • Access Control and Identity Management (13%)
  • Cryptography (11%)

 

Certified Information Security Manager (CISM) - ISACA

 

  • Information Security Governance
  • Information Security Steering Group
  • Legal and regulatory issues
  • Information Security Process Improvement
  • Recovery Time Objectives
  • Security Metrics
  • Due Diligence
  • Security Baselines
  • Disaster recovery
  • Collecting and presenting evidence
  • Cost Benefit Analysis
  • Privacy and Tax laws

 

Certified Information Security Auditor (CISA) - ISACA

 

  • ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
  • Control objectives and controls related to IS
  • COBIT controls
  • Procedures used to store, retrieve, transport, and dispose of confidential information assets
  • Control Self-Assessment (CSA)
  • IS auditing practices and techniques
  • IT governance frameworks
  • Quality management strategies and policies
  • Risk management methodologies and tools
  • Use of control frameworks (e.g., COBIT, COSO, ISO 17799)
  • Practices for monitoring and reporting of IT performance
  • Benefits management practices for CISA Certification
  • Processes for managing emergency changes to the production systems

 

Certified in Risk and Information Control (CRISC - “see-risk”) - ISACA

 

  • Risk Identification, Assessment and Evaluation (RI)
  • Risk Response (RR)
  • Risk Monitoring (RM)
  • IS Control Design and Implementation (CD)
  • IS Control Monitoring and Maintenance (MM)

 

Certified in the Governance of Enterprise IT (CGEIT) - ISACA

 

  • For experienced IT governance personnel.
  • Covers:
    • IT Governance
    • Strategic Alignment
    • Value Delivery
    • Risk Management
    • Resource Management
    • Performance Measurement



Technical

Certified Ethical Hacker (CEH) - EC-Council

 

  • Required for some administrator positions in the US government
  • Penetration testing methodologies
  • Stealthy network recon
  • Passive traffic identification
  • Remote root vulnerability exploitation
  • Privilege escalation hacking
  • IPv6 Vulnerabilities
  • Remote access trojan hacking
  • Running shellcode in RAM vs. on disk
  • Wireless insecurity
  • Breaking IP-based ACLs via spoofing
  • Abusing Windows Named Pipes for Domain Impersonation
  • Evidence removal and anti-forensics
  • Attacking network infrastructure devices
  • Hacking by brute forcing remotely
  • Hiding exploit payloads in jpeg and gif image files
  • Hacking Web Applications
  • Breaking into databases with SQL Injection
  • Cross Site Scripting hacking
  • Hacking into Cisco routers
  • Justifying a penetration test to management & customers
  • CEH review
  • Defensive techniques

 

EC-Council Certified Security Analyst (ECSA) - EC-Council (ADVANCED ETHICAL HACKING)

 

  • Leverage 0day (private unreleased exploits) attacks as part of the “Advanced Persistent Threat”
  • Run sophisticated attacks against client side applications
  • Use fuzzers and dynamic analysis to attack custom and COTS apps
  • Reverse engineer binaries to find new vulnerabilities never discovered before
  • Exploit secured web applications
  • Run chained exploits to pivot from multiple exploitable systems
  • Attack and defeat VPNs, IDS/IPS and other security technologies

 

Certified Computer Hack Forensic Investigator (CHFI) - EC-Council

 

  • Computer Forensics Training with open source tools
  • Overview of Computer Crime
  • Preparing sterile examination media
  • Acquisition, collection and seizure of magnetic media.
  • Documenting a "Chain of Custody"
  • Understanding Microsoft Windows from a forensics point of view
  • Working with NTFS
  • Combing Partition table and boot record
  • Investigating The Master File Table (MFT)
  • Recovering Internet Usage Data
  • Recovering: Swap Files/Temporary Files/Cache Files
  • Digital Camera Computer Forensics
  • PDA and Mobile Computer Forensics
  • Linux/Unix computer forensics
  • Investigating data streams
  • File storage dates and times
  • File deletion/recovery
  • Preservation and safe handling of original media
  • Making bitstream copies of original media
  • Common data hiding techniques
  • Examining CD-ROM media
  • Carving out files "hidden" in unallocated disk space
  • Issues when presenting data in court
  • The marking, storage and transmittal of evidence.
  • Word document forensics and password cracking
  • Use tools such as EnCase Forensic Edition, X-Ways Forensics Edition, Paraben, Forensic ToolKit (FTK), Linux dd, etc.

 

Certified Penetration Tester (CPT) - IACRB

 

  • Writing buffer overflow exploits
  • dlmalloc Heap Overflow exploits
  • Win32 Heap Overflow exploits
  • Linux stack overflow exploits
  • Defeating non-exec stacks
  • Return-to-libc shellcode
  • Function pointer overwrites
  • Crafting Injectable Shellcode
  • Defeating non-executable stacks
  • Linux LKM Rootkits
  • Windows Kernel Rootkits
  • Reverse engineering training
  • Vulnerability development and discovery
  • Attacking and blinding IDSs
  • Hiding your attacks from IDSs
  • Encrypted covert channels
  • Global Offset Table Overwrites
  • Windows Shellcode
  • Integer Overflows
  • Linux shellcode
  • "no listening port" trojans
  • A whole day on breaking through enterprise DMZs
  • Reconstructing binaries from sniffed traffic
  • Circumventing antivirus
  • Bi-directional Spoofed Communication
  • Session fixation
  • Advanced SQL Injection
  • Justifying a penetration test to management and customers
  • Defensive techniques

 

Certified Expert Penetration Tester (CEPT) - IACRB

 

  • Attacking fully patched systems
  • Buffer Overflows against Windows 2008 Server, Windows 7 clients
  • 0day attacks
  • Attacking DMZs and other secured infrastructure
  • Port Redirection
  • Compromising secured infrastructure
  • Using egghunter and meterpreter shellcode
  • Metasploit scripting and automation
  • NMAP automation
  • Running exploits in RAM vs. on disk
  • Hiding from IDSs
  • Covert Channels
  • Privilege Escalation attacks on Windows 7
  • Advanced Man In The Middle Attacks
  • Traffic Interception
  • Hijacking SSL encrypted sessions
  • MiTM VoIP attacks
  • Intercepting VoIP traffic and attacking Ethernet enabled PBXs

 

Certified Reverse Engineering Analyst (CREA) - IACRB

 

  • Understanding hashing functions
  • Working with encrypted binaries
  • Reversing UPX and other compression types
  • Discovering stack overflows
  • Discovering heap overflows
  • Creating a sandbox to isolate malware
  • Unpacking malware
  • Monitoring registry changes
  • Identifying malware communication channels
  • Understanding Digital Rights Management (DRM) implementations
  • Thwarting anti-debugger code
  • Debugging multi-threaded programs
  • Recursive traversal disassemblers
  • Reversing .NET bytecode
  • CREA Review
  • Legal issues and the DMCA
  • Understanding conditional branching statements
  • Virtual machines and bytecode
  • System vs. Code Level reversing
  • Identifying variables
  • Compilers and branch prediction
  • Memory management
  • Win32 executable formats and image sections
  • Fundamentals of IDA Pro
  • Advanced uses of IDA Pro with hostile code
  • Using Ollydbg for runtime analysis of malware
  • Kernel mode debugging with SoftICE
  • Dumping executables from memory with Dumpbin
  • Locating undocumented APIs
  • Reversing ntdll.dll
  • Obfuscation of file formats



Certified Data Recovery Professional (CDRP) - IACRB

 

  • Logical Recovery of disabled hard drives
  • Using file format recognition tools
  • Logical recovery via avoiding BIOS interrupts
  • Motions that unlock the actuator of a drive
  • Diagnosing the physical recovery of drives
  • Comparing pre-recorded sound samples to live drives
  • Logic board replacements
  • Single and Multi-Platter Swaps
  • Head Assembly replacement
  • P-List and G-List recovery
  • Addressing SMART values
  • Dealing with damaged sectors
  • Reverse scanning
  • Capturing SID protected folders
  • Resolving kernel or driver issues with a Linux bootable disk
  • Head Stack replacement
  • Working with the Service Area (SA) of a drive
  • Reviewing data structures with a Hex Editor
  • Diagnosing "clicking noises"
  • Mac OS X Data Recovery
  • Linux Data Recovery
  • RAID 0 Recovery & RAID 5 Recovery
  • Vista and Recovery of Shadow Copies
  • Clearing passwords on a password protected drive
  • Solid state drive recovery
  • Firmware issues



Certified Computer Forensics Examiner (CCFE) - IACRB

 

  • Computer Forensics Training with open source tools
  • Overview of Computer Crime
  • Preparing sterile examination media
  • Acquisition, collection and seizure of magnetic media.
  • Documenting a "Chain of Custody"
  • Understanding Microsoft Windows from a forensics point of view
  • Working with NTFS
  • Combing Partition table and boot record
  • Investigating The Master File Table (MFT)
  • Recovering Internet Usage Data
  • Recovering: Swap Files/Temporary Files/Cache Files
  • Digital Camera Computer Forensics
  • PDA and Mobile Computer Forensics
  • Linux/Unix computer forensics
  • Investigating data streams
  • File storage dates and times
  • File deletion/recovery
  • Preservation and safe handling of original media
  • Making bitstream copies of original media
  • Common data hiding techniques
  • Examining CD-ROM media
  • Carving out files "hidden" in unallocated disk space
  • Issues when presenting data in court
  • The marking, storage and transmittal of evidence.
  • Word document forensics and password cracking
  • Use tools such as EnCase Forensic Edition, X-Ways Forensics Edition, Paraben, Forensic ToolKit (FTK), Linux dd, etc.




Certified Application Security Specialist (CASS) - IACRB

 

  • Web Application (In)security
  • Core Defense Mechanisms – OWASP Top 10
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards
  • Encoding Schemes, URL Encoding, Unicode Encoding
  • Bypassing Client-Side Controls
  • Transmitting Data via the Client
  • Hacking ASP.NET ViewState
  • Decompiling Java Bytecode
  • Coping with Bytecode Obfuscation
  • Reverse Engineering ActiveX
  • Manipulating Exported Functions
  • Attacking Authentication
  • Exploiting Verbose Failure Messages
  • Exploiting Vulnerable Transmission of Credentials
  • Attacking Password Change Functionality & Forgotten Password Functionality
  • Predictable Usernames & Initial Passwords
  • Prevent Misuse of the Account Recovery Function
  • Attacking Session Management
  • Attacking Access Controls
  • Common Vulnerabilities
  • Targeting Identifier-Based Functions
  • Securing Access Controls
  • Injecting into Interpreted Languages
