Snowmageddon – Episode 6

Published: 7 March 2013
Categories: Security Decoded

This weeks top news…  No it is not the snow storm that wasn’t.  

Of course, another Java patch release for a vulnerability.

Evernote forces 50 million users to reset their passwords.

And so much more……

Downloads

HD Apple HD Apple SD Audio MP3 Android

Show Notes

Oracle Issues Emergency Java Update


https://krebsonsecurity.com/2013/03/oracle-issues-emergency-java-update/

– Oracle today pushed out the third update in less than a month to fix critical vulnerabilities in its Java software
– What makes Java vulnerabilities so dangerous is that Java is a cross-platform product, meaning exploits against vulnerabilities in Java can be used to deliver malicious payloads to Mac and Linux systems just the same as they can Windows PCs.
– Java is a corporate product that somehow landed on something like 80 percent of consumer systems.
– This is a buggy program that seems to produce a reliable stream of zero-day exploit opportunities for malware writers. So, if you don’t need it, junk it.
– Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java


Evernote Forces Password Reset for 50M Users



http://www.h-online.com/security/news/item/Vulnerabilities-served-up-1810524.html 
– Online note-syncing service Evernote is forcing all of its 50 million users to reset their passwords after detecting suspicious activity on its network.
– Evernote said digital intruders gained accessed to customer usernames, email addresses and encrypted passwords
– The company says it has found no evidence that any of the content that users store in Evernote was accessed, changed or lost, and that there is no indication payment information for Evernote Premium or Business customers was accessed.
– now is a great time to review your password practices. At the top of the password no-no’s list is reusing your email password at any other site.



Fake Mandiant APT Report Used as Malware Lure


http://isc.sans.edu/diary/Fake+Mandiant+APT+Report+Used+as+Malware+Lure/15226
– attackers are circulating malicious versions of the PDF document. 
– The fake report was distributed as an email attachment named Mandiant.pdf 
– according to Symantec and targeted the CVE-2013-0641 vulnerability in Adobe Reader and Acrobat


The Security Risks of Compromised Digital Certificates


http://blog.trendmicro.com/trendlabs-security-intelligence/the-security-risks-of-compromised-digital-certificates/
– Last week, Trend Micro found malware samples that had been signed with digital certificates belonging to two software companies that develop specialized software. 
– Since the two digital certificates are used by developers making very specialized products, this can increase the chances that this attack will succeed.
– Both attacks used Java exploits to get onto the affected systems
– This allows different types of malware to be launched into the memory of infected system without actually dropping the physical malware file
– Using a valid digital certificate can trick the target system and even security software into thinking that the running program came from a legitimate source. We have reported on similar incidents involving signed malware in the past


Understanding Targeted Attacks: How do we defend our selves


http://blog.trendmicro.com/trendlabs-security-intelligence/understanding-targeted-attacks-how-do-we-defend-ourselves/

– Part of identifying the network is also having a deep understanding of it, specifically the operations, processes, events, and behavior we consider normal. Knowledge of what is truly normal and what is not will help identify anomalies better and faster.
– Defence with inside out protection, defence with depth
– The better attitude to take is to assume that an attack is already inside the network, as this will force us to rethink the way we are currently protecting it.


http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-targeted-attacks-requires-an-integrated-solution/
    •    we’ve talked a lot Advanced Persistent Threats (APT), and how such threats require a different class of protection in order to be managed effectively.
    •    recent work from ISACA on the 2012 Advanced Persistent Threat (APT) Awareness Study shows 63% of security professionals said they were or could be a target for APT attacks
    •    most notably that a number of organizations are still focusing resources in the wrong direction to protect against APT attacks.
    •    Enterprises need to understand the nature of APTs to better protect their networks against APTs


From Alarming to Familiar: Different Social Engineering Techniques



http://blog.trendmicro.com/trendlabs-security-intelligence/from-alarming-to-familiar-different-social-engineering-techniques/
    •    There are also other techniques that use different, more sober approach.
    •    These techniques do not aim to trigger alarm, but instead to try to avoid it. They try to blend into their intended victims’ normal behavior or use their interests in order to get the them into schemes.
    •    And though these techniques are far less alarming in terms of the message they bring, they are harder to detect, and often more sinister.
    •    An example of this is the watering hole technique, which was used recently in an attack that ended up affecting companies such as Facebook and Apple.


Ichitaro Vulnerability: Another Zero-Day Exploit in the Wild



    •    http://www.symantec.com/connect/blogs/ichitaro-vulnerability-another-zero-day-exploit-wild
    •    Symatec reports seeing this exploit since mid Jan
    •    Specific to Japan
    •    especially for those using the Japanese word processor software, Ichitaro.


What to Include in a Malware Analysis Report

http://zeltser.com/reverse-malware/malware-analysis-report.html


FireEye and Guidance Software Partner To Deliver Integrated Cyber Attack Detection and Incident Response Solution

http://www.fireeye.com/news-events/press-releases/read/fireeye-guidance-software-partnership-integrated-cyber-attack-detection-incident-response-solutionhttp://www.fireeye.com/news-events/press-releases/read/fireeye-mandiant-enhance-partnership-leveraging-fireeye-next-generation-threat-protection-platform

Bit9



https://blog.bit9.com/2013/02/25/bit9-security-incident-update/
– Bit9 continues to believe the attack against Bit9 was part of a larger campaign to infiltrate select US organizations in a very narrow market space
– We continue to believe the scope of the attack remained the landing point from the SQL injection attack and the virtual system containing the certificate. The surrounding systems were protected by Bit9 which limited lateral movement for the attackers

Punkspider enumerates web application vulnerabilities



– Punkspider” runs essentially a vulnerabiliy scan on random web sites.

http://isc.sans.edu/diary/Punkspider+enumerates+web+application+vulnerabilities/15274

Symantec Mandiant Reports


http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromise.pdf
    •    All Raw data to help create detection signatures


Phishing goes Mobile


http://blog.trendmicro.com/trendlabs-security-intelligence/when-phishing-goes-mobile/

– 75% of mobile phishing URLs were rogue versions of well-known banking or financial sites. Once users are tricked into divulging their login credentials to these sites, cybercriminals can use these stolen data to initiate unauthorized transactions and purchases via the victim’s account. 
    •    For 2012, we found 4,000 phishing URLs designed for mobile Web
    •    Then there’s the issue of users’ attitude towards mobile devices. It’s easy for users to dismiss these devices as simple devices that has no major security implications


http://whatsyourstory.trendmicro.com/?cm_mmc=Social-_-Twitter-_-TW:Trend%2BMicro-_-sf9763225&sf9763225=1



Microsoft admits it was also hit by hackers, malware infects their Mac business unit



http://nakedsecurity.sophos.com/2013/02/23/microsoft-malware-attack/
    •    Microsoft published a statement on its security blog revealing that it was joining the growing list of well-known companies who had suffered at the hands of hackers.
    •    Microsoft says that a “small number of computers”, including some in the company’s Mac business unit, were infected by malware.
    •    the attack is similar to those which impacted the likes of Facebook and Apple, then a key part of the attack was the exploitation of a Java browser plug-in vulnerability.

http://blog.trendmicro.com/trendlabs-security-intelligence/why-is-the-watering-hole-technique-effective/
    •    See as early as 2009
    •    Old but new
    •    No Lures needed
    ◦    Compromise a site
    ◦    Have a vulnerability to exploit
    ◦    Develop malware


http://blog.shadowserver.org/2013/02/22/comment-group-cyber-espionage-additional-information-clarification/


http://blog.trendmicro.com/trendlabs-security-intelligence/business-models-behind-information-theft/

http://windows.microsoft.com/en-us/internet-explorer/downloads/ie-10/worldwide-languages

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf
http://www.symantec.com/connect/blogs/stuxnet-05-missing-link
http://www.symantec.com/connect/blogs/stuxnet-05-disrupting-uranium-processing-natanz
http://www.symantec.com/connect/blogs/stuxnet-05-how-it-evolved

http://www.wired.com/threatlevel/2013/02/twitter-tumblr-pinterest/

http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates

https://isc.sans.edu/diary/VMware+releases+new+and+updated+security+advisories/15244

https://isc.sans.edu/diary/Chrome+25.0.1364.87+addresses+multiple+vulnerabilities+http%3Agooglechromereleases.blogspot.com.au201302stable-channel-update_21.html/15241

Podcast: Play in new window | Download