We Live Security: News, Views, and Insight from the ESET Security Community
http://www.welivesecurity.com
Tue, 15 Apr 2014 14:39:58 +0000

Heartbleed claims British mums and Canadian tax payers as victims
http://www.welivesecurity.com/2014/04/14/mums-tax-payers-heartbleed/
Mon, 14 Apr 2014 20:57:46 +0000

The critical security vulnerability in OpenSSL known commonly as “Heartbleed” continues to raise alarms, with websites now warning that hackers have breached their systems by exploiting the bug, and stolen personal information about users.

For instance, Mumsnet – a phenomenally popular British parenting website with 1.5 million registered users – has reported that its servers were not only vulnerable, but that users’ data had been accessed as a result:

On Friday 11 April, it became apparent that what is widely known as the ‘Heartbleed bug’ had been used to access data from Mumsnet users’ accounts.

Heartbleed is a security hole that existed in OpenSSL, the security framework which most websites around the world use. There’s a summary of Heartbleed and its effects here.

On Thursday 10 April we at MNHQ became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable. As soon as it became apparent that we were, we applied the fix to close the OpenSSL security hole (known as the Heartbleed patch). However, it seems that users’ data was accessed prior to our applying this fix.

So, over the weekend, we decided we needed to ask all Mumsnet users to change their passwords. So, you will no longer be able to log in to Mumsnet with a password that you chose before 5.45pm on Saturday April 12, 2014.

We have no way of knowing which Mumsnetters were affected by this. The worst case scenario is that the data of every Mumsnet user account was accessed. That’s why we’ve required every user to reset their password.

I must admit I was a little puzzled by the statement. One of the “features” of the Heartbleed bug is that it doesn’t leave any clues that systems have been compromised, making it hard for sites to know that they have fallen victim.

However, BBC technology reporter Rory Cellan-Jones got to the bottom of the mystery when interviewing Mumsnet chief executive and founder Justine Roberts about the security scare.

In that report, Roberts says that she became aware that hackers had accessed users’ passwords when her own Mumsnet account was used without permission by a hacker, who subsequently posted a message claiming that they had accessed the account after exploiting the Heartbleed OpenSSL flaw.

A smoking gun and convincing evidence that Heartbleed was involved? Perhaps not. After all, perhaps Roberts was phished or had keylogging spyware on a computer that she had used that grabbed her password.

[Image: Mumsnet Heartbleed advisory]

However, Mumsnet was perhaps wise under the circumstances to assume the worst and force members (known as Mumsnetters) to reset any password created on or before Saturday.

And I was pleased to see as well that Mumsnet recommended users change their passwords anywhere else on the net where they might be using the same password.

It’s worth everybody realising that you should never use the same password in more than one place – otherwise you could have an account breach on a site which might not be critically important (Mumsnet, for instance) leading to much more serious hacks of your personal information elsewhere.

Meanwhile, in other news from the other side of the great Atlantic pond, the Canadian tax agency has revealed that social insurance numbers of about 900 taxpayers were removed from CRA systems by hackers exploiting the Heartbleed vulnerability.

Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

Again, it’s not clear how the Canadian authorities determined that the Heartbleed security hole had been the vehicle for stealing the taxpayers’ information.

But one thing is obvious. Now it has been publicly proven how easy it is to exploit Heartbleed, we can expect more and more online criminals to try their luck, and see what information they might be able to glean from online companies and websites that have not taken sufficient steps to protect the data on their servers.

The post Heartbleed claims British mums and Canadian tax payers as victims appeared first on We Live Security.

All eyes on Heartbleed bug: worse than feared and could affect “billions”
http://www.welivesecurity.com/2014/04/14/all-eyes-on-heartbleed-bug-worse-than-feared-and-could-affect-billions/
Mon, 14 Apr 2014 16:51:51 +0000

The full scope of the Heartbleed bug came to light in a series of reports by researchers and white-hat hackers, with some claiming a billion smartphones may be at risk, as well as a statement allegedly from the US government over its use of the bug.

The full scope of the Heartbleed bug came to light in a series of reports by researchers and white-hat hackers, as well as a statement allegedly from the government over its use of the bug.

The Heartbleed bug can, as many feared, be used to extract private SSL keys, the “Holy Grail” for a hacker – allowing access even if the Heartbleed bug is dealt with. Two white-hat hackers, Fedor Indutny and Ilkka Mattila, were both able to use Heartbleed to extract private keys in a competition set up by data security company CloudFlare. The source of the bug, which has been active for at least two years, was errors introduced by a PhD student contributing to the open-source OpenSSL project, as reported by We Live Security here.

“We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits,” said CloudFlare. The scope of the bug – which allows malicious individuals to extract information invisibly during an encryption process – was already causing widespread alarm.

Digital Trends reported that the ability to steal private keys raised the scope of Heartbleed considerably. “Having access to these private keys means hackers can return even after the Heartbleed exploit has been removed through the window.” The ‘bad guys’ will only cease to have access to this key once the server’s security certificates are all updated – which tends to happen rarely – it’s akin to having the keys to a car rather than having to break in.

Ars Technica reports that this means that merely fixing the bug may not solve the problems Heartbleed has created. Private keys are used as ‘padlocks’ for a huge amount of private data across the internet, and it is now by no means certain that the keys to the padlocks have not already been stolen.

Merely updating the open-source tool may not be enough, Ars points out. “The results are a strong indication that merely updating servers to a version of OpenSSL that’s not vulnerable to Heartbleed isn’t enough,” the site said.

“Because Heartbleed exploits don’t, by default, show up in server logs, there’s no way for sites that were vulnerable to rule out the possibility the private certificate key was plucked out of memory by hackers. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect,” the site writes.

The source of the bug, which has affected at least 500,000 sites and millions of users, was a small programming error made by a PhD student, who has spoken of his regret at the incident.

Forbes Magazine points out that few have investigated a potentially lethal aspect of the bug – its effect on smartphone apps, with Forbes claiming up to a billion handsets could be at risk. Forbes claims that any smartphone not protected by “enterprise grade” security may be at risk due to apps. “The Internet security world and the media have sounded alarms about potential vulnerabilities for consumers using “desktop” browsers to visit websites that may be running bogus server code. Yet little attention has been paid to the global problem of 40-60 billion active smartphone applications that may share some of those same servers or connect to their own group of servers that may also be compromised.”

The BBC reports that computers vulnerable to the bug are already being scanned – although it’s still not clear whether this is the work of researchers or cybercriminals. Around 500,000 servers are vulnerable according to Netcraft, although many have rapidly deployed the patch.

The bug, known as ‘Heartbleed’, is described as one of the “most serious security flaws ever found” according to the Telegraph’s report. It affects the open-source encryption software OpenSSL – which is used on millions of web servers – and has been undiscovered for more than two years. The Telegraph reports that it could have been used to steal passwords, credit card details and even encryption keys, without trace.

Major sites, including Yahoo Mail and others, are vulnerable and are scrambling to deploy fixes. A proof-of-concept exploit for the bug has already been posted on coding site GitHub.

The researchers who discovered Heartbleed say that it has left private keys and other secrets exposed “for years”. The researchers tested the vulnerability themselves and wrote that they were able to gain access to large amounts of data, leaving no trace of their presence.

“We have tested some of our own services from an attacker’s perspective,” they wrote. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information, we were able to steal from ourselves secret keys, usernames and passwords, instant messages, emails and business critical documents and communication.”

The bug was discovered by researchers from Finnish firm Codenomicon working with Google. A dedicated website helps to explain some of the risks – although the researchers admit they do not know how widely the bug has been exploited.

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet,” the firm writes.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

ESET Senior Research Fellow David Harley offers advice on how to deal with the problem: “Sites that have never run the 1.0.1 and 1.0.2-beta releases of OpenSSL including 1.0.1f and 1.0.2-beta1 shouldn’t be panicking about this, but those that are running them need to upgrade to 1.0.1g or recompile -DOPENSSL_NO_HEARTBEATS, as recommended by the OpenSSL security advisory. However, they should also be looking for and revoking (and reissuing) compromised keys, and changing user passwords. This applies even to sites that ran a vulnerable version for a while but have upgraded since, as the bug has been around since 2011. While I haven’t checked all the links and resources listed there, this site looks like an excellent starting point for sites that need to know more about the problem and its remediation, as well as the heartbleed.com page. It’s worth remembering that some embedded devices also use OpenSSL: it isn’t just a server issue.”

White-hat hackers Fedor Indutny and Ilkka Mattila successfully took on the Heartbleed hacking challenge laid down by Web performance and security company CloudFlare. “We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits,” said CloudFlare. Within nine hours, four more competitors had cracked the competition, and extracted private keys.

Big-name companies including Google, Yahoo and Dropbox are scrambling to update their systems to close the Heartbleed loophole, but the danger is far from over. Stay tuned to our lists of apps and websites that are affected for details of how to protect yourself, and follow any prompts you receive to reset your passwords from the online services you use.

TechRadar compiled a list of the best and worst advice from mainstream media – noting that for many sites, the demand for simplicity meant that the advice was, “Change your password and don’t use ‘password’ as your new password.” The incident has, at least, ignited serious debate over the security of passwords, and of encryption systems. Fox News reports that the Department of Homeland Security says that there is a clear need for the government to monitor web use.

“Our recommendation based on this finding is that everyone reissue and revoke their private keys,” CloudFlare wrote in an update today. “CloudFlare has accelerated this effort on behalf of the customers whose SSL keys we manage.”

The post All eyes on Heartbleed bug: worse than feared and could affect “billions” appeared first on We Live Security.

Taxing Times: Dealing with tax identity fraud in America
http://www.welivesecurity.com/2014/04/14/taxing-times-avoiding-tax-identity-fraud-in-america/
Mon, 14 Apr 2014 15:48:34 +0000

Filing your taxes on April 15? What if someone has already filed “your” income tax return? Sadly, this can happen, and it does happen, all too often. Here's why, and what you can do about it.

In America today, tax identity fraud is a relatively easy and low-risk means of turning law breaking into money making. So, on the eve of the April 15 deadline for filing Form 1040, the U.S. Individual Income Tax Return, it is important to consider what happens in the following nightmare scenario: someone other than you has already filed “your” income tax return.

If someone has used your identity to file a return in your name already, and you are filing electronically, your legitimate return will be rejected; if you file by mail and there is already a return on file, you will eventually get a letter from the IRS telling you about the situation, questioning your legitimate return. In both cases, any refund that is owed to you will be delayed.

Later in this article I discuss how to deal with these situations and hopefully prevent them, but first let’s look at the size and scope of the monster we’re dealing with here.

The nature of tax identity fraud

To say that tax identity fraud is rampant in America would be an understatement. The perpetrators have used this scam to steal billions, and the number of innocent victims over the last three years is in the millions. The IRS published a dossier of tax identity fraud cases it has prosecuted, listing details of the fraud committed. It makes for pretty depressing reading, apart from the fact that all of these people were convicted. Sadly, convictions are not a strong enough deterrent for some people.

Consider the case of Rashia Wilson of Tampa Bay, Florida, the self-proclaimed “Queen of IRS Tax Fraud.” She raked in millions by filing bogus returns (while convicted of stealing $3.1 million, estimates of the actual proceeds from her activities range from $7 to $20 million). And Ms. Wilson did this despite a lack of education—she never made it past sixth grade—and a lack of common sense, as demonstrated by her taunting of the authorities on her Facebook page. Yes, she bragged about her crimes on her actual Facebook page, with her real name and photos of herself waving huge wads of cash. Thanks to such lapses in judgment, Ms. Wilson is now serving a 21-year prison sentence, but she also serves as living proof that ripping off the IRS is way too easy.

Here are more staggering numbers from TIGTA (the Treasury Inspector General for Tax Administration), which reported in 2012, “Potentially fraudulent tax refunds issued total approximately $3.6 billion in 2011, which is down by $1.6 billion compared to the $5.2 billion TIGTA reported for Tax Year 2010.”

So it’s no surprise that tax identity fraud is a growth industry, impacting a disturbing 1.2 million taxpayers in calendar year 2012, but a staggering 1.6 million in the first six months of 2013. Those numbers are direct from TIGTA, whose tax identity fraud report of September 2013 (PDF) also documented the pain that taxpayers face if they fall victim to this crime. In a random sample of 100 cases reviewed, “case resolution averaged 312 days.” In other words, making things right can take 10 months, if you’re lucky.

The most common type of tax identity fraud is possible because the IRS does not immediately cross-check a taxpayer’s report of income earned and taxes paid against employer reports of income paid and taxes withheld. Refunds for over-payment of taxes are thus sent out before the W-2 and 1099 data is verified, allowing crooks to submit fake reports of taxes paid above and beyond taxes owed, resulting in a refund due. This type of fraud is further facilitated by the option to file electronically and get your refund delivered on a pre-paid cash card, or directly deposited to an anonymous card (for example, the “Green Dot” Visa or Mastercard you can buy at many drugstores has “routing and account numbers suitable for direct deposit” according to the Wall Street Journal).

Before you accuse the IRS of being completely irresponsible for behaving like this, bear in mind that Congress pushed the agency to promote electronic filing, immediate payment of refunds, direct deposit and cash cards. (The point of cash cards was to assist people who don’t have bank accounts and therefore had to use check cashing services to get their refunds, thereby falling prey to check-cashing scams.) And as far as I can tell, Congress routinely messes up the budget of the IRS, underfunding key programs in the one government agency that can show you how much incremental revenue each new hire will generate.

The IRS does have a program in place to combat tax identity fraud:

“IRS Criminal Investigation (CI) detects and investigates tax fraud and other financial fraud, including fraud related to identity theft. Identity theft is most likely to occur in our Questionable Refund Program (QRP) area where individual identities are stolen with the intent to file false returns claiming tax refunds.”

What could go wrong?

1. Your return is rejected: If you find that another tax return has been filed with your Social Security number, you should use IRS Form 14039 to alert the IRS. Do this right away. You will need to provide information about the tax year affected and a copy of the last return you filed prior to the identity theft. After you have filed this form, keep calling the IRS for updates on a regular basis to prevent your case from slipping through the cracks.

Reading the TIGTA identity fraud report referred to earlier will give you a detailed picture of where cases like this bog down. The IRS has pledged to do a better job with such cases. Try to hold them to that pledge.

2. You are asked to return a refund: This can occur if you are the victim of a different type of scam, as reported in the Wall Street Journal, in which a more skilled criminal uses routing information from a victim’s personal check. The criminal will “trick the electronic tax-payment system into transferring funds from a victim’s bank account as an estimated-tax payment to another stolen name and Social Security number, then file a refund claim transferring the stolen funds to his own account.” (See “ACH debit block” below as a means of defeating this scam.)

3. You are accused of under-reporting income: You could potentially be contacted by the IRS for not reporting income when in fact you did not earn that income. This happens when someone else gives your Social Security Number to an employer; that employee’s earnings are reported to the IRS in your name and the IRS notices you did not include them on your return. If this happens, do not panic; simply explain what happened. Remember, you are not the only person to whom this has happened, and the IRS agent will have encountered this problem before. (In my experience, IRS agents are quite reasonable and simply want to get the facts straight.)

4. You are turned down for a loan: You could find yourself turned down for a loan because of discrepancies between your tax record and those that the IRS maintains (because the IRS was tricked into accepting a return that is way different from your real situation).

How to protect yourself

Unfortunately, there is a limit to what consumers and small businesses can do right now to prevent tax identity fraud. One thing we can all do is lobby Congress to clean up this mess. In addition, here are a few defensive measures one can take:

1. Protect your Social Security Number: Do not disclose your SSN unless absolutely necessary. For example, avoid using your Social as an account identifier when using medical services (you have the right to demand an account identifier number instead, one exception being Medicare and Medicaid patients). Your Social is the prime ingredient for tax identity fraud and you don’t want to make it easy for the bad guys by being careless with this information.

2. Order your IRS Transcript: This allows you to see what the IRS has on record for you in terms of tax payments and refunds. Contrary to popular myth, the IRS does not play poker with your data; they are quite happy to share with you the data they are holding that relates to you. Just Google “IRS transcript” and you can find how to do this at irs.gov. If you use a reputable accounting service, they should be happy to get your transcript for you (the IRS will verify this request with you).

3. File your returns early: This is not always feasible, but the thinking is that it limits the opportunity for fraud in the current filing period. However, this will not stop estimated tax fraud where a criminal uses your bank account number and bank routing number to make an estimated tax payment to the IRS on behalf of a stolen name and Social Security number, then claims a refund which the IRS pays to an account under the control of the scammer.

4. Monitor your bank accounts: Always a good idea when there are so many people trying to get away with bogus charges these days. Try to review account transactions at least once a week and immediately alert your bank when you see something that you didn’t authorize. Note that some banks have alert services that will email or text you every time money is taken out of your account, a great way to stay on guard against fraud.

5. Ask your bank about an ACH debit block: Putting an ACH debit block on your account prevents crooks from taking money with this type of transfer; however, it could also prevent you from executing legitimate online or over-the-phone electronic payments.

6. Lobby for change: Yes, I mentioned this before, but it is worth repeating. And it is not as hard as you might think; you can even get apps for this. Consider the “Congress” app from the nonpartisan Sunlight Foundation, which is free and comes in iOS and Android versions. It can find your representative and let you place a call to their office with just a few clicks. For more tips on Internet lobbying, read this helpful article by Jam Kotenko on Digital Trends.

Finally, when it comes to interaction with the IRS, remember:

“The IRS does not initiate taxpayer communications through email. Unsolicited email claiming to be from the IRS, or from an IRS-related component such as EFTPS, should be reported to the IRS at phishing@irs.gov.”

Note: I am not a certified accountant, although I have worked as a tax auditor. Nothing said here should be taken as financial planning advice, and I can’t promise answers to every tax fraud related question, but I am keen to help reduce tax identity fraud and would appreciate hearing from you if you have experienced this problem.

The post Taxing Times: Dealing with tax identity fraud in America appeared first on We Live Security.

German security agency warns botnet ‘army’ has harvested 18 million emails and passwords
http://www.welivesecurity.com/2014/04/14/german-security-agency-warns-bot-army-has-harvested-18-million-emails-and-passwords/
Wed, 22 Jan 2014 16:46:40 +0000

Scans of a huge botnet have revealed that it has harvested at least 16 million usernames and passwords for email sites and other online services, according to a report released by German security agency, the Bundesamt für Sicherheit in der Informationstechnik (BSI).

The agency has not revealed what malware is behind the attack, which is also sending spam from the infected computers, according to The Register’s report. It’s also not clear what the email-password combinations provide access to.

Tim Griese, a spokesman for BSI, said that although around half of those affected are German email addresses (i.e. from the German .de domain), there are .com addresses on the list, according to PC World’s report.

Griese said, “We can’t tell more about the background,” while the investigation was ongoing, and this was also the reason that the BSI had not released details on which botnet was involved, or which malware was behind the attack.

The BSI’s FAQ says that users who are affected should check their computer, and other computers in the home, for malware, and that, “Users should change all passwords they use to log on to social networking sites, online shops, email accounts and other online services.”

According to The Inquirer’s report, a website (German-language only at present), allows users to check whether their email is among the list of victims.

Pasting an address into a box on the site results in the BSI sending victims an email with a code displayed on screen – a move which should prevent the cybercriminals sending fake emails masquerading as the BSI. “This reply e-mail also contains recommendations on necessary protective measures,” the agency said.

Under German law it is illegal for the government to contact users directly, even in cases such as this, according to PC World’s report.

ESET Senior Research Fellow David Harley says: “Where your login credentials have been revealed, it’s obviously a good idea to change your password. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him (of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”


The post German security agency warns botnet ‘army’ has harvested 18 million emails and passwords appeared first on We Live Security.

Interview: Windigo victim speaks out on the ‘stealth’ malware that attacked his global company
http://www.welivesecurity.com/2014/04/14/interview-windigo-victim-speaks-out-on-the-stealth-malware-that-attacked-his-global-company/
Mon, 14 Apr 2014 14:03:53 +0000

Francois Gagnon is a Canadian business owner who was targeted because his company had lots of servers, and many customers - victims for the gang. Gagnon didn't notice for weeks, until complaints from customers alerted him. A team of ESET experts contained the infection, and Gagnon's help with forensics was also valuable.

The post Interview: Windigo victim speaks out on the ‘stealth’ malware that attacked his global company appeared first on We Live Security.

Operation Windigo was one of the biggest operations against a criminal gang of this year – led by ESET with help from law enforcement and scientists from around the world, including Europe’s CERN (the organization behind the Large Hadron Collider). It highlighted a new, dangerous threat, where criminals target UNIX servers to redirect victims – and successfully took over thousands of servers and sites around the world.

Pierre-Marc Bureau, Security Intelligence Program Manager, says, “The malicious gang is using these servers to send spam, redirect web traffic to malicious content, and steal more server credentials to widen their operation.” At its height, Windigo sent 35 million spam messages a day and redirected 500,000 web users to malicious sites. A detailed analysis of the malware and techniques used, and the ongoing battle against Windigo, can be found here, written by Bureau. ESET researcher Olivier Bilodeau chronicles the ongoing battle against Windigo here.

The victims often never knew they were infected. Even today ESET blocks thousands of redirects from infected servers – and this arduous research has thrown light on a new, sinister face of cybercrime.

ESET researchers have helped many companies identify and neutralize the infection, and this effort goes on today. Francois Gagnon, whose company was targeted, reveals what happened when this novel, emerging threat took hold of his large company.

Bureau says, “ESET has invested months of effort to analyze, understand, and document Operation Windigo. At the peak of analysis activity, six researchers worked on the investigation. We are very proud of the current results and we continue to monitor the situation. All servers have not been cleaned and the malicious gang behind the operation is still in control of significant resources. There is still a lot of work to do!” Veteran security researcher, writer and We Live Security contributor Graham Cluley says that at one point half a million PCs were attacked a day. Most victims remained unaware.

Francois Gagnon, owner of a business whose servers in France and Canada fell victim for weeks, explains how a large business can fall prey – and not notice.

Were you aware that this sort of attack was possible?

Like most businesses of our size, we knew criminals ‘sniffed around’, but had never been the subject of a serious attack. To begin with, we didn’t realize what it was. But this did not feel like something really offensive. It was running in the background pretty silently. No crash or anything happened. I think that’s why it had infected so many servers before people started to react.

Did the nature of the attack surprise you?

One of the first things you learn in any form of hi-tech business is that anything is possible. But we knew from the start that Windigo was something different. It was subtle. No one stole our database – the first we heard was that suspicious behavior like random redirections in some websites were mentioned by some customers.

When did you realize that something very bad was happening?

We discovered that some of our servers were on Email Blacklists – used to pick out spammers. We knew that our system had sent spam. Our customers also mentioned that some of our sites – we have 2,000 – were randomly redirecting customers. It was customer complaints that helped us realize something was badly wrong. Some suspicious behaviors like random redirections in some websites were mentioned by some customers as well.

Just how ‘stealthy’ is this infection – how long did it take you to realize you were a victim?

I suppose we had been infected a few weeks before we realized what was going on. We pushed our investigation further and realized that most servers had been infected after we had opened tickets with cPanel. Their servers were infected and they infected our servers using SSH connections to us.

How did you react? Did you fear your business was under threat?

We rapidly went from not worrying to the worst worry of all – that it was an advanced threat, targeted specifically at us. We run a dozen servers and 2,000 sites. At the beginning we thought that it could be a targeted attack, but we quickly understood that many other businesses were running through the same issues. Plenty of people were talking about those strange behaviors on many forums.

Did you work closely with researchers on this – when did you realize that there were so many other victims?

We were quickly contacted by ESET and were told about how big this infection was and quickly started to work very closely with the research team. We cleaned infected servers but kept some intact for ESET’s investigation. Marc-Etienne of ESET offered advice – clean the server and reinstall. It’s a harsh cure, but we did it. We have now cleaned almost all of our infected servers and re-installed. We worked closely with ESET’s team, and some servers were used to help the researchers understand the infection. We have now reinstalled most of them.

Why were you targeted?

That is easy. We have a lot of servers, and many customers in France and Canada.

Why do you think your business was targeted?

Simply because we have many servers, and many customers in France and Canada. Thanks to the quick action of ESET, our company’s reputation was not damaged – we listened to our customers and acted. We did not suffer severe financial loss, either.

What are your feelings towards the gang behind this – and the companies still suffering?

This attack is big. Many web hosting companies were infected and didn’t even know what it was. They were told by cPanel to reinstall – and that was it. That was all the help we got. We were lucky. We worked closely with ESET, who helped put it right, and I hope we helped in turn with the Windigo project.

What is the status of your company now?

We are fully operational. We have always been cautious and took seriously any strange or suspicious behavior. If the government took these kind of attacks more seriously and invested more money to help companies such as ESET it may prevent some attacks.

An introduction to this long-running, complex malware campaign – whose perpetrators remain at large – is offered by Pierre-Marc Bureau in “Operation Windigo” here.

At his request, We Live Security used a fake name for our interviewee. The gang behind Windigo is still at large and reprisals are a possibility.

“I am responsible”: Heartbleed developer breaks silence
http://www.welivesecurity.com/2014/04/11/i-am-responsible-heartbleed-developer-breaks-silence/
Fri, 11 Apr 2014 13:12:47 +0000

The ‘Heartbleed’ flaw in an encryption technology used in millions of sites has left internet giants such as Yahoo and Minecraft developer Mojang interrupting service as they scramble to find a ‘fix’.

The source of the bug, which has affected at least 500,000 sites and millions of users, was a small programming error made by a PhD student, who has spoken of his regret at the incident.

The BBC reports that computers vulnerable to the bug are already being scanned – although it’s still not clear whether this is the work of researchers or cybercriminals. Around 500,000 servers are vulnerable according to Netcraft, although many have rapidly deployed the patch.

Ars Technica has claimed that evidence shows that sites with the bug were probed “months” before it had been revealed – which could mean that it has been exploited to steal data.

The offending code was submitted just before New Year 2012 – on 31 December 2011 – by Robin Seggelmann, then a PhD student and now no longer attached to the project. Speaking to The Guardian, he said,

“I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”

“The code… was the work of several weeks. It’s only a coincidence that it was submitted during the holiday season.”

Computing Magazine has reported that the flaw has been detected in networking equipment from Cisco and Juniper. The fact that the flaw has been found in networking gear including firewall hardware could mean the situation is even more serious. Speaking to the Wall Street Journal, a Juniper spokesperson said, “It doesn’t sound like a flip-the-switch sort of thing. I don’t know how quickly it can be resolved.”

Naturally, the internet has flooded with advice on what to do – with some alarmist pieces claiming that all passwords must be reset. Wired described the bug as “catastrophic” and claimed that the entire internet needed a password reset.

Google, for instance, said that its passwords did not need to be reset unless they were used on other sites.

Password manager application LastPass has created a tool which allows site owners and users to check if a site is vulnerable.

The flaw, in the widely used open-source encryption technology OpenSSL, could have left user data vulnerable to cybercriminals.

The bug, known as ‘Heartbleed’, is described as one of the “most serious security flaws ever found” according to the Telegraph’s report. It affects the open-source encryption software OpenSSL – which is used on millions of web servers – and went undiscovered for more than two years. The Telegraph reports that it could have been used to steal passwords, credit card details and even encryption keys, without trace.

Major sites, including Yahoo Mail, are vulnerable and are scrambling to deploy fixes. A proof-of-concept exploit for the bug has already been posted on GitHub.

The researchers who discovered Heartbleed say that it has left private keys, and other secrets exposed “for years”. The researchers tested the vulnerability themselves and wrote that they were able to gain access to large amounts of data, leaving no trace of their presence.

“We have tested some of our own services from an attacker’s perspective,” they wrote. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information, we were able steal from ourselves secret keys, usernames and passwords, instant messages, emails and business critical documents and communication.”

The bug was discovered independently by Google’s security team and by researchers from Finnish firm Codenomicon. A dedicated website helps to explain some of the risks – although the researchers admit they do not know how widely the bug has been exploited.

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet,” the firm writes.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

ESET Senior Research Fellow David Harley offers advice on how to deal with the problem, “Sites that have never run the 1.0.1 and 1.0.2-beta releases of OpenSSL including 1.0.1f and 1.0.2-beta1 shouldn’t be panicking about this, but those that are running them need to upgrade to 1.0.1g or recompile -DOPENSSL_NO_HEARTBEATS, as recommended by the OpenSSL security advisory. However, they should also be looking for and revoking (and reissuing) compromised keys, and changing user passwords. This applies even to sites that ran a vulnerable version for a while but have upgraded since, as the bug has been around since 2011. While I haven’t checked all the links and resources listed there, this site looks like an excellent starting point for sites that need to know more about the problem and its remediation, as well as the heartbleed.com page. It’s worth remembering that some embedded devices also use OpenSSL: it isn’t just a server issue.”

OpenSSL wrote on its site, “A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1.”
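To show what that missing bounds check means in practice, here is an added example in C – it is not OpenSSL’s code – that models the heartbeat handler twice: first without the check, which is the Heartbleed behaviour, and then with the two length checks against the real record length that the 1.0.1g fix introduced. The `struct conn` buffer standing in for process memory, the `session_cookie` secret planted a little further along in it, the `heartbeat_*` and `demo_*` function names and the sample request are all constructed for the illustration.

```c
/*
 * Added example (not OpenSSL's code): a simplified model of the TLS
 * heartbeat handler.  A heartbeat record is
 *     [type:1][payload_length:2][payload][padding:16]
 * and the response echoes the payload back.  The vulnerable handler trusts
 * the 16-bit length the peer supplied; the fixed handler checks it against
 * the number of bytes the record layer actually delivered.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    (1 + 2 + 65535 + HB_PADDING)   /* room for any 16-bit claim */

/* Constructed stand-in for the process memory behind one connection:
 * the received record sits at the start, unrelated data further along. */
struct conn {
    uint8_t mem[MEM_SIZE];
    size_t  rec_len;        /* bytes of mem the record layer really delivered */
};

/* Constructed sample secret, standing in for keys, cookies or passwords
 * that happen to sit nearby in the heap. */
static const char SECRET[] = "session_cookie=abc123";
#define SECRET_OFFSET 200

static struct conn g_conn;
static uint8_t     g_out[MEM_SIZE];

/* Write the response: type, echoed length, `len` bytes from `payload`, padding. */
static size_t emit_response(uint8_t *out, const uint8_t *payload, uint16_t len) {
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)len;
    memcpy(out + 3, payload, len);       /* copies `len` bytes, wherever they point */
    memset(out + 3 + len, 0, HB_PADDING);
    return 1 + 2 + (size_t)len + HB_PADDING;
}

/* Heartbleed: read the claimed length and copy that much from the payload
 * pointer, never asking whether the record was that long. */
size_t heartbeat_vulnerable(const struct conn *c, uint8_t *out) {
    const uint8_t *p = c->mem;
    if (*p++ != HB_REQUEST) return 0;
    uint16_t len = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    return emit_response(out, p, len);
}

/* Fixed (as in 1.0.1g): two checks against the real record length. */
size_t heartbeat_fixed(const struct conn *c, uint8_t *out) {
    const uint8_t *p = c->mem;
    if (c->rec_len < (size_t)(1 + 2 + HB_PADDING)) return 0;      /* no room for a header */
    if (*p++ != HB_REQUEST) return 0;
    uint16_t len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)len + HB_PADDING > c->rec_len) return 0;  /* claim exceeds record */
    return emit_response(out, p, len);
}

/* Build a request whose header claims `claimed` bytes but really carries
 * `real_payload`, and plant SECRET further along in the buffer. */
static void build_request(struct conn *c, uint16_t claimed, const char *real_payload) {
    size_t real = strlen(real_payload);
    memset(c, 0, sizeof *c);
    c->mem[0] = HB_REQUEST;
    c->mem[1] = (uint8_t)(claimed >> 8);
    c->mem[2] = (uint8_t)claimed;
    memcpy(c->mem + 3, real_payload, real);
    c->rec_len = 1 + 2 + real + HB_PADDING;
    memcpy(c->mem + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
}

/* 1 if SECRET appears anywhere in the first n bytes of out. */
static int contains_secret(const uint8_t *out, size_t n) {
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Attacker sends a 5-byte payload but claims 1000: the vulnerable handler
 * echoes 1000 bytes, including the secret planted at offset 200. */
int demo_vulnerable_leaks(void) {
    build_request(&g_conn, 1000, "hello");
    size_t n = heartbeat_vulnerable(&g_conn, g_out);
    return n == 1 + 2 + 1000 + HB_PADDING && contains_secret(g_out, n);
}

/* The same request against the fixed handler is silently dropped. */
int demo_fixed_rejects(void) {
    build_request(&g_conn, 1000, "hello");
    return heartbeat_fixed(&g_conn, g_out) == 0;
}

/* An honest request (claim matches payload) still gets its echo. */
int demo_fixed_answers_honest(void) {
    build_request(&g_conn, 5, "hello");
    size_t n = heartbeat_fixed(&g_conn, g_out);
    return n == 1 + 2 + 5 + HB_PADDING && memcmp(g_out + 3, "hello", 5) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret:      %s\n", demo_vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler rejects bogus length:   %s\n", demo_fixed_rejects() ? "yes" : "no");
    printf("fixed handler answers honest request: %s\n", demo_fixed_answers_honest() ? "yes" : "no");
    return 0;
}
```

The point to take from the model is that the output buffer was never the problem: it was always allocated to the claimed size, so nothing overflowed. The over-read is on the source side, where `memcpy` walks past the end of the real record into whatever the process happened to have in memory, and because nothing is written and no error is raised, the server has no record that it happened.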


Privacy, Social Media, and the Younger Generation
http://www.welivesecurity.com/2014/04/11/privacy-social-media-and-the-younger-generation/
Fri, 11 Apr 2014 04:40:48 +0000

When parents post photographs and information about their children to social media, what are the privacy implications for those children when they’re grown? What happens on the internet tends to stay on the internet, and not necessarily in a good way.

I was recently contacted via the WeLiveSecurity blog site by a senior journalism major at an American university, working on a research paper about child privacy and the internet, in particular the implications of the way that some parents (and guardians) post photographs and potentially sensitive information about their children to social networking sites. What are the privacy implications of the exposure of those data for those children when they have become adults?

While I’m usually happy to share the benefit of my own prejudices, I asked my colleague at ESET Lysa Myers if she had any thoughts on the topic, knowing that her interest in security and malware goes far beyond her indisputable knowledge of the bits and bytes of malware, as her recent blogs for WeLiveSecurity bear witness. Two people don’t constitute a huge sample, even in the fairly small anti-malware research community, but at least we don’t represent the same gender and age group.

You might think this would be centred on the risks to minors from exposure to the attentions of school bullies and sexual deviants, and in fact I found it impossible to answer without some reference to this kind of exposure, but in fact the main thrust of the research is a little less dramatic, though by no means less important.


Family Photos on Social Media

We were asked whether there are ethical problems when parents or guardians of children post photos and information about their children online before the children are old enough to have had a say about their digital footprint, and if so, what the problems are.

I don’t suppose that most parents think of posting pictures of their children on (say) Facebook as any different to showing them to friends and relatives in the bar or at a family dinner: after all, they probably see it as being for the benefit of much the same people, only reaching more people.  We don’t usually regard it as an ethical question if parents take photos or home movies of their children long before those children can reasonably be expected to express a truly informed opinion about whether they want that footprint (digital or analogue) to exist. It’s natural to be proud of your children. It might be less fun for the audience, or for a child-turned-adult, but it’s probably not an ethical issue. Unless you regard it as a parent’s ethical – or even moral – responsibility to think about the difference between the online and offline contexts and act accordingly.

Data Persistence 

There are at least two related problems with a digital footprint, as compared to the non-virtual world. (1) Physical photographs and other documents are (scanners and photocopiers apart) in some sense unique objects. You put a photo back in your wallet or purse and, as far as other people are concerned, it’s gone. If you trust someone enough to give them a photo or other information, you either give yours away or you generate a copy. Put it on the web/social media and you lose control over it. It’s not just your friends and relatives who see (and, potentially, keep) a copy: unless they’re anal about what they post, where, and who is able to see it, then (potentially) it’s also available to their friends/contacts and even to complete strangers. (2) The digital world may seem transient because it’s ‘just’ bits and bytes pushed through a wire, but digital data are actually extraordinarily persistent. Taking a site down or deleting an email is rarely a guarantee that the offending object no longer exists.

What happens on the internet tends to stay on the internet, and not necessarily in a good way.

The Ubiquitous Digital Footprint

The enquirer suggested that it might be considered odd for children born in the past 5-10 years not to have or want some kind of online presence, but asked ‘… is it fair for children’s parents to assume this about their children before their children have had the chance to decide whether they even want an online presence?’

I certainly know many people my own age or older who have declined to be silver surfers, and don’t have as much as a mobile phone, let alone a smartphone or a social media app. However, I’m not sure I know anyone under thirty who doesn’t have or want an online presence at all. But I can see that people might not, for many reasons, want to have their digital identity predetermined by their parents.

First Steps, First Footprints

Lysa commented:

I was just hearing from a friend about a set of parents who, for the birth of their child, created accounts in their child’s name for all the major social networking sites. They also registered a website using the child’s name as the URL. The intent was to reserve this space for their child, so that they could have a chance to create a digital presence from scratch, upon his or her 18th birthday. Until that day, these parents will not post pictures or details about the child online, so that the child can craft its online persona all on its own.

This struck me as an incredibly sweet and thoughtful gesture on the part of the parents. And yet it isn’t necessarily feasible to keep a child’s activities completely off the Internet – while friends and family may buy into this idea, more and more schools and organizations are posting pictures of children online. (That in itself may be cause for privacy legislation some day!) It might be possible to opt out of these picture days, but some children might feel like they’re being excluded from cherished social moments in that case.

That certainly seems to show a scrupulousness about preserving the child’s privacy (and safety) that might cause many proud parents to think twice about their own readiness to post about their own children.

As it happened, I recently reviewed for Virus Bulletin an eBook by Tony Anscombe that makes a similar suggestion about buying web sites on your child’s behalf to prevent his or her identity being hijacked later on in life. There are actually practical problems with this – do you buy every possible TLD that resembles your child’s name, in the hope of preventing cybersquatting? What happens if providers go out of business? How many other variables might kick in?

But more relevantly to this enquiry, perhaps, what strings are attached to services that your parents acquire for you? Perhaps there are none, at least that the parent would regard as conscious manipulation, but the parent/child relationship is often extraordinarily subtle and complex, and control is an element of that relationship from both sides. Besides, it’s part of the process of maturation to want to become more independent and intent on making one’s own decisions.

When does Parental Responsibility become Snooping?


WeLiveSecurity blogger Rob Waugh recently cited in Two-thirds of parents spy “regularly” on children’s social media accounts a survey by VoucherCloud of 2,105 UK parents regarding the social media use of children aged 13-16.

  • 55% of parents made sure they knew the passwords used by their children to social network sites and 31% signed into such accounts on a regular basis without the child’s knowledge.
  • 45% of the parents claimed to know their child/children’s email password, whilst 36% knew their social media login details for at least one of their profiles.
  • Vouchercloud’s Matthew Wood was quoted as saying “It’s sad to see that some parents feel the only way they can assess what their children are up to is via a sly look at their social media.”

I can’t disagree, but presumably a proportion of this ‘snooping’ is out of a concern for the child’s safety rather than curiosity and an urge to control, and that can certainly be seen as part of the parental role. But even accepting that argument, when does it become an unacceptable invasion of privacy? Many teenagers and not a few parents would probably think that minors are entitled to a measure of privacy long before the age of majority. And that if a parent feels compelled to monitor from time to time, all parties may be more comfortable if the possibility of occasional checking is at least openly discussed.

So when and if children’s photographs and identity-related data are posted by their parents while they’re still minors, what difference will it make to them when they reach the age where they can decide for themselves whether they want a digital presence at all?

Opting out of Social Media

Lysa commented:

That’s something we have yet to really see. This is very much the norm now, rather than the exception. It may be that as these kids who have been born since the ubiquity of the Internet reach the age of majority, we could see a rash of lawsuits relating to their desire to erase childhood records from the web.

This is a very new and tricky area which will likely take decades to hash out to some reasonable degree. The people who are old enough to make legislation had a childhood pre-Internet that was not recorded, posted and indexed by search engines. So this sort of issue is not particularly pressing for them, and may not be until their own Internet-saturated children come of age. It may also be that this simply becomes so much a part of our post-Internet culture that the presence of compromising or embarrassing photos is considered de rigueur and that the absence of such things is more cause for concern.

Without disagreeing at all with those thoughts, my own opinion is that to some extent it depends on how careful the family has been. It’s not impossible – depending on the services used – to restrict access to friends and relatives, to prevent or at least restrict casual copying and mitigate the risk of unanticipated dissemination. In some cases they will take that much care, if only because of the horror stories about misuse of data relating to children in particular and other issues such as identity theft and various kinds of scam.

It’s possible to overstate the dangers of being online in general, so it’s very possible that even parents or guardians whose security awareness isn’t particularly high won’t be putting their tweens and teens into any great danger. At any rate, no greater danger than they might put themselves into, as they go through the painful process of making their own mistakes. But as I’ve said before, on the Internet data are generally persistent: whether that matters depends on the context.

Social Attitudes and the Anthropology of Technology

[Photograph: Victoria, Piazza Regina, Valletta]

It seems to me that the issues being raised here, while interesting and important, are one facet of a larger issue. Many of us who are still working were born in the 1940s/50s when World War II was barely over and the world was mostly run by people who had been (young) contemporaries of Queen Victoria and Theodore Roosevelt. Culturally and anthropologically, it’s not surprising that older people cling to mores and attitudes still resonant of parental authority and a world where the most prevalent communications technology was represented by radio, television and the telephone, but these were far less ubiquitous than the cell-phone and mobile computing (not yet quite the same thing!) are now.

[Photograph: Theodore Roosevelt]

Our grandchildren (and their children, in some cases!) find it difficult to understand what it was like to live in a world so limited in a technological and informational sense. They have quite a different problem with information – while they understand the technology that makes it available far better than many of my generation, they have access to far too much data and lack the life experience to enable them to discriminate easily between good and bad data, information and misinformation. And our own children are stuck somewhere between those two worlds (and that includes some of the Wunderkinder of the dotcom and social media revolutions). It’s no wonder that our overall cultural and ethical development hasn’t kept pace with the technology that to some extent rules our lives.

My own daughter is well beyond the majority age, but grew up more aware than many of her generation of computing and related technologies, in part due to my work, and was an early adopter of social media.  Her own reaction to the publishing of photos was this:

…ultrasounds, baby photos etc. I think could be considered acceptable – at the end of the day a child is a child. Although maybe embarrassing, the photos do not have the same long term problems as, for instance, employers getting to see embarrassing drunken photos. I would say it’s about as unethical as showing the obligatory naked bath photo to a new boyfriend/girlfriend. If the child when old enough decides not to add to its digital footprint there is no long term harm done.

(We could get into deep discussion about the parental ‘right’ to embarrass one’s offspring, but this is a blog article, not a book :))

More contextual information such as full names and family information may present more of an ethical problem, in my book. My feeling is the issue comes alive when the information is fully traceable to those children, once they are old enough to judge for themselves whether they wish to have an online presence. If it is fully traceable then there may be issues but if not, the child can be separate from what then essentially becomes a whimsical if embarrassing look back on his or her childhood which it can choose to either acknowledge or ignore. I guess the point I’m making here is that it’s a grey area, but very much depends on the level of information available.

It’s an interesting subject which I hadn’t really thought about before now (despite my friends list being full of pictures of babies and children) and I don’t think that many people around my age have thought about it either.

Protective Parenting as Management Strategy

Rob Waugh’s article cites an article summarizing my contribution to a set of tips published by SafeSoundFamily almost a year ago: Internet Safety for Kids: 17 Cyber Safety Experts Share Tips for Keeping Children Safe Online. Its relevance here, I guess, is that I was arguing for a “gentle, guided introduction” at a very early age that would, potentially, enable parents to be more relaxed about a child’s ability to manage his or her own safety further down the line.

It may be the key is to achieve an acceptable balance between an authoritarian, protective-but-controlling model and a more laissez-faire model. (Hmm. Parenting as management strategy…) I suspect that for many people, there will be a shift from the first towards the second as the child gains maturity and is capable of greater independence. Trusting your children to make their own decisions is an important step towards ‘letting go’ in a wider sense.

The children of today seem to be eager to use technology and participate interactively in game-play and some form of social media from an early age. The age at which they should be allowed and even encouraged to do so, though, is – I think – still very much a parental decision. After all, a parent’s ability to preserve the child’s security and privacy at this point is, as Lysa suggests, a point of concern not only at the time or in the following months, but also when they become legally entitled to take control of their pre-majority records.

Having done a little work with schools (mostly at the behest of my wife, a former IT teacher), I’ve become aware of an interesting paradox. There’s a common stereotype that parents and grandparents know far less about technology than their children. In fact, a surprising number of students are fairly Luddite in their attitudes to information technology, at least as far as the formal teaching of technology is concerned. “Why do I have to learn about spreadsheets? I’m going to be a [mechanic/farmer/garbage collector…].”

Let’s disregard the fact that it’s hard to think of any occupation that could never require you to write a letter, construct a business plan, keep accounts, use a Facebook page for PR, evaluate the validity of a comparative review, or update your résumé. It seems to me that we’re talking about an implicit distinction between computing on a handheld/mobile device seen primarily as recreational, and business computing seen as closer to traditional Information Technology (IT) and computer science as taught in schools and colleges.

Skills, Responsibility and ‘Ageing Out’

Perhaps this tells us that there is a greater gulf than is usually acknowledged between young people who are highly skilled in computing and those who are adept at the use of social media on consumer devices. If I’m right, it’s possible that those in the first group are better equipped on average to protect themselves in terms of security and privacy than many who fall into the second group.

And also to exploit those who are less technologically savvy, if they so choose. I’m not aware of any useful current research – equivalent to Sarah Gordon’s research into virus writers in the 1980s and 90s – that might tell us about ethical development in modern malware creators. However, my suspicion is that the shift in recent years away from hobbyist virus writing and towards malware for profit has raised the age at which malware authors might ‘age out’ (move towards a less antisocial position).

Further Discussion/References

Finally, here are some more relevant references and resources:

  • The book review I mentioned above is available to Virus Bulletin subscribers here: Don’t forget to write.
  • Tony Anscombe’s book is here: One Parent to Another: Managing Technology and Your Teen.
  • The other book mentioned in the review, by Sorin Mustaca, is Improve Your Security. It’s less focused on teen/child issues, but does nevertheless include some relevant commentary.
  • Here’s a resource I wouldn’t have known about if I hadn’t been asked to contribute to it, and I certainly don’t agree with every opinion that was expressed there, but you may find some content there that’s of interest to you.

Unfortunately, Sarah Gordon’s papers, which made a huge contribution to our understanding of malware writers at the time, seem to be pretty hard to find on the internet these days. I’m thinking in particular of The Generic Virus Writer (written for the fourth Virus Bulletin Conference in 1994) and the follow-up paper The Generic Virus Writer II (for the 6th VB conference in 1996).

Photograph of Theodore Roosevelt from the Library of Congress
Other photographs by permission of Small Blue-Green World

David Harley
Lysa Myers
Katherine Harley

Android malware? Google will be watching your every move
http://www.welivesecurity.com/2014/04/10/bad-android-apps-google-will-be-watching-your-every-move/
Thu, 10 Apr 2014 19:55:22 +0000

Google is to boost security on its Android devices, by continuously checking apps to see that they haven’t mutated into malicious Android malware, monitoring all apps on Android devices for suspicious behavior, according to PC World.

At present, apps have to pass one “exam” on installation to prove that they don’t exhibit malicious behavior, and are then considered to be safe. But as various research projects, on both Android and iOS, have shown, it’s perfectly possible for an app to change its functions after installation to become Android malware.

Slashgear reports that the new system builds on Google’s existing “Verify apps” function, which scans apps at the point of installation, and that Google’s engineers compare it to alarm systems in the home: the previous system is like a door or window sensor, while the ongoing checks for malicious behaviour are more like movement sensors looking for intruders already within the home.

In an official Android blog post, Google wrote, “Building on Verify apps, which already protects people when they’re installing apps outside of Google Play at the time of installation, we’re rolling out a new enhancement which will now continually check devices to make sure that all apps are behaving in a safe manner, even after installation.”

The current system was introduced in 2012, and, as Google explained in a blog post, “once an application is uploaded, the service immediately starts analyzing it for known Android malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior.”

The Next Web described the move as a significant upgrade for Android malware security, saying that the company will now employ the app-scanning technology used for its app store for a “continuous audit” of apps as they run.

Maximum PC reports that Android malware is actually surprisingly rare, according to Google’s statistics. The magazine also points out that the new protection will extend to apps installed before Google’s current system began in 2012.

“Because potentially harmful applications are very rare, most people will never see a warning or any other indication that they have this additional layer of protection. But we do expect a small number of people to see warnings (which look similar to the existing Verify apps warnings) as a result of this new capability,” Google stated in a blog post. “The good news is that very few people have ever encountered this; in fact, we’ve found that fewer than 0.18 percent of installs in the last year occurred after someone received a warning that the app was potentially harmful.”

The post Android malware? Google will be watching your every move appeared first on We Live Security.

Windigo not Windigone: Linux/Ebury updated
http://www.welivesecurity.com/2014/04/10/windigo-not-windigone-linux-ebury-updated/
Thu, 10 Apr 2014 14:12:29 +0000
There have been some interesting new developments since we published our report on Operation Windigo. In this blog post you will read about a Linux/Ebury update, more details around our publicly released indicators of compromise (IOC), and we wanted to thank the security community for its help since the release of the report.

Updates to Linux/Ebury

As previously described at length, Linux/Ebury is an OpenSSH backdoor and credential stealer that is the backbone of the operation. It provides the malicious group with all the server resources it needs to run all the other malware services, be it Linux/Cdorked, Perl/Calfbot, or its own infrastructure.

As we were in the process of publishing the report, we stumbled upon version 1.3.5 of Linux/Ebury. We shared the sample, but were unable to provide more details about it in the original report due to time constraints.

The criminal gang behind Linux/Ebury has updated the code that deals with the shared memory segment so as to restrict its permissions. The permissions were rather broad previously (666) and they have restricted them to only the owner (600). We believe this was done in response to the Ebury FAQ published before our report by CERT‑Bund, which recommended looking out for shared memory with broad permissions (666). This small change could trick the administrators of infected systems into believing that their machines are not infected after all.

Figure: Ebury shared memory segment creation in version 1.3.5
Figure: Ebury shared memory segment creation before version 1.3.5

Updated Indicators of Compromise (IOC)

Both CERT‑Bund’s FAQ and our own IOCs have been updated to reflect the new permissions. This update doesn’t affect the ssh -G check, but we expect that the malicious group is working on an update right now to defeat this easy check. We will post an update to our blog if that happens.

How to determine if you are infected

Based on the feedback we received, we decided to give more details about the techniques one may use to determine if a machine is infected with the various pieces of malware from this operation.

Here we will focus on several commands and tools useful for system administrators or power-users to investigate individual systems under their control. For larger providers we advise that you look at the network-based indicators that we provided when we released our report.

Linux/Ebury

The backdoored ssh associated with Linux/Ebury carries additional “features” that were added to ssh to accommodate the malicious operators. The -G parameter is one of those. The ssh -G indicator thus relies on the fact that on a clean system there is no -G switch, meaning that when issuing the command one gets the following error:

ssh: illegal option -- G

Here is what the console looks like on a clean system:

$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

Here is what the console looks like on an infected system:

$ ssh -G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

There is no mention of the illegal option. Note that newer versions of OpenSSH will output unknown instead of illegal.

The command that we provided in our previous blog post takes advantage of this behavior, printing “System clean” if the words “illegal” or “unknown” are matched in the output of ssh -G and printing “System infected” otherwise.

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

One case of a false positive that was brought to our attention was that this technique is ineffective if the Linux distribution used on the system had applied the patches for X.509 certificate support in OpenSSH. Gentoo with the X509 USE flag is one such distribution. Use the shared memory inspection technique described below in that case.

Shared Memory Inspection

Linux/Ebury relies on POSIX shared memory segments (SHMs) for inter-process communications. Currently, it uses large segments of over 3 megabytes of memory.

First, a word of caution: other processes could legitimately create shared memory segments. Be sure to verify that sshd is the process that created the segment, as we show below.

Identifying large shared memory segments can be done by running ipcs -m as root:

# ipcs -m
------ Shared Memory Segments --------
key        shmid      owner     perms      bytes     nattch
0x00000000 0          root      644        80         2
0x00000000 32769      root      644        16384      2
0x00000000 65538      root      644        280        2
0x000010e0 465272836  root      600        3282312    0

Looking for the process that created the shared memory segment is possible with the ipcs -m -p command:

# ipcs -m -p
------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          root       4162       4183
32769      root       4162       4183
65538      root       4162       4183
465272836  root       15029      17377

Check whether the creating process is sshd with ps aux piped into grep with the process ID (replacing 15029 with the creator PID found with ipcs):

# ps aux | grep 15029
root     11531  0.0  0.0 103284   828 pts/0    S+   16:40   0:00 grep 15029
root     15029  0.0  0.0  66300  1204 ?        Ss   Jan26   0:00 /usr/sbin/sshd

An sshd process using shared memory segments of around 3 megabytes (3282312 bytes in this case) is a strong indicator of compromise.
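The two Linux/Ebury host checks above, and the shared-memory check reused for Linux/Cdorked further down, as an added example script (this is not ESET’s code or part of the original post). The parsing is kept separate from the live commands so it can be exercised on captured ipcs and ssh output; the constructed SAMPLE_IPCS_M and SAMPLE_IPCS_P values mirror the listing above. Two caveats worth knowing before relying on it: ipcs -m lists System V shared memory segments, which is what the listing shows, and OpenSSH 6.8 and later implement a real -G switch (dump the effective configuration), so on such a build the ssh -G test reports a clean binary as infected and only the shared-memory check remains useful. The size threshold and the creator process names are taken from the post.

```shell
#!/bin/sh
# Added example, not ESET's code: the Linux/Ebury host checks from the post,
# split into small functions so the parsing parts can be run against captured
# ipcs/ssh output as well as against the live system.
# Assumptions: the segment size threshold (3,000,000 bytes) and the creator
# process names come from the post; nothing else is known about Ebury here.

# Verdict for the combined output of `ssh -G`. A clean OpenSSH of the 2014 era
# rejects the switch ("illegal option", or "unknown option" on newer builds);
# Ebury's patched ssh accepts it silently. Prints "clean" or "infected".
# Caveat: OpenSSH 6.8 and later implement a real -G (dump configuration), so on
# such a build this test reports "infected" for a clean binary.
classify_ssh_g_output() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo infected
    fi
}

ebury_ssh_check() {
    classify_ssh_g_output "$(ssh -G 2>&1)"
}

# Constructed sample of `ipcs -m` and `ipcs -m -p` output, mirroring the
# listing in the post, for offline testing of the parsers below.
SAMPLE_IPCS_M='------ Shared Memory Segments --------
key        shmid      owner     perms      bytes     nattch
0x00000000 0          root      644        80         2
0x00000000 32769      root      644        16384      2
0x000010e0 465272836  root      600        3282312    0'
SAMPLE_IPCS_P='------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          root       4162       4183
32769      root       4162       4183
465272836  root       15029      17377'

# From `ipcs -m` text on stdin, print "shmid bytes perms" for every System V
# segment of at least $1 bytes (Ebury's segments are over 3 MB).
large_shm_segments() {
    awk -v min="$1" '$1 ~ /^0x/ && $5 + 0 >= min + 0 { print $2, $5, $4 }'
}

# From `ipcs -m -p` text on stdin, print the creator pid (cpid) of shmid $1.
shm_creator_pid() {
    awk -v id="$1" '$1 == id { print $3 }'
}

# Map the creator's command name to the malware family the post associates
# it with: sshd -> Linux/Ebury, web servers -> Linux/Cdorked, else "other".
classify_shm_creator() {
    case "$1" in
        sshd) echo ebury ;;
        httpd|apache2|nginx|lighttpd) echo cdorked ;;
        *) echo other ;;
    esac
}

# Live check (run as root): report large segments and who created them.
# Segments from other software (the post names suPHP) show up as "other".
shm_check() {
    ipcs -m | large_shm_segments "${1:-3000000}" |
    while read -r shmid bytes perms; do
        cpid=$(ipcs -m -p | shm_creator_pid "$shmid")
        comm=$(ps -o comm= -p "$cpid" 2>/dev/null)
        echo "shmid=$shmid bytes=$bytes perms=$perms cpid=$cpid comm=${comm:-?} verdict=$(classify_shm_creator "$comm")"
    done
}
```

Run `ebury_ssh_check` and `shm_check` as root on the host under investigation; `shm_check 3000000` prints one line per large segment with the creator’s command name, so a `verdict=other` line from suPHP or a database can be told apart from an sshd-created segment at a glance.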

Linux/Cdorked

There are a few approaches one can use to detect whether a server is infected with Linux/Cdorked. A simple way is to leverage a specific behavior of the backdoor that redirects any requests to /favicon.iso to Google.

Running this simple curl command:

curl -i http://myserver/favicon.iso | grep "Location:"

will result in the following output on an infected server:

$ curl -i http://myserver/favicon.iso | grep "Location:"
Location: http://google.com/

Depending on configuration, a clean site will return either nothing on this particular command, or a different Location header. Further inspection can be done by removing the grep portion of the command: curl -i http://myserver/favicon.iso.

Additionally, one can look at the shared memory segments similarly to the Linux/Ebury case except that the process creator of the shared memory will be apache (httpd), nginx or lighttpd. On newer variants of Linux/Cdorked remember that the permissions are more strict than before (600 instead of the previous 666).

Be careful when looking for shared memory segments since they could be normal depending on your setup. For example we know that suPHP uses shared memory.
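The /favicon.iso probe above as an added example (not ESET’s code or part of the original post), with the header parsing separated from the network call so it can be tested on a captured response. It assumes a plain HTTP server on port 80 reachable by the name or IP given, as in the curl command in the post; the SAMPLE_INFECTED_RESPONSE is constructed to look like the answer of the infected server shown above. The shared-memory side of the Linux/Cdorked check is the same procedure as for Linux/Ebury and is covered by the example in that section.

```shell
#!/bin/sh
# Added example, not ESET's code: the /favicon.iso probe from the post as a
# function pair, with header parsing separated from the network call so it can
# be tested on a captured response. Assumes a plain HTTP server on port 80
# reachable by name or IP, as in the post's curl example.

# Print the value of the Location header from raw HTTP response headers on
# stdin (case-insensitive name, CRLF tolerated); print nothing if absent.
http_location_header() {
    tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Classify a Location value. The backdoor answers /favicon.iso with a redirect
# to google.com; a clean site returns no Location or some other redirect.
classify_favicon_location() {
    case "$1" in
        "") echo "no-redirect" ;;
        http://google.com/*|http://www.google.com/*) echo "cdorked-indicator" ;;
        *) echo "other-redirect" ;;
    esac
}

# Constructed sample response, shaped like the infected server's answer in
# the post (the real server banner and other headers are unknown).
SAMPLE_INFECTED_RESPONSE='HTTP/1.1 302 Found
Server: Apache
Location: http://google.com/
Content-Length: 0
'

# Live probe: fetch only the headers (-D - writes them to stdout, -o discards
# the body) and classify the Location header.
cdorked_favicon_check() {
    host=$1
    loc=$(curl -s -D - -o /dev/null --max-time 10 "http://$host/favicon.iso" | http_location_header)
    echo "$host: $(classify_favicon_location "$loc")${loc:+ (Location: $loc)}"
}
```

`cdorked_favicon_check myserver` prints the verdict together with the Location value, so an `other-redirect` result (a site that legitimately redirects unknown paths, for instance) can be inspected by hand with the full `curl -i` command from the post.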

Perl/Calfbot

The presence of a /tmp/... file reveals that a server is infected and the file creation timestamp will accurately reflect the infection time. However, if the server is rebooted or the C&C server sends a KILL command, the file will still be present but the malware will not be running anymore. In order to confirm an active infection, one must test for the presence of a lock on /tmp/... using the following command:

flock --nb /tmp/... echo "System clean" || echo "System infected"

If a system is infected, lsof can be used to see what process owns that lock:

lsof /tmp/...

The following command can also be used to confirm that the targets of the /proc/*/exe symbolic links are the real crond executable:

pgrep -x "crond" | xargs -I '{}' ls -la "/proc/{}/exe"

Anything looking like "/tmp/ " (with a space) in the output is very suspicious.

Note that pgrep requires the procps package. If you can’t install pgrep, replace

pgrep -x crond

with

ps -ef | grep crond | grep -v grep | awk '{print $2}'
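The Perl/Calfbot checks above (marker file, flock test, /proc/<pid>/exe targets of crond, with the ps fallback when pgrep is missing) as one added example script; this is not ESET’s code or part of the original post. The marker path /tmp/... comes from the post and is parameterised so the lock and existence checks can be exercised on a temporary file. The list of expected cron binary paths is an assumption for common distributions; the “/tmp/ ” (with a space) pattern is the one the post gives.

```shell
#!/bin/sh
# Added example, not ESET's code: the Perl/Calfbot host checks from the post
# (marker file, flock test, /proc/<pid>/exe targets of crond) as functions.
# The marker path /tmp/... comes from the post; it is parameterised so the
# functions can be exercised on a temporary file instead.

# 0 if the marker file exists (infected at some point), 1 otherwise.
calfbot_marker_present() { [ -e "$1" ]; }

# 0 if another process holds a flock() on the marker (active infection),
# 1 if the lock is free or the file is missing, 2 if flock(1) is unavailable.
# The existence check comes first because flock(1) would otherwise create the
# file and plant a false marker on a clean host.
calfbot_lock_held() {
    command -v flock >/dev/null 2>&1 || return 2
    [ -e "$1" ] || return 1
    if flock -n "$1" true 2>/dev/null; then return 1; else return 0; fi
}

# Classify a resolved /proc/<pid>/exe target of a process named crond. The
# post says anything that looks like "/tmp/ " (with a space) is very
# suspicious; the expected cron paths are an assumption for common distros.
classify_exe_target() {
    case "$1" in
        *"/tmp/ "*) echo suspicious ;;
        /usr/sbin/crond|/usr/sbin/cron|/usr/bin/crond) echo expected ;;
        *) echo unexpected ;;
    esac
}

# PIDs of processes named crond: pgrep where procps is installed, otherwise
# the ps/grep/awk fallback the post gives.
crond_pids() {
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -x crond
    else
        ps -ef | grep crond | grep -v grep | awk '{print $2}'
    fi
}

# Live check: one line per crond process with its exe target and verdict.
calfbot_exe_check() {
    for pid in $(crond_pids); do
        target=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        echo "pid=$pid verdict=$(classify_exe_target "$target") exe=$target"
    done
}

# Live check of the marker file and its lock, as in the post.
calfbot_check() {
    marker=${1:-/tmp/...}
    if ! calfbot_marker_present "$marker"; then
        echo "no marker at $marker: no sign of Perl/Calfbot"
        return 0
    fi
    ls -ld "$marker"          # the file's timestamp reflects the infection time
    rc=0
    calfbot_lock_held "$marker" || rc=$?
    case $rc in
        0) echo "lock held on $marker: infection is active"
           command -v lsof >/dev/null 2>&1 && lsof "$marker" ;;
        1) echo "marker present but unlocked: malware not running (rebooted or killed)" ;;
        *) echo "flock not available; cannot test the lock" ;;
    esac
}
```

`calfbot_check` followed by `calfbot_exe_check` reproduces the three steps in the post in order; a crond whose exe target is classified `unexpected` is not necessarily malicious (a distribution may install cron elsewhere), but `suspicious` is the “/tmp/ ” pattern the post warns about.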

It’s far from over

After we released our report, we saw the malicious group reaching out to infected systems and reconfiguring them using the Xver command. Unfortunately this prevents us from reliably estimating the number of systems that were cleaned.

Since this command is one of those that triggers our Linux/Ebury snort rule, we would advise ISPs or hosting providers to try to monitor their whole network and protect their customers.

Thank you security community!

Thanks to the widespread interest in our research, we were able to raise awareness of this operation to a point where we have been contacted by many other researchers. We have engaged in new collaborations, received more samples and are getting more and more people notified and systems cleaned. These new collaborations are leading to reinvigorated efforts to shut down this operation — or at least impede its effectiveness.

We would like to invite anyone who is affected by the operation and would like to help take it down to reach us at windigo@eset.sk.

Linux/Ebury – Version 1.3.5 – libkeyutils.so : e2a204636bda486c43d7929880eba6cb8e9de068

The post Windigo not Windigone: Linux/Ebury updated appeared first on We Live Security.

10 years of Mac OS X malware
http://www.welivesecurity.com/2014/04/10/10-years-of-mac-os-x-malware/
Fri, 21 Mar 2014 15:37:38 +0000
Before we begin, let’s make one thing really clear.

The malware problem on Mac OS X is nothing like as bad as it is on Windows.

There are something like 200,000 new Windows malware variants being discovered each day. Malicious code activity in the Mac world is far less frenetic, but the fact is, malware does exist that can infect our iMacs or MacBooks.

And if your Apple computer is unlucky enough to fall victim you’re not going to feel any better than your PC-owning friends who are struggling to remove a backdoor Trojan or a pernicious browser toolbar from their copy of Windows.

Apple II

Also, it’s worth bearing in mind that Mac malware is not a new phenomenon.

Malware for Apple devices actually predates the Macintosh *and* the PC, with the first example being the Elk Cloner worm written by Rich Skrenta, and designed to infect Apple II devices way back in 1982.

But threats on Apple II and Apple computers running Mac OS 9 and earlier aren’t really relevant anymore to anyone aside from historians.

What modern Mac users care about are what malware threats exist for Mac OS X.

And, it turns out, 2014 marks the tenth anniversary of Mac OS X malware. Here are some of the more notable examples of worms and Trojan horses that have been seen for the platform in the last ten years.

Renepo (2004)

As ESET’s Mac malware facts webpage illustrates, the first malware specifically written for Mac OS X emerged in 2004.

Renepo (also known as “Opener”) was a shell script worm, and contained an arsenal of backdoor and spyware functionality in order to allow snoopers to steal information from compromised computers, turn off updates, disable the computer’s firewall, and crack passwords.

Renepo

Renepo was never going to be a serious problem for the vast majority of Mac users, as it didn’t travel over the internet and required the attacker to have access to your computer to install it. Nevertheless, it was an indicator that Apple Macs weren’t somehow magically protected against malicious code.

Leap (2006)

Leap represented, for many people observing Apple security, the first real worm for the Mac OS X operating system.

Leap could spread to other Mac users by sending poisoned iChat instant messages – making it comparable to an email or instant messaging worm.

At the time, some Mac enthusiasts leapt (geddit?) to Apple’s defence and argued that Leap “wasn’t really a virus”, but claimed it was a Trojan instead. But – in my opinion – they were wrong.

The argument typically went that because Leap required user interaction in order to infect a computer (the user had to manually open the malicious file sent to them via iChat), it couldn’t be a virus or a worm.

But many common examples of Windows malware at the time, such as MyDoom or Sobig, also required manual intervention (the user clicking on a file attachment). And yet, Mac users seemed very keen to call those examples of Windows malware “viruses” at every opportunity.

In my opinion, viruses are a superset consisting of other groups of malware, including internet worms, email worms, parasitic file viruses, companion viruses, boot sector viruses and so forth. Trojans are in an entirely different class of malware because – unlike viruses and worms – they cannot replicate themselves and cannot travel under their own steam.

Leap was rapidly followed by another piece of malware, a proof-of-concept worm called Inqtana which spread via a Bluetooth vulnerability.

So, next time someone tells you that there are no viruses for Mac OS X – you can now speak with authority and tell them, oh yes there are!

Jahlav (2007)

Things took a more serious turn with Jahlav (also known as RSPlug), a family of malware which deployed a trick commonly seen on Windows-based threats by changing an infected computer’s DNS settings. There were many versions of Jahlav, which was often disguised as a fake video codec required to watch pornographic videos.

Jahlav

Of course, the criminals behind the attacks knew that such a disguise was a highly effective example of how social engineering could trick many people into giving an application permission to run on their computer.

The truth was that many Mac users, just like their Windows-loving counterparts, could easily let their guard down if they believed it would help them see X-rated content.

MacSweep (2008)

An early example of Mac OS X scareware, MacSweep would trick users into believing it was finding security and privacy issues on their computers – but in fact any alerts it displayed were designed simply to trick unsuspecting users into purchasing the full version of the software.

Snow Leopard (2009)

Snow Leopard isn’t malware, of course. It was version 10.6 of Mac OS X, released in August 2009.

And the reason why it is included in this history of Mac OS X malware is because it was the first version of the operating system to include some built-in anti-virus protection (albeit of a very rudimentary nature).

Mac OS X Snow Leopard intercepting some malware

Apple, rattled perhaps by the widespread headline-making infections caused by the likes of the Jahlav malware family, had decided it needed to do something.

However, as its anti-virus functionality only detected malware under certain situations (and initially only covered two malware families) it was clear that security-conscious Mac users might need something better.

Boonana (2010)

This Java-based Trojan showed that multi-platform malware had well and truly arrived, attacking Macs, Linux and Windows systems.

The threat spread via messages on social networking sites, pretending to be a video and asking the enticing question “Is this you in this video?”.

Boonana

MacDefender (2011)

MacDefender saw Mac malware infections reach new heights, as many users began to report seeing bogus security warnings on their computer.

Using blackhat search engine optimisation techniques, malicious hackers managed to drive traffic to boobytrapped websites containing their rogue anti-virus scans, when users searched for particular images.

The danger, of course, was that users were being duped into handing over their credit cards in order to purchase a “solution” to the alarming messages.

MacDefender

Tens of thousands of people contacted Apple’s technical support lines, requesting assistance.

Flashback (2011/2012)

The Flashback malware outbreak of 2011/2012 was the most widespread attack seen on the Mac platform to date, hitting more than 600,000 Mac computers.

Flashback

The attack posed as a bogus installer for Adobe Flash and exploited an unpatched vulnerability in Java, with the intention of stealing data (such as passwords and banking information) from compromised Mac computers, and redirecting search engine results to defraud users and direct them to other malicious content.

In September 2012, ESET researchers published a comprehensive technical analysis of the Flashback threat which is well worth a read, if you want to know more.

Lamadai, Kitm and Hackback (2013)

In recent years, Macs have also been used for espionage – and naturally suspicious fingers have begun to point towards intelligence agencies and government-backed hackers when very specific victims are targeted.

The Lamadai backdoor trojan, for instance, targeted Tibetan NGOs (Non-Governmental Organizations), exploiting a Java vulnerability to drop further malware code onto infected users’ computers.

Lamadai malware

Kitm and Hackback, meanwhile, spied on victims at the Oslo Freedom Forum, giving the malicious hacker the ability to remotely run commands at will.

LaoShu, Appetite and Coin Thief (2014)

So, what of 2014? Has the 10th anniversary been a notable year so far for Mac OS X malware?

Well, according to researchers at ESET, new Mac malware variants continue to be seen every week, putting Mac users who don’t defend their computers at risk of data loss or having their computer compromised by an attack.

State-sponsored espionage continues to make its presence felt, with the discovery of Appetite, a Mac OS X Trojan that has been used in a number of targeted attacks against government departments, diplomatic offices, and corporations.

Angry Bird, upset that people are pirating his software

LaoShu, meanwhile, has been widely spread via spam messages – posing as an undelivered parcel notification from FedEx, and scooping up documents of interest that have not been appropriately secured.

CoinThief, however, has probably received the most attention recently as it is distributed in cracked versions of Angry Birds, Pixelmator and other top apps, duping users into infection.

What made CoinThief most interesting, however, was that investigators found the malware was designed to steal login credentials for various Bitcoin-related exchanges and wallet sites via malicious browser add-ons.

In summary – protect yourself

This has just been a short history of Mac OS X malware. If you want to learn more about any of these threats, or are interested in any of the other Mac malware that ESET has seen in the last 10 years, be sure to check out the company’s “Straight facts about Mac malware” webpage and consider taking the free trial of ESET Cybersecurity for Mac.

Because, even though there isn’t as much malware for Mac as there is for Windows, one infectious outbreak is too many, and we know that the bad guys are working hard to find fresh victims.

Further reading:

The post 10 years of Mac OS X malware appeared first on We Live Security.

NSA revelations shake faith in U.S. tech firms as Harris poll shows public conflicted
http://www.welivesecurity.com/2014/04/09/nsa-revelations-shake-faith-in-tech-u-s-firms-as-harris-poll-shows-public-conflicted/
Wed, 09 Apr 2014 16:16:34 +0000
The National Security Agency (NSA) surveillance activities revealed by former CIA contractor Edward Snowden appear to be taking a serious toll on public confidence in technology companies in America, such as Internet service providers and software companies, according to a Harris poll commissioned by ESET. The poll found that two-thirds of adult Americans who said they are at least somewhat familiar with the NSA revelations believe such companies have violated the trust of users “by working with the government to secretly monitor communications of private citizens.”
That violation of trust led 60% of those Americans familiar with the NSA revelations to agree with this statement: “I am now less trusting of technology companies…as they may be assisting the government in surveillance of private citizens.”

Taken together with the changes in online behavior uncovered by the same poll and reported on We Live Security last week, these findings support the idea that economic fallout from the NSA’s activities may be broader than first thought. With well over half of the respondents signalling a decline in trust, it is reasonable to ponder the impact of this phenomenon on the uptake of technology products and services.
We already know that a small–but in my opinion significant–percentage of people are reducing their use of technology, so is there a trend toward delaying or modifying the purchase of software or Internet services? While the ESET survey did not address this question directly, I would love to see major media organizations and public opinion researchers exploring questions like this.

In fact, we did get two interesting data points from a poll released last week by Reason-Rupe. The poll covered a wide range of social and political issues in America and included this question: “Which of the following do you trust the most with your personal information?” The choices included the IRS, the NSA, Google, and Facebook. The results, which echo some of the ESET findings I will report in a moment, indicate that the two tech giants have a lot of work to do when it comes to public trust. Both the IRS and NSA were trusted more than Google and Facebook, who were ranked as most trusted with personal information by just 10% and 5% of the survey subjects respectively. Even though many Americans dislike the IRS, it was trusted by more than a third of respondents (35%), whereas the NSA was trusted by less than one in five (18%).

When it came to the second privacy-related Reason-Rupe question, “Who do you think is most likely to violate your privacy?” the NSA topped the list at 36%. Facebook was ranked second most likely to violate privacy at 26%, while Google was relatively well-regarded at 10%. We will return to this aspect of trust in a moment.

Tech distrust tempered by public safety concerns?

While the ESET survey revealed considerable levels of mistrust and antipathy toward technology companies among people familiar with the NSA revelations, arising from the apparent involvement of firms in secret government surveillance, these sentiments were not universal. A significant number of the same group of people, familiar with the NSA revelations, told us that companies should cooperate in government surveillance efforts. Indeed, just over half said companies should cooperate.

So what is going on here? Another statistic might provide a clue. We found that mass surveillance has a fair number of supporters in America. Of those Americans who were surveyed and who said that they were at least somewhat familiar with the NSA revelations, 57% agreed that mass surveillance at the scale revealed by Snowden helps prevent terrorism (versus 43% that disagreed). Note that the statement says “scale” revealed and not type, and therein may lie another clue.

I get the impression that people see value in surveillance as a defense and deterrent, but they are not necessarily happy with the way the government has gone about the surveillance. I’m not saying that’s the only way to interpret the survey results, but that is my best guess, bolstered by one more finding: the number of people who “believe there should be new laws implemented to better regulate government surveillance.” An impressive 81% of American adults who said they were at least somewhat familiar with the NSA revelations agreed with that statement.

Whether or not American politicians and political candidates are asking the same question and getting the same answer, I don’t know. However, as the mid-term elections get closer, and position statements on surveillance legislation are publicized, we may find out.

Cyber crime vs. government surveillance vs. companies

We have already seen some political responses from the very same technology companies about whom the public has strongly mixed feelings. I think there will need to be much more of the same if said companies are to lower the level of concern we discovered when we asked: Which one of the following aspects of surveillance and data gathering concerns you the most? Well over half (58%) of Americans familiar with the NSA revelations are most concerned about surveillance and data gathering by companies for profit. Compare that to just one-in-five (21%) who are most concerned about government surveillance for national security reasons.

Just as tech companies will need to keep working on earning the public’s trust, companies and organizations of all kinds will need to be vigilant when it comes to cyber crime. Why? Because our survey suggests that, when it comes to the security of their personal information, people are far more worried about criminal hackers than government data gathering.

Over two-in-five (42%) Americans familiar with the NSA revelations are most worried about criminal hackers stealing information (e.g., personal details, passwords, bank or credit card information) from a company or service they trusted (either online or offline). A further one third (33%) are most worried about criminal hackers stealing information.

I grouped those two responses in the following pie chart, which shows that only 18% of those surveyed are most worried about secret surveillance and data gathering directed by the government at private citizens such as themselves. (A small percentage are either worried about some other security risk or not worried at all.)

What should tech targets and other companies do?

If your tech company is likely to be a target of the negative sentiment reported here, you might be wondering what you should be doing to win back confidence. In my opinion the watchword is transparency. Be as open and honest as you can about how you deal with government requests for data. Publicize your policies on this and every other aspect of data privacy. Be proactive in starting a conversation about privacy with your customers.

You should also give serious consideration to taking visible political action. If there is a bright spot in the attitudes we have observed it is that 74% of people we interviewed in an NSA related survey late last year said they would admire a company “that took a stand against unlimited government access to my personal information.”

And what if you’re not a tech company, or don’t consider your firm to be tarnished by the Snowden/NSA revelations? I think you still need to be sensitive to the opinions we uncovered. They are yet another indicator that the American public is more sensitive than ever about how their personal information is handled. Not that the NSA is the only factor in play. There is no doubt in my mind that the massive security breach at Target, revealed in the closing days of 2013, has further fueled data privacy concerns. Again, my advice is to embrace transparency and be up front about your privacy policies and commitment to data security. Given the blanket media coverage of the NSA revelations and the Target breach, organizations can no longer claim to be surprised if there is a data breach and the data subjects get very upset.

Survey Methodology: The survey was conducted online within the United States by Harris Poll on behalf of ESET from February 4-6, 2014 among 2,034 U.S. adults ages 18 and older, among which 1,691 are at least somewhat familiar with the NSA revelations. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables, please contact esetpr@schwartzmsl.com.

Survey Reporting: Unless otherwise noted in the text, percentages reported for responses refer to the 1,691 persons who said they were at least somewhat familiar with the NSA revelations.

‘Heartbleed’ encryption flaw leaves millions of sites at risk
http://www.welivesecurity.com/2014/04/09/heartbleed-encryption-flaw-leaves-millions-of-sites-at-risk/
Wed, 09 Apr 2014 13:24:14 +0000

A flaw in an encryption technology used to protect major websites including Yahoo has left a huge amount of private data at risk – and internet giants are scrambling to find fixes for a problem which could leave customer data exposed to criminals.

The bug, known as ‘Heartbleed’, is described as one of the “most serious security flaws ever found” according to the Telegraph’s report. It affects the open-source encryption software OpenSSL – which is used on millions of web servers – and had gone undiscovered for more than two years. The Telegraph reports that it could have been used to steal passwords, credit card details and even encryption keys, without trace.

Major sites, including Yahoo Mail, are vulnerable and are scrambling to deploy fixes. A proof-of-concept exploit for the bug has already been posted on coding site Github.

The researchers who discovered Heartbleed say that it has left private keys, and other secrets exposed “for years”. The researchers tested the vulnerability themselves and wrote that they were able to gain access to large amounts of data, leaving no trace of their presence.

“We have tested some of our own services from an attacker’s perspective,” they wrote. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information, we were able to steal from ourselves secret keys, usernames and passwords, instant messages, emails and business critical documents and communication.”

The bug was discovered by researchers from Finnish firm Codenomicon working with Google. A dedicated website helps to explain some of the risks – although the researchers admit they do not know how widely the bug has been exploited.

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet,” the firm writes.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

ESET Senior Research Fellow David Harley offers advice on how to deal with the problem: “Sites that have never run the 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1, shouldn’t be panicking about this, but those that are running them need to upgrade to 1.0.1g or recompile with -DOPENSSL_NO_HEARTBEATS, as recommended by the OpenSSL security advisory. However, they should also be looking for and revoking (and reissuing) compromised keys, and changing user passwords. This applies even to sites that ran a vulnerable version for a while but have upgraded since, as the bug has been around since 2011. While I haven’t checked all the links and resources listed there, this site looks like an excellent starting point for sites that need to know more about the problem and its remediation, as well as the heartbleed.com page. It’s worth remembering that some embedded devices also use OpenSSL: it isn’t just a server issue.”

OpenSSL wrote on their site, “A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1.”
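The missing bounds check OpenSSL describes, modelled as an added example in C (this is not OpenSSL’s code): a heartbeat handler that trusts the peer-supplied payload length sits beside one that checks it against the bytes actually received. The record layout is simplified, and the “private key” lying next to the record is a constructed dummy string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record: 1-byte type, 2-byte big-endian payload
 * length, payload, then at least 16 bytes of padding. A 16-bit length caps
 * the over-read at 64 kB, the figure in the advisory quoted above. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Model of the defect: payload_len comes from the peer and is never compared
 * with the bytes actually received, so memcpy reads past the record into
 * whatever sits next to it in memory. Returns reply length or -1. */
static int heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t reply_len = HB_HEADER + payload_len + HB_PADDING;
    if (reply_len > out_cap) return -1;   /* only the output side is bounded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);  /* the over-read */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)reply_len;
}

/* Hardened version: the claimed payload must fit inside the record actually
 * received, otherwise the request is dropped. (The advisory's other option,
 * -DOPENSSL_NO_HEARTBEATS, compiles the extension out entirely.) */
static int heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload_len + HB_PADDING > rec_len) return -1; /* bounds check */
    size_t reply_len = HB_HEADER + payload_len + HB_PADDING;
    if (reply_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)reply_len;
}

/* Constructed scenario: a 19-byte request (header + padding, no payload) that
 * claims 32 payload bytes, followed in the same buffer by a dummy string
 * standing in for whatever the process kept beside the record. */
static const char NEIGHBOUR[] = "DUMMY-PRIVATE-KEY";   /* constructed, 17 chars */
static size_t build_memory(uint8_t mem[64])
{
    memset(mem, 0, 64);
    mem[0] = HB_REQUEST;
    mem[1] = 0x00; mem[2] = 0x20;             /* claims 32 payload bytes */
    size_t rec_len = HB_HEADER + HB_PADDING;  /* 19 bytes really received */
    memcpy(mem + rec_len, NEIGHBOUR, sizeof NEIGHBOUR);
    return rec_len;
}

/* Returns 1 if the vulnerable handler echoed the neighbouring bytes back:
 * reply payload bytes 16..31 were read from beyond the record (mem[19..34]). */
int vulnerable_leaks_neighbour(void)
{
    uint8_t mem[64], out[128];
    size_t rec_len = build_memory(mem);
    int n = heartbeat_reply_vulnerable(mem, rec_len, out, sizeof out);
    if (n != HB_HEADER + 32 + HB_PADDING) return 0;
    return memcmp(out + HB_HEADER + HB_PADDING, NEIGHBOUR, 16) == 0;
}

/* Returns the fixed handler's verdict on the same malformed request (-1). */
int fixed_rejects_bogus_length(void)
{
    uint8_t mem[64], out[128];
    size_t rec_len = build_memory(mem);
    return heartbeat_reply_fixed(mem, rec_len, out, sizeof out);
}

/* Returns the reply length for an honest 4-byte "ping" request (23). */
int fixed_accepts_honest_request(void)
{
    uint8_t rec[HB_HEADER + 4 + HB_PADDING] = { HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    int n = heartbeat_reply_fixed(rec, sizeof rec, out, sizeof out);
    if (n < 0 || memcmp(out + HB_HEADER, "ping", 4) != 0) return -1;
    return n;
}

int main(void)
{
    printf("vulnerable leaks neighbour: %d\n", vulnerable_leaks_neighbour());
    printf("fixed on bogus length: %d\n", fixed_rejects_bogus_length());
    printf("fixed on honest request: %d\n", fixed_accepts_honest_request());
    return 0;
}
```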

“New weapon” against malware intrusion designed by American student
http://www.welivesecurity.com/2014/04/09/new-weapon-against-malware-intrusion-designed-by-american-student/
Wed, 09 Apr 2014 10:42:36 +0000

A new technique for spotting cyber attacks has been designed by a young American student – and could prevent attacks against planes and power plants, by looking for abnormal communications within computers, rather than sifting for malicious software.

Patricia Moat, a doctoral student who talked of her ambitions in a student magazine at Binghamton University, says, “This is like catching an intruder coming into your house. And it excites me to do something most people have never done.”

Moat, working with a team funded by the Air Force Office of Scientific Research, uses a system which scans for “system calls” – communications between applications and a computer’s operating system, such as Windows. It can defend against attacks which other methods – such as scanning for malware – can’t, according to Computer magazine.

Spotting ‘abnormal’ calls can be key to stopping disasters, according to Moat’s supervisor Victor Skormin, who says that the approach can be used on many different computerised systems: he gives the example of planes misdirected to land short of a runway, or of power grids robbed of electricity, as reported by Homeland Security’s in-house magazine.

“Actually, it’s a war taking place in cyberspace, and it requires many different weapons and defenses,” Skormin says. “There are many existing attacks that our application works against very successfully.”

Moat and Skormin’s technology monitors all the signals sent between applications and the operating system – system calls happen constantly, such as when an application accesses files – but looks for abnormal calls by comparing a system’s behavior with its state of “normalcy”.

By designing a system which looks for abnormal behaviour in the way that many different systems operate, the team may be able to fend off novel attacks – even ones built to attack one specific system.

Goodbye, Windows XP!
http://www.welivesecurity.com/2014/04/08/goodbye-windows-xp/
Tue, 08 Apr 2014 23:59:11 +0000
This Patch Tuesday, April 8, 2014, sees the last updates to be released to the public for Windows XP and Office 2003. After today, these programs have reached their End of Life (EOL) status, and will no longer be supported by Microsoft.

Tuesday, April 8, 2014 is Patch Tuesday, and on that day, a little under a third of the readers of the blog will install this month’s batch of Windows Updates on computers running Microsoft Windows XP. Just as they did the previous month, and the month before, and so forth all the way back to a decade ago when Microsoft standardized release dates for security updates. But this month is a little different, with the release of just two patches for Windows XP and two patches for Office 2003 in April 2014’s small set of patches. What makes those four patches different is that they are the last updates to be released to the public for Windows XP and Office 2003. After today, these programs have reached their End of Life (EOL) status, and will no longer be supported by Microsoft.

The world is a much different place than it was in 2001, when Windows XP was released to manufacturing, and over the past 4,610 days, Microsoft has provided support, assistance, troubleshooting and, yes, security updates for this venerable operating system.

While Microsoft may have ended its support of Windows XP that does not mean that other companies have as well. ESET realizes that not all of our own customers are able to upgrade to newer versions of Windows, and has committed to supporting Windows XP until at least April 30, 2017 (and possibly even beyond that, depending on how many of you are still on XP then). With that in mind, we thought now would be a good time to provide a detailed listing of ESET’s resources for Windows XP users:

We Live Security
  Blog Posts
  Podcasts (Windows XP-specific)
  Podcasts (General Advice)
  White Papers (General Advice)

ESET
  Knowledgebase
  Downloads for businesses
  Downloads for home users
  Miscellaneous Downloads

If you still are in the process of replacing computers running Windows XP, chances are you are purchasing computers running Windows 8.1 Update, Microsoft’s newest desktop operating system. Understanding the security features of this new version of Windows may be a little overwhelming if you have been using Windows XP for the past thirteen years, so here are some articles to help get you up to speed:

Blog Posts

Podcasts

White Papers

ESET Knowledgebase

Some final words of advice

Although ESET will be providing you with support and helping you to secure your remaining Windows XP computers for the next three years, it would be remiss of us not to mention the practical limitations of securing an operating system which is no longer maintained by its developer.

Even security software such as ESET’s, no matter how effective it is, is not a replacement for the updates a developer provides for its operating systems. While security software can protect vulnerable operating systems from many different kinds of threats, it is not a replacement for fixing those vulnerabilities which allow threats to exploit them. That is something that can only be done by the operating system’s developer.

With Microsoft Windows XP being over a decade old and having reached its End of Life, there are practical limitations to how secure it can be made, by Microsoft, ESET or anyone else. We will continue protecting your computers until you can switch to a newer, more secure version of Windows, but the sooner you are able to do that, the safer your computers, your data—and you—will be. We have additional plans to discuss Windows XP, and will keep you informed of any changes we see to its security posture. Stay tuned to We Live Security for additional coverage.


Have you completed your migration from Windows XP or are you still running it? If the latter, do you have a planned date for when you will be off of Windows XP? What steps, if any, are you taking to secure Windows XP now that it is no longer supported by Microsoft? Let us know below!

Samsung smartphones are security favourite – for adulterers
http://www.welivesecurity.com/2014/04/08/samsung-smartphones-are-security-favourite-for-adulterers/
Tue, 08 Apr 2014 22:06:31 +0000

Samsung is the most popular brand of smartphone among a large portion of the adult population – adulterers, with the Korean handsets chosen by more than half of those conducting secret affairs.

Samsung was chosen by 54% of the British men polled by extra-marital affair site Ashley Madison, and by 48% of women. Apple’s iPhone came in a poor third, with around 25% of both men and women.

Samsung’s Android operating system allows ‘sexters’ more options to conceal messages, and does not reveal full message text by default on screen. Samsung’s Android operating system also offers users more control over alerts which might be seen by a partner.

The survey, largely of British site users but with information from other countries such as Mexico, found that ‘sexting’ was increasingly common. Nearly 40% of cheating men send ‘sexts’ around five to seven times per week. Oddly, women often sext from the supermarket – with 31% of cheaters admitting to doing so. Both male and female site users admit to having taken “sex selfies” – with around 70% of users of both sexes having taken such erotic self-portraits.

Men are most likely to sext from work (36%), women from the supermarket (31%). ‘This surprised us,’ says Christoph Kraemer, ‘the only country where more women say they sext from the supermarket is Mexico, but it makes sense, women are known for multi-tasking and if you’re time-short, why not use those spare minutes in the check-out queue!’

‘We see the same pattern globally with Samsung the most popular and the iPhone second, especially for women,’ says Christoph Kraemer, AshleyMadison.com’s European Communications Director. ‘Samsung have upped their game and it’s paid off – except for our Finnish members, who still opt for Nokia.’

‘Technology is important for our members,’ says Christoph Kraemer. ‘The very nature of having a secret affair means people are short of time, so they want speed and first rate functionality from a mobile. This survey is a vote of confidence in Samsung from the cheating community.’

If you love someone, upgrade them from XP
http://www.welivesecurity.com/2014/04/08/love-someone-upgrade-xp/
Tue, 08 Apr 2014 14:31:34 +0000
It is us, the nerdy geeks who are into computers, who have a moral right to help the great unwashed, and lead them into a bright new future without Windows XP.

Sting famously sang “If you love someone, set them free.”

Here’s my suggested improvement: “If you love someone, upgrade them from XP.”

It’s not actually such an odd connection to make. Way back in October 2001, Sting gave a free concert in New York’s Bryant Park to “celebrate the launch of Microsoft Windows XP”.

Don’t believe me? Here’s the press release, and a photo of the lute-playing Geordie in action at the event:

Sting

Why am I singing variations on songs by the former lead singer of The Police?

Well, today is the last day that Microsoft will be publishing security patches for Windows XP.

That’s clearly bad news for computer users who are still using the ageing operating system, as there is no doubt that malicious hackers will attempt to exploit the millions of vulnerable PCs out there.

And that’s why we’re calling on you to help.

Chances are, if you’re reading We Live Security, that you’re a tech-savvy computer user with a healthy interest in information security. Maybe you actually work in an IT department, or are responsible for keeping the computers in your home or office safe-and-sound from malware attacks.

And, if you’re regularly reading We Live Security, you will have seen plenty of warnings about the upcoming demise of Windows XP support and – hopefully – have taken steps and measures to ensure that computers under your care will not be affected.

Seeing as Microsoft first announced the end-of-life for Windows XP way back in 2007, it’s hard for anyone to complain that they haven’t been given enough time to sort something out.

However, there are millions of computer users out there who are blissfully ignorant of the XP cut-off date. They may not even know if they have Windows XP installed or a different version of Windows (if that’s the case, here’s a helpful website which can tell you in the blink of an eye).

And I believe that it is us, the nerdy geeks who are into computers and follow the security news, who have a moral right to help the great unwashed.

If you have friends or family who you suspect might be using a creaky old version of Windows, which might be XP, then now is the time to pay them a visit and offer them a helping hand.

Chances are that your Aunty Hilda doesn’t know how to upgrade to a more modern version of Windows, or is frightened of making a mistake, and they could do with the support of someone friendly to help them make the switch.

And, if their computer is too old or doesn’t have powerful enough hardware to run a more modern version of Windows, don’t forget there are alternatives out there.

Maybe now would be a good time to switch to an alternative operating system such as one running a flavour of Unix (I realise that’s not a great option for many users, and may terrify them more than visiting the shops to buy a newer PC).

Alternatively, if they find some spare cash down the back of the sofa and have been seen gazing longingly at Apple’s trendy gadgets, maybe they would be open to splashing out on an Apple MacBook or iMac?

The important thing is for users to switch from Windows XP as soon as possible, before their computers are attacked and compromised.

The first step is to raise awareness of the issue. You can do that this weekend by paying them a visit, and offering to take a quick look at their PC for them.

The next step is to do something about it. Again, you can help to advise on what the best steps are for that particular individual.

But, whatever you do, don’t leave your friend or family member in the lurch when it comes to XP. Be a decent net citizen and lend them a helping hand, at what could be – for many – a baffling time of change and adjustment.

Further reading:

Swooping robot attack which felled triathlete “may be work of hackers”
http://www.welivesecurity.com/2014/04/07/swooping-robot-attack-which-felled-triathlete-may-be-work-of-hackers/
Mon, 07 Apr 2014 16:50:17 +0000

A competitor in an Australian triathlon was hospitalized with injuries and “pieces of propeller in her head” after a drone plunged from the sky, causing head injuries.

The competitor, Raija Ogden, was treated by paramedics at the scene after the UAV (Unmanned Aerial Vehicle) suddenly plunged from the sky, hitting her on the head. The UAV had been filming the race.

The vehicle, a helicopter-style ‘drone’, may have been attacked by hackers, according to the owner of New Era Photography and Film, who said the incident appeared to be “suspicious”, according to local paper Everything Geraldton.

“We are currently in discussions with the videographers to assess how the incident occurred and the circumstances surrounding the accident,” the drone’s owner, Warren Abrams, said.

Sky News reported that Abrams claims that initial investigations show that someone “channel hopped” the aerial device – making it uncontrollable. Abrams claimed that a similar incident had affected the drone earlier in the day.

Network World reported that Ogden said, “I have lacerations on my head from the drone and the ambulance crew took a piece of propeller from my head. My hair was completely red with blood. I didn’t hit the ground.”

The Register reported that the Australian Broadcasting Corporation said that the drone’s operators had concluded that “channel hopping” was involved, and commented, “perhaps it is time for sports administrators to give some serious consideration to airspace management?”

“Virus Shield” app is top-selling hit – but does absolutely nothing
http://www.welivesecurity.com/2014/04/07/virus-shield-app-is-top-selling-hit-but-does-absolutely-nothing/
Mon, 07 Apr 2014 13:44:27 +0000
Armed with an impressive-looking shield logo, security app Virus Shield shot to the top of the sales charts on Android last week. There was one, tiny, problem: the app was a fake.

Armed with an impressive-looking shield logo, security app Virus Shield shot to the top of the sales charts on Android last week, becoming the top new paid download on Google Play, according to Appbrain’s statistics – and offering “protection for personal information”.

There was one, tiny, problem: the app was a fake. Virus Shield wasn’t a Trojan or spyware – both of which are common on Google’s unpoliced app store, as reported by We Live Security here – it just didn’t do anything.

The app was downloaded more than 10,000 times, at a price of $4, according to Android Police, and users rated it an impressive 4.7 out of 5. Neowin described the app as “a complete scam”.

Recruiting experts via Google Plus, Android Police analyzed the code of Virus Shield, and found that its only function was that the logo changed slightly when tapped on the touchscreen. The code contained no other security features whatsoever.

The reviews were presumably fake – but the high score was enough to tempt a sufficient number of buyers to gain the app some exposure on the store, according to Gizmodo. ESET’s guide to spotting scammy apps details some of the tricks used to sell malicious – or useless – apps. Popular game FTL appeared on Play, but buyers were forced to give it a five-star rating before they could start playing. It didn’t work, of course.

Virus Shield promised that it “Prevents harmful apps from being installed on your device” and “protects your personal information.”

The app was pulled from the store by Google, but a search for its name reveals a huge number of ‘antivirus’ apps from unknown developers, offering vague promises of protection for phones.

ESET’s guide to how to spot – and avoid – such apps details telltale signs that an app isn’t what it seems. Like many ‘fakes’, Virus Shield was by an unknown developer, whose descriptions on other sites were less than flattering.

Android Police wrote, “Let’s not mince words here. This is fraud, pure and simple, and the developer “Deviant Solutions” potentially made considerable amounts of money based on a complete lie. We assume that a lot of the initial reviews were fake, but now that it’s on the top of the charts, at least a few people will be buying it in the belief that it will protect them.”

ESET’s in-depth guide to spotting ‘bad’ apps on Google Play can be found here.

Two-thirds of parents spy “regularly” on children’s social media accounts
http://www.welivesecurity.com/2014/04/06/two-thirds-of-parents-spy-regularly-on-childrens-social-media-accounts/
Sun, 06 Apr 2014 09:32:52 +0000
Two-thirds of the respondents to the survey admitted to using various methods to check on children “without their knowledge” – and one-fifth had found “incriminating” posts which they confronted children about.

Social media accounts are the hubs of young people’s lives, but today’s youngsters would do well to check their friends lists and privacy settings – two-thirds of parents check social media accounts without their children’s knowledge.

The poll, of 2,105 UK parents, focused on the social media use of children aged 13-16, and was conducted by voucher company VoucherCloud. Facebook’s legal minimum age is 13, although children much younger than this use the site – previous research by the London School of Economics found that 43% of children aged nine to 12 used the site, according to a BBC report.

Two-thirds of the respondents to the survey admitted to using various methods to check on children “without their knowledge.” Of those polled, 81% of parents said that their children used social media, while 19% said they either did not, or that they were unaware whether they did.

This revealed that 73% of the children that used social media were on Facebook, making it the most popular site, whilst 56% were on Twitter. A further 49% used Instagram.

Many parents made sure to be aware of the passwords for such accounts – and used them to sign into the accounts without the knowledge of their children. More than half (55%) admitted to this, and a third (31%) did so “on a regular basis”.

Two-thirds of parents – 67% – also searched for their children’s profiles online to monitor them anonymously. It’s widely known, though, that children often use fake names on social sites, to avoid monitoring by either schools or parents – a tactic employed frequently by cyberbullies according to youth research agency Family, Kids and Youth, as reported by The Guardian.

Parents were asked, ‘Do you know the passwords to either your children’s personal email account or any of their social media accounts?’. 45% of the parents claimed to know their child/children’s email password, whilst 36% knew their social media login details for at least one of their profiles.

Most parents admitted that their prime concern was “safety”. A further third said that they did so simply to check what their children were up to – as ‘they didn’t tell them anything.’

Nick Bagot, a 42-year-old London parent, said that parents often ‘shared’ accounts such as Apple IDs which allowed further monitoring: “Using the same Apple ID across several products – an iPad, an iPhone, a Mac – allows me to monitor my children’s emails and texts via iMessage. Children often forget that this is even possible.”

One-fifth of those surveyed had found something ‘incriminating’ by snooping on social accounts, and of those, more than half (53%) had confronted their children about this.

Those parents who confronted their child/children were asked ‘Did you confess that you’d checked up on their social media or email account(s)?’ to which 38% said ‘yes’, but the majority, 62%, made out that they’d found out ‘by other means’.

Matthew Wood of vouchercloud made the following comment: “Today’s world can often come across as a sinister place to parents. Media coverage of social media related nightmares is widespread, so it’s no surprise that they’re wary of what their children are up to. Are they sexting? Are they talking to strangers online? It seems that many parents think the only way to find out is via stealth.”

“It’s sad to see that some parents feel the only way they can assess what their children are up to is via a sly look at their social media. Is this indicative of the modern world? This might be the case, but teenagers have always been well known for their secretive ways, so perhaps parents shouldn’t take it to heart too much and should just accept it’s one of those phases.”

Writing for SafeSoundFamily ESET Senior Research Fellow David Harley says that parents should use the internet with their children, starting as early as pre-school age – and the key is a “gentle, guided introduction.”

The future of security: Microsoft rewards 5-year-old who found critical password flaw
http://www.welivesecurity.com/2014/04/05/the-future-of-security-microsoft-rewards-5-year-old-who-found-critical-password-flaw/
Sat, 05 Apr 2014 16:17:10 +0000
Most five-year-olds can write their own name – but few have a job title to put after it. A young Xbox fan has joined an elite group of official Microsoft “security researchers” after he exposed a security flaw on Xbox’s Live Service.

The post The future of security: Microsoft rewards 5-year-old who found critical password flaw appeared first on We Live Security.

Most five-year-olds can write their own name – but few have a job title to put after it. A young Xbox fan has joined an elite group of official Microsoft “security researchers” after he exposed a password flaw on Xbox’s Live Service.

Kristoffer von Hassel was also rewarded with free games, a free subscription, and an official thanks from the company after exposing a simple and potentially damaging security flaw, according to Yahoo News.

The five-year-old’s “hack” revealed a serious password flaw in Xbox Live’s authentication system. Microsoft has since fixed it, and has named the young gamer as a researcher on its website, according to a report by 10 News.

In a statement, the company said: “We’re always listening to our customers and thank them for bringing issues to our attention. We take security seriously at Xbox and fixed the issue as soon as we learned about it.”

Kristoffer was officially thanked by the company for exposing the flaw – which he worked out as a way to log into his dad’s account in San Diego without knowing his password. Xbox Live accounts not only give access to real-money transactions, but also would allow young gamers access to violent games, and games age-rated for profanity among their players.

The hack is simple. Kristoffer discovered that if he entered a wrong password, then simply entered blank spaces to fill the entire password field as his second authentication attempt, he was able to use his father’s account freely, according to the BBC’s report.

“I got nervous. I thought he was going to find out,” Kristoffer said in an interview with local TV station KGTV. “I thought someone was going to steal the Xbox.”

As well as an official thanks from the company, his name is immortalized alongside other (mostly older) security researchers on a Microsoft web page: “The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.”

Microsoft to fix zero-day flaw that meant just previewing an Outlook email could infect your computer http://www.welivesecurity.com/2014/04/04/patch-tuesday/ http://www.welivesecurity.com/2014/04/04/patch-tuesday/#comments Fri, 04 Apr 2014 10:35:42 +0000 Microsoft to fix zero-day flaw that meant just previewing an Outlook email could infect your computer http://www.welivesecurity.com/?p=42120 It's one thing to have a security hole that relies upon users visiting an infected website, or opening a dodgy attachment - but it's quite a different level of threat when simply *previewing* a message in your email client infects your computer.

The post Microsoft to fix zero-day flaw that meant just previewing an Outlook email could infect your computer appeared first on We Live Security.

Patch Tuesday, the day when Microsoft releases its regular bundle of security fixes, is looming – and now we have some details of what it is going to contain.

A Microsoft Security Bulletin pre-announces that the company will release four bulletins, two rated Critical and two rated Important in severity, on 8th April.

In a blog post, Dustin Childs of Microsoft’s Trustworthy Computing group confirmed that one of the fixes would relate to a zero-day flaw that has left users’ computers open to infection simply by previewing a booby-trapped email in Microsoft Outlook.

When the flaw was discovered a couple of weeks ago, Microsoft explained that the exploit related to the handling of Rich Text Format (RTF) files:

At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

Clearly it’s good news that this critical flaw, which has apparently been exploited in the wild in targeted attacks, is now being fixed.

It’s one thing to have a security hole that relies upon users visiting an infected website, or opening a dodgy attachment – but it’s quite a different level of threat when simply *previewing* a message in your email client infects your computer.

By Patch Tuesday standards, though, four bulletins make for quite a light month. But, unfortunately, there are two ways of looking at this.

You could, if you’re an eternal optimist, argue that the relatively small update means that Microsoft has turned a corner, and that its products are finally on the road to having far fewer security vulnerabilities.

Or, if you’re a grumpy old pessimist who has worked in IT security for more than 20 years and feels like they’ve seen it all before, you might fear that online criminals are holding back on their vulnerabilities and exploits until after the cut-off date for Windows XP.

After all, any exploits uncovered in Microsoft software products after April 8th aren’t going to get fixed for Windows XP users. And there’s every likelihood that come the May Patch Tuesday, malicious hackers will attempt to reverse-engineer Microsoft’s fixes for more modern versions of Windows and see if they could be used to attack vulnerable XP systems.

Is the glass half empty or half full? I guess we will all know soon enough.

What is EMV, and why is it such a hot topic? http://www.welivesecurity.com/2014/04/03/what-is-emv-and-why-is-it-such-a-hot-topic/ http://www.welivesecurity.com/2014/04/03/what-is-emv-and-why-is-it-such-a-hot-topic/#comments Thu, 03 Apr 2014 19:13:13 +0000 What is EMV, and why is it such a hot topic? http://www.welivesecurity.com/?p=42081 You may know it by one of many names: EMV, Integrated Chip Cards, or more simply Chip & Pin or Smart Cards… but whatever you call it: it is a hot topic for debate on the subject of credit card fraud. In this post we will explain the difference between these and traditional credit cards, and why it is being discussed so heatedly in the wake of the Target breach.

The post What is EMV, and why is it such a hot topic? appeared first on We Live Security.

You may know it by one of many names: EMV, Integrated Chip Cards, or more simply Chip & Pin or Smart Cards… but whatever you call it: it is a hot topic for debate on the subject of credit card fraud. Many folks in the US in particular are unfamiliar with this technology, and many more of us are only familiar with it as a source of frustration when traveling abroad. In this post we will explain the difference between these and traditional credit cards, and why it is being discussed so heatedly in the wake of the Target breach.

Would you like that with stripes or chips?

The magnetic stripe technology that we are all so familiar with on the back of our credit cards has been around for over 40 years now. The first iterations were much like the tape used by audiocassettes, in that they contained data that was recorded in variations within a coating of iron oxide (also known as rust, for those of us not conversant in chemistry terms) on plastic strips. Those strips were affixed to cards, which could then be swiped by readers that were able to retrieve the data. Since the beginning, little has changed in the technology behind these cards, and there is very little built in to protect these cards against fraudulent usage.

At about the same time magnetic stripe cards were first being introduced, the first patents for chip cards were being filed. But it was not until the early 1990s that these cards were widely used for credit and debit card purposes. The three companies that joined together to do this were Europay, MasterCard and Visa, which is what gives us the name EMV. Rather than storing data on a magnetic stripe, these cards have data on a chip that is affixed to the card. In many countries in the world, this is now the default credit card technology, and payment systems with magnetic stripe readers are becoming increasingly rare.

Chip cards are so named because they have a small microprocessor affixed to them, which acts like a small computer. Data on the chip are accessed interactively, and the chip requires specific, expected responses from a card reader in order to reveal its information. This makes cloning of cards significantly more difficult and costly for criminals.

The specifics of cards using chips can vary quite a bit. In many cases, the card is “Chip & PIN” which means that the payment process involves reading bank and identity information from the chip, and then the customers must enter their PINs to authenticate their identities. This means that customers are providing two factors of authentication – something the customer has (the card) and something the customer knows (the PIN).

Physically, the purchase process would feel very familiar to debit card users in the US, except that the card is “dipped” into the reader rather than being “swiped”. (A very slight difference, except when you have an older card that resists being read because the stripe has mostly been rubbed away!)

In other cases, a sort of hybrid technology is used, which can be more similar to the traditional “Swipe & Sign” cards. Cards may have a magnetic stripe so that they can be “swiped” for purchases in countries like the US that have not yet migrated to the newer technology. And in some cases there may not be the requirement to use a PIN, and these cards are called “Chip & Signature” cards.

How does this help prevent fraud?

As readers of this blog may be painfully aware, the longer any technology remains unchanged, the more opportunity criminals have to break whatever security surrounds it. This is precisely what we have seen with the “Swipe & Sign” cards in the US. Criminals have had four decades to understand this technology and learn to steal the data it carries, which leads to a significant amount of fraud. In the case of the recent Target breach, this meant using RAM-scraper malware that lay in wait on Point of Sale (POS) machines for credit and debit card data to appear in memory, so that it could gather that information and send it to the malware’s controller.

This RAM-scraping tactic meant that even if retailers encrypted the data on disk and as the information went across the Internet, it was not protected. This sort of scenario is an inevitable consequence of the use of encryption – when the data are in use, as in the case of viewing or verifying data, the information is temporarily unprotected. Using strong encryption significantly decreases the time during which data are at risk, but many attackers now use malware designed to wait for that very brief window to be opened.

The use of EMV cards would not necessarily have protected against an attack using RAM-scraper malware, because not all financial transactions require the presence of a physical credit card. But not having a physical card severely limits its utility to criminals. It is possible to impersonate physical Chip & PIN cards so they can be used more widely, and while this is both difficult and imperfect, the tactic has already been used by criminals for years. While EMV technology has the potential to decrease card fraud, it is not a panacea.

The majority of fraud cases in countries using Chip & PIN cards are “card not present” transactions, such as online purchases, where the chip cannot be used for verification. Businesses in Canada have found a way to combat this, which requires cardholders to log into their bank account rather than provide financial information directly to the merchant.

Implementation matters

As we can see in the case of the Canadian restrictions, how businesses implement EMV makes a big difference in how well the technology is able to reduce fraud. This is one specific area of concern, when it comes to the way EMV is likely to be adopted in the US. Ideally:

  • A chip is used alone, without also having a magnetic stripe
  • The correct PIN must be entered within a very limited number of attempts
  • A signature must never be accepted in lieu of a PIN
  • Additional measures must be taken to secure card-not-present purchases

In the US, what is being proposed is:

  • A chip and magnetic stripe will both be present
  • A signature may be used in lieu of entering a PIN
  • Additional measures will not be mandated

As you can see, this scenario is significantly less secure than is ideal. While this will improve card safety to some degree, it will be a fairly minimal improvement that leaves the US lagging behind most of the world. And businesses should be aware that failing to move towards the use of chip readers would mean they are on the hook for more of the liability for fraudulent purchases.
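To make the two implementation lists concrete, here is an added Python model (not code from We Live Security, and not from any card network or terminal vendor) that encodes each list as a terminal acceptance policy and runs sample transactions through both. The policy fields, the transaction shape and the three-attempt PIN try counter are assumptions chosen for illustration; real EMV terminals and issuers apply far richer rules.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class TerminalPolicy:
    """Acceptance rules applied to a card transaction (constructed model)."""
    allow_magstripe: bool          # accept a swipe even though the card carries a chip
    allow_signature_for_pin: bool  # accept a signature in lieu of a PIN
    max_pin_attempts: int          # PIN try counter: wrong guesses allowed before the card is blocked
    require_cnp_verification: bool # card-not-present purchases must be verified by the issuer


# The "ideal" list from the article, and the US proposal described beneath it.
IDEAL = TerminalPolicy(allow_magstripe=False, allow_signature_for_pin=False,
                       max_pin_attempts=3, require_cnp_verification=True)
US_PROPOSAL = TerminalPolicy(allow_magstripe=True, allow_signature_for_pin=True,
                             max_pin_attempts=3, require_cnp_verification=False)


@dataclass
class Transaction:
    interface: str                 # "chip", "magstripe" or "cnp" (card not present)
    cvm: str                       # cardholder verification: "pin", "signature" or "none"
    wrong_pin_attempts: int = 0    # wrong PINs entered before the correct one
    issuer_verified: bool = False  # CNP only: cardholder logged in with their bank


def authorize(policy: TerminalPolicy, txn: Transaction) -> Tuple[bool, str]:
    """Return (accepted, reason) for one transaction under one policy."""
    if txn.interface == "cnp":
        if policy.require_cnp_verification and not txn.issuer_verified:
            return False, "card-not-present purchase lacks issuer verification"
        return True, "card-not-present purchase accepted"

    if txn.interface == "magstripe" and not policy.allow_magstripe:
        return False, "magnetic-stripe fallback is disabled"

    if txn.cvm == "pin":
        # The try counter is what limits PIN guessing: once it is exhausted the card is blocked,
        # so a stolen card cannot be used by cycling through candidate PINs at the terminal.
        if txn.wrong_pin_attempts >= policy.max_pin_attempts:
            return False, "PIN try counter exhausted; card blocked"
        return True, "PIN verified"

    if txn.cvm == "signature":
        if policy.allow_signature_for_pin:
            return True, "signature accepted in lieu of PIN"
        return False, "signature not accepted; PIN required"

    return False, "no cardholder verification performed"


def compare_policies(txn: Transaction) -> Dict[str, bool]:
    """Side-by-side decision for the same transaction under both policies."""
    return {"ideal": authorize(IDEAL, txn)[0],
            "us_proposal": authorize(US_PROPOSAL, txn)[0]}


if __name__ == "__main__":
    # A chip card swiped on its stripe and signed for: the weakest card-present path.
    print(compare_policies(Transaction("magstripe", "signature")))
    # A card-present PIN transaction after the try counter has been used up.
    print(compare_policies(Transaction("chip", "pin", wrong_pin_attempts=3)))
    # An online purchase with no bank login behind it.
    print(compare_policies(Transaction("cnp", "none")))
```

The swipe-and-sign transaction is the one the US proposal still accepts: the chip is never consulted, so a cloned stripe works exactly as it does today, which is why the article calls the improvement minimal.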

In all things relating to security and privacy, the goal is to make accessing our data prohibitively expensive or difficult for our adversaries. And in this way, switching away from Swipe & Sign cards is a step in the right direction. But we should not expect this change to end credit card fraud. Hopefully moving towards Chip & PIN cards is simply a first step in moving towards greater security measures for credit card transactions – one that allows merchants to make the necessary changes at a less-painful pace.

“Domestic spyware” apps increasingly precursor to violence – or murder http://www.welivesecurity.com/2014/04/03/domestic-spyware-apps-increasingly-precursor-to-violence-or-murder/ http://www.welivesecurity.com/2014/04/03/domestic-spyware-apps-increasingly-precursor-to-violence-or-murder/#comments Thu, 03 Apr 2014 19:05:40 +0000 “Domestic spyware” apps increasingly precursor to violence – or murder http://www.welivesecurity.com/?p=42093 Apps designed to ‘report’ on handset users’ communications while remaining undetected have increasingly become a factor in cases of domestic violence and even murder.

The post “Domestic spyware” apps increasingly precursor to violence – or murder appeared first on We Live Security.

Apps designed to ‘report’ on handset users’ communications while remaining undetected have increasingly become a factor in cases of domestic violence and even murder.

The apps, many on sale via app stores for smartphones such as iPhone, BlackBerry and Android, are marketed as a means for parents to monitor children’s use of smart devices, according to TechDirt.

But an Australian study has found that 97% of domestic violence cases involved the use of spyware by the abusive partner.

CBS tested software on sale in America, and found that such software was often legal due to loopholes – for instance, it was marketed as a tool to track rogue employees or children.

One such package boasted, “All phone calls are recorded. Once you log into your account, you can see when the call was made, the number associated with the person on the other side and even listen in. The same goes for text messages. Even more shocking, if a phone call wasn’t taking place but the phone was on, it could be used to bug a room and even record video. The GPS also allows someone to track where you are at any given moment of the day.”

One such app, Mobistealth, was used in a murder case in Australia by killer Simon Gittany to read his girlfriend Lisa Harnum’s SMS messages. In one message, she revealed plans to escape the abusive relationship, and he threw her off the balcony of a 15th floor apartment.

Mobistealth, along with other products such as Flexispy, are available online in free and premium versions. Mobistealth describes itself as, “a full-featured powerful cell phone tracking software package that enables you to get all the answers to your questions. What questions you say? They are questions about where the phone has been and what its user has been doing with it. With Mobistealth Android Spy Software, you can find out where the phone has been and where it is now. On the control panel, you get a line-by-line history with a date/time stamp linked to a map showing where the target phone has been. You can adjust the polling interval to get near real time logging of the target phone’s GPS location.”

“The Basic version of Mobistealth allows you to view the target phone’s contact file. This is useful because it answers the question as to whom your child or employee is communicating with.

With Mobistealth, you get to see the incoming and outgoing history of whom the target phone user was chatting with, conversing with, and planning with. Every SMS message on the phone gets sent to the Mobistealth server so that you can read what your child or employee is discussing. Even if they delete the message thread, you still retain it for viewing from your control panel.”

In the Victorian study, 46% of victims said they felt as if they were being ‘watched’, but less than half of those had told anyone of this.

In the UK, a team at Newcastle University has developed counter-spyware to protect victims.

Following the initial pilot studies, trials of the new technologies will begin next month. Victims can simply point a phone’s camera at a QR code on a poster, to ‘clean’ evidence that may enrage a spouse.

“Any online access leaves behind an electronic trail which can easily be followed to see what we’ve been up to,” explains Dr Budi Arief, from the Centre for Cybercrime and Computer Security (CCCS) at Newcastle University.

“For most of us this is a useful record but for someone living in fear of abuse the very systems set up to help them can actually be used against them.

“What our technology does is erase these electronic footprints, allowing people to seek help in safety without fear of reprisal.”

For domestic abuse victims, even seeking help can be risky.

“Another important consideration in the case of domestic violence is that in many cases, victims do not know where to get help from,” adds Mr Martin Emms, a PhD student at the School of Computing Science. As a solution, the Newcastle University team has developed single use URL codes that can be distributed to victims.

These codes – represented as QR codes – are embedded into innocent-looking postcards and flyers and take the user directly to a support site. As the name suggests, the link will only direct its user to a support site once; subsequent attempts to use it will be directed to a ‘safe page’ – an innocuous one such as BBC News or Google home page.

This will be used in combination with the cleaner app. Once accessed, the app selectively wipes clean the user’s digital footprints, removing any trace of their search for support – including temporary internet files, browser history entries and cookies – while leaving other electronic trails intact.

“This is very important as a completely clean browsing history raises suspicions,” explains Mr Emms.

Instead of a postcard, the information is embedded in a poster advertising the domestic violence support service. Positioned in public places, the feature is only available while the user is standing close to the poster. Once they leave the area, the information cannot be accessed using either the history or the back button.
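The single-use link scheme described above, written out as an added Python example; this is not the Newcastle University team’s code and makes no claim about how their system is built. The support and redirect URLs are placeholders, the token format is an assumption, and the response headers are a design choice of this example: a link that has already been followed, or a token that was never issued, both land on the innocuous page so that the server never reveals which links were real.

```python
import secrets
from typing import Dict

SUPPORT_URL = "https://support.example/help"     # placeholder for the real support site
SAFE_URL = "https://www.bbc.co.uk/news"           # innocuous destination, as the article describes
LINK_BASE = "https://links.example/r/"            # placeholder redirector the QR code points at


class SingleUseLinks:
    """Issues tokens that redirect to the support site exactly once."""

    def __init__(self) -> None:
        # Only unused tokens are stored; a token is deleted the moment it is redeemed,
        # so there is no record linking a redeemed token to a later visit.
        self._unused = set()

    def issue(self) -> str:
        # 128 bits of randomness: tokens cannot be guessed or enumerated from a poster.
        token = secrets.token_urlsafe(16)
        self._unused.add(token)
        return token

    def qr_payload(self, token: str) -> str:
        """The URL that would be encoded into the poster's QR code."""
        return LINK_BASE + token

    def resolve(self, token: str) -> str:
        """Destination for a visit: support site on first use, safe page on every other."""
        if token in self._unused:
            self._unused.remove(token)
            return SUPPORT_URL
        # Unknown or already-used tokens are indistinguishable to the visitor.
        return SAFE_URL


def redirect_headers() -> Dict[str, str]:
    """Headers for the redirect response so the support visit does not linger in caches
    or leak through the Referer header (assumed choice for this example)."""
    return {
        "Cache-Control": "no-store",
        "Referrer-Policy": "no-referrer",
    }


if __name__ == "__main__":
    links = SingleUseLinks()
    token = links.issue()
    print(links.qr_payload(token))
    print(links.resolve(token))      # support site
    print(links.resolve(token))      # safe page: the link is spent
    print(links.resolve("guessed"))  # safe page: never issued
```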

“We talk a lot about digital inclusion and the work being done to make it accessible to all,” says Dr Arief.

“Our work has highlighted a vulnerable group whose need for online access is greater than most. These people are prevented from getting help, not through a lack of access or digital knowledge but through fear.

“Our hope is these technologies can be used to overcome this particular barrier and give more victims of domestic violence the confidence to seek help.”

Surveillance cameras hijacked to mine Bitcoin while watching you http://www.welivesecurity.com/2014/04/03/surveillance-cameras-hijacked-to-mine-bitcoin-while-watching-you/ http://www.welivesecurity.com/2014/04/03/surveillance-cameras-hijacked-to-mine-bitcoin-while-watching-you/#comments Thu, 03 Apr 2014 17:56:56 +0000 Surveillance cameras hijacked to mine Bitcoin while watching you http://www.welivesecurity.com/?p=42084 Malware written specifically for DVR recorders used for the output of surveillance cameras has forced some machines to mine Bitcoin - although the low-powered machines are 'very bad' miners, Wired points out.

The post Surveillance cameras hijacked to mine Bitcoin while watching you appeared first on We Live Security.

When you pass a surveillance camera, you assume it’s doing its one simple job – watching. But malware written specifically for DVR recorders used for surveillance has forced some machines to mine Bitcoin and pass the cryptocurrency to unknown gang masters.

As Wired points out, the low processing power of the Hikvision machines means that they are very, very bad at mining Bitcoin.

“The low-powered ARM chip is one of the worst possible processors you could pick for the crypto-heavy calculations that make up bitcoin mining,” the magazine commented.

In previous attacks, criminals have focused on machines with enough number-crunching power to generate Bitcoin quickly. Gaming service ESEA admitted a rogue employee had added a Bitcoin miner to its game client, earning thousands of dollars via its use of gamers’ graphics cards, as reported by We Live Security here.

“After accessing a couple of the DVRs, we noticed that the malware was running on the DVR itself. Two pieces of malware typically ran: a customized version of minerd, the Bitcoin miner – [we] actually learned today that, in this case, it may mine Litecoin, not Bitcoin – [and] a piece of software called cmd.so, which initiated the scans for Synology devices that we observed before and that led us to investigate the DVR,” said Johannes Ullrich of SANS Technology Institute.

It’s not clear whether the DVRs were targeted as miners, or simply as a way to spread the malware – infected machines scan for others – and the infected machines all appeared to have a default password.

Ullrich writes, “Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras). The compromise of the DVR likely happened via an exposed telnet port and a default root password (12345). Analysis of the malware is still ongoing, and any help is appreciated.”

Virus Bulletin’s Martijn Grooten commented, “Kudos to camera DVRs hackers for finding something worse (i.e. very ineffective cryptocurrency mining) to use them for than surveillance.”

http://rt.com/usa/hackers-security-dvrs-bitcoin-miners-913/

In a Wednesday email correspondence, Ullrich told SCMagazine.com that the malware was discovered while emulating a Synology disk storage device in an investigation of recent scans for port 5000. He said a lot of the scans came from Hikvision DVRs.

Ullrich suggested that attackers are simply using the Telnet access – essentially a protocol used to access remote computers – because the compromised DVRs all appear to be in default configuration, meaning Telnet is exposed and the root password is set to default (12345).

Although the DVRs were observed looking for Synology disk storage devices, the video recording machines are not the only devices at risk.

http://www.scmagazine.com/cryptocurrency-mining-malware-discovered-on-surveillance-dvrs/article/341059/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29

“We found one Linux based router that was also affected,” Ullrich said in an interview with SC Magazine. “The larger picture here is that attackers move away from desktops as exploit targets as there are less vulnerable desktops out there. However, the number of badly protected devices is going up exponentially and they turn out to be very hard to patch and secure compared to desktops.”
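The two behaviours Ullrich describes, outbound scanning for port 5000 and telnet reachable from the outside on a device with a default password, are both visible to a network owner in ordinary gateway logs. The following is an added Python example (not code from SANS, Wired or We Live Security) that parses constructed iptables-style LOG lines and flags an internal host that contacts many distinct addresses on TCP/5000 within a short window, plus any inbound telnet connection from a non-RFC 1918 source. The log lines, addresses and thresholds are all made up for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample, in the shape of a Linux gateway's iptables LOG output (not a real capture).
SAMPLE_LOG = """\
Apr  2 10:00:01 gw kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=5000 WINDOW=5840 SYN
Apr  2 10:00:02 gw kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.11 PROTO=TCP SPT=40002 DPT=5000 WINDOW=5840 SYN
Apr  2 10:00:03 gw kernel: IN= OUT=eth0 SRC=192.168.1.20 DST=203.0.113.50 PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 SYN
Apr  2 10:00:04 gw kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.12 PROTO=TCP SPT=40003 DPT=5000 WINDOW=5840 SYN
Apr  2 10:00:05 gw kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.13 PROTO=TCP SPT=40004 DPT=5000 WINDOW=5840 SYN
Apr  2 10:00:07 gw kernel: IN= OUT=eth0 SRC=192.168.1.20 DST=203.0.113.51 PROTO=TCP SPT=51001 DPT=5000 WINDOW=65535 SYN
Apr  2 10:00:09 gw kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.14 PROTO=TCP SPT=40005 DPT=5000 WINDOW=5840 SYN
Apr  2 10:00:12 gw kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.15 PROTO=TCP SPT=40006 DPT=5000 WINDOW=5840 SYN
Apr  2 10:01:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP SPT=33000 DPT=23 WINDOW=14600 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?SYN"
)

# (timestamp, source, destination, destination port) for each logged TCP SYN
Event = Tuple[datetime, str, str, int]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse(log_text: str, year: int = 2014) -> List[Event]:
    """Extract TCP SYN events; syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events


def detect_scanners(events: List[Event], port: int = 5000, min_targets: int = 5,
                    window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Internal sources that SYN to at least min_targets distinct hosts on `port`
    inside any sliding window; value is the largest distinct-target count seen."""
    by_src = defaultdict(list)
    for ts, src, dst, dpt in events:
        if dpt == port and is_internal(src):
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def telnet_from_outside(events: List[Event]) -> List[Tuple[str, str]]:
    """(source, destination) pairs where a non-RFC 1918 address reached TCP/23 on an internal host;
    any such device should be checked for factory credentials and have telnet closed."""
    return [(src, dst) for _, src, dst, dpt in events
            if dpt == 23 and not is_internal(src) and is_internal(dst)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("possible scanners:", detect_scanners(evs))
    print("inbound telnet:", telnet_from_outside(evs))
```

In the sample the DVR at 192.168.1.50 touches six addresses on port 5000 within eleven seconds and is flagged, while the workstation at 192.168.1.20 makes a single port-5000 connection and is not; the same host also shows up as reachable on telnet from the internet, the combination the SANS diary describes.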

David Harley, Senior Research Fellow at ESET, said of the earlier ESEA incident, “I remember a time when distributed processing was a pretty specialized area that was sometimes used for volunteer initiatives like SETI@home and various medical research projects.”

“Along came malicious botnets that harnessed the capabilities of virtual networks for resource-intensive attacks like DDoS and captcha-breaking. I suppose it was inevitable that the bad guys would try harnessing the spare (and not so spare) processing capacity of victim machines as a way of exploiting the much-abused Bitcoin currency.”

Previous ESET stories featuring abuses of Bitcoin can be found here.

With just days to go, just how many PCs are still running Windows XP? http://www.welivesecurity.com/2014/04/02/with-just-days-to-go-just-how-many-pcs-are-still-running-windows-xp/ http://www.welivesecurity.com/2014/04/02/with-just-days-to-go-just-how-many-pcs-are-still-running-windows-xp/#comments Wed, 02 Apr 2014 23:06:53 +0000 With just days to go, just how many PCs are still running Windows XP? http://www.welivesecurity.com/?p=42039 If computers continue to run Windows XP, and don't receive any more security patches, they are not just putting themselves and the data they carry at risk, they are endangering all of us who use the internet.

The post With just days to go, just how many PCs are still running Windows XP? appeared first on We Live Security.

Next Tuesday, April 8 2014, Microsoft will release the last ever security patches for Windows XP.

And if you look at the figures from Net Market Share, things aren’t looking too good.

Net Market Share keeps a tally on worldwide operating system and browser usage by measuring the hits on websites and – according to them – Windows XP is still powering some 27.69% of worldwide PCs.

[Chart: worldwide operating system market share]

That’s an alarming statistic. But is it true?

Well, as we have all learnt through life, statistics can be deceptive.

The truth is that in much of the world, the usage of Windows XP is probably not anywhere near 27.69%. It’s commonly believed that the figures have been skewed massively by China where – according to some reports – Windows XP still had a market share of approximately 50% at the end of 2013.

A large part of the problem in China, no doubt, is the widespread usage of pirated versions of the operating system dubbed “GhostXP” locally.

[Image: Chinese pirated copy of Windows XP]

The stat appears to be backed up by Microsoft’s figures for usage of the no-longer-trusted Internet Explorer 6, the default browser in Windows XP.

Microsoft’s IE 6 Countdown website gives percentages for Internet Explorer 6 usage around the world.

[Chart: IE6 usage around the world]

And, surprise surprise, there’s only one country which sticks out like a sore thumb: China.

[Chart: close-up, focusing on China]

Regardless of what the figure for Windows XP usage is in your country, chances are that even if a small percentage of your internet-using population is using the old OS, it could still amount to a considerable number of computers.

And that’s a problem.

Because, if those computers continue to run Windows XP, and don’t receive any more security patches they are not just putting themselves and the data they carry at risk, they are endangering all of us who use the internet.

How so? Well, every computer that is compromised or hijacked by hackers can be used as a launchpad for further attacks – whether they be denial-of-service attacks, spammed out phishing campaigns, or deliberate dissemination of malware.

And if it happens that you are unlucky enough to have your personal information stored on a computer at a business still running Windows XP (and sadly, many businesses are still running legacy computers running creaky old versions of the Windows operating system) then it could be your private sensitive data that is up for grabs.

The worry is that malicious hackers will reverse-engineer future security patches from Microsoft (designed to enhance the security of more recent versions of Windows), but the flaws that they are designed to fix will also be present in the newly-retired XP operating system.

In short, hackers will be interested in targeting the now poorly-protected Windows XP platform with even greater vigour.

ESET security veteran and fellow WeLiveSecurity scribe Aryeh Goretsky has written some wise words, offering practical tips for people who have decided they need a little extra time and plan to keep protecting Windows XP computers for a little while longer.

Aryeh has also documented what to do if you think you are ready to bite the bullet and move on.

And, by the way, if you’re not sure if you are running Windows XP or not, here is a helpful webpage created by Microsoft: http://amirunningxp.com

Attack on Samsung’s Boxee TV service leaks 158,000 passwords and emails http://www.welivesecurity.com/2014/04/02/attack-on-samsungs-boxee-tv-service-leaks-158000-passwords-and-emails/ http://www.welivesecurity.com/2014/04/02/attack-on-samsungs-boxee-tv-service-leaks-158000-passwords-and-emails/#comments Wed, 02 Apr 2014 21:43:03 +0000 Attack on Samsung’s Boxee TV service leaks 158,000 passwords and emails http://www.welivesecurity.com/?p=42031 An attack on the forums for the Boxee internet-TV service has yielded 158,000 customer passwords - and what appears to be email addresses and full messaging histories for the victims.

The post Attack on Samsung’s Boxee TV service leaks 158,000 passwords and emails appeared first on We Live Security.

An attack on the forums for the Boxee internet-TV service has yielded 158,000 customer passwords – and what appears to be email addresses and full messaging histories for the victims.

The large-scale data breach affects forum users, rather than revealing passwords for the service itself – but perhaps the most unusual feature of the attack has been the company’s response: total silence.

Boxee’s main corporate page still contains an upbeat message about its recent deal with Samsung, and its social feeds contain no mention of the hack, according to SlashGear’s report.

The attackers posted an 800MB file of user data, and it was left to independent security researchers such as Scott McIntyre to highlight the story, with tweets such as, “It is real, it happened last week and many of us in operational security have had a full copy of the data since then.”

According to Ars Technica, the file appears to contain 172,000 email addresses, plus 158,128 cryptographically scrambled passwords – as well as birth dates, IP addresses, message histories, and password changes.

Ars’ Dan Goodin points out that while the information may be scrambled, it’s still dangerous. Such ‘dumps’ are highly susceptible to cracking attacks – and the wealth of information in this leak could be highly valuable to ID thieves.

Expert Reviews says that users have not been notified by email that their information may be at risk.

Concerned users can visit a website built using the data dump, https://haveibeenpwned.com/, to see if their details have leaked. Entering an email address or username will allow users to check whether they are among the victims whose data has leaked.

Win32/Sality newest component: a router’s primary DNS changer named Win32/RBrute http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/ http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/#comments Wed, 02 Apr 2014 14:31:50 +0000 Win32/Sality newest component: a router’s primary DNS changer named Win32/RBrute http://www.welivesecurity.com/?p=41890 DNS hijacking is still going strong and the Win32/Sality operators have added this technique to their long-lasting botnet. This blog post describes how the malware guesses router passwords as part of its campaign to misdirect users, send spam and infect new victims.

The post Win32/Sality newest component: a router’s primary DNS changer named Win32/RBrute appeared first on We Live Security.

Win32/Sality is a family of malware that has been using a peer-to-peer botnet since at least 2003. It is a file infector and a trojan downloader, the latter of which is mainly used to send spam, although it has been used for different purposes such as faking advertising network traffic, distributed denial of service or VoIP account cracking. All commands and files exchanged through Sality’s P2P network are digitally signed, making it resilient to protocol manipulation. Its modular architecture as well as the longevity of the botnet shows good programming practice and an efficient software design.

We’ve been tracking the Win32/Sality network for quite some time now and have seen more than 115,000 IP addresses reachable from the Internet using so-called “super peers,” which keep the botnet alive and propagate commands to regular peers.

We have seen the same components downloaded over the years with little change to their underlying behavior. Lately, a new component has appeared with a novel characteristic: the ability to change a residential broadband gateway router’s primary DNS address, which is quite different from the usual FTP password stealer or spambot deployed by Win32/Sality. According to our telemetry data, this component was dropped for the first time at the end of October 2013. It was first publicly discussed by Dr. Web, who published a technical analysis of one component, the IP address scanner. They named it Win32/RBrute.

This blog post covers:

  • An overview of the infrastructure supporting the primary DNS changer component
  • A technical analysis of the two binaries that support the operation
  • A brief analysis of the spread of the operation
  • A review of the similarities between the DNS changer component and the other components dropped by Win32/Sality

A new purpose: changing a router’s primary DNS

This feature adds a new dimension to the Win32/Sality operation. The first component, detected by ESET as Win32/RBrute.A, scans the Internet for router administration pages in order to change the entry for their primary DNS server. The rogue DNS server redirects users to a fake Google Chrome installation page whenever they are trying to resolve domains containing the words “google” or “facebook”. The binary distributed through this installation page is in fact Win32/Sality itself, providing a way for the Sality botnet’s operators to increase its size further by infecting other users behind this router.

The IP address used as the primary DNS on a compromised router is part of the Win32/Sality network. In fact, another malware, detected by ESET as Win32/RBrute.B, is installed by Win32/Sality on compromised computers and can act either as a DNS or an HTTP proxy server to deliver the fake Google Chrome installer.

The Operation

Far from being a new technique, changing the primary DNS on a router is quite in vogue right now for everything from the theft of bank credentials to blocking communications with security vendors, especially with recent reports of vulnerabilities in various routers’ firmware.

Win32/RBrute.A tries to find the administration web pages for routers by downloading a list of IP addresses from its C&C server to scan and then reporting back its findings. At the time of our investigation, Win32/RBrute.A targeted the following routers:

  • Cisco routers matching “level_15_” in the HTTP realm attribute
  • D-Link DSL-2520U
  • D-Link DSL-2542B
  • D-Link DSL-2600U
  • Huawei EchoLife
  • TP-LINK
  • TP-Link TD-8816
  • TP-Link TD-8817
  • TP-Link TD-8817 2.0
  • TP-Link TD-8840T
  • TP-Link TD-8840T 2.0
  • TP-Link TD-W8101G
  • TP-Link TD-W8151N
  • TP-Link TD-W8901G
  • TP-Link TD-W8901G 3.0
  • TP-Link TD-W8901GB
  • TP-Link TD-W8951ND
  • TP-Link TD-W8961ND
  • TP-Link TD-W8961ND
  • ZTE ZXDSL 831CII
  • ZTE ZXV10 W300

If a web page is found, the C&C sends a short list of about ten passwords to the bot and instructs it to perform a brute-force password-guessing attack against the router. If the bot is able to log in to the router, it then proceeds to change the router’s primary DNS server settings. It is interesting to note that only a brute-force attack is used to gain access to the router’s administration portal; no exploit code is used. The authentication is done with the usernames “admin” and “support”, although previous versions also tried “root” and “Administrator”. Below is a list of passwords we have observed being transmitted from the C&C:

  • <empty string>
  • 111111
  • 12345
  • 123456
  • 12345678
  • abc123
  • admin
  • Administrator
  • consumer
  • dragon
  • gizmodo
  • iqrquksm
  • letmein
  • lifehack
  • monkey
  • password
  • qwerty
  • root
  • soporteETB2006
  • support
  • tadpassword
  • trustno1
  • we0Qilhxtx4yLGZPhokY

In the event of a successful login, the malware changes the primary DNS server to a rogue one, reports a successful infection to the C&C, and continues with scanning the Internet.

Once a router’s primary DNS address is compromised, all DNS queries made by users behind it go through the rogue DNS server, which answers with the address of the fake Chrome installer page whenever a “facebook” or “google” domain is resolved.

[Screenshot: an unregistered domain containing “google” resolving through the rogue DNS server]

This example shows a successful redirection for a domain that is not registered but contains the word “google”.
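The unregistered-domain test shown above can be turned into a routine check from the client side. The following is an added example (not code from the ESET post): an honest resolver returns NXDOMAIN for a name that cannot exist, while a resolver behaving like the Win32/RBrute.B DNS thread answers any name containing “google” or “facebook” with the address of its HTTP server. The resolvers below are constructed stand-ins, the IP addresses are RFC 5737 documentation ranges, and the “wildcard” verdict (everything resolves, which ISP NXDOMAIN redirection also produces) is an assumption about how to separate that case from the RBrute pattern.

```python
"""Rogue-resolver probe based on the unregistered-domain test.  Added example,
not ESET's code.  Resolvers are modelled as: name -> A record string, or None
for NXDOMAIN; the stand-in resolvers and addresses are constructed."""
import secrets
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def probe_names() -> List[str]:
    """Three names that cannot exist: ".invalid" is reserved by RFC 2606 and
    the random nonce defeats any cached answer."""
    nonce = secrets.token_hex(4)
    return [
        f"{nonce}-google.invalid",    # keyword the hijack matches on
        f"{nonce}-facebook.invalid",  # second keyword
        f"{nonce}-control.invalid",   # no keyword: control probe
    ]


def classify_resolver(resolve: Resolver, names: Optional[List[str]] = None) -> Dict:
    """Probe a resolver and return a verdict together with the raw answers.

    rogue    - keyword names resolved but the control did not (selective
               hijack, exactly the RBrute.B pattern)
    wildcard - every name resolved (NXDOMAIN redirection by an ISP or captive
               portal; not the RBrute pattern, but worth a look)
    clean    - every name returned NXDOMAIN
    """
    names = names or probe_names()
    answers = {name: resolve(name) for name in names}
    keyword_hits = {
        name: ip for name, ip in answers.items()
        if ip and ("google" in name or "facebook" in name)
    }
    control_hit = any(ip for name, ip in answers.items() if "control" in name)
    if control_hit:
        verdict = "wildcard"
    elif keyword_hits:
        verdict = "rogue"
    else:
        verdict = "clean"
    return {"verdict": verdict, "answers": answers, "keyword_hits": keyword_hits}


def system_resolver(name: str) -> Optional[str]:
    """Use the host's configured resolver, i.e. whatever the router handed out."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# --- constructed stand-ins so the check can be exercised offline ------------
HONEST_TABLE = {"google.com": "192.0.2.10", "facebook.com": "192.0.2.20"}


def honest_resolver(name: str) -> Optional[str]:
    """A well-behaved resolver: only real names get an answer."""
    return HONEST_TABLE.get(name)


def rbrute_like_resolver(name: str) -> Optional[str]:
    """Mimics the behaviour described in the post: keyword names go to the
    rogue HTTP server, everything else is relayed to a real resolver."""
    if "google" in name or "facebook" in name:
        return "203.0.113.7"  # constructed rogue HTTP server address
    return honest_resolver(name)


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver),
                            ("rbrute-like", rbrute_like_resolver),
                            ("system", system_resolver)):
        print(label, classify_resolver(resolver)["verdict"])
```

Run it as a script and the last line probes the machine's own resolver; a “rogue” verdict there means the gateway (or whatever the DHCP lease points at) is answering for names that cannot exist, which is the condition the screenshot above illustrates.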

This operation is somewhat similar to DNSChanger, which drove users to install fake software to further spread malware using a rogue DNS service.

Once a computer is infected by running the fake Google Chrome installer, its primary DNS server will be changed to “8.8.8.8” by updating the following registry key:

HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/{network interface UUID}/NameServer = “8.8.8.8”

It should be noted that the IP address “8.8.8.8” belongs to Google Public DNS, a legitimate domain name service operated by Google, and it is not involved with Win32/RBrute.

Since infected PCs will no longer be using the router’s DNS server, they will no longer be affected by its bogus redirections. On the other hand, the router is still compromised and will nag each computer that tries to resolve “facebook” or “google” domains through its DNS service until it is infected with Win32/Sality. This tactic is far from stealthy and in fact tries to annoy users into infecting their systems, or simply breaks “google” and “facebook” domains for operating systems that are not targeted (e.g. Linux).

Currently, the goal of this operation appears to be solely to increase Sality’s botnet size.

Technical Analysis

Win32/Sality’s DNS changer component is composed of two binaries: a router scanner and a DNS/HTTP server. Both are dropped by Win32/Sality.

Router Scanner Binary – Win32/RBrute.A

At the beginning of the execution, the malware creates a mutex with the name “19867861872901047sdf” to avoid running multiple instances.

It then checks a hard-coded IP address every minute to fetch a command; that command is either a scan instruction or a request to try to log onto an IP address to change the primary DNS.

A scan instruction comes with a starting IP address and the number of addresses to try. Win32/RBrute.A will attempt an HTTP GET on TCP/80, hoping to receive an HTTP 401 Unauthorized response. The router model is extracted from the realm attribute of the HTTP authentication scheme. If a targeted router is found, the malware sends its IP address back to the C&C.

Win32/RBrute.A flowchart

The C&C will then issue a request to login to the router using a password provided by the C&C. If the login is successful, the primary DNS server is changed in the router to a host running the Win32/RBrute.B malware.

DNS and HTTP Server Binary – Win32/RBrute.B

This component is divided in three parts: the control thread, the DNS server thread, and the HTTP server thread.

Although both the DNS and the HTTP server thread can be used at the same time, the malware will choose, based on a random value, to be either a DNS or a HTTP server. A constant in the formula ensures that 80% of the infections will act as DNS servers, although we’ve seen this constant set to 50% at the beginning of the operation.

Choosing the DNS or HTTP server thread randomly.

If the chosen server thread cannot start, the malware falls back to the other mode:

Fallback to the other mode if the chosen thread could not start.

The operator can also force a thread to start by sending a specially crafted DNS or HTTP request. A mutex with the name “SKK29MXAD” ensures that only one instance can run on the host.

Control Thread

The control thread is used to report back to the C&C and to reconfigure the server instance.

Every two minutes, the malware will send a packet to a hard-coded IP address containing information about the machine on which it is running. The C&C will then answer with an IP address that will be used to deliver the infected Chrome installation. If the malware is in DNS mode, the IP address served by the C&C will be that of a rogue HTTP server installed on a Sality-compromised machine. Otherwise, the C&C will send the IP address of a server outside of Sality’s P2P network, which will be serving the fake Chrome installation page.

Listed below is the host information sent by the control thread to the C&C:

  • Computer name – GetComputerName()
  • Local time – GetLocalTime()
  • Country – GetLocaleInfoA()
  • Windows directory – GetWindowsDirectoryA()
  • Windows product name – from the registry key “HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Product Name”
  • CPU names – from the registry keys
    HKEY_LOCAL_MACHINE/HARDWARE/DESCRIPTION/System/CentralProcessor/<CPU #>/ProcessorNameString
  • Memory stats – GetMemoryStatusEx()
  • Result of IsDebuggerPresent()
  • Memory usage of the malware – GetProcessMemoryInfo()
  • Uptime of the malware – in minutes
  • Number of threads in use

The information packet has the format:

[Table: information packet format (image not captured)]

The screenshot below shows an information packet sent to the C&C.

Host information packet sent to the C&C. In blue: payload checksum, in red: payload length, in black: encrypted server mode, in green: encrypted host information

The host information, green in the previous example, is the following string encrypted with RC4:

9BC13555|24.03.2014 21:56:27|United States|C:\WINDOWS|Microsoft Windows XP|proc#0 QEMU Virtual CPU version 1.0|1|358|511|1117|1246|0|2|0|0|

The C&C will then answer with a packet with the service IP address to use:

[Screenshot: C&C reply carrying the service IP address to use]

DNS Server Thread

The DNS server looks for requests that contain “google” or “facebook” in the domain name. If it finds one, the DNS response it will send back will contain the IP address of a Win32/RBrute.B HTTP server on the Sality network. If the query doesn’t contain “facebook” or “google”, it will relay the query to Google’s DNS servers (“8.8.8.8” or “8.8.4.4”) and will forward the response to the client.

Sending a packet to the server on UDP/53 with “0xCAFEBABE” as the payload will set the “udme” flag in the Windows registry key “HKEY_CURRENT_USER/SOFTWARE/Fihd4”. This flag ensures that the DNS server thread will start at the next reboot, overriding the random selection. The server will reply “0xDEADCODE” to confirm the command.

HTTP Server Thread

When it receives a request from a browser that has been redirected, the HTTP server thread first looks at the browser’s User-Agent and behaves differently depending on it.

If the User-Agent contains “linux” or “playstation”, the server silently drops the connection (how rude!). If the User-Agent refers to a mobile device (matching one of the words “android”, “tablet”, “Windows CE”, “blackberry” or “opera mini”), the server serves the Win32/Sality (!) malware 5% of the time, even though these are mobile User-Agents; otherwise the request is dropped. Finally, if the User-Agent contains “opera”, “firefox”, “chrome”, “msie” or anything else, the user is served Win32/Sality.

The User-Agent will affect the port on which the query is made on the rogue HTTP server distributing the malware.

[Table: rogue HTTP server port used for each User-Agent class (image not captured)]

Any HTTP GET request sent to these ports will serve the fake Chrome installation page… even if you’re browsing with Chrome!

Akin to the DNS server thread, the botmaster can affect the HTTP server behavior by sending a specially crafted HTTP request. Specifically, sending a GET or POST request with the User-Agent “BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831” will set the “htme” flag in the registry key “HKEY_CURRENT_USER/SOFTWARE/Fihd4”, effectively ensuring that the malware will start the HTTP server thread upon reboot, overriding the random selection. The server will send “<html>kenji oke</html>” to confirm a successful execution.

The HTTP server also keeps a list of files that are allowed to be served. If a browser makes an HTTP request on a domain matching “google” or “facebook” for a file not in the list, the server replies with an HTTP 200 OK carrying the following payload:

<html><meta http-equiv="refresh" content="0; url=/"></html>

redirecting the browser to the front page — hence serving the fake Chrome installation page. For example, if the user browses to “http://google.com/does-not-exist” and “does-not-exist” is not in the allowed files list, the user will be redirected to “http://google.com” instead of having the usual HTTP 404 error.

We should also note that every HTTP GET query made on the HTTP server that contains the string “.exe” will be forwarded to the rogue HTTP server, regardless of the allowed files list. The rogue server will always answer with an infected binary.
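The DNS and HTTP server thread sections above name several fixed strings (the UDP/53 command and its reply, the forcing User-Agent, the “kenji oke” acknowledgement, and the refresh-to-root page served on a hijacked host) that a network defender can match on. The following is an added example, not ESET’s code: it runs those indicators over a simplified view of a capture. The events and their contents are constructed; it is an assumption that the post’s “0xCAFEBABE”/“0xDEADCODE” could be either the ASCII text or the raw 4-byte value, so both forms are matched (the raw form is the weaker signal, since it could in principle collide with an ordinary DNS header), and the request’s Host header is assumed to be carried on the response event it belongs to.

```python
"""Indicator matching for Win32/RBrute.B control messages and its redirect
page, as described in the post.  Added example, not ESET's code; the events
below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RBRUTE_FORCE_UA = ("BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 "
                   "Configuration/CLDC-2.1 VendorID/831")
DNS_FORCE_CMD = (b"0xCAFEBABE", bytes.fromhex("cafebabe"))  # ASCII or raw (assumption)
DNS_FORCE_ACK = (b"0xDEADCODE", bytes.fromhex("deadc0de"))
HTTP_FORCE_ACK = b"<html>kenji oke</html>"
# Body the rogue HTTP server returns for any non-allowed file on a hijacked host.
REFRESH_TO_ROOT = re.compile(rb'<meta\s+http-equiv="refresh"\s+content="0;\s*url=/"', re.I)
HIJACKED_KEYWORDS = ("google", "facebook")


@dataclass
class Event:
    proto: str                       # "udp" or "tcp"
    port: int                        # server-side port of the flow
    payload: bytes                   # UDP datagram, or HTTP body
    headers: Dict[str, str] = field(default_factory=dict)  # HTTP headers, lower-case keys
    status: Optional[int] = None     # HTTP status code for responses


def match_event(ev: Event) -> List[str]:
    """Return the names of every RBrute.B indicator the event matches."""
    hits = []
    if ev.proto == "udp" and ev.port == 53:
        if ev.payload.startswith(DNS_FORCE_CMD):
            hits.append("rbrute_dns_force_cmd")
        if ev.payload.startswith(DNS_FORCE_ACK):
            hits.append("rbrute_dns_force_ack")
    if ev.proto == "tcp":
        if ev.headers.get("user-agent") == RBRUTE_FORCE_UA:
            hits.append("rbrute_http_force_cmd")
        if ev.payload.strip() == HTTP_FORCE_ACK:
            hits.append("rbrute_http_force_ack")
        host = ev.headers.get("host", "").lower()
        if (ev.status == 200 and any(k in host for k in HIJACKED_KEYWORDS)
                and REFRESH_TO_ROOT.search(ev.payload)):
            hits.append("rbrute_refresh_on_hijacked_host")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run match_event over a capture; returns (event index, indicator) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in match_event(ev)]


# Constructed sample capture: one ordinary DNS query for google.com, the two
# DNS control messages, the HTTP force command and its acknowledgement, the
# redirect page served for a hijacked host, and one benign HTTP response.
SAMPLE_EVENTS = [
    Event("udp", 53, bytes.fromhex(
        "1a2b0100000100000000000006676f6f676c6503636f6d0000010001")),
    Event("udp", 53, b"0xCAFEBABE"),
    Event("udp", 53, b"0xDEADCODE"),
    Event("tcp", 80, b"", {"host": "203.0.113.7", "user-agent": RBRUTE_FORCE_UA}),
    Event("tcp", 80, HTTP_FORCE_ACK, {}, 200),
    Event("tcp", 80, b'<html><meta http-equiv="refresh" content="0; url=/"></html>',
          {"host": "www.google.com"}, 200),
    Event("tcp", 80, b"<html>hello</html>",
          {"host": "example.com", "user-agent": "Mozilla/5.0"}, 200),
]

if __name__ == "__main__":
    for index, indicator in scan(SAMPLE_EVENTS):
        print(f"event {index}: {indicator}")
```

The exact-string rules (command, acknowledgement, User-Agent) are the high-confidence ones; the refresh-to-root rule is a behavioural signal that only means something when the Host header is a google/facebook name, since the real sites do not answer arbitrary paths that way.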

Similarities with other Sality components

Based on the following observations, we believe that the main file infector as well as all the components described above were developed by the same group of people. Looking at each component’s binary, they all share the same technical details and coding style.

No persistence needed

None of the dropped Sality components, including those discussed above, needs its own way of persisting across system reboots, although some modules may store configuration in the registry. They are always downloaded and launched by the persistent layer: the file infector.

Buffer Initialization

The operators have the habit of initializing their buffers to zero. Visual C++ does not optimize the following C code when the operators compile their software:

char buf[4096] = {0};

This is compiled into the code displayed in the following screenshots.

Un-optimized initialization of a buffer of size 4096 bytes.

This assembly stub is seen in every component dropped by Win32/Sality.

Bypassing the Firewall

All components that need to receive connections from the Internet share the same code to add a specific rule in the Windows Firewall authorizing incoming requests to go through. It will add the value “[malware file name]:*:Enabled:ipsec” to the following registry key “HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List” to achieve this goal. The following screenshot shows a subset of the “add_to_firewall_exception()” function.
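A responder can turn the registry detail above into a host check. The following is an added example (not ESET’s code): it parses the “path:scope:Enabled:name” value format of the XP-era AuthorizedApplications\List key and flags entries carrying the “ipsec” tag the post attributes to Sality, plus a generic heuristic for exceptions granted to executables in user-writable directories. The sample entries are constructed, the malware file name “wirqy.exe” is a placeholder, and the live-collection helper assumes the same value layout when it reads the local registry.

```python
"""Audit of the Windows Firewall exception list written by Sality components.
Added example, not ESET's code.  Sample entries are constructed; the malware
file name is a placeholder."""
import re
from typing import Dict, List, Tuple

LIST_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# A firewall exception for an executable living in one of these directories
# deserves a second look regardless of the display name it carries.
USER_WRITABLE = re.compile(r"\\(temp|tmp|appdata|local settings)\\", re.I)


def parse_entry(data: str) -> Dict[str, str]:
    """Split 'C:\\path\\app.exe:*:Enabled:Display Name' from the right so the
    drive-letter colon inside the path survives."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected firewall list entry: {data!r}")
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "name": name}


def assess(entries: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """entries are (value name, value data) pairs as read from the registry.
    Returns the suspicious ones together with the reasons they were flagged."""
    findings = []
    for value_name, data in entries:
        entry = parse_entry(data)
        reasons = []
        # The exact tag the post says add_to_firewall_exception() writes.
        if (entry["scope"] == "*" and entry["state"].lower() == "enabled"
                and entry["name"].lower() == "ipsec"):
            reasons.append("sality_ipsec_tag")
        if USER_WRITABLE.search(entry["path"]):
            reasons.append("user_writable_path")
        if reasons:
            findings.append({**entry, "value": value_name, "reasons": reasons})
    return findings


def collect_live() -> List[Tuple[str, str]]:
    """Read the list from the local machine (Windows only); [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LIST_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample: two stock XP-style entries and one written by the
# malware ("wirqy.exe" is a placeholder, not an observed file name).
SAMPLE_ENTRIES = [
    (r"C:\Program Files\Messenger\msmsgs.exe",
     r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"),
    (r"C:\WINDOWS\system32\sessmgr.exe",
     r"C:\WINDOWS\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"),
    (r"C:\Documents and Settings\user\Local Settings\Temp\wirqy.exe",
     r"C:\Documents and Settings\user\Local Settings\Temp\wirqy.exe:*:Enabled:ipsec"),
]

if __name__ == "__main__":
    for finding in assess(collect_live() or SAMPLE_ENTRIES):
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

Splitting from the right matters: splitting on every colon would break the drive-letter path, and the display name is the last field, which is where the “ipsec” tag lands.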

A subset of "add_to_firewall_exception()" function, shared by almost all components of Win32/Sality.

In Win32/RBrute.B, this function is called at the beginning of the malware execution:

Calling add_to_firewall_exception() before creating the mutex in the WinMain() function of Win32/RBrute.B.

Same thing found in the Win32/Sality’s spambot component:

Win32/Sality's spambot component calling the add_to_firewall_exception() function.

Infection Statistics

Our data show that Win32/Sality detections have been decreasing, or at least stable, since 2012. We believe that the reduced number of detections is due to the reduced efficiency of the current infection vectors. This might explain why the operators are looking for new ways to spread Win32/Sality.

Win32/Sality detection worldwide

If we take a look at the detections for the last year, we can see a small increase, around December 2013, in Win32/Sality detections that coincides with the date where the DNS changer component was released in the wild, although those numbers should be taken with a grain of salt since other factors could contribute to variation in its spreading, like being dropped by another botnet.

Win32/Sality detections last year

We’re not sure about the effectiveness of the Win32/Sality router DNS changer operation, since many router configuration portals listen only on the private address space (e.g., 192.168.0.0/16) — making them unreachable from the Internet. Also, the router password brute force is not very aggressive, trying only a list of about ten passwords.

Conclusion

The usual infection vectors of Win32/Sality might not be sufficient to keep the botnet alive; hence the botnet controllers are deploying a new component to grow the botnet. DNS hijacking on routers can be quite effective if done correctly. It can reach a lot of users behind a single router, especially on public access points. As routers are not commonly protected by security solutions, they provide attackers with an unrestricted environment in which to try several techniques to steal users’ information. An existing technology that could fix the problem is DNSSEC, since signed DNS responses let a validating resolver detect tampering. A good security practice that would reduce the scope of the problem is to change the default password on the router’s web interface.

Files Analyzed

The following are the SHA-1 hashes of files observed during our monitoring of Win32/RBrute malware.

Win32/RBrute.A

8f4e43675948e806d99125e916191e04f8840b46
f8031d843626ac198a6f3c056f57098012e178e2
21649df3044f2203403a855108c1db1d95a2ab46

Win32/RBrute.B

5d1263c1c707ce163c9b36452dcb7340a7fd8909
73e2fe07a3f875521b5bfe8c3dd8fd6b6819c8f8

New Harris poll shows NSA revelations impact online shopping, banking, and more http://www.welivesecurity.com/2014/04/02/harris-poll-nsa-revelations-impact-online-shopping-banking/ http://www.welivesecurity.com/2014/04/02/harris-poll-nsa-revelations-impact-online-shopping-banking/#comments Wed, 02 Apr 2014 09:24:06 +0000 New Harris poll shows NSA revelations impact online shopping, banking, and more http://www.welivesecurity.com/?p=41806 A new Harris poll shows that revelations about the National Security Agency’s digital surveillance activities are changing online behavior for many Americans and some say they are doing less online banking and less online shopping because of what they have learned about the NSA.

The post New Harris poll shows NSA revelations impact online shopping, banking, and more appeared first on We Live Security.

Online banking and shopping in America are being negatively impacted by ongoing revelations about the National Security Agency’s digital surveillance activities. That is the clear implication of a recent ESET-commissioned Harris poll which asked more than 2,000 U.S. adults ages 18 and older whether or not, given the news about the NSA’s activities, they have changed their approach to online activity.

Almost half of respondents (47%) said that they have changed their online behavior and think more carefully about where they go, what they say, and what they do online.

When it comes to specific Internet activities, such as email or online banking, this change in behavior translates into a worrying trend for the online economy: over one quarter of respondents (26%) said that, based on what they have learned about secret government surveillance, they are now doing less banking online and less online shopping. This shift in behavior is not good news for companies that rely on sustained or increased use of the Internet for their business model.

Online commerce shrinkage?

After 20 years of seemingly limitless expansion of Internet commerce, these poll numbers may come as something of a shock to online firms, but they were not a complete surprise to ESET researchers. Last fall we detected early signs of this phenomenon when we conducted a smaller survey of “post-Snowden” attitudes. Some respondents reported reduced online shopping and banking behavior (14% and 19% respectively). At that time it was reasonable to speculate that such changes in behavior might be a temporary blip, but our latest findings suggest otherwise. And the reasons are not hard to find: continued revelations from the Snowden documents and a lack of convincing reassurances from government about privacy protections.

The news for online stores and financial services does not get any better when you dig deeper into the numbers. The economically important 18-34 age group is more likely to say they are doing less shopping online (33% compared to an overall 26%). Online retailers who rely more on female shoppers should note that 29% of women surveyed said they have reduced how much they shop online (compared to 23% of men and 26% overall). When it comes to banking online, 29% of folks in that 18-34 age bracket had cut back, as had 30% of those aged 65 and older.

Clearly, these findings will be of concern to the retail and financial services sectors, but the news is also bad for just about any sector of the American economy where replacing physical contact with electronic communication is part of the business model.

Just under one-quarter of respondents (24%) said that, based on what they have learned about secret government surveillance, they are less inclined to use email. Important economic sectors ranging from healthcare to education and government are looking at expanded use of electronic communications as a way to cut costs and improve service levels. Those objectives could be harder to attain if a significant percentage of the public is less inclined to use those channels. We observed a higher than average contraction in email use in the 18-34 age group (32%) and in households where annual household income is under $50,000.

Ongoing impact of privacy intrusions

As a recent New York Times article titled “Revelations of N.S.A. Spying Cost U.S. Tech Companies” observed: “It is impossible to see now the full economic ramifications of the spying disclosures.” However, I think that when you look at this new survey and our previous research it is clear that changes in online behavior have already taken place, changes with broad economic ramifications.

Whether or not we have seen the full extent of the public’s reaction to state-sponsored mass surveillance is hard to predict, but based on this survey and the one we did last year, I would say that, if the NSA revelations continue–and I am sure they will–and if government reassurances fail to impress the public, then it is possible that the trends in behavior we are seeing right now will continue. For example, I do not see many people finding reassurance in President Obama’s recently announced plan to transfer the storage of millions of telephone records from the government to private phone companies. As we will document in our next installment of survey findings, data gathering by companies is even more of a privacy concern for some Americans than government surveillance.

And in case anyone is tempted to think that this is a narrow issue of concern only to news junkies and security geeks, let me be clear: according to this latest survey, 85% of adult Americans are now at least somewhat familiar with the news about secret government surveillance of private citizens’ phone calls, emails, online activity, and so on. As to what should be done about this situation and its effects on commerce, privacy, and online behavior, I will have more findings to share in my next blog post, along with suggested strategies for companies who may be impacted.

Survey Methodology: The survey was conducted online within the United States by Harris Poll on behalf of ESET from February 4-6, 2014 among 2,034 U.S. adults ages 18 and older, among which 1,691 are at least somewhat familiar with the NSA revelations. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables, please contact esetpr@schwartzmsl.com

Credit cards are dead, long live fingerprints? Samsung S5 first of ‘many’ scan-to-pay phones http://www.welivesecurity.com/2014/04/02/credit-cards-are-dead-long-live-fingerprints-samsung-s5-first-of-many-scan-to-pay-phones/ http://www.welivesecurity.com/2014/04/02/credit-cards-are-dead-long-live-fingerprints-samsung-s5-first-of-many-scan-to-pay-phones/#comments Wed, 02 Apr 2014 06:58:53 +0000 Credit cards are dead, long live fingerprints? Samsung S5 first of ‘many’ scan-to-pay phones http://www.welivesecurity.com/?p=41978 Samsung's Galaxy S5 offers a cutting-edge component that will change m-commerce forever - a fingerprint-scanner which offers instant authentication with one finger-swipe and which works in stores as well as online.

The post Credit cards are dead, long live fingerprints? Samsung S5 first of ‘many’ scan-to-pay phones appeared first on We Live Security.

Samsung’s reported difficulties in bringing its new flagship S5 to market on time may be to do with a cutting-edge component that will change m-commerce forever – a fingerprint-scanner which offers instant authentication with one finger-swipe.

MIT’s Technology Review describes the technology as one that is “likely to become commonplace” on handsets in the near future.

Technology Review describes the S5 as the first handset which can authorise payments both in stores and online. Apple’s iPhone 5S, by contrast, can only authorise payments within Apple’s own online stores.

Samsung has partnered with PayPal, and other members of the FIDO alliance, a technology group including giants such as Google and Lenovo, which aims to bring a ‘frictionless’ biometric payment system to market. The S5 will be capable of authenticating payments in stores which accept PayPal as well as in apps and on sites, using a sensor beneath the Home button.

Speaking to MIT, Joel Yarbrough, senior director of global product solutions at PayPal says, “Today people are having to type in nine-digit passwords everywhere, including one-handed on the subway. Building a smart biometric experience solves both usability and dramatically increases the security level.”

Boy Genius Report says that the reader in the S5 appears to be more complex than Apple’s, according to a device ‘teardown’ by Chipworks: “it seems to be split into two parts — a touch sensor incorporated into the home button, but also it takes input from the main touch screen, and both have to be used to get your ID loaded.”

For customers, the feature is seen as a “premium” addition to a phone, according to Ernest Doku, telecoms analyst at uSwitch, who said, “Samsung appears to have cherry picked the most crowd-pleasing features available from other manufacturers – a fingerprint ID sensor and an attractive gold model like Apple’s iPhone 5S, a water and dust-resistant body like Sony’s Xperia Z2, and photography credentials to challenge the best from Nokia.”

PayPal has announced that the phone will not store passwords or login details, only a unique encrypted key, which is less vulnerable to theft, according to CNET’s report. PayPal claims that the odds of someone finding a handset and having a matching fingerprint are more than one in a million.
“By working with Samsung to leverage fingerprint authentication technology on their new Galaxy S5, we are able to demonstrate that consumers don’t need to face a tradeoff between security and convenience,” PayPal’s chief product officer Hill Ferguson said. “With a simple swipe of a finger, consumers can still securely log into their PayPal account to shop and pay with the convenience that mobile devices afford.”

In a hands-on test, gadget site Pocket-Lint said that the process is extremely seamless: “Once PayPal is selected as the payment method, and it recognises a user with a registered print, all it takes is a digit swipe and you’ve paid. During our hands-on with the Galaxy S5, we described the process as ‘scarily easy, but effective’.”

Handsets such as the S5 may just be the beginning. So far, phones such as Apple’s iPhone 5S have offered fingerprint scanners built into hardware – but smartphones could offer screens with built-in readers by summer this year, according to screen maker CrucialTec.

So far, users have had to swipe fingerprints across buttons built into the devices – the Home button in the case of the iPhone, or the rear panel in the case of the HTC One Max.

CrucialTec, one of the leading manufacturers of biometric readers for mobiles, will bring out scanners built into mobile screens soon, and the devices will be built into smartphone screens by July this year, according to Digital Trends’ report.

Speaking to the Korea Herald, Charles Ahn, CEO of CrucialTec, said that the phones would usher in dramatic changes to the smartphone market. “The new touch screen panel, known as a matrix-switching touch screen panel, will bring dramatic change to the market,” Ahn said.

The new screens will also be completely bezel-less, and future versions of the Matrix-Switching Touchscreen Panel (MS-TSP) could include health monitoring sensors built into the panel.

Earlier reports had linked CrucialTec to Samsung’s rumoured fingerprint scanner built into its Samsung Galaxy S5 smartphone, but CrucialTec distanced itself from those reports. According to Ahn, only two companies, CrucialTec and Synaptics, own core technology required for the development of such panels.

The CEO of network specialist Ericsson predicted that biometrics would become “mainstream” in 2014, as reported by We Live Security here.

Stephen Cobb, Security Researcher with ESET, said when Apple unveiled the fingerprint sensor in the iPhone 5S that the device could be a “game changer”, in a We Live Security report here.

Cobb said, “I have been a fan of biometrics as an added authentication factor ever since I first researched multi-factor and 2FA systems 20 years ago, however, user adoption is very sensitive to performance; in other words the iPhone 5S could advance biometrics, or put a whole lot of people off biometrics.”

Several start-ups are investigating even more out-there methods of biometric authentication, with some using user behavior as a metric, and shipping in the form of apps. Further We Live Security reports on the cutting edge of biometrics and passwords can be found here.

Tesla shocker as researcher picks electric supercar’s lock
http://www.welivesecurity.com/2014/04/01/tesla-shocker-as-researcher-picks-electric-supercars-lock/
Tue, 01 Apr 2014 12:35:51 +0000

The Model S is rated one of the safest cars on the road - but the electronic security system protecting its locks may not be quite as bulletproof, researchers claim. The six-digit PIN used to protect its lock can be brute-forced, or phished, by attackers.

Security questions were raised over the app-based “key” used to unlock the electric supercar Tesla – after a researcher showed it was possible to guess the key’s six-digit PIN by brute force. The Model S is rated one of the safest cars on the road – but the electronic security system protecting its locks may not be quite as bulletproof, researchers claim.

The Tesla car is “locked” using an iPhone app, accessed via a basic six-character password, according to Sky News.

This leaves the car vulnerable to ‘brute force’ hacks, where attackers try thousands of passwords until they find the correct one.

The hack was shown off by researcher Nitesh Dhanjani at a conference in Singapore. While obtaining the password would not allow the attacker to drive the car, it would allow attackers to drain batteries, operate the headlights and halt charging.

Dhanjani pointed out that the ‘static’ password system also meant that phishing attacks could be used to obtain the password, and thus control the Model S’s systems.

Gizmodo pointed out that the methods Dhanjani highlighted were similar to those used to gain access to any online account – and not what one would expect of a high-end supercar such as the Tesla Model S.

In a blog post, Dhanjani wrote, “The Tesla website doesn’t seem to have any particular account lockout policy per incorrect login attempts. This puts owners at risk since a malicious entity can attempt to brute-force the account and gain access to the iPhone functionality.”

In a statement, Tesla said, “Our customers’ security is our top priority, be that in developing a car with the highest safety rating or doing everything we can to protect them against online security breaches.”

“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process.”

Tesla said that it had altered its software to lock out users after five incorrect attempts.

Speaking to CNN, Dhanjani said that he was personally not concerned by the security of his own Model S: “The time is right now for Tesla to fix this. As other car manufacturers draw inspiration from Tesla’s design and architecture, there will be more people to compromise and launch attacks against.”

5 Tips for protecting Windows XP machines after April 8, 2014
http://www.welivesecurity.com/2014/03/28/5-tips-for-protecting-windows-xp-machines-after-april-8-2014/
Fri, 28 Mar 2014 16:14:18 +0000

Microsoft will cease providing security updates for the Windows XP operating system on April 8, 2014. If you cannot get away from Windows XP yet, there are still a few things you can do to keep yourself safe.

As you may have read in my post earlier this week about the end of days for Windows XP, Microsoft will cease providing security updates for this operating system on April 8, 2014. If you cannot get away from Windows XP just yet, there are still a few things you can do to defend your XP machines:

  1. The first thing is to make sure that you back up your computer’s files regularly, and periodically test your backup strategy by restoring backups, preferably on a different computer, a few times a year. This helps ensure that in the event of a catastrophe, you will still have access to the information on your computer. The time to worry about your backups is not when faced with a virus, fire, earthquake or other calamity.
  2. The next thing to do is to make sure that your copy of Windows XP is up-to-date. Although Microsoft will stop making new updates for Windows XP after April 8, 2014, all of the old updates from before then will still be available, and should be applied. This also applies to the device driver software (a device driver is a computer program that allows the operating system to communicate with a particular kind of hardware), which may be available from your computer manufacturer or Microsoft’s Windows Update web site.
  3. In addition to the operating system and drivers, you should also make sure you have the latest versions of your application software on the computer, and that those are fully-patched and updated. Programs like Adobe Flash, Adobe Reader and Oracle Corp.’s Java are frequently targeted by the criminal gangs that develop and use malware, so keeping these up-to-date is just as important as looking after the operating system. Other software that you use, such as Microsoft Office, web browsers and so forth, should be on the latest version and have the latest patches applied as well.
  4. If the computer does not have to be connected to the Internet, disconnect or disable the connection so that the PC can only connect to other machines on the same non-Internet network. This will ensure that Internet-borne threats cannot directly attack your XP PC, and will make it harder for an attacker to steal data off the computer.
  5. Make sure your security software is up-to-date, as well. There are lots of security programs available for Windows XP, and most of their authors have committed to supporting Windows XP for years to come. Some are free, while others are sold as a subscription. A discussion of the features needed to protect Windows XP is outside the scope of this article, but at the very least, I would recommend looking for a security program that combines signature-based and heuristic detection, includes a firewall, and has some kind of host intrusion protection system. Vulnerability shielding and exploit blocking will be useful as well, as Windows XP will no longer be updated by Microsoft to protect against these types of attacks.

While these tips will help, your main goal should be figuring out how to move away from Windows XP. If it is simply a matter of replacing a critical application, work out the cost and build that into your operating budget; likewise for computer upgrades or even replacement computers. That may be a capital expense, and an unwanted one in this economy, however, it is still better than going out of business because outdated computers failed or critical data was stolen.

Having to replace working computers every few years is not fun, but, like other mechanical equipment, computers do wear out and need to be replaced. Software, too, gets updated periodically, not just with security patches, but new features and functionality as well, that can improve your bottom line. You might find my podcast on security for older systems to be helpful listening material.

For readers who are using ESET for their anti-malware protection there is a helpful Knowledgebase article “Microsoft Windows XP end of support and ESET products.” ESET is committed to supporting the Microsoft Windows XP operating system for 32-bit and 64-bit versions of ESET products at least until the end of April, 2017.

The Internet of Things isn’t a malware-laced game of cyber-Cluedo… yet
http://www.welivesecurity.com/2014/03/28/the-internet-of-things-isnt-a-malware-laced-game-of-cyber-cluedo-yet/
Fri, 28 Mar 2014 14:11:29 +0000

Will the future be a murderous game of 'smart device' Cluedo, where Colonel Mustard meets his death at the hands of a Wi-Fi pacemaker, and Miss Scarlett is consumed in a Smart Home-ignited blaze? Not likely, says David Harley - where's the profit motive?

A while ago I was asked by a journalist about an example of malware which, it had been reported, could be developed to spread to a far wider range of hardware and architectures than the PCs it was actually known to attack. Malware that aims to spread over all those devices sounds more Proof of Concept than anything immediately purposeful (except in terms of old-school “look at how many machines I infected” bragging rights), but distinguishing between targets by architecture as well as broad platform does suggest potential for much more targeted attacks in the future. This is a scenario that could be compared to Java malware: devices using a range of versions, update and patch levels - where an update mechanism exists at all - but also, apparently, other architectures (ARM, MIPS and so on).

A possibility exists – and most of the conversation around threats against the Internet of Things concerns possibilities, rather than hard threats or even likelihood – of malware that discriminates not only by machine but by function, providing openings for other kinds of malicious activity. At the same time, end users may be as unaware of what is running on their devices as those people recently affected by intrusive or faulty firmware updates for TV/audiovisual technology, for instance. Attempts to hack Samsung Linux-based firmware and indeterminate vulnerabilities in that firmware have been reported for several years. Targeted threats are often seen as associated with individuals working in huge corporations, but they can be and are scaled down to smaller target groups such as SMEs, Mom and Pop shops, activist groups, even private individuals. There’s nothing outlandish either about the idea of an individual being targeted externally to an organization in order to exploit his access to internal resources via remote access channels.

Targeting devices that aren’t PCs and therefore probably don’t have an explicit malware detection mechanism would reduce the likelihood of early detection of device-specific malware. Payloads that would take advantage of device-specific functionality would require significant research and development, but who, a few years ago, would have given much thought to the likelihood of malware targeting uranium enrichment centrifuges?

The likelihood of mass-market security software especially designed for the whole range of devices that might be exploitable isn’t great. The companies making such devices would have to be prepared to discuss potential intrusive or disruptive attacks against such devices in the design and planning stages, and how countermeasures might be implemented, with specialist security companies. I guess we can only hope that the makers of a whole range of devices will devote more thought to building in sound security and update mechanisms for internet-connected devices. My own experience in healthcare in the decade before this one, and Bring Your Own Device (BYOD) issues in more recent years, suggest that it will take substantial evidence before manufacturers truly appreciate that they are making exploitable networked computer systems rather than isolated devices.

However, the fact that eavesdropping, sabotage and other attacks are or may be possible in surprising contexts doesn’t mean that they’re likely. The internet may have elements of the Wild West (and always did), but it hasn’t turned into a gigantic stage set from 1984, even if a laptop or television screen can sometimes behave like Big Brother’s telescreens. (That’s the 1984 Big Brother, not the TV unreality show.)

Nor are we all now players in a universal game of Cluedo where Professor Plum is likely to be bumped off by Wi-Fi-controlled sabotage of his pacemaker, Colonel Mustard and his library is about to be set on fire by a subverted heating system, or Miss Scarlett might die of a seizure induced by flashing lights controlled by a tablet app. There may be more possibilities for exotic attacks in a world where even your toilet may be online, and security company PR offices are having lots of fun flagging such exotica, but what is possible in cybercrime usually only actually happens if someone sees a substantial profit in developing an attack.

David Harley
ESET Senior Research Fellow

Channel Cybercrime: Bug allows hackers to hijack screen of Philips TVs
http://www.welivesecurity.com/2014/03/28/channel-cybercrime-bug-allows-hackers-to-hijack-screen-of-philips-tvs/
Fri, 28 Mar 2014 13:28:55 +0000

Hackers could take control of Philips ‘smart TVs’ and broadcast their own ‘shows’ to watching families, thanks to a ‘fixed’ password which allows nearby attackers easy access to the set’s Wi-Fi adapter.

Hackers could take control of Philips ‘smart TVs’ and broadcast their own ‘shows’ to watching families, thanks to a ‘fixed’ password which allows nearby attackers easy access to the set’s Wi-Fi adapter.

A hacker within Wi-Fi range of any 2013 Philips Smart TV can replace the image on screen with video or images of his choosing (useful, for instance, for phishing attacks, by creating a bogus login screen), and can read files on USB devices attached to the set.

Researchers at ReVuln demonstrated the attack in a video, showing how private data such as browser cookies for sites used by the set’s owner could be remotely accessed.

Ars Technica’s Dan Goodin described the attack as leaving televisions “wide open” – and said that the attack occurred in seconds, without anything being visible to the user, even as the attacker plundered files from USB sticks and the TV’s browser.

“Once someone has connected to the Miracast-enabled Wi-Fi network, they can use publicly available software to download any personal files that may be contained on USB drives plugged in to the Philips Smart TV. More troubling, connected devices can steal the highly sensitive browser cookies that many websites rely on to authenticate users when they access their private accounts.”

The vulnerability (a video demonstration is shown here) cropped up in new firmware for Philips 2013 Smart TVs, which includes a hard-coded password for the devices’ “Miracast” access point that cannot be changed by users. This means hackers within range have a ‘key’ to access affected sets.

Independent security researchers ReVuln say, “The recent firmware released by Philips for their 2013 models of SmartTV (6/7/8/9xxx) have the WiFi Miracast feature enabled by default with a fixed password and no PIN or request of permission for new WiFi connections. The impact is that anyone in the range of the TV WiFi adapter can easily connect to it and abuse all the nice features offered by these SmartTV models.”

TP Vision, the vendor of the Philips Smart TV range, says, “We recognize the security issue as reported by ReVuln linked to Miracast on the high end 2013 Philips TVs. Our experts are looking into this and are working on a fix. In the meantime we recommend customers to switch off their Miracast function of the TV to avoid any vulnerability. (Quick help: Press the HOME button – navigate to Set up – select Network Settings – Select Miracast – set to OFF).”

The company is currently working on a more permanent fix for the issue – but sets from other manufacturers may also be vulnerable. The ‘screen mirroring’ function used to gain access is certified by the Wi-Fi Alliance, and Miracast is merely Philips’ brand for a technology present in several brands of ‘smart’ TV.

PRISM-proof system could turn servers into spook-proof fortresses
http://www.welivesecurity.com/2014/03/27/prism-proof-system-could-turn-servers-into-spook-proof-fortresses/
Thu, 27 Mar 2014 14:38:51 +0000

A young MIT student has invented a new system for storing data which could offer protection against unscrupulous colleagues - and even against the hi-tech tentacles of government organizations with “back doors” into corporate servers.

A young MIT student has invented a new system for storing data which could offer protection against unscrupulous colleagues – and even against the hi-tech tentacles of government organizations with “back doors” into corporate servers.

The system, Mylar, takes a different approach to data storage – data is stored in encrypted form on servers at all times (as opposed to the usual practice of storing such data unencrypted). The user’s browser decrypts the data, at a speed which means users “won’t notice a difference.”

MIT describes the system as PRISM-proof – in that, even if a system requests data from the server, it will be delivered in encrypted form, according to MIT Technology Review. Creator Raluca Popa says, “You don’t notice any difference, but your data gets encrypted using your password inside your browser before it goes to the server. If the government asks the company for your data, the server doesn’t have the ability to give unencrypted data.”

Other sites made much of the idea that the system would be ‘spy proof’ – although it obviously protects against just one tactic employed by intelligence agencies, rather than providing blanket protection. Mylar is not simply a data safe, though, as revealed by Popa’s paper: it will be possible to search for files within the encrypted data, although decryption will require the user’s unique key.

The service is already being tested in Newton-Wellesley hospital in Boston – and fits into the hospital’s systems so well that the researchers had to rewrite a mere 28 lines of code to use it in the hospital. In tests, the only noticeable difference is a slight slowing of chat communication – latency of around 50ms, according to IT ProPortal.

Speaking to Boy Genius Report, University of Pennsylvania researcher Ariel Feldman believes the service can offer added protection, but says that Internet companies may not necessarily deploy such systems. “It would be a watershed moment if any of these types of systems actually got deployed to millions of users. The real obstacles to adoption are usability and the business case for deploying them.”

 

Sniffing earwax could offer icky new frontier in biometrics
http://www.welivesecurity.com/2014/03/26/sniffing-earwax-could-offer-icky-new-frontier-in-biometrics/
Wed, 26 Mar 2014 18:33:06 +0000

For most of us, earwax is a bodily product we prefer not to think about, but a team of scientists have discovered that the substance reveals a huge amount about its creator - and could even be used to identify people.

For most of us, earwax is a bodily product we prefer not to think about, keeping it at arm’s length on the end of cotton buds – but scientists analyzing the chemicals present in the waxy substance have found that it reveals a huge amount about its creator, and could even be used to identify people. The lead scientist on the Monell Centre project said wax “could be an overlooked source of personal information.”

Scientists from the Monell Centre analysed the chemicals that give earwax its distinctive, pungent smell – and found that compounds in the wax could be used to identify the wax creator’s racial origins, with ear wax differing markedly between East Asians and Caucasians.

Network World comments that the analysis of earwax is a science in its infancy – Monell Centre describes itself as “the world’s only independent, non-profit scientific institute dedicated to interdisciplinary basic research on the senses of taste and smell.”

Thus far, the compounds in ear wax can be used to identify racial origin. Ear wax from 16 healthy volunteers was heated in vials, and the volatile compounds analysed. These odor-producing compounds differ widely between East Asian individuals and Caucasians.

“Our previous research has shown that underarm odors can convey a great deal of information about an individual, including personal identity, gender, sexual orientation, and health status,” said study senior author George Preti, PhD, an organic chemist at Monell. “We think it possible that earwax may contain similar information.”

Preti found that waxy-eared individuals were also more likely to have smelly armpits – a gene known as ABCC11 is related both to underarm odor production and also to whether a person has wet or dry earwax.

Scientists from the Monell Center have used analytical organic chemistry to identify the presence of odor-producing chemical compounds in human earwax. Further, they found that the amounts of these compounds differ between individuals of East Asian origin and Caucasians. The findings suggest that human earwax, an easily obtained bodily secretion, could be an overlooked source of personal information.

“Odors in earwax may be able to tell us what a person has eaten and where they have been,” said Preti. “Earwax is a neglected body secretion whose potential as an information source has yet to be explored.”

Future studies will examine these possibilities.

Network World commented, “So, be warned, your identity, ethnicity, and lifestyle could all potentially be revealed unless you shower a lot and keep your ears very clean. Just wait until the TSA droid at the checkpoint asks you to lift your arm…”

Tumblr adds “nuclear defense system” (well, 2FA) to shield users
http://www.welivesecurity.com/2014/03/26/tumblr-adds-nuclear-defense-system-well-2fa-to-protect-users/
Wed, 26 Mar 2014 16:58:34 +0000

Popular blogging service Tumblr has become the latest web giant to add two-factor authentication as an “extra layer” of security for users - describing its new measure as a "nuclear defense system" armed with twin keys.

Popular blogging service Tumblr has become the latest web giant to add two-factor authentication as an “extra layer” of security for users – describing its new measure as a “nuclear defense system” armed with twin keys.

It’s an option accessible via the site’s settings menu, and it means Tumblr joins the ranks of other social sites such as Facebook, Twitter and Evernote in offering the feature to users who fear they might be a target for hackers.

IT Pro Portal reports that the new measure was introduced after a mysterious “breach” eight months previously.

The new option is available to all users via the Settings page – users toggle the “two-factor authentication” button, then verify their phone number. The site texts users a six-digit confirmation code, which expires within two minutes.

TechRadar comments, “Whether the new measures will be welcomed by the community on Tumblr is yet to be seen. Traditionally extra steps on sign-in screens have been cited as tiresome and repetitive to websites using them.”

TechCrunch points out that while the new security measure remains optional, it brings Tumblr on par with other tech giants such as Facebook and Google. Users can opt to verify their phone using either a code delivered by SMS or via an app.

Tumblr said in a blog post, “The smile of a loved one. Your childhood blanket. A handsome bodyguard to take you in his arms. “Security” can mean a lot of things in this crazy life, but nothing says “security” like Tumblr’s two-factor authentication. It’s available as an option in your Settings page as of right now.”

“You know how you need two keys to launch a nuclear missile? Two-factor authentication works like that. One key is your password, the other key is your cellular phone, and you need both to access your Tumblr Dashboard.”

Banks and online gaming services already use “authenticators” extensively – but online services such as Twitter, Evernote and Dropbox have added two-factor systems to boost security. The mass adoption of smartphones has meant that 2FA apps have become a cheaper security measure for businesses.

Two-factor systems are far more secure than passwords alone – many high-profile hacks, such as those against the Twitter accounts of media organizations last year, could not have happened if a 2FA system had been in place.

ESET’s experts offer an in-depth guide to the advantages of two-factor authentication – and when it’s not necessary – in this how-to guide.

Time to Move On From Windows XP
http://www.welivesecurity.com/2014/03/25/time-to-move-on-from-windows-xp/
Tue, 25 Mar 2014 19:06:27 +0000

Windows XP comes to an end of sorts on April 8, 2014. After this, Microsoft will cease providing security updates or support for this venerable operating system. ESET discusses implications and resources.

The world today is a much different place than it was in 2001 when Microsoft released Windows XP. With Windows XP Microsoft combined features to handle games and multimedia for consumers, and to provide stability and reliability for businesses. This strategy made for a wildly popular operating system. Now, thirteen years later, Windows XP comes to an end of sorts on April 8, 2014. After this, Microsoft will cease providing security updates or support for this venerable operating system.

Consider how your own use of technology has changed, in the last 13 years: In 2001, my home PC had an Intel Pentium 4 processor that ran at 1.8GHz and a gigabyte of RAM. Today, my home PC has an Intel Core i7 processor that runs at 3.7GHz and 32 gigabytes of RAM. While the processor in today’s PC appears to be only twice as fast as my computer from 2001, such comparisons are misleading. The actual difference in performance between the two is closer to 60-fold, and even faster for some operations. And my Internet connection? That went from just under a megabit-per-second to 20 megabits, a twenty-fold increase in speed.

Technology evolves, and just as our computers have changed, so has the software they run. Microsoft Windows is no exception to the rule, especially when it comes to security.

Numerous updates to Windows XP were released over the years, including three giant Service Packs in 2002, 2004 and 2008 that not only fixed numerous vulnerabilities that had left Windows XP open to attack, but added new features. In 2007, Microsoft’s struggle to release the successor to Windows XP ended with the release of Windows Vista. Microsoft then resumed releasing operating systems on a two-year cycle. Windows 7 arrived in 2009 and Windows 8 in 2012, just a little behind schedule.

Each new version of Windows has not only brought new features, but greatly strengthened security. The six-year gap between Windows XP and Windows Vista and the lackluster response to Windows Vista meant that a lot of computers remained on Windows XP. Those computers remained vulnerable to attacks that, if they were not blocked completely by newer versions of Windows, were at least much more difficult for attackers to exploit successfully.

What you can do

If your home or business PC is still running Windows XP, it is not too late to upgrade.

I do not recommend going to Windows Vista, simply because support for it will be ending in 2017. Microsoft will stop supporting Windows 7 in 2020, and Windows 8.1 in 2023. From a security perspective, Windows 8.1 is a great improvement, but the interface is very touch-focused. Unless you are using a touchscreen, you might be better off upgrading to Windows 7 or using a program that makes the Windows 8.1 interface more like an earlier version of Windows. Computers running Windows 7 are still available from stores and computer manufacturers online.

The business-focused editions of Windows 7 (Professional, Ultimate and Enterprise) can run Windows XP Mode, which embeds the older version of Windows inside the new one. This might let you run a last remaining application requiring Windows XP, at least until it is replaced. Keep in mind that Windows XP Mode suffers from the same issues as Windows XP itself; it is a bridge to replacing Windows XP, not a means of prolonging XP’s life. Windows XP Mode is not available for Windows 8.1.

XP Questions and Answers

Q: What exactly happens on April 8, 2014? Will Windows XP stop working?
A: On April 8, 2014, Microsoft will release its final security updates for Windows XP, and stop providing support and fixes for it. The operating system will still function the same way it has, and all old updates and fixes will still be available.

Q: Will all versions of Windows XP cease being supported by Microsoft after April 8, 2014?
A: No, not all. Windows XP Professional for Embedded Systems, a special version of Windows XP used in devices such as cash registers, ATMs and ticket machines, as well as various industrial and scientific equipment, will be supported until December 31, 2016. However, that date is fast approaching and if you have devices running XP Embedded you will eventually need to replace or update them.

Q: Are other Microsoft programs going to cease being supported?
A: Microsoft Office 2003 will no longer be supported after April 8, 2014. The next major end of life date is July 14, 2015, which is for Windows Server 2003. If your office has any servers left running Windows Server 2003, you should be planning on updating or replacing them as well.

Q: I have to run Windows XP and cannot upgrade or replace my PC. Is there anything I can do to protect myself?
A: Make sure that your copy of Windows XP is fully patched; all your applications are on the latest versions with the latest patches as well; your PC is not just regularly backed-up, but you are testing those backups by periodically restoring them; your PC is running up-to-date security software; and you should also be figuring out how you can move away from Windows XP to a newer version of Windows.

Q: Where can I learn more about these issues?
A: I have provided a list of resources below. You might also find my podcast on security for older systems helpful. And I have written up 5 tips for defending Windows XP machines.

Resources: Windows XP-specific

General Advice: How to secure a PC

Resources: Windows 8-specific

We will have more to say about XP’s retirement on We Live Security. Let us know your concerns and we will endeavor to address them.

Better Mac Testing: Static versus Dynamic Testing http://www.welivesecurity.com/2014/03/25/better-mac-testing-static-versus-dynamic-testing/ http://www.welivesecurity.com/2014/03/25/better-mac-testing-static-versus-dynamic-testing/#comments Tue, 25 Mar 2014 18:22:03 +0000 Better Mac Testing: Static versus Dynamic Testing http://www.welivesecurity.com/?p=40966 Dynamic or on-access Mac testing of AV products is problematical with samples for which Apple has implemented signature detection.

The post Better Mac Testing: Static versus Dynamic Testing appeared first on We Live Security.

Anti-malware testing on the Windows platform remains highly controversial, even after almost two decades of regular and frequent testing using millions of malware samples. By contrast, there is a tiny number of threats that affect OS X users, which suggests that it ought to be easier to test with a sample set that represents a high proportion of all known OS X threats. But there are also fewer prior tests on which to base test methodology, so establishing sound mainstream testing is trickier than you might think, not least because so few people have experience of such tests. But as both Macs and Mac malware increase in prevalence, the importance of testing software that’s intended to supplement the internal security of OS X increases, too.

OK. That’s more or less what it says in the abstract for our Virus Bulletin paper on the topic, but that’s because it happens to be what we think. :) Of course, we encourage you to read the paper – Mac Hacking: the Way to Better Testing? But this is the second article in a blog series based on the presentation rather than directly on the paper, offering a more concise summary of our views on Mac testing issues. The previous article is here.

The tester’s dilemma: Static testing in a dynamic threatscape

Comparative testing in the Mac world introduces an extra competitive layer. Products are not only in competition with each other, but with Apple, in that dynamic or on-access testing is only practical with samples for which Apple hasn’t implemented signature detection yet, or with samples that XProtect sigs may not catch in a real-life infection scenario: for example, in an execution context where XProtect.plist doesn’t kick in as expected and intended, because the utility doesn’t cover a specific infection vector.

In what ways might testing a Mac be easier? What can a tester do to make testing more real-world? Are there things that can reasonably be done that would make a test less realistic yet more fair and accurate?

Reconfiguring the environment and staying real-world

Admittedly, there are ways to ‘de-patch’ the relevant components of the OS, but is that real-world testing? If the OS is able to intervene because the malware is a variant that it recognizes, that’s real-world in a sense, but it’s not whole-product testing. At a time when mainstream testers are anxious to implement whole-product testing in accordance with AMTSO guidelines, it is difficult for testers to do so on OS X, whether for technical reasons or because of resource issues. (There are analogous issues on other platforms, especially mobile devices.) And that’s OK as long as it’s clear to readers of test reviews that what they’re looking at is a compromise, not a perfect reflection of a product’s capabilities in the real world. That’s because such a test is not a reliable guide to its capability regarding malware that isn’t already known and potentially neutralized. Furthermore, static testing isn’t conclusive proof of the detection that it would offer (or would have offered) in the absence of the operating system’s own defences.

Gatekeeper can be overridden manually, though that might still be a problem during an intensive test unless the Gatekeeper response is automated, or the utility is disabled completely.

The limitations of the signature-based XProtect.plist utility mean that it can be ‘evaded’. Certainly if you’re able to test before an XProtect signature is added, it’s unlikely that the utility will interfere with that testing segment. It’s possible, though, that static batch testing could still be derailed by the inclusion of samples for which a signature does exist.

The window before XProtect covers a new threat discovered by Apple’s own or other researchers has at times been days or weeks wide, leaving machines that are not protected by mainstream anti-malware exposed to potential infection, though improved communication between Apple and the AV industry has significantly reduced this problem by facilitating the exchange of samples. Any window of opportunity that is available to the malware is also available to the tester, but that window closes once an XProtect signature has been added. So most Mac testers have been almost entirely focused on retrospective testing with samples that are already ‘XProtected’, or at any rate assumed to be, unless they have access to really fresh samples, which is unusual.

Testing Longitudinally

A test run on a fully-patched system running the latest OS X versions can only be real-time if the samples aren’t detectable by active operating system utilities when opened, executed, copied and so on. Otherwise the OS won’t allow malware to execute. Testers don’t necessarily have time to spend wrestling with OS X internals. They may not have the resources to acquire, validate and test with samples before the XProtect.plist window closes, or to test longitudinally (i.e. over time) so as to accommodate that window of opportunity. Testers who do this routinely tend to be certification testers who have the capacity to run longitudinal testing because that’s essentially what their vendor customers are paying for. What we have here is an aggravated version of the dilemma already faced by testers when considering what Windows version(s) and patch levels to test with.

Testing by De-Protecting

Disabling system-integrated protection moves you away from the ‘real world’, at least as most people experience it. Not only is the system ‘untypical’ of real-life user experience, but disabling one aspect of the inbuilt security may break something else. If you’re testing in a live network scenario, you may have just introduced a risk to other vulnerable systems.

Dynamic testing on an unpatched, de-XProtected system or an earlier OS that doesn’t include XProtect is perhaps real-world in the very limited sense that unpatched and un-updated systems do undeniably exist in the real world, though the number of up-to-date scanners that will run under OS X versions predating Snow Leopard (OS X 10.6) has already decreased dramatically. And (unless you’re doing platform-specific tests) something feels very wrong about using obsolescent OS versions in order to test an additional layer of security that can’t be tested on a current OS version. ‘Breaking’ a current OS (or, indeed, an app under test) in order to isolate a single layer of tested functionality is a long way from the principles of whole-product testing and can’t be representative of the average customer’s real-world experience, but it remains a necessary compromise when testing with older malware.

Emulation and Obfuscation

Static testing of on-demand components rather than whole product testing is still too common, sometimes because static testing is cheaper and, in principle, simpler to implement, especially with large sample sets.

In many cases modern scanners do use emulation in on-demand scanning so that a program being scanned is allowed to execute harmlessly in a virtualized or emulated environment. Nonetheless, testing that assumes that ability in all contexts is not maintaining a level playing field. If sandboxing is less effective in some commercial-grade Mac security products, that may be because malicious Mac-directed programs have less need to be technically complex than their Windows-directed siblings, and that may be reflected in comparatively laid-back anti-malware technology. It’s not surprising if vendors don’t use resource-intensive technologies that are not – or not yet – needed in the context of OS X.

Mac product testing, however, has historically been based largely on the (increasingly inaccurate) assumption that the difficulties of on-access scanning need not be addressed, since Mac malware is less likely to be self-protected by the kind of anti-forensic obfuscation that characterizes so much Windows malware.

Some Mac scanners do make less use of advanced proactive detection techniques than commercial-grade Windows scanners do, even when they come from a company with Windows products. This is especially true in the context of Mac-specific threats, and in fact some products may be little more than a Mac-friendly shell around a ported Windows or Linux engine with added detection of Mac and cross-platform threats. However, it’s an oversimplification to imply that any but the most basic scanners make no use of behaviour analysis. Fortunately, some testers are now not only recognizing the problem and taking measures to counter it, but are also focusing less on raw detection and more on whole product testing, considering a whole range of factors that contribute to protecting OS X systems. AMTSO, the Anti-Malware Testing Standards Organization, has published a guidelines document on whole product testing: AMTSO Whole Product Testing Guidelines.

David Harley and Lysa Myers
ESET North America

Mark Zuckerberg invests in CAPTCHA-crushing AI which “thinks like a human” http://www.welivesecurity.com/2014/03/25/mark-zuckerberg-invests-in-captcha-crushing-ai-which-thinks-like-a-human/ http://www.welivesecurity.com/2014/03/25/mark-zuckerberg-invests-in-captcha-crushing-ai-which-thinks-like-a-human/#comments Tue, 25 Mar 2014 00:28:44 +0000 Mark Zuckerberg invests in CAPTCHA-crushing AI which “thinks like a human” http://www.welivesecurity.com/?p=41579 Mark Zuckerberg, Paypal founder Elon Musk and Ashton Kutcher have invested $40 million in an artificial-intelligence start-up, Vicarious, which can already 'read' CAPTCHA codes - and aims to mimic functions of the human brain.

The post Mark Zuckerberg invests in CAPTCHA-crushing AI which “thinks like a human” appeared first on We Live Security.

Mark Zuckerberg, Paypal founder Elon Musk and Ashton Kutcher have invested $40 million in an artificial-intelligence start-up, Vicarious, which has already sent ripples through the security community by ‘breaking’ the CAPTCHA codes used to ‘weed out’ software programs masquerading as humans.

Wired reports that the company aims to focus on creating a computer system that can mimic some of the functions of the human brain’s neocortex, an area devoted to spatial reasoning and high-level language processing.

One application of the software, Vicarious AI, achieves a success rate of up to 90% against standard CAPTCHAs used by Google, Yahoo and PayPal, which was demonstrated in a video shown off by the company last year, as reported by We Live Security here.

Wired points out that it may never be possible to simulate an entire human brain, or indeed an entire human neocortex, but a computer that could mimic even a fraction of the neocortex’s functions would change human history.

Speaking to the Wall Street Journal, Vicarious co-founder Scott Phoenix described the software as “A computer that thinks like a person. Except it doesn’t have to eat or sleep.”

Vicarious works under conditions of extreme secrecy – the WSJ reports it has not revealed its address for fear of corporate espionage – so which particular applications it is focusing on remain a mystery.

Image recognition appears to be core to its business, however. Phoenix said that one problem Vicarious aimed to solve was to form a complete idea of pictures, including texture – giving the example of computers being able to recognize the words “ice” or “table” but not “table made of ice”.

Being able to automate such tasks may have significant implications for privacy and security. Mark Zuckerberg’s investment used personal funds, rather than those belonging to Facebook (although Facebook’s own AI program is reaching “near human” levels of performance in recognizing faces, as reported by We Live Security here).

But computers which can recognize pictures in a “human” way could, for instance, bypass security measures such as Windows 8’s picture passwords – already vulnerable, according to security researchers, due to recognizable “patterns” in the way users choose points of interest, as reported by We Live Security here.

Banks such as Santander employ systems where users associate a phrase with an image as a security measure – again, a computer capable of recognizing images may disrupt, or even invalidate this as a security measure.

Last year’s demo showed software, known as Vicarious AI, achieving a success rate of up to 90% against standard CAPTCHAs used by Google, Yahoo and PayPal  – using machine learning, rather than massive amounts of computing power.

“This renders text-based CAPTCHAs no longer effective as a Turing test,” the company said in a statement. The security implications of the discovery are less clear. Speaking to the BBC, computer scientist Luis von Ahn, part of the team which developed CAPTCHA, said that it was difficult to verify the results, and that if Vicarious’s claims are true, sites may simply need to increase the distortion used in CAPTCHA images.

“Recent AI systems like IBM’s Watson and deep neural networks rely on brute force: connecting massive computing power to massive datasets,” said Vicarious co-founder D. Scott Phoenix.

“This is the first time this distinctively human act of perception has been achieved, and it uses relatively minuscule amounts of data and computing power. The Vicarious algorithms achieve a level of effectiveness and efficiency much closer to actual human brains.”

“Understanding how brain creates intelligence is the ultimate scientific challenge. Vicarious has a long term strategy for developing human level artificial intelligence, and it starts with building a brain-like vision system. Modern CAPTCHAs provide a snapshot of the challenges of visual perception, and solving those in a general way required us to understand how the brain does it”, said Vicarious co-founder Dr. Dileep George.

Vicarious says that this is just the first public demonstration of its “learning” Recursive Cortical Network (RCN) technology – and says that in future, it may be used in robotics, medical image analysis, image and video search. The company admits, though, that this is “many years” away.

“We should be careful not to underestimate the significance of Vicarious crossing this milestone,” said Facebook co-founder and board member Dustin Moskovitz. “This is an exciting time for artificial intelligence research, and they are at the forefront of building the first truly intelligent machines.”

President Obama’s BlackBerry survives assault from Korean Androids http://www.welivesecurity.com/2014/03/24/president-obamas-blackberry-survives-assault-from-korean-androids/ http://www.welivesecurity.com/2014/03/24/president-obamas-blackberry-survives-assault-from-korean-androids/#comments Mon, 24 Mar 2014 07:23:27 +0000 President Obama’s BlackBerry survives assault from Korean Androids http://www.welivesecurity.com/?p=41570 Contrary to reports late last week, the BlackBerry smartphones used by White House staffers and the President are not to be replaced by Android or Windows Phone handsets from Korean manufacturers LG and Samsung.

The post President Obama’s BlackBerry survives assault from Korean Androids appeared first on We Live Security.

Contrary to reports late last week, the BlackBerry smartphones used by White House staffers and the President are not to be replaced by Android or Windows Phone handsets from Korean manufacturers LG and Samsung.

The Wall Street Journal, quoting unnamed insiders, suggested that while Obama’s own BlackBerry was not under threat, smartphones from LG and Samsung were being tested for ‘internal use’. The news story caused a dip in BlackBerry’s stock price – the White House is one of the company’s most high-profile customers.

Few smartphones are as iconic as President Barack Obama’s faithful BlackBerry –  he was pictured with it so often during his 2008 Presidential campaign that the New York Times estimated that the “celebrity endorsement” could be worth up to $50 million to the company.

White House spokesman Jay Carney said, according to a report by ABC News, that no change was imminent, but that the White House Communications Agency was testing devices for “other areas of the administration.” The WHCA describes itself as “a one-of-a-kind military unit dedicated to providing premier, worldwide, vital information services and communications support to the president and his staff.”

President Obama was informed that he would have to give up his BlackBerry on taking office, but came to an agreement with intelligence agencies.

Silicon Beat reports that a BlackBerry spokesperson wrote a letter to the Wall Street Journal denying that the White House was considering a move away from BlackBerry handsets. Barbara Tate wrote, “Governments test new technologies frequently, but nevertheless the U.S. government continues to choose BlackBerry for its unmatched security and cost effectiveness. Other vendors such as Samsung and LG still have a long way to go to catch up to meet the government’s stringent requirements and certifications. BlackBerry’s operating system has already received the highest security approvals from the United States, Great Britain and NATO, and our latest operating system, BlackBerry 10, is already certified for high-security users in various NATO countries.”

Both Samsung and LG recently unveiled security software for their higher-end Android handsets, but reports from sites such as The Register suggested that upcoming Windows phones from the companies could be adopted instead by U.S. government agencies. The site reports that Windows Phone handsets recently overtook Android handsets in sales figures in the United States.

Venture Beat reports that BlackBerry, and its new CEO John Chen, are making efforts to ensure that their handsets retain their reputation for security – and their impressive list of state clients. Chen inaugurated a ‘security innovation’ center for the company this year, located in Washington DC. Chen said at the time, “We are committed to working with government and industry experts to solve some of the biggest challenges we face in securing mobile communication. The Washington, D.C.-based security innovation center will be focused on creating lasting partnerships that will encourage ongoing dialogue aimed at making better products and policy.”

ESET malware researcher Cameron Camp wrote an in-depth breakdown of the security features of BlackBerry’s new BB10 operating system, concluding, “While there are a myriad of external (and internal factors) that may control the trajectory of the BB 10 operating system and its handsets’ future adoption, the security stance seems like a good start. While the winds of the market forces will blow where they may, it’s good to know a company like this had the foresight to revamp the whole stack in a thoughtful, security-focused way, and the guts to go for it.”

Bitcoin fixes Mt Gox theft bug – as exchange staff find 200,000 BTC in ‘forgotten’ wallet http://www.welivesecurity.com/2014/03/24/bitcoin-fixes-mt-gox-crash-bug-as-exchange-staff-find-200000-btc-in-forgotten-wallet/ http://www.welivesecurity.com/2014/03/24/bitcoin-fixes-mt-gox-crash-bug-as-exchange-staff-find-200000-btc-in-forgotten-wallet/#comments Mon, 24 Mar 2014 00:22:49 +0000 Bitcoin fixes Mt Gox theft bug – as exchange staff find 200,000 BTC in ‘forgotten’ wallet http://www.welivesecurity.com/?p=41561 Bitcoin’s developers have released a new version of the software, which includes a long-awaited fix for the “transaction malleability” bug which is said to have brought down the Mt Gox exchange - and Mt Gox staff have 'found' 200,000 BTC in an abandoned wallet in the exchange.

The post Bitcoin fixes Mt Gox theft bug – as exchange staff find 200,000 BTC in ‘forgotten’ wallet appeared first on We Live Security.

Bitcoin’s developers have released a new version of the software, which includes a long-awaited fix for the “transaction malleability” bug said to have brought down large exchanges such as Mt Gox and Bitstamp.

The new version, called Bitcoin 0.9.0, was revealed by a bitcoin developer in a Tweet, according to ZDNet. The release notes say that this version of Bitcoin Core offers “Bug fixes and new regression tests to correctly compute the balance of wallets containing double-spent (or mutated) transactions.”

The bug allowed users to alter the unique ID of BTC transactions before they were confirmed and thus, according to ZDNet’s report, allegedly steal coins. Mt Gox blamed the “transaction malleability” bug for its loss of more than $400m in Bitcoin, and other collapsed banks and exchanges said they had fallen victim to the same bug.

VentureBeat reports that the new version of Bitcoin includes five fixes to prevent fraudulent transactions, with a function which stops “mutated transactions” being relayed, and two more functions which report double-spending and conflicting wallet transactions.
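To show what that accounting fix is about, here is an added Python example (not Bitcoin Core’s code, and not from the article): a toy wallet ledger with constructed transactions in which the copy of a withdrawal that actually confirms carries a different txid from the one the wallet broadcast. Keying conflicts on the outpoints a transaction spends, rather than on its txid, lets the wallet recognise the mutated copy instead of double-counting it, and tells it that its withdrawal did go through. All transaction IDs, addresses, amounts and field names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed data model for the example; field names are not Bitcoin Core's.
Outpoint = Tuple[str, int]   # (txid of the funding transaction, output index)
Output = Tuple[str, int]     # (receiving address, amount in satoshis)


@dataclass(frozen=True)
class Tx:
    txid: str                     # hash of the serialized tx, scriptSigs included
    inputs: Tuple[Outpoint, ...]  # outpoints this transaction spends
    outputs: Tuple[Output, ...]
    confirmed: bool               # True once the transaction is in a block


class Wallet:
    def __init__(self, addresses: List[str]) -> None:
        self.addresses = set(addresses)
        self.txs: Dict[str, Tx] = {}   # keyed by txid, as a wallet database is

    def add(self, tx: Tx) -> None:
        self.txs[tx.txid] = tx

    def owned_outputs(self, txs: Iterable[Tx]) -> Dict[Outpoint, int]:
        """Every output in txs that pays one of our addresses."""
        return {(tx.txid, i): amt for tx in txs
                for i, (addr, amt) in enumerate(tx.outputs) if addr in self.addresses}


class NaiveWallet(Wallet):
    """Pre-fix accounting: each distinct txid is treated as a distinct spend."""

    def balance(self) -> int:
        owned = self.owned_outputs(self.txs.values())
        # Two records spending the same outpoint are both debited, although an
        # outpoint can be spent only once, and both change outputs were credited.
        debits = sum(owned[op] for tx in self.txs.values()
                     for op in tx.inputs if op in owned)
        return sum(owned.values()) - debits


class OutpointWallet(Wallet):
    """Post-fix accounting: conflicts are keyed on spent outpoints, not txids."""

    def conflicts(self) -> List[Tuple[str, str]]:
        # (unconfirmed txid, other txid) pairs spending the same outpoint: the
        # unconfirmed one is a mutated copy or a double-spend and is held back.
        spenders: Dict[Outpoint, List[Tx]] = defaultdict(list)
        for tx in self.txs.values():
            for op in tx.inputs:
                spenders[op].append(tx)
        found = set()
        for txs in spenders.values():
            for tx in txs:
                if not tx.confirmed and len(txs) > 1:
                    other = next(o for o in txs if o is not tx)
                    found.add((tx.txid, other.txid))
        return sorted(found)

    def balance(self) -> int:
        excluded = {txid for txid, _ in self.conflicts()}
        live = [tx for tx in self.txs.values() if tx.txid not in excluded]
        utxo = self.owned_outputs(live)
        for tx in live:            # drop what has been spent, whatever the spender's txid
            for op in tx.inputs:
                utxo.pop(op, None)
        return sum(utxo.values())

    def spend_status(self, txid: str) -> str:
        # Judge a spend we broadcast by its inputs: looking up our own txid alone
        # would say "pending" forever once a mutated copy has confirmed.
        tx = self.txs[txid]
        if tx.confirmed:
            return "confirmed"
        for other in self.txs.values():
            if other.confirmed and set(other.inputs) & set(tx.inputs):
                return f"confirmed as {other.txid}"
        return "pending"


# Constructed scenario: one funding output, one withdrawal, one mutated copy of it.
OURS = ["ours-main", "ours-change"]
FUNDING = Tx("f0", (), (("ours-main", 10_000),), confirmed=True)
SENT = Tx("a1", (("f0", 0),), (("merchant", 7_000), ("ours-change", 3_000)),
          confirmed=False)                        # the withdrawal as we broadcast it
MUTATED = Tx("a1-mutated", SENT.inputs, SENT.outputs, confirmed=True)  # same spend, new txid


def run_scenario() -> Tuple[int, int, List[Tuple[str, str]], str]:
    naive, fixed = NaiveWallet(OURS), OutpointWallet(OURS)
    for wallet in (naive, fixed):
        for tx in (FUNDING, SENT, MUTATED):
            wallet.add(tx)
    return naive.balance(), fixed.balance(), fixed.conflicts(), fixed.spend_status("a1")


if __name__ == "__main__":
    print(run_scenario())  # (-4000, 3000, [('a1', 'a1-mutated')], 'confirmed as a1-mutated')
```

The naive ledger ends up with a negative balance because it credits the change output twice and debits the same input twice; the outpoint-keyed ledger reports the conflict, counts the spend once, and answers the question Mt Gox got wrong: the withdrawal did confirm, just under another txid.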

Early in March, Mt Gox admitted that nearly $500 million in bitcoin had “disappeared”, in a statement posted online, blaming abuse of the “transaction malleability” bug in the system.

The exchange, which filed for bankruptcy protection early in March, as reported by We Live Security here, posted a new message to its site on Monday, saying that bitcoins had been “illicitly moved through the abuse of a bug”, and that “Although the complete extent is not yet known, we found that approximately 750,000 bitcoins deposited by users and approximately 100,000 bitcoins belonging to us had disappeared.”

Meanwhile, questions remain over whether investors in Mt Gox will ever be able to reclaim their money. The exchange said this week that it had “found” 200,000 BTC in old wallets, during its bankruptcy procedures.

The Register commented, “That’s good news for creditors inasmuch as it means the exchange is “only” missing about 650,000 Bitcoin, so there’s some prospect of recovering some of their lost currency.”

The exchange said in a statement, “MtGox Co., Ltd. had certain old format wallets which were used in the past and which, MtGox thought, no longer held any bitcoins. Following the application for commencement of a civil rehabilitation proceeding, these wallets were rescanned and their balance researched. On March 7, 2014, MtGox Co., Ltd. confirmed that an old format wallet which was used prior to June 2011 held a balance of approximately 200,000 BTC (199,999.99 BTC).”

Google encrypts ALL Gmail to keep snoopers out http://www.welivesecurity.com/2014/03/21/google-encrypts-all-gmail-to-keep-snoopers-out/ http://www.welivesecurity.com/2014/03/21/google-encrypts-all-gmail-to-keep-snoopers-out/#comments Fri, 21 Mar 2014 20:06:37 +0000 Google encrypts ALL Gmail to keep snoopers out http://www.welivesecurity.com/?p=41451 Starting today, Gmail will use an encrypted HTTPS connection to check or send email, regardless of what platform users employ to access the service - and will use security measures when moving mails internally, citing fears over government snooping.

The post Google encrypts ALL Gmail to keep snoopers out appeared first on We Live Security.

Starting today, Gmail will use an encrypted HTTPS connection to check or send email, regardless of what platform users employ to access the service – and there is no longer an opt-out for Gmail users to use a less secure connection instead.

The search giant also announced that all emails will be encrypted while moving internally between Google’s data centres, as reported by IDG News Service.

Writing on the official Google Blog Nicholas Lizborski, Gmail’s Engineering Security Lead writes, “Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet.”

Geekwire points out that ordinary Gmail users will not experience a huge difference in the service – Google has supported HTTPS connections since 2008, and turned the service on for all users in 2010. At that point, though, users still had the option of switching it off. Google has removed that option today, Geekwire reports.

Citing concerns about government spying on emails, and referring obliquely to Edward Snowden, Google’s Lizborski wrote, “In addition, every single email message you send or receive—100 percent of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers – something we made a top priority after last summer’s revelations.”

PC World reported that a Google spokesperson admitted that the additional security afforded by HTTPS was achieved at the cost of a certain amount of latency (i.e. a slower connection). Speaking to PC World, the spokesperson said that Google’s engineers had taken steps to mitigate the effects on speed, and that the company believes it makes no sense to allow any user to continue using an unencrypted HTTP connection.

Master of Mavericks: How to secure your Mac using Apple’s latest update http://www.welivesecurity.com/2014/03/21/master-of-mavericks-how-to-secure-your-mac-using-apples-latest-update/ http://www.welivesecurity.com/2014/03/21/master-of-mavericks-how-to-secure-your-mac-using-apples-latest-update/#comments Fri, 21 Mar 2014 15:33:54 +0000 Master of Mavericks: How to secure your Mac using Apple’s latest update http://www.welivesecurity.com/?p=41524 Apple’s Mavericks update was the first free update to Mac OS X – itself a big step forward for security, as all Mac users can update to the latest version freely (providing their machine is up to the new software – which Apple allows you to check here). But under the bonnet of Mavericks lurk

The post Master of Mavericks: How to secure your Mac using Apple’s latest update appeared first on We Live Security.

Apple’s Mavericks update was the first free update to Mac OS X – itself a big step forward for security, as all Mac users can update to the latest version freely (providing their machine is up to the new software – which Apple allows you to check here).

But under the bonnet of Mavericks lurk an impressive number of additional security features – some of which are automatic, but some of which you have to hunt out and fine-tune for yourself.

Mastering these can help ensure your new Mac has the defenses to rebuff rogue apps, store passwords safely, and – finally – deal with the scourge of unwanted ‘friends’ on iMessage.

Don’t forget there’s a free built-in password manager

Storing passwords in the cloud – anyone’s cloud – might not immediately seem like a safe idea, but Apple’s iCloud is protected with 256-bit AES encryption, and offers far more protection than other, risky practices such as storing passwords in some internet browsers. iCloud Keychain allows you to share your (encrypted) details across PCs, iPhones and iPads, generate strong passwords, and autofill credit card information. It’s all password protected, and encrypted, so even if you lose a machine, or a handset, the criminals will not be able to see your plain text password.

Java and Flash are kept at arm’s length

Java and Flash were made to feel a little unwelcome in Mavericks – and that’s good news for the security-conscious. Even users who had installed versions of Java and Flash on the Mac found that, during the update from Mountain Lion to Mavericks, the two programs (often the bane of security professionals’ lives due to the frequency with which they were targeted by attackers) were uninstalled by default. You can, of course, install both – but Mavericks is very insistent on users having the latest version (which makes them both slightly more secure), and the apps are ‘sandboxed’, so that it’s more difficult for bad actors to misuse the software to run executable files and damage your machine.

Installing apps? Choose the right option – safe-ish, safer, or REALLY safe

The most secure option for Mavericks users is to only accept apps downloaded from Apple’s Mac App Store – which is policed for malware and offensive content, in much the same way as the App Store for iPhone is. Even approved apps CAN turn out to be malicious, but this is by far the safest option, and any rogue apps are swiftly removed by Apple when found.

For novice Mac users, this is a very safe option – although it can lock you out of some interesting software. It’s not enabled by default, but you can switch it on: visit System Preferences, General, and change the setting to “allow apps downloaded from Mac App Store”. From then on, you’ll only allow apps which have passed Apple’s approval process.

Weed out ‘bad’ apps with Gatekeeper

For a slightly more inclusive – but still safe – approach, you can also choose to allow only apps with a Developer ID (a policed list of known Apple developers which blocks known malware authors). Again, this is fairly safe. It can be overridden – by control-clicking the app and choosing to open it – but it’s a useful alert system.

“There are a bevy of new permission prompts in Mavericks,” says ESET’s Cameron Camp. “It wasn’t always the case before the upgrade. It’s more difficult to run executable stuff that’s not from the app store – there is a workaround, but it’s not obvious.”

It’s finally possible to cull your iMessage ‘friends’

Apple’s iMessage – which blends chat services and SMS – can be full of annoying ‘friends’ who know either your email or phone number, and never stop popping up. Now you can put a halt to this with a ‘block’ system, where you have two options:

  • Opt to block a single user (Messages > Preferences, then click Accounts and “Block Specific Users”). You can then add names to the list using the + button. You can also do this directly from your Buddies list by pressing the + button.
  • For a more fire-and-sword approach, you can do the same in reverse from the same menu, but instead whitelist the people who WILL be able to talk to you. Everyone else will be locked out.

Stealth malware sneaks onto Android phones, then “turns evil” when OS upgrades
http://www.welivesecurity.com/2014/03/21/stealth-malware-sneaks-onto-android-phones-then-turns-evil-when-os-upgrades/
Fri, 21 Mar 2014 15:08:16 +0000

The post Stealth malware sneaks onto Android phones, then “turns evil” when OS upgrades appeared first on We Live Security.

A new form of Android malware could bypass one of the main warning systems built into Google’s smartphone and tablet OS – allowing malicious apps to ‘sneak’ onto a phone with a relatively innocuous list of ‘Permissions’, then add new, malicious abilities during phone upgrades, according to Indiana University researchers.

For instance, an innocuous-looking game or app could remain in place until the phone or network forces an upgrade, and then could suddenly add permissions to access accounts and data within the phone – allowing it to work as a password stealer. The process would happen without the phone user even being aware, according to CITEworld.

The app would install with a low level of permissions (many Android users now inspect the list, as it can include security risks such as reading phone calls or sending premium messages, as reported by WeLiveSecurity here), and thus ‘pass under the radar’, according to CITEworld’s report.

Writing in a blog post, the Indiana University researchers found that it was possible to install apps with either no Permissions – which an app reveals to a user as it installs, such as ‘Access to SD Card’ – or a few innocuous ones, then add more sinister functions when the operating system is upgraded.

On many Android phones, OS upgrades are pushed out by operators when available, and users are urged to update to the newest version for security reasons.

However, the Indiana University researchers found that, while the OS upgrade may well fix security loopholes, quietly upgrading the Permissions of an unknown app may allow malware near-complete control of the device. Any OS upgrade allows apps “to automatically acquire significant capabilities without users’ consent once they upgrade to newer versions,” the researchers wrote.

The researchers warn that the flaw affects ALL Android users worldwide, regardless of the age of their handset.

According to Threatpost’s report, the flaw involves the Package Management System which Google uses to update apps. When dealing with older versions of Google’s OS, the software improperly vets the privileges selected by apps, the site reported.

The researchers write, “Such capabilities include automatically obtaining all new permissions added by the newer version OS, replacing system-level apps with malicious ones, injecting malicious scripts into arbitrary webpages, etc. We call these vulnerabilities Pileup flaws (privilege escalation through updating). In total, we discovered six Pileup flaws in the code of Android OS. Those flaws affect all the Android devices worldwide, posing serious threats to billions of Android users who are actually encouraged to update their systems.”

Many apps – such as Facebook’s – have come under fire for Permissions which alter after the app has been installed. For instance, Facebook now requires the ability to turn a smartphone’s Wi-Fi connection on and off, as reported by We Live Security here. Most have innocent explanations. A video showing

Protecting against apps which ask for further permissions after install is difficult. Apps built to go online update frequently, for perfectly valid security reasons – and often without alerting the users, at least not as clearly as the alerts on Android’s built-in Permissions menu.

“As Facebook users have noted over the last few weeks, for example, their Android app is now demanding access to SMS / MMS, calendar events, and WiFi control,” commented The Register.

Google’s solution for this was withdrawn rapidly, and a rash of new apps, including one supported by antivirus veteran John McAfee, aims to fill what users feel is a gap in Google’s OS. It’s relatively common for seemingly innocuous apps to hide malicious functions in the “permissions” screen – a list of data which the app requires access to.

A We Live Security guide to spotting ‘bad’ apps from good can be found here.

Target breach optioned as Sony feature film
http://www.welivesecurity.com/2014/03/21/target-breach-optioned-as-sony-feature-film/
Fri, 21 Mar 2014 03:54:02 +0000

The post Target breach optioned as Sony feature film appeared first on We Live Security.

The Target breach, and in particular the role of respected security blogger Brian Krebs in breaking the story, has been optioned as a feature film by Sony. The studio has bought the rights to the New York Times article, “Reporting From the Web’s Underbelly,” which told Krebs’ story in the wake of his exclusive revelations about the data breach at Target.

The Hollywood Reporter writes that the studio envisions the story as a “cyber thriller” set in the “high stakes world” of cybercrime.

Mashable reports that the studio has recruited Richard Wenk, writer of its recent version of The Equalizer, and action sequel The Expendables 2, to write the script.

Krebs’ blog, Krebs on Security, broke the story of the Target breach late last year, revealing that a large number of American debit and credit card details had been leaked from the retailer. The story had been leaked to Krebs, a former reporter at the Washington Post, via officials at American credit card issuers.

In February this year, Nicole Perlroth’s profile article for the New York Times offered a portrait of Krebs, describing incidents such as Russian cybercriminals attempting to frame him with heroin purchased from the Silk Road “online drug market” (reported by We Live Security here), and describing how Krebs landed a string of exclusive stories, including several key revelations about the Target breach.

Perlroth described Krebs as, “A former reporter at The Washington Post who taught himself to read Russian while jogging on his treadmill and who blogs with a 12-gauge shotgun by his side.”

Facebook’s ‘Deepface’ photo-matching is nearly as good as human brains
http://www.welivesecurity.com/2014/03/19/facebooks-deepface-photo-matching-is-nearly-as-good-as-human-brains/
Wed, 19 Mar 2014 19:24:43 +0000

The post Facebook’s ‘Deepface’ photo-matching is nearly as good as human brains appeared first on We Live Security.

Facebook’s ‘Deepface’ photo-matching software can now ‘recognize’ pairs of human faces with an accuracy just a fraction of a percentage point behind human beings – a huge leap forward in the technology, which some see as having potentially alarming implications for privacy.

Deepface can now match two previously unseen photos of the same face with 97.25% accuracy – humans can do the same with around 97.5% accuracy, a difference which TechCrunch describes as “pretty much on par”.

Facebook uses its current facial recognition software to ‘tag’ people in photos, which is used widely around the world. Although Deepface is a research project, and unrelated to the technology used on the site, it “closes the vast majority of the performance gap” with human beings according to the Facebook researchers behind it (PDF research paper here), and can recognise people regardless of the orientation of their face, lighting conditions and image quality.

Publications such as Stuff magazine describe the technology as “creepy”, saying that were it implemented “in the wild” it should make site users “think twice” about posting images such as “selfies.”

Deepface uses deep learning – an area of AI which uses networks of simulated brain cells to ‘recognize’ patterns in large datasets, according to MIT’s Technology Review – to leap ahead of current technology.

Yaniv Taigman of Facebook’s AI team says, “You don’t normally see that sort of improvement. We closely approach human performance.”

The leap forward in performance cuts the error rate by more than 25% – achieved, Taigman says in Facebook’s brief description of the milestone, by 3D modeling faces and using a “nine-layer deep neural network” to analyze 120 million parameters. Business Insider describes the process as akin to using the 3D software to turn faces “forward” for comparison.

Deepface was “trained” using a dataset of four million facial images belonging to 4,000 individuals, Taigman says.

“Our method reaches an accuracy of 97.25% on the Labeled Faces in the Wild (LFW) dataset, reducing the error of the current state of the art by more than 25%,” Taigman says, noting that the software is “Closely approaching human-level performance.”

In a paper entitled Deepface: Closing the Gap to Human-Level Performance in Face Verification, Taigman and his co-authors write, “We believe that this work, which departs from the recent trend of using more features and employing a more powerful metric learning technique, has addressed this challenge, closing the vast majority of this performance gap [as compared with humans],” saying that Deepface can be applied to various populations, regardless of pose, illumination or image quality.

“Our work demonstrates that coupling a 3D model-based alignment with large capacity feedforward models can effectively learn from many examples to overcome the drawbacks and limitations of previous methods.”

Google Glass spyware lets snoopers “see through wearer’s eyes”
http://www.welivesecurity.com/2014/03/19/google-glass-spyware-concept-lets-snoopers-see-through-wearers-eyes/
Wed, 19 Mar 2014 15:45:06 +0000

The post Google Glass spyware lets snoopers “see through wearer’s eyes” appeared first on We Live Security.

Spyware which stealthily takes photographs using Google Glass’s built-in camera and uploads them to a remote server without the user being aware has been demonstrated successfully on the eyepiece – despite Google’s policies explicitly forbidding programs which disable the screen while the camera is in use.

The spyware was designed by two California Polytechnic students, Mike Lady and Kim Paterson, who disguised their program as a note-taking app (albeit with a name that offers a clue to its actual function, Malnotes), and successfully loaded the app, which takes a photo every ten seconds and uploads it to the internet, according to Ars Technica’s report.

Google’s policies forbid programs which take pictures when its wearable Glass eyepieces are turned off – but there is nothing to stop users doing so, Forbes reported.

“The scary thing for us is that while it’s a policy that you can’t turn off the display when you use the camera, there’s nothing that actually prevents you from doing it,” Paterson told Forbes’ Andy Greenberg.

“As someone who owns Glass and wants to install more apps, I’d feel a lot better if it were simply impossible to do that. Policies don’t really protect us.”

The pair were able to upload Malnotes successfully to Google’s Play store, but were unable to sneak the app into the curated MyGlass store for Google Glass, Ars reports. Paterson noted that many Glass apps are currently “sideloaded” – i.e. not installed via official stores, but using developer tools in debug mode – as Glass is still in prototype.

“A lot of Glass developers are just hosting their apps from sites just to let other people try it. It’s sort of a wild-wild west atmosphere since very few apps are being released through the MyGlass store,” Paterson told Forbes. Paterson warned that if a user left Glass unattended, it would be easy to install such software without the wearer even being aware of its presence.

Google’s Glass eyepieces remain a hot topic for privacy advocates. Speaking to Business Insider, Daen de Leon, a software engineer, says that 13 bars and restaurants in San Francisco have an explicit “no Glass” policy, as well as others in Seattle, and Oakland, California.

After an incident in which a Google Glass wearer was allegedly assaulted in a bar in Lower Haight for wearing the eyepieces, de Leon spoke to regulars and says that he “found her assumption that, as a complete stranger, she could enter a bar and just start recording regular customers without their permission quite disturbing.”

Revenue Service breach may have leaked data on 20,000 employees
http://www.welivesecurity.com/2014/03/19/revenue-service-breach-may-have-leaked-data-on-20000-employees/
Wed, 19 Mar 2014 15:42:47 +0000

The post Revenue Service breach may have leaked data on 20,000 employees appeared first on We Live Security.

Personal data for around 20,000 workers for the U.S. Internal Revenue Service (IRS), including names, social security numbers and addresses may have been exposed on the internet, after an employee plugged a thumb drive into a computer on an unsecured home network.

The breach affects 20,000 employees and ex-employees who worked in Pennsylvania, New Jersey and Delaware, the IRS said in a statement. No details about taxpayers, or tax records, were leaked in the breach, according to NBC’s report.

The commissioner of the IRS, John Koskinen, said that an unencrypted thumb drive had been plugged into an unsecured home network, meaning that the information had been potentially available to third parties online, according to news agency Reuters.

Koskinen said that, “At this point we have no direct evidence to indicate that this personal information has been used for identity theft or other inappropriate uses.” Many of the employees affected by the breach no longer work for the IRS, Koskinen said, and the agency would reach out to ex-employees to offer free identity theft monitoring, according to NBC’s report.

Koskinen said that the drive contained “sensitive personnel information, including names, Social Security numbers and addresses, of some employees, former employees and contracted employees.”

ABC News reported that Republican Dave Camp, chairman of the House Ways and Means Committee, said, “In the past, the IRS has released personal taxpayer information to the public, and has not been able to effectively prevent and detect identity theft. This latest report is concerning. The IRS has repeatedly broken the American people’s trust, and the Ways and Means Committee will take a thorough look into this incident.”

Better Mac Testing? How OS security can make AV testing harder
http://www.welivesecurity.com/2014/03/19/better-mac-testing-how-os-security-can-make-av-testing-harder/
Wed, 19 Mar 2014 01:04:55 +0000

As Mac malware increases in prevalence, testing security software that supplements OS X internal security gets more important and more difficult.

The post Better Mac Testing? How OS security can make AV testing harder appeared first on We Live Security.

Anti-malware testing on the Windows platform remains highly controversial, even after almost two decades of regular and frequent testing using millions of malware samples. While Macs have fewer threats, there are also fewer prior tests on which to base test methodology, so establishing sound mainstream testing is trickier than you might think, not least because so few people have experience of it. But as both Macs and Mac malware increase in prevalence, the importance of testing software that’s intended to supplement the internal security of OS X increases, too. OK. That’s what it says in the abstract for our recent Virus Bulletin paper, but that’s because it happens to be what we think. :)

Of course, we encourage you to read the paper – Mac Hacking: the Way to Better Testing? But this is the first article in a blog series, based on the presentation rather than directly on the paper, giving a more concise summary of our views.

Windows versus OS X: infection rates

We’re not about to give an airing to the usual fanboi ‘Windoze bad, OS X impregnable’ stuff. But compared to the hundreds of thousands of Windows-targeting samples ESET’s lab sees on a daily basis, the total number of unique OS X samples is tiny. We were going to count them before we presented the paper, but forgot to bring the magnifying glass.

Surely Mac testing, with that tiny potential sample population, must be less contentious, with few threat families and generally lower infection rates? That tiny population makes finding a statistically meaningful number of samples less difficult for a tester with a comprehensive, up-to-date collection. Testing with all known Mac malware may be almost as quick – for a static test, at least – as using a smaller percentage of the most prevalent samples or families.


So what features and scenarios make Mac testing so much trickier? Apple’s intensive work on enhancing OS X security with internal detection of known malware has inadvertently driven testers back towards the static testing model from which Windows testing has moved on. How could Mac anti-malware testing be made easier and more similar to real-world scenarios? Can a test be less realistic and ‘real world’ yet more fair and accurate?

Windows testing has moved on from static testing – at least, the better testers have. But there are testing scenarios that are more-or-less unique to Macs and OS X, and offer unique challenges.

In recent years, the handful of threats has not just increased in number, but has in at least one case affected dramatic numbers of users. In fact, the percentage increase in the number of threats over the last year or two has been dramatic, but that is in part because the starting figure was so low.

OS X has seen a steady trickle of generic malware with the occasional Flash Flood to keep the stats above water. Flashback to the Future, you might say. In 2012, OSX/Flashback pushed the number of infected machines way, way up to 600,000 – 700,000 or 2.1%, depending on whose blog and marketing literature you read. At any rate, an impressive number considering the Mac’s market share compared to Windows, and that figure is not just an outlier.

From the outset, many profit-motivated threats for OS X have been “multi-platform” or were created by the same gangs that have long been attacking Windows users. The most consistent recent growth area in Mac malware, however, has been targeted attacks, not generic, untargeted malware.


OS X almost seems to attract proportionally more in the way of APTs, mostly targeting Non-Governmental Organizations (NGOs), presumably for political reasons. Statistics may also be misleading because, in some cases, once samples are shared Apple embeds some form of countermeasure into the OS itself.

Securing the OS

Apple and Microsoft demonstrate comparable performance over time on vulnerability patching and on proactive defensive technologies like application sandboxing. While historically Apple has been low-key in its discussion of OS X malware, increasing volumes of Mac threats have seen Apple move towards a closer, but not particularly public, relationship with the anti-malware industry, as well as towards generic technical countermeasures. However, the inclusion of its own anti-malware components in OS X has introduced unexpected complexities into the product-testing arena, considering the simplicity of the components.

XProtect

Apple started to include signature detection within the operating system with XProtect. Unlike Windows Defender, it cannot be directly compared to a full-blown commercial anti-virus/anti-malware product, but it is enough like an AV scanner to raise concerns about whether it can meet Mac users’ expectations.

XProtect.plist is intended to help detect malware purely reactively. The detections are quite specific, don’t cover all known threats and types of threat, and there is no heuristic or generic detection to help detect new malware or variants. However, it effectively stymies dynamic testing on systems where the sample is known and detection has been added to XProtect.plist.

XProtect.meta.plist has recently been used to take a higher-level approach to preventing potential malware attacks, primarily by preventing older browser plugins (namely Java and Flash) from working.

Some people are seeing what may be differences in Mavericks as regards the implementation of XProtect, but the core functionality seems to be the same.
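To make the “purely reactive, no generic detection” point concrete, here is an added example (not Apple’s code, and not from the Virus Bulletin paper) that models an XProtect-style signature list. It builds a constructed plist in roughly the shape of XProtect.plist – the Description/Matches/MatchType/Pattern keys are assumed from that shape, real entries carry further keys, and the match rule is simplified to an exact substring search – loads it with plistlib, and runs it over a few constructed byte strings. A sample that differs from the signed pattern by a single byte is missed, which is exactly why a sample already added to XProtect.plist stops a dynamic test while an unlisted variant or family is untouched.

```python
import plistlib

# Constructed signature list in roughly the shape of XProtect.plist (assumption:
# real entries also carry LaunchServices/MatchFile keys, omitted here). The
# patterns are made up for this example; they are NOT real malware signatures.
CONSTRUCTED_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.ConstructedSample.A</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>CAFEBABE0000000200000012</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key>
    <string>OSX.ConstructedSample.B</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>5B5374616765325D</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def load_signatures(plist_bytes):
    """Parse an XProtect-style plist into [(name, [pattern_bytes, ...]), ...]."""
    signatures = []
    for entry in plistlib.loads(plist_bytes):
        patterns = [bytes.fromhex(m["Pattern"])
                    for m in entry["Matches"] if m.get("MatchType") == "Match"]
        signatures.append((entry["Description"], patterns))
    return signatures


def scan(data, signatures):
    """Return the name of the first signature whose patterns all occur in data,
    or None. Exact byte match only: no wildcards, no heuristics, no generics."""
    for name, patterns in signatures:
        if patterns and all(p in data for p in patterns):
            return name
    return None


def coverage_report(samples, signatures):
    """Map each sample label to the detection name, or None if it was missed."""
    return {label: scan(data, signatures) for label, data in samples.items()}


# Constructed samples (not real files): the signed sample, a one-byte variant of
# it, a second listed family, and a family that was never added to the list.
SAMPLES = {
    "known": b"\xca\xfe\xba\xbe\x00\x00\x00\x02\x00\x00\x00\x12payload",
    "variant": b"\xca\xfe\xba\xbe\x00\x00\x00\x02\x00\x00\x00\x13payload",
    "stage2": b"dropper text [Stage2] more text",
    "new_family": b"bytes the list has never seen",
}

SIGNATURES = load_signatures(CONSTRUCTED_XPROTECT_PLIST)

if __name__ == "__main__":
    for label, verdict in coverage_report(SAMPLES, SIGNATURES).items():
        print(f"{label:>10}: {verdict or 'not detected'}")
```

Run as a script it prints one line per sample; only “known” and “stage2” are caught, and the one-byte variant goes through undetected, which is the coverage gap a tester has to account for when a sample set overlaps with what Apple has already signed.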

Gatekeeper

Gatekeeper is OS X’s approximate (and less strenuously enforced) equivalent to the walled garden of iOS and the App Store.


It has three basic settings:

  • Install and run only apps from the Mac App Store
  • Also install and run apps that have a Developer ID
  • Install and run apps from anywhere.

Control-clicking allows you to override your chosen default setting, so the decision remains with the user (and Mavericks offers an additional option for bypassing it). Gatekeeper can be helpful when a threat relies solely on social engineering to get you to infect your system, but if the malicious app is signed and appears legitimate, or exploits a vulnerability not (yet) patched in order to install silently, it is ineffective. Both Gatekeeper and XProtect will ignore a file copied from fixed media or via applications that aren’t on their select list of applications to monitor, or if it’s one of the file-types OS X considers safe. And neither monitors files on egress.

There is a risk that signature protection built into the OS might do more harm than good: in this case because Apple’s customer base will tend to overestimate the effectiveness of any measure Apple does take, in the same way that they already overestimate the value of the free anti-malware tools already available, irrespective of platform. In fact, not all threats detected by anti-malware ever get added to XProtect: malware that is less ‘dangerous’ or prevalent may never be included, which is unfortunate if you’re one of its few victims (whatever you may understand by ‘few’). Bear in mind that many recent Mac threats are highly targeted, aimed at activists among particular ethnic groups and NGOs.

In the next article in this series we’ll look at the tester’s dilemma: static testing in a dynamic threatscape.

David Harley & Lysa Myers
ESET North America

Over 500,000 PCs attacked every day after 25,000 UNIX servers hijacked by Operation Windigo
http://www.welivesecurity.com/2014/03/18/attack-unix-operation-windigo/
Tue, 18 Mar 2014 13:55:40 +0000

Malware researchers at ESET have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers. Learn more about how to check your systems for compromise, and prevent innocent computer users from being attacked.

The post Over 500,000 PCs attacked every day after 25,000 UNIX servers hijacked by Operation Windigo appeared first on We Live Security.

If you run a website on a Linux server or are responsible for the security of your company’s Unix servers, there’s something very important you should do right now.

Researchers at ESET, in collaboration with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies, have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers.

And if your system is found to be infected, experts strongly recommend you re-install the operating system, and consider all credentials used to log into the machine as compromised. In short, if you are a victim, all passwords and private OpenSSH keys should be changed.

The attack, which has been given the name “Windigo” after a mythical creature from Algonquian Native American folklore, has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from compromised machines.

Spam sent from Windigo-affected server

That would be bad enough, normally.

But in this case, malicious hackers have also been using hijacked web servers to infect visiting Windows PCs with click fraud and spam-sending malware, and display dating website adverts to Mac users.

Even smartphone users don’t escape – finding their iPhones redirected to X-rated content, with the intention of making money for the cybercriminals.

[Image: Windigo redirects iPhone users to X-rated websites]

ESET’s security research team has published a detailed technical paper into “Operation Windigo”, and says it believes that the cybercrime campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years.

“Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.

In its attempt to hijack servers and infect computers, Windigo uses a complex knot of sophisticated malware components including Linux/Ebury (an OpenSSH backdoor and credential stealer that was the subject of a detailed investigation by ESET researchers earlier this month), Linux/Cdorked, Perl/Calfbot, Linux/Onimiki, Win32/Glupteba.M, and Win32/Boaxxe.G.

During a single weekend, ESET researchers observed more than 1.1 million different IP addresses going through part of Windigo’s infrastructure, before being redirected to servers hosting exploit kits.

An analysis of the visiting computers revealed a wide range of operating systems being used.

[Image: Victims by operating system]

This in itself threw up some light relief, as researchers discovered that “23 people apparently still browse the Internet on Windows 98, and one person even does it on Windows 95.”

Léveillé and his fellow researchers are appealing to Unix system administrators and webmasters to run the following command, which will tell them whether their server is compromised:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

That single Unix command should quickly tell you whether Windigo has seriously compromised your system, and whether you need to take steps to clean up and better protect your servers in future. It works because a clean OpenSSH client of that era rejects -G as an “illegal” or “unknown” option, while a compromised one accepts it silently. Further details on how to tell if your server has been compromised are included in ESET’s technical white paper on Operation Windigo [PDF].
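The one-liner above is easy to run by hand but awkward to roll out across a fleet or to read back in a ticket. The script below is an added example for this article, not ESET’s own tooling: it wraps the same “illegal/unknown option” logic in named functions so it can be tested on captured output, and it adds one caveat a defender needs to know: OpenSSH 6.8 and later accept -G as a legitimate option (it prints the effective client configuration), so on those versions the raw check prints “System infected” on a perfectly clean host. The script therefore reads the banner from ssh -V and reports “inconclusive” instead of a verdict when the installed OpenSSH is 6.8 or newer, or is not OpenSSH at all. The sample banners and usage strings in the comments and usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ESET's code): the Windigo/Ebury "ssh -G" check as
# testable functions, plus an OpenSSH version guard.
# Assumption stated in the lead-in: OpenSSH >= 6.8 treats -G as a real
# option, which makes the original one-liner a false positive there.

# classify_g_output OUTPUT -> prints "clean" or "suspect".
# Same rule as the published one-liner: an unmodified client rejects -G
# with an "illegal option" / "unknown option" error; a client that
# accepts -G (and prints only its usage text) is suspect.
classify_g_output() {
    case "$1" in
        *illegal*|*unknown*) echo clean ;;
        *)                   echo suspect ;;
    esac
}

# parse_openssh_version BANNER -> prints "MAJOR MINOR", or nothing if the
# banner does not look like OpenSSH (e.g. "dropbear v2019.78").
# Example banner: "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014"
parse_openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# version_has_legit_G MAJOR MINOR -> exit 0 when the version is >= 6.8,
# i.e. when -G is a documented option and the trick proves nothing.
version_has_legit_G() {
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }
}

# assess VERSION_BANNER G_OUTPUT -> "clean", "suspect" or "inconclusive".
assess() {
    g_verdict=$(classify_g_output "$2")
    ver=$(parse_openssh_version "$1")
    if [ -z "$ver" ]; then
        echo inconclusive          # not OpenSSH: the -G behaviour is undefined
        return
    fi
    set -- $ver                    # word-split "MAJOR MINOR" into $1 and $2
    if version_has_legit_G "$1" "$2"; then
        echo inconclusive          # -G is legitimate here; use other IoCs
    else
        echo "$g_verdict"
    fi
}

# run_check -> runs the real ssh binary on this host and prints the verdict.
# ssh -V writes its banner to stderr, so both streams are captured.
run_check() {
    assess "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
}

# Only touch the live ssh binary when explicitly asked:  sh windigo-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Invoke it as `sh windigo-check.sh --run` on the host being examined. A “suspect” result means what ESET’s one-liner means (the client accepted -G on an OpenSSH build that should have rejected it), and the response is the one the article gives: treat the machine as compromised, reinstall, and rotate every password and private key that touched it. “Inconclusive” is not a clean bill of health; it only says this particular test cannot speak for that build, so the other indicators in ESET’s paper have to be used instead.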

Learn more now:
Download ESET’s detailed technical paper about “Operation Windigo”
