We Live Security
http://www.welivesecurity.com
News, Views, and Insight from the ESET Security Community
Wed, 22 May 2013 14:21:09 +0000

Small business cybercrime costs $6,000 a year, says British group
http://www.welivesecurity.com/2013/05/22/small-business-cybercrime/
Wed, 22 May 2013 13:04:09 +0000, by Editor

The post Small business cybercrime costs $6,000 a year, says British group appeared first on We Live Security.

Small business cybercrime costs an average of £4,000 ($6000) a year, according to the British Federation of Small Businesses (FSB).

A report by the group found that 41 per cent of the FSB’s membership have been a victim of cybercrime in the past year. The most common threat is virus infections, with 20% of small businesses falling victim – while 8% have been victims of hacking and 5% have suffered security breaches.

In total, cybercrime costs small business £785 million ($1.1 billion) a year. But the Federation of Small Businesses says the cost to the wider economy could be even greater, as small businesses avoid using the internet for fear of cyber attacks. Previous FSB research shows that only a third of businesses with their own website use it for sales.

Small businesses are responding to the threat – 36% of respondents regularly install security patches, and six out of ten claim to regularly update antivirus software. Only 20% say they have taken no steps to protect themselves against cybercrime.

Mike Cherry, the National Policy Chairman, Federation of Small Businesses, said: “Small business cybercrime poses a real and growing threat and it isn’t something that should be ignored. Many businesses will be taking steps to protect themselves but the cost of crime can act as a barrier to growth.

“For example, many businesses will not embrace new technology as they fear the repercussions and do not believe they will get adequate protection from crime.”

Xbox One Kinect microphone “always on” security fears
http://www.welivesecurity.com/2013/05/22/xbox-one-kinect-microphone/
Wed, 22 May 2013 13:01:10 +0000, by Editor

The Xbox One Kinect microphone – one of the hi-tech new features of Microsoft’s new console – has raised security concerns since it “listens” to users even when the console is turned off.

Technology site The Verge likened the new console to the Telescreen from 1984, saying that the Xbox One Kinect microphone function raised concerns about the information available if the machine were to be compromised by a malicious actor.

The function is part of the console’s Kinect controller, which is now part of the Xbox One package. The new Xbox One has voice and gesture control built into its operating system.

Saying, “Xbox on” to the Kinect will switch on the console – which means that the console must “listen” constantly for commands, even when supposedly switched off. At Microsoft’s launch event in Seattle, demonstrators described the peripheral as the “eyes and ears of the living room”.

The sensor offers a Full HD infrared view, and is so sensitive it can read users’ heartbeats via tremors and colour changes invisible to the naked eye.

The news raised concerns among fans. “I think it’s creepy that you can say ‘Xbox on’ and it will turn on. It means it’s always listening to you,” said one Twitter user.

The Verge suggested that the “always on” microphone could have serious implications for privacy – possibly more so even than Google Glass. “The new Xbox could pose greater privacy implications – especially if the system, which many users will connect to the internet, is compromised remotely by a malicious actor,” said the site.

Cyber attacks on America “will get worse”, warns NSA director
http://www.welivesecurity.com/2013/05/21/cyber-attacks-on-america-will-get-worse/
Tue, 21 May 2013 12:43:17 +0000, by Editor

Cyber attacks on America will continue to escalate, according to National Security Director Keith Alexander, speaking to the Reuters Cybersecurity Summit in Washington.

“Disruptive and destructive attacks on our country will get worse,” said Alexander, the leading U.S. general in charge of the nation’s cybersecurity. “Mark my words, it will get worse.”

Speaking at the Reuters Cybersecurity Summit in Washington last week, Alexander described cyber espionage as “the greatest transfer of wealth in history.”

U.S. Secretary of Homeland Security Janet Napolitano said at the same summit that her main concern was with “the known unknown”.

Napolitano said that the recent heist which used ATMs around the world to withdraw $45 million via prepaid debit cards offered an illustration of the scope of cybercrime. The attack targeted prepaid credit cards. By raising the limit on cloned cards the hackers were able to withdraw “unlimited” funds for short periods. In New York, the hackers withdrew $2.8 million in hours.

“We don’t have the identity of all the adversaries who are trying to either commit crimes or acts over the cyber networks,” said Napolitano. “The things we know about, we can deal with. It’s the known unknown.”

Computer viruses “are making a comeback”, says Microsoft
http://www.welivesecurity.com/2013/05/21/computer-viruses-making-comeback/
Tue, 21 May 2013 09:11:18 +0000, by Editor

Computer viruses are making a comeback, according to Microsoft’s Director of Trustworthy Computing – with numbers rising globally in 2012.

Tim Rains says that for several years, computer viruses have been “out of favour with attackers”, but points to statistics showing that they have made a comeback in 2012, at least in certain territories.

Writing on the Microsoft Security Blog, Rains says, “I have rarely seen the virus threat category found on more than 5 percent of systems with detections globally. But more recently I have noticed that viruses seem to be making a comeback. The relative prevalence of viruses has been trending up. The prevalence worldwide for the virus threat category was 7.8 percent in the fourth quarter of 2012.”

Rains says that for the past few years, “Viruses simply didn’t support the profit motive many attackers had in the same way that Trojan downloaders and droppers, miscellaneous Trojans, and password stealers and monitoring tools all did.” But new threats designed to steal information are sparking a comeback.

Rains says that computer viruses proliferate in countries with low levels of broadband penetration, such as Egypt, Indonesia and Ethiopia, where software is updated rarely, and infection rates can be as high as 40%.

Pointing to the success of Win32/Sality, a family of polymorphic file injectors found on 8,204,434 computers worldwide, Rains says, “Sality is one of the top five detections on Windows XP. Sality hasn’t been as successful on newer versions of Windows. Sality’s success proves that file infectors can still be successful. Unlike computer viruses from yesteryear, attackers today are trying to steal information, sometimes by turning on computers’ microphones and cameras.”

Rains says that defending against such threats is “relatively easy” – suggesting users update their system software frequently, and also run real-time antivirus, as well as using caution with removable media such as USB sticks and external hard drives.

FBI shares information on cyber attacks with US banks
http://www.welivesecurity.com/2013/05/19/fbi-shares-info-on-cyber-attacks-with-us-banks/
Sun, 19 May 2013 20:14:57 +0000, by Editor

The FBI has offered temporary security clearances to officers from financial institutions in order to share information with US banks on the repeated cyber attacks which have disrupted online banking websites in recent months.

Bank security officers were invited to a classified video conference held at 40 FBI field offices around the country, according to FBI Executive Assistant Director Richard McFeely.

The video conference offered insight into “who was behind the keyboards,” according to McFeely, speaking at the Reuters Cybersecurity Summit.

Customer accounts have not been put at risk by the attacks – although the sustained DDoS attacks have meant it has been impossible to access bank websites. One NBC report claimed that the websites of 15 major banks were offline for a total of 249 hours in six weeks earlier this year.

Earlier this year President Barack Obama signed an executive order to improve information-sharing between companies and branches of government, saying, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

Banks such as Wells Fargo and Bank of America were first attacked in September 2012, by a group calling itself Izz ad-Din al-Qassam Cyber Fighters. The attacks have continued since then. McFeely declined to discuss who was behind the attacks, or other details of the continuing investigation.

McFeely said that the one-day security clearances are part of an effort to communicate more effectively with victims of cybercrime, admitting that the agency had been “terrible” in the past. “That’s 180 degrees from where we are now,” McFeely said.

McFeely said, “The first time we bring someone in from out of the country in handcuffs, that’s going to be a big deal.”

Mainstream media only offer a “snapshot” of scope of cybercrime, says British intelligence head
http://www.welivesecurity.com/2013/05/17/mainstream-media-only-offer-a-snapshot-of-scope-of-cybercrime-says-british-intelligence-head/
Fri, 17 May 2013 18:01:25 +0000, by Editor

Mainstream media reports offer a mere “snapshot” of the scope of cybercrime, according to the head of British intelligence agency GCHQ (Government Communications Headquarters).

“Cyberspace is contested every day, every hour, every minute, every second,” said Sir Iain Lobban, Director of GCHQ.

Sir Iain contributed an article entitled “Countering the cyber threat to business” to the Spring 2013 edition of the Institute of Directors Big Picture policy journal. Sir Iain said that although cyber attacks are now reported frequently in the media, the reports still fail to capture the scope of cybercrime.

“GCHQ’s cutting-edge technology adds a unique perspective on the issue, illuminating the threats in cyberspace. And I have to say that the incidents I see described in the media are just a snapshot of what is going on,” he wrote. “On average, 33,000 malicious emails a month are blocked at the gateway to the Government Secure Intranet – they contain sophisticated malware, often sent by highly capable cyber criminals or by state-sponsored groups. And a far greater number of e-mails, comprising less sophisticated malicious e-mails and spam, is blocked each month.”

Sir Iain set out a guideline entitled 10 Steps to Cyber Security in the article, saying “The responsibility to manage your organisation’s cyber risks starts and stops at board level. Basic information risk management can stop up to 80% of the cyber attacks seen today.”

Financial Times becomes latest victim of Syrian Twitter hackers
http://www.welivesecurity.com/2013/05/17/financial-times-becomes-latest-victim-of-syrian-twitter-hackers/
Fri, 17 May 2013 17:49:17 +0000, by Editor

The Financial Times has become the latest victim of Twitter hackers, after activists hacked accounts belonging to the newspaper, and also defaced areas of the FT site.

The activists identified themselves as the Syrian Electronic Army, and posted messages saying, “Hacked By Syrian Electronic Army,” in place of headlines on the FT’s technology blog.

Links to YouTube videos purportedly showing executions carried out by Syrian rebel groups were posted to the newspaper’s Twitter feeds. The hacks triggered renewed calls for Twitter to improve its security, according to a Reuters report. Twitter blamed spear-phishing for the spate of recent attacks on accounts owned by media companies.

“Various FT blogs and social media accounts have been compromised by hackers and we are working to resolve the issue as quickly as possible,” the paper said in a statement.

The Syrian group has claimed responsibility for several high-profile attacks against media groups, including an attack on the main Associated Press Twitter account where hackers sent out bogus “news” about an attack on President Obama. The AP Tweet caused panic on stock markets, wiping 143 points off the Dow Jones in minutes. The group has also claimed responsibility for recent hacks against Britain’s The Guardian newspaper, and news organizations such as NPR, CBS and the BBC.

In the wake of attacks this month, Twitter sent out an email to media groups saying, “We believe that these attacks will continue, and that news and media organizations will continue to be high value targets to hackers.”

Twitter has provided media companies with guidelines on how to resist such hacks, including steps such as designating specific PCs to access company Twitter accounts.

Twitter has also been reported to be testing two-factor security systems. ESET Senior Research Fellow David Harley explains the benefits of two-factor authentication in a post here.

Targeted information stealing attacks in South Asia use email, signed binaries
http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/
Thu, 16 May 2013 10:15:56 +0000, by Jean-Ian Boutin

Detailed analysis of a targeted campaign that tries to steal sensitive information from different organizations throughout the world, but particularly in Pakistan.

[Update: Norman released a comprehensive white paper profiling the group behind these attacks]

In the past few months, we have analyzed a targeted campaign that tries to steal sensitive information from different organizations throughout the world, but particularly in Pakistan. During the course of our investigations we uncovered several leads that indicate this threat has its origin in India and has been going on for at least two years. The journey began with a code-signing certificate and an exploit and the scope of the investigation has widened ever since. In this blog post, we will highlight several interesting artifacts of the campaign, but more will be revealed in my upcoming presentation at the 7th International CARO Workshop in mid-May.

Code signing certificate

For part of this campaign a code signing certificate was used to sign malicious binaries and improve their potential to spread. This certificate was issued in late 2011 to an Indian company called Technical and Commercial Consulting Pvt. Ltd., based in New Delhi.

Code signing cert used to improve the spread of malware

When we started our investigation, the certificate had been revoked for files signed after March 31st 2012. We contacted VeriSign with evidence that this certificate had been used maliciously since it was issued and they promptly revoked the certificate unconditionally. Overall, we found more than 70 signed malicious binaries using this certificate. Since each signed sample comes with an authoritative timestamp, it is possible to draw a timeline depicting when these binaries were produced:

Figure 1 Timeline of signing times. Black lines represent one sample signing time

From the information we gathered, the attackers were actively signing malicious binaries from March until June 2012. Then, there is a gap in the timeline, from the beginning of July until the beginning of August 2012. We then see another spike in certificate usage (even though it had already been revoked) in August and September 2012. There are several possible explanations as to why there is a gap during the summer of 2012, but it is likely that this was the off-season for both the attackers and their targets.

Although the investigation started with this code signing certificate, we then discovered several similar unsigned samples that were used in this campaign. Some of them were collected as far back as early 2011.

Droppers and decoy documents

The first infection vector we saw was using the famous CVE-2012-0158 vulnerability. This vulnerability can be exploited by a specially crafted Microsoft Office document and allows arbitrary code execution. In the case we analyzed, a two-stage shellcode is executed when the user opens an RTF document. First, the shellcode sends information about the system to the domain feds.comule.com and then downloads a malicious binary from digitalapp.org.

The other infection vector we found used PE files disguised as Microsoft Word or PDF documents, most likely distributed through email. When the user executes the file, the malicious program downloads and executes additional malicious binaries (more on these executables below). To evade suspicion by the victim, a decoy Word document is shown to the user. We have identified several different documents that followed different themes.

One of these themes is the Indian armed forces. We do not have inside information as to which individuals or organizations were really targeted by these files. However, based on our detection metrics, it is our assumption that people and institutions in Pakistan were targeted.

The text in this first document seems to be a collage of various sources. The fake PDF document was delivered through a self-extracting archive called “pakistandefencetoindiantopmiltrysecreat.exe”:


This other PDF document was delivered through an executable called “pakterrisiomforindian.exe”:

In this case, the text comes from the Asian Defence blog, a blog aggregating Asian military news. Our telemetry data shows that this file was first seen in August 2011 on a system in Pakistan.

Payloads

We found many different types of payloads installed by the droppers, all of them geared towards exfiltrating data from an infected computer to the attackers’ servers. The following table groups the binaries in different families and details their general characteristics.

Downloader: Downloads executables from the C&C and executes them.
Document uploader: Searches for and uploads documents (csv, pdf, doc, docx, xlsx, etc.) found in the trash and in the “My Documents” folder.
System information gathering: Sends information about the infected system to the C&C using GET requests. It uses WMI to gather information on the infected system such as: antivirus installed on the machine; OS version; presence of files to upload.
Keylogger: Records keystrokes and sends the log to the attacker’s server using POST requests.
Screenshot: Takes a screenshot of the desktop and sends it to the C&C.
Connect-back shell: Continually tries to connect back to a hardcoded IP address and allows the attacker to open a remote command shell.
Public tools: We found two public tools (WebPassView and Mail PassView) from NirSoft, signed by the malicious certificate. These legitimate tools can be used to recover passwords used in email clients or stored in browsers.
Self-replication through removable drives: Monitors removable drive insertion events and copies different malware files to the inserted drive. It tries to lure the user into executing one of the copied files by renaming it with an existing folder name and hiding the latter.

The information stolen from an infected computer is uploaded to the attacker’s server unencrypted. The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation. The screenshot below shows a typical keylogger log:

The logs are very verbose and display the active window, the characters typed and the special keys in brackets. Since these logs are sent unencrypted, it is easy to detect the presence of an infected machine on your network by examining your HTTP network traffic.
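The detection idea in the previous paragraph, worked as an added example (not code from the post): because the keylogger POSTs its logs in cleartext, a proxy or HTTP capture can be scored for window-title lines and bracketed special keys. The log layout, host names and requests below are constructed to match the post’s description, not taken from the samples.

```python
"""Flag HTTP POSTs whose body looks like cleartext keylogger output.

Added example; not code from the ESET post.  The post says the logs show
the active window, the typed characters and special keys in brackets, and
go out unencrypted in POST requests; the exact layout below is constructed
to match that description, not taken from the samples.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    host: str
    path: str
    body: str


# Special keys as a keylogger renders them, e.g. "[ENTER]" or "[F5]".
_SPECIAL_KEY = re.compile(
    r"\[(?:ENTER|BACKSPACE|TAB|SHIFT|CTRL|ALT|ESC|DEL|CAPS LOCK|F\d{1,2}"
    r"|UP|DOWN|LEFT|RIGHT)\]",
    re.I,
)
# A line announcing the foreground window, e.g. "[Window]: Inbox - Outlook".
_WINDOW_LINE = re.compile(
    r"^\s*\[?(?:active window|window|title)\]?\s*[:\-]", re.I | re.M
)


def keylog_score(body: str) -> int:
    """Heuristic score: one per special-key token, two per window-title line."""
    return len(_SPECIAL_KEY.findall(body)) + 2 * len(_WINDOW_LINE.findall(body))


def find_keylog_exfil(requests: list[HttpRequest], min_score: int = 4) -> list[HttpRequest]:
    """Return POST requests whose cleartext body scores like a keylog.

    Encrypted or compressed bodies would score zero; this only works because
    the campaign described in the post sent its logs in the clear.
    """
    return [
        r for r in requests
        if r.method.upper() == "POST" and keylog_score(r.body) >= min_score
    ]


# Constructed proxy records: one keylog upload, one benign JSON POST that
# happens to contain a bracketed token, and a GET beacon.  Hosts are fake.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "c2.example.invalid", "/logs/upload.php",
                "[Window]: Inbox - Outlook\n"
                "dear sir[SHIFT] please find attached[ENTER]\n"
                "[Window]: Login - Internet Banking\n"
                "user01[TAB]s3cret[BACKSPACE]1[ENTER]\n"),
    HttpRequest("POST", "api.example.invalid", "/v1/events",
                '{"event": "keypress", "key": "[ENTER]"}'),
    HttpRequest("GET", "c2.example.invalid", "/info.php?av=none&os=XP", ""),
]


if __name__ == "__main__":
    for r in find_keylog_exfil(SAMPLE_REQUESTS):
        print(f"keylog exfil suspected: POST {r.host}{r.path} "
              f"(score {keylog_score(r.body)})")
```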

In terms of persistence, many binaries we have analyzed add an entry in the Windows startup menu with a deceptive name. The screen shot below shows an example of such a startup menu:

While this technique allows the different components of the attack to be launched after each system reboot, it cannot be labelled as stealthy. Since targeted attacks usually try to stay under the radar as long as possible, we were surprised to see this technique used in this case.

C&C infrastructure

Most of the analyzed binaries contain a URL from which additional components are downloaded or to which an infected system’s content is uploaded. Sometimes, the C&C URL appears unencrypted in the binary. Other times, it is trivially encoded using a simple one-character rotation (ROT-1) as depicted below:

“gjmftbttpdjbuf/ofu” in the binary decodes to “filesassociate.net”
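A decoder for the ROT-1 scheme described above, as an added example that is not part of the original post. The post’s own sample (“gjmftbttpdjbuf/ofu” becoming “filesassociate.net”, with “/” turning into “.”) shows the shift applies to every byte, not only letters, so the decoder subtracts one from each byte and then scans a constructed sample buffer for printable runs that decode to host names; it also reports URLs stored in cleartext, as the post says some samples do. The sample bytes and host names are constructed.

```python
"""Decode ROT-1-obscured C&C strings and hunt for them in a binary blob.

Added example; not code from the ESET post.  The post's sample,
"gjmftbttpdjbuf/ofu" -> "filesassociate.net", shows even '/' becoming '.',
so the rotation is applied to every byte, not only to letters.
"""
from __future__ import annotations
import re


def rot1_decode(data: bytes) -> bytes:
    """Undo the one-character rotation: subtract 1 from every byte."""
    return bytes((b - 1) & 0xFF for b in data)


def rot1_encode(data: bytes) -> bytes:
    """Apply the rotation the malware uses before storing a string."""
    return bytes((b + 1) & 0xFF for b in data)


# A printable run of at least 8 bytes, the kind of thing `strings` yields.
_RUN = re.compile(rb"[\x21-\x7e]{8,}")
# A host name with at least one dot, optionally with scheme and path.
_HOST = re.compile(
    rb"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/[\x21-\x7e]*)?$", re.I
)


def find_c2_candidates(blob: bytes) -> list[tuple[str, str]]:
    """Return (encoding, host) pairs found in the blob.

    'plain' marks URLs stored in cleartext, 'rot1' marks runs that only
    look like a host after the byte-wise shift is undone.
    """
    hits = []
    for match in _RUN.finditer(blob):
        run = match.group()
        if _HOST.match(run):
            hits.append(("plain", run.decode("ascii")))
        decoded = rot1_decode(run)
        if _HOST.match(decoded):
            hits.append(("rot1", decoded.decode("ascii")))
    return hits


# Constructed sample "binary": junk bytes, a cleartext URL, the post's
# rotated domain, and a second rotated URL.  None of these are real C&C.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03junk\x00"
    + b"http://example.invalid/upload.php\x00\x00"
    + b"gjmftbttpdjbuf/ofu\x00\x00"
    + rot1_encode(b"http://c2.example.invalid/gate.php")
    + b"\xff\xfe"
)


if __name__ == "__main__":
    for encoding, host in find_c2_candidates(SAMPLE_BLOB):
        print(f"{encoding:5s} {host}")
```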

We uncovered more than 20 domains linked to this campaign. While some still had an active DNS record, most of them did not resolve to an IP address. Using historical data around these domains, we were able to discover where these sites were hosted. It turns out that almost a third of all domains were hosted by OVH. This web hosting service has a reputation for hosting malware and spam content. In a recent HOSTExploit report it was ranked number 5 in the top 50 hosts for concentration of malicious activity served from an Autonomous System.

Most of the domain names are very close to real site or company names. This is a common tactic to try to conceal the true purpose of the C&C server. Two examples are “wearwellgarments.eu” and “secuina.com”. The former is very close to a real website called “wearwellgarments.com” while the latter looks like a misspelling of information security firm Secunia.

Origins of the malicious files

Analyzing this campaign allowed us to identify a few key indicators pointing to the geographic origin of these malicious files. We believe they all come from India. First, the code signing certificate was issued to an Indian company. In addition, all the signing timestamps are between 5:06 and 13:45 UTC, which is consistent with 8-hour work shifts falling between 10:36 and 19:15 in Indian Standard Time. This might seem a bit late, but considering that signing the binary is the last step in the development effort, it is likely that the malware authors were living in this time zone.

We also found several strings in the binaries that are related to Indian culture. In several scripts, a variable called ramukaka is used:

Ramu Kaka is a typical Bollywood-style servant in a house. Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit.

The most compelling argument is found in our telemetry data. We found that many malware variants tied to this campaign appeared in the same location over a very small period of time. Each variant had only minor differences from each other, strongly suggesting an attempt by a malware creator to evade detection by our product. These files all appeared in the same region of India.

Infection statistics

Our telemetry data shows that Pakistan is heavily affected by this campaign. The following graph shows the detection distribution we have observed for all the malicious files we linked to this campaign in the last two years.

Thanks to our sinkholing of three domain names used by this campaign, we were also able to gather statistics on the geographical location of infected hosts.

As one can see, the regional distribution presented in the last two graphs is very different. Ukraine and Kazakhstan account for three quarters of all IP addresses seen during the sinkholing operation. This difference could be explained if each domain is used only for a specific sub-operation of this campaign. If that were the case, the sinkhole data we are seeing would only be a very partial view of the whole campaign.

Conclusion

This post examined evidence of a far-reaching targeted campaign aimed at different targets throughout the world. Our analysis indicates that the entire campaign originates from India. Although we have seen a number of infections throughout the world, it seems that the most prominent target is Pakistan. Targeted attacks are all too common these days, but this one is certainly noteworthy for its failure to employ advanced tools to conduct its campaigns. String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work.

SHA1 Hashes


Detection Names

Below are ESET threat names related to this case:

Win32/Agent.NLD worm
Win32/Spy.Agent.NZD trojan
Win32/Spy.Agent.OBF trojan
Win32/Spy.Agent.OBV trojan
Win32/Spy.KeyLogger.NZL trojan
Win32/Spy.KeyLogger.NZN trojan
Win32/Spy.VB.NOF trojan
Win32/Spy.VB.NRP trojan
Win32/TrojanDownloader.Agent.RNT trojan
Win32/TrojanDownloader.Agent.RNV trojan
Win32/TrojanDownloader.Agent.RNW trojan
Win32/VB.NTC trojan
Win32/VB.NVM trojan
Win32/VB.NWB trojan
Win32/VB.QPK trojan
Win32/VB.QTV trojan
Win32/VB.QTY trojan
Win32/Spy.Agent.NVL trojan
Win32/Spy.Agent.OAZ trojan

 

ESET Mobile Security scores full marks in banking Trojan test
http://www.welivesecurity.com/2013/05/15/eset-mobile-security-scores-full-marks-in-banking-trojan-test/
Wed, 15 May 2013 16:29:49 +0000, by Editor

ESET Mobile Security has scored full marks for detecting mobile banking Trojans, in a group test conducted by Germany’s AV-TEST, a leading independent security research institute.

In a group test of 11 security apps, ESET Mobile Security detected 100% of threats.

“AV-TEST checked 11 security apps to see if they were able to detect newly discovered apps infected by hidden banking Trojans,” says ESET Senior Research Fellow Righard Zwienenberg. “Attackers are spreading apps named ‘EV-SSL-Zertifikat’ or ‘Smart 1.2 App Security’.”

The test results were, Zwienenberg says, “only partially soothing”. Six out of 11 apps failed. Only five detected all 11 of the threats in the test – among them ESET Mobile Security.

“The detection rate went down heavily with other vendors,” says Zwienenberg.

“Right now, criminals are spreading several apps infected by Trojans. The malware attempts to intercept mobile TANs (transaction authentication numbers) on the smartphone and thus enable transactions to third-party bank accounts. AV-Test’s advice is: do not install apps from unknown sources and be certain to use a security app on your smartphone.”

Earlier this month, Poland’s influential CHIP magazine awarded ESET Smart Security its top prize in its antivirus product category.

Government regulation poses challenges for bank security, says Australian banker
http://www.welivesecurity.com/2013/05/15/government-regulation-could-harm-bank-security-says-australian-banker/
Wed, 15 May 2013 15:30:35 +0000, by Editor

Government regulation of IT security poses challenges for bank security teams, a leading Australian bank IT security expert has claimed. Regulation forces companies to focus on complying with rules, and may divert attention from other areas, said Andrew Dell, head of IT security services at the National Australia Bank.

“The regulatory environment which we must navigate continues to increase in complexity and is increasingly prescriptive,” Dell said. “Government and regulators are getting more interested not only in how secure we are, but how we secure.”

“Changes in regulation are taking away our ability to protect in the way we see fit, and telling us what controls we need where. That’s not wrong, but it presents a new challenge to how we find and implement infrastructure.”

“We have to become much more agile and proactive – how we look at, how we react to cybercrime. Our posture is changing from ‘observe and analyse’ to ‘detect and respond’,” Dell said, speaking at the 2013 Trend Micro Evolve conference, as reported by The Register. “Possibly our biggest challenge is that criminals don’t have funding cycles.”

Dell said that departments increasingly had to make a “business case” for new security measures, according to CSO.
