
Apr 10, 2013

The Quake's Aftershock: 3 Reminders


Most of us witnessed and felt the shaking of the buildings we were in yesterday afternoon. After the sirens went off, I had to climb down 20 floors by stairs before heading to my car and evacuating the area.

As an Information Security Consultant, whose life revolves around saving and protecting data, I have three points that apply to everyone:



1- Is your Business Continuity Plan in place? Have you tested it?

We all claim we have amazing plans to recover from incidents that disrupt business operations, yet almost no one has put them to the test until Mother Nature does it for them. I didn't see many organizations yesterday shifting to their Business Continuity Site and resuming operations!

  • Test your plan
  • Educate your staff about it

2- Disaster Recovery: It's different from Business Continuity.

Just imagine for a second that the shake we felt made your data center look like my little brother's toy room. It didn't burn, and you may have lost nothing, but right now nothing works. You are offline!

Having a disaster recovery plan would have spared you the tension, the pressure and the all-nighter spent sorting out that mess. But again, have you tested it? Many organizations I know have a disaster site ready and fully operational. But almost no one tests how fast they can take the latest backup tape, recover that data at the disaster site, and how fast employees can connect there and resume operations.


Now, for my sake, imagine you have all of the above covered. But you forgot to assign roles to your staff, so you still have to call people and give the orders manually in the middle of the panic!


  • Test the recovery of your backup tapes periodically.
  • Assign responsibilities and train your staff to back each other up when needed.





3- Data, Data, and Data. Avoid hearing "I didn't save that file!"

While most organizations claim they have sophisticated backup solutions in place, and all brag about how much they spent on them, they fail a simple test I usually do: I go to a workstation, create a document on the desktop, save it, and then shut the machine down. While the clients give me weird looks, I ask them to please recover that file and tell me what I typed in it.

Most go to their data center, slide that server panel out and try to dig the file out. Other times, the system administrator immediately tells me, "Haha, funny, it's not saved on the user drive, therefore it's not backed up." I smile and ask, "When you create a document, where is the most intuitive place to save your file before moving it to the user drive that's backed up? Of course, the desktop."


Losing a financial projections Excel sheet that a senior manager has been working on since morning is not a position you want to be in, trust me!



P.S.- It's funny to note that after feeling the whole tower shaking, most people chose to go to the fire drill spots. It's not a fire drill! If the building is shaking, you get the hell out of there, as far away as you can. Had the building collapsed, it would have been right on your head! I'm sure most towers are not built with earthquakes in mind, nor do they have a safety procedure to check before tenants go back to the office.


Jan 14, 2013

Skynet, the potential use of Tor as a bulletproof botnet


"In September 2012 the German security firm G Data Software detected a botnet with a particular feature: it is controlled from an Internet Relay Chat (IRC) server running as a hidden service of the Tor network.
There are pros and cons to this design choice. Of course the greatest advantage lies in the difficulty of locating the command and control (C&C) servers, due to the encryption of the connections inside the network and the unpredictability of the routing of the information; the most important disadvantages are the complex implementation and the latency in communication.
Usually botnets host Command & Control (C&C) machines on hacked or rented servers, but this exposes the malicious structures to the risk of being taken down or hijacked. Security firms generally take over C&C servers and the associated domains, hijacking traffic to different controlled hosts with a technique known as “sinkholing”.
Thanks to sinkholing it is possible to study the botnet deeply and decapitate it, but sometimes it is not possible to follow this approach because botmasters acquire hosting services from providers that guarantee the operators that they won’t respond to abuse complaints nor cooperate with takedown requests. These providers are commonly known as “bulletproof hosting” and they are well known to the cybercrime industry.
The idea is not new: security engineer Dennis Brown proposed it for the first time during the Defcon conference in 2010, but the discovery I’m presenting confirms the efficiency of the concept and its diffusion. Security experts from the security firm Rapid7 have detected a botnet controlled by servers located in the Tor network.
The botnet, named Skynet, can fulfill different tasks such as mining bitcoin or providing bot agents to involve in cyber attacks such as DDoS attacks or spamming. To do this it includes several components, such as an IRC-controlled bot, a Tor client for Windows, a Bitcoin mining application and a variant of the famous Zeus malware to steal banking credentials.
The malware is able to receive commands submitted through the IRC channels the bot connects to; the IRC server is provided as a Tor Hidden Service and uses the following nickname pattern: [NED-XP-687126]USERNAME. The malicious code also includes modules for packet flooding to use in DDoS attacks.
Recently I wrote many articles highlighting the great interest in the bitcoin currency scheme demonstrated by cybercrime; one of the most common monetization schemes is the possibility of abusing victims’ computational capabilities to mine coins. The author of Skynet has demonstrated great attention to Bitcoin mining: the malware includes the “CGMiner” open-source bitcoin miner, which is able to support CPU and GPU mining. The Skynet bot installs a couple of hooks to detect user activity on the PC (WH_MOUSE and WH_KEYBOARD); in this way it can start mining bitcoins only after two minutes of inactivity and immediately stops when the user interacts with the desktop again. The original idea proposed on Reddit describes the mining with the following statements:
  “My Botnet only mines if the computer is unused for 2 minutes and if the owner gets back it stops mining immediately, so it doesn’t suck your fps at MW3. Also it mines as low priority so movies don’t lag. I also set up a very safe threshold, the cards work at around 60% so they don’t get overheated and the fans don’t spin as crazy.”
The mining activities are managed by the botmaster with an open source application called “Bitcoin Mining Proxy” that allows the assignment of pools to the miners.
Another interesting feature of the Skynet botnet is that each bot itself becomes a Tor relay, increasing the size of the network and the maximum sustainable load.
Summing up, the principal advantages of a botnet based on Tor are:
  • The botnet traffic is encrypted, which helps prevent detection by network monitors.
  • By running as a Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers.
  • Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing.
  • The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.
Every machine in the botnet is under the complete control of the botmaster, who steals sensitive information and banking credentials from the victim, but what is really interesting is that the Command and Control (C&C) servers are accessible only from within the Tor network through the Hidden Service protocol. The Hidden Service protocol was designed to provide a huge list of services such as Internet Relay Chat (IRC) while masking the IP addresses of the servers that provide them and of the clients that access them; none of the actors involved is able to determine the identity of the other participants.
The Italian Claudio Guarnieri, researcher at Rapid7, has published an interesting post on community.rapid7.com on the botnet; he suggested that the botnet is the same one described in a post published on Reddit some months ago, titled “IAmA a malware coder and botnet operator, AMA”.
“Long story short, Tor, due to its design and internal mechanics, makes it a perfect protocol for botnets. Because of this, all critical communications of Skynet to its C&C servers are tunneled through a Tor SOCKS proxy running locally on compromised computers,” said Guarnieri.
Rapid7 researchers provided interesting information on the current status of the botnet, which has reached a number of bots between 12,000 and 15,000, a surprising size that exceeded the expectations of its creators as described in the post on Reddit. The malicious code that infected the victims was distributed through the famous worldwide distributed Internet discussion system Usenet.
“People download software from Usenet and install it in the offices or at friends pretty often. Also Usenet isn’t that hard anymore, as easy as buying a premium account for a one-click hoster. Most Providers have their own Usenet client for idiot proof downloads”
Content shared through Usenet is commonly downloaded by users and redistributed through other file-sharing technologies such as BitTorrent.
Regarding the malware Guarnieri wrote on the blog:
“The malware sample we retrieved from Usenet has an unusually large size (almost 15MB) and has a fairly low detection rate”
The choice of the Tor network appears effective despite Tor's great disadvantage in latency and instability; it must be considered that during ordinary operation bots receive little information from the C&C server, consisting of commands and control messages, and from this perspective Tor works well enough.
What is striking about the story is the amazing growth of the botnet: even though the author described it seven months ago, it stayed undetected for a long period by routing C&C traffic via Tor, and many other botmasters could follow the same approach for their architectures, with unpredictable consequences.
Botnets based on the Tor network are not the only efficient innovation recently detected: the implementation of peer-to-peer protocols for communication inside the structure, rather than Tor-based ones, provides the same level of anonymity but is able to increase resiliency and overcome the latency problems described.
The size of the Skynet botnet does not represent a serious problem, but the potential expressed by its structure does; if it is able to infect new machines it could soon become a dangerous cyber threat.
Detecting packets originating from Tor nodes is quite simple with firewalling techniques, but dropping all such traffic preventively could blacklist legitimate Tor users who adopt the famous network to ensure their anonymity; don’t forget that the Tor network gives many people the opportunity to avoid censorship and traffic interception, and it is widely used by whistleblowers and political activists.
Adding words to Claudio’s excellent post would be foolish and presumptuous; I compliment the excellent analysis and report its findings in full:
The lessons learned are:
  • Exploitation is not required to build a decently-sized botnet. Always be careful when using any Internet service, especially file sharing.
  • It is possible to build an almost cost-free bulletproof botnet. In its democratic nature Tor is a great tool, both for legitimate users as well as for cybercriminals unfortunately.
Lesson for botnet operators:
  • As The Grugq says, “keep your mouth shut”. Talking about your business on Reddit is not such a smart idea.
Pierluigi Paganini"

Oct 25, 2012

Is Antivirus Becoming Obsolete?


"If you pick the average person off the street and ask them about information security, most of them will likely associate the term with the antivirus software on their computers. Most "civilians" are unfamiliar with terms such as "HIPS," "IDS," "IPS" and the vast assortment of other security products commonly in use. Those sorts of things operate behind the scenes. But, AV packages are widely deployed and are often offered free of charge when you buy a new computer -- at least for the first 30 days.
But, as the malware war continues to escalate, it is reasonable to question the level of effectiveness that antivirus software, as a category, brings to the table.
"When last I looked, there were 78,500,000 unique instances of malware, according to AV-Test.org," said Paul Henry, security and forensic analyst at Lumension, a Scottsdale, Ariz.-based endpoint security company. "How in the world is anyone going to keep up with the signatures to inspect that large of a database?"
According to a survey released by FireEye, a Milpitas, Calif.-based company that specializes in defense against advanced targeted threats, malware that can slip through signature-based detection has nearly quadrupled in the past year alone.
"The problem with signature-based defenses is a scaling issue," explained Ali Mesdaq, security researcher at FireEye. "There are so many new exploits coming out every day that the signature databases can't scale to that level. Some sort of technology development will be needed before they will be able to handle the rapid increase in volume."
Meanwhile, a separate survey, conducted by Carbon Black, a Sterling, Va.-based vendor that focuses on security-related data collection, suggests that in most cases, just about any bug will be able to be detected by at least one of 43 antivirus packages on the market today. The bad news is that an effective matchup between the specific bug and the specific AV package on your customers' systems is nearly coincidental.
The Carbon Black team then tested how long it would take for the individual AV packages to catch up with the ones they had missed. "The results were a big surprise to us," said CEO Mike Viscuso. "What we found was that if an antivirus package did not detect the virus within the first week, it probably never would."

Carbon Black's Viscuso estimates that virus traffic is growing at a rate of 783,000 new samples each day. Therefore, whatever signatures are missed on any given day will have to compete with all the new ones coming online tomorrow and the next day. Viscuso added that even if you could somehow keep up with the growth, the resulting performance hit on the individual machines would be far worse than the market would bear.
"That leads us to believe that customers should leverage the signature databases of multiple AV packages, as opposed to just one," said Viscuso. "In many cases, the AV products don't allow you to run more than one on a single machine. So, channel partners and customers should use a service that can scan all those binaries so that even if your particular antivirus isn't catching it, maybe the other one will."
Henry, from Lumension, argues that many machines are not adequately protected because we are relying on failed technologies that are erroneously considered to be a best practice.
"Firewalls are another example," he said. "For the last 20 years, we've used things like port-centric firewalls. If they wanted to block somebody from going to the Internet, we would block port 80. So, that just means the bad guys need to reconfigure their software to use port 79 because they left port 79 open."
Henry suggests that enterprises move towards a positive model for security in which they identify what is allowed to run, as opposed to a negative model for security in which they identify what is not allowed to run -- as is the case with antivirus.
"In a white-listing environment you have to approve a given piece of software, or even a script, to run in this environment," he said. "Beyond that, you also have to validate that nothing is changed with that piece of software. In other words, the signature for that software needs to be trusted. If it's not trusted, then it's not allowed to run. It's more work to deploy software in an environment like this. The administrative burden is a lot higher than just turning on antivirus. But, the level of security is much improved."
Henry added that, despite his point of view, the market for antivirus products will remain strong because AV technology is typically required by standards bodies. "If they went out and just did white listing, they would be non-compliant," he said.
"I'm not saying throw away antivirus," Henry added. "I'm saying complement antivirus with white listing. It's simply a smarter way to go."

Meanwhile, Cameron Camp, a security researcher with AV vendor ESET, says that antivirus might not solve the complete needs of IT security, but it is one more component in a strategy of defense in depth.
"Endpoint security is not a silver bullet, but that does not mean that you shouldn't put a lock on your front door," he said. "You really have to get inside the mind of this kind of attacker and understand what it is that they are after. Look for uncharacteristic exfiltration -- especially exfiltration that peaks during non-business hours that are probably business hours in the country to which the data is going."
Camp points to IDS and IPS devices as an important component in defense in depth. "Most people don't need super-fast deep packet inspection. But, even less expensive IDS and IPS devices provide a level of security, just like endpoint products provide a level of security. By having these sprinkled throughout your environment, you stand a vastly superior chance of detecting problems and collecting evidence. You want to demonstrate that you've done due diligence, and that goes very far with investors."
PUBLISHED OCT. 3, 2012 "


QR code: A new frontier in mobile attackability


"A single poisoned link is all it takes to expose an entire organization to a full-scale attack.

Hackers write sophisticated browser-based attacks that operate quite stealthily. Now, they're going after our mobile phones, which are soon to be the number one way we access the web.

As QR codes have evolved, they now can offer users – and thieves – unlimited information within seconds of scanning.

And we scan them voluntarily.

We've already been trained to think twice before entering an unknown link we get from a stranger or even a friend, but almost anyone will scan an unknown QR code with a smartphone or a tablet, if the offer it's embedded in looks tempting enough.

The experiment

Over a three-day security conference in London, I created a small poster featuring a big security company's logo and the sentence "Just Scan to Win an iPad." Thousands of people walked by, no one asked where the sign came from, and no one took it down, not even a representative of the company featured on the sign.

The results: 455 people scanned the sign and browsed the link over the three days. The breakdown: 142 iPhone users, 211 Android users, 61 Blackberry, and 41 unknown browsers. Remember, this was a conference for security professionals.

As I'm a nice guy fighting for the right side, the QR code simply linked to a web page featuring a smiley face. If I had decided to include a malware or poisoned URL attack based on multiple mobile smart phone browsers, I wonder whose phone I would have penetrated.

To make a long story short: QR codes are becoming more and more prevalent. And most of us don't have the same AV or URL filtering technology on our phones or tablets that we have on our PCs.

The question is: Can we really fully trust the QR codes we see on the streets, in restaurants, or in ads? Regretfully, the answer is no.

Any attacker can take advantage of QR codes. And remember, unlike computers, most mobile devices do not include antivirus solutions to protect us against mobile malware.

Think before you scan.

  • Does this QR code seem to come from a reliable source?
  • After scanning the QR code and seeing the link, is the link really from whom it claimed to be?
  • Would I click on this link if it came through my email?
Even if you miss out on the iPad or the free ice cream cone, you're probably better off."
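A small link inspector for the checklist above, added here as an example and not part of the quoted post. It turns the three questions into checks on the URL a QR scanner shows before you tap it; the brand name, shortener list and sample URLs are constructed, and the registrable-domain logic is a deliberate simplification that ignores public-suffix rules.

```python
"""Inspect a URL decoded from a QR code before opening it.

Added example (not from the quoted post). The checks mirror the post's
"think before you scan" questions: does the destination really belong to
the brand printed next to the code, and would you trust it in an e-mail?
The shortener list and every URL below are constructed samples.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately short list of shorteners that hide the real
# destination; a deployment would use a maintained list.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True for bare IPv4/IPv6 hosts, which no brand would print on a poster."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(url: str, claimed_brand: str) -> dict:
    """Return a verdict plus the reasons a scanned link looks suspect.

    claimed_brand is the name printed beside the QR code (the logo on the
    poster). It is compared against the registrable domain only: a brand
    that shows up in a subdomain or in the path is a lookalike, not a match.
    """
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    brand = claimed_brand.lower()

    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if not host:
        findings.append("URL has no host")
        return {"verdict": "suspicious", "findings": findings}
    if parts.username is not None:
        # 'brand.com@203.0.113.7' reads like brand.com but goes to the IP
        findings.append("userinfo before '@' can disguise the real host")
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        findings.append("non-ASCII or punycode host label (homograph risk)")
    if is_ip_literal(host):
        findings.append("host is a bare IP address")
    else:
        reg = registrable_domain(host)
        if reg in SHORTENERS:
            findings.append("link shortener hides the final destination")
        elif brand not in reg:
            if brand in host or brand in parts.path.lower():
                findings.append(f"'{brand}' appears only in a subdomain or "
                                f"the path; registrable domain is '{reg}'")
            else:
                findings.append(f"registrable domain '{reg}' does not "
                                f"mention '{brand}'")

    verdict = "suspicious" if findings else "consistent with claimed source"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    samples = [  # constructed QR payloads and the brand printed beside them
        ("https://www.examplesec.com/win", "ExampleSec"),
        ("http://examplesec.com.win-ipad.example.net/claim", "ExampleSec"),
        ("https://examplesec.com@203.0.113.7/login", "ExampleSec"),
        ("https://bit.ly/3abcXYZ", "ExampleSec"),
    ]
    for url, brand in samples:
        report = inspect_link(url, brand)
        print(f"{url} -> {report['verdict']}")
        for reason in report["findings"]:
            print("   -", reason)
```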

Aug 10, 2012

Virtual Keyboard


I’ve just realized there’s actually a significant number of online banking sites using virtual keyboards as part of the authentication process for the bank's customers. So, instead of using your keyboard to enter the password, a virtual keyboard appears on the screen where the user is FORCED to enter his/her credentials by clicking on the virtual keys. And just to add some more security, every time you click on one of the virtual keys the positions of the keys on the virtual keyboard are shuffled randomly (I’m assuming this is there to thwart an attack where the keylogger malware is also logging the mouse click positions).
I’ll go over the claimed security advantage that a virtual keyboard prevents spyware (such as a keylogger) from recording your password when you’re typing it. Since the user is clicking the mouse over random areas of the screen, the attacker will not be able to determine what the keys are. If the scenario here is to protect against a keylogger device (i.e. a hardware keylogger) then this might be true. But keep in mind that most keyloggers come in the form of malware infecting your computer. That is, they are just another piece of software installed on your system. If the attacker is able to install a keylogger on your system, what is to stop the attacker from installing another piece of software that simply takes screen captures once you’re on an e-banking site?
Sometimes it is a given that you’ll be trading off some usability in return for extra security.  We just need to make sure that the trade-off is worth it.
The trade-off here is in the convenience of entering the password. It goes without saying that it is easier for a user to type a string in a field than to use a mouse to click on a virtual keyboard.
I’ve enrolled in one of the online banking services where a virtual keyboard is required.  I have to say it is not the most pleasant experience in terms of data entry.  Naturally, I try to complicate the banking password a bit to protect against password guessing (Of course I usually try to apply some of the concepts I wrote about here but online banks usually impose a limit on what you can enter as a password).  In any case, entering the password using a virtual keyboard takes a long time (sometimes close to 30 seconds or even more), especially when you have to hit the shift key multiple times.  Also, since the password is masked when I’m typing it, I can’t really verify whether or not I’m entering the right thing.  The randomization of the positions of the virtual keys every time I click on the mouse further increases the error rate.  More than I would like, I find myself having to re-enter the password because I have entered the wrong value.
There might even be a chance that we’re actually less secure when using a virtual keyboard. Since the clicks on the screen are visible, you’re basically risking shoulder surfing in a public place. It is very easy for a passer-by to look at the screen and take a glance at what you’re entering. Banks do not usually allow long passwords, so the password is probably within reach of a shoulder surfer’s memory.
I would just say the trade-off is not worth it. I haven’t really seen a statistic that discloses the number of victims of keylogging malware. Even if such a statistic existed, keylogging malware can easily be transformed into malware that captures screenshots.
One would think there are other, more effective ways of protecting bank customers from keyloggers. For starters, customers might want to avoid using public computers. Maybe the bank itself should check whether the customer is accessing the e-banking site from a familiar location/browser and, if not, enforce a further authentication barrier. As for virtual keyboards, all they seem to do is make it more difficult for a legitimate user to access the site.

"Gauss malware: Nation-state cyber-espionage banking Trojan related to Flame, Stuxnet"


Kaspersky Lab researchers have discovered a “complex cyber-espionage toolkit” called Gauss which is a nation-state sponsored malware attack “closely related to Flame and Stuxnet,” but blends nation-state cyber-surveillance with an online banking Trojan. It can steal “access credentials for various online banking systems and payment methods” and “various kinds of data from infected Windows machines” such as “specifics of network interfaces, computer’s drives and even information about BIOS.” It can steal browser history, social network and instant messaging info and passwords, and searches for and intercepts cookies from PayPal, Citibank, MasterCard, American Express, Visa, eBay, Gmail, Hotmail, Yahoo, Facebook, Amazon and some other Middle Eastern banks. Additionally Gauss “includes an unknown, encrypted payload which is activated on certain specific system configurations.”
“Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation,” Kaspersky wrote. “The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload.” The malware copies itself onto any clean USB inserted into an infected PC, then collects data if inserted into another machine, before uploading the stolen data when reinserted into a Gauss-infected machine.
The main Gauss module is only about 200k, one-third the size of the main Flame module, but it “has the ability to load other plugins which altogether count for about 2MB of code.” Like Flame and Duqu, Gauss is programmed with a built-in time-to-live (TTL). “When Gauss infects an USB memory stick, it sets a certain flag to ‘30’. This TTL flag is decremented every time the payload is executed from the stick. Once it reaches 0, the data stealing payload cleans itself from the USB stick.” Kaspersky Lab senior malware researcher Roel Schouwenberg said, "It may have been built with an air-gapped network in mind."
There were seven domains being used to gather data, but the five Command & Control (C&C) servers went offline before Kaspersky could investigate them. International Business Times has already laid the blame for creating Gauss at the feet of the U.S. and Israeli governments. Kaspersky said, “We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.” Kaspersky also reported that it’s “hard to believe that a nation state would rely on such techniques to finance a cyber-war/cyber-espionage operation.”
So far Gauss has infected more than 2,500 systems in 25 countries, with the majority, 1,660 infected machines, located in Lebanon. The researchers believe Gauss started operating around August-September 2011. “After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories.’ All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of ‘sophisticated malware’.” You can read more about the “abnormal distribution” on the Kaspersky blog or in the full technical paper [PDF].
Meanwhile FinFisher, lawful intercept malware used by government organizations for intelligence and surveillance activities, was discovered in the wild and analyzed by Rapid7. Gamma International claimed it didn’t sell its FinFisher spyware to Bahrain even though Bahrain activists were targeted. Instead the company suggested it might be a “demonstration copy of the product stolen from Gamma and used without permission.” Bloomberg then reported that the FinFisher spyware, which can secretly monitor computers, intercept Skype calls, turn on Web cameras and record every keystroke, has now spread to five continents.
After an in-depth analysis of the “governmental malware,” Rapid7’s Claudio Guarnieri concluded, "The malware seems fairly complex and well protected/ obfuscated, but the infection chain is pretty weak and unsophisticated. The ability to fingerprint the C&C was frankly embarrassing, particularly for malware like this. Combined, these factors really don’t support the suggestion that thieves refactored the malware for black market use. That said, once any malware is used in the wild, it's typically only a matter of time before it gets used for nefarious purposes.”
According to CitizenLab's research and WikiLeaks cables, the following should be the supported features:
  • Bypassing of 40 regularly tested Antivirus Systems
  • Covert Communication with Headquarters
  • Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
  • Recording of common communication like Email, Chats and Voice-over-IP
  • Live Surveillance through Webcam and Microphone
  • Country Tracing of Target
  • Silent extracting of Files from Hard-Disk
  • Process-based Key-logger for faster analysis
  • Live Remote Forensics on Target System
  • Advanced Filters to record only important information
  • Supports most common Operating Systems (Windows, Mac OSX and Linux)
There is also an increase in other multi-platform malware infections, such as the ethically questionable backdoor monitoring tools, virtual force for remote searches, sold to law enforcement and intelligence agencies. Russian anti-virus firm Dr. Web discovered a Trojan that could control Mac and Windows machines and dubbed it ‘Crisis’. F-Secure found it lurking in a Colombian transport website. It would "check if the user's machine was running in Windows, Mac or Linux and then download the appropriate files for the platform." It has been called DaVinci/Morcut/Crisis/Flosax, but it's definitely a commercial espionage Trojan sold by the Italian Hacking Team, which just happens to be a Gamma/FinFisher competitor. The Hacking Team also brags of being able to get around encryption and specializes in selling services that allow intelligence agencies to monitor 100,000 targets at a time.
Last but not least of things to worry about on the cyber horizon, there is Rakshasa a “perfect, persistent and undetectable hardware backdoor.”

"FinFisher Spyware Reach Found on Five Continents: Report"


The FinFisher spyware made by U.K.-based Gamma Group likely has previously undisclosed global reach, with computers on at least five continents showing signs of being command centers that run the intrusion tool, according to cybersecurity experts.
FinFisher can secretly monitor computers -- intercepting Skype calls, turning on Web cameras and recording every keystroke. It is marketed by Gamma for law enforcement and government use. 
Research published last month based on e-mails obtained by Bloomberg News showed activists from the Persian Gulf kingdom of Bahrain were targeted by what looked like the software, sparking a hunt for further clues to the product’s deployment. 
In new findings, a team, led by Claudio Guarnieri of Boston-based security risk-assessment company Rapid7, analyzed how the presumed FinFisher samples from Bahrain communicated with their command computer. They then compared those attributes with a global scan of computers on the Internet. 
The survey has so far come up with what it reports as matches in Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar and the U.S. 
Guarnieri, a security researcher based in Amsterdam, said that the locations aren’t proof that the governments of any of these countries use Gamma’s FinFisher. It’s possible that Gamma clients use computers based in other nations to run their FinFisher systems, he said in an interview. 
“They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure,” he wrote in his report, which Rapid7 is publishing today on its blog at https://community.rapid7.com/community/infosec/blog. 
The emerging picture of the commercially available spyware’s reach shines a light on the growing, global marketplace for cyber weapons with potential consequences. 
“Once any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes,” Guarnieri wrote in his report. “It’s impossible to keep this kind of thing under control in the long term.” 
In response to questions about Guarnieri’s findings, Gamma International GmbH managing director Martin J. Muench said a global scan by third parties would not reveal servers running the FinFisher product in question, which is called FinSpy. 
“The core FinSpy servers are protected with firewalls,” he said in an Aug. 4 e-mail. 
Muench, who is based in Munich, has said his company didn’t sell FinFisher spyware to Bahrain. He said he’s investigating whether the samples used against Bahraini activists were stolen demonstration copies or were sold via a third party. 
Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio. 
Muench says that Gamma complies with the export regulations of the U.K., U.S. and Germany. 
It was unclear which, if any, government agencies in the countries Guarnieri identified are Gamma clients. 
A U.S. Federal Bureau of Investigation spokeswoman in Washington declined to comment. 
Officials in Ethiopia’s Communications Ministry, Qatar’s foreign ministry and Mongolia’s president’s office didn’t immediately return phone calls seeking comment or respond to questions. Dubai’s deputy commander of police said he has no knowledge of such programs when reached on his mobile phone. 
Australia’s department of foreign affairs and trade said in an e-mailed statement it does not use FinFisher software. A spokesman at the Czech Republic’s interior ministry said he has no information of Gamma being used there, nor any knowledge of its use at other state institutions. 
Violating Human Rights? 
At Indonesia’s Ministry of Communications, head of public relations Gatot S. Dewa Broto said that to his knowledge the government doesn’t use that program, or ones that do similar things, because it would violate privacy and human rights in that country. The ministry got an offer to purchase a similar program about six months ago but declined, he said, unable to recall the name of the company pitching it. 
The Estonian Information Systems Authority RIA has not detected any exposure to FinSpy, a spokeswoman said. Neither has Latvia’s information technologies security incident response institution, according to a technical expert there. 
Bloomberg News reported July 25 that researchers believe they identified copies of FinFisher, following an examination of malware e-mailed to Bahraini activists. Their work, led by security researcher Morgan Marquis-Boire, was published the same day by the University of Toronto Munk School of Global Affairs’ Citizen Lab. 
The new study builds on those findings, using the same samples of malicious software. 
Guarnieri’s study found, among other things, that the Bahrain server answered anyone connecting to it with the message, “Hallo Steffi.” 
The investigators then found this pattern in other computers by searching data from an Internet survey research project, Critical.IO, which has been cataloging publicly accessible computers around the world. 
The researchers then developed a map that shows the location of the servers, along with their unique IP addresses on the Internet. 
Gamma’s Muench said none of its server components sends out strings such as “Hallo Steffi.” 
The earlier Citizen Lab research linked the malware sent to the activists to FinSpy, part of the FinFisher spyware tool kit. 
The Citizen Lab research showed the malware took screen shots, intercepted voice-over-Internet calls and transmitted a record of every keystroke to a computer in Manama, the capital of Bahrain, which has been gripped by tension since a government crackdown on protests last year. 
Muench said the computer found in Manama isn’t a FinFisher product. Instead, the server very likely runs custom-built software used to forward traffic between two or more other systems, he said.
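The report describes the fingerprinting step only in prose: one server answered every connection with a fixed string, and that string was then looked up in a catalogue of publicly reachable hosts. The following is an added example (not the Rapid7 or Critical.IO code, and not part of the Bloomberg report) that runs the same kind of banner match over a small survey dataset constructed here; the addresses are from the RFC 5737 documentation ranges and the records, including the malformed ones, are made up for the example.

```python
"""Banner-based infrastructure fingerprinting over a constructed survey dataset.

Added example. A fixed greeting string observed on one command server is
matched against a text export of an Internet-wide service survey. All
records below are constructed; the addresses are RFC 5737 documentation
ranges, not real hosts.
"""
import ipaddress
from dataclasses import dataclass

# Constructed survey export: "<ip> <port> <banner>" per line. Two lines are
# deliberately malformed to show the parser skipping them.
SURVEY_DATA = """\
192.0.2.10 443 Hallo Steffi
198.51.100.7 22 SSH-2.0-OpenSSH_5.9
203.0.113.44 80 HTTP/1.1 200 OK Server: nginx
192.0.2.200 443 Hallo Steffi
not-an-ip 443 Hallo Steffi
198.51.100.99 8080 hallo steffi
203.0.113.9 99999 Hallo Steffi
"""

KNOWN_BANNER = "Hallo Steffi"  # the greeting quoted in the report


@dataclass(frozen=True)
class Record:
    ip: str
    port: int
    banner: str


def parse_survey(text: str) -> list[Record]:
    """Parse survey lines, dropping malformed ones instead of aborting."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        ip_s, port_s, banner = parts
        try:
            ip = ipaddress.ip_address(ip_s)  # rejects "not-an-ip"
            port = int(port_s)
        except ValueError:
            continue
        if not 1 <= port <= 65535:  # rejects port 99999
            continue
        records.append(Record(str(ip), port, banner.strip()))
    return records


def fingerprint_matches(records: list[Record], banner: str, strict: bool = True) -> list[str]:
    """Return sorted 'ip:port' strings whose banner matches the fingerprint.

    strict=True requires an exact banner; strict=False also accepts
    case-insensitive variants, which yields more candidates but weaker evidence.
    """
    hits = []
    for r in records:
        same = r.banner == banner if strict else r.banner.lower() == banner.lower()
        if same:
            hits.append(f"{r.ip}:{r.port}")
    return sorted(hits)


def candidate_hosts(text: str = SURVEY_DATA, strict: bool = True) -> list[str]:
    """Hosts in the survey that show the same greeting behaviour."""
    return fingerprint_matches(parse_survey(text), KNOWN_BANNER, strict)


if __name__ == "__main__":
    # A match is evidence of shared behaviour, not proof of who operates the host.
    for host in candidate_hosts():
        print("candidate command server:", host)
```

The strict match is the one that corresponds to what the report calls "a unique behavior"; the loose match is shown only to make the trade-off visible, since every relaxation of the fingerprint adds candidates that need corroboration before they mean anything, which is the same caveat Guarnieri attaches to the country list.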

Jul 29, 2012

Could Your Blog Cause You Big Problems?

Blogging has become so common that it seems as if everyone is at it. It is not hard to see why – it is a cheap, easy way to connect with people, and anyone can do it. Blogs are read by millions across the world. In Britain, more than half of people who use the internet spend some of their time reading blogs. Everyone, from teenagers killing time in their bedrooms, to multi-national corporations, has got in on the blogging act.


There is nothing wrong with that, of course. Blogging is engaging and informative for readers. However, it is not always safe. Inevitably, the growing popularity of blogging has meant that it has attracted the attention of people up to no good, as well as those just looking for a good read.
Blog Risks
You probably put a lot of time and energy into your blog – so imagine if a hacker got in, and locked you out? Once in, there are several things they might want to do. If it is a business blog, they might be keen to embarrass you by posting inappropriate material. They might look to steal personal information from you and others who access the blog. They might mercilessly spam your readers, or just use your blog to link to their own site to get themselves more hits. The more popular your blog, the more likely you are to be targeted. If you do not know how to protect yourself, it is time to find out.
Staying Safe
There are a few things you should do to keep your blog safe from hackers. Remember that if anyone else has access to the blog, they immediately become a security risk, as they might take risks that you would not. Make sure they work to keep your blog safe too. Choose a unique, strong password for your blog and any email accounts associated with it, and change them regularly. Make sure you have good virus protection, and do your research when choosing a hosting service – not all have the same commitment to virus protection that you might. Finally, do not allow spam comments; as well as looking bad, the links in them can lead to malware. Do all that, and whilst you cannot be sure your blog is safe, you can rest assured that it will be much safer than it would have been if you’d done nothing.

Security Predictions for 2012

LiveEnsure™

"The Top 5 Auth Predictions for 2012"

Confident Technologies of San Diego predicted these five things were going to happen in 2012 with respect to security and authentication. You can read their entire post here:
 

It's roughly halfway through the year and we thought it was a good time to review these predictions about authentication security and see if they have (or will) come true or not. What do you think? Let us know your thoughts on Twitter @liveensure.
 
Prediction #1:  BYOD (bring your own device) will spell big trouble for businesses in terms of data loss in 2012.
 
Is it risky to use your mobile device for security?  Smart solutions are clever enough to turn any BYOD risk into a positive, cost-saving security weapon for trust. By embracing the pervasiveness of mobile devices and leveraging their unique characteristics for secure, private user authentication, an innovative solution such as LiveEnsure® affords businesses, web sites and applications the ability to strengthen user security and immunize against data loss in the face of this growing trend.
 
Prediction #2:  There will be a large data breach which will finally cause organizations across many industries to realize they cannot rely solely on passwords to protect user accounts.
 
Absolutely. Relying upon the user to manage their authentication security has been the failure of many products, providers and solutions in the past. The most egregious example of this is when sites and networks employ just a simple username and password for user access security. A solution like LiveEnsure® which exploits natural factors (device, session, context) vs. man-made or recalled factors provides the strongest, simplest, most elegant and cost-effective way for businesses to “fix” the existing user login gap across websites, applications and services. Sites and apps merely mashup the service with their existing login process, while users simply leverage their smart device in a private and seamless way to enforce and protect their identity online. Unlike traditional solutions, there are no passwords, SMS messages, cookies, certificates, secret images, JavaScript, tokens or dongles with LiveEnsure®.
 
Prediction #3 Targeted variations of Zeus-in-the-Mobile style attacks will grow.
 
The hackers are always busy. Key-loggers, screen-scrapers, trojans, viruses and traditional social engineering hacks rely upon the user personally transmitting their private credentials either on-screen or via the keyboard. Existing multi-factor authentication solutions rely upon user skill to protect private information when taking it from the secure channel (i.e. out-of-band, their own recollection) and placing it back into the vulnerable “channels” of the browser, keyboard or existing communication paths where hackers are waiting to capture it. LiveEnsure® revolutionizes that flow by taking authentication information from the insecure channel and verifying it in an external secure channel through a mechanism called triangulation. Hackers are unable to see, capture and replay security login information when LiveEnsure® is used to protect the authentication process.
 
Prediction #4: Smart devices will enable smart authentication via image-based authentication, biometrics and more.
 
There is nothing unique about mobile devices that makes their biometric or image-based authentication techniques any more effective, secure, impervious, immutable or private than they were before on the desktop or other proprietary devices. They just make them more pervasive. Is that a good thing? LiveEnsure® leverages the unique and powerful capabilities of smart mobile devices without adopting the inherent privacy risks often associated with them. LiveEnsure® is able to provide hack-proof authentication for users, sites and apps via line-of-sight authentication. LiveEnsure® proves the user is who they are, where they are and when they are - without any of the privacy risks associated with NFC (near field communication), cookies, certificates, out-of-band messages, special on-screen encoded values and browser-based Javascript fingerprint harvesting and transmission. LiveEnsure® is a blue-water innovation in a sea of red-water challenges with respect to user and device authentication.
 
Prediction #5: Retailers and mobile payment providers will lead the adoption of new mobile authentication techniques in 2012.
 
Authentication is for everyone. LiveEnsure® recognizes that user trust and defense-in-depth security measures are no longer reserved for major corporations, top-tier websites and expensive applications and networks. Usable security is a right and a requirement for all who participate online, whether via mobile commerce and gaming, social networks or private user-to-user chats, messaging and information exchange. Strength, simple deployment, lower cost and elegant usability are the key factors for ensuring market and customer adoption of any authentication solution. LiveEnsure® provides those benefits tailored to the safe, high-volume, low-barrier user experience so critical to the satisfaction with and success of online businesses, services and applications.
 
If you don't believe us, simply grab your iPhone, iPad, Android or Windows Mobile device and try it now at http://experience.liveensure.com. In addition, we invite you to follow us on Twitter and Facebook for the latest updates and news from LiveEnsure®.

Jun 7, 2012

Were you "Flamed"?

Flame Attackers Used Collision Attack to Forge Microsoft Certificate


The attackers behind the Flame malware used a collision attack against a cryptographic algorithm as part of the method for gaining a forged certificate to sign specific components of the attack tool. Microsoft officials said on Tuesday that it's imperative for customers to install the update issued for the problem on Sunday, as it's possible for other attackers to exploit the same vulnerability without using the collision attack.
Cryptographic hash algorithms are designed to produce unique results for each input. If an attacker is able to find two separate inputs that produce the same hash as outputs, he has found a collision. Two of the more popular hash algorithms, MD5 and SHA-1, both have been found to be vulnerable to collisions. SSL certificates, like the one that the Flame attackers forged to sign the malware, use digital signatures, which can be vulnerable to hash collisions.
Microsoft officials said that there is still quite a bit of danger to customers, outside of the Flame malware itself.
"The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack," Mike Reavey of the Microsoft Security Response Center, said.
The Flame attackers used the forged Microsoft digital certificate to perform a man-in-the-middle attack against victims, impersonating the Windows Update mechanism and installing malicious code instead. Reavey said Microsoft is preparing to change the way that Windows Update works in response to the attack.
"To increase protection for customers, the next action of our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution. We will begin this update following broad adoption of Security Advisory 2718704 in order not to interfere with that update’s worldwide deployment. We will provide more information on the timing of the additional hardening to Windows Update in the near future," Reavey said.
The possibility of attacks against Windows Update has been a serious concern for Microsoft officials and customers for many years now. Real-world attacks had not surfaced until the information about the Flame mechanism surfaced. But the way that the Flame attackers used their forged certificate was interesting. They used it to create a fake update server inside an organization that had been compromised, and then to download the malicious code to other machines, spreading the malware.
The way that Flame spread among machines had been a mystery until researchers discovered the use of the forged certificate.
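The article explains that a signature covers only the digest of its input, which is why a hash collision lets a signature issued for one input be presented with another. The following is an added example, not code from the article, Microsoft or the Flame research, that makes that consequence concrete. Its assumptions: a deliberately truncated SHA-256 (24 bits) plays the role of a broken hash such as MD5 so that a birthday search finishes instantly, an HMAC with a constructed key stands in for the CA's RSA signature, and the two message prefixes are made up. The birthday search here is far weaker than the chosen-prefix MD5 collision Flame required; the example shows only what a colliding pair buys an attacker once it exists.

```python
"""Why a hash collision transfers a signature between two inputs.

Added example. sign() signs only the digest of its input, as real signature
schemes do. With a strong digest that is sound; with a truncated digest two
different inputs sharing a digest can be found, and a signature issued for
one verifies for the other. Key, prefixes and digest width are constructed.
"""
import hashlib
import hmac
import itertools

SIGNING_KEY = b"constructed-demo-key"  # constructed; stands in for the CA's private key


def weak_digest(data: bytes, nbytes: int = 3) -> bytes:
    """Truncated SHA-256: a deliberately collision-prone digest (24 bits)."""
    return hashlib.sha256(data).digest()[:nbytes]


def strong_digest(data: bytes) -> bytes:
    """Full SHA-256, for comparison."""
    return hashlib.sha256(data).digest()


def sign(data: bytes, digest_fn) -> bytes:
    """Sign the digest only; HMAC is a stand-in for an RSA signature."""
    return hmac.new(SIGNING_KEY, digest_fn(data), hashlib.sha256).digest()


def verify(data: bytes, sig: bytes, digest_fn) -> bool:
    return hmac.compare_digest(sign(data, digest_fn), sig)


def find_collision(prefix_a: bytes, prefix_b: bytes, nbytes: int = 3):
    """Birthday search for (a, b) with a starting in prefix_a, b starting in
    prefix_b and weak_digest(a) == weak_digest(b). Expected work ~2**(4*nbytes)."""
    seen_a: dict[bytes, bytes] = {}
    seen_b: dict[bytes, bytes] = {}
    for i in itertools.count():
        suffix = b" #%d" % i
        a, b = prefix_a + suffix, prefix_b + suffix
        da, db = weak_digest(a, nbytes), weak_digest(b, nbytes)
        seen_a.setdefault(da, a)
        seen_b.setdefault(db, b)
        if da in seen_b:
            return seen_a[da], seen_b[da]
        if db in seen_a:
            return seen_a[db], seen_b[db]


def collision_demo() -> dict[str, bool]:
    """Sign the benign input only, then check which signatures the forged input passes."""
    a, b = find_collision(b"license request: Alice", b"code signing: Mallory")  # constructed prefixes
    sig_weak = sign(a, weak_digest)
    sig_strong = sign(a, strong_digest)
    return {
        "inputs_differ": a != b,
        "weak_digests_collide": weak_digest(a) == weak_digest(b),
        "weak_signature_transfers": verify(b, sig_weak, weak_digest),      # True
        "strong_signature_transfers": verify(b, sig_strong, strong_digest),  # False
    }


if __name__ == "__main__":
    for name, outcome in collision_demo().items():
        print(f"{name}: {outcome}")
```

The defender's lesson matches the article's remedy rather than the attack: a signature is only as strong as the digest it covers, so certificates and code signatures that still rely on MD5 should be rejected, and a CA whose certificates could be forged this way has to be revoked outright, which is what Security Advisory 2718704 did for the terminal server licensing certificates.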