Archive for category virus and malware info
DevOps Integration Key to Avoiding Pre-Ordained Security Failures
Posted by RJGFeed in virus and malware info on April 17, 2013
BOSTON – Downstream is where you live today as a security person. If Gene Kim has his way, you’ll be inline soon enough.
Kim’s keynote today at Source Boston 2013 took listeners on a deep dive of the integration of development and IT operations and helped map out how organizations may be able to wedge security into the conversation and help security practitioners escape a system that pre-ordains failure—one they are for the most part powerless to avoid today.
Kim has spent more than a decade studying high-performing operations teams in a variety of industries inside and outside of IT. Those that succeed do so through a combination of rigor and discipline, and they pay more than lip service to integrating security into application or process development. To put it in Star Trek terms, as Kim did, developers embody Mr. Spock in that they sit close to the boss and think too hard about problems, while operations are more like Mr. Scott, engineers who pull levers and knobs and yell a lot in an emergency. Security? They’re the token security guard in the red uniform who usually ends up as the casualty in every episode.
“We need to span the boundary between the two,” Kim said of development and operations. “We need to increase the flow of work in the proper direction and not pass defects downstream.”
Kim relayed an example of how Twitter injects static analysis into the development lifecycle every time a developer hits save on a project. If there’s an issue, they’ll get an email informing them of a vulnerability and how to remediate it. When the problem is fixed, the developer will get a “thank you” email.
“Security is done not at the end of a project when you add costs, but they do it inline,” Kim said. “In my opinion, this is the way all information security is going to be done 10 years from now. Not in batches and not at the end of a project.”
Kim said companies are collectively spending $2.6 trillion annually on IT failures, ranging from downtime, to data loss and more. Adding $2.6 trillion to the economy would radically change things, he said.
“Creating a culture and process that pre-ordains failure, for security downstream, this affects lives,” he said.
Kim assured attendees too that this kind of rigor isn’t reserved for rock star companies such as Google or high-end financial services companies, or Netflix. He’s seen success stories with retailers, higher education institutions and in many other industries. Learning from the big guys, however, never hurts.
Netflix, for example, was the only company running Amazon Web Services instances not to endure any downtime during a 2011 outage, Kim said. That’s because Netflix decided never to rely on AWS for availability, he said, pointing to its decision to deliberately introduce chaos into its DevOps environment. Chaos Monkey, the tool Netflix built for this, randomly kills processes in production all the time, forcing developers and operations to work together with security and learn how to survive failure.
“They got really good at having code and an environment that survives failure,” Kim said. “The goal is to break things before they get into production. Find misconfigurations, enforce HTTPS, add static code analysis to their automated integration and testing; they did all these things.”
Ultimately, organizations must evolve toward a culture that accepts risk and learns from failures. Google, for example, requires its developers to manage their own code for six months before it is passed on for approval and ultimately production.
“If an application is fragile, there is a hand-back mechanism where it goes back to the developer,” Kim said. “It’s a way for developers and operations to hold each other accountable.”
That accountability also includes feedback loops that include DevOps and security so that all are involved in incident escalation and mutual understanding of respective issues.
“The outcome is that defects are fixed faster,” Kim said. “If you do it for one issue, you should be able to replicate it throughout an organization. You have better communication and cooperation.”
Commenting on this Article will be automatically closed on July 16, 2013.
Article source: http://threatpost.com/en_us/blogs/devops-integration-key-avoiding-pre-ordained-security-failures-041613
NQ Mobile: Android Malware Doubled in 2012
Posted by RJGFeed in virus and malware info on April 16, 2013
Throw another log onto the proverbial Android malware fire: according to mobile security firm NQ Mobile, malware targeting devices running Google’s operating system more than doubled in 2012. That translates to a 163 percent increase over 2011, with more than 65,000 distinct malware samples discovered, up from roughly 25,000 the year before.
That is according to the firm’s 2012 Security Report, an annual review of malware scanned by NQ Mobile and its Security Lab, released Monday.
A handful of other trends are discussed in the report, including a decrease in malware targeting Symbian-based devices, and China being responsible for the lion’s share of infections globally.
The report also breaks down three of the most prevalent attack vectors, including app repackaging: attackers take genuine apps from Google’s Play marketplace, add malicious code and upload the trojanized app to third-party app stores.
Attackers are also using malicious URLs and SMS phishing, or smishing, to target Android users.
Attacks on Android devices are a regular occurrence these days and have grown rapidly; at one point in 2011 they were up 742 percent over the course of three months. In China, botnets composed entirely of Android devices, some 100 million strong, thrive, while in Japan malicious apps litter message boards and phony app marketplaces.
Samsung-branded devices have borne the brunt of Android’s troubles of late. SMS vulnerabilities and password bypass flaws have been discovered on a handful of Samsung Galaxy devices over the past month or so, forcing the vendor to work on patches.
The full NQ Mobile 2012 Security Report is available from the company as a PDF.
Article source: http://threatpost.com/en_us/blogs/nq-mobile-android-malware-doubled-2012-041613
Linode Hacked Through ColdFusion Zero Day
Posted by RJGFeed in virus and malware info on April 16, 2013
The attackers who compromised Web hosting provider Linode used a zero day vulnerability in Adobe ColdFusion and were able to access the company’s database, source code and customers’ credit card numbers and passwords. The company said that the customer credit card numbers were encrypted, as were the passwords, but it forced a system-wide password reset after the attack was discovered.
The attack on Linode was described by the company on Monday, a few days after it said that one of its customers had been compromised. Aside from the use of the ColdFusion zero day, the details are quite similar to other attacks that have resulted in password leaks and database breaches; many of those operations are carried out with stolen or compromised credentials or a known bug in one of the targeted systems.
The ColdFusion vulnerability used in the Linode attack was patched by Adobe on April 9.
“As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability. Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure,” Linode officials said.
“Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.”
The company said that customer passwords themselves are not stored in the Linode database; what it stores, and what the attackers accessed, are salted hashes of those passwords. Salted hashes are far less useful to an attacker than plaintext, since the salt defeats precomputed lookup tables, but they can still be attacked offline one account at a time, and weak passwords fall quickly if the hash function is fast. Resetting every customer password, as Linode did, is the right response regardless of the hashing scheme.
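The practical question behind that decision is how much a leaked table of salted hashes is actually worth to an attacker. The following Python is an added example with constructed accounts and a constructed wordlist, not Linode’s code or schema; it builds a table under a fast salted hash and under PBKDF2, then runs the offline dictionary attack an attacker would run against the stolen table.

```python
"""Offline guessing against a leaked table of salted password hashes.
Added example with constructed data; not Linode's code or schema."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Fast salted hash: one SHA-256 per guess. The salt defeats precomputed
    tables, but an attacker holding the table can still test millions of
    guesses per second against each account."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password: str, salt: bytes) -> bytes:
    """Deliberately slow KDF: the same dictionary attack now costs 100,000
    HMAC-SHA256 calls per guess instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


# Constructed accounts: two with passwords found on every leaked-password
# list, one with a passphrase no short wordlist will contain.
ACCOUNTS = [("alice", "123456"),
            ("bob", "qwerty"),
            ("carol", "orbit-velvet-glacier-47")]
# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "admin"]


def build_table(scheme):
    """What the database stores: user, per-user random salt, hash.
    The password itself is never written anywhere."""
    table = []
    for user, password in ACCOUNTS:
        salt = os.urandom(16)
        table.append({"user": user, "salt": salt, "hash": scheme(password, salt)})
    return table


def verify(record, password: str, scheme) -> bool:
    """Login-time check; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(scheme(password, record["salt"]), record["hash"])


def crack(table, wordlist, scheme):
    """The attacker's side once the table has been exfiltrated. Each record
    carries its own salt, so each must be attacked separately, but nothing
    stops the attacker from doing so offline, at full speed, with no lockout.
    Returns (recovered passwords by user, number of hash evaluations spent)."""
    recovered, work = {}, 0
    for rec in table:
        for guess in wordlist:
            work += 1
            if verify(rec, guess, scheme):
                recovered[rec["user"]] = guess
                break
    return recovered, work


if __name__ == "__main__":
    for name, scheme in (("salted SHA-256", salted_sha256),
                         ("PBKDF2-HMAC-SHA256", pbkdf2_sha256)):
        got, work = crack(build_table(scheme), WORDLIST, scheme)
        print(f"{name}: recovered {got} after {work} guesses")
```

Under both schemes the two weak passwords fall after nine hash evaluations; PBKDF2 only makes each evaluation roughly 100,000 times more expensive, which is why a slow KDF protects passwords that are merely mediocre rather than hopeless. The salt means the work cannot be precomputed or shared across accounts, but nothing in a leaked table rate-limits the attacker, so a forced reset is the correct response.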
Article source: http://threatpost.com/en_us/blogs/linode-hacked-through-coldfusion-zero-day-041613
Bruce Schneier on the Boston Marathon Bombing and the Psychology of Fear
Posted by RJGFeed in virus and malware info on April 16, 2013
Dennis Fisher talks with Bruce Schneier about the effects of the Boston Marathon bombing, how the psychology of fear plays into people’s reactions to these events and what the political aftermath could be.
Article source: http://threatpost.com/en_us/blogs/bruce-schneier-boston-marathon-bombing-and-psychology-fear-041613
Google Fixes Three High-Risk Flaws in Chrome OS
Posted by RJGFeed in virus and malware info on April 16, 2013
Google has fixed a series of serious vulnerabilities in its Chrome OS, including three high-risk bugs that could be used for code execution on vulnerable machines. As part of its reward program, Google paid out more than $30,000 to a researcher who found three of the vulnerabilities.
All of the vulnerabilities that Google fixed in Chrome OS involve the O3D plug-in, an API that lets developers build 3D applications for the Web (two of them also affect the Google Talk plug-in). Three are rated high severity and the fourth medium.
Here are the vulnerabilities that Google fixed in Chrome OS 26:
- [227197] Medium CVE-2013-2832: Uninitialized memory left in buffer in O3D plug-in. Credit to Ralf-Philipp Weinmann.
- [227181] High CVE-2013-2833: Use-after-free in O3D plug-in. Credit to Ralf-Philipp Weinmann.
- [227158] High CVE-2013-2834: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Ralf-Philipp Weinmann.
- [196456] High CVE-2013-2835: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Google Chrome Security Team (Chris Evans).
Ralf-Philipp Weinmann, the researcher who discovered three of the flaws, received $31,336 in bug bounties for his work. That is at the highest end of the rewards Google pays out in its Chromium program; most are in the $1,000-$3,000 range, with larger amounts depending on the severity of the vulnerability and the difficulty of exploitation.
“We’re pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up. We are grateful to Ralf for his work to help keep our users safe,” Ben Henry of the Chrome team said in a blog post.
Article source: http://threatpost.com/en_us/blogs/google-fixes-three-high-risk-flaws-chrome-os-041513
Online Poker Rooms Fraught With Vulnerabilities
Posted by RJGFeed in virus and malware info on April 15, 2013
In the lucrative world of online gambling, many poker rooms, especially those that require the user to download a client to play, are marred by insecurities.
A recent study by a pair of researchers suggests that a number of online gaming companies whose poker clients are built on “skins” aren’t adequately protecting their users while they play.
“Skins” are the customizable poker-room front ends that individual operators run on a shared software platform; they dictate what each gaming environment looks like and what each operator can modify.
According to the paper, “An Overview of Online Poker Security” (PDF), released on Wednesday, “a vulnerability in one software can affect multiple Skins and millions of players.”
Penned by Luigi Auriemma and Donato Ferrante of ReVuln, a security research and consultancy firm based on the tiny archipelago of Malta, the document highlights a number of flaws in poker applications.
Auriemma and Ferrante found that the main problem lies in the clients’ update infrastructure. The majority of poker clients don’t use SSL or digital signatures when they download updates, so an attacker who can tamper with the connection (on the same network, or anywhere on the path) can replace the update and take control of the user’s system.
Even where updates were digitally signed, that did not necessarily protect users.
Clients with skins developed by B3W, a gaming management system vendor in Malta, were found updating over plain HTTP without signatures, and although the .EXEs themselves were signed, the signatures were never verified before execution. Since the software auto-updates, an attacker able to intercept the download could substitute a malicious executable and the client would run it.
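What a client that avoids both mistakes looks like, as an added Python example (not ReVuln’s code, and not any vendor’s updater): the insecure download-and-run pattern is kept for contrast, beside an updater that refuses plain HTTP, checks the downloaded binary against a SHA-256 digest from a vendor manifest before writing it, rejects version rollback and installs atomically. The manifest format, file names and version numbers are assumptions. The manifest’s trust rests on the TLS connection, so a production client should additionally verify the binary’s code signature (Authenticode on Windows, which is exactly the check the signed-but-unverified .EXEs were missing) rather than stop at a digest.

```python
"""Software updater: the insecure pattern the paper describes, beside a
hardened one. Added example; not ReVuln's or any poker vendor's code.
Manifest format, file names and versions are assumptions."""
import hashlib
import hmac
import json
import os
import subprocess
import tempfile
import urllib.request
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised whenever an update fails a check; nothing is written or run."""


def insecure_update(url: str) -> None:
    """The pattern the researchers found: pull an .EXE over plain HTTP and run
    whatever arrived. Anyone on the path can substitute their own binary and
    the signature on the genuine file is never consulted. For contrast only;
    never called in this file."""
    exe = urllib.request.urlopen(url).read()          # http://, no TLS
    path = os.path.join(tempfile.gettempdir(), "update.exe")
    with open(path, "wb") as f:
        f.write(exe)
    subprocess.run([path])                            # nothing verified


def fetch_https(url: str, timeout: float = 30) -> bytes:
    """Transport hardening: refuse anything but https://. urllib validates the
    server certificate against the system trust store by default."""
    if urlparse(url).scheme != "https":
        raise UpdateRejected(f"refusing non-TLS update URL: {url}")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def make_manifest(version: str, filename: str, payload: bytes) -> bytes:
    """Vendor side (hypothetical format): publish the SHA-256 of each release
    so the client can check what it actually downloaded."""
    return json.dumps({"version": version, "file": filename,
                       "sha256": hashlib.sha256(payload).hexdigest()}).encode()


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def verify_and_install(manifest_raw: bytes, payload: bytes,
                       install_dir: str, current_version: str) -> str:
    """Client side: every check runs before a byte reaches the install
    directory, and nothing here executes the payload."""
    try:
        m = json.loads(manifest_raw)
        version, filename, expected = m["version"], m["file"], m["sha256"]
        new, cur = version_tuple(version), version_tuple(current_version)
    except (ValueError, KeyError, TypeError) as e:
        raise UpdateRejected(f"malformed manifest: {e}") from e
    # Rollback/replay: serving an older, vulnerable release is the other
    # classic update attack.
    if new <= cur:
        raise UpdateRejected(f"version {version} is not newer than {current_version}")
    # Integrity: constant-time compare of the hex digests.
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, str(expected).lower()):
        raise UpdateRejected("payload digest does not match manifest")
    # A manifest-supplied name must not escape the install directory.
    if not filename or os.path.basename(filename) != filename:
        raise UpdateRejected(f"unsafe file name in manifest: {filename!r}")
    target = os.path.join(install_dir, filename)
    fd, tmp = tempfile.mkstemp(dir=install_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, target)      # atomic: never a half-written executable
    return target


def run_demo() -> dict:
    """Constructed scenario: a genuine release, a copy altered in transit, a
    replayed old version and a plain-HTTP URL. Returns each check's verdict."""
    genuine = b"MZ\x90\x00" + b"constructed poker client build 2.1.0"
    manifest = make_manifest("2.1.0", "poker.exe", genuine)
    tampered = genuine + b"\xcc"          # one byte changed on the wire
    out = {}
    with tempfile.TemporaryDirectory() as d:
        path = verify_and_install(manifest, genuine, d, "2.0.3")
        with open(path, "rb") as f:
            out["installed_ok"] = f.read() == genuine
        try:
            verify_and_install(manifest, tampered, d, "2.0.3")
            out["tampered_rejected"] = False
        except UpdateRejected:
            out["tampered_rejected"] = True
        try:
            verify_and_install(manifest, genuine, d, "2.1.0")
            out["rollback_rejected"] = False
        except UpdateRejected:
            out["rollback_rejected"] = True
    try:
        fetch_https("http://updates.example.invalid/poker.exe")
        out["plaintext_refused"] = False
    except UpdateRejected:
        out["plaintext_refused"] = True
    return out


if __name__ == "__main__":
    print(run_demo())
```

The digest check is the minimum that makes a tampered download detectable; it only moves the trust problem to the manifest, which is why the lead-in insists on a code signature as well.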
In addition, stack-based buffer overflows that could allow malicious code execution were found in a handful of other poker rooms, including those using software by Microgaming, a company based on the Isle of Man, between Britain and Ireland.
In most cases, the poker software analyzed stores usernames and passwords on the player’s computer, which makes credential theft easier. The researchers found that in some cases, once they had access to the relevant registry key or configuration file, they could extract and decrypt users’ passwords.
The paper does note that some companies like PokerStars have done a good job at security, opting to implement RSA tokens and PINs to bolster the security of its users and combat these problems.
Online gambling is already a multi-billion dollar industry but it’s poised to explode even more over the next five years. Juniper Research, a British-based analyst service projected last month that as a whole the global online gambling market is slated to reach $45 billion by 2017.
Auriemma has made a name for himself over the past two years or so in the vulnerability research world, mostly for his work digging up bugs in supervisory control and data acquisition (SCADA) software. Beyond the ICS bugs, Auriemma and his ReVuln partner Ferrante, a former RIM researcher, have also found flaws in popular gaming platforms such as Steam and EA Origin over the last year.
Article source: http://threatpost.com/en_us/blogs/online-poker-rooms-weighed-down-vulnerabilities-041213
How I Got Here: Gary McGraw
Posted by RJGFeed in virus and malware info on April 15, 2013
Dennis Fisher talks with Gary McGraw, CTO of Cigital, about his childhood as a violin prodigy, his early introduction to personal computers with the Apple II, his start in software security and the state of the discipline today.
Article source: http://threatpost.com/en_us/blogs/how-i-got-here-gary-mcgraw-041513
Hackers Using Brute-Force Attacks to Harvest WordPress Sites
Posted by RJGFeed in virus and malware info on April 15, 2013
Months of distributed denial of service attacks against major U.S. banks have evolved in magnitude and ferocity causing service disruptions for online banking customers. They’ve also shown the way for other attackers to adapt and evolve techniques used in those attacks.
Someone appears to be building a formidable botnet of compromised WordPress sites that is likely to be used in a much larger attack, some experts speculate. Like some of the late-stage bank DDoS attacks, which used compromised Web servers to generate unprecedented levels of traffic against online banking services, a WordPress botnet could be just as disruptive.
Attacks against WordPress sites began last week, when Web hosts and security experts reported brute-force attacks against administrative credentials using the user name “admin” and a list of common passwords. Sites under attack may notice slower back-end operations, log-in difficulties or downtime.
Web host HostGator said it had seen more than 90,000 IP addresses involved in the attack. “The attack is well organized and very distributed,” wrote engineer Sean Valant on the company’s Gator Crossing blog.
Sucuri Security, a Web monitoring company in California, said it has noticed the number of log-in attempts blocked on the customer sites it monitors more than triple through the first two weeks of April—more than 77,000 a day. It added that common user names such as “admin”, “test,” “administrator,” “Admin,” and “root” top the list of log-in attempts. As for password attempts, “admin,” “123456,” “qwerty,” and many other common passwords are being used in the brute-force attacks.
CloudFlare CEO Matthew Prince said the attackers could be using a botnet of home PCs to build a bigger arsenal of compromised machines.
“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince said. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”
Attacks against U.S. banks spiked in January and again in March to upwards of 100 Gbps, sent from a relatively small number of compromised Web servers. The attackers, who claim to be protesting the film “Innocence of Muslims,” favor Web servers as a launch pad for DDoS attacks because a server offers far more processing power and bandwidth than a home PC, along with access to the hosting provider’s network.
In October, security company Prolexic identified one of the tools used in the attack as an offshoot of the Brobot, or itsoknoproblembro, toolkit. The malware attacks content management systems such as WordPress or Joomla and is capable of launching high bandwidth attacks at multiple targets simultaneously, a signature of the bank DDoS attacks.
Experts recommend that WordPress administrators change their log-ins, both user names and passwords: in particular, don’t keep an account named “admin”, and use a long, unique password. Security plug-ins that limit log-in attempts and two-factor authentication options are also available for WordPress, and CloudFlare has released a free tool that it says mitigates this attack.
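Detecting this kind of campaign from logs is harder than it sounds, because per-IP lockouts, the usual brute-force control, never trigger when tens of thousands of sources each make a handful of attempts. The following Python is an added example, not from the article or any of the companies quoted; the log lines are constructed in a syslog style of the kind WordPress failed-login logging produces, and the thresholds are illustrative.

```python
"""Spotting a distributed credential-guessing run against wp-login from
authentication-failure logs. Added example; all log lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed syslog-style lines. Eleven source addresses in one minute, each
# trying "admin" once or twice: the shape of the April 2013 campaign, and the
# shape a per-IP lockout never sees. The last three lines are ordinary noise.
SAMPLE_LOG = """\
Apr 12 10:00:01 web1 wordpress(example.com)[4121]: Authentication failure for admin from 203.0.113.5
Apr 12 10:00:02 web1 wordpress(example.com)[4121]: Authentication failure for admin from 203.0.113.18
Apr 12 10:00:04 web1 wordpress(example.com)[4121]: Authentication failure for admin from 198.51.100.17
Apr 12 10:00:05 web1 wordpress(example.com)[4121]: Authentication failure for admin from 198.51.100.44
Apr 12 10:00:09 web1 wordpress(example.com)[4121]: Authentication failure for admin from 192.0.2.9
Apr 12 10:00:11 web1 wordpress(example.com)[4121]: Authentication failure for admin from 192.0.2.77
Apr 12 10:00:15 web1 wordpress(example.com)[4121]: Authentication failure for admin from 203.0.113.201
Apr 12 10:00:18 web1 wordpress(example.com)[4121]: Authentication failure for admin from 198.51.100.120
Apr 12 10:00:22 web1 wordpress(example.com)[4121]: Authentication failure for admin from 192.0.2.150
Apr 12 10:00:27 web1 wordpress(example.com)[4121]: Authentication failure for admin from 203.0.113.66
Apr 12 10:00:31 web1 wordpress(example.com)[4121]: Authentication failure for administrator from 198.51.100.17
Apr 12 10:00:34 web1 wordpress(example.com)[4121]: Authentication failure for test from 192.0.2.9
Apr 12 10:00:40 web1 wordpress(example.com)[4121]: Authentication failure for root from 203.0.113.5
Apr 12 10:00:52 web1 wordpress(example.com)[4121]: Authentication failure for admin from 198.51.100.200
Apr 12 10:03:10 web1 wordpress(example.com)[4121]: Authentication failure for jsmith from 10.0.0.12
Apr 12 10:03:25 web1 wordpress(example.com)[4121]: Authentication failure for jsmith from 10.0.0.12
Apr 12 10:03:41 web1 wordpress(example.com)[4121]: Accepted password for jsmith from 10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<minute>\w{3} +\d{1,2} \d\d:\d\d):\d\d \S+ wordpress\((?P<site>[^)]*)\)\[\d+\]: "
    r"Authentication failure for (?P<user>\S+) from (?P<ip>\S+)$")


def parse_line(line: str):
    """Return the minute bucket, site, user and source IP of a failure line,
    or None for anything else (successes, unrelated daemons)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, *, min_failures=10, min_sources=8, per_ip_lockout=5):
    """Aggregate failures per minute. Alert when a minute holds many failures
    spread across many sources. The alert names the accounts under attack,
    because the account is what is worth locking or stepping up to a second
    factor, and lists which IPs a per-IP lockout would have caught (for a
    distributed run, typically none)."""
    by_minute = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_minute[ev["minute"]].append(ev)
    alerts = []
    for minute in sorted(by_minute):
        evs = by_minute[minute]
        ips = Counter(e["ip"] for e in evs)
        users = Counter(e["user"] for e in evs)
        if len(evs) >= min_failures and len(ips) >= min_sources:
            alerts.append({
                "minute": minute,
                "failures": len(evs),
                "sources": len(ips),
                "targeted_accounts": users.most_common(3),
                "ips_over_lockout": sorted(ip for ip, n in ips.items()
                                           if n >= per_ip_lockout),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single alert it raises shows 14 failures from 11 sources in one minute, 11 of them against “admin”, with no source over the lockout threshold: the signal is in the account and the global rate, not in any one IP, which is why renaming or removing “admin”, rate-limiting per account and adding a second factor matter more here than blocking addresses.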
Article source: http://threatpost.com/en_us/blogs/hackers-using-brute-force-attacks-harvest-wordpress-sites-041513
Microsoft: Uninstall Faulty Patch Tuesday Security Update
Posted by RJGFeed in virus and malware info on April 12, 2013
Microsoft announced last night that it has stopped pushing a security update originally released on Patch Tuesday because the fix is causing some PCs to blue screen. Microsoft recommends that users uninstall the patch, which is also causing compatibility problems with some endpoint security software.
“We’ve determined that the update, when paired with certain third-party software, can cause system errors,” said Trustworthy Computing group manager Dustin Childs.
MS13-036 was part of this week’s Patch Tuesday release. It addressed four vulnerabilities in Windows kernel-mode drivers, three of which could allow an attacker who is already logged on to elevate privileges on a compromised machine.
Microsoft rated the bulletin “important” rather than critical because an attacker would need valid credentials and the ability to log on locally to exploit the flaws. The faulty update does not result in any data loss, Childs said, adding that only update 2823324 has been removed from the Windows download center; the remainder of MS13-036 is still available.
Users began reporting issues earlier this week with some systems failing to recover from restarts, or applications failing to load, after the patch was installed.
The MS13-036 update was meant to patch two separate race condition vulnerabilities (CVE-2013-1238 and CVE-2013-1292) and an NTFS NULL pointer dereference (CVE-2013-1293), each of which could lead to privilege escalation. The update also addresses a font parsing vulnerability (CVE-2013-1291) that could crash the system, a denial-of-service condition.
This week’s Patch Tuesday release was relatively light with two critical bulletins and nine overall addressing 14 vulnerabilities. Notably missing were patches for the vulnerabilities in Internet Explorer 10 exploited during the Pwn2Own contest last month at the CanSecWest Conference.
Researchers from VUPEN were able to exploit a fully patched version of IE 10 on a Windows 8 machine. Up-to-date versions of Google Chrome and Mozilla Firefox were also hacked during the contest; Google and Mozilla had patches pushed out to users within 24 hours.
Childs said in an email to Threatpost on Tuesday that Microsoft was investigating possible issues identified by VUPEN.
“We are not aware of any attacks and the issues should not affect our customers as Pwn2Own organizers do not publicly disclose the competition’s findings,” Childs said.
Chaouki Bekrar, CEO and head of research at VUPEN, acknowledged that Microsoft does extensive compatibility tests that lead to delays in releasing updates, but added that the window of exposure is serious, regardless of the lack of publicly available exploit details.
“As Microsoft has the full details of all these flaws and patches are still missing, there is a chance that criminals discover the same vulnerabilities and exploit them to compromise critical systems,” Bekrar told Threatpost. “I’m not surprised about the delays; Microsoft had always been very slow in fixing reported vulnerabilities as they have very strict QA tests in place to avoid regressions.”
VUPEN brought eight zero-day exploits to Pwn2Own, Bekrar said, and used four of them against Microsoft products. One IE exploit used against Microsoft Surface Pro is a memory corruption bug that affects all versions from 6 through 10 on all Windows versions from XP to Windows 8. The second, also used against Surface, is a sandbox bypass against IE 10 and prior. The third was an Adobe Flash zero-day exploit used to beat the sandbox in IE 9. The final exploit took advantage of a design error in Windows, Bekrar said, and enabled his team to bypass ASLR protections via a Firefox exploit.
Microsoft did, however, issue another cumulative update for IE this week that patches two critical remote code execution use-after-free flaws in versions 6 through 10 of the browser. Both corrupt memory and could enable an attacker to run code on a compromised machine. Another bulletin, rated critical, patched remote code execution flaws in the Microsoft Remote Desktop client.
Article source: http://threatpost.com/en_us/blogs/microsoft-uninstall-faulty-patch-tuesday-security-update-041213
Convicted TJX Hacker Regrets Taking ‘Easy Way Out’ With Plea Deal
Posted by RJGFeed in virus and malware info on April 12, 2013
MIAMI BEACH–Stephen Watt was involved in a series of attacks on retailers and restaurants that federal prosecutors called the largest identity theft in U.S. history. He wrote the sniffer used by some of his friends to steal millions of credit card numbers. After federal agents raided his apartment and confiscated all of his computer equipment, he was eventually indicted on a series of charges related to the attacks on TJX, Dave & Buster’s and others and was facing several years in prison. So he took a plea deal, hoping to reduce his prison time and the financial burden on his family. In all of that, what he regrets most is taking the plea.
“I took the easy way out. I could not possibly have been coerced more into taking this plea than I was by the number [of years in prison] I was facing. It was still easier than fighting it out and that’s something I’ll always have bitter regret for, for not fighting it out,” Watt said.
Standing on a raised stage during his talk at the Infiltrate conference here Friday, the tall, muscular Watt presented an imposing figure. But over the course of 90 minutes, he painted himself as something of a victim in the story, railing against the prosecutors and judges who he says didn’t understand the technical details of the case and were simply interested in making examples of him and his co-defendants. Watt doesn’t deny writing the sniffer that his close friend Albert Gonzalez used in a variety of attacks on TJX, Hannaford and other companies in the latter part of the last decade. What he disputes is the notion that he modified the tool specifically for various targets or that he even knew what Gonzalez was going to do with the sniffer.
“I knew that the prosecution couldn’t possibly prove that I knew the intent or location of the use of the sniffer, because I didn’t know that,” Watt said. “I did modify it, but that was just a recompile. I wrote the sniffer on my own box, tested it there with no idea what it would be used for. I was shocked when I found out what had happened.”
Watt, who had been involved in the underground hacking scene in the late 1990s and early 2000s, was working at a software firm in New York in August 2008. He was coming home from the gym one evening and as he stepped out of the elevator in his apartment building he was greeted by a group of federal agents. One of them knocked him to the ground with a battering ram, he says, and then he was cuffed and watched as the agents executed a search warrant and walked out six hours later with all of his computers, removable media, tax documents and even some bits of paper left in his shredder.
Several months later, Watt was indicted on several charges related to the attacks and served two years in federal prison in Washington state. He’s now on probation and is prohibited from using any computing devices, including smartphones. He says that the prosecutor involved in his case had little understanding of technology and that the software he wrote for Gonzalez was a simple program and was not tailored for specific targets, as the prosecution alleged. The prosecutors used hundreds of pages of logs of chats between Watt and Gonzalez to prove otherwise. Facing a long stretch in prison, Watt took the plea deal.
“Ultimately I decided that my black hat past and my association with the co-defendants was just too much. I had a responsibility to end this and not be a financial burden to my family,” he said.
While admitting his involvement in the scheme, Watt said that he never profited from the attacks, unlike Gonzalez, a fact that the prosecutors acknowledged and then used to argue that he was a sociopath interested only in thrills. Watt, who was prosecuted by Stephen Heymann, the same man who ran the prosecution of Aaron Swartz, said that at the time of the attacks he had been out of the hacking scene for several years and was no longer interested in it.
“I was doing everything but using my computer, which I was totally sick of,” he said.
He used the computer long enough to write the sniffer, which he said was a raw TCP sniffer with the capability to log all of the critical data coming in over a specific range of ports, then encrypt that data when the log got large enough and ship it off to a remote server. He handed the sniffer off to Gonzalez, who had been his friend since the late 1990s, and said he didn’t concern himself with what Gonzalez did with the tool.
“I don’t ask questions about things I have no need to know about,” he said, “and he would never share that information.”
As it turned out, Gonzalez was sharing that information with someone: the U.S. Secret Service. Gonzalez was working as a paid informant for the Secret Service and later tried to have his plea bargain overturned because he claimed that he was working at the direction of federal agents while the attacks were ongoing.
While still angry about what he sees as an overzealous prosecution, Watt said that he looks at the $171.5 million in restitution he’s been ordered to pay as a symbol.
“I look at it as a badge of honor because it’s so high and so oppressive that I’ll never be able to pay it back anyway,” he said.
Article source: http://threatpost.com/en_us/blogs/convicted-tjx-hacker-regrets-taking-easy-way-out-plea-deal-041213
