Archive for November, 2012
The Los Angeles Fire Department recently began informing past patients that their personal data, including Social Security numbers and birthdates, were exposed as a result of a data breach at a city contractor.
“The city’s ambulance billing duties are handled by Advanced Data Processing Inc., which received nearly $6 million from the Fire Department between June 2011 and Oct. 30, according to City Controller Wendy Greuel. … In its notification letter, a copy of which was obtained by The Times, the Fire Department said patient information was used to file fraudulent tax returns as part of a scheme to illegally obtain tax refunds,” writes The Los Angeles Times’ David Zahniser. “The department advised the potential victims to call the IRS to determine whether false returns had been filed in their names, and to take steps to protect their credit rating.”
“The investigation comes after an employee of private contractor Advanced Data Processing Inc. … admitted to accessing individual account information for an estimated 900 ambulance riders, according to LAFD officials,” CBS Los Angeles reports.
“ADPI spokeswoman Lisa MacKenzie said notification letters were sent by the company nationwide,” writes The Contra Costa Times’ Dakota Smith. “The only people who would have been impacted in Los Angeles would be those who may have taken an ambulance, either an LAFD one or one operated by another company that uses the company’s services. ‘It’s always a drag for anything like this to happen,’ MacKenzie said. ‘The company is doing everything that they can to provide information and resources for anyone who may have been affected.’”
A clutch of serious events, particularly to do with unintentional release of government-held information, have led privacy commissioner Marie Shroff to label 2012 “the year of the data breach”, in her annual report released yesterday.
The report singles out the ACC’s unintentional release of data on more than 6500 clients in March and the more recent leakage in the Ministry of Social Development’s kiosks.
In private industry, the customer can always react to a provider’s inadequate privacy practices by moving their business to a competitor, but with government this is not possible, the commissioner points out. This has led to calls for formal powers and sanctions against such breaches.
“It is clear that people believe regulators should have — and use — the ability to call agencies to heel,” Shroff says. “For instance in our public opinion survey earlier this year, 97 percent of respondents said that the privacy commissioner should have the power to order an agency to comply with the law, and 88 percent said they wanted businesses punished if they misuse people’s personal information.”
Personal information is increasingly recognised as an “asset class” in a business, says Shroff in the annual report, and its proper handling is of importance to the economy, particularly where cross-border movement of data is concerned.
“For instance, the World Economic Forum refers to the evidence of an emerging asset class of personal data, but also goes on to note the lack of rules, norms and frameworks that, by contrast, exist for other types of assets,” Shroff says.
“We may have the valued goods in the form of personal data — and the means of distribution through online networks — but we have sometimes lacked cross-border enforcement mechanisms and regulatory solutions for when things go wrong.”
Amendments to the Privacy Act to offer better cross-border protection were put in place in 2010, and the commissioner records that European Union authorities are as a result in the final stages of declaring New Zealand privacy legislation “adequate” for participation in trade with Europe. The adequacy finding is expected before the end of the year.
Privacy risk management should be recognised as a responsibility for the whole of the company, Shroff says.
The report flags cloud computing as an area of progress and the commissioner favourably mentions the Cloud Computing Code of Practice developed under the guidance of the Institute of IT Professionals.
The commissioner’s office has been working on a guide for cloud computing targeted at SMEs and expect to be able to make this freely available online shortly.
Grady Memorial Hospital announced this afternoon that an estimated 900 EMS ambulance service patients may have had personal information stolen this year.
The data breach occurred after an employee of Advanced Data Processing, Inc., a company which handles the hospital’s ambulance billing system, illegally stole thousands of patients’ data nationwide from numerous hospitals, including the Atlanta public hospital. According to Grady Hospital spokeswoman Denise Simpson, some personal records were compromised between mid-January and mid-October.
“Some Grady EMS ambulance service patients are being notified that selected personal information may have been stolen,” she said in a statement.
Medical information was not improperly disclosed, but patient records including names, Social Security numbers, and dates of birth were taken over the course of that nine-month period. To help patients, the billing company has offered affected victims one year’s worth of free credit monitoring and taken action against its former employee.
“With [ADPI’s] help, the authorities identified the employee who admitted to the crime,” a company spokeswoman says. “The employee was immediately terminated.”
ADPI is also continuing to work with law enforcement officials as police are still trying to figure out if the former ADPI employee used the data procured in an illegal manner. No charges have been filed at this time.
The cybercrime group behind the Citadel malware and Reveton ransomware has upped the stakes with a new extortion technique, the FBI’s Internet Crime Complaint Center said today.
Reveton scams have now co-opted the Internet Crime Complaint Center with a new fake warning to users whose computers have been infected.
“In addition to instilling a fear of prosecution, this version of the malware also claims that the user’s computer activity is being recorded using audio, video, and other devices,” an FBI advisory said.
Victims usually are lured to a website hosting the malware. Once Reveton has been installed, the victim’s computer is locked up and a screen materializes with a warning that Federal law has been violated. The victim also sees a message that the FBI has determined that the user’s IP address has accessed child pornography and other illicit content.
The victim is instructed that the only way to unlock their computer is to pay a fine via a prepaid money card service, the FBI said.
“In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud,” the advisory said.
Despite the fact that some victims have paid up, they quickly learn they’ve been scammed and their machines are not unlocked.
The FBI has warned about Reveton infections before, but earlier scams did not threaten victims with video and audio surveillance.
Citadel is a constantly evolving malware platform. In October, its authors updated the malware with a dynamic configuration module that allows them to inject code directly into compromised browsers in real time.
This new feature lessens the chance that the malware will be detected by security software, since it eliminates the need for updated configuration files to be sent to each bot.
“This shows us that this team is really serious. Their development skills are very strong; these are not amateurs,” said Limor Kessem of RSA Security in an interview with Threatpost.
Citadel is an advanced platform. It updates almost quarterly with new features that indicate a level of professional development, organization and resources. It also runs on an open source model of sorts, supporting its own customer relationship management, support teams and user forums where issues are discussed.
In July, experts noted chatter that Citadel might be taken off the market in underground forums and updates would be limited only to existing customers.
Persistent targeted attacks against the government, financial services, manufacturing and critical infrastructure take on many characteristics. Attackers can have different backgrounds and motivations, and the tools they use can range from commodity malware to zero-day exploits.
One characteristic that’s consistent throughout most of these campaigns against high profile organizations is the initial means of infiltration—spear phishing.
Nine times out of 10, attackers walk into an organization right through the front door of its Exchange Server, crafting convincing email messages purportedly from a trusted source that either trick the victim into opening an infected attachment or visiting a website where credentials are stolen, or malware is surreptitiously installed on the visitor’s machine. In any event, the first wave of the targeted attack kicks off from a lowly email.
Even the most security conscious organizations in the world, such as RSA Security, which was infiltrated nearly two years ago by hackers who were after the source code of its flagship SecurID authentication token, are liable to fall victim to a spear phishing message. Why? Because spear phishing works.
Spear phishing as a craft has improved tenfold over what it was a half-decade ago when messages were shady even to the untrained eye. The grammar in the messages was bad, the spelling even worse. Sometimes company logos were out of date, and messages just wouldn’t pass the smell test. Now it’s nigh impossible to sniff out phony messages from the real deal. Humans trust email as a platform, and that’s their first downfall, experts say.
“Most organizational management and security teams understand what spear phishing is. The problem is they do not know how, or do not have the time and resources, to teach people what phishing is and how to detect or defend against it,” said Lance Spitzner, a SANS Institute instructor and inventor of the honeypot. “As such, they continue to be highly vulnerable to spear phishing attacks.”
Spitzner is a big proponent of awareness training inside organizations, training them not only what phishing attacks look like, but what to do if they’re phished.
“Spear phishing works because people have not been trained on how to detect such attacks. Even if they do fall victim, if people can figure out after the fact they did something wrong and then report it right away, this is still a win,” Spitzner said. “If you teach people even the basics that email is an attack platform, and simple steps to detect common attacks, you can still have a dramatic impact.”
Enterprises, however, are losing that fight. A Trend Micro research paper revealed that 91 percent of targeted attacks observed between February and September of this year involved spear phishing. Attackers involved in nation-state sponsored APT-style attacks prefer spear phishing as a means for reaching high-ranking executives or technology managers with privileged access to high-value systems.
The majority of spear phishing messages (94 percent), meanwhile, contain malicious yet common file types as attachments, i.e., PDFs, Excel spreadsheets or Word documents. Rarely are executable files sent as email attachments, since most security systems will detect these; if they are sent, they’re usually compressed and sent in a password-protected archive file such as .zip or .rar.
“People normally share files (e.g., reports, business documents, and resumes) in the corporate or government setting via email,” the Trend Micro report said. “This may be due to the fact that downloading off the Internet in such a setting is frowned upon. That is why a higher number of spear-phishing emails with attachments are sent to targets in the corporate or government sector.”
Government agencies and activist groups are the most targeted via spear phishing, Trend Micro said. Most often, members of these types of organizations have some type of biographical information available online either on agency websites or social media pages, treasure troves for attackers mining for organizational data to be used in social engineering.
“In a lot of cases, these emails are not true spear phishing. The attacker may simply customize the ‘From’ address to match the victim organization or include the company name in the subject line,” Spitzner said. “The state of awareness is so poor that even basic spear phishing is effective. Long story short, it does not take a lot of time.”
Prior to a spear phishing campaign, attackers invest time doing reconnaissance prior to an infiltration. They scour social media sites, or purchase stolen information underground to profile an organization and understand exactly whom they want to target with a phishing message. This person would have access to systems or files of most interest to a particular mission.
Once inside, victims are often infected with a remote access Trojan (RAT) that gives an attacker a persistent backdoor into a network. The RAT can communicate with the attacker and send back system information, legitimate credentials and more that would allow the infiltrator to pivot from system to system until they land on the information they’re after.
“Our findings highlight how spear phishing aids APT attacks because of the vast amount of information available at the touch of our fingertips,” Trend Micro said. “Organizations should strive to improve their existing defenses and take into careful consideration what types of and how much information they make available online.”
Spear phishing is a different animal than a generic spam campaign pushing illicit pharmaceuticals, for example. Spitzner said the best defense is continuous training inside an organization.
“We patch computers at least once a month, so too should you teach people in your awareness program. Far too many organizations take a compliance approach and teach people only once a year,” Spitzner said. “Active internal phishing assessments also work well. You do not need to spend a lot of money on these.”
A recent private summit sponsored by RSA Security also pointed to the effectiveness of people-focused breach prevention programs.
“Many of the preventative security measures discussed at the Summit focused on people, not systems,” RSA said in a report on the summit. “Delegates generally observed a trend toward treating internal employees as ‘a less trusted space.’”
The sophisticated banking Trojan gains a new trick: The ability to detect virtual machines controlled using remote sessions, a common configuration for researchers.
A sophisticated banking Trojan known as Shylock has gained a new trick: The ability to detect whether it’s running in a virtual machine (VM) that is being analyzed by malware researchers.
While malware, such as the infamous Conficker worm, has used a variety of anti-VM techniques to attempt to make analysis more difficult, Shylock may be the first to detect whether the VM is actively being controlled by a researcher through a remote connection, according to software security firm Trusteer. Virtual machines are commonly used by malware researchers and analysts to run programs in a simulated environment to more easily detect malicious behavior.
“We see more institutions and corporations use network scanning tools to grab potentially dangerous files off a system, and then a malware analyst will use a remote desktop to access the machine where it is stored,” said George Tubin, senior security strategist for Trusteer. “And so malware authors are looking for researchers who are accessing the virtual machines from a remote desktop.”
When Shylock detects that it is running in a virtual environment, the program will exit, according to Trusteer.
While Shylock and other malware attempt to prevent themselves from running in virtual machines, VMs have become such a common part of infrastructure that other malicious programs seek out such systems. The Crisis malware, for example, would find and infect virtual-machine images through functions normally used to patch the virtual systems. In addition, researchers have found techniques for stealing data from other virtual machines running on the same host.
Security firms first discovered Shylock in February 2011. The malware, so named because the code contains references to Shakespeare’s The Merchant of Venice, uses man-in-the-middle techniques to steal money from victims’ accounts. The program targets several large financial institutions, injecting malicious content into the Websites when displayed in a victim’s browser to control sessions and steal information.
The program is actively developed by the cyber-criminal group that created the software. In February, for example, the malware was updated to give the cyber-criminal operator the ability to open a fake customer-service chat window on the victim’s computer to allow the online thieves to remotely ask them for sensitive information.
The latest changes aim to make analysis more difficult. While defenders aim to raise the cost to attackers of hacking their systems, attackers have likewise attempted to increase the cost of analyzing their malware. Slowing the defender’s ability to react to the latest build of an online hacking tool means a longer window in which to compromise systems.
Many malware variants have aimed at detecting the VMs that researchers use to analyze the programs. Other programs merely delay executing their malicious functions for minutes, hours or days, an effective technique, as security teams typically do not have the resources to wait for a program to do something malicious.
“The techniques prevent a lot of the research from being done in an automated fashion,” Tubin said. “If, to analyze malware, the researcher has to run it on an actual machine, that’s incredibly inefficient.”
The independent German lab behind AV-Test, which tests the effectiveness of endpoint security products, has pulled its seal of approval for Microsoft Security Essentials.
According to AV-Test, from September to October 2012, the effectiveness of Security Essentials at spotting zero-day malware attacks — including viruses, worms, and Trojan horses — dropped from 69% to 64%, compared with an industry average of 89%. For detecting malware that’s been discovered in the past few months, Security Essentials fared better, with a 90% detection rate, but that’s still below the 97% average for the industry.
In AV-Test’s examination of version 4.0 and 4.1 of Security Essentials, running on a 32-bit Windows 7 system, the antivirus software earned a “protection rating” of just 1.5 out of 6 points. AV-Test said it tests products every two months, and that to be “AV-Test Certified” a product must achieve 11 out of 18 available points, which are granted based on a product’s protection, repair, and usability capabilities.
In the AV-Test October 2012 study, out of 24 Windows 7 antivirus products assessed by AV-Test, only Microsoft’s product failed to make the grade.
That downgrading follows a report released last month by independent testing firm NSS Labs, which found that antivirus tools’ effectiveness at blocking known exploits varied by 58%. While the leading product in the NSS tests — Kaspersky Internet Security 2012 — stopped 92.2% of known threats, Microsoft Security Essentials blocked only about half of the known threats it encountered, putting it in ninth place on the list of most effective products, and in last place when it came to protecting Windows XP systems.
In North America, Microsoft controls 27% of the antivirus market, followed by Symantec (16%), Avast (11%), and AVG (10%), according to a September 2012 antivirus market-share report from research firm OPSWAT. Globally, the leading antivirus providers by market share are Avast (17.5%), Microsoft (13.9%), Avira (12.1%), ESET (10.6%), and Symantec (10.2%).
Interestingly, Security Essentials remains endorsed by Virus Bulletin, which in August 2012 gave the software its VB100 certification, which it says means that the product “can detect 100% of malware samples listed as ‘In the Wild’ by the WildList Organization,” as well as “generate no false positives when scanning an extensive test set of clean samples.” AV-Test also found that Security Essentials rated above the industry average when it came to not returning false positives when it did detect malware.
Originally released by Microsoft in 2009, Security Essentials is free for personal use or businesses with up to 10 PCs. Microsoft launched the service after consumers failed to purchase a similar premium security offering from Microsoft, dubbed Windows Live OneCare.
Antivirus and endpoint security suites are a cash cow for many security vendors. While consumers can avail themselves of a number of free — and well-regarded — options, the only choice for businesses seeking antivirus protection is to purchase corporate-level endpoint security software.
This isn’t the first time Microsoft Security Essentials has lost its AV-Test seal of approval. In September 2010 the antivirus software failed to gain an AV-Test seal of approval. By December 2010, however, Microsoft overhauled Security Essentials, releasing version 2, which offered a better heuristic scanning engine, integration with Windows Firewall, and network traffic inspection for Windows Vista and 7 systems.
With Windows 8, Microsoft rebranded Security Essentials as Windows Defender — which was previously the name of an anti-spyware security feature — and added new capabilities. The security software is enabled by default for every Windows 8 installation but can be replaced with third-party antivirus software.
Phishers are using a typosquatted domain name designed to mimic the URL of a popular e-commerce destination in order to lure their victims to a malicious Website that prompts its visitors to download a malicious add-on that will guide users to phishing sites, even when they type legitimate URLs into their browser’s address bar.
According to a report written by Symantec’s Matthew Maniyara, the campaign’s primary motive is financial.
Fortunately, the potential success of this attack is reliant on the consent of its victims. The malicious site can only prompt users to install the add-on. Visitors to the site will see a dialogue box informing them that their browser has prevented installation and that user-permission is required if the add-on is to be installed.
In the case that Maniyara examined, the dialogue box even warns the user about only installing add-ons from trusted sources and that malicious software can damage computers.
It goes without saying that this is not an incredibly devious threat, but nevertheless, it utilizes some interesting tactics. First, when users navigate to the malicious site, it determines their browser before prompting them to install the malicious add-on that will work with that browser.
If a user allows the installation, the add-on goes into the Windows System32 directory and alters the hosts file. According to Maniyara, the hosts file is used to assign domain names to IP addresses. When a user enters a URL into their browser’s address bar, he explains, the browser checks the local DNS information, located in the hosts file, before sending the DNS query.
An unaltered hosts file basically translates human-readable names (domain names in URLs) into the addresses the computer understands (IP addresses). In this case, however, the hosts file is modified by the add-on so that the domain names of recognizable brands are assigned new IP addresses associated with phishing sites. In this way, when a user attempts to navigate to a benign website, they end up at the malicious phishing site associated with it.
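A defender can catch this kind of tampering by parsing the hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) and flagging any watched brand domain that resolves to something other than a loopback or sinkhole address. The script below is an added example, not from the Symantec report; the watched domains and the sample hosts-file content are constructed placeholders.

```python
"""Flag hosts-file entries that redirect watched domains to remote IPs.

Added example (not the Symantec report's code). WATCHED_DOMAINS and
SAMPLE_HOSTS are constructed placeholders for illustration.
"""
import ipaddress

# Brand domains a defender would watch; hypothetical placeholder values.
WATCHED_DOMAINS = {"example-bank.test", "example-shop.test"}


def is_benign_target(ip_text):
    """True for loopback/unspecified addresses (localhost lines, ad-block sinkholes)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address: treat as suspicious, not benign
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Entries mapping a watched domain (or a subdomain of it) to a non-loopback IP."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_benign_target(ip):
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 entries are a normal, legitimate use
        if name in watched or any(name.endswith("." + w) for w in watched):
            hits.append((ip, name))
    return hits


# Constructed sample: two watched brands pointed at a documentation-range IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.test                         # user ad block, benign
203.0.113.7     example-bank.test www.example-bank.test  # constructed hijack
203.0.113.7     example-shop.test
198.51.100.9    unrelated.test
"""

if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a live system, replace SAMPLE_HOSTS with the contents of the real hosts file and compare hits against a known-good baseline.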
Symantec reports that the initial infection site that prompts users to download the malicious add-on is currently inactive.
Sophos, Trend Micro, and a number of other security firms are reporting a dramatic increase in the prevalence of a worm using AutoRun and social engineering to proliferate.
If you thought Microsoft solved the AutoRun problem, you aren’t alone. They tried to shut it down after it was famously and cleverly used to spread earlier variants of the Stuxnet worm that targeted the industrial control systems that controlled centrifuges at Iran’s Natanz nuclear enrichment facility. However, as we continue to move further and further from that date, and we continue to see the word AutoRun popping up in headlines, it is increasingly becoming one of those network security nuisances that just won’t go away.
Part of the problem here, according to Sophos, is that users still aren’t very good about patching their machines. It’s the same, simple old problem that never seems to change. Despite the fact that Microsoft shipped a patch to disable AutoRun nearly two years ago, some users still haven’t gotten around to implementing it. So the worm is spreading, in large part, through autorun.inf files loaded onto removable media and writable network shares.
As for those who have Windows 8, on which AutoRun was never a feature, or those who did implement the patch to disable it, Trend Micro claims that WORM_VOBFUS (or W32/VBNA-X, as Sophos calls it) is propagating using another old social engineering trick: sex.
They claim that variants of the worm are spreading around Facebook using filenames like ‘sexy.exe’ and ‘porn.exe’ to ensnare its victims.
While Sophos doesn’t touch on the Facebook angle, its explanation for how the worm is spreading in a world mostly rid of AutoRun is almost identical to Trend Micro’s. Even where PCs ignore autorun.inf files picked up from removable media, or the infection arrives by some other method, the worm creates a number of seemingly benign but ultimately malicious folders and merely waits for some unwitting user to click them.
Once the infection takes place, according to Sophos, the malware performs all the usual operations. It phones home to its command and control server, receives instructions for downloading further payloads, and then, at least in the case that Sophos looked at, downloads a banking trojan from the Zeus family and tries to steal its victim’s money one way or another.