Security trends for 2012

Here is my collection of security trends for 2012 from different sources:

Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”

F-Secure also says that it might not be long before cyber criminals turn their attention to tablet devices. Attacks against mobile devices have become more common, and I expect this to continue this year.

Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.

Fake antivirus scams have plagued Windows and Mac OS X for the last couple of years, and now they have spread to Android. Nearly all new mobile malware in Q3 2011 targeted Android. When antivirus software becomes a universally accepted requirement on a mobile platform, the way it already is on Windows, has that platform failed and missed the whole point of being a mobile operating system?

Cyber criminals are developing more sophisticated attacks, and the police will counterattack.

Mobile phone surveillance will increase and more details of it will surface. Last year's findings included smartphones collecting location data, the Carrier IQ phone-spying software being exposed, and a police surveillance system for monitoring mobile phones. In the USA the Patriot Act lets the authorities investigate anything, anywhere, without a warrant; now they are on your devices and can monitor everything. The article Leaked Memo Says Apple Provides Backdoor To Governments reports that "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA"), have agreed to provide backdoor access on their devices.

The article Geo-location tagging in smartphones to potentially cause major security risks says that geo-location tagging is likely to be a major security issue in 2012, and that many smartphone users are unaware of the potentially serious consequences of using the technology. When smartphone images are uploaded to the Internet (to portals such as Facebook or Flickr), there is a strong chance that the GPS location data embedded in them is uploaded as well. This information can subsequently be misused by third parties.
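As an added illustration (not code from the article or from any phone or portal vendor), here is a standard-library Python routine that reads the GPS latitude and longitude out of a JPEG's EXIF APP1 segment, and a second routine that removes that segment before an upload. The JPEG it works on is constructed inside the block and is not a real photo; the coordinates are arbitrary test values.

```python
"""Inspect and strip EXIF GPS tags in a JPEG using only the standard library.
Added illustration with a constructed sample file, not code from the article."""
import struct

GPSINFO_TAG = 0x8825                                  # IFD0 entry pointing at the GPS IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}     # TIFF field type -> byte size


def build_sample_jpeg(lat_dms=(60, 10, 12.3), lon_dms=(24, 56, 0.0)):
    """Constructed sample: a minimal JPEG whose APP1 segment carries a GPS IFD.
    Not a real photo; the coordinates are arbitrary test values."""
    bo = ">"                                          # big-endian ("MM") TIFF header

    def rationals(dms):                               # deg/1, min/1, (sec*100)/100
        d, m, s = dms
        return struct.pack(bo + "IIIIII", int(d), 1, int(m), 1, int(round(s * 100)), 100)

    # IFD0 at offset 8: one entry (GPSInfo -> GPS IFD at offset 26), next-IFD pointer 0.
    ifd0 = struct.pack(bo + "H", 1) + struct.pack(bo + "HHII", GPSINFO_TAG, 4, 1, 26)
    ifd0 += struct.pack(bo + "I", 0)
    # GPS IFD at offset 26: LatRef, Lat (3 rationals @80), LonRef, Lon (3 rationals @104).
    gps = struct.pack(bo + "H", 4)
    gps += struct.pack(bo + "HHI", 1, 2, 2) + b"N\x00\x00\x00"
    gps += struct.pack(bo + "HHII", 2, 5, 3, 80)
    gps += struct.pack(bo + "HHI", 3, 2, 2) + b"E\x00\x00\x00"
    gps += struct.pack(bo + "HHII", 4, 5, 3, 104)
    gps += struct.pack(bo + "I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(bo + "I", 8) + ifd0 + gps
    tiff += rationals(lat_dms) + rationals(lon_dms)
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    dqt = b"\xff\xdb" + struct.pack(">H", 3) + b"\x00"   # stand-in for the image segments
    return b"\xff\xd8" + app1 + dqt + b"\xff\xd9"


def _iter_app_segments(jpeg):
    """Yield (marker, start, end) for the APPn/COM segments that follow SOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            break                                     # first real image segment
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, off, bo):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
    out = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        out[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return out


def _value(tiff, entry, bo):
    """Resolve an entry: values of <= 4 bytes sit inline, larger ones at an offset."""
    typ, cnt, raw = entry
    size = TYPE_SIZES.get(typ, 1) * cnt
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(bo + "I", raw)
    return tiff[off:off + size]


def _dms_to_degrees(raw, bo):
    """Three unsigned RATIONALs (deg, min, sec) -> decimal degrees."""
    n = struct.unpack(bo + "IIIIII", raw)
    d, m, s = (n[i] / n[i + 1] if n[i + 1] else 0.0 for i in (0, 2, 4))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None if absent."""
    for marker, start, end in _iter_app_segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = jpeg[start + 10:end]
        bo = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack(bo + "I", tiff[4:8])
        gps_ptr = _read_ifd(tiff, ifd0_off, bo).get(GPSINFO_TAG)
        if gps_ptr is None:
            return None
        (gps_off,) = struct.unpack(bo + "I", gps_ptr[2])
        gps = _read_ifd(tiff, gps_off, bo)
        if not all(t in gps for t in (1, 2, 3, 4)):
            return None
        lat = _dms_to_degrees(_value(tiff, gps[2], bo), bo)
        lon = _dms_to_degrees(_value(tiff, gps[4], bo), bo)
        if _value(tiff, gps[1], bo).rstrip(b"\x00") == b"S":
            lat = -lat
        if _value(tiff, gps[3], bo).rstrip(b"\x00") == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Drop the APP1 Exif segment (and with it the GPS data) before uploading."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _iter_app_segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"):
            out += jpeg[start:end]
        last = end
    out += jpeg[last:]
    return bytes(out)
```

The stripper only walks the leading APPn/COM segments, which is where Exif lives; everything from the first image segment onward is copied through untouched. Whether a portal strips the metadata on upload is outside the user's control, so removing it on the device before upload is the safe default.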

You need to find your balance between freedom and security (from the Finnish article Vapauden ja turvallisuuden tasapaino, "The balance of freedom and security"). Usernames have been dumped for all to see; passwords and personal identification numbers get published. That makes access management more important than ever: who is allowed to know what, when, where and in which role? Access, identity and role management are essential for the protection of the whole system, and the implementation of such systems is still far from complete.

When designing networked services, security has to be taken into account at the planning stage rather than bolted on at the end. Even a secure network and information system does not operate in a vacuum.

The reliability of server certificates will face more and more problems. We may see more certificate authorities go bankrupt after cyber attacks against them. Certificate attacks that used to focus on PC web browsers have now been shown to work against mobile browsers as well.

Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques, particularly when combined, they could sneak common exploits past many IDS/IPS systems (including their own, at the time, last summer). With the right tool set (including a custom TCP/IP stack) attackers can sneak past our best defences. This is real, and Stonesoft foresees a not too distant future in which things like botnet kits have this as a checkbox feature.
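To make the evasion idea concrete, here is an added Python illustration (constructed traffic, not Stonesoft's code or data) of two segment-level tricks a custom TCP/IP stack can play on an IDS that matches content too naively: splitting the signature across segment boundaries, and sending overlapping segments whose bytes disagree so that the IDS and the target host reconstruct different streams.

```python
"""Two segment-level evasions against a naive IDS matcher: splitting a signature
across TCP segments, and overlapping segments whose bytes disagree. Constructed
traffic, standard library only; an added illustration, not Stonesoft's code."""

SIGNATURE = b"/bin/sh"  # the pattern a simple content rule looks for


def match_per_segment(segments):
    """Naive IDS: inspects each segment payload in isolation."""
    return any(SIGNATURE in payload for _seq, payload in segments)


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from (seq, payload) pairs.
    policy="first": the first byte seen at an offset wins; "last": later data overwrites.
    Real OS stacks differ here, so an IDS using the wrong policy for the protected host
    reconstructs a different stream from the one the host will actually process."""
    buf = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            pos = seq + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    lo, hi = min(buf), max(buf)
    return bytes(buf.get(p, 0) for p in range(lo, hi + 1))  # holes filled with 0x00


def match_stream(segments, policy="first"):
    """IDS that normalises (reassembles) the stream before matching."""
    return SIGNATURE in reassemble(segments, policy)


# Constructed case 1: the signature straddles a segment boundary.
SPLIT = [
    (1000, b"GET /cgi-bin/x?cmd=/bi"),
    (1022, b"n/sh HTTP/1.0\r\n"),
]

# Constructed case 2: overlapping segments carry different bytes for the same offsets.
# The 11-byte first segment puts "ls" at offsets 2009-2010; the second rewrites them to "sh".
OVERLAP = [
    (2000, b"cmd=/bin/ls"),
    (2009, b"sh"),
]

if __name__ == "__main__":
    print("split, per-segment :", match_per_segment(SPLIT))       # False: evaded
    print("split, reassembled :", match_stream(SPLIT))            # True
    print("overlap, first-wins:", reassemble(OVERLAP, "first"))   # b'cmd=/bin/ls'
    print("overlap, last-wins :", reassemble(OVERLAP, "last"))    # b'cmd=/bin/sh'
```

The second case is the important one: reassembly alone is not enough, because the IDS has to reassemble the way the protected host does. An inspection device that picks one overlap policy for every host behind it is exactly what a combination of evasions is tuned to exploit.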

The rise of printer malware is real. The article Printer malware: print a malicious document, expose your whole LAN says that sending a printer a document carrying a malicious firmware image can make it forward your sensitive documents anywhere on the Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a résumé to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for its printers, and in HP Refutes Inaccurate Claims; Clarifies on Printer Security it disputes the findings. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.

Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.
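The core idea behind BIOS integrity measurement is simple enough to show in a few lines. The following is an added Python illustration (not code from NIST SP 800-155 or from any TPM vendor): each firmware component is hashed in boot order into a PCR-style register, the final value is compared with a known-good one, and the accompanying event log names the component that changed. The firmware "images" are constructed byte strings, and SHA-256 is used where TPM 1.2 hardware would use SHA-1 with a 20-byte register.

```python
"""Measured boot in miniature: hash each firmware component in boot order into a
PCR-style register, compare with a golden value, and use the event log to name the
component that changed. Added illustration with constructed images; not code from
NIST SP 800-155. Uses SHA-256 (TPM 1.2 PCRs used SHA-1 with a 20-byte register)."""
import hashlib

PCR_INITIAL = b"\x00" * 32


def pcr_extend(pcr, component_image):
    """TPM extend: PCR_new = H(PCR_old || H(component)). One-way and order-dependent."""
    digest = hashlib.sha256(component_image).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Return (final PCR hex, event log) for (name, image) pairs given in boot order."""
    pcr, log = PCR_INITIAL, []
    for name, image in components:
        pcr = pcr_extend(pcr, image)
        log.append((name, hashlib.sha256(image).hexdigest()))
    return pcr.hex(), log


def verify_pcr(golden_pcr_hex, components):
    """Attestation check: does re-measuring these components reproduce the golden PCR?"""
    return measure_boot(components)[0] == golden_pcr_hex


def first_divergence(golden_log, observed_log):
    """Name the first component whose measurement differs, is missing, or is extra."""
    for i in range(max(len(golden_log), len(observed_log))):
        g = golden_log[i] if i < len(golden_log) else None
        o = observed_log[i] if i < len(observed_log) else None
        if g != o:
            return (o or g)[0]
    return None


# Constructed stand-ins for firmware images (byte strings, not real BIOS code).
GOLDEN_BOOT = [
    ("boot_block", b"BOOTBLOCK v1.0"),
    ("main_bios", b"MAIN BIOS IMAGE v1.0"),
    ("option_rom_nic", b"NIC OPTION ROM v2.3"),
]
TAMPERED_BOOT = [
    ("boot_block", b"BOOTBLOCK v1.0"),
    ("main_bios", b"MAIN BIOS IMAGE v1.0"),
    ("option_rom_nic", b"NIC OPTION ROM v2.3 + implant"),   # only this image changed
]

if __name__ == "__main__":
    golden_pcr, golden_log = measure_boot(GOLDEN_BOOT)
    observed_pcr, observed_log = measure_boot(TAMPERED_BOOT)
    print("golden  ", golden_pcr)
    print("observed", observed_pcr)
    print("match:", verify_pcr(golden_pcr, TAMPERED_BOOT),
          "first divergence:", first_divergence(golden_log, observed_log))
```

Two properties matter for the defender. Because extend is one-way, a tampered component cannot be hidden by later "fixing" the register; and because it is order-dependent, the same components booted in a different order produce a different PCR, so the measurement also pins down the boot sequence. The PCR alone only says "something changed"; the event log is what lets the measurement assessment authority say what.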

According to Stonesoft, security problems threaten lives, and 2012 may be the first year in which people die because of a security breach. Whether this happens remains to be seen, the company says, but the risk comes from attacks on industrial SCADA systems at targets such as hospitals or automated drug delivery systems. I posted about SCADA security issues about a month ago.

849 Comments

  1. Tomi Engdahl says:

    Global Risks 2012
    Seventh Edition An Initiative of the Risk Response Network
    http://reports.weforum.org/global-risks-2012/

    World Economic Forum in collaboration

    The World Economic Forum’s Risk Response Network (RRN) was launched to provide private and public sector leaders with an independent, impartial platform to map, measure, monitor, manage and mitigate global risks. Our flagship research activity is this report.

    Case 1: Seeds of Dystopia
    Dystopia, the opposite of a utopia, describes a place where life is full of hardship and devoid of hope. Analysis of linkages across various global risks reveals a constellation of fiscal, demographic and societal risks signalling a dystopian future for much of humanity.

    Case 2: How Safe are our Safeguards?
    As the world grows increasingly complex and interdependent, the capacity to manage the systems that underpin our prosperity and safety is diminishing.

    Case 3: The Dark Side of Connectivity
    The impacts of crime, terrorism and war in the virtual world have yet to equal that of the physical world, but there is fear that this could change. Hyperconnectivity is a reality. With over five billion mobile phones coupled with internet connectivity and cloud-based applications, daily life is more vulnerable to cyber threats and digital disruptions.

    50 Global Risks are listed on the report.

    Reply
  2. Tomi Engdahl says:

    Hackers Steal $6.7M In Bank Cyber Heist
    http://yro.slashdot.org/story/12/01/17/234208/hackers-steal-67m-in-bank-cyber-heist

    “A perfectly planned and coordinated bank robbery was executed during the first three days of the new year in Johannesburg, and left the targeted South African Postbank — part of the nation’s Post Office service — with a loss of some $6.7 million. The cyber gang behind the heist was obviously very well informed about the post office’s IT systems, and began preparing the ground for the heist a few months before, by opening accounts in post offices across the country and compromising an employee computer in the Rustenburg Post Office.”

    Hackers steal $6.7 million in bank cyber heist
    http://net-security.org/secworld.php?id=12230

    Having also raised the withdrawal limits on those accounts, money mules had no problem withdrawing great amounts of money from ATMs in Gauteng, KwaZulu-Natal and the Free State during the next few days, stopping completely when the offices were opened again on January 3.

    It was a happy New Year’s Day for gang who pulled off…R42m Postbank heist
    http://www.timeslive.co.za/local/2012/01/15/it-was-a-happy-new-year-s-day-for-gang-who-pulled-off…r42m-postbank-heist

    The security expert said serious questions needed to be raised about Postbank's internal systems: "At first glance you have to say the intrusion detection system on its servers was obviously not working properly. It will be difficult for the post office to detect and stop something like this. But, if they had the will and knowledge, it could certainly have been prevented."

    Reply
  3. Tomi Engdahl says:

    Global economic crime survey 2011

    http://www.pwc.com/gx/en/economic-crime-survey

    PwC’s sixth Global economic crime survey examines the causes and effects of fraud worldwide, focusing on the growing threat of cybercrime. A decade on and the fraud risk continues to rise. Our survey shows that economic crime is persistent and that organisations need to be vigilant and proactive when fighting fraud.

    Download the 2011 survey
    http://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtml

    We have seen a 13% rise in fraud since our last survey and organisations see more fraud ahead. In today’s technology driven environment, cybercrime is emerging as a serious threat to organisations.

    Against this backdrop, here are 5 ways to protect your organisation against economic crime:

    Know who you are dealing with – staff, suppliers, partners and agents
    Align IT, Internal Audit and the Board in the fight against economic crime
    Conduct regular fraud risk assessments
    Leadership by a Cyber-Savvy CEO, who instils a cyber risk-aware culture
    Implement a cyber crisis response plan

    Reply
  4. Tomi Engdahl says:

    The Evil New Tactic Behind Anonymous’ Massive Megaupload Revenge Attack
    http://gawker.com/5877707

    The hacktivist collective Anonymous is in the middle of a huge revenge spree after the Feds shut down popular filesharing site Megaupload today. But they’re using an evil new tactic that tricks people into helping their attack if they click an innocuous link.

    Here's one reason they've been able to muster so much firepower: Anonymous members are distributing a link that ropes internet users into an illegal DDoS attack against these websites simply by clicking it. The link is being shared widely on Twitter and in Anonymous chat rooms, often with no context except that it relates to Operation Megaupload. I clicked it a few minutes ago because it was being spammed in an Anonymous chatroom and found myself instantly DDoSing Universalmusic.com, my computer rapidly pinging the page with no way to stop except quickly closing the window.

    The link is a page on the anonymous web hosting site pastehtml. The link loads a web-based version of the program Anonymous has used for years to DDoS websites: Low Orbit Ion Cannon (LOIC). When activated, LOIC rapidly reloads a target website, and if enough users point LOIC at a site at once, it can crash from the traffic.

    Reply
  5. Tomi Engdahl says:

    Anonymous Takes Down DOJ, RIAA, MPA and Universal Music
    http://yro.slashdot.org/story/12/01/19/2238202/anonymous-takes-down-doj-riaa-mpa-and-universal-music

    “Shortly after a federal raid today brought down the file sharing service Megaupload, hackers aligned with the online collective Anonymous have shut down sites for the Department of Justice, Universal Music Group and the RIAA. ‘It was in retaliation for Megaupload, as was the concurrent attack on Justice.org,’ Anonymous operative Barrett Brown tells RT on Thursday afternoon.”

    Reply
  6. Tomi Engdahl says:

    Mobile malware is about to explode, users need education
    Column Users need to stop being naive and vendors should crack down
    http://www.theinquirer.net/inquirer/opinion/2140338/mobile-malware-explode-users-education

    Mobile malware is pretty much at the stage that desktop malware was in 1986 or 1987 in terms of the number of threats, Tom Parsons, a senior manager at Symantec Security Response told me recently. The number of threats is into the thousands now.

    Around half of threats involve premium text messages that the malware automatically sends without the user’s knowledge. Typically four are sent costing between £4 and £8 each. In my opinion, there is a big potential for this to get worse with upcoming technologies like near field communication (NFC), which will be used for day-to-day payments instead of a debit card.

    Of the main mobile operating systems, it’s no surprise that Android is targeted the most.

    As I highlighted in a recent news story, a problem with Android is that malware is finding its way into legitimate apps.

    On the subject of mobile malware, Mikko Hypponen, chief research officer at F-Secure told me the firm is getting more and more queries from users concerned about the level of access applications have to their information on their mobile.

    Hypponen says that users should carefully review the rights they grant to apps and complain to the vendor if they feel the app is looking for rights it can’t justify.

    Reply
  7. Tomi Engdahl says:

    Click on an Anonymous link, and you could be DDoS’ing the US government
    http://nakedsecurity.sophos.com/2012/01/20/anonymous-opmegaupload-ddos-attack/

    Here’s a quick summary of events:

    * On Wednesday, thousands of websites participated in an “internet blackout”, protesting against proposed US anti-piracy legislation.

    * Yesterday, file-sharing website Megaupload was shut down, and its founders arrested.

    The charge? Online piracy alleged to have cost the entertainment industry more than half a billion dollars.

    * Overnight, websites belonging to the FBI, Department of Justice, RIAA, MPAA, Universal and others were struck by a distributed denial-of-service (DDoS) attack.

    * The loosely-knit collective Anonymous has claimed responsibility for the attacks (which they dubbed Operation Megaupload):

    In the past, Anonymous has encouraged supporters to install a program called LOIC (Low Orbit Ion Cannon) which allows computers to join in an attack on a particular website, blasting it with unwanted traffic.

    This time, things are slightly different: you only have to click on a web link to launch a DDoS attack.

    Don't forget, denial-of-service attacks are illegal. If you participate in such an attack you could find yourself receiving a lengthy jail sentence.

    We are a world of links; they lead to knowledge, and if a misleading link causes a DDoS then the owners of the sites that get DDoSed should learn not to be a target.

    With this “Trick” Anonymous, knowingly or not, gave the people that which has been used against them for years…

    Plausible Deniability.

    Reply
  8. Tomi Engdahl says:

    Europe to issue tough new data-protection rules soon
    http://www.reuters.com/article/2012/01/22/us-eu-data-idUSTRE80L0Q820120122

    The European Union will propose tough new rules in the coming days on how corporations handle Internet users’ personal data, a long-awaited move that could have far-reaching implications for Web giants such as Google Inc and Facebook.

    “In Europe we have too many rules, conflicting rules,” she said. “The extra cost to business of this fragmentation is 2.3 billion euros ($3 billion) a year.”

    Europe’s new data-protection rules are expected to be issued on January 25.

    The EU regulation will need to be approved by national governments, some of which, such as France and Germany, may resist seeing their oversight on privacy matters shift to Brussels.

    According to a draft obtained by Reuters, the EU proposals would bolster significantly regulators’ powers on fighting data-protection breaches, requiring companies to notify regulators when data has been stolen or mishandled.

    The rules also create a “right to data portability” to ensure that people can easily transfer their personal information between different companies or services.

    Reply
  9. Tomi Engdahl says:

    Polish state website taken down by hackers
    http://www.google.com/hostednews/afp/article/ALeqM5gbrRCx2bEkgdwHaJ6KJhrwTSaR8w

    Hackers identifying themselves as the “Polish Underground” took down the Polish government website early on Monday, the most recent in a series of attacks protesting against anti-piracy legislation.

    At the weekend, the computer hacker group Anonymous launched attacks on official websites belonging to the Polish president, prime minister and parliament, also in protest against the Anti-Counterfeiting Trade Agreement (ACTA).

    “Hacked by the Polish Underground: Stop ACTA,” appeared on the website of Poland’s centrist Prime Minister Donald Tusk early on Monday.

    Reply
  10. Tomi Engdahl says:

    Anonymous Twitter links cause DDoS attacks
    http://www.theinquirer.net/inquirer/news/2140416/anonymous-twitter-links-cause-ddos-attacks

    SECURITY VENDOR Sophos has warned Twitter users that they could be launching distributed denial-of-service (DDoS) attacks by clicking on links.

    The firm is warning users that a simple click on a link could be triggering a DDoS attack. It is specifically talking about hacktivist group Anonymous posting links to pastehtml.com.

    “This time, things are slightly different: you only have to click on a web link to launch a DDoS attack.”

    Reply
  11. Tomi Engdahl says:

    The Hacker is Watching
    http://www.gq.com/news-politics/newsmakers/201201/luis-mijangos-hacker-webcam-virus-internet?printable=true

    Every online scam begins more or less the same—a random e-mail, a sketchy attachment. But every so often, a new type of hacker comes along. Someone who rewrites the rules, not just the code. He secretly burrows his way into your hard drive, then into your life. Is he following your every move?

    When she called her friend to see what she’d missed, things actually got freaky: Suzy’d never sent a thing. The girls pieced together the clues and agreed: Suzy’s AOL account had been hacked. For the next couple of weeks, the girls remained watchful for malware, insidious software capable of wreaking all sorts of havoc.

    But at some point, each of them looked up and noticed the same strange thing: the tiny light beside their webcam glowing.

    Amy watched in horror as the picture materialized on the screen: a shot of her in that very room…

    The more ubiquitous cameras become, the less we’re aware they’re even there.

    For the agents of the cyber squad, the case’s legacy is clear: Despite billions spent on technology that lets us broadcast our daily lives, all it takes is one guy, a self-taught hacker with no college degree, to turn that power against us.

    Reply
  12. Tomi Engdahl says:

    Sourcefire jumps into anti-malware market
    http://www.theregister.co.uk/2012/01/23/sourcefire_anti_malware/

    Sourcefire, the security biz behind the commercial versions of the open-source Snort intrusion-detection software, is bowling itself at enterprises and touting tech designed to quickly detect and block malware outbreaks.

    FireAMP offers a malware discovery and analysis tool that offers visibility of threats and outbreak control. The technology offers a means to limit the damage from virus infections

    “FireAmp could replace anti-virus, but it’s not going to replace it immediately, especially because firms have invested in conventional security software. We’re offering FireAMP as a way to shore up defences.”

    FireAMP, which is based on technology Sourcefire acquired from Immunet last year

    Reply
  13. Tomi Engdahl says:

    Hackers manipulated railway computers, TSA memo says
    http://www.nextgov.com/nextgov/ng_20120123_3491.php?oref=topstory

    “On December 1, a Pacific Northwest transportation entity reported that a potential cyber incident could affect train service,”

    Hackers, possibly from abroad, executed an attack on a Northwest rail company’s computers that disrupted railway signals for two days in December, according to a government memo recapping outreach with the transportation sector during the emergency.

    On Dec. 1, train service on the unnamed railroad “was slowed for a short while” and rail schedules were delayed about 15 minutes after the interference

    “Cyberattacks were not a major concern to most rail operators” at the time, adding, “the conclusion that rail was affect [sic] by a cyberattack is very serious.”

    Reply
  14. Tomi Engdahl says:

    Pwn2Own 2012 Gets Serious About Security Vulnerabilities
    http://www.esecurityplanet.com/browser-security/pwn2own-2012-gets-serious-about-security-vulnerabilities.html

    The HP-sponsored hacking challenge revises its rules in an effort to expose even more vulnerabilities.

    Over the last several years, the Pwn2Own hacking challenge has become known as the place where browsers get hacked, sometimes within just a matter of minutes. This year, the event’s organizers at HP TippingPoint’s Zero Day Initiative (ZDI) are looking to project a more serious demeanor and downplay the sensational nature of the contest — even as they change the rules in an effort to demonstrate a record number of exploited security vulnerabilities.

    “Each 0-day vulnerability that is demonstrated against any of the browsers (Firefox, IE, Safari and Chrome) will be worth a certain point value,” Portnoy said.

    “In the past, Pwn2Own has shown the importance of 0-day vulnerabilities and the fact that at any given time you are susceptible to attack regardless of your patch level,” Portnoy said.

    Reply
  15. Tomi Engdahl says:

    EU data leak must notify within 24 hours
    http://translate.google.fi/translate?sl=auto&tl=en&js=n&prev=_t&hl=fi&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.tietoviikko.fi%2Fkaikki_uutiset%2Feu%2Btietovuodosta%2Btaytyy%2Bilmoittaa%2B24%2Btunnin%2Bsisalla%2Fa762417%3Fs%3Dr%26wtm%3Dtietoviikko%2F-25012012%26

    Companies will have to notify the authorities of data leaks that infringe privacy within 24 hours, under threat of fines and legal action.

    The 24-hour rule has been public since December, when Commissioner Reding's department published a draft for consultation. Companies that violate it could be fined up to five per cent of turnover.

    The new rule is considered to be a reaction to Sony's case last July, when the company took over a week to inform its 77 million customers that their data may have been leaked.

    Reply
  16. Tomi Engdahl says:

    GOOGLE: Updating our privacy policies and terms of service
    http://googleblog.blogspot.com/2012/01/updating-our-privacy-policies-and-terms.html

    Google’s New Terms Of Service & Privacy Policy: Anything You Do May Be Used To Target You?
    http://marketingland.com/google-terms-of-service-privacy-policy-4293

    Google announces privacy changes across products; users can’t opt out
    http://www.washingtonpost.com/business/technology/google-tracks-consumers-across-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html

    Reply
  17. Tomi Engdahl says:

    O2 leaks 3G users’ mobile numbers to every website visited
    http://www.theregister.co.uk/2012/01/25/o2_hands_out_phone_numbers_to_websites/

    The info leak was highlighted yesterday by O2 customer Lewis Peckover, who set up a little web tool that displays all the HTTP header information sent to sites by connecting web browsers. These strings of data include details such as the URL of the page requested, and the web browser and operating system versions used by the person visiting the site.

    For customers browsing on an O2 3G connection, these headers also include their telephone number in an x-up-calling-line-id line – added in by proxy server software most likely running on the telco’s network, rather than disclosed by a gadget’s browser or software.

    Does O2 send your phone number to every site you visit using their mobile data network? A test tool that shows the headers received:
    http://lew.io/headers.php

    Reply
  18. Tomi Engdahl says:

    EU proposes ‘right to be forgotten’ by internet firms
    http://www.bbc.co.uk/news/technology-16677370

    A new law promising internet users the “right to be forgotten” will be proposed by the European Commission on Wednesday.

    It says people will be able to ask for data about them to be deleted and firms will have to comply unless there are “legitimate” grounds to retain it.

    The move is part of a wide-ranging overhaul of the commission’s 1995 Data Protection Directive.

    Reply
  19. Tomi Engdahl says:

    O2 3G stops giving punters’ mobile numbers to websites
    HTTP header blooper stamped out within hours after outcry
    http://www.theregister.co.uk/2012/01/25/o2_stop_phone_number_leak/

    The disclosure that affected all users of O2's 3G network on iPhone and Android in the UK was highlighted earlier today.

    Reply
  20. Tomi Engdahl says:

    http://www.tietoviikko.fi/kaikki_uutiset/kaleva+kyberhuolet+tekevat+tietoturvayhtioille+tulosta/a763526?s=r&wtm=tietoviikko/-26012012&

    People's uncertainty and concern about the safety of their computers drives them towards the security companies, says Kaleva.

    This is especially true when the news about security problems spread.

    Reply
  21. Tomi Engdahl says:

    Why O2 shared your mobile number with the world
    And why they’ll probably do similar again
    http://www.theregister.co.uk/2012/01/25/o2_number_sharing/

    O2 has been sharing customers’ phone numbers with every website they visited, but O2 isn’t the only offender – it’s just the one that slipped up and got caught.

    Delivering customer phone numbers to every website, in the HTTP headers, wasn’t a deliberate policy nor some form of conspiracy, just a badly configured proxy that should have removed the data before it left the company’s network. Adding the information wasn’t the mistake, failing to take it away is what caused the problem.

    Mobile web browsing is different from fixed browsing for one important reason – the network can absolutely, and securely, identify the customer from the SIM card, which opens up lots of opportunities unavailable to fixed ISPs. Once the customer has been identified then services can be automatically billed to that user

    If the user is connecting to the billing system, or the operator’s music shop, then that header is used to bill the services to the right account.

    But if the HTTP page request is routed out of the operator’s network, and not to a contracted partner, then there’s some router that is supposed to remove such data.

    That’s the gear which was wrongly configured at O2, and let the headers through.

    O2's intended handling of HTTP requests is nothing compared to Vodafone, which routinely strips all the headers from those using featurephones making it impossible for sites to optimise content for such handsets. Vodafone even appends its own HTML to pages, adding a navigation bar highlighting their premium services.

    Few operators are so brazen, but most will strip out comments and redundant code, and almost all of them compress images and videos for mobile consumption.

    So when a website pops up on a mobile screen it has already been analysed, compressed, manipulated and mangled, headers have been appended and stripped

    Reply
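The O2 story above describes a proxy that adds the subscriber's number to every request and relies on an egress device to remove it again, so a single misconfiguration discloses the number to the whole Internet. As an added Python illustration (not O2's, Vodafone's or any operator's code), here is the failure-safe shape of that policy: the identifying headers are forwarded only to allow-listed partner hosts and dropped otherwise, together with the check a site operator can run on the headers it receives. Only x-up-calling-line-id comes from the reports; the other header names, the partner host and the request headers are constructed assumptions.

```python
"""Default-deny handling of subscriber-identifying HTTP headers at an operator proxy,
plus the server-side check a site can run on what it receives. Added illustration;
header names other than x-up-calling-line-id and the partner host are assumptions."""
import re
from urllib.parse import urlsplit

# Headers of the kind operators have used to carry the caller's number. Only
# x-up-calling-line-id is named in the O2 reports; the others are assumed examples.
SUBSCRIBER_HEADERS = {"x-up-calling-line-id", "x-msisdn", "x-nokia-msisdn"}
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")   # E.164-like digit string


def host_is_trusted(url, trusted_partners):
    """Exact host or subdomain of an allow-listed partner; anything else is untrusted."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == p or host.endswith("." + p) for p in trusted_partners)


def scrub_outbound(url, headers, trusted_partners):
    """Proxy egress: keep subscriber headers only for allow-listed partner hosts.
    Allow-listing is the failure-safe shape: a forgotten rule withholds the number from
    one partner instead of disclosing it to every site the customer visits."""
    if host_is_trusted(url, trusted_partners):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SUBSCRIBER_HEADERS}


def find_subscriber_leaks(received_headers):
    """Site-side check (what a headers-echo page lets you eyeball): flag known subscriber
    headers and any other header whose value looks like a phone number."""
    return {
        k: v for k, v in received_headers.items()
        if k.lower() in SUBSCRIBER_HEADERS or MSISDN_RE.match(v.strip())
    }


# Constructed request headers; 447700900123 is in the UK's reserved drama number range.
REQUEST_HEADERS = {
    "Host": "example.org",
    "User-Agent": "Mozilla/5.0 (Linux; Android 2.3)",
    "x-up-calling-line-id": "447700900123",
}
TRUSTED_PARTNERS = {"partner.example"}   # hypothetical billing / age-verification partner

if __name__ == "__main__":
    print(scrub_outbound("http://example.org/", REQUEST_HEADERS, TRUSTED_PARTNERS))
    print(scrub_outbound("http://shop.partner.example/buy", REQUEST_HEADERS, TRUSTED_PARTNERS))
    print(find_subscriber_leaks(REQUEST_HEADERS))
```

The value-shape check in find_subscriber_leaks matters because a proxy can be reconfigured to use a new header name at any time; matching on names alone would miss the next leak. A cleaner design still is for the proxy to add the header only on the partner path, so there is nothing to strip on egress at all.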
  22. Tomi Engdahl says:

    O2 apologizes for ‘unintended’ number-leak cockup
    Will cooperate with Information Commissioner’s probe
    http://www.theregister.co.uk/2012/01/25/o2_apology_3g_phone_leak/

    “We would like to apologize for the concern we have caused,” the company said in a statement.

    The cellco said it was standard industry practice to send out user’s phone number information in this way to “certain trusted partners”,

    The number appeared in an x-up-calling-line-id line and was storable by the site

    Company statement:

    O2 mobile numbers and web browsing
    http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-and-web-browsing.html

    We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.

    Q: What’s happened with O2 mobile numbers when I browse the internet on my mobile?

    A: Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using, is passed to website owners. This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user’s mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased 3) to identify customers using O2 services, such as My O2 and Priority Moments. This only happens over 3G and WAP data services, not Wifi.

    Q: Which of my information can website owners access?

    A: The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers.

    Q: Why did this happen?

    A: Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.

    Reply
  23. Tomi Engdahl says:

    Anonymous Goes After World Governments in Wake of Anti-SOPA Protests
    http://www.wired.com/threatlevel/2012/01/anonymous-internationalist/

    Over the last week, Anonymous has launched unprecedented string of attacks on government and business sites around the world,

    Continuous DDoSing and hacking attacks by Anonymous seems to be largely a response to proposals to strengthen intellectual property law at the expense of an open internet and to what Anonymous perceives to be overreaching of the power by various governments.

    On Wednesday, the Federal Trade Commission tweeted “The FTC takes this malicious act seriously”

    the fear of Anonymous is now real in the corporate world.

    Reply
  24. Tomi Engdahl says:

    Symantec Tells Customers To Stop Using pcAnywhere
    http://tech.slashdot.org/story/12/01/26/140215/symantec-tells-customers-to-stop-using-pcanywhere

    If the attackers place a network sniffer on a customer's internal network and have access to the encryption details, the pcAnywhere traffic — including exchanged user login credentials — could be intercepted and decoded. If the attackers get their hands on the cryptographic key they can launch remote control sessions and thus gain access to systems and sensitive data. If the cryptographic key itself is using Active Directory credentials, they can also carry out other malicious activities on the network.

    Comment:
    What the story doesn’t mention is that the pcAnywhere source was nicked. It sounds like Symantec was aware of the weaknesses, and chose not to act until the source was stolen and the security weaknesses became public.
    Symantec ‘fesses up: ‘Code theft worse than we thought’
    pcAnywhere users – batten down the hatches
    http://www.channelregister.co.uk/2012/01/18/symantec_leak_latest/

    Symantec advises customers to stop using pcAnywhere
    http://www.net-security.org/secworld.php?id=12291

    According to a white paper the company has published on Wednesday, the risks for the users are the following:

    Man-in-the-middle attacks (depending on the configuration and use of the product) because of vulnerable encoding and encryption elements within the software.
    If the attackers get their hands on the cryptographic key they can launch remote control sessions and, thus, access to systems and sensitive data. If the cryptographic key itself is using Active Directory credentials, they can also carry out other malicious activities on the network.
    If the attackers place a network sniffer on a customer’s internal network and have access to the encryption details, the pcAnywhere traffic – including exchanged user login credentials – could be intercepted and decoded.

    Symantec pcAnywhere™ Security Recommendations
    http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

  25. Tomi Engdahl says:

    Blackhole crimeware kit drives web threat spike
    Report: Conficker also still causing mayhem
    http://www.theregister.co.uk/2012/01/26/sophos_fakeav_conficker/

    Fake anti-virus scams are on the wane but drive-by-download threats have rocketed over the past year thanks to the hugely popular Blackhole crimeware kit, while Conficker remains prolific some three years after its release, according to Sophos.

    The UK-based security vendor said in its Security Threat Report 2012
    http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.ashx

    Freebie Black Hole Exploit Kit Limited By Encoding
    http://www.darkreading.com/advanced-threats/167901091/security/vulnerabilities/229625617/freebie-black-hole-exploit-kit-limited-by-encoding.html

    Black Hole is a Web exploit kit believed to be developed by Russian hackers; it is typically used for drive-by download attacks using Java and Adobe PDF exploits, among others. It has become one of the most widely deployed exploit kits and is relatively pricey, with a $1,500 annual license fee. Its creator also offers shorter-term licenses: $35 for one day, $700 for three months, and $1,000 for six months.

    But the freebie Black Hole version circulating online isn’t as feature-rich as the paid version. The download link contains obfuscated and encoded PHP code, says HD Moore, CSO of Rapid7 and chief architect of Metasploit.

    So the freebie Black Hole crimeware kit is fairly limited, although a user could salvage the exploits it contains: “The exploits themselves are useful,” Moore says. “You could grab copies of the exploit and build out your own exploits. But that won’t buy you much because the AV engines [already] have it.”

  26. Tomi Engdahl says:

    FBI releases plans to monitor social networks
    http://www.newscientist.com/blogs/onepercent/2012/01/fbi-releases-plans-to-monitor.html

    The US Federal Bureau of Investigation has quietly released details of plans to continuously monitor the global output of Facebook, Twitter and other social networks, offering a rare glimpse into an activity that the FBI and other government agencies are reluctant to discuss publicly. The plans show that the bureau believes it can use information pulled from social media sites to better respond to crises, and maybe even to foresee them.

    FBI plans social network map alert mash-up application
    http://www.bbc.co.uk/news/technology-16738209

    The FBI is seeking to develop an early-warning system based on material “scraped” from social networks.

    It says the application should provide information about possible domestic and global threats superimposed onto maps “using mash-up technology”.

    The bureau has asked contractors to suggest possible solutions including the estimated cost.

    The FBI issued the request three weeks after the US Department of Homeland Security released a separate report into the privacy implications of monitoring social media websites.

    “Information posted to social media websites is publicly accessible and voluntarily generated. Thus the opportunity not to provide information exists prior to the informational post by the user,” it says.

    Pentagon sets its sights on social networking websites
    http://www.newscientist.com/article/mg19025556.200-pentagon-sets-its-sights-on-social-networking-websites.html

    New Scientist has discovered that Pentagon’s National Security Agency, which specialises in eavesdropping and code-breaking, is funding research into the mass harvesting of the information that people post about themselves on social networks.

  27. Tomi Engdahl says:

    JavaScript can make you a DoS attacker without your knowledge

    http://www.cert.fi/tietoturvanyt/2012/01/ttn201201271148.html

    Security Now!
    01/27/2012
    Network users unwittingly taking part in denial of service attacks

    Recent denial of service attacks have used the web browser as an attack tool. It is possible that a third party unwittingly ends up running JavaScript code that carries out the attack.

    Recently, copyright organizations and government organizations in various countries have been targets of denial of service attacks.

    Denial of service attacks have, among other things, used web-browser based programs. Recently, sites have been found where the browser loads a JavaScript application that generates attack traffic, which runs as soon as the page is loaded. A visitor to such a page may unknowingly direct large amounts of traffic at a target of the attacker's choosing. It is expected that code tailored for denial of service will increasingly be injected into hacked web servers and web sites.

    It can be difficult for the user to detect the denial of service traffic leaving their own machine.

    Pole Position: Poland Attacked by Anti-ACTA Hackers
    http://www.f-secure.com/weblog/archives/00002302.html

    NoScript 2.2.8
    https://addons.mozilla.org/en-US/firefox/addon/noscript/
    The best security you can get in a web browser!
    Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

  28. Tomi Engdahl says:

    The EU is proposing a new data protection law

    The following article has a video on it:
    http://www.tietoviikko.fi/kaikki_uutiset/eu+ehdottaa+uutta+tietosuojalakia++rikkomuksista+kovat+sakot/a765315?s=r&wtm=tietoviikko/-27012012&

    The directive will make demands of companies with more than 250 people: a data security officer is needed, breaches need to be reported within 24 hours, and there are fines for companies breaking the rules.

  29. Tomi Engdahl says:

    Hijacked Web Traffic For Sale
    http://yro.slashdot.org/story/12/01/30/0413226/hijacked-web-traffic-for-sale

    A web store has been discovered that sells hacked traffic that has been redirected from legitimate sites. Sellers inject hidden iframes into popular web sites and redirect the traffic to a nominated domain. Buyers purchase the traffic from the store to direct to their sites and the sellers get paid.

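The injection described above leaves a trace a site owner can look for: an iframe that is sized to nothing, hidden by CSS, or pointing at a host the site never chose to embed. The scanner below is an added example, not code from the story or the store it describes; the sample page, the hidden-style patterns and the allowlist of trusted hosts are all constructed for the example.

```python
"""Scan a page's HTML for hidden or off-site iframes (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that takes a frame out of view: display:none, visibility:hidden,
# or an element pushed off-screen with a negative offset.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel ('1', '1px', '0')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def find_hidden_iframes(html, trusted_hosts):
    """Return [(src, [reasons])] for iframes that are hidden, tiny or point
    to a host outside trusted_hosts. Visible frames to trusted hosts are skipped."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("tiny size")
        if HIDDEN_STYLE.search(attrs.get("style") or "") or "hidden" in attrs:
            reasons.append("hidden by style")
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host not in trusted_hosts:
            reasons.append("untrusted host " + host)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed plus two injected frames.
SAMPLE_HTML = """<html><body>
<p>Legitimate page content</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://traffic-seller.example/in.php" width="1" height="1"
        style="display:none"></iframe>
<div><iframe src="http://redirector.example/x"
        style="position:absolute; left:-9999px; top:-9999px"></iframe></div>
</body></html>"""

# Hosts the site owner knowingly embeds (constructed allowlist).
TRUSTED_HOSTS = {"www.youtube.com"}

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML, TRUSTED_HOSTS):
        print(src, "->", ", ".join(reasons))
```

Running it over pages fetched from your own site (rather than the embedded sample) turns this into a simple integrity check; an iframe that appears with no corresponding change in your source repository is worth investigating.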
  30. Tomi Engdahl says:

    Google Teams With Facebook and Microsoft To Phight Phishing
    http://www.wired.com/wiredenterprise/2012/01/google-phight-phishing/

    On Monday, Google, Facebook, Microsoft, Yahoo!, and eleven other outfits announced they had formed a new alliance to combat phishing — a way of fooling email and web users into providing sensitive information, including credit card numbers. The alliance is known as Domain-based Message Authentication, Reporting and Conformance, DMARC for short, and the aim of this sprawling alliance is to lay down new email standards that help stop the nefarious practice.

    “One of the worst experiences for a user is being phished,” Adam Dawes, a Google product manager and DMARC representative, tells Wired. “The best way to protect them is to make sure the email never reaches the spam folder at all.”

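What DMARC actually adds on top of SPF and DKIM is the alignment rule and a domain-owner policy for failures, which is the part a receiver has to implement. The code below is an added example, not code from Google or the DMARC group; the two _dmarc records are constructed samples standing in for DNS, and the organizational-domain rule is simplified to the last two labels (a real receiver uses the Public Suffix List).

```python
"""Minimal DMARC evaluation: alignment check and policy lookup (added example,
not code from Google, the DMARC group or the article)."""

# Constructed _dmarc TXT records keyed by domain, standing in for DNS lookups.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.org",
}


def parse_dmarc(record):
    """Parse a 'tag=value; ...' record into a dict, filling in DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain. Assumption for this example: the last two labels;
    a real receiver uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_policy(from_domain):
    """Look for a record at the From: domain, then at its organizational domain.
    Returns (policy, domain_found_at) or (None, None)."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        if candidate in DMARC_RECORDS:
            return parse_dmarc(DMARC_RECORDS[candidate]), candidate
    return None, None


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed only the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Disposition for one message: 'pass', 'none', 'quarantine' or 'reject'.

    from_domain is the RFC5322.From domain, spf_domain the envelope MAIL FROM
    domain SPF was checked against, dkim_domain the d= of a verified signature.
    A message passes DMARC if SPF or DKIM passed AND is aligned with From."""
    policy, found_at = lookup_policy(from_domain)
    if policy is None:
        return "none"  # no record published: DMARC does not apply
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Failed: p applies to the domain itself, sp when we fell back to the org record.
    return policy["sp"] if found_at != from_domain.lower() else policy["p"]


if __name__ == "__main__":
    # Legitimate mail: SPF passes on a bounce subdomain, relaxed aspf aligns it.
    print(evaluate("example.com", "pass", "bounce.example.com", "fail", ""))
    # Spoofed From with an unaligned DKIM signature: strict adkim rejects it.
    print(evaluate("example.com", "pass", "mailer.example.net", "pass", "news.example.com"))
```

The second call is the case DMARC was designed for: a valid DKIM signature and a passing SPF check that belong to some other domain are not enough, because neither identifier lines up with the From: header the user sees.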
  31. Tomi Engdahl says:

    Symantec: We Didn’t Know in 2006 Source Code Was Stolen
    http://www.wired.com/threatlevel/2012/01/symantec-source-code-hack/

    The company surprised the public last week when it disclosed that hackers had obtained source code for its pcAnywhere software and other products, and that the code had likely been stolen in a six-year-old breach that Symantec had never disclosed.

    “We knew there was an incident in 2006,” he told Threat Level. “But it was inconclusive at the time as to whether or not actual code was taken or that someone had actual code in their hands.”

    Paden said the company doesn’t know if the “Lords of Dharmaraja” stole the code from its servers in 2006 or obtained the code from someone else who stole it. One thing is certain, he said, Symantec never gave the Indian government its source code.

  32. Tomi Engdahl says:

    Shmoocon Demo Shows Easy, Wireless Credit Card Fraud
    http://it.slashdot.org/story/12/01/30/177220/shmoocon-demo-shows-easy-wireless-credit-card-fraud

    “[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions.

    With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card.

    Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets
    http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

    As she showed on a Washington D.C. stage Saturday, she can read all the data she needs to make a fraudulent transaction off that card with just a few hundred dollars worth of equipment, and do it invisibly through your wallet, purse, or pocket.

    RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions

  33. Tomi Engdahl says:

    Platform security: Mobile devices victimized
    Truth be told, security for mobile platforms is weak at best, and while Android and Apple have been taking the largest amount of hits these days, BlackBerry has its issues also.

    http://www.controleng.com/home/single-article/platform-security-mobile-devices-victimized/182dc0d006.html

  34. Tomi Engdahl says:

    800 Days Until Windows XP End of Support
    http://windowsteamblog.com/windows/b/springboard/archive/2012/01/28/800-days-until-windows-xp-end-of-support.aspx

    It takes 18-24 months to plan for and deploy a new operating system. If you haven’t started planning to migrate your Windows XP PCs to a modern OS, or if your migration plan has stalled, here are some great tools to help you.

  35. Tomi Engdahl says:

    McAfee launches its Mobile Security 2.0 software
    Android users get extra app alert feature
    http://www.theinquirer.net/inquirer/news/2142521/mcafee-launches-mobile-security-software

    Mobile malware is an increasing worry as the popularity of devices like smartphones and tablets booms.

    SECURITY VENDOR McAfee has launched the second version of its Mobile Security software for smartphones and tablets. (£24 per year)

    Mobile Security 2.0 is compatible with Android, Blackberry and Symbian devices, but app alert is available only for Android.

  36. Tomi Engdahl says:

    Annual Review 2011 (Vuosikatsaus 2011)
    http://www.cert.fi/katsaukset/2011/vuosikatsaus2011.html

    The year 2011 was characterized by several much-publicized data breaches, in which the information obtained was disseminated on the public Internet. User names, passwords and other information from both domestic and foreign services were published prominently in online chat rooms and file sharing services.

    The reliability of the certificate system has been put to the test by intrusions aimed at enterprises producing root certificates, and by the businesses involved.

    The encryption methods used for voice and data traffic in second-generation GSM cellular networks can no longer be regarded as entirely safe.

    Data associated with the SecurID strong authentication devices of the US security company RSA was stolen from the company in a targeted data breach.

    Finnish banks have experienced more and more contacts concerning malware that captures control of the banking session.

    Vulnerabilities in e-commerce applications have in some cases made abuse possible, where the customer received the ordered goods even though the payment had not actually been carried out.

  37. Tomi Engdahl says:

    Ongoing Attacks Target Defense, Aerospace Industries
    http://it.slashdot.org/story/12/01/31/1952229/ongoing-attacks-target-defense-aerospace-industries

    Researchers have identified a strain of malware that’s being used in a string of targeted attacks against defense contractors, government agencies and other organizations by leveraging exploits against zero-day vulnerabilities. The attacks may have been going on since 2009 in some form.

  38. Tomi Engdahl says:

    http://www.tietoviikko.fi/msareena/mskumppanikulma/symantecin+kevaan+haaste+mobiililaitteet+ja+kayttajan+vahva+tunnistaminen/a768915?s=r&wtm=tietoviikko/-02022012&

    Symantec’s Spring Challenge: Mobile devices and strong user identification

    This year, mobile devices in particular, various types of device management, and strong user authentication are under the magnifying glass.

    We live in a very interesting time. Different tablets and smartphones have swum into companies’ mobile device management. Placing these devices under a central “enterprise ready” management is a very interesting soup. The tasty soup may be the same management that will also cover workstations and servers.

  39. Tomi Engdahl says:

    Death of IE6 still greatly exaggerated, says browser hit squad
    http://www.theregister.co.uk/2012/02/02/ie6_browsium/

    Internet Explorer 6 dead? In your dreams, Microsoft, in your dreams.

    Redmond broke out the dancing shoes and did a twirl on IE6’s grave in January, citing data that showed its once-celebrated, now-hated browser had slipped below 1 per cent US market share. The decline followed some determined pushing by, of all people, Microsoft

    One problem: the aforementioned data, gathered by Net Applications, counts browsers running on Joe Netizen’s PC. It doesn’t count enterprise users.

    IE6 is entrenched because many apps such as ERP and CRM, as well as finance kit from SAP, Siebel and Hyperion – the business lifeblood for many enterprises – have been built to work solely in IE6. Migration is seen as too expensive, time-consuming or too risky: or all three.

    For many businesses running Windows XP, their browser is IE6: they bypassed IE7 and IE8.

  40. Tomi Engdahl says:

    MasterCard joins Visa in pushing PINs into America
    http://www.theregister.co.uk/2012/02/01/mastercard_visa/

    MasterCard has published its roadmap for getting Americans to use chip-and-PIN cards in stores, following Visa’s lead in proposing to replace swipe cards by April 2013.

    Over the next year, Americans will have to get used to entering a PIN when using a credit card, rather than scrawling a name (any name) as they do today. That’s because MasterCard has joined Visa in pushing an April 2013 date on the implementation of chip-and-PIN terminals in US retailers.

    Visa is already threatening that “liability for counterfeit fraud may shift to the merchant’s acquirer” if EMV isn’t supported.

    EMV stands for Europay, MasterCard & Visa, and is the standard to which chip cards conform. When presented to a reader, the EMV chip takes part in a cryptographic exchange which makes the cards prohibitively expensive to forge. EMV chips – contact or contactless – are infinitely more secure than the basic RFID payment systems which got Forbes magazine into such a tizzy last week.

    The worst combination results from cash-point machines (ATMs) which haven’t been upgraded to use the EMV chip, so are still dependent on the easily-copied magnetic stripe.

  41. Tomi Engdahl says:

    Who’s Behind the World’s Largest Spam Botnet?
    http://krebsonsecurity.com/2012/02/whos-behind-the-worlds-largest-spam-botnet/

    A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

  42. Tomi Engdahl says:

    A nice idea:

    Wasting Hackers’ Time to Keep Websites Safe
    Instead of blocking attacks, a startup distracts attackers with false information.
    http://www.technologyreview.com/web/39521/page1/

    Most security software defends PCs and websites by acting like a locked door to shut hackers out. A new security company, Mykonos Software, instead invites hackers in through a fake entrance and plays tricks on them until they give up.

    “If you break in, I want to have fun with you,” says David Koretz, CEO of Mykonos.

    When Mykonos’s software identifies an attacker, it tries to waste the hacker’s time by offering false data such as phony software vulnerabilities and fake passwords.

    The company’s software is aimed primarily at hackers who use automated tools that identify and exploit vulnerabilities in websites, says Koretz. Such tools allow even relatively unskilled hackers, sometimes dubbed “script kiddies,” to cause considerable damage.

    Wasting assailants’ time “changes the economics” of attacking websites, says Koretz.

    Mykonos’s software creates the illusion that the hacker is making progress. “We can intercept their scans and inundate them with fake values,” says Koretz. “It takes much longer [for an attacker to scan a site], and the results are useless.”

    Koretz predicts that the approach will become more common as conventional security software proves increasingly ineffective. “Deception is a legitimate defense,” he says.

    Sven Dietrich, an expert on computer security and a professor at Stevens Institute of Technology, says annoying attackers can be a bad idea. “It’s conceivable that when he or she finds out that they’ve been had, they will seek retribution,” says Dietrich.

  43. Tomi Engdahl says:

    Google now scanning Android apps for malware
    http://news.cnet.com/8301-27080_3-57370650-245/google-now-scanning-android-apps-for-malware/

    Google has added an automated scanning process that is designed to keep malicious apps out of the Android Market, the company announced today.

    The new service, code-named “Bouncer,” scans apps for known malware, spyware, and Trojans, and looks for suspicious behaviors and compares them against previously analyzed apps, Hiroshi Lockheimer, vice president of engineering on the Android team, said in an interview with CNET this morning.

    “The system takes an app that’s been uploaded and runs it in the cloud and monitors what the app is doing in a virtual environment, if you will,” Lockheimer said.

  44. Tomi Engdahl says:

    Key Internet operator VeriSign hit by hackers
    http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202
    VeriSign Inc, the company in charge of delivering people safely to more than half the world’s websites, has been hacked repeatedly by outsiders who stole undisclosed information from the leading Internet infrastructure company.

    The previously unreported breaches occurred in 2010 at the Reston, Virginia-based company, which is ultimately responsible for the integrity of Web addresses ending in .com, .net and .gov.

    VeriSign said its executives “do not believe these attacks breached the servers that support our Domain Name System network,”

    “Oh my God,” said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. “That could allow people to imitate almost any company on the Net.”

    Baker said VeriSign’s description will lead people to “assume that it was a nation-state attack that is persistent, very difficult to eradicate and very difficult to put your hands around, so you can’t tell where they went undetected.”

    “This breach, along with the RSA breach, puts the authentication mechanisms that are currently being used by businesses at risk,” said Melissa Hathaway, a former intelligence official who led U.S. President Barack Obama’s cybersecurity policy review and later pushed for the SEC guidance. “There appears to be a structured process of hunting those who provide authentication services.”

  45. Tomi Engdahl says:

    http://www.controleng.com/media-library/integrated-safety-eguide-sponsored-by-abb.html

    Process industries are inherently hazardous, and maintaining safety in processes and operations has become increasingly complex and costly. But too often, companies have difficulty demonstrating a clear return on investment in their safety activities. With both safety and financial concerns being a high priority, those in the process industry sometimes struggle to reconcile them.

    Does this kind of thinking also start to apply to on-line business?

  46. music education says:

    Greetings from Idaho! I’m bored to tears at work so I decided to check out your site on my iphone during lunch break. I love the knowledge you present here and can’t wait to take a look when I get home. I’m surprised at how fast your blog loaded on my cell phone .. I’m not even using WIFI, just 3G .. Anyhow, great site!

  47. Tomi Engdahl says:

    Half of Fortune 500s, US Govt. Still Infected with DNSChanger Trojan
    http://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/

    More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows.

    The malware, known as the “DNSChanger Trojan,” quietly alters the host computer’s Internet settings to hijack search results and to block victims from visiting security sites that might help scrub the infections.

    Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities.

    “Yes, there are challenges with removing this malware, but you would think people would want to get this cleaned up,” said Rod Rasmussen, president and chief technology officer at Internet Identity. “This malware was sometimes bundled with other stuff, but it also turns off antivirus software on the infected machines and blocks them from getting security updates from Microsoft.”

  48. Tomi Engdahl says:

    Hackers outwit online banking identity security systems
    http://www.bbc.co.uk/news/technology-16812064

    Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned.

  49. Tomi Engdahl says:

    Exclusive: Hacked companies still not telling investors
    http://www.reuters.com/article/2012/02/02/us-hacking-disclosures-idUSTRE8110YW20120202

    At least a half-dozen major U.S. companies whose computers have been infiltrated by cyber criminals or international spies have not admitted to the incidents despite new guidance from securities regulators urging such disclosures.
