Tag Archive for Security

| January 17, 2012
One comment

QR Codes Can Put Users at Risk

-Updated 01-26-12- It was just a matter of time and now the Websense (WBSN) ThreatSeeker Network has started spotting spam messages that lead to URLs that use embedded QR codes. According to a report at Help Net Security, this is a clear evolution of traditional spammers towards targeting mobile technology. The spam email messages look like traditional pharmaceutical spam emails and contain a link to the Web site 2tag.nl. Once the 2tag.nl URL from the mail message is loaded in the browser, a QR code is displayed, along with the full URL. When the QR code is read by a QR reader, it automatically loads the spam URL.

QR Codes Can Put Users at RiskQuick Response codes (QR codes) are a “new” type of barcode that can be used for a variety of purposes tracking, ticketing, labeling of products, etc. They can be put anywhere, in magazines, buses, websites, TV, tickets, and on almost any object which they might want to learn more about.

QR codeHelp Net Security writes that when used for legitimate purposes, they make life easier for users. “All you need to ‘visualize such a code is a smartphone with a camera and a QR reader application to scan it – the code can direct you to websites or online videos, send text messages and e-mails, or launch apps,” point out BullGuard’s researchers.

Unfortunately, QR codes can just as easily be used to compromise users’ mobile devices. “Much like URL shortening services can be and are used maliciously because of the fact that they obscure the real target URL, QR codes can also be used for such deception,Joe Levy, CTO of Solera Networks told DarkReading. “QR codes … provide a direct link to other smartphone capabilities such as email, SMS, and application installation. So potential attack vectors extend beyond obscured URLs and browser exploits very nearly to the full suite of device capabilities.”

Mobile malwareThere are several ways attackers are already using malicious QR codes to perpetrate their scams. A recent attack via QR code “Attaging” took place in Russia and involved a Trojan disguised as a mobile app called Jimm. Once installed, “Jimm” sent a series of expensive text messages ($6 each), racking up unwanted charges.

On Apple (AAPL) iOS devices, hackers are sending users to websites that will jailbreak the device and install more malicious malware. Tomer Teller, security evangelist at Check Point Software Technologies, told DarkReading, “a user scans a barcode and is redirected to an unknown website … the user phone will be jailbroken and additional malware could be deployed (such as key loggers and GPS trackers).

Google AndroidOn the Google (GOOG) Android  … Criminals are redirecting users to download malicious applications. All a user needs to do is scan a barcode and it will redirect to a website that will download the Android Application” according to the article.

In addition, attackers are using QR codes to redirect users to fake websites for phishing. “A QR code will redirect to a fake Bank that will look exactly like your bank. Since most smartphone screens are small, a normal user may not see the difference and will type in his or her (information) and hand it to the attackers,” Teller says. According to Mobile Commerce News some apps, like the NeoReader from Neomedia, that collect personally identifiable information (PII). This information is then sent to third parties who mine the data and possibly resell it.

mobile QR based paymentThe trend to mobile QR-based payment systems from firms like LevelUp, Kuapay, and Paypal are developing will drive QR code malware forward Mr. Levy says. “As our mobile devices and our wallets continue to converge through such technologies as near field communications (NFC), Bump and QR, malware authors are bound to prefer these very direct paths to the money. After all, these devices and apps are well on the road to becoming our new currency.”

So how do you protect yourself and the data on your mobile?

  • Download an app that scans QR codes and barcodes and shows the URL to which the codes want to take you. “Only use QR code reader software that allows the user to confirm the action to be taken i.e. visit a website link,” Paul Henry, security and forensic analyst at Lumension told DarkReading. “If you do not know and trust the link, cancel the action.
  • Do not scan QR codes from random stickers on walls and similar surfaces. Help Net Security says scammers are counting on people to do that because they can’t curb their curiosity.
  • Consider installing a mobile security app on your device, especially if it runs the Android OS. “Android is an open platform, which means that its source code can be examined by criminals and exploited easily when they find a weakness in, say, the Android browser,” according to the article. “That’s why most malicious apps transmitted via QR codes target the Android-based smartphones.”

rb-

I am not a fan of QR codes they seem to take you to an advertisement. Most of the destinations are fluff at best and dangerous at worst. Now that they have become nearly ubiquitous, they present more risk than necessary. Avoid QR codes.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| January 10, 2012
Comments Off on Are You on the Pwnedlist?

Are You on the Pwnedlist?

Are You on the Pwnedlist? Pwnedlist.com will tell you if your email has compromised. The site checks emails against a collection of nearly 5 million possibly compromised accounts. Brian Krebs at Krebs on Security reports that a user can enter a username or email address into Pwnedlist.com’s search box, and it will check to see if the information was found in any suspicious public data dumps.

PwnedlistAlen Puzic and Jasiel Spelman, two security researchers from DVLabs, a division of HP/TippingPoint created Pwnedlist.com. Mr. Puzic said. “… I could create a site that would help the everyday user find if they were compromised.

Pwnedlist.com currently allows users to search through nearly five million emails and usernames found online at sites like Pastebin. The site also often receives large caches of account data that people directly submit to its database. Mr. Puzic told Krebs on Security it is growing at a rate of about 40,000 new compromised accounts each week.

EncryptionThe researcher said information contained in these data donations often makes it simple to learn which organization lost the information. “Usually, somewhere in the dump files there’s a readme.txt file or there’s some type of header made by a hacker who caused the breach, and there’s an advertisement about who did the hack and which company was compromised,” Mr. Puzic in the article. “Other times it’s really obvious because all the emails come from the same domain.

DVLabs’ Puzic said in the article that Pwnedlist.com doesn’t store the username, email address, and password data itself; instead, it records a cryptographic hash of the information and then discards the plaintext data. According to the blog, a “hit” on any searched email or username only produces a binary “yes” or “no” answer about whether any hashes matching that data were found. It won’t return the associated password, nor does it offer any clues about where the data was leaked from.

Advice from the Pwnedlist developers

If Pwnedlist says your email or user ID is in their database, they offer the following advice:

Shocked woman

  1. “Don’t panic! Just because your email was found in an account dump does not mean it has been compromised.
  2. Immediately change any passwords that might be associated with listed email accounts.
  3. Go through all your accounts and create new passwords for each of them, just in case. “Better safe than sorry.”

The two researchers plan to publish regular updates to their Twitter account (@pwnedlist) when new data dumps are discovered. Longer-term, Mr. Puzic told Krebs that he plans a longitudinal study on password security.

rb-

I have several emails, professional and personal which thankfully Pwnedlist does not have in their databases. Follow password best practices and use an 8 character or longer password with at least one letter, number, and special character. Also, change your passwords regularly.

End-user password best practices:

  1. Passwords should be something you can remember but difficult for others to guess. That means avoid information anyone can pick up from Facebook.
  2. Use at least 8 characters. Some authentication systems will ask for more, but 8 well-chosen characters is usually enough.
  3. Mix letters, numbers, uppercase, lowercase, and even symbols when possible. 1GrdDC@82 is stronger than letter22
  4. Avoid dictionary words. Many brute force attacks are designed to guess them. ”Password” is not a good password.
  5. Use a unique password for each account. Your password at work should be different from your Facebook password.
  6. Do not share your password.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| January 3, 2012
Comments Off on Internet of Things

Internet of Things

Internet of ThingsOnce upon a time, back in 2005, there was a time when “using the Internet” always meant using a computer. Today getting on the Intertubes is an expected feature for many devices. The next digital frontier is the physical world, where the “Internet of Things.” The Internet of Things will bring an online ability to objects.

Twine Sensor Connects Household Objects to the Internet

Twine Sensor Connects Household Objects to the Internet Tested.com notes a Kickstarter project from two MIT Media Lab alums who developed a way to make the Internet of Things more available. A small, durable “Twine” sensor listens to its environment and reports back over Wi-Fi. The creators hope their new product will let regular users, even those without programming knowledge, digitally manage their surroundings.

A basic Twine unit senses temperature and motion, but other options like moisture detection, a magnetic switch, and more can be added using a breakout board. The various sensors and built-in Wi-Fi can be powered by either a mini-USB connection or two AAA batteries, which will keep it running for months. Twine readings get wirelessly loaded into the appropriately named Spool web app, where users can set simple if-then triggers that create SMS messages, tweets, emails, or specially configured HTTP requests.

For a donation of $99 or more will get you a basic unit when they ship in March.

Related articles

THE SMART FRRRIDGE. Chilly Forecast for Internet Frrridge

Internet FridgeThe Smart Frrridge is a new version of the familiar kitchen apparatus. According to Medienturn the new fridge comes with a built-in computer that can be connected to the internet. It is one of a growing class known as “Internet appliances” that include not only smartphones but also web-enabled versions of typical household appliances.

The refrigerator keeps an eye on the food in it by using RFID technology, a digital camera, and image processing. These technologies allow the fridge to keep track of what’s in it, how long has this been there, should it be trashed?

To keep in contact with the Smart Frrridge all you have to do is to pick up your mobile phone and call. It will be able to suggest a menu that uses the foods inside and generate a shopping list of the missing ingredients and place the order online.

The Smart Frrridge cab also be used to watch television, listen to music, to take a photograph, save it to an album, or post it to a website, or send it to an email recipient. The comes with a docking station you can just dock in your Apple (AAPL) iPod or iPhone and start using all your favorite cooking apps.

Related articles

SCADA: How Big a Threat?

Cyber attackerThere are reports of two recent cyber attacks on critical infrastructure in the US. Threatpost says the hacker who compromised the water infrastructure for South Houston, TX, said the district used a three-letter password, making it easy to break in.

There are also reports that a cyberattack destroyed a water pump belonging to a Springfield, IL water utility. There are mixed reports that an attacker gained unauthorized access to that company’s industrial control system.

According to DailyWireless, Supervisory Control And Data Acquisition (SCADA) software monitors and controls various industrial processes, some of which are considered critical infrastructure.

Researchers have warned about attacks on critical infrastructure for some time, but warnings became reality after a highly complicated computer worm, Stuxnet, attacked and destroyed centrifuges at a uranium enrichment facility in Iran.

German cybersecurity expert Ralph Langner found Stuxnet, the most advanced worm he had ever seen. The cybersecurity expert warns that U.S. utility companies are not ready to deal with the threat.

In a TED Talk Langner stated that “The leading force behind Stuxnet is the cyber superpower – there is only one, and that’s the United States.”

In a recent speech at the Brookings Institution, he also made the bigger point that having developed Stuxnet as a computer weapon, the United States has in effect introduced it into the world’s cyber-arsenal.

Related articles

New NIST Report Sheds Some Light On Security Of The Smart Grid

NISTDarkReading reports the National Institute of Standards and Technology (NIST) released a report (PDF) by the Cyber Security Coordination Task Group. The report from the Task Group which heads up the security strategy and architecture for the nation’s smart power grid includes risk assessment, security priorities, as well as privacy issues.

The smart grid makes the electrical power grid a two-way flow of data and electricity allows consumers to remotely monitor their power usage in real-time to help conserve energy and save money. DarkReading says researchers have raised red flags about the security of the smart grid. Some have already poked holes in the grid, including IOActive researcher Mike Davis, who found multiple vulnerabilities in smart meters, including devices that don’t use encryption nor do they authenticate users when updating software. He was able to execute buffer overflow attacks and unleash rootkits on smart meters.

Tony Flick, a smart grid expert with FYRM Associates, at Black Hat USA talked (PDF) about his worries over utilities “self-policing” their implementations of the security framework. “This is history repeating itself,” Mr. Flick said in an interview with DarkReading.

According to DarkReading, the report recommends smart grid vendors carry out some pretty basic security practices:

  • Audit personally identifiable information (PII) data access and changes;
  • Specify the purpose for collecting, using, retaining, and sharing PII;
  • Collect only PII data that’s needed;
  • Anonymize PII data where possible and keep it only as long as necessary;
  • Advanced Metering Infrastructure (AMI) must set up protections against denial-of-service (DoS) attacks;
  • Network perimeter devices should filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial-of-service attacks;
  • The AMI system should use redundancy or excess capacity to reduce the impact of a DoS;
  • AMI components accessible to the public must be in separate subnetworks with separate physical network interfaces;
  • The AMI system shall deny network traffic by default and allows network traffic by exception;
  • Consumers’ access to smart grid meters be limited. Authorization and access levels need to be carefully considered.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , , ,
| December 29, 2011
3 comments

40 Years of Malware – Part 4

40 Years of Malware - Part 42011 marks the 40th anniversary of the computer virus. Help Net Security notes that over the last four decades, malware instances have grown from 1,300 in 1990, to 50,000 in 2000, to over 200 million in 2010. Fortinet (FTNT) marks this dubious milestone with an article that counts down some of the malware evolution low-lights.

The Sunnyvale, CA network security firm says that viruses evolved from academic proof of concepts to geek pranks which have evolved into cybercriminal tools. By 2005, the virus scene had been monetized, and almost all viruses developed for the sole purpose of making money via more or less complex business models. According to FortiGuard Labs, the most significant computer viruses over the last 40 years are:

See Part 1 Here  – See Part 2 Here  – See Part 3 Here  – See Part 4 Here

Botnets2007 – By 2007, Botnets have infected millions worldwide using Zombie systems to send spam to generate Denial of Service (DoS) attacks, compromised passwords, and data. By 2007 cybercriminals had developed a lucrative business model they were protecting. The attackers became more concerned about protecting their zombie computers. Until 2007, botnets lacked robustness, by neutralizing its unique Control Center (PDF), a botnet could be taken down because Zombies didn’t have anyone to report to (and take commands from) anymore. The Storm botnet was the first to feature a peer-to-peer architecture (PDF) to decentralize its command and control functions. At the peak of the outbreak, the Storm Botnet was more powerful than many supercomputers and accounted for 8% of all malware running in the world according to FortiGuard.

Koobface2008Koobface (an anagram for Facebook) spreads by pretending to be the infected user on social networks, prompting friends to download an update to their Flash player to view a video. The update is a copy of the virus. Once infected, users would serve as both vectors of infection for other social network contacts and as human robots to solve CAPTCHA challenges for cyber-criminals, among other things. Koobface is also the first botnet to recruit its Zombie computers across multiple social networks (Facebook, MySpace, hi5, Bebo, Friendster, etc). FortiGuard estimates that over 500,000 Koobface zombies are online at the same time.

Conficker2009Conficker (aka Downadup) is a particularly sophisticated and long-lived virus, as it’s both a worm, much like Sasser, and an ultra-resilient botnet, which downloads destructive code from a random Internet server. (We still see it pop-up from time to time at work). Conficker targeted the Microsoft Windows OS and used Windows flaws and Dictionary attacks on admin passwords to crack machines and link them to a computer under the control of the attacker. Conficker’s weakness is its propagation algorithm is poorly calibrated, causing it to be discovered more often according to Fortinet. In 2009 some networks were so saturated by Conficker, that it caused planes to be grounded, hospitals and military bases were impacted. Conficker infected bout 7 million systems worldwide.

Advanced Persistent ThreatAdvanced Persistent Threat (aka APT, Operation Aurora) was a cyber attack that began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google (GOOG) on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China and was both sophisticated and well resourced and consistent with an advanced persistent threat attack. According to Wikipedia the attack also included Adobe (ADBE), Dow Chemical (DOW), Juniper Networks (JNPR), Morgan Stanley (MS), Northrop Grumman,(NOC), Rackspace (RAX), Symantec (SYMC), and Yahoo (YHOO). There is speculation that the primary goal of the attack was to gain access to and potentially change source code repositories at these high-tech, security, and defense contractor companies.

The definition of an Advanced Persistent Threat depends on who you ask, Greg Hoglund, CEO at HBGary told Network World an Advanced Persistent Threat is a nice way for the Air Force and DoD to not have to keep saying “Chinese state-sponsored threat.” He says,” APT is “the Chinese government’s state-sponsored espionage that’s been going on for 20 years,” Mr. Hoglund told Network World.

Stuxnet USB2010 Stuxnet‘s discovery in September 2010 ushered in the era of cyberwar. According to most threat researchers today, only governments have the necessary resources to design and implement a virus of such complexity. Stuxnet is the first piece of malware specifically designed to sabotage nuclear power plants. It can be regarded as the first advanced tool of cyber-warfare. Stuxnet was almost certainly a joint U.S. / Israeli creation for damaging the Iranian nuclear weapons program, which it did, by destroying a thousand centrifuges used for uranium enrichment.

To spread, Stuxnet exploited several critical vulnerabilities in Microsoft (MSFT) Windows, which, until then, were unknown, including one guaranteeing its execution when inserting an infected USB key into the target system, even if a systems autorun capabilities were disabled. From the infected system, Stuxnet was then able to spread into an internal network, until it reached its target: a Siemens industrial software system that run Iran’s Bushehr nuclear reactor and most likely intended to destroy or neutralize the industrial system.

Duqu2011Duqu is the current star in the world of malware but, as history shows, that fame will be short-lived. Just like fashion models, modern malware has a lifespan in the media eye of a couple of weeks to a couple of months, tops. They then fade into the shadow of more dangerous and advanced tools, according to Help Net Security.

Gary Warner, director of Research in Computer Forensics in the UAB College of Arts and Sciences blogged that Duqu is a data-stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we’ve seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.

Symantec disclosed in their report that one of the infections they were analyzing was infected via a Word Document that exploited the system using a previously unknown 0-day attack.

On November 3, 2011, Microsoft released a Microsoft Security Advisory (2639658) Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege. The advisory starts with an executive summary which says, in part:

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.

rb-

Every couple of years a new malware is crowned the most innovative or dangerous cyber threat in the wild. The anti-malware industry is built on a game of chicken between malware creators and anti-malware creators, with end users stuck squarely in the middle. As this series of articles has shown this game has gone on for 40 years since computers were bigger than many houses and were as user-friendly as the DMV.

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| December 20, 2011
2 comments

Web Connected Television New Source of Threats

Web Connected Television New Source of ThreatsYou may want to consider the security of the fancy new 55-inch high-def LCD Television that Santa Claus brings you. Surprise, surprise, surprise they may have security holes that could allow hackers to take over your home network. Consumer appetite for on-demand and online video content will drive sales of Internet-connectable TV devices to nearly 350 million units worldwide by 2015 reports ITnewsLink.

Parks AssociatesConnected Living Room: Web-enabled TVs and Blu-ray Players forecasts worldwide sales of Internet-connectable HDTVs, Blu-ray players, game consoles, and digital video players like Apple‘s (AAPL) Apple TV will grow about fourfold from 2010.

Parks Associates says all major manufacturers are debuting new models with innovations in content aggregation, apps development, and user interfaces. Content options are finally catching up to the hardware innovations, and growing libraries of on-demand movies and TV available are starting to unlock the potential of connected TV devices as multifunction online entertainment and communications platforms.

The growth of these devices will increase opportunities for apps developers – including third-party developers and giants such as Google (GOOG), Samsung, and Yahoo (YHOO), and one other group, hackers.

Mocana logo Mocana, a company that focuses on securing the “Internet of Things”, released a study that highlights digital security flaws in Internet-connected HDTVs reports ITnewsLink. The Mocana researchers believe that the security flaws exist in many Internet TVs and recommend that consumers seek out third-party security tests before they purchase and install them in their homes.

Mocana’s CEO Adrian Turner told ITnewsLink: “…manufacturers are rushing Internet-connected consumer electronics to market without bothering to secure them … consumer electronics companies that might lack internal security expertise should seek it out, before connecting their portfolio of consumer devices to the Internet.”

Computer securityMocana’s research shows that attackers may be able to leverage Internet-connected TVs to hack into consumers’ home networks. Researchers found that the Internet interface failed to confirm script integrity before those scripts were run. Mocana was able to show that JavaScript could then be injected into the normal data stream, allowing attackers to obtain total control over the device’s Internet functionality. As a result, an attacker could intercept transmissions from the television to the network using common “rogue DNS”, “rogue DHCP server”, or TCP session hijacking techniques. The security holes could allow attackers to:

  • Present fake credit card forms to fool consumers into giving up their private information.
  • Create a man-in-the-middle attack on the HDTV to dupe consumers into thinking that “imposter” banking and commerce websites were legitimate.
  • Steal the TV manufacturer’s digital “corporate credentials” to gain special VIP access to backend services from third-party organizations including popular search engines, video streaming, and photo sharing sites.
  • Monitor and report on consumers’ private Internet usage habits without their knowledge.

The flaws Mocana uncovered should raise questions about the security of consumer electronics in general-which manufacturers are scrambling to connect to the Internet, often with little or no security technology on board.

Alfred E. NewmanMocana’s CEO Adrian Turner continued: “While much public discussion … on the recent explosion of smartphones … the vast majority of new devices coming onto the Internet aren’t phones at all: they are devices like television sets, industrial machines, medical devices, and automobiles – devices representing every conceivable industry. And the one thing that all these manufacturers have in common is that, unlike the computing industry, they don’t have deep experience in security technology.”

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
« Older Entries   Recent Entries »