Hacking & Security

Malware no longer avoiding virtual machines

InfoWorld.com [Security] - 13 Srpen, 2014 - 14:18

Many malicious software programs used to make a quick exit on virtual machines, a tactic designed to avoid a security check. But that isn't the case anymore, according Symantec research.

As companies increasingly use VMs in operational environments, malware writers are largely trying other methods to avoid detection. It means that simply running VMs won't be enough to scare away malware.

Kategorie: Hacking & Security

Malware no longer avoiding virtual machines

InfoWorld.com [Security] - 13 Srpen, 2014 - 14:18

Many malicious software programs used to make a quick exit on virtual machines, a tactic designed to avoid a security check. But that isn't the case anymore, according Symantec research.

As companies increasingly use VMs in operational environments, malware writers are largely trying other methods to avoid detection. It means that simply running VMs won't be enough to scare away malware.

Kategorie: Hacking & Security

Authentication in the Cloud

InfoSec Institute Resources - 13 Srpen, 2014 - 14:00

Cloud computing is changing the way we interact with devices, software, data and processes. But some things never change, and one thing that remains true across the old and new computing paradigms is the importance of authentication to confirm the identity of the user and/or system with which we’re communicating. [...]

The post Authentication in the Cloud appeared first on InfoSec Institute.

Kategorie: Hacking & Security

Patch Tuesday wrap-up, August 2014: RCE + ASLR bypass + EoP == patch early, patch all!

Sophos Naked Security - 13 Srpen, 2014 - 13:27
Patch Tuesday is here again. Paul Ducklin explains how this month's vulnerabilities can work together for harm, and why *all* the updates matter, not just the ones that ended up with a "critical" or "severe" tag...

Worldview-3 — Satellite That Could Allow Google and U.S Government to See Your Face from Space

The Hacker News - 13 Srpen, 2014 - 12:50
Majority of my articles are related to government spying, privacy and security issues of your online stuffs and also measures that you can adopt in protecting yourself from being spied on. But, your all efforts will soon be of no use - someone is about to secretly track your every footstep. Google will soon get an eye in the space that will be enough powerful to see your face, thanks to the
Kategorie: Hacking & Security

DEA paid out $854,460 for free Amtrak passenger data

Sophos Naked Security - 13 Srpen, 2014 - 12:15
Since 1995, a former Amtrak employee has been selling passenger data to the US Drug Enforcement Administration - information that cost the DEA $854,460, but which it could have gotten for free.

State-of-the-art spear phishing and defenses

InfoWorld.com [Security] - 13 Srpen, 2014 - 12:00

The number of phishing sites was up 10.7-percent as of Q1 this year (over last year) while at the same time almost 32.7-percent of PCs globally were infected with malware, including adware and spyware, indicating that phishing is an increasing issue for the enterprise, according to a report from the Anti-Phishing Working Group of the Internet Engineering Task Force.

Kategorie: Hacking & Security

State-of-the-art spear phishing and defenses

InfoWorld.com [Security] - 13 Srpen, 2014 - 12:00

The number of phishing sites was up 10.7-percent as of Q1 this year (over last year) while at the same time almost 32.7-percent of PCs globally were infected with malware, including adware and spyware, indicating that phishing is an increasing issue for the enterprise, according to a report from the Anti-Phishing Working Group of the Internet Engineering Task Force.

Kategorie: Hacking & Security

State-of-the-art spear phishing and defenses

InfoWorld.com [Security] - 13 Srpen, 2014 - 12:00

The number of phishing sites was up 10.7-percent as of Q1 this year (over last year) while at the same time almost 32.7-percent of PCs globally were infected with malware, including adware and spyware, indicating that phishing is an increasing issue for the enterprise, according to a report from the Anti-Phishing Working Group of the Internet Engineering Task Force.

Kategorie: Hacking & Security

Adobe Releases Critical Security Updates for Flash Player, Acrobat and Adobe Reader

The Hacker News - 13 Srpen, 2014 - 10:44
Adobe has released security updates to fix seven vulnerabilities in its Flash and Air platforms and one in its Reader and Acrobat which, according to the company, is being exploited by attackers in wild "...in limited, isolated attacks targeting Adobe Reader users on Windows." The vulnerabilities could allow an attacker to "take control of affected systems" marked critical by the company.
Kategorie: Hacking & Security

Tenn. Firm Sues Bank Over $327K Cyberheist

Krebs on Security - 13 Srpen, 2014 - 07:02

An industrial maintenance and construction firm in Tennessee that was hit by a $327,000 cyberheist is suing its financial institution to recover the stolen funds, charging the bank with negligence and breach of contract. Court-watchers say the lawsuit — if it proceeds to trial — could make it easier and cheaper for cyberheist victims to recover losses.

In May, 2012, Kingsport, Tenn.-based Tennessee Electric Company Inc. (now TEC Industrial) was the target of a corporate account takeover that saw cyber thieves use a network of more than four dozen money mules to siphon $327,804 out of the company’s accounts at TriSummit Bank.

TriSummit was able to claw back roughly $135,000 of those unauthorized transfers, leaving Tennessee Electric with a loss of $192,656. Earlier this month, the company sued TriSummit in state court, alleging negligence, breach of contract, gross negligence and fraudulent concealment.

Both companies declined to comment for this story. But as Tennessee Electric’s complaint (PDF) notes (albeit by misspelling my name), I called Tennessee Electric on May 10, 2012 to alert the company about a possible cyberheist targeting its accounts. I’d contacted the company after speaking with a money mule who’d acknowledged receiving thousands of dollars pulled from the firm’s accounts at TriSummit.

According to the complaint, the attackers first struck on May 8, after Tennessee Electric’s controller tried, unsuccessfully, to log into the bank’s site and upload that week’s payroll batch (typically from $200,000 to $240,000 per week). When the controller called TriSummit to inquire about the site problems, the bank said the site was probably undergoing maintenance and that the controller was welcome to visit the local bank branch and upload the file there. The controller did just that, uploading four payroll batches worth $202,664.47.

[SIDE NOTE: When I spoke with Tennessee Electric's controller back in 2012, the controller for the company told me she was asked for and supplied the output of a one-time token upon login. This would make sense given the controller's apparent problems accessing the bank's Web site. Cyber thieves involved in these heists typically use password-stealing malware to control what the victim sees in his or her browser; when a victim logs in at a bank that requires a one-time token, the malware will intercept that token and then redirect the victim's browser to an error page or a "down for maintenance" message -- all the while allowing the thieves to use the one-time token and the victim's credentials to log in as the legitimate user.]

On May 9, Tennessee Electric alleges, TriSummit Bank called to confirm the $202,664.47 payroll batch — as per an agreement the bank and the utility had which called for the bank to verbally verify all payment orders by phone. But according to Tennessee Electric, the bank for some reason had already approved a payroll draft of $327,804 to be sent to 55 different accounts across the United States — even though the bank allegedly never called to get verification of that payment order.

Tennessee Electric alleges that the bank only called to seek approval for the fraudulent batch on May 10, more than a day after having approved it and after I contacted Tennessee Electric to let them know they’d been robbed by the Russian cyber mob.

ANALYSIS

This lawsuit, if it heads to trial, could help set a more certain and even standard for figuring out who’s at fault when businesses are hit by cyberheists (for better or worse, most such legal challenges are overwhelmingly weighted toward banks and quietly settled for a fraction of the loss).

Consumers who bank online are protected by Regulation E, which dramatically limits the liability for consumers who lose money from unauthorized account activity online (provided the victim notifies their financial institution of the fraudulent activity within 60 days of receiving a disputed account statement).

Businesses, however, do not enjoy such protections. States across the country have adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

Under state interpretations of the UCC, the most that a business hit with a cyberheist can hope to recover is the amount that was stolen. That means that it’s generally not in the business’s best interests to sue their bank unless the amount of theft was quite high, because the litigation fees required to win a court battle can quickly equal or surpass the amount stolen.

Recent cyberheist cases in other states have brought mixed (if modest) results for the plaintiffs. But Charisee Castagnoli, an adjunct professor of law at the John Marshall Law School, said those decisions may end up helping Tennessee Electric’s case because they hold open the possibility that courts could hear one of these cases using something other than a strict interpretation of the UCC or contract law  – such as fraud or negligence claimsAnd that could lead to courts awarding punitive damages, which can often amount to several times the plaintiff’s actual losses.

“We’re still seeing lawyers who are hunting for their best argument in terms of financial recovery, but what they’re really searching for is a way to get this out of the UCC and out of contract law, because under those you only get actual damages,” Castagnoli said. “And there’s really no way under the UCC and contract law theory to apply an economic recovery that will be an incentive for banks to change their behavior.”

Most recently, for example, Missouri-based Choice Escrow & Land Title unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist. Choice’s attorney’s failed to convince the first court that the bank’s online security procedures weren’t commercially reasonable. An appeals court confirmed that ruling, and went a step further by affirming that the bank could recover its attorney’s fees from Choice Escrow.

In the case of Patco Construction, a company in Maine that was hit by a $588,000 cyberheist in 2009, a lower court ruled the security at Patco’s bank was commercially reasonable. But an appeals court in Boston called the bank’s security systems “commercially unreasonable,” reversing the lower court.  Castagnoli said the appeals court in the Patco case also left open what the victim’s obligations and responsibilities are in the event that the bank’s security measures fail.

“Even though it looks like from a victim business’s perspective that the Patco case is good and the Choice decision bad, there may be enough good language in both of those cases [to help] Tennessee Electric’s case,” Castagnoli said.”You’d think with a harmonized statute [like the UCC] which exists across all 50 states that we’d have some clarity in terms of plaintiff rights of recovery in these cases, but we really don’t.”

Do you run your own business and bank online but aren’t willing to place all of your trust in your bank’s online security? Consider adopting some of the advice I laid out in Online Banking Best Practices for Businesses and Banking on a Live CD.

Kategorie: Hacking & Security

New study: Activists pose easy target for nation-state attackers

Ars Technica - 12 Srpen, 2014 - 21:30
Flickr user: Intel Free Press

Lean operations and a lack of technical staff make non-governmental organizations a prime, and relatively soft, target for well-funded adversaries, according to an academic study of a four-year campaign targeting one such group.

In a paper to be delivered at the USENIX Security Conference next week, six academic researchers analyzed nearly 1,500 suspicious e-mail messages targeting the World Uyghur Congress (WUC). The team found that, while the malware managed to reliably evade detection by many antivirus programs, the attacks were relatively unsophisticated, using known vulnerabilities that had already been patched. The social engineering tactics, however, were very targeted and convincing, with the majority written in the native language, referring to events of interest to the NGO and appearing to come from known contacts, said Engin Kirda, a professor of computer science at Northeastern University and a co-author of the paper.

"You read about sophisticated attacks, but the malware that we analyzed was pretty standard," Kirda said. "It was not some ground breaking obfuscation or malware."

Read 9 remaining paragraphs | Comments

Kategorie: Hacking & Security

Microsoft Keeps Focus on IE Security With Patch Tuesday Updates

Threatpost - 12 Srpen, 2014 - 21:09
Microsoft released nine security bulletins today, including a critical Internet Explorer update, as part of its monthly Patch Tuesday release.
Kategorie: Hacking & Security

Blackphone goes to Def Con and gets hacked—sort of

Ars Technica - 12 Srpen, 2014 - 21:07

When the Blackphone team arrived at Def Con last week, they knew they were stepping into a lion’s den. In fact, that's exactly why they were there. The first generation Blackphone from SGP Technologies has been shipping for just over a month, and the company’s delegation to DefCon—including Silent Circle Chief Technology Officer Jon Callas and newly hired SGP Technologies Chief Security Officer Dan Ford—was looking to both reach a natural customer base and get help with further locking down the device.

Ask and you shall receive. Jon “Justin Case” Sawyer, the CTO of Applied Cybersecurity LLC, walked up to the Blackphone table at Def Con and told them he rooted the phone. And those who followed him on Twitter received an abbreviated play-by-play.

What followed, however, was not what Sawyer or the Blackphone team counted on: a BlackBerry blogger at N4BB leapt on one of Sawyer’s tweets and wrote a story with the erroneous headline, “Blackphone Rooted Within 5 Minutes.” By the time Sawyer was presenting on Sunday at Def Con with Tim Strazzere, the story had been picked up by a number of blogs and websites—and nearly all of them didn’t bother getting further details from Sawyer or Blackphone.

Read 19 remaining paragraphs | Comments

Kategorie: Hacking & Security

Adobe, Microsoft Push Critical Security Fixes

Krebs on Security - 12 Srpen, 2014 - 20:56

Adobe and Microsoft today each independently released security updates to fix critical problems with their products. Adobe issued patches for Adobe Reader/Acrobat, Flash Player and AIR, while Microsoft pushed nine security updates to address at least 37 security holes in Windows and related software.

Microsoft’s recommended patch deployment priority for enterprises, Aug. 2014.

Two of the nine update bundles Microsoft released today earned the company’s most-dire “critical” label, meaning the vulnerabilities fixed in the updates can be exploited by bad guys or malware without any help from users. A critical update for Internet Explorer accounts for the bulk of flaws addressed this month, including one that was actively being exploited by attackers prior to today, and another that was already publicly disclosed, according to Microsoft.

Other Microsoft products fixed in today’s release include Windows Media Center, One Note, SQL Server and SharePoint. Check out the Technet roundup here and the Microsoft Bulletin Summary Web page at this link.

There are a couple other important changes from Microsoft this month: The company announced that it will soon begin blocking out-of-date ActiveX controls for Internet Explorer users, and that it will support only the most recent versions of the .NET Framework and IE for each supported operating system (.NET is a programming platform required by a great many third-party Windows applications and is therefore broadly installed).

These changes are both worth mentioning because this month’s patch batch also includes Flash fixes (an ActiveX plugin on IE) and another .NET update. I’ve had difficulties installing large Patch Tuesday packages along with .NET updates, so I try to update them separately. To avoid any complications, I would recommend that Windows users install all other available recommended patches except for the .NET bundle; after installing those updates, restart Windows and then install any pending .NET fixes).

Finally, I should note that Microsoft released a major new version (version 5) of its Enhanced Mitigation Experience Toolkit (EMET), a set of tools designed to protect Windows systems even before new and undiscovered threats against the operating system and third-party software are formally addressed by security updates and antimalware software. I’ll have more on EMET 5.0 in an upcoming blog post (my review of EMET 4 is here) but this is a great tool that can definitely help harden Windows systems from attacks. If you already have EMET installed, you’ll want to remove the previous version and reboot before upgrading to 5.0.

ADOBE

Adobe’s critical update for Flash Player fixes at least seven security holes in the program. Which version of Flash you should have on your system in order to get the protection from these latest fixes depends on which operating system and which browser you use, so consult the (admittedly complex) chart below for your appropriate version number.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 14.0.0.145 (with no outstanding updates available, and no word yet from Chrome about when the fix might be available).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 14.0.0.137 for Windows, Mac, and Android.

Adobe said it is not aware of any exploits in the wild that target any of the issues addressed in this month’s Flash update. However, the company says there are signs that attackers are are already targeting the lone bug fixed in an update released today for Windows versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat for Apple’s OS X are not affected).

Experience technical issues during or after applying any of these updates, or with the instructions above? Please feel free to sound off in the comments below.

Update, 6:52 p.m. ET: In the second paragraph, corrected the number of updates Microsoft released today.

Kategorie: Hacking & Security

15 new vulnerabilities reported during router hacking contest

InfoWorld.com [Security] - 12 Srpen, 2014 - 20:47

Routers appear to be as insecure as ever, after hackers successfully compromised five popular wireless models during a contest at the DefCon 22 security conference, reporting 15 new vulnerabilities to affected vendors.

Kategorie: Hacking & Security

15 new vulnerabilities reported during router hacking contest

InfoWorld.com [Security] - 12 Srpen, 2014 - 20:47

Routers appear to be as insecure as ever, after hackers successfully compromised five popular wireless models during a contest at the DefCon 22 security conference, reporting 15 new vulnerabilities to affected vendors.

Kategorie: Hacking & Security

15 new vulnerabilities reported during router hacking contest

InfoWorld.com [Security] - 12 Srpen, 2014 - 20:47

Routers appear to be as insecure as ever, after hackers successfully compromised five popular wireless models during a contest at the DefCon 22 security conference, reporting 15 new vulnerabilities to affected vendors.

Kategorie: Hacking & Security

August Update Tuesday - OneNote's First RCE, IE Memory Corruption

Kaspersky Securelist - 12 Srpen, 2014 - 20:34

The second Tuesday of the month is here along with Microsoft's August security updates, and with it brings interesting updates of OneNote and Internet Explorer. The full list is nine security bulletins long.

OneNote has been a part of Microsoft's drive into mobile and cloud technologies, away from traditional Wintel computing, providing Office-integrated note-taking multi-user collaborative functionality across tablets and mobile devices. I noticed a bunch of Blackhat attendees using this software. While the vulnerability is limited to all versions of Microsoft OneNote 2007,, and there have been a couple of releases since, I believe that this vulnerability is the first RCE enabled by a component exclusively delivered with the OneNote software. In this case, it is the file parser that reads onenote (.ONE) files that enables remote code execution attacks. This software package now is available for Windows, Mac, Windows RT, Windows Phone, iOS, Android and Symbian, but the vulnerable OneNote code appears to be available only for TabletPCs and the Windows platform. cve-2014-2815 was privately reported to Microsoft.

Another big Bulletin pushed today for Internet Explorer addresses 25 critical RCE vulnerabilities(!) across IE 6 - 11 on Windows clients Vista through 8.1, all memory corruption issues. The browsers on related server installs are rated moderate. Some of these vulnerabilities have been actively exploited ItW, so it is an urgent update issue.

 

And Adobe released their own patch separately from the Microsoft update process to fix an extraordinary sandbox vulnerability abused by APT that we reported a while back.      Be sure to check out those details. It effects fairly recent versions of Reader sandboxes.

Black Hat and DEF CON Wrap Up

Threatpost - 12 Srpen, 2014 - 20:01
Dennis Fisher and Mike Mimoso look back on the news from the last week in Las Vegas at Black Hat and DEF CON, including the Blackphone rooting, the Computrace research and the more upbeat mood at the conferences this year.
Kategorie: Hacking & Security
Syndikovat obsah