(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

With recent news of malicious mobile adware that roots smartphones, attention is again being paid to mobile security and the malware threat posed to it. While mobile ransomware is also a pervasive and growing threat, there are mobile RATs (such as JSocket and OmniRAT) that are able to take full remote control of mobile devices. Their functionality includes using the microphone to listen in on victims and viewing whatever is in front of the camera while the unsuspecting victim goes about their day.

It's important to realize that mobile malware, in essence, is just a question of apps. Even the rooting adware above begins with installing an application, which means there are some well-defined ways users and enterprises can protect themselves. The other danger is that most of the time these devices are on the cellular network, so they operate outside all of the network protective technologies an enterprise has to detect, if not prevent, compromise. Here is a quick list of what users and enterprises can do.

For users:

  • Never install applications from outside the official mobile app stores (i.e. Google Play, Apple's App Store)
  • Ensure that smartphones are set to NOT install apps from unverified sources
  • Do NOT root/jailbreak your phones, as this removes a great deal of the platform's security features
  • Observe what permissions applications request on install and reject those that want the Christmas Tree list of permissions (i.e. all of them)
  • Install a mobile anti-malware solution of your choosing

For enterprises:

  • For phones under your control, ensure all the above are set and are unmodifiable by the end-user
  • Provide users in sensitive positions a corporate-provided phone so that you can enforce the above and restrict sensitive information to the corporate phone
  • Provide a BYOD network for personal mobile devices and monitor that network for indicators of compromise and respond accordingly. Encourage users to use that network.
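Several of these items can be checked from a workstation with adb rather than by hand, which is what an enterprise needs to do across a fleet of managed phones. The following is an added example in Python, not code from the original diary: it parses the output of `adb shell dumpsys package` for the permissions each app requests and flags apps that ask for a Christmas Tree of dangerous runtime permissions, and it interprets the results of `adb shell settings get secure install_non_market_apps` (the settings namespace varies by Android version, and Android 8+ replaced the global switch with a per-app permission) and `adb shell which su`. The dumpsys excerpt, package names and the threshold of six are constructed for the example, and the dangerous-permission list is a subset chosen for illustration.

```python
import re
import subprocess

# Runtime ("dangerous") Android permissions that expose the camera, microphone, messages,
# contacts, call logs, location and storage. Subset chosen for this example.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")


def adb(*args):
    """Run a command on the attached device via adb and return its output (not used offline)."""
    return subprocess.check_output(["adb", "shell", *args], text=True)


def parse_requested_permissions(dumpsys_text):
    """Map package name -> set of permissions it requests, from `adb shell dumpsys package` output."""
    perms = {}
    current, in_requested = None, False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            perms[current] = set()
            in_requested = False
            continue
        s = line.strip()
        if s.endswith(":"):                        # any section header ends the current section
            in_requested = s == "requested permissions:"
        elif in_requested and current and s:
            perms[current].add(s.split(":")[0])    # tolerate "name: granted=true" style lines
    return perms


def christmas_tree_apps(perms_by_pkg, threshold=6):
    """Apps requesting at least `threshold` dangerous permissions, with the permissions they ask for."""
    flagged = {}
    for pkg, perms in perms_by_pkg.items():
        hits = sorted(perms & DANGEROUS)
        if len(hits) >= threshold:
            flagged[pkg] = hits
    return flagged


def unknown_sources_enabled(setting_value):
    """'1' from `settings get secure install_non_market_apps` means sideloading is allowed."""
    return setting_value.strip() == "1"


def device_appears_rooted(which_su_output):
    """`which su` prints a path only when a su binary is on the PATH of the adb shell."""
    return which_su_output.strip().startswith("/")


# Constructed dumpsys excerpt (not from a real device): a "flashlight" that wants everything,
# and a notes app that only wants storage and network access.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (3a1b2c3):
    userId=10123
    requested permissions:
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f7):
    userId=10124
    requested permissions:
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    # On a real device replace the constructed strings with adb("dumpsys", "package"),
    # adb("settings", "get", "secure", "install_non_market_apps") and adb("which", "su").
    perms = parse_requested_permissions(SAMPLE_DUMPSYS)
    for pkg, hits in christmas_tree_apps(perms).items():
        print(f"{pkg}: {len(hits)} dangerous permissions: {', '.join(hits)}")
    print("unknown sources enabled:", unknown_sources_enabled("1"))
    print("su binary present:", device_appears_rooted(""))
```

The threshold is deliberately a count rather than a fixed list, since what is suspicious is the mismatch between an app's purpose and its appetite; a messaging app legitimately needs SMS and contacts, a flashlight does not.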

What else would you add to this list?

John Bambenek
bambenek\at\ gmail /dot/ com
Fidelis Cybersecurity



TV makers are constantly crowing about the tricks their smart TVs can do. But one of the most popular brands has a feature that it's not advertising: Vizio's Smart TVs track your viewing habits and share them with advertisers, who can then find you on your phone and other devices.

The tracking—which Vizio calls “Smart Interactivity”—is turned on by default for the more than 10 million Smart TVs that the company has sold. Customers who want to escape it have to opt-out.

In a statement, Vizio said customers’ “non-personal identifiable information may be shared with select partners … to permit these companies to make, for example, better-informed decisions regarding content production, programming and advertising.”




Browser-trusted certificate authority (CA) Comodo said it mistakenly issued transport layer security credentials for "mailarchive," "help," and at least five other forbidden names and warned that "quite a number" of unnamed competitors have committed similar violations.

The non-compliant certificates are forbidden under the Baseline Requirements enforced by the CA/Browser Forum, an industry group of CAs and browser makers that establishes the rules CAs must follow for their digital certificates to be trusted in Chrome, Internet Explorer, and other major browsers. The rules forbid the issuance of certificates for internal names that aren't part of a valid Internet domain name or for a reserved IP address such as

The rules are designed to prevent the issuance of certificates for names such as "exchange," "mailserver," "domain," or "localhost," which many operating systems and organizations use to designate internal servers or other resources. The regulations similarly bar certificates for IP addresses reserved for routers or other internal resources inside a home or organization network. A CA-issued certificate for something as generic as "mailserver" or a reserved internal IP address, for instance, could be used to spy on or impersonate any resource that used that name or address, in any network that uses it. The Baseline Requirements bar all CAs from issuing certificates with such internal names or IP addresses that expire after November 1, 2015.
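A CA, or anyone auditing a certificate it has already issued, can test candidate names against this rule mechanically. The following is an added example in Python, not code from Comodo or the CA/Browser Forum: `is_internal_name` approximates the Baseline Requirements' definition by rejecting dotless names, names whose last label is not a public suffix, and IP addresses that are not globally routable (RFC 1918 and RFC 4193 ranges, loopback, link-local). The suffix set is a small stand-in for the Public Suffix List, and the SAN list it is run over is constructed for the example rather than taken from any of the certificates the article describes.

```python
import ipaddress

# Stand-in for the Public Suffix List: suffixes under which no Internet domain can be registered.
# A production check should consult the real list.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "intranet", "corp", "lan", "home",
                       "private", "example", "test", "invalid"}


def is_reserved_ip(name):
    """True when `name` is an IP address that is not globally routable
    (RFC 1918 and RFC 4193 private space, loopback, link-local, etc.)."""
    try:
        return not ipaddress.ip_address(name.strip("[]")).is_global
    except ValueError:          # not an IP address at all
        return False


def is_internal_name(name):
    """Approximate the Baseline Requirements' 'internal name': something that cannot be verified
    against any Internet domain or public IP address and so must not appear in a public cert."""
    name = name.strip().lower().rstrip(".")
    if not name or is_reserved_ip(name):
        return True
    labels = name.split(".")
    if labels[0] == "*":        # wildcard: judge the base domain it covers
        labels = labels[1:]
    if len(labels) < 2:         # dotless names such as "mailarchive", "help", "exchange"
        return True
    return labels[-1] in NON_PUBLIC_SUFFIXES


def audit_sans(subject_alt_names):
    """Return the entries of a certificate's SAN list that a public CA must not issue."""
    return [n for n in subject_alt_names if is_internal_name(n)]


# Constructed SAN list mixing legitimate public names with the kinds of entries the BRs forbid.
SAMPLE_SANS = ["mail.example.com", "webmail.example.com", "mailarchive", "help", "exchange",
               "10.0.0.1", "fd00::1", "webmail.example.local"]

if __name__ == "__main__":
    for name in audit_sans(SAMPLE_SANS):
        print(f"REJECT {name}: internal name or reserved IP address")
```

A public IP address such as 8.8.8.8 passes, because the BRs only forbid reserved ranges; a name that is dotless or ends in a non-public suffix fails even if the requester genuinely owns a host by that name, since no CA can verify that ownership against the Internet namespace.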



The love note that Linux.Encoder.1 leaves website admins after it does its dirty work. (credit: Doctor Web)

The antivirus software company Doctor Web has issued an alert about a new form of crypto-ransomware that targets users of Linux-based operating systems. Designated as "Linux.Encoder.1" by the company, the malware largely targets Web servers, encrypting their contents and demanding a ransom of one Bitcoin (currently about $500).

Many of the affected systems were infected when attackers exploited a vulnerability in the Magento CMS. A patch for a critical vulnerability in Magento, which powers a number of e-commerce sites, was published on October 31. Doctor Web researchers currently place the number of victims in the "at least tens" range, but attacks on other vulnerable content management systems could increase that number dramatically.

In order to run, the malware has to be executed with root (administrator-level) privileges. Using AES with 128-bit keys, the malware encrypts the contents of all users' home directories and any files associated with websites running on the system. It then walks the whole directory structure of mounted volumes, encrypting a variety of file types. In each directory it encrypts, it drops a text file called README_FOR_DECRYPT.txt, which demands payment and provides a link to a Tor hidden service via a Tor gateway.



On Friday, Fox Glove Security posted a blog entry that details a widespread Java deserialization vulnerability affecting all the major flavors of middleware (WebSphere, WebLogic, et al). There are a lot of great details in the post, including exploitation instructions for pentesters, so go take a look. It didn't get much press because, admittedly, it's complicated to explain. It also doesn't have a logo.

In this case, they describe how to use this class of vulnerabilities for remote code execution against Java-based web applications. The gadget chain that makes it work lives in the Apache Commons Collections library. As you can imagine from the name, that gives an enormous attack surface, including custom-coded applications that happen to bundle those class files.

The exploits demonstrated have to be initiated from the local network, but in poorly configured environments (management interfaces reachable from the Internet) this may lead to truly remote attacks being successful.

The short version is that many programming languages (in this case Java) accept serialized input from users and convert it back into live objects. If that data is not otherwise validated, an attacker who controls the serialized object also controls what happens when the application reconstructs it; ideally, untrusted input is never deserialized in the first place, at least for unauthenticated users. It's the oldie but goodie of unsanitized input with a mix of OWASP A9, Using Components with Known Vulnerabilities.

At present, there does not appear to be a patch for the vulnerability, but the blog post above does lay out a very ugly mitigation that can be deployed.
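Until a fix ships, the one thing a defender fully controls is whether serialized Java objects from untrusted sources reach the application at all, which means being able to spot them in traffic. The following is an added example in Python, not code from the Fox Glove post or from any affected vendor: a Java serialization stream always opens with the bytes `AC ED 00 05`, which becomes `rO0AB` when base64-encoded into a cookie or form field, and the class names it carries are stored as plain UTF-8 with a two-byte length prefix, so a detector can match the stream header and then search the stream for Commons Collections gadget classes such as `InvokerTransformer`. The request bodies and the abbreviated serialization stream are constructed for the example; a real class descriptor also carries a serialVersionUID, flags and a field list, none of which the detector needs.

```python
import base64
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"     # ObjectOutputStream STREAM_MAGIC followed by STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72   # type codes opening a serialized object and its class descriptor

# Classes used by the Commons Collections gadget chain; seeing them in an untrusted stream is a
# strong indicator of an exploitation attempt rather than normal application traffic.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "sun.reflect.annotation.AnnotationInvocationHandler",
}

B64_STREAM_RE = re.compile(rb"rO0AB[A-Za-z0-9+/=]+")   # base64 of STREAM_MAGIC plus whatever follows


def find_java_streams(body):
    """Yield every Java serialization stream found in an HTTP body, whether raw or base64-encoded."""
    start = body.find(STREAM_MAGIC)
    while start != -1:
        yield body[start:]
        start = body.find(STREAM_MAGIC, start + 1)
    for m in B64_STREAM_RE.finditer(body):
        blob = m.group(0) + b"=" * (-len(m.group(0)) % 4)   # restore any stripped padding
        try:
            yield base64.b64decode(blob)
        except ValueError:
            continue


def first_class_name(stream):
    """Class name of the first object in the stream, or None if it does not start TC_OBJECT TC_CLASSDESC."""
    if not stream.startswith(STREAM_MAGIC) or len(stream) < 8:
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack(">H", stream[6:8])      # two-byte length of the class name
    return stream[8:8 + length].decode("utf-8", errors="replace")


def gadget_classes_in(stream):
    """Gadget class names present anywhere in the stream (class names are stored as plain UTF-8)."""
    return sorted(name for name in GADGET_CLASSES if name.encode() in stream)


def classify_request(body):
    """('gadget', class) if a known gadget class is carried, ('serialized', first class) if a
    Java stream is present at all, ('clean', None) otherwise."""
    verdict, detail = "clean", None
    for stream in find_java_streams(body):
        hits = gadget_classes_in(stream)
        if hits:
            return "gadget", hits[0]
        verdict, detail = "serialized", first_class_name(stream)
    return verdict, detail


def _utf(name):
    """Length-prefixed class name as it appears inside a stream."""
    encoded = name.encode()
    return struct.pack(">H", len(encoded)) + encoded


def _classdesc(name):
    """TC_OBJECT TC_CLASSDESC <len><name>: the leading bytes of a class descriptor (rest omitted)."""
    return bytes([TC_OBJECT, TC_CLASSDESC]) + _utf(name)


# Constructed samples, not captured traffic: a form login, an abbreviated gadget-chain stream sent
# raw, the same stream base64-encoded inside a cookie, and a harmless serialized HashMap.
# The ten zero bytes stand in for the serialVersionUID, flags and field count of a real descriptor.
_GADGET_STREAM = (STREAM_MAGIC + _classdesc("sun.reflect.annotation.AnnotationInvocationHandler")
                  + b"\x00" * 10 + bytes([TC_CLASSDESC])
                  + _utf("org.apache.commons.collections.functors.InvokerTransformer"))

SAMPLE_REQUESTS = {
    "login_form": b"user=alice&password=hunter2",
    "raw_stream": _GADGET_STREAM,
    "cookie": b"JSESSIONID=1A2B3C; state=" + base64.b64encode(_GADGET_STREAM) + b"; theme=dark",
    "hashmap": STREAM_MAGIC + _classdesc("java.util.HashMap"),
}

if __name__ == "__main__":
    for label, body in SAMPLE_REQUESTS.items():
        print(f"{label:12} -> {classify_request(body)}")
```

The "serialized" verdict is worth alerting on by itself for any endpoint that is not supposed to accept Java objects from the outside: the gadget list only covers the chain Fox Glove described, and other libraries on the classpath may supply chains of their own.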

P.S. From the blog: "No one gave it a fancy name, there were no press releases, nobody called XXXXXX (insert firm I shouldn't mock here) to come put out the fires." Well played, good sir, well played.

John Bambenek
bambenek\at\ gmail /dot/ com
Fidelis Cybersecurity

TestLink 1.9.14 Persistent XSS
TestLink 1.9.14 CSRF Vulnerability

The Register

GCHQ's infosec arm bins advisor accreditation scheme
GCHQ's communications security arm, CESG, has been accused of leaving a gaping hole in the government security advisor profession by axing its accreditation scheme. The CESG Listed Advisor Scheme (CLAS), the accreditation programme for private ...
