Information Security News
The number of drive-by malware attacks that exploit vulnerabilities in Microsoft's Silverlight application framework may be surpassing those that abuse Oracle's Java framework, according to a recent analysis of one popular hack-by-numbers tool kit.
Since April 23, the Angler exploit kit has shown a significant uptick in attacks that target Silverlight users, according to a blog post published Monday by Levi Gundert, technical lead in Cisco Systems' threat research group. While the Silverlight exploits were accompanied by attacks that also targeted Adobe's Flash player, the recent campaign failed to trigger vulnerabilities in Oracle's Java framework, which over the past couple of years, has become widely targeted by malicious hackers who surreptitiously install malware by exploiting vulnerable software on end users' computers.
To succeed, the Angler campaign observed by Gundert had to exploit two Silverlight vulnerabilities, one that Microsoft patched 14 months ago and the other that was fixed in October. CVE-2013-0074 gave attackers the ability to remotely execute malicious code, while CVE-2013-3896 provided the means to bypass data execution prevention, a security mitigation added to most Microsoft applications in recent years. The measure prevents most data loaded into memory from being executed.
Bill Aims to Strengthen DHS InfoSec Staff
A Senate committee is set to debate and vote on a bill to help beef up the Department of Homeland Security's cybersecurity workforce. The DHS Cybersecurity Workforce Recruitment and Retention Act of 2014, if enacted, would give the department the ...
A malicious app targeting Android users has grown so fully featured that researchers said it has become one of the most expensive pieces of malware available in underground markets. The story helps demonstrate the high potential of Android-based trojans as operators of traditional PC-based fraud search for ways to bypass the increasing use of two-factor authentication.
Not long ago, the so-called iBanking malware package offered little more than a way for traditional PC trojans that target online bank accounts to bypass two-factor authentication protections. While the interception of incoming and outgoing SMS messages remains the main selling point, iBanking has morphed into the Swiss Army knife of Android malware. Included in the $5,000 fee is the ability to redirect incoming voice calls, covertly capture sounds within range of the device's microphone, track geolocation, access the file system, and remotely corral the device into sprawling mobile botnets that use either HTTP or SMS to communicate, depending on the current network status of the infected handset.
An analysis published Tuesday by researchers from Symantec explained:
Usually, your operating system will be assigned a DNS server either via DHCP (or RAs in IPv6) or statically. The resolver library on a typical workstation will then go forward and pass all DNS lookups to this set of DNS servers. However, malware sometimes tries to use its own DNS servers, and blocking outbound port 53 traffic (udp and tcp) can help identify these hosts.
Brent, one of our readers, does just that and keeps finding infected machines that way. Just now, he is investigating a system that attempted to connect to the following name servers:
He has not identified the malware behind this yet, but none of the other systems he is running flagged it ("we are running bluecoat web filter AND we're using OpenDNS AND I'm running snort"). Brent uses oak (http://ktools.org/oak/) to help him watch his logs and alert him of issues like this.
According to the Farsight Security passive DNS database, these IPs resolve to a number of "interesting" hostnames. I am just showing a few here (the full list is too long):
- ns-facebook-[number]-[number].irl-dns.info (the [number] part appears to be a random number)
- *.v9dns.com ('*' indicates various host names in this domain)
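The detection described above (block outbound port 53 except to the resolvers DHCP hands out, then look for internal hosts that still try to talk DNS elsewhere) can be run over firewall logs. The following is an added example, not Brent's oak setup or anything from the diary: the log format, the resolver addresses and the sample lines are all constructed, and the only assumption is that the firewall records source, destination and port for each denied or allowed flow.

```python
import ipaddress
from collections import defaultdict

# Resolvers handed out by DHCP on the internal network (constructed values).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed firewall log lines in a simple space-separated format:
#   <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2014-05-20T10:00:01 ALLOW udp 10.0.5.21:51234 -> 10.0.0.53:53
2014-05-20T10:00:02 DENY udp 10.0.5.77:49152 -> 203.0.113.9:53
2014-05-20T10:00:03 DENY tcp 10.0.5.77:49153 -> 203.0.113.9:53
2014-05-20T10:00:04 ALLOW udp 10.0.5.21:51235 -> 10.0.1.53:53
2014-05-20T10:00:05 DENY udp 10.0.5.77:49154 -> 198.51.100.4:53
2014-05-20T10:00:06 ALLOW tcp 10.0.5.30:40000 -> 203.0.113.9:443
this line is not a flow record
"""


def parse_line(line):
    """Parse one flow record into a dict; return None for lines that do not match."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    try:
        src_ip, _src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "ts": ts,
            "action": action,
            "proto": proto.lower(),
            "src_ip": src_ip,
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
        }
    except ValueError:
        return None


def find_rogue_dns_clients(log_text, sanctioned=SANCTIONED_RESOLVERS, min_attempts=2):
    """Return {internal_host: {foreign_resolver: attempt_count}} for hosts that
    sent DNS (udp or tcp port 53) to anything other than the sanctioned resolvers.

    Both ALLOW and DENY records are counted: a denied attempt is still evidence
    that something on the host wants its own DNS server, which is the signal the
    diary describes. Hosts below min_attempts are dropped to cut down on noise
    from a single stray packet.
    """
    attempts = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["dst_port"] != 53 or rec["proto"] not in ("udp", "tcp"):
            continue
        if rec["dst_ip"] in sanctioned:
            continue
        # Only internal (RFC 1918) sources are of interest for this check.
        if not ipaddress.ip_address(rec["src_ip"]).is_private:
            continue
        attempts[rec["src_ip"]][rec["dst_ip"]] += 1
    return {
        src: dict(dsts)
        for src, dsts in attempts.items()
        if sum(dsts.values()) >= min_attempts
    }


if __name__ == "__main__":
    for host, resolvers in find_rogue_dns_clients(SAMPLE_LOG).items():
        print(f"{host} tried foreign DNS servers:")
        for resolver, count in sorted(resolvers.items()):
            print(f"  {resolver} ({count} attempts)")
```

On the constructed sample, 10.0.5.21 only talks to the sanctioned resolvers and is ignored, 10.0.5.30 talks to 203.0.113.9 on 443 rather than 53 and is ignored, and 10.0.5.77 is reported with its three attempts against two foreign resolvers; those foreign addresses are what you would then feed into a passive DNS lookup, as the diary does.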
Johannes B. Ullrich, Ph.D.
by Sean Gallagher
A security study drawing data from more than 1,600 networks over a six-month period found that 97 percent of the networks experienced some form of breach—despite the use of multiple layers of network and computer security software. The study, performed by analysts from security appliance vendor FireEye and its security consulting wing Mandiant, compared current network defenses to the Maginot Line, the infamous French fortress chain that the Germans bypassed during their May 1940 invasion.
The data collected from network and e-mail monitoring appliances from October 2013 to March 2014 also showed that three-quarters of the networks had command-and-control traffic indicating the presence of active security breaches connected to over 35,000 unique command-and-control servers. Higher-education networks were the biggest source of botnet traffic.
FireEye and Mandiant analyzed real-time data from 1,614 FireEye appliances that had been placed on networks as part of “proof of value” trials; the devices provided monitoring. Each of the networks already had a “defense in depth” architecture, combining firewalls, intrusion detection and prevention systems, and antivirus software. Despite that, the appliances detected over 208,000 malware downloads across the monitored networks, of which 124,000 were unique malware variants.
by Peter Bright
The Chinese government has banned the installation of Windows 8 on government PCs, reports Re/code. The Central Government Procurement Center issued a directive last week barring the use of Microsoft's latest operating system as an energy-saving measure, according to Re/code.
State news agency Xinhua gave a different reason for the ban: it's to ensure system security after Microsoft ended support for Windows XP. The unsupported operating system is still estimated to be used on as much as half of the Chinese desktop market.
How the ban makes sense, either as a security measure or an energy-saving one, isn't clear. Lest there be any doubt, the solution to Windows XP's security problems—it's vulnerable to a number of unpatched flaws already—is to stop using it. Not ban the use of an actively supported operating system.
A couple of weeks ago, Dropbox announced that it had invalidated some old "shared links" that users had used to share confidential documents, like tax returns. The real question here is, of course: how did these tax returns get exposed in the first place?
Dropbox usually requires a username and a password to access documents, and even offers a two-factor solution as an option. But regardless, the user may allow a document to be accessed by others who just know the "secret" link.
As we all know, the problem is that "secret" links easily leak. But as users rely more on cloud services to share files, and passwords for each shared file are way too hard to set up, this is going to happen more and more. Dropbox isn't the only such service that offers this feature. In a recent discussion with some banks, the problem came up that more and more customers attempt to share documents with the bank for things like mortgage applications. While the banks do refuse to accept documents that way, the pressure exists, and I am sure other businesses with less regulatory pressure will happily participate.
For a moment, let's assume the cloud service works "as designed" and your username and password are strong enough. Cloud services can be quite useful as a cheap "offsite backup", for example to keep a list of serial numbers of your possessions in case of a burglary or a catastrophic event like a fire. But as soon as you start sharing documents, you run the risk of others not taking care of them as well as you would. Maybe their passwords are no good, or maybe they will let the "secret link" you gave them wander.
Confidential personal, financial or medical information should probably not go into your cloud account. And if it does, encrypt it before uploading.
Here are a couple of steps to de-cloud your life:
- Set up an "ownCloud" server. It works very much like Dropbox, with mobile clients available for Android and iOS. But you will have to run the server. I suggest you make it accessible via a VPN connection only. SharePoint may be a similar solution for Windows folks.
- Run your own mail server: This can be a real pain, and even large companies move mail services to cloud providers (only to regret it later ...?). But pretty much all cloud mail providers will store your data in the clear, and in many ways they have to. Systems that provide real end-to-end encryption for cloud/web-based e-mail are still experimental at this point.
- Offsite backup at a friend's or relative's house. With the widespread use of high-speed home network connections, it is possible to set up a decent offsite backup system by "co-locating" a simple NAS somewhere. The disks on the NAS can be encrypted, and the connection can again use a VPN.
- For Apple users, make local backups of your devices instead of using iCloud. iCloud stores backups unencrypted and all it takes for an attacker to retrieve a backup is your iCloud username/password.
Any other tips to de-cloud?
Posted by InfoSec News on May 20: http://www.theregister.co.uk/2014/05/19/lifelock_yanks_mobile_app/
Posted by InfoSec News on May 20: http://www.whig.com/story/25558098/mark-twain-casino-among-11-casinos-reporting-security-breach
Posted by InfoSec News on May 20: http://www.haaretz.com/news/diplomacy-defense/.premium-1.591665
Posted by InfoSec News on May 20: http://www.darkreading.com/risk/how-to-talk-about-infosec-to-your-board-of-directors/a/d-id/1251100
Posted by InfoSec News on May 20: http://www.infosecnews.org/u-s-department-of-justice-indicts-five-members-of-the-chinese-pla-unit-61398-for-cyber-espionage/
Radical or Lazy, what type of info sec practitioner are you?
CSO Magazine (blog)
Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years' history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA.