December 2010 - Posts
Improved mobile computing security will most likely be a focal point for 2011. The ISC highlights a new Trojan that is installed from an infected game or application. There are some prompts that may be prevent access to the Android O/S. When installing any mobile or PC application, every prompt should be reviewed carefully and users should exit out if security could be potentially compromised.
Android malware enters 2011
http://isc.sans.edu/diary.html?storyid=10186
QUOTE: One thing a lot of security researchers have been predicting for years is rise in mobile malware. However, due to mobile phones with low power, a lot of operating systems, closed environments and many other reasons we haven’t seen any significant mobile malware until this year.
And just in time for 2011 a new trojan for Android has been found by a company called Lookout. While Android trojans have been very popular, this one was pretty advanced and that is why it caught everyone’s attention. The most important characteristic of this trojan is that it has botnet capabilities. This means that the trojan connects to a C&C server in order to retrieve commands and enables an attacker in effectively controlling the infected phone.
So how does the trojan gets installed in the first place? The attackers managed to infect some Android games which are hosted on various sites. The user simply goes to install such a game and gets infected. However, keep in mind that the installer will warn the user that the application wants to access sensitive parts of the phone as well as capabilities to send SMS messages, make phone calls etc.
That being said, we know that most users will just click on yes (remember UAC on Vista?) – and I’m afraid that statistics for users blindly clicking on yes is even worse on mobile phones since there are many more users and security awareness is much, much lower.
The Stuxnet worm was one of the most sophisticated attacks during 2010. Below are informative links highlighting the most recent analysis:
A Four-Day Dive Into Stuxnet’s Heart
http://www.wired.com/threatlevel/2010/12/a-four-day-dive-into-stuxnets-heart/
Report Strengthens Suspicions That Stuxnet Sabotaged Iran’s Nuclear Plant
http://www.wired.com/threatlevel/2010/12/isis-report-on-stuxnet/
QUOTE: The sophisticated worm, which many computer experts believe was created as a specific attempt to sabotage Iran’s nuclear power plant centrifuges, has written a new chapter in the history of computer security. Written to affect the very Siemens components used at Iran’s facilities, some analysts have even speculated it may have been the work of a state, rather than of traditional underground virus writers.
The new CCSK designation may help individuals receive specialized training for implementing cloud computing solutions for their organization. While the CCSK is too new for wide spread recognition, continuing education is always beneficial. Companies investing in their security team training in this area may also receive some good ideas for implementing this growing trend in a more secure manner than going in on an unplanned basis.
CSSK HOME
http://www.cloudsecurityalliance.org/certifyme.html
CSSK FAQ
http://www.cloudsecurityalliance.org/ccsk_faq.html
QUOTE: The Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK) is now open for testing. The industry’s first user certification program for secure cloud computing, the CCSK is designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.
As cloud computing is being aggressively adopted, it is critical that the industry provide training and certification of professionals to assure that cloud computing is implemented responsibly with the appropriate security controls. The Cloud Security Alliance (CSA) has developed a widely adopted catalogue of security best practices, the Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1. The CCSK provides evidence that an individual has successfully completed an examination covering the key concepts of the CSA guidance and ENISA whitepaper.
Mozilla took quick and effective action to resolve a password exposure for their site as documented below:
Mozilla Adons user accounts - minor exposure of passwords fixed
http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
QUOTE: On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.
The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009.
It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure. This information was also sent to impacted users by email on December 27th.
When Facebook users click on a malicious link, it may alter Profile settings that need to be repaired and better secured as noted in link below:
How to Clean Up Your Facebook Account After Getting Scammed
http://blogs.pcmag.com/securitywatch/2010/12/how_to_clean_up_your_facebook.php
QUOTE: Have you clicked the link to a Facebook message like that? Typically it brings you to a survey at which you're asked to install an application. If you follow all the instructions you'll end up spreading the same things to your friends. This sort of thing is really common on Facebook. Thanks to Graham Clueley for writing a blog and video on how to clean your profile up after making such a mistake. Here's the video.
The Internet Storm Center reports increase in Malware Domains ending in IN
Malware Domains 2234.in, 0000002.in & co
http://isc.sans.edu/diary.html?storyid=10165
QUOTE: Those of you watching the malware universe have no doubt noticed the recent increase of malicious sites with ".in" domain names. The current set of names follow the four-digit and seven-digit pattern. Passive DNS Replication like RUS-CERT/BFK shows that a big chunk of these domains currently seems to point to 91.204.48.52 (AS24965) and 195.80.151.83 (AS50877). The former Netblock is in the Ukraine (where else), the latter likely in Moldavia. Both show up prominently on Google's filter (AS24965,AS50877), Zeustracker, Spamhaus (AS24965,AS50877) and many other sites that maintain filter lists of malicious hosts.
Avoid these emails that appear to come from iTunes. It directs users to a fake website, where and a Java scripting exploit can infect PCs that are not up-to-date on security.
Fake iTunes email isn't a phish, it's a 'sploit
http://sunbeltblog.blogspot.com/2010/12/fake-itunes-email-isn-phish-it.html
QUOTE: An email making the rounds makes the innocent claim that “it is possible that your account password has been stolen”. Actually, no. The site serves a malicious script. Nevertheless, the exploits served are six to eight months old — CVE-2010–0886 (a Java exploit) and CVE-2010-1885 (a cross-site scripting method that exploits a vulnerability in Windows Help). Downloading the latest version of Java and insuring you’re up-to-date on Windows patches will protect against any attack.
F-Secure offers an informative post related to the growing trend of Facebook and other social networking SPAM.
Social Networking SPAM - Comprehensive Q&A by F-Secure
http://www.f-secure.com/weblog/archives/00002079.html
A new vulnerability in Internet Explorer has been discovered and users should be cautious in visiting any unusual websites that could be potentially malicious
Microsoft Security Advisory (2488013)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2488013.mspx
Additional Resources
http://www.f-secure.com/weblog/archives/00002080.html
http://isc.sans.edu/diary.html?storyid=10132
http://blogs.technet.com/b/msrc/archive/2010/12/22/microsoft-releases-security-advisory-2488013.aspx
QUOTE: This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). The issue manifests itself when a specially crafted web page is used and could result in remote code execution on the client.
Microsoft's EMET provides an easy-to-use configuration tool for developing improved PC security:
Microsoft EMET - Enhanced Mitigation Experience Toolkit v2.0
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04
QUOTE: Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:
1. No source code needed: Until now, several of the available mitigations (such as Data Execution Prevention) have required for an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available and when source code is not available.
2. Highly configurable: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.
3. Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder to hackers to exploit vulnerabilities in the legacy software.
4. Ease of use: The policy for system wide mitigations can be seen and configured with EMET's graphical user interface. There is no need to locate up and decipher registry keys or run platform dependent utilities. With EMET you can adjust setting with a single consistent interface regardless of the underlying platform.
5. Ongoing improvement: EMET is a living tool designed to be updated as new mitigation technologies become available. This provides a chance for users to try out and benefit from cutting edge mitigations. The release cycle for EMET is also not tied to any product. EMET updates can be made dynamically as soon as new mitigations are ready
While Windows 7 and Office 2010 are much more secure than prior operating systems, it's still essential to ensure a new PC is updated for all Microsoft security patches, as well as all other vendor software, (e.g., Adobe Flash). This should be done immediately, along with setting up complex passwords, limited accounts, and other safety measures.
December 2010 - Very Large Security release
http://isc.sans.edu/diary.html?storyid=10081
Windows Update Site
(Choose the new Microsoft update to also include Office and other Microsoft products)
http://windowsupdate.microsoft.com/
This application will open up your entire Facebook account allowing spammed messages to be sent from it to all your contacts. There are no applications that can truly show you "who looked at your Facebook account". Instead, this dangerous application opens up your Facebook security so that the bad guys can LOOK and USE your account. Avoid installing ANY Facebook application unless you are sure it's safe.
Creeper Tracker Pro creeps around on Facebook
http://sunbeltblog.blogspot.com/2010/12/creeper-tracker-pro-creeps-around-on.html
QUOTE: Is it time to examine another Facebook scam? ... Why yes, it is ... This website takes the form of the familiar “find out who is watching you” wheeze so beloved by scammers everywhere. Something to note: although it claims “1,601,636 people like this”, that’s just part of the background graphic (it’s completely fake). Checking out the application page tied to this one tells us they have “15,034 monthly users” which doesn’t really tally with over a million Likes, does it? Anyway, hitting the Login button and filling in your details will prompt you to give the “application” access to your profile
A good list of recommendations to improve privacy controls:
Kim Komando - Top 10 Privacy Tips for 2010
http://www.komando.com/top10/privacy.asp
QUOTE: I looked back through the Privacy tips from 2010 and selected the 10 most-read. There's a wide variety of topics covered here. And they're all important for your privacy. Make sure you're protected from these threats!
1. 5 Facebook privacy settings you need to know about now
2. How to let nosy guests on your PC or Mac during holidays
3. What you reveal to Web sites
4. How Flash cookies threaten your privacy
5. Free tools to erase data for good
6. How to check a Website for proper security during e-commerce
7. Avoid rogue security software
8. Keep your passwords safe in one place
9. Protect your data before sending computers in for repairs
10. How to remove keyloggers from your computer
An interesting discussion and humorous flowchart can be found in the link below. I'm friends with both of our children and they are also Facebook contacts as well. The key for any user is to not share information or photos in this highly public setting, that they may regret later. Even deleted entries should show up later when prospective employers conduct Internet searches, so everyone should remain cautious. Privacy settings must also be set to high for additional protection.
Should You Friend Your Parents on Facebook?
http://gizmodo.com/5710785/should-you-friend-your-parents-on-facebook
The TDDS rootkit family is one of the most advanced malware attacks circulating. This analysis by Kaspersky Labs shares a recent modification to TDL4 to use a new unpatched Windows vulnerability.
TDDS Rootkit - TDL4 Starts Using 0-Day Vulnerability
http://www.securelist.com/en/blog/337/TDL4_Starts_Using_0_Day_Vulnerability
QUOTE: In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE: 2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.
Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows. After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with the regular user privileges. An attempt to inject into the print spooler process terminates with an error (ERROR_ACCESS_DENIED).
New modifications, however, attempt to use the 0-day exploit to escalate its privileges up to LocalSystem level. TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.
More Posts
Next page »