Showing posts with label hackers. Show all posts

Monday, 30 September 2013

Hackers target social media, step up mobile attacks

Social media has become a top target of hackers and mobile devices are expanding that target, IBM reported last week in its X-Force 2013 Mid-Year Trend and Risk Report.

Attacks on businesses are getting increasingly sophisticated, the report said. Some attacks studied by IBM researchers were opportunistic—exploiting unpatched and untested web applications vulnerable to basic SQL injection or cross-site scripting.

Others were successful, the report continued, because they violated the basic trust between end user and sites or social media personalities thought to be safe and legitimate.

"Social media has become a new playground for attackers," said Kevin Skapinetz, program director for product strategy for IBM Security Systems.


The report noted that a growing trend this year is the takeover of social media profiles that have a large number of followers. The trend continues to play a pivotal role in the way attackers are reaching their targets.

"It's one thing to get an email or spam from someone you've never heard of," Skapinetz said in an interview. "It's another thing to have one of your friends have their account compromised and send you a link that might interest you."

Traditional sources of online aggravation can't resist the siren call of social media, either. "Even if email is used in an attack, it will be under guise of coming from a social media account," he said. "Attackers are becoming more operationally sophisticated."

Social media attacks can affect more than the usual suspects, too. Beyond harming individuals, they can damage an enterprise's brand reputation and cause financial losses, the report said.

Mobile devices are also becoming a hacker magnet. "Although mobile vulnerabilities continue to grow at a rapid pace, we still see them as a small percentage of overall vulnerabilities reported in the year," the report said.

What may be making matters worse is the proliferation of mobile devices in the workplace under Bring Your Own Device Programs. "BYOD—what a nightmare that can be for any organization," HBGary's Threat Intelligence Director, Matthew Standart, said in an interview.


"It's difficult to protect your data even when you own all your devices and getting visibility into all your devices is a challenge in itself," Standart said. "Allowing users to bring their own devices increases the complexity tenfold."

The IBM report also noted that Distributed Denial of Service (DDoS) attacks are being used for more than just disrupting service at target sites. The attacks are being used as a distraction, allowing attackers to breach other systems in the enterprise.

"Both attacks and attack threats are being used as decoys," Marc Gaffan, co-founder of Incapsula, said in an interview.

"The attackers will bring down a website, get the IT people focused in a certain direction, tie up their resources on the DDoS attack while a more sophisticated breach is performed with no one paying attention," Gaffan said.

A decoy attack could also be used in conjunction with a phishing attack, he added. For example, a phishing message could be sent to a bank's customers asking them to use an alternative URL because the bank is having trouble with its common web address. A recipient may follow good security practices and paste the common URL for the bank in his browser.

Because the bank is under a DDoS attack, however, he can't connect to the institution, he said. So, in desperation, he clicks on the URL in the phishing message and gets infected.

Those kinds of misdirection DDoS attacks, though, haven't become mainstream. "They are occurring, but they're relatively rare," said Daniel Peck, a research scientist at Barracuda Networks.

The IBM report also questioned the dedication of many organizations to sound security basics. "Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice," the researchers wrote.

"Attackers seem to be capitalizing on this 'lack of security basics' by using a model of operational sophistication that allows them to increase their return on exploit," they wrote.

"The idea that even basic security hygiene is not upheld in organizations, leads us to believe that, for a variety of reasons, companies are struggling with a commitment to apply basic security fundamentals," the researchers wrote.

Barry Shteiman, senior security strategist with Imperva, said in an interview that the lack of adherence to basics could be due to a fundamental misunderstanding of security by companies. "They don't understand the difference between a safety belt and auto insurance," he said. "They don't understand that it's more important to protect themselves than to preserve their reputation after a breach has been made."

John Mello writes on technology and cyber security for a number of online publications and is former managing editor of the Boston Business Journal and Boston Phoenix.


View the original article here

Internet Explorer hackers use same tools as Bit9 attack

A criminal group exploiting the recently discovered Internet Explorer browser zero-day vulnerability has been linked to the Chinese hackers who compromised the Bit9 security platform earlier this year.

The connection between the two groups is in the command and control infrastructure used, says security vendor FireEye. Within the two infrastructures were similar malware, IP addresses, and email addresses used to register domains.

The latest attack, which FireEye has dubbed Operation DeputyDog, appears to target manufacturers, government entities and media organizations in Japan, said Darien Kindlund, manager of FireEye Threat Intelligence. The group hid IE exploits on three Japanese news sites, hoping to compromise visitors' PCs.

The compromised sites recorded more than 75,000 page views before the exploits were discovered. The attackers apparently were casting a wide net in looking for systems belonging to the desired targets. The exploit would have worked on all versions of IE, starting with IE 6.

"Maybe only a fraction of those compromised systems are really their true intended targets," Kindlund said. "The others are considered collateral damage."

Microsoft acknowledged September 17 that there was a previously unknown vulnerability in IE that was being exploited by cybercriminals on the Internet. The attack in Japan was discovered two days after Microsoft disclosed the flaw, which enables criminals to execute code on victims' computers.

Researchers have said that nearly 70 percent of Windows business users are open to attack. The threat is serious enough that experts believe Microsoft will release a fix before its scheduled monthly patch release set for October 8.

Bit9 revealed in February that its code-signing certificates had been stolen, making it possible for the thieves to bypass the vendor's security platform and run malware on customers' systems.

The certificates are used to identify trusted applications on customers' whitelists of approved software. The hackers apparently figured out a way to go around this normally effective system by going after the vendor first.

In a report released last week, Symantec identified the Bit9 attackers, dubbed the Hidden Lynx group, as a professional team of hackers for hire who have operated since at least 2009.

The group is able to run multiple campaigns at once and has breached some of the "world's best-protected organizations," Symantec said. The infrastructure and tools used by the hackers originate from network infrastructure in China.

The hackers typically use Trojans designed specifically for a pay-to-order attack to steal intellectual property.



Tuesday, 24 September 2013

Old tricks help German hackers bypass iPhone 5s Touch ID security

Apple's Touch ID authentication system can be defeated using a well-honed technique for creating a latex copy of someone's fingerprint, according to a German hacking group.

The Chaos Computer Club (CCC), which hosts an annual hacking conference and publishes computer security research, wrote on its blog that their experiment shows that fingerprint authentication "should be avoided."

Apple introduced Touch ID with its latest high-end iPhone 5S on Sept. 10. A person's "fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike," according to the company's website.

A hacker who goes by the name Starbug found that while Touch ID scans at a higher resolution, it can be beaten by increasing the resolution of the victim's fingerprint.

The CCC posted a video of what it wrote is a successful attack. Faking the print involves photographing the victim's fingerprint at 2400 DPI. The image is inverted and laser printed at 1200 DPI onto a transparent sheet using a "thick toner setting," according to the CCC.

Pink latex milk or white wood glue is smeared into the pattern created by the toner. After it cures, a sliver of latex is lifted from the sheet, and blowing on it gives a bit of moisture like that on a human finger. It then can be placed on the iPhone's fingerprint sensor, the CCC wrote.

The technique is not new. "This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market," the CCC wrote. Apple officials did not have an immediate comment on the CCC's findings.

Security experts have long warned that fingerprint authentication should not be solely relied upon, but rather used in concert with other technologies. Photos of fingerprints and molds have successfully bypassed fingerprint checks.

Touch ID is intended to reduce the number of times a person must enter a passcode, but Apple still requires a passcode in some circumstances, such as restarting the phone and if the device hasn't been unlocked in two days.

Changes to the fingerprint settings also require a passcode, which can be configured to be longer and more complex than four digits.



Friday, 20 September 2013

Hackers exploit critical IE bug; Microsoft promises patch

Microsoft today said that hackers are exploiting a critical, but unpatched, vulnerability in Internet Explorer 8 (IE8) and Internet Explorer 9 (IE9), and that its engineers are working on an update to plug the hole.

As it often does, the company downplayed the threat.


"There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions," Dustin Childs, a manager in the Trustworthy Computing group and its usual spokesman, said in a blog post Tuesday morning.

"We are actively working to develop a security update to address this issue," Childs added.

According to Childs and the security advisory Microsoft also published today, the vulnerability affects all supported versions of IE, from the 12-year-old IE6 to the not-yet-officially-released IE11, the browser that will accompany Windows 8.1 when it ships Oct. 18.

"There is no escaping this one," said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, referring to the bug affecting all versions of Microsoft's browser. "IE zero-days are never a good thing, especially when they affect every version," Storms added.

Although Microsoft's advisory did not put it in these terms, the vulnerability can be exploited using classic "drive-by" attack tactics. That means hackers need only lure victims running IE to malicious sites -- or legitimate websites that have previously been compromised and loaded with attack code -- to hijack their browser and plant malware on their Windows PCs.

Until Microsoft produces a patch, the company offered customers several options to protect themselves, including advice on configuring EMET 4.0 and running one of its "Fixit" automated tools to "shim" the DLL that contains the IE rendering engine.

EMET (Enhanced Mitigation Experience Toolkit) is a tool designed for advanced users, primarily enterprise IT professionals, that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications.

But the Fixit route will be easiest for individual users: Microsoft's posted a link to the Fixit tool on its support site, and customers need only click the icon marked "Enable." Microsoft has used the shim approach before when faced with unexpected attacks against IE.



Thursday, 12 September 2013

Cyberspies attack key South Korean institutions, North Korean hackers suspected

South Korean organizations that conduct research on international affairs, national security and Korean unification are under siege from cyberspies whose attack may have its origins in North Korea.

The attack campaign, which has been dubbed “Kimsuky,” involves the use of malware to steal sensitive information from these institutions and has been monitored for the past several months by researchers from antivirus vendor Kaspersky Lab.

The full list of victims remains unknown, but Kaspersky's technical analysis suggests that the targeted organizations included: the Sejong Institute, a non-profit think tank that conducts research in the areas of national security, unification, regional issues and international political economy; the Korea Institute for Defense Analyses (KIDA), a research institution whose work focuses on military planning, security and strategy, human resource development, weapon systems, and more; the South Korean Ministry of Unification, which works towards the reunification of Korea and promotes inter-Korean dialogue; and Hyundai Merchant Marine, a South Korean logistics company specializing in container shipping.

“Among the organizations we counted, 11 are based in South Korea and two entities reside in China,” Dmitry Tarakanov, a malware researcher at Kaspersky Lab, said Wednesday in a blog post.

The malware used in the attack, which is now detected by Kaspersky products as Trojan.Win32.Kimsuky, communicates with attackers through a free webmail service in Bulgaria called mail.bg. The malware connects to the webmail interface and authenticates with hardcoded credentials for specific mail.bg accounts.

It then checks the inbox folder for messages that have subject lines indicating certain commands from attackers. Those emails can also contain encrypted attachments, which are encrypted malicious executable files that serve as updates or additional components for the malware.

It’s not clear how attackers distribute the Kimsuky Trojan horse program to their targets, but spear-phishing is a likely possibility, Tarakanov said.

The malware has several modules used for different functions that include keylogging, collecting directory listings from the infected computers, searching for and stealing documents in the HWP format that are generated by the South Korean Hancom Office Suite software and allowing attackers to remotely control the infected computers.

The remote control module is actually a modified version of TeamViewer, a legitimate remote control application, Tarakanov said.

The malware reports the infection status and sends all of the stolen data back to the attackers using the same webmail-based technique. The data is encrypted and attached to emails which are sent from the mail.bg accounts to hardcoded Hotmail accounts used by the attackers.
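The webmail-based command channel described above (log in to a free webmail account with hardcoded credentials, poll the inbox for instructions, send stolen data back as attachments) leaves a recognisable trace in outbound proxy logs: a non-browser, non-mail-client process talking to a webmail domain on a regular schedule. The following is an added detection example written for this page, not code from Kaspersky's report; the log format, the process names, the webmail watchlist and the sample log lines are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed proxy log lines (assumed format: "<timestamp> <host> <process> <method> <url>").
# Process names and timestamps are made up for the example; "mail.bg" is the webmail
# service named in the article.
SAMPLE_LOG = """\
2013-09-11T09:01:12 ws-17 iexplore.exe GET https://mail.bg/auth/login
2013-09-11T09:03:40 ws-17 iexplore.exe GET https://www.example.org/
2013-09-11T09:04:55 ws-09 updsvc.exe GET https://mail.bg/
2013-09-11T09:05:02 ws-42 updsvc.exe POST https://mail.bg/auth/login
2013-09-11T09:15:02 ws-42 updsvc.exe GET https://mail.bg/mailbox/inbox
2013-09-11T09:25:03 ws-42 updsvc.exe GET https://mail.bg/mailbox/inbox
2013-09-11T09:35:02 ws-42 updsvc.exe GET https://mail.bg/mailbox/inbox
2013-09-11T09:45:01 ws-42 updsvc.exe POST https://mail.bg/mailbox/send
2013-09-11T10:00:00 ws-08 outlook.exe GET https://outlook.live.com/owa/
"""

# Watchlist of free webmail domains (constructed; extend for your environment).
WEBMAIL_DOMAINS = {"mail.bg", "outlook.live.com", "mail.google.com"}
# Processes for which webmail traffic is expected and therefore not reported.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, host, process, method, url) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url = m.groups()
    return datetime.fromisoformat(ts), host, proc, method, url


def domain_of(url):
    """Extract the lower-cased host part of an http(s) URL."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def find_webmail_from_non_browsers(log_text, jitter_ratio=0.1):
    """Group webmail hits by (host, process, domain) for processes that should not
    be talking to webmail at all, and flag groups whose request intervals are
    nearly constant (a polling loop rather than a human).

    Returns a list of finding dicts sorted by host, process and domain."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, proc, _method, url = rec
        dom = domain_of(url)
        if dom in WEBMAIL_DOMAINS and proc.lower() not in BROWSERS | MAIL_CLIENTS:
            events[(host, proc, dom)].append(ts)

    findings = []
    for (host, proc, dom), times in sorted(events.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # "Periodic" when there are at least three requests and the spread of the
        # intervals is within jitter_ratio of their mean.
        periodic = False
        if len(gaps) >= 2:
            mean_gap = sum(gaps) / len(gaps)
            periodic = pstdev(gaps) <= jitter_ratio * mean_gap
        findings.append({"host": host, "process": proc, "domain": dom,
                         "hits": len(times), "periodic": periodic})
    return findings


if __name__ == "__main__":
    for f in find_webmail_from_non_browsers(SAMPLE_LOG):
        print(f)
```

On the sample data the browser session from ws-17 and the Outlook session from ws-08 are ignored, the single hit from ws-09 is reported with `periodic` false (worth a look, but weak on its own), and the five evenly spaced requests from ws-42 are reported as periodic, which is the pattern a mail-polling backdoor produces. The jitter threshold and the allowlists are the tuning knobs; a real deployment would also key on the user account behind the proxy session.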

On system startup, the malware disables a firewall product developed by AhnLab, a South Korean security software vendor, if present and then turns off the Windows Security Center service in order to prevent the system from alerting users that no firewall is running.

A lot of South Korean organizations use AhnLab security products and because the targets are almost exclusively from South Korea, the attackers don’t even bother trying to evade security products from other vendors, Tarakanov said.

Taking into account the profiles of the targeted organizations, one could easily suspect that the attackers might be from North Korea, the researcher said. “The targets almost perfectly fall into their sphere of interest.”

One piece of evidence that supports this theory has to do with the geographic location of the Internet Protocol (IP) addresses used by the attackers.

“During our analysis, we observed ten IP addresses used by the Kimsuky operators,” Tarakanov said. “All of them lie in ranges of the Jilin Province Network and Liaoning Province Network, in China.”

“Interestingly, the ISPs providing Internet access in these provinces are also believed to maintain lines into North Korea,” the researcher said, adding that no other IP addresses have been discovered that would put the attackers’ activity in other IP ranges.

South Korea frequently attributes cyberattacks against organizations and institutions in the country to North Korean hackers. However, as with most cyberattacks, establishing the location of the attackers with a high degree of certainty is not possible.



Monday, 26 August 2013

Middle Eastern 'Molerats' hackers step up attacks

A wave of cyberattacks against Israeli and Middle Eastern targets this summer was the work of a highly active but shadowy hacktivist group that has started using Remote Access Trojans (RATs) previously favored by Chinese cyber-actors, security firm FireEye has warned.

Dubbed "Molerats" by FireEye, the politically-motivated group launched its latest attacks in June and July using the Poison Ivy (PIVY) RAT, analyzed earlier this week in a separate piece of research by the firm that studied its extensive use over many years by Chinese groups.

The campaign was originally believed to have focused on Israeli and Palestinian organizations but now appears to have had a wider target list, including other Arabic countries and the U.S.

Significantly, the latest wave of attacks was almost certainly linked to a wave of cyber-attacks last October and November on Middle Eastern targets using the XtremeRAT backdoor, including one on the Israeli Police, FireEye said.

The Molerats group's signatures included spearphishing attacks using malicious RAR archives, and a command and control infrastructure using and reusing known domains. The targeting also showed a consistent theme.

FireEye's conclusions are twofold. First, the sudden popularity of Poison Ivy suggests that this particular RAT is now being used beyond China, and defenders should be more wary about attribution. Second, the Middle East has another hacktivist group—one that might or might not have a connection with the better known "Gaza Hackers Team"—a development that needs to be watched.

"We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective, publicly-available RAT to its arsenal," said FireEye's researchers in a blog note. "But this development should raise a warning flag for anyone tempted to automatically attribute all PIVY attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining those responsible an increasing challenge."

The Middle East now has a clutch of little-understood "nuisance" hacking groups, the best known of which is the Syrian Electronic Army (SEA), a group notable for focusing on Western targets such as U.S. media and dissidents opposing the country's Assad regime.

A second group is the Iranian Izz ad-Din al-Qassam Cyber Fighters, blamed for a series of huge DDoS attacks on U.S. banks in the last year. What distinguishes all of these groups from Western anti-establishment organisations such as the apparently extinct Anonymous Group is the level of resources, state backing and staffing they must have to sustain such large campaigns.

Although Molerats appears small by comparison with the other groups, the fact it wields RAT-based tools is significant. Such malware requires manual control, something that is anathema to conventional crime groups interested in profit at the minimum outlay. Its appearance is just another symptom of the gradual spread of cyberwar tactics to every corner of the globe.



Thursday, 22 August 2013

Hackers attack League of Legends, steal user account data and credit card info

Game over, man, game over! Late Tuesday, Riot Games announced that hackers managed to breach the company's servers, swiping the usernames, email addresses, salted password hashes, and real-world names of North American players of the uber-popular League of Legends game. Worse, nearly 120,000 credit card transactions have been accessed.

"The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then," Riot Games founders Marc Merrill and Brandon Beck explained in a blog post. "We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them."

League of Legends had roughly 70 million registered users as of last October, with 12 million users active daily. In March, Riot said the game often has more than five million players online simultaneously. (It's also one of the 12 frustrating games we can't help but love.)

Affected players will want to keep an eye on their bank statements, but fortunately, those transactions were also hashed and salted, which means—like the swiped passwords—that they are very unlikely to be cracked any time soon. Even so, all League of Legends users will have to change their passwords the next time they log into the system. Better safe than, well, even more sorry.

If you used your League of Legends password at other websites, you'd be smart to change those as well. Or even better yet, take this opportunity to stop reusing passwords. (PCWorld has a guide to staying password-secure while maintaining your sanity.)
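Why "hashed and salted" matters, and why reusing a password elsewhere still matters even then, is easier to see in code than in prose. The block below is an added example for this page, not Riot's code: it stores passwords with a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256, an assumed choice; the iteration count is also an assumption), and contrasts that with a plain unsalted hash that a precomputed lookup table recovers instantly.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2 (assumption for the example; tune to your hardware budget).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn unless one is given,
    so two users with the same password end up with different stored digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> bytes:
    """The weak scheme: one fast hash, no salt. Identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_lookup_table(wordlist) -> dict:
    """Precompute unsalted hashes for a list of common passwords (constructed list)."""
    return {unsalted_sha256(w): w for w in wordlist}


def recover_from_table(table: dict, stored: bytes) -> Optional[str]:
    """A leaked unsalted hash is recovered by a dictionary lookup; a salted PBKDF2
    digest is not in the table, so the lookup returns None."""
    return table.get(stored)


if __name__ == "__main__":
    # Constructed demo values.
    common = ["password", "123456", "letmein", "qwerty"]
    table = build_lookup_table(common)

    leaked_unsalted = unsalted_sha256("letmein")
    print("unsalted hash recovered as:", recover_from_table(table, leaked_unsalted))

    salt, digest = hash_password("letmein")
    print("salted PBKDF2 digest recovered as:", recover_from_table(table, digest))
    print("login check:", verify_password("letmein", salt, digest))
```

Two things follow for the breach described above. The salt and slow hash mean an attacker holding the dump must attack each account separately and pay the full PBKDF2 cost per guess, which is why the stolen hashes are "unlikely to be cracked any time soon" rather than impossible to crack. And none of this protects a password that was reused on a site with weaker storage, which is the reason for the advice to change it everywhere and stop reusing it.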

Riot also announced plans to add a couple of features to its security arsenal in the coming weeks and months. New accounts will need to be tied to a valid email address, and players will need to confirm any changes to existing accounts either via email or text message. Yup, that's a form of two-factor authentication, in case you were wondering.

This isn't the first time Riot has run into security woes. Last year, European League of Legends players had their account data compromised. Worried MOBA players shouldn't necessarily think the grass is greener on the other side of the fence, though. In 2011, Valve—maker of Defense of the Ancients 2, League of Legends' prime competitor—also fell victim to a hack attack that resulted in lost passwords and credit card info.

Brad Chacos spends the days jamming to Spotify, digging through desktop PCs and covering everything from BYOD tablets to DIY tesla coils.



Monday, 19 August 2013

Android becomes Windows' equal as a target for hackers

The capabilities of malware targeting the market-leading Android platform are mimicking those of Trojans that have wrung profits from Windows PC users for years, a new study shows.

With nearly an 80 percent market share, Android's mobile dominance parallels Windows in the PC world, making Google's operating system the "mobile world's equivalent," Kaspersky Lab said in its latest Threat Evolution report, released on Thursday.

The difference between Windows and Android malware is that the latter is evolving much quicker, as criminals borrow from what they learned in targeting PCs since the 1990s.

"The evolution of Android malware has gone much more quickly than the evolution of Windows malware," Roel Schouwenberg, a senior researcher for Kaspersky Lab, told CSOonline.

The peak in Android malware development so far was Backdoor.AndroidOS.Obad.a, which Kaspersky labeled in June as the most sophisticated mobile Trojan to date. Capabilities included opening a backdoor for downloading files, stealing information about the phone and its apps, sending SMS messages to premium rate numbers and spreading malware via Bluetooth.

Obad also reached new heights in its use of encryption and code obfuscation to thwart analysis efforts. In addition, it exploited three previously unknown Android vulnerabilities.


Looking at Obad overall, Kaspersky determined that the Trojan looked more like Windows malware than the typical Android program.

The vast majority of malware written today still targets the much more profitable Windows PC. Nevertheless, the rising number of malicious code samples indicated there is a new generation of developers working hard on breaking into smartphones, which surpassed PCs in shipments in 2011.

"That's where they believe the future is, and the future is there," Schouwenberg said.

In the first half of this year, the number of malicious code samples collected by Kaspersky broke 100,000 for the first time. For all of 2012, the security vendor collected about 76,000 samples.

Nevertheless, infection rates remain very low. For example, in watching Obad over a three-day period in June, Kaspersky found that attempts to install the malware accounted for only 0.15 percent of all attempted infections it observed.

Part of the reason for the low infection rate overall is a paucity of channels for distributing malware. Most infections today occur when a user downloads an app carrying malicious code from a third-party app store rather than the official Google Play store.

Most of the users of those third-party stores are in Asia and Russia. In the U.S., smartphone users favor Google Play, which scans for malware.


The infection rate is expected to rise as other distribution methods evolve. Spam carrying links to malicious web sites is often used today and is expected to increase.

In addition, Kaspersky is seeing an increasing number of ads in mobile apps pointing to malicious sites. The vendor has also found a handful of sites with the popular Blackhole exploit kit, modified to download malware when the visitor is using an Android device.

Another troubling trend is the type of mobile malware discovered in the wild. While Trojans that send SMS messages to premium numbers account for the majority of smartphone infections, Kaspersky collects more mobile malware with backdoors for connecting to command and control servers.

"As soon as backdoors and Trojan downloaders come into play, that's when you realize these guys are trying to do something that's a little bit more sophisticated," Schouwenberg said.


