Archive for December 2010

Smartphones seen as a major threat to corporate networks

Over three-quarters of workplace smartphone users believe they expose their business to attack.

A recent Ovum survey found that eight out of ten respondents believe smartphones expose their business to attack, with data leakage cited as the top security concern. Graham Titterington, a principal analyst at Ovum and author of the report, told SC Magazine that large organisations supply a large number of mobile devices and that security was often put ahead of cost.

“The uses of mobile devices are still weighted towards social networking, email and collaboration portals rather than accessing the customer relations model. When it comes to security there is more fear of the unknown and the number of people who reported actual losses is actually quite low, but about 60 per cent are afraid of personal devices being used as a conduit for malware getting on to the network, while about 40 per cent are concerned about a compliance knock-on failure,” he said.

“There are a whole lot of technologies being used but not overwhelmingly, the main one is remote device wiping, while securing access to corporate data is done at the application level.”

The survey also found that protection is inconsistently implemented. Among the 52 per cent of organisations that use some form of authentication for mobile users, 62 per cent rely on simple username and password sign-on, while only 18 per cent use Public Key Infrastructure (PKI) certificates. Just nine per cent use two-factor authentication based on one-time passwords.

Rick Chandler, treasurer of the European Association for e-Identity and Security (EEMA), said that in the last year social networking had taken off and that much of it was done on mobile devices.

“The devices do not have intrinsic security built in, so there is a big awareness thing to be done and that is where the security business can deliver stuff.”

Frank Bunn, senior manager of communications service providers in the global industry solutions team at Symantec, said that security use on mobile devices is low, generally only simple password authentication, because there is no single dominant operating system as there is with Windows on PCs.

Bunn said: “There is still confusion about the role of the operator; should the mobile operator just provide connectivity or should they be in a position to bring value added services to the table? In our mind they are in a really good position to provide some level of security because all of the traffic is flying to his network and he can intercept not just for his own interest, but it is also about providing a service.

“There is a lot of security that the provider can bring to the table and we think that they need to provide a layered approach.”

http://www.scmagazineuk.com/smartphones-seen-as-a-major-threat-to-corporate-networks/article/191552/?DCMP=EMC-SCUK_Newswire


Posted December 1, 2010 by axxerainc in Uncategorized

Rumours that Zeus and SpyEye Trojans have merged creates concern on the strength of banking malware

A reported merger of two major banking Trojans has led to new concerns about the capabilities of banking malware.

It has recently been claimed that the Zeus and SpyEye Trojans merged to create one major botnet. Along with the well known Zeus Trojan, SpyEye was described by novirusthanks.org at the start of this year as ‘a new fresh and sophisticated web-based bot’ that could be the possible successor to Zeus ‘due to its very interesting features, with the main objective to steal bank accounts, credit cards, ftp accounts and other sensitive data from the victim’s computer’.

Kapil Raina, senior product manager at IronKey, said he believed the cause of the merger was the Zeus author retiring, and that SpyEye would become the dominant Trojan of the two.

He said: “The significance of this will mean more brains between the owners and less competition and that is a real problem. It does not need more mules and I believe that the sophistication will increase. Zeus had such a focus from government that the creator had to get out of the game, I heard that it can make $2-3 million on average but with enough mules, it can make $4-5 million a week and that is a lot of incentive to keep it alive.”

Paul Wood, senior analyst at Symantec Hosted Services, claimed that the Zeus toolkit fell into the public domain some time ago and that this led to smaller but more dominant botnets ‘with the same intention in mind’, rather than one big botnet.

Talking to SC Magazine, Ed Rowley, product manager of M86 Security, said: “Was this created from a merger or acquisition? It is interesting how it mirrors the business world with an OEM partnership agreement. Did the cyber criminals get rights to it or did they just steal it? There is a saying that there is no honour among thieves.”

David Jevans, CEO of IronKey, said: “The demand is there for this malware as the codes get more sophisticated. They are now working on getting malware and the Trojan (SpyEye) is not as well seen as Zeus but anyone can change it, but I am not sure what will happen. At the end of the day people do not want the code to die and will give it away.”

David Holmes, software engineer at F5, said that while Zeus and SpyEye remain a threat, he warned of ‘a new kid on the block’ called Feodo, which he said has the ability to deliver a payload that attacks over a dozen different banking institutions. He also warned of URLZone, which he said was the scariest new threat because it does not just steal credentials: it transfers money out of an account and manipulates the browser so that the user keeps seeing their old balance.

He said: “I could not sleep knowing that each time I touched my bank account I might be letting the bad guys take all my money. I eventually made an appointment with a neighbourhood broker and invested that money to keep it safe.

“The FBI says that Zeus, SpyEye and URLZone stole $100 million in 2008 and 2009. One would expect cyber crime gains to be even larger this year as Feodo makes the rounds. If you were to plot these two trends, rising cyber crime and increasing online banking, you would expect a rise in the number of victims.

“So what is to be done? The anti-virus companies think we need to deploy them into the cloud (big surprise). I am not sure that we will be safe until you absolutely cannot install unsigned binaries on to your system. I am not saying that would fix it for all cases but it would leave an audit trail. Perhaps it could get traced and locked up and maybe money would be ‘safe’ in our accounts again.”

http://www.scmagazineuk.com/rumours-that-zeus-and-spyeye-trojans-have-merged-creates-concern-on-the-strength-of-banking-malware/article/191541/?DCMP=EMC-SCUK_Newswire

Posted December 1, 2010 by axxerainc in Uncategorized

Scareware scammers booby-trap worried Koreans

Korean language search terms for the cross-border clash between North and South Korea have already been poisoned so that scareware portals appear prominently in results.

The use of black hat search engine optimisation techniques is designed to expose surfers to fake anti-virus scans that warn of non-existent threats, in a bid to trick surfers into buying worse-than-useless software.

Cybercrooks behind the scam often latch onto breaking news events, such as last week’s royal engagement announcement, and the latest attack shows that much the same tactics are now being applied well outside the English-speaking world.

Searches in Korean for search terms related to Tuesday’s shelling between North and South Korea are liable to lead to pages that redirect surfers to scareware download packages that pose as either an ActiveX control or a Flash Player update.

The ActiveX control is served up to surfers using Internet Explorer, while the fake Flash update goes to Firefox users, as explained in a blog post by Trend Micro.

http://www.theregister.co.uk/2010/11/23/korean_border_clash_scareware/

Posted December 1, 2010 by axxerainc in Uncategorized

Network card rootkit offers extra stealth

Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card.

Guillaume Delugré, a reverse engineer at French security firm Sogeti ESEC, was able to develop proof-of-concept code after studying the firmware of Broadcom NetXtreme PCI Ethernet cards.

He used publicly available documentation and open source tools to develop a firmware debugger. He also reverse-engineered the format of the EEPROM where the firmware code is stored, as well as the bootstrap process of the device.

Using the knowledge gained from this process, Delugré was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card. The technique opens the possibility of planting a stealthy rootkit that lives within the network card, an approach that gives potential miscreants several advantages over conventional backdoors.

Chief among these is that there will be no trace of the rootkit on the operating system, since it is hidden inside the network interface card rather than on disk or in host memory.

“The network card natively needs to perform Direct memory access (DMA) accesses, so that network frames can be exchanged between the driver and the device,” Delugré explains.

“From the firmware point of view, everything is operated using special dedicated device registers, some of them being non-documented. An attacker would then be able to communicate remotely with the rootkit in the network card and get access to the underlying operating system thanks to DMA.”
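One host-side check a practitioner can run against this class of implant is to compare the card's stored firmware image against a known-good baseline taken when the card was trusted. The following is an added example, not code from Delugré's research or from the article. It parses the hex-dump layout that Linux `ethtool -e <iface>` prints (assumed here to be an `0xOFFSET:` label followed by sixteen hex bytes per line, after two header lines) and reports which byte ranges differ. Both dumps below are constructed sample data; the byte values carry no meaning beyond the example.

```python
"""Baseline comparison of a NIC EEPROM/firmware dump.

Added illustration, not from the original research or the article. Assumes
the `ethtool -e` hex-dump layout described in the lead-in; the GOLDEN and
TAMPERED dumps are constructed sample data, not real card contents."""
import hashlib
import re

# "0x0010:<whitespace>00 11 22 ..." data lines; header lines are skipped.
LINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_ethtool_eeprom(text):
    """Turn an ethtool -e style dump into bytes, checking offsets are contiguous."""
    image = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Offset  Values" / "------" header lines
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", "").replace("\t", ""))
        if offset != len(image):
            raise ValueError("non-contiguous dump at 0x%04x" % offset)
        image += chunk
    return bytes(image)


def diff_regions(baseline, current, merge_gap=4):
    """Return [(start, end)] byte ranges (end exclusive) where the images differ.

    Differences closer than merge_gap bytes are merged so that one patched
    code block is reported as one finding rather than a per-byte list."""
    if len(baseline) != len(current):
        raise ValueError("image sizes differ: %d vs %d" % (len(baseline), len(current)))
    regions = []
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a == b:
            continue
        if regions and i - regions[-1][1] <= merge_gap:
            regions[-1] = (regions[-1][0], i + 1)
        else:
            regions.append((i, i + 1))
    return regions


def check_firmware(baseline_text, current_text):
    """Compare two dumps; returns (ok, sha256 of current image, differing regions)."""
    base = parse_ethtool_eeprom(baseline_text)
    cur = parse_ethtool_eeprom(current_text)
    regions = diff_regions(base, cur)
    return (not regions, hashlib.sha256(cur).hexdigest(), regions)


# Constructed 48-byte sample dump (not a real card image).
GOLDEN = """Offset\t\tValues
------\t\t------
0x0000:\t\t00 10 18 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0010:\t\t00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0020:\t\t00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
# Same image with three bytes changed at 0x0014..0x0016.
TAMPERED = GOLDEN.replace("0x0010:\t\t00 00 00 00 00 00 00",
                          "0x0010:\t\t00 00 00 00 de ad be")

if __name__ == "__main__":
    ok, digest, regions = check_firmware(GOLDEN, TAMPERED)
    print("intact" if ok else "MODIFIED", digest)
    for start, end in regions:
        print("  changed bytes 0x%04x-0x%04x" % (start, end - 1))
```

Treat this as a tripwire, not proof of integrity: the dump is read back through the device's own registers, so firmware that has already been replaced can in principle answer with the original image. A baseline captured before deployment, stored off-host and compared on a schedule, still catches the straightforward reflash the article describes.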

Delugré gave a presentation on his research at the hack.lu conference last month. A write-up of his research, along with slides from his presentation and a demo, was published on Sunday.

http://www.theregister.co.uk/2010/11/23/network_card_rootkit/

Posted December 1, 2010 by axxerainc in Uncategorized

iOS 4.2 includes massive security update

Apple has finally released the highly-anticipated iOS 4.2. While the attention around iOS 4.2 has been focused on the enhancements and new features — particularly for the iPad — the update also fixes more than 80 vulnerabilities in the iPhone, iPod, and iPad.

It is common knowledge that iOS 4.2 introduces features like multitasking — or at least Apple’s pseudo version of multitasking — a unified e-mail inbox, and the ability to organize apps by grouping them in folders to the iPad.

It also includes a variety of enhancements aimed at IT admins that make it easier to manage and protect iPads connected to a corporate network. The massive barrage of security updates, however, flew in under the radar.

It’s not that Apple is unwilling to admit that there are security issues, but Apple policy dictates that the vulnerabilities not be publicly disclosed until the patch is available. An Apple Web page detailing the security updates in iOS 4.2 explains, “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

So, now that iOS 4.2 is out and the “patches or releases are available” it is safe to let you know that your iPhone, iPod, and iPad have been virtually Swiss cheese from a security standpoint. The iPhone and iPad are both now protected against more than 80 vulnerabilities — many with critical security implications — that most users were not even aware existed two days ago.

For example, viewing a PDF file is a relatively common task for an iPhone or iPad. According to Apple, it is also a potentially risky task on pre-iOS 4.2 devices. “A heap buffer overflow exists in FreeType’s handling of TrueType opcodes [CVE-2010-3814]. Viewing a PDF document with maliciously crafted embedded fonts may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking,” it says.

If you have surfed the Web on an iPhone or iPad, you might be interested to learn that a vast array of flaws exist that could allow an attacker to execute arbitrary malicious code on your device.

There is also a vulnerability which reveals your surfing history. “A design issue exists in WebKit’s handling of the CSS :visited pseudo-class. A maliciously crafted website may be able to determine which sites a user has visited. This update limits the ability of web pages to style pages based on whether links are visited.”

These are just a few examples. Many of the more than 80 flaws addressed in iOS 4.2 have very serious security implications. While the general public wasn’t aware of these flaws, attackers probably were. If they weren’t, they are now, so the clock is ticking to get the iOS 4.2 update applied before malicious developers find ways to exploit these vulnerabilities.

http://www.computerworld.com/s/article/9197839/iOS_4.2_includes_massive_security_update?source=CTWNLE_nlt_pm_2010-11-23

Posted December 1, 2010 by axxerainc in Uncategorized

Is SAP afraid of a Stuxnet-style attack?

Enterprise software provider SAP is stepping up its security stance as its once-isolated systems become increasingly connected to the Internet, posing new risks as hackers diversify their targets.

SAP’s ERP (enterprise resource planning) and CRM (customer relationship management) software are often the core management tools for large enterprises, used for functions such as managing payroll, creating purchase orders, invoicing, and paying suppliers, among others. Those systems hold a trove of very sensitive data that, if the systems were breached and the information obtained, could be used to cause great harm to a business.

SAP systems have typically been buried within an organization and not connected to the Internet. The greatest threat to SAP still today is from insiders who already have access to the systems and seek to make modifications. SAP security consultants often spend time on “segregation of duties”, ensuring that no one person has access or privileges for a wide range of financially sensitive tasks.
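Segregation of duties is usually enforced by checking each user's effective transaction set against a list of toxic combinations. The following is an added example of such a check and is not code from the article, from SAP, or from any Onapsis or Turnkey product. The role and user assignments are constructed sample data; the three conflict rules pair real SAP transaction codes (vendor master maintenance FK01/FK02 against the F110 payment run, purchase order creation ME21N against goods receipt MIGO and invoice verification MIRO) but which rules an organisation enforces is an assumption.

```python
"""Segregation-of-duties (SoD) conflict check over SAP-style authorizations.

Added illustration, not from the article or from SAP/Onapsis/Turnkey tooling.
ROLE_TCODES and USER_ROLES are constructed sample data; SOD_RULES are
illustrative four-eyes rules, not a complete or authoritative rule set."""

# Each rule: (transactions on side A, transactions on side B, risk description).
# A user violates the rule when they can start at least one tcode from each side.
SOD_RULES = [
    ({"FK01", "FK02"}, {"F110"}, "maintain vendor master and run payments"),
    ({"ME21N"}, {"MIGO"}, "create purchase order and post goods receipt"),
    ({"ME21N"}, {"MIRO"}, "create purchase order and post vendor invoice"),
]

# Constructed sample: role -> transaction codes it grants, user -> roles held.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENTS": {"F110", "FBZP"},
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_DISPLAY_ONLY": {"FK03", "ME23N"},
}
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},   # vendor master + payment run
    "bob": {"Z_PURCHASER", "Z_WAREHOUSE"},       # purchase order + goods receipt
    "carol": {"Z_AP_CLERK", "Z_DISPLAY_ONLY"},   # clean: display roles add no write
    "dave": {"Z_PURCHASER", "Z_AP_PAYMENTS"},    # clean under these three rules
}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Flatten a user's roles into the set of transactions they can start."""
    tcodes = set()
    for role in user_roles.get(user, ()):
        tcodes |= role_tcodes.get(role, set())
    return tcodes


def sod_conflicts(user, rules=SOD_RULES, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Return [(risk, matched side A, matched side B)] for every rule the user violates."""
    tcodes = effective_tcodes(user, user_roles, role_tcodes)
    hits = []
    for side_a, side_b, risk in rules:
        got_a, got_b = tcodes & side_a, tcodes & side_b
        if got_a and got_b:
            hits.append((risk, sorted(got_a), sorted(got_b)))
    return hits


def sod_report(rules=SOD_RULES, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Map each conflicting user to their violations; clean users are omitted."""
    report = {}
    for user in sorted(user_roles):
        hits = sod_conflicts(user, rules, user_roles, role_tcodes)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in sod_report().items():
        for risk, side_a, side_b in hits:
            print("%s: %s via %s + %s" % (user, risk, side_a, side_b))
```

Real deployments resolve authorizations from authorization objects (S_TCODE and the object checks behind each transaction) rather than from role names alone, and composite roles and reference users widen the effective set; the structure of the check is the same, only the flattening step grows.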

However, that is changing. Companies can set up Web-based customer portals that lead into their SAP software, which gives attackers a new vector for getting inside the systems.

“You can now have all your business information directly connected to the Internet,” said Mariano Nuñez Di Croce, director of research and development for Onapsis, which does SAP security evaluations for companies.

Cyberattackers also appear to be diversifying their targets. The most alarming example is Stuxnet, a piece of malware designed to manipulate Siemens WinCC systems, a type of SCADA (supervisory control and data acquisition) product used for manufacturing.

The latest data shows that Stuxnet was designed to tamper with frequency converter drives, which convert the electrical supply from the grid to a much higher output frequency. The process is used in uranium enrichment, which has led to speculation that Stuxnet was developed by a nation state to interfere with nuclear weapons development.

Nonetheless, Stuxnet showed that computer systems thought to be protected somewhat by their obscurity may be increasingly targeted, whether for sabotage or industrial espionage.

With SAP, “I think we may see something like that in the near future, but mostly now the concern is a direct attack, such as taking a system offline or modifying business information,” Nuñez Di Croce said.

Stuxnet “was the shot across the bow of the industry,” said Alex Ayers, director of operations for Turnkey Consulting, a U.K.-based company that also specializes in SAP security. “If you’ve got people who have the ability to do this, why should we assume that any ERP can’t be targeted in the same way?”

SAP spokesman Hilmar Schepp said the company is not aware of any Stuxnet-like malware targeting its software. Because “Stuxnet was designed to attack mainly Microsoft and Siemens software, please understand that we don’t want to comment further on this,” Schepp said.

The core of SAP is its NetWeaver platform, which is the framework on which other SAP applications sit. If an attacker can get inside NetWeaver, any of the other applications on top of it can be compromised, Nuñez Di Croce said.

Vulnerabilities in SAP products numbered around 20 in 2007, but that figure has risen to nearly 300 this year, Nuñez Di Croce said. The reason for the rise, Nuñez Di Croce and Ayers said, is increased attention from security researchers into SAP systems and more scrutiny from the company.

SAP has also been evangelizing the importance of better security practices to its customers. In September it published a white paper, “Secure Configuration SAP NetWeaver Application Server ABAP,” that consolidated a set of its existing security recommendations into a succinct document. The recommendations cover SAP systems that are used on internal networks and are not Internet facing.

“While some organizations already have made these configurations, we realized that other customers still underestimate the increased level of threat from inside a company,” Schepp said.

SAP also said in September that it would release patches on a regular schedule on the second Tuesday of the month, the same day as Microsoft. Adobe Systems also adheres to the same schedule for the convenience of system administrators.

Many companies simply don’t patch SAP for fear of disrupting part of its functionality, Nuñez Di Croce said. Ayers said the situation is somewhat similar to how some companies deal with Windows, with some administrators more on the ball than others.

SAP is “really just taking it [security] a lot more seriously,” Ayers said. “I think it’s industry’s time to catch on to that and make sure we don’t get into a situation where someone’s system has been trashed.”

SAP also offers a variety of security tools for customers, including its Security Optimization Service and the EarlyWatch Alert, which alerts administrators to system performance issues.

Nuñez Di Croce’s company, Onapsis, has upgraded its X1 ERP vulnerability testing product to test for compliance against all of the recommendations in SAP’s white paper. Onapsis is holding a webinar on Dec. 1 to explain how the product is used.

http://www.computerworld.com/s/article/9197840/Is_SAP_afraid_of_a_Stuxnet_style_attack_?source=CTWNLE_nlt_security_2010-11-23

Posted December 1, 2010 by axxerainc in Uncategorized