Categories
Computer & Network Security|Social Engineering>Phishing

Highly effective social engineering using Google Drive

Researchers at Symantec have identified an attack on Google Docs users that relies on highly effective social engineering. The attack works so well because the redirect page is hosted on Google’s own servers and is served over SSL. The criminals used Google Drive’s preview function to obtain public-facing URLs. The sign-in page is pictured below. Take a second and see if you can spot the flaw.


If you were sent an email request and directed here, would you have missed the “Sign in to continue to Google Drive” text? My son’s school uses Google Docs for students and I know he would have missed it and entered his login credentials. The moral of this story is to be conscious of how much personal information you store in any service with this much access to your life.


Categories
Research

News Brief – 03/13/14

Critical crypto flaw in Facebook’s WhatsApp for Android exposes chats

Tread carefully when granting apps access to features on your phone, such as the SD card.

The Android version of WhatsApp, the cross-platform instant messaging app purchased by Facebook for $16 billion, has a loophole that leaves chat histories wide open to other apps installed on the same smartphone, a security consultant says.

162,000 WordPress instances abused for DDoS attack

Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline. Source

If you use WordPress, it must be updated as soon as updates are released. Standard security practices should be followed, including:

  1. Using logins other than the admin account and disabling or reducing privileges of that account.
  2. If possible, changing the default wp- prefix to a different prefix for virtual directories.
  3. Installing logging plugins to monitor logins.
  4. Keeping plugins up to date.
  5. If possible, putting a web application firewall in front of the WordPress installation.

Security updates available for Adobe Flash Player

Today’s release does not include critical updates, but Adobe software should still be updated as soon as updates are released. Adobe products are a frequent target of phishing attacks.

Release date: March 11, 2014

Vulnerability identifier: APSB14-08

CVE number: CVE-2014-0503, CVE-2014-0504

Platform: All Platforms

290k+ users possibly affected in North Dakota University breach

The affected server contained the name, Social Security number, and other student information for 291,465 current and former students, including some Fall 2014 applicants, as well as the Social Security number and employee ID number for 784 faculty and staff members.

Apparently, the compromise dates back to October 2013.

Again, another breach has been reported and we find out that it had been ongoing for a significant amount of time. Logging alone is no longer a viable option for discovering and preventing attacks. SIEM solutions that can analyze and interpret logs and correlate them across many systems are necessary in today’s data-driven, fast-paced environments.


Categories
Computer & Network Security>Microsoft|Computer & Network Security>Microsoft Security Bulletin

March 2014 Microsoft Security Bulletin Release

For this month’s round of patches Microsoft has released five new security bulletins, two of which are for critical vulnerabilities.  The first critical update is a cumulative security update which resolves numerous vulnerabilities that could allow remote code execution in both workstation and server operating systems.  The second update is an update specifically for Microsoft DirectShow which could also allow remote code execution in both workstation and server operating systems.

In addition to the security bulletins, Microsoft also released an updated version of the Microsoft Windows Malicious Software Removal Tool, and re-released a security advisory update for vulnerabilities in Adobe Flash Player running in Internet Explorer.

Microsoft recommends that customers apply these updates immediately using update management software, or by checking for updates using the Microsoft Update service.

Source: http://technet.microsoft.com/en-us/security/bulletin/ms14-mar

Categories
Compliance > Privacy

Apple iOS and OS X Critical Vulnerability

Recently Apple released updates containing critical security patches that address flaws in SSL encryption which could allow attackers to intercept email and other communications that are meant to be encrypted on iPhone, iPad and Mac computers.

Apple released a “security advisory” in which they provide vague statements regarding the security issues: “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

Apple did not say when or how it learned of the vulnerability, but the bug appears to exist in some versions of iOS 6, iOS 7, Mac OS X, and Apple TV. iOS 6.1.6 and 7.0.6 were recently released to fix the issue. The bug appears to have been introduced in OS X 10.9; OS X 10.9.1 is still affected.

This flaw affects the basic security mechanism that Apple uses to implement SSL connections. The main risk is using an affected device in untrusted environments where someone could be eavesdropping, such as free unsecured Wi-Fi in coffee shops, airports and hotels. According to the post by Brian Krebs, “For now, it may be wise to avoid using Safari on OS X systems.” As Dan Goodin at Ars Technica writes, “because the Google Chrome and Mozilla Firefox browsers appear to be unaffected by the flaw, people should also consider using those browsers when possible, although they shouldn’t be considered a panacea.”

Sources:

http://www.digitalmunition.net/?p=823

https://www.imperialviolet.org/2014/02/22/applebug.html

Categories
Computer & Network Security|Compliance>PCI|Research

The Switch to Chip and PIN. Will it change anything?

Chip & PIN, the future of credit cards

Late next year the U.S. will finally catch up to the rest of the world when it comes to credit card transactions. Customers will no longer sign credit card receipts; instead they will enter a PIN, similar to making a debit transaction. The U.S. is the last major market still using the old-fashioned signature system, which is the primary reason about half of the world’s credit card fraud happens in the U.S.

What is Chip & PIN?

Basically, we are replacing our signature with a PIN code. Each card will include a microchip that is matched to a PIN code. When the card is inserted into the POS system, the chip is read and the PIN code authenticates the card. Flaws in the system have already been reported since 2010, not to mention how incredibly vulnerable 4-digit PINs are to social hacking, as discussed in this article. If most of the fraud occurs in the U.S., where we don’t use this system, is it logical to think that most of the effort to commit fraud is not focused on finding flaws in the Chip & PIN system? A British research firm has released a paper detailing a new vulnerability in Chip & PIN. According to the paper, “EMV did not cut fraud as its proponents predicted. While using counterfeit and stolen cards did become more difficult, criminals adapted…” According to their research, it does not appear that Chip & PIN technology reduced cyber-related fraud.

Will this really make our information safer?

Let’s take the Target breach as an example. That data was compromised by malware installed on the POS system, which gathered information while it was in transit. Would having a Chip & PIN system in place have prevented the loss of the information? It doesn’t appear that way. So the question is, then, will the new system, in the event of data loss, prevent the abuse of that information and protect consumers from fraud?

The problem in the Target breach was not fraud; fraud was the outcome. The cause was the lack of comprehensive security policies and programs in place at the organization, or at the very least a lack of diligence in enforcing them. This issue is not unique to Target, or to retail, or to any other industry. If the problem is not fraud but broken security, why are we poised to spend billions as a total economy to shift to a solution that doesn’t solve the problem? Is it really to protect consumers from fraud?

UPDATED: PayPal President’s credit card was stolen and used fraudulently. “Marcus noted that his credit card had EMV chip technology, a more secure system currently in use in Europe. But that didn’t stop the data from being stolen and used for a ‘ton of fraudulent’ transactions, according to the PayPal chief.” Source: USAToday

What does the Chip & PIN system solve?

The WSJ article announcing the shift says it best: “Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs…So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.”

The new system is not about protecting consumers; it’s about protecting credit card companies and shifting the liability to the merchant and the consumer. There are benefits to the consumer, and it will reduce fraud: it will require a higher level of sophistication to commit fraud with any data that is gathered. That is just it, though. There are still ways to commit fraud, and we know there are ways to get the data; it’s just a matter of time.

So should we be spending the effort and the capital to invest in this new system while creating a false sense of security?  This system should not be touted as the be all and end all of credit card fraud.  It is a step to mitigating the risk.

Where should we start?

As I was writing this, I discovered this article by CSOOnline. This article takes a very strategic approach to analyzing the situation I am discussing. I strongly suggest reading it.

Companies should stop trying only to meet compliance requirements and instead focus on comprehensive security. Many industry-standard compliance requirements focus so much on privacy that they often neglect general security, such as segregating networks so that the general environment is separated from protected data. Organizations must focus on general, overall security, and the data within will become protected; otherwise, regardless of the protections we put in place at the point of sale, breaches will continue to happen.

Why is it hard to do this? It’s often not visible, and it’s expensive. Consumers don’t see the results of a secure network; they only see the results of an insecure network or of changes at the POS. This is a difficult position for CISOs and CIOs to compete from, and in the end the consumer loses.


Categories
Information Security>Data Breach|Compliance>Privacy|Social Engineering|Computer & Network Security>Vulnerabilities

NBC Sochi Hack Report Fraudulent

UPDATED: Kyle Wilhoit, Senior Trend Micro Researcher, further confirmed that NBC misrepresented the ‘hacks’ in their video in his blog posts here and here and his whitepaper.  Wilhoit is quoted in his blog as saying, “First, all the attacks required some kind of user interaction….Second, these attacks could happen anywhere. They would not just happen in Moscow, nor did it require us to be in Moscow….Third, the infections occurred on newly unboxed hardware. Had basic security precautions such as updating the operating system or not opening emails from unrecognized sources been done, these attacks could have been prevented.”

UPDATED: We originally re-posted the story from NBC.  As security researchers have charged, this could be the work of media bias and manipulation.  It seems as though, as usual, standard security best practices are all that are needed.

Tweet from Kyle Wilhoit, security researcher in the NBC video, in reference to the white paper he is writing describing his trip to Moscow (not even Sochi): “Agreed. A line from the paper: ‘In this case, he would have been hit in Russia; just the same way he would if in Philadelphia’”

So in short, the video was made to sound like Moscow was more dangerous than, say, a coffee shop in America. As it turns out, according to Kyle’s Twitter feed, it’s no more dangerous if you follow standard security practices. They purposely downloaded malicious files and navigated to malware-infested Russian websites. According to Erratasec’s blog:

That leaves us with the same advice that we always give people:
  1. don’t click on stuff
  2. patch your stuff (browser, Flash, PDF)
  3. get rid of the really bad stuff (Oracle’s Java)
  4. don’t click on stuff
  5. oh, and if you really are in Sochi, use VPN over the public WiFi

Source: http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html


According to NBC, visitors “can expect to be hacked.” The State Department warns that “travelers should have no expectation of privacy, even in their hotel rooms.” From the point of logging onto their computer and connecting to the internet, the computer was attacked in less than a minute and fully compromised in less than 24 hours. This could become one of the largest data breaches ever if visitors do not heed these warnings. There will be high-profile celebrities, athletes, heads of state, foreign dignitaries and more, all with information that attackers would love to exploit.

The advice according to NBC is to leave your electronic devices at home if they are unnecessary. If they are necessary, do not connect to public Wi-Fi, and remove any private information such as photos, financial information, or similar data.

Categories
Computer & Network Security>Adobe|Computer & Network Security>Patches

Adobe Flash Player Critical Update

Adobe has released a critical patch to address a vulnerability that could allow an attacker to take control of an affected system.

Release date: February 4, 2014

Vulnerability identifier: APSB14-04

CVE number: CVE-2014-0497

Platform: All Platforms

Source: http://helpx.adobe.com/security/products/flash-player/apsb14-04.html

Categories
Computer & Network Security>Adobe|Information Security>Data Breach|Compliance>Privacy

Breach Alert! Yahoo user data stolen

As evidence of why users should not reuse the same usernames and passwords across sites, it appears that data collected from recent breaches was used to break into user email accounts at Yahoo on a massive scale. Yahoo recognized the attack and has taken steps to reset passwords. Their Security Update was posted on Tumblr today.

According to Yahoo they are taking steps to protect users:

  • We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.
  • We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
  • We have implemented additional measures to block attacks against Yahoo’s systems.

Categories
Computer & Network Security|Information Security>Data Breach|Social Engineering>Phishing|Compliance>Privacy

Scammers take advantage of Target Breach victims

Can you recognize a phishing email?  Target recently sent out an email to those affected by the data breach with information about the breach and steps to take if your information was involved.  That email can be viewed on Target’s website.


Scammers are also taking advantage of the situation and sending their own Target breach notification emails. Can you spot the differences between a real and a fake email?

Honestly, I am surprised that Target sent their email the way they did. One of the first ways to identify a suspicious email is whether or not you recognize the sender. In the case of the legitimate Target email, it came From: Target.com (TargetNews@target.bfi0.com). This immediately raises a red flag in my head because I don’t know the domain bfi0.com. Putting a trusted name in front of an unfamiliar domain is a standard tactic scammers use to get users to trust the “Target” part of the address and ignore the rest. This was an oversight on Target’s part in trying to instill trust in their customers, and I would not have trusted this email if I had received it. I dug a little more, and a WHOIS lookup shows that the bfi0.com domain is registered to Epsilon Data Management, which tracks email marketing campaigns. I now know this is the real Target email.
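The sender check the post walks through above can be automated as a first screening step. This added Python example (not from the post) compares the brand named in the From display name against the registrable domain of the actual address; the brand-to-domain list and the two sample headers other than Target’s are constructed, and the two-label domain heuristic is a simplification noted in the code.

```python
from email.utils import parseaddr

# Constructed allow-list for this example: brands a reader might see in a display
# name, mapped to the registrable domains that may legitimately send mail for them.
KNOWN_BRAND_DOMAINS = {'target': {'target.com'}}

def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'target.bfi0.com' -> 'bfi0.com'.
    Simplification: production code should consult the Public Suffix List so that
    names like 'example.co.uk' are not reduced to 'co.uk'."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_sender(from_header):
    """Return (verdict, reason) for a From: header. The display name is what the
    reader sees; the domain of the address is who actually sent the mail."""
    display, addr = parseaddr(from_header)
    if '@' not in addr:
        return 'suspicious', 'no parsable sender address'
    addr_domain = registrable_domain(addr.split('@', 1)[1])
    display_l = display.lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display_l and addr_domain not in domains:
            return 'suspicious', f'display name mentions {brand!r} but mail comes from {addr_domain}'
    return 'ok', f'sender domain {addr_domain} is consistent with the display name'

# Header form of the real Target notice quoted above, plus two constructed samples.
SAMPLE_HEADERS = [
    'Target.com <TargetNews@target.bfi0.com>',
    'Target <news@email.target.com>',
    'Target Guest Relations <security@targett-alerts.net>',
]

if __name__ == '__main__':
    for hdr in SAMPLE_HEADERS:
        verdict, reason = check_sender(hdr)
        print(f'{verdict:10} {hdr}  ({reason})')
```

The real Target header is flagged as well: the check does not prove fraud, it tells you to verify the sending domain before trusting the mail, which is exactly what the WHOIS lookup above did.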

The biggest things to notice in the real email are that they are not asking you to click on anything except the Target.com website, and they do not ask you for any information.

Scammers will try and make you feel compelled to click on links and divulge personal information.

If you have already received one of the fake emails, you should immediately delete it.  If you clicked on anything, you need to make sure your antivirus is up to date, and it would probably be a good idea to change the passwords on your online accounts.

If you divulged personal information in response to the scam email, you need to immediately contact your bank and/or credit card company and notify them to be vigilant for fraudulent activity.

Finally, Target is offering free credit monitoring to anyone affected by their breach, and I recommend signing up for it immediately.  You can see the details on Target’s website.

As a general rule, if you don’t recognize the sender, don’t trust the email.


Categories
Compliance>PCI|Compliance>Privacy

Top 25 Passwords from 2013: 123456 reigns supreme

2013 crowned a new champion for the #1 password, based on passwords collected from data breaches. The top password for 2012 was ‘password,’ but in 2013 ‘123456’ reigns supreme.

SplashData, a security firm, releases its findings each year on the top passwords discovered in breaches. This year, due to the size of the Adobe breach, you’ll see some Adobe-related passwords make the list.

  1. 123456 (+1)
  2. password (-1)
  3. 12345678 (0)
  4. qwerty (+1)
  5. abc123 (-1)
  6. 123456789
  7. 111111 (+2)
  8. 1234567 (+5)
  9. iloveyou (+2)
  10. adobe123
  11. 123123 (+5)
  12. admin
  13. 1234567890
  14. letmein (-7)
  15. photoshop
  16. 1234
  17. monkey (-11)
  18. shadow
  19. sunshine (-5)
  20. 12345
  21. password1 (+4)
  22. princess
  23. azerty
  24. trustno1 (-12)
  25. 000000

So what can you glean from this? First, if your password is in this list, change it immediately. It is literally one of the first passwords someone will try if you are targeted. Second, it shows why users should not use the name of the application they are protecting in their passwords, nor easy-to-remember letter and number combinations.

Securit360 recommends using a password manager to store complex and unique passwords in as many situations as you can. Where you can’t use a password manager, we recommend using passphrases made up of letters, numbers and symbols. The longer the passphrase the better, preferably 10 or more characters. If you have to choose between long or complex, choose long. Don’t use common words or phrases; don’t be predictable. Don’t share passwords among accounts, but find a way to make a unique password for each account. Don’t use real information in your security questions, but if you do, use a phrase and not just a single word. Turn on two-factor authentication if it is available.
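An added Python example (not Securit360’s) that turns the advice above into a checker: it rejects anything on the 2013 top-25 list, enforces the 10-character minimum, and catches application names, single repeated characters, and keyboard or digit runs. The keyboard rows and the minimum length are assumptions drawn from this post.

```python
import re

# The 2013 SplashData top 25 exactly as listed in the post above.
TOP_25 = {
    '123456', 'password', '12345678', 'qwerty', 'abc123', '123456789', '111111',
    '1234567', 'iloveyou', 'adobe123', '123123', '1234567890', 'admin', 'letmein',
    'photoshop', '1234', 'monkey', 'shadow', 'sunshine', '12345', 'password1',
    'princess', 'azerty', 'trustno1', '000000',
}
# Assumed keyboard rows (QWERTY and AZERTY, which both appear in the list) plus the digit row.
KEYBOARD_ROWS = ('qwertyuiop', 'asdfghjkl', 'zxcvbnm', 'azertyuiop', '1234567890')
MIN_LENGTH = 10  # the post's recommendation: 10 or more characters

def keyboard_run(pw, length=4):
    """True if pw contains `length` adjacent keys from one row, forwards or backwards."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - length + 1):
            seq = row[start:start + length]
            if seq in p or seq[::-1] in p:
                return True
    return False

def password_problems(pw, app_name=None):
    """Return the list of reasons a password fails the post's advice; [] means it passes."""
    problems = []
    low = pw.lower()
    if low in TOP_25:
        problems.append('appears in the 2013 top-25 list')
    if len(pw) < MIN_LENGTH:
        problems.append(f'shorter than {MIN_LENGTH} characters')
    if app_name and app_name.lower() in low:
        problems.append(f'contains the application name {app_name!r}')
    if re.fullmatch(r'(.)\1*', pw):          # e.g. '111111', '000000'
        problems.append('one repeated character')
    if pw.isdigit():
        problems.append('digits only')
    if keyboard_run(pw):
        problems.append('contains a keyboard or digit run')
    return problems

if __name__ == '__main__':
    for candidate, app in (('adobe123', 'Adobe'), ('qwerty', None),
                           ('1111111111', None), ('Correct Horse Battery Staple', None)):
        print(f'{candidate!r}: {password_problems(candidate, app) or "OK"}')
```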