iTWire - Security - Technology news, trends, reviews, jobs (feed generated Sat, 29 Nov 2014 02:39:49 +1100)

'Syrian Electronic Army' subverts web traffic

A number of high-traffic websites have been affected by the alteration of a single DNS setting at a popular domain registrar.

Multiple websites using the Gigya commenting service (aka 'customer identity management platform') - reportedly including high-traffic sites such as those operated by Aljazeera, CNBC, CNN, Dell, Microsoft, National Geographic, Nine News Australia, Red Bull, Stuff (New Zealand), UNICEF and William Hill Betting - have been displaying messages suggesting the site or its users had been hacked by the Syrian Electronic Army.

This was achieved by redirecting traffic intended for Gigya to other sites, by altering Gigya's DNS record at domain registrar GoDaddy.

DNS records determine how domain names are translated into IP addresses.

While the DNS record was soon corrected, the way records are cached and propagated between DNS servers means it could take as long as two days for that change to reach them all. Consequently, some users may still see the spurious messages.

More than 700 sites may have been affected. Gigya claims to be "trusted by more than 700 leading brands."

Gigya CEO Patrick Salyer said "To be absolutely clear: neither Gigya's platform itself nor any user, administrator or operational data has been compromised and was never at risk of being compromised."

He added "Gigya has the highest levels of security around our service and user data. We have put additional measures in place to protect against this type of attack in the future."

And editor Patrick Crewdson said "We treat any breach of services we use very seriously. We have no reason to believe any user information was compromised, and we're working with Gigya to make sure such a breach doesn't happen again."

A tweet from @Official_SEA16 said the attack was harmless, and that users could protect themselves against similar but more malicious attacks by using the NoScript add-on for Firefox. NoScript blocks JavaScript and certain other types of content from running on web pages unless they have been whitelisted.

The Syrian Electronic Army has previously claimed responsibility for attacks on major media organisations including the BBC and the New York Times (also via a domain registrar, in that case Melbourne IT).

(Stephen Withers) Security Fri, 28 Nov 2014 15:29:46 +1100

ACMA releases malware portal

The Australian Communications and Media Authority has launched its AISI (Australian Internet Security Initiative) portal.

The ACMA says the portal is the next phase in the development of the AISI, which partners with industry to identify malware-infected devices in Australia on the Internet.

The portal is designed to make it easy for Internet Service Providers to identify which of their customers’ devices have been affected by malware. The AISI has been collecting and collating information highlighting malware activity since 2005.

Using that information, the ACMA provides details to the AISI’s voluntary participants—ISPs and educational institutions—of apparent infections in their networks. In turn, ISPs can then proactively help their customers identify and treat these infections.

Approximately 70,000 observations of malware are now being received and processed daily for access by the program’s 139 participants through the AISI portal. These malware observations are linked to a particular Internet connection, but it’s often not straightforward matching an observation to a particular computer or other device in a home or business network.

“The AISI portal responds to rapid growth over recent years in how Australians use the internet, and the resulting challenges about identifying malware,” said ACMA chairman Chris Chapman. “Growth in home networks and business networks in Australia—and in the number of devices attached to a network, such as smartphones, tablets, game consoles—make identifying an infected device much more difficult.


“The new AISI portal, however, is local network aware. It recognises the multiple devices connected to local networks. For the first time, it now provides internet service providers with detailed information about an infection that can determine the problem device within a home or business network,” Chapman said.

ACMA research has identified that in Australia around half of all households have networks with more than five devices connecting to the internet and 56 per cent of small businesses and 74 per cent of medium-sized businesses have their own network connected to the internet.

Other ACMA programs targeting or ameliorating cyber security threats include the Phishing Alert Service and the Spam Intelligence Database (SID). The ACMA has also launched a video which explains malware and gives tips for consumers on protecting their devices online. The video was originally developed by the US consumer protection agency, the Federal Trade Commission (FTC).

“Cyber-criminals aren’t going away anytime soon, so the ACMA will continue to fight malware on two fronts: educating consumers and businesses to take action to protect themselves is critical; and ensuring that programs such as the AISI identify problems as soon as they arise,” said Chapman.

The Australian Internet Security Initiative is the centrepiece of the ACMA’s work on internet security. The AISI receives data from 17 organisations, including Microsoft, The Shadowserver Foundation and Team Cymru (which undertake research on Internet security).

In August 2014, the Communications Alliance published the iCode C650:2014, which replaced a 2010 version developed by the now defunct Internet Industry Association. The iCode aims to promote a security culture in the internet industry by reducing the number of compromised computers in Australia. It is designed to provide a consistent approach for Australian ISPs to help inform, educate and protect their customers against cyber security risks. The iCode encourages all Australian ISPs to participate in the AISI.

(Graeme Philipson) Security Fri, 28 Nov 2014 12:00:01 +1100

Cloud rolling in: Sophos's 'leapfrog' move

The recent release of Sophos Cloud Server Protection is just part of a broader strategy.

Sophos Cloud Server Protection is, as the name suggests, a server-specific component of Sophos Cloud providing malware protection, host intrusion prevention and web security, all with a web-based interface for managing multiple servers.

The company claims it is the only security product that continually monitors servers, detects new applications, and intelligently adjusts policies to maintain operational efficiency.

Sophos Asia Pacific managing director Stuart Fisher told iTWire that the traditional approach to security is not working, so the company is in the midst of a transformation that will allow it to provide better and more complete security for all users.

The 2011 acquisition of network security vendor Astaro was an important move for Sophos, and earlier this year it acquired Cyberoam Technologies, which also plays in that space.

Sophos's Project Copernicus is aimed at combining the technologies originating from those two businesses.

The other big project underway at Sophos is Galileo, which has the goal of providing unified endpoint and network protection from the cloud: "we're betting the company on the cloud," he said.

The target market is the 25 million or so midmarket organisations around the world. "They're the ones with the biggest security challenges," Fisher said, as they do not have in-house security expertise and they would rather not struggle with the implications of using products from multiple providers due to the resulting deployment and management problems.

Sophos will offer a complete product - endpoint protection, virtual firewall, mobile device management and more - through its network of partners.

"We are literally leapfrogging the industry" with this new deployment model built around partners and the cloud, he said.

The endpoint protection component is already available, with the others on the roadmap for 2015. "We're not looking at big releases," said Fisher; components will instead be introduced progressively.

Sophos also plans to release a comprehensive "enterprise grade" security package for homes, protecting endpoints, networks, routers and more.

"We can be very disruptive in this market," Fisher said, and it will "help us win hearts and minds."

Fisher is well aware that Sophos does not have the mindshare of its main competitors, but the company is outgrowing the market at a time when "our competition seems to be in a world of pain," he said, citing Symantec's turnover of CEOs and plans for divestiture, and Intel Security's pending retirement of the McAfee brand.

Sophos's message is resonating with the market and with analysts, he claimed.

(Stephen Withers) Security Wed, 26 Nov 2014 17:44:41 +1100

Unicorn goes wild - unpatched Windows gets the horn

A very old but only just fixed Windows vulnerability is the key to a new in-the-wild attack.

Security vendor ESET says it has detected a real-life exploit for a vulnerability that's been part of Windows for nearly two decades.

Microsoft recently fixed a Windows vulnerability that's exploitable through Internet Explorer. The vulnerability has been present since Windows 95, and the addition of VBScript to Internet Explorer made it remotely exploitable, despite the Enhanced Protection Mode sandbox in version 11, or the use of Microsoft's Enhanced Mitigation Experience Toolkit.

Because such vulnerabilities are so rare, this one was dubbed Unicorn by its discoverer, IBM's X-Force Research team.

Now security vendor ESET says it has detected the use of this vulnerability on a compromised page on a Bulgarian web site that Alexa ranks as one of the most visited sites in Bulgaria and one of the top 11,000 globally.

The company warns that the attack code - which is based on a proof of concept produced by a Chinese researcher - downloads and executes known malware.

ESET Research staff suggest that the presence of the code on just one of the site's pages could indicate that it is still being tested by the miscreants.

"It was only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign," they said.

"Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website.

"As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors."

The solution: apply the patch to still-supported versions of Windows, and stop using older ones online. (That said, a comment on the IBM page about the discovery of the vulnerability suggests it may be possible to patch Windows XP by having it pose as Windows Embedded POS Ready 2009.)

(Stephen Withers) Security Wed, 26 Nov 2014 16:01:34 +1100

The Box will protect everything

So says BitDefender in introducing a new solution for protecting the Internet of Things.

Calling for the end of the era of simple antivirus (didn't that happen about 3 years ago?) and the start of seamless online 'Protection from Everything', BitDefender has announced The Box, a combined hardware and software solution that offers a near magical level of protection from everything and for all who enter the home.

According to BitDefender, “The new device wards off fraud, malware, data theft, spying and other modern-day ills and ensures total safety for PCs, Macs, iPhones, iPads, Android or Jolla devices, Wiis and Xboxes, smart TVs, smart fridges and all other Wi-Fi-enabled devices.

The device is a combination of router, network firewall and rather simple intrusion prevention system. It is designed to sit behind an existing Internet connection device (ADSL or cable modem), connected to one of its Ethernet ports; it could also be placed in front of the connection device, so that it also protects the router from Internet-based attacks, or it can act as a router itself.

The Box has a single-core 400 MHz MIPS microprocessor, 16 MB Flash memory, 64 MB DDR2 RAM, two 10/100 ethernet ports and a wireless chipset supporting 802.11b/g/n Wi-Fi standards and is able to operate at speeds up to 150Mbps.

“The deep, network-level protection prevents any threat from reaching these devices.

The Box also offers antitheft capabilities, able to tune up a device and update its operating system, depending on the device and platform.

"Able to be set up in seconds, users can start managing their devices in minutes and enjoy years of seamless security. The Box will also ensure user equipment continues to operate at maximum efficiency while under comprehensive protection."

BitDefender's Catalin Cosoi observes, “The Box represents the birth of a faster, smarter, leaner and more convenient weapon against online dangers. The Box embodies security the way it should be - it fully protects you 24/7 and most members of the family won't even realise it's there."

US pricing will be $199, with a yearly subscription of $99 for the second and subsequent years. Australian pricing is not yet available.

The Box will be available in Australia in 2015; iTWire intends reviewing one as soon as it is available in an attempt to test these rather amazing claims.

(David Heath) Security Wed, 26 Nov 2014 13:11:52 +1100

Symantec uncovers Regin trojan’s rein of backdoor malware terror

An unknown nation state has created a multi-staged backdoor trojan malware threat dubbed Regin by Symantec which seeks to get in like a ray-gunned Flynn and flummox its targets with ultra advanced spying capabilities.

Uh-oh… it’s not just Stuxnet or Duqu that have been created by stunningly competent malware creators in unknown nation states, but now a new threat that has seemingly been in operation since 2008, using multiple stages and steps for mass surveillance against anyone its creators desire to target.

Named ‘Backdoor.Regin’ by Symantec, Regin’s rein of terror is one that has taken ‘months if not years’ to develop, with its authors going to ‘great lengths’ to cover their tracks, as described at Symantec’s blog.

Symantec’s technical whitepaper (PDF link) on the threat goes into the details of the multi-staged threat, noting that ‘each stage is hidden and encrypted, with the exception of the first stage.’ 

Once the first stage has been executed, there is a ‘domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat.’

Symantec has provided an image showing each of the five steps, with the malware’s ‘module approach’ letting it load ‘custom features tailored to the target’.

But this multi-staged and modular approach is not new, with modularity seen in malware such as Flamer and Weevil, and multi-staged capabilities seen with Stuxnet and Duqu.

Regin was initially active and targeting organisations from as far back as 2008 through to 2011, after which Regin’s rein was terminated by its creators.

Regin then rose back from hibernation in 2013, targeting not just companies, but individuals, government organisations and research institutes - even telcos were targeted so that Regin’s creators could, shockingly, access calls going over a telco’s network.

Talk about being owned, pwned and Capone’d by the malware mobsters!

We’re talking about a malware attack spread across ten different countries, with attack vectors including spoofed websites, and exploits in apps that had vulnerabilities, like Yahoo Messenger.

No reproducible vector had been established when Symantec released its findings, showing just how incredibly sophisticated this malware threat is, with custom modules able to be deployed at will to change attack vectors and go after targets with razor-sharp accuracy.

This extends to dozens of different payloads, including Remote Access Trojans (RATs) that can effectively give the malware’s creators complete control over an end user’s PC - more control than even the end user has - for the ultimate in covert surveillance, which even extended to recovering deleted files.

Worse still, Symantec notes the extreme lengths taken to make the malware inconspicuous so that ‘espionage campaigns’ lasting several years could be staged - a frightening thought for anyone.

The malware also has its own encrypted virtual file system, anti-forensics capabilities and other stealth features, as well as being able to covertly communicate with ICMP/ping, embedded commands in HTTP cookies and even custom TCP and UDP protocols.
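As an added illustration (not Symantec's code, nor anything from its whitepaper), the following heuristics run over constructed flow records and flag the kinds of covert channels listed above: ICMP echo traffic whose payload is not a standard ping pattern, unusually long and high-entropy HTTP Cookie headers, and traffic on the HTTP or DNS port that does not look like HTTP or DNS. The `Flow` record, the thresholds and the sample flows are assumptions made for this example.

```python
import base64
import hashlib
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    """One reduced traffic record (assumed shape): protocol, destination port,
    the first application-layer bytes and, for HTTP, the request headers."""
    proto: str                      # "icmp", "tcp" or "udp"
    dst_port: int = 0
    payload: bytes = b""
    headers: Dict[str, str] = field(default_factory=dict)


# Thresholds are assumptions chosen for illustration, not Symantec's figures.
ICMP_MAX_NORMAL_BYTES = 64      # default ping payloads are 56 (Linux) or 32 (Windows) bytes
COOKIE_MAX_NORMAL_LEN = 512
COOKIE_ENTROPY_LIMIT = 5.0      # bits per byte; base64-encoded ciphertext sits near 6.0
WINDOWS_PING_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
HTTP_PREAMBLES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"HTTP/")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for random or encrypted bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_sequential(data: bytes) -> bool:
    return len(data) >= 2 and all((data[i] + 1) & 0xFF == data[i + 1] for i in range(len(data) - 1))


def looks_like_standard_ping(payload: bytes) -> bool:
    """Linux ping sends an 8-byte timestamp followed by 0x10, 0x11, ...;
    Windows ping sends a fixed alphabet pattern. Anything else is unusual."""
    if not payload:
        return True
    if is_sequential(payload) or (len(payload) > 8 and is_sequential(payload[8:])):
        return True
    return payload == WINDOWS_PING_PATTERN[: len(payload)]


def check_icmp(flow: Flow) -> Optional[str]:
    if len(flow.payload) > ICMP_MAX_NORMAL_BYTES:
        return "icmp: oversized echo payload"
    if not looks_like_standard_ping(flow.payload):
        return "icmp: echo payload does not match a standard ping pattern"
    return None


def check_cookie(flow: Flow) -> Optional[str]:
    cookie = flow.headers.get("Cookie", "")
    if len(cookie) > COOKIE_MAX_NORMAL_LEN and shannon_entropy(cookie.encode()) > COOKIE_ENTROPY_LIMIT:
        return "http: unusually long, high-entropy Cookie header"
    return None


def check_port_protocol(flow: Flow) -> Optional[str]:
    """A custom protocol is easiest to spot on a port whose usual protocol has a recognisable preamble."""
    if flow.proto == "tcp" and flow.dst_port == 80 and not flow.payload.startswith(HTTP_PREAMBLES):
        return "tcp/80: payload is not HTTP"
    if flow.proto == "udp" and flow.dst_port == 53 and len(flow.payload) < 12:
        return "udp/53: payload shorter than a DNS header"
    return None


def classify(flow: Flow) -> List[str]:
    checks = [check_icmp] if flow.proto == "icmp" else [check_cookie, check_port_protocol]
    return [finding for finding in (check(flow) for check in checks) if finding]


def scan(flows: List[Flow]) -> List[Tuple[int, str]]:
    """Return (flow index, finding) pairs for every heuristic that fired."""
    return [(i, f) for i, flow in enumerate(flows) for f in classify(flow)]


def constructed_flows() -> List[Flow]:
    """Sample records constructed for this example; not captured Regin traffic."""
    linux_ping = bytes(8) + bytes(range(0x10, 0x40))          # 56-byte default Linux echo payload
    odd_ping = bytes([0x9F, 0x02, 0x77, 0x31, 0xC4, 0x18, 0xE0, 0x5B, 0x3A, 0x6D, 0xF1, 0x88])
    big_ping = bytes(range(256)) * 2                          # sequential, but 512 bytes long
    noisy_cookie = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(15))).decode()
    return [
        Flow("icmp", payload=linux_ping),
        Flow("icmp", payload=odd_ping),
        Flow("icmp", payload=big_ping),
        Flow("tcp", 80, b"GET / HTTP/1.1\r\n", {"Cookie": "session=abc123; lang=en"}),
        Flow("tcp", 80, b"GET /img/logo.png HTTP/1.1\r\n", {"Cookie": "id=" + noisy_cookie}),
        Flow("tcp", 80, b"\x17\x03\x01\x00\x20\x8c\x41"),     # binary blob on the HTTP port
        Flow("udp", 53, b"\x01\x02"),
    ]


if __name__ == "__main__":
    for index, finding in scan(constructed_flows()):
        print(index, finding)
```

Heuristics like these produce false positives on their own (large pings and long cookies have benign uses), so in practice they are a triage signal to correlate with the host-level indicators Symantec describes, not a verdict.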

Symantec concludes that Regin required ‘significant investment of time and resources’, pointing to a nation state being responsible for Regin, and notes how intelligence gathering efforts ensure these investments in highly stealthy and frighteningly capable malware continue being made.

Symantec also openly concedes there is still much that is unknown about Regin, with additional functions and features likely still undiscovered.

Symantec’s blog and whitepaper have all the scary but all-too-real details.

(Alex Zaharov-Reutt) Security Mon, 24 Nov 2014 10:39:12 +1100

Yummba puts online banking credentials (and your money) at risk

A major cloud company has warned of a new set of tools being used to commit bank fraud.

Akamai's Prolexic Security Engineering and Response Team (PLXsert) has detected a new set of webinject tools used in conjunction with the Zeus malware to steal online banking credentials and perform fraudulent funds transfers.

"PLXsert has identified more than 100 financial institutions for which active webinjects are available in the wild. Most are mid-size and large financial institutions in North America and Europe," said Akamai security business unit senior vice president and general manager Stuart Scholly.

Webinjects - the insertion of custom elements into web pages - are nothing new. They are often used by malware to collect and exfiltrate credentials for banking and other websites.

The Yummba webinjects - the name is that of the (apparently Russian) individual or group behind the code - work with the Zeus malware kit and the Automatic Transfer System (ATSEngine) to collect banking usernames and passwords, card and CVV numbers, expiry dates, and other sensitive information such as dates of birth.

This may be done under the guise of an "additional authorisation process" or similar, with each webinject customised to match the look and feel of the relevant organisation's real website.

Where online banking credentials have been obtained or a legitimate session established, the malware may immediately transfer funds from the victim's account.

The PLXsert report [registration required] suggests the first line of defence is user awareness. Learning to recognise suspicious emails ("Red flags are generic salutations, grammatical errors in URLs, unexpected attachments, and attachments sent from unknown entities") helps prevent the Zeus malware from reaching a computer in the first place.

Endpoint security software can help, but PLXsert warns "there may be very low levels of detection for some threats."

At the network level, deep packet inspection and the blacklisting of illegitimate URLs provides some protection.

"PLXsert anticipates the underground crimeware ecosystem will continue to produce new and more powerful tools like Yummba webinjects to take advantage of the massive number of exploited devices on the Internet," said Akamai.

Image: EFF-Graphics [CC BY 3.0] via Wikimedia Commons

(Stephen Withers) Security Fri, 21 Nov 2014 17:34:01 +1100

Alert! Safari Trojan

A friend has had an annoying Safari-based issue where clicking a link opens a separate ad tab. This is a relatively new Trojan malware that cleverly hides the most useful page about getting rid of it.

Who said Macs are not vulnerable to security attacks? Nobody recently, that’s for certain. It is true, however, that such attacks are far less frequent than for those of us running Windows-based machines.

However, I thought I would relate this recent experience:  A friend showed me her iMac Safari problem.

“Every time I click on this hyperlink, a new tab opens trying to sell me software” she said.

And sure enough, doing a search engine search and clicking on one of the resultant links not only opens the expected window, but gives focus to an unwanted tab trying to flog security-orientated software. The kind of thing we see all the time on Windows-based boxes. It does not seem too vicious in its intent, just extremely annoying.

Trying to investigate the issue online with only Safari to work with becomes a chore. Particularly – as I soon found out – when it becomes clear this clever piece of malware hides the one page I have found that helped from the machine’s browser.

It was not until later on searching using another device that I found the following link:


This link features the steps required to remove the malware. This involves removing certain installed services, files and extensions (as needed). It works perfectly but does highlight an issue Apple needs to address.

Yes, this particular user has had their machine infected from a site offering streaming of [illegal] media, in this case Megashare. However, as is pointed out on the helpful page, you cannot rely on the OS X Gatekeeper functionality to warn you of the malware’s installation. In this case the developer has a valid code-signing certificate issued by Apple, meaning the software is installed without vetting by Gatekeeper. Nice.

Be careful out there.

(Mike Bantick) Security Fri, 21 Nov 2014 16:39:42 +1100

ACMA boosts the fight against malware with new portal

The Australian Communications and Media Authority (ACMA) is launching a new initiative to further enhance its efforts, with industry and business, to identify and warn of malware infecting devices on the Internet.

ACMA will launch its Australian Internet Security Initiative (AISI) online portal on Friday 28 November in a free live webcast to industry and the public.

The AISI has been collecting and collating information that indicates malware activity since 2005, and ACMA’s Internet Security Programs Manager, Julia Cornwell McKean, says the portal is the next generation of the AISI, which partners with industry to identify infected devices on the internet.

Cornwell McKean said ACMA uses the information collected through the portal to provide details to the AISI’s voluntary participants – internet service providers and educational institutions – of apparent infections in their networks.

“In turn, internet service providers can help their customers identify and treat these infections,” Cornwell McKean said.

The live webcast of the AISI portal next week will be led by Cornwell McKean, who will talk about the ACMA’s suite of internet security programs, including the AISI.

Cornwell McKean will also explain how the new portal can be used by internet service providers to help consumers identify compromised devices and rid them of malware.

The launch will include the premiere of a new video that highlights the malware threat faced by Internet users.

The launch event begins at 9.30am on Friday 28 November; the ACMA is offering a live stream and reminders ahead of the event.

(Peter Dinham) Security Fri, 21 Nov 2014 15:51:27 +1100

WireLurker arrests in China, but Masque problem widens

Three people have reportedly been arrested on suspicion of involvement in the creation and distribution of the WireLurker malware affecting iPhones and iPads. But it turns out that WireLurker was just one example of a broader problem.

Three people allegedly involved in the creation and distribution of WireLurker have been arrested in China.

WireLurker was spread through Trojanised versions of hundreds of legitimate OS X applications. These programs were distributed through the Maiyadi app store.

Once installed on a Mac, WireLurker waited for an iOS device to be connected - hence the name - and then installed malware on the iPhone, iPad or iPod touch.

The iOS component exfiltrated data from the device, and either Trojanised certain apps that were already installed on the device, or exploited iOS's enterprise provisioning features to install malicious apps. Apple subsequently revoked the misused security certificates.

A Weibo message from the Beijing Public Security Bureau Corps stated that individuals named Chen, Lee and Wang had been arrested for creating and distributing WireLurker. The distribution site had been shut down, and Chen and Lee were still in detention, according to the message.

According to FireEye, WireLurker is a limited example of what it has dubbed Masque attacks - the replacement of already-installed apps with fakes. Such attacks have been shown to be possible over Wi-Fi as well as via USB.

FireEye explained that the "vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier." Perhaps the worst-case situation is where security-critical apps such as mobile banking or other 'for value' apps are replaced by apps that look authentic but are designed to steal credentials.

The vulnerability was present in iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, the company said. There is no obvious indication in Apple's security notes that it had been fixed before 8.1.1 was released last night.

Unless Apple does address the problem, perhaps by more rigorous certificate checking, it seems likely that attacks will continue even though the WireLurker miscreants have been apprehended.

For now, US-CERT recommends the following mitigations:

• Don't install apps from third-party sources other than Apple's official App Store or your own organisation.

• Don't click "Install" from a third-party pop-up when viewing a web page.

• When opening an app, if iOS shows an alert with "Untrusted App Developer", click on "Don't Trust" and uninstall the app immediately.

(Stephen Withers) Security Tue, 18 Nov 2014 18:25:37 +1100