iTWire - Security (feed generated Mon, 24 Nov 2014 02:51:52 +1100)

Yummba puts online banking credentials (and your money) at risk
http://www.itwire.com/business-it-news/security/66214-yummba-puts-online-banking-credentials-at-risk

A major cloud company has warned of a new set of tools being used to commit bank fraud.

Akamai's Prolexic Security Engineering and Response Team (PLXsert) has detected a new set of webinject tools used in conjunction with the Zeus malware to steal online banking credentials and perform fraudulent funds transfers.

"PLXsert has identified more than 100 financial institutions for which active webinjects are available in the wild. Most are mid-size and large financial institutions in North America and Europe," said Akamai security business unit senior vice president and general manager Stuart Scholly.

Webinjects - code on an infected machine that alters the web page a browser renders, adding fields or scripts the real site never sent - are nothing new. They are often used by malware to collect and exfiltrate credentials for banking and other websites.

The Yummba webinjects - the name is that of the (apparently Russian) individual or group behind the code - work with the Zeus malware kit and the Automatic Transfer System (ATSEngine) to collect banking usernames and passwords, card and CVV numbers, expiry dates, and other sensitive information such as dates of birth.

This may be done under the guise of an "additional authorisation process" or similar, with each webinject customised to match the look and feel of the relevant organisation's real website.

Where online banking credentials have been obtained or a legitimate session established, the malware may immediately transfer funds from the victim's account.
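As an added illustration, not code from Akamai's PLXsert report or from the Yummba kit itself, the Python below models how a Zeus-style webinject rewrites a login page on the infected client and shows the integrity check a bank can run to spot it: compare the input fields the browser actually submits (or renders) against those the server sent. The rule syntax (set_url / data_before / data_inject / data_after / data_end, with * as a wildcard) follows public write-ups of Zeus configuration files and is assumed here; the bank URL and page markup are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample rule in the Zeus webinject syntax (assumed from public analyses).
# The bank URL and the injected markup are invented for this example.
SAMPLE_INJECT = """
set_url https://bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<label>Card verification value (CVV)</label><input type="text" name="cvv">
<label>Date of birth</label><input type="text" name="dob">
data_end
data_after
</form>
data_end
"""

# Constructed login page as the bank's server would send it.
SAMPLE_PAGE = """<html><body><form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password" autocomplete="off">
<input type="submit" value="Log in">
</form></body></html>"""


def parse_webinject(text):
    """Parse set_url blocks into dicts with url, flags, before, inject and after."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url "):
            parts = stripped.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped[len("data_"):], []
        elif stripped == "data_end":
            if current is not None and section:
                current[section] = "\n".join(buf)
            section, buf = None, []
        elif section is not None:
            buf.append(line)
    return rules


def _wild(pattern):
    """Zeus patterns treat '*' as a wildcard; everything else is literal text."""
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def url_matches(rule, url):
    return re.fullmatch(_wild(rule["url"]), url) is not None


def apply_webinject(rule, html):
    """What the bot does in the browser: insert rule['inject'] right after the first
    data_before match, provided data_after (if given) also occurs later in the page."""
    m = re.search(_wild(rule["before"]), html, re.S)
    if not m:
        return html
    if rule["after"] and re.search(_wild(rule["after"]), html[m.end():], re.S) is None:
        return html
    return html[:m.end()] + "\n" + rule["inject"] + html[m.end():]


class _InputCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.names.append(name)


def input_names(html):
    collector = _InputCollector()
    collector.feed(html)
    return collector.names


def injected_fields(expected_html, observed_html):
    """Defender's check: input names present in what the client rendered (or posted back)
    that the server never sent. A non-empty result is a webinject indicator."""
    return sorted(set(input_names(observed_html)) - set(input_names(expected_html)))
```

The same comparison works server-side on the submitted form: a POST to the login handler that carries fields such as `cvv` or `dob`, which the real form never contains, is a strong signal that the session comes from an infected machine and should not be allowed to proceed to a funds transfer.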

The PLXsert report [registration required] suggests the first line of defence is user awareness. Learning to recognise suspicious emails ("Red flags are generic salutations, grammatical errors in URLs, unexpected attachments, and attachments sent from unknown entities") helps prevent the Zeus malware from reaching a computer in the first place.

Endpoint security software can help, but PLXsert warns "there may be very low levels of detection for some threats."

At the network level, deep packet inspection and the blacklisting of known-bad URLs provide some protection.

"PLXsert anticipates the underground crimeware ecosystem will continue to produce new and more powerful tools like Yummba webinjects to take advantage of the massive number of exploited devices on the Internet," said Akamai.

Image: EFF-Graphics [CC BY 3.0] via Wikimedia Commons

Stephen Withers (swithers@blackandwrite.com.au) | Security | Fri, 21 Nov 2014 17:34:01 +1100
Alert! Safari Trojan
http://www.itwire.com/business-it-news/security/66213-alert-safari-trojan

A friend has had an annoying Safari-based issue where clicking a link opens a separate ad tab. This is a relatively new Trojan that cleverly hides the most useful page on getting rid of it.


Who said Macs are not vulnerable to security attacks? Nobody recently, that's for certain. It is true, however, that such incidents are far less frequent than for those of us running Windows-based machines.

However, I thought I would relate this recent experience:  A friend showed me her iMac Safari problem.

“Every time I click on this hyperlink, a new tab opens trying to sell me software” she said.

And sure enough, doing a search engine search and clicking on one of the resulting links not only opens the expected window, but gives focus to an unwanted tab trying to flog security-orientated software. The kind of thing we see all the time on Windows-based boxes. It does not seem too vicious in its intent, just extremely annoying.

Trying to investigate the issue online with only Safari to work with becomes a chore. Particularly - as I soon found out - when it becomes clear this clever piece of malware hides the one page I found that helped from the machine's browser.

It was not until later on searching using another device that I found the following link:

https://discussions.apple.com/thread/6531026

This link features the steps required to remove the malware. This involves removing certain installed services, files and extensions (as needed). It works perfectly but does highlight an issue Apple needs to address.

Yes, this particular user's machine was infected from a site offering streaming of [illegal] media, in this case Megashare. However, as the helpful page points out, you cannot rely on OS X's Gatekeeper to warn you of the malware's installation: in this case the developer holds a valid code-signing certificate issued by Apple, so the software installs without Gatekeeper objecting. Nice.

Be careful out there.

Mike Bantick (mike.bantick@gmail.com) | Security | Fri, 21 Nov 2014 16:39:42 +1100
ACMA boosts the fight against malware with new portal
http://www.itwire.com/business-it-news/security/66210-acma-boosts-the-fight-against-malware-with-new-portal

The Australian Communications and Media Authority (ACMA) is launching a new initiative to further enhance its efforts, with industry and business, to identify and warn of malware infecting devices on the Internet.

ACMA will launch its Australian Internet Security Initiative (AISI) online portal on Friday 28 November in a free live webcast to industry and the public.

The AISI has been collecting and collating information that indicates malware activity since 2005, and ACMA’s Internet Security Programs Manager, Julia Cornwell McKean, says the portal is the next generation of the AISI, which partners with industry to identify infected devices on the internet.

Cornwell McKean said ACMA uses the information collected through the portal to provide details to the AISI’s voluntary participants – internet service providers and educational institutions – of apparent infections in their networks.

“In turn, internet service providers can help their customers identify and treat these infections,” Cornwell McKean said.

The live webcast of the AISI portal next week will be led by Cornwell McKean, who will talk about the ACMA’s suite of internet security programs, including the AISI.

Cornwell McKean will also explain how the new portal can be used by internet service providers to help consumers identify compromised devices and rid them of malware.

The launch will include the premiere of a new video that highlights the malware threat faced by Internet users.

The launch event streams live at 9.30am on Friday 28 November, and reminders can be requested in advance of the event.

Peter Dinham (peter.dinham@itwire.com) | Security | Fri, 21 Nov 2014 15:51:27 +1100
WireLurker arrests in China, but Masque problem widens
http://www.itwire.com/business-it-news/security/66135-wirelurker-arrests-in-china-but-masque-problem-widens

Three people have reportedly been arrested on suspicion of involvement in the creation and distribution of the WireLurker malware affecting iPhones and iPads. But it turns out that WireLurker was just one example of a broader problem.

Three people allegedly involved in the creation and distribution of WireLurker have been arrested in China.

WireLurker was spread through Trojanised versions of hundreds of legitimate OS X applications. These programs were distributed through the Maiyadi app store.

Once installed on a Mac, WireLurker waited for an iOS device to be connected - hence the name - and then installed malware on the iPhone, iPad or iPod touch.

The iOS component exfiltrated data from the device, and either Trojanised certain apps that were already installed on the device, or abused iOS's enterprise provisioning features to install malicious apps. Apple subsequently revoked the misused signing certificates.

A Weibo message from the Beijing Public Security Bureau Corps stated that individuals named Chen, Lee and Wang had been arrested for creating and distributing WireLurker. The distribution site had been shut down, and Chen and Lee were still in detention, according to the message.

According to FireEye, WireLurker is a limited example of what it has dubbed Masque attacks - the replacement of already-installed apps with fakes. Such attacks have been shown to be possible over Wi-Fi as well as via USB.

FireEye explained that the "vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier." Perhaps the worst-case situation is where security-critical apps such as mobile banking or other 'for value' apps are replaced by apps that look authentic but are designed to steal credentials.

The vulnerability was present in iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, the company said. There is no obvious indication in Apple's security notes that it had been fixed before 8.1.1 was released last night.

Unless Apple does address the problem, perhaps by requiring that an app replacing one with the same bundle identifier also be signed by the same developer, it seems likely that attacks will continue even though the WireLurker miscreants have been apprehended.

For now, US-CERT recommends the following mitigations:

• Don't install apps from third-party sources other than Apple's official App Store or your own organisation

• Don't click "Install" from a third-party pop-up when viewing a web page.

• When opening an app, if iOS shows an alert with "Untrusted App Developer", click on "Don't Trust" and uninstall the app immediately.
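To make FireEye's point concrete, the following added Python (not FireEye's, US-CERT's or Apple's code) models the install-time decision with and without the signer check, and shows the inventory audit an organisation with MDM data can run to find apps whose bundle identifier belongs to a known app but whose signing team differs. The inventory records, bundle IDs and team identifiers are all constructed for this example.

```python
# App identity is modelled as (bundle_id, signer), where signer stands for the
# Team Identifier in the signing certificate. All values below are hypothetical.
KNOWN_GOOD = {
    "com.example.bank": "BANKTEAM01",   # the real bank app's team (constructed)
    "com.example.mail": "MAILTEAM02",
}

# Enterprise signing teams the organisation actually owns (constructed).
TRUSTED_ENTERPRISE_TEAMS = {"CORPTEAM03"}

# Constructed device inventory as an MDM export might provide it.
INVENTORY = [
    {"bundle_id": "com.example.bank", "signer": "BANKTEAM01", "source": "appstore"},
    {"bundle_id": "com.example.mail", "signer": "ROGUEENT99", "source": "enterprise"},
    {"bundle_id": "com.corp.internal", "signer": "CORPTEAM03", "source": "enterprise"},
    {"bundle_id": "com.unknown.game", "signer": "ROGUEENT99", "source": "enterprise"},
]


def replacement_allowed(installed, candidate, enforce_signer):
    """Install-time decision when the candidate's bundle ID is already present.

    enforce_signer=False reproduces the behaviour FireEye described: any app with
    the same bundle identifier replaces the installed one, whoever signed it.
    enforce_signer=True is the check that closes the hole."""
    if installed["bundle_id"] != candidate["bundle_id"]:
        return True  # a different app; no replacement is involved
    if not enforce_signer:
        return True
    return installed["signer"] == candidate["signer"]


def find_masque_candidates(inventory, known_good, trusted_enterprise_teams):
    """Fleet-side audit: flag apps whose bundle ID belongs to a known app but whose
    signer differs, and enterprise-provisioned apps from teams we do not own."""
    findings = []
    for app in inventory:
        expected = known_good.get(app["bundle_id"])
        if expected is not None and app["signer"] != expected:
            findings.append((app["bundle_id"], "signer mismatch", app["signer"]))
        elif app["source"] == "enterprise" and app["signer"] not in trusted_enterprise_teams:
            findings.append((app["bundle_id"], "untrusted enterprise signer", app["signer"]))
    return findings


if __name__ == "__main__":
    for bundle_id, reason, signer in find_masque_candidates(
            INVENTORY, KNOWN_GOOD, TRUSTED_ENTERPRISE_TEAMS):
        print(bundle_id, reason, signer)
```

The "signer mismatch" case is the Masque scenario itself: a mail or banking bundle ID that is no longer signed by the vendor. The second rule catches the WireLurker-style precursor, an enterprise-provisioned app from a team the organisation never enrolled, which is what the "Untrusted App Developer" prompt in the third mitigation above is warning about.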

Stephen Withers (swithers@blackandwrite.com.au) | Security | Tue, 18 Nov 2014 18:25:37 +1100
Tor users may easily be de-anonymised
http://www.itwire.com/business-it-news/security/66123-tor-users-may-easily-be-de-anonymised

Traffic analysis provides an easy method to identify Tor client nodes.

Utilising Cisco's NetFlow technology, researchers led by Professor Sambuddho Chakravarty identified the true source of Tor client traffic with 100% accuracy in a lab environment and about 81% accuracy in the wild.

According to Cisco, NetFlow "efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing." In other words, the per-flow byte and packet counts that routers already export for billing and planning are enough to observe Tor traffic without capturing packets: an adversary needs no wiretap, only access to NetFlow records for the links around an entry relay (or for the relay itself).

In a paper (pdf) originally published earlier this year, Chakravarty and his team noted:

We assess the feasibility and effectiveness of practical traffic analysis attacks against the Tor network using NetFlow data. We present an active traffic analysis method based on deliberately perturbing the characteristics of user traffic at the server side, and observing a similar perturbation at the client side through statistical correlation. We evaluate the accuracy of our method using both in-lab testing, as well as data gathered from a public Tor relay serving hundreds of users. Our method revealed the actual sources of anonymous traffic with 100% accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4% for the real-world experiments, with an average false positive rate of 6.4%.

The paper cites reasoning suggesting that a single Autonomous System (a network operator whose links carry traffic on both the entry and exit sides of many circuits) may be in a position to observe as much as 39% of all entry and exit node traffic, giving it an excellent (although incomplete) view of proceedings.

The paper continues: "Our approach is based on identifying pattern similarities in the traffic flows entering and leaving the Tor network using statistical correlation. To alleviate the uncertainty due to the coarse-grained nature of NetFlow data, our attack relies on a server under the control of the adversary that introduces deterministic perturbations to the traffic of anonymous visitors. ... Among all entry-node-to-client flows, the actual victim flow can be distinguished due to its high correlation with the respective server-to-exit-node, as both carry the induced traffic perturbation pattern."



Against a standard Tor circuit (client, entry, middle and exit relays), the researchers seek to influence the traffic of the client being sought. The easiest method is to identify a web site to which the client connects and arrange to have it manipulated to deliver a significant amount of download (perhaps forced delivery of multimedia content via an injected iframe - the paper suggests a number of possible methods).

The technique then seeks to inject a traffic pattern by perturbing the TCP connection it sees arising from an exit node. Thereafter, the adversary uses NetFlow data to obtain traffic statistics from the server to exit node and correlates it individually to each of the entry node to client traffic statistics so as to find the flow which carries the injected fingerprint.

The technique, as described, was: "the server injected the complex 'step' like pattern by switching the server to exit traffic between roughly 1 Mbit/s, 50 Kbit/s, 300 Kbit/s and 100 Kbit/s, every 30 seconds."

This technique is far from perfect, but it demonstrates that an adversary who can manipulate the responses of a server the victim visits, and who can obtain NetFlow records for an entry relay's links (by running the relay or from a cooperating network operator), no longer faces a difficult task in identifying the client at the point where it connects to the Tor network.
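The following Python is an added example, not code from the paper, that reproduces the correlation step in miniature: the adversary's server injects the step pattern quoted above, a set of entry-to-client flows is simulated as NetFlow would report them (one 30-second bin per step is assumed), and each is correlated against the server-to-exit series to pick out the victim. The noise model, the 0.8 attenuation factor and the 0.75 decision threshold are assumptions chosen for the illustration, not values from the paper.

```python
import random
from statistics import mean, pstdev

# Step pattern described in the paper: server-to-exit throughput switched between
# roughly 1 Mbit/s, 50 kbit/s, 300 kbit/s and 100 kbit/s every 30 seconds.
STEP_KBPS = [1000, 50, 300, 100]


def induced_pattern(repeats=10):
    """Per-bin rate series the adversary's server injects into the victim's download.
    One NetFlow bin per 30-second step is assumed (coarse, like real NetFlow data)."""
    return STEP_KBPS * repeats


def pearson(x, y):
    """Pearson correlation coefficient; 0 when either series is constant."""
    mx, my = mean(x), mean(y)
    sx, sy = pstdev(x), pstdev(y)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (len(x) * sx * sy)


def simulate_entry_flows(pattern, n_clients, victim, rng):
    """Constructed entry-relay-to-client per-bin rates as NetFlow would report them.
    The victim's flow carries the injected pattern, attenuated and with Gaussian
    noise standing in for Tor cell padding and timing jitter (assumed model); the
    other clients carry unrelated traffic. victim=None means the target is absent."""
    flows = []
    for i in range(n_clients):
        if i == victim:
            flows.append([0.8 * v + 40 + rng.gauss(0, 60) for v in pattern])
        else:
            flows.append([abs(rng.gauss(300, 250)) for _ in pattern])
    return flows


def identify_victim(server_flow, entry_flows, threshold=0.75):
    """Correlate the server-to-exit series against every entry-to-client series.
    Returns (index, scores); index is None when no flow clears the threshold,
    which is how the attack avoids naming an innocent client when the target
    is not behind this entry relay at all."""
    scores = [pearson(server_flow, f) for f in entry_flows]
    best = max(range(len(scores)), key=scores.__getitem__)
    return (best if scores[best] >= threshold else None), scores


def run_demo(seed, n_clients, victim):
    """Deterministic end-to-end run: inject, observe, correlate."""
    rng = random.Random(seed)
    pattern = induced_pattern()
    flows = simulate_entry_flows(pattern, n_clients, victim, rng)
    return identify_victim(pattern, flows)


if __name__ == "__main__":
    found, scores = run_demo(seed=7, n_clients=50, victim=17)
    print("identified client index:", found, "correlation: %.2f" % scores[found])
```

Forty bins of 30 seconds is twenty minutes of observation, which is why the paper's server keeps the victim downloading for a while. The false positives the paper reports (6.4%) correspond to decoy flows that happen to correlate above the threshold; raising the threshold or lengthening the pattern lowers that rate at the cost of needing a longer session.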

David Heath (tritonsecure@gmail.com) | Security | Mon, 17 Nov 2014 22:57:23 +1100
ESET discovers trojan aimed at G20 protesters
http://www.itwire.com/business-it-news/security/66112-eset-discovers-trojan-aimed-at-g20-protesters

It wasn’t just government and business leaders getting together for the G20 summit: ‘threat actors’ also used the occasion to target protesters with a malware-laden email about a ‘rally for Tibet’.

Internet security company ESET has identified an APT (advanced persistent threat) campaign delivered as an email with a malicious Word document, aimed at G20 protesters who might believe a Tibet rally was being planned.

The email was titled ‘Join us at a rally for Tibet during the G20 summit’ and pretended to be from the Australian Tibet Council.

Attached was a Word document entitled ‘A_Solution_for_Tibet.doc’, which exploited the old CVE-2012-0158 vulnerability in presumably unpatched copies of Microsoft Office.

If the document was opened and the exploit succeeded, it installed the ‘Gh0st RAT’ malware on the user’s computer.

Once installed, Gh0st RAT connects to its command and control server and allows the operator to control the computer remotely, utterly destroying the protester's privacy and leaving them completely open to being spied upon, manipulated or otherwise interfered with.

At ESET’s ‘WeLiveSecurity’ blog, the security firm notes that big events are being used ‘as a lure to compromise targets’, and that this in itself is nothing new, nor is the fact that Tibetan NGOs are being targeted.

Expecting to see G20-themed threats targeting Tibetan NGOs, ESET’s suspicions were confirmed when it received a malware sample detected as ‘Win32/Farfli’, which is ‘Gh0st RAT’.

As ESET explains, ‘Gh0st RAT is an off-the-shelf RAT that is used by a variety of threat actors’ that ‘has been used in the past in numerous targeted campaigns as well as crimeware-like operations.’

ESET’s telemetry recorded only a very small number of detections overall, two of them in China.

Inside the malware’s network comms was the word ‘LURK0’, instead of the expected ‘Gh0st’, with ESET reporting ‘LURK0’ has been seen in threats against Tibetan NGOs in the past.
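That ‘LURK0’ string is a protocol detail a network defender can key on. As an added example (not ESET’s code and not taken from the WeLiveSecurity post), the Python below parses the Gh0st RAT wire framing and classifies captured TCP segments, flagging both the stock magic and the substituted one. The framing assumed here, a 5-byte magic, a little-endian 32-bit total length (header included), a little-endian 32-bit decompressed length and a zlib-compressed body, comes from public analyses of the Gh0st source; the sample segments, addresses and payload text are constructed.

```python
import struct
import zlib

# Gh0st RAT framing (assumed from public analyses of the leaked source):
#   magic[5] | total_len uint32 LE (incl. 13-byte header) | orig_len uint32 LE | zlib body
HEADER = struct.Struct("<5sII")

# "Gh0st" is the stock magic; "LURK0" is the variant ESET observed in this campaign.
KNOWN_MAGICS = {b"Gh0st", b"LURK0"}


def build_packet(magic, payload):
    """Constructed sample framing for the test data; carries no RAT functionality."""
    if len(magic) != 5:
        raise ValueError("magic must be exactly 5 bytes")
    body = zlib.compress(payload)
    return HEADER.pack(magic, HEADER.size + len(body), len(payload)) + body


def parse_packet(data):
    """Validate the framing and return (magic, decompressed payload)."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    magic, total_len, orig_len = HEADER.unpack_from(data)
    if total_len != len(data):
        raise ValueError("total length field does not match segment size")
    payload = zlib.decompress(data[HEADER.size:total_len])
    if len(payload) != orig_len:
        raise ValueError("decompressed length does not match header")
    return magic, payload


def classify_stream(data):
    """Detection logic for one captured segment: None if it is not Gh0st-framed,
    otherwise a label. Unknown magics are surfaced too, since operators rename the
    magic (as with LURK0) precisely to dodge signatures that match only 'Gh0st'."""
    try:
        magic, _ = parse_packet(data)
    except (ValueError, zlib.error):
        return None
    if magic in KNOWN_MAGICS:
        return "gh0st-family:" + magic.decode("ascii", "replace")
    return "gh0st-framing:unknown-magic"


def scan_segments(segments):
    """Run the classifier over (src, dst, bytes) records and return the hits."""
    hits = []
    for src, dst, data in segments:
        label = classify_stream(data)
        if label is not None:
            hits.append((src, dst, label))
    return hits


# Constructed capture: one LURK0 beacon, one TLS-looking segment, one stock Gh0st beacon.
SAMPLE_SEGMENTS = [
    ("10.0.0.5:49152", "203.0.113.7:443", build_packet(b"LURK0", b"constructed beacon WS01")),
    ("10.0.0.5:49153", "198.51.100.20:443", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(20)),
    ("10.0.0.9:50000", "203.0.113.7:443", build_packet(b"Gh0st", b"constructed beacon WS02")),
]

if __name__ == "__main__":
    for src, dst, label in scan_segments(SAMPLE_SEGMENTS):
        print(src, "->", dst, label)
```

The structural check (length fields consistent, body inflates to the advertised size) is what makes the classifier useful against renamed variants: a plain string match on ‘Gh0st’ would have missed this campaign entirely.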

In essence, this threat is yet another spear-phishing email, with the ‘threat actor’ using the bait of a rally for Tibet to target specific people.

Part of the tactic is to pretend the email is from a legitimate organisation, with the text of the email not only purporting to be from the Australian Tibet Council, but lifted from its site.

ESET notes these types of attacks are now ‘very common’, and reminds us all ‘to avoid opening email attachments sent by unknown senders and to keep software installed on its computer up-to-date.’

That of course includes not just operating systems, but software programs such as Microsoft Word and everything else you use on your computer.

For the full low-down on this malware attack, please visit ESET’s WeLiveSecurity blog. 

Alex Zaharov-Reutt (alex@itwire.com.au) | Security | Mon, 17 Nov 2014 11:25:24 +1100
Data security a ‘low risk’ issue for businesses
http://www.itwire.com/business-it-news/security/66102-data-security-a-‘low-risk’-issue-for-businesses

Data security is apparently considered a low risk issue for Australian business decision-makers, with concerns that senior executives fail to recognise the long-term financial damage that a security breach might have on their business.

The low level of concern about data security risks in Australia mirrors that of business decision makers in other countries, according to security and risk management company NTT.

In its recently commissioned survey of 800 business decision-makers worldwide, including in Australia, NTT reveals that nearly two-thirds (63%) of respondents expect to suffer a security breach at some point, but less than one in ten (9%) see ‘poor data security’ as the greatest risk to their business.

In Australia, just over half of the business decision-makers surveyed (56%) say they do have a formal data security policy in place, while 56% have a business or disaster recovery plan in the event of a breach, which is above the global average of 47%.

But Australian business leaders said that only 57% of their employees, on average, are aware of and understand the company’s data security policy.

According to NTT, however, businesses are most likely to see risks coming from competitors taking market share, lack of employee skills and decreasing profits, rather than recognising the long-term damage – both in terms of time and money – of a security breach.

The survey, undertaken for NTT by Vanson Bourne, reveals that over half of senior decision-makers (59%) agree there would be minimal long-term damage from a security breach, although a significant number report that their organisation would suffer reputational damage (60%) and loss of customer confidence (56%) if data was stolen.  

In Australia, when it comes to the financial impact of a security breach, business decision-makers estimate that their revenue would drop, on average, by 9% as the result of an attack.

But, 14% expect a security breach to have no impact at all on revenue, while more than a quarter (29%) admit they do not know what the financial implications would be.

“The concern here is whether senior business decision makers recognise the risks to their organisation, as well as understand the value of good data security. There seems to be a worrying level of indifference,” said Garry Sidaway, Senior Vice President Security Strategy & Alliances, NTT Com Security.

“When we asked respondents what they associate with the term data security, only half believe it is ‘vital’ to the business, less than half see it as ‘good practice’ and less than a quarter see it as ‘a business enabler’.  The majority unfortunately still associates security with data protection or privacy.

“The report also suggests that there is still a disconnect between the cost of data breaches and the importance organisations place on IT security to drive these costs down.  With security incidents making headlines daily, and costs soaring for a major breach – up to AUD $2.1m on average for a large organisation – a security incident can have far-reaching implications, from damaging a company’s reputation and share price to its ability to attract the very best talent.”

According to Simon Church, CEO for NTT Com Security, most business decision makers “are not primarily concerned with the challenges or risks faced by their organisations that relate to technology”.  

“As an industry, we need to be much smarter at educating businesses about the wider implications of data breaches, and help move the information security dial from ‘important’ to ‘vital’, so that it becomes an essential part of a company’s overall risk posture and valued as highly as profits and reputation.”

Key findings of the NTT report include:

Data policies in the business

•    On average 10% of an organisation’s IT budget is spent on data/information security, although 16% of respondents do not know the amount spent

•    Around half (49%) regard data security as ‘expensive’ and 18% see it as ‘disruptive’

Data Security

•    Globally, less than half (44%) report that all of their critical data is ‘completely secure’, while in Australia 54% said it was

•    55% of respondents report that (consumer) customer data is vitally important to the success of their business, but only 37% report that all (consumer) customer data is ‘completely secure’

•    45% report that business performance data is vitally important to their business, but only 31% admit that all of this data is ‘completely secure’.

Impact of a data security breach

•    Around three-quarters (72%) say it is vital their organisation is insured for security breaches

•    Less than half (48%) say their company insurance covers for both data loss and a security breach

•    A quarter of those with any insurance do not know exactly what they are insured for in the event of data security breach.

Personal knowledge and behavior

•    41% say they are not kept up to date by the IT security team about data attacks and potential threats

•    28% rely upon their own judgment of what is ‘safe behaviour’ when using/accessing work-related data, but a fifth (21%) state data security is a joint responsibility between them and the IT team.

Peter Dinham (peter.dinham@itwire.com) | Security | Fri, 14 Nov 2014 17:43:51 +1100
Melbourne, malware and Android mobiles a lethal mix
http://www.itwire.com/business-it-news/security/66079-melbourne-malware-and-android-mobiles-a-lethal-mix

Melbourne has the unenviable record as the Australian city most susceptible to malware threats, according to new research ranking it ahead of Brisbane, Perth and Sydney.

And not only is Melbourne at the greatest risk of malware attacks: Melburnians who own Android phones are twice as likely as their Sydney counterparts to become victims of malicious software that can disrupt how their devices operate as well as gather their personal information.

The newly published research by the Australian arm of Helsinki-based security company F-Secure reveals that 18% of malware threats identified in Australia have occurred in Melbourne, while in suburban areas of the city South Yarra, just outside of the CBD, ranks first, with 10% of all threats identified.

Amongst other suburbs, 9% of malware threats were recorded in Sandgate, north of Brisbane; and 8% were identified in Merrylands, in Sydney’s west.

And Brisbane ranks second amongst the CBD areas in capital cities (14%), with Perth coming in third (11%), followed by Sydney at 9%.

According to Su Gim Goh, F-Secure’s Security Advisor in the Asia Pacific region, Melbournians are most likely to have their devices infected with malware “as they probably download more apps than other Australians”.

“However, regardless of where they live, all Australians should be taking control of protecting their personal data, considering the constantly changing threat landscape.”

“At F-Secure, we recommend that customers follow preventative measures that should be standard practice for anyone with a mobile phone or computer, including scanning all downloaded apps and setting up message barring – so they can live their digital lives freely.”

Goh says the largest share of malware detected in Australia (55%) is classified as potentially unwanted software, and it affects Android phones. “This type of malware is a program or component that may be intrusive or inadvertently introduces privacy or security risks. Users typically accept the potential risk associated with the program, and elect to install and use the application.”

And, be warned. According to F-Secure, the malware threats are typically designed to take money from unwitting users who install the apps, with 88% of the new families or variants featuring some way for the attacker to make a profit. One common method is the app sends text messages to a premium rate number; another is it charges a fee for a program that can normally be accessed for free.

F-Secure says a worrying trend is the ability of a type of ransomware to move across platforms, from personal computers to mobile devices, locking access to a device until the user pays a ransom, usually by sending bitcoins to the attacker.

Internationally, F-Secure says it has seen a concerning rise in malware growth for the Android platform in terms of the number of families and variants of mobile malware, from about 100 per quarter in 2013 to about 300 per quarter this year.

Goh says most of the threats (about 99%) affect the android platform as it has an open app store ecosystem “that allows a tainted application to lurk into android mobile devices through third party stores”.

And, there’s a warning about the cost of cybercrime to Australia from F-Secure Australian Country Manager Adam Smith.

“In the Australian economy alone, the annual cost of cyber crime is staggering, at around $1.65 billion.

“Particularly in the lead-up to the holidays, consumers and merchants should protect themselves from card fraud, which happens more frequently than what you might think – 4,000 fraudulent transactions are recorded on average every day in Australia, and with internet shopping on the rise, more and more of these incidents are happening online and over Wi-Fi connections.

“Unsecured Wi-Fi access points are excellent sources of personal information such as credit card numbers and email logins for thieves. This type of information can potentially be passed over the Wi-Fi in plain text and quickly utilised for potential criminal gain.”

And, here’s F-Secure’s  top six security tips to help combat the malware threat:

1.     lock your device

2.     set up message barring

3.     use anti-theft protection

4.     scrutinise permission requests

5.     download only from trusted sources

6.     scan downloaded apps
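As an added example, not F-Secure’s code, here is what tip 4 (scrutinise permission requests) looks like when automated against a decoded AndroidManifest.xml, with the premium-rate SMS and SMS-interception patterns the article describes turned into findings. The manifests below are constructed for this example and describe no real app; decoding the binary manifest out of an APK (for instance with apktool) is assumed to have happened already, and the “high-priority receiver” threshold of 1000 is a triage heuristic, not an Android rule.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest of a hypothetical "free video player" that also asks for
# SMS capability and registers a top-priority SMS receiver (typical of premium-SMS
# fraud apps that must hide the carrier's billing confirmation from the user).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Free Player">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of a hypothetical note-taking app with a plausible permission set.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

PREMIUM_SMS_PERMS = {"android.permission.SEND_SMS"}
SMS_INTERCEPT_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
HIGH_PRIORITY = 1000  # triage heuristic, not an Android-defined boundary


def permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")}


def sms_receiver_priorities(manifest_xml):
    """Priorities of intent filters that listen for incoming SMS broadcasts."""
    root = ET.fromstring(manifest_xml)
    priorities = []
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            priorities.append(int(flt.get(ANDROID + "priority", "0")))
    return priorities


def triage(manifest_xml, is_messaging_app=False):
    """Return (severity, reason) findings for the permission patterns behind the
    premium-SMS and pay-for-free-software fraud described in the article."""
    perms = permissions(manifest_xml)
    findings = []
    if perms & PREMIUM_SMS_PERMS and not is_messaging_app:
        findings.append(("high", "SEND_SMS requested by a non-messaging app: premium-rate SMS fraud risk"))
    if perms & SMS_INTERCEPT_PERMS and any(p >= HIGH_PRIORITY for p in sms_receiver_priorities(manifest_xml)):
        findings.append(("high", "high-priority SMS_RECEIVED receiver: can read or suppress carrier billing or bank SMS"))
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms and findings:
        findings.append(("medium", "starts at boot, so the behaviour above persists across reboots"))
    return findings


if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_MANIFEST):
        print(severity, reason)
```

The `is_messaging_app` flag matters: SEND_SMS is legitimate for an SMS client, so the check should be driven by what the app claims to be, which is exactly the judgement tip 4 asks the user to make.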

Peter Dinham (peter.dinham@itwire.com) | Security | Thu, 13 Nov 2014 12:45:14 +1100
Kaspersky Lab identifies Stuxnet Patient Zero: first victims
http://www.itwire.com/business-it-news/security/66050-kaspersky-lab-identifies-stuxnet-patient-zero-first-victims

The infamous Stuxnet worm that disabled Iranian nuclear centrifuges has been under intense investigation by Kaspersky Lab and other security firms, with Kaspersky revealing more information.

More than four years ago the Stuxnet worm was discovered, and it was soon recognised as ‘one of the most sophisticated and dangerous malicious programs’ and considered ‘the world’s first cyber-weapon’.

There have been many mysteries around the story, but one major question revolves around what the exact goals of the whole Stuxnet operation were.
 
Kaspersky Lab has analysed more than 2,000 Stuxnet files over the last two years, and its researchers are now able to identify the first victims of the worm.
 
From the start, Kaspersky’s researchers and others had no doubt that the attack was targeted.

The company says that the code of the Stuxnet worm looked professional and exclusive, with evidence that extremely expensive zero-day vulnerabilities were used.

Even so, it wasn’t yet known what kinds of organisations were attacked first, nor how the malware ultimately made it right through to the uranium enrichment centrifuges of top secret facilities.
 
Kaspersky’s new analysis sheds light on these questions.

It turns out that ‘all five of the organisations that were initially attacked operate within the Industrial Control Systems (ICS) area in Iran, developing ICS or supplying materials and parts.’

The fifth organisation to be targeted, explains Kaspersky, is the most intriguing because, ‘among other products for industrial automation, it produces uranium enrichment centrifuges’, with this ‘precisely the kind of equipment that is believed to be the main target of Stuxnet.’
 
The company says that ‘It is believed the attackers expected that these organisations would exchange data with their clients – such as uranium enrichment facilities – and this would make it possible to get the malware inside these target facilities. The outcome suggests that the plan was indeed successful.’
 
Kaspersky Lab experts made yet another interesting discovery: ‘revealing that the Stuxnet worm did not only spread via infected USB memory sticks plugged into PCs. This factor shaped part of the initial theory, explaining how the malware could sneak into a place with no direct Internet connection.’
 
Its researchers found that the ‘data gathered while analysing the very first attack showed that the first worm’s sample (Stuxnet.a) was compiled just hours before it appeared on a PC in the first attacked organisation.’

Interestingly, ‘this tight timetable makes it hard to imagine that an attacker compiled the sample, put it on a USB memory stick and delivered it to the target organisation in just a few hours. It is reasonable to assume that in this particular case, the people behind Stuxnet used other techniques instead of a USB infection.’

Alexander Gostev, Chief Security Expert at Kaspersky Lab said: “Analysing the professional activities of the first organisations to fall victim to Stuxnet gives us a better understanding of how the whole operation was planned.”

“At the end of the day, this is an example of a supply-chain attack vector, where the malware is delivered to the target organisation indirectly via networks of partners that the target organisation may work with,” Gostev concluded.

You can read plenty more technical detail on various ‘previously unknown aspects of the Stuxnet attack’ in a blog post on Kaspersky Lab’s Securelist site. 

There is also a newly released book entitled ‘Countdown to Zero Day’ – by journalist Kim Zetter.

This book also includes previously undisclosed information about Stuxnet, some of which is based on interviews with members of Kaspersky Lab’s Global Research and Analysis Team who are helping to unravel the Stuxnet mystery.
 

Alex Zaharov-Reutt (alex@itwire.com.au) | Security | Wed, 12 Nov 2014 16:27:23 +1100
VIDEO: Venafi CISO in Australia, securing keys and certs against bad guys
http://www.itwire.com/business-it-news/security/66044-video-venafi-ciso-in-australia-securing-keys-and-certs-against-bad-guys

Venafi is a US-based security company that secures and protects cryptographic keys and certificates so they can’t be used by bad guys in cyber attacks.

Venafi CIO and CISO, Tammy Moskites, is in Australia to talk to its customers among the big banks and retail brands, and spoke at a lunch event to a range of journalists.

I was attending the Zuora event so missed the full lunch event, but was still able to organise a 1-on-1 interview with Tammy Moskites to get the low-down on what Venafi does, how it protects its customers and why attacks on trusted keys and certificates are a big risk.

Venafi’s website explains that ‘criminals want to gain trusted status and go undetected’, which makes ‘keys and certificates a prime target’.

The company warns that ‘criminals steal and compromise keys and certificates that are not properly protected, and use them to circumvent security controls’ and that, as such, ‘this has become the attack of choice.’



We are also told that compromised keys and certificates is one of the most urgent and highest priority cybersecurity issues.

This is because compromised keys and certificates are undermining ‘data loss prevention, next-gen firewalls, strong authentication, sandboxing and other security systems.’

Venafi says it ‘finds all keys and certificates and puts them under surveillance to detect anomalies’, while ‘vulnerable keys and certificates are fixed to prevent attack’.

As ‘ongoing remediation is performed automatically’, the company says it ‘strengthens defences of today’s critical security controls.’

More information is available on Venafi’s website.

Alex Zaharov-Reutt (alex@itwire.com.au) | Security | Wed, 12 Nov 2014 00:52:24 +1100