Feed aggregator

Redirecting

April 2013 Super Tuesday

IBM X-Force 2012 Annual Trend & Risk report has released!

March 2013 Super Tuesday Update

February 2013 Super Tuesday Update

January 2013 Super Tuesday Update

December 2012 Microsoft Super Tuesday

November 2012 Microsoft Super Tuesday

October 2012 Microsoft Super Tuesday

Key highlights in the IBM X-Force 2012 Trend & Risk Report

Attorney General Eric Holder is on record the Department of Justice supports legislation that generally would require the government to get a probable-cause warrant to read your e-mail. That we're having this discussion is because federal law, dating to the ...

Over the last couple of days, multi-tasking cybercriminals have been spreading a "Facebook Profile Spy" campaign across Facebook, enticing users into installing a rogue Chrome extension, next to monetizing the campaign through an unethical pseudo-mobile marketing agency, known as Prizerally. Sample redirection chain: hxxps://www.facebook.com/pages/Hajmc1rnjr/172683159561584?sk=app_

Last night our CTO and Co-Founder Chris Wysopal joined Fox Business’ The Willis Report to chat about medical record privacy in a segment titled “Digital Records Putting Your Health Information at Risk?” In the six minute segment Chris talks about “the dark side” of putting medical data online in cloud servers. Among the stats thrown around;

• 50% of doctors offices put customer data online,
• 80% of hospitals put customer data online,
• 21 million people had electronic records stolen in last 3 years,
• 94% of healthcare companies report data breaches.

Staggering numbers no doubt, you might be asking exactly how dangerous is this information? Health insurance fraud, financial identity theft, credit risk and even personal endangerment. If a someone undergoes a medical procedure under your identity, your medical records become flawed. In a scenario where you’re undergoing emergency procedures your records could say you’ve had your appendix out when in fact you haven’t. Beyond personal data privacy concerns are medical device security concerns, a topic we’ve previously touched upon. Wysopal on the subject says, “The medical device problem is particularly scary because you have these devices which were standalone and now you’re adding wireless functionality to them…so you can monitor these devices and connect to them. A lot of them weren’t designed with security in mind.” All of a sudden these devices that were designed to only be accessed physically in person are now being exposed to attackers online, Wysopal also adds to the commentary, “It’s also hard to fix these medical devices and update them because there’s such a long certification process..they aren’t like typical IT systems that you can patch in a few hours.” So what can you do to protect yourself?

1. Ask your health insurance company for a copy of your medical record and activities.
2. Pull your credit report at least once a year and verify all accounts and activity.

If you don’t recognize something on one of these two reports, raise a red flag immediately starting with your healthcare provider. Check out the full video here for more great information.

written by WilliamMichael82.

written by nikeShoes.

Twitter introduced multi-factor login verification on Wednesday. Good news? Well… that depends.

Twitter's initial implementation of two-factor authentication (2FA) relies on SMS.

But… Twitter also uses SMS as a way to send and receive Tweets (making use of SMS for double-duty: social and security). It's possible to "STOP" incoming Tweets via SMS, and that makes sense, because people sometimes end up roaming unexpectedly — and there needs to be a way to stop the SMS feature. Otherwise it could generate a costly bill.

Unfortunately, an attacker could use SMS spoofing to disable 2FA if he knows the target's phone number.



We've done some testing.

The STOP command removes the phone number from the account — and that in turn disables Twitter's 2FA.

Not great.

But there's an even worse possibility at the moment.

If you don't yet have 2FA enabled, an attacker who gains access to your account via spear phishing could enable it for himself!

All that's required is random phone number and SMS spoofing the word "GO".



Then the attacker can enable the account's 2FA.



Then send a message. (The message doesn't contain a confirmation code, so it isn't really needed.)



And then click "Yes".



That's it.

No confirmation code is needed to add a number. (Confirmation is required to change the account's associated e-mail address.)

This is what the victim will see — even if they reset the account's password.



The victim will be locked out, and cannot recover the account without Twitter's support.

So… perhaps you should enable your account's 2FA — before somebody else does it for you.

Fortunately, the majority of Twitter users aren't big targets. Unfortunately, accounts such as @AP are. And Twitter's SMS-based 2FA could be more harm than help when the use case is a dedicated attacker.

Twitter's blog post says "this feature has cleared the way for us to deliver more account security enhancements in the future."

Let's hope so. On 24/05/13 At 12:40 PM

As a follow up to yesterday's Kumar in the Mac post… have you received e-mail attachments such as this?



Attachments:

  •  Christmas_Card.app.zip
  •  Content_for_Article.app.zip
  •  Content_of_article_for_[NAME REMOVED].app.zip
  •  Interview_Venue_and_Questions.zip
  •  Lebenslauf_für_Praktitkum.zip (Translates as: CV for Internship.)

If so, you may be the target of a spear phishing campaign designed to install a spyware on your Mac.

Here's a list of binaries signed by Apple Developer "Rajinder Kumar".

Detected as Trojan-Spy:OSX/HackBack.B:

  •  1eedde872cc14492b2e6570229c0f9bc54b3f258
  •  6737d668487000207ce6522ea2b32c7e0bd0b7cb
  •  a2b8e636eb4930e4bdd3a6c05348da3205b5e8e0
  •  505e2e25909710a96739ba16b99201cc60521af9
  •  45a4b01ef316fa79c638cb8c28d288996fd9b95a
  •  290898b23a85bcd7747589d6f072a844e11eec65 — mentioned in yesterday's post.

Detected as Backdoor:OSX/KitM.A (includes screenshot feature):

  •  4395a2da164e09721700815ea3f816cddb9d676e

Though the spear phishing payloads are not particularly "sophisticated", the campaign's use of German localization and the target's name (removed in the example above) does indicate the attackers have done some homework.

Be vigilant.

More information:
Mac Spyware Found at Oslo Freedom Forum
Big Hangover On 23/05/13 At 10:12 AM

There's another case of Backdoor:OSX/KitM.A in the wild.

A German-based investigator reached out to us yesterday regarding OSX/KitM. (We wrote about it last week.) KitM stands for "Kumar in the Mac", which is our designation for spyware — related to OSX/Filesteal a.k.a. OSX/HackBack — that is signed using an Apple Developer ID in the name of Rajinder Kumar. The Developer ID has since been revoked by Apple.

This latest version of OSX/KitM used a Romanian C&C server called liveapple.eu during the period of attack, December 2012 to early February 2013. The spear phishing used an attachment called Christmas_Card.app.zip. (Remember, the attack started in December.)

So, that brings us to this bit of advice for those of you who might be targets.

This is the default "Gatekeeper" security setting:


Mac App Store and identified developers

This is the setting that you want, unless you're actively installing software:


Mac App Store

This is the prompt that results when OSX/KitM attempts to install with the stricter setting:



If you're running OS X Mountain Lion or Lion v10.7.5 — adjust your settings as an extra layer of precaution.

SHA1: 290898b23a85bcd7747589d6f072a844e11eec65 On 22/05/13 At 12:45 PM

The Mac spyware discovered at the Oslo Freedom Forum last week is apparently connected to larger espionage efforts — and those efforts look to be connected to India.

Yesterday, the folks from Norman released their Hangover Report.

HANGOVER REPORT (tot.114pg): Indian APT group hacked Telenor, others; related to the MacOS trojans found at OFF blogs.norman.com/2013/security-…— Snorre Fagerland (@SnorreFagerland) May 20, 2013


Snorre Fagerland has confirmed a connection to the C&Cs used by Backdoor:OSX/KitM.A.

Also related, from the folks at ESET: Targeted information stealing attacks in South Asia use email, signed binaries

Apple has reportedly revoked the Developer ID used by KitM.A. On 21/05/13 At 01:35 PM

BBC News has a 13 minute report that's worth a view.



LulzSec hacker: 'Internet is a world devoid of empathy' On 17/05/13 At 12:54 PM