Hackers get into AMD and steal over 30,000 - wait for it - BYTES!

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

A hacker calling himself r00tbeer, supposedly representing a four-strong hacker group calling itself r00tbeersec, has announced on Twitter a hack of chip vendor and Intel rival AMD.

After bragging just over a day ago that "our next target will be a large company, stay tuned for the upcoming database dump," the mighty hackers lived up to their promise. Earlier today they leaked a complete SQL database dump totalling nearly thirty-two KB.

(Yes. You read that correctly. It's just under 32 kilobytes in the new measuring system, and just over 30 kibibytes, as today's youth - who wouldn't know a power of two if it chopped them in half - like to call the old units.)

It's a SQL database of 189 usernames and and what look like PHPass-hashed passwords, apparently retrieved by foul means from AMD's WordPress-driven blog site.

185 of the usernames are accompanied by email addresses, of which 174 are from AMD and most of the rest from two PR companies, edelman.com and bitecommunications.com. A reminder to the PR guys: if you work on the AMD account and you've been using the same password on other sites, stop doing that!

A few of the records also include an intriguing - but unexplained - field called user_activation_key. Whatever those are, it would be a good idea for AMD to deactivate them and issue new ones.

All in all, a small deal in the history of security breaches. More of a hackette than a hack, and no AMD customers need to panic, which is good news.

But every hack is, at its heart, bad news.

If only we were collectively more conscientious about patching against criminals, and if only those criminals were more likely to be caught!

Of course - since, where hacking is concerned, an injury to one is an injury to all - the vast majority of Internet Good Guys amongst us can help make both those things come true.

Patch early. Patch often. Keep logs. Report breaches.

Here's some frank talk to tell you why:

(Duration 15'25", size 11MBytes)

Follow @duckblog
-

View the original article here

Targeted destructive malware explained: Troj/Mdrop-ELD

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

I work in SophosLabs, and one of my jobs is to write detections for new malware. What makes this piece of malware stand apart is that it is targeted.

On the afternoon of 15 August, SophosLabs received a file called str.exe that claimed to be a Microsoft file:

At first glance, the file didn't look to be legitimate, so I launched the program. It copied itself to:

c:\windows\system32\trksvr.exe

The file contained some interesting strings:

trksvr.exe
trksrv.exe
testdomain.com
\System32\cmd.exe /c "ping -n 30 127.0.0.1 >;nul && sc config TrkSvr binpath= system32\trksrv.exe && ping -n 10 127.0.0.1 >;nul && sc start TrkSvr"

Immediately, I became suspicious. There is the apparent misspelling of trksvr (it is also called trksrv in the file - spot the difference?), the use of testdomain.com, and the hackerish way that the code started itself as a service.

The more technical of you might have noticed that the code is interspersed by the command ping -n 30 127.0.0.1, which pauses between actions (about 30 seconds each time on my test machine).

I was confident it was malicious. And, because no other security lab seemed to detect the file, I picked a name, Troj/MDrop-ELD, wrote a quick detection, and went home.

The next day, we saw a flurry of queries about a "new" piece of malware called Disttrack or Shamoon. It turned out that it was the same piece of malware that I had detected the previous night. So one of my colleagues did some more detailed analysis.

Thanks to Darrel for the following information:

Troj/MDrop-ELD is a targeted attack; due to some quirks of the malware, there's currently no chance of data exfiltration (unless you happen to be the company targeted by this attack).

Troj/MDrop-ELD attempts to contact IP address 10.1.252.19 - this is probably the internal IP address of the first owned machine in the target's network - on ports 1103 (xrl) and 1104 (adobeserver).

Troj/MDrop-ELD attempts to gather information about the target's machines:

dir "C:\Documents and Settings\" /s /b /a:-D 2>;nul | findstr -i download
2>;nul >;f1.inf
dir "C:\Documents and Settings\" /s /b /a:-D 2>;nul | findstr -i document
2>;nul >;>;f1.inf
dir C:\Users\ /s /b /a:-D 2>;nul | findstr -i download 2>;nul >;>;f1.inf dir C:\Users\ /s /b /a:-D 2>;nul | findstr -i document 2>;nul >;>;f1.inf dir C:\Users\ /s /b /a:-D 2>;nul | findstr -i picture 2>;nul >;>;f1.inf dir C:\Users\ /s /b /a:-D 2>;nul | findstr -i video 2>;nul >;>;f1.inf dir C:\Users\ /s /b /a:-D 2>;nul | findstr -i music 2>;nul >;>;f1.inf dir "C:\Documents and Settings\" /s /b /a:-D 2>;nul | findstr -i desktop
2>;nul >;f2.inf
dir C:\Users\ /s /b /a:-D 2>;nul | findstr -i desktop 2>;nul >;>;f2.inf dir C:\Windows\System32\Drivers /s /b /a:-D 2>;nul >;>;f2.inf dir C:\Windows\System32\Config /s /b /a:-D 2>;nul | findstr -v -i systemprofile 2>;nul >;>;f2.inf dir f1.inf /s /b 2>;nul >;>;f1.inf dir f2.inf /s /b 2>;nul >;>;f1.inf

This Trojan then attempts to overwrite a number of files in the *userprofile areas of the disk, killing various .lnk, .bmp, .ini, .cab etc file types with a broken JPG (JFIF) file. It also attempts to overwrite the MBR, rendering the machine unbootable. This is most likely being used to obfuscate the source of the user's infection and prevent Data Recovery on the system.

While this is going to be quite frustrating and annoying for users, the good news is that this piece of malware doesn't do anything unrecoverable. The various overwritten files are non-critical ones, so infected machines can be fixed with a fixmbr command from some boot media.

Sophos customers have been protected against this attack since Wednesday 15 August. As always, we are reminded that it is important to back up systems regularly. This particular piece of malware didn't destroy important files permanently, but the next one might.

Follow @sophoslabs

Trojan image from Shutterstock.

View the original article here

Practical IT: Passwords 101 for businesses

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

The human element is often referred to as the weakest link in a secure system. Time and time again studies have demonstrated that we are not good at choosing passwords, nor can we keep them secret.

It’s tempting to give up on passwords entirely. Assuming your users' passwords are always compromised is certainly a sensible starting point. Ensuring that high-value, high-risk assets are protected by more than just a password is no longer just strongly recommended, it’s essential.

Despite this, regular initiatives to shore up password strength are unlikely to be wasted time. Maybe your finance app is well protected but you allow users remote access to a password-protected web-based email portal. If so, don’t underestimate the value of an email account to an attacker. Even a low privileged employee’s account is a great place to learn more about a company and launch a plausible social engineering attack.

Similarly, authenticated staff-only apps are rarely tested as well as the public ones. Once an attacker has a foot in the door, privilege escalation is often trivial. That low-value, password-protected web app could be used as the entry point for a larger, more serious compromise.

The starting point

It isn’t a password policy, nor is it user education. As one of the most visible, user-impacting aspects of information security, passwords are something everyone has an opinion on. The starting point is to don your hard hat, get your facts right and set aside a good chunk of time to handle the inevitable debate. Don’t expect people to thank you either – you’re not going to be very popular for a while.

Hopefully you’ve already got a base password policy for your organisation so it’s probably wise to review it. If you don't have a policy, prepare one.

This is where the contention starts. Understand that commonly-argued points regarding length, complexity, forced changes, etc. do generally have some merit. The tricky part is balancing them.

The balancing act

Sure, enforcing very long passwords will cause people to write them down but allowing 3 letter passwords will clearly make them easily guessable.

Likewise, users hate forced changes but never expiring corporate passwords is a risky approach unless you are very confident they will never be compromised. Be it a phishing attack, a simple mistake (can you honestly say you’ve never typed your password into the wrong window) or an attacker sniffing the network for weak hashes, there are lots of ways for passwords to end up in the wrong hands. For more in this area, Bruce Schneier’s advice is a good read.

Complexity controls (requiring numbers, punctuation, mIxEd cAsE, etc) are another perennial discussion point. They have problems, as famously highlighted on xkcd. Humans are also great at gaming them. I guarantee that given any realistic complexity policy you’ll easily be able to create a weak password which passes. But without complexity controls how do you protect against a trivial dictionary attack? You’ll need to weigh up the risk versus reward for your organisation.

Testing passwords

Although controversial, a solid way of cutting through the debate and assessing which passwords are weak in the real-world is to test them with a controlled attack on the hashes. But make sure you have appropriate authorisation to do this! Performing the test safely and securely can be tricky so it might be a good idea to include it as part of a pentest from a trusted firm. As an added precaution, as soon as the list is generated take steps to keep the cracked password list separate from the associated usernames.

The great thing about this approach is that it will likely use the same common tools and techniques that an actual attacker would employ. Theoretically debating strategies for improving password entropy is one thing but the reality is an attack will likely involve one of a few known tools. If one of those tools, out-the-box, employs a strategy that trivially cracks a password hash then it’s unequivocally and demonstrably weak.

It’s worth noting that given enough time you’ll crack every password, limiting the time spent on an attack ensures you’ll get most value from the result by focusing on worst cases. Telling someone with a password of “A

After conducting this exercise, you’ll likely spot some clear recurring problems with passwords which will really help you with a policy tailored towards your organisation. Every organisation is different so it’s important to do this yourself.

That said, an almost guaranteed finding is that password length is the most important factor. If you enforce one thing, it should be this.

Just as important as the actual policy are the associated guidelines. Include links to sensible strategies like Graham’s, below, and provide some examples of bad passwords based on known user behaviour (obviously anonymously and only after they’ve been changed).

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

Responsibility is important to highlight in the guidelines. Everyone should understand it’s up to them to make sure they choose a good password. Just because a system allows a password doesn’t mean it’s secure!

This may seem obvious but, particularly on systems with strong complexity controls, a common response to a cracked password is: “How can my password be weak, the computer let me choose it?”!

Armed with clear guidelines and an intelligently deployed policy, you’ll probably want to communicate it to everyone using easily cracked passwords. It’s not the time for naming and shaming so use the BCC field and make sure the email carefully explains the test, which account was tested and the next steps to fix it. Obviously including the cracked password, tempting as it may be, is not a good idea. All this will generate some controversy – great!

Getting people thinking and talking about this stuff is half the battle.

Follow @NakedSecurity

Login screen, password sign and system hacked images courtesy of Shutterstock.

View the original article here

Invisible iFrame drive-by malware attacks explained [VIDEO]

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

iFrames and script tags are being used by malicious hackers to serve up drive-by internet attacks, silently and invisibly.

iFrames allow webmasters to embed the content of one webpage into another, seamlessly.

There are legitimate reasons why some websites may want to do that - but what cybercriminals do is exploit the functionality (presumably they have been able to gain write access to the website) to deliver malware such as fake anti-virus or a PDF vulnerability exploit to infect your computer.

What's sneaky is that malicious hackers can make the embedded content invisible to the naked eye, by making the window zero by zero pixels in size. You can't see the threat, but your web browser is still dragging it down.

Check out the following video by our own Chet Wisniewski, which shows how malicious iFrames work:

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

If you want to learn more you can subscribe to our YouTube channel for similar videos. But even better than that, we hold regular "Anatomy of Attack" events where we demonstrate malware threats and you can quiz Sophos experts.

If there's not an "Anatomy of an Attack" event scheduled in your area soon, drop us a note and we'll let you know if and when one is coming to your part of the world.

http://twitter.com/gcluley

Empty picture frame image from Shutterstock.

View the original article here

Monday review: the hot 23 stories of last week

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Tags: Adobe, amd, Apple, bitcoin, correcthorsebatterystaple, dropbox, Facebook, Facedeals, ftc, geolocation, hacking, Java, Kim Dotcom, megaupload, michael dell, Microsoft, Oracle, OS X, password policy, passwords, Patch Tuesday, Practical IT, Pwnium 2, Quora, Steve Jobs, Twitter, WeKnowYourHouse, Wikileaks, wikileaks.org

View the original article here

Japan to test phones which will alert if it sounds like you are being scammed

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Fujitsu and the Nagoya University will begin field trials for phone scam detection technology sometime this month, the organisations announced on Friday.

The scam detection system, which was first announced in March, claims to be able to recognise a phone scammer by combining voice intonation analysis with keyword recognition.

Japan's elderly population is frequently victimized by phone scams, with criminals often posing as acquaintances or authority figures such as police or lawyers.

When criminals pose as acquaintances, they often try to convince their targeted victims that they're in trouble and need money transferred to an account to bail them out.

The system works by detecting the changes in the voice pitch and levels that are common in the intonations of stressed-out victims, by recognising typical words used by voice scammers - "indebtedness," "compensation," "debt," or "repayment," for example - and by alerting family members or others that something's up.

Fujitsu and Nagoya University will equip landlines with detection devices in 100 Okayama Prefecture homes.

When a possible scam occurs, the alarm messages will go out to family members, the police, the bank, and Fujitsu.

On receiving the message, family members will contact the participant and ask what happened, to determine whether the call was in fact a scam.

Meanwhile, the police will immediately visit the participant's house to assess the situation.

Simultaneously; the bank will temporarily halt payment transactions from whatever account was designated by the participant for use in the trial. .

The trials will be carried out in collaboration with the Okayama Prefectural Police, the Okayama Pref. Information Communications unit of the National Police Agency's Chugoku Regional Police Bureau, and The Chugoku Bank.

The voice recognition part of the system might sound like eavesdropping, but Fujitsu promises that it's not.

Rather, the software ignores everything except the number of times a caller uses typical scam words, based on a keyword list provided by Japan's National Police Academy and on recordings of actual remittance-solicitation phone scams.

The technology is designed to recognise a condition known as "overtrust."

Overtrust occurs when victims are overwhelmed with distressing information and lose their powers of judgment.

Aa Fujitsu has described it, there are limits to human powers of perception and judgment. When overwhelmed with distressing information, some people, without knowing it, lose the capacity to objectively evaluate information provided by another party.

When overtrust occurs, victims tend to believe everything they're told - a situation that makes them vulnerable to getting fleeced by scammers.

It's not just the elderly who are susceptible, of course. The quick flash of a toy plastic police badge once caused me and a companion to hand over our wallets when we were touring Athens.

Fortunately, our scammers were overly greedy: they wanted more money than the pittance we had in our wallets and handed them back, asking to see our "hidden" money.

Our intonations and voice levels were likely steeped in stress.

Would you opt for a scam detection system? Would it feel intrusive?

I likely would, particularly were they to come up with a version I could wear around my neck when visiting foreign lands, where I emit the unmistakable aroma of clueless tourist.

Follow @LisaVaas

Young girl on the phone image from Shutterstock.

View the original article here

Online Piracy: Challenging the 'three strikes' approach

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

The 'graduated response' strategy to stopping illegal online filesharing has been replicated in countries around the world from South Korea to New Zealand, France and the UK.

Whilst the sanctions and legal process differ, the general 'three strikes or you're out' approach works by sending warnings to customers about copyright infringement allegations against them, telling them to stop or face the consequences.

These laws are often controversial, and are frequently seen as the result of extensive government lobbying by the film and music industry to protect their out-dated business models.

Nevertheless, the proponents argue they lose vast sums of money from piracy which diminishes the economic growth of creative industries, thus making such laws necessary.

The controversy often lies in the draconian and disproportionate punishments, which go far beyond a casual slap on the wrist.

In New Zealand, for example, a presumption of guilt lies on the alleged infringer, and if they can't disprove the charges, they can face fines up to NZ $15,000 or a maximum six month internet disconnection for repeat infringement.

In France, the law allows a judge to order internet disconnection for up to one year, or alternatively a €1500 fine.

It is this well-established French "Hadopi" system that three years on has now been called into question this week by the French Culture Minister, Aurélie Filippetti.

Aurélie Filippetti condemns the regulator as a waste of money, citing its failure to develop alternative legal download services, and questions the proportionality of disconnecting repeat offenders from the internet.

It costs a whopping €12 million per year for its 60 officers who send around 1 million emails annually.

Although nobody has actually been disconnected under the law, 314 cases have gone through their warnings and then referred for prosecution.

Hadopi is currently under broader review, and its future and funding are uncertain as Filippetti feels its utility has not been proven.

So, what warning might the Hadopi experience provide for other younger graduated response policies, particularly for the UK?

The UK government has recently restarted the push for enforcement of the Digital Economy Act (DEA). Whilst it was rushed onto the statute books back in 2010, enforcement has repeatedly been postponed.

Following the failure of an appeal against the DEA by Talk Talk and BT in March this year the regulator Ofcom reopened their consultation on the draft operational DEA code last month.

The new text states that as of 2014 copyright owners who identify sources of illegal downloading can report this information to the relevant ISPs.

From there, the ISP tracks down the infringing subscriber and posts them notification letters warning them to stop illegally downloading content.

If the subscriber ignores the warnings and receives three of these letters within 12 months, their details are added to an anonymised "Copyright Infringement List".

Once on this list, copyright owners can then seek a court order demanding the ISP hand over the information needed to begin legal action against the infringer.

Whilst the threat of litigation is clearly a pretty big incentive to stop illegally downloading, punishment without changing the underlying reason for such behaviour can only do so much.

As noted above, Hadopi has been criticised for not developing legal alternatives. The Ofcom Code however pushes for directing of users to legal, licensed services, and stresses the need for development of attractive online content services.

This reflects recommendations for reform made in last year's UK Government-commissioned "Digital Opportunity: A review of Intellectual Property and Growth" report, where Professor Ian Hargreaves noted, "Emphasising enforcement as an alternative to improved digital licensing and modernised copyright law is the wrong approach. Action is needed on all fronts. "

He continued, "The role for Government is to facilitate the provision of readily available legitimate digital content, to reshape copyright law where it is out of touch and to support this with effective measures to educate consumers and to enforce the law."

It seems that heavy-handed enforcement and pointing infringers to a few overpriced legal content access services won't be enough to truly address piracy. The content providers who only rely on the big stick of demonising and chasing illegal downloaders need to do more to find their elusive carrot.

Until there are enough innovative, responsive business models allowing quality, low cost access to legal content, (such as licensed streaming) it is difficult to see how copyright owners can realistically compete with the alternative of free, on demand pirated content.

Follow @mooseabyte

Copyright and Skull icon images from Shutterstock.

View the original article here

Blizzard owns up to data haemorrhage - painful but probably not too bad

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Big-time online entertainment outfit Blizzard has just owned up to a data haemorrhage.

One silver lining here (and you know how much I like to find those in any security calamity) is that there doesn't seem to be any weasel-wording going on.

Blizzard president, CEO and co-founder Michael Morhaime himself has taken up his virtual pen to explain that:

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

Blizzard strongly suggests - but manfully doesn't pretend to guarantee - that financial data such as credit cards, billing addresses, and real names weren't got at.

(As you can imagine, the conundrum at the heart of any breach is working out what didn't happen. Breaches invariably lead to a lot of "what ifs", including, "What if the crooks covered their tracks or left a false audit trail?")

A second silver lining is that Blizzard stored and managed its authentication data sensibly.

There are numerous ways to do this; Blizzard chose to use the Secure Remote Password (SRP) protocol, which offers the double whammy of in-transit security (like SSL/TLS or Diffie-Hellman-Merkle) and at-rest security (like hashing-and-salting).

Greatly, if not excessively, simplified, SRP uses public-key-crypto-style calculations so that:

* The client and the server are able to exchange authentication data securely.

* Data packets from an authentication session cannot be reused.

* No hashes or dictionary-attackable data are visible in the client-server exchange.

* The server never needs to write the user's password to disk.

* The server needs a copy of the user's password in memory only once, at password setup time.

In short: sniffing SRP traffic tells you nothing about the user's password, and stealing the server's authentication database doesn't directly reveal any password secrets either.

Nevertheless, since Blizzard's servers hold enough data to verify that you know your password and can type it in correctly at your end, anyone who has a clone of Blizzard's authentication system has what he needs to run a password-guessing attack.

So the usual advice applies:

1. If you chose unwisely, your password could be guessed quickly. Stop choosing unwisely!

2. It's worth changing your Blizzard password right away, even if you did choose wisely.

3. If you've used the same password elsewhere, change that one too, and don't reuse passwords again.

4. If you store authentication data for your users, using solid cryptography to protect it in case it's stolen is good, but not losing it in the first place is even better.

And, even though it doesn't get the data back:

5. If you do suffer a security breach, a sincere apology like Mike Morhaime's goes a long way.

Follow @duckblog
-

Thanks to Naked Security readers Krazymouse and Matt B for the heads-up on this story.

View the original article here

Pentagon bankrolls new worm

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

That headline got your attention, didn't it?

Fortunately - or unfortunately, depending on your opinion of the viability of malware-as-military-ordnance - we're not talking about worm as in virus here.

We're talking about worm as in lumbricus terrestris (or worm as in worm, to you and me).

That's right: a gaggle of researchers from MIT, Harvard and Seoul National University have made international headlines with a technical paper about an earthworm-style robot, apparently bankrolled by DARPA, and published in the IEEE/ASME Transactions on Mechatronics.

You're not likely to read the catchily-titled Meshworm: A Peristaltic Soft Robot With Antagonistic Nickel Titanium Coil Actuators - with the paper costing $31 a look, you'd have to be pretty keen on cybernetic peristalsis - but we can at least show you an image here on Naked Security, thanks to MIT's publicity department.

(If still images don't do it for you, MIT has a video of the worm in action. But don't get too excited: the worm peaks at speeds of 0.005 metres per second. Usain Bolt, for what it's worth, is more than 2000 times quicker - though, to be fair, he doesn't have to wriggle along on his belly.)

So far, the worm is powered and controlled externally, so it's not capable of autonomous operation - so no chance yet of hackers hijacking it "in the wild", as it were.

Nevertheless, there's some fun technology in there.

I can't see the manufacturers of wheeled and tracked military vehicles quaking in their commercial boots just yet. But maybe - just maybe - this invention heralds the creation of a robot vacuum cleaner which can get under the couch and doesn't get stymied every time it comes across a corner.

Follow @duckblog

View the original article here

Monday review: the hot 21 stories of last week

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

View the original article here

Insecure WordPress blogs unwittingly host Blackhole malware attack

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

SophosLabs has intercepted a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit.

Be on your guard if you have received an email entitled "Verify your order", as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.

Here's what a typical email looks like:

Subject: Verify your order

Message body:
Dear [name],

please verify your order #[random number] at [LINK]

We hope to see you again soon!

The websites that are being linked to aren't ones that have been created by the malicious hackers.

They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service - the vulnerable sites are those where people have installed their own WordPress software).

Unfortunately, some people haven't properly secured their sites - which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users' computers.

Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM.

More and more of the attacks that we are intercepting involve the Blackhole exploit kit - recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications.

Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins that it might use).

Follow @gcluley

View the original article here

How social engineering tricked Wal-Mart into handing over sensitive information

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Wal-Mart pretty much sliced itself open and spilled its guts onto the scammer's lap.

In this year's Capture the Flag social engineering contest at Defcon, champion Shane MacDougall used good lying, a lucrative (albeit bogus) government contract, and his talent for self-effacing small talk to squeeze the following information out of Wal-Mart:

The small-town Canadian Wal-Mart store's janitorial contractor,Its cafeteria food-services provider,Its employee pay cycle,Its staff shift schedules,The time managers take their breaks, Where they usually go for lunch, Type of PC used by the manager, Make and version numbers of the computer's operating system, and Its Web browser and antivirus software.

Reporting from the Las Vegas show, which wrapped up a few weeks ago, Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken in to the extent of coughing up so much scam-worthy treasure.

Calling from his sound-proofed booth at Defcon MacDougall placed an "urgent" call - broadcast to the entire Defcon audience - to a Wal-Mart store manager in Canada, introducing himself as "Gary Darnell" from Wal-Mart's home office in Bentonville, Ark.

The role-playing visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract.

"Darnell" said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations.

But first, he told the store manager, he needed a thorough picture of how the store operated.

In the conversation, which lasted about 10 minutes, "Darnell" described himself as a newly hired manager of government logistics.

He also spoke offhand about the contract: "All I know is Wal-Mart can make a ton of cash off it," he said, then went on to talk about his upcoming visit, keeping up a "steady patter" about the project and life in Bentonville, Crowley writes.

As if this wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit.

The compliant manager obliged, plugging the address into his browser.

When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked.

After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years it's been held at Defcon.

Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers are verboten, given that Defcon has no great desire to bring the law down on its head.

Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law.

However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart's pants.

One interesting thing to note: this year's contest took on a battle of the sexes theme, with 10 male and 10 female contestants vying to capture the flag.

Are men better at weaseling information out of people and at lying? Crowley quoted one female contestant who folded under the guilt of lying, saying she "just couldn't do it."

From her writeup:

Some contestants got nowhere with their calls, especially when they posed as outside marketers or researchers. Others froze up when they got a live human being on the line.

One first-time contestant landed a receptive HR representative, only to visibly collapse with guilt. She signaled the tech crew to cut the line.

"I just couldn't do it," she said afterward. "I'm an honest person. I didn't realize it would feel so wrong to sit there lying."

But while females might have more compunction than males about duping others, they're actually better at sniffing out a con.

Back in May, Chris Hadnagy of Social-Engineer.org, which sponsors the annual Capture the Flag contest, told Threatpost's Paul Roberts that female employees at targeted companies were less likely to fall for social engineering ruses than their male counterparts:

"Every time we get a woman on the phone as a target, she does better than the guys. She's more paranoid, and answers fewer questions. Her 'phish' meter goes up quicker and she hangs up."

Its anecdotal, but it's interesting.

In "Brain Sex: The real difference between men and women", a book about the physiological differences between the genders' brains, Anne Moir and David Jessel write that from the fetus's development in the womb, female brains are organised to respond more sensitively to all sensory stimuli, most particularly verbal/aural:

Girls and women hear better than men. When the sexes are compared, women show a greater sensitivity to sound. The dripping tap will get the woman out of bed before the man has even woken up. Six times as many girls as boys can sing in tune. They are also much more adept at noticing small changes in volume, which goes some way to explaining women's superior sensitivity to that 'tone of voice' which their male partners are so often accused of adopting.

What's an organisation to do to protect against getting vished so thoroughly like Wal-Mart?

Will it be technology like the kind Fujitsu's putting into field trials this month: phone scam detection technology that analyses voice intonation and recognises typical words used by scammers?

Or could we perhaps turn around Defcon's "battle of the sexes" and turn it into "cooperation of the sexes?"

In other words, perhaps organisations should rely more on women's inherent strengths at parsing spoken language to detect scams.

Wal-Mart spokesman Dan Fogleman told CNNMoney that the company was "disappointed [that] some basic information was shared" and that it would be mulling over what it should learn from the incident:

When you're in the customer service business, sometimes our people can be a bit too helpful, as was the case here. We emphasize techniques to avoid social engineering attacks in our training programs. We will be looking carefully at what took place and learn all we can from it in order to better protect our business.

Should one lesson for Wal-Mart and other organisations be that women should be conducting the anti-scam workshops?

Let us know your thoughts in the comments section below, and please don't hate on me for emphasising the gender aspects of this interesting lesson in phone scams.

It was Defcon who set it up as a battles of the sexes, not me.

Follow @LisaVaas

Man and woman arm-wrestling, dialling phone number and Wal-Mart images from Shutterstock.

View the original article here

How to report phishing to Facebook

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Facebook has today announced a new way in which it hopes to combat phishing scams targeting its 955 million users.

In a post to its Facebook Security page, the social network has explained that the public can now report Facebook-related phishing emails directly to the company.

All you have to do is forward the phishing email to the following email address:

Facebook says in its post that by forwarding the message you are helping combat attacks, and could assist in forcing phishing websites offline:

By providing Facebook with reports, we can investigate and request for browser blacklisting and site takedowns where appropriate. We will then work with our eCrime team to ensure we hold bad actors accountable. Additionally, in some cases, we'll be able to identify victims, and secure their accounts.

They don't say so in their post, but I would imagine that Facebook's security team would appreciate it if you would forward any phishing messages you receive *with* the full email headers if possible, as that helps determine where the emails have really come from.

Of course, regular Naked Security readers would hopefully never click on a link in an unsolicited email purporting to come from Facebook. Or, at the very least, would have some alarm bells ring and be able to tell that they had reached a *fake* Facebook login page.

For a bit of fun, here is a screenshot of a Facebook phishing webpage. Would you and your friends be able to see why this page is clearly bogus?

Find out the answers to that puzzle here.

Oh, and if you have the time, don't forget to learn about how you can explain phishing to your grandma with our free Threatsaurus book.

If you're on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 180,000 people.

Follow @gcluley

Hat-tip: Naked Security reader Michael Johnson

View the original article here

Creepy Quora erodes users' privacy, reveals what you have read

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

The Quora website launched two years ago, collating questions-and-answers on a variety of topics and receiving favourable write-ups in the media.

It's possible that you were one of the early sign-ups to the service, investigating whether you would find it useful, and don't visit the site much very often. Or you could be one of the die-hard Quora lovers who still gets value out of the site's community.

But there's something that all Quora users should know.

Earlier this month, Quora made a decision which changes your privacy on the site. And they did it without asking your permission first.

They decided to introduce "Views" - functionality which creepily reveals to others the articles you have been reading.

In a trick presumably learnt from a chorus of other uncaring social networking sites, Quora has left it up to the user to turn off the "Views" feature (opt-out) rather than the much more privacy-friendly alternative of asking users to opt-in if they really want others to see what articles they have read.

As we've said many times before - if a feature really is a huge benefit to the user, why do websites have so little confidence that they can encourage users to opt-in rather than thinking it's alright to reduce privacy without asking first?

Now, you may think - why would I care if people can see what questions I have read on Quora?

Well, here's a few examples of the kind of things you could have read:

Still comfortable?

Sandra Liu Huang, a product manager at Quora, tried to justify why the site enabled the "Views" feature by default in a CNET interview:

"It will help writers get feedback to improve the content they write. If it were an opt-in product it wouldn't be as useful to writers because not enough people may go turn it on. It will improve the content and help readers discover useful and interesting content more quickly."

If you don't like the idea of other people seeing what you are reading you have two options:

1) You can change your Quora account settings, by visiting Profile/Settings/Views and choosing "No". (This is the option that Quora enabled without asking your permission)

2) Another option, of course, is to delete your account. Quora helpfully provides a Q&A about how to delete your Quora account.

At the time of writing, over 1800 people have read the deletion article.

What do you think about this new feature of Quora?

Was there a better way for Quora to introduce the technology?

Should people be concerned that it was turned on by default, or are we living in the dark ages by being worried about this kind of thing?

Leave a comment below and let us know your thoughts.

Follow @gcluley

View the original article here

Vote in our poll: is Google's fine of $22.5 million enough to buy privacy?

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

An apparently unrepentant Google has agreed to cough up $22.5 million to the US Federal Trade Commission (FTC) to dispose of charges that it "misrepresented privacy assurances to users of Apple's Safari browser."

As with my previous story about Google and its WiFi trawling, we need a timeline summary to keep track (no pun intended) of what's been going on here:

* In February 2010, Google launched Buzz, a social networking application for Gmail.

The launch drew the ire of of those concerned about privacy, and a class action lawsuit arose alleging that Google "automatically enrolled Gmail users in Buzz, and that Buzz publicly exposed data, including users' most frequent Gmail contacts, without enough user consent."

* In November 2010, Google paid $8.5 million to settle the class action.

As we reported back then, Google didn't pay out nickels-and-dimes to each offended individual in the class action, but agreed to put the lump sum "into an independent fund to "support organisations promoting privacy education and policy on the web."

* In March 2011, Google apologised to Buzz users and settled with the FTC.

The settlement included an agreement by Google to implement a comprehensive privacy program that includes privacy and data protection audits by an independent third party every two years for the next 20 years. Google's apology certainly sounded pretty straight-from-the-hip, telling you that:

User trust really matters to Google. That's why we try to be clear about what data we collect and how we use it — and to give people real control over the information they share with us.

* In December 2011, the FTC busted Google using sneaky web coding to bypass Safari's cookie policy.

Briefly explained in a neat technical posting from the FTC itself, Google overrode Safari's cookie controls to bypass the browser's regular behaviour of blocking so-called third party cookies. (That's a cookie which is set by a site other than the original one you visited.)

Google achieved this by creating an invisible HTML form and then using JavaScript to pretend that the user had submitted it. This caused Safari to process the third-party page, and, by extension, its cookies, at the same trust level as the first-party page. The FTC understandably considered this dubious, not least because the HTML form had neither content nor a Submit button.

So much for giving people "real control over the information they share with us."

* In August 2012, Google agreed to pay $22.5 million to the FTC.

The FTC's argument against Google was simple: the company hadn't lived up to the privacy promises it made to its consumers.

And there you have it. What more to say?

Google will cough up $22.5 million for putting sneaky code into its web pages, even after agreeing that it would get comprehensive about privacy.

Nevertheless, according to reports, Google's public response seems unrepentant - or at least unapologetic - and comes close to dismissing the issue as old, tired and unimportant. The BBC, for example, quotes a Google spokesman as saying: "The FTC is focused on a 2009 help centre page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy."

Optimistically, the BBC goes on to report the comments of Nick Pickles, director of privacy campaign group Big Brother Watch:

The size of the fine in this case should deter any company from seeking to exploit underhand means of tracking consumers. It is essential that anyone who seeks to over-ride consumer choices about sharing their data is held to account.

To be sure, $22.5 million is a lot of money.

But Google already forked out $500 million in August 2011 for helping illegal vendors of pharmaceuticals to place ads on its servers. Not just for taking the scammers' money, you understand, but for helping these "customers" to bypass the controls Google had already put in place to prevent the abuse.

So...is the money enough? Or is Google just treating the penalty as part of its cost of doing business?

Have your say in our poll.

-
Follow @duckblog
-

View the original article here

How to explain phishing to your Grandma [VIDEO]

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Have you ever had to explain phishing to your Grandma?

Are you tech support for friends and family?

If so, then the Sophos Threatsaurus is just the book for you to give to them. This one-minute video shows you why:

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

Whether you’re an IT professional, use a computer at work, or just browse the Internet, this book is for you.

We explain the facts about threats to your computers and to your data in simple, easy-to-follow language.

Download the hot-off-the-press 2012 edition Threatsaurus now!

(Direct download. No registration, no password, no email address.)

http://twitter.com/duckblog
-

View the original article here

Sophos Techknow - Understanding SSL

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Welcome to another episode of Techknow, the podcast in which Sophos experts debate, explore and explain the often baffling world of computer security.

In this episode, entitled Understanding SSL, Paul Ducklin and Chester Wisniewski look into the ecosystem of SSL (Secure Sockets Layer) and TLS (Transaction Layer Security).

SSL is often taken for granted.

To many of us, it's not much more than "the S in HTTPS", or "the padlock in the browser."

But how does it work? Are SSL and TLS the same? Who verifies SSL certificates? How do we know we can trust them? What happens if we realise we can't? What technological glitches do we need to know about?

Duck and Chet discuss all this, and more, in this quarter-hour podcast.

Listen now:

(03 August 2012, duration 16'10", size 11MBytes)

Listen later:

Follow @duckblog
-

Tags: CA, Certificate Authority, collision, DigiNotar, hash, MD5, Podcast, random, randomness, SSL, techknow, TLS

View the original article here

Poisoned DOC file used in targeted malware attack against military contractor

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Experts at SophosLabs are recommending that businesses and organisations check that they are keeping up-to-date with their security patches, in the light of a malware attack that was seen today - targeting a defence contractor.

The attack is similar in nature to one which SophosLabs intercepted a couple of years ago, where a malicious PDF file claiming to be about the Trident D-5 missile, launched from nuclear submarines, was sent to a military contractor.

The latest attack was sent to the contractor - whose name is not being made public by Sophos - embedded inside a file called Details.Doc, attached to the following email:

Dear Sir,

It is so nice to contact you!

We write to inform you that we are some question for your.
View attached document for the detail.
Looking forward to hearing from you soon!

Many thanks and best regards!

trav.whan

The email pretends to be from a YAHOO.COM.TW address but the headers show that emails did not come from YAHOO.

The IP is actually from a personal computer:

Received: from travwhanpc (61-220-44-2xx.HINET-IP.hinet.net [61.220.44.2xx])

The email's attachment - titled Details.doc - exploits the CVE-2012-0158 vulnerability.

Unusually, the file really is an OLE2 format DOC file, despite the majority of files exhibiting this vulnerability being RTF files.

The boobytrapped file tries to drop and execute executable code (in the form of an .EXE file) which will install the 'PittyTiger' backdoor onto the victim's Windows PC.

SophosLabs has released detection for the DOC file as Troj/DocDrop-AF and the EXE as Troj/BckDrPT-AA.

SophosLabs have seen large number of files exploiting the CVE-2012-0158 vulnerability being emailed to companies in a diverse number of sectors - not just those in defence.

The Microsoft security patch, MS12-027, has been available for 3 months now and there are really no excuses for not having applied it.

Follow @SophosLabs

Gas mask image from Shutterstock.

View the original article here

Olympic malware poses as US Women's Gymnastics scandal video

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

SophosLabs has intercepted a malware campaign that has been spammed out, exploiting interest in the London Olympics which are currently making headlines and filling TV schedules around the world.

The emails, which have been spammed out so far in limited numbers, all have a subject line designed to entice sports fans into opening the messages:

Huge scandal with the USA Women's Gymnastics Team on the 2012 London Olympics

Part of the email reads:

Recent Olympic gold medal winner, USA Women's Gymnastics winner Gabrielle Douglas, faces a lifetime ban after reportedly testing positive to banned diuretic furosemide. With details of the case still emerging, British Olympics Committee has ordered a suspension of the athlete until final results arrive.

View the video on youtube now

However, clicking on the link takes you not to the real YouTube website, but a lookalike webpage that runs various pieces of JavaScript code, and asks uses to download an Adobe Flash plugin to view the content.

Sophos products detect the malware as Troj/Agent-XIK and Troj/JSRedir-IA.

As always, remember to think twice before following links in unsolicited messages. And, if you really want to keep up-to-date with the latest goings-on from the London Olympics, visit an established news website for the headlines - don't trust an email that arrives in your inbox out of the blue.

Follow @gcluley

View the original article here

Journo totally owned thanks to over-helpful iCloud support

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Mat Honan is a living example of Journalism 2.0.

He's influential in the social media whirl; he writes - or wrote - for Gizmodo; he used to be something-or-other at WIRED magazine; he lives in the Haight in San Francisco; he's not afraid to say what he thinks about Google; he made a post-modern website about Barack Obama of which he's inexplicably proud (the website, not POTUS); and he's moderately keen on himself - but only moderately so, at least for a Journo 2.0.

Honan has also recently been the victim of a hack - a hack of the "why bother with security when I can talk my way past it" sort for which Kevin Mitnick achieved his infamy.

Indeed, some people will probably spend hours telling us that it doesn't even qualify as a hack, although it effectively hacked Honan's digital life into shreds.

Simply put, the hacker - forget that, the criminal - called up Apple support and tricked them into handing over control of Honan's iCloud account.

Apple recently beefed up its password security by forcing users to provide a bunch of security questions. (For the record, Chester liked the idea, but I thought it was a step backwards, and we argued about it in a Chet Chat. The disagreement starts at about 5'30" below.)

In this case, however, the crook side-stepped any and all security using social engineering, persuading an Apple support staffer that he really was the lawful owner of the account, and thereby getting access.

It's really hard to defend against this sort of attack.

You can have - and enforce - utterly inflexible procedures for password reset, but in my opinion, the main reason companies endorse this sort of inflexibility in technical support isn't to improve security, it's to save money by taking humans out of the loop. The inflexibility means that legitimate users will, from time to time, be incontrovertibly incommoded.

A physical-world analogue of this sort of inflexibility might be a hotel which had no procedure for recovering property from the room safe. "Sorry, Sir," they'd say. "We don't even look to see what you have left in there to work out if it's really yours. We simply drill the safe out of the wall and destroy it in its entirety. We did warn you: don't forget the code."

Or you can keep humans in the loop, and run the risk that their occasional helpfulness will occasionally be off the mark.

That's what happened with Honan.

Sadly, the crook wasn't happy just with breaching security at Apple. The hacker also took the trouble of invoking the remote wipe feature of Honan's iDevices - and he's an unashamed fanbuoy, using an iPhone, an iPad and a Macbook Air. The crook was also able to take over Honan's Gmail account, his Twitter account and - through account linking - the Twitter account of Gizmodo, with whom Honan has, or had, a trusted journalistic relationship.

Of course, Honan found out the hard way about all this criminal activity, because the crook redirected his "did you mean to change your password" emails and changed his passwords.

The lessons to be learned?

* Encrypt everything you put into the cloud, using an encryption solution which operates outside the cloud.

* Keep your online accounts separate. Don't link accounts together for convenience, lest they all get compromised in one go.

* Don't link personal and work social media accounts, lest an injury to one become an injury to both.

* Make and keep backups for yourself, outside the cloud. (Honan admits he didn't, and has gone so far as to call himself "a jerk" for not doing so.)

* Consider an independent remote wipe service, rather than relying on one which is part of the cloud offering it aims to protect.

I know that this advice sounds as though I'm urging you to buy a dog and bark yourself. Why embrace the cloud if you end up re-implementing some of the features it offers you (often apparently "for free")?

The answer is simple: it's your digital life.

Use the cloud to add some convenience to your digital lifestyle, but make sure that you embrace the cloud. Don't let the cloud embrace you!

Follow @duckblog
-

View the original article here