Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.
Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.
Already using Google+? Find us on Google+ for the latest security news.
Our friends at F-Secure have blogged today about a boobytrapped Word document, that appears to be designed to infect computer systems running Mac OS X.
The malicious Word file, examined by the experts in SophosLabs, claims to be about the "6th International Uyghur Women's Seminar & 1st World Uyghur Women's Congress", run by the International Uyghur Human Rights & Democracy Foundation.
Vulnerabilities, exploited in malformed Word documents, install malicious code onto the recipients' computer and a legitimate-seeming Word file with content relevant to the victim is displayed as a smoke screen.
It's clear that the attack is targeted against Uyghur Mac users, and we have seen similar attacks in the past.
Sophos products detect the malware as OSX/Agent-AADL and Troj/DocOSXDr-B.
The obvious question people are likely to ask is... are China to blame for this attack? After all, we have seen several attacks in the past which have targeted minority groups in the country.
There's no 100% proof connecting this attack with the-powers-that-be in Beijing, but you would be a brave man to bet against it.
All Mac users need to keep in mind that it's important that all computers, regardless of operating system, are properly secured - and to be on their guard against attacks.
Whether it's likely that you aren't in China's good books or not, there are more and more cybercriminals investigating how they might infect the many Mac computers out there.
It is true that there is much less malware for OS X than there is for Windows, but that's not going to make you feel any better if you end up targeted in an attack like this.
Mac users, just like Windows users, need to ensure that they install the latest security patches and keep their software properly up-to-date.
If you're not already doing so, run anti-virus software on your Macs. If you're a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.
Anti-virus or, as we say now in the industry, anti-malware testing has been around for years.
These tests and comparatives are the consumer reports of the IT security industry, aimed at educating both the anti-malware developer and the consumer on how a product performs.
There's been a fair bit of activity in the anti-malware testing world lately - both AV-Test and AV-Comparatives released major reports last week, and at Virus Bulletin we're putting the finishing touches to our latest comparative on Windows XP, due out in the next week or so.
As usual at this time of year I've been getting a lot of people asking me, why are they all different? How do I know who to believe? What makes one test better than another, or are they all equally brilliant/useless/biased/random?
They're never easy questions to answer.
Testing anti-malware products is a complex and difficult process, and 'reading' tests - judging their quality, significance and relevance to one's own personal requirements - can be equally taxing.
So, I thought it might help to put together some simple points about how to spot a quality test, and how to judge the relevance of its findings.
Certifications vs. comparatives
To start with, traditional testing falls into two main types: certifications and comparatives.
Comparatives will pit a bunch of products against each other, hopefully on an at least fairly-level playing field, and report which does best, often combining a number of different metrics.
Certification schemes, which I’m going to focus on today, tend not to rank products in order. They instead set a fixed standard and award a badge to all products reaching that standard.
In reality, many testers who have traditionally run comparative testing have moved to a kind of hybrid model, providing some sort of certification awards alongside their comparative figures (this has been Virus Bulletin's approach for many years now).
How certifications work
The 'pure' certification schemes tend to provide little or no information on what goes on behind the scenes. They will work with vendors to ensure their required standard is reached and once it is, the certification is awarded, usually with ongoing testing and consulting to ensure the standard is maintained.
Hybrid approaches are usually a little more open, publishing details of how all participants performed and calling out those which did badly.
While in some cases this may become a form of bullying (pressuring developers to stump up for consultancy fees to solve the problems reported in a test), in most cases honest and legitimate testers will provide participating vendors with ample information to confirm, diagnose and fix any issues they spot.
So, the first thing to consider when a product wins a badge in a test is, what does that mean? What is the standard required to earn the award?
This causes quite some confusion in itself. A surprising number of people assume that holding a 'certified' badge is a mark of extreme brilliance, that only the very best and brightest could possibly attain such dizzy heights, but that is rarely the case.
Certainly in the case of the VB100 award (which I operate), the certification itself is meant as a mark of basic competence, showing a product is reasonably well put-together and maintained - but not necessarily more than that.
For example, if you’re in an elevator and you see a safety kite mark such as TUV, you know it means that it has been tested for conformity to safety standards. You don’t assume that it must also have extra shiny walls, super speeds, or one of those little fold-down chairs for when you get tired.
This is how most certifications should usually be understood. Passing is a sign of quality in the sense of quality assurance, not necessarily an indicator of surpassing innovation.
Finding out exactly how the baseline for a given certification is set is not necessarily an easy task. This in itself should be something of a warning signal - one of the most basic requirements for judging the quality of a test is access to a complete and detailed methodology, and if the methodology is inadequately described, there's no real way for the consumer to tell if the test is worthwhile.
The Anti-Malware Testing Standards Organisation (AMTSO), a cross-industry group working to improve testing, included in its 'Fundamental Principles of Testing' document the words "Testing should be reasonably open and transparent", and this seems like a pretty obvious thing if the end-users of tests are supposed to understand and trust their findings. (Full disclosure - I'm on the board of directors of AMTSO, and helped draft several of its documents.)
At Virus Bulletin, our current requirements are quite simple - products must detect (in standard static scanning and on access) 100% of samples from the most recent 'WildList' (a small but carefully selected set of malware samples which are independently validated and proven to be affecting real-world users). At the same time there must be no false positives in our in-house set of clean files.
We can keep it this basic because our reports also contain a wide range of other metrics, including several other detection measures and a number of speed and performance metrics, including a recently-added stability rating system.
Other certifications will likely include a wider range of requirements - for example, ICSA Labs, one of the biggest players in general security certification, has requirements which include logging and administration features to ensure products are usable and provide reliable reporting as well as quality protection.
Both AV-Test and AV-Comparatives base their awards on a combination of factors from their overall test suite; AV-Test scores each product on a range of areas and sets a passing score which their combined total must reach, while AV-Comparatives has a multi-level award system giving higher value awards to the top performers.
Summary
There can be value in certification tests. But before you even think of relying on a badge or award to judge the relative quality of one solution over another, dig a little deeper into its background and find out what exactly is required to earn that badge.
I was going to include links in here to some of the major test labs’ methodologies, but maybe it’s better to let you find them for yourselves – go to your favourite tester’s website, and dig out their description of how they do their tests and how they grant their awards. Or, just Google the lab name and the word ‘methodology’.
If you can’t find out the full details of how a test works, ask yourself, why not? What’s the big secret? Why should I just take it as read that this test is being done right?
If you do manage to find it, read it through. Does it tell you all you need to know? Do you come away from it with a clear idea of what is being tested, and how?
Most importantly in the case of certifications, does it clearly state what the baseline requirements are for earning the award?
If so, then you’re in luck - this basic understanding is the first step on the road to being able to properly follow and apply the results of a test, compare it with others, and perhaps even find out which really is the best product for your particular needs.
There’s still some way to go though – in my next article, we’ll look a bit more closely at the various group tests and comparatives.
Image of certified stamp and check box courtesy of Shutterstock.
Once again, cybercriminals are leaping at the opportunity to take advantage of breaking news stories to spread malware.
The latest example, coming just days after malware authors exploited interest in the Boston Marathon bombings, concerns the fatal explosion in the small community of West, Texas, of a fertiliser plant.
Here's an example of one of the malicious emails intercepted by SophosLabs, with the subject line "CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas".
Other messages have been seen using the subject line "Raw: Texas Explosion Injures Dozens".
Clicking on the link contained inside the emails takes unsuspecting computer users to a webpage that contains a series of embedded YouTube videos.
Harmless enough, you might think. However, the webpage also contains a 640x360 pixel iFrame, that attempts to suck in malicious content from another site, designed to infect your computer. The attack uses the Redkit exploit kit to take advantage of vulnerabilities on visiting PCs in order to infect them with malware.
The Redkit exploit kit uses a PHP shell hosted on compromised websites to run its operations.
First, Redkit bounces first-level redirects to the next compromised server; then malicious content delivering PDF or JAR (Java Archive) exploits is served up from a command & control server.
Sophos protects against the attack, detecting the injected malicious iFrames as Troj/ExpJS-II and Troj/Iframe-JG.
It seems clear that whoever is behind this malware attack was also behind the attempt to infect computers with malware using the disguise of a news story about the Boston bombing earlier this week.
The criminals behind this attack couldn't care less that innocent people have died in Texas and Boston. Their only interest is making money by exploiting the computers of news-hungry internet users.
Don't make life easy for malicious hackers - and always go to legitimate news outlets for breaking news rather than rely upon unsolicited emails.
Thanks to SophosLabs researchers Paul Baccas and Fraser Howard, and Naked Security reader Nick Burns, for their assistance with this article.
Apple has pushed out a Safari update to go along with this week's Java Tuesday fix.
Apple's browser goes to version 6.0.4 on OS X 10.7 and 10.8 (Lion and Mountain Lion), and to 5.1.19 on Macs that are still running 10.6 (Snow Leopard).
The key change that the new version brings to the party is finer-grained control over Java applets in the browser.
At this point, you're probably asking yourself, "Why?"
After all, as regular Naked Security readers will know, we've been suggesting for nearly a year that you should turn Java off in your browser altogether, unless you are certain that you need it.
We even recorded a dedicated Techknow podcast entitled All about Java to help you make up your own mind on how to manage the risks.
Listen to the podcast, duration 16'19".
We weren't alone in proposing such a blunt-edged tool to deal with the threat from browser-based Java exploits.
Homeland Security's US-CERT team in the United States said something similar, and so did our chum Brian Krebs.
But our advice hasn't been universally popular.
Some readers and listeners hit back at us for being unworldly, pointing out that an all-or-nothing approach to Java in the browser just isn't practical in their world.
One reader, a contractor to an aerospace company that relies on website Java for outsiders to upload their work, pointed out that for him it was a choice between getting paid and following our advice. Other readers told us that their financial institutions insist on browser-based Java for internet banking. And some sysadmins noted that they were required to support in-house applets that wouldn't work with the latest Java versions, forcing them not only to enable Java but also to leave it unpatched.
Even users who were keen to take our advice were stuck at the thorny question, "How do I know whether I need Java or not?"
So Apple has headed towards a middle ground in which Safari allows you to authorise some applets, blocks others outright, and asks you what you want to do with all the rest.
The feature appears in the Security tab in Safari's Preferences pane:
The Allow Java tick-box isn't an all-or-nothing option any more, sporting as it does a shiny new Manage Website Settings... button next to it.
When you first enable Java, all applets on all sites are in an "ask me" state, provoking a question like this when you come across them:
Annoying though this may seem, it's actually a good way of helping you answer that question, "What do I need Java for, if anything?"
Once you've encountered an applet-serving web page, you can click into the Manage Website Settings... window and choose one of four options for the future:
There's a subtle difference between Allow and Allow Always, and it's important to understand it.
The former option will run the relevant applet next time you visit the page, provided that you've kept your Java installation up-to-date; if you haven't, you'll get a handy warning:
The latter option, Allow Always, overrides the version check, and is obviously intended for use only in stubborn cases, such as legacy applets that require an older, insecure Java version.
As Apple advises:
This setting is only recommended for trusted websites that require the Java web plug-in, such as websites that are only accessible on your company's intranet.
For sysadmins who support OS X users on a corporate network, or for contractors like our aerospace worker above, this feature is a good starting point for a "have your cake and eat it" approach to Java in the browser.
But it is far from perfect, not least because there's no easy way to pre-populate the allowlist, and no way to lock down the blocklist.
So, even in an environment where users are keen to do the right thing, mistakes are not only possible, but likely, especially when it comes to the free-for-all Allow Always option.
Intrepid sysadmins, however, might be willing to knit their own scripts for pre-configuring the allowlist (for example, to pre-authorise a set of intranet applets) after taking a look at Safari's plist file.
Use the plutil (property list utility) command to dump your Safari configuration in human-readable form:
If you've added any applets to the control list via Safari's warning dialogs, you'll see how they are recorded near the end of the XML data:
The four possible values of the Manage Website Settings options shown above are encoded into the PluginPolicy key as one of four strings:
The plist is usually in binary format, but if you convert it to XML and edit it, Safari itself will happily load the XML version next time you start it.
With that, a determined sysadmin should have enough information to write a script that automatically populates users' WhitelistedBlockedPlugins settings with an appropriate applet list.
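As an added illustration of the kind of script the article has in mind (this is not Sophos's or Apple's code), the following Python uses the standard library's plistlib, which reads and writes both the binary and the XML plist formats mentioned above. Only the key names WhitelistedBlockedPlugins and PluginPolicy come from the article; the other record fields and the four policy strings are assumed placeholders to be replaced with the values seen in a real plutil dump, and the sample plist is constructed.

```python
import copy
import plistlib

# Key names taken from the article: per-site records live under
# WhitelistedBlockedPlugins and each record's decision is the PluginPolicy string.
PLUGIN_LIST_KEY = "WhitelistedBlockedPlugins"
POLICY_KEY = "PluginPolicy"
# ASSUMED record fields and policy strings: the article does not list them,
# so these are placeholders for the values seen in a real plutil dump.
HOST_KEY = "PluginHostname"
NAME_KEY = "PluginName"
JAVA_PLUGIN_NAME = "Java Applet Plug-in"
POLICY_ALLOW = "PLACEHOLDER_POLICY_ALLOW"
POLICY_ALLOW_ALWAYS = "PLACEHOLDER_POLICY_ALLOW_ALWAYS"   # skips the Java version check
POLICY_ASK = "PLACEHOLDER_POLICY_ASK"


def load_prefs(data: bytes) -> dict:
    """Parse Safari's plist whether it is binary or XML; plistlib autodetects."""
    return plistlib.loads(data)


def dump_prefs(prefs: dict, as_xml: bool) -> bytes:
    """Serialise back out; XML is what `plutil -convert xml1` produces."""
    fmt = plistlib.FMT_XML if as_xml else plistlib.FMT_BINARY
    return plistlib.dumps(prefs, fmt=fmt)


def java_policies(prefs: dict) -> dict:
    """Map hostname -> PluginPolicy for every Java record in the control list."""
    return {
        rec[HOST_KEY]: rec[POLICY_KEY]
        for rec in prefs.get(PLUGIN_LIST_KEY, [])
        if rec.get(NAME_KEY) == JAVA_PLUGIN_NAME and HOST_KEY in rec
    }


def preauthorise(prefs: dict, hostnames, policy: str = POLICY_ALLOW) -> tuple:
    """Add an allow record for each intranet host not already listed.

    Returns (new_prefs, hosts_added). Existing user choices are left alone,
    so re-running is idempotent. Allow Always is refused because it disables
    the Java version check.
    """
    if policy == POLICY_ALLOW_ALWAYS:
        raise ValueError("refusing to pre-authorise with Allow Always")
    new = copy.deepcopy(prefs)
    records = new.setdefault(PLUGIN_LIST_KEY, [])
    present = {r.get(HOST_KEY) for r in records if r.get(NAME_KEY) == JAVA_PLUGIN_NAME}
    added = []
    for host in hostnames:
        if host in present:
            continue
        records.append({HOST_KEY: host, NAME_KEY: JAVA_PLUGIN_NAME, POLICY_KEY: policy})
        added.append(host)
    return new, added


def demote_allow_always(prefs: dict, trusted_hosts) -> tuple:
    """Reset Allow Always back to Ask on every host not in trusted_hosts.

    This is the lock-down step Safari's own UI does not offer.
    Returns (new_prefs, hosts_changed).
    """
    new = copy.deepcopy(prefs)
    changed = []
    for rec in new.get(PLUGIN_LIST_KEY, []):
        if rec.get(NAME_KEY) != JAVA_PLUGIN_NAME:
            continue
        if rec.get(POLICY_KEY) == POLICY_ALLOW_ALWAYS and rec.get(HOST_KEY) not in trusted_hosts:
            rec[POLICY_KEY] = POLICY_ASK
            changed.append(rec[HOST_KEY])
    return new, changed


# Constructed sample: a binary plist in which the user has already clicked
# through two dialogs, one of them choosing the risky Allow Always option.
SAMPLE_PREFS = {
    "ShowStatusBar": True,
    PLUGIN_LIST_KEY: [
        {HOST_KEY: "applets.example.com", NAME_KEY: JAVA_PLUGIN_NAME, POLICY_KEY: POLICY_ALLOW},
        {HOST_KEY: "legacy.example.net", NAME_KEY: JAVA_PLUGIN_NAME, POLICY_KEY: POLICY_ALLOW_ALWAYS},
    ],
}
SAMPLE_BINARY = dump_prefs(SAMPLE_PREFS, as_xml=False)


def roll_out(data: bytes, intranet_hosts, trusted_always=()) -> bytes:
    """One full pass a deployment script would run over a user's Safari plist."""
    prefs = load_prefs(data)
    prefs, _ = preauthorise(prefs, intranet_hosts)
    prefs, _ = demote_allow_always(prefs, set(trusted_always))
    return dump_prefs(prefs, as_xml=True)   # Safari loads the XML form happily


if __name__ == "__main__":
    out = roll_out(SAMPLE_BINARY, ["intranet.example.corp", "applets.example.com"])
    print(java_policies(load_prefs(out)))
```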
And that, in a nutshell, is the new "control Java in your browser" feature in Safari, at least on OS X.
Windows users of Safari, assuming there are any left, are out of luck: as far as we can tell, Safari for Windows is still back on version 5.1.7, which came out last year.
A system administrator - or, more accurately, a former system administrator - from Hostgator, a server hosting company in Houston, Texas, has been arrested for hacking into his former employer's network.
Court documents allege that after Eric Gunnar Gisse, 29, got the sack from his job at Hostgator, he jumped right back into the company's network, using a backdoor Trojan he had planted earlier.
Hosting companies do just what their name suggests: they run racks full of servers, plus a network to connect them all up, and then rent you time and space on one or more of them, so you don't need to own and operate your own IT infrastructure.
The services available typically include: simple websites, where your web pages are handled by a web server that also hosts other users' websites; virtual servers, where virtualisation is used to share out powerful physical servers amongst multiple customers; and dedicated servers, where a specific physical server is provisioned with an operating system and turned over to you almost as if it were your own.
Web hosting is a bit like renting a bed in a backpackers' dormitory; a virtual server is like a room in a boarding house; and a dedicated server is like an apartment in a high-rise block.
Obviously, if you misconfigure your own hosted setup, you run the risk of being hacked and having your online presence ruined.
Most hosting companies try to prevent you from making egregious mistakes, but if you choose to give edit rights to your web pages to a careless contractor, say, that's your lookout.
At the same time, you put a lot of trust in the security competence of your hosting provider.
After all, if your provider configures its network badly, then other customers might wrongly be able to mess with your servers, even though you set up your parts of the system correctly.
Worse still, hackers who are able to get into the operational innards of a hosting business might be able to mess with any and all of the systems on the network.
Gisse, it is alleged, was able to get unlawful access somewhere between these two levels.
According to the affidavit in this case, Gisse's remote access program was found on 2723 separate servers inside Hostgator's network.
That's about 25% of the servers entrusted to Hostgator, according to a commentator on the online community forum webhostingtalk.com.
The court documents claim, amongst other things, that Gisse:
Named his backdoor program pcre, which makes it look vaguely like a commonly-used system library known in full as Perl Compatible Regular Expressions.
Altered the system tools ps and netstat, which list running programs and network activity respectively, to hide his own presence. (This makes his hack a "rootkit", in the old-school Unix sense of the word.)
Stole a Hostgator SSH login key file so he could continue to authenticate even from outside, after being sacked.
SSH (secure shell) is a ubiquitous and general-purpose way of accessing Unix systems remotely by creating an authenticated and encrypted network connection between two computers. Typically, there are two ways of logging in over SSH: by typing in a traditional username and password, and by using a pre-computed public/private key pair.
The keypair approach is popular with sysadmins because it avoids the need to keep typing in usernames and passwords. You generate a keypair, and upload the public key to a secure area on the server; then you can login from any computer on which the private key file is installed.
You can encrypt the private key if you like, which protects it against theft, but many people don't bother so that they can write automation scripts that use the key to carry out administrative tasks.
Gisse was caught, it is claimed, due to evidence that included:
Logs saved as part of a once-a-minute screenshotting tool implemented by Hostgator to keep an audit trail of IT operations. The investigators claim that Gisse expressed the intention to "get himself fired" and to steal data from the company, and also identified logins from his Hostgator account, under the name acdc, to a server in Germany named efnet.pe.
An illicit network connection, open at the time of investigation, between Hostgator and efnet.pe. Apparently, the investigators were able to use the connection in reverse to locate a stash of hacking tools, exploits, and data belonging to Hostgator, as well as a logged-in user called acdc.
If the allegations are true, it sounds as though the suspect was hoist by his own petard, or at least rooted with his own rootkit!
Snapchat, which claims to deliver more than 150 million saucy photos per day between users' mobile phones, has suffered this week from a spam attack.
It's possible - if you are over the age of 17 - that you still don't know what Snapchat is.
It's a smartphone app, available for both iPhone and Android devices, that allows users to control how long a sent message or picture can be seen for, before it expires after a maximum of 10 seconds.
Still not getting the idea? Well, maybe this will help explain the attraction. The service has become notorious because some have touted it as a way of safely "sexting" and sharing naked pictures. Meanwhile, others have argued that it's not safe at all.
What isn't in doubt, however, is that Snapchat has become immensely popular - particularly among young people.
And so it wasn't really a surprise to see users complain that they had been sent photos from scantily-clad women with names such as "Honey.Crush9" inviting them to join them in a Skype conversation.
Receiving such a sleazy photograph can certainly get you into trouble (see the Twitter conversation above, where one user explains her boyfriend would have had some serious questions to answer if "Honey Crush" had turned out to be a secret saucy admirer of his rather than a spammer), but there are other potential security risks.
The messages sent via Snapchat encouraged recipients to connect with the apparent sexy senders on Skype. Once you've made sexy Honey your Skype friend, she could exploit you in a number of ways.
For instance, "she" could send you malicious links with the promise of a webcam chat, or send you spammy links to a dating website, or make automated Skype calls to spread fake anti-virus warnings.
In some of the more eyebrow-raising situations she might enter into a steamy webcam conversation with you, where she strips and encourages you to do the same... only to take photos and video footage for the purposes of blackmail.
Snapchat's CEO and co-founder Evan Spiegel posted a message on the site's official blog apologising for the spam attack, and offering advice to users.
The reason why so many people received unsolicited photos from Honey Crush and her spamming counterparts is that Snapchat allows anyone to send you photo messages. By default, anyone who knows your username or phone number (or who can guess it) can send you a message.
To protect yourself from Snapchat spam like the examples seen above, you can configure the app to only accept messages from users on your list of friends.
According to Snapchat's FAQ, you can change this setting. It tells users to tap the camera icon as if you are going to take a picture, then, tap the square button on the bottom right corner of the screen.
Select "Settings", go to "Who can send me snaps...", and select "My Friends" instead of "Everyone."
What a shame Snapchat didn't make this the default in the first place...
Even if you are used to phishing scams, it still pays to take the occasional look at a scam campaign, just to remind yourself not to let your guard down.
So here's a recent scam in which the crooks are targeting customers of Absa, one of the Big Four banks in South Africa.
The email used in the scam pretends to be a refund from the South African Revenue Service (SARS):
The South African tax year ended on 28 February, so the timing is right, and with the Revenue Service's eFiling system available this year even from mobile phones, more South Africans than ever will be expecting to deal with the tax office electronically.
Of course, even if you are an Absa customer and expecting a tax refund, you should still be suspicious, not least because your bank won't send you login links via email.
Banks avoid sending you links to their secure banking sites precisely so they can tell you, "Never click on emailed login links, because they won't be from us."
There are other tell-tale scam signs here, too, if you are alert to orthographic (writing and spelling) clues, such as these:
The Revenue's online service is called eFiling, not EFilling.
Dates in South Africa are written with the month in the middle, where it jolly well belongs, so 18 April 2013 is 18/04/2013, not 04/18/2013.
Note that you shouldn't rely on spotting phishing emails and websites only by looking out for errors of this sort, because there is nothing to stop the crooks being careful.
But if you spot something that obviously doesn't look right, assume the worst.
If you do click the link without thinking, you won't go to Absa's website, but instead to a hacked website in Korea.
The server itself isn't owned by the criminals - it's just being "borrowed" to provide free IT services for this phish.
The Korean site doesn't actually host the fake banking pages, but instead simply bounces you, using an HTTP redirect, to a hacked site in the Netherlands, where the fraudulent login process begins.
The visual appearance of the fake pages is professional, largely because the criminals have ripped off Absa's own HTML and JavaScript code to reproduce the look and feel of the real thing, right down to the virtual keyboard asking for your PIN:
Then you are asked to enter your password:
Note that Absa's login system usually only asks you for a randomly-selected subset of the characters in your password, as a precaution to stop a crook from learning your entire password from a single login attempt.
This doesn't improve security enormously, but it does make things harder for a cybercriminal or a shoulder-surfer, and it is a designed-in part of Absa's login process.
So, take the trouble to familiarise yourself with what your bank advises you to look out for.
In this case, the phishers are greedily asking for your entire password in one shot, presumably so they know all the possible characters for next time; this should be a tell-tale sign that something is wrong.
The next screen asks you to put in the Random Verification Number (RVN) code that Absa sends to your mobile phone as a one-time password:
This should ring alarm bells even more loudly.
Absa specifically documents that the RVN is used only in special cases involving more than simply looking at your balance, which is what the original email was inviting you to do:
When creating a new beneficiary, changing transfer limits, or other kinds of sensitive transactions, a special one-time password, called a Random Verification Number (RVN), will be sent to your cellphone. You must type this into the indicated field for verification. Just before the payment is made, another one-time password will be sent to your cellphone, called a Transaction Verification Number (TVN) to confirm the transaction. These passwords can only be used once, and dramatically decrease the risk of being defrauded.
The only plausible reason you'd be asked for an RVN code when you thought you were just checking your balance is that you aren't talking to the bank's real site, but to an imposter site that is attempting a Man-in-the-Middle (MiTM) attack.
The idea is that you perform what you think is an innocent transaction with the bank, while the Man-in-the-Middle commences a simultaneous sensitive transaction with the real banking site - such as telling the bank that you just agreed to pay out money to him.
When the bank asks the Man-in-the-Middle a question he can't answer, he asks you. And what you tell him, he tells to the bank as if he knew it all along.
You think you're talking to the bank and asking it to do X, but you're really talking to the MiTM, who uses the security information innocently submitted by you to ask the bank to do Y.
This is why it is vital to keep checking, throughout any online banking session, that you are on the bank's real site.
If you're an Absa customer, for example, you need to know that Absa's internet banking site is called https://ib.absa.co.za/, and that it uses HTTPS, or secure HTTP.
Don't look in the web page itself for "proof" that the site is secure, because the crooks try to fill their fake pages with security reassurances.
In this phish, for example, the first page in the fraudulent login sequence advises you to watch out for phishing scams, and even correctly advises you never to login from links sent via email:
Always look in the address bar (which can't be directly modified by a web page, only by the browser itself) for the tell-tale HTTPS padlock.
In most modern browsers, you can also click on the padlock in the address bar to double-check who owns the secure website:
The identification information in an HTTPS transaction isn't infallible - it's a bit like the certification stamp on a certified copy - but if it is wrong or missing, then you can be certain you are being tricked.
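As an added illustration of the address-bar check above (constructed for this page, not code from the original article or from Absa), here is a function that judges a URL the way the text says you should: exact HTTPS host, nothing else. The only fact it takes from the article is the hostname ib.absa.co.za; the phishing-style URLs in the comments are made-up examples.

```python
from urllib.parse import urlsplit

# The one address the article gives for Absa's internet banking.
EXPECTED_HOST = "ib.absa.co.za"


def address_bar_problems(url: str, expected_host: str = EXPECTED_HOST) -> list:
    """Return the reasons this URL is NOT the bank's real HTTPS site.

    An empty list means the address bar looks right; anything in the list is a
    reason to stop. Only the address is judged, never the page content, because
    crooks fill fake pages with reassurances."""
    problems = []
    parts = urlsplit(url.strip())
    expected = expected_host.lower().rstrip(".")

    if parts.scheme != "https":  # urlsplit already lower-cases the scheme
        problems.append("not HTTPS (scheme is %r)" % (parts.scheme or "none"))

    if parts.username is not None or parts.password is not None:
        # Constructed trick URL: in "https://ib.absa.co.za@203.0.113.9/" the bank's
        # name is only the username; the browser connects to 203.0.113.9.
        problems.append("a user@ prefix hides the real host after the @")

    host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased, port stripped
    if not host:
        problems.append("no hostname at all")
    elif host != expected:
        # "ib.absa.co.za.secure-login.example" contains the bank's name but is
        # a different registered domain: a lookalike, not a near miss.
        kind = "lookalike" if expected in host else "different site"
        problems.append("%s: host is %r, not %r" % (kind, host, expected))
    if "xn--" in host:
        problems.append("internationalised hostname (punycode); look for lookalike letters")

    try:
        port = parts.port
    except ValueError:
        port = None
        problems.append("malformed port")
    if port not in (None, 443):
        problems.append("non-standard port %d" % port)

    return problems
```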
Finally, you're asked for the Transaction Verification Number (TVN):
With your PIN, password and a TVN, the crooks could, at least in theory, pay out money, but only to someone who is already set up as a beneficiary on your account (a person you pay money to).
So they might be able to pay your electricity bill, or send a gift to your mother.
But with a one-time RVN as well, the crooks could, at least in theory, add themselves as a beneficiary first, and then use the TVN to send themselves some of your money.
So always be on your guard.
In this phish, any one of these signs should have been enough to put you off, even if you were an Absa customer awaiting a taxation refund:
Orthographic (writing and spelling) errors in email.
Clickable link to login page in email.
Wrong link, going to a site in Korea.
Link redirects to wrong location, going to a site in the Netherlands.
Login site not correct for Absa.
Login site not encrypted with HTTPS.
Non-standard procedure for password entry.
Inappropriate request for Random Verification Number (RVN).
If you detect the smell of phish at any point in the process, pull the plug.
The longer you stay "on the hook," the more security information the crooks will end up getting out of you.
Most of us know that there is no such thing as 100% security, and that - unfortunately - it's only a matter of time until a security incident occurs.
Despite this, it's rare to see a good incident response process and plan in place.
When an incident occurs, it's more common to observe frantic running around and (admittedly smart) people improvising action plans.
The lack of upfront preparation can lead to disaster, as bad decisions get made under pressure.
Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).
Have an incident response plan. It is, of course, the most obvious advice; however, you would be amazed at the number of organisations that "haven't quite got around to it yet".
It doesn't need to be 400 pages long (nor should it be half a page most likely) but documenting your incident response plan and distributing it up front can make a massive difference when the inevitable occurs.
Pre-define your incident response team and make sure it draws from multiple disciplines. A good incident response team should not just consist of IT or security people (though they undoubtedly need to be a strong core), but should also include PR, HR, Legal and executives to name just a few.
For instance, not involving the PR team could result in external communications that are more damaging than the breach in the first place.
Make sure each member of the team is briefed on their involvement and expectations. Watch that list of team members, however. It gets old quickly as people leave, go on vacation or just forget what they signed up for.
Define your approach: watch and learn or contain and recover. We have seen great examples of this in the news recently. When an incident occurs and is verified - for instance a hacker compromising one of your web servers - you need to make the call on whether to recover as quickly as possible or to watch the attacker and learn.
You need to make this policy decision upfront because it requires good preparation, executive support and a skilled team to manage the risk. Most organisations will (and should) focus on containing the damage and recovering business systems.
Detailed forensics and observing the attackers is often too great a business expense for many firms, but don't give up entirely on capturing evidence - you never know when you may need it later.
If you are a target likely to come under persistent long term attacks from adversaries (perhaps a nation state, a competitor or a hacking gang that you have riled somehow) learning more about your adversary to help build future defences can make a lot of sense.
You should not venture down this path unless you have the resources (people, duplicate systems, network infrastructure for suitable containment) to execute it successfully, and it absolutely requires executive buy-in, or you will find yourself out of a job very quickly if it goes wrong.
Make this decision up front, discuss the risk attitude of the business and alter your incident response process appropriately. Of course, you won't watch and learn on every attack, so identify the two paths and when you will use them.
Pre-distribute call cards. Another common mistake is to depend upon your normal communication infrastructure in the event of an incident.
Imagine that the LAN stops working, no-one knows anyone else's number and email doesn't work. It will be pretty tough to handle an incident in that situation.
Decide up front communication methods, choose a call bridge or similar and then distribute details to each of the stakeholders.
Forensic and incident response data capture. This goes wrong a lot. During and after security incidents, pressure can be high and there is a tendency to rush, which - of course - means mistakes are made.
You need to ensure that you have comprehensively captured the right data and logs without taking up hours you don't have - it's not a trivial balance.
In particular, define how you will capture notes (I like a lined, dated paper notebook which is easy for courts to get their heads around) and evidence.
Do you run Volatility to capture memory? Do you power off the machine and take an image of the disk to capture as much as you can before the attack shuts down? Decide in which instances you will follow each path and build a toolkit ready to go.
Get your users on-side. Incident response is not just an 'IT thing'. Make sure your incident response links up with your organisation's acceptable use policy and security awareness program.
You want your users to know how to tell you if they think an incident is occurring. In particular, system administrators, application owners and data owners should know how to contact you if they spot something unusual. The incident response process can then be spun up (or spun down if it's a false alarm) quickly.
Don't just write the policy and leave it on the intranet somewhere.
Know how to report crimes and engage law enforcement. Certain types of incident may require you to report to law enforcement, but often, when such an occasion arises, no-one knows exactly how to do it.
From having your web server hacked to the theft of credit card details or IP, it pays to understand the process and requirements in advance. Check out Naked Security's quick guides on reporting computer crimes and find out who your representative is before you need them.
Practice makes perfect. The process can be documented, but when it comes time to use it, the bridge is enabled and no one connects or knows what to do. Stage an incident and have your team dial in and work through the mock scenario.
Of course, be sure to make them aware that it is a drill or you might end up in the awkward scenario of announcing a practice-run to the real world as if it actually happened. It's hard to convince people you weren't hacked retrospectively!
Here is some recommended further reading if you are building an incident response plan, brought to you by SANS (good sample incident forms) and NIST (draft on incident handling - PDF).
Happy incident handling.
Images of bad news, happy team, and files courtesy of Shutterstock.
Oh, the joys of late night television in the United States!
When there's nothing funny on American TV, you can always rely upon an infomercial selling some crazy product to have you chuckling or simply agog in disbelief that anyone would ever buy such a thing.
Ellen DeGeneres clearly feels the same, and she recently focused some attention on a product that claimed to solve a computer security problem experienced by many internet users - how to remember your passwords.
Take a look at the video below about the "Internet Password Minder":
As one of the customers featured in the infomercial breathlessly explains:
"I don't have to worry anymore about security or identity theft... I now have all my passwords in one place. It's great"
At first I thought perhaps the people behind the "Ellen" show had made the infomercial as a spoof, but now I'm not so sure. After all, I find it hard to believe that *any* infomercials are real.
As Ellen amusingly asks, wouldn't it be cheaper to save money and write all your passwords on a $5 bill?
You could even keep the (patent-pending - don't steal the idea!) $5 bill password minder in your wallet if you liked - much more convenient than the book-sized Internet Password Minder!
Sheesh.
Here's my own video explaining how to generate a tough, hard-to-crack password that is still easy to remember.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
If you can't remember your passwords, and have difficulty juggling different passwords for different websites, then just use password management software like KeePass, 1Password or LastPass.
It makes a lot more sense than Ellen's Internet Password Minder or a $5 note.
Well done to Ellen for raising awareness of password security issues with her large TV audience in an amusing way.
PS. Just as I was about to publish this article, I found a comment on Ellen's website from someone who claims to be the woman in the infomercial who no longer worries about identity theft.
Hat-tip: Paul Baccas of SophosLabs, who hasn't yet explained what he was doing watching Ellen.
Most of us are inured to email spam, and it's hardly surprising that there is so much of it, since email is an open ecosystem.
Loosely speaking, anyone can run an email server of their own, or an email client, and connect to any other email server to inject good, bad or indifferent messages into the email universe.
If you don't want to run your own server, there are thousands of organisations that will offer you space on their servers, from webmail giants like outlook.com and Gmail, to conventional email providers such as your ISP.
Internet email is a giant mesh of interconnected service hubs, each with its own set of spokes (its population of users), exchanging messages using well-known open standards with names like SMTP, POP and IMAP.
In contrast, social networks like Twitter are closed ecosystems.
There's only one service provider, and, logically if not physically, just one server, with every user connecting to that single messaging hub.
Naively, then, it's easy to assume that spam would be easy to control, and infrequently seen, on sites like Twitter.
But Twitter's "single hub" is more like a country or a planet than a village or a town, and it has hundreds of millions of spokes, rather than the 30-or-so that the mental image of a bicycle wheel conjures up.
In fact, Twitter and its users have perennial problems with spam, as a quick search of Naked Security will reveal:
Within seconds of the news breaking that Pope Benedict XVI was to retire, spam began to appear on Twitter taking advantage of the story.
Motor-mouthed UK "Top Gear" celebrity Jeremy Clarkson, who has more than 1.7 million followers, had his Twitter account compromised by spammers who bombarded the Twittersphere with links to a bogus news website promoting an Acai Berry diet solution.
Bogus warnings claiming you'd been featured in an online photo surged across Twitter, leading those who clicked to a website infected with the infamous Blackhole Exploit Kit.
Free iPad and iPhone scams tricked you with a bait-and-switch in which the "free" iDevices evaporated and costly SMSes or other quite different offers took their place.
Twitter isn't powerless against spams and scams of this sort, and has fought back not just online, but also in the courts, notably taking action last year against companies that live off Twitter-spamming software, or off large numbers of automated Twitter accounts.
With this in mind, you might be surprised that the micro-blogging site's own Twitter identity for reporting spam, the easily-remembered account @spam, has been killed off.
Not to worry, though.
Twitter simply wants you to send your spam reports to @support instead.
No big change, and probably (if the truth be told) a wise decision to use @support as a generic clearing house for customer-facing issues of all types.
After all, the word "spam" is like "virus" these days.
Everyone knows what "spam" means in everyday conversation: e-stuff you didn't want to receive.
The English language loves the transfer of meaning, happily extending "spam" so that it means "any sort of unwanted garbage delivered electronically", and adapting "virus" to cover "any sort of bad software." That's metonymy, the same figure of speech by which we read "Redmond" yet think "Microsoft", or "Crown" but think "the apparatus of statehood."
But in the context of a security complaint, does @virus cover @Trojan, and @spam cover @scams?
Does @spam cover lolcats sent in great quantity by someone you'd rather not hear from, or should problems of that sort go to @partialstalking or to @iunheartlolcats?
No need for that sort of uncertainty anymore.
Just remember:
Use @support for anything that you think requires attention by Twitter, including spam in all its metonymic forms.
Do send in reports. If you don't report it (as the cops like to remind us about minor crime), then officially it didn't happen, so it can't get the attention it deserves.
Oh, and don't forget that Twitter allows you to report spammy accounts in a single shot, so you don't have to report message after message.
Assuming you're logged into Twitter, you can just go to an account's profile page, click on the "person icon" pulldown menu, and choose Report @account for spam.
Lastly, if you are faced with a spammy link, but you're pretty sure it doesn't go anywhere directly dangerous, don't be tempted to click it anyway "just to see."
Here's a video that makes just that point:
Even if an unsolicited link doesn't put you immediately in harm's way, remember the advice you can see in the video above: don't buy, don't try, don't reply.
Is Facebook Home the long rumored Facebook phone? Nope.
Rumors of a Facebook phone are nearly as common as OS X users who don't think they need anti-virus, but that doesn't make either one of them true.
Facebook is avoiding the hassles of designing and manufacturing its own hardware, but nevertheless making a land grab for control of the user experience.
The concept is simple: replace the lockscreen and application launcher on popular Android devices with a streamlined, Facebook-focused experience.
It is only available on a few devices at this time, including the Samsung Galaxy S3, Samsung Galaxy Note II, HTC First, HTC One X, and HTC One X+.
So I thought I would take a quick look at it from a security and privacy standpoint.
Modifying things like lockscreens can easily go sideways, as we've seen in the past with iOS.
In fact, without even considering how the app is designed to work, there are already reports of Home disabling the built-in Android pattern/passphrase lock on the new HTC First.
That isn't supposed to happen, of course, so I would think twice about enabling it until Facebook is able to release a fix.
What Facebook Home is supposed to do is replace your plain vanilla lockscreen with a continuously-updated feed from your Friends, a feature they call Cover Feed.
You will see their photos, wall posts, comments, Likes, and more, all the time, in real time.
All of this information is visible without unlocking your phone and provides the opportunity to double-tap to Like the content you are viewing.
This is an interesting new take on the "lock" in "lockscreen," and while the always-logged-in "privacy is dead" angle won't be a surprise to Facebook fans, it raises worrying opportunities for abuse.
Just imagine what some of your friends might post to their walls simply to have it show up on your phone during a business meeting!
Even if you are not a Facebook Home user, you'll still be impacted.
When you post a photo or comment, you won't know when or where it will show up on your Friends' phones, or who might be around to see it.
And if you travel a lot, you may end up stuck with some heavy-duty roaming fees from downloading all of those photos, all of the time.
The Facebook Home Launcher component is largely uncontroversial.
It's uncomplicated, and while it steers you towards Facebook functionality and apps rather than Android ones, it seems perfectly functional.
The feature people seem to like the best is called Chat Heads.
I have to admit, if I were a frequent Facebook chatter I would love this -- in fact I wish Google Talk worked more like Chat Heads.
The idea is your Friends' photos appear as little circles at the edge of your screen, popping out and displaying any chat messages, no matter what application you are using on your phone at the time.
My verdict?
If you are a heavy Facebook user and don't mind the privacy risks, I think you'll really like Facebook Home. (I'd wait until Facebook works out the lockscreen bypass problems, but otherwise it isn't inherently broken.)
But if you are a corporate user and enlisted in a BYOD program, I'd steer clear.
In fact if I were administering a BYOD program, I would disallow Facebook Home, as I feel there is too much room for information leakage for it to be a safe choice in a business environment.
My advice?
Take the time to think through the privacy implications before you install it.
Be understanding if your employer doesn't let you use it on BYOD devices.
Consider living without the Cover Feed option, even if you love the idea.
We've written recently about Apple and Automattic starting to offer two-factor authentication (2FA) for online accounts.
Word on the street says that Microsoft will soon be doing the two-step, too.
The rumours all seem to stem from one source, Microsoft technogoss site liveside.net, whose allegedly-leaked screenshots of not-yet-public interface pages seem to bear out the story.
So, with appropriate caution given that all roads seem to emanate from the same place, here are some screenshots of liveside's screenshots.
This one shows what purports to be a new option in the Security info tab of the Microsoft account configuration interface:
And here's what is supposed to be the initialisation step for the newly-activated 2FA feature:
It's not clear exactly what the "Don't ask me for a code" tickbox is for, but it looks as though you will be able to exempt your most commonly-used device (say, your day-to-day laptop) from needing 2FA-protected logins.
I hope that's not the case, because 2FA adds real value if you use it as a matter of routine, not if you use it only in special cases.
Sure, you can argue that an oft-used and cherished laptop is less likely to get you into trouble with a keylogger than, say, a PC in an internet cafe or a kiosk at the airport.
But if you care about security, you won't read your email, personal or business, on kiosks or in internet cafes at all.
And if you genuinely cherish that oft-used laptop, and your oft-used accounts, you'll want only the best levels of security every time you use them.
Adding further veracity to the liveside claims is the recent, quiet appearance of the Windows Phone Authenticator app in the Windows Phone Store:
Incidentally, Microsoft's own Phone Store summary reassures you that the app "implements industry-standard security code generation," and one of the screenshots from liveside's stash advises you:
If you have an iOS, Android or BlackBerry device, search your app store for an authenticator app.
So it looks as though you'll be able to buy into Microsoft's 2FA without buying a Windows Phone on which to run Microsoft's app.
Furthermore, a commenter on liveside claims that the "Use a different verification option" in the second screenshot above leads to a configuration page on which you can choose SMS-based verification codes if that's what you prefer.
Are you convinced?
I must say that the word-on-the-street sounds pretty believable, and if it's true, then it's great news.
(On the other hand, the selfsame street blithely assured us that Microsoft's most recent Patch Tuesday update for Internet Explorer would fix the vulnerabilities exposed at the 2013 PWN2OWN competition, but that turned out to be untrue.)
Anyway, even if everything here is spot-on, you can't force horses to drink, albeit that you have led them to water.
So if (or when) this feature does go live, it will be interesting to see how quickly and widely Microsoft cloud users will adopt it...
SEOUL, South Korea (AP) — North Korea was responsible for a cyberattack that shut down tens of thousands of computers and servers at South Korean broadcasters and banks last month, officials in Seoul said Wednesday, noting that an initial investigation pointed to a military-run spy agency as the culprit.
The accusation comes as tensions run high on the Korean Peninsula, with North Korea delivering increasingly belligerent rhetoric as it stews over U.N. sanctions and U.S.-South Korean military drills.
Investigators detected similarities between the March cyberattack and past hacking attributed to the North Korean spy agency, including the recycling of 30 previously used malware programs — out of a total of 76 used in the attack, said Chun Kil-soo, an official at South Korea's internet security agency.
Investigators believe that six computers in North Korea were used to access South Korean servers using more than 1,000 IP addresses in 40 countries overseas, Chun said. Thirteen of those IP addresses were traced back to North Korea.
He said the attack appeared to have been planned for about eight months.
"We saw evidence that the attack was extremely carefully prepared," Chun said at a news briefing.
The March 20 cyberattack struck 48,000 computers and servers, hampering banks for two to five days, although Financial Services Commission official Lim Wang-sub said Wednesday that no bank records or personal data were compromised. Staffers at TV broadcasters KBS, MBC and YTN were unable to log on to news systems for several days, although programming continued during that period. No government, military or infrastructure targets were affected.
It was not the first time Seoul has blamed Pyongyang for such online assaults.
South Korea's National Intelligence Service said North Korea was behind a denial of service attack in 2009 that crippled dozens of websites, including that of the presidential office. Seoul also believes the North was responsible for cyberattacks on servers of Nonghyup bank in 2011 and Joongang Ilbo, a national daily newspaper, in 2012.
North Korea blamed South Korea and the United States for cyberattacks in March that temporarily disabled Internet access and websites in North Korea, where a small number of people can go online.
Though Wednesday's findings were from an interim investigation report, the final conclusions were not likely to change much, said Lim Chae-ho, a professor of network security at the Korea Advanced Institute of Science and Technology.
"Future evidence will strengthen the case rather than reverse it," Lim said. "It is worrisome that the North's cyberattacks are getting increasingly severe."
Experts believe North Korea trains large teams of cyber warriors and that the South and its allies should be prepared against possible attacks on key infrastructure and military systems. If the inter-Korean conflict were to move into cyberspace, South Korea's deeply wired society would have more to lose than North Korea's, which largely remains offline.
A security researcher from San Jose in California has published a how-to guide detailing a number of vulnerabilities in various Linksys routers.
Phil Purviance, who goes by the handle of SUPER.EVR (EVR stands for Exploitation Vulnerability Research), reported the holes privately on 05 March 2013:
Hello Cisco PSIRT, I would like to report several vulnerabilities in Linksys network equipment. A public advisory regarding these issues may be released 30 days after sending this report.
And Purviance certainly lived up to his threat, publicly releasing the gory details on 05 April 2013 on his blog.
I don't want to get sidetracked into a discussion about the disclosure process here - whether 30 days was long enough, whether it was fair to expect a reply after emailing Cisco, which no longer owns the Linksys brand, or whether explicitly documenting the holes was wise.
You'll have to make your own mind up on those issues, because the purpose of this article is to zoom in on one of the holes to see what we can learn from it.
The vulnerability we'll be looking at is:
Linksys EA2700 Password Change Insufficient Authentication and CSRF Vulnerability
Imagine that you are trying to penetrate a network inside a building that is monitored by security guards, offers no remote computer access, and is surrounded by an electric fence and motion detectors.
You're not going to get inside, but now imagine yourself holding up a placard outside one of the office windows saying, "Kindly enable remote login on port 5128 and change the password to b4nana," and waiting a while.
Imagine if it worked!
That's a simile for one of the bugs that Purviance found.
It gets the tag CSRF, for Cross Site Request Forgery, because it lets you embed, in an external web page (that's the placard outside the window), a URL that refers to a configuration script that will run on your router (that's the list of instructions on the placard).
So the Cross Site Request isn't a demand from an angry web server, but rather a web page that deliberately takes you to site B via site A.
In this case, visiting an otherwise innocent-looking external site can cause your browser to initiate internal actions on your router.
And if the router assumes that you are authorised simply on the basis that you are issuing the request from inside the network, an external attacker can easily use you as his "inside proxy" to violate security.
The unprotected configuration page found by Purviance permitted just the sort of silent reconfiguration jokingly shown on our placard: enabling external router admin (something you should never be tempted to do by choice), changing the password, and more.
So much for the metaphorical electric fence, the security guards and the motion detectors.
Of course, for this attack to work, the criminal needs to know what internal URL to embed in his external web page, which means he needs to know the internal name or IP number of your router:
That's so that when your browser processes the dodgy URL, the malicious reconfiguration request goes to the right web page on the right router, and produces the right HTTP request, as in the example above.
In Purviance's example, as above, he chose 192.168.1.1, which is a good guess for many networks.
Private IP address ranges for your home or business network run from 10.0.0.0 to 10.255.255.255, from 172.16.0.0 to 172.31.255.255, and from 192.168.0.0 to 192.168.255.255. Advocates of security through obscurity suggest choosing randomly from the available private spaces, and as long as you don't rely on this as a security measure in its own right, you might as well do just that.
By the way, the problem of internal command-and-control URLs embedded into external websites (the Cross Site Request part) is why many web services require you to enter your password again to authorise key operations, even if you are already logged in.
That not only prevents curious (or malevolent) colleagues from making long-term changes to your configuration if you inadvertently leave your screen unlocked, but also makes attempted alterations caused by CSRF more obvious.
Requiring re-authentication not only makes the CSRF fail, but also draws your attention to the attempt because an unexpected password dialog pops up.
So, the lessons to learn from this bug are:
Don't gripe at websites that ask for your credentials again when performing configuration or security-related tasks. The inconvenience is a small price to pay for the additional safety.
Keep your eye open for firmware updates for your routers and other network hardware. Security patches don't just apply to desktop operating systems and applications.
When writing web services that are worth password-protecting, don't just protect access to the URL of the relevant starting page. Make sure that the individual URLs that accept and process commands (whether by GET or POST requests) are all authenticated, too.
Log out from web services when you aren't using them. Don't needlessly leave yourself in the position that accidental or unexpected clicks can have unintended side-effects.
Yes, the last point above includes logging out routinely from Facebook, Twitter and your webmail, too. It's much more convenient to stay logged in all day, but much less safe, and very much less secure.
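To make the third lesson and the re-authentication point concrete, here is an added, constructed model of a router's configuration endpoint (not Purviance's code and not Linksys firmware; the path, parameter names and status codes are hypothetical). The unprotected handler processes the command URL on sight; the hardened one authenticates that URL itself, not just the start page, and asks for the current password before security-relevant changes.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

APPLY_PATH = "/apply.cgi"   # hypothetical command URL of the model router


@dataclass
class Request:
    method: str                                   # "GET" or "POST"
    path: str
    cookies: dict = field(default_factory=dict)   # attached by the browser automatically
    params: dict = field(default_factory=dict)    # query string or form body


@dataclass
class Session:
    csrf_token: str   # per-session secret that an external page cannot read


class ModelRouter:
    def __init__(self, password: str = "admin"):
        self.password = password
        self.remote_admin_port = None             # None = remote admin disabled
        self.sessions = {}                        # session cookie value -> Session

    def login(self, password: str) -> Optional[Tuple[str, str]]:
        """Returns (session cookie value, csrf token) on success, None otherwise."""
        if not hmac.compare_digest(password, self.password):
            return None
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = Session(token)
        return sid, token

    def _apply(self, params: dict) -> None:
        if "remote_admin_port" in params:
            self.remote_admin_port = int(params["remote_admin_port"])
        if "new_password" in params:
            self.password = params["new_password"]

    # The hole as the article describes it: the command URL is processed without
    # checking who sent it, so any request the browser can be made to issue succeeds.
    def apply_vulnerable(self, req: Request) -> int:
        if req.path != APPLY_PATH:
            return 404
        self._apply(req.params)
        return 200

    # Hardened: every command URL is authenticated, not just the start page.
    def apply_hardened(self, req: Request) -> int:
        if req.path != APPLY_PATH:
            return 404
        if req.method != "POST":
            return 405            # a plain link or image tag can only produce a GET
        session = self.sessions.get(req.cookies.get("session", ""))
        if session is None:
            return 401            # not logged in at all
        token = req.params.get("csrf_token", "")
        if not hmac.compare_digest(token, session.csrf_token):
            return 403            # the cookie came along for the ride; the token did not
        sensitive = {"remote_admin_port", "new_password"} & set(req.params)
        supplied = req.params.get("current_password", "")
        if sensitive and not hmac.compare_digest(supplied, self.password):
            return 403            # re-authentication for security-relevant changes
        self._apply(req.params)
        return 200
```

The model shows why a valid login cookie is not proof of intent: the browser sends it with every request, so only a value the external page cannot obtain (the form token, plus the current password) distinguishes the owner's click from a forged one.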
As for closing this hole if you have a Linksys EA2700 router, Dan Goodin of Ars Technica reports that:
A statement issued by officials from Belkin, which recently acquired the Linksys brand, said the vulnerabilities documented by Purviance had been fixed in the Linksys Smart Wi-Fi Firmware that was released in June.
And according to Linksys, the June 2012 firmware release was itself superseded in July, October and November last year:
Purviance didn't make it clear, in his vulnerability disclosure, which firmware version he used during his research.
But if you aren't on the latest firmware version, you probably ought to grab it anyway.
After all, this isn't the first time we've written about vulnerabilities in, and the external misuse of, SoHo routers.
And if you're really keen, you can use the hacking-by-numbers tool Metasploit to do a penetration test against your own router, as exploit modules for Purviance's holes are already available online.
LONDON (Reuters) - A British computer hacker pleaded guilty on Tuesday to cyber attacks on targets including Sony, Nintendo, Rupert Murdoch's News International and the Arizona State Police.
Ryan Ackroyd's plea meant his planned jury trial did not go ahead and, as a result, the court did not hear any evidence on the motivation behind the attacks he made using the persona of a 16-year-old girl named Kayla as part of hacking group LulzSec.
Dressed in a tracksuit bottom and t-shirt, with a large tattoo on his arm and crew-cut hair, Ackroyd spoke only to identify himself and to enter his plea.
Ackroyd, 26, was arrested in 2011 with three other British young men in connection with an international cyber crime spree by LulzSec, a splinter group of hacking collective Anonymous.
The other three had already pleaded guilty to several charges including cyber attacks on the CIA and Britain's Serious Organised Crime Agency (SOCA).
Anonymous, and LulzSec in particular, made international headlines in late 2010 when they launched what they called the "first cyber war" in retaliation for attempts to shut down the WikiLeaks website.
Ackroyd faced four charges but pleaded guilty to just one. Prosecutors said they would not pursue the other charges.
Ackroyd and his three fellow hackers will be sentenced on May 14, judge Deborah Taylor said.
Mustafa Al-Bassam, 18, and Jake Davis, 20, had both pleaded guilty to two counts while Ryan Cleary, 21, had pleaded guilty to six counts including that he attacked Pentagon computers operated by the U.S. Air Force.
Cleary, Al-Bassam and Davis admitted to launching so-called distributed denial of service (DDoS) attacks in which websites are flooded with traffic to make them crash.
Ackroyd denied taking part in DDoS attacks but admitted, as did the three others, to hacking into computer systems, obtaining confidential data and redirecting legitimate website visitors to sites hosted by the hackers.
The targets listed in the charge to which Ackroyd pleaded guilty also included Britain's National Health Service, the U.S. public broadcaster PBS and 20th Century Fox.
The defendants are free on bail pending their sentencing, under the condition that they do not access the Internet.
Cleary was indicted by a federal grand jury in Los Angeles last June but U.S. authorities have indicated they would not seek his extradition as he was being prosecuted in Britain on the same charges.
The name LulzSec is a combination of "lulz", another way of writing "lols" or "laugh out loud", and security.
SEOUL (Reuters) - A hacking attack that brought down three South Korean broadcasters and two major banks has been identified by most commentators as North Korea flexing its muscles as military tensions on the divided peninsula sky-rocket.
Officials in Seoul traced Wednesday's breach to a server in China, a country that has been used by North Korean hackers in the past. That reinforces the vulnerability of South Korea, the world's most wired economy, to unconventional warfare.
China's Foreign Ministry said that hacking attacks were a "global problem", anonymous and cross-border.
"Hackers often use the IP addresses of other countries to carry out their attacks," ministry spokesman Hong Lei told reporters.
One government official in Seoul directly blamed Pyongyang, although police and the country's computer crime agency said it would take months to firmly establish responsibility.
Jang Se-yul, a former North Korean soldier who went to a military college in Pyongyang to groom hackers and who defected to the South in 2008, estimates the North has some 3,000 troops, including 600 professional hackers, in its cyber-unit.
Jang's alma mater, the Mirim University, is now called the University of Automation. It was set up in the late 1980s to help North Korea's military automation and has a special class in professional hacking.
The North's professional "cyber-warriors" enjoy perks such as luxury apartments for their role in what Pyongyang has defined as a new front in its "war" against the South, Jang told Reuters.
"I don't think they will stop at a temporary malfunction. North Korea can easily bring down another country in a cyber-warfare attack," Jang said.
Like much about North Korea, its true cyber capabilities are hard to determine. The vast majority of North Koreans have no access to the Internet or own a computer, a policy the regime of Kim Jong-un strictly enforces to limit outside influence.
The nominee to be the next South Korean intelligence chief told MPs recently the North was suspected of being behind most of the 70,000 cyber-attacks on the country's public institutions over the past five years, local TV channel YTN reported.
North Korea recently threatened the United States with a nuclear attack and said it would bomb South Korea in response to what it says are "hostile" war games in the South by Washington and Seoul.
Threats to bomb the mainland United States are empty rhetoric as Pyongyang does not have the capacity to do so and its outdated armed forces would lose any all-out war with South Korea and Washington, military experts say.
That makes hacking an attractive, and cheaper, option.
"North Korea can't invest in fighter jets or warships, but they have put all their resources into raising hackers. Qualified talent matters to cyber warfare, not technology," said Lee Dong-hoon, an information security expert at Korea University in Seoul.
However, much of North Korea's limited funds go into its nuclear and ballistic missile programs.
LIMITED ATTACK
Wednesday's attack hit the network servers of television broadcasters YTN, MBC and KBS as well as two major commercial banks, Shinhan Bank and NongHyup Bank. South Korea's military raised its alert levels in response.
About 32,000 computers at the organizations were affected, according to the South's state-run Korea Internet Security Agency, adding it would take up to five days to fully restore their functions.
It took the banks hours to restore banking services. Damage to the servers of the TV networks was believed to be more severe, although broadcasts were not affected.
South Korea's military, its core power infrastructure and ports and airports were unaffected.
Investigations of past hacking of South Korean organizations have led to Pyongyang.
"There can be many inferences based on the fact that the IP address is based in China," said the South Korean communication commission's head of network policy, Park Jae-moon. "We've left open all possibilities and are trying to identify the hackers."
North Korea has in the past targeted South Korea's conservative newspapers, banks and government institutions.
The biggest hacking effort attributed to Pyongyang was a 10-day denial of service attack in 2011 that antivirus firm McAfee, part of Intel Corp, dubbed "Ten Days of Rain". It said that attack was a bid to probe the South's computer defenses in the event of a real conflict.
However, the hacking attack on Wednesday doesn't appear to be state sponsored, security vendor Sophos said, noting the malicious software it detected was not sophisticated.
"It's hard to jump to the immediate conclusion that this was necessarily evidence of a cyber-warfare attack coming from North Korea," said Graham Cluley, senior technology consultant at Sophos.
North Korea last week said it had been a victim of cyber-attacks, blaming the United States and threatening retaliation.
"North Korea is able to carry out much bigger attacks than this incident such as stopping broadcasts or erasing all financial data that could panic South Korea," Lee of Korea University said.
(Additional reporting by Jack Kim, Narae Kim, Hyunjoo Jin, Joyce Lee, Se Young Lee in Seoul and Ben Blanchard in Beijing; Editing by David Chance and Nick Macfie)
A 26-year-old has pleaded guilty to hacking websites of major institutions including the National Health Service, Sony and News International.
Ryan Ackroyd, from Mexborough, South Yorkshire, pleaded guilty to one charge of carrying out an unauthorised act to impair the operation of a computer, contrary to the Criminal Law Act 1977.
He had been due to stand trial charged with taking part in a string of cyber attacks but ended up admitting just the one charge.
Southwark Crown Court in London heard he admitted being a member of hacking group LulzSec.
As a member he acted as a "hacker" to access websites for Sony, 20th Century Fox, the NHS, Nintendo, the Arizona State Police, and News International between February and September 2011.
In July 2011 the Sun's website was hacked and users were briefly re-directed to a spoof page that falsely claimed that Rupert Murdoch had died.
Prosecutor Sandip Patel told the court: "He was the hacker, so to speak. They turned to him for his expertise as a hacker."
She said Ackroyd admitted using the persona of a 16-year-old girl Kayla on the site.
He will be sentenced on May 14 and the court heard prosecutors are not planning to pursue other charges against the 26-year-old.
Earlier today, Southwark Crown Court heard that fellow hackers Mustafa Al-Bassam, 18, from Peckham, south London, and Jake Davis, 20, from Lerwick, Shetland, have also now pleaded guilty to hacking.
The pair were also involved in launching cyber attacks on a range of organisations, including the CIA and the Serious Organised Crime Agency.
Ryan Cleary, 21, of Wickford Essex, has pleaded guilty to the same two charges as well as four separate charges including hacking into US air force agency computers at the Pentagon.
The men are said to have carried out distributed denial of service (DDoS) attacks on the institutions with other unidentified hackers belonging to online groups such as LulzSec, Anonymous and Internet Feds.
The DDoS attacks they carried out flood websites with traffic, making them crash and rendering them unavailable to users.
To do it, they used a remotely controlled network of "zombie" computers, known as a "botnet", capable of being programmed to perform the attack.
LulzSec is a spin-off of the loosely organised hacking collective Anonymous. Lulz is internet slang that can be interpreted as "laughs", "humour" or "amusement", and Sec refers to "security".
McCann Investigations releases white paper which explores the complexities of digital intellectual property theft and methods by which a business can protect its data.
Houston, TX (PRWEB) April 11, 2013
McCann Investigations, a Texas-based computer forensics firm released a white paper titled Digital Intellectual Property Theft: Protecting your Organization. This paper explores the complexities of digital intellectual property. The sophistication of cyber assaults has increased at alarming rate allowing hackers to steal intellectual property from individuals and small companies, to large companies with a significant global presence.
In many cases, intellectual property theft occurs during a data breach which can often come from external sources such as hackers. But many times, intellectual property theft occurs when present or former employees (sometimes in collusion with one another) download or export proprietary company information such as engineering drawings, client lists or trade secrets. This is often done when those employees are seeking to create a competing company. In many intellectual property theft cases facilitated by employees, there is a component of non-compete violations. Many companies have solid non-compete agreements in place to prevent intellectual property theft and infringement issues.
“Intellectual property theft has become a big business for foreign countries looking to gain an edge in the global market,” says Daniel Weiss, Managing Partner of McCann Investigations. “Smaller companies are more at risk given that they often do not have the resources of a larger company to secure their networks against such attacks,” Weiss continued.
McCann Investigations Houston Division specializes in several case types including fraud, embezzlement, theft, non compete enforcement, digital debugging, data breach incident response and complex family, civil and criminal.
About McCann Investigations
McCann Investigations is a Texas-based private investigations practice focused on comprehensive investigations incorporating digital forensics, surveillance, undercover work and backgrounds for clients in various case types. Case types include intellectual property theft, non compete enforcement, fraud, embezzlement and family law. McCann Investigators are experts in the latest computer forensics tools and are licensed with the state of Texas. McCann computer forensics examiners have provided expert testimony and reporting in hundreds of cases across the state.
Through digital investigations, McCann also delivers digital debugging and data breach and incident response services. In cases where there is suspected external or internal hacking with the installation of malware or spyware, or when data and privacy loss has occurred due to a network breach, McCann Investigations' computer forensics and IT security experts use cutting-edge tools to document, evaluate and respond to the incident. McCann works with clients to analyze their IT networks and put protocols in place to secure the network.
McCann Investigations utilizes multiple tools in their comprehensive investigations including digital investigations, digital debugging, corporate investigations, litigation support, IT security audit and oversight, complex family, civil and criminal.
SEOUL, South Korea (AP) — Computer networks at major South Korean banks and top TV broadcasters crashed en masse Wednesday, paralyzing bank machines across the country and prompting speculation of a cyberattack by North Korea.
Screens went blank at 2 p.m. (0500 GMT), with reports of skulls popping up on some computer screens, the state-run Korea Information Security Agency said — a strong indication that hackers planted a malicious code in South Korean systems. Some computers came back online more than 2 ½ hours later.
Police and South Korean officials couldn't immediately determine the cause. But experts said a cyberattack orchestrated by Pyongyang was likely to blame. The rivals have exchanged threats following U.N. sanctions meant to punish North Korea over its nuclear test last month.
The shutdown appeared to be more of an inconvenience than a source of panic. There were no immediate reports that bank customers' records were compromised. It also didn't affect government agencies or networks essential to the country's infrastructure, such as power plants or transportation systems.
Still, it raised worries about the overall vulnerability to attacks in South Korea, a world leader in broadband speed and mobile Internet access. Previous hacking attacks at private companies compromised millions of people's personal data. Past malware attacks also disabled access to government agency websites and destroyed files in personal computers.
The shutdown comes amid rising rhetoric and threats of attack from Pyongyang in response to U.N. punishment for its December rocket launch and February nuclear test. Washington also expanded sanctions against North Korea this month in a bid to cripple the regime's ability to develop its nuclear program.
North Korea has threatened revenge for the sanctions and for ongoing routine U.S.-South Korean military drills it considers rehearsals for invasion.
Seoul believes North Korea runs an Internet warfare unit aimed at hacking U.S. and South Korean government and military networks to gather information and disrupt service.
Seoul blames North Korean hackers for several cyberattacks in recent years. Pyongyang has either denied or ignored those charges. Hackers operating from IP addresses in China have also faced blame.
The latest network paralysis took place just days after North Korea accused South Korea and the U.S. of staging a cyberattack that shut down its websites for two days last week. Loxley Pacific, the Thailand-based Internet service provider, confirmed the outage but did not say what caused the shutdown in North Korea.
Shinhan Bank, a major South Korean lender, reported a two-hour system shutdown Wednesday, including online banking and automated teller machines. It said networks later came back online, and that banking was back to normal at branches and online. Shinhan said no customer records or accounts were compromised.
The other bank, Nonghyup, also a major lender, said its system eventually came back online. Officials didn't answer a call seeking details on the safety of customer records.
Jeju Bank said some of its branches also reported network shutdowns.
At one Starbucks in downtown Seoul, customers were asked to pay for their coffee in cash, and lines were forming outside disabled bank machines. Seoul is a largely cashless city, with many people relying on debit and credit cards to pay for goods and services.
Broadcasters KBS and MBC said their computers went down at 2 p.m., but officials said the shutdown did not affect daily TV broadcasts. Computers were still down more than three hours after the shutdown began, the news outlets said.
The YTN cable news channel also said the company's internal computer network was completely paralyzed. Footage showed workers staring at blank computer screens.
KBS employees said they watched helplessly as files stored on their computers began disappearing as the computer went into shutdown mode.
"It's got to be a hacking attack," said Lim Jong-in, dean of Korea University's Graduate School of Information Security. "Such simultaneous shutdowns cannot be caused by technical glitches."
The South Korean military raised its cyberattack readiness level but saw no signs of cyberattacks on its networks, the Defense Ministry said.
No government computers were affected, officials said. President Park Geun-hye called for quick efforts to get systems back online, according to her spokeswoman, Kim Haing.
In 2011, computer security software maker McAfee Inc. said North Korea or its sympathizers likely were responsible for a cyberattack against South Korean government and banking websites earlier that year.
The analysis also said North Korea appeared to be linked to a 2009 massive computer-based attack that brought down U.S. government Internet sites.
Pyongyang denied involvement.
But the accusations from both sides show that the warfare between the foes has expanded into cyberspace.
Last week, North Korea's official Korean Central News Agency accused South Korea and the U.S. of expanding an aggressive stance against Pyongyang into cyberspace with "intensive and persistent virus attacks."
South Korea denied the allegation and the U.S. military declined to comment.
Lim said hackers in China were likely culprits in the outage in Pyongyang.
But signs Wednesday pointed to North Korea, he said.
"Hackers attack media companies usually because of a political desire to cause confusion in society," he said. "Political attacks on South Korea come from North Koreans."
Last week, North Korea's Committee for the Peaceful Reunification of Korea warned South Korea's "reptile media" that the country was prepared to wage a "sophisticated strike" on the country.
Orchestrating the mass shutdown of the networks of major companies would take at least one to six months of planning and coordination, said Kwon Seok-chul, chief executive officer of Seoul-based cyber security firm Cuvepia Inc.
The company that provides network services for the companies that suffered outages said it did not spot signs of a cyberattack on its networks, said Lee Jung-hwan, a spokesman for LG Uplus Corp.
Lim said tracking the source of the outage would take months.
Associated Press writers Sam Kim and Foster Klug contributed to this report.
Over the last few months, I've spent a significant proportion of my time researching the CVE-2012-0158 vulnerability.
I'm glad to say that that research has paid off, and I will be presenting a technical paper at the Virus Bulletin conference in Berlin, later this year.
The paper, "Between an RTF and OLE2 place: an analysis of CVE-2012-0158 samples", will be a summary of my research so far into the threat.
One of the issues in detecting CVE-2012-0158 samples is that the delivery mechanism can be RTF, Word or Excel files.
Word and Excel files can be password-encrypted, meaning that it can be harder for an anti-virus scanning engine to see the malicious code.
The problem the attackers have, of course, is that they not only have to trick users into clicking on the attachment with social engineering, but also need to dupe their potential victims into entering a password.
With Excel, however, there is another method and that is to save the boobytrapped file as "Read Only".
"Read Only" applies the same encryption method and uses a default password chosen by the Microsoft programmers: "VelvetSweatshop".
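The consequence for a scanning engine is that an encrypted workbook is not automatically opaque: before giving up, it can test the documented default password against the file's verifier fields. The following is an added example, not code from SophosLabs or Microsoft, that models that check in pure Python. The key derivation is modelled on the RC4 CryptoAPI scheme described in MS-OFFCRYPTO (SHA-1 over salt and UTF-16LE password, then over the hash and a block counter), with a 128-bit key assumed; the salt and verifier bytes are constructed for the demonstration rather than taken from any real document, and `scanner_can_open` is a hypothetical name for the scanner-side decision.

```python
import hashlib

# Excel's documented default password for "Read Only" (RC4-encrypted) workbooks.
DEFAULT_EXCEL_PASSWORD = "VelvetSweatshop"
KEY_BYTES = 16   # assumption: 128-bit RC4 key, one of the sizes the scheme allows


def rc4_keystream(key, length):
    """Plain RC4 (key scheduling plus output generation); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key, data):
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def derive_key(password, salt, block=0):
    """Key derivation modelled on MS-OFFCRYPTO RC4 CryptoAPI (assumption, simplified):
    H0 = SHA1(salt || UTF-16LE(password)); Hn = SHA1(H0 || block as 32-bit LE)."""
    h0 = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    hn = hashlib.sha1(h0 + block.to_bytes(4, "little")).digest()
    return hn[:KEY_BYTES]


def make_verifier(password, salt, verifier):
    """What a writer stores: a 16-byte random verifier and its SHA-1 digest, both
    encrypted under one continuous RC4 keystream (EncryptedVerifier, EncryptedVerifierHash)."""
    blob = rc4_crypt(derive_key(password, salt), verifier + hashlib.sha1(verifier).digest())
    return blob[:16], blob[16:]


def password_matches(password, salt, enc_verifier, enc_hash):
    """What a reader does: decrypt both fields with the candidate key and compare
    the digest of the recovered verifier with the recovered stored digest."""
    plain = rc4_crypt(derive_key(password, salt), enc_verifier + enc_hash)
    return hashlib.sha1(plain[:16]).digest() == plain[16:36]


def scanner_can_open(salt, enc_verifier, enc_hash, supplied_password=None):
    """Scanner-side decision (hypothetical helper): try any password the scanner was
    given, then the Excel default, and return the one that works, or None."""
    candidates = ([supplied_password] if supplied_password else []) + [DEFAULT_EXCEL_PASSWORD]
    for candidate in candidates:
        if password_matches(candidate, salt, enc_verifier, enc_hash):
            return candidate
    return None


# Constructed sample values (not taken from any real document).
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_VERIFIER = bytes(range(16))
READ_ONLY_FIELDS = make_verifier(DEFAULT_EXCEL_PASSWORD, SAMPLE_SALT, SAMPLE_VERIFIER)
USER_PASSWORD_FIELDS = make_verifier("hunter2-constructed", SAMPLE_SALT, SAMPLE_VERIFIER)
```

A workbook saved as "Read Only" yields fields that `scanner_can_open` unlocks with the default password and no user interaction, so the engine can go on to inspect the decrypted stream for the exploit; a workbook protected with a password the user chose still comes back as opaque unless that password is supplied.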
Here is a short video showing how malware can use this default Excel password in its attempt to infect unsuspecting computer users.
(Enjoy this video? Check out more on the SophosLabs YouTube channel.)
If you would like to know more about the CVE-2012-0158 vulnerability then I urge you to attend the Virus Bulletin conference later this year. While you are there you can also listen to and meet other experts from Sophos:
My SophosLabs colleagues Numaan Huq and Peter Szabo also have a reserve paper at the conference: "Trapping unknown malware in a context web".
A strong showing for the SophosLabs experts at this year's Virus Bulletin conference, I'm sure you will agree. We look forward to meeting many of you in Berlin.