Archive | December 2012

seCURE Connexion Year-in-Review 2012

Thanks for reading the seCURE Connexion blog. It is our honor to bring the latest security news and developments to your attention. Here is a 2012 year-in-review of the most popular posts on the blog.

  1. Antivirus Software Toplist – the most-read post on the blog this year, reviewing the latest antivirus software and security suites.
  2. Miley Cyrus Sex Tape Scam Details – just behind the antivirus toplist; Miley Cyrus was the subject of the latest fake celebrity sex tape “leak” used as scam bait.
  3. Advantages and Disadvantages of Bring-Your-Own-Device in Education – a thorough look at what BYOD means in education, and whether it is a good idea.
  4. FAQ: How Did ZeroAccess/Sirefef Infect You? – one of the year’s most widely propagating trojan/rootkits; this FAQ answered the common questions.
  5. Advantages and Disadvantages of Single-Sign-On Technology – a full review of what single sign-on brings, and what it costs, in the coming years.
  6. ZeroAccess/Sirefef Infects up to 9 Million PCs – we discussed the trouble ZeroAccess caused and how fast it propagated.
  7. All about TPM Chip in Windows 8 – Microsoft is Many Years Late – why Microsoft is many years late bringing the TPM chip to Windows 8-based devices.
  8. Windows 8 medical app, EMR Surface launched – the first notable medical app for Windows 8, bringing medical technology to the Windows 8 market.
  9. RasGas energy company hacked
  10. Rakshasa Case Study: Really Undetectable?

Hope you had fun reading. Thanks again for joining us on this security blog. 🙂

News from December 23-26, 2012: ZeroAccess new variant, Google Chrome changes, Fake YouTube notifications

The following is the latest list of updates in the computer security industry:

  • For those who know how much of a pain ZeroAccess can be: a new variant released recently hides its module paths. Most of the samples seen so far descend from malware-infected porn files (particularly bestiality or erotica themed).
  • Starting with version 25, Google Chrome no longer allows extensions to be installed silently by third-party programs; the user has to approve each one.
  • Fake YouTube notification emails are being used to spam pharmaceutical ads. The spammers commonly operate in affiliate networks, pushing counterfeit drugs and other bogus pharmaceuticals.

That is all the news we missed over the Christmas holiday. Kudos to everyone!

Feds Requiring All Vehicles to have Black Boxes

Federal regulators are proposing that new automobiles sold in the United States after September 2014 come equipped with black boxes, so-called “event data recorders” that chronicle everything from how fast a vehicle was traveling, the number of passengers and even a car’s location.

While many automakers have voluntarily installed the devices already, the National Highway Traffic Safety Administration (NHTSA) wants to hear your comments by February 11 on its proposal mandating them in all vehicles. Congress has empowered the agency to set motor-vehicle-safety rules.

Clearly, regulators’ intentions are about safety, as the devices would record for about 30 seconds during so-called “events” such as sudden braking, acceleration, swerving or other types of driving that might lead to an accident. The data, which can be downloaded either remotely or over a physical connection, depending on the vehicle’s model, is to be used by manufacturers and regulators “primarily for the purpose of post-crash assessment of vehicle safety system performance,” according to an announcement in the Federal Register.

Read more on Wired.com

Obama Urged by US House Republicans to not issue Cybersecurity Order

Forty-six House Republicans have signed a letter urging President Barack Obama not to issue an executive order on cybersecurity. The White House is drafting an order that would encourage operators of critical infrastructure (banks, power grids and the like) to meet cybersecurity standards.

“Instead of preempting Congress’ will and pushing a top-down regulatory framework, your administration should engage Congress in an open and constructive manner to help address the serious cybersecurity challenges facing our country,” the lawmakers wrote.

The executive order, expected in January, is meant to help protect these vital systems from attackers. In our view it is important that it goes into effect: a compromise of these systems could mean power outages, plane crashes, train derailments and the like.

“This framework will work better than attempts to place the government in charge of overseeing minimum standards for industries seeking to invest in new and innovative security solutions,” the Republicans wrote.

The letter, led by Representatives Marsha Blackburn (Tennessee) and Steve Scalise (Louisiana), aims to limit government involvement in regulating cybersecurity, on the view that industry will do better without a mandate. Our view is that if something isn’t done very soon, America as we know it could be in a lot of trouble.

Will 2013 Be a Challenging Year for Computer Security?

Much of the attention in computer security in 2013 will be focused on industrial control systems (ICS), Android, and the new Windows 8. From state-built malware like Stuxnet to ordinary criminals attacking consumer devices, it will be a challenging year in both the business and consumer markets.

A control system is supervisory software running on dedicated workstations together with programmable hardware devices. Control systems monitor and operate many kinds of processes: power grids, trains, airplanes, water distribution, military installations and more. They are often part of critical infrastructure, the systems that large populations depend on for electricity, clean water and transportation.

One worry that we, and other security authorities, will be watching in 2013 is the rise of more government-built malware, especially against control systems, which are believed to be widely targeted and surveyed.

Other problems include the sharp rise of mobile malware, particularly on Android. Android malware is becoming more widespread, and attackers appear to be retrying old Windows exploitation techniques on Android devices. This could become a big problem to watch out for.

Many Android attacks are privilege escalation attacks, in which a malicious app installed by the user exploits a flaw to gain root access and take control of the device. With a large number of Android devices already infected, the botnets built from them have grown big, and many devices are probably still infected.

Also keep in mind that when you use a smartphone, you leak a lot of information, mainly through apps, most of which collect some data from the phone. It isn’t necessarily personally identifiable information, but it is enough to make some people nervous.

Android is very open: you can install apps from almost anywhere, much as Windows has always allowed. But that is a whole different long story.

Windows 8 will be a security challenge simply because researchers, hackers and security experts all want to test just how secure it is.

Read more about threats in 2013

How Hackers Find Attack Targets (mini-whitepaper)

Hackers are always searching for ways to target and dismantle security. The questions remain: how do they find a way in, how do they exploit vulnerabilities, and how do they go about it? The main answer is research.

There are many things hackers do that open the door to a target’s vulnerabilities:

  • Hackers study their target well in advance of the actual attack. They do their homework: how strong the target is, which vulnerability to exploit, the method of attack, a backup plan, and how to stay anonymous.
  • Hackers commonly use search-engine queries to build a map of the target’s exposure. Many details surface this way: server statistics (uptime/downtime), platform, programming languages in use, and other seemingly unimportant information.
  • The map is refined into a complete intelligence database (which can be sold for high fees within the hacker community). It draws not only on the searches above but also on government databases, financial filings, court records and the like. Who would have thought to check for things like that?
  • After the research, the hacker’s next purpose is to identify the security and technology officers on staff. The hacker wants to know who the security architect is, how much authority they have, recent meetings, new plans and so on, reads the officer’s roadmap, and decides whether to attack soon or hold off. (Not really a lot of time to decide, to be honest.)
  • In the last stage of research before planning the attack, the hacker looks for business partners, trusted or strategic customers, suppliers and others the target works with. Some have argued it is often easier to attack a smaller business partner than the target itself. This, too, depends on the information gathered from search engines and other sources.
  • Once all of this is compiled, the information yields a list of likely points of attack within the target.
  • The attack itself is usually staged, quite literally: find the target point, hit it at the right time, and exit without being caught. The goal is to make the exploit reliable and to know the best route out.
  • The hacker attacks when ready, and the operation is over soon after. The methodology is “push in, pull out”, or as Facebook would put it, “move fast, break things”. What a philosophy!

There is little that can be done when you run a public company and the information about it is widely available. People will do their research. You can reduce the significance of the threat by conducting the same research yourself, building your own map, and practising competitive counter-intelligence. It can be a difficult thing to learn.
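As an added example (not from the original post), here is a small Python check that does the “build your own map” part: it scans one HTTP response the way a reconnaissance script would and lists the platform details, contact addresses and internal hostnames that a search engine will happily index. The response it scans is constructed for the example, so it runs offline; feed it a saved response from your own site to see what an attacker sees.

```python
import re

# Constructed sample response for the example (assumption: an Apache/PHP site
# running WordPress). Nothing here is fetched from the network.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10-1ubuntu3.4",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 3.4.2">
<!-- TODO remove before launch: staging box is intranet-db01.corp.example.com -->
<script src="/wp-includes/js/jquery/jquery.js?ver=1.7.2"></script>
</head><body>
<p>Contact our security architect: j.doe@example.com</p>
</body></html>"""

# Headers that routinely disclose software and versions.
LEAKY_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator", "Via")
# Session cookie names that identify the application stack.
SESSION_MARKERS = ("PHPSESSID", "JSESSIONID", "ASP.NET_SessionId")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HOSTNAME_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+){2,}\b")  # three or more labels
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
VERSIONED_ASSET_RE = re.compile(r'src="([^"]+\?ver=[^"]+)"', re.I)


def fingerprint_response(headers, body):
    """Return what an outsider can learn from one HTTP response.

    headers: dict of response header name -> value
    body:    response body as text
    """
    findings = {"platform": [], "emails": [], "hostnames": [], "comments": [], "assets": []}

    for name in LEAKY_HEADERS:
        value = headers.get(name)
        if value:
            findings["platform"].append(f"{name}: {value}")

    cookie = headers.get("Set-Cookie", "")
    for marker in SESSION_MARKERS:
        if marker in cookie:
            findings["platform"].append(f"session cookie: {marker}")

    match = GENERATOR_RE.search(body)
    if match:
        findings["platform"].append(f"generator: {match.group(1)}")

    findings["emails"] = sorted(set(EMAIL_RE.findall(body)))
    findings["assets"] = VERSIONED_ASSET_RE.findall(body)

    # Developer comments are indexed like any other text and often name
    # internal hosts; collect them and any multi-label hostnames inside them.
    for comment in COMMENT_RE.findall(body):
        comment = comment.strip()
        findings["comments"].append(comment)
        findings["hostnames"].extend(HOSTNAME_RE.findall(comment))
    findings["hostnames"] = sorted(set(findings["hostnames"]))
    return findings


def leak_count(findings):
    """Total number of items an attacker's map would gain from this response."""
    return sum(len(v) for v in findings.values())


if __name__ == "__main__":
    result = fingerprint_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for category, items in result.items():
        for item in items:
            print(f"{category:9} {item}")
    print(f"{leak_count(result)} items exposed")
```

Each item the script prints is one fact that the recon stages above would collect without ever touching the target directly: a version banner gives the exploit to look for, a versioned asset path confirms the CMS, a staging hostname in a comment names the weaker business-partner-style target, and the email address names the security architect to research next.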

It’s best to take the necessary steps so that if a hacker comes knocking, you are ready. Use the following methods (some may not apply to your business):

  1. Secure all servers with adequate protection. A bit of searching turns up a wealth of free tips and whitepapers on server security; simply searching for “server security” gives a lot of good results. Also look up SQL security specifically, an invaluable resource, since database-backed websites are a common entry point.
  2. Protect passwords on their way to your server. When people enter passwords on your website (for accounts and logins), make sure the login page and the form it submits to are served over HTTPS. If passwords are sent in plaintext, anyone on the path between the user’s browser and the server can read them. And never store the password itself: store a salted hash of it, so a stolen database does not hand over every account.
  3. Always have good passwords on your end. Everyone should have a strong password: at least 8 characters with at least one uppercase letter, one lowercase letter, one number and one symbol, and longer is better, since a long passphrase beats a short complex string. There is no longer 100% protection against password theft (phishing and keyloggers take the best passwords too), but a strong password protects you while other measures are put in place (fingerprint scanners, voice recognition, unique ID codes, etc.).
  4. Encourage your users to have good passwords by enforcing the characteristics described above when they choose one.
  5. Hold weekly meetings with your staff on how best to implement security policy, the latest threats, the analytics behind your network (server uptime/downtime, security breaches, etc.), and plans for future policies.

By following these simple steps, your company can become much more aware of hackers and put good security policy in place, saving a lot of time and money!

Adobe Shockwave Vulnerabilities at Critical Level and Very Late

US-CERT, operated by the Department of Homeland Security, recently issued three advisories involving Adobe Shockwave Player. One of the bugs, first warned about in October 2010, is not scheduled to be fixed until February 2013. Unbelievable!

The advisories issued recently are:

  • VU#519137: Shockwave Xtras vulnerability, originally reported in Oct. 2010, scheduled for a fix in Feb. 2013.
  • VU#323161: Vulnerable flash runtime
  • VU#546769: Vulnerable downgrading

The first, the Shockwave Xtras vulnerability, is long overdue for a patch. Other companies have done this before, notably Apple, which was long overdue in fixing an iTunes flaw. The problem with Xtras, as US-CERT reports in the bulletin: “Adobe Shockwave Player installs Xtras that are signed by Adobe or Macromedia without prompting, which can allow an attacker to target vulnerabilities in older Xtras.”

“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” Adobe’s Wiebke Lips wrote.

The other two advisories describe design flaws that attackers can exploit. US-CERT warns that Shockwave Player version 11.6.8.638 for Windows and Mac OS ships with a vulnerable version of the Flash runtime: the full installer for 11.6.8.638 bundles Flash 10.2.159.1, released in April of last year and vulnerable since. Shockwave, the advisory notes, uses this bundled Flash runtime rather than the system-wide Flash, so keeping the system Flash up to date does not help.

There are no fixes yet. See the advisories above for workarounds.

Oracle Revises Java: Prevent Apps from Running in Browsers + How to

The latest Java release, Java 7 Update 10 (released December 11), lets users stop Java from running in web browsers altogether. With Java the subject of so many security vulnerabilities and attacks, this was the right move by Oracle.

It also includes a good set of security enhancements, including the ability to set a specific security level for unsigned Java applets.

Some of the exploits seen in the past made it clear this was needed for unsigned applets. It is a move toward default-deny, which restricts quite a few features but brings greater security.

That is the biggest problem in applications and operating systems: developers do not want to suppress features, but they also don’t want a pile of security threats. Finding that balance is very important.

These enhancements will help prevent a slew of Java attacks and keep people from turning away from Java. Most people look for alternatives when a plugin keeps getting attacked, which is how Foxit Reader and Nitro Reader came to replace Adobe Reader for many users.

“The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument,” Oracle said.

The final security feature warns the user when the Java Runtime Environment (JRE) is out of date or below the current security baseline.

How to turn this on (Windows Control Panel):

  • Go to the Control Panel.
  • Find the Java icon and double-click on it.
  • Click the Security tab.
  • Uncheck “enable Java content in the browser”.
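For more than a handful of machines, clicking through the Control Panel does not scale. The script below is an added example (not from the original post or from Oracle) that makes the same change unattended: it edits the deployment.properties file that the Java Control Panel itself writes, turning off “Enable Java content in the browser” (deployment.webjava.enabled=false), setting the security level for unsigned applets (deployment.security.level), and locking both so a user cannot flip them back. The property names follow Oracle’s deployment documentation for 7u10 (check them against your installed version); the per-user file locations are assumptions to adjust for your environment, and any other settings already in the file are preserved.

```python
import os
import sys

# Assumed per-user locations of deployment.properties; a system-wide
# deployment.config can point the JRE at a shared file instead.
DEFAULT_PATHS = {
    "win32": os.path.expandvars(r"%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties"),
    "darwin": os.path.expanduser("~/Library/Application Support/Oracle/Java/Deployment/deployment.properties"),
    "linux": os.path.expanduser("~/.java/deployment/deployment.properties"),
}

# The hardened settings. A bare "<key>.locked" line locks that key in the
# Java Control Panel, so the value is written with no "=".
HARDENED = {
    "deployment.webjava.enabled": "false",       # no Java content in any browser
    "deployment.webjava.enabled.locked": "",     # user cannot re-enable it
    "deployment.security.level": "VERY_HIGH",    # for unsigned applets, should it ever be re-enabled
    "deployment.security.level.locked": "",
}


def _split(line):
    """Return (key, value) for a property line, or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "!")):
        return None
    key, _sep, value = stripped.partition("=")
    return key.strip(), value.strip()


def _format(key, value):
    return key if value == "" else f"{key}={value}"


def apply_settings(existing_text, settings):
    """Merge settings into the file text: matching keys are replaced in place,
    new keys are appended, comments and unrelated keys are left alone."""
    pending = dict(settings)
    out = []
    for line in existing_text.splitlines():
        kv = _split(line)
        if kv and kv[0] in pending:
            out.append(_format(kv[0], pending.pop(kv[0])))
        else:
            out.append(line)
    for key, value in pending.items():
        out.append(_format(key, value))
    return "\n".join(out) + "\n"


def parse_properties(text):
    """Read a properties text back into a dict (bare keys map to '')."""
    return dict(kv for kv in map(_split, text.splitlines()) if kv)


def harden_file(path=None):
    """Apply HARDENED to the deployment.properties at path (default for this OS)."""
    path = path or DEFAULT_PATHS.get(sys.platform, DEFAULT_PATHS["linux"])
    existing = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            existing = f.read()
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(apply_settings(existing, HARDENED))
    return path


if __name__ == "__main__":
    print("wrote", harden_file(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as the user whose Java Control Panel you want to lock down, or pass the path of a shared properties file referenced from deployment.config; running it twice is harmless, since existing keys are updated in place rather than duplicated.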

Android Exploit Found on Samsung Devices

Samsung Electronics is taking a closer look at an Android kernel flaw in its devices. Google does not build the kernel that ships on each phone; device-makers integrate their own drivers into the Android kernel for their hardware, so a flaw like this one is specific to the vendor’s devices rather than to Android as a whole.

Apparently any app can exploit this vulnerability to gain root access to the device. The affected Samsung devices include:

  • Galaxy Note
  • Galaxy Note II
  • Galaxy Note 10.1
  • Galaxy Note Plus
  • S2
  • S3

Hackers have increasingly targeted Android. The kernel vulnerability was found this past Saturday by user “alephzain” on XDA Developers, a forum for mobile (device/OS) developers. Alephzain called it a “huge mistake” and warned people to be very wary of it. Another forum user, Chainfire, added more information, including the list of affected devices. The flaw has been thoroughly tested and confirmed.


Yahoo Flaws Potentially Found by Egyptian Hacker

Security experts are looking into an Egyptian hacker going by the name “Virus_Hima”, who released screenshots of what may be flaws in Yahoo’s website. He has done this before, and his intentions may or may not be good.

One flaw he identified allegedly gave access to a full backup of one of Yahoo’s domains. The others were a cross-site scripting (XSS) vulnerability and an SQL injection vulnerability, according to a PasteBin.com post titled “Yahoo data leak by Virus_Hima”.

His previous work included Adobe, where he released a batch of more than 200 email addresses taken from one of the company’s databases. Adobe shut down Connectusers.com, the user site for its Connect web conferencing service, as a result.

Alongside his professed “good intentions”, he has also denied the claim that he sold an XSS vulnerability on the black market for $700. He says he is a former black hat and that his intentions now are those of a vulnerability researcher. In the same PasteBin.com post, however, he took shots at security reporter Brian Krebs, calling his site “Krebsonshitz” when it is, of course, Krebs on Security. Krebs had reported on the hacker back when the XSS vulnerability was being sold.