Archive | Other Industry News RSS for this section

Added Security for Twitter Users to Come Soon!

Two-Factor Authentication

From spam to ham, Twitter deals with a lot of security issues on a daily basis. What about viruses/malware? I’m sure, yes. But, more importantly: account security. What do Twitter users need? Security assurance!

Therefore, Twitter is developing and perfecting a two-factor authentication method that will allow Twitter to not only ask for a password, but also a different credential to be sure of who is accessing your account.

From recent issues with Twitter accounts being hacked, it is best to have this in place, before it happens to other high profile organizations. Some of the recent organizations hacked were high profile including the Associated Press‘s account, CBS 60 Minutes account, and the BBC’s account.

Expect a shift in all online high profile websites switching to two-factor authentication. Apparently, it is the go-to emergency security solution.

Free Software Pioneer Richard Stallman calls Ubuntu ‘Spyware’

Richard Stallman, the pioneer of free software, has asked a South American free software association to not promote Ubuntu at any event, giving reasons that it “spies on its users” by collecting desktop search activity, and then handing it over to Amazon.

Canonical, developers of Ubuntu, a Linux-based operating system, released version 12.10 with the desktop search last October. Users can opt out of this, in which Canonical claims it retrieves anonymous user data, which is shared with third parties.

After calling Ubuntu spyware, it seems it might be a ridiculous banter by Stallman. It may not be spyware, but it’s no surprise any software collects data. Wouldn’t you be shocked if you found out software didn’t collect data?

A lot of heated criticism has been over this desktop search, however, Stallman’s request was declined. The FLISOL event organizer stated that users should have freedom of choice. As we know, limited freedom of choice is bad when it comes to software.

Whether Stallman wants Ubuntu promoted anymore is irrelevant to the fact that Ubuntu is one of the fastest growing distros of Linux.

Google disallowing Ad-Blockers in Play store

While Google Play has operated in an odd fashion, by mostly approving apps correctly, except for a few slipping by. But, it has also approved ad-blocking apps. Most of the time these apps either operated in browser environment (like Firefox add-on: AdBlock Plus) or in a rooted environment (which helps disable all device ads).

Google says no more, as many report on social networks that ad blockers are removed from Google Play. Most of the time, the reason for removal: “Violation of section 4.4 of the Developer Distribution Agreement.”

Supposed that Google is disallowing updates to current versions, which means that even if you have ad blockers on your device, they will eventually dysfunction, if not already.

Pwn2Own (2013) Contest a Blast – FULL Results

CanSecWest is a conference, and 2013’s conference once again involved the Pwn2Own contest for hackers, an elite (1337) competition. The concept remained simple and will always that if you pwn a fully-patched browser running on a fully-patched laptop, you get to keep the laptop.

However, different rules applied this year. It involved successfully demonstrating the exploit, providing the sponsor (HP) the fully functioning exploit, and all details involved with the vulnerability used in the attack. If there were many vulnerabilities, multiple reports are needed, etc.

The work couldn’t be sold to anyone else, and proof of concept would belong to HP once sold. Basically, HP buys the winning exploits for own use. Their idea of reward money was the following:

  • Google Chrome on Windows 7 = $100,000
  • IE10 on Windows 8 = $100,000 or IE9 on Windows 7 = $75,000.
  • Mozilla Firefox on Windows 7 = $60,000
  • Apple Safari on Mac OS X Mountain Lion = $65,000
  • Adobe Reader XI and Flash Player = $70,000
  • Oracle Java = $20,000

It was assuredly a blast at the competition, no doubt about it.

DAY ONE: Java, Chrome, IE10, and Firefox PWNED!!!

(Where’s Safari, right? It survived!)

The idea behind each attack is the ability to browse to an untrusted website where you’re able to inject and run arbitrary code outside of the browsing environment.

Of course, one of the rules is: “A successful attack … must require little or no user interaction and must demonstrate code execution… If a sandbox is present, a full sandbox escape is required to win.”

ie-ff-chrIn addition to Chrome, Firefox, and IE10 being pwned, Java was pwned three times on the first day. Once by James Forshaw, Joshua Drake, and VUPEN Security. VUPEN Security also led a lot of the pack of issues by successfully exploiting IE10 and Firefox as well.

The only other exploit was by Nils & Jon, where both successfully exploited Chrome.

The day after the first day of Pwn2Own, Mozilla and Google patched the exploits that were pushed out. Amazingly fast, Firefox went on to version 19.0.2 (which you should’ve been updated automatically), and Chrome went on to version 25.0.1364.160 (effectively patching 10 vulnerabilities).

“We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users,” said Michael Coates, Mozilla’s director of security assurance, in a Thursday blog.

Microsoft has decided to wait until next week’s Patch Tuesday run of updates to push out the fix for the Internet Explorer exploit on IE10.

DAY TWO: Adobe Reader and Flash Player PWNED!!! Java PWNED AGAIN!!!

The last day of Pwn2Own 2013 went with a BANG!fl-ar-ja

Flash Player…exploited by VUPEN Security (any surprise?). Adobe Reader PWNED by George Hotz. Java once again was exploited, this time proxied by Ben Murphy.

Who’re the overall prize winners?

  • James Forshaw, Ben Murphy, and Joshua Drake for Java – each $20,000
  • VUPEN Security for IE10 + Firefox + Java + Flash – $250,000
  • Nils & Jon for Google Chrome – $100,000
  • George Hotz for Adobe Reader – $70,000

Of course, George Hotz is best known for jailbreaking the iPhone and PlayStation 3. He’s still in progress with a lawsuit with Sony over the issue for PS3.

It’s amazing to see that Java was PWNED 4 times in just two days, but is it any surprise based on the number of vulnerabilities Oracle has dealt with for Java?

Now in its eighth year, Pwn2Own contest had $480,000 in payouts, a record year. Amazing!

Got any vibe on this issue? Post comment below! 🙂

RSA Conference Details Unfold in this Super Writeup!

The RSA conference is a yearly security conference where various internet security topics are discussed. Well, this year’s discussions are quite intense, and involve many of the latest problems.

  1. Security training is an important thing for any person. Teaching people about the seriousness of threats is highly important. Not just about some of the basics of threats, like an IP address, firewalls, or antivirus software. But, more than that, more focused on trends in computer security, social engineering, etc. With the increase of people using tablets, smartphones, etc., there is a big need for understanding cybersecurity. (Secure Connexion has their own ventured school, SecuSchool, hosted on a sister website.)
  2. Cybersecurity on Planet Earth is in big trouble! Experts state that the internet was designed to be build without security concerns. However, with password theft, business attacks, fraud, phishing, etc. – this makes internet security far more important. Problem is, attackers are also getting organized with their criminal activity. With that, there is a need for counterintelligence methods.
  3. “Too big to be good” is how most security companies are being stated as. By the time new businesses are started fighting new cyberthreats, criminals already have new plans being carried out.
  4. Free personal data (in numbers of petabytes) are out there in social media and analytics. Scams, fraud, and phishing scams can be built with the free information available online.
  5. Mobile malware on the rise. An apparent 30% of malware submissions (not necessarily new) are reported to come from mobile platforms.
  6. Cyberespionage is on the rise big time!  Governments are spying on each other, gathering information, stealing secrets, and preparing to construct cyberattacks.
  7. There are a lot of good security startups, which are making steady advances toward the future of cybersecurity. We’re just one of those startups.

Today, continuing in RSA, keynote speeches will be posed from Vint Cerf of Google, Philippe Courtot of Qualys with special guess John Pescatore of SANS Institute, Christopher Young of Cisco, Mike Fey of McAfee, and Jimmy Wales of Wikipedia.

Last year’s conference highlights were as follows:

  • Application, cloud, data, and mobile  security
  • Cryptography
  • Hacking and other threats
  • Governance & laws
  • Risk & compliance
  • Professional development
  • Strategy & architecture
  • Technology infrastructure

We will most likely have more details about RSA 2013 in the coming days. The conference runs from February 25-March 1 in San Francisco.

Cybersecurity Order Signed by President Obama – Now What?

It’s been studied for months to issue an Executive Order for Cybersecurity on information sharing of cybersecurity threats between companies. It’s been talked about for years. It’s a pressing issue that with high-level attacks going on targeting critical infrastructures, that information sharing between companies is important. President Barack Obama agrees that this should take effect.

One core problem in information sharing is that data on new threats to security and other cybercrime attacks need to be shared when it happens rather than in the middle of an attack. Usually, some companies will provide some info to other companies, but put it on low priority where the other company (on the receiving end) receive it too late to do anything about it.

As we reported back in late December, 46 US House of Representatives Republicans joined in a letter (PDF) to urge President Barack Obama not to issue the executive order on cybersecurity. The letter of urgency, led by Representatives Marsha Blackburn (Tennessee) and Steve Scalist (Louisiana) was aimed at helping to reduce the amount of government involvement in cyberwar, in hopes not to stir rages with hackers and other pests.

However, if companies don’t band together to help defeat the cybersecurity problems scattering aggressively on the Internet, then every normal internet user will be doing some information and credit card sharing, which could cause money to be robbed out of the pockets of millions of people everyday. But, with this Executive Order, at least companies can share information about cybersecurity threats and prevent people from being robbed, and clean up the situations of data and identity theft.

As we reported late last month, critical infrastructure vulnerabilities are getting out of hand.

“The cyber war has been under way in the private sector for the past year,” says Israel Martinez, a board member of the U.S. National Cyber Security Council, a nonprofit group composed of federal government and private sector executives.

“We’re finding espionage, advanced persistent threats (APTs), and other malware sitting in networks, often for more than a year before it’s ever detected,” Martinez says.

With this information paired with the Department of Defense wanting more cybersecurity workers, the state of National Security will improve along with cybersecurity.

According to Wired Magazine Online, The order, which runs eight pages (.pdf), directs the Attorney General’s office, the office of Homeland Security Secretary Janet Napolitano and the Director of National Intelligence to issue instructions to their agencies that would “ensure the timely production of unclassified reports of cyberthreats to the U.S. homeland that identify a specific targeted entity” to Congress and also develop a program for providing “classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure,” according to the document.

With the government wanting to expand operations to handle critical infrastructure vulnerabilities implementing more workers, to expediting security clearances, they have this to say in the Order:

“It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”

Some worry about this order, and hope this is the right thing to do.

“I am concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyberthreats,” Republican Representative Michael McCaul, of Texas, said in a statement.

“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties,” ACLU legislative counsel Michelle Richardson said in a statement. “Greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information.”

We’ll see the state of the internet security landscape as time goes on, as this is just the beginning. In efforts to see this thing through, congress will be keeping a close eye on this issue, and perhaps start adding other measures to support it.

All-Out Cyberwar is Going On in the Dark, Pentagon Increasing Cybersec Teams

Could there be a “cyber 9/11”? Would there be an all-out cyberwar happening right now? There is a war going on, a cyber one at that, going on here in the states. If you work for a defense contractor, bank, train and plane transportation providers (also including RTAs and other digitally-depending transportation methods), power company, water and utilities plants, etc. are in direct line of fire of potential cyberwar problems.

A brewing cyberwar has been going on in the past year, and usually people view it as governments going head to head (like it would in actual wars). However, there is more of a cyberwar against governments, corporations, and of course the entities we named above.

With seeing government threats, like Stuxnet, Flame, etc., to cybercrime units like Red October, Rustock, even Virut/Waledec – seems like the threat is getting out of hand. With the use of tactics like from these malware powerhouses, our worry for a severe (life-threatening) attack should be a lot greater…mainly to the fact that the US should seriously prepare itself.

“The cyber war has been under way in the private sector for the past year,” says Israel Martinez, a board member of the U.S. National Cyber Security Council, a nonprofit group composed of federal government and private sector executives.

“We’re finding espionage, advanced persistent threats (APTs), and other malware sitting in networks, often for more than a year before it’s ever detected,” Martinez says.

Martinez studies different issues, such as US entities being targeted by fronts from China, Iran for intellectual property theft to other cybercrimes such as stealing identities or cash.

When we look at Stuxnet for example, the US and Israel crafted it jointly to disrupt Iranian nuclear facilities. Problem here is, doing that may have just been a provoking edge to the cybcerwar for Iran to develop something else and revenge. Doing this caused Iran then, to strike back with cyber attacks on US banks. Some have thought Iran was behind the Shamoon virus as well, which wipes out 30K hard drives and taking computers offline at Saudi Aramco for several weeks.

Defense firms in the US are hoping that some of the Fortune 500 cybersecurity companies have a good plan to counterattack and defend for the US to these opponents.

The Pentagon has come back with newer accounts of management for this cyberwar by planning to increase cybersecurity teams. The Senate is continually pushing for legislation for information sharing on threats and cyber attacks. President Obama prepares to issue executive order on cybersecurity, so the Department of Defense is looking for a massive increase in the number of trained cybersecurity personnel helping to defend our country’s public and even private networks.

The government has had trouble in the past looking for the right personnel, since most are employed by agencies that don’t discuss operations publicly (due to the risk of the information getting in to the wrong hands). The Pentagon is planning to push up the number of security professionals up to 5,000 in the next few years (which is up from a little under 1,000). They’re hoping for both military and civilian security personnel to join up, so the diversity helps the US prepare for any issue.

Expect a better take charge situation by corporate, government, and private firms in this cyberwar situation!

Anonymous Says “Expect Us 2013” – #OpNewBlood – McAfee Underestimates

Anonymous is not going away. Just wanted everyone to know that. It’s not a likely thing for them to disappear at all. From what McAfee made it sound like, is that Anonymous was low-key and not a big threat. However, it is to be disagreed with. They could strike crazy at any time with a hacking attack.

Their year-in-review video details what they have done, and it is clear they have similar plans in 2013, if not more. Some are saying the next mission to finally carry out is “#OpNewBlood”. This is actually an old plan, but they’re still carrying it out. There are already tons of posts on Twitter discussing #OpNewBlood, and how many people can freely join Anonymous. Some have linked to how to set up chatting in IRC and how to be anonymous when browsing the Internet. Many recruiting efforts are underway, such as AnonyOnion. Can anyone LOL?

Their press release on AnonNews characterizes an “Expect Us 2013” banner. See for yourself. Apparently, a lot of the new operations would be led by @Crypt0nymous.

Anyway, back to the details about the video, it details info about the temporary shutdown of websites belonging to The US Department of Justice, the FBI, the Motion Picture Association of America – which were all in protest of the indictment of MegaUpload. Although the sites were temporarily down, it sent a message of protest against the US Government, in hopes to say that people still have a voice.

However, the hacktivism continues, and is showcased in the video. It shows newsreels of Anonymous’ intervention in Syria, when the Syrian Government shut down Internet access for a day. Apparently, from what also showed up in the video involved Anonymous’ “cyberwar” against the Israeli Government – when clearly it is a problem with Syria and other neighboring countries.

“The operations which are listed in the video are only examples, there are far more operations,” Anonymous wrote in the statement. “Some of them still running, like Operation Syria. We are still here.”

Despite such threats, and other details that Anonymous threw in the faces of the viewers of the video (with a lot of them saying F*CK YEAH!), many other underestimate their presence. But, what risk can we take in computer security? The first time we let our guard down, Anonymous will strike. They do it every time. Never let your guard down in computer security. McAfee: We’re calling out to you. Stop spreading the message giving people the idea that Anonymous is going to be less active or less threat. We don’t need anymore damage. The more we stay aware, the better protected we will be.

This “syncopathic” (goth jargon: syncope=fainting, pathic=motivation) approach is common for Anonymous…meaning they are silent (kind of when you faint), and then all of the sudden they jump up (motivate quickly) and go into hacking/activism.

Expect Anonymous or get a reality check! That’s all we’re saying here. It’s not worth the mess/damage to let your guard down.

Security Concerns This Winter – Android Malware, Facebook Problems, Anonymous, among other things

We’ve discussed over the past couple of weeks some of the things that happened in 2012, and things we’re focused on coming into the new year. There is a surge in a lot of security concern over several different issues, including Android malware, Anonymous, cyberwar, among other things. Here is a comprised list of the top concerns this Winter that we’ll be investigating on a continual basis.

  1. Identity Theft – this can be a problem for most people that get viruses and other malware on their computer. It can also be a problem on social networks. It is best to have a good antivirus and keep your social networking information safe. You don’t have to enter everything in your profile. Leave some fields blank so it is more trivial for the unsuspecting stalker. Sadly, you cannot know who’s viewed your profile, which makes it more difficult to discover stalkers. Hmm…hint Facebook.
  2. Spear-Phishing – plain and clear, spear-phishing is similar to identity theft. This is done by email-spoofing, which the attacker is masking him-or-herself as a legitimate company with legitimate looking emails. However, these emails are only subject to make you click and to either steal your information, or distribute malware, or even both. Normally, this is a big problem over the holidays, but now it’s starting to become widespread no matter the time of year.
  3. Human Error and the Failure to Update – Vulnerabilities – It is true that humans forget a lot of things. One of the biggest security risks we have always faced is that users fail to update their browser plugins and programs on their computer. However, through the use of this vulnerability, attackers exploit and send malware your way. Using a vulnerability scanner can help you keep managed of this atrocity.
  4. Browser Hijackers and Junkware – we still continue to see the problem of browser hijackers and junkware being distributed in installers for legitimate programs. What’s sad is, the royalties are so high for software developers to add in the install code for junkware, that the developers don’t know how bad the issue is. From Babylon Toolbar to Claro Search…these toolbars and homepage hijackers are unnecessary and technically need to be done away with. Good thing our security community has the ability to remove this crap with our special tools.
  5. Malware growth on Other Platforms – it’s no surprise that malware problems are lighting up on the iOS now, as well as Linux. It sure will start to become a problem this year. Even more on Windows 8 and Android than any other device.
  6. Android Malware Growth – This has become one of the biggest problems right now in the computing world is the steady high growth of malware on the Android platform. It will continue to be a problem, sadly.
  7. Anonymous Cyberattacks, and Government Cyberwar – we will still see cybercrime and cyberwar problems continue this year.

Stay in tune with this blog for further updates.

seCURE Connexion Year-in-Review 2012

Thanks for being readers to the seCURE Connexion blog. It is our honor to bring the latest security news and developments to your media attention. This is a 2012 year-in-review of some of the most popular posts here on the blog.

  1. Antivirus Software Toplist – this was the best post on the blog this year, as we reviewed the latest in antivirus software and security suites.
  2. Miley Cyrus Sex Tape Scam Details – this was just behind our toplist for antivirus software, in which Miley Cyrus was a victim of the latest celebrity “fake leakage” of a sex tape.
  3. Advantages and Disadvantages of Bring-Your-Own-Device in Education – we thoroughly reviewed what it was like to use the BYOD perspective in education, and whether it was good or bad.
  4. FAQ: How Did ZeroAccess/Sirefef Infect You? – One of the year’s worst propagating trojan/rootkits, this FAQ helped answer some questions.
  5. Advantages and Disadvantages of Single-Sign-On Technology – we fully reviewed what it was like to deal with Single-Sign-On technology in the upcoming years.
  6. ZeroAccess/Sirefef Infects up to 9 Million PCs – We discussed the troubles of ZeroAccess trojan and how fast it propagated.
  7. All about TPM Chip in Windows 8 – Microsoft is Many Years Late – We discuss how Microsoft is many years late on implementing the TPM chip in Windows 8-based devices.
  8. Windows 8 medical app, EMR Surface launched – the first great medical app for Windows 8 was released, introducing medical technology to the Windows 8 market.
  9. RasGas energy company hacked
  10. Rakshasa Case Study: Really Undetectable?

Hope you had fun reading. Thanks again for joining us on this security blog. 🙂

%d bloggers like this: