Anti-virus vendors must dread hearing from Tavis Ormandy. The Google Project Zero researcher has been hunting vulnerabilities in anti-virus products for at least a year, unearthing holes in the very software that is supposed to protect companies (see Yes Virginia, Even Security Software Has Flaws).
Ormandy's target this time was Symantec. He found several remote code execution vulnerabilities, including one in the core scanning engine used in all Symantec and Norton-branded products. The problem is so severe that even a single email engineered to exploit the flaw could compromise a computer, depending on the platform.
"Just receiving an email is enough, no need to open or read it (even webmail, so long as the tab is open)," Ormandy wrote on Twitter.
Symantec said Monday in an advisory that it had issued a fix for the flaw - designated CVE-2016-2208 - through its LiveUpdate service. The up-to-date version of its anti-virus engine is "20151.1.1.4." Other issues found by Ormandy, however, can't be fixed by LiveUpdate and will require a separate update. A Symantec spokeswoman says the company is working on those issues.
Ormandy's findings were met with surprise, even by computer security pros used to seeing the worst. "A securely configured PC/Mac (no Flash, disabled Office macros, fully patched) is hackable simply by having anti-virus scan inbound mail?!," wrote Kenn White, a security researcher and co-director of the Open Crypto Audit Project.
So, why are anti-virus programs so attractive a target for hackers? To work effectively - and detect malicious activity - the applications require deep access into a computer's operating system. On Windows, Symantec's scanning engine is loaded into the kernel, which is the core code inside the operating system. Successful use of Ormandy's scanning engine bug on Windows causes a memory corruption issue within the kernel and could allow remote attackers to seize full control of some systems.
Kernel memory corruption in Symantec/Norton antivirus, CVE-2016-2208 (more patches soon). https://t.co/Sqhm0a48Fp pic.twitter.com/F22xDIelSU
"This is about as bad as it can possibly get," Ormandy writes in his advisory. The result on Windows is the "blue screen of death." On Linux, Unix and Mac OS X, the successful exploitation of the remote heap overflow problem can give an attacker root access to the system.
Ormandy couldn't be reached for comment. Since last year, Ormandy has found more than 45 flaws within security products from vendors such as Kaspersky Lab, ESET, FireEye, Avira and Sophos.
Attempted Heist Reportedly Targeted TPBank's SWIFT Software With Trojanized PDF Reader
A Vietnamese bank says it foiled a plot to transfer $1.36 million out of its accounts - via the interbank SWIFT messaging system - in the fourth quarter of 2015 as part of a suspected malware attack launched by fraudsters (see SWIFT Warns Banks: Coordinated Malware Attacks Underway).
Tien Phong Commercial Joint Stock Bank, based in Hanoi, on May 15 said in a statement to Reuters that it detected the suspicious transfer requests quickly enough to contact receiving banks and put a stop to the transfers. The attempted attack "did not cause any losses," TPBank's statement reportedly said. "It had no impact on the SWIFT system in particular and the transaction system between the bank and customers in general."
SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, is a Brussels-based cooperative founded in 1973 and owned by 3,000 banks. It maintains a messaging system used by 11,000 banks.
The State Bank of Vietnam - the country's central bank - is probing the attack after having received related information from TPBank on May 16, spokeswoman Le Thi Thuy Sen tells Bloomberg.
TPBank and the State Bank of Vietnam couldn't be immediately reached for comment on those reports.
SWIFT declined to comment on those reports, except to point to a May 13 security alert that it sent to its customers, warning them of "a highly adaptive campaign targeting banks' payment endpoints." That warning said an unnamed Vietnamese bank had also been targeted by the same attackers who attempted to transfer $1 billion out of the central bank of Bangladesh's account at the Federal Reserve of New York.
In the Bangladesh Bank case, the attackers successfully transferred $100 million to overseas accounts, of which $81 million is still missing. Investigators say the stolen funds were laundered via casinos in the Philippines. SWIFT says the attack was carried out in part after attackers used malware to infect a PDF reader used by bank employees.
TPBank's statement said the fraudulent transfer requests were made through an unnamed third-party vendor the bank had contracted to interface with the SWIFT network. The bank said that in the wake of the fraudulent transfer requests, it stopped working with the third-party provider and now has a more secure system that interfaces directly with the SWIFT platform.
TPBank told Reuters that the attack against it might have been carried out using the Trojanized PDF reader detailed in SWIFT's customer alert.
In its May 13 customer alert, SWIFT warned that beyond Bangladesh Bank, it was aware of a "small number" of similar cases at other banks, involving attackers successfully infecting an unnamed PDF reader used at victim banks, which could be used to alter statements and disguise fraudulent transfers. Its alert did not name TPBank.
British defense contractor BAE Systems on May 13 released research saying that "a commercial bank in Vietnam ... also appears to have been targeted in a similar fashion using tailored malware, but based off a common code base" (see Bangladesh Bank Attackers Hacked SWIFT Software).
Threat-intelligence firm iSight Partners says there is at least one more victim that has not yet been publicly disclosed. "We believe that at least three financial institutions in the region were affected by these actors, and in two instances, malware was deployed that had functionality specifically associated with SWIFT fraud," the firm says in a research note that also names the PDF reader targeted by attackers.
"The malware used to target the Vietnamese bank replaces Foxit's popular PDF reader software to mask records of SWIFT transactions when read," iSight Partners says. "When reports are read through the PDF reader, SWIFT records are altered to remove traces of fraudulent transactions."
Based on its digital forensic investigation, BAE Systems said the malware appeared to be tied to the Lazarus Group, as detailed in a February report into Operation Blockbuster that was coordinated by anti-fraud and analytics firm Novetta. BAE Systems said the group also appeared to use a code compiler named Kordllbot, and to have focused its attacks on organizations in South Korea and the United States.
The Novetta report said the Lazarus Group "has been active since at least 2009, and potentially as early as 2007, and was responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment."
BAE Systems said that it did not have enough evidence to incontrovertibly attribute the Bangladesh and Vietnamese bank hacks to the same group that hacked Sony. But it said currently available evidence strongly suggests a connection. "We believe that the same coder is central to these attacks," it said. "Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone."
The bank hacking campaign has revealed uneven information security practices at some SWIFT-using banks. In the wake of the February theft from Bangladesh Bank, which came to light in March, bank officials publicly said the Federal Reserve Bank of New York and SWIFT were at least partially to blame. But the New York Fed fired back, saying that it had honored valid SWIFT requests, and SWIFT said that the attackers had been able to gain access to Bangladesh Bank's back-end systems and submit what appeared to be legitimate SWIFT messages.
A subsequent Bangladesh police investigation reportedly concluded that a SWIFT technician left exploitable loopholes after connecting the bank to SWIFT's network, to facilitate real-time payments. But other reports suggested that the bank lacked robust passwords and authentication controls, or even firewalls (see SWIFT to Banks: Get Your Security Act Together).
On May 10, representatives from SWIFT, Bangladesh Bank and New York Fed met to discuss the attack and related investigations, and issued a joint statement pledging greater cooperation.
SWIFT has also continued to urge all customers to conduct a top-to-bottom review of their security defenses. "Please remember that as a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environment - starting with basic password protection practices - in much the same way as you are responsible for your other security considerations," its May 13 security alert reads. "Whilst we issue, and have recently reminded you about, security best practice recommendations, these are just a baseline and general advice."
The U.S. Supreme Court this week sided with data aggregator Spokeo in a case dealing with when consumers can sue for privacy violations.
The high court, in a 6 to 2 decision, remanded the case to the Ninth Circuit Court of Appeals to examine the issue of whether the plaintiff had been harmed when Spokeo published incorrect information about him online.
Spokeo promotes itself as a "people search engine" that organizes white pages listings, public records and social network information to help individuals safely find and learn about people. Thomas Robins filed suit after he read his online profile on the Spokeo website that contained numerous mistakes, including incorrectly listing his age and inaccurately stating that he holds a graduate degree, is wealthy and is married with children. When he filed the suit, Robins was unemployed and seeking work, and claimed the incorrect information harmed his job prospects (see Holding Websites Liable for False Data).
Robins sued Spokeo under the federal Fair Credit Reporting Act. That law requires consumer-reporting agencies to take reasonable steps to assure the accuracy of information they publish. Companies found to willfully violate the act face actual damages of $1,000 for each violation. Consumers also can seek punitive damages.
The Supreme Court has asked the appellate court to take a closer look at whether the harm suffered by Robins was significant enough to warrant a judgment of liability against Spokeo. In his majority opinion, Justice Samuel Alito wrote that for the case to move forward, Robins must show he suffered "concrete" damage that was "actual or imminent, not conjectural or hypothetical."
When the Supreme Court decided to take the case, cybersecurity lawyer Françoise Gilbert of the law firm Greenberg Traurig observed that Robins must prove that he was injured by the actions of the defendant, that he suffered specific damages. "In this particular case, the plaintiff could not point to a particular injury," Gilbert said. "Instead, the plaintiff argued that the fact that the defendant violated the plaintiff's rights under the Fair Credit Reporting Act was sufficient harm for the lawsuit to proceed."
Because Robins' suit is a class action case that could include thousands of other plaintiffs similarly affected, a decision in favor of Robins could potentially lead to Spokeo paying substantial damages.
Internet firms such as eBay, Facebook, Google and Yahoo side with Spokeo, contending that if the court rules in favor of Robins "floodgates will open for class action litigation for no injury violations," said Linn Foster Freedman, a lawyer with Robinson and Cole.
Stefan Esser: Tool Passed Three Reviews But Was Booted
Apple's App Store can be a tricky club. Even if an app gets in, that doesn't mean the store's bouncers won't come around for it another time.
That is the case with a security tool written by noted iOS expert Stefan Esser of SektionEins, a penetration testing and security consultancy based in Cologne, Germany.
Esser's app, called System and Security Info, was designed to be a cheap tool that runs a basic survey to indicate if an iOS device has been hacked or secretly "jailbroken." Jailbreaking, a practice that Apple strongly discourages, is the term for removing the iOS security defenses that prevent the installation of apps from outside Apple's store (see Jailbreaking iOS Devices: Risks to Users, Enterprises).
The app, which cost $0.99, was in the store for about a week before Apple booted it over the past weekend. Apple officials couldn't be reached immediately for comment.
Apple generally forbids what would be considered true security applications from running on iOS. The company doesn't allow deep access into the operating system needed for certain kinds of security monitoring, which has rankled security experts.
Esser has long been a critic of Apple's security processes, claiming that the company sometimes doesn't patch the bugs it says it does. In fact, the functionality of System and Security Info depended, in part, on APIs Apple said it would close off to developers but didn't.
With the app, Esser was pushing the limits: Would Apple give his company's app a pass?
"We expected that Apple might not let the app into the store," Esser tells ISMG. "But when we went through three App Store reviews, we thought 'Wow, Apple has really changed, and they are OK with this app and do not try to hide security problems from their users anymore.' Apparently, we were wrong."
It's difficult for even security professionals to figure out if an iPhone has been hacked. Because iOS is so locked down, SektionEins has resorted to using private jailbreak exploits for investigations, a method that isn't cheap. It essentially amounts to hacking an iPhone to figure out if it has been hacked.
"We, therefore, wanted to provide the public with a low-cost solution to find out if someone used one of the public jailbreaks or a customized version to hack and backdoor your device," Esser says in a blog post.
System and Security Info shows a list of running processes, which can help someone determine if an app is doing something it is not supposed to. It also looks for clues that a device may have been jailbroken using one of the known jailbreak exploits. Other signs it looks for include whether code-signing functionality has been disabled and if apps' SHA-1 hashes are legitimate.
Esser cautions that the tool isn't a replacement for a full analysis, but rather a good first sweep.
But over the weekend, Apple pulled Esser's app, saying it "provides potentially inaccurate and misleading diagnostic functionality for iOS devices to the user."
"Currently, there is no publicly available infrastructure to support iOS diagnostic analysis," according to a statement from Apple that Esser posted via Twitter. "Therefore your app may report inaccurate information which could mislead or confuse your users."
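One of the checks the article attributes to the tool, comparing hashes of installed files against known-good values, is a general integrity technique that works on any file tree. The sketch below is an added example written for this page, not SektionEins' code and not an iOS implementation: it snapshots a directory into a SHA-1 baseline manifest, then re-sweeps it and reports files whose hash changed, files that appeared without being in the baseline, and baseline files that are gone. The sample tree, the "tampering" and the path names are all constructed for the demonstration.

```python
"""Baseline-hash integrity sweep (added example, not the tool described above)."""
import hashlib
import tempfile
from pathlib import Path


def sha1_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-1 so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-1."""
    return {
        p.relative_to(root).as_posix(): sha1_of_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sweep(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a baseline manifest.

    Returns three sorted lists: files whose hash changed, files present on disk
    but absent from the baseline, and baseline files that are now missing.
    A replaced binary (the PDF-reader swap described elsewhere on this page is
    the classic case) shows up under "modified".
    """
    current = build_baseline(root)
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    unexpected = sorted(f for f in current if f not in baseline)
    missing = sorted(f for f in baseline if f not in current)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def demo() -> dict:
    """Build a constructed tree, snapshot it, tamper with it, and sweep again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed sample files; the ELF-looking prefix is only decoration.
        (root / "bin" / "reader").write_bytes(b"\x7fELF original reader binary\n")
        (root / "bin" / "helper").write_bytes(b"\x7fELF helper binary\n")
        (root / "lib.conf").write_text("option=1\n")

        baseline = build_baseline(root)

        # Simulated tampering: one binary swapped, one file dropped in, one deleted.
        (root / "bin" / "reader").write_bytes(b"\x7fELF patched reader binary\n")
        (root / "bin" / "extra").write_bytes(b"unexpected payload\n")
        (root / "lib.conf").unlink()

        return sweep(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:10s} {files}")
```

The baseline must be captured from a state you trust and stored somewhere the monitored system cannot rewrite; a manifest kept beside the files it describes is only as trustworthy as the files themselves. SHA-1 is used here because that is the hash the article names; for a new design a SHA-2 family hash is the better choice.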
Here. It basically says: we do not want our users to have the impression iOS could have security holes. go away. pic.twitter.com/7II1q96ZMt
System and Security Info compiled its information using APIs that Apple said last year it would close off. Apple made the changes to prevent applications from gathering information on other applications running on a system, which could be used for attack intelligence.
Esser asserts the changes, however, were only partial, and it was still possible to pull a list of running processes and other information, which has only positive security benefits.
"Apple has really bad QA [quality assurance] of security fixes, and unless this becomes more widely known and customers start to [ask] about it, they will not change," he says. "Apple still needs to get their Microsoft moment."
Apple relies on a vetting process for new apps, which has largely kept its App Store free of malicious software. But there are notable exceptions.
Indeed, attackers have developed more sophisticated methods to slip past Apple's censors and appear in the store, at least for brief periods. In September 2015, more than 4,000 apps were discovered in the store that had been created with XcodeGhost, a malicious version of Apple's Xcode development tool (see Apple Malware Outbreak: Infected App Count Grows).
The fake version of Xcode added hidden code to any app compiled with it. Those apps could then collect information about the iOS device they were running on or open URLs. Apple quickly responded with a large sweep that removed the suspicious apps from its marketplace.
There are two elements of a ransomware attack - the infection and then the action that takes place on infected devices. And both elements are evolving, says Ben Johnson of Carbon Black. He shares insight on how to improve ransomware defenses.
Infections are on the rise - the daily headlines are testament to that, says Johnson, co-founder and Chief Security Strategist at Carbon Black. But what many security leaders don't see behind the scenes is how attackers are launching attacks that try to circumvent human defenses.
Social engineering is still effective, Johnson says, but taking the human out of the equation leads to even greater infection rates.
"If you can target a server or a remote desktop - someplace where there is no human - your chances as an attacker go up," Johnson says. "So, we're starting to see more targeting of servers and desktops through brute-forcing of credentials, or finding vulnerabilities in websites and then just automatically trying to encrypt their system."
When it comes to defending against these evolving attacks, organizations have two options: They can harden their systems to prevent infection, or - failing that - they can work to close open doors after they've been infected.
In an interview about defending against ransomware, Johnson discusses:
How ransomware and its targets have evolved;
What to do to prevent infection, and how to respond when ransomware takes root;
The surprising cultural challenges one often faces when fighting ransomware.
Johnson is co-founder and chief security strategist for Carbon Black. In that role, he uses his experience as a cofounder and chief technology officer for Carbon Black, which merged with Bit9 in February 2014, to drive the company's message to customers, partners, the news media and industry analysts.
Johnson, who was directly responsible for the powerful functionality of the Carbon Black endpoint threat detection and response (ETDR) solution, has extensive experience building complex systems for environments where speed and reliability are paramount.