Tuesday, December 01, 2015
The ModPOS threat has been described both as “the most sophisticated point-of-sale malware we have seen” and “a complex, highly functional and modular code base that places a very heavy emphasis on obfuscation and persistence” by iSIGHT, which has reverse engineered the malware and published an in-depth report with threat indicators on the subject. iSIGHT Partners first spotted elements of the ModPOS framework way back in 2012, although it wasn’t until 2013 that it properly logged activity in the wild. Throughout 2014, however, the attackers ramped things up with active targeting of US retailers, and iSIGHT warns of a ‘high likelihood’ of ongoing ModPOS campaigns. “We believe this very hard to detect malware is likely being used in broader campaigns,” says Stephen Ward from iSIGHT, who continues, “and are disclosing details to help retailers and other organizations with POS and other payment processing systems hunt for and eradicate the malware.” Here at IT Security Thing we recommend that you take the time to download and digest the iSIGHT report forthwith. In the meantime, here’s what the IT security industry suggests you should be doing to mitigate against the ModPOS threat and other POS malware as we run up to the seasonal sales peak following the Black Friday weekend.
Friday, November 27, 2015
Most corporate attacks apparently happen on a Friday, but just imagine how much of a threat is posed to retailers this coming weekend, which is topped and tailed by Black Friday and Cyber Monday. News that web application security outfit High-Tech Bridge has notified Zen Cart, one of the largest ecommerce management systems, of a critical flaw that enables the execution of arbitrary code certainly won't help settle rattled nerves. Nor, for that matter, will the arrival of ModPOS, one of the most advanced pieces of card data stealing malware to surface this year. SCMagazineUK.com has been asking industry experts exactly what risks retailers face, and what they can do to mitigate against them even at this late hour of the day...
Friday, November 20, 2015
This isn’t a review, we don’t do them, but if it were our conclusion would be that the Nexus 6P is not only the best Nexus that Google has thrown out there to date, and offers incredible value for money up against premium handsets from rivals including Apple and Samsung, but it ticks plenty of boxes on the security side of things as well. In fact, until the malware-eating Snapdragon 820 chip starts appearing in smartphones in 2016, the Nexus 6P would be our first choice for a secure stock Android experience. Instead of drooling over the gorgeous 2,560 x 1,440 resolution AMOLED screen with its 518ppi density or the all-metal unibody design, we were more interested in determining how secure it is. Our teardown revealed four areas in which the Nexus 6P shines as far as security improvements to the Android family of smartphones are concerned, namely: biometrics, OS security updates, app permissions and encryption. So we took a closer look at each in turn...
According to the latest Infoblox DNS Threat Index, which measures the creation of malicious Domain Name Service (DNS) infrastructure, just four examples accounted for 96 percent of the total activity in the 'exploit kit' category during the third quarter of 2015. The exploit kits in the hit parade were Angler, Magnitude, Neutrino and Nuclear. This represents, quarter on quarter, a 75 percent increase in the creation of malicious domains by cyber-criminals unleashing exploit kits. So why did one security expert who spoke to SCMagazineUK.com suggest this explosion in exploit kit activity can be used to help harden your security posture?
George Osborne said the word 'cyber' 134 times in his 45-minute speech to GCHQ earlier this week. They say that talk is cheap, but in this case it could turn out to be quite expensive. Not only does Osborne plan to double cybersecurity spending to £1.9 billion over the next five years, but the proposals he set out in his speech will be expensive in terms of protecting our data and our critical national infrastructure. If you include the Snooper’s Charter in all this, the government’s measures could ultimately cost us our freedom.
Wednesday, November 18, 2015
The truth of the matter, as the ProtonMail example highlights, is that you can't actually trust the bad guys, so paying any ransom is always going to be a gamble. The FBI advice is about as useful as a one-legged man at an arse-kicking party. When it comes to paying a ransom to decrypt your data, the odds are stacked against you in my experience. How so? Well, quite apart from the trust issue (and yes, I am banging on about that, for a very good reason) there's the coding issue. Take the Power Worm ransomware that was spotted doing the rounds recently - it was so badly coded that the attackers couldn't decrypt your locked-up data even if you paid the release fee and they wanted to. Why so? Well, this variant was so full of bugs that it effectively destroyed the keys required to decrypt the data.
Friday, November 13, 2015
LTE (4G) is more secure than GSM (2G) and UMTS (3G), but that doesn't make it impervious to International Mobile Subscriber Identity (IMSI) catchers. That's the conclusion of a presentation due to be given at Black Hat Europe this week by Ravishankar Borgaonkar, Altaf Shaik, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert. To prove the point, the researchers will build an LTE IMSI catcher and demonstrate how "most popular phones" fail the test courtesy of vulnerabilities in baseband software and deployed networks that bypass enhanced LTE security measures. If that weren't enough, the same team reckons it has also managed to perform what it describes as rudimentary Denial of Service (DoS) attacks that effectively block the LTE signal and force the handset to drop down to a 3G or 2G connection on demand.
Tuesday, November 10, 2015
People ‘root’ their smartphones for many reasons, most commonly in order to have as much control over the device as possible. Now malware is getting in on the act, with Trojanised, auto-rooting adware attacking Android phones and installing itself as a system app that can survive a factory reset. IT Security Thing investigates. Predictive security specialist Lookout, which uses ‘machine intelligence’ to predict zero-day attacks, has spotted a large number of auto-rooting adware infected apps in the wild. So far it has detected more than 20,000 samples in apparently legitimate, and hugely popular, applications such as Candy Crush, Facebook, Google Now, Okta 2FA, Snapchat, Twitter and WhatsApp. Before you start worrying too much: the apps themselves may appear totally legitimate, but they have been repackaged by the threat actors with the malicious code squirted into them. They all appear perfectly normal from the user perspective, functionality is not impacted at all, and the malware remains well hidden. This, in and of itself, is unusual. Most commonly this type of app-cloning malware only goes as far as cloning the name and the executable icon; when it is clicked upon it installs the malicious payload, but without the original app doing anything. If that sounds like even more reason to panic, you can still relax unless you are in the habit of downloading your apps from outside the official Google Play app store.
Friday, November 06, 2015
Earlier this year, XCodeGhost was behind the infiltration of the official Apple App Store by malware-infected iOS apps. At the time it was pretty much exclusively a problem for users in China; that has changed, with XCodeGhost now also hitting Western targets including the US. If that wasn’t bad enough news, the same researchers also reckon that a worrying variant called XCodeGhost S (the S standing for stealth) has managed to infect iOS 9 apps. So what is XCodeGhost/XCodeGhost S, how does it work and what should you do to avoid becoming a victim? IT Security Thing has been digging through the data to find out. Before we deal with the ‘what is XCodeGhost’ question, we need to establish what XCode is. The answer is pretty straightforward: XCode is a free integrated development environment (IDE) that comes with a host of development tools that make developing apps for iOS (and OS X, for that matter) as easy as possible. If you want to know precisely what is included, then pop over to the Apple developer site for the full skinny on the latest version. What we are interested in, however, is a Trojanised version of the XCode IDE, which was made available for download through a popular Chinese cloud-based system. Now you might be asking yourself why any developer in their right mind would think about downloading the IDE they are going to use to create apps for the iPhone from anywhere other than the official Apple store. It’s a pretty good question, and the answer highlights just how a lack of strategic security thinking can impact upon software from the earliest stages of the development process.
Only this week we have learned of a hacking tool which allows a threat actor, under an admittedly rather strict set of prior requirements, to access and stealthily decrypt all the login credentials and secure notes stored within an instance of the KeePass program. Which leads us to ponder: what the hell are we supposed to do if password vaults just aren't secure enough anymore? The hacker tool in question, which targets KeePass, has been named KeeFarce and isn't actually as worrying as it may appear at first. We say this despite the fact that, in principle, a similar tool could be designed that could empty the contents of pretty much any password vault. The reason that we are not in a state of panic is simply that in order for KeeFarce to do what it does, it needs the target computer to have already been compromised. So it's a great tool for pen testers and hackers alike, but only if they already have access to the machine with KeePass installed. What's more, it needs that instance of KeePass to be open, with the user logged in and the password database unlocked. Under those circumstances it's pretty much game over anyway, so it's not as big a deal that it can silently decrypt and copy your password database to a file for you to collect at your leisure. That said, as Ken Munro, senior partner at Pen Test Partners, points out: "Someone did all the hard work to make this attack vector very easy to implement. Its success rate, however, is directly related to how exploitable the target workstations are."