Monthly Archives: July 2013

Unusual file-infecting malware steals FTP credentials

About 70 percent of computers infected with this threat are in the US, according to antivirus firm Trend Micro.

A new version of a file-infecting malware program that’s being distributed through drive-by download attacks is also capable of stealing FTP (File Transfer Protocol) credentials, according to security researchers from antivirus firm Trend Micro.

The newly discovered variant is part of the PE_EXPIRO family of file infectors that was identified in 2010, the Trend Micro researchers said Monday in a blog post. However, this version’s information theft routine is unusual for this type of malware.

The new threat is distributed by luring users to malicious websites that host Java and PDF exploits as part of an exploit toolkit. If visitors’ browser plug-ins are not up to date, the malware will be installed on their computers.

The Java exploits are for the CVE-2012-1723 and CVE-2013-1493 remote code execution vulnerabilities that were patched by Oracle in June 2012 and March 2013 respectively.

Based on information shared by Trend Micro via email, a spike in infections with this new EXPIRO variant was recorded on July 11. “About 70 percent of total infections are within the United States,” the researchers said in the blog post.

Once the new EXPIRO variant runs on a system, it searches for .EXE files on all local, removable and networked drives, and adds its malicious code to them. In addition, it collects information about the system and its users, including Windows log-in credentials, and steals FTP credentials from a popular open-source FTP client called FileZilla.

The stolen information is stored in a file with a .DLL extension and is uploaded to the malware’s command and control servers.

“The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools,” the Trend Micro researchers said.

The theft of FTP credentials suggests that the attackers are either trying to compromise websites or are trying to steal information from organizations that is stored on FTP servers. However, it doesn’t appear that this threat is targeting any industry in particular, the Trend Micro researchers said via email.
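The behaviour described above, where the infector appends its code to every .EXE it can reach, is the classic case for an integrity baseline: hash the executables once while the system is known-clean, then re-scan and flag anything whose hash changed or that appeared since. The script below is an added example written for this page, not code from the article or from Trend Micro; the extension list, the JSON baseline format and the constructed temporary-directory scenario in `demo()` are all assumptions chosen for illustration.

```python
"""Integrity baseline for executables: detect files a file infector has modified.

Added example (not from the original article or Trend Micro): a defender-side
check for a file infector that appends code to .EXE files. Hash every
executable once, then re-scan and report files whose hash or size changed,
or that appeared or vanished since the baseline.
"""
import hashlib
import json
import os
import tempfile

# Assumption: the file types worth baselining; extend to taste.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".sys")


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each executable under `root` (path relative to root, '/'-separated) to its size and SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = {"size": os.path.getsize(full), "sha256": sha256_of(full)}
    return baseline


def compare(baseline, current):
    """Return which executables changed, appeared, or vanished since the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def save_baseline(baseline, path):
    """Persist the baseline as JSON; store it somewhere the scanned host cannot rewrite."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: fake executables, one of which later grows by an appended blob."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("bin/app.exe", "bin/helper.exe", "notes.txt"):
            with open(os.path.join(root, *name.split("/")), "wb") as f:
                f.write(b"MZ" + name.encode() + b"\x00" * 64)
        before = build_baseline(root)
        # Simulate the infector appending code to one executable and dropping a new one.
        with open(os.path.join(root, "bin", "app.exe"), "ab") as f:
            f.write(b"\x90" * 32)
        with open(os.path.join(root, "bin", "new.exe"), "wb") as f:
            f.write(b"MZ")
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    # Expected: app.exe reported as modified, new.exe as added, nothing removed.
    print(json.dumps(demo(), indent=2))
```

In practice the baseline file must live off the scanned host (or on read-only media), since a file infector with write access to every drive can just as easily rewrite a local baseline; re-scans after each legitimate software update keep the modified list short enough to be actionable.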

Via: csoonline

How keylogging malware steals your information

Keyloggers are a malicious form of software that can be secretly installed on your computer and then track personal and sensitive information, such as bank and credit account numbers, passwords and corporate data, as you type it on the keyboard. That information can then be used by the thief for fraud and identity theft.

Keyloggers are easily downloaded, and can infect machines simply through a visit to a site such as YouTube, social networking sites like Facebook, and other so-called “legitimate sites,” said George Waller from StrikeForce Technologies.

“It happened two months ago to NBC,” he explained. “The site was hacked, a Citadel Trojan keylogger was put on their site. So, everyone that went to the site for those few days was infected.”

Phishing is another common way that computer users become infected with keylogger software.

Unfortunately, most antivirus programs do not detect keylogging software.

Waller demonstrates the dangers of keylogger malware, and how it works, in this short video.


Via: csoonline

Android mega flaw fixed but phones remain vulnerable

Handset makers are slow to push fix to users, and fragmentation is not helping in the enterprise.

Google quickly addressed a mega flaw in its Android mobile operating system after security researchers brought it to the company’s attention earlier this month, but those fixes appear to be slow in reaching handset owners.

“Samsung and HTC have both shipped some patches for some devices,” Adam Ely, co-founder of Bluebox, told CSOonline. Bluebox uncovered the vulnerability that could impact 99 percent of some 900 million Android devices in the world.

“The information from the manufacturers and carriers that’s coming in is pretty spotty,” Ely said.

Typically, handset makers push fixes to their latest models before addressing problems with older models. “They generally will first fix whatever’s most popular in their market, whatever they’re trying to push, and work backwards,” he said.

“Almost all OEMs don’t care about phones that were sold more than a year ago,” said Pau Oliva Fora, an Android analyst with viaForensics. “Not even Google has pushed updates to its Nexus phones yet.”

Rapid7 Vice President and General Manager for Mobile, Giri Sreenivas, agreed that handset makers aren’t being very transparent about how they’re tackling the Bluebox vulnerability.

“It’s likely that the first devices to see the fix beyond the Nexus devices, which are managed by Google, will be the Google Experience devices from HTC (HTC One) and Samsung [Galaxy S4],” Sreenivas said.

Nexus-branded Android devices are manufactured for Google by several handset makers and are usually the first to get updates and fixes.

Google said it has furnished its Android partners with a patch to address the problem. “Some OEMs are already shipping the fix to their Android devices,” Google spokeswoman Gina Scigliano said in an email. “Nexus devices will receive the fix in an upcoming software update.”

While the vulnerability, which allows digital desperadoes to turn any legitimate application into a malicious Trojan, has been present undetected in Android for four years, it seems to have escaped the notice of the hacker community.

“We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools,” Scigliano said.

In addition to the patches it’s pushing, Google has also configured its online app store, Google Play, to scan apps distributed through the outlet for the defect, as well as offering a program called Verify Apps to check apps obtained from outside Google Play for the flaw.

Shortly after Bluebox discovered its master key vulnerability — named so because it allows a hacker to modify an application package (APK) without breaking its cryptographic signature — a similar vulnerability was posted to a Chinese language website.

“Google has patched the second vulnerability posted on the Chinese website, but similar to the master key vulnerability, there is no transparency from the OEMs about how and when to expect these patches to reach end-user devices,” said Rapid7’s Sreenivas.

“In an interesting twist,” he said, “the Cyanogenmod communities are already starting to incorporate the fixes from Google; therefore, we are seeing custom ROMs running on jailbroken devices and offering a level of protection that other devices are not able to offer.”

Although one of the co-founders of Android, Rich Miner, recently discounted the negative impact fragmentation has had on the operating system, Bluebox’s Ely said his firm had found that the ecosystem’s fractured landscape was definitely contributing to mitigating the serious problem.

“It’s a challenge because of fragmentation in the market,” Ely said. “Enterprises are having trouble keeping track of what’s [been] patched, what hasn’t.”

Google patched the problem fast, but now the patches have to be tested on the myriad versions of Android out there running on an assortment of handsets, he said.

“That’s what makes this difficult,” Ely said. “It’s the number of places it has to be fixed, which is the result of fragmentation in the market.”

While the Bluebox exploit has been treated as an apocalypse waiting to happen by some, others are more sanguine about the discovery. “These issues have been blown out of proportion,” said Ken Pickering, development manager for security intelligence at Core Security.

“Yes, you can bypass signature checks, but the Google Play Store is already scanning for this malware,” Pickering said. “So, unless you’re rooting your phone and sideloading applications, the majority of users should be unaffected by these defects.”

“Don’t get me wrong, it’s a bad bug,” he said. “But the actual exploit would be very hard to reproduce on the majority of environments, and it would only affect a minority of users.”

Via: csoonline

AT&T offers phones on monthly installments, with annual upgrades

AT&T is offering no-contract smartphones and tablets on monthly installments, with the promise of an annual upgrade, taking on similar offers by competitor T-Mobile US.

Starting July 26, the U.S. carrier is offering customers in the country a new smartphone or tablet every year with “no down payment, no activation fee, no upgrade fee and no financing fees,” the company said Tuesday.

After 12 payments, customers can trade the device in and upgrade to a new one, again without a down payment, or they can continue to use the earlier device without further payments after 20 months. After the upgrade, the remaining unbilled installment payments on the previous device are waived.

AT&T’s no-contract “Next” plan saves it the expense on hefty subsidies on smartphones for customers, which carriers typically hope to make up through service contracts usually running for two years. It also offers customers the opportunity to upgrade to newer smartphone and tablet models. The AT&T Next program is open to new customers or existing subscribers that are eligible for an upgrade.

Last week T-Mobile launched an upgrade offer that lets subscribers, for a monthly fee of US$10, trade in their existing phones for a new model at a T-Mobile store as often as twice per year, once they’ve been on its Jump plan for at least six months. Customers don’t have to wait until the end of a two-year contract or finish paying off a device in monthly installments. When they upgrade phones, customers will not have to pay the remaining installments and can purchase new phones for the same price as new customers. The $10 fee also offers protection against malfunction, damage, loss or theft.

In March, T-Mobile introduced plans that let consumers pay for a new phone in installments rather than sign a two-year contract. Customers can also use their own unlocked device.

AT&T Next is available for any current smartphone or tablet available from the carrier. Device installments range from $15 to $50, with the Samsung Galaxy S4 having a monthly installment of $32, the company said. If the wireless service is discontinued, the remaining installments fall due. Discounted handset offers coupled with service plans will continue, AT&T said.

Via: networkworld

Tumblr security lapse – iPhone and iPad users update your passwords now!

Tumblr has released a “very important” update for their iPad and iPhone apps following what they describe as a “security lapse”.

It appears that passwords were being sent over the internet unencrypted, making it easy for anyone with bad intentions and a little technical knowledge to harvest Tumblr users’ login details.

The short post by Derek Gottfrid, Tumblr’s VP of product, gives very little away but does say that passwords may have been compromised by being “sniffed in transit”.

Important security update for iPhone/iPad users

We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now.

If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It’s also good practice to use different passwords across different services by using an app like 1Password or LastPass.

Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.

¹ “Sniffed” in transit on certain versions of the app

According to The Register, which broke the news, a source approached them after failing to get the issue resolved by Tumblr’s support team.

It looks like the previous versions of the iOS apps weren’t logging users in using SSL. But Tumblr hasn’t said much, and their lack of transparency means we are left wondering whether or not this has indeed happened.

Fans of Tumblr – which was recently acquired by Yahoo – who access the site via Windows Phone or Android devices appear to have been unaffected.

So if you use Tumblr on your iPad or iPhone, download the latest version of the app now.

Then change your password, both on Tumblr and anywhere else where you have used the same login credentials.

If you’re having trouble choosing a new password, watch this video. And remember to always use a different password for each site. You can always use a password manager such as LastPass or KeePass to remember them all for you.

(I’m a fan of LastPass)


Via: sophos

Apple, Comcast CEOs talk turkey

Apple CEO Tim Cook appears to be making some headway in his latest attempt to take over the living room.

With media and tech hotshots gathered here for Allen & Co.’s annual deal-making powwow, Cook spent some time recently huddled with Comcast CEO Brian Roberts, according to sources.

Roberts, who heads the nation’s biggest cable-TV outfit, and Cook are hashing out how they might work together to allow Apple TV users to gain access to cable channels through the Web-connected set-top box.

Cook has been having similar talks with Time Warner Cable boss Glenn Britt, who is also on hand for the annual mogulfest in Sun Valley, Idaho.

That deal looks like it’s going to happen because Britt is more agnostic about being the so-called “dumb pipe.”

Time Warner Cable already has deals to pipe cable content through Roku and the Xbox game console.

Roberts, on the other hand, wants to be the corporate face for the consumer.

“He can’t stomach giving that up,” said a source.

However, Roberts, who has been talking to Cook on and off for months, doesn’t want to get left out. If Time Warner Cable is going to make Apple TV a more attractive product, Roberts wants to know what’s driving that deal.

Apple TV didn’t exactly revolutionize the living room when it launched in 2007. The company had little traction with the content guys to offer a game-changing device. The late Steve Jobs called it a “hobby.”

Playing games

Activision boss Bobby Kotick spent time chatting with Disney boss Bob Iger. Could he be trying to drum up funds for a long-held desire to buy the gamer back from Vivendi?

Sports break

Sun Valley kicked off in earnest yesterday with a conference on the sports leagues — which, depending on your point of view, will either save the pay-TV business or wreak havoc on the entire ecosystem.

Washington Post Chief Executive Don Graham asked NFL boss Roger Goodell why sports fees are now 80 percent of cable bills and whether that was sustainable.

Surprisingly, Goodell responded, “Probably not.”

He said that a range of devices and competing interests would help the NFL cut the pie in many more ways.

Malone panic

At presstime, Liberty Media Chairman Malone had yet to arrive, but his plan to push cable-TV consolidation is still causing mild panic among the mogul set.

Liberty owns a big slice of Charter Communications and is eager for a merger with Time Warner Cable.

“John Malone has a big presence here — he’s like a ghost,” said a source.

Via: nypost

App turns a mobile device into a personal authenticator

Passwords are at the root of online security problems because, when typed into browsers, sent over open networks and centrally stored, they are easily compromised, leaving the networks and accounts they “protect” vulnerable to criminals. But that can all change with a digital image that can save your online identity.

Authentify introduced an alternative to overworked passwords, an online security app that turns mobile devices into secure personal authenticators. Combining enterprise control with user convenience, the Authentify xFA Service replaces passwords with a mobile xFA app that scans an on-screen, short-lived cryptograph—a digital image that, when scanned, activates a PKI digital certificate for strong authentication—and turns a smartphone into an authenticator that delivers server-to-server class endpoint security with no effort from the end user or the enterprise.

xFA, which stands for “x” factors of authentication, also provides strong multi-factor authentication supporting voice biometrics and other forms of secure messages allowing enterprises or their users to choose the level of authentication the transaction warrants.

Authentify xFA can be used by any online service provider or enterprise that needs strong protection at time of logon but also needs a simple user experience. xFA provides greater protection to financial services, e-commerce, medical insurance firms or any enterprise/SMB private networks from password exploits or breaches without losing productivity or inconveniencing users.

“Password security is broken and the headlines prove it,” said Peter Tapling, Authentify president & CEO. “We developed xFA because the security is in a different class, anchored by digital certificates and biometric authentication. Until now, however, cost, user complexity and ease of deployment have been formidable barriers preventing the widespread use of these technologies. Authentify is changing that paradigm because xFA is even easier to use than passwords yet delivers the proven security of digital certificates and voice biometrics over a second channel. And since the users’ own mobile device becomes the authenticator, it’s easy to scale.”

Authentify’s xFA defeats a broad range of exploits designed to steal passwords or hijack online sessions such as man-in-the-middle, man-in-the-browser, viruses, Trojans and keyloggers, and does so with a more engaging user experience than other technologies that layer on top of one another.

Via: net-security

Charles Sturt offers free CISSP training

Charles Sturt University is hosting a free six-week online training course to help students prepare for the Certified Information Systems Security Professional certification.

The IT Masters course, which starts next Wednesday, is claimed to be comparable to paid offerings worth almost $4000.

Students will be asked to do up to 12 hours of study between webinars in the lead-up to a timed, open-book CISSP practice exam.

IT Masters chief executive Martin Hale said most students would need to do further study to be ready for the CISSP exam.

“The CISSP certification exam is one of the toughest in the industry,” Martin said in a statement.

“250 questions over six hours and you need to get at least 70 percent to pass so you really need to make sure you are prepared.”

The course, run by Dr Craig Wright, will offer free reference materials, but students are advised to buy additional textbooks.

Students gaining their CISSP certification will gain a credit towards IT security degrees at Charles Sturt University.

The 90-minute weekly webinars run from 12:30 to 2pm AEST each Wednesday.

Webinars will be recorded. Sign up here.

Course schedule:

Week 1 (webinar: Wed 17th July, 12:30-2pm AEST):
• Access control
• Application security
Week 2 (webinar: Wed 24th July, 12:30-2pm AEST):
• Business continuity and disaster recovery planning
• Cryptography
Week 3 (webinar: Wed 31st July, 12:30-2pm AEST):
• Information security and risk management
• Legal, regulations, compliance, and investigations
Week 4 (webinar: Wed 7th August, 12:30-2pm AEST):
• Operations security
• Physical (environmental) security
Week 5 (webinar: Wed 14th August, 12:30-2pm AEST):
• Security architecture and design
• Telecommunications and network security
Week 6 (exam: Wed 21st August, 12:30pm AEST):
• CISSP practice exam

View their other free courses here.


Via: scmagazine

Google brings free landline calls to Gmail and Hangouts

Google Voice, Gmail and Hangouts users will soon be able to make landline telephone calls free of charge to people in the US and Canada from anywhere in the world.

The search giant announced the news today on its Enterprise blog along with a host of updates to Hangouts, Voice and Gmail, which will be rolling out in the next few days. “We’ve heard loud and clear that you miss the ability to make calls from Gmail, so today we’re happy to announce it’s back – and better than before,” the post stated.

“Even better: calls to the US and Canada are now free from all countries where Hangouts calling is available. And international rates remain super, super low.”

Calls made from Google users in the UK to UK landlines currently cost 2.4p per minute.

In addition to the news of free calls, Google showed off the ability to add multiple landlines to a Hangouts call, along with the addition of more frivolous options, such as adding applause and other sound effects to calls.

Google also reiterated that Hangouts would eventually be the future of Google Voice, with more additions to come. “As we’ve said before: Hangouts is designed to be the future of Google Voice, and making and receiving calls is just the beginning. So stay tuned for future updates,” the post said.

While this news may please many European users, Google is not in the good books of the European Commission, with demands being made of it to delete its unlawfully collected Street View WiFi data by the end of this month. In addition, Google has claimed it has done a ‘pretty good job’ to alleviate the EU’s concerns over a lack of competition among European users.

Via: v3

Tesla Supercharger network goes nationwide, gets quicker

For Model S drivers, Tesla Motors’ oft-delayed Supercharger announcement was worth the wait. The electric vehicle company today explained how it will expand its network of high-speed electric vehicle charging stations across North America (and hinted that the technology will come to Europe and other areas in the future).

The Supercharger rollout will take place as follows. The number of Supercharger stations will triple from eight today to 25 by the end of June, bringing coverage to more of California, the Pacific northwest, Texas between Austin and Dallas, Illinois and Colorado, as well as the east coast. By the end of the year, Superchargers “will connect most of the major metro areas in the US and Canada,” Tesla says, and by a year from now, the network will cover “almost the entire population of the US and Canada.” You can see the 2015 map above, and there’s an interactive map over on Tesla’s website that shows the predicted coverage area through the years. CEO Elon Musk said on a conference call today that he thinks there will be more in the ground by 2015 than the map shows today.

“Tesla needed to solve the problem of long-distance travel and we can’t wait for others to agree with our strategy.” – Elon Musk

The first Tesla model, the Roadster, and other electric vehicles are not compatible with the Superchargers, so for right now, only Model S drivers will be able to use all these new stations. All future Tesla vehicles will be able to take advantage of the technology, though, and Musk said he’s not against working with other automakers to make their EVs compatible. The batteries need to be built with Supercharging in mind, he said, and Tesla needed to “solve the problem of long-distance travel and we can’t wait for others to agree with our strategy. If we wait for some sort of consensus, it’s going to take too long. We just need to get going and other manufacturers can either copy us or join us.”

Musk also said there is grid storage – using huge, half-megawatt-hour batteries – at some of the stations that have solar power, where stationary batteries take energy from the sun and store it until a Model S pulls up. That means these stations can be completely taken off the grid, so that “even if there is a zombie apocalypse,” Musk said, “you will still be able to travel throughout the country using Superchargers.” Good to know.

We heard before that Tesla might announce something about a battery swap. When asked about that today, Musk coyly said he’s a big fan of options and that, “maybe we’ll have something to say about that in the future.”

On top of the increased number of stations, Tesla is also upgrading the Supercharger technology to be faster. Instead of charging at 90 kW, the new rate is 120 kW, which means you can add three hours of driving to a pack in “just over 20 minutes.” Tesla previously announced that Supercharging is and will remain free, for life, which makes going on a road trip awfully affordable once you’ve paid your $80,000 for a Model S. Musk said he’s going to do just that, retracing a college road trip from LA to NYC, with all of his kids (he has five) later this year.

Tesla opened its first Superchargers last October. At the time, the company said each station cost around $250,000 to install. Today, Musk said the stations cost $150,000 without solar and $300,000 if they have solar panels.



Electric vehicles prove more popular when green energy is available

Electric vehicle buyers enjoy green energy. Turns out, folks are more likely to buy a plug-in vehicle if they know the electricity that will power the car, or at least some of it, will come from a renewable energy source.

That’s the conclusion of a study produced by Environmental Research Letters (ERL), which found that plug-in vehicle demand in regions with a “green electricity” option is a stunning 23 percent higher than in areas without a clean-energy option. Researchers from Canada’s Simon Fraser University and UC Davis polled prospective electric-vehicle and plug-in-hybrid buyers and found that buyer interest jumped where there was a chance to double-down on their green cred if they could use something like, say, solar power. For those with a little time on their hands, here’s the report.

Automakers like Tesla Motors, with its solar-powered Superchargers, and BMW have already shown they understand the connection between green energy and selling EVs. The Germany-based company is getting ready to start selling its first mass-produced plug-in vehicles under its new i sub-brand – the i3 is due towards the end of the year – and last year struck a deal with Real Goods Solar to offer special deals to ActiveE drivers who wanted to charge green.

Via: green.autoblog