Monthly Archives: January 2014

In October 2013, Microsoft adopted a silent, offensive method to tackle infection due to a Tor-based botnet malware called ‘Sefnit‘.

In an effort to takedown of the Sefnit botnet
to protect windows users, Microsoft remotely removes the older versions of installed Tor Browser software and infection from 2 Million systems, even without the knowledge of the system’s owner.

Last year in August, after Snowden revelations about the National Security Agency’s (NSA) Spying programs, the Internet users were under fear of being spied. During the same time Tor Project leaders noticed almost 600% increase in the number of users over the anonymizing networks of Tor i.e. More than 600,000 users join Tor within few weeks.

In September, researchers identified the major reason of increased Tor users i.e. A Tor-based botnet called ‘Sefnit malware‘, which was infecting millions of computers for click fraud and bitcoin mining.

To achieve the maximum number of infections, cyber criminals were using several ways to spread their botnet. On later investigation, Microsoft discovered some popular softwares like Browser Protector and FileScout, bundled with vulnerable version of Tor Browser & Sefnit components.

‘The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network.‘

It was not practically possible for Microsoft or the Government to instruct each individual on ‘How to remove this Malware‘, so finally Microsoft took the decision of remotely washing out the infections themselves.

To clean infected machines, Microsoft began updating definitions for its antimalware apps.

“We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.” and later also in Malicious Software Removal Tool.

But why Tor Browser?

“Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers.” Microsoft says.

So they removed it and to Justify their action, Microsoft points out several vulnerabilities in the Tor version bundled with Sefnit malware i.e. Tor version 0.2.3.25, that opens the user to attack through these known vulnerabilities.

“Tor is a good application used to anonymous traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release builds at the time of writing is v0.2.4.20.”

May be this is the right way to neutralize the infections, but the Microsoft’s action also clarifies the capability to remotely remove any software from your computer.

Via: thehackernews

Exorbitant custom support deal fees may not be the highest costs organisations running Windows XP will face after support ends in April.

Microsoft support for its Windows XP operating system (OS) ends on 8 April 2014. After this date, the software publisher will provide security updates until 14 July 2015.

Organisations still running Windows XP after April 2014 will have to pay substantial fees to Microsoft if they want a custom support contract, so what are the options for the company still running its business on the OS?

The fees for a custom support contract are anticipated to be significant. Although terms will depend on the particular deal struck with Microsoft, analyst organisation IDC predicts users can expect to pay $200 per PC per year for custom XP support in the first year, rising to $400 per PC in 2015 and $1,000 per PC in 2016.

Any business or public sector department running a large XP installed base will quickly see its IT budget eaten up by these significant support costs.

Analyst company Gartner estimates that more than 15% of mid-size and large enterprises will still have Windows XP running on at least 10% of their PCs after Microsoft support ends.

Security is the most pressing issue the IT department will face when XP support ends. Even after the SP2 release in 2004 – which hardened Windows XP – its security model was regarded as vastly inferior to Windows 7 and Windows 8.

In an organisation with 1,000 PCs, Citrix estimates that 9.1% will be compromised by XP security failings. When XP support ends, some experts believe the unsupported OS will become the target of increased attacks. The alerts published in Microsoft’s Patch Tuesday updates may act as a catalyst, spurring hackers to target vulnerabilities in XP.

Organisations’ reliance on XP

But why have IT departments left it so late to address the issue? Windows XP dates back to 2001. Microsoft stopped selling it in 2008, at which point the support clock began ticking. 7 April 2014 will be the last day Microsoft fully supports the OS. But at their launch, Windows XP and XP Professional OSs represented a concerted effort to deliver a consistent desktop OS for home and business users. Software providers were encouraged to create XP applications for the internet-ready OS. The Internet Explorer 6 (IE6) browser was built-in, enabling browser-based applications.

Gary Schare, president of Browsium – a company that makes browser emulation technology – says that, when XP came out in 2001, everyone had just completed Y2K and there was a big push to move to web technology, because people wanted to move from client server to web applications. They wanted to avoid lock-in but, according to Schare: “IE6 was super proprietary, and was tied to Windows.”

Commenting on a previous XP OS support article, one Computer Weekly reader noted: “It’s going to be XP for the next few years at least. The reason is simple. At least 60% of my apps don’t work on the newer flavours of Windows, and I really don’t feel like shelling out another couple of thousand to get the newer versions. What I have works, and I see no reason to line Microsoft’s pockets any more than I already have. Like a lot of others, I will migrate when, and only when, I have absolutely no other viable alternative.”

Another reader said he still ships hundreds of industrial XP boxes a year. “We’re getting XP licences under the Windows Embedded programme until at least December 2016. Microsoft could easily support XP for years until they produce something consumers actually want.”

Browser challenge and virtualisation

Clearly, some applications have been modernised to suit more recent OSs, such as Windows 7, but it has been the browser that has created the most problems for IT departments. Quocirca analyst Clive Longbottom points out that figures from sites that attract large numbers of hits from a broad range of users show that 5% of desktops worldwide remain on IE6, or approximately one in four of all desktops running XP.

A product such as Browsium Ion controls settings in a native browser to enable legacy apps to work. It injects Javascript to get around incompatibility.

Another option which may work in the interim, is to virtualise the XP environment, using a product such as Citrix XenDesktop to run virtual XP on top of a Windows 7 environment, or to build a hosted virtual desktop environment. So long as the virtual XP environment is not given free reign to access everything on the internet, this may prove a secure way to maintain access to certain core XP and IE6 applications that cannot be migrated.

“We are seeing people continue to virtualise XP applications and use AppDNA [a Citrix product to identify OS compatibility issues] to identify application compatibility,” says Jason Tooley, UK manager at Citrix. “We are seeing companies approaching the deadline with challenges of migrations that have effectively run out of time for a true migration to Windows 7/8. They will have to run XP applications in a Citrix virtual environment.”

IT departments can also run XP using Remote Desktop Services (RDS) on Windows Server 2003, which Microsoft will support until 7 April 2015, giving another year of support.

Citrix’s Tooley says some of the company’s XP customers have been running RDS on Windows Server 2003 using XenApp 4.5. “Our extended support dates for XenApp 4.5 – the version that supports WS2k3/R2 – aligns with Microsoft’s extended support dates.”

Mitigate security risk

If virtualisation is not practical, Gartner recommends IT departments segregate their corporate local area network, so the XP-based PCs effectively live on a private network. This will limit the extent to which a hacker can use a compromised XP machine to gain access to the wider corporate network.

What is clear from all the advice on running the unsupported XP OS is that the environment should be locked down, with a whitelist of authorised applications and kept in a known state, which enables the XP machine to be rebuilt easily. As one reader points out: “Knowing how your computer works is by far the most effective defence against security problems. Hiding things under ever more complex layers of software is a sure-fire way to get yourself stuck in a security pothole.”

So the issue fundamentally boils down to simplicity. A known environment is more secure than one where the user is free to download software from the internet – or indeed install anything else.

According to Gartner research vice-president Stephen Kleynhans, the strategy to keep XP secure will depend on the machines in question. “The key thing to do is limit the opportunities for new malicious code to get on those devices, then harden them so that, if they are exposed, there is some line of protection,” he says.

Like Y2K, 8 April 2014 represents a line in the sand for which the entire industry needs to prepare. “Generally, people know what they have to do,” says Kleynhans.

To harden the machine, ensure antivirus (AV) software is supported and up to date. Most big AV companies say they will support the XP OS for some time, but Kleynhans counsels organisations not to expect security support beyond 14 July 2015. During this time, users will probably get signature updates for new threats.

It is a lot of work and it may be as much work as converting to Windows 7. But the organization that has not paid attention to the implications of the end of support for XP is probably not the type of organization that is concerned about security.

The Licensing implications of virtualisation

Analyst firm Gartner warns that, while virtualisation certainly offers options for IT departments looking to circumnavigate problems arising from Microsoft’s end of support for XP, the software company considers virtualising the browser a violation to its licensing terms and conditions, so the IT department will need to check what is covered under its licence agreement.

Hosting IE6 or 7 in virtual desktop infrastructure is permitted. According to Citrix, putting an XP image in the XenClient Type-1 hypervisor, for example, and using the browser would work, but support for this ends very soon. Microsoft does not permit using App Streaming/App-V to isolate the browser in a package. Citrix says many thousands of users today use XenApp to publish IE6/7 for exactly this purpose and it does not break licensing rules.

Via: computerweekly

The Internets are ablaze this morning after comments from HBO’s CEO about users sharing their HBO Go accounts. According to most reports out there today, the company couldn’t care less who you share your account with. Share your account with everyone! Free love forever! Hurray!

The catch: that’s… not quite what he’s saying.

Here’s the relevant clip from the BuzzFeed interview:

Now, he is saying that HBO doesn’t see account sharing as a problem for their business model. Share away! But if you listen to the entire video, it becomes quite clear that there’s a silent “…for now” at the end of each sentence.

The key bit (emphasis added):

Pleper: To us, it’s a terrific marketing vehicle for the next generation of viewers, and to us, it is actually not material at all to business growth.

BuzzFeed: So the strategy is you ignore it now, with the hopes that they’ll subscribe later…

Pleper: It’s not that we’re ignoring it, and we’re looking at different ways to affect password sharing. I’m simply telling you: it’s not a fundamental problem, and the externality of it is that it presents the brand to more and more people, and gives them an opportunity hopefully to become addicted to it. What we’re in the business of doing is building addicts, of building video addicts. The way we do that is by exposing our product, our brand, our shows, to more and more people.

Translation: it’s not a problem… until we decide it’s a problem. Then we flip the switch (“we’re looking at different ways to affect password sharing”) to make password sharing more challenging, and everyone we’ve gotten hooked (“what we’re in the business of doing is building addicts”) coughs up the cash for their own account.

Hey, kid — the first one’s free!

Is there anything wrong, or evil, with this strategy? Not really. In fact, it’s pretty damned smart. It’s like an indefinitely long free trial in disguise. With HBO currently set-up to be sold only as a premium add-on to a cable bill that’s generally already pretty massive, convincing someone to get their their own account is a pretty huge hurdle. If the alternative is people pirating HBO’s shows, HBO might as well get those people comfortable with the convenience of going through the official channels.

Just don’t expect it to last forever. They’re not “building addicts” for nothing.

Via: techcrunch

Cambridge University researchers reveal why people believe malicious, fake security messages and ignore real warnings.

How do you react to the following warning when it pops up on your screen?

I have yet to find a person who always obeys the above warning, but the warning below has proven very effective, even though it’s a complete fake. Why?

This is a question two University of Cambridge researchers try to answer in their paper, Reading This May Harm Your Computer: The Psychology of Malware Warnings. Professor David Modic and Professor Ross Anderson, authors of the paper, took a long hard look at why computer security warnings are ineffective.

Warning message overload

The professors cite several earlier studies which provide evidence that users are choosing to ignore security warnings. I wrote about one of the cited studies authored by Cormac Herley, where he argues:

• The sheer volume of security advice is overwhelming.
  
• The typical user does not always see the benefit from heeding security advice.
  
• The benefit of heeding security advice is speculative.
  

The Cambridge researchers agree with Herley, mentioning in this blog post:

“We’re constantly bombarded with warnings designed to cover someone else’s back, but what sort of text should we put in a warning if we actually want the user to pay attention to it?”

I can’t think of a better example of what Herley, Anderson, and Modic were referring to than my first example: the “site’s security certificate is not trusted” warning.

Warning messages are persuasive

Anderson and Modic also looked at prior research dealing with persuasion psychology, looking for factors that influence decision-making. Coming up with the following determinants:

• Influence of authority: Warnings are more effective when potential victims believe that they come from a trusted source.
  
• Social influence: Individuals will comply if they believe that other members of their community also comply.
  
• Risk preferences: People in general tend to act irrationally under risky conditions.
  

Use what works for the bad guys

In order to find out what users will pay attention to, Anderson and Modic created a survey with warnings that played on different emotions, hoping to see which warnings would have an impact. In an ironic twist, the researchers employed the same psychological factors already proven to work by the bad guys:

“[W]e based our warnings on some of the social psychological factors that have been shown to be effective when used by scammers. The factors which play a role in increasing potential victims’ compliance with fraudulent requests also prove effective in warnings.”

The warnings used in the survey were broken down into the following types:

• Control Group: Anti-malware warnings that are currently used in Google Chrome.
  
• Authority: The site you were about to visit has been reported and confirmed by our security team to include malware.
  
• Social Influence: The site you were about to visit includes software that can damage your computer. The scammers operating this site have been known to operate on individuals from your local area. Some of your friends might have already been scammed. Please, do not continue to this site.
  
• Concrete Threat: The site you are about to visit has been confirmed to include software that poses a significant risk to you. It will try to infect your computer with malware designed to steal your bank account and credit card details in order to defraud you.
  
• Vague Threat: We have blocked your access to this page. It is possible the page contains software that may harm your computer. Please close this tab and continue elsewhere.
  

The research team then enlisted 500 men and women through Amazon Mechanical Turk to participate in the survey, recording how much influence each warning type had on participants.

People respond to clear, authoritative messages

Anderson and Modic expressed surprise that social cues did not have the impact they expected. The warnings that worked the best were specific and concrete. Such as messages declaring that the computer will become infected by malware, or a certain malicious website will steal the user’s financial information. Anderson and Modic suggest the software developers who create warnings should heed the following advice:

• Warning text should include a clear and non-technical description of the possible negative outcome.
  
• The warning should be an informed direct message given from a position of authority.
  
• The use of coercion (as opposed to persuasion) should be minimized, as it is likely to be counterproductive.
  

The bottom line according to Anderson and Modic, “Warnings must be fewer, but better.” And from what I read in the report, the bad guys are doing a superior job when it comes to warnings, albeit for a different reason.

Via: techrepublic

Over the holidays, it was reported that malicious ads had appeared on various Yahoo sites and affected users in Europe. Two claims about this attack have been made: first, that it affected “millions” of users, and secondly, that it was used to plant Bitcoin miners on affected computers. Some of these claims may be a bit overstated, and the coverage may not have been able to give a more complete picture of the threat.

We can’t say for certain just how many users were exposed to this attack. However, it’s worth noting that users with up-to-date versions of Java would have been protected. We identified two Java vulnerabilities – CVE-2012-0507 and CVE-2012-4681 – that were used in this attack to plant various malicious payloads on user systems. (It is believed that these vulnerabilities were delivered by the Magnitude Exploit Kit, one of the successors to the infamous Blackhole Exploit Kit.) However, both of these vulnerabilities have been patched for a fairly long time: the first vulnerability was patched in February 2012; the other was patched in August 2012.

Similarly, while Bitcoin miners may have been part of the potential payloads, it was far from the only one. We identified multiple malware threats as payloads. These included DORKBOT and GAMARUE variants, as well as TROJ_OBVOD.AY, which is used in click fraud schemes. The payloads that were delivered to users were quite diverse.

Aside from keeping their software patched, well-designed security products can help keep users safe. For example, the browser exploit technology that is part of our existing products is able to protect users against this particular attack.  This technology analyzes scripts and other web objects that runs in the browser and uses heuristic analysis to determine if these are malicious. This protects users even if the updated software is not present on a user’s system. It is not a replacement for keeping software up to date, but well-thought out endpoint security is very useful in increasing the available “defense in depth” for users.

While the infection vector may have been out of the ordinary, the attack itself was not. Basic good computing practices – such as keeping software updated and using a well-built security product – would have helped reduce the risk for end users tremendously. It’s an excellent reminder for users to practice safe computing practices.

Via: trendmicro

Up to 50 percent of parking tickets are dismissed when fought in court, but it takes knowledge and time to do it. New app Fixed will do it for you. Take a photo of your ticket, Fixed contests it, and if it’s dismissed, you pay Fixed 25 percent of the ticket price. If Fixed loses, you pay it nothing, so there’s nothing to lose. Fixed just launched in San Francisco, but wants to fight tickets nationwide.

David Hegarty started Fixed after paying four parking tickets one morning only to come to his car and find two more. “The tickets were complete bullshit, and I knew they had been erroneously issued,” he tells me.

Sure, you could say he should have been more careful/not parked like an idiot. But in many cities, and especially San Francisco, parking rules are very complicated. Even if you manage to follow them all, the police and meter maids screw up sometimes too and wrongly give you a ticket.

So Hegarty did the research, figured out how to contest parking tickets, and submitted appeals on his two new tickets. He got both dismissed, so he started contesting all his tickets and frequently won. Soon he realized he wasn’t the only one sick of parking tickets, so he created Fixed with David Sanghera and DJ Burdick.

Here’s how it works:

1. Sign-up for Fixed (currently in a small beta trial in San Francisco) and enter your credit card details.
   
2. Come back to your car, find a parking ticket you think was unfairly issued, take a photo of it with Fixed, and type in the violation number.
   
3. Fixed looks up the violation type, tells you the probability of getting that type dismissed, and prompts you to take photos as evidence.
   
4. If the ticket is for street cleaning, you might be prompted to take a photo of a missing street cleaning times sign. If it’s a “red curb” violation, you might be asked to photograph the faded curb paint. Fixed supplements the evidence with data like when the curb was supposed to be repainted, or whether the street was actually steep enough to warrant a “wheels not curbed” ticket.
   
5. Fixed prepares a “contest letter” to fight the ticket, has you digitally sign it, mails it on your behalf, and takes care of all correspondence with the court.
   
6. If Fixed gets your ticket dismissed, you pay it 25 percent of what the ticket would have cost. If it loses, you pay the ticket like normal but pay Fixed nothing.
   

The idea was so popular that Fixed filled up its early beta group in SF almost as soon as it launched its site, but you can sign up for the waiting list now.

For now, Fixed is bootstrapped, but it may need to raise money to expand its team to match demand for the service. It says San Francisco alone issues about $100 million worth of parking tickets a year, and estimates the US as a whole doles out over $3 billion in tickets. That’s a lucrative market that could help it raise venture capital to bring its ticket-fighting app across the country. And one day, it hopes to expand into contesting traffic tickets and moving violations.

In the meantime, it will have to compete with clumsier web-based services Parkingticket.com and ParkingTicketGuys. Scaling will be a serious challenge, and the company could run into trouble dealing with city governments. “They’ve seen parking fines as a cash cow that they milked from motorists,” Hegarty says. “If we start helping the motorist fight back, we don’t know how they’ll react.” Hopefully local governments would just nuke Fixed with some law like “only you and your lawyer may contest tickets on your behalf.”

Now, there’s an argument to be made that fighting parking tickets just takes money from the community. Ticket revenue can go to pay for important local infrastructure, and a lot of tickets are designed to prevent people from unsafely parking, obstructing other cars, or endlessly squatting on spots. And sending frivolous contest letters could slow down the whole legal system.

But still, I agree with Hegarty that it sometimes feels like city governments are unfairly sucking blood from people who can’t afford garages or private car services like Uber. $64 tickets (in SF) for not re-parking your car at 6 a.m. every other day seems a bit outrageous. If cities want to hammer people with expensive tickets, they should have to make parking rules clear and enforce them fairly. If they don’t, Hegarty says Fixed is “here to restore a little bit of justice to your day.”

Via: techcrunch

Redmond has decided to extend anti-malware updates for Microsoft Windows XP because it doesn’t want to get a big black eye if there are waves of attacks on the large number of Windows XP machines still in use. Microsoft wants to be seen as being committed to security, while trying to persuade XP owners to migrate to a more modern Windows.

Windows XP has received a modest extension on its approaching end of life support. On Wednesday, Microsoft announced that it will continue to offer anti-malware updates for XP through July 14, 2015.

The company has said it will end general XP support by April 8 of this year as it attempts to move the large number of XP users to a more recent Windows version, preferably version 8. Microsoft said its extension for updates to the anti-malware signatures and engine will not affect the decision to end OS support. As recently as last fall, Microsoft had not committed to extending updates of anti-malware signatures and engine past the general support cutoff date.

The updates will be available for enterprise customers through System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune on XP, and, for consumers, through Security Essentials. However, any consumers expecting to use Security Essentials should make sure they have the app, since Microsoft will no longer allow new installations of that software on XP after the April 8 deadline.

Third-Party Product

Any XP owners without Security Essentials after that date will need to download a third-party antivirus product to run the updates. Microsoft points out that an outdated operating system like XP can provide only some protection against malware, since the threats have evolved while the OS has not.

At least one software security firm, Kaspersky Lab, has announced that its Anti-Virus 2013 and Internet Security 2013 will continue XP support.

As of December, according to Web analytics firm Net Applications, XP’s market share was still 29.98 percent, making it the second most popular version of Windows after Windows 7 at 47.52 percent. This would be impressive under any conditions, but is even more so when one considers that, in the fast-evolving world of operating systems, XP was released in 2001. The most recent Windows versions, 8.1 and 8, have 3.6 percent and 6.89 percent respectively.

Avoiding a ‘Big Black Eye’

Laura DiDio, an analyst with industry research firm Information Technology Intelligence Corp., told us that Microsoft was extending the anti-malware updates because it “doesn’t want to get a big black eye” if there are waves of attacks on the large number of XP machines still in use.

She said that Microsoft wants to be seen as being committed to security, even as it tries to persuade the reluctant XP owners to migrate to a more modern Windows version.

Many business users have been hesitant to upgrade to a newer Windows because of compatibility issues, such as the many reported with Vista, and because of Windows 8’s de-emphasis of keyboard-and-mouse interaction in favor of touch screens, which would mean upgrading to newer touch screen hardware.

When migration has occurred within the Windows family, the beneficiary has often been version 7. But some business users will now find that they can utilize a tablet , such as an Apple iPad or an Android -based tablet, for some of the functions of their old XP machines, or they might even entertain the notion of adopting the inexpensive, Net-centric, low-maintenance Chrome OS-based laptops.

Via: enterprise-security-today

In the wake of Target’s massive data breach, Michael Kassner explores the rise of POS malware and botnets.

After the Target data breach, I became curious as to how digital criminals were able to manipulate Point of Sale (PoS) systems without raising red flags. From what I’ve read, it’s surprisingly easy.

Before we dive into what the bad guys can do: let’s take a quick look at a generic PoS system. PoS hardware consists of the device used by customers to swipe their credit or debit card, and the computing equipment electronically attached to the device.

PoS software are the applications that process the data found on the credit or debit card’s magnetic stripe. Key information the software looks for is stored on two tracks:

• Track one: Cardholder’s name and account number
  
• Track two: Credit-card number and expiration date
  

Many PoS systems are Windows-based

I am not sure why, but I assumed PoS applications would use proprietary software. But they’re not; most are Windows-based. This blog post from Arbor Networks iterates what that realization means, “PoS systems suffer from the same security challenges that any other Windows-based deployment does.”

They may have the same security challenges, but the Arbor Networks blog touches on why threats targeting PoS systems are more of a concern:

“Potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk.”

I was curious as to why patch deployment would be slow, particularly on mission-critical systems like PoS. A source of mine conversant on PoS systems explained patch deployment is slow or non-existent because of the many government and industry regulations. If a company supplying PoS systems updates or changes their product and the change reaches a certain threshold, it has to go through an approval process.

Another reason for slow patch rollout is management has learned to error on the side of caution when it comes to updates, remembering when it was anyone’s guess whether an update installed correctly, bricked workstations, or brought down mission-critical servers.

PoS malware

Some fallout from the Target data breach has been the acknowledgment that PoS systems are under attack. This US-Cert bulletin from January 2nd mentions:

“For quite some time, cyber criminals have been targeting consumer data entered in PoS systems. In some circumstances, criminals attach a physical device to the PoS system to collect card data. In other cases, cyber criminals deliver malware which acquires card data as it passes through a PoS system.”

The US-Cert quote is an opportunity for me to introduce Dexter. The PoS malware referenced in the bulletin. Researchers, with Arbor’s Security Engineering and Response Team, in early 2013 discovered servers hosting Dexter.

Dexter steals the process list from the infected computer, and dissects memory dumps looking for the track one and two data I mentioned earlier. At a certain point, the infected machine sends the captured data to the attackers’ command and control server. After which the criminals are free to use the information to clone new cards. The unfortunate thing is that as of yet, no one understands how the malware makes its way into the PoS system.

PoS botnets

It seems bad guys are not content with their success, deciding to bring their game to the next level—PoS botnets.

This from ArsTechnica:

“Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target PoS terminals.”

Dan Goodin in the ArsTechnica post mentioned that Dexter went through a major revision, and now incorporates botnet malcode. Grouping all the infected machines into a botnet is beneficial in that it allows the bad guys to monitor, in real time, the goings on of all the infected machines. It also allows the bot masters to issue commands that immediately propagate to all member bots. To put it simply, using botnet technology helps the bad guys steal more money, while improving their odds of avoiding detection.

Guidelines to protect PoS systems

Visa took a hard look at Dexter, and came up with some preventative guidelines in this security alert. First, Visa has identified the following domains as ones that are associated with Dexter:

• 11e2540739d7fbea1ab8f9aa7a107648.com
  
• 7186343a80c6fa32811804d23765cda4.com
  
• e7dce8e4671f8f03a040d08bb08ec07a.com
  
• e7bc2d0fceee1bdfd691a80c783173b4.com
  
• 815ad1c058df1b7ba9c0998e2aa8a7b4.com
  
• 67b3dba8bc6778101892eb77249db32e.com
  
• fabcaa97871555b68aa095335975e613.com
  

Visa recommends businesses add the above domains in firewall outgoing rule sets. Visa also recommends adding file-integrity monitoring and network-based intrusion detection to PoS systems. They also suggest isolating the PoS system from the rest of the business’s internal network.

Visa and every other source I read mentioned one thing that is paramount to keeping PoS systems secure; and it’s something we looked at early. Keep computers, especially those using Windows operating systems, up-to-date.

Via: techrepublic

Yahoo, following the lead of Google and Microsoft, has now enabled HTTPS encryption for all Yahoo Mail users by default.

A short company blog post by Jeff Bonforte, Yahoo’s senior vice president of Communication Products said:

As we promised back in October, we are now automatically encrypting all connections between our users and Yahoo Mail. Anytime you use Yahoo Mail – whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP- it is 100% encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.

The implementation of encrypted connections, which came in a day earlier than the company’s self-imposed January 8 deadline, is part of Yahoo’s plans to beef up its security in response to growing concerns over government surveillance activities across the internet.

The leak of confidential documents by former NSA contractor Edward Snowden, which revealed how the NSA was collecting email metadata and snooping on other forms of internet communication, has prompted Yahoo and several other tech giants to work on making such surveillance significantly harder.

Some observers have pointed out that Yahoo hasn’t gone the whole way with HTTPS, notably because it hasn’t implemented what’s known as “forward secrecy.”

If you’re not familiar with the idea of forward secrecy, you might want to take a look at Paul Ducklin’s explanation of it from November 2013, when Twitter started using it.

Plain HTTPS connections use a public-private keypair so that your traffic to the server is encrypted, and the server is vouched for by the HTTPS certificate it presents.

But you can use the server’s private key later on to decrypt all current and previous traffic, assuming the earlier traffic was logged somewhere.

Forward secrecy adds a second layer of encryption, effectively using a throw-away public-private keypair to scramble each session, as well as using the server’s public-private keypair to identify that you are connected to the right server.

If the throw-away keypairs really are thrown away after each session, encrypted traffic can’t be unscrambled later.

Of course, webmail services have access to your unencrypted emails anyway, at least for a while, but forward secrecy nevertheless adds some additional security comfort.

On the other hand, forward secrecy also increases latency (more network traffic is needed when you login) and processing requirements (more CPU power is required to do the extra cryptographic calculations).

That’s probably why Yahoo hasn’t yet added it.

Google has offered HTTPS by default on Gmail since 2010. Facebook also began rolling out HTTPS on by default in November while Microsoft’s webmail service – Outlook.com – launched with the service back in July 2012.

Yahoo did actually introduce full-session HTTPS for its webmail users at the end of 2012 but it wasn’t implemented by default – users had to opt in prior to this.

Via: sophos

A quarter of UK businesses are moving their data out of the States following the NSA and Prism scandal.

The research also stated that 96% of UK businesses consider security a top priority, while 82% consider data privacy as a big concern.

The fears around privacy and data security have come about after revelations by whistleblower Edward Snowden revealed details about the secret surveillance programme called Prism in June.

The research conducted by hosting company Peer 1 claims 25% of the 300 UK businesses surveyed are saying they will move their data out of the US.

An EU enquiry into mass surveillance has now said the activities of the US National Security Agency (NSA) as well as the UK’s GCHQ appear to be illegal.

The European parliament’s civil liberties committee has called for an end to the “vast, systematic and indiscriminate” collection of personal data by UK and US intelligence agencies.

“With data privacy and security concerns top of mind after NSA, PRISM and other revelations around the world, businesses in the UK are taking real action,” said Robert Miggins, SVP business development, PEER 1 Hosting. “Many are moving data outside of the US, and even more are making security and privacy their top concerns when choosing where to host their company data.”

Peer 1 which is based in Vancouver with its European operations headquartered in Southampton, has 16 datacentres across North America and Europe.  Its research stated that almost 70% of UK businesses would sacrifice performance to ensure data sovereignty.

Additionally the top three concerns for UK businesses when choosing where to store company data are security (96%), performance (94%) and reputation (87%).

But organizations are struggling to understand laws surrounding data and data security. 60% admit to not knowing as much as they should and 44% feel that privacy and security laws confuse them.

Via: computerweekly