Monthly Archives: November 2014

Warning comes 3 days after FireEye publicly revealed Masque Attack, and shortly after WireLurker threat to iOS and Mac OS devices surfaced.

Three days after security company FireEye warned of an iPhone/iPad threat dubbed “Masque Attack”, the U.S. government has issued a warning of its own about this new risk by malicious third-party apps to Apple iOS devices.

The United States Computer Emergency Readiness Team (US-CERT) issued the alert regarding Masque Attack posted in full at the bottom of this article. But in summary, US-CERT warned that:

This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.  

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

Revelations of Masque came on the heels of a related exploit (that also threatens Macs) called WireLurker. 

Some observers have rushed to explain that Mac and iOS device users should not panic, assuming they haven’t done anything really careless with their gadgets and computers.

Apple Insider, for example, wrote that “WireLurker and Masque Attack are not viral and can’t infect users unless they intentionally disable their security and manually install apps bypassing Apple’s builtin trust verification systems for iOS and Macs.”

And in fact, the government’s alert actually prompted Apple itself, which generally only comments on hot issues when it absolutely needs to, issued a statement to an Apple blog in which it claims that it is not aware of even a single customer that has been affected by the Masque Attack.

Here’s the US-Cert alert in its entirety:

Apple iOS “Masque Attack” Technique

Systems Affected

iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

Overview

A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Description

Masque Attack was discovered and described by FireEye mobile security researchers.[1] (link is external) This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.  

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

Impact

An app installed on an iOS device using this technique may:

• Mimic the original app’s login interface to steal the victim’s login credentials.
  
• Access sensitive data from local data caches.
  
• Perform background monitoring of the user’s device.
  
• Gain root privileges to the iOS device.
  
• Be indistinguishable from a genuine app.
  

Solution

iOS users can protect themselves from Masque Attacks by following three steps:

1. Don’t install apps from sources other than Apple’s official App Store or your own organization.
   
2. Don’t click “Install” from a third-party pop-up when viewing a web page.
   
3. When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.
   

Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1] (link is external). US-CERT does not endorse or support any particular product or vendor.

References

• [1] FireEye (link is external)
  

Via: networkworld

Security firm Cyphort released a report that provides an in-depth analysis of point-of-sale (POS) malware – specifically Backoff, BlackPOS and FrameworkPOS – used in some of the biggest breaches in recent time.

Backoff was used in the UPS breach and is built for a serious attack on any POS system, with scaled and long-term operations in mind, Dr. Fengmin Gong, cofounder and chief architect of Cyphort, told SCMagazine.com in a Tuesday email correspondence.

“[Backoff is a] full featured malware, starting with a runtime packer to frustrate static (signature) detection, it takes care to minimize artifacts left on the infiltrated system, with self-updating design and robust persistence, using encryption for its image on the disk, it includes attack payload [such as] keylogger in addition to memory scraping, a command-and-control featuring multiple servers and full set of commands,” Gong said.

BlackPOS was used in the breach of Target and is relatively unsophisticated, Gong said, explaining it has a rigid design for targeted POS system attacks, and uses memory scraping to harvest data with a fixed exfiltration mechanism. FrameworkPOS, which was used in the attack on Home Depot, is a copycat adaptation of BlackPOS with little innovation, Gong said.

Currently, Cyphort Labs does not have any data on who is behind these threats.

“We believe that FrameworkPOS is closely related to BlackPOS as it’s a simple [copycat],” Gong said. “Backoff is likely now actively used and maintained by multiple groups. We suspect that they are used (shared or sold) as an SDK in the underground, because we have seen new samples in the wild suggesting small tweaks with different versions and group designations.”

In order to defend against these types of threats, retailers and other organizations need to start monitoring their POS system and subnet with a product that is able to provide visibility on all file movement in and out of the POS infrastructure, Gong said, adding it is critical that the product is able to detect evasive behaviors.

Attackers have a long history of profiting from stolen payment card information through fraudulent purchases, selling dumps in underground marketplaces and more, Gong said. In the future, POS malware will likely incorporate new armoring techniques, and may evolve so that memory scraping is no longer necessary for harvesting card data, Gong added.

“EMV is helpful in curbing the assault from the current POS malware that uses memory scraping to harvest card information from the POS machine,” Gong said, explaining attackers may change their strategy as a result.

“We have to start watching all points where malware can sneak in or take our data out; we have to be prepared to catch them at any and all the steps, when they try to [come in] using a vulnerability exploit, or a spear-phishing email, or try to send the stash out; we have to use all methods at our disposal, because they will try to evade us whichever way they can.”

Via: scmagazine

Hackers are gearing up for the big holiday shipping season with a new collection of email that are just too good not to click on.

“We see an uptake in things posing as Amazon and eBay receipts — and airline flight confirmations, based around the fact that people are traveling more and are expecting these confirmations to come in,” said Troy Gill, senior security analyst at AppRiver, a Florida-based email service provider.

Some users refuse to believe that the emails are malicious, Gill said.

“They’ll actually try to go into quarantine and try to release the email,” he said.

“Even to me, as a trained professional, seeing these all the time, some look identical to the ones you get from the actual vendor. However, I don’t think any common transactions from Amazon would ever have attachments at all. As a customer, I’ve never seen it, and I make purchases from them all the time.”

Gill recommended that companies warn their employees not to open attachments from major shopping or travel sites.

“If you get an email with a Word attachment, don’t open it, just go to the site, log into your account, and all the transaction history is right there readily available.” he said. “It’s always a good idea to go right to the horse’s mouth.”

So far this month, AppRiver has quarantined more than 600,000 email messages with the subject line “Your Amazon Order Has Dispatched (#3digits-7digits-7digits)” and a return address of “amazon.co.uk.”

The attached Word document has a macro that installs a Trojan dropper that creates a process named “SUVCKSGZTGK.exe” and the dropper then installs a keylogger that harvests banking information, email logins, and social media accounts.

“Hopefully, by default, macros are disabled in Word but many people do have them enabled,” Gill said.

Another email campaign, with nearly 160,000 messages quarantined over the past few days, has the subject “Your order on Amazon.com” and a return address of “amazon.com” and a very realistic look, with actual Amazon graphics.

This campaign attempts to get users to click on links that to go compromised WordPress sites that download a file named “invoice1104.pdf[dot]scr” which is also a Trojan dropper.

“As we commonly see with this these types of campaigns, the payload can be changed out by the malware distributors so this dropper could pull down some other form of malware in the future,” said Gill.

Gill also recommended that companies train employees to immediately report suspicious emails.

“I feel that a lot of people are just, ‘out of sight out of mind’,” he said. “If they don’t see any immediate impact from it, it’s really not a concern, or maybe they don’t want to mention to their employer that they actually opened an attachment. That kid of mentality, I think, is far to common.”

This is a particular problem because, according to a recent security report by Google, about 20 percent of hijacked accounts are accessed within 30 minutes of a hacker getting the login info.

After getting in, the hackers often change the password to lock out the legitimate user, search for information about other accounts they can hijack, and use their access to send personalized phishing emails to the victim’s friends and colleagues, said Elie Bursztein, Google’s Anti-Abuse Research Lead, in the report.

“I’ve seen malware spread that way on numerous occasions,” said AppRiver’s Gill. “Of course I’ll be more likely to open an email from my friend Scott rather than some random made-up name.”

Via: csoonline

The company has also acknowledged that the attackers leveraged a third-party vendor’s user name and password to access Home Depot’s network.

Well I got my email yesterday, along with millions of others.

Home Depot has announced that a recent data breach, which took place from April to September of 2014 and exposed approximately 56 million payment cards, also exposed separate files containing approximately 53 million email addresses.

The files containing the email addresses did not contain passwords, financial information or any other sensitive personal information.

While Home Depot says it’s “making every effort” to notify all customers whose email addresses were stolen, the company also stated in a FAQ [PDF], “Even if you do not receive an email notification from us, it’s safe to assume your email address could have been stolen.”

“In all likelihood this will not impact you,” the company said in a statement. “But, as always, it’s important to be on guard against phishing scams that are designed to trick you to provide personal information in response to phony emails.”

“It is important not to give out personal information on the phone, through the mail or on the Internet, unless you have initiated the contact and are sure of who you’re dealing with,” the company added. “Similarly, you should not click directly on any email links if you have any doubts about whether the email comes from a legitimate source.”

Adam Kujawa, head of malware intelligence at Malwarebytes Labs, stated that the most significant threat resulting from the stolen emails is, of course, the likelihood of phishing attacks.

“Spear phishing tactics utilizing the knowledge that the email addresses belong to Home Depot customers is a likely outcome, resulting in millions of people potentially receiving fake emails claiming to be from Home Depot requesting either the opening of an infected/malicious file or requesting login credentials,” Kujawa said.

Home Depot also announced that in the previously-disclosed breach, the attackers leveraged a third-party vendor’s user name and password to access Home Depot’s network, though those credentials alone didn’t provide access to Home Depot’s point of sale devices.

“The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada,” the company stated [PDF].

HyTrust president and co-founder Eric Chiu told eSecurity Planet by email that the Home Depot breach is yet another example of a significant data breach happening from the inside. “Insider threats are not only the number one cause of breaches but also lead to the biggest damage; this is because once on the network, an outside attacker looks like any other employee and can take their time siphoning off data without being seen,” he said.

“Also, as we have seen from other high-profile breaches, data is the new currency — not only are attackers looking to use credit cards to make fraudulent charges, but also use email addresses for phishing attacks in order to trick consumers into providing more information or install spyware on their computers,” Chiu added.

Lancope CTO TK Keanini told eSecurity Planet that the supply chain is an attractive target for hackers for two reasons: (1) it often has more access than it really should, and (2) margins are so low that suppliers are forced to cut costs by cutting security spending. “It is going to get a lot worse before it gets better,” he said.

“I’ve been saying for some time that attackers are better at systems thinking than defenders,” Keanini added. “Until defenders are better at thinking about securing systems in innovative ways, this will continue to be a problem. I think by now retail understands that cybercrime is a part of the business, and now it is time to model in that persona in their business continuity plans.

Via: esecurityplanet

Researchers have discovered a new attack on iOS devices that could allow attackers to unsuspectingly access and steal users’ personal and financial information from their app caches.

The “Masque Attack” works off a vulnerability in third-party app stores that, when exploited, allows attackers to replace genuine apps downloaded from the App Store with their own malicious versions, according to a FireEye blog post. Legitimate apps can be written over if they share the same bundle identifiers as the malicious apps.

“This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier, so attackers can use enterprise provisioning/adhoc provisioning apps to replace the original apps from the app store,” Tao Wei, senior research scientist, said in an email to SCMagazine.com

This attack is one of the first to be put together with WireLurker malware, which originally attacked iOS devices through USB.

As compared to that original attack, the Masque version spreads malware directly through the internet and can originate with a phishing text prompting an iOS user to download a new app.

As an example, researchers sent a phishing text to themselves with instructions to check out a new app, as well as a download link. When they clicked on the link to download the app, nothing was installed outright. Rather, their Gmail app was written over with malicious code.

Although the legitimate app was effectively replaced, the malware could still access the original app’s local data, which often contain cached emails or login tokens.  Plus, to make the attack even sneakier, the malicious app’s design almost exactly copied the original interface, and to succeed, the attacker only needed to use the same bundle identifier as Gmail, or “com.google.Gmail.”

FireEye told Apple about the vulnerability in July; however, a patch has yet to be released. To see if an app is already compromised, iOS 7 users can check the enterprise provisioning profiles installed on their devices.

This attack was verified on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, on both jailbroken and non-jailbroken devices.

As compared to iOS, Android devices do enforce certificate matching.

Via: scmagazine

In an effort to make to make Internet and mobile transactions more secure, American Express has launched a new service that aims to replace payment card numbers with unique tokens.

E-commerce sites and digital wallet applications that use the company’s new token service won’t have to store customers’ card details. Instead merchants, banks and payment processors will be able to work with digital tokens that are mapped to real payment card accounts.

The payment tokens can be tied to specific merchants, transaction types or payment devices, limiting the ability of cybercriminals to misuse them if compromised. This means that widespread adoption of tokenization for card-not-present transactions would likely reduce fraud.

Unlike payment card numbers, if tokens are compromised, they can easily be revoked and replaced without the need to physically reissue the cards they link back to.

The American Express Token Service is based on the Payment Tokenization Specification and Technical Framework published this year by EMVCo, the organization that maintains the EMV standard for chip-enabled payment cards. It is already available in the U.S. and American Express plans to start rolling it out internationally in 2015.

The service’s release comes at a time of growing mobile payments adoption, partially driven by the launch of Apple Pay, which also uses tokenization. Major U.S. and international banks are also planning to launch their own mobile payments apps next year.

Those apps will likely use a technology called Host Card Emulation (HCE) that is present in NFC-enabled mobile devices running Android 4.4 “KitKat.” American Express has also developed network specifications for HCE to enable its card-issuing partners to use the technology.

Via: csoonline

It was surely only a matter of time before someone thought to capitalize on the current trend for wearables with a battery designed to charge via kinetic energy. And so meet Ampy: a spare battery pack, currently bidding for crowdfunds on Kickstarter, that straps to your person and, its makers claim, charges up from human movement, such as walking, running and cycling. So instead of just quantifying the number of steps you’ve taken you could convert those steps into stored charge in a lithium-ion battery pack to help juice up your mobile devices via USB.

It’s a nice-sounding idea in theory — if you don’t mind the thought of strapping a rather chunky battery pack onto your person and running around the streets — but, as with all crowdfunding projects, it pays to be a little sceptical of how effective it will prove in practice. And indeed whether it will make it to market at all. Hardware is always hard.

Ampy is currently just a prototype, with its Chicago-based makers raising crowdfunding to step up to fully fledged production. At the time of writing they’ve smashed their original funding target of $100,000, with more than $245,000 raised so far — and another 10 days left on their campaign — so they do at least have the funds to deliver on their product promises. They are also giving themselves a lengthy period to deliver the goods, with the device not due to ship til June 2015.

The Ampy battery will hold just 1000mAh of charge meaning it’s a smaller capacity than most smartphone batteries so is only going to offer a top-up charge for most of your handheld devices.

“As you move, your motion couples with the magnets inside Ampy’s inductors, producing electricity and recharging the internal lithium-ion battery,” says Ampy co-founder Tejas Shastry, explaining how the charging mechanism works. “The more you move and the faster you move, the more energy you generate. We’ve found that running is one of the best ways to generate energy Ampy outputting up to hundreds of milliwatts.”

“A typical day of walking for a city dweller (10,000 steps) can give you up to 3 hours of battery life for your smartphone. The instantaneous power output is lower than for running but still enough to provide charge your phone,” he adds.

Although the Kickstarter campaign page doesn’t (yet) show the device actively charging (i.e. from human activity) the project makers have provided an email update to backers which includes a couple of GIFs apparently showing Ampy hooked up to a current meter and generating a charge while it’s shaken/strapped to a runner’s leg:

“Tens of milliamps leads to peak power of over 100 milliwatts,” it adds in the email update. “While peak power is interesting, the best way to calculate the amount of energy that can be delivered to your phone is by measuring the change in voltage of AMPY’s internal battery before and after generating energy. This is how many electronic devices determine how much charge is in their battery.”

The project is also badged as ‘Dragon Certified’, by the hardware crowdfunding Dragon Innovation platform.

A spokesman for the certification program confirmed to TechCrunch it has checked out the Ampy project. “Our engineers reviewed their CAD files to perform an in-depth Design for Manufacturing review. We are able to ensure that it can be manufactured and assembled. Our COGS analysis further determined what their minimum funding threshold had to be and if that minimum funding threshold was achieved (which it has been in this case), the product could be built,” he said.

“Though our focus is on manufacturability, one outcome of the analysis was that our engineer was able to determine that the product does in fact generate enough energy in the coils and high enough voltage to drive all the circuitry.”

As well as hardware the team are building a companion app where users can quantify the amount of energy they’ve generated and also the amount of calories burnt from their battery-generating exertions.

On the lengthy timescale for shipping Ampy, Shastry had this to say when we asked: “Scaling a manufacturing operation takes time, and our manufacturing schedule is one of the points that Dragon Innovation helped us set. You can check out the details of what they certified here. Even with a production-ready unit, you have to account for tooling, assembly, and shipping lead times.”

If you’re convinced enough to give Ampy a whirl, it’s up for grabs on Kickstarter starting at $85 (for the battery without the accessory straps pack).

One thing is certain: battery life continues to be the biggest constraint for mobile usage. And so while our thirst for apps continues to outstrip the capacity of the batteries inside our mobile devices then there will be a market for Ampy and other battery topper-upper mover-and-shakers.

Via: techcrunch

Visa’s contactless payment cards will approve very large transactions in currencies other than the British pound due to a flaw in a protocol, U.K. researchers contend.

They concluded it would be possible for criminals to turn a mobile phone into a point-of-sale terminal and pre-set a large amount of money to be transferred from a payment card even if it was in someone’s pocket.

The type of card, known as EMV after its developers Europay, MasterCard and Visa, uses a microchip to facilitate transactions rather than a magnetic stripe. EMV will soon be used widely across the U.S.

Some types of EMV cards are configured for “contactless” payments, where a customer doesn’t have to enter a PIN for smaller transactions that in the U.K. are limited to £20 (US$32).

Researchers with Newcastle University found that Visa’s contactless card would authorize a transaction up to 999,999.99 without a PIN if it was in a currency other than the pound.

If an improvised point-of-sale device gets close enough to someone’s card in a wallet, the contactless card would approve an offline transaction in less than a second.

The researchers cautioned, however, that they did not test the back-end system of banks, so it is unclear if the transaction cleared by the card would be be fully processed. It wasn’t clear from the payment protocol’s documentation how banks would deal with the inconsistencies the research uncovered.

Still, they wrote in a news release that “the fact that we can bypass the £20 makes this new hack potentially very scalable and lucrative. All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate.” It isn’t clear whether the researchers tried to contact Visa or the banks about the flaw.

EMV cards have been used for many years in Europe and other parts of the world. The microchips that contain account information and authorize transactions are not easy to forge unlike the magnetic stripe data on cards today, which can be easily copied.

But the researchers predicted that as the magnetic stripe is phased out, contactless payments may become interesting to criminals.

Via: csoonline

The flaws allow attackers to execute commands, overwrite files and launch CSRF attacks.

Cisco Systems released patches for its small business RV Series routers and firewalls to address vulnerabilities that could allow attackers to execute arbitrary commands and overwrite files on the vulnerable devices.

The affected products are Cisco RV120W Wireless-N VPN Firewall, Cisco RV180 VPN Router, Cisco RV180W Wireless-N Multifunction VPN Router, and Cisco RV220W Wireless Network Security Firewall. However, firmware updates have been released only for the first three models, while the fixes for Cisco RV220W are expected later this month.

One of the patched flaws allows an attacker to execute arbitrary commands as root — the highest privileged account — through the network diagnostics page in a device’s Web-based administration interface. The flaw stems from improper input validation in a form field that’s supposed to only allow the PING command. Its exploitation requires an authenticated session to the router interface.

A second vulnerability allows attackers to execute cross-site request forgery (CSRF) attacks against users who are already authenticated on the devices. Attackers can piggyback on their authenticated browser sessions to perform unauthorized actions if they can trick those users to click on specially crafted links.

This vulnerability also provides a way to remotely exploit the first flaw. Researchers from Dutch security firm Securify, who found both issues, published a proof-of-concept URL that leverages the CSRF flaw to inject a command through the first vulnerability that adds a rogue administrator account on the targeted device.

A third security flaw that was patched by Cisco allows an unauthenticated attacker to upload files to arbitrary locations on a vulnerable device using root privileges. Existing files will be overwritten, the Securify researchers said.

Cisco released firmware versions 1.0.4.14 for the RV180 and RV180W models and firmware version 1.0.5.9 for the RV120W.

Users can limit the exposure of their devices to these flaws by not allowing remote access from the Internet to their administrative interfaces. If remote management is required, the Web Access configuration screen on the devices can be used to restrict access only to specific IP addresses, Cisco said in its advisory.

Via: networkworld

Two-way integration between Dropbox and Office 365 gives people yet another reason to pick up an Office subscription.

Never let it be said that Microsoft doesn’t wring the most out of a partnership. That’s certainly the case in its recent odd-couple engagements, hosting Oracle and Salesforce software on Microsoft Azure.

Microsoft’s teamup with Dropbox looks a lot like another pairing in the same vein. Both Microsoft and Dropbox customers can savor the deal, but once again Microsoft ends up with the better long-term bargain — in this case, giving Office users incentive to move to Office 365.

The outlines of the deal are simple enough: Microsoft is adding Dropbox connectivity to the mobile editions of Office 365, so users of Word, Excel, and PowerPoint can edit those files directly from within Dropbox’s interface. Dropbox is also tapped to build an app for the mobile editions of Windows, which in theory will be ready when the next version of Windows launches.

The pair-up makes sense on the face of it, since most Office/Dropbox users store Office documents in Dropbox, and Dropbox and Office 365 are complementary — not competitive — products.

That said, Microsoft’s OneDrive is a Dropbox competitor, so why would Microsoft pair up with a competitor? True, the company has been taking steps to make OneDrive more competitive on its own terms. But the real answer probably lies in Microsoft’s drive to convert its Office user base to the new, more lucrative subscription model.

The size of the Office base is staggering — 1.2 billion users, allegedly — but many are still using older editions of the program that generate little or no revenue for Microsoft. Anything that can nudge those users to Office 365 is likely worth a try.

Adding Dropbox support to Office 365 apps (and vice versa) makes both applications more useful, and Microsoft loses little. At worst, it drops some potential OneDrive business; at best, it adds new Office 365 users and — at least as important — converts more existing Office users to a subscription model it can monetize in the long run.

Microsoft can also give Dropbox users an excuse to switch to OneDrive, thanks to the way Office 365 and OneDrive are delivered jointly. The $6.99-per-month personal-use version of OneDrive includes Office 365 Personal, and the business version of OneDrive includes the full-blown Office Online for $5 per user per month. Dropbox, at $9.99 per month for the Pro version and $15 per month for the business version, has comparable storage offering — 1TB for Pro, no limits on business — but any applications on top of that are strictly what you bring.

As Microsoft becomes more dependent on its cloud services and subscription-based products for revenue, it’ll likely keep striking deals in this vein and justify them as “what’s best for the customer.” None of them is likely to be the deal that pushes Microsoft off its dependency on the legacy desktop, but every incremental bit helps.

Plus, having Dropbox build a version of its app for the mobile version of Windows 10 means there will be one more app likely to enjoy wide use out of the box — and help drive early adoption of the OS.

It’s hard to deny that building Office 365 support into Dropbox and vice versa is a boon for users, but in the long run Office 365 — and Microsoft — stands to benefit most.

Via: infoworld