Monthly Archives: January 2015

Macro-based malware is making a comeback, researchers warn

For the past several months, different groups of attackers have distributed malware through Microsoft Office documents that contain malicious macros, reviving a technique that has been out of style for over a decade.

Macros are scripts that contain commands for automating tasks in various applications. Microsoft Office programs like Word and Excel support macros written in Visual Basic for Applications (VBA) and these can be used for malicious activities like installing malware.

To prevent abuse, starting with Office XP, released in 2001, users have been asked for permission before unsigned macros embedded in a file are executed. That prompt is the primary reason attackers stopped using macros in favor of other malware distribution methods.

However, it seems that when coupled with social engineering the technique can still be effective and some cybercriminal groups have recently started to exploit that.

“The Microsoft Malware Protection Center (MMPC) has recently seen an increasing number of threats using macros to spread their malicious code,” malware researchers from Microsoft said in a blog post last Friday.

Two such threats that primarily target users in the U.S. and U.K. and whose activity peaked in mid-December are called Adnel and Tarbir. Both are distributed through macros embedded in .doc and .xls documents that are delivered via spam emails and typically masquerade as receipts, invoices, wire transfer confirmations, bills and shipping notices.

When opened, the documents provide victims with step-by-step instructions on how to enable the untrusted macros to run, the Microsoft researchers said. “The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button.”
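As an added, defender-side example that is not part of the article or of any vendor's code: a small Python triage helper that flags mail attachments carrying a VBA macro project, which is the kind of .doc/.xls (OLE2) or .docm/.xlsm (OOXML) file these campaigns deliver. The file signatures and stream names are the documented ones; the sample documents are constructed inline, and the OLE2 check is a name-based heuristic (it looks for the UTF-16LE stream name, not the compound-file structure), so a full OLE parser is the robust choice for production use.

```python
import io
import zipfile

# File signatures: legacy binary Office files (.doc/.xls) are OLE2 compound
# documents; Office 2007+ files (.docx/.xlsx/.docm/.xlsm) are ZIP containers.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# OLE2 directory entries hold stream names as UTF-16LE. Every VBA project
# contains a stream literally named "_VBA_PROJECT", so its encoded name is a
# cheap (name-based, not structure-parsing) indicator of embedded macros.
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

# In the OOXML (ZIP) formats the compiled macro project is always stored as a
# part named vbaProject.bin (under word/, xl/ or ppt/ depending on the app).
OOXML_VBA_PART = "vbaproject.bin"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the document bytes carry a VBA macro project."""
    if data.startswith(OLE2_MAGIC):
        return OLE2_VBA_MARKER in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(
                    name.rsplit("/", 1)[-1].lower() == OOXML_VBA_PART
                    for name in zf.namelist()
                )
        except zipfile.BadZipFile:
            return False
    return False


def flag_macro_attachments(attachments: dict) -> list:
    """Given {filename: bytes}, return the sorted names that contain macros."""
    return sorted(name for name, data in attachments.items() if has_vba_macros(data))


def _build_ooxml(parts: dict) -> bytes:
    """Build a minimal ZIP container standing in for an OOXML document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a clean .docx, a macro-enabled .docm,
# a fake OLE2 blob made of the magic bytes plus a directory-entry name (enough
# to exercise the heuristic without a full compound file), and a text file.
SAMPLES = {
    "invoice.docx": _build_ooxml({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
    }),
    "invoice.docm": _build_ooxml({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\x00" * 64,
    }),
    "receipt.doc": OLE2_MAGIC + b"\x00" * 504 + OLE2_VBA_MARKER + b"\x00" * 64,
    "notes.txt": b"plain text, no container at all",
}

if __name__ == "__main__":
    for name in flag_macro_attachments(SAMPLES):
        print(f"{name}: contains a VBA project, hold for review")
```

Run as a script it prints the two macro-bearing samples; in a mail gateway the same `has_vba_macros` call would run on each decoded attachment, with hits routed to quarantine rather than to the user who is about to be told to click "Enable Content".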

Another malware program that’s being distributed through macros is called Dridex and targets online banking users. At their peak in November, the Dridex-related spam campaigns distributed up to 15,000 documents with malicious macros per day, according to researchers from security firm Trustwave.

The documents posed as invoices from software companies, online retailers, banking institutions and shipping companies and some of them had instructions on how to enable the macros to run, the Trustwave researchers said Tuesday via email.

It’s not just cybercriminals who began using the macros technique again, but also state-sponsored attackers. Researchers Gadi Evron and Tillmann Werner recently presented their analysis of a cyberespionage operation dubbed Rocket Kitten at the Chaos Communication Congress in Hamburg. The attackers targeted government and academic organizations in Israel and Western Europe using spear-phishing emails that contained Excel files with malicious macros. When run, the macros installed a sophisticated backdoor.

Another cyberespionage campaign that used Word documents with malicious macros was CosmicDuke, which was uncovered in September and targeted at least one European Ministry of Foreign Affairs. “It’s heartwarming to see how kind the attackers are: when you open the email attachment, the Word document helps you enable macros by instructing you to click ‘Enable Content’,” researchers from F-Secure said Wednesday in a blog post discussing connections between the CosmicDuke, MiniDuke and OnionDuke malware programs.


Via: itworld

USPS Reports Healthcare Breach for 485K Employees

Officials at the United States Postal Service (USPS) have revealed that a breach originally reported in November may have compromised the health information of 485,000 employees.

The potentially exposed data was stored in “a file relating to injury compensation claims,” said USPS Chief Human Resources Officer Jeffrey Williamson last month.

That file, along with employees’ Social Security Numbers and other personal information, was compromised back in September after hackers exploited a USPS server’s weak default password. Officials then waited two months to report the breach.

Ken Westin, Senior Technical Marketing Manager and Security Analyst at Tripwire, notes how the announcement made by USPS testifies to the diversification of data breaches more generally: “With several recent breaches, we are seeing not only the traditional ‘Steal My Identity’ types of data such as names, Social Security Numbers, addresses of customers and employees, but also other more sensitive data sources such as credit card numbers and medical records.”

This may be because of how lucrative such data is among cyber criminals. According to a report by EMC Corporation, whereas a credit card goes for one dollar on the black market, health insurance credentials go for $20.

Westin explains that this trend of compromising medical data should scare businesses and government agencies, not just because the data is compromised but also because of the risks of storing such data on corporate networks without proper security controls in place, as required by regulatory compliance directives for PCI and HIPAA.

If employees’ healthcare information is not properly protected, corporations and government agencies risk incurring additional fines and greater legal risk.

“Many IT organizations may not even be aware that data subject to strict regulatory compliance is stored on their networks,” says Westin. “Indeed, one of the first places to look for this type of data is the Human Resources Department. We must ask ourselves a number of questions. Are there any records kept regarding medical procedures? Are any credit card numbers stored on laptops for health savings plans or corporate cards?”

Westin goes on to explain that organizations need to be able to show that they at least attempt to comply, for if there is a breach, anyone will be able to see what types of data exist on their network.

In addition to instituting other security measures, USPS has announced that it will institute changes to employee policies and procedures, as well as make upgrades to systems and equipment, in an attempt to better protect employees’ personal and healthcare information.


Via: tripwire

Verizon warns enterprise cloud users of 48-hour shutdown

‘Insanely stupid’ down time hurts Verizon in rivalry with Amazon, IBM and Microsoft, says analyst.

Verizon is warning users of its new cloud service to brace for a two-day outage late this week.

The company confirmed this afternoon that its new cloud service, Verizon Cloud, will be shut down for maintenance for as long as two days starting at 1 a.m. ET on Saturday, Jan. 10. Users are being told to shut down their virtual machines an hour before the maintenance work begins.

As a result, Verizon Cloud users won’t be able to access cloud services, whether it’s their cloud-based email or data and apps stored in the cloud, during the outage. According to a tweet from Verizon’s Cloud Client Care, users’ VMs, object stores, the Verizon Cloud Console and the API will be unavailable.

The move is shocking, according to Dan Olds, an analyst with The Gabriel Consulting Group. “For their customers, this could be a very rocky two-day period,” he said. “A two day outage, for any reason, is a very big deal to enterprise cloud customers. I can’t recall any cloud outage that is this lengthy.

“In a traditional data center, an outage like this is rare, and completely unacceptable unless it’s due to a true catastrophe,” Olds said. “However, even in the case of a catastrophe, most enterprises have disaster plans that will either keep the enterprise running throughout, or will allow them to recover quickly.”

Verizon, which would like to be playing in the cloud big leagues with the likes of Amazon, IBM, Microsoft and Google, noted that the shutdown will only affect Verizon Cloud, a service for enterprise customers that just emerged from beta in the third quarter of 2014.

The company’s legacy platforms — Enterprise Cloud, Enterprise Cloud Managed Edition, and Enterprise Cloud Federal Edition — will not be affected.

Verizon, though, has been working to move companies from its legacy platforms to Verizon Cloud.

A Verizon spokesman said the downtime should affect about 10% of the company’s enterprise cloud customers.

Frank Gens, an analyst with IDC, pointed out that it’s not uncommon for a cloud vendor to schedule maintenance. But preparing companies to be without service for two days is surprising.

“Forty-eight hours seems very excessive,” he added. “My guess is that it will be quite a bit shorter. If it isn’t, that’s a real problem. Certainly, it’s not a major business problem in the near term but, obviously, it’s a PR challenge, putting them under greater scrutiny at just the wrong time — as the market is getting more demanding, and the competition from Amazon, Google, Microsoft, IBM and others is getting stiffer.”

At this point, users would be smart to be prepping for a long outage.

“I’m betting that many of them are feverishly downloading data in order to have access to it during the outage,” said Olds. “Some of these customers are probably using the Verizon service as their own customer-facing portal. These folks are going to have to either quickly come up with an alternative mechanism to keep their business online, or they’re going to have to figure out how to explain why they’re taking a 48-hour vacation. Neither of these options are particularly appealing.”

A two-day service shut down is going to make it a tough sell for Verizon to convince business and IT executives that it is an enterprise cloud player, capable of competing with Amazon, IBM or Microsoft.

When it comes to judging a cloud vendor, reliability and uptime are two critical factors. Being offline for two days does not bode well for either.

“A planned outage of this length and magnitude is much more than just a black eye for Verizon,” said Olds. “It shows that they don’t understand the importance of their service to their customers, and, worse yet, are oblivious to the impact on them. This outage is something that Verizon’s competitors — including Amazon, Google and Microsoft — will use as a competitive weapon against Verizon, and pretty successfully, I’d think.”

Rob Enderle, an analyst with the Enderle Group, said if Verizon’s downtime this weekend does last the full 48 hours, it could be enough for customers to trade them in for a competitor.

“Enterprise services typically measure downtime in seconds or less,” he said. “Hours of downtime is often considered a high-severity problem. Days of downtime is a primary reason to discontinue using the service. This would be intolerable to most businesses of any size and absolutely unacceptable to enterprises…. A planned outage of several days in today’s world is largely unheard of and should serve as a massive red flag for this service.”

Verizon simply should have made this outage invisible to their users, shifting customers to redundant resources during a slow time.

Said Enderle: “Cutting them off is insanely stupid.”


Via: networkworld

N. Korea Blasts U.S. for Sanctions over Sony Attack

North Korea on Sunday criticized the United States for slapping sanctions on Pyongyang officials and organizations for a cyberattack on Sony Pictures — the latest fallout from a Hollywood movie depicting the fictional assassination of North Korean leader Kim Jong Un.

An unnamed spokesman for North Korea’s Foreign Ministry, in rhetoric that closely mirrors past statements, denied any role in the breach of tens of thousands of confidential Sony emails and business files and accused the United States of “groundlessly” stirring up hostility toward Pyongyang. The spokesman said the new sanctions would not weaken the country’s 1.2-million-strong military.

The spokesman told the North’s official media mouthpiece, the Korean Central News Agency, that the sanctions show America’s “inveterate repugnancy and hostility toward the DPRK,” referring to the North’s official name, the Democratic People’s Republic of Korea.

“The policy persistently pursued by the U.S. to stifle the DPRK, groundlessly stirring up bad blood toward it, would only harden its will and resolution to defend the sovereignty of the country,” the spokesman said.

The United States on Friday sanctioned 10 North Korean government officials and three organizations, including Pyongyang’s primary intelligence agency and state-run arms dealer, in what the White House described as an opening move in the response toward the Sony cyberattack.

The sanctions might have only a limited effect, as North Korea already is under tough U.S. and international sanctions over its nuclear and missile programs. President Barack Obama also warned Pyongyang that the United States was considering whether to put North Korea back on its list of state sponsors of terrorism, which could jeopardize aid to the country on a global scale.

American officials portrayed the sanctions as a swift, decisive response to North Korean behavior that they said had gone far over the line. Never before has the U.S. imposed sanctions on another nation in direct retaliation for a cyberattack on an American company.

There have been doubts in the cyber community, however, about the extent of North Korea’s involvement. Many experts have said it’s possible that hackers or even Sony insiders could be the culprits, and questioned how the FBI can point the finger so conclusively.

Sen. Robert Menendez of New Jersey, the outgoing chairman of the Senate Foreign Relations Committee, said the sanctions announced Friday were “a good first step” but didn’t go far enough.

Menendez told CNN’s “State of the Union” on Sunday that he had written to Secretary of State John Kerry, urging him to consider putting North Korea back on the list of state sponsors of terrorism, “which would have far more pervasive consequences.”

The 10 North Koreans singled out for sanctions didn’t necessarily have anything to do with the attack on Sony, senior U.S. officials said. Anyone who works for or helps North Korea’s government is now fair game, especially North Korea’s defense sector and spying operations, they said.

North Korea has expressed fury over “The Interview,” an anti-Pyongyang Sony comedy starring Seth Rogen and James Franco. It has denied hacking Sony, but called the act a “righteous deed.”

Sony initially decided to call off the film’s release after movie theaters decided not to show the film. After Obama criticized that decision, Sony released the movie in limited theaters and online.

Questions remain about who was behind a nearly 10-hour recent shutdown of North Korean websites. The United States never said whether it was responsible, but North Korea’s powerful National Defense Commission blamed the U.S. and hurled racial slurs at Obama, calling him a reckless “monkey in a tropical forest.”

Such hateful comments are not new: Pyongyang has similarly attacked other U.S. officials and called South Korea’s female president a prostitute.


Via: enterprise-security-today

Google Slammed for Disclosing Windows 8.1 Flaw

Google has come under heavy criticism for releasing details of an elevation of privileges flaw it found in Windows 8.1 just 90 days after notifying Microsoft.

The Project Zero team publicly disclosed the vulnerability on 29 December.

As reported by Infosecurity last week, it affects the NtApphelpCacheControl function used for caching application compatibility data. If exploited, it allows a malicious app to run as an administrator by bypassing User Account Control (UAC).

The flaw itself is not particularly critical, as users must have already been compromised for it to be effective, according to Sophos Canada’s senior security advisor, Chester Wisniewski.

“There are also several mitigations that can be employed to reduce the risk from this flaw,” he wrote in a blog post.

“People testing the vulnerability are saying that using UAC at its maximum setting prevents the flaw from working without a warning being presented. Better yet, if you don’t log in to your computer with administrative credentials at all when surfing the web or performing everyday tasks, there is no UAC to bypass.”

However, Google was criticized on its Google Security Research forum for its strict 90-day disclosure deadline.

“Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I’d have expected a greater degree of care and maturity from a company like Google,” wrote one user.

“I find it hard to believe that a company like Google is automatically disclosing a vulnerability affecting billions of PCs during a holiday season,” another added.

Project Zero researcher, Ben Hawkes, added to the forum comments to defend the web giant’s actions, clarifying that the incident was reported to Microsoft on 30 September.

He argued:

“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”

Although the majority of bugs reported under the program get fixed before the 90-day deadline passes, Google promised to monitor the effects of this policy.

However, the amount of information disclosed by Google after this particular deadline had passed was also problematic, Sophos’s Wisniewski argued.

“Without getting into the full disclosure debate, there is one thing about this particular disclosure that doesn’t lend credibility to Google’s arguments that Project Zero is doing a public service and abiding by its famous ‘Don’t be evil’ policy,” he explained.

“The public disclosure included proof-of-concept (PoC) code that allows anyone with interest the immediate ability to exploit the vulnerability. In my book, that’s not compatible with behavior that is allegedly in the public interest.”


Via: infosecurity-magazine

iPhone owners sue Apple over storage space, allege fraud

Lawsuit claims Apple misrepresents amount of storage available to customers, pushes them to pay for iCloud premium plans.

A pair of Florida men have sued Apple for allegedly misrepresenting the amount of storage room available to owners of 16GB iPhones and iPads.

The two, Paul Orshan and Christopher Endara, accused Apple of “unfair, unlawful, and fraudulent business acts or practices,” including false advertising, and asked a California federal judge to designate the lawsuit as a class action so that others can participate.

In the complaint filed Dec. 29, Orshan’s and Endara’s lawyers claimed Apple failed to tell buyers that a fifth of the 16GB in low-end iPhones and iPads is occupied by the operating system and pre-installed apps, leaving consumers less than the full amount for their own content, such as apps, photos and other files.

“Reasonable consumers do not expect this marked discrepancy between the advertised level of capacity and the available capacity of the devices, as the operating system and other storage space unavailable to consumers occupies an extraordinary percentage of their devices’ limited storage capacity,” the complaint stated.

By the plaintiffs’ calculations, a 16GB iPhone 6 had 13GB of space available to the user, while the 16GB iPhone 6 Plus and 16GB iPad Air had 12.7GB and 12.6GB, respectively. The portions of the 16GB inaccessible to users ranged from 19% to 21%.

The lawsuit also charged Apple with a Machiavellian strategy that used the disparity between the advertised and actual user-available storage space to push customers into paying for iCloud premium plans. “Using these sharp business tactics, defendant gives less storage capacity than advertised, only to offer to sell that capacity in a desperate moment, e.g., when a consumer is trying to record or take photos at a child or grandchild’s recital, basketball game or wedding,” the lawyers wrote.

Apple charges $0.99 per month for an additional 20GB — above the free allotment of 5GB — with other plans ranging from $3.99 monthly (for 200GB) to $19.99 per month (for 1TB).

Although the complaint claimed that, “It does not appear that Apple permits users of its devices to access cloud storage from other vendors,” that is not the case: iOS users can use the free storage or paid options of a variety of services, including Dropbox, Microsoft’s OneDrive and Google Drive.

The putative class-action lawsuit was similar to one that targeted Microsoft in November 2012 over alleged misrepresentations of the user-available space on the Redmond, Wash. company’s Surface tablets. The 64GB Surface Pro 3, for example, has approximately 37GB for user content, meaning that about 42% of the stated space is reserved for the operating system and other files.

A federal judge ordered the parties to enter arbitration in February 2013, the last action taken in that case, according to court records.

On its website, Apple explains how it calculates storage space on its iOS devices, but unlike Microsoft for its Surface, has not published figures for user content.


Via: computerworld

Hackers Gain Admin Rights with Windows 8.1 Flaw

The latest Windows 8.1 update added a feature that allows application compatibility data to be cached for quick reuse when new processes are created. But a privilege escalation flaw opens the door for abuse.

The way it’s supposed to work is this: A normal user can query the cache but cannot add new cached entries, as the operation is restricted to administrators. This is checked in the background with a purpose-built function. However, it turns out that this function doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator.

“It reads the caller’s impersonation token…and then does a comparison between the user SID in the token to LocalSystem’s SID,” explained Google Project Zero researchers, writing on the search giant’s vulnerability database. “It doesn’t check the impersonation level of the token, so it’s possible to get an identify token on your thread from a local system process and bypass this check.”
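As an added illustration that is not Windows code and not Google's proof of concept: a portable C model of the access check the researchers describe, with the flawed SID-only comparison beside the check that also requires an impersonation level high enough to confer authority. The token structure and the function names are hypothetical stand-ins; only the level names, their numeric order (the real TOKEN_IMPERSONATION_LEVEL enumeration) and LocalSystem's well-known SID S-1-5-18 are real.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the check described in the article; not Windows code.
 * Level names and their numeric order match TOKEN_IMPERSONATION_LEVEL. */
enum impersonation_level {
    SECURITY_ANONYMOUS = 0,
    SECURITY_IDENTIFICATION = 1, /* proves who the caller is, grants no authority */
    SECURITY_IMPERSONATION = 2,
    SECURITY_DELEGATION = 3
};

/* Minimal stand-in for an access token: the user SID as a string plus the
 * token's impersonation level. S-1-5-18 is LocalSystem's well-known SID. */
typedef struct {
    const char *user_sid;
    enum impersonation_level level;
} token_t;

static const char *const LOCAL_SYSTEM_SID = "S-1-5-18";

/* The flawed check as the article describes it: SID comparison only. */
bool vulnerable_caller_is_system(const token_t *tok) {
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* The check with the missing step added: an identification-level token must
 * never pass a privilege test, whatever SID it carries. */
bool hardened_caller_is_system(const token_t *tok) {
    if (tok->level < SECURITY_IMPERSONATION)
        return false;
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Gate on the privileged operation (adding a cache entry). */
bool cache_update_allowed(const token_t *tok, bool use_hardened_check) {
    return use_hardened_check ? hardened_caller_is_system(tok)
                              : vulnerable_caller_is_system(tok);
}

int main(void) {
    /* Constructed scenarios: a normal user, LocalSystem at identification
     * level (the situation the article describes), and LocalSystem at
     * impersonation level. The user SID below is made up. */
    const token_t normal_user = { "S-1-5-21-1000-2000-3000-1001", SECURITY_IMPERSONATION };
    const token_t system_identify = { "S-1-5-18", SECURITY_IDENTIFICATION };
    const token_t system_impersonate = { "S-1-5-18", SECURITY_IMPERSONATION };
    const token_t *cases[] = { &normal_user, &system_identify, &system_impersonate };
    const char *labels[] = { "normal user", "LocalSystem (identification)",
                             "LocalSystem (impersonation)" };

    for (int i = 0; i < 3; i++) {
        printf("%-30s vulnerable=%d hardened=%d\n", labels[i],
               cache_update_allowed(cases[i], false),
               cache_update_allowed(cases[i], true));
    }
    return 0;
}
```

The point the model makes is that identity and authority are separate properties of a token: the SID says who the caller is, the impersonation level says whether the holder may act as that identity, and a privilege check that reads only the first is exactly the gap the researchers describe.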

Looking for a way to exploit the vulnerability, Google has created a proof of concept (PoC) in which a cache entry is made for a UAC auto-elevate executable (like ComputerDefaults.exe). Any executable could be used, as long as there’s a suitable pre-existing app compatibility configuration to abuse. From there, anyone can gain administrative access to the machine and associated networks.

The PoC has been tested on Windows 8.1 update, both 32 bit and 64 bit versions—and works. However, “It’s unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable),” Google noted.

The vulnerability was reported to Microsoft in September and has just now been made public since it hasn’t yet been patched. Microsoft’s next Patch Tuesday is scheduled for Jan. 13.


Via: infosecurity-magazine

FBI’s Most Wanted: Cyber Special Agents

To battle hackers, you have to think like one. The FBI said it [is] seeking technology experts — including those with experience in “ethical hacking” — to become “cyber special agents.”

“Cyber permeates every aspect of what we do, whether it’s counterterrorism, criminal investigations or traditional cyberattacks, as we’ve seen in the recent past,” the FBI said.

North Korea, for example, is at the center of a confrontation with the United States over the hacking of Sony Pictures. The hacking is believed tied to Sony’s movie “The Interview” about the assassination of North Korea’s leader.

“The FBI seeks highly talented, technically trained individuals who are motivated by the FBI’s mission to protect our nation and the American people from the rapidly evolving cyber threat,” Robert Anderson Jr., executive assistant director for the bureau’s criminal, cyber, response and services branch, said in a statement Monday.

In its job post, which is open until Jan. 20, the agency said it has “many vacancies” for cyber special agents.

Such agents, the FBI said, should have the skills to “conduct multi-faceted investigations of high-tech crimes, including cyber-based terrorism, computer intrusions, online exploitation and major cyber fraud schemes.”

Preferred backgrounds and work experiences include computer forensics, computer programming and “ethical hacking,” according to the job posting. One way to get a resume to stand out at the FBI: Get certified in ethical hacking.

The EC-Council, which provides certification in information security and e-business fields, offers, for example, a “Certified Ethical Hacker” course as a way to get professionals to think like a hacker.

“To master the hacking technologies, you will need to become one,” EC-Council says on its website. Students in the council’s training will “scan, test, hack and secure their own systems.”

Some companies hire ethical hackers to try and bypass their own computer security systems. They aim to locate weak points that could be exploited by malicious hackers.

The annual salary range in the FBI’s job posting is $59,340 to $76,568.

Prospective cyber special agents are expected to meet the same threshold as special agents. Key requirements to be a special agent include passing a background check and fitness test. Agents must be at least 23 and no older than 37.

Applicants for the cyber special agent’s job must also have at least a four-year degree from an accredited college or university. Preferred degrees include applied and computational mathematics; digital and computer forensics; and computer information systems.


Via: enterprise-security-today

Hacker Uses Online Photos to Replicate Fingerprints, Bypass Biometric Security



If you think the biometric security on your phone or front door is enough to keep your personal information or belongings safe, think again.

German hacker Jan Krissler, who operates under the handle Starbug, has demonstrated that a simple photograph posted online can be used to recreate your fingerprint using commonly available imaging software.

One expert has recreated the fingerprints of Germany’s Minister of Defence, Ursula von der Leyen, using just a photo of her.

The security researcher, known as Starbug, used publicly available software called VeriFinger with photos of the finger taken from different angles.

Starbug, whose real name is Jan Krissler, told attendees of the Chaos Computer Club’s (CCC) 31st annual congress in Hamburg, Germany, how he achieved the hack.

Mr Krissler obtained a high-resolution photograph of the politician’s thumb using a ‘standard photo camera’ during a press conference.

He also used other ‘good quality’ photos of the politician, taken from a variety of angles.

From these images, he reconstructed an accurate thumbprint using the VeriFinger software.

This software is good enough, according to CCC, to fool fingerprint security systems.

‘These fingerprints could be used for biometric authentication,’ it wrote in a blog post.

Source: The Daily Mail

In this particular demonstration Krissler used several photos and ran them through a software application called VeriFinger to recreate the minister’s fingerprint.

In the future, as biometric fingerprint technologies become more prevalent, such a hack could be even easier than stealing someone’s wallet. A simple wave of your hand to someone taking a picture and then posting it online could now become a major security threat and could be a boon to identity thieves. All that an unscrupulous individual would need is a picture of your fingerprint. With high resolution cameras now embedded on most smart phone devices photographs of a particular target could be downloaded directly from a social media page or an image sharing web site. Or, someone can simply snap a photo of your hand from a few feet away as you pass them on the street.

In a recent blog post, Starbug says that once replicated, the copycat print can easily defeat biometric authentication:

The questionable validity of security claims by the vendors of fingerprint systems will be even more disputed after this presentation.

But how can you defeat such a simple method for stealing your identity?

Starbug provides a tried and true solution. “After this talk, politicians will presumably wear gloves when talking in public.”


Via: shtfplan


A Look Back At 2014

2014 was an amazing year in startup news. In fact, they wrote more than 13,000 articles on TechCrunch.

Here’s all the big news from the past year.

Apple: We predict that large phones will be the next big thing.


WhatsApp: Sorry, I can’t hear you over the sound of all the $$$$.


Amazon: Remember that one time we built a phone?


Facebook: Too many apps.


Foursquare: As many apps as users.


Snapchat: There are no repercussions for bad behavior.


Uber: There are no repercussions for bad behavior.


Google: It only took us 6 years to make Android look good.


Aol: We’re still here.


Samsung: The next big thing was last year.



Xiaomi: C, V



Xiaomi Mi Pad and an iPad Mini Retina

Ello: Yo.


Secret: Hey! Come back! Can anybody hear me?


Lenovo: Soon we’ll own you too.


Motorola: Made in China.


Fitbit: You’re fatter than you think.


Sony: We’re still releasing ‘The Interview.’ Actually stop everything, we’re not releasing it. Actually we’re releasing it.


Spotify: Taylor Swift looks like a tall alien anyway.

John Oliver: This is how you win the Internet.


BlackBerry: QWERTY FTW! (WAIT, HOW DO YOU DISABLE CAPS LOCK?)


Reddit: Now the front page to the worst of the Internet.


Dropbox: Trading your privacy for 1TB of storage.


Beats Electronics: Beats by Tim Cook.


Airbnb: Remember that one time we changed our company logo to a vagina?


Oculus Rift: Now you can experience life without leaving your house.


Nintendo: New Super Smash Brothers Plus XL U!


Netflix: Hey, do you guys remember Blockbuster?


HBO: Hey, do you guys remember Netflix?


Comcast: We still don’t care about you.


Time Warner: We actually fucking hate you.


Microsoft: Actually thinking differently.


HP: Your printer ink is still low.


Yo: Yo.



Via: techcrunch