Monthly Archives: January 2017

The Need for Better Cybersecurity Prioritization Metrics

Most organizations are overwhelmed, understaffed, and/or underfunded when it comes to cybersecurity. These constraints create a critical need to prioritize on the most critical cybersecurity measures. However, often these priorities are unclear or hard to determine, leading to less-than-optimal cybersecurity product purchases and/or activities. This is because the metrics about which overarching cybersecurity priorities matter most are by-and-large not well-established or well-accepted by the cybersecurity industry – making it very difficult for customers to know what to do first and what is a “nice to have.”

WHY DOES THIS MATTER?

Don’t we already have this problem solved? Clearly, a lot of time has been spent by various organizations to come up with 10,000s of controls. However, anyone who has tried to implement cybersecurity across an organization has likely experienced that there are too many topics to cover and there are no good sources to explain what the top areas to focus on should be.

In fact, many players in the cybersecurity industry’s “marketing machine” spend considerable effort to sell customers on one kind of product or another without really helping them with overall prioritizing. Customers can only do a few things. “I only have time to do the top 10 – but what are those?”

In order to figure out what those top 10 are for a customer’s organization, we as the defender ecosystem need generally accepted structure and metrics.

WHY IS THIS HARD? HASN’T IT BEEN DONE BEFORE?

Unfortunately, like many well-thought-through answers, the answer to the question of what the exact number and prioritization should be is often “It depends…”.

It depends on: What systems? What applications? What data? Scale of IT landscape? Functional aspects? Non-functional aspects? Financial/organizational constraints? OWASP, the Open Web Application Security Project, or the BSI Baseline Protection Manual catalogues, for example, give us simple to-dos based on concrete metrics because they cover a specific problem, use-case, and technology (web applications).

So, if your cybersecurity needs to cover more than the covered point solutions (usually the case for enterprise cybersecurity, where a lot of the intelligence is in the system-of-systems “glue” between systems) – and you cannot go down a high-assurance architecture route either (usually the case for enterprise cybersecurity, as well) – then what?

Numerous generic compliance frameworks, standards and guidance give a great broad overview of many things you may consider doing. The presented guidance is very detailed in some well-understood areas, but spotty in other, less clear-cut areas. Nevertheless, NIST SP 800-53 and similar frameworks are great guidance if you have the time and budget to get through it (or are mandated to use it).

WHAT SHOULD YOU DO?

Time and money (and also cybersecurity competency) limit how much you can do. Cybersecurity teams are often overworked, understaffed, fire-fighting breaches, etc. These limitations determine how far down the list of “to-do’s” you can realistically ever get.

It is not the primary purpose of this article to postulate a “top 10 to-do” list but rather to discuss the needs and challenges to get to industry-wide vetted metrics of what matters most in cybersecurity (potentially with some adaptations based on industry, IT landscape, regulatory/legal environment, etc.).

Let’s look at typical intrusion patterns to potentially guide us. Intrusions can be categorized into six phases: Reconnaissance; Initial Exploitation; Establish Persistence; Install Tools/Move Laterally; Collect; and Exfiltrate & Exploit. Attacks often start with finding holes in less-protected systems or tricking users into doing something to open up a hole. The attacker may try to get such a foothold in non-critical devices because they are usually less protected. There may be nothing to do/steal there, but it usually allows the attacker to move on laterally (“pivot”) to more critical assets, eventually getting access to valuable resources.


It is important to distinguish the phases and appreciate how these phases are connected in order to determine the countermeasures that need to be put in place. For example:

1. Countering initial exploitation: it is important to prevent as much as possible in the early stages (initial exploitation), e.g. by using antivirus tools, email attachment scanners, good authentication etc. However, at the current state of the cybersecurity ecosystem, you need to assume that these countermeasures will fail at some point (e.g. “zero-day malware” which your antivirus tool doesn’t know yet). It could be an unsecured “smart” lightbulb that is the starting point for the hacker. In fact, seemingly uncritical IoT devices are currently a major source of vulnerabilities (and have been used by hackers to cause a major internet outage in November 2016). Another major source of attacks is that some user in the organization will eventually click on a (spear-)phishing email attachment or website link – people are processing so much information every day that human errors are to be expected (even if only due to freak circumstances such as sender names matching colleagues etc.), even for security-educated individuals. And sufficiently locking down email attachments or websites is not really feasible for most organizations either, because that would reduce productivity. So you have to assume that some initial exploitation will happen eventually.

2. Countering pivoting (lateral movement): Therefore, in addition, you need to minimize the impact of such successful exploitations. A great way to do this is by implementing more fine-grained access controls across your networks, systems, devices and applications. Instead of giving particular users or devices broad access to much information and many systems, devices, and applications, you need to reduce access to the “minimum needed” to get the task done. This will likely involve contextual, dynamic, fine-grained access control technologies (for example “attribute-based access control”, ABAC) combined with security policy automation tools to make ABAC manageable. This is contrary to the traditional “hard shell, soft inside” security model where firewalls are put in place to control who can get in and out of an enterprise network. With “bring your own device” (BYOD) and cloud computing being rapidly adopted by organizations today, traditional trust boundaries are messy or non-existent, making “hard shell, soft inside” ineffective.

3. Knowing when it happens & impact control: Security is never 100%. So, assuming that both of those measures and everything else you put in place fail, you need to have tools (and people!) in place that can detect that you got breached. In addition, you need to figure out how your organization will recover from a catastrophic hacker/failure event. Just to name a few examples, mirror sites, hot/cold backups, etc. are necessary, as well as a way to restore systems to a clean state after being attacked.
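Item 2 above argues for replacing broad, perimeter-based trust with fine-grained, attribute-based decisions, so that a foothold on one device or account does not translate into access everywhere. The Python program below is an added example, not code from the original article or from ObjectSecurity: it implements a small ABAC evaluator with deny-overrides combining and a default of deny, evaluates constructed subject, device, resource and context attributes, and shows a compromised workstation in one department being refused access to another department’s data. Every attribute name, rule and sample request is an assumption made up for the illustration.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example, not code from the original article. Requests are judged
against rules over attributes of the subject, the device, the resource and
the request context; any matching deny rule wins, a permit needs at least
one matching permit rule, and a request matching nothing is denied.
All attribute names, rules and sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, Attrs, Attrs], bool]

# Classification levels from least to most sensitive (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Rule:
    name: str
    effect: str           # "permit" or "deny"
    condition: Condition  # predicate over (subject, device, resource, context)


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, subject: Attrs, device: Attrs, resource: Attrs,
                 context: Attrs) -> Tuple[str, List[str]]:
        """Deny-overrides combining with default deny; returns (decision, matched rule names)."""
        matched: List[str] = []
        decision = "deny"
        for rule in self.rules:
            if rule.condition(subject, device, resource, context):
                matched.append(rule.name)
                if rule.effect == "deny":
                    return "deny", matched   # a deny ends evaluation immediately
                decision = "permit"
        return decision, matched


def build_policy() -> Policy:
    """Rules expressing 'minimum needed' access; deny rules are listed first."""
    return Policy(rules=[
        # Unmanaged or non-compliant devices (e.g. BYOD without an agent) get nothing.
        Rule("deny-unmanaged-device", "deny",
             lambda s, d, r, c: not d.get("managed") or not d.get("compliant")),
        # Restricted data is never served to a session without MFA.
        Rule("deny-restricted-without-mfa", "deny",
             lambda s, d, r, c: r["classification"] == "restricted" and not c.get("mfa")),
        # Off-network sessions may not touch anything above "internal".
        Rule("deny-remote-sensitive", "deny",
             lambda s, d, r, c: c.get("network") != "corp"
             and LEVELS[r["classification"]] > LEVELS["internal"]),
        # Reads are allowed only inside the owning department, up to the subject's clearance.
        Rule("permit-department-read", "permit",
             lambda s, d, r, c: c["action"] == "read"
             and s["department"] == r["owner_department"]
             and LEVELS[s["clearance"]] >= LEVELS[r["classification"]]),
        # Writes additionally require an explicit editor entry on the resource.
        Rule("permit-owner-write", "permit",
             lambda s, d, r, c: c["action"] == "write"
             and s["id"] in r.get("editors", [])
             and LEVELS[s["clearance"]] >= LEVELS[r["classification"]]),
    ])


# Constructed sample data.
LEDGER = {"name": "ledger", "owner_department": "finance",
          "classification": "confidential", "editors": ["u-alice"]}
MANAGED_PC = {"managed": True, "compliant": True}
BYOD_PHONE = {"managed": False, "compliant": False}
ANALYST = {"id": "u-bob", "department": "finance", "clearance": "confidential"}
EDITOR = {"id": "u-alice", "department": "finance", "clearance": "confidential"}
HR_USER = {"id": "u-carol", "department": "hr", "clearance": "internal"}
ON_SITE = {"action": "read", "network": "corp", "mfa": True}


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate a few requests, including a lateral-movement attempt from HR into finance."""
    policy = build_policy()
    return {
        "analyst-read-on-site": policy.evaluate(ANALYST, MANAGED_PC, LEDGER, ON_SITE),
        "analyst-read-from-byod": policy.evaluate(ANALYST, BYOD_PHONE, LEDGER, ON_SITE),
        "analyst-read-from-home": policy.evaluate(ANALYST, MANAGED_PC, LEDGER,
                                                  {**ON_SITE, "network": "home"}),
        "hr-pc-pivots-to-finance": policy.evaluate(HR_USER, MANAGED_PC, LEDGER, ON_SITE),
        "editor-write-on-site": policy.evaluate(EDITOR, MANAGED_PC, LEDGER,
                                                {**ON_SITE, "action": "write"}),
    }


if __name__ == "__main__":
    for case, (decision, matched) in demo().items():
        print(f"{case:28s} {decision:6s} {matched}")
```

The pivoting case is the interesting one: a compromised HR workstation presents a managed, compliant device and an on-site session, so none of the deny rules fire, yet it still gets “deny” because no permit rule matches. That is the default-deny property the article’s “minimum needed” principle relies on; a broad role such as “all staff can read internal file shares” would have matched instead.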

How do you prioritize? Without clear metrics, it is hard to estimate how likely each kind of vulnerability is, and what its associated impact will be.

SOME FINAL THOUGHTS…

It should be helpful to at least broadly structure major priorities based on a thought process. In particular, there are ongoing discussions in the cybersecurity industry about whether – and in which order of priority – you should:

  • Prevent: One school of thought makes preventing breaches by reducing attack surface and vulnerabilities the “plan A”. This approach is usually followed by more mission-critical/safety-critical industries and military/intelligence.
  • Detect and respond: Another school of thought around cybersecurity professionals is that prevention is relatively futile and you should rather make your efforts on detection and response your “plan A”.
  • Control impact (recovery): Yet another (more extreme) school of thought thinks that both prevention and detection are quite futile and we should mainly focus on impact control and recovery.
  • Sell it to management and auditors: And yet another school of thought thinks that the primary objective is to convince management and auditors that security meets (compliance) requirements.

The author’s (personal) view is that prevention should still be “Plan A,” followed by “detect & respond,” followed by impact control, and lastly sell it to management. But this is open to debate until we have more solid, generally accepted industry-wide metrics.

Even so, here is my personal current top 10 list based on that rough prioritization:

[Image: the author’s top 10 list, not reproduced in this extract]

A more detailed whitepaper about this topic can be found at objectsecurity.com/whitepaper.


via:  tripwire

Now Ransomware Can Be a Breach Event

In the early days of computer viruses, there were different classifications of viruses based on their behavior. Worms had the ability to self-replicate, while polymorphic viruses had the ability to change their appearance to avoid eradication. Additionally, multipartite viruses consisted of a combination of viral techniques. There are, of course, other virus types in the canon of computer security history.

Since viruses have changed from simple destructive mechanisms to money-generating tools, it seemed that all those special classifications have been replaced with only one – ransomware.

It has been written in the past that a ransomware event is not a data breach because no data is taken from the target machine. This sentiment is also expressed in the proposed New York State Cyber Security regulation.

However, as recently reported by The State of Security’s David Bisson, ransomware has now taken on a new character much like the early viruses. The latest KillDisk variant contains code that searches for sensitive data (such as passwords stored in web browsers and files) and exfiltrates that information.

It is posited that the exfiltrated data could potentially be used to extort more money from victims. This new dual-purpose ransomware exhibits characteristics that put it into the category of a multipartite strain.

To be sure, this is a new and even more troubling development in the ransomware field; a target may now be twice victimized.

While there have been reports about self-replicating ransomware as far back as 2014, that technique never seemed to gain much traction with malware authors.

The KillDisk ransomware has only targeted large Ukrainian banks (demanding an extremely large ransom), but we should all stay vigilant as we have seen how rapidly these new techniques are adapted to other attack campaigns.

As with all malware, it all starts by executing a file on your computer.

HERE ARE SOME TIPS TO PROTECT YOU FROM THIS NEW MULTIPARTITE RANSOMWARE:
  • Do not store passwords in a file on your computer or allow your browser to remember your passwords. Now is a good time to review some of the password managers that are available.
  • Verify all unexpected E-Mail attachments by contacting the sender by phone to verify the legitimacy of the message. (Do not contact the sender by E-Mail, as their mail account was probably compromised.)
  • Be more mindful with all files. Rather than just automatically enabling content in a Microsoft Office document (which we are all in the habit of doing), stop for a moment to verify that you are in fact opening the file you intended to open.
  • Never click on unsolicited or unexpected links in E-Mail messages.

Remember that the entire key to security awareness is to stop and think before proceeding.


via:  tripwire

Disk-wiping malware Shamoon targets virtual desktop infrastructure

The latest variant had default credentials for a Huawei desktop virtualization solution.

A cybersabotage program that wiped data from 30,000 computers at Saudi Arabia’s national oil company in 2012 has returned and is able to target server-hosted virtual desktops.

The malware, known as Shamoon or Disttrack, is part of a family of destructive programs known as disk wipers. Similar tools were used in 2014 against Sony Pictures Entertainment in the U.S. and in 2013 against several banks and broadcasting organizations in South Korea.

Shamoon was first observed during the 2012 cyberattack against Saudi Aramco. It spreads to other computers on a local network by using stolen credentials and activates its disk-wiping functionality on a preconfigured date.

In November last year, security researchers from Symantec reported finding a new version of Shamoon that had been used in a fresh wave of attacks against targets in Saudi Arabia. The version was configured to start overwriting data on hard disk drives on Thursday, November 17 at 8:45 p.m. local time in Saudi Arabia, shortly after most workers in the country started their weekend.

Researchers from Palo Alto Networks found yet another Shamoon variant, different from the one seen by Symantec and likely used against a different target in Saudi Arabia. This third version had a kill date — the day when it was configured to start wiping data — of November 29 and contained hard-coded account credentials that were specific to the targeted organization, the Palo Alto researchers said Monday in a blog post.

Some of those credentials were for Windows domain accounts, but a few were default usernames and passwords for Huawei FusionCloud, a virtual desktop infrastructure (VDI) solution.

VDI products like Huawei FusionCloud let companies run multiple virtualized desktop installations inside a data center. Users then access these virtual PCs from thin clients, making workstation management across different branches and offices a lot easier.

Another benefit of VDI solutions is that they create regular snapshots of these virtualized desktops, allowing administrators to easily restore them to a known working state in case something goes wrong.

Apparently the attackers behind this latest Shamoon campaign were aware that the targeted organization used Huawei’s VDI product and realized that it wouldn’t be enough to just wipe virtual PCs using stolen Windows domain credentials.

“The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack,” the Palo Alto Networks researchers said. “If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment.”

While so far this technique has only been observed in a targeted cyberattack whose primary purpose was the destruction of data, it could easily be adopted by ransomware creators in the future. Some ransomware variants already attempt to delete certain types of backups before encrypting data, so targeting VDI snapshots would be a natural expansion of that tactic.

None of the targets in the November attacks were named by Symantec or Palo Alto Networks.


via: networkworld

Nvidia’s GeForce Now puts a gaming PC in the cloud

Nvidia announced the launch of its GeForce Now platform for PCs during its CES keynote.

As the company’s CEO Jen-Hsun Huang noted during the keynote, the majority of PCs in use today aren’t able to play modern games simply because they can’t support modern graphics cards. GeForce Now for PCs will simply let these potential gamers access a cloud-based gaming service.

GeForce Now will be available in March for $25 for 20 hours of play. “It’s basically a GeForce gaming PC on demand,” Huang said. The idea here is to give all of those who want to play PC games but simply don’t have the hardware to do so a way to easily play virtually any modern game on their computers — even if they are Macs.

That does sound awfully familiar for anybody who ever used the old OnLive platform. That platform, though, depended heavily on support from gaming companies. During today’s keynote, Huang showed the Steam store running on Nvidia’s GeForce Now platform, though, so the number of supported games shouldn’t be an issue.

Nvidia itself has also used the GeForce Now brand before. Until now, though, it was all about streaming games from your own PC — not one that lives in the cloud.

Huang also stressed that the company worked on this project for quite a while and it’s only now that its engineers have found a way to make the service run fast enough — and with low enough latency — to work.

To use the service, gamers will have to download a small client. Installing and starting games should only take a few seconds, but we have obviously not used the service ourselves yet, so we have to take Nvidia’s word for this.

It’s unclear whether Nvidia is hosting this service in its own data centers or on AWS or another cloud computing platform.


via: techcrunch

Ransomware Offers Free Decryption if you Learn About Cybersecurity


In recent weeks there have been some peculiar new strains of ransomware spotted.

Take the Popcorn Time ransomware, for instance, which lets you decrypt your files “the nasty way” by helping the blackmailers spread their attack further.

If you can infect two other victims (and get them to pay up) Popcorn Time’s developers will allegedly send you your decryption key for free.

Now there’s a new novel twist on ransomware. As Bleeping Computer reports, the Koolova ransomware displays a surprising message on infected systems:

[Image: the Koolova ransom screen; its text is quoted below]

Hello. I’m nice Jigsaw or more commonly known as Jigsaws twin.

Unfortunately all of your personal files (pictures, documents, etc…) have been encrypted by an evil computer virus known as Ransomeware’.

Now now, not to worry I’m going to let you restore them but only if you agree to stop downloading unsafe applications off the internet.

If you continue to do so may end up with a virus way worse than me! You might even end up meeting my infamous brother Jigsaw 🙁

While you’re at it, you can also read the small article below by Google’s security team on how to stay safe online.

Oh year I almost forgot! In order for me to decrypt your files you must read the two articles below.

The so-called twin of Jigsaw includes links to an article on the Google blog about how to browse the internet more safely, and one of Bleeping Computer’s articles about the original not-so-nice incarnation of Jigsaw.

As if you needed any further incentive, Koolova goes on to tell you that you shouldn’t rest on your laurels. A countdown is slowly ticking down – and when it reaches zero, it claims your encrypted files will be deleted.

As Bleeping Computer reports, clicking on the links to the security-related articles prompts a button to appear in Koolova’s front end, inviting you to request your decryption key from its Command & Control server.

[Image: the “nice Jigsaw” screen with the decryption-key request button]

So, the obvious question is this… are you likely to encounter this peculiar “nice” ransomware?

It seems unlikely – after all, what possible incentive could a real criminal have for distributing it?

Nonetheless, it wouldn’t do you any harm to clue yourself up about computer security, ensure you have appropriate defenses in place and make sure that you are making regular secure backups of your data.

After all, if you ever do get hit by ransomware, you can’t feel confident that the hackers who have encrypted your files will be quite so nice.


via:  tripwire

Topps Data Breach Exposes Months of Credit Card Data

Customers who shopped at the company’s website between July 30 and October 12 of 2016 may be affected.


Trading card maker Topps recently began notifying an undisclosed number of customers that their names, email addresses, mailing addresses, phone numbers, credit or debit card numbers, expiration dates and verification numbers may have been stolen by “one or more intruders” last fall.

Any customers who placed orders through the Topps website between July 30, 2016 and October 12, 2016 may be affected.

“Once we became aware of this incident, we engaged a security firm to examine our network, and we worked with the security firm, as well as our website development and hosting companies to implement multiple measures to strengthen the security of our system,” Topps stated in its notification letter [PDF] to those affected.

“We stopped the incident and continue to work with our security firm to help prevent a similar incident from happening again,” the company added.

All those affected are being offered one year of free access to identity theft protection services from CSID.

BBC News notes that security researcher Chris Vickery uncovered vulnerabilities in Topps databases back in December of 2015 and June of 2016, but he wasn’t able to get a response from the company by email. It’s not clear whether the credit card breach was related to the flaws Vickery found.

A recent Thales e-Security survey of 1,016 U.S. adults found that fully 88 percent of respondents said they would stop using digital payments if they fell victim to cybercrime as a result of a data breach.

Seventy percent said they would stop using digital payments if money was stolen from a linked bank account, 68 percent said they would do so if unauthorized charges appeared on a linked credit card account, and 59 percent said they would do so if their user name and password were stolen.

“The mobile payments industry needs to take note that their future success is based on trust,” Thales e-Security director of payment strategy Jose Diaz said in a statement. “And that trust can easily fail if they do not provide the strong protection of their infrastructure, transactions and data that customers expect.”

A separate Thales survey of 1,000 adults in the U.S. and the U.K. recently found that 55 percent of respondents would switch to only using cash at a retailer if they learned that credit card data had been stolen from its systems — and 20 percent would stop shopping at that retailer altogether.


via:  esecurityplanet

How 2016 Became the Year of the Hack, and What the Future Holds

While new revelations about Russian hacking during the US election continue to make headlines, they were by no means the only big cyberattacks of the last year. In fact, there were so many that you could dub 2016 as “the year of the hack”.


A hallmark of 2016 cyberattacks has been just how public they have become. On October 21, an attack on internet infrastructure provider Dyn with a distributed denial of service (DDoS) attack took down access to Netflix, Facebook, Twitter plus the Guardian, CNN, The New York Times, the Wall Street Journal and others.


In addition to the high profile nature of the hack, it was noteworthy because of its cause: exploitation of internet-connected everyday devices such as webcams and digital recorders.


Last month, the bank operated by UK supermarket chain Tesco was hit, resulting in £2.5m being stolen from the accounts of some 9,000 customers.


And then there was the massive Yahoo hack. It technically took place in 2013, but the revelation came this month that data from more than 1bn user accounts was compromised, with some dubbing it the largest such hack in history. This news followed a September revelation of a 2014 incident that allowed hackers to steal the personal data associated with at least 500m Yahoo accounts.


Russia was not the only country involved in a hacking controversy in 2016. For the first four months of the year, Apple was in a well-publicized tussle with the FBI over whether the company would help hack into the iPhone of San Bernardino gunman Syed Farook.


“2016 was most notable for the evolution of nation state attacks,” said Richard Stiennon, author of There Will Be Cyberwar. “Cyber espionage has been an important tool for hackers and intelligence agencies since at least 2004 and Titan Rain. But releasing the emails from the Democratic National Committee and John Podesta was new and scary.”


He also suggested that the lessons for 2017 could begin with looking at who is doing the attacking and then at how much work organizations will have to do in improving data protection.

Stiennon said the level of data protection an organization needs to prevent similar breaches and embarrassing “doxing” (wherein stolen documents are released to the public) is daunting to contemplate, but necessary.


Craig Fagan, policy director at the World Wide Web Foundation, agrees. “Every citizen has the right to know that their personal data is being stored securely and privately online,” he said. “Yet the scale and breadth of the hacks we’ve seen in 2016 show that governments and companies must do more to safeguard these essential digital rights. 2017 must be the year to change this.”


It also looks like the growing scale of attacks will affect how governments and companies tackle the threat of hacking in 2017. In the September announcement of its 2016 Internet Organised Crime Threat Assessment (IOCTA), the European Police Office (Europol) highlighted the growing range of cyberthreats.


The past year “has seen the further evolution of established cybercrime trends,” according to Steven Wilson, head of Europol’s European Cybercrime Centre. “The threat from ransomware has continued to grow and has now expanded into sectors such as healthcare. Europol has also seen the development of malware targeting the ATM network, impacting cash services worldwide.”


Rob Guidry, CEO of social media analytics company Sc2 and a former special adviser to US central command, suggested that money was still a big motive behind a lot of attacks and played a major role in Russian hacking.


“Russian hackers, specifically, tend to be motivated by the value of the data that they take. They have also been known to [for compensation] back Russian national strategic pursuits with DDoS and other means, to drive a political aim,” he said. “The Russian government has had a cozy relationship with professional private hackers for years, and it has been highly useful to them.”


Governments are not only active players in the encouragement of hacking; the World Wide Web Foundation’s Craig Fagan also warns that some of them are “unravelling the security of the internet for everyone” through new legislation.


“For instance, the UK’s new Investigatory Powers Act forces ISPs [internet service providers] to store everyone’s browsing history for 12 months, creating an ideal target for scammers and blackmailers,” he said. “The Act is likely to embolden other countries to follow the UK’s bad example, with grave consequences for all of our privacy.”


Andrew Crocker, an attorney on the Electronic Frontier Foundation’s civil liberties team, echoed this sentiment and warned against fear of cyber attacks and hacking being used by lawmakers to pass sweeping anti-hacking legislation that could have unintended consequences. “The prevalence of these data breaches, botnets, and other attacks highlight the importance of data security best practices and the need to reject government proposals to weaken security, such as mandating encryption backdoors,” he said.


Sc2’s Rob Guidry suggests that by the time we get to the end of 2017, we may look back on the major hacks of 2016 as being not so bad.


“It’s going to get worse before it gets better,” he says. “Hacking is going to become a price that people pay for doing business over the internet much in the same way that piracy was once a cost of doing business through shipping.”


via:  enterprise-security-today

A Lightweight, Compact, No-Nonsense ATM Malware – Alice

Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered. Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features. It is meant solely to empty the safe of ATMs. We detect this new malware family as BKDR_ALICE.A.

Trend Micro first discovered the Alice ATM malware family in November 2016 as a result of our joint research project on ATM malware with Europol EC3. We collected a list of hashes, and the files corresponding to those hashes were then retrieved from VirusTotal for further analysis. One of those binaries was initially thought to be a new variant of the Padpin ATM malware family. However, after reverse analysis, we found it to be part of a brand new family, which we called Alice.

ATM malware has been around since 2007, but over the past nine years we have only learned of eight unique ATM malware families, including Alice. This new discovery is remarkable because it shows a clear tendency for malware writers to attack an ever-increasing variety of platforms. This is especially acute against ATMs, due to the high monetary value they represent. This tendency has accelerated enormously over the last 2-3 years, which is when the bulk of those families have been discovered.

Technical Details

The family name “Alice” was derived from the version information embedded in the malicious binary:

Figure 1. File properties of Alice sample

Based on PE compilation times and Virustotal submission dates, Alice has been in the wild since at least October 2014. The Alice samples we found were packed with a commercial, off-the-shelf packer/obfuscator called VMProtect. This software checks if the embedded binary is being run inside a debugger and displays the following error message if it determines that to be the case:

Figure 2. Error message

Before any malicious code runs, Alice checks if it is running within a proper Extensions for Financial Services (XFS) environment to make sure that it’s actually running on an ATM. It does this by looking for the following registry keys:

  • HKLM\SOFTWARE\XFS
  • HKLM\SOFTWARE\XFS\TRCERR

If these registry keys do not exist, the malware assumes that the environment is not right and terminates itself. Alice also requires the following DLLs to be installed on the system:

  • MSXFS.dll
  • XFS_CONF.dll
  • XFS_SUPP.dll

Depending on whether its XFS check was successful or not, Alice displays either an authorization window or a generic error message box:

Figures 3 and 4. Post-execution message boxes. On the left is an authorization window, which appears if the XFS check is successful. On the right is an error message, which appears if the check yields a negative result.

When first run, Alice creates an empty 5 MB+ sized file called xfs_supp.sys and an error logfile called TRCERR.LOG, both in the root directory. The first file is filled with zeros and no data is ever written to it. The second file (TRCERR.LOG) is a log file that the malware uses to write any errors that occur during execution. All XFS API calls and their corresponding messages/errors are logged. This file is not deleted from the machine during uninstallation. It remains on the system for future troubleshooting, or perhaps the malware author forgot to clean it up.

Alice connects to the CurrencyDispenser1 peripheral, which is the default name for the dispenser device in the XFS environment. Alice does not attempt to connect to other ATM-specific hardware; therefore criminals cannot issue any commands via the PIN pad. Alice doesn’t terminate itself if it fails to connect to CurrencyDispenser1, instead it simply logs the error.

The PIN input seen in Figure 4 provides a way to issue commands to the Alice malware. The three commands that can be entered are:

[Table image not reproduced: the three PIN commands accepted by Alice]

Multiple mistakes in entering the correct PIN will result in the following window being shown and the malware terminating itself:

Figure 5. Error message

When the correct PIN code is entered, Alice will open the “operator panel”. This is a screen showing the various cassettes with money loaded inside the machine, which the attacker can then steal at their leisure. (In this sample, no cassettes are shown since we were running this malware on a test setup.)

Figure 6. Operator panel

Note that entering “0” or “9” as the cassette ID will also cause sd.bat to be run and xfs_supp.sys to be deleted.

When the money mule inputs the cassette number in the operator panel, the CurrencyDispenser1 peripheral is sent the dispense command via the WFSExecute API and stored cash is dispensed. ATMs typically have a 40-banknote dispensing limit, so the money mule might need to repeat the operation multiple times to dispense all the stored cash in the cassette. The stored cash levels for each cassette are dynamically updated on the screen, so the money mule knows how close they are to completely emptying the cassettes.

Alice is usually found on infected systems as taskmgr.exe. While the malware itself has no persistence method, we believe that the criminals manually replace the Windows Task Manager with Alice. Any command that would invoke the Task Manager would instead invoke Alice.

Conclusions

Several things stand out about Alice. It is extremely feature-lean and, unlike other ATM malware families we have dissected, it only includes the basic functionality required to successfully empty the money safe of the ATM. It only connects to the CurrencyDispenser1 peripheral and it never attempts to use the machine’s PIN pad. The logical conclusion is that the criminals behind Alice need to physically open the ATM and infect the machine via USB or CD-ROM, then connect a keyboard to the machine’s mainboard and operate the malware through it.

Another possibility would be to open a remote desktop and control the menu via the network, similar to the hacking attacks in Thailand and other recent incidents. However, we have not seen Alice being used this way. The existence of a PIN code prior to money dispensing suggests that Alice is used only for in-person attacks. Neither does Alice have an elaborate install or uninstall mechanism—it works by merely running the executable in the appropriate environment.

Alice’s user authentication is similar to other ATM malware families. The money mules that carry out the attacks receive the needed PIN from the actual criminal gang(s). The first command they enter drops the cleanup script, while entering the machine-specific PIN code lets them access the operator panel for money dispensing.

This access code changes between samples to prevent mules from sharing the code and bypassing the criminal gang, to keep track of individual money mules, or both. In our samples the passcode is only 4 digits long, but this can be easily changed. Attempts to brute-force the passcode will eventually cause the malware to terminate itself once the PIN input limit is reached.

Given the fact that Alice only looks for an XFS environment and doesn’t perform any additional, more hardware-specific checks, we believe that it has been designed to run on any vendor’s hardware configured to use the Microsoft Extended Financial Services middleware (XFS).

One more thing about the use of packers: Alice uses the commercially available VMProtect packer, but it is far from alone. We found GreenDispenser packed with Themida, and Ploutus packed with Phoenix Protector, among others.

Packing makes analysis and reverse engineering more difficult. Common malware has been using this technique for years, with malware today using custom-built packers. So why are ATM malware authors only just now discovering packing and obfuscation techniques?

Up until recently, ATM malware was a niche category in the malware universe, used by a handful of criminal gangs in a highly targeted manner. We are now at a point where ATM malware is becoming mainstream. The different ATM malware families have been thoroughly analyzed and discussed by many security vendors and these criminals have now started to see the need to hide their creations from the security industry to avoid discovery and detection. Today, they are using commercial off-the-shelf packers; tomorrow we expect to see them start to use custom packers and other obfuscation techniques.

Further technical details and a comparison of various ATM malware families can be found in this appendix.

Indicators of Compromise

The files used in this analysis have the following SHA256 hashes:

  • 04F25013EB088D5E8A6E55BDB005C464123E6605897BD80AC245CE7CA12A7A70
  • B8063F1323A4AE8846163CC6E84A3B8A80463B25B9FF35D70A1C497509D48539
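The host artifacts described above (a 5 MB+ zero-filled xfs_supp.sys, the TRCERR.LOG error log that survives uninstallation, and the sample hashes listed under Indicators of Compromise) lend themselves to a simple triage check. The following is an added example written for this page, not code from the original analysis or from Trend Micro. It scans one directory (the drive root the article names, or any folder) and reports those artifacts; the file contents it writes for its own demonstration are constructed placeholders, not real samples, and the hash list is taken verbatim from the IoC section above.

```python
"""Host triage for the Alice ATM malware artifacts described in the analysis above.

Added example: checks for the zero-filled xfs_supp.sys, the TRCERR.LOG XFS error
log, and any executable whose SHA256 matches one of the published sample hashes.
"""
import hashlib
import os
import tempfile

# SHA256 hashes of the analysed samples, copied from the Indicators of Compromise.
ALICE_SHA256 = {
    "04f25013eb088d5e8a6e55bdb005c464123e6605897bd80ac245ce7ca12a7a70",
    "b8063f1323a4ae8846163cc6e84a3b8a80463b25b9ff35d70a1c497509d48539",
}

XFS_SUPP_MIN_SIZE = 5 * 1024 * 1024  # the article: a 5 MB+ file filled with zeros
CHUNK = 1024 * 1024


def sha256_of(path):
    """Streaming SHA256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def is_zero_filled(path):
    """True when every byte of the file is 0x00 (Alice never writes data to xfs_supp.sys)."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if any(chunk):
                return False
    return True


def triage_alice(root, known_hashes=ALICE_SHA256):
    """Return (description, path) findings for the files directly under `root`.

    Three checks, all taken from the analysis: a large zero-filled xfs_supp.sys,
    a TRCERR.LOG (left behind even after the malware uninstalls), and any .exe
    (the article notes Alice is usually found as taskmgr.exe) matching a known hash.
    """
    findings = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        if lower == "xfs_supp.sys":
            if os.path.getsize(path) >= XFS_SUPP_MIN_SIZE and is_zero_filled(path):
                findings.append(("xfs_supp.sys: 5 MB+ zero-filled file", path))
        elif lower == "trcerr.log":
            findings.append(("TRCERR.LOG: XFS error log present", path))
        elif lower.endswith(".exe"):
            digest = sha256_of(path)
            if digest in known_hashes:
                findings.append(("known Alice sample SHA256 " + digest, path))
    return findings


def make_constructed_sample(dirpath):
    """Write constructed, harmless placeholder files so the triage can be exercised offline."""
    with open(os.path.join(dirpath, "xfs_supp.sys"), "wb") as f:
        f.write(bytes(XFS_SUPP_MIN_SIZE + 4096))  # zeros only, slightly over 5 MB
    with open(os.path.join(dirpath, "TRCERR.LOG"), "w") as f:
        f.write("constructed placeholder log line\n")  # not a real XFS log entry
    with open(os.path.join(dirpath, "taskmgr.exe"), "wb") as f:
        f.write(b"MZ placeholder, not a real sample")  # hash will not match the IoCs


def demo():
    """Run the triage against a constructed directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        make_constructed_sample(d)
        return triage_alice(d)


if __name__ == "__main__":
    for description, path in demo():
        print(description, "->", path)
```

In practice the hash check should also compare taskmgr.exe against a known-good copy from the vendor image, since a repacked sample will not match the two published hashes; the file-artifact checks catch that case regardless of packing.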

via: trendmicro

An Oversight in Online Payments Allows Cards to be Hacked in Seconds

The countdown to year’s end almost inevitably means an increase in online purchases. On the heels of Black Friday and Cyber Monday, a full-blown consumerist race kicks off that goes until January. 2016 will continue to show consumers turning more and more to e-commerce for their gift giving needs.

However, the convenience of paying by credit card online comes hand in hand with a real risk to our wallets. A recent study by investigators at the University of Newcastle revealed that the existence of a multitude of online payment systems, with their corresponding security measures, isn’t enough to guarantee consumer protection. It’s more like the opposite — often, as a result of so much variety, we end up with a chaotic jumble that generates major vulnerabilities.

After analyzing several different payment methods, researchers discovered a new type of attack that allows cybercriminals to hack a credit card in only six seconds.

This kind of attack, which takes advantage of a couple of vulnerabilities with Visa cards, is already being used. In fact, it is believed to be the system used to steal money from 20,000 accounts of Tesco’s clients.

Actually, the attack is not very complex. It uses sheer brute force. Specifically, it exploits two oversights in online payment platforms. On the one hand, these platforms do not detect multiple erroneous payment requests when coming from different websites. On the other hand, they allow up to twenty erroneous payments for each credit card on each page. And as if that wasn’t enough, the payment system doesn’t refresh to request different information from the buyer after each failed attempt.

Thus, the attacker needs only a credit card number to start randomly guessing the CVV (Card Verification Value) and expiration date until it arrives at the right combination through brute force. Investigators tested this kind of attack on the 400 most popular e-commerce websites. They demonstrated that if we trust a credit card’s security as the sole safety measure, theft becomes a real possibility.

Platforms that use the Verified by Visa system, or even payments with Mastercard, actually escape these vulnerabilities. This shows that relying on online credit card security by itself may, paradoxically, pose a serious risk.
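The two oversights the article names are both counting problems on the defender's side: each merchant caps failed attempts per card on its own (up to twenty), and nobody correlates failures for the same card across merchants. The following added example, written for this page and not part of the study or of the original article, runs both policies over a constructed authorisation log. Merchant names, card tokens, the outcome codes, the five-failure threshold and the ten-minute window are all assumptions chosen for illustration.

```python
"""Per-merchant versus issuer-wide counting of failed card-not-present authorisations.

Added example. The weak policy mirrors the article's description (each site counts
failures for a card independently); the corrected policy counts per card across all
merchants in a sliding window, which is where distributed guessing becomes visible.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: "<ISO time> <merchant> <card token> <outcome>". One card collects a
# burst of declines spread over six merchants, two per merchant, so every merchant
# individually stays far below a per-site cap of twenty.
SAMPLE_LOG = """\
2016-12-02T10:00:00 shop-a card-1111 DECLINED_CVV
2016-12-02T10:00:01 shop-a card-1111 DECLINED_CVV
2016-12-02T10:00:01 shop-b card-1111 DECLINED_CVV
2016-12-02T10:00:02 shop-b card-1111 DECLINED_CVV
2016-12-02T10:00:02 shop-c card-1111 DECLINED_CVV
2016-12-02T10:00:03 shop-c card-1111 DECLINED_CVV
2016-12-02T10:00:03 shop-d card-1111 DECLINED_CVV
2016-12-02T10:00:04 shop-d card-1111 DECLINED_CVV
2016-12-02T10:00:04 shop-e card-1111 DECLINED_CVV
2016-12-02T10:00:05 shop-e card-1111 DECLINED_CVV
2016-12-02T10:00:05 shop-f card-1111 DECLINED_CVV
2016-12-02T10:00:06 shop-f card-1111 APPROVED
2016-12-02T10:05:00 shop-a card-2222 DECLINED_CVV
2016-12-02T10:30:00 shop-a card-2222 APPROVED
"""


def parse_log(text):
    """Return (timestamp, merchant, card, outcome) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, merchant, card, outcome = line.split()
        events.append((datetime.fromisoformat(ts), merchant, card, outcome))
    return events


def per_merchant_policy(events, limit=20):
    """Weak policy: each merchant counts a card's failures alone; flag only past `limit`."""
    failures = defaultdict(int)
    flagged = set()
    for _, merchant, card, outcome in events:
        if outcome != "APPROVED":
            failures[(merchant, card)] += 1
            if failures[(merchant, card)] > limit:
                flagged.add(card)
    return flagged


def issuer_wide_policy(events, max_failures=5, window=timedelta(minutes=10)):
    """Corrected policy: count failures per card across every merchant in a sliding window.

    Returns {card: {"at": time flagged, "merchants": distinct merchants seen, "failures": n}}.
    """
    recent = defaultdict(deque)       # card -> timestamps of failures inside the window
    merchants = defaultdict(set)      # card -> merchants where failures were seen
    flagged = {}
    for ts, merchant, card, outcome in sorted(events):
        if outcome == "APPROVED":
            continue
        q = recent[card]
        q.append(ts)
        merchants[card].add(merchant)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and card not in flagged:
            flagged[card] = {"at": ts, "merchants": len(merchants[card]), "failures": len(q)}
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-merchant policy flags:", per_merchant_policy(evts) or "nothing")
    print("issuer-wide policy flags:", issuer_wide_policy(evts))
```

On the constructed log the per-merchant policy flags nothing, while the issuer-wide count trips on the fifth decline, three merchants in, well before the sequence ends; the same correlation is what a step-up mechanism such as Verified by Visa gives the issuer a chance to apply.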

via: pandasecurity

Duolingo gets social

Duolingo, the popular language learning app, has long made learning a new language accessible to anybody with a computer or smartphone. Unlike being in a traditional class environment, though, using Duolingo was always a rather lonely experience. The company, whose app has now been used by over 150 million people, realized as much and today, with the launch of Duolingo Language Clubs, it’s adding a new (and optional) social component to its language learning experience.

The company likens the clubs, which are now available in both the iOS and Android versions of its app, to having gym buddies — but for your brain. The clubs allow you to share a newsfeed with your accomplishments with your friends — and to make the experience competitive, there’s also a weekly leaderboard.

“Learning a language is an inherently social experience,” said Duolingo co-founder and CEO Luis von Ahn in today’s announcement. “One of the hardest things about learning a language is staying motivated, and we believe this new feature will draw friends and family together around a common goal to help our users hit their goals more quickly.”

The new social features are now available for speakers of English, Spanish, Portuguese, French, German, Italian, Russian, Dutch, Hungarian, Ukrainian, Turkish, Korean, Chinese, Japanese, Vietnamese, Indonesian, Greek, Romanian, Czech, Polish, Thai and Hindi.

The fact that Duolingo announced the new features today is probably no accident. With January 1st only a few days off, plenty of people are surely adding “learn a new language” to their New Year’s resolutions (which they will promptly forget in a week or two). Add a slew of new smartphone owners (who got their new gadgets for Christmas) to that list and December and January are likely pretty important months for Duolingo.

via: techcrunch