Small businesses beware! Point-of-sale malware is after you

Malware targeting point-of-sale (POS) systems has been a major trend of the last six months or so, with a flock of interrelated malware families being sold, shared, exchanged, tweaked and improved by the various denizens of the cyber underworld.

With easy pickings to be had from under-protected small operations, this pattern is only going to grow until people start fighting back with better system security, and ideally better payment card systems.

How point-of-sale malware works

A few weeks ago I looked at a report highlighting the high levels of data breaches in the retail and food and drink sectors, areas not famed for handling large bank accounts or valuable industrial secrets.

For some time before that, we’ve seen a number of reports on malware strains targeting POS systems. Both here on this blog and elsewhere, I’ve read reports analysing a slew of attacks, all aiming to harvest data from POS systems. The main aim is to pick up small batches of card numbers from mom-and-pop operations where the least attention is paid to best security practices.

These are in a way the opposite of the high-profile, high-sophistication targeted attacks which make most of the headlines these days. Big-name brands are rarely involved, and no huge sums of money are being stolen from any single victim.

Instead, large numbers of smaller targets are being taken for small amounts of cash, in the end making for big windfalls for the bad guys with much less risk of aggressive countermeasures.

POS present

These malware families are being diligently worked on to improve and expand their functionality, and as most seem to be available for sale to anyone willing to buy them online, their implementation grows more diverse by the day.

The functionality is used as a standalone data exfiltration technique in more focused attacks, or rolled into more general-purpose crime kits, which can probe for any likely POS data just as they would for anything else of potential value.

In the last week or two, there have been some detailed analyses of some of the major strains, including a multipart blog series from Trustwave’s SpiderLabs, whose annual report inspired my first look at this topic.

More recently, we’ve seen a hugely in-depth study from Team Cymru, a specialized Internet security research firm dedicated to making the Internet more secure. Their report covers several of the major POS-targeting families, particularly one they dub ‘Alina’, and includes some basic recommendations for businesses on how to mitigate such attacks.

Both these studies highlight the complex web of interrelationships between several seemingly different malware strains, the similarities being in the structure of their command and control systems.

This implies some degree of organisation and pooling of ideas and resources. All of this effort is aimed purely at harvesting card info, and converting that info into cash.

What payment systems are affected?

To clear up some misunderstandings from recent pieces on this topic, these problems don’t only affect operations in the US, where the EMV or ‘Chip and Pin’ system hasn’t yet been implemented. There have been reports of data breaches all over the world, but they do share one common trait: they all impact locations where the chip-and-pin system is not widely used.

Outside of the US, this is mainly international hotels where large numbers of foreign guests are processed. In the US, it’s just about anywhere.

The chip-and-pin system itself is not entirely perfect, as we’ve seen some reports of that being bypassed too, but they seem to be almost exclusively physical breaches, where pin-reading machines have been doctored, or replaced with Trojan lookalikes.

That kind of attack is pretty hard to defeat of course – you can be as careful as you like with your anti-virus updates, your software patches and your firewall rules, but if the bad guys can come into your house and replace your PC with an identical-looking one under their control, it’s basically game over.

Mitigation: what can be done to stop point-of-sale attacks?

Chip-and-pin at least provides some protection against the indiscriminate data-harvesting conducted by the likes of ‘Alina’, ‘Vskimmer’ and ‘Dexter’. Once it is properly and universally adopted, with no-one anywhere carrying old-style, easily copied ‘Track 2’ style cards, this whole cabal of scammers should be out of business.

In the meantime, there are some things business owners can do to protect themselves, starting with the basics of ensuring all software running on their customer-facing networks is kept up-to-date with the latest patches. They should also ensure that any services allowing remote access have secure passwords – many of these attacks have simply used default passwords in common tools to penetrate networks.

In happier news, a convicted Romanian carder has invented a device which protects ATMs from card-skimming add-ons. Joy.

Via: sophos


Flickr Announces One Free Terabyte Of Storage Space Per User, Officially Beating Everyone

Yahoo’s Flickr photo-sharing service is now offering one full terabyte for users, enough storage space to hold whole swathes of the world’s photos. The service is offering this benefit in addition to its full resolution photo storage service.

While the average user will probably not touch the outer limits of this storage space in a lifetime, this alone is probably enough to draw dedicated photographers to the service and, more importantly, bring lapsed users back to the Yahoo fold.

This move is important. Given the odd nature of most photo sharing services, you are either limited to a few dozen gigabytes or, in the case of Instagram and other mobile services, an unstated upper limit that is not part of the marketing collateral. While I don’t doubt that Google or Facebook could make the terabyte claim in the near future, being first to market with this particular feature is an important milestone.

This move is quite clearly a play by Yahoo to make its wares relevant. The long-beleaguered Flickr has at once enthralled and frustrated pro users with claims of abandonment by the web giant.

As Marissa Mayer noted in her presentation, this is about “bringing lifetimes of beauty into Flickr.” It’s also about convincing casual photographers to trust Flickr as a universal shoebox for their old snaps – a lucrative and surprisingly important thing to be.

Via: techcrunch


Syria goes dark for a while

The ATLAS infrastructure leverages Arbor Networks’ world-wide service provider customer base to gather data about Internet traffic patterns and threats. Currently 246 of Arbor’s customers are actively participating in the ATLAS program, and are sharing data on an hourly basis.

The data shared includes information on the traffic crossing the boundaries of participating networks, and the kinds of DDoS attacks they are seeing. The graph below shows the cumulative ‘total’ traffic (to/from) Syria across all of these participating networks. This does not show the total traffic into and out of Syria; it is simply a snapshot taken from the vantage point of 246 network operators around the world. As you can see, traffic drops to virtually nothing earlier on today. The actual traffic interruption is likely to have occurred between 1000 and 1100 today; the graphs show the interruption an hour later than this due to the variable, hourly reporting from ATLAS participants to our servers.

(UPDATED: as of 5:50am ET on 12/1/12)

[Graph: traffic to/from Syria as seen across ATLAS-participating networks]

As a reminder, this is not the first time we have seen a complete cut off of Internet access in the Middle East. You may recall back in January 2011, something similar occurred in Egypt,

[Graphs: Egypt traffic, January 2011]

UPDATE: Syria’s back online

[Graph: Syria traffic after connectivity was restored]


Apple fixes 41 iTunes security flaws, some more than a year old

Apple has released iTunes 11.0.3 for OS X and Windows today.

This update fixes a certificate validation issue for both Mac and Windows. If this vulnerability were exploited, an attacker would be able to spoof an SSL certificate without a warning being presented, allowing the attacker to potentially execute arbitrary code.

They also fixed 40 other vulnerabilities in the Windows version of iTunes, which sounds really terrible (and might be), until you consider why.

iTunes renders a lot of HTML and Mac users already have the WebKit-based browser, Safari, installed on their Macs.

The Windows version of iTunes cannot rely on the Safari version of WebKit being present (thank God Apple doesn’t require Safari to be installed), so Apple includes the needed libraries inside of the iTunes for Windows package.

What is unclear is why Apple has waited for so long to release these fixes for Windows users of iTunes. Let’s take a look at the history of the oldest vulnerability fixed, CVE-2012-2824.

CVE-2012-2824 is a “use after free” vulnerability in the SVG parsing code in WebKit. It has a CVSS severity score of 10, is considered easy to remotely exploit and could result in remote code execution (RCE).

It was first reported on 27 April 2012 by miaubiz and was fixed in Google Chrome’s implementation of WebKit on 26 June 2012, about 2 months from initially being reported.

Apple’s first attempt at fixing this flaw was in iOS 6.0.1 and Safari 6.0.2 on 1 November 2012, approximately six months after being reported.

It is one of the vulnerabilities bundled into today’s iTunes 11.0.3 update, more than one year after disclosure.
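The bug class behind CVE-2012-2824 is worth seeing in miniature. The following is an added illustration, not WebKit or Apple code and not the actual SVG defect: a toy element record, a renderer-side cache that remembers the element it last used, and two ways of wiring them together. The unsafe pattern stores a raw pointer and lets the element be freed underneath it; the hardened pattern makes the cache a reference holder, so the object cannot be freed while anyone still points at it. All names (Element, Cache, element_create, cache_set, demo_lifetime) are invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a parsed element (constructed for this example; not WebKit code). */
typedef struct Element {
    char name[16];
    int refcount;          /* number of live references to this object */
} Element;

/* A renderer-side cache that remembers the element it last drew. */
typedef struct Cache {
    Element *current;
} Cache;

Element *element_create(const char *name)
{
    Element *e = calloc(1, sizeof *e);
    if (e == NULL) return NULL;
    strncpy(e->name, name, sizeof e->name - 1);   /* calloc leaves a terminating NUL */
    e->refcount = 1;       /* the creator holds the first reference */
    return e;
}

void element_retain(Element *e)
{
    if (e != NULL) e->refcount++;
}

/* Drop one reference; the object is freed only when the last holder lets go. */
void element_release(Element *e)
{
    if (e != NULL && --e->refcount == 0) free(e);
}

/* Unsafe pattern (deliberately never called here): the cache stores a raw
   pointer without taking a reference. Once the tree owner releases the element,
   c->current dangles and any later read through it is a use-after-free. */
void cache_set_unsafe(Cache *c, Element *e)
{
    c->current = e;
}

/* Hardened pattern: the cache participates in ownership, so the element cannot
   be freed while the cache still points at it. Retain the new element before
   releasing the old one so that setting the same element twice is harmless. */
void cache_set(Cache *c, Element *e)
{
    element_retain(e);
    element_release(c->current);
    c->current = e;
}

/* Walks the scenario: the owner creates an element, the cache holds it, the
   owner drops its reference. Returns 1 if the cached element is still valid
   and carries exactly one reference (the cache's) at that point, 0 otherwise. */
int demo_lifetime(void)
{
    Cache cache = { NULL };
    Element *rect = element_create("rect");
    if (rect == NULL) return 0;

    cache_set(&cache, rect);           /* refcount: 2 */
    element_release(rect);             /* owner is done; refcount: 1, object alive */
    rect = NULL;                       /* owner must not touch its pointer again */

    int still_valid = cache.current != NULL
                   && cache.current->refcount == 1
                   && strcmp(cache.current->name, "rect") == 0;

    cache_set(&cache, NULL);           /* last reference dropped: freed here, once */
    return still_valid && cache.current == NULL;
}

int main(void)
{
    printf("cached element survives owner release: %s\n",
           demo_lifetime() ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is that lifetime is decided by the count of holders, not by whichever component happens to call free first; with the unsafe `cache_set_unsafe`, the same sequence of calls would leave the renderer reading freed memory, which is exactly the condition an attacker-controlled document can steer toward code execution.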

Another vulnerability of note fixed in today’s Windows version of iTunes is CVE-2012-5112, or, as it is better known, the Pinkie Pie vulnerability from Google’s Pwnium 2 contest at the Hack in the Box 2012 conference.

In combination with another flaw this bug won Pinkie Pie $60,000 USD and a Chromebook courtesy of Google.

While I do question the amount of time Apple needed to fix these bugs, that isn’t the point of this post.

The point is you should update iTunes now, especially if you are a Windows user who needs it to manage your music, movies, TV shows, iPad or iPod.

The latest version of iTunes for Windows or OS X is always available at http://www.apple.com/itunes/download/.

Via: nakedsecurity


Patch day from Microsoft

Microsoft released its monthly security update today that fixes a critical flaw in Internet Explorer (IE).

Users are being advised to update their systems following the release of Microsoft’s monthly Patch Tuesday security update, as the May edition includes a critical fix for a zero-day vulnerability in IE and one other flaw rated by the company as a critical security risk.

If exploited, the flaws could allow an attacker to remotely execute code on a targeted system.

Microsoft has listed the critical patches as a top deployment priority, as have most of us in the industry.

The flaws affect every currently supported version of both IE and Windows, which, along with the zero-day status, makes the deployment an important fix for all users.

Other security issues addressed in the update include eight bulletins rated by Microsoft as important security risks. The flaws include remote code execution as well as a denial of service and another elevation of privilege flaw which could prove to be bigger issues for some customers.

Administrators of Windows Server 2012 systems need to patch as a flaw in the HTTP.sys component could be targeted to perform denial of service attacks, possibly crippling a system and preventing user access for the duration of the attack.

Similarly, a flaw in Windows XP could be exploited in conjunction with other attacks.

Running Windows XP is not recommended, as the dated platform has security concerns: for example, an attacker could potentially target one of the Internet Explorer flaws to access a system and then target the elevation of privilege flaw to gain total control over the system and potentially wreak further havoc.

Support for Windows XP is ending on April 8, 2014. If you’re running this version after support ends, you won’t get security updates for Windows.
