Social Malice

According to a Barracuda survey, “One in 100 tweets today are malicious, and one in 60 Facebook posts are as well.” Their survey showed LinkedIn users, as of now, feel the safest, but that may not last for long. It appears LinkedIn attacks may cause more disruption and more of a stir if accounts are compromised.

According to the research, Twitter mainly gets infected the same way search engine poisoning happens. Attackers try to grab the attention of as many viewers as possible and direct them straight into getting infected. Facebook is less likely to have malicious code sneak into your system, but because the links are posted on the walls of presumed trusted friends, end users often feel safer and more readily click on them, allowing their systems to become infected.

More shocking, however, is that Barracuda’s survey of sites on Google, Twitter, Bing and Yahoo over a 153 day period found an astounding 34,627 malware sites, with one in every thousand sites leading to malware.

http://www.darkreading.com/insider-threat/167801100/security/client-security/231901810/social-malice-one-in-100-tweets-and-one-in-60-facebook-posts-are-malicious.html

Fortune 500 RSA attack

A massive attack, hitting about 760 companies earlier this year, led to security vulnerabilities in SecurID tags. A few of these companies include Microsoft, Amazon, Google, Cisco, Intel, IBM, Abbott Laboratories, Charles Schwab and Wells Fargo.

Many Internet Service Providers (Comcast, AT&T, Sprint and Verizon, for example) were also on the list of companies that were attacked. However, it is believed these companies were attacked through their subscribed customers, and not through a direct breach of their own security.

The attack started from a command and control server that was attacked and taken over. However, no one knows yet just how that happened. Anti-virus company McAfee actually let their system become infected with the malware so they could try to reverse engineer the code.

Considering most of these companies were Fortune 500 companies, many security analysts have rightfully voiced concern.

10 Security Issues commonly overlooked

According to a www.techrepublic.com blog, there are 10 security issues that system admins may not even know about.

1) Employees. This one, to a point, I find hard to believe could be overlooked. It may be hard to catch an employee in the act, but generally I think it is assumed employees may, at some point, have some malicious intent. Tight internal security is a must.

2) Common coding mistakes. A mistake in coding may lead to potential attacks. The most common are SQL injections. According to the blog (by Justin James), WordPress is a good example of something one would assume is trustworthy but that contains security issues.

3) Unauthorized machines. Someone brings an outside PC into the network to do a task that the current infrastructure doesn’t allow them to do. James says the best way to avoid this is with “rigorous IP address audits and policies”. Obviously, if a computer cannot get an IP address, it can’t do much damage.

4) Ancient “rock solid” servers. These are the servers that are really old and seem to have been built to last. They haven’t failed yet, so why replace them? Sounds reasonable, but the problem is these servers are so old they probably aren’t getting new updates and/or patches. This leaves them wide open and vulnerable to attacks.

5) Legacy applications. James states many of these applications make the system vulnerable because they are often not running the current version and/or have been discontinued.

6) Local admins. Certain people are given local admin permissions when they probably shouldn’t have them. Many times people get said permissions by accident, so James states it is best to reset the list of admin permissions regularly.

7) Incorrect share/file permissions. It’s very important to make sure sensitive documents are not available to be viewed by everyone. Without strict measures, anyone can view potentially sensitive information.

8) Hidden servers within applications. These may be installed without anyone’s knowledge, so they must be carefully monitored to ensure they are secured properly.

9) VPN clients. With a VPN, admins must constantly monitor who is logging onto the network and compare them against the list of authorized systems to ensure no unauthorized machines are logging on.

10) Disabled security software. People sometimes try to circumvent security software (with anonymizers, for example). They may think they are “too smart” to create a security issue and/or leak, but often it doesn’t depend on them making a mistake.

So these are Justin James’ top ten overlooked security issues. Which do you think are the most important out of these?

http://www.techrepublic.com/blog/10things/10-security-problems-you-might-not-realize-you-have/2768

Willingly allowing to be tracked?

An American citizen (unsure if he was American-born or naturalized) named Hasan Elahi returned to U.S. soil after leaving the country for a while and was questioned intently by the FBI for over 6 months about his whereabouts, his storage locker in Tampa, FL and whether he may have had connections to Al Qaeda, Islamic Jihad, Hamas or Hezbollah. It appears that he did not, and he had several pieces of evidence that he, in fact, did not. He willingly cooperated above and beyond what the FBI requested, to the point that, after he was cleared, he willingly gave the FBI his personal information (e.g. where he was when he left the country, account information, call logs, pictures of his current locations, etc.). He did this as a symbol to show the FBI he was not trying to do anything fishy, and believed that if he did this, the FBI wouldn’t consider him a suspect for anything else in the future.

Hasan’s belief is that this would not work if every American citizen did it, because the FBI would have to hire some 300 million extra employees to keep up with the data coming in, and he felt his act was more symbolic than anything.

But his final point correlates what he was doing to what people do every day and may not even realize it. When we post where we are, what we’re doing, who we are with, and check in to locations on social networks like Twitter, Facebook, etc., how is that any different from what he was doing with the FBI willingly? Ultimately, the only difference is the information isn’t being directly supplied to the FBI. The FBI could, however, get that information easily by contacting Facebook, for example, subpoenaing the information if needed.

I admit I do use Facebook (the only social network I use), however I never was into telling the world where I was, or what I’m doing or who I’m with. Not strictly because I don’t want people to keep tabs on me, but for the most part I don’t think most people care to know “Oh, he’s at Wal Mart with John Doe. Ok?” But you never know who does want to know. Your jealous ex-girlfriend or ex-boyfriend may want to know.

For me, I’ll stick to posting random sarcastic comments, sports posts and miscellaneous comments here and there.

http://www.nytimes.com/2011/10/30/opinion/sunday/giving-the-fbi-what-it-wants.html?_r=1&pagewanted=all

Duqu the cyberweapon

A new piece of malware has been discovered recently, going by the name Duqu. This program has been shown to look very similar to the one that sabotaged Iran’s nuclear reactors.

This malware, however, is different than Stuxnet (the malware that attacked Iran’s nuclear reactors) in that instead of causing havoc, it was designed to spy and steal sensitive data, also logging keystrokes. Symantec believes all of this could just be the foundation for a cyber attack. So as of now, it’s just in the “gathering information” stage.

Duqu has attacked a few organizations already, the earliest detection dating back to December of 2010. However, multiple variations have been found, leading Symantec to believe this malware has conducted far more spying than originally thought. No one knows, as of yet, who is behind this piece of malware.

Not much is known at all about this malware, and for it to have been out for so many months with so many unanswered questions is cause for great concern. If a cyber attacker were able to sabotage a country’s nuclear reactors so easily, they could easily wreak havoc on the entire planet.

The iPhone that ruined a marriage?

Just a few days ago, according to MacRumors.com, the new iPhone 4S app called “Find My Friends” has claimed its first marriage. The story has not been proven fact or fiction as of yet, but there’s a strong possibility that it’s true.

The man posting the story had installed the app on his wife’s phone without her knowledge. He suspected she was meeting someone in the city, so he installed the app in hopes of catching her. Sure enough, the phone was listed as being at the address he was expecting. He messaged her asking where she was, to which she replied that she was in some other location, and she was effectively caught in her lie. Below is a quote from the man who posted his story on MacRumors.com:

“I got my wife a new 4s and loaded up find my friends without her knowing. She told me she was at her friends house in the east village. I’ve had suspicions about her meeting this guy who live uptown. Lo and behold, Find my Friends has her right there.

I just texted her asking where she was and the dumb b!otch said she was on 10th Street!! Thank you Apple, thank you App Store, thank you all. These beautiful treasure trove of screen shots going to play well when I meet her a$$ at the lawyer’s office in a few weeks.
Thankfully, she’s the rich one.”

One has to contemplate the morality of an app like this, but one need not contemplate the morality of adultery. The iPhone didn’t ruin the marriage, the wife did; it may have just helped end it before things got worse.

Anonymous and HBGary

In February of this year, HBGary announced a new tool called “Razor” to fight off malicious attacks. This specialized tool plugs into corporate networks and scans for various types of malicious code. If Razor finds malicious code, it “detonates” it in a virtual machine and performs low-level tracing on the origin of the code. This would help to reveal the presence of malware inside the company.

HBGary was set to have a booth at RSA to show off what Razor can do. However, when they returned the next morning they found a note left on their booth from Anonymous. This led them to believe that they were now being physically threatened and stalked, and not just cyber-stalked.

The Anonymous hacker group had previously hacked into HBGary Federal’s website, used an SQL injection against its content management system, and was able to crack and change the passwords of its employees, effectively locking them out of their own accounts. From there they were able to get into HBGary Inc.’s website and recover the email spool of Greg Hoglund, and threatened to release that information, which would cause millions of dollars of damage to the company. All this because HBGary reported they would release a list of alleged participants of Anonymous.

Greg Hoglund logged into an Anonymous IRC chatroom, and the following is a brief excerpt from his conversation with some Anonymous members:

“<+greg> so you got my email spool too then

<&Sabu> yes greg.

<@`k> greg we got everything

<+Agamemnon> Greg, I’m curious to know if you understand what we are about? Do you understand why we do what we do?

<+greg> you realize that releasing my email spool will cause millions in damages to HBGary?

<@`k> yes

<+c0s> greg: another reason its not out yet.

<+Agamemnon> yes we do greg

<@`k> greg is will be end of you :) and your company”

HBGary withdrew from the RSA presentation over personal safety concerns, and it appears the attacks from Anonymous against HBGary are not completely over yet. “They’re in it for the laughs… this is a real funny game for them,” said a spokesman for HBGary.

Facebook security: An oxymoron?

Facebook has been under fire for some time now for their alleged “data-mining” procedures. They have recently had more attention brought against them by two lawmakers over their tracking technology, who are calling for a Federal Trade Commission (FTC) investigation. The issue came up when an Australian blogger noticed that, even while an end user is logged out of the site, Facebook may continue to monitor their online activities.

The Data Protection Commissioner’s Office was already planning on auditing Facebook, even before a European group brought to light the ability for people to request the information that Facebook stores about them. They also show on their website just how to request and receive that information. These recent findings and reports have since accelerated the commission’s audit of Facebook.

Tidserv infections

Tidserv infections are very common nowadays, and more than just a little annoying. Tidserv malware can be installed on an unsuspecting client’s machine with no clear indication that it has even been affected. Fake URLs, peer to peer (P2P) software (like uTorrent), instant messaging links and/or downloads, and even legitimate websites hacked by some ill-willed individual are some of the ways a computer may become infected.

Internet scamming has become even more profitable than the drug trade. Tidserv is a major contributing factor in this. The process is simple. A malicious coder will disperse the infection in the aforementioned ways. Once he/she has infected computers, he/she will be able to send out even MORE malicious code, or the “flavor of the week.” They may have complete control of that computer, with the ability to install key-loggers to steal passwords and bank information. They may also install rogue “anti-virus” software like “XP Security Software 2012.” Cleverly named to mislead people, this fake anti-virus will claim to detect multiple infections on your computer, and you would need to pay for the program in order to remove them. But, of course, when you pay, nothing happens. You just give a crook your hard-earned money and get more malware in the process. Tidserv may also hijack your web browser, and no matter how many times you change it, it always goes back to whatever website Tidserv sets the browser to.

Even more annoying are the Tidserv infections that attack the master boot record (MBR). These infections live on a separate partition on the hard drive, so even a format wouldn’t rid the hard drive of the infection. Upon re-installation of the operating system, the infected MBR would just re-infect the computer. Specialized tools are needed to remove Tidserv from the MBR of a hard drive.

Tidserv infections are versatile, and sometimes pretty tricky to fight. They have the ability to phone home for the latest updates to themselves, making them just that much harder to get rid of. By infecting a system with its own code, the infection can sometimes remain virtually hidden from even the best anti-virus programs out there. Education is the best way to help prevent a computer from being infected, though nothing is 100%. Keep an eye out for sudden changes in your computer’s performance, check to see if a new process has started to run during start up, never click on a “fishy” looking link, and never pay for a program that has suddenly appeared on your computer!

IPv6 Transition

With IPv4 addresses running out, and with the multitudes of devices out there that each need their own separate IP address, IPv6 handles the problem nicely. IPv4 can hold ~4.2 billion addresses, but IPv6 can handle ~340 undecillion addresses. However, as with anything new in technology, there’s always the chance for security issues.

IPv6 was set up to try to fix many of the issues that its predecessor had, but one issue with IPv6 will be how all routable devices obtain an address.

Also, with so many of our devices able to connect to the internet now, we may all be tracked using our IP addresses. A simple ping or trace route can send packets of information back to whomever wants to know where exactly we are. Many smart phones have the same issue (like Apple’s iPhone) with their GPS implementation. Privacy will be a major concern, as companies aim to track end users’ data for research, or even someone just maliciously trying to keep tabs on someone. Anonymity will be faced with some major challenges.

By default, IPv6 actually releases a product’s MAC address. A MAC address is a static number, much like a serial number, that is unique to each individual product. By acquiring a MAC address, you can find out who exactly owns the product. And by pinging or using trace route, you can know exactly where “John Doe” is at any time.
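
To make the MAC leak concrete, here is an added example (not code from the original post) that builds the modified EUI-64 interface identifier stateless autoconfiguration derives from a MAC address, forms the resulting IPv6 address, and checks whether an observed address gives the MAC away (returning None for randomised identifiers). The MAC address and the 2001:db8::/32 documentation prefix are constructed sample values.

```python
"""Modified EUI-64 interface identifiers (RFC 4291, Appendix A).
Added example, not code from the original post; the MAC and the 2001:db8::/32
documentation prefix below are constructed sample values."""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 identifier SLAAC derives from a MAC.

    Split the 48-bit MAC in half, insert 0xFF 0xFE between the halves, then
    flip the universal/local bit (0x02) of the first byte.
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = eui64_interface_id(mac)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the interface identifier is EUI-64 shaped.

    Returns None when the ff:fe marker is absent, which is what you want to
    see on hosts using randomised identifiers (RFC 4941). A random identifier
    can contain ff:fe by chance, so treat a hit as a strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed sample host: shows how much the address gives away.
    addr = slaac_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e")
    print(addr, "->", mac_from_address(str(addr)))
```

Run against your own hosts’ global addresses, a non-None result means the interface identifier is exposing the hardware address.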

This issue has been recognized, as a research team devised Moving Target IPv6 Defense (MT6D), which is a way for people to communicate over the internet while still maintaining their anonymity to an extent. However, nothing is 100% in security, so it will be interesting to see how the “bad guys” try to find a way around this.