Saturday, September 29, 2012

Top 5 deadliest mobile malware threats of 2012

The most prolific and complex mobile malware threats to appear so far in 2012

While the amount of malicious software focused on the growing number of mobile devices on the market remains a drop in the bucket next to the amount targeting PCs, attackers are steadily turning the devices in consumers' pockets into targets.

So far this year, several pieces of malware have popped onto the radar and underscored the growing sophistication of cybercriminals targeting mobile devices. After fielding feedback from security pros, here in no particular order is Dark Reading's list of the five most dangerous, sophisticated, and prolific pieces of mobile malware that have appeared thus far in 2012.

1. FakeInst SMS Trojan and its variants. "FakeInst disguises itself as popular apps like Instagram, Opera Browser, [and] Skype, and sends SMS messages to premium-rate numbers," says Jerry Yang, vice president of engineering at mobile security firm TrustGo.

It was selected because it has infected so many devices. There are many variants in the FakeInst family, such as RuWapFraud, Depositmobi, Opfake, and JiFake. Sixty percent of the total Android malware we found belongs to the FakeInst family. Geographically, it exists mainly in Russia, though samples have also been found all over the world.

2. SMSZombie. Recently spotted in third-party markets in China, SMSZombie has infected more than 500,000 devices in the past few weeks. The malware works by sending SMS messages to China Mobile's online payment system to "top up" accounts designated by the attacker.

The amount of each payment, its frequency, and its destination are all controlled by the malware developer. It is significant because it takes extra steps to protect itself: once installed, it obtains Device Administrator privileges, which makes it very difficult to remove and prompted TrustGo to publish a manual removal procedure on its blog. We expect more Android malware to adopt similar self-protection techniques.

3. NotCompatible. Discovered by Lookout Mobile Security in April, NotCompatible is the first piece of mobile malware to use websites as a targeted distribution method, notes Derek Halliday, lead security product manager at Lookout.

NotCompatible is downloaded automatically when an Android browser visits an infected website (a drive-by download). The downloaded application is disguised as a security update to convince the user to install it. If installed, NotCompatible can turn the infected Android device into a network proxy, potentially giving the attacker a foothold inside private networks and access to the protected information or systems behind them.

4. Android.Bmaster. Bundled with legitimate applications, Android.Bmaster was spotted on a third-party Android app market earlier this year. The majority of infected victims were Chinese users.

Once on the device, the malware stole sensitive data from the phone, including the Cell ID, location area code, and IMEI (International Mobile Equipment Identity) number, and sent SMS messages to premium-rate numbers from the victim's phone.

Analysis of Android.Bmaster's command-and-control servers indicates that the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands. The number of infected devices able to generate revenue on any given day ranged from 10,000 to 30,000, enough to potentially net the botmaster millions of dollars annually if the infection rates are sustained.

5. LuckyCat. LuckyCat was the name given to a campaign of targeted attacks against the aerospace and energy industries in Japan, as well as Tibetan activists and others. To broaden their reach, the perpetrators brought the attack to the Android platform.

Once installed, the application displays a black icon with the text "testService" and opens a backdoor on the device through which it steals information. LuckyCat is the first APT (advanced persistent threat) campaign to target the Android platform.

Source: Dark Reading

Thursday, September 27, 2012

NIST Drafting Guide on Media Sanitization

Evolving Storage Environment Creates Need for Revised Guidance

The National Institute of Standards and Technology is revising guidance aimed at helping organizations sanitize data based on the confidentiality of the stored information. Draft NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization discusses methods, techniques and best practices for the sanitization of data on different types of media, employing risk-based approaches to establish and maintain a media sanitization program.

The revised guidance doesn't specifically address all known types of media, but it does describe a sanitization decision process that can be applied universally. NIST is seeking public comment on the draft guidance to consider before issuing a final report.

Comments should be submitted by Nov. 30.

Put simply, sanitization makes access to the data on a piece of media infeasible. The proposed guidance identifies three types of sanitization:

Clear: Applies logical techniques to sanitize data in all user-addressable storage locations, protecting against simple, non-invasive data recovery techniques. It is typically applied through the storage device's standard read and write commands, for example by overwriting with a new value or, where overwriting is not supported, by using a menu option to reset the device to its factory state.

Purge: Prescribes physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques.

Destroy: Renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data.
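As an added example (not part of the NIST draft or of this post), here is what the Clear method looks like in practice: a single fixed-pattern pass issued through ordinary write commands over every user-addressable byte, followed by a full read-back verification, which the draft also calls for. The fill byte and the temporary-file fixture are illustrative. Two caveats a practitioner should keep in mind: run against a file, this reaches only that file's current blocks (not the filesystem journal, slack space or older copies), so clearing a device means running it against the whole block device; and on flash-based media (SSDs, USB sticks, phones) wear leveling means a host-issued overwrite may never reach every physical cell, which is why the draft reserves Purge for device-level commands such as ATA Secure Erase, block erase or cryptographic erase rather than overwriting.

```python
"""NIST SP 800-88 "Clear" in practice: one fixed-pattern pass over every
user-addressable byte, issued through ordinary writes, then a full read-back
verification.  Added example; `fill` and the temp-file fixture are illustrative."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per write/read


def _media_size(fh):
    """Byte size of a regular file or a block device.  os.stat reports 0 for
    block devices on Linux, so seek to the end instead."""
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def overwrite(path, fill=0x00):
    """Single-pass overwrite of `path` with the byte `fill`; returns bytes written.
    Pointing this at a block device (e.g. /dev/sdX as root) destroys it entirely."""
    block = bytes([fill]) * CHUNK
    with open(path, "r+b") as fh:
        size = _media_size(fh)
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            fh.write(block[:n])
            written += n
        fh.flush()
        os.fsync(fh.fileno())  # the data must reach the device, not just the page cache
    return written


def verify(path, fill=0x00):
    """Full read-back: every byte must equal `fill`.
    Returns (ok, first_bad_offset); the offset is None when ok."""
    expected = bytes([fill]) * CHUNK
    with open(path, "rb") as fh:
        size = _media_size(fh)
        pos = 0
        while pos < size:
            data = fh.read(min(CHUNK, size - pos))
            if not data:               # short read: device returned less than its size
                return False, pos
            if data != expected[:len(data)]:
                bad = next(i for i, b in enumerate(data) if b != fill)
                return False, pos + bad
            pos += len(data)
    return True, None


def clear(path, fill=0x00):
    """Clear = overwrite + verify.  Returns a small report dict."""
    written = overwrite(path, fill)
    ok, bad_at = verify(path, fill)
    return {"bytes_written": written, "verified": ok, "first_bad_offset": bad_at}


def _with_scratch_file(size, action):
    """Run `action(path)` on a throwaway file holding `size` constructed random bytes."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(os.urandom(size))
        return action(path)
    finally:
        os.unlink(path)


def demo_clear():
    """Clear a file whose size is deliberately not a multiple of CHUNK."""
    return _with_scratch_file(3 * CHUNK + 12345, clear)


def demo_detects_residue():
    """Clear, then corrupt one byte to show that verification catches it."""
    def action(path):
        clear(path)
        with open(path, "r+b") as fh:
            fh.seek(CHUNK + 7)
            fh.write(b"\xff")
        return verify(path)
    return _with_scratch_file(2 * CHUNK, action)


if __name__ == "__main__":
    print(demo_clear())            # {'bytes_written': 3158073, 'verified': True, 'first_bad_offset': None}
    print(demo_detects_residue())  # (False, 1048583)
```

The verification is a full read-back rather than the sampling the draft permits, because on anything but very large media the extra time is negligible next to the overwrite itself.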

Monday, September 24, 2012

New malware "Mirage" targeting energy firms

Malware targets individuals via "spear-phishing" e-mails bearing tainted PDF files

Researchers have uncovered a new cyberespionage campaign being waged against a large Philippine oil company, a Taiwanese military organization and a Canadian energy firm, as well as targets in Brazil, Israel, Egypt and Nigeria.

The malware being used is called "Mirage," and it leaves a backdoor on the computer that waits for instructions from the attacker, said Silas Cutler, a security researcher at Dell SecureWorks' Counter Threat Unit (CTU). Victims are carefully targeted with so-called "spear-phishing" e-mails carrying attachments that are "droppers" designed to look and behave like PDF documents.

However, they are actually standalone executable files that open an embedded PDF as a decoy and execute the Mirage trojan. The malware disguises its "phone home" communications to resemble Google searches and wraps them in Secure Sockets Layer (SSL) encryption in order to avoid detection, Cutler wrote in a report this week.

Researchers were able to take over domains used in the campaign whose registrations had lapsed or expired, and used them to set up a "sinkhole" designed to receive any communications from infected computers. By pretending to be a command-and-control server, they learned that about 80 unique IP addresses appeared to be infected, accounting for as many as 120 individual computers.
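Turning sinkhole traffic into the kind of figures quoted above (unique IP addresses versus individual computers) is mostly log triage. The Python below is an added example and is not the CTU's tooling: the log lines, the sinkholed domain name and the beacon encoding (a Google-search-lookalike path whose q= parameter carries base64("<hostname>|<os>")) are all constructed for illustration, since the post does not describe Mirage's real format. It shows the two things a practitioner wants from a sinkhole: separating beacons from crawler noise by checking that the disguise is inconsistent (a "Google search" sent to a host that is not Google), and counting distinct machines behind each source IP so that NAT does not undercount the infection.

```python
"""Sinkhole beacon triage.  Added example: the log format, the sinkholed domain
and the beacon encoding are constructed for illustration; the post does not
describe Mirage's real protocol and this is not the CTU's tooling."""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote, urlsplit

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) \S+" host=(?P<host>\S+)$'
)


def encode_beacon(hostname, os_name):
    """Assumed (constructed) beacon payload: URL-quoted base64('<hostname>|<os>')."""
    return quote(base64.b64encode(f"{hostname}|{os_name}".encode()).decode(), safe="")


def _line(ts, ip, target, host="expired-c2.example"):
    return f'{ts} {ip} "GET {target} HTTP/1.1" host={host}'


# Constructed sinkhole log: two machines beacon from behind one NAT address
# (203.0.113.17), one of them repeats an hour later, and one line is crawler noise.
SAMPLE_LOG = "\n".join([
    _line("2012-09-10T08:15:02Z", "203.0.113.17", "/search?hl=en&q=" + encode_beacon("FIN-PC-01", "WINXP")),
    _line("2012-09-10T08:15:31Z", "203.0.113.17", "/search?hl=en&q=" + encode_beacon("FIN-PC-02", "WINXP")),
    _line("2012-09-10T08:16:10Z", "198.51.100.5", "/search?hl=en&q=" + encode_beacon("ENG-PC-07", "WIN7")),
    _line("2012-09-10T08:17:45Z", "192.0.2.44", "/favicon.ico"),
    _line("2012-09-10T09:15:03Z", "203.0.113.17", "/search?hl=en&q=" + encode_beacon("FIN-PC-01", "WINXP")),
])


def looks_like_google_search(target, host):
    """True when the request is shaped like a Google web search (/search?q=...)
    but was sent to a host that is not Google: the disguise only survives
    casual inspection, never a check of where the traffic actually went."""
    parts = urlsplit(target)
    if parts.path != "/search" or "q" not in parse_qs(parts.query):
        return False
    h = host.lower().rsplit(":", 1)[0]          # drop an explicit port
    return not (h == "google.com" or h.endswith(".google.com"))


def decode_beacon(target):
    """Undo encode_beacon(); returns (hostname, os) or None when q= is not a beacon."""
    values = parse_qs(urlsplit(target).query).get("q")
    if not values:
        return None
    try:
        raw = base64.b64decode(values[0], validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    hostname, sep, os_name = raw.partition("|")
    return (hostname, os_name) if sep else None


def triage(log_text):
    """Count beacons, source IPs and distinct machines (hostnames) per IP."""
    hosts_by_ip = defaultdict(set)
    beacons, ignored = 0, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not looks_like_google_search(m["target"], m["host"]):
            ignored += 1
            continue
        decoded = decode_beacon(m["target"])
        if decoded is None:
            ignored += 1
            continue
        hosts_by_ip[m["ip"]].add(decoded[0])
        beacons += 1
    return {
        "beacons": beacons,
        "unique_ips": len(hosts_by_ip),
        "unique_hosts": len(set().union(*hosts_by_ip.values())) if hosts_by_ip else 0,
        "nat_ips": sorted(ip for ip, hs in hosts_by_ip.items() if len(hs) > 1),
        "ignored": ignored,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the constructed sample this reports four beacons from two IP addresses but three distinct machines, with 203.0.113.17 flagged as a NAT gateway; the favicon request is discarded as noise. The same host-not-Google test is worth running over proxy logs inside the victim network, where it catches the disguise even without a sinkhole.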

"Deeper analysis of the phone-home requests and correlation with social networking sites allowed CTU researchers to identify a specific individual infected with Mirage. It was an executive-level finance manager of the Phillipine-based oil company," the report says.

Researchers couldn't say what data the attackers were aiming for, but it's not difficult to speculate given that countries are vying for oil and gas exploration rights in the South China Sea. It's unclear who is behind the campaign, but whoever sponsored it is "well funded and very active," said Joe Stewart, director of malware research at Dell SecureWorks.

While he declined to speculate who sponsored the campaign, the report said proxy software used on some of the command-and-control servers was created by a member of a Chinese hacker group called the "Honker Union of China." 

"We interrupted their command chain, so we don't know what documents they're looking for," he said. "Typically it's competitive information." The researchers believe that whoever is responsible also played a part an espionage campaign earlier in the year that targeted Vietnamese oil companies and government ministries, an embassy, a nuclear safety agency and others in various countries.

The command-and-control IP addresses used in the Mirage campaign belong to the China Beijing Province Network, as did three of the IP addresses used in the earlier "Sin Digoo" malware campaign, according to the researchers. This is the latest in a number of reports of international cyberespionage that have cropped up in recent years, with energy, defense and critical infrastructure firms increasingly being targeted.

Saturday, September 22, 2012

8-Point Data Security Plan for POS Security

Basic Security Steps for Smaller Merchants

To help retailers address common network vulnerabilities, PCATS, the Coalition of Associations for Retail Data Security (CARDS) and the National Restaurant Association (NRA) are assisting smaller merchants with basic security steps, steps that address risk mitigation rather than compliance with a security standard.

They have developed a list of eight points for POS security. The 8-Point Data Security Plan, as the NRA refers to it, aims to simplify POS security. 

Liz Garner, director of commerce and entrepreneurship at the NRA, says the association is working with organizations like CARDS and PCATS to help restaurants look beyond the Payment Card Industry security standards. "We're trying to educate restaurateurs about security," Garner says. "They just need a simple guide that provides the very basics. PCI is too complex."

Thursday, September 20, 2012

The Bible of Risk Assessment

NIST Issues Risk Assessments Guidance

Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other organizations in and out of government.

The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other.

Continuous Monitoring

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor systems continuously so that they can determine whether risks have increased to unacceptable levels, such as exceeding organizational risk tolerance. And it offers insights on different courses of action that should be taken.

Information technology risks include risk to the organization's operations, such as mission and reputation, as well as its critical assets, including data and physical property as well as individuals who are part of or served by the organization.

Can't Protect Everything

The new publication focuses exclusively on risk assessment, the second step in the information security risk management process. The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, the impact to missions and business operations, and the likelihood that a threat will exploit a vulnerability in an information system or its physical environment to cause harm or adverse consequences.

With the issuance of the revised SP 800-30, the original series of five key computer security documents (including SP 800-39) envisioned by the Joint Task Force to create a unified information security framework for the federal government is complete. The Joint Task Force is a partnership of NIST, the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems.

Tuesday, September 18, 2012

8 Steps to Promote Secure Mobile Apps

FTC Issues Guide on Getting It Right from the Start

Developing secure mobile applications is just one part of the process in creating new programs. Communicating how applications are secured - whether informing end users in your enterprise or marketing to consumers - is crucial in building IT security awareness among stakeholders.

The Federal Trade Commission has just published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC's new publication, Marketing Your Mobile App: Get It Right from the Start, notes that there are eight general guidelines that all app developers should consider.

The FTC guidelines are:

Tell the truth about what the app can do.

False or misleading claims, as well as the omission of certain important information, can irritate users and land the application developer in legal hot water.

Disclose key information clearly and conspicuously.

Most people react negatively if they think a company tries to pull a fast one by hiding important information. Users are more likely to continue to do business with an organization that gives them the straight story up front.

Build privacy considerations in from the start.

Limit the information collected, securely store data and safely dispose of information no longer needed. For any collection or sharing of information that's not apparent, get users' express agreement. That way, customers aren't unwittingly disclosing information they didn't mean to share.

Offer choices that are easy to find and easy to use.

Make it easy for people to find the tools that are offered and design them so they're simple to use. Follow through by honoring the choices users have made. 

Honor privacy promises.

Chances are assurances are made to users about the security standards and how personally identifiable information is used. App developers must live up to those promises.

Protect children's privacy.

Mobile application developers have additional requirements under the federal Children's Online Privacy Protection Act if the application is designed for minors or if the application collects personal information about children.

Collect sensitive information only with consent.

Even when not dealing with children's information, it's important to get users' approval before collecting any sensitive data from them, such as medical, financial or precise geolocation information.

Keep user data secure.

The law requires application developers marketing their programs to take reasonable steps to keep sensitive data secure. One way to make that task easier: Don't collect information in the first place if there's no specific need for it.

People rely on mobile technology for a lot of stuff and they need to know what the developer has done to lock down apps, to protect against the types of attacks we're seeing.

Sunday, September 16, 2012

Techniques to Protect Yourself on Social Networks

Security tips from ISACA Journal

Vigilance remains the first line of defense for the security, and thus the privacy, of personal information. It can be broken down into a few techniques that are simple but could make all the difference:

Choice of “friends” and contacts—Users should be extremely careful in their choice of friends on these networks. It is common practice to accept contact from friends of friends who are frequently complete strangers. This can lead to one’s private life being exposed to potentially harmful individuals.

Restricting private content to close friends and family only—Social networking sites are increasingly allowing their users to configure restrictions on access to their information. It is, therefore, important to use these restrictions and to ensure that they are properly configured, given that our information is public by default.

Careful choice of information to be broadcast—The key to the protection of privacy is, in fact, what information one broadcasts. Name, surname, date of birth, place of birth, photos, videos, comments and opinions should be carefully screened prior to being posted. Keep in mind that information posted on a network may one day be used against its author.

Awareness—Every sector of the population should be made aware of the need to protect themselves against the risk that the use of social networks may entail. In the business world, this awareness must form part of the IT security program.

Finally, social networks are a great way to express oneself and share with others. They help users lift the barriers of space and time and communicate with the world. However, there is another side to them: the proven danger of violations of user privacy.

These dangers are even greater now because of the increasingly widespread practice of registering on several sites with a single user account. In response, each Internet user must remain vigilant, and governments must put more pressure on the operators of these sites to safeguard the security of Internet users.

Read Guy-Hermann Ngambeket Ndiandukue’s full article, “Social Networks and Privacy—Threats and Protection,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.

Friday, September 14, 2012

How to protect your Android-based mobile

Android Phone Security Tips

Unlike iPhone users, who can only download apps from Apple's App Store, Android phone users can install apps from pretty much anywhere, rather than being locked into Google Play, the official Android store.

This open market policy offers an easy distribution method for malicious applications. In effect, anyone can write an app, and since Android users face no restrictions on what they can install on their smartphones or tablets, the potential to inadvertently install a malicious app is a very real security issue.

According to anti-virus company Sophos, there were around 40 Android threats in 2010 and more than 400 in 2011. Evidence for 2012 suggests that this number will continue to increase.

Here are a few Android phone security tips that will reduce your risk of installing malware.

Avoid unknown sources

You have the option of installing Android apps and games from sources other than Google Play (sometimes known as sideloading). The problem is that many third-party app stores are not safe. If you choose to download an APK file and install it yourself, you could be putting malware on your device.

You may also be sent an APK file in an email or a text message, or you could be prompted to install one after clicking on a link in your web browser. It’s best not to install these unless you are certain it is safe.

To safeguard against inadvertent installation, make sure that the ability to install apps from unknown sources is turned off. It is generally off by default, but it is worth checking. In Android 4.0 and above, go to Settings > Security and make sure Unknown sources is disabled; in earlier versions, go to Settings > Applications and ensure the Unknown sources box is not ticked. If you use the Amazon Appstore, or need to sideload an app for work, you can tick the Unknown sources box for long enough to complete that installation and then disable it again. Just make sure it is off the rest of the time, so that you cannot inadvertently install something dodgy.

Use Google Play

For the most part, the apps and games in Google Play should be safe but just because it’s available through the official Android app store does not mean it’s definitely safe to download. Make sure that you check the rating and read the reviews from other users on each app.

This can highlight potential problems and also technical issues you might encounter with your particular model or device. Don’t rely on Google Play reviews alone because app store ratings can be misleading. In general, the higher the rating and the more downloads an app has had, the safer it is to download. The biggest risk is from new releases which have very little feedback posted. If it hasn’t been downloaded many times and there isn’t much to go on then you might want to do a bit more research before you download.

Search for app reviews online

If you are uncertain about an app then just do a quick Web search. Make sure that the developer and/or publisher has a legitimate website. Try to find independent reviews or discussions in forums. The more separate sources you can find on the app, the better.

Make sure that you have the correct app. Some malware writers will create apps that are designed to look exactly like another popular established app. Check that the app name, developer, and publisher are all correct.
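One concrete check behind "make sure you have the correct app" (and behind deciding whether a sideloaded APK deserves the Unknown sources exception described above) is to look at who signed it rather than at its name: an APK is a ZIP file whose META-INF/*.RSA (or *.DSA) entry holds a PKCS#7 blob containing the signer's certificate, and a lookalike built by someone else cannot carry the genuine developer's certificate. The Python below is an added example, not code from the article or from Google; it walks the DER just far enough to pull the certificates out and compares their SHA-256 fingerprint against a pinned value. The pinned fingerprint would come from the developer's published value or from a copy of the app obtained through Google Play. The fixture builders at the bottom construct a dummy APK and dummy certificates purely for the demonstration: no real signature is produced or checked (Android's installer does the actual signature verification; this only answers "which certificate"). It covers the JAR-style signing scheme, the only one in use on Android in 2012.

```python
"""Pin an APK's signing certificate before sideloading it.  Added example: a
minimal DER walk over the JAR-scheme signature block (META-INF/*.RSA), the only
APK signing scheme that existed in 2012.  The fixture builders at the bottom
construct a dummy APK and dummy certificates; no real signature is made."""
import hashlib
import io
import zipfile


def _tlv(buf, pos):
    """One DER TLV at `pos` (single-byte tags, which is all PKCS#7 needs here).
    Returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start) for each TLV in a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend, pos
        pos = vend


def certificates_from_pkcs7(blob):
    """DER bytes of every certificate in a PKCS#7 SignedData blob, laid out as
    ContentInfo{OID, [0]{SignedData{version, digestAlgs, contentInfo, [0] IMPLICIT certs, ...}}}."""
    tag, s, e = _tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    kids = list(_children(blob, s, e))
    if len(kids) < 2 or kids[0][0] != 0x06 or kids[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")
    sd_tag, sd_s, sd_e = _tlv(blob, kids[1][1])        # SignedData SEQUENCE inside [0] EXPLICIT
    if sd_tag != 0x30:
        raise ValueError("malformed SignedData")
    for t, vs, ve, _ in _children(blob, sd_s, sd_e):
        if t == 0xA0:                                   # [0] IMPLICIT certificates
            return [blob[cs:ce] for _, _, ce, cs in _children(blob, vs, ve)]
    return []


def fingerprint(cert_der):
    """SHA-256 of the certificate DER, colon-separated as keytool prints it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def apk_signer_fingerprints(apk_bytes):
    """Fingerprints of all certificates in META-INF/*.RSA or *.DSA; [] if unsigned."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA")):
                fps.extend(fingerprint(c) for c in certificates_from_pkcs7(z.read(name)))
    return fps


def safe_to_install(apk_bytes, pinned):
    """Signed, and every certificate in the signature block matches the pin.
    'every', not 'any': a lookalike must not pass by bundling the genuine cert
    next to its own.  Chains are rare in APK signing; pin the leaf if you meet one."""
    fps = apk_signer_fingerprints(apk_bytes)
    return bool(fps) and all(fp == pinned.upper() for fp in fps)


# ---- constructed fixtures for the demonstration only --------------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


_OID_SIGNED_DATA = _der(0x06, bytes.fromhex("2A864886F70D010702"))   # 1.2.840.113549.1.7.2
_OID_DATA = _der(0x06, bytes.fromhex("2A864886F70D010701"))          # 1.2.840.113549.1.7.1

# Dummy "certificates": DER SEQUENCEs with a subject string plus >127 bytes of
# padding so the long-form length path is exercised.  Not real X.509.
GENUINE_CERT = _der(0x30, _der(0x13, b"CN=Genuine Publisher (constructed)") + _der(0x04, b"\x00" * 200))
LOOKALIKE_CERT = _der(0x30, _der(0x13, b"CN=Genuine Publisher (constructed)") + _der(0x04, b"\x01" * 200))


def build_demo_apk(cert_der=None):
    """APK-shaped zip; with a cert, adds a PKCS#7 SignedData shell carrying it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        if cert_der is not None:
            signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _OID_DATA)
                               + _der(0xA0, cert_der) + _der(0x31, b""))
            z.writestr("META-INF/CERT.RSA", _der(0x30, _OID_SIGNED_DATA + _der(0xA0, signed_data)))
    return buf.getvalue()


if __name__ == "__main__":
    pin = fingerprint(GENUINE_CERT)                              # value published by the real developer
    print(safe_to_install(build_demo_apk(GENUINE_CERT), pin))    # True
    print(safe_to_install(build_demo_apk(LOOKALIKE_CERT), pin))  # False: same name, different signer
    print(safe_to_install(build_demo_apk(), pin))                # False: unsigned
```

The lookalike fixture deliberately carries the same subject name as the genuine one; the fingerprint differs anyway, which is the whole point of pinning the certificate rather than trusting what the app calls itself.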

Improve your privacy with the following Android phone security tips

One of the main concerns nowadays is privacy. Many mobile apps use GPS geolocation to determine your current location, and a photo tagged with that location may end up uploaded to social networking sites.

Once it is on the Internet, anyone in the world can learn where you are or where you live. Usually an app asks for permission to use your location the first time you open it; deny it if you are concerned about privacy.

Enabling a passcode and locking the screen helps keep other people from browsing your device's contents. The procedure varies between smartphones and tablets: Android devices offer a connect-the-dots pattern lock, while Apple devices use slide-to-unlock followed by a passcode.

This is the primary security measure that everyone should activate when having a new device.

Wednesday, September 12, 2012

Insiders suspected in Saudi cyber attack

Biggest Security Threat? Insiders?

One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company last month, sources familiar with the company’s investigation say.

The attack using a computer virus known as Shamoon against Saudi Aramco – the world’s biggest oil company – is one of the most destructive cyber strikes conducted against a single business. Shamoon spread through the company’s network and wiped computers’ hard drives clean.

Saudi Aramco says the damage was limited to office computers and did not affect the systems software behind its technical operations. The hackers' apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country where open dissent is banned.

“It was someone who had inside knowledge and inside privileges within the company,” said a source familiar with the ongoing forensic examination.

Hackers from a group called “The Cutting Sword of Justice” claimed responsibility for the attack. They say the computer virus gave them access to documents from Aramco's computers, and have threatened to release secrets. No documents have so far been published.

Reports of similar attacks on other oil and gas firms in the Middle East, including in neighboring Qatar, suggest there may be similar activity elsewhere in the region, although the attacks have not been linked. - Reuters

Monday, September 10, 2012

Breach Preparation: 4 Key Steps

Tips to Develop Breach Plan

You have one shot to get it right. How should organizations prepare properly for a data breach?

Too often, organizations go to the effort of creating a breach response plan but then fail to actually test it. That is like having a fire evacuation plan but never running the drill to make sure people get out of the building.

To prepare properly for a breach, organizations should:

Select an Individual to Lead the Charge:

Pick the right individual: someone who knows the company well and understands the importance of the personally identifiable information that needs to be protected.

Conduct an Audit of All Subcontractors:

So many breaches today occur at third-party service providers. Organizations should therefore ask their key vendors about their own data breach response plans, and how high a priority protecting the data they handle really is. It is also important to have the vendors' breach plans formalized in a written agreement, and to confirm that they actually practice them.

Involve the Right Departments:

Privacy, public relations, customer service and information security departments all need to be involved in breach planning. Outside professionals, such as legal and law enforcement, should also be included in the preparation process.

Complete a Yearly Breach Drill:

Organizations that actually practice the plan, and have seen the hitches that come up during a drill, do much better when they experience a real breach: they respond more quickly, satisfy the regulators, minimize the cost and protect their brand reputation.

Saturday, September 8, 2012

Real video footage of what skimmers "see"

"Handy" way to foil ATM skimming

Source: KrebsOnSecurity.

I recently obtained the video footage recorded by that hidden ball camera. The first segment shows the crook installing the skimmer cam at a drive-up ATM early on a Sunday morning. The first customer arrives just seconds after the fraudster drives away, entering his PIN without shielding the keypad and allowing the camera to record his code.

Dozens of customers after him would do the same. One of the customers in the video clip below voices a suspicion that something isn’t quite right about the ATM, but he proceeds to enter his PIN and withdraw cash anyhow. A few seconds later, the hidden camera records him reciting the PIN for his ATM card, and asking his passenger to verify the code.

Skimmers can be alarming, but they’re not the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM.

Monday, September 3, 2012

How Critical Is It To Keep Your System Up to Date?

Only 9 of 22 virus scanners block Java exploit

According to an analysis conducted by AV-Comparatives, fewer than half of the 22 anti-virus programs tested protected users against the Java exploit currently in circulation, which targets a highly critical vulnerability in Java 7 Update 6.

Two versions of the exploit were tested: a basic version, largely based on the published proof of concept but launching Notepad instead of the calculator, and a second variant to which heise Security added a download routine that fetches an EXE file from the internet and writes it to disk.

The test system was Windows XP that, except in the case of Avast, Microsoft and Panda, had the full versions of the security suites installed. For Avast, Microsoft and Panda, the researchers used the free versions of the products. Only 9 of the 22 tested products managed to block both variants of the exploit (Avast Free, AVG, Avira, ESET, G Data, Kaspersky, PC Tools, Sophos and Symantec).

Twelve virus scanners were found to be unsuccessful (AhnLab, Bitdefender, BullGuard, eScan, F-Secure, Fortinet, GFI-Vipre, Ikarus, McAfee, Panda Cloud Antivirus, Trend Micro and Webroot). Microsoft's free Security Essentials component at least managed to block the basic version of the exploit. It should be pointed out that these results are based on a snapshot taken on 30 August at 1pm and don't represent the overall quality of these anti-virus programs. 

The tested version of Java was current at the time, and the exploit code had been in circulation for several days. These findings demonstrate that it is unwise to base the protection of a system on a virus scanner alone. To prevent installed applications and plugins from becoming malware hideouts, they must also be kept up to date. Oracle appears to have now closed the critical Java vulnerability with the release of Java 7 Update 7 on Thursday evening. Those who have Java installed on their systems should update to the new version as soon as possible.

The exploit is bound to be a highly popular item in the armouries of cyber crooks for years to come because it is platform-independent and highly reliable. Just how reliable becomes clear from the statistics of one installation of the BlackHole exploit kit: after the exploit was integrated, the kit's Java exploits achieved a success rate of between 75 and 99 per cent. Overall, BlackHole managed to infect every fourth computer that it reached, where the usual success rate is one in ten.

Saturday, September 1, 2012

Don't post risqué photos online

Hackers Have Home-Field Advantage

Many of you reading that warning may be thinking "No kidding." But, you'd be surprised how many seemingly self-aware, intelligent, should-know-better adults continue to participate in this risky behavior. 

Even if you believe you are posting photos in a private or password-protected location, keep this in mind: If it's on the Internet, it's vulnerable. Hackers have been at this for years and know exactly how to get into "protected sites" to gain access to your information. Plus, the people to whom you've given access to your spicy photos can also copy and post them elsewhere for the world to see and to your embarrassment.

This is particularly evident with the emergence of a recent hacker trend called "fusking." Fuskers hack their way into supposedly secure sites with the sole intention of finding nude and other compromising images, and then do unthinkable and unsavory things with them.

Keep in mind the young people in your life may lack the common sense or the perspective necessary to understand just how vulnerable images like these can be, nor what kind of an impact their publication could have on their lives. Frequent reminders and modeling appropriate online behavior are the best ways to prevent your children and others from a potentially life-changing bad move online.