May 24, 2013

58% of vulnerabilities which exploit kits try to use are over 2 years old

(LiveHacking.Com) – A new report from the security company Solutionary has revealed that 58% of the vulnerabilities targeted by the top exploit kits are at least two years old. In total the company looked at 26 of the most common exploit kits and found exploit code dating back nine years. The fact that code from 2004 is still in the kits implies that old vulnerabilities are still fruitful for cyber criminals.

Further analysis showed that 58% of the vulnerabilities targeted are over two years old. Solutionary also says that the number of newly discovered and disclosed vulnerabilities has declined since 2010.

Russia appears to be the center of exploit kit development, with 70 percent of kits released or developed there, followed by China and Brazil. Of these kits, BlackHole 2.0 continues to be the most often used, while the lesser-known Phoenix 3.1 kit offers the highest number of vulnerabilities.

“The fact that cyber criminals are able to penetrate network defenses by targeting aging vulnerabilities and using old techniques demonstrates that many organizations are still playing catch-up when it comes to cyber security,” said Rob Kraus of Solutionary. “Exploit kits largely focus on targeting end-user applications. As a result, it is vital that organizations pay close attention to patch management and endpoint security controls in order to significantly decrease the likelihood of compromise.”

The popularity of BlackHole was also confirmed when Solutionary found that 30% of the malware samples it analysed were indirectly linked to the BlackHole exploit kit, while a further 18% were directly attributed to it.

On the effectiveness of anti-virus solutions, the report found that anti-virus and anti-malware software failed to detect 67 percent of the malware being distributed.

Top malware threats of last year included autorun and malicious Javascript

(LiveHacking.Com) – ESET has released a new report looking back at the top attack vectors used by malware to infect PCs in 2012. The top three vectors were the autorun.inf file, obfuscated JavaScript and iframe injection. Together these three accounted for almost 15% of the ways that malware found its way onto PCs.

Autorun.inf is a special file placed on removable media (like USB flash disks) that tells Windows what file to run when the media is inserted into the computer. Many different types of malware copy themselves onto any removable media present and rewrite the autorun.inf file to make sure that the malware is run when the media is inserted into another machine. It is a popular way of infecting computers that are not connected to the Internet. A recent report by the USA’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed that two power generation facilities became infected with malware via USB flash drives that were being used inside the plants, and it is also the method believed to have been used to get Stuxnet into Iran’s nuclear program. In total 5% of the malware infections detected by ESET’s LiveGrid were spread via the autorun.inf file.

Although Microsoft disabled AutoRun for USB and other non-optical media on Windows XP and Vista nearly two years ago (back in February 2011) to prevent exactly these infections, ZDNet’s Dancho Danchev hypothesizes that the number of infections via AutoRun is still high because of software piracy. Basically, users are running pirated or outdated versions of Windows; these installations are not being updated because of Microsoft’s Genuine Advantage program and so remain with AutoRun enabled. The piracy problem was also raised by Symantec when it speculated that “the lack of patching due to piracy may be a contributory factor to high infection rates in those countries.”
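A minimal check for the autorun.inf directives described above, added here as an example (it is not code from the ESET report, and the heuristics are not ESET's detections). The directive names are the ones Windows honoured before AutoRun was disabled for removable media: open= and shellexecute= launch a program on insertion, shell\<verb>\command= rewrites what an Explorer context-menu verb does, shell= picks the default verb, and action= supplies the text shown in the AutoPlay dialog. Both sample files are constructed; whether a launch directive is acceptable (an installer CD, say) is a policy question the scanner leaves to the caller:

```python
import re
from typing import Dict, List

# Extensions Windows would execute directly if named in a launch directive.
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|vbe|js|jse|wsf|lnk)\b", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value entries of the [autorun] section, keys lower-cased.

    Windows treats section and key names case-insensitively, and a repeated
    key is overridden by the later one, so the parser does the same.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_findings(text: str) -> List[str]:
    """Explain every way this autorun.inf would get code run.

    An empty list means the file only sets cosmetic values such as icon= or label=.
    """
    entries = parse_autorun(text)
    findings: List[str] = []
    # open= / shellexecute= name a program to run as soon as the media mounts.
    for key in ("open", "shellexecute"):
        if key in entries and EXEC_EXT.search(entries[key]):
            findings.append(f"{key}= runs {entries[key]} on insertion")
    # shell\<verb>\command= rewrites an Explorer verb, so even a cautious user
    # who only double-clicks the drive in Explorer launches the payload.
    hijacked: List[str] = []
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command") and EXEC_EXT.search(value):
            verb = key.split("\\")[1]
            hijacked.append(verb)
            findings.append(f"Explorer verb '{verb}' redirected to {value}")
    if entries.get("shell", "").lower() in hijacked:
        findings.append(f"shell= makes hijacked verb '{entries['shell']}' the default action")
    # action= text copying Windows' own wording disguises the launch in the AutoPlay dialog.
    if "open folder" in entries.get("action", "").lower():
        findings.append("action= mimics the built-in 'Open folder to view files' prompt")
    return findings


# Constructed samples, not real captures.
MALICIOUS_AUTORUN = """; worm-style launcher
[AutoRun]
open=RECYCLER\\loader.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\loader.exe
shell\\explore\\command=RECYCLER\\loader.exe
shell=open
"""

BENIGN_AUTORUN = """; custom drive icon only
[autorun]
icon=branding\\drive.ico
label=Team Backup
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, launch_findings(sample) or ["no launch directives"])
```

Run it over every autorun.inf found on media entering the plant (or on a removable-media kiosk) and the output tells you why a file is dangerous rather than just that it is; the action= and icon= tricks in the malicious sample are what make the AutoPlay prompt look like a plain folder to the person inserting the drive.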

Another 8% of infections came via hacked web pages. Once a page is compromised, the attacker can alter its HTML to insert JavaScript or an iframe that redirects the browser to a URL where malware is hosted, or that starts a drive-by download. Any injected JavaScript is normally obfuscated to evade signature-based detection.

“Since poisoned web sites and scripts are an ongoing and regrettable but inevitable part of the threatscape, it’s not surprising that HTML/Iframe.B and HTML/Scrinject.B are still with us…” wrote David Harley, a senior research fellow at ESET.
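A scanner for the two injection patterns just described, added here as an example; it is not ESET's detection logic for HTML/Iframe.B or HTML/Scrinject.B. It uses only the standard library; the hidden-iframe rules and the obfuscation markers are heuristics chosen for the demonstration, and both pages are constructed:

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Styling that keeps an iframe out of sight while it still loads its source.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I
)
# Functions obfuscated droppers lean on to rebuild their real payload at run time.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# Eight or more consecutive %XX / \xXX / %uXXXX escapes: encoded HTML or JavaScript.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|%u[0-9a-f]{4}){8,}", re.I)


def script_indicators(body: str) -> List[str]:
    """List the obfuscation traits present in one inline <script> body."""
    reasons = [m for m in OBFUSCATION_MARKERS if m in body]
    if ESCAPE_RUN.search(body):
        reasons.append("run of 8+ escape sequences")
    return reasons


class InjectionScanner(HTMLParser):
    """Collect hidden iframes and obfuscated inline scripts from an HTML page."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []
        self._in_script = False
        self._script_parts: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a: Dict[str, str] = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height"))
            hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
            if tiny or hidden:
                self.findings.append(f"hidden iframe loading {a.get('src', '(no src)')}")
        elif tag == "script":
            self._in_script = True
            self._script_parts = []

    def handle_data(self, data: str) -> None:
        if self._in_script:
            self._script_parts.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._in_script:
            self._in_script = False
            reasons = script_indicators("".join(self._script_parts))
            # One trait alone (eval in a library, say) is common; two together is the injection pattern.
            if len(reasons) >= 2:
                self.findings.append("obfuscated inline script: " + ", ".join(reasons))


def scan_html(page: str) -> List[str]:
    scanner = InjectionScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


# Constructed pages, not captures from any real compromise.
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://maps.example/embed" width="600" height="450"></iframe>
<script src="/static/app.js"></script>
<script>window.addEventListener("load", function () { console.log("ready"); });</script>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://redirector.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%72%2E%69%6E%76%61%6C%69%64%2F%22%3E'));</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41));</script>
</body></html>"""

if __name__ == "__main__":
    print("clean:", scan_html(CLEAN_PAGE))
    print("injected:", scan_html(INJECTED_PAGE))
```

The two-indicator threshold is the important design choice: eval() on its own appears in plenty of legitimate libraries, but eval() or document.write() fed from unescape(), String.fromCharCode or a long run of %XX escapes is the shape of nearly every injected redirector. Run it against a saved copy of your own pages after a deployment or a suspected compromise; a clean scan is not proof of anything, but a hit is worth a look.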

Malware found in U.S. power plants, should America be worried?

(LiveHacking.Com) – According to a new report (pdf) released by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.

The first case came to ICS-CERT’s attention when it was contacted by the staff at a power generation facility. Several different pieces of malware, classified as both common and sophisticated, were discovered when an employee asked IT staff to inspect a USB drive used to back up control system configurations within the control environment.

Initial analysis of the malware found on the USB drive raised alarms, since one of the infections was linked to known sophisticated malware. ICS-CERT engineers went on-site and took drive images of the infected hardware. They also discovered two critical engineering workstations, infected by the malware, that had no backups; a poor or incorrect removal of the malware would have significantly impaired the operation of the power plant.

A cleanup procedure was developed and executed together with the organization’s control system vendor to ensure that it would not adversely impact the critical workstations.

The second case happened in early October. A power company contacted ICS-CERT to report a malware infection in a turbine control system. The malware infected around ten computers on the control system network, which was down at the time for a scheduled equipment-upgrade outage. The infection resulted in more downtime than planned and delayed the plant restart by approximately three weeks.

“ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media. Such practices will mitigate many issues that could lead to extended system downtimes,” said the ICS-CERT report. “Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events.”

It is clear that these key infrastructural facilities need to have the correct security and backup policies and procedures in place, something which is sorely lacking at the moment.

ENISA tells banks to assume that all customer PCs are infected with malware

(LiveHacking.Com) – The EU’s cyber security agency ENISA (European Network and Information Security Agency) has released a report in response to the “High Roller” cyber-attacks. These attacks targeted corporate bank accounts and, according to a report recently published by McAfee and Guardian Analytics, are responsible for the loss of tens of millions of dollars.

As part of its recommendations, ENISA has told the banking industry to assume that all customer PCs are infected with malware. The “High Roller” attacks used the infamous Zeus malware, which is not universally detected by anti-malware programs, so it is safer for banks to assume that every one of their customers’ PCs is infected.

The report also notes that basic two-factor authentication does not prevent man-in-the-middle attacks on transactions: a one-time code proves that the customer is present, not that the transaction the bank receives is the one the customer intended. ENISA therefore recommends that banks cross-check the details of certain types of transaction with their customers, via SMS or a telephone call.

ENISA also calls on the different national Computer Emergency Response Teams (CERTs) and law enforcement agencies to cooperate closer to help bring down the command and control servers used by the criminals.

The recommendations have been published because of the nature of the “High Roller” attacks. First, they are highly automated, making them fast and easy to miss. Second, they are sophisticated, with the ability to bypass two-factor authentication and fraud detection. Third, they are highly targeted: only PCs belonging to users with correspondingly high balances were attacked.
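The report's point that a basic one-time code does not stop a man-in-the-middle deserves a concrete illustration. What follows is an added example, not code from ENISA or from the McAfee/Guardian Analytics report: hotp() is the standard event-based one-time password from RFC 4226, while transaction_code(), the shared seed, the transfer amounts and the account numbers are constructed for the demonstration. Malware on the customer's PC swaps the beneficiary and the amount but relays the customer's code unchanged; a plain OTP is still accepted, whereas a code computed over the transaction details is rejected as soon as the details change, which is the same property the out-of-band SMS or phone cross-check provides:

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    beneficiary: str  # account identifier exactly as the customer sees it on screen

    def canonical(self) -> bytes:
        # Fixed field order and separator so token and bank hash identical bytes.
        return f"{self.amount_cents}|{self.beneficiary}".encode()


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the last nibble."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int) -> str:
    """Plain event-based OTP: the code depends on the counter only, not on what it authorises."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_code(secret: bytes, counter: int, tx: Transfer) -> str:
    """Code over counter plus amount and beneficiary (constructed scheme, not a standard)."""
    msg = struct.pack(">Q", counter) + tx.canonical()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


SEED = b"constructed-demo-seed-not-a-real-key"  # shared between the customer's token and the bank


def bank_accepts(counter: int, received: Transfer, code: str, bound: bool) -> bool:
    """The bank recomputes the code for the transfer it actually received."""
    expected = transaction_code(SEED, counter, received) if bound else hotp(SEED, counter)
    return hmac.compare_digest(expected, code)


def tampered_transfer_accepted(bound: bool) -> bool:
    """Simulate malware that swaps the transfer details but relays the user's code unchanged."""
    counter = 41
    intended = Transfer(12_500, "DE89370400440532013000")    # what the customer typed and saw
    tampered = Transfer(9_900_000, "GB29NWBK60161331926819")  # what the malware sends instead
    code = transaction_code(SEED, counter, intended) if bound else hotp(SEED, counter)
    return bank_accepts(counter, tampered, code, bound)


if __name__ == "__main__":
    print("plain OTP, tampered transfer accepted:", tampered_transfer_accepted(bound=False))
    print("transaction-bound code, tampered transfer accepted:", tampered_transfer_accepted(bound=True))
```

The binding only helps if the amount and beneficiary that go into the code are displayed on something the malware cannot draw on, such as a standalone card reader or the SMS itself; a code computed inside the same infected browser can be computed over whatever the malware wants. That is why ENISA's recommendation is an out-of-band channel rather than a stronger code.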

Congress Warned That Foreign Spies Penetrate US Military Networks

(LiveHacking.Com) – It should be assumed that foreign spies have penetrated US military networks: that was the message delivered to America’s politicians last week when security experts testified at hearings on cybersecurity held by the US Senate Armed Services Committee. The committee was told that enforcing a perimeter to keep spies out is untenable, and that the US should assume its networks have already been fully penetrated. Instead, the committee was told, cyberdefence should be about protecting data, not controlling access.

“We’ve got the wrong mental model here,” said Dr James Peery, head of the Information Systems Analysis Centre at the Sandia National Laboratories. “I think we have to go to a model where we assume that the adversary is in our networks.”

As part of a prepared statement to the committee, Dr. Peery said: “A silver bullet for solving the ‘cyber problem’ for DoD, DOE, dot-gov or the private sector does not exist. It is impossible to make an absolutely secure information technology (IT) system.”

Dr. Kaigham Gabriel, current head of the Defense Advanced Research Projects Agency (DARPA), likened the current cybersecurity efforts of the US DoD to treading water in the middle of the ocean. The DoD oversees 15,000 networks connecting about seven million devices, which presents numerous security challenges. These challenges include:

  • Attackers can penetrate our networks: in just 3 days and at a cost of only $18,000, the Host-Based Security System was penetrated.
  • User authentication is a weak link: 53,000 passwords were provided to teams at Defcon; within 48 hours, 38,000 were cracked.
  • The Defense supply chain is at risk: more than two-thirds of the electronics in U.S. advanced fighter aircraft are fabricated in off-shore foundries.
  • Physical systems are at risk: a smartphone hundreds of miles away took control of a car’s drive system through an exploit in a wireless interface.
  • The United States continues to spend on cybersecurity with limited increase in security: the Federal Government expended billions of dollars in 2010, but the number of malicious cyber intrusions has increased.

With regards to cyber offense (rather than defense) Dr. Gabriel wrote: “DARPA’s belief is that the Department must have the capability to conduct offensive operations in cyberspace to defend our Nation, Allies, and interests. To be relevant, DoD needs cyber tools to provide the President with a full range of options to use in securing our national interests. These tools must address different timescales and new targets, and will require the integrated work of cyber and electronic warfare at unprecedented levels.”

Dr. Michael A. Wertheimer, director of research and development at the NSA, told the Senators that the federal government also faces a shortage of talent. Historically, the government has lost about one percent of its IT talent annually; this year it is set to lose 10 percent of that workforce, the experts claimed. Wertheimer said that 44 percent of those leaving the NSA resign rather than retire; among the NSA’s IT staff, 77 percent resign rather than retire.

Cambridge University Study Says That Multi Word Passphrases Not As Secure As You Might Think

(LiveHacking.Com) – It is conventional wisdom that the more complex a password is, the harder it is for hackers to crack. This has led online users to start using multi-word passphrases (rather than single-word passwords) for account authentication. Multi-word passphrases are easier to remember than completely random password strings and supposedly have the added advantage of being just as secure. However, research from the Computer Laboratory at the University of Cambridge suggests that this might not be the case. Although multi-word passphrases could be as secure as random strings, what matters is the passphrases users actually choose, not the theoretical number of possible phrases.

The research paper, by Joseph Bonneau and Ekaterina Shutova, studied data taken from the now-defunct Amazon PayPhrase system (which was only available in the US) to learn how people choose passphrases in general. The pair then set about guessing the passphrases using a dictionary attack built from movie titles, sports team names and other types of proper noun taken from Wikipedia. Using this method the researchers cracked about 8,000 phrases.

Applying some clever mathematics, the results show that passphrases provide the equivalent of 20-bit security against an attacker trying to compromise 1% of available accounts. Normal passwords provide under 10 bits when measured the same way, so passphrases are clearly better, but not by enough to make online dictionary attacks impractical unless the online service applies proper rate limiting.

Some clear trends emerged: people strongly prefer phrases which are either a single modified noun (“operation room”) or a single modified verb (“send immediately”). These are perhaps easier to remember than phrases which include both a verb and a noun and are therefore closer to a complete sentence. Within these categories, users don’t stray far from two-word phrases as they actually occur in natural language: phrases like “young man” which come up often in speech are proportionately more likely to be chosen than rare phrases like “young table”.
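The “clever mathematics” behind figures such as “20 bits against an attacker compromising 1% of accounts” is, in Bonneau's earlier work on guessing metrics, the α-work-factor: the number of guesses an optimal attacker (most popular phrase first) needs to break a fraction α of accounts, normalised so that a uniform choice among N phrases scores log2 N. The functions below are an added example, not the paper's code, and the assumption that this is the metric behind the quoted numbers is the editor's; the two distributions are constructed, not the PayPhrase data. The skewed one makes the article's point numerically: a single popular phrase drags the α-work-factor far below the Shannon entropy that “theoretical passphrase possibilities” would suggest:

```python
import math
from typing import Sequence


def success_rate_bits(probs: Sequence[float], beta: int) -> float:
    """lambda~_beta: bits of security against an attacker allowed only beta guesses
    per account, the online-guessing case that rate limiting is meant to bound.
    Normalised so that a uniform choice over N phrases scores log2(N)."""
    p = sorted(probs, reverse=True)          # the attacker guesses most-likely first
    covered = sum(p[:beta])                   # fraction of accounts those guesses break
    return math.log2(beta / covered)


def work_factor_bits(probs: Sequence[float], alpha: float) -> float:
    """mu~_alpha: bits of security against an attacker who keeps guessing until a
    fraction alpha of accounts is broken (the 'compromise 1% of accounts' setting)."""
    p = sorted(probs, reverse=True)
    covered = 0.0
    for guesses, prob in enumerate(p, start=1):
        covered += prob
        if covered >= alpha:
            return math.log2(guesses / covered)
    raise ValueError("alpha exceeds the total probability mass")


def shannon_bits(probs: Sequence[float]) -> float:
    """Shannon entropy, for comparison: it rewards a long tail of rare phrases that
    a real attacker never needs to reach."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


# Constructed distributions, not the Amazon PayPhrase data.
UNIFORM_1024 = [1 / 1024] * 1024
# One phrase picked by 2% of users, the other 98% spread evenly over 65,536 phrases.
SKEWED = [0.02] + [0.98 / 65536] * 65536

if __name__ == "__main__":
    for name, dist in (("uniform", UNIFORM_1024), ("skewed", SKEWED)):
        print(f"{name:8s} H={shannon_bits(dist):5.2f}  "
              f"mu~_0.01={work_factor_bits(dist, 0.01):5.2f}  "
              f"lambda~_10={success_rate_bits(dist, 10):5.2f}")
```

For the skewed distribution the Shannon entropy is close to 16 bits while the 1% work factor is under 6 bits: one guess breaks 2% of accounts. Computed on a real sample these metrics are estimates, since rare phrases are under-represented, which is why the paper's numbers come with that caveat; the 10-guess success rate is the number to look at when deciding how aggressive an online rate limit needs to be.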

20 Percent of Fortune 100 Companies Were Hit by the RSA Attackers

(LiveHacking.Com) - Brian Krebs, who until a couple of years ago was a reporter for The Washington Post, has revealed that over 760 other organizations were hit by the same attackers that targeted RSA earlier this year.

In his blog post, Brian says that “more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.”

Brian does, however, give some caveats:

  1. Many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit.
  2. It is not clear how many systems in each of these companies or networks were compromised.
  3. Some of these organizations (there are several antivirus firms mentioned below) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.

The most interesting names on the list include:

  • The Alabama Supercomputer Network
  • Cisco Systems
  • eBay
  • The European Space Agency
  • Facebook
  • Google
  • IBM
  • Intel Corp
  • the Internal Revenue Service (IRS)
  • MIT
  • Motorola Inc.
  • Northrop Grumman
  • Novell
  • PriceWaterhouseCoopers
  • Research in Motion (RIM) Ltd.
  • Seagate Technology
  • VMware

Missing Dots in Email Addresses Allows Security Researchers to Catch 120,000 Messages

(LiveHacking.Com) - Security researchers have captured thousands of emails by buying domains for commonly mistyped email addresses. Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages. These emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords.

According to researchers Peter Kim and Garret Gee of the Godai Group around 30% of the top 500 companies in the US were vulnerable to this data leak.

The problem arises because of the way some organisations set up their email systems. Most companies use a single domain for all email, but some use subdomains. So rather than just user@bank.com the company has set up us.bank.com for its USA employees and uk.bank.com for its UK employees and so on.

By buying domains like usbank.com and ukbank.com the researchers were able to catch emails addressed to user@us.bank.com that, because of a typing error, were sent to user@usbank.com (without the dot after ‘us’).

Rather than a bounce reporting the mistyped address, the email went to the researchers. From there it was forwarded to the correct address, but with a bogus reply address so that the researchers could capture the replies as well. This is a man-in-the-middle attack, or more specifically for email, a man-in-the-mailbox attack.

Writing on the blog of security firm Sophos, Mark Stockley said: “It’s striking that the researchers managed to capture so much information by focusing on just one common mistake. A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organisations and typos.”
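The doppelganger names are mechanical to enumerate, which is exactly why the attack scales. The following is an added example, not the Godai Group's tooling: it derives every domain obtainable by dropping one dot from an internal subdomain, and then classifies outbound recipients so a mail gateway can block or warn before a message leaves. The domain names are constructed (bank.example is a reserved name) and the recipient list is constructed too:

```python
from typing import Iterable, List, Set, Tuple


def doppelgangers(internal_domains: Iterable[str]) -> Set[str]:
    """Every domain an attacker can register by dropping one dot from an internal
    subdomain, e.g. us.bank.example -> usbank.example.  Multi-level names yield one
    candidate per dropped dot (mail.us.bank.example -> mailus.bank.example and
    mail.usbank.example).  The dot before the TLD is never dropped, so a bare parent
    domain such as bank.example produces no candidates."""
    out: Set[str] = set()
    for name in internal_domains:
        labels = name.lower().strip(".").split(".")
        for i in range(len(labels) - 2):            # every dot except the last one
            merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
            out.add(".".join(merged))
    return out


def check_outbound(recipients: Iterable[str], internal_domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify each recipient as 'internal', 'doppelganger' or 'external'.

    A gateway would reject or quarantine the 'doppelganger' verdicts; the others pass.
    """
    internal = {d.lower() for d in internal_domains}
    traps = doppelgangers(internal)
    verdicts: List[Tuple[str, str]] = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in internal:
            verdicts.append((addr, "internal"))
        elif domain in traps:
            verdicts.append((addr, "doppelganger"))
        else:
            verdicts.append((addr, "external"))
    return verdicts


# Constructed names; bank.example is a reserved example domain, not a real bank.
INTERNAL = ["bank.example", "us.bank.example", "uk.bank.example", "mail.us.bank.example"]
SAMPLE_RECIPIENTS = [
    "alice@us.bank.example",      # correct internal address
    "bob@usbank.example",         # missing dot: lands on a doppelganger
    "carol@partner.example",      # ordinary external correspondent
    "dave@mailus.bank.example",   # missing dot one level deeper
]

if __name__ == "__main__":
    print(sorted(doppelgangers(INTERNAL)))
    for addr, verdict in check_outbound(SAMPLE_RECIPIENTS, INTERNAL):
        print(f"{verdict:12s} {addr}")
```

Run doppelgangers() over your own subdomain list and register, or at least monitor, every name it produces; the gateway check then catches the typos that still happen on the sending side. Neither step requires anything from the recipient, which matters because the bounce that would normally alert the sender never arrives when a doppelganger is listening.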

Cybercrime Bigger Than Global Black Market in Marijuana, Cocaine and Heroin combined

(LiveHacking.Com) - The new Norton Cybercrime Report has put the cost of cyber crime to the world’s economy at $388bn annually, a figure that is greater than the combined global market for marijuana, cocaine and heroin ($288bn). Another startling statistic is that cybercrime costs are more than 100 times the annual expenditure of UNICEF ($3.65 billion).

The report, which was compiled using data from 24 countries, says that 431m adults experienced cybercrime in the last year. That is more than a million victims every day or 14 adults every second.

In terms of viruses and malware, the report notes that:

  • 4 in 10 adults surveyed do not have an up-to-date security software suite to protect their personal information online
  • 54% of online adults have experienced viruses or malware on their computers
  • 6 in 10 users of free AV software reported viruses and malware attacks

With regards to protection against viruses and malware, the report says that inadequate security software exposes people unnecessarily to the dangers of computer viruses and malware. With many failing to do the single easiest thing to prevent cyberattacks – i.e. install a full security suite – adults globally are going online, for considerable amounts of time, unprotected against the most common types of cybercrime.

And it is this last part which possibly reveals the true nature of the report. Although I don’t doubt the facts and figures, highlighting things like “6 in 10 users of free AV software reported viruses and malware attacks” and that the “single easiest thing to prevent cyberattacks” is to “install a full security suite” reminds us that this report is published by Norton/Symantec who want to sell you their security software.

The Return of Master Boot Record (MBR) Malware

(LiveHacking.Com) - According to the August 2011 Symantec Intelligence Report, Master Boot Record (MBR) malware is making a comeback. The report, which combines research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report, reveals that there were as many new boot-time (MBR) malware threats in the first seven months of 2011 as in the previous three years.

The master boot record (MBR) is the first sector of a hard drive; it holds the partition table and the bootstrap code that loads the operating system. The BIOS reads the MBR and executes that code during boot, before the operating system itself is loaded, so malware that replaces it runs before any OS-level security software gets a chance to.

“MBR infections offer great scope for deep infection and control of computers, which makes the idea attractive to malware creators. Contemporary MBR infection methods are a fairly complex affair usually executed by highly skilled individuals,” said Paul Wood, senior intelligence analyst, Symantec.cloud.
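A parser for the sector just described, together with the baseline comparison a practitioner would actually use to spot an MBR infection, added here as an example rather than anything from the Symantec report. The layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) is the classic MBR format; the two sector images are constructed, with placeholder boot code standing in for a real loader:

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_CODE_LEN = 446                        # bootstrap code, then 4 x 16-byte partition entries, then 0x55AA
PART_ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass(frozen=True)
class MBR:
    boot_code: bytes
    partitions: List[Partition]
    signature_ok: bool

    def boot_code_hash(self) -> str:
        return hashlib.sha256(self.boot_code).hexdigest()


def parse_mbr(sector: bytes) -> MBR:
    """Split one 512-byte sector into boot code, used partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts: List[Partition] = []
    for i in range(4):
        status, _chs0, type_id, _chs1, lba, count = PART_ENTRY.unpack_from(sector, BOOT_CODE_LEN + 16 * i)
        if type_id != 0:                   # type 0x00 marks an unused slot
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return MBR(sector[:BOOT_CODE_LEN], parts, sector[510:512] == b"\x55\xAA")


def compare_to_baseline(current: MBR, baseline: MBR) -> List[str]:
    """Report what changed since the known-good image taken at install time.

    MBR bootkits usually rewrite the boot code (stashing the original elsewhere on
    disk) while leaving the partition table intact so the machine still boots."""
    diffs: List[str] = []
    if not current.signature_ok:
        diffs.append("boot signature 0x55AA missing")
    if current.boot_code_hash() != baseline.boot_code_hash():
        diffs.append(f"boot code changed: {current.boot_code_hash()[:16]} != {baseline.boot_code_hash()[:16]}")
    if current.partitions != baseline.partitions:
        diffs.append("partition table changed")
    return diffs


def _build_sector(boot_code: bytes, entries: List[bytes]) -> bytes:
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return body + table + b"\x55\xAA"


# Constructed images, not dumps of a real disk: one bootable NTFS partition at LBA 2048.
NTFS_ENTRY = PART_ENTRY.pack(0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
CLEAN_SECTOR = _build_sector(b"\xEB\xFE" + b"\x90" * 64, [NTFS_ENTRY])
# Same partition table; the placeholder boot code now starts with a different jump and extra bytes.
INFECTED_SECTOR = _build_sector(b"\xEB\x40" + b"\x90" * 64 + b"\xB8\x13\x00\xCD\x10", [NTFS_ENTRY])

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_SECTOR)
    print("baseline:", compare_to_baseline(baseline, baseline) or "unchanged")
    print("suspect: ", compare_to_baseline(parse_mbr(INFECTED_SECTOR), baseline))
```

On a live system the sector comes from open(r"\\.\PhysicalDrive0", "rb").read(512) on Windows or from /dev/sda on Linux, both of which need administrator or root rights, and the baseline hash belongs on media the machine cannot write. The caveat that matters: a bootkit that has hooked the disk driver can hand back the original sector when asked from inside the running OS, so a clean comparison from the infected system proves little; read the disk from boot media or another host for a verdict you can trust.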

Other highlights of the report include:

Pump and dump: Spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit.

Spam: In August 2011, the global ratio of spam in email traffic declined to 75.9 percent (1 in 1.32 emails); a decrease of 1.9 percentage points when compared with July 2011.

Phishing: In August, phishing email activity increased by 0.01 percentage points since July 2011; one in 319.3 emails (0.313 percent) comprised some form of phishing attack.

E-mail-borne Threats: The global ratio of email-borne viruses in email traffic was one in 203.3 emails (0.49 percent) in August, an increase of 0.14 percentage points since July 2011.

Web-based Malware Threats: In August, Symantec Intelligence identified an average of 3,441 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; a decrease of 49.4 percent since July 2011.

Endpoint Threats: The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 15.8 percent of all malicious software blocked by endpoint protection technology in August.

You can also get more information by reading the SlideShare Presentation: August 2011 Symantec Intelligence Report