
Archive for April 2016

US Presidential Primary Apps Leak Sensitive Data

As 2016’s presidential primaries have progressed, the number of presidential primary apps installed on mobile devices has grown considerably. That is a problem, because most of them leak personal data about their users.

“[They’re] more popular than ever, thanks mostly to Donald Trump, according to our data,” said Symantec researchers, in a blog post. “Trump has been the focus of much interest, dominating all candidates with 75% of presidential primary apps categorized under his name.”

The unfortunate reality, however, is that election season is a key opportunity for data thieves. Presidential primary apps gather plenty of information, which makes them ripe vectors for exposing sensitive data. Downloading election apps may be a quick way to surrender that data to eavesdroppers, especially if users connect over unsecured Wi-Fi or automatically join public hotspots, where anything an app sends without encryption can be read off the air.

User phone numbers and location comprise just some of the data being exposed. Other types of private data include account details, such as email addresses and social network user names; lists of installed apps on a device; brand, model and operating system of the device; the international mobile subscriber identity (IMSI) contained on the SIM card; and the settings of a device, such as language or time zone.

Symantec has found that out of more than 1,200 presidential-primary-related Android apps that it looked at, more than 50% exposed sensitive data. Of the most popular primary election apps observed—those with more than 1 million downloads—nearly 25% were found to be exposing sensitive data.

“Most primary apps are unofficial and not affiliated with a campaign, but even official apps have some data exposure, as we found by looking at two primary candidate apps using the Norton Mobile Security with Norton Mobile Insight app,” Symantec explained.

On the official apps front, using Norton Mobile Insight, Symantec found the official apps for John Kasich and Ted Cruz to be problematic. In the case of the official John Kasich 2016 mobile app, every app installed on a device and the user location may be exposed. In the case of the official Ted Cruz “Cruz Crew” app, mobile device details and unique IMSI may be exposed.

All of it is data that could be intercepted by attackers and shared with third parties.

Users should install apps only from trusted sources, pay close attention to the permissions an app requests, and turn off location services when they are not using GPS, so that apps cannot learn their exact coordinates.

“If an app is asking for more information than you’re comfortable sharing, it might be a sign to run the other way,” Symantec said. “Think of what the purpose of the app is, and only provide information that is necessary for the app to serve its function.”
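As an added example (not Symantec’s or Norton’s tooling), the following Python script performs the manifest-level version of the permission check recommended above: it parses an Android manifest, maps each requested permission to the class of data in the Symantec findings that it unlocks (location, IMSI and phone number, account names, installed apps), and flags whether the app allows cleartext HTTP, which is what turns that data into something readable on an open Wi-Fi hotspot. The manifest, package name and permission-to-data mapping are the author’s constructions for the demonstration; the permission names themselves are the standard Android ones.

```python
"""Flag Android manifest permissions that unlock the data classes described
in the Symantec write-up. Added example, not Symantec's or Norton's code.
The manifest below is constructed for the demo."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
CLEARTEXT_ATTR = f"{{{ANDROID_NS}}}usesCleartextTraffic"

# Which exposed data class each (standard Android) permission unlocks.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "phone number, IMSI/IMEI",
    "android.permission.GET_ACCOUNTS": "account names (email, social logins)",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed apps",
    "android.permission.GET_TASKS": "running/installed apps",
}

# Constructed manifest for a hypothetical primary-election app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.primarytracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:usesCleartextTraffic="true" android:label="Primary Tracker"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Every <uses-permission android:name=...> in the decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def audit(manifest_xml):
    """Return ({permission: data class} for each sensitive permission requested,
    cleartext_allowed). Cleartext HTTP is what makes that data readable on an
    open Wi-Fi hotspot."""
    perms = requested_permissions(manifest_xml)
    findings = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    app = ET.fromstring(manifest_xml).find("application")
    cleartext = app is not None and app.get(CLEARTEXT_ATTR) == "true"
    return findings, cleartext


def report(manifest_xml):
    """Human-readable findings, one line per issue."""
    findings, cleartext = audit(manifest_xml)
    lines = [f"{perm}: exposes {what}" for perm, what in findings.items()]
    if cleartext:
        lines.append("usesCleartextTraffic=true: exposed data may travel unencrypted")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MANIFEST):
        print(line)
```

To run it against a real APK, decode AndroidManifest.xml first (for example with apktool), since the script reads only the decoded XML. A clean result is a starting point rather than a clearance: it cannot see data that bundled analytics SDKs collect through legitimately granted permissions, which is how much of the leakage Symantec describes happens.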


Source: Information Security Magazine

Patient Data Found Dumped in Alleyway

A large amount of confidential patient data has been found dumped in a Bournemouth alleyway, according to reports by the Daily Echo.

A passer-by stumbled across a number of black plastic ribbons which apparently contain counterfoil prescription label information, patients’ names, dates-of-birth, addresses and doctor details along with NHS patient numbers.

The details have been passed onto the NHS and an investigation is now underway to get to the bottom of how they wound up in the alleyway in the first place.

An ICO spokesperson said: “We’re aware of a potential incident and are making enquiries.”

While there were no medical details on the plastic strips, the information they do contain is sensitive enough to be used for fraud in the wrong hands. The medical sector has for some time been a growing target for attackers who recognize the value of patient data, so finding this information in such a publicly accessible place is a serious concern.

“In these days of massive database breaches, it seems very strange to read of confidential data being found in this physical form,” David Harley, ESET senior research fellow told Infosecurity. “Apart from potential risks to those whose data was exposed, there should be concern about how it got where it was found.”

Harley added that both theft and loss of patient data can have damaging repercussions for the individuals concerned, and often lead to crimes such as the creation of fake IDs, the illicit purchase and sale of prescription drugs, and fraudulent insurance claims.

“Individuals can be severely disadvantaged, for instance when they’re billed for medical services that have been obtained (or merely charged for) fraudulently in their names. This is a serious problem in the US, and becoming more common in the UK as privatized medical care becomes more common.”

Source: Information Security Magazine

SWIFT Software Bug Exploited by Bangladesh Bank Hackers

A bug in SWIFT banking software may have been exploited to allow hackers to make off with $81 million from Bangladesh’s central bank in February, according to reports.

Investigators at British defense contractor BAE Systems told Reuters that the malware in question, evtdiag.exe, had been designed to patch code in SWIFT’s Alliance Access client software so that it could tamper with the database recording the bank’s activity over the network.

That apparently allowed the attackers to delete outgoing transfer requests and intercept incoming requests, as well as change recorded account balances – effectively hiding the heist from officials.

The malware even interfered with a printer to ensure that paper copies of transfer requests didn’t give the attack away.

It’s thought that the malware was part of a multi-layered attack and was deployed on the SWIFT system only after Bangladesh Bank administrator credentials had been stolen.

Although it was written specifically for this attack it could be repurposed for similar attacks in the future, BAE claimed.

However, it has not yet been established how the attackers submitted the fraudulent transfer requests in the first place, according to the report.

“I can’t think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in,” BAE head of threat intelligence, Adrian Nish, told the newswire. “I guess it was the realization that the potential payoff made that effort worthwhile.”

For its part, SWIFT confirmed it is releasing a software update later today to “assist customers in enhancing their security and to spot inconsistencies in their local database records.”
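The “inconsistencies in local database records” that such an update is meant to surface are exactly what an independent integrity record catches. The Python below is an added illustration of that idea, not SWIFT’s software or BAE’s analysis: a reconciliation system keeps an HMAC chain over the outgoing message log, keyed with a secret that never lives on the messaging host, so any record that is deleted or rewritten on the host shows up as the first link that no longer verifies. The record fields, values and key are constructed for the demonstration.

```python
"""Detect deleted or altered records in a local message log with an
independent HMAC chain. Added example of the kind of consistency check
described above; not SWIFT's code. Records and key are constructed."""
import hashlib
import hmac
import json

# Assumption: this key is held by the reconciliation system (HSM or a separate
# box), never on the host running the messaging software, so malware that can
# patch the local database still cannot recompute the chain.
RECONCILIATION_KEY = b"constructed-demo-key-keep-off-the-messaging-host"


def record_mac(prev_mac, record):
    """MAC over the previous link plus the canonical record. Each link commits
    to everything before it, so a deletion or edit breaks every later link."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(RECONCILIATION_KEY, prev_mac + canonical, hashlib.sha256).hexdigest()


def build_chain(records):
    """MACs the reconciliation system stores as each message is sent."""
    chain, prev = [], b""
    for rec in records:
        mac = record_mac(prev, rec)
        chain.append(mac)
        prev = mac.encode()
    return chain


def verify(records, chain):
    """Recompute the chain over the local database as it is *now*.
    Returns (ok, index_of_first_bad_link). A missing or inserted record shows
    up as a length mismatch; an altered amount or beneficiary shows up as the
    first link whose MAC no longer matches."""
    if len(records) != len(chain):
        return False, min(len(records), len(chain))
    prev = b""
    for i, (rec, expected) in enumerate(zip(records, chain)):
        mac = record_mac(prev, rec)
        if not hmac.compare_digest(mac, expected):
            return False, i
        prev = mac.encode()
    return True, -1


# Constructed outgoing-transfer records (simplified MT103-like fields).
ORIGINAL = [
    {"ref": "TRN0001", "amount": "1000000.00", "ccy": "USD", "beneficiary": "ACME"},
    {"ref": "TRN0002", "amount": "250000.00", "ccy": "USD", "beneficiary": "GLOBEX"},
    {"ref": "TRN0003", "amount": "5000000.00", "ccy": "USD", "beneficiary": "UNKNOWN"},
]


def tampered_delete():
    """The behaviour described above: drop the outgoing request from the log."""
    return [r for r in ORIGINAL if r["ref"] != "TRN0003"]


def tampered_edit():
    """Rewrite a recorded amount so the balance looks untouched."""
    rows = [dict(r) for r in ORIGINAL]
    rows[2]["amount"] = "0.00"
    return rows


if __name__ == "__main__":
    chain = build_chain(ORIGINAL)
    print("intact: ", verify(ORIGINAL, chain))
    print("deleted:", verify(tampered_delete(), chain))
    print("edited: ", verify(tampered_edit(), chain))
```

The check is only as good as the separation of the chain from the host it protects: if the reconciliation key or the stored MACs sit on the same machine the attacker controls, they can be regenerated along with the doctored records. The same applies to the printer the malware silenced; a paper trail is an independent record only while the attacker cannot reach it.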

Its messaging system is used by around 11,000 financial institutions and the like around the world.

It may still be the case that security shortcomings at the Bangladesh Bank also contributed to the cyber theft.

Several reports claimed that the bank was using second-hand routers costing just $10, and that key firewalls were missing from its security set-up.

Ross Brewer, EMEA managing director at LogRhythm, argued that even firewalls can’t protect organizations against persistent, sophisticated attacks.

“Unfortunately, in this threat landscape, hackers will keep trying and trying until they find a bank’s weak spot,” he added.

“They are persistent and have the tools and skills to get past basic security tools, which means it really is a case of when you will get breached, not if. By having tools in place that can identify a threat on the network as soon as it appears, banks can mitigate any risk and limit the consequences straightaway.”

BAE is apparently planning to release more details on its investigation later today.

Source: Information Security Magazine

Philippine Police Cuff Comelec Hack Suspect

Philippine police have arrested one of three individuals suspected of hacking the website of the national election commission (Comelec) at the end of March and exposing the details of over 50 million voters.

The country’s National Bureau of Investigation (NBI) announced the arrest last week, having worked with Comelec and other government agencies on the case, according to the Manila Bulletin.

They’re currently analyzing the computer of the 23-year-old IT graduate, who apparently hails from Sampaloc, Manila.

The man has been named as Paul Biteng, a security researcher listed in Facebook’s Security Hall of Fame and Microsoft’s Security Researcher Acknowledgments page, according to the paper.

He is said to have taken part in the attack in order to highlight vulnerabilities in the Comelec site; however, Biteng may now face prosecution under the Cybercrime Prevention Law.

The site compromise led to the personal details of up to 55 million Filipinos – all the registered voters in the country – being exposed online.

Security firm Trend Micro claimed at the time that these details included 1.3 million records of overseas Filipino voters, which featured passport numbers and expiry dates.

Also publicly available online were hundreds of thousands of email addresses, plus names, dates of birth, home addresses and job titles.

The breach puts these citizens at increased risk of follow-on phishing attacks and other online scams, and even possible blackmail.

It was reported that Anonymous hackers originally compromised and defaced the Comelec site on 27 March. Three days later, a group going by the name ‘LulzSec Pilipinas’ posted the data online.

Comelec has sought to play down the seriousness of the incident, claiming the site that was hacked was not connected to the one used to display any electoral results.

However, Trend Micro confirmed that its own research proved “massive records of PII, including fingerprints data were leaked.”

Source: Information Security Magazine

Card Payment Details Most Sought After Data in 2015

Trustwave has released its 2016 Global Security Report which delves into the latest trends in cybercrime, data breaches and security threats of the last year.

Of particular note, the report revealed that card payment details were the data most sought after by hackers in 2015, the driving force behind 60% of the attacks the firm investigated. In terms of prime targets, retail was the most compromised industry, followed by the hospitality sector, and the food and beverage market.

Further, Trustwave unearthed weaknesses in application security with almost all (97%) of the applications it tested having at least one vulnerability – 10% of these were considered to be critical or high risk.

“Cyber-criminals have been congregating and organizing for years, but 2015 showed a marked increase in the behavior we would normally associate with legitimate businesses,” said Trustwave Chief Executive Officer and President Robert J. McCullen. “Based on the study of numerous security incidents, exploit kits and malvertising campaigns, our 2016 Trustwave Global Security Report shows businesses how and where these sophisticated criminal organizations are most likely to attack, and more importantly, how to defend their assets.”

Perhaps most notably, the research revealed Angler to be the most prevalent exploit kit of 2015, accounting for 40% of exploit-kit-related incidents observed, more than double the share of Nuclear, the second most prevalent. Angler was also the first exploit kit to integrate several newly disclosed exploits, including four zero-day exploits and seven “one-day” exploits, which target vulnerabilities for which a patch has been released but not yet widely deployed.

In a statement to Infosecurity, Panda Security technical director Luis Corrons explained that exploit kits are now a common tool for attackers and are continually changing and becoming more complex.

“As security professionals learn how to fight against this kind of threat, they evolve, mainly trying to figure out ways to stay undetected,” he said.

“As simple as it sounds, an update policy in place can solve almost all the problems due to infections from exploit kits. Of course when you have several hundreds/thousands of computers, the word ‘simple’ might be not accurate. In that case you need a solution that shows you which computers are actually executing vulnerable versions of software (Java, Flash, browsers, etc.) so you can act and be protected beforehand,” Corrons added.

Source: Information Security Magazine

Adobe Customers May Have to Stick with Buggy QuickTime

Apple this week finally admitted it has ceased supporting QuickTime for Windows, but some Adobe customers will have to stick with the flawed software or risk not being able to use their Adobe products.

News of Apple’s decision came first not from the firm itself but Trend Micro almost a week ago. The security vendor was told, having disclosed two new vulnerabilities in the multimedia software, that they would not be fixed.

Apple has rectified that now with a statement on its website detailing how to uninstall the product.

However, Adobe has now thrown something of a spanner in the works, despite claiming to have “worked extensively on removing dependencies on QuickTime in its professional video, audio and digital imaging applications.”

“Unfortunately, there are some codecs which remain dependent on QuickTime being installed on Windows, most notably Apple ProRes. We know how common this format is in many workflows, and we continue to work hard to improve this situation, but have no estimated timeframe for native decode currently,” it said in a statement.

“Other commonly used QuickTime formats which would be affected by the uninstallation of QuickTime include Animation (import and export), DNxHD/HR (export) as would workflows where growing QuickTime files are being used (although we strongly advise using MXF for this wherever possible).”

The firm claimed its end goal is to support everything natively without the need for QuickTime, but in the meantime those customers will have no choice but to keep running unpatched software for which black hats are likely to be researching exploits as we speak.

In related security news, Adobe yesterday released an update for its Adobe Analytics AppMeasurement for Flash library, designed to fix a vulnerability rated “important” – that is “Priority 2.”

The flaw “could be abused to conduct DOM-based cross-site scripting attacks when debugTracking is enabled,” according to Adobe.

Source: Information Security Magazine

FIN6 Hackers Stole Millions of Cards – Report

Security researchers have lifted the lid on the lucrative world of financially motivated cybercrime, claiming the ‘FIN6’ group may theoretically have made as much as $400 million from a single POS data heist.

FireEye and iSight Partners combined their threat intelligence efforts to compile the Follow the Money report.

It details how, by targeting various companies mainly in the retail and hospitality sectors, and using classic targeted attack techniques, the group managed to deploy Trinity POS malware on around 2000 systems.

The resulting stolen data, dating back as far as 2014, was found on a single underground card site.

The report continues:

“Our analysis of the data sold through this underground vendor indicates that FIN6’s compromises are highly profitable to the actors involved, potentially resulting in extensive fraud losses. For instance, in one FIN6-linked breach the vendor was advertising nearly 20 million cards. These cards were predominantly from the United States and selling for an average of $21. So the total return for the shop — if all the data was sold at full price — could have been about $400 million.”

The report goes on to clarify that FIN6 is unlikely to have made the full $400m, since buyers want the freshest card data possible and monetizing stolen cards is harder than stealing them.

“Still, a fraction of $400 million is a significant sum,” it adds.

There will now be even more emphasis on cashing out stolen cards quickly, especially in the US, where the majority of FIN6’s victims were, given the migration to EMV.

Chip cards make stolen magnetic-stripe data very difficult to use for cloning cards, which is what most US fraudsters are currently buying it for on underground sites.

A shift to card-not-present (i.e., e-commerce) fraud is predicted as a result, once the majority of businesses have switched over to EMV.

Source: Information Security Magazine

SpyEye Masterminds Begin 24 Year Jail Term

US law enforcers are patting themselves on the back this week after the sentencing of the two men behind the notorious SpyEye banking malware, for a total of 24.5 years.

Russian Aleksandr Andreevich Panin, aka ‘Gribodemon,’ was sentenced to nine and a half years for his role as the primary developer and distributor of the malware, which caused losses of nearly $1 billion and infected over 50 million computers across the globe between 2010 and 2012, the DoJ said.

Algerian Hamza Bendelladj, aka ‘BX1,’ was given 15 years for sending over a million malware-laden spam emails, as well as selling malicious plug-ins for botnets, causing millions in losses to individuals and financial institutions, and running a carding forum: VCC.sc.

Panin was arrested on 1 July 2013, when he flew through Hartsfield-Jackson Atlanta airport, while Bendelladj was cuffed at Bangkok’s Suvarnabhumi airport on 5 January 2013 and subsequently extradited to the US.

Law enforcers are particularly pleased because they say Panin was just months away from releasing a new strain of SpyEye which could have caused “immeasurable losses” to the banking industry.

“It is difficult to overstate the significance of this case, not only in terms of bringing two prolific computer hackers to justice, but also in disrupting and preventing immeasurable financial losses to individuals and the financial industry around the world,” said US Attorney John Horn of the Northern District of Georgia, in a statement.

“The outstanding work by our law enforcement partners, both domestically and internationally, as well as terrific cooperation from the private sector, serves as a blueprint on how to combat complex cyber-crime syndicates around the world.”

Trend Micro was one of those private sector partners, providing vital information such as the online “handles” and accounts used by the duo, it revealed in a blog post.

As for law enforcement partners, the FBI were helped by the UK’s National Crime Agency, which arrested a British hacker, James Bayliss, in 2014 for his part in helping to code the ccgrabber plugin for SpyEye, according to Trend Micro.

“Taking down infrastructures and servers is but a short-term solution to the problem of cybercrime; to truly address cybercrime, the perpetrators themselves must be stopped,” the firm wrote.

It should be noted that other co-conspirators of the duo are likely still at large, as is the FBI’s most wanted cybercriminal – Evgeniy Bogachev, aka ‘Slavik’ – who originally passed the source code and rights for Zeus to Panin.

Source: Information Security Magazine

Compromised Credentials at the Root of a Quarter of All Data Breaches

Compromised credentials are still the cause of almost a quarter of all data breaches.

A Cloud Security Alliance (CSA) report has found that data breaches, account hijacking and malicious insiders all rated as top threats for IT professionals, and that these attacks often occur because of a lack of scalable identity and access management systems, failure to use multifactor authentication, weak password practices, and a lack of ongoing automated rotation of cryptographic keys, passwords and certificates. As such, it’s not surprising that insufficient identity, credential and access management ranked as the top vulnerability.

“The survey results are insightful into understanding insufficient identity, credential and access management, as it relates to the evolving, increasingly cloud-based enterprise,” said Luciano Santos, EVP of research for the CSA. “We hope that organizations and cloud providers can use this information to help gain an understanding of how to protect themselves and their data beyond the perimeter, as they begin to adopt cloud environments.”

Of those who indicated their company reported a data breach, 22% of respondents noted the breach was due to compromised credentials. In addition, 65% of respondents indicated that the likelihood that their company would experience a future breach due to compromised credentials was medium to high.

Surprisingly, there were no significant differences in security solutions used between respondents who reported a breach and those who either did not report or did not know of a reported breach in their organizations. Companies embracing big data solutions consistently adopted more perimeter and identity security solutions; and 76% of internal access control policies extended to outsourced IT, vendors and other third parties.

“The survey findings reiterate that compromised credentials are a leading point of attack used in data breaches,” said Bill Mann, chief product officer for Centrify, which sponsored the report. “We hope that these findings will encourage organizations to leverage single sign-on, multi-factor authentication, mobile and Mac management, along with privileged access security and session monitoring, in order to minimize attack surfaces, thwart in-progress attacks and achieve continuous compliance. It’s also critical that companies secure internal and external users as well as privileged accounts—and it’s great to see that many organizations are already taking that step and extending access control policies to third parties.”
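Failure to use multifactor authentication is one of the causes the CSA report lists above. As an added example, not code from the CSA or Centrify, here is a standard-library Python implementation of TOTP (RFC 6238), the second factor most authenticator apps implement, together with a verifier that tolerates one time step of clock skew but refuses to accept a code for a time step it has already accepted for that user, so a code captured in transit cannot be replayed during its 30-second validity window. The secret is the RFC 6238 test secret; the user names are constructed.

```python
"""TOTP (RFC 6238) generation and verification with replay protection.
Added example of the second factor discussed above; standard library only.
Secret is the RFC 6238 test vector secret, user names are constructed."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits, algo)


class TotpVerifier:
    """Accepts codes within +/- `window` time steps of the server clock, and
    never accepts the same (or an older) time step twice for a user, so a
    code sniffed off the wire is useless once it has been used."""

    def __init__(self, step=30, window=1):
        self.step = step
        self.window = window
        self.last_step = {}  # user -> highest time step already accepted

    def verify(self, user, secret, code, at=None):
        now = int(time.time() if at is None else at)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step.get(user, -1):
                continue  # replay, or older than a step already consumed
            # Constant-time comparison: the code is a secret until it is used.
            if hmac.compare_digest(hotp(secret, step), code):
                self.last_step[user] = step
                return True
        return False


# RFC 6238 Appendix B test secret (SHA-1 variant).
RFC_SECRET = b"12345678901234567890"
# What an enrolment QR code would carry for this secret.
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()


if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(RFC_SECRET, at=59)
    print("code at t=59:", code)  # 287082 per RFC 6238
    print("first use:", v.verify("alice", RFC_SECRET, code, at=59))
    print("replay:   ", v.verify("alice", RFC_SECRET, code, at=70))
```

Two points a practitioner should carry over into a real deployment: store per-user secrets encrypted at rest, since anyone who reads them can mint codes, and persist `last_step` somewhere shared, otherwise a load-balanced pair of servers will each accept the same code once.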


Source: Information Security Magazine

#OpKillingBay Expands Target Focus

Operation Killing Bay, a hacktivist group that targets Japanese government websites and sites of companies participating in whale and dolphin hunting, is expanding its focus.

The group, better known as #OpKillingBay on social media sites, has begun attacking sites unrelated to the hunts, according to Akamai SIRT members Larry Cashdollar and Ben Brown. One member of #OpKillingBay said that companies were targeted not because they supported the hunts, but because they did nothing about them.

Last year, the group’s denial-of-service (DoS) attacks began in early September, with an uptick in October following a TweetStorm. It was a two-pronged campaign, against Japan for dolphin hunting and Denmark for whale hunting, and each prong had its own website and information about that operation.

This year, the strategy has shifted. Akamai has also observed the group threatening to attack whaling groups in other parts of the world, and has found target lists for sites in Iceland and the Faroe Islands. The most-targeted industries thus far are seafood companies, government agencies and theme parks. The group has declared any government site from Japan or Iceland to be a target, given those countries’ past whaling activities.

“We are also seeing that the attackers involved in #OpKillingBay are spreading out and participating in other operations as well,” Akamai said in an analysis. “On Jan. 12, we started to observe attacks against a Japanese automotive web site. Another automotive company joined the list of victims on February 4, and attacks continued every few days.”

The firm said that it’s unclear if the person claiming credit is actually the one launching the attacks, but Akamai is capable of viewing the attack traffic against the mentioned organizations and others that have been targeted within its infrastructure.


Source: Information Security Magazine