Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for October 2016

Trend Micro: Fake Apple iOS Apps Are Rampant

Trend Micro: Fake Apple iOS Apps Are Rampant

The Apple iOS environment is riddled with malicious fake apps, signed with enterprise certificates and had the same Bundle IDs as their official versions on the App Store. Repackaged versions of Pokemon Go, Facebook, and several other gaming apps are just some of the affected titles.

Although iOS 10 has pulled the plug on App Store/legitimate apps updating and overriding their copycats, fake apps still affect devices running on iOS 9.3.5 or earlier. They can still be re-signed, installed and run on iOS devices as long as they tote the same Bundle IDs, according to Trend Micro, and have a valid certificate.

First reported in 2014, a similar technique called the Masque Attack allowed hackers to replace a genuine app from the App Store with a malformed, enterprise-signed app that had the same Bundle Identifier (Bundle ID). Apple subsequently patched the vulnerabilities (CVE-2015-3772 and CVE-2015-3725), but while it closed a door, scammers simply opened a window. Haima and other third-party app stores are abusing a feature in iOS’s code signing process to achieve the same effect.

“More than just creating fake versions, the vulnerabilities pose serious risks in that bad guys can target legitimate apps to distribute their malware,” Trend Micro researchers explained in a blog. “Scammers only need to create malicious content bearing the same Bundle ID as the genuine app’s, then ride on its popularity to entice users into installing their malware. Homegrown apps used by enterprises can also be spoofed, re-signed and repackaged via the same Bundle ID.”

The repercussions to legitimate apps also vary, depending on how their data controls app behavior or how their functionalities are implemented. Crooks can route the legitimate app to a malicious service to phish for personally identifiable information, or even directly steal the user’s online bank accounts. They can also modify an app’s function, such as replacing URLs opened by the app to download malware (which is run after users ‘trust’ the certificate). The legitimate app’s advertisement ID can also be modified so the revenue generated from its monetized ads is sent to the scammers instead.

Scammers need only prepare a relatively modest toolkit to re-sign the app, Trend Micro researchers added.

“App developers who incorporate functions such as in-app purchases are advised to follow Apple’s official guidelines, particularly how to validate receipts with the App Store, as well as employ mechanisms that can deter scammers from reverse-engineering the app,” the company recommended. “Businesses that employ/support iOS devices are recommended to balance mobility and productivity with privacy and security-conscious policies, especially when adopting BYOD. Aside from keeping the OS up-to-date, the risks serve as a reminder for end users to beware of downloading apps from dubious third-party marketplaces.”

Photo © chasdesign/Shutterstock.com

Source: Information Security Magazine

IoT Control Wins Trusted Environment Hackathon

IoT Control Wins Trusted Environment Hackathon

Internet of Things (IoT) security got a boost this week: SafeHaven, a system that enables granular control of IoT devices in a smart home, has won the inaugural GlobalPlatform Trusted Execution Environment (TEE) hackathon. 

GlobalPlatform is a cross-industry body that defines and develops specifications for secure chip technology. It challenged programmers, idea generators and designers to create trusted applications that make use of the latest TEE security technology.

The winning solution impressed judges as it had two trusted applications (one securing the user credentials and one controlling user access in a TEE) as well as two mobile applications (one performing administration and one performing user functionality).

Without prior experience of using the technology, developers Subhash Gutti and Harish Gowda created a functioning gateway system during the hackathon which remotely, instantly and securely denies or grants access to IoT devices using the TEE.

"In the age of mobile and IoT devices, the importance of secure operations and transactions of applications, backed by hardware security, is acknowledged and valued more than ever," said Henry Lee, vice president of security R&D for Samsung Mobile, which sponsored the event. "I believe that this hackathon will continue to act as a catalyst for recognizing the importance of trusted applications, TEE and hardware-backed security."

Rolling IDs, a start-up focusing on producing small wearable asset trackers, was named runner up, as it successfully demonstrated how TEE technology can host an algorithm that ensures privacy-by-design tracking mechanism. The second runner up, TuffPass, was a TEE-based consumer object which was designed to create, store and retrieve strong passwords.

“The TEE is poised to become the standard for ensuring device integrity, data confidentiality and authenticity for IoT devices,” said Abhijeet Rane, vice president of marketing at Sequitur Labs, which provided the development platform in the form of a Raspberry Pi and its TEE virtual environment. “It is imperative for developers to understand this technology and learn to develop applications that utilize it. The TEE hackathon event provided the opportunity to engage with and train developers, and a forum for developers to learn about TEE use cases.” 

Hackathon participants were invited to compete for cash prizes and the chance to present their trusted applications to TEE experts at the GlobalPlatform TEE Conference.

“Our objective in setting up this hackathon was to allow developers to implement ideas on TEE and the result has been outstanding; developers were able to quickly develop impressive secure application prototypes,” said Gil Bernabeu, technical director for GlobalPlatform.

Photo © a-image

Source: Information Security Magazine

Anti-worm ‘Nematode’ Could be Answer to Mirai Botnets

Anti-worm ‘Nematode’ Could be Answer to Mirai Botnets

A security researcher has uncovered what is claimed to be an effective way to mitigate the threat from Mirai-powered IoT botnets like the one that caused a massive internet outage over a week ago.

The developer claimed the anti-worm ‘Nematode’ could help patch vulnerable connected devices exploited by Mirai – which scans for default Telnet credentials.

The following explanation was posted on GitHub:

“The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device- specific or random. Such a tool could theoretically be used to reduce the attack surface. This is meant to only be tested in closed research environments. Use of this software is at your own risk.”

Those discussing the Proof of Concept on Reddit echoed the author's caution, warning that researchers would be breaking the law if they try this out in the wild without getting permission of the owner of any insecure IoT device.

The internet went briefly into meltdown on 21 October after DNS provider Dyn was taken out by a DDoS launched from a 100,000-strong IoT botnet.

The knock-on effect for Dyn customers meant the likes of Amazon, Twitter, Reddit and Spotify were taken offline on the Friday.

The provider confirmed the botnet was mainly powered by devices compromised by Mirai, malware publicly released just weeks before.

However, it refused to be drawn on who might have been behind the attack, or whether it was – as some have claimed – a massive 1.2Tbps.

In related news, security firm Invincea claimed last week to have found a stack buffer overflow bug in the Mirai source code which, if exploited, could prevent an HTTP flood attack.

However, it doesn’t address the underlying problem of vulnerable IoT devices and effectively leaves them intact to be exploited in future attacks.

Source: Information Security Magazine

Security Research Boost as DMCA Exemptions Are Announced

Security Research Boost as DMCA Exemptions Are Announced

There was good news for the white hat community on Friday after a new exemption to the Digital Millennium Copyright Act (DMCA) was finally authorized, removing a major legal barrier for security researchers.

The new temporary exemption effectively means that, as long as they abide by the Computer Fraud and Abuse Act (CFAA), researchers can do things like jailbreak phones, reverse engineer and circumvent obfuscated code in tech that allows access to copyrighted material.

The Federal Trade Commission explained:

“There are at least four main requirements researchers must meet when setting up a research environment in order to fall under the exemption. First, the computer program, or any devices on which those programs run, must be ‘lawfully acquired.’  Second, during research, the device and computer program should operate ‘solely for the purpose of good-faith security research.’ This means, in part, that the research ‘must be conducted in a controlled setting designed to avoid harm to individuals or the public.’ Third, the research must not begin before today, October 28, 2016.”

Electronic Frontier Foundation staff attorney, Kit Walsh, welcomed the temporary exemption, which will be in force for the next two years.

However, she claimed they had been “unlawfully and pointlessly delayed” for a year.

“Those limits were a result of opponents’ claims that removing DMCA liability for security researchers and vehicle owners who tinker with their own cars (or merely look at the code inside) would lead to a host of unlawful and undesirable activity, from auto theft, to spying, to safety violations and destruction of the environment,” she said in a blog post.

The head of the Copyright Office and the acting librarian of Congress who conducted the last rulemaking have now both left their positions, and the new librarian is choosing a new head for the Copyright Office.

It is hoped the newcomers will be more sympathetic to the security research community.

Source: Information Security Magazine

UK ‘USB Cufflinks’ Terror Suspect Faces March Trial

UK ‘USB Cufflinks’ Terror Suspect Faces March Trial

A suspected Isis member who is alleged to have trained terrorists in encryption techniques is set to go on trial in March 2017.

Samata Ullah, 33, from Cardiff, appeared by video link-up at the Old Bailey at the end of last week.

He’s accused of six terror offences including being a member of Isis, and writing cybersecurity tips in a blog for other colleagues.

The Ansar al Khilafah blog is said to have also featured instructional videos on topics such as encrypting communications in order to stay hidden from the authorities.

Other charges include one count of providing instruction or training for the commission or preparation of terrorism, one count of directing terrorism, and two counts of possession of material for terrorist purposes.

Ullah reportedly owned a pair of Linux USB cuff links which, when arrested, were found to contain backed up content from the Ansar al Khilafah blog and instructions on how to use P2P network ZeroNet, according to The Express.

The latter features in-built Tor functionality which can anonymise content, something Ullah is suspected of using to keep the blog hidden from the authorities.

He’s also said to have been a user of encrypted messaging service Telegram.

Police are said to have gathered 6TB of data from Ullah’s various devices.

In the UK, US and elsewhere there’s an ongoing battle between law enforcement and prosecutors and technology providers over the use of encrypted services and devices to effectively hide illegal activity from investigators.

This has surfaced most publicly in the States where the FBI took Apple to court to try and force the firm to build a back door into its software in order to help the Feds unlock a device belonging to the San Bernardino shooter.

So far, Silicon Valley has steadfastly refused to cooperate in such a way, claiming it would set a dangerous precedent and undermine the security of key tech platforms for hundreds of millions of innocent users around the globe.

Source: Information Security Magazine

Cyberbit Range Offers Simulated Attack Training

Cyberbit Range Offers Simulated Attack Training

One of the largest challenges for enterprises and companies fighting against cyberattacks is the lack of skilled talent. The Cyberbit Range has ridden onto the scene to provide lifelike simulation for security operations trainees—kind of like the holodeck, in Star Trek.

Organizations can't afford for new analysts entering security operations centers (SOCs) to train on the job, so the need for realistic environments (much like simulations that pilots or other field personnel would use) is at an all-time high. The Cyberbit Range provides virtual and physical SCADA training, which is tough to replicate in a purely virtual environment; new ransomware and other attack scenarios researchers have discovered in the wild; and dynamic modeling, which allows clients to customize simulations according to their own workflows, software and environments.

The virtual training environment comes complete with complex incident simulation, a massive library of attack scenarios and next-generation training tools. With the dynamic modeling, companies can now replicate their own network setup, use their actual security tools and simulate their typical network traffic so trainees can receive the most effective and realistic training available.

The range also includes training for business executives, and SCADA training that uses actual SCADA hardware and unique ICS/SCADA protocols to simulate the physical environment and improve team effectiveness during an attack.

“Security analysts are expected to both master and operate dozens of new tools continually against threats they have never seen, so organizations that put people first will succeed and thrive in today’s ever-evolving threat landscape,” said Adi Dar, CEO of Cyberbit. “By making real-life simulated training more accessible, Cyberbit Range ensures teams—from SOC staff to executives—are best-equipped to manage these targeted attacks.”

“Every day, cyber-criminals are developing new means of infiltrating networks in government, in the private sector and in organizations across the globe,” said Ken McCreedy, senior director of cybersecurity and aerospace for the Maryland Department of Commerce. “The flood of new types of cyber threats has, in turn, created a tremendous demand for cybersecurity professionals. Thanks to ETA’s selection of the Cyberbit Range for its new cybersecurity training center in Baltimore, Marylanders will have access to lifelike simulations and interactive training, ensuring a new wave of cyber sleuths will be able to effectively strategize and combat evolving cyber-attacks.”

Photo © Mopic

Source: Information Security Magazine

Converse E-Commerce Site Hacked for Payment Info

Converse E-Commerce Site Hacked for Payment Info

Australian fans of the iconic Converse All-Star sneaker brand beware: The company’s digital Oz outpost has been hacked.

The company’s e-commerce site was intercepting payment details for website visitors that made purchases between Sept. 2 and Oct. 12 of this year.

Security researcher Troy Hunt broke the news, posting a tweet showing the letter that the company sent customers.

“We were recently made aware that www.converse.com.au was targeted by computer hackers using malicious programs known as malware,” the letter reads. “This malware targeted payment card information.”

The site is actually run by a company called Conquest Sports, which licenses the Converse name in Australia and New Zealand. So, other sites elsewhere in the world remain unaffected.

The good news is that Conquest Sports was able to catch the intrusion quickly—once discovered on Oct. 12, it remediated the issue the same day, it said.

The news comes just as Australia reels from its largest-ever data breach, stemming from an attack on the Australian Red Cross Blood Service.

The data stolen in that attack included over 1.2 million records pertaining to 550,000 blood donor applicants. The information crucially included answers to a highly sensitive question on whether the applicant had engaged in "at-risk" sexual behavior over the past year.

Other info included names, blood types, dates of birth, email and snail mail addresses and phone numbers—all of which could be used in subsequent phishing attacks.

Photo © emka74/Shutterstock.com

Source: Information Security Magazine

Most Americans Believe a Tech-Enabled Terrorist Attack is Imminent

Most Americans Believe a Tech-Enabled Terrorist Attack is Imminent

A full 69% of Americans believe a major, technology-based terrorist threat is likely within the next three to five years.

Pace University announced poll findings that show that fear of these kinds of cyber-threats increases with age, reflecting a potential generational divide in how technology is understood and experienced.  

Only 58% of participants under 30 believed that a technology-based terrorist threat was imminent, while 85% of participants over 60 felt the same way. Men are also more likely to fear these kinds of cyber-attacks, with 76% responding yes, compared with only 61% of women.

“We live in extraordinary times. Just last weekend a cyberattack cut millions of Americans off from the internet,” said Pace University president Stephen Friedman. “And throughout the presidential election cycle, hacked emails have been released in an attempt to influence America’s most fundamental and democratic process. We are ever-more reliant on technology, and our vulnerability to cybercriminals and cyber-attacks increases in tandem.”

 “There is no electronic system that cannot be hacked,” added Joel Brenner, former Inspector General and senior counsel at the National Security Agency, who reviewed the findings.

The results dovetail with an earlier Gallup poll showing that Americans view cyber-terrorism as a leading threat to US vital interests in the next 10 years. In that study, US adults ranked cyber-terrorism (73%) along with international terrorism (79%) and development of nuclear weapons by Iran (75%) as the highest of a dozen potential threats.

This is the first year Gallup asked about cyber-terrorism, defined in the poll as "the use of computers to cause disruption or fear in society."

Interestingly, Gallup found that Republicans and Democrats, including independents who lean toward each party, differ considerably in their assessments of what constitutes a real danger to the vital interests of the US. Republicans and Republican-leaning independents are much more likely to categorize most issues as a "critical threat."

Photo © posteriori

Source: Information Security Magazine

IT Admins Urged to Patch Critical Industrial Control Flaw

IT Admins Urged to Patch Critical Industrial Control Flaw

Security experts are urging IT teams to patch a critical remote code execution bug in one of the world’s most popular industrial control equipment providers, which could allow hackers to cause major operational disruption.

Security vendor Indegy revealed that the vulnerability affects Unity Pro, the flagship software for managing and programming Schneider Electric industrial controllers.

“Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations,” it wrote. “This makes this attack relevant across virtually any process controlled by these PLCs. Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.”

The RCE bug resides in the “Unity Pro PLC Simulator” module which tests code prior to execution, and is present in all versions of the software.

It would effectively enable a remote hacker to impact the physical environment of any facility running the software, for example, turning off a city’s power supply.

The good news is that Schneider Electric has now released an updated version of the software thanks to the responsible disclosure of the bug by Indegy, which IT teams are urged to implement ASAP.

Tripwire senior director, Tim Erlin, argued that industrial control systems should always be kept air-gapped from the internet so they can’t be remotely attacked.

“While that may seem obvious to many people that control systems shouldn’t be directly accessible from the internet, it’s also a fact that many of these systems are,” he explained.

“In cases where a system can’t be patched or otherwise protected, Schneider customers should be diligently monitoring for any hint of exploit activity.”

Mike Ahmadi, global director of critical systems security at Synopsys, praised Schnieder for its quick response in issuing the patch.

“This is a sign of a mature organization with a solid cybersecurity incident management plan,” he said.

“As someone who has worked with Schneider in the past I know they expend considerable effort in internal cybersecurity vulnerability testing, as well as incident response."

Source: Information Security Magazine

Blood Service Data Leak Could be Australia’s Biggest

Blood Service Data Leak Could be Australia’s Biggest

The Australian Red Cross Blood Service has apologized after a database backup file containing over one million donor records including highly sensitive information on sexual activity was exposed to the public.

The ‘breach,’ which is said to the country’s biggest, came after a partner published the 1.74GB mysqldump file to a publicly facing website with directory browsing enabled.

This meant that an unnamed researcher was able to find it at random using a simple IP address scan for publicly exposed web servers returning directory listings.

He then told HaveIbeenpwned? founder Troy Hunt who contacted the AusCERT.

“There is no good reason to place database backups on a website, let alone a publicly facing one,” he wrote in a lengthy blog post explaining the situation.

The data included over 1.2 million records pertaining to 550,000 blood donor applicants. The information crucially included answers to a highly sensitive question on whether the applicant had engaged in "at-risk" sexual behavior over the past year.

Other info included names, blood types, dates of birth, email and snail mail addresses and phone numbers – all of which could be used in subsequent phishing attacks.

In a statement apologizing for the incident the Blood Service said it has taken immediate action to resolve the problem and informed the police and Australian Information Commissioner.

“To our knowledge all known copies of the data have been deleted. However, investigations are continuing,” said Blood Service CEO Shelly Park in a statement.

“The online forms do not connect to our secure databases which contain more sensitive medical information. The Blood Service continues to take a strong approach to cyber safety so donors and the Australian public can feel confident in using our systems.”

It remains to be seen if any other parties found the exposed information before the incident was flagged. It’s unclear how long the data was left publicly available, but it contains info on donors who’ve registered between 2010 and 2016.

Source: Information Security Magazine