Botnets and cybercrime

admin    IT News, Security    

Preface

One of the most insidious cyber threats for security community is represented by diffusion of botnets, networks of infected computers (bots or zombies) managed by attackers due the inoculation of malware. The controller of a botnet, also known as botmaster, controls the activities of the entire structure giving orders through communication channels; the use of botnets is very commons in various IT contexts, from cybercrime to cyber warfare.

A botnet could be used to conduct a cyber-attacks, such as a DDoS, against a target or to conduct a cyber-espionage campaign to steal sensitive information. There are various classifications of botnets, it’s possible to discriminate them from the architecture implemented, the used network protocol or technology on which they are based.

The level of diffusion of the botnets depends on the capabilities of managers to involve the largest number of machines trying to hide the activities of the malicious architecture. A critical phase in the arrangement of a botnet is represented by its constitution; the attackers have essentially two options, recruit bots diffusing a malware, typically via phishing campaign or sending the malicious agent via email, or renting in the underground the entire architecture.

As we will see in the post the diffusion of botnet is increased due various factors such as the availability of unprotected mobile platforms and the presence in the underground market of cyber criminals that rent services and structures to compose the malicious systems.

Infected machines receive commands from Command & Control (C&C) servers that instruct the overall architecture to operate to achieve the purpose for which it has been composed such as creation of SMTP mail relays for targeted spam campaign, implementation of a fraud scheme (e.g. Banking information gathering) or to launch a denial of service attack.

Current situation

According the analysis proposed recently by principal security firms botnets represent one of the most insidious cyber threats that caused in 2012 huge financial losses and serious damage to companies all over the world. The cyber threat botnet is creating great concern between security experts due its diffusion, millions of compromised computers connected to the Internet are in fact daily used to realize scams and cyber-attacks. The ease with which criminals can organize a botnet, although without having either special technical knowledge or complex infrastructures, is a factor that contributing in a meaningful way to the diffusion of botnets. Overall messaging botnet growth jumped up sharply from previous years. Behind the principal botnets, there is the cybercrime industry that is pushing on the diffusion of malware to infect an increasing number of machines, but also proposing new models of business, such as botnet rental or the commerce of the agents for botnet creation.

In many cases, the cyber criminals instead of monetizing botnet activities by directly implementing fraud schemas, rent a series of services to other criminals –a trend confirmed by the constant monitoring of the underground market offers.

According F-Secure, ZeroAccess is the most prevalent botnet observed in 2012. It compromised the largest number of machines in France, United States and Sweden, and it is considered most profitable malicious architecture. ZeroAccess infected millions of machines globally in 2012 with up to 140,000 unique IPs in US and Europe. F-Secure Threat Report H2 2012 states:

“The malicious site contains an exploit kit, usually Blackhole, which targets vulnerabilities on the user’s machine while they’re visiting the site. Once the machine is compromised, the kit drops the malware, which then turns the computer into a ZeroAccess bot.”

To give an idea of the economic impact of the botnets, the report revealed that the ZeroAccess threat reportedly clicks 140 million ads a day. It has been estimated that the botnet is costing up to USD 900,000 of daily revenue loss to legitimate online advertisers. ZeroAccess author also designed another revenue scheme through Bitcoin mining using the computational capabilities of its victims. More than half of the botnet is dedicated to mining Bitcoin for profit. Unfortunately, it is not the unique one. Botnets such as Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet) were also very active.

Zeus botnet is confirmed as the most insidious and specialized botnet that hit banking sector. The United States, Italy and Germany were counties with major diffusions of the malware. According “2013 GLOBAL THREAT INTELLIGENCE REPORT (GTIR)”, proposed by the Solutionary security company, the US and Germany are the countries with the most prevalent sources of botnet Command and Control (C&C) traffic.

Figure 1 Botnet C&C Activity by Country – Solutionary Report

Solutionary experts confirmed that the emergence of the Blackhole 2.0 exploit kit will sustain the growth of number of botnets; SERT expects that this exploit platform will evolve in a much faster and more efficient manner being as an essential component for attackers.

Another interesting fact noted by security experts is that cyber criminals, to hide CnC communications, have started to adopt a solutions such as securing them using HTTPS protocol or hiding command messages within the traffic of social networks.

The process allows the safe passage of cyber threats, such as malicious code, and protects communications from control of security firms, but only once the victims have been already infected. For malware updates or stolen data, these communications often make use of data encryption. That’s why monitoring inbound HTTPS traffic is crucial to identify and block attacks even though it provides minimal value in detecting CnC communications.

Classification of botnets

Trying to categorize the concept of botnet is not easy. There are many purposes for which these architectures are created. They inevitably influence factors such as the malware used to compromise victims, rather than the technology that you want to use.

Botnets could be discriminated by the structure they implement. Some networks are based on one or more C&C, every bot is directly connected with Command & Control server. The C&C manages a list of infected machines; it monitors their status and gives them operative instructions.

This type of architectures is simple to arrange and manage but present the drawback of being very vulnerable, shutting down the C&C the entire botnet could not operate, the server in fact represents a single point of failure because the operation of the botnet is functional to the capability of its bot to reach the control systems. Principal detection techniques are based on the analysis of traffic between bots and C&C, to improve resilience to eradication-decentralized botnets have been designed.

Figure 2 – Botnet C&C based

In decentralized botnet architectures, also known as Peer-to-Peer botnets, the bots are not necessarily connected to the C&C servers, but they compose a mesh structure in which commands are also transmitted from the zombie to the zombie. Each node of the network has a list of addresses of “neighbor” bots with which they communicate and exchange commands. In a similar structure, each bot could send orders to others and attackers to control the entire botnet, but they need access to at least one computer.

Figure 3 – P2P botnets

Last year Symantec security researchers detected a variant of the popular Zeus malware that relies on P2P communication as a backup system in case the C&C servers were not reachable. The variant isolated by Symantec doesn’t use C&C servers implementing an autonomous botnet, the experts Andrea Lelli declared:

“Every peer in the botnet can act as a C&C server, while none of them really are one,””Bots are now capable of downloading commands, configuration files, and executable from other bots — every compromised computer is capable of providing data to the other bots,”

This type of botnet is really concerning. It’s hard to fight due the absence of a point of failure as represented in a classic botnet architecture by the C&C servers. Despite the fact that destroying a decentralized botnet is more difficult, this type of architecture presents a management superior complexity. That’s why hybrid structures are the hackers’ privilege choice.

Botnets could be also classified by using network protocol or the technology on which they are based. Various architectures could be based on different communication protocols. One of the classic botnet scheme is the IRC-oriented, that is, based on Internet Relay. Each bot receives a command through an IRC channel from an IRC-Bot Server. An IRC bot is composed of a collection of scripts that connects to Internet Relay Chat as a client.

Most advanced botnets use their own protocols based on protocols such as TCP, ICMP or UDP. For example in the case mentioned before of Zeus Peer to Peer variant, the expert noted that authors implemented communication through UDP protocol.

Botnets could be based also on instant messaging services, so they are called IM-oriented, in this case commands are sent to the zombies via IM-services such as AOL, MSN and ICQ. Of course we cannot miss web-based botnets, a collection of infected machine controlled through www. HTTP bots connect to a specific web server, receiving commands and sending back data. This type of architecture is very easy to deploy and manage. A particular variant is represented by social network botnets. These architectures use popular social media platforms to send messages to zombies. These architectures are very difficult to trace due large of volume generated by social networking activities.

This type of botnet has become very popular with the diffusion of exploit kits able to compromise remote machines and control them. Usually cyber criminals send malicious links to the victims, via mail or social network messages, that hijack user on a compromised website that hosts the exploit kit. In a dynamic way, the victim is infected and one or more malware is downloaded to victim’s host.

According to Group-IB, the new trend in C&C communication methods is the usage of public and well-known application protocols as well as placing C&C on social networks profiles and user accounts. The architecture of such botnets can be different and can be used for different purposes:

• DDoS attacks
• Spamming (e-mail, social networks)
• Covert channel for information exchange
• PsyOPS in social networks

In such cases, it is hard to detect the anomalies in network traffic to find the malicious activity, as the bots just check the prepared file or text signature in social network. Sometimes the functions of modern social networks, cloud services and WEB-portals are used as a covert channel for information storage. One of the latest incidents was related to Evernote services, where the hackers prepared their own user account and uploaded the file with the commands to the botnet. The same method was used also with Twitter in Flashback botnet. The Zeus botnet is a classic example of this type of architecture, it was known to be able to steal banking credentials from victims.

Figure 4 – Zeus Builder

Mobile botnets

As explained, one of most interesting evolutions in botnet world is the opening to mobile to mobile platform. Damballa Research Laboratory discovered 40,000 infected mobile devices that have communicated through C&C servers for the first six months of 2011. Meanwhile, colleagues at McAfee Lab were some of the first firms to announce a large scale diffusion of new variant of Zeus malware on mobile platform. Today, mobile botnets are a reality. Millions of mobile devices have been infected by botnets in China via 7,000 Trojanized applications.

“Security researchers say they have discovered a huge botnet running on the smartphones of more than a million unsuspecting mobile users in China. The botnet can allow the smartphones to be hijacked remotely and potentially used for fraudulent purposes. (BBC)”

Exactly as for a desktop machine, mobile botnets exploit the same communication channels (e.g. IRC, HTTP, P2P), and the technological evolution of mobile solution provides environments having advanced capabilities that are attracting an increasing number of botmasters.

Drew Williams, President at Condition Zebra declared:

“Since July 2012, more than 100 million Android phones have found their way to new owners, which represents slightly more than half of the market in smartphones (sorry, iPhones). Fake apps and bad SMS messaging is all the rave with the malware writers these days, and as the new year unwinds, we have already seen report after report of this rising tide of “new” target exploits.”

Following a list of principal mobile botnet observed in the last year

Figure 5 – Principal Mobile Botnet (Meisam Eslahi for Security Affairs)

Security researcher and digital forensic investigator Meisam Eslahi listed for Security Affairs the principal mobile cyber threats to emphasize their existence and their negative impacts on mobile network environments:

Zeus

The Zeus in the Mobile or Zitmo is a multiplatform agent that infects a variety of mobile operating systems, such as Symbian, Windows Mobile, BlackBerry, and Android, mainly by social engineering approaches. It sends an infected SMS to victims contain a fake URL to dupe users to download a security certificate that is, in fact, the Zitmo bot. It is also able to intercept messages sent by banks to their customers and authenticates illegal transactions by stealing mobile Transaction Authentication Numbers (TAC).

DroidDream

DroidDream was one of the good examples of this silent and insidious malware, since it is activated silently and at night (11pm to 8 am) when the mobile’s users are asleep. It was designed to gain root privileges on infected mobiles and install a second application to steal sensitive information and protect itself from removal.

Android.Bmaster

The Android.Bmaster has infected a high number of mobile devices by using Trojan applications and exploited techniques. The Symantec named Bmaster as “A Million-Dollar Mobile Botnet” since it has gained millions of dollars through premium SMS, telephone or video services. However, recently a new mobile botnet called MDK has overtaken the Bmaster by infecting nearby 7,000 applications and having one million mobile devices under the control of its botmaster.

Ikee.B

Although the Ikee.B is a simple botnet in nature, it can be named as one of the early generations of mobile botnets that operates on jailbreak iPhones with almost the same functionality as computer-based botnets. Scanning the IP range of iPhone networks, looking for other vulnerable iPhones in global scale and self-propagation are the main activities of this malware.

AnserverBot

Amongst different types of mobile botnets, the AnserverBot can be considered as one of the most sophisticated malwares. Its command and control is designed based on a complex two-layer mechanism and implemented over a public blog. In addition to detecting and disable the security solution in infected device, the AnserverBot periodically checks its signature to verify its integrity in order to protect itself from any type of changes.

TigerBot

TigerBot is fully controlled by SMS instead of the Internet and web technologies. However, it detects the C&C messages and makes them invisible to the mobile device owners. In addition to collecting private data like SMS messages, it has sophisticated capabilities to record voice-call conversations and even surrounding sounds.

There is also appeared new kind of mobile malware oriented on banking fraud called Perkele Lite, which costs $7, 000 for a configured file and $12,000 for preparing and placing it on Google Play WEB-site – said Andrey Komarov, Group-IB. It provides own C&C interface and exclusive functions for designing as legit banking application.

Figure 6 . Perkele Lite post in the undergrond

Cost of botnets and DIY trend

One of most concerning phenomena related to malware diffusion is the increasing of the offer of tools and services to allow criminals to implement and manage similar structures.

An increasing number of ill-intentioned individuals are requesting services and are acquiring the tools and malicious code for the arrangement of powerful botnet thanks the explosion of the sales model of malware as a service. Security expert Dancho Danchev is considered one of the most careful observers of cyber-criminal activities in the underground, he has posted many articles updating his readers on the evolution of black markets and described the tendency, dubbed “Do it yourself”, that refers the diffusion of instruments in criminal world that make possible the establishment of malicious botnet.

Malware as a service model allows the outsourcing of criminal services. Let’s think of botnet architecture management and C&C hosting services, thanks to the offer in the underground, criminals don’t need to own a botnet architecture neither need particular skills to manage it, they just need to rent infected network to spread of malicious agents.

Recently the researcher described a new service offering access to thousands of malware-infected hosts, Danchev also estimated the cost to arrange a botnet composed of 10,000 machines located in the US.

Figure 7 – Botnet Admin Panel

The expert analyzed a service offering access to infected hosts located everywhere in the world that is active since middle of 2012 and that despite its official Web site is currently offline it remains in operation until the present day.

Offer of similar services will increase in the next months, also attracting ordinary criminals and inexperienced cyber criminals. This will cause a decrease in the cost needed to acquire infrastructures and services to conduct a cyber-attack.

Purchases of US-based, malware-infected hosts are more expensive than machines located elsewhere due higher online purchasing power compared to the rest of the world.

Following the price list proposed by Danchev, as it is possible to note the expense is contained, and the offers various and articulated.

• 1,000 hosts World Mix go for $25, 5,000 hosts World Mix go for $110, and 10,000 hosts World Mix go for $200
• 1,000 hosts EU Mix go for $50, 5,000 hosts EU Mix go for $225, and 10,000 hosts EU Mix go for $400
• 1,000 hosts DE, CA and GB, go for $80, 5,000 hosts go for $350, and 10,000 hosts go for $600
• Naturally, access to a U.S.-based host is more expensive compared to the rest of the world. A 1,000 U.S. hosts go for $120, 5,000 U.S. hosts go for $550 and 10,000 U.S hosts go for $1,000

Last year Trend Micro published an excellent analysis on the Russian underground market, researcher Max Goncharov analyzed the services and the products offered by cyber on online Russian forums and services attended by hackers such as antichat.ru, xeka.ru, and carding-cc.com. It is relatively simple to come across sites that offer rented service for pre-built botnets, if the following table reflects the cost of Botnets, organizing a botnet has never been so easy!

Figure 8 – Botnet prices (Trend Micro)

Conclusions

The scenario presented demonstrates the rapid diffusion of botnets, and the increased ease for criminals to acquire products and services to create and manage malicious architecture. This first article is an introduction of the botnet world that provides an overview of the state of the art on this cyber threat detailing also offers that support the growing phenomena of DIY.

The fight against the proliferation of botnets, in my judgment, goes through following key factors:

• Timely and methodical study of evolution of technological solutions on which are based botnets. It’s important to define a universally recognized set of indicators to deterministically qualify the threat and its evolution.
• The promotion of joint operations that involve government agencies and the major private industry players. In this sense, some large companies have already embarked on a close collaboration with governments, as in the case of Microsoft.
• Awareness of the cyber threats and divulging best practices for the containment of the infection.
• Approval of regulations and penalties, recognized globally, for those who develop or contribute to the spread of botnets. Unfortunately today, different legislative frameworks represent an advantage for those who intend to commit a crime using these tools.

Despite the good intentions, we are still far from global agreement on the definition of the proper action against botnet diffusion, both on legislative and operative perspectives.

In the second part of the article that I’ll submit in the next weeks, we will analyze most sophisticate solutions implemented by botmaster to keep secure their infrastructures and monetization method behind them. The second part will also propose methods for detection and fighting of malicious architecture.

[infosecinstitute]

Yes, This Week’s DDoS Attack Was Huge, And Part Of An Ominous Trend

admin    IT News, Security    

Depending on who you believe, the week long Spamhaus-Cyberbunker cyberattack we covered Wednesday was either a threat to the Internet itself or hyped up by an overzealous security vendor. Either way, it was still serious business.

While much of the Internet disruption may have in fact been localized to Europe, and also potentially caused by tampering with underwater telecom cables in the Mediterranean, big DDoS attacks — that is, distributed denial-of-service assaults that aim to knock target computers off the Internet — are real, and have been on the rise since 2010.

Dan Holden, the director of ASERT, Arbor Networks’ security engineering and response team, has been monitoring DDoS attacks for more than 12 years. In 2012 his company released a Worldwide Infrastructure Report that reports attack sizes have been peaking at around 100Gbps (check out this detailed look at the report here). This week’s attack was more than 300Gbps — way above the norm, in other words.

That’s because the attackers actually co-opted part of the Internet’s basic infrastructure — the Domain Name System, or DNS — in such a way as to greatly amplify the firehose stream of data they were directing at target computers.

Here’s how they work, according to Carlos Morales, Arbor Networks’ vice president of global sales engineering and operations:

Attackers send DNS queries to a [DNS server] on the Internet but use the victim address as the source of the query. When the response goes back, a response that is usually multiple times the size of the initial query, the response goes to the victim. Multiple this by hundreds of thousands of requests from bots on the Internet spoofing the one victim address and you get a very large flood of traffic to the victim machine.

Holden says DNS is becoming an increasingly popular target for DDoS. As many as 27 million DNS servers across the Internet are “open” in a way that allows them to be hijacked this way.

That means that while this week’s attack may not have knocked us Americans off of the Web, the amount of localized disruption overseas was definitely large enough to cause serious reverberations. This may not have been the Web’s D-Day, but these could definitely be the opening salvo of a hacker blitzkrieg. Let’s hope the ISPs and powers that be don’t Neville Chamberlain it.

[RWW]

The Mobile Enterprise: 4 Steps To Keeping It Secure

admin    IT News, Security    

Security is a balancing act, especially when it comes to emerging technologies that promise to unlock massive business potential. Each new wave of change requires an enterprise to adapt its security posture, or risk being left behind – or exposed to unmanaged risk.

Mobile is no different.

What was predominantly a consumer-oriented phenomenon is rapidly becoming a top business priority. Individuals, product teams and marketing departments are all scrambling to seize the benefits mobile presents, while security organizations are scrambling to regain control – or at least awareness – of all the enterprise’s mobile-related activities. Enterprises recognize that going mobile requires a strategic perspective.

The importance of defining a security strategy for mobile carries greater urgency than ever. While 84% of consumers now use their personal smartphones for work, mobile malware has increased more than four times since 2010. Recent reports indicate that 51% of companies have experienced data loss due to insecure mobile devices – and the average cost of a breach was a hefty $5.5 million. Enterprises have a very real need to reduce this risk while not affecting business objectives focused on mobile. (For a visual look at mobile security stats, see the infographic at the end of this post).

Given the dynamic nature of the mobile market, it can be difficult for an enterprise to define a mobile risk management strategy. Organizational inertia alone can lead to increased risk. One approach is to concentrate on four focus areas of mobile security:

1. BYOD
2. Protected Access
3. Secure Mobile Solutions
4. Mobile Security Intelligence

1.BYOD, or Bring Your Own Device, has become a defining characteristic of mobile adoption in the enterprise. While not exclusive to smartphones and tablets, these new devices led the way with rapid, organic penetration of many enterprises. But every organization can customize the policies that govern the use of employee-owned mobile devices within the enterprise. BYOD policies should reflect the organization’s risk appetite based on its industry, regulations and culture. Policies can modulate the degree of device choice and which employees participate. Of course, before it can enforce its BYOD policies, an organization needs to gain visibility and control over these new devices.

2. Protected Access: Mobile devices empower employees to access relevant information whenever they need it. No matter how much enterprise data is stored on the device, users will frequently need to access additional enterprise data and resources. The enterprise must not only establish secure connectivity channels but also manage risk associated with user authentication and authorization. Given that mobile access typically takes place predominantly outside enterprise boundaries, special care is needed to prevent unauthorized access and reduce risky behaviors. Plus, protecting mobile access provides security teams another lever to gain awareness over their mobile audiences even when they cannot have visibility over the devices themselves (i.e. consumers, partners and unmanaged employees).

3. Secure Mobile Solutions: Apps have emerged as the primary interface for delivering mobile solutions to consumers, partners and employees. Apps enable the rich, task-oriented functionality and user experience that mobile consumers demand. Some mobile solutions are outsourced, while others are built by various parts of an enterprise. Security design needs to be incorporated in each step of the software development lifecycle. Mobile app developers – who are generally not particularly security aware – need tools and processes that help them bake in the enterprise’s security standards and best practices. And the enterprise must also enforce a baseline of security standards across the entire range of mobile solutions it develops.

4. Mobile security through risk management requires constant vigilance. With rapid innovation comes new capabilities that promote new behaviors. And as mobile adoption accelerates, it becomes a richer target for attackers. The threat landscape indicates a growing affinity towards targeted attacks at individuals or organizations, leveraging mobile as a primary socialization platform. To identify risks and take appropriate mitigation steps, enterprises need to gather intelligence across all the touchpoints of mobile engagements. Intelligence gathering should include aggregating security events from the device, users, apps and the network for analysis – including tracking compliance with existing risk management policies.

Mobile is a transformational technology giving individuals unprecedented freedom and flexibility in how they engage professionally and personally. Enterprises cannot afford to ignore that opportunity, but can’t put themselves at risk in their rush to embrace the new technology. By focusing on BYOD, protecting access, securing mobile solutions and developing mobile security intelligence, enterprises can balance the risks and rewards for individual workers and the organization as a whole.

For more on mobile enterprise security, see the infographic below.

[RWW]

Top 12 IT Security Stories of 2012

admin    IT News, Security    

As 2012 winds down, it’s time to take a look at the year in security. Security and data breaches made plenty of headlines in 2012. Here are 12 of the most-read security articles of 2012.

1. 6 Ways to Defend Against Drive-by Downloads

Cybercriminals are increasingly using drive-by downloads to distribute malware without end users knowing something bad has just landed on their machine–until it’s too late. Here are six ways IT departments can protect end users from the productivity sink and potential data loss that drive-by downloads create.

2. How to Tell If an Email Is a Phishing Scam

As email phishing operations have grown more sophisticated and convincing, it’s harder for even savvy corporate email users to determine whether an email is authentic or fake. Here, CIO.com presents an example of a particularly convincing phishing email. We asked, Daniel Peck, a research scientist with email security company Barracuda Networks, to offer tips on how to spot a scam.

3. Are You at Risk? What Cybercriminals Do With Your Personal Data

When hackers attack a company’s systems and steal your personal data, what risk does that pose to you and other victims? How much is your name and email address worth to cybercriminals anyway? To find out what’s really at stake, CIO.com asked security experts six key questions about data security breaches.

4. 4 Ways to Prevent Domain Name Hijacking

A company’s domain name is one of its most valuable assets, yet businesses do little to protect them from being hijacked. As DNS hijacking becomes more prevalent, IT leaders need to understand how they can protect their companies from the damages domain hijacking wreaks. Here are four tips.

5. How to Build Multiple Layers of Security for Your Small Business

The complex and ever-changing security landscape can befuddle small businesses, and the plain truth is that there is no silver security bullet. Small businesses would be well-advised to deploy a multi-faceted security strategy. Here are eight must-have checklist items.

6. How to Prevent Thumb Drive Security Disasters

Small USB flash drives can cause big security headaches. Learn how four very different organizations have managed to balance the need to allow employees to transfer files for legitimate business purposes with the need to prevent data leaks.

7. How to Secure Data by Addressing the Human Element

Your sensitive data is only as secure as the weakest link in your organization, and in many cases the weak link is your employees. A properly established security awareness and training program can pay huge dividends.

8. Will Tech Industry Ever Fix Passwords?

What LinkedIn and other recent breaches tell us about widespread security risks as we embrace social media and cloud applications in the enterprise.

9. Facebook Timeline Scams Prey on Wishful Thinking

If you’re not a fan of the new Facebook Timeline design, beware of bogus Facebook groups and pages promising a return to the old design.

10. Mobile Malware: Beware Drive-by Downloads on Your Smartphone

Drive-by downloads are coming to your smartphone, and they’re harder to detect than traditional PC-based versions. Here’s how you can protect yourself, your users and your enterprise from mobile drive-by downloads.

11. How to Secure Sensitive Files and Documents

Much of an organization’s most sensitive information resides in unstructured files and documents that are commonly subject to data loss and leakage–especially in today’s mobile, Web-based world. IT pros must develop an approach to securing these documents that gives the business the control it needs without stymying employees’ productivity.

12. How to Defend Against Malnets

The number of malnets has jumped 300 percent in the past six months, according to security firm Blue Coat Systems. While they are nearly impossible to kill, there are steps you can take to protect your organization.

[CIO]

Vulnerabilities threaten to crash MySQL databases

admin    Bugs, IT News, Security    

A number of vulnerabilities have been discovered in the popular database software MySQL that could allow attackers to crash the service and deny access to users.

Although researchers initially believed that there were five vulnerabilities, one was recognised as a duplicate of an existing flaw and another a misconfiguration.

The following Common Vulnerabilities and Exposures (CVE) identifiers have been assigned to the issues to track them:

• CVE-2012-5611 — MySQL (Linux) Stack based buffer overrun PoC Zeroday
• CVE-2012-5612 — MySQL (Linux) Heap Based Overrun PoC Zeroday
• CVE-2012-5613 — MySQL (Linux) Database Privilege Elevation Zeroday Exploit
• CVE-2012-5614 — MySQL Denial of Service Zeroday PoC
• CVE-2012-5615 — MySQL Remote Preauth User Enumeration Zeroday

The open source MySQL project was previously developed by a Swedish company by the same name, but was later purchased by Sun Microsystems in 2008, and further changed hands when Oracle subsequently bought Sun in 2010. Oracle is yet to respond to the vulnerabilities, but a replacement for MySQL, developed by Monty Program — MariaDB — which is meant to allow administrators to effectively replace the database software as a compatible alternative, have quickly moved to respond.

Monty Program Vice President of Architecture Sergei Golubchik (who also worked at MySQL prior to its purchase by Sun/Oracle) reported on the Open Source Security Mailing List that the first bug, CVE-2012-5611, is a duplicate of an older bug, CVE-2012-5579, which could allow users to crash the SQL instance or execute arbitrary code. It has been patched in the latest version of MariaDB.

However, Golubchik acknowledged that both CVE-2012-5612 and CVE-2012-5614 could cause the SQL instance to crash, and is working on resolving both issues.

CVE-2012-5615 allows an attacker to confirm whether a certain username is in use by the SQL instance as it immediately responds with “Access denied” if the account does not exist, but provides another response if the account exists, but the supplied credentials are incorrect.

“This is hardly a ‘zero-day’ issue; it was known for, like, ten years. But I’ll see what we can do here,” Golubchik wrote. He has since filed the issue with Monty Program developers as a major bug.

As for CVE-2012-5613, it was initially brought to the attention of the Full Disclosure forum as a means to increase the privileges of certain non-administrative users to one with administrative rights. This requires that the non-administrative user be granted the “FILE” privilege to write anywhere in the file system with the same rights as the SQL instance.

However, as Golubchik noted, the MySQL reference manual highlights, under 6.1.3. Making MySQL Secure Against Hackers and 6.2.1. Privileges Provided by MySQL, that this is a known issue and the database should never be configured this way.

Nevertheless, servers that are misconfigured this way are vulnerable to attack.

Security researcher Eric Romang has highlighted the issue on his blog, and also posted a video demonstrating how misconfigured servers are vulnerable.

[zdnet]

The security features of Android 4.2

admin    Android, IT News, Security    

Android 4.2 offers improved protection from rogue apps installed via third-party stores.

As the Android operating system grows in popularity,  viruses, Trojans, and other nefarious apps targeting the OS are on the rise. Fortunately, the recently unveiled Android 4.2 (still Jelly Bean) brings with it the launch of the new and more powerful security system integrated into the operating system.

The core component of the new Android 4.2 security suite is a real-time app scanning platform  designed to check running apps before any rogue software can install any malicious code.

Interestingly, the new security features in Android 4.2 appear to fit well with various security measures that Google implemented on the Play Store earlier this year. Indeed, the security on the Google Play Store resides on the server side and constantly analyzes uploaded apps.

On the device side, the new security features keep an eye on instaelled apps – offering a modicum of protection if you download software from somewhere other than the Play Store.

“We view security as a universal thing,” Android VP of Engineering Hiroshi Lockheimer told ComputerWorld.
“Assuming the user wants this additional insurance policy, we felt like we shouldn’t exclude one source over another.”

Essentially, the app scanning software  is an opt-in product, so you’ll be prompted by a request to verify apps. If you click agree, the security platform will start running and checking out apps you install or run. If for some reason you change your mind at a later point and don’t want the security service anymore, you can easily shut it off in the security section of the operating system menu.

So how does the security system work? When an app is loaded, the device sends information identifying the application to Google servers, which then analyze the data and compares it to a database of known apps.

“We have a catalog of 700,000 applications in the Play Store, and beyond that, we’re always scanning stuff on the Web in terms of APKs that are appearing,” Lockheimer says. “We have a pretty good understanding of the app ecosystem now, whether something’s in the Play Store or not.”

If the app is loaded from a third-party store is recognized by Google’s servers, the installation continues without any issues. However, if the information matches an app known to be dangerous or harmful the system will prevent you from installing it. You’ll also be notified if the app is questionable, but not outright dangerous. At that point, you can decide whether you want to continue the installation process.

“The server does all the hard work… The device sends only a signature of the APK so that the server can identify it rapidly,”  Lockheimer added.

[tgdaily]

Most-hacked passwords revealed

admin    IT News, Security    

It’s probably no surprise that ‘password’ isn’t the cleverest password to choose for, say, your online banking. But if you thought ‘Jesus’ would save you from being hacked, think again.

SplashData has released its list of the year’s worst passwords, and while the top three – ‘password, ’123456′ and ’12345678′ remain unchanged, there are a number of new entries on the list.

These include the brilliant ‘password1′ – that’ll fool them – along with ‘welcome’, ‘ninja’, ‘mustang’ and, of course, ‘jesus’. Others have shot up the list in the last year, including ’123123′, ‘football’ and ’11111′.

“Those who have been through it can tell you how terrifying it is to have your identity stolen because of a hacked password,” says CEO Morgan Slain.

“We’re hoping that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”

The list was compiled from files containing millions of stolen passwords posted online by hackers.

“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets. Just a little bit more effort in choosing better passwords will go a long way toward making you safer online,” says Slain.

“It just takes a few extra moments to make a password better. If you get started now and make it a resolution to keep it up, your life online will be safer and more secure in 2013.”

[tgdaily]

Russians selling access to private company servers in just $4

admin    IT News, Security    

 

We have already seen vulnerability in Remote Desktop Protocol (RDP) is a potential dangers of desktop remote-access tools commonly used by IT departments to handle help-desk issues and by administrators to manage virtualized machines.

Report: Faulty encryption leaves some Android apps vulnerable

admin    Android, IT News, Security    

Pentagon Hacker McKinnon Wins 10-Year Extradition Battle

admin    Hacker, IT News    

Gary McKinnon leaves the High Court in London on July 14, 2009. Photo: Sang Tan/AP

Accused British hacker Gary McKinnon has won his 10-year battle to resist extradition to the U.S. on charges that he hacked Pentagon computers in the U.S.

U.K. Home Secretary Theresa May announced on Tuesday that her office would block the U.S. extradition request on human rights grounds, since McKinnon, 46, was at high risk of suicide were he to be sent to the U.S. to face trial.

“I have concluded that Mr. McKinnon’s extradition would give rise to such a high risk of him ending his life, that the decision to extradite would be incompatible with Mr. McKinnon’s human rights,” May said.

It marks the first time that the U.K. has blocked an extradition request since signing a treaty with the U.S. in 2003, according to the Guardian.

McKinnon, who was dubbed the “biggest military computer hack of all time” by U.S. authorities, has admitted to accessing U.S. government computers more than a decade ago, but claims he did so only to find proof of a military coverup regarding the existence of UFO’s.

McKinnon has been accused of hacking into more than 90 unclassified Pentagon and NASA systems in 2001 and 2002, causing some of them to crash. Authorities say his actions led to $900,000 in damages.

McKinnon allegedly left a message on one Army computer he breached in 2002, saying, “U.S. foreign policy is akin to government-sponsored terrorism these day…. It was not a mistake that there was a huge security stand down on September 11 last year…. I am SOLO. I will continue to disrupt at the highest levels.”

McKinnon was facing a sentence of between six months and six-and-a-half years in prison under federal sentencing guidelines, but in 2003, he rejected a plea offer that would have had him serving a prison sentence in the U.S. of just six to 12 months at a low-security facility, followed by a transfer back to the U.K. for a six-month parole.

He fought extradition in part by insisting that the U.S. planned to ship him off to Guantanamo Bay, and has spent a decade – nine years more than he would have spent in prison had he accepted the plea deal – keeping the case alive in the U.K. media.

McKinnon and his supporters argued that he should be tried in the U.K., since that was the location from which he allegedly committed his crimes.

McKinnon lost previous appeals in the High Court, the House of Lords and European Court of Human Rights. But two years ago a High Court judge ruled that McKinnon, who suffers from Asperger’s syndrome and depression, could be at risk of suicide if he were extradited to the U.S., which led the Home Office to conduct a psychiatric investigation. Psychiatric examiners concurred that McKinnon was at risk of suicide if extradited.

McKinnon’s case has shone a spotlight on the U.S.-U.K. extradition treaty, which U.K. critics say make it too easy for U.S. authorities to extradite U.K. citizens. May announced on Tuesday that she would introduce a so-called “forum bar” to determine if a British court should be given the power to bar prosecutions overseas if it believes the accused would get a more fair trial in the U.K.

[wired]