Tag Archive: CyberSecurity


Video: Microsoft responds to Pwn2Own IE hack

Just moments after researchers from VUPEN used two zero-day vulnerabilities to hack into the Internet Explorer 9 browser, I caught up with Mike Reavey, senior director in the Microsoft Security Response Center (MSRC) to get his response to the attack and some information on what happens next.


Microsoft Security Response Center (MSRC) director Mike Reavey talks about the CanSecWest Pwn2Own challenge that saw a successful exploit of two zero-day vulnerabilities in the Internet Explorer 9 browser.

Source: ZDNet


Symantec says hackers stole source code in 2006

Symantec Corp said a 2006 breach led to the theft of the source code to its flagship Norton security software, reversing its previous position that it had not been hacked.

The world’s biggest maker of security software had previously said that hackers stole the code from a third party, but corrected that statement on Tuesday after an investigation found that Symantec’s own networks had been infiltrated.

The unknown hackers obtained the source code, or blueprint for its software, to Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere, Symantec spokesman Cris Paden said.

Last week, the hackers released the code to a 2006 version of Norton Utilities and have said they planned to release code to its antivirus software on Tuesday. It was not clear why the source code was being released six years after the theft.

Source code includes instructions written in computer programming languages as well as comments that engineers share to explain the design of their software. For example, a file released last week from the source code of a 2006 version of Norton Utilities included a comment that said “Make all changes in local entry, so we don’t screw up the real entry if we back up early.”

Companies typically heavily guard their source code, which is considered the crown jewels of most software makers. At some companies access is granted on an as-needed basis, with programmers allowed to view code only if it is related to the tasks they are assigned.

The reason for all the secrecy is that companies fear rivals could use the code to figure out the “secret sauce” behind their technology and that hackers could use it to plan attacks.

Paden said that the 2006 attack presented no threat to customers using the most recent versions of Symantec’s software.

“They are protected against any type of cyber attack that might materialize as a result of this code,” he said.

Yet Laura DiDio, an analyst with ITIC who helps companies evaluate security software, said that Symantec’s customers should be concerned about the potential for hackers to use the stolen source code to figure out how to defeat some of the protections in Symantec’s software.

“What we are seeing from Symantec is ‘Let’s put the best public face on this,’” she said. “Unless Symantec wrote all new code from scratch, there are going to be elements of source code in there that are still relevant today.”

Symantec said earlier this month that its own network had not been breached when the source code was taken. But Paden said on Tuesday that an investigation into the matter had revealed that the company’s networks had indeed been compromised.

“We really had to dig way back to find out that this was actually part of a source code theft,” he said. “We are still investigating exactly how it was stolen.”

Paden also said that customers of pcAnywhere, a program that facilitates remote access of PCs, may face “a slightly increased security risk” as a result of the exposure.

“Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.”

Ryan: This is one of the reasons I had been telling people for years not to use Symantec programs. I knew they had been hacked because viruses had been disabling our Norton on machines I had been fixing, and I was seeing a big trend with this.

Source: Reuters / Yahoo! News

Where Have All the Spambots Gone?

First, the good news: The past year has witnessed the decimation of spam volume, the arrests of several key hackers, and the high-profile takedowns of some of the Web’s most notorious botnets. The bad news? The crooks behind these huge crime machines are fighting back — devising new approaches designed to resist even the most energetic takedown efforts.

The volume of junk email flooding inboxes each day is way down from a year ago, as much as a 90 percent decrease according to some estimates. Symantec reports that spam volumes hit their high mark in July 2010, when junk email purveyors were blasting in excess of 225 billion spam messages per day. The company says daily spam volumes now hover between 25 and 50 billion missives daily. Anti-spam experts from Cisco Systems are tracking a similarly precipitous decline, from 300 billion per day in June 2010 to just 40 billion in June 2011.

There may be many reasons for the drop in junk email volumes, but it would be a mistake to downplay efforts by law enforcement officials and security experts. In the past year, authorities have taken down some of the biggest botnets and apprehended several top botmasters. Most recently, the FBI worked with dozens of ISPs to kneecap the Coreflood botnet. In April, Microsoft launched an apparently successful sneak attack against Rustock, a botnet once responsible for sending 40 percent of all junk email.

In December 2010, the FBI arrested a Russian accused of running the Mega-D botnet. In October 2010, authorities in the Netherlands arrested the alleged creator of the Bredolab botnet and dismantled huge chunks of the botnet. A month earlier, Spamit.com, one of the biggest spammer affiliate programs ever created, was shut down when its creator, Igor Gusev, was named the world’s number one spammer and went into hiding. In August 2010, researchers clobbered the Pushdo botnet, causing spam from that botnet to slow to a trickle.

But botmasters are not idly standing by while their industry is dismantled. Analysts from Kaspersky Lab this week published research on a new version of the TDSS malware (a.k.a. TDL), a sophisticated malicious code family that includes a powerful rootkit component that compromises PCs below the operating system level, making it extremely challenging to detect and remove. The latest version of TDSS, dubbed TDL-4, has already infected 4.5 million PCs; it uses a custom encryption scheme that makes it difficult for security experts to analyze traffic between hijacked PCs and botnet controllers. TDL-4 control networks also send out instructions to infected PCs using a peer-to-peer network that includes multiple failsafe mechanisms.

Getting infected with TDL-4 may not be such a raw deal if your computer is already heavily infected with other malware: According to Kaspersky, the bot will remove threats like the ZeuS Trojan and 20 other malicious bot programs from host PCs. “TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them,” wrote Kaspersky analysts Sergey Golovanov and Igor Soumenkov.

The evolution of the TDL-4 bot is part of the cat-and-mouse game played by miscreants and those who seek to thwart their efforts. But law enforcement agencies and security experts also are evolving by sharing more information and working in concert, said Alex Lanstein, a senior security researcher at FireEye, a company that has played a key role in several coordinated botnet takedowns in the past two years.

“Takedowns can have an effect of temporarily providing relief from general badness, be it click fraud, spam, or credential theft, but lasting takedowns can only be achieved by putting criminals in silver bracelets,” Lanstein said. “The Mega-D takedown, for example, was accomplished through trust relationships with registrars, but the lasting takedown was accomplished by arresting the alleged author, who is awaiting trial. In the interim, security companies are getting better and better about working with law enforcement, which is what happened with Rustock.”

Attacking the botnet infrastructure and pursuing botmasters are crucial components of any anti-cybercrime strategy: TDSS, for example, is believed to be tied to affiliate programs that pay hackers to distribute malware.

Unfortunately, not many security experts or law enforcement agencies say they are focusing attention on another major weapon in battling e-crime: Targeting the financial instruments used by these criminal organizations.

Some of the best research on the financial side of the cybercrime underworld is coming from academia, and there are signs that researchers are beginning to share information about individuals and financial institutions that are facilitating the frauds. Recent studies of the pay-per-install, rogue anti-virus and online pharmacy industries reveal a broad overlap of banks and processors that have staked a claim in the market for handling these high-risk transactions. Earlier this week I published data suggesting that the market for rogue pharmaceuticals could be squashed if banks and credit card companies paid closer attention to transactions destined for a handful of credit and debit card processors. Next week, I will publish the first in a series of blog posts that look at the connections between the financial instruments used by rogue Internet pharmacies and those of the affiliate networks that push rogue anti-virus or “scareware.”

Source: Krebs on Security

Survey: 90% of Companies Say They’ve Been Hacked

If it sometimes appears that just about every company is getting hacked these days, that’s because they are.

In a new survey (PDF Found Here) of 583 U.S. companies conducted by Ponemon Research on behalf of Juniper Networks, 90% of the respondents said their companies’ computers were breached at least once by hackers over the past 12 months.

Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months.

Those numbers are significantly higher than similar surveys and suggest that a growing number of enterprises are losing the battle to keep malicious intruders out of their networks. “We expected a majority to say they had experienced a breach,” said Johnnie Konstantas, director of product marketing at Juniper.

“But to have 90% saying they had experienced at least one breach and more than 50% saying they had experienced two or more, is mind blowing,” she said. It suggests “that a breach has become almost a statistical certainty,” these days.

The organizations that participated in the Ponemon survey cut across both the private sector and government and ranged from relatively small entities with less than 500 employees to enterprises with more than 75,000. The online survey was conducted over a five-day period earlier this month.

Roughly half of the respondents blamed resource constraints for their security woes, while about the same number cited network complexity as the primary challenge to implementing security controls.

The Ponemon survey comes at a time when concerns about the ability of companies to fend off sophisticated cyberattacks are growing. Over the past several months, hackers have broken into numerous supposedly secure organizations, such as security firm RSA, Lockheed Martin, Oak Ridge National Laboratories and the International Monetary Fund.

Many of the attacks have involved the use of sophisticated malware and social engineering techniques designed to evade easy detection by conventional security tools.

The attacks have highlighted what analysts say is the growing need for enterprises to implement controls for the quick detection and containment of security breaches. Instead of focusing only on protecting against attacks, companies need to prepare for what comes after a targeted breach.

The survey results suggest that many companies have begun moving in this direction. About 32% of the respondents said their primary security focus was on preventing attacks.

About 16% claimed the primary focus of their security efforts was on quick detection and response to security incidents, while about one out of four respondents said their focus was on aligning security controls with industry best practices.

Source: PC World

Anonymous ‘may have been behind Sony PlayStation Network hack’

Members of Anonymous may have been behind the cyberattack on Sony’s PlayStation Network and Online Entertainment systems despite a denial issued this week, according to reports.

Meanwhile, the group is believed to be considering another attack against Sony’s systems this weekend, just as the Japanese giant had hoped to return them to operation after being offline for more than a week.

Two journalists at The Financial Times report that “veterans” of the group have told them that one or more of the group’s supporters may have gone beyond the rest and broken into the company’s servers in April, rather than simply carrying out a cyberattack that would knock them offline.

Sony claimed in a letter to the US Congress that private investigators called in to find the cause of the cyber-theft, in which personal details and possibly credit card details of between 77m and 100m people using the global networks were stolen, had found a file with the name “Anonymous” and part of its slogan stored on a server that was attacked.

Some members of Anonymous issued an angry denial on Thursday in which they said that no investigation would find the group to have been involved in the thefts, although they agreed that Sony’s systems had been targeted – in an operation they dubbed “OpSony” – for a “denial of service” attack that would cripple it.

But the denial stopped short of saying that Anonymous members had in fact broken into Sony’s systems and left the file there.

Some members of Anonymous are skilled hackers who might have been able to break into Sony’s systems and steal the data. What is unclear is whether they would do it for personal gain or to prove that they could.

Anonymous representatives continued to insist that the break-in was not their purpose or responsibility. “Let’s be clear, we are legion, but it wasn’t us. You are incompetent, Sony,” it tweeted on one of the semi-official Anonymous accounts on Twitter on Thursday.

Now the FT says that Anonymous members had been discussing details of a vulnerability that would enable a break-in to the systems in a chatroom ahead of the beginning of OpSony in April. “The hacker that did this was supporting OpSony’s movements,” the FT quotes the activist saying.

Anonymous is reportedly considering another attack on Sony this weekend in retaliation for the company’s handling – and particularly its accusations against the group – of the PSN and SOE breaches.

The hackers involved told CNet they have access to some of Sony’s servers and that they will publicise any information they can glean from it. That might include internal company details – as happened when Anonymous targeted the website of UK law firm ACS:Law and US security company HBGary – or perhaps the credit card details held on the Sony site.

Anonymous originally targeted Sony over its legal pursuit of George Hotz, who had discovered a “root key” that would allow anyone to run pirated software on the company’s PlayStation 3 consoles.

Source: The Guardian

Sony hires firms to clean up after breach

The Japanese electronics giant has retained a team from privately held Data Forte that is led by a former special agent with the U.S. Naval Criminal Investigative Service to work alongside the FBI agents, who are also probing the matter.

Sony said on Tuesday that it has also brought on cyber-security detectives from Guidance Software and consultants from Robert Half International Inc’s subsidiary Protiviti to help with the clean-up.

Officials with Sony and the three firms did not respond to requests for information about the investigation. Agents with the U.S. Federal Bureau of Investigation have said little about the matter, except that they are looking into the breach of data, which might include some credit card numbers.

Connecticut Senator Richard Blumenthal, in a letter to Sony on Tuesday, asked the company to clarify the number of compromised credit card accounts and requested a detailed timeline outlining what the company knew about what was stolen and when it was known.

Blumenthal said he would ask U.S. Attorney General Eric Holder to investigate the matter and check whether Sony’s subsequent handling of the breach would make it civilly or criminally liable.

“I would appreciate a direct and public answer detailing what the company will do in the future to protect its consumers against breaches of their personal and financial information,” Blumenthal wrote.

“It’s a significant operation,” said David Baker, vice president of services with electronic security firm IOActive, which is not involved in the investigation.

He said that card issuers Mastercard and Visa Inc had likely appointed a firm to investigate.

Sony also said that it hired the law firm Baker & McKenzie to help it with the investigation.

On Monday, Sony said its PC games network had also been exposed to hackers, in an incident related to the massive break-in of its separate PlayStation video game network that led to the theft of data from 77 million user accounts. Sony revealed that attack last week.

The PlayStation network lets video game console owners download games and play against friends. The Sony Online Entertainment network, the victim of the latest break-in, hosts games such as “EverQuest” and “Free Realms,” which are played over the Internet.

Sony said late on Monday that the names, addresses, emails, birth dates, phone numbers and other information from 24.6 million PC games accounts may have been stolen from its servers as well as an “outdated database” from 2007.

A Toronto law firm on Tuesday launched a C$1 billion ($1.05 billion) proposed class-action suit against Sony for breach of privacy, naming a 21-year-old PlayStation user from Mississauga, Ontario, as lead plaintiff. The damages would cover the cost of credit monitoring services and fraud insurance for two years, the firm, McPhadden Samac Tuovi LLP, said in a statement.

Source: Reuters

Defcon speaker calls IPv6 a ‘security nightmare’

The internet’s next-generation addressing scheme is so radically different from the current one that its adoption is likely to cause severe security headaches for those who adopt it, a researcher said last week.

With reserves of older addresses almost exhausted, the roll-out of the new scheme — known as IPv6 or Internet Protocol version 6 — is imminent. And yet, the radical overhaul still isn’t ready for prime time — in large part because IT professionals haven’t worked out a large number of security threats facing those who rely on it to route traffic over the net.

“It is extremely important for hackers to get in here fast because IPv6 is a security nightmare,” Sam Bowne, an instructor in the Computer Networking and Information Technology Department at the City College of San Francisco, said on day one of the Defcon hacker conference in Las Vegas. “We’re coming into a time of crisis and no one is ready.”

Chief among the threats is the issue of incompatible firewalls, intrusion-prevention devices, and other security appliances, Bowne said. That means many people who deploy IPv6 are forced to turn the security devices off, creating a dangerous environment that could make it easier for attackers to penetrate network fortresses.

What’s more, internet addresses that use the new protocol by default contain a 64-bit string that’s generated by a computer’s MAC, or Media Access Control, address. The use of the so-called extended unique identifier means that people who want to remain anonymous online will have to take precautions that aren’t necessary under today’s IPv4 system.

“It means that everything you send or receive is labeled with your real MAC address and therefore if you were to do something naughty, like download copyrighted material, they would know who you are much better than they do if all they have is an IP version 4 address,” Bowne said.

Some operating systems, including Windows Vista and Windows 7, have privacy settings turned on by default that cause the string to be randomly generated. While this setting helps preserve anonymity, it also has the potential to break many end-to-end communications, so it may not always be available, Bowne warned. Many organizations require the use of the extended unique identifier so they can keep tabs on their employees’ internet usage, he added.
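The “extended unique identifier” Bowne describes is the modified EUI-64 interface identifier from RFC 4291 Appendix A: the 48-bit MAC is split in half, 0xFFFE is inserted in the middle, and the universal/local bit of the first octet is flipped. The following is an added example (not from the article or from Bowne’s talk) that derives that identifier from a MAC and, more usefully for a defender, audits a list of IPv6 addresses for ones that leak a hardware address. All MACs, prefixes and addresses in it are constructed sample values.

```python
"""
EUI-64 interface identifiers: derive one from a MAC address and audit
whether an IPv6 address embeds a hardware address (RFC 4291 Appendix A).
Added example with constructed sample data; not the article's own code.
"""
import ipaddress
import re
from typing import Dict, Iterable, Optional


def mac_to_eui64_suffix(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC.

    Steps: split the MAC after the third octet, insert 0xFFFE, and flip the
    universal/local bit (0x02) of the first octet.
    """
    octets = bytes.fromhex(re.sub(r"[:\-]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit: 0 in a MAC means globally unique
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms by stateless autoconfiguration: /64 prefix + EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_suffix(mac))


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC an address reveals if its interface identifier is a
    modified EUI-64, else None (random RFC 4941 temporary or manual identifier).

    The 0xFFFE marker is a heuristic: a random identifier matches it with
    probability 1/65536, so treat a hit as "worth checking", not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each address to the MAC it leaks, or None if it leaks nothing."""
    return {a: embedded_mac(a) for a in addresses}


# Constructed sample: one manual address, one SLAAC address built from the
# constructed MAC 00:1a:2b:3c:4d:5e, and one privacy-extension style address.
SAMPLE_HOSTS = [
    "2001:db8:1::1",
    "2001:db8:1:0:21a:2bff:fe3c:4d5e",
    "2001:db8:1:0:4c3f:9a10:77e1:b22",
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_HOSTS).items():
        print(f"{addr:40} -> {mac or 'no MAC embedded'}")
```

Running the audit over the constructed list flags only the second address, and recovers 00:1a:2b:3c:4d:5e from it; the manually assigned and the random-identifier addresses come back clean. On a real network the same check, run over a neighbor table or DHCP/RA logs, shows which hosts have privacy extensions disabled.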

To be sure, IPv6 offers many features, including a method for easier end-to-end encryption, that should make networking more secure.

“We’ve got a lot of benefits and we’ve taken a lot of the learning from a security perspective from IPv4 and implemented a lot of new security features into IPv6,” said Joe Klein, a subject matter expert with the North American IPv6 task force, who was also attending Defcon. “The problem with it is we’re in a transition period and that’s going to take anywhere from five to 10 years to fully implement it and start to provide end-to-end encryption.”

The new protocol, because it hasn’t been tested as widely as IPv4, is also likely to suffer from vulnerabilities resulting from buffer overflows and similar bugs, he said. The flaws will likely be worked out as it gains wide acceptance, but that will also take years, he added.

Bowne and Klein aren’t the only people warning of growing pains in the net’s addressing system. This recent submission to the Full-disclosure list claims Google’s Gmail service is also having trouble adapting to the scheme.

Bowne — who teaches classes in ethical hacking, network defense, and Windows 7 — also outlined several attacks that exploit unique characteristics of IPv6 to wreak havoc on networks. Packet amplification attacks place a 0 in the routing header of each packet, causing them to travel in a looped path. Ping-pong exploits take advantage of the wealth of /64 subnets available in the protocol, allowing attackers to send packets from one non-existent connection to another. The result is an endless series of “ICMP unreachable” error messages. As a result, networks are flooded with garbage data.

The transition to IPv6 is necessary to deal with the growing exhaustion of IPv4 addresses. The older protocol, which is based on a 32-bit addressing system, yields about 4 billion unique numbers, fewer than the 7 billion humans who populate the planet. At the current usage rate, the allocation of free addresses could be used up by June of next year, according to some estimates. IPv6, by contrast, is a 128-bit scheme that allows for over 3.4×10^38 addresses, which ought to keep the world going for quite some time.

Source: The Register