CosmicDuke and the latest political news

After we published the CosmicDuke report in July 2014, we continued to actively follow the malware. Today, we discovered two new samples that both leverage timely political topics to deceive the recipient into opening the malicious document.

The first one discusses the Ukraine crisis and EU sanctions against Russia; the original document was published less than a week ago.

The second document is squarely about current affairs: Scotland votes on independence today. The original article was published early this week. Here is the decoy document:

It is obvious that the attackers keep abreast of the latest political news, and they are very agile: they have both the capability and the capacity to rapidly turn that news into lures that increase the odds of successful social engineering.

If you are interested in learning more about CosmicDuke, these latest samples, as well as other interesting discoveries, will be discussed in detail at T2, an information security conference held October 23-24 in Helsinki, Finland.

On 18/09/14 At 09:13 PM


Tracking People From their Cell Phones with an SS7 Vulnerability

What’s interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What’s interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability.


Why do Apple’s security questions still suck?

It’s been two weeks, so why do Apple’s security questions still suck?

Here’s an example of questions you’ll be asked when you create an Apple ID:

[Image: Apple security questions]

And here’s the full list…

Security Question 1:

  •  What is your favorite children’s book?
  •  What is your dream job?
  •  What was your childhood nickname?
  •  What was the model of your first car?
  •  Who was your favorite singer or band in high school?
  •  Who was your favorite film star or character in school?

Security Question 2:

  •  What was the first name of your first boss?
  •  In what city did your parents meet?
  •  What was the name of your first pet?
  •  What is the first name of your best friend in high school?
  •  What was the first film you saw in the theater?
  •  What was the first thing you learned to cook?

Security Question 3:

  •  What is the last name of your favorite elementary school teacher?
  •  Where did you go the first time you flew on a plane?
  •  What is the name of the street where you grew up?
  •  What is the name of the first beach you visited?
  •  What was the first album that you purchased?
  •  What is the name of your favorite sports team?

The problem is painfully obvious — the questions are far too subjective or else are based on easily obtainable information.

What then does one do?

Whatever the question, create a nonsense answer. But then you’ll have another problem… you’ll forget the nonsense when needed.

So what next then?

Use your password manager’s note field:

Childhood nickname? SvenHjerson

Hopefully you’ll never need to use your answer — make sure nobody else can either.

—————

For related advice, please see our article on dealing with passwords.

On 16/09/14 At 01:46 PM


We Need More Than Penetration Testing

Last week I read an article titled "People too trusting when it comes to their cybersecurity, experts say" by Roy Wenzl of The Wichita Eagle. The following caught my eye and prompted this post:

[Connor] Brewer is a 19-year-old sophomore at Butler Community College, a self-described loner and tech geek…

Today he’s what technologists call a white-hat hacker, hacking legally for companies that pay to find their own security holes.

When Bill Young, Butler’s chief information security officer, went looking for a white-hat hacker, he hired Brewer, though Brewer has yet to complete his associate’s degree at Butler…

Butler’s security system comes under attack several times a week, Young said…

Brewer and others like him are hired by companies to deliberately attack a company’s security network. These companies pay bounties if the white hackers find security holes. “Pen testing,” they call it, for “penetration testing.”

Young has repeatedly assigned Brewer to hack into Butler’s computer system. “He finds security problems,” Young said. “And I patch them.”

On the face of it, this sounds like a win-win story. A young white hat hacker does something he enjoys, and his community college benefits from his expertise to defend itself.

My concern with this article is the final sentence:

Young has repeatedly assigned Brewer to hack into Butler’s computer system. “He finds security problems,” Young said. “And I patch them.”

This article does not mention whether Butler’s CISO spends any time looking for intruders who have already compromised his organization. Finding security problems and patching them is only one step in the security process.

I still believe that the two best words ever uttered by Bruce Schneier were “monitor first,” and I worry that organizations like those in this article are patching holes while intruders maneuver around them within the compromised network.


Two New Snowden Stories

New Zealand is spying on its citizens. Edward Snowden weighs in personally.

The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom.


A Twitch of Fate: Gamers Shamelessly Wiped Clean

Twitch.tv is a video gaming focused live streaming platform. It has more than 50 million viewers and was acquired by Amazon.com in August for nearly a billion dollars.

We recently received a report from a concerned user about malware that is being advertised via Twitch’s chat feature. A Twitch-bot account bombards channels and invites viewers to participate in a weekly raffle for a chance to win things such as “Counter-Strike: Global Offensive” items:

[Screenshot: the Twitch-bot raffle message]

The link provided by the Twitch-bot leads to a Java program which asks for the participant’s name, e-mail address and permission to publish the winner’s name, but in reality it doesn’t store any of those details anywhere.

Those who have fallen victim to this fake giveaway will be shown this message after entering their details:

[Screenshot: the fake "congrats" message]

After this message, the malware proceeds to drop a Windows binary and execute it, which then performs these actions:

  •  Take screenshots
  •  Add new friends in Steam
  •  Accept pending friend requests in Steam
  •  Initiate trading with new friends in Steam
  •  Buy items, if the user has money
  •  Send a trade offer
  •  Accept pending trade transactions
  •  Sell items with a discount in the market

This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry. It even dumps your items for a discount in the Steam Community Market.

Previous variants sold items at a 12% discount, but a recent sample shows the discount was raised to 35%, perhaps so the items sell faster.

[Screenshot: code setting the sell discount]

Being able to sell uninteresting items lets the attacker gather enough money to buy items that he deems interesting. Those interesting items are then traded to an account possibly maintained by the attacker.

Victims have reported on forums.steamrep.com that their items were traded to this Steam account without receiving anything in return:

[Screenshot: the receiving Steam account]

All this is done from the victim’s own machine, because Steam’s existing security checks target logins and trades from a new machine. It might help users if Steam added another security check for accounts trading several items to a newly added friend, and for accounts selling items in the market below a certain price threshold. This would lessen the damage done by this kind of threat.

On 12/09/14 At 11:29 AM


H1 2014 Threat Report

Our latest Threat Report is now available.

[Image: H1 2014 at a glance]

The report includes our statistics, incidents calendar and threatscape summaries for H1 (Q1+Q2) 2014.

Download: H1 2014 Threat Report [PDF]

Additional case studies: Whitepapers

On 08/09/14 At 01:05 PM


Security. Privacy. Identity.

Key components of digital freedom:

Things we defend.

This is F-Secure Labs.

On 05/09/14 At 12:07 PM


Security of Password Managers

At USENIX Security this year, there were two papers studying the security of password managers:

It’s interesting work, especially because it looks at security problems in something that is supposed to improve security.

I’ve long recommended a password manager to solve the very real problem that any password that can be easily remembered is vulnerable to a dictionary attack. The world got a visceral reminder of this earlier this week, when hackers posted iCloud photos from celebrity accounts. The attack didn’t exploit a flaw in iCloud; the attack exploited weak passwords.

Security is often a trade-off with convenience, and most password managers automatically fill in passwords on browser pages. This turns out to be a difficult thing to do securely, and opens up password managers to attack.

My own password manager, Password Safe, wasn’t mentioned in either of these papers. I specifically designed it not to automatically fill. I specifically designed it to be a standalone application. The fast way to transfer a password from Password Safe to a browser page is by using the operating system’s cut and paste commands.

I still recommend using a password manager, simply because it allows you to choose longer and stronger passwords. And for the few passwords you should remember, my scheme for generating them is here.


Wi-Fi Sense?

Windows Phone 8.1 (Lumia Cyan) updates are currently rolling out to various Lumia devices. One of the new features is Microsoft’s “Wi-Fi Sense”, which will automatically connect to Wi-Fi networks and accept their terms of use.

[Screenshot: Wi-Fi Sense]

Your phone will automatically accept Wi-Fi network terms?

Yes.

[Screenshot: Wi-Fi Sense]

“Not all Wi-Fi networks are secure.”

(At least you’re able to edit the information provided on your behalf.)

[Screenshot: Wi-Fi Sense]

Also, Wi-Fi Sense will share Wi-Fi network access with your contacts and “friends”.

[Screenshot: Wi-Fi Sense]

So… if your phone knows the password to your company’s Wi-Fi network, now your Facebook friends can access it too?

Information security managers are going to love that.

On 04/09/14 At 01:26 PM
