Mitmo Smartphone Malware

Internet Revolution is reporting a new strain of the infamous ZeuS banking malware.  “Mitmo” is injected as a rootkit on the victim’s smartphone via an SMS message that prompts the user to download a bogus app.  Once installed, the malware can modify the appearance of the bank’s mobile Website and snatch the client’s login and password; from then on, the infected smartphone monitors all incoming SMS messages, redirecting any bank SMS or mTan (mobile Transaction Authentication Number) back to a ZeuS bot herder.

This week saw the first notable appearance of “man-in-the-mobile” combined malware and iBot attacks in Poland, where ING Bank customers had their smartphone authentication numbers hijacked.

Definitely worth reading this article, and the comments regarding the lack of smartphone anti-virus protection.  I’m quite surprised that as this market has grown enormously (302 million phones in play in 2010) and quickly, there is a lack of product from the major vendors.  Expect to see some of the recent start-ups getting bought by the big boyz shortly.


Prepare For Memory Scraping Malware Bypassing Encryption

SANS is reporting that “pervasive memory scraping” malware is to become one of the most dangerous attack techniques likely to be used this year.  Pervasive memory scraping is a technique used by attackers who have gained administrative privileges on a computer in order to access encrypted data.  Evidence of this type of attack is appearing more often in new data breach cases.

Encryption is often touted as a quick and fairly easy solution to many privacy and confidentiality concerns, and is a requirement of some regulations such as PCI; however, encrypted data must be decrypted in order to be viewed, used and processed.  To do this, the computer copies the decrypted data into memory.  If the data set is large enough, it could also be written to temporary files.  Once the application that decrypted the data is closed, there is the potential for leaving these remnants behind, at least for some period of time, unencrypted and unprotected.  Memory scraping malware takes advantage of these lapses and harvests the unencrypted data.
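The mitigation this implies on the application side is to keep decrypted data in memory only for as long as it is in use and to scrub it before the buffer is released. The following is an added example (not code from the article or from SANS) in C: the cipher is a constructed XOR stand-in, and `process_record`, `secure_zero` and `is_scrubbed` are names assumed here for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Scrub a buffer through a volatile pointer so the compiler cannot discard
   the stores as "dead" after the buffer's last use, which it may do with a
   plain memset() right before free() or return. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Returns 1 if every byte of the buffer is zero (used to verify the scrub). */
int is_scrubbed(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Constructed stand-in for a real decryption routine (XOR with one key byte).
   The point is the lifecycle of the plaintext, not the cipher. */
void toy_decrypt(const unsigned char *ct, unsigned char *pt, size_t n,
                 unsigned char key) {
    for (size_t i = 0; i < n; i++) pt[i] = ct[i] ^ key;
}

/* Decrypt into a caller-supplied scratch buffer, use the plaintext (here:
   count digits, as a card-number processor might), then scrub before
   returning so the plaintext never outlives the call.  Returns the count. */
int process_record(const unsigned char *ct, size_t n, unsigned char key,
                   unsigned char *scratch) {
    toy_decrypt(ct, scratch, n, key);
    int digits = 0;
    for (size_t i = 0; i < n; i++)
        if (scratch[i] >= '0' && scratch[i] <= '9') digits++;
    secure_zero(scratch, n);   /* leave nothing for a memory scraper */
    return digits;
}
```

Temporary files deserve the same treatment: write them only when unavoidable, and overwrite and unlink them in the same code path that finishes using the data.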


Know When To Fold ‘Em

Baseline is one of my favorite reads.  I subscribe to their hardcopy magazine as well as their RSS feeds.  Here is a slideshow that provides some good food for thought about pulling the plug on projects, employees, and employers.  Sometimes getting out from under a bad situation is the best thing that can happen for you and for the company.

Your strategy and the company direction may not be compatible, there may be serious breakdowns in communication, attempts to make improvements may be misunderstood or viewed politically, or there just may be a poor fit.  It’s important to be able to sever ties while still maintaining good will.

In Necessary Endings: The Employees, Businesses, and Relationships That All of Us Have to Give Up in Order to Move Forward (HarperBusiness), author Henry Cloud contends that employees aren’t failing when they seek to bring a stop to something.  Workers actually do themselves a disservice by remaining with visionless leaders, hostile or non-productive work environments, and career dead-ends.  The key, says Cloud, is knowing how to part ways without conveying negativity to those you’re leaving behind.

I will be adding this book to my reading list shortly.  Not because I haven’t done this in the past, but because this is something that I believe in, there is always room for improvement, and I like what I have read so far.

DDoS On Dutch Bank

ComputerWorld has posted an article recently on a subject that I haven’t heard a lot about for the last year.  It seems a Dutch bank was the victim of a malicious Distributed Denial of Service (DDoS) attack.  I say malicious, as there have been instances where a bank was accidentally hit with a traffic flood due to misconfiguration of a common tool, and even some spotty attacks that were quickly detected and avoided.  But nothing that I can recall recently where a brazen attack was aimed squarely at a bank, and took them off the map for a couple of days.  Apparently, the Dutch Government has been detecting similar attacks on their networks.

In my work with the Canadian Financial Institution Computer Incident Response Team (CFI-CIRT), I examined and reported on DDoS avoidance and response practices on behalf of the Canadian banking community.  Not a lot had changed from the last time that I had looked at DDoS protection mechanisms several years prior.  The solutions were just as expensive, just as finicky, and just as hard to justify to management without a direct attack to show losses against.  Your choices seemed to be (pick any 3):

  • Over provision your bandwidth.
  • Keep a second provider as a disaster recovery / incident response alternate.
  • Add an appliance or three to your architecture to examine and scrub the data stream.
  • Subscribe to a third-party service that filters the data stream.
  • Subscribe to a third-party service that provides redundant routes to the nth degree.
  • Convince your ISP to provide filtering services on demand as part of your incident response plan.
  • Build an internal response plan that engages the right folks to escalate the response externally.

Has anyone looked into DDoS solutions lately?  Have there been any improvements in the choices and offerings available to large and small businesses?

Financial Recruitment Site Hacked

If you are an under-employed Financial Services staffer like me, seeking your next gig, you might have registered at UK-based, global banking recruitment website  If you have, then skip on over there ASAP and change your password.  If you’ve used that password elsewhere, you’ve got some more changing to do.

Oh, and take a lesson from this; don’t use the same password on multiple sites.

The British company believes its registered users’ names, email addresses, registered countries and encrypted passwords were accessed during the breach.  The website operator’s managing director issued a warning and apology to its customers over the weekend.  Neither nor its parent, New York Stock Exchange listed Dice Holdings, Inc. have released a public statement about the breach.

NightDragon Attacks Update

Six previously un-named energy companies targeted in a recent series of coordinated, covert and targeted attacks have now been identified, and could face legal liability for not disclosing the breaches to shareholders.  The victim list includes Exxon Mobil, Royal Dutch Shell, BP, Marathon Oil, Conoco Phillips, and Baker Hughes, according to articles now published on the web by The Register and TheAge, based on a report from McAfee.

The attacks were ongoing for at least one full year, and possibly as long as four years.  The so far unknown attackers worked through servers located in China.  The targets of the attacks appear to have been topographical maps worth ‘millions of dollars’ containing locations of potential oil reserves.

Researchers from McAfee had promised to withhold the identity of the affected companies in exchange for help in preparing a report to “educate the community.”  The public outing of the victims could cause companies to hesitate when asked to participate in anonymous studies in the future.  That is unfortunate, as this is exactly the kind of information that NEEDS to be gathered and shared in order to have any impact on incidents such as this in the future.

What Is Web Content Filtering?

When a company starts to analyze the ingress and egress points on their network, usually after a significant malware event, they will inevitably begin to consider ways to control the types and sources of content allowed to enter and leave their environment.  There are several technologies that can and should be considered.  Chief among these are Network Monitoring and Web Content Filtering.  The benefits of network monitoring and content filtering include productivity increases, network health awareness, protection from malware, elimination of liability issues, and reduction of bandwidth usage.  The threats posed by wide open access to everything on the internet are as diverse as the internet itself.  Things to consider in this regard:

  • Every business is legally bound by employment laws to ensure a worker friendly environment.  This includes ensuring that workers are not exposed to sexual harassment, including pornography and hate materials.
  • Recent legislation mandates that employees be advised when they are under surveillance, what kind of surveillance they are under, and what the surveillance is for, and employers are not able to use or disclose surveillance records for unrelated purposes.
  • Web-based email and chat is a major vector for data loss.
  • Anti-web-malware service Dasient reports that there is an epidemic of web-based malware.  The Dasient “Infection Library” displays current malware infection totals.
  • Legitimate sites can also carry web-based malware, either through advertising or injected links.