Verisign Repeatedly Breached

Verisign has admitted, in an SEC filing, that its corporate network was breached repeatedly in 2010, but it cannot say what data may have been stolen.  It does not believe its Domain Name System servers were compromised, but it cannot rule that out.  Symantec, which bought Verisign's certificate business in 2010, says there is no evidence that the certificate systems were affected.  According to the filing, Verisign's security team responded to the intrusions at the time but did not report them to management until 2011.

Symantec’s VeriSign remains one of the largest providers of Secure Sockets Layer (SSL) certificates in the world.  Web browsers check these certificates when connecting users to secure sites, those whose addresses begin with “https”.  Most banking sites use them, and certificates also secure some email and other communications portals.

If the SSL infrastructure were compromised, an attacker could create a Google certificate or a Bank of America certificate that would be trusted by any browser in the world, according to an analyst quoted in the MSNBC article.  That is the crux of the CA trust model: a browser accepts any certificate that chains to a root in its trust store, so a compromised CA can issue a valid-looking certificate for any domain, not just those of its own customers.  Symantec’s spokesperson reiterated, “there is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems.”

Of course the company claims that they were attacked by “the most sophisticated form of attacks,” including some that are “virtually impossible to anticipate and defend against.”  There’s no evidence that I am aware of to prove or refute that claim.

Exchange 2010 SP2 Released

Microsoft has released Service Pack 2 (SP2) for Exchange 2010; you can download it from the usual Microsoft download site.  Microsoft has taken considerable care over the quality of SP2, so that it does not suffer from the issues that affected two of the update rollups for SP1 earlier this year.

  • A key new feature in SP2 is the Hybrid Configuration Wizard (HCW), which automates the setup of hybrid connectivity between an on-premises Exchange 2010 organization and Exchange Online in Office 365.  Previously, admins had to adjust a long list of Exchange settings by hand to get this kind of connectivity; the HCW now does the heavy lifting and reduces the number of steps needed.
  • Another new SP2 feature is Address Book Policies (ABPs).  ABPs answer demand from large companies and hosting providers to logically segment their Global Address List (GAL) rather than letting every user see the complete GAL.  An ABP lets admins filter objects out of the GAL and build a customized address book that is assigned to specific mailboxes by policy; once an ABP is assigned, the mailbox user can only see and address objects found in their customized view.  Note that an ABP is a view, not an access control: it hides objects from the address book, but it does not stop a user who already knows an address from mailing it.  ABPs depend on Active Directory, and Microsoft provides a schema update to make them available to Exchange, which you will have to apply in every Active Directory forest where you deploy Exchange 2010 SP2.  Schema changes have been problematic in the past and always warrant careful planning: they are forest-wide and cannot be rolled back.
  • The reintroduction of Outlook Mobile Access (OMA) style functionality, shipped in SP2 as OWA Mini, caters for small-screen mobile phones.  This is more interesting to the Asian feature-phone market than to North America, where our screens appear to have gone in the opposite direction.

Exchange customers should prepare for deployment of SP2 after thoroughly testing within their environments.

My Own Dogfood – Mmmmmm

First, my apologies to anyone who may have received spicy email invites from one of several of my personal email addresses.  I won’t share the addresses, as they are cryptically named, and wouldn’t help you discern who I am in real life anyway.  Regardless, I have taken a big bite of my own personal dogfood.  Not too long ago, I posted this entry on my blog calling for care and caution from researchers and security professionals.  My own vigilance allowed me to detect a security lapse caused by my own carelessness and trust.  This isn’t the first time, and I am sure it will not be the last.

Recently, I have found that at least 3 of my 5 personal email addresses have been receiving what I deemed to be spam.  I initially ignored it, figuring it would eventually just go away, as these things seem to do after soliciting no response over time.  Not so.  I have received many invitations from folks on various “adult forums” that require a valid email to join, and a confirmation of that email address.  It seems these email addresses may have been compromised.

Now, I don’t generally object to porn, to each their own, consenting adults, and as long as no one is getting hurt…  However, the sites I have found I now have valid accounts on could cause some questions and dismay from my spouse, calling into question my loyalty and even my sexual orientation.  (I still like girls, and love my wife, by the way!!!)  The accounts had the same passwords, which weren’t too hard to figure out.  I am changing the passwords and shutting these accounts down wherever I find them.  I will be changing the passwords on ALL of my email accounts as well, and may kill a few off too for good measure.  Same goes for forum and web accounts.  My personal system will be wiped and imaged as a precautionary measure.

I hope that this has been an elaborate prank, and not some weird attempt at revenge for some perceived misdeed.  I suspect that I have found the source of at least the pranksters’ point of entry.  It seems my wireless pre-shared key has been compromised, as family members often need to get wifi access for their PC or smartphone.  One of the “features” of these devices is their ability to store the key cryptically (****** instead of text) or display it as plain text at the flick of a tick box, without any additional password prompting.  I believe that someone close to one of these family members accessed a device that was not well secured, left on a table, or otherwise unlocked.  They clicked the tick box and voilà.  Exposed credentials.  Either that or I have several alternate personalities that I am not yet aware of surfing up interesting content in my sleep.

Over the past few weeks, I have been seeing traffic utilization returning to the levels that they used to hover at while multiple adults lived here, lots of DNS queries for odd sounding URLs and such.  The wireless network will be reconfigured again shortly, and will use a new key for encryption and access.  I am in the process of visiting many, many “dating sites” and the like, and hope that when my wife catches me surfing over to “spicy_dates [dot] com” she has already read this blog post.

  • Pre-shared keys are a convenience feature.  I constantly battle convenience, and should not have taken a shortcut.  Lesson learned.
  • All the precautions in the world won’t stop a determined attacker.  Lesson learned.
  • There is still no patch for sTuPiD.  Still learning.

iPad Encryption & Security Efforts Lacking

A recent Sybase-SAP survey of 500 workers found that one third of employees have put company data at risk by sending work-related emails or documents to their personal email accounts or accessing the company intranet from remote locations, and one in four has conducted work-related email exchanges on a personal mobile device.  Even where policy exists, tools like these will be misused, unintentionally exposing the company to interception, breach and regulatory non-compliance in the name of convenience and expediency.  I have no doubt that the employees’ intentions were good, but their choices were misguided.

SAP, the German tech giant, is currently beta testing a product that will let it send PGP-encrypted confidential email to its 7,000 iPad-using employees, who will decrypt the messages with a Symantec viewer app for the iPad.  One problem remains to be sorted out: employees won’t be able to send encrypted email from their iPads, at least not yet.  Apple’s current iPad email encryption capability goes only halfway to meeting this need; it can handle encrypted email to iPads but not from them.  Apple says full email encryption will arrive in iOS 5.  In the meantime, users are stuck with half of a solution.

Apple has been notorious for its slow reaction to security issues, largely because it could afford to be: with Windows dominating the PC market, attackers had little reason to look at Apple’s platforms.  Times are changing, and Apple had better adopt a stronger, more agile security posture fast.  Microsoft has learned some hard lessons, and Apple would do well to learn from its competitor’s mistakes and successes.  The iPad and other mobile platforms are becoming standard fare for businesses and enterprises worldwide; this is a success story that could shake the IT industry as we know it.  The iPad is no longer just a consumer device, and iPads are pouring into the enterprise: after only 18 months on the market, they are being deployed or tested at 86% of Fortune 500 companies, according to Apple’s most recent quarterly report.  Attackers have historically targeted Windows machines because they are everywhere and hold valuable, profitable data.  With iPads replacing laptops, and iPhones filling a similar role in the medical, legal and even financial industries, much of that attention will soon be diverted to these devices.

Malware purveyors are plying their trade with increasing frequency.  The rate of malware attacks more than doubled in the second quarter of this year, to 287,298 unique instances in June, according to Cisco’s quarterly threat report released this week, and the average company faces 335 encounters every single month!  Researchers are discovering and announcing serious vulnerabilities in Apple’s iOS, demonstrating that Apple hasn’t fallen as far from the tech-platform tree as its fan-boys would have you believe.  It’s all just software, and anybody’s software can contain weaknesses.

Apple has shown some recognition of the enterprise security message, and missed the mark elsewhere.  It released iOS 4.3.4 in July to patch a PDF vulnerability, and just a week and a half later shipped iOS 4.3.5 to fix a certificate validation vulnerability.  Apple also recently released a kind of virus scanner for its devices, and got a taste of how quickly malware authors can turn the tables.  The new physical cover for the iPad 2 locks the device when closed, but it also UNLOCKS the device automatically when opened.  With a little more forethought this could have been a genuine security feature, reducing the need to force a short idle-timeout lock; instead it offers convenience at the expense of security.  I sincerely hope that Apple and 3rd party vendors will focus on this emerging platform and provide good, robust and reliable security tools to keep the data that these devices access and share secure from theft and unauthorized interception.

Operation Shady RAT

Score another big one for the good guys!  Even if they are a little late to the scene to save the maiden or slay the dragon…  I guess we have to score a whole bunch for the bad guys too, since they ran this scam successfully for so long…

Security vendor McAfee published a report on Tuesday about an intrusion campaign that has penetrated 72 companies, governments and non-profit organizations in 14 countries since 2006, stealing national secrets, business plans and other sensitive information.  McAfee discovered the intrusions after gaining access to a command-and-control server that collected data from the compromised computers.  It says the operation, which it has named “Shady RAT”, has produced a “historically unprecedented transfer of wealth” over the past five to six years.

The attackers gained a foothold by sending targeted e-mails to individuals within the organizations, carrying an exploit that downloads malware which then communicates with the command-and-control server to exfiltrate data and spread further into the network.  The stolen data runs from classified information on government networks, source code and e-mail archives to exploration details for new oil and gas field auctions, legal contracts, SCADA (supervisory control and data acquisition) configurations, design schematics and more; the attackers were not selective about what they took.  McAfee declined to name all of the affected organizations, but did name the International Olympic Committee (IOC), the World Anti-Doping Agency, the United Nations and the ASEAN (Association of Southeast Asian Nations) Secretariat.  Those organizations are of little economic interest to criminals, which adds to speculation of nation-state involvement.

In 2006, eight organizations were attacked, but by 2007 that number increased to 29, according to the report.  The number of victimized organizations peaked at 38 in 2009.  The duration of the compromises ranged from less than a month to more than two years in the case of an attack on an Asian Olympic committee.

So, should the average business, large, medium or small sized, be worrying about malware and the APT threat?  Oh, only if secrets, business plans and sensitive information matter to you, you bet your assets!  This cruft is going mainstream, this type of code is available, and coming soon to a PC near you.

Beware “Wrong Hotel Charge” Spam Scam

A malicious spam campaign has been detected and reported by the good folks at M86 Security Labs.  The emails appear to come from reception desk managers at various hotels and target Visa cardholders.  They carry subject lines such as “Hotel Sutton Place made wrong transaction” and “Wrong transaction from your credit card in Four Seasons Resort Scottsdale” and contain a rather long explanation in very bad English, claiming that the hotel has charged your credit card more than $1,000 by mistake.

To summarize, the email generally says, “Please see the attached form.  You need to fill it in and contact your bank for the return of funds,” and offers an attachment named RefundFormXXX.zip (XXX represents a random three digit number).  The unzipped file is Refund-Form.exe which is outfitted with the icon for an Excel file in order to encourage opening (executing) it.  Once executed, the malware downloads another executable from a Russian domain which is a fake AV application named “Security Protection”.

An HTTP request is sent to 188.72.202.121, requesting a module called ‘grabbers’ from load.php.  A file called update.dat is retrieved, which is actually an encrypted Windows .dll file.  Once decrypted it acts as a password stealer looking for stored passwords and targeting a huge number of applications including instant messaging programs, poker clients, FTP clients and web browsers.

Roughly one day after all of this malicious activity takes place, another HTTP request is sent, retrieving another fake AV called “Personal Shield Pro”.
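The chain above (a lure subject line, a RefundFormXXX.zip attachment hiding an executable behind a document icon, then a fetch of the ‘grabbers’ module from load.php on 188.72.202.121) translates into a few simple checks at the mail gateway and the web proxy.  The following Python is an added example, not M86’s code: the sample message fields, the ZIP archive and the proxy log lines are constructed for illustration, and the query string used to request the module is an assumption, since the write-up does not show it.

```python
"""Detection helpers for the 'wrong hotel charge' campaign described above.
Added example, not M86's code; the e-mail fields, ZIP and proxy lines are
constructed."""
import io
import re
import zipfile

# Indicators quoted in the write-up.  The exact query string used to request
# the 'grabbers' module is not given, so the network rule keys on the host
# and the load.php script name only.
C2_HOST = "188.72.202.121"
C2_SCRIPT_RE = re.compile(r"^/load\.php(\?|$)")
LURE_SUBJECT_RE = re.compile(r"\bwrong transaction\b", re.IGNORECASE)
LURE_ATTACHMENT_RE = re.compile(r"^RefundForm\d{3}\.zip$", re.IGNORECASE)
# Extensions Windows will execute no matter which icon the file carries.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def is_refund_lure(subject, attachment_name):
    """True when both the subject line and the attachment name fit the lure."""
    return bool(LURE_SUBJECT_RE.search(subject)
                and LURE_ATTACHMENT_RE.match(attachment_name))


def suspicious_zip_members(zip_bytes):
    """Names of archive members that are executables, judged by extension or
    by the PE 'MZ' magic rather than by the icon the file would display."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                magic = member.read(2)
            if info.filename.lower().endswith(EXEC_EXTENSIONS) or magic == b"MZ":
                found.append(info.filename)
    return found


def flag_c2_requests(proxy_lines):
    """Return (line, reason) for proxy log lines that reach the download
    server, or that fetch a load.php script from anywhere (weaker signal).
    Constructed line format: '<client> <host> <path>'."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _client, host, path = parts
        if host == C2_HOST:
            hits.append((line, "known download host"))
        elif C2_SCRIPT_RE.match(path):
            hits.append((line, "load.php fetch from unknown host (weak signal)"))
    return hits


def build_sample_zip():
    """Constructed stand-in for RefundForm417.zip: a 'Refund-Form.exe' that
    starts with the PE magic, plus a harmless text file.  Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Refund-Form.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("notes.txt", b"please see the attached form")
    return buf.getvalue()


# Constructed proxy log excerpt; the query string is illustrative only.
SAMPLE_PROXY_LINES = [
    "10.1.2.33 www.example.com /index.html",
    "10.1.2.33 188.72.202.121 /load.php?m=grabbers",
    "10.1.2.33 188.72.202.121 /update.dat",
    "10.1.2.34 cdn.example.net /load.php",
]

if __name__ == "__main__":
    print(is_refund_lure("Hotel Sutton Place made wrong transaction",
                         "RefundForm417.zip"))
    print(suspicious_zip_members(build_sample_zip()))
    for line, reason in flag_c2_requests(SAMPLE_PROXY_LINES):
        print(reason, "->", line)
```

The ZIP check deliberately looks at the file’s magic bytes rather than trusting the name or the icon, since the icon is exactly what the attacker controls; the weak load.php rule is there to catch the same kit after it moves to a new IP, and should be tuned against your own proxy baseline before it pages anyone.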

Recent Attacks Due To Common Vulnerabilities

The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing.  There has been a substantial amount of complacency in the Information Technology and Security fields.  There have been many reasons for skating by; budgets are tight, economy’s bad, no time, no resources, no training…  Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press.  I have said it before, and I will say it again, although saying it before has cost me at least one job.

Regulatory Compliance DOES NOT equal Security!!

If you are in the business of securing data that your customers have entrusted to you, and believe you only need to do what Visa, Mastercard, PCI, policy or some other established standard mandates on the subset of systems that directly touch the sensitive data, you are mistaken, and can expect to spend some time in the media shortly.  In an age where attackers are organized and popping up like mushrooms, and where the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of success, you need a solid, enterprise-wide STRATEGY.

Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high value and supposedly highly secure systems.  We have been arrogant and comfortable for far, far too long, thinking things were unbreakable, that our monitoring would be enough of a deterrent.  The systems and internetworks are just too complex, too many moving parts, too many variables, too many weak links in the chain.  We have all been lucky, swimming in the shark tank, and now it’s a feeding frenzy in the criminal underground.

A big part of the problem is that employees simply have too much access.  The best thing we can do to secure the enterprise is the same old stuff we’ve been talking about for years.  So what are you doing about these recent attacks?

IMF Network Breached

The New York Times reports that the International Monetary Fund (IMF) has been hit with “a large and sophisticated cyberattack whose dimensions are still unknown.”  The IMF manages financial crises around the world, and is a repository of highly confidential information about the fiscal condition of many nations.  Its staff and board of directors were advised about the attack on Wednesday, but it did not make a public announcement.

Several senior officials said it was both sophisticated and “a very major breach”.  The compromise appears to have occurred several months ago.  Because the fund has been at the center of economic bailout programs for Portugal, Greece and Ireland, and possesses sensitive data on other countries on the brink of crisis, its database contains potentially market-changing information.  It also includes communications with national leaders as they negotiate behind the scenes.  It remains unclear precisely what information was accessed.  The World Bank, an international agency focused on economic development, cut the computer link that allows the two institutions to share information.  The drastic containment step was taken out of “an abundance of caution” until the severity and nature of the attack is understood.  The World Bank has since resumed its normal operations and says it has seen no evidence of any attacks.

No information is available regarding the origin of the attack, a delicate subject because most nations are members of the fund.  The attack may have been enabled through “spear phishing,” in which specific people are researched and targeted through emails and social engineering, and fooled into clicking on a malicious link or running a program that gives the attacker access to the network.  It is also possible that the attack was less specific: an intruder probing the system to see what could be attacked, or simply an opportunistic malware infection.

Sophos 2011 Security Threat Report

Sophos’ threat experts see 30,000 new malicious URLs each day.

70% of these sites are legitimate websites that have been compromised.

Their 2011 Security Threat Report has been released detailing the battle against malware.

It describes the significant threats of 2010, what to watch for in 2011, and more importantly, what you need to do to get ahead of the threats.

  • One of the more persistent threats of the year was fake anti-virus, also known as “scareware” or “rogueware.”  In this widespread practice, software is introduced onto a victim’s computer through an interface closely resembling, and in some cases directly impersonating, genuine security products.  Criminals use this ploy to drain bank accounts and take over identities outright.
  • The search engine is our gateway to the web, and crooks are skilled at manipulating results from the popular engines such as Google, Bing and Yahoo! to lure victims to their malicious pages, which host browser exploits waiting to infect anyone who lands on them.  Legitimate search engine optimization (SEO) techniques are regularly used as marketing tools; when the bad guys abuse them, supplemented by more devious methods, it is known as “SEO poisoning”, and the results are poisoned to drive traffic to a rogue site.  Google has reported that up to 1.3% of its search results are infected.  Once a victim arrives on the poisoned page, they are redirected to a rogue or compromised site where criminals infect their machine with malware or push fake goods and services while trying to steal personal information.
  • Facebook recorded half a billion active users, making it not only the largest social networking site but one of the most popular destinations on the web.  Young people are less likely to use email, and more apt to communicate through Facebook, Twitter or other social sites.  Unsurprisingly, scammers and malware purveyors targeted this massive and committed user base with a diverse and steadily growing range of attacks throughout 2010.  One of the more common attacks hitting Facebook users is “clickjacking”: maliciously crafted pages where the true function of a button is concealed beneath an opaque layer showing something entirely different.  Often sharing or “liking” the content in question sends the attack out to the victim’s contacts through news feeds and status updates, propagating the scam.

Other areas that are assessed and reported on are passwords, and spam.  It’s a good report, well worth the read.

Spoofed LinkedIn Invite = Malware

According to M86 Labs, malware scammers are targeting LinkedIn users with legitimate-looking messages that appear to come from the social networking site:

The scammers have taken the actual LinkedIn email template and modified it to suit their needs, changing the link behind the confirmation button.  Simply hovering the mouse over the button reveals that the destination URL is not on LinkedIn, but on salesforceappi.com (not to be confused with the legitimate salesforceapi.com domain).

For those unfortunate users who follow the link, the “BlackHole” exploit kit on the destination server tries a series of exploits in order to load malware.  The bulk of the successful infections appear to come through Java and PDF reader vulnerabilities.

Lessons learned from this attack campaign: don’t click that link, even if it looks familiar.  Instead, open up your own browser window and visit the site yourself; legitimate invites will be waiting in your LinkedIn inbox.  Also, keep your software up to date!  One unpatched vulnerability is all that the bad guys need, and once you have been had, the damage is difficult to undo.
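The two tells in this campaign, a button whose destination host is not the sender’s domain and a domain one typo away from a real one, are easy to check automatically on inbound mail.  The Python below is an added example, not M86’s or LinkedIn’s code: the invitation HTML and sender address are constructed, and the “last two labels” domain reduction is a simplification (a production check would use the public suffix list).

```python
"""Audit of an HTML e-mail whose action button links to a host outside the
sender's domain, with look-alike detection for domains one edit away from a
legitimate one.  Added example; the message below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the write-up names as legitimate.
KNOWN_GOOD_DOMAINS = {"linkedin.com", "salesforceapi.com"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' reduction (www.linkedin.com -> linkedin.com).
    Good enough for this example; use the public suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch domains one typo away from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_GOOD_DOMAINS, max_distance=1):
    """Return the legitimate domain this one imitates, or None."""
    for good in known:
        if domain != good and levenshtein(domain, good) <= max_distance:
            return good
    return None


def audit_message(from_addr, html):
    """Flag every link whose host is not under the sender's domain.
    Returns a list of (href, visible text, reasons)."""
    claimed = registrable_domain(from_addr.rsplit("@", 1)[-1])
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        domain = registrable_domain(host) if host else ""
        if domain == claimed:
            continue
        reasons = ["link host %r is not under sender domain %r" % (host, claimed)]
        imitated = lookalike_of(domain)
        if imitated:
            reasons.append("look-alike of %s" % imitated)
        findings.append((href, text, reasons))
    return findings


# Constructed message modelled on the spoofed invitation described above.
SAMPLE_FROM = "invitations@linkedin.com"
SAMPLE_HTML = """
<p>Jane Doe has indicated you are a friend.</p>
<a href="http://salesforceappi.com/confirm?id=42">Confirm that you know Jane</a>
<a href="http://www.linkedin.com/e/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_message(SAMPLE_FROM, SAMPLE_HTML):
        print(text, "->", href, ";", "; ".join(reasons))
```

On the constructed message only the confirmation button is reported, with the look-alike of salesforceapi.com noted alongside the off-domain host; the unsubscribe link, which really does go to linkedin.com, passes.  The sender domain is taken from the From header here, which a spoofed message controls too, so in practice this check belongs after SPF/DKIM validation rather than instead of it.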