Wednesday, September 7, 2011

Apple Gets It Up for Counterfeiting




John Theriault, formerly of the FBI and Pfizer's counterfeit-busting division, has been hired by Apple. The recent wave of fake Apple stores appearing in China (23 so far) has prompted Steve Jobs and Apple to crackdown on the clones. As Apple's global security chief, Theriault, Champion of Legitimate Viagra, outlined a plan in 2008 to eradicate the issue.

Why mention this on a security blog? Well, such fake stores sell equally fake hardware, which is indistinguishable from the real thing in appearance. Besides using inferior internal parts the clones can potentially contain pre-installed malicious software. That software puts user data at risk.

As always, we recommend strong authentication such as challenge-response and transaction data signing.

Monday, August 29, 2011

Keep your friends close...

Kent Brockman would know what to do.


Forbes recently unveiled the identity of "Comex", the hacker famous for JailBreakme.com. JailBreakMe exploited a loophole on iPads and iPad 2s that allowed easy jailbreaking via a website, at least before Apple released a patch.

As Forbes explains, Comex is actually Nicholas Allegra of Chappaqua, NY, a student at Brown University who describes jailbreaking is as easy for him as "editing and English paper." At the end of the article, Forbes suggested Apple hire the young jailbreaking pioneer, probably a dream come true for Allegra, a self-described "Apple fanboy."

Apple has now done just that, and decided that rather than wage a back-and-forth war, they should coach the boy as a summer intern. (We're sure they'd like to glean some skills from the lad, too). Sony should take notice.

Tuesday, August 2, 2011

Zeus Targets Victims Using The RSA SecurID Breach as Bait

Malware writers are notorious for being flexible and oftentimes ahead-of-the-curve when it comes to exploits. According to a post by Dan Raywood at SC Magazine, the latest victims of malware writers are the users of RSA SecurID, which was breached by hackers in February 2009, and who were told they were in "safe" hands by none other than RSA. Well the nefarious and multifaceted Zeus has started to target RSA users as well. Victims receive a link with what's purported to be a security scanner for exploits of the RSA securid breach. This then installs a variant of the Zeus trojan. The RSA Securid related hack saga continues.

Zeus, and other hack attempts of RSA SecurID users will be on the increase. The number of phishing, spear phishing and man-in-the-middle attacks will be on the upswing and more such breaches will come to light. The key thing is for institutions, whether small or large, to adopt as many preventative measures as possible to mitigate such risks.

Monday, July 25, 2011

Small is Beautiful - Hackers are PC and Target Small Firms

According to a WSJ piece, hackers are targeting small firms who are often unaware that they are even victims - the "unknown unknowns." While all the large companies like Sony and Lockheed Martin make the headlines, many small businesses are targeted because they are easy picks for cyber criminals and have little defenses put in place. Most do not even have an IT team and are thus vulnerable and oftentimes unaware of the hacks:
With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.......................
..........In the time it takes to break into a major company like Citigroup Inc., a hacker could steal data from dozens of small businesses and not get detected, says Bryce Case Jr., a former hacker who broke into several government and corporate websites a decade ago and now runs an online message board for hackers called Digital Gangster. Now that small companies use computers, "the juice has become worth the squeeze," he says. "Even a pizza place has addresses, names and credit-card information."
Even small businesses have to adopt protective measures to inoculate themselves against these threats if they do not want to face the threat of bankruptcy. They also lack the scale advantage of large corporations whereby governments could bail them out on the classic too-big-to-fail logic they employ. Malware comes in many forms, even in batteries, and it seems there is no hierarchy of hacking. Hackers are equal opportunity employers after all and they seem to cherish diversity as much as the next liberal arts college when it comes to their victims. The era of PC (politically correct) hackers has just begun.

Saturday, July 23, 2011

Man-in-the-Battery Attack

The Man-in-the-Middle attack class seems to have had a brand new addition. Former NSA employee Charlie Miller, and currently a researcher at consultancy Accuvant, has identified a firmware exploit in Apple Macs that allows you take control of the computer through the microcontrollers of the battery by taking root control through the default passwords. He told Andy Greenberg of Forbes magazine:

“You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack and screw you over. There would be no way to eradicate or detect it other than removing the battery.” says Miller.

Charlie Miller plans on offering a tool to correct this potential security exploit at the upcoming Black Hat conference in August called "Caulkgun".

Friday, July 22, 2011

DNS Cache Poisoning Attack Hits Santander Bank In Brazil

Man-in-the-Middle attacks have started to emerge as the attack-class of choice by sophisticated hackers, as many institutions have started implementing preventative measures against Phishing attacks and Pharming attacks by adopting one-time password generators.

DNS Cache Poisoning attacks are not so common yet, and reported cases of it hitting banks are even more rare. Santander Bank's Brazilian branch just got hit by such an attack. The hackers managed to hijack the DNS servers that resolve the santander.com.br website and replace it with a visually perfect copy so as to harvest customer credentials and passwords. The only giveaway to users would have been if they glanced at the URL address bar in the browser and noticed that it was HTTP instead of HTTPS, a fact that the majority of users would have overlooked.

So it might be too early to pronounce the death of one-time passwords for most user authentication purposes, but it definitely is passe and old hat for banking security. Banks will have to adopt challenge-response and transaction data signing as hackers continue to innovate on all fronts and develop more man-in-the-middle attack class ranging from man-in-the-phone, man-in-the-browser, browser poisoning and the aforementioned DNS Cache Poisoning.

Wednesday, July 20, 2011

Activists Activate Attacks - Google Users Hacked Via IE


Google users are being victimized, apparently by politically motivated hackers. From the Google Online Security Blog:

We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.

For now, we recommend concerned users and corporations seriously consider deploying Microsoft's temporary Fixit to block this attack until an official patch is available.

To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.

The MHTML exploit is IE-specific because only IE supports MHTML, essentially a container format that stores several files in one document. The exploit has been around for quite a while now, but has only recently seen serious proliferation, partly because, as an IE-specific tool, MHTML is not cross-platform, so it's taken a while to take hold.

As noted above, Microsoft has issued a temporary fix, but it's just that: temporary. Users are still exposed and so is their data. User's should look into two-factor authentication to mitigate the loss of their username and password data. Google Authenticator is one such tool, and 2D barcode technology exists for those seeking stronger challenge-response security.