STE WILLIAMS

Cyber Monday sting seizes 706 counterfeit sites

An international strike force has seized 706 counterfeit-peddling sites in the fourth annual Cyber Monday crackdown, dubbed Project Cyber Monday IV.

Europol took down 393 domains, Hong Kong Customs seized 16, and the US’s Immigration and Customs Enforcement (ICE) shuttered 297 in the joint operation.

As ICE noted in a statement, the markets get flooded with phony merchandise right about now, in the weeks leading up to year’s end.

Every year, counterfeit headphones, sports jerseys, personal care products, shoes, toys, luxury goods, cell phones and electronic accessories get seized, according to the US’s National Intellectual Property Rights (IPR) Coordination Center in Washington, DC.

Of course, cheesy, cheap sneakers aren’t the biggest danger.

Also at risk is consumers’ personal financial information, as ICE Acting Director John Sandweg says:

Counterfeiters take advantage of the holiday season and sell cheap fakes to unsuspecting consumers everywhere. Consumers need to protect themselves, their families, and their personal financial information from the criminal networks operating these bogus sites.

As Naked Security’s Lee Munson noted recently, last Christmas, UK shoppers lost over £12m to online fraud, according to Action Fraud, the City of London Police and Get Safe Online.

Those organisations are warning consumers this year to take particular care when shopping for tablets, gaming consoles, electrical items and other gifts online.

Perhaps unsurprisingly, rip-offs last year centered on the same shiny gizmos they’re warning about this year: smartphones, gaming consoles, and Apple gadgetry, plus designer clothes, which leads us right back to counterfeit goods.

The seized domain names for counterfeit sites are now in the custody of the governments involved in the operation. They’re also now bedecked with banners that notify visitors of the seizure and educate them about the federal crime of willful copyright infringement.

According to Infosecurity Magazine, investigators also found PayPal accounts used by the seized websites, with more than $175,000 being targeted for seizure by the US government.

Andrew Munoz, spokesman for ICE in the US state of Utah, told KSL.com that counterfeit websites have recently become more sophisticated and will often be included in Google search results.

Munoz advised consumers to keep an eye out for little things: a poorly created website, spelling and grammar errors, and/or poor-quality photos.

Another warning sign is a site whose domain name is tough to remember, one that offers deals too good to be true, or one with customer service links to Yahoo or Gmail accounts, he said.

Be careful out there.

Image of online shopping cart courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/68C-zByjZLA/

Car manufacturers quizzed over their anti-hacking measures

A US senator has asked leading car manufacturers to explain how they secure their vehicles against cyber attacks. Democrat Edward Markey’s request comes after recent disclosures from security experts who have reported on how they have hacked into cars.

Markey asked 20 leading car makers to respond to a set of questions about vehicle security, including how they test modern electrical systems and onboard wireless networks.

Recent news reports suggest that Markey’s concerns may well be justified.

Last year Naked Security reported how a $30 hacking kit could be used to steal BMW cars and, in August, researchers Charlie Miller and Chris Valasek showed Forbes reporter Andy Greenberg how a ride in a Toyota Prius could turn into the journey from hell.

Their research showed how hackers could take control of a car’s electronic smart steering, brakes, acceleration, engines and lights.

It’s not just the bad guys who can manipulate the electronics in modern cars, though. Yesterday, the BBC featured an article about RF Safe-Stop, a device capable of stopping a vehicle by blasting electromagnetic waves at it, which it says is of interest to the police and military.

Markey, who also has an interest in the area of privacy, wrote a letter to Ford, General Motors, BMW and others on Monday in which he said:

As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code and more avenues through which a driver’s basic right to privacy could be compromised.

These threats demonstrate the need for robust vehicle security policies to ensure the safety and privacy of our nation’s drivers.

The Auto Alliance, an industry group which represents the leading car manufacturers, responded yesterday with a statement in which it said:

Auto engineers are incorporating security solutions into vehicles from the first stages of design and production, and their security testing never stops.

As cars and other forms of transportation increasingly incorporate in-vehicle computer systems to help with everything from safety to navigation, cyber-security is among the industry’s top priorities and the auto industry is working continuously to enhance vehicle security features.

The National Highway Traffic Safety Administration (NHTSA) also responded to recent concerns over car hacking. From a statement released on Tuesday:

While increased use of electronic controls and connectivity is enhancing transportation safety and efficiency, it brings a new challenge of safeguarding against potential vulnerabilities. NHTSA recognises these new challenges but is not aware of any consumer incidents where any vehicle control system has been hacked.

The senator, however, believes that the automobile industry has played down the risks highlighted by recent security research, saying that:

Airbags and seat belts protect the safety of drivers, but we also need car companies to ensure the security and privacy of those in automobiles in this new wireless age.

Markey, who serves as a member of the Senate Commerce, Science and Transportation Committee, believes that the risk of vehicles being hacked is significant and that tracking and navigation systems in modern vehicles could be used to collect driver data without the consumers’ knowledge or consent.

He would like Congress to examine car security policies.

On the other side of the fence Stuart McClure, Cylance Inc’s chief executive, downplayed the threats posed to cars by hackers, telling Reuters that such attacks were far harder to implement on vehicles than on traditional computing devices.


Image of padlocked car courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FhfrhQa1xPE/

Must try HARDER, infosec lads: We’re RUBBISH at killing ZOMBIES


Botnet takedowns need to be improved if the industry is to avoid the risk of creating more problems than it solves every time it decapitates a zombie network, according to a former Scotland Yard detective turned security researcher.

Adrian Culley, a technical consultant at infosec firm Damballa* who served with the Met Police for 13 years until 2003, told El Reg that more co-ordination and better strategies are needed in botnet takedowns.


As things stand, botnet takedowns are frequently an exercise in whack-a-mole: as one zombie network is taken down, another springs up. Zombie networks are created by both organised crime and intelligence agencies. “Botnets are a blended threat,” Culley told El Reg. “Criminal, commercial and government elements are all involved and sometimes it’s tough to see where one stops and the other begins.”

Culley named China, Russia and Israel (which he described as the example “no one talks about”) as the countries whose spooks have turned to creating botnets. Recent Snowden revelations have shown that elements of the NSA are running botnets too.

Techniques such as sinkholing to wrest control of the botnet need to be followed up by deeper analysis, according to Culley. The former Met Police officer said that more in-depth analysis after the fact can improve future takedowns, in much the same way that the introduction of post-mortems improved surgical techniques and procedures. Better communication between the parties involved in botnet takedowns is also needed.

Culley cited the Conficker takedown as a “good example of how to do it right”.

Hyper-fluxing

Organised crime and other elements are upping their game by using P2P architectures for command-and-control networks, or by rotating between the domain-generation algorithms (hyper-fluxing) that zombie drones use to contact command nodes.

Hyper-fluxing is a refinement of the fast-fluxing technique of generating command nodes, which has been around for several years as a means of moving away from fixed-address command-and-control infrastructure that is easier to identify and take down. Where fast-fluxing uses a single domain-changing algorithm, hyper-fluxing switches between several of them.
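To make the distinction concrete, here is an added toy model (not Damballa’s code, nor anything from the Beheading Hydras paper) of a bot that uses one domain-generation algorithm versus one that picks between two, together with the list a defender has to precompute to sinkhole each. The two generators, their seeds, the TLD list and the date-driven selector are all invented for this illustration.

```python
"""Added example (not Damballa's or the Beheading Hydras authors' code).

A toy model of the difference between a bot family that uses one
domain-generation algorithm and one that switches between several, and of the
candidate list a defender has to precompute to sinkhole each.  Both
algorithms, their seeds and the TLD list are invented for this example.
"""
import hashlib
from datetime import date, timedelta
from typing import Callable, List, Set

TLDS = ("com", "net", "info")
EXAMPLE_DAY = date(2013, 12, 4)  # arbitrary date used in the demonstration


def dga_a(day: date, index: int) -> str:
    """Hypothetical generator A: 12 hex characters from SHA-256 of date and counter."""
    seed = f"A|{day.isoformat()}|{index}".encode()
    return hashlib.sha256(seed).hexdigest()[:12] + "." + TLDS[index % len(TLDS)]


def dga_b(day: date, index: int) -> str:
    """Hypothetical generator B: ten letters derived from MD5 of the ordinal date."""
    seed = f"B|{day.toordinal()}|{index}".encode()
    digest = hashlib.md5(seed).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
    return label + "." + TLDS[digest[10] % len(TLDS)]


ALGORITHMS: List[Callable[[date, int], str]] = [dga_a, dga_b]


def fast_flux_domains(day: date, count: int = 5) -> List[str]:
    """Single algorithm: the rendezvous domains for one day."""
    return [dga_a(day, i) for i in range(count)]


def hyper_flux_domains(day: date, count: int = 5) -> List[str]:
    """Several algorithms, with the choice itself derived from the date."""
    selector = hashlib.sha256(day.isoformat().encode()).digest()[0]
    algorithm = ALGORITHMS[selector % len(ALGORITHMS)]
    return [algorithm(day, i) for i in range(count)]


def sinkhole_candidates(day: date, count: int = 5, algorithms=ALGORITHMS) -> Set[str]:
    """Everything a defender must register or sinkhole for one day if the
    selector is unknown: the union of every algorithm's output."""
    candidates: Set[str] = set()
    for algorithm in algorithms:
        candidates.update(algorithm(day, i) for i in range(count))
    return candidates


def coverage_gap(start: date, days: int, known_algorithms) -> List[str]:
    """Domains the hyper-fluxing bot will actually contact that a defender who
    only reverse-engineered `known_algorithms` would fail to sinkhole."""
    missed = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        covered = sinkhole_candidates(day, algorithms=known_algorithms)
        missed.extend(d for d in hyper_flux_domains(day) if d not in covered)
    return missed


if __name__ == "__main__":
    print("fast-flux, one day :", fast_flux_domains(EXAMPLE_DAY))
    print("hyper-flux, one day:", hyper_flux_domains(EXAMPLE_DAY))
    print("candidates to sinkhole:", len(sinkhole_candidates(EXAMPLE_DAY)))
    print("missed over 30 days knowing only A:", len(coverage_gap(EXAMPLE_DAY, 30, [dga_a])))
```

The point the numbers make: with one algorithm the defender’s daily candidate list equals the bot’s; with two, it doubles, and a takedown team that has only reverse-engineered one generator leaves roughly half the days uncovered.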

Internet defenders need to up their game or else bot-herders will render their best efforts hopelessly inadequate.

Law enforcement and industry must both be involved in dismantling zombie networks and arresting the cybercrooks who profit from them. But the role played by industry needs to be better co-ordinated, a job suited to an organisation such as ICANN, Culley suggested.

A paper (PDF) co-authored by Damballa analysing 45 active botnets revealed that while some takedowns were effective, others did not appear to have a significant long term impact on the targeted botnet. In particular, botnets with secondary communications channels are far more resilient to takedowns.

The research – Beheading Hydras: Performing Effective Botnet Takedowns (abstract below) – was put together by Manos Antonakakis, chief scientist at Damballa, along with computer scientists from the Georgia Institute of Technology and the University of Georgia:

Devices infected with malicious software typically form botnet armies under the influence of one or more command and control (C&C) servers. The botnet problem reached such levels where federal law enforcement agencies have to step in and take actions against botnets by disrupting (or “taking down”) their C&Cs, and thus their illicit operations. Lately, more and more private companies have started to independently take action against botnet armies, primarily focusing on their DNS-based C&Cs.

While well-intentioned, their C&C takedown methodology is in most cases ad-hoc, and limited by the breadth of knowledge available around the malware that facilitates the botnet.

With this paper, we aim to bring order, measure, and reason to the botnet takedown problem. We propose a takedown analysis and recommendation system, called rza, that allows researchers to perform two tasks: 1) a post-mortem analysis of past botnet takedowns, and 2) provide recommendations on how to successfully execute future botnet takedowns. As part of our system evaluation, we perform a post-mortem analysis of the recent Kelihos, Zeus and 3322.org takedowns. We show that while some of these take-downs were effective, others did not appear to have a significant long-term impact on the targeted botnet. In addition to the post-mortem analyses, we provide takedown recommendation metrics for 45 currently active botnets, where we find that 42 of them can likely be disabled entirely by using a DNS-based takedown strategy only.

A recent blog post, Three Reasons Why Botnet Takedowns are Ineffective by Brian Foster, CTO at Damballa, condenses the themes of the whitepaper. Foster reckons a combination of “haphazard” botnet takedowns, ignoring secondary communication methods that allow zombie networks to be reanimated and failure to arrest the cybercriminals behind botnets means that zombie networks pose a much bigger problem to internet hygiene than might otherwise be the case. ®

Bot-note

Damballa’s name comes from a Voodoo snake god that protects against zombies. The infosec firm specialises in fighting botnets of malware-infected (zombie) computers as well as so-called Advanced Persistent Threats.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/04/botnet_takedowns/

Black Friday To Cyber Monday: Keeping Hackers From Having Their Day

Stores across the country were a madhouse when Black Friday arrived, with throngs of shoppers showing up to take advantage of seasonal sales. Online, the customer rush has been similar, though the security challenge businesses face takes on a different form.

This year, according to analytics firm comScore, online sales on Black Friday totaled an estimated $1.198 billion. But alongside those numbers are numbers like these from fraud prevention firm Signifyd: An estimated 1.2 percent of e-commerce sales on smartphones were fraudulent. A legitimate transaction on a tablet averaged $132. A fraudulent transaction on a tablet averaged $216.

More numbers: On Dec. 2, investigators from law enforcement agencies around the world seized 690 domain names belonging to sites trafficking in counterfeit goods.

“Black Friday and Cyber Monday just provide an additional avenue that makes the threats seem more legitimate and create spikes in an overwhelming flow of attacks,” explains Colby Clark, director of incident management at FishNet Security. “People are torn, on one hand, by the desire to be mindful of cyberthreats and, on the other, by trying to take advantage of a deal that seems too good to miss. Unfortunately, the latter usually wins.”

Some managed security providers noted that they did not see an abnormal amount of malicious activity affecting their customers on either day. However, according to Clark, much of the malicious activity surrounding Black Friday and Cyber Monday may not have been identified yet. Often, he says, successful website hacks may not be noticed for weeks or longer due to a lack of monitoring.

For the most part, Black Friday and Cyber Monday hacks focus primarily on social engineering, he says.

“People are expecting solicitations and massive discounts — their guard is down and they will likely click on things they otherwise would not,” says Clark, noting an uptick in attacks targeting vulnerabilities on mobile devices.

During high volume times for a site, it may be easier for a cyberattack to be masked by the normal flow of traffic, “similar to how a thief may be able to get away with shoplifting easier when a store is busy,” Jon French, security analyst at AppRiver, tells Dark Reading.

“It’s always a good idea to keep an eye on any public-facing part of the Internet, but it may be a good idea to play it safe and keep a closer eye during these peak shopping seasons for online retailers,” French says. “This could involve a variety of actions, such as monitoring network patterns or looking for really out-of-the-ordinary orders coming in.”

In preparation for Black Friday and Cyber Monday, security experts at consulting firm Neohapsis recommended businesses use HTTPS to make sure all data between customers and their sites is encrypted, and to check that systems are patched and updated.

“Businesses should ensure their workstations are in a good security place,” advises Catherine Pearce, security consultant at Neohapsis.

“Unfortunately, this event offers both a good pretense and a good opportunity for security problems if attackers can somehow convince or trick your users into visiting attack sites on their computer,” she adds. “Attackers have been abusing popular trends for years … they can use Cyber Monday to attack your users, including phishing, blackhat SEO, and watering-hole attacks, where attackers have already compromised a legitimate site, but wait for a time of high traffic to launch their attack.”


Article source: http://www.darkreading.com/attacks-breaches/black-friday-to-cyber-monday-keeping-hac/240164418

Privacy is alive! Seattle eatery tells Google Glass user where to stick his spectacles…

If you follow technology gossip, you probably saw the fuss kicked up last week by a Seattle resident called Nick Starr, who went into a local 24-hour diner wearing Google Glasses.

Those, in case you missed them, are the creepy streaming-video spectacles from Google that seem to have little practical purpose other than to intrude unrelentingly into the privacy of everyone who comes within eyeshot.

Indeed, the device (which is a nightmare of cardinality to start with, because spectacles are one of those curiously plural English singular nouns, while computers are not) has already spurred the amusingly apposite epithet glasshole.

That word describes those whose self-awarded sense of entitlement to wear their Glasses when out and about greatly exceeds the sense of discomfort and distrust those same Glasses provoke in the people around them.

Anyway, according to reports, Starr not only took exception to the diner’s laudable insistence that he take his Glasses off – for the sake of everyone else, and because, hey, the restaurant isn’t a public place – but went on a glassholic rant on Facebook to urge that the staff member who told him where to go should be sacked.

Starr apparently also ranted that the diner had lost business as a result of its killjoy attitude, because he had now shelved his plans to go there with his partner for Thanksgiving – glassed up, one assumes, so as not to miss a minute of his own self-importance.

We say “according to” and “apparently” because Mr Starr’s Facebook post, to which many stories direct us to learn about his outspoken views on privacy and why we need a lack of it, is not public.

You’ll have to log in to read it:

The Lost Lake Cafe and Lounge, Open 24 Hours, on the other hand, is not so coy about its opinion of glassholitude, and has served public notice on Starr and his ilk to show them where to stick their spectacles:

We recently had to ask a rude customer to leave because of their insistence on wearing and operating Google Glasses inside the restaurant. So for the record, here’s Our Official Policy on Google Glass:

We kindly ask our customers to refrain from wearing and operating Google Glasses inside Lost Lake. We also ask that you not videotape anyone using any other sort of technology. If you do wear your Google Glasses inside, or film or photograph people without their permission, you will be asked to stop, or leave. And if we ask you to leave, for God’s sake, don’t start yelling about your “rights”. Just shut up and get out before you make things worse.

We imagine that this sort of showdown will become ever more prevalent as always-on recording devices create a digital divide between those who dismiss privacy as outmoded in the 21st century, and those who feel strongly that it should be respected as part of civil society.

So, expect an ongoing argument between the privacy deniers, like Scott McNealy, then CEO of then-company Sun Microsystems, who famously said, “You have zero privacy…Get over it,” and Eric Schmidt, then CEO of Google, who respected privacy so much that he banned CNET reporters from Google for 12 months for publishing information about him that they had found using his company’s search engine.

(Indeed, that’s the same Google that makes the Glasses.)

In the meantime, our guts are telling us that the Lost Lake Cafe and Lounge, Open 24 Hours, stands to gain much more in the way of publicity and business from unashamedly saying “No” to glassholes than it would from Google Glass users who might otherwise drop in to film themselves eating, say, Blackened Northwest Salmon, grilled with lemon and topped with fresh dill, served with seasonal vegetables and simple green salad, $13.00.

And if you don’t like it (the ban on Google Glasses, not the Blackened Northwest Salmon), then, in the words of Lost Lake Cafe and Lounge, Open 24 Hours, Capitol Hill, 1505 Tenth Avenue, Seattle WA, “We reserve the right to refuse service to anyone.”

Still, it wouldn’t hurt for Lost Lake to put some decent coffees on the menu – espressos and ristrettos, for instance.

Maybe it’s just that I speak British English, but “drip” as an adjective for anything – especially coffee – doesn’t make me want to consume it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9iScq094HJg/

Proposed Canadian cyber law – anti-bullying or pro

The Canadian government recently put forward a new set of cyber laws designed to prevent online bullying.

The proposed legislation immediately drew howls of outrage from all corners, accusing the government of simply reviving its previous failed attempt at introducing draconian state snooping in a new disguise.

So, what’s really going on with Bill C-13?

The bill was announced by Canada’s Justice Minister Peter MacKay on November 20th, nicely coinciding with Anti-Bullying Week in the UK.

Referred to as the “Protecting Canadians from Online Crime Act”, the legislation is seen as a direct response to the deaths of Canadian cyberbullying victims Rehtaeh Parsons and Amanda Todd, both of whom committed suicide following online harassment, as have tragically many others.

The opening section of the bill seems to address this issue fairly directly, making it a criminal offence to publish or otherwise distribute “intimate images” without consent, with a potential punishment of up to five years imprisonment.

Even this part is not without controversy however, with some commentators suggesting that it would cover far more than the malicious online bullying, harassment and defamation it is aimed at, citing public interest publication and also frivolous and unintentional posting of pictures which could be seen as intimate.

Others have suggested it fails to properly understand and address the issues faced by young internet users, calling for more proactive rather than purely punitive intervention, while still others contend that the “consent” requirement may not cover the likes of “revenge porn” where images may have been taken with consent but later distributed.

Revenge porn is an area specifically targeted by new and planned laws in other jurisdictions, including California.

It is the rest of Bill C-13 that most commentators have taken issue with though.

In the summary of the bill, only the first of six key points refers directly to its ostensible main subject of cyber-bullying, while the rest detail additional powers to be granted to investigators, to access, monitor and record information on suspected digital criminals.

Much of this content seems to be recycled from the Canadian government’s previous attempt at getting this legislation, 2012’s Bill C-30, known as the “Protecting Children from Internet Predators Act” and introduced as an attempt to battle online paedophilia.

This seems to reveal a pattern of hiding these provisions under the cover of a clearly worthwhile effort to protect young people, although Bill C-30 was originally (and rather more honestly) entitled the “Lawful Access Act”, in reference to the added access rights it would have granted to police.

One Canadian minister went as far as claiming that those who opposed the bill stood on the side of child pornographers. Bill C-30 was killed after public outcry at the snooping powers it would have granted.

This was back in 2012, before the whole Snowden/NSA debacle heightened public awareness of just how much governments may be intruding into their privacy online.

Canadian legal experts point out that the new bill retreads much the same ground, although some of the most widely-criticised components have been removed, including granting full and unimpeded access to subscriber info from phone and internet provider firms, with no need for warrants, and requiring ISPs to build in interception methods into their systems.

The new powers that remain in Bill C-13 include granting immunity to anyone who hands over personal information to the police, as long as there is no explicit ban on passing on such information. In effect, the police can call on anyone they think may hold data of interest and ask for a look at it, with no requirement that they have any reason to want to see that data.

The data holders will not be obliged to comply without a warrant, but they will not be penalised if they do hand over information.

Where warrants are required, they seem to mostly only require the police have “reasonable grounds to suspect” some sort of wrongdoing, rather than the more usual and considerably stricter “grounds to believe”.

New warrants proposed include ones allowing access to metadata and location information from suspects’ devices and service providers, and letting the police avoid telling people that they have been subject to such intrusions.

There are also tweaks to sections of law covering what could be loosely called “hacking”, including accessing systems or intercepting data or passwords without authorisation, as well as making or owning hardware or software designed to access for-fee services without paying (previously only hardware was covered), and creating tools which might facilitate hacking.

All in all there seems to be quite a lot here worth worrying about. There is doubtless some worthwhile content in the bill, but the way it has been put together looks at best misguided, at worst duplicitous.

Not only are there many points which remain little changed from the previous highly controversial outing, they have once again been buried inside a bill which, for all its worthiness, now looks like little more than a cloak under which to hide the nastier content.

The bill has been up for debate in the Canadian parliament over the last week. It has already drawn comment from the Canadian Privacy Commissioner, and a campaign to fight the provisions has been launched.

Given the reaction the last time these powers were proposed, and the increased profile of privacy issues in the last six months or so, it seems likely that the Canadian government will face another barrage of indignation at their latest attempt to sneak in-depth snooping powers into law.


Image of Canada eye and Big Brother courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/L6UyvZvKEew/

Online clothing store Witchery lets customers view – and edit!

Australian news site news.com.au has reported a rather worrying problem with the mobile website of Aussie clothing brand Witchery.

According to News Limited journalist Sarah Michael, customers visiting Witchery’s mobile site were able to retrieve – and even to edit – the personal information of other customers via a feature called “track my order.”

Customers could also view every order currently being processed, not just their own.
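The defect described above is the classic missing object-level authorisation check: the endpoint asks whether an order exists, not whether it belongs to the person asking. As an added illustration (not Witchery’s, Country Road’s or their provider’s code), here is that lookup modelled in a few lines beside a fixed version that ties every read and write to the logged-in customer. The customers, order numbers and fields are constructed for the example.

```python
"""Added example (not Witchery's, Country Road's or their provider's code).

Models the access-control failure the report describes: an order-tracking
lookup that only asks whether an order exists, beside one that also asks
whether it belongs to the logged-in customer.  Customers, orders and fields
are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Order:
    order_id: str
    customer_id: str
    name: str
    address: str
    status: str = "processing"


class Forbidden(Exception):
    """Raised when a customer asks for an order that is not theirs (or does not exist)."""


def sample_store() -> Dict[str, Order]:
    """Constructed data: two customers, three orders with sequential numbers."""
    return {
        "100234": Order("100234", "cust-a", "Alice Example", "1 Sample St, Sydney"),
        "100235": Order("100235", "cust-b", "Bob Example", "2 Sample Rd, Melbourne"),
        "100236": Order("100236", "cust-b", "Bob Example", "2 Sample Rd, Melbourne", "shipped"),
    }


# --- the pattern the report describes --------------------------------------

def track_order_vulnerable(store: Dict[str, Order], order_id: str) -> Order:
    """Sequential order numbers and no ownership check: change one digit in
    the request and you are reading somebody else's name and address."""
    return store[order_id]


def update_address_vulnerable(store: Dict[str, Order], order_id: str, new_address: str) -> Order:
    """The same flaw on a write path, which is how 'view' becomes 'edit'."""
    order = store[order_id]
    order.address = new_address
    return order


# --- the fix: authorise every object access against the session ------------

def track_order(store: Dict[str, Order], session_customer_id: str, order_id: str) -> Order:
    """Return the order only if it belongs to the authenticated customer.

    'Not found' and 'not yours' raise the same error so the endpoint cannot
    be used to enumerate which order numbers are valid.
    """
    order = store.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise Forbidden(f"order {order_id} is not available to this customer")
    return order


def update_address(store: Dict[str, Order], session_customer_id: str, order_id: str, new_address: str) -> Order:
    """Writes reuse the exact same check as reads."""
    order = track_order(store, session_customer_id, order_id)
    order.address = new_address
    return order


def list_orders(store: Dict[str, Order], session_customer_id: str) -> List[Order]:
    """Only the customer's own orders, never the whole processing queue."""
    return [o for o in store.values() if o.customer_id == session_customer_id]


def access_denied(fn: Callable, *args) -> bool:
    """True if calling fn(*args) is refused with Forbidden (used to demonstrate the fix)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = sample_store()
    # Alice (cust-a) reading Bob's order: succeeds against the vulnerable lookup ...
    print(track_order_vulnerable(store, "100235").address)
    # ... and is refused by the fixed one.
    print(access_denied(track_order, store, "cust-a", "100235"))
```

Note that the fix is not a longer order number or a CAPTCHA: every handler that loads an object by client-supplied identifier has to compare the object’s owner with the server-side session, and the write path must do it too.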

The good news is that a spokesperson for Country Road, the company that owns the Witchery brand, has gone on the record to say that no credit card information was exposed.

That’s a relief, because Witchery’s mobile site proudly boasts:

Card-free membership – make your wallet that bit lighter – your card number is stored in the app!

The bad news, of course, is that your credit card is one of the few aspects of your PII (Personally Identifiable Information) you can change fairly easily.

You also enjoy some statutory protections against fraud and abuse of your card, notably that you will probably get your money back if someone rips you off.

Things like the combination of your name and address are much harder to change if you think they have fallen into the wrong hands.

There’s no suggestion that Witchery’s regular website suffered from the same problem, and this wouldn’t be the first time that the security of a company’s mobile offering was found to be lower than that of its full-sized counterpart.

For example, when Facebook finally announced “HTTPS everywhere” in late 2012 – a move in which Naked Security likes to think it played a modest part – it had to admit that it was still working with mobile phone vendors to bring the same privacy and security benefits to mobile users.

Likewise, in Apple’s world, apps approved for sale in the App Store have been found not only to grab hold of your contact data without proper permission, but also to upload it to the app’s creator using unencrypted HTTP, something that would be considered out of the question for a regular website.

If news.com.au has it right, the Country Road spokesperson described Witchery’s problem with the words, “A small problem has been identified by our third party provider and is being fixed.”

We’re not sure that’s quite the right way to put it – describing a leak of customers’ PII as “a small problem” isn’t merely insensitive, it seems to imply that as long as what’s breached doesn’t have some immediate financial connection, such as a credit card number or expiry date, it doesn’t really count.

You can listen to more about this topic in a recent Sophos podcast, where Chester Wisniewski and I discuss where security is heading in the so-called Internet of Things:


Chester explains that we aren’t really looking at an internet of things, but rather at an internet of intimate information about the people who happen to own and use various internet-connected things.

The relevant discussion kicks off at 10’19”, but we think you’ll enjoy the podcast enough to listen your way there rather than fast-forwarding.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/L_FDiq5zsDk/

D-Link patches "Joel’s Backdoor" security hole in its SoHo routers

About six weeks ago we wrote about an amusingly alarming security hole in various D-Link routers.

Simply by configuring your browser’s User Agent setting to a not-terribly-secret string of characters, you could skip the router’s login page and thus administer the router without knowing the password.

The alarming part of the hole is that the string is comparatively easy to find in the firmware of all affected routers:

    xmlset_roodkcableoj28840ybtide

The amusing part is what happens if you ignore the xmlset part and reverse the rest:

    Edit by 04882 Joel: Backdoor

We were never quite sure if this was a cheap trick by D-Link so that its own command line utilities could work what you might call “frictionless magic” with your router – look Ma! no password required! – or if it was the accidental aftermath of debugging code that got forgotten.

We never found out who Joel was, either, and we have no idea if 04882 was his D-Link staff number, his nickname, or even some kind of curious date-and-time marker.
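As an added example (not D-Link’s firmware code and not from the original article), the following Python decodes the string quoted above, scans web-server access logs for requests that present it as their User-Agent, and contrasts a login check that honours such a header with one that does not. The log lines are constructed for the example, and the two authentication functions are a model of the behaviour described, not the router’s actual logic.

```python
"""Added example (not D-Link's or Naked Security's code).

Decodes the "Joel's Backdoor" User-Agent string, scans web-server access logs
for requests that present it, and contrasts a login check that honours such a
header with one that does not.  The log lines and the two authentication
functions are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def decode_backdoor_string(ua: str, prefix: str = "xmlset_") -> str:
    """Drop the 'xmlset_' prefix and reverse what is left."""
    if not ua.startswith(prefix):
        raise ValueError(f"expected prefix {prefix!r}")
    return ua[len(prefix):][::-1]


# Apache/nginx "combined" log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log, not real traffic: one ordinary request and two that
# present the backdoor string (one with different letter case).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2013:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Dec/2013:10:01:15 +0000] "GET /cgi-bin/admin HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"
192.168.0.12 - - [02/Dec/2013:10:02:01 +0000] "POST /apply.cgi HTTP/1.1" 200 128 "-" "XMLSET_roodkcableoj28840ybtide"
"""


def find_backdoor_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, method, path) for every request carrying the backdoor UA.

    The comparison is case-insensitive on purpose: a detection rule should not
    miss a variant just because the case of the string was changed.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and match["ua"].lower() == BACKDOOR_UA:
            hits.append((match["ip"], match["method"], match["path"]))
    return hits


def is_admin_vulnerable(headers: Dict[str, str], has_valid_session: bool) -> bool:
    """Model of the behaviour described above: a magic User-Agent bypasses login.

    Every request header is attacker-controlled, so this is equivalent to
    shipping the device with a second, fixed password that can never be changed.
    """
    return has_valid_session or headers.get("User-Agent") == BACKDOOR_UA


def is_admin_hardened(headers: Dict[str, str], has_valid_session: bool) -> bool:
    """The decision depends only on server-side session state; headers are ignored."""
    return has_valid_session


if __name__ == "__main__":
    print(decode_backdoor_string(BACKDOOR_UA))
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print("backdoor UA from %s: %s %s" % hit)
```

Run against a real access log, the scanner is only useful if the router (or a reverse proxy in front of it) actually records the User-Agent; most SoHo devices do not, which is one more reason the fix has to be in the firmware rather than in monitoring.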

The immediate workaround for “Joel’s Backdoor” was to make sure that your router wasn’t accepting administrator connections (known as remote management) on the WAN interface, i.e. from traffic coming directly from the internet.

Fortunately, remote management from outside is blocked on D-Link routers by default, thus greatly reducing the risk to most devices.

→ With or without a security hole like this, you almost certainly don’t want remote administration enabled on a SoHo router. Attackers will spot your router at home, and they will regularly and routinely be probing for holes, known and unknown, that could get them into your network. (Check your logs for proof.) Never rely on being “too small and uninteresting” for the crooks.

Nevertheless, it’s still a pretty big risk if anyone on your network can tweak, or be tricked into tweaking, your router settings.

Even if you only let trustworthy friends or family onto your LAN, they might be infected with malware that gives cybercrooks a foothold inside your network and thus direct access to your router.

Or they could be tricked into clicking on a link that was served up from outside, but which points to an internal configuration page on your router.

So the good news is that D-Link has just published firmware upgrades for the routers affected by “Joel’s Backdoor,” namely the following models:

    DIR-100   Rev A1     Upgrade 1.13        - 1.14/1.14B01
    DIR-120   Rev A1     Upgrade 1.03/1.04RU - 1.05B01
    DI-524    Rev E3/E4  Upgrade 5.12        - 5.13B01
    DI-524UP  Rev A1/A2  Upgrade 1.07        - 1.08B01
    DI-604UP  Rev A1     Upgrade 1.03        - 1.04B01
    DI-604+   Rev A1     Upgrade 1.10        - 1.11B02
    DI-624S   Rev B1/B2  Upgrade 1.11        - 1.12B01
    TM-G5240  Rev A1     Upgrade 4.00B29     - 4.01B01

You can find out more about the hole that was patched (and hear our advice to programmers on avoiding this sort of vulnerability) in this Sophos podcast:


Our discussion of the D-Link hole starts at 2’56”.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Yxjqf21oAmY/

From the Labs: New PlugX malware variant takes aim at Japan

We’ve written about the PlugX malware before on Naked Security, thanks to a pair of technical reports from SophosLabs Principal Researcher Gabor Szappanos (Szappi).

Szappi presented an inside look at this intriguing malware family in his analysis of PlugX Version 6, published back in May, and of its close cousin Smoaler, published in July.

Interesting tactics used in these malware samples include:

  • They were distributed in believable-sounding emails.
  • The emails included booby-trapped attachments.
  • The attachments exploited a vulnerability in Microsoft Word’s handling of RTF files.
  • The attachments had a Tibetan political theme.
  • The malware unpacked itself in several stages.
  • The malware loaded and launched its own payload executable, bypassing the operating system program loader.
  • The malware carried with it a digitally signed legitimate application, used to initiate infection.
  • This legitimate application was tricked into loading a malicious DLL.
  • The final payload opened a backdoor allowing the crooks to feed the malware instructions remotely.

PlugX revisited

Now, Szappi, and fellow researcher Xinran Wu of SophosLabs in Sydney, have been looking into what seems like another example of the PlugX family.

They have come across a curious mixture of similarities and differences.

This particular threat isn’t yet very widespread: we have had only one report directly from the wild, together with the email in which it was delivered, plus a handful of samples from other sources.

What we therefore don’t yet know is whether the PlugX malware writers are practising on new targets, experimenting with new malware, or (let us hope!) finding it increasingly difficult to get an infection foothold these days.

The primary differences in this attack are obvious:

  • The malware is aimed at Japan.
  • The Tibetan theme is replaced with a managerial one.
  • The malware exploits a vulnerability in popular Japanese word processor Ichitaro, not Word.

There are numerous similarities, too:

  • The malware loads and launches its own compressed payload executable, bypassing the operating system program loader.
  • The malware carries with it a digitally signed legitimate application.
  • This legitimate application is tricked into loading a malicious DLL.
  • The final payload opens a backdoor allowing the crooks to feed the malware instructions remotely.

How the malware arrives

The malware arrived in a booby-trapped attachment to an email.

The email looked like this:

Subject: Personnel info for 26 Nov and 30 Nov

Attachment: PersonnelInfoFor26NovAnd30Nov.jtd

Many of you may have it already, but I have received personnel information as of 22 August and 27 August from XXXX.

I am sending this to you in an attachment.

Please check it. Thanks.

The .JTD extension is used by Ichitaro document files.

We can’t give you precise details about how the exploit works or how to mitigate it (we haven’t been able to configure an Ichitaro environment in which it triggers), but we recommend that all Ichitaro users look at the latest security bulletin from the product’s vendor, Justsystems.

The bulletin details a recent patch to protect you from files booby-trapped with exploits against the vulnerability CVE-2013-5990:

[JS13003] Risks of executing malware exploiting a vulnerability in Ichitaro. Published 2013-11-12.

Summary: Some of our products have been found to contain vulnerabilities. If exploited, this could allow arbitrary code execution. We have listed the affected products, with patches and mitigations, below.

Vulnerability: If a document crafted to exploit this vulnerability is opened, it will try to execute malicious code.

By simulating the execution of the exploit so that the shellcode in the document extracts the next stage of the malware, we can see what is supposed to happen next.

How the malware loads

A WinRAR self-extracting archive, containing three files, is written to disk and run:

The self-extractor turns control over to starter.exe, which is a 2011-vintage digitally signed application from anti-virus vendor Kaspersky:

The Kaspersky component is designed to load a DLL called splash_screen.dll, but doesn’t force that DLL to be loaded from a specific directory on the disk.

So, if there happens to be an imposter DLL with that name somewhere in the Windows PATH (which includes the current directory) the imposter will be run instead of the genuine DLL.

→ This is known as an insecure library loading vulnerability, and can be exploited against any program that denotes the DLLs it needs merely by name, e.g. MY.DLL, rather than by using unambiguous path-and-file names, e.g. C:\SPECIFIC\MY.DLL. Warning to programmers: always specify DLL filenames unambiguously when calling LoadLibrary().

The imposter DLL reads, decompresses and loads the payload file, splash_screen.dll.sp1.

Here is the code in the imposter DLL that calls the Windows function RtlDecompressBuffer() in the system library NTDLL:

As a very mild anti-analysis trick, the decompressed data is nearly, but not quite, a proper Windows DLL file.

The two instances of XV in the diagram below are supposed to be MZ and PE respectively, where MZ denotes that a file is a Microsoft-format executable program, and PE denotes that it is a Portable Executable, or Windows program:

The absence of MZ and PE is irrelevant to the imposter DLL, which doesn’t rely on Windows to load the decompressed program.

Instead, the imposter DLL includes its own program loader, patching the splash_screen.dll.sp1 payload program correctly into memory itself, and then jumping to it.

While patching the decompressed payload, the imposter DLL uses the header information (amongst other load-time data) shown above, but once the loader is ready to jump into the payload program, the header information is redundant.

So the imposter DLL overwrites the payload header with zeros before transferring control to the payload itself.

That prevents malware analysts from easily dumping the running payload program out of memory onto disk in a form that would immediately make sense to Microsoft’s official Windows debugging tools.

Once again, this acts as a mild anti-analysis trick.

→ In practice, you can bypass this sort of anti-analysis by using a debugger to halt the imposter DLL immediately after the abovementioned call to RtlDecompressBuffer(), and dumping the relevant header data before it gets wiped out.
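As an added example (not from the article or from SophosLabs), the following Python restores the MZ and PE signatures that the loader replaces with XV, so a dump taken right after decompression can be handed to ordinary PE tools; it also refuses a dump taken after the header was zeroed, since nothing is left to repair. The 256-byte sample image is constructed, not taken from the real payload.

```python
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C   # where the DOS header stores the offset of the PE header
MANGLED = b"XV"          # what the imposter DLL leaves in place of MZ and PE


def build_sample(mangled: bool) -> bytes:
    """Constructed 256-byte buffer shaped like a tiny PE image: DOS header at 0,
    PE header at 0x80. Not taken from any real sample."""
    dos = bytearray(0x80)
    dos[0:2] = MANGLED if mangled else MZ_SIG
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)
    nt = bytearray(0x80)
    nt[0:4] = (MANGLED + b"\0\0") if mangled else PE_SIG
    struct.pack_into("<H", nt, 4, 0x14C)   # Machine = i386, only to look plausible
    return bytes(dos + nt)


def is_valid_pe(buf: bytes) -> bool:
    """True if the buffer carries intact MZ and PE signatures."""
    if len(buf) < E_LFANEW_OFFSET + 4 or buf[0:2] != MZ_SIG:
        return False
    e_lfanew = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    return buf[e_lfanew:e_lfanew + 4] == PE_SIG


def repair_headers(buf: bytes) -> bytes:
    """Put MZ and PE back so standard PE tools accept the dump.

    Works on a dump taken right after RtlDecompressBuffer() (signatures read XV).
    Raises ValueError on a dump taken after the loader zeroed the header: the
    e_lfanew field and the rest of the header are gone and cannot be guessed."""
    data = bytearray(buf)
    if len(data) < E_LFANEW_OFFSET + 4:
        raise ValueError("buffer too small to hold a DOS header")
    if bytes(data[0:2]) not in (MZ_SIG, MANGLED):
        raise ValueError(f"DOS signature {bytes(data[0:2])!r} is neither MZ nor XV; header probably zeroed")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        raise ValueError(f"e_lfanew 0x{e_lfanew:x} does not point inside the buffer")
    if bytes(data[e_lfanew:e_lfanew + 2]) not in (PE_SIG[:2], MANGLED):
        raise ValueError("no PE or XV signature at e_lfanew")
    data[0:2] = MZ_SIG
    data[e_lfanew:e_lfanew + 4] = PE_SIG
    return bytes(data)
```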

How the malware works

Once the payload program has been loaded into memory and prepared for use, the imposter DLL jumps to it.

The payload connects to a server at www DOT mofamails DOT com for instructions on what to do next.

Like many bots or backdoors, this gives the infiltrators very general control over the infected computer, including functionality to:

  • Collect running process and module information.
  • Load and reconfigure system services.
  • Start and stop processes.
  • Create and delete files.
  • Manipulate the registry.
  • Acquire detailed system information.
  • Log keystrokes.
  • Take screenshots.
  • Monitor network resources and connections.

What we can learn

The obvious questions raised by this attack are: why Japan, and why Ichitaro?

One answer is, “We don’t know.”

Another, sadly, is, “Why not?”

As far as we can tell, the PlugX creators acquired an Ichitaro exploit, giving them a way to attack victims they couldn’t reach before, so they decided to try it out.

What this reminds us is that we are all potentially at risk due to vulnerabilities and exploits, not just those of us who use the dominant operating systems and products in the market. (Apple OS X users take note!)

In short:

  • Avoid opening attachments you weren’t expecting, no matter how believable they might sound.
  • Keep up to date with patches against known vulnerabilities in all the software you use.
  • Use an on-access (real-time) virus scanner, and ensure it is up to date.

Note. Sophos products detect and block this malware as follows:

  • Booby-trapped documents: Troj/DocDrop-AZ
  • The malware dropped: Troj/Plugx-W

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SMrO6rcNkRw/

D-Link FINALLY slams shut ‘Joel’s backdoor’


Better late than never: D-Link has issued the promised patch that closes an administrative backdoor in its SOHO broadband routers.

When the vulnerability was first discovered, the vendor promised to patch it by the end of October.

The patch has now been issued here.

If an attacker set their browser user agent string to read xmlset_roodkcableoj28840ybtide, their D-Link router would obligingly drop them straight into the admin page without a login. Only turning off remote administration would protect the device.

An amusing and really obvious (except that Vulture South didn’t notice it either) aspect of the vulnerability is what happens if the secret string is reversed. As pointed out by Sophos at Paul Ducklin’s Naked Security blog, the string (ignoring the xmlset_ part) reads:

Edit by 04882 Joel Backdoor

In other words, in our opinion, someone dropped the backdoor into the device during development and forgot to remove it later. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/04/dlink_finally_slams_shut_joels_backdoor/