STE WILLIAMS

From Cyber Monday to Christmas shopping, ’tis the season to be careful

The popularity of online shopping continues to grow every year as cash-strapped consumers discover the savings that can be made in comparison to traditional brick and mortar retailers.

At this time of year, as we search for Cyber Monday bargains and prepare for Christmas, it is also rather tempting to enjoy the comfort of shopping from our own homes and not have to battle the seasonal queues.

But shopping on the web is not always a perfect experience as many consumers discover to their cost.

Last Christmas, for example, shoppers in the UK lost over £12m, according to Action Fraud, the City of London Police and Get Safe Online, who are warning consumers to take extra care when shopping online for tablets, games consoles, electrical items and other gifts.

Tony Neate, CEO of Get Safe Online said:

£12.4m is a huge amount of money to be lost to online fraud but unfortunately, it’s the type of figure I see every year. The problem is, scams change and adapt as trends come and go. They have also become more sophisticated as we get wiser to what is and isn’t legitimate so it’s understandable that people sometimes get caught out.

Action Fraud, run by a government agency known as the National Fraud Authority, received more than 10,000 reports of online fraud and auction site scams over the Christmas period. On average, the victims of these crimes lost over £1,700 each.

One of the reasons why so many people were duped last year may have been the fact that the fraudsters were well aware of which items were going to be popular. Rip-offs and scams centred on smartphones, games consoles, Apple products and items of designer clothing.

Other gift ideas such as jewellery, watches and precious metals were also used as bait in various online cons.

This year the list of popular gift ideas is likely to be very similar and so shoppers should be extra vigilant when considering buying any of the above. Particular attention should probably be given to the next gen consoles that have just been announced – the PS4 and Xbox One are both in short supply and in huge demand which will surely be a combination that online fraudsters will find hard to resist.

So, what can you do to ensure that you are not a victim at this time of year?

Action Fraud, Get Safe Online and the City of London Police have listed out ten tips:

1. Trust your instincts – if an offer looks too good to be true it usually is. Legitimate popular technology and designer items are rarely discounted.

2. Check the URL in the web browser. Don’t be fooled by spoof websites where the address is slightly different.

A while back we deliberately misspelled the addresses of many popular websites to see where we would end up; the results are in a SophosLabs video on YouTube.

3. Ensure the website address begins ‘https’ at the payment stage – this indicates a secure payment.

4. Don’t access links in unsolicited emails, always type in the website address or use a search engine to find a site.

5. Only deal with reputable sellers – only use sites you know or ones that have been recommended to you.

6. Avoid paying by money transfers direct to people you don’t know. Use an online payment option such as PayPal, which helps to protect you.

7. Watch out for pop-ups appearing asking you to confirm your card details before you are on the payment stage. Never enter your PIN number online.

8. If your bid for an online auction item is unsuccessful, don’t be tempted to trade off-site if another seller approaches you with a similar item. This is likely to be a scam and you won’t be covered.

9. Keep security software and firewalls up-to-date. Regularly update your internet browser when a new patch (security update) is released.

10. Keep receipts and check these against your statement – if you spot a transaction you did not authorise speak to your card company immediately.
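Tips 2 and 3 are the ones a shopper can actually automate, so here is an added example (written for this page; it is not code from Action Fraud, Get Safe Online or the City of London Police) that checks a URL the way the tips describe: is the checkout page served over https, is the registrable domain one you already know, and if not, is it a near-miss of a known shop (a one-character misspelling such as a digit for a letter, or a real brand name buried inside a longer hostname). The list of known shops and the URLs are constructed for the demo. Note the caveat the tip does not spell out: https only tells you the connection is encrypted, not that the seller is genuine, which is why the domain check matters more.

```python
"""Shop-URL sanity check: https at checkout plus lookalike-domain detection.

Added example, not part of the original article. KNOWN_SHOPS is a constructed
list standing in for the sites you have deliberately bookmarked.
"""
from urllib.parse import urlsplit

KNOWN_SHOPS = ["example-shop.com", "bigretailer.co.uk", "paypal.com"]  # constructed
# Labels that act as a second-level suffix under a two-letter ccTLD (co.uk, ac.jp ...).
# A production check would use the Public Suffix List instead of this shortcut.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels, or three for forms like bigretailer.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; catches paypa1.com, amazom.com and similar one-off typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_shop_url(url):
    """Return a report dict with https flag, domain, whether it is known, and a verdict."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    report = {
        "https": parts.scheme == "https",
        "domain": domain,
        "known": domain in KNOWN_SHOPS,
        "lookalike_of": None,
    }
    if not report["known"]:
        for shop in KNOWN_SHOPS:
            brand = shop.split(".")[0]
            # Either the whole domain is within two edits of a known shop,
            # or a known brand name appears inside an unrelated hostname
            # (www.paypal.com.secure-check.net is really secure-check.net).
            if edit_distance(domain, shop) <= 2 or brand in host:
                report["lookalike_of"] = shop
                break
    if report["known"]:
        report["verdict"] = "ok" if report["https"] else "warn: not https at checkout"
    elif report["lookalike_of"]:
        report["verdict"] = "suspicious: looks like " + report["lookalike_of"]
    else:
        report["verdict"] = "unknown seller"
    return report


if __name__ == "__main__":
    for u in ["https://www.paypal.com/checkout", "https://paypa1.com/login",
              "http://bigretailer.co.uk/pay", "https://www.paypal.com.secure-check.net/x"]:
        print(u, "->", check_shop_url(u)["verdict"])
```

The edit-distance threshold of two is deliberately loose; on very short domains it will over-warn, which for a shopper is the right failure mode. Tip 1 still applies on top of this: a correctly spelled, https-served page can still be a fake shop that simply registered its own domain.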

Security Minister James Brokenshire said that although the UK government is working to reduce online crime, the public need to play their part in ensuring they don’t fall victim to festive scams:

We are taking the fight to cyber criminals with the newly created National Cyber Crime Unit, which is part of the National Crime Agency.

But the public should also stay vigilant to ensure they don’t lose their hard-earned money on fakes and frauds. Following straightforward steps while shopping online will help the public to avoid cyber fraudsters.

Shoppers can find great bargains online ahead of Christmas and this time of year provides a welcome boost to retailers. But shoppers should remember if something looks too good to be true it often is.

By following the tips above you can minimise the risk of becoming an online fraud victim. If you, or anyone you know, has fallen for any type of online con, you can report the matter to Action Fraud in the UK; if you are in the US, the Department of Justice website explains who to report the crime to.

Looking ahead to January, the Government will be taking steps to increase online confidence amongst members of the public as well as small and medium-sized businesses. The campaign, designed to help organisations and individuals make simple changes to their online behaviour, will be funded and supported by private sector partners including Sophos whose CFO, Nick Bray, commented:

As the UK’s leading cyber security company, we are both delighted and proud to support the government in this and other cyber security initiatives. Improving cyber security is a national imperative and Sophos is committed to working with both government and industry to ensure this happens.


Image of scam alert courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/neIhW_PSpvE/

Cyber Monday Survey: US More Concerned About Mobile Shopping Security Than UK

PORTLAND, OREGON — December 2, 2013 — Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, today announced the results of a survey on mobile security and holiday shopping. The survey was conducted by Dimensional Research and OnePoll from November 18-20, 2013, and evaluated the attitudes of 1,400 consumers in the U.S. and U.K.

Mobile shopping is expected to increase dramatically this holiday season. Digital measurement company comScore announced that mobile commerce spending on smartphones and tablets in the U.S. reached $5.8 billion in Q3, a 26% increase over Q3 2012. Yet, during the same period, mobile malware threats also increased 26%, leaving consumers more exposed to mobile attacks than ever before.

Ninety-one percent of U.S. and 83% of U.K. respondents believe that shopping on a computer provides more security than shopping on a mobile phone. Fifty-nine percent of U.S. respondents and 65% of U.K. respondents said they do not have any security software on their mobile phone. Despite mobile malware concerns, many plan to use their mobile phones for holiday shopping.

Key U.S. findings include:

Respondents from wealthier households are three times more likely to shop for the holidays using their mobile devices.

Male respondents are 50% more likely than female respondents to shop on their mobile devices at work.

Respondents from wealthier households are seven times more likely to say there is no maximum price for items they would purchase with their mobile device.

50% more men than women say the convenience of mobile shopping overrides security concerns.

“Shopping on mobile devices is all about convenience, and it is clear from the data that consumers are quite willing to forgo security for that convenience,” said Dwayne Melancon, chief technology officer for Tripwire. “The survey also seems to confirm the stereotype that men do not like to shop and will go out of their way to avoid shopping malls. It is also not surprising that affluent households are more likely to shop on mobile devices this holiday season; after all, they will have more discretionary income to spend and typically place a higher value on the convenience of shopping online.”

About Tripwire

Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at www.tripwire.com, get security news, trends and insights at http://www.tripwire.com/state-of-security/ or follow us on Twitter @TripwireInc.

Article source: http://www.darkreading.com/mobile/cyber-monday-survey-us-more-concerned-ab/240164333

NTT Com Security Releases Next Generation Managed Security Services

LONDON, December 2, 2013 /PRNewswire/ —

NTT Com Security [http://www.nttcomsecurity.com ] (formerly Integralis), a global information security and risk management organisation, has announced the availability of its next generation Managed Security Services (MSS), delivering advanced security and risk management capabilities to the global enterprise. The enhanced MSS is available under the company’s single global brand, WideAngle, which was launched earlier this year to represent its information security and risk management portfolio of managed services, consulting and technology solutions.

As companies look to become more agile, the internal IT boundaries have blurred and increasingly businesses need to protect data and manage risk across a variety of IT architectures. WideAngle MSS [http://www.nttcomsecurity.com/en/services/managed-security-services ] provides the visibility needed to do this for companies of all sizes, across on-premise, cloud or hybrid technology environments. The WideAngle MSS is capable of analysing vast amounts of disparate data and distilling it into actionable information that enables businesses to manage increasingly diverse threats and make informed risk management decisions.

The new service has three key building blocks – device management, automated analysis and security enrichment – and is delivered by NTT Com Security experts through its Global Risk Operations Centres (GROC). Over 150 NTT Communications global data centres will provide valuable threat information to enrich the analysis layer, while dedicated security experts analyse this information and provide context based on their knowledge of the customer’s business in order to help them make security risk decisions. WideAngle MSS provides unrivalled visibility and control to manage information security risk, by actively notifying clients about potential threats and proactively mitigating vulnerabilities.

WideAngle MSS provides a highly flexible 24/7 service allowing organisations to choose from five different service levels, that are tailored to their individual business needs.

Andrew Lev, Chief Product Officer, NTT Com Security, stated: “Companies are operating in a new, and disruptive, computing environment. At the same time the security threats they face are becoming ever more sophisticated. We have built on our expertise and heritage to create a portfolio of services that empower organisations to proactively manage risk in this new landscape. Embedding the knowledge that comes from our global data centre network gives organisations a unique and comprehensive view into the developing threat landscape as it happens. Our ability to proactively remediate those vulnerabilities in a customer as well as in cloud and hybrid environments is vital for delivering the next generation of information security risk management.”

Akira Arima, CEO, NTT Communications, added: “The ongoing expansion of NTT Com Security’s Managed Security Services offering demonstrates the power of leveraging group-wide global skills and capabilities. Most importantly it shows how by working together, companies within the group can develop and bring to market dynamic services that address customers’ security risks and challenges.

We are very positive about the capability of WideAngle MSS and are working to ensure that, as a group, it is part of everything we do.”

About NTT Com Security (formerly Integralis)

NTT Com Security (formerly Integralis) is a global information security and risk management organisation, which delivers a portfolio of managed security, business infrastructure, consulting and technology integration services through its WideAngle brand. NTT Com Security helps organizations lower their IT costs and increase the depth of IT security protection, risk management, compliance and service availability. NTT Com Security AG, is headquartered in Ismaning, Germany and part of the NTT Communications Group, owned by NTT (Nippon Telegraph and Telephone Corporation), one of the largest telecommunications companies in the world. For more information, visit http://www.nttcomsecurity.com

Article source: http://www.darkreading.com/management/ntt-com-security-releases-next-generatio/240164342

SecPod Debuts ANCOR And Saner, Its Security Platform And Vulnerability Mitigation Solution

BANGALORE, India, December 2, 2013 /PRNewswire/ —

ANCOR is a highly scalable, cloud based analytics and correlation engine that provides real time, practical, integrated security intelligence. Saner is the first of a suite of products to tap into ANCOR’s engine. With Saner, businesses and home users can now easily identify and mitigate potential security vulnerabilities in endpoint devices.

SecPod Technologies, a leading information security company, has announced the rollout of its security platform, SecPod Ancor – an analytics and correlation engine. Additionally, SecPod announced the availability of SecPod Saner – a vulnerability mitigation solution for businesses and home users.

SecPod’s ANCOR consists of an agent that resides on endpoint devices to collect and transmit requisite data to the highly scalable, cloud-based analytics and correlation engine. ANCOR collates information from the agents on endpoint devices, software reputation services, and vulnerability and malware data, with standards and best practices to provide real time, practical, integrated security intelligence.

“Strong defense is better than a weak cure and proactively assessing the vulnerabilities, fixing the loopholes, and strengthening the system along with providing real-time protection from attacks helps ensure a secure ecosystem,” says Chandrashekhar, CEO. “ANCOR promises to deliver on that with a line of products to cover key areas of system security.”

ANCOR is based on four binding principles – Visibility, Prevention, Learning, and Protection.

Using the services of ANCOR, SecPod Saner identifies potential security vulnerabilities, misconfigurations and missing patches and automatically remediates the system to keep it secure.

“With the availability of ANCOR and Saner,” says Greg Pottebaum, VP Business Development, “vulnerability management is now very affordable, practical, and effective, rather than being overly expensive and complicated.” Greg adds, “Businesses and home users can now get enterprise-class security assurance with SecPod Saner at a fraction of previous costs.”

About SecPod Technologies

SecPod Technologies is an information security products company. SecPod provides practical security solutions through its suite of products built on ANCOR, its highly scalable analytics and correlation engine. The company is headquartered in Bangalore, India. To learn more, visit http://www.secpod.com

Article source: http://www.darkreading.com/management/secpod-debuts-ancor-and-saner-its-securi/240164374

Experts Predict Mass Attacks On Online Banking Users

Kaspersky Lab has recorded several thousand attempts to infect computers used for online banking with a malicious program that its creators claim can attack “any bank in any country”. The Neverquest banking Trojan supports almost every trick used to bypass online banking security systems, including web injection, remote system access and social engineering. Because of the Trojan’s self-replication capabilities, Kaspersky Lab is warning that a sharp rise in the number of attacks involving Neverquest can be expected, resulting in financial losses for users all over the world.

The weeks before Christmas are traditionally a period of high cybercriminal activity. As early as November, posts appeared on hacker forums offering to buy and sell databases of bank account access details, along with the other documents used to open and manage the accounts to which stolen funds are sent. Neverquest appeared on the market even earlier: in July of this year an advert was posted looking for a partner to run the Trojan on a cybercriminal group’s servers, with the group’s support.

Sergey Golovanov, Principal Security Researcher, Kaspersky Lab, commented:

“After wrapping up several criminal cases associated with the creation and proliferation of malware used to steal bank website data, a few ‘holes’ appeared on the black market. New malicious users are trying to fill these with new technologies and ideas. Neverquest is just one of the threats aiming to take over the leading positions previously held by programs like ZeuS and Carberp.”

Neverquest steals usernames and passwords for bank accounts, as well as everything the user enters into the modified pages of a banking website. Special scripts for Internet Explorer and Firefox are used to carry out these thefts, giving the malware control over the browser’s connection to the cybercriminals’ command server whenever the user visits any of the 28 sites on its list, which includes large international banks, German, Italian, Turkish and Indian banks, and payment systems. Another Neverquest function helps the criminals extend that list: it gathers the addresses of further banking sites and the code to be seeded into their pages.

Of all of the sites targeted by this particular program, an investment fund appears to be the top target. Its website offers clients a long list of ways to manage their finances online. This gives malicious users the chance to not only transfer cash funds to their own accounts but also to play the stock market, using the accounts and the money of Neverquest victims.

After gaining access to a user’s account with an online banking system, cybercriminals conduct transactions and wire money from the user to their own accounts or – to keep the trail from leading directly to them – to the accounts of other victims.
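The “web injection” mentioned above is easiest to understand by watching it happen. The following is an added example written for this page, not code from Kaspersky Lab or from Neverquest itself; it applies one inject rule, written in a simplified form of the text format the ZeuS family has used for years (set_url / data_before / data_inject / data_after, an assumption about the shape, not a claim about Neverquest’s own config), to a constructed bank login page. The bank never sends a PIN field; the victim’s browser renders one anyway. The last function shows the only thing the bank can see from its side, an unexpected field in the POST, and why that is not enough on its own.

```python
"""Web-inject mechanics, simplified. Added example; not the original article's code.

SERVED_HTML and INJECT_RULE are constructed for the demo.
"""
import re

# What the bank's server really sends for its login page (constructed).
SERVED_HTML = """<form id="login" action="/auth" method="post">
<input name="user"><input name="password" type="password">
<input type="submit" value="Log in"></form>"""

# One rule in a simplified ZeuS-style webinject layout (constructed, assumed shape):
# on a matching URL, replace everything between data_before and data_after
# with data_inject.
INJECT_RULE = {
    "set_url": "https://bank.example/login*",
    "data_before": 'type="password">',
    "data_inject": '<input name="pin" placeholder="Enter your 4-digit PIN">',
    "data_after": '<input type="submit"',
}


def url_matches(pattern, url):
    """Glob match where '*' is the only wildcard, as in webinject set_url lines."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, url) is not None


def apply_inject(html, url, rule):
    """Rewrite the page between the network and the renderer, as a banking Trojan
    hooked into the browser would. Returns the page untouched if the rule
    does not apply or its anchors are not found."""
    if not url_matches(rule["set_url"], url):
        return html
    start = html.find(rule["data_before"])
    if start == -1:
        return html
    start += len(rule["data_before"])
    end = html.find(rule["data_after"], start)
    if end == -1:
        return html
    return html[:start] + rule["data_inject"] + html[end:]


def form_fields(html):
    """Names of the input fields a page declares, in document order."""
    return re.findall(r'<input[^>]*\bname="([^"]+)"', html)


def unexpected_fields(submitted, served_html):
    """Server-side check: which submitted field names did the real page never ask for?
    A Trojan that also hooks the outgoing request can strip the injected field
    before the bank sees it, so this catches only the careless ones; that is
    why the article insists the defence has to control the browser process."""
    return set(submitted) - set(form_fields(served_html))


if __name__ == "__main__":
    victim_view = apply_inject(SERVED_HTML, "https://bank.example/login?lang=en", INJECT_RULE)
    print("bank sends   :", form_fields(SERVED_HTML))
    print("victim sees  :", form_fields(victim_view))
    print("odd in POST  :", unexpected_fields({"user": "a", "password": "b", "pin": "1234"}, SERVED_HTML))
```

Everything the victim types into the phantom field goes to the criminals, not the bank, and because the rest of the page is genuine there is no certificate warning and the address bar is correct. Tip 7 in the first article (watch for unexpected requests for card details or a PIN) is the human-side version of the `unexpected_fields` check.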

Protection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated solution that secures transactions [http://www.securelist.com/en/analysis/204792304/Staying_safe_from_virtual_robbers#12]. In particular, the solution must be able to control a running browser process and prevent any manipulation by other applications.

The full version of the expert article dedicated to Neverquest is available at securelist.com [http://www.securelist.com/en/analysis/204792315/Online_banking_faces_a_new_threat].

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers.

Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at http://www.kaspersky.co.uk. [http://www.kaspersky.co.uk ]

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report “Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.

Article source: http://www.darkreading.com/attacks-breaches/experts-predict-mass-attacks-on-online-b/240164375

Dutch banks set common rules for online banking. But have they gone far enough?

Dutch banks have agreed on a common framework of rules for their online banking customers, which they will require people to follow if they are to qualify for refunds of money stolen through phishing, carding or other forms of online fraud.

The Dutch Banking Association (Nederlandse Vereniging van Banken, NVB), representing most banks operating in the Netherlands and working together with consumer representatives, has come up with a list of five key areas (Dutch language – Google translation) in which people must exercise the appropriate caution if they are to qualify for refunds.

For the most part, how banks respond to claims of online or card fraud is covered by government-imposed banking regulations, with banks given more or less flexibility to demand evidence of fraud, depending on the region.

In many areas the customer is assumed to be innocent and funds returned without much proof required.

In the UK, for example, the FCA rules state that banks must refund any unauthorised transaction, with the burden of proof on the bank to show that the customer either gave their explicit authorisation or that there was “gross negligence” in how they protected their card or login details. A 13-month time limit applies for reporting theft.

US banks are covered by the 1978 Electronic Fund Transfer Act, which sets out how much liability consumers must absorb depending on how quickly they report an unauthorised transaction: generally a $50 limit applies if the loss is reported within two business days of discovering it, rising to $500 if it is reported later but within 60 days of the statement, and losses occurring more than 60 days after a statement showing an unreported unauthorised transfer may not be protected at all.

Just how understanding banks may be about phished or guessed login details may well vary from state to state and bank to bank. Regulations in some other countries are less consumer-friendly, while others leave the decision entirely up to the individual banks, as was the case in the Netherlands until the recent agreement.

The new Dutch policy will come into force in January 2014, and sets out five rules for people to keep to.

Paraphrasing fairly loosely from the scheme’s main summary (Dutch language – Google translation) and local Dutch coverage of the scheme:

  1. Passwords and codes should be kept secret – they shouldn’t be written down or given to other people to use, nor should they be given out over the phone or in email. Make sure no-one can see you when you enter passwords or PINs. Passwords should be well-chosen so as not to be easily guessable, avoiding standard personal info like birthdays.
  2. Don’t let other people use your cards – keep them in a safe place and regularly check that your cards are where they should be.
  3. Keep the devices you use to access online banking well secured – ensure that any devices used to access online banks are kept updated with the latest security patches. This includes security software such as anti-malware and firewalls. Don’t run any pirated software. Lock your devices with a passcode, and make sure you log off when you’re done with an online banking session.
  4. Keep an eye on your account – check your account at least every two weeks. If you’re on old-fashioned paper statements, you need to read them within two weeks of their arrival. If you can’t check on your account for some time, you’ll need to be able to give a good reason.
  5. Report any incidents or anything suspect to the bank – tell your bank promptly if you think anything is amiss, and then follow their instructions.

Mostly fairly unexceptionable stuff – numbers 2, 4 and 5 at least are all fairly obvious and should perhaps be classed as “general common sense” for any bank user.

The parts that specifically relate to digital security feel a little sparse though. When I first heard of this agreement, I imagined something rather more detailed, and pictured it being the foundation of a serious consensus on how people are expected to behave online – how they treat their own digital identity.

It called to mind the “Internet Driver’s License” debate which has rumbled on for years, and offered the promise of some firm ground on which to base such a qualification.

Banks these days seem to be merging into ever-larger global juggernauts, so if they can agree on the level of caution they expect from their customers around the world, it could set out a good standard for people to apply in all areas where their identity must be proven online.

But so far at least there’s not much to see – just some vague platitudes about choosing good passwords, with no real specific recommendations, beefed up a little by some sensible ideas on keeping them secure once they’ve been picked. Then some similarly generic comments on keeping your devices reasonably safe, but again no specific advice.

I’d like to see this taken much further, adding a detailed breakdown of the main things to avoid when choosing passwords, as well as some handy tips on choosing strong ones, perhaps even a general agreement on the minimum length and complexity.
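To make that wish concrete, here is an added example, written for this page and not part of the Dutch scheme or of any bank’s code, of what rule 1 would look like once it had the detail the author is asking for: a minimum length, a requirement for mixed character classes, a small blocklist of common passwords, and, the part that is rarely spelled out, a check that the password does not contain the customer’s name or date of birth in any of the usual ways people write them. The name, birthdate, blocklist and thresholds are all assumptions for the demo.

```python
"""Password rule check in the spirit of the Dutch rule 1, with the specifics filled in.

Added example; not the banks' or the NVB's own rule. The blocklist, the minimum
length of 12 and the sample customer are constructed assumptions.
"""
from datetime import date

COMMON_PASSWORDS = {"password", "welkom01", "123456", "qwerty", "letmein"}  # constructed


def personal_tokens(name, birthdate):
    """Every form a birthday or a name commonly takes inside a password:
    12031985, 120385, 19850312, 1203, 0312, 1985 and each name part of 3+ letters."""
    d = birthdate
    tokens = {
        f"{d.day:02d}{d.month:02d}{d.year}",
        f"{d.day:02d}{d.month:02d}{d.year % 100:02d}",
        f"{d.year}{d.month:02d}{d.day:02d}",
        f"{d.day:02d}{d.month:02d}",
        f"{d.month:02d}{d.day:02d}",
        str(d.year),
    }
    tokens |= {part.lower() for part in name.split() if len(part) >= 3}
    return tokens


def check_password(pw, name, birthdate, min_length=12):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    for token in sorted(personal_tokens(name, birthdate)):
        if token in low:
            problems.append(f"contains personal data '{token}'")
    return problems


if __name__ == "__main__":
    customer, dob = "Jan de Vries", date(1985, 3, 12)   # constructed sample customer
    for candidate in ["Jan12031985!!", "welkom01", "correct-horse-Battery9"]:
        print(candidate, "->", check_password(candidate, customer, dob) or "ok")
```

The point of `personal_tokens` is that “avoid your birthday” is only checkable if the bank enumerates the formats, and a rule customers can be held to at refund time has to be that precise.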

There could also be more detail in the section on securing your devices. Banks and regulators seem happy setting fairly arbitrary deadlines for things, such as the cut-off dates for reporting, so why not insist that patch levels on operating systems and key software, and updates for security tools, be no more than n hours/days/weeks behind current at the time of infiltration, with good reasons needed for skipping patches.

There could be more explicit requirements regarding screen locking and unlocking, and there are many other topics the Dutch rules don’t seem to cover at all, although something could have been lost in translation.

Examples of areas which could be added include using only wireless access points you know to be reasonably secure, and keeping your systems and data properly encrypted to foil hands-on hackers.

In short, this feels like a reasonable start, but if this sort of thing is going to become a proper and verifiable basis for how people should protect themselves, I’d expect to see future revisions being a lot more explicit and detailed.

For now, Dutch consumers have been presented with a fairly vague set of rules, making it hard to be sure if one is fully following them. Those vague rules are also likely to give banks quite some flexibility to assert that their defrauded customers weren’t fully cautious and compliant, should they want to.

Dutch banks will, we would hope, be fairly understanding and lenient with their customers, but in some areas this sort of looseness could easily be exploited by more aggressive banking regimes.

Thanks to Martijn Grooten of Virus Bulletin for help with Dutch sources.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xzlDNvHtrMU/


Your browser may be up to date: But what about the PLUGINS?


Two in five (39 per cent) of computers submitted for testing to a free browser security test from Qualys were affected by critical vulnerabilities, mostly related to browser plug-ins.

The findings, based on 1.4 million BrowserCheck computer scans, paint a picture of e-commerce buyers left wide open to attacks by cybercriminals just before the busiest online shopping period of the year. Browser vulnerabilities are routinely used to push malware at victims from compromised (often otherwise legitimate) websites through drive-by download attacks.


Chrome has close to 40 per cent of its instances afflicted with a critical vulnerability. Similar numbers apply to Firefox and Internet Explorer, which have 35 per cent and 41 per cent of their instances vulnerable to attacks. Safari (29 per cent) and Opera (34 per cent) came in as the best of a bad bunch, according to the figures from Qualys. The overall net population might be somewhat more secure because Qualys is looking at a sample of people who have taken the trouble to check their browser security.

Qualys CTO Wolfgang Kandek says that browser plug-ins were a bigger part of the problem than the browsers themselves.

“Browsers themselves are only partly to blame though; we see most of them quite up-to-date, with Chrome leading the pack with 90 per cent, Firefox at 85 per cent and Internet Explorer trailing with 75 per cent,” Kandek explained. “The larger part of the problems are contributed by the plug-ins that we use to extend the capabilities of our browsers, led by Adobe Shockwave and followed by Oracle Java and Apple Quicktime.”

The overall message is simple: consumers should patch their computers (and particularly their browser plug-ins) if they don’t want to run a higher risk of getting pwned by banking trojans or spyware. There are various tools available.
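A check of this kind is mostly a version comparison, and version comparison is where home-grown tools go wrong. The following is an added example for this page (not Qualys BrowserCheck code) that takes a constructed plug-in inventory of the sort such a scan reports and compares it against assumed minimum versions; the version strings are sample data, not vendor advisories, so look up the real current releases before using the idea. The example also shows the classic bug it avoids: as strings, "7.10" sorts before "7.9".

```python
"""Plug-in version comparison done properly. Added example; inventory and
minimum versions are constructed assumptions, not vendor advisories."""
import re

# Constructed inventory in the spirit of what a browser check reports.
INVENTORY = [
    {"name": "Java", "version": "1.7.0_25"},
    {"name": "Shockwave", "version": "12.0.3.133"},
    {"name": "QuickTime", "version": "7.7.4"},
    {"name": "Flash", "version": "11.9.900.152"},
]

# Assumed "at least this" versions for the demo only.
MINIMUM = {
    "Java": "1.7.0_45",
    "Shockwave": "12.0.6.147",
    "QuickTime": "7.7.4",
    "Flash": "11.9.900.117",
}


def version_key(version):
    """Turn '1.7.0_45' or '12.0.6.147' into a tuple of ints so that
    comparison is numeric per component, not lexical on the whole string."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_older(installed, minimum):
    """True if installed < minimum. Shorter tuples are padded with zeros so
    '7.7' and '7.7.0' compare equal rather than '7.7' looking older."""
    a, b = version_key(installed), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def outdated(inventory, minimum):
    """Names of installed plug-ins below their minimum version; plug-ins with no
    minimum on file are reported as unknown rather than silently passed."""
    stale, unknown = [], []
    for item in inventory:
        floor = minimum.get(item["name"])
        if floor is None:
            unknown.append(item["name"])
        elif is_older(item["version"], floor):
            stale.append(item["name"])
    return stale, unknown


if __name__ == "__main__":
    stale, unknown = outdated(INVENTORY, MINIMUM)
    print("needs updating:", stale)
    print("no baseline   :", unknown)
    print("string compare says 7.10 < 7.9:", "7.10" < "7.9", "| numeric:", is_older("7.10", "7.9"))
```

Treating an unlisted plug-in as “unknown” rather than “fine” is the small design decision that matters: a scanner that only flags what it has a baseline for will report a clean bill of health for the very plug-in nobody remembered to track.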

Kandek has published further commentary on his findings – alongside a chart depicting the distribution of vulnerabilities between browsers – in a blog post here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/02/browser_insecurity/

A Mercenary Approach To Botnets

For a period of two years, it often felt that not a week went by without some security company or product vendor announcing the takedown of a multi-million node botnet. I don’t know if it was the waning enthusiasm of the media to cover “yet another botnet takedown”, the public’s exhaustion over a threat they could do little to prevent, or the fact that the majority of botnet “takedowns” were merely temporary setbacks for their criminal overlords, but as we reach the end of 2013 the frequency of such boasts has declined noticeably.

While the public broadcasts of botnet takedowns now look like the relic of a golden age in the battle against the bots, the war continues on a less visible plane. Irrespective of whether this war can in fact be won, a question I’m increasingly being asked is whether certain organizations and government entities in fact want to win it.

Why wouldn’t the good guys want to win the botnet battle? Many salty dogs of the security industry have experienced how shutting down one attack vector forces the threat to evolve in another direction; a direction that will likely be even more difficult to combat or, at a minimum, require substantial research effort to investigate. Eighty-percent efficacy against a threat you understand is considerably better than zero-percent efficacy against a threat you have no technology in your back pocket for.

But that’s not the only reason why a growing pool of security professionals would sooner hold-back from shutting down the botnets that plague the Internet. Botnets harvest a lot of data from their victims. Access to that data is increasingly lucrative and, if you package the data just right, can be sold on as a subscription feed to a growing pool of organizations.

The security analyst community used to be quite open in the way they shared information about botnets – in particular, information about the command and control (C&C) servers, the domain names and IP addresses being used, samples of the bot malware, and copies of the C&C software. Now, because this information has a demonstrable value, those that have it are much less likely to “give back to the community”. If anything, they’re more likely to create new subscription services and provide it as a paid-for stream of data.

But what is this data, and who is it useful to?

When people first hear that botnet data is up for sale, I think most jump to the conclusion that the data is a stream of all the personal and confidential information being stolen from the botnet victims. In some cases it may be, but most often it’s not. More often than not, it may simply be a list of IP addresses of the victims under the control of a single piece of malware.

Depending on who you’re selling to and what their missions are, even data as “uninteresting” as the IP addresses of the victims holds a unique and complementary value for some folks. For example, government agencies like the CIA or NSA can use it to map which botnets are successfully penetrating computers within countries or institutions they’re tracking. By knowing what the original malware was, the agency will also know the operating system and major application version numbers of the infected devices, because each malware family only runs on the platforms it was built for. This adds to the pool of knowledge about an adversary which could be leveraged in a time of need.

If an organization is smart, it will also be sinkholing the C&C domains: probably not all of them, just enough to provide visibility of the victims, but not crossing the threshold that forces the criminal who built the botnet to change tactics and stop growing it.
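As an added illustration of what the “uninteresting” victim-IP product looks like in practice (this is example code written for this page, not Ollmann’s or any vendor’s tooling), the Python below turns raw sinkhole hits into a per-family victim list. The log format, the domain-to-family mapping and every address and domain in it are constructed for the example; the family names are hypothetical and do not refer to real botnet infrastructure.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed mapping of sinkholed C&C domains to the malware family that used them.
# Hypothetical names: not real botnet infrastructure.
SINKHOLED_DOMAINS = {
    "cc1.example.net": "familyA",
    "cc2.example.net": "familyA",
    "panel.example.org": "familyB",
}

# Constructed sinkhole log: "<ISO timestamp> <client ip> <queried domain>" per line.
SAMPLE_LOG = """\
2013-11-25T10:00:01 203.0.113.10 cc1.example.net
2013-11-25T10:00:05 203.0.113.10 cc1.example.net
2013-11-25T10:01:12 198.51.100.7 cc2.example.net
2013-11-25T10:02:40 203.0.113.10 panel.example.org
2013-11-25T10:03:03 192.0.2.44 unrelated.example.com
2013-11-25T10:03:09 not-an-ip cc1.example.net
"""


def parse_line(line):
    """Return (timestamp, ip, domain) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return ts, str(ip), parts[2].lower().rstrip(".")


def build_victim_feed(log_text, domain_map=SINKHOLED_DOMAINS):
    """Aggregate sinkhole hits into per-family victim records.

    Returns {family: {ip: {"first_seen", "last_seen", "hits"}}}. Hits to domains
    that are not sinkholed for a known family are ignored, as are malformed lines.
    A host that talks to two families appears under both, which is itself a signal.
    """
    feed = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, domain = rec
        family = domain_map.get(domain)
        if family is None:
            continue
        entry = feed[family].setdefault(ip, {"first_seen": ts, "last_seen": ts, "hits": 0})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["hits"] += 1
    return dict(feed)


def victims_of(feed, family):
    """Sorted victim IPs for one family: the bare list the column describes being sold."""
    return sorted(feed.get(family, {}), key=ipaddress.ip_address)


if __name__ == "__main__":
    feed = build_victim_feed(SAMPLE_LOG)
    for family in sorted(feed):
        print(family, victims_of(feed, family))
```

The deduplication and first-seen/last-seen bookkeeping are what give the feed its value to a buyer: a raw hit log says a host resolved a domain once, whereas the aggregated record says how long a given machine has been under a given family’s control.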

If the botnet C&C software isn’t particularly well written (which is often the case), or if someone has reverse engineered the C&C portal software and found interesting vulnerabilities, then simply knowing the domain names used by the botnet malware may allow an agency to access all the information being harvested by the bot from the victim’s computer (e.g., user IDs, passwords, installed applications, browser history, banking credentials) or even to issue new commands.

It used to be that the worlds of bug hunters and malware analysts were separate and rarely overlapped. In the last couple of years the ability to analyze malware samples and identify exploitable vulnerabilities in them has become very important. Given that some botnets have a bigger pool of victims than many commercial software vendors have licensed customers, the value of an exploit that grants reliable remote control of a popular malware agent is rising. I’d hazard a guess that a remotely exploitable vulnerability in Zeus, SpyEye, or any of the other top-10 botnet malware families is likely worth tens of thousands of dollars to most government agencies around the world.

In many ways, botnets have become a golden goose to those charged with gathering intelligence on foreign populations. The bulk of the victim data is useful for mapping populations and communication profiles, and the victims themselves serve as egress points for counter-intelligence exercises. Then, given how many botnet victims there are, the probability that a few “interesting” computers have succumbed along the way is similarly high, providing direct insight into a pool of high-value targets.

The incentives are high for many businesses and government agencies not to be too heavy-handed in combating the global botnet pandemic. There’s money to be had and, with each passing day, more interesting ways are being uncovered to package the data and to employ it.

— Gunter Ollmann, CTO, IOActive Inc.

Article source: http://www.darkreading.com/attacks-breaches/a-mercenary-approach-to-botnets/240164329

5 Protocols That Should Be Closely Watched

For decades, opportunistic attackers have scanned the Internet for open ports through which they can compromise vulnerable applications.

Such scanning has only gotten easier: the Shodan search engine regularly scans the Internet and stores the results for anyone to search; researchers from the University of Michigan have refined techniques that allow fast, comprehensive scans of a single port across the entire Internet; and programs such as Nmap allow anyone to scan for open, and potentially vulnerable, ports.

While the most commonly attacked ports are those used by Secure Shell (SSH), the File Transfer Protocol (FTP), the Remote Desktop Protocol (RDP), and Web servers (HTTP), companies also need to monitor network activity aimed at less common protocols and ports, say security experts. Attackers will likely increasingly look for vulnerabilities on less common ports, says HD Moore, chief research officer for vulnerability-management firm Rapid7, which has made a name for itself scanning the Internet for just those ports.

“This stuff is not in the top bucket, in terms of priority, but it tends to bite people because they are not keeping an eye on it,” he says.

Companies should not just monitor for malicious activity using these protocols, but proactively take an inventory of the applications inside their own networks and connected to the Internet that expose them to opportunistic attacks, says Johannes Ullrich, dean of research for the SANS Technology Institute. The SANS Institute’s DShield project collects data from contributors to analyze which ports attackers are most interested in.

“Companies need not just to detect the attacks coming in, but to inventory all the devices that they have in their network looking at traffic on these ports,” he says. “It sort of comes down to inventory control on the network.”

For companies looking for a place to start, Ullrich and Moore suggest five protocols to check for weaknesses.

Intelligent Platform Management Interface (IPMI)
Over the past year, security researcher Dan Farmer has investigated weaknesses in the Intelligent Platform Management Interface (IPMI) protocol. Many companies use servers that can be monitored and managed through a baseboard management controller (BMC), an embedded device that communicates using IPMI. Farmer found that the IPMI standard itself and various vendor implementations have a number of security flaws.


Rapid7 investigated SuperMicro’s specific implementation, finding that the company’s baseboard management controller shipped with default passwords and was vulnerable to a number of Universal Plug and Play (UPnP) issues.

“IPMI is used a lot by businesses and they don’t really understand what all the risks are,” Moore says. “It is really difficult to have an IPMI installation that is not vulnerable.”

Moore and other security experts recommend managing devices that use IPMI only over virtual private networks, behind firewalls and other security controls, and always assuming the devices sit on a hostile network.
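The inventory step Ullrich describes applies to BMCs as much as to anything else: a BMC answers an RMCP/ASF Presence Ping on UDP port 623 whether or not anyone has logged into it. The Python below, written for this page as an added example (it is not Rapid7’s or Farmer’s code), builds that ping, parses the Presence Pong and reports whether the responder advertises IPMI. The sample pong is constructed, not captured from a real BMC; run `probe_bmc()` only against address ranges you own.

```python
import socket
import struct

RMCP_PORT = 623
ASF_IANA = 0x000011BE          # IANA enterprise number used by ASF/RMCP messages
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40


def build_presence_ping(tag=0x00):
    """RMCP header (version 6, seq 0xFF = no ack wanted, class 6 = ASF) + ASF Presence Ping."""
    rmcp = struct.pack("!BBBB", 0x06, 0x00, 0xFF, 0x06)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(data):
    """Decode an ASF Presence Pong; returns a dict, or None if the datagram is not one."""
    if len(data) < 28:
        return None
    ver, _res, _seq, cls = struct.unpack("!BBBB", data[:4])
    if ver != 0x06 or (cls & 0x0F) != 0x06:       # low nibble is the message class
        return None
    iana, mtype, tag, _res, dlen = struct.unpack("!IBBBB", data[4:12])
    if iana != ASF_IANA or mtype != ASF_PRESENCE_PONG or dlen < 16:
        return None
    oem_iana, oem_def, entities, interactions = struct.unpack("!IIBB", data[12:22])
    return {
        "tag": tag,
        "ipmi_supported": bool(entities & 0x80),   # bit 7 of 'supported entities'
        "asf_version": entities & 0x0F,
        "rmcp_security_ext": bool(interactions & 0x80),
        "dmtf_dash": bool(interactions & 0x40),
        "oem_iana": oem_iana,
        "oem_defined": oem_def,
    }


def probe_bmc(host, timeout=2.0):
    """Send one Presence Ping to host:623/udp; return the parsed pong, or None on no answer."""
    ping = build_presence_ping(tag=0x2A)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(ping, (host, RMCP_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    pong = parse_presence_pong(data)
    if pong is None or pong["tag"] != 0x2A:       # tag ties the answer to our request
        return None
    return pong


def constructed_pong(tag=0x2A):
    """Constructed sample Presence Pong (not a capture) for offline testing."""
    rmcp = struct.pack("!BBBB", 0x06, 0x00, 0xFF, 0x06)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PONG, tag, 0x00, 0x10)
    # entities 0x81: IPMI supported + ASF version 1; interactions 0x00; 6 reserved bytes
    body = struct.pack("!IIBB", 0, 0, 0x81, 0x00) + b"\x00" * 6
    return rmcp + asf + body


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe_bmc(host))
```

Anything that answers with `ipmi_supported` set and is reachable from outside the management VLAN is exactly the kind of device Moore is warning about; the result should be an empty list once the VPN and firewall advice above has been applied.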

Embedded Web Servers
A variety of devices are vulnerable not because of the native protocols they use, but because of the lightweight Web servers embedded in them to provide a management interface. From printers and baseboard management controllers to routers and PBXes, companies host a wide array of devices that likely have vulnerable Web interfaces for managing the technology.

“These undocumented, undisclosed and unmonitored Web interfaces are a bigger deal than most people realize,” Moore says. “They are really common, but they are not something that people normally keep track of.”

Ullrich agrees, saying that DShield data shows that companies are seeing opportunistic scans for the devices.

“All the miscellaneous devices–routers, switches–sometimes have a management interface on an uncommon port, but you see a decent amount of scanning activity for these,” he says.

Videoconferencing
Last year, Moore scanned the Internet for video conferencing systems connected directly to the Internet and set to auto-answer, estimating that some 150,000 devices were vulnerable to an attacker simply calling into the conferencing system.

“Most folks did not do any sort of security on the video conferencing side, and many of them had really horrible security on the Web management interface,” Moore says.

Companies should scan their public Internet address space on port 1720, the port used for H.323 call signaling, using a Q.931 “status enquiry” message to non-intrusively check for potentially vulnerable systems, according to Rapid7.
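The check Rapid7 recommends, written out as an added example for this page (it is not Rapid7’s scanner): open TCP 1720, send a TPKT-framed Q.931 STATUS ENQUIRY, and decode whatever comes back. A STATUS ENQUIRY asks the endpoint to report its call state without setting up a call, which is what makes the probe non-intrusive. The sample reply and the “TestVC-1” display string are constructed, not captured from any product, and the `status_enquiry()` function should only be pointed at address space you are responsible for.

```python
import socket
import struct

H323_PORT = 1720
Q931_PROTOCOL_DISCRIMINATOR = 0x08
Q931_STATUS_ENQUIRY = 0x75
Q931_STATUS = 0x7D
Q931_MESSAGE_NAMES = {0x05: "SETUP", 0x07: "CONNECT", 0x5A: "RELEASE COMPLETE",
                      0x75: "STATUS ENQUIRY", 0x7D: "STATUS"}


def tpkt(payload):
    """Wrap a Q.931 message in the 4-byte TPKT header that H.225.0 uses over TCP."""
    return struct.pack("!BBH", 0x03, 0x00, len(payload) + 4) + payload


def build_status_enquiry(call_ref=0x0001):
    """Q.931 STATUS ENQUIRY: discriminator, 2-byte call reference, message type, no IEs."""
    return tpkt(struct.pack("!BBHB", Q931_PROTOCOL_DISCRIMINATOR, 0x02, call_ref,
                            Q931_STATUS_ENQUIRY))


def parse_q931(data):
    """Decode a TPKT-framed Q.931 message into its type and information elements (IEs).

    Returns None on bad framing. Single-octet IEs (high bit set) have no length byte;
    all others are identifier, length, content. A truncated IE ends the walk.
    """
    if len(data) < 4 or data[0] != 0x03:
        return None
    length = struct.unpack("!H", data[2:4])[0]
    if length != len(data) or length < 9:
        return None
    body = data[4:]
    if body[0] != Q931_PROTOCOL_DISCRIMINATOR:
        return None
    crl = body[1] & 0x0F                       # call reference length
    if len(body) < 3 + crl:
        return None
    call_ref = body[2:2 + crl]
    mtype = body[2 + crl] & 0x7F
    ies = {}
    pos = 3 + crl
    while pos < len(body):
        ie_id = body[pos]
        if ie_id & 0x80:                       # single-octet IE, value lives in the id byte
            ies[ie_id] = b""
            pos += 1
            continue
        if pos + 1 >= len(body):
            break                              # no length byte: truncated
        ln = body[pos + 1]
        content = body[pos + 2:pos + 2 + ln]
        if len(content) != ln:
            break                              # content cut short: truncated
        ies[ie_id] = content
        pos += 2 + ln
    return {"type": mtype, "name": Q931_MESSAGE_NAMES.get(mtype, hex(mtype)),
            "call_ref": call_ref, "ies": ies}


def summarize(msg):
    """Pull the fields a screening scan cares about out of a parsed reply."""
    out = {"message": msg["name"]}
    ies = msg["ies"]
    if 0x08 in ies and len(ies[0x08]) >= 2:    # Cause IE: value is the last octet, bit 8 set
        out["cause"] = ies[0x08][-1] & 0x7F
    if 0x14 in ies and ies[0x14]:              # Call State IE: low 6 bits are the state
        out["call_state"] = ies[0x14][0] & 0x3F
    if 0x28 in ies:                            # Display IE: often names the endpoint
        out["display"] = ies[0x28].decode("ascii", "replace").rstrip("\x00")
    return out


def status_enquiry(host, timeout=3.0):
    """Connect to host:1720, send STATUS ENQUIRY, return the summarized reply or None."""
    with socket.create_connection((host, H323_PORT), timeout=timeout) as s:
        s.sendall(build_status_enquiry())
        data = s.recv(1024)
    msg = parse_q931(data)
    return summarize(msg) if msg else None


def constructed_status_reply():
    """Constructed STATUS reply (not a capture): cause 30 'response to STATUS ENQUIRY',
    call state Null, and a Display IE, as a listening endpoint might answer."""
    body = struct.pack("!BBHB", Q931_PROTOCOL_DISCRIMINATOR, 0x02, 0x8001, Q931_STATUS)
    body += bytes([0x08, 0x02, 0x80, 0x80 | 30])   # Cause IE
    body += bytes([0x14, 0x01, 0x00])              # Call State IE: Null (0)
    body += bytes([0x28, 0x08]) + b"TestVC-1"      # Display IE
    return tpkt(body)
```

Any host that returns a well-formed STATUS is an H.323 endpoint listening on the public Internet, and belongs on the list of systems whose auto-answer setting and Web management interface need reviewing.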

SQL Servers
Databases are frequent targets of attacks. Many attackers scan for open Microsoft SQL Server and MySQL ports but, rather than attempting to compromise such systems with exploits, they instead try to brute-force the passwords protecting the databases, says the SANS Institute’s Ullrich.

“They typically don’t search for a vulnerability there, but for a weak password,” he says. “They scan for the databases and then try to connect by guessing passwords.”

Companies should track down any database server reachable from the Internet and make sure access to it is properly restricted: take it off the public network where possible, and otherwise enforce strong credentials and limit which addresses may connect.
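Because the attack Ullrich describes is password guessing rather than an exploit, it leaves an obvious trail in the database server’s own log. The Python below is an added example for this page (not SANS or DShield code) that runs simple sliding-window detection over failed-login lines from both engines named above. The log lines are constructed to approximate MySQL’s error log and SQL Server’s ERRORLOG; the regular expressions are assumptions about those formats and should be adjusted to the exact layout your version writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Approximations of the two engines' failed-login lines (adjust to your version's format).
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}).*Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<src>[^']+)'")
MSSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<src>[\d.:a-fA-F]+)\]")

# Constructed sample log: one guessing source per engine, one legitimate user, one noise line.
SAMPLE_LOG = [
    "2013-11-25 09:00:00 4321 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2013-11-25 09:00:02 4322 [Warning] Access denied for user 'admin'@'203.0.113.5' (using password: YES)",
    "2013-11-25 09:00:04 4323 [Warning] Access denied for user 'sa'@'203.0.113.5' (using password: YES)",
    "2013-11-25 09:00:05 4324 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: NO)",
    "2013-11-25 09:00:07 4325 [Warning] Access denied for user 'test'@'203.0.113.5' (using password: YES)",
    "2013-11-25 09:00:30 4326 [Note] Plugin 'FEDERATED' is disabled.",
    "2013-11-25 09:05:00 4400 [Warning] Access denied for user 'alice'@'10.0.0.8' (using password: YES)",
    "2013-11-25 09:20:00 4500 [Warning] Access denied for user 'alice'@'10.0.0.8' (using password: YES)",
    "2013-11-25 09:30:00.12 spid52 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
    "2013-11-25 09:30:10.40 spid52 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
    "2013-11-25 09:30:20.11 spid53 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
    "2013-11-25 09:30:30.97 spid53 Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.9]",
    "2013-11-25 09:30:40.03 spid54 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
]


def parse_failed_login(line):
    """Return (timestamp, source, user, engine) for a failed-login line, else None."""
    for engine, rx in (("mysql", MYSQL_RE), ("mssql", MSSQL_RE)):
        m = rx.search(line)
        if m:
            ts = datetime.strptime(m.group("ts").replace("T", " "), "%Y-%m-%d %H:%M:%S")
            return ts, m.group("src"), m.group("user"), engine
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with at least `threshold` failed logins inside any sliding `window`.

    Returns {source: {"failures", "first", "last", "users"}} for flagged sources only.
    "failures" is the peak count seen inside one window. Non-matching lines are ignored
    and events are sorted first, so out-of-order log lines are tolerated.
    """
    events = sorted(e for e in (parse_failed_login(l) for l in lines) if e)
    recent = defaultdict(deque)                # source -> timestamps inside the window
    seen_users = defaultdict(set)
    flagged = {}
    for ts, src, user, _engine in events:
        seen_users[src].add(user)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            rec = flagged.setdefault(src, {"failures": 0, "first": q[0], "last": ts})
            rec["failures"] = max(rec["failures"], len(q))
            rec["last"] = ts
    for src, rec in flagged.items():
        rec["users"] = sorted(seen_users[src])  # many distinct users = dictionary attack
    return flagged


if __name__ == "__main__":
    for src, rec in detect_bruteforce(SAMPLE_LOG).items():
        print(src, rec)
```

Tune `threshold` and `window` to the server’s normal failure rate; a source that cycles through several account names, as both flagged sources do here, is a stronger signal than repeated failures against one account, and the sorted user list is there to make that distinction visible.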

Simple Network Management Protocol (SNMP)
The DShield project sees some scanning for the Simple Network Management Protocol (SNMP), but Ullrich sees the protocol mainly as an overlooked risk.

Moore, however, sees SNMP as an engine for future attacks. Because many companies do not pay attention to SNMP, the protocol could be used both as a vector for compromise and as a method of amplification for distributed denial-of-service attacks, Moore says.

“SNMP tends to get short shrift in terms of security exposure, not to mention it can be used for amplification attacks,” Moore says. Amplification attacks typically use DNS, where a server can be made to answer a single small request, sent with the victim’s spoofed source address, with a far larger response or a multitude of packets. SNMP has similar characteristics, he says.

Companies should filter malformed inbound packets to prevent their systems from being used in a distributed denial-of-service attack, and block all outbound SNMP packets at the network perimeter so that internal agents cannot answer spoofed requests arriving from the Internet.
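The amplification Moore refers to comes from SNMPv2c’s GetBulkRequest: a request of a few dozen bytes can ask an agent for thousands of variables, and the agent sends the answer to whatever source address the request carried. The Python below, an added example for this page and not Rapid7’s or SANS’s code, builds such a request with a minimal BER encoder, decodes the reply far enough to count the returned varbinds, and reports the bytes-out to bytes-in ratio. The `probe()` function is for measuring your own agents’ exposure before and after the filtering described above; the response used for testing is constructed with the same encoder, not captured from a real agent.

```python
import socket

SNMP_PORT = 161


def ber_length(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(v):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear when the top bit is set."""
    if v < 0:
        raise ValueError("non-negative only")
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        body += chunk
    return tlv(0x06, body)


def build_getbulk(community="public", oid="1.3.6.1.2.1", max_repetitions=2250, request_id=0x1234):
    """SNMPv2c GetBulkRequest (PDU tag 0xA5) asking for up to max_repetitions varbinds."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")            # OID + NULL value
    pdu = tlv(0xA5, ber_int(request_id) + ber_int(0) + ber_int(max_repetitions) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)   # version 1 = v2c


def ber_decode(data, pos=0):
    """Decode one TLV at pos; returns (tag, value_bytes, next_pos). ValueError if truncated."""
    if pos + 2 > len(data):
        raise ValueError("truncated")
    tag, ln = data[pos], data[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad length")
        ln = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + ln > len(data):
        raise ValueError("truncated")
    return tag, data[pos:pos + ln], pos + ln


def count_varbinds(response):
    """Number of varbinds in a GetResponse (PDU tag 0xA2), or None if it is not one."""
    try:
        tag, msg, _ = ber_decode(response)
        if tag != 0x30:
            return None
        _, _version, p = ber_decode(msg)
        _, _community, p = ber_decode(msg, p)
        ptag, pdu, _ = ber_decode(msg, p)
        if ptag != 0xA2:
            return None
        p = 0
        for _ in range(3):                      # request-id, error-status, error-index
            _, _, p = ber_decode(pdu, p)
        _, vbl, _ = ber_decode(pdu, p)
        n, p = 0, 0
        while p < len(vbl):
            _, _, p = ber_decode(vbl, p)
            n += 1
        return n
    except ValueError:
        return None


def amplification(request, response):
    """Bytes-out divided by bytes-in: the figure that makes an agent attractive as a reflector."""
    return len(response) / len(request)


def probe(host, community="public", timeout=2.0):
    """Send one GetBulk to an agent you own; returns (req_bytes, resp_bytes, ratio, varbinds) or None."""
    req = build_getbulk(community)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SNMP_PORT))
        try:
            resp, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return len(req), len(resp), amplification(req, resp), count_varbinds(resp)


def build_response(varbinds, request_id=0x1234, community="public"):
    """Constructed GetResponse (not a capture) with OCTET STRING values, for offline testing."""
    vbl = b"".join(tlv(0x30, ber_oid(o) + tlv(0x04, v)) for o, v in varbinds)
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)
```

An agent reachable from the Internet with a guessable community string that answers this request with a multi-kilobyte reply is a reflector waiting to be used; after the perimeter filtering above, `probe()` from an outside address should time out rather than return a ratio.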


Article source: http://www.darkreading.com/monitoring/5-protocols-that-should-be-closely-watch/240164357