A Week in Security (Oct 18 – Oct 24)

Last week, we touched on a fake Java download, an Apple invoice phish, current tactics used by chip-and-PIN fraudsters, an upcoming conference in APAC, an overview of how to identify phishing emails, malicious Word macros, Dyreza malware from spam, and a really bizarre Tweet.

Robert Westervelt of the IDC Security Products group wrote in a blog post that, in spite of the security issues surrounding the Internet of Things (IoT), positive, innovative opportunities can still come out of it.

Senior security researcher Jérôme Segura found and documented the latest malvertising campaign that targeted German users. He dubbed it kampagnen, the German term for “campaign”, which was also a prominent string found in URLs being abused by malvertisers at that time. Malicious ads were found on popular sites like eBay.de and T-Online.de.

Segura also reported on the latest tech support scam tactic he encountered, wherein the schemers impersonated Apple product technicians. As remote assistance becomes increasingly popular, scams like this are expected to increase over time, and to get worse once they start targeting non-English users who may not be familiar with this kind of online danger.

Notable news stories and security-related happenings:

  • Facebook Appoints Self World Police, Promises State Attack Warnings. “Facebook’s heading into ticklish territory here because China’s recently made it abundantly clear that it is not at all happy at being fingered for attacks. If The Social Network™ starts pointing the finger, it may find itself being rather unhelpful in the wider context of US foreign policy and therefore less likely to be shopped as an exemplar of US ingenuity.” (Source: The Register)
  • Security Professionals Agree Vulnerability Sharing Beneficial, Wary On Implementation. “While the majority of information security professionals agree on the benefits of sharing threat intelligence, most will share only amongst a trusted peer community (49.3 percent) and others only internally (34.3 percent) according to a new survey.” (Source: Legal Tech News)
  • Kudos to Adobe. They Patched Flash Quicker Than They Promised. “In a security advisory, Adobe initially said that it hoped to issue a fix for the vulnerability this week (in other words, the week beginning Monday 19th October). However, it actually managed to push out the patch ahead of schedule on Friday 16th October instead.” (Source: Graham Cluley’s Blog)
  • Is It Still Possible to Do Phone Phreaking? Yes, with Android on LTE. “Android won’t recognize that a data call is being made and show nothing on a smartphone’s screen. A video call could eat up the victim’s data allowance and potentially garner them a huge bill. The vulnerabilities on the operator side could also lead to some crippling attacks…” (Source: CSO Online)
  • Want Some Nuclear Power Plant ‘Zero-Day’ Vulnerabilities? Yours For Just $8,000. “Whilst weaknesses in Apple’s iOS 9 can fetch up to $1 million, flaws in certain industrial control systems that run nuclear power and water plants – known widely as SCADA (Supervisory Control and Data Acquisition) boxes – can be bought for next to nothing, according to a Russian businessman who sells them.” (Source: Forbes)
  • Don’t Overdo Biometrics, Expert Warns. “Biometric data such as fingerprint scans is being collected too widely and too casually, according to security company Protegrity USA. […] Meanwhile, FireEye researchers Tao Wei and Yulong Zhang demonstrated the ability to harvest fingerprints on a large scale from some mobile devices at the Black Hat conference this summer.” (Source: CSO Online)
  • IBM Runs World’s Worst Spam-Hosting ISP? “Typically, the companies on the receiving end of this criticism are little-known Internet firms. But according to anti-spam activists, the title of the Internet’s most spam-friendly provider recently has passed to networks managed by IBM — one of the more recognizable and trusted names in technology and security.” (Source: Krebs on Security)
  • Bump Into Someone and Lose Up to £30 from Your Contactless Card. “Furthermore, the contactless payment process is not supposed to transmit payment information more than that about 10cm from a reader – although some researchers have claimed to intercept payment data from further distances.” (Source: Graham Cluley’s Blog)
  • Researchers Reveal How Attackers Could Turn Back Internet Time. “NTP is so ubiquitous that most people who use computers rely on it without realizing it. It’s important because Web browsers such as Safari or Chrome rely on a system of certificates to verify that a website claiming to be Amazon.com, for instance, is actually Amazon.com. If those certificates are compromised, they can be revoked – but only until the certificate expires. Turning back the clock on users’ computer is effectively a way to convince computers that an expired – and possibly compromised – certificate is still valid.” (Source: Christian Science Monitor)
  • BlackBerry Promises Robust Security on Android-Based Priv. “BlackBerry is building security right into the handset with a manufacturing process dubbed Root of Trust, which involves injecting cryptographic keys into the device hardware, “providing a secure foundation for the entire platform,” he added. The handset then uses these embedded keys to check every part of the device — from the hardware to its operating system to apps — and ensure they haven’t been tampered with.” (Source: PC Magazine – UK)
  • Employee Activities That Every Security Team Should Monitor. “As innocuous as a casual email exchange may seem, the person on the other end might actually be trying to lure employee to share credentials. And even if many work-oriented applications seem to pose no threat to IT, many apps, in fact, are infamous for collecting all kinds of data without an average user’s knowledge.” (Source: Help Net Security)
  • CCTV Camera Botnets on the Rise. “The most common reason is that typically products are rushed to market so they can be first on the scene, and not much consideration is invested in giving the device security by design. As a result IoT botnets are now gaining popularity with hackers, with CCTV botnets reported to be among the most common.” (Source: SC Magazine)
  • Privacy by Design Does Not Sacrifice Security. “‘You can’t have good privacy without strong security,’ Cavoukian said. ‘If you don’t lead with strong security, you will never have data privacy.’ It’s important to understand that privacy does not equal security, and privacy is not about having something to hide, she added.” (Source: eSecurity Planet)
  • Tech-savvy Users are Actually the Worst Offenders. “Even as businesses and the federal government have made cybersecurity a high priority, 93% of office workers engage in some form of unsafe online habits that could jeopardise their employer or their customers, according to Intermedia.” (Source: Help Net Security)

Safe surfing, everyone!

The Malwarebytes Labs Team