Welcome to my IT Security Blog where you can find current security articles as well as my opinion on various industry-centric topics, concentrating on security, privacy or anything else that catches my attention. The views expressed on this site are solely my ideas and do not reflect the views of my employer or anyone other than myself.
The SpyEye hacking toolkit has added an Android component that collects the text messages some banks use as an extra security precaution, a researcher said today.
“The standard SpyEye now also entices a user to download an Android app, which is actually a component that’s Android-specific malware,” said Amit Klein, the chief technology officer of Boston-based Trusteer, a security firm that specializes in online anti-cybercrime defenses.
The Android app poses as a security program — ironically, one that’s supposed to protect a user’s text messages from being intercepted — required to use a bank’s online services from a mobile device.
Many banks now send customers a one-time code, usually a series of numbers, to their mobile phone. To access the account, a user must enter not only the traditional username and password, but also the just-received passcode. It’s that passcode that the bogus Android app intercepts and then re-transmits to a hacker-managed command-and-control (C&C) server, said Klein.
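The SMS-code flow described above relies on the code reaching only the account holder. As an added example, not code from Trusteer or from any bank, the following Python sketch shows one server-side discipline that limits what a relayed code is worth: each code is single-use, expires quickly, and is bound to the specific transfer the SMS text describes, so a code captured by a device-side relay cannot authorize a different transfer. The store, TTL, user names and transaction fields are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: code -> issuance record. A real system would
# keep this per login session in a database; it is kept here for illustration.
CODE_TTL_SECONDS = 120
_issued = {}


def _binding(username, transaction):
    """Digest of exactly what the user is authorizing (user, payee, amount)."""
    material = f"{username}|{transaction['to']}|{transaction['amount']}".encode()
    return hashlib.sha256(material).hexdigest()


def issue_code(username, transaction, now=None):
    """Generate a 6-digit one-time code bound to one user and one transfer.

    Returns (code, sms_text). The SMS text repeats the payee and amount so the
    user can see what the code authorizes before typing it in.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _issued[code] = {
        "user": username,
        "binding": _binding(username, transaction),
        "expires": now + CODE_TTL_SECONDS,
        "used": False,
    }
    sms = (f"Code {code} authorizes a transfer of {transaction['amount']} "
           f"to {transaction['to']}. Do not share this code.")
    return code, sms


def verify_code(username, transaction, code, now=None):
    """Accept the code only if it exists, is unused and unexpired, belongs to
    this user, and was issued for exactly this transfer."""
    now = time.time() if now is None else now
    rec = _issued.get(code)
    if rec is None or rec["used"]:
        return False
    if now > rec["expires"]:
        return False
    if rec["user"] != username:
        return False
    # Constant-time comparison of the transaction binding.
    if not hmac.compare_digest(rec["binding"], _binding(username, transaction)):
        return False
    rec["used"] = True  # burn the code on first successful use
    return True


if __name__ == "__main__":
    tx = {"to": "NL00BANK0123456789", "amount": "50.00"}
    code, sms = issue_code("alice", tx)
    print(sms)
    print("original transfer accepted:", verify_code("alice", tx, code))
    print("same code reused:", verify_code("alice", tx, code))
```

The binding check is the part that matters against a relay: a code forwarded to a third party and submitted for a transfer with another payee or amount fails even though it is fresh and correct. It does nothing if the user is tricked into approving the attacker's own transfer, which is why the SMS text has to state the payee and amount the user is about to authorize.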
Established vendors and startups last week announced products and services for network intrusion-detection and outsourced security management.
Hewlett-Packard, Axent Technologies and startup Sanctum debuted intrusion-detection software for corporate networks, while Raytheon Company announced BladeRunner, server-based software for monitoring internal corporate network traffic in order to prevent unauthorized transmission of sensitive material.
“It identifies traffic-flow patterns to identify anomalies,” says Jeff Waxman, president of Raytheon’s newly formed information assurance product area based in Linthicum, Md. “If the R&D department suddenly starts sending information out to the wide-area Internet, you’ll know that.”
Apple released an update to Mac OS X that blocks Safari users from reaching sites secured with certificates stolen from a Dutch company last summer.
The update follows others by Microsoft, Google, Mozilla and Opera Software, which have already blocked or permanently barred the use of all certificates issued by DigiNotar, a certificate authority, or CA, that acknowledged its servers were breached and unauthorized SSL (Secure Sockets Layer) certificates obtained by one or more attackers.
Apple’s update came just days after a security researcher criticized the company for “dragging its feet.” In March, Apple took a month to block nine certificates stolen from U.S.-based Comodo, three weeks longer than Microsoft.
Following the high-profile hack of DigiNotar, the makers of the Firefox browser are asking issuers of digital certificates to take a hard look at their internal security and to report back in a week.
In emails sent out to digital certificate authorities Thursday, Mozilla Certificate Authority (CA) Certificates Module owner Kathleen Wilson asked CAs such as Symantec and Go Daddy to audit their systems for any possible compromise, confirm that nobody can issue a digital certificate without two-factor authentication, and shore up practices with any third parties that might be able to issue digital certificates using the CA’s root key.
Mozilla is giving CAs until Sept. 16 to respond to the email, but the browser maker is not saying what will happen if any of its 54 CAs ignore the request.
The fallout from the recent breach of certificate authority (CA) DigiNotar continues at a rapid pace as more details about the scope of the attack come to light: More than 500 rogue digital certificates were created for such high-profile domains as cia.gov, microsoft.com, Microsoft’s windowsupdate.com, and mozilla.org, as well as one posing as VeriSign Root CA. In addition, more than 300,000 IP addresses, mostly in Iran, have been compromised.
The plot further thickened today when the hacker who breached certificate authority Comodo earlier this year claimed he was also behind the DigiNotar attack, and has hacked four more CAs, including GlobalSign and StartCom: “I told all that I can do it again, I told all in interviews that I still have accesses in Comodo resellers, I told all I have access to most of CAs,” wrote the hacker, who goes by the alias “ComodoHacker” and claims to be Iranian. He indicated that the attacks were in retaliation for the 16-year anniversary of a massacre of thousands of Muslims during the Bosnian War in the town of Srebrenica.
The Honeynet Project has helped create two tools aimed at making Android malware analysis simpler and free and, ultimately, help better secure the wildly popular mobile platform.
The new open-source tools were developed under the Google Summer of Code project, a program where students from around the world spend their summer breaks writing code for open-source software. Two students under the mentorship of The Honeynet Project focused on Android malware: One wrote a static analysis tool called APKInspector, and the other, a dynamic analysis system called DroidBox — both of which are aimed at giving researchers a way to easily reverse-engineer Android malware and to observe and dissect malicious Android apps.
“These two tools nicely complement each other and should really be part of one’s toolbox [who deals] with mobile malware,” says Christian Seifert, chief communications officer for The Honeynet Project. “We believe that mobile malware will flourish, and while similar to malware on the PC, [it has] some unique characteristics that will reflect themselves in unique characteristics of the malware itself.”
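Static analysis of the kind APKInspector is built for starts with the manifest: which permissions an app requests and which broadcasts it registers for. As an added example (not code from APKInspector, DroidBox or The Honeynet Project), the Python below triages a decoded AndroidManifest.xml for the combination that the SMS-stealing component described earlier would need: SMS permissions plus network access, and a receiver for the incoming-SMS broadcast. The manifest is a constructed sample in the plain-XML shape a decoder such as apktool produces; the raw file inside an APK is binary XML and must be decoded first. Package and class names are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualify an attribute name with the android: namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample manifest (not taken from any real app or malware sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsguard">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="SMS Guard">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 1000  # threshold chosen for this example


def triage_manifest(xml_text):
    """Return the package name, requested permissions, and a list of findings
    describing why the app could read and exfiltrate text messages."""
    root = ET.fromstring(xml_text)
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    findings = []

    sms = perms & SMS_PERMS
    if sms:
        findings.append(f"requests SMS permissions: {sorted(sms)}")
    if sms and "android.permission.INTERNET" in perms:
        findings.append("can read SMS and reach the network (possible exfiltration path)")

    # Receivers registered for the incoming-SMS broadcast. On older Android
    # releases a high-priority receiver saw the message before the default
    # SMS app and could abort the broadcast, hiding the message from the user.
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {act.get(a("name")) for act in filt.iter("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            msg = f"receiver {recv.get(a('name'))} listens for SMS_RECEIVED"
            prio = filt.get(a("priority"))
            if prio is not None and int(prio) >= HIGH_PRIORITY:
                msg += f" with priority {prio}"
            findings.append(msg)

    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "findings": findings,
    }


def triage_decoded_apk(manifest_path):
    """Convenience wrapper for a manifest already decoded to plain XML on disk."""
    with open(manifest_path, encoding="utf-8") as fh:
        return triage_manifest(fh.read())


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for f in report["findings"]:
        print(" -", f)
```

Permission triage only says what an app could do; confirming that it actually forwards messages is the dynamic-analysis step a sandbox such as DroidBox covers, where the network traffic and SMS activity are observed while the app runs.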
The U.S. Department of Homeland Security today issued a somewhat unusual bulletin warning the security community about the planned activities of hacking collective Anonymous over the next few months.
The bulletin, issued by the DHS National Cybersecurity and Communications Integration Center (NCCIC), warns financial services companies especially to be on the lookout for attempts by Anonymous to “solicit ideologically dissatisfied, sympathetic employees” to their cause.
Anonymous has recently used Twitter to try to persuade dissatisfied employees within the financial sector to give them information and access. Though such attempts appear to have been largely unsuccessful so far, “unwilling coercion through embarrassment or blackmail may be a risk to personnel,” the bulletin warned.