Feb 16, 2011

WiFi + Airport = Lost password

As most travelers know, many airports and VIP lounges offer Wi-Fi connectivity but, unfortunately, these connections are rarely encrypted. Here's an example:

All data sent and received travels in clear text, which means anyone could intercept the data for malicious purposes.  This unencrypted data could include passwords, logins, financial information like PIN codes, etc.
Many people also know that it's always better to use a VPN connection. However, in many cases, VPN connections are filtered out and blocked by rules on the network firewall. I tried two different protocols and both were blocked. Mostly, network administrators don't allow VPNs from public Wi-Fi access points because they want to make sure the network isn't being used for malicious purposes without any readable network logs. These policies actually make it easy for the bad guys to launch man-in-the-middle attacks, in which all traffic passes through a malicious host.

The reality is that using a public Wi-Fi service can expose your really sensitive data to cybercriminals. Recently, we saw some famous people lose their Facebook and other social network passwords by using open (insecure) Wi-Fi connections.

So what is the solution when your VPN is blocked? Well, in some cases, an SSL (https) connection may help. Before going to any Web site, type https:// followed by the domain name in the address bar. After the page has loaded, check that the certificate used for encryption is valid and was issued to the site you're visiting. If anything looks wrong with the certificate, stop using the site.
Another solution is to use a wired Ethernet connection instead of Wi-Fi. Many lounges offer such connections as well, and it will be much safer for you.
In any case, if you're connected from a public place, it's better not to use eBanking or ePayment services. That data is the main target for criminals. So, travel safe and keep your personal data safe as well!
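The certificate check the post asks you to do by eye, as an added example (not code from the original post): a Python script that opens the TLS connection with full chain verification and then reports whether the served certificate is currently valid and was issued to the host you typed. The sample certificate dict, function names and hostnames are this example's own.

```python
"""Certificate checks for a site reached over untrusted Wi-Fi.

Added example, not code from the original post. It automates the two things
the post asks the reader to check in the browser: the certificate is valid
right now, and it was issued to the host actually typed into the address bar.
Hostname matching follows the browser rules (RFC 6125): an exact match on a
DNS subjectAltName, or a '*' wildcard covering exactly one left-most label.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout that ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Feb 10 00:00:00 2011 GMT",
    "notAfter": "Feb 10 00:00:00 2012 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.login.example.com")),
}


def utc(year, month, day):
    """Small helper: an aware UTC datetime at midnight of the given day."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # A wildcard stands in for a single non-empty label only, so
    # '*.login.example.com' covers 'sso.login.example.com' but neither
    # 'login.example.com' nor 'a.b.login.example.com'.
    suffix = pattern[1:]
    head = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
    return bool(head) and "." not in head


def certificate_names(cert):
    """DNS names the certificate was issued to (SAN first; CN only as a legacy fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def issued_to(cert, hostname):
    return any(_name_matches(n, hostname) for n in certificate_names(cert))


def within_validity(cert, now):
    """True if `now` lies between notBefore and notAfter (both expressed in GMT)."""
    ts = now.timestamp()
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= ts <= ssl.cert_time_to_seconds(cert["notAfter"])


def check_cert(cert, hostname, now=None):
    """Return a list of problems; an empty list means both checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not issued_to(cert, hostname):
        problems.append(f"certificate not issued to {hostname} "
                        f"(names: {', '.join(certificate_names(cert))})")
    if not within_validity(cert, now):
        problems.append(f"certificate not valid at {now.isoformat()} "
                        f"(valid {cert['notBefore']} to {cert['notAfter']})")
    return problems


def check_site(hostname, port=443, timeout=5.0):
    """Connect with full chain verification, then run check_cert on the served certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    try:
        issues = check_site(host)
    except ssl.SSLCertVerificationError as exc:
        # An untrusted chain (or a hostname mismatch) is rejected before check_cert runs.
        issues = [f"chain verification failed: {exc.verify_message}"]
    print("OK" if not issues else "STOP: " + "; ".join(issues))
```

`check_site` needs network access; the offline functions are what the sample certificate exercises.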

Feb 15, 2011

iPhone passwords succumb to researchers' attack


Researchers at the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, have found a way to steal passwords found in the Apple iPhone's keychain services within six minutes.

In order to steal passwords, the researchers said, the attacker must have the actual, physical iPhone in hand--this isn't a remote maneuver. First, the attacker has to jailbreak the iPhone, and from there must install an SSH server on the smartphone to be able to run unrestricted programs. The researchers also created a "keychain access script" that they then copied to the iPhone. After executing that script, they found that they were able to decrypt and see some passwords saved in the keychain.

Over the past year, several iPhone exploits have been revealed by researchers around the world, including some that attack vulnerabilities in the mobile Safari browser. But at least so far, the issues have affected users who jailbreak their own devices. Even in the Fraunhofer Institute's case, a non-jailbroken iPhone will not reveal keychain passwords. Jailbreaking is the process of bypassing the restrictions that Apple sets up to keep users from tinkering with the device's underlying system software.

Researchers said that this latest issue has to do with how iOS handles encryption--namely, that "encryption is independent of the personal password to protect access to the device properly." In other words, even if a user protects access to the iPhone--or any other iOS-based device--with a passcode, it won't be enough to stop hackers from using this method to access saved passwords in the keychain.

It should be noted that the proof-of-concept maneuver would not reveal passwords for Web sites. Services like Gmail, AOL Mail, Yahoo Mail, and others with "protected" passwords "were available to the script only after entering the passcode to unlock the device, which by assumption, should not be possible for an attacker," the researchers noted.

But the folks at Fraunhofer Institute don't necessarily believe that iPhone owners should assume that they will be safe if they don't jailbreak their iPhones. In their scenario, the researchers assumed that the iPhone was stolen and the person who took it knew how to jailbreak the device and create and run scripts. They said in their evaluation of their proof-of-concept that the difficulty level of exploiting the vulnerability is "low."

"Owners of a lost or stolen iOS device should therefore quickly initiate a change of all stored passwords," the researchers wrote in their report. "Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts."

Malicious hackers are increasingly turning towards the mobile market to target unsuspecting victims.

Earlier this week, security firm McAfee revealed that mobile malware threats were up 46 percent last year. The company said that it expects "cybercriminal activity" in the mobile market to surge in 2011.


Data theft attacks besiege oil industry, McAfee says

A McAfee diagram of how the Night Dragon attacks proceeded.
(Credit: McAfee)

For years, companies in the oil and energy industry have been the victims of attempts by hackers, believed to be in China, to steal e-mail and other sensitive information, according to a new report from McAfee.

The attacks, to which McAfee gave the sinister name "Night Dragon," penetrated company networks through Web servers, compromised desktop computers, bypassed safeguards by misusing administrative credentials, and used remote administration tools to obtain the information, the security firm said late yesterday. McAfee and other security companies now have identified the method and can provide a defense.

"Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise. These targets have now moved beyond the defense industrial base, government, and military computers to include global corporate and commercial targets," McAfee said in a white paper (PDF) published today.

And the attack was at least partially successful, McAfee said: "Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding that were later copied from the compromised hosts or via extranet servers. In some cases, the files were copied to and downloaded from company Web servers by the attackers. In certain cases, the attackers collected data from SCADA systems," the supervisory control and data acquisition systems that control and monitor industrial processes.

McAfee didn't reveal details about what SCADA data was involved, but it's a potentially serious matter: such systems are at the operational heart of everything from oil pipelines and refineries to factories and electrical power distribution networks.

McAfee told The Wall Street Journal that the attacks appeared to be purely about espionage, not sabotage. The latter possibility has become a more vivid fear with the Stuxnet attack that apparently damaged Iranian nuclear operations. China is a particular concern: it's a rising industrial power that Google has implicated in attempts to crack its own network and obtain sensitive information.

McAfee notified the FBI of the Night Dragon attacks, and the FBI is investigating, the Journal reported.

Several Night Dragon attacks were launched in November 2009, McAfee Chief Technology Officer George Kurtz said in a blog post, but attacks have been going on for at least two years and likely as long as four.

"We have strong evidence suggesting that the attackers were based in China," Kurtz said. "The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups."

The attacks themselves used a variety of methods that, although described as "relatively unsophisticated," were nonetheless effective.

First came an attack to compromise a Web server that then became a host for a variety of hacking tools that could probe the company's internal network. Password cracking and other tools were used to gain access to PCs and servers. Remote administration software, including one called zwShell, let attackers control compromised Windows PCs to gather more data and push the attack toward more sensitive areas.

An appendix of the white paper offers more details on the Chinese connection:
While we believe many actors have participated in these attacks, we have been able to identify one individual who has provided the crucial C&C infrastructure to the attackers--this individual is based in Heze City, Shandong Province, China. Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions.
The individual runs a company that, according to the company's advertisements, provides "Hosted Servers in the U.S. with no records kept" for as little as 68 RMB (US$10) per year for 100 MB of space. The company's U.S.-based leased servers have been used to host the zwShell C&C [command and control] application that controlled machines across the victim companies.
Beyond the connection to the hosting services reseller operation, there is other evidence indicating that the attackers were of Chinese origin. Beyond the curious use of the "zw.china" password that unlocks the operation of the zwShell C&C Trojan, McAfee has determined that all of the identified data exfiltration activity occurred from Beijing-based IP [Internet Protocol] addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time, which also suggests that the involved individuals were "company men" working on a regular job, rather than freelance or unprofessional hackers. In addition, the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums. These included Hookmsgina and WinlogonHack, tools that intercept Windows logon requests and hijack usernames and passwords...
Although it is possible that all of these indicators are an elaborate red-herring operation designed to pin the blame for the attacks on Chinese hackers, we believe this to be highly unlikely. Further, it is unclear who would have the motivation to go to these extraordinary lengths to place the blame for these attacks on someone else.
The early phase of the Night Dragon attack gains access to Web servers.
(Credit: McAfee)
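The office-hours observation in the quoted appendix, as an added example (not McAfee's code or method): Python that converts constructed exfiltration timestamps into candidate time zones and measures what share of the activity falls inside weekday 09:00-17:00 there. The log lines, IP addresses, zone list and function names are constructed for this example.

```python
"""Working-hours profile of attacker activity (added example, not McAfee's code).

If an operation's activity clusters inside weekday 09:00-17:00 in one time
zone, that zone is a weak clue to where the operators sit: the reasoning the
Night Dragon appendix applies to Beijing time. Caveats a defender should keep
in mind: daylight-saving shifts are ignored, a single week is a small sample,
and an adversary can schedule jobs to mimic any zone. Narrows, never proves.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of outbound transfers seen at the victim's
# perimeter. Addresses are documentation ranges, not real indicators.
SAMPLE_LOG = """\
2010-11-03T01:12:44Z 10.20.1.15 -> 203.0.113.7 bytes=1843000 proto=http
2010-11-03T03:40:02Z 10.20.1.15 -> 203.0.113.7 bytes=220000 proto=http
2010-11-03T08:55:10Z 10.20.4.9 -> 203.0.113.7 bytes=904000 proto=http
2010-11-04T02:05:31Z 10.20.4.9 -> 203.0.113.7 bytes=4410000 proto=http
2010-11-04T07:30:00Z 10.20.1.15 -> 203.0.113.7 bytes=123000 proto=http
2010-11-06T02:15:00Z 10.20.1.15 -> 203.0.113.7 bytes=51000 proto=http
2010-11-08T19:10:00Z 10.20.1.15 -> 203.0.113.7 bytes=77000 proto=http
"""

# Candidate zones as fixed UTC offsets in hours (constructed list).
CANDIDATE_ZONES = {"Beijing (UTC+8)": 8, "UTC": 0, "US Eastern (UTC-5)": -5}


def parse_log(text):
    """Return a list of (utc_datetime, src, dst, byte_count) tuples, one per log line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _arrow, dst, size, _proto = line.split()
        # strptime rather than fromisoformat so the trailing 'Z' works on older Pythons.
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst, int(size.split("=", 1)[1])))
    return events


def in_office_hours(when_utc, utc_offset_hours, start=9, end=17):
    """True if the instant falls on a weekday between start and end (local hour) in that zone."""
    local = when_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.weekday() < 5 and start <= local.hour < end


def office_hours_count(events, utc_offset_hours):
    """(events inside office hours, total events) for one candidate offset."""
    hits = sum(in_office_hours(e[0], utc_offset_hours) for e in events)
    return hits, len(events)


def rank_zones(events, zones=CANDIDATE_ZONES):
    """Candidate zones sorted by share of activity inside local office hours, best first."""
    scored = [(name, *office_hours_count(events, off)) for name, off in zones.items()]
    return sorted(scored, key=lambda t: t[1] / t[2] if t[2] else 0, reverse=True)


if __name__ == "__main__":
    for name, hits, total in rank_zones(parse_log(SAMPLE_LOG)):
        print(f"{name:20s} {hits}/{total} transfers during weekday 09:00-17:00")
```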


Feb 10, 2011

Sandboxing to come in Avast 6

Free security suites have long been offering protection for Windows computers that has ranged from adequate to excellent. After using the Avast 6 beta for the past week, it looks like Avast 6 will land far closer to the high end of the spectrum thanks to its new WebRep browser add-on and sandbox environment, unique in the free antivirus marketplace. 


Avast 6 Free will come with a sandbox feature to isolate risky programs while they run.
(Credit: Screenshot by Seth Rosenblatt)
 
The security suite is available in three forms: Free Antivirus, which replicates the features available in the upcoming Avast 6 Free; Pro Antivirus, which offers a 30-day trial for checking out Avast's first level of paid security; and Internet Security, which ramps up the feature set to include more security tools. 

The biggest new feature is the AutoSandbox, which walls off suspicious programs, allowing them to run while preventing them from potentially damaging your system. Few details have been provided so far on how the AutoSandbox works, but a response from an Avast employee on Avast's forums gave some indication. Avast's sandbox allows the program to run while keeping track of which files are opened, created, or renamed, and what it reads from and writes to the Registry. These would-be permanent changes are virtualized, so when the process terminates, the system changes it made evaporate. 

The AutoSandbox settings are accessible from the new Additional Protection option on the left nav. It defaults to asking the user whether a program should be sandboxed, although you can set it to automatically decide. There's a whitelist option for programs that you always want to exclude from the sandbox, and you can deactivate the feature entirely. 

Avast 6 will come with an optional browser plug-in for Internet Explorer and Firefox called WebRep, which is Avast's new Web site reputation service. It uses a combination of data from Avast's virus labs and user voting to determine a safety score for a site. Similar add-ons are a common tool available in most antivirus suites, so it's good to see Avast join them. Like its competitors, Avast appears to have ignored Google Chrome and its 10 percent market share when it comes to search result rating add-ons. However, Avast has promised that the Chrome add-on will be released soon. 

The browser add-ons install when installing Avast 6. If you don't want them, it's actually easier to remove them from within Avast instead of within the browser. Currently, removing the add-on using the browser's interface will cue Avast to re-install the add-on the next time the computer is rebooted. 

Other new features have been introduced in Avast 6 beta. The Troubleshooting section now comes with a "restore factory settings" option, there's a new sidebar gadget for Windows 7 and Vista, and you can set automatic actions in the boot-time scan. Two features that have filtered down to the free version are the Script Shield and site blocking. The Script Shield now works with Internet Explorer 8 and 9's protected mode. Meanwhile, the paid versions have gained some new features, such as SafeZone, a virtualization feature for secure online banking. The installer has shrunk for all versions by about 20 percent. 


Avast 6 Free also comes with the optional WebRep add-on, for rating search results and Web sites.
(Credit: Screenshot by Seth Rosenblatt)
 
The initial build of the program was buggy and actually caused my computer to enter into a crash loop that I escaped by booting into Safe Mode and removing it. However, subsequent builds have proven to be far more stable. Note that if you do install the beta, you'll have to completely uninstall your current antivirus program, even if it's Avast 5. The company expects to have an upgrade mechanism in place by the time Avast 6 is ready for wide distribution. 

Other known problems in the beta include the fact that the SafeZone feature doesn't work yet and that the firewall in the paid versions contains a conflict with uTorrent.
Performance benchmarks are not available because of the in-development nature of this release. It's simply changing too quickly for benchmarks to provide any useful information, given the time it takes to conduct them. 

Although the suite looks good and bodes well for the coming public release, this is a beta product and so it's not recommended for security duties on your primary or only computer. However, it's well worth exploring on secondary machines, and it's encouraging to see Avast not laying fallow after the gains made in version 5.


The beta announcement thread on the Avast forums can be read here.

Feb 9, 2011

Firefox beta to Web: 'Do Not Track'

Firefox 4 beta 11 has landed a useful security feature for people who are sick of "stalkertizements," those cookie-based ads that use your browsing history to target ads at your perceived tastes. The new "Do Not Track" feature in Firefox 4 beta 11 for Windows, Mac, and Linux sends out a header that tells Web sites that you want to opt out of behavioral tracking, though Mozilla cautions in a blog post that it will take some time for sites and advertisers to respond to the header. 

This diagram shows how Firefox's new 'Do Not Track' feature works.
(Credit: Mozilla)
 
The feature can be toggled via a check box in the Advanced tab of Firefox's Options window. 

Mozilla privacy lead Alex Fowler said that the engineers decided to base the feature in the header sent from the browser because it's something that all Web pages read as they load. A blacklist or cookie-based solution would be harder to implement across different browsers. He acknowledged that successful implementation of "Do Not Track" also depends on advertisers and site owners respecting that incoming header.


He added that the initial stages of a legislative fix are under way as at least one member of Congress--Rep. Jackie Speier (D-Calif.)--plans to introduce a bill ordering the Federal Trade Commission to create a "Do Not Track" program for advertisers. However, a second bill also being proposed does not include the "Do Not Track" option. Both might have a hard time passing in today's antiprivacy climate, although a bill with "Do Not Track" would be the harder sell because of its stronger privacy controls. 

Mozilla security and privacy engineer Sid Stamm has documented the technical implementation of "Do Not Track." 
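The server side of the mechanism described above, as an added example (not Mozilla's code or Stamm's write-up): a minimal Python WSGI application that reads the `DNT: 1` header Firefox sends when the option is on and refrains from setting a behavioral-tracking cookie. The cookie name, the `call` helper and the environ dicts are this example's own.

```python
"""Honouring 'Do Not Track' on the server (added example, not Mozilla's code).

Firefox 4 beta 11 adds the request header 'DNT: 1' when the option is ticked.
WSGI exposes request headers in the environ dict as HTTP_<NAME>, so the
header arrives as environ['HTTP_DNT']. Only the value '1' is an opt-out; a
missing header or any other value means no preference was expressed.
"""
import secrets

TRACKING_COOKIE = "visitor_id"  # constructed cookie name for this example


def dnt_opt_out(environ):
    """True if the request carried 'DNT: 1'."""
    return environ.get("HTTP_DNT", "").strip() == "1"


def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


def tracking_decision(environ):
    """Return (track, visitor_id). Reuse an existing id; mint one only if tracking is allowed."""
    if dnt_opt_out(environ):
        return False, None
    existing = parse_cookie(environ.get("HTTP_COOKIE", "")).get(TRACKING_COOKIE)
    return True, existing or secrets.token_urlsafe(16)


def app(environ, start_response):
    """WSGI entry point: sets the tracking cookie only when DNT does not forbid it."""
    track, visitor = tracking_decision(environ)
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if track:
        headers.append(("Set-Cookie",
                        f"{TRACKING_COOKIE}={visitor}; Path=/; HttpOnly; SameSite=Lax"))
    start_response("200 OK", headers)
    return [b"tracking=on\n" if track else b"tracking=off\n"]


def call(environ):
    """Drive `app` the way a WSGI server would; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed requests: one from a browser with DNT on, one without the header.
    for env in ({"REQUEST_METHOD": "GET", "HTTP_DNT": "1"}, {"REQUEST_METHOD": "GET"}):
        status, headers, body = call(env)
        print(env.get("HTTP_DNT", "<no DNT>"), status, headers, body)
```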

Other changes in Firefox 4 beta 11--which Mozilla hopes will be the penultimate Firefox 4 beta--include moving connection status messages to a small overlay window, re-enabling WebGL on Linux, disabling automatic switching to offline mode when no network connection is detected, and a redesign of the default about:home page. The full changelog is available here.

McAfee: Mobile threats on the rise


Mobile threats are spreading and spam continues to be a thorn in the average person's side, according to a new McAfee report about the fourth quarter.

Mobile malware threats increased by 46 percent last year as criminals continued to embrace new opportunities on smartphones and tablets, the security firm said today. 

"One of the most important threats of the quarter" among mobile devices was the Android-based Geinimi Trojan that Zeus botnet creators unleashed. It was flanked by several other malware threats, like the Symbian OS-focused Zitmo.A, McAfee said.
"Cybercriminals are keeping tabs on what's popular, and what will have the biggest impact from the smallest effort," Vincent Weafer, senior vice president of McAfee Labs, said in a statement. "McAfee Labs also sees the direct correlation between device popularity and cybercriminal activity, a trend we expect to surge in 2011."

McAfee's latest report could help bolster support for the company's plans in 2011 to become increasingly invested in mobile security, thanks to Intel, which announced plans to acquire the security firm last year in a deal valued at $7.68 billion. Intel said at the time that it plans to use McAfee's core security products to improve protection for mobile devices, TVs, and other products that the chipmaker believes don't have enough protection.

McAfee found in its report that the "lack of security awareness and mobile safeguards" will lead smartphone owners to face an increasing number of botnet attacks this year.

In addition, the growth of mobile devices and Web-connected products like Internet TVs contributed to more Web-based threats in 2010, McAfee said. The company found that phishing scams asking people to provide information to the Internal Revenue Service, offering gift cards, and stealing social-networking account information were quite "popular" in the fourth quarter. Worst of all, McAfee said that 51 percent of the top 100 search results for the top daily search terms directed people to malicious sites.

Adobe Systems also took a beating in McAfee's quarterly report. The security firm found that all last year, malware creators were "heavily" targeting Flash and PDF and that Adobe Acrobat was the most popular place for malicious users to take aim at unsuspecting victims. Worst of all, the security firm said it's "certain" that Adobe will continue to be hit hard by malware in 2011.

Spam continues to be a major issue for people, accounting for 80 percent of all e-mail traffic in the fourth quarter, McAfee reported. At that level, however, spam actually hit a low it hasn't touched since the first quarter of 2007. 

When it came to malware, consumers weren't so lucky. Twenty million "new pieces of malware" were developed in 2010, McAfee said.

Microsoft patches Windows, IE

Microsoft today issued three "critical" security bulletins as part of its monthly Patch Tuesday program. Together with nine other alerts, which the company rated as "important," the bulletins address 22 vulnerabilities spanning Microsoft products from Windows and Internet Explorer to Office and Internet Information Services. 

On the top of the list is MS11-003, which is a cumulative update for Internet Explorer that resolves four vulnerabilities. Included is a fix for the nasty CSS bug outlined in Security Advisory 2488013, a bug that could give attackers control of people's computers. 

In a podcast about the patches, Jerry Bryant, the group manager of response communications for Microsoft's Trustworthy Computing Group, downplayed the scope of the CSS issue, saying that the company had seen only limited, targeted attacks focused on this vulnerability. To drive that point home, the company has released telemetry of how that vulnerability stacks up against an already-patched vulnerability in the Windows Shell, to explain why a fix was not made available outside the company's normal release cycle. 

"While our first priority is to protect customers from issues like these, we also look to minimize disruption that issues like out-of-band releases can bring," Bryant said. 

The second critical item included in the list of patches is the thumbnail image attack vulnerability, which is being addressed in MS11-006. This fixes the security hole in Microsoft's Windows Graphics Rendering Engine that could let attackers gain control of users' computers by having them load a specially formatted image. The problem affects Windows XP, Server 2003, Windows Vista, and Windows Server 2008, but not Windows 7 or Windows Server 2008 R2, the company said. 

"We have not seen any attacks against this vulnerability, but proof of concept code is available to attackers, so we recommend customers put this at the top of their priority list," Bryant said. 

The third critical item that's being patched is the OpenType Compact Font exploit as part of MS11-007. That particular vulnerability requires end users to load what Microsoft classifies as a "maliciously crafted" font. Bryant explained that the issue had privately been disclosed to the company, and that it was rated a 2 in the Exploitability Index, since Microsoft does not believe a reliable exploit code will show up within the next 30 days. 

One tier lower on the company's deployment priority index (which is how Microsoft tells customers the order in which to deploy patches to machines) is the fix for the zero-day vulnerability in the FTP service in IIS 7.0 and 7.5. It too has a rating of 2 in the Exploitability Index, and it makes up part of MS11-004. 

Along with those critical and important updates, Microsoft is changing its Autorun functionality when users plug in USB thumb drives. The company is disabling Autorun from USB thumb drives in versions of Windows that are older than Windows 7, which already has such a security feature. That's going out to users as an AutoUpdate in Windows Update. 

As mentioned in previous coverage about this month's batch of updates, Microsoft has not offered up more details on long-term fixes for the MHTML vulnerability that cropped up last month and affects Internet Explorer. But according to Jim Walter, the manager of McAfee Threat Intelligence Service, the MHTML problem is smaller than most.

"The scope and impact of the MHTML vulnerability is relatively limited compared to other recent zero-day code execution vulnerabilities," Walter said in a statement. "Based on the information that is currently available, we are aware that successful exploitation could lead to the running of arbitrary scripts, as well as the disclosure of sensitive information."
More details about the list of fixes, and ways to deploy them, can be found in Microsoft's Security Response Center blog.

Feb 7, 2011

Did Sony add a rootkit to PS3 firmware update?

Gamers on a forum accuse Sony of adding a rootkit to its latest version of PlayStation 3 firmware.

Rootkits, in general, have a bad reputation. Security watchers often associate them with malware. In this case specifically, though, the alleged rootkit would allow Sony to peer into users' system files without their knowledge.

A user dubbed N.A., who first mentioned the alleged rootkit last week on the Neogaf forum and cited work performed by developer Mathieulh, alleged that a rootkit in firmware version 3.56 allows Sony to "remotely execute code on the PS3" when users connect to the PlayStation Network. Mathieulh informed people over Internet Relay Chat that the alleged rootkit can be used by Sony for "verifying system files or searching for homebrew." It might also be used as a way to ensure users on the PlayStation Network are using Sony's own firmware.

However, N.A. also pointed out that "Sony hasn't activated any of this yet."

For its part, Sony hasn't made any mention of a rootkit being added to its latest update. A page on the company's site describing the updates in firmware version 3.56 says only that a "security patch has been added." Because of that, it should be noted that the claims made through Internet Relay Chat and forums are unsubstantiated, and there is currently no indication from Sony that a rootkit was added to its PlayStation 3 firmware.

What is clear is that Sony is in the middle of a real battle with jailbreakers who continue to take issue with the way the company safeguards its console. With each new update released by Sony since the company decided to end support for "Other OS," the feature that let folks run other operating systems--typically Linux--on the console, jailbreakers have found ways to run so-called homebrew applications.

PlayStation 3 firmware version 3.55 arguably attracted the most attention after well-known hacker George Hotz, known by his Web name, Geohot, found a way for users to run custom packages on the console. The move prompted Sony to request a restraining order against Geohot to take his solution off the Web. After a lengthy court battle with each side trading shots, Sony was awarded the restraining order last week.

"After consideration of the record and the arguments of counsel, the court finds that a temporary restraining order is warranted," U.S. District Court Judge Susan Illston wrote in a judgment released last week. "Plaintiff has submitted substantial evidence showing that defendant George Hotz has violated the Digital Millennium Copyright Act."

For his part, Hotz contends that his jailbreak shouldn't violate the DMCA. He pointed out that the DMCA allows mobile phone owners to jailbreak their devices without fear of legal recourse. The far-reaching act fails to mention other devices, which allowed Sony to gain the upper hand in its battle against Hotz.

"I think the same precedent should apply," Hotz said in an interview with G4TV last month. "If you can jailbreak one closed system, why can't you jailbreak another?"

It's a sentiment that many in the Neogaf forums agree with. And rather than face the possibility of being locked into Sony's latest firmware, those who believe Mathieulh's claim that a rootkit is in the latest software have warned others not to upgrade to 3.56.


"Official Firmware 3.56 released," an announcement reads on the forum. "Do NOT update."
Sony did not immediately respond to request for comment.

Back in 2005, Sony BMG came under fire for including a rootkit in software on some of the company's CDs. The rootkit was used to limit the widespread reproduction of music CDs at the time. Sony later reversed its stance, offering up a solution to remove the rootkit, and then eventually, recalled CDs with the rootkits installed.

Microsoft to seal 22 security holes this month

Microsoft today said it will address 22 vulnerabilities as part of next week's Patch Tuesday, three of which are critical.

Three of the 12 bulletin items released by Microsoft earlier today are classified as critical, and affect Microsoft's Windows operating system, with one affecting Microsoft's Internet Explorer browser as well. The rest are classified as "important."

In a post on Microsoft's Security Response Center blog, the company said it will be making fixes for vulnerabilities in the Windows Graphics Rendering Engine, as well as a CSS exploit in Internet Explorer that could allow an attacker to gain remote code execution.

Along with the fixes for the rendering engine and the CSS exploit, Microsoft says it will be addressing zero-day flaws that created vulnerabilities in the FTP service found inside of Internet Information Services (IIS) 7.0 and 7.5.

Not included in this month's batch of announced patches is a fix for the recently discovered script injection attacks that affect Internet Explorer. Acknowledged by the company last week in Security Advisory 2501696, the exploit targeted the way IE handled MHTML on certain types of Web pages and document objects, and could provide hackers with access to user information. According to Wolfgang Kandek, chief technology officer at Qualys, the best route to prevent those attacks continues to be the workaround Microsoft outlined in its initial security advisory about the problem.

Microsoft has a full list of the pending issues here.

Report: Hackers penetrated Nasdaq computers

Federal authorities are investigating repeated intrusions into the computer network that runs the Nasdaq stock exchange, according to a Wall Street Journal report that cited people familiar with the matter.

The intrusions did not compromise the tech-heavy exchange's trading platform, which executes investors' trades, but it was unknown which other sections of the network were accessed, according to the report.

"So far, [the perpetrators] appear to have just been looking around," one person involved in the Nasdaq matter told the Journal.

The Secret Service reportedly initiated an investigation involving New York-based Nasdaq OMX Group last year, and the Federal Bureau of Investigation has launched a probe as well. Investigators are considering a range of motives for the breach, including national security threat, personal financial gain, and theft of trade secrets, the newspaper reported.

Nasdaq representatives could not be reached for comment.

Investigators have not been able to follow the intruders' path to any specific individual or country, but people familiar with the matter say some evidence points to Russia, according to the report. However, they caution that hackers may just be using Russia as a conduit for their activities.

The Nasdaq, which is thought to be as critical from a security standpoint as the national power grid or air traffic control operations, has been targeted by hackers before. In 1999, a group called "United Loan Gunmen" defaced Nasdaq's public Web site with a story headlined "United Loan Gunmen take control of Nasdaq stock market." The vandalism was quickly erased, and Nasdaq officials said at the time that the exchange's internal network was unaffected.

