Tuesday 13 August 2013

Google ups top security bug reward to $5,000

google-money-bags
Google has increased the maximum reward available to researchers participating in its Chromium and Google Web Vulnerability Reward Programs (VRPs) to $5,000 and revealed it has issued over $2m worth of payments to bug hunters.
Google's Chrome security head Chris Evans and security program manager Adam Mein revealed the news in a blog posting, confirming that the company has received 2,000 threat reports from independent researchers since launching the bug bounty programs in 2010. The Google masters said to celebrate the programs' success Google will increase the maximum reward available for finding bugs to $5,000.
"Today we're delighted to announce we've now paid out in excess of $2,000,000 across Google's security reward initiatives. Broken down, this total includes more than $1,000,000 for the Chromium VRP and Pwnium rewards, and in excess of $1,000,000 for the Google Web VRP rewards," they wrote.
"Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a five-times increase in reward level."
The two added the company will continue to issue even higher payments on a case-by-case basis.
"We'll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity. We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open-source software," they wrote.
Google is one of many tech companies to offer researchers monetary rewards for spotting security flaws in their products. Facebook issued a massive $20,000 to a security researcher for spotting a critical flaw leaving its users open to attack by hackers. Security news aggregator Packet Storm also runs an ongoing bug bounty program, which offers up to $7,000 for working exploits.

Android Malware Protection Strong, But Price Makes a Difference

Image via Flickr user JD Hancock
While most Android security apps continue to offer top-notch protection, features like anti-theft tools are big differentiators. The recent test results from the independent German testing lab AV-Test show four apps with perfect scores and three that failed to be certified.
Who Won, Who Lost
This round, our Editors' Choice Bitdefender Mobile Security & Antivirus shared the crown with Kaspersky Mobile Security, Kingsoft Mobile Security, and Qihoo 360 Mobile Safe in a four-way tie all with perfect 13-point scores. That's a perfect six in the protection category, another six in the usability category—which looks at battery life and other user-impact issues, and one point for extra features.
Notably, this round of testing included 1,972 malware samples and an average detection rate of 95.2 percent across all thirty apps. That's a bit lower than previous testing, but not enough to be worrisome.  Individual detection rates for apps varied between 100 percent and 63.3 percent.
Though the scores were mostly distributed between 12 and 13 points, there were a few losers. AegisLab Antivirus Premium, SPAMfighter VIRUSfighter Android, and Zoner Mobile Security all failed to achieve certification. That's only three apps, but they account for 10 percent of all the apps tested.
Here's a full breakdown of the scores.
AV-Test
Features Are Everything
A big takeaway from the latest round of testing is that while free mobile security suites continue to perform as well, if not better, than their paid counterparts, they don't come with all the bells and whistles. Among said bells and whistles are useful tools like backup, encryption, and critically importantly anti-theft features.
While those are all important, anti-theft tools are probably the most valuable to the average user. Lookout Mobile Security, for instance, offers GPS tracking, remotely triggered alarm, spycam, and just-before-the-battery-runs-out location "signal flare" for free. If you want to remotely lock or wipe your device, you need to pay for the upgrade. Our Editors' Choice for free Android security avast! Mobile Security & Antivirus, on the other hand, is fully featured and totally free.
Further complicating matters is the recent trend among some Android developers to release several free or low-cost apps, and a single for-pay suite. You can, for instance, download Bitdefender's Clueful Privacy Advisor for application reputation information, Bitdefender Anitvirus Free, and Bitdefender Anti-Theft and get most of the features of the $9.95/year Bitdefender Mobile Security & Antivirus.
Choose Your WeaponThe good news is that most of the top-tier for-pay Android security options have a free trial period.  This is great for users, since with so many high-scoring applications, it really comes down to features and how well you like the app. Try a bunch and go with what suits you best. Or just get avast! and save a little money.
Whichever app you settle on, do take the time to set up your security app. While Android malware isn't very common, theft and loss are huge problems. For just a few dollars or few minutes of your time, you can make sure that your device is protected no matter where it ends up

Is it Adware? Antivirus Vendors Say Yes, Google Says No

Is it Adware
It's totally true that we'd have a lot fewer free games and other apps if developers couldn't recoup some of their costs by displaying advertisements. It's equally true that some ad-supported programs and ad networks go way, way beyond what's reasonable in pushing ads and harvesting personal information. Some will even change your wallpaper, or tweak your ringtone so you hear an ad when you get a call. Mobile security vendor Lookout threw down the gauntlet a couple months ago, calling out ad networks with bad behavior. A new study by Zscaler shows that quite a few other vendors agree. The one holdout? Google. Researchers at Zscaler took the top 300 apps in each Google Play category and ran them through the VirusTotal service. When you submit a file, VIrusTotal runs the file past over 40 antivirus scanners and reports how many (and which) identified it as some kind of malware. On this basis, the researchers determined that 22 percent of the apps were flagged as adware by at least one vendor.
Many Voices
The report goes on to analyze just how many antivirus vendors flagged each of the over 1,800 alleged adware products. They broke the apps down into four groups based on how many products called them malicious: fewer than five, five to ten, ten to 15, and 15 or over. The 15 or over group comprised just 2 percent of the total, while 23 percent fell in the ten to 15 range. The majority of the products, 53 percent, got zinged by five to ten products. That "fewer than five" category? Only 22 percent of the apps matched it. Clearly we're not talking about a lone vendor with a vendetta against advertising. Five or more antivirus vendors agreed on the adware designation for the vast majority of the apps involved.
The report continues with a detailed analysis of one sample, and links to the VirusTotal analysis for all of those that were flagged as adware by more than 15 vendors. You can see an example here. Different vendors give it different names, from UnclassifiedMalware to Airpush to Plankton, but 21 of the 46 antivirus scanners identified it as malicious.
Conflicting Aims
"It is in the best interests of Google to appease advertising companies," notes the report. "Google has plenty of incentive to allow apps with aggressive advertising practices. AV vendors on the other hand have no such incentive but are instead under pressure to show that they are adding value by identifying malicious/suspicious/unwanted content."
The report goes on to point out that Apple has taken a very different approach. "[Apple has] shown that they're willing to sacrifice advertising revenue to provide a positive user experience, even restricting the ability of advertisers to track device IDs and MAC addresses." You'll want to read the full report, which concludes with a list of the "intrusive behaviors" that Zscaler's team feel serve to define adware. Not surprisingly, this list agrees closely with Lookout's definition.
There's one more wrinkle to this story; Google acquired VirusTotal last year. At the time, the word was that VIrusTotal would continue to operate independently from Google. Should we be worried about Google interfering with the way VirusTotal handles Android apps? Of course not! After all, the Google motto is "Don't be evil."

PirateBrowser Beats Blockades, Doesn't Make You Invisible to NSA

PirateBrowser
Late last week the Pirate Bay, that jolly torrent tracker/political party, announced a new Web browser designed to circumvent Internet censorship. Dubbed the PirateBrowser, this handy Web crawler is filled with special tools to help you circumvent the frequent blockades of The Pirate Bay. Just don't expect it to keep Big Brother from watching.
According to the PirateBrowser website, the browser consists of Firefox Portable along with a Tor client called Vidalia and the foxyproxy addon. The PirateBrowser's creators write that there have been "no modifications to any of the packages used" so everything is (allegedly) on the up-and-up.
But with NSA surveillance as the security topic du jour, many people seem to have assumed that the PirateBrowser would keep Big Brother from peeking over your shoulder. This doesn't appear to be the case.
At the very top of the PirateBrowser page, an FAQ informs visitors that the browser won't provide total anonymity online. "While it uses Tor network, which is designed for anonymous surfing, this browser is intended just to circumvent censorship — to remove limits on accessing websites your government doesn't want you to know about," reads the website.
What It Doesn't It Do
Connecting to the Tor network bounces your browser requests through a string of random volunteer servers. Each server in the chain can only read one of the encrypted relay requests, making it harder to figure out exactly who did what online. While fascinating, and vital for journalists and human rights activists, it's not perfect.
In a 2009 blogpost, a Tor representative explained how a determined observer could probably discover who went to which website if they were able to monitor traffic going into and out of the Tor network.
"The way we generally explain it is that Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate," reads the blog post. "But Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math."
Just last week we got another object lesson in the limits of Tor's security. Reportedly, a known Javascript exploit in older version of Firefox portable was used to gather evidence against Eric Eoin Marques—who law enforcement claims runs the largest child pornography ring on the planet. The FBI is presumed to have been involved.
In that attack, an iframe tag was loaded onto websites hosted within the Tor network by the (in)famous Freedom Hosting. The tag loaded Javascript which in turn recorded the MAC address and Windows computer name of the visiting computer, and then sent that information off to servers in Virginia allegedly belonging to the FBI.
So What Does It Do?
In short: PirateBrowser keeps people using Pirate Bay. In a quote attributed to Pirate Bay by The Register and others, the Torrent tracker says, "Do you know any people who can't access TPB or other torrent sites because they are blocked? Recommend PirateBrowser to them. It's a simple one-click browser that circumvents censorship and blockades and makes the site instantly available and accessible."
While there is almost certainly a healthy dash of "fight the man" and civil-liberties mixed in with the PirateBrowser, there's also a lot of self-interest. Torrents are a great way to download large files (legal or otherwise) but they work best when lots of people are sharing and downloading the file at the same time. The whole point of BitTorrent was that popular files are easier to download, not harder.
When The Pirate Bay is blocked by whole countries or ISPs, fewer people are contributing to the torrents, making the service less valuable. The PirateBrowser, in theory, keeps people engaged with the service and contributing to downloads.
And then there's they money. The Pirate Bay does include advertising on its website and notably the PirateBrowser did not come pre-loaded with AdBlock. Admittedly, hosting a popular website is not cheap, especially when you're frequently being taken to court, but the more people are on the site the better it is for Pirate Bay.
According to TorrentFreak, the PirateBrowser is just the first step as The Pirate Bay is reportedly "working on a special BitTorrent-powered browser, which lets users store and distribute The Pirate Bay and other websites on their own." Now that sounds interesting.
None of this is to say the PirateBrowser couldn't be a useful tool for a political blogger in Tehran, but there are other services already available for them and purpose-built with anonymity in mind. While it's good to see more browsers that take anonymization seriously, hopefully future browsers will be a little more robust.

Mobile Threat Monday: Android Banking Trojan Sidesteps Two-Factor Authentication

Android malware SW2
When we talk about Android malware, we're usually discussing apps that look to make money in small or subtle ways, usually by tricking you into viewing ads or sending premium SMS messages. This week, we look at full-blown banking Trojan that will siphon cash directly from your bank account if you're not careful.
This week's bad app is designed to sidestep two-factor authentication for online banking transactions. Like on Twitter or other sites with two-factor authentication, some banks will send short security codes called mTANs via text message to users' phones to confirm transactions. Normally, users would enter these into a website or app, but these banking Trojans get it first.
Zitmo.B
F-Secure Security Response Director Antti Tikkanen explained to SecurityWatch that this is a variant on the Zitmo malware, or "Zeus In The Mobile." It doesn't work on its own, but needs a victim who already has a Zeus Trojan on their windows PC. "When the user visits his online bank using the browser on the PC, the banking Trojan shows a message in the browser explaining that 'an additional security application' has to be installed on his phone to use the online bank," explained Tikkanen. "This application is the Zitmo trojan."
These apps trade under two names, usually ing.certificaat.apk or zertifikat.apk. According to F-Secure, these names indicate that the Trojans are aimed at Dutch and German users, as they translate to "certificate" in the respective languages. The apps may appear as "com.certsysdata.core" or "com.androidcore.providers.system10" in your Running Apps menu.
Zitmo
The Zitmo.B Trojan runs in the background in conjunction with the Zeus Trojan on the victim's computer. Using the victim's bank login information nabbed by Zeus on the PC, the attacker can initiate a transfer of funds. Zitmo.B then intercepts the mTAN sent via SMS message from the bank to confrim the transfer. Zitmo.B forwards the confirmation code to the attacker's webserver, and suppresses the message from ever appearing on the victim's phone. The attacker is now free to raid the victim's bank account.
This is particularly scary because once Zitmo.B is on the victim's Android, the rest of the attack is automatic. "So the user does not have to do anything," said Tikkanen.
Staying Safe
These Trojans require victims to willingly install them, which involves allowing third-party apps on their phone. This option is buried in the settings menu, and is turned off by default. People who make use of legitimate third party marketplaces, like Amazon's App Market for instance, may have enabled this feature.
Generally, we advise that Android users keep this turned off unless absolutely necessary. Installing Android security software, like our Editors' Choice award winners Bitdefender Mobile Security and Antivirus or avast! Mobile Security & Antivirus, can also guard against Trojanized apps.

Infographic: Is Your Business Safe From Cyberattacks?

Infographic Organization Info
We all hope that companies have adequate resources to protect their employees' information. After all, there's a constant flow of sensitive data circulating within the company ranging from personal credit card numbers to corporate records. However, the fact is that hackers have gotten pretty smart. Instead of targeting the enterprise as a whole, many attacks now compromise individual employees. Data security company Imperva released an infographic explaining the stages of a targeted attack and how to protect your organization from these attacks.
Employers can let out a sigh of relief in one respect, though: the report states that less than one percent of employees are malicious insiders. However, all employees have the potential to be compromised insiders.
The Seven Deadly StagesImperva outlines seven stages of a targeted attack. In the first stage, the attacker will size up the organization and search social networking sites, like Facebook or LinkedIn, for individuals whose profiles identify the targeted organization as their workplace. Upon finding an employee, the attacker will compromise the individual with malware, which can be done through phishing emails. In fact, 69 percent of data breaches involve malware. An attacker who is successful in the malware attack will start to explore and snoop around the company's network.
At this point the attacker will start to steal other employees' usernames and passwords and install back doors. It's likely that the attacker will adjust employees' permissions to create "power users," which makes it easier to expose the network to malware compared to a normal user.
The nightmare only continues as the attacker will impersonate a legitimate user and steal sensitive data either on other individuals or the company as a whole. If the attacker hasn't been discovered at this point, he or she will slyly return "power users" permissions back to normal user settings and keep an account on the system to use in case of a return visit.
Protect Your OrganizationYou don't have to be a victim to these malicious attacks. There are eight easy steps to safeguard your organization. To reduce the likelihood of an attack, it's a good idea to identify and build policies to protect sensitive data, and audit any access activity to it.
Since attackers are looking to compromise individuals, train employees in how to identify spear-phishing emails and warn them against opening any suspicious emails. Set up solutions, like antivirus software, that can prevent unwanted software from reaching individual users' devices. Antivirus software should detect if an individual has been compromised or if any devices have been infected. You should also check if there has been abnormal or suspicious user activity.
If you do find any compromised devices, contain them by blocking command and control communications from them. To protect any data you want to keep safe, stop compromised users and devices from accessing sensitive applications and information. A few obvious steps you'll want to take after realizing your devices and passwords have been compromised is to change user passwords and rebuild the devices to help prevent future attacks. Finally, after you've cleaned up all you could on the attack, oversee audit trails and forensics to improve the incident response process in hopes of cutting off attacks earlier rather than later.  
No company is completely safe from cyberattacks, but taking measures to protect sensitive information and installing antivirus software can help prevent the likelihood of attacks and catch malicious activity early on.
Click on the image below to view the full infographic.
Infographic Business Safe

10 Black Hat Hacks That Will Make You Put On a Tinfoil Hat

via Black Hat
Reading about digital security can sometimes be like a horror novel that leaves you trembling and nervous. At no time is this more true than Black Hat, the industry conference that attracts hackers from around the world to share their best discoveries. If you wanted to rest easy tonight, stop reading now. If you're brave, then just jump ahead to our hand-dandy slideshow.
Barnaby Jack and Edward Snowden
While this year's Black Hat was bigger than ever, the two most talked about individuals were not in the room. First was famed hacker Barnaby Jack, who died suddenly just days before he was scheduled to appear that conference. Jack had received a lot of attention for some of his attacks on what would come to be called the Internet of Things. In 2010, for instance, he had ATMs on stage and spewing cash at his command. Last year, he demonstrated how to attack insulin pumps remotely with potentially deadly results. This year, Jack promised to go even further.

The other invisible attendee was noted leaker and former NSA contractor Edward Snowden, who helped reveal the NSA's PRSIM and Xkeyscore surveillance programs. The facts about what these programs do and do not do, and who they target, are hazy at best, but have spurred discussions about privacy, security, and the limits of legal data collection.
In response to these issues, NSA director General Keith Alexander delivered the conference's keynote speech in an attempt to tell the intelligence fraternity's point of view. Alexander promised to give the audience the truth, but what that means might still be open for debate. Somehow, the General managed to never breathe the name of Snowden during the one-hour presentation.
Hair-Raising Hacks
Along with this unusually high drama of this year's Black Hat were the usual slew of incredible hacking projects, which covered everything from toilets to iPhones. While they make for good news stories (and paranoia-inducing reading), the hope is that publicizing these issues will help solve them faster.
That's hopefully the case for the iPhone Mactans hack (take a look at the slideshow) but especially the billion browser botnet attack, the creators of which admitted that they had no good solutions.

“Black hat” hacker claims to earn $20,000 per hour – but Reddit doubts it

A self-styled “hacker” claims that crime can pay – saying that his 3 million-strong PC botnet earns him up to “$15,000 to $20,000” per hour.
The comments were revealed in a Reddit AMA in which a site user revealed the details of building and running his own cybercrime operation.
The hacker – under the username throw4way1945 – claimed to be able to send 90 million spams per day, and orchestrate phishing and DDoS attacks to order. The thread attracted dozens of questions.
Sites such as GigaOm suggested the thread offered an insight into the everyday life of those who use hacking skills to make money. “It turns out that the best Black Hat hackers run their operations just like any other business,” GigaOm wrote.
Not all Reddit users were convinced however, and a moderator removed the AMA, commenting, “ This whole thread reeks of bullsh** and I’m removing it. I’m not going to drop docs on op, but he’s 95% full of sh**.”
For $150, the “hacker” claimed he could send a million spam or phishing emails in chunks of 50,000 emails, using a 3-million PC botnet he described as the “Black Shadow Project”.
“i can make 15-20k in a hour.  jail doesnt concern me,” throw4way1945 said, admitting he would work for “anyone. have 0 control over who downloads my file. i simply post a exploit kit (usually in the form of a deface) and then add the link to spam mail and send.”
“Throw4way1945” boasted that he was self-taught, and coded his own attacks over three years. Perhaps tellingly, he suggested readers could learn more about him on his blog – which led, of course, to a broken link.

Whiter-than-white hats, malware, penalty and repentance*

I was recently contacted by a journalist researching a story about ‘hackers’ quitting the dark side (and virus writing in particular) for the bright(-er) side. He cited this set of examples – 7 Hackers Who Got Legit Jobs From Their Exploits – and also mentioned Mike Ellison (formerly known as Stormbringer and Black Wolf, among other handles), who in 1997 contributed a well-written and thought-provoking paper to Virus Bulletin, arguing that the antivirus industry should move beyond stereotypes of virus writers as socially inept, ethically challenged, and programmatically incompetent, and engage with them in dialogue and even consider employing (reformed) virus writers. Ellison had himself written viruses for his own research purposes but apparently he never released them into the wild, though he published code in various forums. His farewell to virus writing and his reasons for quitting the practice are quoted in full by Kurt Wismer here.
As it happens, I was at that presentation and discussion (it was the year of my own first paper for Virus Bulletin), and exchanged some emails with him subsequently. Not that I would have been persuaded enough to offer him a job, even if I had actually been working in the security industry at that time. (I was handling anti-virus, among other chores, for a medical research organization.) Still, he made some good points in his presentation and our later email exchange, and certainly came over as one of the more ethically grounded and technically knowledgeable (ex-)virus writers with whom I had contact at that time. The way Joel Deane recalled it, many of the audience members outside the AV industry were convinced enough to react positively to the idea of an anti-virus product from a company that employed former virus writers, but to the best of my knowledge, Ellison was never offered a job in the AV industry.
I was later approached by a publisher wanting someone to complete a book on which someone called Michael Ellison had apparently done much of the initial work. In fact at least one other researcher received similar approaches, but as far as I know, no-one from the industry took up the offer. I can’t be sure it was the same Michael Ellison as I no longer have any of that correspondence, but it’s relevant to my present train of thought either way.
The book plan as presented to me was largely along the lines of writing a demonstration virus, then writing the module to detect and disinfect it. It’s unlikely that any mainstream AV researcher at the time would have been prepared to publish self-replicating code: I was even more concerned, though, that readers of such a book would be misled into thinking they’d learned far more about virus and antivirus technology than they really had: that approach seems to me to be seriously flawed. In the end, a reader would finish up with an outsider’s view of how anti-malware technology is written using examples of quasi-malicious code that weren’t really typical of the real thing. (Suddenly I’m reminded of the Rosenthal utilities…) However, the publisher refused to consider any modification to the plan and I don’t think it was ever finished. (It’s because Ellison had already said that he wouldn’t be writing any more viruses that I wonder if it might have been a different Michael Ellison.)
There have been other virus writers who were reportedly offered jobs related to or in the security industry on the strength of their presumed programming skills. The PC Mag slide deck cited above has some recent instances, but any rehabilitation of such individuals has not usually been into the mainstream AV industry. There have been whispers about virus writers employed directly by the AV industry – Ellison mentioned in his paper that some of his VX peers were ‘perhaps’ working in AV, perhaps undermining his own core propositions, but didn’t name names, and I’m not about to. (I realize that there are still people out there who believe that we write all the malware, but we don’t.)
I recall one semi-reformed virus writer who claimed that his security clearance in the UK was higher than mine, but I can’t remember his handle. The fact is, though, that vendors in the core virus detection industry would have avoided (publicly at least) employing ex-VXers for several reasons: suspicion of inadequate ethical development; conviction that writing malware is far from proof of technical skill; a suspicion that virus writers are less likely to have the discipline necessary to work in a team or have good coding habits, and may be reluctant to be trained in more ‘appropriate’ ways of working; but probably most of all because other companies would use it to undermine their credibility. In fact, I’ve always felt that for most outsiders, the AV industry would have made its case much better in a variety of contexts – such as the issue of whether it’s a good idea to test security products using newly-created malware - by focusing on the technical arguments against writing ‘good’ viruses (and employing virus writers) rather than simply contending that writing self-replicating code is intrinsically unethical.
However, that was then and this is now, you’ll be surprised to hear. Viruses have not completely vanished and sometimes have much more impact than the low volumes in which they are generally seen. However, malware culture has drastically changed in the 21st century. Malware is almost entirely profit-driven. If security vendors don’t trust hobbyist virus writers enough to employ them, they certainly aren’t likely to put any trust at all in people whose expertise is in writing banking trojans, phishing, and so on. Moving away from vendors with core expertise  in malware detection, security firms in general are more likely to employ hackers – whatever you may understand by the term – with interests and presumed expertise in areas other than malware creation, such as vulnerability research.
The core issue is that a very high percentage of the (new) malware we see nowadays is criminally malicious, so the individual has already chosen to cross a line, and it’s not so easy to walk back over that line when you’ve broken the law. There were, of course, individuals at the time of Ellison’s experimentation whose motives were plainly malicious (usually destruction rather than financially motivated). Conversely, there are still individuals whose experimentation is inspired by curiosity and desire for peer approval rather than real malice or intended criminality. But we generally expect even precocious teens to have enough sense of social responsibility and sense of mens rea not to write phishing Trojans.
There are plenty of recent examples of people who’ve cooperated with law enforcement after capture but far fewer of someone known to have experienced some form of moral epiphany rather than a desperate attempt at an exit strategy. My guess is that the curious/experimental mindset is more to be found in areas like vulnerability research, most of whose practitioners wouldn’t regard themselves as criminals, though most of them probably hope to make some money out of what they do. That isn’t criminal in itself, of course – I expect to make some money out of at least some of what I do! – but it is different to old-school (whitehat) hacking for the sake of experimentation. The gangs behind most malware are usually focused on efficiency and ROI and ‘good enough to work’ coding, though we see evidence of some slightly more blue-sky research. However, co-operation from within those groups is most likely to be inspired by self-preservation.  
By the way, if you think you’ve seen the feature graphic before, it’s extracted from the cartoon here. If you haven’t seen it, it might amuse you for a nanosecond or two.
*”…And he spoke through his cloak, most deep and distinguished
And handed out strongly, for penalty and repentance
William Zanzinger with a six-month sentence…”
(Bob Dylan, ‘The Lonesome Death of Hattie Carroll’)

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Stop TVs spying on us! U.S. Senator calls for safer “Smart” devices

A U.S. Senator has called on the manufacturers of Smart TVs to make their devices safer – after a demonstration of an attack which showed off how hackers could “spy” on users through a television’s built-in webcam.
“You expect to watch TV, but you don’t want the TV watching you,” said Senator Charles E Schumer, a Democrat from New York. “Many of these smart televisions are vulnerable to hackers who can spy on you while you’re watching tv in your living room. Manufacturers should do everything possible to create a standard of security in their internet-connected products.”
His comments come in the wake of a demonstration at the Black Hat security conference in Las Vegas, where a researcher showed off how to remotely activate the microphones and cameras in a Samsung Smart TV, as reported by NBC.
“Smart TVs sold over 80,000,000 units around the world in 2012,” SeungJin ‘Beist’ Lee wrote of his Black Hat briefing. “This next generation “smart” platform is becoming more and more popular. Expensive Smart TVs have many hardware devices like a Camera or Mic which, if remotely controlled, means bad guys can spy remotely without you knowing. Even more, it is possible to make Smart TVs monitor you 24/7 even though users turn off their TV.”
Schumer issued his comments in the form of an open letter to television companies.   “For a TV to secretly function as a spycam would violate a fundamental expectation of privacy in the American home,” Schumer writes.
“As technology has advanced in recent years, we are connected in ways that were previously unimaginable.  Televisions now have Wi-Fi, cameras, and other features similar to those of a computer, and are able to complete new and exciting tasks:  surfing the internet, making calls, streaming videos and more.”
“These advances can dramatically improve the viewing experience of the American consumers.  What has not changed, however, is that Americans expect that when they turn on the television they are in the safety and privacy of their home or office, and not being spied on by hackers.With these expanding features, televisions must include additional security measures.”
ESET Security Evangelist Stephen Cobb offers a guide to securing a household full of digital devices in a blog post here. “On a typical evening or weekend at home, how many computing devices is your household using?” Cobb asks. “In my house the answer is 10, and that’s just my wife and I. Before you decide we’re an extreme example, make sure your household computer count includes all of the laptops, tablets, iPods, smartphones and the like. Then think about the TV and DVD player, one or both of which may be connected to the home network. The fact is, many homes today are multi-device households, with numerous PCs, Macs, tablets and smartphones.”
Samsung advised users to cover the lens of their camera in the wake of the demonstration, issuing a statement which said. “Samsung takes all concerns regarding consumer privacy and information security very seriously, and we have released a software update to resolve this issue. In addition, the camera can be turned into the bezel of the TV so that the lens is covered, or disabled by pushing the camera inside the bezel. The TV owner can also unplug the TV from the home network when the Smart TV features are not in use.”

Warning over security flaws in HP printers which can reveal passwords

Security flaws in some models of HP LaserJet Pro printers can reveal users’ administrator passwords to remote attackers,  a researcher has revealed.
“Some networked HP LaserJet printers have hidden URLs hardcoded in the firmware. The URLs are not authenticated and can be used to extract admin password in plaintext – among other information like WiFi settings (including WPS PIN),” according to Polish security researcher Michael Sadjak.
The printer manufacturer has released firmware updates for the affected devices, but as The Register points out in its report, such devices are rarely patched by consumers.
HP said in its support document, “A potential security vulnerability has been identified with certain HP LaserJet Pro printers. The vulnerability could be exploited remotely to gain unauthorized access to data.
The vulnerability is in two hidden URLs hardcoded into the firmware, which contain configuration information for the devices.
“The password seems to be encrypted on the screen above… but wait, the value contains hex representation of the admin password in plaintext (!). In other words, using this method, the admin password can be extracted regardless of its complexity,” Sadjak says.

September 23, 2013: HIPAA health data security compliance deadline looms

September 23, 2013 is a date to note if your organization handles health-related information. You might be a medical clinic, or a company that does IT work for a clinic. You might not think of yourself as being a medical professional. You could be a data storage provider or an IT consultant who does some work for a company that sometimes helps out hospitals. The point being: Now is the time to make sure you are aware of the implications of September 23.
So what happens on September 23, 2013? That is the deadline for compliance with new HIPAA regulations. If you’re thinking HIPAA is “so last decade” then you need to think again, as in HIPAA 2.0. In January of this year, the U.S. government published new regulations that extend the reach of federal healthcare privacy and security laws, embracing a whole new range of companies that service the healthcare industry.
The new rules, codified as the “omnibus regulations,” also known as the “Final Rule,” include significant changes to the privacy, security, enforcement, and breach notification rules that were promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to the Head of the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS):
This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.
The Final Rule became effective on March 26, 2013, and compliance is generally required by September 23, a little over 40 days from now. While the enforcement body, the OCR, did not immediately begin investigating and fining organizations after the original HIPAA rules went into effect, I would not bet my business on there being a “grace period” with the new rules. After all, PHI breaches are currently running at an average of 17,000 per day, based on the HHS breach data. You have to assume reducing that unhappy privacy statistic is a priority for OCR.

PHI and Business Associates

Practically every business that processes, stores or otherwise handles protected health information (PHI) is required to comply with privacy and security controls. PHI is individually identifiable health information, in other words, health information which can be linked to a particular person. Specifically, this information can relate to:
  • The individual’s past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or,
  • The past, present, or future payment for the provision of health care to the individual.
Clinics and hospitals and health insurance companies may be the first things to come to mind when you read those bullets and these are generally considered “covered entities” under HIPAA. But the structure of the healthcare industry in America is such that a vast array of organizations and individuals currently service the industry. HIPAA refers to these service providers as “business associates” which are generally defined as: “a person or entity that creates, receives, maintains, or transmits protected health information (PHI) in fulfilling certain functions or activities for a HIPAA-covered entity.” (Godfrey & Kahn, S.C.)
(Let me say right now that I am not qualified to give you a legal opinion as to whether or not you or your company constitute a business associate under HIPAA 2.0. One area where this determination gets pretty tricky is the cloud and what are formally known as MTDCs or multi-tenant data-centers. Fortunately, some cloud providers offer very helpful information on this topic, like this AIS article about HIPAA and MTDCs.)
OCR to “vigorously enforce the HIPAA privacy and security protections”Under HIPAA 1.0 a covered entity was supposed to impose privacy and security requirements on the business associates with whom they did business by means of contractual agreements (BAAs or Business Associate Agreements). However, when the mandatory reporting of breaches of unsecured protected health information began in 2009, it quickly became clear that business associates were going to be a problem. So far, 57% of breaches involving 500 or more individuals have been from business associates, impacting five times as many individuals as breaches from covered entities. Now, under HIPAA 2.0, both the HIPAA Security Rule and the HIPAA Privacy Rule apply directly to business associates, making them potentially liable for civil and criminal penalties for any non-compliance with the HIPAA regulations.

Serious insecurity consequences

What sort of penalties are we talking about when HIPAA violations come to light? Consider this table of amounts levied in 2012, totaling almost $10 million:
breach stats from HIPAA
Clearly, HHS does not like people storing unencrypted PHI on mobile devices. And when OCR comes to investigate, you will be in trouble if you don’t have well-documented risk analysis, policy, and controls. You can find more HIPAA enforcement cases online. What you won’t see yet are fines levied against business associates. I predict we will see the first of these towards the end of next year, with possible headlines like this:
Cloudy with a chance of lawsuits: Data center dinged over medical record handling
Tip trip trashes clinic reputation: Record management firm faces five figure fine over health data flub!
Apart from the excessive alliteration, such stories are entirely feasible in the wake of September 23, 2013. Now is the time to ask if your organization needs to revisit HIPAA compliance. Remember, not every PHI breach ends in a fine. If you can show your organization has made a reasonable effort to comply with HIPAA 2.0 you may not be dinged (as in subject to a fine and subject of a national press release).

Cybercriminals “saving up” wave of Windows XP attacks for when Microsoft stops support

Cybercriminals will unleash a wave of “zero-day” vulnerabilities to attack Windows XP machines after April 8, 2014, a security expert has claimed. Microsoft will stop releasing security updates for the OS on that date.
Criminals will “sit on” such vulnerabilities until that date to make more money from their exploits, according to Jason Fossen of security training company SANS.
At present, vulnerabilities are patched by Microsoft. After April, only companies paying for custom support will be protected – and up to a third of organizations are expected to still use Windows XP machines.
“The average price on the black market for a Windows XP exploit is $50,000 to $150,000 – a relatively low price that reflects Microsoft’s response,” said Fossen, speaking to ComputerWorld.
“When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks. But if they sit on a vulnerability, the price for it could very well double.”
Fossen’s thesis is based on the still-significant number of PCs using Windows XP.
Windows XP, which came out in 2001, is still the second most popular version of Windows – 38.7% of PCs used XP as of the second quarter this year, according to NetMarketShare.
ComputerWorld has projected that 33-34% will still run the OS when Microsoft stops patching it. That’s a stark contrast, Fossen says, to the low numbers using Windows 2000 when it was retired in July 2010 – four-tenths of 1%, according to monitoring firm Net Applications. Even so, there were reports of zero-days targeting Windows 2000 when it was retired, according to ComputerWorld‘s report.
Research by Camwood, a British software consultancy, found earlier this year that  just 42% of firms running Windows XP have begun the migration process.
Microsoft recommends leaving at least 18 months to migrate. One in five of the IT people surveyed said that they intended to continue using the operating system, despite being aware of the risks.

Don’t get zombified! Security tips for PC gamers

Online gamers have become a prime target for cybercriminals – with attacks this year targeting major game publishers such as Ubisoft and Nintendo, and developers such as Crytek.
Cybercriminals target game sites looking for usernames and passwords – and also target PC gamers specifically with malware such as keyloggers and Trojans.
But even under heavy fire, there are a few steps that can keep your system safe – even if your favourite gaming websites do get hacked.
ESET‘s PC antivirus software is a good first step – offering security solutions that do not compromise speed, and which can run while you play. Below are a few more tips to stay safe.


Use Lastpass or another “password safe”
Gamers have to remember an awful lot of passwords these days – so it can be tempting to reuse the same one across multiple accounts, especially when it’s just for a copy-protection system such as Ubisoft’s Uplay. Bad idea. Uplay was hacked this year, and usernames and (encrypted) passwords leaked. Use a “throwaway” email address if possible for copy-protect schemes and other sign-ups – and as many passwords as possible. Use Lastpass or another “password safe” to stay on top of it all.
Think before you alt-tab
It helps to have a browser window open for a lot of games – especially complex ones such as MMOs. But it pays to think before alt-tabbing out of a game to check a link – people you meet in-game, even team mates or guildmates, may not be who they seem. The US Computer Emergency Response Team warns that people you meet “in game” may be there for the purpose of hawking malwware – and “direct you to phony web sites offering bogus patches or game downloads that, in reality, are malicious software.”
Is “God Mode” really worth all the cash in your bank account?
“Hacks” traded online might let you see through walls, or speed your character up – but many are very aptly named. It’s usually you who gets hacked, though – samples of PC “hacks” have found up to 90% carry malware.
Modding? Be very, very careful
In many online games mods and add-ons aren’t an extra – they’re an essential. Being seen out and about in World of Warcraft without a damage counter is a social faux pas. Just double-check the sites you’re getting them from. Sites such as ModDB or Curse are often reliable – but even they can harbour player-made mods that harbour malware. Check reviews, check URLs, and if possible have good AV software running.
Stay off the forums if you can resist it
Setting the world to rights on game forums can be irresistible – why HAS your class been nerfed? It’s unjust! Using forums can be risky, though – cybercriminals target game forums as an easy “way in” to grab large lists of usernames and passwords. If you do use them, make sure your password is different from your main game one, and if possible use a different “throwaway” email address.
Don’t buy gold – and if you do, don’t buy off the guy shouting in the chat channel
Buying gold, game currency or levelling services is risky business – the money/services you buy might well come from hacked accounts – and if you buy off the “sellers” hawking wares in the game’s chat channel, you’re even more at risk. No seller is 100% reliable, even big sites such as IGE, but small sites are havens for phishing attempts, spyware and credit card theft. Avoid.
Don’t turn off security features to speed up your PC
PC lagging? Don’t turn off security features to play – according to a survey of 1,000 PC gamers in the UK commissioned by ESET, more than 30 percent of PC gamers admit that they disable PC security features before playing online. As a result, more than two-thirds of the gamers surveyed admitted to having suffered a malware infection taking up to two days to recover from.
Joining a fan site, or a guild forum? Be careful
Take a long, hard look at any website that asks for game log-ins – even convincing looking fan sites. Blizzard, makers of World of Warcraft, warn, “Ssomeone deliberately targeting Battle.net accounts could create a site for that purpose, such as a fansite or forum for a Blizzard game. If you register on that website with your Battle.net username and password, you’ve given that person the keys to your account.”
Is there an authenticator on offer? Use it
Two-factor authentication isn’t bulletproof, but it’s a good step towards preventing account hacks – either in the form of a smartphone app, or a physical device.  If there’s an authenticator app on offer, use it – it makes it far more difficult for a criminal to get into your account, and can protect you, for instance, if your password leaks in a hack on another site.

V3 Hot Seat: WhiteHat Security CTO and founder Jeremiah Grossman


Whitehat CTO Jeremiah Grossman
Tech entrepreneur Jeremiah Grossman claims he started his first business when he was just eight years old, going on to create so many companies he can't actually remember them all. However it was only in 2001 the then Yahoo information security officer claims he really hit his stride, founding WhiteHat Security.
Headquartered in Santa Clara, California the company offers bespoke website defence systems to businesses of all sizes across the globe and lists itself as serving dozens of Fortune 500 businesses and in sectors including e-commerce, financial services, information technology and healthcare.
Grossman's Hot Seat is the latest from V3, following on from a host of leading industry figures ranging from government chief operating officer Stephen Kelly to Hotels.com chief technology officer Stuart Silberg.
V3: What's your favourite part of your current job?
Grossman: The best part of my job is getting to work on extremely hard problems that are important to the world, with the extremely smart people who are necessary to solve them.

What would be your dream job (apart from your current role, of course)?
I think I'd like to be a cage fighter, or a Geneticist. I can never decide which to do first.

Which mobile phone and tablet do you currently use?
At the moment I just use an iPhone 5.

Which person do you most admire in the IT industry?
There are a handful of people I admire, but top of the list is Robert "RSnake" Hansen.

Which technology has had the biggest impact on your working life?
For me HTTP has had the biggest impact.

What's been the highlight of your career so far?
There have been so many, it's hard to choose just one, but probably WhiteHat Security's first paying customer.

What was your first job?
I actually have no clue. I've been working and starting little businesses since I was eight.

What's your favourite thing about working in the IT industry?
For me it's that very few of the problems faced by modern society can't be solved, or at least substantially improved upon, by the work we do every day. IT makes people's lives better.

What will be the next big innovation of the coming years?
I have no idea, but I think big advancements are coming in the area of Life Sciences.

What do you do enjoy doing when you finish work?
I never really 'finish' work, but when I stop for a moment, Brazilian Jiu-Jitsu is my other passion.

What keeps you awake at night?
My children keep me awake.
Who is your favourite band or musician?
I rarely listen to music.

Where's your favourite holiday destination? Or favourite place for escape?
I live in Maui so I don't really need to escape.

Ereaders or real books?
I use both.

Twitter, Facebook or Google+?
I prefer Twitter.

Favourite film?
I rarely watch movies, but The 13th Warrior is probably one of my favorites.

Windows or Mac OS?
I use Mac OS X.

On-premise or cloud?
I use whatever gets the job done and fulfills the business requirements.

How can we get more school children interested in IT careers?
We can do this by getting more children interested in school in general, rather than making them view it as a compulsory life activity.

What websites do you have bookmarked at work?
I don't use bookmarks.

Dalai Lama's Chinese website infecting visitors, expert warns

A prominent computer security firm has warned that the Dalai Lama's Chinese-language website has been compromised with malicious software that is infecting computers of visitors with software that could be used for spying on its visitors.
Kaspersky Lab researcher Kurt Baumgartner told Reuters that he is advising web surfers to stay away from the Chinese-language site of the Central Tibetan Administration's site until the organization fixes the bug.
He said he believes the group behind the campaign was also behind previous breaches on the site that have gone unreported as well as attacks on websites belonging to groups that focus on human rights in Asia.
Officials with the Office of Tibet in New York could not be reached for comment. That office houses the Dali Lama's official representative to the United States.
Baumgartner said that the Chinese-language site of the Central Tibetan Administration, which is the official organ of the Dali Lama's government in exile, has been under constant attack from one group of hackers since 2011, though breaches have been quietly identified and repaired before garnering public attention.
"They have been trying repeatedly to find vulnerabilities in the site," he said.
He said that it is safe to visit the group's English and Tibetan sites.
He said he believes the same group of attackers has repeatedly infected the site with malicious software that automatically drops viruses on computers running Microsoft Corp's Windows and Apple Inc's Mac operating systems. They infect machines by exploiting security bugs in Oracle Corp's Java software.
That gives them "back doors" into those computers. "This is the initial foothold. From there they can download arbitrary files and execute them on the system," Baumgartner said.
An Oracle spokeswoman had no immediate comment.
The Dalai Lama, Tibet's 78-year-old exiled spiritual leader, fled China to India in 1959 after an abortive uprising against Chinese rule.
Beijing considers the globetrotting monk and author a violent separatist and Chinese state media routinely vilify him. The Dalai Lama, who is based in India, says he is merely seeking greater autonomy for his Himalayan homeland.

World's sexiest computer hacker ordered to pay $35,000 in damages

A Russian woman widely dubbed the "world's sexiest computer hacker," prosecuted in the United States for taking part in stealing $3 million from bank accounts, has been released by a New York court and placed under surveillance.
Svechinskaya's attorney Richard Palma told the court that she was young and inexperienced when she was drawn into the conspiracy. Like many young people, she failed to assess what she was doing, he said, and asked the court to take into account her lack of a criminal record.
Svechinskaya, in turn, said she deeply regretted what she had done.
"This was the biggest mistake of my life and I can assure you that I will never do this again," she said.
The judge presiding over the case took into account the two months that Svechinskaya had spent in pretrial detention.
After the sentence was read, she was given 14 days to file an appeal. However, her lawyer told RIA Novosti that he was satisfied with the ruling.
Svechinskaya also told RIA Novosti that she was satisfied with the verdict. When asked what she was going to do now, she said she did not know.
According to a Department of Justice press release, Svechinskaya was recruited by a criminal group to open false bank accounts into which $35,000 in fraudulently acquired funds was deposited, and from which approximately $11,000 was withdrawn.
Svechinskaya and 37 others allegedly used dummy bank accounts, fake passports and a Zeus Trojan to appropriate $3 million from US banks and another $9 million from British banks.
US authorities on Thursday charged four Russian nationals and a Ukrainian man in connection with the theft of more than 100 million credit card numbers breaching the computer networks of major US and international corporations in what is being called the largest hacking scheme ever to be prosecuted in the United States.
â€Å“The losses in this case are staggering,” Paul Fishman, the US attorney for the district of New Jersey, told a news conference Thursday, The New York Times reported. â€Å“This type of crime is really the cutting edge of financial fraud.”
The five men stand accused of conspiring in a worldwide scheme that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses, Fishman̢۪s office said in a statement Thursday.
They â€Å“conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals,” prosecutors said.
The crimes involved stealing the credit cards and selling them to resellers across the globe, resulting in hundreds of millions of dollars in losses to companies and individuals, â€Å“including losses in excess of $300 million by just three of the corporate victims, and immeasurable losses to identity theft victims,” prosecutors said in the statement.
Companies targeted by the group include NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard, according to prosecutors.
The Russian men indicted are Alexander Kalinin of St. Petersburg, Roman Kotov and Dmitry Smilianets of Moscow, and Vladimir Drinkman of Moscow and the city of Syktyvkar in northwestern Russia, according to Bloomberg. Mikhail Rytikov of Odessa, Ukraine, was also indicted in the case, prosecutors said.
Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012. Similianets was extradited last September and remains in federal custody, prosecutors said, while Drinkman remains in custody in the Netherlands pending an extradition hearing.
The other three suspects remain at large, prosecutors said.
The four Russian suspects have all been charged with unauthorized access to computers and wire fraud, all five have been charged with conspiracy to commit those crimes. Prosecutors said Rytikov provided anonymous web-hosting services allowing the hackers to obscure their activities.

Asbury Park's website taken over by hackers

The city’s municipal website was down Sunday after it was apparently hacked and replaced with a blue image of a man holding a partially disguised rifle.
Police Chief Mark Kinmon said the city was working with the website’s design company, M Studio in Asbury Park, to investigate and restore the website. As of Sunday night, the website still was down for maintenance.
“I would say it is very unusual,” Kinmon said of the hack. “I don’t recall anything like this happening in the past.”
The image, which was accompanied by music, included a reference to “Ayyildiz Tim,” or Ayyildiz Team. According to Web forums, the group are Turkish hackers that find weak Web page codes and take over sites, inserting their own images.
M Studio, on Bangs Avenue, did not immediately respond to a voicemail left there on Sunday.
The hack comes just weeks after the City Council raised discussions about finding a new company to redesign the municipal website. Mayor Myra Campbell said she wants a website that is more user-friendly.
She said a new website should give residents access to online forms and city code books.