Thursday 14 November 2013

Keypic aims to replace wobbly-text CAPTCHAS with pictures that “lock” spammers out

A new start-up aims to keep spammers out of websites – without forcing human beings to undergo CAPTCHA tests.
Last month, We Live Security reported on an AI firm which showed off software which can reliably crack the wobbly text used to “block” automated programs.
Instead, Keypic uses an image – usually an advert, but it can be a single pixel, an animation, or anything the site’s administrator wants – and checks for typically “human” behavior. It’s already used on nearly 6,000 sites, and is available as a plug-in for WordPress and Drupal.
“Our service does a full cross check against all other requests (we receive hundreds of them every second) to determine if your user is a spammer or not,” the company says, claiming that its service is effective for free email service sign-up and for blog comment spam.
The service works by an automated process that looks for typical spammer behavior – starting with the fact that most programs won’t download an image, whereas a human using a browser will. The data is cross-referenced with thousands of other form submissions.
“Whether the image is retrieved is just one of the ten or so data points Keypic checks,” says Mark Gibbs of Network World. “Other data points include how long it takes for the form to be submitted (which reveals software that tries to submit at a high rate), what order are the fields filled in, what the IP address is, what browser is being used, how many requests are received per minute from a single IP address, and the characteristics of any text entered into fields other than name and password.”
Keypic Web Service sends back a number – in percentage form – showing the likelihood a user is or is not a spammer. The company says it can radically improve response to interactive features such as polls – or blog comment channels.
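The data points described above (whether the image was fetched, time to submit, field order, per-IP request rate, comment content) lend themselves to a simple weighted scorer that returns a percentage. The code below is an added illustration, not Keypic's service or code; the weights, thresholds, field names and the sample submissions are all constructed assumptions.

```python
"""Toy form-submission risk scorer modelled on the kind of signals the article
lists. Illustration only: weights, thresholds and samples are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Submission:
    ip: str
    fetched_image: bool      # did the client request the page's image?
    seconds_to_submit: float  # page load -> form submit
    field_order: list         # order in which fields received input
    comment: str
    ts: float                 # submission time, epoch seconds


# Order a person usually follows on a comment form (assumed layout).
EXPECTED_ORDER = ["name", "email", "comment"]


def score_submission(sub, recent_by_ip):
    """Return (spam likelihood in percent, list of contributing reasons).

    recent_by_ip maps an IP to the timestamps of its earlier submissions.
    """
    score, reasons = 0, []
    if not sub.fetched_image:
        score += 40
        reasons.append("image not fetched")
    if sub.seconds_to_submit < 2.0:
        score += 25
        reasons.append("submitted too fast")
    if sub.field_order != EXPECTED_ORDER:
        score += 15
        reasons.append("unnatural field order")
    per_minute = sum(1 for t in recent_by_ip[sub.ip] if sub.ts - t <= 60)
    if per_minute >= 10:
        score += 20
        reasons.append("high per-IP rate")
    if "http://" in sub.comment or "https://" in sub.comment:
        score += 10
        reasons.append("link in comment")
    return min(score, 100), reasons


def score_batch(subs):
    """Score submissions in time order while building the per-IP history."""
    history = defaultdict(list)
    results = []
    for sub in sorted(subs, key=lambda s: s.ts):
        pct, reasons = score_submission(sub, history)
        history[sub.ip].append(sub.ts)
        results.append((sub.ip, pct, reasons))
    return results


if __name__ == "__main__":
    # Constructed sample: one human and a burst of twelve bot posts.
    human = Submission("198.51.100.7", True, 45.0, EXPECTED_ORDER, "Nice post", 1000.0)
    bots = [Submission("203.0.113.5", False, 0.3, ["comment", "name", "email"],
                       "buy penny stocks http://example.invalid", 2000.0 + i)
            for i in range(12)]
    for ip, pct, why in score_batch([human] + bots):
        print(f"{ip:14} {pct:3d}%  {', '.join(why) or 'looks human'}")
```

The per-IP rate signal only fires once an address has accumulated history, which is why the first posts of a burst score lower than the later ones; a real deployment would combine this with the cross-site correlation the company describes.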
“Most bloggers are familiar with programs that submit bogus comments, usually for the purpose of raising search engine ranks of some website (e.g., “buy penny stocks here”). This is called comment spam,” the company says. “With Keypic, only humans can post comments on a blog, and bot actions are really restricted. There is no need to make users sign up before they enter a comment, and no legitimate comments are ever lost.”
Last month, a new artificial intelligence startup, Vicarious, showed off software which could “crack” CAPTCHA tests.
A program designed by Vicarious is shown “breaking” CAPTCHA text in a video released by the company. The system, known as Vicarious AI, achieves a success rate of up to 90% against standard CAPTCHAs used by Google, Yahoo and PayPal, its creators claim – using machine learning, rather than massive amounts of computing power.

One in five big banks has faced “high risk” security incidents via web apps

Half of the 50 biggest banks have faced security incidents affecting their web applications. Fifteen per cent of those incidents were classified as “high” or “critical” risks, a new study has revealed.
The research was carried out by Swiss IT services firm High-Tech Bridge, and found that 11 bank sites had faced serious incidents in the past eight years, according to Computer World.
High-Tech Bridge claims that research by Frost and Sullivan shows that three out of four network intrusions are the result of insecure web applications. The company acknowledges that its data does not include information on DDoS attacks or phishing – threats commonly faced by banks.
The Swiss firm published its research, based on publicly available data, to coincide with a “cyber war game” testing the defenses of Britain’s investment banks. The firm was involved in testing security for some of these institutions, according to CEO Ilia Kolochenko, interviewed by the London Evening Standard.
Most bank sites had faced low- or medium-risk incidents involving their web applications, usually involving cross-site scripting vulnerabilities.
Ilia Kolochenko, High-Tech Bridge CEO, says: “The numbers we see are quite impressive, even though our research only covered publicly-known security incidents and we didn’t take into account the more common DDoS attacks or phishing campaigns as they do not involve security of web application directly.
“The statistics confirm that even financial institutions should pay more attention to their web application security, not only to protect their customers but to maintain their digital reputation. The fact that there are few security incidents publicly exposed in 2013 does not necessarily confirm that web applications are becoming more secure. It’s more about new objectives of hackers – today they are not looking for glory but for profit, therefore don’t make any noise and compromise web systems without being noticed.”
A ‘war game’ scenario on Tuesday, reported by We Live Security, tested thousands of banking staff across London’s investment banks against the ‘worst case scenario’ – a major cyber attack on stock exchanges, among other scenarios. The simulation, ‘Waking Shark II’, is one of the largest exercises of its kind ever organized in the world, according to a report by Reuters. The exercise also simulated other scenarios, such as how banks ensure the availability of cash from ATM machines.
The “game” was organized by the Bank of England, the Treasury and Britain’s Financial Conduct Authority and follows a similar exercise two years ago.
In September, Scott Borg, chief of the U.S. Cyber Consequences Unit, said that he believed manipulation of the financial markets would be the next major target for cybercriminals, according to Computer World.
More than half of securities exchanges around the world faced cyber attacks last year, according to a paper released by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE), according to an earlier We Live Security report.

“The number of high profile and critical ‘hits’ is also increasing,” says the IOSCO report. The report warns that “underestimation of the severity of this emerging risk may lay open securities markets to a black swan event.”
A survey of 46 exchanges around the world found that 53% had faced cyber attacks – mostly disruptive in nature, rather than financially motivated, and mostly consisting of malware or DDoS attacks. Nearly all – 89% – of those surveyed agreed that cybercrime should be considered a systemic risk.

Hackers could turn Android phones into PIN-harvesting spy tools

Hackers could theoretically hijack and use smartphones' cameras and microphones to steal users' bank details, according to researchers from Cambridge University.
Laurent Simon and Ross Anderson claimed it is possible to create malware that uses Android phones' cameras and microphones to harvest numerical PINs in a joint research paper called PIN Skimmer: Inferring PINs Through The Camera and Microphone.
The paper said the malware could be spread on its own or injected into insecure legitimate applications. Once infected, the hijacked apps could theoretically then force the microphone and camera to follow the user's taps on the screen.
"The microphone is used to detect touch events, while the camera is used to estimate the smartphone's orientation and correlate it to the position of the digit tapped by the user," explained the paper. "The mobile application collects touch event orientation patterns and later uses learned patterns to infer PINs."
The paper said the malware could be created to have a learning element that improves the attackers' chances of stealing the PIN the more times it is entered. The theory was tested using the Google Nexus S and Samsung Galaxy S3 smartphones, and the tests yielded a 50 percent success rate when detecting four-digit PINs entered more than five times.
The tactic could theoretically be used by cyber criminals to steal numerical login details for a victim's online bank account, for example. The researchers listed the theoretical attack as proof that application developers and manufacturers need to start taking security more seriously.
Attacks on smartphones are a growing problem facing businesses, especially for users of Google's Android operating system. This is because Google has chosen to leave Android open to developers, letting them tweak it and release applications outside of the official Play Store.
While the strategy boosts innovation, it also leaves it open to abuse, allowing criminals to use it to spread malware via Trojanised apps and other means. Seventy-nine percent of all mobile malware is designed to target Android, according to the most recent figures from the US Department of Defense.

EC under threat from ‘continuous cyber attacks'

The European Commission (EC) has said that it is being hit by a “continuous stream of cyber attacks” that range from basic phishing scams to high-level attempts to steal data.
The vice president of the EC responsible for inter-institutional relations, Maroš Šefčovič, revealed the attacks targeting the organisation during a speech at the annual Security and Safety Symposium in Brussels.
“Like so many other public and private organisations throughout the world, the Commission is suffering a continuous stream of cyber attacks,” he said.
“Whereas most of these attacks relate to relatively innocent 'phishing' or similar IT scams, an increasing number specifically aim at the Commission’s interests, activities and information.”
The revelation is perhaps not hugely surprising given the threats faced by firms of all sizes from cyber criminals, but the high-level nature of the attacks Šefčovič hinted at underlines just how serious a threat this has become.
During the speech Šefčovič also touched on the concerns that the PRISM spying scandal has raised as he questioned whether such high-level intrusion was really warranted.
“Although the principal objective of the surveillance programmes might well be justified on anti-terrorism grounds, questions remain with regard to privacy laws and related issues of jurisdiction,” he said.
He added, though, that organisations must also consider the risk from their own staff leaking information. “However serious this incident might look, we must not forget that no less harm could be done by negligence or deliberate leakage of classified or sensitive information by our own staff.”
To counter these issues Šefčovič said cross-industry work was vital to help share information and work together to protect against similar threats. "The success of our security measures depends to a large extent upon the effective co-operation with our partners, both in the Commission and outside," he said.
The threat to firms of all sizes has seen UK banks take part in a cyber war games event this week, dubbed Waking Shark II, in which firms such as Barclays and RBS tested their responses to major cyber attacks.

Brazilian banking customers threatened by malware embedded inside an RTF file

Customers of Brazilian financial institutions have been hit by a banking trojan embedded in an RTF file and spread through a spam campaign.

Banking is one of the sectors most targeted by cybercrime, and criminals continually find new vectors to infect the machines of banks’ customers.
I decided to write this post to alert banks’ customers and to help avoid large-scale infection. The malicious campaign started in Brazil, where many clients of financial institutions have received by mail an .rtf file that hides an ugly surprise.
Kaspersky security experts have spotted a spam mail campaign against the customers of Brazilian banks that uses an interesting trick to infect recipients.
Almost every malicious spam campaign that has targeted banking institutions in the past either carried an executable file masquerading as a PDF or exploited known browser vulnerabilities with a specially crafted file.
The campaign targeting Brazilian users carries a file named “Comprovante_Internet_Banking.rtf” (“Receipt from Internet Banking.rtf”) as an attachment. When the victim opens the RTF file, the document shows an image thumbnail with the message “Click to see in a larger size”.
Clicking the thumbnail in the RTF file presents the user with a message saying a CPL file is about to be executed; in reality this is the malware detected by the Kaspersky experts as Trojan.Win32.ChePro.
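RTF can carry OLE objects in `\objdata` groups as hex-encoded binary, which is how an executable such as a .cpl ends up inside what looks like a receipt document. The scanner below is an added example, not code from the article or from Kaspersky: it pulls every `\objdata` group out of an RTF, parses the OLE 1.0 header to recover the object class name and native data, and flags objects that contain an executable extension or an MZ header. The sample RTF is constructed in the code; its embedded “Package” object is a hand-built, simplified OLE 1.0 stream wrapping a fake MZ stub, not a real payload.

```python
"""Detect embedded executable objects in RTF files (added example).
The OLE 1.0 layout parsed here is the version/format header followed by three
length-prefixed names (class, topic, item) and a length-prefixed native blob;
the Package native data below is a simplified, hand-built approximation."""
import re
import struct

SUSPICIOUS_EXT = (".cpl", ".exe", ".scr", ".dll", ".bat", ".vbs", ".js")


def _build_sample_rtf():
    """Constructed sample: one RTF with an embedded Package named receipt.cpl."""
    label = b"receipt.cpl\x00"
    path = b"C:\\tmp\\receipt.cpl\x00"
    payload = b"MZ" + b"\x00" * 30  # fake PE stub, not runnable
    native = (b"\x02\x00" + label + path + b"\x00\x00\x03\x00"
              + struct.pack("<I", len(path)) + path
              + struct.pack("<I", len(payload)) + payload)
    cls = b"Package\x00"
    ole1 = (struct.pack("<II", 0x00000501, 2)            # version, format id 2 = embedded
            + struct.pack("<I", len(cls)) + cls          # class name
            + struct.pack("<I", 0) + struct.pack("<I", 0)  # topic and item names (empty)
            + struct.pack("<I", len(native)) + native)   # native data
    return ("{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
            + ole1.hex() + "}}}").encode()


SAMPLE_RTF = _build_sample_rtf()


def extract_objects(rtf):
    """Yield the decoded binary of every \\objdata group in the RTF."""
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)}", rtf):
        yield bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode())


def parse_ole1(blob):
    """Return (class_name, native_data) from an OLE 1.0 object header."""
    off = 8  # skip version and format id
    names = []
    for _ in range(3):  # class, topic, item
        n = struct.unpack_from("<I", blob, off)[0]
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    size = struct.unpack_from("<I", blob, off)[0]
    off += 4
    return names[0], blob[off:off + size]


def scan_rtf(rtf):
    """Return one finding per embedded object with a simple verdict."""
    findings = []
    for blob in extract_objects(rtf):
        cls, native = parse_ole1(blob)
        lowered = native.lower()
        ext = next((e for e in SUSPICIOUS_EXT if e.encode() in lowered), None)
        has_mz = b"MZ" in native
        findings.append({"class": cls, "ext": ext, "mz": has_mz,
                         "verdict": "suspicious" if (ext or has_mz) else "ok"})
    return findings


if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f)
```

On a mail gateway the same check can run on every RTF attachment before delivery; an object of class Package whose native data names a .cpl or starts with MZ has no place in a bank receipt.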
The banking malware that hit Brazilian banks seems to be of Indian origin. The choice of the RTF format for the attack is not casual: RTF allows file objects, including executables, to be embedded in a document, and the cybercriminals behind the spam campaign against Brazilian banking have exploited this feature to embed the malware in the document.

Why Brazil?

Brazil is the biggest country in Latin America with a population of approximately 200 million people and a high Internet penetration, Mobile penetration is upward of 132% (2012) and still growing by about 7% annually.
“Brazil’s highly stratified social structure often means that those on a low income are drawn into illegal activity, including writing malicious programs designed to steal data belonging to bank customers. The fact that online banking systems are widely used in Brazil makes this type of criminal activity all the more attractive. Additionally, the country does not have legislation which effectively combats cybercrime.
Between them, Brazil’s biggest banks have millions of online banking customers. For instance, Banco do Brasil has 7.9 million online customers, Bradesco has 6.9 million, Itaú has 4.2 million and Caixa has 3.69 million. These numbers are high enough to motivate the criminals: even if the percentage of successful attacks is small, the profits can still be impressive,” stated an older, but still relevant, Kaspersky report.

Banking users … You are advised!

Does Android 4.4 improve your security?

The newly released Android 4.4 features a tasty new codename (KitKat), some design improvements, revamped Contacts and Hangouts apps, and, of course, several security-related changes. So, how much more secure is Android 4.4?
From a security standpoint, major improvements in 4.4 fall into one of two categories – certificates handling and OS hardening.

Improved handling of digital certificates

Android 4.4 will warn the user if a Certificate Authority (CA) is added to the device, making it easy to identify Man-in-the-Middle attacks inside local networks. At the same time, Google Certificate Pinning will make it harder for sophisticated attackers to intercept network traffic to and from Google services, by making sure only whitelisted SSL certificates can connect to certain Google domains.

OS hardening

Deep inside Android, there is a Linux core, and Google made some changes to it to enforce permissions and thwart privilege escalation attacks, such as exploits that want to gain root access. This makes it harder for Android 4.4 users to get root access on their device. On the bright side, it also makes it harder for malware to do the same, which is an important step in the infection of Android devices.
In general, these enhancements do not really make a big difference and won’t decrease infection rates. The most common Android infection source remains the same: unofficial apps downloaded from third-party stores.

A chance to reduce fragmentation

One of the biggest problems in the Android ecosystem is the large number of different versions of the OS, including ancient ones that are still running on users’ mobile devices – this is known as version fragmentation. For example, more than 25% of the users are still running Android 2.3, which was released years ago. This is a major security issue.
KitKat could potentially address that because of its lowered resource usage. Android 4.4 can run on devices with just 512MB of RAM, making it possible to install 4.4 on some legacy devices.
The real problem is the fact that most non-technical users will have to rely on hardware vendors to get an Android update. Sadly, many mobile phone makers prefer to withhold updates as a method of forcing users to purchase newer devices. At the same time, this is effectively increasing malware risks across their entire user base. Only by discussing this issue openly among both users and vendors can this problem begin to be dealt with.

MacRumors forum hacked, more than one million users at risk

MacRumors, the Mac news and information website and user forums, has been hacked, and more than 860,000 accounts were potentially compromised.

MacRumors, the popular Mac news and information website and user forums, was hacked this week. According to the first reports circulating on the internet, more than 860,000 accounts were potentially compromised out of the 1.8 million registered members the site claims to have today.
The owner of the MacRumors website, Arnold Kim, confirmed the hack and apologized for the incident. He also revealed that a hacker compromised a moderator account to penetrate the platform and, once inside, escalated their privileges to steal user credentials.
“We are looking into it further to see if there was another exploit, but there hasn’t been any evidence of it yet.”
The hacker accessed the usernames, emails and hashed passwords of MacRumors accounts, and users have been told to change their passwords on the forums to avoid consequences. MD5 hashing is not considered safe for use on commercial websites: attackers can recover the original passwords from such hashes with relative ease.
As usual, the users most exposed are those who share the same credentials between different web services.
Arnold Kim maintains that MacRumors was hacked in a similar manner to the Ubuntu forums; he also promised to improve the security of the platform to avoid future problems.
“We are still working to get the forums fully functional and more secure,” he said.
Initially, Kim confirmed that, according to the log files, the hacker had tried to access the password database, but that there were no indications the passwords were circulating online in any form. He subsequently told Threatpost that the attacker behind the MacRumors Forums data breach was “friendly” and that none of the data accessed would be leaked. Arnold Kim confirmed to Threatpost journalists that the hacker had posted a message to the community on the forums.
To prove the hack, the hacker posted a portion of Kim’s password hash and salt; they also blamed a MacRumors Forums moderator whose credentials were stolen and used to access the password database.
“We’re not going to ‘leak’ anything. There’s no reason for us to. There’s no fun in that. Don’t believe us if you don’t want to, we honestly could not care less,” the hacker wrote.
The hacker confirmed that 860,106 passwords were dumped, and 488,429 still had a salt at least three bits long.
“Anyone that’d been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work to do, it’s like to have many with a 3 bit salt),” the hacker’s post said. “We’re not ‘mass cracking’ the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results.” “We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place,” the hacker wrote.
The hacker blamed users for the bad habit of reusing passwords rather than criticizing the security offered by the MacRumors platform, and added that the credentials are not being used to log into web-based email accounts or other online services.
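The two weaknesses the article turns on, a fast hash (MD5) and salts so short that many users share one, can be shown side by side with a slow, per-user-salted KDF. The code below is an added example, not MacRumors code; the legacy construction md5(md5(password) + salt) with a 3-bit salt is an assumed, generic forum-style scheme used only to illustrate why short salts let one cracked digest unlock many accounts, while the PBKDF2 storage format and iteration count are the author of this example's choices.

```python
"""Legacy salted MD5 versus PBKDF2 (added example; legacy scheme is assumed)."""
import hashlib
import hmac
import os
import secrets

LEGACY_SALT_BITS = 3      # a 3-bit salt has only 8 possible values
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str, salt: str) -> str:
    """Assumed forum-style scheme: md5(md5(password) + salt), fast and weak."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def legacy_salt() -> str:
    """Random salt drawn from the tiny 3-bit space ('0'..'7')."""
    return format(secrets.randbelow(1 << LEGACY_SALT_BITS), "x")


def pbkdf2_record(password: str) -> str:
    """Store as 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a 16-byte random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


def distinct_digests(password: str, n_users: int, scheme: str) -> int:
    """How many distinct stored digests n users who share one password produce.

    With 3-bit salts the answer is at most 8 no matter how many users there are,
    so cracking one digest exposes every user behind it; with 16-byte random
    salts every user gets a unique digest that must be attacked separately.
    """
    if scheme == "legacy":
        return len({legacy_hash(password, legacy_salt()) for _ in range(n_users)})
    return len({pbkdf2_record(password).split("$")[3] for _ in range(n_users)})


if __name__ == "__main__":
    print("legacy, 100 users, same password:", distinct_digests("correct horse", 100, "legacy"))
    print("pbkdf2,   5 users, same password:", distinct_digests("correct horse", 5, "pbkdf2"))
    rec = pbkdf2_record("correct horse")
    print("verify ok:", pbkdf2_verify("correct horse", rec), "wrong:", pbkdf2_verify("nope", rec))
```

Each PBKDF2 verification costs 200,000 SHA-256 rounds, which is negligible for one login but multiplies the cost of every guess an attacker makes against a dumped database; the same password stored under the legacy scheme costs two MD5 calls to test.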