Monday 20 January 2014

DDoS attacks now coming from mobile apps, Prolexic report says

Hackers are now using mobile apps to launch distributed denial of service (DDoS) attacks against enterprise clients, according to a new report from Prolexic Technologies Inc., a security solutions provider focused on protecting against DDoS attacks.
In the fourth quarter of 2013, a team of security engineers at Prolexic uncovered a case where hackers were targeting a major, unnamed financial services firm located in Asia using AnDOSid, an Android operating system app.
(Image: Prolexic). AnDOSid app for Android.
The app launched an HTTP POST flood attack, in which the volume of HTTP POST requests becomes so large that the victim's server struggles to respond to them all. When the server exhausts its system resources trying to keep up, it crashes.
While Prolexic’s report highlighted this specific case, it also noted this won’t be the last we’ll see of mobile app-enabled DDoS attacks. It’s simple enough to download an app that will perform a DDoS attack from an online app store, and any aspiring hacker would be able to use it, without having any experience in mounting cyber attacks, researchers wrote.
In the attack on the financial services firm, the attackers used at least 12 unique attacks, one of which had a hacktivist message to recruit others to help them. That means many of the people involved were volunteers who purposely connected to the command and control server and joined the botnet. The hackers were then able to control their devices remotely and kickstart the attack.
(Image: Prolexic). Hacktivist message appearing in a DDoS campaign.
“The prevalence of mobile devices and the widespread availability of downloadable apps that can be used for DDoS is a game changer,” said Prolexic president Stuart Scholly in a statement.
“Malicious actors now carry a powerful attack tool in the palm of their hands, which requires minimal skill to use. Because it is so easy for mobile device users to opt-in to DDoS attack campaigns, we expect to see a considerable increase in the use of these attack tools in 2014.”
Part of the reason it's easier to launch an attack using a mobile device is that the apps involved, like AnDOSid, have an easy-to-use interface. While AnDOSid was originally designed for security professionals to test their own sites for vulnerabilities, the attackers leveraged it for this particular attack campaign against the financial services firm because it provides simple controls like "Go" and "Stop" – perfect for directing volunteers.
(Image: Prolexic). Low Orbit Ion Cannon, an Android app.
And AnDOSid isn’t the only tool. Prolexic researchers also found a new app called Low Orbit Ion Cannon, also used to participate in the same attack campaign on the financial services firm. The app was available in the Google Play store in December 2013.
“Mobile devices add another layer of complexity. Because mobile networks use super proxies, you cannot simply use a hardware appliance to block source IP addresses as it will also block legitimate traffic,” Scholly said.
“Effective DDoS mitigation requires an additional level of fingerprinting and human expertise so specific blocking signatures can be developed on-the-fly and applied in real-time.”
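As an added example (not part of the Prolexic report or any Prolexic tooling), the Python script below shows why the per-source-IP blocking Scholly describes fails behind a mobile carrier's shared proxy, and how grouping requests by a simple fingerprint (method, path, User-Agent, body size) isolates a POST flood instead. The access-log lines, IP addresses, the `FloodTool/1.0` User-Agent string, the trailing body-size field and the detection threshold are all constructed for this example.

```python
"""
Added example: per-IP versus per-fingerprint view of an HTTP POST flood.

Behind a carrier-grade NAT ("super proxy") many legitimate users share one
source IP, so blocking that IP also blocks them.  Grouping POSTs by request
shape separates the flood from the legitimate traffic on the same address.
All log lines, addresses and the User-Agent string are constructed.
"""
import re
from collections import Counter

# Combined log format with one constructed extra field: request body size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) (?P<resp>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<body>\d+)$'
)

# Constructed sample: one proxy IP (203.0.113.7) carries both flood traffic
# and three legitimate requests; a second IP carries flood traffic only.
FLOOD_FMT = ('{ip} - - [20/Jan/2014:10:00:01 +0000] "POST /login HTTP/1.1" '
             '200 512 "-" "FloodTool/1.0" 64')
LEGIT_LINES = [
    '203.0.113.7 - - [20/Jan/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 8192 '
    '"-" "Mozilla/5.0 (Linux; Android 4.4)" 0',
    '203.0.113.7 - - [20/Jan/2014:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 '
    '"https://bank.example/" "Mozilla/5.0 (Linux; Android 4.4)" 131',
    '203.0.113.7 - - [20/Jan/2014:10:00:02 +0000] "GET /account HTTP/1.1" 200 4096 '
    '"https://bank.example/" "Mozilla/5.0 (Linux; Android 4.4)" 0',
    '192.0.2.33 - - [20/Jan/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 8192 '
    '"-" "Mozilla/5.0 (Windows NT 6.1)" 0',
]
SAMPLE_LOG = "\n".join(
    [FLOOD_FMT.format(ip="203.0.113.7")] * 6
    + [FLOOD_FMT.format(ip="198.51.100.9")] * 4
    + LEGIT_LINES
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["body"] = int(rec["body"])
            records.append(rec)
    return records


def posts_per_ip(records):
    """The naive view: how many POSTs each source IP sent."""
    return Counter(r["ip"] for r in records if r["method"] == "POST")


def fingerprint(rec):
    """Request shape used as a blocking signature instead of the source IP."""
    return (rec["method"], rec["path"], rec["ua"], rec["body"])


def posts_per_fingerprint(records):
    return Counter(fingerprint(r) for r in records if r["method"] == "POST")


def flood_fingerprints(records, threshold):
    """Fingerprints whose POST count reaches the threshold in this window."""
    return [fp for fp, n in posts_per_fingerprint(records).items() if n >= threshold]


def collateral_for_ip_block(records, ip, threshold):
    """Legitimate requests (not matching a flood fingerprint) an IP block would drop."""
    floods = set(flood_fingerprints(records, threshold))
    return sum(1 for r in records if r["ip"] == ip and fingerprint(r) not in floods)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("POSTs per IP:", dict(posts_per_ip(recs)))
    print("flood signatures:", flood_fingerprints(recs, threshold=5))
    print("legit requests lost if 203.0.113.7 were blocked:",
          collateral_for_ip_block(recs, "203.0.113.7", threshold=5))
```

In the constructed sample the proxy address 203.0.113.7 shows seven POSTs, but three of its requests are ordinary browser traffic that an IP block would drop; the fingerprint view flags only the one signature that the flood shares across both source addresses, which is the "blocking signature" approach Scholly refers to.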
Beyond adding mobile apps to hackers' arsenal, Prolexic researchers also noted that between 2012 and 2013 they saw more sophisticated attacks reaching a greater number of targets. About a fifth of these attacks came from the U.S., the biggest source of DDoS attacks, followed by China, Thailand, the U.K., and South Korea.
Seeing an attack campaign staged by multiple mobile device owners running at least 12 attacks is something we should expect to see more often, Prolexic’s team said in their report, writing this particular case was a “prime example of DDoS attacks today.”
“No longer are they simple attacks, but instead they take a scatter shot approach, seeking to find any weakness with which to take down a website in a number of ways,” the report said.
Researchers noted they expect China to eclipse the U.S. as a source of DDoS attacks in the coming years, as it has a large Internet population and a foreign policy that encourages government employees to use the Internet to their country’s advantage.

Mobile Threat Monday: Fake Minecraft Scams Android Gamers

According to F-Secure, a Trojanized version of Minecraft - Pocket Edition (or Minecraft PE) is making the rounds on third-party app marketplaces. Though it costs half as much as the genuine article, it has a few "enhancements" that players won't like.
Worse Than Creepers
F-Secure told SecurityWatch that the phony Minecraft PE is currently available on several Russian app stores. This isn't surprising, as not all third-party stores vet their apps as thoroughly as Google, making some of them havens for malicious applications.
Careful readers will probably remember that cloned versions of popular apps are nothing new; in fact, it's a common tactic to trick victims into downloading and installing malicious applications. These fake apps are generally free, to further entice victims, but this ersatz Minecraft PE bucks the trend by charging 2.50 Euros for the app—the real app costs 5.49 Euros.
Charging victims earns the scammers some cash right off the bat, but that's not all this app does. "The real game is included but it has one added permission: android.permission.SEND_SMS and the payment system has been 'enhanced,'" said F-Secure. This critical change means that the app can use victims' phones to send text messages.
According to F-Secure, the SMS messages generated by the app are sent to so-called "premium rate numbers" in Russia. These might be signing up victims for pricey subscriptions to services they don't want. The messages might also be adding money to their phone bill—like those fundraiser shortcodes used by NPR and the Red Cross, but in this case used for evil. Interestingly, whoever made the fake app might not own the numbers the messages are being sent to, but may get a cut from whoever does.
Sneakier Than Endermen
Mojang, the creators of Minecraft, are no fools and F-Secure writes that they included some security measures in their code to prevent this kind of thing from happening. Unfortunately, the creator of this Trojanized app is clever.
"The original Minecraft includes a check inside the dex code that verifies the signature that has been used to sign the APK. If it's not [Mojang's], the code refuses to run," said F-Secure. The phony Minecraft PE includes a special tool to specifically trick this failsafe, thus allowing it to work.
Guard Your Fortress
In Minecraft, if you leave a hole in your outer defenses, dangerous monsters will find their way into your home. Likewise, turning off the default restriction on installing third-party applications on your Android device can allow malware onto your phone.
And searching for free or cracked versions of popular apps is like asking monsters to come into your home. It's always better to pay the developers and get the real, secure version of any Android app. Especially in the case of Minecraft, which is worth every penny. As is usually the case, it pays to pay.

The Credit Card is Dead; Now What Do We Do?

With recent data breaches at Target, Neiman Marcus and other popular merchants, using a credit card for shopping is beginning to seem like a Bad Idea. Near Field Communication (NFC) payment systems like Google Wallet were supposed to make credit cards obsolete, but iOS devices don't support NFC. Even in the Android realm, Google Wallet only works with specific phones. So what can we do?
Enter the Usher Identity Platform from MicroStrategy. This all-software solution promises to overcome the inherent weaknesses of card-based authorization by changing the front-end payment process. Usher is linked to the user's phone and authenticated biometrically. According to the press materials, your credit card number is "dematerialized" and replaced by your mobile identity.
It's all very forward-looking, but can a system like this really work? I certainly had my doubts, so I took an opportunity to interrogate Steve Bruggers, MicroStrategy's VP of Financial Services.
How Would It Work?
Rubenking: Here's a very basic question. How do I use Usher to pay for, say, a meal if the restaurant has not installed Usher support?
Bruggers: Just like you cannot use payment, debit or ATM cards at an establishment that is not connected to the appropriate payment or funds transfer network, you would not be able to use Usher at an establishment that does have a connection to Usher. However, it should be noted that an Usher-based payment solution is a software solution and therefore will not require new hardware readers at the retail establishment, as do EMV smart card solutions.
Rubenking: Typically in that restaurant setting I would hand my card to the server (yes, the server could copy my number at that point). I certainly would not hand my smartphone to anybody, so what is the flow? How do I pay for lunch with Usher?
Bruggers: There are several possible flows for using Usher to pay at a restaurant. One flow would be for the restaurant to have a register that can print a QR code on the customer bill. The customer would pay by scanning the QR code with the Usher client on the smartphone. Another flow would be for the server to have a mobile device, integrated with the POS register, that they would bring to the table and the customer would scan a QR code on the mobile device with his phone.
Rubenking: At the grocery I can pull out my wallet, grab and swipe my credit card in one motion, and put back my wallet faster than an old-West gunslinger can draw. How can Usher possibly be as fast and easy as that?
Bruggers: Paying with your phone can be just as fast, and sometimes faster, than paying with plastic. Paying with plastic often requires handing your card to the clerk, who then checks the signature, swipes the card, and then hands it back to the cardholder. Holding the phone up to be scanned can be a quicker, more seamless process. Paying with a mobile device is a natural next step in the continuing process of mobilizing everything we do. Starbucks, for example, is now doing four million transactions a week with their mobile payment app.
How Does It Start?
Rubenking: Your website lists many, many use cases for Usher, but none of them matter in the end unless you can get a huge number of people using it. How do you imagine getting past the initial hurdle, where nobody will use it because it doesn't really work until a huge number of people already use it?
Bruggers: The most obvious deployment path for Usher would be as a private-label digital payment card offered directly by the merchant, either as a direct debit or a stored value solution. This is what Starbucks has done with its mobile app and they have seen very large scale and positive adoption by customers. Obviously Starbucks continues to accept plastic credit/debit and cash, as would a retailer using Usher as their private-label payment card.
Consumers will adopt Usher if it gives them a greater sense of trust, is more convenient, delivers a better shopping experience and saves them money (either in offers from the merchant or discounts for using Usher to pay.) That's what the Starbucks experience has proven.
Businesses will adopt Usher if it makes the payment more secure, reduces costs (both losses from fraud and operating expenses) and grows revenue by offering a better and safer shopping experience.
Rubenking: My father simply won't use a smartphone. If restaurants and stores switch over to Usher, will they lose his business?
Bruggers: No, Usher works alongside other payment processes. Just like there are multiple payment options now (credit, debit, cash, check, etc.) Usher would be another alternative.
Biometric Possibilities
Rubenking: On the website I see the word "biometric" over and over, but I haven't yet uncovered exactly what sort of biometric authentication is intended. I'm assuming face or voice, or both, since fingerprint authentication has never passed the "easy" test. Just what sort of biometric authentication is planned?
Bruggers: Potentially any biometrics that can be captured by a mobile device could be used to authenticate identity with Usher. Usher integrates products from biometric vendors. The two primary biometrics MicroStrategy has been working with are voice and face recognition. As biometric methods improve and new modalities become available they all become potential candidates to integrate with Usher.
Will It Fly?
I think Bruggers hit the nail on the head with his comment that getting started will require one or more major merchants to buy into the system, using it as a private-label digital payment system. For customers, it will be just one more app, no big deal to install and use.
I do note that this may not quite be the software-only solution that was promised. Bruggers mentioned "a register that can print a QR code on the customer bill" and "a mobile device, integrated with the POS register." Quite likely either of those would require an investment in new equipment for restaurant use. Payment at the cash register, as in a retail store, will probably be a better starting point.
In any case, this is definitely a good time to promote a payment system that replaces the insecure credit card system. I don't even shop at Target (or Neiman Marcus, for that matter), yet my bank had to issue a new card last week. Short of shopping with cash only, a smartphone solution sounds pretty good.

Oracle Joins Adobe, Microsoft in Giant January Patch Tuesday

It's a trifecta of software patches, with Microsoft, Adobe, and Oracle all releasing security updates on the same day.
As expected, Microsoft started off 2014 with a fairly light Patch Tuesday release, fixing six not-so-critical vulnerabilities across four security bulletins. On the same day, Adobe issued two critical updates fixing three critical remote code execution flaws in Adobe Reader, Acrobat, and Flash. A scheduling quirk meant Oracle's quarterly Critical Patch Update also fell on the same Tuesday, resulting in a huge volume of patches for IT administrators to deal with. Oracle fixed 144 vulnerabilities across 40 products, including Java, MySQL, VirtualBox, and its flagship Oracle database.
"While Microsoft is only releasing four updates, there is plenty of work for IT administrators due to releases by Adobe and Oracle," said Wolfgang Kandek, CTO of Qualys.
The Java patches from Oracle should be highest priority, followed by the Adobe Reader and Flash advisories, and then the Microsoft Word and XP updates, experts said.
Oracle Takes on Java
Even taking into account that Oracle patches quarterly and is fixing more products, this CPU is still a record-breaker in the number of issues fixed. Of the 144 security flaws, 82 could be considered critical, as they may be exploited remotely without authentication.
The majority of the vulnerabilities addressed in Oracle's gargantuan CPU were in Java v7. Oracle fixed 34 remote execution flaws, with several scoring 10 on the Common Vulnerability Scoring System scale. CVSS indicates the seriousness of the flaw and the likelihood of the attacker gaining total control of the system.
Java was one of the most attacked pieces of software in 2013, and experts warned it will continue to be a popular target. If you don't use it, uninstall it. If you need to have Java installed, at least disable it in the Web browser, since all the attacks thus far have gone through the browser. If you do access Web applications that require Java, keep it enabled in a different Web browser than your default one and switch when necessary. If you don't need it, don't keep it. If you do keep it, patch immediately.
Oracle also fixed five security flaws in its own Oracle database, one of which can be exploited remotely, and 18 vulnerabilities in MySQL. Three of those bugs could be attacked remotely and had the maximum CVSS score of 10. Server software Solaris had 11 flaws, including one which could be attacked remotely. The most serious Solaris bug had a CVSS score of 7.2. The CPU addressed nine issues in Oracle Virtualization Software, which includes virtualization software VirtualBox, of which four could be triggered remotely. The maximum CVSS score was 6.2.
If you are running any of these products, it is important to update them immediately. MySQL is widely used as the back-end system for a number of popular CMS and forum software, including WordPress and phpBB.
Reader and Flash Fixes
Adobe fixed security issues in Adobe Flash, Acrobat, and Reader which, if exploited, would give attackers total control of the target system. The attack vector for the Acrobat and Reader bug was a malicious PDF file. The Flash flaw could be exploited by visiting malicious Web pages or opening documents with embedded Flash objects.
If you have background updates turned on for Adobe products, the updates should be seamless. Users with Google Chrome and Internet Explorer 10 and 11 will not have to worry about the new version of Flash as the browsers will update the software automatically.
Light Microsoft Update
Microsoft fixed a file format vulnerability in Microsoft Word (MS14-001) that can be exploited remotely if the user opens a booby-trapped Word file. It affects all Microsoft Word versions on Windows, including Office 2003, 2007, 2010, and 2013, as well as Word document viewers. Mac OS X users are not affected.
The zero-day vulnerability (CVE-2013-5065) affecting Windows XP and Server 2003 systems that was discovered in the wild last November has finally been patched (MS14-002). Although the privilege escalation flaw in NDProxy cannot be executed remotely, it should be high-priority because it can be combined with other vulnerabilities. The attacks in November used a malicious PDF document to first trigger a flaw in Adobe Reader (which was patched May 2013 in APSB13-15) in order to access the Windows kernel bug. Microsoft fixed a similar privilege escalation flaw in Windows 7 and Server 2008 (MS14-003).
"If you are worried about 002 and not 003, you are likely going to have some problems come April when support ends for Windows XP," Rapid7 said.
On their own these vulnerabilities might not be critical, but combined they can be much more serious, Trustwave warned. If a campaign using a malicious Office document executed code targeting the privilege elevation bug, "then a phishing email to an unsuspecting user would be all that's necessary," the team said.

How RAM Scraper Malware Stole Data from Target, Neiman Marcus

While Target is still keeping mum on how attackers managed to breach its network and hoover up information belonging to more than 70 million shoppers, we now know that RAM scraping malware was used in the attack.
"We don't know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers. That much we've established," Target CEO Gregg Steinhafel said in an interview with CNBC discussing the recent breach. The company initially said payment card information for 40 million people who shopped at one of its retail outlets over the holiday season was compromised. Target said last week that personal information for 70 million people was also stolen, and that any shopper who came to the stores in all of 2013 was at risk.
Unnamed sources told Reuters over the weekend that the malware used in the attack was a RAM scraper. A RAM scraper is a specific type of malware which targets information stored in memory, as opposed to information saved on the hard drive or being transmitted over the network. While this class of malware is not new, security experts say there has been a recent uptick in the number of attacks against retailers using this technique.
Attacking Memory
RAM scrapers look inside the computer's memory to grab sensitive data while it is being processed. Under current Payment Card Industry-Data Security Standard (PCI-DSS) rules, all payment information must be encrypted when it is stored on the PoS system as well as when it is being transferred to back-end systems. While attackers can still steal the data from the hard drive, they can't do anything with it if it is encrypted, and the fact that the data is encrypted while traveling over the network means attackers can't sniff the traffic to steal anything.
This means there is only a small window of opportunity—the instant when the PoS software is processing the information—for attackers to grab the data. The software has to temporarily decrypt the data in order to see the transaction information, and the malware seizes that moment to copy the information from memory.
The rise in RAM-scraping malware can be tied to the fact that retailers are getting better at encrypting sensitive data. "It's an arms race. We throw up a roadblock and the attackers adapt and look for other ways to grab the data," said Michael Sutton, vice-president of security research at Zscaler.
Just Another Malware
It's important to remember that point-of-sale terminals are essentially computers, albeit with peripherals such as card readers and keypads attached. They have an operating system and run software to handle the sales transactions. They are connected to the network to transfer transaction data to back-end systems.
And just like any other computer, PoS systems can be infected with malware. "Traditional rules still apply," said Chester Wisniewski, a senior security advisor at Sophos. The PoS system can be infected because the employee used that computer to go to a Web site hosting the malware, or accidentally opened up a malicious attachment to an email. The malware could have exploited unpatched software on the computer, or any of the many methods that result in a computer getting infected.
"The less privilege the store workers have on the point-of-sale terminals, the less likely they will get infected," Wisniewski said. Machines that process payments are extra-sensitive and should not allow Web surfing or installation of unauthorized applications, he said.
Once the computer is infected, the malware searches for specific types of data in memory—in this case, credit and debit card numbers. When it finds the number, it saves it to a text file containing the list of all the data it has already collected. At some point, the malware then sends the file—usually over the network—to the attacker's computer.
Anyone Is a Target
While retailers are currently a target for memory parsing malware, Wisniewski said any organization handling payment cards would be vulnerable. This type of malware was initially used in the hospitality and education sectors, he said. Sophos refers to RAM scrapers as the Trackr Trojan, and other vendors call them Alina, Dexter, and Vskimmer.
In fact, RAM scrapers aren't specific to just PoS systems. The cyber-criminals can package up the malware to steal data in any situation where the information is usually encrypted, Sutton said.
Visa issued two security alerts in April and August last year warning merchants of attacks using memory-parsing PoS malware. "Since January 2013, Visa has seen an increase in network intrusions involving retail merchants," Visa said in August.
It's not clear how the malware got onto Target's network, but it's clear something failed. The malware wasn't installed on just one PoS system, but on many computers around the country, and "no one noticed," Sutton said. And even if the malware was too new for antivirus to detect it, the fact that it was transferring data out of the network should have raised red flags, he added.
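Sutton's point that data leaving the network "should have raised red flags" is the kind of check a PoS operator can automate. The Python script below is an added example, not code from Target, Sophos or Zscaler: it reads constructed flow records, treats every host in a hypothetical PoS segment as monitored, and flags any connection to a destination and port that is not on an explicit allowlist, then totals the bytes each terminal sent to unapproved destinations. The subnet, allowlist, addresses, byte counts and threshold are all made up for the example.

```python
"""
Added example: egress allowlisting for point-of-sale terminals.

A PoS terminal has a very short list of legitimate network peers (payment
gateway, store back-office server).  Anything else, internal or external,
is worth an alert, and a large byte count to an unapproved destination is
the kind of exfiltration signal the article says went unnoticed.
All addresses, flow records and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict

POS_NETWORK = ipaddress.ip_network("10.20.0.0/16")  # hypothetical PoS segment

# Hypothetical allowlist of (destination IP, port) a terminal may talk to.
ALLOWED_EGRESS = {
    ("10.99.1.5", 443),     # payment gateway
    ("10.20.255.1", 8443),  # store back-office server
}

# Constructed flow records: timestamp src dst dport bytes.
# 10.20.3.11 pushes a large file to an internal host on SMB, and that host
# then uploads a file of the same size to an external FTP server.  The last
# line is office traffic outside the monitored segment and is ignored.
SAMPLE_FLOWS = """\
2014-01-15T02:13:04 10.20.3.11 10.99.1.5 443 1840
2014-01-15T02:13:09 10.20.3.11 10.20.255.1 8443 512
2014-01-15T02:14:01 10.20.3.11 10.20.255.7 445 9217000
2014-01-15T02:14:05 10.20.3.12 10.99.1.5 443 1902
2014-01-15T02:15:30 10.20.255.7 198.51.100.23 21 9217000
2014-01-15T02:16:00 10.50.1.4 203.0.113.50 80 3100
"""


def parse_flows(text):
    """Parse whitespace-separated flow records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_pos_host(ip):
    return ipaddress.ip_address(ip) in POS_NETWORK


def unexpected_egress(flows, allowed=ALLOWED_EGRESS):
    """Flows from a monitored PoS host to any (dst, port) not on the allowlist."""
    return [f for f in flows
            if is_pos_host(f["src"]) and (f["dst"], f["port"]) not in allowed]


def unapproved_bytes_by_host(flows, allowed=ALLOWED_EGRESS):
    """Total bytes each PoS host sent to unapproved destinations."""
    totals = defaultdict(int)
    for f in unexpected_egress(flows, allowed):
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def alerts(flows, allowed=ALLOWED_EGRESS, byte_threshold=1_000_000):
    """Human-readable alerts for hosts whose unapproved egress exceeds the threshold."""
    return [f"{host} sent {n} bytes to unapproved destinations"
            for host, n in sorted(unapproved_bytes_by_host(flows, allowed).items())
            if n >= byte_threshold]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in unexpected_egress(flows):
        print("unexpected:", f["src"], "->", f["dst"], "port", f["port"], f["bytes"], "bytes")
    for line in alerts(flows):
        print("ALERT:", line)
```

Two design points: the allowlist is keyed on destination and port rather than on "internal versus external", so the staging hop to another machine on the store network is caught as well as the final upload; and the byte total is tracked per source host, which separates a noisy misconfiguration from a bulk transfer.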
For the individual shopper, not using credit cards is not really an option. This is why it is important to regularly monitor statements and track all transactions on your accounts. "You have to trust the retailers with your data, but you can also stay vigilant," Sutton said.

Kaspersky Named Antivirus Tsar

On any given day, you'll find researchers at AV-Comparatives working hard, putting antivirus products through a wide variety of tests. Throughout the year, they summarize and report on the results of these tests. And as each year ends, they present an overall report on their findings. The latest such report names Kaspersky as product of the year for 2013.
While the researchers do measure detection rates and such with precision, for the sake of reporting they define three levels of success: STANDARD, ADVANCED, and ADVANCED+. A product that doesn't even reach the STANDARD level is merely TESTED. Each report warns that despite differences in scores, products with the same rating should be considered equally good. As the only product to reach ADVANCED+ in every single test, Kaspersky easily earned the designation product of the year.
Other Top Rated Products
The report also praised Bitdefender, ESET, F-Secure Anti-Virus 2014, Avast, BullGuard, Fortinet, and Avira, naming them "top rated products." The criterion for getting into this club is quite simple. A rating of TESTED is worth zero, STANDARD is worth five, ADVANCED is worth ten, and ADVANCED+ is worth 15. Any product whose scores totaled 105 or higher made the cut for top rated, as long as it didn't fail either real-world protection test.
Note that some of the tests are optional. Not all vendors approve of AV-Comparatives's "retrospective" test, which simulates zero-day threat detection by forcing products to use old definitions, so some of them opt out. However, opting out of a test naturally cuts a vendor's total score; Sophos would have joined the top rated crowd if it had entered and passed the antiphishing test.
Tons of Information
The full report is definitely worth reading if you're trying to decide which security product will work best for you. It breaks down test results into a variety of categories, among them file-based detection, real-world protection, and performance. For each category it assigns gold, silver, and bronze winner status to one or more participating vendors. You may want to check the gold winners in the categories that are most important to your particular needs.
There's also an extremely detailed review of each product's user interface, complete with screenshots. Researchers considered a variety of specific user interface features. Are malware alerts clear and appropriate? Is there a cogent and useful help system? Are essential functions and status reports easy to find? A summary section reports on products that demonstrate good user interface design.
Malware in the modern world is complex and ever-changing. I'm immensely grateful for testing labs like AV-Comparatives, labs that work hard to keep their tests relevant and up to date. Without their input it would be really tough to determine which antivirus products do the best job.

What Happens to Your Antivirus When Windows XP Is Dead?

Windows XP reaches its end of life in less than three months, on April 8th. Microsoft strongly advises everyone to update to a more modern operating system like Windows 7 or Windows 8. Good advice, sure, but we know a lot of people will continue to run XP after its life has officially ended. What kind of options will they have for antivirus protection? Andreas Marx, CEO of AV-Test, surveyed nearly 30 major antivirus vendors and found that all of them planned to support their products under XP even after XP passes on.
Not a Free Pass
Make no mistake, if at all possible you should upgrade any XP systems to a more modern operating system. Once Microsoft stops patching security holes, XP is going to be like a target in a shooting gallery. Your antivirus may be able to stop malware attacks exploiting these unpatched vulnerabilities, but it may not. Usually there's a partnership between the fully patched operating system and the antivirus. After April, XP won't be holding up its side of the deal.
A Definite End
Perhaps the biggest surprise from this survey is that Microsoft itself will continue to support Microsoft Security Essentials (as well as corporate security solutions) on XP until July 14th, 2015. A blog post explains that they're doing so "To help organizations complete their migrations." Extending support as far as antivirus signatures makes sense, but I didn't see it coming.
Avira, Bitdefender, and Trend Micro told Marx they planned a specific ending time for supporting antivirus installations on the XP platform. Avira will end protection on April 8th, 2015; Bitdefender in January of 2016 (2017 for corporate); and Trend Micro on January 30th, 2017. If you're sticking with XP and using one of these products, you've got time to plan your exit strategy.
Wait and See
Well over half of the companies surveyed said they didn't have specific plans at this time to end product support for those using XP, but they will support it for at least two more years. A few offered a different end time, while reserving the possibility they might extend support. ThreatTrack, publisher of VIPRE, promised support until April 2015 or later. Sophos will offer support until at least September 30th, 2015, while Norman and Qihoo will keep going until at least January 2016. Again, any of these vendors might continue supporting XP for longer, if there's a demand.
XP Enthusiasm
A few vendors went beyond the "at least a couple years" promised by so many. Kaspersky will continue XP support until at least 2018 (2016 for business). Webroot won't end support until April of 2019, or later. And Norton hasn't made any decision at all on ending XP support. Of course, Norton's stance could also mean that they're reserving the right to end support earlier; we just don't know.
The full article details just what each vendor said about continued support, and offers other cogent advice about staying safe after the death of XP. Marx advises users to drop the no-longer supported Internet Explorer in XP and use Chrome or Firefox instead; users should switch away from Outlook Express as well.
So what will it be? Are you really going to leave the undead Windows XP in charge of your PCs? If circumstances force you to stick with XP, be aware your risk level will be rising. And choose an antivirus that will keep supporting you.

Amazon, GoDaddy Popular Choices for Malware Hosting

We love the cloud because it's easier to spin up a server to host a Website or run a Web application if someone else takes care of all the hardware tasks. Well, it appears criminals love hosting providers, too, especially Amazon and GoDaddy.
Cyber-criminals are using cloud computing for many of the same reasons legitimate businesses and individuals are, Solutionary found in its Fourth Quarter 2013 Threat Report (PDF). Criminals are also hiding their malicious activities behind the reputations of major hosting providers such as Amazon, GoDaddy and Google. In fact, of the major Web hosting providers out there, Solutionary found that Amazon and GoDaddy were the most popular for hosting malware.
"Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy," said Rob Kraus, director of research in Solutionary's Security Engineering Research Team.
Why Cloud?
Shifting to the cloud makes a lot of sense, since it is quicker to develop a malicious site and bring it online, as well as cheaper to repeatedly change IP addresses and domain names to avoid detection. Criminals can use multiple providers and expand their operations substantially, rather than trying to set up physical Web servers in multiple locations. For example, the report found a single malicious domain which was spread across 20 countries, 67 providers, and 199 unique IP addresses to avoid being detected or blocked.
Malware distributors are "utilizing the technologies and services that make processes, application deployment and website creation easier," Kraus said.
Criminals also cover their tracks better and have a higher degree of success if they rely on major hosting providers. Considering that organizations frequently filter traffic using geographic blacklists and lists of known bad IP addresses, criminals need someplace "safe" that won't automatically trigger an alert. This is where major hosting providers come in, as they allow malware distributors to set up shop within a trusted address space. Organizations that block traffic from Ukraine, for example, are less likely to block traffic coming from Amazon or GoDaddy.
Solutionary also pointed out that geographic blacklisting and blocking strategies are not effective methods to detect and block malware attacks, since 44 percent of the world's malware is hosted within the United States to begin with.
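The spread the report describes (one domain scattered across dozens of providers and countries) is itself a usable signal, and it is one a geographic block never looks at. The following added example (mine, not code from the Solutionary report) runs over a small constructed set of passive-DNS style records, first through a country blacklist and then through a per-domain infrastructure-spread check. The domain names, addresses, provider labels and thresholds are all illustrative assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records: (domain, resolved IP, hosting provider, country).
# All values are illustrative; they are not taken from the Solutionary report.
RECORDS = [
    ("update-check.example", "203.0.113.10",   "ProviderA", "US"),
    ("update-check.example", "203.0.113.11",   "ProviderA", "US"),
    ("update-check.example", "198.51.100.7",   "ProviderB", "DE"),
    ("update-check.example", "198.51.100.200", "ProviderC", "BR"),
    ("update-check.example", "192.0.2.45",     "ProviderD", "UA"),
    ("update-check.example", "192.0.2.99",     "ProviderE", "JP"),
    ("corp-cdn.example",     "203.0.113.50",   "ProviderA", "US"),
    ("corp-cdn.example",     "203.0.113.51",   "ProviderA", "US"),
]

BLOCKED_COUNTRIES = {"UA"}   # hypothetical geo blacklist


def geo_filter(records, blocked=BLOCKED_COUNTRIES):
    """The naive control: drop only resolutions that land in a blocked country.
    Returns the records that would still be allowed through."""
    return [r for r in records if r[3] not in blocked]


def spread_profile(records):
    """Per domain: the set of unique IPs, /24 networks, providers and countries."""
    profile = defaultdict(lambda: {"ips": set(), "nets": set(),
                                   "providers": set(), "countries": set()})
    for domain, ip, provider, country in records:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        p = profile[domain]
        p["ips"].add(ip)
        p["nets"].add(net)
        p["providers"].add(provider)
        p["countries"].add(country)
    return profile


def flag_spread(records, min_providers=3, min_countries=3):
    """Flag domains whose infrastructure is scattered across many providers AND
    many countries, the pattern the report describes. A CDN with many IPs under one
    provider does not trip this; a domain hopping across unrelated hosters does."""
    flagged = {}
    for domain, p in spread_profile(records).items():
        if len(p["providers"]) >= min_providers and len(p["countries"]) >= min_countries:
            flagged[domain] = {"ips": len(p["ips"]), "nets": len(p["nets"]),
                               "providers": len(p["providers"]),
                               "countries": len(p["countries"])}
    return flagged


if __name__ == "__main__":
    allowed = geo_filter(RECORDS)
    print(f"geo filter lets {len(allowed)} of {len(RECORDS)} resolutions through")
    for domain, stats in flag_spread(RECORDS).items():
        print(f"spread alert: {domain} {stats}")
```

On the sample data the country blacklist removes exactly one resolution and the malicious domain keeps five working addresses, while the spread check flags it and leaves the single-provider CDN alone. In production the provider column would come from ASN or WHOIS enrichment, and the thresholds need tuning against your own DNS baseline.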
Piggybacking on Trusted Brands
Hiding behind trusted domains and names is not something new, though. Spammers like using popular Webmail providers because people automatically trust a message from @outlook.com or @gmail.com more than one from @50orcdn.com, for example. Attackers also use Google Docs and Google Sites to create forms that can trick users into submitting sensitive information or downloading malware. Cloud storage providers such as Dropbox have been plagued in the past with criminals taking advantage of free services to host malware.
Because of Amazon's immense size, it makes sense that it hosts more malicious sites than its competitors. Regardless, it's clear that attackers are increasingly treating hosting providers as "significant distribution points," Kraus said.
In Solutionary's report, the researchers found that attackers are either buying services from major hosting providers directly or compromising sites already hosted on those platforms; the owners of such sites generally don't know how to harden their applications, which leaves them open to attack. Some providers, such as Amazon with its Elastic Compute Cloud (EC2) service, charge for the capacity actually consumed, so criminals can set up a campaign on a small scale first and expand as necessary.
"The more lucrative the criminal activity, the more funds will be available to pay for the increasing capacity as it is needed," Solutionary noted.
Most cloud providers—especially Amazon—have security policies in place to shut down malicious sites and accounts as soon as they are detected. However, when the provider is huge, with hundreds of thousands of servers and thousands of users firing up new applications each month, this is a challenging task. As a result, you should not just assume that traffic coming from certain sites is automatically safe, or count on the providers to police the activities. It's on you to practice safe computing by keeping your computer secure and to scrutinize each site to figure out whether or not it is legitimate.

Push to replace “hugely insecure” credit card system in U.S after rash of retailer breaches

The ‘magnetic stripe’ credit cards used by American banks should be replaced with the more secure chip-and-PIN systems standard in Europe and around the world – and the recent data breaches suffered by Target, Neiman Marcus and other retailers should be a ‘wake-up call’, according to JP Morgan’s CEO and other security advocates.
Ed Mierzwinski of the U.S. Public Interest Research Group says that the breach has captured public interest in the security of their cards, according to a report by Philly.com, and says that he believes it may catalyze change. “Congress has begun to ask questions,” he said. He describes the current system as viewing fraud as “just a cost of doing business.”
“This cyber-security stuff we’ve now pointed out for a year is a big deal. All of us have a common interest in being protected, so this might be a chance for retailers and banks to, for once, work together,” said JP Morgan CEO Jamie Dimon, according to Business Day Live’s report. Visa and Mastercard have also called for change.
Last week, Dimon described the breach as a “wake-up call”. JP Morgan is the world’s largest issuer of credit cards, according to USA Today’s report, and replaced two million cards in the wake of the breach.
The U.S. accounts for nearly half of the world’s $11.3 billion fraud losses on payment cards, according to the Nilson Report, an industry newsletter.
“The absence of EMV cards and terminals in the U.S. contributes to fraud losses. Adoption of EMV at the point of sale is the strongest defense against counterfeit cards,” Nilson wrote.
In a detailed guide for consumers concerned over the latest breaches ESET’s Lysa Myers writes, “Have you used a credit or debit card in a store in the last three months? If you’re like me, you have, possibly numerous times. If so, you should check all of your credit and debit card accounts today to make sure there have been no fraudulent charges.” Myers offers advice for holders of cards with and without PINs.
EMV terminals take various forms, but cards equipped with the technology are far more difficult to clone, according to Forbes. In Forbes, Adam Tanner points out that even North Korea outpaces America on card security.

“Magnetic stripe card technology is outdated at best––predating the floppy disk by only a year––and hugely insecure at worst,” CNBC commented in a video report on the breaches afflicting American retailers.
Yahoo News UK’s Finance Editor James Andrews says that Europeans find America’s position puzzling, “Despite inventing the credit card, the US has generally lagged behind the rest of the world in finding new uses for plastic. The British invented the ATM in 1967 and the French have had smartcards and PIN verification since 1992.”
“Chip and PIN isn’t perfect, but has led to a big reduction in card fraud in the UK and made card cloning and skimming far harder.”
Describing America as an ‘island’ in a world of EMV or ‘Smart Chip’ cards, CNBC pointed out that not only Europe, but also emerging economies use the more secure EMV system.
Magnetic stripe cards have been used for more than 40 years, having been patented in 1969, speeding up a credit-check process from “minutes” to “seconds” – previously, retailers had to manually check card numbers against a book of “bad” cards issued each month, according to the system’s inventor, Ron Klein, as reported by Yahoo! News.
Gartner analyst Aviva Litan wrote in a blog post, “Bottom line: it’s time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system.”
Smart Chip cards are not immune to fraud – but the PIN codes and ‘Smart Chips’ make many forms of card fraud more difficult.
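Why is a chip so much harder to clone than a stripe? The stripe is static data: whoever reads it once can replay it forever. A chip card instead signs each transaction with a key that never leaves the card, over data that changes every time (the card's own transaction counter and a nonce chosen by the terminal). The added example below is mine, not code from any card scheme, and it is a deliberately simplified model: real EMV cryptograms use a different MAC construction and key derivation, so HMAC-SHA256 here is only a stand-in for the idea. The PAN is a standard test number and every other value is made up.

```python
import hashlib
import hmac
import os


class MagstripeCard:
    """Static track data: whoever reads the stripe holds all that is needed to replay it."""
    def __init__(self, pan, expiry, service_code):
        self.track2 = f"{pan}={expiry}{service_code}"

    def present(self):
        return self.track2


class ChipCard:
    """Per-transaction cryptogram over data that changes every time: the card's
    application transaction counter (ATC) and a terminal-chosen nonce."""
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key      # stays inside the chip; only the issuer has a copy
        self.atc = 0

    def cryptogram(self, amount, terminal_nonce):
        self.atc += 1
        msg = f"{self.pan}|{amount}|{self.atc}|{terminal_nonce.hex()}".encode()
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer host: stripe cards are checked by lookup; chip cards by recomputing the
    MAC and refusing any ATC that is not strictly newer than the last one seen."""
    def __init__(self):
        self.track2_on_file = set()
        self.keys = {}
        self.last_atc = {}

    def enroll_stripe(self, card):
        self.track2_on_file.add(card.track2)

    def enroll_chip(self, card):
        self.keys[card.pan] = card._key
        self.last_atc[card.pan] = 0

    def authorize_stripe(self, track2):
        return track2 in self.track2_on_file

    def authorize_chip(self, pan, amount, terminal_nonce, atc, mac):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False                      # unknown card, replay, or stale counter
        msg = f"{pan}|{amount}|{atc}|{terminal_nonce.hex()}".encode()
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), mac):
            return False                      # amount or nonce tampered with
        self.last_atc[pan] = atc
        return True


def demo():
    issuer = Issuer()
    # A skimmer copies the stripe; the copy authorizes just like the original.
    stripe = MagstripeCard("4111111111111111", "2512", "101")   # test PAN, made-up rest
    issuer.enroll_stripe(stripe)
    stripe_clone_accepted = issuer.authorize_stripe(stripe.present())

    # The chip's cryptogram is accepted once; the captured cryptogram cannot be replayed,
    # and a cryptogram for 25.00 cannot be re-used to authorize 250.00.
    chip = ChipCard("4111111111111111", os.urandom(16))
    issuer.enroll_chip(chip)
    nonce = os.urandom(4)
    atc, mac = chip.cryptogram(2500, nonce)
    genuine_accepted = issuer.authorize_chip(chip.pan, 2500, nonce, atc, mac)
    replay_accepted = issuer.authorize_chip(chip.pan, 2500, nonce, atc, mac)
    nonce2 = os.urandom(4)
    atc2, mac2 = chip.cryptogram(2500, nonce2)
    tampered_accepted = issuer.authorize_chip(chip.pan, 25000, nonce2, atc2, mac2)
    return {"stripe_clone_accepted": stripe_clone_accepted,
            "genuine_accepted": genuine_accepted,
            "replay_accepted": replay_accepted,
            "tampered_accepted": tampered_accepted}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model also shows what the chip does not fix, which is the caveat the article raises: the PAN and expiry are still readable, so a stolen chip card's details remain usable wherever no cryptogram is demanded, such as online purchases.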
“While the Target breach is serious, consumers divulge the same information every time they hand their card to a waiter in a restaurant,” said Paul Schaus, president and CEO of CCG Catalyst Consulting Group, in USA Today‘s report.

PRISM: Obama promises to curtail NSA big data and metadata collection

US president Barack Obama has announced a sweep of reforms designed to curtail and examine the National Security Agency's (NSA) spying powers, in a bid to win back trust following the PRISM campaign.
Obama announced he will be issuing a new presidential directive in a public speech, promising a number of key changes regarding how US intelligence agencies collect and examine data.
"Today I am announcing a series of concrete reforms," he said. "First, I have approved a new presidential directive for our intelligence activities at home and abroad. With it we will now review decisions about intelligence priorities on an annual basis."
Obama promised the reform will see a number of changes regarding the way agencies such as the NSA store data and receive clearance to enact missions. "We will reform procedures to provide greater transparency about our intelligence activities," he said.
These include the creation of a new independent, non-governmental panel of advocates to appear at the secret courts that approve or disapprove operations such as PRISM. There will also be fresh restrictions put in place by the attorney general, on how requests using the US Foreign Intelligence Surveillance Act (FISA) and National Security Letters can be made.
FISA and National Security Letters were used by the NSA to force numerous companies, including Google, Yahoo, Apple and Microsoft, to hand over vast amounts of customer data. The gag provisions attached to such requests mean the companies are not allowed to disclose what information was handed over without risking prosecution.
Obama promised the reforms would help end this process, but failed to disclose exactly how.
"While investigating threats the FBI relies on National Security Letters that require companies to hand over information to the government. We must be more transparent about this," he said.
"I've ordered the attorney general to amend how we use National Security Letters so this secrecy will not be permanent and will end in time. We will also allow information providers to give more information than ever before about what data they've handed to the government."
Obama said the FISA reforms were an essential step in the government's battle to win back international trust following PRISM.
"The new presidential directive will clearly prescribe what we do and do not do when it comes to our overseas activities. US intelligence agencies will only use such data to meet specific needs," he said.
"We will also develop safeguards and create a time limit on how long we can store personal information. People around the world should know the US is not spying on them."
Obama also said that, despite the reforms being made, at no point did the NSA overstep its bounds. "As president, a president who looks at intelligence every morning I can tell you we need to protect against threats. 9/11 is proof of this," he said.
"The men and women of the intelligence community, including the NSA constantly follow protocols. They're not using their powers to listen to your calls or read your private emails. These people are our friends, our family members, our neighbours."
The US president accused several nations of hypocrisy, arguing that they are only upset because US operations are more sophisticated and effective than their own, promising the nation would continue to mount and develop its cyber operations.
"Many countries, including those that feigned surprise following the Snowden revelations, are trying to penetrate our networks," he said. "Our agencies will continue to gather intelligence on foreign governments' intentions. We will not apologise for doing it better."
The PRISM scandal broke in 2013, when whistleblower Edward Snowden leaked documents to the press detailing the NSA's spying operations. The leaks have continued in a steady stream of revelations. Most recently the NSA was shown to have collected and examined 200 million SMS messages per day in 2011.

EU admits Google fines are 'pocket money', urges data protection reforms

Europe needs a much harsher regime to fine businesses that breach data protection laws, as recent penalties handed out to Google are nothing more than “pocket money” to the company.
EU justice commissioner Viviane Reding said plans to reform the data protection laws in Europe must be pushed through, otherwise firms will continue to ride roughshod over the laws as they exist.
She noted that while both French and Spanish authorities have fined Google, the amounts represent a tiny fraction of the company’s income.
“Taking Google's 2012 performance figures, the fine in France [€150,000] represents 0.0003 percent of its global turnover. Pocket money,” she said.
“Is it surprising to anyone that two whole years after the case emerged, it is still unclear whether Google will amend its privacy policy or not? People need to see that their rights are enforced in a meaningful way. If a company has broken the rules and failed to mend its ways, this should have serious consequences.”
Reding said under the new proposals Google would have faced a far harsher penalty that would make it think twice before ignoring data protection laws.
“Europeans need to get serious. And that is why our reform introduces stiff sanctions that can reach as much as two percent of the global annual turnover of a company. In the Google case, that would have meant a fine of €731 million ($1bn). A sum much harder to brush off.”
Reding added, though, that a stronger regime for data protection would not just be a fear tactic to scare businesses into shape, but it would also help provide them with a competitive edge over rivals.
"Our reform will thus not only open the market to companies, it will also help them to conquer this market by helping to build citizens' confidence. And what is more, strong data protection rules will also give companies with serious privacy policies a competitive edge," she said.
Data protection reforms within the EU have been debated for some time, but an agreement between nations has yet to be reached. The UK is concerned that overly prescriptive laws could damage the economy.
Proposals were meant to be in place by 2015 but that date might slip back if member states cannot agree.

NTP DDoS attack takes down League of Legends game servers

The Network Time Protocol (NTP) lets a client request the current time from a specific server. In this case, Schneier explains how NTP-based DDoS is being used to take down gaming networks such as League of Legends.

Q4 has started with a lot of bugs

A lot of League of Legends users are complaining about network problems while they try to play a match. League of Legends has shut down the ranked matchmaking system multiple times in recent days.
The NTP method first began to appear late last year. To bring down a server such as one running "League of Legends," the attackers send small queries to public NTP servers with the source address forged to be the "League of Legends" server, tricking the NTP servers into thinking they've been queried by it.
The NTP servers, thinking they're responding to a legitimate query, send their much larger replies to the "League of Legends" server, overloading it with as many as 100 gigabits per second (Gbps). That's large even for a DDoS attack.
In this way, one small request to an NTP server can generate an enormous response capable of taking down even high-capacity websites, and the victim never sees the requests that caused it.
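From the victim's side the tell-tale sign is simple: large volumes of UDP traffic arriving from source port 123 to hosts that never sent a time query. The following added example is mine, not code from the article or from any of the parties mentioned; it runs that check over a handful of constructed flow records (made-up addresses and byte counts, sized so the sample victim sees the 100 Gbps the article cites) and aggregates the reflected volume per victim. The well-known amplification vector behind these attacks is ntpd's mode 7 monlist command, which returns up to 600 recent client addresses in reply to a few-byte request.

```python
from collections import defaultdict

# Constructed flow records as seen at the edge of the victim's network (not data
# from the League of Legends incident): (src_ip, src_port, dst_ip, dst_port, bytes).
# 192.0.2.0/24 is "our" network; 198.51.100.0/24 holds public NTP servers.
WINDOW_SECONDS = 60
FLOWS = [
    # a normal client query and its reply: the same tiny size in both directions
    ("192.0.2.10", 54321, "198.51.100.1", 123, 48),
    ("198.51.100.1", 123, "192.0.2.10", 54321, 48),
    # reflected traffic: three NTP servers each pour data at a host that never asked them
    ("198.51.100.2", 123, "192.0.2.20", 80, 250_000_000_000),
    ("198.51.100.3", 123, "192.0.2.20", 80, 250_000_000_000),
    ("198.51.100.4", 123, "192.0.2.20", 80, 250_000_000_000),
]


def ntp_reflection_findings(flows, ratio_threshold=10.0):
    """Pair each inbound flow from UDP/123 with what the receiving host sent to that
    server. Legitimate NTP is symmetric (tiny request, tiny reply); reflected traffic
    arrives without any matching request, so the reply/request ratio is huge or infinite."""
    sent = defaultdict(int)   # (server, our_host) -> bytes our host sent to the server
    recv = defaultdict(int)   # (server, our_host) -> bytes the server sent to our host
    for src, sport, dst, dport, nbytes in flows:
        if dport == 123:
            sent[(dst, src)] += nbytes
        elif sport == 123:
            recv[(src, dst)] += nbytes
    findings = []
    for (server, host), rbytes in recv.items():
        sbytes = sent.get((server, host), 0)
        ratio = rbytes / sbytes if sbytes else float("inf")
        if ratio >= ratio_threshold:
            findings.append({"reflector": server, "victim": host,
                             "bytes_in": rbytes, "ratio": ratio})
    return findings


def victim_gbps(findings, window_seconds=WINDOW_SECONDS):
    """Aggregate reflected traffic per victim host, in gigabits per second."""
    per_victim = defaultdict(int)
    for f in findings:
        per_victim[f["victim"]] += f["bytes_in"]
    return {v: b * 8 / window_seconds / 1e9 for v, b in per_victim.items()}


if __name__ == "__main__":
    found = ntp_reflection_findings(FLOWS)
    for f in found:
        print(f"reflector {f['reflector']} -> {f['victim']}: {f['bytes_in']} bytes, ratio {f['ratio']}")
    for victim, gbps in victim_gbps(found).items():
        print(f"{victim}: {gbps:.1f} Gbps of unsolicited NTP")
```

Detection at the victim only tells you what is happening; the traffic has to be dropped upstream or at a scrubbing provider. The lasting fix sits with the reflectors and the spoofers: NTP operators disable the command (`disable monitor` and `restrict default noquery` in ntp.conf, or ntpd 4.2.7p26 or later, where monlist is gone), and networks apply BCP 38 ingress filtering so forged source addresses never leave them.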

[Shocking] Accident on the roller coaster in Orlando park tried to be hidden! FB malware

We have had the Nicki Minaj malware and now it seems that the hackers are trying another scene. The Facebook post claims that they have a video of the roller coaster accident in Orlando Park. The title says that Orlando Park tried to keep the video hidden and that it has now been leaked for you to watch.
Once you click on the link you are redirected to a website hosted in Brazil. There you will find multiple images that try to trick you into believing you are looking at a video. You will see fake Facebook comments below the "video" and, as you already guessed, the video is fake.
Now what do these hackers gain when they trick you:
1. They get a lot of traffic to their website, which they can monitor in order to target people specifically.
2. They can gain access to your Facebook page.
3. They get access to a lot of social media accounts, as this malware shares itself.

10 million Starbucks customers at risk for official iOS app flaw

Security researcher Daniel E. Wood discovered a vulnerability in the Starbucks official iOS app related to the insecure storage of user data.

10 million Starbucks customers who purchase drinks and food using their smartphones are exposed to a serious risk of data breach.
This is yet another story in which a poor implementation of minimum security requirements could have an impact on the end user and their digital identity, just as happened in the Snapchat case.
The official Starbucks iOS app doesn't encrypt user data, including the password. Customers use the app to pay for products from the popular coffee company and to perform operations similar to those on a banking account, such as checking the balance, transferring funds and viewing transaction history.
The security researcher Daniel E. Wood discovered the vulnerability (CVE-2014-0647) in the Starbucks v2.6.1 iOS application. He revealed that the app stores the user's credentials and GPS data in plain text in the following file:
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
Once the location is known, it is quite easy for an attacker with physical access to the handset to retrieve the user's information from the 'session.clslog' file. With those credentials the attacker could gain access to the money available on the customer's Starbucks account.
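The check a mobile app tester would run here is a sweep of the app's sandbox for anything that looks like a credential or a location fix, since a crash-reporter cache is exactly the kind of file nobody thinks to look in. The added example below is mine, not the researcher's or Starbucks' code. It builds a throwaway sandbox containing a constructed file in the style described above (the bundle identifier com.example.app, the key names and every value are invented) and scans the directories where iOS apps keep data.

```python
import os
import re
import tempfile

# Constructed sample in the style of a crash-reporter cache line log; key names and
# values are invented for this example and are not the real file's contents.
SAMPLE_CLSLOG = (
    '{"event":"login","username":"jane@example.com","password":"hunter2"}\n'
    '{"event":"location","lat":47.6097,"lon":-122.3331}\n'
    '{"event":"nav","screen":"Rewards"}\n'
)

# What a tester looks for: secret-like JSON keys, e-mail addresses, coordinate pairs.
PATTERNS = {
    "credential": re.compile(r'"(?:password|passwd|pwd|token|secret)"\s*:\s*"([^"]+)"', re.I),
    "email": re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'),
    "coordinates": re.compile(
        r'"lat(?:itude)?"\s*:\s*(-?\d+\.\d+)\s*,\s*"lon(?:gitude)?"\s*:\s*(-?\d+\.\d+)'),
}

# Locations inside an iOS app sandbox worth sweeping (relative to the app's data container).
SCAN_DIRS = ("Library/Caches", "Library/Preferences", "Documents", "tmp")


def scan_file(path):
    """Return one finding per pattern match, with file, line number and a short excerpt."""
    findings = []
    try:
        with open(path, "r", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for kind, rx in PATTERNS.items():
                    for m in rx.finditer(line):
                        findings.append({"file": path, "line": lineno, "kind": kind,
                                         "excerpt": m.group(0)[:80]})
    except OSError:
        pass   # unreadable or vanished file: skip, don't abort the sweep
    return findings


def scan_sandbox(root):
    """Walk an app's data container (from an unencrypted backup or a jailbroken device)
    and report lines that look like secrets or location data."""
    findings = []
    for sub in SCAN_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def summarize(findings):
    """Count findings per category."""
    return {kind: sum(1 for f in findings if f["kind"] == kind) for kind in PATTERNS}


def build_sample_sandbox():
    """Create a temporary sandbox with a crash-reporter cache file mirroring the
    path layout described above (hypothetical bundle id com.example.app)."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    cache = os.path.join(root, "Library", "Caches", "com.crashlytics.data", "com.example.app")
    os.makedirs(cache)
    with open(os.path.join(cache, "session.clslog"), "w") as fh:
        fh.write(SAMPLE_CLSLOG)
    return root


if __name__ == "__main__":
    sandbox = build_sample_sandbox()
    hits = scan_sandbox(sandbox)
    for h in hits:
        print(f"{h['kind']:11} {os.path.relpath(h['file'], sandbox)}:{h['line']}  {h['excerpt']}")
    print(summarize(hits))
```

Anything this turns up should live in the iOS Keychain (for credentials) or not be written at all (for location fixes), and data handed to a third-party crash reporter should be scrubbed before it leaves the app. Remember that the scan only inspects what the app wrote to disk; an encrypted backup or a locked device does not change what is sitting in that file.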
As usual, the hack could cause further problems for Starbucks clients who used the app if they reuse the same credentials on other web services; the recommendation for anyone who made purchases is to change them immediately and to adopt a different username and password for every service.
If you are using your email password as your Starbucks account password, change it as a first priority. Starbucks has promptly managed the incident, issuing an official statement to inform clients and subsequently providing an advisory to publicize the availability of an app update.
“UPDATE (January 16, 2014 09:00 PM P.S.T.): As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure. Read a letter from Curt Garner, Starbucks chief information officer, regarding customer information and Starbucks Mobile App for iOS”
The company remarked that there is no evidence its customers have been impacted, but I still suggest following the advice above.
"We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised." The company is asking its customers to report any suspicious activity or fraud.
It’s time to take the security of mobile apps seriously: such flaws represent a serious threat to a user’s security and privacy, and the situation is particularly alarming for mobile banking, a sector favoured by cybercriminals.
The situation is no different for mobile applications in the workplace: a growing number of applications are developed by enterprises for internal use, and here too security is a must, since a flawed app could expose the company to cyber attack.
Back to the Starbucks app … even enjoying a cup of coffee can be dangerous. In Naples we say:
"Excuse me, coffee makes me nervous"