
Mobile Zeus malware found targeting BlackBerry devices

 A new form of the infamous Zeus banking Trojan has been uncovered targeting Research in Motion’s (RIM) BlackBerry devices, according to Kaspersky Lab.

The Kaspersky researchers reported finding several new samples of the Zitmo (Zeus in the mobile), one of which was targeting the BlackBerry platform, on Tuesday.

The Zitmo variant has reportedly been operating for at least two years targeting Android phones by masquerading as a banking security application or security add-on.

Previously the BlackBerry ecosystem has not been a common target for attackers, despite its ties to several high-profile government and financial institutions.

This is largely due to BlackBerry devices running on RIM’s corporate servers with strong security, which includes a number of features like file encryption, password security and remote wipe powers.

The new Zeus variant shares its predecessor’s goal and is mainly designed to steal online banking credentials from users.

The new version targeting BlackBerry devices reportedly does this by forwarding incoming SMS messages to the command and control device operated by the criminals.

The tactic is designed to help the criminals circumvent the out-of-band authentication systems used by many European banks, by hijacking the one-time authentication password sent via SMS.

The Zeus variant's discovery comes amid widespread reports from security vendors that mobile malware levels are booming.

The majority of the attacks are reported to be targeting the Android ecosystem, a pattern that will likely continue in the near future, according to security firm Trend Micro, which published its own threat report in July.


The policy that helped Anonymous hack AAPT

How vigilant is your host or public cloud provider?

Anonymous’ theft of data from a dormant AAPT server might not have been possible had the telco used a different host.

AAPT has said the Cold Fusion server Anonymous accessed was, essentially, forgotten. In its un-patched state it was therefore easy meat.

If you doubt that’s a fact, consider the evergreen market for network discovery tools that scour a network and report back with a list of every piece of attached kit. Consider, too, the phenomenon of virtual machine sprawl, which raises its head when IT departments summon oodles of virtual machines into existence and then forget them.

Lost servers on a LAN aren’t a big deal. But the Anonymous/AAPT incident shows hosted servers rather raise the stakes.

Which is why we decided to ask several hosting and cloud providers what they do when they see an orphaned server. Telstra, Optus and AWS have not responded to those queries.

But Melbourne IT, where AAPT’s server resided, has, explaining its stance as follows:

In Melbourne IT’s hosting environment there are either active servers or decommissioned servers. Customers use their servers for different purposes, whether they be production environments, testing environments or disaster recovery services. Some servers could be kept on standby by customers for business continuity or for changing project demands; others exist for regulatory compliance where data needs to be stored for a certain number of years.

How customers decide to use their servers can change from month to month or year to year. How often the content on those servers is updated, or what content is stored on those servers, is at the customer’s discretion. Given such a wide range of usage by our customers, the concept of a ‘dormant server’ does not exist.

Therefore all active servers are treated as active unless we have received notice from the customer to decommission the service (or Melbourne IT decommissions the server due to a breach of contract by the customer). Decommissioned servers are removed from the active server pool and the data is erased.

In other words, if you forget about a server hosted at Melbourne IT and keep paying for it, the company will run it forever.


Android Malware App

Android Malware App Covertly Makes Purchases On China Mobile Market

There seems to be a trend towards malware on the Android platform that extorts money from the user somehow, either through premium SMS or services, or, in the case of the latest trojan, by covertly purchasing apps from the mobile market.

We first wrote about Android Antivirus software from Symantec back in 2010 and it seems like recently, it’s becoming more necessary.

DroidDream malware started proliferating in the app store last year, in 2011, and there was the article about China Facing Problems With Android Handsets & Pre-installed Trojans.

Security researchers are warning of yet another Android malware outbreak which has spread to nine app stores and infected 100,000 devices with code designed to covertly purchase apps and content from China Mobile’s Mobile Market.

Mobile security firm TrustGo explained that the MMarketPay.A Trojan could be hidden in a number of legitimate-looking applications, including those from Sina and media streaming company Funinhand, as well as travel and weather apps.

The malware has already been placed in nine different third party Android app markets in China, infecting over 100,000, the firm said. Once downloaded, the Trojan will automatically place orders for paid content and apps at China Mobile’s official Mobile Market online store without informing the user. It is able to intercept China Mobile’s verification SMS and post the code to the Mobile Market web site in order to complete the purchase, said TrustGo.

In the event of CAPTCHA being triggered at this stage, the malware will apparently send the relevant image to a remote server for analysis.

It seems to be happening most of all in China; this isn’t the first time and I guess it won’t be the last. I attribute it to the fact it’s a fairly new smartphone market and the sheer number of people there makes it very attractive to develop this kind of money making malware.

Just get it out there to a few million people (an extremely small percentage of the population in China) and you’re rich. China is being flooded with cheap Android handsets and tablets, so I’d expect to see more of these threats coming from there in the coming months.

The advice from the security experts at TrustGo is for users to only download Android apps from trusted app stores and to have some form of real-time mobile security scanner installed on their device to prevent any dodgy downloads.

Visiting an apparently legit app store is no guarantee you’re going to get a malware-free experience, however. Malware is frequently turning up on the official Android marketplace Google Play – although admittedly less frequently than on some of the more dubious third party sites.

The latest discovery came at the tail end of last week when researchers found malware that lifts the victim’s location data and address book info. China in particular has been a hotbed of malicious Android activity for some time.

In April, the Chinese authorities were forced to publicly reprimand the country’s two biggest mobile carriers, China Mobile and China Telecom, after uncovering “many problems” in their respective app stores. Globally too, Android continues to be a favourite with cyber criminals.

So…if you live in China, and use an Android handset – be extremely careful! If not, you should be pretty safe, we aren’t seeing much of this type of malware outside of China – or any kind of Android malware really.

Even though there have been some serious flaws, like the one covered in Critical Zero Day Adobe Flash Flaw Puts Android Phones At Risk.

The scariest part for me is how smartly this trojan has been developed, it can place orders, intercept the verification SMS and provide it back to the app store – that’s pretty impressive!


Yahoo! Voices Hacked

Yahoo! Voices Hacked With SQL Injection – Passwords In Plaintext

There have been a few HUGE cases of large sites being hacked and exposing either plaintext or extremely poorly encrypted passwords; it happened to LinkedIn not that long ago, and the latest case is Yahoo!’s.

It wasn’t the main site, but with almost half a million username and password combos exposed – it’s a fairly large leak. It came from the Yahoo! Voices subdomain (Yahoo! Contributor Network) and seems to have been carried out with a fairly basic UNION type SQL Injection.

I imagine the database or old part of the site that powered the Yahoo! Contributor Network was developed way back in history before secure programming was as big (and as prominent) as it is now, and before frameworks took care of most of the security nuts and bolts.

A Yahoo security breach that exposed 450,000 usernames and passwords from a site on the huge web portal indicates that the company failed to take even basic precautions to protect the data.

Security experts were befuddled Thursday as to why a company as large as Yahoo would fail to cryptographically store the passwords in its database. Instead, they were left in plain text, which means a hacker could easily read them.

“It is definitely poor security,” Marcus Carey, a security researcher at Rapid7, said. “It’s not even security 101. It’s basic application development 101.”

Yahoo declined a request for an interview, and only emailed a statement confirming the breach that occurred Wednesday. The company said that an “older file” containing roughly 450,000 user names and passwords was stolen from its Contributor Network, a subset of Yahoo’s massive network of Web sites. Membership in the Contributor Network consists of freelance journalists who write content for Yahoo Voices. The network was established following Yahoo’s 2010 acquisition of Associated Content.

Less than 5 percent of the stolen data had valid passwords, Yahoo said. “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised,” the statement said.

Yahoo! seemed to have taken action fairly quickly, but still this is a very sloppy example of data security – even if it was an old system and a defunct one at that.

Unsurprisingly, the top 5 most common passwords in this data set were extremely easy to guess:

  • 123456
  • password
  • welcome
  • ninja
  • abc123

Ninja is a new entrant, though; I don’t remember that being in the old common password lists, such as those in this article: The Top 10 Most Common Passwords

The breach had ramifications far beyond Yahoo, because the portal allowed people registering with the Contributor Network to use credentials from other sites to log in. Carey identified some of the other sites as Google’s Gmail, Microsoft’s Hotmail, AOL, Comcast and Verizon.

A hacker group called D33Ds Company took credit for the breach, and posted a statement on its website saying the attack was a warning. “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the group said, according to media reports. “There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.”

The hackers claimed to use a common attack method called a SQL injection to access the database that fed the server hosting the site. A SQL injection typically involves sending commands through a search field or a URL to break into a poorly secured site. Tony Perez, chief operating officer for Sucuri, who used to work with defense contractors in developing secure applications, said Yahoo’s overall security lapses were a disservice to its users. “It makes you wonder. If a property like Yahoo at that scale is doing that, and they did it for their Yahoo Voices, what’s the probability of that also occurring in their other properties?”
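The search-field injection described above, as an added example that is not from the article or from Yahoo!'s code: a search query built by string concatenation next to its parameterised form, run against a constructed in-memory SQLite database with an articles table that is meant to be searchable and a users table holding plaintext passwords, as in the breach. The table names, rows and the textbook UNION term are all constructed for the demo.

```python
import sqlite3

# Constructed demo database: the searchable content table plus a users table
# that the search endpoint was never meant to expose.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (title TEXT, body TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO articles VALUES ('Mobile Zeus', 'Zitmo targets BlackBerry');
        INSERT INTO users VALUES ('alice', '123456'), ('bob', 'ninja');
    """)
    return db

def search_vulnerable(db, term):
    # The search term is pasted straight into the SQL text. A term that closes
    # the quote can append a UNION and read rows from any other table, which is
    # the "basic UNION type" injection the breach was attributed to.
    sql = "SELECT title, body FROM articles WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_safe(db, term):
    # The SQL text is fixed and the term travels as a bound parameter, so the
    # engine treats it purely as data, quotes and keywords included.
    sql = "SELECT title, body FROM articles WHERE title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

def demo():
    """Run the same (textbook, constructed) search term through both paths."""
    db = make_db()
    term = "' UNION SELECT username, password FROM users --"
    leaked = search_vulnerable(db, term)   # articles plus every users row
    safe = search_safe(db, term)           # no article title contains that text
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable path returned:", leaked)
    print("parameterised path returned:", safe)
```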

The Yahoo breach occurred a month after professional social networking site LinkedIn acknowledged that 6.5 million usernames and passwords were stolen and posted on a Russian hacker forum. In that case, the passwords had been stored using a cryptographic method called hashing.

At least LinkedIn had the passwords hashed, albeit without salting, so they were pretty secure (but still not secure enough). Please hash, salt, keep an additional secret in a file on disk outside the database; oh, there are so many things developers can do to make sure that if their system does get cracked, the damage is limited.
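The three measures listed above (hash, per-user salt, a secret kept in a file outside the database), as an added example that is not from the article: a PBKDF2-HMAC-SHA256 password record format with a random salt per user and a site-wide secret ("pepper") mixed in from a file the database dump does not contain. The record format, the file path and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Assumption: tune so one hash costs roughly 100 ms on the login server.
ITERATIONS = 200_000

def load_pepper(path):
    """Read the site-wide secret from a file on disk (path is an assumption).

    It lives outside the database, so a dump of the users table alone gives an
    attacker neither plaintext nor hashes they can test offline.
    """
    with open(path, "rb") as f:
        return f.read().strip()

def hash_password(password, pepper, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)  # fresh per user
    # The pepper is mixed into the password input, not stored with the record,
    # so two users with "123456" get different digests and neither can be
    # recomputed without the on-disk secret.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper,
                                 salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored, pepper):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper,
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo():
    """Two users choose the same weak password from the leaked top-5 list."""
    pepper = b"constructed-demo-pepper"  # production: load_pepper("/etc/app/pepper")
    alice = hash_password("123456", pepper)
    bob = hash_password("123456", pepper)
    return (alice != bob,                              # salting: no shared digest
            verify_password("123456", alice, pepper),  # correct password passes
            verify_password("ninja", alice, pepper))   # wrong password fails

if __name__ == "__main__":
    print(demo())
```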

But do they do it? Well, mostly no, because product owners/managers are pushing out things with feature-set being the priority and anything else being pretty much unimportant.

It does make you wonder though, Yahoo! as an organization – how do they store their passwords for other web properties? I wouldn’t be surprised if it’s done with equal slackness.


chapcrack – parsing and decrypting MS-CHAPv2

chapcrack – A tool for parsing and decrypting MS-CHAPv2 network handshakes.

chapcrack is a tool for parsing and decrypting MS-CHAPv2 network handshakes. It was announced recently at Defcon, as we read over here: Marlinspike demos MS-CHAPv2 crack.

The process is as follows:

  1. Obtain a packet capture with an MS-CHAPv2 network handshake in it (PPTP VPN or WPA2 Enterprise handshake, for instance).
  2. Use chapcrack to parse relevant credentials from the handshake (chapcrack parse -i path/to/capture.cap).
  3. Submit the CloudCracker token to www.cloudcracker.com
  4. Get your results, and decrypt the packet capture (chapcrack decrypt -i path/to/capture.cap -o output.cap -n )

If you are interested in a much more in-depth, technical explanation – you can read more here:

Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate

Using this attack they have a 100% success rate of cracking DES hashes within ~23 hours.


How one bad algorithm cost traders $440m

A look at the worst software testing day ever

Knight Capital, a firm that specialises in executing trades for retail brokers, took $440m in cash losses Wednesday due to a faulty test of new trading software. This morning reports were calling it a trading “glitch”, which isn’t nearly as accurate as the term I’d use: “f**king disaster”.

The broad outline of the story is here and more colourful, bloody details are here.

But somehow – and this will probably be the subject of several lawsuits, books, and maybe even a Broadway musical – the software didn’t behave as expected. It went out and did what it was designed to do: execute lots and lots of trades very, very quickly.

Unfortunately, the trading algorithm the program was using was a bit eccentric as well. On every stock exchange, there is a “bid” and an “ask” price. The bid price is what you’d pay the holder of the stock if you want to buy their shares. The ask price is what they’ll pay to buy those same shares from you. There’s always a spread between the two prices, with the “bid” being a few cents or more above the “ask”. If the stock is thinly traded, then the spread between the bid and the ask is higher than what you’d see for, say, IBM.

Knight Capital’s software went out and bought at the “market”, meaning it paid bid price and then sold at the ask price – instantly. Over and over and over again. One of the stocks the program was trading, electric utility Exelon, had a bid/ask spread of 15 cents. Knight Capital was trading blocks of Exelon common stock at a rate as high as 40 trades per second – and taking a 15 cent per share loss on each round-trip transaction. As one observer put it: “Do that 40 times a second, 2,400 times a minute, and you now have a system that’s very efficient at burning money”.

As the program continued its ill-fated test run, Knight’s fast buys and sells moved prices up and attracted more action from other trading programs. This only increased the amount of losses resulting from their trades to the point where, at the end of the debacle 45 minutes later, Knight Capital had lost $440m and was teetering on the brink of insolvency.

They may get at least a partial reprieve. The NYSE will reverse trades in six stocks during the time period when the prices were at least 30 per cent outside the normal trading range for the stocks. This will significantly defray much of Knight Capital’s losses for the day, but we don’t know if it’s enough to allow the firm to survive the blow.

We also don’t yet know exactly what happened. I find it hard to believe that the software was so faulty that it could just go into berserker mode and start wildly trading. Seems to me that that’s the type of issue that ISV regression testing would find and correct right away. On the other hand, I don’t think that the Knight Capital IT guys would just fire the program up for testing and not put in solid parameters to ensure that it doesn’t play with real money.

I think we’ll find that the culprit was a combination of ISV software bugs, bad documentation, and human error from Knight Capital. In short, plenty of blame to go around. But apportioning blame will have to wait until the forensics are complete. Then will come the lawsuits, settlements, high-level blue-ribbon commission hearings, and, finally, the insider tell-all books. Put me down for a Kindle version of the books, please. ®


Reuters suffers double hack

Call it a “psy-ops” attack, if you like: Reuters has suffered the embarrassment of having two platforms infiltrated and used to spread propaganda messages supporting the Syrian regime.

The newswire’s woes began on Friday, August 3, when attackers gained access to its blogging platform and posted false stories attributed to Reuters journalists. This included a post claiming to be an interview with Free Syrian Army (FSA) head Riad al-Assad foreshadowing a pull-out from northern Aleppo.

After Reuters took the blogging platform offline, the attackers directed their attention to a Twitter account operated by the agency, changing @ReutersTECH to @ReutersME and slotting in propagandistic and absurd posts (screenshot from @worldwidenieuws).

This included the improbable claim that the US intended to punish Egypt for a demonstration at which protesters chanted “Monica” at Hilary Clinton, claims that America never stopped funding Al Qaeda, and (predictably enough) alleged reports of heavy FSA losses in Aleppo.

The Twitter hijacker’s parting shot drew in Zionist propaganda, stating that Reuters was planning a shareholders’ meeting to investigate “Rothschild’s ‘iron grip’ over decision-making process”.

As Christian Science Monitor notes, such “ham-handed” propaganda probably doesn’t have much impact (Indeed, in El Reg’s experience, it’s easier and more effective to punk newswires with urban myths, but that’s another story). ®
