Top Apps Largely Forgo Windows Security Protections

July 1, 2010

Many of the most widely used third-party software applications for Microsoft Windows do not take advantage of two major lines of defense built into the operating system that can help block attacks from hackers and viruses, according to research released today.

Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

These protections are available to any applications built to run on top of the operation system. But according to a new analysis by software vulnerability management firm Secunia, half of the third party apps they looked at fail to leverage either feature.

As indicated by the chart to the right, Secunia found that at least 50 percent of the applications examined — including Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and AOL‘s Winamp — still do not invoke either DEP or ASLR. Secunia said DEP adoption has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors.

“If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly,” wrote Alin Rad Pop, a senior security specialist at Secunia. “While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms. If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attackers choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.”

Continue reading

Security Updates for Adobe Acrobat, Reader

June 29, 2010

Adobe Systems Inc. is urging users to update installations of Adobe Reader and Acrobat to fix a critical flaw that attackers have been exploiting to break into vulnerable systems.

The update brings Adobe Acrobat and Reader to version 9.3.3 (another update for the older 8.2 line of both products brings the latest version to v. 8.2.3). Patches are available for Windows, Mac, Linux and Solaris versions of these programs. Adobe’s advisory for this update is here, and the Reader update is available from this link — or by opening the program and clicking “Help” and “Check for Updates.” If you download the update from the Adobe Reader homepage, you’ll end up with a bunch of other stuff you probably don’t want (see below, after the jump for more on this).

If you use Adobe Reader or Acrobat, please take a moment to update this software. Users may also want to consider switching to other free PDF readers that are perhaps less of a target for malicious hackers, such as Foxit Reader, Nitro PDF Reader, and Sumatra.

Continue reading

Advertisement

e-Banking Bandits Stole $465,000 From Calif. Escrow Firm

June 28, 2010

A California escrow firm has been forced to take out a pricey loan to pay back $465,000 that was stolen when hackers hijacked the company’s online bank account earlier this year.

In March, computer criminals broke into the network of Redondo Beach based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

Owner Michelle Marisco said her financial institution at the time — Professional Business Bank of Pasadena, Calif. – normally notified her by e-mail each time a new wire was sent out of the company’s escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.

The thieves also defeated another anti-fraud measure: A requirement that two employees sign off on any wire requests. Marisco said that a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on both Marisco’s computer and the PC belonging to her assistant, the second person needed to approve transfers.

As a guarantor of payment for residential real estate transactions, Village View Escrow holds other peoples’ money until the sale of a property is complete. Failure to come up with the funds when a real estate deal is finalized can spell bankruptcy and possibly worse for an escrow provider. Since the incident, Marisco has had to take out a $395,000 loan at 12 percent to cover the loss (she managed to get $70,000 in wires reversed).

“I’m working for nothing right now, and can’t afford to pay myself,” Marisco said in a phone interview.

Officials from Professional Business Bank did not immediately return calls seeking comment.

Continue reading

Anti-virus is a Poor Substitute for Common Sense

June 25, 2010

Common sense always speaks too late.” — Raymond Chandler

A new study about the (in)efficacy of anti-virus software in detecting the latest malware threats is a much-needed reminder that staying safe online is more about using your head than finding the right mix or brand of security software.

Last week, security software testing firm NSS Labs completed another controversial test of how the major anti-virus products fared in detecting malware pushed by malicious Web sites: Most of the products took an average of more than 45 hours — nearly two days — to detect the latest threats.

The two graphs below show the performance of the commercial versions of 10 top anti-virus products. NSS permitted the publication of these graphics without the legend showing how to track the performance of each product, in part because they are selling this information, but also because — as NSS President Rick Moy told me — they don’t want to become an advertisement for any one anti-virus company.

That’s fine with me because my feeling is that while products that come out on top in these tests may change from month to month, the basic takeaway for users should not: If you’re depending on your anti-virus product to save you from an ill-advised decision — such as opening an attachment in an e-mail you weren’t expecting, installing random video codecs from third-party sites, or downloading executable files from peer-to-peer file sharing networks — you’re playing Russian Roulette with your computer.

Continue reading

Exploiting the Exploiters

June 23, 2010

Most computer users understand the concept of security flaws in common desktop software such as media players and instant message clients, but the same users often are surprised to learn that the very software tools attackers use to break into networks and computers typically are riddled with their own hidden security holes. Indeed, bugs that reside in attack software of the sort sold to criminals are extremely valuable to law enforcement officials and so-called “white hat” hackers, who can leverage these weaknesses to spy on the attackers or interfere with their day-to-day operations.

Administrative page from a live Crimepack exploit kit.

Last week, French security researchers announced they had discovered a slew of vulnerabilities in several widely used “exploit packs,” stealthy tool kits designed to be stitched into hacked and malicious sites. The kits — sold in the underground for hundreds of dollars and marketed under brands such as Crimepack, Eleonore, and iPack — probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to quietly install malicious software.

Speaking at the Syscan security conference in Singapore, Laurent Oudot, founder of Paris-based TEHTRI Security, released security advisories broadly outlining more than a dozen remotely exploitable flaws in Eleonore and other exploit packs. According to TEHTRI, some of the bugs would allow attackers to view internal data stored by those kits, while others could let an attacker seize control over sites retrofitted with one of these exploit packs.

“It’s time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues,” Oudot wrote in a posting to the Bugtraq security mailing list.

Continue reading

Security Updates for Firefox, Opera Browsers

June 23, 2010

Mozilla has shipped a new version of Firefox that corrects a number of vulnerabilities in the browser. Separately, a new version of Opera is available that fixes at least five security flaws in the software.

Firefox version 3.6.4 addresses seven security holes ranging from lesser bugs to critical flaws. Mozilla says this latest version of Firefox also does a better job of handling plugin crashes, so that if a plugin causes problems when the user browses a site, Firefox will simply let the plugin crash instead of tying up the entire browser process. Firefox should auto-update (usually on your next restart of the browser), but you can force an update check by clicking “Help,” and then “Check for Updates” (when I did this, I noticed that in its place was the “Apply Downloaded Update Now,” option, indicating that Firefox had already fetched this upgrade.

Mozilla also shipped, 3.5.10, an update that fixes at least nine security vulnerabilities in its 3.5.x line of Firefox. The software maker will only continue to support this version of Firefox for another couple of months, so if you’re on the 3.5.x line, you might consider upgrading soon (don’t know which version you’re using, click “Help” and “About Mozilla Firefox”).

Opera’s update brings the browser to version 10.54, which corrects a few critical vulnerabilities. Opera now includes an auto-update feature, so Opera users may already have been notified about this update (I wasn’t). In any case, Opera is urging users to upgrade to the latest version, available here.

The Case for Cybersecurity Insurance, Part I

June 22, 2010

In very few of the many stories I’ve written about online banking fraud against businesses has insurance paid for much — if any — of the losses victim companies suffered. However, several victims I’ve interviewed in recent incidents did have cybersecurity insurance coverage bundled as part of larger business risk insurance policies. In each case, the businesses suffered fairly substantial thefts, and appear likely to recoup all of their direct financial losses.

The most recent incident involved Golden State Bridge Inc., a Martinez, Calif. engineering and construction company that builds bridges. The thieves used an extremely stealthy but as-yet-unclassified strain of malicious software to steal the company’s online banking credentials, and on May 19th, the crooks used that access to set up a series of fraudulent payroll payments totaling more than $125,000.

Initially, the attackers set up two batches of automated clearing house (ACH) payments –one for $50,000 and another for $75,000 – effectively sending a series of transfers to a dozen different money mules, willing or unwitting individuals lured into helping the criminals launder stolen funds by wiring the funds overseas and taking a small commission (usually 8 percent) for themselves.

When the first two batches were processed by Golden State’s bank on May 20, the thieves apparently figured they were home free, and set in motion another seven bundles of fraudulent payments for several hundred thousand dollars more, according to Ann Talbot, the company’s chief financial officer.

“Once they executed those first two successfully, they must have been like, ‘Oh, we’ve hit the mother lode! Let’s go for it!’,” Talbot recalled. “Had they succeeded in putting those through, we and the bank would have been looking at losses of more than $750,000.”

But Talbot noticed the fraudulent transfers the day the money started moving out of Golden State’s accounts, and sprang into action to get the seven new batches canceled. Unfortunately, by that point most of the mules who were sent loot in the first two batches had already withdrawn their transfers.

Talbot said nearly all of the money mules were located on the East Coast, which she believes is a tactic designed to give the attackers the longest head start possible before West Coast victims notice the fraudulent transfers.

“These mules were with East Coast banks, and most of them had [withdrawn] the money from their banks before we were even open for business,” Talbot said.

For what it’s worth, I observed this same pattern of the thieves relying mainly East Coast mules in an earlier post, Charting the Carnage from eBanking Fraud.

SECRET QUESTION CHECKUPS

Like many financial institutions serving primarily business customers, the California Bank of Commerce — Golden State’s bank — pushes most of the security and authentication for its online banking systems out to customers, requiring a simple username and password, and occasionally prompting customers to provide the correct answer to one or more of their “secret questions”.

Read more after the jump….

Continue reading

A Spike in Phone Phishing Attacks?

June 20, 2010

A couple of readers have written in to say they recently received automated telephone calls warning about fraud on their credit card accounts and directing them to call a phone number to “verify” their credit card numbers. These voice phishing attacks, sometimes called “vishing,” are a good reminder that today’s scam artists often abuse a range of modern technologies to perpetrate old-fashioned fraud.

Graphic courtesy Internet Identity

Phone phishing schemes often begin with a pre-recorded message that prompts the recipient to call a supplied telephone number — frequently a toll-free line. Usually, the calls will be answered by an interactive voice response system designed to coax account credentials and other personal information from the caller.

Lures for these telephone phishing attacks also are sent via text message, a variant also known as smishing. Indeed, the Sacramento Bee warned last week that residents in the area were receiving text messages spoofing the Yolo Federal Credit Union.

A new report (PDF) from anti-phishing vendor Internet Identity found that credit unions continue to be a favorite target of smishing attacks, and that text-to-phone scams used a toll-free number in about half of the lures sent in the first quarter of 2010.

Internet Identity also tracked at least 118 smishing attacks in the first quarter of 2010, although the company said that number represents a 40 percent drop in these scams over the last three months of 2009.

It may be hard to imagine how many people actually fall for these scams, but you might be surprised. In March 2008, I wrote about an extremely complex vishing attack that targeted customers of multiple credit unions. A source I interviewed for that story later managed to make a copy of one of the servers that these crooks used to accept incoming calls for this scam, which ran uninterrupted from Jan. 13, 2008 to Feb. 21. From that story: “During that time, the phishers sent millions of text messages, and records from that server show that roughly 4,400 people called the fake bank phone number as directed. Out of those, 125 people entered their full credit/debit card number, expiration and PIN.”

Have you or someone you know recently received one of these scam phone calls or texts? Sound off in the comments below.

Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message

June 17, 2010

Operating and planting an ATM skimmer — cleverly disguised technology that thieves attach to cash machines to intercept credit and debit card data — can be a risky venture, because the crooks have to return to the scene of the crime to retrieve their skimmers along with the purloined data. Increasingly, however, criminals are using ATM skimmers that eliminate much of that risk by relaying the information via text message.

[NOTE TO READERS: The Today Show this morning ran an interview with me for a segment they produced on ATM skimmers.]

Visit msnbc.com for breaking news, world news, and news about the economy

This latest entry in my series on skimmers includes a number of never before published pictures of a cell-phone based skimmer set that sends stolen bank card data to the attacker using encrypted text messages. The following images were obtained directly from a skimmer maker who sells them on a very well-protected online fraud forum. This particular craftsman designs the fraud devices made-to-order, even requesting photos of the customer’s targeted ATMs before embarking on a sale.

Just as virus writers target Windows in large part because it is the dominant operating system on the planet, skimmer makers tend to center their designs around one or two ATM models that are broadly deployed around the globe. Among the most popular is the NCR 5886, a legitimate, unadulterated version of which is pictured below.

This skimmer I’m writing about today sells for between $7,000 and $8,000 USD, and includes two main components: The actual card skimmer device that fits over the card acceptance slot and records the data that is stored on the back of any ATM cards inserted into the device; and a metal plate with a fake PIN pad that is designed to sit directly on top of the real PIN pad and capture the victim’s personal identification number (PIN) while simultaneously passing it on to the real PIN pad underneath.

Not all skimmers are so pricey: Many are prefabricated, relatively simple devices that fraudsters attach to an ATM and then collect at some later point to retrieve the stolen data. The trouble with these devices is that the fraudster has to return to the compromised ATM to grab the device and the stolen data stored on it.

In contrast, wireless skimmers like the one pictured below allow the thief to receive the stolen card data from anywhere in the world, provided he or she has a working cell phone signal.

The actual card skimmer in this seller’s model is quite small, and yet includes both a magnetic strip reader and a tiny radio that sends the collected data (known as “dumps” in fraud circles) in an encrypted format to a device built into the PIN pad (more on that in a moment).

Here are a few photos of the razor thin skimmer that comes with this kit:

Card skimmer with track reader and radio, front side.

And here’s a view of the electronics that powers this little thief:

The card skimmer, reverse view

Continue reading

Drug Charges Against Accused AT&T/iPad Hacker

June 17, 2010

A hacker in a group that discovered the AT&T iPad-related flaw was arrested on drug charges following the execution of an FBI search warrant of his home in Arkansas on Tuesday, according to published reports.

CNET’s Elinor Mills writes that the FBI found a broad selection of narcotics at the home of a man tied to “Goatse Security,” the group that recently claimed responsibility for extracting contact information on more than 114,000  iPad customers from AT&T’s Web site.

From the CNET story:

Andrew Auernheimer, 24, was being held in Washington County Detention Center in Fayetteville, Ark., according to Lt. Anthony Foster of the Washington County Sheriff’s office in that state. The drugs were found during the execution of the warrant, said Lt. Mike Perryman, of the Fayetteville Police Department. However, Perryman could not say what prompted the warrant.

Auernheimer, who goes by the name “Escher” and the hacker handle “Weev,” faces four felony charges of possession of a controlled substance and one misdemeanor possession charge, Foster said. The drugs included cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals, he said.

Spiegelmock and Auernheimer speaking at Toorcon 2006

Auernheimer is quite a colorful character. I met him in 2006 at the Toorcon security conference in San Diego, where he and Mischa Spiegelmock – an employee for blogging service LiveJournal – were delivering a talk on what they claimed was an unpatched security flaw in Mozilla’s Firefox browser that hackers were supposedly attacking to compromise Web surfers. At the time, Auernheimer introduced himself as Andrew “Weev” Wbeelsoi.

That presentation — which called on security researchers everywhere to stop publicizing and fixing software security vulnerabilities — was at times hilarious and bizarre. Weev started out by informing the audience that he was delivering his speech while tripping on acid. When I followed up with Weev after that talk to get more details on their claims, it was fairly plain that he wasn’t kidding about the acid trip. However, the two hackers would later admit to me that they didn’t really have the zero day exploits that they claimed, and that they were just trying to have a little fun with the security industry.