Posts Tagged: Diginotar


18
Jun 13

Windows Security 101: EMET 4.0

Several years ago, Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help Windows users beef up the security of third-party applications. This week, Microsoft debuted EMET 4.0, which includes some important new security protections and compatibility fixes for this unobtrusive but effective security tool.

EMET's main window.

The main window of EMET 4.0

First, a quick overview of what EMET does. EMET allows users to force applications to use several key security defenses built into Windows — including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you’ll need to have Microsoft’s .NET Framwork 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.

However, EMET includes several important security features that can help fortify third-party applications on XP. Namely, its “Structured Exception Handler Overwrite Protection,” or SEHOP protection, which guards against the most common technique for exploiting stack overflows on Windows. Microsoft says this mitigation has shipped with Windows ever since Windows Vista Service Pack 1.

In addition to a revised user interface, EMET 4.0 includes a handful of new features that were bundled with the 3.5 tech preview version, such as novel methods of blocking an exploit technique called return-oriented programming (ROP). Attackers can leverage ROP to bypass DEP protections by using snippets of code that are already present in the targeted application.  

One of the much-hyped new capabilities of EMET 4.0 is its “certificate trust” feature, which is designed to block so-called “man-in-the-middle” attacks that leverage counterfeit SSL certificates in the browser. The past few years saw several attacks that impersonated Webmail providers and other top Internet destinations using fraudulent digital certificates obtained by certificate authorities, including Comodo, DigitNotar and Turktrust. This feature is a nice idea, but it seems somewhat clunky to implement, and only works to protect users who browse the Web with Internet Explorer. For tips on configuring and using this feature of EMET, check out this post.

Continue reading →


14
Jun 13

Iranian Elections Bring Lull in Bank Attacks

For nearly nine months, hacker groups thought to be based in Iran have been launching large-scale cyberattacks designed to knock U.S. bank Websites offline. But those assaults have subsided over the past few weeks as Iranian hacker groups have begun turning their attention toward domestic targets, launching sophisticated phishing attacks against fellow citizens leading up to today’s presidential election there.

Phishing email targeting Iranians. Source: Google.

Phishing email targeting Iranians. Source: Google.

Since September 2012, nearly 50 U.S. financial institutions have been targeted in over 200 distributed denial of service (DDoS) attacks, according to the U.S. Department of Homeland Security. A Middle Eastern hacking collective known as the Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the assaults, and U.S. intelligence officials have repeatedly blamed the attacks on hacker groups backed by the Iranian government.

But roughly three weeks ago, experts began noticing that the attacks had mysteriously stopped.

“We haven’t seen anything for about three weeks now,” said Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry coalition that disseminates data about cyber threats to member financial institutions. “It’s not clear why [the attacks stopped], but there are a lot of things going on in Iran right now, particularly the presidential elections.”

Meanwhile, data collected by Google suggests that the attackers are focusing their skills and firepower internally, perhaps to gather intelligence about groups and individuals supporting specific candidates running for Iran’s presidential seat. In a blog post published this week, Google said that it is tracking a “significant jump” in the overall volume of phishing activity in and around Iran.

Continue reading →