Welcome! When the best offense is a good defense, you’ve come to the right place. Given the ever-changing landscape of technology threats, that couldn’t be more true. Each week, we’ll cover current security threats, patches and issues that affect you and your business. And when something really big happens, we’ll post on Twitter and update this page with all the details you need to stay safe. Read on!

Venom

We’ve had some big security issues over the past year. But Venom isn’t going to be one of them, despite the name. Sometimes, it’s easy to get carried away by the hype and hyperbole. If we’re doing our job right, though, rather than scaring you we’re preparing you.
This latest vulnerability, classified as CVE-2015-3456, is a problem in the floppy drive emulation code found on many virtualization platforms. What that means is if an attacker were able to, by considerable effort, escape the Guest OS, they could use the host to launch other network attacks. Essentially, an administrator account would have to be compromised for this to happen. Only certain platforms are impacted and they have patches currently available. Major VMs that are not impacted include:

• VMware
• Microsoft Hyper-V
• Bochs
• AWS
• Linode

• http://www.csoonline.com/article/2922066/vulnerabilities/venom-hype-and-pre-planned-marketing-campaign-panned-by-experts.html?utm_source=twitterfeed&utm_medium=twitter
• http://venom.crowdstrike.com/

Rombertik Malware

It’s elusive, evasive, and the next evolution of malware. Newly identified by Cisco researchers, “Rombertik” doesn’t just self-destruct when it finds tools that can detect it. Instead, if tries to destroy the Master Boot Record (MBR) of the machine it’s on, which is destructive because when the machine restarts, it will be inoperable. The MBR is critical to system operation, and is the first sector of a hard drive, where all the initial instructions are at boot up, letting the computer know to load the operating system.

This is an example of complex malware, hard to detect, and to protect against. Its purpose is to gain access to the target’s browser, read credentials and pilfer other sensitive information which it then collects to send off to a remote server. Rombertik spreads via spam and phishing emails. Here’s how it works:

Once loaded into the system, Rombertik first runs a series of anti-analysis checks to determine if it is running within a sandbox. In case it isn’t running within the sandbox, Rombertik decrypts and installs itself on the victim’s machine, which then allows the malware to launch a second copy of itself and overwrite the second copy with the malware’s core spying functionality. After completing this process and before begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. In case it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer. Rombertik then restarts the machine, and because now the MBR is missing from the hard drive, the victim’s computer will go into an endless restart loop.

The best defence in this situation is a layered defence, because Rombertik won’t be able to evade all the layers.

• http://blogs.cisco.com/security/talos/rombertik
• http://www.scmagazine.com/cisco-writes-up-new-malware-campaign/article/413068/
• http://thehackernews.com/2015/05/malware-destroy-hard-drive.html

Macro Malware’s Re-Emergence. Be Aware. Be Very Aware

Remember that saying “Everything old is new again”? That’s a trend in InfoSec. It’s not at all uncommon for threats to re-emerge after seeming cease, because attackers have taken the time to revisit and retool. Think of it as a more damaging version of reduce, reuse, recycle. What happens is that the malware gets onto computers via spam email attachments. When the user opens the document, they are prompted by a bar along the top asking if they wish to enable macros to read the item. Most people click willingly, enabling the macro and the malware. The malware then becomes a portal for even nastier stuff waiting in the wings, like the banking Trojan, Dridex, which hunt down and collect valuable personal and financial information. Once again, the onus is on the end user to be aware of what they open and click, but that isn’t always an easy judgement call as these emails look very convincing. Currently, most attacks are happening within the US and the UK.

http://www.infosecurity-magazine.com/news/macro-malware-returns-with-a/#.VUbXOQefKP9.twitter

WordPress Sites Backdoored

Another week, another WordPress security issue. According to Zscaler, this time multiple WordPress sites are leaking credentials. Compromised sites are implanted with a “Backdoor” code that serves up injected JAVA script when the user enters their credentials on the login page. The end user remains oblivious as they are redirected to a successful logged in session of a WordPress site. Meanwhile, those valuable credentials are encoded and sent to off to the attacker’s command and control server. The recommendation from the ZScaler security research report is what we’ve been saying consistently:

“It is extremely important for the site administrators to keep their WordPress sites patched with the latest security updates,”

• http://research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html
• https://threatpost.com/wordpress-sites-backdoored-leaking-credentials/112703

PHP Hash Comparison Flaw May Put Many Sites at Risk

About a year ago, a flaw in PHP password hashes was identified involving the equals-equals operator (==). Robert Hansen, vice president of WhiteHat Security, describes the issue as “one that affects any website that uses two specific types of operators for comparing hashes in PHP.” The issue mostly affects authentication, but this could extend to binary checking, cookies, and passwords, among other things.

“The problem is how PHP handles hashed strings when either the double equal (==) or “!=” operators are used to compare them. When either of these two operators is used for comparing hashes, PHP interprets any hashed value beginning with ‘0e’ as having the value 0. So if two different passwords are hashed and both their hashed values begin with ‘0e’ followed by numerals, PHP will interpret both as having the value 0. Even though the hash values for both passwords are completely different, PHP would treat them both as the number zero if both begin with 0e and when either ‘==’ or ‘!=’ are used.”

This gives attackers a way to try and compromise user accounts by entering a string that when hashed gets equated to zero by PHP. If a password in the database is represented the same way, the attacker will get access to the account, Hansen said. Until now, there haven’t been examples of these hash types.

• https://blog.whitehatsec.com/magic-hashes/
• http://www.darkreading.com/vulnerabilities—threats/php-hash-comparison-weakness-a-threat-to-websites-researcher-says-/d/d-id/1320353?_mc=RSS_DR_EDT
• http://securityaffairs.co/wordpress/36732/hacking/php-hash-comparison-flaw.html

GPU Keylogger and Linux Rootkit attacks

Malware just keeps evolving. This time it’s targeting the GPU over the CPU with 2 new items: Jellyfish Rootkit for Linux and Demon Keylogger. The GPU, graphics processor unit, has its own processor and memory. That allows the malware to operate incognito, attracting no attention since malicious code isn’t modifying processes in the main operating system kernel. The danger becomes that these types of rootkits can snoop on the CPU host memory via the direct memory access (DMA). This allows hardware components to read the main system memory without going thru the CPU so actions are harder to catch.
Some attacker advantages with GPU are:

• No GPU malware analysis tools are available on the Internet
• Can snoop on CPU host memory via DMA (direct memory access)
• GPU can be used for fast/swift mathematical calculations like parsing or XORing
• Stubs
• Malicious memory is still inside GPU after device shutdown

For reference purposes, a GPU-based keystroke logger consists of two main components:

• A CPU-based component that is executed once, during the bootstrap phase, with the task of locating the address of the keyboard buffer in main memory
• A GPU-based component that monitors, via DMA, the keyboard buffer, and records all keystroke events

http://thehackernews.com/2015/05/gpu-rootkit-linux-Keylogger.html

Breaking Bad Themed Crypto Ransomware

This latest ransomware, Trojan.Cryptolocker.S, is currently going after computers running Windows based systems in Australia. The attackers leverage social engineering methods to get victims to open a malicious zip archive file, apparently with a major courier firm in the file name. Attackers then can run their own PowerShell script on the computer to run the ransomware. Encryption uses a random AES key, which is then encrypted with an RSA public key. Targetted files for encryption include media files, music, images, .lnk and .rar extensions.

Symantec has a blog post about how to stay protected if you get ransomware here.

http://www.symantec.com/connect/blogs/breaking-bad-themed-los-pollos-hermanos-crypto-ransomware-found-wild

And Last but not Least …You know that Flashlight App you have?

Time to shed a little light on a dark matter. The top 10 Android flashlight apps are actually malware designed to steal your data off your mobile device.

https://www.youtube.com/watch?v=Q8xz8xKEFvU

Thanks for reading!

Welcome! When the best offense is a good defense, you’ve come to the right place. Given the ever-changing landscape of technology threats, that couldn’t be more true. Each week, we’ll cover current security threats, patches and issues that affect you and your business. And when something really big happens, we’ll post on Twitter and update this page with all the details you need to stay safe. Read on!

The BIG Story: Apple Rootpipe Vulnerability Still NOT Fixed! Tens of Millions of Apple Users at Risk

Apple claimed to have fixed it, but they haven’t. Note that this vulnerability was discovered last October, and had existed since 2011 in version 10.7. This leaves a dangerous backdoor open to attackers on any MACs with an operating system below 10.10. Yosemite. If you can, upgrade to 10.10.3. Thomas Brewster in his analysis of the situation painted the picture by numbers: there are over 3 billion internet users. Roughly 2% are on Macs, putting 60 million at risk. Attackers can gain admin privileges without proper authentication, execute code remotely and potentially compromise a machine. This hidden backdoor opens up root access, or control over the system, too widely. A patch will definitely need to be issued for older systems as well, but there is doubt being expressed if Apple will invest the time and effort to support. According to Emil Kvarnhammar, the TrueSec Security software engineer who reported the vulnerability to Apple last year:

“Fixing buffer overflows and similar is one thing (they usually back port that kind of issues), but fixing architectural issues like rootpipe will mean more work in dev and verification…I think (and hope) Apple might be reconsidering, knowing that users of older versions are upset and that even low-privileged guest accounts on Mavericks can be used to exploit the issue and become root.”

Apple has a lot to answer for, in light of the severity of this current threat, but so far neither solutions nor explanations are forthcoming.

• http://www.forbes.com/sites/thomasbrewster/2015/04/19/apple-fails-to-patch-rootpipe/
• http://www.forbes.com/sites/thomasbrewster/2015/04/09/apple-leaves-rootpipe-backdoors-in-3-per-cent-of-all-pcs-on-the-planet/
• https://www.securityweek.com/apple-failed-properly-fix-rootpipe-bug-os-x-researchers

Get Your Security Patches On!

Last week featured several critical security patch updates from Microsoft, but there were also urgent patches issued by Adobe.. Attackers have used the week that has passed to their advantage, building exploits against the Zero-Day Windows vulnerability, and utilizing a vulnerability in Adobe Flash to aid and assist. US Security firm FireEye claims Russian attackers have been using these new vulnerabilities to boost their ongoing efforts to spy on American diplomats and the White House.

The take-away here is that issuing security patches does not make vulnerabilities disappear. They will be re-used and deployed as often as attackers find opportunities. And those opportunities are typically systems left unpatched. According to Verizon’s recently issued 2015 Data Breach Investigations Report, they found that

“99.9 percent of the exploited vulnerabilities in 2014 had been compromised more than a year after the associated CVE (Common Vulnerabilities and Exposures) was published”.

• http://rightrelevance.com/?q=tab_type%3D2%26searchType%3Dfeeds%26start%3D0%26rows%3D30%26location%3D%26isPerson%3D%26articleId%3D455d3f637041e721ce4e2da67c376fff9925e726%26value%3Dcyberespionage%26taccount%3Dcyberwarfarre%26topic%3Dcyberespionage
• https://www.adobe.com/support/flashplayer/downloads.html
• http://www.eweek.com/security/slideshows/verizon-data-breach-study-finds-old-flaws-remain-dangerous.html

Oracle Ends Publicly Available Security Fixes for Java this Month

These public updates that included bug and security fixes could impact millions of applications. Instead, customers will need to sign on for long-term support deals or migrate to Java 8, which was released March of last year. Given that people are slow to change, this move to be forward-thinking may have serious long-term costs. Per Waratek security CTO John Holt Matthew, “there is a dangerous tradeoff; now millions of Java 7 applications will have to defend themselves against code-level vulnerabilities without the benefit of future fixes.” Users are advised to upgrade if they can, or use RASP, Java Run-time Application Self Protection.

With that in mind, be sure to install the latest series of critical patch updates for Java. There are 98 new fixes. The link is below.

• http://www.infoworld.com/article/2909685/application-development/oracle-cutting-publicly-available-security-fixes-for-java-7-this-month.html
• http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

XSS Security Advisory for WordPress Plugins

There doesn’t seem to be a week without a warning for WordPress users. Per the current advisory, numerous WordPress Plugins are vulnerable to Cross-site Scripting (XSS). This is largely because of two functions, add_query_arg() and remove_query_arg(), which are used by developers to modify and add query strings to URLs within WordPress. The problem stems from a lack of clarity in the official WordPress Official Documentation (Codex) for these functions so that plugin developers used them insecurely, assuming that these functions would escape the user input for them, when it does not. Sucuri security recommends that developers check that they are escaping them before use. They recommend using the esc_url() (or esc_url_raw())functions with them.

A list of affected plugins is currently on the Sucuri Blog and includes Jetpack, WordPress SEO, Google Analytics by Yoast, Gravity Forms among many.

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

Spyware: New Browser Hack

Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack. Dubbed “Spy in the Sandbox”, this tactic comes with little cost or time to the attacker. They lure the victim to an untrusted web page which contains content controlled by the attacker. Bogus software on the page launches a program to manipulate how data moves in and out of victim’s PC cache. Because this is spyware, NO data theft occurs. However, it can record details about browser history, keystrokes, mouse movements utilizing a classic side-channel attack to read the activity of processors, memory, and networking ports.

http://www.forbes.com/sites/bruceupbin/2015/04/20/new-browser-hack-can-spy-on-eight-out-of-ten-pcs/

Ransomware: What Would You Pay?

Sorry. Clearly Ransomware isn’t going away so let’s get smarter about what’s going on out there. If your files were jacked, would you pay? Desperation times call for desperate measures and at least 30% of security professionals – yes, security – say they would pay. That’s according to a recent survey by ThreatTrack Security.

A realistic expectation is that panic mode will set in. An episode of “The Good Wife” earlier this year accurately depicted the ensuing chaos and desperation that follows when an office discovers they can’t get to the files they need. The reality is that nobody is working on anything other than the immediate problem at hand. That’s a direct lost, impacting sales and profits. But the truth is that even if you do pay that ransom, you won’t get your files back. Because as the saying goes “There is no honour among thieves”, and there is even less among those conducting extortion in the cyberworld. Not when the game has become so easy and so lucrative.

http://www.csoonline.com/article/2911094/data-protection/cyber-extortion-a-growth-industry.html#tk.csosotd

This is cross-posted from the JIG Technologies Inc weekly website piece at  http://www.jigitsupport.com/company/yoursecuritymatters/

As always – Thanks for reading!
Cheryl Biswas, InfoSec Co-ordinator and Editor JIG Technologies Inc

My objective with these blogs is to show you that you can do a lot of this yourself, and to learn what you need to stay safe. I promise – you don’t have to have a computer science degree for this.

If knowledge is power then education is key. I thought it might be helpful to run a primer-style series on what types of threats are out there, and your best defence against each. We’ll take it one at a time, bite-size learning.

So – to get started. What’s the difference between viruses and malware? Malware is the umbrella term we use to refer to a whole host of troublesome things, including viruses, that infect our devices, hack our servers, and lie in wait.  A virus is bad, but not all bad things are viruses.

Technically, a virus is classified as “a self-replicating piece of malicious code that travels by inserting itself into files or programs.”  It’s a malware program that performs a harmful activity on the host it infects. It infects hosts by duplicating itself, without user consent, in files, programs or the boot sector of the hard drive. Viruses can cause a variety of problems including:

• access your personal data
• corrupt files and data
• log (copy and record) keystrokes
• send out spam to contacts.

There are a lot of anti-virus programs to choose from.  Some are free.  All are effective to varying degrees, but none will catch all the problems all the time. They can’t.  Viruses are built when hackers develop malicious code that exploits vulnerabilities or weaknesses in the code of programs, typically operating systems like Windows. These exploits are constantly evolving, so for anti-virus programs, it’s a matter of how quickly they can add that virus “signature” into their database so that the anti-virus program can detect it on future scans.

What can you do?  Always have a current and updated version of an anti-virus program running on your devices.  You can install them on phones and tablets, and you should, because these face the same risks as desktops and laptops. And contrary to popular opinion, Apple/Mac do get viruses and there are programs to protect them as well. Don’t let your licence expire so that you work on an outdated program. And – make sure you don’t ignore the prompts to update.  Those updates mean the difference between getting infected and staying safe.

Because You Own Your Own Security. Why leave it up to someone else?