[SecurityRatty] tag: data-centric

Summarizing Zero Day's Posts for September

Tue, 07 Oct 2008 06:54:00 +0000

As usual, here's September's summary of all of my posts at Zero Day. You may also want to catch up and go through August's and July's summaries, next to adding my personal RSS feed or Zero Day's main feed to your RSS reader.

Notable article for September - Spamming vendor launches managed spamming service.

01. DoS vulnerability hits Google's Chrome, crashes with all tabs
02. Malware and spam attacks exploiting Picasa and ImageShack
03. Spamming vendor launches managed spamming service
04. Facebook introducing new security warning feature
05. Google downplays Chrome's carpet-bombing flaw
06. Targeted malware attack against U.S schools intercepted
07. The most "dangerous" celebrities to search for in 2008
08. Norwegian BitTorrent tracker under DDoS attack
09. Attacker: Hacking Sarah Palin's email was easy
10. Bill O'Reilly's web site hacked, attackers release personal details of users
11. India's government: At last, we've cracked Blackberry's encryption
12. Memory exhaustion DoS vulnerability hits Google's Chrome
13. 44% of second hand mobile devices still contain sensitive data
14. Spammers attacking Microsoft's CAPTCHA -- again

Web Based Malware Emphasizes on Anti-Debugging Features

Mon, 06 Oct 2008 22:42:00 +0000

Following the ongoing development of a particular web based malware, always comes handy in terms of assessing the commoditization of anti-debugging features within modern malware. With plain simple, "managed binary crypting and firewall bypassing verification" on demand in February, to August's overall anti antivirus software mentality as a key differentiation factor of the malware.

So what are they working on? Anti tracing and emulation protection, PeiD and PESniffer protection, as well as anti heuristic scanning with a simple junk data adding feature in order to maintain a smaller binary size.

Here's a translated description :

"- The binary works under admin and under normal user
- The binary is always run as the "current user"
- An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country
-After successful infection, the binary which is tested against popular firewall and proactive protection security ensures that the actions it takes and their order do not trigger protactive protection mechanisms in place
- binary file size is 25k, the size can be reduced once it's crypted

- Doesn't take advantage of BITS protocol
- Doesn't allow an infected host to be infected twice
- Bypassing NAT and supporting "always-on" connections
- A simple, easy to configure web based admin panel"

What if the buyer doesn't care about the quality assurance practices applied? Managed lower AV detection and firewall bypassing service comes into play.

Symantec updates DLP endpoint, antispam gateway

Mon, 06 Oct 2008 20:00:00 +0000

Symantec plans to release updated versions of its antispam gateway and data-loss-prevention agent.

Fake Windows XP Activation Trojan Wants Your CVV2 Code

Mon, 06 Oct 2008 15:01:01 +0000

In a self-contradicting social engineering attempt, a malware author is offering to sale a (updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successfully credit card theft.

Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach, is because sophisticated crimeware kits capable of obtaining the very same data automatically, started leaking for everyone to start taking advantage of - including yesterday's cybercriminals using such DIY fake message builders.

Moreover, according to recently reseased survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's layout high quality GUIs, it is perhaps worth restating your research questions with something in the lines of - What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?

The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats scareware approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness of their legitimate security software.

Disk Containing Data on 17 Million T-Mobile Customers Missing, The Data Is For Sale

Mon, 06 Oct 2008 07:44:19 +0000

In 2006, 17 million German customer records were stolen from T-Mobile, a mobile network operator headquartered in Bonn, Germany. T-Mobile has admitted the incident where stolen customer records included names, addresses, phone numbers, dates of birth and email addresses. Silent about the data loss for more than two years, the company published its version of events [...]

Is Google Using Chrome to Index Password Protected Web?

Mon, 06 Oct 2008 07:20:02 +0000

An interesting theory we heard recently is that Google will use Chrome to index the password protected Web. Right now the Chrome Terms of Service prevents Google from indexing private data. But when you consider that Chrome was initially presented as a browser for applications, instead of just web pages, this theory begins to make more sense.

PCI Bans WEP SecurityStarting 2010

Mon, 06 Oct 2008 05:38:19 +0000

Version 1.2 for the PCI Data Security Standard was released last week.

One interesting outcome is that the insecure wireless WEP protocol will be banned…but not until June 2010. Says Ars Technica:

Although TJX has become the poster-child for consumer data theft over WiFi, it is (by far) not the only company to use insecure wireless technologies. Wireless security manufacturer AirDefense released a report in late 2007 saying that a quarter of the 4,748 retail access points it surveyed across the US had no security whatsoever, while another quarter only used WEP, “one of the weakest protocols for wireless data encryption.” Just under half (49 percent) of the surveyed hotspots used WiFi Protected Access (WPA) or WPA 2—much stronger encryption protocols than WEP.

If you’re wondering about what other impacts will have, you might want to read through the PCI site or sign up for the SecureWorks webcast on October 14th to learn more.

Schwarzenegger again nixes data breach bill

Mon, 06 Oct 2008 00:00:00 +0000

For the second time in 12 months, California Gov. Arnold Schwarzenegger has vetoed legislation that would have set new IT security requirements designed to protect credit and debit card data in retail systems.

T-Mobile loses disk containing data on 17 million customers

Mon, 06 Oct 2008 00:00:00 +0000

T-Mobile lost a disk containing personal information on 17 million of its German mobile-phone customers in early 2006, the company confirmed.

Shell fingers IT contractor in theft of employee data

Mon, 06 Oct 2008 00:00:00 +0000

Shell Oil has notified its U.S. employees that an IT contractor used the personal data of four Shell workers to file fake unemployment claims in Texas.