27 Apr CeCOS VII Michael
04 Apr Virus calendar wallpapers for 2013 David
15 Mar Highlights from BlackHat Europe 2013 in Amsterdam Stefano Ortolani
21 Nov Return of the Indian phone scammers! David Jacoby
18 Oct ICS-JWG Fall Meeting 2012 Kurt Baumgartner
16 Oct Twitter Phishing Campaign Spreading Via Direct Messages David Jacoby
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
The Counter eCrime Operations Summit VII (CeCOS VII) engages questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the electronic-crime threat every day.
The annual event, organized by the Anti-Phishing Working Group (APWG) is this time held in Buenos Aires, Argentina.
Some of you may remember the virus wallpaper calendars that we published in previous years, listing a selection of significant events in the history of the IT security industry.
Well, we're posting new versions for 2013.
April's wallpaper is here.
But be sure to check our calendar page each month as we'll be adding new wallpapers as we go through the year.
We hope they'll be an interesting background for your desktop, as well as highlighting key security events from the past.
Every year as Europe wakes up from the cold winter to the warm days of spring, BlackHat traditionally descends to Amsterdam. This year’s conference is taking place on March 14-15 at the NH Grand Hotel Krasnapolsky, right Dam Square, the heart of Amsterdam. As spring doesn’t necessarily equal warm days here in Europe right now, the 500 or so BlackHat participants hit the conference rooms to attend quite a few interesting talks. Here’s a summary of the best talks at BlackHat Europe 2013.
The title of this blog reminds me of the old zombie horror movies back from the 80-ies, but what im going to write here is more like a comedy. Some of you guys have probably read my blog post about the time when i tricked them into accessing websites under my control, which led to me collecting alot of information about the callers.
After that blog post i didn’t receive any calls... until today. I was sitting in my home office, drinking my daily smoothie and writing on my paper for the Virus Bulletin magazine, and suddenly i hear the phone ringing. I don’t care about that anymore, because i hear that my wife answers the phone, but after a few minutes she enters my room and tells me that "they" are calling again.
As always, i booted up my VMware image with a totally FRESH installation of Windows XP and start talking to the scammers. For you who are not familiar with the scam, please read my other blog post which can be found below because i won’t cover it in this post. http://www.securelist.com/en/blog/208193750/Trying_to_unmask_the_fake_Microsoft_support_scammers
This time the scammers where using some different methods trying to convince me that my compute where infected with some malware. They even gave me the name "Frozen Trojan", and went to Google and tried to look it up for me. But they only ended up on results talking about the bird flue and other biological viruses which i thought was quite entertaining.
The Industrial Control Systems Joint Working Group Fall Meeting 2012 is being held in Denver, Colorado this year, organized by the DHS ICS-CERT. Yesterday, Billy Rios from Spear Point Security kicked off the meeting with a discussion that included mention of vendors' defensive postures and the exploit brokers out there. A couple other talks included speakers from Raytheon and the DHS. For someone that savors the technical meat at Infiltrate, Defcon and Project Basecamp, it seemed that was I was surrounded by vegans. For example, when one speaker was asked about whether or not their product thwarts common pass-the-hash techniques that can be used to enable APT related post-exploitation lateral movement from corporate to SCADA networks within ICS environments, the speaker explained that their product uses pass-the-hash and other mathematical techniques that he couldn't discuss to defend networks. Huh. Also, a generational air gap seems to be in place here too, with most of the speakers at least twice the age of speakers leaning into fresh offensive (and some defensive) security topics at Blackhat, Infiltrate, etc. Cultural differences abound.
A talk later in the day about 13 ways to evade firewalls could be boiled into a few thoughts - XSS problems are enabled by SSL proxies, sneakernet exacerbates Usb security issues, and misconfigured firewalls are an issue within ICS environments. These are all a decade old discussions, but may have some insight for top level folks that have no exposure to 10 year old security issues. The unfortunate thing is that these sorts of vulnerabilities continue to be present within critical infrastructure environments.
The second day seems to be starting off with much more interesting talks. SCADAHacker Joel Langill's talk on "Utilizing TCP/IP Addressing Scheme for Network Isolation" demonstrated the usefulness of subnet masking and the misunderstandings of implementing VLANs when enforcing network security policies. Joel runs a fantastic site, sharing links to information that provide complementary data to some of the ICS cyber-security consulting services that he performs.
Dr Nabil Adam from the DHS Science & Technology Directorate demonstrated the powerful modeling framework CEMSA that they have developed, providing ways to model and understand credible consequences of multiple interacting critical infrastructure disruptions. These consequences and disruptions evaluated here based on concrete data around US located industrial operations like chlorine gas plants and online network backbones are the shocking stuff that folks have speculated on for years as "cyber pearl harbors". The difference is that this intelligence and data analysis is the real deal in its precision and comprehension of planned attack, cascading, and coincidental disruptive events. It goes beyond ICS environments, to help policy and decision makers understand and prioritize disruptive impacts. Currently available to "anyone interested" from US based government agencies.
I got the impression that lately the amount of phishing attacks via social media was not as great as we have seen in the past. But just as I logged in to Twitter today I noticed that I had received two direct messages, and they both had a very similar message.
Two days ago I received the first message, and when I tried to verify if it was a link spreading malware, or a phishing site, the URL was already inactive. Now when I received another one I wanted to look at it quickly, and at the time of writing the phishing site is still active.
Virus Bulletin 2012 is now over, the final chapter from this year’s conference needs to be written. Almost all of the participants have packed their bags and gone home. This event was three action packed days containing everything from discussions about cyber war, interesting meetings with fellow researchers and presentations about Indian Phone Scammers. I am now sitting here and writing the last blog post about the Virus Bulletin 2012 conference in Dallas.
This is my second Virus Bulletin, and just like last time it gave me not just the opportunity to network with fellow researchers, but this time I also presented my own research. Vicente Diaz wrote about the second day at VB, and he included some pictures from my presentation on Malware against Linux and the Attackers Automated Tools - check out the pictures here. During my presentation I also had a 30 minute live demo where four people from the audience helped me identify vulnerabilities and exploit them using the same techniques as the bad guys used. The demonstration also contained automated scripts for backdooring and bypassing security mechanisms within the Linux operating system.
Greetings from the IDC Security Roadshow in Johannesburg, South Africa! I am sitting here in the hotel lobby looking out at the Nelson Mandela Square listening to the explosive track from DJ Fresh - The Feeling (Ft. RaVaughn) (Metrik Remix), reflecting on the last couple of days and the discussions I’ve had with various people.
I have been giving a few interviews and I was also presenting at the IDC security conference; my presentation is called “The Diary of a Security Geek” and it includes material from a one year long research project I have had. It basically contains observations made during these conferences and some really interesting facts on how security managers see IT security, how they prioritize and some interesting false perceptions on IT security and risks. I know that some of you might be interested in this research, so don’t worry - I will publish my research at a later date and I will also be giving the same presentation on quite a few conferences around the world this year.
There are just 11 days to go until the opening ceremony of the Summer Olympic Games in London. With the games fast approaching, now's a good time for us to issue a gentle reminder about security.
I'm not thinking here about the security of the games themselves. It's possible, of course, that someone might try to disrupt the systems used to support the games - for example, defacing web sites, tampering with scoreboards, or planting malware on official games web sites. But the UK government has put in place a team to try to minimise the risk of direct attacks on London 2012 systems.
But I'd like to highlight two possible dangers that might affect visitors to the games.
First, there's the risk of being tricked into visiting a fraudulent web site that, at first glance, seems to be a legitimate site, e.g. 'www.london2o12.com'. It's possible that scammers might try and cash-in on the last-minute scramble for tickets. This could be done to sell bogus tickets, or simply to trick people into entering personal information. And phishers don't just use e-mail to drive people to such sites. These days, cybercriminals are just as likely to use instant messaging, or messages in social networks.
Second, there's the risk associated with accessing unsecured wi-fi networks. In an 'always-on' world, wi-fi offers a way of staying connected; and you can find a wi-fi hot-spot nearly everywhere you go now. But if it's an unknown, untrusted wi-fi network, it's possible for someone to intercept the data you transmit. So if you're using a laptop or tablet, make sure you have a secure connection by always using 'https'; and use a unique, complex password for every online account (i.e. one that mixes letters, numbers and symbols and is more than eight characters). If you're using a smartphone, don't use an untrusted wi-fi network for any online transaction where you need to type in confidential data - this includes banking, shopping and social networking. And if you have to use public wi-fi (for example, for work), it's best to use VPN functionality, whichever operating system you use - Windows, Mac OS, Android or iOS.
So if you're looking to buy tickets for the games, or just planning to be in London this summer, be vigilant and stay safe.
* Wenlock and Mandeville are the official mascots of the London 2012 Summer Olympics.
Sweden recently experienced a large banking scam where over 1.2 million Swedish kronor (about $177,800) were stolen by infecting the computers of multiple victims. The attackers used a Trojan which was sent to the victims and, once installed, allowed the attackers to gain access to the infected computers. Luckily these guys were caught and sentenced to time in jail, but it took a while to investigate since over 10 people were involved in this scam.
It's possible that these attacks are no longer as successful as the bad guys would like, because we are now seeing them use other methods to find and exploit new victims. For quite some time now we have seen how hijacked Facebook accounts have been used to lure the friends of whose account has been hijacked to do everything from click on malicious links to transfer money to the cybercriminals’ bank accounts.
Please note that this is not a new scam - it has been out there for quite some time. But what we are now seeing is the use of stolen/hijacked accounts, or fake accounts, becoming very common on Facebook. So common, in fact, that there are companies creating fake accounts and then selling access to them to other cybercriminals. As you might expect, the more friends these accounts have, the more expensive they are, because they can be used to reach more people.
The problem here is not just technical – it’s primarily a social problem. We use Facebook to expand our circle of friends. We can easily have several hundred friends on Facebook, while we in real life we may only have 50. This could be a problem because some of the security and privacy settings in Facebook only apply in your interactions with people who you are not friends with. Your friends, on the other hand, have full access to all the information about you.