
Basefarm SIRT Newsletter 2013-03-15

BF-SIRT NEWSLETTER
Year – Week: 2013 – 11
https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Weekly summary
The big headlines this week have been how security expert Brian Krebs was targeted by criminals who, amongst other things, took down his site and had police raid his house. Google has also released information on how the FBI is secretly spying on some of its customers, and a Reuters editor has been indicted for allegedly helping hackers break into Tribune Co. Facebook also released information on how the hack didn’t have as much impact as it could have had, due to the amount of preparation they had done for these occurrences.

http://threatpost.com/en_us/blogs/how-facebook-prepared-be-hacked-030813
http://www.wired.com/threatlevel/2013/03/google-nsl-range/
http://threatpost.com/en_us/blogs/reuters-editor-indicted-helping-hackers-break-tribune-co-031413

Important Software Security updates
Adobe Flash Player

Security tips
The tip of this week is to turn on “Click-to-play”. This means that in order to have a Flash video or Java applet run on a website, you’ll need to press a button to confirm you want to run it. As a result, no hidden Flash objects or Java applets that can cause issues on your computer will launch automatically.

More information: http://krebsonsecurity.com/2013/03/help-keep-threats-at-bay-with-click-to-play/

Security news
Security expert Brian Krebs targeted by angry criminals out for revenge: simultaneous fake take-down letters to his ISP, a DDoS of his website and a fake distress call leading to an armed police raid of his home.
http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/

Crown casino hi-tech scam nets $32 million
http://www.heraldsun.com.au/news/law-order/crown-casino-hi-tech-scam-nets-32-million/story-fnat79vb-1226597666337

February 2013 Cyber Attacks Statistics
http://hackmageddon.com/2013/03/08/february-2013-cyber-attacks-statistics/

Researchers Find 25 Countries Using Surveillance Software
http://bits.blogs.nytimes.com/2013/03/13/researchers-find-25-countries-using-surveillance-software/

Sinkholing of Trojan Downloader Zortob.B reveals fast growing malware threat
http://www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/

Basefarm SIRT Newsletter 2013-03-08

BF-SIRT NEWSLETTER
Year – Week: 2013 – 10
https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Weekly summary
Evernote was the highest profile victim of an attack this week. The attack on their systems meant that 50 million account names and encrypted passwords were stolen.
The USA has also become the world’s leading spam relayer. This most likely doesn’t mean that there is a kingpin spammer in the USA, but it does show that a large number of hijacked computers are being used for this. The USA is not the number one malware-infected country (China was in 2012, according to PandaLabs), but there are reasons for its position, such as IPs from the USA being less likely to be blacklisted and speeds between email providers likely being higher from the USA than from China.
More information about the zero-day-exploiting malware MiniDuke has also surfaced. It appears that MiniDuke has been running its cyber-espionage campaign since mid-2011, and appears to have been targeting governments in countries such as Belgium, the United States and Ireland.
The Dubai Police made arrests this week in regards to a cyber crime gang who were able to transfer more than $2m from Dubai Exchange companies’ accounts, while Bank Muscat in Oman was hit by a $39m ATM cash-out heist, which most likely happened due to the hackers being able to duplicate a set of pre-paid Travel Cards.
The first couple of days of Pwn2Own have also taken place. Pwn2Own, which is being co-sponsored by HP this year, is a yearly competition where security researchers attempt to be the first to exploit software, with resulting prize money for doing so. So far, over $270K has been given out to people who managed to exploit IE10, Chrome 25, Firefox 19, and Java 7.

Sources:
http://bfblogg.wpengine.com/blog/2013/03/02/fifty-million-evernote-usernames-out-in-the-wild/
http://bfblogg.wpengine.com/blog/2013/02/08/basefarm-sirt-weekly-newsletter-2/
http://www.theregister.co.uk/2013/03/07/spam_relay_chart/
http://analysisintelligence.com/cyber-defense/meet-miniduke-espionage-malware-hitting-european-governments/
http://www.theregister.co.uk/2013/03/01/bank_muscat_atm_mega_fraud/
http://www.ehackingnews.com/2013/03/cyber-crime-gang-arrested-for-hacking.html
http://www.networkworld.com/news/2013/030713-researchers-rake-in-280k-at-267468.html

Important Software Security updates
Java: http://bfblogg.wpengine.com/blog/2013/03/05/java-7-update-17-java-6-update-43/

Security tips
We’d like to remind everyone of the importance of not reusing any of your passwords. Doing so could mean that you end up losing a great deal of things.
Let’s say I have the same password on my email account Z and on Website X.
I signed up to Website X with my email account, which means that if Website X is hacked and my password is decrypted (it’s not even certain they will have encrypted my password), the attackers will be able to access my email account as well.
By having access to my email account they could for example gain further access to other services by doing password resets or pretend to be me and send out malware.

This is one of the reasons why we suggest that you create complex and unique passwords for every site you use.
It’s understandable that you can’t remember these kinds of passwords, but don’t worry – there are tools for this, which means you only have to remember one single passphrase in order to gain access to your password vault.

My personal preference is 1Password Pro, which has a stand-alone client as well as a web interface. It also has plugins for IE, Chrome and Firefox, which makes signing into accounts a breeze.
Those who prefer to use free and open source software can use KeePass Password Safe. I believe it lacks a bit of functionality, but it’s got a lot of plugins/extensions that you can use to further its use.

More information:
https://agilebits.com/onepassword
http://keepass.info/

Security links
16-28 February 2013 Cyber Attacks Timeline
http://hackmageddon.com/2013/03/04/16-28-february-2013-cyber-attacks-timeline/

Hacking the Mind: How & Why Social Engineering Works
http://www.veracode.com/blog/2013/03/hacking-the-mind-how-why-social-engineering-works/

The web won’t be safe or secure until we Break it
http://queue.acm.org/detail.cfm?id=2390758

Jailed cybercriminal hacked into his own prison’s computer system after being put in IT class
http://nakedsecurity.sophos.com/2013/03/04/jailed-hack-prison/

The Life Cycle of Web Server Botnet Recruitment
http://blog.spiderlabs.com/2013/03/the-life-cycle-of-web-server-botnet-recruitment.html

Security Blogger Award Winners 2013
http://www.ashimmy.com/2013/03/security-blogger-award-winners-2013.html

Basefarm SIRT Newsletter #5

BF-SIRT NEWSLETTER #5
Year – Week: 2013 – 09
https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Weekly Summary
This week, Microsoft also admitted to having been affected by the same attack that hit Apple and Facebook.
Information on how Apple devices running the latest update can get their data compromised if the attacker has physical access to the phone was also divulged, so it’s important to not leave your phone unattended. Should your phone be lost or stolen, it’s important to do a remote wipe as soon as you can. cPanel also released information that root passwords belonging to servers of their customers, which had been used by their technical support, had been compromised, leaving many customers at risk. They have sent advice to affected customers to change their root or account passwords. As expected, there have also been a lot of discussions during the week regarding the validity of Mandiant’s APT1 report about how China is sponsoring hacking against the US.

Sources:
http://blogs.technet.com/b/msrc/archive/2013/02/22/recent-cyberattacks.aspx
http://arstechnica.com/apple/2013/02/researchers-find-yet-another-way-to-get-around-ios-6-1-passcode/
http://nakedsecurity.sophos.com/2013/03/01/cpanel-suffers-break-in-loses-root-passwords/
http://roer.com/2013/02/26/apt1-matching-data-to-your-hypothesis-is-not-the-same-as-proving-your-case/
https://www.mandiant.com/blog/netizen-research-bolsters-apt1-attribution/

Important Software Security updates
Adobe Flash Player
Java

Security tips
As the “Sports holidays” are currently on-going in Sweden (and other countries), we’d like to remind everyone to keep the mobile devices you bring on your holiday secure. You can read some tips about this on the following site: http://bfblogg.wpengine.com/blog/2012/12/21/mobile-security/

Security news
Stuxnet 0.5 – the missing link.
http://www.symantec.com/connect/blogs/stuxnet-05-missing-link

Phishing has gotten Very good.
http://www.schneier.com/blog/archives/2013/03/phishing_has_go.html

At the vulnerability Oscars, the winner is… Buffer overflows!
http://www.veracode.com/blog/2013/02/at-the-vulnerability-oscars-the-winner-is-buffer-overflow/

How much does it cost to buy 10 000 US based malware infected hosts?
http://blog.webroot.com/2013/02/28/how-much-does-it-cost-to-buy-10000-u-s-based-malware-infected-hosts/

The MiniDuke Mystery
http://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_0x29A_Micro_Backdoor

Basefarm SIRT Newsletter #4

BF-SIRT NEWSLETTER #4
Year – Week: 2013 – 08
https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Weekly Summary
This week, a lot of high-profile companies have come forward about being victims of attacks. Companies like Apple and Facebook fell victim to Java exploits when browsing a well-known iOS developer forum, causing their computers to be taken over by attackers. This once again goes to show the importance of keeping your systems updated as much as you can and removing software you don’t need. If there’s a need for a browser plugin such as Java or Adobe Acrobat Reader, then don’t have it activated in your primary browser but simply keep it enabled in a secondary browser for those specific Java websites.

NBC.com was also compromised this week, causing everyone visiting the site (many tens of thousands) to be redirected to a site serving malware. The malware exploited previously known Java and Adobe Acrobat Reader vulnerabilities to take control of the victims’ computers.

The New York Times has also reported that a unit within the Chinese Army is seen as tied to hacking against the U.S. China in turn denied this accusation.

On the good side of things, Google have released information that they have reduced the number of compromised accounts by 99.7% since their peak in 2011.

We have also launched a website for those interested in reading up on Basefarm SIRT. You can find the page here: https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Sources:
http://threatpost.com/en_us/blogs/nbc-website-hacked-leading-visitors-citadel-banking-malware-022113
http://threatpost.com/en_us/blogs/ios-developer-site-core-facebook-apple-watering-hole-attack-022013
https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766
http://googleblog.blogspot.com/2013/02/an-update-on-our-war-against-account.html
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html

Important Software Security updates
Java 7 / Java 6: http://bfblogg.wpengine.com/?p=1085
Mozilla updates (Firefox, Thunderbird, Seamonkey): http://bfblogg.wpengine.com/?p=1084
Google Chrome: http://bfblogg.wpengine.com/?p=1098
Adobe Acrobat Reader: http://bfblogg.wpengine.com/?p=1100

Security tips
In light of the latest breaches, we’d like to suggest that you have a look at the software and browser plugins you have installed on your system(s).
Unfortunately, depending on an antivirus just doesn’t cut it, as malware is transforming and mutating, which means your antivirus won’t find the reported malware signature. Attackers are also exploiting vulnerabilities faster and faster, which means that the time between disclosure of a vulnerability and its exploitation through ad networks or hijacked sites is much shorter these days.

The first step is to simply check which software you have installed, and uninstall the ones you don’t have an explicit need for.
Once you have uninstalled the applications and browser plugins you don’t need, it’s time to update the ones that remain.

You can check your browser plugins up-to-date status on the following page: https://browsercheck.qualys.com/

As for your software, it’s a matter of visiting the developer’s webpage and verifying that you’re using the latest version of their software.
Keeping your OS automatically patched through Windows Update or Mac’s Software Update goes without saying.

Security news
Chinese Army unit is seen as tied to hacking against U.S.
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html

China says U.S. hacking accusations lack proof
http://www.reuters.com/article/2013/02/20/us-china-hacking-idUSBRE91I06120130220

DDoS attack on bank hid $900,000 Cyberheist
http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/

Freezing Android devices break disk encryption
http://www.net-security.org/secworld.php?id=14433

February 1st – 16th cyber attacks timeline
http://hackmageddon.com/2013/02/18/1-16-february-2013-cyber-attacks-timeline/

Basefarm SIRT Newsletter #3

BF-SIRT INTERNAL NEWSLETTER #3
Year – Week: 2013 – 07
https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Weekly Summary
Bit9, the security company that is used by many Fortune 100 firms and the U.S. Government for their software and network security, was compromised last Friday. The attackers compromised Bit9’s network by gaining entry to some computers inside the Bit9 network where Bit9 had unfortunately forgotten to install its own software. The attackers then signed certain malware as “safe”, which gave them the ability to deploy malware on targets protected by Bit9. It was also found that an exploit had been sitting on one of the LA Times websites for six weeks, redirecting users to a Blackhole exploit kit. This reiterates the importance of doing continuous security and vulnerability checks on your websites.

Sources:
https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/
http://krebsonsecurity.com/2013/02/exploit-sat-on-la-times-website-for-6-weeks/

Important Software Security updates
Windows: http://bfblogg.wpengine.com/?p=1034
Adobe Flash Player: http://bfblogg.wpengine.com/?p=1036
Adobe Acrobat Reader: http://bfblogg.wpengine.com/?p=1044

Security tips
Two-factor authentication adds security by requiring more than one authentication factor, and you are already using it today with your bank (in order to get money out of the ATM you need both a card and a PIN code). You can enable two-factor authentication on a lot of services such as Google/Gmail, LastPass, Facebook, Dropbox, Yahoo! Mail, Amazon Web Services and WordPress, and it’s advised to do so. Of course, using two-factor authentication does not mean you’re completely safe, as you could for example become the victim of a man-in-the-middle attack, so continue being careful after you have activated it.

You can find information on how to enable two-factor authentication here: http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two+factor-authentication-right-now

Security news
Kids ‘using coding skills to hack’ friends on games, expert says
http://www.bbc.co.uk/news/technology-21371609

Montana TV warns of ZOMBIE ATTACK in epic prank hack
http://www.theregister.co.uk/2013/02/12/spoof_zombie_apocalypse_warning/

Adobe Flash Player 0-day and HackingTeam’s Remote Control System
http://www.securelist.com/en/blog/208194112/Adobe_Flash_Player_0_day_and_HackingTeam_s_Remote_Control_System

Japanese “cat hacker” suspect caught
http://www.wired.co.uk/news/archive/2013-02/12/japanese-cat-hacker-caught

iOS 6.1 Hack allows iPhone lock screen bypass
http://thehackernews.com/2013/02/ios-61-hack-allows-iphone-lock-screen.html

Basefarm SIRT Newsletter #2

Basefarm SIRT weekly newsletter #2
Year – Week: 2013 – 06

Basefarm SIRT is the Security Incident Response Team of the Basefarm Group. We post weekly newsletters on the Basefarm Blog with the latest security information that we find interesting.

Preface
As you remember from last week, The New York Times had been severely compromised for four months before it was noticed (during which time their anti-virus software only located 1 out of 55 pieces of malware on their servers). The New York Times believes that the hackers gained entry through a spear-phishing attack, which means employees were sent emails containing malware attachments or links to sites with malware. Since then, the Wall Street Journal, the Washington Post, the US Federal Reserve and Twitter (where it seems the attackers gained access to information of 250 000 accounts) have also come forward to say that they were compromised.

So what does this show?
Amongst other things, no matter what security systems are in place, no company can with a straight face say they are never going to be compromised. There will always be some ways in, so the goal is making sure there are as few of those as possible, which is why we try to do as much proactive security work as we can.

The reality is unfortunately that the easiest way in is usually through you – a human that clicks on a phishing mail or gets a malware payload through one of your outdated plugins. Cisco released their 2013 Annual Security Report, and it shows that most malware today gets into your system through your common news or business sites, and they do so by compromising ad networks said sites are using.

Sources:
http://www.networkworld.com/news/2013/020113-lesson-learned-in-cyberattack-on-266335.html
http://www.nytimes.com/2013/02/02/technology/washington-posts-joins-list-of-media-hacked-by-the-chinese.html
http://blog.twitter.com/2013/02/keeping-our-users-secure.html
http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html


Important Software Security updates

Java 7 (Update 13) / Java 6 (Update 39)
http://www.java.com/en/download/index.jsp

Firefox (18.0.2)
http://www.getfirefox.com/

Adobe Flash (11.5.502.149 (Win and Mac), 11.3.379.14 (Windows 8) and 11.2.202.262 (Linux))
http://get.adobe.com/flashplayer/

For those using Firefox, you can go to the following page to see if your plugins are up-to-date:
https://www.mozilla.org/en-US/plugincheck/

Security tips
In light of the latest plugin vulnerabilities causing havoc on the web (Java and Flash), we suggest that those who have the ability to do so should enable click-to-play in their browsers. Doing this means that plugins such as Java (which should be fully disabled by default in your main browser anyway) or Adobe Flash won’t automatically load in your browser unless you click on the object.

You can find information on click-to-play for your browser at these locations:
http://www.ghacks.net/2012/07/21/configuring-chromes-click-to-play-feature/
https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/

Security news
Microsoft and Symantec hijack the “Bamital” Botnet
http://krebsonsecurity.com/2013/02/microsoft-symantec-hijack-bamital-botnet/

Canada Joins the DNSSEC Party
http://www.darkreading.com/blog/240147786/canada-joins-the-dnssec-party.html

China is world’s most malware-ridden nation
http://www.net-security.org/malware_news.php?id=2404

Where do you get malware from?
http://www.securitybistro.com/blog/?p=5384
http://www.net-security.org/secworld.php?id=14355

Basefarm SIRT Newsletter #1

Basefarm SIRT NEWSLETTER #1
Year – Week: 2013 – 05

Welcome to the first weekly security newsletter from your Basefarm SIRT team! In this newsletter we try to collect the latest weekly security news that we find worthwhile. As always, we continue sending out flash messages for critical issues that we find, but that does not mean the information is any less important for those who want to have safe and secure systems. We’d love to get feedback, so please send thoughts, suggestions, things we should add etc. to sirt@basefarm.com.

For those who aren’t familiar with what a SIRT team is, you can find information here:
http://www.cert.org/csirts/csirt_faq.html

Preface
It’s been quite a busy week, with WordPress and UPnP vulnerabilities affecting millions of servers and networks. The biggest worldwide news story of the week was of course the fact that the New York Times found out that their network had been compromised by Chinese hackers who got access to email accounts of senior staff, stole passwords for the corporate network for every New York Times employee and gained direct access to 53 personal computers of New York Times employees. This went on for four months before it got noticed. The latest report from Arbor also shows that DDoS attacks rose quite a bit during 2012 (+20% in bandwidth, +11% higher packet rates and a +41% rise in complex (multi-vector) DDoS attacks).

Important Software Security updates
iOS 6.1 for those with an iPhone.
http://support.apple.com/kb/HT5642

VLC Player 2.0.6 is available for those using VLC as their media player.
http://www.videolan.org/security/sa1302.html

Opera 12.13 is available for those using the Opera Browser.
http://my.opera.com/desktopteam/blog/2013/01/30/12-13-final-released

Security tips
Secure your passwords in Firefox
Setting a master password
Firefox: “Tools -> Options -> Security / Passwords -> Use a master password”
Thunderbird: “Tools -> Options -> Privacy -> Passwords -> Set Master Password”
Changing your master password
Firefox: “Tools -> Options -> Security / Passwords -> Change Master Password”
Thunderbird: “Tools -> Options -> Privacy -> Passwords -> Change Master Password” (not shown unless a master password is set)
http://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

Security news
Chinese hackers sit inside the network of New York Times for months without being spotted.
http://www.wired.com/threatlevel/2013/01/new-york-times-hacked/

US Cyber Command Seeks to Quintuple Cybersecurity Force.
http://www.washingtonpost.com/world/national-security/pentagon-to-boost-cybersecurity-force/2013/01/19/d87d9dc2-5fec-11e2-b05a-605528f6b712_story.html

Israel Strengthening its Cyber Stance.
http://www.businessweek.com/news/2013-01-27/israeli-troops-swap-guns-for-computers-as-cyber-attacks-increase

FBI Investigating Leak of US Stuxnet Involvement.
http://www.washingtonpost.com/world/national-security/fbi-is-increasing-pressure-on-suspects-in-stuxnet-inquiry/2013/01/26/f475095e-6733-11e2-93e1-475791032daf_story.html