Security Protection – Harry Waldron MVP

April, 2013:

Twitter Security – Best practices for Group Account

Several protective practices are shared as follows:

http://securitywatch.pcmag.com/security/310959-how-to-protect-your-group-twitter-account
QUOTE: Several Twitter accounts belonging to the United Kingdom’s Guardian were hit by the Syrian Electronic Army over the weekend, and last week, Associated Press, CBS News, and BBC were also hacked. SEA threatened to keep up its attacks because Twitter keeps suspending its account. Several of the recommendations fall under basic Security 101 and are tips anyone should follow, for both their personal accounts as well as shared ones.

Twitter encouraged users to change passwords, select strong passwords, and be on the lookout for suspicious communications that may be part of a spear phishing campaign. All organizations, not just media, should be aware of potential phishing attacks. “These incidents appear to be spear phishing attacks that target your corporate email. Promoting individual awareness of these attacks within your organization and following the security guidelines below is vital to preventing abuse of your Twitter accounts,” the memo said.

Since Twitter uses email for password resets and official communications, users need to keep their email accounts secure, first by selecting strong (and different!) passwords. If two-factor authentication is available on the email account, it should be enabled, Twitter suggested. Users should never send passwords via email, even internally, Twitter warned. That way, attackers can’t find the password of the account through someone else’s archived messages.

Proof of Concept – Airplane software vulnerabilities should not impact safety

Initially, I saw this as a POC against simulation software and certainly a wake-up call to promote safety. However, Hugo’s comments are worth noting below. He noted software exploits and vulnerabilities that, with the right delivery system, could potentially be manipulated. While there are limitations on what can be accomplished, there are many mitigating controls that make this impractical currently. Still, industrial automation and especially remote control systems must be as secure as possible.

http://commandercat.com/2013/04/posthitb2013.html

QUOTE: After reading some of the news related to my talk at HITB 2013, I am writing this post with the goal of clarifying some misunderstandings, probably due to the lack of time I had during the talk, because I omitted details, or for other reasons. Some of the most common wrong statements I have seen are related to:

  • The Android application: No, the Android application I developed cannot attack an airplane by itself. This application is just a user interface that sends commands to the base station and receives feedback. Without the base station, and all the other hardware shown on the slides, the application is by itself useless.

  • The flight simulator: I did not find the vulnerabilities in the flight simulator; I found all the vulnerabilities in real software and hardware of on-board aircraft systems.

  • ACARS exploitation: No, I did not attack ACARS, nor ADS-B. I just used those protocols to send and receive information to/from the aircraft. Exploits and payloads are delivered using those protocols but I don’t attack them. That would be like saying that an exploit attacks TCP just because it is delivered via the network.

  • Real airplanes: No, none of my tools or code can be used directly against real aircraft. I did and kept it this way on purpose, but the vulnerabilities I found apply to real aircraft systems and code.

  • Old hardware: For my research I targeted both old FMS models (dating back to the 70s) as well as some of the newest ones (two or three years old).

  • Exploitability: I understand the skeptical community saying “this is not possible because ACARS does not offer commands for doing X or Y”. Once again, I only used ACARS as a communication channel and my research targeted the FMS. So, have you ever heard of memory corruption? Also, when I mentioned “No rootkit” I was referring to the fact that hiding is currently not necessary so it was not implemented, not that the post-exploitation did not include hooking.

A counter-response is noted in this thread, which documents some key safety controls that make the scenario described very difficult to achieve (comments of this type led to the points above):

http://www.askthepilot.com/hijacking-via-android/

Computer Firewalls – Benefits of bi-directional protection

Intego Security notes the benefits of outbound protection, which catches malware attempting to connect to the Internet from an infected computer. By definition, all firewalls offer inbound protection; the additional benefit of outbound filtering is detecting and preventing malware from phoning home.

http://www.intego.com/mac-security-blog/whats-the-difference-between-incoming-and-outgoing-firewall-protection/

QUOTE: The other day, we mentioned that the OS X application firewall provides only inbound protection. I imagine there are some of you who are wondering what exactly that entails, and more specifically, how that differs from what’s in Intego’s products. Well, guess no more! Here’s a handy explanation about the difference between incoming and outgoing firewall protection.

As you may imagine, inbound protection protects you from threats that originate outside of your Mac and try to get in. There are many types of automated or direct attacks that this type of protection is useful to combat, and this is the type of protection that OS X’s application firewall provides.

But arguably the more important component, from an anti-malware perspective, is outbound protection. Outbound protection alerts you to attempts to connect out from your machine. There are a lot of legitimate processes on your machine that do need to connect out (such as to get email, surf the web, get or update settings, etc.) but if there is unknown malware on your machine, you want to be able to prevent it from connecting out to send data or to alert its controller.
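The post describes the two directions in prose; the following pf packet-filter ruleset is an added example (not from Intego’s post, and not Apple’s application firewall configuration) that expresses both halves of the policy: inbound denied by default, and outbound denied by default except for the kinds of legitimate services the post names (mail, web, plus DNS so those work). pf ships with OS X 10.7 and later and with the BSDs; the interface name `en0` and the exact port lists are assumptions.

```pf
# Added example: bidirectional pf ruleset. Interface name and port lists are
# assumptions; adjust to the host. Loads with: sudo pfctl -f <this file>
ext_if = "en0"

# Ports legitimate software on this Mac needs to reach (assumed list):
# HTTP/HTTPS for the browser and updaters, submission/IMAPS for mail.
web_ports  = "{ 80, 443 }"
mail_ports = "{ 587, 993 }"

set skip on lo0                     # never filter loopback traffic

# Inbound protection: unsolicited connections from outside are dropped.
# This is the half the OS X application firewall already provides.
block in log on $ext_if all

# Outbound protection: the half the post says is missing. Default deny, then
# allow only the services listed above. A process that tries to "phone home"
# on any other port is dropped and the attempt is logged to pflog0.
block out log on $ext_if all
pass out on $ext_if proto udp to any port 53 keep state          # DNS
pass out on $ext_if proto tcp to any port $web_ports keep state  # web
pass out on $ext_if proto tcp to any port $mail_ports keep state # mail
```

Blocked attempts can be watched with `sudo tcpdump -n -e -ttt -i pflog0`. Two caveats for anyone trying this: pf decides on addresses and ports, not on which application opened the socket, so an unknown program using port 443 passes; the per-application alerting the post describes needs a host-based product that maps the process to the connection. And a real host needs a few more outbound allowances (DHCP on UDP 67/68, NTP on UDP 123, the system’s update servers) before a default-deny outbound rule is workable.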

Android Security – Application can hijack simulator but not real plane

While there was some initial misreporting, commercial aircraft contain special hardware and software that would prevent a situation as described in the article. With that said, everyone must constantly plan security appropriately for airlines, power plants, automobiles, or other things which could potentially be manipulated from the outside.

http://www.theregister.co.uk/2013/04/13/faa_debunks_android_hijack_claim/

QUOTE: Aviation officials have taken a skeptical view of claims that it’s possible to hijack a commercial aircraft using a smartphone, with both the US Federal Aviation Administration (FAA) and the European Aviation Safety Administration (EASA) issuing statements to the effect that it simply couldn’t happen. On Wednesday, Spanish security researcher Hugo Teso gave a presentation at the Hack in the Box conference in Amsterdam in which he claimed he had developed an Android app that could allow him to take control of an airplane by feeding misinformation into its in-flight communications systems.

“The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer,” the agency wrote, making something of a muddle of the facts. The statement went on to explain that although Teso may have been able to exploit aviation software running on a simulator, as he described in his presentation, the same approach wouldn’t work on software running on certified flight hardware.

Android Security – BadNews Malware Family

Lookout Mobile Security warns of a major new Android malware family called “BadNews” that uses highly advanced techniques to spread and manipulate infected smartphones.

https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/

QUOTE: Lookout has discovered BadNews, a new malware family, in 32 apps across four different developer accounts in Google Play. According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times. We notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation. All Lookout users are protected against this threat.

BadNews masquerades as an innocent, if somewhat aggressive, advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network. Because it’s challenging to get malicious code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny.

BadNews has the ability to send fake news messages, prompt users to install applications and send sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps. During our investigation we caught BadNews pushing AlphaSMS, well known premium rate SMS fraud malware, to infected devices.

BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred.

Facebook – New Hoax claims shutdown on May 15th

Facecrooks Security notes that a newer version of this hoax was found to be circulating.

http://facecrooks.com/Scam-Watch/Hoax-Claims-Facebook-is-Shutting-Down-on-May-15.html

QUOTE: The same rumors and hoaxes tend to circulate on Facebook time and again. There’s the classic viral message claiming that Facebook is going to begin charging users to access the site, and another popular rumor asserting that if you merely re-post a viral message, you can prevent Facebook from accessing your data. Another old rumor that apparently still has some legs asserts that Facebook will shut down imminently. 

Of course, this hoax is patently absurd; Facebook is a publicly traded company whose stock goes for almost 27 dollars a share. It’s one of the biggest tech companies in the world; to announce that it’s going to be shut down because the CEO is stressed out is completely ridiculous, but, for whatever reason, people believe it. It’s important to treat everything you read with a healthy dose of skepticism, particularly on the Internet. Facebook isn’t going away anytime soon, and apparently neither are the hoaxes that spread on it.

Android Security – Google tightens Play Store security

Google has made some beneficial recent changes as noted below:

http://nakedsecurity.sophos.com/2013/04/28/google-tightens-up-play-store-policy-officially-bans-off-market-updates/

QUOTE: Google has made a number of changes to its Android Play Store ecosystem recently. Part of the reason is that Mountain View has been copping lots of flak for the prevalence of malware in unofficial application markets, often in pirated apps. That’s a trifle unfair, since one of the attractions of Android over Apple’s iOS is that it’s actually possible to shop “off-market” if you wish. Sure, there’s a greater risk of shooting yourself in the foot if you do, but you’re not forced to live dangerously, and even if you do go outside the Play Store, a little caution goes a long way towards keeping you safe. More realistically, however, Google has been criticized for the appearance of malicious apps in its own Play Store.

Mobile Security – Risks associated with Personal phones used for business purposes

An interesting article describing the risks of using personally owned mobile phones for business use:

http://redtape.nbcnews.com/_news/2013/04/23/17864332-use-your-personal-smartphone-for-work-email-your-company-might-take-it

QUOTE: If you use your personal smartphone or tablet to read work email, your company may have to seize the device some day, and you may not get it back for months. Employees armed with a battery of smartphones and other gadgets they own are casually connecting to work email and other employer servers. It’s a less-than-ideal security arrangement that technology pros call BYOD — bring your own device. Now, lawyers are warning there’s an unforeseen consequence of BYOD. If a company is involved in litigation — civil or criminal — personal cellphones that were used for work email or other company activity are liable to be confiscated and examined for evidence during discovery or investigation.

The convenience is hard to ignore, as is the personal touch — workers love picking their own phones — but of course, cost savings is the real driving force. Increasingly, companies are requiring workers to supply their own gadgets at their own cost, the way a restaurant might require waiters to purchase their own uniforms. Even if companies reimburse those employees, there can be a big hidden cost for workers — the possibility of losing their phone for days or months while their company combs through it for data relevant to legal action.

Ransomware – New fake FBI version even invokes webcam

Ransomware is a malicious attack that puts a lock on a user’s PC, so they cannot easily proceed without paying the charge or removing the malware. A new fake version appears to come from the FBI and even has the capability to activate the user’s webcam. Infected users should never pay this fee; they should instead seek removal tools to delete these malicious agents.

http://redtape.nbcnews.com/_news/2013/04/26/17917497-ransomware-tricks-victims-into-paying-hefty-fines

http://www.symantec.com/connect/blogs/upswing-ransomware-activity

QUOTE: Computer users around the globe are being hit by a new kind of virus that freezes their computer and accuses them of committing heinous crimes. The threats sound real enough that victims are coughing up $200 to pay a “fine,” and virus writer gangs are netting millions, security firms say. In each case, the accusation appears on a pop-up screen while the virus simultaneously disables the computer. The message often shows the user’s IP address and city, and sometimes, recent websites visited by the victim. The most alarming version activates the victim’s webcam, takes his or her picture, and displays it on the warning.

“They are saying, ‘we know who you are, where you are, and what you were doing,'” said John Harrison, a security researcher with Symantec. “They attempt to scare the heck out of you.” The victim is then offered an option: pay a fine within 72 hours, and the charges will be dropped, while the computer will be restored.

Internet Storm Center – Capture of Fake Technical Support Calls

The ISC is capturing social engineering attacks and has close to 200 incidents documented:

https://isc.sans.edu/diary/Report+Fake+Tech+Support+Calls+submission+form+reminder/15704

https://isc.sans.edu/reportfakecall.html

QUOTE: We are trying to better understand how common “Fake Tech Support” calls are, and what they are trying to achieve. If you received a call that claims to provide tech support, or another service, only to extract information from you or to trick you into installing malware on your system, please use the form below to report any details.

SUMMARY OF DATA CAPTURED
https://isc.sans.edu/reportfakecallstats.html