Monthly Archives - February of 2013
 

Thursday, February 28, 2013

 
RSA Conference: Ransomware + Mitigating Botnets Posted by Sean @ 12:49 GMT

RSA Conference USA 2013 is taking place this week.

On Wednesday, our Antti Tikkanen and Paolo Palumbo gave a talk called: Ransomware Attacks!

RSA HTA-W23, Ransomware Attacks!
Slides available here. [PDF]

Here's a view of the ZeroAccess botnet:

ZeroAccess

The screenshot was taken from a KML file that maps over 200 thousand unique bots (which is just fraction of ZA).

And that brings us to Mikko's RSA talk: New Ways of Mitigating Botnets

RSA BR-R33, New Ways of Mitigating Botnets
Slides available here. [PDF]

Here's Mikko fighting some "bots" in preparation for his talk:

Mikko playing Space Invaders







 
 

 
 
Trademark Python™?? Posted by SecResponse @ 11:26 GMT

It seems the Python Software Foundation needs some help with a company in the UK that is trying to trademark the word "Python" for "software, servers, services… pretty much anything having to do with a computer".

So here, for the record, is our statement.

F-Secure Labs hearts Python

We at F-Secure use Python extensively in our organization, mainly on the back end and for internal tooling, but it's ubiquitous in our R&D work, and we encourage all our developers to embrace Python (in the fairly unlikely event that they are not already enthusiastic about it). To the best of our knowledge, our company is representative of the technology industry in Europe in general in this respect; apart from very specialized niche companies, everybody is using Python, and it would seem preposterous outrageous insane unfair to grant this trademark to anybody except the legitimate holder of the intellectual property rights for the Python programming language.

Best Regards,
NftL

 
 

 
 
Wednesday, February 27, 2013

 
Things That Make You Go Hmmm… About Apple "Security" Posted by Sean @ 13:22 GMT

Dear Tim Cook,

Have you searched for the term "antivirus" lately? — I'm guessing not.

Here's what Google Instant is currently offering up:

google.com, antivirus

Hmm, "antivirus for mac" — very interesting.

You know, maybe it's time for Apple to adjust its "security culture"?

Let's do some more searches. Here's what you'll get from apple.com when you search for "security updates":

apple.com Search Results

Marketing material. Typical. Oh, support info is on the right-hand side. Alright, fair enough then, security is a support issue.

Here's what you'll get from apple.com/support/ when you search for "security updates":

apple.com/support/ Apple Support Search Results

The top result is from December of last year, and there are even older results below. But there does seem to be a mention of security updates inside the text. Opening the article finally links you to an index: Apple security updates.

The index shouldn't be so difficult to find. And it's kind of sad it needs to be in quotes to actually show up in the search results.

Apple Security Updates

So let's take a look at the most recent security update article:

About the security content of Java for OS X 2013-001 and Mac OS X v10.6 Update 13

At the very bottom of the page, there's a section about Malware removal:

Malware removal

This is the definition of the word "summary" as provided by Google:

google, summary definition

Not for nothing, but don't you think its kind of lame that "malware removal" isn't mentioned in the summary?

Now let's search for something else.

Here's something you'll find if you search apple.com/support/ for "antivirus":

Avoid harmful software

Avoid harmful software? Gee, great tip. If this was 2009.

These apps, called

Internet downloads and email enclosures?

To be very frank, this advice was already behind the times when it was written in July 2012:

Last Modified: Jul 31, 2012

You just might want to get somebody to update that article with a mention of "exploits" and "drive-by attacks" and "watering holes" and… oh, you know, relevant stuff.

Look, here's the thing. Eleven years ago, Internet worms smacked around Windows so much — it ended up being a real wake up call. At which point, Microsoft made a big, and successful, effort to change its security culture.

But Apple?

Here's your corporate line:

"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

Here's the problem.

Apple not only refuses to confirm issues "until" patches are available — it doesn't even discuss them after the fact.

And why is that a problem?

Because we don't live in an era of Internet worms anymore. This is an era of Internet hacks! And information is valuable in that it allows for organizations with a large Mac user base to make informed threat assessments.

And the more Apple shares with the community, the better off everybody will be.

So please, consider making a change in Apple's culture of secrecy and denial.

You have talented, and friendly, security response analysts working for you. Why not highlight their efforts? Consider putting them front and center and applaud them for their good work. Own this problem, get in front of it.

Because it's the right thing to do.

Regards,
Sean Sullivan
Security Advisor, F-Secure Labs

 
 

 
 
Tuesday, February 26, 2013

 
Poika Visits Malaysia Posted by Sean @ 13:05 GMT

Looks like our poika (AV-TEST's award for Best Protection 2012) decided to visit Malaysia.

Seen here with members of our Kuala Lumpur team:

Our poika visits Kuala Lumpur

That's a very cool view…

 
 

 
 
Monday, February 25, 2013

 
The Lowest Hanging Fruit: Java Posted by Sean @ 17:00 GMT

By all measures, Java is the current title holder for the lowest hanging fruit in computer security. (And by Java, we mean JRE and its various browser plugins.) It wasn't always so. How did it happen? Let's review some highlights in the history of low hanging fruit.

From 2004 to 2008: Attacks shifted from Windows to Office.

2004, August — Windows XP Service Pack 2 was released.

2005, February — At RSA Conference, Microsoft announced the first beta of Microsoft Update.

2005, June — The initial release of Microsoft Update.

Result: Over time, fewer Microsoft Office vulnerabilities in the wild as Microsoft Update replaced Windows Update.

From 2008 to 2010: Attacks increasingly focused on Adobe.

2009, February — "Adobe Reader has become the new IE"

From my point of view, Adobe Reader has become the new IE. For security reasons, avoid it if you can.

2009, March — Adobe started a quarterly update schedule, available on "Patch Tuesday".

  •  ASSET Blog: Adobe Reader and Acrobat Security Initiative

2009, April — Oracle buys Sun, became owner of Java.

2010, March — PDF Based Targeted Attacks are Increasing

Targeted Attacks

  •  Computerworld: Hackers love to exploit PDF bugs, says researcher

Adobe wasn't surprised by the data. "Given the relative ubiquity and cross-platform reach of many of our products, Adobe has attracted — and will likely continue to attract — increasing attention from attackers."

Given the relative ubiquity and cross-platform reach of many of our products…

2010, July — Adobe Joins Microsoft's MAPP Program.

  •  ASSET Blog: Working Together: Adobe Vulnerability Info Sharing via Microsoft Active Protections Program (MAPP)

Result: Adobe became a team player… and has the results to show for it.

From 2010 to 2013: Java claims the title lowest hanging fruit (on multiple OS).

2012, April — Adobe ends "quarterly updates", responds monthly, as needed, still aligned with Microsoft's update schedule.

  •  ASSET Blog: Background on Security Bulletin APSB12-08

2012, August — Java Runtime Environment = Perpetual Vulnerability Machine

2013, January — ZDNet reporter, Ed Bott, declared Java the new king of foistware.

  •  ZDNet: A close look at how Oracle installs deceptive software with Java updates

2013, February — Numerous companies admit to security breaches due Java.

  •  The Verge: After so many hacks, why won't Java just go away?

Result: Java's browser plugin is deemed public enemy number one.

But wait, is disabling Java's browser plugins enough?

2011, March — Spotify Free users attacked via malicious ads. At least one attack used a Java exploit.

  •  SC Magazine: Spotify in malvertising scare

Seems it isn't just "browsers" that can trigger Java.

From 2013 to 201X: Oracle either evolves or JRE becomes increasingly irrelevant.

Oracle releases its critical patch updates on the Tuesday closest to the 17th day of January, April, July and October. By releasing such updates on a day other (and later) than "Patch Tuesday", Oracle currently forces IT departments to schedule an additional patch maintenance assessment and testing meeting.

Something really ought to change.

 
 

 
 
Saturday, February 23, 2013

 
Another Friday Night Disclosure: Microsoft Posted by Sean @ 06:47 GMT

In this week's episode of Friday Night Disclosures: Microsoft.

General Manager of Trustworthy Computing Security, Matt Thomlinson, provided details in a post on the MSRCTeam's blog:

MSRCTeam, Recent Cyberattacks

For those of you catching up on previous episodes of FND, see also:

Timeline: Hacks Related to Apple
Our Mac Antivirus Blocks Java Exploits (Our Windows AV, too.)

P.S. Kudos to Microsoft for publishing its disclosure notification on the Web (unlike Apple).

 
 

 
 
Friday, February 22, 2013

 
Our Mac Antivirus Blocks Java Exploits Posted by Sean @ 10:35 GMT

Yesterday, two of our analysts, Brod and Timo, tested a Facebook/Apple hack related Java exploit with our Anti-Virus for Mac.

And the result?

Our Mac AV blocked the exploit with a generic detection (created Nov. 19th 2012) called: Exploit:Java/Majava.B.

2013-02-21 Exploit:Java/Majava.B

Nice!

So, how is the sample related? On February 15th, Mac malware samples were shared via a "Mac malware" mailing list. In the follow up discussion, two file hashes were shared, one of which is available via VirusTotal. And that sample turned out to be a Java exploit that drops a Windows backdoor. Brod analyzed the backdoor (detected as Trojan.Generic.8282738) and discovered that it attempts to connect to digitalinsight-ltd.com, one of the sinkholed C&Cs related to Friday's Mac malware.

Our generic detection, Exploit:Java/Majava.B, is used by our cross-platform antivirus scanning engine, so our Windows customers are protected, too. Our thanks to the analyst who shared the file hash (she knows who she is).

 
 

 
 
Thursday, February 21, 2013

 
Chinese Hackers Posted by Sean @ 15:01 GMT

All you probably need to know about Mandiant's Chinese hacker report:


Chinese military hacker unit behind US attacks

Well, that, and that not everything in Mandiant's report about Chinese hackers can be verified.

Marketplace's Shanghai-based China correspondent, Rob Schmitz, called a phone number supposedly belonging to a hacker (from a Mandiant video) and reached a 69 year old farmer instead.



Edited to add: there are malicious versions of Mandiant's report being used in spear phishing attacks. Don't open any attachments claiming to be "APT1: Exposing One of China's Cyber Espionage Units", here's the direct source: intelreport.mandiant.com.

 
 

 
 
Wednesday, February 20, 2013

 
Timeline: Hacks Related to Apple Posted by Sean @ 12:20 GMT

The hacks related to Apple involve a lot of complexities. Let's review the time line:

February 1st: Twitter's Director of Information Security, Bob Lord, posted "Keeping our users secure" on Twitter's blog. On a Friday. The weekend of the NFL's Super Bowl. Lord explained that Twitter had been hacked, and that 250,000 accounts have had their passwords reset as a result. Lord advised people to disable Java's browser plugin.

February 1st: The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) issues Alert (TA13-032A) warning of multiple vulnerabilities in Oracle Java.

February 1st: Oracle releases a critical patch update for Java (JRE 7 Update 11 and earlier).

February 4th: Monday. We asked contacts at Apple: Based on Lord's post, we suspect a Mac payload, do you have any samples that you are allowed to share with us? The reply: "Twitter has not shared any samples with us."

February 4th: our post "What is Java technology and why do I need it?" speculated that a Twitter developer's Mac had been compromised via Java's browser plugin, and also noted with interest that Apple's XProtect was blocking Java 7 Update 11 (and earlier).

February 5th: US-CERT updates its alert.

February 7th: Oracle releases a critical patch update for Java (JRE 7 Update 11 and earlier) ahead of schedule because of "active exploitation in the wild" of one of the vulnerabilities addressed.

February 7th: Adobe published a security bulletin for Adobe Flash Player. From the bulletin: "Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform…".

Adobe APSB13-04, Firefox and Safari for Mac

Tip: You can download Google Chrome for Mac here.

February 8th: our post "Update: Flash Player Exploit Targeting Macs and Windows" notes that Lockheed Martin CIRT contributed to Adobe's investigations.

February 8th: the folks at AlienVault Labs post "Adobe patches two vulnerabilities being exploited in the wild" and provides analysis of "2013 IEEE Aerospace Conference schedule", one of the Windows-based attacks exploiting Flash Player's vulnerability.

February 12th: Adobe releases its security update for Flash Player.

Tip: Check your version(s) of Flash Player here.

February 15th: Facebook's security team posted "Protecting People On Facebook" on its Page. On a Friday. Just before a three-day weekend in the United States. The security team explained that some Facebook employee "laptops" have been hacked via a Java exploit.

February 15th: Joe Sullivan, Facebook's Chief Security Officer, is interviewed by Sean Gallagher of Ars Technica. Sullivan said that C&C servers related to the attack are sinkholed by a third-party and traffic indicates several other companies have been affected.

February 15th: Mac samples (bookdoors) are shared with an AV mailing list.

February 18th: our Helsinki-based Mac analyst, Brod, examines the bookdoors. We quickly determine that all of the related C&C's are sinkholed by The Shadowserver Foundation. Other recent Mac backdoors, targeting Uyghur people, have not been sinkholed in this manner. To us, this indicates that the backdoors are part of a law enforcement investigation. Knowing that Chief Security Officer Joe Sullivan is a former U.S. Attorney (federal prosecutor), we suspect a connection to Facebook.

February 18th: our post "Facebook Hacked, Mobile Dev Watering Holes, and Mac Malware" connected several of the dots, and notes Facebook's statement that the source of the attack was a compromised website for mobile application developers.

February 19th: Reuters breaks the news that Apple employees were also hacked via a Java exploit. According to Reuters, "a person briefed on the case said that hundreds of companies, including defense contractors, had been infected with the same malicious software."

February 19th: Mike Isaac at AllThingsD reports iPhoneDevSDK is the compromised mobile developer website.

February 19th: Oracle releases a "special" critical patch update for Java (JRE 7 Update 13 and earlier) which includes all of the fixes from February 1st, " plus an additional five fixes which had been previously planned for delivery."

February 19th: Apple releases a security update which includes a malware removal tool.

February 20th: Ian Sefferman, an administrator at iPhoneDevSDK writes that prior AllThingsD's article, "we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."

iPhoneDevSDK Compromised
Click image to embiggen.

February 20th: Bloomberg reports sources suggest the attack on Apple came from Eastern Europe.

Open Questions

Q: Adobe reported in the wild attacks on websites targeting Flash. Those attacks appear to be targeting defense contractors. Where are those watering holes located?

Q: How many companies were affected?

Q: How many unique connections have been made to Shadowserver's sinkhole?

Q: How long has this type of thing been going on? Apple began removing old versions of Java from Macs when people updated OS X in October 2012. Was that a proactive… or reactive decision? How many times has Apple been compromised?

Considerations

Macs have something like a 15% market share in the real-world. Such market share equals a relatively low motivation for bad guys to develop bulk commoditized "malware as a service" which targets average Mac owning consumers. Folks who use Macs for home are as relatively secure today as they were yesterday, and as such, they probably have a reasonable sense of security.

But in the "developer world", Macs have a much higher percentage of market share. (In Silicon Valley we'd guesstimate it's probably the inverse of the real-world: 85%.) As such, there is relatively high motivation for bad guys to develop "sophisticated" attacks that incorporate Mac-based payloads. Folks who use their Macs for work should not have the same sense of security as home users. Clearly, work-based Macs are more of a target and expectations of security should scale to match the threat level.

Developers assuming a "15%" motivation of attack — aren't paranoid enough — and are operating with a false sense of security. It's time for businesses and organizations to reassess.

At the very least, developers and other professionals should segment work (with access to production back ends) and play into separate virtual machines if not separate hardware.

Edited: Added the February 19th link to Apple's update.

 
 

 
 
Tuesday, February 19, 2013

 
Apple One of the "Other Companies" Hacked Posted by Sean @ 22:23 GMT

Wow. According to Reuters, Apple was one of the "other companies" recently attacked by hackers who infected Macs.

Hundreds of companies, including defense contractors, are affected according to Reuters.

And according to AllThingsD, a site called iPhoneDevSDK is the likely watering hole where the attack took place.

iPhoneDevSDK

Here's the geographic stats from DomainTools.

DomainTools, iphonedevsdk.com

Apple will be releasing a software tool to help identify and repair infected Macs.







 
 

 
 
Facebook Confirmed: Several Other Companies Hacked Posted by Sean @ 14:38 GMT

Yesterday's post generated some feedback along the lines of "interesting theory". But here's the deal, that other companies were hacked is not a theory — it's a fact. Facebook's Chief Security Officer, Joe Sullivan, said so himself in an interview with Ars Technica.

Facebook Chief Security Officer offers details in exclusive interview.

According to Sullivan, Facebook's security team worked with a third-party to sinkhole the attacker's server — and they discovered traffic coming from several other companies.

These are the domains associated with the Mac malware we wrote about yesterday:

  •  corp-aapl.com
  •  cloudbox-storage.com
  •  digitalinsight-ltd.com

They're all currently pointing to shadowserver.org. And that would be the third-party sinkhole mentioned by Sullivan.

So we ask the question again, just how many other mobile application developers took a drink from the watering hole that nailed Twitter & Facebook? Does "several other companies" mean only a handful of unique connections were made to the sinkhole? Or does it mean Facebook has only been able to identify "several" out of many more connections?

We would like to know: in total, how many unique connections have been made to Shadowserver's sinkhole?

Just a ballpark figure, please.

 
 

 
 
Monday, February 18, 2013

 
Facebook Hacked, Mobile Dev Watering Holes, and Mac Malware Posted by Sean @ 13:12 GMT

Friday, February 1st: Twitter announced it was hacked. The post (Keeping our users secure) by Bob Lord, Director of Information Security, was sparse on details but recommended disabling Java's browser plugin.

And according to Lord, the attackers "were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

And we believe other companies and organizations have also been recently similarly attacked

Friday, February 15th: Facebook announced it was hacked. According to the Security Team's note (Protecting People On Facebook), a handful of employees visited a compromised website hosting a Java "exploit which then allowed malware to be installed on these employee laptops."

Allowed malware on laptops

So, disable Java's browser plugin by default, and only enable it when you really need to do so. But we already knew that, didn't we?

And while everybody else is bashing Oracle, we have a more interesting question: what malware on what type of laptop?

Why? Because Macs are the type of laptop we almost aways see in Facebook's employee photos.

Here's Facebook's Security Team's Cover Photo:

Own Your Space
ImageFacebook Security: "Own Your Space"

As we've already speculated on February 4th, an exploit opens the door — what walked through that door and onto the hip young Silicon Valley developer's MacBook?

Well, interestingly enough, last Friday evening, we received (via a mailing list) new Mac malware samples to analyze. Samples that were uploaded to VirusTotal on January 31st, one day before Twitter's announcement.

One type of sample are custom compiled SSH daemons which we suspect are very likely dropped by an exploit. The others aren't actually "samples" insofar as they aren't binaries, they're one line of program (Perl) which runs at startup and opens a reverse shell.

The URLs used include: a misspelling of "Apple Corp"; something that sounds like a digital consulting company; and something that pretends to be a cloud storage service.

Okay, so there's a Mac threat out there and most Mac users are completely unaware of it. They have a false sense of security. That's bad, right? But that's not even the worst of it when you really consider all of the details. What was the compromised website which hosted the Java exploit? According to Facebook's note, it was a mobile developer website!

Visited a mobile developer website that was compromised

Get it? A "watering hole" attack targeting mobile application developers.

As in… can't hack mobile devices? Okay then, go up stream and hack mobile application developers. At which point you can inject whatever you want into the developer's source code.

Twitter and Facebook obviously have dedicated security teams on the lookout for trouble. (They're big targets.) Unfortunately, other smaller Silicon Valley startups (with big user bases) don't have the same resources. At this point, we really hope somebody has been in touch with the folks at WhatsApp, which according to Google Play, has at least 100 million installations.

There are hundreds of thousands if not millions of mobile apps in the world. How many of the apps' developers do you think have visited a mobile developer website recently? With a Mac… and a very false sense of security?

We'll all be very lucky if this watering hole was only really trying to target big players such as Twitter and Facebook. On the other hand, if the campaign had a broader goal of hacking as many developers as possible — it really calls into question current bring your own device policies. BYOD = Bring your own destruction?

Advice

SSH daemon compromised systems will have one of the following:

  •  com.apple.cupsd.plist
  •  com.apple.cups.plist

Perl compromised systems will have one of the following:

  •  com.apple.cocoa.plist
  •  com.apple.env.plist

Any developer who has Java enabled in his browser, has visited mobile developer websites in the last couple of months, and finds evidence his computer is compromised — probably should use his source code versioning system to check recent commits.

And if you don't use a source code version system (such as SVN or Git), have fun re-reading your entire code base.

Edited to add: And it should almost go without saying that developers using Windows should practice the same vigilance.

 
 

 
 
Friday, February 15, 2013

 
Taking Poika Out on the Town: 2013 Posted by Sean @ 13:43 GMT

AV-TEST has awarded F-Secure Internet Security with Best Protection 2012.

And apparently we have ourselves something of a tradition in which we take our "poika" for a tour of the town.

Poika Tours 2011 & 2012:

Poika Tours 2011 & 2012

Presenting Poika on the Town 2013:

Cathedral
Poika outside the Helsinki Cathedral

Railway
Poika driving near the railway station

F-Secure HQ
Poika by our HQ

Sauna
Poika in the sauna

Roof
Poika on our HQ's roof

Snow
Poika having a roll in the snow (perfect after a nice sauna)

Lobby
Poika joins the party in our HQ's lobby

 
 

 
 
Thursday, February 14, 2013

 
Mitigate the Adobe Reader/Acrobat XI Vulnerability Posted by Sean @ 12:17 GMT

News broke yesterday regarding a zero-day vulnerability in Adobe Reader and Acrobat XI.

Adobe released its Security Advisory last night which includes some important mitigation options.

APSA13-02, Mitigations

Users can protect themselves by enabling "Protected View".

Here's what the setting looks like in Adobe Reader XI running on Windows 8.

Adobe Reader XI, Preferences, Protected View

Adobe recommends choosing the "Files from potentially unsafe locations" option, but to be frank, we suggest you select "All files".

 
 

 
 
Wednesday, February 13, 2013

 
"Police" Ransom Trojan Gang Busted Posted by Mikko @ 21:02 GMT

Spanish Police and Europol did a major bust today, arresting several persons connected to the well-known "Police" ransom trojans.

We've covered these ransom trojan families on our blog before, but in a nutshell, they lock up an infected PC, claiming to be the local police and demanding the victim to pay a "fine" to open up the system.

All in all, 11 people were arrested and six premises were searched.

Here's an arrest video released by Spanish Brigada de Investigación Tecnológica de la Policía Nacional.



Note the use of Cellebrite devices to take forensic images of suspect mobile phones (at around 2 minutes into the video).

Congratulations to Spanish Police and EC3. This bust must have felt good, as the brands of both have been misused by police trojans (see the below snippet taken from a screen displayed by a trojan):

ec3

More info from Europol.










 
 

 
 
Adobe Reader/Acrobat XI Vulnerable, Et Cetera Posted by Sean @ 15:15 GMT

Adobe is investigating an Adobe Reader & Acrobat XI (and earlier) zero-day exploit.

Adobe Reader Vulnerability, Feb 12

Details: Adobe Reader and Acrobat Vulnerability Report

Consider mitigating your Adobe Reader usage until there's an update from Adobe.

And speaking of Adobe updates, there's one for Flash Player:

Flash 11.6 Update

Check your version of Flash Player here.

There will be another Java update next week (on the 19th), which is an update to the to February 1st distribution.

Schedule another "Patch Tuesday" on your calendar.

And also of interest for some, Rails 3.2.12, 3.1.11, and 2.3.17 have been released.

 
 

 
 
Tuesday, February 12, 2013

 
7,000 Fake Identities Equals 200 Million USD Posted by Sean @ 12:44 GMT

Most people are aware of identity theft these days, and that it's a relatively easy way for criminal types to make money (by accessing credit). But we've wondered, at what point does it become easier to fake, rather than to steal identities?

The FBI answered that question last week when it arrested 13 people on charges of bank fraud.

Eighteen People Charged in International $200 Million Credit Card Fraud Scam

The defendants are alleged to have used thousands of fake identities, documents, and companies to get tens of thousands of credit cards. And they cashed out two hundred million dollars.

Our favorite detail?

"Law enforcement discovered approximately $70,000 in cash in the oven of one defendant."

Guess the freezer was full…

Prediction: as more of our personal identity becomes digital, and as schemes such as the one above become more common — we'll spend less time protecting our identity than we will trying to prove it isn't fake.

 
 

 
 
Friday, February 8, 2013

 
Update: Flash Player Exploit Targeting Macs and Windows Posted by Sean @ 13:15 GMT

On Monday, we speculated that recent Java exploits may have been used to hack the Macs of Twitter employees. And today there's a Flash Player update, and Adobe reports the patched vulnerabilities are being exploited in the wild.

CVE-2013-0634 affects Flash Player for Firefox and Safari for Mac.

CVE-2013-0634

What organizations have been targeted? Adobe doesn't say.

However, it's interesting to note that the Lockheed Martin Computer Incident Response Team contributed to Adobe's investigations.

Lockheed Martin Computer Incident Response Team

Read more at Krebs on Security.

 
 

 
 
Tuesday, February 5, 2013

 
Download: H2 2012 Threat Report Posted by ThreatSolutions @ 08:21 GMT

What's been demanding our attention in the second half of 2012? Discover the answer to that question in our H2 2012 Threat Report! It pretty much sums up all the important cases we've seen from July to December of 2012. Whet your appetite with short articles on passwords and corporate espionage, and then move on to the case studies on the following:

  •  Bots
  •  ZeroAccess
  •  Zeus
  •  Exploits
  •  Web
  •  Multi-platform attacks
  •  Mobile

Download a copy from here.

Correction (8 Feb 2013): The H2 2012 Threat Report was updated to amend the following statement in the ZeroAccess article: "A successful installation in the United States will net the highest payout, with the gang willing to pay USD 500 to 1,000 per installation in that location." The sentence was corrected to "[...] to pay USD 500 per 1,000 installations in that location."


Exploits

 
 

 
 
Monday, February 4, 2013

 
What is Java technology and why do I need it? Posted by Sean @ 16:09 GMT

Why do I need Java?

Here's what java.com says:

What is Java technology and why do I need it?

"Java is fast, secure, and reliable."

Secure? The U.S. Department of Homeland Security doesn't seem to think so. And neither does Apple, Mozilla and Twitter.

Twitter was hacked last week. And for some reason (which wasn't all that clearly explained), Twitter's Director of Information Security recommended disabling Java's browser plug-in.

If we were to speculate, we'd guess a developer at Twitter fell victim to a targeted attack which used a Java exploit. And being a hip Silicon Valley company, the developer probably uses a Mac. And that of course means the Java exploit dropped a Mac-based payload.

Kind of interesting that Mac's anti-malware component, XProtect, was blocking Java last week, no?

Hmm, so, do you really need Java?

Here are instructions for disabling Java browser plug-ins.