NEWS FROM THE LAB - May 2013
 

 

Thursday, May 30, 2013

 
F-Secure Globe Posted by Sean @ 12:40 GMT

A visualization project using some of our customer upstream data: F-Secure Globe

F-Secure Globe

By Liew Swee Meng — based on The WebGL Globe

 
 

 
 
Wednesday, May 29, 2013

 
The Future: No Hiding Place Posted by Sean @ 12:42 GMT

This week's issue of The Economist has a very interesting article.

No hiding place: A plan to assess people's personal characteristics from their Twitter-streams

No hiding place

Researchers at IBM's Almaden Research Centre in San Jose, California think they can determine a person's presumptive personality from just 50 Tweets:

"In a test of the new system, Dr Haber analysed three months' worth of data from 90m users of Twitter.
His software was able to parse someone's presumptive personality reasonably well from just 50 tweets,
and very well indeed from 200."

So… marketers will finally be able to determine truly effective ways to target consumers?

We should be so lucky if it were just marketers.

Here's another Economist article from April.

How might your choice of browser affect your job prospects?

How might your choice of browser affect your job prospects

According to "Big Data" — you'll be a better employee if you use a non-default web browser.

One shudders to imagine how HR recruiters will use people's presumptive personalities.

(Targeted ads will be the least of our worries.)

It's enough to make you want to cut your tail off: Delete Your Oldest Tweets Using Twitter Archive Eraser

 
 

 
 
Friday, May 24, 2013

 
Twitter's 2FA: SMS Double-Duty Posted by Sean @ 12:40 GMT

Twitter introduced multi-factor login verification on Wednesday. Good news? Well… that depends.

Twitter's initial implementation of two-factor authentication (2FA) relies on SMS.

But… Twitter also uses SMS as a way to send and receive Tweets (making use of SMS for double-duty: social and security). It's possible to "STOP" incoming Tweets via SMS, and that makes sense, because people sometimes end up roaming unexpectedly — and there needs to be a way to stop the SMS feature. Otherwise it could generate a costly bill.

Unfortunately, an attacker could use SMS spoofing to disable 2FA if he knows the target's phone number.

Twitter's SMS 2FA

We've done some testing.

The STOP command removes the phone number from the account — and that in turn disables Twitter's 2FA.

Not great.

But there's an even worse possibility at the moment.

If you don't yet have 2FA enabled, an attacker who gains access to your account via spear phishing could enable it for himself!

All that's required is random phone number and SMS spoofing the word "GO".

Twitter's SMS 2FA

Then the attacker can enable the account's 2FA.

Twitter's SMS 2FA

Then send a message. (The message doesn't contain a confirmation code, so it isn't really needed.)

Twitter's SMS 2FA

And then click "Yes".

Twitter's SMS 2FA

That's it.

No confirmation code is needed to add a number. (Confirmation is required to change the account's associated e-mail address.)

This is what the victim will see — even if they reset the account's password.

Twitter's SMS 2FA

The victim will be locked out, and cannot recover the account without Twitter's support.

So… perhaps you should enable your account's 2FA — before somebody else does it for you.

Fortunately, the majority of Twitter users aren't big targets. Unfortunately, accounts such as @AP are. And Twitter's SMS-based 2FA could be more harm than help when the use case is a dedicated attacker.

Twitter's blog post says "this feature has cleared the way for us to deliver more account security enhancements in the future."

Let's hope so.

Updated to add: some good news (maybe).

According to this December 2012 article by Lucian Constantin, Twitter's back end doesn't allow commands to be sent via long code if the phone number's operator is known to Twitter and provides short code support. And it shouldn't be possible to spoof the origin number to a short code.

So it shouldn't be possible to issue the "STOP" command to your phone, if your operator supports Twitter's short code. However, it is still quite possible for an attacker to add his phone to your account if it's compromised via phishing.

Twitter's 2FA doesn't require multi-factor confirmation to enable. Anybody with the password can easily add a phone number.

 
 

 
 
Thursday, May 23, 2013

 
Mac Spyware Bait: Lebenslauf f�r Praktitkum Posted by Sean @ 10:12 GMT

As a follow up to yesterday's Kumar in the Mac post… have you received e-mail attachments such as this?

Lebenslauf f�r Praktitkum

Attachments:

  •  Christmas_Card.app.zip
  •  Content_for_Article.app.zip
  •  Content_of_article_for_[NAME REMOVED].app.zip
  •  Interview_Venue_and_Questions.zip
  •  Lebenslauf_f�r_Praktitkum.zip (Translates as: CV for Internship.)

If so, you may be the target of a spear phishing campaign designed to install a spyware on your Mac.

Here's a list of binaries signed by Apple Developer "Rajinder Kumar".

Detected as Trojan-Spy:OSX/HackBack.B:

  •  1eedde872cc14492b2e6570229c0f9bc54b3f258
  •  6737d668487000207ce6522ea2b32c7e0bd0b7cb
  •  a2b8e636eb4930e4bdd3a6c05348da3205b5e8e0
  •  505e2e25909710a96739ba16b99201cc60521af9
  •  45a4b01ef316fa79c638cb8c28d288996fd9b95a
  •  290898b23a85bcd7747589d6f072a844e11eec65 — mentioned in yesterday's post.

Detected as Backdoor:OSX/KitM.A (includes screenshot feature):

  •  4395a2da164e09721700815ea3f816cddb9d676e

Though the spear phishing payloads are not particularly "sophisticated", the campaign's use of German localization and the target's name (removed in the example above) does indicate the attackers have done some homework.

Be vigilant.

More information:
Mac Spyware Found at Oslo Freedom Forum
Big Hangover

 
 

 
 
Wednesday, May 22, 2013

 
Mac Spyware: OSX/KitM (Kumar in the Mac) Posted by Sean @ 12:45 GMT

There's another case of Backdoor:OSX/KitM.A in the wild.

A German-based investigator reached out to us yesterday regarding OSX/KitM. (We wrote about it last week.) KitM stands for "Kumar in the Mac", which is our designation for spyware — related to OSX/Filesteal a.k.a. OSX/HackBack — that is signed using an Apple Developer ID in the name of Rajinder Kumar. The Developer ID has since been revoked by Apple.

This latest version of OSX/KitM used a Romanian C&C server called liveapple.eu during the period of attack, December 2012 to early February 2013. The spear phishing used an attachment called Christmas_Card.app.zip. (Remember, the attack started in December.)

So, that brings us to this bit of advice for those of you who might be targets.

This is the default "Gatekeeper" security setting:

Mac, Security & Privacy
Mac App Store and identified developers

This is the setting that you want, unless you're actively installing software:

Mac, Security & Privacy
Mac App Store

This is the prompt that results when OSX/KitM attempts to install with the stricter setting:

Kumar's Christmas Card

If you're running OS X Mountain Lion or Lion v10.7.5 — adjust your settings as an extra layer of precaution.

SHA1: 290898b23a85bcd7747589d6f072a844e11eec65

 
 

 
 
Tuesday, May 21, 2013

 
Big Hangover Posted by Sean @ 13:35 GMT

The Mac spyware discovered at the Oslo Freedom Forum last week is apparently connected to larger espionage efforts — and those efforts look to be connected to India.

Yesterday, the folks from Norman released their Hangover Report.




Snorre Fagerland has confirmed a connection to the C&Cs used by Backdoor:OSX/KitM.A.

Also related, from the folks at ESET: Targeted information stealing attacks in South Asia use email, signed binaries

Apple has reportedly revoked the Developer ID used by KitM.A.
 
 

 
 
Friday, May 17, 2013

 
BBC News: LulzSec Hacker Interview Posted by Sean @ 12:54 GMT

BBC News has a 13 minute report that's worth a view.

LulzSec hacker: Internet is a world devoid of empathy

LulzSec hacker: 'Internet is a world devoid of empathy'

 
 

 
 
Thursday, May 16, 2013

 
LulzSec Sentencing in UK Posted by Mikko @ 13:32 GMT

LulzSec Twitter

LulzSec – the rockband of hacker groups – had three of their six members sentenced today in London.

LulzSec made headlines during their "50 days of Lulz" in May-June 2011, during which they attacked Fox, PBS, Sony, Nintendo, Sega, Minecraft, Infragard, NHS, US Senate, SOCA and CIA. They also recorded and published a conference call between US and European law enforcement officials, discussing police tactics against LulzSec.

LulzSec was different from most other attackers, as they weren't doing their attacks to make money or to protest. They did it for Teh Lulz. Also, they had no sense of self-preservation, which led to taking them down.

LulzSec had 6 core members:


The first three were sentenced today.

  • Jake Davis got a 24 month sentence. He will serve 12 months in a young offenders institute
  • Mustafa Al-Bassam got a 20 month sentence, suspended for two years and 300 hours of community work.
  • Ryan Ackroyd got a 30 month sentence. He will serve 15 months.

A botnet master associated with Lulzsec was sentenced at the same time: Ryan Cleary (aka Viral). He got a 32 month sentence. He will serve 16 months.

Sabu was arrested in June 2011. He pleaded guilty and has been working with FBI since. He's yet to be sentenced.

Darren Martyn was indicted in March 2012. He's yet to be sentenced.

So, five of the LulzSec six has been caught. The remaining mystery is the 6th member: Avunit.

Who was Avunit? How come none of the other members have given him up?

We have no idea who Avunit is. We have no identity. We don't even know which continent he is from.

P.S. Obligatory nyan.cat.







 
 

 
 
Mac Spyware Found at Oslo Freedom Forum Posted by Sean @ 12:29 GMT

The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activist's Mac.

Our Mac analyst (Brod) is currently investigating the sample.

It's signed with an Apple Developer ID.

Developer ID

The launch point:

Launch point

It dumps screenshots into a folder called MacApp:

Screenshot dump folder

Functions:

Functions

There are two C&C servers related to this sample:

DomainTools, securitytable.org
securitytable.org

DomainTools, docforum.info
docsforum.info

One C&C doesn't currently resolve, and the other:

docsforum.info
Forbidden

Our detection is called: Backdoor:OSX/KitM.A. (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e)

 
 

 
 
Wednesday, May 15, 2013

 
Download: Mobile Threat Report Q1 2013 Posted by Sean @ 12:45 GMT

Our Mobile Threat Report Q1 2013 is now publicly available.

Mobile Threat Count, Q1 2013

All of our past reports are also available in the "Labs" section of f-secure.com.

 
 

 
 
Monday, May 13, 2013

 
Webinar: Embedded Posted by Sean @ 13:51 GMT

F-Secure Labs Webinar: Mobile Threat Report Q1 2013


 
 

 
 
Friday, May 10, 2013

 
Webinar: Monday, May 13th Posted by Sean @ 17:43 GMT

It's time to schedule another F-Secure Labs webinar!

We're trying out Google's "Hangouts On Air" this go-around:

Google Hangout Webinar, May13

Details: F-Secure Labs Threat Report Preview Webinar

Hope to see you there.

 
 

 
 
Tuesday, May 7, 2013

 
Twitter's Password Fails Posted by Sean @ 12:51 GMT

Let's say you want to hack Jack Dorsey's online banking account. Where to start? His username?

Challenging… his online banking username is a secret. But how about his Twitter account?

Oh, that's easy. It's @jack.

That's the problem with "social" usernames — they're meant to be known.

Twitter's Password Fails

Another problem, Twitter appears to validate e-mail addresses:

Twitter's Password Fails

Looks like nobody's home at jackd@twitter.com:

Twitter's Password Fails

Twitter's settings include an option to require "personal" infomation such as an e-mail or phone number:

Twitter's Password Fails

But that's less than useless if Twitter won't actually let you add your number:

Twitter's Password Fails

And just how "personal" is a phone number anyway?

Twitter's Password Fails

Two-factor authentication?

Sure.

But Twitter should first stop validating e-mail addresses.

And then maybe it could add an option to disallow logins via the publicly known username.

Edited to add: On second thought…

How about this?

Twitter should stop validating e-mailing addresses in its password reset form.

And then, discriminate between using e-mail and username. If an account is accessed with the usernamedon't provide access to the account settings! The e-mail address (alias) could then be used only by account "adminstrators".

Example: regular @AP staff could login with "AP" — no settings for them! They could Tweet, but would be restricted from making changes to the account. But the @AP "admin", some guy in the IT department, that person could login using the "secret" e-mail address and would be able to change account settings (and lockdown the account in case of a breach).

Discriminating between e-mail and username — a way to distinguish between "admins" and "users".

 
 

 
 
Friday, May 3, 2013

 
Online Activities Related to Elections in Malaysia Posted by SuGim @ 11:57 GMT

Malaysia's 2013 general elections are scheduled for Sunday, May 5, 2013. Political news coverage is currently inundating all news outlets, including social networking sites, as the country's political parties go into high gear in the final run-up to polling day.

The huge media interest creates an opportunity for malware writers to gain new victims using established social engineering techniques — and sure enough, this week Citizen Lab released a report indicating that a sample of the sophisticated FinFisher (a.k.a. FinSpy) surveillance malware was discovered in a document crafted specifically for this event.

The malware was distributed in a booby-trapped Malay-language Microsoft Word document named "SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.doc" (In English: "List of proposed candidates for 13th General Elections according to states").

SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.doc

The report speculates that the attack document is targeting Malaysians looking for more information related to one of the most closely contested elections in the country's history. F-Secure detects the document in question as Trojan:W32/FinSpy.D.

Finfisher is produced by an European company called the Gamma Group. As we mentioned in a previous post, the company was present at the ISS World 2011 gathering hosted in Kuala Lumpur, Malaysia. The ISS event serves as a trade fair for surveillance software (attendance is by "invitation" or if you are a "telco service provider, government employees or law enforcement officer").

ISS World Kuala Lumpur

Additionally, there have been reports alleging that multiple news and social media sites, including YouTube, Facebook, and Malaysiakini (a popular Malaysian online news site) have been subjected to various forms of disruption, including defacements, denial of service attacks, and filtering.

F-Secure Labs is observing the situation. We saw a rise in malware detections during April 2013 in Malaysia. However, we don't really know if the increase was due to election-related activity or something else.

Malaysia, detections