<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.trendmicro.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" version="2.0">

<channel>
	<title>CounterMeasures - Security, Privacy, Trust</title>
	
	<link>http://countermeasures.trendmicro.eu</link>
	<description>A Trend Micro Solutions Architect Blog</description>
	<lastBuildDate>Mon, 06 May 2013 14:43:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.trendmicro.com/countermeasures" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="countermeasures" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.0/</creativeCommons:license><xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">countermeasures</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://feedburner.google.com</feedburner:feedburnerHostname>
		<item>
		<title>Dumped LivingSocial database offered for 1 Bitcoin</title>
		<link>http://countermeasures.trendmicro.eu/dumped-livingsocial-database-offered-for-1-bitcoin/</link>
		<comments>http://countermeasures.trendmicro.eu/dumped-livingsocial-database-offered-for-1-bitcoin/#comments</comments>
		<pubDate>Mon, 29 Apr 2013 13:19:28 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3869</guid>
		<description><![CDATA[I&#8217;m sure many of you will have already read about the massive database breach at LivingSocial, a daily-deal company second only to Groupon. If not, then you aren&#8217;t one of the &#8220;lucky&#8221; 50 million people chosen for that day&#8217;s &#8220;special deal&#8221;. LivingSocial reported a breach of their systems which resulted in the names, email addresses, [...]]]></description>
				<content:encoded><![CDATA[<p>I&#8217;m sure many of you will have already read about the massive database breach at LivingSocial, a daily-deal company second only to Groupon. If not, then you aren&#8217;t one of the &#8220;lucky&#8221; 50 million people chosen for that day&#8217;s &#8220;special deal&#8221;.</p>
<p><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2013/04/livingS.jpg"><img class="aligncenter size-large wp-image-3871" alt="livingS" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2013/04/livingS-400x225.jpg" width="400" height="225" /></a></p>
<p>LivingSocial reported a breach of their systems which resulted in the names, email addresses, dates of birth and hashed and salted password values being stolen. Although LivingSocial passwords were hashed and salted, unfortunately the cryptographic algorithm used was not a particularly strong one (SHA-1). This means that while cracking that password database is not trivial, it is certainly not impossible.<br />
<span id="more-3869"></span>As a result, LivingSocial has reset all passwords for every user and <a title="Reset Livingsocial password" href="https://www.livingsocial.com/createpassword" target="_blank">obliged them to create new ones</a>, this time using a new algorithm (bcrypt). Additionally, as password reuse continues to be a perennial problem, they have also rightly advised all their customers to change their passwords on any other sites that use the same or a similar password.</p>
<p><strong>But things just got a little more urgent for those affected</strong>. Someone calling themselves KATOGRAPHR has <a title="Pastebin livingsocial dump" href="http://pastebin.com/gkB6LQZD" target="_blank">posted</a> a series of samples of the stolen data up on pastebin, about fifty thousand samples if they are to be believed. The reason for the samples is that KATOGRAPHR is advertising the full database dump of &#8220;over 50M uid/email/sha1/salt&#8221; for the princely sum of 1 bitcoin (currently worth around $130USD).</p>
<p><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2013/04/Screen-Shot-2013-04-29-at-14.54.41.jpg"><img class="aligncenter size-large wp-image-3870" alt="Pastebin post for LivingSocial data" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2013/04/Screen-Shot-2013-04-29-at-14.54.41-400x150.jpg" width="400" height="150" /></a></p>
<p>Of course payment is up front, followed by an email with your &#8220;delivery address&#8221;, and there&#8217;s no vouching for the veracity of the goods unless LivingSocial care to verify; however, several of the &#8220;taster&#8221; pastebin dump links remain active.</p>
<p><strong>What does this mean for you?</strong> Well, if you’re the type of person who tends to reuse your password across multiple web sites, today’s the day to get out there and start changing that password and breaking that habit. Criminals now have your email address and common password.</p>
<p>It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember, there is a simple way to achieve this. Create a complex, yet memorable, password using upper and lower case letters, numbers and special characters such as $%&amp;!. Try using the initial letter from each word in a memorable sentence, for example. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember.</p>
<p>As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions”, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet”, remember the answer doesn’t have to be the truth, it only has to be something you can remember.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/dumped-livingsocial-database-offered-for-1-bitcoin/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Frustrate, Disrupt, Evade</title>
		<link>http://countermeasures.trendmicro.eu/frustrate-disrupt-evade/</link>
		<comments>http://countermeasures.trendmicro.eu/frustrate-disrupt-evade/#comments</comments>
		<pubDate>Tue, 16 Apr 2013 13:00:23 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[countermeasures]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3862</guid>
		<description><![CDATA[Much of the focus on Advanced Persistent Threat and targeted attack prevention methodology can be related to the Lockheed Martin Cyber Kill Chain, which is itself based on the conventional US military targeting doctrine — find, fix, track, target, engage, assess (F2T2EA) methodology.  The Cyber Kill Chain comprises seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, [...]]]></description>
				<content:encoded><![CDATA[<div class="wp-caption alignleft" style="width: 325px"><img class=" " alt="Stop that RAT!" src="http://farm9.staticflickr.com/8026/7558717260_b7a06a45b4.jpg" width="315" height="315" /><p class="wp-caption-text">Stop that RAT! by dirigentens</p></div>
<p>Much of the focus on Advanced Persistent Threat and targeted attack prevention methodology can be related to the Lockheed Martin Cyber Kill Chain, which is itself based on the conventional US military targeting doctrine — find, fix, track, target, engage, assess (F2T2EA) methodology.  The Cyber Kill Chain comprises seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command &amp; Control  (C2) and Actions on Objectives.</p>
<p>It is important to remember that the Cyber Kill Chain does not describe a <i>defence</i> methodology, rather it breaks down the steps an <i>attacker</i> will take in order to compromise a target.  This view of an attack as a chain of related actions, rather than discrete incidents, is key to understanding how to frustrate, disrupt or evade persistent attempts at intrusion. Offense must inform defence, where the goal is to terminate an attacker&#8217;s ability to continue or complete the assault.<br />
<span id="more-3862"></span></p>
<p>An active defence against targeted attacks relies on using the strengths of the attacker against them. While there is a marked asymmetry between agile attackers with no need to respect legal niceties and heavily armoured targets obliged to play by the rules, an on-going analysis of attacks as campaigns, across all phases, will identify key indicators and repetitions. These markers enable a defender to move the point of reaction from the passive post-exploitation phase to the more proactive Weaponization and Delivery, or even Reconnaissance phases.</p>
<p>The key to success is the analysis and correlation of large volumes of attack data. Identification of patterns means that subsequent attacks, which reveal new attack indicators, can be used to upgrade defences and mitigations. Where an initial compromise may be detected due to the presence of command and control traffic on the victim network, or by a post-compromise anti-malware detection, analysis and actionable intelligence will enable the development of more proactive measures. Infrastructure or exploits leveraged by attackers in one intrusion are often reused in later stages of an APT campaign or against other victim organisations. Attack modelling may reveal the exploit used for installation, allowing for vulnerabilities to be patched and Intrusion Prevention technologies to be updated. The subsequent identification of attack traffic at the delivery stage will allow for the updating of ACLs, firewalls and other blocking technologies, evolving the organisation&#8217;s defences from late-stage to early-stage detection and mitigation.</p>
<p>The recent attacks on several Korean companies offer a powerful example of this method of defence. On March 19, we saw the first indications of this attack. South Korean organisations received a spam message that contained a malicious attachment. The attachment downloaded nine files from several different URLs; to hide the malicious routines, a fake website was shown.</p>
<p>It was at this stage that we were able to protect our customers by analysing the malicious attachment in an attack synthesis environment. Deep Discovery executed the attachment in a sandbox and generated a list of URLs to be blocked, which was used to disrupt the effectiveness of these attacks immediately. The combination of actionable intelligence provided by Deep Discovery and decisive actions by IT administrators ensured that this attack was ultimately unsuccessful against those organisations.</p>
<p>The key to success is the ability to gather and analyse large volumes of attack data globally, across industry verticals. IP addresses, protocol anomalies, email addresses, vulnerabilities, encryption algorithms, file identifiers and more must all be collected and correlated in a continual effort of attack synthesis, <i>even when the attack itself has been successfully blocked</i>.  Synthesis of attackers&#8217; tools and intentions, even in a successfully mitigated attempt, will often reveal further intelligence that may inform future defence.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/frustrate-disrupt-evade/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Perspective Matters: Contextual Security</title>
		<link>http://countermeasures.trendmicro.eu/perspective-matters-contextual-security/</link>
		<comments>http://countermeasures.trendmicro.eu/perspective-matters-contextual-security/#comments</comments>
		<pubDate>Tue, 26 Mar 2013 14:28:47 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[countermeasures]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3851</guid>
		<description><![CDATA[Time was when one of the key things that a security technology had to avoid, was initiating an avalanche of event notifications. Tuning technologies to only alert when something Very Certain™ and Very Bad™ had happened was the order of the day. Your firewall had to be absolutely certain that those inbound packets were not [...]]]></description>
				<content:encoded><![CDATA[<div class="wp-caption alignleft" style="width: 273px"><img alt="" src="http://farm6.staticflickr.com/5147/5756097432_d37bc9ec8a.jpg" width="263" height="350" /><p class="wp-caption-text">Photo by Phil_Parker by permission.</p></div>
<p>Time was when one of the key things that a security technology had to avoid, was initiating an avalanche of event notifications. Tuning technologies to only alert when something Very Certain™ and Very Bad™ had happened was the order of the day. Your firewall had to be absolutely certain that those inbound packets were not part of an established network flow or your Intrusion Prevention System needed to be able to state categorically that those packets contained an exploit attempt, before they raised an alert.</p>
<p>In the twentieth century and even into the beginning of the twenty-first we were in the habit of consulting our defences in isolation; the firewall tells me everything is ok, the IPS tells me everything is ok, the anti-malware tells me everything is clean; so everything is ok, right? Wrong. This myopic approach to security is one of the factors currently contributing to the success of targeted attacks around the world.</p>
<p><span id="more-3851"></span></p>
<p>In reality, the old adage of not being able to see the wood for the trees has never been truer. We focus too much on the “known-bad”, disposing of the “normal” in the interest of a more streamlined and focussed analysis process, but we ignore the context at our peril.</p>
<p>Picture this; a security camera in the corridor outside your server room spies a person, let’s call him Dave. Using both gait recognition and facial geometry Dave’s identity is confirmed, the system even notes that he is wearing a cleaner’s uniform, which is good because Dave is a cleaner. Dave approaches the door to the server room and presents his NFC card to the door lock, which opens because the security camera and door security talk to one another. A second camera, inside the server room, confirms that it is indeed Dave that has walked through the door and everything is fine.</p>
<p>Under the myopic model, all these events are deprecated and filed away in a soon-to-be-purged log of “Nothing To See Here”; however, the context offered by these sorts of run-of-the-mill events is invaluable, as we are about to see…</p>
<p>Dave, in the server room, instead of cleaning the floor deviates from known good behaviour. He sits down at a server and begins tapping away on the keyboard. This is clearly Not A Good Thing and should be ringing alarm bells somewhere. But if we strip out all the context that our clever brains remembered and correlated, what are we left with? A person in the server room using a computer. Stand down the SWAT team, this event is surely also destined for the “Nothing To See Here” folder.</p>
<p>In the age of targeted attacks, the rules for security event monitoring have also changed. Unless we begin to take advantage of the opportunities afforded by big data management and event correlation; unless we begin to augment the information made available to our Security Information and Event Management systems, then highly targeted attacks will continue to pass unnoticed. Attackers make use of legitimate user credentials and trusted relationships in order to maintain a presence at the heart of your most sensitive networks over a prolonged period of time, passing with impunity through your discrete security technologies.</p>
<p>Unless you learn to take two steps back and appreciate the view, you’ll only ever see the trees. Context is king.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/perspective-matters-contextual-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Android Malware, believe the hype.</title>
		<link>http://countermeasures.trendmicro.eu/android-malware-believe-the-hype/</link>
		<comments>http://countermeasures.trendmicro.eu/android-malware-believe-the-hype/#comments</comments>
		<pubDate>Fri, 08 Mar 2013 11:55:17 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[countermeasures]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Mobile threats]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[more]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3772</guid>
		<description><![CDATA[&#8230;or &#8220;Just how much Android malware is there anyway?&#8221; The security industry has an embarrassing problem. For several years it became a matter of course for the big names in security to warn annually that &#8216;next year&#8217; was to be the year of mobile malware. &#8220;Look out&#8221;, we said, &#8220;mobile malware, it&#8217;s coming&#8230;&#8221;; but it [...]]]></description>
				<content:encoded><![CDATA[<p><strong>&#8230;or &#8220;Just how much Android malware is there anyway?&#8221;</strong></p>
<div class="wp-caption aligncenter" style="width: 510px"><img alt="" src="http://farm7.staticflickr.com/6035/6369804665_2b3df1ca1e.jpg" width="500" height="333" /><p class="wp-caption-text">Mobile malware can no longer be ignored!</p></div>
<p>The security industry has an embarrassing problem. For several years it became a matter of course for the big names in security to warn annually that &#8216;next year&#8217; was to be the year of mobile malware. &#8220;<em>Look out</em>&#8221;, we said, &#8220;<em>mobile malware, it&#8217;s coming&#8230;</em>&#8221;; but it never did. It remained elusively over the threat horizon. In reality, every year since <a title="Trend Micro Threat Encyclopedia" href="http://about-threats.trendmicro.com/us/archive/malware/SYMBOS_CABIR.A" target="_blank">Cabir</a> in 2004 we have seen appearances and developments in mobile malware (originally for Symbian, J2ME and Windows CE) but it simply never reached critical mass or moved beyond the mischievous.</p>
<p><span id="more-3772"></span></p>
<p>Now that the problem is well and truly here (the last two years have both been called &#8220;<a title="2012: The year of mobile malware" href="http://www.itworld.com/it-managementstrategy/225185/2012-year-mobile-malware" target="_blank">the year of mobile malware</a>&#8221; at <a title="2011 is the Year of Mobile Malware" href="http://www.pcworld.com/article/244383/report_2011_is_the_year_of_mobile_malware.html" target="_blank">several points</a>) we have a problem persuading the world at large that we are not crying &#8220;Wolf!&#8221; yet again. There is a distinct scepticism paired with a strong belief that the security industry may be selling a solution to a problem that doesn&#8217;t exist, or if it does then it only exists in far off countries and little used app stores. So, in the interest of clarity, here are a few numbers that hopefully will go some way towards putting that scepticism to bed, once and for all.</p>
<p>Trend Micro&#8217;s <a title="Mobile App Reputation Services" href="http://www.trendmicro.co.uk/media/ds/mobile-app-reputation-service-datasheet-en.pdf">Mobile App Reputation Services [PDF]</a> proactively sources and analyses Android apps from around the world. We give them reputation scores in three discrete areas: Maliciousness, Resource Utilisation and Privacy. Here are the numbers, hot off the presses this 8th March 2013; bear in mind these numbers change every minute, upwards&#8230;</p>
<p>We have thus far analysed more than 2 million apps, a not inconsiderable sample size when you consider that the entire Google Play offering is <a title="App Wars: Google Play Is Starting To Catch Up With Apple’s App Store" href="http://www.technobuffalo.com/2013/02/06/app-store-google-play-ios-android/" target="_blank">around 700,000 apps</a>, and here&#8217;s the brutal truth.</p>
<ul>
<li><strong>293,091 Apps classified as outright malicious</strong> and a further <strong>150,203 classified as high risk</strong>. It took Microsoft Windows 14 years to attract this volume of malicious code!</li>
<li>Of those 293,091 malicious apps, <strong>68,740 were sourced directly from Google Play</strong>. It&#8217;s not just Chinese and Russian app stores.</li>
<li><strong>22% of apps were found to inappropriately leak user data</strong>, over the network, SMS or telephone. The leaked data most often includes IMEI, ICCID, Contact data and telephone number. A few apps were even found to leak data using the microphone and camera (along with several other kinds of private data).</li>
<li>In addition, 32% of apps were classified as &#8220;Poor&#8221; in terms of battery usage, 24% &#8220;Poor&#8221; for network usage and 28% for memory usage.</li>
</ul>
<p>It&#8217;s no surprise that <a title="BlackBerry taps Trend Micro to scan apps for malware" href="http://news.cnet.com/8301-1035_3-57567628-94/blackberry-taps-trend-micro-to-scan-apps-for-malware/" target="_blank">BlackBerry have opted to integrate our Mobile App Reputation Service</a> in their BlackBerry World, stopping those malicious apps from ever reaching their customers. It would be heartening to see more app stores taking the safety of their customers so seriously.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/android-malware-believe-the-hype/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>New bracelets for ransomware kingpin</title>
		<link>http://countermeasures.trendmicro.eu/new-bracelets-for-ransomware-kingpin/</link>
		<comments>http://countermeasures.trendmicro.eu/new-bracelets-for-ransomware-kingpin/#comments</comments>
		<pubDate>Wed, 13 Feb 2013 19:33:12 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Bad guys always lose]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[Rogue AV]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3756</guid>
		<description><![CDATA[I&#8217;m happy to say that, as a result of close cooperation between Trend Micro threat research and Spanish law enforcement a number of important arrests have been made in connection with the Reveton ransomware. The Spanish police announcement can be found here [Spanish]. Over the past several months Trend Micro researchers have been providing evidence [...]]]></description>
				<content:encoded><![CDATA[<div class="wp-caption alignleft" style="width: 360px"><img style="border: 0px none; margin: 0px;" alt="" src="http://farm9.staticflickr.com/8010/7606416730_26cb8b5536.jpg" width="350" height="263" /><p class="wp-caption-text">Image courtesy of .v1ctor. on Flickr</p></div>
<p>I&#8217;m happy to say that, as a result of close cooperation between Trend Micro threat research and Spanish law enforcement <a title="Key Figure in Police Ransomware Activity Nabbed" href="http://blog.trendmicro.com/trendlabs-security-intelligence/key-figure-in-police-ransomware-activity-nabbed-2/" target="_blank">a number of important arrests have been made</a> in connection with the Reveton ransomware. The Spanish police announcement can be found <a title="Golpe policial a una de las mayores redes cibercriminales especializada en infectar millones de ordenadores de todo el mundo" href="http://www.interior.gob.es/press/golpe-policial-a-una-de-las-mayores-redes-cibercriminales-especializada-en-infectar-millones-de-ordenadores-de-todo-el-mundo-14802" target="_blank">here [Spanish]</a>.</p>
<p>Over the past several months Trend Micro researchers have been providing evidence and intelligence related to the <strong>Reveton</strong> ransomware or &#8220;police trojan&#8221;. Law enforcement in Spain first became interested in this malware as a result of complaints they were receiving from victims of the scam. Trend Micro and Spanish law enforcement agencies have collaborated extremely closely; sharing intelligence, sharing samples and related technical detail. As a direct result of activities carried out by Trend Micro threat research, they were able to map the criminal network infrastructure including traffic redirection and command and control servers. Some of the intelligence gathered by law enforcement enabled them to reach a high degree of certainty of the identity of one of the individuals at the very top of this criminal gang.<br />
<span id="more-3756"></span></p>
<p>That intelligence has directly contributed to the arrest of at least 11 individuals. One of those arrested is a 27-year-old man believed to be one of the head members of the cybercriminal gang that produces the ransomware strain we know as Reveton. The arrest of this cybercriminal of Russian origin happened in Dubai, United Arab Emirates, and extradition to Spain is being worked on in order to bring him to justice. Along with the arrest of the criminal, this operation involved taking down the part of the gang in charge of the monetization of the PaySafeCard/UKash vouchers received as payment in the scam. The gang had a branch in Spain that exchanged these vouchers and converted them into real money, which would then be sent to the main gang in Russia. 10 of those arrested are believed to have been involved in this money laundering activity; 6 of them are Russian, 2 Ukrainian and 2 Georgian, and all of them were based in Spain. Police estimate that this single group was laundering more than €1.000.000 in a single year.</p>
<p>This coordinated activity (in much the same way as the Trend Micro/FBI action against the DNS Changer gang last year), leading directly to the arrest of individuals believed to be actively engaged in cybercrime rather than simply taking down associated infrastructure, should serve as a model for how the security industry and law enforcement can effectively cooperate in the fight against online crime.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/new-bracelets-for-ransomware-kingpin/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WhatsApp in violation of privacy law.</title>
		<link>http://countermeasures.trendmicro.eu/whatsapp-in-violation-of-privacy-law/</link>
		<comments>http://countermeasures.trendmicro.eu/whatsapp-in-violation-of-privacy-law/#comments</comments>
		<pubDate>Tue, 05 Feb 2013 12:29:12 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Mobile threats]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Instant Messaging]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[telephone]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3743</guid>
		<description><![CDATA[WhatsApp Inc. the company behind the hugely successful cross (mobile) platform messaging app have been hauled over the coals subsequent to a joint investigation by the Dutch Data Protection Authority and The Office of the Privacy Commissioner of Canada. Their joint news release from the 28th January finds that WhatsApp is guilty of &#8220;violating certain [...]]]></description>
				<content:encoded><![CDATA[<div id="attachment_3744" class="wp-caption alignleft" style="width: 290px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2013/02/WAC.jpg"><img class=" wp-image-3744 " style="border: 0px currentColor;" alt="Some very sensitive communications " src="http://countermeasures.trendmicro.eu/wp-content/uploads/2013/02/WAC-400x628.jpg" width="280" height="440" /></a><p class="wp-caption-text">Some very sensitive communications happen over WhatsApp</p></div>
<p><a title="WhatsApp Inc." href="http://www.whatsapp.com" target="_blank">WhatsApp Inc.</a>, the company behind the hugely successful cross (mobile) platform messaging app, have been hauled over the coals subsequent to a joint investigation by the Dutch Data Protection Authority and The Office of the Privacy Commissioner of Canada. Their <a title="WhatsApp’s violation of privacy law partly resolved after investigation by data protection authorities" href="http://www.cbpweb.nl/downloads_pb/pb_20130128-whatsapp-opc-cbp-newsrelease-en.pdf" target="_blank">joint news release</a> from the 28th January finds that WhatsApp is guilty of</p>
<blockquote><p>&#8220;<em><strong>violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data</strong></em>&#8221;.</p></blockquote>
<p>These findings reinforce the <a title="Apps as Browsers: Can You Trust Your Mobile Apps?" href="http://blog.trendmicro.com/trendlabs-security-intelligence/apps-as-browsers-can-you-trust-your-mobile-apps/" target="_blank">conclusions that David Sancho came to last year</a> when researching the security of mobile apps, and also the conclusions of a recently released <a title="2012 Most Trusted Companies for Privacy" href="http://www.ponemon.org/local/upload/file/2012%20MTC%20Report%20FINAL.pdf" target="_blank">Ponemon study</a> into data privacy.</p>
<p>The investigation ran over several months and resulted in three key findings; two of the issues have already been substantially resolved by WhatsApp Inc., but a third remains outstanding.<br />
<span id="more-3743"></span></p>
<p>The two issues which WhatsApp Inc. have already taken steps to resolve hinge on the security of their internet communications. The investigating organisations found that all messages sent using WhatsApp were sent unencrypted, meaning that it was trivial to intercept private communications. These communications can often contain not only text based messages, but also images, sound, video and location information. In September 2012, in partial response to the investigation, WhatsApp introduced encryption to its communications.</p>
<p>On a related point, the investigation also found that WhatsApp was using a weak methodology when generating &#8220;passwords for message exchanges&#8221;. In essence the identity of the message sender was being asserted using either the MAC address or IMEI number of the sending device. The investigation (rightly) concluded, as this information could be relatively easily exposed or stolen, that it was unreliable as an authentication mechanism and that spoofing the sender of a WhatsApp communication was too simple. Since this finding, WhatsApp Inc. have improved the technology behind message sender authentication and now use randomly generated keys for signing.</p>
<p>To benefit from both of these important security enhancements, users of WhatsApp, whether active or not, are strongly encouraged to make sure that they are running the latest version.</p>
<p>Finally the investigation concluded that WhatsApp Inc. were not being transparent enough in how they handle their users&#8217; address books. In order to populate the WhatsApp address book on the user device, and to identify new users as they sign up for the service, once the user gives consent the entire address book from a customer device is uploaded to WhatsApp Inc&#8217;s servers. This step is a prerequisite to use the service on every mobile platform with the exception of Apple&#8217;s iPhone running iOS 6, where users have the option of adding contacts manually. In addition, rather than deleting the uploaded data once it has been processed, it is retained in hashed form, in order to help WhatsApp identify new users as they sign up for the service.</p>
<p>The retention of data in this way contravenes Canadian, Dutch and European data protection legislation, which states that data should only be retained for as long as is necessary for the fulfilment of an identified purpose. This last issue has yet to be fully resolved by WhatsApp Inc.</p>
<p>Dutch authorities have warned that they will continue to monitor WhatsApp Inc&#8217;s progress on this issue and may enforce sanctions if required.</p>
<p>This joint investigation by sovereign data protection agencies is a very welcome global first. As communication becomes more cross-jurisdictional and cross-border and services continue their inexorable march to the cloud and the mobile platform, regular users need to know that there are investigative bodies, with real teeth, whom they can approach in the case of privacy concerns and who will effectively collaborate to reach a successful conclusion.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/whatsapp-in-violation-of-privacy-law/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>US Energy Department next victim of Targeted Attack</title>
		<link>http://countermeasures.trendmicro.eu/us-energy-department-next-victim-of-targeted-attack/</link>
		<comments>http://countermeasures.trendmicro.eu/us-energy-department-next-victim-of-targeted-attack/#comments</comments>
		<pubDate>Mon, 04 Feb 2013 16:42:54 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[espionage]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3736</guid>
		<description><![CDATA[In the wake of last week&#8217;s confirmed attacks against The New York Times, Wall Street Journal and Washington Post comes a shocking new revelation that the US Energy Department, home to the National Nuclear Security Administration which looks after America&#8217;s nuclear arsenal has also fallen victim to compromise. According to a report in the Washington [...]]]></description>
				<content:encoded><![CDATA[<div class="wp-caption alignright" style="width: 360px"><img style="border: 0px currentColor;" alt="" src="http://farm4.staticflickr.com/3051/2681013559_0395c68325.jpg" width="350" height="277" /><p class="wp-caption-text">Image courtesy of IndigoValley on Flickr</p></div>
<p>In the wake of last week&#8217;s confirmed attacks against The New York Times, Wall Street Journal and Washington Post comes a shocking new revelation that the US Energy Department, home to the National Nuclear Security Administration, which looks after America&#8217;s nuclear arsenal, has also fallen victim to compromise.</p>
<p>According to a report in the <a title="Cyber Breach" href="http://freebeacon.com/cyber-breach/" target="_blank">Washington Free Beacon</a>, officials have confirmed that 14 servers and 20 workstations were compromised during the attack.<br />
<span id="more-3736"></span></p>
<p>At this early stage, when so few details of the attack have been released officially, it&#8217;s difficult to come to any firm conclusions, but the details we have so far are already very concerning. The report in the Washington Free Beacon states &#8220;<em>They believe the sophisticated penetration attack was not limited to stealing personal information. There are indications the attackers had other motives, possibly including plans to gain future access to classified and other sensitive information</em>.&#8221; While stating that no classified information was accessed during the attack, it has been confirmed that personal information on hundreds of employees was accessed.</p>
<p>If the intent was espionage-related, as seems the most likely case, then it is unlikely that the attackers will give up due to the failure of one attack; <a title="LuckyCat Redux" href="http://blog.trendmicro.com/trendlabs-security-intelligence/luckycat-redux-inside-an-apt-campaign/" target="_blank">modern attacks of this nature are run more as a campaign</a> than as individual attacks. Even if no classified data was accessed (while it is &#8220;still under investigation&#8221; I have my doubts on how certain that conclusion can be), at a minimum the information that has already been confirmed to have been accessed will be invaluable in creating future targeted attacks against individuals working for and with the Energy Department and National Nuclear Security Administration, which remain very high profile targets.</p>
<p>Nation-states have always invested in cutting edge technology for the purposes of international espionage and continue to do so; this should come as no surprise. Governments and corporations alike owe it to their employees and to their citizens to apply similar cutting-edge technology to encrypt sensitive data and monitor critical networks for suspicious behaviour in real-time. It should not be a simple exercise to breach such a high risk organisation.</p>
<p>The stories around the intrusions at those high-profile newspapers have zoomed in on how the installed anti-virus solution at the victim organisation did not flag up the malicious files used by the attacker and that is part of the problem. Organisations continue to rely on single layers of security, often designed to solve a completely different problem, when faced with an advanced targeted attack.</p>
<p>Measuring the effectiveness of traditional anti-virus technology by its ability to detect customised targeted attacks is as useful as measuring the effectiveness of a hammer in removing a screw. It&#8217;s simply the wrong tool for the job. If an attacker can&#8217;t bypass your antivirus then his &#8220;targeting&#8221; is woefully inadequate. Security fit for today&#8217;s threat landscape needs to operate more on the assumption that &#8220;breach will happen&#8221; and on the ability to provide real-time, actionable information as soon as it does. This allows the victim to rapidly contain and remediate.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/us-energy-department-next-victim-of-targeted-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook Graph Search – What it means for you.</title>
		<link>http://countermeasures.trendmicro.eu/facebook-graph-search-what-it-means-for-you/</link>
		<comments>http://countermeasures.trendmicro.eu/facebook-graph-search-what-it-means-for-you/#comments</comments>
		<pubDate>Wed, 16 Jan 2013 16:38:01 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3718</guid>
		<description><![CDATA[On Tuesday morning Facebook announced the imminent launch of Graph Search, a natural language search platform allowing you to query the mind-bogglingly vast amounts of data that have been &#8220;shared with you&#8221; on the social network. Of course in the context of Facebook &#8220;shared with you&#8221; means &#8220;stuff you can see&#8221; whether shared directly with [...]]]></description>
				<content:encoded><![CDATA[<div class="wp-caption alignleft" style="width: 360px"><img class=" " style="border: 0px currentColor;" alt="" src="http://farm5.staticflickr.com/4044/4545786174_8c13ebcfe3.jpg" width="350" height="242" /><p class="wp-caption-text">These photos? No, these are not my photos.</p></div>
<p>On Tuesday morning Facebook announced the imminent launch of <a href="https://www.facebook.com/about/graphsearch" target="_blank">Graph Search</a>, a natural language search platform allowing you to query the mind-bogglingly vast amounts of data that have been &#8220;shared with you&#8221; on the social network.</p>
<p>Of course in the context of Facebook &#8220;shared with you&#8221; means &#8220;stuff you can see&#8221; whether shared directly with you or just inadequately protected, as is most often the case. In the vast majority of cases you would never see all the data which is actually visible to you on Facebook, sometimes because Facebook tries to anticipate what you will find interesting and edits your News Feed accordingly, but mostly because you simply don&#8217;t know it&#8217;s there. Graph Search is set to change all that!<br />
<span id="more-3718"></span></p>
<p>Natural language queries, for example &#8220;<em>People who like Llamas and live in Kentucky</em>&#8221; or &#8220;<em>Anarchists who still live with their mum</em>&#8221; will almost certainly turn up data you would never otherwise have seen.</p>
<p>Data which is visible to you includes of course information shared directly with you by your friends, but also information shared by friends of friends, information shared with a restricted audience but where one of your friends has been tagged and anything shared publicly. &#8220;Information&#8221; covers literally everything that Facebook users have entered into their profiles and timelines, status updates, check-ins, personal information, photographs, employment information, personal preferences, the works.</p>
<p>Think about it this way: if a Facebook user takes a photo and makes it public, and you get tagged in that photo, then anyone searching for photos of that location will be able to see that picture and your association with it. If you liked the look of a stranger you saw in a bar recently then maybe &#8220;<em>Women in Rothera who drink in the Dog &amp; Corset</em>&#8221; will help you track down the object of your affections, and all this without ever having to speak to her.</p>
<p>There are some steps you can take to lock down your personal information and how widely information about you is shared before Graph Search is introduced. Now is the time to review your Facebook privacy settings; you may be surprised to learn that the layout and available options have changed yet again.</p>
<p><a title="Facebook Privacy settings" href="https://www.facebook.com/settings?tab=privacy" target="_blank">Click this link</a>, which will take you to your Facebook <strong>Privacy Settings</strong> (if you are logged in). Make sure that you have restricted the visibility of future posts to your preferences; I would recommend a minimum of &#8220;Friends&#8221;. Then use the <strong>Activity Log</strong> to review all of the posts and other things in which you have been tagged, removing any tags you wish. Once that&#8217;s done, use the <strong>Who can look me up?</strong> section to control how visible your personal information and profile are. I would heartily recommend disallowing search engines from linking to your timeline and allowing only Friends to look up your profile.</p>
<p>Now click on the <strong>Timeline and Tagging</strong> section over on the left. Use this section to restrict who can post on your timeline. It is also advisable to enable reviewing of posts you are tagged in before they appear on your timeline. Remember though, these posts will still show up elsewhere, whether you allow them on your own timeline or not. In the section <strong>Who can see things on my timeline?</strong> there are a couple of really critical options that only become visible if you dig a little deeper. In <strong>Who can see posts you&#8217;ve been tagged in on your timeline?</strong> choose <strong>Custom</strong> and you will notice that as well as restricting the content to Friends only, you can also restrict certain people or lists from seeing that content if necessary.</p>
<p>Perhaps most importantly, hidden away in <strong>Who can see what others post on your timeline?</strong>, again if you choose the <strong>Custom</strong> option, is a very handy little checkbox. By default, any tagged content is being shared not only with you and your friends, but also with ALL <strong>Friends of those tagged</strong>. You can pretty much guarantee there will be a lot of people that you don&#8217;t know looking at those photos. Yes, those photos. Uncheck that box.</p>
<p>In the bottom section is the rather ambiguous sounding <strong>When you&#8217;re tagged in a post, who do you want to add to the audience if they aren&#8217;t already in it?</strong> Do you want all of your friends to automatically see any post in which you are tagged? Normally I&#8217;m guessing not. Set this option to &#8220;<strong>Only me</strong>&#8221;.</p>
<p>Finally, on your own Facebook profile page, click the &#8220;<strong>Likes</strong>&#8221; box, click the &#8220;<strong>Edit</strong>&#8221; button and set each section to &#8220;<strong>Only me</strong>&#8221;.</p>
<p>Of course Facebook are only doing this to allow more of us to find the things we are actually looking for, but sometimes the things that someone is looking for are not the same as the things that you want them to know. If you remove the context, you remove yourself from the search results.</p>
<p>Image credit: daniellehelm on Flickr</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/facebook-graph-search-what-it-means-for-you/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Are Instagram users dumb f*cks too?</title>
		<link>http://countermeasures.trendmicro.eu/are-instagram-users-dumb-fcks-too/</link>
		<comments>http://countermeasures.trendmicro.eu/are-instagram-users-dumb-fcks-too/#comments</comments>
		<pubDate>Tue, 18 Dec 2012 13:24:15 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3698</guid>
		<description><![CDATA[UPDATE 19th Dec: Instagram co-founder Kevin Systrom posted a blog last night pledging to reword the offending policies. My original blog post follows. Just over two years ago, in May 2010, Mark Zuckerberg was accused of calling his first few thousand users &#8220;dumb f*cks&#8221; for the trust they placed in him (before you ask why I [...]]]></description>
				<content:encoded><![CDATA[<div id="attachment_3699" class="wp-caption alignleft" style="width: 330px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2012/12/word-suicide-note.jpg"><img class=" wp-image-3699 " style="margin: 0px; border: 0px currentColor;" title="Instagram's Suicide Note" alt="Instagram's Suicide Note" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2012/12/word-suicide-note-400x327.jpg" width="320" height="262" /></a><p class="wp-caption-text">Instagram&#8217;s Suicide Note</p></div>
<p><strong>UPDATE 19th Dec: Instagram co-founder Kevin Systrom <a title="Thank you, and we're listening - Instagram blog" href="http://blog.instagram.com/post/38252135408/thank-you-and-were-listening" target="_blank">posted a blog</a> last night pledging to reword the offending policies. My original blog post follows.</strong></p>
<p>Just over two years ago, in May 2010, Mark Zuckerberg was <a title="Facebook founder called trusting users dumb f*cks" href="http://www.theregister.co.uk/2010/05/14/facebook_trust_dumb/" target="_blank">accused of calling his first few thousand users &#8220;dumb f*cks&#8221;</a> for the trust they placed in him (before you ask why I censor this, my nine-year-old boy reads this stuff sometimes). It seems that perhaps someone else in the corporate machine that is now Facebook could be hoping for similar from their <a title="Facebook seals Instagram buyout for roughly $715m" href="http://www.theregister.co.uk/2012/09/07/facebook_instagram_deal_done/" target="_blank">recently acquired</a> Instagram user base.</p>
<p>Last night Instagram announced a change to its <a title="Updated Privacy Policy" href="http://instagram.com/about/legal/privacy/updated/" target="_blank">Privacy Policy</a> and <a title="Terms of Use - Instagram" href="http://instagram.com/about/legal/terms/updated/" target="_blank">Terms of Use</a> agreements that essentially gives it the right to share any photo posted publicly by any user, for any purpose. Instagram reserve the right to profit financially from the sale of such photos and make it very clear that the originator of the work will receive no compensation whatsoever. They further clarify that none of the content you provide to them is under any obligation of confidentiality.<br />
<span id="more-3698"></span></p>
<p>The agreement says that Instagram will have:</p>
<blockquote><p>&#8220;<em>a non-exclusive, fully paid and royalty-free, worldwide, limited license to use, modify, delete from, add to, publicly perform, publicly display, reproduce and translate such Content, including without limitation distributing part or all of the Site in any media formats through any media channels</em>&#8221;</p></blockquote>
<p>In the original Terms of Use, this paragraph ended with &#8220;<em>except Content not shared publicly (&#8220;private&#8221;) will not be distributed outside the Instagram Services</em>.&#8221; That sentence is ominously no longer present&#8230;</p>
<p>They claim the further right&#8230;</p>
<p>&#8220;<em>you agree that a business or other entity may pay us to display your username, likeness, photos (along with any associated metadata), and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you</em>&#8221;</p>
<p>And to make sure they&#8217;re covered for any minors using the service, those minors are informed that&#8230;</p>
<p>&#8220;<em>If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to this provision</em>&#8221;</p>
<p>and finally, just in case you didn&#8217;t get the point (my emphasis):</p>
<p>&#8220;<em><strong>None</strong> of your Content will be subject to any obligation of confidence on the part of Instagram, and Instagram will not be liable for any use or disclosure of any Content you provide</em>&#8221;</p>
<p>If you carry on using the service after 16th January 2013, you will be subject to these new terms.</p>
<p>I deleted every one of my photos individually today and closed my account. If a web site or service presents you with terms of use that are personally unacceptable, it is the only sensible course of action. After the recent <a title="InstaSpam scammers." href="http://countermeasures.trendmicro.eu/instaspam-scammers-continue-to-target-social-media/">furore around InstaSpam</a> on the service, I doubt that I will be the only one seeking a preferable platform.</p>
<p>Arguably, Facebook has reached a critical mass whereby it can get away with almost anything, including asking its members to <a title="Facebook T&amp;Cs vote falls 299.5 million short of quorum" href="http://www.theregister.co.uk/2012/12/10/facebook_vote_ends/" target="_blank">vote away their voting rights</a>. Instagram, on the other hand, has not.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/are-instagram-users-dumb-fcks-too/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Triskaidekaphobia? Predictions for 2013</title>
		<link>http://countermeasures.trendmicro.eu/triskaidekaphobia-predictions-for-2013/</link>
		<comments>http://countermeasures.trendmicro.eu/triskaidekaphobia-predictions-for-2013/#comments</comments>
		<pubDate>Thu, 13 Dec 2012 14:00:40 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Mobile threats]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3683</guid>
		<description><![CDATA[It’s that time of year again; snow thick on the ground, mistletoe in my back pocket, mulled wine to warm your hands and of course security predictions for 2013. Trend Micro today released Security Threats to Business, the Digital Lifestyle, and the Cloud, our security predictions for 2013 and beyond. At first glance, the headline [...]]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2012/12/HNY.jpg"><img class="aligncenter  wp-image-3690" title="Happy New Year?" alt="Happy New Year?" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2012/12/HNY-400x180.jpg" width="400" height="180" /></a>It’s that time of year again; snow thick on the ground, mistletoe in my back pocket, mulled wine to warm your hands and of course security predictions for 2013.</p>
<p>Trend Micro today released <a title="Trend Micro predictions for 2013 and beyond (PDF)" href="http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf" target="_blank">Security Threats to Business, the Digital Lifestyle, and the Cloud</a>, our security predictions for 2013 and beyond. At first glance, the headline prediction may sound surprising; the volume of malicious and high-risk Android apps will hit 1 million in 2013. However, when you consider that our prediction for total Android malware by the end of 2012 has been constantly revised up throughout the year and now stands at over a quarter of a million, maybe it no longer sounds so fanciful.<br />
<span id="more-3683"></span></p>
<p>The predictions paper proposes 10 provocative prognostications in all: some serious horizon scanning, focussing on technology trends and lifestyle shifts, that makes for very interesting reading. But I wanted to offer you a few predictions of my own.</p>
<p>There has certainly been some headline-grabbing malware this year, notably Flame, Gauss and their ilk. Although each of these in isolation could hardly be classified as the biggest threat of 2012, the direction and momentum they represent is certainly alarming. 2012 will certainly go down as the year when we had proof positive that nations and governments are alive to the military possibilities afforded by digital covert operations, and arguably they have already been used to breach both the Geneva Conventions and International Humanitarian Law. That&#8217;s a big deal, the implications of which I believe will only become clear with hindsight.</p>
<ul style="text-align: left;">
<li><strong>Multi-platform exploit kits</strong> will surface; these kits will include drive-bys for mobile. This is based on the fact that Blackhole Exploit Kit is already collecting stats for Win8 and mobile OSs. Drive-bys for mobile will be a massive game-changer in the world of mobile malware.</li>
<li><strong>Malicious attachment renaissance</strong> - Recent research from Trend Micro found that some 91% of targeted attacks came in the form of spear-phishing emails, of which 96% used malicious attachments. Expect a renaissance of email attachment attacks, an area of defence that has perhaps been left to languish in recent years.</li>
<li><strong>Sandbox avoidance techniques</strong> - Innovations in security technology mean that attackers will have to spend more time developing techniques to evade automated sandbox analysis. Suicide as a tactic no longer works.</li>
<li><strong>Advanced custom malware – Commoditised</strong> - Combine rapid incorporation of 0-day exploits into exploit kits, the exploit kit market growth, custom ATS scripts and new features in Blackhole, and you have the beginnings of a commodity market for advanced custom malware; it&#8217;s the next evolution. Just as advertising becomes more personalised, so does everything else, including cybercrime.</li>
<li><strong>More 3rd party app stores, more mobile, more social, more risk</strong> - Because MOAR!!! Every device and every service is becoming so deeply interlinked with every other and with the cloud that no computing environment is discrete any longer. Changes and insecurities in any part of the user experience chain can and do have amplified effects elsewhere.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/triskaidekaphobia-predictions-for-2013/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>
