Cybercriminals shift focus to bank employees

Security experts say fighting financial breaches will take both training and technology.

Cybercriminals are shifting their focus from the bank customer to the bank employee.

That is according to the FBI, which issued a warning earlier this week that the latest trend among cybercriminals is to harvest employee login credentials using spam and phishing emails, keystroke loggers and remote access Trojans (RATs).

And the best way to fight it? That leads to the ongoing debate over training vs. technology. While most security experts say both are necessary, and the FBI provides a list of training recommendations and policy protocols to keep employees from giving up the keys to the financial kingdom, some experts like George Tubin, senior security strategist for Trusteer, say improved technology is the only effective solution.

“Part of the solution is training,” he said. “But we’ve been talking about this for so long, trying to educate customers and employees. It has become one of those battles I don’t think we’re going to win.”

“Some of the ploys are so good they could fool almost anyone — very sophisticated schemes like web injections and email from friends that lead you to open an attachment. The real answer comes in automated technology, to make sure people don’t respond to those things,” Tubin said.

He also noted that the trend toward employees working at remote branches or at home, the BYOD (bring your own device) trend and being allowed to surf the web off the corporate network “makes them extremely vulnerable.”

Brian Berger, vice president at Wave Systems, agrees. “Users are going to be users no matter how strong the security awareness education is, so it is critical that organizations have a countermeasure in place to help mitigate threats like these,” he said. “Specifically, hardware authentication through the Trusted Platform Module (TPM) makes it so the criminals couldn’t penetrate even if the employee had a misstep.”

Kevin Flynn, a senior product manager at Fortinet, compares training to driver education for teens. “Drivers Ed may help reduce accidents but it doesn’t necessarily make teenagers safe drivers,” he said. “Security belongs in the network.”

However, Scott Greaux, vice president product management and services at PhishMe, said, “Education is an organization’s best defense against these threats but those efforts need to break away from the traditional security awareness model and employ creative and immersive education techniques such as mock phishing exercises that both improve awareness and increase retention.”

Greaux doesn’t rule out better technology as a factor. But he said the human element can heighten security in protocols. “Financial institutions should implement a mix of random and threshold-based reviews for all wire transfers,” he said. “This will add an extra layer of human interaction with transactions, making it more challenging for fraudulent transfers to go unnoticed.”

The potential damage from stolen credentials is obvious. With that information, especially if they hold the credentials of more than one employee, criminals can access the accounts of any customer. The FBI did not name any specific banks, but said that “small-to-medium sized banks or credit unions have been targeted in most of the reported incidents…”

However, the agency did say a few large banks have also been affected. In those cases, the criminals were able to conduct unauthorized wire transfers overseas. The FBI said the amounts have ranged between $400,000 and $900,000. And in at least one case, “the actor(s) raised the wire transfer limit on the customer’s account to allow for a larger transfer.”

But the damage goes beyond monetary. It is one thing for a customer to be hacked or fall for a malware scam, but Tubin said it was “totally different” for a financial institution itself to be compromised. “The damage to the reputation of a large institution could be devastating. That’s the last thing a bank needs, to be compromised.”

No matter how good the technology, the FBI recommends a number of basic precautions that financial enterprises should take. Among them: Remind employees not to open attachments or click on links in unsolicited emails; do not allow employees to access the Internet freely, or personal or work emails on the same computers used to initiate payments; do not allow employees to access administrative accounts from home computers or laptops connected to home networks; and ensure employees do not leave USB tokens in computers used to connect to payment systems.

Financial institutions should also monitor employee logins that occur outside of normal business hours; implement time-of-day login restrictions for employee accounts with access to payment systems; and restrict access to wire transfer limit settings, the FBI said.
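The controls above (Greaux’s random plus threshold-based wire reviews, and the FBI’s after-hours login monitoring, home-network restrictions and wire-limit lockdown) are easy to state but worth seeing as detection logic. The following is an added example, not code from the article, the FBI or any vendor quoted here. The event format, the business hours, the $250,000 review threshold, the internal address range and the user and account names are all assumptions made for the illustration, and the events are constructed rather than real logs.

```python
"""Added example: the FBI's and Greaux's recommendations as checks over a
constructed bank back-office event stream. Nothing here is the article's
or a vendor's code; every policy value below is an assumption."""
import ipaddress
import random
from datetime import datetime

BUSINESS_HOURS = (8, 18)         # 08:00 to 18:00 local time, Monday to Friday (assumed policy)
WIRE_REVIEW_THRESHOLD = 250_000  # wires at or above this amount always get a human review (assumed)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # the bank's own network (assumed)

PAYMENT_USERS = {"jdoe", "mpatel"}  # accounts allowed to initiate payments (hypothetical)
LIMIT_ADMINS = {"ops.admin"}        # the only accounts allowed to change wire limits (hypothetical)

# Constructed events in the shape a core-banking audit trail might emit; not real data.
# 2012-09-18 is a Tuesday, 2012-09-22 a Saturday; 203.0.113.9 is a documentation address.
SAMPLE_EVENTS = [
    {"ts": "2012-09-18T09:12:00", "type": "login", "user": "jdoe", "src": "10.1.2.3"},
    {"ts": "2012-09-18T02:47:00", "type": "login", "user": "mpatel", "src": "203.0.113.9"},
    {"ts": "2012-09-18T02:49:00", "type": "limit_change", "user": "mpatel",
     "account": "C-4411", "old": 100_000, "new": 950_000},
    {"ts": "2012-09-18T02:55:00", "type": "wire", "user": "mpatel",
     "account": "C-4411", "amount": 900_000, "dest_country": "UA"},
    {"ts": "2012-09-18T10:30:00", "type": "wire", "user": "jdoe",
     "account": "C-1020", "amount": 12_500, "dest_country": "US"},
    {"ts": "2012-09-22T11:00:00", "type": "login", "user": "jdoe", "src": "10.1.2.3"},
]


def outside_business_hours(ts: str) -> bool:
    """True on weekends or outside the configured daily window."""
    t = datetime.fromisoformat(ts)
    start, end = BUSINESS_HOURS
    return t.weekday() >= 5 or not (start <= t.hour < end)


def login_allowed(event: dict) -> bool:
    """Time-of-day restriction: payment-system accounts only during business hours."""
    if event["user"] not in PAYMENT_USERS:
        return True
    return not outside_business_hours(event["ts"])


def from_internal_network(event: dict) -> bool:
    """Home or other external networks are not allowed for payment-system accounts."""
    return ipaddress.ip_address(event["src"]) in INTERNAL_NET


def needs_manual_review(event: dict, rng: random.Random, random_rate: float) -> bool:
    """Threshold-based review for large wires, random sampling of the rest."""
    if event["amount"] >= WIRE_REVIEW_THRESHOLD:
        return True
    return rng.random() < random_rate


def analyze(events, random_rate: float = 0.1, seed: int = 0):
    """Return (alert_type, user, detail) tuples for every policy violation found."""
    rng = random.Random(seed)  # seeded so runs are reproducible; use SystemRandom in production
    alerts = []
    for e in events:
        if e["type"] == "login":
            if not login_allowed(e):
                alerts.append(("AFTER_HOURS_LOGIN", e["user"], e["ts"]))
            if e["user"] in PAYMENT_USERS and not from_internal_network(e):
                alerts.append(("EXTERNAL_LOGIN", e["user"], e["src"]))
        elif e["type"] == "limit_change" and e["user"] not in LIMIT_ADMINS:
            # The FBI case where the actor raised the limit before a large wire.
            alerts.append(("UNAUTHORIZED_LIMIT_CHANGE", e["user"], f'{e["old"]}->{e["new"]}'))
        elif e["type"] == "wire" and needs_manual_review(e, rng, random_rate):
            alerts.append(("WIRE_REVIEW", e["user"], e["amount"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the constructed stream yields the after-hours and external login, the unauthorized limit change and the $900,000 wire review, plus a sampled review of the small wire only when the random draw falls under `random_rate`. The point of the random component is that an insider or an attacker with one stolen credential cannot size a transfer to stay under every review.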

Roger Thompson, chief emerging threats researcher at ICSA Labs, doesn’t debate training vs. technology. He says both are critical: “The best way to do security is think Swiss cheese. Any given layer has lots of holes in it, but if you arrange your cheese slices in layers, they cover up each other’s holes. In other words, no one layer has to be anywhere near perfect, provided there are enough layers.”

Microsoft releases fix for Internet Explorer flaw

Security vendors mixed on severity ratings of the most recent browser vulnerability

September 20, 2012 —  Microsoft on Wednesday released a temporary fix for an Internet Explorer vulnerability affecting most versions of Windows, as security vendors debated the risk of infection by exploits found on the web.

Microsoft said the “one-click” fix would have to be installed manually, but would not require a system reboot or affect a person’s ability to browse the Web. On Sept. 21, Microsoft planned to push out a permanent patch to Windows users through the operating system’s automatic update feature.

The patch will fix the latest publicly disclosed vulnerability, as well as four other critical flaws, said Yunsun Wee, director of Microsoft’s Trustworthy Computing unit.

Security vendors disagree on the threat level of the known vulnerability discovered over the weekend. Sophos raised the level to “high,” one notch below “critical.” The flaw, in IE versions 6 through 9, enables a hacker to install software capable of commandeering a computer.

Sophos chose high for now, because an exploit for the vulnerability, known as CVE-2012-4969, had not been added to Blackhole and other popular underground tools used by hackers. “If the prevalence increases, we will likely move to critical,” said Chester Wisniewski, a senior security adviser for Sophos.

Rather than wait for more exploits of the flaw, Rapid7 and FireEye rated the vulnerability as critical and highly critical, respectively. The highest ratings were warranted because the number of exploits on the Web was growing and IE accounts for a third to more than half of the browser market. The share varies by tracking firm.

“There are many users at risk, so it’s definitely highly critical,” said Atif Mushtaq, a security researcher at FireEye.

AlienVault reported on Tuesday that it had found three booby-trapped websites capable of installing malware on visitors’ systems. The malware-carrying sites included a fake domain imitating a professional site aimed at manufacturers of LED (light-emitting diode) lighting, and the main defense news portal in India. Malware being used included the PlugX remote access Trojan program.

“It seems the guys behind this zero-day [exploit] were targeting specific industries,” Jaime Blasco, an AlienVault researcher, said in a blog post. “We’ve seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spear-phishing campaigns to those industries.”

The targeted nature of many of the attacks led nCircle to rate the vulnerability between medium and high. “We are not seeing full-on, drive-by attacks with this,” nCircle’s Storms said. “What we’re still seeing is more targeted, very specific attacks.” A drive-by attack is one in which simply visiting a site can infect a computer.

Nevertheless, the vulnerability was serious enough for Germany’s Federal Office for Information Security to issue an alert Monday, warning people against using IE until Microsoft releases a fix. Sophos was also recommending that people use another browser.

Microsoft was given high marks for the speed of its response to the vulnerability. “Generally, they are moving really quick, and they are communicating with the public,” Storms said.

Microsoft released a workaround on Monday and said the next day that it would release a temporary fix in a “few days.” 

Because consumers are usually slow to install manual fixes, a much larger number of Windows users will be protected once the automatic update is released. “They need to prioritize an official patch that is deployed using Windows Update to truly provide protection to most IE users,” Wisniewski said.

Happy 4th Birthday, Android


Apple may have the brand cachet, but Google has the sheer firepower. In just four short years, Google’s Android mobile platform has overtaken the global smartphone market. The first Android-powered phone, the T-Mobile G1, launched on Sept. 23, 2008. It landed more than a year after the first iPhone—and a few months after Apple introduced the App Store and made the iPhone a proper smartphone.

It’s always fun to look back and see how much the tech world has changed. But even as recently as 2008, when Android first hit the scene, most consumers still had regular cell phones instead of smartphones, Palm OS was still a contender, Research In Motion was on a BlackBerry Curve-fueled and Pearl-fueled upswing, and there was no such thing as an iPad. Mobile apps had yet to enter the public consciousness. Most phones were either 2G or 3G, not many had GPS yet, and any touch screen phone that wasn’t an iPhone needed a stylus.

The G1 wasn’t an amazing piece of hardware, either. Its 384MHz processor was relatively slow even for the time, and it looked like a slightly ungainly and unfinished T-Mobile Sidekick, with its oversize, slide-out QWERTY keyboard and thick, slanted chin. The OS itself was pretty barren, and looked like a Linux install without any customizations. Still, it had a glass capacitive touch screen and a WebKit browser like the iPhone, and you could heavily customize the home screen. As a result, the G1 still felt more capable than the stylus-based and non-touch smartphones of the day. Our reviewer Sascha Segan called the G1 “a basic introduction to what could be a blockbuster mobile platform.”

Enter the Motorola Droid
Sascha was right, of course, but it wasn’t immediately obvious at the time. After the G1 came out, we only saw a few other Android handsets appear over the course of the next 12 months, leading us to wonder if the platform was ever going to make it for real. Then came the Motorola Droid—the first high-profile Android handset to hit Verizon, complete with a tremendous “Droid Does” marketing campaign and a signature “Droiiid” sound for when new email arrived. It helped that it was also a fast phone and came with free voice navigation, the first handset ever to do so.

The Droid in fact did it for Android; for the first time, mainstream consumers began to wonder if they should get an iPhone or a Droid. From there, Android popularity surged—and the rest is history. 2010 saw the first Samsung Galaxy S handsets, while the start of 2011 brought the first 4G LTE devices running Android, more than a year and a half ahead of Apple. Screen sizes began to expand further and further. Google tried and failed to sell its own Nexus handset, only to resurrect the name in a series of purist phones across multiple manufacturers, culminating in the current Samsung Galaxy Nexus lineup.

Then there are the Android tablets. Most weren’t success stories, and many were downright terrible. But we’ve seen some bright spots recently, including the Kindle Fire HD, the versatile Galaxy Note 10.1, and my personal favorite, the Google Nexus 7, with its smooth, fast performance, bright display, and $200 price tag. We’ve even seen the debut of “phablets,” devices that straddle the line between phones and tablets, with screens in the low 5-inch range.

Two of the newest Android phones—the LG Optimus G and the Samsung Galaxy Note II—feature quad-core Qualcomm Snapdragon and Samsung Exynos processors, respectively. Even on regular smartphones, screen sizes are pushing up against the 5-inch mark. And we’re beginning to move away from pure spec regurgitating, and into genuinely new capabilities like live zoom during mirrored video playback and on-the-fly photo filtering apps.

On Top, With Some Stumbles
Today, Android sits on the top of the platform heap in smartphone sales, beating its nearest rival (iOS) by roughly two to one in the U.S., and with Samsung far and away the sales leader. Android phones are great choices for consumers, for enterprises, for accessing the cloud, for enthusiasts hacking emulators and installing rogue OS builds—you name it and there’s a market for it. The latest OS, Android 4.1 “Jelly Bean,” rivals iOS in its smoothness and sophistication and beats it on customization options, if not in outright usability, and it’s finally beginning to appear on a few devices, too.

To be sure, the OS has taken some hits lately—most notably in Samsung’s massive loss to Apple during last month’s patent trial, one of the largest and most significant the tech industry has seen in more than a decade. The trick going forward will be for phone vendors to differentiate their devices and software builds, while simultaneously steering clear of existing UI patents and not completely alienating Android purists in the process. It’s a balancing act.

In addition, Android may have finally lost some of its inherent advantages over iOS with the introduction of the iPhone 5 last week, such as 4G LTE support, free voice navigation, and (to a limited extent) support for larger screen sizes. Finally, while Google Play is now stuffed with over half a million third-party apps, nearly all of them are for phones; there’s still a distinct lack of tablet-specific apps compared with the iPad.

These hurdles can all be overcome, though. There exists a vibrant and thriving Android enthusiast and developer community, plus more choice and fewer restrictions than you’ll ever see on Apple’s side. It’s been good to have you around, Android; here’s to faster performance, even cooler devices, and hopefully, fewer lawsuits in the months and years to come.

TDSS Malware Infecting Fortune 500 Includes Evasion Tactic

Hard-to-kill malware spotted in the wild includes a domain generation algorithm in the communications with its command-and-control infrastructure to make it harder to detect and eliminate. Use of such a tactic is part of a growing trend among malware threats as attackers look to thwart security.

A new edition of the notorious TDSS malware has been spotted using a domain generation algorithm (DGA) in communications with its command-and-control (C&C) as it spreads throughout enterprises.

Also known as TDL4, TDSS works by infecting master boot records, which has made it difficult for security programs to destroy. At one point, security researchers reported, the malware had built a botnet of 4.5 million victims. In 2011, it was linked separately to the spread of the notorious DNSChanger Trojan, which was at the center of an FBI takedown operation last year.

According to IT security technology company Damballa, the latest discovery led to a new understanding of the malware’s C&C infrastructure, which appears to be managing multiple versions of the malware across more than 250,000 infected victims worldwide. In collaboration with the Georgia Tech Information Security Center, Damballa researchers launched a sinkhole operation using some of the malware’s domains to gather evidence about the command-and-control structure.

The researchers discovered that the latest version of the malware has infected computers at 46 of the Fortune 500. Other victims include government agencies and ISP networks. The C&C traffic captured by the sinkhole also yielded new details of a click-fraud operation leveraging DGA-based C&C to provide status reports about the fraud operation’s successes so the information could be used by the criminal operators to provision the entire fraud campaign. Some of the top hijacked domains in the click fraud operation include, and

In all, a total of 85 C&C servers and 418 unique domains were labeled as being related to the malware, with Russia, Romania and the Netherlands hosting the most C&C servers.

Domain generation algorithms (DGAs) are traditionally used as a way to evade signature-based detection systems and static blacklists, explained Manos Antonakakis, director of academic sciences for Damballa. Using the tactic, which is also known as domain fluxing, allows the attacker to exploit the inability of network security systems to recognize and block the latest active domain names, he told eWEEK. The technique has become popular among malware authors, and has been adopted by Trojans such as Zeus and BankPatch, he added. Pseudo-random domain generation has also been used by the Blackhole exploit kit to make attacks more persistent.
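To make the evasion concrete, here is an added example that is not code from the article, Damballa or the TDSS authors. The generator is a deliberately simple toy DGA (SHA-256 over a seed, the date and an index), not TDL4’s actual algorithm, which the article does not describe; the seed, the TLD list, the DNS log format and the log lines are all constructed for the illustration. It shows why yesterday’s blocklist catches none of today’s candidates, and the kind of NXDOMAIN-burst signal that sinkhole operators and DGA detectors key on when the bot queries candidates the operator never registered.

```python
"""Added example: a toy domain generation algorithm and a crude detector.
Not TDL4's algorithm and not Damballa's code; seed, TLDs and log lines are
assumptions made for this illustration."""
import hashlib
import math
from collections import Counter, defaultdict

TLDS = ("com", "net", "info")  # assumed candidate TLDs


def dga(seed: str, day_iso: str, count: int = 6) -> list:
    """Return `count` candidate C&C domains for the day `day_iso` (YYYY-MM-DD).

    Bot and operator both compute the same list from the shared seed; the
    operator registers one candidate shortly before the bots start asking,
    so a blocklist built from yesterday's observations is already stale.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day_iso}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def blocklist_hits(blocklist: set, lookups: list) -> int:
    """How many of the given lookups a static blocklist would have caught."""
    return sum(1 for d in lookups if d in blocklist)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(domain: str) -> bool:
    """Crude lexical heuristic: long, high-entropy, vowel-poor first label.

    Real detectors (the article's sinkhole work included) rely far more on
    NXDOMAIN clustering across hosts than on per-name lexical tests.
    """
    label = domain.split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.3 and vowel_ratio < 0.3


def find_dga_hosts(dns_log: list, nx_threshold: int = 3) -> set:
    """Flag clients with many NXDOMAIN answers for generated-looking names.

    Each line is '<client> <qname> <rcode>' (a constructed format, not a
    real resolver log). Unregistered candidates fail to resolve, so an
    infected host produces a burst of NXDOMAINs for random-looking names.
    """
    nx = defaultdict(int)
    for line in dns_log:
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            nx[client] += 1
    return {c for c, n in nx.items() if n >= nx_threshold}


# Constructed sample DNS log, not real traffic.
SAMPLE_DNS_LOG = [
    "10.0.0.5 mail.example.com NOERROR",
    "10.0.0.5 update.example.net NOERROR",
    "10.0.0.9 xkqzvbtpwrmnls.com NXDOMAIN",
    "10.0.0.9 gtfjxwrqzpvlkb.net NXDOMAIN",
    "10.0.0.9 bzqnkwtrxvpmhs.info NXDOMAIN",
    "10.0.0.9 hrwtqzxkpvbnml.com NOERROR",
    "10.0.0.7 administration.example.com NXDOMAIN",
]

if __name__ == "__main__":
    seed = "demo-seed"  # hypothetical shared secret between bot and operator
    blocklist = set(dga(seed, "2012-09-17"))          # what yesterday's sinkhole saw
    print("blocklist hits today:", blocklist_hits(blocklist, dga(seed, "2012-09-18")))  # 0
    print("suspect hosts:", find_dga_hosts(SAMPLE_DNS_LOG))  # {'10.0.0.9'}
```

The one resolving name in the sample (`hrwtqzxkpvbnml.com`, NOERROR) is the candidate an operator would actually have registered; that is the domain a sinkhole operation takes over, which is how the article’s researchers ended up counting victims and C&C servers.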

“As we previously reported, the rate at which DGA-based communications techniques are being adopted, and their ability to elude the scrutiny of some of the most advanced malware analysis professionals, should be of great concern to incident response teams,” Antonakakis said in a statement.

“By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic,” he added. “With its known ability to act as a launch pad for other malware, and TDSS’ history of sub-leasing access to their victims, these hidden infections in corporate networks that go undetected for long periods of time are the unseen time bombs that security teams work so hard to uncover.”