Security Technology

The U.S. Department of Health and Human Services continues to ramp up its investigations of health care-related entities as a result of breaches.
Infamous file-sharing kingpin Kim Dotcom claimed today he is the inventor of two-factor authentication, a method of securing online services.
The notorious info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year. In our 2013 Security Predictions, we predicted that cybercrime would be characterized by old threats resurfacing, but with certain refinements and new features in tow. The first quarter of the year proved this thesis, as seen in threats like CARBERP and the Andromeda botnet. We can now add the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats, whose activity we have seen increase these past months based on Trend Micro Smart Protection Network feedback.

Figure 1. Smart Protection Network feedback for ZBOT (Jan – May 7 2013)

As seen in this chart, ZBOT variants surged at the beginning of February and continued to be active up to this month, peaking during the middle of May 2013. These malware are designed to steal online credentials from users, which can be banking credentials or other personally identifiable information (PII).

ZBOT Earlier Versions vs. Current Versions

Earlier generations of ZBOT create a folder in the %System% folder where they save the stolen data and the configuration file; a copy of the malware itself is also dropped in that folder. These versions modify the Windows hosts file to prevent users from accessing security-related websites; the strings appended to the hosts file can be seen in the downloaded configuration file. Examples of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS.

Current ZBOT variants create two randomly named folders in the %Application Data% folder. One folder contains a copy of the malware while the other contains encrypted data. An example is TSPY_ZBOT.BBH, which Smart Protection Network feedback shows to be the most prevalent variant globally. ZBOT malware of this generation are mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated. Both variants send DNS queries to randomized domain names; the difference in the GameOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names.

How does this malware steal your credentials?

ZBOT malware connects to a remote site to download its encrypted configuration file.

Figure 2. Screenshot of ZBOT communication to C&C server

Once the configuration file is decrypted, the following information can be seen:
- the site where an updated copy of the malware can be downloaded
- the list of websites to be monitored
- the site where the stolen data will be sent

These configuration files list the banks and other financial institutions that ZBOT monitors in browsers. Since configuration files are downloaded from remote sites, their contents may change at any time: malicious actors can change the list of sites they want to monitor on the affected system.

Trend Micro Solution for ZBOT variants

There are several avenues for detecting ZBOT variants:
- first, when the malware tries to write to the registry "Userinit" entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- second, by detecting the call-back to the remote site upon execution, as the malware acquires its configuration file
- finally, by detecting the site where it sends the stolen data, or from which it acquires an updated copy of itself

The screen capture below shows the attempt to write to the registry "Userinit" entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon being blocked by OfficeScan's Behavioural Monitoring function, after which the malware fails to execute:

Figure 3. OfficeScan Scanning Screenshot

The second opportunity to detect ZBOT variants is when the malware downloads its configuration file or an updated copy of itself, or attempts to upload its stolen information. Trend Micro Web Reputation Services can detect this funci
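The two host-level artifacts the post names, the extra path ZBOT writes into the Winlogon "Userinit" value and the hosts-file entries that block security sites, can be triaged without vendor tooling. The script below is an added example and is not Trend Micro code. The stock Userinit pattern, the list of "security-related" hostname fragments, the sample hosts file and the ZBOT-style path are all constructed assumptions; the post does not list the domains the malware redirects.

```python
"""Host-level triage for two ZBOT artifacts: an appended Winlogon Userinit
entry and hosts-file lines that redirect security-related sites.
Added example, not Trend Micro code; samples below are constructed."""
import platform
import re
from typing import List, Optional, Tuple

# Assumption: the stock entry is userinit.exe under System32 (drive/SystemRoot may vary).
_STOCK_USERINIT = re.compile(r"(^|[\\/])system32[\\/]userinit\.exe$", re.IGNORECASE)

# Assumption: illustrative fragments that mark a hostname as security-related.
SECURITY_HINTS = ("trendmicro", "symantec", "mcafee", "kaspersky", "sophos",
                  "avast", "avg.com", "windowsupdate", "microsoft")


def userinit_extras(value: str) -> List[str]:
    """Return every comma-separated Userinit entry other than the stock userinit.exe.
    Winlogon launches each entry at logon, which is how ZBOT persists."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not _STOCK_USERINIT.search(e)]


def hosts_redirects(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs where a security-related hostname is pinned
    to an address in the hosts file. Blank lines and '#' comments are skipped."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if any(h in name.lower() for h in SECURITY_HINTS):
                hits.append((ip, name))
    return hits


def read_live_userinit() -> Optional[str]:
    """Read the live Userinit value on Windows (read access only); None elsewhere."""
    if platform.system() != "Windows":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


# Constructed samples: a clean value, a value with a ZBOT-style path appended,
# and a hosts file with two vendor sites pointed at localhost.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = (r"C:\Windows\system32\userinit.exe,"
                     r"C:\Documents and Settings\user\Application Data\hgfd\oiuy.exe,")
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       liveupdate.symantec.com   # appended by malware
::1             localhost
"""

if __name__ == "__main__":
    live = read_live_userinit()
    print("live Userinit extras:", userinit_extras(live) if live else "n/a (not Windows)")
    print("sample Userinit extras:", userinit_extras(INFECTED_USERINIT))
    print("sample hosts redirects:", hosts_redirects(SAMPLE_HOSTS))
```

On a Windows host the script reads the real Userinit value; on any other platform it only runs against the constructed samples. Anything returned by userinit_extras is worth pulling for analysis, since a clean system has nothing but userinit.exe there.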
Edwin Vargas, 42, was arrested on Tuesday for allegedly buying email login credentials and cracking fellow officers' email accounts.
As cloud computing matures, a growing number of organizations are interested in moving to cloud environments to help lower IT costs, increase efficiencies, and realize greater flexibility. However, organizations that consider cloud computing have also...
Posted by Stephen McHenry, Director of Information Security Engineering

Protecting the security and privacy of our users is one of our most important tasks at Google, which is why we utilize encryption on almost all connections made to Google. This encryption needs to be updated at times to make it even stronger, so this year our SSL services will undergo a series of certificate upgrades: specifically, all of our SSL certificates will be upgraded to 2048-bit keys by the end of 2013. We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year. We're also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.

Most client software won't have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.

For a smooth upgrade, client software that makes SSL connections to Google (e.g. HTTPS) must:
- Perform normal validation of the certificate chain;
- Include a properly extensive set of root certificates. We have an example set which should be sufficient for connecting to Google in our FAQ. (Note: the contents of this list may change over time, so clients should have a way to update themselves as changes occur);
- Support Subject Alternative Names (SANs).

Also, clients should support the Server Name Indication (SNI) extension, because clients may need to make an extra API call to set the hostname on an SSL connection. Any client unsure about SNI support can be tested against https://googlemail.com; this URL should only validate if you are sending SNI.

On the flip side, here are some examples of improper validation practices that could very well lead to the inability of client software to connect to Google using SSL after the upgrade:
- Matching the leaf certificate exactly (e.g. by hashing it)
- Matching any other certificate (e.g. Root or Intermediate signing certificate) exactly
- Hard-coding the expected Root certificate, especially in firmware. This is sometimes done based on assumptions like the following:
  - The Root Certificate of our chain will not change on short notice.
  - Google will always use Thawte as its Root CA.
  - Google will always use Equifax as its Root CA.
  - Google will always use one of a small number of Root CAs.
  - The certificate will always contain exactly the expected hostname in the Common Name field and therefore clients do not need to worry about SANs.
  - The certificate will always contain exactly the expected hostname in a SAN and therefore clients don't need to worry about wildcards.

Any software that contains these improper validation practices should be changed. More detailed information can be found in this document, and you can also check out our FAQ if you have specific questions.
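The client behaviour the post asks for (chain validation against a root store that can be updated, SAN matching including wildcards, and SNI on the connection) looks like the following in Python's standard library. This is an added example, not Google's code: the SAN matching rule implemented here (a leading "*" matches exactly one label and needs at least two more labels) is the common browser interpretation, the SAN lists used in the tests are constructed, and www.google.com in the usage block is only an illustrative host.

```python
"""Client-side certificate handling: SNI, chain validation against the platform
root store, and hostname matching against SAN dNSNames rather than the CN.
Added example, not Google's code; SAN lists in the tests are constructed."""
import socket
import ssl
from typing import Iterable, List


def san_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Match hostname against SAN dNSName entries, case-insensitively.
    A leading '*' label matches exactly one label: *.example.com covers
    a.example.com but not example.com or a.b.example.com. A bare '*' and
    '*.tld' are rejected (assumed policy, mirroring browser behaviour)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def leaf_san_dns_names(cert: dict) -> List[str]:
    """Pull the dNSName SANs out of ssl.SSLSocket.getpeercert() output."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def connect_checked(hostname: str, port: int = 443, timeout: float = 10.0) -> List[str]:
    """Connect with ssl.create_default_context(): CERT_REQUIRED against the
    platform root store (no hard-coded root, no pinned leaf hash), SNI sent via
    server_hostname, and the stdlib hostname check enabled. Returns the leaf's
    SAN dNSNames. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    names = leaf_san_dns_names(cert)
    # ssl already verified the hostname; this repeats the check explicitly so
    # the wildcard handling above is exercised on a real certificate.
    if not san_matches(hostname, names):
        raise ssl.CertificateError(f"{hostname} not covered by SANs {names}")
    return names


if __name__ == "__main__":
    # Illustrative host; any HTTPS server with a valid chain will do.
    print(connect_checked("www.google.com"))
```

Note what this code deliberately does not do: it never compares the leaf or root certificate against a stored hash, never reads the Common Name, and relies on the OS root store so a CA change on Google's side is absorbed by a normal system update rather than a firmware rebuild.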
Since its initial release in February 2012 the Raspberry Pi, a very inexpensive, palm-sized computer meant to help teach computer science in schools, has become a favorite of hobbyists, makers, and tech enthusiasts everywhere. Why wouldn't it be? The Raspberry Pi offers tinkerers a very low-cost (both to buy and to run) computer in an extremely compact platform. In addition, because of its origins as an educational tool, it is easy to use and versatile. Accordingly, it can be used in all sorts of creative ways.

However, its apparent simplicity and low cost come with a downside. The Raspberry Pi is not a simple "device" with limited capabilities; it is a fully capable computer. The same pitfalls that befall normal desktop computing can hit the Raspberry Pi if it is not properly secured. Some uses of the Raspberry Pi actually turn it into a server, and that is something that users may not really know how to secure. For example, some people have made the Raspberry Pi into a server that controls their home automation system, or that lets them watch videos served by the Pi remotely.

For many uses of the Raspberry Pi, security isn't much of a concern: it will never be online or even exposed to external input that could be used as an infection vector. The trouble comes when it is used in situations where it is online, particularly as a server, where it is at potential risk. For example, some automated scanners are already trying to log in with the default pi user. In short, the Raspberry Pi is only as secure as the uses you put it to.

Good server security is not always easy; consider that even IT professionals make mistakes. Look into known server best practices if you do use a Raspberry Pi for these purposes. Considering its origin as an educational tool, learning how to secure a server would be an appropriate use for a Raspberry Pi.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro: Is The Raspberry Pi Secure?
On the heels of the Syrian Electronic Army compromising a number of high-profile accounts—including those of the Associated Press, The Guardian, and The Onion—Twitter has introduced a two-factor authentication feature that should make such attacks more difficult. In a blog post today, Jim O'Leary of Twitter's security team announced the release of "login verification," an optional security measure that requires a verified phone number and e-mail address. Twitter is a bit late to the two-factor authentication party. Word first spread that Twitter was working on a two-factor authentication scheme in February when the company advertised job openings for security engineers to develop "user-facing security features, such as multi-factor authentication and fraudulent login detection." Google has offered two-factor authentication since February of 2011, and Facebook introduced two-step login approval in May of 2011. Like Google's two-factor authentication, Twitter's login verification sends a code via SMS to be entered to confirm login. But unlike Google's system, the code will be sent every time users sign into Twitter through its website. This is the case even if it's from a computer or device that they've logged in from before. The phone has to be enrolled through Twitter's existing SMS service first—you have to text a code to Twitter to verify the phone first, which may not work with some phone carriers. The relationship between phones and accounts is also strictly one-to-one: if you have a shared business account, you're going to need to share a phone number too. If you have multiple accounts and only one phone number, then you can only secure a single account.
Following a series of high-profile Twitter account hijacks, the microblogging service finally has delivered two-factor authentication.