Security Technology

Google Hacking is a hacking technique used by hackers to identify web security vulnerabilities on web applications or gather information for general or individual targets. Mostly this information includes configuration and source code files, sensitive data, database information, etc. This ... The post Web Security Vulnerabilities Exposed by Google Searches (Google Hacking) appeared first on Acunetix.
about 3 hours ago
The U.S. Department of Health and Human Services continues to ramp up its investigations of health care-related entities as a result of breaches.
about 15 hours ago
As WikiLeaks founder Julian Assange approaches the one-year anniversary of his confinement in the Ecuadorian embassy in London, a report released Wednesday reveals that donations to the secret-spilling site have slowed to a trickle.
about 17 hours ago
Infamous file-sharing kingpin Kim Dotcom claimed today he is the inventor of two-factor authentication, a method of securing online services.
about 17 hours ago
The notorious info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year. In our 2013 Security Predictions, we predicted that cybercrime will be characterized by old threats resurfacing, but with certain refinements and new features in tow. The 1Q of the year proved this thesis, as seen in threats like CARBERP and the Andromeda botnet. We can now include the data-stealing malware ZeuS/ZBOT in this roster of old-but-new threats, which we've seen increase these past months based on Trend Micro Smart Protection Network feedback.

Figure 1. Smart Protection Network feedback for ZBOT (Jan – May 7 2013)

As seen in this chart, ZBOT variants surged in the beginning of February and continued to be active up to this month. Activity even peaked during the middle of May 2013. This malware is designed to steal online credentials from users, which can be banking credentials/information or other personally identifiable information (PII).

ZBOT Earlier Versions vs. Current Versions

Early-generation ZBOT variants create a folder in the %System% folder where they save the stolen data and the configuration file. A copy of the malware is also dropped in that folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites; the strings appended to the hosts file can be seen in the downloaded configuration file. Examples of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS.

Current ZBOT variants were observed to create two random-named folders in the %Application Data% folder. One folder contains a copy of the ZBOT malware while the other contains encrypted data. An example is TSPY_ZBOT.BBH, which Smart Protection Network feedback showed to be the most prevalent variant globally. ZBOT malware of this generation is mostly either Citadel or GameOver variants. Unlike in earlier versions, the mutex name is randomly generated.

Both variants send DNS queries to randomized domain names. The difference in the GameOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names.

How does this malware steal your credentials?

ZBOT malware connects to a remote site to download its encrypted configuration file.

Figure 2. Screenshot of ZBOT communication to C&C server

The following information can be seen once the configuration file is decrypted:
Site where an updated copy of itself can be downloaded
List of websites to be monitored
Site where it will send the stolen data

These configuration files list the banks and other financial institutions that ZBOT monitors in browsers. Since configuration files are downloaded from remote sites, their contents may change at any time: malicious actors can change the list of sites they want to monitor on the affected system.

Trend Micro Solution for ZBOT variants

There are several avenues for detecting ZBOT variants, such as:
First, as the malware tries to write to the registry "Userinit" entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Secondly, detecting the call-back routine to the remote site upon execution, as it acquires its configuration file
Finally, detecting the site where it sends the stolen data or acquires an updated copy of itself

The screen capture below shows this exact behaviour, writing to the registry "Userinit" entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, being blocked by OfficeScan's Behavioural Monitoring function, so the malware fails to execute:

Figure 3. OfficeScan Scanning Screenshot

The second opportunity to detect ZBOT variants is when the malware downloads its configuration file, an updated copy of itself, or even attempts to upload its stolen information. Trend Micro Web Reputation Services can detect this funci
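The first detection avenue above, the write to the Winlogon "Userinit" value, can also be checked after the fact from a registry export rather than only at the moment of the write. The following is an added example, not code from the Trend Micro post or any Trend Micro product: it parses a reg-export style text (the two samples, including the AppData path, are constructed for illustration) and reports every Userinit entry other than the legitimate userinit.exe. The expected path C:\Windows\system32\userinit.exe is an assumption about a default installation; adjust it for a non-standard %SystemRoot%.

```python
import re

# Key named in the post; the expected Userinit program is an assumption (default %SystemRoot%).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"

# Constructed samples in the syntax of a Windows registry export (not taken from the post).
SAMPLE_CLEAN = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

SAMPLE_SUSPECT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\Xkqe\\ryhu.exe,"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse the subset of reg-export syntax used here: [key] headers and "name"="string" values.

    Returns {key_path: {value_name: value_data}} with .reg escaping undone.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _VALUE_RE.match(line)
        if match and current is not None:
            # .reg files write a backslash as \\ and a quote as \"
            data = match.group("data").replace("\\\\", "\\").replace('\\"', '"')
            keys[current][match.group("name")] = data
    return keys


def userinit_entries(data):
    """Userinit is a comma-separated list of programs winlogon runs at logon (trailing comma is normal)."""
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def audit_userinit(text):
    """Return the unexpected Userinit entries found in a registry export.

    An empty list means the value holds exactly the legitimate userinit.exe. A
    missing value or a missing legitimate entry is reported as a bracketed marker.
    """
    values = parse_reg_export(text).get(WINLOGON_KEY, {})
    if "Userinit" not in values:
        return ["<Userinit value missing>"]
    entries = userinit_entries(values["Userinit"])
    expected = EXPECTED_USERINIT.lower()
    findings = [entry for entry in entries if entry.lower() != expected]
    if not any(entry.lower() == expected for entry in entries):
        findings.insert(0, "<legitimate userinit.exe entry missing>")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(label, audit_userinit(sample))
```

On a live host the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; an extra program under a user's Application Data folder is exactly the kind of entry the post describes the behaviour monitor blocking at write time.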
about 18 hours ago
Edwin Vargas, 42, was arrested on Tuesday for allegedly buying email login credentials and cracking fellow officers' email accounts.
about 20 hours ago
As cloud computing matures, a growing number of organizations are interested in moving to cloud environments to help lower IT costs, increase efficiencies, and realize greater flexibility. However, organizations that consider cloud computing have also...
about 21 hours ago
Posted by Stephen McHenry, Director of Information Security Engineering

Protecting the security and privacy of our users is one of our most important tasks at Google, which is why we utilize encryption on almost all connections made to Google. This encryption needs to be updated at times to make it even stronger, so this year our SSL services will undergo a series of certificate upgrades: specifically, all of our SSL certificates will be upgraded to 2048-bit keys by the end of 2013. We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year. We're also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.

Most client software won't have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.

For a smooth upgrade, client software that makes SSL connections to Google (e.g. HTTPS) must:
Perform normal validation of the certificate chain;
Include a properly extensive set of root certificates. We have an example set which should be sufficient for connecting to Google in our FAQ. (Note: the contents of this list may change over time, so clients should have a way to update themselves as changes occur);
Support Subject Alternative Names (SANs).

Also, clients should support the Server Name Indication (SNI) extension because clients may need to make an extra API call to set the hostname on an SSL connection. Any client unsure about SNI support can be tested against https://googlemail.com; this URL should only validate if you are sending SNI.

On the flip side, here are some examples of improper validation practices that could very well lead to the inability of client software to connect to Google using SSL after the upgrade:
Matching the leaf certificate exactly (e.g. by hashing it)
Matching any other certificate (e.g. Root or Intermediate signing certificate) exactly
Hard-coding the expected Root certificate, especially in firmware. This is sometimes done based on assumptions like the following:
    The Root Certificate of our chain will not change on short notice.
    Google will always use Thawte as its Root CA.
    Google will always use Equifax as its Root CA.
    Google will always use one of a small number of Root CAs.
Assuming the certificate will always contain exactly the expected hostname in the Common Name field, so that clients do not need to worry about SANs.
Assuming the certificate will always contain exactly the expected hostname in a SAN, so that clients don't need to worry about wildcards.

Any software that contains these improper validation practices should be changed. More detailed information can be found in this document, and you can also check out our FAQ if you have specific questions.
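The proper and improper practices listed above can be made concrete in client code. The following is an added example, not code from Google or from the post: it uses only the Python standard library, works on a constructed certificate dictionary shaped like ssl.getpeercert() output (SAMPLE_CERT is not a real Google certificate), and places a SAN-aware hostname check with correct wildcard handling beside the two practices the post warns against: comparing the Common Name only, and pinning the leaf certificate by hash. make_client_context() shows the corresponding proper socket setup; passing server_hostname to wrap_socket() is what makes the client send SNI.

```python
import hashlib
import ssl

# Constructed sample shaped like ssl.SSLSocket.getpeercert(); not a real Google certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "subjectAltName": (
        ("DNS", "mail.google.com"),
        ("DNS", "googlemail.com"),
        ("DNS", "*.googlemail.com"),
    ),
}


def _name_matches(pattern, hostname):
    """Compare one DNS name from the certificate against the requested hostname.

    A wildcard is honoured only as the whole leftmost label and covers exactly
    one label: '*.googlemail.com' matches 'www.googlemail.com' but neither
    'googlemail.com' nor 'a.b.googlemail.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                       # ".googlemail.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(cert, hostname):
    """Proper practice: check every DNS SAN (wildcards included); use the CN only if there are no SANs."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def cn_only_matches(cert, hostname):
    """Improper practice from the post: compare the Common Name exactly and ignore SANs."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower() == hostname.lower()
    return False


def leaf_fingerprint(leaf_der):
    """SHA-256 hex digest of a DER-encoded leaf certificate."""
    return hashlib.sha256(leaf_der).hexdigest()


def pinned_leaf_matches(leaf_der, expected_fingerprint):
    """Improper practice from the post: match the leaf certificate by hash.

    Any legitimate reissue (such as the 2048-bit upgrade) changes the bytes and
    breaks the client even though the new chain validates correctly.
    """
    return leaf_fingerprint(leaf_der) == expected_fingerprint


def make_client_context():
    """Proper client setup: system trust store, full chain validation, hostname check.

    Use as ctx.wrap_socket(sock, server_hostname="googlemail.com"); server_hostname
    both drives the hostname check and causes the SNI extension to be sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

Note how cn_only_matches rejects www.googlemail.com even though the certificate is valid for it via the wildcard SAN, and how pinned_leaf_matches fails as soon as the leaf bytes change: these are the two failure modes the post says will surface when the certificates are reissued.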
about 21 hours ago
This post by Aleatha Parker-Wood is very applicable to the things I wrote in Liars & Outliers: A lot of fundamental social problems can be modeled as a disconnection between people who believe (correctly or incorrectly) that they are playing a non-iterated game (in the game theory sense of the word), and people who believe (correctly or incorrectly) that...
about 21 hours ago