OPERATION AURORA - The Attack from China
McAfee Labs has disclosed on its security blog that it is “working around the clock” and “diving deep” to unravel the latest attack, which it has dubbed “Aurora”, that hit multiple companies and was publicly disclosed by Google on Tuesday.
The latest malware exploits a previously unknown vulnerability in Microsoft Internet Explorer. The organisation says it has informed Microsoft about the issue, and this prompted Microsoft to publish an advisory on Thursday afternoon.
WHY AURORA?
The company reports that the name,
“Aurora” was part of the filepath on the attacker’s machine that was included in two of the malware binaries that we have confirmed are associated with the attack. That filepath is typically inserted by code compilers to indicate where debug symbols and source code are located on the machine of the developer. We believe the name was the internal name the attacker(s) gave to this operation.
The organisation writes that they “are working with multiple organizations that were impacted by this attack as well as the government and law enforcement”.
INTERNET EXPLORER AS THE CULPRIT
On its blog, Microsoft says, “Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer”.
Google posted this on their blog, “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different”.
SCOPE AND COVERAGE
The report continues, “First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.
Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.
Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers”.
MODE OF ATTACK
McAfee writes that, “As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and click a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.
Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.
Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration.
While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time”.
The report says that, contrary to some reports, findings to date have not shown a vulnerability in Adobe Reader to be a factor in these attacks.
WHAT IS THE SOLUTION?
Though Google has used information garnered from its research into the attack to improve its infrastructure, there is little it can do for the individual user. However, they offered this advice:
“In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this Report to Congress (PDF) by the U.S.-China Economic and Security Review Commission (see p. 163-), as well as a related analysis (PDF) prepared for the Commission, Nart Villeneuve’s blog and this presentation on the GhostNet spying incident”.
A Changing Threat Landscape
George Kurtz, the McAfee blog writer, states that, “Blaster, Code Red and other high profile worms are definitely a thing of the past. The current bumper crop of malware is very sophisticated, highly targeted, and designed to infect, conceal access, siphon data or, even worse, modify data without detection.
These highly customized attacks known as “advanced persistent threats” (APT) were primarily seen by governments and the mere mention of them strikes fear in any cyberwarrior. They are in fact the equivalent of the modern drone on the battle field. With pinpoint accuracy they deliver their deadly payload and once discovered – it is too late.
Operation Aurora is changing the cyberthreat landscape once again. These attacks have demonstrated that companies of all sectors are very lucrative targets. Many are highly vulnerable to these targeted attacks that offer loot that is extremely valuable: intellectual property.
Similar to the ATM heist of 2009, Operation Aurora looks to be a coordinated attack on many high profile companies targeting their intellectual property. Like an army of mules withdrawing funds from an ATM, this malware enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays. Without question this attack was perpetrated during a period of time that would minimize detection”.
According to the McAfee writer, this attack is only the tip of the iceberg.
What is Cloud Computing?
Wikipedia puts it this way:
Cloud computing is Internet- (“cloud-”) based development and use of computer technology (“computing”). In concept, it is a paradigm shift whereby details are abstracted from the users, who no longer need knowledge of, expertise in, or control over the technology infrastructure “in the cloud” that supports them. Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet.
The term cloud is used as a metaphor for the Internet, based on the cloud drawing used to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents. Typical cloud computing providers deliver common business applications online which are accessed from a web browser, while the software and data are stored on servers.
These applications are broadly divided into the following categories: Software as a Service (SaaS), Utility Computing, Web Services, Platform as a Service (PaaS), Managed Service Providers (MSP), Service Commerce, and Internet Integration.
Many non-technically inclined readers will scratch their heads at this explanation, as it adds more confusion to an already confusing question.
CLOUD COMPUTING IN SIMPLE TERMS
Cloud computing can be explained simply as the use of a computer service or resource over the internet without bothering to buy or own the resource.
A typical example will be:
Suppose you want to type a letter using Microsoft Word 2007, but you do not have MS-Word 2007 on your computer, or do not want the burden of buying, maintaining and installing countless programs on a computer. So you walk into the nearest cyber cafe and go online to a company that offers MS-Word 2007 as a service. You pay a small fee, click on a link, and MS-Word 2007 launches directly from the company’s website to your system in the cafe. You simply type your letter and maybe save it on a memory stick, send it as an attachment or print it out.
Now the company offers MS-Word 2007 as a service to which you have subscribed, and the Internet is referred to as the cloud. There are various ways of accomplishing this.
These include Software as a Service (SaaS), Utility Computing, Web Services, Platform as a Service (PaaS), Managed Service Providers (MSP), Service Commerce, and Internet Integration.
IBM puts it this way:
An emerging IT delivery model—cloud computing—can significantly reduce IT costs & complexities while improving workload optimization and service delivery. Cloud computing is massively scalable, provides a superior user experience, and is characterized by new, internet-driven economics.
Various companies are now offering this service. Examples include Microsoft, Yahoo, Google, AT&T, IBM and VMware.
As another example, the email you type and send every day is cloud computing in operation. You can type and send emails locally from your computer by using Microsoft Outlook, but many people do not even know this. They simply walk into a cafe, call up their mail accounts and type the emails, period.
Read more here and here.
As the technology ‘wars’ advance, Merrill Lynch has forecast that by 2011 the cloud computing market opportunity would amount to $160bn, including $95bn in business and productivity apps (email, office, CRM, etc.) and $65bn in online advertising (according to a post on Markus Klems’s blog).
The question on everyone’s lips is: Is cloud computing really the future of computing? Will it succeed where its brother, the Grid, failed?
Only time will tell.
Facebook Financial Scam Trojan
Following the recent fake Facebook password-reset e-mail scam, another scam has surfaced, aimed at tricking Facebook users into revealing their passwords and downloading a Trojan that steals financial data.
According to Fred Touchette, a senior security analyst at AppRiver, the scam works like this:
A legitimate-looking Facebook notice asks people to provide information to help the social network update its log-in system. When the user clicks the “update” button in the e-mail, they are directed to a fake Facebook log-in screen where their user name is already filled in and they are prompted to provide their password.
When unsuspecting victims provide the information, they are taken to a page that offers an “Update Tool,” but that is actually the Zeus bank Trojan that is designed to steal financial and personal data, Touchette said.
Smartphone users are said to be at the greatest risk, since the Facebook app installed on their devices can easily be duped: the phishing e-mail appears as an actual Facebook notification, complete with the Facebook icon.
The message is received in the e-mail in-box on the phone as well as under the Facebook notification section in the app itself, Touchette said.
According to Touchette, the AppRiver blog reports that it has captured about 6 million e-mails in its filters and noticed that the messages were coming in at a rate of 30,000 a minute at one point. That’s about 10 times the usual botnet e-mail message rate, he said.
WHAT TO DO?
According to the security expert,
“To protect against such phishing attacks, people should be extremely cautious about clicking on links in e-mails and they can mouse over the link to see if the domain is a legitimate domain”
Meanwhile, Facebook users should easily be tipped off that the latest scam is just that, a scam, he said. “Facebook doesn’t need all of its users to update their accounts in order for them to make changes to their site”.
He recommends that if there is any question about the legitimacy of the e-mail or the link, users should close the e-mail and go directly to the site to check for important notices to customers.
You can read more about this on the AppRiver blog.
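The “mouse over the link” check above can be automated for a batch of messages. The following is an added example, not code from AppRiver or the original post; it parses the HTML body of a message that claims to be from facebook.com (the brand name is an assumed parameter) and reports every link whose real destination host is not that site, distinguishing lookalike hosts from links whose visible text hides the destination. The sample body is constructed here.

```python
# Added example: flag links in a message claiming to be from facebook.com whose
# real href host is somewhere else (the "mouse over the link" check, automated).
from html.parser import HTMLParser
from urllib.parse import urlparse


def same_site(host, trusted):
    """True if host is the trusted domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify(href, text, trusted):
    """Reason a link is suspicious, or None if it really goes to the trusted site."""
    host = (urlparse(href).hostname or "").lower()
    if same_site(host, trusted):
        return None
    if trusted in host:                    # e.g. facebook.com.login-update.example
        return "lookalike host"
    if trusted in text.lower():            # text says facebook.com, href does not
        return "link text hides real destination"
    return "off-site link"


def suspicious_links(html, trusted="facebook.com"):
    """Map each off-site href in the message body to the reason it was flagged."""
    p = LinkCollector()
    p.feed(html)
    return {href: why for href, text in p.links
            if (why := classify(href, text, trusted)) is not None}


# Constructed sample body in the style of the phishing notice described above.
SAMPLE = """<p>Update your Facebook log-in details.</p>
<a href="http://facebook.com.login-update.example/">Update now</a>
<a href="https://www.facebook.com/help">Help Center</a>
<a href="http://www.fb-secure.example/">www.facebook.com</a>
<a href="http://203.0.113.7/update">Update</a>"""

if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE).items():
        print(why, "->", href)
```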
Beware! Facebook Reset-Password email is an attack!
Indications have emerged that the emails purportedly sent by Facebook to members to reset their passwords following identified threats on their accounts are in fact an attack.
According to anti-virus industry experts, the malicious executable is linked to the Bredolab botnet, which has been tied to massive spam runs and identity-theft related attacks.
The email uses fake Facebook password-reset messages to trick PC users into downloading a dangerous piece of malware. This malware gives the attackers full control of your PC: they can steal customer information, send spam emails and practically do as they please.
Websense, an industry player, says the address of the sender is spoofed to display “support@facebook.com”, a trick commonly used to make recipients believe that the email is a legitimate message from the network.
The alert says,
“Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook. The From: address on the messages is spoofed using support@facebook.com to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside (SHA1:d01c02b331f47481a9ffd5e8ec28c96b7c67a8c6). The .exe file currently has a detection rate of about 30 percent on VirusTotal. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today”.
It continues,
“The malicious .exe file connects to two servers to download additional malicious files and joins the Bredolab botnet, which means the attackers have full control of the PC, such as stealing customer information and sending spam emails. One of the servers is in the Netherlands and the other one in Kazakhstan”.
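The pattern Websense describes, a spoofed From: address and a .zip attachment carrying an .exe, is something a mail filter can catch before the user ever sees the attachment. The following is an added example, not code from Websense or the original post; it builds a constructed message in that shape (the attachment names and the fake executable bytes are made up) and flags attachments that are executables or archives containing executables, regardless of the declared MIME type.

```python
# Added example: flag e-mail attachments that are executables, or zip files that
# contain executables, as in the fake Facebook password-reset mail described above.
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def executables_in_zip(data):
    """Names of executable members inside zip bytes; [] if not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def risky_attachments(msg):
    """Return (filename, reason) pairs for attachments a filter should quarantine.
    The zip check keys on the file's magic bytes, not on its name or MIME type."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXEC_SUFFIXES):
            findings.append((name, "executable attachment"))
        elif data.startswith(b"PK\x03\x04"):          # zip local-file header
            inner = executables_in_zip(data)
            if inner:
                findings.append((name, "zip contains " + ", ".join(inner)))
    return findings


def build_sample():
    """Constructed message imitating the fake password-reset mail (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_Reset.exe", b"MZ not a real program")
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Facebook <support@facebook.com>"   # spoofed sender, as described
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Your password has been reset. Details are in the attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_Reset.zip")
    return msg


if __name__ == "__main__":
    for name, why in risky_attachments(build_sample()):
        print(name, "->", why)
```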
A screenshot of the fake alert is shown below.
[Screenshot: Fake Facebook reset password alert]
All Facebook account holders are encouraged to disregard this email, and in future to take as much precaution as possible before downloading attachments that come with similar emails if they are unsure or suspicious of the source.
The virus has a 30% detection rate on VirusTotal. VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.
At the time of writing this report, the anti-virus programs that detected the malware are:
| Antivirus | Version | Name |
|---|---|---|
| AVG | 8.5.0.423 | Win32/Heur |
| BitDefender | 7.2 | Trojan.Downloader.Bredolab.AZ |
| eSafe | 7.0.17.0 | Suspicious File |
| F-Secure | 9.0.15370.0 | Trojan.Downloader.Bredolab.AZ |
| GData | 19 | Trojan.Downloader.Bredolab.AZ |
| Kaspersky | 7.0.0.125 | Packed.Win32.Krap.w |
| Microsoft | 1.5202 | TrojanDownloader:Win32/Bredolab.X |
| Norman | 6.03.02 | W32/Obfuscated.D2!genr |
| Sophos | 4.46.0 | Mal/Bredo-A |
| Sunbelt | 3.2.1858.2 | Trojan.Win32.Bredolab.Gen.1 (v) |
| TrendMicro | 8.950.0.1094 | TROJ_BREDLAB.SMF |
| Comodo | 2743 | Heur.Packed.Unknown |
The following did not detect it, according to the VirusTotal analysis:

| Antivirus | Version |
|---|---|
| a-squared | 4.5.0.41 |
| AhnLab-V3 | 5.0.0.2 |
| AntiVir | 7.9.1.44 |
| Antiy-AVL | 2.0.3.7 |
| Authentium | 5.1.2.4 |
| Avast | 4.8.1351.0 |
| CAT-QuickHeal | 10.00 |
| ClamAV | 0.94.1 |
| DrWeb | 5.0.0.12182 |
| eTrust-Vet | 35.1.7084 |
| F-Prot | 4.5.1.85 |
| Fortinet | 3.120.0.0 |
| Ikarus | T3.1.1.72.0 |
| Jiangmin | 11.0.800 |
| K7AntiVirus | 7.10.879 |
| McAfee | 5783 |
| McAfee+Artemis | 5783 |
| McAfee-GW-Edition | 6.8.5 |
| NOD32 | 4545 |
| nProtect | 2009.1.8.0 |
| Panda | 10.0.2.2 |
| PCTools | 4.4.2.0 |
| Prevx | 3.0 |
| Rising | 21.53.04.00 |
| Symantec | 1.4.4.12 |
| TheHacker | 6.5.0.2.054 |
| VBA32 | 3.12.10.11 |
| ViRobot | 2009.10.26.2005 |
| VirusBuster | 4.6.5.0 |

Please don’t join the Bredolab botnet; help in spam reduction.
Be sure your anti-virus program is up to date.
ATM FRAUD. Criminals now install skimming devices to steal your data.
This is a wake up call to ATM service providers in Nigeria and Africa in general.
Cybercriminals and offline gangs are now using skimming devices to steal the ATM card details of individuals and using them to drain the victims’ accounts without their knowledge.
See the video: man gets busted by police installing a ‘skimming’ device on an ATM.
Many folks out there may not be aware that it is possible for their funds to be stolen electronically by capturing their card data at the ATM.
This process is called “skimming”, and it involves installing a card reader and a camera on the ATM. The card reader captures the information on the magnetic stripe on the back of your card, while the camera watches what you enter as your PIN; the device then transmits the information wirelessly to the thieves.
So the next time you use an ATM, it will be a good idea to keep an eye out for these devices.
You may ask: how do I know what to look for?
To answer that I will present you with a plethora of resources.
First, see a guide on spotting a skimmer. It’s a brief PDF from Consumerist.
See how to identify an ATM skimmer on Consumerist here; photos of skimming devices are also included.
Here’s a link to download a PDF on what a skimmer looks like.
Below is a suggestion from a Consumerist reader on how to put a stop to it:
OCP recommends deploying an ED-209 to monitor every large ATM gallery.
[Enterprising scammer tries to install skimmer]
ED-209: Halt!
Scammer: Oh shit! Okay I give up, just don’t shoot!
ED-209: You are in direct violation of Penal Code 1.13, Section 9. Put down the skimmers and put your hands up. You have 20 seconds to comply.
[Scammer sets skimmers down on the floor and puts hands up]
ED-209: You have 15 seconds to comply.
Scammer: What? Wha?
ED-209: You have 5 seconds to comply.
Scammer: Wait I put the skimmers down and my hands are up!
ED-209: Four… three… two… one… I am now authorized to use physical force!
Lifehacker also has some good suggestions.
Go here to read about almost every kind of ATM fraud scheme and technique being used worldwide.
Having seen all this, it is important to realise that, while it may seem a little far-fetched if you have not experienced it, it is very real. The reason is that these skimming devices are sold openly on the internet. It is no longer a secret that virtually anyone can make a purchase online using a variety of payment options, so the next ATM terminal to be compromised may be yours.
What are the banks in your country doing to tackle this menace?
Please tell us in our comments box; this will help to educate others and act as a wake-up call to other complacent countries and financial institutions.