<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>viaForensics &#187; Security Archives  &#8211; viaForensics</title>
	<atom:link href="http://viaforensics.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://viaforensics.com</link>
	<description>innovative digital forensics and security</description>
	<lastBuildDate>Fri, 03 Feb 2012 21:30:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>viaForensics to Kick Off Digital Detectives Podcast Series</title>
		<link>http://viaforensics.com/security/viaforensics-kick-digital-detectives-podcast-series.html</link>
		<comments>http://viaforensics.com/security/viaforensics-kick-digital-detectives-podcast-series.html#comments</comments>
		<pubDate>Fri, 20 Jan 2012 16:39:45 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Android Forensics]]></category>
		<category><![CDATA[digital forensics]]></category>
		<category><![CDATA[iPhone Forensics]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[smart phone security]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=9361</guid>
		<description><![CDATA[ <p>Gallivan, Gallivan and O&#8217;Melia (GGO, LLC), the e-discovery experts driving the move toward accessible, affordable e-discovery solutions, have partnered with Legal Talk Network to produce the &#8216;Digital Detectives&#8217; series of podcasts for 2012. The Digital Detectives series aims to inform legal and technology professionals on a wide range of emerging topics in e-discovery, [...]]]></description>
			<content:encoded><![CDATA[
<blockquote><p>Gallivan, Gallivan and O&#8217;Melia (GGO, LLC), the e-discovery experts driving the move toward accessible, affordable e-discovery solutions, have partnered with Legal Talk Network to produce the &#8216;Digital Detectives&#8217; series of podcasts for 2012. The Digital Detectives series aims to inform legal and technology professionals on a wide range of emerging topics in e-discovery, computer forensics, information security, litigation, and trial technologies.</p>
<p>In the podcast series, Sharon Nelson and John Simek invite experts to discuss important topics of interest to litigators, corporate counsel, computer forensics and e-discovery professionals&#8230;.</p>
<p>The monthly podcast series will kick off 2012 with guest Andrew Hoog, Chief Investigative Officer at viaForensics, in a discussion on Smartphone Security. In February, Digital Detectives will host Neil Squillante of TechnoLawyer, discussing the &#8220;Top Resources for Staying Current in E-Discovery&#8221;.</p>
<p>Find the complete library of Digital Detectives podcasts on the Digital Talk Network site at <a href="http://legaltalknetwork.com/podcasts/digital-detectives/" rel="nofollow"  target="_blank">http://legaltalknetwork.com/podcasts/digital-detectives/</a>.   Gallivan Gallivan &amp; O&#8217;Melia (GGO) is proud to sponsor the efforts of visionary educators and thought leaders in litigation technology and e-discovery.</p>
<p>via <a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2012/01/18/prweb9119204.DTL" rel="nofollow" >Digital WarRoom Sponsors Digital Detectives Podcast Series, Currently Featuring Bruce Olson on Cost Effective E-Discovery for Small Cases</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/viaforensics-kick-digital-detectives-podcast-series.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. Shuts Down Megaupload File-Sharing Site, Anonymous Retaliates With DDoS Attacks</title>
		<link>http://viaforensics.com/security/u-s-shuts-down-megaupload-file-sharing-site-anonymous-retaliates-with-ddos-attacks.html</link>
		<comments>http://viaforensics.com/security/u-s-shuts-down-megaupload-file-sharing-site-anonymous-retaliates-with-ddos-attacks.html#comments</comments>
		<pubDate>Fri, 20 Jan 2012 14:25:48 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=9359</guid>
		<description><![CDATA[ <p>The battle is heating up:</p> <p>A day after the Internet was abuzz with protests of the proposed SOPA and PIPA anti-piracy bills, the Department of Justice took a major action against many of the top executives of Megaupload, a popular file-sharing site that the government says was the basis for an &#8220;international organized [...]]]></description>
			<content:encoded><![CDATA[
<p>The battle is heating up:</p>
<blockquote><p>A day after the Internet was abuzz with protests of the proposed SOPA and PIPA anti-piracy bills, the Department of Justice took a major action against many of the top executives of Megaupload, a popular file-sharing site that the government says was the basis for an &#8220;international organized criminal enterprise allegedly responsible for massive worldwide online piracy of numerous types of copyrighted works&#8221;. Prosecutors revealed indictments against seven people, all of whom are foreign nationals, as part of the case. As a result of the indictments and shutdown of Megaupload, Anonymous retaliated with a series of DDoS attacks against sites owned by Justice, Universal Music and the Motion Picture Association of America&#8230;</p>
<p>&#8220;According to the indictment, for more than five years the conspiracy has operated websites that unlawfully reproduce and distribute infringing copies of copyrighted works, including movies – often before their theatrical release – music, television programs, electronic books, and business and entertainment software on a massive scale. The conspirators’ content hosting site, Megaupload.com, is advertised as having more than one billion visits to the site, more than 150 million registered users, 50 million daily visitors and accounting for four percent of the total traffic on the Internet,&#8221; Justice Department officials said in a statement.</p>
<p>via <a href="http://threatpost.com/en_us/blogs/us-shuts-down-megaupload-file-sharing-site-anonymous-retaliates-ddos-attacks-012012" rel="nofollow" >U.S. Shuts Down Megaupload File-Sharing Site, Anonymous Retaliates With DDoS Attacks | threatpost</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/u-s-shuts-down-megaupload-file-sharing-site-anonymous-retaliates-with-ddos-attacks.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers steal $6.7 million in bank cyber heist</title>
		<link>http://viaforensics.com/security/hackers-steal-67-million-bank-cyber-heist.html</link>
		<comments>http://viaforensics.com/security/hackers-steal-67-million-bank-cyber-heist.html#comments</comments>
		<pubDate>Thu, 19 Jan 2012 15:00:45 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[forensic tools]]></category>
		<category><![CDATA[liveForensics]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=9345</guid>
		<description><![CDATA[ <p>We&#8217;ve been preaching for years that organizations need to take a more proactive approach to their security. Services, such as our liveForensics, add additional layers of security to protect against such breaches.</p> <p>Unfortunately, the Postbank&#8217;s fraud detection system hasn&#8217;t performed as it should, and the crime was discovered only after everyone returned to [...]]]></description>
			<content:encoded><![CDATA[
<p>We&#8217;ve been preaching for years that organizations need to take a more proactive approach to their security. Services, such as our <a href="http://viaforensics.com/services/security/liveforensics/" rel="nofollow"  target="_blank">liveForensics</a>, add additional layers of security to protect against such breaches.</p>
<blockquote><p>Unfortunately, the Postbank&#8217;s fraud detection system hasn&#8217;t performed as it should, and the crime was discovered only after everyone returned to work after the holiday break. Apparently, it should not come as a surprise &#8211; according to a banking security expert, &#8220;the Postbank network and security systems are shocking and in desperate need of an overhaul.&#8221;</p>
<p>The post office and the police have confirmed that the breach happened and that the National Intelligence Agency (NIA) is involved in the investigation. The bank has issued a statement saying that none of its customers&#8217; bank accounts were affected by the heist.</p>
<p>The investigation will hopefully reveal whether the backdoor into the compromised computer was installed by the employee unwittingly or whether the employee was recruited by the gang to allow them access.</p>
<p>via <a href="http://net-security.org/secworld.php?id=12230" rel="nofollow" >Hackers steal $6.7 million in bank cyber heist</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/hackers-steal-67-million-bank-cyber-heist.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA chief: Last year&#8217;s breach has silver lining</title>
		<link>http://viaforensics.com/security/rsa-chief-last-years-breach-has-silver-lining.html</link>
		<comments>http://viaforensics.com/security/rsa-chief-last-years-breach-has-silver-lining.html#comments</comments>
		<pubDate>Wed, 18 Jan 2012 21:49:09 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=9343</guid>
		<description><![CDATA[ <p>The silver lining of last year&#8217;s security breach is that it has led to stronger security and better awareness of security issues.</p> <p>On another topic, Coviello says businesses are rushing and therefore missing an opportunity to build security into virtual and cloud environments as they adopt them.</p> <p>&#8220;[A]s much as I&#8217;ve preached for three [...]]]></description>
			<content:encoded><![CDATA[
<p>The silver lining of last year&#8217;s security breach is that it has led to stronger security and better awareness of security issues.</p>
<blockquote><p>On another topic, Coviello says businesses are rushing and therefore missing an opportunity to build security into virtual and cloud environments as they adopt them.</p>
<p>&#8220;[A]s much as I&#8217;ve preached for three or four years that we have an opportunity to get it right this time as we virtualize our environments and we go to cloud [by building] security in, it just isn&#8217;t happening,&#8221; he says. &#8220;We&#8217;re making the same mistakes all over again.&#8221;</p>
<p>The problem is that businesses crave the functionality and savings of virtualization and cloud at the expense of security. &#8220;[I]t&#8217;s just unfortunately the way the world works sometimes, that people want to get the benefits of a new technology wave and don&#8217;t always think through all the security ramifications,&#8221; Coviello says.</p>
<p>Despite those shortcomings, Coviello says businesses are accelerating the overhaul of their traditional security to adopt defensive models that are advocated by RSA, particularly automating security analysis and response.</p>
<p>&#8220;You would like to think that people would come to these conclusions and act on them more quickly,&#8221; he says, &#8220;but there&#8217;s such competition &#8211; whether it&#8217;s budget, whether it&#8217;s business initiative, whether it&#8217;s overhauling their own infrastructure, whether it&#8217;s this crazy economy we&#8217;re working with &#8212; it never goes as fast as you think it should or could.&#8221;</p>
<p>via <a href="http://www.networkworld.com/news/2012/011612-rsa-coviello-story-254932.html?hpg1=bn" rel="nofollow" >RSA chief: Last year&#8217;s breach has silver lining</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/rsa-chief-last-years-breach-has-silver-lining.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No-permission Android App Gives Remote Shell</title>
		<link>http://viaforensics.com/security/nopermission-android-app-remote-shell.html</link>
		<comments>http://viaforensics.com/security/nopermission-android-app-remote-shell.html#comments</comments>
		<pubDate>Tue, 20 Dec 2011 14:45:46 +0000</pubDate>
		<dc:creator>Thomas Cannon</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[viaForensics Articles]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=9196</guid>
		<description><![CDATA[ <p>I have been working at viaForensics as the Director of R&#38;D for about 5 months now, and in that time I&#8217;ve been involved in some exciting research projects. I haven&#8217;t had the opportunity to blog on our company site yet so I thought I&#8217;d take a little time out and record a video [...]]]></description>
			<content:encoded><![CDATA[
<p>I have been working at viaForensics as the Director of R&amp;D for about 5 months now, and in that time I&#8217;ve been involved in some exciting research projects. I haven&#8217;t had the opportunity to blog on our company site yet so I thought I&#8217;d take a little time out and record a video to demonstrate an Android issue that is of interest to many of our clients.</p>
<p>When talking with people and reading posts on the web I&#8217;ve often heard people say that the Android permission system protects their device such that apps without certain permissions are therefore safe to install. The permissions system on Android is a fantastic idea and generally well implemented; it gives apps just enough permissions or capabilities to perform the required functions without exposing capabilities that could be used in a dangerous way. It is a step up in protection when compared with a typical desktop system, but this increased protection can give rise to a false sense of security.</p>
<p>Putting aside the issue of users ignoring the permissions when installing apps, can we rely solely on permissions to decide if an app is safe? There are multiple controls in Android and its ecosystem that protect a user and their device, but one should not automatically assume that installing an app, even if it requires no permissions, is safe.</p>
<p>To demonstrate this we&#8217;ve built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality we are exploiting to do this is not new; it has been quietly pointed out for a number of years and was explained in depth at Defcon 18 [1]. It is not a zero-day exploit or a root exploit. We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms.</p>
<p style="text-align: left;">Please see the video below with accompanying audio for further explanation.</p>
<p style="text-align: center;"><iframe src="http://player.vimeo.com/video/33576202?title=0&amp;byline=0&amp;portrait=0&amp;color=59a5d1" frameborder="0" width="601" height="338"></iframe></p>
<p style="text-align: center;">Link to video: <a href="http://vimeo.com/thomascannon/android-reverse-shell" rel="nofollow" title="Android No-permissions Reverse Shell" >Android No-permissions Reverse Shell</a></p>
<p>I should also mention here a recent paper by Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang from NCSU who have developed a tool to <a href="http://lwn.net/Articles/470627/" rel="nofollow" title="Paper: Capability leaks in Android phones"  target="_blank">detect capability leaks in Android devices</a>. Using their tool they found a number of capability leaks, such as being able to send an SMS, in various Android applications usually added by OEMs. Malicious applications can call the vulnerable apps and exploit the lack of protection around permission/capability use and therefore do not need to request permissions themselves. In a similar way we&#8217;ve exploited the Android Web Browser, although we are not exploiting a vulnerability due to bad coding, but rather using the functionality it legitimately offers to other applications.</p>
<p>In this demonstration Android&#8217;s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power combined with the open nature of Android also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client&#8217;s intellectual property as it passed through their devices. It is no surprise that we have seen adoption of Android research projects in the military and government as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it.</p>
<p>I hope this demo was of interest and that it generates some discussion around the best ways to select and use apps which offer the least risk to your device and data.</p>
<p><strong>Update 20-Dec-2011</strong>: As mentioned these issues are not new and have been discussed before. Updated to include a link to one such talk which does a good job of explaining some of the issues (thanks Tim):<br />
[1] Defcon 18 Presentation &#8220;These Aren&#8217;t The Permissions You&#8217;re Looking For&#8221; by Tim Wyatt, David Luke Richardson and Anthony Lineberry. <a href="http://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf" rel="nofollow" title="Slides" >PDF Link</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/nopermission-android-app-remote-shell.html/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cloud Services Credentials Easily Stolen Via Google Code Search</title>
		<link>http://viaforensics.com/security/cloud-services-credentials-easily-stolen-google-code-search.html</link>
		<comments>http://viaforensics.com/security/cloud-services-credentials-easily-stolen-google-code-search.html#comments</comments>
		<pubDate>Wed, 16 Nov 2011 15:22:18 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data storage]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=8402</guid>
		<description><![CDATA[ <p>Security researchers have found that sensitive data stored on public cloud services can be easily accessed by thieves with a little Google know-how. Researchers are warning companies not to store critical data on the public cloud:</p> <p>&#8220;It is not a good idea to put sensitive data out in the cloud right now &#8212; at [...]]]></description>
			<content:encoded><![CDATA[
<p>Security researchers have found that sensitive data stored on public cloud services can be easily accessed by thieves with a little Google know-how. Researchers are warning companies not to store critical data on the public cloud:</p>
<blockquote><p>&#8220;It is not a good idea to put sensitive data out in the cloud right now &#8212; at least not until there are intrusion-detection systems that would let users see these types of searches on their cloud services,&#8221; says Fran Brown, managing director at Stach &amp; Liu. &#8220;Companies are pushing forward on the cloud because they want the functionality, but they&#8217;re not seeing the risk.&#8221;</p>
<p>In an online demonstration, Brown showed how an attacker who knows Google and some simple facts about cloud services authentication can easily find the access codes, passwords, and secret keys needed to unlock data stored in public cloud services environments such as Amazon&#8217;s EC3.</p>
<p>Such data is routinely stored by application developers and system administrators who don&#8217;t know that their simple text files might be indexed by search engines and discoverable with a simple Google code search, Brown says.</p>
<p>&#8220;We found literally thousands of keys stored this way, any one of which could be used to take control of computers in the cloud, shut them down, or used to launch attacks on other computers on the same service,&#8221; he states.</p>
<p>via <a href="http://www.darkreading.com/cloud-security/167901092/security/vulnerabilities/231902718/cloud-services-credentials-easily-stolen-via-google-code-search.html" rel="nofollow" >Cloud Services Credentials Easily Stolen Via Google Code Search &#8211; Dark Reading</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/cloud-services-credentials-easily-stolen-google-code-search.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FBI takes out $14M DNS malware operation</title>
		<link>http://viaforensics.com/security/fbi-takes-out-14m-dns-malware-operation.html</link>
		<comments>http://viaforensics.com/security/fbi-takes-out-14m-dns-malware-operation.html#comments</comments>
		<pubDate>Mon, 14 Nov 2011 15:11:46 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[liveForensics]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[threatForensics]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=8396</guid>
		<description><![CDATA[ <p>Closing out a two-year investigation, U.S. law enforcement has reportedly shut down a huge Internet fraud scheme centered in Estonia that it says &#8220;injected malware  in more than four million computers in over 100 countries while generating $14 million in illegitimate income.&#8221; Infected computers include over 500,000 U.S. computers, including some belonging to [...]]]></description>
			<content:encoded><![CDATA[
<p>Closing out a two-year investigation, U.S. law enforcement has reportedly shut down a huge Internet fraud scheme centered in Estonia that it says &#8220;injected malware  in more than four million computers in over 100 countries while generating $14 million in illegitimate income.&#8221; Infected computers include over 500,000 U.S. computers, including some belonging to NASA.</p>
<p>The damage done goes beyond just collecting illegitimate income:</p>
<blockquote><p>The FBI went on to note the harm inflicted by the defendants was not merely a matter of reaping illegitimate income. The defendants also inflicted the following:</p>
<ul>
<li style="padding-bottom: 8px;">Unwitting customers of the defendants&#8217; sham publisher networks were paying for Internet traffic from computer users who had not intended to view or click their ads.</li>
<li style="padding-bottom: 8px;">Users involuntarily routed to Internet ads may well have harbored discontent with those businesses, even though the businesses were blameless.</li>
<li style="padding-bottom: 8px;">And then there is the harm to the users of the hijacked computers. The DNSChanger malware was a virus more akin to an antibiotic-resistant bacterium. It had a built-in defense that blocked anti-virus software updates. And it left infected computers vulnerable to other malware.</li>
</ul>
<p>via <a href="http://www.networkworld.com/community/blog/fbi-takes-out-14m-dns-malware-operation" rel="nofollow" >Layer 8: FBI takes out $14M DNS malware operation</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/fbi-takes-out-14m-dns-malware-operation.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Digital download service Steam suffers a security breach</title>
		<link>http://viaforensics.com/security/digital-download-service-steam-suffers-security-breach.html</link>
		<comments>http://viaforensics.com/security/digital-download-service-steam-suffers-security-breach.html#comments</comments>
		<pubDate>Fri, 11 Nov 2011 15:29:21 +0000</pubDate>
		<dc:creator>Jon Pisani</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=8391</guid>
		<description><![CDATA[ <p>The digital download giant Steam suffered a massive security breach earlier this week. A press release issued by Steam Founder Gabe Newell reads:</p> <p>Dear Steam Users and Steam Forum Users,</p> <p> Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond [...]]]></description>
			<content:encoded><![CDATA[
<p>The digital download giant Steam suffered a massive security breach earlier this week. A press release issued by Steam Founder Gabe Newell reads:</p>
<blockquote><p>Dear Steam Users and Steam Forum Users,</p>
<p>    Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.</p>
<p>    We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.</p>
<p>    We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.</p>
<p>    While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.</p>
<p>    We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.</p>
<p>    We will reopen the forums as soon as we can.</p>
<p>    I am truly sorry this happened, and I apologize for the inconvenience.</p>
<p>    Gabe.
</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/digital-download-service-steam-suffers-security-breach.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile security exploits double in 2011, IBM says &#8211; channelbuzz.ca</title>
		<link>http://viaforensics.com/security/mobile-security-exploits-double-2011-ibm-channelbuzzca.html</link>
		<comments>http://viaforensics.com/security/mobile-security-exploits-double-2011-ibm-channelbuzzca.html#comments</comments>
		<pubDate>Tue, 25 Oct 2011 14:59:35 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[computer forensics]]></category>
		<category><![CDATA[forensic tools]]></category>
		<category><![CDATA[mobile forensics]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[viaForensics in the Media]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=8170</guid>
		<description><![CDATA[ <p>What sets viaForensics apart from other security organizations? Our proactive forensic approach, that&#8217;s what.</p> <p>Andrew Hoog would certainly agree with the need for including forensics in daily operational activities. The CIO for Chicago-based viaForensics says his firm provides a unique way for companies to safeguard against mobile app threats and other nefarious cyber-attacks.</p> [...]]]></description>
			<content:encoded><![CDATA[
<p>What sets viaForensics apart from other security organizations? Our proactive forensic approach, that&#8217;s what.</p>
<blockquote><p>Andrew Hoog would certainly agree with the need for including forensics in daily operational activities. The CIO for Chicago-based viaForensics says his firm provides a unique way for companies to safeguard against mobile app threats and other nefarious cyber-attacks.</p>
<p>In a nutshell, viaForensics is a digital forensics and security firm. It has developed a mobile app security service and it provides a continuous forensic monitoring solution.</p>
<p>“More of our emphasis has been applying forensics proactively to complex security problems. Forensics is a key component to the mobile app security work that we do among other techniques,” he said. “We apply forensics also to more traditional security problems like monitoring and protecting key assets.”</p>
<p>Hoog explained that’s the defining difference between what viaForensics offers versus other security vendors. To its credit, the young firm has been working with a number of Canadian government and law enforcement agencies of late.</p>
<p>“In the past, forensics was a reactive thing that people brought in for certain instances. But if you bring it in in real-time, or proactively, it’s a significant game-changer,” he continued. “What we bring that’s different is a combination of traditional (security) techniques and our forensics layer. We’re on the cutting edge of forensics . . . the other guys may use their traditional techniques or they may buy some software but they’re always going to be a year behind the cybercriminals.”</p>
<p>via <a href="http://www.channelbuzz.ca/2011/10/mobile-security-exploits-double-in-2011-ibm-says-2649/" rel="nofollow" >Mobile security exploits double in 2011, IBM says</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/mobile-security-exploits-double-2011-ibm-channelbuzzca.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researchers crack W3C encryption standard for XML</title>
		<link>http://viaforensics.com/security/researchers-crack-w3c-encryption-standard-for-xml.html</link>
		<comments>http://viaforensics.com/security/researchers-crack-w3c-encryption-standard-for-xml.html#comments</comments>
		<pubDate>Mon, 24 Oct 2011 16:45:43 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[data storage]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[XML]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=8168</guid>
		<description><![CDATA[ <p>Researchers have demonstrated that they can decrypt data in XML documents, which may give pause to those who rely on Web-based services to handle sensitive data:</p> <p>XML Encryption is used widely as part of server-to-server Web services connections to transmit secure information mixed with non-sensitive data, based on cipher-block chaining. It can be [...]]]></description>
			<content:encoded><![CDATA[
<p>Researchers have demonstrated that they can decrypt data in XML documents, which may give pause to those who rely on Web-based services to handle sensitive data:</p>
<blockquote><p>XML Encryption is used widely as part of server-to-server Web services connections to transmit secure information mixed with non-sensitive data, based on cipher-block chaining. It can be used, for example, to encrypt credit card information for a payment within an XML-based purchase order, so that the general data can be accessed by everyone who needs to have access to it while access to the financial data is limited to the people or systems authorized to process it.</p>
<p>But that encryption is apparently very weak, as Juraj Somorovsky and Tibor Jager of Ruhr University Bochum demonstrated. &#8220;We were able to decrypt data by sending modified ciphertexts to the server, by gathering information from the received error messages,&#8221; the pair wrote in their paper, presented at ACM. They were able to demonstrate that the exploit worked on both a popular open-source implementation of W3C XML Encryption and on the implementation of every company that responded to their disclosure.</p>
<p>Fixing the vulnerability will require a total rewrite of the W3C standard. &#8220;There is no simple patch for this problem,&#8221; Somorovsky said in a statement issued by Ruhr University Bochum. &#8220;We therefore propose to change the standard as soon as possible.&#8221;</p>
<p>via <a href="http://arstechnica.com/business/news/2011/10/researchers-break-w3c-encryption-standard-for-xml.ars" rel="nofollow" >Researchers crack W3C encryption standard for XML</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/researchers-crack-w3c-encryption-standard-for-xml.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

