Malware Catches Up with Macs

Full Disclosure: I used to be one of those Mac users who wasn’t too concerned with malicious links and suspicious emails because, hey, I use a Mac and Macs aren’t that susceptible to malware. … Oh, how I miss those days.

Mac malware is on the rise: an estimated 600,000 computers are currently infected by the Flashback Trojan, and a second exploit targets a security flaw in outdated copies of Microsoft Office for Mac. Here’s some information on the Flashback Trojan’s effects, from PCMag:

The Java flaw exploited by the so-called Flashback Trojan dates back to February, but Apple did not release a patch until April 3. As a result, approximately 550,000 Macs were infected, according to data released this week from anti-virus vendor Doctor Web.

Doctor Web today provided a few more details about the proliferation of the Flashback Trojan. Almost 350,000 of the affected devices were in the U.S., with about 125,000 in Canada, and 75,000 in Great Britain.

In the U.S., Manhattan-based Macs saw the largest number of traceable infections at about 5,000, followed by Brooklyn, Los Angeles, and Chicago. But the whereabouts of almost 18,000 affected Macs was unknown, Doctor Web said.

In Canada, Toronto was hardest hit (14,000), while Londoners were most-impacted in the U.K. (almost 20,000). For more details, see the map below.

As PCMag’s Security Watch noted yesterday, Mac users did not have to download or even interact with the malware to become infected. Websites exploited a Java flaw that let Flashback.K download itself onto Macs without warning. It then asked users to supply an administrative password, but even without that password, the malware was already installed.

And this is how the Microsoft Office exploit works (from PCWorld):

Continue Reading

Lessons From the TweetDeck Security-Induced Outage

The recent TweetDeck issue can teach us two very important lessons:

  1. You can’t find all the bugs in the lab, because some issues will only affect a small, small portion of your user base, and those bugs will more often than not be found in the hands of users, in the wild.
  2. Security testing doesn’t just mean making sure hackers can’t get into your app. It should also test your app for proper handling of confidentiality, integrity, availability, non-repudiation, authorization and authentication.

It’s this last one in particular that caught TweetDeck off guard. In case you missed the story, here’s a recap from TechCrunch:

Twitter has taken its Tweetdeck app offline after an apparent bug has possibly given some Tweetdeck users access to others’ accounts.

A Sydney, Australia-based Tweetdeck user named Geoff Evason says he discovered today he was somehow able to access hundreds of Twitter and Facebook accounts through Tweetdeck. In an email to TechCrunch, he explained the situation like this:

“I’m a TweetDeck user. A bug has given me access to hundreds of Twitter and Facebook accounts through TweetDeck. I didn’t do anything special to make this happen. I just logged in one day, the account was slower than normal, and I could post from many more accounts.”

Get more details at TechCrunch >>>

Luckily, the person who found this bug, Geoff Evason, wasn’t malicious or a hacker. He could have done cruel things with those Twitter accounts and potentially caused even more damage with access to the private information people tend to share on Facebook. Instead, he did a little poking around to prove the bug was valid (like any good tester does) and went about getting the issue addressed and corrected.

The incident was so severe that Twitter (which owns TweetDeck) took the entire application offline until the issue could be pinpointed and resolved. Kudos to Twitter for treating this as seriously as it did, but the question is, now what? What caused this bug? Was there an update that affected the app? Will Twitter do comprehensive regression testing to make sure there are no other unnoticed issues? It should probably do some digging to make sure those other facets of security are up to par.

Continue Reading

You Are Losing the Battle With Hackers. Yes, You.

“We’re not winning. … I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.”

That’s a quote from Shawn Henry, the FBI’s top cyber cop, who has spent two decades with the bureau, from a recent interview with the Wall Street Journal. And he’s not alone in thinking that there need to be fairly substantial changes to software and network security.

James A. Lewis, a senior fellow on cybersecurity at the Center for Strategic and International Studies, said that as gloomy as Mr. Henry’s assessment may sound, “I am actually a little bit gloomier. I think we’ve lost the opening battle [with hackers].” Mr. Lewis said he didn’t believe there was a single secure, unclassified computer network in the U.S.

“There’s a kind of willful desire not to admit how bad things are, both in government and certainly in the private sector, so I could see how [Mr. Henry] would be frustrated,” he added.

Big companies, small start-ups, utility providers, government agencies, no one is safe from hackers and many networks are less secure than organizations think.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said. …

Mr. Henry said FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.

“We have found their data in the middle of other investigations,” he said. “They are shocked and, in many cases, they’ve been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially.”

Mr. Henry said that while many company executives recognize the severity of the problem, many others do not, and that has frustrated him. But even when companies build up their defenses, their systems are still penetrated, he said. “We’ve been playing defense for a long time. …You can only build a fence so high, and what we’ve found is that the offense outpaces the defense, and the offense is better than the defense,” he said.

Continue Reading

Buffer Overflow Attacks Get Much, Much Harder

It’s been almost 16 years since Aleph One published his classic article, Smashing The Stack For Fun And Profit. In it, Aleph One (whose real name is Elias Levy) laid out a template for executing buffer overflow attacks that any computer-savvy hacker could follow. Back then, developers were more naive about writing code with rigorous bounds checking, and a great many applications written in C and C++ had exploitable buffer overflow vulnerabilities. With the growth of Internet-connected applications (written in C and C++, of course), hackers and worm writers remotely felled software from giants like Microsoft, Oracle, Sun Microsystems and others. Buffer overflows became the scary monster security vulnerability of the late ’90s and early 2000s, and even today a buffer overflow is the prized find among security bugs, conferring black-belt status on whoever discovers one.

Since then, a lot has changed. Both Intel and AMD have added hardware support to x86, most visibly the NX (no-execute) bit, which lets the operating system mark the stack non-executable so that the classic trick of jumping into shellcode placed in the overflowed buffer no longer works. In addition, newer compilers and operating systems have added defenses of their own, such as stack canaries (a secret value placed between local buffers and the saved return address and checked before the function returns) and data execution prevention, that make exploiting compiled applications more difficult.

One of those techniques is Address Space Layout Randomization, or ASLR. Exploiting a buffer overflow requires knowing the location of certain memory addresses: the overwritten return address has to point at something useful. It used to be that those addresses were predictable for a given application, but newer operating systems shake them up each time the app loads. It’s like shuffling a deck of cards and then expecting you to figure out which card is the queen of spades on the first try. If you shuffle it the same way every time, I’ll figure it out pretty quickly. But if you make your shuffle truly random, then I’m out of luck.

Microsoft will be improving its implementation of ASLR in Windows 8, making it much harder to predict the location of addresses for an application as well as for all the supporting libraries around it. That means it will be even harder for an attacker to predict addresses, which makes buffer overflow exploits much harder. One caveat worth keeping in mind: ASLR only helps when every loaded module opts in and the attacker has no way to leak an address. A single non-randomized library, or an information-disclosure bug that reveals one pointer, gives the attacker the fixed reference point the shuffle was supposed to take away.
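To make the mechanics concrete, here is an added example of my own (not code from Aleph One’s article or from any of the posts linked here). It models a 1996-style stack frame as a plain byte array so the overflow is well-defined behaviour in this program: a 16-byte local buffer, the slot a canary-enabled compiler reserves, and the saved return address. An unchecked copy of a constructed payload overwrites the return address; the same payload trips the canary check; a bounded copy never reaches it. The addresses and the canary value are constructed constants, not values from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout: [ buffer 16 ][ canary 8 ][ saved return address 8 ]. */
enum {
    BUF_SIZE   = 16,
    CANARY_POS = BUF_SIZE,
    RET_POS    = CANARY_POS + 8,
    FRAME_SIZE = RET_POS + 8
};

/* Constructed values for the demo; not real addresses or a real canary. */
#define LEGIT_RET 0x0000000000401000ULL
#define CANARY    0x00c0ffee1badf00dULL   /* a real build draws this at random per process */

struct frame {
    uint8_t bytes[FRAME_SIZE];
};

static void put_u64(uint8_t *dst, uint64_t v) { memcpy(dst, &v, sizeof v); }
static uint64_t get_u64(const uint8_t *src) { uint64_t v; memcpy(&v, src, sizeof v); return v; }

static void frame_init(struct frame *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    put_u64(f->bytes + CANARY_POS, CANARY);
    put_u64(f->bytes + RET_POS, LEGIT_RET);
}

static uint64_t frame_ret(const struct frame *f) { return get_u64(f->bytes + RET_POS); }

/* What a canary-checking function epilogue does before "ret": 1 if intact, 0 if smashed. */
static int canary_intact(const struct frame *f) { return get_u64(f->bytes + CANARY_POS) == CANARY; }

/* The Aleph One pattern: copy attacker-controlled data with no length check.
 * Bytes past the buffer land on the canary slot and then on the return address. */
static void copy_unchecked(struct frame *f, const uint8_t *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* keeps the toy inside its array; strcpy() has no such cap */
    memcpy(f->bytes, in, len);
}

/* The fix: never copy more than the buffer holds. Returns 1 if input was truncated. */
static int copy_bounded(struct frame *f, const uint8_t *in, size_t len) {
    size_t n = len < BUF_SIZE ? len : BUF_SIZE;
    memcpy(f->bytes, in, n);
    return len > BUF_SIZE;
}

/* Classic payload: filler to the end of the buffer, 8 bytes that clobber the canary,
 * then the address to return into. Under ASLR that address is a guess; under a
 * random canary the 'B's are a guess too. Returns the payload length (32). */
static size_t build_payload(uint8_t *out, uint64_t target) {
    memset(out, 'A', BUF_SIZE);
    memset(out + CANARY_POS, 'B', 8);
    put_u64(out + RET_POS, target);
    return FRAME_SIZE;
}

/* Scenario 1: unchecked copy. Returns 1 if the saved return address now equals target. */
int hijack_with_unchecked_copy(uint64_t target) {
    struct frame f; uint8_t payload[FRAME_SIZE];
    frame_init(&f);
    copy_unchecked(&f, payload, build_payload(payload, target));
    return frame_ret(&f) == target;
}

/* Scenario 2: same copy, but the epilogue checks the canary. Returns 1 if the smash is detected. */
int canary_detects_unchecked_copy(uint64_t target) {
    struct frame f; uint8_t payload[FRAME_SIZE];
    frame_init(&f);
    copy_unchecked(&f, payload, build_payload(payload, target));
    return !canary_intact(&f);
}

/* Scenario 3: bounded copy. Returns 1 if the return address is still LEGIT_RET. */
int bounded_copy_keeps_ret(uint64_t target) {
    struct frame f; uint8_t payload[FRAME_SIZE];
    frame_init(&f);
    copy_bounded(&f, payload, build_payload(payload, target));
    return frame_ret(&f) == LEGIT_RET;
}

int main(void) {
    uint64_t target = 0xdeadbeefULL;   /* constructed attacker-chosen address */
    printf("unchecked copy hijacked return address: %d\n", hijack_with_unchecked_copy(target));
    printf("canary check caught the overflow:        %d\n", canary_detects_unchecked_copy(target));
    printf("bounded copy left return address intact: %d\n", bounded_copy_keeps_ret(target));
    return 0;
}
```

The three scenarios line up with the defenses in the paragraphs above: the bounded copy is the developer-side fix, the canary is the compiler’s, and ASLR attacks the one input the payload still needs, the `target` value, by making it unguessable. None of them is sufficient alone, which is why modern toolchains stack all three.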

Want to learn more? Ars Technica has a great post about how ASLR will be used to improve the security of IE10. Also, check out this article by Paul Makowski about all the things that have changed in computer security since 1996 that make buffer overflows so much harder to exploit.

Why Security Testing Is So Important

You can do just about anything online these days, so much so that it feels like an inconvenience if you can’t complete a task online. But some things are just best done the old-fashioned way.

Take, for example, the act of voting. I’m not talking about voting for American Idol (which you actually can do online now); I’m talking about voting in a major, official election. While paper absentee ballots may seem outdated, voting has proved too fragile and too tempting a target to be shifted online. We wouldn’t know that, though, without some good, solid security testing.

A few years ago an e-voting system was created for Washington, D.C., and in 2010 its developers reached out to security testing experts to put the system through its paces. It failed miserably. The story is surfacing again now because the process and results of the testing were recently officially published. The testers didn’t find some exceptionally complicated flaw detectable only with a lot of out-of-the-box thinking; they were able to completely infiltrate and manipulate the system. Here’s The H with some details:

“Within 48 hours of the system going live, we had gained near complete control of the election server”, the researchers wrote in a paper that has now been released. “We successfully changed every vote and revealed almost every secret ballot.” The hack was only discovered after about two business days – and most likely only because the intruders left a visible trail on purpose. …

The security experts investigated common vulnerable points such as login fields, the virtual ballots’ content and file names, and session cookies – and found several exploitable weaknesses. Even the Linux kernel used in the project proved to have a well-known vulnerability. They were also able to use the PDFs generated by the system to trick the encryption mechanism, while unsecured surveillance cameras provided additional insights into the infrastructure. While the open source nature of the code made their work somewhat easier, they believe that attackers would have been able to make quick headway even if the system had been proprietary.

Continue Reading

SQL Injection Still Top Threat

Guess what? The No. 1 security threat to your website is still SQL injection (not one of those hacker collectives that have been taking down websites left and right recently). SQL injection isn’t anything new; it’s been on the Open Web Application Security Project‘s Top 10 list since 2004 … when they started compiling the list.

Despite being on the security radar for literally years, injection flaws still account for the vast majority of breaches today. From PCWorld (emphasis added):

SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them; yet 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line, according to Neira Jones, head of payment security for Barclaycard.

Speaking at the Infosecurity Europe Press Conference in London last week, Jones said that hackers are taking advantage of businesses with inadequate and often outdated information security practices. …

In October 2011, for example, attackers planted malicious JavaScript on Microsoft’s ASP.Net platform. This caused the visitor’s browser to load an iframe with one of two remote sites. From there, the iframe attempted to plant malware on the visitor’s PC via a number of browser drive-by exploits.

Continue Reading

The App Store of Malware (I mean, Banned Apps)

Having just finished Steve Jobs’ biography, and being of the school of gated platforms – at least for my phone, where I don’t want to deal with bugs the way I might on my work laptop (sorry, Matt B and the uTest IT team) – I found this concept very interesting.

According to the BI article, “Android Hackers Plan App Store of Banned Apps,” a group of Android developers is looking to start its own app store for all the banned and rejected apps that didn’t make the cut. The article includes a quote from the potential founder that “apps removed from the Market include one-click root apps, emulators, tether apps, Visual Voicemail apps, and more.”

It sounds great, but we already know about the growing amount of malware on mobile operating systems, Android especially. Another alternative for apps is to create mobile-specific landing pages (i.e. HTML5 apps), as Grooveshark (music) and Untappd (beer reviews) have done, making the apps available via your mobile browser. Since then, Untappd has launched native apps for iOS and Android but has not shared traffic comparisons. [It won’t be applicable to most mobile users, but we cover some security exploits and common attacks in our Security Testing whitepaper.]

Am I the only one uber-sensitive about the integrity of my phone’s OS and apps? Would you download an app that isn’t scrutinized for security?

The Password is Password (but don’t tell anyone)

You don’t have to be an expert in security testing to understand the importance of a strong password. With hacking incidents at an all-time high, you might assume that users everywhere have taken the appropriate steps to prevent thieves and miscreants from hijacking their accounts, stealing their information and pretty much ruining their lives.

Of course, you assumed wrongly. As Mashable recently pointed out, the most popular password is…wait for it…password! There are some other gems on their list of the 25 Worst Passwords of 2011, but here are the top finishers:

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon

So if you see your own password on this list, please stop what you’re doing and change it now, because there’s nothing funny about a stupid password…

Continue Reading

Missile Firing Predator Drones + Virus = Bad News

We recently wrote about the need for security testing on medical equipment, but it looks like an even larger virus threat has come to light – on U.S. Predator and Reaper drone weapons systems.

While an unofficial source said they suspect it’s benign, they also added, “But we just don’t know.” The thought of an attack drone being hacked is chilling, to say the least. Jalopnik has a nice write-up of some of their historic missions (and the virus), but this seems to reinforce the hypothesis that the United States is entering a “Code War”.

Here’s the crux:

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.

We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

For those interested, we have a new whitepaper on Software Security Testing.

uTest & Veracode Join Forces To Protect Against Security Breaches

Every few weeks, it seems like there’s another major security breach to the website, gaming system or native app of a big global brand.  And that doesn’t even include the hundreds (thousands?) of hacks into the properties of smaller enterprises, SMBs and startups that consumers may (or may not) hear about.

In fact, a few months ago we wrote about The Top Security Hacks of 2011, and referenced that the attacks on PlayStation were estimated to have cost Sony $24 billion – nearly 10x their revenue for the same period.

So here’s the point: Would you rather look back and say your company overshot and used too many systems for security testing? Or get that nauseous, sinking feeling in your gut when your CIO wakes you at 2:00am and says the company has spent too little?

That’s why – as the cornerstone of uTest’s showstopping announcement yesterday – we announced the launch of uTest Security Testing, which leverages the talents of new and existing white hat security professionals within our crowdsourced community. Since we now offer the first crowdsourced, real-world security testing in the world… there’s a new kid in town to join the collective effort to protect your company’s, and customers’, private data.

Moreover, we’ve joined forces with industry leader Veracode to provide seamless access to their complementary, cloud-based application security verification services.  Veracode has scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis.

As a result, companies will have access to a cost-effective, powerful combination of automated (Veracode) and real-world (uTest) testing that mitigates security risks across the entire software development lifecycle.

We’re thrilled, honored and excited to be partnering with Veracode. And we’re certain that our joint offering – as a complement to organizations’ in-house security testing – will offer tech executives peace of mind at a price with infinitely fewer zeroes than $24,000,000,000.