Horsing around at ShmooCon

February 6, 2012

Filed under: More Knowledge - More Security

Last weekend I attended ShmooCon, a yearly security conference held in Washington D.C. Today I want to explore several common themes I noted in many of the great technical presentations at the conference.

1) Operations

For many years, the community has been saying that security is facing an operations challenge, not simply one of technology and cash flow. Simply put, most people aren’t following our advice. Administrators aren’t reviewing logs, systems are still unpatched and users are still running as administrators. Risk increases every day that people don’t do the right thing; this is the fundamental reason most organizations get successfully attacked.

In many ways, this flaw in operations is like having a horse. You build a great stable. You put in lights and a heater. You put nice locks on the doors. You build out the plumbing system so the horse can have fresh water and then finally … you buy a horse and put it in the stable.  Sadly, most companies get to this point and then, after spending tens of thousands of dollars on their horse, decide spending $100 on oats is too expensive and just toss scraps into the stable as time permits.

Sadly, we live in a world full of dead and starving horses.


Skylanders: a parent’s worst nightmare

October 19, 2011

Filed under: Leigh's Security Tips

We discuss a variety of scams and social engineering-based attacks (FakeAV, email spam, hostageware, etc.) on this blog. Generally we point out new threats that are geared to exploit your computer’s security and trick you into parting with your hard-earned cash. Last night, however, I came across an even more insidious version of social engineering that was driving my sister-in-law to thoughts of homicide.

My nephew is 10. He has quite the creative imagination and when he gets something on his mind, it truly consumes him. I have him pegged to become the next Einstein or super villain seeking world domination. I’m not quite sure which direction he’ll go. :)

Last night he was showing me his recent birthday gifts – action figures and an Xbox game – from a brand new product line called “Skylanders.” On the surface, Skylanders is a fun interactive game similar to Pokemon, where you select a character and conquer the forces of evil. Once you start playing, however, its sinister design starts manifesting.

Each Skylanders character has unique stats that are used in the video game to determine how they match up against the ultimate bad guy, Chaos, and his evil minions. You simply place your little action figurine on a flat game controller called “the portal” and each character is brought to life within the video game. Once activated, you select which zone you want your character to play in. But oddly enough, certain Skylanders don’t perform terribly well in specific zones due to “environmental conditions.” Do you see where this is going?

Pokemon had the “Gotta Catch Them All” slogan and Skylanders abuses that scenario and then some.

As it turns out, Skylanders not only face environmental difficulties, but can also become hurt or die. Unlike most video games, there is no simple level restart or reset; a Skylander becomes unusable for several hours depending on the seriousness of its injury. If you’re not a good player or do not have the right characters for a particular zone, your Skylanders could all perish and you’re unable to play with them for the rest of the day.

This exact situation happened to my nephew the night he opened his birthday present. As a newbie, he quickly killed off all his characters after competing in a zone his character set couldn’t conquer. He now had a game he couldn’t play for the rest of the day, nor could he pass anyway without investing in additional figurines. After a little soul-searching, the obvious conclusion for my nephew was that mom needed to purchase ALL the Skylanders so he could play uninterrupted.

The game itself already costs $59.99 for the Mac/PC version and $69.99 for the Wii, PS3, Xbox or Nintendo 3DS versions. Each figurine then runs an additional $7.99, or $19.99 for a themed three-pack. If my nephew can weasel his mom into purchasing the entire collection, she’s looking at forking over $285!

I’m starting to think that a one-time charge of $89.99 for FakeAV is a bargain! These malware authors are in the entirely wrong business. The real hostageware is 10 year-olds coercing their parents into buying more Skylanders!

RJS Security Lunch & Learn – Nov. 9th

October 12, 2011

Filed under: RJS Software

Join us online or at RJS Headquarters for a special security “Lunch & Learn.”

Date: Wednesday, November 9, 2011
Starting Time: 11:00 AM CST
Location: RJS Headquarters – Burnsville, MN

Join us at RJS headquarters in Burnsville for a FREE RJS Security “Lunch & Learn.” This 90-minute event will provide attendees with a view of the current security landscape and best practice solutions to solve today’s hottest security issues.

You’ll learn advanced techniques on how to:
- Protect against data loss resulting from attacks or device theft
- Fight back against the malware tools hackers use to steal your data
- Keep your servers safe against network-based threats
- Safeguard your users from web-based attacks
- Eliminate application-level threats with patch management

Attendees will have a chance to win the new Amazon Fire!

Register for the onsite RJS Security Lunch & Learn.

Can’t join us in Burnsville? Register to view the live webcast.

Is this legit?

July 21, 2011

Filed under: Leigh's Security Tips

Take a look at the below image. Would you click on the “Learn how to fix this”?

I asked a few RJS employees that same question this morning and everyone unequivocally said absolutely not.

You might be surprised to learn that this is a legitimate image from our friends at Google. The problem is, security experts have been telling users to ignore “you might be infected” pop-ups for years. I have to ask, “Google, what were you thinking?”

In their defense, Google is earnestly trying to assist people with a FakeAV variant that hijacks the browser and proxies its traffic through a hostile server. Props to Google for notifying users who are actually infected, but isn’t it counterintuitive to do so with a suspicious-looking call-out like this?

Needless to say, it won’t be long before a malware campaign exploits this very image to spread FakeAV to unknowing users. Despite Google’s best intentions, they’re actually contributing to the problem.

Operation Trident Tribunal

June 23, 2011

Filed under: Leigh's Security Tips

In an amazing, coordinated sting operation involving 12 different countries, the FBI announced they have successfully taken down two Latvian cyber gangs who netted an incredible $74 million in scams.

Gang #1 tricked 960,000 victims into purchasing fraudulent software to remove several different variants of FakeAV scareware, which the gang had of course planted on the victims’ computers in the first place. The scammers averaged a haul of $75 per infection for a grand total of $72 million. The FBI was able to break the backbone of the criminal operation by seizing bank accounts and several servers in multiple countries.

The second gang targeted Minnesota’s premier newspaper, the Star Tribune. Utilizing a tactic called “malvertising,” the cyber criminal group created a fake advertising agency, purchased online ad space and then altered the ad’s code so that site visitors became infected with FakeAV scareware.  This small cyber crime team of two was able to score over $2 million in the scam. They were arrested by Latvian police and are facing wire fraud and computer fraud charges in the United States.

Sophos has an accompanying article that covers this as well, along with a discussion on “why do virus writers do it?”

Scareware on the rise and more hostile than ever!

May 24, 2011

Filed under: Leigh's Security Tips

Fakefrag is a relatively new addition to the scareware family that was introduced last fall. Instead of behaving like the familiar FakeAV variants, this one tries to convince you to purchase the offered protection by exploiting a supposed hard disk problem. Normally scareware is just a plain nuisance and can be easily removed. This new variant, however, is more similar to hostageware. If you allow it to run long enough, it will completely cripple your PC until you provide your credit card, at which point everything will be magically restored!

Image courtesy of Symantec

A few thoughts on malware:

- Last week, Microsoft released their key findings report on malware infection rates of Windows by OS version. Windows 7 is by far Microsoft’s most secure OS to date.

- Mac OS X is also extremely secure. Basically the only way you can defeat it is by exploiting holes in the installed software and tricking the end user into providing their admin password, thus giving the malware free run of the system.

- Ubuntu and other Linux distributions separate the user from escalated admin privileges. The admin password is required to make major system changes.

- Malware authors will always take the path of least resistance. It’s all about return on investment.

We’re entering an age where the OS is extremely secure and the weakest link is the end user. The obvious path of least resistance for a malware author is via social engineering, as evidenced by the aforementioned Fakefrag. Why go through all the hard work of attacking a hardened OS when the right sales pitch can net you a willing end user with a readily available credit card? Just ask the AppleCare center which was flooded with calls from Mac owners looking for assistance in removing the FakeAV variant MacDefender.

Check out this fantastic video by Symantec on what Fakefrag can do to your computer:

Mac OS X getting punished by malware

May 10, 2011

Filed under: Leigh's Security Tips

I read several reports last week of a new variant of FakeAV aimed at Mac OS X. The FakeAV disguises itself as the product “MacDefender” and is a classic example of the hostageware we know and love. It’s making the rounds on the web via search engine optimization (SEO) poisoning. When people click on the false links, they are presented with a FakeAV popup claiming their computer is infected. Naturally, the only way to fight off the “infection” is to break out your credit card and purchase MacDefender to remove the malware it has found.  

Once again targeting Mac OS X, a new form of malware was recently identified by CSIS, a Danish security company. This first-of-its-kind “crimeware kit” has been released under the name “Weyland-Yutani BOT” and produces malware based upon the Zeus and SpyEye form-grabbing banking Trojans. The crimeware kit uses a web-inject template to generate URLs for SEO poisoning that lead to the above MacDefender FakeAV installation. This partially redacted video on YouTube shows the form-grabber in action, demonstrating how the malware grabs user credentials from browser sessions. CSIS states that the malware currently runs under Firefox only, but the authors will certainly have versions for Safari and Chrome soon as well.

An update on Sony:

Much like HBGary Federal, Sony didn’t bother to update their web server… ever. According to congressional testimony, Sony used an unpatched Apache web server with no firewall. What’s worse, this issue was brought to Sony’s attention by an employee several months ago and apparently nothing was done to remedy the situation, which is truly inexcusable.
