Tuesday, December 10, 2013

Adobe Critical Updates:
Flash Player, AIR, Shockwave Player

--

It's the second Tuesday of the month, and the fourth quarterly one of the year, which means…

It's Adobe Security Update Day!

Adobe is offering three critical security updates:

Adobe Flash Player v11.9.900.170
Adobe AIR v3.9.0.1380
Adobe Shockwave Player v12.0.7.148

Happily, there is no Adobe Acrobat / Adobe Reader update required. The current version is 11.0.0.4.

Adobe Security Bulletins are available here:

Security updates available for Adobe Flash Player [and Adobe AIR]
These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331. Adobe Flash Player 11.6 and later provide a mitigation against this attack….

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2013-5331).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-5332).
Security update available for Adobe Shockwave Player
This update addresses a vulnerability that could allow an attacker, who successfully exploits this vulnerability, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 12.0.6.147 and earlier versions update to Adobe Shockwave Player 12.0.7.148 using the instructions provided in the "Solution" section above.

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2013-5333, CVE-2013-5334).
. . .
NOTE: 

Adobe has changed their updating process yet again. Using Adobe's update pages is now simple and logical. Thank you Adobe!

However, Adobe is again preventing users from downloading full installers of the Adobe Flash Player. Instead, all you get is a small installer application that requires access to the Internet in order to download the software components. This of course is entirely contrary to the Mac user experience. It is also annoying and inconvenient. If you have several computers to update, tough luck! If you want to update computers that are not connected to the Internet, tough luck! IOW: Retrograde user-hostility. No thank you Adobe!

I was also annoyed to see the Adobe Flash Player installer phone home to six different Adobe IP addresses during the installation. Six? Seriously? Just to be complicated?

Thankfully, Adobe has not pulled this stunt with the Adobe AIR or Adobe Shockwave Player installers. However, the Adobe AIR installer phones home to four different Adobe IP addresses. Adobe, I thought the ideal was to make installations simpler!


*sigh*


Adobe Customer Accounts Hacked
-> Adobe's Customer Security Alert

--

On October 3, 2013, Adobe announced that their customer accounts had been hacked:

Adobe Hacked, Data for Millions of Customers Stolen
"Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders," Brad Arkin, Adobe's chief security officer, wrote in a security alert….
Important Customer Security Announcement
At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident….
Adobe now has a Customer Security Alert page that covers what occurred, how to determine if you are affected, what Adobe has done about the situation and what you need to do to protect yourself.

Customer security alert
What do I need to do?
  • If your Adobe ID and password were involved…
  • Changing your password…
  • Other websites…
  • Protect yourself against non-legitimate email “phishing” attempts…
. . .

Adobe is kindly offering both phone and live chat support for those concerned. Please read their 'Customer Security Alert' for details.


Thursday, November 14, 2013

iOS 7.0.4 Security Update

--


Apple has released the iOS 7.0.4 update. As with the previous three iOS 7 updates, this one patches a critical security hole. This update specifically patches the App Store app:
APPLE-SA-2013-11-14-1 iOS 7.0.4
iOS 7.0.4 is now available and addresses the following:

App Store 
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later.

Impact: App and In-App purchases may be completed with insufficient authorization.

Description:  A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization.

CVE-ID
CVE-2013-5193
IOW: Sounds like another kids-gone-wild-buying-stuff flaw in iOS. I'm glad that's locked again!

:-Derek



MacRumors Forum Accounts Hacked!
Change your password ASAP

--

In case you haven't heard, this week it was revealed that the usernames, email addresses and (hashed) passwords of roughly 860,000 accounts were stolen from the MacRumors.com forums. Therefore: Change your MacRumors password immediately! And of course, use a unique password at each and every website.

There are two dangers when website accounts are hacked:

1) The hackers will mess over your account at the source website. They can pretend to be you, say anything and do anything as you. They can change your password and lock you out.

2) If you were as dopey as I used to be and used the same ID and password at different websites, the hackers can get into and mess over those accounts as well!

Here are some articles relevant to the MacRumors.com hyper-hack:

MacRumors Forums: Security Leak
Tuesday November 12, 2013 2:48 pm PST by Arnold Kim
Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a 3rd party security researcher. We believe that at least some user information was obtained during the attack.
In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password is now known. What this means for you, if you have a MacRumors Forums account, is the following:  
1. Change your password on our forums. If you have any problems, please contact us.  
2. If you used the same password on any other site, change it there also. . . 
Hack of MacRumors forums exposes password data for 860,000 users
by Dan Goodin - Nov 12 2013, 11:05pm EST
Readers who had MacRumors accounts would do well to follow Kim's advice and immediately change login credentials that use the same or similar password. They should also be vigilant of phishing attempts, since their user names and e-mail addresses have also been exposed.
MacRumors hacker who took 860,000 passwords speaks: “We’re not terrorists”
No plans to mass compromise accounts on other sites, post says.
by Dan Goodin - Nov 13 2013, 3:30pm EST
"We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason)," the user known simply as Lol wrote. "We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place."
He continued: "Consider the 'malicious' attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public."
In subsequent posts here and here, Lol expanded on the thinking behind the hack. "Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc. It builds quite the resumé." The MacRumors breach, Lol added, was taken on "to test myself. I never defaced the site, I never bragged about it anywhere, I just got in and got out."
Are hackers usually arrogant and superior in tone like this? Oh yes. But setting aside the overcompensation-for-personal-insecurity issues, hackers are a good thing. This hacker describes himself as doing 'white hat' work on the side, meaning testing by hacking and then reporting the security flaw to the creators of the software or website. Keep the distinction in mind, though: a white hat has permission to test and reports what was found. Breaking into a forum without permission and carrying off its user database is not that, whatever the intruder's other hobbies.


Here is one description of a white hat hacker:

http://en.wikipedia.org/wiki/White_hat_hacker
The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems. Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing. White-hat hackers may also work in teams called "sneakers", red teams, or tiger teams.
Despite what this guy says, I'd get busy changing your password at MacRumors.com, and anywhere else you used the same password. Here's where to change your MacRumors password:

http://forums.macrumors.com/profile.php?do=editpassword

White Hat ≈ Hacker
Black Hat ≈ Cracker

I recently heard Leo Laporte of TWiT and Steve Gibson of Gibson Research Corporation (GRC) speculate that the terms 'Hacker' and 'Cracker' were dead, essentially replaced by 'White Hat' and 'Black Hat'. I've seen no evidence for this assertion. Within the computer community, all four words retain significant descriptive meaning. Despite the drawbacks of either set of terms, I don't expect any of them will disappear from the technology vocabulary.

:-Derek



Saturday, October 26, 2013

Sandboxing Flash:
Safari 7 Is Adobe's Nanny

--

Adobe has been very naughty. Nanny is not pleased. So it's off to isolation in the sandbox with Adobe Flash, that reprobate obnoxious-ware of the Internet that has been more dangerous than useful.

Good news: Apple has joined the nanny crew and sent obstreperous, unreliable Flash off to the sandbox in Safari 7.

As per the SANS Institute via NewsBites Volume 15 Number 083:
Adobe Flash Player is now sandboxed in Apple's Safari browser. Adobe has already released sandboxed versions of Flash for Firefox, Chrome, and Internet Explorer. When software is sandboxed, it is granted limited privileges on a system; it may be prohibited from writing to a storage device or altering data in memory. The sandboxed version of Flash for Safari is for machines running OS X 10.9 Mavericks.
SANS also provides a couple links with details about the change:




What's Sandboxing?

Let's see what Wikipedia says:
The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.
IOW: It's a safe space for isolating bad actors from good actors on your computer.

Note, however, that Java applets were supposed to be 'sandboxed' too. That didn't work: a long string of bugs in the Java runtime let applets climb out of the sandbox and into the rest of the computer, and Oracle was slow to fix them. Therefore, it's important to be wary of anything labeled as 'sandboxed' that may in fact be leaking sand into places you don't want it to go. A sandbox limits what a compromised plug-in can do once it is exploited; it does nothing to stop the exploit itself. Time will tell if the Flash 'sandbox' is actually safe or not.

And no, sorry but this sandboxed version of Flash does not sandbox on earlier versions of Apple's Safari. It is exclusively supported in OS X Mavericks 10.9 and above.

The best way to keep naughty Flash from putting your computer at risk, sandbox or no sandbox, is to make certain it is up-to-date:



--

Friday, September 27, 2013

'I'm not dead yet!'

--

[No graphic here because Google borked]

For those concerned: I'm working through a lot of important processes at the moment that require my diversion from keeping the Mac-Security blog up-to-date. My apologies.

However, I've hopefully provided all the required resources in my 'Friends of Mac-Security' list at the right of this page. The only other items I'd add would be to regularly check for updates from Adobe and Java updates from Oracle. Thankfully, Apple automatically and reliably alerts users to updates.

Quick notes:
• There have been a few recent species of Mac malware crawling out of the malware rat holes. You can read about them at 'The Safe Mac' linked in the 'Friends of…' list at the right.
• Adobe, Oracle and Apple have provided a huge slew of critical security updates over the past two weeks.
• Also of vital note, the Touch ID system on the iPhone 5S has been 'cracked', or rather circumvented, by a variety of methods. IOW: It ain't perfect. In fact, it met the widespread expectation of not being much of an improvement over older fingerprint scanners. I can't personally recommend using it as anything but one factor in a multi-factor authentication scheme. Apple has kind-of, sort-of done that by requiring the passcode for certain actions, after a restart, and after 5 failed fingerprint attempts. I'll write in depth about this subject at another time.

Thanks for checking here for new posts! I expect I'll get the writing engine back up and running this weekend with a summary of what's new over the last few weeks.

:-Derek

[No graphic here because Google borked]

--

Saturday, August 31, 2013

Java 6 UNSAFE At Any Version:
*Shoot On Sight!*
It's Java 7 Update 25 or nothing.

--

The Java experience over the last couple years has been like living in a horror movie. Once Oracle got their hands on Java, they ruined it. Shame on you Oracle! I hate you.

This past week, Apple used their XProtect technology, found in OS X 10.6.8 onwards, to block every version of the Java web plug-in older than Java 6 update 51 and Java 7 update 25. Here is Apple's security announcement from Thursday:
APPLE-SA-2013-08-29-1 OS X: Java Web plug-in blocked
Due to multiple security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to:

Java 6 update 51
Java 7 update 25

More information on Apple-provided updates is available at
http://support.apple.com/kb/HT5797

Information on blocked web plug-ins will be posted to:
http://support.apple.com/kb/HT5660
OK. Except that's not good enough! According to Information Week, there is NO safe version of Java 6:

Hackers Target Java 6 With Security Exploits 
Mathew J. Schwartz | August 26, 2013 11:35 AM | Information Week
Warning to anyone still using Java 6: Upgrade now to Java 7 to avoid being compromised by active attacks.

That alert came via F-Secure anti-malware analyst Timo Hirvonen, who reported finding an in-the-wild exploit actively targeting an unpatched vulnerability in Java 6 following the recent publication of related proof-of-concept (POC) attack code. The Java runtime environment (JRE) bug (CVE-2013-2463), was publicly revealed when Oracle released Java 7 update 25 in June 2013, which remains the most recent version of Java. . . .

The safe bet now is to expect no new Java 6 updates. Oracle's Java 6 download page reads: "Updates for Java 6 are no longer available to the public. Oracle offers updates to Java 6 only for customers who have purchased Java support or have Oracle products that require Java 6."

According to statistics released in March 2013, at least 47% of all Java users in the United States were still running Java version 6.

What risk do Java 6 users now face from the new vulnerability that's being exploited? According to vulnerability information provider Secunia, the bug could be "exploited by malicious local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (denial of service), bypass certain security restrictions, and compromise a vulnerable system."
CONCLUSION:

If you are running ANY version of JavaAppletPlugin.plugin that is older than version 7u25, TRASH IT! Then quit and relaunch any web browser you may have open, so the old plug-in is no longer loaded.

Not kidding here folks! You do not want to get PWNed.

Here is where to find your Java plugin on OS X:

/Library/Internet Plug-ins/JavaAppletPlugin.plugin

Check the version number of the plugin via Get Info (⌘-I). If you see anything except "Java 7 Update 25", then doom shall reign upon your computer! You have been warned.


BUT GET THIS!

As per Mathew J. Schwartz' article at Information Week:
While Java 6 is now under the gun, the latest version of Java 7 also sports at least one serious unpatched vulnerability. Fortunately, however, no technical details about that vulnerability have been publicly released. The bug, dubbed "issue 69," was discovered by veteran Java bug hunter Adam Gowdiak, CEO of Polish research firm Security Explorations, and reported to Oracle on July 18, 2013.
IOW: There is already a known security hole in even Java 7 Update 25.

Therefore, unless you absolutely MUST use Java on the Web, the very safest thing to do is to:
Just Turn Java OFF.

Here is where Oracle now lets you, at long last, turn Java off inside its 'Control Panel' on OS X:


Here's how to get there:

1) Open 'System Preferences...' from the Apple Menu.

2) If you have Java 7 Update 25 installed, you'll see the 'Java' System Preferences button in the bottom 'Other' section of the window. CLICK IT.

3) The 'Java' Preferences pane opens, except it then insists upon running its 'Java Control Panel' in Java as a separate window. (o_0)

4) Click on the 'Security' tab. That will bring up the interface pictured above.

5) If you don't already have the 'Security Level' jammed up to 'Very High', do that FIRST. (You do NOT want it set any lower unless you are at a specifically known safe web page. Of course remember to jam it back UP to 'Very High' again BEFORE you leave that specific web page).

6) Then UNCHECK the box near the top that is labeled "Enable Java content in the browser". IOW: There should be NO check mark in that box, as seen in the interface pictured above. I have the cursor in the picture pointing at the box.

7) Click the 'Apply' button on the bottom right of the window.

8) Click the OK button. The Java Preferences will close.

What a PITA.
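For anyone who would rather check from Terminal than click through System Preferences, here is an added example (not from the original post, nor Oracle's or Apple's tooling). It reads the plug-in version string that Get Info displays and then checks the two control panel settings from steps 5 and 6. It assumes, since the post does not say, that the Java control panel stores its settings in ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties under the keys deployment.webjava.enabled and deployment.security.level; the sample plist and properties text inside the script are constructed for testing, not copied from a real install.

```python
"""Check the Oracle Java plug-in and its browser settings on OS X.

Added example, not from the original post. It automates the two checks
described above: the plug-in version that Get Info shows, and the
'Enable Java content in the browser' / 'Security Level' settings.
Assumption (not stated on the page): the Java control panel stores its
settings in ~/Library/Application Support/Oracle/Java/Deployment/
deployment.properties under the keys deployment.webjava.enabled and
deployment.security.level.
"""
import plistlib
import re
from pathlib import Path

PLUGIN_PLIST = Path("/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist")
DEPLOY_PROPS = Path.home() / "Library/Application Support/Oracle/Java/Deployment/deployment.properties"
MIN_JAVA = (7, 25)  # Java 7 Update 25: the only version the post considers acceptable


def parse_java_version(short_version):
    """'Java 7 Update 25' -> (7, 25); None for anything else (e.g. Apple's Java 6 plug-in)."""
    m = re.search(r"Java\s+(\d+)\s+Update\s+(\d+)", short_version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def plugin_version(plist_bytes):
    """Read CFBundleShortVersionString (what Get Info displays) from an Info.plist."""
    info = plistlib.loads(plist_bytes)
    return parse_java_version(str(info.get("CFBundleShortVersionString", "")))


def parse_properties(text):
    """Minimal parser for Java's deployment.properties (key=value lines, # comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(version, props):
    """Return a list of problems; an empty list means the machine matches the advice above."""
    findings = []
    if version is None:
        findings.append("plug-in version is not 'Java N Update M': unsupported or pre-Oracle Java, trash it")
    elif version < MIN_JAVA:
        findings.append("plug-in is Java %d Update %d, older than 7u25: trash it" % version)
    # Oracle's default is Java-in-the-browser ON, so a missing key counts as ON.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("'Enable Java content in the browser' is still ticked")
    if props.get("deployment.security.level", "").upper() != "VERY_HIGH":
        findings.append("Security Level is not VERY_HIGH")
    return findings


# Constructed sample data, so the functions can be exercised without a real install.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.oracle.java.JavaAppletPlugin</string>
  <key>CFBundleShortVersionString</key><string>Java 7 Update 25</string>
</dict></plist>"""
SAMPLE_PROPS = "#deployment.properties\ndeployment.webjava.enabled=false\ndeployment.security.level=VERY_HIGH\n"


if __name__ == "__main__":
    plist = PLUGIN_PLIST.read_bytes() if PLUGIN_PLIST.exists() else SAMPLE_PLIST
    props = parse_properties(DEPLOY_PROPS.read_text() if DEPLOY_PROPS.exists() else SAMPLE_PROPS)
    problems = audit(plugin_version(plist), props)
    print("\n".join(problems) if problems else "Java plug-in: version and browser settings match the advice above")
```

Run it with python3. On a Mac with the Oracle plug-in and control panel installed it reads the real files; anywhere else it falls back to the constructed samples. Get Info and the control panel remain the authority: if the script and the GUI disagree, the assumed path or keys are wrong for that Java release, and the GUI wins.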

Yes, Apple has very kindly and wisely provided Safari v6.0.5 and higher, which automatically stops Java from running on web pages without your specific approval. What a great feature! But I'm providing the instructions above for those who wish to be extra safe: with Java switched off at the plug-in level, no web page can even ask. Consider it paranoia if you will. But this added safety, short of removing the Java plug-in entirely, is available for you to use. It's what I'm using on my Macs.

Meanwhile, when the current known security hole in Java 7u25 begins being exploited in the wild, watch for yet-another Java security update!

Did I mention that I hate you Oracle? :-P


--

Thursday, August 29, 2013

The Safe Mac's Malware Dictionary

--

My net bud/colleague Thomas Reed has published a Malware Dictionary at his website, The Safe Mac. You can access his Malware Dictionary here:

The Safe Mac : Malware Dictionary

Here's a list of terms featured in Thomas's Malware Dictionary:

adware
backdoor
black hat hacker
bot
botnet
click fraud
command-and-control server
cross-site scripting
definitions
denial-of-service (and distributed denial-of-service)
drive-by download
dropper
exploit
false positive
hacktool
heuristics
in the wild
keylogger
malware
on-access scanning
on-demand scanning
payload
phishing
proof of concept
PUA
ransomware
RAT
rootkit
signatures
spyware
trojan
variant
virus
vulnerability
watering hole
white hat hacker
worm
zero-day

I've added a link to The Safe Mac : Malware Dictionary on the right side of the page under Friends of Mac-Security.





Wednesday, August 28, 2013

iOS (and Android) Security Leaks Uncovered

--

Dan Goodin, one of the reliable writers at Ars Technica, has posted an article discussing an academic paper published by scientists at Microsoft Research and Indiana University. It's well worth a read:

iOS and Android weaknesses allow stealthy pilfering of website credentials
Scientists call on Apple and Google to mitigate "origin crossing" attacks.
Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission....
. . .
"Our research shows that in the absence of such protection, the mobile channels can be easily abused to gain unauthorized access to a user's sensitive resources," the researchers—who besides Wang, included Rui Wang and Shuo Chen of Microsoft and Luyi Xing of Indiana University—wrote. "We found five cross-origin issues in popular [software development kits] and high-profile apps such as Facebook and Dropbox, which can be exploited to steal their users' authentication credentials and other confidential information such as 'text' input. Moreover, without the OS support for origin-based protection, not only is app development shown to be prone to such cross-origin flaws, but the developer may also have trouble fixing the flaws even after they are discovered."
(Bolding above mine).

From my POV, it has been known for years that using iOS meant a restriction on user-added security. Therefore, for example, you are being tracked over the Internet using most iOS web browsers, whereas I have total control over tracking cookies on my Macs. This means your privacy as well as your security is being compromised whenever you're on iOS, as opposed to the added security measures possible on OS X.


But what's discussed in the article goes to a much deeper point: the flaws live in popular third-party SDKs that developers compile into their own apps (Facebook and Dropbox are named), and neither iOS nor Android gives those SDKs any origin-based protection to lean on. That's very bad and means this problem is not going to be solved simply by an iOS update. The SDKs have got to be fixed, then every application that embeds the flawed code will have to be recompiled and redistributed in updates.


As ever, I'm grateful to researchers who uncover these problems. This isn't another memory management mess. It's something new to me and required a couple of readings to understand. I expect we'll be hearing more about this problem as developers sort out whether their apps are vulnerable or not.



~ ~ ~ ~ ~

[Ars trolls postscript: Lately I've been extremely displeased with what I call 'ars trolls' and unprofessional writers at Ars Technica. You can read my recent documentation of their shameful behavior HERE. However, I have consistently found Dan Goodin and the other computer security writers at Ars Technica to be excellent. I continue to recommend their work.]

--

Saturday, August 17, 2013

Apple's iOS App Store FAILs Recent
Proof-Of-Concept Malware Test,
Apple Adjusts iOS In Response

--
Just a quickie post to point out a recent proof-of-concept test of the Apple iOS App Store:

Remotely Assembled Malware Blows Past Apple’s Screening Process
Research unmasks a weakness of Apple’s App Store: new apps apparently are run for only a few seconds before approval.
- By David Talbot on August 15, 2013, MIT Technology Review
 “The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” says Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, led by Tielei Wang, that wrote the Apple-fooling app.
. . . 
The paper was slated for a talk Friday at the Usenix conference in Washington, D.C. Tom Neumayr, an Apple spokesman, said the company made some changes to its iOS mobile operating system in response to issues identified in the paper. Neumayr would not comment on the app-review process.
As ever: Apple is never perfect. They're simply better than the alternatives. Nonetheless, I wish Apple was more proactive, performing intense security testing on their own software rather than waiting for a breach like every other software developer. That's why I champion the white hat hackers and their cattle prodding of Apple's security efforts.


Tuesday, August 6, 2013

TorBrowser Security HELL:
Manually Update TorBrowser to
v2.3.25-10 or above NOW!

--

If you are a TorBrowser user and have not updated it since June 2013, it is URGENT, CRITICAL, IMPORTANT that you manually update (automatic update FAILs!) to the most recent version NOW! Got that? NOW!

There is a nasty bug in TorBrowser whereby the version of Firefox it uses will NOT update you to the latest version. It literally LIES to you that you have the latest version. My screenshot image above proves this! If that version happens to be Firefox v17.0.6, you are living in Security HELL. Tor is betraying you and letting evil SURVEILLANCE RATS compromise your anonymity. IOW: It's a total Tor FAIL.


Therefore, if you are using TorBrowser v2.3.25-8 or -9 you must MANUALLY go to the Tor website, download the latest version and install it NOW!


https://www.torproject.org


Because I attempt to keep this blog on the level of an average Mac user, and because this SEVERE compromising of TorBrowser has been vastly covered elsewhere, I'm not going to provide details here. Instead, here is a series of links describing the problem as well as theories as to who the evil SURVEILLANCE RATS might be:


Tor security advisory: Old Tor Browser Bundles vulnerable

Investigating Security Vulnerability Report

- Mozilla Security Blog

Attackers wield Firefox exploit to uncloak anonymous Tor users

Publicly available exploit threatens all Tor users unless they take action now. 
-Dan Goodin @ars technica

Update: Researchers say Tor-targeted malware phoned home to NSA

JavaScript attack had a hard-coded IP address that traced back to NSA address block. 
-Sean Gallagher @ars technica

There we go

by Cryptocloud_Team » 05 Aug 2013 13:34





To the TOR Project:


The TorBrowser project is not working. You have GOT to either keep up with EVERY Firefox update or program in a SERIOUS auto-updating system. REMOVE the LIAR code in your implementation of Firefox that tells the user it is up-to-date with the browser when it is NOT!


IOW: Using TorBrowser is DANGEROUS, potentially a way to HURT users rather than protect them. Therefore, immediate change in the project is REQUIRED NOW. You can't delay and expect TorBrowser to maintain its reputation. It won't. It will be marked as a FAILed project. Consider my warning here as one very deliberate mark AGAINST TorBrowser. I'll continue to rail on about this problem UNTIL you fix it permanently. I'm that vehement about real Internet user security. 


Please communicate with me and my Mac security interest group about this situation. We'd be pleased to assist.


:-Derek Currie


Critical Adobe Security Update:
Digital Editions v2.0.1

--

We now have another insecure Adobe application to worry about. This time it's Adobe Digital Editions.

Adobe WHAT?

Here is how Adobe describes their application-with-critical-security-holes, Digital Editions:
Adobe® Digital Editions software offers an engaging way to view and manage eBooks and other digital publications. Use it to download and purchase digital content, which can be read both online and offline. Transfer copy-protected eBooks from your personal computer to other computers or devices. Organize your eBooks into a custom library and annotate pages. Digital Editions also supports industry-standard eBook formats, including PDF/A and EPUB.
For those who care, and those who use Digital Editions, here is the Security Bulletin:

http://www.adobe.com/support/security/bulletins/apsb13-20.html
Adobe has released a security update for Adobe Digital Editions for Windows and Macintosh.  This update addresses a vulnerability in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installation using the instructions provided in the solution section above.

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2013-1377).
Yes, another bad memory management security hole, the #1 source of security holes in modern coding.

And yes, another way for a mere application on your Mac to allow a malware rat to 'take control' of your entire computer. It doesn't get worse. (o_0) That's a terrific reason to NOT install Digital Editions, or if you can, uninstall it until Adobe gets their act together and seriously sandboxes the thing.



--

Saturday, July 27, 2013

Ongoing:
"The biggest cyber crime case filed in U.S. history"

--

This story has been buried in the conventional press over the last two days. Therefore, I am doing my part to emphasize its importance. If you're interested in hacking and cyber-crime, be sure to give this article a read:

US Indicts Hackers In Biggest Cyber Fraud Case In History
DAVID JONES AND JIM FINKLE, REUTERS JUL. 26, 2013, 6:16 AM

http://www.businessinsider.com/us-indicts-hackers-in-biggest-cyber-fraud-case-in-history-2013-7

Here are a few highlights (emphasis mine):
NEWARK, N.J./BOSTON (Reuters) - Federal prosecutors said on Thursday they have charged five men responsible for a hacking and credit card fraud spree that cost companies more [than] $300 million and two of the suspects are in custody, in the biggest cyber crime case filed in U.S. history.

They also disclosed a new security breach against Nasdaq, though they provided few details about the attack.

Other companies targeted by the hackers include a Visa Inc licensee, J.C. Penney Co, JetBlue Airways Corp and French retailer Carrefour SA, according to an indictment unveiled in New Jersey. . . .

Authorities in New Jersey charged that each of the defendants had specialized tasks: Russians Vladimir Drinkman, 32, and Alexandr Kalinin, 26, hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine. . . .

The five hid their efforts by disabling anti-virus software of their victims and storing data on multiple hacking platforms, prosecutors said. They sold payment card numbers to resellers, who then sold them on online forums or to "cashers" who encode the numbers onto blank plastic cards. . . .

"There is an enormous shadow economy that exists in Eastern Europe. In some countries, sophisticated hackers are seen as national assets," he [Thomas Kellermann, VP of Trend Micro] said. . . .

Among the breaches cited in the New Jersey indictment, prosecutors charged that the group was responsible for the theft of more than 130 million credit card numbers from U.S. payment processor Heartland Payment Systems Inc beginning in December 2007, resulting in approximately $200 million of losses....

~ ~ ~

After reading through this article, I can't help but believe much of our Corporate Oligarchy is more than a little embarrassed with their poor comprehension of computer security; Thus the burying of this story in the press.

There's A LOT more news about this incredible hacking crime spree yet to come. Keep an eye out.

:-Derek




Wednesday, July 17, 2013

FileSteal.D Trojan Horse variant discovered:
aka Hackback.D
aka KitM.D,
aka Janicab.D

--

Via some file name spelling trickery, a nasty script and fraudulent use of an Apple developer security certificate, a new variant of the FileSteal malware has shown up on the net. This malware series has had four different names, depending upon what 'professional' anti-malware company 'discovered' it. IOW: It's a case of the usual deliberate lack of sharing and cooperation among the 'professionals'. Just shoot me. I'm simply going to call it Trojan.OSX.FileSteal, which was the source name. I listed the other names in this article's title. As far as I know, the current variant is the fourth in the series, therefore FileSteal.D. I am always pleased to be corrected when I am incorrect.

This series of malware is extremely easy to make inert by way of Apple revoking its faked developer security certificate. The dangerous period is between a variant's release and Apple's revocation of its security certificate.


What it does:

A) FileSteal commonly shows up as an email attachment, pretending to be an innocent document file. But it could just as easily hide out somewhere on the web, looking just as innocent.


B) As a Trojan horse, no matter what you see as the file name and file icon, it is actually an application. The faked file name and icon trick is done via some file name spelling trickery of which I was not previously aware. A special "right-to-left override (RLO) character" in the name makes the characters that follow it display right-to-left, i.e. backwards from how the name is actually spelled. Therefore 'FDP.app' at the end of the real file name can appear instead on screen as 'ppa.PDF', making you and OS X think you are looking at a PDF file, which it is NOT. Creepy, eh? I'm going to send you off to read the relevant article by my net bud Thomas Reed for further explanation. Don't worry about the malware being called 'Janicab'. It's still just FileSteal.D.


New Signed Malware called Janicab
http://www.thesafemac.com/new-signed-malware-called-janicab/
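As an added illustration of the RLO trick (my own example code, not anything from the original post or from Thomas Reed's article), here is a small Python checker that finds Unicode bidi control characters in a file name, reconstructs roughly what the Finder would show, and compares that against the extension the OS actually uses. The sample name is constructed; it is not the real Janicab file name.

```python
# Added example: detect Unicode bidi override/embedding characters in file names
# and recover the extension the OS really uses. Not code from the original post.
import unicodedata

# Bidi controls that can make a name display in a different order than it is
# stored. U+202E (RLO) is the one the post describes.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200E", "\u200F",                                # LRM, RLM
}

def bidi_controls_in(name):
    """List (position, Unicode name) for every bidi control in the name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]

def true_extension(name):
    """Extension as stored on disk, ignoring the display-only control characters."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""

def displayed_name(name):
    """Approximate what a bidi-aware renderer shows: text after an RLO (U+202E)
    is reversed until a Pop Directional Formatting (U+202C) or the end of the name."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            j = name.find("\u202C", i + 1)
            j = len(name) if j == -1 else j
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def is_suspicious(name):
    """True when the name carries a bidi control AND the shown extension differs
    from the stored one, i.e. the 'ppa.PDF' vs 'FDP.app' situation from the post."""
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return bool(bidi_controls_in(name)) and shown_ext != true_extension(name)

# Constructed sample (hypothetical, not the real malware's name):
# stored as "Document.<RLO>FDP.app", shown as "Document.ppa.PDF".
SAMPLE = "Document.\u202EFDP.app"
```

Running `is_suspicious` over the names in a Downloads folder or a mail attachment directory is a cheap way to spot this trick before the icon fools anyone.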


C) If you are fooled into opening the application, it installs itself somewhere into your system then tosses a launch script into one of the various login items folders inside one of your Library folders. These login item folders could include:

/Library/LaunchAgents/
/Library/LaunchDaemons/
~/Library/LaunchAgents/

OR theoretically it could list itself into your user account's Login Items list located here:


~/Library/Preferences/com.apple.loginitems.plist


OR the app can run as a system cron job process.

IOW: It gets booted every time you log into your computer.
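To check the launchd folders listed above for anything that starts at login, here is an added Python audit script of my own (not from the original post). It parses each .plist, reports what it runs, and flags jobs whose label is not in Apple's namespace; the sample job it builds for the offline demo is constructed, and cron jobs are not covered here.

```python
# Added example: inventory launchd persistence entries in the folders the post
# lists and report what each one executes. Not code from the original post.
import os
import plistlib
import tempfile

# Folders named in the post as places a login script can be dropped.
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

def inspect_plist(path):
    """Summarise one launchd job: its label, the command it runs and login flags."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    # launchd accepts either Program or ProgramArguments (or both)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    return {
        "file": path,
        "label": job.get("Label", ""),
        "command": " ".join(args),
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),
    }

def audit(dirs=LAUNCH_DIRS):
    """Inspect every .plist in the given folders; folders that do not exist are skipped."""
    found = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                found.append(inspect_plist(os.path.join(d, name)))
    return found

def is_unexpected(job, trusted_prefixes=("com.apple.",)):
    """Flag jobs that start at login and whose label is outside a trusted namespace."""
    return job["run_at_load"] and not job["label"].startswith(trusted_prefixes)

def demo():
    """Write a constructed (hypothetical) agent into a temp folder and audit it."""
    tmp = tempfile.mkdtemp()
    sample = {"Label": "com.example.updater", "RunAtLoad": True,
              "ProgramArguments": ["/usr/bin/python", "/tmp/x.py"]}
    with open(os.path.join(tmp, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(sample, fh)
    return audit([tmp])
```

On a real Mac, call `audit()` with no arguments and print every job for which `is_unexpected` is true, then judge each flagged command by hand.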


D) When running, the malware opens a back door to your computer, grabbing and sending anything it likes off to a malware wrangler site on the net. It has been known to take screenshots, record audio and send off user files to the malware wrangler location. Some researchers are calling this 'spyware' behavior. I personally would call it a bot.


Cures:

The cures for this malware depend upon the variant installed. The new variant FileSteal.D, aka 'Janicab', plugs itself into the system using a cron job process. Therefore, one easy way to eliminate it is to remove all your system's cron jobs. Thomas Reed's article provides a simple Terminal command you can use.


From my reading, it appears that Intego, Sophos and F-Secure are staying on top of this malware series. Their anti-malware programs, if kept up-to-date, should be able to detect the infection and remove it. Apple also has been speedily revoking these malware apps' security certificates.


ClamXav will likely catch whether you have been infected. Or perhaps I should say that friends in my Mac security discussion group are attempting to get the malware's signature into the ClamAV database.


~~~~~

Here are some related articles, in reverse chronological order, about the FileSteal series for your perusal:


2013-07-16

Signed Mac Malware Using Right-to-Left Override Trick

2013-07-15
New back-to-front Mac malware records audio and grabs screenshots on infected computers
http://grahamcluley.com/2013/07/mac-malware-janicab/

2013-05-21
Yet Another FileSteal Variant Found Today
http://www.intego.com/mac-security-blog/yet-another-filesteal-variant-found-today/

2013-05-17
Two New Variants of Backdoor Trojan Found Targeting Activists
http://www.intego.com/mac-security-blog/two-new-variants-of-backdoor-trojan-found-targeting-activists/

2013-05-17
Mac malware signed with Apple ID infects activist’s laptop
Backdoor took screenshots, sent them to attackers.
http://arstechnica.com/security/2013/05/mac-malware-signed-with-apple-id-infects-activists-laptop/

~~~~~

BTW: Thomas Reed maintains a reasonably current list of Mac malware HERE:

Thomas and I have not compared lists recently, and you're going to see some differences in what is named what and what is different from what. This is all thanks to the unprofessional naming chaos innate amidst today's competing anti-malware companies. Sometime Thomas and I will bump heads again and coordinate our lists. In the meantime, I consider Thomas' Mac malware list to be the best.


--