Category: Security Alerts


SCADA systems and their ilk simply aren’t designed for security. You do not want these systems to be accessible from the internet; it is just too easy to take control of them. Get ALL infrastructure systems completely OFF the Internet.

Second water utility reportedly hit by hack attack • The Register.

Whoopsie.

Apple’s new “Siri” feature, the voice-activated personal assistant built into the iPhone 4S, leaves owners’ spanking new smartphones partially unguarded.

Those of us who work in the security arena have often banged on about the importance of securing your smartphone with a password or passcode to prevent unauthorised access.

Most mobile phone manufacturers have recognised that as so many people use their smartphones to manage their diaries, their private communications, and their social lives, it’s good to have some form of security.

Which leaves Apple with some egg on its face regarding Siri.

Even if an iPhone 4S is locked with a passcode, a complete stranger can come up to your smartphone, press the button and give Siri a spoken command.

via Has Siri left your iPhone 4S unlocked? | Naked Security.

HTC screwed up big time here. If you are using the stock HTC Sense UI (and most folks are), they have enabled a backdoor into the phone’s base operating system that essentially allows any app with simple permissions to sniff everything on or about the phone and send it back. Android itself is not at fault; HTC’s modifications of Android caused this.

In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

the list of user accounts, including email addresses and sync status for each

last known network and GPS locations and a limited previous history of locations

phone numbers from the phone log

SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)

system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails.

But that’s not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):

active notifications in the notification bar, including notification text

build number, bootloader version, radio version, kernel version

network info, including IP addresses

full memory info

CPU info

file system info and free space on each partition

running processes

current snapshot/stacktrace of not only every running process but every running thread

list of installed apps, including permissions used, user ids, versions, and more

system properties/variables

currently active broadcast listeners and history of past broadcasts received

currently active content providers

battery info and status, including charging/wake lock history

and more

via Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails Addresses, Much More.
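The “system logs” item above is why this matters: logcat and kernel output routinely carry e-mail addresses, phone numbers and GPS fixes, so any process that can read them gets the lot. As an added example (not code from the original post or from HTC), here is a small Python checker that scans a log dump for those kinds of data and redacts them; it runs over a constructed logcat-style sample, not a real capture.

```python
import re

# Patterns for the kinds of private data the HTC logger dump was reported
# to contain: e-mail addresses, phone numbers and GPS coordinate pairs.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<![\d.])\+?\d{3}[-.\s]?\d{3}[-.\s]?\d{4}(?![\d.])"),
    "gps": re.compile(r"(?<![\d.-])-?\d{1,2}\.\d{3,}[, ]+-?\d{1,3}\.\d{3,}(?![\d.])"),
}


def scan_log(text):
    """Return a list of (line_no, kind, match) for every PII hit in a log dump."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in PII_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((n, kind, m.group(0)))
    return findings


def redact_log(text):
    """Replace every PII hit with a <KIND> placeholder.

    GPS runs before phone so a coordinate pair is never half-eaten by the
    phone pattern.
    """
    out = text
    for kind in ("email", "gps", "phone"):
        out = PII_PATTERNS[kind].sub(f"<{kind.upper()}>", out)
    return out


# Constructed sample styled after a logcat dump (not a real device capture).
SAMPLE_LOG = """\
I/AccountSync( 1234): syncing account alice@example.com status=OK
D/LocationSvc( 2345): last fix 37.422000,-122.084000 acc=12m
I/CallLog    ( 3456): outgoing call to 555-867-5309 duration=42s
D/Battery    ( 4567): level=87 wakelock=0
"""

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind}: {value}")
    print(redact_log(SAMPLE_LOG))
```

Run it against a real `adb logcat -d` dump to see how much of this an app that can read the log would get.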

Cars with OnStar’s built-in technology will begin having their whereabouts monitored in December, even if their owners opt out of the service, according to a new privacy statement issued by the vehicle navigation and emergency notification service this week.

via OnStar to Track Speed, Location of Cars, Even After Users Opt Out | threatpost.

In order to execute their attack, Rizzo and Duong use BEAST (Browser Exploit Against SSL/TLS) against a victim who is on a network on which they have a man-in-the-middle position.


So in order to “break” the AES component of SSL 3.0 you have to already have compromised the client/server in another way by inserting yourself inside the data stream? No big deal here. If the machine(s) are already compromised then all other security is moot. This is nothing to be concerned about. Keep your machine clean and this “attack” is no big deal.

via New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies | threatpost.

p2p software is a great thing but highly dangerous when not properly configured. By default p2p software shares files, sometimes everything on your hard drive depending on the program used. A good gateway firewall is your best bet if you don’t have airtight file security on your networks.


The hackers were believed to have used peer-to-peer software on one police computer to grab user names and passwords used for further access.

via Hackers Claim Third Attack on Arizona Police – FoxNews.com.

You can waste time creating a new MBR and then trying to clean ALL the infected files, not just from the rootkit but from its buddies as well. Save your clients’ time, money and security. Backup/format/reload.

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.


TDSS module code which searches the system registry for other malicious programs

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

TDSS downloads

Notably, TDL-4 doesn’t delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

Botnet access to the Kad network

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.

Computers infected with TDSS receive the command to download and install the kad.dll module.

Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.

The kad.dll module then sends a request to the Kad network to search for the ktzerules file.

Once the ktzerules file has been downloaded and encrypted, kad.dll runs the commands which ktzerules contains.


Encrypted kad.dll updates found on the Kad network

Below is a list of commands from an encrypted ktzerules file.

SearchCfg – search Kad for a new ktzerules file

LoadExe – download and run the executable file

ConfigWrite – write to cfg.ini

Search – search Kad for a file

Publish – publish a file on Kad

Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and client IP addresses, including those infected with TDSS.

via TDL4 – Top Bot – Securelist.

I am seeing more and more infections on client computers using this rootkit. The common vector I see is either Flash or IE ActiveX exploits. It is nearly time to just block Flash at the firewall as well as ActiveX.


‘Indestructible’ rootkit enslaves 4.5m PCs in 3 months • The Register.

This is a Microsoft employee giving another examination of Stuxnet. It’s over an hour. You can see a TED video here as well.


Microsoft Analyzes Stuxnet

DOE Lab Break-in May Be Tip of the Iceberg – Darkreading.