Symantec Anti Virus Security Problems Exposed

Anti Virus software has long been a concern of the security community.  While it endeavors to protect the user’s workstation, in order to do it’s job, it requires a lot of system level permissions.  This week, at least with Symantec, that came home to roost.

Tavis Ormandy a researcher from Google announced that he’d found numerous critical security vulnerabilities in Symantec’s suite of anti-virus software.  That suite covers 17 enterprise software products and 8 consumer and small business products.

While some of the bugs are simple, others are quite fatal and would allow an attacker to remotely control the user’s computer.

One bug would allow the attacker to take over an entire enterprise by just sending an infected file or malicious link – without the user ever doing anything.  This is because the anti-virus software has to open files and links when they arrive to see if they are malicious and that code has the flaws in it.

Ormandy says these flaws are “as bad as it gets“.  He is the guy who has made a career out of finding security holes in security software. His previous finds include FireEye, Kaspersky, McAfee, Sophos and Trend Micro – pretty much everyone in the anti-virus business and then some.

While we do not know how actively hackers and foreign governments are exploiting these vulnerabilities, they probably will now if they have not been doing so in the past.

What is not clear is how come these vulnerabilities exist.  After all, security companies, more than anyone else, should understand the problem of vulnerable software.  Yet, apparently, they do not.

Chris Wysopal of software testing vendor Veracode had a number of comments to make about the situation.  He thinks that at least some of these vulnerabilities would have been detected by the software testing products his company makes.

Symantec has now patched these vulnerabilities, but that doesn’t mean that customers have applied these patches.  It also doesn’t mean that there aren’t other vulnerabilities not yet detected.

And since most of this code from Symantec and other vendors like them runs with very high privileges, this software is more likely to put your system at risk than, say, a word processor.

At a minimum, everyone needs to make sure that their anti-virus software is patched as soon as the patches are released.  When they are released to you, they will be released to the hackers as well.

Ormandy says that maybe the anti-virus vendors did not understand that they had a problem, but I have a hard time believing that.  More likely, they figured that they could get away with not spending too much effort at testing their software.  Mr. Ormandy is on a  mission to prove that theory wrong and I think he is doing pretty good at that mission.

Information for this post came from Wired.

Facebooktwitterredditlinkedinmailby feather

The Year Of The Voter List Breach

Early this year, we learned of a voter database of 191 million U.S. voters was found, unprotected on the Internet.   The list contained name, address, political party, telephone and voting record  (not who you voted for, but in which general elections and primaries).

For people who want to keep that information private, such as judges and prosecutors, the cat is now out of the bag.

Under U.S. law, that data is public and most states sell or give that data to politicians who use it to harass you.  Err, excuse me, call you at dinner time.

Now we have learned of a second voter database leak.  This time about 56 million voters.  This list contained some other information that comes fro the questions you choose to answer when they call you and merged from other public records.  The information exposed this time includes Christian values, bible study and gun ownership in 19 million of those profiles.

That is the result of you answering those questions when pollsters call you.  If you answer and talk to them, the data that you provide will get added to that generic database.  In addition, data from other public record sources can be merged.  I suppose the gun ownership question could come from gun licenses or maybe even background checks, but those records are not supposed to be public.

Now the same researcher, Chris Vickery of MacKeeper, said he has found a third voter database.

While the first two were stored on Amazon, this one is stored on Google.

And, I would not blame Amazon or Google for the breach.  These hosting providers give you tools to configure your security, but they are not responsible for how or if you use them.

This latest database contains 154 million records.  Besides your name, address and Congressional district, this database contains estimated income, ethnic background, gender, party information, whether the person was likely to have children and other information.

One of the challenges for Chris is to try and figure out who owns the database so that he can contact them.  Amazon and Google are unlikely to tell him for fear that they would get sued for giving that information out.  In this case there was a telltale sign and Chris called the company whom he thought might own it.  Turns out they did not, but they had a good idea of which of their customers might own it.

A few hours later, it was locked down.

Of course, we don’t know how many months it was available or who might have downloaded it before Chris discovered it.

The magnitude of these data breaches is breathtaking.  The 191 million record list includes the name of every registered voter in the U.S.  That means these other breaches are subsets of that data with the extra fields as a bonus for whoever finds it.

And likely, this is just the tip of the iceberg.  Stay tuned as the election season cranks up.

And maybe you should not tell people that you are a gun owner or do bible study, since these folks can’t seem to secure that data.

The world of big data.  It can me big breaches.

 

Information for this post came from Daily Dot.

Facebooktwitterredditlinkedinmailby feather

655,000 Healthcare Records Up For Sale

A hacker called thedarkoverlord is offering 3 unique medical databases for sale at prices ranging from 151 bitcoins to 607 bitcoins. Deep Dot Web got to look at images of the database, shown below.

DDW2

 

DDW1

One database has 48,000 records from a healthcare company in Missouri.

The second database has 210,000 records from a healthcare care company in the midwest.

The last database contains 397,000 records from a healthcare company in Georgia.

The hacker claims that he exploited a remote access vulnerability to access the data and he also said that the data was not encrypted.

Here is the scary part – kind of a warning.  The hacker said that if an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee, take the offer.   There is a lot more to come.

There is no telling – yet – where this data came from and is there more to come.

This is just another indicator that health care data is a hot topic because unlike credit cards, you cannot just get a new one.

It will be interesting to see how many more databases this hacker has for sale.

Information for this post came from Deep Dot Web.

Facebooktwitterredditlinkedinmailby feather

CFA Institute Says Don’t Become The Hacker’s Next Victim

The Infosec Institute says that malicious cyber activity cost the US between $24 billion and $120 billion and worldwide that number was $300 billion to $1 trillion (see here).  And that was in 2013!

For investment professionals (and other businesses as well), poor cyber security practices which lead to being hacked can cause a complete loss of client confidence – leading to a loss of clients.

That of course does not include fines and lawsuits.

Some investment pros ask why would hackers go after me and why do I have deal with cyber security.  The CFA Institute’s (Chartered Financial Analyst) answer?

Those were decent questions – 10 years ago.

Combine the huge amount of financial information that an investment professional keeps with the general lack of interest in cyber security that the CFA Institute says some investment professionals have, and you have a recipe for a cyber disaster.

So how do hackers complete their attack?  Here is the answer.

Step 1 – Reconnaissance

Check out social media posts. Information on online purchases that you shared about, other public information.  Google yourself and see what shows up.  If you Google me, you will find articles I wrote 20 years ago.  The Internet never forgets.

Given this, a hacker will identify a mark- say a particular high net worth individual.  The hacker will figure out what company(s) the mark is working with, maybe find employee’s LinkedIn profiles. Maybe find out who the managers are.  Once the hacker has zeroed in on the sucker, he  moves on to step 2.

Step 2 – Infiltration

So now we know who the hacker is going to try to attack.  He knows what sites the target visits and maybe he knows that he visits social media at lunch.  He finds out what the target’s interests are – hobbies, charities, sports, etc.

Now he crafts a spear phishing email – called that because it only targets one person.  He buys some domains that look very much like the real domains of the organizations that the target is associated with.

He crafts an email that seems very believable to the target.  Maybe it is a confirmation for a meeting associated with his favorite charity and entices him to click on the link in the email.

At this point, it is all over but the crying.

Step 3 – Escalation

The attacker has inserted a remote access trojan or RAT into that link which the target clicked on.  Now the attacker has control of the target’s PC, can do anything the target can do.  Maybe even capture every keystroke the target types (such as passwords).  If the target is a local administrator, he can change the configuration of the computer. If the target is a domain administrator, he can do even more and if he is an enterprise administrator – well, you don’t want to ask.

He can now, for example, find every file of interest on the target’s PC and network shares and send them to Russia.  What do you think the odds are of arresting that hacker in Russia?

Step 4 – Exploitation

Maybe the hacker uses the information to obtain lines of credit and forge identities.  Maybe he sells the data for other people to use.

Maybe he asks for a ransom to get the data back.  Even if the ransom is paid, the attacker may not give back the data.  Ransomware attacks are up ovewr 500% this year.  Because they work. In fact, the attacker could share the data with the media.  Just for revenge.

This is a very real and relatively easy to execute scenario and anyone who thinks they are immune from this is likely fooling him or her self.

There are steps you can take to improve your odds.  Watch what you share on social media.  Don’t use work computers (or PHONES or TABLETS) for personal email and browsing.  Carefully examine what links you click on.  Get educated – hire experts if you need to.

This is not a simple problem and there are no simple solutions.  The only solution which is a sure failure is to pretend it is not a problem.

While this post is geared to investment professionals, it really applies to almost everyone.  I recommend you consider the advice.

Remember that if a hacker wants to target a particular high net worth individual,  it may well be easier to get their through his advisors.

Information for this post came from the CFA Institute.

Facebooktwitterredditlinkedinmailby feather

FBI Doesn’t Need Warrant To Hack Your Computer, Court Says

Judge Henry Coke Morgan Jr of the District Court in the Eastern District of Virginia says that the FBI can hack your computer without a warrant.

Judge Morgan said that the defendant  “has no reasonable expectation of privacy in his computer”, in part because the FBI only collected limited information.

The defendant is involved in a child porn case, which does not make him a very likable defendant.

As part of the investigation, the FBI took over a site called Playpen. When they did that, they changed the site so that it downloaded malware onto the computers of any visitors so that they could get information from the user’s computer.

In this case, the FBI actually did get a warrant, but the judge said that they really didn’t need to, because users don’t have an expectation of privacy on the Internet.  According to the judge, the Fourth Amendment does not apply here.

The FBI doesn’t call it hacking, they call it a Network Investigation Technique or NIT and they could, according to this judge, do that you you or me, without a warrant, suspicion or probable cause and without any judicial oversight.

Of course, whether the malware the FBI placed on some computer did other things, such as break the computer or make it susceptible to hackers or capture more data than the FBI – apparently without a warrant – is entitled to, is less than clear.

Also remember that this malware that the FBI is deploying could be buggy.  How do you know if the data collected by the malware is even accurate or came from the computer that the FBI said that it did.  After all, the FBI is not disclosing this malware.  There is another motion in this case to disclose this malware, which the judge, apparently, has not ruled on yet.  But you would need more than the malware; you would need the entire chain of custody process from the user’s computer to the time it was used in court.  Otherwise, what we know is that some data was collected from some computer and stored and some data, possibly different, was presented in court.  Not very compelling.

It is likely that the judge had little understanding of what he was approving and after all, many people think that people who view child porn  should be locked up and the key thrown away, which is hard to argue with.  But the problem is that once the precedent is created, that logic can be used on any other case.  It is the proverbial slippery slope.

It is not clear whether this defendant has the money to appeal this decision is not clear.  Hopefully they will,

Information for this post came from Motherboard.

Facebooktwitterredditlinkedinmailby feather

Psst! Want to Buy A Server? $6 Please

The Russian security firm Kaspersky Labs reported last week that they had found a dark web marketplace selling access to servers – possibly yours and mine – for as little as $6 and as much as $6,000.

The key benefit of these servers is that since they are not actually the hacker’s servers, if they are able to use them in a way that forwards thier illegal business, it is going to be hard to trace things back to them.  Obviously, if they access that server (to administrate it) from their Comcast Internet connection in their living room, the odds of them getting caught goes up.  A lot!

The web site, xDedic, brokers access to these hacked servers.  As of last week, Kaspersky had a list of around 70,000 servers that were available.

This week, a hundred thousand servers got added to that list, making the pool around 170,000.

In the grand scheme of things 170,000 servers is not that many, but xDedic is just one web site.

Interestingly, after the first list was released, Brazil and China were the top two countries for available servers.  After this new list came out this week, the top two countries are the U.S. and the U.K.  In some way, that makes sense, because there are a lot more servers here and the quality of the servers (in terms of performance and capacity) is likely better.

These servers are likely some of the ones used to promote male enhancement drugs and other spam, as well as to deliver malware.

From a business standpoint, if the volume of malicious content being served up by these servers is sufficient, it will gain the attention of groups like the Electronic Crimes Task Force run by the U.S. Secret Service and you may get a knock on the door from the men in black.

While there is some discussion on the ‘net about whether the second list – the one that added the 100,000 additional servers – is legit, no one seems to be arguing whether the first list of 70,000 servers is legit. And at least some news sources are now saying that second list is, in fact, real.

And, as servers are sold in this forum, their IP address comes off the list, so the 70,000 or 170,000 number may represent only servers that have not been sold yet.  How many servers churn through that web site in a month is unclear.

When hackers use these servers, it is their goal that you can still use it as well.  That gives them cover, so the smart ones will work real hard to make sure that they don’t interrupt your work.  This means that your server could be on the list and you would not even know it.  Not something that any reputable business wants to happen.  How many of these web sites there are selling hijacked access is also unknown.  Based on spam that I see, it is probably a large number.

 

Information for this post came from Computerworld.

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed