Friday, September 26, 2014

The weak have one weapon

"The weak have one weapon: the errors of those who think they are strong." Georges Bidault, a French politician of the Second World War era, used this phrase to point out the greatest danger society was already facing at the time: not recognizing its own mistakes.


Over half a century later, his words come to mind as we learn about some of the many dangerous implications of Shellshock, a security hole in how Bash handles environment variables, for the future of the Internet as we know it. ELF_BASHLITE.A is the technical name of the first malware discovered that was specifically designed to exploit this vulnerability: with a few simple commands it can brute-force login credentials, impersonate identities and deny service on any vulnerable server connected to the Internet (which today means the vast majority).
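The post describes Shellshock only at the level of "Bash mishandles environment variables". For administrators who want to confirm whether a host is patched, the following is an added example written for this page, not code from the post or from any of the projects it mentions. It uses the widely published local self-test (a harmless environment variable that looks like a function definition followed by an extra command) and adds a small hygiene function for wrappers that launch Bash with an environment they do not fully control. The function names `shellshock_check` and `scrub_function_vars` are assumptions of this example.

```shell
#!/bin/sh
# Shellshock local self-test plus environment hygiene (added example, not from the post).

# Returns 0 and prints "patched" if the local bash ignores the trailing command,
# returns 1 and prints "vulnerable" if that command is executed on startup,
# returns 2 and prints "no-bash" if bash is not installed at all.
shellshock_check() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"
    return 2
  fi
  # The variable value mimics an exported function definition followed by a
  # trailing command. A patched bash never runs anything after the function body.
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "vulnerable"; return 1 ;;
    *)            echo "patched";    return 0 ;;
  esac
}

# Defensive hygiene for scripts that spawn bash with an environment built from
# untrusted input: unset every exported variable whose value starts with "() {",
# the marker bash uses to recognise imported function definitions.
scrub_function_vars() {
  for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=() {.*/\1/p'); do
    unset "$name"
  done
}

# Stand-alone usage: report the status of the local bash.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
  shellshock_check
fi
```

`shellshock_check` only tells you about the Bash binary on the machine where it runs; a patched interpreter on an administrator's workstation says nothing about the web servers, appliances or embedded devices that expose Bash through CGI or similar wrappers, which is where the post's "any vulnerable server connected to the Internet" applies. `scrub_function_vars` is defence in depth, not a substitute for updating Bash.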

Implementation errors of this kind, combined with the malicious intentions of the bad guys, have led analysts at the antivirus firm Kaspersky to explain in great detail the inner workings of several phishing campaigns targeting 'boleto' users. Boleto is a payment system widely used in Brazil. By combining code injection into the documents being generated with forged identifiers, the attackers prevent the barcode from being read by the bank's scanner when the victim tries to pay the 'boleto', and the alphanumeric identifier then redirects the payment to an account that is not the genuine one. In other cases the fraud is carried out through malicious links that alter the barcode, either by interfering with the customer/server communication (man in the middle, man in the browser) or by spreading malware that dynamically modifies the 'boletos' downloaded on mobile devices.

Banks remain targets of criminal gangs. Tinba, a banking Trojan that has evolved over time, recently gained a new variant. Historically this lightweight Trojan injected itself into system processes so that it could capture the user's traffic and actions and steal his banking login credentials. The new version adds improvements to protect itself against newer security measures and redirects requests for banks' websites to look-alike URLs controlled by the cybercriminals. Once the data is entered, the user is sent back to the real page, but the information has already been stolen.

Malware is evolving quickly, so it is not surprising that both security companies and the police rely on robots for automated analysis. Virus Bulletin, the conference being held these days in Seattle, gave us an overview of how Malware Investigator, the tool the FBI uses for this purpose, works. In fact, the FBI is gradually opening such tools to private and public companies and to citizens, which helps improve their effectiveness.

Earlier this week we told you about Apple's decision to encrypt customer information on the device itself by default, making it impossible for the company to know what is inside and therefore unable to provide access to law enforcement agencies. Today we learn the other side of the scale, represented by James Comey, director of the FBI, who warns of the danger of such strategies: they "allow people to place themselves above the law", which certainly makes the agency's work more difficult and, in his view, works against citizens: "There will come a day when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper's or a terrorist or a criminal's device."

We end this post with the opinion of the SecurityArtWork team on the risks of the Internet of Things. Miguel A. Juan tells the story of a friend of his, a computing expert, who discovers by chance that the office coffee machine has a direct 3G line to the support service. It seems a brilliant idea, since the service can notice when something goes wrong and send a technician, but it carries risks: such devices, present in most offices, could be hackable and become one more vector for corporate information theft.

Here you have six critical issues in CIGTR's daily news pill, in keeping with our aim of keeping you informed of everything happening in digital security.
