TrendLabs Malware Blog - Trend Micro, August 2015

    The security industry loves to talk about how “sophisticated” attacks can be. Usually this takes the form of us saying how advanced and sophisticated an attack is, what new methods were used to hide servers or make analysis harder, etcetera. However, it’s easy to forget that not all attacks need to be technically sophisticated; instead it can be in the social engineering used and how the attack is carried out.

    For example, a few months ago we talked about the Arid Viper campaign, a sophisticated attack that targeted users in Israel. However, that well-organized attack shared some of its attack infrastructure with Advtravel, which was far less sophisticated. Arid Viper was advanced; Advtravel was less so. How could this be the case? Weren’t targeted attacks supposed to be the work of educated, sophisticated attackers? Weren’t these attackers supposed to have nothing in common with “ordinary” cybercriminals?

    Let’s think about it for a moment. Are the skills needed to carry out a “targeted attack” that different from an ordinary cybercriminal attack? Fundamentally, they are not. While cybercriminals generally profit from activities like credit card fraud, they are not above selling their skills to attack specific targets with a planned goal in mind. If that is the case, why shouldn’t they reuse their existing tools? Why shouldn’t they reuse existing infrastructure?

    Even “large-scale” attacks that affect the real world sometimes use surprisingly simple tools. Consider the attack on TV5 Monde: that was carried out using malware created with a VBScript toolkit. Instructions on how to use it could be found on YouTube. It was not a great challenge to get this tool to work properly.

    The sophistication of these attacks lies in how the tools are used. What social engineering was used to convince the targets to open malicious attachments/links? No sophisticated “persistent threat” is needed when an ordinary remote access tool (RAT) will do.

    These attacks are persistent, and it will be difficult – if not impossible – for an organization to stop all of them. An attacker will not go away merely because he has been stopped once, or twice, or even more times. There is no bulletproof, foolproof solution that will stop all attacks. So, what can an organization do?

    An organization needs to realize that it can’t stop all attacks. What it can do is discover attacks that are in progress so that the damage from any particular one is mitigated. An intrusion detection system is no longer a luxury, but a necessity. This defends against not only common threats like RATs, but against sophisticated targeted attacks as well. There is no silver bullet to dealing with today’s threats; one must constantly keep up with current and future technology – both for offensive and defensive purposes – to understand the constantly changing threat landscape and the available defenses.


    Up to now, there have been relatively few laws or regulations from government agencies that mandate just how companies should protect their data. In the United States, however, that may be about to change.

    Earlier this week, the United States Court of Appeals for the Third Circuit decided in FTC v. Wyndham Worldwide Corp. that the Federal Trade Commission (FTC) had the authority under existing law to regulate the cybersecurity practices of businesses. This sets a precedent that could change how and why companies protect the information of their users. In the long term, it also sends a message: the FTC is keeping an eye on how companies secure their data, and will punish those who fail to do so.

    To recap, the FTC is a body of the United States government that is mandated to enforce consumer protection laws via voluntary consent decrees, administrative complaints, or federal lawsuits. Historically, the FTC has concentrated on what it considers to be unfair or deceptive business practices.

    The FTC has been battling Wyndham (a global hotel conglomerate) since 2012, when the latter suffered a breach that led to the personal details of more than 600,000 guests being stolen. Wyndham alleged that the FTC’s authority did not extend to punishing the hotel chain for the breach. The court, however, disagreed.

    In a very real way, this decision modernizes the authority of the FTC. It’s become clear that multiple large-scale breaches are as large a threat to consumers as the more pedestrian issues the FTC has handled in the past. However, this is not as unprecedented as one may think: the FTC has kept an eye on how tech companies implement security and privacy policies. For example, the FTC pointed out at this year’s Black Hat convention that they’d settled with Snapchat over how the latter handled messages and photos.

    What does this mean for companies? Simply put, it means that promises of “security” and “privacy” can no longer be glib phrases that, legally speaking, mean nothing. Instead, companies will actually have to make these promises happen, lest they be subject to an enforcement action that could cost millions. This raises proper cybersecurity from a nice-to-have (which, in many organizations, is still the case) to a must-have item, in order to comply with the requirements of regulations. The FTC is watching for gross violations of cybersecurity and will punish those accordingly to set an example to others.

    The US is not alone in this. European regulators have also been moving to impose regulations, albeit from a slightly different approach (data protection versus business practices). In the end, whatever the approach may be, this is welcome news that should help keep the personal data of consumers safe and secure.

    We’re back to look inside the crystal ball of future technologies. This is the third post of the “FuTuRology” project, a blog series where the Trend Micro Forward-Looking Threat Research (FTR) team predicts the future of popular technologies.

    In the last two installments of this series, we introduced our future technology threat landscape project and started to paint a picture of what the healthcare industry might look like in a few years.

    Part I: A Look at Impending Threats to Popular Technologies

    Part II: Wearables and Smart Medical Devices, Gears for a Data-Driven Healthcare Future

    Today, the plan is to speculate over other healthcare technologies that are further out into the future and could provide opportunities for attackers and threats to healthcare users.

    • 3D Scanning and Printing 
      This technology is quickly becoming mainstream as hardware keeps getting cheaper every year. It might get to a point where an accurate enough scanning of limbs and body anatomy should enable physicians to 3D-print personalized prosthetics, from body casts for temporary immobilization to limb replacement for a more permanent treatment. We’re talking about the possible birth of customized bionics at a massive scale.

      The current generation has seen the repercussion of sharing intimate pictures with others over the internet. Should 3D scanning become more available, scanned files would be as much the targets of blackmail and extortion by cybercriminals as 2D photos of today.
    • Lab-on-a-Chip Drugs 
      More cool stuff in the future of this exciting field? How about the so-called “incredible shrinking laboratory” or lab-on-a-chip drugs? These are pills or patches that can automatically deliver the right dosage of medicine needed. This is possibly based on body parameters taken from an external sensor or cloud-based algorithmic diagnosis. It looks like the patient needs 10 milligrams of this particular drug mixture? Coming right up!

      Varying drug composition and dosage has its technological difficulties, I’m sure of that. Once these are overcome and we have such a device in the market, an attacker’s interception of those drug parameters might be fatal. Even delaying drug delivery could be bad enough. This can possibly be the ultimate, pay-or-die ransomware of the future. Denial of health service, anyone?
    • Smart Clothing 
      We’re not only talking about t-shirts with fitness sensors and gimmicks – there have been attempts at those lately – but there’s a wider spectrum of things that could be coming in the future. How about exoskeletons? No, we’re not going to get adamantium bones or retractable claws anytime soon. We’re talking about devices that can help impaired bodies to move thanks to servo motors, enabling people with muscle atrophy or paralysis to perform physical activities.

      Sounds too out there? These have already been explored for military use to help individuals to carry more weight or absorb more impact in the battlefield. As 3D scanning and printing devices advance and become cheaper, they could accommodate more therapeutic uses for more mundane illnesses.

      Sport enthusiasts, especially those in extreme sports, can use smart clothing as protective gear. Now that’s something I wouldn’t mind trying myself.
    • Robotic Caregiving 
      Speaking of robots, or looking like one with an exoskeleton fitted on your body, we might also see more of robotic caregiving soon. Robots as assistants to nursing staff are not unthinkable. Medical practice equipment is becoming increasingly robotic in nature as the high productivity of using it justifies the investment. This opens the door for robotic surgery for those highly automated operations where the surgeon can give the exact instructions and the machine can execute them exactly as programmed. These are already being used in some fields but can become commonplace as the technology becomes more accurate and affordable.

      In theory a hacker could access the robot leading to physical harm, but in real life, that’s not likely to happen – and is more the realm of science fiction. For the amount of work involved in getting into the network, reversing the firmware, and controlling the robot, it is easier to inflict harm using traditional real-world means.

      This ties in nicely with the subject of IoT (Internet of Things) hacking or internet-connected device hacking. The idea is that anything with an online connection can be attacked. Again, the likelihood of being a target is directly related to the kind of device we’re talking about. I won’t go into detail but, whether the attack is likely or not, devices that involve a higher risk obviously need more defense. An internet-connected car needs more protection than an internet-connected toaster. The same goes for any medical device that is physically connected to or directly affects a human body.
    • Data Visualization and Analysis 
      With the latest advances in this field, doctors might be able to visualize 3D scans coming from magnetic resonance imaging (MRI) or X-ray computed tomography (X-ray CT) scans through augmented reality superimposed on the patient’s imaging data. Visualization technology similar to the Oculus Rift can be used to enter the patient’s innards, fully understand their state, give a more accurate diagnosis, get a closer look at the data, and plan for an important surgical procedure. I don’t know if I should be happy for those doctors or scared at the prospect.

    It is clear that the current state and evolution of technology will give new toys to all human fields. Healthcare is no exception. However, added risks make this industry more prone to attacks and life-threatening repercussions. Healthcare technologies need to be thought of in advance. Developers need to build in some level of security from the get-go because, in this case, even a casual or accidental screw up can be crippling, literally.

    Issues surrounding the Android mediaserver component continue. It has been brought to our attention that a vulnerability (CVE-2015-3823) could (theoretically) be used for arbitrary code execution as well. On August 23, Google raised the severity of this vulnerability to “critical”, indicating that code execution was possible. We have previously discussed how this bug in the mediaserver component of Android could lock devices in an endless reboot loop.

    To recap, the vulnerability is an integer overflow in parsing .MKV files, which causes the device to fall into an endless loop and heap overflow when reading video frames. Users could encounter a malicious .MKV file via a malicious app or by opening a malicious video file.

    We earlier noted how this could be used to, in effect, stop the device from working. If this vulnerability is used to run arbitrary code, then the attacker would be able to run code with the permissions of mediaserver. The code is shown below:

    If an attacker exploits this heap overflow successfully, they would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. However, unlike “good” exploits, it is very difficult to control the flow of execution. This makes a practical exploit much more difficult.
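    To make the bug class concrete, here is an added example in C of the arithmetic pattern behind an integer overflow in a frame-table parser, next to a hardened version. This is illustrative code written for this post, not Android’s mediaserver source and not the CVE-2015-3823 code path; the toy container header, its field names, the build_table/parse_frames helpers and the 1 MiB sanity cap are all constructed assumptions. The naive function shows how a hostile frame count and frame size multiply to a wrapped 32-bit value, so a buffer sized from it would be far smaller than the data a parser later copies into it; the checked function rejects such a header before anything is allocated.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy container header (hypothetical, not Matroska/MKV):
 * a frame table declares how many frames follow and how big each one is. */
struct frame_table_hdr {
    uint32_t frame_count;
    uint32_t frame_size;
};

/* Assumed sanity cap for a single frame table in this example: 1 MiB. */
#define MAX_TABLE_BYTES ((size_t)1 << 20)

/* Defective pattern: the 32-bit product wraps modulo 2^32, so a hostile
 * header yields a tiny size while the parser later copies
 * frame_count * frame_size bytes into the buffer, overflowing the heap.
 * Returns the wrapped value so the effect is observable without allocating
 * or writing anything. */
uint32_t naive_table_bytes(const struct frame_table_hdr *h)
{
    return h->frame_count * h->frame_size;   /* unchecked multiply */
}

/* Hardened pattern: validate before allocating. Returns 1 and stores the
 * byte count in *out, or 0 if the header is malformed, the product would
 * overflow size_t, or it exceeds the caller's cap. */
int checked_table_bytes(const struct frame_table_hdr *h, size_t max_bytes, size_t *out)
{
    if (h->frame_count == 0 || h->frame_size == 0)
        return 0;                                /* empty table: treat as malformed */
    if (h->frame_count > SIZE_MAX / h->frame_size)
        return 0;                                /* count * size would overflow */
    size_t total = (size_t)h->frame_count * (size_t)h->frame_size;
    if (total > max_bytes)
        return 0;                                /* implausibly large for one table */
    *out = total;
    return 1;
}

/* Write a header followed by zeroed frame data into buf (host byte order,
 * constructed format). Returns bytes written, or 0 if buf is too small. */
size_t build_table(uint8_t *buf, size_t cap, uint32_t count, uint32_t size)
{
    struct frame_table_hdr h = { count, size };
    size_t payload = (size_t)count * (size_t)size;
    if (cap < sizeof h + payload)
        return 0;
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 0, payload);
    return sizeof h + payload;
}

/* Parse a buffer with the hardened check and also verify the input really
 * contains the bytes the header promises. Returns frames accepted, or -1. */
int parse_frames(const uint8_t *buf, size_t len)
{
    struct frame_table_hdr h;
    size_t total;
    if (len < sizeof h)
        return -1;
    memcpy(&h, buf, sizeof h);
    if (!checked_table_bytes(&h, MAX_TABLE_BYTES, &total))
        return -1;
    if (len - sizeof h < total)
        return -1;                               /* truncated: header overstates length */
    uint8_t *frames = malloc(total);
    if (!frames)
        return -1;
    memcpy(frames, buf + sizeof h, total);       /* safe: total was validated above */
    free(frames);
    return (int)h.frame_count;                   /* fits int: total <= 1 MiB, size >= 1 */
}

int main(void)
{
    struct frame_table_hdr hostile = { 0x10000u, 0x10001u };   /* constructed hostile header */
    size_t out;
    printf("naive size for hostile header: %u bytes\n", naive_table_bytes(&hostile));
    printf("checked size accepted: %d\n", checked_table_bytes(&hostile, MAX_TABLE_BYTES, &out));

    uint8_t buf[8 + 64];
    size_t n = build_table(buf, sizeof buf, 4u, 16u);          /* constructed benign table */
    printf("benign table: %d frames parsed\n", parse_frames(buf, n));
    printf("truncated table: %d\n", parse_frames(buf, n - 32));
    return 0;
}
```

    The second check in parse_frames matters as much as the first: a header that passes the multiplication test can still promise more frames than the file actually carries, and a reader that trusts the count rather than the remaining length walks off the end of its input.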

    End users can block this threat from the onset by downloading Trend Micro Mobile Security (TMMS), which can detect threats like malicious apps that may exploit this vulnerability. We also recommend that device manufacturers regularly patch their devices’ OS to prevent users from suffering attacks such as the ones discussed.

    Data breaches rarely make for sensational news. Media outlets may report about them but public interest often dies down after a week or two.

    Or that was the case until the Ashley Madison breach happened. The recent leak of the Ashley Madison accounts is the culmination of a month-long digital stand-off between the site that blatantly encourages people to have affairs and a hacktivist group called the Impact Team.

    Last July, Ashley Madison reported that they became victims of a data breach. The Impact Team took credit, demanding that the site and another related site be taken offline permanently. The hackers then proceeded to leak snippets of account information as well as company information, including internal company servers.

    The group made good on their threat as the accounts soon found their way into the Deep Web. The leaked information had several revelations. For example, 15,000 accounts had either a .mil or .gov email address. Combing through the addresses, other media outlets have found that work emails were frequently used in accounts.

    (Funnily enough, the leak presented proof that the site practiced some security measures not found in other sites. For example, the passwords were stored using some form of encryption and not just in plaintext.)

    Some have pointed out that users shouldn’t have expected their information to be kept safe, considering the very nature of the website. But removing the moral implications of the site, Ashley Madison assured customers that their information would be kept private and even offered a paid service to delete user data permanently—which it failed to do on both counts.

    Addressing Data Breaches

    This leak proves that many organizations are not ready to deal with a data breach: either by preventing one in the first place or managing one after it’s occurred. This is very problematic given the real-world implications of data breaches.

    “Reputational risk is real if you do not actually invest in next-generation cybersecurity. The hackers of the world will bypass the traditional security defenses that are advocated by major standards organizations like the Payment Card Industry Security Standards Council (PCI SSC),” says Tom Kellermann, chief cybersecurity officer for Trend Micro in an interview.

    This is especially so in the case of Ashley Madison or many other sites working on the premise of keeping their users’ actions discreet and private.

    In an ideal scenario, security measures against data breaches should be put in place even before such incidents occur. For example, organizations should assess the type of data that they ask from users. Do they really need certain specifics beyond contact and financial information? Even non-essential nuggets of information can be seen as sensitive—especially when used as building blocks to complete a victim’s profile.

    Encrypting sensitive information and restricting access to it goes a long way in mitigating possible intrusions, especially from internal hackers. Some have speculated that the Ashley Madison breach was an inside job; if that were the case, stricter access control could have made it harder to get the data.

    When it comes to data breaches, it is no longer an issue of “if” but “when.” So even with these preventive measures in place, organizations should assume that there is an intruder in the network. With that thought, continuous monitoring of systems should be implemented to look for suspicious activity.

    With all these in mind, organizations need to deploy a concrete multi-layered defense system as a proactive step against data breaches, as follows:

    • Deploy web application firewalls (WAF) to establish rules that block exploits especially when patches or fixes are still underway.
    • Deploy data loss prevention (DLP) solutions to identify, track, and secure corporate data and minimize liability.
    • Deploy a trusted breach detection system (BDS) that does not only catch a broad spectrum of Web-, email- and file-based threats, but also detects targeted attacks and advanced threats.

    But what should orgs do after a data breach happens? Firstly, they should confirm if a breach did occur. Victims should learn of the breach from the affected organization, never from the media. Orgs need to state all that they know about the incident, such as the time the incident occurred.
