    TrendLabs Security Intelligence Blog

    Author Archive - Jonathan Leopando (Technical Communications)




    There is one truly remarkable aspect about the social media services that people take for granted: they don’t ask their users for anything. You can talk with as many friends, take as many selfies, post as many status messages, all without paying anything.

    That may be true at face value, but it isn’t the whole story. It’s said that “if you’re not paying for it, you’re the product.” In the world of social media, that’s definitely true. Social media companies all need to pay the bills (and more), and the most common way of doing so is by selling ads.

    Not only do they sell ads; these ads are targeted, based on what you do, say, and share on these sites. The social networks will even try to sell this as a feature, hailing these as “relevant” ads.

    Is my personal information being sold?

    Not really. The information that social networks hold about any user is far too valuable to be sold off; that information is why social media companies are worth billions of dollars. Instead, the information is used to let advertisers and marketers target users with remarkable specificity.

    For example, an advertiser who wants to sell car accessories may choose exactly who they want to show their ads to: males of a specific age group who already “like” certain car makes, and so on. (Purely by coincidence, this week a gathering of advertisers and marketers is being held in New York as part of Advertising Week.)

    Note that in theory, all of this information is anonymized. In practice, this means only that your name is not attached to the information. Depending on how much information you give about yourself, and which privacy settings you use, someone might be able to identify you anyway.

    In the future, not only could your data be used to customize your ads; you yourself could be used in advertising. Under proposed policy changes, your name and picture can be used for advertising within Facebook as well, without your direct consent. So, for example, if you “like” a certain brand, they can use your picture in their Facebook ads.

    “Yes, I want my ads to be relevant to me. I don’t mind brands that I like letting others know that I like them.”

    Some users may actually welcome these developments. Others, however, will be more skeptical. Some may even consider it equivalent to stalking, while others will just find it “creepy”.

    Others may object at this point: hang on, I didn’t agree to this! As a matter of fact, you did. By merely agreeing to use any social media site, you agree to its terms. And if, due to the network effect, you need to use a social network to stay in touch with others, you’re basically out of luck.

    Whatever the case, this is something that people should be mindful about. Social media sites will use your data to profit – and not necessarily by “selling” your information. You may not be paying with money, but you’re paying with your information.

    There are two things users can do. First, be careful about what you share: social media sites can’t profit from what they don’t have. Second, if privacy controls and opt-outs exist, use them. You won’t always have a choice about protecting your information, but where you do, using these controls also sends a message about how much you value it.

    Of course, if you’re on social media, the sites themselves are not the only potential parties you may want to protect your data from. Other users and third-party apps are on this list. To learn how to use the privacy features of social networks to your full advantage, you can consult our digital life e-guide, How to Protect Your Privacy on Social Media.

    Posted in Social



    The annual gathering in the Las Vegas heat known as DEF CON is always… interesting. Newly discovered potential threats that are talked about in DEF CON are always intriguing, to say the least. There were plenty of good talks, but there were several common threads that piqued my interest.

    Unconventional Threats

    By “unconventional” I mean threats against devices that people outside of the security community (and even some inside it) would not consider to be targets. Charlie Miller and Chris Valasek talked about how cars could be “hacked” if an attacker gained access to the car’s internal networks. Another talk, smartly called “Home Invasion 2.0”, discussed how many networked devices (home automation systems, baby monitors, and even toilets) are insecure. This has been discussed by our researchers before, as well as by our CTO in our 2013 predictions. The insights they shared then are similar to the concerns raised in the talks I mentioned: these systems were not designed with attacks in mind.

    Designing secure systems, as opposed to systems that “just work”, is hard. It takes more time, more resources, and more money. It also requires the vendor to be aware that their system needs securing in the first place.

    These unconventional threats will be a significant problem moving forward. We are seeing devices connected to the Internet that have few good reasons, if any, to be online. Hopefully it won’t take long before the importance of securing these devices is recognized.

    Conventional Threats Still Ripe Targets

    Don’t assume that conventional threats have gone away. Chema Alonso’s talk discussed the serious risks of IPv6 in existing networks, thanks in part to operating systems enabling it by default. The talk also included the release and a demo of a new tool called Evil FOCA, which makes ordinary man-in-the-middle attacks easy to carry out.

    BYOD was under fire, too. Problems with WPA2-Enterprise wireless access were the subject of two separate talks, punctuated by DEF CON itself shutting down its own secure wireless network midday on the last day of the conference! In some ways, the problem is less broken protocols and more broken processes: secure protocols exist, but they aren’t used because they are harder to deploy and use.

    In short: the rise of “unconventional” threats does not mean “conventional” threats will go away. And in many cases, security “problems” are human in nature, not purely technical.

    The Snowden Factor

    Of course, you couldn’t talk about DEF CON without talking about the issues raised by Edward Snowden’s revelations. After all, DEF CON founder Jeff Moss (known by his handle, The Dark Tangent) asked “feds” to stay away this year. Attendees made their feelings on the matter known, with (multiple) Snowden cutouts making the rounds of the hallways and by attending talks by the American Civil Liberties Union (ACLU) on the subject. No one who has followed the ACLU’s position will be surprised by what was said, but the depth of concern (to say the least) among attendees should not be underestimated. Whatever one feels about Snowden, the impact will be felt for quite some time.

    It’s quite a turnaround from just last year, when NSA director General Keith Alexander gave a well-attended talk. (Alexander was also present at Black Hat this year.) Privacy from government surveillance has always been a worry for the DEF CON audience, but the concern this year was, without doubt, unprecedented.

    Conclusions

    What DEF CON 21 boils down to is this: good security is hard. For new, Internet-enabled gadgets, we’re finding out what happens when unsecured systems are targeted by smart people trying to break them. In the “post-PC era”, it will only get harder as more and more targets come online. Things could get interesting, in all senses of the word.

    Posted in Bad Sites, Internet of Everything, Mobile



    As more and more users entrust parts of their digital lives to the cloud, they’re increasingly running into a problem: it doesn’t always last forever. More specifically, cloud services that people have relied upon are just like any other business: they can close their doors.

    Just in the past few weeks, here are some cloud services that have shut down or drastically changed their offerings:

    Some changes to these services have also come with significant “birth pains”. Take MySpace, which had been rolling out new features for some time and relaunched with new branding last June. Some commended the relaunch, but its remaining loyal users were upset when the restart deleted their content.

    The rapid pace of innovation in mobile and cloud services means that, unfortunately, services which fail to become profitable quickly are shut down as well, even if they have many users who depend on them. So what can you, as a user, do to minimize the risk if this happens to you?

    There’s not much you can do about services that use data that isn’t yours (like, say, video and music streaming services). However, for your own data – like documents, pictures, and news feeds – there are steps you can take.

    Remember the traditional 3-2-1 rule for backups: at least three copies, on at least two different media, with at least one copy off-site. A copy in the cloud can satisfy the last two requirements, but only if you also keep copies of your data outside of any particular service’s own closed cloud; a single copy that lives only on one provider’s servers is not a backup.

    This means, for example, storing a copy of your movies and pictures on your device (or even another cloud service). For every cloud service you use, the procedure would be different, but the concept is the same: make sure your data exists in some form outside of any app or service’s own servers.

    Preparing for a cloud service going offline may seem like an extreme precaution, but aside from a service going away completely, there are many other scenarios where you’d want to access your cloud data offline: you’re somewhere with non-existent, insecure, or expensive Internet access, or the service is down for maintenance or because of a security breach.

    For cloud service providers, it is best to announce any major changes (or a shutdown) months ahead. The recent shutdown of Google Reader was a good example of an effective announcement: the effect on users was minimal (other than having to find an alternative service, of course). The MySpace gaffe, unfortunately, shows how changes or improvements can go awry.

    The underlying fact: “going to the cloud” is not an excuse to manage your data poorly. You still have to be responsible for your data and avoid putting all your eggs in one basket. For more information on how to protect your data in the cloud, you may read our Digital Lifestyle E-Guide Keeping Your Cloud Data in Check.

    Posted in Social



    Trend Micro researchers have uncovered a targeted attack launched against government agencies in various countries. The email claimed to be from the Chinese Ministry of National Defense, although it appears to have been sent from a Gmail account and did not use a Chinese name.

    Figure 1. Fake message

    The email carries a malicious document attachment, which exploits a vulnerability in Microsoft Office (CVE-2012-0158, affecting all versions from Office 2003 to Office 2010) that was patched more than a year ago. The exploit drops a backdoor onto the system, which steals login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook. (It also opens a legitimate “dummy” document, so that the target believes nothing malicious has happened.) Any stolen information is uploaded to two IP addresses, both located in Hong Kong.

    This particular attack was aimed primarily at personnel of European and Asian governments. The message was sent to 16 officials representing European countries alone. The topic of the email, and of the attached document, would be of interest to these targets. In addition, the information stolen, and where it was stolen from, is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook.
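    As an added example (my own code, not part of the original post and not Trend Micro’s detection logic), here is a small triage scanner for the kind of document used in this attack. It decodes the hex-encoded OLE objects carried in an RTF file’s \objdata groups and flags any that reference the MSCOMCTL.OCX ListView or TreeView controls, the component in which CVE-2012-0158 lives. The ProgIDs and CLSIDs in the table are from my own notes, not from the post, and should be checked against the MSCOMCTL.OCX registration on a reference machine; the sample RTF is constructed for this example and is inert (it carries the control’s name and CLSID, not the malformed stream that triggers the overflow).

```python
import re
import struct
import uuid

# MSCOMCTL.OCX controls that CVE-2012-0158 affects: ProgID -> CLSID.
# Assumption: taken from my own notes, verify against a reference registry.
MSCOMCTL_CONTROLS = {
    "MSComctlLib.ListViewCtrl.2": "BDD1F04B-858B-11D1-B16A-00C0F0283628",
    "MSComctlLib.TreeCtrl.2": "C74190B6-8589-11D1-B16A-00C0F0283628",
}

# An \objdata group holds the embedded OLE object as a run of hex digits,
# usually wrapped across many lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def decode_objdata(hexrun: bytes) -> bytes:
    """Turn an \\objdata hex run into raw bytes, tolerating a dangling nibble."""
    hexstr = re.sub(rb"\s+", b"", hexrun)
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr.decode("ascii"))


def scan_rtf(data: bytes) -> list:
    """Return sorted (kind, value) pairs for each MSCOMCTL indicator found.

    The raw RTF text is searched (this catches \\objclass ProgIDs and CLSIDs
    written as text) and so is every decoded \\objdata blob (this catches the
    ProgID in the OLE1 header and the little-endian CLSID in the OLE2
    directory entry of the embedded compound file).
    """
    views = [data] + [decode_objdata(m.group(1)) for m in OBJDATA_RE.finditer(data)]
    hits = set()
    for blob in views:
        lowered = blob.lower()
        for progid, clsid in MSCOMCTL_CONTROLS.items():
            if progid.lower().encode() in lowered:
                hits.add(("progid", progid))
            if clsid.lower().encode() in lowered or uuid.UUID(clsid).bytes_le in blob:
                hits.add(("clsid", clsid))
    return sorted(hits)


def build_sample_rtf(progid: str = "MSComctlLib.ListViewCtrl.2") -> bytes:
    """Constructed sample: an RTF embedding an OLE object that names the control.

    Only the OLE1 header (version, format id, class-name) and the CLSID bytes
    an OLE2 directory entry would carry are emulated. The malformed property
    stream that actually triggers CVE-2012-0158 is deliberately absent, so the
    file is inert and exists only to exercise the scanner.
    """
    name = progid.encode() + b"\x00"
    ole1_header = struct.pack("<III", 0x00000501, 2, len(name)) + name
    clsid_bytes = uuid.UUID(MSCOMCTL_CONTROLS[progid]).bytes_le
    hexrun = (ole1_header + clsid_bytes).hex().encode()
    # Word writes the hex in fixed-width lines; mimic that so the regex has to cope.
    wrapped = b"\n".join(hexrun[i:i + 64] for i in range(0, len(hexrun), 64))
    return b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata\n" + wrapped + b"}}}"


if __name__ == "__main__":
    for label, doc in (("sample", build_sample_rtf()), ("plain", b"{\\rtf1 Hello}")):
        print(label, scan_rtf(doc))
```

    A hit means only that the document embeds the vulnerable control, which legitimate documents rarely do but can, so treat it as a triage signal rather than a verdict. Evasive samples that split the hex run with control words, nest extra groups, or use binary \bin runs need a proper RTF parser; this scanner is meant to be readable, not complete.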

    It’s worth noting, however, that Chinese media organizations were also targeted by this attack. The backdoor itself has also been detected in the wild – but, interestingly, it has been most frequently seen in China and Taiwan, with a more limited presence in other Asian countries.

    The vulnerability used in this attack is one commonly used in targeted attacks. High-profile campaigns like Safe and Taidoor have made use of it; if anything, it is a commonly exploited flaw in sophisticated campaigns.

    Trend Micro products already detect all aspects of this threat – the message and C&C servers are now blocked; the malicious attachment is detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK. In addition, Deep Discovery was able to protect our customers by heuristically detecting the malicious attachment using the ATSE (Advanced Threats Scan Engine).

    Based on analysis by Jayronn Bucu.




    Last week, security researchers announced a new vulnerability for Android phones which could allow installed apps to be modified without the user being aware of it. Almost all Android devices are vulnerable, as the vulnerability has existed since Android 1.6 (Donut), and currently only the Samsung Galaxy S4 has been patched to protect against it.

    The vulnerability – known in some quarters as the “master key” vulnerability – has attracted considerable media attention, but it has not always been accurately reported. We have updated Trend Micro Mobile Security to protect our users, but at the same time we wish to clarify what’s going on, what the threat is, and what users can do.

    What’s this “master key” vulnerability?

    The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route. An app can only be updated if the new version has a matching signature from the same developer.

    This particular vulnerability is in that last step. Researchers found a way to modify the contents of an app package without invalidating the original developer’s signature, so an attacker can push an update to an already installed app even without the developer’s signing key. In short, any installed app can be updated with a malicious version.

    Note that technically, no “master key” has been breached. Any app can be modified and used for malicious purposes, but there is no “master key” in the first place: the flaw is in how the signature is checked, not in any key.
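    The post does not describe the mechanism, so here is an added illustration (my own code, not from the original post or from the researchers who disclosed the bug). The publicly reported root cause is that an APK, which is a ZIP archive, could contain two entries with the same name, and the code that verified the signature and the code that installed the app did not agree on which entry to use. The snippet builds such an archive (a constructed sample, not a real APK), shows that two reasonable readers of the same file return different bytes for classes.dex, and then implements the check an installer wants: refuse any archive in which the two views can differ.

```python
import hashlib
import io
import warnings
import zipfile


def build_apk(entries):
    """Write (name, bytes) pairs into an in-memory zip, keeping duplicate names.

    Python's zipfile only warns about a duplicate name and then writes the
    second entry anyway, which is exactly the shape of archive we want to study.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
            for name, payload in entries:
                z.writestr(name, payload)
    return buf.getvalue()


# Constructed samples, not real APKs: classes.dex appears twice in the tampered one.
TAMPERED_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035\x00 original code, covered by the developer signature"),
    ("classes.dex", b"dex\n035\x00 attacker code smuggled in as a second entry"),
])
CLEAN_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035\x00 original code, covered by the developer signature"),
])


def read_first_match(apk: bytes, name: str) -> bytes:
    """Return the FIRST central-directory entry with this name (one parser's view)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if info.filename == name:
                return z.open(info).read()
    raise KeyError(name)


def read_last_match(apk: bytes, name: str) -> bytes:
    """Return the LAST entry with this name (another parser's view).

    zipfile.ZipFile.read() behaves this way because its name-to-entry map is
    overwritten by each later duplicate while the central directory is parsed.
    """
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.read(name)


def duplicate_entries(apk: bytes) -> list:
    """Names that occur more than once in the central directory."""
    seen, dups = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if info.filename in seen:
                dups.add(info.filename)
            seen.add(info.filename)
    return sorted(dups)


def digest_view(apk: bytes, reader) -> dict:
    """sha256 of every distinct entry name as seen through a given reader."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = sorted(set(z.namelist()))
    return {n: hashlib.sha256(reader(apk, n)).hexdigest() for n in names}


def safe_to_install(apk: bytes) -> bool:
    """Accept only archives with no duplicate names and identical views.

    A signature check is only meaningful if the bytes it hashed are the bytes
    that get installed; when two entries share a name that guarantee is gone,
    so the archive is rejected before any signature is even examined.
    """
    if duplicate_entries(apk):
        return False
    return digest_view(apk, read_first_match) == digest_view(apk, read_last_match)


if __name__ == "__main__":
    print("first :", read_first_match(TAMPERED_APK, "classes.dex"))
    print("last  :", read_last_match(TAMPERED_APK, "classes.dex"))
    print("dups  :", duplicate_entries(TAMPERED_APK))
    print("safe  :", safe_to_install(TAMPERED_APK), safe_to_install(CLEAN_APK))
```

    The two readers are both legitimate ways to resolve a name in a ZIP central directory, which is the whole problem: a verifier that hashes one view while the installer extracts the other has verified nothing. Rejecting duplicate names outright, as the check above does, is simpler and safer than trying to pick the “right” entry.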

    What are the risks?

    This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.

    Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker.

    What can users do to protect themselves?

    We’ve updated our Trend Micro Mobile App Reputation Service to detect apps that abuse this vulnerability, but so far we have not found any. Nonetheless, for users of Trend Micro Mobile Security, we have released an update to the pattern to ensure that we will detect apps that target this particular vulnerability. (All users with pattern version 1.513.00 or later are covered. Apps found exploiting the vulnerability will be detected as Android_ExploitSign.HRX) This is sufficient to ensure that our users are protected from this threat.

    We strongly suggest disabling the ability to install apps from sources outside of Google Play. This setting can be found under Security in the system settings of Android devices.

    Google has made some steps to protect users. They’ve modified the backend of their online store so that apps that try to exploit this problem are blocked. Thus, users who do not download apps from third-party stores or sideload APK files should not be at risk from this threat. The company also released a fix for the vulnerability and distributed it among OEMs. Hopefully, the importance of this update will prevent delays in its deployment.

    Update as of July 11, 2013 3:43 AM PST

    We have found a report of a different approach to the same attack (bypassing Android’s signature checking), this time using a vulnerability in the Java ZipFile implementation. We are currently working on a solution; malicious apps found using this technique will be detected as AndroidOS_ExploitSign.HRXA.

    Posted in Exploits, Mobile


    © Copyright 2013 Trend Micro Inc. All rights reserved.