Yesterday, Microsoft’s Dick Craddock posted a blog entry describing a new feature that was recently added to Hotmail. This feature allows users to easily report when they think a friend’s email account has been hacked. Overall, this is quite a clever idea and a good move from Microsoft toward better securing its Hotmail service. This announcement comes hot on the tail of a publication of a report that shows that spammers are switching to using compromised accounts instead of directly sending mail from bots.

The idea behind the feature is that when an account is compromised, it is often used to spam the compromised user’s friends. This new system allows those friends to act as an early warning system in addition to Hotmail’s other account compromise detection features. Hotmail will even send notifications to Gmail and Yahoo!’s mail team if they find out that accounts from those providers have been hacked.

It’s very positive to see steps like this being added by online mail providers and I wouldn’t be surprised to see other providers follow suit. Microsoft is also enhancing its weak password detection in order to force users to use stronger passwords. This is also a good idea, as it will help protect users against attackers who manually guess their passwords but will be less effective at stopping account compromises from malware. Most modern data-stealing malware will intercept all Web passwords and send these back to the attacker so, unfortunately, it does not make much difference if your password is 123456 or if it looks like a cat ran across your keyboard.

Read the rest of this entry »

Provocative headline, isn’t it? Well, yes, but stay with me for a bit. Let me explain why lying online may be a good thing.

If you’re not worried about data breaches yet, you ought to be. It seems that data loss issues have been cropping up left and right. In an ideal world, sites and institutions would do a much better job of securing our data. However, we’re not yet in that ideal world so we just have to deal with the consequences.

Unfortunately, the advice that’s normally given tends to amount to “be careful about what you were already doing.” The truth is that once your data has been stolen, it’s out in the wild for online crooks to play with. You may not suffer immediate problems—not unless your financial information was leaked—but I’d still rather not have my email address in an online gang’s address book.

The bottom line is that everyone online—that means you and me, reader—has to be responsible for their data. Too many sites ask for too much information, which you may not want them to know. Does a message board really need to know how much money you earn, what industry you work for, or when your birthday is?

Read the rest of this entry »

In a recent Reuters article, Italian security researcher Rosario Valotta described a new zero-day attack on Microsoft’s Internet Explorer (IE) browser that he has named “cookiejacking.”  The main idea behind cookiejacking has actually been around for several years now—better-known names for this technique are side-jacking or session hijacking. However, what Rosario discovered is a new delivery for this attack that is based on social engineering users to help the attacker exploit a bug in IE.

According to the report, the vulnerability affects all versions of IE, including IE 9, on every version of the Windows OS. To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC’s screen before the cookie can be hijacked.

The researcher cited an example where he used social engineering in the form of a puzzle to entice users to “undress” a photo of an attractive woman. For those of you interested in reading the full details of the attack, you can find it here.

Read the rest of this entry »

Following my recap of the first day of “Blackhat Europe,” here are a couple of choice highlights from day 2:

• Starting the day, Sebastian Muniz and Alfredo Ortega took the audience on a tour of the innards of the Cisco IOS (that’s a capital i for all you Mac users). I never looked at Cisco IOS in the past and this talk gave a really good overview. Some things were probably not new for those familiar with IOS but they were all new for me, including the fact that all processes on Cisco IOS share the same memory space, with no boundaries between them. This means that any process on the device can easily access the memory space of any other process. The presenters went on to give a very good talk on how to debug code on the IOS as well as how to carry out testing using fuzzing.
• Next up was the compulsory session on Stuxnet (it’s actually been nine months since it was discovered). Happily, however, Tom Parkers focused more on the field of malware attribution (i.e., looking for hints that may reveal who is behind a particular malware attack). Some things to consider include the level of technical knowledge required to create the malware (how many zero-day vulnerabilities were used, customer encyptors etc.), how much planning was required, what resources the attackers needed to test out the malware, and so on. Looking to see if the code was designed to bypass certain security solutions also indicated that the attackers have these security solutions installed on their test environments. Tom also looked at malware correlation—looking for parts of the malware code that are common among different attacks—linking those attacks together. All in all, an interesting talk and, if you are interested, a couple of his slides from the earlier “Blackhat DC” are up here.

Read the rest of this entry »

It’s been almost three weeks now since “Blackhat Europe” was held in Barcelona, Spain, wherein some of Trend Micro’s threat researchers attended interesting workshops and scheduled talks. Rather than give an in-depth rundown of each of the talks we attended, I wanted to give an overview of some of the highlights of overall event, at least from my perspective. By the way, if you do want more detailed information on the talks, Peter Van Eeckhoutte of the Corelan security team has an excellent blog series here and here.

• Roelof Temmingh and Andrew Macpherson hosted a very good workshop on how to extend the excellent open source intelligence tool Maltego to include your own custom functions. Most security researchers should already be familiar with Maltego but may not be aware that it is possible to customize it to suit your own needs. Want to write a tool to map people on a particular social networking site to their email address or to map a domain to some other information based on some internal company database you control? Well, Maltego is definitely worth a look here and is easy to extend using the Transform Distribution Server or Local Transforms. People have even coded application programming interfaces (APIs) to make everything even easier, including Ruby one from yours truly.
• Nitesh Dhanjani talked about some of the new attacks against Apple’s iOS, particularly looking at how the browser reacts to protocol handlers like skype:// or gtalk://. Nitesh gave an example showing how a Skype call can be triggered without any interaction using a simple iframe on a website. He also pointed out something that I was unaware of (I’m an n900 user), that iOS will hide the URL bar after visiting a site. That makes a lot of sense from a usability perspective (especially on the iPhone where every pixel of screen should be optimized for viewing). This is, however, a very useful feature for attackers creating phishing sites. If they see a request coming from an iOS device, they can put a fake URL bar at the top of the page with the legitimate banking website on it, hence fooling the user into believing they are on the correct page.

Read the rest of this entry »