Be Careful What You Screenshot …

One of the latest stories from the security world is about a Christian pastor caught undertaking the kind of web browser activity you would not expect (or maybe you would), because he had taken a screenshot (presumably to capture the results of a search) which, in addition to the information he expected, also contained the titles of web pages on other tabs.

However amusing (or not) we may find this story, it is a good reminder that whenever we distribute information of any kind it is worth bearing stories like this in mind and checking:

  • If you are sending someone a screenshot, either make sure the rest of the screen does not contain information you do not want to be disclosed, or edit down the screenshot so that it only shows the area of interest (i.e. just the error message).
  • If you are forwarding an email on to someone who has not been part of the discussion, is there part of the email that you should possibly not share? Forwarding a whole chain of conversation has led to legal action in the past!
  • When sharing a Google document in editable form, does the revision history contain any embarrassing revisions? Anyone with rights to edit can browse through every version of that document!

Apache: Using X-Frame-Options To Evade Click-Jacking

Click-Jacking: the Wikipedia article on it tells you all about what it is.

This posting is about how to stop security scans telling you to disable click-jacking, if you are using the Apache web server software. If you’re using IIS, you are on your own for now (but searching for “IIS X-Frame-Options” will get you started).

The aim here is to change the configuration of Apache to send an X-Frame-Options HTTP header saying “don’t embed this page in a frame”. This involves changing the Apache configuration file(s).

Firstly make sure that you are loading the Apache module to modify HTTP headers :-

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

This may be enabled by default on less minimalistic Linux distributions. Next, for every virtual server, add the following :-

Header always append X-Frame-Options DENY

The two options for the word at the end that work reliably are: DENY (don’t permit framing at all), and SAMEORIGIN (only permit framing from the same server). There is a third option, but it may or may not be universally supported by browsers.
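Once the directive is in place it is worth confirming what the server actually sends, since a header that is missing, duplicated or malformed gives no protection. The following checker is an added example, not part of the original post: capture the headers with `curl -sI https://your.site/` (host name is an assumption) and pass the text to check_x_frame_options(); the sample responses in the block are constructed, not captured from a real server.

```python
"""Check a raw HTTP response header block for a usable X-Frame-Options header."""

# DENY and SAMEORIGIN are supported everywhere; ALLOW-FROM is the third
# value, and it is the one that is not universally supported.
PORTABLE_VALUES = {"DENY", "SAMEORIGIN"}


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP/1.x response header block."""
    headers = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and the blank terminator
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_x_frame_options(raw):
    """Return (ok, detail): ok is True only when exactly one X-Frame-Options
    header is present and carries a single portable value."""
    values = [v for n, v in parse_headers(raw) if n == "x-frame-options"]
    if not values:
        return False, "header missing: add 'Header always set X-Frame-Options DENY'"
    if len(values) > 1:
        return False, "header sent %d times; send it exactly once" % len(values)
    value = values[0]
    if "," in value:
        # 'Header append' merges with a header that something upstream (an
        # application or proxy) already set, yielding "DENY, DENY", which is
        # not a valid value. 'Header always set' replaces it instead.
        return False, "comma-separated value %r; use 'Header always set'" % value
    if value.upper() not in PORTABLE_VALUES:
        return False, "value %r is not portable across browsers" % value
    return True, value.upper()


# Constructed sample responses: one correct, one with the header missing,
# one showing the result of appending to an already-set header.
GOOD = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n"
        "Content-Type: text/html\r\n\r\n")
MISSING = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
APPENDED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: DENY, DENY\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("missing", MISSING), ("appended", APPENDED)):
        print(label, check_x_frame_options(sample))
```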


Ransomware for OSX

It turns out that ransomware is no longer just for Windows; OSX has it too.

If you use the OSX version of the Transmission Bittorrent client, you may want to check what version you are running because version 2.90 was in some cases infected with the first effective ransomware malware for OSX.


Firewall Vulnerability Alerts

We are just about to enable something that will email people when there is a critical firewall alert relating to an attempted exploit.

During normal web browsing activity (although not when the web site is encrypted with https), the firewall keeps an eye on the “stuff” that is coming back from the web site. If it spots an attempt to exploit your web browser, it will block it, and log the details into the firewall logs.

We are then post-processing the firewall logs to send out these alerts.

What Should I Do With One?

First of all, don’t panic. You do not have to do anything if you receive an alert.

The firewall has blocked the attempted exploit, and unless you are running an outdated web browser it probably would not have worked anyway. Of course if it was an attempted exploit against Adobe Flash, or Java, then it could well have worked if the firewall had not blocked it.

The alert is simply a mechanism to let you know that the firewall has protected you. It’s also an indicator that letting outdated software (web browsers, plugins like Flash and Java) loose on the Internet is going to lead to tears.

But I Keep Getting Them

In normal circumstances, just about anyone can expect the occasional alert from the firewall. If you keep getting alerts day after day (you shouldn’t get more than one alert per day!), then it may well be worth seeking advice because the level of alerts is unusual.

Amongst other things it may well be worth spending some time getting acquainted with security advice – if you’re getting attacked more often than is commonly the case, it makes sense to find out about protection.

What Is The “ANGLER Exploit Kit” ?

By far the most common vulnerability the firewall is blocking (at least to desktop machines; servers see a whole different bunch of exploits) is the various versions of the “ANGLER Exploit Kit”.

This is a particular version (i.e. it is sold by one particular gang of criminals) of a web-browser exploit kit. When you make a connection to a web server that has the ANGLER exploit kit installed, it will respond with various tuned attacks against your browser – so if you are running Internet Explorer, it won’t bother using Chrome vulnerabilities, and if you have Flash installed it will try to exploit that.

Essentially there are thousands of different ways of exploiting a vulnerability in your browser’s execution environment, and an exploit kit makes it easier for criminals to pick the right set of exploits to try against you.

Once it has successfully exploited your browser it will probably try to get your browser to download some more malware that will persist on your machine, spy on what you are doing, and leak your banking credentials up into the cloud.

But the firewall has blocked it.

How Can I Protect Myself At Home?

At work, the firewall protects you (except if the web site is encrypted with https). But at home?

There are two methods you can use to protect yourself at home. If you are engaged with work activities, there is a lot of sense in using the VPN (see http://ithelp.port.ac.uk/questions/433/ for instructions). With the VPN turned on, all your Internet activity will go via the firewall (wherever you may be), so you will gain the benefit of the added protection of the UoP firewall.

If that is not an option you are comfortable with, then you can look at more conventional methods of protection, which are detailed below.

Check Your Anti-Virus Protection

Although not a guarantee of protection, having anti-virus protection on your PC is certainly a last level of defence against getting infected with something nasty. It is not just a matter of having an anti-virus product installed, you should also periodically check that it is still healthy and getting updates.

It is not unknown for people to not be aware that their antivirus subscription has lapsed and they are not getting updates. How do we know this? Because such people get infected.

Different antivirus products operate differently, but if you happen to be using Windows Defender (built into Windows 10), then hit the Start button, search for Defender, and then run “Windows Defender” (which should appear in the search results).

You should then be able to get to a screen looking like :-

[Screenshot: Windows Defender status screen, 2016-03-01]

As long as the “Definitions last updated” field reads as the current day, then updates are being applied.

Is Your Browser Updated?

The very first avenue of attack for an Internet hacker is the browser you are using. If it has not been updated recently, then it is almost certainly vulnerable to being exploited. Recent versions of browsers try to update themselves automatically, but automatic things go wrong occasionally!

For details of updating browsers see the relevant link below :-

But I Need IE6 For …?

If you require an ancient web browser version for a particular site (such as your bank), then there are two recommendations :-

  1. Contact your supplier and complain about having to use an insecure web browser.
  2. Use your ancient browser only for the site in question; use a modern browser for everything else. It’s perfectly possible to run more than one web browser; even at the same time!

Flash: Just Say No, or at Least Opt In

The Adobe Flash plugin is the attackers’ weak spot of choice at the moment. It seems to be riddled with vulnerabilities, and rarely does a week go by without a firewall content update to combat Flash vulnerabilities.

The extremist solution to this problem is to remove the Flash plugin, but there are all those sites that still insist on using Flash for interesting (or fun) content. There is an intermediate level of protection you can use (at least with Chrome).

To do this, find Chrome’s Settings menu item, click on the Show Advanced option, scroll down to Privacy, click on Content Settings, and scroll through the pop-up until you see the settings for Plug-ins :-

[Screenshot: Chrome content settings showing the Plug-ins options, 2016-03-01]

Select “Let me choose when to run plug-in content” and then the Finished button. Once enabled, Flash content will appear on a web page like the following :-

[Screenshot: blocked Flash content placeholder on a web page, 2016-03-01]

If you want to enable the plugin for a particular part of the page, move the mouse pointer into the relevant area and right-click. The menu that appears will have a “Run this plug-in” item to select. Once selected the content will be downloaded and run.


Ransomware shuts local authority

Lincolnshire Council’s information systems were held to ransom on Tuesday, 26 Feb – for £1m to reinstate access. The breach was caused by a member of the council clicking on a link within a spam email.

So what can you do so it doesn’t happen here?

University “Managed Service” computers will have security updates installed automatically. However, if you are using a ‘department’ or ‘project’ computer then extra caution is required. If you are unsure – contact IS on ext 7777 for advice.

  1. Back up your important data to your Google drive. If it’s already on your Google drive then you should be OK. If your data is really critical to you then copy it to an external drive as well. Ask your service delivery manager for advice.
  2. Don’t click email attachments, especially if you’re not expecting them.
  3. Make your computer safe. Invest in anti-virus or anti-malware software from a reliable company.
  4. Keep the operating system, security programs and other applications updated – they need to be kept up to date or they just don’t work properly. Make sure automatic updating is turned on.
  5. If you’re the victim of a ransomware attack – don’t panic and don’t pay. Payment won’t guarantee that your data will be restored.

Have You Received An Invoice Spam?


The following is one of a number of spam messages that I received yesterday; all carefully filed away in the spam folder.

To Whom It May Concern,

Please find attached an invoice relating to Penalty Charge Notice Number IA54236946 along with a copy of the contravention.

In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don’t hesitate to contact me.

Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.

Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.

Regards,

Buddy

[invoice54236946.doc application/msword (23129 bytes)]

If you received something similar (and you probably did), the following may be of some interest.

Of course it was a spam message, and of course the attachment was a malware payload (which would not have been detected by the majority of anti-virus engines). The interesting thing (and an opportunity to demonstrate something) was that many of us will have received a number of copies.

I saved 14 copies of the attachment (don’t try doing this unless you really know what you are doing), and all were different. The files were all multi-part MIME files containing a JavaScript and a binary. The binaries were all different.

Loading one of them into VirusTotal revealed that only 3 AV products detected malware :-

[Screenshot: VirusTotal results for the attachment, 2016-01-07]

Three on the day after; on the day itself it was only two.

This illustrates several things :-

  1. Malware writers are still attempting to infect computers with nothing more sophisticated than click-to-infect where you rely on someone doing something less than clever.
  2. Malware writers are producing malware that morphs per message. It is possible that this invoice malware has a different binary signature for every single copy that was sent out (and probably millions were sent out).
  3. Anti-virus products don’t detect this malware at the initial stages (a 5% detection rate is small enough to say “don’t”).

OSX Malware: Yes It Does Exist!

One of the messages that we are regularly trying to push is that malware on Apple devices can and does exist. We have even encountered a few infected Apple laptops! It is easy to overlook amongst the ever rising flood of Windows-based malware that OSX malware is also a problem.

(Sourced from https://www.av-test.org/en/statistics/malware/ and yes there is something about January 2016)

The grand total for each month is a bit deceptive; whilst there are hundreds of millions of different malware payloads each month, most of them are variations on a theme. Initially the comparison with OSX malware instances is amusing :-

(Sourced from: http://www.bleepingcomputer.com/news/apple/2015-was-the-worst-in-history-for-osx-malware/)

After all 100,000,000 is far greater than 1,000; a hundred thousand times greater in fact. But you will probably find the overall total is far lower than it appears to be, and it essentially does not matter – the risk of getting infected with malware is not directly related to the number of malware instances there are out there.

It is in fact related to the number of infections and the behaviour patterns of the person who gets infected. Refusing to believe that OSX computers can get infected is one behaviour pattern that increases your chances of getting infected!

After all, the number of malware payloads out there in the wild is irrelevant; it is the malware payload that is running on your computer that counts.

So if you are running OSX, what should you do? Various things :-

  1. Keep your major version of OSX up to date. As of 2016-01-06, you must not be running anything earlier than 10.9, and there is really very little reason not to upgrade to 10.11.
  2. Keep your minor version of OSX up to date. You should check for updates in the App store every couple of weeks (or more often) and apply updates when they become available.
  3. Consider running an additional anti-virus package such as Sophos. Whilst Apple provides its own anti-malware protection mechanisms (including a conventional anti-virus product), it can make sense to run additional protection.
  4. Avoid clicking on links in messages (of any kind).
  5. Avoid downloading software from untrusted sources – peer to peer networks are infamous sources of malware-infected software packages. In fact, always download software from its original source – the company (or freeware developer) that actually wrote it.
  6. Consider periodically (once a week if you regularly install software, but at least once a month) running a package such as KnockKnock which checks what your Mac starts automatically.

Who Would Want To Hack My ${Device} ?

One of the most common things you hear when talking about security to ordinary people is a variation on the question asked in the subject: Who would want to hack my desktop, laptop, phone, router, intelligent thermostat, smoke detector, etc.

The easy answer is that any cyber-criminal who wants plausible deniability would.

Any cyber-criminal redirects their network activity through a collection of compromised devices which can include some surprisingly modest devices – I wasn’t joking about smoke detectors!

Of course routing rogue traffic through your devices isn’t the only thing that is possible – they can use their access to your devices to sniff on what you are doing or use their access to further compromise other devices. Whilst you may not visit your bank’s website using your smoke detector, once someone has access to your smoke detector, they can use that access to attack other devices on your network.

With or without lots of technical details, the fix is to keep things updated – not just the obvious computers like your laptop, but also the devices that come under the banner of the “Internet of Things”.


Forged @port.ac.uk Emails

As many are undoubtedly aware, there have been a number of instances where email has been forged so that it appears to be from someone with an email address ending in @port.ac.uk. In the cases IS has investigated, the email forgeries have not involved an account compromise.

Whilst account compromises do happen, email forgeries can take place without being able to get in to the sender’s account.

IS are investigating technical counter-measures, but none of the candidates can be implemented easily nor are such measures likely to be 100% effective. In the meantime, please be aware that emails with an address ending in @port.ac.uk may be forged.

Detecting such forgeries is more of an art than a science – or the counter-measures would be simple to implement. However there are usually some hints available :-

  • The sender address (or the “From” header) may contain a name that conflicts with the email address – such as “Sarah Williamson-Blythe <mike.meredith@port.ac.uk>”.
  • The salutation (“Hi!” , “Dear _”, etc.) may be unusually formal or unusually informal. How do people normally start an email to you?
  • The end of the email (or the “signature”) may look unusually plain, or different to that you normally see.
  • The subject may include suggestions of urgency (“Urgent”, “Priority”, “Immediate”, etc.).
  • The message itself may ask you to do something that you wouldn’t ordinarily expect from the sender, such as clicking on a link to pay some fees, enabling a quota, etc., or sending the supposed sender data that they need.
  • The language used within the message or the subject may be particularly ungrammatical (although not everyone has memorised “Eats, Shoots, and Leaves”) or use Americanizations.
  • If you start to reply, and the email address changes (i.e. what appears next to “To”) then there is something suspicious going on.

If an email is suspicious in any way, it is advisable to contact the alleged sender to see if they really did send it. Essentially these forged messages are ordinary (or not so ordinary) spam messages that use a forged @port.ac.uk to gain credibility.
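Several of the hints above (the From name conflicting with the address, the reply going to a different address, urgency in the subject) are mechanical enough to check automatically. The following is an added example, not part of the original post or any IS tooling: it uses only the Python standard library, both sample messages are constructed, and apart from the “Sarah Williamson-Blythe <mike.meredith@port.ac.uk>” From line taken from the post, every address and subject in them is an assumption.

```python
"""Score a raw email message against the forgery hints listed in the post."""
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "port.ac.uk"
URGENCY_WORDS = ("urgent", "priority", "immediate")


def name_matches_address(display_name, address):
    """True when the display name shares a word with the address's local part,
    e.g. 'Mike Meredith' and mike.meredith@port.ac.uk."""
    local_part = address.split("@", 1)[0].lower()
    address_words = set(re.split(r"[._-]+", local_part)) - {""}
    name_words = set(re.findall(r"[a-z]+", display_name.lower()))
    return bool(address_words & name_words)


def forgery_indicators(raw_message):
    """Return a list of human-readable hints that the message may be forged."""
    msg = email.message_from_string(raw_message)
    hints = []
    name, addr = parseaddr(msg.get("From", ""))
    if addr.lower().endswith("@" + OUR_DOMAIN):
        # First hint: the display name conflicts with the address.
        if name and not name_matches_address(name, addr):
            hints.append("From name %r conflicts with address %s" % (name, addr))
        # Last hint: a reply would go somewhere other than the apparent sender.
        _, reply_to = parseaddr(msg.get("Reply-To", ""))
        if reply_to and reply_to.lower() != addr.lower():
            hints.append("Reply-To %s differs from From %s" % (reply_to, addr))
    # Subject hint: words suggesting urgency.
    subject = msg.get("Subject", "").lower()
    urgent = [w for w in URGENCY_WORDS if w in subject]
    if urgent:
        hints.append("urgency words in subject: " + ", ".join(urgent))
    return hints


# Constructed sample messages (addresses other than the From line are invented).
FORGED = """\
From: Sarah Williamson-Blythe <mike.meredith@port.ac.uk>
Reply-To: accounts-desk@example.net
To: staff.member@port.ac.uk
Subject: URGENT: outstanding fees

Please click the link below to pay your fees today.
"""

GENUINE = """\
From: Mike Meredith <mike.meredith@port.ac.uk>
To: staff.member@port.ac.uk
Subject: Minutes from Tuesday

Minutes attached, as promised.
"""

if __name__ == "__main__":
    for label, sample in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, forgery_indicators(sample))
```

A message with no hints is not proof of authenticity, and the remaining hints in the list (salutation, signature, what the message asks for) still need a human reader.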

How Email Is Forged

Without getting too technical, the underlying network protocol that is used to transmit email between servers (SMTP) is very old, and was originally designed in the era when Internet services were very trusting.

Because it is so trusting, it will accept any headers including setting the sender address to “mike.meredith@port.ac.uk”.

Attempts have been made to improve the security of email over the decades (yes, it is that old), but most of these are optional extensions that are aimed more at combating spam than dealing with forgeries.

Blocking The Forger’s Network Address

It is not uncommon for people to suggest blocking the network address used to send the forged emails. It is not a bad idea as such, because there are anti-spam measures that are very similar (RBLs).

However the blocking of a single network address can be compared to locking a stable door after the horse has bolted. It is likely that once such a network address has been used, the forger will use a different network address in the future. Essentially in almost all circumstances it isn’t possible to block a network address quickly enough for it to be effective.



The Xcode Ghost In Your Apps

We are seeing a number of instances where people have installed legitimate applications from the Apple App store, and their phone is communicating with the Xcode Ghost malware infrastructure across the network. This sort of malware infection is a bit unusual as :-

  1. This is the first serious outbreak of malware to be found in the Apple app store.
  2. This is almost identical in concept to one of the classic security attacks (Reflections on Trusting Trust).
  3. Specific versions of normal, legitimate, and fairly widely used applications were “trojaned” by a malware author.

The answer to the problem of what to do with an infected device is simple: Upgrade the applications in use. Indeed if you are not sure if you are infected or not then upgrade.

What Is Xcode?

Xcode is a suite of applications produced by Apple for use by developers. The developers use Xcode to compile source code into the binary language that computers understand. Every application on your iThingie (iPhone or iPad, plus Apple laptops and desktops) has been compiled by Xcode.

Or by a version of Xcode that has been “hacked” so that applications built with it are loaded with malware.

How Did This Happen?

Versions of Xcode distributed by Apple are and were safe. What the malware author did was to produce “hacked” versions of Xcode and made them available at alternative download sites.

For some reason, some developers of legitimate applications downloaded Xcode from those alternative download sites, and the applications they compiled were “trojaned” with malware.

What Was The Damage?

The trojaned applications sent data that the application had access to, via the network, to the malware author’s command and control servers. The data that was sent was relatively benign, but passwords associated with applications known to be infected should be changed.

Links
