Cyber Security Institute

Wednesday, May 29, 2013

Hackers exploit Ruby on Rails vulnerability to compromise servers, create botnet

Hackers are actively exploiting a critical vulnerability in the Ruby on Rails Web application development framework in order to compromise Web servers and create a botnet. The Ruby on Rails development team released a security patch for the vulnerability, which is known as CVE-2013-0156, back in January. “It’s pretty surprising that it’s taken this long [for an exploit] to surface in the wild, but less surprising that people are still running vulnerable installations of Rails,” said Jeff Jarmoc, a security consultant with security research firm Matasano Security, Tuesday in a blog post.



Malware’s typical network behaviour makes it easier to spot: Palo Alto

The hardest part of maintaining a security defence is figuring out the things we don’t know, but by monitoring all network traffic and making analytics tools easier to reach, it is easier than ever to ferret out new malware and seal perimeters that have been compromised by mobile devices, a Palo Alto Networks analyst, Williamson, has advised. While the security solutions market has been flooded with new options for identifying and dealing with malware, “you need to be able to feed it into something that’s actionable, and is going to help the business and actually give you some protection,” Williamson told CSO Australia after his presentation at the AusCERT 2013 security conference. Analysis of 839 different pieces of malware and 204 million logs also found that 55% of all malware uses custom UDP (User Datagram Protocol) packets to communicate with command-and-control (C&C) servers; so when a scan of network activity shows that 1.5% of traffic consists of unknown UDP packets, Williamson said, it is not hard to work out where it is coming from.
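One way to turn the “unknown UDP” observation above into a repeatable check, as an added example that is not Palo Alto Networks’ code: the script below parses flow records in a simple NetFlow-like text format, computes the share of bytes that are UDP to ports outside an allowlist of expected services, and ranks internal hosts by how much of that traffic they generate and to which peers. The record format, the port allowlist and the sample flows are all constructed here for illustration.

```python
"""Find hosts generating 'unknown UDP' traffic from flow logs.

Added example, not Palo Alto Networks code. The flow format below is a
constructed NetFlow-like text form assumed for illustration:
    <epoch> <src_ip> <dst_ip> <proto> <dst_port> <bytes>
"""
from collections import defaultdict

# UDP destination ports a typical network expects; everything else is "unknown UDP".
# Assumed allowlist: DNS, DHCP, NTP, SNMP, IKE/NAT-T, syslog, SSDP, mDNS.
KNOWN_UDP_PORTS = {53, 67, 68, 123, 161, 162, 500, 514, 1900, 4500, 5353}

# Constructed sample: 10.0.1.22 talks repeatedly to one external host on UDP/4444.
SAMPLE_FLOWS = """\
1369785600 10.0.1.20 10.0.0.2 udp 53 180
1369785601 10.0.1.20 172.16.0.5 tcp 443 52000
1369785602 10.0.1.20 10.0.0.2 udp 53 166
1369785603 10.0.1.20 203.0.113.7 udp 8080 420
1369785604 10.0.1.21 172.16.0.5 tcp 80 120000
1369785605 10.0.1.21 10.0.0.2 udp 123 76
1369785606 10.0.1.22 198.51.100.9 udp 4444 1500
1369785607 10.0.1.22 198.51.100.9 udp 4444 1500
1369785608 10.0.1.22 198.51.100.9 udp 4444 1500
1369785609 10.0.1.22 172.16.0.5 tcp 443 9000
1369785610 10.0.1.23 172.16.0.5 tcp 443 300000
"""


def parse_flows(text):
    """Parse the constructed flow format into a list of dicts; skips blanks/comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_unknown_udp(flow):
    return flow["proto"] == "udp" and flow["dport"] not in KNOWN_UDP_PORTS


def unknown_udp_share(flows):
    """Fraction of all bytes that are UDP to non-allowlisted ports (the '1.5%' number)."""
    total = sum(f["bytes"] for f in flows)
    unknown = sum(f["bytes"] for f in flows if is_unknown_udp(f))
    return unknown / total if total else 0.0


def rank_sources(flows):
    """Per source host: unknown-UDP bytes, share of its own traffic, and the peers involved."""
    total_by_src = defaultdict(int)
    unknown_by_src = defaultdict(int)
    peers_by_src = defaultdict(set)
    for f in flows:
        total_by_src[f["src"]] += f["bytes"]
        if is_unknown_udp(f):
            unknown_by_src[f["src"]] += f["bytes"]
            peers_by_src[f["src"]].add((f["dst"], f["dport"]))
    ranked = [{"src": src, "unknown_bytes": unknown_by_src[src],
               "share": unknown_by_src[src] / total,
               "peers": sorted(peers_by_src[src])}
              for src, total in total_by_src.items()]
    ranked.sort(key=lambda r: r["unknown_bytes"], reverse=True)
    return ranked


def suspicious_sources(flows, min_share=0.10, min_bytes=1000):
    """Hosts whose unknown-UDP traffic is both a meaningful share and a meaningful volume."""
    return [r for r in rank_sources(flows)
            if r["share"] >= min_share and r["unknown_bytes"] >= min_bytes]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unknown UDP share of all bytes: %.2f%%" % (100 * unknown_udp_share(flows)))
    for r in suspicious_sources(flows):
        print(r["src"], r["unknown_bytes"], "bytes", "->", r["peers"])
```

On real data the allowlist should be replaced by the application identification the firewall already performs, and the overall share only means something against a baseline: run it per day and alert on the change, not on the absolute figure.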


Tuesday, May 28, 2013

91% of targeted attacks start with spear-phishing email

Spear-phishing emails are part of the operations of an emerging and active targeted threat called the Safe campaign, whose operations are documented in a research paper by Trend Micro. These emails carry a malicious attachment and encourage the recipient to open it by luring them with contextually relevant content. From a threat perspective, Trend Micro has identified five key target sectors: government ministries, technology companies, media outlets, academic research institutions and non-governmental organisations.



Saturday, May 25, 2013

Hottest job on market: Cybersecurity professionals

“We’re the largest provider of cybersecurity solutions to the federal government, so we know that we’ve got to help build that talent pipeline,” said Diane Miller, Northrop’s program director for the CyberPatriot contest, on the sidelines of the March event.


Friday, May 24, 2013

AusCERT 2013: Visibility critical when selling IT security to execs, says Foxtel CSO

Hard-to-find security skills and the rapid pace of malware evolution make a strong relationship with a managed security services (MSS) provider as important as maintaining the internal tools to keep business executives apprised of IT-security risk, Foxtel information security manager Kevin Shaw has advised. Properly informing those relationships, however, remains one of the security executive’s biggest ongoing challenges: different expectations, changing technologies, malleable business objectives – and the constant dread of being the one confessing a security breach to a risk and audit committee or angry CEO – all force security executives to be as proactive as possible when it comes to managing risk. “I want to know that if someone adds a new server, that I can come back through my actionable intelligence and confirm that box has the right agents, has been hardened for the criteria we’ve mandated,” Shaw said. Under Shaw’s guidance, Foxtel has maintained a long-term MSS relationship with Symantec, which provides extra skilled staff that not only keep apprised of new threats, but monitor the company’s infrastructure 24/7 for signs of malicious activity.



Zeus variants are back with a vengeance

After analyzing feedback from the company’s Smart Protection Network, Trend Micro researchers have noted an upswing in attempted Zeus/Zbot Trojan infections. After being practically non-existent in January, every month up to the beginning of May has seen a continuous rise in the number of attempted Zeus/Zbot infections, the researchers pointed out. The main goal of the malware is the same as before: stealing any type of online credentials, including those used for online banking, and any kind of personal information that might be of use to criminally minded individuals. The new variants create two different folders on the system: one to stash a copy of themselves, and the other to host the stolen, encrypted information and the configuration file they download from a remote server.



Scanner identifies malware strains, could be future of AV

When it comes to spotting malware, the signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up to a certain point, but polymorphic malware still gives them a run for their money. At the annual AusCERT conference held this week in Australia, a doctoral candidate from Deakin University in Melbourne presented the results of research that just might be the solution to this problem. “Using structures, you can detect approximate matches of malware, and it’s possible to pick an entire family of malware pretty easily with just one structure,” he shared with CSO Australia.


Fight against Cyber Crime is On the Right Track

Panda Security’s anti-malware laboratory has published its Quarterly Report for Q1, analyzing the IT security events and incidents from January through March 2013. Despite the numerous security incidents that took place during the first quarter of the year, the fight against cyber crime is on the right track; though there is still a long way to go, international co-operation among security agencies is beginning to pay off and criminals around the world are being brought to justice.



New Computer Attacks Traced to Iran, Officials Say

Investigators began looking at the attacks several months ago, and when the Department of Homeland Security issued a vaguely worded warning this month, a government official told The New York Times that “most everything we have seen is coming from the Middle East.” They said the evidence was not specific enough to conclude with confidence that the attacks were state-sponsored, but control over the Internet is so centralized in Iran that they said it was hard to imagine the attacks being done without government knowledge. While the attackers have been unsuccessful to date, they have made enough progress to prompt the Homeland Security warning, which compared the latest threat to the computer virus that hit Saudi Aramco, the world’s largest oil producer, last year.


CommonKey Brings Password Management To Small Teams

Instead of focusing only on the needs of the individual user or offering a complex solution for the enterprise, it provides a password management system that gives small businesses the ability to share passwords securely across a team. The bootstrapped, Baltimore-based startup was co-founded in October by Andrew Stroup, a civilian engineer who currently works at the Department of Defense, and Michael Cohen, whose programming background is in the medical sector.


2013 will see an explosion in malware

According to the German security company AV-Test, malware has exploded to unprecedented levels in the past five years. More troublingly, they anticipate seeing over 60 million new pieces of malicious software by the end of 2013. AV-Test went on to say that its system has already recorded “over 20 million samples of new malware between January and the beginning of May.” To put those numbers in context, AV-Test didn’t reach 20 million new samples until August of last year.


Thursday, May 23, 2013

Telling the FBI Your Company Has Been Hacked

As cyber attacks against U.S. companies move markets, drain tens of millions of dollars from bank accounts, siphon off trade secrets, and threaten critical infrastructure, the mantra among government officials is: sharing (information) is caring. The government’s desire to increase information sharing on cyber intrusions with the private sector is at the heart of an executive order issued in February, and it was a point underscored at a New York City Bar Association event on Monday, when Mary Galligan, an FBI “cyber cop,” urged corporations to come forward with information about attacks on their networks.


Twitter steps up security with two-factor authentication option

After a long string of high profile attacks on accounts held by government and news agencies, Twitter is finally stepping up its game. Twitter users can simply access their security settings to find the new feature and opt-in to require a verification code to be sent via SMS each time they sign in.


Malware fight goes public on the web

Statistics on malware infections in Australia are now public, according to the Australian Communications and Media Authority, which has released a web page of the infection statistics it sends to internet service providers (ISPs). The authority released the data in the hope it would help reduce malicious software, or malware, infections in Australia and raise awareness of how many devices are known to be infected. The web page, published on Tuesday as part of National Cyber Security Awareness Week, contains detailed statistics of malware infections reported daily to about 130 ISPs and other network operators through the Australian Internet Security Initiative (AISI).


New Citadel malware variant targets Payza online payment platform

A new variant of the Citadel financial malware is targeting users of the Payza online payment platform by launching local in-browser attacks to steal their credentials, according to researchers from security firm Trusteer. Citadel is a Trojan program designed primarily to steal online banking credentials, but is also associated with the Reveton ransomware, which locks down computers and displays rogue alerts claiming to come from law enforcement agencies. Like most banking Trojan programs, Citadel’s hooks into the browser process can modify Web pages opened on infected computers in real time. These rogue local website modifications are known as Man-in-the-Browser (MitB) attacks and are harder for victims to spot than regular phishing attacks because the URLs displayed in the browser address bar are those of legitimate websites. The new Citadel variant discovered by Trusteer researchers contains MitB code that alters the form fields users are asked to fill in on Payza’s log-in page.
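A server-side check that fits the kind of injection described above, as an added example that is not Trusteer’s or Payza’s code: it compares the field names in a login POST against the fields the real form contains, tolerates a small set of optional fields, and flags submissions that carry the kinds of extra fields a web-inject adds to harvest more secrets. The expected field set, the optional fields, the high-value field names and the sample POST bodies are assumptions constructed for this example.

```python
"""Flag login POSTs whose field set does not match the form the server served.

Added example, not Trusteer's or Payza's code. The expected field set, the
optional fields, the high-value field names and the sample bodies are
assumptions constructed for illustration.
"""
from urllib.parse import parse_qs

# Fields the legitimate login form actually contains (assumed).
EXPECTED_LOGIN_FIELDS = {"email", "password", "csrf_token"}
# Fields the form may or may not send (assumed), so they are not treated as injected.
OPTIONAL_LOGIN_FIELDS = {"remember_me"}
# Names a web-inject typically adds to a login page to harvest extra secrets (assumed).
HIGH_VALUE_FIELDS = {"pin", "atm_pin", "ssn", "card_number", "cvv", "expiry",
                     "secret_answer", "mother_maiden_name"}


def audit_login_post(body, expected=EXPECTED_LOGIN_FIELDS, optional=OPTIONAL_LOGIN_FIELDS):
    """Classify one urlencoded POST body by comparing its field names to the served form."""
    submitted = set(parse_qs(body, keep_blank_values=True))
    extra = submitted - expected - optional
    missing = expected - submitted
    if extra & HIGH_VALUE_FIELDS:
        verdict = "suspect_webinject"      # fields the real form never asks for
    elif extra or missing:
        verdict = "unexpected_fields"      # tampered, stale or broken client-side form
    else:
        verdict = "ok"
    return {"verdict": verdict, "extra": sorted(extra), "missing": sorted(missing)}


# Constructed sample bodies: a clean login, an injected one, and a malformed one.
SAMPLE_POSTS = {
    "clean": "email=alice%40example.test&password=hunter2&csrf_token=abc123&remember_me=1",
    "injected": ("email=alice%40example.test&password=hunter2&csrf_token=abc123"
                 "&pin=4321&card_number=4111111111111111"),
    "broken_form": "email=alice%40example.test&password=hunter2&newsletter=yes",
}


def audit_all(posts=SAMPLE_POSTS):
    return {label: audit_login_post(body) for label, body in posts.items()}


if __name__ == "__main__":
    for label, result in audit_all().items():
        print(label, result)
```

This only catches injects that submit the harvested fields to the legitimate endpoint; many web-injects send them to the C&C out of band, so the check is a complement to client-side page-integrity monitoring rather than a replacement. A sudden rise in “suspect_webinject” verdicts across many accounts is the signal worth alerting on.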


Wednesday, May 22, 2013

Keeping Up With the Andromeda Botnet

Last March, Trend Micro blogged about Andromeda, a well-known botnet that surfaced in 2011 and is making a comeback this year. Just months after that report, Trend Micro is still seeing notable activity from the botnet, in particular a sudden boost of GAMARUE variants last week. Andromeda is a spam botnet that delivers GAMARUE variants, which are known backdoors and have a noteworthy way of propagating via removable drives. Since the first post, the researchers have seen a trend in which the majority of WORM_GAMARUE variants are affecting India, Turkey and Mexico.



Tuesday, May 21, 2013

Cyber crime ‘costs small companies £800m a year’

The Federation of Small Businesses (FSB) said issues such as hacking, data security breaches and computer viruses were a “barrier to growth” that could no longer be ignored. An FSB report found that cyber crime is costing its 200,000 members a combined £785m a year, or £3,750 for every small business. Over the past year, 41% of the group’s members have been a victim of cyber crime, often through frauds carried out by a customer or client, or so-called “card not present” situations (when purchases are made online, over the phone or by mail order).


Monday, May 20, 2013

New Security Intelligence Solution, EnCase® Analytics, Unveiled by Guidance Software

Guidance Software (NASDAQ: GUID), the World Leader in Digital Investigations™, today announced EnCase® Analytics, a complete security intelligence solution that leverages endpoint analytics to produce a clear picture of security risk and exposure to unknown threats. EnCase Analytics focuses on the endpoints (end-user devices and servers), the targets of threats and where they ultimately hide, and assesses risks and threats with a bird’s-eye view of the activity of every endpoint and server, enterprise-wide. “For those of us on the front-line responsible for catching new, hard-to-detect security threats that bypass the perimeter, time to detection is very important,” said Colby Clark, director of Incident Management for FishNet Security. EnCase Analytics addresses this challenge by delivering a complete security intelligence solution that collects the appropriate data from the enterprise endpoints, assembles it in a security-oriented data structure, and through the use of pre-built and ad-hoc intuitive reports, provides the security analyst with deep insights into lurking threats.


Friday, May 17, 2013

In a sea of malware, viruses make a small comeback

The term virus is frequently used as a catch-all for malicious software, but actually describes a very specific type of program that infects files and replicates, noticeably impairing a computer. Microsoft has noticed that viruses, which have been present on around 5 percent of the computers the company regularly polls, have increased in prevalence in some regions, wrote Tim Rains, director of the company’s Trustworthy Computing group. In the fourth quarter of last year, viruses were present on about 7.8 percent of computers scanned by the company, he wrote. In some locations, such as Pakistan, Indonesia, Ethiopia, Bangladesh, Somalia, Egypt and Afghanistan, the percentage of computers with viruses ranged from 35 to 44 percent, he wrote.


Thursday, May 16, 2013

New Mac spyware found in the Oslo Freedom Forum

F-Secure is reporting on new malware found for OS X, which appears to be a backdoor application that so far is known to take screenshots of the user’s computer and then attempt to upload them to remote servers. It’s a small application called and was found on the Mac of an African activist who was a member of the Oslo Freedom Forum. When installed, the application is appended to the current Mac user’s log-in items so it runs whenever the affected user account is logged in. It then takes regular screenshots that it places in a visible folder in the user’s home directory called MacApp. It then tries to upload them to the URLs “” and “,” which either are not working or are issuing “public access forbidden” error messages.


DHS Eyes Sharing Zero-Day Intelligence With Businesses

The DHS pitch: We’ll share intelligence gleaned from the U.S. government’s vast stockpile of zero-day vulnerabilities—purchased from bug hunters and resellers—to help block zero-day threats. “It is a way to share information about known vulnerabilities that may not be commonly available,” Homeland Security secretary Janet Napolitano said Wednesday at the Reuters Cybersecurity Summit in Washington, D.C., reported Reuters. The DHS proposal is a continuation of the February 2013 executive order and related presidential policy directive issued by President Obama, which created a public-private cyber-threat information sharing regime, as well as voluntary private sector cybersecurity standards.


Wednesday, May 15, 2013

Researchers develop industrial systems that watch for breaches

University researchers have developed a methodology for enabling networked devices in an industrial control system (ICS) to police each other for abnormal behavior that would indicate a compromise. The idea is to make it possible for devices, such as machinery on a factory assembly line, to spot the problem unit and then isolate it from the network before it can do any damage, researchers from North Carolina State University said Wednesday.



Beware The Coming SEC Regulations On Cybersecurity

Having been CEO of a public company and now as CEO of a global enterprise software company which provides cyber security and compliance solutions to many public companies, I can attest to the growing complexities and pressures of supply (threats and risk to operations) and demand (regulatory requirements) that must be managed on a daily basis. In his April 9 letter to the SEC Chair, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) urged the SEC to step up the requirements in its guidance (issued in October 2011) for companies to disclose information about their ability to defend against attacks on their networks. “Investors deserve to know whether companies are effectively addressing their cyber security risks — just as investors should know whether companies are managing their financial and operational risks,” the letter said. From this experience I’ve learned that corporate risk is idiosyncratic and varies from company to company, but the SEC looks at it all the same.


Malware Behind Oldest, Most Active Spam Botnet Gets Refresh

One of the largest and most notorious spam botnets, known for sending out millions of spam messages every day, has gotten a new communications mechanism that makes it more resilient to takedowns, according to security researchers’ analysis. A team of security experts from Dell (NASDAQ: DELL) SecureWorks, Damballa Labs and the Georgia Institute of Technology has discovered a new domain name generation algorithm that is part of the Pushdo malware’s back-up command-and-control mechanism. The report, issued by Damballa and Dell SecureWorks, found that the malware associated with Pushdo can evade intrusion detection and prevention systems as well as most anti-malware technologies by mimicking legitimate connection attempts to benign websites to confuse signature-based systems.


Tuesday, May 14, 2013

DDoS Attack Bandwidth Jumps 718%

“When you have average—not peak—rates in excess of 45 Gbps and 30 million packets per second, even the largest enterprises, carriers and, quite frankly, most mitigation providers, are going to face significant challenges.” In the first three months of 2013, 77% of DDoS attacks targeted bandwidth capacity and routing infrastructure, while 23% were application-level attacks that didn’t overwhelm targeted networks through packet quantity, but rather by disrupting critical applications or processes running on a server. The report also found that between the fourth quarter of 2012 and the first quarter of 2013, the total number of attacks increased marginally—by only 2%—while attack duration increased by 7%, from 32.2 hours to 34.5 hours. While 55% of all attacks came from China at the end of last year, by March 2013 that had dropped to 41%, followed by the United States (22%), Germany (11%), Iran (6%) and India (5%).


IE10 and Chrome are still the safest browsers to use [corrected]

NSS Labs has released its latest report on browsers; it shows that, though not perfect, Chrome and IE10 are far ahead of the rest. Such rankings can be subjective on post-report review.
See the full report at:

Monday, May 13, 2013

HBGary Announces Next-Gen Responder™ Pro

In a move to significantly close the gap between discovery and mitigation of targeted attacks, HBGary, a subsidiary of ManTech International Corporation, unveiled the next-generation version of Responder™ Pro, the de facto industry standard in automated Windows® physical memory analysis. By leveraging Digital DNA™ 3.0, HBGary’s flagship technology, Responder™ Pro 2.1 detects the latest rootkits, trojans, zero-days, and malware variants currently undetected by anti-virus, IOCs (indicators of compromise), and other signature-based solutions.

Multi-stage exploit attacks for more effective malware delivery

In the cybercrime world, the decoupling of the first stage from the payload is designed to make sure that an exploit kit is as generic as possible and can deliver all possible payloads, provided that the payloads only need native execution (either as a standalone executable, a file with an “.exe” extension, or DLL registration via RegSvr32, a file with a “.dll” extension). By utilizing an extra stage, the attack is more likely to bypass some security products: the initially exploited process (Java) launches another Java process (the second stage) that appears less suspicious, and only that second-stage process runs the final, native payload (the persistent malware dropper).
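Process-tree detection for the staging pattern described above, as an added example that is not from the original article: given process-creation events in a Sysmon-like form, it walks each native process’s ancestry and flags java -> java -> native execution, including regsvr32 loading a DLL from a user-writable path, while ignoring native children that live in trusted install directories (so a JDK spawning javac.exe does not fire). The pipe-delimited event format, the paths, the trusted-directory list and the events themselves are constructed for illustration.

```python
"""Flag Java-staged native payload execution from process-creation events.

Added example, not from the original article. The event format
(pid|ppid|image_path|command_line), the trusted directories and the sample
events are constructed for illustration.
"""
import ntpath
import re

JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Native images living here are treated as legitimate installs (assumed list).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample: pid 1400 is the two-stage chain, 2200 a benign JDK build,
# 3100 a single-stage drop straight from the exploited JVM.
SAMPLE_EVENTS = r"""
1000|0|C:\Windows\explorer.exe|explorer.exe
1100|1000|C:\Program Files\Internet Explorer\iexplore.exe|iexplore.exe
1200|1100|C:\Program Files\Java\jre7\bin\java.exe|java.exe -cp . Applet1
1300|1200|C:\Program Files\Java\jre7\bin\java.exe|java.exe -cp C:\Users\bob\AppData\Local\Temp\stage2.jar Loader
1400|1300|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s "C:\Users\bob\AppData\Local\Temp\payload.dll"
2000|1000|C:\Program Files\Java\jdk7\bin\java.exe|java.exe -jar C:\Program Files\build\build.jar
2100|2000|C:\Program Files\Java\jdk7\bin\java.exe|java.exe -cp C:\Program Files\build\lib Worker
2200|2100|C:\Program Files\Java\jdk7\bin\javac.exe|javac.exe Main.java
3000|1100|C:\Program Files\Java\jre7\bin\java.exe|java.exe -cp . Applet2
3100|3000|C:\Users\bob\AppData\Local\Temp\update.exe|update.exe
"""

# A quoted or bare argument ending in .dll on a regsvr32 command line.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


def parse_events(text):
    """Return {pid: event} from the constructed pipe-delimited format."""
    events = {}
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events[int(pid)] = {"pid": int(pid), "ppid": int(ppid),
                            "image": image, "cmdline": cmdline}
    return events


def image_name(path):
    return ntpath.basename(path).lower()


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def native_artifact(ev):
    """Path of the native code this process runs, or None if the process is a JVM."""
    name = image_name(ev["image"])
    if name in JAVA_IMAGES:
        return None
    if name == "regsvr32.exe":            # the loaded DLL, not regsvr32 itself, is the payload
        m = DLL_ARG.search(ev["cmdline"])
        if m:
            return m.group(1) or m.group(2)
    return ev["image"]


def ancestry(events, pid):
    """Process chain from pid up to the root, guarding against pid reuse loops."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(events[pid])
        pid = events[pid]["ppid"]
    return chain


def detect_java_staging(events):
    """Alerts for native code launched by a JVM from outside trusted install paths."""
    alerts = []
    for ev in events.values():
        artifact = native_artifact(ev)
        if artifact is None or is_trusted_path(artifact):
            continue
        names = [image_name(e["image"]) for e in ancestry(events, ev["pid"])]
        if len(names) >= 3 and names[1] in JAVA_IMAGES and names[2] in JAVA_IMAGES:
            severity, rule = "high", "java -> java -> native (two-stage)"
        elif len(names) >= 2 and names[1] in JAVA_IMAGES:
            severity, rule = "medium", "java -> native"
        else:
            continue
        alerts.append({"pid": ev["pid"], "severity": severity, "rule": rule,
                       "artifact": artifact, "chain": list(reversed(names))})
    return sorted(alerts, key=lambda a: a["pid"])


if __name__ == "__main__":
    for a in detect_java_staging(parse_events(SAMPLE_EVENTS)):
        print(a["severity"], a["rule"], " -> ".join(a["chain"]), a["artifact"])
```

The trusted-directory allowlist is what keeps the rule quiet on developer machines; in an environment where Java only ever runs as a browser plugin, dropping it and alerting on any native child of java.exe is the stricter and still reasonable choice.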


Sunday, May 12, 2013

The Onion reveals how Syrian Electronic Army hacked its Twitter

The Onion staff put their laugh-making on hold last week when the Syrian Electronic Army hacked its Twitter account, the latest in a growing list of publications invaded by the group. “In summary, they phished Onion employees’ Google Apps accounts via 3 separate methods,” the site’s tech team explained in a blog post. The slow, calculated attack began early this month, when the Syrian Electronic Army (SEA) sent emails to some of the site’s employees. The messages (example below) implored The Onion’s reporters to “Please read the following article for its importance,” with a link to what appeared to be a Washington Post story. [Interestingly, the attackers changed their social-engineering email to a password reset message after The Onion IT department told everyone to change their passwords.]


Welcome to the red team!

You may not know that ‘red teaming’ refers to the practice of “viewing a problem from an adversary or competitor’s perspective.” It seems that one of the best ways to get into a system is to be the first to find a new vulnerability in the software that no one else has spotted. This ‘zero day’ vulnerability can be used to get malware of some kind into an organization, and, from then on, the red team owns the IT system. And that’s why it’s a good idea to pay a team of experts to do this rather than wake up one day and find the bad guys have found their way into your IT infrastructure.