WordPress vulnerability puts mobile visitors at risk

Today one of our colleagues came into our office and said, “Hey guys, I’ve been infected.” I thought to myself, yeah, how bad can this be? After a bit of digging we found the results were worth it; it turned out to be a really “interesting” case of mobile redirected threats localized for each […]

Highlights from the SyScan 2014 Conference


An industry conference is always a good place to learn and get updates on the latest security trends. I recently attended the Symposium on Security for Asia Network (SyScan), an annual conference held in Singapore, which brings together computer security researchers from around the world. This year, security myths were dispelled and several interesting topics were discussed at the conference. The following is a list of some of the topics and demonstrations I found interesting at this year’s conference.

Smart cars at risk
Most cars today contain Engine Control Units (ECUs), computers that enable the engine to communicate with other vehicle components. Researchers at SyScan 2014 explained how they managed to simulate a car environment on their desktop using second-hand ECU devices purchased from online Web stores. The researchers managed to carry out basic automotive actions such as acceleration, braking and steering, as well as gain an understanding of the underlying proprietary protocols of the car. What this means is that once an attacker gains control of the ECU, they can basically control the car.

Being able to control a car’s ECU is far more dangerous than being able to manipulate its automation functions such as opening and closing windows and turning lights on and off. It is pretty scary if adequate controls are not put in place to prevent an attacker from gaining control of the ECU. This could become more problematic as more and more cars become part of the Internet of Things (IoT). Microsoft has recently tested the latest version of their Windows in-vehicle infotainment system, while Apple already unveiled CarPlay, an entertainment system that enables users to see their iPhone interface on a car’s built-in display.

Mobile point-of-sale infected with malware
2014 has seen the emergence of several point-of-sale (PoS) malware families, some of which were involved in several high-profile attacks against the retail industry. Today, mobile point-of-sale (mPOS) terminals have also become a target. mPOS devices are often used for card payments, especially by small and medium-sized businesses.

Most mPOS devices run on Linux, and researchers at SyScan were able to compromise and take over an mPOS device by using removable drives or Bluetooth. To prove their claims, they installed the game Flappy Bird on the device, and then played it on the device’s LCD screen using the PIN input buttons as the controls.

The researchers highlighted how mPOS devices can be hit by malware that can keep track of payment information and subsequently share the records online, or perform special functions such as making the device accept payment from cards using any PIN code.

The proliferation of RFID and NFC devices
Today, everyone interacts with radio frequency identification (RFID) and near field communication (NFC) enabled devices. They are present in our door-entry cards, transport cards and contactless credit cards. Radio waves are everywhere!

The “RFIDler”, a low-level RFID communication open-source platform prototype presented during the conference, is used to read and write common types of tags. The platform will soon be available to the general public. It was interesting to see how easily it can be used, as well as the potential damage it can cause. For example, an existing card can be duplicated in a couple of seconds. According to the platform’s author, even if a card format is unknown, the platform is extensible and a new card format can be added in less than a week.

Now that a common extensible reader and writer exist, how long will it be before these devices become targeted by attackers?

Mobile security versus anonymity
Users who cannot live without their smartphones may have already thought about the consequences of losing their devices. To help ease those fears, a researcher at SyScan 2014 presented a hardened Android Read-Only Memory (ROM) solution that he created, dubbed Cryptogenmod. Cryptogenmod is based on Cyanogenmod, an open-source operating system for mobile devices based on Android. The aim is to provide a minimal ROM with remote and physical access protection. Remote protection is achieved by reducing the attack surface, so there will not be a Web browser or an app store on the smartphone. Physical access protection is more complex and is achieved by using secure application containers, strong encryption, and some indicators of a negative operational environment.

Other safeguards were described, including one which detects if a SIM card is removed or a debugger is attached. If one of these actions is detected, the application containers will be unmounted and require a passphrase to be opened again, while the phone will be locked automatically and require the owner to log in again. With this solution, should you lose your phone, your data will remain secure. However, I am not sure if users want a device that is connected but does not allow them to surf the Web or even use the camera (which is known to leak the user’s location). That sounds like a not-so-smartphone.

Overall, while smartphones are still a hot topic I expect to see the Internet of Things dominate industry discourse for the foreseeable future as people gradually delegate tasks to smart devices in order to save themselves time and effort.

To find out more, check out the videos and published papers at SyScan’s main website.

Heartbleed in OpenSSL: act now!

Last week, a vulnerability named “Heartbleed” was discovered in the popular OpenSSL cryptographic software library (http://heartbleed.com). OpenSSL is widely used, often in conjunction with applications and web servers such as Apache and Nginx. The vulnerability is present in OpenSSL versions 1.0.1 through 1.0.1f and allows attackers to read the memory of affected systems. By accessing memory, attackers can obtain private keys, which allows them to decrypt and read SSL-encrypted communications and to impersonate service providers. The data in memory may also include other confidential data such as usernames and passwords.

Heartbleed is not a vulnerability in SSL/TLS, but a software bug in OpenSSL’s heartbeat implementation. SSL/TLS is not broken; it remains the gold standard for encrypting data in transit over the Internet. However, because of OpenSSL’s popularity, according to the Netcraft web server report around 66% of the Internet, that is two thirds of web servers, probably use this software. Companies that use OpenSSL should therefore update to the latest, fixed version (1.0.1g) as quickly as possible, or recompile OpenSSL without the heartbeat extension.

As the world’s leading certification authority, Symantec has already taken measures to protect its own systems. Our root certificates are not at risk, but in line with our best practices we have re-keyed all certificates on web servers that used the affected versions of OpenSSL.

After updating or recompiling their systems, Symantec recommends that its customers replace all certificates on their web servers, regardless of issuer, to reduce the risk of a security breach. Symantec provides free replacement certificates to all its customers.

In addition, Symantec advises its customers to reset the passwords of their SSL and Code Signing management consoles. This is also a best practice, and we encourage all companies to ask their own customers to take the same steps once the problem has been fixed on their systems. We will work closely with our customers to minimize the impact of the security risks arising from this vulnerability.

For clarity, here is a summary of the steps:

Businesses:

  • All businesses that use OpenSSL should update to the latest, fixed version of the software (1.0.1g) or recompile OpenSSL without the heartbeat extension.
  • After moving to a fixed version of OpenSSL, replace the certificates on your web servers.
  • Finally, as a best practice, reset user passwords where possible, as they may have been visible in the memory of a vulnerable server.

Consumers:

  • Be aware that your data may have been seen by unauthorized third parties if you used an affected service provider.
  • Read all notifications from the providers you use. As soon as an affected provider asks its customers to change their passwords, do so immediately.
  • Do not fall for possible phishing e-mails asking you to update your password. Always go only to the website’s official domain name so that you do not land on a fake website.

Heartbleed in OpenSSL: the time to act is now!

Last week, a vulnerability known as “Heartbleed” was found in the popular OpenSSL cryptographic software library (http://heartbleed.com). OpenSSL is widely used, often with applications and web servers such as Apache and Nginx. OpenSSL versions 1.0.1 through 1.0.1f contain this vulnerability, which attackers can exploit to read the memory of systems. Access to memory may let attackers obtain secret keys, allowing them to decrypt and intercept SSL-encrypted communications and impersonate service providers. The data in memory may also contain confidential information, including usernames and passwords.

Heartbleed is not an SSL/TLS vulnerability, but a software bug in the implementation of OpenSSL’s heartbeat extension. SSL/TLS has not been weakened; it is still the gold standard for encrypting data in transit on the Internet. However, because of OpenSSL’s popularity, approximately 66% of Internet servers, or two thirds of web servers (according to Netcraft’s web server report), may be using this software. Companies that use OpenSSL are advised to update to the latest fixed version of the software (1.0.1g) or recompile OpenSSL without the heartbeat extension as soon as possible.

As the world’s leading certification authority, Symantec has already taken steps to strengthen its systems. Our roots are not at risk; however, we are following best practices and have re-keyed all certificates on web servers running the affected versions of OpenSSL.

Once companies have updated or recompiled their systems, Symantec recommends that customers replace all their web server certificates, whatever the issuer, to reduce the risk of security breaches. Symantec will offer free replacement certificates to all customers.

Finally, Symantec asks customers to reset the passwords of their SSL and Code Signing management consoles. Again, this is best practice; we encourage companies to ask their end customers to do the same once their systems have been patched. We will continue to work with our customers to minimize the impact of the security risks arising from this vulnerability.

For your convenience, here is a summary of the steps to follow:

For companies:

  • Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g) or recompile OpenSSL without the heartbeat extension.
  • Companies should also replace the certificate on their web servers after moving to a fixed version of OpenSSL.
  • Finally, as a best practice, companies are also advised to reset the passwords of end users, which may have been visible in the memory of a compromised server.

For consumers:

  • Be aware that your data may have been seen by a third party if you used a vulnerable service provider.
  • Monitor the notifications sent by the vendors you use. If a vulnerable vendor tells its customers to change their passwords, users should follow that instruction.
  • Beware of possible phishing e-mails sent by attackers asking you to update your password; to avoid visiting a fraudulent site, stick to the site’s official domain.

OpenSSL and Heartbleed: stop the bleeding!

Last week, a flaw named “Heartbleed” was detected in the OpenSSL cryptographic library (http://heartbleed.com). This library is used in particular on applications and web servers such as Apache and Nginx. Specifically, OpenSSL versions 1.0.1 to 1.0.1f contain a flaw that attackers can exploit to read the memory of host systems. In this way they can access the secret keys that let them decrypt and intercept communications secured via SSL, and even impersonate service providers. But the danger does not stop there, since the data in memory may also contain sensitive information such as usernames and passwords.

Heartbleed is in no way a vulnerability in the SSL/TLS protocols. It is in fact a software bug in the implementation of the OpenSSL “heartbeat” extension. In short, SSL/TLS technology is not in question at all. It is and remains the absolute reference for encrypting data transfers on the Internet. The problem stems from the omnipresence of OpenSSL. According to a Netcraft report, two thirds of web servers on the Internet may be running this software. All of these businesses will therefore need to move to the latest fixed version of the library (1.0.1g) or recompile OpenSSL without the heartbeat extension as soon as possible.

For its part, as the world’s leading certification authority, Symantec has already taken a number of measures to strengthen its systems. Although our root certificates are not exposed, we have decided to apply the expected best practices, namely re-keying all certificates on web servers running the vulnerable versions of OpenSSL.

Once their systems have been updated or recompiled, Symantec recommends that businesses replace all their certificates on their web servers, whatever the issuer, to limit the risk of security breaches. To encourage them to do so, we will offer all our customers the option of replacing their certificates free of charge.

Finally, as a simple precaution, Symantec asks its customers to reset the passwords of their SSL and Code Signing certificate management console. We also encourage businesses to urge their customers to do the same once their systems have been patched. For our part, we will continue to work with our own customers to minimize the impact of this vulnerability on their security.

To make things easier, here is a quick summary of the steps to take:

Businesses:

  • If you are using OpenSSL versions 1.0.1 to 1.0.1f, install the latest fixed version of the software (1.0.1g) or recompile your existing version without the heartbeat extension.
  • Once the fixed version of OpenSSL is installed, also replace the certificate of the affected web server.
  • Finally, as a precaution, reset your user passwords, since they may have been read from the memory of compromised servers.

Individuals:

  • If your service provider has been affected by Heartbleed, your data may have been intercepted by a cybercriminal.
  • Stay alert to notices from the vendors and providers you are a customer of. If they ask you to change your password, do so without delay.
  • Beware of possible phishing e-mails asking you to change your password. To avoid ending up on a fraudulent website, stick to the official site’s domain.

OpenSSL affected by the Heartbleed vulnerability: act as soon as possible

Last week, the “Heartbleed” vulnerability (http://heartbleed.com) was discovered to affect the well-known OpenSSL cryptographic software library, which is used with web applications and servers such as Apache and Nginx, among many other uses. In certain versions of OpenSSL (1.0.1 through 1.0.1f inclusive), there is a risk that cybercriminals can access the memory of systems, obtain the secret keys needed to decrypt and eavesdrop on communications protected by SSL technology, and impersonate service providers. In addition, the data in memory may contain confidential information such as usernames and passwords.

Heartbleed is not a vulnerability in SSL/TLS technology, but a programming error in the implementation of OpenSSL’s heartbeat extension. This does not mean that SSL/TLS has stopped working; on the contrary, it is still the leading technology for encrypting data transmitted over the Internet. However, due to OpenSSL’s popularity, around 66% of the Internet, equivalent to two thirds of web servers (according to Netcraft’s web server report), may currently be using the affected software. Companies that use OpenSSL should move to version 1.0.1g, in which the problem is fixed, or recompile OpenSSL without the heartbeat extension as soon as possible.

Symantec has already taken measures to strengthen the security of its systems, as befits the world’s leading certification authority. Our roots are safe, but even so we are following recommended practices and have re-keyed all certificates on web servers that were using the affected OpenSSL versions.

Symantec recommends that companies, after updating or recompiling their systems, replace all web server certificates (regardless of who issued them) to avoid possible security incidents. We plan to provide all our customers with new certificates free of charge.

Finally, as a precaution, we urge customers to change the passwords of their SSL and Code Signing certificate management consoles. Once the security of their systems has been restored, companies should also ask their customers to change their passwords.

We will continue to work with our customers to minimize the consequences of this vulnerability, but below we summarize the basic steps to protect yourself.

For companies, we recommend:

  • updating the affected OpenSSL versions (1.0.1 through 1.0.1f inclusive) to version 1.0.1g, or recompiling OpenSSL without the heartbeat extension;
  • replacing the web server certificate after adopting a safe version of OpenSSL;
  • resetting all user passwords as a precaution, since someone could have obtained them by reading the server’s memory.

For their part, consumers should:

  • be aware that, if the providers of the services they use have been affected by Heartbleed, the confidentiality of their data may not be guaranteed;
  • watch for the notices they receive and change their passwords if the provider of an affected service asks them to;
  • look carefully at who sends e-mail messages requesting a password change and make sure the links lead to the official website, since they could be phishing attempts.

Babies Offered for Adoption in 419 Scam

A variation of the 419 e-mail scam is being used by fraudsters to take advantage of vulnerable couples who want to adopt a baby. Victims are carefully lured into a fake adoption process, which then asks for money to cover legal and administrative expenses.

While most recent 419 scams rely on the simplicity and naivety of their victims, some online criminals are already starting to make a great effort to communicate directly with the victim in order to win their trust. The scams are well researched and convincingly presented, and even include real-life stories to make them more authentic.

Figure 1. Malicious e-mail using an adoption story

Instead of using the most popular pretexts of everyday online fraud, such as winning the lottery or the death of a famous person, this type of fraudster takes a different approach. The message above was sent to undisclosed recipients (through a hacked webmail account originating in Hungary, but relayed from Italy) and requested a reply to a different sender. These are typical characteristics of an advance-fee scam. Symantec therefore decided to investigate further to see how the cybercriminal would ask for money in exchange for a fake service.

In order to make this adoption narrative as legitimate as possible, the fraudster made us go through several phases before finally reaching the point where we were invited to send money. During our correspondence, which stretched over 11 messages of replies and counter-replies and more than two months, the digital criminal told us in rich detail the story of the child’s mother and the regulations involved in private, independent adoption. They even went so far as to provide a fake adoption form and photos of the baby.

Figure 2. Photos of the babies offered for adoption

Figure 3. Fake adoption form used to convince victims

When the fraudster finally decided to ask for money, the amount requested was US$2,500 to cover the fees for filing the adoption process in court. The cybercriminal even specified payment in two installments, one of US$1,500 and another of US$1,000, via electronic bank transfer. The criminal asked for the payments to be sent this way so that the transaction would seem more legitimate and the victim would have more confidence in the scheme.

Figure 4. E-mail from the cybercriminal asking for money

When the fraudster provided a name and address to receive the bank transfer payment, we assumed this information was fake. However, looking into this address in more depth, we made a surprising discovery.

The address given for sending the payment was the office of a legitimate lawyer specializing in adoption and family law (who had no connection with this scheme). This shows that, whereas most criminals use just any fake name to commit advance-fee fraud, here the identity of a real person was stolen to make the fraud seem more convincing. The unsuspecting target can look up the name and confirm that the person is a legitimate lawyer practicing in the United States. Everything “makes sense”, they send the money, and they become one more victim of the fraud.

The execution of this adoption scam signals a new approach in 419 scam e-mails. In an interview with The Economist two years ago, Symantec revealed how some advance-fee fraudsters have changed their approach and send e-mail messages that appear legitimate. None of these narratives is very sophisticated, because the scammers look for victims who “self-select”.

This example serves as a reminder that not all advance-fee fraud schemes are lazy attempts to extract financial gain from victims. Some fraudsters use creative tactics, like this adoption narrative, with convincing details about the baby’s life and seemingly official forms. There is no doubt that the imagination and creativity of criminals will continue to evolve in the future.

Heartbleed, Y2K and misplaced worry.


Over the past week, news about the Heartbleed OpenSSL vulnerability has drawn some similarities, and also some dissimilarities, to the Y2K bug; remember that? In early 1999, there were stories of people building survival bunkers in the basements of their homes in order to prepare for the potential fallout from the Y2K bug. As you may recall, IT companies scrambled, airlines were fraught with angst, and governments paid very large sums of money to ensure the sky wouldn’t fall down on us. As we know now, New Year’s Day 2000 came and went with nary a hitch, although companies were left to pay some hefty Y2K consultant bills (it was reported at the time that AT&T paid over $500 million USD) and many families across the globe were left with fully stocked basements, a surplus of books on modern Armageddon, candles and canned soup.

Fast forward 15 years and a new bug, Heartbleed, was discovered in the popular OpenSSL cryptographic software library. This vulnerability, which may affect up to two-thirds of the internet, allows an attacker to withdraw a server’s most vital secrets, including passwords and private SSL certificate keys. Although this bug surely won’t cause nuclear missiles to launch, companies and families need to be more concerned about this bug than about the one that caused people to build bunkers in their backyards. The Heartbleed bug appears to have been around for two years and was only discovered by two teams of researchers little more than a week ago. However, much like the argument over who discovered “America”, it appears this vulnerability has been discovered and exploited in the past by black hat Leif Ericksons: modern-day digital Vikings bent on pillaging data.

A recent blog by internet services company NetCraft said the SSL tsunami has yet to arrive. Discouragingly, by the morning of Friday the 11th of April 2014, only 30,000 of the possible pool of 500,000 affected SSL certificates had been replaced. This is akin to Y2K being a reality and IT professionals refusing to patch ’00 date bugs on servers in favor of sealing the hatch on their secure bunker. By now every hacker knows about this vulnerability; it’s a race against time, and you should act now and take the steps required to fix your site.

This is real, and with every hour that goes by, unpatched servers become more and more exposed to attack. The first step is to get out of our blissful bunkers of ignorance and check our domains to see if the servers are vulnerable. Symantec’s Domain Checker should be your first port of call; it allows you to check your site for Heartbleed. If you are not affected by Heartbleed, be certain to tell your customers; they really need to know and, believe you me, they will be grateful that you have told them. However, if you have been affected, start by reading our Knowledgebase article on the subject and take the following steps:

  1. Upgrade your servers to OpenSSL 1.0.1g or recompile without the Heartbeat extension.
  2. Change your password to your Symantec SSL console (if applicable).  Note that Symantec Managed PKI for SSL was not affected and you do not need a new Administrator ID.
  3. Replace your SSL certificates on your impacted servers; replacement SSL certificates are offered at no charge for existing Symantec SSL customers.  Keep your details the same to avoid having to go through authentication again.
  4. Test your configuration and installation.  Note it is a best practice to always install the intermediate certificate with your end-entity certificate.
  5. Upon successful completion revoke any certificates that were replaced in step 3.
  6. Consider resetting customers’ passwords on any server that could have been compromised.
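An added triage helper for steps 1, 3 and 5 above (example code written for this page, not Symantec’s Domain Checker or any OpenSSL tooling): it parses constructed `openssl version -a` output to classify a build against the 1.0.1 to 1.0.1f range named in the post, and flags a certificate that predates the patch date for replacement and revocation. It assumes that a build configured with `no-heartbeats` shows `-DOPENSSL_NO_HEARTBEATS` on the `compiler:` line, and that a certificate’s notBefore date is a fair proxy for when its key was generated.

```python
"""Heartbleed triage helper: classify an OpenSSL build and decide whether a
server certificate must be re-keyed. Added example, not Symantec's code."""
import re
from datetime import date

# Affected range stated in the post: 1.0.1 up to and including 1.0.1f.
# 1.0.1g is the first fixed release. Other branches are not assessed here.
AFFECTED_BASE = (1, 0, 1)
FIRST_FIXED_SUFFIX = "g"


def parse_openssl_version(banner):
    """Return (major, minor, patch, suffix) from the first line of
    `openssl version`, e.g. 'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e').
    A plain '1.0.1' release yields an empty suffix."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def version_is_affected(version):
    """True for 1.0.1 (no suffix) through 1.0.1f. Letter suffixes sort
    alphabetically and the empty suffix sorts before 'a', so a simple
    string comparison against 'g' covers the whole stated range."""
    major, minor, patch, suffix = version
    return (major, minor, patch) == AFFECTED_BASE and suffix < FIRST_FIXED_SUFFIX


def heartbeat_compiled_out(version_a_output):
    """Assumption: a build configured with `no-heartbeats` carries
    -DOPENSSL_NO_HEARTBEATS on the 'compiler:' line of `openssl version -a`."""
    for line in version_a_output.splitlines():
        if line.startswith("compiler:") and "-DOPENSSL_NO_HEARTBEATS" in line:
            return True
    return False


def assess_build(version_a_output):
    """Classify a build as one of:
    'not_in_affected_range' (not on the 1.0.1 branch; not assessed),
    'patched' (1.0.1g or later), 'mitigated' (affected release rebuilt
    without heartbeat, i.e. step 1 done the second way), or 'vulnerable'."""
    version = parse_openssl_version(version_a_output.splitlines()[0])
    if version[:3] != AFFECTED_BASE:
        return "not_in_affected_range"
    if not version_is_affected(version):
        return "patched"
    if heartbeat_compiled_out(version_a_output):
        return "mitigated"
    return "vulnerable"


def certificate_needs_replacement(cert_not_before, patched_on):
    """Steps 3 and 5: a key that existed while the host was exposed must be
    replaced and the old certificate revoked. If the host is not patched yet
    (patched_on is None) every certificate on it is still exposed; otherwise
    a certificate issued before the patch date is treated as exposed."""
    if patched_on is None:
        return True
    return cert_not_before < patched_on


# Constructed sample banners (not captured from real hosts). Release dates
# match the real 1.0.1e, 1.0.1g and 1.0.0k releases; the rest is made up.
VULNERABLE_BUILD = """OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Mar  4 12:34:56 UTC 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall
OPENSSLDIR: "/usr/lib/ssl"
"""
REBUILT_NO_HEARTBEATS = VULNERABLE_BUILD.replace(
    "-DOPENSSL_THREADS", "-DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS")
PATCHED_BUILD = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -O3\n"
OLDER_BRANCH = "OpenSSL 1.0.0k 5 Feb 2013\ncompiler: gcc -O3\n"

if __name__ == "__main__":
    for name, banner in [("stock 1.0.1e", VULNERABLE_BUILD),
                         ("1.0.1e no-heartbeats", REBUILT_NO_HEARTBEATS),
                         ("1.0.1g", PATCHED_BUILD),
                         ("1.0.0k", OLDER_BRANCH)]:
        print("%-22s -> %s" % (name, assess_build(banner)))
    # Certificate issued in January, host patched on 9 April: replace it.
    print("replace cert:", certificate_needs_replacement(date(2014, 1, 15),
                                                         date(2014, 4, 9)))
```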

One final piece of advice, you may have to do this on your intranet sites as well.  Don’t trust your firewall to keep out hackers, they find their way behind firewalls every day by either infecting the menu at your favorite take-out place or by changing the rules.  If you want more up to date information on Heartbleed or any other threats follow us on Twitter, Facebook and bookmark our corporate Heartbleed update page.

Expect Beautifully Packaged Spam along with Your Easter Gifts!

Contributor: Azam Raza

Easter, like all other celebrations, is meant to be a day of jubilation, which of course means gifts, shopping, and spreading cheer. However, cheer is not the only thing being spread this holiday. Spammers have also started spreading their handiwork. With just a few days left before Easter, the volume of spam is on the rise.

Each year Symantec observes certain categories of spam using Easter as a theme and this year is no different. Let’s take a look at some of the different types of spam Symantec sees year-over-year, as well as some samples from this year.

Replica goods spam
With gifts being at the core of many major celebrations, product spam (replica goods spam in particular) is the spam category Symantec observes the most. In this spam, items such as fake watches and jewelry are promoted using catchy subject lines and product images. Email header examples include:

From: “WorldOfWatches” <johnwatson@[REMOVED]>

Subject: Challenge Ends Easter weekend

From: “DailyPromos” <aacpu@[REMOVED]>
Subject: Our pick today is- easter14

Easter Spam 1.png

Figure 1. Easter themed replica goods spam

Health spam
Pharmacy or medication spam is another spam category we see a lot of when we get close to any holiday season. These spam mails usually contain links to pharmacy sites which pretend to sell medication online without prescription. Season’s greetings are usually displayed as banners on these sites to add a festive touch.

Easter Spam 2 edit.png

Figure 2. Easter themed pharmacy spam

Weight loss spam is another subcategory of health spam which is seen in multiple languages. Weight loss medicines touted in these messages range from approved medication to stories about herbal extracts from exotic plants. Email header examples include:

From: “Mackenzie Burns” <monday@[REMOVED]>

Subject: Begin eating this fruit and lose the fat before Easter Sunday

Product spam
Major retailers and brands offer large discounts and sales during holiday celebrations, and spammers take advantage of this. Spammers often craft their emails to make them appear to be from known retailers and brands, but they usually include links leading to fake sites. Offers of gift coupons are also common. The products seen in this type of spam can range from kids’ toys to SUVs. Email header examples include:

Subject: Spring Sale Event on all Cars, Trucks, and SUVs!

From: Auto-Dealer-Online <williamw@[REMOVED]>

Easter Spam 3 edit.png

Figure 3. Product spam with Easter banner

Easter Spam 4 edit.png

Figure 4. Gift coupon spam seen this season

Personalized gifts
Personalized gifts are getting popular these days, and spam promoting personalized messages on Easter eggs and Easter bunnies is proving popular among spammers. Most of these spam mails have links to fake sites, and some of them even have links to inappropriate content. Email header examples include:

From: Easter Bouquets <rebekkahFAjhLg@[REMOVED]>

Subject: Make the Easter bunny jealous! Easter flowers

Easter Spam 5 edit_0.png

Figure 5. Spam offering personalized Easter bunny letters for children

Casino spam
Online casino and gambling spam shows up in larger volumes during holiday periods. Casino spam entices victims with a signup bonus, reward points, and chances of winning a fortune. Email header examples include:

From: AU_AllSlots @ <AllSlots@[REMOVED]>

Subject: 25-free spins on Gold-Factory this-Easter

419 scam spam
Nigerian spam routinely makes the rounds during all holiday festivals with news of lucky draws and donations. Symantec has observed 419 spam pretending to be from orphanages and charity organizations asking for donations for the unfortunate. Unsolicited emails asking for personal information should always be treated with caution. Examples of email headers include:

Subject: HappyEasterInAdvance,

From: suzanne122@[REMOVED]

Something else which caught our attention this year is the volume of Easter spam in foreign languages. Easter themed attacks in foreign languages are usually about gifts and goodies, like the cupcake and gingerbread delivery spam shown here:

Portuguese

Subject: Páscoa (Subject: Easter)

From: “Cupcake” <contato@[REMOVED]>

Russian

From: Пасхи <vamdetal@[REMOVED]> (From: Easter)

Subject: Скоро Пасха (Subject: Easter is coming soon)

From: Пряники <sladkie.pashi@[REMOVED]> (From: Gingerbread)

Subject: Кондитерская мастерская (Subject: Confectionery workshop)

Symantec wishes all our customers a very happy Easter, and we also advise you to be cautious of these spam campaigns. Always exercise caution when dealing with unsolicited or unexpected holiday themed emails. Do not click on links in emails that look suspicious. Remember to update your antispam signatures to safeguard your personal information and give you the peace of mind to celebrate the wonderful Easter celebrations.