[This blog was primarily written by Xiaoning Li of Intel Labs, with assistance from Peter Szor of McAfee Labs.] In February 2013, the Adobe Product Security Incident Response Team (PSIRT) released security advisory APSA13-02. In that report they listed two vulnerabilities (CVE-2013-0640 and CVE-2013-0641) that were widely exploited. At Intel Labs and McAfee Labs we Read more…
What is the Financial industry thinking about these days? Symantec sponsored a lunch at Net.Finance, where we invited attendees to have lunch and talk about how to increase traffic to and usage of eCommerce as a way of doing business and conducting tra…
It has become increasingly common for personal and professional social media accounts to become ‘hacked’, or taken over by someone who doesn’t own the account. Twitter’s help center points out that this occurs from weak passwords, a pre-existing password-collecting virus on your computer or by entrusting your login credentials to malicious third-party websites and applications. Read more…
You’ve done it. You’ve graduated at last. Your whole life is in front of you. Now is the time to make plans, embrace the world, take responsibility, make a statement, do some good and make this place better than how you found it. And this should go without saying, but please don’t be stupid. I’m Read more…
Mother’s Day is celebrated in many countries on May 12 and it’s a day for children, regardless of age, to express their love to their mother by giving her a gift. Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically redirects the recipient to a website containing a bogus Mother’s Day offer upon completion of a fake survey.
Figure 1: Survey spam targeting Mother’s Day
Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the bogus offer.
Figure 2: Fake survey
Figure 3: Bogus Web page asking for personal information
We recently blogged about the persistence of spam with .pw URLs and not surprisingly a lot of the Mother’s Day spam messages contain .pw top-level domain (TLD) URLs. The following are some examples of the From header using .pw URLs that we have identified to date:
Figure 4: Another dodgy website related to Mother’s Day
Symantec is observing an increase in spam volume related to Mother’s Day, which can be seen in the following graph.
Figure 5: Volume of Mother’s Day spam
The following are some of the Subject lines observed for these spam attacks:
Symantec advises our readers to use caution when receiving unsolicited or unexpected emails. We are closely monitoring Mother’s Day spam attacks to ensure that readers are kept up to date with information on the latest threats.
Have a safe and happy Mother’s Day!
Get out your diary, there is another day that you have to work into the schedule – Change Your Password Day! And no – there is no obligation to buy a flower, pin or a wristband – not that I ever have a problem with purchasing them! Tuesday 7 May 2013 is Change Your Password Read more…
Microsoft has issued Security Advisory 2847140 in response to reports regarding public exploitation of a vulnerability affecting Internet Explorer 8. Other versions such as Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Exp…
If you haven’t heard, Google Glass, the latest gadget from the Silicon Valley giant, has set the media and tech world abuzz, with both admiration and controversy surrounding the device. Google Glass was released to the public last week and combines smartphone technology with wearable glasses that is reminiscent of something seen on Star Trek. Public, in this case, actually means beta testers (called Glass Explorers) who had to apply for the chance to purchase the spectacles in advance by writing a 50 word essay using the hashtag, #ifihadglass. Those chosen had the opportunity to purchase the device for $1,500 USD.
Along with the admiration of a device that appears to do everything, comes controversy. The 8,000 individuals who were able to purchase the device were bound to a restrictive end user license agreement, in which the product would be deactivated and rendered useless if sold, loaned, or transferred to a third party. This was discovered after one winner decided to put his glasses on EBay and was contacted by Google. However, it appears there were no restrictions against modifying or rooting the device other than the loss of warranty and technical support.
Recently, James Freeman, a security researcher from the United States blogged about his acquisition of Google Glass from Google’s headquarters in Mountain View, California. His blog post set the press and Google scrambling after he posted a picture showing that he had rooted the device. Freeman wasn’t part of the Glass Explorer beta test, he simply had the privilege of purchasing the device as an attendee of Google I/O in 2012. His main motivation in purchasing Google Glass was device customization. In order to make customize the device, he had to “jailbreak” or “root” it.
The foundation of Google Glass is Android 4.04. As with any operating system, there are publicly known vulnerabilities and exploits. In this case, the author analyzed an unnamed exploit which relies on a symlink traversal and a race condition to see if he could apply it to Glass. To gain full root access, Freeman realized he needed to open the Debug menu on Glass. The Debug menu is typically locked on smartphones and requires a PIN to access it, but this was not the case with Google Glass. Freeman discovered that the Debug menu on Glass was not locked down and allowed for easy access to the device:
“Even if you wear Glass constantly, you are unlikely to either sleep or shower while wearing it; most people, of course, probably will not wear it constantly: it is likely to be left alone for long periods of time. If you leave it somewhere where someone else can get it, it is easy to put the device into Debug Mode using the Settings panel and then use adb access to launch into a security exploit to get root.
The person doing this does not even need to be left alone with the device: it would not be difficult to use another Android device in your pocket to launch the attack (rather than a full computer). A USB “On-The-Go” cable could connect from your pocket under your shirt to your right sleeve. With only some momentary sleight-of-hand, one could “try on” your Glass, and install malicious software in the process.”
Although the vulnerability in Google Glass allows for anyone with malicious intent to install malware to their heart’s desires, it does require physical access to the device. As those in the security community know, while this vulnerability is a definite flaw security wise, if you can have physical access to a device, it is not completely secure. This is why Linux distributions have a single user mode for forgotten or lost root passwords. If you have physical access to the device or computer, it can be considered insecure.
Wearable devices will give malware authors another avenue to exploit, as evidenced by their transition from desktops to mobile devices. Enterprising and creative malware authors will always try to find a way to exploit a vulnerability in anything, and it will only be a matter of time before it happens.
In theory, Glass or any device that can be worn and used to record at the same time can have security implications. We might not be far away from clever ways for these devices to be used against us. For example, privacy risks such as being recorded inconspicuously wherever you are and theft possibilities, such as having your ATM PIN recorded. These problems just scratch the surface—the list of security concerns might be endless.
Last week, Symantec posted a blog on an increase in spam messages with .pw URLs. Since then, spam messages with .pw URLs have begun showing up even more.
Figure 1. .pw TLD spam message increase
Symantec conducted some analysis into where these attacks are coming from in terms of IP spaces. As expected, Symantec observed a large quantity of mail being sent from an IP range and then moving to another IP range. While this is an expected behavior, there was an interesting twist. There were multiple companies (with different names) hosting .pw spammers using the same physical address in Nevada.
Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam. The top 25 subject lines from .pw URL spam from May 1, 2013 were:
In addition to creating anti-spam filters as needed, Symantec has been in contact with Directi and working with the registrar to report and take down the .pw domains associated with spam. Symantec believes that collaborating with the registrar is a more progressive and holistic approach to solving this problem.
