Tuesday, March 17, 2009

Alert: DNS Trojan hijacks entire LAN

A new rash of Trojans has been detected that attempts to hijack entire local area networks (LANs) by masquerading as a DHCP server on the network. A rogue DHCP server can hand every client that requests a lease whatever DNS server address it likes, so the malware simply lists itself (or a server it controls) as the Domain Name System (DNS) server for the whole LAN and resolves names on its behalf.

Because the redirection happens at name resolution, even hardened or non-Windows machines that never ran the Trojan can be steered to malicious sites that then attempt to exploit whatever vulnerabilities those clients have.

Johannes Ullrich, CTO of the SANS Internet Storm Center, highlighted the danger of this attack vector: "This kind of malware is definitely dangerous because it affects systems that themselves are not vulnerable. So all you need is one system infected in the network and it will affect a lot of other non-vulnerable systems."
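A rogue-DHCP check for the attack described above, added here as an example (it is not code from the alert or from SANS). The attack works because any host on the segment may answer a client's DHCPDISCOVER, and the winning DHCPOFFER decides which DNS servers the client uses (option 6). The code parses raw BOOTP/DHCP packets (RFC 2131 header, RFC 2132 options) and flags any offer whose server identifier (option 54) or DNS servers are not on an allow-list. The allow-list addresses and the two offer packets are constructed for the demo; the `build_offer` helper exists only to produce that test input.

```python
"""Rogue DHCP / DNS-hijack detector (added example, not code from the alert)."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
DHCPOFFER = 2
HEADER_FMT = "!BBBBIHH4s4s4s4s"  # op, htype, hlen, hops, xid, secs, flags, 4 addresses


def packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def parse_dhcp(packet: bytes) -> dict:
    """Return the header fields of interest plus a {option code: raw value} map."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _, _, _, xid, _, _, _, yiaddr, siaddr, _ = struct.unpack(HEADER_FMT, packet[:28])
    options, i = {}, 240  # options start right after the magic cookie
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:  # pad option carries no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
            "siaddr": str(ipaddress.IPv4Address(siaddr)), "options": options}


def ip_list(raw: bytes) -> list:
    """Decode an option value holding zero or more packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def check_offer(packet: bytes, trusted_servers: set, trusted_dns: set) -> list:
    """Findings for one packet; an empty list means not an OFFER, or it looks fine."""
    opts = parse_dhcp(packet)["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []
    findings = []
    server = ip_list(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in trusted_servers:
        findings.append(f"OFFER from untrusted DHCP server {server or 'unknown'}")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            findings.append(f"OFFER pushes untrusted DNS server {dns}")
    return findings


def build_offer(server_ip, yiaddr, router, dns_servers, xid=0x3903F326) -> bytes:
    """Assemble a minimal DHCPOFFER (used here only to construct demo input)."""
    header = struct.pack(HEADER_FMT, 2, 1, 6, 0, xid, 0, 0,
                         bytes(4), packed(yiaddr), packed(server_ip), bytes(4))
    header += bytes(16 + 64 + 128)  # chaddr, sname and file left empty
    dns_raw = b"".join(packed(d) for d in dns_servers)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + packed(server_ip)
               + bytes([OPT_ROUTER, 4]) + packed(router)
               + bytes([OPT_DNS, len(dns_raw)]) + dns_raw
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


# Constructed allow-list and two offers: the real router, and an infected
# workstation that answers first and names itself as the DNS server.
TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_offer("192.168.1.1", "192.168.1.50", "192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_offer("192.168.1.77", "192.168.1.51", "192.168.1.1", ["192.168.1.77"])


def demo() -> dict:
    return {name: check_offer(pkt, TRUSTED_SERVERS, TRUSTED_DNS)
            for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER))}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

Feed `check_offer` the UDP payload of every packet to port 68 seen on a span port or in a capture; a single hit names the infected host (the server identifier) without waiting for a client to be poisoned. The router option (3) can be checked the same way, since the same trick redirects default gateways.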


Monday, March 9, 2009

Caution: A more aggressive Downadup/Conficker Virus/Worm variant detected

A third version of Downadup has been identified by Symantec, which says the new variant gives infected machines more powerful instructions to disable anti-virus software and analysis tools, among other actions.

W32.Downadup.C is a modular component for machines currently infected with Downadup. This variant of Downadup, also called Conficker, is not attempting to self-replicate and appears to behave more like a Trojan than a worm, says Vincent Weafer, vice president of Symantec Security Response.

The W32.Downadup.C variant was discovered today in a Symantec honeypot and is still under investigation. Symantec expects to identify additional capabilities shortly, says Weafer, who adds that Symantec has not yet seen W32.Downadup.C in customer networks directly.

Earlier versions of Downadup also tried to disable anti-virus software, but the Downadup.C module is designed mainly to add defensive measures to already-infected Windows machines so they can better resist anti-virus software and other eradication methods.

“It’s more aggressive, it has more services,” says Weafer.

Tuesday, February 24, 2009

Employees walking out with your most valuable asset, your data!

A study of people who left or lost their jobs in 2008 found close to 60 percent kept company data after leaving. The survey, performed by the Ponemon Institute and sponsored by Symantec, included more than 900 responses and found that many of those who took the data did so by stealing paper documents and hard files.

Sometimes employees walk out with more than their walking papers when they clock out for the last time.

Sixty-one percent of the employees who stole business information took it in the form of paper documents or hard files. The next most popular method was copying data onto a CD or DVD, used by 53 percent. Just under 40 percent sent documents as attachments to a personal e-mail account.

Equally troubling from an IT security perspective: almost a quarter of the participants still had access to company systems after they left, and 32 percent of those respondents admitted they logged in and found their credentials still worked.

Priority 1's Kryptique security consulting services can help you devise and execute a plan to secure your data on mobile devices, LAN, Wi-Fi, Web, file servers, and SQL database servers. For immediate security assistance please contact us.

Monday, February 23, 2009

A new SMS mobile worm!

This new worm, designated SymbOS/Yxes.A!worm (also known as 'Sexy View'), targets mobile devices running Symbian OS S60 3rd Edition (e.g. Nokia 3250), but may run on a wider range of devices, as it has been reported to function on phones running S60 3rd Edition Feature Pack 1 (e.g. Nokia N73).

It bears a valid certificate signed by Symbian, and installs as a valid application on factory mobile devices running S60 3rd Edition. The Yxes mobile worm is reported to be currently spreading in the wild.

The worm gathers phone numbers from the infected device's file system and repeatedly attempts to send SMS messages to them. Each message carries a malicious Web address (URL); recipients who follow the link download a copy of the worm (provided their phone and subscription allow Internet browsing).

Beyond propagating to as many users as possible via the strategy mentioned above, the worm's aim is to gather intelligence on the infected victim (such as serial number of the phone, subscription number) and post it to a remote server likely controlled by cyber criminals. Whatever the latter may do with such information is unknown as of writing.

Thursday, February 19, 2009

Encrypted USB flash drive with Java Card authentication

Aladdin Knowledge Systems has announced the general availability of the Aladdin eToken NG-FLASH 72K, the first product that combines the features of a USB encrypted flash drive and a unique, open Java Card technology with an advanced smartcard for the most secure strong authentication.

Eliminating the need for separate tokens for access and storage, Aladdin eToken NG-FLASH 72K combines up to four gigabytes of encrypted storage, and significantly more FLASH memory, with smartcard authentication technology to provide a unified secure, portable solution. Using eToken NG-FLASH 72K, users are now able to securely carry critical information, authenticate, develop and access files and applications from any computer – increasing productivity without compromising data security. Aladdin’s innovative open Java Card technology enables customers to future-proof their investment with all the features of eToken in one standardized platform.

Aladdin eToken NG-FLASH 72K allows users to carry their network, application, and Web credentials together with their digital certificates and encryption keys – all on-board the secured smartcard chip within Aladdin’s patented and certified USB device. All Aladdin eToken smartcards are now offered using the Java Card platform, providing enhanced security and customization to Aladdin’s USB-based smartcard for strong authentication.

Wednesday, February 18, 2009

Secure your laptop with BitLocker and TPM

Figure 1. Summary of components in BitLocker

BitLocker Drive Encryption

BitLocker Drive Encryption is an integral security feature of Windows Vista that provides considerable offline protection for data and the operating system. BitLocker helps ensure that data stored on a computer running Windows Vista is not revealed if the computer is tampered with when the installed operating system is offline. It optionally uses a Trusted Platform Module (TPM) to provide enhanced protection for data and to help ensure the integrity of early startup components. This can help protect data from theft or unauthorised viewing by encrypting the entire Windows volume.

Overview of BitLocker Drive Encryption Functionality
BitLocker offers a seamless end-user experience on systems that have a compatible TPM microchip and basic input/output system (BIOS). A compatible TPM is defined as a version 1.2 TPM with a BIOS that supports the Static Root of Trust for Measurement (SRTM), as defined by the Trusted Computing Group (https://www.trustedcomputinggroup.org): the BIOS measures each early boot component into the TPM's platform configuration registers before handing control to it. The TPM interacts with BitLocker to help provide seamless protection at system startup.

BitLocker also offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a universal serial bus (USB) flash drive that contains a startup key. These additional security measures provide multifactor authentication and higher assurance that the computer will not start or resume from hibernation until the user presents the correct PIN or USB flash drive. Figure 1 above shows a summary of the BitLocker components.

BitLocker enhances data protection by bringing together two major functions: full drive encryption and the integrity checking of early startup components.

Full Drive Encryption
Drive encryption stops an unauthorised user who has physical possession of a lost or stolen computer from simply bypassing the Windows Vista file and system permissions, which only apply while Windows is running. This protection is achieved through encryption of the entire Windows Vista volume and any additional data volumes on the hard drive. With BitLocker, all user and system files are encrypted, including the system memory paging and hibernation files.

Integrity Check of Early Startup
An offline attack is a scenario in which an attacker starts an alternative operating system to gain control of a computer system. Integrity checking the early startup components helps to ensure that data decryption is performed only if those components appear unmodified and that the encrypted drive is located in the original computer. BitLocker seals the key that protects the volume to measurements of the core startup components held in the TPM chip. Every time the computer is started, those components are measured again and the TPM compares the result with the values the key was sealed to. If anything in the chain has been modified, the TPM will not release the key required to access the Windows partition, and Windows Vista alerts the user. The system then goes into a recovery mode, prompting the user to provide a recovery key to allow access to the startup volume.

The system also uses recovery mode if a disk drive is transferred to another system, because the sealed key can only be released by the TPM that sealed it. Recovery mode requires a recovery key that is generated when BitLocker is enabled; that key is tied to the encrypted volume, not to the TPM, which is what makes it usable on another computer. As a result, BitLocker is intended for enterprises with a management infrastructure in place to store the recovery keys, such as Active Directory. Otherwise, the potential exists for data loss if a computer enters recovery mode and the recovery key is unavailable.
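A toy model of the key-release logic described above, added here as an example; it is not Microsoft code and does not reproduce BitLocker's actual formats. It shows the three behaviours the text describes: each early-startup component is measured into a TPM 1.2 PCR before it runs; the volume master key (VMK) is sealed to the expected PCR value so the TPM releases it only when the boot chain is unmodified and the sealed blob came from this TPM; and a recovery-password protector unwraps the VMK with no dependency on TPM state. The boot-component images, keys, recovery password and the HMAC-based stand-in cipher are all constructed for the demo (a real TPM seals with RSA under its storage root key).

```python
"""Toy model of BitLocker TPM key release (added example, not Microsoft code)."""
import hashlib
import hmac
import os

PCR_LEN = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM_Extend: PCR := SHA-1(PCR || SHA-1(component)). One-way and order
    dependent, so a tampered component cannot be 'un-measured' later."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Static root of trust: from the power-on value (all zeros), hash every
    early-startup component into the PCR in boot order."""
    pcr = bytes(PCR_LEN)
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 counter keystream XOR (its own inverse)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class ToyTpm:
    """Holds a storage root key (SRK) that never leaves the chip."""

    def __init__(self):
        self._srk = os.urandom(32)

    def seal(self, secret: bytes, expected_pcr: bytes) -> bytes:
        """Bind `secret` to this TPM and to `expected_pcr`."""
        key = hmac.new(self._srk, expected_pcr, hashlib.sha256).digest()
        body = expected_pcr + _xor_stream(key, secret)
        return body + hmac.new(self._srk, body, hashlib.sha256).digest()

    def unseal(self, blob: bytes, current_pcr: bytes):
        """Return the secret, or None if the blob is not ours or the boot chain differs."""
        body, tag = blob[:-32], blob[-32:]
        expected_tag = hmac.new(self._srk, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, tag):
            return None  # sealed by a different TPM (drive moved to another PC)
        expected_pcr, ciphertext = body[:PCR_LEN], body[PCR_LEN:]
        if not hmac.compare_digest(expected_pcr, current_pcr):
            return None  # an early-startup component was modified
        key = hmac.new(self._srk, current_pcr, hashlib.sha256).digest()
        return _xor_stream(key, ciphertext)


def recovery_wrap(vmk: bytes, recovery_password: str) -> bytes:
    """Second key protector: VMK under a password-derived key, independent of the
    TPM. Symmetric, so the same call unwraps. This is what recovery mode consumes."""
    return _xor_stream(hashlib.sha256(recovery_password.encode()).digest(), vmk)


def boot(tpm, sealed_vmk, rec_blob, components, recovery_password=None):
    """Return (vmk, mode): 'tpm' on a clean boot, 'recovery' when the TPM withheld
    the key but a recovery password was supplied, else (None, 'recovery-required')."""
    vmk = tpm.unseal(sealed_vmk, measure_boot_chain(components))
    if vmk is not None:
        return vmk, "tpm"
    if recovery_password is None:
        return None, "recovery-required"
    return recovery_wrap(rec_blob, recovery_password), "recovery"


# Constructed boot chains: stand-ins for the MBR, boot sector and bootmgr images.
GOOD_CHAIN = [b"MBR v1", b"NTFS boot sector", b"bootmgr 6.0.6000"]
BOOTKIT_CHAIN = [b"MBR v1 + bootkit", b"NTFS boot sector", b"bootmgr 6.0.6000"]
RECOVERY_PASSWORD = "constructed-recovery-password"


def demo() -> dict:
    """Provision a volume on one TPM, then boot it under four conditions."""
    tpm = ToyTpm()
    vmk = os.urandom(32)
    sealed = tpm.seal(vmk, measure_boot_chain(GOOD_CHAIN))
    rec = recovery_wrap(vmk, RECOVERY_PASSWORD)
    return {
        "vmk": vmk,
        "clean": boot(tpm, sealed, rec, GOOD_CHAIN),
        "bootkit": boot(tpm, sealed, rec, BOOTKIT_CHAIN),
        "bootkit_recovered": boot(tpm, sealed, rec, BOOTKIT_CHAIN, RECOVERY_PASSWORD),
        "moved_drive": boot(ToyTpm(), sealed, rec, GOOD_CHAIN),
    }


if __name__ == "__main__":
    r = demo()
    for name in ("clean", "bootkit", "bootkit_recovered", "moved_drive"):
        print(f"{name:18} -> {r[name][1]}")
```

The two failure paths are the ones the text describes: a modified MBR changes the final PCR value and the TPM withholds the key, and a drive moved to another machine fails even with an untouched boot chain because the other TPM cannot unseal the blob. Both fall through to the recovery protector, which is why the recovery key has to be escrowed somewhere other than the machine itself.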

BitLocker can also be used on computers without a compatible TPM. Using BitLocker in this way provides the volume encryption capabilities but not the added security of integrity validation on early startup files. Instead, a USB flash drive provides the encryption key at startup.

Thursday, February 12, 2009

Secure ATM Networking Via Cellular with Digi International

Automated Teller Machines (ATMs) offer the height of banking convenience. Financial institutions strive to keep their machines online 24 hours a day, seven days a week, to satisfy customer demand. Downtime means frustration for customers and potential revenue loss for banks.

A national banking institution wanted to ensure greater uptime and reduce installation costs and monthly telecommunications fees for 650 off-premise ATMs. These ATMs were located at sites not owned or managed by the bank, such as grocery and convenience stores, gas stations, and sports venues. Managing installation and securing wire-line facilities in these locations would have been time consuming, inconvenient, and costly. The Digi Transport WR cellular router was just the right solution, providing:

Quick and easy deployment with existing IP infrastructure
Wireless connections enabled ATMs to be relocated or removed easily
Flexible interfaces: serial (async/sync), Ethernet, GPS, Wi-Fi, USB and telemetry
Secure connections with stateful firewall inspection, integrated VPN and PCI compliance
High speed cellular interfaces: GSM GPRS/EDGE/HSPA and CDMA EV-DO
Remote management software and custom scripting

Secure data transfer is a requirement for mission-critical applications where highly sensitive information is transmitted, such as ATMs. The Digi Transport line of upgradeable cellular routers provides data transmission through secure VPN connections using Internet Protocol Security (IPsec) tunnels with DES or Triple DES (3DES); note that single DES is no longer considered adequate (NIST withdrew it as a standard in 2005), so 3DES should be selected. With built-in support for ATM protocols, including SNA and X.25 over IP, along with multiple serial ports (async or sync), the Digi Transport makes remote ATM installation easier and safer than before.

Now you can replace hardwired network connections to ATMs with a secure wireless cellular link.