Posts Tagged ‘social media’

Wednesday, May 15, 2013 @ 04:05 PM gHale

Cyber criminals behind the U.S. Department of Labor (DoL) watering hole attack also targeted employees of the U.S. Agency for International Development (USAID) through social engineering, researchers said.

One of the nine websites involved in the DoL watering hole attack was that of University Research Co. of Cambodia (urccambodia.org), said security researcher Eric Romang.

One of the main attack vectors was social engineering: Romang found at least two social media accounts, one on Twitter and one on Facebook, that the cybercriminals used to lure USAID employees to urccambodia.org in an effort to trick them into installing a variant of the Poison Ivy malware.

On Twitter, the attackers posted several tweets between March 18 and April 10, many of which directly addressed official USAID Twitter accounts.

On Facebook, the cyber criminals created a bogus profile that appeared to belong to a woman named Kelly Black. They used a picture copied from the web and made the profile appear to be that of a woman working for USAID.

The attackers managed to befriend several individuals from USAID and started posting links that “led to a new project.”

AlienVault experts, the ones who first spotted the DoL attack, said the command and control protocol used in the campaign matches the one used by a Chinese hacker group dubbed DeepPanda.

Microsoft has released a patch for the Internet Explorer 8 vulnerability exploited in these attacks, but the attackers have had plenty of time to leverage the security hole. While Microsoft is urging users to patch or update to a newer version, users often fail to keep their software updated, so attackers may be able to leverage it for quite some time.

Monday, April 22, 2013 @ 05:04 PM gHale

As the automation industry draws closer and closer to social media, it only makes sense to harp on the fact that users need to be plenty careful when trying to leverage the great potential that is out there.

Along those lines, Facebook closed various cross-site scripting (XSS) holes.

Nir Goldshlager, chief executive of security firm Break Security, which discovered the holes, said the social network was vulnerable to attacks through its Chat feature as well as its “Check in” and Messenger for Windows components.

In the Chat window, for example, attackers were able to share links that Facebook did not adequately check. This enabled attackers to add disguised JavaScript commands to links that the Chat client automatically inserted into href parameters. When users clicked on these specially crafted messages, the injected code executed on their systems.

The “Check in” service could be manipulated by creating custom locations and injecting JavaScript code into their settings. That client-side XSS code would then execute when users checked in at such a location.

Messenger for Windows could be compromised by creating a Facebook page. Pages can send messages to all users. If JavaScript code was entered as part of the page name and the page then sent out messages to users, the script would execute on users’ machines as soon as they logged into Messenger.
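All three holes share one root cause: text supplied by one user reached a link or page-name field without being checked, and the client turned it into something the browser would execute. As an added example (not Facebook’s code), this is the check a chat client should make before turning a shared link into an href, covering the whitespace and entity tricks browsers tolerate; the function names are the example’s own.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes a chat client should be willing to turn into a clickable link.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers strip leading/trailing C0 controls and spaces and delete ASCII
# tab/LF/CR anywhere in a URL *before* reading the scheme, so a validator that
# looks at the raw string would accept " javascript:..." or "java\tscript:...".
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_TAB_NEWLINE = re.compile(r"[\t\n\r]")


def normalize_url(raw: str) -> str:
    """Undo HTML entities and mimic the browser's pre-parse whitespace handling."""
    url = html.unescape(raw)            # "&#106;avascript:" -> "javascript:"
    url = _EDGE_CONTROLS.sub("", url)
    return _TAB_NEWLINE.sub("", url)


def is_safe_link(raw: str) -> bool:
    """True only for absolute http(s) URLs with a host; anything else is text."""
    try:
        parts = urlsplit(normalize_url(raw))
    except ValueError:                  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ALLOWED_SCHEMES:   # urlsplit lowercases the scheme
        return False                          # rejects javascript:, data:, vbscript:
    return bool(parts.netloc)                 # "http:example.com" has no host


def render_link(raw: str, text: str) -> str:
    """Return the anchor the client would insert, or escaped plain text."""
    safe_text = html.escape(text)
    if not is_safe_link(raw):
        return safe_text
    href = html.escape(normalize_url(raw), quote=True)
    return f'<a href="{href}">{safe_text}</a>'
```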

Thursday, January 24, 2013 @ 06:01 PM gHale

Up until January 17, third-party Twitter apps were able to gain access to direct messages (DMs) even if you didn’t grant them permission to do so.

Third-party apps could easily gain access to private direct messages because of a vulnerability caused by “complex code and incorrect assumptions and validations,” said Cesar Cerrudo, a security researcher at IOActive.

Cerrudo noticed the security hole while analyzing a web application that allowed users to sign into Twitter. When he signed in, Twitter warned him the app would read his tweets, see who he followed, follow new people, post new tweets, and update his profile.

However, there was no mention of accessing direct messages. Yet Cerrudo discovered the app was displaying all his private messages.

“The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its ‘Sign in with Twitter’ web page,” the researcher said.

“Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorization, and Twitter did not display any messages about this.”

He wasn’t able to determine the root cause, so he reported the vulnerability to Twitter. The social media company rushed to address it, attributing the bug to a combination of complex code and incorrect assumptions and validations.

While it’s a good thing Twitter addressed the issue, Cerrudo said Twitter should have issued a warning or an advisory to let users know about the fix. That’s because third-party apps that already have permissions might still be able to access direct messages unless those permissions are revoked.

Cerrudo advises users to check out the third-party application permissions and revoke all the apps that have access to direct messages without authorization.

Wednesday, January 9, 2013 @ 04:01 PM gHale

The email read just fine. It appeared to be an employee e-newsletter and asked recipients to visit a website to confirm they wanted to continue receiving the newsletter.

Another email carried an attachment it said contained the marketing plan the recipient had requested.

A third email bearing a colleague’s name suggested a useful website to visit.

All three emails were from legitimate sources, or so it seemed. As soon as anyone clicked on the website or attachment, they became victims.

Spear phishing 101.

All three cases are what information security experts at the Georgia Tech Research Institute (GTRI) say is the most challenging threat facing corporate networks today.

Generic emails asking employees to open malicious attachments, provide confidential information or follow links to infected websites have been around for a long time. What’s new today is the authors of these emails are now targeting their attacks using specific knowledge about employees and the organizations they work for. The inside knowledge used in these spear phishing attacks gains the trust of recipients.

“Spear phishing is the most popular way to get into a corporate network these days,” said Andrew Howard, a GTRI research scientist who heads up the organization’s malware unit. “Because the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds.”

The success of spear phishing attacks depends on finding the weakest link in a corporate network. That weakest link can be just one person who falls for an authentic-looking email.

“Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it,” Howard said. “It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time.”

Howard and other GTRI researchers are now working to help email recipients by taking advantage of the same public information the malware authors use to con their victims. Much of that information comes from social media sites that companies and malware authors find helpful. Attackers find other information in Securities and Exchange Commission (SEC) filings, or even on an organization’s own website.

“There are lots of open sources of information that will increase the chances of eliciting a response in spear phishing,” Howard said. “We are looking at a way to warn users based on this information. We’d like to see email systems smart enough to let users know that information contained in a suspect message is from an open source and suggest they be cautious.”

Other techniques to counter the attacks may come from having access to all the traffic entering a corporate network.

To increase their chance of success, criminals attempting to access a corporate network often target more than one person in an organization. Network security tools could use information about similar spear phishing attempts to warn other members of an organization. And by having access to all email, security systems could learn what’s “normal” for each individual – and recognize unusual email that may be suspicious.

“We are looking at building behavioral patterns for users so we’d know what kinds of email they usually receive. When something comes in that’s suspicious, we could warn the user,” Howard said. “We think the real answer is to keep malicious email from ever getting into a user’s in-box, but that is a much more difficult problem.”

It’s difficult because organizations today depend on receiving, opening and responding to email from customers. Deleting or even delaying emails can have a high business cost.

“What we do requires a careful balance of protecting the user, but allowing the user to get his or her job done,” he said. “Like any security challenge we have to balance that.” These and other strategies will be part of Phalanx, a new product under development by GTRI researchers to protect corporate networks from spear phishing. It will be part of Titan, a dynamic framework for malicious software analysis GTRI launched last spring.

Among the challenges ahead is developing natural language algorithms that can quickly separate potential spear phishing attacks from harmless emails, for instance by searching for language indicating a request such as “open this attachment” or “verify your password.”

GTRI researchers have been gaining experience with corporate networks through the security evaluations they’ve done and through work with GTRI’s own network, which receives millions of emails each day. Fortunately, they say, it’s not just the bad guys who are learning more.

“The chief financial officers of companies now understand the financial impacts of spear phishing, and when they join forces with the chief information officers, there will be an urgency to address this problem,” he added. “Until then, users are the front line defense. We need every user to have a little paranoia about email.”

Monday, December 3, 2012 @ 05:12 PM gHale

Just over 90 percent of cyber attacks begin with a spear phishing email, according to Trend Micro.

Spear phishing is a growing form of attack that makes use of information about a target to make attacks more specific and “personal.”

These attacks may, for instance, refer to their targets by their specific name or job position, instead of using generic titles like in broader phishing campaigns.

The goal of a spear phishing attack is to trick the victim into either opening a malicious file attachment or clicking a link to a malware- or an exploit-laden website, which could compromise the victim’s network.

According to a Trend Micro report, 94 percent of targeted emails use malicious file attachments as the payload or infection source. The remaining six percent use alternative methods such as installing malware through malicious links.

“We fully expect to see a resurgence of malicious email as targeted attacks expand and evolve,” said Rik Ferguson, director of security research and communications at Trend Micro. “Experience has shown us that criminals continue to abuse tried and trusted methods to directly leverage intelligence gathered during the reconnaissance for targeted attacks.”

Ferguson said the abundance of information on individuals and companies online makes the job of creating extremely credible emails very easy.

The most commonly used file types for spear phishing attachments accounted for 70 percent of them; the main types were .RTF (38 percent), .XLS (15 percent) and .ZIP (13 percent).

Executable (.EXE) files were less popular among cybercriminals because emails with .EXE attachments are detected and blocked by security systems, Trend Micro said.

The most highly targeted industries for spear phishing were government and activist groups, the research found. Information about government agencies and appointed officials is all over the Internet and often posted on public government websites.

Because activist groups are highly active in social media, and are also quick to provide member information — in order to facilitate communication, organize campaigns or recruit new members — member profiles are highly visible targets.

Trend said 75 percent of email addresses for spear phishing targets are obtained through web searches or by using common email address formats.

If firms are going to tackle spear phishing, they will need to make sure they have the right protection in place. One form of protection, antivirus software, is sometimes very weak at detecting new malware threats.

In one study, a team at security firm Imperva ran a collection of 82 new malware files through the VirusTotal system, which checks files against around 40 different antivirus products, and found the initial detection rate was zero.

Tuesday, November 20, 2012 @ 04:11 PM gHale

New phishing attacks rely on blogging and social media websites as part of their command and control (C&C) infrastructure.

The attacks start with an attachment called “AutoCleanTool.rar,” said researchers at security firm FireEye. When the file is unpacked and executed, users see a small application window that prompts them to enter their full email address and its associated password.

Once the user enters the information, the malware saves it to the Windows registry and then transmits it to the attackers.

In the meantime, the program creates a directory structure and drops a malicious DLL file in a couple of locations.

Once the DLL (NetCCxx.dll) loads, the malware first checks whether it can connect to the Internet by issuing a GET request.

Then, it starts contacting a number of domains, all of which are on Chinese social media and blogging websites such as baidu.com, zuosa.com, people.com.cn, tongxue.com and alibado.com.

From these websites, the malware starts downloading a series of .jpg image files representing Japanese animation characters.

While the pictures look innocent, each actually contains an “unknown padding” of 471 bytes after the JPEG End of Image marker. This padding is what allows the malware to update itself.

The data it takes from one image becomes part of a new .ini file that contains configuration details. Another part of the retrieved data contains the URL for an additional image file, which in turn contains more configuration information.

This way, the malware can update itself without the security software noticing it. Furthermore, the data from the .jpg file can also update the entire framework and even add new components.
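To check a downloaded image for this kind of appended block, walk the JPEG segment structure to the real End of Image marker rather than searching for the byte pair FF D9, which can also occur inside a comment or EXIF segment or inside the appended data itself. The following is an added example, not FireEye’s tooling; the sample JPEG and the 471-byte payload are constructed for the test.

```python
# Added example: report bytes appended after a JPEG's End of Image (EOI) marker.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, 0xD8, *range(0xD0, 0xD8)}   # markers without a length field


def trailing_bytes(buf: bytes) -> bytes:
    """Return everything after the EOI marker (b'' for a clean file)."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(buf):
        if buf[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = buf[pos + 1]
        if marker == 0xFF:               # fill byte, skip it
            pos += 1
            continue
        if marker == EOI:
            return buf[pos + 2:]
        if marker in STANDALONE:
            pos += 2
            continue
        length = int.from_bytes(buf[pos + 2:pos + 4], "big")
        pos += 2 + length                # past marker and segment payload
        if marker == SOS:
            # Entropy-coded data follows. Inside it, FF is always followed by
            # 00 (stuffing), FF (fill) or D0..D7 (restart); anything else is a
            # real marker, so a decoy FF D9 cannot hide in here.
            while pos + 1 < len(buf):
                if (buf[pos] == 0xFF and buf[pos + 1] not in (0x00, 0xFF)
                        and not 0xD0 <= buf[pos + 1] <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample(trailing: bytes) -> bytes:
    """Constructed, structurally valid (not viewable) JPEG for testing."""
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    com = _segment(0xFE, b"comment holding a \xff\xd9 decoy")  # defeats naive find()
    sos = _segment(SOS, b"\x01\x01\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"  # stuffed FF00 and RST0 in scan data
    return b"\xff\xd8" + app0 + com + sos + scan + b"\xff\xd9" + trailing


# Constructed stand-in for the 471-byte block described in the report.
PAYLOAD = (b"[constructed config] next=http://example.invalid/a.jpg;" * 12)[:471]

if __name__ == "__main__":
    extra = trailing_bytes(build_sample(PAYLOAD))
    print(f"{len(extra)} bytes after EOI")        # 471 bytes after EOI
```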

“Network communications like this could easily slip under the radar. All the domains and URLs accessed by the malware are legitimate. Though they seem to all be Chinese in origin, there is not really enough for most traditional security defenses to detect outright,” FireEye’s J. Gomez said.

“IT security personnel should be aware of these types of threats as they can go undetected for extended periods of time until traditional signature-based security solutions receive detection updates (if at all).”

Tuesday, November 20, 2012 @ 02:11 PM gHale

Facebook will begin turning on secure browsing for its millions of users in North America, which will make HTTPS the default connection option for all sessions and will give users a baseline level of security and help prevent some common attacks.

At first thought this may seem more consumer-oriented than manufacturing automation-focused, but with more manufacturers using social media as an e-commerce tool and an arrow in their marketing quiver, this could add one more layer of defense.

Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not the default protection and users had to manually make the change in order to get the better protection of HTTPS. When users have to take that extra step, they often just go with the default settings.

Now, users will have to manually turn HTTPS off if they don’t want it, a major change, especially for Facebook’s massive user base, which has become a major target for attackers.

Facebook is under constant attack by hackers. One of the common techniques used to compromise users is a man-in-the-middle attack, through which attackers intercept traffic between a client and the server it should be going to. This type of attack is much easier when that traffic remains unencrypted and attackers really don’t need to do much in order to get it.

HTTPS encrypts the connection between the user’s machine and the server on the other end, obscuring it from attackers, even if they are able to sniff the traffic on the wire or on a wireless connection. The technology is by no means “the silver bullet” for Web-based attacks, but it can slow down or cut out some basic types of attacks.

Using HTTPS also won’t protect you if there is malware on your machine that’s capable of logging keystrokes. But it is an important change for Facebook, something that has become not just a social network but also an e-commerce platform.

Thursday, July 19, 2012 @ 04:07 PM gHale

Social media attacks continue to abound these days, but with manufacturing automation professionals looking to boost their presence on sites like Facebook, there needs to be a word of warning.

That is because malware is infecting machines by getting users to open a malicious link in a fake Facebook email notification, security officials said.

Everything looks legit about the alert with one big exception: the domain name for the sender’s URL is Faceboook.com, not Facebook.com, said researchers at SophosLabs.

“If you click on the link in the email, you are not taken immediately to the real Facebook website,” said Graham Cluley. “Instead, your browser is taken to a website hosting some malicious iFrame script (which takes advantage of the Blackhole exploit kit, and puts your computer at risk of infection by malware).”

Those who do click the “See Photo” button in the email are taken to the malicious site and before they can react, their browser redirects them to a random, unknowing person’s Facebook page and not the page of the person who supposedly sent the email.

Sophos identified the malicious code as Troj/JSRedir-HW and is continuing to investigate.
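A mail gateway can catch the Faceboook.com trick automatically by comparing a sender’s domain against the brands it expects to see and flagging near-misses (a repeated letter, one or two edits). The following is an added example rather than Sophos’ detection logic; the trusted-domain list and the From: headers are constructed.

```python
import re
from typing import Optional, Tuple

# Constructed allow-list of brands whose notifications this gateway expects.
TRUSTED_DOMAINS = {"facebook.com", "linkedin.com", "twitter.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def collapse_repeats(s: str) -> str:
    """'faceboook' and 'facebook' both become 'facebok' (the classic squat)."""
    return re.sub(r"(.)\1+", r"\1", s)


def sender_domain(from_header: str) -> Optional[str]:
    """Registrable domain (brand.tld, naive) from a From: header, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not m:
        return None
    labels = m.group(1).lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header: str) -> Tuple[str, Optional[str]]:
    """('trusted' | 'lookalike' | 'unrelated', matched trusted domain or None)."""
    domain = sender_domain(from_header)
    if domain is None:
        return ("unrelated", None)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    brand = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_brand = trusted.split(".")[0]
        if (levenshtein(brand, t_brand) <= 2
                or collapse_repeats(brand) == collapse_repeats(t_brand)):
            return ("lookalike", trusted)
    return ("unrelated", None)


# Constructed headers in the style of the notification described above.
SAMPLE_FROM_HEADERS = [
    "Facebook <notification+kjdm@faceboook.com>",
    "Facebook <notification@facebook.com>",
    "LinkedIn <messages@linkedln.com>",
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        print(hdr, "->", classify_sender(hdr))
```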

Thursday, April 19, 2012 @ 04:04 PM gHale

Social media continues to grow in usage throughout the industry; it remains a solid marketing tool. The problem is, however, security for the media remains suspect and hard to control from a corporate perspective.

Twitter is just one case in point. Two distinct malicious spam campaigns are currently targeting Twitter users and taking them to compromised sites serving rogue AV and scareware software, said security software provider GFI.

The messages are short (“a must see LINK”, “young girls are waiting LINK”) and are spewed from bot and compromised accounts. Both contain links to a .tk domain.

Following the link in the first message lands victims on a page (detectoptimizersupervision(dot)info) serving the bogus Windows Antivirus 2012, currently detected by only 3 of the 42 AV solutions used by VirusTotal.

The offered variant changes every three to six hours.

The second one redirects users to a website where the Blackhole exploit kit drops a first rogue AV and then redirects to another page offering a second one named Windows Antivirus Patch.

Twitter is aware of the campaigns and is working toward taking the messages down, but just in case, users should avoid links to .tk URLs.
