Chemical Safety Incidents
Posts Tagged ‘social media’
Thursday, May 23, 2013 @ 03:05 PM gHale
As manufacturing automation firms work social media deeper into their enterprises, the security around those accounts has to keep pace. One of those outlets, Twitter, is raising its security posture by introducing two-factor authentication.
Its two-factor authentication, which Twitter calls “login verification,” makes an account harder to take over with a stolen or guessed password alone.
Twitter users can now opt in to login verification by checking the box under “Account security” on their account settings page. Once they add their mobile phone number to their account and activate login verification, they will have to enter a six-digit code sent by SMS in addition to their password every time they log into the service.
Users who turn on login verification can generate a temporary password to authorize third-party Twitter applications and other devices that do not go through the login verification prompt. Even with login verification activated, users should still use a strong password that is difficult to guess, said Jim O’Leary, a member of Twitter’s security team.
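The server side of the flow described above, as an added example (not Twitter’s implementation): a six-digit code issued only after the password check, valid once, for a short window, with a cap on guesses. The validity window, the attempt limit and the in-memory store are assumptions, and the SMS send is replaced by returning the code so the flow runs offline.

```python
"""Sketch of an SMS 'login verification' second factor.

Added example, not Twitter's code. CODE_TTL_SECONDS, MAX_ATTEMPTS and the
in-memory store are assumptions; issue() returns the code instead of sending
an SMS so the flow can be exercised offline.
"""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for one code
MAX_ATTEMPTS = 3         # assumed guess cap per issued code


class LoginVerification:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._pending = {}         # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        """Called only after the password check succeeds.
        Returns the code that would be delivered by SMS."""
        code = "%06d" % secrets.randbelow(10 ** 6)   # keeps leading zeros
        self._pending[username] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """True only for the right code, inside the window, within the attempt cap.
        A correct code is single-use; an expired or exhausted code is discarded so
        the user must request a fresh one."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, _attempts_left = entry
        if self._now() > expires_at:
            del self._pending[username]
            return False
        # Constant-time comparison: a simple == would leak match length via timing.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[username]
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]
        return False


if __name__ == "__main__":
    lv = LoginVerification()
    code = lv.issue("alice")
    print("code that would be sent by SMS:", code)
    print("wrong guess accepted?", lv.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted?", lv.verify("alice", code))
    print("replay accepted?", lv.verify("alice", code))
```

The attempt cap matters as much as the code length: six digits is only a million possibilities, so a verifier that allows unlimited guesses turns the second factor into a short brute-force exercise.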
In the last few weeks, Josef Blatter, FIFA, the BBC, CBS, The Associated Press, the Guardian and the Financial Times have been just some of the victims of hacked accounts. A group called the Syrian Electronic Army claimed responsibility for the attacks, accusing western media of spreading wrong information about the civil war in Syria. The attack on AP ended up with its official Twitter account sending out false reports of explosions in the White House that injured President Barack Obama.
While not perfect, the new two-factor authentication mechanism is a good step toward a secure Twitter experience.
Wednesday, May 15, 2013 @ 04:05 PM gHale
Cyber criminals behind the U.S. Department of Labor (DoL) watering hole attack also targeted employees of the U.S. Agency for International Development (USAID) through social engineering, researchers said.
One of the nine websites involved in the DoL watering hole attack was that of the University Research Co. of Cambodia (urccambodia.org), said security researcher Eric Romang.
Social engineering was one of the main attack vectors: Romang found at least two social media accounts, one on Twitter and one on Facebook, that the cybercriminals used to lure USAID employees to urccambodia.org, where the goal was to trick them into installing a variant of the Poison Ivy malware.
On Twitter, the attackers posted several tweets between March 18 and April 10, many of which directly addressed official USAID Twitter accounts.
On Facebook, the cyber criminals created a bogus profile that appeared to belong to a woman named Kelly Black. They copied a picture from the web, and made the profile of a woman that appeared to be working for USAID.
The attackers managed to befriend several individuals from USAID and started posting links that “led to a new project.”
AlienVault experts, the ones who first spotted the DoL attack, said the command and control protocol used in the campaign matches the one used by a Chinese hacker group dubbed DeepPanda.
Microsoft released a patch for the Internet Explorer 8 vulnerability exploited in these attacks, but the attackers had ample time to use the hole before the fix shipped.
Microsoft is urging users to patch or update to a newer version of the browser. Given how often users fail to keep their software updated, attackers will likely be able to leverage the hole for quite some time.
Monday, April 22, 2013 @ 05:04 PM gHale
As the automation industry draws closer and closer to social media, it only makes sense to harp on the fact users need to be plenty careful when trying to leverage the great potential that is out there.
Along those lines, Facebook closed various cross-site scripting (XSS) holes.
Nir Goldshlager, chief executive of security firm Break Security, discovered the holes and said the social network was vulnerable to attacks through its Chat feature as well as its “Check in” and Messenger for Windows components.
Thursday, January 24, 2013 @ 06:01 PM gHale
Up until January 17 third-party Twitter apps were able to gain access to direct messages (DMs) even if you didn’t grant them permission to do so.
Third-party apps could easily gain access to private direct messages because of a vulnerability caused by “complex code and incorrect assumptions and validations,” said Cesar Cerrudo, a security researcher at IOActive.
Cerrudo noticed the security hole while analyzing a web application that allowed users to sign into Twitter. When he signed in, Twitter warned him the app would read his tweets, see who he followed, follow new people, post new tweets, and update his profile.
However, there was no mention of access to direct messages. Yet Cerrudo found the app was displaying all his private messages.
“The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its ‘Sign in with Twitter’ web page,” the researcher said.
“Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorization, and Twitter did not display any messages about this.”
He wasn’t able to determine the root cause, so he reported the vulnerability to Twitter. The company quickly addressed it, attributing the bug to a combination of complex code and incorrect assumptions and validations.
While it’s a good thing Twitter addressed the issue, Cerrudo said Twitter should have issued a warning or an advisory to let users know about the fix. That’s because third-party apps that already obtained the extra permission may still be able to access direct messages unless users revoke them.
Cerrudo advises users to check out the third-party application permissions and revoke all the apps that have access to direct messages without authorization.
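The check Cerrudo effectively ran by hand, as an added example (not Twitter’s or IOActive’s code): compare the access level a third-party app actually received with what the consent screen showed. It assumes the `X-Access-Level` response header Twitter’s REST API returned at the time, with the values `read`, `read-write` and `read-write-directmessages`; the sample responses below are constructed, not captured.

```python
"""Detect a token that carries more privilege than the consent screen listed.

Added example, not Twitter's or IOActive's code. Assumes the X-Access-Level
response header and its three values as documented for Twitter's REST API of
the period; SAMPLE_RESPONSES is constructed to mirror the reported behaviour.
"""

# Ordered from least to most privilege (assumption about the API's levels).
ACCESS_LEVELS = ["read", "read-write", "read-write-directmessages"]


def parse_access_level(headers):
    """Return the access level from a response-header dict, matching the
    header name case-insensitively. Raises if it is missing or unknown."""
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            level = value.strip().lower()
            if level not in ACCESS_LEVELS:
                raise ValueError("unknown access level: %r" % value)
            return level
    raise KeyError("X-Access-Level header missing")


def excess_privilege(granted, shown):
    """True if the token can do more than the consent screen listed."""
    return ACCESS_LEVELS.index(granted) > ACCESS_LEVELS.index(shown)


def audit_app(consent_shown, responses):
    """Check the API responses an app received across several sign-ins.
    Returns [(sign-in index, granted level)] for every escalation."""
    findings = []
    for i, headers in enumerate(responses):
        granted = parse_access_level(headers)
        if excess_privilege(granted, consent_shown):
            findings.append((i, granted))
    return findings


# Constructed sample: the first sign-in (active Twitter session) gets
# read-write; the second (no session, password entered) silently gets DMs.
SAMPLE_RESPONSES = [
    {"X-Access-Level": "read-write", "Content-Type": "application/json"},
    {"x-access-level": "read-write-directmessages", "Content-Type": "application/json"},
]

if __name__ == "__main__":
    for idx, level in audit_app("read-write", SAMPLE_RESPONSES):
        print("sign-in %d: token has %s, consent screen showed read-write" % (idx, level))
```

The same comparison belongs in any OAuth client: treat the scope the provider reports on the token as the source of truth, and refuse to keep a token that exceeds what the user agreed to, rather than assuming the consent screen and the token always agree.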
Wednesday, January 9, 2013 @ 04:01 PM gHale
The email read just fine. It appeared to be an employee e-newsletter and asked recipients to visit a website to confirm they wanted to continue receiving the newsletter.
Another email carried an attachment it said contained the marketing plan the recipient had requested.
A third email bearing a colleague’s name suggested a useful website to visit.
All three emails were from legitimate sources, or so it seemed. As soon as anyone clicked on the website or attachment, they became victims.
Spear phishing 101.
All three are examples of what information security experts at the Georgia Tech Research Institute (GTRI) call the most challenging threat facing corporate networks today.
Generic emails asking employees to open malicious attachments, provide confidential information or follow links to infected websites have been around for a long time. What’s new is that the authors of these emails now target their attacks using specific knowledge about employees and the organizations they work for. The inside knowledge used in these spear phishing attacks gains the trust of recipients.
“Spear phishing is the most popular way to get into a corporate network these days,” said Andrew Howard, a GTRI research scientist who heads up the organization’s malware unit. “Because the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds.”
The success of spear phishing attacks depends on finding the weakest link in a corporate network. That weakest link can be just one person who falls for an authentic-looking email.
“Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it,” Howard said. “It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time.”
Howard and other GTRI researchers are now working to help email recipients by taking advantage of the same public information the malware authors use to con their victims. Much of that information comes from social media sites, which companies find useful for business and attackers find useful for reconnaissance. Attackers find other information in Securities and Exchange Commission (SEC) filings, or even on an organization’s own website.
“There are lots of open sources of information that will increase the chances of eliciting a response in spear phishing,” Howard said. “We are looking at a way to warn users based on this information. We’d like to see email systems smart enough to let users know that information contained in a suspect message is from an open source and suggest they be cautious.”
Other techniques to counter the attacks may come from having access to all the traffic entering a corporate network.
To increase their chance of success, criminals attempting to access a corporate network often target more than one person in an organization. Network security tools could use information about similar spear phishing attempts to warn other members of an organization. And by having access to all email, security systems could learn what’s “normal” for each individual – and recognize unusual email that may be suspicious.
“We are looking at building behavioral patterns for users so we’d know what kinds of email they usually receive. When something comes in that’s suspicious, we could warn the user,” Howard said. “We think the real answer is to keep malicious email from ever getting into a user’s in-box, but that is a much more difficult problem.”
It’s difficult because organizations today depend on receiving, opening and responding to email from customers. Deleting or even delaying emails can have a high business cost.
“What we do requires a careful balance of protecting the user, but allowing the user to get his or her job done,” he said. “Like any security challenge we have to balance that.” These and other strategies will be part of Phalanx, a new product under development by GTRI researchers to protect corporate networks from spear phishing. It will be part of Titan, a dynamic framework for malicious software analysis GTRI launched last spring.
Among the challenges ahead are developing natural language algorithms that can quickly separate potential spear phishing attacks from harmless emails. That could occur by searching for language indicating a request such as “open this attachment” or “verify your password.”
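The two ideas above, a per-recipient baseline of what is “normal” and a search for request language such as “open this attachment” or “verify your password”, combined in one added example (not GTRI’s Phalanx or Titan code). The mail history and the three messages are constructed to mirror the three lures at the top of the article; the phrase list beyond the two quoted on the page, the message field names and the scoring rule are assumptions for illustration.

```python
"""Flag spear-phishing candidates from a sender baseline plus request language.

Added example, not GTRI's code. HISTORY and SAMPLES are constructed; the
regex phrases other than the two quoted in the article, the message fields
and the decision rule are assumptions.
"""
import re
from collections import defaultdict
from email.utils import parseaddr

# Language that asks the reader to act. The first two alternatives are the
# examples quoted by GTRI; the rest are assumed for this example.
REQUEST_RE = re.compile(
    r"open (?:this|the) attach(?:ment|ed)|verify your (?:password|account)|"
    r"confirm (?:that )?you|click (?:here|the link|below)|you requested",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed history: (recipient, sender) pairs delivered without complaint.
HISTORY = [
    ("alice@example.com", "newsletter@example.com"),
    ("alice@example.com", "bob@example.com"),
    ("alice@example.com", "bob@example.com"),
    ("alice@example.com", "hr@example.com"),
]


def build_baseline(history):
    """Per-recipient set of senders seen before: what is 'normal' for that user."""
    baseline = defaultdict(set)
    for rcpt, sender in history:
        baseline[rcpt.lower()].add(sender.lower())
    return baseline


def analyze(message, baseline):
    """Return (suspicious, indicators) for one message dict with keys
    to / from / subject / body / attachments."""
    rcpt = message["to"].lower()
    name, addr = parseaddr(message["from"])
    addr = addr.lower()
    known = baseline.get(rcpt, set())
    text = message.get("subject", "") + "\n" + message.get("body", "")
    # A display name borrowed from a colleague, paired with an unknown address,
    # is the 'email bearing a colleague's name' pattern.
    known_local_parts = {a.split("@", 1)[0] for a in known}
    first_name = name.split()[0].lower() if name else ""
    indicators = {
        "new_sender": addr not in known,
        "lookalike_name": addr not in known and first_name in known_local_parts,
        "request_language": bool(REQUEST_RE.search(text)),
        "has_link": bool(URL_RE.search(text)),
        "has_attachment": bool(message.get("attachments")),
    }
    lure = indicators["request_language"] or indicators["has_link"] or indicators["has_attachment"]
    # Decision rule (assumed): an unfamiliar sender delivering a lure.
    return indicators["new_sender"] and lure, indicators


# Constructed messages mirroring the three lures described in the article.
SAMPLES = [
    {"to": "alice@example.com", "from": "Staff News <news@example-news.net>",
     "subject": "Employee e-newsletter",
     "body": "Please confirm you want to keep receiving this newsletter: http://example-news.net/confirm",
     "attachments": []},
    {"to": "alice@example.com", "from": "Bob Smith <bob@examp1e.com>",
     "subject": "Marketing plan",
     "body": "Attached is the marketing plan you requested.",
     "attachments": ["marketing_plan.doc"]},
    {"to": "alice@example.com", "from": "Bob Smith <bob@example.com>",
     "subject": "Useful site",
     "body": "Thought you might find this useful: http://example.org/tools",
     "attachments": []},
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for msg in SAMPLES:
        suspicious, ind = analyze(msg, baseline)
        print("%-40s suspicious=%s %s" % (msg["from"], suspicious, ind))
```

The third message is the limitation of a baseline approach: a link sent from a colleague’s real (possibly compromised) account is “normal” by construction, so it passes, which is why the researchers pair the per-user model with content cues and with correlation across recipients.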
GTRI researchers have been gaining experience with corporate networks through the security evaluations they’ve done and through work on GTRI’s own network, which receives millions of emails each day. Fortunately, they say, it’s not just the bad guys who are learning more.
“The chief financial officers of companies now understand the financial impacts of spear phishing, and when they join forces with the chief information officers, there will be an urgency to address this problem,” he added. “Until then, users are the front line defense. We need every user to have a little paranoia about email.”
Tuesday, November 20, 2012 @ 04:11 PM gHale
New phishing attacks rely on blogging and social media websites as part of their command and control (C&C) infrastructure.
The attacks start with an attachment called “AutoCleanTool.rar,” said researchers at security firm FireEye. When the file unzips and executes, users see a small application window which prompts them to enter their full email address and its associated password.
Once the user enters that information, the malware saves it in the Windows registry and then transmits it to the attackers.
In the meantime, the program creates a directory structure and drops a malicious DLL file in a couple of locations.
Once the DLL (NetCCxx.dll) loads, the malware first checks to see if it can connect to the Internet by using a GET request.
Then, it starts contacting a number of domains, all of which are on Chinese social media and blogging websites such as baidu.com, zuosa.com, people.com.cn, tongxue.com and alibado.com.
From these websites, the malware starts downloading a series of .jpg image files representing Japanese animation characters.
While the pictures look innocent, in reality each carries 471 bytes of “unknown padding” after the JPEG End-of-Image marker. Image decoders stop at that marker, so the picture still displays normally; the malware reads the padding as the data it uses to update itself.
The data it takes from one image becomes part of a new .ini file that contains configuration details. Another part of the retrieved data contains the URL for an additional image file, which in turn contains more configuration information.
This way, the malware can update itself without the security software noticing it. Furthermore, the data from the .jpg file can also update the entire framework and even add new components.
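A detection-side view of the technique, as an added example (not FireEye’s code): walk a JPEG’s marker structure to the End-of-Image marker and report whatever follows it, which is where the configuration described above is hidden. The sample image is a constructed minimal JPEG skeleton (a valid marker layout with no real picture data) with 471 bytes appended after EOI to mirror the reported padding size; the padding content itself is made up.

```python
"""Report bytes appended after a JPEG's End-of-Image (FF D9) marker.

Added example, not FireEye's code. build_sample() produces a constructed
JPEG skeleton; PADDING is invented and only its length (471) mirrors the
report.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI and the RST0-7 restart markers.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def trailing_data(data):
    """Return (bytes_after_eoi, offset_of_eoi). Raises ValueError if the
    marker structure is malformed or no EOI is found."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return data[pos:], pos - 2
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2 or pos + seg_len > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        pos += seg_len
        if marker == SOS:
            # Entropy-coded data follows. Inside it, 0xFF is byte-stuffed as
            # FF 00 and FF D0-D7 are restart markers, so scan to the next
            # real marker instead of trusting a length field.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
            else:
                raise ValueError("scan data runs to end of file without EOI")
    raise ValueError("no EOI marker found")


def build_sample(payload):
    """Constructed JPEG skeleton: SOI, APP0, SOS with a few scan bytes that
    include a stuffed FF 00 and an RST0 marker, EOI, then `payload`."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    seg_app0 = b"\xFF\xE0" + struct.pack(">H", len(app0) + 2) + app0
    sos_body = b"\x01\x01\x00\x00\x3F\x00"
    seg_sos = b"\xFF\xDA" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\x34\xFF\x00\x56\xFF\xD0\x78\x9A"
    return b"\xFF\xD8" + seg_app0 + seg_sos + scan + b"\xFF\xD9" + payload


# Invented padding; only the 471-byte length mirrors the report.
PADDING = (b"[cfg]\nnext=http://example.invalid/next.jpg\n" + b"\x00" * 512)[:471]

if __name__ == "__main__":
    payload, off = trailing_data(build_sample(PADDING))
    print("EOI at offset %d, %d trailing bytes: %r" % (off, len(payload), payload[:48]))
```

A few trailing bytes after EOI are common in benign files (some cameras and editors leave them), so the useful alert threshold is on size and content, for example anything over a few dozen bytes or anything that parses as text or a URL, rather than on mere presence.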
“Network communications like this could easily slip under the radar. All the domains and URLs accessed by the malware are legitimate. Though they seem to all be Chinese in origin, there is not really enough for most traditional security defenses to detect outright,” FireEye’s J. Gomez said.
“IT security personnel should be aware of these types of threats as they can go undetected for extended periods of time until traditional signature-based security solutions receive detection updates (if at all).”
Tuesday, November 20, 2012 @ 02:11 PM gHale
Facebook will begin turning on secure browsing for its millions of users in North America, making HTTPS the default connection for all sessions and giving users a baseline level of security that helps prevent some common attacks.
At first thought this may seem more consumer-oriented than manufacturing automation-focused, but with more manufacturers using social media as an e-commerce tool and an arrow in their marketing quiver, it adds one more layer of defense.
Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not the default protection and users had to manually make the change in order to get the better protection of HTTPS. When users have to take that extra step, they often just go with the default settings.
Now, users will have to manually turn HTTPS off if they don’t want it, a distinction that is a major change, especially for Facebook’s massive user base, which has become a major target for attackers.
Facebook is under constant attack by hackers. One of the common techniques used to compromise users is a man-in-the-middle attack, in which attackers intercept traffic between a client and the server it should be going to. This type of attack is much easier when that traffic is unencrypted, because an attacker who can see the wire or the wireless channel does not need to do much more than read it.
HTTPS encrypts the connection between the user’s machine and the server on the other end, obscuring it from attackers, even if they are able to sniff the traffic on the wire or on a wireless connection. The technology is by no means “the silver bullet” for Web-based attacks, but it can slow down or cut out some basic types of attacks.
Using HTTPS also won’t protect you if there is malware on your machine that’s capable of logging keystrokes. But it is an important change for Facebook, something that has become not just a social network but also an e-commerce platform.
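One check worth adding to the HTTPS-by-default story, as an added example (not Facebook’s code): a session cookie that lacks the `Secure` attribute is still sent on any plain `http://` request to the site, which is exactly the kind of cleartext cookie the Firesheep attacks captured. The Set-Cookie lines below are constructed and the cookie names are placeholders; the check ignores Domain and Path matching and assumes the request goes to the issuing host.

```python
"""Audit Set-Cookie headers for cookies that would still travel in the clear.

Added example, not Facebook's code. SAMPLE_HEADERS are constructed; the
audit assumes the request targets the issuing host and ignores Domain/Path
matching.
"""


def parse_set_cookie(header):
    """Return (name, attrs): attrs maps lower-cased attribute names to their
    values, or True for bare flags such as Secure and HttpOnly."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, value = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = value.strip() if has_value else True
    return name.strip(), attrs


def audit_cookie(header):
    """Findings for one Set-Cookie line. No Secure flag means a plain http://
    request to the host (a typed URL, an embedded image, a redirect) carries
    the cookie where a sniffer on the wire or on Wi-Fi can read it."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("readable by script, so XSS can steal it")
    return name, findings


def leaks_over(header, url):
    """True if a request to `url` would carry this cookie in the clear."""
    _, attrs = parse_set_cookie(header)
    return url.lower().startswith("http://") and "secure" not in attrs


# Constructed examples: the first is what a pre-HTTPS-default session cookie
# typically looked like; the second is the hardened form.
SAMPLE_HEADERS = [
    "sess=abc123; Path=/; Domain=.example.com; HttpOnly",
    "sess=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
    "pref=dark; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        name, findings = audit_cookie(h)
        print("%-5s %s" % (name, "; ".join(findings) or "ok"))
        print("      leaks on http://www.example.com/? %s" % leaks_over(h, "http://www.example.com/"))
```

Defaulting to HTTPS removes the easy case, but the flag is what stops the browser from ever sending the session token over port 80, which is why the two changes belong together.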
Thursday, April 19, 2012 @ 04:04 PM gHale
Social media continues to grow in usage throughout the industry, and it remains a solid marketing tool. The problem, however, is that securing it remains hard to control from a corporate perspective.
Twitter is just one case in point. Two distinct malicious spam campaigns are currently targeting Twitter users and taking them to compromised sites serving rogue AV and scareware software, said security software provider GFI.
The messages are short (“a must see LINK”, “young girls are waiting LINK”) and are spewed from bot and compromised accounts. Both contain links to a .tk domain.
Following the link in the first message lands victims on a page (detectoptimizersupervision(dot)info) serving the bogus Windows Antivirus 2012, which at the time was detected by only 3 of the 42 AV engines used by VirusTotal.
The offered variant changes every three to six hours.
The second one redirects users to a website where the Blackhole exploit kit drops a first rogue AV then redirects to another page offering another one named Windows Antivirus Patch.
Twitter is aware of the campaigns and is working toward taking the messages down, but just in case, users should avoid links to .tk URLs.