Friday, June 27, 2014

Security Smorgasbord, vol 6 no 1

Paypal's 2-factor authentication is entirely broken:
Researchers at DUO Security claim to have found a way of bypassing a two-factor authentication feature that secures logins to PayPal, eBay's online payment service.

The vulnerability could allow an attacker who has stolen a Paypal customer’s user name and password to gain access to the account, even though the customer had enabled the more secure two-factor authentication option.
Two-factor authentication is a big step up from the normal username/password.  Often it's implemented by sending you a random string of letters and/or digits via SMS to your phone, which you then type in alongside your password.  That way an attacker needs not only your username and password but your cell phone as well.  Unless the implementation is broken: a second factor only protects you if every path that logs you in actually demands it.  Oops.  Paypal users, FYI.  Paypal said they're "working on it", whatever that means.
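What a correct SMS second-factor login flow looks like, as an added example (my own code, not PayPal's or Duo's, and not a description of the PayPal bug): the password check and the SMS code check are two separate steps, and a session only exists once both have passed. The user record, phone number, time limits and the stand-in SMS gateway are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed policy: an SMS code is honoured for two minutes
MAX_ATTEMPTS = 5         # assumed policy: wrong guesses allowed before the challenge is voided


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; argon2 or bcrypt would be the production choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo user database: one account with the SMS second factor switched on.
SALT = secrets.token_bytes(16)
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "phone": "+15555550100",          # made-up number
        "twofactor": True,
    }
}
DUMMY_HASH = hash_password(secrets.token_hex(8), SALT)  # so unknown users cost the same time

SENT_SMS = []  # stand-in for an SMS gateway so the example runs offline


def send_sms(phone: str, text: str) -> None:
    SENT_SMS.append((phone, text))


class Challenge:
    def __init__(self, user: str, code: str, issued: float):
        self.user, self.code, self.issued, self.attempts = user, code, issued, 0


class AuthServer:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # challenge id -> Challenge (password passed, SMS code not yet)
        self.sessions = {}  # session token -> username (both factors passed)

    def login(self, username: str, password: str):
        """Step 1: the password. For a 2FA user this never yields a session,
        only a challenge id that is useless on its own."""
        user = USERS.get(username)
        expected = user["pw_hash"] if user else DUMMY_HASH
        if not hmac.compare_digest(expected, hash_password(password, SALT)) or user is None:
            return ("denied", None)
        if not user["twofactor"]:
            return ("session", self._issue_session(username))
        code = f"{secrets.randbelow(10**6):06d}"       # the part only the phone sees
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = Challenge(username, code, self.now())
        send_sms(user["phone"], f"Your login code is {code}")
        return ("challenge", cid)

    def verify_code(self, cid: str, code: str):
        """Step 2: the SMS code. This is the only place a 2FA user gets a session."""
        ch = self.pending.get(cid)
        if ch is None:
            return ("denied", None)
        if self.now() - ch.issued > CODE_TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            del self.pending[cid]   # expired or brute-forced: start over from the password
            return ("denied", None)
        ch.attempts += 1
        if not hmac.compare_digest(ch.code, code):
            return ("denied", None)
        del self.pending[cid]       # single use: a replayed code must not work
        return ("session", self._issue_session(ch.user))

    def _issue_session(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def whoami(self, token: str):
        """Who a token belongs to; challenge ids are not tokens and map to nobody."""
        return self.sessions.get(token)
```

The point to check in your own systems is the one the structure above makes obvious: there is exactly one function that hands out a session to a 2FA user, and it is not the password check. Any second login path (a mobile API, a legacy endpoint, an "I lost my phone" flow) that calls `_issue_session` after only the password has quietly turned the second factor off.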

Why do you rob banks?  Because that's where the money is:
The experts at Kaspersky Lab have discovered evidence of a targeted attack against the clients of a large European bank. According to the logs found in the server used by the attackers, apparently in the space of just one week cybercriminals stole more than half a million euros from accounts in the bank.

The first signs of this campaign were discovered on 20 January this year when a C&C [Command & Control - Borepatch] server was detected on the net. The server’s control panel indicated evidence of a Trojan program used to steal money from clients’ bank accounts.

The experts also detected transaction logs on the server, containing information about which sums of money were taken from which accounts. All in all, more than 190 victims could be identified, most of them located in Italy and Turkey. The sums stolen from each bank account, according to the logs, ranged from 1,700 to 39,000 euros.

The campaign was at least one week old when the C&C was discovered, having started no later than Jan. 13 2014. In that time the cybercriminals successfully stole more than 500,000 Euros. Two days after GReAT discovered the C&C server, the criminals removed every shred of evidence that might be used to trace them. However, experts think this was probably linked to changes in the technical infrastructure used in the malicious campaign rather than spelling the end of the Luuuk campaign.
If you bank online, check your account every day, and turn on whatever transaction alerts your bank offers.  The victims here lost up to 39,000 euros apiece in a week; a withdrawal you spot the same day is a lot easier to reverse than one you find at month's end.

History repeats itself because nobody listens the first time:
The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday.

Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas. The problem has grown so bad that today businesses are rushing to invest in many of the latest security technologies designed to detect infections without any ability to efficiently address them, Spafford said.

“Instead of building secure systems, we are getting further and further away from solid construction by putting layer upon layer on top of these systems,” Spafford said. “The idea is for vendors to push things out rather than get things right the first time.”
Spaf is one of the luminaries of the industry, and is absolutely correct here.  It's getting much worse with poorly coded apps for smart phones.  Just wait for the "Internet Of Things" to computerize your house ...

Is it OK for me to hate on Google Glass users?  Please?
Google Glass wearers can snoop on passcodes and other sensitive information with only a passing glance, according to a proof-of-concept demo by security researchers.

Researchers from the University of Massachusetts Lowell were able to use video streams from wearables like Google Glass and the Samsung smartwatch to capture four-digit PIN codes typed onto an iPad from around three metres away.
ASM826 has been posting about situational awareness.  Be aware of who's near you when you're at the ATM, and cover the keypad with your free hand while you type: the attack depends on the camera getting a view of your fingers on the keys, from three metres away.

1 comment:

Old NFO said...

Yep, it's no longer the guy videotaping from tens of feet away... sigh