Banking malware stole 36 million euros

• The Zeus trojan was used as part of a sophisticated malware attack that was able to steal an estimated 36 million euros from over 30,000 customers based at 30 different banks in Germany, The Netherlands, Spain and Italy
• The trojan infected victims’ PCs and Mobile phones, and intercepted their attempts to interact with their banks
• Victims were tricked into infecting their Mobiles when the trojan on the PC claimed it ‘needed to upgrade your online banking software’, and asked for additional information, including the number of your mobile phone
• The mobile version of the trojan targeted both Blackberry and Android devices
• The mobile infection was the key to the success of the trojan, as it allowed the attackers to intercept SMS messages containing the ‘TAN’ (Transaction Authentication Number) that the banks would send, and would need to be entered to confirm any large transactions
• This allowed the attackers to transfer money out of the victims account without alerting the victim, and the banks saw the transactions passing the additional fraud verification steps (SMS TAN), so were not alerted to a problem
• The trojan would initiate transfers ranging from 500 to 250,000 euros to various accounts around europe, where the funds would then be withdrawn by mules
• The Zeus trojan is also known for modifying the pages returned by online banking, to show the expected account balance and transactions. It would hide the transfers, and adjust the displayed balance to be correct, even after additional valid transactions. (See previous episode on man-in-the-browser attacks)
• The attack consisted of a number of steps:
• Victim accidentally visits malicious site, or is tricked into clicking a link by a phishing email or social media attack
• The victim visit their bank’s site and log in to their account to make a transaction
• The trojan modifies the code of the bank page, prompting the user to enter their mobile phone number and operating system
• The collected information is sent back to the attacker’s C&C server
• The attacker then sends a text message to the victim device, prompting the user to download the Zitmo (Zeus in the mobile) trojan, disguised as an ‘upgrade to the security of the online banking system’
• Each time the victim logs into their online banking, the trojan initiates transfer of money out of the victim’s account using their real credentials
• The banks recognize this as a large, high risk transaction, and as such, delay the transaction and request the user complete 2 factor authentication, the bank sends a TAN number to the user’s mobile
• The TAN SMS is intercepted by the trojan on the victim’s mobile device and delivered to the attacker’s C&C server, the victim never knows they received the text message
• Javascript injected into the online banking page via the PC trojan receives the TAN from the C&C server and authorizes the transfer
• The Eurograbber attack is now complete and the attackers transfer money out of a victim’s account
• This attack highlights the need for better phishing prevention by financial institutions
• All financial institutions should be using SPF and cryptographically signing all legitimate emails with DKIM. Then some type of DNS whitelist, that says ‘any domain on this list, will ALWAYS have a DKIM signature, if it does not, this email should be rejected’, similar to the recent HSTS standard for HTTPS
• Threatpost Coverage

Researcher developes 0day exploit against Samsung SmartTVs

• Luigi Auriemma, a researcher for Malta based security firm ReVuln, has developed a number of 0day exploits against Samsung SmartTVs
• He has apparently found some signature that allows him to scan networks to find the IP addresses of any connected SmartTV devices
• The exploit allows him to remotely image all storage devices connected to the TV, including the internal storage, but also any USB devices that happened to be attached
• The exploit could also allow an attacker to install custom firmware, malicious applications, operate any microphones or cameras connected to the TV, steal credentials stored on the device, overwrite the root certificate store to allow spoofing of HTTPS sites (allowing a successful man-in-the-middle attack), or keep a log of all content played on the TV
• The exploit can also be used to remotely control the device, using a feature allowing the TV to be controlled from a smartphone. This allows the attacker to have the same control over the device they would have if they were in the room, further allowing them to exploit the device
• Technical details were not disclosed, ReVuln is currently selling the vulnerability
• If your TV is connected to the internet behind a NAT router or firewall, such that it cannot be connected to directly from the internet, it is less vulnerable. However you still have to consider the case of an attacker cracking your WiFi and being able to access the device via the LAN, or SmartTV devices connected to office networks, as well as those devices in bars, cafes, hotels and the like.
• Luigi has previously disclosed other flaws in the Samsung SmartTVs

Researchers develop attacks that could cripple GPS receivers

• Using $2500 worth of gear, researchers from Carnegie Mellon were able to disrupt both customer and professional grade GPS receivers
• “A 45-second crafted GPS message could bring down up to 30 percent of the global GPS Continuously Operating Reference Stations (CORS), while other attacks could take down 20 percent of NTRIP networks ”
• Attacks were conducted against seven receiver brands including Magellan, Garmin, GlobalSat, uBlox, LOCOSYS and iFly 700, whereas Trimble was working with researchers to push out a patch for its affected products
• These new attacks are quite different than existing GPS spoofing attacks, the new research covers a much larger attack vector “by viewing GPS as a computer system”. This included analysis of GPS protocol messages and operating systems, the GPS software stack and how errors affect dependent systems
• The attacks include messing with the time, since GPS is used as a source of clock synchronization, allowing the attackers to trigger the UNIX epoch rollover or otherwise tamper with devices
• Full research paper

Feedback:

• URGENT VPS Question
• Few questions about Nginx
• Win8 Password Exploit?
• RSA encryption Video

Happy 18th Birthday to Chris Eadle from Jupiter Broadcasting, and his lovely lady friend Angela.

Round-UP:

• BBC News – The hum that helps to fight crime
• Intel announces new ATOM based SoC servers. Dual-core w/ HT and density in excess of 1000 cores per rack
• GhostShell hackers release 1.6 million NASA, FBI, ESA accounts
• Researcher from last week’s MySQL vulns posts more, faster online password cracking
• Eric Schmidt says that Google Fiber ‘is a real business’ and plans to expand it
• FreeBSD Could Miss Year End Funding Target By Nearly 50%
• FreeBSD foundation gets 650 new donations in the last three days raising $43196
  
• Ho, ho, Bing: NORAD Tracks Santa switching from Google to Microsoft

The post 2-Factor Trojan | TechSNAP 88 first appeared on Jupiter Broadcasting.

Barnes and Noble POS Terminals compromised, debit card pin numbers stolen

• Barnes and Noble discovered on Sept 14th that a number of the PIN Pads for its Point of Sales system had been compromised
• Barnes and Noble did not go public with the information until this week at the request of investigators
• Tampered PIN Pads were found in 63 stores all over the country, including California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island
• The retailer reported that only about 1% of their PIN pads had been tampered with, but when the compromise was discovered on Sept 14th, they disconnected all PIN pads at their 700 stores
• It appears that a coordinated criminal enterprise infected PIN pads with malware that would record credit/debit card numbers and PIN numbers
• B&N recommends that you change your debit card PIN number and watch your debit and credit accounts for unauthorized transactions
• Online purchases were not affected
• Official Announcement from Barnes and Noble

Avaition Blogger finds that he can determine what security screening he will get from this boarding pass

• Frequent Flyer John Butler wrote a blog post this week, after he was able to determine what level of security screening he was going to be subjected to at the airport by reading the unencrypted barcode on his boarding pass
• This raises the possibility that terrorist or smuggling groups could buy multiple tickets, then check each and use the ones that subjects them to the less intense screening process
• The barcodes also appear to lack any form of MAC (Message Authentication Code), to protect them from unauthorized modification
• It is unclear if a modified barcode would work, or if it is checked against a central database
• It is illegal under US law to tamper or alter a boarding pass
• The vulnerability appears to be confirmed by reading the specifications for the system published by the IATA (International Air Transport Association)
• Every airport I’ve been through (YYZ, YHM, YYC, CDG, WAW, AMS) has not had any way to avoid the screening process, it appears that only the TSA allows you to pass through security without the basic screening. I have been randomly selected for additional screening (chemical residue test) twice

Serious bug in Linux kernel results in EXT4 data corruption

• A bug was accidently introduced in Linux Kernel version 3.6.2, and then backported into 3.4 and 3.5
• The bug has to do with the way the superblock and journal are updated, and can result in extensive data corruption, especially if a filesystem is unmounted shorted after it was mounted
• A patch was posted, but was found to not fully solve the problem, so a second patch was posted later
• Kernel 3.4.x is reaching end of life, and may not get an official patch

Dreamhost decides to change its SSH keys without notifying customers

• DreamHost, a large shared web hosting provider, generated new SSH keys for all of its servers on Wednesday
• DreamHost claims it is the “result of a security maintenance which we are performing to prevent exploitation of weak or outdated keys”
• It seems like an excessive step, unless one or more of the SSH host private keys were compromised, in which case that is huge security news
• If the keys were compromised, this means that someone could impersonate the DH server and log the login attempts, capturing valid username and password combinations
• DreamHost made a number of mistakes:
• Not giving users a heads up about the change before it happened, no email was sent, just a blog post that users were directed two when they contacted support about the error message
• The blog post encourages users to just delete the old SSH key from their known_hosts and accept the new one, without verifying its authenticity
• DreamHost did not publish a list of the fingerprints of the new keys, so that customers could verify the authenticity of the new keys they are presented with when they connect
• The purpose of SSH fingerprints is to verify the identity of the remote host, they work in much the same way as SSL certificates except that there is no central certificate authority, it is up to the user to verify the identity of the key the first time. The main goal is to notify the user if the key suddenly changes, suggesting that you are not infact connecting to the intended server, but to some other server that may be trying to get your credentials or perform a man-in-the-middle attack on you
• An attacker that is able to perform a man-in-the-middle attack during a time when a user is willing to just ignore the security warning (or even, take the additional steps OpenSSH requires before allowing you to accept a new key), could be very successful

Mathematician finds that Google and others were using weak keys for DKIM

• Mathematician Zachary Harris got an email from a Google headhunter for a job as a Site Reliability Engineer
• Seeing as he is not an expert in that field, he assumed that the email was a phishing scam
• He examined the headers, and determined that it was signed with the proper DKIM keys, appearing to actually be from Google
• DKIM (DomainKeys Identified Mail), is a process where all outbound email is cryptographically signed with a private key, that can then be verified against a public key published in DNS, such that only emails that are actually from the domain can be signed with the key, it is a common anti-spam and anti-phishing mechanism
• He noticed that Google was only using 512bit keys for DKIM,
• Harris explored other sites and found the same problem with the keys used by Amazon, Apple, Dell, eBay, HP, HSBC, LinkedIn, Match.com, PayPal, SBCGlobal, Twitter, US Bank and Yahoo
• He found keys in 384, 512 and 768 bits, despite the fact that the DKIM standard calls for a minimum of 1024 bit keys
• A 384-bit key can factor on a laptop in 24 hours, while a 512-bit keys can be factored in about 72 hours using Amazon EC2 for around $75
• In 1998 it was an academic breakthrough of great concerted effort to crack a 512 bit key. Today anyone can do it by myself in 72 hours on AWS

Feedback:

• How do you keep your Linux (and BSD) servers (safely) up to date?
• How to host multiple web servers behind a single external IP?
• FreeBSD on the Raspberry Pi?
• How does FreeBSD Jail Networking…. Work?
• ISP birding by routing through a VPS?
• Sean wants to say THANKS!

While having lunch at EuroBSDCon, a FreeBSD developer recognized me from the Linux Action Show. He just so happened to be one of the main USB developers, and proceeded to correct (yell at) me. He recently expended a great deal of effort to improve support for webcams and other USB devices under FreeBSD 9.1 (and therefore PC-BSD as well). As further evidence of this, once we were done talking, someone walked up and handed him a USB ethernet adapter that was not supported, a hardware donation to drive development.

• Allan and Stefan speaking at EuroBSDCon 2012 another
• Shots of the conference: 1 2 3 4

Roundup

• Apple removes Java from all OS X Web browsers
• Facebook publishes modified version of Open Compute hardware spec to work with regular leased datacenter space
• Diigo Emergency Announcement – Domain Hijacked
• Chinese Telco manufacturer Huawei offers access to its source code to allay security concerns
  
• Demo of “serious” networking vulnerabilities cancelled at HP’s request
• US says it will retaliate against cyber attacks, if it can figure out how, and who did it…
• Obama agrees to exclude social networks for new Cyber Security plans
• CyanogenMod Android ROM accidently logged your swipe to unlock gestures

The post Breaking DKIM | TechSNAP 81 first appeared on Jupiter Broadcasting.