Banking malware stole 36 million euros

• The Zeus trojan was used as part of a sophisticated malware attack that was able to steal an estimated 36 million euros from over 30,000 customers based at 30 different banks in Germany, The Netherlands, Spain and Italy
• The trojan infected victims’ PCs and Mobile phones, and intercepted their attempts to interact with their banks
• Victims were tricked into infecting their Mobiles when the trojan on the PC claimed it ‘needed to upgrade your online banking software’, and asked for additional information, including the number of your mobile phone
• The mobile version of the trojan targeted both Blackberry and Android devices
• The mobile infection was the key to the success of the trojan, as it allowed the attackers to intercept SMS messages containing the ‘TAN’ (Transaction Authentication Number) that the banks would send, and would need to be entered to confirm any large transactions
• This allowed the attackers to transfer money out of the victims account without alerting the victim, and the banks saw the transactions passing the additional fraud verification steps (SMS TAN), so were not alerted to a problem
• The trojan would initiate transfers ranging from 500 to 250,000 euros to various accounts around europe, where the funds would then be withdrawn by mules
• The Zeus trojan is also known for modifying the pages returned by online banking, to show the expected account balance and transactions. It would hide the transfers, and adjust the displayed balance to be correct, even after additional valid transactions. (See previous episode on man-in-the-browser attacks)
• The attack consisted of a number of steps:
• Victim accidentally visits malicious site, or is tricked into clicking a link by a phishing email or social media attack
• The victim visit their bank’s site and log in to their account to make a transaction
• The trojan modifies the code of the bank page, prompting the user to enter their mobile phone number and operating system
• The collected information is sent back to the attacker’s C&C server
• The attacker then sends a text message to the victim device, prompting the user to download the Zitmo (Zeus in the mobile) trojan, disguised as an ‘upgrade to the security of the online banking system’
• Each time the victim logs into their online banking, the trojan initiates transfer of money out of the victim’s account using their real credentials
• The banks recognize this as a large, high risk transaction, and as such, delay the transaction and request the user complete 2 factor authentication, the bank sends a TAN number to the user’s mobile
• The TAN SMS is intercepted by the trojan on the victim’s mobile device and delivered to the attacker’s C&C server, the victim never knows they received the text message
• Javascript injected into the online banking page via the PC trojan receives the TAN from the C&C server and authorizes the transfer
• The Eurograbber attack is now complete and the attackers transfer money out of a victim’s account
• This attack highlights the need for better phishing prevention by financial institutions
• All financial institutions should be using SPF and cryptographically signing all legitimate emails with DKIM. Then some type of DNS whitelist, that says ‘any domain on this list, will ALWAYS have a DKIM signature, if it does not, this email should be rejected’, similar to the recent HSTS standard for HTTPS
• Threatpost Coverage

Researcher developes 0day exploit against Samsung SmartTVs

• Luigi Auriemma, a researcher for Malta based security firm ReVuln, has developed a number of 0day exploits against Samsung SmartTVs
• He has apparently found some signature that allows him to scan networks to find the IP addresses of any connected SmartTV devices
• The exploit allows him to remotely image all storage devices connected to the TV, including the internal storage, but also any USB devices that happened to be attached
• The exploit could also allow an attacker to install custom firmware, malicious applications, operate any microphones or cameras connected to the TV, steal credentials stored on the device, overwrite the root certificate store to allow spoofing of HTTPS sites (allowing a successful man-in-the-middle attack), or keep a log of all content played on the TV
• The exploit can also be used to remotely control the device, using a feature allowing the TV to be controlled from a smartphone. This allows the attacker to have the same control over the device they would have if they were in the room, further allowing them to exploit the device
• Technical details were not disclosed, ReVuln is currently selling the vulnerability
• If your TV is connected to the internet behind a NAT router or firewall, such that it cannot be connected to directly from the internet, it is less vulnerable. However you still have to consider the case of an attacker cracking your WiFi and being able to access the device via the LAN, or SmartTV devices connected to office networks, as well as those devices in bars, cafes, hotels and the like.
• Luigi has previously disclosed other flaws in the Samsung SmartTVs

Researchers develop attacks that could cripple GPS receivers

• Using $2500 worth of gear, researchers from Carnegie Mellon were able to disrupt both customer and professional grade GPS receivers
• “A 45-second crafted GPS message could bring down up to 30 percent of the global GPS Continuously Operating Reference Stations (CORS), while other attacks could take down 20 percent of NTRIP networks ”
• Attacks were conducted against seven receiver brands including Magellan, Garmin, GlobalSat, uBlox, LOCOSYS and iFly 700, whereas Trimble was working with researchers to push out a patch for its affected products
• These new attacks are quite different than existing GPS spoofing attacks, the new research covers a much larger attack vector “by viewing GPS as a computer system”. This included analysis of GPS protocol messages and operating systems, the GPS software stack and how errors affect dependent systems
• The attacks include messing with the time, since GPS is used as a source of clock synchronization, allowing the attackers to trigger the UNIX epoch rollover or otherwise tamper with devices
• Full research paper

Feedback:

• URGENT VPS Question
• Few questions about Nginx
• Win8 Password Exploit?
• RSA encryption Video

Happy 18th Birthday to Chris Eadle from Jupiter Broadcasting, and his lovely lady friend Angela.

Round-UP:

• BBC News – The hum that helps to fight crime
• Intel announces new ATOM based SoC servers. Dual-core w/ HT and density in excess of 1000 cores per rack
• GhostShell hackers release 1.6 million NASA, FBI, ESA accounts
• Researcher from last week’s MySQL vulns posts more, faster online password cracking
• Eric Schmidt says that Google Fiber ‘is a real business’ and plans to expand it
• FreeBSD Could Miss Year End Funding Target By Nearly 50%
• FreeBSD foundation gets 650 new donations in the last three days raising $43196
  
• Ho, ho, Bing: NORAD Tracks Santa switching from Google to Microsoft

The post 2-Factor Trojan | TechSNAP 88 first appeared on Jupiter Broadcasting.

Samsung creates new Log Structured File System, F2FS for NAND Flash

• Also known as the Flash-Friendly File System
• A file system designed to take advantage of, and avoid some of the drawbacks to SSDs and other flash based storage devices
• It is based on the concept of a Log Structured File System, with some redesign (LSFS is a very old design, based on assumptions that did not come true)
• What is a Log Structured File System
  • Proposed in 1988
  • Stores data in a circular log file, constantly writing new changes to the head of the log
  • Recovers more easily from unexpected shutdowns
  • Based on the assumption that writes need to be faster, as reads will be almost free due to caching
  • Gains speed, especially on rotary devices because writes are done contiguously, instead of seeking to various places
  • SSDs reduce seek times, making discontiguous reads no longer a performance detriment
  • Requires a garbage collection process, where blocks at the tail of the log that are still in use (not superseded by updated blocks) must be rewritten to the head of the log so that the tail can be overwritten by the new head
  • Most modern implementations are not actually circular, but rather break the disk up into segments, and garbage collect the least used segments
• F2FS was designed by Samsung to allow Android based devices to make better use of their eMMC storage
• F2FS is focused on SSDs and other block devices rather than raw NAND devices
• There are other Log Structured File System implementations such as NILFS and BSD-LFS
• There is a FreeBSD project NANDFS to implement a Log Structured File System on raw NAND devices, removing the controller logic/layer from an SSD and allowing the file system to make all of the decisions

WoW exploit allows attackers to kill entire cities

• On October 7th, all player and even NPC characters in a number of cities of various servers in the MMO World of Warcraft started dying mysteriously
• Videos show characters just falling over dead in rapid succession
• Forum Thread reporting the issue
• A hotfix has been applied to resolve the issue
• Official Blizzard Response

Mozilla pulls Firefox 16 from website due to flaw

• Mozilla has removed the Firefox 16 downloads from their website, reverting to offering 15.0.1
• A vulnerability was found in Firefox 16 that could allow a malicious website to determine what URLs you had visited, and have access to the URLs and possibly URL parameters, which could disclose sensitive information or authentication tokens
• The vulnerable version was pulled from the download page less than a day after it was posted
• No users were automatically updated to Firefox 16, only users to manually downloaded it are vulnerable
• All users of Firefox 16 should downgrade to 15.0.1, any users still using 16 will be automatically upgraded to 16.0.1 when it is released
• Firefox 16 was released with patches for 24 known vulnerabilities , 21 of which were labelled critical
• BBC Coverage

Microsoft issues a slew of bad DMCA requests

• Microsoft has stepped up its automated DMCA requests, causing it to incorrectly ask Google to censor/remove search results linking to AMC Theatres, the BBC, Buzzfeed, CNN, HuffingtonPost, TechCrunch, RealClearPolitics, Rotten Tomatoes, ScienceDirect, Washington Post, Wikipedia, the U.S. Government and many more sites
• In another request the software giant seeks the removal of a URL on Spotify.com
• Claiming to be attempting to prevent unauthorized distribution of the Windows 8 Beta, Microsoft listed 65 “infringing” web pages, nearly half of which have nothing to do with Windows 8

Thanks to GoDaddy, take a peek at their Data Center:

• Tech.GoDaddy.com – Data Center – YouTube

Feedback:

• What I wish the new hires “knew”.
• What will be in the news the week in October when Allan is at Euro BSD Con?
• Setting up a large scale monitoring system for Linux/Mac/Windows?
  • Often times a function of the driver for the RAID controller, even under Linux/BSD
  • Many controllers offer some type of SNMP agent
• Hegemon8’s batch of questions
• A few Linux SysAdmin questions
• What is an IPKVM?
  • IP-KVM is KVM (keyboard video mouse), over IP
  • Original KVMs allowed you to manage multiple machines from a single keyboard/monitor/mouse
  • IP-KVMs allow you to do this remotely, over the internet, most IP-KVMs also include ‘virtual media’, which allows you to mount DVD or USB images from your client machine, allowing you to rescue or install the OS from across the world
  • I regularly use IP-KVM to manage servers all over europe from my desk
  • Most IP-KVM systems support SSL
• Varnish instead of NGINX in front of Apache?
  • Varnish can be faster, but has no support for something like FastCGI to handle applications
  • Varnish does not support SSL
  • Varnish is probably less useful during a DDoS attack, because it uses 1 thread per connection, whereas NGINX uses a fixed number of threads and is event driven. For a large number of simultaneous connections, NGINX will likely use less system resources
  • Varnish is fast and awesome
• Some guy names Chris asks about ISPs tracking users

Round-Up:

• DHS Issued False ‘Water Pump Hack’ Report; Called It a ‘Success’
• Is TLS provably secure? There is no right answer
• Verizon Details Their Uses for Location Data – Like Tracking Demographics at Large Events
• Cybercrime gang recruiting botmasters for large scale attacks on US banks, because EU banks require 2 factor auth for wire transfers
• Your tax dollars at work: local cops now paid with federal money to troll IRC
• India Minister of Telecom says Telcos should switch to charging only for data, rather than voice calls
• OnLive acquired for just under $5 million
• IETF started HTTP/2.0, including HSTS support

The post Best Tool for the Job | TechSNAP 80 first appeared on Jupiter Broadcasting.