Displaying items by tag: Malware

The Point of Sale (PoS) station is probably one of the most targeted devices in recent years. There are multiple reasons for this: older operating systems, the need to POS users to have admin rights, generic logons for the “windows” accounts, and more. Most PoS softare is very resistant to attempts to properly secure it including getting all sorts of bent out of shape when you try to apply restrictive security policies to them. I have even seen them stop working because the removable drive mount option is removed from USB ports using a group policy object.

Back in August of 2014 while covering DEFCON 22 we sat in on a talk about how insecure the UEFI BIOS was and how it could potentially grant a malicious person ring zero access to your system. The talk was given by Corey Kallenberg and Xeno Kovah and they showed just how easy it would be to plant non-removable malware into the UEFI BIOS as well as how easy it would be to kill the BIOS remotely by affecting only two lines of code in the BIOS.

Despite a valiant attempt to label P2P transfers and BitTorrent as the devil Microsoft and others are looking to move this direction for updates and other services. In the latest build of Windows 10 the new P2P updating mechanism was found hiding out as an option in the code. Fortunately Microsoft does give you a few options when it comes to this new feature.

The word torrent conjures up many things. To the average person the word torrent means a way to get movies, TV shows and other media online for free. To the MPAA, RIAA and other copyright holders it is a bad thing that must be stopped. To a technically minded person it is a protocol that allows you to quickly share data be many people by splitting the data out between multiple systems or seeds. The more seeds the faster the information is shared. This concept has led to more than a few side projects including a secure seeded chat application and now perhaps a new way to serve web pages.

So the big Sony Hack that everyone was talking about and that the US government blamed on Korea might not have been state sponsored after all. Despite the FBI’s initial (and way too fast) conclusion that the source of the attacks were from North Korea there was ample evidence that this was not the case from the start. Anyone familiar with the way an attack happens knows that the majority are going to be pushed through multiple proxies and will have some sort of obfuscation to hide who is doing what including using code that might have been used before.

The targeting of travelers is something that is a very old idea. To the would-be attacker you are getting a target that is not familiar with their surroundings and (in many cases) has a lot of money on them. In the “old days” the target was the cash they brought with them. This quickly changed to a number of scams to get access to their credit card numbers and the cash that they protected. Still the idea was to go after the traveler because they were easy targets when they were out and about.

There appear to be developments in the way that Shellshock is used to push malware around. According to new information the Bash Bug is now being used to send malware out through the use of compromised SMTP gateways. The clever attackers are trying to use altered headers (from, to, subject) to force the SMTP gateway to pull down additional code that contains the Shellshock attack.

Since the beginning of 2014 the IT world has been rocked by more than a few major breaches. The number of credit cards and user information now up for sale is staggering. So how have these attacks managed to get in and make off with so much data so quickly? Of course there are the usual suspects in these cases, weak passwords and users downloading malware on their systems that allow a potential attacker into their system.

Black Hat 2014 Las Vegas, NV – Today we had the chance to talk with Karl Sigler, Threat Intelligence Manager at Trustwave who walked us through the latest version of Backoff. For those of you that do not know Backoff is a new threat that targets POS systems through remote desktop or other remote access systems. The vector of attack is very simple, port scan for common RDP ports, perform a basic dictionary attack on any systems found, deposit the malware and cash in on the credit card information that flows through.

One of the biggest issues in security is not the number of bad guys out there or the number of zero day exploits that exist in the wild. Sadly it is that far too many companies and people do not update their devices and software. Now I know that it is a pain to run updates on every device you own, but in most cases these updates are important. This is the case we find with the recent brouhaha over a version of cryptolocker (SynoLocker) that appears to target Synology NAS devices with an older (and unpatched) version of Disk Station Manager (DSM).