The days of feeling secure by simply performing packet inspection at your network edge are long past. These SPI (stateful packet inspection) devices or firewalls were the first generation of network security that many of us first experienced in the late 1990s. In the first half of that decade, we also saw a parallel rise of devices and/or applications that performed more complicated duties such as IDS and IPS (intrusion detection and intrusion prevention). In the last six to ten years, those threat detection and remediation duties have now been rolled into DPI (deep packet inspection) devices that offer UTM (unified threat management) for your networks in a single device. These very powerful firewalls are now fast and capable enough to inspect all seven layers of network traffic to block threats of all types at the network perimeter.
Upgrade Your Front Door
Today every network connects to the Internet, and every network needs good perimeter defenses; this is, in effect, the lock on the front door. Firewalls serve as the first layer of your defense system and stand between you and the outside world of the Internet. For many years, firewalls simply performed SPI. This means that each data packet’s header is examined to verify its validity. Unfortunately, this is roughly akin to asking people at the airport if they are carrying a weapon and then taking them on their word. Trust but verify. These limited SPI capabilities are what you see in the $49 SPI firewalls or integrated in your cable or DSL modems, though some wireless routers improve upon this basic functionality.
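To make the header-only versus content-inspection distinction concrete, here is an added example (not code from the original post): a toy SPI filter that admits inbound packets only when they answer a flow an inside host opened, beside a DPI variant that also scans the payload. The addresses, ports and the detection signature (the text marker of the EICAR test file) are constructed for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class SpiFirewall:
    """Stateful packet inspection: decisions use headers and a flow table only."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix   # constructed: which addresses are "inside"
        self.flows: set[tuple] = set()

    def inspect(self, pkt: Packet) -> str:
        if pkt.src.startswith(self.inside_prefix):      # outbound: remember the flow
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.flows else "drop"   # inbound: only replies


class DpiFirewall(SpiFirewall):
    """Deep packet inspection: same state table, plus a look at the payload."""

    SIGNATURES = (re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),)  # constructed signature

    def inspect(self, pkt: Packet) -> str:
        verdict = super().inspect(pkt)
        if verdict == "allow" and any(s.search(pkt.payload) for s in self.SIGNATURES):
            return "drop"   # valid header, but the content matched a known-bad pattern
        return verdict


def run_scenario(firewall_cls) -> list[str]:
    """Constructed traffic: an inside client fetches a page, receives a clean reply,
    then a reply carrying the test marker, then an unsolicited inbound probe."""
    fw = firewall_cls(inside_prefix="10.0.")
    traffic = [
        Packet("10.0.0.5", 40000, "203.0.113.9", 80, b"GET / HTTP/1.1\r\n\r\n"),
        Packet("203.0.113.9", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n\r\n<html>ok</html>"),
        Packet("203.0.113.9", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n\r\nEICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
        Packet("198.51.100.7", 4444, "10.0.0.5", 22, b"SSH-2.0-probe"),
    ]
    return [fw.inspect(p) for p in traffic]


if __name__ == "__main__":
    print("SPI:", run_scenario(SpiFirewall))   # third packet passes on its header alone
    print("DPI:", run_scenario(DpiFirewall))   # third packet dropped on its content
```

The SPI filter accepts the third packet because its header matches an established flow; only the DPI filter, which reads the payload, rejects it.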
Microsoft said yesterday (3/24/14) that users of Word 2010 (and, to some extent, other versions) are under active attack “in the wild” (that is, in real life). A temporary “fix” is available; see the linked article for more details.
Attackers used phishing and zero-days to infect Windows, Mac, and Linux users.
by Dan Goodin – Feb 10 2014, 2:33pm MST
Calling it the most sophisticated malware-driven espionage campaign ever discovered, researchers said they have uncovered an attack dating back to at least 2007 that infected computers running the Windows, OS X, and Linux operating systems of 380 victims in 31 countries.
The “Mask” campaign, which gets its name from a string of text found in one of the malware samples, includes a variety of components used to siphon encryption keys, key strokes, Skype conversations, and other types of sensitive data off infected computers. There is also evidence that the Spanish-speaking attackers had malware that ran on devices running both Apple’s iOS and Google’s Android mobile operating systems. Victims include government agencies, embassies, research institutions, private equity firms, activists, energy companies, and companies in other industries. The sophistication of Mask makes it likely that the campaign is the work of attackers sponsored by a well-resourced nation-state, said researchers from Kaspersky Lab, the Moscow-based security company that discovered it.
Mask—or “Careto” as its Spanish slang translation appears in source code analyzed by Kaspersky—joins a pantheon of other state-sponsored malware campaigns with names including Stuxnet, Flame, Duqu, Red October, Icefog, and Gauss. Unlike more opportunistic crimeware campaigns that generate revenue by targeting anyone with an Internet-connected computer, these “advanced persistent threats” (APTs) are much more determined. They’re tailored threats that are aimed at specific people or organizations who possess unique data or capabilities with strategic national or business value.
“With Careto, we describe yet another sophisticated cyberespionage operation that has been going on undiscovered for more than five years,” Kaspersky Lab researchers wrote in a detailed analysis published Monday. “In terms of sophisticated, we put Careto above Duqu, Gauss, RedOctober, or Icefog, making it one of the most complex APTs we observed.”
The attackers relied on highly targeted spear phishing e-mails to lure targeted individuals to malicious websites. In some cases, attackers impersonated well-known websites, such as those operated by The Guardian and The Washington Post. One of the exploits recently used by the attackers targeted CVE-2012-0773, a highly critical vulnerability in Adobe’s Flash Player that made it possible to bypass the sandbox security protection Google Chrome and other browsers rely on to prevent websites from executing malicious code on end-user computers.
“What makes ‘The Mask’ special is the complexity of the toolset used by the attackers,” the Kaspersky analysis stated. “This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions, and possibly versions of Android and iPad/iPhone (Apple iOS).”
Kaspersky researchers first stumbled onto Mask after noticing that it exploited a vulnerability in older versions of Kaspersky antivirus products to hide itself. The vulnerability has been patched for an unspecified amount of time, but attackers were exploiting the vulnerability on machines that continued to run older versions of the Kaspersky software.
Like Stuxnet and many other pieces of malware used in the last five years, Mask code was digitally signed, in this case with a valid certificate issued to a fake company called TecSystem Ltd. Such digital credentials are designed to bypass warnings delivered by Windows and other operating systems before executing programs that haven’t been vouched for by credentials issued by a recognized certificate authority. The malware uses encrypted HTTP or HTTPS channels when communicating with command and control servers.
Researchers were able to take control of some of the domain names or IP addresses hosting the control servers that Mask-infected computers reported to. In all, the researchers observed 1,000 separate IP addresses in 31 countries connect. They also found traces of 380 different victim identifiers designated by the Mask naming convention. The Mask campaign was abruptly shut down last week within hours of being revealed in a short blog post.
“For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on,” the Kaspersky analysis noted. “This is not very common in APT operations, putting the Mask into the ‘elite’ APT groups section.”
Post updated to add “slang” to the third paragraph.
Source: ars technica
You probably haven’t heard of HD Moore, but up to a few weeks ago every Internet device in the world, perhaps including some in your own home, was contacted roughly three times a day by a stack of computers that sit overheating his spare room. “I have a lot of cooling equipment to make sure my house doesn’t catch on fire,” says Moore, who leads research at computer security company Rapid7. In February last year he decided to carry out a personal census of every device on the Internet as a hobby. “This is not my day job; it’s what I do for fun,” he says.
Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.