Google Aims at Phishing with Password Alert

April 29, 2015 – 7:40 PM

Phishing pages are tricky by nature: they look like standard login pages, but are actually faux sites run by people looking to receive and steal passwords. Google is taking steps to thwart this common and dangerous trap with its Password Alert service.

Password Alert is an open-source Chrome extension that protects Google Accounts and Google Apps for Work accounts. Once it is installed, it shows a warning if a user types her Google password into a site that isn’t a Google sign-in page. The idea is to protect users from phishing attacks and also to encourage web denizens to use different passwords for different sites, a security best practice.

“The most effective phishing attacks can succeed 45% of the time, nearly 2% of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day,” said Drew Hintz, security engineer and Justin Kosslyn from Google Ideas, in a blog post.

For consumer accounts, once Password Alert is installed and initialized, Chrome will remember a “scrambled” version of the Google Account password. If a user then types that password into a site that isn’t a Google sign-in page, an alert pops up warning that the user may be at risk of being phished.


New fileless malware found in the wild

April 21, 2015 – 5:24 AM

Since the discovery of the Poweliks fileless Trojan in August 2014, researchers have been expecting other similar malware to pop up.

The wait is over: Phasebot malware, which also has fileless infection as part of its routine, is being sold online.

“Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in target computer’s hard drive,” Trend Micro Threat Response Engineer Michael Marcos explains.

Phasebot seems to be a direct successor of Solarbot.

Its detection evasion tactics include rootkit capabilities, encryption of communications with its C&C server using random passwords, and virtual machine detection.

“Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs,” Marcos shared.

The malware also sports an external module loader, which allows it to add and remove functionalities on the infected computer.


Researchers identify attack technique, all Windows versions at risk

April 13, 2015 – 6:27 PM

Researchers with Cylance have identified a new attack technique – built on a vulnerability identified nearly 20 years ago by Aaron Spangler – that can enable the theft of user credentials from PCs, tablets and servers running any version of Windows, according to a Monday post by Cylance.

The “Redirect to SMB” technique involves intercepting HTTP requests – which are used by many software products and can be intercepted via man-in-the-middle (MitM) attacks – and redirecting victims to a malicious Server Message Block (SMB) server, a Carnegie Mellon University CERT advisory indicated.

“If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server,” the advisory said.

Cylance identified 31 exploitable software packages, among them Adobe Reader, Apple QuickTime, Apple Software Update, Internet Explorer, Windows Media Player, Excel 2010, Symantec’s Norton Security Scan, BitDefender Free, and Comodo Antivirus, according to the post.

The information that is stolen in the attack includes the victim’s username, domain and hashed password, the post stated.


No Backdoors in Truecrypt, Finds Code Review

April 7, 2015 – 8:51 AM

A long-awaited code review of encryption service Truecrypt has finally been completed, with the good news being that there are no deliberate backdoors in the “relatively well-designed” piece of software.

Cryptographic expert Matthew Green revealed the news in a blog post last week, claiming that the NCC Crypto Services group had found “no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.”

He continued:

“That doesn’t mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming — leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we’d like it to.”

One major issue relates to the Windows version of Truecrypt’s random number generator (RNG), responsible for generating the all-important encryption keys.

A malfunctioning API in the software might fail to initialize and continue to generate keys even when it should stop, warned Green.

Another issue found by the auditors apparently relates to Truecrypt’s AES code and its ability to resist cache timing attacks.

The review means the crypto platform, abruptly abandoned last year, could be used to create new forked versions in the future.

Shortly after the original service was taken offline by its anonymous developers – who claimed it “may contain unfixed security issues” – a new group based in Switzerland said it would be co-ordinating efforts to make existing versions of the product available again and eventually to fork the code for future development.

“Truecrypt is a really unique piece of software. The loss of Truecrypt’s developers is keenly felt by a number of people who rely on full disk encryption to protect their data,” concluded Green.

“With luck, the code will be carried on by others. We’re hopeful that this review will provide some additional confidence in the code they’re starting with.”


New crypto-ransomware “quarantines” files, downloads info-stealer

April 7, 2015 – 8:46 AM

Trend Micro researchers have found and analyzed a new piece of crypto-ransomware: CryptVault encrypts files, makes them look like files quarantined by an AV solution, asks for ransom and, finally, downloads info-stealer malware.

It arrives on target computers after the user has been tricked into downloading and running a malicious attachment – a JavaScript file – that downloads four files: the ransomware itself, SDelete (a Microsoft Sysinternals tool that will be used to delete files), GnuPG (a legitimate open-source encryption tool), and a GnuPG library file.

The ransomware uses GnuPG to create an RSA-1024 public and private key pair that is used to encrypt and decrypt the files. It targets popular file types, mostly document, image, and database files.

“After encryption, the malware will change all associated *.vault file extensions to padlock icons. Each ‘locked’ and encrypted file will display a ransom note when opened,” Threat Response Engineer Michael Marcos explains.