Computer Security Updates Week 1 of Sep 2013

Refer to Computer Security Updates Week 5 of Aug 2013; the biggest news there was Yahoo's report that China was to probe big IT firms after the Snowden leaks.

Here is the biggest news for this week.
  • Kaspersky: NetTraveler is back with new tricks.
  • USA Today: NSA uses supercomputers to crack Web encryption, files show.
  • Symantec: G20 Summit used as bait to deliver Backdoor.Darkmoon.
  • Symantec: Cynical spammers exploit deepening Syria crisis.
  • Fortinet Blog: Implementing Wireless Security.
  • Reuters: New York Times, Twitter hacked by Syrian group.
  • Eset Blog: Mobile banking apps pose “serious” safety risks, financial watchdog warns.
  • HP helps enterprises accelerate software security assessment, assurance and protection.
  • Yahoo News: Facebook says no to Putrajaya’s request for details on 197 users.
  • Trend Micro's 'Trend Ready' Cloud Security Verification Program gains momentum.

Sep 5, 2013 - NetTraveler is back with new tricks

Kaspersky Lab researchers today announced a new attack vector of NetTraveler (also known as ‘Travnet’ or “Netfile”), an advanced persistent threat that has already infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

Immediately after the public exposure of the NetTraveler operations in June 2013, the attackers shut down all known command and control systems and moved them to new servers in China, Hong Kong and Taiwan. They also continued the attacks unhindered, as the current case shows.

Over the last few days, several spear-phishing e-mails were sent to multiple Uyghur activists. The Java exploit used to distribute this new variant of the Red Star APT, although patched by Oracle in June 2013, has a higher success rate than the Office exploits used previously.

“So far, we haven’t observed the use of zero-day vulnerabilities with the NetTraveler group. To defend against those, although patches don’t help, technologies such as Automatic Exploit Prevention and DefaultDeny can be quite effective in fighting advanced persistent threats”, says Costin Raiu, Director of Global Research & Analysis Team at Kaspersky Lab.

Get more details.

USA Today - Sep 6, 2013 - NSA uses supercomputers to crack Web encryption, files show

USA Today reported that documents leaked by Edward Snowden suggest that the NSA, alongside Britain's GCHQ, has cracked Internet encryption standards that were created to provide online privacy.

Attempts were made to compromise encryption standards such as SSL and VPNs, including those protecting smartphones and tablets.

The operation was allegedly code-named Bullrun.

The report also stated that attempts were made to compromise the encrypted traffic of the 'big four' providers: Google, Yahoo, Facebook and Microsoft's Hotmail.

These findings contradict the PRISM accounts, which allegedly had the 'big four' collaborating with government agencies.

Get more details.

Sep 5, 2013 - G20 Summit Used as Bait to Deliver Backdoor.Darkmoon

Ahead of this week's G20 summit in Saint Petersburg, Russia, Symantec discovered that attackers are leveraging the meeting's visibility as bait in targeted attacks.

One particular campaign that Symantec has identified is targeting multiple groups, including financial institutions, financial services companies, government organizations, and organizations involved in economic development. The email purports to be sent on behalf of a G20 representative. Attached to the email is a RAR archive file; when it is opened, the victim is shown a non-malicious decoy document. What is interesting about these documents is that each of them has track changes enabled and contains the reported comments from the UK called out in the original e-mail.

The malicious executable that runs in the background is known as Poison Ivy. Symantec detects this executable as Backdoor.Darkmoon. Backdoor.Darkmoon is a well-known remote access Trojan (RAT) that has been used in various targeted attack campaigns over the years, including The Nitro Attacks which Symantec reported on in 2011.

Get more details.

Aug 30, 2013 - Cynical Spammers Exploit Deepening Syria Crisis

As the international community coordinates its response to the deepening crisis in Syria, scammers have once again demonstrated their skill at using current, high-profile events to their advantage.

Symantec Security Response has recently identified a scam message that claimed to be from The Red Cross. The message explains how the conflict is creating a humanitarian crisis and urges people to support The Red Cross and The Red Crescent.

Curiously, the email includes a link to the actual British Red Cross website, but urges that donations over £500 ($775 USD) be sent through the MoneyGram or Western Union money transfer services. The British Red Cross does currently have an appeal for donations for victims of the conflict in Syria, but it does not use these payment services.

Anyone considering supporting charities should be cautious and make sure that they are using the charity’s official website.

Symantec has also seen other scams claiming to be from people in Syria, looking for help in moving money out of the country, ostensibly to protect their wealth or to start up a business. These scams promise a share of the sender's vast fortune and use the seriousness of the situation to try to solicit a prompt reply.

Get more details.

Fortinet Blog - Aug 29, 2013 - Implementing Wireless Security

Fortinet Blog detailed a few basic best practices for implementing wireless security.

1.) Use strong and robust passwords.

2.) Change the default Service Set Identifier (SSID) on the router or access point (AP) to something that doesn’t provide any clues to the company’s name or location.

3.) Implement a device management solution to control which device can do what.

4.) Implement additional security fundamentals such as Web filtering, anti-spam, application control, anti-virus, Intrusion Prevention System (IPS), data loss prevention (DLP) and VoIP support.

Get more details.
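Points 1 to 3 above can be checked mechanically on the access point itself. The following is an added example, not code from the Fortinet post: it parses a hostapd-style configuration and flags open or WEP authentication, a weak WPA2 passphrase, an SSID that names the organisation or is a vendor default, and the absence of a device allow-list. The two configurations, the organisation keywords and the MAC ACL file path are constructed for illustration; the option names are real hostapd keys. Point 4 (Web filtering, IPS, DLP and so on) lives on the firewall, not the AP, and is outside this check.

```python
"""Audit a hostapd-style access-point configuration against the basic
wireless hardening points above (added example, not Fortinet's code)."""
import re

# Constructed: a typical out-of-the-box configuration (WEP, telling SSID, no ACL).
WEAK_CONFIG = """
interface=wlan0
ssid=AcmeCorp-Office
auth_algs=3
wep_default_key=0
wep_key0=123456789A
wpa=0
macaddr_acl=0
"""

# Constructed: the same AP after applying points 1 to 3.
HARDENED_CONFIG = """
interface=wlan0
ssid=bluewhale-7f3a
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-9f2K
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

# Assumed: strings that would reveal the organisation behind the AP, plus
# common vendor default SSIDs.
ORG_KEYWORDS = ("acme", "acmecorp")
DEFAULT_SSIDS = ("default", "linksys", "netgear", "dlink", "tp-link", "wireless")


def parse_hostapd(text):
    """Parse key=value lines into a dict; comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means the config passes."""
    findings = []

    # Point 1: strong credentials, which first of all means WPA2 rather than
    # open (auth_algs=1 with wpa=0) or WEP (wep_key*, auth_algs=2/3).
    wpa = conf.get("wpa", "0")
    if wpa == "0" or "wep_key0" in conf or conf.get("auth_algs") in ("2", "3"):
        findings.append("no WPA2: open or WEP authentication in use")
    if wpa == "1":
        findings.append("WPA1 enabled; use wpa=2 only")
    if "WPA-PSK" in conf.get("wpa_key_mgmt", ""):
        pw = conf.get("wpa_passphrase", "")
        if len(pw) < 20 or not re.search(r"[^a-zA-Z]", pw):
            findings.append("weak wpa_passphrase (short or letters only)")
    if "TKIP" in conf.get("rsn_pairwise", "") + conf.get("wpa_pairwise", ""):
        findings.append("TKIP allowed; use CCMP only")

    # Point 2: the SSID must not reveal a vendor default or the organisation.
    ssid = conf.get("ssid", "").lower()
    if any(k in ssid for k in ORG_KEYWORDS) or ssid in DEFAULT_SSIDS:
        findings.append(f"ssid '{conf.get('ssid')}' reveals vendor or organisation")

    # Point 3: device control; at minimum a MAC allow-list (macaddr_acl=1).
    if conf.get("macaddr_acl", "0") == "0":
        findings.append("macaddr_acl=0: any device may associate")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_hostapd(text)) or "OK")
```

A MAC allow-list is only the floor for point 3; it stops casual association but not a spoofed address, so an enterprise AP should move to WPA2-Enterprise (`wpa_key_mgmt=WPA-EAP`) with per-device certificates and a proper device management system behind it.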

Reuters - Aug 28, 2013 - New York Times, Twitter hacked by Syrian group

Reuters reported that the Syrian Electronic Army (SEA) claimed credit for the New York Times, Twitter and Huffington Post hacks in a series of Twitter messages.

Obviously politically driven, the attack disrupted the websites by redirecting users to other servers that produced no output.

CloudFlare published an article that gave us insight into how the incident unfolded; great job.

In a nutshell, here are a few key points to note:

  • The registrar account for NYTimes.com was hacked, changing its name servers at the registry to ns5.boxsecured.com and ns6.boxsecured.com. The correct name servers are DNS.EWR1.NYTIMES.COM and DNS.SEA1.NYTIMES.COM.
  • Verisign, the .com registry, rolled back the name-server changes and added a so-called registry lock to NYTimes.com.
  • The registrar of the primary domain the Syrian Electronic Army was using as a name server for the hacked domains revoked that domain's registration the same afternoon.
  • This was a very spooky attack: MelbourneIT is known for having higher security than most registrars.
  • An e-mail obtained by Matthew Keys, an independent journalist, indicates that the hackers used a MelbourneIT domain reseller account as part of the attack.
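The two controls in the list above, watching the name servers recorded at the registry and holding a registry lock, can be monitored from the outside. The following is an added example, not part of the Reuters or CloudFlare write-ups: it parses whois-style output, compares the name servers against the expected set and checks for the EPP status codes that a registry lock sets (serverUpdateProhibited, serverDeleteProhibited, serverTransferProhibited, which only the registry can clear). The two whois records are constructed to mirror the NYTimes.com incident; a real deployment would feed it the output of `whois nytimes.com` (or the registry's RDAP data) on a schedule.

```python
"""Detect a registrar-level hijack of the kind described above: name servers
changed at the registry, and no registry lock in place (added example)."""

# EPP status codes set by a registry lock. A compromised registrar or reseller
# account can only change client* statuses, not these.
REGISTRY_LOCK_STATUSES = {
    "serverupdateprohibited",
    "serverdeleteprohibited",
    "servertransferprohibited",
}

# Expected authoritative name servers, from the write-up above.
EXPECTED_NS = {"dns.ewr1.nytimes.com", "dns.sea1.nytimes.com"}

# Constructed: what the whois record looked like while the hijack was live.
# Field names follow the .com whois layout; the record itself is illustrative.
WHOIS_HIJACKED = """\
   Domain Name: NYTIMES.COM
   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
   Name Server: NS5.BOXSECURED.COM
   Name Server: NS6.BOXSECURED.COM
   Status: clientTransferProhibited
"""

# Constructed: after Verisign's rollback and registry lock.
WHOIS_RESTORED = """\
   Domain Name: NYTIMES.COM
   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
   Name Server: DNS.EWR1.NYTIMES.COM
   Name Server: DNS.SEA1.NYTIMES.COM
   Status: clientTransferProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited
"""


def parse_whois(text):
    """Collect name servers and status codes from 'Key: Value' whois lines."""
    ns, statuses = set(), set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server" and value:
            ns.add(value.lower().rstrip("."))
        elif key in ("status", "domain status") and value:
            # Some registries append a URL after the code; keep the code only.
            statuses.add(value.split()[0].lower())
    return ns, statuses


def check_domain(text, expected_ns=EXPECTED_NS):
    """Return a dict of alerts; an empty dict means no NS drift and locked."""
    ns, statuses = parse_whois(text)
    alerts = {}
    unexpected = ns - expected_ns
    missing = expected_ns - ns
    if unexpected or missing:
        alerts["ns_drift"] = {"unexpected": sorted(unexpected),
                              "missing": sorted(missing)}
    if not REGISTRY_LOCK_STATUSES <= statuses:
        alerts["no_registry_lock"] = sorted(REGISTRY_LOCK_STATUSES - statuses)
    return alerts


if __name__ == "__main__":
    print("during hijack:", check_domain(WHOIS_HIJACKED))
    print("after rollback:", check_domain(WHOIS_RESTORED))
```

Any `ns_drift` alert on a production domain is an incident, not a ticket: the registrar account (or a reseller account above it, as in this case) should be assumed compromised, and recovery goes through the registry, as it did here. A `no_registry_lock` alert is the cheaper fix, since the lock is something you ask the registrar to arrange with the registry before an attack, not after.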

Get more details.

Eset Blog - Aug 28, 2013 - Mobile banking apps pose “serious” safety risks, financial watchdog warns

According to a post on the Eset Blog, the Financial Conduct Authority, a British watchdog, is to conduct a study of the risks posed by banking apps.

Apps are the way of mobile computing. They not only simplify tasks; most also have access to low-level resources such as disk storage and take part in many behind-the-scenes security and authentication processes.

Hence, mobile app security is something the whole industry must pay attention to.

Get more details.

Aug 28, 2013 - HP Helps Enterprises Accelerate Software Security Assessment, Assurance and Protection

HP today announced HP Fortify Static Code Analyzer (SCA) 4.0, delivering a new approach that enables organizations to assess the security of software up to 10 times faster than previous versions of the solution through more accurate and parallelized static application security testing.

It is marketed as a tool for software security testing.

The explosive growth in new cloud and mobile technologies has significantly increased the demand for new software development. This in turn has put a strain on many organizations’ ability to do thorough security testing prior to application deployment. As a result, secure development practices have declined, decreasing the effectiveness of software vulnerability discovery.

Some time ago, certain quarters were calling for software vendors to take responsibility for security vulnerabilities in their software, including bearing the damage costs rather than just supplying patches and apologizing.

Get more details.

Yahoo News - Aug 28, 2013 - Facebook says no to Putrajaya’s request for details on 197 users

Yahoo News reported that Facebook had rejected all 7 requests from Putrajaya for information on 197 users, according to the Global Government Requests report published by Facebook itself.

The report's illustration shows the Malaysian government making the most requests compared with other ASEAN countries such as Singapore, Thailand, the Philippines and Cambodia.

Get more details.

CUPERTINO, Calif. and SAN FRANCISCO, Aug. 27, 2013 - Trend Micro's 'Trend Ready' Cloud Security Verification Program Gains Momentum

Trend Micro's "Trend Ready for Cloud Service Providers" program was established in 2012 as a testing ground to verify the compatibility of Trend Micro's security solutions with well-known global cloud providers.

The "Trend Ready" designation indicates that the installation, activation and functionality of Trend Micro solutions will operate seamlessly within each cloud provider's ecosystem. By participating in the program, cloud service providers confirm to their customers that their cloud infrastructure will work with Trend Micro security products.

Get more details.
