The Security Skeptic

by Matt Piscitello

Backoff point-of-sale attacks, Disconnect app gets disconnected, SOX gets ignored, celeb cyber scandals, and advances in detecting SMS phishing are on this week’s Top 5 #InfoSec Reads.

Backoff Sinkhole Reveals Sorry Point-Of-Sale Security

Kaspersky Labs believes that the number of point-of-sale terminals in the United states that are infected with Backoff malware infection count could over a thousand. This estimate is based on their analysis of sinkholed C&C servers that Kaspersky estimates represents 5% of the command infrastructure. Backoff is one of several malware that have recently targeted point-of-sale terminals and these have raised awareness of how poorly secured measures and vulnerable these terminals are. Why does it feel like all the innovation appears to be on the lawless side of the fence?

Why Google Banned a Privacy Tool Called ‘Disconnect Mobile’ From the Android App Store

Google took down an app that monitors other apps on Android phones and prevents them from collecting data. Google policies prohibit one app from interfering with another, and the founders of Disconnect believe Google mistook the app as an ad-blocker. Disconnect claims its app protects from invisible tracking and malware and notes that Apple allows the iPhone version in its store. Ad-block apps are generally used to avoid annoying spam, but ads are a driving force of cyber economics. They’re also one of the easiest malware-delivery-systems, as they can be tailored to guarantee clicks. Innovations that work against malware are too few to be suppressed. Fortunately for users, the Google Play store isn’t the only place (or way) to download Disconnect.

Why Are Security Pros Blasé About Compliance?

Despite its helpful guidelines in addressing insider threats, and despite its being federal law, most IT and security professionals are not compliant with the SOX act (Sarbanes-Oxley). If technology is the first defense against cyber-attack then government security regulations are the rulebooks. It’s no wonder companies like Target and other retailers were breached if they weren’t even meeting minimum security requirements from the regs, and it’s no wonder that 2014 has been baby-town frolic for anyone with a malware toolkit.

FBI and Apple investigate nude celebrity photo hack

For the scant few who sequester themselves to information security news only, a few prominent female celebrities had risqué photos stolen and revealed to the public. This variety of cybercrime is visited on women of all ages regularly, but, no surprise, this case got the notice of the FBI. Jeremiah Grossman’s written a great set of security tips for celebs who weren’t victimized by “selfie-gate”

Security rEsrchRs find nu way 2 spot TXT spam

Was that difficult to read? Researchers from Symantec have written an academic paper to demonstrate that using lexical variants (variations of how humans spell, abbreviate, shorthand…) is a potentially useful way to seed out SMS spam from real text messages with low false positive rates. The academic paper is available at Cornell University Library.

by Matt Piscitello

Buggy ransomware, more China hacking, innovation in Android security, social media acceptable use, and a lesson in phishing URL composition are this week's top infosec reads.

ZeroLocker – a new destructive encrypting ransomware

Hot on the heels of newGOZ is ZeroLocker, the latest incarnation of cryptolocker. This nasty variant will infect and encrypt personal data on your C: \. To make matters worse, ZeroLocker’s developers made a particularly devastating bungle that can leave you without a decryption key, regardless of whether you pay the ransom (which can be paid in bitcoin!). While ZeroLocker has disastrous implications, we should focus on the insights that this design snafu offers us. Popular media often paints hackers as hyper-intelligent, sometimes megalomaniac, masterminds of the web, able to outsmart their law enforcement antagonists at every turn. Events like this present security experts with yet another example to debunk that misconception.

China may be targeting medical firms for IP data

A state-sponsored Chinese group may be attacking medical and pharmaceutical companies for intellectual property. This is the first reported incident of China’s activity with consumer data. According to the article, the healthcare sector is well known for underinvesting in security, which makes it an easy target for criminals that appear to be organized, well funded and sophisticated. Security experts quoted in the aritlcle point out that that China is unlikely to be the only country operating like this (cyber criminals concerned with personal information usually originate in Eastern Europe), that SMBs have no real way to stop state-funded cyber-attacks through conventional means, and that less democratic countries engage in this kind cyber espionage to protect their country’s corporations.

CISO’s offered new way to secure Android devices

North Carolina State University and Germany’s Darmstadt Technical University have developed the Android Security Modules (ASM), a software that creates a way for developers to “plug-in” security features to make the Android market safer for users. Researchers say it will be a small effort to keep the ASM updated alongside the Android OS changes, and could make Android a viable option for BYOD projects. The only hitch is that Google needs to get on board. ASM also faces the uphill task of making over Android’s reputation for poor security. ASM has stiff competition with existing BYOD products, and people can be insufferably resistant to changes when it comes to security, regardless of how innovative and promising the changes are. Consultants speculate that while ASM may not see immediate integration with the current Android model, there’s hope that it will find its niche in the future.

21 Must Haves in Your Social Media Policy

This list is chiefly concerned with acceptable use for professional social media, and most of these guidelines are good practice and etiquette for personal accounts as well. Recommendation 11, however applies universally:  “Google has a long memory. Be smart about what you post.” The article also points at the lack of clear laws relating to social media use, leaving grey areas for employees, employers, or individuals to interpret. In addition to the consequences listed in the article, there are other ramifications that may not immediately be apparent.  Social media companies are also big data collectors or companies that monetize private information, so it’s no stretch to imagine that future employers include social media activity in a background check. Check out The Security Skeptic’s STH blog post for more social media AUP insights.

Is It a Phish? Common Deceptions in Phishing URL composition

Visual deception remains an important weapon in a phisher’s arsenal. In this Security Skeptic post, Dave uses data from the APWG’s eCrime eXchange to illustrate the many ways that phishers attempt to convince recipients that the hyperlinks they “see” are legitimate. Sleight of hand? You bet.