Timthumb WordPress Hack

Many of the themes used with WordPress sites (the content management system in use on this web site) have used a popular image re-sizing script called Timthumb (http://www.binarymoon.co.uk/projects/timthumb/).

This script is used by hundreds of thousands of sites and is quite popular in the WordPress theming community. It was discovered last month that a vulnerability existed within certain versions of the script (http://code.google.com/p/timthumb/issues/detail?id=212). If you are using a WordPress theme with your mobile WordPress web site then it is highly likely that the Timthumb WordPress Hack can be exploited on your site (depending on when you last updated your theme). The author of the Timthumb script has provided a fix that you should apply to your site now.
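Because themes bundle their own copy of the script, a site can carry several Timthumb files at different versions, and the theme updater will not touch copies that were dropped in by hand. The following Python helper is an added example for this page, not code from the original post or from the Timthumb project: it walks a WordPress install, lists every Timthumb copy and reports the version string found inside it, so you can see which themes still need the author's fix. The name of the version constant differs between Timthumb releases, so the match is deliberately loose (an assumption), and the small theme tree the demo builds is constructed, with illustrative version numbers.

```python
import os
import re
import tempfile

# Filenames under which the script is usually shipped inside themes.
CANDIDATE_NAMES = {"timthumb.php", "thumb.php"}

# Loose match for the version string; the constant name varies between
# releases (e.g. VERSION or timthumb_version), so this is a heuristic.
VERSION_RE = re.compile(r"""(?i)(VERSION|timthumb_version)\W+['"]?([\d.]+)""")


def find_timthumb_copies(root):
    """Return [(path, version_or_None)] for every Timthumb copy under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in CANDIDATE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                text = fh.read()
            if "timthumb" not in text.lower():
                continue  # same filename, but not this script
            match = VERSION_RE.search(text)
            found.append((path, match.group(2) if match else None))
    return found


def build_sample_install(root):
    """Write a constructed mini WordPress theme tree for the demo (not a real site)."""
    lib = os.path.join(root, "wp-content", "themes", "sample-theme", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "timthumb.php"), "w") as fh:
        fh.write("<?php\n// TimThumb script\ndefine ('VERSION', '2.8.14');\n")
    old = os.path.join(root, "wp-content", "themes", "old-theme")
    os.makedirs(old)
    with open(os.path.join(old, "thumb.php"), "w") as fh:
        fh.write('<?php\n/* timthumb resizer */\n$timthumb_version = "1.19";\n')
    with open(os.path.join(old, "unrelated.php"), "w") as fh:
        fh.write("<?php echo 'not a resizer';\n")


def scan_sample():
    """Build the constructed tree, scan it and return the versions found, sorted."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        return sorted(version for _path, version in find_timthumb_copies(root))


if __name__ == "__main__":
    for path, version in find_timthumb_copies("."):
        print(f"{path}: version {version or 'unknown'}")
```

Run it from the WordPress document root; compare each reported version against the fixed release announced by the Timthumb author, and treat copies with no readable version as needing replacement.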


It’s Not Personal

Most hacked sites are just black hat SEO scam artists trying to increase their own site ranking for whatever purposes. It’s not personal, so don’t panic if you find you have been hacked: they are not out to get you in particular.

Sites being hacked have always been a problem; if yours has never been hacked then consider yourself lucky. You have to do your best to make sure this kind of thing doesn’t happen, but it still can.

Android SpyEye Spitmo Discovered

It was going to happen sooner or later…

Trusteer reports that an Android variant of Spitmo (SpyEye for mobile) has been discovered.

[Image: DroidOS/Spitmo]


New Android Riskware

We have just encountered a number of Android riskware applications that target subscribers in the China region.

The suspect applications cover a variety of topics, including horoscopes, farm and pet games/info and the Chinese calendar, to name a few. Below is a screenshot of the permissions requested by one of these applications:

[Image: permissions requested by the riskware (riskware_android_mobiletx_a_permissions)]


Are You Monitoring Your Business’s Google Place?

Running a small business can be a difficult job (particularly in today’s economic climate). Competition can be very cut-throat … and dirty tricks are sometimes played by the unethical.

For example: In 2003, Saad Echouafni, owner of Orbit Communications (a satellite television reseller), paid for an Ohio botmaster (Richard Roby) to DDoS the websites of two competitors. In 2005, Roby, the botmaster, was convicted of computer crimes in US federal court. Investigation into Roby’s crimes revealed a link to Echouafni and a co-conspirator (Paul Ashley) who also pleaded guilty to related crimes in 2005. Echouafni paid bail and fled US jurisdiction.

Reportedly, at the height of the DDoS attacks, Rapid Satellite and WeaKnees were offline for two weeks. It’s quite an interesting tale and you can read more here: Feds bust DDoS ‘Mafia’, by Kevin Poulsen.

Wow, a DDoS Mafia, circa 2003. But what’s the situation in 2011?

Diginotar Hacked by Black.Spook and Iranian Hackers

Diginotar is a Dutch Certificate Authority. They sell SSL certificates.

[Image: Diginotar]

Somehow, somebody managed to get a rogue SSL certificate from them on July 10th, 2011. This certificate was issued for the wildcard domain name *.google.com.

What can you do with such a certificate? Well, you can impersonate Google — assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.

But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com.

We saw a similar attack in May (via Certificate reseller instantssl.it in Italy). That case was tied to Iran. So is this one. It’s likely the Government of Iran is using these techniques to monitor local dissidents.

Iran does not have its own Certificate Authority. If they did, they could just issue rogue certificates themselves. But since they don’t, they need such certificates from a widely trusted CA. Such as Diginotar.
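A rogue certificate from a trusted CA passes ordinary chain validation, which is exactly why it is useful to whoever can reroute traffic. The defence on the client side is to pin the issuer (or key) you expect for a given host instead of trusting any CA in the store. The Python below is an added example for this page, not F-Secure code: it runs the pin check over certificates in the nested-tuple layout that Python's ssl.SSLSocket.getpeercert() returns, so it can be dropped behind a real TLS handshake, but the two certificates and the pin set here are constructed (the issuer names are fictional; nothing is fetched over the network).

```python
# Constructed certificates in the layout returned by ssl.SSLSocket.getpeercert().
# Both carry a valid-looking *.google.com wildcard; only the issuer differs.
ROGUE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
    "issuer": ((("countryName", "NL"),),
               (("organizationName", "Example Rogue CA"),),
               (("commonName", "Example Rogue CA G1"),)),
    "notBefore": "Jul 10 00:00:00 2011 GMT",
    "notAfter": "Jul 10 00:00:00 2013 GMT",
}

EXPECTED_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Expected CA"),),
               (("commonName", "Example Expected CA G2"),)),
    "notBefore": "Jan 01 00:00:00 2011 GMT",
    "notAfter": "Jan 01 00:00:00 2013 GMT",
}

# Pin set: which issuer organisation(s) we accept per hostname (assumed values).
PINNED_ISSUERS = {"mail.google.com": {"Example Expected CA"}}


def rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) into a plain dict."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def hostname_matches(pattern, hostname):
    """Minimal wildcard rule: '*.example.com' covers exactly one extra label."""
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def check_pin(cert, hostname, pins=PINNED_ISSUERS):
    """Return a list of problems; an empty list means the certificate passes."""
    problems = []
    # Prefer SAN DNS entries; fall back to the subject CN for older certs.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [rdn_to_dict(cert["subject"]).get("commonName", "")]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("certificate is not for this hostname")
    expected = pins.get(hostname)
    issuer_org = rdn_to_dict(cert["issuer"]).get("organizationName")
    if expected is not None and issuer_org not in expected:
        problems.append("issuer %r is not in the pin set for %s" % (issuer_org, hostname))
    return problems


if __name__ == "__main__":
    for label, cert in (("rogue", ROGUE_CERT), ("expected", EXPECTED_CERT)):
        print(label, check_pin(cert, "mail.google.com") or "OK")
```

Note that the rogue certificate is rejected purely on issuer, not on name or validity: to the default trust store it would look fine, which is the point of the attack.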


Facebook to Prevent 3rd-party Apps From Seeing Your Information Via Your Friends

On Tuesday of this week, Facebook announced significant changes to their profile controls and sharing options. The rollout of these changes begins today, August 25th. You’ll find an excellent summary of the changes by Jason over on our Safe and Savvy blog.

Meanwhile, we’ve been busy digging into the details and reading between the lines.

And there are lots of details to consider:


Windows XP

Let’s compare the major computer operating systems at the moment. We have Windows XP, Windows Vista and Windows 7. We have various Linux distributions. And we have Mac OS X.

Of these, obviously Windows XP has the weakest security, by far. And Windows XP has the biggest market share, too. Globally, close to half of all computers still run XP. And today, Windows XP is ten years old. Ten years is an eternity in this business. So it’s no wonder XP’s security architecture is not up to date.

As a result, attackers right now would be stupid* to spend their time and money targeting any other operating system. That makes no sense as long as they have this huge, easy, low-hanging fruit. Obviously XP is going away.

And Why Would this Bother Mobile Phone Users?

Ever plugged your phone in to your computer to do a file sync, an update or to transfer files? How about hooking your phone up to your home’s XP Wi-Fi network? Think about it.

As we can see from this chart, Windows 7 will pass XP in the near future and will become the most common operating system.

[Chart: Operating system market shares]

And when XP’s market share drops low enough, attackers need to start looking around. Some will focus on Windows 7. Others will look at OS X, Android, iOS and so on. The attackers have never had it so good. The easiest target is also the most common target. This can’t change quickly enough.

Do a good deed today. Uninstall an installation of XP.

Mobile malware to steal photos from your phone

A good deal of this year’s mobile malware was developed in China. And Chinese mobile malware tends to include stuff such as backdoors, password stealers and spy tools.

Knowing that Chinese malware likes to spy, we’ve been keeping an eye out for various functions, such as photo scraping. Stealing photos from a phone could be used for harassment and blackmail.

We didn’t have to look for long. A member of our Threat Response team just found something interesting in a Symbian malware sample.


Here are our analyst’s notes:

The code of Trojan:SymbOS/Spinilog.A (md5: b346043b4efb1e9834a87dce44d6d433) includes a class named CMyCameraEngine which inherits and implements the Symbian class MCameraObserver. This enables the trojan to receive control when an image has been captured with the camera. Spinilog.A then encodes the raw bitmap to a JPG, which it saves to the phone’s memory. This feature seems to still be unused and possibly incomplete as the constructor of the CMyCameraEngine class is not called in the code. Other data stolen by the trojan is more traditional such as the content and details of SMS and e-mail messages, phone call details and calendar and contact information.

So while this particular backdoor won’t yet steal your photos, it’s clear which direction we’re headed in.

Anonymous Ops Britain and BART

Here’s a new maxim for politicians, policy makers and public administrators: curtail, censor or otherwise limit communications technology in the real-world — expect online reprisals.

Hacker collective Anonymous released a “press release” on Saturday announcing OpBritain, a reaction to UK Prime Minister David Cameron’s suggestions that social media should be restricted in a time of crisis.


And while Anonymous states that actions by rioters were “violent”, they have no love for police authority, and so the enemy of my enemy is my friend. Besides promising online hacks, Anonymous has called for a “rebellion” of peaceful real-world protests on October 15th.


CellTrust’s Sean Moshir Selected to Present at 2011 Cyber Security Training Conference in Colorado Springs

Lecture will Focus on Secure Mobile Messaging and Communication for Government.

SCOTTSDALE, ARIZONA, USA – August 15, 2011 – CellTrust Corporation, the recognized leader in secure mobile messaging (www.celltrust.com), announced today that Sean Moshir, Chief Executive Officer of CellTrust, is speaking on August 18 at the 2011 Cyber Security Training Conference, hosted by the Information Systems Security Association (ISSA), an international not-for-profit organization of information security professionals and practitioners. Moshir will be among speakers including Travis Johnson, Special Agent Cybercrime Division, FBI, and Robert D. Rego, Brigadier General, Special Assistant for Cyber Issues, Air Force Space Command (AFSPC), the Keynote speaker at the event.

Moshir will address mobile vulnerabilities as part of the conference’s Essential Information Assurance track, and he will discuss strategies for secure mobile messaging and communication.

The Cyber Security Training Conference brings together U.S. Department of Defense (DOD), information technology professionals, and industry partners, to share ideas and exchange information on ways to further protect and strengthen the defensive posture of information systems, including briefings and panel discussions focusing on current and proposed Information Assurance policies, strategies and initiatives.

F-Secure / Bellsouth Phishing

We were tipped by an alert user (thanks Walt) about this phishing scam targeting F-Secure and Bellsouth.

The fake email used in the attack looks like this:

Ronnieandhattie:

Dear Bellsouth Account User,

Your e-mail needs to be updated with our released F-Secure
Internet Security 2011 new version of a better resource
webmail spam and viruses. If you have not upgraded your
account, click reply and fill in the columns below to send it
back so we can update our database account immediately.

Failure to update will process your Bellsouth account
being temporarily blocked or suspended from our network and
may not be able to receive or send e-mail due to the update.

Fill the column below:

USERNAME:
PASSWORD:
Phone:

We apologize for the inconvenience, we are here to make it
look better webmail in 2011.

Bellsouth Customer Care!
Case Number: 7650087 Property
Account Security
©2011 Bellsouth All Right Reserved.

Please disregard such obvious phishing emails and delete them. Similar attacks have been targeting other operators and other antivirus companies as well.
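The message above is a textbook credential-harvesting mail: it asks for the password in the body, wants the answer sent by replying, threatens suspension, and is signed as the operator's customer care while coming from an unrelated sender name. Those traits are mechanical enough to score. The Python below is an added example for this page, not F-Secure code or a vendor rule set: the indicator wording is a heuristic chosen for the example, the phishing sample is an abridged re-typing of the mail quoted above with its line breaks restored, and the benign contrast mail is constructed.

```python
import re

# Abridged re-typing of the phishing mail quoted above (line breaks restored).
PHISHING_MAIL = """Dear Bellsouth Account User,

Your e-mail needs to be updated with our released F-Secure
Internet Security 2011 new version of a better resource
webmail spam and viruses. If you have not upgraded your
account, click reply and fill in the columns below to send it
back so we can update our database account immediately.

Failure to update will process your Bellsouth account
being temporarily blocked or suspended from our network and
may not be able to receive or send e-mail due to the update.

Fill the column below:

USERNAME:
PASSWORD:
Phone:

Bellsouth Customer Care!
"""

# Constructed benign notice from the same (fictional) operator, for contrast.
BENIGN_MAIL = """Dear customer,

Your monthly statement is now available. Sign in to your account
portal to view it. We will never ask for your password by e-mail.

Bellsouth Customer Care
"""

# (description, pattern) pairs; these are example heuristics, not a vendor rule set.
INDICATORS = [
    ("asks for your password in the message body",
     re.compile(r"^\s*password\s*:", re.I | re.M)),
    ("asks for your username or account id",
     re.compile(r"^\s*(username|user\s*name|account\s*(id|number))\s*:", re.I | re.M)),
    ("wants the data sent back by replying to the mail",
     re.compile(r"click\s+reply|send\s+it\s+back|reply\s+with", re.I)),
    ("threatens suspension or blocking of the account",
     re.compile(r"suspend|block(ed)?|terminat|failure\s+to", re.I)),
    ("presses for immediate action",
     re.compile(r"immediately|urgent|within\s+\d+\s+(hours|days)", re.I)),
]


def assess_mail(body, sender_name, claimed_org):
    """Return the triggered indicators and a verdict for one message."""
    hits = [desc for desc, pat in INDICATORS if pat.search(body)]
    # A mail signed in the operator's name but sent by an unrelated display
    # name is the classic sender/brand mismatch.
    if claimed_org.lower() not in sender_name.lower():
        hits.append("sender name does not match the organisation it claims to be")
    if len(hits) >= 3:
        verdict = "likely phishing"
    elif hits:
        verdict = "suspicious, verify out of band"
    else:
        verdict = "no strong phishing indicators"
    return {"hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, body, sender in (("phish", PHISHING_MAIL, "Ronnieandhattie"),
                                ("benign", BENIGN_MAIL, "Bellsouth Billing")):
        result = assess_mail(body, sender, "Bellsouth")
        print(label, result["verdict"])
        for hit in result["hits"]:
            print("  -", hit)
```

The thresholds are deliberately simple; in a mail gateway you would weight the credential-field indicators far above the urgency ones, since a real operator notice may well say "immediately" but will never ask for a password by reply.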

On 25/07/11 At 02:06 PM

On Android threats Spyware:Android/SndApps.A and Trojan:Android/SmsSpy.D.

The following is an excellent writeup on a new Android spyware app and trojan (Spyware:Android/SndApps.A and Trojan:Android/SmsSpy.D) that are doing the rounds. The article comes from the fantastic guys and girls over at F-Secure.

Android malware seems to be all the rage at the moment. Here are a few comments on a couple of interesting side issues we’ve been discussing as we’ve seen them crop up during analyses.

First up: there was a recent report on suspicious applications found on the official Android Market. The apps in question have since been taken off the Market, but our threat hunting team still comes across them in forums and other such locations, usually promoted as ‘free apps’.

The applications themselves appear to be straightforward games. At some point however, it looks like additional services were added to the apps.

The earlier versions didn’t ask for anything other than Internet access


Cloned Android Apps: Symbiosis or Parasitic?

There was a recent report of a malicious Android package installation being hosted on a fake “Android Market”-lookalike site, which was pushed to users from an advertisement link. The distribution strategy itself is not new. We saw variations of this happening with Google advertisements 2 years back, though in that case it was rogue or scareware that was being pushed by the advertisements.

What is interesting about this case is Android application repackaging. We’ve seen this tactic being used quite frequently in the last few months, as it seems to be the favored “quick” way for malware authors to produce new Android malware. What’s also interesting is that this seems to be a popular way for developers to produce “new”, clean applications. We’ve been seeing a rash of repackaged applications posted on the official Android Market. (Android apps are written in Java, and so they have a very low threshold for cloning; there are no real barriers to reverse engineering them.)
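Both of the cases above (a game whose later versions gained extra services and permissions, and a clone of a clean app republished with malicious additions) can be triaged the same way: diff the AndroidManifest.xml of the known-good version against the suspect one and look at what was added. The Python below is an added example for this page, not F-Secure code: it assumes the manifests have already been decoded from the APK's binary XML into text (for example with apktool), and the original and clone manifests it parses are constructed samples with fictional package names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest of the original, clean game: Internet access only.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Farm Game">
    <activity android:name="com.example.game.MainActivity"/>
    <activity android:name="com.example.game.ScoreActivity"/>
  </application>
</manifest>
"""

# Constructed manifest of a repackaged clone: same activities, new package
# name, extra permissions and background components bolted on.
CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.freeapps.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Farm Game Free">
    <activity android:name="com.example.game.MainActivity"/>
    <activity android:name="com.example.game.ScoreActivity"/>
    <service android:name="com.freeapps.svc.SyncService"/>
    <receiver android:name="com.freeapps.svc.BootReceiver"/>
  </application>
</manifest>
"""

# Permissions whose sudden appearance in an update deserves a closer look.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
}

COMPONENT_KINDS = ("permissions", "activities", "services", "receivers")


def parse_manifest(xml_text):
    """Extract package name and the named permissions/components from a decoded manifest."""
    root = ET.fromstring(xml_text)

    def names(tag):
        return {el.get(ANDROID_NS + "name") for el in root.iter(tag)
                if el.get(ANDROID_NS + "name")}

    return {
        "package": root.get("package"),
        "permissions": names("uses-permission"),
        "activities": names("activity"),
        "services": names("service"),
        "receivers": names("receiver"),
    }


def diff_manifests(old, new):
    """What the newer manifest declares that the older one did not."""
    return {kind: sorted(new[kind] - old[kind]) for kind in COMPONENT_KINDS}


def repackaging_signals(original, suspect):
    """Heuristic clone check; empty list means nothing suspicious was added."""
    shared = original["activities"] & suspect["activities"]
    if not original["activities"] or len(shared) / len(original["activities"]) < 0.8:
        return []  # does not reuse the original's screens, so not a clone of it
    signals = []
    if suspect["package"] != original["package"]:
        signals.append("published under a different package name")
    added = diff_manifests(original, suspect)
    background = added["services"] + added["receivers"]
    if background:
        signals.append("adds background components: " + ", ".join(background))
    risky = sorted(SENSITIVE_PERMISSIONS & set(added["permissions"]))
    if risky:
        signals.append("adds sensitive permissions: " + ", ".join(risky))
    return signals


if __name__ == "__main__":
    original = parse_manifest(ORIGINAL_MANIFEST)
    clone = parse_manifest(CLONE_MANIFEST)
    for signal in repackaging_signals(original, clone):
        print("-", signal)
```

Comparing an app against its own earlier version (the SndApps case) uses the same diff: the package name stays, but the added services and permissions still surface.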

Congratulations!!! You won £2m pounds: SMS 419 Scams

Topi Kanniainen, from Digitoday, contacted us regarding an SMS advance fee fraud (419) scam message that he received. It turns out that a member of our Threat Research team has also received such a message, back in January — he saved it. Here’s what it looks like:

Here’s ukmobilelotto.com:

Google Apps? The (cloud friendly) scammers probably built and paid for it using stolen funds.

So what happens if you call the number? Believe it or not, there’s actually somebody on the other end of these phone numbers that answers if called. If they think you sound vulnerable, they’ll attempt to scam you in a variety of ways. We called the number from Topi’s SMS with one of our “burn” phones and uploaded the results to the Labs’ YouTube channel.

JailbreakMe Lulz

Perhaps you’ve heard the news? JailbreakMe 3.0 went live yesterday.

What’s JailbreakMe? It’s an easy way to jailbreak an Apple iOS device using a PDF (related) vulnerability. It’s done with a “drive-by” style exploit. All somebody needs to jailbreak their (newer) iPad/iPhone/iPod is to visit jailbreakme.com and to touch the free/install button.

The German Federal Office for Information Security has issued a warning about this. They’re concerned about the potential for targeted malicious attacks using trojanized versions of the JailbreakMe exploit. And that’s certainly possible, in theory.

We’ve been asked: do we anticipate any attacks against iOS devices? Targeted attacks? No, not really. It could happen, but we don’t really anticipate any as such. However, we wouldn’t be at all surprised if some AntiSec hacker group attempted something “for the lulz”.

And just how would somebody attack iOS devices? Via attachments? Attachments? No. E-mail is so not the attack vector in this case (never was on an iOS device). What folks should be careful with are their social media apps, particularly Twitter. A Twitter account belonging to Fox News was recently hacked and used to declare the death of Barack Obama. That hacked account could just as easily have posted malicious links.
