Natural gas pipeline operators in the United States have reportedly been the target of sophisticated phishing attacks since last year, and the Department of Homeland Security has been helping firms deal with incidents since March. “DHS’s Industrial Control Systems Cyber Emergency Response Team has been working since March 2012 with critical infrastructure owners and operators in the oil and natural gas sector to address a series of cyber intrusions targeting natural gas pipeline companies,” DHS spokesman Peter Boogaard told CNET on Tuesday. “The cyber intrusion involves sophisticated spear-phishing activities targeting personnel within the private companies. DHS is coordinating with the FBI and appropriate federal agencies, and ICS-CERT is working with affected organizations to prepare mitigation plans customized to their current network and security configurations to detect, mitigate and prevent such threats.”

The agency has been meeting with and advising companies privately and last week issued its first public warning. The DHS said that at least three confidential “amber” alerts have been issued beginning March 29th, all warning of a “gas pipeline sector cyber intrusion campaign” against multiple pipeline companies.

“ICS-CERT has recently identified an active series of cyber intrusions targeting natural gas pipeline sector companies,” an April 13th alert warned. “Multiple natural gas pipeline organizations have reported either attempts or intrusions related to this campaign. The campaign appears to have started in late December 2011 and is active today.”

The origins of the various attacks are unknown, and it is unclear if sensitive data has been compromised or if other negative consequences have resulted from the breaches. There are concerns that an employee can be tricked into opening a malicious link or download an attachment containing malware that might allow attackers to steal sensitive information, or even worse, manage to access the systems for controlling gas compressors or bulk power switching.

There are approximately 200,000 miles of interstate natural gas pipelines, which supply 25% of the nation’s energy.

Microsoft researchers recently discovered a piece of Mac OS X malware that exploits a three-year-old flaw in old versions of Office for Mac. The threat uses a multi-stage attack, just like a Windows virus would. While Microsoft did fix the problem in 2009, the software giant notes that not every machine is up-to-date. The company’s data indicates, however, that the malware is not widespread. “No operating system that exists outside a laboratory is entirely immune to malware,” Microsoft stated on its blog. “As different operating systems continue to gain in popularity they attract more attention from would-be attackers – especially since, as we see in the example analysis above, the techniques and understanding needed to do so may be much the same as those used against other platforms. And even though an operating system may include many risk-reducing mitigation technologies, any machine’s defenses against vulnerabilities are directly related to how current its security updates for applications are kept.” Microsoft concludes by warning users of Office 2004 for Mac, Office 2008 for Mac or Open XML File Format Converter for Mac to update their software in order to protect themselves from possible threats.

Read

Hacked websites are frequently used to infect PCs with malware, however the team at Lookout Mobile Security has discovered that hacked websites are specifically targeting Android-powered mobile devices for the first time. The malware, called NotCompatible, is a Trojan that poses as a system update but acts like a proxy redirect. After visiting an infected website, the Android mobile web browser will automatically begin downloading the NotCompatible malware, which is named “Update.apk.” Like any drive-by downloads, to become infected a user needs to install the downloaded application. The malware is found on a number of websites, but all have relatively low traffic. Lookout notes that the threat does not appear to cause any direct harm to an infected device, although it could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy. If an Android device has the “Unknown sources” settings disabled — thus disabling sideloading — the NotCompatible malware will be unable to install.

[Via Gizmodo]

Read

People who browse religious websites are more likely to have their computers infected with a virus than those who visit pornographic websites, according to Symantec’s annual “Internet Security Threat Report.” The firm found that websites with religious or ideological themes had triple the average number of threats than those featuring adult content. “It is interesting to note that websites hosting adult/pornographic content are not in the top five, but ranked tenth,” Symantec said. “We hypothesize that this is because pornographic website owners already make money from the Internet and, as a result, have a vested interest in keeping their sites malware-free; it’s not good for repeat business.” The report was based on information gathered from more than 200 countries through the Symantec Global Intelligence Network. Symantec blocked a total of 5.5 billion attacks last year, an 81% increase from 2010.

[Via Raw Story]

Read

The United States House of Representatives voted last Thursday to pass a piece of legislation called the Cyber Intelligence Sharing and Protection Act, or CISPA. The controversial bill now sits in the hands of the Senate and faces further modifications if it hopes to gain approval from the White House, which has already gone on record with a veto threat. Legions of Internet users expressed outrage when the bill was passed, and numerous protests are being staged. According to President Obama’s office, the bill would allow “broad sharing of information with governmental entities without establishing requirements for both industry and the government to minimize and protect personally identifiable information,” but what exactly is CISPA? Greg Vokes of Paralegal.net sought to make the answer as easy to digest as possible, and the result is a terrific infographic titled “WTF is CISPA?” that can be viewed below in its entirety.

Read

A new security vulnerability in Skype has been discovered that allows a third-party script to reveal users’ remote and local IP addresses, according to GHacks. The script, which was uploaded to Github, allows users to lookup the IP addresses of any online Skype accounts. The code then initiates the contact addition process, but does not complete it. The log file will instead display the local and remote IP of the requested Skype user, even if the user is not added to the list of contacts. An IP address can be used to determine the location and Internet service provider of the user, and the only method of protecting against this vulnerability would be to use a virtual private network or proxy to hide the IP address.

Read

The “Flashback” virus that originated on a series of WordPress blogs and went on to infected more than 600,000 Mac computers last month may have generated its creators thousands of dollars each day. According to antivirus software firm Symantec, the Flashback malware has been generating revenue for its authors by hijacking users’ ad clicks, and due to the widespread nature of the infection, the authors could have been generating up to $10,000 per day. “Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” the firm explained, adding that Google never receives the intended ad click. Symantec notes that ad-clicking Trojans are nothing new and a botnet of 25,000 infections could generate an author up to $450 per day.

Read

The United States House of Representatives has voted to pass the controversial Cyber Intelligence Sharing and Protection Act (CISPA), talk of which has swept the Internet over the past few weeks. The House vote was moved up to Thursday night, and CISPA passed as 248 members of Congress voted for the bill and 168 voted against. The bill is sponsored by Representatives Mike Rogers (R-Michigan) and Dutch Ruppersberger (D-Maryland), and it now faces further modifications in the Senate if it is to avoid being vetoed by the White House. President Barack Obama has indicated that he intends to veto the bill if it makes it to his desk, noting that as it is written now, the legislation would allow “broad sharing of information with governmental entities without establishing requirements for both industry and the government to minimize and protect personally identifiable information.” The American Civil Liberties Union issued a statement following the vote. “Cybersecurity does not have to mean abdication of Americans’ online privacy,” said ACLU legislative counsel Michelle Richardson. “As we’ve seen repeatedly, once the government gets expansive national security authorities, there’s no going back. We encourage the Senate to let this horrible bill fade into obscurity.”

Read

Apple may be the most valuable company in the world, but when it comes to security, the Cupertino-based company doesn’t hold a candle to Microsoft. Kaspersky Lab co-founder and chief executive Eugene Kaspersky on Wednesday told CBR that Apple is a decade behind Microsoft in terms of computer security. ”I think they are ten years behind Microsoft in terms of security,” Kaspersky said. “For many years I’ve been saying that from a security point of view there is no big difference between Mac and Windows. It’s always been possible to develop Mac malware, but [Flashback] was a bit different. For example it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms.” More than 600,000 Macs were infected by the Flashback trojan virus before it was discovered earlier this month and the exploit it used to infect OS X PCs was patched. “Apple will understand very soon that they have the same problems Microsoft had ten or 12 years ago,” Kaspersky said. ”They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software.”

Read

Security firm Sophos on Tuesday indicated that a surprisingly high level of malware has been found on Mac computers — the firm’s research revealed that one in every five Mac computers is harboring some kind of Windows malware. Of the 100,000 customers sampled through Sophos’s antivirus offerings, 20% of users were found to be carrying one or more instances of Windows malware. The firm highlighted that Windows malware on a Mac won’t cause any harm, however, unless the computer also runs a Windows partition in addition to OS X. The company’s research found that just 2.7% of Macs that installed the company’s free anti-virus software were infected by OS X malware. Nearly all of the OS X malware discovered was an iteration of the “Flashback” trojan called “Flshplyr.” Sophos said that cybercriminals may find Macs to be targets because OS X users are less likely to be running an anti-virus software, however Macs can get viruses and the right software can keep a user’s computer safe. A second pie chart follows below.

Read

Security firm Trusteer warned this week of a trojan that is capable of stealing an individual’s credit card information from hotels. The firm’s intelligence team discovered the remote access trojan being sold on underground forums for $280. The malware is designed to capture screenshots from point-of-sale applications that access credit card numbers and expiration dates. These systems are located on front-desk computers at hotels, and they are often unmanaged and do not contain anti-virus protections software that would stop a trojan of this type. The malware’s creators also include instructions on how to use VoIP-based social engineering to trick front-desk clerks into installing the trojan.

[Via SC Magazine]

Read

The “Flashback” trojan virus affecting at least 600,000 Macs was discovered last week that is capable of intercepting passwords and other private data. The discovery prompted Apple to release a Java update for OS X users that removed a number of common variants of the virus. Securelist on Saturday found another Mac trojan that is also spread through Java exploits, however. The malware, called Backdoor.OSX.SabPub, can take screenshots of a user’s current session, execute commands on an infected machine and connect to a remote website to transmit the data. It is not clear how users get infected with the trojan, but because of the low number of instances and the trojan’s backdoor functionality, Securelist speculates that it is most likely used in targeted attacks, possibly launched through emails containing a URL pointing to two one of websites hosting the exploit.

Read

Trend Micro on Wednesday named Research In Motion’s BlackBerry 7 OS as the most secure mobile operating system in a new report titled “Enterprise Readiness of Consumer Mobile Platforms.” The security firm compared four of the top mobile operating systems — Android 2.3, iOS 5, Windows Phone 7.5 and BlackBerry 7 — and found the Waterloo-based company’s platform best met the demands of enterprise users. BlackBerry 7 scored a 2.89 rating, which was based on a number of factors including built-in security, application security, authentication, device wipe, device firewall and virtualization. RIM was followed by Apple’s iOS 5 with a 1.7 rating, Microsoft’s Windows Phone 7.5 with a 1.61 rating and Google’s Android 2.3 operating system with a 1.37 rating. Researchers from Trend Micro, Altimeter Group and Bloor Research praised the Blackberry 7 operating system for its corporate grade security and manageability, while the iPhone’s lack of removable storage and Windows Phone 7.5′s for overall performance were applauded. Google’s Android platform received negative comments, however, with researchers claiming the platform’s fragmentation has proven to be a barrier for enterprises.

[Via The Inquirer]

Read

The security of the Android mobile platform has always been a topic of debate. Due to Google’s open ecosystem and less invasive app policing policies, researchers argue that the Google Play marketplace is home to numerous malicious apps. Reports have surfaced over the past few years that claimed even applications from legitimate companies — such as Facebook, Skype and Path — were exploiting Android permissions and secretly accessing data. Paul Brodeur of Leviathan Security had a simple question: what data can an app access when it has no permissions? What he found may be shocking.

Brodeur created a special Android application that explores what data can be harvested from a device when the app has no permissions. The researcher found that his application was able to access the SD card, various system information and unique handset identification data. Access to the SD card provided Brodeur with information to all files that were not hidden, including photos, backups and any external configuration files. He states, however, that “while it’s possible to fetch the contents of all those files, I’ll leave it to someone else to decide what files should be grabbed and which are going to be boring.”

The second slew of information the application was able to access was located in the /data/system/packages.list file, which allowed the software to determine what apps are currently installed on a device. Brodeur was also able to scan each installed application’s directory to determine whether sensitive data could be read and accessed. This feature could be used by malware in an attempt to find apps with weak-permission vulnerabilities.

The last piece of information Brodeur’s application was able to gather regards a handset’s identifiable information. Without the “PHONE_STATE” permission, an application is not able to read the International Mobile Equipment Identity (IMEI) or International Mobile Subscriber Identity (IMSI). With no permissions, however, Brodeur’s app was still able to access the GSM and SIM vendor IDs. The researcher was also able to access the /proc/version pseudofile, which reveals the kernel version, Android ID and name of the custom ROM installed, if there is one.

Brodeur cautions Android users about suspicious applications, claiming any installed app can execute these actions without any user interaction or permissions. The researcher goes on to note that even without an Internet permission, he was able to use something called the URI ACTION_VIEW Intent to open a browser and export any collected data.

The researcher’s application was tested on Android 4.0.3 Ice Cream Sandwich and Android 2.3.5 Gingerbread.

Read

U.K.-based Android and iOS app developer Gareth Wright recently discovered a security hole in Facebook’s native mobile apps that can be used to steal a user’s personal information. Facebook’s Android and iOS apps do not encrypt login credentials, instead storing them in plain text files and allowing the information to be easily accessed and transferred over a USB connection, or more likely, through a malicious app. Wright explained in a blog post that Facebook’s plist file, or property list file containing personal data, is stored insecurely and not set to expire for 2,000 years. Once a plist file is copied to another device, one can simply open the normal Facebook app and will automatically be logged in the user’s account. Wright’s claims were confirmed by TheNextWeb, which also discovered that Dropbox’s iOS app includes the same security hole. The vulnerabilities do not require a device to be jailbroken or rooted, and exploits can be performed with a simple file explorer.

Update: Dropbox reached out to BGR regarding the issue, the company’s statement can be found after the break. 

“Dropbox’s Android app is not impacted because it stores access tokens in a protected location,” the company said. “We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.”

Read [Gareth Wright's blog] Read [TheNextWeb]