Cert.gov.md
CENTER OF SPECIAL TELECOMMUNICATIONS
CYBER SECURITY CENTER CERT-GOV-MD
BE WARNED, STAY PROTECTED.
November 2014 Newsletter
Dear Colleagues,
Cyber Security Center CERT-GOV-MD is glad to announce its newsletter, as part of its proactive services. This newsletter compiles IT security events for November 2014 and aims to inform you about the latest information security news, trends, tips and threats discovered. We hope this information will help you in your day-to-day activities, whether you are part of the technical staff dealing with sensitive information or just a regular computer user.
BE WARNED, STAY PROTECTED,
CERT-GOV-MD Team

Contents:
- Beware of STARTTLS downgrade attacks (Page 1)
- Members of OSCE's Informal Working Group met on 7 November 2014 to discuss the implementation of Confidence Building Measures (CBMs)
- Wirelurker: A New Era in iOS Malware (Page 2)
- Case of CryptoPHP. System administrators are target of social engineering attack (Page …)
- Review of malware underground market in Brazil
- New advanced threat called "Darkhotel" targets hotel visitors
- iOS User Security Guide. Part 1

Beware of STARTTLS downgrade attacks

Two engineers from Golden Frog, an international IT service provider, discovered that some Internet service providers are stripping the STARTTLS flag from email traffic, which forces the sending server to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.

STARTTLS is a widely used extension for plain text communication protocols, which allows email messages to be transmitted securely between sending and receiving servers. Under normal circumstances, before message transmission, the client asks the destination server whether it supports message encryption. If yes, a TLS session is initiated; otherwise the message is transferred in plain text. A STARTTLS downgrade attack occurs when an attacker alters the server response so that it does not contain the STARTTLS option. The problem is that the user is not notified that the message was sent unencrypted, which jeopardizes its confidentiality.

Useful advice:
While it is not always possible to prevent STARTTLS downgrade attacks, it is recommended to use Pretty Good Privacy (PGP) or Secure/Multipurpose Internet Mail Extensions (S/MIME) for email encryption and digital signing in order to stay safe on the Internet.
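The exchange described above, as an added Python example that is not part of the newsletter and not code from Golden Frog: a sending server learns whether STARTTLS is available only from the keyword list in the EHLO reply, so the check below parses that reply and applies a fail-closed policy when the keyword is absent. The three EHLO replies are constructed samples; the "masked" and "dropped" variants model two ways an in-path device can remove the capability. The live check uses only the standard library's smtplib and is not exercised offline.

```python
"""Parse an SMTP EHLO reply, detect a missing STARTTLS capability and
decide delivery under a fail-closed policy. Added example; sample replies
are constructed, not captured from any real server."""
import smtplib

# Constructed sample EHLO replies.
EHLO_WITH_STARTTLS = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Downgrade variant: the keyword is overwritten in place (constructed).
EHLO_KEYWORD_MASKED = EHLO_WITH_STARTTLS.replace("STARTTLS", "XXXXXXXX")
# Downgrade variant: the capability line is removed entirely (constructed).
EHLO_LINE_DROPPED = EHLO_WITH_STARTTLS.replace("250-STARTTLS\r\n", "")


def parse_ehlo(reply):
    """Return {KEYWORD: parameters} from a multi-line 250 EHLO reply.
    The first line is the server greeting and carries no capability."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # skip "250-" (more lines follow) or "250 " (last line)
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params
    return caps


def starttls_offered(reply):
    """True only if the server explicitly advertised STARTTLS."""
    return "STARTTLS" in parse_ehlo(reply)


def delivery_decision(reply, require_tls):
    """What a sending MTA should do with this reply.
    require_tls=True is the fail-closed policy: no TLS, no delivery."""
    if starttls_offered(reply):
        return "tls"
    return "refuse" if require_tls else "plaintext"


def check_live_server(host, port=25, timeout=10):
    """Ask a real server whether it advertises STARTTLS (network access;
    not used by the offline samples). Returns True/False, or None if the
    server could not be reached."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None


if __name__ == "__main__":
    samples = [("normal", EHLO_WITH_STARTTLS),
               ("masked", EHLO_KEYWORD_MASKED),
               ("dropped", EHLO_LINE_DROPPED)]
    for name, reply in samples:
        print(name, sorted(parse_ehlo(reply)), delivery_decision(reply, require_tls=True))
```

The point of the "refuse" branch is that opportunistic STARTTLS silently falls back to plain text, which is exactly the condition the article describes; an operator who enforces TLS for a given destination turns a silent downgrade into a visible delivery failure that can be investigated.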
Members of OSCE's Informal Working Group met on 7 November 2014 to discuss the implementation of Confidence Building Measures

The meeting, organized by the Swiss OSCE Chairmanship, took place in Vienna, Austria and brought together cyber-security experts and representatives from over 50 countries.

The CBMs are risk-reduction measures designed to enhance transparency, reduce misperception and escalation, and increase co-operation and stability between states in the domain of cybersecurity. The initial set of CBMs was adopted in 2013. The states also agreed to meet once a year in order to summarize the results and to discuss future steps of the CBMs' development.

At the meeting, participants reviewed cyber-security efforts at the sub-regional level and negotiated the development of a second set of CBMs.

Read more at: http://www.osce.org/cio/126475
"As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace." - Newton Lee, a computer scientist.
Wirelurker: A New Era in iOS Malware

Palo Alto Networks' research team discovered a malware that targets iOS devices from infected Mac computers. The malware was named "Wirelurker" as it spreads through a USB wire.

WireLurker was used to trojanize pirated Mac applications that were uploaded to the Maiyadi App Store, a site known to host pirated premium Mac, iPhone and iPad applications. Victims downloaded these applications, installed them on their OS X systems and ran them. On instantiation, WireLurker's entry code was transparently executed, dropping malicious executable files, dynamic libraries and configuration files prior to running the original pirated application. Upon installation, WireLurker monitored any iOS device connected via USB to an infected OS X computer and installed downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is …

What is interesting is that the malware uses attack techniques not seen before on the iOS platform:
- It is capable of automating the generation of malicious iOS applications through binary file replacement;
- It can infect installed iOS applications similar to a traditional virus;
- It installs third-party applications on non-jailbroken iOS devices through enterprise provisioning.

The following are our recommendations to enterprises and users regarding prevention or mitigation of WireLurker or similar OS X or iOS malware threats:
- Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date;
- In the OS X System Preferences panel under "Security & Privacy", ensure "Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)" is set;
- Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source;
- Keep the iOS version on your device up-to-date;
- Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your corporate IT help desk) explicitly instructs …
- Avoid powering your iOS device through chargers from untrusted or unknown sources;
- Do not jailbreak your iOS device.

Case of CryptoPHP. System administrators are target of social engineering attack

A security research team from Fox-IT, a Dutch information security firm, discovered a threat called CryptoPHP, which tricked system administrators into installing a backdoor on their web server.

Threat actors hosted several web sites in order to provide anyone with "free" access to pirated themes and plugins for the Joomla, WordPress and Drupal content management systems. After a malicious plugin or theme was installed, it established an encrypted connection to the command-and-control server in order to receive further instructions.

Currently CryptoPHP is used for injection of links and text into the webpages of the compromised server. That allowed the threat actors to increase the ranking of the injected web links in popular search engines. It is estimated that CryptoPHP compromised more than 20 000 web sites.

System administrators are advised to use the following Python scripts in order to verify the presence of the CryptoPHP infection:
it/cryptophp/tree/master/scripts
whitepaper-foxsrt-v4.pdf
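As an added illustration of the kind of check an administrator can run on a theme or plugin tree, the Python below is a generic heuristic written for this newsletter edit; it is not the Fox-IT detection script and uses no indicator from the CryptoPHP report. It looks for two things that a backdoor bundled with a pirated theme commonly relies on: PHP code stored in a file with a non-code extension (image, text, stylesheet), and PHP source that includes or requires such a file. The sample theme directory is constructed in a temporary folder, and the "widget.png" name in it is a placeholder, not a real indicator.

```python
"""Generic heuristic scan of a CMS theme/plugin directory for PHP code hidden
in non-PHP files and for include/require statements that pull such files in.
Added example; not the Fox-IT scripts. Sample files are constructed."""
import os
import re
import tempfile

# PHP open tags, matched on raw bytes so binary files can be scanned too.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")
# Extensions that should never contain executable PHP.
NON_CODE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".txt", ".css"}
# include/require whose argument is a literal path with a non-code extension.
SUSPICIOUS_INCLUDE = re.compile(
    r"\b(include|include_once|require|require_once)\s*\(?\s*['\"]"
    r"([^'\"]+\.(png|jpg|jpeg|gif|ico|txt|css))['\"]",
    re.IGNORECASE,
)


def scan_tree(root):
    """Walk root and return sorted (relative_path, finding) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in NON_CODE_EXT and PHP_OPEN_TAG.search(data):
                findings.append((rel, "php-code-in-non-php-file"))
            if ext in (".php", ".phtml"):
                text = data.decode("utf-8", "replace")
                for match in SUSPICIOUS_INCLUDE.finditer(text):
                    findings.append((rel, "include-of-non-code-file:" + match.group(2)))
    return sorted(findings)


def build_sample_theme():
    """Create a constructed theme tree: a clean stylesheet, a genuine-looking
    image header, a 'png' that is really PHP, and a functions.php that
    includes it. Returns the root path. All names are placeholders."""
    root = tempfile.mkdtemp(prefix="theme_sample_")
    images = os.path.join(root, "assets", "images")
    os.makedirs(images)
    with open(os.path.join(root, "style.css"), "w") as fh:
        fh.write("body { margin: 0; }\n")
    with open(os.path.join(images, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # PNG signature only, no code
    with open(os.path.join(images, "widget.png"), "w") as fh:
        fh.write("<?php /* constructed placeholder; does nothing */ ?>\n")
    with open(os.path.join(root, "functions.php"), "w") as fh:
        fh.write("<?php\ninclude('assets/images/widget.png');\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_theme()
    for rel_path, finding in scan_tree(sample_root):
        print(f"{finding:40s} {rel_path}")
```

Neither heuristic proves an infection on its own: a legitimate theme may keep PHP in an oddly named file, so each finding should be opened and read before it is treated as a backdoor. The value of the scan is that it narrows a tree of thousands of theme files down to a handful worth a manual look.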
Review of malware underground market in Brazil

Trend Micro Inc., a Japanese security software company, has published a report which describes the current situation, prices and trends of Brazil's malware underground market.

The report revealed that the malware underground market in Brazil usually takes the form of a post on Facebook, YouTube, Twitter, Skype or WhatsApp in which illegal products or services are offered for trade. It was also discovered that the Brazilian underground today is mostly specialized in the banking domain. Therefore there are many offers regarding different banking malware such as banking trojans, credit card number checkers, crypters and others. Some offers include tools that were specifically created for attacks against products and services only available in Brazil. The Brazilian underground is also the only known market that offers training services for future cybercriminals.

A cybercriminal can buy the following products in the Brazilian underground:
- Banking trojans. These are intended to intercept bank client credentials and/or to redirect client payments to the cybercriminal. In order to do so, banking trojans use techniques like Domain Name System poisoning, fake browser windows or a specialized malware module called Bolware, which is able to modify the bar code of a payment slip of a Brazilian online store so that the payment is transferred to the attacker instead of the original seller. Prices range from 155$ for Bolware kits to 386$ for banking trojan builders, and more for banking trojan source …
- Crypters. Crypters are special software designed to modify a malware so that it cannot be detected by an antivirus. Crypters that can prevent all security products from detecting malware are considered "100% fully undetectable (FUD)". If they can only evade several security solutions, they are sold as "partial" crypters. Prices for FUD crypters range from 19$ to 39$ for a 1 month license.
- Credit card credentials and checkers. A credit card checker is special software that debits small amounts of money from specified accounts in order to check whether the card number is valid and ready for illegal transactions. The average price for a valid credit card number varies from 31$ to 135$ depending on the card's credit limit.
- Phishing pages. A phishing page allows the cybercriminal to steal personal data, redirect victims to the original page and send the stolen information via email. The price for a phishing page is usually 39$.
- Social media followers/views/likes. As the number of followers/views/likes is one of the factors that influences the position of a tweet, video or post in search results, Brazilian underground market sellers offer social media followers to anyone interested. Prices for Facebook likes vary from 8$ for 1000 likes to 62$ for 10 000 likes. Instagram followers cost on average 35$ for 5000 followers. 200 YouTube subscribers cost 8$, the same price as 1000 YouTube views or 1000 Twitter followers.

The Brazilian malware underground market also offers different services. Among them:
- Malware checking against security software. Cybercriminals need to ensure that their malicious creations will not be detected by security solutions when used. Experienced fraudsters rarely use publicly available file scanners because these usually send scanned files to security companies for detection. Cybercriminals offer malware-checking services for as little as 12$ for a one month license.
- SMS-spamming services. Some spammers outsource spam sending at prices ranging from 155$ for 5,000 text messages to 1,159$ for 100,000 messages.
- Training services. What distinguishes the Brazilian underground from others is the fact that it also offers training services for anyone who wants to become a cybercriminal. Most of the training courses are focused on fully undetectable crypter programming and fraud training. The trainings are sold as how-to videos. The buyer can usually get training support services via Skype.

New advanced threat called "Darkhotel" targets hotel visitors

Kaspersky's global research team has published a threat intelligence report which revealed a new advanced persistent threat that targeted unsuspecting guests of several high-end and luxury hotels. Attackers abused hotels' Wi-Fi networks to lure their victims into installing fake Google Toolbar, Adobe Flash Player or Windows … computers with spyware. The attack method involved the hotel's Wi-Fi access login screen with a hidden iframe to identify the guest's first and last names and to redirect their browser to a malicious webpage. It was also discovered that only specific guests, like government servants and defence industry staff, were attacked, which means that the attackers knew the exact date and place of stay of their victims. Once the attack succeeded, all traces of it were removed. It is estimated that the threat existed for more than five years before it was discovered.

Use the following advice in order to stay safe while traveling:
- Before you travel: decide ahead of time what device(s) and data you will actually need, and do your best to limit what you take; do not take your day-to-day devices with you on the trip; use devices like an inexpensive laptop or a throw-away prepaid cell phone purchased just for …
- During your journey: do not use hotel or other public computers for business needs; … information; assume the sites you visit (even hotel rooms) may be subject to video, audio or other monitoring.
- After you return: erase all temporarily used accounts and devices; change passwords, which will render any stolen ones useless; reset the temporary devices to the factory-default state to remove any installed …
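The hidden-iframe technique described in the Darkhotel item above can be checked for from the defender's side. The Python below is an added example for this newsletter edit, not code from Kaspersky's report: it parses a captive-portal login page with the standard library's html.parser and raises an alert for any iframe that is hidden (zero size or display:none) or that loads content from a host other than the portal itself. Both HTML pages are constructed samples, and the hostnames in them are placeholders.

```python
"""Flag hidden or off-site iframes in a captive-portal login page.
Added example; sample pages and hostnames are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed portal page with a zero-size, display:none iframe that loads
# from a host unrelated to the portal (placeholder domains).
SUSPICIOUS_PORTAL = """<html><body>
<h1>Welcome, please log in</h1>
<form action="/login" method="post">
  <input name="room"><input name="surname">
</form>
<iframe src="http://updates.example.invalid/check" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

# Constructed clean portal page: a visible, same-host terms-of-use frame.
CLEAN_PORTAL = """<html><body>
<h1>Welcome, please log in</h1>
<form action="/login" method="post">
  <input name="room"><input name="surname">
</form>
<iframe src="https://wifi.hotel.example/terms" width="600" height="300"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def is_hidden(attrs):
    """True for iframes a guest cannot see: zero-sized or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width") == "0" or attrs.get("height") == "0"


def audit_portal(html, portal_host):
    """Return one alert dict per iframe that is hidden or loads off-site.
    portal_host is the hostname the login page itself was served from."""
    parser = IframeCollector()
    parser.feed(html)
    alerts = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        offsite = bool(host) and host.lower() != portal_host.lower()
        hidden = is_hidden(attrs)
        if hidden or offsite:
            alerts.append({"src": src, "hidden": hidden, "offsite": offsite})
    return alerts


if __name__ == "__main__":
    for label, page in [("suspicious", SUSPICIOUS_PORTAL), ("clean", CLEAN_PORTAL)]:
        print(label, audit_portal(page, "wifi.hotel.example"))
```

A clean portal can legitimately embed a visible frame from its own host, so the check alerts on the combination a guest would never notice: an invisible frame, or one that quietly pulls content from somewhere else. Run against the page a device actually receives when it joins the hotel network, it gives the traveller's IT team something concrete to review before anyone enters a name on the login screen.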
iOS User Security Guide. Part 1

This guide is designed for end users who own an iOS 7.x or iOS 8.x device and want to make beneficial security changes to their device to improve the overall mobile experience in regards to security, safety and privacy.

Security Improvement Instructions. Included are steps to follow to beneficially improve the security posture of your iOS device.

- Run the Latest Software Version. Bugs and security vulnerabilities are inevitable, so it is important to use the latest software version available for your device. Many devices will inform you when an update is available, but you can manually start an update check to see if your device has a newer update available. In order to check whether your device is running the latest software version, navigate to "Settings" -> "General" -> "Software Update". Note: preferably use a Wi-Fi network to download the system update, to reduce cellular data usage.
- Enable device passcode. This prevents someone from picking up your device and accessing your data. In order to set up a passcode, navigate to "Settings" -> "Passcode" (or "Touch ID & Passcode").
- Enable SIM card lock. Enabling the SIM card lock prevents a thief from abusing your cellular service and costing you money. In order to set up a SIM card lock, navigate to "Settings" -> "Phone" -> "SIM PIN" (you will have to enter the default password for the SIM, which is usually "1111"). After the SIM lock feature is activated, choose "Change PIN" to ensure that no one can bypass this security measure. Be sure to remember your …
- Enable device auto-lock. Auto-lock will automatically lock your device after it goes unused for a certain period of time. This potentially prevents someone from picking up your device and accessing your data. In order to activate the auto-lock feature, navigate to "Settings" -> "General" -> "Auto-…
- Enable restrictions. This feature allows you to prevent some of your device's capabilities, like in-app purchases, from being used without entering a password. This can be useful for parental control or in case you do not want your relatives, who can access the device, to see or do more than they should. In order to enable restrictions, navigate to "Settings" -> "General" -> "Restrictions".
- Safari fraudulent website warning. Safari has the ability to warn you if a web site is suspected to be a phishing or fraudulent website designed to trick you into divulging personal information. In order to ensure that the "Fraudulent Website Warning" setting is set to "on", navigate to "Settings" …

About CERT-GOV-MD

Cyber Security Center CERT-GOV-MD is the governmental cyber emergency response team, created within S.E. Center of Special Telecommunications on 18.08.2010 by Government decision nr. 746 "Regarding the updated action plan Moldova - NATO".

Central point of contact
CERT-GOV-MD is the central point of contact for all cyber security problems for public administration authorities in the Republic of …

Alerting us about security incidents
By e-mail to [email protected]
By telephone on (+373 22) 820-900 (ask for the CERT-GOV-MD) on business days from 8:00 to 17:00

Find us on the Web: www.cert.gov.md
BE WARNED, STAY PROTECTED
While every precaution will be taken in the preparation of information, notifications and alerts, CERT-GOV-MD assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.
Source: http://cert.gov.md/fileadmin/user_upload/newsletter/2014/Newsletter_November_2014_EN.pdf