Posts Tagged ‘information’

May 15th, 2012

11 Tips for protecting your data when you travel

When we relayed the FBI/IC3 warning to travelers about a threat involving hotel Internet service overseas last week, it produced a lot of requests for advice on how to respond to the threat. So a few of us researchers at ESET came up with a list of data security tips for travelers. These tips will help you keep your data safe while travelling in general, and defeat this particular threat (IC3 says a pop-up appears as you are signing in to the hotel Internet and asks you to perform a software update which is actually a malware infection).

Below the list are some additional strategies and one example of what not to do with your laptop and your car, wherever you happen to be driving. If you have more suggestions we would love to hear them. Please use the Comment section below to share.

  1. Make sure your operating system and antivirus software are updated before you go on the road.
  2. Back up your data before you head out (and store the backup in a safe place).
  3. Consider leaving some data behind or move sensitive data from your laptop hard drive to an encrypted USB stick.
  4. Make sure you have password protection and inactivity timeout engaged on all devices including laptops, tablets, and smartphones.
  5. If possible, only use reputable hotel Internet service providers (ask the hotel who their provider is before you book).
  6. If the hotel Internet asks you to update software in order to connect, immediately disconnect and tell the front desk.
  7. If you use hotel Internet to connect to your company network use a VPN.
  8. Do not use WiFi connections that are not encrypted with WPA (avoid WEP encrypted connections which are easily hacked).*
  9. Consider getting a 3G or 4G hotspot and using that instead of hotel Internet.
  10. Avoid online banking and shopping while on any hotel or public Internet connection.
  11. Disable pop-ups in your web browser.

Bonus tip #1: If you are on the road and suspect that your Windows laptop has become infected you can get a free online scan from ESET.

Bonus tip #2: Don't assume your laptop is safe from malware when traveling just because it is a Mac. Consider installing a reputable antivirus product, for example, you could install a free 30-day trial of ESET Cybersecurity for Mac OS X before you head out on your travels.

What not to do when on the road with your laptop

Do not park your car and then place your laptop in the trunk. Place your laptop in the trunk before you reach the place where you are going to be parking. The reason? Someone who sees you place a computer in the trunk and then walk away from the vehicle knows the car is worth breaking into or stealing. A former colleague learned this the hard way in Venice Beach in 1996, back when a high-end laptop could cost over three grand.

WEP/WPA? How to know which encryption scheme an access point offers

If you are using a Windows 7 laptop you can see the encryption type for any available access point when you display the list of access points from the network icon in the Taskbar (typically lower right of the screen). You may have to hover over the point in the list to see the information. If you are using a MacBook you can Option-Click the Airport icon for a list that will display the encryption type of your current connection, and other connections, on hover.

(With many thanks to Aryeh Goretsky and Cameron Camp for their contributions to the tip list.)

May 7th, 2012

Pastebin Shares Botnet Source Code

A few days back, we found another Pastebin entry that contains source code which looks to be malicious botnet code. As I wrote in my earlier blog, malware authors also use Pastebin to trade botnet kits. Many times, snippets of a botnet help researchers understand the workings of the botnet and write detections for it.

The code posted was fairly simple to understand, appearing fully tested and complete. The code provides insights into the coding skills and techniques used by the botnet author. This bot uses a fairly standard installation, copying itself into the Windows\System32 folder and then sending and receiving commands from a hard-coded control server. The source contains two interesting anti-analysis functions, which check for the presence of a sandbox or tools such as OllyDbg or Wireshark. If it detects countermeasures, the bot terminates its process. Below are the two functions used for anti-analysis:

BOOL bIsSandbox (void)

  • Check GetModuleFileNameA() for presence of string “sample” in the PATH
  • Or Check GetUserNameA() for presence of string like “HfreAnzr” or “sandbox” or “currentuser” or “vmware” or “nepenthes”
  • Or Check GetComputerNameA() for presence of string like “ComputerName” or “COMPUTERNAME”
  • Or Check GetModuleHandle() for presence of DLL like “SbieDll.dll” or “api_log.dll” or “dbghelp.dll” or “dir_watch.dll”
  • If anything matches, terminate the bot process

DWORD WINAPI tScanner (LPVOID)

  • Use FindWindowA() function to check for name “CommView”
  • Or “TCPViewClass”
  • Or “TCPView – Sysinternals: www.sysinternals.com”
  • Or “PROCMON_WINDOW_CLASS”
  • Or “OLLYDBG”
  • Or “gdkWindowToplevel”
  • Or “CommView – The Team ZWT 2008”
  • Or “The Wireshark Network Analyzer”
  • Or “SysAnalyzer”
  • If anything matches, terminate the bot process

Both of the preceding functions let the bot terminate its own process to avoid being analyzed by researchers. The bot sends the OS version, username, bot ID, and other information to its hard-coded control server in the format ns/clients.php?os=%s&name=%s&id=%i&loc=%s and then waits for further commands.
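The two lists above double as detection material: the hard-coded strings the bot compares against (sandbox usernames, analysis DLLs, tool window titles) and the fixed beacon URL format are both visible in the binary and on the wire. The following Python is an added example written for this post, not code from the Pastebin entry or from the original author. It pulls printable strings out of a constructed sample buffer, matches them against the indicator strings listed above, and flags proxy-log lines (also constructed) that match the clients.php check-in format. The threshold of three distinct indicators is an assumption: dbghelp.dll on its own is a legitimate Windows DLL and the word "sample" is common, so a single hit is weak evidence.

```python
import re
from typing import List

# Indicator strings copied from the bot's bIsSandbox() and tScanner() routines.
SANDBOX_USERNAMES = ["HfreAnzr", "sandbox", "currentuser", "vmware", "nepenthes"]
SANDBOX_MODULES = ["SbieDll.dll", "api_log.dll", "dbghelp.dll", "dir_watch.dll"]
SCANNER_WINDOWS = [
    "CommView", "TCPViewClass", "PROCMON_WINDOW_CLASS", "OLLYDBG",
    "gdkWindowToplevel", "The Wireshark Network Analyzer", "SysAnalyzer",
]
# "sample" is the path substring checked via GetModuleFileNameA().
INDICATORS = SANDBOX_USERNAMES + SANDBOX_MODULES + SCANNER_WINDOWS + ["sample"]

# Runs of four or more printable ASCII bytes, the usual "strings" heuristic.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

# Check-in format from the post: ns/clients.php?os=%s&name=%s&id=%i&loc=%s
BEACON = re.compile(r"/ns/clients\.php\?os=[^&\s]+&name=[^&\s]+&id=\d+&loc=[^&\s]*")


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII strings found in a binary blob."""
    return [m.decode("ascii") for m in PRINTABLE.findall(blob)]


def find_anti_analysis_indicators(blob: bytes) -> List[str]:
    """Return the distinct indicator strings present in the blob (case-insensitive)."""
    found: List[str] = []
    for s in extract_strings(blob):
        for indicator in INDICATORS:
            if indicator.lower() in s.lower() and indicator not in found:
                found.append(indicator)
    return found


def is_suspicious(blob: bytes, threshold: int = 3) -> bool:
    """Verdict: true when at least `threshold` distinct indicators co-occur (assumed cutoff)."""
    return len(find_anti_analysis_indicators(blob)) >= threshold


def find_beacons(log_lines: List[str]) -> List[str]:
    """Return proxy-log lines whose request URL matches the bot's check-in format."""
    return [line for line in log_lines if BEACON.search(line)]


# Constructed stand-in for an unpacked sample: a few bytes of header followed
# by some of the anti-analysis strings as they would sit in the data section.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SbieDll.dll\x00" + b"\x00" * 8
    + b"OLLYDBG\x00The Wireshark Network Analyzer\x00vmware\x00"
)

# Constructed proxy-log lines; only the first is a check-in.
SAMPLE_PROXY_LOG = [
    '203.0.113.7 - - [07/May/2012:10:01:02] "GET /ns/clients.php?os=WinXP&name=jdoe&id=1042&loc=US HTTP/1.1" 200 17',
    '203.0.113.7 - - [07/May/2012:10:01:05] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("indicators:", find_anti_analysis_indicators(SAMPLE_BINARY))
    print("suspicious:", is_suspicious(SAMPLE_BINARY))
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print("beacon:", hit)
```

In practice the string scan belongs in a YARA rule or a static-analysis pipeline rather than a standalone script, and the beacon regex in a proxy or IDS signature; the point of keeping both in one place here is to show that the same constants the author hard-coded for evasion are what make the bot easy to fingerprint.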

April 20th, 2012

Latest SpyEye Botnet Active and Cheaper

On April 16, we found a Pastebin entry selling the latest version of the infamous SpyEye botnet (Version 1.3.48) for a much lower price than we’ve seen elsewhere. (This botnet is mainly used to steal banking information.) The quote was just US$150 including three months hosting, after that it’s $15 per month. This version was first seen in October 2011, according to the XyliBox blog. The Pastebin seller of this SpyEye release included all the information about the software, injection types, and plug-ins supported–along with the MSN ID “blackhatsale@live.com.” Here is the screenshot from Pastebin:

Further research on multiple freelancing project websites shows price quotes of up to $1,500. Here are a couple of project entries found on those websites:

The source code for SpyEye Version 1.3.45 had already been leaked, and a lot of technical information about this botnet is available on the web. Fortunately, we obtained a live sample (with an active control server) created by the latest release (the version ID is hard-coded in the build and sent to the control server along with other information). We proceeded to reverse engineer the latest version to look for any differences.

After unpacking and reversing the latest sample, we found it behaved similarly to the description in the Prevx blog (so we will skip the full details). The only difference we found is the XOR key used to decrypt the config.bin file from the resource section. For this binary, the XOR key used is 0x4C. Here is the snippet of the decryption algorithm to decrypt config.bin:

Note the slight difference between the keys used by the sample we analyzed and the sample analyzed by the Prevx blog. (Was this intentional by the SpyEye author?) The decrypted config.bin file is nothing but a password-protected ZIP file whose password is stored in the C3 resource section in plain text. Here is the screenshot of the unzipped contents:
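Because the single-byte XOR key differs between builds (0x4C here versus the key in the Prevx write-up), an analyst is better served by recovering the key from the data than by hard-coding it. The following Python is an added example written for this post, not the decryption snippet from the SpyEye binary or from the Prevx blog. It exploits the fact stated above that the decrypted config.bin is a ZIP file: it tries every single-byte key and accepts the one that turns the first four bytes into the ZIP local-file-header signature "PK\x03\x04". The encoded resource is constructed in the script itself (a small unencrypted ZIP XOR-ed with 0x4C); handling the ZIP password held in the C3 resource is not shown, since the standard library cannot create password-protected archives for the demonstration.

```python
import io
import zipfile
from typing import List, Optional

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, as used by this SpyEye build on config.bin."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force the one-byte key by requiring the ZIP signature after decoding."""
    if len(blob) < len(ZIP_MAGIC):
        return None
    for key in range(256):
        if xor_decode(blob[:4], key) == ZIP_MAGIC:
            return key
    return None


def list_config_entries(decoded: bytes) -> List[str]:
    """Return the member names of the decoded config.bin archive."""
    with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
        return zf.namelist()


def build_sample_config() -> bytes:
    """Constructed stand-in for a decrypted config.bin: a tiny ZIP with one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.dat", "constructed placeholder config")
    return buf.getvalue()


# Constructed resource-section blob: the sample archive XOR-ed with this build's key.
BUILD_KEY = 0x4C
ENCODED_RESOURCE = xor_decode(build_sample_config(), BUILD_KEY)

if __name__ == "__main__":
    key = recover_xor_key(ENCODED_RESOURCE)
    print("recovered key:", hex(key) if key is not None else None)
    if key is not None:
        print("entries:", list_config_entries(xor_decode(ENCODED_RESOURCE, key)))
```

The signature check is cheap because a one-byte key is fully determined by the first byte (key = blob[0] XOR 0x50); checking all four magic bytes just guards against a false match. A real sample's resource is read out of the PE resource section first, which this example skips by constructing the blob inline.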

The unpacking/decryption routine of the ZIP files and the infection method of this bot are the same as in the prior version. We next searched network activity to look for variations. The binary, as expected, sends an HTTP POST request with encrypted data shown below:

March 22nd, 2012

AVG Web threat weekly update: Week 3

1. Just in time for Tax Season

Starting today we began receiving emails from INTUIT sent from a bankofamerica.com email address (it's spoofed). These emails notify the recipient of a problem between the IRS and Social Security and ask him to "use the following link" to review the information. The link leads to a Blackhole Exploit Kit that will exploit the user's PC and install many pieces of malware.


March 15th, 2012

Android Malware Pairs Man-in-the-Middle With Remote-Controlled Banking Trojan

Based on the Android malware that we’ve seen so far, one of the principal motivations to develop and spread malware on Android is to gain financial profit. We often see deceptive applications that send SMS messages to premium-rate numbers without the user’s consent or that run man-in-the-middle attacks to forward SMS messages containing a user’s mTANs (Mobile Transaction Numbers) to an attacker. In the latter case, the attacker uses the information to defeat the two-factor authentication scheme used by several banks and financial entities around the world. Examples of this last type of threat are the well-known banking Trojans Zeus and SpyEye, the latter of which includes, in the latest versions of its PC malware, a new module that targets Android. In general, those malicious applications are not complex compared with more sophisticated threats. However, the situation may have changed with the recent discovery of a new Android malware that has the man-in-the-middle functionality but, unlike Zeus and SpyEye, can also be controlled remotely and can grab the initial password from a mobile device without infecting the user’s PC.

The malicious application targets specific well-known financial entities posing as a Token Generator application. In fact, when the application is installed, the malware uses the logo and colors of the bank in the icon of the application, making it appear more credible to the user:

When the application executes, it shows a WebView component that displays an HTML/JavaScript web page that pretends to be a Token Generator. The web page also appears to be from the targeted bank (same variant of the malware but with different payload):

To get the fake token, the user must enter the first factor of authentication (used to obtain initial access to the banking account). If this action is not performed, the application shows an error. When the user clicks “Generar” (Generate), the malware shows the fake token (which is in fact a random number) and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI). The same information is also sent to one of the control servers along with further data such as the phone number of the device. The malware finds the list of control servers from an XML file inside the original APK. This information, along with other parameters of the malware, are loaded and stored in another XML file inside the device:

The first two lists are used to run the man-in-the-middle attack because they filter the incoming SMS messages to get only the ones that have mTANs. If the originating address and message body are found in the “catch” list, the content is sent to the default control server. The SMS can also be forwarded to the number specified in the XML if it is configured in the “catch” list with the attribute “toSms.”

As soon as the initial registration is done, the malicious application creates a scheduled system event to program the execution of itself at some point in the future. The time when this event occurs depends on the values “timeConnection” and “period,” which are defined in a configuration file. When this happens, a background service starts that creates and executes a thread which listens for commands sent from control servers. These commands update most of the configuration settings–the server list, the catch/delete list and phone number used to receive the stolen mTANs, and the initial password. However, there are other interesting commands that add self-update or spyware capability to the malware:

  1. sendContactList: Obtains the list of contacts stored in the device (name and number) and uses an open-source framework to serialize the list of contacts to send them to the control server.
  2. updateUrl: Contains the URL used to download an APK file in the download folder of the SD card. The APK could be an update of the same malware or another malicious application. Once the APK is downloaded, a custom user interface is loaded with the text and title sent by the control server, to trick the user to install the new application.

March 10th, 2012

Top Scores for Kaspersky Anti-Virus Software

Kaspersky Anti-Virus Personal Pro 4.0 achieved the best results in testing conducted by the information portal ZDNet. The test, organized by the French editorial team of the highly popular information portal ZDNet, pitted against one another the six most popular anti-virus programs for home…


March 9th, 2012

Tax and Finance: The greatest risks to financial data come from inside

OK so just hold on there before we even start. It is very important that we make our message on this subject clear from the outset. If we say that the greatest risks to financial data security come from inside the business, we are not saying that firms should inherently mistrust their accountancy staff or any other employees.

March 8th, 2012

Introducing Mobile Threat Expert: Elad Shapira

AVG is delighted to introduce our community to AVG’s own mobile security specialist, Elad Shapira. Elad is part of AVG Mobilation team working as a mobile security researcher. He specializes in Android app coding, penetration tests and mobile device risk assessment.

March 5th, 2012

Information Security Disconnect: RSA, USB, AV, and reality

The world's largest information security event, the annual RSA Conference, is over for another year. Most of the more than 18,000 people who attended the 2012 gathering are probably back home now, getting ready to go into the office. What will be top of mind for them, apart from “How did I manage to survive 5 days of non-stop security-speak?”

This was the twenty-first year the event was held and, if the last 20 years are anything to go by, one thing that most conference attendees are not thinking about right now is the enormous gap between security discourse at the show and security reality down at street level. To illustrate my point I will contrast one unhelpful platitude I heard last week, with something that happened to a friend of mine on the last day of the show, something that directly links data security to life and death.

First, the platitude: “You don't need antivirus any more.” This piece of nonsense was suggested to me in several conversations I had with attendees on the floor of the RSA exhibition hall. It has also been discussed in the Wired article: Is Antivirus Software a Waste of Money?

If you read between the lines you get the picture: Some security experts figure they are safe enough without AV. But listen closely and I doubt you will hear anyone willing to stake their career on advising companies, in a professional capacity, to abandon AV protection. (You also have to wonder exactly what AV software those experts were using that let them down so badly they want to abandon this basic layer of information protection.)

Now to my friend's street-level information security experience. She was walking her dog near the courthouse in a city of considerable size (that will remain nameless to protect the innocent, the guilty, and the accused). On the sidewalk she sees a USB stick and picks it up. Seeing nobody around, and thus unable to determine ownership of the device or any data that it might contain, she takes it home and plugs it into her computer (which is equipped with AV software that automatically scans USB devices when you insert them–she's a security expert but not one of those “you don't need AV” security experts).

There were no viruses on the device, but there were dozens of documents, mainly Microsoft Word .doc and Adobe .pdf files. Judging by the file names she figured they contained some serious legal content. So next comes the moral dilemma: Do I try to open a file or two to determine ownership, thereby risking accusations of “snooping” from the owner when I get their drive back to them? And what is the alternative? It's hard to imagine a classified ad or flyer stapled to the neighborhood telephone poles that says “Found: One USB drive containing over 200Kb of legal documents, please call me if you think it belongs to you.”

My friend did not reveal what was in the two documents she opened, and from which she was able to determine who owned the drive (which has now been reunited with its owner). All she said was: “It was serious stuff, scary life and death stuff that's likely to be in the news soon and frankly I was very uncomfortable that it was in my possession.”

So, as thousands of security experts continue to absorb all they heard at RSA last week about the cutting edge technologies that will take information security to the next level, I'm scratching my head and asking myself: Why were the files on that USB device not encrypted? After all, they were created with two applications that are capable of file encryption: Microsoft Word and Adobe Acrobat.

Ignore the chorus of crypto experts who pipe up saying “those encryption schemes have been hacked.” That is surely not the point. The point is that twenty-one years after the first RSA Conference, big name criminal attorneys and the para-legals they employ don't yet understand enough about information security to take cheap, basic, and practically-effective defensive measures. Makes you wonder just how much of an impact the information security industry has really had.

Perhaps security experts should take a break from grabbing media attention with contrarian views on basic data protection like antivirus software and spend some time talking security to mere mortals at street level. Indeed, maybe it's a good moment for us all to think about the reality of what information security means to most people today. Here's one thing it shouldn't mean: an unencrypted USB key holding someone's life or death, lying on the sidewalk.


February 14th, 2012

Cybercrime, Cyberpolicing, and the Public
