Community news and analysis: August 2014

Posted on September 9, 2014 - 16:56 by ccondon

The most widely read piece of security news this past month has undoubtedly been the widespread Backoff point-of-sale (PoS) malware family. Backoff is suspected to be the culprit behind several recent data breaches at major companies. US-CERT issued an advisory on 31 July warning that “seven PoS system providers/vendors have confirmed that they have had multiple clients affected,” and that the U.S. Secret Service “currently estimates that over 1,000 U.S. businesses are affected.” Full advisory here.

Our partners have covered this topic in depth, as have other reputable sources in the security community. Below are some sources of actionable information from people we know and trust.

Backoff Malware: What You Should Know (Qualys)

Is Your Point of Sale Machine Protected Against Attacks? (ESET)

6 Tips to Keep Your Data Safe (Sophos)

An Analysis of the Backoff PoS Malware (Fortinet)

Malware analysis

Krysanec Android Trojan disguises itself as legitimate apps (ESET)

Fortinet’s Axelle Apvrille analyses the AdThief/iOS malware that stole revenue from 22 million ads (PDF via Virus Bulletin)

Android “Heart App” virus spreads quickly, author arrested within 17 hours (Sophos)

Two IRCbots: DorkBot and its twin, NgrBot (Fortinet)

Other security news

In support of efforts to encourage the use of SSL across the Web, Google announced this past month that they will begin using HTTPS as a ranking signal. Sites using SSL may get a slight boost in Google’s search rankings, and it’s possible this might increase over time. On the heels of Google’s news, our partners at CloudFlare announced that they’re working on making SSL free for all their customers, including free customers.

If your website is already serving over HTTPS, you can use this free tool from Qualys to test security and configuration. Want more information about what Google’s changes might mean for websites and their administrators? Check out DreamHost’s writeup.

Mozilla: Public key pinning released in Firefox
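Pinning works by committing to the SHA-256 digest of a certificate's DER-encoded SubjectPublicKeyInfo (SPKI) rather than to the certificate itself, so a key can be re-certified without breaking the pin. The following is an added example, not code from the Firefox release or from StopBadware: it computes that SPKI pin with the standard library alone, then builds and sanity-checks the header-based form of pinning (the Public-Key-Pins header), which goes beyond the built-in pins the Mozilla post covers. The RSA key material, the directive names and the helper function names are assumptions for illustration; the modulus is a constructed placeholder, not a real key, since pinning only hashes the encoded bytes.

```python
"""SPKI pin computation and Public-Key-Pins header checks (added example).

A pin is base64(SHA-256(DER SubjectPublicKeyInfo)). The same value is what
`openssl x509 -pubkey -noout | openssl pkey -pubin -outform der |
openssl dgst -sha256 -binary | base64` prints for a certificate.
"""
import base64
import hashlib
import re

# --- minimal DER encoder, enough to build an RSA SubjectPublicKeyInfo ---

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    """Positive INTEGER; a leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)

def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    rsa_oid = bytes.fromhex("2a864886f70d010101")       # 1.2.840.113549.1.1.1
    alg = der(0x30, der(0x06, rsa_oid) + der(0x05, b""))  # rsaEncryption, NULL
    key = der(0x30, der_int(modulus) + der_int(exponent))  # RSAPublicKey
    return der(0x30, alg + der(0x03, b"\x00" + key))       # 0 unused bits

def spki_to_pem(spki_der):
    b64 = base64.b64encode(spki_der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

def spki_from_pem(pem):
    """A PEM 'PUBLIC KEY' block is already the DER SPKI, base64-armoured."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM SubjectPublicKeyInfo block")
    return base64.b64decode("".join(m.group(1).split()))

def spki_pin(spki_der):
    """The pin-sha256 value: base64 of SHA-256 over the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

# --- Public-Key-Pins header: build, parse, check ---

def build_pkp_header(pins, max_age, include_subdomains=False):
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)

def parse_pkp_header(header):
    pins, max_age, sub = [], None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value) if value.isdigit() else None
        elif name == "includesubdomains":
            sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": sub}

def check_pkp_header(header):
    """Return a list of problems; an empty list means the header is usable.
    A pin set without a second (backup) pin can lock users out of the site
    when the deployed key is rotated, so that case is flagged."""
    problems = []
    parsed = parse_pkp_header(header)
    for pin in parsed["pins"]:
        try:
            raw = base64.b64decode(pin, validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 32:
            problems.append("pin is not a base64 SHA-256 digest: " + pin)
    if len(set(parsed["pins"])) < 2:
        problems.append("fewer than two distinct pins (a backup pin is required)")
    if not parsed["max_age"]:
        problems.append("max-age missing or zero")
    return problems

# Constructed placeholder keys (not real keys): pinning only hashes the bytes.
SAMPLE_SPKI = rsa_spki((1 << 511) | 0x10001234567)
BACKUP_SPKI = rsa_spki((1 << 511) | 0x20009876543)
SAMPLE_PEM = spki_to_pem(SAMPLE_SPKI)
SAMPLE_PIN = spki_pin(spki_from_pem(SAMPLE_PEM))
BACKUP_PIN = spki_pin(BACKUP_SPKI)
SAMPLE_HEADER = build_pkp_header([SAMPLE_PIN, BACKUP_PIN], 5184000, include_subdomains=True)

if __name__ == "__main__":
    print("Public-Key-Pins: " + SAMPLE_HEADER)
    print("problems:", check_pkp_header(SAMPLE_HEADER) or "none")
```

The pin deliberately hashes the SPKI and not the whole certificate: a renewed certificate for the same key keeps the same pin, while a new key (which is why the header carries a backup pin that is not in the served chain) yields a different one.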

Automattic acquired BruteProtect, a WordPress plugin and service that protects sites from malicious logins and helps site owners keep their sites updated. Automattic says they intend to build this functionality into Jetpack, which is neat news for the security-conscious WordPress community.

In mid-August, CloudFlare made Tinfoil Security, a service that helps site owners find web application vulnerabilities, available to its customers. The free plan on Tinfoil's pricing tier allows webmasters to check for XSS vulnerabilities.

Plugin vulnerabilities in popular CMSes this month: Slider Revolution for WordPress, Akeeba Backup extension for Joomla, Custom Contact Forms for WordPress (Sucuri).

Community news and analysis: July 2014

Posted on August 4, 2014 - 17:05 by ccondon

July may bring out the summer sloth in all of us, but you wouldn't know it from last month's news cycle. Here's our monthly roundup of security news and malware analysis from our partner community.

Featured news

Google launched Project Zero to ‘significantly reduce the number of people harmed by targeted attacks.’ In the announcement post, Google’s Chris Evans made clear that they’re intentionally not limiting the scope of the project, though they do intend to engage in the traditional practice of hunting and reporting security vulnerabilities. You can follow the Project Zero blog here.

Mozilla is improving malware detection in Firefox: The latest version of the browser will use Google’s Safe Browsing service to check whether downloaded files are listed as malicious. According to the team at Mozilla, tests indicate this feature cuts in half the amount of malware that makes it through to users. Score.

Google is revamping their malware warnings in Chrome. The new warnings have a starker look and tone—take a peek.

Malware analysis

The latest variant of Simplocker Android malware encrypts archive files, demands a higher ransom, and is harder to remove. Get details from ESET here.

ESET also analyzed a new strain of the Win32/Aibatook banking malware, which has been spreading via Japanese adult websites since April 2014. The campaign is tailored against two Japanese banks and uses a Java vulnerability to target Internet Explorer users.

Bad passwords on point-of-sale terminals lead to card-stealing Backoff malware. More from Sophos.

Soraya malware combines Zeus- and Dexter-like techniques: read Fortinet’s technical analysis.

Injected malware redirects mobile users to porn app (Sucuri).

Updates to the Asprox botnet: new C&C command, better encryption. Read more (Fortinet).

Even more security news

How ZeroCMS could have avoided cross-site scripting vulnerability CVE-2014-4710 (Qualys).

The half-life of an IE vulnerability is now 17 days—down from 30 days in 2009 (Qualys).

Still not sure of your botnet terminology? SiteLock has you covered with Botnets 101.

Shylock banking malware C&C infrastructure seized in international takedown operation led by UK’s National Crime Agency (Sophos).

What do carnivals and cybersecurity have in common? We’re not sure, but Internet Identity’s Paul Ferguson ties them together nicely in this short and sweet video on the security advice he’d give CEOs.

Sucuri on backups—the forgotten website security pillar.

Seeking a security research intern in Cambridge, MA

Posted on July 28, 2014 - 17:04 by ccondon

StopBadware is a unique place to work, as any of our staff will tell you. We have roots in academia and branches across the technology industry; we operate in a highly technical space, but our focus is helping people. We're a small team with a huge mission—and we're hiring! 

We're looking for an intern to help drive some of our core research programs for fall 2014 and beyond. This is a one-of-a-kind role with tons of flexibility and room for growth. You'll work with a couple of us in our sunny startup space in Cambridge, Mass.