The list of consumer brands adding two-factor authentication to their consumer accounts under the halo of protecting them from password thieves is growing daily. Apple, Microsoft, WordPress, and Evernote are some of these company to jump on the two-factor authentication bandwagon and trumpet the new levels of safety they’re offering their end users.

What most end users don’t realize is that the biggest benefit of implementing two-factor authentication is often just a public relations one.

There are a variety of two-factor authentication solutions available, and many of these can be just as vulnerable as password-based access systems. For starters, what makes the password so broken is the fact that the shared secret (the password) is stored right where it’s subject to attack (the website). Deploying many types of two-factor authentication doesn’t fundamentally change this model. In most two-factor authentication deployments, a user will be asked to share something else with a site (such as texted code), which will then be stored, again, where it’s subject to attack. Instead of fortifying the security, we’ve actually increased the amount of user information that’s shared.

That second device — the ‘something you have,’ as it’s commonly referred to in two-factor authentication descriptions — should improve security. But there are both usability and security elements working against it:

Usability

Deploying two-factor authentication means issuing tokens or embedding cryptographic keys in user devices, and both of those approaches require user participation. Experience to date has shown that, in cases where two-factor authentication is provided as an option, most users won’t use it —  the security is not worth the pain of the experience. Consumer usage rates are in the low single digits in opt-in models.

If two-factor authentication is suddenly required, many existing website users would find themselves without the necessary means to log in (such as a smartphone or a dongle). That’s a non-starter for consumer sites because it leads to their two least favorite things: increased cost via clogged support queues and declining customer satisfaction and traffic. So they default to the opt-in model and no one uses it.

Security

Most two-factor authentication technologies generate a one-time code for users to then provide to authenticate their identity. But this common implementation is not immune to today’s threats or emerging ones. Cyber thieves use Trojan-horse malware, for example, that tricks a person into approving an attacker’s transaction without knowing it. Malware on users’ phones that intercepts SMS messages and sends them to an attacker is also becoming more common.

Third-party authentication tokens are also dependent on the security of the issuer or manufacturer. Case in point is the March 2011 breach of RSA SecurID tokens. Companies that issued RSA’s two-factor dongles were simultaneously relying on RSA’s internal security. Telecom-based technologies, such as text messaging (SMS), lean on the security of the mobile provider, which is chosen by the user. A service using SMS, such as Facebook’s two-factor authentication, can be vulnerable to any number of telecom providers’ practices regarding reassignment of phone numbers or security of messages.

The swift reaction of many consumer sites to embrace two-factor authentication and their efforts to protect customer information are highly commendable. But this is a complicated problem that can’t be solved by ‘turning on two-factor.’ Until we address the foundational problem of secrets being shared between consumers and the sites they love, we can’t truly safeguard their information.

Jim Fenton is the chief security officer for OneID and is responsible for security design of the OneID identity system as well as oversight of the company’s corporate information security.

Two-factor authentication image via Shutterstock

Malicious search results are a constant problem for search engines, and Google is a whole lot better at filtering them out than Bing.

So says a report from German research firm AV-Test (PDF), which found that Bing served up five times as many malicious sites in search results than Google did over an 18-month period. Out of the 10 million search results delivered by both sites, Google served up 272 potentially nasty sites and Bing returned 1,285.

The situation is somewhat funny given Microsoft’s constant attacks on Google’s search results. But while there’s a lot of room for debate on that topic, it’s tough to argue with the numbers from the AV-Test report: Right now, Google is doing a better job at search than Microsoft is.

But while Bing still has room for improvement, it’s doing a far better job than Russian search site Yandex, which AV-Test says delivered 3,300 bad sites — twice as many as Microsoft’s search engine.

Yandex, understandably, isn’t particularly happy with the report and has many questions about how it the study was performed.

“Yandex uses its own proprietary antivirus technology to protect users from malicious software. Yandex marks the infected webpages in its search results in order to notify users of unsafe content. We just notify users of possible consequences and do not block access to the webpage completely,” the company said in a statement to VentureBeat.

In all, the report shows what should already be clear: The more sites search engines index, the more they have to worry about bad results. And no one has figured out a perfect way to drop that malware number to zero.

The firm released a report today explaining that malware called Winnti targeted the gaming companies with the capability to digitally sign itself in using stolen certificates — a way for it to fly into systems under the radar.

“The group’s main objective is to steal source codes for online game projects as well as the digital certificates of legitimate software vendors,” Kaspersky Lab explained in a blog post. “In addition, they are very interested in how network infrastructure, including the production of gaming servers, is set up, and new developments such as conceptual ideas, design, and more.”

Kaspersky first came into contact with the malware when a “popular online game” contacted security researchers to check out a virus that had spread to its users through an update server. The researchers discovered that the malware wasn’t aimed at attacking individual customers, but rather, it was accidentally distributed after the targeted server became infected.

While researching the virus, Kaspersky discovered that the malware was signed by a stolen digital signature and later determined that this is a specialty of the Winnti Group, as Kaspersky calls them. In order to attack all 35 of these companies, the Winnti Group set up over 100 “malicious campaigns” and different command and control servers per target.

Kaspersky believes that the attackers wanted to steal in-game currency and sell it for real money at a later time. The group also likely wanted gaming source code to find vulnerabilities or pirate games.

The majority of the targets are located in Southeast Asia, though some infections have been reported in the U.S. The researchers found Chinese characters while researching the malware, leading them to believe the Winnti group has Chinese origins or is at least Chinese-speaking.

hat tip Wired; You lose image via Shutterstock

On top of news that Bitcoin digital wallets were causing security headaches for customers, a new piece of malware spread through Skype might be using your computer to mine Bitcoins.

Russian security firm Kaspersky Lab revealed the malware in a blog post yesterday, saying the virus only infects PCs, though similar attacks have infected Macs. The malware is disseminated through Skype messages that social engineer you into clicking a link by saying something like, “I can’t believe this pictures of you!” When you click the link, the malware downloads and starts using up the CPU on your PC.

As Ars Technica notes, “mining Bitcoins” refers to the process of earning Bitcoins for solving a “block,” or a number of encrypted Bitcoin transactions. When that block is solved, the transactions are processed and the solver gets a certain number of Bitcoins as a prize.

The malware is set up to connect a number of PCs to solve these blocks together, automating the process and earning the malware writer more Bitcoins, faster.

Kaspersky said the malware is getting nearly 2,000 clicks per hour. The majority of its victims live in Russia, Poland, Costa Rica, Spain, Germany and the Ukraine, according to Kaspersky. The firm warns that if your computer is running a lot of CPU, you should check to make sure you’re not infected.

Bitcoin image via zcopley/Flickr

When we first heard about the hack on Facebook, Apple, Twitter, and Microsoft that seemed to be connected, it looked like an infected website downloaded malicious software to employee computers when they accessed the site. But now, it seems that more than one infected website targeted specific visitors.

According to The Security Ledger, who spoke with Facebook chief security office Joe Sullivan, three different websites infected his employees’ Macs We know about iPhoneDevSDK, the iPhone development website that was serving malware to visitors, but this involved two other unnamed websites, including one that provided information about Android development.

Sullivan also said that Facebook was able to see a number of other companies infected by the same attack, though he did not name any of them. He did say, however, that the attack was not focused on the tech sector, as you might assume after Twitter, Apple, and Microsoft all reported similar attacks. Instead, it seems that the attack spanned across a number of industries.

The owner behind iPhoneDevSDK explained that he believes the malware writers were able to see what kinds of visitors were coming to the site and target specific people. For example, he wasn’t infected by visiting his own site, but those at Facebook were.

The malware dropped on the Mac computers is believed to be a trojan called Pintsized.A, which jumps into the system and encrypts its communications with the command and control server to make it very difficult to detect.

hat tip Ars Technica; Thumbs down image via Shutterstock

Updated 1:16pm PT

Android and iOS may be battling for the smartphone market crown, but its Android that’s the undisputed king of malware.

So claims a new report from security software company F-Secure(PDF), which says Android was home to 79 percent of mobile malware in 2012. Compare that to iOS, which accounted for less than a percent of the pie, F-Secure says.

The situation sounds pretty dire for Android, and in some ways it is. Android is the biggest target since it has the most mobile marketshare, and third party marketplaces list malicious apps that could siphon off information or send premium SMS messages to steal your money. But the use of “malware” here might be overstated. F-Secure stretches the definition of “malware” to include things like Android test tools (which “may be misused for malicious intent by irresponsible parties”) and “potentially unwanted software,” which could inflate the numbers.

It’s worth noting that F-Secure makes its bread by selling software to help counter the sort of threats its reporting. Not everyone feels F-Secure’s analysis is indicative of Android’s overall safety.

For a one take on this sort of stuff, consider this 2011 Google+ post from Google engineering manager Chris DiBona (found via a comment in TechCrunch’s own story on F-Secure’s report):

Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM, or iOS, you should be ashamed of yourself.

If you read an analyst report about ‘viruses’ infecting iOS, Android, or RIM, you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence.

Being a Google engineering manager, however, DiBona is obviously biased as well.

The point is that there are clear issues with the F-Secure report and other reports like it. Without firm numbers, clear definitions, and specified threat sources, reports such as F-Secure’s could be considered FUD. But it’s important to note that there are real reports of Android malware, and we can’t outright dismiss them.

I’ve reached out to F-Secure for comment on the criticism, but a PR rep said that the company is “unavailable to respond at this time” due to it being nighttime in Finland, where the company is based. We expect to have more details on these unanswered questions soon.

SAN FRANCISCO — Symantec uncovered a new, earlier version of Stuxnet today, the malware that attacked Iran’s nuclear systems in 2010. This version, Stuxnet 0.5, predated the Stuxnet we all know, and it was created four years earlier than we expected.

Stuxnet 0.5 was active between 2007 and 2009, though Symantec researchers were able to trace its origins back to 2005. The Stuxnet we are familiar with was first created in 2009.

“We are now entering close to the end of the first decade of weaponized malware,” said Francis deSouza, Symantec’s president of products and services, who spoke at the RSA conference in San Francisco today.

The malware that later attacked Siemens SCADA systems controlling the motors in the Natanz nuclear facility originally attacked the valves that controlled a certain type of gas released into the centrifuges.

The earlier version was disseminated through infected USBs and sought out Siemens Step 7 project files. The malware was officially taken offline January 2009 when it stopped communicating with its command-and-control servers, but traces of it can still be found within Step 7 files on computers around the world.

It was built in part on the Flamer platform, the same one built, of course, Flame. The Russian security firm Kaspersky Lab discovered Flame last year and quickly called it one of the most sophisticated cyber-espionage tools ever.

The later version of Stuxnet was moved to the Tilded platform, relating it to Duqu.

Further differentiating itself, this Stuxnet 0.5 was slightly less sophisticated in that it didn’t move from system to system exploiting a vulnerability in Windows.

Nuclear plant image via Shutterstock

Facebook announced that it was hacked in a blog post today after some of its employees visited an infected mobile developer website in January. The company says it has found no evidence that the breach affected user data.

“They gained limited visibility into our systems,” Fred Wolens, a spokesperson for Facebook, told VentureBeat in an interview, “We’ve accelerated our program to disable Java in our environment.”

The company explained in the blog post that the laptops that were infected were “fully patched” and ran the most up-to-date antivirus software prior to the infection. It is currently working with law enforcement to dig into the hack’s details. The malware came through another issue with Java, the programming language that Oracle recently patched to fix a number of other issues. The Department of Homeland Security even recommended that people uninstall Java since hackers were finding new holes often.

“After analyzing the compromised website where the attack originated, we found it was using a ‘zero-day,’ previously unseen exploit to bypass the Java sandbox (built-in protections) to install the malware,” said Facebook in the blog post. “We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”

Facebook has not specified who the attackers are, and it very well may not know. The company does, however, say that it was “not alone in this attack” and that it wanted to tell the world about this hack quickly so that others can start their own remediation.

hat tip AllThingsD; Thumbs down image via Shutterstock

Iran is claiming that Stuxnet, the powerful virus that infected its nuclear power facilities in 2010 is back on the attack, targeting other power and governmental systems in the past few months.

The reports come out of Iranian news organization ISNA, according to the Associated Press, which quoted Iran’s provincial civil defense chief Ali Akbar Akhavan as confirming the events. Akhavan reportedly went on to say that the attacks were focused on Iran’s province of Hormozgan, including a power plant located there. The issue was supposedly mitigated by Iran, and suspected to be of U.S. and Israeli origin given that the virus Stuxnet is the suspected culprit.

Iran’s Culture Ministry may have also been a target, according to the New York Times.

Stuxnet is a computer virus that attacked Iran’s nuclear power plants systems in 2010, specifically the computers that controlled the fueling of its nuclear power plants. The attack was later believed to be a joint U.S. and Israel project as a result of growing fears that Iran was building nuclear weapons.

The virus attacks “SCADA” systems, or supervisory control and data acquisition. These systems control major physical infrastructure such as power plants, prison door systems, and electrical grids more. Stuxnet attacks SCADA specifically, shutting down the processes they control. SCADA systems are a scary target, as they control very important entities. For example, one researcher discovered that by hacking a SCADA system, he could open all the prison doors on a maximum security prison.

It is not uncommon to see malware reappear in the wild with slight tweaks that help it fool barriers put up against it. It has not been confirmed, however, whether the Stuxnet virus was behind these attacks.

Power plant image via Shutterstock

The FBI arrested 10 people associated with the a crime ring pushing the malware Yahos, according to an announcement today, saying the malware affected over 11 million people. Facebook’s security team helped the FBI by identifying both the criminals and the victims.

Yahos is a type of malware that steals bank account information, credit card numbers, and other personally identifiable information to siphon off money from its victims. Various criminals using Yahos have also created botnets to distribute the malware. The botnet Butterfly was shut down in connection to these arrests after lifting over $850 million from people around the world.

Facebook became involved in the fight after botnets also targeted the social network. As Ars Technica notes, the botnet spammed Facebook users with links leading to the malware. The malware then pretended to be a video plugin that needed installing. According to the FBI, Facebook was able to detect the infections, alert users, and otherwise “provide tools” for them to use in clean up. It was affected between 2010 and October 2012, which may indicate that the botnet was quietly shut down that month.

The 10 arrested individuals came from a number of different countries including the United States, Boznia and Herzegovina, Croatia, Macedonia, the United Kingdom, New Zealand, and Peru.

The FBI went on the recommend that consumers turn off a computer’s Internet access when it is not in use to minimize the risk of unwanted activity.

We have reached out to Facebook and will update upon hearing back.

Dead butterfly via jimmiehomeschoolmom/Flickr

Dave DeWalt — known for his big personality, top-secret government clearance, and work as former chief executive at McAfee — is taking over as chief executive for security company FireEye today.

“I’ve had a lot of CEO opportunities since  McAfee and this was the best I’ve seen,” said DeWalt in an interview with VentureBeat. “I’ve watched FireEye for many years. From McAfee, I thought it was tremendous technology. It made me a little nervous.”

DeWalt has served as chairman for FireEye since June and says he wanted to spend some time close to the company before jumping on as chief executive. Prior to this, he helped steer Intel’s acquisition of McAfee during his time at the antivirus company and has since advised the White House on the National Security Technology Advisory Council. Ashar Aziz, the founder and former chief executive of FireEye will step into the chief technology officer role.

DeWalt told me he wants to lead the company to an initial public offering as soon as possible. When I asked if he’d like that to happen by the end of 2013, DeWalt said, “Or sooner, it all depends. I believe the company is prepared for an IPO as soon as now. [But] with the fiscal cliff going on … probably not right now. First half of 2013, maybe we wait until the second half of 2013.”

FireEye protects businesses from malware and protects emails and files by watching viruses’ behavior. Traditionally, businesses used antivirus software that only looked at a signature, or a part of the malware that identified what it was. It then blocked known malware and kept the system safe from the threat. The only problem with this sort of protection is that malware changes quickly. Malware writers are well aware that if they change the identifier of their virus, they can easily slip through the anti-virus cracks.

What FireEye does is it connects your company’s network up to virtual machines, or separate computers that live in the same physical servers. The technology learns how your systems and apps work, what a normal day is like for them, and then watches for anything weird. Before anything is allowed into your network it passes through the virtual machines. If something is, in fact, weird, FireEye blocks it from ever entering the system.

“FireEye in a lot of ways has done with Palo Alto [Networks] has done, created an uber-box that sits on the perimiter, sits in the cloud, that lets us watch behavior in real time,” said DeWalt.

Palo Alto Networks is a firewall company that recently went public. The company’s technology also sits on the perimeter (as firewalls do) and only allows certain parts of an application to enter the network based on the IT department’s permissions.

“We’ve got tremendous head room and growth. We even announced some faster numbers than they had,” DeWalt said.

FireEye was founded in 2004 and is based in Milpitas, Calif. The company has taken funding from Sequoia Capital, Norwest Venture Partners, and Juniper Networks.

Dave DeWalt photo via FireEye

A special White House investigation couldn’t find any evidence of Chinese spying through Huawei telecommunications systems, according to Reuters‘ sources, though the U.S. recently warned businesses using the vendor that it “cannot be trusted to be free of foreign state influence.”

This comes after the White House investigated Chinese telecommunications vendors Huawei and ZTE last week, saying American companies should look for other partners for their communications needs. It seems the government issued this warning not based on evidence that the companies were spying for the Chinese government, but rather for the security vulnerabilities that already exist in their products.

The U.S. government fears that these vulnerabilities may open doors for hackers (likely from any nation state) to come in and siphon off data from Huawei’s customers.

Soon after the report was initially released, Huawei responded, calling the claims “baseless suggestions” that “recklessly threaten American jobs and innovation, do nothing to protect national security, and should be exposed as dangerous political distractions.”

The Chinese Commerce Ministry also stepped in, saying the government was playing with “suggestive guesswork.” It seems, however, that while the U.S. can’t prove Huawei is guilty of spying on Americans, the security issues are enough of a threat when a seemingly increasing number of cyber attacks in the U.S. are traced back to Chinese IP addresses.

Huawei image via HuaweiPress/Flickr

It sucks when viruses clog your PC, slow it to a crawl, and generally make your life miserable. But what if it put your life in danger? With medical facilities all around the United States running outdated software that can’t install new security patches, that very well may become the case.

According to the Technology Review, 664 medical machines at Beth Israel Deaconess Medical Center in Boston ran outdated operating systems that it could not upgrad despite that many older Windows operating systems are huge targets for malware.

The main issue is that the manufacturers of medical equipment don’t often allow the hospitals to upgrade their operating systems or patch security holes, said Kevin Fu, a researcher and associate professor at the University of Massachusetts, Amherst, at an industry conference last week. The fear here is that if the hole is patched, or the software somehow changes, that the device will no longer be FDA complaint. If it isn’t FDA complaint, a hospital can’t use it. But the huge downfall is that without these security updates and the latest operating systems, malware is literally slowing down the machines that doctors and nurses are using to save lives.

Botnets, or strings of computers that can be controlled to launch mass attacks or otherwise work in unison for the hacker’s profit, are a particular problem for hospitals.

Indeed, Fu says its “not unusual” for these machines to not perform properly, the hospitals relying on a “fallback model,” otherwise known as someone watching over the patient. Malware hinders the devices to a point where they can no longer record data.

As the Technology Review points out, hospitals don’t have to report security issues unless someone has actually been hurt as a result of the device’s malfunction. In 2009, the FDA also encouraged hospitals to work it out with the manufacturers themselves.

via Technology Review; Hospital image via Shutterstock

Researchers announced a new malware called miniFlame today that may be monitoring and stealing data from specific, highly profitable victims. It is a sister to the Flame malware that made headlines earlier this year.

The malware was found by Kaspersky Lab after it discovered and began monitoring the command and control servers of Flame. It recorded communications between Flame and the command and control servers as expected, but there was a separate, unexpected entity communicating with the same server. That turned out to be miniFlame.

MiniFlame is an extension of cyber espionage malware Flame in that it can be used as a plug in but is also capable of operating as its own entity. Kaspersky says it is a “high precision, surgical attack tool” that is likely reserved for bigger, more profitable targets. Indeed, researchers believe that Flame has infected up to 6,000 people, while miniFlame has only attacked around 60 people, or one percent of Flame’s pool.

The malware is one of the four strains of viruses Kaspersky found after analyzing code from Flame’s command and control servers. There, researchers discovered communications protocols for IP, SPE, SP, and FL. “FL” was quickly identified as Flame. SPE is today’s miniFlame. Kaspersky says SP is likely an older version of SPE. IP is yet to be found and is the youngest of the four.

Flame was discovered earlier this year and was quickly labeled one of the most advanced cyber espionage tools known. It targets the Middle East and is packed with modules that all perform some sort of spying technique such as turning on the computer’s microphones to record audio and taking screen shots when certain communications apps are open such as email or Skype. Gauss was found soon thereafter targeting systems in Lebanon, specifically programmed to steal bank account login credentials and other associated data.

Gauss can also use miniFlame as a plug-in, which strengthens the idea that the Flame and Gauss malware writers were in some way connected. When Gauss uses miniFlame, however, it refers to it as “John.”

Flame is similarly connected to the Stuxnet and Duqu viruses, as it shares a separate module with the two.

MiniFlame doesn’t target specific regions, but there are several variations of miniFlame that target places like Pakistan and Iran. There have also been some cases found in France. Thus far, researchers have only found six of these variants but believe there are up to six more. Those currently under watch were created between 2010 and 2011, though the protocol for miniFlame, SPE, was created in 2007.

Unlike Flame or Gauss, the creators of miniFlame can control the computer it infects through a backdoor miniFlame sets up. Once in it listens to commands that all go by names. These include:

• Fiona: Writes files to the machine
• Sonia: Data stealing, sends files back to the command and control servers
• Sam: Puts the computer to sleep for “specified amount of time”
• Barbara: Takes a screenshot if a specific application is open

Others include Elvis, Eve, Drake, Charles, Alex, and Tiffany.

How miniFlame actually gets installed onto victims’ computers is still unknown. Researchers believe it could be deployed from the command and control server when Flame and Gauss infect the system, though it can operate without the aid of Flame and Gauss.

hat tip Wired; Candles image via Shutterstock; Flame command and control server image via Kaspersky Lab

Rovio’s Bad Piggies game may not be available via Google Chrome, but that isn’t stopping bad guys from creating fake, malicious versions of the app and putting them in the Chrome Web Store.

Data protection company Barracuda Networks discovered and installed a number of the purported Bad Piggies games and discovered that they were indeed up to no good.

While all of the Bad Piggies apps listed in the Chrome Web Store are fake, some do something different, injecting ads into popular pages like MSN.com and IMDB.com when Chrome users navigate to them.

For the record, this sort of activity isn’t a violation of Google’s program policies: Google does allow developers to display ads alongside web pages as long as the activity is declared to users.

But it gets worse. Turns out that some of the apps also require permissions to “access your data on all websites,” which could allow them to access Chrome users’ passwords and other sensitive info.

These kinds of fake apps are nothing new, but in spite of that, it’s telling that Chrome users continue to install them. (It’s also telling that Google allows them to stay online.) Barracuda Networks says that as of Oct. 2, 80,000 Chrome users have installed the ad-injecting plugins.

Of course, the defense against these sorts of extensions remains the same: Check the permissions. A browser extension should be able to do just a small subset of things, and in most cases, checking your data on all websites isn’t one of them.

We’ve reached out to Google for comment and will update when the company responds.

Sometimes it’s hard to imagine just how contagious a botnet can be, and then sometimes you see them from space. Security researchers at F-Secure created this look at ZeroAccess botnet infections today, across the United States and the world.

Image if each one of those red triangles represented the flu. That’s essentially what they are, little indications of virtual wheezes and sneezes your computer is suffering from under ZeroAccess’s infiltration. The botnet was first discovered in 2010, and continues to evolve and pop up in the hundreds of thousands around the world.

It is considered a trojan, downloaded when a person visits a secretly compromised site. Once installed on the computer, it pushes advertisement pop-ups to the user, and will redirect browsers to advertising websites. The malware writers make money off of the advertising, and for every installation that can trick people into.

While the botnet isn’t new, the representation shows just how real and destructive a botnet like this can be. Its creators are smart enough to change the malware frequently to make sure it gets through anti-virus software.

As per usual, people should be careful about what websites they visit, vetting links and pop ups to make sure they’re trustworthy. ZeroAccess, like most malware, is generally distributed on “high risk” websites, such as pornography sites, but can also be found on legitimate websites that have been compromised.

Don’t hold your breath for a vaccination.

Flame, the malware related to the infamous Stuxnet that hit Iranian nuclear systems in 2010, may have three sisters in the wild, according to new research by Russian security firm Kaspersky Lab.

Kaspersky Lab first announced the existence of Flame in May, saying it was deployed around two years prior in 2010, and had already affected thousands of computers. Work may have even started on the malware as early as 2007. It targeted a number of countries in the Middle East, and was called one of the most advanced cyber espionage tools to date.

Since May, Kaspersky Lab has been studying Flame’s command and control servers, or the server that receives any data Flame steals and regularly communicates with the malware. When researchers first accessed the command and control server’s dashboard, they immediately assumed it was created by “script kiddies,” or young, inexperienced hackers. The writers also avoided using what Kaspersky calls “professional terms,” including bot, botnet, infection, or malware-command. Instead, they used words like backup, blog, and download. Kaspersky realized that the simplicity of the C&C home as well as the verbiage used was meant to trick anyone who might have audited the server.

In addition to learning about how the malware writers configured their “home base,” Kaspersky also found logs that displayed the nickname of the hacker, along with when the hacker did work on the C&C. Researches hid the nicknames in its analysis report, but provided the initials O, D, H, and R, indicating that there were four separate developers. Each had a different job and accessed a different amount of files within the system .

The four hackers also built four protocols, which communicated with different “clients,” or pieces of malware.

“A close look at these protocol handlers revealed four different types of clients codenamed SP, SPE, FL and IP,” said Kaspersky in its analysis. “We can confirm that the Flame malware was identified as client type FL. Obviously, this means there are at least three other undiscovered cyber-espionage or cyber-sabotage tools created by the same authors: SP, SPE and IP.”

What these three do and whether they are currently active is unknown.

The Flame virus, however, is enough to indicate what the sisters could do. While active, Flame unpacked 20 different modules that spied on the infected computer in different ways. It could tell when you had a communication app open, such as GMail or instant message, and take periodical screen shots to record your conversations. Flame could also turn on the computer’s microphone to record audio happening in the vicinity.

hat tip Wired; Fire equipment image via Shutterstock

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

A report from Duo Security found that over 50% of Android devices have unpatched vulnerabilities.

Duo Security offers two-factor authentication for mobile phones. This finding was based on a vulnerability assessment conducted by Duo’s mobile app called X-Ray, which scans mobile devices for security gaps. The app became available to consumers a couple of months ago and has since collected information from over 20,000 Android devices.

The results are concerning, considering that hackers and malware can exploit these gaps to gain control of phones, and considering carriers are notoriously slow at fixing vulnerabilities.

Duo’s CTO will be presenting the full study tomorrow at Rapid7′s United Summit conference in San Francisco. He promised to follow up next week on the company blog with full results, statistical methodology and the company’s plans for X-Ray in the future. Read his blog post.

Companies like Google have to be especially cautious when it comes to security. They build out whole departments dedicated to protecting its internals tech, so it’s no wonder the search giant bought its own little security company today, VirusTotal.

The company announced the acquisition in a blog post. It did not disclose terms of the deal.

Virus Total is free for everyone to use and attempts to help the regular consumer detect malware without having to install software. You simply enter a file or URL on the company’s homepage and click “Scan It!” VirusTotal’s technology sifts through the information and reports back to you whether you’ve got safe content or something that might have malware in it.

It’s a simple but really helpful tool. But you shouldn’t use it for sensitive documents, as VirusTotal will share that content with security professionals to analyze as well.

Is your helpful tool going the way of so many services that get bought by the big guys? No. It seems Google plans to keep the technology up and running, and, in return, gain from the employees’ expertise in the security industry. The two were partners prior to the acquisition.

“Security is incredibly important to our users and we’ve invested many millions of dollars to help keep them safe online,” a Google spokesperson told VentureBeat in an e-mail. “VirusTotal also has a strong track record in web security, and we’re delighted to be able to provide them with the infrastructure they need to ensure that their service continues to improve.”

via Mikko Hypponen, hat tip The Next Web; Computer image via Shutterstock

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Toll fraud — no, it’s not driving through the E-ZPass lane when you pay cash. It’s a growing threat to your smartphone, and it’s one of the biggest of the year, according to a recent study by security company Lookout Mobile.

“It’s abundantly clear that toll fraud is taking over,” said Derek Halliday, Lookout Mobile’s lead security project manager in an interview with VentureBeat. “Malware developers are following the money and that’s something you can expect them to do. The money is in toll fraud. It’s the simplest way for a malware writer to steal money.”

You know those commercials that say, “Text 555555 to get a new ringtone everyday!”? When you text to that number, a trusted chain of about five steps happens:

1. A customer texts the number, alerting an aggregator — working for the ringtone provider — that he wants to order daily ringtones.
2. Through the aggregator, the ringtone provider sends a confirmation text message to the customer (or sometimes two depending on that country’s regulations) to the customer.
3. That customer approves the charges and starts getting ringtones.
4. The customer is billed through his wireless carrier.
5. The wireless carrier receives payment and sends out the ringtone payment to the provider.

Make sense? Here’s how the malware, notably the most popular form called FakeInst, works:

1. A customer downloads an app that sends out an SMS message to that same ringtone provider.
2. The ringtone provider sends the confirmation message, but instead of reaching the smartphone owner, the malware blocks and confirms the text message before the user ever knows.
3. The malware writers further jumps in between the wireless carrier and the ringtone provider, pretending to be an aggregator, and collects the money you just paid through your bill.

Toll fraud strains such as FakeInst are also able to get past antivirus software by masquerading as a new and unique piece of malware. Antivirus software comes packed with a knowledge bank of what different malwares look like and receives updates as new malware is found. But Fakeinst’s malware writers are able to sneak past antivirus walls simply by inserting a new element, such as an image, into the code. It makes the malware just different enough that the antivirus software can’t detect it.

The majority of phones infected have been Androids, but that’s likely because Android phones are able to download apps from anywhere, as opposed to iOS devices, which only accept apps from Apple’s App Store. But that doesn’t mean your iPhone isn’t susceptible.

“In general the method of fraud — and toll fraud in particular — can be cross platform,” said Halliday “Anything that’s able to send a message.”

And protecting yourself against toll fraud really comes down to some simple measures. Halliday suggests your should check your phone bill, be aware of what you’re downloading, and to make sure the marketplace you’re downloading from is trusted.

The bulk of those affected by these types of attacks are not in the United States. Eastern Europe and Russia are the countries being hit the hardest right now. This may be due to lax regulations on confirmation text messages or a variety of unsafe application marketplaces.

That’s only dealing with hackers interesting in making money off of you, however. What about the threats that users face when it comes to those that break into devices for moral or political reasons. Hacker collectives such as Anonymous often take down websites and steal information to make a point more than to profit.

“The trends we’ve seen over the past year do point to people who are trying to make a buck. That’s far and away the biggest trend we’ve seen. When you look at things like hacktivism and the risk … I think it all comes back to what the average user’s exposure to those types of risk is.”

Halliday says people should employ “a healthy degree of skepticism” in all their activities online, but for now toll fraud just might be a bigger threat.

Images via Lookout Mobile

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Getting your data back might cost you big time. Same for not having “those pictures” spread all over the Internet. And that’s just one of the new attack vectors targeting Android phones in the past few months, according to security firm McAfee.

Source: McAfee

Malware samples found so far

Mobile malware tracked by McAfee has exploded this year, growing almost 700 percent over 2011 numbers. Almost all of it, perhaps 85 percent, targets smartphones running Android.

The attacks range from the traditional and fairly well known email-with-bogus-attachments to the downright Machiavellian: drive-by downloads. Similarly to desktop drive-bys, simply visiting a site initiates the attack.

Once they’re in, your data can be held hostage as “ransomware” threatens deletion — or publication — unless you pay up.

Users still need to authorize an install, but as McAfee says, “when an attacker names the file Android System Update 4.0.apk, most suspicions vanish.” That’s because it looks like an official update to the Android operating system.

In the past three months alone, McAfee has seen 2.7 million new websites on 300,000 new domains that are either infected or created specifically by malware authors to trap the unwary.

The big surprise in the huge increase on Android isn’t that Android is being attacked: Google’s smartphone platform has been a key focus for the bad guys for some time. The big surprise is that Google has not managed to stem the tide in any significant way.

Source: McAfee

Mobile malware by platform … where’s iOS?

Security concerns on Android should not be news to Google, and Google should be putting security at the top of its list of priorities. But Google’s Bouncer software, which is supposed to be protecting users by scanning apps on Google Play for any malicious code or behavior, often appears to be asleep at the switch and easily fooled.

Shades of London Olympics Widget, anyone?

Even worse, Bouncer can only scan Google Play, the official Android app store, not Amazon’s Android market, or any of the other Android markets that appear.

That’s bad news for Android users, bad news for Android, and bad news for Google. McAfee’s “Total Mobile Malware by Platform” graphic doesn’t even show Google’s biggest competitor in the smartphone war: Apple’s iOS.

See that tiny purple sliver? IOS is buried in there, somewhere. Security is so tiny an issue, in spite of a recent SMS spoofing issue, an in-app purchasing problem, and one discovered Trojan on the app store, Apple doesn’t even get its own slice.

The answer can’t just be the standard “educate the users.” The users aren’t going to get it on their own.

Google needs to do more to ensure its mobile platform is safe and secure.

photo credit: kk+ via photo pin cc

Oracle patched the hole in Java 7 that allows hackers to secretly download malware to your computer today in an uncharacteristic update to its software, according to Forbes. But it seems the company knew about the issue far longer than the rest of us.

Oracle usually only pushes out updates to its Java software on a quarterly basis, and many did not expect the company to provide a patch for this hole. Indeed, researchers suggested people who did not need to use Java should turn it off just in case. But while the patch is a positive step toward protecting Java users, security researchers at Security Explorations are saying that they told Oracle about the issues four months ago.

The security firm released a list of all the vulnerability reports it supposedly sent to Oracle in April, as well as confirmation that the Java creator received the bug reports. In it, Oracle says it received the report, and pushes a code update in June, but “continues to investigate” other existing issues into August.

The vulnerability in Java 7 Runtime allowed malware writers to push viruses to both PC and Mac computers since both are compatible with the software. It reminded researchers of the Java vulnerability that enabled the Flashback virus that forced Mac users to realize that the Apple-made computers are not impervious to malware. Exploits seen in the wild, however, only attacked PC computers, more than likely because PCs are a larger, more profitable market for hackers.

People “caught” the virus by visiting infected websites. The malware executed a download when the webpage opened, and it did not give any signals that it was downloading other than a few people who saw a “loading” sign over a java icon pop up and disappear.

The vulnerability was even being sold as part of an exploit kit in the hacker underground market. Find the patch for the hole on Java’s website.

via Forbes; Oracle HQ image via Mark Coggins/Flickr

A newly discovered vulnerability in Java 7 may let hackers attack Apple computers, bringing back memories of the recent Flashback trojan that may have been stealing up to $10,000 a day in ad revenue.

The hole was found in Oracle’s latest Java 7 runtime and exploits are already seen using the vulnerability to attack Windows PCs. The virus enters a computer when the user visits a website. That’s it. The website may appear blank, but in the background, the malware is downloading to the computer. According to CNET, some may see the word “loading” over the Java icon for a second.

Because the malware takes advantage of a hole in Java 7, it could lead malware writers to attack Mac systems that also use Java.

“Exploit kits” are now being sold in black markets that include the vulnerability — meaning we could see some real malware taking advantage of the hole soon.

The vulnerability nods to the Flashback trojan, which some say affected hundreds of thousands of Mac computers earlier this year, and gamed Google to steal advertising revenue in searches. The trojan helped Mac users realize that though Apple products have been predominately the “safer” option between a Mac and a PC, they aren’t invincible. Flashback also exploited a hole in Java, which was later patched by Apple.

As CNET notes, Oracle only updates its Java runtime software once a quarter and doesn’t often deviate from that pattern. Thus, the only way to really ensure your safety against the vulnerability is to fully uninstall Java 7. This may be a pain for some who use it regularly, and for third parties may come out with patches of their own. But otherwise, it’s probably a good idea to take it offline before someone really exploits the hole.

via Cnet; Oracle image via Peter Kaminski/Flickr

Researchers at security firms Kaspersky Lab and Crysys Lab released tools today to detect if your computer is infected by the Gauss virus, a piece of malware that focuses on stealing bank account login credentials.

Gauss was discovered yesterday by Kaspersky Lab, and its function is to steal access credentials to Lebanese banks. These include the Bank of Beirut, BlomBank, EBLF, ByblosBank, Credit Libanais, and FransaBank. It also steals information for Citibank and PayPal. On top of that, the malware grabs browser history, cookies, passwords, system configurations, and more. Researchers have not been able to get much information about the builders themselves, as the command and control servers were shut down, leaving the malware in limbo.

Gauss is related to a number of high-profile viruses including Stuxnet, which became famous after attacking nuclear plants in Iran in 2010, and its sister malware, Duqu. It is also related to the recently infamous Flame, which has been referred to as a major advancement in cyberespionage.

Gauss and Flame are closer together in relation. Kaspersky says the two share nearly identical features and were built off of the same code base. The firm says Stuxnet’s creators probably worked closely with those of Gauss and may have even shared source code.

Find the Kaspersky detector here and the Crysys detector here.

via The New York Times; Image via Shutterstock

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

Kaspersky Lab announced that it’s discovered a new piece of malware that specializes in obtaining login information for bank accounts in the Middle East. It’s called Gauss and is linked to Flame, Stuxnet, and Duqu.

“Gauss is a complex cyberespionage toolkit, with its design emphasizing stealth and secrecy; however, its purpose was different to Flame or Duqu,” said Kaspersky Lab chief security expert Alexander Gostev in a statement. “Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.”

Kaspersky found the malware after digging deeper into Flame, a virus uncovered in May that was billed as one of the most advanced cyberespionage tools to date. Researchers said the malware has “striking resemblances” to Flame in the way it was designed. It seems Gauss shares the same source code from which Flame was built. But its actions are slightly different. While Flame installed a keylogger, turned on the computer’s microphone to record audio, and monitored “communications apps” such as IM, Gauss is focused on obtaining financial information.

Gauss is tailored to steal “access credentials” to Lebanese banks, which include the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and Credit Libanais. Non-Lebanese entities that are also targets include Citibank and PayPal. This information, along with browser history, cookies, passwords, system configurations, and more, is sent back to the command and control servers. The malware, however, is in a veritable holding pattern since the command and control servers were shut down in July.

Kaspersky estimates that the number of infections are in the tens of thousands, but as of May around 2,500 infections were recorded. This is lower than Stuxnet, but higher than Flame, which Kaspersky says had around 700 infections.

In June, Kaspersky linked Flame to Stuxnet, the famous malware that hit Iran’s nuclear infrastructure in 2010. Many of Flames functions looked identical to those of Stuxnet’s, spurring Kasperky to dig deeper into the connection. Now the research firm says the two may have had creators that worked closely together, even sharing some of the same source code.

Gauss is the latest member of the family.

hat tip Wired; Image via Shutterstock

With cybercrime on the rise, it’s become increasingly important to protect organizations against it. Bit9 combats advanced persistent threats that standard virus protection software, like McAfee and Symantec, do not.

The technology uses real-time sensors, monitoring, and application control to protect endpoints and servers from malicious attacks. The “whitelisting” feature allows only trusted programs to run and blocks banned software. If a breach occurs, Bit9 Parity will lock down the system so no new software can run.

This is the largest round in Bit9′s history, just about doubling its total funding raised over previous rounds. The company has grown 100 percent each year for the past two years and currently protects more than 700 organizations across multiple industries, like education, finance, enterprise, government, healthcare, retail and utilizes, from cyber attacks.

Bit9 is based in Waltham, Massachusetts.

A purported Iran scientist working for the Atomic Energy Organization of Iran e-mailed an SOS to F-Secure Chief Research Officer Mikko Hypponen this weekend, saying the AEOI was under a cyber attack.

Hypponen, who is well-regarded in the security community, published a blog post this morning saying he can’t confirm the details, or even existence of the attack, but he can confirm that the e-mails were being sent from within the AEOI.

It sounds like the AEOI may have been hit with an infrastructure-targeting malware attack, similar to those that have plagued the Middle East since 2010 starting with Stuxnet. However, there’s no independent confirmation of this attack’s existence.

According to the e-mail, the malware shut down the AEOI “automation network” in its Natanz and Fordo facilities. The “scientist” specifically mentions Siemens hardware, which could be a reference to SCADA systems, or control systems that electronically monitor and power various pieces of industrial infrastructure. These systems were targeted by the Stuxnet virus that brought down part of Iran’s nuclear fuel systems in 2010. He also mentions that the malware turned on computer’s volumes to high and blasted what appeared to be ‘Thunderstruck’ by AC/DC. Cyber criminals have to have a little humor too.

Iran has been the target of quite a few new pieces of malware this year, including the latest Flame malware that many describe as one of the biggest advancements in cyber espionage to date. The virus comes with 20 different modules that, when unpacked, spy on the infected computer, sending data back to its command and control servers. It detects when you’re using a communications app such as IM or Gmail, and takes screenshots to record your conversation. It can also turn on the computer’s microphone and record audio in the vicinity, sniff network traffic, log your keystrokes, and more.

Some say the U.S. and Israel came together to create Flame — the same is said of Stuxnet.

A similar piece of malware called Madi was also uncovered recently. Madi enters the system through phishing e-mails. When an attachment in the e-mail is opened and installed, Madi opens up a decoy Word Document or PowerPoint presentation, while quietly downloading the malware in the background. Like Flame, the trojan knows when a communications app is open and takes screenshots, as well as records audio, and logs keystrokes.

Both Flame and Madi attack critical infrastructure firms and government entities.

Whether or not this new attack is real, whether it is associated with either malware, and whether this is a new strain, are all still unknown. See the full e-mail below:

I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am scientist not a computer expert.

There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing ‘Thunderstruck’ by AC/DC.

We have reached out to Hypponen and F-Secure and will update with more information upon hearing back.

Image via Shutterstock

A new piece of malware called Madi is spreading in the Middle East, and it has a number of the same characteristics as the Flame virus — known to be a major step in cyber-espionage.

The year-old malware comes in the form of a phishing email, which social engineers, or dupes, unsuspecting recipients into opening an attachment. Once open, the malware installs on your system and a real Word document or PowerPoint presentation pops up to make the viewer believe the attachment was legitimate. In one of these cases, the Word document showed an article titled, “Israel’s Secret Iran Attack Plan: Electronic Warfare” by The Daily Beast. Another attachment opened a PowerPoint file (see image above) with “serene images.” The malware in this case was executed on the victim’s system as they paged through the presentation.

The malware is named Madi after the text file it downloads (mahdi.txt) and a number of other places the name is found within the virus. “Mahdi,” as Seculert points out, is a word referencing the savior in Islamic tradition.

Seculert observed the malware’s transmissions to the command and control servers, which occasionally communicated using Farsi. The command and control servers were based in Canada, though Seculert traced early transmissions from the virus back to an original server in Iran.

Madi is capable of keylogging, recording audio, taking screenshots when a communications application (such as IM) is open, and harvesting other types of data from the infected computer. This is very similar to the recently popularized Flame virus. Flame was discovered by Kaspersky Lab, a Russian security analyst firm that is also working with Seculert on Madi. Flame, on the other hand, has already been touted as one of the major pieces of malware to be afraid of today, showing what cyber-espionage can really do.

Kaspersky reports that Madi targets Middle Eastern government entities, “critical infrastructure engineering firms,” financial institutions, and places of research.

Kaspersky is coming out with a second profile of what the malware can do. We will be on watch for any developments.

Image via Kaspersky Lab

With more than 900 million monthly active users, Facebook has become a significant attraction for app developers. But that considerable user base has also attracted another, less desirable group: malware and virus writers.

Facebook has caught onto this, which is why it’s introducing Malware Checkpoint, a new security feature that’s meant to make it easier for users to remove malware threats before they spread on the social network.

Here’s how the feature works: Once a Facebook user suspects his computer has been infected with malware, he can opt into Malware Checkpoint, and Facebook will lock his account. Users can then run either McAfee’s Scan and Repair or Microsoft’s Security Essentials. Facebook will then allow them to once again access their accounts.

During the process, Facebook prompts users with a fairly informative bit of text: “Often, users who are infected with malware are tricked into running a malicious program, which infects their machine with malware. Remember, you should never run programs from sources that you don’t trust.”

Malware Checkpoint is the latest in a series of anti-malware measures Facebook has taken in recent months. In April, Facebook introduced the Anti-Virus Marketplace, a portal that offers users anti-virus products from Microsoft, Sophos, and others.

Facebook’s goal is clear: Make the platform more secure by making it easier for users to protect their systems. The big question is, of course, whether putting the tools directly in the hands of users will make them more or likely or less likely to take control over their own security. That’s a concern for any major platform (just ask Microsoft), and it’s a sign of maturity that Facebook is now moving to answer it itself.

Image credit: Lightspring/Shutterstock

Hundreds of thousands of people will likely be kicked off the Internet next week when the FBI shuts down servers hosting the “DNSChanger” virus.

The group behind the DNSChanger virus, which affected some 4 million computers around the world, was shut down in November by the FBI, but the virus still persists on many PCs. In the last stage of the FBI’s Operation Ghost Click, it will shut down temporary DNS servers on Monday, July 9. When those servers are shut down, it will kick off anyone who still has the DNSChanger virus on his or her machine.

There are still an estimated 275,000 infections around the world, a considerable drop from the 650,000 machines that were still infected in November. The drop can be attributed to efforts by the FBI and computer security companies, which have prompted people to check for the virus and remove it.

If you are concerned about your computer having the virus, Trend Micro has instructions for both PC and Mac users to check for it.

Image credit: John David Bigl III/Shutterstock