attacker
Verizon: Data Breaches Getting More Sophisticated
Via Threat Level.
Methods of stealing data are becoming increasingly sophisticated, but attackers are still gaining initial access to networks through known, preventable vulnerabilities, according to a report released by Verizon Business on Wednesday.
“Attacks are getting more sophisticated and more difficult to prevent,” said Wade Baker, research and intelligence principal for Verizon Business’s RISK Team, in an interview. “The attackers still usually get in the network through some relatively mundane attacks. But once they’re in, they’re getting more and more adept at getting the data they want and getting it effectively and silently. And we seem to be on a plateau in terms of our ability to detect [them].”
For example, while companies have been expanding their use of encryption to protect bank card data in transit and in storage, hackers have begun to use RAM scrapers to grab data during the few seconds it’s unencrypted and transactions are being authorized.
"Evil Maid" Attacks on Encrypted Hard Drives
Via Schneier on Security.
Earlier this month, Joanna Rutkowska implemented the "evil maid" attack against TrueCrypt. The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. Basically, the attack works like this:
Step 1: Attacker gains access to your shut-down computer and boots it from a separate volume. The attacker writes a hacked bootloader onto your system, then shuts it down.
Step 2: You boot your computer using the attacker's hacked bootloader, entering your encryption key. Once the disk is unlocked, the hacked bootloader does its mischief. It might install malware to capture the key and send it over the Internet somewhere, or store it in some location on the disk to be retrieved later, or whatever.
Spoofed Cell Phone Texts Post Malware Threat
Via Threat Level.
LAS VEGAS — Researchers at Black Hat showed how to send spoofed messages to mobile phones that appear to be messages delivered by the user’s mobile carrier.
The hack allows an attacker to send the messages directly from the attacker’s phone to the recipient, bypassing the carrier’s server and therefore any protections the carriers have in place to block spoofed or otherwise suspicious messages.
The attack targets Multimedia Messaging Service (MMS) on GSM networks and could trick users into installing malicious code masquerading as a software update from the carrier or clicking on a malicious link.
Zane Lackey from ISEC Partners and independent researcher Luis Miras discussed how they set up a system to capture the header information in text messages, then used modified headers to send their own specially designed messages to phones on GSM networks.
They were able to spoof messages from any sender, including trusted administrative messages that theoretically only a carrier would send. In the latter case, the messages appear to come from 611, the number carriers use to send out alerts, update notifications and other messages.
Vulnerabilities Allow Attacker to Impersonate Any Website
Via Threat Level.
LAS VEGAS — Two researchers examining the processes for issuing web certificates have uncovered vulnerabilities that would allow an attacker to masquerade as any website and trick the user into providing him with sensitive communications.
Normally when a user visits a secure website, such as Bank of America, Paypal or Ebay, the browser examines the website’s certificate to verify its authenticity.
However, IOActive researcher Dan Kaminsky and independent researcher Moxie Marlinspike, working separately, presented nearly identical findings at the Black Hat security conference Wednesday that demonstrated how an attacker can legitimately obtain a certificate with a special character in the domain name that would fool nearly all popular browsers into believing an attacker is whichever site he wants to be.
The problem occurs in the way that browsers implement Secure Socket Layer communications.
Microsoft probes possible IE 7 phishing hole | CNET News.com
"An attacker can use an error message displayed by the latest Microsoft browser to send Web surfers to malicious Web sites that will display with the address of a trusted site, such as a bank, Aviv Raff, a developer in Israel, wrote on his Web site. Raff included an example where the error message directs the Web surfer to a site of his choice."