Evernote hacked – all users have to change passwords

This is how the nightmare of bad press starts:

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service. As a precaution to protect your data, we have decided to implement a password reset.

More information here.

[Image: evernote]

The strange thing is that not all users received the notification by email.

If you wonder why you can’t log in to Evernote anymore, this is the reason.

The only solution is to try to log in on the website and click the link at the top of the page (marked in yellow):

[Image: evernote-home]

Comparing this data breach with the ones at LinkedIn, Last.fm and others from last year, we can’t help wondering why Evernote didn’t learn from the mistakes of the others.

Simply hashing a password with a salt is by far not enough anymore, although it is definitely better than no salt at all. Even salted passwords can be reversed rather easily when the hash is only MD5. Consider that if the attackers also have accounts at Evernote, they know their own passwords; this means they now have a plain text password together with its salted hash. With enough computation power it is not hard to recover the plain text of all passwords. And because many users re-use passwords across multiple sites, including for the email address itself, imagine the consequences of such a breach.
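As an added illustration of the point about salted MD5 (example code written for this page, not Evernote’s implementation): both schemes below store the salt next to the hash, so the salt gives an attacker nothing to guess; the only difference is how much one guess costs. The sample passwords and wordlist are constructed, and the iteration count is an assumed value that a real deployment would tune.

```python
"""Added example for this page, not Evernote's code: why a salt alone does not
rescue a fast hash. Sample passwords and the wordlist below are constructed."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed value; the knob to tune per deployment


def salted_md5(password: str, salt: bytes) -> bytes:
    """The weak scheme: one fast MD5 over salt || password.
    The salt defeats precomputed tables, but each guess still costs about a microsecond."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """A slow, salted KDF from the standard library: one guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """Record to persist per user: fresh random salt, the iteration count and the hash.
    Storing the parameters lets the cost be raised later without breaking old records."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": pbkdf2_hash(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    derived = pbkdf2_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def guess_cost_ratio(wordlist, salt: bytes) -> float:
    """How many times more expensive one candidate check is under PBKDF2 than under
    salted MD5. This models the scenario in the post: the salt is known (it sits next
    to the hash), so per-guess cost is the only defence the hash itself still provides."""
    t0 = time.perf_counter()
    for word in wordlist:
        salted_md5(word, salt)
    md5_seconds = time.perf_counter() - t0
    t0 = time.perf_counter()
    for word in wordlist:
        pbkdf2_hash(word, salt)
    kdf_seconds = time.perf_counter() - t0
    return kdf_seconds / max(md5_seconds, 1e-9)


if __name__ == "__main__":
    # Constructed demo values.
    record = store_password("correct horse battery staple")
    print("verify ok: ", verify_password(record, "correct horse battery staple"))
    print("verify bad:", verify_password(record, "Correct horse battery staple"))
    words = ["123456", "password", "qwerty", "letmein"]
    print("PBKDF2 guess cost / MD5 guess cost: %.0fx" % guess_cost_ratio(words, record["salt"]))
```

The ratio printed at the end is the whole argument in one number: with the salt already in the attacker’s hands, a salted MD5 database falls to a wordlist at millions of guesses per second, while the slow KDF makes every single guess tens of thousands of times more expensive.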

However, the biggest problem is not the reversing of passwords. It will take a while until someone, if anyone at all, manages to recover them.

The biggest problem is the fact that the emails and the names of the users were taken by criminals. This automatically means spear phishing attacks against these customers. The emails that could be sent would look extremely credible, and because of the press coverage of this event they will look even more so.

I strongly suggest that if you had an account at Evernote, you change your password now and use a strong password that you don’t use anywhere else.

And never click on links in emails that ask you to do something.

Sorin Mustaca

IT Security Expert

Avira users are protected against the MiniDuke Malware (Updated)

If you live on this planet, you must definitely have heard of the new malware that is making use of a zero-day vulnerability in Adobe Reader.

This malware is called MiniDuke, and it is slowly but surely becoming the nightmare of any company:

  • it is polymorphic – there are thousands of variants in the wild.
  • it is using an exploit in a highly popular software product – Adobe Reader.
  • it starts its actions only after the operating system is rebooted, so it cannot be easily associated with an action the user performed just before the infection.
  • the malware copies itself multiple times on the computer, so cleaning it is rather complex.
  • it makes connections to various Command and Control (C&C) servers around the world, so it can’t be easily stopped just by shutting down a few of these servers.
  • it can dynamically find other C&C servers using simple Google searches.
  • it uses Twitter to spread links to other C&C servers.
  • it obfuscates the download of the real payload by first downloading GIF files (small icons).

[Image: exploit code]

All Avira users are protected, and the malicious files are detected as:

- EXP/MiniDukeGif.A – exploited GIF samples

- EXP/MiniDuke.A – exploited PDF samples

- TR/MiniDuke.A – the payload binaries

We were able to find components used in MiniDuke in other malware dating from 2010. Due to the high complexity, the analysis of the samples continues and an update will be posted here.

Because of the huge number of exploit samples, we’re currently working on a generic exploit detection for the PDF and GIF files.
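As an added example (written for this page, not Avira’s detection logic), here is the kind of structural check a generic GIF detection could start from: walk the file’s block structure and report any bytes that follow the trailer. It assumes, which the post does not state, that the payload is carried as extra data appended to an otherwise valid icon; the GIF samples are constructed in the code.

```python
"""Added example for this page, not Avira's detection: a structural check that flags a
GIF carrying extra bytes after its trailer. Assumes (the post does not say so) that the
payload is appended to an otherwise valid icon. Sample GIFs are constructed below."""
import struct

GIF_TRAILER = 0x3B
GIF_EXTENSION = 0x21
GIF_IMAGE_DESCRIPTOR = 0x2C


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a run of length-prefixed sub-blocks ending in a zero-length block."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated inside sub-blocks")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def _colour_table_size(packed: int) -> int:
    """Bytes in a colour table whose presence and size are encoded in a packed field."""
    if not packed & 0x80:
        return 0
    return 3 * (2 ** ((packed & 0x07) + 1))


def gif_trailing_bytes(data: bytes) -> int:
    """Walk the block structure and return how many bytes follow the trailer (0 = clean)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
    pos += 7 + _colour_table_size(packed)           # logical screen + global colour table
    while True:
        if pos >= len(data):
            raise ValueError("truncated: no trailer")
        block = data[pos]
        pos += 1
        if block == GIF_TRAILER:
            return len(data) - pos
        if block == GIF_EXTENSION:                  # label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == GIF_IMAGE_DESCRIPTOR:
            _l, _t, _w, _h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9 + _colour_table_size(ipacked)  # descriptor + local colour table
            pos += 1                                # LZW minimum code size
            pos = _skip_subblocks(data, pos)        # compressed image data
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))


def classify(data: bytes) -> str:
    """Triage verdict for a downloaded 'icon': clean, appended-data or malformed."""
    try:
        extra = gif_trailing_bytes(data)
    except (ValueError, struct.error, IndexError):
        return "malformed"
    return "appended-data" if extra else "clean"


# Constructed 1x1 GIF89a: header, 2-colour global table, a graphic control extension,
# one image descriptor with a dummy LZW sub-block, then the trailer.
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x21\xf9\x04\x00\x00\x00\x00\x00"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02" + b"\x02\x44\x01" + b"\x00"
    + b"\x3b"
)
APPENDED = b"constructed stand-in for bytes smuggled after the trailer"
SUSPECT_GIF = CLEAN_GIF + APPENDED

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("suspect", SUSPECT_GIF)):
        print(name, "->", classify(sample))
```

A real detection would combine this with other heuristics (a plausible icon is a few hundred bytes; an image that decodes as a 16x16 icon but weighs tens of kilobytes is worth a look), but the structural walk is what lets a gateway say "this GIF is not only a GIF" without knowing anything about the specific campaign.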

Update:

An engine update was released adding the generic detection of the payload as “TR/Crypt.XPack.gen” and “TR/Dropper.gen”.

Sorin Mustaca

IT Security Expert

Microsoft, Apple, Facebook victims of Java exploits

We wrote several times that when Oracle quickly fixed the security holes in Java, it did not have enough time to address the source of the problem. This can now be seen more clearly after big names in the IT industry like Microsoft, Apple and Facebook fell victim to Java exploits.


Microsoft communicated yesterday in their security blog that a certain number of computers were infected via a drive-by download caused, as in the case of the other companies, by a Java zero-day exploit.

Even if we feel sorry that such an incident took place at the above companies, there is one lesson to be learned from this: anybody can become a victim. When visiting a specially crafted page that makes use of the exploit, malicious content can be downloaded and executed without consent.

If you haven’t uninstalled Java until now, it is not too late to do it.

Here is described how to get rid of Java.

Make sure you keep your antivirus up to date.

We have good protection for home users and for businesses.

Do not forget that in Microsoft’s case some Macs got infected too. We have free protection for Macs.

Sorin Mustaca

IT Security Expert

The BKA Trojan still spreading through emails containing fake invoices

Even though the fraudsters behind the BKA Trojan (aka Ransom Trojan) have been caught by the police, there are still a lot of emails in circulation spreading the Trojan.

One of these emails drew my attention because it was addressed directly to me and because of the way in which it is constructed.

[Image: hse24-rechnung]

The email pretends to come from the well-known online shopping portal hse24.de, and it is addressed only to the recipient in the From field.

The body contains the first and last name, probably taken from the email address, which makes it very convincing for the unaware user. The same formula is used to name the attachment: a zip archive named “Rechnung <first name> <last name>.zip” / “Invoice <first name> <last name>.zip”.

What is really interesting is that inside the ZIP archive there is another ZIP archive called “Bestellung 16.02.2013 – Rechnung” / “Order 16.02.2003 – Invoice” containing a .com file. A brief analysis shows that this is just a normal executable created with Visual Studio containing the trojan ‘TR/Ransom.Foreign.acdb.1’. This method of packing the malware is very clever, because very few security solutions on gateways, and most certainly no local solution, scan more than one layer deep into nested archives. Using this technique the cybercriminals ensured that the payload passes the security checks on its route to the user’s inbox.
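An added example (not from the post, and not an Avira product) of the recursive layer scanning the post says most solutions skip: unpack nested ZIP archives by content rather than by extension, since the inner archive above carries no .zip suffix, and report any executable members found at any depth. The depth and size limits, the extension list and the sample archive are all constructed for this demonstration.

```python
"""Added example for this page: recursive scanning of nested ZIP attachments.
Limits, extension list and the sample archive are constructed, not from the post."""
import io
import os
import zipfile

# File types that have no business inside an "invoice" (constructed list).
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 5                         # nested-archive levels before we stop and flag
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse members that inflate beyond this (zip-bomb guard)


def walk_archive(data: bytes, prefix: str = "", depth: int = 0):
    """Yield (path, depth) for every non-archive member, recursing into nested ZIPs.

    Nested archives are recognised by content (zipfile.is_zipfile), not by their
    name, because the inner archive in the post has no .zip extension at all."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting deeper than %d at %r" % (MAX_DEPTH, prefix))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError("%r inflates to %d bytes" % (info.filename, info.file_size))
            path = prefix + "/" + info.filename if prefix else info.filename
            payload = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                yield from walk_archive(payload, path, depth + 1)
            else:
                yield path, depth


def find_executables(data: bytes) -> list:
    """Paths (outer/inner/...) of members with an executable extension, at any depth."""
    return [path for path, _ in walk_archive(data)
            if os.path.splitext(path)[1].lower() in EXECUTABLE_EXTS]


def build_sample() -> bytes:
    """Constructed look-alike of the attachment described in the post: an outer ZIP
    with a harmless PDF and an extension-less inner ZIP that holds a .com file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Rechnung.com", b"constructed placeholder bytes, not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Lieferschein.pdf", b"%PDF-1.4 constructed placeholder")
        z.writestr("Bestellung 16.02.2013 - Rechnung", inner.getvalue())
    return outer.getvalue()


def build_nested(levels: int) -> bytes:
    """Constructed archive nested `levels` deep, to exercise the depth guard."""
    data, name = b"constructed innermost payload", "payload.com"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name, data)
        data, name = buf.getvalue(), "inner"
    return data


if __name__ == "__main__":
    print(find_executables(build_sample()))
```

The two guards matter as much as the recursion itself: a scanner that descends into every layer without a depth or inflation limit has simply traded "misses nested payloads" for "can be knocked over by a crafted archive", which is the other reason gateways tend to stop at one layer.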

Avira users don’t have to worry about this: all products detect this file as ‘TR/Ransom.Foreign.acdb.1’.

Sorin Mustaca

IT Security Expert

Improve your security #11: Enable two-factor authentication

It might sound complicated, but remember that with more security, usability (how easy the service is to use) always suffers a little bit. The reward at the end is that you can sleep in peace knowing that nobody will enter your universe unless you want them to.

We have published a couple of articles in which we present, step by step, how to configure this authentication method for the most common services like

For even more security tips, check out the entire series.

Sorin Mustaca

IT Security Expert

Improve your security #10: Make backups

It is said that three things are certain in life: we are born, we pay taxes and we die.

Adding a little bit of IT to this, I can add a fourth certainty: hardware fails. It is only a question of when, not if. And when it fails, you want to make sure that your data is securely stored somewhere you can always access it without too much hassle.

There are many ways to secure your data thanks to cloud services, the affordable prices of hard drives and network attached storage, and the existence of so many free backup solutions.

But what exactly does “backup” mean?

Backup, or backing up, is in IT the process of making a copy of some data with the purpose of being able to restore it in case of data loss (e.g. this is what happens when hardware fails).

How can one make a backup of his data?

There is a simple and a complicated answer to this question.

Let’s start with the simple answer, and if you feel that this solution doesn’t fit you, then read the complex answer.

Simple backups

The simplest backup possible is a synchronization of your files to an external medium like a USB hard drive, a Network Attached Storage (NAS), an FTP server or an online service. Synchronization means nothing else than mirroring your files on the external medium.

A synchronization can be performed in real time or on a schedule.

Real time synchronization means that a service works in the background on your computer and monitors the files that are changed. As soon as it detects that one or more of the files it was configured to monitor have changed, it tries to copy them to the external medium (USB or cloud service). This has the advantage that your backup is always up to date, but it sometimes has the disadvantage of slowing down your computer if you have configured it to back up many folders.

There are many tools that provide real time synchronization, most of them also offering a basic free version. Some examples are Dropbox, Bitcasa, Memopal, CX and others. It is not recommended to have more than one such tool installed and active on your computer, because this will seriously slow down your hard drive and the overall performance of your computer.

Scheduled synchronization means that a sync of your files is only performed at specific pre-configured time intervals or events. For example, you could schedule a backup every day at noon while you are on your lunch break. Or you can schedule a backup for when the computer is idle (usually when the screen saver starts).

You can use several free tools to perform a scheduled synchronization. A nice synchronization tool from Microsoft is called SyncToy, but it can only work with folders on local media like hard drives or shared network folders (in other words, it supports only Samba). If you are a computer geek, you can also give rsync a try.

Complex backups

Simple file synchronization should be enough for most users, but there are cases when you want to back up more data in a secure way. Examples of complex backups are incremental backup, differential backup and reverse delta backup.

In an incremental backup you create a full backup once and several snapshots from that point on, each holding the changes since the previous snapshot. If you want to fully restore the backup, you need to restore all incremental backups back to the full backup, in the exact reverse order.

My favorite tool for creating incremental backups is Duplicati, because it also allows you to encrypt the files before you upload them to the external medium. The great news is that Duplicati comes with support for various media like FTP, Cloudfiles, WebDAV, SSH (SFTP), Amazon S3 and others.

In a differential backup you create a full backup, and each time you create a snapshot, all differences between the full backup and the current state are saved. If you want to fully restore the backup, you need to restore only the full backup and the latest snapshot.

In a reverse delta backup, you create a full backup and then several snapshots that contain only the differences from the full backup.

Perfect examples of such tools are rdiff (the base of CVS) and Apple’s Time Machine.
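An added example (not from the post) that models the three strategies on a toy file set, so the difference in what a restore needs becomes visible: incremental stores the changes since the previous snapshot, differential stores the changes since the full backup, and reverse delta keeps the newest state complete and stores deltas that walk backwards to older snapshots (the model Time Machine and rdiff-style tools follow). The file states are constructed.

```python
"""Added example for this page: a toy model of incremental, differential and reverse
delta backups, showing what each needs at restore time. File states are constructed."""


def diff(old: dict, new: dict) -> dict:
    """Delta that turns `old` into `new`: added or changed files plus deletions."""
    return {
        "changed": {path: content for path, content in new.items() if old.get(path) != content},
        "deleted": [path for path in old if path not in new],
    }


def apply_delta(state: dict, delta: dict) -> dict:
    """Return a new state with the delta applied (never mutates the input)."""
    out = dict(state)
    out.update(delta["changed"])
    for path in delta["deleted"]:
        out.pop(path, None)
    return out


def incremental(states):
    """Full backup once, then each snapshot stores changes since the previous snapshot."""
    full = dict(states[0])
    deltas = [diff(states[i - 1], states[i]) for i in range(1, len(states))]
    return full, deltas


def restore_incremental(full, deltas):
    """Needs the full backup and every snapshot up to the one wanted (here: the latest)."""
    state = dict(full)
    for delta in deltas:
        state = apply_delta(state, delta)
    return state, 1 + len(deltas)


def differential(states):
    """Full backup once, then each snapshot stores all changes since the full backup."""
    full = dict(states[0])
    deltas = [diff(full, snapshot) for snapshot in states[1:]]
    return full, deltas


def restore_differential(full, deltas):
    """Needs only the full backup and the latest snapshot: two pieces."""
    return apply_delta(full, deltas[-1]), 2


def reverse_delta(states):
    """The newest state is kept complete; stored deltas walk backwards in time."""
    mirror = dict(states[-1])
    backwards = [diff(states[i], states[i - 1]) for i in range(len(states) - 1, 0, -1)]
    return mirror, backwards


def restore_reverse_delta(mirror, backwards, steps_back=0):
    """The latest state costs one piece; each older version costs one more delta."""
    state = dict(mirror)
    for delta in backwards[:steps_back]:
        state = apply_delta(state, delta)
    return state, 1 + steps_back


# Constructed history of a small folder: path -> content, one snapshot per day.
DAYS = [
    {"notes.txt": "v1", "photo.jpg": "v1"},
    {"notes.txt": "v2", "photo.jpg": "v1", "budget.xls": "v1"},
    {"notes.txt": "v2", "budget.xls": "v2"},   # photo.jpg was deleted on day 3
]

if __name__ == "__main__":
    results = {
        "incremental": restore_incremental(*incremental(DAYS)),
        "differential": restore_differential(*differential(DAYS)),
        "reverse delta": restore_reverse_delta(*reverse_delta(DAYS)),
    }
    for name, (restored, pieces) in results.items():
        print("%-13s restores the latest state from %d piece(s): %s"
              % (name, pieces, restored == DAYS[-1]))
```

The trade-off the post describes falls straight out of the piece counts: incremental is cheapest to take but needs the whole chain to restore, differential needs two pieces but each snapshot grows over time, and reverse delta makes the most common restore (the latest state) a single copy while older versions cost one delta each.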

No matter which method you use, make sure that you respect the golden rule of backup, which I see as common sense:

Don’t keep your backup in the same place with the files that you backed up.

If something bad happens, you will lose both.

Want to know more about how you can improve your security? Check the full series here.

Sorin Mustaca

IT Security Expert

Didn’t you uninstall Java already?

If you haven’t uninstalled it, then think again about this.

Here is how to uninstall or deactivate Java from your system.

Oracle has announced that with the update on February 1st they fixed only a part of the problems originally planned to be fixed. The second part will be fixed with the update to be delivered on February 19th.

Is this the end of the story?

No, I think this is just the beginning. There will be more bugs, and as we wrote already, Oracle has received various vulnerability reports from security researchers around the world. Their only reaction was to remain silent instead of providing a timeline for when the fixes for those problems will be released to customers.

As a consumer, you definitely don’t need Java on your system. If any website asks for Java, then they didn’t want to take the time to find a serious alternative.

Sorin Mustaca

IT Security Expert

Security 101: February 2013

Nowadays a lot of people shop online, and to do that they rely greatly on internet banking. What precautionary steps or systems are used to make sure users have a secure transaction?

The most important thing is to make sure that your computer is not infected with malicious software. For this you need a security product installed and kept up to date, and full system scans should be performed regularly. If you use a mobile device (smartphone, tablet or notebook) and access the internet via WiFi, make sure that the connection to the wireless network is secured (WPA2 Personal will do). If you perform online banking via a website and not via an app, type the name of the bank yourself and do not use links received from anywhere or saved locally (malware can alter them). Once on the desired website, and before you log in, make sure that the SSL seal shown is the one the original website deploys. You can easily check it by clicking on the small lock icon near the address field or in the bottom-right corner.


As time passes, there will be new viruses going around the internet. How does the antivirus (AV) work to determine whether code is malicious, instead of it being a false detection?

AV developers have a lot of personnel and systems that receive malicious files from different sources. Before these files are blacklisted by the antivirus product, they are checked, either manually or via automated systems, to see if they are really malware. They are also checked against a database of known-good files to ensure that they are not falsely blacklisted. Blocking malware only via a (smart) signature is becoming less and less popular and effective as the number of new malware samples per day increases into the thousands. The newer detection methods are more and more intelligent, making use of heuristic and generic detections which are now tied to cloud-based services. Even with these types of detection systems, the AV programmers also test their products against known-good files in order to avoid most false positives. Last but not least, when the product goes through many changes, public beta tests are also organised to allow the AV developers to gather feedback from the real world.

Old Facebook likejacking scam in use again: “[SHOCKING] At 14, she did that in the public school”

We wrote last year a couple of times about Facebook likejacking scams. A likejacking scam is an attempt to lure Facebook users into clicking on a post in order to see something very interesting. For example, “Dad walks in on Daughter… Embarrassing”, “This spider is brutal”, “Who visited your Facebook Profile”, “I Will NEVER TEXT Again After Seeing THIS!! on CLICK HERE TO SEE.” and many others.

This time, a pretty old trick was used again, “[SHOCKING] At 14, she did that in the public school”.

[Image: facebook-likejacking-again]

Once a user that is logged in on Facebook clicks on the link, he would see this:

[Image: facebook-likejacking-again-site]

Facebook considers the link suspicious, but probably because the link is pretty new, it was not yet blocked at the date of publishing this article. The user is asked via a slide-up at the top of the screen whether he thinks the link is spam or not. Of course, in the hope of seeing a “shocking” image, most users ignore the warning and click on. On the website, the user is prompted to click on a link which would automatically post the picture in the above image on the user’s wall.

In other cases we have seen malware offered for download as a codec needed to view the incredible video.

We recommend that readers do not click on such pictures, no matter who posted them. Don’t forget that your friends might also have become victims of these scams.

Sorin Mustaca

IT Security Expert

The BKA/Ransom Trojan comes now with child pornography (updated)

The so-called “BKA Trojan” (BKA stands for the German Federal Criminal Police), malware which is also known as the Ransom trojan in other countries, has found a more convincing way to fool computer users into paying. Now, together with eight other possible misdeeds, the user is accused of hosting and distributing child pornography material from his computer. The computer is identified via IP address and geo-IP location (see top right corner).

As with the other known variants, the malware locks the user’s computer and asks for 100€ (135 USD) to be paid via UKash or paysafe in order to unlock the computer, not destroy the data on it, and not be condemned and punished. The cybercriminals are constantly trying new texts in order to look as convincing as possible.

The malware is distributed via drive-by downloads as an executable file with temporary names. Once executed, a file with various names and a size of around 53KB is used.

A brief analysis of the malware shows that immediately after execution it sets various registry keys so that the computer no longer starts in the normal way. In this mode the user is forced to pay the ransom. Our tests have shown that with this variant, even booting in Safe Mode and Safe Mode with confirmation will cause a blue screen (BSOD). This means that the only way to remove the malware is to boot the computer via a Rescue System and perform a full system scan and cleanup.

All Avira products detect the malicious files as TR/Winlock.JQ and TR/Ransom.EB.

Update:

Starting with the engine version 8.2.10.246 all variants of the trojan are detected with a generic detection as TR/Dropper.VB.Gen.

Sorin Mustaca

IT Security Expert

Alexander Vukcevic

VLAB Manager, Germany