Mobile banking and banking trojans

Florence Broderick    13 August, 2013
During 2012 there was an increase of around 28% in mobile banking (M-Banking) operations. Users can access their bank accounts from their mobile devices, mainly through applications created specifically for banking access. What benefits and problems does this new way of interacting with banks bring us?
Source: http://qz.com/79818/why-you-should-access-online-banking-on-your-smartphone-rather-than-your-computer/
Specific applications for accessing bank accounts (downloaded mainly from official app stores like the Apple Store or Google Play, for the sake of security and availability) make our access quicker and to some extent avoid phishing attacks, which are more common in a “browser and link” environment.
But the use of this kind of application involves other risks. Apps are supposed to be reviewed, tested and analyzed before being made available to users. Among other measures, Google Play uses “Bouncer”, an automatic system that dynamically analyzes applications before they are published. Unfortunately, this does not prevent the official store from hosting quite a lot of malware for these devices, hidden in legitimate applications as well as in applications that pretend to belong to real banks but only steal credentials. The Apple Store implements better protection, because its policy is much more restrictive when allowing an application to be uploaded to the store.

So far, we have seen applications that pretend to be the official application needed to operate with a bank from a mobile device. These are usually offered from fraudulent repositories or from the official store (for a short time, until they are detected). But there are other ways. Although not many cases of this kind have been detected, malware already present on the device could try to steal information from the legitimate bank application. To infect the device in the first place, the user has to install an application that contains malware or that “is” malware, although it may also arrive as an email attachment or even from an infected PC. Then, it would be enough to capture keystrokes or the network data sent by the legitimate application.

The guilty ones
Zeus (Zbot) malware, with its multiple variants, is the most popular banking trojan. Programmed in C++ (and PHP for its “server” side), it was first seen during 2007 and was a real revolution in the malware world, given its specialization and its ability to obtain bank credentials on Windows boxes. It has evolved over time, adapting and improving to avoid new security systems.

Zeus could be purchased on the black market for 2500-3000 €, providing a complete information arsenal for “learning to steal”. In addition, scammers may buy extra modules to improve functionality, or even use it as a service, renting infected botnets. In 2011 its source code was leaked, giving rise to other versions maintained by “the community”. SpyEye is a very popular banking trojan too, with quite a lot of plugins and advanced functionality.
Zeus-based malware is constantly improving, as its authors try to make money selling the product. As an example, a new variant of banking malware “as a service” that showed up in 2013 is “KINS” (Kasper Internet Non Security), developed from Zeus and adding SpyEye features.
Source: https://blogs.rsa.com/is-cybercrime-ready-to-crown-a-new-kins-inth3wild/

Malware and phones

While security in online banking improves by integrating the cell phone as a second authentication factor, malware (especially Zeus and its variants) has had to adapt and infect these devices as well. So the term “MitMo” (Man in the Mobile) was coined for a kind of Zeus variant that tried to bypass online banking security by infecting smartphones too, thereby obtaining the SMS used for authentication. The user (whose PC is already infected) is asked to download and run an application on their smartphone. This malware for mobile devices has to work together with the trojan infecting the victim’s system. By themselves, these mobile components are not expected to steal bank information from the smartphone.

But new variants for Android have been spotted, specifically designed to steal from the customers of a particular bank. An alert was raised about a malware sample that, aside from stealing all kinds of information from the smartphone itself, is able to communicate with a C&C server via POST requests. But its most interesting feature is that it is specifically programmed to obtain the bank account balance of users registered with the Russian bank Sberbank (by sending an SMS to a free number available to the bank’s clients). It also intercepts every SMS and call related to this bank. So this may be considered the first approach to a basic feature of PC banking trojans, which have long been programmed specifically for each bank.

At the moment, it has only been detected in Russia, the cradle (along with other Eastern countries) of most sophisticated banking trojans.
 
Antonio Bordón Villar

(re) Introducing Evil Foca (DEFCON Edition)

Florence Broderick    7 August, 2013
Evil Foca was introduced in early April as a tool to make life easier for pentesters and auditors of local networks. In a simple way, and with a very simple interface too, it allows different attacks to be automated, showing how insecure local networks may be “indoors”. Among them:

  • Man In The Middle (MITM) over IPv4 with ARP spoofing.
  • MITM over IPv4 with DHCP ACK injection.
  • MITM over IPv6 with Neighbor advertisement spoofing.
  • MITM over IPv6 with SLAAC attack.
  • Rogue DHCPv6 attacks.
  • DoS (Denial of service) over IPv4 with ARP spoofing.
  • DoS over IPv6 with SLAAC DoS.
  • DNS Hijacking.
Moreover, at DEF CON 21, held a few days ago in Las Vegas, a new version of Evil FOCA (DEFCON Edition) was introduced. The main feature added in this version is the implementation of a fully automated Web Proxy Auto-Discovery attack.

This presentation, quite successful according to some witnesses, showed live what you can get with IPv6 MITM attacks (IPv6 is enabled by default in Windows), and how easy it is to leverage protocol vulnerabilities with Evil Foca.
IPv6 attacks with Evil Foca. New version does not include ads

Slides are available here:


You can now download Evil Foca from here: http://www.informatica64.com/EvilFoca/download.aspx

10 features that the city of the (near) future will have

María Cascajo Sastre    18 July, 2013

The city of the future will provide citizens with a more comfortable life thanks to M2M technology. Some advances are already making their way into our urban environments and many others will come soon. We have highlighted ten features that the city of the future will have. You can see many others in our web-section about Smart Cities.

Smart parking. There will be systems that will alert drivers when there is a free parking spot. Citizens will no longer waste their time looking for a place to park and the city will be less polluted. Did you know that reducing the average time required to park a vehicle from 15 to 12 minutes can cut CO2 emissions by 400 tonnes in a city such as Barcelona?

Intelligent transport system. You probably won’t have to wait to take advantage of this feature. Many public transport systems are already interconnected. This allows different modes of public transport to be coordinated and to provide information in real time.

Tele-care. Some medical consultations will no longer be necessary. There are monitoring systems for patients that keep their doctor up to date when something such as a rise in blood pressure or blood sugar occurs.

Traffic management. Road monitoring systems will inform drivers about which route is best at any given time. They will also automatically manage the traffic lights in order to reduce congestion to a minimum, taking into account the traffic volume at different times of the day.

Smart grids. They will provide the necessary amount of electricity depending on the demand. This way power efficiency will be maximized. Some cities are already testing these systems, such as Málaga.

Smart urban lighting. Why waste energy if nobody is on the street? Smart urban lighting will adjust the intensity of the light depending on how many people are around.

Waste management. Not all places generate the same kind or the same amount of waste. With smart containers and a good fleet management system, the routes can be tailored to any situation. Thanks to this kind of solution, waste collection will be much more efficient.

Smart city maintenance. Citizens will be able to rely on systems to notify the City Council of any damage to urban elements through their smartphones. This way, things will be repaired faster.

Smart taxi. Taxi fleets will be connected and customers will be able to book a taxi with an application. The location system will notify the closest one without the need for human interaction. There are already some mobile applications for taxis, such as My Taxi.

Digital signage. Urban ads will be tailored to each citizen and advertising will provide services. Whereas now we see many concert posters around the city, in the future the customer will have the chance to actually buy the ticket via the billboard.

FaaS: An overview of Pentesting by Design

Florence Broderick    24 June, 2013
Our idea of security differs from what organizations have historically been using. Was that really what they needed? We think that a continuous pentesting system gives an organization an up-to-date review of the state of its infrastructure. One thing is clear: security changes daily, so security reviews every ‘x’ months may not be a good solution.
Our first measure, under the Pentesting by Design model, is called FaaS, FOCA As A Service. What is FaaS? It is a system capable of enumerating, analyzing and exploiting an organization’s assets in order to find security holes that could be exploited by other users with malicious purposes, causing losses to the organization. It is the natural evolution of the FOCA application, Fingerprinting Organizations with Collected Archives. The following image shows a diagram of the model and of what FaaS represents and is able to do.
Figure 1: Diagram of the model
The starting point of our system is three main assets that every company or organization has on the Internet, either explicitly or implicitly through lack of awareness. They are the following:

  • Domains. Domains are the visible face and an important asset in the image of an organization or company. FaaS will study the public domains and gather information about them, enumerating them in such a way that it can carry out a pentesting process on the assets starting from the public domains.
  • Metadata. Documents published on the web by organizations may carry interesting information for inferring how the company is organized, usernames, email addresses, software versions and other data of interest that could be used against the organization, for example to carry out an APT, Advanced Persistent Threat.
  • Services. FaaS will find an organization’s public services and take actions to evaluate their security. Every public service is a critical point of an organization, since a misconfiguration or an outdated application can lead to an intrusion and to the loss of or damage to the organization’s assets.
The system provides a series of modules with which FaaS organizes all the information collected and evaluated through the analysis and exploitation tests on resources. The reporting module is essential so that users can understand everything that has been done on their assets. FaaS prioritizes the notification of vulnerabilities and of security recommendations for configurations classified as erroneous, in addition to enumerating and displaying the assets an organization has.
Figure 2: FaaS modules

Eleven Paths is growing

Florence Broderick    14 June, 2013

Eleven Paths is growing. Apart from the people who joined at the beginning (just two months ago!), we’ve been hiring new employees who will have a key role in every product and service we are planning. Chema described some of the new hires in his post; since Eleven Paths was presented last week we have received many CVs that are being analyzed, thank you for your interest!

Over the next few days seven new employees will join us, but in this post we want to emphasize the hiring of the person who will be responsible for our crazy ideas lab, Sergio de los Santos.
Many of you already know Sergio from his last company, Hispasec, where he was the manager of the SOC, the antifraud service and the early warning service SANA; but maybe you also know him from the famous una-al-día service, a pioneer in the Spanish language that is incredibly popular (if you are not subscribed, please do it now! 😉 )
Actually, there is a unanimous opinion that all his articles have incredible quality (both from the technical and the writing point of view). Sergio has huge experience and knowledge about security, and he has been an influential speaker in many presentations about different aspects of current malware and threats, or about his book ‘Máxima seguridad en Windows’.


Talk by Sergio de los Santos about malware, from a diaz on Vimeo.

Eleven Paths is indubitably happy to hire professionals like Sergio. He will lead our crazy ideas lab from Málaga; this new lab will develop fast and agile prototypes of those ideas we think can change and improve the world. When we talk about such ideas, we get some strange reactions, but we do think there is a huge space for radical innovation in security. Sergio needs help, mainly developers, in Málaga, so if you live nearby and you are interested, do not hesitate to send us your resume!
Welcome Sergio!

Security should be transparent, but ready when needed

Florence Broderick    12 June, 2013

Security should be totally transparent for users; this was one of the key messages we discussed last week during the press conference we held with several journalists when launching Eleven Paths. Nowadays users are overwhelmed with technical words that are hard to understand (VPN, firewall, antivirus, patches, phishing, malware, ransomware, etc.), which make them angrier and, as a result, they tend to ignore any security measures. Security vendors often seem to build products and services only for security specialists or geeks.

Of course we need security products and services for security specialists or geeks, and they will take advantage of those products, but we also need implicit security in any technology, without forcing a user to become a specialist. Criminals know perfectly well that it is easier to target normal users (who use online banking, store sensitive information, connect to social networks, etc.) than an enterprise with tons of security specialists.
During the press conference we visually explained this concept with ‘The Big Bang Theory’ characters: nowadays security is designed for people like Leonard, Sheldon, Howard or Raj, specialists or geeks. But we also want to create products for people like Penny.

I always mention the same example, which I learnt from Hugh Thompson’s keynote at RSA Conference 2012; he perfectly explains the role of security using an analogy with the asymmetric/uneven bars in artistic gymnastics. There is always a person (known as the spotter) who helps the gymnast jump to the bars, and then the spotter appears or disappears depending on the difficulty of the movement; the spotter is always ready to protect the gymnast when needed:
  • The spotter is continuously adapting to the gymnast’s movements
  • The spotter knows the gymnast perfectly and detects when there could be any risk
  • The spotter appears and disappears depending on the gymnast’s needs
Security should be like the spotter: transparent, but protecting the user when needed.

What is the difference between M2M and IoT?

Beatriz Sanz Baños    14 May, 2013

Once a trend, the Internet of Things has become a reality that is changing the world in which we live. However, buzzwords can sometimes lead to confusion and cause questions to arise. So, are IoT and M2M the same thing? What is the difference between them?

Interestingly enough, this same question has spurred a discussion on Quora, and has been tackled by professionals within the industry. Some use both terms interchangeably, whereas others are adamant that they are not to be confused.

First of all, we can be certain that these two concepts do indeed have different meanings. Most conclude that Internet of Things is a broader concept, which will evolve from M2M and other technologies.  

Simply put, Machine-to-Machine is where “Machines” use network resources to communicate with remote application infrastructure for the purposes of monitoring and control, either of the “machine” itself, or the surrounding environment. The potential interconnection of smart objects and the way we interact with the environment is what The Internet of Things is envisioned to be, where the physical world will merge with the digital world.

In an attempt to explain the relationship between both concepts, Matt Hatton compares M2M to the plumbing of Internet of Things. M2M is what provides The Internet of Things with the connectivity that enables capabilities, which would not be possible without it.

M2M with Internet protocols could be considered a subset of Internet of Things and understood from a more vertical and closed point of view. On the other hand, the Internet of Things encompasses a more horizontal and meaningful approach where vertical applications are pulled together to address the needs of many people.

The beginning

Florence Broderick    13 May, 2013

It is widely known that writing the first post is always a difficult task, but it is a compelling one. It’s the start of a new path, and you don’t know where it will end.

At Eleven Paths we are completely sure that we want to enjoy this path and offer products and services that will help you in many of your tasks. Not only have we been working in security for the last 15 years, sharing a clear vision of the needs of companies and of you and me as people, but we are going to take advantage of those more than 15 years of experience to hire the ideal team, the team that will ensure that any product we work on is developed with care and becomes a solution to many of the problems, security-related or not, that we face every day.

Stay tuned, there will be surprises.