Why NSA spied on inexplicably unencrypted Windows crash reports

The National Security Agency's X-KEYSCORE program gives the spy agency access to a wide range of Internet traffic. Any information that isn't encrypted is, naturally, visible to passive Internet wiretaps of the kind the NSA and other intelligence agencies use. This in turn will typically expose such things as e-mails, online chats, and general browsing behavior.

And, according to slides published this weekend by Der Spiegel, this information also includes crash reports from the Windows Error Reporting facility built into Windows.

These reports tell eavesdroppers what versions of what software someone is running, what operating system they use, and when that software has crashed. Windows also sends messages in the clear whenever a USB or PCI device is plugged in, as part of its hunt for suitable drivers.
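The point above is that the exposure is to anyone on the path, not only to the NSA, so the first check a network owner wants is whether their own hosts are sending crash reports over plain HTTP at all. The script below is an added example, not part of the Ars Technica article: it scans web-proxy log lines in Squid's native format and reports every request to a WER report host that went out over http:// rather than inside a TLS tunnel. The host list (watson.microsoft.com and its subdomains) and the sample log lines are assumptions constructed for illustration; extend the list from your own proxy data.

```python
"""Spot Windows Error Reporting traffic that leaves a network in the clear.

Added example, not part of the Ars Technica article. The WER host list and
the sample log records are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumption: WER report destinations to watch for. Subdomains match too.
WER_HOST_SUFFIXES = ("watson.microsoft.com",)

# Squid native format: ts elapsed client status/code bytes method url rfc931 peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def is_wer_host(host):
    """True if host is a WER endpoint or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WER_HOST_SUFFIXES)


def find_plaintext_wer(log_lines):
    """Return (client, method, url) for each WER request sent over plain HTTP.

    CONNECT tunnels (TLS) are logged as host:port without a scheme and are
    deliberately not flagged: the proxy cannot see inside them, and neither
    can a passive wiretap.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable record; a production job would count these
        url = m.group("url")
        if not url.lower().startswith("http://"):
            continue
        if is_wer_host(urlsplit(url).hostname):
            hits.append((m.group("client"), m.group("method"), url))
    return hits


def clients_leaking_wer(log_lines):
    """Distinct internal hosts that sent at least one plaintext WER report."""
    return sorted({client for client, _, _ in find_plaintext_wer(log_lines)})


# Constructed sample log, not real traffic (TEST-NET addresses for the peers).
SAMPLE_LOG = [
    "1388400001.123 45 10.0.0.7 TCP_MISS/200 2048 POST http://watson.microsoft.com/stageone/report - DIRECT/203.0.113.5 text/xml",
    "1388400002.456 120 10.0.0.7 TCP_TUNNEL/200 5120 CONNECT watson.microsoft.com:443 - DIRECT/203.0.113.5 -",
    "1388400003.789 30 10.0.0.9 TCP_MISS/200 512 GET http://example.com/index.html - DIRECT/198.51.100.7 text/html",
    "1388400004.012 60 10.0.0.9 TCP_MISS/200 1024 GET http://dw.watson.microsoft.com/dw/generic - DIRECT/203.0.113.5 text/xml",
    "1388400005.345 10 10.0.0.12 TCP_MISS/200 300 GET http://notwatson.microsoft.com/ - DIRECT/203.0.113.9 text/html",
    "this line is not a squid record",
]

if __name__ == "__main__":
    for client, method, url in find_plaintext_wer(SAMPLE_LOG):
        print(f"{client} {method} {url}")
    print("hosts leaking crash data in the clear:", clients_leaking_wer(SAMPLE_LOG))
```

Two records in the sample are deliberately not hits: the CONNECT tunnel to the same host, because its contents are encrypted, and `notwatson.microsoft.com`, because a suffix match must respect the dot boundary or unrelated hosts get flagged.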


2014 Threats Predictions: Social Media Changes Keep Users Off Balance

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Aditya Kapoor.

In order to maximize profits, cyberattackers quickly adapt to popular forms of communication; they go where their victims go. Sometimes they even seem to get there first. Every time a new medium gains popularity, fast-moving attackers find the new medium’s flaws and take advantage of its new users. This tactic works because many new services haven’t fully worked out security measures even as their popularity skyrockets.

Email and traditional Internet messaging (Yahoo, Google Talk, MSN, and others) have seen plenty of malware attacks. When we use these “old” systems, most of us know not to open attachments or click on links from strangers. But new systems often seem fresh and different when we first use them.

A survey by McKinsey’s iConsumer report (published by Forbes) confirms the obvious: email usage has been declining for years (36% of users in 2012, down from 42% in 2008), while social media usage rose to 26% in 2012 from a meager 15% in 2008. Overall, people are still communicating primarily by email, but its use continues to drop. More and more people now connect and interact via services such as Facebook, Twitter, Snapchat, Instagram, LinkedIn, WhatsApp, and others. These services are available on any device.

As we flocked to Facebook, it was new and seemed safe. But starting in 2008 and peaking in late 2009, Koobface malware was one of the primary threats against Facebook users. Until it lost steam in 2011, Koobface employed a lot of advanced features in its botnet: using URL-shortening services to send malicious links, hijacking users’ accounts, autoresolving CAPTCHAs, and other methods. Many of these features are still present in similar but much smaller threats.

Three categories of attacks on social media are the most prevalent: data theft, money theft, and profile and network-identity theft. This triumvirate isn’t likely to diminish because its appeal is fundamental to the goals of cybercriminals.

Data theft: malware installation

Social media features change rapidly; many users have a hard time determining what is legitimate versus what is not. Attackers take advantage of the confusion of ever-changing applications and policies. Recently we have seen numerous social-engineering tactics that trick users into installing an application for a service that does not exist. These campaigns use a similar tactic: Users receive an email purportedly from a social media company with a link to a “new” app. After clicking the link, they are asked to download a plug-in, which installs malware and steals information. For example, one recent attack sent an email with a “voice message notification” apparently from WhatsApp. Listening to the message, however, added the user’s machine to a botnet. These methods are not new, but mixing the malware message with social media often confuses users who don’t know what the norm is.

Money theft: spam and scam

Scammers also use fake notification systems that masquerade as updates from social media sites. A notification email apparently from a social media site claims there are unread messages. Clicking the message redirects users to sites selling fake pharmaceuticals, for example. Some users buy these items, sending money to crooks.
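Both lures described so far, the “new app” email that hands out a plug-in and the “unread messages” notification that leads to a pharmacy site, share a structure that a mail filter can test for: the message names a brand, but its sender domain or its links do not belong to that brand. The following is an added example, not code from the McAfee post. It parses a raw message and flags a From: domain outside the named brand, links whose host is outside the brand's domains, and links that hand out an installer. BRAND_DOMAINS is an assumed allow-list and the three messages are constructed samples.

```python
"""Heuristics for fake social-media notification emails.

Added example, not part of the McAfee post. BRAND_DOMAINS is an assumed
allow-list; the sample messages are constructed, not real phishing mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains each brand legitimately mails from and links to.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "whatsapp": {"whatsapp.com"},
    "linkedin": {"linkedin.com"},
}
INSTALLER_EXT = (".exe", ".msi", ".scr", ".jar", ".apk", ".zip")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def detect_brand(msg):
    """Which brand the message claims to come from, judged by Subject and From."""
    text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    for brand in BRAND_DOMAINS:
        if brand in text:
            return brand
    return None


def check_notification(raw_message):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    findings = []
    brand = detect_brand(msg)
    if brand is None:
        return findings  # no brand claimed, so nothing to compare against
    allowed = BRAND_DOMAINS[brand]
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2] if "@" in addr else ""
    if not _in_domains(from_domain, allowed):
        findings.append(f"From: domain {from_domain!r} is not a {brand} domain")
    for url in URL_RE.findall(_body_text(msg)):
        parts = urlsplit(url)
        if not _in_domains(parts.hostname, allowed):
            findings.append(f"link to {parts.hostname!r} is outside {brand} domains: {url}")
        if parts.path.lower().endswith(INSTALLER_EXT):
            findings.append(f"link offers an installer: {url}")
    return findings


# Constructed samples. The "voice message" lure: wrong sender, wrong host, .exe.
FAKE_WHATSAPP = """\
From: "WhatsApp" <notify@whatsapp-voice-alerts.example>
Subject: WhatsApp voice message notification
Content-Type: text/plain; charset=utf-8

You have a new voice message. Install the player and listen:
http://cdn.whatsapp-voice-alerts.example/player/WhatsAppPlayer.exe
"""

# The "unread messages" spam: From: is spoofed to look right, only the link gives it away.
SPAM_FACEBOOK = """\
From: "Facebook" <notification@facebook.com>
Subject: You have 2 unread messages
Content-Type: text/plain; charset=utf-8

Open your messages: http://cheap-pills.example/offer?ref=fb
"""

LEGIT_FACEBOOK = """\
From: "Facebook" <notification@facebookmail.com>
Subject: You have 3 unread messages
Content-Type: text/plain; charset=utf-8

Read them at https://www.facebook.com/messages/
"""

if __name__ == "__main__":
    for name, raw in [("fake whatsapp", FAKE_WHATSAPP), ("spam facebook", SPAM_FACEBOOK), ("legit", LEGIT_FACEBOOK)]:
        print(name, check_notification(raw))
```

The spoofed-From case is the one worth noting: sender authentication (SPF, DKIM, DMARC) is what actually decides whether `notification@facebook.com` is genuine; the link-domain check here catches the message even when the header is forged, which is why a filter should look at both.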

Scammers are quick to use new communication mechanisms and abuse them to generate money or steal personal information. Recently criminals used Snapchat in a pay-per-install affiliate model: Users received nude pictures and, in order to see more snaps, had to download an application; the application's affiliate program then paid the spammer for each installation.

Snapchat has become very popular for the wrong reasons—such as sending explicit images—because the service promises to delete the images after a set time. Recently scammers used Snapchat to show “leaked” pictures; users had to enter their Facebook login credentials to access the information. You can guess where the login information went—to the scammer’s server.

Profile and network-identity theft: Spearphishing on social media

Social media sites like Facebook have done a lot of work to keep their users safe. It is difficult for scammers to post a malicious link to another user who is not in the friend network. But a social network is only as strong as its weakest link: one compromised account can expose the entire friend network, because we tend to trust our friends and what they post. (Security blogger Dancho Danchev writes about one example in “Continuing Facebook ‘Who’s Viewed Your Profile’ Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem.”)

LinkedIn has become fertile ground for attackers. By watching for the updated status of executives or sales people and their new connections, online spies might gain a competitive edge or knowledge of unannounced products.

What’s coming

The social media landscape is changing rapidly, with new services being introduced faster than they can be secured. Scammers and malware authors abuse these services and make the most of them while people are still learning about the new security risks. When the security bar is raised high enough, these scammers move on to newer mass communication methods. Their methodologies and motives remain largely the same.

In the coming year we are likely to see an increase in corporate espionage via social networks such as LinkedIn. It’s a good idea to verify a message even when a known person tries to contact you on a social networking site. A quick IM or email over a channel you already trust, rather than a reply within the same site, is enough to keep scammers at bay.

Scammers will use apps like Poke and Snapchat to prompt victims to “win a free iPad,” for example, by visiting a website within 10 seconds. Some unsuspecting users will give out their information as fast as possible, succumbing to rush tactics.

A continuing worry about social media services is the false sense of privacy they encourage. We will continue to see children and adults become complacent and share private pictures and other information. Parents need to talk to their kids who use social media about safe sharing practices.

In the coming year social media attacks will continue and mature, as attackers find new ways to craft their attacks. We expect spam and phishing attacks will gain momentum. In the corporate world, data about business social networks and contacts will become a more attractive target than passwords or credit card numbers.

2014 Threats Predictions: Everyone Wants a Piece of Big Data

This post is the first in a series of articles that will expand on the recently released McAfee Labs 2014 Threats Predictions. In this and upcoming posts, McAfee Labs researchers will offer their views of new and evolving threats we expect to see in the coming year. This article was written by Dr. Igor Muttik and Ramnath Venugopalan.

Big Data is a popular term. The concept feels important, and menacing, because we know that the amount of knowledge available on the Internet is enormous and it grows at a staggering rate. But data accessible via the Internet is only the tip of an iceberg: The Internet as we know it is only the public part of massive amounts of online data. Knowledge is power; that hasn’t changed. And extensive knowledge (which Big Data provides) leads to a lot of power.

Those of us who often shop online notice that commercial websites are getting better at focused personal advertising; sometimes they identify our interests even before we realize them ourselves. Commercial sites gather and share (often indirectly, via ad providers) information about web pages we visit. In 2014 we expect commercial companies will become more effective and more aggressive in tracking consumers by analyzing the growing Big Data they hold about them. Driven by further adoption of “do not track” functionality in browsers, we foresee an accelerated shift from tracking based on cookies toward fingerprinting based on browsers and behavior. As a result, there will be deeper and wider online tracking and an increasing number of privacy concerns. Unprotected users will continue to lose control over who analyzes and records their online actions and when it happens. Staying anonymous when browsing will be harder next year.
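The shift from cookies to fingerprinting is easier to see in code than in prose. The toy tracker below is an added example, not part of the McAfee post: it attributes requests to visitors two ways, by a tracking cookie and by a hash of headers the browser sends on every request without being asked. Clearing cookies or sending DNT: 1 breaks the first attribution; the second survives, which is exactly why a tracker that wants to keep working around “do not track” moves to fingerprints. The header set, the cookie name `trk`, and the sample requests are assumptions made up here.

```python
"""Cookie-based versus fingerprint-based visitor tracking.

Added example, not part of the McAfee post. The fingerprint header set, the
"trk" cookie name and the sample requests are assumptions for illustration.
"""
import hashlib

# Assumption: attributes used for the passive fingerprint. Real trackers add
# many more signals (header order, fonts, canvas, plugins, TLS parameters).
FINGERPRINT_HEADERS = ("User-Agent", "Accept", "Accept-Language", "Accept-Encoding")


def fingerprint(headers):
    """Stable identifier derived from headers the browser sends unprompted."""
    canon = "\n".join(f"{h.lower()}: {headers.get(h, '')}" for h in FINGERPRINT_HEADERS)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]


def cookie_id(headers):
    """Value of the 'trk' tracking cookie, or None if the jar is empty."""
    for pair in headers.get("Cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "trk" and value:
            return value
    return None


def group_visitors(requests, key_fn, honor_dnt=False):
    """Map visitor key -> request indices. A request with no key is a new visitor.

    honor_dnt=True models a site that really stops tracking on DNT: 1; the
    default models the more common case of ignoring the header.
    """
    groups = {}
    for i, hdrs in enumerate(requests):
        if honor_dnt and hdrs.get("DNT") == "1":
            key = f"untracked-{i}"
        else:
            key = key_fn(hdrs)
            if key is None:
                key = f"unknown-{i}"
        groups.setdefault(key, []).append(i)
    return groups


_COMMON = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
}

# Constructed sample: three requests from one browser, one from another.
SAMPLE_REQUESTS = [
    {**_COMMON, "Cookie": "trk=a1b2c3"},              # first visit, cookie set
    {**_COMMON, "DNT": "1"},                           # cookies cleared, DNT on
    {**_COMMON, "Cookie": "trk=z9y8x7"},              # site re-issues a new cookie
    {**_COMMON,                                        # a different user's browser
     "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36",
     "Accept-Language": "de-DE,de;q=0.8",
     "Cookie": "trk=q1w2e3"},
]

if __name__ == "__main__":
    print("visitors seen by cookie:      ", len(group_visitors(SAMPLE_REQUESTS, cookie_id)))
    print("visitors seen by fingerprint: ", len(group_visitors(SAMPLE_REQUESTS, fingerprint)))
    print("fingerprint, honoring DNT:    ", len(group_visitors(SAMPLE_REQUESTS, fingerprint, honor_dnt=True)))
```

Two browsers produce four requests; cookie attribution sees four visitors (the cleared jar and the re-issued cookie both look new), fingerprint attribution sees two. The caveat cuts both ways: a browser update changes the User-Agent and therefore the hash, so real trackers match fuzzily across many more attributes, and a user who wants to blend in needs a browser configuration shared by many others, not a unique one.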

Security companies are also creating Big Data stores, but the data we gather is very different from the information that commercial interests and cybercriminals seek. Security products do not need personally identifiable information to discover malware, spam, and other intrusions—only the data to uncover new attacks.

Tracking consumers using Big Data is easy. However, discovering new and unknown intrusions is much harder as we deal with professionally organized malware-writing gangs. Despite their efforts, we predict that machine learning and data analytics based on Big Data will improve the discovery of targeted attacks and persistent threats in 2014.

Many large-scale organizations are deploying Big Data analytics, at the cost of millions of dollars, to identify threats within their environments. In 2014 and beyond, however, we expect to see the first signs of evasion maneuvers targeting Big Data analytics, as malware and spam gangs, for example, attempt to poison security telemetry to make their activities less noticeable.

UK CPNI Releases Spear Phishing Paper

Original release date: December 30, 2013

The United Kingdom's Centre for the Protection of National Infrastructure (CPNI) has recently released a paper titled "Spear Phishing - Understanding the Threat;" this document provides guidance on how spear phishing attacks work, whether you are likely to be a target, and the steps organizations can take to manage the risks. CPNI is the UK's government authority for providing physical, personnel and information security advice to critical national infrastructure.

US-CERT encourages users and administrators to review the CPNI document as well as US-CERT ST04-014, "Avoiding Social Engineering and Phishing Attacks."
