100’000 .ch domain names are secured with DNSSEC!

Imagine you want to visit your online banking website «www.example-bank.ch». Now, instead of getting the correct IP address your computer gets manipulated information and connects you to a website that is owned by a criminal. You wouldn’t notice but disclose your online banking credentials to the attacker.

Luckily, DNSSEC is here to help. The extension of DNS protects you from being misled and helps you reach exactly the address you typed into your browser. A complex cryptographic process makes sure, that you’re always at the right place.

100’000 .ch domain names are signed with DNSSEC

In late December 2019 the .ch zone achieved a milestone with 100’000 DNSSEC secured domains. DNSSEC adds digital signatures to DNS answers and helps to mitigate attacks on DNS name resolution.

The percentage of .ch domain names that are signed is still below 5%, but is rising thanks to a few registrars like Infomaniak, OVH, Firestorm and netzone that sign domain names for their customers by default. The number of DNSSEC signed .ch domain names rose 54% from 1.1.2019 to 1.1.2020.

By January 1st 2020 the .ch zone contained 100’065 domain names that are secured with DNSSEC

Top .ch domain names are just average regarding domain name security

Continue reading “100’000 .ch domain names are secured with DNSSEC!”

DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System

Attacks on the DNS System

Cyber attacks on the DNS system are not new. Cache poisoning, Domain Hijacking and BGP injections of routes to public DNS resolvers happen regularly, but they usually don’t get much attention as they target the Internet’s core infrastructure and are not directly visible to end users in most cases. This time it was different. The recent widespread DNS hijacking attacks on several Mid East, North African and European and North American governments and infrastructure providers, published by Ciscos Talos showed that DNS attacks are a real threat to cyber security. Netnod, one of the affected infrastructure providers issued a statement, that called, amongst other domain security mechanisms, for the implementation of the DNS Security Extensions (DNSSEC).

The analysis of these attacks also convinced the Internet Corporation for Assigned Names and Numbers (ICANN) that there is an ongoing and significant risk to key parts of the System (DNS) infrastructure. ICANN issued a call for “Full DNSSEC Deployment to Protect the Internet” across all unsecured domain names.

The question is if these attacks and the awareness that DNSSEC is an absolute essential base layer protection for domain names had some effects on the Implementation of DNSSEC Switzerland?

More DNSSEC signed domain names

As a ccTLD operator SWITCH publishes the number of DNSSEC signed .ch and .li domain names every month. While the number of signed domain names is still very low at around 3-4% we see a rise in the numbers of signed domain names for two years now.

Continue reading “DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System”

Retefe with a new twist

A few months ago, we blogged about the banking trojan Retefe (Blog post in German) that was and still is targeting Switzerland. First off, Retefe is different because it only targets Switzerland, Austria and Sweden (and sometimes Japan). Contrast this to many other banking Trojans, which have a much more global and dynamic target list. Not only that, but the Retefe infrastructure also prevents computers from not affected countries to connect to its systems by using geo-location aware access lists and filters. The second unique property of Retefe is the fact, that it only modifies the operating system by adding a fake root certificate and by changing the DNS server for domain name resolution. After infection, the installer removes itself, which makes life hard for anti-virus software trying to detect a malicious Retefe component or activity.

Since a few days, Retefe is back again with a new twist. It still targets the same countries and the same banks. Not too exciting, the spam campaign has changed. However, in this wave Retefe is picky and only installs itself on selected computers. And some icing to the cake, it also installs another malware called DOFOIL. In this blog post, we give a technical analysis of the new Retefe.
Continue reading “Retefe with a new twist”

Swiss economy makes online security its priority

Switzerland is one of the safest countries in the world. To make also the Internet a secure place in Switzerland, the Swiss online economy has started the Swiss Internet Security Alliance (SISA). The goal of the alliance is to make Switzerland the “cleanest” Internet country in the world! The organization launched an online security check today which allows internet users to clean and protect their systems.

Offering more security
The founding of the Swiss Internet Security Alliance is a sign of its members’ commitment to making the Internet a secure place in Switzerland. The association brings together expert knowledge from representatives of various sectors and promotes information-sharing amongst competitors.

Overcoming challenges together
The Swiss Internet Security Alliance focuses on its main assets – the knowledge, experience and technical expertise of its members. Its members asut, Centralway, credit suisse, cyscon Schweiz, Lucerne University of Applied Sciences and Arts, Hostpoint, Migros Bank, PostFinance, Raiffeisen, Sunrise, Swisscard, Swisscom, SWITCH, UBS, upc cablecom and Viseca have longstanding experience in dealing with online security. The association is open to other interested parties. More information can be found in the press release:

https://www.switch.ch/about/news/2014/sisa.html

Comprehensive security check
Upon founding the association, the Swiss Internet Security Alliance is launching a security check. The Swiss Security Check provides protection on three levels.

Users with outdated or incorrectly configured software who are therefore subject to a security risk, will find this out within seconds.
If there is suspicion of malware, the malware cleaner helps with the diagnosis and resolution of the problems.
A cyber vaccine completes the protection and keeps electronic pests at bay.

The Swiss Security Check is free and can be accessed here:
http://www.swiss-isa.ch

Please follow @swiss_isa on Twitter!

Retefe Bankentrojaner

E-Banking ist seit seiner Entstehung ein attraktives Tummelfeld für Betrüger. Oft wird auf spezielle Schadsoftware, auf sogenannte Bankentrojaner, zurückgegriffen, um arglosen Opfern Geld abzuziehen.

Die meisten dieser Bankentrojaner basieren auf technisch betrachtet ziemlich komplexen Softwarekomponenten: Verschlüsselte Konfigurationen, Man-in-the-Browser-Funktionalität, Persistenz- und Updatemechanismen, um einige zu nennen. Im letzten halben Jahr hat sich eine gänzlich neue Variante behauptet, welche erst im Februar 2014 einen Namen erhielt: Retefe. Nur wenig wurde bis an hin publiziert, einer der Hauptgründe ist sicherlich, dass die Schadsoftware nur in wenigen Ländern (CH, AT, SE, JP) agiert und nur einige ausgewählte Banken angreift. TrendMicro (Blogartikel: Operation Emmental (DE), (EN)) und SWITCH-CERT möchten hiermit nun etwas detaillierter über diesen Trojaner berichten.

Das Besondere am Retefe Bankentrojaner ist seine Schlichtheit. Das infizierte System wird wie folgt manipuliert:

Auf dem PC des Opfers wird der Eintrag des DNS-Servers auf einen bösartigen DNS-Server geändert.
Auf dem PC des Opfers wird ein gefälschtes Root-Zertifikat installiert, siehe auch unser kürzlich veröffentlichten Blogartikel zu diesem Thema.

Nach der Infektion löscht sich die Installationsroutine selbst. Ausser dem manipulierten System bleibt nichts zurück, was es schwierig für Antiviren-Programme macht, im Nachhinein eine Infektion festzustellen.

An Eleganz ist diese Schadsoftware schwer zu übertreffen: Sie verzichtet auf die in der Einführung genannten Softwarekomponenten und minimiert damit die Komplexität. Es scheint auch, dass es aus Betrügersicht heutzutage ökonomischer ist, schlicht und einfach neue Opfer-PCs mittels Spam-Kampagnen zu infizieren.

Wie sieht der Modus Operandi konkret aus?

Modus Operandi eines möglichen Schadenfalls

Continue reading “Retefe Bankentrojaner”

IT-Security-Links #58

Troopers14: 27 talks from this years Security Conference Troopers are available online….
HITB2014: …as well as a choice of presentation slides from Hack-in-the-box…
IPv6 Security: …and the recently held IPv6 Business Conference.
Kasperky has uncovered the Luuuk banking fraud campaign which stolen half a million euros in a single week from a single bank.
Phishing goes Mobile: Hackers have trojanized a legitimate Mobile Banking App and redistributed it on Google Play.
Update on the “legal” spyware tool “Remote Control System”: Kaspersky discovered a number of related mobile malware modules and 326 Command & Control Server.
Security experts reproduce NSA’s Advanced Network Technology catalog using off-the-shelf components.
A Swiss Google alternative: Swisscows.ch is a new search engine which promises “No tracking“.
A 20-year-old integer overflow vulnerability in the LZO compression algorithm – used by many scientific and open source projects – has finally been patched.

IT-Security-Links #44

“Tomdep”-Malware: Symantec has discovered a worm-type threat which targets servers running Apache Tomcat.
Brute force attack: Github faced a Brute force password-guessing attack. Github did a reset of passwords and personal access tokens and informed their users.
Internet route hijacking: Renesys published a blog post about ‘Targeted Internet Traffic Misdirection’.
LG Smart-TVs phone home: The british IT consultant Jason Huntley discovered that his TV talks to LG servers everytime he changes a channel – even after he disabled the ‘Collection of watching info’ option. LG says that’s not personal information.
Forensics: Sandro Süffert published a comprehensive slideset on Memory Forensics for Windows, Mac and Linux.
Awareness: The website eBanking – but secure is now also available in a smartphone optimized version.
Ransomware: According to Microsoft, Ransomware is on the rise, especially in Europe.

German:

Offenbar gab es einen Einbruch in das Netz des EU-Parlaments: Hacker konnten demnach ohne grossen Aufwand auf vertrauliche E-Mails und persönliche Dokumente zugreifen. Ein Grossteil der EU-Politiker verwendet immer noch Windows XP.

IT-Security-Links #39

FBI warns of bank-robbing Beta Bot malware that disables antivirus.
Biometrics are not safe: iPhone 5S fingerprint sensor hacked by Germany’s Chaos Computer Club
ENISA presents in a 5-page paper a first “taste” of current developments related to the Threat Landscape 2013.
F-Secure released their 50-page Threat Report for H1/2013. It’s about the latest trends, incidents and developments in malware.

German:

Bund bricht Überwachungsprojekt ab: Grössere Probleme bei der Ablösung des Lawful Interception Systems (LIS) des Bundes.
Paypal-Sicherheit: Erfahrungen mit dem “Paypal Bug Bounty Programm” und der Behebung von Sicherheitslücken beim Zahlungsdienstleister.

IT-Security-Links #38

How should you react after NSA Bullrun program revelations? Focus on your companys security practices! Recommendations from information security and cryptography experts.
Banking-Malware: Hesperbot (or Hesperus) is a newly discovered and sophisticated malware that steals user information, mainly online banking credentials. Vikas Taneja analyzed a recent binary.
Vodafone-Hack in Germany: Phishing attacks are likely after an insider stole personal information on as many as two million (mobile-) customers.
CISO/CRO: Should the Chief Information Security Officer also be Chief Risk Officer? A discussion about the different roles in an enterprise.
‘Connected Mobility’: George Reese on authentication flaws in the Tesla Model S.

German:

Das Bundeskriminalamt in Österreich stellte am Donnerstag seinen Cybercrime-Report 2012 vor. Mit mehr als 10.000 hat sich die Zahl der angezeigten Fälle im Vergleich zum Vorjahr mehr als verdoppelt.

IT-Security-Links #37

E-Banking: A new banking trojan called ‘Hesperbot’ has been discovered targeting online banking users in Turkey, the Czech Republic, Portugal and the United Kingdom. The aim of the attackers is to obtain login credentials and to get victims to install a mobile component of the malware on their Symbian, Blackberry or Android phone.
Tor & Malware: The number of Tor users has more than quintupled over the last weeks. Researchers from the Dutch security firm Fox-IT traced the Tor traffic to a botnet, known as SBC, using the “Mevade.A” or “Sefnit” malware families. Tor can be used to hide C&C servers.
Mobile Malware ‘Obad’: How does this malware get onto mobile devices? Kaspersky has discovered four basic methods used to distribute different versions of Backdoor.AndroidOS.Obad.a.. And for the first time malware is being distributed using botnets that were created using completely different mobile malware.
NSA & Snowden: According to documents revealed by Edward Snowden, NSA and GCHQ – the US and British intelligence agencies – have successfully cracked much of the online encryption. Bruce Schneier says, Government and industry have betrayed the internet – and us. And he suggests five ways to stay safe.
Android Tools: The Infosec Institute published a list of Security and Hacking apps for Android devices.

German:

Gravierende Mängel: Die Geschäftsprüfungsdelegation des Schweizer Parlaments hat einen Bericht zur Informatiksicherheit im Nachrichtendienst des Bundes (PDF) veröffentlicht. Auslöser war ein Datendiebstahl vergangenen Jahres. Die Delegation stellt dem Geheimdienst und dem Verteidigungsdepartement kein gutes Zeugnis aus.

IT-Security-Links #23

Phishing: Patrick Nelson at Technewsworld wrote about 6 steps how to identify and deal with bogus banking e-mails.
IE8 Exploit: If you (still) use Internet Explorer Version 8, note that a newly discovered vulnerability is being actively exploited. MS published an advisory and released an intermediate “stopgap” fix. (CVE-2013-1347)
Ransomware: botfrei.de is reporting a new wave of ransomware infections. The malware downloads illegal pictures to the victims harddisk. Read how to get rid of the malware and the pictures.
Online Banking: Read why to chose a Web-based platform for mobile banking instead of a Mobile app.
Watering Hole Attacks are an attractive alternative to Spear Phishing, Jaeson Schultz explains on the Cisco blog.

Update:

‘The Onion’ explains how its Twitter account was hacked.

German

Der aktuelle SWITCH Security- und Privacy-Report 4/13 (PDF) ist online.

IT-Security-Links #18

U.S. banking institutions are now in the fifth week of distributed-denial-of-service attacks. Read the Lessons learned on bankinfosecurity.com
A more or less new malware called “Darkleech” infected thousands of Apache servers. The attackers retain control of the servers they infect by replacing the SSH daemon with a modified one. Read in the sucuri.net blog how to identify the infection.
Advanced Persistent Threats get more advanced, persistent and threatening. At least according to John Leyden who reviewed FireEye’s latest advanced threat report.
Even security professionals have bad password security habits. That’s the result of a survey done at RSA Conference 2013.

German:

Der SWITCH-CERT Security- und Privacy-Report (PDF) für März ist zum kostenlosen Download verfügbar.
Wie man USB-Sticks mit TrueCrypt verschlüsselt, dazu gibt es auf botfrei.de eine neue Anleitung.

IT-Security-Links #17

The anti-spam organization Spamhaus faced a large DDoS attack the last days – probably after blacklisting CyberBunker IPs. Cloudflare who helped mitigating the attack reporting about it in their blog quite proudly. And Russia Today did an interview with CyberBunker spokesman Kamphuis, who claimed that “Spamhaus is a major censorship organization“.
VSkimmer: McAfee revealed a Trojan for sale that can steal credit card information from card readers connected to Windows PCs.
“Internet Census 2012”: An anonymous researcher published the results of an “Internet Census” – an internet-wide IPv4-scan conducted misusing 420,000 insecure embedded devices connected to the public internet. “This is one of the few situations where a botnet is formed with good intentions“, Rapid7 admits in their blog.
“Security Awareness Trainings are a waste of time.” – An interesting standpoint from Bruce Schneier.
Palo Alto just published their “Modern Malware Review” (PDF), a review of it can be found at TechWorld.

IT-Security-Links #13

Cybersecurity company Mandiant Corp published a 74-page report that purportedly traced a series of cyberattacks on U.S. companies to a Shanghai-based unit of the Chinese army.
According to Seculert some hackers in turn created malicious versions of Mandiants report that were infected with computer viruses. “When opening the attachment it is exploiting a vulnerability in Adobe Reader to automatically install a malware, which downloads additional malicious components.”. Adobe released patches for this vulnerability also last week.
China’s defense ministry issued a strong denial and insisted that the report was flawed: “China Says Army Is Not Behind Attacks in Report” (NYT).
What changed from discovery of Stuxnet in 2010? Seems there is still a lot of catching-up to do: Pierluigi Paganini wrote about SCADA Systems Security on the Infosec Blog.
“Certified online banking trojan in the wild.” Jean-Ian Boutin, who works for the Antivirus company Eset, has discovered trojans that carry a valid digital signature.
“Hacks Related to Apple” – A timeline created by F-Secure.