5 Myths of Virtualization Security: You May Be More Vulnerable Than You Think

Myth No. 1: My Existing Endpoint Security Will Protect My Virtual Environment

While most traditional endpoint security solutions are virtual-aware and provide some low level of protection for virtual environments, this protection is too limited. It simply isn’t enough to cope with modern threats. Also, the performance drain, especially in large deployments, can cripple your virtual machines. Depending on the virtualization platform used — VMware, Citrix, Microsoft, etc. — your traditional endpoint security suite probably can recognize virtual endpoints. In many cases, however, this physical-world software can’t bring its full antimalware toolset to the virtual world, and it can perform only basic tasks, like on-access scanning. Worse, traditional endpoint security software can create security gaps as a result of slowing the network down, up to and including security being disabled altogether.

Myth No. 2: My Existing Antimalware Doesn’t Interfere With My Virtual Environment Operations

The truth is, it does. Performance issues actually can create security gaps that didn’t exist in your physical environment. Traditional endpoint security uses an agent-based model. Basically, each physical and virtual machine has a copy of the security program’s agent on it, and this agent communicates with the server while performing its security tasks. This works fine for physical machines, but if you have 100 virtual machines, then you have 100 instances of this security agent plus 100 instances of its malware signature database running on a single virtual host server. This high level of duplication causes massive performance degradation and wastes tons of storage capacity. In this model, if a dozen of your virtual machines simultaneously start running a normal security scan, all the...

Banking malware sniffs out data sent over HTTPS

Careful online banking users can sometimes spot that something is amiss when malware installed on their computer pops up phishing pages or adds fields to legitimate banking forms. But the Emotet banking malware doesn’t bother with that, and sniffs out data sent over secured connections instead. According to Trend Micro researchers, German users are particularly in danger from this malware family, although infections have also been spotted in the rest of the EMEA region, as well as in North America and the Asian-Pacific region. The variants targeting German users are delivered to the victims via fake bank transfer notifications and shipping invoices. Clicking on the embedded links triggers the download of the malware. The first thing that the malware then does when run is contact its C&C, from which it downloads additional files, including the configuration file that contains information about targeted banks. “Another downloaded file is a .DLL file that is also injected to all processes and is responsible for intercepting and logging outgoing network traffic. When injected to a browser, this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file,” the researchers explained. “If strings match, the malware assembles the information by getting the URL accessed and the data sent. The malware saves the whole content of the website, meaning that any data can be stolen and saved.” The malware is also capable of hooking into a number of network APIs, which allow it to sniff out data sent over...

Critical flaw exposes admin passwords of nearly 32,000 servers

Over 30,000 servers with Supermicro baseboard management controllers (BMCs) on their motherboards are offering up administrator passwords to anyone who knows where to look, warns Zachary Wikholm, a senior security engineer with the Security Incident Response Team of hosting provider CARI.net. This confidential information is made available because the company has stored the password file in plain text, and the file can be downloaded by simply connecting to port 49152. “You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” says Wikholm, and adds that this is not the only file that is vulnerable to such an attack. “All the contents of the /nv/ directory are accessible via browser including the server.pem file, the wsman admin password and the netconfig files.” The vulnerability still endangers servers despite Supermicro fixing the issue with a new IPMI BIOS version, as the fix requires administrators to reflash their systems with the new IPMI BIOS, and this is not always possible. Wikholm has stepped in and devised a temporary fix for them. “Most of the systems affected by this particular issue also have their ‘sh’ shell accessible from the SMASH command line. If you log in to the SMASH via ssh and run the command ‘shell sh’, you can drop into a functional SH shell. From there you can actually kill all ‘upnp’ processes and their related children, which provides a functional fix,” he shared, but added that the fix lasts only as long as the system isn’t disconnected or rebooted. With the help of John Matherly – the creator of Shodan,...
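A scripted form of the temporary fix Wikholm describes, added here as an example and not code from the article or from CARI.net: it reads the process table from /proc, marks every process whose name contains "upnp" together with all of their descendants, and terminates them. It assumes the BMC's sh shell has sed, awk and a Linux procfs available, which the article does not state; like the manual fix, it does not survive a reboot.

```shell
#!/bin/sh
# Added example (not from the article). Assumptions: Linux procfs, sed and awk
# are present in the BMC's sh shell; process names are not known beyond the
# article's mention of "upnp".

# upnp_tree: read "PID PPID COMMAND" lines on stdin and print the PIDs of every
# upnp-named process plus all of its descendants, one per line, ascending.
upnp_tree() {
    awk '
    NR == 1 && $1 == "PID" { next }                # skip a header row if present
    {
        pid[$1] = 1; parent[$1] = $2
        if (tolower($3) ~ /upnp/) mark[$1] = 1      # direct match on the name
    }
    END {
        # Propagate marks down the tree until no new descendant is found.
        changed = 1
        while (changed) {
            changed = 0
            for (p in pid)
                if (!(p in mark) && (parent[p] in mark)) { mark[p] = 1; changed = 1 }
        }
        for (p in mark) print p
    }' | sort -n
}

# proc_table: emit "PID PPID COMM" for each live process from /proc/<pid>/stat.
# The stat line looks like "1234 (comm) S 1 ..."; comm may contain spaces,
# so the parenthesised field is matched as a unit.
proc_table() {
    for f in /proc/[0-9]*/stat; do
        [ -r "$f" ] || continue
        sed 's/^\([0-9][0-9]*\) (\(.*\)) [^ ]* \([0-9][0-9]*\) .*$/\1 \3 \2/' "$f"
    done
}

# kill_upnp: terminate the upnp process tree on the live system.
# Pass "echo" as the first argument for a dry run that only lists the PIDs.
kill_upnp() {
    runner="${1:-kill}"
    proc_table | upnp_tree | while read -r p; do
        "$runner" "$p"
    done
}
```

Run `kill_upnp echo` first from the SMASH-provided sh shell to confirm the list is what you expect, then `kill_upnp` to apply the fix.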

Banking malware invasion

A new piece of banking malware is being delivered via tax- and invoice-themed phishing campaigns, Danish security company CSIS is warning. Dubbed “Dyreza,” the malware targets users of a number of major online banking services in the US and the UK: Bank of America, Natwest, Citibank, RBS, and Ulsterbank. “The code is designed to work similar to ZeuS and as most online banking threats it supports browser hooking for Internet Explorer, Chrome and Firefox and harvests data at any point an infected user connects to the targets specified in the malware,” shared CSIS researcher Peter Kruse. The Trojan is currently being delivered through emails purportedly coming from the aforementioned financial institutions and, once run, the attached malicious file beacons back to its C&Cs. The malware also allows attackers to control browser traffic and perform Man-in-the-Middle attacks. By having this opportunity to read all the encrypted traffic between the victims’ browser and the financial institutions’ servers, they can also try to circumvent 2-factor authentication. “We believe this is a new banker trojan family and not yet another offspring from the ZeuS source code,” says Kruse. “Still it’s unclear if this is provided as a ‘Crime as a Service’ or if it’s a full circle criminal outfit.” They managed to track down some of the malware’s C&C servers, and have even accessed parts of them and found a customized “money mule” panel with several accounts in Latvia. Kruse also warns users to be wary of future spam campaigns delivering the Trojan, as there are indications that the crooks will try to push it onto users by masquerading it as a Flash Player...

Control access to buildings and work areas

Each one of us has a responsibility to ensure that our building is secure. When you enter the building from a side door or after hours, make sure the door closes properly and check to see that no one has slipped in behind you. If you see someone you don’t know wandering around, don’t be afraid to grab a co-worker and ask which room they’re looking for or who they’re visiting. It’s better to be safe than...