Tuesday, November 21, 2017

Tag: RAM

Lurk trojan attack lands 18 behind bars in FSB dragnet

Russia's FSB says it's tagged the gang that used the “Lurk” trojan to raid 1.7 billion roubles – about US$25 million – from financial institutions. Lurk was identified in 2012.

At the time, Kaspersky Labs said it was a “fileless” Trojan that ran in RAM. Instead, it “uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.”

Reuters says around 50 people have been arrested, and 18 of those are being held in custody in Moscow pending further investigation. As well as their successful heist, the attackers issued false payment instructions worth more than 2 billion roubles, but those were blocked. Only one of the victim institutions was named – Sberbank, which the interior ministry described as Russia's largest bank in terms of assets held.

The FSB issued a statement saying it also seized “computer equipment, communications equipment, banking cards issued on the nominees, as well as financial documents and large sums of cash, confirming the illegality of their activities.” Kaspersky's ThreatPost says the Russian gang's attacks started 18 months ago.

After it's injected into the victim's processes, Lurk fetches further malware from C&C servers, and Kaspersky says the attackers used a compromised VPN to make their campaign harder to detect. The Lurk attack was a separate campaign to the Android SMS malware-slinging attacks on Sberbank last year. ®
Bloatware creates easy pwnage

Computers from many of the biggest PC makers are riddled with easy-to-exploit vulnerabilities in pre-loaded software, security researchers warn. The research from Duo Security shows that bloatware is not just a nuisance that causes a lag in system boot-up, but a security risk. Laptops from Acer, Asus, Dell, HP and Lenovo all have at least one security vulnerability that can lead to a full system compromise. Most of the vulnerabilities would be straightforward to exploit even for technically unsophisticated hackers, according to Duo Security.

Lenovo copped an enormous amount of flack after it began bundling Superfish adware with some of its computers in September 2014. Superfish adware was installed on some Lenovo PCs with a trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic. A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks without a warning from the browser, as US CERT warned around the time the scandal broke in early 2015.

Duo's research shows the Superfish controversy was but an extreme example of a wider security problem involving pre-installed software from multiple manufacturers. "The OEM software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivized crapware," Duo Security researchers warn. "Some apps do nothing more than add a shortcut to launch your web browser to a specific site.

"The OOBE [out-of-box experience] is annoying to most people for a number of reasons. In addition to wasting disk space, consuming RAM, and generally degrading the user experience, OEM software often has serious implications on security. A few examples include Superfish, which abused the Windows Platform Binary Table to install persistent adware on unwitting Lenovo users' personal computers. The eDellRoot fiasco made a mess of the Windows root certificate store for Dell users."

The two-factor authentication firm reckons "simple enhancements" like the consistent use of encryption, specifically transport layer security (TLS), would have significantly raised the bar for attackers.

[Image: Laptop bloatware threat matrix. Source: Duo Security]

Duo Security identified and reported twelve different vulnerabilities across all of the vendors:

Dell – one high-risk vulnerability involving lack of certificate best practices, known as eDellRoot.
Hewlett Packard – two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. Five medium-to-low-risk vulnerabilities were also identified.
Asus – one high-risk vulnerability that allows for arbitrary code execution as well as one medium-severity local privilege-escalation flaw.
Acer – two high-risk vulnerabilities that allow for arbitrary code execution.
Lenovo – one high-risk vulnerability that allows for arbitrary code execution.

Every vendor shipped with a preinstalled update that had at least one vulnerability, resulting in arbitrary remote code execution and thereby complete compromise of the affected machine. "OEM updaters are highly privileged, easy to exploit, and not difficult to reverse engineer – coupled with limited security review, this creates a perfect storm for an attacker," Duo concludes.

Duo's study of OEM updates was put together by Darren Kemp, Chris Czub and Mikhail Davidov. El Reg passed on Duo's research to Acer, Asus, Dell, HP and Lenovo with a request for comment. No word back, as yet. ®

Bootnote

Kit accessed included the Acer Aspire F15 (UK version); Asus TP200S and Asus TP200S (Microsoft Signature Edition); Dell Inspiron 14 (Canada version) and Dell Inspiron 15-5548 (Microsoft Signature Edition); HP Envy, HP Stream x360 (Microsoft Signature Edition) and HP Stream (UK version); and Lenovo Flex 3 and Lenovo G50-80 (UK version).
The custom firmware that the FBI would like Apple to produce in order to unlock the San Bernardino iPhone would be the most straightforward way of accessing the device, allowing the federal agency to rapidly attempt PIN codes until it found the one that unlocked the phone. But it's probably not the only way to achieve what the FBI wants.

There may well be approaches that don't require Apple to build a custom firmware to defeat some of the iPhone's security measures. The iPhone 5c used by the San Bernardino killers encrypts its data using a key derived from a combination of an ID embedded in the iPhone's processor and the user's PIN.

Assuming that a 4-digit PIN is being used, that's a mere 10,000 different combinations to try out. However, the iPhone has two protections against attempts to try every PIN in turn.

First, it inserts delays to force you to wait ever longer between PIN attempts (up to one hour at its longest).
Second, it has an optional capability to delete its encryption keys after 10 bad PINs, permanently depriving access to any encrypted data. The FBI would like to use a custom firmware that allows attempting multiple PINs without either of these features.

This custom firmware would most likely be run using the iPhone's DFU mode.

Device Firmware Update (DFU) mode is a low-level last resort mode that can be used to recover iPhones that are unable to boot.

To use DFU mode, an iPhone must be connected via USB to a computer running iTunes. iTunes will send a firmware image to the iPhone, and the iPhone will run that image from a RAM disk.

For the FBI's purposes, this image would include the PIN-attack routines to brute-force the lock on the device. Developing this firmware should not be particularly difficult—jailbreakers have developed all manner of utilities to build custom RAM disks to run from DFU mode, so running custom code from this environment is already somewhat understood—but there is a problem.

The iPhone will not run any old RAM disk that you copy to it.
It first verifies the digital signature of the system image that is transferred. Only if the image has been properly signed by Apple will the phone run it. The FBI cannot create that signature itself. Only Apple can do so.

This means also that the FBI cannot even develop the code itself.

To test and debug the code, it must be possible to run the code, and that requires a signature.

This is why it is asking for Apple's involvement: only Apple is in a position to do this development.

Do nothing at all

The first possibility is that there's simply nothing to do.

Erasing after 10 bad PINs is optional, and it's off by default.
If the erase option isn't enabled, the FBI can simply brute force the PIN the old-fashioned way: by typing in new PINs one at a time.
It would want to reboot the phone from time to time to reset the 1 hour delay, but as tedious as the job would be, it's certainly not impossible. It would be a great deal slower on an iPhone 6 or 6s.
In those models, the running count of failed PIN attempts is preserved across reboots, so resetting the phone doesn't reset the delay period.

But on the 5c, there's no persistent record of bad PIN trials, so restarting the phone allows an attacker to short-circuit the delay.

Why it might not work

Obviously, if the phone is set to wipe itself, this technique wouldn't work, and the FBI would want to know one way or the other before starting. It ought to be a relatively straightforward matter for Apple to tell, as the phone does have the information stored in some accessible way so that it knows what to do when a bad PIN is entered. But given the company's reluctance to assist so far, getting them to help here may be impossible.

Update: It turns out that this bug was fixed in iOS 8.1, so it probably wouldn't work after all.

Acid and laserbeams

One risky solution that has been discussed extensively already is to use lasers and acid to remove the outer layers of the iPhone's processor and read the embedded ID. Once this embedded ID is known, it's no longer necessary to try to enter the PIN directly on the phone itself.
Instead, it would be possible to simply copy the encrypted storage onto another computer and attempt all the PINs on that other computer.

The iPhone's lock-outs and wiping would be irrelevant in this scenario.

Why it might not work

The risk of this approach is not so much that it won't work, but that if even a tiny mistake is made, the hardware ID could be irreparably damaged, rendering the stored data permanently inaccessible.

Jailbreak the thing

The iPhone's built-in lockouts and wipes are unavoidable if running the iPhone's operating system... assuming that the iPhone works as it is supposed to.
It might not.

The code that the iPhone runs to enter DFU mode, load a RAM image, verify its signature, and then boot the image is small, and it should be simple and quite bullet-proof. However, it's not impossible that this code, which Apple calls SecureROM, contains bugs.
Sometimes these bugs can enable DFU mode (or the closely related recovery mode) to run an image without verifying its signature first. There are perhaps six known historic flaws in SecureROM that have enabled jailbreakers to bypass the signature check in one way or another.

These bugs are particularly appealing to jailbreakers, because SecureROM is baked into hardware, and so the bugs cannot be fixed once they are in the wild: Apple has to update the hardware to address them.

Exploitable bugs have been found in the way SecureROM loads the image, verifies the signature, and communicates over USB, and in all cases they have enabled devices to boot unsigned firmware. If a seventh exploitable SecureROM flaw could be found, this would enable jailbreakers to run their own custom firmwares on iPhones.

That would give the FBI the power to do what it needs to do: it could build the custom firmware it needs and use it to brute force attack the PIN.
Some critics of the government's demand have suggested that a government agency—probably the NSA—might already know of such a flaw, arguing that the case against Apple is not because of a genuine need to have Apple sign a custom firmware but merely to give cover for their own jailbreak.

Why it might not work

Of course, the difficulty with this approach is that it's also possible that no such flaw exists, or that even if it does exist, nobody knows what it is.

Given the desirability of this kind of flaw—it can't be fixed through any operating system update—jailbreakers have certainly looked, but thus far they've turned up empty-handed.

As such, this may all be hypothetical.

Ask Apple to sign an FBI-developed firmware

Apple doesn't want to develop a firmware to circumvent its own security measures, saying that this level of assistance goes far beyond what is required by law.

The FBI, however, can't develop its own firmware because of the digital signature requirements. But perhaps there is a middle ground.

Apple, when developing its own firmwares, does not require each test firmware to be signed.
Instead, the company has development handsets that have the signature restriction removed from SecureROM and hence can run any firmware.

These are in many ways equivalent to the development units that game console manufacturers sell to game developers; they allow the developers to load their games to test and debug them without requiring those games to be signed and validated by the console manufacturer each time. Unlike the consoles, Apple doesn't distribute these development phones.
It might not even be able to, as it may not have the necessary FCC certification.

But they nonetheless exist.
In principle, Apple could lend one of these devices to the FBI so that the FBI would then be responsible for developing the firmware.

This might require the FBI to do the work on-site at Cupertino or within a Faraday cage to avoid FCC compliance concerns, but one way or another this should be possible. Once it had a finished product, Apple could sign it.
If the company was truly concerned with how the signed firmware might be used, it might even run the firmware itself and discard it after use. This would relieve Apple of the burden of creating the firmware, and it could be argued that it was weakening Apple's first amendment argument against unlocking the firmware. While source code is undoubtedly expressive and protected by the first amendment, it seems harder to argue that a purely mechanical transformation such as stamping a file with a digital signature should be covered by the same protection.

Why it might not work

Apple may very well persist in saying no, and the courts may agree.

Stop the phone from wiping its encryption keys

The way the iPhone handles encryption keys is a little more complex than outlined above.

The encryption key derived from the PIN combined with the hardware ID isn't used to encrypt the entire disk directly.
If it were, changing the PIN would force the entire disk to be re-encrypted, which would be tiresome to say the least.
Instead, this derived key is used to encrypt a second key, and that key is used to encrypt the disk.

That way, changing the PIN only requires re-encryption of the second key.
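The two-level scheme just described can be modelled in a few dozen lines. The following is an added illustration, not Apple's code or any description of the real implementation: it stands in a PBKDF2-derived key for the PIN-plus-hardware-ID derivation, an HMAC-based mask and tag for the real AES key wrapping, an HMAC counter-mode keystream for the disk encryption, and a constructed random byte string for the processor's ID, which on a real device cannot be read by software. The round count, names and the `ToyPhone` class are all assumptions. It shows that changing the PIN rewrites only the wrapped key while the ciphertext on flash is untouched, and that once the wrapped key (the content of the effaceable area discussed below) is erased, the data cannot be recovered even with the correct PIN.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy model of the two-level key hierarchy and the effaceable key blob.
# Constructed for illustration only; round count is an assumption.
PBKDF2_ROUNDS = 10_000
KEY_LEN = 32


def derive_kek(pin: str, hardware_uid: bytes) -> bytes:
    """Key-encrypting key derived from the user's PIN and the per-device ID."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), hardware_uid,
                               PBKDF2_ROUNDS, dklen=KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mask(kek: bytes) -> bytes:
    return hmac.new(kek, b"disk-key-wrap", hashlib.sha256).digest()


def wrap_key(kek: bytes, disk_key: bytes) -> bytes:
    """Wrapped disk key plus an integrity tag: the blob kept in effaceable storage."""
    blob = _xor(disk_key, _mask(kek))
    tag = hmac.new(kek, blob, hashlib.sha256).digest()
    return blob + tag


def unwrap_key(kek: bytes, wrapped: bytes) -> Optional[bytes]:
    """Recover the disk key, or None when the KEK (i.e. the PIN) is wrong."""
    blob, tag = wrapped[:KEY_LEN], wrapped[KEY_LEN:]
    expected = hmac.new(kek, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(blob, _mask(kek))


def keystream(disk_key: bytes, length: int) -> bytes:
    """HMAC counter-mode stream standing in for the real AES data encryption."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(disk_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class ToyPhone:
    def __init__(self, pin: str, wipe_after: int = 10):
        self.uid = os.urandom(KEY_LEN)        # constructed stand-in for the fused UID
        disk_key = os.urandom(KEY_LEN)        # the "second key" that encrypts the disk
        # Only the wrapped form is kept; the raw disk key is stored nowhere.
        self.effaceable: Optional[bytes] = wrap_key(derive_kek(pin, self.uid), disk_key)
        self.flash = b""                      # ciphertext of the user data
        self.bad_attempts = 0
        self.wipe_after = wipe_after

    def _disk_key(self, pin: str) -> Optional[bytes]:
        if self.effaceable is None:           # keys wiped: nothing left to unwrap
            return None
        key = unwrap_key(derive_kek(pin, self.uid), self.effaceable)
        if key is None:
            self.bad_attempts += 1
            if self.bad_attempts >= self.wipe_after:
                self.effaceable = None        # the wipe destroys only the wrapped key
        else:
            self.bad_attempts = 0
        return key

    def store(self, pin: str, plaintext: bytes) -> bool:
        key = self._disk_key(pin)
        if key is None:
            return False
        self.flash = _xor(plaintext, keystream(key, len(plaintext)))
        return True

    def unlock(self, pin: str) -> Optional[bytes]:
        key = self._disk_key(pin)
        if key is None:
            return None
        return _xor(self.flash, keystream(key, len(self.flash)))

    def change_pin(self, old_pin: str, new_pin: str) -> bool:
        """Re-wraps the disk key only; the ciphertext on flash is untouched."""
        key = self._disk_key(old_pin)
        if key is None:
            return False
        self.effaceable = wrap_key(derive_kek(new_pin, self.uid), key)
        return True
```

The design point is that the entire security of the stored data collapses to one small blob: the data on flash is never re-encrypted, so whoever controls the lifecycle of that blob controls the data, which is why the rest of this section is about what happens to it.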

The second key is itself stored on the iPhone's flash storage. Normal flash storage is awkward to securely erase, due to wear leveling.

Flash supports only a limited number of write cycles, so to preserve its life, flash controllers spread the writes across all the chips. Overwriting a file on a flash drive may not actually overwrite the file but instead write the new file contents to a different location on the flash drive, potentially leaving the old file's contents unaltered. This makes it a bad place to store encryption keys that you want to be able to delete.

Apple's solution to this problem is to set aside a special area of flash that is handled specially.

This area isn't part of the normal filesystem and doesn't undergo wear leveling at all.
If it's erased, it really is erased, with no possibility of recovery.

This special section is called effaceable storage. When the iPhone wipes itself, whether due to bad PIN entry, a remote wipe request for a managed phone, or the built-in reset feature, this effaceable storage area is the one that gets obliterated. Apart from that special handling, however, the effaceable area should be readable and writeable just like regular flash memory. Which means that in principle a backup can be made and safely squirreled away.
If the iPhone then overwrites it after 10 bad PIN attempts, it can be restored from this backup, and that should enable a further 10 attempts.

This process could be repeated indefinitely. This video from a Shenzhen market shows a similar process in action (we came at it via 9to5Mac after seeing a tweet in February and further discussion in March). Here, a 16GB iPhone has its flash chip desoldered and put into a flash reader.

A full image of that flash is made, including the all-important effaceable area.
In this case, the chip is then replaced with a 128GB chip, and the image restored, with all its encryption and data intact.

The process for the FBI's purposes would simply use the same chip every time. By restoring every time the encryption keys get destroyed, the FBI could—slowly—perform its brute force attack.
It would probably want to install a socket of some kind rather than continuously soldering and desoldering the chip, but the process should be mechanical and straightforward, albeit desperately boring. A more exotic possibility would be to put some kind of intermediate controller between the iPhone and its flash chip that permitted read instructions but blocked all attempts to write or erase data. Hardware write blockers are already routinely used in other forensic applications to prevent modifications to SATA, SCSI, and USB disks that are being used as evidence, and there's no reason why such a thing could not be developed for the flash chips themselves.

This would allow the erase/restore process to be skipped, requiring the phone to be simply rebooted every few attempts.

Why it might not work

The working assumption is that the iPhone's processor has no non-volatile storage of its own, so it simply doesn't remember that it is supposed to have wiped its encryption keys and thus will offer another ten attempts if the effaceable storage area is restored, or that even if it does remember, it doesn't care.

This is probably a reasonable assumption; the A6 processor used in the iPhone 5c doesn't appear to have any non-volatile storage of its own, and allowing restoration means that even a securely wiped phone can be straightforwardly restored from backup by connecting it to iTunes. For newer iPhones, that's less clear.

Apple implies that the A7 processor—the first to include the "Secure Enclave" function—does have some form of non-volatile storage of its own. On the A6 processor and below, the time delay between PIN attempts resets every time the phone is rebooted. On the A7 and above, it does not; the Secure Enclave somehow remembers that there has been some number of bad PIN attempts earlier on.

Apple also vaguely describes the Secure Enclave as having an "anti-replay counter" for data that is "saved to the file system." It's not impossible that this is also used to protect the effaceable storage in some way, allowing the phone to detect that it has been tampered with.

Full restoration is similarly still likely to be possible. There is also some risk to disassembling the phone, but if the process is reliable enough for Shenzhen markets, the FBI ought to be able to manage it reliably enough. This last technique in particular should be quite robust.

There's no doubt that Apple's assistance would help a great deal; creating a firmware to allow brute-forcing the PIN would be faster and lower risk than any method that requires disassembly.

But if the FBI is truly desperate to bypass the PIN lockout and potential disk wipe, there do appear to be options available to it that don't require Apple to develop the firmware.
Microsoft researchers, in partnership with academia, have published a paper detailing how they have dramatically increased the speed of homomorphic encryption systems.

With a standard encryption system, data is scrambled and then decrypted when it needs to be processed, leaving it vulnerable to theft. Homomorphic encryption, first proposed in 1978 but only really refined in the last decade thanks to increasing computing power, allows software to analyze and modify encrypted data without decrypting it into plaintext first. The information stays encrypted while operations are performed on it – provided you have the correct key, of course.

This has major advantages from a security standpoint. Hospital records can be examined without compromising patient privacy, financial data can be analyzed without opening it up to theft, and it's perfect for a computing environment where so much data is cloud-based on someone else's servers.

There is, of course, a problem. The first fully working homomorphic encryption system, built by Craig Gentry (now an IBM Research cryptographer), was incredibly slow, taking 100 trillion times as long to perform calculations on encrypted data than plaintext analysis. IBM has sped things up considerably, making calculations on a 16-core server over two million times faster than past systems, and has open-sourced part of the technology.

But, in a new paper [PDF], Microsoft thinks it's made a huge leap forward in applying the encryption system to deep learning neural networks. Professor Kristin Lauter, principal research manager at Microsoft, told The Register that the team has developed CryptoNets that process the encrypted data. The team claims that its optical recognition system is capable of making 51,000 predictions per hour with 99 per cent accuracy.

The key to Redmond's approach is in the pre-processing work. The researchers need to know in advance the complexity of the arithmetic circuit that is to be applied to the data. They need to structure the neural network appropriately and keep data loads small enough so the computer handling them isn't over-worked. To make this possible, the team developed the Simple Encrypted Arithmetic Library (SEAL) – code which it revealed last November. Detailed parameters have to be set up before the data run is attempted, to keep multiplication levels low.

In testing, the team used 28 x 28-pixel images of handwritten words taken from the Mixed National Institute of Standards and Technology (MNIST) database and ran 50,000 samples through to train the system. They then tried a full run on an additional 10,000 characters to test accuracy. The test rig was a PC with a single Intel Xeon E5-1620 CPU running at 3.5GHz, with 16GB of RAM, running Windows 10. They structured the data in parallel, and the computer ran 51,739 predictions per hour with an accuracy rate of 99 per cent.

There's still a lot of work to be done, Lauter said, but the initial results look very promising and could be used for a kind of machine learning-as-a-service concept, or on specialist devices for medical or financial predictions. "I'm not in that part of the company's decision-making process, so can't guarantee when Microsoft will have a product using this technology," she said. "But from a research point of view, we are definitely going towards making it available to customers and the community." ®
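To make concrete what "operating on data without decrypting it" means, here is an added example that is not Microsoft's SEAL code nor anything from the paper. It uses the Paillier cryptosystem, which is additively homomorphic only: the server can add two ciphertexts and scale a ciphertext by a plaintext constant, which is enough to evaluate the linear layer of a neural network on encrypted inputs. CryptoNets rely on a different, lattice-based leveled scheme that also supports ciphertext multiplication (hence the article's concern with "multiplication levels"); that is outside this example. The two primes are constructed so the numbers stay readable; real deployments use primes of 1024 bits or more. Function names are my own.

```python
import math
import secrets

# Paillier (1999), shown here for its additive homomorphism. Added
# illustration; the primes below are constructed, not real parameters.


def keygen(p: int, q: int):
    """Paillier key pair from two primes. Public: (n, g); private: (lambda, mu)."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    # L(x) = (x - 1) / n;  mu = L(g^lambda mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """Enc(m) = g^m * r^n mod n^2 with a fresh random r, so equal messages
    produce different ciphertexts."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n) * mu % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Enc(a) * Enc(b) mod n^2 decrypts to a + b; the party doing this
    multiplication never learns a or b."""
    n2 = pub[0] ** 2
    return c1 * c2 % n2


def mul_plain(pub, c: int, k: int) -> int:
    """Enc(a)^k mod n^2 decrypts to k * a (k a non-negative plaintext integer)."""
    n2 = pub[0] ** 2
    return pow(c, k, n2)


def encrypted_dot(pub, ciphertexts, weights) -> int:
    """A linear layer evaluated on encrypted inputs with plaintext weights:
    sum(w_i * x_i) computed while every x_i stays encrypted."""
    n2 = pub[0] ** 2
    acc = 1                      # Enc(0) with r = 1: the additive identity
    for c, w in zip(ciphertexts, weights):
        acc = acc * pow(c, w, n2) % n2
    return acc
```

The holder of the private key (the client) encrypts its inputs and later decrypts the result; the party running `encrypted_dot` (the cloud) sees only ciphertexts and the plaintext weights. Note that results wrap modulo n, so the plaintext range has to be sized in advance, which is the same kind of parameter planning the article describes for SEAL.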
When your formerly speedy PC starts to stutter and drag, you may be inclined to pin the blame on your antivirus. Hey, it's an easy target, right? Chances are good, though, that any slowdown is due to things like over-filled hard drives or too many programs running in the background. IObit's Advanced SystemCare Ultimate 9 has the answer for you—it combines antivirus protection with a full suite of system tune-up tools. At $29.99 per year for three licenses, it costs less than many competing standalone antivirus products. Unfortunately, the core antivirus protection didn't hold up in my testing.

IObit's main window reports your current security status and features three extra-large glowing icons that launch a Quick, Full, or Custom Scan. Tested on my standard clean virtual machine, the full scan took 26 minutes, which is good, given that the current average is almost 40 minutes. Some antivirus products actively avoid rescanning known good files, making repeat scans very fast. AVG AntiVirus (2016) and Total Defense Anti-Virus (2015) zoomed through a repeat scan in about one minute. IObit doesn't seem to attempt this kind of scan optimization.

Easy Start

When you launch IObit's installer, you see a simple screen with one big button that simultaneously accepts the product license and launches the installer. The install process completed. To finish the process, I updated antivirus definitions and activated the product to enable real-time protection. After I finished activation, the program presented me with a big screen full of additional features and settings, most of which were flagged as enabled. Clicking a link activated the features that weren't enabled by default: Surfing Protection, Registry Deep Clean, and Secure File Deletion. I noticed that even though I activated the program, it still displayed an advertisement across the bottom, offering me an 80 percent discount on IObit's Drive Booster 3 Pro, along with "super gifts."

This kind of internal advertising is found throughout the program. The Action Center notifies you about security problems, but also touts special deals on other IObit products. An Exclusive Offers button on the scan-complete screen likewise takes you to an advertising page. Some users may find these elements annoying.

Mediocre Malware Protection

IObit uses Bitdefender's antivirus engine, so, in a perfect world, its lab-test scores would track precisely with the excellent scores attained by Bitdefender Antivirus Plus 2016. However, the independent labs state very clearly that test results apply only to the actual product that was tested. None of the labs include IObit in testing, so the only test results I can rely on are my own. My own testing shows that IObit's protection doesn't track with Bitdefender's at all.

To start my malware-blocking test, I open a folder containing my current set of malware samples. The minimal file access that occurs when Windows Explorer checks a file's name, size, and creation date is enough to trigger real-time protection in many antivirus products, including IObit. After a few minutes, it had eliminated 75 percent of the samples. Bitdefender wiped out 79 percent at this point, but the set of samples caught on sight by the two products didn't completely match. IObit missed some that Bitdefender caught, and caught one that Bitdefender missed. When I continued the test by launching the samples that weren't wiped out immediately, the two products diverged further. Some of the samples IObit caught after launch managed to install executable traces on the test system, a problem that didn't happen with Bitdefender. Overall, IObit detected 82 percent of the samples and scored 7.9 of 10 possible points. Bitdefender detected 93 percent and managed 9.3 points. That's the top score among products tested using this same set of samples. Bitdefender shares that top score with Avast Pro Antivirus 2016. Tested using my previous malware collection, Webroot SecureAnywhere Antivirus (2015) managed a perfect 10 points.

In order to precisely compare how thoroughly different antivirus products fend off malware attacks, I necessarily use the same set of thoroughly analyzed samples for quite a while. My malicious URL blocking test, on the other hand, always uses the very latest malware-hosting URLs, supplied in a daily feed by MRG-Effitas. I load URL after URL, noting whether the antivirus keeps the browser from reaching the URL, wipes out the payload during download, or sits idly twiddling its thumbs. I continue until I've captured data for 100 active malware-hosting URLs. Throughout this test, IObit teetered back and forth, almost evenly balanced between wiping out downloads and completely missing all detection. I began to think that its Surfing Protection component wasn't designed for this sort of test. Near the end, though, that component did kick in to block precisely one URL at the browser level. IObit's overall score of 50 percent protection is a little better than the current average, but nowhere near Bitdefender's 74 percent protection. Top scorers in this test are McAfee AntiVirus Plus (2016) and Symantec Norton Security Premium, each with 91 percent protection.

Poor Protection Against Phishing

The Surfing Protection browser add-in serves to block both malware-hosting URLs and other types of dangerous URLs. That includes phishing sites, those nasty frauds that masquerade as PayPal, your bank, or some other secure site, attempting to steal your login credentials. Given that this component blocked access to just one in 100 malware-hosting URLs, it couldn't fare worse in the antiphishing test unless it earned a big fat zero. It actually scored better than that, but still failed to impress. For this test, I gather URLs that have been reported as fraudulent, but that haven't yet been verified and blacklisted. I launch each URL on five test systems, each protected in a different way. One system uses the product under testing, of course, and another uses Norton, a long-time antiphishing winner. The other three rely on protection built into Chrome, Firefox, and Internet Explorer. Since the nature of current phishing sites varies from day to day, I report results as the difference between the detection rate of the product and of the other four test systems. IObit's detection rate was a full 76 percent lower than Norton's, which puts it in the bottom quarter of recent products, score-wise. Kaspersky Anti-Virus (2016) came very close to tying with Norton, while Bitdefender is the only recent product that actually outperformed Norton in this test. All three browsers handily beat IObit, despite Chrome having an apparent bad day. The lesson is clear—don't turn off your browser's fraud protection, because IObit won't take its place.

Clean and Optimize

Antivirus is just part of what you get with this product. IObit's full-scale system tune-up utility, similar to Iolo System Mechanic 14, is included in Advanced SystemCare Ultimate. Note, though, that while you can use the Iolo product on any number of computers, cleanup with IObit is limited to the three licenses that come as part of your subscription. Once you get past the Antivirus page, the rest of this product is devoted to system cleanup and optimization. The Clean and Optimize page lets you launch a scan to clean up unwanted junk that may be slowing your system, among other things. Just half of these modules are enabled by default, probably because those not enabled can take a long time to finish. I was mildly surprised to find Spyware Removal and Security Defense in this collection (the latter says it will prevent spyware installation). I would think those belong with the antivirus.

The components that are enabled by default sweep your system for spyware, boost your Internet speed, fix broken shortcuts, eliminate junk files and Registry items, and sweep away activity traces that could compromise your privacy. Running a scan using just these components took just a couple of minutes. On completion, it offered a summary of found problems with the option to dig in for detail and even exempt certain items from cleanup. Most users will probably just click the big Fix button. Before making any changes, IObit creates a rollback record. That way if by some mischance the cleanup causes trouble, you can undo its changes using the Rescue Center. As with the antivirus scan, the final page offered an Exclusive Offer button, encouraging me to buy more IObit products. The components not checked by default serve to defrag the Registry and hard drives, check for drive errors, optimize system settings for speed, and fix Windows vulnerabilities. I started a scan using all of the components, and was pleasantly surprised to find that it took just a few minutes more. The process of fixing found problems took about 30 minutes this time, since it included installing a few Windows updates and partially defragging the hard drive. But that's really quite a reasonable time to perform those deeper optimizations.

Speed Up

Apparently speeding up your system isn't quite the same as optimizing it, so IObit offers a separate Speed Up page with four choices: Turbo Boost, Startup Accelerate, Deep Optimization, and App/Toolbar Cleaner. Turbo Boost is something you'll use sparingly, for times when you really need every ounce of performance. It terminates unnecessary applications and services and sweeps the system to release RAM that's allocated but not in use. Note that IObit maintains a tiny desktop widget that reports RAM and CPU usage—you can click its broom icon to sweep for RAM that can be released. By default, Turbo Boost operates in Work Mode. You can configure it to use Game Mode, which terminates even more services. Economy Mode aims to minimize power consumption so you can keep using a laptop whose battery is low. The Startup Accelerate component simply lists the programs that launch at system startup and lets you manage them. On the basic Startup Accelerate page, I couldn't figure out what to do. The two items listed just had Ignore in the Action column, and when I clicked it for one, that item vanished. Clicking the link for advanced configuration made things clearer. In this mode, I found I could set each item to enabled, disabled, or delayed, much like the similar feature in Norton. Its Deep Optimization list displayed Windows features, including Intelligent Disk Accelerate and Fast Startup, but reported them already optimized. Other tabs listed add-ins that launch with various browsers and non-essential Windows services. When I clicked for details under Deep Optimization, IObit offered a laundry list of settings to speed hard drive access, network connections, and overall system speed. Finally, the App/Toolbar Cleaner didn't show a thing, because it didn't find any suspicious browser apps or plugins. Avast and Panda Antivirus Pro 2016 offer similar toolbar clean-up tools.

Toolbox and Action Center

You may be a bit overwhelmed the first time you open IObit's Toolbox page. This page sports more than two dozen icons representing various types of utilities from IObit. Some are not currently installed, but can be downloaded (represented by a down-arrow icon overlay). Some of those must be purchased separately. Others, those with no icon overlay, are already present, but may require payment for Pro features. To help you deal with icon overload, IObit now includes the option to put your favorite tools at the top. The only one of the toolbox items that's related to antivirus protection is a button for IObit Malware Fighter. Given this product's abysmal performance in our testing, I can't imagine why you'd choose to install it. As noted earlier, the Action Center tab touts a "VIP exclusive offer" to purchase other IObit products at drastically slashed prices. If you're not interested, just click the link to hide these offers. You'll also find IObit's software updater list in the Action Center. On my test system, Chrome, Firefox, and Java all needed updates. IObit handled them as automatically as possible, though finalizing the Java update did require my participation. Given that Java and browsers are subject to extreme scrutiny by malefactors seeking security holes, keeping them up to date is very important.

Not the Antivirus You're Looking For

IObit Advanced SystemCare Ultimate 9 uses Bitdefender's antivirus engine, yet its test results don't come close to Bitdefender's. The independent antivirus labs don't include it in testing. And where Bitdefender is the only current product that has beaten Norton in our antiphishing test, IObit scored near the bottom. As an antivirus, this product doesn't impress. Our Editors' Choice picks for commercial antivirus protection are Webroot SecureAnywhere Antivirus, Kaspersky Anti-Virus, and Bitdefender Antivirus Plus. All three cost $10 more than IObit, but that's a well-spent 10 bucks, as they offer much, much better protection. If you want antivirus plus system optimization, choose one of these products and add a top-rated tune-up product.
Slow RAM partition in the GTX 970 leads to false advertising claim.
Sophos security researchers detail the retail malware threat landscape and explain how Canada has nearly eliminated retail credit card fraud. Malware known as "RAM scraper" software routinely infiltrates retail environments and steals information, according to researchers from security firm Sophos. In a session titled "Buy Candy, Lose Your Credit Card—Investigating POS RAM Scraping Malware" late last month at the RSA Conference, Chester Wisniewski, senior security advisor at Sophos, detailed the current risk landscape for retail malware. In an interview with eWEEK, Wisniewski noted that when he submitted his topic to the RSA Conference in June 2013, it was well before the disclosures by Target and Neiman Marcus about data breaches. Target first revealed it was the victim of a data breach Dec. 19 and Neiman Marcus disclosed its breach Jan. 13. Wisniewski said that while the Target and Neiman Marcus breaches have increased the interest in retail malware, including RAM scrapers, the issue has been ongoing for the last several years. "Looking back five years ago, we didn't see this kind of stuff, as that was when standards like PCI DSS [Payment Card Industry Data Security Standard] were just getting started," Wisniewski said. "In order to steal credit card [information] back then, all you had to do was infect a computer with an everyday regular PC virus and get the Excel spreadsheet that had all the information in it." Wisniewski asserted that five years ago, most organizations did not have proper controls to protect credit card data. Once PCI DSS came into play, security controls that made it more difficult for attackers to steal information came into play as well. Starting in 2010, Wisniewski said, the first real incident of RAM scraper malware attacking credit card data was reported. RAM scraper malware skims through memory on point-of-sale (POS) devices looking for credit card information that it can steal.
That information is then encrypted to a file that the attacker is able to access. In 2011, Wisniewski said, Sophos started seeing RAM scraper malware more commonly in its own security investigations, particularly in the hospitality industry across major hotel chains.

Infection

Wisniewski said that he has not yet been able to prove definitively how RAM scraper malware gets onto systems. "We believe that, in nearly every instance, it comes in via a phishing email," Wisniewski said. "It's usually a poisoned attachment." In one case that Sophos investigated, an employee at the hotel chain actually installed the malware after being bribed by an attacker, Wisniewski said.

The other common factor in the retail breaches that Sophos has investigated is the use of a Microsoft Windows operating system for payment card transaction processing. "One of our recommendations is for organizations to move away from using a magnetic stripe reader hooked up to an embedded Windows XP point-of-sale machine," Wisniewski said. Wisniewski recommends that retailers use POS terminals that connect directly with a payment processor service to solve the malware problem. In his view, RAM scraper malware is not infecting the actual POS terminals, but is infecting the Windows machines they connect with. With chip and PIN credit cards, payment processing is always done with a payment processor and not a Windows PC, which is also why Wisniewski recommends moving away from magnetic stripes for credit card use in the United States. Wisniewski noted that in Canada, where he is based, retailers have all shifted to chip and PIN with great results. "All Canadian retailers have moved to having their point-of-sale terminals communicate directly with the payment processor rather than going through a PC," Wisniewski said. "That has eliminated almost all of the retail card fraud in Canada." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Cyber-attackers targeting transaction data increasingly use software that monitors memory for unencrypted card numbers and account information. Security professionals are focusing on the tools that attackers use to steal credit card data and account information from point-of-sale (POS) terminals and computerized cash registers as the likely source of the massive breaches at retailers Target and Neiman Marcus. The most probable suspect is software known as a random access memory, or RAM, scraper, which steals data in its unencrypted form from the main memory of an infected computer. While neither Target nor Neiman Marcus has disclosed what tools the attackers used, security experts suspect that POS terminals at both retail chains had been compromised with scrapers, which then stole credit card data and other account information. Reuters first reported the link Jan. 12. "They are grabbing at the stage before it is encrypted," Chester Wisniewski, senior security advisor at Sophos, told eWEEK. "They are doing the same thing that the NSA does. You read it before it is encrypted or after it is decrypted, then you don't have to break the encryption." On Jan. 11 Neiman Marcus confirmed that online thieves had breached its computer systems.

The acknowledgement followed Target's admission in December that online thieves stole more than 40 million credit card records and 70 million other account records containing sensitive data during a data breach that started at the big-box store chain on Nov. 29, also known as Black Friday. Both attacks were first reported by security journalist and researcher Brian Krebs. Target apologized to its customers on Jan. 13, as it kicked off a public relations campaign to undo the damage done to the company by the 19-day attack. Neiman Marcus made its own short apology on Jan. 11. "The security of our customers' information is always a priority, and we sincerely regret any inconvenience," the official Neiman Marcus Twitter account stated on Jan. 11. "We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores." While RAM scrapers are a key tool used in the attacks, the technology is not new. In 2009, Verizon flagged scrapers as an emerging threat, even though they only accounted for 4 percent of the cases in its data set at the time. Current versions of RAM scrapers include a malware threat alternatively known as Trackr and Alina, which has targeted the retail, service, health care, food services, education, hotel and tourism industries. Credit card issuer Visa posted alerts in April and August 2013, warning that attackers had focused on grocery stores and retail chains with the malware. "The malware is configured to 'hook' into payment application binaries," the company stated in its updates. "These binaries are responsible for processing authorization data, which includes the full magnetic stripe data." While past RAM scrapers have been fairly simple, more modern versions are getting sophisticated.

The programs are looking for a wider variety of data and taking steps to hide their tracks, such as encrypting stolen data, Sophos' Wisniewski said. In addition, attackers have added legitimate-sounding file names to deceive victims and linked the code using botnet functionality, according to a blog post published by Sophos in July 2013. "The attackers are getting much smarter," said Wisniewski.
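Both Sophos pieces above make the same point: a RAM scraper wins because full magnetic stripe (track 2) data sits in cleartext in the memory of the Windows PC that handles authorization, and the fix is to keep that data off the PC entirely. The following is an added defender-side example, not code from Sophos or eWEEK: a cardholder-data discovery check of the kind used to verify that a process dump or disk image from a POS host holds no cleartext track-2 data, using the ISO/IEC 7813 track-2 layout and the Luhn check to separate real PANs from random digit runs. The sample dump bytes and the 4111111111111111 test PAN are constructed.

```python
import re

# ISO/IEC 7813 track 2: start sentinel ';', PAN (13-19 digits), field
# separator '=', expiry YYMM, 3-digit service code, discretionary data,
# end sentinel '?'. This is the cleartext record a scraper looks for.
TRACK2_RE = re.compile(rb';(\d{13,19})=(\d{4})(\d{3})[^?]{0,20}\?')


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits in any report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_track2(buf: bytes) -> list:
    """Return one masked finding per Luhn-valid track-2 record in buf."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue            # noise, not cardholder data
        findings.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return findings


# Constructed stand-in for a POS process dump: one real-format record,
# one digit run that fails Luhn, surrounded by unrelated bytes.
SAMPLE_DUMP = (
    b"\x00\x00pos_app.exe\x00"
    b";4111111111111111=2512101123456?"    # constructed test PAN, Luhn-valid
    b"\x00\x00order=8813\x00"
    b";4111111111111112=2512101000000?"    # fails Luhn, should be ignored
    b"\xff\xff"
)

if __name__ == "__main__":
    for f in find_cleartext_track2(SAMPLE_DUMP):
        print(f"cleartext track 2 at offset {f['offset']}: {f['pan_masked']} "
              f"exp {f['expiry']} svc {f['service_code']}")
```

A clean result on a dump taken while a transaction is in flight is the evidence that the terminal-to-processor design Wisniewski recommends is actually in place; a hit means the host still sees stripe data in the clear.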