Rooting Pokémons in Google Play Store
16.9.2016 Kaspersky Android
A few days ago we reported to Google the existence of a new malicious app in the Google Play Store. The Trojan presented itself as the “Guide for Pokémon Go”. According to the Google Play Store it has been downloaded more than 500,000 times. Our data suggests there have been at least 6,000 successful infections, including in Russia, India and Indonesia. However, since the app is oriented towards English-speaking users, people in such geographies, and more, are also likely to have been hit.
Analysis reveals that the app contains a malicious piece of code that downloads rooting malware – malware capable of gaining access to the core Android operating system, in this case for the purposes of unsolicited app install and adware.
Kaspersky Lab products detect the Trojan as HEUR:Trojan.AndroidOS.Ztorg.ad.
At least one other version of this particular app was available through Google Play in July 2016. Further, we have tracked back at least nine other apps infected with this Trojan and available on Google Play Store at different times since December 2015.
Trojan characteristics
The Trojan has many layers of defense in place to help it bypass detection. This includes a commercial packer that decrypts the original executable file to make it harder to analyze. The unpacked executable file contains useful code related to the malicious Pokémon Go guide, and one small and obfuscated module.
Process of infection
This small module doesn’t start when the user launches the app. Instead, it waits for the user to install or uninstall another app, then checks to see if that app runs on a real device or on a virtual machine. If it turns out that it’s dealing with a device, the Trojan will wait for a further two hours before starting its malicious activity.
The first thing it does is connect to its command-and-control (CnC) server and upload data about the device, including country, language, device model and OS version.
If the server wants the Trojan to continue it will respond with an ID string. Only if the Trojan receives this ID string will it make its next request to the CnC. If it doesn’t receive anything, it will wait for two hours and then resubmit the first request. This feature is included so that the control server can stop the attack from proceeding if it wants to – skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. Among other things, this provides an additional layer of protection for the malware.
Upon receiving the second request, the CnC server will send the Trojan a JSON file containing a URL. The Trojan downloads the file from the specified URL, decrypts it and executes it. In our case the Trojan downloaded a file detected as HEUR:Trojan.AndroidOS.Ztorg.a. This file is obfuscated too.
After execution, the Trojan will drop and download some more files. All downloaded files are encrypted and most of them are local root exploit packs for vulnerabilities dating from 2012 to 2015, including one that was previously used by Hacking Team.
These other files represent additional modules of the Trojan and are detected by Kaspersky Lab as:
HEUR:Backdoor.AndroidOS.Ztorg.c, HEUR:Trojan.AndroidOS.Muetan.b, HEUR:Trojan.AndroidOS.Ztorg.ad, HEUR:Backdoor.AndroidOS.Ztorg.h, HEUR:Backdoor.AndroidOS.Ztorg.j, HEUR:Trojan-Dropper.AndroidOS.Agent.cv, HEUR:Trojan.AndroidOS.Hiddad.c, along with a few clean tools such as busybox and chattr.
Using these exploit packs the Trojan will gain root access rights to the device. After gaining root access, the Trojan will install its modules into the system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user.
Most of the other apps with this Trojan module available in Google Play had about 10,000 downloads (according to Google Play), but one – “Digital Clock” had more than 100,000 downloads.
MD5 of Malicious Files Mentioned in Article
8CB3A269E50CA1F9E958F685AE4A073C
0235CE101595DD0C594D0117BB64C8C3
Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor
15.9.2016 thehackernews Vulnerability
Do you own an Android Smartphone from Xiaomi, HTC, Samsung, or OnePlus?
If yes, then you must be aware that almost all smartphone manufacturers provide custom ROMs like CyanogenMod, Paranoid Android, MIUI and others with some pre-loaded themes and applications to increase the device's performance.
But do you have any idea about the pre-installed apps and services your manufacturer has put on your device? What are their purposes? And do they pose any threat to your security or privacy?
With the same curiosity to find answers to these questions, a Computer Science student and security enthusiast from the Netherlands who owns a Xiaomi Mi4 smartphone started an investigation into the purpose of a mysterious pre-installed app, dubbed AnalyticsCore.apk, that runs 24x7 in the background and reappears even if you delete it.
Xiaomi is one of the world's largest smartphone manufacturers, which has previously been criticized for spreading malware, shipping handsets with pre-loaded spyware/adware and forked version of Android OS, and secretly stealing users' data from the device without their permission.
Xiaomi Can Silently Install Any App On your Device
After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours.
While making these requests, the app sends device identification information with it, including phone's IMEI, Model, MAC address, Nonce, Package name as well as signature.
If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction.
"I couldn't find any proof inside the Analytics app itself, so I am guessing that a higher privileged Xiaomi app runs the installation in the background," Broenink says in his blog post.
Now the question is: does your phone verify the correctness of the APK, and does it make sure that it is actually an Analytics app?
Broenink found that there is no validation at all of which APK is getting installed on the user's phone, which means there is a way for hackers to exploit this loophole.
This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server.
"So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this App Installer gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed," Broenink said.
Hackers Can Also Exploit This Backdoor
Since the researcher didn't find the actual purpose of the AnalyticsCore app, neither on Googling nor on the company's website, it is hard to say why Xiaomi has kept this mysterious "backdoor" on its millions of devices.
As I previously said: There is no such backdoor that only its creator can access.
So, what if hackers or any intelligence agency figure out how to exploit this backdoor to silently push malware onto millions of Xiaomi devices within just 24 hours?
Ironically, the device connects and receives updates over a plain HTTP connection, exposing the whole process to Man-in-the-Middle attacks.
"This sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any APK for your device specifically," Broenink said.
Even on the Xiaomi discussion forum, multiple users have shown their concerns about the existence of this mysterious APK and its purpose.
"Don't know what purpose does it serve. Even after deleting the file it reappears after some time," one user said.
Another said, "if I go to battery usage app, this app is always at the top. It is eating away at resources I believe."
How to Block Secret Installation?
As a temporary workaround, Xiaomi users can block all connections to Xiaomi-related domains using a firewall app.
No one from the Xiaomi team has yet commented on its forum about the question raised by Broenink. We'll update the story as soon as we hear from the company.
Meanwhile, if you are a Xiaomi user and have experienced anything fishy on your device, hit the comments below and let us know.
FBI Director — You Should Cover Your Webcam With Tape
15.9.2016 thehackernews Security
Should you put a tape or a sticker over the lens of your laptop's webcam?
Yes, even Facebook CEO Mark Zuckerberg and FBI Director James Comey do that.
Covering your laptop's webcam is a cheap and effective way to guard against hackers and intruders who might want to watch your private life and surroundings through your devices.
In fact, Comey recently came out defending his own use of tape to cover his personal laptop's webcam.
People Are Responsible for Their Safety, Security & Privacy
During a conference at the Center for Strategic and International Studies, when Comey was asked whether he still puts tape over his cameras at home, he replied:
"Heck yeah, heck yeah. And also, I get mocked for a lot of things, and I am much mocked for that, but I hope people lock their cars… lock your doors at night. I have an alarm system. If you have an alarm system you should use it, I use mine."
Comey went on to explain that it was common practice at the FBI and other government offices to cover computers and laptops' webcams with tape or any physical cover.
"It’s not crazy that the FBI Director cares about personal security as well," he continued. "If you go into any government office, we all have our little camera things that sit on top of the screen, they all have a little lid that closes down on them, you do that, so people who do not have authority don’t look at you, I think that’s a good thing."
Comey believes that putting a cover over webcams is one of the "sensible things" that everyone should be doing to "take responsibility for their own safety and security."
While this practice is often made fun of, taping over your device's webcam is a good habit to adopt. We know of the FBI's and NSA's ability to spread malware and turn on a device's webcam to spy on targets.
The Edward Snowden leaks revealed the NSA's Optic Nerve operation, which captured webcam images every 5 minutes from random Yahoo users; in just six months in 2008, images of 1.8 million users were captured and stored on government servers.
Internet of Things: Security Nightmare
However, putting a tape over the lens of your computer's webcam would not solve the problem, especially in this era when we are surrounded by so many Internet-connected devices that are a security nightmare.
Due to insecure implementations, these Internet-connected, or Internet of Things (IoT), devices, including security cameras, are so vulnerable that hackers routinely hijack them and use them as weapons in cyber attacks.
So it is far easier for hackers to hack your security cameras, rather than your laptop's webcam, to keep track of you and your environment.
Do you feel the need to use a tape over your webcam? Let us know down in the comments.
ClixSense Data Breach, 6.6 Million users’ records stolen
15.9.2016 securityaffairs Crime
Hackers have breached the database of the advertising company ClixSense and stolen the details of 6.6 million users.
Here we are again to discuss a new data breach, one that exposed millions of user records of the advertising service ClixSense. ClixSense allows its clients to earn money online through paid surveys, free offers and pay-per-click advertising.
The popular security expert Troy Hunt who operates the breach notification service HaveIBeenPwned reported the ClixSense data breach that compromised at least 6.6 million user records, 2.4 million of which are already public.
The stolen data includes names, usernames, email addresses, passwords stored in plain text, account balances, dates of birth, payment information and IP addresses.
“In September 2016, the paid-to-click site ClixSense suffered a data breach which exposed 2.4 million subscriber identities. The breached data was then posted online by the attackers who claimed it was a subset of a larger data breach totalling 6.6 million records. The leaked data was extensive and included names, physical, email and IP addresses, genders and birth dates, account balances and passwords stored as plain text.
Compromised data: Account balances, Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Payment histories, Payment methods, Physical addresses, Usernames, Website activity” wrote Hunt.
The company has confirmed the incident and reported a successful cyber attack that allowed hackers to gain access to its database server. It seems that attackers reached the database server with a lateral movement from an old server that had still been connected to it.
“It has come to our attention that this hacker did get access to our database server for a short period of time. He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server. (This server has since been terminated).” reads the official statement issued by the company.
“He was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to “hacked account” and deleted many forum posts. He also set user balances to $0.00.”
The hackers were also able to alter data in the database, including account names and user balances, which were set to zero; the company says it has since restored the balances.
“We were able to restore the user balances, forum and many account names. Some of you were asked to fill out your name again as we did not want to restore this from our backup due to the amount of time it would have taken to get back online,” reads the statement.
In response to the incident, ClixSense shut down the breached server, partially restored from backup, reset passwords and advised users to change their passwords.
The hackers published a post on Pastebin announcing the data breach and claimed to have had access to 6,606,008 user records in the database as well as the complete source code of the ClixSense website. According to the hackers, they released a data sample online after ClixSense initially denied being breached.
Let me close with a list of the most recent data breaches, which have flooded the criminal underground with hundreds of millions of credentials:
Myspace (360 million)
LinkedIn (167 million)
Rambler (100 million)
VK (100 million)
Tumblr (65 million)
VerticalScope (45 million)
Last.fm (43 million)
QIP (33 million affected)
Colin Powell’s emails leaked online. He calls Trump ‘National Disgrace’
15.9.2016 securityaffairs Hacking
A new batch of Colin Powell’s emails was leaked online by Russian hackers. Powell criticized both presidential candidates, Trump and Clinton.
Powell’s emails, sent over a couple of years, have been published on the website DC Leaks in a password-protected section that was available only to select news outlets. These e-mails belong to a new batch not included in the Powell dump leaked a few years ago.
The emails contain Powell’s correspondence with his close collaborators, his team at a speakers bureau and journalists over a period of 26 months.
The emails, which span from June 2014 to last month, include Powell’s harsh comments on the presidential candidates Donald Trump and Hillary Clinton.
The data leak was attributed to a group of Russian state-sponsored hackers known as APT28 or Fancy Bear. The group is the same one that recently leaked US athletes’ medical records stolen from the World Anti-Doping Agency.
According to an investigation conducted by researchers at security firm ThreatConnect, the hackers are linked to the Kremlin.
Powell told the The New York Times that the leaked messages are authentic.
“An aide to Mr. Powell confirmed the hack and said, ‘They are his emails.’”
Powell was highly critical of many politicians; in one of the hacked emails he calls Trump a ‘national disgrace and an international pariah.’
A message dated June 23, 2016, sent by Colin Powell to former Secretary of State Condoleezza Rice, reads:
“if Donald were to somehow win, by the end of the first week in office he’d be saying ‘What the hell did I get myself into?'”
Colin Powell also criticized Hillary Clinton’s campaign and the way she handled the theft of her emails.
“I would rather not have to vote for her, although she is a friend I respect,” Powell wrote. “A 70-year person with a long track record, unbridled ambition, greedy, not transformational, with a husband still d—ing bimbos at home (according to the NYP).”
The Clinton campaign’s “email ploy this week didn’t work and she once again looks shifty if not a liar,” Powell wrote on August 20 to someone he worked with at the White House. “Trump folks having fun with her.”
In a separate leaked email exchange reported by NBC News, Powell also criticized aides to Hillary Clinton for their attempts to involve him in the controversy over her use of a private email server when she served as Secretary of State.
In other emails reported by BuzzFeed News, Colin Powell accuses Trump of having embraced a “racist” movement when he publicly questioned the validity of President Obama’s birth certificate.
“Yup, the whole birther movement was racist,” Mr. Powell wrote in an email to a former aide, according to BuzzFeed. “That’s what the 99% believe. When Trump couldn’t keep that up he said he also wanted to see if the certificate noted that he was a Muslim. As I have said before, ‘What if he was?’ Muslims are born as Americans everyday,” the NYT reported.
It’s still not clear how the hackers compromised Powell’s Gmail account in order to steal the messages.
Some experts argued that Powell’s Gmail account was hacked because he shared the same login credentials with a web service that was compromised in the past. Colin Powell’s Gmail credentials were also used to access Dropbox, and those credentials are contained in the Dropbox dump recently leaked online.
Colin Powell’s emails have been leaked a few months after the mysterious hacker Guccifer 2.0 hacked the Democratic National Committee. Powell’s e-mails were published on a password-protected portion of DC Leaks that was available only to select news outlets. So far, there have been no definitive reports on precisely how the messages were obtained by DC Leaks.
How to hack Google FR by exploiting a cross-site scripting flaw
15.9.2016 securityaffairs Android
The security expert Issam Rabhi (@issam_rabhi) has discovered a cross-site scripting vulnerability in Google France. The giant already fixed it.
A security expert from the French security outfit Sysdream, Issam Rabhi (@issam_rabhi), discovered a cross-site scripting vulnerability in Google France. Yes, you‘ve got it right: the website of the IT giant was affected by one of the most common vulnerabilities. According to the OWASP Top Ten, cross-site scripting is the third most common issue affecting web applications.
This kind of flaw could be exploited by a malicious attacker for various attacks, including defacements and traffic hijacking.
“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” reads the description provided by the OWASP TOP 10.
Rabhi reported the cross-site scripting vulnerability to Google on August 5th, and the company’s engineers fixed it in just four days.
Rabhi published a proof of concept for the attack on his website; the exploitation steps are reproduced below:
First, open the link below using the Firefox browser:
https://www.google.fr/#q=Olympiade&mie=oly%2C%5B%22%2Fm%2F03tnk7%22%2C1%2C%22r%22%2C1%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2C0%5D
Then, insert the following payload in the search input field:
<svg onload=alert(document.domain)>
Finally, the alert message box will pop up on the screen.
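The payload works because the search term is written back into the page as markup rather than as text. The following is an added example, not Rabhi's proof of concept nor Google's code, showing the vulnerable reflection pattern beside the fix: contextual output encoding with Python's standard-library `html.escape`, plus a conservative Content-Security-Policy header as a second layer. The page fragments, parameter name `q` and the sample query string are constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string; the payload is the one quoted in the article.
SAMPLE_QUERY = "q=Olympiade&mie=%3Csvg+onload%3Dalert(document.domain)%3E"


def reflected_param(query_string: str, name: str) -> str:
    """Pull one parameter out of the query string the way a search page would."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(term: str) -> str:
    """The vulnerable pattern: untrusted input concatenated straight into HTML."""
    return "<p>Results for: %s</p>" % term


def render_safe(term: str) -> str:
    """HTML-body context: escape <, >, &, and quotes so the browser renders text only."""
    return "<p>Results for: %s</p>" % html.escape(term, quote=True)


def render_attr_safe(term: str) -> str:
    """Attribute context: quote=True is required here, otherwise a stray quote
    would let input break out of the value="" attribute."""
    return '<input name="q" value="%s">' % html.escape(term, quote=True)


def security_headers() -> dict:
    """Defence in depth: a CSP that forbids inline script, so even a missed escape
    cannot execute an injected <svg onload=...> handler in supporting browsers."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_raw_markup(rendered: str, term: str) -> bool:
    """Simple detection check: does the raw tag from the input survive into the output?"""
    return "<" in term and term in rendered


if __name__ == "__main__":
    payload = reflected_param(SAMPLE_QUERY, "mie")
    print("vulnerable:", render_unsafe(payload))
    print("escaped:   ", render_safe(payload))
    print("attribute: ", render_attr_safe('" onmouseover="alert(1)'))
```

Escaping must match the context the data lands in: the body and attribute cases above are the two most common, and a value placed inside a `<script>` block or a URL needs its own encoder rather than `html.escape`.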
The expert did not submit the bug under the Google bug bounty program, but he received kudos from his colleagues.
An Uninvited Visitor Earns Money for Cybercriminals: It Displays Ads and Calls Premium Lines
14.9.2016 Novinky/Bezpečnost Android
Users should beware of new malicious code called CallJam, discovered by security experts at Check Point. This uninvited visitor can place calls from a smartphone to premium-rate numbers, making the user's regular bill considerably more expensive. It also displays advertising on the device's screen, earning the attackers additional money.
The researchers found the malicious code in the game Gems Chest for Clash Royale, which has been available for download on Google Play for Android devices since May of this year. Since then, hundreds of thousands of people have downloaded it.
“CallJam redirects victims to malicious web servers that generate fraudulent revenue for the attackers. The application displays fraudulent ads on these websites instead of showing them directly on the device,” warned David Řeháček, a security expert at Check Point.
The CallJam virus disguised itself as the game Gems Chest for Clash Royale.
PHOTO: Check Point
According to him, however, more experienced users could have noticed that something was wrong right after downloading the app. “Even before the malware abuses the infected device to call premium numbers, the application asks for permissions. Unfortunately, as we have often seen in similar previous attacks, most users grant the permissions voluntarily and often without reading or fully understanding the possible consequences,” Řeháček added.
The device then dials pre-selected numbers that generate profit for the attackers. Incidentally, the advertising that CallJam is also able to display earns them money as well.
“The game achieved a relatively high rating because users were asked to rate it before the malicious activity started, under a false pretext and with the promise of further in-game bonuses. This is another example of how attackers can obtain a high rating for their application, distribute it through the official app store, and endanger devices and sensitive data,” the security expert stated.
The discovered game Gems Chest for Clash Royale, which contained the malicious virus, was intended for the Android operating system. However, it cannot be ruled out that attackers will disguise CallJam as an entirely different application, or that they will try to trick users of other mobile platforms with it as well.
It locks the phone's screen
Not long ago, a fake version of the game Pokémon Go also targeted the Android operating system. It was a so-called lockscreen, which locks the phone's screen and thereby blocks it completely. The computer pirates managed to smuggle this intruder into the official Google Play store as well.
“Pokemon GO Ultimate is the first recorded fake application in Google Play with lockscreen functionality. In reality it is not very harmful; its goal is hidden clicking on porn ads,” said Petr Šnajdr, a security expert at Eset.
The attackers' intent is therefore obvious. They are not trying to harm the user or steal their data. They merely try to increase the ad revenue of the websites in question by artificially inflating clicks on banners. The locked screen cannot be unlocked in any way.
In many cases the only solution is a so-called hard restart of the device, done simply by removing the battery or pressing a certain key combination. Even after the restart, however, the uninvited visitor can keep clicking on porn sites in the background and eat away at the smartphone's performance.
iOS Platform Update Turns Phones and Tablets into Non-Functional Bricks
14.9.2016 Novinky/Bezpečnost Apple
Users of iPad tablets and iPhone smartphones may run into a very unpleasant bug. The major update of the iOS 10 operating system contains a bug that can turn a mobile device into a literally non-functional brick.
Apple released the update on Tuesday night. Just a few hours later, social networks were flooded with complaints from users warning others that not everything may be in order with the update.
After a failed update, a message remains on the phone's screen saying that the device must be connected to a computer. The user then learns that they have lost their data, unless they made a backup beforehand.
PATJEM (@patjem) on Twitter, 7:40 PM - 13 Sep 2016: “Looks like an iPhone brick after iOS 10 OTA update @iCulture @MacRumors”
One user complains about the update bug on Twitter.
Representatives of the American computer giant have not yet officially confirmed the bug. However, there are at least dozens of affected users.
Only when updating from the phone or tablet
It is not yet clear which specific model lines bearing the bitten-apple logo are affected; the bug has been recorded on both newer and older iPads and iPhones. What is certain, however, is that the problems always occurred when updating directly from the smartphone or tablet.
In other words, if users performed the update via a computer, according to the information available so far the bug did not occur.
Seth Weintraub (@llsethj) on Twitter, 7:35 PM - 13 Sep 2016: “Wow. iPad pro update failed. I don't even know if I have iTunes or a free USB port! U: Have to do clean install wtf”
The bug affects both iPhones and iPads.
Reportedly nothing can be done with a device that is blocked after a failed update. It can only be brought back to life by restoring it to factory settings. As mentioned above, in that case users lose their stored data unless they made a backup before installing.
The same problem all over again
Similar cases are not exceptional. An update released in 2011 also turned iPhones and iPads into non-functional bricks.
At that time the developers solved the problem by releasing a fixed version of iOS that no longer caused such blocking of the device. It can therefore be assumed that in this case too the problems will be resolved in one of the next updates.
When the next update might come out, however, is not yet clear.
New Kaspersky Anti-Malware Better Secures Connections to Sensitive Sites
14.9.2016 SecurityWorld Security
Kaspersky Lab has introduced a new version of Kaspersky Internet Security – multi-device, fully in Czech, to our market. It offers users several additional ways to secure their data on the Windows, Mac and Android platforms.
For example, the Windows version now includes the Secure Connection feature, which ensures that user data cannot be intercepted by fraudsters while connected to the internet. The Software Updater and Software Cleaner add-ons can in turn help fix potential gaps in the device's security.
In addition, the new solution is equipped with other technologies such as multi-level protection of financial transactions (Safe Money), prevention of unwanted application installs (Application Manager, previously part of the Change Control add-on) and blocking of advertising banners in the browser (Anti-Banner).
As for Secure Connection, this feature makes it possible to connect to the internet securely by encrypting all data sent and received over the network. This is especially important when carrying out financial transactions, logging in to websites or transferring confidential information.
It is useful mainly while travelling, when many people connect to unsecured Wi-Fi networks more often in order to stay connected. Secure Connection can be launched either from the product's main menu or automatically when connecting to a public Wi-Fi network or entering confidential information, for example on bank websites, in online storage, payment systems, e-mail, social networks, etc.
Cleaner in turn monitors all applications installed on the computer and warns of those that may pose a potential risk. It alerts users when a program has been added to their device without their knowledge (for example, bundled software during the installation of another application), or when a program slows down their device, provides incomplete or incorrect information about its functions, runs in the background, displays banners and messages without permission (advertising), or is used only rarely.
Danger Is the Most Widespread Virus Threat in the Czech Republic, Spreading via Unsolicited E-mails
14.9.2016 Novinky/Bezpečnost Viruses
Users should beware of a computer virus called Danger. This uninvited visitor is spreading in the Czech Republic literally like an avalanche, mainly through unsolicited e-mails. It currently holds the absolute top spot in the ranking of the most widespread threats compiled by the antivirus company Eset.
The virus, whose full name is JS/Danger.ScriptAttachment, is very dangerous: it opens a back door into the operating system. Attackers can then use it to smuggle further malicious code onto the infected computer; most often they spread ransomware extortion viruses this way.
This malicious code starts encrypting the computer's contents and shows the user a notice that they must pay to have the computer decrypted, otherwise they will supposedly never get to their data again. Even after paying the ransom, users have no guarantee that they will actually regain access to their data.
The virus must be uninstalled from the computer and the data then decrypted using a special program. In some cases, however, this is not possible.
Attackers can control the device remotely
The second most widespread threat is the malicious code Nemucod. “In August, Eset recorded a new version of it that delivers a so-called backdoor to infected devices, allowing an attacker to control the device remotely and without its owner's knowledge,” said Miroslav Dvořák, technical director of Eset.
Although the Nemucod malware holds second place in the statistics, its share of detected threats was only 5.4 percent. This too shows how big a threat the Danger malicious code, which currently dominates the statistics, represents.
Third place goes to the Java/Adwind virus. It also functions as a back door into the system and is most often abused for attacking bank accounts. “Overall it accounted for 3.8 percent of detected cases,” Dvořák added.
The list of the ten most widespread threats for August can be found in the table below:
Ten most widespread computer threats – August 2016
1. JS/Danger.ScriptAttachment (45,26 %)
2. JS/TrojanDownloader.Nemucod (5,4 %)
3. Java/Adwind (3,8 %)
4. PDF/Fraud (3,57 %)
5. VBA/TrojanDownloader.Agent.BOB (2,7 %)
6. VBA/TrojanDownloader.Agent.BRC (2,22 %)
7. VBA/TrojanDownloader.Agent.BPQ (2,06 %)
8. VBA/TrojanDownloader.Agent.BOJ (1,8 %)
9. VBA/TrojanDownloader.Agent.BNH (1,77 %)
10. VBA/TrojanDownloader.Agent.BPB (1,62 %)
Source: Eset
The Project Zero Contest — Google will Pay you $200,000 to Hack Android OS
14.9.2016 securityaffairs Hacking
Why wait for researchers and bug hunters to find vulnerabilities in your products when you can just throw a contest for that?
Google has launched its own Android hacking contest with the first prize winner receiving $200,000 in cash.
That's a Hefty Sum!
The contest is a way to find and destroy dangerous Android vulnerabilities before hackers exploit them in the wild.
The competition, dubbed 'The Project Zero Prize,' is being run by Google’s Project Zero, a team of security researchers dedicated to documenting critical bugs and making the web a safer place for everyone.
What Are the Requirements?
Starting Tuesday and ending on March 14, 2017, the contest will only award cash prizes to contestants who can successfully hack any version of Android Nougat on Nexus 5X and 6P devices.
However, the catch here is that Google wants you to hack the devices knowing only the devices' phone numbers and email addresses.
To get their exploits working, contestants are allowed to trick a user into opening an email in Gmail or an SMS text message in Messenger, but no other user interaction beyond this is allowed.
So, if you want to participate in 'The Project Zero Prize' contest, you are advised to focus on flaws or bug chains that would allow you to perform Remote Code Execution (RCE) on multiple Android devices.
"Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests," Project Zero security researcher Natalie Silvanovich said in a blog post while announcing the competition.
Therefore, the company has taken this initiative to run its own hacking contest in search of severe Android security vulnerabilities.
Contest Cash Prizes
First Prize: worth $200,000 USD will be awarded to the first winning entry.
Second Prize: worth $100,000 USD will be awarded to the second winning entry.
Third Prize: At least $50,000 USD will be awarded to additional winning entries.
Besides cash prizes, winners will also be invited to write a short technical report describing their entry, which will then be posted on the Project Zero Blog.
For more details about the contest, you can check out the Project Zero Security Contest Official Rules.
Microsoft and Adobe Roll Out Critical Security Updates - Patch Now!
14.9.2016 securityaffairs Vulnerability
You should not miss this month’s Patch Updates, as it brings fixes for critical issues in Adobe Flash Player, iOS, Xcode, the Apple Watch, Windows, Internet Explorer, and the Edge browser.
Adobe has rolled out a critical update to address several issues, most of which are Remote Code Execution flaws, in its widely-used Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. Meanwhile, Microsoft has released 14 security updates to fix a total of 50 vulnerabilities in Windows and related software.
First of all, if you have Adobe Flash Player installed and have not yet updated your software plugin, you are playing with fire.
Critical Flash Vulnerabilities Affect Windows, Mac, Linux and ChromeOS
Adobe has released its latest round of security patches to address critical vulnerabilities in Adobe Flash Player for Windows, Mac OS X, Linux and ChromeOS.
The Flash vulnerabilities could potentially allow an attacker to take control of the vulnerable system. Users are therefore strongly advised to update to Flash Player version 23.0.0.162 before attackers get their hands on them.
However, the best advice I can give you is to ditch this insecure, buggy software once and for all and significantly improve the security of your system in the process.
Even PornHub said Good Bye to Flash Player, so it's no longer an excuse for you to keep Flash on your PC ;)
Meanwhile, Microsoft has released its September 2016 Patch Update that includes 14 bulletins, seven of which earned its most dire "critical" rating and seven are rated as "important," addressing a total of 50 vulnerabilities.
Critical Zero-Day Exploit in the Wild
The most critical vulnerability addressed by Microsoft, in the MS16-104 and MS16-105 updates, is a zero-day vulnerability in Internet Explorer (IE) and Edge.
Dubbed Microsoft Browser Information Disclosure Vulnerability (CVE-2016-3351), the zero-day flaw could allow an attacker to perform remote code execution attacks by tricking a victim into viewing a specially crafted webpage using Internet Explorer or Edge.
If exploited successfully, the attacker would gain the same user rights as the current user and could take control of an affected system, if the victim is logged on with administrative user rights, potentially allowing the attacker to install malware, modify or delete data, or even create new accounts with full user rights.
This informational disclosure bug was first reported by Proofpoint researchers with the help of Trend Micro in 2015, when they uncovered a massive malvertising campaign, dubbed AdGholas, actively exploiting the CVE-2016-3351 flaw.
The researchers also found another hacking group named GooNky actively exploiting the flaw. For in-depth details about the flaw, you can head on to Proofpoint's blog post.
Another critical bulletin, MS16-108, affecting organizations that use Exchange Server for their email platform, addresses a file format parsing flaw that could be exploited for remote code execution to gain full control of the Exchange Server. This flaw affects all supported versions of Exchange Server.
To exploit the flaw, all an attacker needs to do is send a malicious file to anyone in the organization, and boom: Exchange Server pre-parses the file to determine its type, which triggers the exploit before users even receive the file.
Other Critical and Important flaws in Windows and its Software
Other critical bulletins include MS16-106, which fixes five holes in the Windows Graphics Device Interface; MS16-107, which contains patches for Microsoft Office and SharePoint addressing a total of 13 vulnerabilities; MS16-116, which fixes an RCE flaw in the Microsoft OLE Automation mechanism and the VBScript Scripting Engine; and MS16-117, which includes critical fixes for the Adobe Flash libraries contained in Internet Explorer 10 and 11 and Microsoft Edge.
Note: The MS16-11 fix requires users to first apply the Internet Explorer update (MS16-104) in order to be effective.
Important Bulletins include fixes for RCE flaws in Windows, SMBv1 Server and Silverlight; elevation of privilege flaws in the Windows Kernel and Windows Lock Screen; an information disclosure bug in the Windows Secure Kernel Mode; and a pair of information disclosure vulnerabilities in Windows PDF Library.
Users are advised to apply the Windows as well as the Adobe patches to keep hackers and cybercriminals from taking control of their computers.
Microsoft Ends Tuesday Patches Trend
The September Patch Update was the last traditional Windows Patch Tuesday as the tech giant is moving to a new patching release model.
Future patch updates will bundle all patches together, and you will no longer be able to select which updates to install. The whole package of patches will be installed at once, which leaves attackers no window to target vulnerabilities for which patches have already been released.
In addition, the new "Monthly Rollup" will be cumulative: the November patch update, for example, will also include all the patches from October.
Apply the security updates issued by Adobe and Microsoft asap
14.9.2016 securityaffairs Vulnerability
Are you still using Adobe Flash Player? Are you browsing the web with IE or Edge? Does your company use an Exchange Server? Apply security updates asap!
It’s time to patch your systems, especially if you have installed Adobe Flash Player. Adobe has released Security updates to fix critical Flash vulnerabilities that affect any OS (Windows, Mac, Linux), including ChromeOS.
The security vulnerabilities in Flash could be exploited by attackers to gain control of the vulnerable system, as explained by Adobe in an executive summary:
“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. ” reads the security advisory issued by Adobe.
Users are urged to update their Flash Player to the version 23.0.0.162.
Adobe users are not the only ones under fire: Microsoft has released the September 2016 Patch Update, which includes 14 bulletins addressing a total of 50 vulnerabilities. Seven bulletins in the latest patch update have been rated as “critical,” the other seven as “important.”
One of the vulnerabilities fixed by the update is a zero-day flaw (CVE-2016-3351) in Internet Explorer (IE) and Edge, addressed in bulletins MS16-104 and MS16-105.
CVE-2016-3351, the so-called Microsoft Browser Information Disclosure Vulnerability, could be exploited by an attacker to remotely execute code by tricking a victim into visiting a specially crafted webpage using Internet Explorer or Edge.
Once the victims visit the webpage, the attacker would gain the same user rights as the current user and could take control of the vulnerable system.
The vulnerability was first spotted by security experts at Proofpoint that worked with researchers from Trend Micro.
“Proofpoint researchers recently uncovered a massive malvertising campaign with colleagues at Trend Micro [2]. The actors, dubbed AdGholas, were notable for their use of steganography and careful targeting of the malicious ads for massive volumes of high-quality impressions – impressions that went to 1-5 million “average users” a day and specifically avoided researchers. Avoiding researchers and their virtual machines and sandboxes relied on exploiting an information disclosure zero-day in Microsoft Internet Explorer/Edge, among other techniques.” reads the analysis published by Proofpoint.
The exploitation of the zero-day was first reported by Trend Micro, which uncovered a massive malvertising campaign, dubbed AdGholas, actively exploiting it. The same vulnerability was also exploited in the wild by another threat actor, a hacking crew known as GooNky.
“On September 13, 2016 Microsoft released a security bulletin [1] fixing the CVE-2016-3351 vulnerability, which included a patch for Internet Explorer and Edge browsers. This informational disclosure bug was first reported in 2015. During our work with Trend Micro on the AdGholas [2] campaign, we reported it again and it was assigned a CVE ID and patch. Briefly, this vulnerability is a MIME type check used to filter out systems that have certain shell extension associations, including .py, .pcap, and .saz. In some cases, certain extensions association including .doc, .mkv., .torrent, and .skype are required to trigger the next exploitation step.”
The Microsoft update also addresses another critical flaw in all the supported versions of the Exchange Server (MS16-108) widely adopted by organizations. In this case, attackers could exploit the bug using remote-code execution to get full control of the Exchange Server.
The attack scenario is simple: the attackers just need to send a malicious file to their victims, and the vulnerability is triggered automatically when the Exchange Server pre-parses the file to determine its type.
As mentioned, the Microsoft update addresses many other flaws; take a look at it.
Let me close with a note regarding the traditional Microsoft monthly update: this was the last Windows Patch Tuesday.
Future patch updates will bundle all patches together, which means that users will have to install the whole package of patches at once.
Don’t waste time, patch your system asap.
Periscope Skimming, a new ATM threat spotted in the US
14.9.2016 securityaffairs Hacking
The Secret Service warns of periscope skimming probes; it is the first time that law enforcement has discovered attacks against ATMs conducted with these devices.
The US Secret Service is warning banks and ATM vendors about a new ATM skimmer technology, the so-called ‘periscope skimming.’ The device is composed of a skimming probe that crooks connect to the ATM’s internal circuit board in order to steal card data.
The popular cyber security expert Brian Krebs published images of the periscope skimmer; the photos show the wires protruding from the periscope.
As explained by Krebs, this is the first time that periscope skimming has been spotted by law enforcement in the US. Police have already discovered two installations of periscope skimmers in the country, the first on August 19 in Greenwich, Connecticut, and the second on September 3 in Pennsylvania.
“According to a non-public alert released to bank industry sources by a financial crimes task force in Connecticut, this is thought to be the first time periscope skimming devices have been detected in the United States.” wrote Brian Krebs in a blog post.
The new periscope skimmer can store up to 32,000 payment card numbers and, once installed on the ATM, runs on its own battery for up to 14 days.
In both installations analyzed by law enforcement, the criminals gained access to the insides of the cash machines (referred to as “top-hat” entry) using a key, then installed two devices connected to each other by wiring.
One of the devices is the periscope skimming probe that is installed through a pre-existing hole on the frame of the motorized card reader. The probe connects the pad to the circuit board.
The second device is the so-called “skimming control device,” it is directly connected to the skimming probe and is composed of the battery source and data storage unit.
“The probe is set in place to connect to the circuit board and directly onto the pad that transfers cardholder data stored on the magnetic stripe on the backs of customer payment cards. The probe is then held in place with fast-drying superglue to the card reader frame.” wrote Krebs.
“According to the Secret Service, the only visible part of this skimming device once the top-hat is opened will be the wire extending from the periscope probe that leads to the second part of this skimmer — called a ‘skimming control device.’”
Authorities believe the samples of periscope skimming probes recently discovered are just prototypes; in fact, they lack hidden cameras or other methods of capturing bank customers’ PINs at the ATMs.
Krebs argues that the incidence of such skimming scams will not decrease as more banks begin adopting chip-based payment cards. Most banks and financial institutions will continue to rely on the magnetic stripe even with the new generation of cards. It is likely that banks will continue to use the magnetic stripe at the ATM to check that the card has been inserted correctly into the slot of the cash machine.
“The principal reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time. As long as the cardholder’s data remains stored on a chip card’s magnetic stripe, thieves will continue building and placing these types of skimmers.” explained Krebs.
How to avoid such attacks?
Users should avoid ATMs that may be easier to access from the top-hat: use cash machines installed in the wall at a bank, and do not use ATMs located in unprotected places.
Sports doping agency WADA confirms attack by Russian cyber spies
14.9.2016 securityaffairs BigBrothers
World Anti-Doping Agency (WADA) confirms that Russian hackers breached its Anti-Doping Administration and Management System (ADAMS) database.
Hackers breached the World Anti-Doping Agency (WADA) and stole Olympic athletes’ medical records; the hack was confirmed by the agency. According to WADA, the hackers accessed the Anti-Doping Administration and Management System (ADAMS) database, and security experts speculate the involvement of the “Russian cyber espionage group operator by the name of Tsar Team (APT28), also known as Fancy Bear.”
The hackers obtained access to the system by stealing credentials through a spear phishing attack against an “International Olympic Committee (IOC)-created account for the Rio 2016 Games.”
Hackers exploited the attention on the Olympic Games in order to trick the victims with a classic social engineering attack.
“The World Anti-Doping Agency (WADA) confirms that a Russian cyber espionage group operator by the name of Tsar Team (APT28), also known as Fancy Bear, illegally gained access to WADA’s Anti-Doping Administration and Management System (ADAMS) database via an International Olympic Committee (IOC)-created account for the Rio 2016 Games. The group accessed athlete data, including confidential medical data — such as Therapeutic Use Exemptions delivered by International Sports Federations (IFs) and National Anti-Doping Organizations (NADOs) — related to the Rio Games; and, subsequently released some of the data in the public domain, accompanied by the threat that they will release more.” reads the statement issued by the WADA that regrets the cyber attack.
Tweet from WADA (@wada_ama), 13 September 2016: “WADA Confirms Attack by Russian Cyber Espionage Group: http://ow.ly/gYik304aJxX”
The hackers have released files claiming that top US athletes were authorized by WADA to take performance-enhancing substances; WADA, the sports federations and the athletes themselves have gone public to deny any wrongdoing.
Fancy Bear published the announcement of the data breach and the related file on a website bearing their name. (Be careful before visiting the site: Fancy Bear is one of the most dangerous APT groups and has leveraged zero-day exploits in several attacks.) Below is the message published by the group on the site, which also included the athletes’ medical records.
“Greetings citizens of the world. Allow us to introduce ourselves… We are Fancy Bears’ international hack team. We stand for fair play and clean sport.
We announce the start of #OpOlympics. We are going to tell you how Olympic medals are won. We hacked World Anti-Doping Agency databases and we were shocked with what we saw.”
“We will start with the U.S. team which has disgraced its name by tainted victories. We will also disclose exclusive information about other national Olympic teams later. Wait for sensational proof of famous athletes taking doping substances any time soon.”
Serena Williams, for example, was allowed to take oxycodone, hydromorphone, prednisone and methylprednisolone in 2010, 2014 and 2015, even though the substances are banned by WADA.
According to RT.com, Williams was also allowed to take some other drugs by Dr. Stuart Miller from the International Tennis Federation (ITF).
The WADA director general Olivier Niggli confirmed the involvement of Russian hackers in the statement issued by the agency.
“WADA condemns these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system,” said Niggli. “WADA has been informed by law enforcement authorities that these attacks are originating out of Russia,” he continued. “Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency’s independent McLaren Investigation Report,” Niggli continued.
According to the experts, the hackers hit WADA in response to accusations of government-sponsored doping in Russian athletics; some Russian athletes were even banned from the Olympic Games this summer.
Stay Tuned …
324,000 Financial Records leaked online, who is the victim?
14.9.2016 securityaffairs Crime
A hacker leaked a data dump containing more than 320,000 Financial Records apparently stolen from an Israeli payment processor.
Another data breach is in the headline, roughly 324,000 financial records have been leaked online.
The financial data appears to have been stolen either from payment processor BlueSnap or from its customer Regpack. A hacker published a link to the archive (a file named “Bluesnap_324K_Payments.txt”) on his Twitter account @0x2Taylor.
The hacker who published the link to the stolen data claimed it belonged to the BlueSnap company. BlueSnap is an e-commerce solutions provider that specializes in global payment processing; it allows customers’ websites to accept payments from their clients by offering merchant facilities.
BlueSnap was founded in Israel back in 2001; its name was originally Plimus, and it was rebranded as BlueSnap when it was acquired in 2011.
Regpack is a company that provides online event registration solutions; it has been using BlueSnap’s payment platform since 2013.
The records include names, email addresses, IP addresses, physical addresses, phone numbers, invoices, the last four digits of credit card numbers, and even CVV codes.
Be careful: even though full card data was not disclosed, the leaked CVVs and other info can be used by crooks to conduct card-not-present transactions.
At the time of writing, both BlueSnap and Regpack denied having been the victim of a data breach.
The news was shared by the popular cyber security expert Troy Hunt, who analyzed the leaked records and verified their authenticity.
Hunt highlighted the presence of invoices related to a Jewish company, another circumstance that suggests the involvement of one of the companies mentioned.
“Now it’s possible that the data has come from another unnamed party, but it’s highly unlikely. Not only could I not pick a pattern in the data suggesting it was sourced from elsewhere, but the CVVs just shouldn’t have been there,” Hunt wrote in a blog post. “We’ve got 899 totally separate consumers of the Regpack service (so it’s not from one of them) who send their data direct to Regpack who pass payment data onto BlueSnap for processing. Unless I’m missing a fundamental piece of the workflow (and I’m certainly open to suggestions on what this might be), it looks like accountability almost certainly lies with one of these two parties.”
Hunt contacted both companies for comment; both denied any incident after forensic investigations.
If you want to check whether your data is included in the dump, visit the breach notification service managed by Hunt, the popular https://haveibeenpwned.com/.
How to Hack Smart Bluetooth Locks and IoT Devices — Check this Out
13.9.2016 thehackernews Hacking
Bluetooth Low Energy, also known as Bluetooth Smart or Bluetooth 4, is the leading protocol designed for connecting IoT devices, medical equipment, smart homes and more, and, like most emerging technologies, security is often an afterthought.
As devices become more and more embedded in our daily lives, vulnerabilities have a real impact on our digital and physical security.
Enter the Bluetooth lock, promising digital key convenience with temporary and Internet-shareable access. The problem is, almost all of these locks have vulnerabilities, easily exploited via Bluetooth!
DEF CON always has the coolest new hacks and security news, and this year was no exception. The hacking conferences are a great way to get a pulse on the general status of the security world, what people are interested in, worried about, or looking to exploit.
This year clearly had an uptick in Internet of Things (IoT) devices and ways to hack them.
Obviously, we had to go and take a look at the Bluetooth lock hack, and we are not the only ones.
There were articles in a number of security and general tech sites about how vulnerable some of these locks are – a shocking 75% of them could be hacked relatively easily, and one reported to have great security could actually be broken into with a screwdriver.
The locks were from companies like BlueLock, Kwikset, Noke, August, BitLock, and QuickLock.
How to Hack a Bluetooth Lock:
There have been a number of different researchers who have tackled this problem, but Anthony Rose and Ben Ramsay out of Merculite Security did a great job of thoroughly going through a significant number of them, documenting the hacks and contacting the manufacturers.
Look for plaintext passwords: Many of the locks had passwords but were simply transmitting them in plaintext. Anyone with a decent Bluetooth sniffer like Ubertooth and some effort has just owned your password.
Replay the signal: OK, great you’ve built in awesome encryption and I can't possibly hope to read and decrypt the signal you just sent to that lock. But I just capture and replay what you just sent, and the door opens wide.
Man in the Middle: Here I am, using one of the many Man in the Middle tools to sit in the middle of your connection and control everything you're transmitting to the device. There's *definitely* no way I could change what you’re transmitting (say, to keep the deadbolt from hearing a "lock" command).
The great news is that we found a video of Zero_Chaos and Granolocks at Pwnie Express that shows all of this in action, along with tools you can actually use to detect these attacks.
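The replay and man-in-the-middle weaknesses listed above come down to one design flaw: the lock cannot tell a fresh, authentic command from a recording or a modified copy. The following is an added example, not code from the article or from any lock vendor, modelling a lock that accepts a static unlock token beside one that issues a single-use random challenge and verifies an HMAC over the challenge and the command. Class and function names, the `b"unlock"`/`b"lock"` command strings and the 16-byte nonce size are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets


class VulnerableLock:
    """Toy lock that opens when it receives a fixed unlock token (constructed model,
    not any vendor's firmware). Whoever records one valid frame can replay it."""

    def __init__(self, token: bytes):
        self._token = token
        self.is_open = False

    def receive(self, frame: bytes) -> bool:
        # The lock cannot distinguish a fresh frame from a recording of an old one.
        self.is_open = hmac.compare_digest(frame, self._token)
        return self.is_open


class HardenedLock:
    """Toy lock using a single-use random challenge. The key must answer with
    HMAC(shared_key, nonce || command): a recorded answer is useless once its nonce
    is consumed, and the command cannot be altered without breaking the MAC."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = None  # nonce issued for the current session, if any
        self.is_open = False

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def receive(self, command: bytes, tag: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge, nothing to verify against
        expected = hmac.new(self._key, self._pending + command, hashlib.sha256).digest()
        self._pending = None  # consume the nonce whether or not the tag verifies
        if not hmac.compare_digest(tag, expected):
            return False
        self.is_open = command == b"unlock"
        return True


def key_app_answer(shared_key: bytes, nonce: bytes, command: bytes) -> bytes:
    """What the legitimate phone app sends in reply to a challenge (assumed protocol)."""
    return hmac.new(shared_key, nonce + command, hashlib.sha256).digest()


def replay_against_vulnerable() -> tuple:
    """Owner unlocks once; the captured frame is replayed later and works again."""
    lock = VulnerableLock(token=b"open-sesame")
    first = lock.receive(b"open-sesame")   # genuine owner unlocks
    captured = b"open-sesame"              # what a sniffer saw on the air
    lock.is_open = False                   # door has been locked again meanwhile
    replay = lock.receive(captured)        # recording replayed later
    return first, replay


def replay_against_hardened() -> tuple:
    """Same scenario against the challenge-response lock: the replay fails."""
    key = secrets.token_bytes(32)
    lock = HardenedLock(key)
    nonce = lock.challenge()
    tag = key_app_answer(key, nonce, b"unlock")
    first = lock.receive(b"unlock", tag)   # genuine session succeeds
    lock.is_open = False
    lock.challenge()                       # a new session issues a new nonce
    replay = lock.receive(b"unlock", tag)  # old tag no longer matches
    return first, replay


def tamper_against_hardened() -> bool:
    """A man-in-the-middle flips a 'lock' command to 'unlock' but cannot re-MAC it."""
    key = secrets.token_bytes(32)
    lock = HardenedLock(key)
    nonce = lock.challenge()
    tag = key_app_answer(key, nonce, b"lock")
    return lock.receive(b"unlock", tag)


if __name__ == "__main__":
    print("static token, replay succeeds:", replay_against_vulnerable())
    print("challenge-response, replay succeeds:", replay_against_hardened())
    print("challenge-response, tampered command accepted:", tamper_against_hardened())
```

The point of the hardened variant is that every accepted command is bound to a value the lock itself generated moments earlier; neither recording nor in-flight modification helps without the shared key, which the plaintext-password locks in the article simply hand over.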
Locks are not the only Bluetooth devices shown to be vulnerable. Here’s a quick list of just some of the devices that have already been found vulnerable:
Cars
Teakettles and coffee machines
Medical devices (including implanted ones)
Fitness trackers
This news should be worrying for people who have invested in a cheap Bluetooth lock for their convenience, and such attacks could be a real problem just waiting to happen.
Here's How Hackers Can Disrupt '911' Emergency System and Put Your Life at Risk
13.9.2016 thehackernews Hacking
What would it take for hackers to significantly disrupt the US' 911 emergency call system?
It only takes 6,000 smartphones.
Yes, you heard it right!
According to new research published last week, a malicious attacker can leverage a botnet of infected smartphone devices located throughout the country to knock the 911 service offline in an entire state, and possibly the whole United States, for days.
The attacker would only need 6,000 infected smartphones to launch automated Distributed Denial of Service (DDoS) attacks against 911 service in an entire state by placing simultaneous calls from the botnet devices to the emergency numbers.
Moreover, as few as 200,000 infected mobile phones could knock the 911 emergency call system offline across the entire US.
Where Does the Problem Lie?
Researchers from Ben-Gurion University of the Negev's Cyber-Security Research Center say the problem is in the fact that current US Federal Communications Commission (FCC) regulations demand all calls to 911 must immediately be routed to emergency services, regardless of the caller's identifiers.
In other words, mobile carriers route all 911 emergency calls to a local Public Safety Answering Point (PSAP) without verifying the caller's identity or whether the caller is a subscriber to the mobile network.
These identifiers could be the phone's International Mobile Subscriber Identity (IMSI) and International Mobile Station Equipment Identity (IMEI) codes, which tell the carrier whether the caller is a subscriber to its service and the identity of the mobile equipment, respectively.
How can Attackers Carry Out such Attacks?
All an attacker needs is a mobile botnet to launch TDoS (Telephony Denial of Service) attacks. The attack can be carried out in two ways:
By infecting smartphones with malware, or
By buying the smartphones needed to launch the TDoS attack.
The researchers Mordechai Guri, Yisroel Mirsky, and Yuval Elovici note in a paper [PDF] that an attacker could exploit cellular network protocols by placing a rootkit or persistent, low-level malware within the baseband firmware of a mobile phone.
The rootkit can then mask and randomize all cellular identifiers, causing the cell phone to have no genuine identification within the cellular networks.
"Such anonymised phones [bots] can issue repeated [911] emergency calls that can not be blocked by the network or the emergency call centers, technically or legally," the team notes in the paper.
Second, an attacker could simply buy 6,000 or 200,000 smartphones, which could cost $100,000 or $3.4 million respectively – a small sum for state-sponsored attackers – to jam the 911 emergency system in an entire state or across the whole country.
This TDoS attack should not come as a surprise: during the 9/11 terror attack on the Twin Towers in New York City, thousands of legitimate callers collectively dialing 911 effectively caused a denial of service on both the telephony network and the emergency reporting system.
Of course, the team did not perform this attack in an actual, nationwide system. It created a small simulated cellular network based on North Carolina's 911 network and attacked it instead.
The team bot-infected Samsung Galaxy S3, S4 and S5 smartphones running the Android 4.4 and 5.x operating systems to test their work.
How can we prevent such DDoS campaigns against our Emergency Services?
Such attacks are currently difficult to block, as PSAPs have no way to blacklist fake calls. Also, blocking at the network level is not possible beyond selectively turning off cellular service in bot-infested areas.
However, the researchers suggest some countermeasures that can mitigate such attacks, including:
Storing IMEIs and other unique identifiers in a phone's trusted memory region (such as TrustZone on ARM processors), where malware cannot alter them.
Implementing a mandatory "Call Firewall" on mobile devices to block DDoS activities like frequent 911 calls.
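The "Call Firewall" countermeasure is easy to misunderstand: it is not meant to stop a person from reaching 911, only to stop an automated dialer from placing dozens of emergency calls a minute. The following is an added example, not the researchers' code, of the simplest form such a firewall could take on the device: a sliding-window rate limit that applies only to emergency numbers. The emergency number set, the threshold of three calls per 60 seconds and the dialer log are all constructed for the illustration.

```python
from collections import deque

EMERGENCY_NUMBERS = {"911", "112"}  # assumed set for this example


class CallFirewall:
    """Device-side rate limiter in the spirit of the paper's 'Call Firewall'
    (constructed example). Ordinary dialing is never touched; emergency calls are
    allowed up to max_calls per window_s seconds. A burst beyond that is the
    signature of a TDoS bot, not of a person in distress."""

    def __init__(self, max_calls: int = 3, window_s: float = 60.0):
        self.max_calls = max_calls
        self.window_s = window_s
        self._history = deque()  # timestamps of recently allowed emergency dials

    def decide(self, number: str, ts: float) -> str:
        if number not in EMERGENCY_NUMBERS:
            return "allow"
        # Drop dials that have aged out of the sliding window.
        while self._history and ts - self._history[0] > self.window_s:
            self._history.popleft()
        if len(self._history) >= self.max_calls:
            return "block"
        self._history.append(ts)
        return "allow"


def run_dialer_log(log):
    """Apply the firewall to a list of (timestamp, number) dial attempts."""
    fw = CallFirewall()
    return [(ts, number, fw.decide(number, ts)) for ts, number in log]


def count_blocked(log) -> int:
    return sum(1 for _, _, verdict in run_dialer_log(log) if verdict == "block")


# Constructed dialer log: a person calls 911 twice and a friend once, then malware
# on the same handset starts dialing 911 every two seconds.
SAMPLE_LOG = [
    (0.0, "911"),
    (30.0, "911"),
    (45.0, "5551234"),
    (100.0, "911"),
    (102.0, "911"),
    (104.0, "911"),
    (106.0, "911"),
    (108.0, "911"),
]

if __name__ == "__main__":
    for ts, number, verdict in run_dialer_log(SAMPLE_LOG):
        print(f"t={ts:6.1f}s  {number:>8}  {verdict}")
    print("blocked attempts:", count_blocked(SAMPLE_LOG))
```

The human calls at t=0 and t=30 and the first three malware dials all pass; only from the fourth rapid dial onward does the firewall start refusing. Note that this only helps if the firewall itself lives somewhere the malware cannot disable it, which is why the paper pairs it with keeping identifiers in trusted memory.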
Since these changes would require cooperation between government, security professionals, cellular service providers, emergency services and others, it is hard to expect such significant changes anytime soon.
For in-depth and detailed information about the attack and possible mitigation procedures for US authorities, you can head on to the research paper [PDF] titled, '9-1-1 DDoS: Threat, Analysis and Mitigation.'
Gugi: from an SMS Trojan to a Mobile-Banking Trojan
13.9.2016 Kaspersky Virus
In the previous article, we described the mechanisms used by Trojan-Banker.AndroidOS.Gugi.c to bypass a number of new Android 6 security features. In this article, we review the entire Gugi mobile-banking Trojan family in more detail.
The use of WebSocket by Gugi
The mobile-banking Trojan family, Trojan-Banker.AndroidOS.Gugi is interesting due to its use of the WebSocket protocol to interact with its command-and-control servers. This protocol combines the advantages of HTTP with those of commonly used sockets: there is no need to open extra ports on a device, as all the communication goes through standard port 80. At the same time, real-time data exchange is possible.
It is worth noting that even though this technology is user-friendly, it is not that popular among attackers. Among all the mobile Trojans that utilize WebSocket technology, more than 90% are related to the Gugi family.
WebSocket Usage in Mobile SMS Trojans
We registered the first case of WebSocket technology use in mobile Trojans at the end of December 2013. It was Trojan-SMS.AndroidOS.FakeInst.fn. Judging by the code, the Trojan was created by the same malefactors who created the Trojan-Banker.AndroidOS.Gugi family.
During the initial registration, the FakeInst.fn Trojan uploads a large amount of device-related data to its server. The data includes the telephone number, the carrier information, IMEI, IMSI, etc.
From the server, the malware may receive a JSON file with the following commands (and data for the commands):
SMS – send a text message with specified text to a specified number;
intercept – enable or disable the interception of incoming SMS messages;
adres – change a command-and-control server address;
port – change a command-and-control server port;
contacts – send a bulk SMS message with specified content to all the contact numbers listed on the infected device.
In addition, the Trojan steals all outgoing SMS messages.
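Because the C2 traffic described above rides over a WebSocket on port 80 rather than a custom port, the most useful place to look for it is in the decoded text frames themselves, where the command vocabulary (including the misspelled "adres") is a distinctive fingerprint. The following is an added example, not Kaspersky's code, that scores decoded server-to-client frames against the command keys listed above. The weights, the alert threshold and the sample frames are constructed for the illustration and would need tuning against real traffic.

```python
import json

# Command keys the article lists for the FakeInst.fn / Gugi server protocol, weighted
# by how distinctive each is on its own ('port' alone is far too common to act on).
GUGI_COMMAND_WEIGHTS = {
    "adres": 3,      # misspelled 'address' is the most distinctive marker
    "intercept": 2,
    "contacts": 2,
    "SMS": 2,
    "port": 1,
}
ALERT_THRESHOLD = 2  # assumed tuning value


def score_payload(payload):
    """Return (score, matched keys) for one decoded WebSocket text frame.
    Non-JSON frames and JSON that is not a top-level object score zero."""
    try:
        obj = json.loads(payload)
    except (ValueError, TypeError):
        return 0, []
    if not isinstance(obj, dict):
        return 0, []
    matched = sorted(k for k in GUGI_COMMAND_WEIGHTS if k in obj)
    return sum(GUGI_COMMAND_WEIGHTS[k] for k in matched), matched


def scan_frames(frames):
    """Flag frames whose top-level keys look like the C2 command set described above.
    Returns a list of (frame index, matched keys) for every frame at or above threshold."""
    hits = []
    for idx, frame in enumerate(frames):
        score, matched = score_payload(frame)
        if score >= ALERT_THRESHOLD:
            hits.append((idx, matched))
    return hits


# Constructed sample of decoded server->client text frames (not real captures).
SAMPLE_FRAMES = [
    '{"type":"chat","text":"hello","port":8080}',                  # benign app traffic
    '{"adres":"c2.example.invalid","port":80}',                    # C2 relocation command
    '{"SMS":{"number":"+10000000000","text":"constructed sample"}}',  # send-SMS command
    'ping',                                                        # not JSON at all
    '{"intercept":true}',                                          # toggle SMS interception
    '["not","an","object"]',                                       # JSON but not a command map
]

if __name__ == "__main__":
    for idx, matched in scan_frames(SAMPLE_FRAMES):
        print(f"frame {idx}: suspicious keys {matched} -> {SAMPLE_FRAMES[idx]}")
```

The benign frame carries a `port` key but nothing else from the vocabulary, so it stays below the threshold, while the three command frames are flagged. In practice the scan would run on frames already extracted from the WebSocket session by a proxy or a network sensor, since this code only looks at the decoded text.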
In the middle of January 2014, just a couple of weeks after discovering FakeInst.fn, a new version of the Trojan appeared. The malware was no longer using WebSocket; instead the communication was performed with the help of the HTTP protocol (GET and POST requests). Among all the installation packages of the Trojan, we could discover only two (dating back to the middle of March 2014) that utilized WebSocket. Everything seemed to indicate that the attackers decided to drop the technology for a while. They started to use it again almost two years later, in the Gugi family.
From SMS Trojans to Mobile Banking Trojans
Two years after we found the first version of Trojan-SMS.AndroidOS.FakeInst.fn, which utilized WebSocket, a new WebSocket-using Trojan appeared: Trojan-Banker.AndroidOS.Gugi.a.
There are multiple matches in the Gugi code (variable and method names) with the Trojan-SMS.AndroidOS.FakeInst.fn code. The major changes within Gugi were the addition of a phishing window to steal the device user’s credit-card data and the use of WebSocket. Within all the Gugi mobile-banking Trojan family installation packages detected by us, WebSocket technology is used to communicate with the command-and-control server. Thus, the attackers had switched from Trojan-SMS to Trojan-Banker.
Evolution of the Trojan-Banker.AndroidOS.Gugi
The evolution of the Gugi Trojan can be split into two stages:
“Fanta”
The first stage started in the middle of December 2015. The word “Fanta” is used within the name of all versions of the Trojan related to this stage, for example, “Fanta v.1.0”.
On request from the command-and-control server, Gugi Trojan version 1.0 could perform the following actions:
stop its operation;
steal all the contacts from the device;
steal all the SMS messages from the device;
send an SMS message with specified text to a specified number;
send a USSD request;
steal SMS messages from a specified group/conversation.
In late December 2015, we spotted the next version of Gugi, “Fanta v.1.1”. Its major difference from the previous version was that the code had a way of disabling the phishing window (we would like to remind you that Gugi can also be used as an SMS Trojan). Another new feature allowed contacts to be added to the infected device at the request of the server. This version was spread much more actively than the first one.
At the beginning of February 2016, we detected two new versions of Gugi, “Fanta v2.0” and “Fanta v2.1”. These versions had an increased focus on banking. First, they came with a new phishing window for stealing the username and password from the mobile banking software of one of the largest Russian banks. Secondly, the Trojan code introduced the list of phone numbers of two Russian banks. All incoming SMS messages from these numbers were not only sent to the malefactors’ server (like other SMS messages) but were hidden from the user.
These versions had a phishing window, shown either on request from the server or right after the smartphone had booted up. The window would not close until the user had entered their data.
Then, in the middle of March 2016, we found “Fanta v.2.2”. This became the most popular version of all, accounting for more than 50% of all the installation packages related to the “Fanta” stage. Starting from this version, phishing windows were drawn over banking applications and Google Play.
Phishing window over Google Play Store
One more phishing window started to appear, right before the window for stealing credit-card data. This window read: “Link your credit card to Google Play Store and get 200 rubles for any apps!”
Additionally, starting from this version, the Trojan actively fights its removal. If the malware has Device Administrator rights, then its removal is possible only after disabling those rights. Therefore, whenever the Trojan does not have Device Administrator rights, it aggressively demands such permission, drawing its window over the device settings window.
In April 2016, we found the most recent “Fanta” version to date, “Fanta v.2.3”. That version had only one significant change: if the user disables the Device Administrator rights for the Trojan, then the malware changes the device password, effectively blocking the device.
All versions of “Fanta” are detected by the Kaspersky Lab products as Trojan-Banker.AndroidOS.Gugi.a.
“Lime”
The first file related to the second stage, “Lime”, was found a week before “Fanta v2.3” appeared, at the beginning of April 2016.
The installation package code for “Lime” seems to have been rewritten from the Fanta stage. The code, as well as the version names, had the word “Fanta” excluded and replaced with “Lime” in some lines. The same Trojan name, “Lime”, is seen in the administration panel through which the malefactors control this malware.
Trojan’s administration panel
Versions of the Trojan relating to the “Lime” stage do not change the device password when Device Administrator rights are disabled.
The first file discovered by us in April 2016 was version 1.1 and, judging by the code, was a test file. The next installation package related to the “Lime” stage was discovered in the middle of May 2016. It had the same version number, 1.1, but improved functionality.
The major change in version 1.1 of the “Lime” stage was that it showed new phishing windows. At that time, the Trojan could attack five banking apps of various Russian banks. Additionally, it had a new command to get the list of rules for processing incoming SMS messages. These rules define which messages should be hidden from the user and which messages should be replied to with specific messages.
Further, during the course of May 2016, we discovered files labelled 1.2 and 1.5 by the authors, even though the features of the files had not been changed.
Meanwhile, a new version of the Android OS, version 6.0, was released with security features that did not let the Trojan function properly. In June, we found a new version of the Trojan, 2.0, in which the malefactors had added support for Android 6. On Android 6 devices, the Trojan first requests permission to draw over other apps. Then, using the permission to its own advantage, it practically blocks the device, forcing the user to give Device Administrator rights to the malicious application as well as permission to read and send SMS messages and make calls.
Versions 3.0 and 3.1, which were found in July, have the same features as version 2.0 and utilize the same command-and-control server but different ports. Only one installation package for each version has been found by us. At the same time, version 2.0 continues to be actively spread.
All of the “Lime”-stage versions are detected by Kaspersky Lab products as Trojan-Banker.AndroidOS.Gugi.b and Trojan-Banker.AndroidOS.Gugi.c.
Transmission
The Trojan is actively transmitted via SMS spam, with a link to phishing web pages that show a message indicating that the user has, supposedly, received an MMS picture.
Information about MMS message on phishing website
If the “show” button in the message is clicked, the Trojan-Banker.AndroidOS.Gugi will be downloaded onto the device. It is highly likely that the name of the Trojan downloaded from such a website will be similar to img09127639.jpg.apk.
As we have written in a previous post, we have encountered an explosive growth of Trojan-Banker.AndroidOS.Gugi attacks. August revealed 3 times as many users attacked by Gugi as in July, and almost 20 times as many as in June.
Number of Kaspersky Lab mobile product users attacked by the Trojan-Banker.AndroidOS.Gugi mobile-banking Trojan family
Today, the biggest number of attacks is performed by Lime version 2.0. All of the known active command-and-control servers of this Trojan are related to Lime versions 1.5 – 3.1. Not a single “Fanta” server known to us has been accessible since the middle of August 2016.
More than 93% of attacked users were located in Russia.
2 Israeli teens arrested for allegedly running the vDoS booter
13.9.2016 securityaffairs Hacking
The Israeli law enforcement arrested two youngsters suspected of operating the infamous vDoS booter.
Israeli authorities have arrested two alleged operators of a DDoS service, named vDOS, as the result of an investigation conducted by the FBI.
The popular security investigator Brian Krebs reported that the duo behind the vDOS booter service had earned more than $600,000 in the past two years. It has been estimated that the service was used to launch 150,000 DDoS attacks; its customers could rent it for a price ranging between $20 and $200 per month. According to the experts, the vDOS booter has been active since around 2012.
“vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.” wrote Krebs in his analysis.
The security expert investigated the vDOS booter after he obtained its database in July 2016. The database was leaked after the booter service was hacked. Data included in the archive points to two young men in Israel as the masterminds of the service. He also discovered that other young hackers, mostly from the US, were involved in providing support services for the attack service.
Krebs analyzed configuration files and real IP addresses that suggested the involvement of two Israeli nationals, Itay Huri and Yarden Bidani, who used the aliases P1st and AppleJ4ck. Krebs’ website was hit by a DDoS attack that peaked at nearly 140 Gbps, just after the popular expert disclosed his findings on the suspects.
While Krebs was disclosing the findings of his analysis, Israeli media reported the arrest of the young men on the indication of the FBI.
The Israeli law enforcement arrested the two alleged owners of vDoS and placed them under house arrest for 10 days, banning them from using the Internet and any telecom equipment for 30 days.
The duo recently published a technical paper on DDoS attacks on the website of the Israeli company Digital Whisper; the Twitter account one of them was using lists vDoS as his personal website.
The vDOS website (vdos-s.com) is now offline.
New MySQL Zero Days — Hacking Website Databases
13.9.2016 securityaffairs Vulnerability
Two critical zero-day vulnerabilities have been discovered in the world's 2nd most popular database management software MySQL that could allow an attacker to take full control over the database.
Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions as well as its forks, such as MariaDB and PerconaDB.
Golunski further went on to publish details and a proof-of-concept exploit code for CVE-2016-6662 after informing Oracle of both issues, along with vendors of MariaDB and PerconaDB.
Both MariaDB and PerconaDB had fixed the vulnerabilities, but Oracle had not.
The vulnerability (CVE-2016-6662) can be exploited by hackers to inject malicious settings into MySQL configuration files or create their own malicious ones.
Exploitation Vector
The above flaw could be exploited either via SQL Injection or by hackers with authenticated access to MySQL database (via a network connection or web interfaces like phpMyAdmin).
"A successful exploitation [of CVE-2016-6662] could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running," Golunski explained in an advisory published today.
This could result in complete compromise of the server running the affected MySQL version.
The researcher also warned that the vulnerability could be exploited even if SELinux or AppArmor Linux kernel security module is enabled with default active policies for MySQL service on the major Linux distributions.
The flaw actually resides in the mysqld_safe script that is used as a wrapper by many MySQL default packages or installations to start the MySQL service process.
The mysqld_safe wrapper script is executed as root, and the primary mysqld process then drops its privilege level to the MySQL user, Golunski explained.
"If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute arbitrary code with root privileges when MySQL service is restarted (manually, via a system update, package update, system reboot, etc.)"
The researcher will soon release details and full exploit code for CVE-2016-6663, the flaw that allows low-privileged attackers to make exploitation trivial.
No MySQL Patch Available Yet
Golunski reported the zero-day flaws to Oracle and to the other affected vendors on July 29.
While Oracle acknowledged and triaged the report, scheduling the next Oracle CPUs for October 18, 2016, MariaDB and PerconaDB patched their versions of the database software before the end of August.
Since more than 40 days have passed and the two vendors released the patches to fix the issues, Golunski said he decided to go public with the details of the zero-days.
Temporary Mitigation:
Until Oracle fixes the problem in its next CPU, you can implement some temporary mitigations, proposed by the researcher, for protecting your servers.
"As temporary mitigations, users should ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files that are not in use," Golunski wrote.
But remember, the above mitigations are just workarounds, so you are advised to apply vendor patches as soon as they become available.
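The temporary mitigation quoted above can be checked and applied with a small audit script. The following is an added example, not the researcher's or a vendor's code: it flags config files in the search path that are owned by the mysql user or world-writable, and creates root-owned empty my.cnf files where none exist. The search paths, the datadir location /var/lib/mysql and the MYSQL_USER default of mysql are assumptions based on common Linux packaging.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the my.cnf files that mysqld_safe
# may read for the condition CVE-2016-6662 relies on, a config file owned or
# writable by the unprivileged mysql user, and plant root-owned dummy files
# where none exist. Paths are assumptions for common Linux packages; verify
# yours with: mysqld --help --verbose | grep -A1 'Default options'

MYSQL_USER="${MYSQL_USER:-mysql}"

# Assumed default search path, including the copies inside the datadir,
# which the mysql user owns.
DEFAULT_CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /usr/local/mysql/etc/my.cnf /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf"

# cnf_is_risky FILE USER
# Returns 0 (risky) when FILE exists and is owned by USER or is world-writable,
# i.e. the database account could append settings such as a preload library.
cnf_is_risky() {
    f=$1
    u=$2
    [ -e "$f" ] || return 1
    if [ -n "$(find "$f" -maxdepth 0 -user "$u" 2>/dev/null)" ]; then
        return 0
    fi
    if [ -n "$(find "$f" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# audit_cnf USER FILE...
# Prints every risky file and returns 1 if any were found, 0 otherwise.
audit_cnf() {
    u=$1
    shift
    status=0
    for f in "$@"; do
        if cnf_is_risky "$f" "$u"; then
            echo "RISKY: $f is owned by $u or world-writable"
            status=1
        fi
    done
    return $status
}

# ensure_dummy_cnf FILE OWNER
# Creates an empty, OWNER-owned, 0644 FILE if it does not exist, so that the
# mysql user cannot create one there later (e.g. via SELECT ... INTO OUTFILE).
# Existing files are left untouched; paths whose directory is missing are skipped.
# Run with OWNER=root on a real server (needs root).
ensure_dummy_cnf() {
    f=$1
    owner=$2
    [ -e "$f" ] && return 0
    [ -d "$(dirname "$f")" ] || return 0
    : > "$f" && chown "$owner" "$f" && chmod 0644 "$f"
}

# Example invocation (as root): sh mysql_cnf_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    for p in $DEFAULT_CNF_PATHS; do
        ensure_dummy_cnf "$p" root
    done
    audit_cnf "$MYSQL_USER" $DEFAULT_CNF_PATHS
fi
```

The dummy files only block creation of new config files; an existing file that the audit flags must be re-owned by root (or removed) by hand, and the vendor patch remains the real fix.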
GovRAT 2.0 continues to target US companies and Government
13.9.2016 securityaffairs Virus
Vxers developed a new version of GovRAT, called GovRAT 2.0, that has been used to target government and many other organizations in the US.
GovRAT is an old cyberespionage tool, it has been in the wild since 2014 and it was used by various threat actors across the years.
Security experts from the threat intelligence company InfoArmor first spotted the malware in 2015.
GovRAT is a hacking platform that allows malware creation, and it comes bundled with digital certificates for code signing. The same digital certificates were initially offered for sale on the black marketplace TheRealDeal Market hosted on the Tor network. In 2015, GovRAT was offered for sale at 1.25 Bitcoin, but experts observed the creator also offering it in private sales.
The GovRAT tool digitally signs malicious code with code-signing tools such as Microsoft SignTool, WinTrust, and Authenticode technology. The experts consider that the final customers for GovRAT are APT groups targeting political, diplomatic and military employees of more than 15 governments worldwide.
The author of GovRAT, who goes online with the moniker “bestbuy”, had been offering its source code, including a code-signing digital certificate, for nearly 4.5 Bitcoin on the TheRealDeal black market.
The availability of the source code in the wild allows anyone to modify and improve it, and that is what is happening with GovRAT 2.0.
Vxers recently released a new version of the RAT, called GovRAT 2.0, that has been used by hackers to target the US Government and other organizations in the country.
After the first report published by InfoArmor, Bestbuy also started using the moniker “Popopret.”
The RAT was delivered through spear-phishing and drive-by download attacks. Among the victims were government and military organizations. Data stolen from military organizations was also offered for sale on the black market.
The new strain of GovRAT 2.0 includes several new features, including improved detection evasion methods, remote command execution, automatically mapping hard disks and network shares.
According to experts from InfoArmor, government and military agencies have been increasingly targeted by threat actors leveraging the threat.
Below is the complete list of features introduced in GovRAT 2.0, as reported in the report “GOVRAT V2.0 ATTACKING US MILITARY AND GOVERNMENT” published by InfoArmor.
Access C&C with any browser.
Compile C&C for Linux OR Windows.
Cannot be reversed without the private key. 0day anti-debugging.
Automatically maps all hard disks and network disks.
Creates a map of files to browse even when the target is offline.
Remote shell/command execution.
Upload files or Upload and Execute files to target.
Download files from target. All files are compressed with LZMA for faster downloads and encrypted on transport.
Customized encryption for communications. No two machines will use the same key (ever).
SSL Support for communication. (you have to get your own *Valid* SSL certificate to use this).
Does not use SOCKS libraries. Uses special Windows APIs to communicate and cannot be blocked.
C&C creates a one-time password every time the user logs in for extra security.
Comes with source for FUD keylogger that sends keys to another server.
Excellent for long term campaigns where a stable connection is needed.
Another interesting feature implemented by the malware is its ability to spread via USB devices and network shares like a worm.
The prices range from $1,000 for basic binary and the code for the command and control, up to $6,000 for a complete package that includes the source code of every component of the malicious infrastructure and the extra modules.
Security experts have discovered several offers for credentials for many U.S. government domains, including gsa.gov, va.gov, nasa.gov, nps.gov, faa.gov and state.gov, and domains related to the U.S. military, such as navy.mil, mail.mil, army.mil and af.mil.
“On one of the underground communities in the TOR network, the same bad actor is selling compromised credentials relating to FTP servers of various US Government entities” reads the report. “In addition to NOAA.gov, USPS.gov and CDG.gov, the bad actor is selling several credentials for subdomains at JPL.NASA.gov and NAVY.mil:”
The credentials have also been used in multiple GovRAT 2.0 attacks. Experts also observed the use of another 33,000 credentials stolen from US government, research and educational organizations, provided to the malware creator by the hacker known as “PoM,” aka Peace_of_Mind or Peace.
“There is another bad actor identified as “PoM,” who is a partner of popopret, and is selling 33,000 records with credentials related to the US Government and various research and educational organizations.” reads the report. “In the post description, he outlines that the data was hashed but he was able to decrypt it and can potentially use it for “accessing other agencies,” as well as for use in SE (social engineering) and spear phishing campaigns. PoM provides the stolen data of government and military employees to other actors using GovRAT v2.0 for highly targeted malware delivery. After a thorough analysis, it was determined that most of this data was accessed from the hacked National Institute of Building Sciences (http://www.nibs.org/) website. It contains numerous members from the research, educational, government and military community.”
For more details on GovRAT 2.0, give a look at the report published by InfoArmor.
Hacking wannabe hackers: watch out Facebook Hacker Tools!
13.9.2016 securityaffairs Hacking
Everyone is a potential victim, even the wannabe hackers that try to exploit Facebook Hacker Tools to hack into friends’ accounts.
When dealing with cybercrime, everyone is a potential victim, even the hackers; this is the case of a Crimeware-as-a-Service hack that turns wannabe crooks into victims.
For those who are looking to hack the Facebook accounts of others, there is a marketplace of Facebook Hacker tools that promise to allow it without specific knowledge.
Crooks are using Google Drive to host new Facebook Hacker Tools that allow attackers to steal credentials from would-be hackers who try to break into other users’ accounts on the Facebook social network.
Experts from the firm Blue Coat Elastica Cloud Threat Labs (BCECTL), now owned by Symantec, have discovered several versions of the Facebook Hacker Tools, including Faceoff Facebook Hacker, Skull Facebook Hacker and Scorpion Facebook Hacker.
“When they deploy this CaaS service, it becomes very easy for users to conduct cyberattacks,” said BCECTL director Aditya Sood.
The way the Facebook Hacker Tools work is very simple: typically they ask the wannabe hacker using the tool to provide the Facebook profile ID of the victim. The tool then displays some fake error messages and asks the user to provide an activation code to hack into the profile.
Experts at BCECTL discovered similar attacks by analyzing the files hosted on Google Drive. Links to several Facebook Hacker tools were being actively distributed and shared on Google Drive.
“It’s hard to list the numbers, but we have discovered multiple instances [seven-plus] on Google Drive at the moment,” Sood said. “We haven’t checked on other cloud services or standard domains.” added Sood.
Hackers abuse the web publishing functionality included in cloud services like Google Drive. One of the tools used by the crooks allows an attacker to send to the wannabe hacker a Google Drive link that takes them to a “Facebook Friend’s Account Hacker” document. Of course, the wannabe hacker that intends to hack his friend’s account needs to provide his Facebook login credentials.
Once the wannabe hacker has provided his credentials they are sent back to the operator behind the scam.
Stolen credentials could be offered for sale in the underground market or used for a wide range of illegal activities.
Such attacks are particularly insidious for enterprises: the credentials of their employees could be exposed, allowing attackers to access company resources. Attackers can target business users, steal their credentials and launch more sophisticated attacks in the future.
Consider, for example, the possibility of stealing the login credentials of an employee who works as a system administrator or who manages sensitive financial data of the company.
A growing number of companies are moving to cloud services; for this reason, it is essential to carefully evaluate the risk of exposure to this kind of attack linked to the use of social media.
“We are living in a world where these social networks have become part and parcel of our lives,” Sood explained. “Cybercriminals can abuse this information and other tools, and sell that access to users.”
In order to prevent such attacks, it is essential to adopt a proper security posture, promoting awareness inside companies.
It is important to educate employees in the correct and safe use of social media, even in the workplace.
Another important aspect to consider is incident response, once such an attack against an employee is discovered.
The adoption of a cloud security solution could also help to mitigate the risk of attacks.
PCI PIN Transaction Security requests upgradeable credit card readers
13.9.2016 securityaffairs Security
The Payment Card Industry Security Standards Council (PCI Council) updates its standard to reduce fraudulent activities against PoS systems.
The number of credit card frauds involving Point-of-Sale systems continues to increase; in recent months, numerous attacks have targeted retailers and hotels worldwide.
The Payment Card Industry Security Standards Council (PCI Council) has responded with the definition of a new standard to reduce fraud: the organization plans to improve the security of PoS systems by making them easy to upgrade.
Last week, the PCI council issued the version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements.
A close look at the standard allowed the experts to notice the new requirements for the payment industry, in particular:
The adoption of a new control that allows the upgrade of the firmware running on PoS readers. “The device must support firmware updates. The device must cryptographically authenticate the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted”
Core Physical Security Requirements also include Tamper-proofing items so that the device can become inoperable in response to an attack. “The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings.”;
The devices have to be immune to side-channel attacks (i.e. monitoring of electromagnetic emanations) that could result in leaking keys;
The device must execute self-test upon start-up to verify anomalies that could bring it in a compromised state. “The device performs a self-test, which includes integrity and authenticity tests upon start-up and at least once per day to check whether the device is in a compromised state. In the event of a failure, the device and its functionality fail in a secure manner. The device must reinitialize memory at least every 24 hours.”
The new standard aims to counter the intensification of card skimming attacks and intends to improve the security of the payment industry.
Banks are observing a similar trend; the popular investigator Brian Krebs recently published an interesting post warning about an alarming increase in skimming attacks against both American and European banks.
“Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers.” wrote Krebs. “The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.”
The FICO Card Alert Service issued several warnings about a spike in ATM skimming attacks.
On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.
PoS devices that are hard to upgrade represent a serious problem for the payment industry. Upgradeable card-reading kits are expensive, and the lack of a proper security posture delays the adoption of necessary countermeasures. Making card readers upgradeable should mean a significant improvement in point-of-sale security.
The banking industry continues to be under attack; chip-and-PIN technology has recently started to be adopted in the US because it improves the security of customers, merchants, and financial institutions.
The new standard will be effective from September 2017 and will replace the current version 4.1.
Motherboard shows us how surveillance software works
13.9.2016 securityaffairs BigBrothers
Surveillance is a profitable business, Motherboard has published a never-before-seen 10-minute video showing a live demo of a surveillance software.
Recently, the iPhone hack carried out with the NSO Group‘s Pegasus raised the debate about the use of surveillance software. Who uses it? How? Are we able to defend our machines from such invasive surveillance?
NSO Group is just one company in a profitable market; to give you an idea of it, I invite you to take a look at the Transparency Toolkit, a project that gathers open data on surveillance and human rights abuses and makes free software to examine them. The official page of the project includes tools and case studies.
Hacking Team, Gamma International, NSO Group, Blue Coat, and Verint are only the first names of surveillance firms that came to mind while I was writing this post, but the list is very long.
These firms design solutions that are used by law enforcement and intelligence agencies during their investigations. The expensive solutions proposed by the surveillance firms allow operators to spy on computers and smartphones; unfortunately, their abuse in the wild is very common. Many governments have used them in the past to track dissidents and the opposition, and in many cases the use of surveillance solutions represented a severe violation of human rights.
Although we can read thousands of good posts on the topic, it isn’t so easy to see a live demo of surveillance systems, but the popular journalist Lorenzo Bicchierai has published an interesting post on Motherboard with the intent of showing us how government spyware infects a computer.
“Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers.” wrote Bicchierai.
Motherboard published a video related to a live demo presented by an expert from the Italian surveillance firm RCS Lab. The video shows how the company’s spyware Mito3 could be used to spy on an unaware suspect.
“Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings” reads a confidential brochure obtained by Motherboard.
RCS Lab’s spyware Mito3 allows attackers to launch MiTM attacks against the victims, injecting malicious content into the connection to any website the victim intends to visit. The software is very easy to use, as explained in the post.
“An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select “inject HTML” to force the malicious popup to appear, according to the video.” reported Motherboard.
In the video the RCS employee chooses the mirc.com website (IRC chat client) as the attack vector and then injects malware into it in order to compromise the target machine. When the victim visits the mirc.com website, a fake Adobe Flash update installer pops up, created by the surveillance software by injecting the malicious code. The user is urged to click install in order to continue browsing the website, allowing the surveillance spyware to infect the machine.
I wish to thank Motherboard and Lorenzo Bicchierai for their post that gives us more information on surveillance practices.
Hacking wannabe hackers: watch out Facebook Hacker Tools!
12.9.2016 securityaffairs Social
Everyone is a potential victim, even the wannabe hackers that try to exploit Facebook Hacker Tools to hack into friends’ accounts.
When dealing with cybercrime everyone, is a potential victim, even the hackers, this is the case of a Crimeware-as-a-Service hack that turns wannabe crooks into victims.
For those who are looking to hack the Facebook accounts of others, there is a marketplace of Facebook Hacker tools that promise to allow it without specific knowledge.
Crooks are using Google Drive to host a new Facebook Hacker Tools that allows attackers to steal credentials from potential hackers who try to hack other users’ accounts on the Facebook social network.
Experts from the firm Blue Coat Elastica Cloud Threat Labs (BCECTL), now owned by Symantec, have discovered several versions of the Facebook Hacker Tools, including Faceoff Facebook Hacker, Skull Facebook Hacker and Scorpion Facebook Hacker.
“When they deploy this CaaS service, it becomes very easy for users to conduct cyberattacks,” said BCECTL director Aditya Sood.
The way the Facebook Hacker Tools work is very simple, typically they will ask the wannabe hacker that uses the tool to provide the Facebook profile ID of his victim. Then it displays some fake error messages and asks the user to provide an activation code to hack into the profile.
Experts at BCECTL discovered similar attacks by analyzing the files hosted on Google Drive. Links to several Facebook Hacker tools were being actively distributed and shared on Google Drive.
“It’s hard to list the numbers, but we have discovered multiple instances [seven-plus] on Google Drive at the moment,” Sood said. “We haven’t checked on other cloud services or standard domains.” added Sood.
Hackers abuse the web publishing functionality included in cloud services like Google Drive. One of the tools used by the crooks allows an attacker to send to the wannabe hacker a Google Drive link that takes them to a “Facebook Friend’s Account Hacker” document. Of course, the wannabe hacker that intends to hack his friend’s account needs to provide his Facebook login credentials.
Once the wannabe hacker has provided his credentials they are sent back to the operator behind the scam.
Stolen credentials could be offered for sale in the underground market or used for a wide range of illegal activities.
This kind of attack is particularly insidious for enterprises: the credentials of their employees could be exposed, allowing attackers to access company resources. Attackers can target business users, steal their credentials and launch more sophisticated attacks in the future.
Think, for example, of the possibility of stealing the login credentials of an employee who works as a system administrator or who manages sensitive financial data of the company.
A growing number of companies are moving to cloud services; for this reason, it is essential to carefully evaluate the risk of exposure to this kind of attack linked to the use of social media.
“We are living in a world where these social networks have become part and parcel of our lives,” Sood explained. “Cybercriminals can abuse this information and other tools, and sell that access to users.”
In order to prevent such attacks, it is essential to adopt a proper security posture, promoting awareness inside companies.
It is important to educate employees in the correct and safe use of social media, even in the workplace.
Another important aspect to consider is incident response, once such an attack against an employee is discovered.
The adoption of cloud security solutions could also help mitigate the risk of these attacks.
Mal/Miner-C mining malware leverages NAS devices to spread itself
12.9.2016 securityaffairs Virus
Experts from Sophos discovered Mal/Miner-C, a malware designed to abuse resources of the infected machine to mine Monero (XMR) cryptocurrency.
Malware researchers from security firm Sophos have analyzed a new strain of malware detected as Mal/Miner-C that was designed to abuse resources of the infected machine to mine Monero (XMR) cryptocurrency.
The experts discovered that the new malware leverages network-attached storage (NAS) devices as attack vector.
The authors of Mal/Miner-C used the NSIS (Nullsoft Scriptable Install System) scripting language to develop it.
One of the most interesting features of the Mal/Miner-C malware is its ability to abuse FTP servers in an effort to spread itself.
Some samples analyzed by the researchers included a module, called tftp.exe, which randomly generates IP addresses and attempts to connect to them using a predefined list of login credentials.
If the threat is able to successfully connect to an FTP service, it copies itself to that server and modifies the .html and .php files stored on it, injecting code that generates an iframe referencing the malicious files uploaded to the server.
“If the embedded credentials are able to successfully connect to an FTP service, it tries to copy itself to the server and modify an existing web-related file with the extension .htm or .php in an attempt to further infect visitors to the host system.” reads the analysis from Sophos.
“If a file with this extension is found, the threat injects source code that creates an iFrame referencing the files info.zip or Photo.scr. “
When an unaware user visits a website compromised by the malware, they are presented with a “save file” dialog that serves the malicious files; if the victim downloads and opens them, the PC is infected with Mal/Miner-C.
According to Sophos, more than 1.7 million infections were observed in the first half of 2016, but they were associated with only 3,150 unique IP addresses, because the malware copies itself to every folder on a compromised FTP server.
The experts focused their investigation on the search for vulnerable devices on the internet. A first scan with the Censys search engine identified just under 3 million FTP servers worldwide.
Then the researchers tried to connect anonymously to the FTP services with a scanning script in order to find “Anonymous FTPs with write access”.
The results were as follows:
IP numbers of FTP servers on original list: 2,932,833.
FTP servers active during the test: 2,137,571.
Active servers allowing anonymous remote access: 207,110.
Active servers where write access was enabled: 7,263.
Servers contaminated with Mal/Miner-C: 5,137.
The malware targeted various types of FTP servers, but Sophos experts noticed that it mostly targeted Seagate’s Central NAS product. This NAS provides a public folder that cannot be deleted or deactivated, which the attackers use to upload the malware, in the hope that the files will be executed by users once they are discovered.
Note that the malware does not compromise the NAS device itself; it uses the device as a distribution point to infect other machines and spread in the wild.
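As an added defender-side example (not Sophos' code), the following Python checks the two conditions described above on an FTP or NAS host you administer: whether served .htm/.php content carries an iframe pointing at info.zip or Photo.scr, and whether the FTP service accepts an anonymous login with write access. The host, the anonymous credentials and the sample HTML are assumptions constructed for the example.

```python
"""Added example (not Sophos' code): defender-side checks for the two
Mal/Miner-C behaviours described above, for FTP/NAS hosts you administer."""
import ftplib
import io
import re

# Payload names the Sophos analysis says the injected iframe references.
MINER_C_PAYLOADS = ("info.zip", "photo.scr")

# <iframe ... src=...> with any attribute order or quoting style.
_IFRAME_SRC_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE
)


def scan_html_for_miner_c(html):
    """Return the src values of iframes that point at a Miner-C payload file.

    Run it over the .htm/.php files of a web root served from the NAS;
    a hit means the page was modified the way the analysis describes.
    """
    hits = []
    for match in _IFRAME_SRC_RE.finditer(html):
        src = match.group(1)
        basename = src.split("?")[0].rstrip("/").rsplit("/", 1)[-1].lower()
        if basename in MINER_C_PAYLOADS:
            hits.append(src)
    return hits


def audit_ftp_server(host, timeout=10.0):
    """Probe one FTP host for the conditions the Sophos scan looked for.

    Reports whether anonymous login works, whether an anonymous session can
    write (checked by storing and deleting a small marker file), and whether
    the Miner-C payload names are already present in the root listing.
    Assumption: the conventional 'anonymous' account with an e-mail password.
    """
    result = {"anonymous_login": False, "anonymous_write": False,
              "payload_files": []}
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, 21, timeout=timeout)
        ftp.login("anonymous", "audit@example.invalid")
        result["anonymous_login"] = True
        names = [n.rsplit("/", 1)[-1].lower() for n in ftp.nlst()]
        result["payload_files"] = [n for n in names if n in MINER_C_PAYLOADS]
        marker = "ftp_write_audit.tmp"
        try:
            ftp.storbinary(f"STOR {marker}", io.BytesIO(b"audit marker"))
            result["anonymous_write"] = True
            ftp.delete(marker)
        except ftplib.error_perm:
            pass  # upload refused: no anonymous write access
    except ftplib.all_errors:
        pass  # unreachable host, login refused, or listing failed
    finally:
        ftp.close()
    return result


# Constructed sample: a page an infected server would serve (not a real site).
SAMPLE_INFECTED_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://203.0.113.5/pub/Photo.scr" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("injected iframes:", scan_html_for_miner_c(SAMPLE_INFECTED_PAGE))
```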
The experts also analyzed the wallets used by the cybercriminals behind the campaign and determined that infected machines mined roughly $86,000 in Monero.
LuaBot is the first Linux DDoS botnet written in Lua Language
11.9.2016 securityaffairs Virus
The researcher MalwareMustDie discovered LuaBot, a Trojan completely coded in the Lua language that targets Linux platforms to recruit them into a DDoS botnet.
Let’s continue our tour in Linux security, focusing on malicious code specifically designed to target such systems.
The popular security researcher MalwareMustDie, who recently reported the new ELF Trojan backdoor Linux/Mirai, also discovered a Trojan that infects Linux systems and involves them in distributed denial of service (DDoS) attacks.
The malware was dubbed Linux/LuaBot because it is written in the Lua programming language (version 5.3.0) and targets Linux-based systems.
Lua is a lightweight, multi-paradigm programming language; it is cross-platform since its interpreter is written in ANSI C. It was designed primarily for embedded systems and clients.
Web servers and Internet of Things (IoT) devices are privileged targets of the Linux/Lua botnet.
“On Mon, Aug 29, 2016 at 5:07 PM I received this ELF malware sample from a person (thank you!). There wasn’t any detail or comment whatsoever, just one cute little ARM ELF stripped binary file with the following data:” wrote the researcher in a blog post.
“This is a new ELF botnet malware, coded in Lua [link] language ( @$LuaVersion: Lua 5.3.0). It is the first time to find a Lua language ELF compiled malware, specifically in ARM cpu architecture, so let’s call it “Linux/LuaBot”.”
The analysis of the binary revealed the signature “Sample Matrix RSA-4096 Certificate”, a trace of the MatrixSSL certificate used by the bot clients to establish secure HTTPS connections.
The binary also includes MatrixSSL’s code libraries for encryption operations, and MalwareMustDie noticed that it contains a hardcoded message from the coder (“Hi. Happy reversing, you can mail me: [REDACTED .ru email address].”), shown in the following image.
The bot was controlled by a C&C server hosted in the Netherlands on the infrastructure of dedicated server hosting service WorldStream.NL.
MalwareMustDie also discovered a portion of code labeled “penetrate_sucuri,” likely referencing the implementation of evasion mechanisms able to elude the popular Sucuri Web Application Firewall.
The researcher has no doubt that this is a very complex and effective botnet: the author of the Linux/Lua botnet implemented a command interface that can be used to run encrypted remote commands.
“If you see carefully in the above description, there are the “cmdline”, and “cmdline args” spotted in several parts in ELF reversed code, forensics results and also source code trace too.” explained MalwareMustDie.
“The hacker can do a lot of things with it via a crypted remote commands pushed to his bots through this command interface, so this bot can be used to execution for the Lua script. So one of the botnet functionality is the remote execution via this interface.” states the analysis.
A quick check on the online scanning service VirusTotal showed that the binary was still in a fully undetected (FUD) state at the time of the analysis.
After his first analysis, MalwareMustDie received the DDoS component used by the Linux/Lua botnet, the missing component he had been searching for. This module too was written in Lua and had a zero detection rate.
“This sample [link] is explaining the “missing link” of the DDoS function expected from this botnet. This module was coded in Lua and using the same static compilation environment, with zero detection ratio too. This additional ELF could be “the payload” that we are waiting for. This module is explaining a lot of detail on how the attack is performed, a simple download and execution command executed by the infected nodes from remote access via shell or internal command line interface is enough to trigger this attack.” explained the researchers.
According to MalwareMustDie, the number of ELF malware samples surfacing on the Internet is rapidly growing.
“There are plenty new ELF malware coming & lurking our network recently & hitting out Linux layer IoT and services badly.” explained the researcher.
This trend is also confirmed by investigations conducted by other research teams: joint research by Level 3 Communications and Flashpoint identified a million devices infected by the Bashlite malware.
The BASHLITE malware includes the code of the ShellShock exploit and it had been used by threat actors in the wild to run distributed denial-of-service (DDoS) attacks.
It can infect multiple Linux architectures; for this reason, crooks have used it to target Internet of Things devices.
In June, experts from the security firm Sucuri spotted a botnet composed of tens of thousands of CCTV devices that had been used by crooks to launch DDoS attacks against websites.
I suggest reading the MalwareMustDie analysis of LuaBot; it is full of interesting data.
CVE-2016-6399 – CISCO disclosed unpatched flaw in ACE products
11.9.2016 securityaffairs Vulnerebility
Cisco disclosed the existence of the CVE-2016-6399 flaw that can be exploited by remote unauthenticated attackers to trigger DoS conditions in ACE products.
Experts at Cisco have disclosed the existence of a high-severity vulnerability, tracked as CVE-2016-6399, that can be exploited by remote unauthenticated attackers to trigger DoS conditions in some of the Application Control Engine (ACE) products.
The good news is that there is no evidence that the CVE-2016-6399 vulnerability has been exploited in the wild; the bad news is that some Cisco customers experienced problems after an Internet research project triggered the vulnerability.
The researchers behind the project had been scanning SSL/TLS servers on the Internet, including those of Cisco customers.
“A vulnerability in the SSL/TLS functions of the Cisco ACE30 Application Control Engine Module and the Cisco ACE 4700 Series Application Control Engine Appliances could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.” reads the Cisco Security Advisory.
The problem affects Cisco ACE 4710 Application Control Engine appliances and Cisco ACE30 Application Control Engine modules.
The Cisco ACE 4710 Application Control Engine equipment is a protection solution designed to enhance application availability and performance and improve the resilience to cyber attacks.
CVE-2016-6399 CISCO ACE 4710 products
The network appliances implement load-balancing and application delivery features. The root cause of the security issue is insufficient input validation in the SSL/TLS code, which can be exploited remotely by an unauthenticated attacker to force the devices to reload by sending them specially crafted SSL/TLS packets.
“The vulnerability is due to incomplete input validation checks in the SSL/TLS code. An attacker could exploit this vulnerability by sending specific SSL/TLS packets to the affected device. An exploit could allow the attacker to trigger a reload of the affected device.” continues the advisory.
The flaw was discovered while the Cisco experts were handling customer support requests.
The products affected by the CVE-2016-6399 vulnerability reached end of life in July 2013, but Cisco is still offering support for them and plans to do so until January 2019. Cisco has promised to release software updates that address the issue.
At the time of writing there is no workaround; Cisco plans to release software updates as soon as possible.
I suggest taking a look at the Cisco security advisory, which includes useful information on the flaw, including indicators of compromise (IoC) that can help customers protect their devices from exploitation of the flaw.
PIL filed in Court to Ban ‘Pokémon Go’ in India for Hurting Religious Sentiments
10.9.2016 thehackernews IT
Pokémon GO has not yet been officially launched in India, but the location-based augmented reality game has already fueled a privacy debate and a request for a ban.
Isn't that weird?
A Gujarat resident, Alay Anil Dave has recently filed a Public Interest Litigation (PIL) in the Gujarat High Court against Niantic, developers of Pokémon Go, over allegations that the game is hurting religious sentiments of Hindus and Jains by showing virtual eggs in places of worship of different religious groups.
The launch date of Pokémon GO for India has not been announced so far, but millions of Indians have already downloaded the game from third-party app markets and are playing it on the streets.
However, there are many still waiting for an official release of the game in India, as they don’t want to end up installing malicious versions of Pokémon GO that could install malware on their phones, allowing hackers to compromise their devices.
Pokémon GO has become the most successful game launch of all time, with more than 500 million downloads in the just over two months since its inception.
The game is reported to have almost as many daily active users as Twitter.
In fact, Niantic Labs CEO John Hanke just announced on stage at Apple's iPhone 7 event on Wednesday that the Pokémon GO app is coming to the Apple Watch.
How Does Pokémon GO Hurt Religious Sentiments?
So why does the petitioner want India to ban Pokémon GO?
This augmented reality game requires gamers to walk around homes, parks and their local surroundings to find new Pokémon characters, as well as to achieve goals like hatching incubating eggs.
The most common Pokémon hatch from 2 km eggs, while the rarest come from 10 km eggs. But Niantic didn't know that some Indians have a problem with these eggs.
"People playing the game get their points in the form of eggs which generally appear in the places of worship of different religious groups. To find eggs in temples of Hindus and Jains is blasphemous, and therefore my client has sought ban on the game from the country," Dave's lawyer said.
However, we talked to some security experts and privacy advocates in India, who shared their opinions on the case.
Dinesh Bareja, Information security professional, and researcher at IndiaWatch, provided a statement to The Hacker News, saying:
"Such PIL are frivolous and just designed to get the person his few moments of fame. Chasing a virtual image into a temple or any other place cannot be termed desecration of the place of worship and, like many other PIL this is also going to be a waste of the valuable time of the Hon'ble Court."
Another Information security professional, who wants to remain anonymous, told us:
"Some Hindu temples still have a tradition of Bali of Animals [Animal sacrifice]. So painting all Hindu temples as a symbol of non-violence and hurting religious sentiments isn't true."
The Editor of Cyber Secure India Portal said,"There seems no strength in the PIL, frankly speaking. However, the PIL may just be appropriate, if the person who has filed the PIL, should have obtained a legitimate licensed copy of the game; otherwise, the charge may be dropped. Further, the fact that egg was found is a question of perception, being an animated pictorial representation."
Pokémon Go, Privacy and National Security
Along with hurting religious sentiments by displaying eggs in houses of worship, the PIL also cites that Pokémon Go could be used by the CIA to create maps of sensitive "areas currently unavailable in Google Maps."
Adv. Prashant Mali, a Cyber Security Law Specialist Lawyer, told The Hacker News that he is primarily concerned about privacy and about accidents caused by this game.
"It has become a fashion to file a PIL and get cheap and fast publicity. There are other games which children play which has a lot more violence and some games do promote sexual violence," Mali said.
"I feel Government at this rate of censorship may appoint a Censor Board like films to moderate even video games. When the game gets launched in India, they may take care of religious feelings by default now it is an illegal game so the PIL may get dismissed even."
The PIL also raised other concerns about the game, such as infringement of the right to privacy, the threat to the lives of players who walk around the streets to catch Pokémon, the game’s influence on the minds of children and on "behavior as an Indian," among others.
“All the maps are via open maps, already in the public domain so that issue is sorted. Use of AR in sensitive areas from government viewpoint can be a problem. To avoid this, use of camera phones and recorders should be banned in such sensitive declared as it is not just one game that can cause issues.” an anonymous follower comments.
The PIL was heard on Wednesday by a division bench of Chief Justice R. Subhash Reddy and Justice Vipul Pancholi, and notice by the Gujarat High Court has been issued to Niantic Inc. of the US, which has yet to respond.
If Pokémon GO gets banned in India, India will not be the first country to do so. Last month, Iran officially banned Pokémon GO within the country due to certain "security concerns."
Doctor Web discovers the first Linux Trojan that is written in Rust language
10.9.2016 securityaffairs Virus
Experts from Dr Web discovered a new Linux Trojan called Linux.BackDoor.Irc.16 that is written in the Rust programming language.
It is a prolific period for VXers working on Linux Trojans: a new strain was recently spotted by experts from Doctor Web. The new Linux Trojan has been named Linux.BackDoor.Irc.16 and is written in the Rust programming language. Rust is a general-purpose, multi-paradigm, compiled programming language promoted by Mozilla Research. It is designed to be a “safe, concurrent, practical language.”
“Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. “
“Unlike the majority of its counterparts, Linux.BackDoor.Irc.16 is written in Rust, a programming language whose creation was sponsored by Mozilla Research. ” reported Dr. Web in a blog post.
The Linux.BackDoor.Irc.16 Linux Trojan implements the features of a classic backdoor, allowing attackers to remotely control the infected system by sending it commands via the IRC (Internet Relay Chat) protocol.
Once the Linux Trojan is executed it connects to a specific public chat channel that is indicated in its configuration, then it waits for commands.
According to malware researchers from Dr.Web, the Linux Trojan is able to execute just four commands:
Connect to a specified chat channel;
Gather information on the infected host and send them back to the crooks;
Send crooks data about the applications running in the system;
Delete itself from an infected machine;
The experts spotted a first stable version in 2015; according to Dr. Web, the Linux.BackDoor.Irc.16 backdoor was designed to be cross-platform malware. The experts who analyzed the threat speculate that it is a prototype for an ongoing project: they noticed that the Linux Trojan is not able to replicate itself and that the IRC channel used as C&C infrastructure is no longer active.
“Doctor Web’s analysts believe that Linux.BackDoor.Irc.16 is, in fact, a prototype (Proof of Concept), because it cannot replicate itself, and the IRC channel used by the Trojan to receive commands from cybercriminals is not currently active.” reported Dr Web.
Recently other Linux malware was spotted in the wild by security experts, such as Linux.Rex.1, which is capable of self-spreading and creating a peer-to-peer botnet, and Linux.Lady, which is used by crooks to mine cryptocurrency.
Oh, It's On Sale! USB Kill to Destroy any Computer within Seconds
9.9.2016 thehackernews Hacking
Remember Killer USB stick?
It was a proof-of-concept USB prototype, designed last year by a Russian researcher, Dark Purple, to effectively destroy sensitive components of a computer when plugged in.
Now, someone has actually created a Killer USB stick that destroys almost anything it is plugged into – laptops, PCs, or televisions.
A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry any unauthorized computer it's plugged into by introducing a power surge via the USB port. It costs $49.95.
How does USB Kill 2.0 work?
As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges its capacitors via the USB power supply, and then discharges – all in a matter of seconds.
The USB stick discharges 200 volts DC over the data lines of the host machine, and this charge-and-discharge cycle is repeated many times per second until the USB Kill stick is removed.
"When tested on computers, the device isn't designed or intended to erase data," the company says. "However, depending on the hardware configuration (SSD [solid-state drive] vs. platter HDD [hard disk drive]), the drive controllers may be damaged to the point that data retrieval is impractical."
"Any public facing USB port should be considered an attack vector," the company says in a news release. "In data security, these ports are often locked down to prevent exfiltration of data or infiltration of malware, but are very often unprotected against electrical attack."
When And For Whom USB KILL Would Be Useful?
The USB Kill stick could be a boon for whistleblowers, journalists, activists and, not to forget, cyber criminals who want to keep their sensitive data away from law enforcement as well as cyber thieves.
It is like: if you're caught, self-destruct, in the same fashion as terrorists do. Here I mean killing the data on your laptop if law enforcement has seized it, and the USB Kill stick does that for you.
However, the company claims to have developed USB Kill 2.0 stick for the sole purpose of allowing companies to test their devices against USB Power Surge attacks and to prevent data theft via "Juice Jacking" attacks.
Video Demonstration
You can watch the video demonstration below by the company that shows USB Kill 2.0 stick in action.
The company claims about 95% of all devices available on the market today are vulnerable to power surge attacks introduced via the USB port.
The only devices not vulnerable to USB Kill attacks are recent models of Apple's MacBook, which optically isolate the data lines on USB ports.
Juice jacking is a type of cyber attack in which malware installed on a computer surreptitiously copies data from a smartphone, tablet or other device connected through a USB charging port that doubles as a data connection.
While USB Kill 2.0 has been "designed and tested to be safe," the company warns that the USB stick "is a high-voltage device" and is only meant for "responsible adults." Also, the company's website "strongly condemns the malicious use of its products."
USB Kill 2.0 also comes with a USB Protection Shield, called Test Shield, sold for an additional $15.70, which is designed to allow testing of the USB Kill stick without destroying the host machine.
Google Chrome to Label Sensitive HTTP Pages as "Not Secure"
9.9.2016 thehackernews Safety
Although there are still more than three months to go, Google has planned a New Year gift for Internet users who are concerned about their privacy and security.
Starting in January of 2017, the world's most popular web browser Chrome will begin labeling HTTP sites that transmit passwords or ask for credit card details as "Not Secure" — the first step in Google's plan to discourage the use of sites that don't use encryption.
The change will take effect with the release of Chrome 56 in January 2017 and affect certain unsecured web pages that feature entry fields for sensitive data, like passwords and payment card numbers, according to a post today on the Google Security Blog.
Unencrypted HTTP has been considered dangerous particularly for login pages and payment forms, as it could allow a man-in-the-middle attacker to intercept passwords, login session, cookies and credit card data as they travel across the network.
In subsequent releases, Chrome will flag HTTP pages as "Not secure" with a neutral indicator in the address bar of Incognito mode, where users may have higher expectations of privacy.
Then, in the future, Chrome will flag all HTTP sites as "Not secure" with the same red triangle indicator the browser currently uses to indicate a broken HTTPS website.
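As an added example (not Google's or Chromium's code), the following Python applies the Chrome 56 rule described above to a page's HTML, so a site owner can list the pages that will carry the "Not secure" label before the release ships; it is a static check that assumes payment-card fields are recognised by their autocomplete tokens, and the sample pages and URLs are constructed.

```python
"""Added example (not Google's or Chromium's code): a static approximation of
the Chrome 56 "Not secure" rule for one page, for auditing a site's own HTML."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: payment-card inputs are identified by these autocomplete tokens.
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month",
                     "cc-exp-year", "cc-name"}


class _SensitiveInputCollector(HTMLParser):
    """Collects password and payment-card inputs and the URL each submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None   # resolved action of the enclosing <form>
        self.fields = []          # (kind, input name, submit URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            kind = None
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif a.get("autocomplete", "").lower() in CARD_AUTOCOMPLETE:
                kind = "payment-card"
            if kind:
                submit_to = self.form_action or self.page_url
                self.fields.append((kind, a.get("name", "?"), submit_to))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def _is_plain_http(url):
    return urlsplit(url).scheme.lower() == "http"


def classify_page(page_url, html):
    """Return the Chrome-56-style label for a page plus the sensitive fields found.

    The page is "Not secure" when it is served over plain HTTP and contains a
    password or payment-card input. Forms on an HTTPS page that post those
    inputs to an http:// action are reported too: the submission is still in
    cleartext even though the page itself would not be labelled.
    """
    collector = _SensitiveInputCollector(page_url)
    collector.feed(html)
    findings = [
        {"kind": kind, "field": name, "submits_to": target,
         "plaintext_submit": _is_plain_http(target)}
        for kind, name, target in collector.fields
    ]
    not_secure = _is_plain_http(page_url) and bool(findings)
    return {"url": page_url,
            "label": "Not secure" if not_secure else "neutral",
            "findings": findings}


# Constructed sample pages (not real sites).
LOGIN_PAGE = ('<form action="/login" method="post">'
              '<input name="user"><input type="password" name="pw"></form>')
CHECKOUT_PAGE = ('<form action="http://pay.example/charge">'
                 '<input autocomplete="cc-number" name="card"></form>')

if __name__ == "__main__":
    for url, html in [("http://shop.example/login", LOGIN_PAGE),
                      ("https://shop.example/checkout", CHECKOUT_PAGE)]:
        print(classify_page(url, html))
```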
"Chrome currently indicates HTTP connections with a neutral indicator," Emily Schechter wrote in a blog post. "This doesn't reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."
This isn't the first time Google has taken steps to encourage site owners to switch to HTTPS. Two years ago, Google also changed its search engine algorithm to give a ranking boost to websites that use encrypted HTTPS connections.
Last month, Google also implemented HTTP Strict Transport Security (HSTS) on its main domain (google.com) in an effort to prevent users from reaching its sites over insecure HTTP.
Google reported that today, more than half of the websites visited by Chrome users are already encrypted.
Not only Google: Mozilla has also been encouraging users to adopt HTTPS through the Let's Encrypt project, which provides free SSL/TLS certificates to website owners to help them implement HTTPS for their services.
A malicious pairing of cryptor and stealer
9.9.2016 Kaspersky Virus
We have already seen some cryptor attacks where malicious programs with different functions have been used in combination. For example, one version of the Shade cryptor checks victim computers for signs of accounting activity; if it finds any, it doesn’t encrypt the files, but instead installs remote control tools in the infected system. The bot can then be used by cybercriminals to steal money, a much more profitable outcome than just receiving a ransom to decrypt some files.
The owners of the RAA cryptor, however, took a different tack. The Trojan is delivered in emails that mostly target corporate users. After a successful infection, RAA executes its main task, i.e. encrypts the user’s files. However, it doesn’t stop there: some versions of RAA also include a Pony Trojan file, which steals confidential information from the infected computer. Using the stolen data, the cybercriminals can gain access to the victim’s mail clients and other resources. We can assume that the owners of RAA use these resources to carry out targeted attacks – sending out emails with the cryptor malware to the addresses on the victim’s contact list. This substantially improves the probability of subsequent infections.
In this article, we will provide details of how a pair of malicious programs – a new version of the RAA cryptor and the Pony stealer Trojan – work in unison.
The RAA cryptor
The RAA cryptor (Kaspersky Lab verdict: Trojan-Ransom.JS.RaaCrypt) was first detected in June 2016. It caught the attention of researchers and analysts due to the fact that it was written entirely in JavaScript, which is a rarity when it comes to ransomware cryptor Trojans.
We recently detected a new version of this Trojan that has a few differences from earlier known modifications. Let’s have a closer look at this particular sample, which has been assigned the verdict Trojan-Ransom.JS.RaaCrypt.ag.
Propagation
The body of this new version of RAA is a script in JScript (with a .js file extension). The malicious script is sent to potential victims attached to a spam message in a ZIP file with the password ‘111’.
The attack is aimed primarily at corporate users: the message mimics finance-related business correspondence, and the script’s name is similar to those shown below:
Счета на оплату _ август 2016 согласовано и отправлено контрагенту для проведения оплаты _aytOkOTH.doc.js (Invoice_August 2016 approved and sent to contractor for payment _aytOkOTH.doc.js)
Счета на оплату _ август 2016 согласовано и отправлено контрагенту для проведения оплаты _EKWT.doc.js (Invoice_August 2016 approved and sent to contractor for payment _ EKWT.doc.js)
“Let’s presume we made a concession when we allowed you to postpone your due payment.
“We understand you may have difficulties, but do we have to wait for another two months? To be honest, we don’t really want to go to court. Please make all the payments in next few days.”
The message includes a notice saying:
“The company… notifies you that in line with internal security regulations, all outgoing emails are subject to asymmetric encryption. Dear client, your password for this message is 111.”
People who know what ‘asymmetric encryption’ is will probably just smile at this; however, the message is obviously targeting a different audience.
It should be noted that sending malicious content in a password-protected archive is a well-known trick used by cybercriminals to prevent anti-malware systems installed on mail servers from unpacking the archive and detecting any malicious content. To unpack an archive like this, the anti-malware product must automatically retrieve the password from the message, which isn’t always possible.
For an infection to occur, users have to unpack the archive themselves and launch the .js file.
Script obfuscation
The code of the malicious script was deliberately obfuscated to complicate things for malware analysts. The content of the script looks like this in the source code:
Fragment of the obfuscated code
If we restore the line breaks and indents, it becomes obvious that the obfuscation involves renamed variables and functions, as well as strings hidden in the global array. After de-obfuscation and function renaming, the same section of code becomes much easier to read.
Fragment of de-obfuscated code
The script is nearly 3,000 lines long. Most of this is taken up by an implementation of the legitimate DLL CryptoJS, and an implementation of the RSA encryption procedure, which was also taken from public sources by the cybercriminals.
How the Trojan works
To lull the victim into a false sense of security, the RAA cryptor demonstrates a fake Microsoft Word document immediately after it launches. This document is in fact an RTF file specially crafted by the cybercriminals. (The document is contained in the Trojan’s body encoded in Base64 format.)
The fake document displayed to the victim
While the user is reading the message about a document that’s supposedly not being displayed properly, the Trojan is doing its dirty work:
Registers itself to be autostarted with Windows;
Deletes the registry key associated with the VSS service (to prevent the restoring of files from shadow copies);
Sends a request to the C&C server (unlike all previous versions of this Trojan, this version doesn’t wait for the delivery of keys from the server – the request is only sent so the cybercriminals can collect statistics);
Proceeds to search for files and encrypts them.
Key generation
Unlike earlier RAA modifications, this version of the cryptor does not request an encryption key from the C&C. Instead, the Trojan generates a session key on the client. To do so, it calls the WinAPI function RtlGenRandom which is considered a cryptographically secure generator of pseudorandom numbers.
To ensure it can call WinAPI functions from JS code, the Trojan uses a legitimate third-party OCX component called DynamicWrapperX. The Trojan stores it in its body in a Base64-encoded format, and installs it in the infected system. RAA has both 32-bit and 64-bit versions of DynamicWrapperX so it can attack systems running under both Windows architectures.
The Trojan encrypts the generated session key with an RSA algorithm (the public RSA-2048 key is contained within the script) and saves it to a file with the name “KEY-…”, where the multiple periods stand for a unique 36-character infection ID.
File encryption
RAA searches for and encrypts files with the extensions .doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv whose names do not contain the substrings “.locked”, “~”, “$”.
When searching for files, the Trojan skips folders named “WINDOWS”, “RECYCLER”, “Program Files”, “Program Files (x86)”, “Windows”, “Recycle.Bin”, “RECYCLE.BIN”, “Recycler”, “TEMP”, “APPDATA”, “AppData”, “Temp”, “ProgramData”, and “Microsoft”.
When processing each file, RAA uses the session key to generate a file key and initialization vector (IV). The contents of the files are encrypted in different ways depending on the file size:
0 to 6,122 bytes: the file is encrypted in full.
6,123 to 4,999,999 bytes: three fragments are selected for encryption in different sections of the file. The first, 2000- to 2040-byte fragment is selected at the beginning of the file; the location and size of the two other fragments depend on the size of the first fragment and the overall size of the file.
5,000,001 to 500,000,000 bytes: two fragments of 90000-125000 bytes are selected for encryption (from the beginning and end of the file).
500,000,001 bytes and larger: not encrypted.
A string is added at the end of the encrypted file that contains “IDNUM” (infection ID), “KEY_LOGIC” (indexes to construct the file key from the session key), “IV_LOGIC” (indexes to construct the IV from the session key), and “LOGIC_ID” (possible values are “1”, “2” or “3” – the selected encryption method depending on the file size). The encrypted file is given the additional extension .locked.
The string added to the end of the encrypted file
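As an added example (not code from the article or from the Trojan), the selection rules above can be turned into a recovery-triage script: given a file inventory such as a backup listing, it reports which files RAA would have encrypted and with which LOGIC_ID, so that fully encrypted, partially encrypted and untouched files can be told apart. The sample listing is constructed; case-insensitive extension matching and the placement of exactly 5,000,000 bytes (which the article's bands leave unstated) are assumptions.

```python
import os
from typing import List, Optional, Tuple

# Selection rules quoted from the article.
TARGET_EXTENSIONS = {".doc", ".xls", ".rtf", ".pdf", ".dbf", ".jpg", ".dwg", ".cdr",
                     ".psd", ".cd", ".mdb", ".png", ".lcd", ".zip", ".rar", ".csv"}
EXCLUDED_NAME_SUBSTRINGS = (".locked", "~", "$")
SKIPPED_FOLDERS = {"WINDOWS", "RECYCLER", "Program Files", "Program Files (x86)",
                   "Windows", "Recycle.Bin", "RECYCLE.BIN", "Recycler", "TEMP",
                   "APPDATA", "AppData", "Temp", "ProgramData", "Microsoft"}

# LOGIC_ID values and what each means for recovery of the file content.
LOGIC_DESCRIPTION = {
    1: "encrypted in full",
    2: "three fragments encrypted (2000-2040 bytes at the start plus two size-dependent ones)",
    3: "two fragments of 90000-125000 bytes encrypted (start and end of file)",
}


def logic_id_for_size(size: int) -> Optional[int]:
    """Map a file size to the LOGIC_ID band from the article; None means untouched.
    ASSUMPTION: exactly 5,000,000 bytes falls into band 3 (the article skips it)."""
    if size < 0:
        raise ValueError("size must be non-negative")
    if size <= 6_122:
        return 1
    if size <= 4_999_999:
        return 2
    if size <= 500_000_000:
        return 3
    return None


def is_candidate(path: str) -> bool:
    """True when RAA's search would consider this path at all (before the size check)."""
    parts = path.replace("\\", "/").split("/")
    folders, name = parts[:-1], parts[-1]
    # Folder names are listed in several spellings, so an exact, case-sensitive match
    # is used here; a case-insensitive match would be the conservative alternative.
    if any(folder in SKIPPED_FOLDERS for folder in folders):
        return False
    if any(sub in name for sub in EXCLUDED_NAME_SUBSTRINGS):
        return False
    # ASSUMPTION: extension comparison is case-insensitive (not stated in the article).
    return os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS


def exposure_report(files: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Return (path, LOGIC_ID, description) for every file RAA would encrypt."""
    report = []
    for path, size in files:
        if not is_candidate(path):
            continue
        logic_id = logic_id_for_size(size)
        if logic_id is not None:
            report.append((path, logic_id, LOGIC_DESCRIPTION[logic_id]))
    return report


# Constructed sample listing (path, size in bytes) standing in for a backup inventory.
SAMPLE_FILES = [
    (r"C:\Users\alice\Documents\report.doc", 4_096),
    (r"C:\Users\alice\Pictures\photo.jpg", 1_000_000),
    (r"C:\Users\alice\Videos\archive.zip", 50_000_000),
    (r"C:\Users\alice\backup.rar", 600_000_000),              # too large: not encrypted
    (r"C:\Windows\System32\x.dbf", 100),                     # skipped folder
    (r"C:\Users\alice\Documents\report.doc.locked", 4_140),  # already processed
    (r"C:\Users\alice\Documents\notes.txt", 100),            # extension not targeted
    (r"C:\Users\alice\AppData\Roaming\cache.png", 10),       # skipped folder
]

if __name__ == "__main__":
    for path, logic_id, why in exposure_report(SAMPLE_FILES):
        print(f"LOGIC_ID={logic_id} {path}: {why}")
```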
Ransom demand
When the files are encrypted, RAA displays a file with the cybercriminals’ demands and contacts in WordPad. The Trojan fills the text template with a 36-character ID which is unique for each case.
The file containing the cybercriminals’ demands
The cybercriminals suggest that the victims purchase a file decryption key and software from them. Two methods of communication are available: email and the Bitmessage service. The victim is expected to pay for the decryption key in bitcoins.
Plus a stealer Trojan
The damage caused by the Trojan is not limited to encrypting files. Like some of the earlier versions of RAA, the version we are examining has some added features. The Trojan contains an executable file encoded in Base64, which it writes to the hard drive at ‘C:\Users\<username>\Documents\ii.exe’ and launches after it has finished encrypting files. Analysis revealed that ‘ii.exe’ is none other than Pony, a known password-stealing Trojan (detection verdict: Trojan-PSW.Win32.Tepfer.gen).
Pony has proved to be an unusually long-lived Trojan. Its early versions supposedly emerged back in 2011, while in December 2013, as reported by the mass media, it stole the credentials of over 2 million users.
Naturally, after all that time Pony’s source code appeared on the web at some point. Analysis showed that the executable file we are analyzing here was constructed using Pony source code.
Pony: confidential data theft
To recap, Pony’s main task is to collect confidential information from an infected computer and then send it to the cybercriminals.
Step 1. Stealing information
Below is a short list of the information that Pony hunts for.
Passwords stored in web browsers: Microsoft Internet Explorer, Google Chrome, Opera, Mozilla Firefox, K-Meleon, Яндекс.Браузер (Yandex Browser), Flock.
Credentials to dozens of the most popular FTP clients: CuteFTP 6\7\8\9\Pro\Lite, FTP Navigator, FlashFXP 3\4, FileZilla, FTP Commander, Bullet Proof FTP Client, SmartFTP, TurboFTP, FFFTP, COREFTP, FTP Explorer, ClassicFTP, SoftX.org FTPClient, LeapFTP, FTP CONTROL, FTPVoyager, LeechFTP, WinFTP, FTPGetter, ALFTP, BlazeFtp, Robo-FTP 3.7, NovaFTP, FTP Surfer, LinasFTP, Cyberduck, WiseFTP.
Accounts with the most widespread mail clients: Microsoft Outlook, Mozilla Thunderbird, The Bat!, Windows Live Mail, Becky! Internet Mail, Pocomail, IncrediMail.
Various cryptocurrency wallet files: PPCoin, Primecoin, Feathercoin, ProtoShares, Quarkcoin, Worldcoin, Infinitecoin, Fastcoin, Phoenixcoin, Craftcoin.
The Trojan also has the following capabilities:
Pony steals the user’s digital certificates.
Pony stores a list of the most widespread combinations that users use as passwords. Using this list, it attempts to gain access to the accounts on an infected computer.
Step 2. Data encryption and sending
Before sending the collected information to the cybercriminals, Pony encrypts it using the RC4 algorithm. When doing so, the Trojan keeps records of the checksums of the obtained data (a slightly modified CRC32 algorithm is used). The sequence is as follows:
Calculate the checksum of the non-encrypted data.
Write the obtained value next to the input data.
Encrypt input data with the RC4 algorithm using the key that the cybercriminals specified when they compiled the Trojan.
Calculate the checksum of the encrypted data.
Write the obtained value next to the input data.
Generate a random 4-byte key.
Encrypt the input data with the RC4 algorithm using the generated key.
Generate a data package ready for sending that can be described with a ToSend structure (see below).
struct ToSend
{
dword random_key;             // the 4-byte key generated in step 6, sent in the clear
byte* double_encrypted_data;  // data encrypted with the compile-time key, then with random_key
};
A non-encrypted fragment of the generated report
Fragment of the report that is ready for sending. The encryption key is highlighted in red
When the data is brought up to the required form, Pony sends it to the cybercriminals.
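As an added example (not Pony's own code), here is a Python reconstruction of the eight packaging steps above together with the matching decoder an analyst can run on a captured report when the compile-time RC4 key is known. Assumptions: a standard zlib CRC32 stands in for the slightly modified checksum the article mentions, each checksum is written immediately before the data it covers, and the static key and report bytes are constructed placeholders.

```python
import os
import struct
import zlib
from typing import Optional

# Constructed placeholders: a real sample's static key is chosen when the Trojan is compiled.
STATIC_KEY = b"constructed-static-key"
SAMPLE_REPORT = b"constructed report: user=alice host=WS01 ftp=ftp.example.test"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def checksum(data: bytes) -> bytes:
    """ASSUMPTION: plain CRC32 as a little-endian dword. The real Trojan uses a
    slightly modified CRC32, so replace this function once the variant is known."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def pack_report(report: bytes, static_key: bytes, random_key: Optional[bytes] = None) -> bytes:
    """Apply the eight steps from the article and return a ToSend package:
    4-byte random_key followed by the double-encrypted data."""
    if random_key is None:
        random_key = os.urandom(4)                 # step 6: random 4-byte key
    stage1 = checksum(report) + report             # steps 1-2 (checksum placement assumed)
    stage2 = rc4(static_key, stage1)               # step 3: RC4 with the compile-time key
    stage3 = checksum(stage2) + stage2             # steps 4-5
    stage4 = rc4(random_key, stage3)               # step 7: RC4 with the random key
    return random_key + stage4                     # step 8: struct ToSend


def unpack_report(package: bytes, static_key: bytes) -> bytes:
    """Reverse the pipeline on a captured package, verifying both checksums.
    Raises ValueError when the layout or the static key does not fit."""
    if len(package) < 4 + 4 + 4:
        raise ValueError("package too short for key and two checksums")
    random_key, double_encrypted = package[:4], package[4:]   # the random key travels in clear
    stage3 = rc4(random_key, double_encrypted)
    outer_crc, stage2 = stage3[:4], stage3[4:]
    if checksum(stage2) != outer_crc:
        raise ValueError("outer checksum mismatch: layout or checksum variant differs")
    stage1 = rc4(static_key, stage2)
    inner_crc, report = stage1[:4], stage1[4:]
    if checksum(report) != inner_crc:
        raise ValueError("inner checksum mismatch: wrong static key?")
    return report


def demo() -> bytes:
    """Round-trip the constructed report with a fixed random key so the result is repeatable."""
    package = pack_report(SAMPLE_REPORT, STATIC_KEY, random_key=b"\x01\x02\x03\x04")
    return unpack_report(package, STATIC_KEY)


if __name__ == "__main__":
    print(demo() == SAMPLE_REPORT)
```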
Two alleged members of Crackas With Attitude group arrested for hacking US Gov Officials
9.9.2016 securityaffairs Hacking
U.S. authorities have arrested two alleged members of the Crackas With Attitude group involved in dumping details of officials with the FBI and the DHS.
The FBI has identified and arrested two men from North Carolina who are suspected of being members of the notorious ‘Crackas With Attitude’ hacker group that dumped details of government agents last year.
The hackers leaked the personal details of 31,000 government agents: nearly 20,000 FBI agents, 9,000 Department of Homeland Security (DHS) officers and an unspecified number of DoJ staffers.
Crackas With Attitude made the headlines due to the hacking of senior officials at the CIA, FBI, the White House, Homeland Security Department, and other US federal agencies.
In October 2015 the group violated the CIA Director’s personal email account and leaked sensitive files including a top-secret application for a security clearance.
In January 2016, a hacker associated with the Crackas With Attitude group accessed accounts belonging to the Director of National Intelligence, James Clapper. The group also broke into the AOL email of FBI Deputy Director Mark Giuliano.
The two suspects arrested by the authorities are Andrew Otto Boggs (22), of North Wilkesboro, N.C., who went online with the handle “INCURSIO,” and Justin Gray Liverman (24), of Morehead City, who used the handle “D3F4ULT.”
According to a press release by the Department of Justice, the two men were arrested on Thursday morning on charges of computer hacking.
“Andrew Otto Boggs, aka “INCURSIO,” 22, of North Wilkesboro, North Carolina, and Justin Gray Liverman, aka “D3F4ULT,” 24, of Morehead City, North Carolina, were arrested today on charges related to their alleged roles in the computer hacking of several senior U.S. government officials and U.S. government computer systems.” reads the press release.
“According to charging documents filed with the court, Boggs and Liverman conspired with members of a hacking group that called itself “Crackas With Attitude.” From about October 2015 to February 2016, the group used “social engineering” hacking techniques, including victim impersonation, to gain unlawful access to the personal online accounts of senior U.S. government officials, their families, and several U.S. government computer systems.”
In February, British police and the FBI arrested a 16-year-old British teenager suspected of being a member of the dreaded group.
“In some instances, members of the conspiracy uploaded private information that they obtained from victims’ personal accounts to public websites; made harassing phone calls to victims and their families; and defaced victims’ social media accounts,” reads the press release. According to FBI officials, between October 2015 and February 2016, the hacking group used social engineering to trick the victims into revealing their account number, password, and other details.
The two men will have their initial appearances at the federal courthouse in Alexandria next week in front of U.S. Magistrate Judge Theresa Carroll Buchanan.
Over 33 Million QIP.ru accounts hacked compromised in an old data breach
9.9.2016 securityaffairs Hacking
Another old and huge data breach was reported to LeakedSource, more than 33 million QIP records from 2011 have been compromised.
Once again we are here to discuss a data breach; the victim is the Russian instant messaging service Quiet Internet Pager (QIP.ru). According to the breach notification service LeakedSource, the leaked dump includes details of more than 33 million users, and the data breach dates back to June 2011.
LeakedSource (@LeakedSource) tweeted on 9 Sep 2016: “Another old mega breach added: 33 million QIP.ru records from 2011. Search yourself on #LeakedSource at https://www.leakedsource.com/”
Records belonging to 33,383,392 Quiet Internet Pager (QIP) users were disclosed by the same hacker who recently leaked tens of millions of accounts stolen from several popular services, including the Russian web portal Rambler, Mail.ru, Last.fm, Dota, LinkedIn, Myspace, and VerticalScope.
Security experts from HEROIC who analyzed the leaked data confirmed that the records include email addresses, usernames, and passwords in plain text.
The experts believe the archive dates back to 2009-2011. A close look at the compromised accounts reveals that one in three is associated with a Mail.Ru email address, followed by Yandex (2.5 million), Rambler (2 million) and Gmail (925,000).
Also in this case, the top passwords are 123456, 123123, 111111 and 123456789.
FBI Arrests Two Hackers Who Hacked US Spy Chief, FBI and CIA Director
9.9.2016 thehackernews Hacking
US authorities have arrested two North Carolina men on charges that they were part of the notorious hacking group "Crackas With Attitude."
Crackas with Attitude is the group of hackers who allegedly was behind a series of audacious and embarrassing hacks that targeted personal email accounts of senior officials at the CIA, FBI, the White House, Homeland Security Department, and other US federal agencies.
Andrew Otto Boggs, 22, of North Wilkesboro, N.C., who allegedly used the handle "INCURSIO," and Justin Gray Liverman, 24, of Morehead City, known online as "D3F4ULT," were arrested on Thursday morning on charges related to their alleged roles in the computer hacking, according to a press release by the Department of Justice.
A 16-year-old British teenager suspected of being part of the group was arrested in February by the FBI and British police.
Although court documents did not name the victims, the hacking group had allegedly:
Hacked into the AOL email of CIA director John Brennan and released personal details.
Hacked into the personal emails and phone accounts of the US spy chief James Clapper.
Broke into the AOL email of the FBI Deputy Director Mark Giuliano.
Cracka also leaked the personal details of 31,000 government agents: nearly 20,000 FBI agents, 9,000 Department of Homeland Security (DHS) officers and an unspecified number of DoJ staffers.
"In some instances, members of the conspiracy uploaded private information that they obtained from victims’ personal accounts to public websites; made harassing phone calls to victims and their families; and defaced victims’ social media accounts," reads the press release.
According to FBI officials, between October 2015 and February 2016, the hacking group used social engineering to trick the victims into revealing their account number, password, and other details.
Boggs and Liverman will be extradited next week to the Eastern District of Virginia, where federal prosecutors have spent months building a case against Crackas With Attitude.
Banking Trojan, Gugi, evolves to bypass Android 6 protection
9.9.2016 Kaspersky Android
Almost every Android OS update includes new security features designed to make cybercriminals’ life harder. And, of course, the cybercriminals always try to bypass them.
We have found a new modification of the mobile banking Trojan, Trojan-Banker.AndroidOS.Gugi.c that can bypass two new security features added in Android 6: permission-based app overlays and a dynamic permission requirement for dangerous in-app activities such as SMS or calls. The modification does not use any vulnerabilities, just social engineering.
Initial infection
The Gugi Trojan is spread mainly by SMS spam that takes users to phishing webpages with the text “Dear user, you receive MMS-photo! You can look at it by clicking on the following link”.
Clicking on the link initiates the download of the Gugi Trojan onto the user’s Android device.
Circumventing the security features
To help protect users from the impact of phishing and ransomware attacks, Android 6 introduced a requirement for apps to request permission to superimpose their windows/views over other apps. In earlier versions of the OS they were able to automatically overlay other apps.
The Trojan’s ultimate goal is to overlay banking apps with phishing windows in order to steal user credentials for mobile banking. It also overlays the Google Play Store app to steal credit card details.
The Trojan-Banker.AndroidOS.Gugi.c modification gets the overlay permission it needs by forcing users to grant this permission. It then uses that to block the screen while demanding ever more dangerous access.
The first thing an infected user is presented with is a window with the text “Additional rights needed to work with graphics and windows” and one button: “provide.”
After clicking on this button, the user will see a dialog box that authorizes the app overlay (“drawing over other apps”).
System request to permit Trojan-Banker.AndroidOS.Gugi.c to overlay other apps
But as soon as the user gives Gugi this permission, the Trojan will block the device and show its window over any other windows/dialogs.
Trojan-Banker.AndroidOS.Gugi.c window that blocks the infected device until it receives all the necessary rights
It gives the user no option, presenting a window that contains only one button: “Activate”. Once the user presses this button they will receive a continuous series of requests for all the rights the Trojan is looking for. They won’t get back to the main menu until they have agreed to everything.
For example, following the first click of the button, the Trojan will ask for Device Administrator rights. It needs this for self-defense because it makes it much harder for the user to uninstall the app.
After successfully becoming the Device Administrator, the Trojan produces the next request. This one asks the user for permission to send and view SMS and to make calls.
It is interesting that Android 6 introduced dynamic permission requests as a new security feature.
Earlier versions of the OS only showed app permissions at installation; but, starting from Android 6, the system asks users for permission to execute dangerous actions like sending SMS or making calls the first time they are attempted, or allows apps to ask at any other time – and that is what the modified Gugi Trojan does.
System request for dynamic permission
The Trojan will continue to ask the user for each permission until they agree. Should the user deny permission, subsequent requests will offer them the option of closing the request. If the Trojan does not receive all the permissions it wants, it will completely block the infected device. In such a case the user’s only option is to reboot the device in safe mode and try to uninstall the Trojan.
Repeating system request for dynamic permission
A standard banking Trojan
With the exception of its ability to bypass Android 6 security features, and its use of the Websocket protocol, Gugi is a typical banking Trojan. It overlays apps with phishing windows to steal credentials for mobile banking or credit card details. It also steals SMS, contacts, makes USSD requests and can send SMS by command from the CnC.
The Trojan-Banker.AndroidOS.Gugi family has been known about since December 2015, with the modification Trojan-Banker.AndroidOS.Gugi.c first discovered in June 2016.
Victim profile
The Gugi Trojan mainly attacks users in Russia: more than 93% of attacked users to date are based in that country. Right now it is a trending Trojan – in the first half of August 2016 there were ten times as many victims as in April 2016.
Unique number of users attacked by Trojan-Banker.AndroidOS.Gugi
We will shortly be publishing a detailed report into the Trojan-Banker.AndroidOS.Gugi malware family, its functionality and its use of the Websocket protocol.
All Kaspersky Lab products detect all modifications of the Trojan-Banker.AndroidOS.Gugi malware family.
Warning! This Cross-Platform Malware Can Hack Windows, Linux and OS X Computers
8.9.2016 thehackernews Virus
Rather than writing malware specifically for the Windows operating system platform, cyber attackers have started creating cross-platform malware for wider exploitation.
Due to the rise in popularity of Mac OS X and other Windows desktop alternatives, hackers have begun designing cross-platform malware modularly for wide distribution.
Cross-platform malware is loaded with specialized payloads and components, allowing it to run on multiple platforms.
One such malware family, which runs on all the key operating systems, including Windows, Linux, and Mac OS X, has recently been discovered by researchers at Kaspersky Lab.
Stefan Ortloff, a researcher from Kaspersky Lab’s Global Research and Analysis Team, first discovered the Linux and Windows variants of this family of cross-platform backdoor, dubbed Mokes, in January this year.
Now, the researcher has confirmed the existence of an OS X variant of this malware family, giving a technical breakdown of the backdoor in a post on Securelist.
Like the Linux and Windows variants, the OS X variant, Backdoor.OSX.Mokes.a, specializes in capturing audio and video, logging keystrokes and taking screenshots every 30 seconds from a victim’s machine.
The variant is written in C++ using Qt, a cross-platform application framework that is widely used for developing applications that run on various software and hardware platforms.
The backdoor can also monitor removable storage, for example when a USB drive is connected to or removed from the computer.
It can also scan the file system for Office documents, including .docx, .doc, .xlsx, and .xls files.
The OS X backdoor can also execute arbitrary commands on the victim’s computer from its command and control (C&C) server.
The backdoor establishes an encrypted connection with its command and control server and communicates using AES-256 encryption, which is considered to be a secure encryption algorithm.
Ortloff notes that right after execution, the OS X sample he analyzed copies itself to a handful of locations, including caches that belong to Skype, Dropbox, Google, and Firefox. This behavior is similar to the Linux variant, which copied itself to locations belonging to Dropbox and Firefox after execution.
The researcher has not attributed the Mokes backdoor family to any hacking group, state-sponsored actor or country, nor has he detailed the OS X backdoor’s infection vector or how widespread it is.
However, based on the currently available information, the backdoor seems to be a sophisticated piece of malware.
Cross-platform Mokes backdoor OS X exists and is spreading in the wild
8.9.2016 securityaffairs Vulnerebility
Malware researchers from Kaspersky Lab confirmed the existence of an OS X variant of the Mokes backdoor discovered in January by Kaspersky.
Malware researchers from Kaspersky Lab confirmed the existence of an OS X variant of a recently discovered family of cross-platform backdoors. The family was named Mokes; a strain of the malware was first spotted in January, but the existence of the OS X version was confirmed only this week.
“Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx.” wrote Kaspersky.
The malicious code is able to steal various kinds of data from an infected system, including screenshots, Office-Documents (docx, .doc, .xlsx, and .xls files), Keystrokes, and Audio-/Video-Captures.
The Mokes backdoor also allows hackers to execute arbitrary commands on the victim’s computer, it works on Linux, Windows and also OS X.
The sample of the OS X Mokes backdoor recently analyzed by Kaspersky was unpacked, but the researchers believe it is packed in the wild, like the Linux variant spotted in January.
Once executed, the Mokes backdoor copies itself to the first available of the following locations:
$HOME/Library/App Store/storeuserd
$HOME/Library/com.apple.spotlight/SpotlightHelper
$HOME/Library/Dock/com.apple.dock.cache
$HOME/Library/Skype/SkypeHelper
$HOME/Library/Dropbox/DropboxCache
$HOME/Library/Google/Chrome/nacld
$HOME/Library/Firefox/Profiles/profiled
After the malware establishes a first connection with its C&C server using HTTP on TCP port 80, the backdoor communicates via TCP port 443.
The researchers discovered that the User-Agent string is hardcoded in the binary; once the server receives it, it replies with “text/html” content of 208 bytes in length. Then the encrypted connection is established using the AES-256-CBC algorithm.
What is strange about this story is that, although the malware researchers spotted the first samples of the backdoor in January, the number of infection samples did not increase.
Stefan Ortloff, the researcher with Kaspersky Lab’s Global Research and Analysis Team who identified the Mokes backdoor family, has not provided details on the infection vector.
The report published by Kaspersky also includes IoCs for the detection of the backdoor.
Here’s How to Hack Windows/Mac OS X Login Password (When Locked)
7.9.2016 thehackernews Hacking
A security researcher has discovered a unique attack method that can be used to steal credentials from a locked (but logged-in) computer, and it works on both Windows and Mac OS X systems.
In his blog post published today, security expert Rob Fuller demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop.
Fuller modified the firmware of a USB Ethernet dongle so that when it is plugged in, the plug-and-play USB device installs itself and acts as the network gateway, DNS server, and Web Proxy Auto-Discovery Protocol (WPAD) server for the victim's machine.
The attack is possible because most PCs automatically install Plug-and-Play USB devices, meaning "even if a system is locked out, the device [dongle] still gets installed," Fuller explains in his blog post.
"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."
How does the Attack Work?
You might be wondering: why would your computer automatically share Windows credentials with any connected device?
That is because of the default behavior of Microsoft Windows’ name resolution services, which can be abused to steal authentication credentials.
The modified plug-and-play USB Ethernet adapter includes a piece of software, Responder, which spoofs the network to intercept hashed credentials and then stores them in an SQLite database.
The hashed credentials collected by the network exploitation tool can later be easily brute-forced to get clear-text passwords.
Apparently, to conduct this attack, attackers would require physical access to the target computer so that they can plug in the malicious USB Ethernet adapter. However, Fuller says the average time required for a successful attack is just 13 seconds.
You can watch the video demonstration below that shows Fuller's attack in action.
Fuller successfully tested his attack against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 Enterprise and Home (but not Windows 8), as well as OS X El Capitan and OS X Mavericks. He’s also planning to test it against several Linux distros.
Fuller tested the attack with two USB Ethernet dongles: the USB Armory and the Hak5 Turtle. For more detailed explanation, you can head on to his blog post.
CVE-2016-3862 flaw – Silently hack millions Androids devices with a photo
7.9.2016 securityaffairs Vulnerebility
The CVE-2016-3862 flaw is a remote code execution vulnerability that affects the way certain Android apps parse the Exif data in images.
Are you an Android user? I have bad news for you: an apparently harmless image on social media or in a messaging app could compromise your mobile device.
The latest security updates issued by Google have fixed the Quadrooter vulnerabilities, which were threatening more than 900 million devices, and a critical zero-day that could let attackers deliver their hack hidden inside an image.
The flaw, tracked as CVE-2016-3862, is a remote code execution vulnerability in the Mediaserver. It affects the way certain Android applications parse the Exif data included in images.
“Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.” reads Wikipedia.
The flaw was first discovered by the security researcher Tim Strazzere from the SentinelOne firm, who explained that it could be exploited by hackers to take complete control of the device without the victim knowing, or to crash it.
“Strazzere told me that as long as an attacker can get a user to open the image file within an affected app – such as Gchat and Gmail – they could either cause a crash or get “remote code execution”; ergo they could effectively place malware on the device and take control of it without the user knowing.” explained Forbes.
The victim doesn’t need to click on the malicious image, nor on a link, because as soon as its data is parsed by the device it triggers the CVE-2016-3862 vulnerability.
“The problem was made even more severe as a malicious hacker wouldn’t even need the victim to do anything. “Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone. Once that application attempts to parse the image (which was done automatically), the crash is triggered,” Strazzere explained.
What does it mean?
Just one photo containing a generic exploit could silently hack millions of Android devices, in a way similar to the Stagefright exploits that allowed attackers to hack a smartphone with just a simple text message.
“Theoretically, someone could create a generic exploit inside an image to exploits lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.”
Strazzere developed the exploits for the affected devices and tested them on Gchat, Gmail and many other messenger and social media apps.
Strazzere did not reveal the names of the other apps that are affected by the CVE-2016-3862 vulnerability; he also added that the list of vulnerable software includes “privacy-sensitive” tools. Any mobile app implementing the Android Java ExifInterface object is likely affected.
CVE-2016-3862 android flaw
The vulnerability is similar to last year’s Stagefright bug (exploit code) that allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it.
Android versions from 4.4.4 to 6.0.1 are affected by the CVE-2016-3862 vulnerability, except of course the devices that have installed the latest update.
Google has already delivered a patch to fix the vulnerability but, as usual, this doesn’t mean that your mobile has already applied it, because patch management depends on handset manufacturers and carriers.
So, if you are not running an updated version of the Android OS, you are probably vulnerable to the image-based attack.
Google rewarded Strazzere $4,000 as part of its Android bug bounty and added another $4,000, as the researcher had pledged to give all $8,000 to Girls Garage, a program of the nonprofit Project H Design for girls aged 9-13.
The Missing Piece – Sophisticated OS X Backdoor Discovered
7.9.2016 Kaspersky Vulnerebility
Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows, Linux, OS X). Please see also our analysis on the Windows and Linux variants.
This malware family is able to steal various types of data from the victim’s machine (screenshots, audio/video captures, Office documents, keystrokes).
The backdoor is also able to execute arbitrary commands on the victim’s computer.
It uses strong AES-256-CBC encryption to communicate.
Background
Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx. 14MB. Let’s have a look into this very fresh sample.
“Unpacked” Backdoor.OSX.Mokes.a
Its filename was “unpacked” when we got our hands on it, but we’re assuming that in-the-wild it comes packed, just like its Linux variant.
Startup
When executed for the first time, the malware copies itself to the first available of the following locations, in this order:
$HOME/Library/App Store/storeuserd
$HOME/Library/com.apple.spotlight/SpotlightHelper
$HOME/Library/Dock/com.apple.dock.cache
$HOME/Library/Skype/SkypeHelper
$HOME/Library/Dropbox/DropboxCache
$HOME/Library/Google/Chrome/nacld
$HOME/Library/Firefox/Profiles/profiled
Corresponding to that location, it creates a plist-file to achieve persistence on the system:
After that it’s time to establish a first connection with its C&C server using HTTP on TCP port 80:
The User-Agent string is hardcoded in the binary and the server replies to this “heartbeat” request with “text/html” content of 208 bytes in length. Then the binary establishes an encrypted connection on TCP port 443 using the AES-256-CBC algorithm.
Backdoor functionality
Its next task is to set up the backdoor features:
Capturing Audio
Monitoring Removable Storage
Capturing Screen (every 30 sec.)
Scanning the file system for Office documents (xls, xlsx, doc, docx)
The attacker controlling the C&C server is also able to define their own file filters to extend the monitoring of the file system, as well as to execute arbitrary commands on the system.
Just like on other platforms, the malware creates several temporary files containing the collected data if the C&C server is not available.
$TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots)
$TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures)
$TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
$TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)
DDMMyy = date: 070916 = 2016-09-07
HHmmss = time: 154411 = 15:44:11
nnn = milliseconds
If the environment variable $TMPDIR is not defined, “/tmp/” is used as the location (http://doc.qt.io/qt-4.8/qdir.html#tempPath).
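As an added defender-side example (not code from the Kaspersky analysis), the following Python helper classifies file paths against the Mokes persistence locations, the LaunchAgents plist named after the dropped binary, and the `<kind>0-DDMMyy-HHmmss-nnn` staging-file pattern, parsing the embedded capture timestamp; the home and temp directories and the sample paths are constructed assumptions.

```python
import os
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Persistence locations used by Backdoor.OSX.Mokes.a, relative to $HOME
# (taken from the analysis above, in the order the malware tries them).
MOKES_PERSISTENCE_PATHS = [
    "Library/App Store/storeuserd",
    "Library/com.apple.spotlight/SpotlightHelper",
    "Library/Dock/com.apple.dock.cache",
    "Library/Skype/SkypeHelper",
    "Library/Dropbox/DropboxCache",
    "Library/Google/Chrome/nacld",
    "Library/Firefox/Profiles/profiled",
]

# Staging files written when the C&C is unreachable: <kind>0-DDMMyy-HHmmss-nnn.<kind>t
# The extension repeats the two-letter kind prefix (ss -> .sst, aa -> .aat, ...).
STAGING_RE = re.compile(
    r"^(?P<kind>ss|aa|kk|dd)0-(?P<date>\d{6})-(?P<time>\d{6})-(?P<ms>\d{3})\.(?P=kind)t$"
)
KIND_LABELS = {"ss": "screenshot", "aa": "audio capture", "kk": "keylog", "dd": "arbitrary data"}


def parse_staging_name(name: str) -> Optional[Tuple[str, datetime]]:
    """Return (data kind, capture timestamp) for a Mokes staging file name, else None.

    The date is DDMMyy and the time HHmmss, e.g. 070916-154411 -> 2016-09-07 15:44:11;
    nnn is milliseconds. Names with an impossible date (day 32, month 13) are rejected.
    """
    m = STAGING_RE.match(name)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["date"] + m["time"], "%d%m%y%H%M%S")
    except ValueError:
        return None
    ts = ts.replace(microsecond=int(m["ms"]) * 1000)
    return KIND_LABELS[m["kind"]], ts


def mokes_tmpdir() -> str:
    """Directory the sample stages data in: $TMPDIR, or /tmp/ when unset (Qt tempPath behaviour)."""
    return os.environ.get("TMPDIR") or "/tmp/"


def classify_path(path: str, home: str, tmpdir: str) -> Optional[str]:
    """Label one absolute path if it matches a Mokes artefact, else return None."""
    norm = os.path.normpath(path)
    for rel in MOKES_PERSISTENCE_PATHS:
        if norm == os.path.normpath(os.path.join(home, rel)):
            return "persistence binary"
        # The LaunchAgent plist is named after the dropped binary ($filename.plist in the IOCs).
        plist = os.path.join(home, "Library", "LaunchAgents", os.path.basename(rel) + ".plist")
        if norm == os.path.normpath(plist):
            return "launch agent"
    if os.path.dirname(norm) == os.path.normpath(tmpdir):
        parsed = parse_staging_name(os.path.basename(norm))
        if parsed:
            kind, ts = parsed
            return f"staging file ({kind}, captured {ts.isoformat(timespec='milliseconds')})"
    return None


def scan_host(home: Optional[str] = None, tmpdir: Optional[str] = None) -> List[Tuple[str, str]]:
    """Check the real persistence locations and temp directory; returns (label, path) pairs."""
    home = home or os.path.expanduser("~")
    tmpdir = tmpdir or mokes_tmpdir()
    candidates = [os.path.join(home, rel) for rel in MOKES_PERSISTENCE_PATHS]
    candidates += [
        os.path.join(home, "Library", "LaunchAgents", os.path.basename(rel) + ".plist")
        for rel in MOKES_PERSISTENCE_PATHS
    ]
    if os.path.isdir(tmpdir):
        candidates += [os.path.join(tmpdir, n) for n in os.listdir(tmpdir)]
    hits = []
    for p in candidates:
        label = classify_path(p, home, tmpdir)
        if label and os.path.exists(p):
            hits.append((label, p))
    return hits


if __name__ == "__main__":
    for label, p in scan_host():
        print(f"{label}: {p}")
```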
Hints from the author
The author of this malware again left some references to the corresponding source files:
Detection
We detect this type of malware as HEUR:Backdoor.OSX.Mokes.a
IOCs
Hash:
664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c
Files:
$HOME/Library/App Store/storeuserd
$HOME/Library/com.apple.spotlight/SpotlightHelper
$HOME/Library/Dock/com.apple.dock.cache
$HOME/Library/Skype/SkypeHelper
$HOME/Library/Dropbox/DropboxCache
$HOME/Library/Google/Chrome/nacld
$HOME/Library/Firefox/Profiles/profiled
$HOME/Library/LaunchAgents/$filename.plist
$TMPDIR/ss*-$date-$time-$ms.sst
$TMPDIR/aa*-$date-$time-$ms.aat
$TMPDIR/kk*-$date-$time-$ms.kkt
$TMPDIR/dd*-$date-$time-$ms.ddt
Hosts:
158.69.241[.]141
jikenick12and67[.]com
cameforcameand33212[.]com
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Russia's Largest Portal HACKED; Nearly 100 Million Plaintext Passwords Leaked
7.9.2016 thehackernews Hacking
Another data breach from 2012, and this time, it's Russia's biggest internet portal and email provider Rambler.ru.
Rambler.ru, also known as Russia's Yahoo, suffered a massive data breach in 2012 in which an unknown hacker or a group of hackers managed to steal nearly 100 Million user accounts, including their unencrypted plaintext passwords.
The copy of the hacked database obtained by the breach notification website LeakedSource contained details of 98,167,935 Rambler.ru users that were originally stolen on 17 February 2012, but went unreported.
The leaked user records in the database included usernames, email addresses, ICQ numbers (IM chat service), social account details, passwords and some internal data, the data breach indexing site said in a blog post.
The data breach was reported by the same hacker using the daykalif@xmpp.jp Jabber ID who handed LeakedSource over 43.5 Million user records from another 2012 hack suffered by the Last.fm music streaming service.
According to LeakedSource, none of the passwords were hashed, meaning the company stored its users' passwords in unencrypted plain text, which could allow the company as well as hackers to see them easily.
This is something similar to the VK.com breach, in which 171 Million users’ accounts were taken from the Russian social networking site, where passwords were also stored in plaintext format, without any hashing or salting.
Again, as expected, the most common passwords used by Rambler.ru users include "asdasd," "123456," "000000," "654321," "123321," or "123123."
LeakedSource has added the data into its database; so Rambler.ru users can check if they have been compromised by searching their account at Leaked Source’s search engine.
Rambler.ru is the latest victim to join the list of "Mega-Breaches" revealed in recent months, when hundreds of Millions of online credentials from years-old data breaches on popular services, including LinkedIn, MySpace, VK.com, Tumblr, and Dropbox, were exposed online.
Rambler has yet to respond to the incident.
The Bottom Line:
Users are advised to change their passwords for Rambler.ru account as well as other online accounts immediately, especially those using the same passwords.
Moreover, I always encourage users to make use of password managers that create strong and complex passwords for different websites as well as remember them on your behalf.
I have listed some of the best password managers that could help you understand the importance of a password manager as well as choose one according to your requirements.
Warning! Just an Image Can Hack Your Android Phone — Patch Now
7.9.2016 thehackernews Apple
Own an Android smartphone? Beware, as just an innocuous-looking image on social media or messaging app could compromise your smartphone.
Along with the dangerous Quadrooter vulnerabilities that affected 900 Million devices and other previously disclosed issues, Google has patched a previously-unknown critical bug that could let attackers deliver their hack hidden inside an innocent looking image via social media or chat apps.
In fact, there is no need for a victim to click on the malicious photo because as soon as the image’s data was parsed by the phone, it would quietly allow a remote attacker to take control over the device or simply crash it.
The vulnerability is similar to last year's Stagefright bug (exploit code) that allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it.
The Stagefright flaw affected more than 950 Million Android devices and resided in the core Android component Stagefright — a multimedia playback library used by Android to process, record and play multimedia files.
However, the recent vulnerability (CVE-2016-3862) resided in the way images used by certain Android applications parsed the Exif data in an image, SentinelOne's Tim Strazzere, the researcher who uncovered the vulnerability, told Forbes.
Any app using Android's Java object ExifInterface code is likely vulnerable to the issue.
An Image Received...? Your Game is Over
By getting a victim to open the image file within an affected app like Gchat or Gmail, a hacker could either cause the victim's phone to crash or remotely execute malicious code to inject malware on the phone and take control of it without the victim's knowledge.
"Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone," Strazzere said. "Once that application attempts to parse the image (which was done automatically), the crash is triggered."
According to Strazzere, attackers could develop a simple exploit inside an image to target a large number of vulnerable Android devices.
Strazzere crafted exploits for the affected devices and found that it worked on Gchat, Gmail and most other messenger and social media apps, though he did not disclose the names of the other non-Google apps affected by the flaw.
When Can I Expect a Fix?
All versions of Google's operating system from Android 4.4.4 to 6.0.1 are vulnerable to the image-based hack, except today's update that fixed the vulnerability.
The researcher even successfully tested his exploits on a handful of phones running Android 4.2 and Amazon devices and found that the devices remain unpatched, leaving a large number of users of older Android devices exposed.
So, if you are not running an updated version of the operating system and/or an updated device, you probably are vulnerable to the image-based attack.
Google has delivered a patch to fix the issue, but given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices.
Google rewarded Strazzere with $8,000 as part of the company's Android bug bounty program.
CSTO Ransomware, a malware that uses UDP and Google Maps
7.9.2016 securityaffairs Virus
The CSTO ransomware is able to query the Google Maps API to discover the victim's location and connects to its C&C via UDP.
Ransomware is considered by the security experts one of the most dangerous threats to Internet users and organizations across the world.
Malware authors are developing new malicious codes that implement new features to improve evasion and spreading abilities.
Security researchers at BleepingComputer have reported a new ransomware dubbed Cry or CSTO because it pretends to come from the non-existent organization Central Security Treatment Organization.
The CSTO ransomware was first spotted by the malware researcher MalwareHunterTeam.
Once it has infected a machine, the CSTO ransomware encrypts files and appends the .cry extension to them. Like the Cerber ransomware, CSTO also sends information to its command and control server via UDP.
After infecting a computer, the CSTO ransomware collects information on the host (Windows version, installed service pack, OS version, username, computer name, and CPU type), which it sends via UDP to 4096 different IP addresses, only one of which is the real C&C server.
The Vxers have chosen the UDP protocol in an attempt to hide the location of the C&C server.
The threat demands a ransom of 1.1 Bitcoins (more than $600) in order to decrypt the files.
The CSTO ransomware implements an unusual feature: it leverages websites such as Imgur.com and Pastee.org to host information about victims, and it is able to query the Google Maps API to discover the victim's location using the SSIDs of nearby wireless networks.
The ransomware uses the WlanGetNetworkBssList function to get the nearby SSIDs; in this way it is able to determine the victim's location, but it is not clear how the malware uses this information.
“Furthermore, it will also use public sites such as Imgur.com and Pastee.org to host information about each of the victims. Last, but not least, it will query the Google Maps API to determine the victim’s location using nearby wireless SSIDs.” reported bleepingcomputer.com.
After encrypting the files, the threat uploads host information along with a list of encrypted files to Imgur.com by compiling all the details into a fake PNG image file and sending it to a certain album.
Imgur, in turn, assigns a unique name to the image file and returns it to the CSTO ransomware, which then broadcasts the filename over UDP to inform the C&C server.
Similar to other ransomware, the Cry ransomware deletes the Shadow Volume Copies using the command vssadmin delete shadows /all /quiet. In this way it prevents victims from restoring the encrypted files.
The threat gains persistence by creating a randomly named scheduled task that is triggered every time the user logs into Windows. The task also drops ransom notes on the desktop of the infected machine.
The ransom note includes instructions on how to access the Tor network to reach the payment site used by the authors.
“The ransom notes created by the Central Security Treatment Organization Ransomware contain links to a TOR payment site that has a Window title of User Cabinet. When a user visits this site, they will be prompted to login using the personal code from their ransom note.” continues bleepingcomputer.com.
The payment site includes a support page and offers victims the possibility of decrypting just one file for free as proof that it is possible to decrypt all the locked files.
The researchers tested the free decryption feature, but it failed, which is another good reason to avoid paying the ransom.
Pokemon-fan VXer developed the Linux Umbreon rootkit
6.9.2016 securityaffairs Virus
Security researchers from TrendMicro have published an interesting analysis on the Linux Umbreon rootkit, a new malware developed by a Pokemon-fan VXer.
Malware researchers from TrendMicro have obtained samples of a new strain of Linux rootkit from one of its trusted partners.
The new rootkit family was called Umbreon (ELF_UMBREON family), after the name of one of the Pokémon characters. It targets Linux systems, including embedded devices and any other system running either Intel or ARM processors.
According to the experts, the Umbreon Rootkit was developed in early 2015 by a VXer that has been active in the cybercriminal underground since at least 2013. It has been claimed in criminal underground forums that Umbreon is very effective at evading detection.
“Rootkits are persistent threats intended to be hard to detect/observe. Its main purpose is to keep itself (and other malware threats) stealthed and totally hidden from administrators, analysts, users, scanning, forensic, and system tools.” Trend Micro senior threat researcher Fernando Mercês says. “They may also open a backdoor and/or use a C&C server and provide an attacker ways to control and spy on the affected machine.”
Umbreon is classified as a ring 3 rootkit (or usermode rootkit) because it runs in user mode (ring 3); this means it does not install kernel objects onto the system, but hooks functions from core libraries that are used by various applications as an intermediary layer to system calls.
“[Umbreon] hooks functions from core libraries that are used by programs as interfaces to system calls that run important operations in a system such as reading/writing files, spawning processes, or sending packets over the network. It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode.”
Once it has compromised the target system, the rootkit creates a valid Linux user that can be used by attackers to access it via any authentication method supported by Linux through pluggable authentication modules (PAMs), including SSH.
The researchers from TrendMicro focused their analysis on the Espeon backdoor component, a non-promiscuous libpcap-based backdoor written in C that spawns a shell when an authenticated user connects to it. (The attackers also named this component after a Pokémon –
Once again, the author used the name of a Pokémon for one of the components. Espeon allows an attacker to establish a connection to the attacker's machine, working as a reverse shell to bypass firewalls.
Espeon is able to capture all the traffic from the Ethernet interface of the infected machine.
In order to remove the Umbreon Rootkit from the infected systems it is possible to use a Linux Live CD and follow the steps:
Mount the partition where the /usr directory is located; write privileges are required.
Backup all the files before making any changes.
Remove the file /etc/ld.so.<random>.
Remove the directory /usr/lib/libc.so.<random>.
Restore the attributes of the files /usr/share/libc.so.<random>.<arch>.*.so and remove them as well.
Patch the loader library to use /etc/ld.so.preload again.
Unmount the partition and reboot the system normally.
The procedure is feasible because Umbreon is a ring 3 (user level) rootkit.
In order to detect the Umbreon Rootkit it is possible to use the YARA rules published by TrendMicro.
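As an added defender-side example (not Trend Micro's code or its YARA rules), this Python helper checks for the filesystem traces that the removal steps above describe: an extra /etc/ld.so.<random> file, a directory named /usr/lib/libc.so.<random>, /usr/share/libc.so.<random>.<arch>.*.so files, and a dynamic loader that no longer references /etc/ld.so.preload. The allow-list of standard /etc entries, the loader locations and the sample directory listings are constructed assumptions.

```python
import os
import re
from typing import Dict, List

# Entries that legitimately carry the ld.so. prefix in /etc on common distributions
# (constructed allow-list; extend it for your distribution).
KNOWN_ETC_LD_SO = {"ld.so.conf", "ld.so.cache", "ld.so.preload", "ld.so.conf.d", "ld.so.nohwcap"}

# The glibc loader normally reads its preload list from this path. Removal step 6 above
# says the rootkit patches the loader to use a different name, so a loader binary that
# no longer contains this string is suspicious (assumption drawn from that step).
PRELOAD_PATH = b"/etc/ld.so.preload"

# /usr/share/libc.so.<random>.<arch>.*.so from removal step 5.
SHARE_LIBC_RE = re.compile(r"^libc\.so\.[^.]+\.[^.]+\..*\.so$")

# Loader locations to try on a live host (assumed; adjust per distribution/architecture).
LOADER_CANDIDATES = ["/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2", "/lib/ld-linux-armhf.so.3"]


def suspicious_etc_entries(names: List[str]) -> List[str]:
    """/etc entries named ld.so.<something> that are not on the allow-list."""
    return sorted(n for n in names if n.startswith("ld.so.") and n not in KNOWN_ETC_LD_SO)


def suspicious_usrlib_dirs(entries: Dict[str, bool]) -> List[str]:
    """entries maps a /usr/lib name to is_directory; libc.so.* must be files, Umbreon creates a directory."""
    return sorted(n for n, is_dir in entries.items() if n.startswith("libc.so.") and is_dir)


def suspicious_share_files(names: List[str]) -> List[str]:
    """/usr/share should not contain libc.so.<random>.<arch>.*.so shared objects."""
    return sorted(n for n in names if SHARE_LIBC_RE.match(n))


def loader_references_preload(loader_bytes: bytes) -> bool:
    """True if the loader binary still contains the standard preload path string."""
    return PRELOAD_PATH in loader_bytes


def assess(etc_names: List[str], usrlib_entries: Dict[str, bool],
           share_names: List[str], loader_bytes: bytes) -> List[str]:
    """Combine the checks into human-readable findings (an empty list means nothing was found)."""
    findings = []
    for n in suspicious_etc_entries(etc_names):
        findings.append(f"unexpected /etc/{n} (possible replacement preload list)")
    for n in suspicious_usrlib_dirs(usrlib_entries):
        findings.append(f"/usr/lib/{n} is a directory, not a shared object")
    for n in suspicious_share_files(share_names):
        findings.append(f"unexpected shared object /usr/share/{n}")
    if not loader_references_preload(loader_bytes):
        findings.append("dynamic loader does not reference /etc/ld.so.preload")
    return findings


def scan_live_system(root: str = "/") -> List[str]:
    """Run the checks against a mounted filesystem; pass the mount point when working from a Live CD."""
    def listing(rel: str) -> List[str]:
        d = os.path.join(root, rel)
        return os.listdir(d) if os.path.isdir(d) else []

    usrlib = {n: os.path.isdir(os.path.join(root, "usr/lib", n)) for n in listing("usr/lib")}
    # If no loader is found, treat it as unmodified so only the filesystem checks report.
    loader_bytes = PRELOAD_PATH
    for cand in LOADER_CANDIDATES:
        p = os.path.join(root, cand.lstrip("/"))
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                loader_bytes = fh.read()
            break
    return assess(listing("etc"), usrlib, listing("usr/share"), loader_bytes)


if __name__ == "__main__":
    for finding in scan_live_system() or ["no Umbreon traces found"]:
        print(finding)
```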
Virus can hijack a webcam and then blackmail the victim with compromising footage
6.9.2016 Novinky/Bezpečnost Viruses
The first malware that can abuse the webcam on a computer monitor or notebook and take sensitive or compromising footage of its user, so that the attacker can then blackmail them, has been discovered by the Israeli security company Diskin Advanced Technologies (DAT).
According to Gartner analyst Avivah Litan, it is a Trojan named Delilah, which spreads through websites with pornographic content and gaming sites. It is not yet entirely clear, however, whether the attackers exploit technical or software vulnerabilities of the victims.
Many people cover their webcams with opaque tape.
Delilah is a very sophisticated piece of malware that requires a high level of involvement from human operators in order to select the most suitable "candidates" for an attack. "It is malware that connects to the victim's webcam so that they can be filmed without their knowledge. After installation it collects a large amount of personal information, so that it can later blackmail or manipulate the computer's user. Information about the victim's family or workplace is also in play," warns Avivah Litan. The blackmailed victim may then, on the attacker's orders, carry out activities that harm their employer.
To communicate with the compromised users, the attackers use encrypted channels such as VPN or TOR. According to analyst Avivah Litan, the analyst firm Gartner has registered concerns from a number of its clients who believe that their employees are being blackmailed by these attackers and are acting in their favour.
"The potential for abuse of webcams is really large. Many people, including well-known personalities, therefore cover the webcams on their monitors and laptops with opaque tape. A case widely known from the media is, for example, that of Facebook founder Mark Zuckerberg," says Petr Šnajdr, security expert at ESET. The director of the US federal security service, the FBI, James Comey, also has his webcam taped over; he spoke about it at an April meeting with students of Kenyon College in Ohio. "I saw it in the news, so I copied it," he explained. "I put a piece of tape over the camera of my personal laptop because I saw someone smarter than me doing it."
The technology that can switch on a computer's webcam without lighting the recording indicator has been around for a long time. It is called a Remote Administration Tool (RAT). It is software that can control a system remotely, even without the knowledge of the computer's user. It can then automatically send the recorded video over the internet anywhere in the world.
This website tells you whether your usernames and passwords are in hacked databases
6.9.2016 cnews.cz Hacking
Dropbox has reversed course and admitted that it really was hacked in 2012. It was not just a matter of matching Dropbox accounts with the actually breached LinkedIn, as it still claimed recently. The company confirmed this to Motherboard magazine, adding that the leaked database contained data on 68,680,741 accounts. The attackers got hold of e-mail addresses, but also hashed forms of passwords. Roughly half were protected by the old SHA-1 algorithm, the other half by the more secure bcrypt. All the hashes were reportedly salted, so they had an additional level of protection.
The attackers thus did not get the actual passwords, but at the same time cracking them is not unrealistic. Security expert Troy Hunt verified that the leaked database is genuine. He tested his own and his wife's account against it. He used Hashcat to crack the passwords and reportedly it did not even take very long.
Troy Hunt, incidentally, runs the useful website haveibeenpwned.com, where anyone can check whether their username or password has ever appeared in similar hacker hauls. It currently lists almost 1.4 billion accounts from 130 sites. MySpace "leads" with 359 million affected accounts, followed by LinkedIn (164 million) and Adobe (152 million). The Dropbox database is the sixth largest.
Can you trust the site? Probably yes. Troy Hunt is a publicly known figure and a Microsoft employee. Moreover, you do not enter passwords into his search engine, only e-mail addresses or usernames. These can of course be abused for sending spam, but Hunt does not sell the data and the attackers already know these details from the breached accounts anyway. Just beware, the search engine is often unavailable and shows you the error "Oh no - catastrophic failure!" There is nothing to do but wait.
The Last.fm leak was bigger than it seemed. Time to change passwords again
6.9.2016 Lupa Hacking
It looks like when it comes to security, you cannot trust anyone. And if they claim that almost nothing happened, it almost always actually means a colossal mess.
In 2012, 43 million passwords leaked from Last.fm, but just how big and dangerous the leak was we are only learning now, when all the e-mails and the passwords belonging to them are available.
Last.fm disclosed the problem years ago, but the announcement was traditionally concerned mainly with downplaying it and sweeping it under the carpet. Moreover, it turned out that the passwords are plain MD5, so they can be cracked without any trouble. Which in practice means that Leaked Source, mentioned below, obtained all the passwords with two hours of work.
TIP: So once again, your password is compromised and it is time to check it via www.haveibeenpwned.com and www.leakedsource.com. And do not forget that the leak (also from 2012) from Dropbox is also public and similarly large.
Traditionally, people in 2012 were still using the same chronically well-known passwords. If you look at the ten most used, you will find the same as in other leaks: popular numeric combinations, the password "password", but also an example of the perverse logic of people who use the name of the service, or a word directly related to the service ("music"), as their password.
Password      Number of uses
123456        255,319
password       92,652
lastfm         66,857
123456789      63,984
qwerty         46,201
abc123         36,367
abcdefg        34,050
12345          33,785
1234           30,938
music          27,975
The leaked Last.fm user database moreover contains not only e-mails and MD5 password hashes, but also usernames, account creation dates and advertising-related data. The database holds 43,570,999 accounts. If you are interested in a further ranking, stop by Leaked Source.
Most of the e-mails come from @hotmail.com (9.3 million), closely followed by Gmail (8.3 million). There are 70,697 accounts from Seznam.cz.
Leak of 68 million Dropbox passwords in 2012 confirmed
6.9.2016 Lupa Hacking
If you still are not taking the e-mail from Dropbox about the need to change your password seriously, you should. The passwords from 2012 really did leak.
In the leak (hack) of Dropbox passwords it is possible to obtain information on a total of 68,680,741 accounts. The passwords themselves are not in readable form, and although bcrypt is used for many of them, that does not mean you can rely on nobody cracking your ancient password.
The authenticity of the passwords is also confirmed by Troy Hunt, who found in the data both his own old password from 2012 and the password to his wife's account. Besides the bcrypt passwords, however, a number of passwords are only SHA1, which matches the fact that at roughly the time of the leak Dropbox was switching to the substantially more secure bcrypt. It was also abandoning the original unsalted SHA1 form; the new bcrypt storage is salted (some sources, however, state that the SHA1 is salted too).
Dropbox reacted to the leaked database becoming available by sending, over the past week, a notice to all accounts that may be affected that they must set a new password, and it invalidated their old one. So if you received such an e-mail, you are among those whose password leaked. If you do not believe it, you can verify it the classic way via www.haveibeenpwned.com or www.leakedsource.com.
Back in 2012 Dropbox did the right thing: it announced the data leak and, already then, reset the password for users it suspected were affected. Unfortunately, until today it was not known exactly how many passwords the attackers (or attacker) had managed to obtain.
What is interesting about the leak is that it is said to have been caused by a fairly basic security mistake by one of Dropbox's employees at the time: he used the same password in multiple places and the attackers managed to get hold of it. And then they somehow got to the data mentioned above. A good lesson follows from this: the passwords people use "at work" should be fundamentally different from those they use "on the internet". One can only hope that companies like Dropbox can keep an eye on this; after all, technical solutions in the form of password managers for companies and teams could help with this more than adequately.
TIP: If you use Dropbox yourself and store anything there other than random trivia, it is good to know that it has offered two-factor authentication for quite some time and it is very easy to set up; you can generate the necessary codes via Google Authenticator, for example.
LinkedIn password the same as for the Dropbox account
The Dropbox hack itself apparently did not happen in such a way that the attackers got directly into Dropbox's systems; the whole thing looks like yet another neglect of the rules, namely storing data somewhere it should not be stored. But Dropbox already admitted that in 2012, when it stated in its announcement of the hack that the attacker had essentially managed to get into a Dropbox account where a company employee had stored data related to a project, quite possibly precisely the "migration from SHA1 to bcrypt" project.
The only blemish on the 2012 announcement was that Dropbox probably did downplay the problem a little after all. At the time it claimed that it was really a leak of customer e-mails that could lead at most to spam. That passwords had leaked too, they somehow mildly forgot to mention at the time. Moreover, in 2012 nobody expected that it could involve so many accounts (60 million accounts meant roughly 60% of all the users Dropbox had in 2012).
Even more absurd is that the attackers obtained the Dropbox employee's LinkedIn password, which was identical to his Dropbox password. And they got to the LinkedIn account because it appeared in the leak of passwords there. So it is a similar problem to the recent hacking of a number of Twitter accounts. Quite a few fairly prominent people were affected, including Mark Zuckerberg.
This Malware Can Transfer Data via USB Emissions from Air-Gapped Computers
6.9.2016 thehackernews Virus
Air-gapped computers that are isolated from the Internet or other networks and believed to be the most secure computers on the planet have become a regular target in recent years.
A team of researchers from Ben-Gurion University in Israel has discovered a way to extract sensitive information from air-gapped computers – this time using radio frequency transmissions from USB connectors without any need of specialized hardware mounted on the USB.
Dubbed USBee, the attack is a significant improvement over the NSA-made USB exfiltrator called CottonMouth that was mentioned in a document leaked by former NSA employee Edward Snowden.
Unlike CottonMouth, USBee doesn't require an attacker to smuggle a modified USB device into the facility housing the air-gapped computer being targeted; rather the technique turns USB devices already inside the facility into an RF transmitter with no hardware modification required.
Moreover, USBee does not involve any implant in USB firmware and drivers to execute the attack.
"We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle," researchers wrote in a research paper published Monday. "Unlike other methods, our method doesn't require any [RF] transmitting hardware since it uses the USB's internal data bus."
The researchers stress that the USBee attack method is based solely on software, though certain conditions have to be met for it to work. They are:
The protected computer must be infected with the malware, most probably, with the help of an insider.
Any USB device must be plugged into that infected air-gapped computer.
The attacker has to be near the compromised device, usually at maximum 3-5 meters.
USBee turns the targeted computer's USB ports into mini Radio Frequency (RF) transmitters by modulating the data fed at high-speed to plugged-in devices.
USBee will then send a string of '0' bits to a USB port in such a way that makes the device generate detectable emissions between 240MHz and 480MHz frequencies, according to Mordechai Guri, one of the researchers.
Now, by writing sequences of '0' and '1', attackers can generate a carrier wave from the rapid voltage changes and then use binary frequency shift keying (B-FSK) to encode useful data.
Since the attack is meant to steal binary data, attackers wouldn’t be able to steal any large files, but could get their hands on keys, passwords, and other small bits of sensitive data stored on the targeted computer.
USBee transmits data at about 80 bytes per second, which is fast enough to steal a 4096-bit decryption key in less than 10 seconds.
The USBee malware offers ranges of around 9 feet when data is beamed over a USB thumb drive to 26 feet when the USB device uses a short cable that acts as a transmitting antenna.
The researchers' attack method sounds really impressive, but it is still a theoretical attack, though one that could be deployed effectively in real-world scenarios.
It's not the first time the researchers at Ben-Gurion have come up with a technique to target air-gapped computers. Their previous research on hacking air-gapped computers includes:
DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;
BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes;
Fansmitter technique that uses noise emitted by a computer fan to transmit data; and
GSMem attack that relies on cellular frequencies.
You can watch a short video of the recent attack given above, while more details can be found in the paper [PDF] titled, 'USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB.'