Creators of SpyEye Virus Sentenced to 24 Years in Prison
21.4.2016 Virus
Two International hackers, Aleksandr Andreevich Panin and Hamza Bendelladj, have been sentenced to a combined 24 years and 6 months in prison for their roles in developing and distributing SpyEye banking trojan, a powerful botnet similar to the infamous ZeuS malware.
Both hackers were charged with stealing hundreds of millions of dollars from banking institutions worldwide.
Masterminds behind the development and distribution of the infamous "SpyEye" botnet have finally been sentenced to a combined total of 24 years and 6 months in prison.
Aleksandr Andreevich Panin and Hamza Bendelladj have been sentenced for their roles in developing and distributing SpyEye malware that is said to have caused hundreds of millions of dollars in losses to the financial sector, the U.S. Justice Department said on Wednesday.
SpyEye, a successor to the notorious Zeus banking malware, has affected financial institutions since 2009.
Once infected, the malware connects to the command-and-control servers controlled by attackers and steals the victim's personal and financial information, like online banking credentials and credit card information using keyloggers and Web injection.
Panin, a 27-year-old Russian programmer also known by the aliases 'Gribodemon' and 'Harderman,' was sentenced by the court to nine years, six months in prison for developing SpyEye as a successor to Zeus.
In 2010, Panin allegedly received the source code and rights to sell Zeus from Evginy Bogachev, aka Slavik, and incorporated many components of it into SpyEye. Bogachev, who is currently the FBI's most wanted hacker, remains at large.
Panin's associate Bendelladj, a 27-year-old Algerian national also known by the hacker alias as 'Bx1' and 'Happy Hacker,' who hacked 217 banks, donated more than $280 Million to Palestinian charities. He got a sentence of 15-year in prison for marketing and advertising the SpyEye malware on various online forums.
Bendelladj sold versions of SpyEye to almost 150 clients for prices ranging from $1,000 to $8,500 and one of his customers, 'Soldier,' had reported having made over $3.2 Million in just six months using the virus.
The Department of Justice (DoJ) has described SpyEye as a "preeminent malware banking Trojan," which was used to infect over 50 million computers worldwide from 2010 to 2012, causing nearly $1 Billion in financial losses to individuals and financial institutions globally.
Bendelladj was arrested in Thailand in January 2013 and extradited to the United States at the same year while Panin was detained in July 2013 while he was flying through Hartsfield-Jackson Atlanta International Airport.
RansomWhere, the free ransomware detection tool for Mac OS X
21.4.2016 Virus
The former NSA expert Patrick Wardle has designed RansomWhere, a free ransomware detection tool for the protection of Mac OS X systems.
The number of Ransomware-based attacks has risen in a dramatic way, every week the criminal underground community is presenting new threats with improved features that are causing significant economic losses to every industry.
Everyday security experts are detecting thousands of new ransomware samples, it is necessary a multi-layered approach to protect the systems from emerging threats. The traditional signature-based approach implemented by many antivirus solutions in many cases are not effective against a ransomware that rapidly changes.
Many antivirus vendors are improving their products by implementing behavior-based malware detection system, these solutions monitor for suspicious activities like the access to a large number of files, the use of encryption libraries, encrypting activities implemented by untrusted processes.
Now Mac users have a new defensive tool in their arsenal, it is a free generic ransomware detection tool dubbed RansomWhere.
RansomWhere
The tool implements a behavior-based malware detection system specifically designed for ransomware, this means that it continuously monitors the file system for the creation of encrypted files by suspicious processes. The tool was developed by Patrick Wardle, a former NSA expert who now leads a research team at the Synack security firm.
“RansomWhere? detects and blocks ransomware by detecting untrusted processes that are rapidly creating encrypted files. This is inherently reactive; and as such, the ransomware will likely encrypt a few files (ideally only two or three), before being detected and blocked. ” Wardle explained in a blog post.
The RansomWhere tool allows users to rapidly block the processes that are performing suspicious activities, then users have to decide the action to do to protect their system.
The tool works on the concept of “Trust,” it scans Mac apps and binaries that are signed with an Apple Developer ID and not by official Apple certificates.
The expert highlighted that the tool is not effective if ransomware abuses a signed Apple binary. Another limitation is that the tool inherently trusts applications that are already present on the system when it is installed, this means that is the system is already infected the malware could be not detected.
The expert demonstrated the efficiency of the RansomWhere against a number of threats, including the KeRanger and Gopher which is a proof-of-concept ransomware developed by Pedro Vilaca, last year.
The last limitation of the tool is that isn’t able to monitor activities on documents outside the user’s home directory, this means that sophisticated ransomware could move all the files outside the home directory and encrypt them.
Wardle highlighted the limitations of the tool explaining how it could be circumvented by attackers. The hacker Vilaca has already improved its PoC ransomware Gopher in order to deceive the monitoring operated by the RansomWhere tool.
Pirátský program napadl desítky tisíc počítačů, hacker dostal 9,5 roku vězení
21.4.2016 Kriminalita
K devíti a půl roku vězení odsoudil ve středu soud v americké Atlantě ruského hackera Alexandra Panina, který vytvořil a rozšiřoval program pro vykrádání bankovních účtů. Sedmadvacetiletý zločinec se k činu přiznal v rámci dohody s vyšetřovateli. Jeho software podle odhadu způsobil škody za miliardu dolarů.
Hacker Alexander Panin
Paninův pirátský program zvaný SpyEye podle americké policie napadl až 50 000 počítačů. Program byl na prodej v kriminálních komunitních sítích po celém světě za částky od 500 do 10 000 dolarů (až 240 000 korun). Koupilo si ho podle americké FBI nejméně 150 zákazníků.
Panin byl dopaden díky agentům FBI, kteří se vydávali za hackery a program zakoupili. Rus byl zatčen v lednu 2013 na atlantském mezinárodním letišti.
Google is a ‘Partially Dangerous’ Website … According to Google
21.4.2016 Safety
According to Google, Google is a ‘partially dangerous’ website because some pages on google.com contain deceptive content.
According to Google’s online transparency report, Google’s main search engine is a “partially dangerous” website. The company has advised that people should exercise caution when using it. The search engine could attempt to steal the personal information of its users or install malware on their computers.
The transparency report details how safe and private websites are and exposes those that are deemed potentially dangerous. In an awkward turn of events, that now includes Google itself, which apparently contains pages that have “deceptive content.”
Some pages on the domain reportedly install malware, steal personal information from their users and redirect users to other suspicious websites.
“Google is a “partially dangerous” website and people should be careful when using it, Google has warned. The site’s main search engine could try and steal the personal information of its users or install malware on their computers, according to Google’s unusually frank assessment of itself.” states the Independent.
“The warning comes as part of Google’s own online transparency report, which lists reports on how private and safe websites are – and calls out those that are potentially dangerous.”
google flash ad html5
“Users sometimes post bad content on websites that are normally safe,” a warning that shows on every potentially dangerous website reads. “Safe Browsing will update the safety status once the webmaster has cleaned up the bad content.” continues The Independent.
The company advises affected websites to head to its “Webmasters Help for Hacked Sites” page. That details the ways that Google can clean itself up, at which point it can ask for its status to be reviewed – by itself.”
A new strain of Teslacrypt implements sophisticated evasion
21.4.2016 Virus
The authors of the TeslaCrypt ransomware have improved it by implementing new sophisticated evasion techniques and targeting new file types.
The authors of the TeslaCrypt ransomware have introduced a couple of significant improvements, the new variant Version 4.1 has been in circulation for about a week. According to the experts at Endgame Inc., VXers have invested heavily in obfuscation and evasion techniques, and the malicious code can also encrypt new file extensions (.7z; .apk; .asset; .avi; .bak; .bik; .bsa; .csv; .d3dbsp; .das; .forge; .iwi; .lbf; .litemod; .litesql; .ltx; .m4a; .mp4; .rar; .re4; .sav; .slm; .sql; .tiff; .upk; .wma; .wmv; and .wallet).
“As our latest research on TeslaCrypt demonstrates, ransomware not only is becoming more widespread, but it is also becoming more sophisticated and adaptable. TeslaCrypt 4.1A is only a week old and contains an even greater variety of stealth and obfuscation techniques than its previous variants, the earliest of which is just over a year old.” states a report published by Endgame Inc.
The ransomware also targets backup files by deleting the Volume Shadow Copy, the new strain uses AES 256 for file encryption.
Like its predecessors, this new strain of Teslacrypt is spread as attachments of spam campaigns purporting to be shipping delivery notifications.
When the victims open the malicious .zip file sent as the attachment, a JavaScript downloader using Wscript is executed in order to download the TeslaCrypt ransomware from greetingsyoungqq[.]com/80.exe.
The Teslacrypt 4.1A ransomware also uses COM objects and deletes zone identifiers to evade the detection.
The ransomware also implements an anti-monitoring feature that terminates several Windows processes, including the Task Manager; Registry Editor; Command Shell, SysInternals Process Explorer and System Configuration.
This variant of TeslaCrypt maintains the persistence by making a copy of itself to the disk and creating a registry entry that points to the copy.
The ransomware attacks are the headlines in this first part of the year, and the situation is worsening.
“Only four months into 2016, as our timeline demonstrates, this may very well be the year of the ransomware attack. These kinds of opportunistic attacks can be very lucrative and sophisticated, and should increasingly be on the radar of both high-value organizations as well as individuals. ” close the post
Researcher releases Free Ransomware Detection Tool for Mac OS X Users
20.4.2015 Virus
Introducing RansomWhere, a free generic ransomware detection tool for Mac OS X users that can identify ransomware-like behavior by continually monitoring the file-system for the creation of encrypted files by suspicious processes.
This ransomware detection tool helps to block the suspicious processes and waits for the user to decide whether to allow or stop the process.
Ransomware has risen dramatically since last few years... so rapidly that it might have already hit someone you know.
With hundred of thousands of ransomware samples emerging every day, it is quite difficult for traditional signature-based antivirus products to keep their signature database up-to-date.
So, if signature-based techniques are not enough to detect ransomware infection, then what else can we do?
Some Antivirus companies have already upgraded their security solutions that detect suspicious behaviors like the sequential accessing of a large number of files, using encryption algorithms and key exchange mechanisms.
Here’s the latest ransomware detection tool for Mac OS X users:
RansomWhere? – a smart application that can identify ransomware-like behavior by detecting untrusted processes rapidly encrypting files, stop that suspicious process, and then alert the user.
How RansomWhere tool works
Patrick Wardle, a former NSA staffer who now leads research at bug hunting outfit Synack, has developed the RansomWhere tool, which aims at detecting and blocking generic ransomware on Mac OS X by regularly monitoring the user's local filesystem for the creation of encrypted files by any process.
"The ransomware will likely encrypt a few files (ideally only two or three), before being detected and blocked," Wardle wrote in a blog post.
This ransomware detection tool, by default, scans Mac apps and binaries that are signed with an Apple Developer ID and not by official Apple certificates.
If the tool detects any untrusted process, it suspends the suspicious process and alerts the user by showing a pop-up asking user to continue or terminate the process in question.
Wardle successfully tested RansomWhere against KeRanger as well as Gopher ransomware proof-of-concept, which was developed by a pro-Apple Mac hacker, Pedro Vilaca, last year.
Also Read: How Just Opening an MS Word Doc Can Hijack Every File On Your System.
Though Wardle admitted that his tool does not guarantee 100 percent result and that it could be circumvented by malicious hackers who can discover a way to bypass RansomWhere and avoid detection, it is always better to be somewhat safer than completely vulnerable.
Some known Limitations of RansomWhere tool?:
RansomWhere would not be able to help if any Ransomware malware abuses Apple-signed file or app.
RansomWhere detects ransomware infections after they have already encrypted some of your important files.
Files outside of your home directory are not protected by RansomWhere. So sophisticated ransomware could shift all your files outside home directory and lock them up.
Since hackers are always a step ahead of researchers, the RansomWhere tool has already been bypassed. Vilaca had tweaked his Gopher ransomware to bypass RansomWhere in a matter of minutes.
As mentioned in the limitations, Vilaca added just ten lines of code in its ransomware proof-of-concept to take the victim's files outside of the home directory and lock them up. You can watch the video above showing his hack.
China wants Apple's Source Code, but the Company Refused
20.4.2016 Safety
Apple's head of legal has denied all rumors about providing its complete source code or any backdoor to the Chinese government.
Apple officially confirmed that the Chinese government has asked Apple twice in the past two years to hand over the source code for its operating system, but the company refused in both the cases.
In a Tuesday hearing entitled "Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives," the police officials put allegations on Apple for handing over user data to Beijing while refusing the authorities at its home in the US.
However, speaking under oath at the congressional hearing, Apple's General Counsel Bruce Sewell denied the claims, saying "We have been asked by the Chinese government" for the source code behind the iPhone. But, "we refused."
The response came just after Indiana State Police Captain Charles Cohen accused Apple of providing its source code to China.
Neither Captain Cohen presented any evidence of his allegation, nor he claimed to know whether this was accurate. Instead, he cited media reports to prove his point.
"I saw several news stories that said Apple provided the source code for the iOS [operating system for iPhone and iPads] to China," Cohen said without pinpointing the publications.
The allegations on Apple have continued due to the company's refusal to help the Federal Bureau of Investigation (FBI) gain access to the iPhone used by the San Bernardino shooter Syed Farook.
The law enforcement officials have started accusing Apple of handing over its users information to the Chinese government for business purpose while refusing to cooperate with U.S. authorities for access to private data in criminal and terror investigation.
However, Apple's Swell apparently said: "We have not provided source code to the Chinese government. We did not have a key 19 months ago that we threw away. Those allegations are without merit."
On one hand where authorities want Apple to provide them access to valuable data in serious crimes, like terror, deaths, and rapes. On the contrary, technical experts argue that if the company creates a hole in its security, it will open all its customers to not just the government but also the potential hackers.
However, when it comes to complying with government request in serious crimes, Apple has provided data in 80 percent of cases originating from law enforcement in North America and 66 percent from China.
It was previously reported that in the wake of its legal battle with the US Department of Justice, Apple was working on encrypting iCloud backups that only the account owner would have access.
However, Mr. Sewell denied the reports, saying the company had made no such announcements about iCloud encryption plans. Moreover, such moves would further frustrate law enforcement agencies, who now can obtain iCloud data with a court warrant.
Anonymous presented OnionIRC, a chat service in the Dark Web
20.4.2016 Hacking
Anonymous announced OnionIRC, a new chatroom in the DarkWeb dedicated to teaching hacking and coding techniques and encryption mechanisms.
Anonymous, the most popular collective of hacktivists, has announced a new chatroom in the DarkWeb dedicated to teaching its sympathizers hacking and coding techniques and encryption mechanisms.
Anonymous used one of its Twitter accounts to spread the news, the chat service, named as OnionIRCm is hosted on the TorNetwork. Anyone that wants to get in touch with Anonymous members could access it.
Anonymous also published a video on YouTube announcing the chatroom and the service it offers.
In a video posted online, the group outlined the intentions of the chatroom.
“The OnionIRC is designed to allow for full anonymity and we welcome all to use it as a hub for all Anonymous operations, general free speech or any project or group concerned about privacy and looking to build a strong community,” stated the computerised voice now typical of Anonymous video messages.
“We also intend to strengthen our ranks and arm the current and coming generations of internet activists with education. Our plan is to provide classrooms where, on a scheduled basis, ‘teachers’ can give lessons on any number of subjects. This includes but is not limited to: security culture, various hacking tutorials, history lessons and promoting how to properly utilise encryption and anonymity software.”
The colleagues at HackRead first reported the Anonymous OnionIRC service and verified that it is still a project in its infancy that needs to be improved, and that has even scanty following.
“Just a few hours later, we checked the new service from Anonymous and to our amusement, there were only 20 people present in the room and out of the 20 just 3 to 4 users had an idea about the new service or even Anon ops. So uninformed were these clueless users in the chat room that they were learning about newly heard terms such as hacking.” states HackRead.
“The organizer, however, tried his best to teach them as comprehensively as possible. The organizer, appearing in the chat room as “Butts,” stated in an open chat session this Tuesday that:
“I wouldn’t expect there to be any planned lessons taught for a bit here.Things are just starting off and we want to see how things go for a bit, hopefully, build a bit of a user base, and then we’ll kick it off with some awesome in-house presentations.””
Internet users that want to access it can follow the procedere available on this link, it is very easy to access, users just need the IRC Client Hexchat and the Tor Browser.
Generic Ransomware Detection Comes to OS X
20.4.2016 Virus
With each new unrelenting ransomware sample, security researchers understand that no matter how quickly antivirus signatures are updated or how rapidly decryptors are built and shared, current defenses will continue to fall short. The problem is that most adequate defenses are sample-specific; Kaspersky Lab has built ransomware decryptors for CoinVault and Bitcryptor, and Cisco has a similar tool to unlock some TeslaCrypt infections, just to name two. Related Posts BlackBerry CEO Defends Lawful Access Principles, Supports Phone Hack April 19, 2016 , 4:55 pm Apple and FBI Faceoff at House Encryption Hearing April 19, 2016 , 4:12 pm 3.2 Million Servers Vulnerable to JBoss Attack April 18, 2016 , 2:11 pm Generic defense mechanisms are few and far between. Easy Sync Solutions’ CryptoMonitor, which was acquired in January by Malwarebytes, for example, detects and blocks numerous samples on the Windows side before they’re able to execute and begin encrypting files. On the OS X side there are admittedly few ransomware attacks, and even fewer generic detection mechanisms. Researcher Patrick Wardle, director of researcher at Synack and a known OS X hacker, today released his own generic OS X ransomware detector called RansomWhere? The utility monitors home directories on OS X machines for untrusted processes that are encrypting files. The user is presented with an alert while RansomWhere? blocks the process and waits for the user to decide whether to allow or terminate the process. “I saw that existing approaches aren’t working,” Wardle said “Antivirus has its shortcomings. KeRanger was signed with a legitimate Apple developer ID certificate that passed it off as a legitimate application. Gatekeeper is not going to block that. You’ve got to think outside the box and take an approach that is not specimen specific.” KeRanger surfaced last month and was quickly labeled the first functional OS X ransomware sample by researchers at Palo Alto Networks. KeRanger saddled itself aboard a Trojanized version of the Transmission BitTorrent client in an attempt to infect Mac users. The fact that it was signed with a real Apple cert gave it legitimacy and allowed it to slip native OS X protections. But the ransomware shot itself in the foot by including a three-day period during which it lay dormant. This gave researchers a window to inform Apple and Transmission to block the certificate and remove the malware from client downloads. “Ransomware is a great way for criminals to make a ton of money,” Wardle said. “If you hack a computer and get credit card numbers, most have no idea what to do with that [stolen] data. You have to approach someone to get money out of those credit cards. “Now, you can write ransomware, and maybe crack a version of an app, put it up on Pirate Bay, and get a ton of infections and send me ransoms in Bitcoin. That’s what’s driving this; it’s easy money and kinda crazy.” Wardle explains that his utility flags behavior as ransomware by first going through a number of checks, for example making a determination whether to trust a running process. Processes signed by Apple, or those approved by the user, are trusted, for example. It then monitors the behavior of untrusted processes to determine if new files that are created or modified are encrypted. If said processes create encrypted files quickly, the utility generates an alert that suspends the process and asks the user how to proceed. Wardle acknowledges that his 1.0 of version of the RansomWhere? utility has its limitations, and that the tool can be bypassed. Detection, he said, is reactive and the user is likely to lose a few files before an alert is generated and the offending process is suspended. The utility also will trust binaries signed by Apple and will not detect infections via injections into a signed binary. Wardle has published full technical details of how the utility detects ransomware and handles running processes. In the meantime, Wardle said he isn’t done. Future iterations of RansomWhere? would ideally monitor all files on an OS X machine, not just user directories. He’d also like to push detection into the kernel and afford more protection at that level. “This is the first tool where timing is paramount,” Wardle said.
Multigrain PoS malware exfiltrates stolen card data over DNS
20.4.2016 Virus
FireEye has discovered a new strain of POS malware dubbed Multigrain that steals card data from point-of-sale systems and exfiltrates it over DNS.
Security experts at FireEye have spotted a new strain of the NewPosThings PoS malware, dubbed Multigrain, that steals payment card data from point-of-sale (PoS) systems and exfiltrate it via DNS to avoid detection.
The technique is very effective because DNS traffic isn’t filtered by target organizations making hard the detection for the data exfiltration.
The VXers knows very well that sysadmins never inspect deeply the DNS packets, this exfiltration technique is unusual for this malware family, in the past a few malicious code implemented it (i.e. BernhardPOS and FrameworkPOS).
The experts at FireEye highlighted that administrators in sensitive environments that process payment card data will often monitor the HTTP or FTP traffic in order to detect data exfiltration activity. Organizations never block DNS service in order to resolve hostnames, they always trust this kind of traffic.
“FireEye recently discovered a new variant of a point of sale (POS) malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from NewPosThings.” states FireEye in a blog post. “The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. The addition of DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.”
The Multigrain infection is triggered by checking the multi.exe back-end PoS process, only if it is running on the machine the attack goes on.
Once Multigrain infects the PoS, it uses a crafted DNS query to inform the C&C server of a successful installation, then he starts scraping the memory of the PoS systems searching for payment card data (e.g. account number, expiry date and card security number).
“The malware collects the volume serial number and part of the MAC address and creates a hash of the concatenated value using the DJB2 hashing algorithm. The resulting hash is then combined with the computer name and a version number and all three components are then encoded with a custom Base32 encoding algorithm. The malware then makes a DNS query with this information to a hardcoded domain, notifying the attacker of a successful installation.” continues FireEye.
The report published by FireEye highlights the similarities to between the Multigrain and the NewPosThings codes. Among the similarities the memory-scraping mechanism and the DJB2 hashing algorithm that identifies the target machine.
“The malware collects the volume serial number and part of the MAC address and creates a hash of the concatenated value using the DJB2 hashing algorithm. The resulting hash is then combined with the computer name and a version number and all three components are then encoded with a custom Base32 encoding algorithm. The malware then makes a DNS query with this information to a hardcoded domain, notifying the attacker of a successful installation.” continues FireEye.
The report published by FireEye highlights the similarities between the Multigrain and the NewPosThings codes. Among the similarities the memory-scraping mechanism and the DJB2 hashing algorithm that identifies the target machine.
Viber adds End-to-End Encryption and PIN protected Hidden Chats features
20.4.2016 Security
Viber, the popular mobile messaging app announced Tuesday that it has added full end-to-end encryption for video, voice and text message services for its millions of users.
Here, the end-to-end encryption means only you and the person you are communicating with can read the content, and nobody in between, not even the company and if court orders company to provide user data, they will get only the heaps of encrypted data.
Viber is the latest messaging platform to join WhatsApp, Telegram, and Apple iMessage, who strengthened their default privacy features in recent times.
Founded in 2010 and acquired by Japanese e-commerce titan Rakuten for $900 Million in 2014, Viber is currently being used by more than 700 Million users globally across Android, iOS, Windows Phone, and desktop, the company claimed in a blog post published today.
The move comes just a couple of weeks after Facebook-owned Whatsapp messaging app implemented full end-to-end encryption by default for its one billion users.
Also Read: Cryptocat offers end-to-end encryption For Facebook Messenger.
Besides offering end-to-end encryption on all communication, the company will also provide a new PIN-protected hidden chat feature to help its users hide conversations from the main chat list, as well as Contact Authentication feature to verify contacts you're talking to.
All users need to update their app with the latest version of the company's software, Viber 6.0, take advantage of the features.
Once installed, your Viber app will now show you a padlock in conversations to confirm that your one-to-one and group messages are end-to-end encrypted.
Recommended Read: The Best Way to Send and Receive End-to-End Encrypted Emails.
However, users will probably need to wait few weeks before everyone's app updates to add the new end-to-end encryption on Android and iOS.
In the wake of Apple’s months-long battle with the Federal Bureau of Investigation (FBI) over an iPhone used by a San Bernardino terrorist, it seems like end-to-end encryption has become a trend and you’ll continue to see this in more applications and services.
“Restricted” NATO manual accidentally leaked to boat operators
20.4.2016 Security
Incredible, secret plans for NATO exercise Joint Warrior 161 were accidentally sent to Scottish fishermen and ferry operators emails.
During the First World War, allied forces were able to read a lot of German radio traffic because of codebooks falling into allied hands. Eerily reminiscent of those days, NATO forces recently ran into a similar scenario, however, through their own missteps.
Instead of being retrieved during a state of war and capture, plans for NATO exercise Joint Warrior 161 were accidentally sent to Scottish fishermen and ferry operators emails.
In an age where tensions are rising, justifiably or not, between NATO and Russia, the loss of the information teaches us lessons.
Security personnel needs to be especially concerned when transmitting sensitive information. In the case of Joint Warrior 161, codewords, ciphers, coordinates, and radio frequencies were released. Security experts need to assume there is someone attempting to gain access to sensitive information. Whether that information is security secrets of a country/alliances military or the intellectual property associated with a new product coming to market, there is always someone attempting to get that information.
Despite a Ministry of Defence (MoD) spokesperson claiming there was “no impact to the public, military personnel, or units participating in the exercise”, at what point does one ask if other potential breaches have gone unreported or even undiscovered? Reports show there is an under-reporting of breaches of sensitive information. While we see the major scenarios like the Office of Personnel Management (OPM), Target, or Home Depot, most breaches go unreported because of concerns over company reputation.
NATO microsoft
All personnel of an organization needs to understand they have a part to play in the security of sensitive information – whether military secrets or company intellectual property. Security personnel has a major role in ensuring the culture at an organization understands the procedures and levels of sensitive information that needs to be protected. While humans are our weakest link in the security chain, learning from incidents and regularly reviewing procedures and identifying sensitive information for protection.
Dave Snell, a retired naval officer, is a Security Professional with twenty years of experience working cyber intelligence, project management, and counter-terrorism operations.
Hackers spied on a US Congressman’s communication abusing the SS7 protocol
19.4.2016 Hacking
Security experts eavesdropped and geographic tracked a US Congressman only using his phone number by abusing the SS7 protocol.
Hackers eavesdropped and geographic tracked a US Congressman only using his phone number. Security experts will be no surprised, I wrote many articles on the topic explaining that security flaws in the SS7 protocol could be exploited by an attacker to spy on private phone calls, record them and monitor target’s movements.
In this case, the activity was authorized by the US Representative Ted Lieu in order to demonstrate how much we are vulnerable. The findings were shared by a broadcast Sunday night by 60 Minutes.
Once again the name of the German security expert Karsten Nohl is in the headlines, he is the hacker that was able to record any call made to or from the mobile device used by the US Representative and to track his location in real-time.
“First it’s really creepy,” the US Representative said. “And second it makes me angry. They could hear any call. Pretty much anyone has a cell phone. It could be stock trades you want someone to execute. It could be a call with a bank.”
While SR Labs had permission to carry out the surveillance, there’s nothing stopping malicious hackers from doing the same thing.
Also in this case, the hackers exploited the SS7 protocol, aka Signalling System No. 7.
SS7 is a set of protocols used in telecommunications ever since the late 1970s, enabling smooth transportation of data without any breaches.
Exactly one year ago, Channel Nine’s 60 Minutes has revealed the existence of a security hole in modern telecommunication systems that could be exploited by cyber criminals to listen in on phone conversations and read text messages.
The program explained that Nohl’s team, who is based in Berlin, were able to intercept data and geo-track every mobile user by exploiting a flaw in the SS7 signalling system.
The security issue in the SS7 signaling system could be exploited by criminals, terrorists and intelligence agencies to spy on communications. The SS7 protocol allows cell phone carriers to collect location data related to the user’s device from cell phone towers and share it with other carriers, this means that exploiting the SS7 a carrier is able to discover the position of its customer everywhere he is.
ss7 protocol surveillance
Besides allowing telecommunication companies to query the location of phones on other carriers’ networks, the SS7 protocol allows them to route calls and text messages through a proxy before reaching the legitimate destination. But you know very well that a proxy could allow an attacker to spoof the identity of the victims.
“The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.
The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.” reports The Washington Post.
The SS7 is widely adopted, it is currently used by more than 800 telecommunication companies around the world. The security experts know very well that the SS7 protocol allows sharing individuals’ subscriber data with any other entity implementing the same protocol.
This means that if a hacker is able to access the network is able to access a wealth of subscriber’s information.
The SS7 protocol is also used by telecommunication companies to offer a number of services to various industries. For example, telecommunication companies use the SS7 to offer banks a service that allows them to confirm the presence of a customer’s phone in a specific country to authorize its transaction avoiding fraudulent activities.
“As long as you have SS7 access, it’s extremely easy,” Les Goldsmith, a researcher from security firm ESD explained to Ars. “Any one of the telcos that has a roaming agreement with the target network can access the phone.” Goldsmith presented his study on the SS7 security at the last RSA conference in San Francisco.
The majority of the telecommunication companies intends to replace the SS7 protocol for more secure one, the Diameter, but they will maintain the backward-compatibility with the SS7 continuing to expose mobile users to the risk of hack.
According to 60 Minutes, intelligence agencies like the NSA exploit the SS7 protocol for their surveillance activities.
Lieu sharply criticized US agencies that may have turned a blind eye to such vulnerabilities.
“The people who knew about this flaw should be fired,” he said. “You cannot have 300 and some million Americans, and really the global citizenry, be at risk of having their phone conversations intercepted with a known flaw simply because some intelligence agencies might get some data. That is not acceptable.” said Lieu.
MIT builds Artificial Intelligence system that can detect 85% of Cyber Attacks
19.4.2016 Security
What if we could Predict when a cyber attack is going to occur before it actually happens and prevent it? Isn't it revolutionary idea for Internet Security?
Security researchers at MIT have developed a new Artificial Intelligence-based cyber security platform, called 'AI2,' which has the ability to predict, detect, and stop 85% of Cyber Attacks with high accuracy.
Cyber security is a major challenge in today's world, as government agencies, corporations and individuals have increasingly become victims of cyber attacks that are so rapidly finding new ways to threaten the Internet that it's hard for good guys to keep up with them.
A group of researchers at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) are working with machine-learning startup PatternEx to develop a line of defense against such cyber threats.
The team has already developed an Artificial Intelligence system that can detect 85 percent of attacks by reviewing data from more than 3.6 Billion lines of log files each day and informs anything suspicious.
The new system does not just rely on the artificial intelligence (AI), but also on human input, which researchers call Analyst Intuition (AI), which is why it has been given the name of Artificial Intelligence Squared or AI2.
How Does AI2 Work?
The system first scans the content with unsupervised machine-learning techniques and then, at the end of the day, presents its findings to human analysts.
The human analyst then identifies which events are actual cyber attacks and which aren't. This feedback is then incorporated into the machine learning system of AI2 and is used the next day for analyzing new logs.
It's simple:
"The more data it analyzes, the more accurate it becomes."
In its test, the team demonstrated that AI2 is roughly 3 times better than similar automated cyber attack detection systems used today. It also reduces the number of false positives by a factor of five.
You can also watch the video for a quick overview of the way AI2 works.
According to Nitesh Chawla, computer science professor at Notre Dame University, AI2 "continuously generates new models that it can refine in as little as a few hours, meaning it can improve its detection rates significantly and rapidly. The more attacks the system detects, the more analyst feedback it receives, which, in turn, improves the accuracy of future predictions – that human-machine interaction creates a beautiful, cascading effect."
The team presented their work in a paper titled, AI2: Training a big data machine to defend [PDF], last week at the IEEE International Conference on Big Data Security in New York City.
So, let's see how AI2 helps create The Internet the safer place and how long it will take to be implemented into large-scale security platforms in the near future.
Centrum pro boj s kyberzločinem zprovoznilo O2
19.4.2016 Bezpečnost
Nové centrum kybernetické bezpečnosti, tzv. Security Expert Center (SEC), otevřela ve svém sídle v Praze firma O2. Má firmám i státním organizacím pomocí eliminovat rizika spojená s kybernetickými hrozbami. Novinka podle provozovatelů odpovídá potřebám zákona o kybernetické bezpečnosti závazného pro firmy a státní instituce pracující s citlivými daty.
Služby SEC umožňují podle provozovatele identifikovat klíčová aktiva společnosti (např. informační aktiva, lidské zdroje, procesy nebo systémy) a nastavit vhodný model jejich ochrany.
SEC vykonává bezpečnostní dohled, který umožní identifikovat zranitelnost IT infrastruktury. Potenciální kybernetické hrozby rozpozná SEC na základě anomálií chování jednotlivých infrastrukturních prvků. Služba zároveň zajišťuje komplexní nasazení bezpečnostních nástrojů, dohledových zařízení a ochrany včetně průběžného reportingu, analýz a návrhů nápravných opatření.
Službu si lze objednat jako jednorázovou nebo dlouhodobou. Na základě požadavků a potřeb zákazníka je možné implementovat celé řešení, nebo jen některou z částí, která je pro zákazníka kritická.
Jen v loňském roce podle O2 kybernetické útoky způsobily evropským firmám ztráty ve výši 62 miliard dolarů. Průměrný kybernetický útok přitom stojí firmu asi 1,2 procenta jejich příjmů.
Podle Jiřího Sedláka, ředitele SEC v O2 ITS, mají firmy a organizace často nasazené nástroje, vypracované postupy a bezpečnostní politiky, ale přesto účinnost ochrany nenaplňuje jejich představy. Důvodů je mnoho - od chybně nastavených cílů, nesprávné architektury, špatné implementace, chybějících zdrojů a know-how až po chybné časování nebo neschopnost kontrolovat a vymáhat tato opatření.
Google makes it mandatory for Chrome Apps to tell Users what Data they collect
19.4.2016 Security
Chrome apps and extensions make things easier, but they can also do terrible things like spy on web users and collect their personal data.
But, now Google has updated its browser’s User Data Policy requiring all Chrome extension and app developers to disclose what data they collect.
Furthermore, developers are prohibited from collecting unnecessary browsing data and must also use encryption when handling sensitive information from users.
Around 40 percent of all Google Chrome users have some kind of browser extensions, plugins or add-ons installed, but how safe are they?
The company plans to enforce developers starting this summer, to "ensure transparent use of the data in a way that is consistent with the wishes and expectations of users."
Google is making its Chrome Web Store safer for its users by forcing developers to disclose how they handle customers' data.
Google’s new User Data Policy will now force app developers, who use the Chrome Web Store to distribute their products, to be more transparent about their data collection practices.
In other words, the company wants its Chrome users to know what's happening when they use third-party apps and services that rely on its browser.
Also Read: Adware Companies buying popular Chrome extensions to inject Ads and Malware
According to Google, "Protecting our users is our key priority, and we believe this change will make sure users are better informed and allow them to choose how their user data is handled."
Here's the list of new requirements for developers:
Be transparent about the handling of user's data and disclose privacy practices.
Post a privacy policy as well as use encryption for handling personal or sensitive information of users.
Ask users to consent to the collection of their personal or sensitive data via a prominent disclosure, when the use of the data is not related to a prominent feature.
Besides this, developers are also restricted from collecting user's Web browsing activity that is not at all required for their app's main functionality.
Google has already started notifying app developers about the change in its privacy policy and is giving them 3 months from now to comply.
From July 15, 2016, any app or extension that violates any of the requirements mentioned above will be discarded from the Chrome Web Store. So the only way to be restored will be to comply with the new policies.
The Four Element Sword, weaponized document builder used in APT Attacks
19.4.2016 Virus
Experts analyzed a dozen attacks that leveraged on malicious RTF documents created using the same Four Element Sword builder.
Security experts at Arbor Networks’ Security Engineering and Response Team (ASERT) have spotted a tool used in advanced persistent threat (APT) attacks against organizations in East Asia.
The researchers have analyzed a dozen attacks that leveraged on malicious Rich Text File (RTF) documents that were all created using the same builder which it has dubbed ‘Four Element Sword.’
The experts also collected evidence that the hacking campaigns leveraging malicious RTF documents are still active.
All the attacks belong to long-running hacking campaigns operated by APTs, threat actors targeted Tibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.
The threat actors used popular RATs to compromise victim’s machines, including PlugX, Gh0stRAT, T9000, Kivars, Graber and Agent.XST.
The malware spreads via spear-phishing emails that came with malicious RTF documents in attachment. All the documents analyzed by Arbor Networks included code to exploit 2-4 vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641, CVE-2015-1770), the experts believe they were created by using the same builder.
The flaws CVE-2012-0158 and CVE-2012-1856 were first discovered in 2010 and fixed in 2012 by Microsoft. The flaws CVE-2015-1641 and CVE-2015-1770 were patched only last year.
“The Four Element Sword builder has been observed to utilize exploit code against four distinct vulnerabilities. Each malicious document created by the builder appears to leverage three or four of these vulnerabilities in the same RTF document, given a .DOC extension.” states the analysis published by Arbor Networks “Some targets may warrant the use of newer exploit code, while others running on dated equipment and operating systems may still fall victim to the older exploits.”
The nature of the targets and the techniques, tactics and procedures adopted by the threat actors lead the experts into belief the involvement of Chinese hackers.
The researchers at Arbor Networks also discovered that the Four Element Sword builder has been used by cyber criminal gangs in the wild, the details of these operations will be provided in future reports.
Hackers can spy on your calls and track location, using just your phone number
19.4.2016 Hacking
The famous ‘60 Minutes’ television show shocked some viewers Sunday evening when a team of German hackers demonstrated how they hacked into an iPhone used by U.S. Congressman, then recorded his phone calls and tracked his movement through Los Angeles.
Hackers leverage a security flaw in SS7 (Signalling System Seven) protocol that allows hackers to track phone locations, listen in on calls and text messages.
The global telecom network SS7 is still vulnerable to several security flaws that could let hackers and spy agencies listen to personal phone calls and intercept SMSes on a potentially massive scale, despite the most advanced encryption used by cellular networks.
All one need is the target's phone number to track him/her anywhere on the planet and even eavesdrop on the conversations.
SS7 or Signalling System Number 7 is a telephony signaling protocol used by more than 800 telecommunication operators around the world to exchange information with one another, cross-carrier billing, enabling roaming, and other features.
Hackers Hacked into US Congressman's Smartphone
With US Congressman Ted Lieu's permission for a piece broadcast Sunday night by 60 Minutes, Karsten Nohl of German Security Research Labs was able to hack into his iPhone, record phone call made from his phone to a reporter, and track his precise location in real-time.
During the phone call about the cell phone hacking, Lieu said: "First, it's really creepy, and second, it makes me angry."
"Last year, the President of the United States called me on my phone, and we discussed some issues," he added. "So if hackers were listening in, they'd know that phone conversation, and that is immensely troubling."
What's more awful is that the designing flaws in SS7 have been in circulation since 2014, when the same German researchers' team alerted the world to it. Some flaws were patched, but few apparently remain or intentionally left, as some observers argue, for governments to snoop on its targets.
The major problem with SS7 is that if any one of the telecom operators is hacked or employs a rogue admin, a large scale of information, including voice calls, text messages, billing information, relaying metadata and subscriber data, is wide open to interception.
The weakness affects all phones, whether it's iOS, Android, or whatever, and is a major security issue. Although the network operators are unwilling or unable to patch the hole, there is little the smartphone users can do.
How Can You Avoid this Hack?
The best mitigation is to use communication apps – that offers "end-to-end encryption" to encrypt your data before it leaves your smartphone – over your phone's standard calling feature.
Lieu, who sits on House subcommittees for information technology and national security, also argues for Strong Encryption that, according to the Federal Bureau of Investigation (FBI), make it harder to solve crimes.
Lieu strongly criticized the United States agencies, if any, that may have ignored such serious vulnerabilities that affect Billions of cellular customers.
"The people who knew about this flaw [or flaws] should be fired," Lieu said on the show. "You can't have 300-some Million Americans—and really, right, the global citizenry — be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data."
Few of such apps that are popular and offers end-to-end encryption are Signal, WhatsApp, and Apple's iMessage service that keep users communications safe from prying eyes and ears.
IBM warns a spike in the number of PHP C99 Webshell Attacks
19.4.2016 Hacking
IBM Security has warned the WordPress community about a spike in the number of attacks leveraging a specific variant of the PHP C99 Webshell.
Security experts at IBM reported a spike in the number of cyber attacks pushing a variant of the popular C99 webshell in February and March, a 45 percent increase compared to the previous period. The C99 variant used in the attacks is currently detected by 37 of 56 antivirus software.
The experts noticed a common URL and file name, pagat.txt, in the attacks. The file includes an obfuscated PHP script, the attackers hide in this way a malicious code used to bypass the Web application firewall (WAF) that may be used to protect the website.
When the script is executed on the target system, an email is sent back to the attacker notifying that the server has been compromised.
Below the GET request observed in the attacks:
hxxp://www.victim.com/wp-content/themes/twentythirteen/pagat.txt.
Googling the pagat.txt file it is possible to have an idea of the number of compromised machines.
The C99 webshell installed on the server could be accessed from a browser and used to launch shell commands on the target. The attacker can use it to perform several actions, including the upload of malicious payloads.
“Most of the time, these webshell entry points result from vulnerabilities in third-party plugins (which we know often don’t undergo any security review during development) or an unpatched bug in the parent application. In fact, according to IBM X-Force, the largest percentage of CMS vulnerabilities are found in plugins or modules written by third parties.” reported IBM.
The researcher discovered that the specific variant of the C99 webshell used in the recent attacks is the same used by the Indonesian hacker Hmei7, that defaced more than 150,000 websites from all across the world.
In order to protect your website ensure that your WordPress installation is not affected by known vulnerabilities, install security plugins, and change default settings.
The CIA’s Massive Expansion in Social Media Surveillance is Just the Tip of the Iceberg
19.4.2016 Safety
The US intelligence is massively expanding in Social Media surveillance pushing new technologies, including artificial intelligence for data mining
In-Q-Tel, the CIA’s venture capital firm, has been pursuing various new technologies, including artificial intelligence for data mining, computer algorithms that can detect insider threats and robots which are able to seize delicate objects. This is according to a document The Intercept recently gained access to.
Of particular significance, however, is the research being conducted in the area of social media data mining and surveillance. In-Q-Tel’s portfolio includes an assortment of tech companies which aspire to delve further into this arena:
Dataminr provides a stream of data from Twitter to law-enforcement, and others, so that trends can be rapidly detected.
Geofeedia also involves the use of social media, but focuses on breaking news and also possesses the ability to track activist protests. Geotagged social media posts are collected and then viewed by the company’s clients, which include numerous law-enforcement agencies.
Dunami, a PATHAR product, is another tool used for data mining social media. It analyzes and summarizes networking, influence and the potential for radicalization, according to an investigation by Reveal. It is one of the surveillance tools utilized by the Federal Bureau of Investigation (FBI).
Boasting the ability to spot “gang incidents” and threats to journalists on Twitter, TransVoyant, founded by former Lockheed Martin Vice President Dennis Groseclose, provides a similar service which analyzes multiple data points for the purpose of decision-making. The firm has collaborated with the U.S. military in Afghanistan to integrate data from satellites, drones, radar and reconnaissance aircraft.
The CIA’s investments reveal a pattern, which demonstrates the agency’s elevated push towards monitoring social media platforms. At least part of the focus is on ISIS’ extensive use of social media for spreading propaganda, recruiting and other activities.
As an indication of just how engaged the CIA is in this pursuit:
“The latest round of In-Q-Tel investments comes as the CIA has revamped its outreach to Silicon Valley, establishing a new wing, the Directorate of Digital Innovation, which is tasked with developing and deploying cutting-edge solutions by directly engaging the private sector. The directorate is working closely with In-Q-Tel to integrate the latest technology into agency-wide intelligence capabilities.” states The Intercept.
“Over the last decade, In-Q-Tel has made a number of public investments in companies that specialize in scanning large sets of online data. In 2009, the fund partnered with Visible Technologies, which specializes in reputation management over the internet by identifying the influence of ‘positive’ and ‘negative’ authors on a range of platforms for a given subject. And six years ago, In-Q-Tel formed partnerships with NetBase, another social media analysis firm that touts its ability to scan ‘billions of sources in public and private online information,’ and Recorded Future, a firm that monitors the web to predict events in the future.”
Additionally, In-Q-Tel has established a unique technology laboratory known as Lab41. Based in Silicon Valley, it was designed to provide tools for the intelligence community to “connect the dots” in large data sets.
It should be noted that this particular CIA-backed surveillance technology is also being used by domestic law enforcement agencies and the private sector in order to spy on individuals, such as activists.
Interestingly, “Palantir, one of In-Q-Tel’s earliest investments in the social media analytics realm, was exposed in 2011 by the hacker group LulzSec to be in negotiation for a proposal to track labor union activists and other critics of the U.S. Chamber of Commerce, the largest business lobbying group in Washington. The company, now celebrated as a ‘tech unicorn’ — a term for start-ups that reach over $1 billion in valuation — distanced itself from the plan after it was exposed in a cache of leaked emails from the now-defunct firm HBGary Federal.”
Social Media Surveillance
Source: The Atlantic.com
News of continuing surveillance, involving the government, has always made a lot of people uneasy–in particular, civil liberties advocates. Mass surveillance always brings into question Fourth Amendment constitutional issues. And, the CIA’s investment endeavours, involving monitoring social media, are really just the tip of the iceberg.
As was recently reported in Security Affairs, the CIA has also waded into the health and beauty market with its funding of a new line of skincare products that would enable them to collect DNA. Clearista is a product line that markets itself as a “formula so you can feel confident and beautiful in your skin’s most natural state.” But, the CIA is far less interested in how you look after using these products than in the ability of the Clearista product to remove a thin outer layer of skin that could allow investigators to obtain unique biomarkers that can be used for DNA collection.
The CIA is not alone in its quest to expand its surveillance capabilities. Police departments across the country have been using Beware, an application developed by Intrado, which crawls billions of records in public and commercial databases. It searches for criminal records, Internet chatter and other data. The Beware algorithms then calculate a threat rating score which is assigned to an individual and that information is sent to the requesting law-enforcement officer. It is not, however, foolproof and misinformation can be generated which could be used against an individual.
The FBI has also acquired specialized surveillance software, having purchased SocioSpyder, an application for extracting information from social media sites. According to the product’s website, it “can be configured to collect posts, tweets, videos and chats on-demand or autonomously into a relational, searchable and graphable database.” SocioSpyder was developed by Allied Associates International, a U.S.-based contractor which has government and military and private companies as clientele. SocioSpyder is essentially a pre-configured web scraper for social media.
And, just in case the government misses something, in its far-reaching surveillance, an anti-encryption bill has been drafted in the Senate by Senators Richard Burr and Dianne Feinstein, following the death of an anti-encryption bill in California’s General Assembly last week. The bill, titled the Compliance with Court Orders Act of 2016, would require tech firms to decrypt customers’ data at a court’s request.
Add to that, the ruling by the Sixth Circuit Court of Appeals, which recently ruled that warrantless collection of cellphone location data is constitutional.
Privacy advocates have expressed concern over these new developments involving the government, technology and civil liberties. In particular, apprehension has been expressed in regard to the automated judgments that software targeting social media uses. Lee Rowland, a senior staff attorney with the American Civil Liberties Union commented that, “when you have private companies deciding which algorithms get you a so-called threat score, or make you a person of interest, there’s obviously room for targeting people based on viewpoints or even unlawfully targeting people based on race or religion.” She also warned that a dangerous trend has begun with government relying on tech companies to “build massive dossiers on people” using “nothing but constitutionally protected speech.”
Česká spořitelna varovala před podvodníky na Facebooku
18.4.2016 Podvod
Sociální síť Facebook se snaží znovu zneužít počítačoví piráti k šíření škodlivých kódů. Tentokrát si dokonce vytvořili rovnou celou podvodnou stránku, která na první pohled vypadá, jako by skutečně patřila České spořitelně. Právě zástupci této banky před novým podvodem varovali.
Podvodná stránka na Facebooku
FOTO: Česká spořitelna
„Upozorňujeme na podvodný profil na Facebooku, který jsme v posledních dnech zaznamenali a který se snaží vzbudit dojem, že patří České spořitelně. Podvodníci na tomto profilu nabízejí ‚nové internetové bankovnictví SERVIS 24‘,“ uvedli zástupci České spořitelny.
Falešný profil se jmenuje Ceska Sporitelna a odkaz na něm samozřejmě směřuje na podvodné stránky, jejichž prostřednictvím se snaží kyberzločinci vylákat od důvěřivců přihlašovací údaje k internetovému bankovnictví.
Tisícovka za přihlášení
Uživatele navíc motivují ke kliknutí na falešné stránky finanční odměnou. Každý, kdo se prostřednictvím uveřejněného linku do bankovnictví přihlásí, získá údajně odměnu tisíc korun.
Nejenže lidé žádné peníze nedostanou, ale prozrazením přihlašovacích údajů si zadělávají na pěkný problém. Počítačoví piráti jsou totiž už jen kousek od toho, aby jim mohli vybílit účet – stačí, aby propašovali virus na jejich chytrý telefon. Prostřednictvím něj pak budou schopni odchytávat potvrzovací SMS zprávy pro platby, jako tomu bylo už v minulosti.
Ukázka jedné z podvodných SMS zpráv, jejímž prostřednictvím se dokážou podvodníci dostat do chytrého telefonu.
FOTO: Česká spořitelna
„Důrazně varujeme před jakoukoli reakcí na výzvy uvedené na tomto profilu. V žádném případě neklikejte na nabízený odkaz a svoje údaje nevyplňujte nikam jinam než na oficiální stránky www.servis24.cz. Podvodníci by se pak jejím prostřednictvím mohli dostat k Vašim penězům! V případě jakýchkoliv pochybností nás kontaktujte na bezplatném telefonním čísle 800 207 207,“ konstatovali zástupci banky.
Obezřetní by tedy uživatelé měli být i v případě, že narazí na Facebooku či jiné sociální síti na podobné stránky, které ale ponesou jiný název. Není totiž vyloučeno, že škodlivé kódy budou počítačoví piráti šířit prostřednictvím jiného profilu. Vydávat se klidně mohou i za úplně jinou bankovní instituci.
Certifikáty pro HTTPS zdarma: Komunitní autorita Let's Encrypt spouští ostrý provoz
18.4.2016 Zdroj: Živě Zabezpečení
Projekt bezplatných certifikátů pro webové servery Let’s Encrypt po několikaměsíčním zkušebním provozu opouští betatestování a spouští ostrý provoz.
Beta program autoři spustili loni v září a od té doby vydali 1,7 milionů certifikátů, které jsou díky sponzorům důvěryhodné ve většině moderních webových prohlížečů. Nyní se pochlubili, že na svou stranu získali další dva silné partnery: Cisco a Akamai.
O Let's Encrypt je zájem
Cílem Let’s Encrypt není zničit současný trh s certifikáty, ale spíše umožnit základní důvěryhodné šifrování webových stránek a masové nasazení HTTPS:// napříč internetem. To je doposud problém, protože bez důvěryhodného certifikátu prohlížeče zobrazují varovná hlášení a autoři malých webů zpravidla nechtějí platit vedle domény a hostingu ještě za certifikát od důvěryhodné autority. Let’s Encrypt by tento základní problém mohl vyřešit, nabízí totiž přesně tento typ nejjednodušších certifikátů.
Jedinou šmouhou na kráse je ovšem to, že nasazení certifikátů není úplně nejjednodušší úkon a vyžaduje alespoň základní znalosti administrátorské práce a znalosti, jak vlastně certifikáty fungují. A o Let’s Encrypt to platí dvojnásob.
V ideálním případě by nájemce domény získal certifikát automaticky v rámci platby za doménu a jeho instalace na webovém serveru by proběhla maximálně automatizovaně v rámci standardizovaného API.
Experts discovered a number of flaws in the Avactis PHP Shopping Cart
18.4.2016 Vulnerebility
A group of experts at VoidSec used a Grey Box approach to assess the security posture of some important aspects of Avactis PHP Shopping Cart.
Avactis is an open source ecommerce Shopping Cart platform most used in US and UK. Security experts from VoidSec analyzed the e-commerce software discovered an impressive number of vulnerabilities. The group of experts composed of Maurizio Abdel Adim Oisfi, Andrei Manole, and Luca Milano used a Grey Box approach to assess the security posture of some important aspects of Avactis PHP Shopping Cart.
“The purpose of the present project is to assess the security posture of some important aspects of Avactis PHP Shopping Cart. The activity is performed through Web Application Penetration Test using Grey Box approach. The risk level of the vulnerabilities is calculated using the CVSS v3 score.” states the report published by the VoidSec team.
Let’s start from the findings of the assessment, the experts have discovered the following flaws:
Spreading of Files with Malicious Extensions on Upload New Design and Execution in some
circumstances
Non-Admin PHP Shell Upload via Stored XSS and CSRF Protection Bypass
Time-based blind SQL Injection on Newsletter subscription
Boolean-based SQL Injection on checkout.php
Admin orders.php Union/Error/Boolean/Time based SQL Injection
Directory Listing and Backup Download /avactis- conf/backup/ (works only on stock apache2 or
nginx)
PHP Shell upload (admin only)
XSS on checkout.php and product-info.php
Various Stored XSS in cart.php
Stored XSS in Image File Name and Order Comments Field
PHP Command injection on Admin Panel avactis-system/admin/admin.php?page_view=phpinfo
Cross Site Request Forgery in Frontend
Full Path Disclosure on Upload New Design and /avactis-layouts/storefront-layout.ini and /avactisconf/cache/
Incorrect Error handling (information disclosure)
Directory Listing /avactis-themes/ and /avactis-extensions/ and /avactis-system/admin/templates/
and /avactis-uploads/[hash]/ and /avactis-system/admin/blocks_ini/
No input Validation in Rating System
Various Reflected Self-XSS on Admin Panel
No e-mail confirmation on user creation
As you can observe the platform is affected by practically any kind of vulnerability, from Cross Site Request Forgery to Time based SQL Injection. It is worrying that the system appears quite open to hacking attacks, security issues like the lack of input Validation in Rating System and e-mail confirmation on user creation could allow a remote attacker to compromise the system impacting its logic.
Let’s consider for example the “Timebased blind SQL Injection on Newsletter subscription Description.”
The lack of filtering on an input parameter allows an attacker to access the database and, if gaining the necessary privileges, modify the contents through an SQL Injection attack (time-based).
The experts explained that the vulnerability affects the request for subscribing to the website newsletter.
POST
/productlist.php asc_action=customer_subscribe&email=mail@mail.it&topic[1]=1&topic [2]=2
Another worrying issue in the Avactis platform are various reflected SelfXSS on the admin panel that could be exploited by hackers to steal the session cookie, use an XSS Shell in ASP and insert a virusand send commands, cookies, keyloggers and so on.
Another interesting flaw it a PHP Shell upload, despite it is limited to admin.
An attacker with admin privileged can trigger the flaw to upload a PHP shell on the server by exploiting the picture uploading function that fails to check uploaded extensions. A malicious admin can insert in a legitimate picture some PHP code that will be executed when the uploaded file is opened. Below a PoC provided by the experts:
Below a PoC provided by the experts:
Create a real file JPG || PNG || GIF (ciao.jpg)
Edit its content adding “<?php system($_GET[‘cmd’]); ?> 3 – Rename the file in ciao.php
Upload that file on the server through whichever picture upload form on the administration side
Open the uploaded file
We could go on for hours, the common factor in all the flaws is the lack of content validation that causes the exposure of Avactis platform to many types of attacks.
I suggest you read the report that also include the solution for any vulnerability discovered in the assessment.
Lottery security director hacked random-number generator to rig lotteries
18.4.2016 Hacking
New evidence collected by prosecutors shows lottery machines were rigged to generate predictable numbers on specific days of the year.
Last year, the security director of a US lottery was discovered hacking the mechanism of the extraction in order to predict the winning tickets.
According to new details revealed by The Des Moines Register, the lottery boss won roughly $16.5 million in six years by hacking the random number generator.
The Lottery security director used a malicious DLL to manipulate the mechanism that was used to select to chose the winning tickets.
The case first came into the headlines in April 2015, when law enforcement started the trial of Eddie Raymond Tipton, 53, who was the former information security director for Iowa’s Multi-State Lottery Association (MSLA).
In July 2015, Tipton was accused of two fraud charges, according to a judge that investigated the case of the Hot Lotto lottery the security expert created a winning ticket worth $14.3 million (€12.65 million).
While it was not proved by the prosecutors as to how Tipton manipulated the lottery drawing that produced the fraudulent ticket, but he recruited the help of Robert Clark Rhodes II, 46, of Sugarland, Texas, to cash out the winnings.
Tipton had manipulated lottery drawings in several states, prosecutors also discovered that he operated with the support of Robert Clark Rhodes II, 46, to cash out the winning tickets.
Tipton was then sentenced to ten years in prison in September 2015.
In addition to that conviction, Eddie’s now facing additional felony criminal charges for allegedly manipulating drawing computers that he was responsible for building and programming.
While the prosecutors were investigating the case, MSLA audited internal systems, but they did not find any suspicious modification.
Law enforcement discovered that Tipton used a malicious dynamic-link library (DLL) that was discovered on one of the computers responsible for generating random numbers used in the mechanism for choosing the winning tickets.
The DDL differs from the legitimate one for a portion of code that was used by Tipton to invoke a different random generator algorithm to generate the winning numbers in a predictable way.
The DLL was developed to generate specific winning numbers on three days of the year, on two particular days of the week, and after a certain time of day.
“Examiners found out-of-place programs known as dynamic link libraries, or DLLs, that had been written onto the Wisconsin computer. The programs were designed to “redirect” a drawing if certain conditions were met, according to the complaint, helping orchestrate the outcome.
The drawing had to happen on three particular days of each year, two certain days of the week and at a certain time of day.” reported an article published on the The Des Moines Register.
“Then another program triggered the winning numbers to be drawn not at random, but using an algorithm Tipton could solve, according to the criminal complaint. The numbers could be predicted by anyone familiar with the random number generators, security procedures and the algorithm, Iowa Division of Criminal Investigation special agent Don Smith wrote in an affidavit.”
The six winning tickets linked to Tipton were drawn on November 23 or December 29 between 2005 and 2011 totaling over $16.5 million (€14.6 million).
The investigators were able to produce “the very same ‘winning numbers’ from the program that was supposed to produce random numbers.”
Tipton was able to deploy the malicious DLL into the systems used by the MSLA in other states across the US.
The DLL was discovered in the systems used in Iowa, Texas, Oklahoma, Colorado, and Wisconsin. To make harder the investigation Tipton programmed the DLL to self-delete after a specific period of time.
Prosecutors also filed a second complaint that includes also charges against Tipton’s brother, Tommie Tipton.
PhineasFisher explained how he breached the Hacking Team
18.4.2016 Safety
The hacker PhineasFisher published a detailed explanation of how he has hacked the Italian surveillance firm Hacking Team.
In July 2015, the surveillance firm Hacking Team suffered a serious security breach, unknown attackers have exfiltrated some 400Gbs of data (including emails, internal documents, and exploit source code), but since now no news regarding the attack was disclosed.
Now the hacker using the online pseudonymous ‘PhineasFisher‘ published a detailed explanation of how he has hacked the Italian surveillance firm.
PhineasFisher breached hacking team
PhineasFisher is the same hacker that breached the surveillance company Gamma International, that sells hacking tools including the popular spyware FinFisher.
PhineasFisher also shared his political ideology in the manifesto he published, the hacker explained that he breached the company to its questionable affairs with rogue governments.
The surveillance software sold by the Hacking Team was in fact abused by many governments against activists and political opponents.
“So easy it is to tear down a company and stop their abuses human rights. That is the beauty and the asymmetry of hacking: with only a hundred hours of work, one person can undo years of work of a multimillion-dollar company. The hacking gives us the possibility of the dispossessed fight and win.“ states the conclusion of the PhineasFisher’s message.
“Hacking Team is see themselves as part of a tradition of inspiring Italian [1] design. I see them Vincenzetti, your company, and their cronies police, police, and government, as part of a long tradition of Italian fascism. I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and all those who have shed their blood on hands Italian fascists.”
Phineas Fisher decided to disclose the details of the hack to give a new blow to the Hacking Team that never left the business.
PhineasFisher breached hacking team Tweet
The hacker revealed to have used a zero-day exploit unknown vulnerability to breach the internal network of the company. The Phineas Fisher didn’t provide further details on the vulnerability he exploited, likely because it is still unpatched. He has also avoided disclosing how he has obtained the exploit.
“I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoor firmware, and compiled several tools post-exploitation for embedded system. The backdoor serves to protect the exploit. Use the exploit only once and then return by the backdoor ago work harder to find and patch vulnerabilities.” the hacker wrote.
Once inside the network the hacker moved laterally accessing other servers, including the internal email system. Phineas Fisher was able to find the passwords of the on the system administrators, including the one belonging to Christian Pozzi. The hacker was inside, and with full administrative privileges and Pozzi’s credentials, he was able to control the entire network. The hacker confirmed to have breached also a separate network storing the company’s source code.
“One of my favorite pastimes is hunting the sysadmins. spying Christan Pozzi (sysadmin Hacking Team) got the server accesso Nagios gave me accessibility to sviluppo rete (network development in RCS source code). With a simple combination of Get-Keystrokes and Get-TimedScreenshot of PowerSploit [13], Do-Exfiltration of Nishang [14], and GPO, you can spy on any employee or even the entire domain.” stated the hacker.
Once exfiltrated the data, the hacker reset Hacking Team’s Twitter password by using the “forgot password” function and used the account to announce the data breach.
The hacker spent six weeks, nearly 100 hours of work, inside the Hacking Team network to exfiltrate the data.
I invite you to read the details of the hack disclosed by the hacker, despite it is impossible to verify their accuracy, it is interesting to note how the hacker described its alleged operation and the motivation behind the attack.
PhineasFisher is politically motivated and he is inciting the hacking community to follow his example.
Europol and Italian Carabinieri an international ATM Skimming network
18.4.2016 Hacking
The Italian law enforcement corp Carabinieri and the Europol have dismantled an international criminal group responsible for large-scale ATM skimming.
Last Week, the Italian law enforcement corp Carabinieri, in a joint operation with the Europol, has dismantled an international criminal group responsible for large-scale ATM skimming, forgery of documents and money laundering. The operation was codenamed “PLUTO,” the gang used a consolidated scheme to monetize its efforts, the criminals compromised ATMs in different EU Member States (Italy, Denmark and the UK) in order to steal card data and clone them. The cloned payment cards were used to withdraw large amounts of cash from ATMs outside the European Union (Indonesia and Belize).
The “cloned” cards were mainly used alongside with fake documents to purchase clothing and electronic equipment (mobile phones, computers, etc.) and resold them in the criminal underground.
On 14 April 2016, the Carabinieri announced to have identified and arrested the members of the organisations, most of them are Romanian nationals, that used sophisticated ATM skimming to compromise ATMs across Europe.
It has been estimated that the gang has stolen at least EUR 1.2 million.
16 individuals were arrested in Italy where the police have conducted numerous searches seizing the equipment used by the gang. The agents have found Micro camera bars, card readers, magnetic strip readers and writers, computers, phones and flash drives, and of course plastic cards.
“Organised criminal groups are always looking for new global opportunities to make money, especially in the criminal market of payment fraud. Operations such as this highlight the importance of using Europol’s secure tools for exchanging intelligence and for coordinating the crucial operational stages involved in complex international cases. The resounding success of such an operation is not the first nor will it be the last, as police officers and prosecutors, alongside EC3, continue in their tireless endeavours to make payment transactions safer for customers throughout Europe and beyond.” said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3).
The investigation started in 2014, the Europol, provided a determinant analytical and forensic support to the Italian colleagues, a cooperation that allowed the police to identify and arrest the members of the gang.
The information collected during the investigation was also shared with other law enforcement agencies in Europe and overseas.
“Europol’s European Cybercrime Centre (EC3) initiated the case in 2014 and supported the involved law enforcement authorities in their efforts to identify the suspects. Operational meetings were held at Europol’s headquarters in The Hague and EC3 provided analytical and forensic support throughout the investigation including the deployment of a mobile office during the final action day to assist the Italian authorities.” states the official announcement published by the Europol.
Watch out! URL shorteners could leak sensitive content
17.4.2016 Safety
Two security researchers from Cornell Tech discovered that web URL shorteners operate in predictable way exposing sensitive data.
The security researchers Vitaly Shmatikov and Martin Georgiev from Cornell Tech discovered that web URL shorteners operate in predictable way, and this could result in the disclosure of sensitive information.
The duo analyzed the most popular URL shorteners, including the services implemented by Google, Bit.ly and Microsoft and discovered that attackers can enumerate short URLs to find a sensitive information available on the web. The researchers, for example, discovered short URLs pointing Microsoft OneDrive folders that are unlocked.
“short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force. Our scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices.” Shmatikov in a blog post.
The experts also discovered that URL shorteners can reveal information that could allow to profile users.
“We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments.”
The details of their analysis are included in a paper titled “Gone in Six Characters: Short URLs Considered Harmful for Cloud Services.”
Google and Microsoft have pushed introduced fixes to secure new shortened URL links, anyway old links remain vulnerable.
The researchers explained that shortened URLS are generated in a predictable way by combining domain names and a sequence composed of five- to seven-character. The result is a short URL, but its brevity and the knowledge of the generation mechanism introduces the basic vulnerabilities that could allow attackers to launch brute force attacks.
“The tokens are so short that the entire set of URLs can be scanned by brute force. The actual, long URLs are thus effectively public and can be discovered by anyone with a little patience and a few machines at her disposal.” explained Shmatikov “
The scan of 100 million URLs allowed the experts to discovere more than 1.1 million publicly accessible OneDrive documents including documents and executables.
“In our sample scan of 100,000,000 bit.ly URLs with randomly chosen 6-character tokens, 42% resolved to actual URLs. Of those, 19,524 URLs lead to OneDrive/SkyDrive files and folders, most of them live. But this is just the beginning.”
The random scan of Google-shortened URLs allowed the identification of 23,965,718 links, 10 per cent of them containing driving directions to sensitive locations including disease, abortion clinics, and strip clubs.
The duo demonstrated that shortening URL may expose sensitive content to third parties. The experts suggest the adoption of measures to limit automated scanning activities.
“Use your own resolver and tokens, not bit.ly. Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners. Finally, design better APIs so that leakage of a single URL does not compromise every shared URL in the account.” states the duo.
American company lost $100 million to BEC fraud
17.4.2016 Incindent
American company lost $100 million to email fraud, U.S. says
The Reuters Agency reported that an unidentified American company was the victim of a clamorous email fraud, scammers have stolen from the firm nearly $100 million.
According to the US authorities, fraudsters used a fake email address in order to pose as one of its legitimate business partners.
Reuters reported the US authorities have filed a civil forfeiture lawsuit in federal court in New York seeking to recover nearly $25 million derived from the fraud which is being held in at least 20 bank accounts around the world.
The authorities confirmed about $74 million has been returned to the US company.
According to Tom Brown, a former Manhattan federal prosecutor the complaint filed on Thursday “appears to be the largest email scam that I’ve seen.”
This is another clamorous case of BEC (business email compromise) scam suffered by a US company. A week ago, a report issued by the FBI revealed that cyber criminals have pilfered more than $2.3bn from 17,642 victims since 2013 with BEC attacks.
It is a critical situation, the number of business email compromise BEC scams continues to increase on a global scale.
“The Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the “business angle” of this scam and to avoid confusion with another unrelated scam.” reports the statement issued in 2015 by Internet Crime Complaint Center (IC3) and the FBI.
cybercrime
The BEC scam has been going on from August to September and was discovered when a Cyprus-based bank noticed suspicious transfers.
According to authorities, the scammers created a fake email address that resembled that of one of the company’s vendors in Asia.
“The perpetrators then posed as a vendor while communicating with a professional services company that was hired to handle the details and logistics of vendor payments for the American corporation, the lawsuit said.” states the Reuters.
The lawsuit reported that scammers convinced the American company to send $98.9 million to an account at Eurobank Cyprus Ltd, which is the bank that noticed the suspect transfers.
The Eurobank without any forcing restrained nearly $74 million of the funds in September.
“The remaining $25 million was laundered through other accounts in locations including Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia, and Hong Kong, authorities said.” continues the lawsuit.
The prosecutors have followed the money across banks worldwide, they requested foreign governments to restrain the accounts used in the BEC scam and 20 of them have refunded the stolen funds.
WordPress spustil šifrované HTTPS na všech doménách, které poskytuje
17.4.2016 Zabezpečení
WordPress již od roku 2014 podporuje bezpečnější HTTPS, zatím ale pouze na stránkách s poddoménou wordpress.com (např. https://barry.wordpress.com). Nově se ale podpora rozšiřuje i pro všechny ostatní weby, které jsou u WordPressu registrovány.
Veškeré weby registrované na WordPress.com nyní podporují HTTPS
Změna proběhne automaticky a není potřeba žádných úprav na straně zákazníka. Nyní by už měly všechny weby běžet na šifrovaném protokolu, což lze na první pohled poznat podle ikony zámku vedle adresy webu v prohlížeči.
Takový přechod rozhodně přispívá k bezpečnému pohybu na internetu a doufejme, že se stejnou cestou vydají i další velké společnosti. Zvýšená bezpečnosti není jediným přínosem HTTPS. Weby, které mají tento protokol implementován, jsou v třídícím žebříčku vyhledávače Google automaticky řazeny na vyšším pozice. Podrobnější informace o proběhlých změnách lze nalézt na stránkách WordPress.
Apple končí s QuickTime pro Windows, už ani neopraví známé bezpečnostní chyby
17.4.2016 Zranitelnosti
Apple končí s QuickTime pro Windows, už ani neopraví známé bezpečnostní chybyVčera, Milan Šurkala, aktualitaApple QuickTime pro Windows už má patrně své dny sečteny. Společnost Trend Micro upozornila Apple na dvě bezpečnostní chyby v QuickTime. Podpora této verze aplikace ale má být ukončena a chyby nebudou opraveny.
QuickTime už zdaleka není tak populární jak kdysi a jeho verze pro operační systém Windows má již své dny sečteny. Společnost Trend Micro totiž v 11. listopadu 2015 informovala společnost Apple o dvou kritických bezpečnostních chybách aplikace QuickTime pro Windows, jenž byly označeny jako ZDI-16-241 a ZDI-16-242. Apple dostal 120 dní na reakci, ale v podstatě se nic nedělo. Až ke konci této lhůty, 9. března 2015, na výzvu Apple prohlásil, že QuickTime pro Windows už nebude dále vyvíjen.
To ale současně znamená, že tyto dvě bezpečnostní chyby nebudou nikdy opraveny, půjde o tzv. zero-day problémy a Apple akorát doporučuje majitelům počítačů s operačním systémem Windows QuickTime odinstalovat. Návštěva nebezpečné webové stránky tak může být s nebezpečnou verzí QuickTime nepříjemným zážitkem, zatím ale není znám žádný útok, který by tyto zranitelnosti využil. Problém se netýká QuickTime ve verzi pro Mac OS X a Apple se rozhodl podporu ukončit např. proto, že dnes se ve velké míře využívá HTML5, které je obecně bezpečnější než pluginy instalované do prohlížečů.
Trojský kůň připravil banky o desítky miliónů korun
16.4.2016 Viry
Pouhých pár dní stačilo na to, aby kyberzločinci připravili hned několik bank o čtyři milióny dolarů, tedy v přepočtu o více než 95 miliónů korun. Použili k tomu sofistikovaného trojského koně, uvedl server Info Security.
Nový trojský kůň se jmenuje GozNym a objevili jej bezpečnostní výzkumníci společnosti IBM. Ti zároveň zjistili, že prostřednictvím zmiňovaného škodlivého kódu dokázali počítačoví piráti vysát peníze z více než dvou desítek finančních institucí.
Kromě bank jde například o družstevní záložny a nejrůznější platformy pro on-line platby. Většina poškozených institucí je v Americe a Kanadě, konkrétní firmy však výzkumníci s ohledem na probíhající vyšetřování jmenovat nechtěli.
Není tak vyloučeno, že se problémy netýkají také některé z finančních institucí, která působí na tuzemském trhu.
Zkřížili již existující hrozby
Jisté je nicméně to, že trojský kůň byl velmi sofistikovaný. Šlo totiž o kombinaci již existujících hrozeb, známých jako Nymaim a Gozi, ze kterých kyberzločinci vyrobili nového křížence. Na toho evidentně finanční instituce připraveny nebyly.
Právě křížení virů dělá bezpečnostním expertům v poslední době vrásky na čele. „Počítačoví zločinci se naučili kombinovat různé kousky škodlivých kódů. Tím dokážou vytvořit novou hrozbu daleko dříve, než tomu bylo v minulosti,“ upozornil bezpečnostní analytik Travis Smith ze společnosti Tripwire.
Obrana je daleko komplikovanější
„Nemusí tedy psát celý kód od začátku, čímž dokážou značně snížit čas potřebný k vytvoření nové hrozby,“ zdůraznil Smith s tím, že obrana proti takovým hrozbám je logicky daleko komplikovanější.
Jak se kyberzločincům podařilo propašovat trojského koně GozNym do tak velkého množství finančních institucí, zatím není jasné.
Na finanční instituce se hackeři zaměřili už loni. Tehdy se jim podařilo od více než 100 bank v 30 zemích světa ukrást dohromady na 300 miliónů dolarů (7,2 miliardy korun).
JBOSS Backdoor opens 3 million servers at risk of attacks
16.4.2016 Virus
Experts at Cisco Systems discovered more than 3 million vulnerable servers exposed on the Internet while scanning for the presence of JBOSS Backdoor
According to Cisco Systems, more than 3 million servers exposed on the Internet are potentially open to Samsam ransomware-based attacks because they’re running vulnerable software.
Attackers are targeting vulnerabilities in servers to spread ransomware, the experts from the Cisco IR Services Team discovered that hackers were using the JBoss as a vector for the infections.
“we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This led us to approximately 3.2 million at-risk machines.” wrote the Cisco researchers in a blog post.
The experts started their investigation by scanning for machines that were already compromised.
The web scanning activity allowed the researchers to discover about 2,100 compromised servers belonging to schools, governments, aviation companies, and other types of organizations. The hackers installed webshells to maintain the control over the infected systems.
Several of the compromised systems were running the Follett “Destiny” software, a management system commonly used by many school libraries to keep track of books.
jboss logo
Cisco reported the issue to the Follett Learning that develops the software and the company solved the vulnerability. The updated Destiny software is able to scan machines for signs of infection and removes any backdoors that was installed by attackers.
Experts at CISCO provided a series of recommendations to remove webshell from compromised servers.
“Our first recommendation, if at all possible, is to remove external access to the server. This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software. This is the best way to ensure that the adversaries won’t be able to access the server.” states the blog post published by CISCO. “If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.”
Give a look to the post, it also includes some indicators that are associated with the presence of various webshells.
Urgent, Uninstall QuickTime for Windows Now
16.4.2016 Vulnerebility
Apple abandons the support for the Windows version of quicktime, everyone should follow Apple’s guidance to uninstall it to avoid attacks.
It is official, Apple will no longer provide security updates for the Windows version of the popular QuickTime.
It is important to uninstall the product that remains vulnerable to cyber attacks, recently experts discovered two remote code execution vulnerabilities that at this point will remain unfixed.
The announcement that QuickTime for Windows will be no longer supported was published by ZDI that obtained the news after Steven Seeley of Source Incite reported details of the two critical vulnerabilities.
The security vulnerabilities were reported to Apple on November 11, 2015, and the company communicated to ZDI on March 9 that it is deprecating QuickTime on Windows.
“First, Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX.
Second, our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows.” reported Trend Micro in a blog post.
Both issues are heap corruption flaws that could be exploited by hackers for remote code execution. The attack scenario is simple and sees the victims accessing a maliciously crafted website or file.
“both of these are heap corruption remote code execution vulnerabilities. One vulnerability occurs an attacker can write data outside of an allocated heap buffer. The other vulnerability occurs in the stco atom where by providing an invalid index, an attacker can write data outside of an allocated heap buffer. Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context the QuickTime player, which in most cases would be that of the logged on user.” continues Trend Micro.
At this point you have no choice, you must uninstall Quicktime now!
“Uninstalling QuickTime 7 also removes the legacy QuickTime 7 web plug-in, if present. Websites increasingly use the HTML5 web standard for a better video-playback experience across a wide range of browsers and devices, without additional software or plug-ins. Removing legacy browser plug-ins enhances the security of your PC.” states Apple.
What is the impact on OX users?
Apple informed users that the QuickTime plugin has been disabled in OS X and web browsers in order to protect them from cyber attacks leveraging the security flaws.
The US-CERT has issued an advisory on the vulnerabilities explaining the risks associated with the flaws.
“Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows,” states the US-CERT advisory.
At the time I was writing, security experts confirmed that they are not aware of any active attacks against these vulnerabilities currently.
Don’t waste time, uninstall QuickTime for Windows today.
Malware z Facebooku vám ukradne hesla, míří na prohlížeče Chrome
16.4.2016 Viry
Podvodnou kampaň, která uživatele nutí, aby si stáhli infikované rozšíření internetového browseru Google Chrome, popsali experti Esetu. Varují, že tak lidé mohou lehce přijít o svá hesla.
Kampaň běží na sociální síti Facebook. Jeho základem je škodlivý plugin do prohlížeče Google Chrome, který je ve skutečnosti upravenou verzí jinak legitimního doplňku pro tvorbu obrázků ve formátu GIF. Pokud si jej uživatel stáhne, může ztratit kontrolu nad svým profilem.
Eset v dubnu tuto hrozbu, kterou eviduje pod označením JS/Kilim.SO a JS/Kilim.RG, detekoval v desítkách zemí včetně České republiky.
„Útočníci se pomocí technik sociálního inženýrství snaží přesvědčit uživatele Facebooku, aby si přehrál video, které je nejčastěji nazváno My first video, My video či Privat video. Po kliknutí na odkaz se otevře falešná internetová stránka podobná YouTube, která místo přehrání videa žádá o instalaci infikovaného pluginu ‚My Gif‘, neboť jinak nebude údajné video možné přehrát,“ vysvětluje Miroslav Dvořák, technický ředitel Esetu.
Pokud si oběť nainstaluje škodlivý plugin, dojde k nákaze internetového prohlížeče a infiltrace pokračuje i dále. Jeho profil na sociální síti Facebook začne velmi rychle šířit odkaz na falešnou stránku s video obsahem mezi jeho přátele, změní přístupové heslo k jeho profilu na Facebooku a začne přidávat nové přátele, vytvářet facebookové stránky, měnit a skrývat příspěvky. Tato funkcionalita ale aktuálně není využívána.
Škodlivá kampaň se přitom šíří přes spam a infikované účty na Facebooku a je při tom podle Esetu velmi úspěšná.
V tuto chvíli cílí útoky pouze na uživatele internetového prohlížeče Google Chrome, ale neexistuje žádná záruka, že se v budoucnu nerozšíří i do dalších prohlížečů. Proto existuje riziko, že by se v budoucnu mohla stát mnohem nebezpečnější, pokud jejím prostřednictvím bude šířen i zákeřnější malware s novými schopnostmi, dodává Dvořák.
Jak se zachovat při nákaze?
Odinstalujte škodlivý plugin „Make a GIF“ z prohlížeče Chrome.
Zkontrolujte počítač spolehlivým antivirovým programem či on-line scannerem.
Po kontrole a vyčištění počítače si změňte heslo do Facebooku, případně tak učiňte prostřednictvím jiného bezpečného zařízení. Heslo si neměňte na zařízení s infikovaným internetovým prohlížečem.
Nový virus se šíří Facebookem jako lavina
15.4.2016 Viry
Doslova jako lavina se Facebookem šíří nový virus, před kterým v pátek varovala antivirová společnost Eset. Je velmi zákeřný, protože dokáže krást na této sociální síti uživatelské profily. Pak se automaticky šíří mezi další přátele. Virus se maskuje za doplněk pro internetový prohlížeč Google Chrome.
„Útočníci se pomocí technik sociálního inženýrství snaží přesvědčit uživatele Facebooku, aby si přehrál video, které je nejčastěji nazváno My first video, My video či Privat video. Po kliknutí na odkaz se otevře falešná internetová stránka podobná YouTube, která místo přehrání videa žádá o instalaci infikovaného pluginu My Gif, neboť jinak nebude údajné video možné přehrát,“ vysvětlil Miroslav Dvořák, technický ředitel společnosti Eset.
Útok je zákeřný především proto, že doplněk My Gif skutečně existuje a s počítačovými piráty nemá nic společného. V internetovém prohlížeči standardně slouží ke snadnému vytváření obrázků. Název si kyberzločinci vypůjčili pravděpodobně kvůli tomu, aby uživatele zmátli povědomým jménem.
Převezme kontrolu nad profilem
Pokud jim důvěřivci na trik skočí, dojde k nakažení internetového prohlížeče. Škodlivý kód převezme kontrolu nad profilem na sociální síti Facebook, změní heslo a prakticky okamžitě začne šířit mezi přátele odkaz na podvodné stránky. Na nich se samozřejmě ukrývá opět video, prostřednictvím kterého chtějí do cizích počítačů kyberzločinci propašovat opět falešnou aplikaci My Gif.
Nezvaný návštěvník zároveň zvládne přidávat nové přátele, vytvářet facebookové stránky a dokonce i měnit a skrývat již existující příspěvky. Podle bezpečnostních expertů zatím ale tyto funkcionality nejsou počítačovými piráty využívány.
Zotročené účty na Facebooku mohou samozřejmě počítačoví piráti zneužít k šíření dalších škodlivých kódů, které mohou být ještě sofistikovanější. Může jít například o vyděračské viry, jež zašifrují data na pevném disku, či nebezpečný bankovní malware, který má za úkol vybílit lidem účty.
V Česku i na Slovensku
Kromě již infikovaných účtů na Facebooku se falešný doplněk My Gif šíří také přes nevyžádané e-maily. „V tuto chvíli cílí útoky pouze na uživatele internetového prohlížeče Google Chrome, ale neexistuje žádná záruka, že se v budoucnu nerozšíří i do dalších prohlížečů. Proto existuje riziko, že by se v budoucnu mohl stát mnohem nebezpečnější,“ doplnil Dvořák.
Bezpečnostní experti společnosti Eset již nový virus, který se maskuje za doplněk pro internetový prohlížeč, zachytili v České republice. Dále pak také v Americe, Kanadě, Austrálii, Velké Británii, Rusku, Německu či například na Slovensku.
Pokud byl počítač škodlivým doplňkem My Gif infikován, je nutné jej nejprve odinstalovat z internetového prohlížeče Chrome. Dále je pak nezbytné zkontrolovat počítač antivirovým programem.
Uživatelé by nakonec neměli zapomenout ani na změnu hesla na Facebooku, aby se kyberzločinci nemohli na jejich profily znovu připojit.
Canadian Police obtained Master Key to Crack BlackBerry Messenger Encryption
15.4.2016 Mobil
BlackBerry has long been known for its stance on mobile security, as it was the first mobile phone maker to provide end-to-end encryption. But a new report revealed that the company has provided a master backdoor to law enforcement in its secure devices since 2010.
The Royal Canadian Mounted Police (RCMP) have been in possession of a global decryption key for BlackBerry phones since 2010, according to a new report from Vice News published yesterday.
The report suggests that the Canadian police used the master key to intercept and decrypt over 1 Million messages sent using its own encrypted and allegedly secure BlackBerry Messenger (BBM) service in a criminal investigation over the course of 2 years.
Single Encryption Key to Protect All Customers
The issue with Blackberry’s security mechanism is that the company uses a single global encryption key to protect all its regular customers, though the corporate BlackBerry phones use their own encryption keys generated by corporate servers.
During a court trial of a 2011 murder case, the RCMP revealed that it successfully unlocked around 1 Million messages sent between BlackBerry devices using the "appropriate decryption key."
However, the important question here is: How did the RCMP obtain that global key?
Neither the RCMP nor the prosecutor disclosed exactly how the police obtained the appropriate decryption key that can decrypt messages sent through the BlackBerry Internet Service.
Moreover, the report itself don't have a satisfying answer. However, the most logical answer is that BlackBerry itself gave Canada's federal authorities the access they wanted.
But besides this, the most important question now is Whether or not the RCMP still has the key.
After the closure of "Project Clemenza," a RCMP investigation into a mafia-related murder, BlackBerry changed its global encryption key. But it is believed that the RCMP still has the ability to decrypt BBM messages.
Recently in the battle with the Federal Bureau of Investigation (FBI) over device encryption, Apple set an example for all tech companies by refusing to comply with law enforcement for creating a backdoor into the iPhone of San Bernardino shooter Syed Farook.
The FBI later managed to hack into the iPhone using an alternate method, but Apple tried its level best to protect its customers' privacy and did not hand over backdoor in its secure device to law enforcement – though BlackBerry did just opposite of it.
BlackBerry has yet to comment on the matter.
Report: Nothing useful found on San Bernardino Shooter's iPhone
15.4.2016 Mobil
The San Bernardino terrorist's iPhone that the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI) said was critical in their investigation has absolutely nothing useful on it, at least so far.
Yes, the same iPhone that was subject of so much attention from the past few months.
Here's a brief look at what happened in recent months over the iPhone:
The DoJ and Apple were engaged in a legal battle over a court order that was forcing Apple to help the FBI access data on a locked iPhone tied to Syed Farook.
Farook was one of two terrorists involved in the San Bernardino shooting incident last year that left 14 people dead.
The FBI desperately wanted access to that locked iPhone, not because it was expecting any case-breaking evidence on Farook's work-issued iPhone, but it was just trying to gather all available information, leaving no stone unturned.
When Apple refused to comply with the court order, the FBI found an alternate hacking method and successfully hacked Farook's iPhone, dropping the lawsuit against Apple late last month.
So in the end, it appears that there was nothing useful or helpful on the iPhone, as everyone expected.
Citing a law enforcement source, CBS News reports that "so far nothing of real significance has been found" on Farook's iPhone and that the agency is still analyzing data from the now-unlocked iPhone 5C.
However, it isn't at all surprising, as the iPhone in question was one of three used by Farook and his wife. The FBI previously admitted that both of them had destroyed their personal iPhones that were found crushed and dumped in a trash at his house.
The only remaining one was Farook's work phone that was recovered intact, making it highly unlikely of holding anything of real value. If there had been any digital evidence or anything sensitive on it, they would have destroyed it too.
Now all these FBI's efforts weren't just a big waste of time, but it might cause the federal agency a big damage as well.
In the wake of the court order over unlocking terrorist's iPhone, Apple is reportedly now working on fully encrypt iCloud Backups to make it even harder for law enforcement to access data stored on its servers.
The company has even hired Frederic Jacobs: one of the key developers of the World's most secure, open source and encrypted messaging app, Signal.
Meanwhile, several major tech companies, including Google, WhatsApp, and Facebook, have sided with Apple in defense of privacy and digital rights.
Recently, WhatsApp even announced full end-to-end encryption by default across its app, making itself unable to comply with any court order that demands access to the content of any conversation happens over its service.
Máte ve Windows QuickTime od Applu? Odinstalujte jej co nejdřív
15.4.2016 Zdroj: Živě Zranitelnosti
Přehrávač QuickTime byl v minulosti používán především pro zobrazení videoobsahu v kontejneru MOV. To však lépe zvládne i další konkurence a původní přehrávač Appu tak není třeba. Odinstalace je však na místě především kvůli jeho zranitelnosti. Na blogu bezpečnostní společnosti Trend Micro si můžete přečíst o dvou kritických chybách, které mohou vést k napadení systému.
whatis-hero-windowsxp-20100203.jpg
QuickTime měl smysl možná v době Windows XP, dnes jej pohodlně nahradí kvalitnější konkurence
Zpráva je důležitá především proto, že Apple s velkou pravděpodobností nebude vydávat pro QuickTime pod Windows další záplaty. Ta poslední zamířila k uživatelům v průběhu ledna a postarala se například o automatické odinstalování doplňku pro prohlížeče. Ačkoliv si QuickTime pod Windows společně s iTunes nevybudoval příliš dobrou pověst, jistě se najdou mnozí, kteří jej v systému (třeba nevědomky) stále mají.
Problém se týká Windows 7 a starších systémů. Apple nikdy QuickTime pro Windows 8 či Windows 10 nevydal. A pokud byste snad nevěděli, jak odinstalaci provést, Apple dokonce připravil stručný návod jak na to.
Microsoft Sues US Govt Over Unconstitutional Secret Data Requests
15.4.2016 Safety
Microsoft is suing the Department of Justice (DoJ) to protest the gag order that prevents technology companies from telling their customers when their cloud data is handed over to authorities.
In layman's terms, the Electronic Communications Privacy Act (ECPA) allows the government to issue gag orders saying that the people or companies involved in a legal case cannot talk about the case or anything related to it in public.
So, the government is continuously forcing tech companies to hand over their customers’ emails or personal records stored in the cloud servers without their clients' knowledge.
Microsoft has filed a lawsuit [PDF] against the DoJ, arguing that it is "unconstitutional" and violates constitutional protection of free speech to force the tech companies for not informing their customers when their stored data has been shared with authorities.
“We believe these actions violate two of the fundamental rights that have been part of this country since its founding. These lengthy and even permanent secrecy orders violate the Fourth Amendment, which gives people and businesses the right to know if the government searches or seizes their property.” Brad Smith, Chief counsel at Microsoft, said in a blog post.
“They also violate the First Amendment, which guarantees our right to talk to customers about how government action is affecting their data.”
According to Microsoft, the company has received nearly 2,600 gag orders in the past 18 months. Though the issue is not with the concept of government searches, but with the indefinite period of those orders.
Actually, the gag orders come with a definite time after which the company can reveal their customers if any police or FBI agent has checked or inspected their emails or files stored in the cloud.
But Microsoft said about 70 percent of all gag orders received by the company had no fixed end date, which means the company can never tell its users, even after the completion of the investigation.
“While today’s lawsuit is important, we believe there’s an opportunity for the Department of Justice to adopt a new policy that sets reasonable limitations on the use of these types of secrecy orders,” Brad said.
The gag orders are meant to protect nation investigations, but the US government is misusing it to carry out unconstitutional secret data searches without ever telling people.
Just like Apple, it is important for Microsoft to fight and win this battle for protecting users’ privacy, as well as their reputation.
Patch the VMware Client Integration Plugin asap
15.4.2016 Vulnerebility
VMware issued a security update to fix a critical vulnerability in the VMware Client Integration Plugin, apply it as soon as possible.
VMware issued a Security Advisory related to a critical security vulnerability (CVE-2016-2076) in the VMware Client Integration Plugin urging administrators to urgently apply the needed patch.
The flaw could be exploited by attackers to launch a Man in the Middle attack or Web session hijacking under certain conditions. The problem resides in the way the VMware Client Integration Plugin handles session content.
“The VMware Client Integration Plugin does not handle session content in a safe way. This may allow for a Man in the Middle attack or Web session hijacking in case the user of the vSphere Web Client visits a malicious Web site.” states the VMware advisory.
The vulnerability affects the following versions of the VMware Client Integration Plugin shipped with:
vCenter Server 6.0 (any 6.0 version up to 6.0 U2)
vCenter Server 5.5 U3a, U3b, U3c
vCloud Director 5.5.5
vRealize Automation Identity Appliance 6.2.4
The experts at VMware highlighted that in order to solve the issue, both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance)
and the client side (i.e. CIP of the vSphere Web Client) need to be updated.
Below the procedure to install the security updates:
A) Install an updated version of:
– vCenter Server
– vCloud Director
– vRealize Automation Identity Appliance
B) After step A), update the Client Integration Plugin on the system
from which the vSphere Web Client is used.
Updating the plugin on vSphere and vRA Identity Appliance is
explained in VMware Knowledge Base article 2145066.
Updating the plugin on vCloud Director is initiated by a prompt
when connecting the vSphere Web Client to the updated version of
vCloud Director.
GozNym Trojan combines Gozi ISFB and Nymaim malware abilities
15.4.2016 Virus
The security experts from the IBM X-Force Research spotted a new threat dubbed GozNym Trojan that combines Gozi ISFB and Nymaim malware abilities.
What happens when two threats join their capabilities?
Two dangerous Trojans, the Nymaim and Gozi ISFB malware, have been merged to create a new banking Trojan called GozNym.
The GozNym Trojan is particularly insidious, according to the experts at the IBM X-Force Research, it is responsible for the theft of $4 million since it was first discovered a couple of two weeks ago.
According to the researchers, the new malware is currently involved in a campaign that is targeting business banking institutions, credit unions and retail banks.
“IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and GoziISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions so far. X-Force named this new hybrid GozNym.” States a report published by the IBM X-Force Research.
The GozNym combines the best characteristics of both malware, it leverages on the Nymaim dropper and the stealing capabilities of the Gozi ISFB.
“From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.” continues the post.
The new banking trojan is spread via email messages that comes with documents embedding malicious macros.
Once GozNym has infected the victim’s machine, it is able to manipulate the browser in order to steal credentials and money from bank accounts my manipulating web session through webinjection mechanisms.
Limor Kessem, cybersecurity expert with IBM’s X-Force Research division, explained that the two malware behind the GozNym Trojan perfectly work together, in a much more effective way than apart.
The GozNym Trojan implements a two-stage malware dropper to compromise a victim’s computer.
“Nymaim is a two-stage malware dropper. It usually infiltrates computers through exploit kits and then executes the second stage of its payload once it is on the machine, effectively using two executables for the infection routine.” Continues the post. “Before merging into an actual hybrid, earlier versions of Nymaim used to fetch and inject Gozi ISFB’s financial module as a complete DLL into the infected victim’s browser to enable web-injections on online banking sites” states the report.
As usually happens in these cases, the birth of the new GozNym malware resulted from the availability of the source codes of the Nymaim and Gozi ISFB threats.
We will continue to follow the evolution of the new malicious code.
Anti-Encryption Bill Released, would Kill your Privacy and Security
14.4.2016 Safety
The United States anti-encryption bill will kill your Privacy.
In the wake of the Apple vs. FBI case, two leading Intelligence Committee Senators have introduced an anti-encryption bill that would effectively ban strong encryption.
Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) released the official version of their bill today in response to concerns that criminals and terrorists are increasingly using encrypted devices to hide their plans and plots from authorities.
As its name suggests, the Compliance with Court Orders Act of 2016 [PDF] would require people and technology firms like Apple and Google to comply with court orders to decrypt phones and its data.
The draft copy of the Burr-Feinstein proposal was leaked last week, which has already faced heavy criticism from both the technology and legislative communities. Even the White House has declined to support the bill.
The official version of the anti-encryption bill seems to be even worse than the discussion draft.
The draft proposed that the orders could only be issued for crimes resulting in death or serious bodily harm, terrorism and espionage, Federal drug crimes, crimes against minors, or severe violent felonies.
However, the official version of the bill permits federal agencies to access the data they want under a court order.
No Individual or Company is Above the Law
The new bill would apply to:
Device manufacturers
Electronic communication services
Software manufacturers
Remote communication services
Providers of remote communication services
Providers of wire or electronic communication services
Any person who provides a product or method to facilitate communication or to process or store data.
That is a pretty wide list, Isn't that?
The senators say "the underlying goal [of the bill] is simple: when there's a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out."
Vice Chairman Feinstein stressed, "No individual or company is above the law."
Government Backdoor in Every Phone
Privacy advocates are worried about the possible effects of the bill, if successfully passed. According to the American Civil Liberties Union (ACLU), the bill is a "clear threat to everyone's privacy and security" and that the senators "should abandon their efforts to create a government backdoor."
Though we strongly believe that the bill won't pass, if passed, your data will be secured, but with a 'Backdoor' that can be accessed by the law enforcement to decrypt your data with a court order.
Skončila podpora pro SQL Server 2005, jeho provozování může být nebezpečné
14.4.2016 Hrozby
Včera skončila rozšířená podpora všech edic databázového systému SQL Server 2005, oznámil Microsoft. V praxi to znamená, že na tento systém již nebudou vydávány žádné bezpečnostní opravy a aktualizace.
Využívání nepodporovaného řešení s sebou samozřejmě nese možné komplikace souladu s potřebnými předpisy a normami daného odvětví a vyšší náklady na údržbu teď už zastaralého systému.
Zákazníci mají podle Microsoftu možnost přejít na řešení SQL Server 2014 nebo na cloudové řešení Azure SQL Database (pokud samozřejmě chtějí zůstat na platformě ohoto dodavatele).
V březnu byly také představené klíčové funkce nadcházející verze SQL Server 2016, jež zákazníkům přinese zvýšenou bezpečnost dat i poměrně výrazné zvýšení výkonu (30-100krát).
S novou verzí SQL Serveru navíc podle výrobce půjde využívat BI řešení na jakémkoliv zařízení či se bude možné propojit s cloudovými službami pro snížení nákladů či lepší škálovatelnost.
Journalist Matthew Keys gets 2-Year Prison term for helping Anonymous Hackers
14.4.2016 Hacking
Former Reuters journalist Matthew Keys, who was convicted last year of helping the Anonymous group of hackers, has been sentenced to 24 months in prison for computer hacking charges.
Keys was found guilty last year in October of giving Anonymous login credentials that allowed the group to deface the Los Angeles Times, a Tribune Media-owned newspaper, back in 2013.
After leaving the job at Tribune Company-owned Sacramento KTXL Fox 40 in 2010, Keys posted login credentials for the company's content management system (CMS) on a chatroom where hacking collective Anonymous planned out their operations.
The hacking collective then logged into the CMS and defaced an LA Times article that remained defaced for about 40 minutes before a journalist noticed and changed it back – though Keys still denies all allegations.
Keys faced a possible sentence of up to 25 years for three counts of hacking charges under the Computer Fraud and Abuse Act.
Although the US Attorney General's office recommended a 5-year sentence, Keys has been condemned to two years in jail that will be followed by 2 years of supervised release.
Keys is set to surrender on June 15, 2016. After sentencing, Keys went on Twitter and wrote: "When we do appeal, we're not only going to work to reverse the conviction, but try to change this absurd computer law, as best we can."
In a blog post published on Medium, Keys also said that he was innocent and that the charges against him are "baseless, absurd and entirely wrong." He also said he is committed to journalism no matter what happens.
"Whatever happens today, I hope I am able to continue serving the public with important stories of interest," Keys wrote. "Journalism is all I am good at, and I am not exactly sure what I will do if I am not able to do it anymore."
The Keys' case has drawn wide scale attention of media as he served as a deputy social media editor at Reuters. After he had been charged with the hacking crime in March 2013, Keys was released by Reuters from his position.
CISCO fixed a high risk security flaw in the UCS software
14.4.2016 Vulnerebility
CISCO has recently issued a security update to fix a high-risk security vulnerability affecting the UCS software and exploitable with a simple HTTP poke.
Cisco has recently patched a “high” risk security vulnerability (CVE-2016-1352) affecting its Unified Computing System (UCS) Central Software that could allow a remote attacker to gain remote control of the machines.
cisco UCS
According to the CISCO advisory the flaw resides in the Unified Computing System web framework and a remote unauthenticated attacker can trigger it to execute arbitrary commands on the targeted UCS control server by sending it a specially crafted HTTP request.
“A vulnerability in the web framework of Cisco Unified Computing System (UCS) Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on a targeted system.” states the CISCO advisory
“The vulnerability is due to improper input validation by the affected software. An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system.”
The vulnerability has been reported by the security researcher Gregory Draperi.
The Unified Computing System software is designed to manage a large number of Cisco UCS servers at a time in data centers, this means that if the remote attacker is able to compromise it can theoretically open a door within the targeted network and easily move laterally.
Organizations running UCS Central Software versions 1.3(1b) and earlier need to update them to solve the problem.
The good news is that the Cisco Product Security Incident Response Team (PSIRT) is not aware of any attacks in the wild that exploited the vulnerability in the Unified Computing System.
iOS date bug could be triggered over Wi-Fi spoofing an NTP server
14.4.2016 Apple
A couple of security experts demonstrated that iOS date bug was still present in iOS devices and it was exploitable by spoofing an Apple NTP server.
Do you remember the Apple iOS date bug?
In February, the security community highlighted the existence of the embarrassing problem for Apple iOS mobile devices running 64-bit iOS 8 or higher, the issue affects the Apple iOS date and time system and could be triggered by setting the date to January 1, 1970. The news appeared in Reddit discussions warning users about a flaw that could brick iPhone forever.
“Setting the date of your iPhone to January 1st, 1970 will brick your device, according to users across the web and confirmed by iClarified. The bug will affect any 64-bit iOS device that is powered by the A7, A8, A8X, A9, and A9X. 32-bit iOS devices are reportedly not affected by this issue.” reported iClarified.
Meanwhile on Reddit the users warned other Apple users sharing the following message:“When the date of a 64-bit iOS device is set to January 1, 1970, the device will fail to boot. Connecting the device to iTunes and restoring the device to factory defaults will not put the device back in working order. Instead, a physical repair is required. When connected to public Wi-Fi, iPhone calibrates its time settings with an NTP server. Theoretically, attackers can send malicious NTP requests to adjust every iPhone’s time settings to January 1, 1970, hence brick every iPhone connected to the same network.According to /u/sarrius, worldwide Apple Store are being made aware that disconnecting the battery and reconnecting fixes the issue. It should be common knowledge to all stores worldwide by tomorrow.”
Apple issued a patch to fix the problems, but according to experts Matt Harrigan from PacketSled and Patrick Kelley from Critical Assets the issue could be still exploited remotely.
The problem, this time, affects the way the device manage the network time protocol (NTP), an attacker can spoof time server domains in order to trigger the issue.
The attacker can spoof the time server time.apple.com to send a “malicious” day’s timestamp that trigger the issue.
“Research from PacketSled and Patrick Kelley, CISSP, CEH, MCP at Critical Assets proves it possible to remotely brick iDevices over-the-air. The team built the exploit based on Zach Straley’s research which exposed a flaw in iOS when a user to manually set the date of an iPhone or iPad to January. 1, 1970.” states a blog post published on PacketSled.
In the video PoC published by the experts they demonstrate how set up a bogus Wi-Fi hotspot with a Raspberry Pi that spoof an Apple’s NTP servers to pass the 1/1/1970 date that triggers the iOS date bug.
iOS date bug Raspberry
When the device receives the data it reach an unstable state associated with a high temperature of the mobile (up to 54°C) that brick it.
“This starts a chain reaction of software instability resulting in an observed temperature up to 54°C… which is hot enough to brick a device.” continues the post.
The duo will publish soon a detailed paper on their test.
Apple solved the issue in the last iOS 9.3.1 update.
Also the FBI Director Comey puts a tape over the webcam
14.4.2016 Safety
During the Q&A session at Kenyon College last week, the FBI Director explained that he uses tape to mitigate the danger of cyber espionage.
Privacy and security are top priorities for some security experts that are aware of threat actors’ capabilities, so I’m not surprised that the FBI Director James Comey uses to cover his laptop webcam with a tape.
During the Q&A session at Kenyon College last week, the FBI Director explained that he uses tape to mitigate the danger of cyber espionage. It’s clear that the FBI Director Comey fears possible hacking campaign operated by nation-state hackers, Russia and China are most dreaded adversary in this sense.
During his speech, Comey has remarked in many passages that “absolute privacy” is a serious obstacle for the investigations conducted by the law enforcement.
In December, the FBI Director suggested the implementation of encryption techniques that could help authorities to defeat the end-to-end encryption used to protect the communications.
“The government doesn’t want a backdoor, but [it] hopes to get to a place where if a judge issues an order, the company figures out how to supply that information to the judge and figures out on its own the best way to do that,” said Comey in December. “It is a business model question,” he said. “The question we have to ask is: Should they change their business model?”Comey asking for the IT firms to be compliant with court orders by choosing the appropriate technology.
FBI Director Comey
Source Kenyon.edu
During the speech at the Kenyon College, Comey admitted fearing smarter hackers that could gain the control of the web camera in his personal laptop.
“I saw something in the news, so I copied it. I put a piece of tape — I have obviously a laptop, personal laptop — I put a piece of tape over the camera. Because I saw somebody smarter than I am had a piece of tape over their camera,” reported NPR.
Below the hilarious tweet published by the ACLU chief technologist Christopher Soghoian.
Comey is aware that a nation-state hackers could use zero-day exploits to hack his computer and access any its resource, even the webcam. The Federal Bureau of Investigation (FBI) itself has in its arsenal malicious codes that are able to carry on surveillance activities of this type.
In February 2014, a new collection of documents leaked by Edward Snowden revealed the existence of a surveillance program codenamed Optic Nerve that was operated by the Five Eyes intelligence agencies since 2008.
The news was reported by The Guardian, Optic Nerve is a program that allowed the GCHQ agency to collect images from webcam from more than 1.8 million Yahoo user accounts globally in a six-month period in 2008 alone.
” The collection of webcam material was probably secured by getting an “external warrant” under paragraph four of section 8 of Ripa.” “But section 8 permits GCHQ to perform more sweeping and indiscriminate trawls of external data if a minister issues a “certificate” along with the warrant. It allows ministers to sanction the collection, storage and analysis of vast amounts of material, using technologies that barely existed when Ripa was introduced.” reported The Guardian.
You must be aware that intelligence agencies have a number of weapons in their arsenal to target you. It is quite easy for them compromise your computer and exfiltrate sensitive data … and a tape on your webcam will not save you.
Microsoft pomocí hardwaru výrazně vylepší zabezpečení Windows 10
14.4.2016 Zabezpečení
Od konce července 2016 budou muset všechny nové počítače, tablety a smartphony s Windows 10 splňovat standard TPM 2.0. Microsoft tímto způsobem chce výrazně zvýšit zabezpečení těchto zařízení.
Snaha Microsoftu o vylepšení ochrany dat systémů s Windows 10 tentokrát dopadla na samotné výrobce hardwaru. Dodavatel operačního systému totiž bude využívat hardwarově koncipovanou funkci TPM (Trusted Platform Module) 2.0 a stanovil i minimální požadavky na zařízení s Windows 10 – a ty požadují, aby výrobci osadili svá zařízení příslušným čipem či firmwarem.
Čipy TPM jsou už dostupné řadu let, a to především v podnikových verzích osobních počítačů. Verze 2.0 ale nabídne hardwarovou vrstvu pro ochranu uživatelských dat, a to tak, že bude sama spravovat a ukládat kryptografické klíče v důvěryhodném úložišti (kontejneru).
„Požadavek na TPM se bude vynucovat prostřednictvím našeho programu Windows Hardware Certification," tvrdí Microsoft v blogu na svých stránkách.
Výrobci hardwaru tak budou muset do svých zařízení implementovat TPM 2.0, a to buď formou speciálního čipu, anebo prostřednictvím firmwaru. Funkce TPM přitom musí být defaultně aktivovaná, i když zatím není úplně jasné, zda tuto funkcionalitu budou moci uživatelé dodatečně zrušit.
TPM by mělo podle expertů vést ve Windows 10 k širšímu využívání dvoufaktorové autentizace pro zalogování do PC, aplikací či webových služeb. Například Windows Hello, což je biometrický autentizací systém Microsoft využívající tvář, otisk prstu či rozpoznání oční duhovky, bude nově možné spolu se šifrovanými klíči v TPM spolehlivě využívat k plnohodnotné autentizaci uživatelů.
Spousta firemních notebooků či tabletů s procesory od Intelu už TPM 2.0 zahrnuje, levnější PC ale zpravidla TPM nenabízejí, což se od 28. července musí změnit. A podobně jsou na tom i smartphony. TPM ale i nadále nebude muset být v mini-počítačích typu Raspberry Pi 3.
„Jendoznačným cílem je vytvořit z PC mnohem zabezpečenější platformu,“ tvrdí Kevin Krewell, analytik Tirias Research. Windows podle něj totiž dnes představuje jeden z nejméně chráněných operačních systémů.
Bezpečnostní experti vyzráli na vyděračský virus. K datům se dostanou i bez výkupného
14.4.2016 Viry
Na konci března začali počítačoví piráti hojně šířit nový vyděračský virus Petya. Na něj byla většina antivirových programů krátká, protože tento škodlivý kód byl v šifrování dat na pevném disku daleko rychlejší než jeho předchůdci. Bezpečností experti však nyní přišli na způsob, jak uživatelům data neporušená vrátit.
Vyděračských virů existuje nepočítaně, prakticky všechny ale pracují stejným způsobem. Poté, co se škodlivý kód uhnízdí v cizím počítači, zašifruje všechna uložená data na pevném disku a vyděrači za jejich zpřístupnění chtějí pod různými záminkami zaplatit výkupné.
To přitom nebývá vůbec nízké, zpravidla chtějí jeden bitcoin, tedy v přepočtu víc než deset tisíc korun. Zmiňovanou virtuální měnu nevolí náhodou, prakticky se totiž nedá vystopovat, což značně znesnadňuje odhalení počítačových pirátů.
Výkupné neplatit. Nikdy
Výkupné by ale lidé rozhodně platit neměli. Protože ani po odeslání peněz útočníkům se zpravidla ke svým datům nedostanou. Kyberzločinci jednoduše shrábnou peníze a už se neozvou.
Místo placení výkupného je nutné virus z počítače odinstalovat. Problém ale představují zašifrovaná data, ke kterým se většinou uživatelé už nedostanou.
V případě vyděračského viru Petya nicméně bezpečnostní experti ze serveru Heroku udělali průlom. Prolomili šifrování, které tento nezvaný návštěvník používá. Uživatelům tak dokážou uložená data rozkódovat, respektive opět zpřístupnit. A nechtějí za to ani korunu.
Klíč k odšifrování dat zveřejnili na svých stránkách. Do dekódování dat by se nicméně pro jistotu neměli pouštět méně zkušení uživatelé. Vhodnější je tuto činnost svěřit do rukou odborníků.
Na rychlosti záleží
Petya dělala bezpečnostních expertům vrásky na čele, protože pracovala daleko rychleji než podobné vyděračské viry. Ty potřebují na zakódování všech uložených dat poměrně dost času, klidně i několik hodin. Během toho může jejich práci zachytit antivirový program a zablokovat je ještě dřív, než v počítači nadělají nějakou větší neplechu.
Petya však nešifrovala všechna data, ale pouze tzv. MBR. Jde o hlavní spouštěcí záznam, díky kterému se v podstatě spouští celý operační systém. K zašifrovanému záznamu pak počítač nemá přístup a místo Windows spustí jen hlášku o nutnosti zaplatit výkupné.
Na zašifrování MBR přitom Petya potřebovala pouze pár sekund, proto antiviry prakticky neměly šanci škodlivý kód zachytit, jak Novinky.cz informovaly již dříve.
Microsoft opravoval závažné chyby, stáhněte si záplaty
14.4.2016 Zdroj: Živě Zranitelnosti
Microsoft opět uvolnil nadílku bezpečnostních záplat, kterými opravoval závažné i méně závažné chyby ve svých produktech.
Prostor opět dostaly oba internetové prohlížeče, kterými Microsoft disponuje. V obou případech jde o kritické aktualizace. Záplata, která se týká Microsoft Edge, řeší několik chyb, viz Microsoft Security Bulletin MS16-038 (další informace k záplatě).
V případě prohlížeče Internet Explorer se muselo mimo jiné korigovat, jakým způsobem prohlížeč validuje vstupy před nahráváním DLL knihoven i způsob nakládání s objekty v paměti. Záplata je označena jako kritická pro verzi 9 a vyšší je blíže popsána zde: Microsoft Security Bulletin MS16-037.
Problém s fonty i Office
Několik závažných bezpečnostních chyb bylo také třeba záplatovat v grafické komponentě Windows. Kvůli chybě ve způsobu, jakým se zpracovávají upravené vložené fonty však může dojít až ke spuštění škodlivého kódu na počítači nebo jeho ovládnutí. Typicky tak, že uživatel otevře dokument nebo webovou stránku obsahující speciálně upravené vložené fonty. Záplata je kritická nejen pro všechny podporované vydání Windows, ale i .NET Framework, Skype for Business 2016, Microsoft Lync 2013 a Microsoft Lync 2010, viz Microsoft Security Bulletin MS16-039.
Kritickou záplatu si vyžádal i problém odhalený a opravený v Microsoft XML Core Services v rámci Windows. Záplata je kritická pro Microsoft XML Core Services 3.0 na všech podporovaných verzích Windows. Koriguje se jí způsob, jakým MSXML parser zpracovává uživatelské vstupy (Microsoft Security Bulletin MS16-040).
V dubnu byly vydány ještě dvě důležité aktualizace. Jedna se týká kancelářského balíku Office (Microsoft Security Bulletin MS16-042). Záplata, která se týká celého spektra Office produktů upravuje způsob, jakým balíček zachází s objekty v paměti.
Záplatovaný Flash Player i .NET Framework
Dále byla ještě vydána aktualizace pro Adobe Flash Player, přičemž se týká i Windows 10. Onou záplatou se aktualizují (opravují) všechny problematické knihovny Adobe Flashe v rámci prohlížečů Internet Explorer 10, Internet Explorer 11 i Microsoft Edge - Microsoft Security Bulletin MS16-050.
Zbývající záplaty od Microsoftu mají maximální stupeň důležitý. Najdeme mezi nimi například záplatu, která opravuje problém v Microsoft .NET Frameworku. Je důležitá pro Microsoft .NET Framework 4.6 a Microsoft .NET Framework 4.6.1 -Microsoft Security Bulletin MS16-041.
S dalšími záplatami se řešil například problém ve Windows OLE (nekorektně fungující validace uživatelských vstupů) - Microsoft Security Bulletin MS16-044, ve Windows Hyper-V - především na 64-bitových platformách (Microsoft Security Bulletin MS16-045) i ve Client-Server run-time Subsystem (Csrss) v rámci Windows. K zneužití chyby je však třeba, aby se útočník přihlásil na dané zařízení a spustil na něm speciálně upravenou aplikaci - Microsoft Security Bulletin MS16-048.
Zároveň vyšla i nová verze bezplatného bezpečnostního funkce Microsoft Malicious Software Removal Tool. Pro tento měsíc je dostupné vydání s označením 5.35.
The Qbot malware is back with new evasion techniques
14.4.2016 Virus
Experts at BAE Systems revealed that the Qbot malware is back with new evasion techniques and very effective polymorphic capabilities.
Security experts at BAE Systems revealed that the Qbot malware is back, they discovered 54,517 infected machines most of them located in the United States (85%). Qbot first appeared in 2009 when was detected by Symantec, the new variant implements new features, including an advanced evasion technique.
Qbot, aka Qakbot, is a data stealer worm with backdoor capabilities. It is an old threat and was well-described by Symantec back in 2009.
The new variant is directly derived from the original Qbot source code that was improved in a significant way. The worm is able to infect all Windows versions, but it caused the system crash for XP machines.
“While all versions of Microsoft Windows the worm touched in the attack were compromised, a number of Windows XP machines crashed and failed to restart: despite its renewed potency, the programmers behind Qbot hadn’t built their bot to be compatible with older versions of Windows.” states the report.
The Qbot worm is spreading through compromised websites hosting the Rig Exploit Kit.
“In December 2015, several researchers reported that websites hosting the Rig Exploit Kit were serving an updated version of Qbot.” continues the report.
The experts discovered samples of Qbot that targeted US academic institutions and hospitals.
It is interesting to note that the new Qbot has the ability to traverse a network and spread its replica. The new variant of the worm is characterized by polymorphic capabilities that allow it to evade AV software.
“This level of polymorphism is carried out by the ‘gateway’ PHP script that runs on the C&C. Each time a new sample is retrieved, the C&C script will patch two large blobs within the binary template with randomly generated data to produce a new copy that will always have a different hash,” states the BAE report.
The polymorphic code of the worm is updated via a command and control servers, it is recompiled at regular interval.
“As can be seen the increment of the version number is quite linear. The incremented versions are not always ‘released’, that is, pushed for download from the C&C. For instance, there are days when two updated versions are released, having an increment in the minor version number of up to nine. We can assume that there is a separate pipeline that automatically re-compiles and re-encodes updated versions. This pipeline produces a new version approximately every six hours. The attackers then take the next available version from the pipeline and make it available for the bot upgrade from the C&C through the ‘updbot’ function.” states the post.
Unfortunately, the threat is rapidly spreading, the infection rate increasing at a fast pace.
Give a look to the report, it is full of interesting data.
So, FBI Director also Puts Tape Over His Webcam
13.4.2016 Safety
What do you do to protect your 'Privacy' while using your computer?
FBI Director James Comey uses tape to cover up his laptop webcam to ensure Privacy.
Yes, you heard it right. During the Q&A session at Kenyon College last week, Comey said that he uses tape to cover his laptop webcam in order to mitigate the danger of secret surveillance.
While giving a speech about encryption and privacy, Comey repeated his argument that "absolute privacy" hampers the law enforcement and has never existed in America – until now, when by default encryption offered by big tech giants created boundaries where law enforcement can't enter, even with a court order.
This isn't the first time Comey made this kind of statement. Comey has always suggested tech companies to adopt encryption techniques that help federal agencies intercept end-to-end encrypted communications when necessary.
But after his speech, Comey said something that generated hilarity on social media:
"I saw something in the news, so I copied it. I put a piece of tape — I have obviously a laptop, personal laptop — I put a piece of tape over the camera. Because I saw somebody smarter than I am had a piece of tape over their camera," reported NPR.
Comey’s worry about webcams is reasonable, especially when the Federal Bureau of Investigation (FBI) itself has used malware to hack into webcams to spy on targets.
On one hand Comey argues that the companies should not make devices that are unhackable to law enforcement, but on the contrary, he is doing exactly the same with his personal webcam.
So why is he having a double standard for his own privacy?
ACLU chief technologist Christopher Soghoian has a good example:
"FBI Director Comey has created a "warrant-proof webcam" that will thwart lawful surveillance should he ever be investigated. Shame on him," Soghoian tweeted.
However, keeping aside the hypocrisy of Comey, tapping your laptop's webcam is a good take away for you to adopt, as we know the ability of the FBI and NSA (National Security Agency) to spread malware and turn on webcam to spy on targets.
Edward Snowden Leaks revealed the NSA's Optic Nerve project that carried out to capture webcam images every five minutes from random Yahoo users. In just 6 months, 1.8 million users' images were captured and stored on the government servers in 2008.
Though putting a tape over the lens of your webcam would not stop hackers or government spying agencies from recording your voice, at least this would prevent them watching or capturing your live visual feeds.
Hacking Samsung Galaxy via Modem interface exposed via USB
13.4.2016 Mobil
Modems in a number of Samsung Galaxy devices are open to receiving AT commands over the USB cable even when they are locked
Do you know that modems in a number of Samsung Galaxy devices are open to receiving AT commands over the USB cable even when they are locked?
The circumstance is serious if we consider that is is very common to leave a locked phone on their desk believing that no one could access it.
A number of researchers and users are discussing the issue on Github, in particular, security experts Roberto Paleari and Aristide Fattori reported that devices connected via USB to a computer automatically expose, or can be forced to do it, a serial interface that interacts directly with the USB modem.
“This communication channel is active even when both USB tethering and USB debugging (i.e., ADB) are disabled,” they write, “and can be accessed even when the device is locked. An attacker who gains physical access to a (possibly locked) device can thus use this interface to send arbitrary AT commands to the modem. This permits to perform several actions that should be forbidden by the lock mechanism, including placing phone calls or sending SMS messages.”
Older mobile devices expose the USB serial modem by default, meanwhile, newer phones need to be forced, in this last scenario it is not necessary that the phone is unlocked.
In the case of old Samsung mobile and firmware versions (i.e. the GT-I9192 (Samsung S4 Mini with build I9192XXUBNB1)), is is sufficient to plug the smartphone into a Linux host to expose a usb serial modem which is then accessible by using the corresponding Linux device (e.g., /dev/ttyACM0). Once established the connection to the modem it is possible to send certain AT commands. The attacker can perform a number of operations exploiting this connection, using the AT command AT+USBDEBUG command he enables USB debugging, and AT+WIFIVALUE enables the device’s Wi-Fi.
The security duo developed a proof-of-concept to analyze the attack scenario.
“For our PoC we developed a very rough C tool, usbswitcher, that switches any attached Samsung device to USB configuration #2 (this is fine for the devices we tested, but your mileage might vary). The tool uses libusb to do the job, but the same task can probably be accomplished using the /sys/bus/usb pseudo-filesystem.
The trick we used to force the phone to switch the configuration is to first reset the USB device (via usb_reset()), and then switching the configuration (via usb_set_configuration()). Sometimes it doesn’t work at the first try, so just run usbswitchertwice to ensure the configuration is switched properly :-)”
On newer mobile and firmware versions the situation is more complex as explained by the researchers.
“Exploitation of this vulnerability on more recent firmware versions (e.g., latest versions of the Samsung S4 and Samsung S6 software) is not so straightforward: in the default configuration, when the device is connected it exposes to the host only a MTP interface, used for file transfer.
However, we discovered that an attacker can still access the modem by switching to secondary USB configuration. As an example, consider our test Galaxy S6 device. When USB debugging is off, the device exposes two USB configurations, with the CDC ACM modem accessible via configuration number 2.”
The possible consequences of the attack are obvious, the access to the modem allows the attacker to make phone calls and send SMS messages. The command ATD+123456 allow to starts a phone call to +123456, even when the device is locked.
Below the list of devices tested by the duo:
SM-G920F, build G920FXXU2COH2 (Galaxy S6)
SM-N9005, build N9005XXUGBOK6 (Galaxy Note 3)
GT-I9192, build I9192XXUBNB1 (Galaxy S4 mini)
GT-I9195, build I9195XXUCOL1 (Galaxy S4 mini LTE)
GT-I9505, build I9505XXUHOJ2 (Galaxy S4)
Windows 10 Blue Screen of Death Gets QR Code
13.4.2016 OS
If you are a Microsoft’s Windows user, you may have encountered the infamous Blue Screen of Death (BSOD).
The Blue Screen of Death generally appears when Windows encounters any critical error due to software or hardware issues, displaying a sad face and no information other than "Your PC ran into a problem."
However, now the company is apparently giving its infamous Blue Screen of Death a makeover.
With the Microsoft's Anniversary Update, the company is making the Blue Screen of Death a little helpful for its users.
Microsoft is adding QR code to its Blue Screen of Death (BSOD) in Windows 10 that will make it easier for users to identify potential issues with their devices.
The new QR codes are featured in the Redmond's latest Windows 10 Preview, Build 14316, which will debut this summer as the Windows 10 Anniversary Update.
Must Read: Step-by-Step Tutorial to Run Ubuntu on latest Windows 10 Preview Build.
Now, when your operating system fails, you will see not just a sad face, but a QR code that would be helpful in two ways:
You would be able to scan this code with your smartphone and be directed to a Web page that could include the details on the encountered error.
You could also call Microsoft support to figure out the problem by determining the source of the bug based on the specific QR code and even help you troubleshoot or fix it.
Though the change is not groundbreaking one, it will surely benefit millions of Windows 10 users whose hearts stop for a while when their screen goes blue.
The BSOD QR codes are expected to come out this summer when Microsoft releases the Windows 10 Anniversary Update.
Microsoft's Anniversary Update for Windows 10 will bring a lots of new features, including Ubuntu file system that will allow you to use Bash to run command-line Linux applications without a virtual machine.
How many of you think the BSOD QR codes would be useful?
Let me know in the comments below.
Apple iMessage flaw exposed chat history and more with a single click
13.4.2016 Apple
A group of security researchers has found a security flaw in the Apple iMessage that exposed chat history and sensitive data with a single click.
Recently WhatsApp has introduced the end-to-end encryption to protect its users from eavesdropping, many other companies are adopting the technical improvement, but there are some circumstances that still open their customers to cyber attacks.
This is the case of the Apple Messages app, aka iMessage, the company, in fact, has now solved a security vulnerability (CVE-2016-1764) in its Messages app that exposed chat history, including photos and videos, if the user could be tricked into clicking a malicious link with a social engineering attack.
The bug in the Apple Messages app was discovered six months ago and affected both laptop and desktop computers, the company fixed the vulnerability with a software update issued on March 21.
“Messages – Available for: OS X El Capitan v10.11 to v10.11.3
Impact: Clicking a JavaScript link can reveal sensitive user information
Description: An issue existed in the processing of JavaScript links. This issue was addressed through improved content security policy checks.
CVE-ID – CVE-2016-1764 : Matthew Bryan of the Uber Security Team (formerly of Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox” states the security advisory issued by Apple.
Last Friday, the security experts that have found the issue disclosed more details about the vulnerability and published a proof-of-concept code.
“CVE-2016-1764, fixed by Apple in March of 2016, is an application-layer bug that leads to the remote disclosure of all message content and attachments in plaintext by exploiting the OS X Messages client. In contrast to attacking the iMessage protocol, it is a relatively simple bug. You don’t need a graduate degree in mathematics to exploit it, nor does it require advanced knowledge of memory management, shellcode, or ROP chains. All an attacker requires is a basic understanding of JavaScript.” explained the team in a blog post.
Below a video PoC published by the team.
The experts highlighted that the flaw did not affect the iMessage protocol, but it resides in the “client” software, the Apple’s iMessage. The unique versions affected by the issue are the ones that came with the El Capitan OS X, other Apple devices are not affected.
The attack is very dangerous because it could result in the theft of sensitive data and could be exploited remotely tricking users into clicking a specially crafted hyperlink arriving via instant message.
When the victim clicks on the link, a malicious JavaScript code is executed, this happens because the iMessage doesn’t implement properly the “sandboxing” mechanism. The attack not only allows the access of local data, if the target had synced their device to the iCloud, the attacker could gain access to all of their SMS text messages.
“The only user interaction required for a successful attack is a single click on a URL. Furthermore, if the victim has the ability to forward text messages from their computer (SMS forwarding) enabled, the attacker can also recover any messages sent to or from the victim’s iPhone.” states the team.
The researchers explained that the flaw resides in the iMessage implementation of the open source web-browser engine WebKit, and app’s ability of execute web scripts. Unfortunately, the Webkit feature is implemented by many other Web apps.
Apple applied a simple fix by blocking all hyperlinks containing JavaScript.
Is there electronic warfare behind the block of Swedish air traffic control systems?
13.4.2016 Security
Swedish experts warned of an electronic warfare attack on its air traffic control systems occurred in November. Is it electronic warfare?
Swedish experts suspect that the attack on its air traffic control systems last November was operated by Russian nation-state hackers, the Arlanda, Landvetter and Bromma airport reported the major problems.
The Swedish experts believe the cyber attacks were carried out by an elite hacking crew linked to the Russian military intelligence service GRU (Main Intelligence Directorate).
The attack had a significant impact on the country, the national air traffic control systems were unavailable on November 4, 2015. The air traffic controllers were unable to use their computers resulting in the cancellation of several domestic and international flights.
The official cause of the problems provided by the Swedish Civil Aviation Administration is a solar storm, but according to the Norwegian news agency aldrimer.no, Swedish experts notified NATO about a series of serious cyber attacks targeting the country.
A solar storm was really observed in the same period, but experts believe the Russians military might have been using it as a cover to test their electronic warfare capabilities on a live target.
“The message was passed on to NATO either by Sweden’s National Defence Radio Establishment (Försvarets radioanstalt, FRA) or the Swedish Military Intelligence and Security Service (Militära underrättelse- och säkerhetstjänsten, MUST),” a senior NATO source (who unsurprisingly asked to remain anonymous) told aldrimer.no.
Despite The Swedish Government is not in the NATO, the information about the attacks was shared with the organizations with representatives of neighboring countries (Norway and Denmark).
“… sources tell aldrimer.no that Swedish authorities at the same time sent urgent messages to NATO saying Sweden, which is not a member of the alliance, was under a serious cyber attack. Two separate warnings are thought to have been issued, then relayed to several NATO allies, including Norway and Denmark. The information provided by Sweden indicated that the Swedes believed the cyber attack was led by a so-called APT group (Advanced Persistent Threat) which previously has been linked to the Russian military intelligence service GRU.” states the aldremer.
The experts expressed their concerns about the possible further cyber attacks on that state power company Vattenfall.
The incident occurred in Sweden reportedly coincided with Russian electronic warfare activity in the Baltic Sea region. The activities included jamming attacks originated in Kaliningrad, in the south of Lithuania.
The jamming activities also targeted air traffic communication channels that might have resulted in the block of the Swedish air traffic control systems.
“At the time Sweden is believed to have issued a cyber attack warning, NATO reportedly detected Russia electronic warfare activity in the Baltic Sea region. Sources tell aldrimer.no that the activity included jamming of air traffic communication channels. The signals were reportedly traced to a large and fairly new radio tower located in the Russian enclave of Kaliningrad, south of Lithuania.
When aldrimer.no contacted national Computer Emergency Response Team (CERT) centres in Norway, Denmark, Finland, Estonia, Latvia and Lithuania about the possible cyber attack, they all declined to comment.”
The Sweden’s civil aviation administration is currently still investigating the event.
WebUSB API — Connect Your USB Devices Securely to the Internet
13.4.2016 Security
Two Google engineers have developed a draft version of an API called WebUSB that would allow you to connect your USB devices to the Web safely and securely, bypassing the need for native drivers.
WebUSB – developed by Reilly Grant and Ken Rockot – has been introduced to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG), is build to offer a universal platform that could be adopted by browser makers in future versions of their software.
Connecting USB Devices to the Web
WebUSB API allows USB-connected devices, from keyboards, mice, 3D printers and hard drives to complex Internet of Things (IoTs) appliances, to be addressed by Web pages.
The aim is to help hardware manufacturers have their USB devices work on any platform, including Web, without having any need to write native drivers or SDKs for a dedicated platform.
Besides controlling the hardware, a Web page could also install firmware updates as well as perform other essential tasks.
However, the draft API (Application Program Interface) is not meant to be used for transferring files to or from flash drives.
"With this API hardware manufacturers will have the ability to build cross-platform JavaScript SDKs for their devices," Google engineers wrote in the draft project description.
"This will be good for the Web because, instead of waiting for a new kind of device to be popular enough for browsers to provide a specific API, new and innovative hardware can be built for the Web from day one."
Privacy and Security Concerns
The Google engineers also outlined security concerns.
WebUSB will include origin protections, like a type of the Cross-Origin Resource Sharing (CORS), to restrict the Web pages from requesting data from other domains except the one from where they originate.
This means a Web page could not be able to exploit your USB device to access your PC, or your important files or any files that your computer or the USB device itself may hold.
To address the issue of USB devices leaking data, WebUSB will always prompt the user to authorize a website or web page in order to detect the presence of a device and connect to it.
For now, the WebUSB is only a draft of a potential specification, which hasn't been officially adopted by W3C. WebUSB remains a work in progress at the current, though you can check out the full WebUSB codebase on GitHub.
How to decrypt Petya Ransomware for Free
13.4.2016 Virus
Ransomware has risen dramatically since last few years and is currently one of the most popular threats on the Internet.
The Ransomware infections have become so sophisticated with the time that victims end up paying ransom in order to get their critical and sensitive data back.
But if you are infected with Petya Ransomware, there is good news for you.
You can unlock your infected computer without paying the hefty ransom. Thanks to the Petya author who left a bug in the Ransomware code.
What is Petya Ransomware?
Petya is a nasty piece of ransomware that emerged two weeks ago and worked very differently from any other ransomware.
The ransomware targets the victims by rebooting their Windows computers, encrypting the hard drive's master boot file, and rendering the master boot record inoperable.
Also Read: How to Decrypt CoinVault and Bitcryptor Ransomware
A master boot record (MBR) is the information in the first sector of any hard disk that identifies how and where an OS is located while a master boot file is a file on NTFS volumes that includes the name, size, and location of all other files.
Once done, the infected PC restarts and the Petya ransomware code is booted rather than the operating system, displaying a ransom note that demands 0.9 Bitcoin (approx. US$381) in exchange for the decryption key to recover the system's files.
Now, without the decryption password, the infected PC would not boot up, making all files on the startup disk inaccessible.
However, a researcher who goes by the Twitter handle @leostone has developed a tool that generates the key Petya requires decrypting the master boot file.
Here's How to Unlock your Petya-infected Files for Free
The researcher discovered a weakness in the nasty malware's design after Petya infected his father-in-law's PC.
According to security researcher Lawrence Abrams from the Bleeping Computer, the key generator tool developed by Leostone could unlock a Petya-encrypted PC in just 7 seconds.
In order to use the Leostone's password generator tool, victims must remove the startup drive from the Petya affected computer and connect it to another Windows computer that's not infected.
The victim then needs to extract data from the hard disk, specifically:
the base-64-encoded 512 bytes that start at sector 55 (0x37h) with an offset of 0.
the 64-bit-encoded 8-byte nonce from sector 54 (0x36) offset 33 (0x21).
This data then needs to be used on this Web app (mirror site) created by Leostone to generate the key. The victim will then retrieve the key Petya used to decrypt the crucial file.
Here's a Simple Tool to Unlock your Files For Free
Since the Leostone's tool is not a straight-forward method, extracting the encrypted data is not easy for many victims.
The good news is that Fabian Wosar, a separate researcher, has created a free tool called the Petya Sector Extractor that can be used to easily extract the data in seconds.
In order to use Petya Sector Extractor, victims must run the tool on the uninfected Windows computer that is connected to the infected hard drive from the affected computer.
Abrams provided this step-by-step tutorial that will walk victims through the entire process.
This is a great solution to decrypt your infected files, but most likely, the Petya authors have already heard about this tool and are modifying their code to disable the solution. So, there is no guarantee the tool will continue to work indefinitely.
British Govt vs Lauri Love, it’s battle for encryption keys
13.4.2016 Safety
The British Government is attempting to force the hacktivist Lauri Love to hand over his encryption keys to access data stored in his seized laptop.
Lauri Love is the hacktivist accused of breaking into Government networks, now the UK NCA wants to oblige him to hand over encryption keys to equipment seized from his home.
The hacktivist started a legal action against the NCA to attempt to have his property returned.
The list of victims of the hacktivist includes the FBI, the Federal Reserve Bank and the US Missile Defence Agency.
US Prosecutors believe that Lauri Love is a member of a hacker crew, they sustain that he was also involved in the hacking campaign the OpLastResort launched by Anonymous against the US Government.
Anonymous threatened the US Government due to its position against the young talented hacktivist Aaron Swartz. Aaron Swartz has committed suicide on January 11, 2013 in New York City. He is fighting extradition to the US where authorities can condemn him to up to 99-years in prison.
On that occasion, the US legal system demonstrated its inefficiency in the treatment of hacktivist.
The Home Office is seeking a court order in the form of a ‘direction’ in the civil proceeding against Love. If Love will refuse to comply with the direction he will be charged with contempt of court.
“Love is also being ordered to provide witness statements informing the court whether two particular files encrypted with TrueCrypt software contain data from the US Senate and Department of Energy.” reported the British Computing website.
“I don’t have any alternative but to refuse to comply,” Love told The Intercept. “The NCA are trying to establish a precedent so that an executive body — i.e., the police — can take away your computers and if they are unable to comprehend certain portions of data held on them, then you lose the right to retain them. It’s a presumption of guilt for random data.”
Today Lauri Love appeared in a London court as NCA attempts to get his encryption keys, but the judgment in the encryption demand case is reserved until 10 May.
Love’s advocates remarked that the hacktivist did not profit from the attacks he participated.
The authorities have no intention to return the seized laptop, they augmented their decision sustaining that the device contains pirated films.
Hackeři nepotřebují znát heslo, jednoduše ho smažou
13.4.2016 Zranitelnosti
Bezpečnostní experti kladou uživatelům neustále na srdce, že mají používat sofistikovaná hesla a nikomu je nesdělovat. Jenže občas ochrana heslem nestačí, jak ukazuje nově objevená chyba. Počítačoví piráti se díky ní dostanou do cizí sítě celkem jednoduše, heslo prostě smažou. V ohrožení je podle serveru The Hacker News více než 135 miliónů uživatelů.
Novou trhlinu objevil bezpečnostní výzkumník David Longeneck v zařízení Arris SURFboard SB6141. Jde o modem, který slouží k připojení k internetu přes kabelovou televizi. Hojně je využíván především v USA, není ale vyloučeno, že stejný model využívají také někteří tuzemští uživatelé.
Chyba se týká modemu Arris SURFboard SB6141
Chybu mohou počítačoví piráti zneužít dvěma různými způsoby. V první řadě mohou na dálku restartovat zařízení, a tím odpojit všechny připojené počítače od internetu až na tři minuty. A to samozřejmě opakovaně.
Daleko horší ale je, že trhlina jim dovoluje také obnovit na dálku tovární nastavení této brány do světa internetu. Co to znamená v praxi? Je jedno, jak má uživatel sofistikované přístupové heslo, tímto krokem jej kyberzločinci jednoduše smažou. Pak už jen stačí naťukat přednastavené defaultní hodnoty, které klidně vyčtou z volně dostupných návodů na internetu.
Jediný způsob, jak se mohou lidé bránit, je odpojit modem od internetu.
Swati Khandelwal ze serveru The Hacker News
„Chyba je velmi nešťastná. Jediný způsob, jak se mohou lidé bránit, je odpojit modem od internetu,“ uvedl Swati Khandelwal ze serveru The Hacker News. Podle něj totiž v současnosti neexistuje pro trhlinu žádná oprava.
Výrobce routeru – společnost Arris – se zatím k problému oficiálně nevyjádřil. Není tedy jasné ani to, zda pracuje na aktualizaci firmwaru, která by zjednala nápravu.
Nabízí se také otázka, zda podobnou chybu neobsahují i další síťové prvky tohoto výrobce.
Útoků na síťové prvky přibývá
Právě na síťové prvky, jako jsou modemy a routery, se počítačoví piráti v poslední době zaměřují stále častěji. A není se čemu divit. Březnová studie Cisco Annual Security Report ukázala, že devět z deseti internetových zařízení má slabá místa.
Když kyberzločinci získají přístup k routeru nebo modemu, dokážou napáchat daleko větší neplechu, než kdyby propašovali nezvaného návštěvníka jen do počítače. S pomocí škodlivých kódů, jež do těchto síťových prvků nahrají, mohou například odposlouchávat komunikaci nebo přesměrovávat internetové adresy.
Přesně to udělali už v minulosti díky zranitelnosti známé jako „rom-0“. Místo serverů, jako jsou například Seznam.cz nebo Google.com, se poškozeným zobrazila hláška o nutnosti instalace flash playeru. Místo té se ale do PC stáhnul další virus. Útočníci tak rázem měli přístup nejen k routeru, ale i k připojenému počítači.
Atmos, the Citadel Trojan successor is in the wild
12.4.2016 Virus
Security experts from the Heimdal Security firm are issuing an alert on the Atmos malware which is the successor of the dreaded Citadel Trojan.
Months ago, the author of the dreaded Citadel malware was sentenced to prison, but in the same period, a new improved variant resurged in the wild. The new strain of Citadel malware, called Atmos, is now targeting banks in France and it was also served with the Teslacrypt ransomware.
Atmos has been active since late 2015, but the experts have discovered it in the wild only recently.
Citadel was first spotted in 2011, its authors used the code of the ZeuS Trojan code to create the new threat.
“Dimitry Belorossov, a/k/a Rainerfox, has been sentenced to four years, six months in prison following his guilty plea for conspiring to commit computer fraud. Belorossov distributed and installed Citadel, a sophisticated malware that infected over 11 million computers worldwide, onto victim computers using a variety of infection methods.” stated the announcement issued by the FBI.
“In 2012, Belorossov downloaded a version of Citadel, which he then used to operate a Citadel botnet primarily from Russia. Belorossov remotely controlled over 7,000 victim bots, including at least one infected computer system with an IP address resolving to the Northern District of Georgia. Belorossov’s Citadel botnet contained personal information from the infected victim computers, including online banking credentials for U.S.-based financial institutions with federally insured deposits, credit card information, and other personally identifying information.”
The Citadel malware is a powerful data stealer, it was mainly used in banking frauds, but it has the ability to carry out a large number of fraudulent operations.
In the second half of 2012, security experts began to see Citadel variants designed to breach networks of government and private companies.
On June 5 2013, the Microsoft Digital Crimes Unit announced that its experts were working with the FBI to shut down the Citadel botnet and to arrest its operators.
Atmos botnet
Today security experts at Heimdal security are issuing an alert on the Citadel successor, Atmos.
The researchers discovered that the new Citadel variant was heavily modified respect its predecessors. It utilizes the same web injection mechanisms implemented by ZeuS, a circumstance that leads the experts into belief that it was designed with the same intent.
The researchers confirmed that only a few sample was discovered in the wild targeting French banks.
Giving a look at the technical details shared by the Heimdal Security, we note that C&C servers are located in Vietnam, Canada, Ukraine, Russia, the US and Turkey and the overall Atom botnet is already composed of more than 1000 machines.
Below the list of Indicators of Compromise tied to the new Atmos Trojan:
http://iguana58[.]ru/plugins/system/anticopy/adobe[.]exe
http://tehnoart[.]co/sr[.]exe
http://3dmaxkursum[.]net/tmp/sys/config[.]exe
http://iguana58[.]ru/plugins/system/anticopy/adobe[.]exe
http://mareikes[.]com/wp-includes/pomo/svhost[.]exe
http://mareikes[.]com/wp-includes/pomo/server[.]exe
I invite you to read the Heimdal’s Alert, Atmos have to be considered a very dangerous threat, especially for the private industry.
Na Českou spořitelnu míří další vlna phishingu. Tentokrát i s SMS
12.4.2016 Zrdroj: Živě Phishing
Na klienty České spořitelny míří další phishingový útok. A zatímco v březnu se jednalo o běžný e-mail, který obsahoval odkaz na podvodnou přihlašovací stránku, tentokrát útočníci použili o kus sofistikovanější metodu. Rozesílají totiž SMS zprávy, kde je identifikace podvodu složitější.
Možné podoby podvodné SMS zprávy (zdroj: ČS)
Zprávy mají hned několik podob – některé upozorňují na neoprávněnou platbu, další na možnost cizího přihlášení do bankovnictví a nechybí ani předstírané technické potíže s nutností kontroly údajů. Všechny však končí stejně – odkazují na weby s podvodným přihlašovacím formulářem. Tam potenciální oběť zadá přihlašovací údaje, které jsou uloženy do databáze útočníků.
Nebezpečnost spočívá především v tom, že se zprávy tváří jako z běžné SMS brány, kterou podobné instituce používají. Podvod tak lze rozpoznat především díky pomlčkovým kombinacím v doméně a případně podle chybějícího HTTPS zabezpečení na přihlašovací stránce.
Windows bude na BSOD zobrazovat i QR kód. Ulehčí hledání chyby
12.4.2016 Zrdroj: Živě Bezpečnost
Modré obrazovky smrti se největší změny dočkaly s příchodem Windows 8, kdy je Microsoft převlékl do modernějšího vzhledu a přidal smutného smajlíka. Vyhledání problému, který pád systému způsobil, stále spočívá v ručním vyhledání chybového kódu. To by se mohlo v budoucích sestaveních Windows 10 změnit. V testovacím buildu se objevila funkce QR kódů, které by mohly odkazovat na řešení.
Podoba QR kódu na modré obrazovce smrti (zdroj: Reddit)
Informaci o nové možnosti modrých obrazovek poprvé zveřejnil web MicrosoftInsider.es, následně ji potvrdili i uživatelé Redditu. QR kód zatím odkazuje na stejnou stránku windows.com/stopcode. Snadno si však můžeme představit, že by odkaz vedl na web Microsoftu s popisem a řešením konkrétního problému.
Zádrhelem však mohou být nepřipravení uživatelé, kteří nemají v telefonech nainstalované čtečky QR. Těm nezbyde nic jiného než rychlé opsání kódu chyby.
Při velkém hacku unikly údaje o všech voličích z Filipín
12.4.2016 Zrdroj: Lupa Incidenty
Filipínská volební komise (COMELEC) neochránila data o voličích a údaje o 55 milionech lidí jsou k dispozici na internetu.
Útočníci, kteří se označují za Anonymous Phlippines, 27. března napadli webové stránky Filipínské volební komise (COMELEC) a o několik dní později LulzSec umístili databázi voličů online.
Podle zahraničních zdrojů bylo důvodem hacku vyvolat tlak na zlepšení zabezpečení hlasovacích přístrojů ještě před volbami, které se budou na Filipínách konat 9. května.
COMELEC tvrdí, že v hacknutých datech nejsou „žádné citlivé informace“ a hackeři „nezískali nic hodnotného“. Trend Micro je ale jiného názoru, takže to vypadá na klasickou PR taktiku zamlčování a vymýšlení si.
V uniklých datech se mají nacházet citlivé osobní informace, včetně hesel a digitálních otisků prstů. S ohledem na velikost úniku může jít o největší únik vládních dat v historii. Doposud prvenství držel nejspíš únik dat z OPM v loňském roce s údaji o 20 milionech amerických občanů.
Média upozorňují, že uniklá data se dají využít ke krádežím identit a podvodům, protože obsahují mnohem více informací, než pouze data o voličích, která jsou (nebo by měla být) dostupná přímo na webu Filipínské volební komise.
V celém rozsahu úniku jde o šestnáct databází a 355 tabulek – některé z nich mají vztah k obsahu webu a mechanismu voleb jako takovému, ale část obsahuje přímo údaje voličů – z nich jméno, příjmení, datum narození a voličské identifikační číslo jsou v šifrované podobě, ale další údaje nikoliv, ať už jde například o adresu bydliště nebo místo narození. V některých tabulkách jsou ale i jména a příjmení, jména rodičů, data narození, čísla pasů a další data nešifrovaná.
Mezi údaji jsou podle všeho i ty, které zadávali samotní voliči v rámci plánování schůzek při registraci k volbám. Je jich méně, ale obsahují i další osobní údaje – například e-mailový kontakt, plná jména obou rodičů, daňový identifikátor a další.
Jako u každého úniku i zde pochopitelně platí, že není jisté, nakolik jsou zveřejněná data autentická, zda do nich někdo nezasáhl a podobně.
Filipínská volební komise také zdůrazňuje, že samotné volby a volební systém nemají s hacknutým webem (a z něj získanými databázemi) žádné spojení a jde o zcela rozdílné systémy. Ale jako všechno, i toto je potřeba brát s rezervou.
How Certificate Transparency Monitoring Tool Helped Facebook Early Detect Duplicate SSL Certs
12.4.2016 Security
certificate-transparency-log-monitoring-service
Earlier this year, Facebook came across a bunch of duplicate SSL certificates for some of its own domains and revoked them immediately with the help of its own Certificate Transparency Monitoring Tool service.
Digital certificates are the backbone of our secure Internet, which protects sensitive information and communication, as well as authenticate systems and Internet users.
The Online Privacy relies heavily on SSL/TLS Certificates and encryption keys to protect millions of websites and applications.
As explained in our previous article on The Hacker News, the current Digital Certificate Management system and trusted Certificate Authorities (CAs) are not enough to prevent misuse of SSL certificates on the internet.
In short, there are hundreds of Certificate Authorities, trusted by your web browsers and operating systems, that has the ability to issue certificates for any domain, despite the fact you already have one purchased from another CA.
An improperly issued certificate could be used in man-in-the-middle (MITM) attacks to compromise encrypted HTTPS connections, putting millions of users' privacy at risk.
To solve CA trust issues, Google had launched 'Certificate Transparency' project in the year 2013, enabling anyone to detect easily fraudulent and stolen certificates.
Explained — What is Certificate Transparency
what-is-certificate-transparency
Before proceeding you should read: What is Certificate Transparency and how it could help individuals and companies to quickly identify if any Certificate Authority has issued forged certificates for their domains, mistakenly or maliciously.
Are you Back? OK.
First, let's talk about how Facebook and other large organizations manage their multiple subdomains, blogs, marketing and events websites?
Typically, these sites are built and hosted separately from the company’s core platform. For example, the portal for Facebook Live (https://live.fb.com/) is hosted and managed by WordPress VIP services.
How Facebook Early Detected Duplicate SSL Certificates
facebook-forged-SSL-certificate
Facebook security team shared an incident with The Hacker News:
Earlier this year, Let's Encrypt issued some duplicate digital certificates signed for multiple fb.com subdomains, and the Facebook’s own-developed Certificate Transparency monitoring service immediately detected those certificates within an hour.
However, later the Facebook’s core security team found that those certificates were actually requested by one of its hosting vendors, employed for managing fb.com subdomains for several of its microsites.
"The vendor had authorization from another Facebook team to use Let's Encrypt, but that was not communicated to our security team," David Huang and Brad Hill, Security Engineers at Facebook explain in a blog post.
"The investigation was completed in a matter of hours, and the certificates were revoked. We found no indications that these certificates were ever controlled by unauthorized parties, and we were able to respond before they had been deployed on the production hosts."
That's how Certificate Transparency and its monitoring service helps Facebook to manage all of its active digital certificates efficiently and quickly respond to such threats.
It is worth noting that Certificate Transparency system does not come with any in-built monitoring, and alert service i.e. CT do not automatically notify domain owners if any new certificate (legitimate/forged) has been issued for their domain.
So, the domain owners are themselves responsible for remaining vigilant and checking the logs regularly. Otherwise, if no one checks, suspicious behaviors will go undetected.
However, the Facebook security team was able to immediately detect fraudulent certificates with the help of its experimental monitoring tool.
Also Read: How Certificate Transparency helps to Detect Forged SSL Certificates
How Does Facebook Certificate Transparency Monitoring Tool Work?
Simply… It continuously scans all public Certificate Transparency logs and alerts when any CA issues a new certificate for root domain and subdomains of facebook.com and fb.com.
"Facebook advocates for CT because it offers the ability to know the certificates a CT-enforcing browser will trust," the Facebook engineer says.
"We recommend other organizations start monitoring CT logs to understand issuance for domains they control."
Certificate Transparency overall is an open framework that involves browser vendors, monitors, as well as Certificate Authorities. Whereas, Facebook's CT Monitoring Service works independently and does not require additional participation from browser vendors or CAs.
Though Facebook's Certificate Transparency Monitoring service does not provide an option to revoke detected forged certificates, it provides information required to revoke rogue certs.
"The process for revoking them still requires that you ask the issuing CA to revoke them or ask the browser vendors to blacklist them," Facebook Spokesperson told The Hacker News via email.
On asking, Is it possible to monitor rogue certificates issued by CAs, who have not yet adopted CT, Facebook spokesperson replied:
"Technically, yes. Plenty of certs in the CT logs are uploaded by web crawlers (3rd-party) rather than by the issuing CAs themselves, so it is already possible to monitor certs issued by non-participating CAs."
For now, Facebook's Certificate Transparency Monitoring service is only being used for company's own domains.
But, Facebook confirmed that it would soon make its experimental Certificate Transparency Monitoring Service available to everyone for free in the coming months.
certificate-transparency-monitoring-service
Certificate Transparency project aims to mitigate flaws in the structure of the SSL certificate system by introducing an extra layer of verification.
With Certificate Transparency, Digital signature itself will not be enough, and the web server also has to prove that the certificate is registered with CT log before it can be trusted.
Despite Google's hard effort on pushing every CA to adopt Certificate Transparency, its adoption is still in a very early stage.
Facebook Spokesperson says:
Currently, Google's Root Certificate Policy requires that EV (Extended Validation) certificates must be logged to CT. This means that CAs must log EV certs to CT (whether they like it or not). Otherwise, their EV certs won't work in modern browsers. However, CAs can still issue DV (Domain Validation) certs without logging them to CT.
Chrome is working on a short-term solution with a new "expect-ct" feature that will allow sites to detect any certificates seen by browsers that are hidden from CT logs. Long term, browsers may require CT for all certs, which will address this problem.
The idea behind this design is to encourage all Certificate Authorities to log every certificate before issuing them.
Stay Tuned to our Facebook and Twitter Page. Stay Secure.
Forensic Firm that Unlocked Terrorist's iPhone 5C is Close to Crack iPhone 6
12.4.2016 Apple
The FBI didn't disclose the identity of the third-party company that helped them access the San Bernardino iPhone, but it has been widely believed that the Israeli mobile forensic firm Cellebrite was hired by the FBI to put an end to the Apple vs. FBI case.
For those unfamiliar in the Apple vs. FBI case: Apple was engaged in a legal battle with the Department of Justice over a court order that was forcing the company to write software, which could disable passcode protection on terrorist's iPhone, helping them access data on it.
However, Apple refused to comply with the court order, so the FBI hired an unknown third-party firm, most likely Cellebrite, who managed to successfully hack the locked iPhone 5C used by the terrorist in the San Bernardino shooting incident last year.
The new method helped the Federal Bureau of Investigation (FBI) to hack iPhone 5C, but that wasn't the FBI's victory as the method didn't work on iPhone 5S and later iPhone models.
Cellebrite is on its Way to Hack the Locked iPhone 6
Now, Cellebrite is reportedly "optimistic" about Hacking the more Secure iPhone 6.
CNN reports that an Italian architect, named Leonardo Fabbretti, met with Cellebrite last week whether the company could help him gain access to a locked iPhone 6 that belonged to his dead son.
Fabbretti's son, Dama Fabbretti, was passed away from bone cancer last September at the age of 13. However, before his death, the son added his father's thumbprint to allow him to access the phone.
Fabbretti was trying to access the messages, notes, and photos of his dead son on the iPhone 6, but unfortunately, the phone had a restart. It now required the passcode for unlocking, and his father doesn't know the code.
Fabbretti initially contacted Apple on March 21, and the company reportedly tried to help the grieving father, but they found that the iPhone was not backed up to the cloud. Expressing sympathy, the company told him that there was nothing they could do.
Hacking iPhone 6 for Free
Cellebrite-hack-iphone6
After watching Fabbretti's story in the news, Cellebrite offered to help the man by hacking the iPhone 6 for free. Fabbretti met with the company employees last week at its office in northern Italy and said:
"The meeting went well. They were able to download the directories with the iPhone's content, but there is still work to be done in order to access the files."
According to the company, there are chances of accessing the files on locked iPhone 6 that contain photos and conversations of the son with the dad, along with a handful of videos taken just 3 days before his son died.
Both Cellebrite, as well as Apple, have yet to comment on the case.
If the Cellebrite gets the success in creating a new method to unlock iPhone 6, undoubtedly the company will sell its tool to the FBI agents to solve their several pending cases, in the same way, it helped the agency accessing the terrorist's locked iPhone 5C.
How to restore files encrypted by the Petya ransomware in less than 7 seconds
12.4.2016 Virus
Security Researchers have developed a decryption tool to restore the files encrypted by the Petya ransomware with a key generated in less than 10 seconds.
Security researchers have analyzed the code of Petya ransomware in order to devise a method to allow victims to restore encrypted files. The experts have been able to develop a decryption tool that should allow victims to generate keys in a few seconds.
The Twitter user @leostone announced to have elaborated a method to generate passwords in less than a minute. The user also developed a website to help victims generate keys for restoring encrypted files.
In order to generate a decryption key, the victim just needs to provide certain information on the infected drive. The researcher Fabian Wosar from Emisoft as developed an application that is able to automatize the process extracting data from infected Petya drives and generate the key for the data rescue.
The security experts Lawrence Abrams, who contribute at BleepingComputer.com blog, has prepared a guide on how to use the tool.
Abrams explained that the tool scans the infected drive searching for the Petya bootcode. Once detected the code, it selects it and allow users to simply copy both the sectors and nonce associated with it. These data (a Base64-encoded 512 bytes verification data and a Base64-encoded 8 bytes nonce) could be used to generate the password through the @leostone’s website.
“An individual going by the twitter handle leostone was able to create an algorithm that can generate the password used to decrypt a Petya encrypted computer. In my test this, this algorithm was able to generate my key in 7 seconds.” wrote Abrams in a blog post.
To discover the password, the user has to physically remove the drive from the infected machine and attach it to either a Windows machine or a USB drive docking station and to launch the Wosar’s tool.
“To use Leostone’s decryption tool you will need attach the Petya affected drive to another computer and extract specific data from it. The data that needs to be extracted is 512-bytes starting at sector 55 (0x37h) with an offset of 0 and the 8 byte nonce from sector 54 (0x36) offset: 33 (0x21). This data then needs to be converted to Base64 encoding and used on the https://petya-pay-no-ransom.herokuapp.com/ site to generate the key.” continues Abrams.
“Unfortunately, for many victims extracting this data is not an easy task. The good news is that Fabian Wosar created a special tool that can be used to easily extract this data. In order to use this tool, you need to take the encrypted drive from the affected computer and attach it to a Windows computer that is working properly. If your infected computer has multiple drives, you should only remove the drive that is the boot drive, or C:\ drive, for your computer.”
Once obtained the password, users should be able to reconnect their encrypted drive and enter it to restore the files encrypted by the Petya ransomware.
The identity of @leostone is still a mystery, he only explained to have decided to work on his decryption method after his father in law was infected by the Petya ransomware.
Unfortunately, it is likely that operators behind the Petya will soon improve their malware releasing a newer version with stronger encryption.
What is Certificate Transparency? How It helps to Detect Fake SSL Certificates
11.4.2016 Security
what-is-certificate-transparency-log
Do you know there is a huge encryption backdoor still exists on the Internet that most people don't know about?
I am talking about the traditional Digital Certificate Management System… the weakest link, which is completely based on trust, and it has already been broken several times.
To ensure the confidentiality and integrity of their personal data, billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe.
In this article I am going to explain:
The structural flaw in current Digital Certificate Management system.
Why Certificate Authorities (CA) have lost the Trust.
How Certificate Transparency (CT) fixes issues in the SSL certificate system.
How to early detect every SSL Certificates issued for your Domain, legitimate or rogue?
First, you need to know Certificate Authority and its role:
Certificate Authority and its Role
Rogue-SSL-Certificate-Authority
A Certificate Authority (CA) is a third-party organization that acts as a central trusted body designed to issue and validate digital SSL/TLS certificates.
There are hundreds of such trusted organizations that have the power to issue valid SSL certificate for any domain you own, despite the fact you already have one purchased from another CA.
...and that's the biggest loophole in the CA system.
SSL Chain-of-Trust is Broken!
Last year, Google discovered that Symantec (one of the CAs) had improperly issued a duplicate certificate for google.com to someone else, apparently mistakenly.
This was not the first time when the power of CA was abused or mistakenly used to issue forged digital certificates that put millions of Internet users' privacy at risk.
In March 2011, Comodo, a popular Certificate Authority, was hacked to issue fraudulent certificates for popular domains, including mail.google.com, addons.mozilla.org, and login.yahoo.com.
In the same year, the Dutch certificate authority DigiNotar was also compromised and issued massive amounts of fraudulent certificates.
Since the chain of trust has been broken, millions of users were subject to the man-in-the-middle attack.
Further, the documents leaked by Edward Snowden revealed that the NSA (National Security Agency) intercepted and cracked massive numbers of HTTPS encrypted web sessions, indicating that some so-called trusted CAs are widely suspected to be controlled or under the authority of Governments.
What if, Government asks any of these ‘trusted-turn-evil’ certificate authorities to issue duplicate SSL certificates for secure and popular websites like, Facebook, Google or Yahoo?
That's not just my speculation; it has already happened in the past when Government organizations and state-sponsored hackers have abused trusted CAs to get fake digital certs for popular domains to spy on users.
Examples of Incidents that involved Governments
1.) In 2011, forged digital certificates issued by DigiNotar CA were used to hack Gmail accounts of approximately 300,000 Iranian users.
2.) In late 2013, Google discovered fake digital certificates for its domains were being used by the French government agency to perform man-in-the-middle attacks.
forged or fake SSL certificates
3.) In mid-2014, Google identified another incident: National Informatics Centre (NIC) of India was using unauthorized digital certificates for some its domains.
You can see here, how easy it is to compromise the security of HTTPS websites protected by other well-behaved CAs.
Do you still Blindly Trust CA Organizations?
The DigiNotar and Comodo incidents worked as a wake-up call, ending an era of blindly trusting CAs to issue digital certificates.
Problem: How are you supposed to check whether a rogue certificate for your domain has been issued to someone else, probably a malicious attacker?
Solution: Certificate Transparency or CT, a public service that allows individuals and companies to monitor how many digital security certificates have been issued secretly for their domains.
In 2013, Google started an industry-wide initiative, called Certificate Transparency (CT), an open framework to log, audit, and monitor certificates that CAs have issued.
What is Certificate Transparency system?
What is Certificate Transparency system
The Certificate Transparency (CT) framework includes:
Certificate Logs
Certificate Monitors
Certificate Auditors
Certificate Transparency requires CAs to publicly declare (to Certificate Log) every digital certificate they have generated.
Certificate Log offers users a way to look up all of the digital certificates that have been issued for a given domain name.
It is worth noting that Certificate Transparency model does not replace traditional CA-based authentication and verification procedure though it is an additional way to verify that your certificate is unique.
Certificate logs have three important qualities:
1. Append-only: Certificates records can only be added to a log. They can not be deleted, modified, or retroactively inserted into a log.
2. Cryptographically assured: Certificates Logs use a special cryptographic mechanism known as ‘Merkle Tree Hashes’ to prevent tampering.
3. Publicly auditable: Anyone can query a log and verify its behavior, or verify that an SSL certificate has been legitimately appended to the log.
In CT, Digital Certificate contains a Signed Certificate Timestamp (SCT), which proves that it has been submitted to the log before being issued.
Google, DigiCert, Symantec, and a few other CAs are currently hosting public logs.
Facebook-Certificate-Transparency-Monitoring-Service
Although CT does not prevent CA from issuing forged certificates, it makes the process of detecting rogue certificates much easier.
Such transparency offers them the ability to quickly identify digital certificates that have been issued mistakenly or maliciously and help them mitigate security concerns, such as man-in-the-middle attack.
Earlier this year, Certificate Transparency system and monitoring service helped Facebook security team to early detect duplicate SSL certificates issued for multiple fb.com subdomains.
In a separate article, I have provided details about Facebook’s Certificate Transparency Monitoring Service that is designed to discover SSL issues instantly and automatically.
Facebook confirmed to The Hacker News (THN) that it will soon make its experimental Certificate Transparency Monitoring Service available for free to the broader community in the coming months.
Certificate Transparency Search tool
Sounds interesting?
Comodo has launched a Certificate Transparency Search tool that lists all issued certificates for any given domain name.
If you find a fraud certificate issued for your domain, report respective CA and address it immediately.
InfiltrateCon 2016: A Lesson in Thousand-Bullet Problems
11.4.2016 Safety
Last week vulnerability developers, security researchers, and even a couple of friendly govies descended upon my native Miami for two daily servings of novel implants, exploits, and the latest in offensive research. To contrast the relaxed bikini-clad environment, an adversarial tone was set by conference badges in the form of survival paracord bracelets with Infiltrate dogtags. In good spirits, white-, grey-, and black-hats sparred for tech supremacy and today I’d like to share some thoughts on insightful talks that forecast the intricacies and stumbling blocks that await us as defenders.
This industry has seen its fair share of military analogies for cyberconflict (including Chris Hoff’s brilliant 2015 SAS keynote) and this conference did not disappoint in that area. Kicking off Infiltrate, Nate Fick (CEO of Endgame) brought to bear his wealth of experience in the Marines to the current situation in infosec to great effect. Perhaps doing a disservice to an insightful talk, I’d like to recall some key concepts of Nate’s keynote that build up to a cohesive argument for understanding the role of escalation dominance in our space:
‘A dollar of offense almost always beats a dollar of defense’. Let that sink in.
‘One of the tenets of civilized societies is that governments have a monopoly on the legitimate use of force’, a just-war theory concept worth remembering when the preposterous suggestion of ‘hacking back’ is thrown around as a legitimate option for companies.
‘What level of hacking warrants a bullet, rendition, or a drone?’. This is not a trivial question in our space. As Nate discussed, if we are going respect the cyber-equivalent of a monopoly on the legitimate use of force so that only the government is allowed to conduct offensive cyber-operations in retaliation for an attack on private industry, and we expect this to function as some form precedent-based deterrence, then we should have a clear idea of what offenses merit certain types of retribution.
This is all by way of preparing the ground for the concept of ‘escalation dominance’. As Nate stated, “Escalation dominance, if you don’t have it then don’t fight someone who does”. And that is to say, “You can only deter an adversary if you have the escalatory capability to beat them all the way up the ladder”. I hope these serve as timely takeaways as companies weigh the possibility of ‘hacking back’, an option that is sure to yield meager gains when compared to the next play that awaits on the escalatory ladder.
Further highlights, include Joe Fitzpatrick’s talk on hardware implants titled ‘The TAO of Hardware, the Te of Implants’. Joe is one of those rare unicorns that focuses on hardware security and showcased his skills by trying to convince us of the ease and accessibility of hardware implants. A common misconception is that hardware implants are so difficult to design and expensive to manufacture that they’re only available to the most well-resourced and technologically-capable tier of attackers but Joe shows that this is clearly no longer the case. A valuable takeaway was his starting premise, that the role of a good hardware implant is simply to provide software access and then back off entirely.
As ‘Cyber-Pathogens’ are all the rage with kids these days, I want to discuss Travis Morrow and Josh Pitt’s talk on ‘Genetic Malware’. The title is a reference to their analogies to different types of attack targeting, in this case that of bioweapons and chemical weapons. In reality, the intention is to provide a framework (now public) with which to execute Gauss-style attacks: malware binaries whose final payload is encrypted in such a way as to only decrypt and execute on a specific victim system thereby stumping third-party research efforts to reverse engineer and understand the ultimate objective of the attackers.
Travis and Josh’s E.B.O.W.L.A. (Ethnic BiO Weapon Limited Access) framework drastically lowers the entry threshold for attackers to perform Gauss-style attacks by encrypting their payloads based on specific environment variables on the victim system, environmental factors like IP range or time ranges to trigger, or even a one-time pad based off of a specific system binary. This strategy for buying time was ultimately effective in the case of Gauss whose encrypted payload remains a mystery to this day and, if popularized, will surely prove an interesting challenge for the anti-malware industry going forward.
Finally, as a result of the historic work done by Katie Missouris to help launch the federal government’s first public bug bountry program, Lisa Wiswell of the newly formed Department of Defense Digital Defense Service joined us with an articulate plea to enlist the best and brightest to ‘Hack the Pentagon’ (within scope) and help better defend the country. The crowd was accommodating and we can only hope this program proves a success if only to set precedent for further friendly outreach efforts between the US government and the larger infosec community (in all of its monochromed haberdashery).
Petya ransomware encryption has been cracked
11.4.2016 Virus
Petya ransomware hit companies hard, but the good news is that there are now tools available to get the encrypted files and locked computers back.
The ransomware not only encrypts the victims’ files, but also their disk’s Master File Table (MFT), and it replaces the boot drive’s existing Master Boot Record (MBR) with a malicious loader.
Nearly two weeks ago a malware analyst that goes by the handle Hasherezade created a decoder that extracted the key Petya victims had to input in order to reverse the damage, but it only worked if the system was not rebooted after the infection (Stage 1).
But on Friday an unidentified programmer that goes by “Leo Stone” published another tool that manages to extract the key even if the computer was rebooted (Stage 2).
Apparently, his father in law fell victim to Petya, and didn’t want to pay the ransom, so Leo Stone went exploring to find a possible fix. The code for the tool (and technical details about his search) can be found on GitHub.
The tool can also be accessed here, and is ready for use. The only problem is that in order to use it, one has to extract two pieces of information from the infected disk, and that’s not that easy for tech-unsavvy users.
Luckily, Emsisoft researcher Fabian Wosar created another tool that will allow victims to the extract this info, but they will have to have another uninfected computer available and know how to remove a hard drive from one computer and attach it to another.
For more information about the whole process, check out these instructions by Bleeping Computer’s Lawrence Abrams.
When you finally input the info into Leo Stone’s tool and get the key, simply insert it into the ransomware lock screen, and wait for the damage to be reversed.
Mapping the Dark Web searching for illegal content
11.4.2016 Hacking
Recently the intelligence firms Intelliagg and Darksum have issued an interesting report on the Dark Web and related mapping.
We have discussed several times about Deep Web and Dark Web, discussing the reason why the hidden part of the web is even more dangerous.
However the darknets aren’t a prerogative of criminal organizations, a good portion of the content it host is legal as demonstrated by a recent global survey commissioned by the Centre for International Governance Innovation (CIGI).
The research demonstrates that 71% consider necessary the shut down of the dark net (36% strongly/35% somewhat), likely because the hidden part of the web is associated in the headlines with criminal activities.
Another interesting result emerged from the research is that citizens in some countries are much more likely than others to believe the “dark net” should be shut down. Indonesia (85%) and India (82%) lead the ranking, followed by Mexico (80%), China (79%), Egypt (79%). Bringing up the rear are Kenya (61%), South Korea (61%) and Sweden (61%).
It is not clear in fact if people interviewed were made aware of the legal usage of dark net before answering the question.
The Dark Web is a place crowded of cyber criminals and hackers that host the most popular black markets, but it a serious mistake to forgot that it is also a precious environment for journalists, activists, whistleblowers and political dissidents that escape from the censorship and repression.
Many experts ask me if there is a way to discover the real proportions between illegal and legal contents in the dark web, and I always explain that it depends on the sample that we use for the elaboration of the statistics.
Recently the intelligence firms Intelliagg and Darksum have issued an interesting report that tried to provide a reply to the above question. The researchers involved in the study focused their analysis on the Tor network that represent a significant portion of the dark web,but not its totality.
The experts used a spider software to crawl the Tor network and collect the information used in the study.
“We compiled our census of the dark web using the Darksum ‘collection software’, a ‘spider’ or software application that crawls through the web following links in order to compile an index of its pages, and Intelliagg’s ‘machine-learning intelligence classification system’ – complex algorithms that are ‘trained’ by humans then sent off to classify data automatically.” states the report.
“Our classification system was ‘trained’ using data that had been classified manually from 1,000 sites on the dark web. It proceeded to classify the remaining data automatically without human supervision. This automated method proved to be 94% as accurate as it would have been had this process been entirely done by hand, meaning that nine times out of 10 our algorithms came to the same conclusion as an experienced analyst”
The experts run their spiders two weeks in February 2016 focusing their analysis on selected dark web services, including pornography, fake documentation services, drugs, carding sites, financial fraud sites, weapons, blogs.
According to the experts, the Tor network is currently composed of approximately 30,000 distinct .onion addresses that result active.
The spiders accessed websites in a total of 32 different languages, the vast majority of information on the hidden services network is in English, followed by German and Chinese.
Of the 29,532 .onion identified during the sampling period, only 46% percent could be accessed, the remaining part is related to C&C infrastructure used to manage botnet, file-sharing applications or chat clients.
“A total of 29,532 ‘.onion’ addresses were identified during the sampling period. Of these, fewer than half were accessible at some point during this period. The remaining 54% (which were not analysed further) were probably only up on the dark web for a very short period of time. This could be for many reasons: commonly that they were addresses relating to ‘command and control’ servers used to manage malicious software, chat clients, or file-sharing applications” continues the study.
The real surprise is related to the hidden services automatically analyzed by the experts, 48% can be classified as illegal under UK and US law. By analyzing manually a separate sample composed of 1,000 hidden services the experts found about 68% of the content to be illegal.
Below the percentages of content associated with each category.
Let me suggest to give a look to the report.
Vyděračské viry se šíří skrze Flash Player. Používají jej stovky miliónů lidí
11.4.2016 Viry
Oblíbený program Flash Player od společnosti Adobe, který slouží k přehrávání videí na internetu, má kritickou bezpečnostní chybu. Tu už začali zneužívat počítačoví piráti k šíření vyděračských virů. Vývojáři z Adobe už naštěstí vydali aktualizaci na opravu nebezpečné trhliny.
Chyba se týká všech podporovaných platforem, tedy operačních systémů Windows, Mac OS X či Chrome OS, uvedl server iDigital Times. Podle něj stačí, aby uživatel navštívil podvodné stránky, na kterých mu bude nabídnuto video k přehrání.
Právě prostřednictvím něj se na pevný disk dostane nezvaný návštěvník. Uživatel přitom nemusí vůbec nic stahovat, stačí, když prostě spustí přehrávání. Kvůli chybě tím otevře zadní vrátka do svého operačního systému. V něm se pak uhnízdí vyděračský virus zvaný Cerber.
Požaduje výkupné
Na napadeném stroji dokáže virus Cerber udělat pěkný nepořádek. Nejprve zašifruje všechna data uložená na pevném disku. Za jejich zpřístupnění pak útočníci požadují výkupné, a to klidně i několik tisíc korun.
Kyberzločinci se zpravidla snaží v majiteli napadeného stroje vzbudit dojem, že se ke svým souborům dostane po zaplacení pokuty. Ta byla údajně vyměřena za používání nelegálního softwaru apod. I proto jim celá řada lidí již výkupné zaplatila.
Zaplatit zpravidla chtějí v bitcoinech, protože pohyby této virtuální měny se prakticky nedají vystopovat. A tím logicky ani nelegální aktivita počítačových pirátů.
Ani po zaplacení výkupného se uživatelé ke svým datům nedostanou. Místo placení výkupného je totiž nutné virus z počítače odinstalovat. Zpřístupnit nezálohovaná data je už ale ve většině případů nemožné.
S aktualizací neotálet
Právě kvůli závažnosti nově objevené trhliny vydali prakticky okamžitě vývojáři společnosti Adobe aktualizaci, která ji opravuje. Stahovat ji je možné buď prostřednictvím automatických aktualizací, nebo přímo z webových stránek společnosti Adobe.
S ohledem na závažnost chyby, by uživatelé s aktualizací neměli v žádném případě otálet.
Flash Player používají k přehrávání videí na internetu stovky miliónů lidí. Právě kvůli velké popularitě se na něj často soustředí počítačoví piráti. Těm se například minulý měsíc podařilo objevit jinou kritickou chybu, kvůli které mohli do počítače propašovat prakticky libovolný škodlivý kód.
Researchers devised a reCaptcha breaking system effective against Google and Facebook
11.4.2016 Safety
A group of boffins discovered vulnerabilities in the reCaptcha systems of Google and Facebook and devised an attack method.
The security experts Suphannee Sivakorn, Iasonas Polakis, and Angelos D. Keromytis have devised an attack technique against Facebook and Google reCaptcha. The boffins from the Department of Computer Science at Columbia University have discovered security vulnerabilities in the reCaptcha systems of the IT Giants and have devised an attack technique that allows them to automatically influence risk analysis and bypass the protection system.
The technique could be used to launch large-scale attacks.
In a first phase, the researchers tested the accuracy of their reCaptcha breaking system, in a second phase they compared their attack technique with other captcha-breakers to conduct an economic analysis of their method.
The experts also proposed a series of mitigation techniques against attacks like the one they have elaborated.
The research focused on the Google’s reCaptcha system that implements an “advanced risk analysis,” it analyze requests to determine the difficulty of returned captcha. The researchers tested their attack method in offline mode, the captcha-breaking system obtained a 41.57 percent success rate at 20.9 seconds per challenge.
“As such, we evaluate our system in an offline mode, where no online information or service is used. Under such restrictions, and running on commodity hardware, our attack solves 41.57% of the captchas while requiring only 20.9 seconds per challenge, with practically no cost.” reads the paper published by the experts.
The researchers tried to automatically break 2,235 Google captchas obtaining a percentage of success of 70.78 in resolving reCaptcha challenges, at a rate of 19 seconds per challenge.
In live tests the success rate was higher because image repetition of the reCaptcha.
“We ran our captcha-breaking system against 2,235 captchas, and obtained a 70.78% accuracy. The higher accuracy compared to the simulated experiments is, at least partially, attributed to the image repetition; the history module located 1,515 sample images and 385 candidate images in our labelled dataset” continues the experts.
The team of experts also evaluated the efficiency of their method against the Facebook’s image captcha, and the results were very good. The team reached an accuracy of 83.5 percent on 200 images.
The method appears more effective against the Facebook reCaptcha system because Google is using low-quality photos that in many cases are no easily distinguishable also for a human.
The technique devised by the experts is more efficient when the targeted reCaptcha system uses high-resolution images that are easier to analyze.
The reCaptcha breaking system devised by the group is superior to Decaptcher, a popular system that charges $2 per 1000 solved image captchas that has only a 44.3 percent accuracy.
When dealing checkbox captcha, at a selling price of $2 per 1,000 solved captchas, the token harvesting attack devised by the team could obtain $104 – $110 daily, per IP address.
“Assuming a selling price of $2 per 1,000 solved captchas, our token harvesting attack could accrue $104 – $110 daily, per host (i.e., IP address). By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine.” states the paper.
When dealing with checkbox captchas, the system could run a rate of 1,200 requests per hour without being blocked. The attack could peak at 2,500, reaching between 52,000 and 55,000 requests per day, and 59,000 in the weekend.
The team shared the results of their study with Google and Facebook. While Google used the information to improve its reCaptcha system, Facebook hasn’t yet implemented enhancements.
WordPress pushes Free HTTPS Encryption for all its blogs
11.4.2016 Safety
WordPress announces “HTTPS Everywhere, Encryption for All WordPress.com Sites,” millions websites will be secured without users’ effort.
WordPress is pushing free default SSL for all the website running the popular CMS and hosted on WordPress.com, that means over 26% of websites based on the most popular CMSs on the web will be secured (Statistics by W3techs).
On Friday, WordPress announced that it has partnered with the Let’s Encrypt project in order to offer free HTTPS support for all of its users on WordPress.com blogs.
According to the systems engineer Barry Abrahamson from WordPress’ parent company Automattic, the roll out will be transparent without impact on the users.
“Today we are excited to announce free HTTPS for all custom domains hosted on WordPress.com. This brings the security and performance of modern encryption to every blog and website we host. Best of all, the changes are automatic — you won’t need to do a thing.” Abrahamson wrote in a blog post.
“This brings the security and performance of modern encryption to every blog and website we host.” “For you, the users, that means you’ll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.”
FanceBox plugin WordPress 2
That is great, more security, for free and without any effort! The Internet will be a better place, users will be protected from eavesdropping. The massive introduction of Web encryption provides more than security to the users, the protocol enhancements like SPDY and HTTP/2 have reduced in a significant way the performance gap between encrypted and unencrypted web traffic.
Digital certificates will be offered by the Let’s Encrypt initiative starting from January.
“The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains. We launched the first batch of certificates in January 2016 and immediately started working with Let’s Encrypt to make the process smoother for our massive and growing list of domains.” added Abrahamson.
Summarizing … WordPress.com is activating HTTPS on all its websites without requesting users intervention.
Be careful Amazon is selling products infected with malware
10.4.2016 Virus
Beware, even things on Amazon come with embedded malware… this is the disconcerting discovery made by the expert Mark Olsen.
The security expert Mike Olsen warned about the presence of malware in products sold through the Amazon service. Olsen was searching for outdoor surveillance cameras on Amazon for a friend’s home. He has found an interesting offer on Amazon, a deal for a set of 6 poe cameras and recording equipment.
Once in possession of the outdoor camera set, he tried to install its control software on the friend’s machine. By logging into the admin webpage he noticed the interface showed the camera feed, but none of the normal controls or settings was available.
Olsen suspected that an error in the code was causing the strange behavior so he decided to give a close look at the software. Inspecting the code he noticed an iframe linking to suspicious host name.
“Being one of those guys who assumes bad CSS, I went ahead and opened up developer tools. Maybe a bad style was hiding the options I needed. Instead, what I found tucked at the bottom of the body tag was an iframe linking to a very strange looking host name.” wrote Olsen in the blog post.
Who is brenz.pl? Simple, let’s ask it to Google.The domain is known to be a bad domain used for fraudulent activities, including malware-based attacks. Searching for more information online, we can find more information about the domain.
Virus Total also reports it as a malicious domain, meanwhile, experts at Sucuri confirmed in a blog post dated 2011 that they used to see brenz.pl being used to distribute malware back in 2009.“Malware. See this page or just simply go through this google search for more information. My guess is many people have missed this. The seller has great ratings and the products are a good deal. So be careful what you buy!” wrote Olsen.
A month ago, a user in a forum discussion reported the presence of a link to the malicious domain in the firmware running on commercial products.
“Just a caution for those upgrading the SC10IP’s firmware…I have come across a version with malware embedded in all the HTML pages.” reporetd the user.”each HTML file contains an iframe link to www. brenz. pl, which is (was) a malware distribution site. The site is recognised by Chrome’s malware detection, so you get a big warning not to proceed. It has also been taken over by CERT PL, so i presume it can’t cause any harm now.”Watch out! Now you know that even products sold on Amazon could be infected.”
Second, Amazon stuff can contain malware.” wrote Olsen.
Security experts shut down the dreaded Linux Mumblehard botnet
10.4.2016 BotNet
Researchers and law enforcement in a joint effort shut down the Mumblehard botnet composed of more than 4000 Linux machines.
Security experts have shut down a spam botnet, known as Mumblehard, composed of more than 4,00o Linux machines.
In May 2015, researchers from ESER revealed the sophisticated Mumblehard spamming malware infected thousands of Linux and FreeBSD servers going under the radar for at least five years.
The infected machines were part of a botnet used, in the preceding five years, to run spam campaign, a version of the Mumblehard malware was uploaded for the first time to the VirusTotal online malware checking service in 2009.
At that time, security experts at ESET have monitored the botnet during the previous 7 months by sinkholing one of its C&C servers and observing 8,867 unique IP addresses connected to it, with 3,000 of them joining in the past three weeks.
Today the botnet was dismantled, the experts speculate that operators behind the Mumblehard botnet are highly skilled developers that designed a custom “packer” to conceal the Perl-based source code that made it run, a backdoor, and a mail daemon that was able to send large volumes of spam messages.
The experts that accessed the C&C infrastructure used for the Mumblehard botnet, discovered an interesting automatic delisting mechanism from Spamhaus’ Composite Blocking List (CBL)
“Another interesting aspect of the Mumblehard operation revealed by our access to the C&C server was the automatic delisting from Spamhaus’ Composite Blocking List (CBL).” reported a blog post published by ESET. “There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots. If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn’t work) was used to break the protection.”
Researchers from ESET worked with Estonian law enforcement and an industry partner to shut down the Mumblehard botnet, a complex operation conducted by “sinkholing” the control infrastructure.
In February the experts took control of the Internet address belonging to the command server, by analyzing the incoming traffic they were able to estimate that the malicious infrastructure was composed at least of 4,000 machines.
Despite the researchers shut down the botnet, they are still investigating how the attackers composed a so large infrastructure. The researchers initially suspected that attackers compromised websites running WordPress CMS, but further analysis excluded this hypothesis.
“We knew some of the victims had been compromised through an unpatched CMS such as WordPress or Joomla, or one of their plugins. Forensic analysis of the C&C server suggests that computers running the Mumblehard bot agents were not initially compromised from that specific server.” states the report.
“The scripts we found were only to be run where PHP shells had already been installed. Perhaps Mumblehard’s operators were buying access to these compromised machines from another criminal gang?”
Cyber Justice Team claims a massive Data Leak from the Syrian Gov
10.4.2016 Hacking
The Cyber Justice Team claims a massive Data Leak from the Syrian Government, more than 43 GB of Data available Online
The hacker group named Cyber Justice Team leaked 10 GB of compressed data (when decompressed are over 43 GB of data) from several Syrian government and private companies.
The group claimed to have hacked Linux server belonging to the Syrian regulatory commission for IT services, the Syrian National Agency for Network Services.
The group has uploaded the files to the MEGA file hosting service and announced the data hack on PasteBin and also published the password of the breached server.
Is it a fresh dump?
According to security experts from Risk Based Security (RBS) who analyzed the archive most of the leaked information comes from past data breaches.
“The first pass at reviewing the data sparked a sense of some more deja vu, as many of the files appeared to include domains from previous, smaller defacements and leaks,” states a blog post published by RBS. “Further analysis confirmed our initial suspicions.”
The data dump contains 38,768 folders, it includes 274,477 files from 55 different website domains, belonging to government agencies and private companies.
The vast majority of files in the data dump were default Plesk files, Joomla!, and Cportal (phpnuke-cms) setups. The attackers may have exploited known vulnerabilities in outdated software.
“That said, our analysis shows the data appears to originate from nans.gov.sy, the Nation Agency for Network Services, and contains data from 55 Syrian domains, 25 of which being .gov.sy: 2 .org.sy; 1 com.sy and the remainder with the generic .sy. Most of the domains affected in the breach are either inactive or older domains that are no longer in use. Very few of the domains appear to be of some importance to the people of Syria.” states the RBS.
The hacker group of the Cyber Justice Team is an opponent of both the Syrian Government and the IS, both oppressors of the Syrian people.
For more details on the data dump give a look to the report published by Risk Based Security (RBS).
No Password Required! 135 Million Modems Open to Remote Factory Reset
9.4.2016 Hacking
More than 135 Million modems around the world are vulnerable to a flaw that can be exploited remotely to knock them offline by cutting off the Internet access.
The simple and easily exploitable vulnerability has been uncovered in one of the most popular and widely-used cable modem, the Arris SURFboard SB6141, used in Millions of US households.
Security researcher David Longenecker discovered a loophole that made these modems vulnerable to unauthenticated reboot attacks. He also released his "exploit" after Arris (formerly Motorola) stopped responding to him despite a responsible disclosure.
The Bug is quite silly: No Username and Password Protection.
Arris does not provide any password authentication set up on the modem’s user interface, thus allowing any local attacker to access the administration web interface at 192.168.100.1 without the need to enter a username and password.
This issue allows a local attacker to 'Restart Cable Modem' from the 'Configuration page' of the administrative interface at http://192.168.100.1/, as shown. This is nothing but a Denial of Service (DoS) attack.
Bingo! By clicking 'Restart Cable Modem' manually will disable victim's modem for 2 to 3 minutes and every device on that network will lose access to the Internet.
However, three minutes of no Internet connectivity is bearable, but the same administrative panel provides an option to Factory Reset the modem as well i.e. wipe out modem's configuration and settings.
If an attacker clicks this option, your modem will go offline for 30 minutes as re-configuration process takes as long as an hour to complete. Though, sometimes you need to call your Internet Service Provider (ISP) to reactivate the modem.
How to Perform DOS Attack Remotely?
David revealed that an attacker can also reset your modem remotely, as the application doesn't verify whether the reboot or reset the modem command comes from the UI interface or an external source.
This remote attack is known as a Cross-Site Request Forgery (CSRF) attack that allows an attacker to use social engineering techniques to trick users into clicking on a specially crafted web page or email.
For example: A web page including <img src="http://malicious_url/"> tag could call any of the following URLs:
http://192.168.100.1/reset.htm (for restart)
http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults (for factory reset)
"Did you know that a web browser does not care whether an 'image' file is really an image?," Longenecker explains. "Causing a modem to reboot is as simple as including an 'image' in any other web page you might happen to open."
"Of course, it is not a real image, but the web browser does not know that until it requests the file from the modem IP address – which of course causes the modem to reboot."
Are the flaws easy to Patch?
However, these flaws are easily patchable that only requires Arris to create a firmware update such that:
The UI requires authentication (username and password) before allowing someone to reboot or reset the modem.
The UI validates that a request originated from the application and not from an external source.
However, the bad news is that there's no practical fix for the flaws. Since cable modems are not consumer-upgradable, even if Arris releases a fix, you would need to wait for your ISPs to apply the fix and push the update to you.
Arris has recently addressed the flaws with a firmware update.
"We are in the process of working with our Service Provider customers to make this release available to subscribers," said the company's spokesperson.
"There is no risk of access to any user data, and we are unaware of any exploits. As a point of reference, the 135 million number is not an accurate representation of the units impacted. This issue affects a subset of the ARRIS SURFboard devices."
FBI reveals BEC attacks pilfered $2.3bn from US companies
9.4.2016 Incindent
According to a report recently issued by the FBI, cyber criminals have pilfered more than $2.3bn from 17,642 victims since 2013 with BEC attacks.
According to the FBI, cyber criminals have stolen more than $2.3bn from 17,642 victims since 2013 in BEC attacks.
The situation is critical, the number of business email compromise BEC scams continues to increase on a global scale.
“The Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the “business angle” of this scam and to avoid confusion with another unrelated scam.” reports the statement issued in 2015 by Internet Crime Complaint Center (IC3) and the FBI.
Scammers use to pretend to be executives that send emails to employees that tricked into thinking the messages are legit, hand over sensitive information to the attackers.
The attackers use the stolen data to steal money to the victims or resell them in the cyber criminal underground.
“FBI officials are warning potential victims of a dramatic rise in the business e-mail compromise scam or “B.E.C.,” a scheme that targets businesses and has resulted in massive financial losses in Phoenix and other cities.” states the new alert issued by the FBI.
Attackers focus their attack on all the internal staff that in charge to manage bank accounts and can make wire transfers. Businesses that work with foreign suppliers or that regularly perform wire transfer payments are a privileged target for scammers.
“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”
According to the FBI, since January 2015, there was a 270 per cent rise in BEC attacks against victims in every U.S. state and in at least 79 countries.
Each company has lost between $25,000 and $75,000 per attack.
A number of illustrious victims suffered BEC scams, In January 2015 crooks stole over $50 million from aircraft systems manufacturer FACC, in March 2016 data belonging to all current and past Seagate employees were stolen due to a W-2 phishing campaign.
Recently, security experts at Trend Micro discovered a Business Email Compromise Campaign leveraging on the Olympic Vision keylogger that targets Middle East and Asia Pacific Companies.
The FBI warned companies to improve authentication mechanisms for their services, for example, by adopting multi-factor authentication processes. It is essential to train employees in the BEC attack techniques in order to avoid being victims of scammers.
The CIA is funding a skincare line for the DNA extraction
9.4.2016 Safety
According to documents obtained by The Intercept, the CIA is looking with a great interest in a new skincare line for DNA extraction on crime scenes.
According to documents obtained by The Intercept, the CIA is funding a new skincare line that can allow the agency to collect DNA.
“SKINCENTIAL SCIENCES, a company with an innovative line of cosmetic products marketed as a way to erase blemishes and soften skin, has caught the attention of beauty bloggers on YouTube, Oprah’s lifestyle magazine, and celebrity skin care professionals. Documents obtained by The Intercept reveal that the firm has also attracted interest and funding from In-Q-Tel, the venture capital arm of the Central Intelligence Agency.” states the Intercept.
The CIA if particularly interested in the Clearista a product line that boasts a “formula so you can feel confident and beautiful in your skin’s most natural state.”
The CIA is interested in the ability of the Clearista product in removing a thin outer layer of skin that could allow investigators to obtain unique biomarkers that can be used for DNA collection.
The product is not invasive, it is able to remove the layer of skin just by using a special detergent and water.
“Skincential Science’s noninvasive procedure, described on the Clearista website as “painless,” is said to require only water, a special detergent, and a few brushes against the skin, making it a convenient option for restoring the glow of a youthful complexion — and a novel technique for gathering information about a person’s biochemistry.”reports the Intercept.
The CIA intends to use the skincare line for DNA extraction, as confirmed by the Russ Lebovitz, the chief executive of Skincential Science.
“Our company is an outlier for In-Q-Tel,” said Lebovitz “If there’s something beneath the surface, that’s not part of our relationship and I’m not directly aware. They’re interested here in something that can get easy access to biomarkers.”
Lebovitz highlighted that the CIA is interested in easy methods for the DNA extraction, but he admitted having no idea of the CIA’s intent of the technology.
It is likely the CIA would use the Clearista for DNA extraction directly on crime scenes.
Na odblokování nových iPhonů jsme krátcí, přiznali vyšetřovatelé z FBI
9.4.2016 Ochrany
Vedení společnosti Apple si může oddechnout. Americký Federální úřad pro vyšetřování (FBI) patrně neví o žádné kritické chybě v operačním systému iOS, která by ohrožovala desítky miliónů uživatelů po celém světě. Zpřístupnit data z iPhonu teroristy ze San Bernardina se vyšetřovatelům podařilo prostřednictvím speciálního nástroje, který stačí pouze na starší iPhony.
Se zmiňovaným nástrojem se FBI dokáže dostat pouze do iPhonu 5C a starších jablečných smartphonů. Na iPhone 5S a novější přístroje je prý metoda vyšetřovatelů krátká. Potvrdil to šéf FBI James Comey na konferenci o šifrovacích technologiích, která se konala tuto středu v Ohiu.
„Máme nástroj, který však nepracuje na všech iPhonech,“ prohlásil podle agentury Reuters Comey. Žádné bližší informace však prozradit nechtěl.
Vyšetřovatelům pravděpodobně s prolomením zabezpečení iPhonu pomohla společnost Cellebrite se sídlem v Izraeli. Firma britské stanici BBC potvrdila, že s americkými vyšetřovateli spolupracuje, ale více nesdělila.
Na svých internetových stránkách nicméně Cellebrite prohlašuje, že jeden z jejích nástrojů umí dekódovat a extrahovat data z iPhonu 5C.
Apple pomoc odmítal
Vyšetřovatelé z FBI se do uzamčeného iPhonu islámského radikála nemohli dostat dlouhé dva měsíce. Jeho iPhone 5C byl nastaven tak, aby se po zadání deseti nesprávných kódů automaticky vymazal, s čímž si bezpečnostní experti z FBI původně nedokázali poradit.
Soud proto Applu v únoru nařídil, aby tuto funkci vypnula, což však není technicky možné. Proto vyšetřovatelé chtěli po americkém softwarovém gigantu vytvořit v operačním systému iOS „zadní vrátka“, což však vedení Applu odmítalo.
Vyšetřovatelům z FBI se nakonec podařilo do uzamčeného zařízení dostat. Detaily o průniku však nezveřejnili.
Chyba prý neexistuje
Tím rozpoutali vášnivou diskusi mezi bezpečnostními experty. Vše totiž nasvědčovalo původně tomu, že FBI ví o kritické bezpečnostní chybě v operačním systému iOS, který využívají právě chytré telefony iPhone a počítačové tablety iPad. O té neměli mít potuchy ani vývojáři z Applu.
Čerstvé prohlášení šéfa FBI však nyní nasvědčuje tomu, že uživatelé v ohrožení nejsou. Jinými slovy vyšetřovatelé neznají žádnou chybu, díky níž by byli schopni zpřístupnit libovolné zařízení s logem nakousnutého jablka.
Útok v San Bernardinu byl nejtragičtějším od teroristických útoků v zemi v září 2001. Zradikalizovaný muslim Syed Farook a jeho žena Tashfeen Maliková tam na počátku loňského prosince zastřelili 14 lidí. Později byli zabiti při přestřelce s policií.
WordPress enables Free HTTPS Encryption for all Blogs with Custom Domain
9.4.2016 Security
WordPress enables Free HTTPS Encryption for all Blogs with Custom Domains
Do you own a custom domain or a blog under the wordpress.com domain name?
If yes, then there is good news for you.
WordPress is bringing free HTTPS to every blog and website that belongs to them in an effort to make the Web more secure.
WordPress – free, open source and the most popular a content management system (CMS) system on the Web – is being used by over a quarter of all websites across the world, and this new move represents a massive shift over to a more secure Internet
WordPress announced on Friday that it has partnered with the Electronic Frontier Foundation's "Let's Encrypt" project, allowing it to provide reliable and free HTTPS support for all of its customers that use custom domains for their WordPress.com blogs.
Now every website hosted on wordpress.com has an SSL certificate and will display a green lock in the address bar.
"For you, the users, that means you'll see secure encryption automatically deployed on every new site within minutes. We are closing the door to unencrypted web traffic (HTTP) at every opportunity," Wordpress said in its blog post.
HTTPS has already been available for all sub-domains registered on wordpress.com, but with the latest update, the company will soon offer free SSL certs for its custom domains that just use the WordPress backend.
In short, users with custom domains (https://abcdomain.com) will now receive a free SSL certificate issued by Let's Encrypt and on behalf of Wordpress, and have it automatically deployed on their servers with minimal effort.
Until now, switching web server from HTTP to HTTPS is something of a hassle and expense for website operators and notoriously hard to install and maintain it.
However, with the launch of Let's Encrypt, it is now easier for anyone to obtain Free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates for his/her web servers and set up HTTPS websites in a few simple steps.
Now WordPress is also taking advantage of this free, open source initiative for its websites.
So you might have a question in your mind:
What do I need to do to activate HTTPS on my WordPress blog?
You do not need to worry about this at all. WordPress.com is activating HTTPS on all of its millions websites without having you to do anything.
Let's Encrypt is trusted and recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer, so you need not worry about its authenticity.
However, in case you don't own a WordPress blog, but you want a free SSL certificate from Let's Encrypt, here is a step-by-step guide on How to Install Let's Encrypt Free SSL Certificate On Your Website.
The Open-source vulnerabilities database (OSVDB) shuts down permanently
9.4.2016 Security
,The Open Sourced Vulnerability Database (OSVDB) shut down permanently in response to the lack of assistance from the industry.
The Open Sourced Vulnerability Database (OSVDB) shut down permanently, the news was reported in a blog post published by the maintainers of the project. The decision was made in response to the lack of assistance from the industry.
“As of today, a decision has been made to shut down the Open Sourced Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form.This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense.” wrote Brian Martin (aka Jericho), one of the leaders of the OSVDB project.
“The industry simply did not want to contribute and support such an effort. The OSVDB blog will continue to be a place for providing commentary on all things related to the vulnerability world”
The maintainers highlighted that the project will not be resurrected, the group behind the OSVDB will keep alive their blog for providing commentary on all things related to the vulnerability world.
The OSVDB was founded in 2002 and launched in March 2004, it is an open-source project that catalogued more than 100,000 computer security vulnerabilities over the time, among its founders there was the popular HD Moore who developed the Metasploit framework.
The OSVDB was free for non-commercial use, its first sponsor and commercial partner was the Risk Based Security, the project also received donations from the security company High-Tech Bridge.
The project was an amazing repository for security experts and hackers, but many vendors were not happy for its activity.
One of the reasons behind the project shutdown is the impossibility to make bulk downloads of the content for no paying users, the website was deployed in the CloudFlare network in order to prevent scrapers’ activity.
Due to the impossibility to download a large volume of data from the DB, the archive did lose interest in the project by companies and users.
What will happen to OSVDB data?
According to HD Moore, the data will not be made available.
Google may adopt Apple's Swift Programming Language for Android
8.4.2016 Mobil
Almost two years back, Apple introduced Swift programming language at its World Wide Developers Conference (WWDC) to the developers who build software applications for Apple devices.
Swift was designed to make it easier for developers to create apps for Apple's mobile platform. Usually developers write complete app code and then compile it to see output, but Swift helps them see results in real time instantly while writing code.
Now, reports have been emerged that the search engine giant is also considering making Swift programming language a "first class" language choice for programmers making apps for its Android platform.
In between an ongoing legal battle with Oracle over Android, Google is planning to bring Swift into the Android platform with at least two major third-party developers — Facebook and Uber, reports The Next Web.
Around the time when Apple officially made Swift an open source language, executives from Google, Facebook and Uber attended a meeting in London to discuss the Apple's very popular Swift programming language.
The move is very likely due to Google's ongoing legal dispute with Oracle. The dispute started when Oracle sued Google for copyright in 2010, claiming that the search engine improperly used its Java APIs and baked them into its Android mobile OS.
However, Google argued that the Java APIs in question were necessary for software innovation, allowing different apps to talk to each other, and, therefore, could not be copyrighted.
Google almost won the initial lawsuit in 2012, but a Federal court reversed the decision in 2014 in Oracle's favor. Google then reached out to the US Supreme Court to take the case, but Supreme Court declined to hear its appeal.
Most recently, Oracle announced its intent to seek $8.8 Billion in damages from Google.
Although the final decision is yet to be made, which could possibly prohibit Google from using the copyrighted APIs, the company has started planning a shift towards other open source languages.
Last year, Google announced that the future Android builds (from Android N) will not use Java API, rather will make use of OpenJDK – an open source version of Oracle’s Java Development Kit (JDK).
OpenJDK is still controlled by Oracle, but at least, Google is legally cleared to implement it.
So, any official implementation of Swift into Android would not replace Java immediately, though. Google would make it easier for developers to build their Android apps with Swift, right alongside Java most often used for Android apps today.
Adobe fixes CVE-2016-1019 Zero-Day exploited to serve ransomware
8.4.2016 Vulnerebility
Cyber criminals are exploiting the Flash player zero-day vulnerability (CVE-2016-1019) affecting Flash Player 21.0.0.197 and earlier disclosed by Adobe.
Cyber criminals are already exploiting the Flash player zero-day vulnerability (CVE-2016-1019) affecting Flash Player 21.0.0.197 and earlier (CVE-2016-1019) disclosed by Adobe this week.
Researchers at security firm Proofpoint confirmed that cyber gangs are exploiting it to distribute a ransomware dubbed Cerber.
The hackers exploited the Flash Zero-day vulnerability to infect machines running Flash Player 20.0.0.306 and earlier on Windows 10 and earlier.
“A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 21.0.0.197 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” reported the advisory published by Adobe a couple of days ago on the Flash Player zero-day vulnerability.
The Flash player zero-day vulnerability is a memory corruption bug that exists in an undocumented ASnative API, it can be exploited by attackers for remote code execution. The popular security expert Kafeine reported the inclusion of the zero-day flaw in the Magnitude exploit kit.
“On April 2, 2016, Proofpoint researchers discovered that the Magnitude exploit kit (EK) [1] was successfully exploiting Adobe Flash version 20.0.0.306. Because the Magnitude EK in question did not direct any exploits to Flash 21.0.0.182, we initially suspected that the exploit was for CVE-2016-1001 as in Angler [2], the combination exploit “CVE-2016-0998/CVE-2016-0984″ [3], or CVE-2016-1010.” reported ProofPoint.
“Despite the fact that this new exploit could potentially work on any version of Adobe Flash, including a fully patched instance of Flash, the threat actors implemented it in a manner that only targeted older versions of Flash. In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability,” states Proofpoint “We refer to this type of faulty implementation as a ‘degraded’ mode, and it is something that we have observed in the past with CVE-2014-8439 and CVE-2015-0310 in Angler.”
Adobe explained that a mitigation was had been in the version 21.0.0.182 released in March, anyway it has solved the issue with the release of Flash Player 21.0.0.213, which also fixes other 23 vulnerabilities.
It is interesting to note that experts at FireEye noted that the zero-day exploit code for the CVE-2016-1019 presents many similarities to exploits leaked as a result of the clamorous Hacking Team hack.
“The exploit’s code layout and some of the functionalities are similar to the leaked HackingTeam exploits, in that it downloads malware from another server and executes it.” states the analysis published by FireEye.
More than 135 million ARRIS cable modems vulnerable to remote attacks
8.4.2016 Vulnerebility
Attackers can exploit the flaws in the ARRIS SURFboard cable modems to remotely knock out the device, more than 135 million device open to attacks.
The security expert David Longenecker reported security vulnerabilities affecting the popular broadband cable SURFboard modems produced by the ARRIS (formerly Motorola). The ARRIS SB6141 model is available for sale for around $70 US, it is able to support over 150 megabit speeds and works with all almost every US Internet provider.
Attackers can exploit the flaws in the ARRIS SURFboard modems to remotely knock out the device for a period of time that could reach 30 minutes, more than 135 million devices are at risk.
The attackers can rebooting the SURFboard modems remotely without authentication due to the presence of cross-site request forgery vulnerability.
“Rebooting one remotely is so easy, it doesn’t even require a password.” states Longenecker in a blog post. “Certain SURFboard modems have an unauthenticated cross site request forgery flaw. The modems have a static IP address that is not consumer-changeable, and the web UI does not require authentication – no username or password is required to access the administration web interface.”
An unauthenticated attacker can access the user interface of the cable modems. A local attacker can access the administration web interface (192.168.100.1) without being authenticated.
“With access to a local network, it is a trivial matter to reboot the modem serving that network, causing a denial of service while the modem reboots. Granted the modem only takes about 3 minutes to reboot, but for those three minutes, Internet access is offline. Additionally, activity sensitive to network outages (long downloads or remote desktop sessions, for example) may abort. 192.168.100.1/reset.htm” added the expert.
This means that a local attacker is able to restart the device, same result is possible to obtain if he uses a social engineering trick to convince the victim into clicking the following link:
http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults
This reset of the cable modems is a time-consuming process that can take as long as a half hour and that in some cases could need the support of the internet service provider (ISP) to restore the normal operation.
Longenecker discovered a second flaw, a cross site request forgery (CSRF), in the SURFboard modems that could be abused by attackers to launch the above command without using the device user interface.
“In this case, the intended design is for a user to access the SURFboard administration interface, and then click a link to execute a reboot. The application though does not verify that the command was issued from the administration UI. When an application does not verify that a command was issued from within the application, the possibility of CSRF exists.”
“Did you know that a web browser doesn’t really care whether an “image” file is really an image? Causing a modem to reboot is as simple as including an “image” in any other webpage you might happen to open – which is exactly the approach taken on the RebootMyModem.net proof of concept:
<img src=”http://192.168.100.1/reset.htm”>
Of course it’s not a real image, but the web browser doesn’t know that until it requests the file from the modem IP address – which of course causes the modem to reboot. Imagine creating an advertisement with that line of code, and submitting it to a widely-used ad network…”
The good news is that the vulnerabilities are easy to patch, the vendor just needs to issue a firmware update that implements an authentication mechanism for the reboot and reset of the cable modems, and implement a mechanism to prevent CSRF attacks.
The bad news is that cable modems could not be upgraded by the end-user, instead the patches have to be distributed by ISP once it is available … and we all know the problems related to patch management processes.
FBI: naše metoda pro odemknutí telefonu bude fungovat jen na iPhonu 5C
8.4.2016 Ochrany
Spor mezi FBI a Applem o asistenci při odemknutí iPhonu 5C skončil tím, že federální služba našla způsob pro obejití ochrany. Veřejnost a především Apple potom zajímá, jakým způsobem se k datům v zamknutém telefonu dostala. V rozhovoru pro CNN se jeden ze zástupců FBI nechal slyšet, že způsob odemknutí Applu nesdělí, protože by mohl chybu opravit. Zároveň však dodal, že tato metoda funguje jen u modelu iPhone 5C či starších.
Apple | Právo | Bezpečnost
FBI už Apple nepotřebuje. K datům z iPhonu se dostala svépomocí a spor končí
S velkou pravděpodobností se tak jedná o potvrzení způsobu, s nímž přišel třeba Edward Snowden. Ten spočívá ve zkopírování flash paměti a pokusy o prolomení bezpečnostního zámku provádět na tomto klonu. Metoda však může fungovat pouze u iPhonů s čipsetem Apple A6 a staršími. To znamená právě model 5C, případně 5. Od verze 5S s čipsetem A7 integroval Apple do svých telefonů bezpečnostní koprocesor obsahující část zvanou Secure Enclave. Ta ověřuje integritu hardwaru a v případě, že zaregistruje jeho změny, odstaví část systému nebo hardwaru z provozu. To je mimo jiné důvod nedávného rozhořčení nad nemožností svépomocí vyměňovat čtečku otisků prstů Touch ID.
Neaktualizované aplikace bývají příčinou napadení, české firmy to ale podceňují
8.4.2016 Zabezpečení
Až 85 % českých menších a středních podniků podceňuje softwarové aktualizace, tvrdí průzkum GFI. Většina podniků prý má dobře ošetřené updaty softwaru Microsoftu, nicméně podceňuje „záplatování“ softwaru třetích stran, jako Adobe, Google či Mozilla.
Podle organizace National Vulnerability Database, která sleduje globální zranitelnosti softwarových systémů, jsou dlouhodobě nejzranitelnější aplikace, několikanásobně více než operační systémy či hardwarové systémy.
K nejzranitelnějším aplikacím se podle ní řadí webové prohlížeče, Java a aplikace zdarma od Adobe jako Flash Player, Reader, Shockwave Player či AIR. A právě na tento software se soustřeďuje pozornost hackerů, kteří se snaží prostřednictvím bezpečnostních děr napadnout počítače a podnikovou síť.
Firma GFI nedávno vykonala lokální průzkum, kde zjišťovala, jak se k tomuto problému staví tuzemské firmy. A zjištění jsou podle ní alarmující. Například s problémy nedostatečně dělaných softwarových aktualizací se často setkává 23 % českých SMB společností, ojediněle 62 %.
Hlavními překážkami správně prováděného patch managementu ve firmách jsou přitom nedostatečné povědomí o problematice (54 %), obavy, že po aktualizaci nebude něco fungovat (46 %) a vysoká cena specializovaných nástrojů (41 %).
Z nástrojů pro patch management, které se v českých fimách používají, jde převážně o služby WSUS (46 %) a Windows Update (43 %)
„Tam, kde dobře fungují automatizované aktualizace, jako například u operačních systémů, je úroveň zranitelnosti nižší,“ říká Zdeněk Bínek, zodpovědný za prodej řešení GFI Software v ČR a na Slovensku a dodává: „Problém nastává u aplikací třetích stran, kde uživatelé často aktualizaci manuálně zamítnou a tím vystaví svůj počítač a celou firemní síť možným útokům.“
Podle něj může být vhodným přístupem využít centralizované nástroje, které dokážou jednak s pomocí simulovaných útoků vyhodnotit zranitelnost infrastruktury a jednak dovolí automaticky instalovat aktualizace na jednotlivé počítače bez potřeby zásahu uživatele.
FBI: Náš odblokovací nástroj na iPhony nefunguje na nové modely
8.4.2016 Zabezpečení
V kauze zašifrovaného iPhonu střelce ze San Bernardina je jasno. FBI si sehnala člověka, který telefon odblokuje. Univerzální řešení ale úřady nemají.
Dnes 8:56 Jan Beránek
Sdílet na Facebooku Odeslat na Twitter Sdílet na Google+
Nálepky: Apple Bezpečnost iPhone Šifrování WhatsApp
Prolomili zabezpečení u iPhonu 5C, ale dál se zatím nedostali. Podle agentury Reuters to přiznal šéf FBI James Comey. „Máme nástroj, který funguje jen na některých telefonech,“ tvrdil na šifrovací konferenci v Kenyon College v Ohiu. Podle agenta jejich technika nefunguje u modelů od verze 5S výše.
Ačkoliv nejde technologie vyšetřovatelů použít pro novější modely, FBI to nevzdává. Zkouší se k univerzálnímu klíči dostat za pomoci soudů. Přístup k zašifrovaným iPhonům by se agentům totiž hodil i v jiných případech než jen u přestřelky v San Bernardinu.
A je to právě otázka, jestli má výrobce telefonů poskytovat úřadům nástroj na odemykání zašifrovaných mobilů, nebo ne, která která poslední měsíce lomcuje Silicon Valley.
"Potěšila nás podpora celé Ameriky. Vydržíme. Věříme tomu, že máme zodpovědnost za ochranu vašich dat a vašeho soukromí. Dlužíme to našim zákazníkům a dlužíme to i této zemi,“ dokončil Tim Cook svůj proslov na prezentaci nových produktů.
Každopádně šifrování začalo být zase sexy. Kompletní šifrování veškeré komunikace třeba ohlásil WhasApp. Komunikační aplikace posbírala zatím miliardu uživatelů. A všichni budou teď mít šifrované nejen zprávy, ale i videa nebo obrázky.
Podle vyjádření firmy, i hlasové hovory. Koneckonců, majitel WhatsAppu, Facebook, si bere ochranu soukromí za jeden ze svých cílů, ať už to může znít jakkoliv paradoxně.
Podvodníci to zkouší přes SMS, pak důvěřivcům vybílí účet
8.4.2016 Podvod
Nový trik začali v posledních dnech zkoušet počítačoví piráti na tuzemské uživatele. Vylákat přihlašovací údaje k internetovému bankovnictví se snaží prostřednictvím SMS zpráv. Poté jim už zpravidla nic nebrání v tom, aby lidem vybílili účet. Před novou hrozbou varovali zástupci České spořitelny.
SMS zprávy se snaží vzbudit dojem, že je odesílá Česká spořitelna. Ta přitom s klientem skutečně touto formou v některých případech komunikuje. I jinak velmi ostražití uživatelé se mohou nechat relativně snadno napálit.
Jedna z podvodných zpráv informuje o zablokování internetového bankovnictví, tedy služby Servis 24. „Vážení kliente České spořitelny, dosáhli jste maximálního možného počtu pokusů o přihlášení do služby Servis 24. Pro odblokování Vašeho účtu se přihlaste zde. Vaše Česká spořitelna,“ tvrdí podvodníci.
Pod slovem zde se přitom ukrývá odkaz na podvodné webové stránky, kde chtějí počítačoví piráti po uživateli zadat přihlašovací údaje k internetovému bankovnictví. Pokud to důvěřivci skutečně udělají, dají kyberzločincům přímý přístup ke svému bankovnímu účtu.
Ukázka jedné z podvodných SMS zpráv
Na odkaz se snaží uživatele přinutit kliknout i další zpráva: „Vážený kliente, právě Vám na Váš účet dorazila neoprávněná platba. Zkontrolujte Váš účet na stránce ceskasporitelna-servis24.cz.“ SMS zprávy na náhodně vybraná telefonní čísla, mohou přitom přijít i lidem, kteří účet u spořitelny vůbec nemají.
Nová hrozba se logicky týká pouze majitelů chytrých telefonů. Starší mobily bez webových prohlížečů a přístupu k internetu totiž nedovedou odkazy v SMS zprávách otevírat.
Útočníci se zaměří na potvrzovací zprávy
Pokud se počítačoví piráti dostanou k přihlašovacím údajům do internetového bankovnictví, jsou jen krůček od vybílení účtu. Stačí, aby se jim podařilo na chytrý telefon propašovat dalšího nezvaného návštěvníka, který dovede odchytávat SMS zprávy pro potvrzení plateb.
To by přitom pro ně nemělo být kdovíjak složité. Číslo své oběti díky první podvodné SMS zprávě s odkazem na falešné stránky spořitelny už mají.
Na podobné zprávy by proto lidé neměli vůbec reagovat. „Důrazně varujeme před jakoukoliv reakcí na tyto výzvy! V žádném případě neklikejte na odkaz v SMS zprávě. Podvodníci by se tak totiž mohli dostat k vašim penězům! V případě jakýchkoliv pochybností nás kontaktujte na bezplatném telefonním čísle 800 207 207,“ varovali zástupci České spořitelny.
Podobně by lidé měli postupovat i v případě, že jim přijde SMS zpráva, ve které se podvodníci budou vydávat za jiný finanční institut. V případě neobvyklého chování chytrého telefonu nebo internetového bankovnictví, by se měli obrátit na svou banku.
The FBI director confirmed the purchase of a tool to hack the shooter’s iPhone, but …
8.4.2016 Apple
The FBI Director James Comey confirmed the Agency had purchased a hacking tool to crack the San Bernardino shooter’s iPhone, but …
The FBI has found a way to unlock any Apple iPhone, this is the opinion of the majority of security experts. Apple has expressed its concerns about the technique adopted by the Feds to access data on the San Bernardino shooter’s iPhone.
On Wednesday, the FBI Director James Comey made a strange affirmation, the official said the technique used in the San Bernardino case does not work on an iPhone 5S or later.
Speaking to the audience at the biennial political science conference at Kenyon College in Ohio, Comey explained the limits of the method used for unlocking iPhones.
“It’s a bit of a technological corner case, because the world has moved on to [iPhone] 6’s,” Comey said. “This doesn’t work on sixes, doesn’t work on a 5S. So we have a tool that works on a narrow slice of phones. I can never be completely confident, but I’m pretty confident about that.” reported the CNN.
FBI director James-Comey on iPhone cracking tool
Comey confirmed the agency used a tool bought from a private source, most likely the Israeli mobile forensic firm Cellebrite, because Apple refused to help the DoJ in cracking into the San Bernardino terrorist iPhone.
“The people we bought this from, I know a fair amount about them, and I have a high degree of confidence that they are very good at protecting it, and their motivations align with ours,” Comey said.
Comey hasn’t provided further details on the hacking tool it has bought and its limitation, but security experts believe the problems for the Feds started after the introduction of security measures implemented with the A7 chip, used in the iPhone 5S and later versions.
The FBI will support authorities involved in similar cases, for example in the investigation conducted by the Police in Arkansas in a homicide case that involved two teens accused of killing a couple. In this case, the FBI will unlock the iPhone and iPod belonging to the suspects.
The Feds will also offer their support in a drug investigation case in Brooklyn, this time the seized mobile is an iPhone 5S that runs iOS 7.
FBI vs Apple
Comey added that the US Government is evaluating the opportunity to reveal Apple the method it has used in order to crack the San Bernardino shooter’s iPhone.
“We tell Apple, then they’re going to fix it, then we’re back where we started from,” he said. “We may end up there, we just haven’t decided yet.”
FBI claims its iPhone Hacking Tool can't Unlock iPhone 5S, 6S and 6S Plus
7.4.2016 Apple
Although everyone, including Apple, was worried about the iPhone hacking tool used by the Federal Bureau of Investigation (FBI) to access data on iPhone belonged to the San Bernardino shooter, the FBI director said the hack does not work on an iPhone 5S or later.
FBI Director James Comey said Wednesday that the agency was able to avoid a prolonged legal battle with Apple by buying a tool from a private source to hack into terrorist Syed Farook’s iPhone 5C.
Apple was engaged in a legal battle with the Department of Justice (DOJ) for a month over a court order that forces the company to write new software, which could disable passcode protection on Farook's iPhone to help them access data on it.
Apple refused to comply with the order, so the FBI worked with a third-party firm, most likely the Israeli mobile forensic firm Cellebrite, and was successfully able to access data on the locked iPhone used in the San Bernardino shooting incident last year.
But speaking to the audience during a keynote address at the biennial political science conference at Kenyon College in Ohio, Comey said the FBI's new method for unlocking iPhones does not work on most iPhone models, according to CNN.
"It's a bit of a technological corner case, because the world has moved on to [iPhone] 6’s," Comey said, describing the flaw in response to a question. "This doesn't work on sixes, doesn't work on a 5S. So we have a tool that works on a narrow slice of phones. I can never be completely confident, but I'm pretty confident about that."
FBI agrees to help unlock other iPhones (Pending Cases)
Reportedly, the FBI agreed to help the Police in Arkansas in the homicide case by unlocking an iPhone and iPod belonging to two teens accused of killing a couple.
Besides this, the agency was trying to solve another Brooklyn case, in which an iPhone 5S that runs iOS 7 was seized in the course of a drug investigation.
But now it seems that the FBI may have to find out other options to solve its pending cases that involve newer iPhones.
Although Comey didn't elaborate on why its new hack didn't work on more advanced iPhones, it is very likely due to the Secure Enclave protections that Apple implemented with the 5S' A7 chip, which is present in all later iPhones.
Law Enforcement Agencies Worried About WhatsApp end-to-end Encryption
This isn’t the only issue bothering the FBI. Now WhatsApp supports end-to-end encryption by default for its over 1 Billion global users, which is why the FBI is worried that criminals and terrorists will take advantage of this move to hide their crime- or terrorism-related communications.
According to FBI General Counsel James Baker, the decision by the Facebook-owned messaging app to end-to-end encrypt its global offerings presents them with "a significant problem" because terrorists and criminals could "get ideas."
"If the public does nothing, encryption like that will continue to roll out," Baker told Washington on Tuesday. "It has public safety costs. Folks have to understand that, and figure out how they are going to deal with that. Do they want the public to bear those costs? Do they want the victims of terrorism to bear those costs?"
Google opravil 39 chyb v Androidu, 15 kritických
7.4.2016 Zranitelnosti
Uživatelé Androidu se mohou cítit bezpečněji, Google vydal rozsáhlou bezpečnostní aktualizaci systému.
Google vydal jednu z největších měsíčních aktualizací Androidu, opravující 39 chyb, z nichž 15 bylo vyhodnoceno jako kritických a 4 mohly vést až k úplné ztrátě kontroly nad systémem.
Součástí je i oprava chyby označované jako CVE-2015-1805, na kterou Google upozornil před dvěma týdny a které lze zneužít i prostřednictvím veřejně dostupné rootingové aplikace.
Jak se v posledních měsících ukazuje, komponenty, jejichž prostřednictvím Android zpracovává média, jsou častým zdrojem závažných mezer – aktuální aktualizace obsahuje rovnou devět patchů pro chyby související s media codecem, mediaserverem nebo knihovnou pro práci s multimédii (Stagefright), jichž byl schopný hacker zneužít k úplnému ovládnutí přístroje.
Další komponenty, kterých se nápravná aktualizace týká, zahrnují Android Kernel, DHCP klient či moduly Qualcomm. Patchování se však týká i méně závažných chyb, které však například prostřednictvím Bluetoothu či nejrůznějších ovladačů, mohly aplikacím dávat větší práva, než jaká vyžadovaly oficiálně.
Podle Googlu však žádná z těchto chyb, vyjma CVE-2015-1805, zneužita nebyla nebo alespoň o tom společnost nemá žádné informace.
Na chybovost systému dohlíží takzvaný Android Security Team, a to prostřednictvím bezpečnostních systémů Verify Apps a SafetyNet – první skenuje zařízení na hrozby pramenící z aplikací stažených na Google Play, druhý z aplikací stažených mimo Google Play.
Samotný Android je však ve svých novějších verzích čím dál tím bezpečnější a jestliže s aktualizací přijde některý z výrobců, uživatelé jsou vyzýváni k tomu, aby ji instalovali pokud možno co nejdříve.
Anonymous Philippines hacked the COMELEC. It is the biggest government related data breach
7.4.2016 Hacking
Anonymous Philippines hacked the COMELEC database, the incident exposed records of more than 55 million voters, it is the biggest gov-related data breach.
A few days ago I reported the news on the availability online of a database containing data of more than 50 million Turkish citizens, now IT security community is discussing another clamorous data breach occurred in the Philippine where a massive data breach have exposed the records of more than 55 million voters. The data breach occurred a few weeks before the national elections in the Philippines, scheduled for 9 May.
A couple of weeks ago, on 27 March 2016, Anonymous Philippines has hacked the Philippines’ Commission on Elections (COMELEC) website, they defaced it, but a second hacker collective, LulzSec Pilipinas has published online the entire database of the COMELEC.
Anonymous Philippines warned COMELEC to improve the security of the vote-counting machines.
Anonymous Philippines data breach
In a first time, COMELEC officials downplayed the data breach declaring that no sensitive information was compromised.
“I want to emphasise that the database in our website is accessible to the public,” declared the Comelec spokesperson James Jimene.“There is no sensitive information there. We will be using a different website for the election, especially for results reporting and that one we are protecting very well,” he added.
The archive is full of sensitive data, including personal and passport information and fingerprint data, and unfortunately, not all the records were encrypted.
LulzSec Pilipinas released 16 databases from the Comelec website for a total number of 355 tables.
“Every registered voter in the Philippines is now susceptible to fraud and other risks after a massive data breach leaked the entire database of the Philippines’ Commission on Elections (COMELEC). ” reported Trend Micro who is investigating the case.
“Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million record of fingerprints and list of peoples running for office since the 2010 elections.”
This is the biggest government-related data breach,it exposed more than double of the number of records exposed in the US government’s Office of Personnel Management (OPM) hack that resulted in 21.5 million people being exposed to an unknown party.
And now …
More than 55 million voters are exposed to the risk of cyber attack. Cyber criminals and state-sponsored hackers can use the information to carry on a wide range of malicious activities, including scams, espionage campaigns and extortion. In previous cases of
“In previous cases of data breach, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails or BEC schemes, blackmail or extortion, and much more.” concluded TrendMicro.
How to Run Ubuntu on latest Windows 10 Insider Preview Build 14316
7.4.2016 OS
How to Run Ubuntu on latest Windows 10 Insider Preview Build 14316
As reported last week, Microsoft will launch an 'Anniversary Update' for Windows 10 that will bring Ubuntu file system, allowing you to use Bash to run command-line Linux applications without a virtual machine.
However, you do not have to wait until this summer to run Bash (Bourne Again Shell) on your Windows 10 OS, as Microsoft has released the first preview build of the Windows 10 Anniversary Update to the members of its Insider program.
Don't expect it to run Ubuntu directly on Windows 10, as this is basically Ubuntu user-space packages running natively on Windows 10 by the company coming up with real-time translation of Linux system calls into Windows system calls.
This new Bash Shell support features a full Ubuntu user space complete with support for tools including ssh, apt, rsync, find, grep, awk, sed, sort, xargs, md5sum, gpg, curl, wget, apache, mysql, python, perl, ruby, php, vim, emacs and more.
Windows 10 build 14316's biggest addition is running native Bash on Ubuntu in Windows 10, and you can install the new preview build to test this feature.
Here's How to Run native Bash on Ubuntu on Windows
Step 1: Enroll in the Windows Insider program and Select "Advanced Windows Update options" under "System Settings."
How to Run Ubuntu on latest Windows 10 Insider Preview Build 14316
Step 2: Set your update ambition to "the fast ring".
How to Run Ubuntu on latest Windows 10 Insider Preview Build 14316
Step 3: Now turn ON "Developer Mode" via Settings → Update & security → For developers, as this new feature is specifically meant for developers.
How to Run Ubuntu on latest Windows 10 Insider Preview Build 14316
Step 4: You now need to check for new updates (Insider Preview Build 14316), apply all updates, and then Restart your system.
How to Run Ubuntu on latest Windows 10 Insider Preview Build 14316
Step 5: Turn ON the new Windows feature, "Windows Subsystem for Linux (Beta)".
How to Run Ubuntu on latest Windows 10 Insider Preview Build 14316
Note: You need a 64-bit version of Windows. Without it, you won't see the new option.
Step 6: Reboot your system.
Step 7: Now Press the Start button and type 'Bash' or simply open Command Prompt and type 'bash.' This will launch a console window powered by Ubuntu's user-space.
How to Run Ubuntu on latest Windows 10 Insider Preview Build 14316
Bingo! Now experience Bash just as good as it's in variants of Linux.
Other New Features in Build 14316
Other new features in Build 14316 include improvements to the Microsoft Edge browser, new Skype Universal Windows Platform app, support for new emoji, and a new toggle that lets you switch between light and dark mode themes for Windows Settings, clock, calculator, and other apps.
However, Keep in mind that this is just a preview of upcoming Windows feature, so there may be some bugs, and some features may also change before they are launched for all Windows users this summer.
TA530 group, spear phishing meets ransomware
7.4.2016 Virus
A threat actor named TA530 group, has been targeting executives in an attempt to infect their machine with various malware, including ransomware.
Ransomware continues to represent one of the greatest threat for the Internet users, the FBI recently issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware.
Security firms are assisting to a rapid increase in the number of infections caused by the ransomware, US and Canada issued a joint warning about the recent surge in ransomware-based attacks. The most disconcerting aspect of the situation is the continuous improvement of such kind of malware and the techniques adopted by criminal organizations to spread it.
Today we will discuss a new threat that adopts a singular strategy to infect the victims, it relies on spear-phishing attacks to compromise users’machines.
Security firms use to observe spear-phishing attacks for espionage purposes, however, the adoption of these techniques in the criminal field contributes increasing their effectiveness.In a spear-phishing attack
In a spear-phishing attack, threat actors use a deep knowledge of the potential victims to target them, clearly this approach allows them to tailor the operation.
According to security experts at Proofpoint, a threat actor, named TA530 group, has been targeting executives and other high-level employees in an attempt to compromise their machine with various malware, including the CryptoWall ransomware.
Other threats in the malware arsenal of the TA530 are:
Ursnif ISFB – banking Trojan configured to target Australian banks
Fileless Ursnif/RecoLoad – Point of Sale (PoS) reconnaissance Trojan targeted at Retail and Hospitality. It was first featured in Kafeine’s blog [1] in July of 2015, which suggests that it has been in distribution since 2014; shortly after, it was described with more detail by Trend Micro [2].
Tiny Loader – a downloader used in campaigns targeting Retail and Hospitality verticals. We have not observed it download secondary payloads, but previously it has been used to download malware such as AbaddonPOS [3].
TeamSpy/TVSpy – RAT utilizing Teamviewer [4], primarily targeted at Retail and Hospitality
CryptoWall – File encrypting ransomware targeted at a variety of companies
Nymaim – Installs a banking Trojan [5] primarily targeted at Financial companies
Dridex Botnet 222 – banking Trojan botnet with UK targeting. Proofpoint first observed this botnet when it was dropped by Bedep in January 2016 [6]
The attackers were able to profile victims, targeting specific industries and geographic areas.
The approach is simple, targeting executives there is a high likelihood that victims will pay to restore high-value information and usually people in these positions are more likely to have access to corporate online bank accounts and other online services.
“Additionally, TA530 customizes TA530 customizes the e-mail to each target by specifying the target’s name, job title, phone number, and company name in the email body, subject, and attachment names. On several occasions, we verified that these details are correct for the intended victim. While we do not know for sure the source of these details, they frequently appear on public websites, such as LinkedIn or the company’s own website. The customization doesn’t end with the lure; the malware used in the campaigns is also targeted by region and vertical.” states the blog post published Tuesday
The TA530 group targets tens of thousands of recipients in US, UK, and Australian organizations, the figures are very interesting if we consider that are related to spear-phishing attacks.
“We observed TA530 at times targeting only a specific and narrow vertical, such as Retail and Hospitality. At other times, the campaigns appear more widespread. Overall, the volume of messages targeting each vertical is shown below:
The experts believe that the TA530 will intensify his spear-phishing campaign including new malicious payloads into its arsenal and adopting news delivery methods.
“Based on what we have seen in these examples from TA530, we expect this actor to continue to use personalization and to diversify payloads and delivery methods,” states ProofPoint. “The personalization of email messages is not new, but this actor seems to have incorporated and automated a high level of personalization, previously not seen at this scale, in their spam campaigns.”
Hacking Team přišel o licenci, v Evropě už nemůže prodávat špionážní software
7.4.2016 Hacking
Společnost Hacking Team, která dodává vládám a tajným službám po celém světě software pro sledování telefonní a internetové komunikace, musela loni řešit problémy týkající se uniklé databáze svých klientů. Nyní má tento italský podnik další velký problém – v Evropě už nebude moci prodávat svůj špionážní software.
Z kauzy týkající se uniklé databáze, která obsahovala stovky gigabajtů dat o klientech společnosti Hacking Team a která kolovala od poloviny loňského roku internetem, se italský podnik po několika měsících vzpamatoval. V letošním roce se tak podle serveru The Hacker News již naplno rozjela výroba špionážního softwaru na zakázku.
Právě kvůli tomu se ale společnost Hacking Team na domovském trhu stala trnem v oku italskému ministerstvu pro hospodářský rozvoj (MISE). To zrušilo těmto bezpečnostním expertům oprávnění vyvážet programy do celé Evropy. Pro své podnikání tak budou muset nyní lidé z Hacking Teamu žádat o udělení individuální licence pro každý trh, což nemusí být zas tak snadné.
Teoreticky tedy může vedení italského podniku dál podnikat mimo USA, možnosti šíření špionážního softwaru se ale značně zkomplikují.
Ukradená databáze prozradila téměř vše
Hacking Team je jednou z největších společností svého druhu. Špionážní software a další bezpečnostní programy nabízí tato italská firma prakticky do celého světa, svou vlastní bezpečnost přesto v loňském roce podcenila. Hackerům se tak podařilo dostat k databázi klientů a zakázek.
Z ní bylo možné snadno získat prakticky všechny nástroje, které byly používány ke šmírování a sledování lidí snad ve všech koutech světa. Společnost Hacking Team nabízela hned několik různých „bezpečnostních“ produktů.
Hlavní obchodovatelnou surovinou ale byl program Remote Code System. Ten dovoluje snadnou infiltraci do chytrých telefonů i počítačových tabletů, aby je bylo možné odposlouchávat. Využívá k tomu chyby v operačních systémech a dalších programech.
Miliónový byznys
Na seznamu klientů požadujících tvorbu virů budila v našich končinách největší pozornost česká společnost Bull, která v době úniku databáze vystupovala už pod jménem Atos IT Solutions and Services. Ta podle všeho nakupovala šmírovací programy pro českou policii, konkrétně pro Útvar zvláštních činností.
Ze zveřejněných e-mailů vyplývalo, že jen během letošního a minulého roku policisté poptávali u italských vývojářů možnost infikovat zařízení potenciálního návštěvníka mnoha dalších internetových stránek včetně velkých bank.
Na seznamu klientů byly kromě České republiky také Saúdská Arábie, Kazachstán, Omán, Jižní Korea, Libanon či Mongolsko. Jen za loňský rok si společnost Hacking Team měla přijít na několik desítek miliónů eur. Z České republiky mělo plynout údajně 690 000 eur, tedy více než 18,6 miliónu korun.
Personalisovaný ransomware: příloha obsahuje jméno i pracovní pozici oběti
7.4.2016 Zdroj: Živě.cz Viry
Bezpečnostní společnost Proofpoint upozorňuje na další typ malwaru, kteří se začíná šířit pomocí e-mailových příloh. Zajímavý je však tentokrát především způsob, kterým chtějí útočníci donutit oběť k otevření přílohy. Zprávy proto rozesílají s osobními údaji nejen v předmětu zprávy - jméno cíle se objevuje také v textu e-mailu a především potom v názvu přiloženého dokumentu. Jak je vidět na screenshotu níže, může se jednat třeba o zinscenované řešení konfliktu na pracovišti.
Ukázka sofistikovaného e-mailu cíleného na konkrétní obět (zdroj: Proofpoint)
Podle Proofpointu se přiložený soubor nejčastěji stará o instalaci tzv. ransomware – tedy malwaru, který zašifruje uživatelská data a dešifrovací klíč je možné získat až po zaplacení tučného výkupného. To však bez záruky, že bude opravdu fungovat a uživatel se ke svým datům dostane. Podobným způsobem však mohou útočníci instalovat i další typy malwaru jako je ten s názvem Ursnif ISFB, který se snaží získat bankovní údaje.
Útoky jsou cíleny nejčastěji na management firem – jejich pracovní pozice nejčastěji nesou označení jako finanční ředitel či viceprezident. Informace mohou útočníci snadno získat třeba z profesní sítě LinkedIn, kde je snadno spojí i s fyzickou adresou firmy, případně mohou do e-mailu zahrnout i jména skutečných kolegů.
Německá policie si došlápla na hackery. Zátahy probíhaly také v Nizozemsku či Kanadě
7.4.2016 Hacking
Německá policie podnikla v celé zemi rozsáhlý zátah proti počítačovým pirátům. Ve všech 16 spolkových zemích provedla prohlídky ve 175 bytech a firmách namířené proti 170 podezřelým osobám. Podobné zátahy se konaly také v Nizozemsku, Lucembursku, Francii a Kanadě, sdělily ve středu podle agentury DPA generální státní zastupitelství a policejní prezidium v Koblenzi.
Zadrženi byli dva muži podezřelí z trestné činnosti spojené s počítači. Hlavní podezřelý podle sdělení orgánů činných v trestním řízení pochází z Porýní-Falce. Druhý zadržený je ze Sárska a při domovní prohlídce u něj byly nalezeny drogy a také zbraně.
Mezinárodně koordinované akce se zúčastnilo na 700 policistů, kteří zajistili více než 300 počítačů a nosičů dat. Podle poskytnutých informací zadržený hacker působil po celém světě a na internetu poskytoval jiným počítačovým pirátům nástroje pro trestnou činnost.
„K nabízeným službám patřil například speciální software, který maskoval cizí škodlivé programy (jako jsou viry či trojské koně) před antivirovými programy," uvedly státní zastupitelství a policie. Tento takzvaný malware byl pak využíván například ke zjišťování přístupových hesel a bankovních informací a následně k okrádání a vydírání.
Jaká škoda byla takto způsobena, nelze podle generálního státního zástupce Jürgena Brauera zatím říci. Nejprve je třeba projít rozsáhlé datové soubory, které byly zadrženy. To zřejmě potrvá delší dobu.
'Hacking Team' Loses License to Sell Surveillance Malware Outside Europe
7.4.2016 Safety
'Hacking Team' Loses License to Sell Surveillance Malware Outside Europe
Hacking Team – the infamous Italy-based spyware company that had more than 400 GB of its confidential data stolen last year – is facing another trouble.
This time not from other hackers, but from its own government.
Hacking Team is infamous for selling surveillance spyware to governments and intelligence agencies worldwide, but now it may not be allowed to do so, as the Italian export authorities have revoked the company's license to sell outside of Europe.
Almost a year after it was hacked and got all its secrets leaked online, Hacking Team somehow managed to resume its operations and start pitching new hacking tools to help the United States law enforcement gets around their encryption issues.
Hacking Team had sold its malware, officially known as the Galileo Remote Control System, to authorities in Egypt, Morocco, Brazil, Malaysia, Thailand, Kazakhstan, Vietnam, Mexico, and Panama.
Hacking Team had also signed big contracts with the Federal Bureau of Investigation (FBI) and the Drug Enforcement Administration (DEA), making almost $2 Million from both.
However, the Italian Ministry of Economic Development (MISE) said the company would now have to get an 'individual' license, revoking the Hacking Team's "global authorization" to export its Galileo spyware.
Hacking Team's spokesperson Eric Rabe confirmed the news on Tuesday, after the Italian outlet Il Fatto Quotidiano first reported of its licence revocation.
So, the company can still sell its Galileo spyware within the European Union without getting any special license, but the sales outside of Europe will require permission on a country-by-country basis.
Of course, it is then again up to the Italian officials whether to approve or refuse any requests from Hacking Team.
Journalists and activists frequently criticized Hacking Team for selling its spyware to nations with poor records on human rights. Hacking Team formerly had the licence to export its spyware to 46 countries.
The List includes the USA, Brazil, Ecuador, Egypt, Ethiopia, Indonesia, Israel, India, Japan, South Korea, Kuwait, Malaysia, Saudi Arabia, Nigeria, Qatar, Singapore, South Africa, Thailand, Turkey, United Arab Emirates, and Vietnam.
Ubuntu issued a patch to fix a number of Kernel Vulnerabilities
7.4.2016 Vulnerebility
Ubuntu has patched a number of flaws affecting the Linux kernel, it is urging users to apply the patch if they’re running 14.04 LTS or any derivative builds.
Ubuntu has patched a number of vulnerabilities affecting the Linux kernel, it is urging users to apply the patch if they’re running 14.04 LTS or any derivative builds.
According to the security advisory issued by Ubuntu yesterday, the list of bugs includes a use-after-free vulnerability (CVE-2015-8812) and a timing side-channel vulnerability (CVE-2016-2085), and a couple of flaws that open the Kernen to denial of service.
The use-after-free flaw was reported by Venkatesh Pottem, an attacker can exploit it to crash the system or possibly execute arbitrary code.
The timing side-channel vulnerability in the Linux Kernel affects the Extended Verification Module (EVM), an attacker can trigger it to compromise the. The flaw was reported by Xiaofei Rex Guo.
A third vulnerability is caused by the failure in enforcing limits on data “allocated to buffer pipes” that would’ve exhausted resources.
ubuntu12
Below the description provided for the remaining flaws fixed by the patch.
“David Herrmann discovered that the Linux kernel incorrectly accounted file descriptors to the original opener for in-flight file descriptors sent over a unix domain socket. A local attacker could use this to cause a denial of service (resource exhaustion). (CVE-2016-2550)” states the advisory. “It was discovered that the Linux kernel did not enforce limits on the amount of data allocated to buffer pipes. A local attacker could use this to cause a denial of service (resource exhaustion). (CVE-2016-2847)”
If you are using Ubuntu 12.04 LTS you urgently need to update it to fix the above vulnerabilities with the following package version:
Ubuntu 14.04 LTS:
linux-image-3.13.0-85-powerpc-smp 3.13.0-85.129
linux-image-3.13.0-85-powerpc-e500mc 3.13.0-85.129
linux-image-3.13.0-85-powerpc64-smp 3.13.0-85.129
linux-image-3.13.0-85-generic 3.13.0-85.129
linux-image-3.13.0-85-generic-lpae 3.13.0-85.129
linux-image-3.13.0-85-powerpc64-emb 3.13.0-85.129
linux-image-3.13.0-85-powerpc-e500 3.13.0-85.129
linux-image-3.13.0-85-lowlatency 3.13.0-85.129
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
Locky: the encryptor taking the world by storm
7.4.2016 Zdroj: Kaspersky Virus
In February 2016, the Internet was shaken by an epidemic caused by the new ransomware Trojan Locky (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Locky). The Trojan has been actively propagating up to the present day. Kaspersky Lab products have reported attempts to infect users with the Trojan in 114 countries around the world.
Analysis of the samples has shown that this Trojan is a brand new ransomware threat, written from scratch. So, what is Locky, and how can we protect against it?
Propagation
In order to spread the Trojan, cybercriminals sent out mass mailings with malicious loaders attached to spam messages.
Initially, the malicious spam messages contained an attached DOC file with a macro that downloaded the Locky Trojan from a remote server and executed it.
An early-stage spam message with a malicious document attached
A fragment of the malicious macro
Kaspersky Lab products detect files with malicious macros as Trojan-Downloader.MSWord.Agent and HEUR:Trojan-Downloader.Script.Generic.
We should note that in modern versions of Microsoft Office, automatic execution of macros is disabled for security reasons. However, practice shows that users often enable macros manually, even in documents from unknown sources, which may lead to some damaging consequences.
At the time of writing, the malicious spam is still being sent, but instead of the DOC files being attached there are now ZIP archives containing one or more obfuscated scripts in JavaScript. The messages are mostly in English, though some bilingual variants have appeared.
Spam message in English with the archive attached
Message in German and English with the archive attached
The user is prompted to manually launch the scripts.
Contents of the archive attached to the message
Fragment of the archived script
When launched, the script downloads the Locky Trojan from a remote server and launches it.
Kaspersky Lab products detect these script loaders as Trojan-Downloader.JS.Agent and HEUR:Trojan-Downloader.Script.Generic.
Geography of attacks
Kaspersky Security Network has reported Locky attacks in 114 countries. Below is a list of countries where the Trojan was detected most often:
Country Number of attacks
Germany 3989
France 2372
Kuwait 976
India 512
China 427
South Africa 220
United States 188
Italy 128
Spain 105
Mexico 92
We should note that these statistics only include cases where the actual Trojan was detected, and does not include early-stage detections reported as malicious spam or malicious downloaders.
The geography of Trojan-Ransom.Win32.Locky attacks
As we can see, the Trojan carries out attacks in practically all regions of the world. We can assume which countries the cybercriminals see as their main targets based on the list of languages used on the ransom payment webpage (see details below).
How it works
The Locky Trojan is an executable file, about 100 kb in size. It is written in C++ using STL, and is compiled in Microsoft Visual Studio. When launching, it copies itself to %TEMP%\svchost.exe and deletes the NTFS data stream Zone.Identifier from its copy – this is done to ensure that when the file is launched, Windows does not display a notification saying that the file has been downloaded from the Internet and may be potentially dangerous. The Trojan then launches from %TEMP%.
Once launched, the Trojan checks for the presence and the contents of the below registry keys.
Path Type Value
HKEY_CURRENT_USER\Software\Locky\id REG_SZ Infection ID
HKEY_CURRENT_USER\Software\Locky\pubkey REG_BINARY Public RSA key in MSBLOB format
HKEY_CURRENT_USER\Software\Locky\paytext REG_BINARY Text shown to the victim
HKEY_CURRENT_USER\Software\Locky\completed REG_DWORD Status (whether encryption is completed)
If data already exists in the registry keys (this is the case if the Trojan has launched before, but its previous session aborted for some reason), Locky reads that data and continues with the infection process.
If launched for the first time, the Trojan performs the following actions:
Contacts C&C and reports infection;
Receives a public RSA-2048 key and infection ID from C&C, saves them in the registry;
Sends information about the language of the infected operating system, receives the cybercriminals’ ransom demand text that will be shown to the victim, saves the text in the registry;
Searches for files with specific extensions on local disk drives, encrypts them;
Deletes shadow copies of files;
Registers itself for autostart (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run);
Searches for and encrypts files with specific extensions on network drives and on network file resources with no assigned drive letter;
Displays the cybercriminals’ ransom demands to the victim;
Terminates its process and removes itself.
Fragment of code that determines the language of the operating system
File encryption
The Trojan searches for files matching a given list of extensions. Then, these files are encrypted as described below.
List of file extensions that are subject to encryption
For each file that matches an extension on the list, the Trojan generates a new 128-bit key and encrypts the file’s contents with the algorithm AES-128 in CTR mode. The encrypted file is given the name <16 HEX characters as ID><16 random HEX characters>.locky. Then the following structure is added to the end of the file:
Structure appended by the Trojan to the end of an encrypted file
In C language syntax, this structure may be described as follows:
struct file_data
{
uint32_t start_marker; //Structure start marker = 0x8956FE93
char id[16]; //Infection ID
uint8_t aes_key[256]; //AES key encrypted with RSA-2048
uint32_t name_marker; //Name start marker encrypted with AES (= 0xD41BA12A after decryption)
uint8_t orig_name[520]; //Original file name encrypted with AES
WIN32_FILE_ATTRIBUTE_DATA attr; //Original file attributes encrypted with AES
};
1
2
3
4
5
6
7
8
9
struct file_data
{
uint32_t start_marker; //Structure start marker = 0x8956FE93
char id[16]; //Infection ID
uint8_t aes_key[256]; //AES key encrypted with RSA-2048
uint32_t name_marker; //Name start marker encrypted with AES (= 0xD41BA12A after decryption)
uint8_t orig_name[520]; //Original file name encrypted with AES
WIN32_FILE_ATTRIBUTE_DATA attr; //Original file attributes encrypted with AES
};
Appended structure described in C language syntax
Ransom demands
After encrypting the user’s files, the Trojan displays the following message with the cybercriminals’ ransom demands.
Ransom demand in English
Ransom demand in German
The ransom message contains the address of the cybercriminals’ ‘secret server’ where they placed information about the ransom they demand for the decryption program. All four links in the message lead to the same website in the Tor network.
During the early spamming campaigns, the ransom payment page looked like this:
Early version of Locky’s ransom demand page
On this page, the cybercriminals suggested that the victims pay in bitcoins to decrypt the affected files on their computer. They also gave recommendations about where and how to get the cryptocurrency.
The contents and the design of the page changed with time. Today, the page is available in more than 20 languages (that can be selected from a dropdown list), and looks like this:
Latest version of Locky’s ransom payment page
If we look at the page’s source code, we will see a complete list of supported languages. The cybercriminals obviously see the corresponding countries as the main targets for this ransomware Trojan. Interestingly, Russian and other CIS languages are not on the list. For some reason the cybercriminals are not that keen on targeting users in countries where those languages are spoken – something that KSN statistics confirm.
List of languages supported on Locky ransom payment page
Communication with C&C
The Trojan’s code contains between one and three C&C IP addresses. On top of that, the code contains an algorithm generating new C&C addresses (DGA, domain generation algorithm) depending on the current day, month and year. With this algorithm, six C&C addresses are generated each day. The pseudo-code to illustrate the DGA Locky algorithm is highlighted in the screenshot below.
Pseudo-code of Locky C&C domain generation algorithm
Communication with a C&C is performed using the HTTP protocol. The Trojan sends a POST request to an address with the format http://<cnc_url>/main.php; the transmitted data is encrypted with a simple symmetric algorithm.
Let’s have a look at the possible types of transmitted parameters.
Notification about infection and request for key.
id=<infection id>
&act=getkey&affid=<partner id contained in the Trojan’s body>
&lang=<language of the operating system>
&corp=<whether the OS is a corporate OS>
&serv=<whether the OS is a server OS>
&os=<OS version>
&sp=<version of OS service pack>
&x64=<whether the OS is 32- or 64-bit>
Judging by the affid parameter, Locky is distributed via an affiliate, or partnership, program.
Sending list of encrypted paths.
id=<infection id>
&act=report&data=<list of paths>
For each disk drive it has handled, the Trojan sends the C&C a list of all paths to all encrypted files.
Sending statistics for each handled disk drive.
id=<infection id>
&act=stats&path=<path>
&encrypted=<number of files encrypted>
&failed=<number of errors>
&length=<total size of encrypted files>
It should be noted that the cybercriminal collects very detailed statistics for each infection. Other ransomware families that we analyzed earlier were not this thorough at collecting statistics.
Countermeasures
Kaspersky Lab products protect against the Locky ransomware Trojan at all stages of the attack:
The anti-spam module detects emails sent by the Trojan’s distributors;
Script loaders are detected by static and heuristic signatures of email and file antivirus with the verdicts Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic;
The Trojan’s executable file is detected by file antivirus signatures as Trojan-Ransom.Win32.Locky;
Unknown samples of Locky are proactively detected by the System Watcher module with the verdict PDM:Trojan.Win32.Generic.
Preventing infections
Locky is a typical ransomware Trojan, and it exhibits no major differences from other ransomware families in its internal arrangement or its principles of operation. However, it caught the attention of researchers because it was so active and so widespread. According to KSN data, Kaspersky Lab products have blocked Locky attacks in over 100 countries around the world – no other ransomware Trojan to date has attacked so many countries at once.
To protect yourself from this ransomware Trojan, follow these preventive measures:
Do not open attachments in emails from senders you don’t know;
Back up your files on a regular basis and store the backup copies on removable storage media or in cloud storages – not on your computer;
Regularly run updates for your antivirus databases, operating system and other software installed on your computer;
Create a separate network folder for each user when managing access to shared network folders.
Italian Government revoked Hacking Team ’s global export license
7.4.2016 Safety
The government authority who oversees the export of “dual use” technologies revoked the Hacking Team ’s global export license.
On July 2015, the Italian surveillance company Hacking Team suffered one of the worst data breaches in the history. Unknown attackers have exfiltrated some 400Gbs of data, including internal emails, exploit source code and invoices.
A few months later, the company has resumed its operations and started working with a new set of tools for its arsenal.
In October, Motherboard obtained a copy of a non-public email sent by the CEO David Vincenzetti to a mailing list made of potential and current customers on October 19.
Vincenzetti announced a totally new cyber arsenal, he defined its new tools as game changers,
[Hacking Team is] “finalizing brand new and totally unprecedented cyber investigation solutions, game changers, to say the least.”
Now the company has received another blow, the Italian Government authority who oversees the export of “dual use” technologies, named “Autorità per l’esportazione beni a duplice uso,” has revoked the “global authorization” to export its surveillance software at the end of March.
The authority is controlled by the Italian Ministry of Economic Development (MISE) that revoked “with immediate effect” the global authorization granted to the company the year before.
According to the Italian newspaper Il Fatto Quotidiano that first reported on the news, the MISE revoked the authorization two years before the deadline of April 30, 2018.
What will happen?
The Hacking Team will have to ask permission for every sale of its spyware to clients outside the European Union. The Hacking Team can still sell its surveillance software to organizations within the European Union without express authorization.
According to the Il Fatto Quotidiano one of the reasons for the revocation is the diplomatic situation with the Egyptian Government that is accused of covering the truth on the murder of Italian student Giulio Regeni.
According to an anonymous email received by the Italian Government, Regeni was abducted, tortured and killed by the Egyptian secret services.
A source close to Hacking Team referred Vincenzetti went on to reassure its employees that the situation is under control and is not new for the company, a similar restriction was imposed to the organization between October 2014 and April 2015.
The Italian newspaper Il Corriere Della Sera a couple of weeks ago has revealed that the Italian authorities have launched an investigation on the Hacking Team in order to examine it conduct when exporting the surveillance software, an activity referred to past sales.
The company always explained that all the sales were conducted in accordance with current laws and regulations.
Let’s sit and wait to see the response of the lawyers of the company.
One Billion WhatsApp Users are now protected by End-to-End Encryption
6.4.2016 Security
Whatsapp now implements end-to-end encryption for all versions of the most popular messaging and voice calling application.
Great news for privacy advocates and WhatsApp users, the software now implements end-to-end encryption for all versions of the most popular messaging and voice calling application. On Tuesday, the company announced the significant improvement to its 1 billion users with a blog post and also published a white paper the technical details for its end-to-end encryption system.
“WhatsApp has always prioritized making your data and communication as secure as possible. And today, we’re proud to announce that we’ve completed a technological development that makes WhatsApp a leader in protecting your private communication: full end-to-end encryption.” states the company blog post.
The paper highlights that the encryption protocol implements by Whatsapp uses perfect forward secrecy, this means that “even if encryption keys from a user’s device are ever physically compromised, they cannot be used to go back in time to decrypt previously transmitted messages.”
It was a necessary improvement to improve the privacy and security of its users.
“We live in a world where more of our data is digitized than ever before,” explained Jan Koum, a WhatsApp co-founder.”Every day we see stories about sensitive records being improperly accessed or stolen. And if nothing is done, more of people’s digital information and communication will be vulnerable to attack in the years to come. Fortunately, end-to-end encryption protects us from these vulnerabilities.”
WhatsApp uses the Axolotl protocol, aka known as Signal protocol or double ratchet that is a key management algorithm developed by Trevor Perrin with support from Moxie Marlinspike in 2013. The protocol is also used by the popular Signal encrypted messaging and voice app.
“As of today, the integration is fully complete. Users running the most recent versions of WhatsApp on any platform now get full end to end encryption for every message they send and every WhatsApp call they make when communicating with each other. This includes all the benefits of the Signal Protocol — a modern, open source, forward secure, strong encryption protocolfor asynchronous messaging systems, designed to make end-to-end encrypted messaging as seamless as possible.” Moxie wrote on its blog.
From now every message, file, photo, video, and voice and chat message user sends, is end-to-end encrypted by default.
In November 2014, WhatsApp implemented the encryption by default on Android OS with the collaboration of the Open Whisper company announcing the plan to extend it to all the other platforms, that is exactly what the company have done.
The implementation was applauded by privacy advocates and civil libertarians, including the popular Christopher Soghoian of the American Civil Liberties Union.
AMERIČTÍ HACKEŘI SE ZAMĚŘILI NA PRESTIŽNÍ ADVOKÁTNÍ KANCELÁŘE
6.4.2016 Incidenty
Koordinovaný útok na počítačové sítě tří nejprestižnějších advokátních kanceláří ve Spojených státech vyšetřuje Federální úřad pro vyšetřování (FBI).
Agenti se domnívají, že pachatelům šlo o důvěrná data klientů napadených kanceláří, s nimiž chtěli obchodovat. Mezi poškozenými jsou advokátní kanceláře Cravath Swaine & Moore LLP a Weil Gotshal & Manges LLP, které zastupují banky na Wall Street a společnosti zařazené do žebříčku Fortune 500. Advokátní skupina Cravath následně vydala prohlášení, podle něhož k útokům došlo již loni v létě a kancelář při nich nepřišla o žádná důvěrná data.
Tomu však někteří bezpečnostní experti příliš nevěří a varují, že advokátní kanceláře jsou velmi lákavým cílem kyberútoků. „Zatímco většina firem si vytváří a ukládá důvěrná data interně, advokátní kanceláře mají tendenci získávat a shromažďovat velmi cenná data od svých klientů, která jednotliví advokáti sdílí po celou dobu kontraktu. To představuje velkou výzvu pro IT a bezpečnostní týmy těchto firem: na jednu stranu musí být taková data přístupná advokátům a zaměstnancům kanceláře odkudkoli zvenčí, ovšem na druhou stranu je potřeba s takto shromážděnými daty nakládat velmi opatrně,“ míní bezpečnostní specialista společnosti Rapid7 Tod Beardsley.
Ochránit taková data je o to těžší, že nejrespektovanější advokátní kanceláře mají jejich část uloženu ve starších systémech. „Cravath Swaine & Moore, ale i mnoho jejich vrstevníků, nepočítá svou historii na léta, nýbrž na staletí,“ upozorňuje Beardsley. „Tyto firmy musely archivovat důvěrná data po celá desetiletí a zároveň inovovat svoje komunikační technologie a IT infrastrukturu, ale také současně držet krok s rychle se měníním nebezpečním kybernetických hrozeb,“ uzavřel expert.
DALŠÍ TŘI AMERICKÉ NEMOCNICE CÍLEM RANSOMWARE ÚTOKU
6.4.2016 Viry
Americká FBI vyšetřuje tři případy napadení IT systémů nemocnic ve Spojených státech škodlivým ransomware. Takzvaný vyděračský vir šifruje počítače a jejich obsah, načež útočník požaduje za jejich odblokování výkupné.
Nejnovější útoky se soustředily na zdravotnická zařízení v Kalifornii a Kentucky, konkrétně na kentuckou Methodist Hospital a kalifornské Chino Valley Medical Center a Valley Hospital Desert. Podle dosavadních informací žádná z nemocnic nezaplatila výkupné a všem se podařilo obnovit jejich systémy, aniž by útočník narušil chod zařízení a ohrozil citlivá data pacientů.
Metodistická nemocnice v Kentucky však musela vyřadit z provozu všechny své počítače a aktivovat záložní systém.
„Methodist Hospital momentálně funguje ve stavu nouze z důvodu napadení počítačovým virem, který omezil využívání elektronických služeb. Na odstranění tohoto problému pracujeme, do té doby budou naše internetové služby a elektronická komunikace omezeny,“ uvedla nemocnice na svých internetových stránkách.
Fred Ortega, mluvčí kalifornských zařízení Chino Valley Medical Center a Valley Hospital Desert, rovněž potvrdil napadení IT infrastruktury obou nemocnic. „Nicméně většina systémů kritické infrastruktury byla již uvedena zpět do režimu online,“ ujistil.
K útokům došlo několik týdnů poté, co ransomware vyřadil z provozu počítače v jiném zdravotnickém zařízení - Hollywood Presbyterian Medical Centre v Los Angeles. Představitelé nemocnice útočníkovi za odblokování počítačů zaplatili. V případě kentucké Methodist Hospital útočil známý ransomware Locky, který zašifroval soubory, včetně obrázků, a přidal jim příponu „.locky“. Tento vir se nejčastěji dostane do systému elektronickou poštou jako příloha nevyžádané zprávy a požaduje od příjemce, aby povolil makra, jinak si nebude moci přílohu přečíst. Jakmile dojde k infiltraci počítače oběti, zobrazí se na displeji zpráva s pokyny, jak zaplatit výkupné za odblokování počítače.
BANKOVNÍ TROJAN PRO ANROID DOKÁŽE OBEJÍT 2FA
6.4.2016 Mobilní
Android/Spy.Agent.SI krade přihlašovací údaje do mobilního bankovnictví z více než 20 aplikací známých bank. Malware se maskuje jako Flash Player, včetně legitimně vypadající ikony. Díky schopnosti zachytávání SMS komunikace překoná i dvoufaktorové ověření identity uživatele.
Malware se stahuje z několika serverů, které byly registrovány na konci ledna a začátku února. Zajímavostí je, že URL adresy ke škodlivému APK balíčku se mění každou hodinu. Jde o klasickou metodu, jak co nejdéle odolávat detekčním mechanismům antivirových programů.
Po stažení a instalaci aplikace požádá uživatele o přístup do zařízení s administrátorskými právy. Po udělení oprávnění škodlivou aplikaci nejde klasickou cestou odinstalovat. Ikona aplikace, která se vydává za Flash Player, se v uživatelském rozhraní skryje, takže na první pohled to vypadá, že k instalaci vůbec nedošlo, malware však už na pozadí provádí svou činnost.
Android/Spy.Agent.SI komunikuje se vzdáleným serverem. V pravidelných intervalech 25 sekund odesílá na server informace o infikovaném zařízení – model, IMEI, jazyk, verze SDK a instalovaných aplikacích. Z těch ho nejvíce zajímají bankovní aplikace. Pokud dojde ke shodě s cílovými aplikacemi, dojde k útoku.
Nejde o nic složitého. Při zapnutí legitimní aplikace malware zablokuje otevření aplikace a požaduje zadání přístupových údajů v podvodném okně. Samozřejmě v reálu k žádnému ověření zadaných údajů nedochází, místo toho Android/Spy.Agent.SI získaná data ihned odesílá na vzdálený server. Podobný způsobem se snaží získat přístup i do Google účtu.
Výměna informací mezi zařízení a serverem je kódována. Vše kromě ukradených přihlašovacích údajů, které se odesílají v plain textu.
Pak už při podvodné platbě zbývá jen obejít ověření pomocí SMS zprávy. Opět jde o jednoduchý proces. Malware odešle text smsky na server a zároveň zamaskuje, že by nějaká SMS na zařízení vůbec přišla. Útočník tak může nepozorovaně okrádat uživatele a převádět peníze na vlastní účty.
Android/Spy.Agent.SI prozatím útočí jen v Austrálii, Novém Zélandě a Turecku.
TÝDNY OD OBJEVENÍ MALWARE LOCKY STÁLE NAPADÁ A ŠIFRUJE INFIKOVANÉ POČÍTAČE. JAK TO DĚLÁ A JAK SE BRÁNIT?
6.4.2016 Viry
Win32/Filecoder.Locky.A je ramsonware, který šifruje více než 100 typů souborů (od obrázků až po databáze) na pevných, vyměnitelných i síťových discích. Po spuštění se nakopíruje do lokace %temp%\svchost.exe a přidá do registrů záznam, který zajistí spuštění při každém startu infikovaného počítače.
K infekci dochází při otevření infikované přílohy e-mailu. Příloha se většinou „tváří“ jako Word nebo Excel soubor, která však obsahuje škodlivé makro. Pamětníci si jistě pamatují, že ze makroviry nejsou nic nového, jen na nějaký čas téměř zcela vyklidily pole. Společnost ESET zaznamenala variantu, která v infikované příloze nemá Locky přímo, ale stahuje jej pomocí trojanu Nemucod.
Po infekci počítače Locky zašifruje soubory a na pozadí plochy zobrazí výzvu k zaplacení výpalného. Všechny instrukce ohledně platby odkazují na TOR a platba probíhá v bitcoinech.
Jaká je obrana?
Na ransomware platí jedině pravidelná záloha. Vzhledem k faktu, že Locky dokáže šifrovat i síťové disky, musí jít o offline úložiště. Pak není problém počítač zformátovat a použít zálohy. Druhou variantou je samozřejmě virtuální prostředí, u kterého se dá vrátit do některého z předchozích stavů operačního systému.
Důležitou úlohu hraje i pravidelně aktualizovaný antivirový program (nejlépe se zapnutým systémem včasného varování) a operační systém, včetně programů třetích stran (Adobe, Java apod.)
PŘEHLEDNĚ: Aféra Panama Papers
6.4.2016 Incidenty
Kauza Panama Papers v posledních dnech otřásá světovou politickou a obchodní scénou a dotýká se i České republiky. O co přesně jde a jaké jsou technické detaily?
O co jde: Únik dat advokátní kanceláře Mossack Fonseca je považován za vůbec největší v historii, alespoň co se týče samotného objemu informací. Hacknuté emaily obsahovaly 2,6 TB dat a to včetně 4,8 milionů emailových zpráv a 2,2 milionů PDF.
Počet osob zasažených kauzou neustále stoupá, a zřejmě jen tak nepřestane. Panama Papers obsahují informace o desítkách vlivných politiků napříč světem, z minimálně 40 zemí včetně Velké Británie, Francie, Ruska, Číny, Indie nebo České republiky.
Poukazují také na společnosti, ve kterých si politici, jejich blízcí příbuzní či spolupracovníci schovávali finance, aby z nich nemuseli odvádět daně. Od neděle se zpráva nezastavitelně šíří médii a rozhodně nehodlá ustat.
Čísla: Úniky, dle předběžných zpráv, zahrnují 11,5 milionu důvěrných dokumentů z let 1970 až 2015. 2,6 terabytů dat zahrnuje 4,8 milionů emailů, 3 miliony databázových souborů, 2,2 miliony PDF souborů, 1,1 milion obrázků a 320 000 textových dokumentů.
Jak se to stalo: Detaily nejsou úplně jasné, ale zástupce advokátní kanceláře Mossack Fonseca potvrdil zprávy kolující médii, že únik pochází z hacknutého emailu. Není jisté, jak útok přesně proběhl, ale testy externích bezpečnostních vyšetřovatelů naznačují, že firma Mossack Fonseca neměla zašifrované emaily standardními TLS protokoly.
Takový emailový útok mohl proběhnout „mnoha způsoby,“ říká Zak Maples, starší bezpečnostní konzultant ve firmě MWR InfoSecurity, kyberbezpečnostní agentuře. Zdá se, že byl napaden samotný server společnosti namísto jednotlivých emailových schránek, a to především kvůli množství ukradených informací, napsal dále v emailu.
„Tento únik je pravděpodobně součástí pokusu o zkompromitování společnosti,“ dodává Maples. „Útočníci možná napadli Mossack Fonseca skrze server a zvýšili oprávnění administrátorovi domény nebo emailovému administrátorovi, a díky těmto oprávněním pak zpřístupnili a postahovali všechna data, nacházející se na serveru emailů.“
Kdo jsou útočníci: Stručně? Nikdo neví. Zdroj je neznámý, a to pravděpodobně i pro ty zpravodajské agentury, které o uniklých datech informovaly jako první. Dle zpráv komunikoval hacker skrze bezpečně šifrovaný chat a email.
Postoj společnosti: Mossack Fontesa odmítá jakákoli pochybení. Říká, že pouze asistovala svým klientům v zakládání regulérních společností. „Ač jsme mohli být obětí úniku dat, nic v tomto nelegálně získaném balíku dokumentů nenaznačuje, že bychom provedli cokoli špatného nebo nezákonného, což sedí k naší 40 let pečlivě budované reputaci dělat byznys tím správným způsobem,“ uvedla advokátní kancelář v prohlášení. „Nikdo samozřejmě nemá rád, když je jejich majetek ukraden, a my uděláme cokoli, co bude v našich silách, aby byli viníci přivedeni před spravedlnost.“
Česko: 283 jmen Čechů a Češek figuruje v Panama Papers. V Česku má data k dispozici pouze jediná instituce, a to České centrum pro investigativní žurnalistiku. Slibuje, že do měsíce se lidé dozví všechna jména Čechů v listech obsažená.
Budoucnost: Zatím prvním velkým ohlasem je zmatečné odstoupení Islandského premiéra, který je do kauzy zapleten. Jak se bude situace vyvíjet dál, není zcela jisté, avšak na další otřesy na politické i podnikatelské scéně stačí jen počkat. Rozhodně se též bude probírat stav zabezpečení emailových schránek a serverů velkých podniků, které si podobné datové úniky zkrátka nemohou dovolit.
Miliardový WhatsApp je nyní kompletně šifrovaný. Soudy i NSA mají prý smůlu
6.4.2016 Zabezpečení
Letos v zimě WhatsApp oznámil, že jej používá již více než miliarda surfařů a o dva měsíce později přispěchala s přelomovou zprávou i společnost Open Whisper Systems, které komunikátoru poslední dva roky pomáhá v nasazování vlastní šifrovací technologie Signal Protocol.
Všechny části WhatsAppu jsou nyní podle bezpečnostních specialistů šifrované způsobem end-to-end a to včetně hlasové komunikace, takže službu nemůže nikdo snadno odposlouchávat a žádná státní autorita nemůže po provozovateli požadovat dešifrovací klíč, protože ten jej prostě nemá.
WhatsApp je nyní kompletně end-to-end šifrovaný, takže se k obsahu žádným způsobem nedostane ani provozovatel a to třeba i po soudní žádosti, naléhání NSA aj.
Vzhledem k tomu že je WhatsApp pravděpodobně nejpoužívanějším komunikátorem na světě (jeho hlavním konkurentem bude nejspíše Messenger od Facebooku), silné zabezpečení kritizují některé země, jejichž bezpečnostní agentury se děsí, že nebudou moci nikoho snadno odposlouchávat.
Komunikační službu před dvěma lety koupi Facebook, který ze ni zaplatil okolo 19 miliard amerických dolarů.
Hacker reveals How to Bypass iPhone 6s Lock Screen Passcode [Video]
6.4.2016 Apple
Apple gave you a reason to turn your Siri OFF.
A critical security flaw in Apple's newest iPhones running the latest version of the iOS operating system allows anyone to bypass the phone's lockscreen and gain access to personal information.
The iPhone lockscreen bypass bug only works on the iPhone 6S and iPhone 6S Plus, as these devices take advantage of the 3D Touch functionality that is used to bypass the lockscreen passcode and access photos and contacts.
The lockscreen bypass bug is present in iOS 9.2 and later, including the latest iOS 9.3.1 update, released last week.
Anyone with physical access to an affected iPhone can gain access to the victim's photos, emails, text and picture messages, contacts, and phone settings, according to the Full Disclosure mailing list.
Here's How to bypass iPhone's Lockscreen
Step 1: If you own iPhone 6S or 6S Plus, first lock your device.
Step 2: Invoke Siri and speak 'Search Twitter.'
Step 3: When Siri asks what you want to search for, reply her: 'at-sign Gmail dot com' or any other popular email domain, as the aim is to find a tweet containing a valid email address.
Step 4: Once you get the results, tap on a tweet with a valid email address.
Step 5: Now 3D Touch that email address in order to bring up the contextual menu.
Step 6: Tap 'Create New Contact.'
Step 7: Now add an image in order to view all the images on the device.
You may have to give Siri access to the Photo Library. You can even see contacts on the iPhone by using the 'Add to Existing Contact' option instead.
Video Demonstration:
You can also watch the video demonstrating the security issue.
However, it's as simple to access user's personal data on a locked iPhone as to fix the bug yourself while waiting for Apple to roll out a permanent fix.
Here's how to Fix the iPhone Lockscreen Bug
The vulnerability can be temporarily fixed by just disabling Siri from the lockscreen though it will cripple your iOS 9.3 or iOS 9.3.1 experience.
Go to the Settings → Touch ID & Passcode and Disable Siri on the Lockscreen.
Alternatively, you can just remove Photos access from Siri, so that anyone with the advantage of the flaw can not view any of your personal pictures.
Go to Settings → Privacy → Photos and then prevent Siri from accessing pictures.
Of course, Siri could still ask your permission to view photos on the iPhone when somebody would try to abuse the security issue.
Facebook uses Artificial Intelligence to Describe Photos to Blind Users
6.4.2016 Privacy
Today the Internet has become dominated by images, and it’s the major feature that got Facebook to a Billion daily users.
We can not imagine Facebook without photos, but for Millions of blind and visually impaired people, Facebook without photos has been the reality since its launch.
But not now! Facebook has launched a system, dubbed Automatic Alternative Text, which describes the contents of pictures by telling blind and visually-impaired users what appears in them.
Blind and visually-impaired people use sophisticated navigation software known as screen readers to make their computers usable. The software turns the contents of the screen into speech, but it can't "read" pictures.
However, Facebook's Automatic Alternative Text or AAT uses object recognition technology that can decode and describe photos uploaded to the social network site using artificial intelligence and then provide them in a form that can be readable by a screen reader.
Video Demonstration
ATT tool, led by Facebook's 5-year-old accessibility team, has already made its way to iOS devices and would soon be available for Android and the Web as well.
Facebook says its AAT tool The more images it scans, the more sophisticated the software will become. While still in its early stages, the AAT technology can reliably identify objects and activities in categories including:
Appearance - baby, eyeglasses, smiling, beard, jewellery, shoes and selfie
Environment - outdoor, sky, grass, tree, mountain, snow, ocean, beach, water, wave, sun
Food - pizza, ice cream, dessert, sushi, coffee
Transport - aeroplane, train, bus, boat, car, motorcycle, bicycle, road
Sports - tennis, basketball, baseball, golf, swimming, stadium
The move by the social network giant is a bigger step forward for blind and visually-impaired users, although it only works in English at the current.
So in order to see the AAT technology in action for yourself, iOS users using iOS’s built-in screen reader can Go to Settings → General → Accessibility, and activate VoiceOver.
The company will soon bring the new functionality to other mobile platforms as well as languages. You can see the video demonstration to know how AAT tool works for someone using a screen reader.
Adobe to issue Emergency Patch for Critical Flash Player Vulnerability
6.4.2016 Vulnerebility
Adobe has been one of the favorite picks of the Hackers to mess with any systems devoid of any operating systems, as Flash Player is a front runner in all the browsers.
Hackers have already been targeting Flash Player for long by exploiting known vulnerabilities roaming in the wild.
Despite Adobe's efforts, Flash is not safe anymore for Internet security, as one more critical vulnerability had been discovered in the Flash Player that could crash the affected system and potentially allow an attacker to take control of the system.
Discovered by a French Researcher Kafeine, FireEye's Genwei Jiang, and Google's Clement Lecigne, the flaw affects Adobe Flash Player 21.0.0.197 and its earlier versions for Windows, Macintosh, Linux and Chrome OS.
The vulnerability, assigned under CVE-2016-1019, also expands back to Windows 7 and even towards Windows XP.
Adobe had also confirmed that the newly discovered vulnerability in its Flash Player is being exploited actively in the wild.
Update Adobe Flash Player Software
This issue caused the Adobe engineers to urgently work on a mitigation method and release an emergency update under Flash Player 21.0.0.182, which is expected to get released this Thursday.
Usually, Adobe releases its patch on the second Tuesday of the month, the same day as Microsoft, but rolls out emergency patches on an ad hoc basis, analyzing the seriousness of the bug.
The endless Adobe updates and upgrades had failed to ensure the user security in the real time scenario. So it's high time for users to disable or completely uninstall Adobe Flash Player.
Believe or not, Adobe Flash Player is dead and its time has passed.
In January last year, YouTube moved away from Flash for delivering videos.
Although in between Flash made an effort to beef up its security in a bid to justify its existence, things got a bit heated when Firefox became aware of a critical bug and blocked the Flash plugin entirely.
Facebook’s Security Chief publicly called for Adobe to announce a kill date for Flash. In fact, Google Chrome has also begun blocking auto-playing Flash ads by default.
Adobe to patch Flash Player zero-day vulnerability actively exploited in the wild
6.4.2016 Vulnerebility
A new Flash Player zero-day vulnerability (CVE-2016-1019) has been actively exploited by threat actors in attacks against systems running Windows XP and 7.
Once again a zero-day vulnerability in the Adobe Flash Player 21.0.0.197 is threatening Internet users worldwide. The news was spread by Adobe that issued a security alert on Tuesday anticipating an imminent release for a security patch.
The vendor, which will release a security patch as early as April 7, has credited Kafeine of Proofpoint, Genwei Jiang of FireEye, and Clement Lecigne of Google for reporting the issue.
The bad news is that according to the company, the Flash Player zero-day vulnerability (CVE-2016-1019) has been actively exploited by threat actors. Adobe is aware of cyber attacks exploiting the CVE-2016-1019 have been launched against systems running Windows XP and Windows 7 with Flash 20.0.0.306 and earlier.
“A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 21.0.0.197 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” states the advisory published by Adobe on the Flash Player zero-day vulnerability.
Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier.”
Flash Player zero-day vulnerability
The Flash Player zero-day vulnerability affects the Player 21.0.0.197 and earlier versions for Windows, Mac, Linux and Chrome OS. The advisory confirms that the Flash Player version 21.0.0.182 released in March introduced a mitigation that prevents attackers from triggering the flaw.
“A mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later. Adobe is planning to provide a security update to address this vulnerability as early as April 7. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.”
The vendor also published some suggestions on mitigations, users have to run Flash installation 21.0.0.182 or later due to the mitigation recently introduced.
“To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.”
Unfortunately, similar events are becoming too frequent, this is the third time that Adobe released a Flash Player update this year. The first updated was released in February, meanwhile, a second update was released in March, when Adobe fixed a number of flaws including the CVE-2016-1010.
Kyberzločinci mají na mušce routery, uživatelé jejich zabezpečení podceňují
6.4.2016 Viry
Na routery – brány do světa internetu – se zaměřují kyberzločinci stále častěji. Využívají toho, že zabezpečení těchto internetových zařízení uživatelé především v domácnostech velmi podceňují, někdy to ale platí i o firmách. Na routery například cílí nový virus Kaiten, před kterým varovala ve středu antivirová společnost Eset.
Záškodník Kaiten, který bývá někdy pojmenován také jako KTN-Remastered nebo KTN-RM, kombinuje funkcionality již známých škodlivých kódů. Přesto podle bezpečnostních expertů představuje pro uživatele poměrně velké riziko.
Březnová studie Cisco Annual Security Report totiž ukázala, že devět z deseti internetových zařízení má slabá místa.
Během samotného útoku virus hledá skulinu, kde je firmware hardwaru zranitelný.
Pavel Matějíček, manažer technické podpory společnosti Eset
A právě to nahrává počítačovým pirátům. „Kaiten představuje hrozbu pro všechny, kdo mají router či jiný přístupový bod, na který se dá připojit z internetu. Během samotného útoku virus hledá skulinu, kde je firmware hardwaru zranitelný. Pokud uspěje, stáhne škodlivý kód shodný pro všechny platformy a snaží se jej spustit,“ uvedl Pavel Matějíček, manažer technické podpory společnosti Eset.
Právě s pomocí staženého škodlivého kódu pak útočníci dokážou router na dálku ovládnout a dělat si s ním prakticky cokoliv, co je napadne. Mohou například odposlouchávat komunikaci nebo přesměrovávat internetové adresy.
Přesně to udělali už v minulosti díky zranitelnosti známé jako „rom-0“. Místo serverů, jako jsou například Seznam.cz nebo Google.com, se poškozeným zobrazila hláška o nutnosti instalace flash playeru. Místo té se ale do PC stáhnul další virus. Útočníci tak rázem měli přístup nejen k routeru, ale i k připojenému počítači.
Jak se bránit
Hlavní problém je v tom, že routery není možné chránit antivirovými programy, jako je tomu u počítačů. I tak ale nejsou uživatelé úplně bezbranní. „Hlavní způsob, jak této hrozbě předejít, představuje upgrade firmwaru routeru na aktuální verzi a nepoužívat mnohdy triviální přednastavené přihlašovací jméno a heslo. Rovněž je vhodné zvážit přihlašování k routeru pouze z vnitřní sítě a nikoliv z internetu,“ dodal Matějíček.
Do konfigurace routerů by se nicméně neměli pouštět méně zkušení uživatelé. Mohou totiž nevhodným nastavením způsobit více škody než užitku. Paradoxně tak mohou klidně otevřít zadní vrátka pro útočníky.
PŘEHLEDNĚ: Jak probíhá útok na router?
1. Internetem se šíří virus, který cílí na routery. Napadnout tyto brány do světa internetu může buď přímo při procházení zavirovaných webů, nebo prostřednictvím některého počítače v dané síti, který je již zavirován.
2. Ve chvíli, kdy se virus zabydlí v routeru, dokáže zcela zablokovat internetové připojení na všech počítačích, a to i chytrých mobilech a tabletech zapojených v síti.
3. U většiny doposud zaznamenaných útoků virus začal následně zobrazovat výzvu k instalaci aktualizace flash playeru. Snaží se tak vzbudit dojem, že stránky nejdou spustit právě kvůli neaktuálnosti pluginů.
4. Výzva se zobrazovala i v případech, kdy byly do adresního řádku zadány regulérní weby, které ve skutečnosti k zobrazování obsahu flash player nepotřebují – například Seznam.cz nebo Google.com.
5. Místo aktualizace si lidé stáhnou do počítače virus. Zobrazování hlášek i na regulérních webech je možné právě kvůli tomu, že kyberzločinci ovládají přímo samotný router. Ve skutečnosti tedy žádné ze zadaných serverů vir neobsahují.
6. I když antiviry z napadeného počítače virus odstraní, stále nemají uživatelé vyhráno. Zdroj dalších hrozeb se totiž ukrývá přímo v samotném routeru. A k němu nemá drtivá většina bezpečnostních aplikací vůbec žádný přístup.
7. Řešením je uvést router do továrního nastavení. Jak na to, to se lidé dozvědí z návodů dodávaných k zařízení. Pokud si nejsou uživatelé jisti, jak správně router nastavit, je vhodné tuto činnost přenechat odborníkovi.
8. Není vyloučeno, že chování viru útočníci upraví. Tím, že se nachází přímo v routerech, může totiž i přesměrovávat stránky na podvodné weby. V takovém případě pak kyberzločinci mohou získat přístup ke všem on-line účtům.
9. Pokud pozorujete ve své síti podobné problémy, můžete zjistit velmi snadno pomocí chytrého telefonu, zda je router zavirován. Místo wi-fi se stačí připojit k webu prostřednictvím mobilního připojení. Pokud se výzva k instalaci aktualizace nezobrazí, je router zavirován.
Homeland Security – US Consular Consolidated Database vulnerable to cyber attacks
6.4.2016 Safety
According to the results of an internal review, the US passport and visa Consular Consolidated Database (CCD) database is open to intrusion.
According to the results of an internal review of the US State Department, the Consular Consolidated Database (CCD) is vulnerable to cyber attacks.
The State Department considers the CCD as an “unclassified but sensitive system,” it contains more than 290 million passport records, 184 million visa records, and 25 million records on US citizens living abroad.
The CCD is a critical source of information for the US Government because it includes data related to anyone who has applied for a U.S. passport or visa in the past two decades.
Records include personal information, photos, fingerprints, Social Security or other identification numbers.
The experts at the US State Department’s cyber defenses performed the internal audit several months ago.
An official at the US State Department confirmed that many vulnerabilities have been already fixed, but according to information collected by the ABC News many flaws are still in place.
“We are, and have been, working continuously … to detect and close any possible vulnerability,” State Department spokesman John Kirby said in a statement to ABC News.
“Vulnerabilities have not all been fixed,” the source said, and added that “there is no defined timeline for closing [them] out,” revealed an internal congressional anonymous source.
“I know the vulnerabilities discovered deserve a pretty darn quick [remedy],”
The representatives at US State Department considered the vulnerabilities very hard to exploit due to the level of permissions necessary to modify the Consular Consolidated Database.
“CCD allows authorized users to submit notes and recommendations directly into applicants’ files. But to alter visa applications or other visa-related information, hackers would have to obtain “the right level of permissions” within the system -– no easy task, according to State Department officials.” reports the ABC News.
Security experts consider the presence of flaws in the Consular Consolidated Database archive a serious threat because they could be exploited by threat actors to doctor visa applications or exfiltrate sensitive data.
The discovery raised serious concerns about the possible consequences of a cyber attack on the CCD. State-sponsored hackers could use them to provide fake identities on the US soil, but most disconcerting is a possible abuse made by terrorist groups.
“Every visa decision we make is a national security decision,” explained the top State Department official, Michele Thoren Bond, in a recent House panel.
The US State Department and other government sources say that there is no evidence that the database has been breached.
According to ABC News, the audited systems will be overhauled in the coming years.
WhatsApp turns on End-to-End Encryption by default for its 1 Billion Users
5.4.2016 Security
WhatsApp Just Switched on End-to-End Encryption by Default for its One billion Users
WhatsApp is updating its messaging app so that every text message and voice call will be encrypted for the company’s one billion users.
Yes, Whatsapp has finally implemented full end-to-end encryption, as promised a year ago.
This means, from now every message, image or voice call you made will be secured by end-to-end encryption so that only you and the person you're communicating with can read the content of the message, and nobody in between, not even WhatsApp.
In other words, this also means that WhatsApp would not be able to comply with any court order that demands access to the content of any conversation happens over its service.
Starting today, you will see a notification on your WhatsApp conversation screen as your messenger becomes end-to-end encrypted, as shown in the screenshot.
"This is because your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them," Whatsapp says.
Also Read: The Best Way to Send and Receive End-to-End Encrypted Emails
Additionally, you will be able to see a small lock icon below the profile of the recipient that ensures your conversation is secured with encryption.
"All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages," the company adds.
How to verify if someone is trying to spy on your conversation?
Well, the latest version of WhatsApp mobile application offers you an option to verify the keys of the other users with whom you are communicating, ensuring prevention from the man-in-the-middle attack.
Whatsapp key verification can be done by scanning a QR code, or by comparing a 60-digit number, under newly introduced "verify security code" option in the WhatsApp.
"WhatsApp users can opt in to a preference which notifies them every time the security code for a contact changes."
verify the keys
About a year ago, Facebook partnered with ‘Open Whisper System’, company behind the popular Signal and TextSecure encryption apps, to integrate the Signal's Open source strong encryption protocol into WhatsApp messaging app.
However, there is one point to be noted that if several users are sending texts in a group chat and one of the users is running an older version of WhatsApp that doesn’t support encrypted messages, all the conversation going through that group chat will remain unencrypted.
Nebezpečný virus jde po penězích. Maskuje se za aktualizaci Facebooku
5.4.2016 Viry
Na pozoru by se měli mít uživatelé Facebooku. Internetem totiž již od minulého týdne koluje falešná mobilní aplikace, která se vydává za oficiálního klienta zmiňované sociální sítě. Ta je poměrně nebezpečná, protože ve smartphonu dokáže odchytávat SMS zprávy z bank pro potvrzování jednotlivých plateb. Počítačoví piráti tak mohou důvěřivcům relativně snadno vybílit účet.
Nový virus se maskuje za aktualizaci Facebooku. (Ilustrační foto)
Před novým nezvaným návštěvníkem v chytrých telefonech varovali zástupci Air Banky: „Pokusy útočníků nás nepřestávají překvapovat. Nově to zkouší tak, že vám s pomocí viru zablokují mobilní aplikaci pro přístup na Facebook a nabídnou vám instalaci nové.“
„Pokud se vám něco takového stane, rozhodně nic neinstalujte. Jinak by útočníci mohli získat přístup k vašim ověřovacím SMS, které vám chodí pro potvrzování plateb. Místo toho raději rovnou celý telefon resetujte do továrního nastavení,“ stojí v doporučení banky.
Podle zkušeností uživatelů se nový virus maskovaný za oficiální aplikaci Facebooku šíří na platformě Android. Není ale vyloučeno, že podobný škodlivý virus nenapadá také konkurenční mobilní operační systémy.
V ohrožení i klienti jiných bank
Nová hrozba necílí pouze na klienty Air Banky. Teoreticky může odchytávat přihlašovací údaje prakticky jakékoliv bankovní instituce v Česku.
Pokud tedy uživatelé zaznamenali podivné chování aplikace Facebook na svém smartphonu, případně byli v posledních dnech vyzváni k instalaci nějaké aktualizace a skutečně ji provedli, měli by se co nejdříve obrátit na svou banku. Tím minimalizují riziko neoprávněného odčerpání peněz ze svého účtu.
Právě na chytré telefony se zaměřují počítačoví piráti v poslední době stále častěji. Minulý měsíc například bezpečnostní experti varovali před trojským koněm nazývaným Macher. Ten také dokáže odchytávat potvrzovací SMS zprávy, díky čemuž mohou počítačoví piráti snadno vybílit lidem účty.
APT6 compromised the US government networks for years
5.4.2016 Incindent
The federal bureau of investigation issued an alert related the APT6 state-sponsored hacking group that has compromised the US Government networks for years.
The FBI revealed that “a group of malicious cyber actors have compromised and stolen sensitive information from various government and commercial networks” since at least 2011.
The alert was published online by AlenVault on the Open Threat Exchange platform.
“The FBI has obtained and validated information regarding a group of malicious cyber actors who have compromised and stolen sensitive information from various government and commercial networks. This group utilized the domains listed herein in furtherance of computer network exploitation (CNE) activities in the United States and abroad since at least 2011. Research and analysis indicate that these domains were associated with the command and control (C2) of customized malicious software. Furthermore, these domains have also been used to host malicious files – often through embedded links in spear phish emails. Any activity related to these domains detected on a network should be considered an indication of a compromise requiring mitigation and contact with law enforcement.” states the FBI CYWATCH A-000067-DM.
The nature of the attacks, the usage of custom-made hacking tools, and the targets of the threat actors suggests it is a group of state-sponsored hackers.
The alert includes a list of 59 Indicators of Compromise, it is a collection of websites used by hackers as command and control servers to carry spear phishing campaigns on target organizations. The domains used by the hackers were dismissed in late December 2015. The IoCs provided by the Feds could allow private actors to monitor their networks searching for the presence of the threat.
The group, identified as APT6 compromised the US government infrastructure for years exfiltrating sensitive data.
It wasn’t the first time that US Government networks are breached by foreign hackers, last year a group of nation-state attackers, likely Chinese hackers, breached the systems of the Office of Personnel Management.
The problem is there is no certainty that the US Government completely blocked these hackers, in fact some experts speculate they might still be within Government networks.
Lorenzo Bicchierai from Motherboard reached Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, for a comment on the APT6.
“This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” said Baumgartner.
Baumgartner hasn’t provided information regarding the origin of the threat, anyway experts believe that China and Russia have the necessary cyber capabilities to infiltrate the government networks.
Be Careful, APT6 is in the wild so report any suspicious activity linked to the IoCs included in the alert.
Silk Road 2.0 Dark-Web Admin Pleads Guilty
5.4.2016 Hacking
An admin of Silk Road 2, named Brian Farrell, who helped maintain the notorious dark web site by providing customer and technical support, approving and suspending vendors, and promoting staff members, has pleaded guilty and could face 8 years in prison.
The 28-year-old man, who used the moniker "DoctorClu," had been accused last year of being the right-hand to the creator of Silk Road 2.0, the copycat website inspired by the notorious online illegal drug marketplace.
Silk Road 2.0 was shuttered in November 2014 after its creator Blake Benthall aka "Defcon" was arrested whose own criminal case is pending in federal court in New York.
Silk Road has been described as "one of the most extensive, sophisticated, and widely-used illegal marketplaces on the internet today."
According to the Department of Justice, Silk Road 2.0 had generated "sales of at least approximately $8 Million in the United States currency per month" since it began in November 2013.
In a March court filing [PDF], Farrell admitted that not only was he the site administrator, but he also served as "informal spokesman" for Defcon.
Farrell also admitted that he led a Denial-of-Service (DoS) attack on Tor Market, a competitor to the Silk Road 2.0.
Farrell may Face 8 Years in Prison and up to $5,000,000 in Fine
Last month, Farrell pleaded guilty to one count of distribution of cocaine, heroin, and methamphetamine that carries a minimum 5 years sentence in prison and a fine of up to $5,000,000.
Although both Farrell's lawyers and prosecutors have agreed to recommend a sentence of 8 years, the judge is allowed to impose a tougher sentence if he chooses, according to the plea agreement.
By comparison, Ross Ulbricht, the creator of original Silk Road, was convicted of running the notorious site and sentenced in 2015 to a dual life sentence.
Farrell was arrested in Seattle in January 2015. At the same month, when federal agents asked Farrell if he could help them identify other top people involved with Silk Road 2.0, Farrell responded by saying, "You are not going to find much of a bigger fish than me."
In February 2016, US District Judge denied Farrell's motion to compel disclosure of the method federal investigators used to find him out.
However, later the judge confirmed that Carnegie Mellon University researchers from its Software Engineering Institute were hired by the Federal Bureau of Investigation (FBI) to research breaking into Tor network back in 2014.
Though the Tor Project Director Roger Dingledine accused the Feds of paying the CMU, at least, $1 Million to disclose the technique they'd discovered to unmask Tor users, the FBI denied the claims.
Farrell is due to be sentenced in federal court in Seattle on June 3, 2016.
Keep Windows machines infected abusing Windows Desired State Configuration (DSC)
5.4.2016 Virus
Two forensics experts have demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on the compromised machine.
At the last Black Hat Asia, the forensics experts Matt Hastings and Ryan Kazanciyan from Tanium have demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on the compromised machine.
The DSC is a PowerShell extension implemented in Windows Server 2012 R2 and Windows 8.1, it allows administrators to:
Install or remove server roles and features
Manage registry settings
Manage files and directories
Start, stop,and manage processes and services
Manage local groups and user accounts
Install and manage packages such as .msi and .exe
Manage environment variables
Run Windows PowerShell scripts
Fix a configuration that has drifted away from the desired state
Discover the actual configuration state on a given node
The duo has released the DSCompromised framework of Powershell scripts and modules that could be used by attackers to abuse DSC and maintain persistence on the infected Windows machine in a covert way.
In their presentation the experts highlighted that they haven’t exploited any zero-day flaw in DSC neither they have identified ways to escalate privileges with DSC.
Their attack technique works in the DSC pull mode, in this scenario compromised windows machine send requests over HTTPS to servers either located on the Internet or within a local network.
The points of strength of the technique are its flexibility in implementing the persistence mechanism, it is covert to most security tools and allows automatic re-infection of the targeted host.
What are its limitations?
The attack is very difficult to learn and use despite the availability of PowerShell scripts issued by the duo- The attack requires PS 4.0 on victim and the use of a command and control infrastructure and Admin privileges on the victim host.
DSC compromise attack
“If not properly remediated, DSC will automatically re-infect the victim by re-dropping the file and re-executing the malware without notifying the user,” explained Kazanciyan.
“We have yet to see an example of this attack happening in the wild – that doesn’t mean it isn’t happening – but it does give us hope that we can get this out there so that red and blue teams are aware.”
The experts also provided useful suggestions on the attack in order to prevent its exploitation in the wild by cyber criminals. The Powershell 3 and later are able to log the execution of malicious script like the ones used by Hastings’ and Kazanciyan’s attack.
The experts are inviting hackers to contribute to the theirDSCompromised framework which is available on GitHub.
Give a look to the Slides of the presentation or download the audio.
Pentagon si nechá hackovat systémy, vyplatí stovky tisíc dolarů
5.4.2016 Zabezpečení
Korporace jako je Microsoft, Facebook, ale i Mozilla pravidelně vyplácí odměny hackerům, kteří objeví bezpečnostní díry v jejich produktech a místo zneužití je nahlásí. O něco podobného se chce pokusit i americké Ministerstvo obrany a vyhlásilo proto program Hack the Pentagon.
Podle The Next Web je to vůbec poprvé, kdy se některá z vládních institucí odhodlala k tomuto typu prověření svých bezpečnostních systémů. Na rozdíl od běžných společností, jako je Google, které umožňují zapojení do programu komukoliv, si Pentagon bude hackery vybírat.
Samotné schválení přihlášky bude záviset na ochotě pracovat ve Spojených státech, trestní bezúhonnost a zájemce také nesmí žít v zemi, na které americká vláda uvalila obchodní sankce. Pro každého přijatého uchazeče je vyhrazena částka minimálně 150 tisíc dolarů, přičemž sumy se budou zvyšovat podle úspěšnosti.
Najděte zranitelnost ve Windows a dostanete až 100 000 dolarů
Pro pilotní program se Ministerstvo obrany spojilo s odborníky ze společnosti HackerOne, která se specializuje právě na tento typ testování. Zájemci se mohou hlásit do pilotního programu, který bude probíhat od 18. dubna do 12. května.
Personal Data of 50 Million Turkish Citizens Leaked Online
5.4.2016 Incindent
Personal details of nearly 50 Million Turkish citizens, including the country's President Recep Tayyip Erdogan, have been compromised and posted online in a massive security breach.
A database, which contains 49,611,709 records, appeared on the website of an Icelandic group on Monday, offering download links to anyone interested.
If confirmed, the data breach would be one of the biggest public breaches of its kind, effectively putting two-thirds of the Nation's population at risk of identity theft and fraud.
However, The Associated Press (AP) reported on Monday that it was able to partially verify the authenticity of 8 out of 10 non-public Turkish ID numbers against the names in the data leak.
50 Million Turkish Citizens' Personal Data leaked Online
The leaked database (about 6.6 GB file) contains the following information:
First and last names
National identifier numbers (TC Kimlik No)
Gender
City of birth
Date of birth
Full address
ID registration city and district
User's mother and Father's first names
To prove the authenticity of the data, the group of hackers published the personal details of Turkish President Recep Tayyip Erdogan, along with his predecessor Abdullah Gul, and Prime Minister Ahmet Davutoglu.
The attack seems to be politically motivated, as the hackers wrote the following message on the database's front page, featuring Erdogan's profile:
"Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?"
Lessons Posted by Hackers
Besides the leaked database, the hackers also provided some lessons to learn from this leak. Under the heading Lessons for Turkey, the hackers wrote:
'Bit shifting isn't encryption,' referring to the fact that the data was improperly protected.
'Index your database. We had to fix your sloppy DB work.'
'Putting a hardcoded password on the UI hardly does anything for security,' though the hackers didn't specify in what UI.
'Do something about Erdogan! He is destroying your country beyond recognition.'
Under the heading Lessons for the United States, the hackers addressed US citizens, asking them not to elect Republican front-runner Donald Trump since he 'sounds like he knows even less about running a country than Erdogan does.'
Links to Download the Database
The database is available online on a Finland-based server. Though the source of the leaked data is currently unknown, it is likely from a Turkish public administration office that deals with users' personal information.
If the authenticity of all 50 Million records gets verified, the breach will be the biggest leaks after the one that occurred in U.S. government's Office of Personnel Management (OPM) in April 2015 that…
...compromised the personal information of over 22 Million U.S. federal employees, contractors, retirees and others, and exposed Millions of sensitive and classified documents.
Flaw in CISCO FirePower Firewall allows malware evade detection
5.4.2016 Virus
A flaw in the family of CISCO FirePower Firewall devices allows malware to bypass detection mechanism.
Cisco is releasing security updates to fix a critical vulnerability (CVE-2016-1345) that affects one of its newest products, the FirePower firewall. The flaw has been discovered by security researchers at Check Point Security.
According to the security advisory published by Cisco, an attacker can remotely exploit the flaw to allow malware bypass detection measured implemented by the FirePower firewall.
“A vulnerability in the malicious file detection and blocking features of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on an affected system.” states the advisory.
The vulnerability is related the improper input validation of fields in HTTP headers. The attacker can remotely exploit the flaw by sending a specifically crafted HTTP request to a vulnerable system.
“A successful exploit could allow the attacker to bypass malicious file detection or blocking policies that are configured for the system, which could allow malware to pass through the system undetected.” continues the advisory.
Cisco ranked the vulnerability as “high severity” so it has promptly released the security updates that solve the issue in Cisco Firepower System Software 5.4.0.7 and later, 5.4.1.6 and later and 6.0.1 and later.
Cisco confirmed that systems Cisco Firepower System Software that has one or more file action policies configured and is running on any of the following Cisco products are vulnerable:
Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services
Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances
Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances
FirePOWER 7000 Series Appliances
FirePOWER 8000 Series Appliances
FirePOWER Threat Defense for Integrated…
At the time I was writing there isn’t no news regarding systems compromised by exploiting the vulnerability. Impacted Cisco hardware
A simple way to discover if a system is affected by the vulnerability is to check Cisco configurations (Policies>Access Control>Malware and File), if the policy is set on “Block Files, Block Malware, or Detect Files” the system is vulnerable.
The vulnerability also impacts the versions 2.9.8.2 and later of the Snort open source network-based intrusion detection system, users can download the updates on its official website.
Is the hack of an email server behind the Panama Papers?
5.4.2016 Incindent
Which is the source of Panama Papers? According to Mossack the hackers breached its systems, according to the experts its email server was breached.
The Panama Papers is a huge trove of strictly confidential documents from the Panamanian law firm Mossack Fonseca was leaked online during the weekend, it is largest data leaks ever.
The entire archive of the firm contains more than 11.5 Million files including 2.6 Terabytes of data related the activities of offshore shell companies used by the most powerful people around the world, including 72 current and former heads of state.
It’s important to clarify that many clients of the Mossack Fonseca weren’t breaking any law and that the services offered by the firm are legal. Of course, such kind of services could have been abused to evade taxes.
The Panama Papers case is exposing the offshore activities of hundreds of politicians and public figures around the world, including , Vladimir Putin and the Iceland’s prime minister David Gunnlaugsson. Be careful, despite one of the most illustrious figures of the Panama Papers is Vladimir Putin his name does not appear in the leaked documents.
Panama Papers
According to Bloomberg, the co-founder of the Mossack Fonseca firm, Ramon Fonseca, confirmed to the Panama’s Channel 2 the authenticity of the leaked documents.
The Panama Papers documents were shared with the German newspaper Suddeutsche Zeitung by an anonymous source and the International Consortium of Investigative Journalists (ICIJ).
The journalists of the ICIJ have investigated the documents for an entire year and now are disclosing their disconcerting findings.
The Panama Papers include emails, bank records, and invoices, but how is it possible? Who is the anonymous source and how it has exfiltrated the data from the computers at the Mossack Fonseca?
According to Ramon Fonseca, the confidential documents had been obtained illegally by hackers, likely the data breach affected an e-mail server of the company last year.
The media agency El Espanol confirmed this hypothesis, Mossack Fonseca firm sent an email to its clients confirming that it is investigating the causes of the data breach and that it’s taking “all necessary steps to prevent it happening again”.
“This firm, considered the largest platform figureheads of Latin America and has a large portfolio of Spanish customers, said in a statement that it has opened an investigation after confirming that “unfortunately” has suffered an “attack on your server email”.” reported the El Espanol.
“Mossack Fonseca says it is taking “all necessary steps to prevent it happening again”; which has “reinforced” its security systems; and is working with “expert consultants” to determine the exact information they have accessed “unauthorized persons”. The firm, through its Director of Marketing and Sales, apologizes to its customers and offers an email to clarify any further questions.”
The ICIJ has identified more than 214,000 organizations for a total turnover of several billion dollars.
Infamous Hacker 'Guccifer' appears in US Court after Extradition
5.4.2016 Safety
Marcel Lazar Lehel aka "Guccifer" – an infamous Romanian hacker who hacked into the emails and social networking accounts of numerous high profile the US and Romanian Politicians – appeared in the United States court for the first time after extradition.
Following Romania's top court approval last month, Guccifer was extradited to the United States recently from Romania, his home country, where he had already been serving a hacking sentence.
Lehel has been charged with cyber-stalking, unauthorized access to a protected computer and aggravated identity theft in a nine-count indictment filed in 2014 in a federal district court in Alexandria, the U.S. Justice Department said in a statement.
Lehel "hacked into the email and social media accounts of high-profile victims, including a family member of two former U.S. presidents, a former U.S. Cabinet member, a former member of the U.S. Joint Chiefs of Staff and a former presidential advisor," according to the indictment.
The international black hat hacker came to the limelight after allegedly accessing personal emails and photos belonging to the family of former US President George W. Bush and posting unofficial emails sent to then-Secretary of State Hillary Clinton on the Internet.
Guccifer was also responsible for cracking into the AOL email Account of Bush’s Sister, Dorothy Bush Koch and targeted several high-profile celebrities, including Actor Leonardo DiCaprio, 'Sex and the City' author Candace Bushnell, Comedian Steve Martin, Actress Mariel Hemingway, Biographer Kitty Kelley, and much more.
The same hacker brought the extramarital romantic relationship between former US Secretary Colin Powell and Romanian Diplomat Corina Cretu by hijacking Colin’s AOL email Account and circulating his 'very personal emails.'
Possible Sentence of 20 years in Prison
Lehel has been charged with a total of 9 counts of US-Federal indictments, which includes:
Three counts for Wire Fraud
Three counts of gaining unauthorized access to protected computers
One counts of cyber stalking
One count of aggravated identity theft
One count of obstruction of justice
Though the total sentence is not confirmed, the charges Guccifer faces collectively carry with them a possible sentence of maximum 20 years in prison, Assistant U.S. Attorney Maya Song said in court Friday.
If you want to explore more about the Guccifer Hacks or Leaks, you may visit the website named 'The Smoking Gun' to which he published the leaked contents (don't expect a Wikileaks model).
Guccifer was serving as a Taxi Driver when Romania's DIICOT anti-organized crime and terrorism unit arrested him.
Guccifer was sentenced for intrusion charges to popular profiles by the Romanian court to four years in jail in 2014 "with the aim of getting ... confidential data" and is serving another three-year term for other offenses.
Guccifer kickstarted his career as a Hacker at the age of 35. Interestingly, a documentary had been prepared by the Norton Groups on Guccifer, which details his hacking career.
Microsoft Pays $13,000 to Hacker for Finding Authentication Flaw
5.4.2016 Vulnerebility
A security researcher has won $13,000 bounty from Microsoft for finding a critical flaw in its main authentication system that could allow hackers to gain access to a user's Outlook, Azure and Office accounts.
The vulnerability has been uncovered by UK-based security consultant Jack Whitton and is similar to Microsoft's OAuth CSRF (Cross-Site Request Forgery) in Live.com discovered by Synack security researcher Wesley Wineberg.
However, the main and only difference between the vulnerabilities is that: Flaw discovered by Wineberg affected Microsoft's OAuth protection mechanism while the one discovered by Whitton affected Microsoft's main authentication system.
Microsoft handles authentication across its online services including Outlook, Azure and Office through requests made to login.live.com, login.windows.net, and login.microsoftonline.com.
Now, for example, if a user browses to outlook.office.com, he/she redirects to a login.microsoftonline.com URL that contains 'wreply' parameter for specifying which domain the user wants to access.
How Does the Vulnerability Work?
If the particular user is already logged in, a POST request is made back to the domain specified in wreply with a value containing a login token for the user. The service the user wants to authenticate on consumes that token and logs the user in.
According to Whitton, the authentication URL provided by Microsoft is vulnerable to Cross-Site Request Forgery (CSRF) attacks.
The CSRF attacks could allow an attacker to create a malicious URL, which, when accessed by an already authenticated user, would send the login token to the attacker controlled server.
Now, with the help of the token, the attacker could gain complete access to the victim's account.
"The token is only valid for the service that issued it – an Outlook token can not be used for Azure, for example," Whitton noted in his blog post. "But it would be simple enough to create multiple hidden iframes, each with the login URL set to a different service, and harvest tokens that way."
The good news is that Microsoft patched the vulnerability within two days after Whitton reported it to the company on January 24. The company also paid out $13,000 to the researcher as part of its bug bounty program.
Hackeři prý získali osobní údaje téměř 50 miliónů Turků
5.4.2016 Incidenty
Skupina hackerů umístila na internet databázi, která prý zahrnuje osobní údaje o téměř 50 miliónech tureckých občanů. Informovala o tom v pondělí agentura AP. Dodala, že se jí v několika případech podařilo autentičnost údajů potvrdit.
Databáze údajně obsahuje přes 49,6 miliónu záznamů a prozrazuje důležité osobní informace. Lidem zahrnutým v této databázi tak může hrozit, že se stanou terčem krádeže totožnosti a podvodů.
Podle agentury AP jde o jeden z největších úniků informací tohoto druhu.
Loni v dubnu americké úřady oznámily, že hackeři získali přístup k osobním údajům více než 22 miliónů současných a bývalých vládních zaměstnanců, dodavatelů a uchazečů o zaměstnání.
Únik roku? Hackeři zveřejnili státní databázi 50 milionů občanů Turecka
5.4.2016 Incidenty
Hackeři vystavili na Torrent obří databázi čítající záznamy 49 611 709 obyvatelů Turecka. Údajně se jedná o únik ze státní IT struktury, což by pro Turecko znamenalo velkou ostudu a problém. Únik je zatím poměrně čerstvý a pravost dat se prověřuje, ale podle prvních reakcí na Twitteru to vypadá, že se skutečně jedná o soupis většiny obyvatel Turecka.
Průvodní stránka na adrese http://185.100.87.84/ a ukázka ze získané databáze
Problém není jen to, že databáze unikla, ale že nebyla dostatečně silně zašifrovaná. Podle hackerů, kteří k úniku připravili i malý informační web, se ani o plnohodnotné šifrování nejednalo a databáze byla vůbec ve velmi špatném technickém stavu.
Databáze obsahuje o každém občanovi základní údaje zahrnující jméno, příjmení, pohlaví, bydliště, rodné jméno, jména otce a matky, datum a místo narození a místo registrace. Celá databáze má 6,6 GB a zatím se přesně neví, co vlastně pokrývá. Záznamů je sice bezmála 50 milionů, ale evidovaných obyvatelů Turecka téměř 75 milionů. Databáze všech obyvatel to tedy zjevně není.
Jak píše The Register, čin je pravděpodobně politicky motivovaný a míří proti kontroverznímu tureckému prezidentovi. Tvůrci si rovněž rýpli do aktuálního kandidáta na post amerického prezidenta Donalda Trumpa, který je podle nich ještě méně schopný vést zemi než turecký prezident Recep Tayyip Erdoğan.
Why malware like the Samsam ransomware are so dangerous for hospitals?
4.4.2016 Virus
The FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware, why it is so dangerous?
It is emergency, every week security experts launch an alert on a new ransomware, the extortion practice is becoming a profitable business for criminal gangs worldwide. Recently the US and Canada issued a joint warning about the recent surge in ransomware infections. According to the Reuters, the FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware, that targeted several hospitals. The law enforcement Agency also shared IoC for the Samsam threat to help organizations monitoring for infections.
The law enforcement Agency also shared IoC for the Samsam threat to help organizations monitoring for infections.
“The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future,” the advisory said.” states the advisory.Among the victims of the Samsam Ransomware there is the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington area.The bad actors behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files.
MedStar did not pay the Ransom because it has a backup of the encrypted information, a situation rare that advantage the attackers behind ransomware-based campaigns.
The IT department of the MedStar Hospital detected the infection at an early stage and was able to stop the Samsam Ransomware from infecting internal systems.
The MedStar incident demonstrates that a proper security posture, an early response and the implementation of effective best practices like data backup are necessary steps for a right approach to prevent damage from ransomware-based attacks.
In the specific case, the Samsam ransomware is not a new threat, it has been around since last few years targeting businesses and organizations worldwide.
Samsam is considered a very interesting threat by experts because it doesn’t require the victim’s interaction.
Typical victims get a ransomware infection by clicking on a malicious link, by opening an attachment or through a malvertising, but the Samsam ransomware targets servers instead end-users.
The threat first exploits unpatched vulnerabilities in JBoss application servers by using JexBoss, an open-source penetration testing tool. Once exploited the flaws, the attackers get remote shell access to the infected servers and install the Samsam ransomware onto the targeted Web application server.
Once the server has been compromised, attackers use it to spread the ransomware client to Windows machines and encrypt their files.
“The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system. It starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling. Java-based vulnerabilities were also observed to have been utilized, such as Java-based vulnerabilities were also observed to have been utilized, such as CVE-2010-0738 related to outdated JBOSS server applications.
It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well. When it has done so, it will list the stolen credentials into a text file, for example, list.txt, and use this to deploy the malware and its components through a third party tool named psexec.exe through batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.” states a blog post published by Microsoft on the threat.”
Such kind of threat is particularly insidious for any organizations, especially the ones that works directly with the public, like transportation services and hospitals.
The number of ransomware infections in the healthcare industry is rapidly increasing, the threats in many cases are able to cause the paralysis of the infrastructure with serious damages in the middle and long term.
In February, two German hospitals were infected by a ransomware, in a similar way occurred recently at the US Hollywood Presbyterian Medical Center. The Los Angeles hospital paid about $17,000 to the crooks for restoring patients’ files.
Recently the systems at the Methodist Hospital in Kentucky that’s been infected. According to NewsChannel10, the Methodist Hospital in Henderson was hit my a ransomware that locked patients’ files and is demanding money for to regain access to them. Officials say that the hospital paid about $17,000 to those hackers for the access back to the patients’ files.
DB with records of 50 Million Turkish Citizens Leaked Online. Are they recycled data?
4.4.2016 Incindent
A database containing records of 50 Million Turkish Citizens appeared online in the weekend. Is it a new or a recycled archive?
Details of almost 50 Million Turkish citizens have been leaked online, the bulk data was hosted on a server with the IP address 185.100.87.84. The archive was published during the weekend, the publishers claim they it belongs to 49,611,709 Turkish citizens, the complete 1.5GB archive (mernis.sql.tar.gz – 1.5GB compressed – 6.6GB uncompressed) is available for download on both Torrent and Magnet URL.
The archive includes also the personal details of the President Recep Tayyip Erdogan.
The above data is usually included in a standard Turkey ID card, but at the time I was writing it is not known the source of the personal information data is currently unknown.
It is not clear if the archive was populated with older data from other security breached, like the one that suffered the country in 2009.
Experts speculate that data have been stolen from a government agency managing data of Turkish citizens.
Below the message left by the hackers that appear to be politically motivated:
“Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?”
Hackers have something against Erdogan, … and Trump
Lesson to learn for Turkey:
Bit shifting isn’t encryption.
Index your database. We had to fix your sloppy DB work.
Putting a hardcoded password on the UI hardly does anything for security.
Do something about Erdogan! He is destroying your country beyond recognition.
Hackers have found a baffling situation, it seems administrators hardcoded the password in one of the user interface they accessed.
“Putting a hardcoded password on the UI hardly does anything for security.”
Ransomware attacks on Hospitals put Patients at Risk
4.4.2016 Virus
Just last week, the Federal Bureau of Investigation (FBI) issued an urgent "Flash" message to the businesses and organisations about the threat of Samsam Ransomware, but the ransomware has already wreaked havoc on some critical infrastructure.
MedStar, a non-profit group that runs 10 hospitals in the Baltimore and Washington area, was attacked with Samsam, also known as Samas and MSIL, last week, which encrypted sensitive data at the hospitals.
After compromising the MedStar Medical System, the operators of the ransomware offered a bulk deal: 45 Bitcoins (about US$18,500) for the decryption keys to unlock all the infected systems.
But unlike other businesses or hospitals, MedStar did not pay the Ransom to entertain the hackers.
So, you might be thinking that the hospitals lost all its important and critical data. Right?
But that was not the case in MedStar.
Here's How MetStar Successfully dealt with SAMSAM Ransomware
MetStar sets an example for all those businesses and organisations that pay ransom amount to attackers, motivating their criminal minds to spread the infection further.
The IT department of the MedStar Hospital was initially able to detect the intrusion in their servers and stop the Ransomware from spreading further in its internal network by shutting down most of its network operations.
Besides this, the IT engineers successfully restored three main clinical information systems from the backups (rest of the restoration process is in progress) – a practice that all organisation should follow.
This quick and active approach of hospital’s IT department ultimately saved not only the hospital reputation but also the lives of admitted patients, said Ann Nickels, a spokeswoman for the nonprofit MedStar medical system.
Even though the prevention of Ransomware attack is complex, it is noticeable from the MedStar incident that the automatic backup is not an optional step but a must-follow step, to prevent these kinds of attacks.
What is Samsam and How Does it Work?
Ransomware has been around since last few years targeting businesses and organisations, but Samsam is yet the most interesting innovation of ransomware that requires no human interaction from the target.
Typical ransomware infects victim's machine by a malicious email link or attachment or a malicious advertisement. But Samsam ransomware doesn't target humans. It targets servers.
Samsam first exploits the unpatched vulnerabilities in both JBoss application servers by using JexBoss, an open-source penetration testing tool.
The hacker then uses these exploits to get remote shell access to the affected server and install Samsam onto the targeted Web application server.
Now, the hacker uses the infected server to spread the ransomware client to Windows machines and encrypt their files. Once the server is compromised, there is no communication with the command and control network.
You can find more detailed information about Samsam here.
Why Hospitals are Soft Target?
With the advent of Ransomware, we have seen an enormous growth in the malware business.
The countless transactions of Bitcoins into the dark web wallets had energized the Ransomware authors to spread and adopt new methods of infection for the higher successful rate.
Nowadays ransomware had been a soft target for both Corporates and Hospitals.
Since earlier this year, at least, a dozen hospitals have been affected by ransomware, enforcing them to pay the ransom as per the demand by freezing the central medical systems.
Technological advancement in the medical arena had digitalized patients data in the form of Electronic Medical Record (EMR) to save them into the hospital’s central database.
Since the delay in patients treatment by temporary locking down their data could even result in the patient’s death, the ransomware attackers seek 100% guarantee ransom by infecting hospitals.
Due to this reason, in most of the cases, hospitals generally agrees to pay the ransom amount to the attacker in order to obtain the decryption keys from the attackers.
Recently, Hollywood Presbyterian Medical Centre in Los Angeles paid US$17,000 to the ransomware attackers to (or "intending to") regaining access to their patient's data.
Followingly, many more hospitals like Methodist Hospital in Henderson and Kentucky, Chino Valley Medical Center and Desert Valley Hospital in California have been infected with Ransomware and became fresh victims of the ransomware attacks.
The Panama Papers — Biggest leak in History Exposes Global Corruption
4.4.2016 Incindent
A huge trove of confidential documents from the Panamanian law firm Mossack Fonseca was made public on Sunday in what's known as One of the World’s Largest Data Leaks ever, called The Panama Papers.
Over 11.5 Million Leaked Files including 2.6 Terabytes of Data
Even larger than the NSA wires leak in 2013, the "Panama Papers" includes 2.6 Terabytes of private data, exposing an enormous web of offshore shell companies frequently used by many of the richest and most powerful members around the globe to evade taxes, hoard money, and skirt economic sanctions.
Shared with German newspaper 'Suddeutsche Zeitung' by an anonymous source, the leaked documents then passed on to the International Consortium of Investigative Journalists (ICIJ) – in which 370 Reporters from 100 News Media organizations looked into the massive leak for a year.
After a year-long investigation, ICIJ and its reporting partners began publishing a series of leaks on Sunday based on the Panama Papers, which involves more than 11.5 Million files including emails, invoices and bank records, and implicates 72 current and former heads of state.
World's Top Leaders and Rich Personalities Exposed
Panama-Papers-Leak
According to ICIJ, the leaked documents range from 1977 to December 2015 and include details on 214,000 offshore shell companies with links to 140 politicians including the President of Argentina, the King of Saudi Arabia and Prime Minister of Iceland.
The Panama Papers has unearthed 12 current and former world leaders, including monarchs, presidents, and prime ministers, who have been using offshore tax havens, including a $2 Billion paper trail that leads to Russian President Vladimir Putin.
Though Putin himself isn't directly implicated in the leak, a number of his family members and close friends are involved.
The documents exposed that Sergey Roldugin, one of Putin's oldest friends, owns 3 offshore companies worth over $100 Million: International Media Overseas, Sonnette Overseas and Raytar Limited.
The leaked documents also include details on at least 33 people and enterprises blacklisted by the United States, including Mexican drug lords and a number of terrorist organizations.
"The files contain new details about major scandals ranging from England's most infamous gold heist, an unfolding political money laundering affair in Brazil and bribery allegations convulsing FIFA, the body that rules international soccer," the ICIJ wrote in its overview of the leak on Sunday.
Besides this, over 500 Indians figure is on the Mossack Fonseca’s list of offshore companies, foundations, and trusts. The list has names of big personalities including film stars Amitabh Bachchan and Aishwarya Rai Bachchan to DLF owner K.P. Singh along with 9 members of his family.
According to the German newspaper, Mossack Fonseca is the world's fourth-biggest offshore law firm that enables their clients to keep their financial affairs secret, no matter how shady, citing some of its clients, which include "criminals and members of various Mafia groups," along with government officials and their relatives and close associates.
The leaks also revealed that some global banks including HSBC, UBS, Deutsche Bank, Credit Suisse, and others have worked with Mossack Fonseca to create offshore accounts.
In response to the ICIJ's report, Mossack Fonseca issued a statement saying that the firm, as a registered agent, is only helping its clients incorporate companies and that it conducts thorough due diligence in every case it meets and quite often exceeds 'all relevant local rules, regulations and standards to which the firm is bound.
German intelligence Agency BND spied on Netanyahu
4.4.2016 Privacy
The German Intelligence Agency BND has intercepted the Office of the Israeli Prime Minister Benjamin Netanyahu among others.
According to the German weekly Der Spiegel, the German intelligence Agency BND (Bundesnachrichtendienst) has reportedly been spying on Israel for years. The Prime Minister Benjamin Netanyahu’s Office is one of the main targets of the espionage activity, the German intelligence also targeted the British Ministry of Defense, the Organization of the Petroleum Exporting Countries (OPEC), the International Monetary Fund (IMF) , and the interior ministers of Austria and Belgium.
“The Federal Intelligence Service has intercepted friend countries and international organizations. The Der SPIEGEL information confirmed the Office of the Israeli Prime Minister and the US State Department were their objectives.” reported the Der Spiegel.
The BND gathered emails, phone calls and faxes from embassies and consulate belonging the US, UK, France, Sweden, Spain and other countries.
The Prime Minister’s Office has declined to comment on the news.
Merkel Netanyahu German Intelligence BND
The news follows the revelations made by The Der Spiegel magazine in November 2015, when it reported German Intelligence Agency BND “systematically spied” on its allies and several international organizations.
According to The Der Spiegel magazine, the German Intelligence Agency BND has also been spying on several US Government organizations, including the NASA, the US State Department, the US Air Force, and American diplomats across Europe.
In November 2015, the RBB Radio and Spiegel Online claimed that the BND is responsible for cyber espionage on its own account on several embassies and administrations of “European states and allies”.
“the BND had systematically spied on ‘allies’ across the world, including on the interior ministries of the United States, Poland, Austria, Denmark and Croatia.” states the Spiegel.
According to the Der Spiegel, the German Secret Service spied on the US delegation at the European Union in Brussels and the UN in New York, the US Treasury, and several embassies in Germany, including those of the US, France, Britain, Sweden, Portugal, Greece, Spain, Italy, Switzerland, Austria and the Vatican.
The German intelligence appears very active, the German spies also spied on the Geneva-based International Committee of the Red Cross and Oxfam.
Following the above events, in May the German intelligence BND had stopped sharing surveillance information with the NSA. The data were collected from a surveillance station located in Bad Aibling in Bavaria, the same center used by the German intelligence to monitor events in the Middle East.
US and UK Will Simulate a Cyber Attacks on nuclear plants in 2016
4.4.2016 Security
US and UK are planning to simulate a cyber attacks on nuclear plants, to test their resilience in the light of the nuclear security summit.
In the light of the recent events with the terrorist attacks in Europe, the fear of other similar threats becomes greater by the minute. Coordinates cyber attacks on nuclear plants would have dramatic repercussion on the Homeland security of any government that needs to address this risk in the national cyber stratgy.
This has led the governments of the US and the UK to take measures, as well as try to prepare as best as they can. As part of this preparation, the two countries have decided to simulate cyber attacks on nuclear plants to test how safe this environment is proven to be.
The nuclear security summit was hosted in Washington, governments need to enhance the security measures and address the fears regarding the protection of critical infrastructure in Europe.
Cyber Attacks on nuclear plants
A similar simulation was held last year, with the countries testing out how banks would react against a cyber-attack.
However, alongside the simulation, there are many other details to take care of. Among them, the exchange of nuclear waste between the UK and the US is something that needs to discuss. According to this deal, Euratom is going to be turned into a place where cancer is diagnosed and treated. So, this is a deal that will improve the life in Europe and will offer a way towards progressing in Medicine.
The White House has issued an announcement, related to the upcoming nuclear security summit. In this announcement, they refer to the importance of boosting security:
“We all need to do more together to enhance nuclear security performance, to dissuade and apprehend nuclear traffickers, to eliminate excess nuclear weapons and material, to avoid production of materials we cannot use, to make sure our facilities can repel the full range of threats we have already seen in our neighbourhoods, to share experiences and best practices, and to do so in ways that are visible to friends, neighbours, and rivals – and thereby provide assurance that we are effectively executing our sovereign responsibility,”
Cooperation between nations seems like the best way to handle a threat as substantial as nuclear terrorism.
So, the UK is going to commit towards cooperating with other countries and sharing the knowledge acquired with them. This is definitely a great step ahead!
CloudFlare considers 94 percent of the Tor traffic as “per se malicious”
3.4.2016 Virus
Experts at CloudFlare revealed that 94 percent of the Tor traffic they see is “per se malicious,” but Tor Project opposes it.
The experts from the Content delivery network (CDN) CloudFlare revealed that 94 percent of the Tor traffic they ordinary see is “malicious.”
It is not a mystery that Tor is becoming a favored tool of cyber criminals so many websites are blocking Tor users or degrading the services they receive, and CloudFlare has analyzed this issue in a blog post entitled “The Trouble with Tor.”
CloudFlare is not condemning the Tor network, in the post it highlights its importance for Anonymity online.
“Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious.” wrote Matthew Prince, the CloudFlare CEO.
A large portion of traffic on the Tor Network is generated by illegal activities that harm Internet users, for example according to data provided by Project Honey Pot, 18% of global email spam, roughly 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network. In
In response to a large number of websites adopt many types of restrictions for Tor users like the CAPTCHA verification.
“That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network.” continues Prince.
CloudFlare allows its customers to choose how they want to handle the traffic coming from Tor, they can whitelist all Tor traffic, block all traffic, use CAPTCHAs, or use a JavaScript challenge that checks the user’s browser.
Experts at CloudFlare believe that users will have two long term solutions, create a Tor version of their website that will accept only Tor traffic, or get the Tor Browser to make the distinction between human and automated traffic.
So What’s Next?
CloudFlare is working to reduce problems of navigation for the Tor users, limiting for example, the impact of CAPTCHAs.
“CloudFlare is working to reduce the impact of CAPTCHAs on Tor users without in any way compromising their anonymity and without exposing our customers to additional risk. Over the coming weeks and months we will roll out changes designed to make the lives of legitimate Tor Browser users easier while keeping our customers safe,” Prince said.
In response to the data published by CloudFlare, the developers behind the Tor Project released the “Fact sheet,” a report that analyzed the impact of the CloudFlare actions on the Tor users.
The experts are accusing CloudFlare of blocking the access of Tor users to major websites, like Amnesty International.
In many cases, Tor users are displayed annoying CAPTCHAs that might get users surfing with unsafe browsers in revealing their location.
“On one hand, the problematic CAPTCHAs might get users to access websites via unsafe browsers that can reveal their location, which can represent a serious risk for human rights activists and other groups for which anonymity is crucial. On the other hand, new users might believe they are not using Tor correctly, which could lead to them abandoning Tor altogether.” states the Tor Project.
“CloudFlare’s CAPTCHA system results in de facto censorship, since Tor users either cannot access a site or are deterred from using a site because of the obstacles presented by the CAPTCHAs” the Tor Project said.
The members of the Tor Project are disappointed with CloudFlare that ignored the issue at least since 2013.
The experts at the Tor Project have argued that the malicious Tor traffic seen by CloudFlare is generated by a “tiny fraction of the millions of daily Tor users.”
“While many Tor relays appear as “malicious” from CloudFlare’s point of view, the abuse is likely coming from a tiny fraction of the millions of daily Tor users” states the Tor Project.
“When a connection to a website travels over Tor, it will exit the network via one of the thousand exit relays set up by volunteers all over the world. The largest exit nodes transport more than 70,000 connections at a given moment. If a small number of these connections contains what CloudFlare qualifies as ‘malicious traffic’ (spam, typically), CloudFlare will consider any subsequent connection as ‘malicious’,” added the Tor Project“Because exit relays are picked (usually at random) by the Tor client, a single bad guy could have all relays qualified as transporting ‘malicious traffic’.”
Hacking connected lightbulbs to breach Air-Gapped networks
3.4.2016 Hacking
Two of security researchers have shown how hackers can target connected lightbulbs to exfiltrate sensitive data from Air-Gapped networks.
Two of security researchers from the Weizmann Institute have shown how hackers can target connected lightbulbs to steal sensitive data from Air-Gapped networks.
The two researchers are Adi Shamir, the popular co-inventor of the RSA algorithm, and PHD student Eyal Ronen.
The experts highlighted that for both devices, the communications between the controllers and the lightbulbs were not encrypted allowing them to analyze communication protocol.
The hacking technique relies on modulate light pulses in two commercial bulbs, a Philips Hue and a LimitlessLED, to transfer data up to 100 meters away.
If the attackers are able to access the network hosting connected lightbulbs they can hack into them exploiting the lack of authentication and generate light signals that are unobservable to the human eye.
“All they needed was to subtly modulate light pulses in two bulbs on the market to convey data to a telescope up to 100 meters away, or have them create a strobe effect to bring on seizures. Both attacks were possible because authentication on the lightbulbs – a Philips Hue and a LimitlessLED – were found wanting, allowing anyone who could locate the devices to send commands.” wrote Thomas Fox-Brewster on Forbes.
The two experts presented their work at the IEEE Privacy and Security Symposium in Germany last week. In the case of the LimitlessLED, hackers that successfully access them can sniff the traffic and syphon an unencrypted Wi-Fi password used to connect to the bulb.
The Philips Hue lightbulbs are not affected by security bugs, but anyway hackers can exploit their abilities to manage the intensity of the light with 256 brightness levels.
The hardware used to carry out the attack is composed of a laptop, a TAOS TC3200 Color light-to-frequency converter, an Arduino tiny computer and a telescope, the overall cost of the equipment is less than $1,000.
The experts deployed a controller, connected to a PC running a malware, where the lightbulb was installed.
A telescope focused on the bulb was used to capture the rises and falls in the frequency of the light emitted from the lightbulbs and turn them to the Arduino.
The laptop is used to process bulk information gathered from the Arduino, the researchers explained their technique could allow to leak more than 10KB per day through the connected lightbulbs.
The technique could be effective to exfiltrate private encryption keys and passwords from an “air-gapped” network.
The experts also highlighted that hackers can control the light intensity to “create strobes in the most sensitive frequencies,” creating a shocking effect.
“Such an attack could be directed at hospitals, schools and other public buildings using connected LEDs,” the paper read.
The research conducted by the experts confirms the necessity of a “security by design” approach for all the devices belonging to the Internet of Things.
“I think it’s a very big problem, not just with the specific attack we’ve shown with the lights. We should speak about how we do security in IoT,” Ronen said to Forbes. “The main issue [in the lightbulbs] is that there are not enough security measures.”
A NIST guide tells enterprises how to secure email systems
3.4.2016 Safety
For the first time in a decade, the US National Institute of Standards and Technology (NIST) has updated its secure email guide.
The last effort of the NIST Agency in the development of email security guidelines is dated 2007 when it published the NIST SP 800-45, Version 2 – Guidelines on Electronic Mail Security.
The new NIST guide is a document composed of 81 pages that aim to give recommendations and guidelines for enhancing trust in email.
This guideline applies to Government IT environment, but it is also useful for private organizations of any size.
The recommendations in NIST guide for secure email include suggestions on the practices to adopt for securing the environments around enterprise mail servers and mail clients. This guide also provides recommendations and guidance for email digital signatures and encryption (via S/MIME), recommendations for protecting against spam messages.
Security email needs a multidisciplinary approach that involves secure solutions, effective configurations and trained personnel.
“Email communications cannot be made trustworthy with a single package or application. It involves incremental additions to basic subsystems, with each technology adapted to a particular task.” states the NIST guide on secure email.
NIST secure email guide
Encryption is essential to secure email systems, the guide urge administrators to build out a cryptographic key management system (CKMS) and use keys to protect email sessions.
“As with any cryptographic keying material, enterprises should use a Cryptographic Key Management System (CKMS) to manage the generation, distribution, and lifecycle of DKIM keys. Federal agencies are encouraged to consult NIST SP 800-130 [SP800-130] and NIST SP 800-152 [SP800-152] for guidance on how to design and implement a CKMS within an agency.”
Despite the numerous incidents occurred in the last years, the NIST still considers trustable the DNS due to the numerous security enhancements, including the DNS Security Extensions (DNSSEC), which is a set of extensions to DNS that provide to DNS clients origin authentication of DNS data, authenticated denial of existence, and data integrity.
The NIST guide highlights the importance of the S/MIME (Secure Multipurpose Internet Mail Extensions) for secure email messages.
“Secure Multipurpose Internet Mail Extensions (S/MIME) is the recommended protocol for email end-to-end authentication and confidentiality. S/MIME is particularly useful for authenticating mass email mailings originating from mailboxes that are not monitored, since the protocol uses PKI to authenticate digitally signed messages, avoiding the necessity of distributing the sender’s public key certificate in advance. This usage of S/MIME is not common at the present time, but is recommended.” states the guide.
The guide included a warning to the organizations that rely on cloud services for their email, in particular on services offered by a third party.
Organizations need to make sure any email sent by third parties will pass SPF checks, the verification is simple because the enterprise administrator should include the IP addresses of third-party senders in the enterprise SPF policy statement RR.
The NIST guide is out for public comment until May 1st, I suggest you to read it.
The website of the Hungarian Government temporarily shut by cyberattack
3.4.2016 Hacking
Officials confirmed that the Hungarian government website came under attack from outside the country. The access to many websites was blocked.
The Hungarian Government announced that its computer network was targeted by a major cyber attack that temporarily blocked the access to several websites.
The attacks hit the main Hungarian government website and many other sites, including the one belonging to the Hungarian Academy of Sciences.
According to the Hungarian official, the cyber attacks were launched by threat actors from outside the country.
Hungarian Government website
Government experts revealed that more than more than 62,000 cyber attacks have hit its systems in a single day.
The Hungarian Interior Ministry declared that Government experts had been able to restore access to the affected websites.
As usually happens in these cases, the attribution of the attack is very hard.
At the time I was writing there aren’t other news of the attacks.
F-Secure provides more details on the Petya ransomware
2.4.2016 Virus
The best way to address a threat is to know it so security experts at F-Secure shared a detailed analysis on the new Petya ransomware.
Several days ago, I wrote about a new singular Ransomware dubbed Petya that captured the attention of security experts because it causes a blue screen of death (BSoD) by overwriting the MBR.
Now security firm F-Secure has issued an alert on the Petya ransomware, sharing the results of its analysis about the threat.
The malware encrypts the entire disk instead of encrypting files on the infected system like any other ransomware,
The Petya ransomware encrypts the filesystem’s master file table (MFT) making impossible for the operating system the access to any file and making the machine unusable.
The MFT contains at least one entry for every file, including the MFT itself.
” Specifically, it will encrypt the filesystem’s master file table (MFT), which means the operating system is not able to locate files.” wrote Jarkko Turkulainen, F-Secure senior security researcher.
“It installs itself to the disk’s master boot record (MBR) like a bootkit. But instead of covert actions, it displays a red screen with instructions on how to restore the system.”
Why encrypt the MFT?
Because the encryption of an MFT is less consuming than the encryption of all the files contained on the disk, and the result is the same.
Even restoring the MBR with recovery system won’t help, because the MFT remains encrypted.
The attack of a generic ransomware is very slow respect an attack based on the Petya ransomware, this means that victims aware of the threat could act to limit the effects of the malware.
Petya is able to compromise the MFT in a few seconds, causing the system crash and forcing a restart, and according to F-Secure experts, in an enterprise environment there would be no time to take mitigation measures.
Another effect of the Petya infection is that the victim would need to use a machine different from the infected computer to pay the ransom.
Petya operates in two stages, in the first one is the main dropper that performs the following operations:
Infects the MBR using direct \\.\PhysicalDrive manipulation.
Generates a set of crypto keys, including a disk encryption 16-byte key consisting of ASCII characters. It also wraps up a special decryption code, which only the server can open. This code contains the actual disk encryption key.
Saves the crypto keys to disk for later use in the MBR infection code.
Shuts down the machine without any warning to boot to MBR code.
In the second phase, once infected the PC, the machine boots to MBR code, which:
First checks to see if the disk is infected.
If not, it will present a fake CHKDSK screen and will encrypt the MFT using the shared secret as the encryption key.
Uses salsa20 for disk encryption, and destroys the key after encryption.
Presents the red “skull screen” and then the screen with Tor hidden service URLs, and the “decryption code”, which is an encrypted message only the server can open.
The Petya ransomware implements a custom Elliptic Curve encryption scheme for file encryption, the dropper ships with a 192-bit public key and secp192k1 curve parameters hardcoded in the code.
Wanting to make a critical to the authors, the Petya ransomware doesn’t implement a mechanism for paying the ransom, instead, it just share a URL with victims.
“Somewhat ironically, in making it harder for victims to pay a ransom, Petya’s authors may have also lowered their own chances of profiting from it” F-Secure security advisor Sean Sullivan explained to Dark Reading. “As a result, the likelihood of the same technique being used more widely will depend on the success malware authors have in monetizing Petya.”
It is important to notice that only the server can restore the encryption key used to encrypt the files with the EC algorithm.
“The only way to restore the machine without the help of the server is to catch the salsa20 key inline of the infection process, using debuggers. Not a very attractive counter measure for the average computer user:).” states F-Secure.
Ransomware is a serious threat, this form of digital extortion is becoming a common and profitable practice in the criminal underground.In recent months, ransomware samples like
In recent months, many ransomware strains like TeslaCrypt, Locky and CryptoWall have infected a large number of victims worldwide.
The U.S DHS issued an alert warning users of the threat. The alert, issued late Thursday, warned consumers and businesses about the “devastating” consequences of a ransomware attack.
“In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.” states the alert.
“The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.”
Tipy pro zastavení Ransomware
2.4.2016 Viry
V posledních několika týdnech, rychlost Ransomware útoků dramaticky zvýšil. Dokonce i v populárním zprávách, které jsme viděli několik nemocnic nahlásit hlavní infekce a jak Spojené státy a Kanada vydávání varování. Zde je několik rychlých tipů, aby se zabránilo Ransomware infekcí.
Zabránit spuštění souborů v% AppData% Adresáře
Obecně platí, že většina ransomware běží ve velkém měřítku spoléhat buď na využití souprav nebo spam motory. V obou případech je pro malware vykonat to obvykle zdržuje v různých dočasných adresářů v systému Windows (% AppDada%). Je možné zakázat možnost spouštět binární soubory v těchto adresářích pomocí zásad skupiny nebo bezpečnostní politiky, což znamená, když uživatel poklepe na Invoice.exe, malware nebude možné spustit. Toho se dosahuje pomocí zásad omezení softwaru a příklad je uveden na tomto blogu v tom, jak umožnit toto.
Výhodou tohoto postupu je, že se také může zabránit některé jiné formy škodlivého softwaru z provádění také.
Plně záplatované Systems, Java, Shockwave, Flash (kol)
Exploit soupravy spoléhají na zranitelná místa v klientském počítači se dostat malware vykonat. Obvykle se jedná o zranitelnosti v Javě, Shockwave, Flash a Adobe Reader. S Windows Update, mnoho systémy jsou nyní automaticky nakonfigurován tak, aby získat aktualizace. To nebylo až do nedávné doby, například, že Flash integrované auto-updater. Ujistěte se, jsou tyto aktualizace zabrání zneužití stavebnic ze úspěch. Jak již bylo řečeno, občas využívají soupravy se používají 0 jednodenní využije, ale jedná se o poměrně vzácný jev.
Zakázat e-maily se spustitelným Přílohy
Mnoho ransomware e-maily pomocí nástavce s spustitelné soubory, jednoduše zakázání e-maily s spustitelné soubory budou uživatelům zabránit přijímání. Podívejte se také na e-maily s "dvojitými přípon". Dalším častým trikem je příloh s názvem souboru zip, který může obsahovat spustitelný soubor nebo html dokumentu (s použitím jiných triků stáhnout spustitelný). Naučí uživatele, aby na místě těchto abnormálních e-mailů, takže nemají jejich vyřízení je klíčové.
Udržení silné zálohy
V neposlední řadě je důležité silných záloh je klíčové. Je-li Ransomware infekce stane, existují jen dvě možnosti pro organizaci: Obnovení ze zálohy nebo zaplatit výkupné. Jsou-li k dispozici zálohy, může to být hádka, ale nároky výkupné zarážející již nejsou jedinou cestou k úplné uzdravení.
Použití "vakcíny"
Všechny ransomware rodiny potřebují nějaký mechanismus, který zajistí, že oběť stroj není šifrována pomocí více klíčů. Typickým mechanismem je uložit veřejný klíč v registru (nebo jiných artefaktů), tak následných infekcí (nebo popravy stejné malware binární) používat pouze originální získané klíč. Tam byly pokusy o vytvoření vakcíny, které zneužívají tuto potřebu útočníků jinak naočkovat napadených počítačů. Ty mohou vést k šetření na případ od případu, aby zjistili, zda poskytují hodnotu.
Přizvukovat s komentáře, pokud tam jsou jiné techniky jste použili, aby pomohl zastavit šíření ve svých organizacích.
Do hackers have hacked election to make Peña Nieto President?
2.4.2016 Hacking
A Columbian hacker claims he helped the candidate Enrique Peña Nieto in winning the Mexican presidential election in 2012.
Until now we have seen something of similar only in the TV series, but the reality could overwhelm the fiction because a Columbian hacker claims he helped Enrique Peña Nieto in winning Mexican presidential election.
The hacker named Andrés Sepúlveda revealed to have operated in a team with peers to install a malware to monitor opponents during the 2012 campaign as part of a hacking campaign codenamed ‘black propaganda.’
The hackers helped Enrique Peña Nieto win Mexico’s 2012 presidential election, they manipulated the event it in nine countries across Latin America. The hackers have installed malware with the intent to spy on target machines and steal data, they also used a botnet to manage PSYOPs on the social media trying to influence the final decision of the voters.
The hacker, who is currently serving a 10-year prison sentence for hacking crimes related to Colombia’s 2014 presidential election, released an interview to Bloomberg explaining that he was hired by the Miami-based political consultant Juan José Rendón.
“My job was to do actions of dirty war and psychological operations, black propaganda, rumors—the whole dark side of politics that nobody knows exists but everyone can see” the man told to Bloomberg.
Sepúlveda added that his primary motivation was political, he hacked in opposition to what he defined “dictatorships and socialists governments.”
The political consultant Juan José Rendón denied to have hired Sepúlveda for illegal activities and confirmed that he paid him in 2005 for the development of a web site.
“He is delusional,” Rendón said in a phone call. “All the things he describes are exactly like the TV show Mr Robot.”
“Can you really change the will of the people through social networks? Maybe in Ukraine or Syria where there is no alternatives. But here (in the Americas) where there is TV, a free press and door to door campaigns, it is not so influential,” he added.
Sepúlveda confirmed to have had a $600,000 budget to undermine the presidential campaigns Nieto’s opponents, Josefina Vázquez Mota and Andrés Manuel López Obrador.
The hacker team compromised computers at the headquarters of the two candidates in order to monitor communications and exfiltrate sensitive data, including speech drafts and campaign schedules.
They also managed a PSYOP through the principal social networks by using a multitude of fake Twitter accounts to fuel the public debate on the Peña Nieto’s political plan and discrediting his rivals, all these accounts were carefully managed in a way to appear legitimate.
“He wrote a software program, now called Social Media Predator, to manage and direct a virtual army of fake Twitter accounts. The software let him quickly change names, profile pictures, and biographies to fit any need. Eventually, he discovered, he could manipulate the public debate as easily as moving pieces on a chessboard—or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”” reported Bloomberg.
Sepúlveda confirmed to have used a strategy similar to the ‘black propaganda’ in order to influence the opinion of voters in other elections in several countries, including Venezuela, Nicaragua, Panama, Honduras, El Salvador, Colombia, Costa Rica and Guatemala.
Unfortunately, the man has destroyed most of the evidence of his support to the politic candidates in various presidential campaigns.
Which is the Peña Nieto’s position?
The Office of the President issued the following statement:
“We reject any relationship between the 2012 presidential campaign team and Andrés Sepúlveda or that there was a contract with the consultant J.J. Rendón.”
Remotely unlock doors exploiting a flaw in HID Door Controllers
2.4.2016 Hacking
Experts from Trend Micro have discovered a serious flaw in HID door controllers that could be remotely exploited by hackers to open the doors.
Security experts at Trend Micro have discovered a serious flaw in door controllers developed by the HID access control systems manufacturer that could be exploited by hackers to send one malicious UDP request to a door and automatically unlock it and/or deactivate the alarm if the door has that feature enabled.
HID door controllers have the appearance of a black box that is located next to securitized doors. Users can swipe their card to open the door, once the door is unlocked the LED turns green.
Some HID door controllers also offer the possibility to connect the devices to a local network in order to allow system administrators to manage them.
The expert Ricky “HeadlessZeke” Lawshae from Trend Micro discovered that the models of door controllers VertX and Edge are affected by a design flaw in their management protocol.
The experts discovered that HID door controllers run a special daemon dubbed discoveryd, which listens on port 4070 for UDP packets that carry on instruction for the door controllers
“HID’s two flagship lines of door controllers are theirVertX and Edge platforms. In order for these controllers to be easily integrated into existing access control setups, they have a discoveryd service that responds to a particular UDP packet. ” states TrendMicro.
“A remote management system can broadcast a “discover” probe to port 4070, and all the door controllers on the network will respond with information such as their mac address, device type, firmware version, and even a common name (like “North Exterior Door”).”
The expert also discovered another security issue related to the above service that also implements a debugging function that allows a remote administrator to instruct HID door controllers to blink its LED for a number of times.
The admin can instruct a specific controller to blink by sending a “command_blink_on” command with the door’s ID. The researcher noticed that by appending a Linux command after the ID, wrapped in backticks, the device will execute it due to improper input sanitization.
In response to a blink command, the Discoveryd service builds up a path to /mnt/apps/bin/blink and calls system() to run the blink program passing the number of blink as an argument.
“A command injection vulnerability exists in this function due to a lack of any sanitization on the user-supplied input that is fed to the system() call. Instead of a number of times to blink the LED, if we send a Linux command wrapped in backticks, like `id`, it will get executed by the Linux shell on the device.”
The attacker can exploit The system() call, which runs with root privileges, to instruct the door controllers to execute a generic command with one single UDP packet.
If you use the HID door controllers, you need to urgently download the latest firmware versions.