Apple fans protested against the FBI; the killer's iPhone case bothers them
26.2.2016 Mobile
Several demonstrations took place in the USA this week over the case of unlocking the iPhone of the Islamic radical who, together with his wife, shot 14 people dead in San Bernardino, California, last December. Apple fans protested against the FBI and the judicial machinery ordering the American computer giant to build a "back door" into iPhones and iPads.
"Thank you, Apple." "We will not let our freedom be taken." "Don't break the security of our iPhones." Such slogans could be seen this week on the streets of large American cities. Altogether several hundred demonstrators gathered in front of Apple stores, for example in San Francisco and Los Angeles.
Crowd gathers at San Francisco Apple Store to protest FBI snooping https://t.co/a5S52u6nmI pic.twitter.com/VYS5Sv5lmX
— Cult of Mac (@cultofmac) February 18, 2016
Protests in San Francisco
Rally planned at San Francisco Apple store next week in protest of FBI order. https://t.co/BepqtQZBGE pic.twitter.com/ltP9mxH2q8
— NBC Bay Area (@nbcbayarea) February 19, 2016
They came to express support for the American computer giant in its dispute with the FBI and at the same time to make clear to investigators that they do not agree at all with their effort to break the iPhone's security.
The demonstrations passed without any disturbances and without any need for police intervention, and lasted several hours. The organizers said at the events that they would repeat similar actions until "the FBI comes to its senses".
FBI experts failed
The FBI tried for two whole months to get into the locked iPhone. The attacker, however, had his iPhone set so that it would automatically wipe itself after ten incorrect passcodes were entered, something the FBI's security experts evidently could not cope with.
Investigators therefore now want Apple to build a "back door" into the iOS system, which is used not only by iPhone smartphones but also by iPad tablets.
The problem is that by implementing such a tool into the mobile platform, the FBI would be able to bypass the security of practically any iPhone or iPad in the future, regardless of whether the device belonged to a terrorist or an ordinary citizen.
Apple's management is therefore understandably worried about possible abuse and does not want to comply with the FBI. A court nevertheless ruled that the American computer giant must start cooperating with the FBI. Apple CEO Tim Cook, however, intends to ignore even this order. [full story]
Three weeks is all I need, says McAfee
A turnaround in the whole case could nevertheless be brought about by John McAfee, former head of the antivirus company of the same name and, incidentally, a very experienced programmer. He has offered the FBI to bypass the security of the killer's iPhone in just three weeks. [full story]
The attack in San Bernardino was the deadliest in the country since the terrorist attacks of September 2001. The radicalized Muslim Syed Farook and his wife Tashfeen Malik shot 14 people dead there at the beginning of December 2015. They were later killed in a shootout with police.
NYT: Apple is preparing better iPhone protection so that the authorities cannot get in
26.2.2016 Mobile
Apple's tug-of-war with the US authorities over a "back door" to iPhones is far from over. The company is preparing better security, and the FBI in turn wants to unlock more phones. While Apple argues with the FBI over whether it is right to help defeat its own iPhone security, according to the New York Times it is also working to make it even harder for the authorities to break into phones in the future.
The planned security improvement is meant to practically rule out the method the FBI now wants to use. Investigators want Apple to produce a special version of the iOS operating system that would remove some of the security features (e.g. automatic data erasure after several failed PIN attempts) that complicate breaking the passcode by sheer computing power.
The FBI is exploiting the fact that although Apple gave up its own access to encrypted data with iOS 8, it kept the ability to update the phone's firmware (including the firmware of the Secure Enclave cryptographic chip) without the user having to enter the passcode. According to the NYT, the future change apparently concerns this ability.
Unfortunately the paper offers no further technical details about the planned change, and Apple has officially declined to comment.
Who is on whose side
The battle over helping to hack the iPhone has meanwhile seen several more rounds. The Pew Research agency published a survey according to which 51% of Americans think Apple should unlock the phone. Only 38% said it should not, and 11% of respondents said they did not know. Unfortunately, the question the researchers asked can be considered, to put it mildly, far too simplified.
As you may know, the FBI has said that accessing the iPhone is an important part of their ongoing investigation into the San Bernardino attacks while Apple has said that unlocking the iPhone could compromise the security of other users’ information. Do you think Apple: (1) Should unlock the iPhone (2) Should not unlock the iPhone (3) Don't Know.
Pew Research asked whether Apple should unlock the phone. But that is not how the case stands: Apple cannot unlock the phone by itself, and the FBI wants it to create a version of iOS that would make that easier. Its creation would in turn mean that the FBI could ask for similar things in other cases as well.
On top of that, the Reuters agency, together with Ipsos, came up with its own survey according to which everything is the other way round: 46% of respondents stand behind Apple's decision not to comply with the court order, 35% disagree with the company and 20% said they did not know. The Reuters question is not exactly precise either.
In any case, Facebook chief Mark Zuckerberg, for example, sided with Apple, as did Mozilla, which recently launched a campaign explaining why encryption is good:
On the opposite side of the barricade stood, for example, Microsoft founder Bill Gates, according to whom Apple should cooperate with investigators in this particular case.
And as if that were not enough, it turned out that the claims that the FBI is after one single iPhone are not entirely true. The US Department of Justice is currently asking various courts to have Apple unlock many more devices, the New York Times wrote. The journalists ultimately counted at least twelve of them.
Cisco fixes Command Injection vulnerability in CISCO ACE 4710 products
26.2.2016 Vulnerability
Cisco has released security updates for the Cisco ACE 4710 appliance to fix a high-severity command injection vulnerability.
This week Cisco published a security advisory about a command injection vulnerability (CVE-2016-1297) affecting its Cisco ACE 4710 Application Control Engine product. The vulnerability was reported to the company by Jan Kadijk, an expert at Warpnet BV.
The Cisco ACE 4710 Application Control Engine is a protection solution designed to enhance application availability and performance and to improve resilience to cyber attacks.
The Cisco ACE 4710 Device Manager GUI does not correctly validate user input, exposing users to remote attack: an authenticated attacker could execute any command-line interface command with administrator privileges. The Cisco ACE 4710 Application Control Engine is being phased out; Cisco has not sold the solution since January 2014, but it continues to support it until January 31, 2019.
"A vulnerability in the Device Manager GUI of the Cisco ACE 4710 Application Control Engine could allow an authenticated, remote attacker to execute any command-line interface (CLI) command on the ACE with admin user privileges," states the Cisco advisory.
“The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by crafting a malicious HTTP POST request with injected CLI commands inside the value of a POST parameter value. An exploit could allow the attacker to bypass the role-based access control (RBAC) restrictions enforced by the Cisco ACE Device Manager GUI.”
Exploitation of the vulnerability is quite simple: the attacker needs to send a specially crafted HTTP POST request with commands injected into the value of a POST parameter.
Cisco said the security flaw affects Cisco ACE 4710 appliances running A5 software versions up to A5(3.0) that have access to the Device Manager GUI enabled.
The company has already released security patches and suggests disabling the Device Manager GUI as a workaround.
Cisco confirmed that there is no evidence the flaw has been exploited in the wild.
Cisco has recently issued security advisories for vulnerabilities rated critical and high severity; among the affected products are the Industrial Ethernet 2000 Series devices and Cisco ASA firewalls.
The new iPhone designed by Apple will be unhackable
26.2.2016 Apple
Apple has begun developing security features for the new iPhone to make it impossible for law enforcement agencies to break into a locked iPhone.
The news about the FBI's request that Apple unlock the iPhone of Syed Farook, one of the San Bernardino shooters, has revived the debate on the effectiveness of the encryption measures implemented to protect users' privacy.
Apple’s CEO was categorical on the subject:
“The only way to get information — at least currently, the only way we know — would be to write a piece of software that we view as sort of the equivalent of cancer. We think it’s bad news to write. We would never write it,” Tim Cook explained in the interview.
While the US government is asking the company to implement a mechanism allowing law enforcement access to mobile devices during investigations of suspects, Apple is working on a new iPhone that will be unhackable even by the company's own experts.
According to the New York Times, Apple is studying new security features that would not allow hacking techniques to bypass the passcode protecting the iPhone and iPad.
“Apple engineers have begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts.” states a blog post published on the NYT.
The new iPhone will not allow law enforcement and intelligence agencies to bypass security measures implemented by Apple.
US authorities have asked Apple to unlock 12 more iPhone devices, and if the company agrees to one request there is a concrete risk that a huge number of similar requests will follow.
Clearly Apple is also trying to benefit from the story: by refusing the FBI's request it reinforces its privacy-focused image with its customers.
“For all of those people who want to have a voice but they’re afraid, we are standing up, and we are standing up for our customers because protecting them we view as our job,” added Tim Cook in an interview with ABC News.
The DoD funded the Carnegie Mellon University’s research on Tor Hacking
26.2.2016 Hacking
A judge has confirmed that the US Department of Defense funded Carnegie Mellon University to conduct research on Tor hacking.
In November 2015, the researchers at the Tor Project publicly accused the FBI of paying the experts at Carnegie Mellon University to deanonymize Tor users.
The experts at the Tor Project collected information about the attack technique developed in 2014 by Carnegie Mellon researchers against the popular anonymizing system.
In January 2014, the attackers used more than 100 Tor relays in an attempt to deanonymize suspects. Fortunately, the researchers at the Tor Project removed them from the network in July 2014.
The Director of the Tor Project, Roger Dingledine, accused the FBI of commissioning the Carnegie Mellon boffins to study methods of de-anonymizing Tor users. The FBI has allegedly paid at least $1 million to track Tor users and reveal their IP addresses as part of a large criminal investigation.
“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
Here is the link to their (since withdrawn) submission to the Black Hat conference:
https://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
along with Ed Felten’s analysis at the time:
https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/
We have been told that the payment to CMU was at least $1 million.” reads a blog post published by the Tor Project.
The FBI has paid at least $1 million to the researchers to find a way to de-anonymize users under investigation by law enforcement.
The research was funded by the Department of Defense (DoD), and the FBI obtained the information on alleged criminals after serving a subpoena on Carnegie Mellon's Software Engineering Institute (SEI).
This means that the SEI research was funded by the DoD and not by the FBI.
Court documents confirmed that the experts at Carnegie Mellon University had helped law enforcement to de-anonymize suspects.
Evidence of the collaboration between the FBI and Carnegie Mellon University also emerged at a trial in federal court in Seattle in November 2015. The court was hearing the case of Brian Farrell, an alleged Silk Road 2 lieutenant, whom law enforcement had identified through IP addresses linked to him. A new filing in Farrell's case states that a "university-based research institute" supported the investigation and helped the feds de-anonymize Farrell.
According to a Homeland Security search warrant, between January 2014 and July 2014 a "source of information" provided law enforcement "with particular IP addresses" that had accessed the vendor side of Silk Road 2.
Farrell's lawyers filed a motion asking the prosecution to provide further information on the involvement of the Carnegie Mellon researchers in the investigation and on the hacking technique used to de-anonymize suspects.
The federal judge's response was negative: the magistrate denied the motion this week, explaining that the authorities had not violated Fourth Amendment rights by identifying the suspects via their IP addresses.
"SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny."
The judge confirmed that the suspects were identified by exploiting security vulnerabilities in the Tor network.
Carnegie Mellon University has always denied having received money for the research.
Trojan targets Windows 10; attackers can drain people's bank accounts
25.2.2016 Viruses
A new version of the Gozi trojan can give Windows 10 users a real headache. On an infected machine it focuses on a single activity: it tries to obtain login credentials for internet banking and the other verification tools needed for it. Cybercriminals can then easily empty the account.
The Gozi trojan is well known to security experts. It first appeared on the scene in 2007, nine years ago. Since then, cybercriminals have deployed it again and again in variously modified versions.
That also applies to the current case, which the Security Week site has now drawn attention to. The newly modified version of Gozi focuses exclusively on machines running Windows 10, because it can inject malicious code into the new Microsoft Edge browser, which is preset as the default browser in Windows 10.
If people on an infected machine log in to their bank account through the Edge browser, they serve their login credentials to the computer pirates on a silver platter. That puts the cybercriminals just a step away from real money; all they need to do is smuggle a virus onto the user's smartphone so they can intercept the confirmation SMS messages.
The good news, however, is that the vast majority of the most widely used antivirus programs can deal with this uninvited guest. Owners of machines with an up-to-date antivirus therefore have little to fear.
Whether the new threat has already managed to deprive any users of their savings is not yet known.
Telemetry in Windows 10: what is sent to Microsoft?
25.2.2016 Security
Telemetry in Windows 10 is called snooping by some and the sending of innocent diagnostic data by others. In fact, Windows 10 allows four telemetry levels to be set, and the chosen level determines what is sent to Microsoft.
The Register published an article on telemetry settings in Windows 10. Telemetry can be set to one of four levels: Security, Basic, Enhanced and Full.
At the Security level a minimum of information is sent, only the data intended to keep Windows secure, such as the output of the Malicious Software Removal Tool, Windows Defender, the Connected User Experience and the telemetry settings themselves. Unfortunately, only users of Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise and IoT Core can set the Security level.
The Basic level adds information about hardware and software. Enhanced adds information about how Windows and applications are used. This is the default level for Windows 10 Enterprise, Windows 10 Education and IoT Core.
The definition of the Full level is a little tricky. If, for example, your Windows reports an application crash and the specialists at Microsoft cannot make sense of it, they can request the automatic sending of additional information. That can be the output of the programs msinfo32.exe, powercfg.exe and dxdiag.exe, as well as registry keys and the files that may be causing the crash. And Full is precisely the default setting for Windows 10 Home and Pro.
The Register therefore recommends setting the level to Basic, or better to Security if you have the appropriate edition of Windows. The telemetry level setting is in Feedback & Diagnostics and is also described in a document from Microsoft.
We recently published our own analysis of the telemetry sent by Windows 10, which did not produce any surprising revelations. Perhaps precisely because, judging by the pictures accompanying the article, the telemetry level was set to Basic.
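As an added example that is not part of the original article, the following PowerShell script reads and lowers the telemetry level through the Group Policy registry value (assumed here: `AllowTelemetry` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection`, 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full) and warns when the Security level is requested on an edition that, per the article, does not honour it. Edition detection via the `Win32_OperatingSystem` caption is an assumption of this example.

```powershell
# Added example, not from the article or from Microsoft documentation.
# Assumed policy location for the telemetry level (DWORD AllowTelemetry):
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$LevelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

# Editions on which level 0 (Security) is honoured, per the article.
# On Home/Pro a value of 0 is treated like Basic (1).
$SecurityCapable = @('Enterprise', 'Education', 'IoT')

function Get-TelemetryLevel {
    # Returns the policy-set level, or a note that the edition default applies.
    $item = Get-ItemProperty -Path $PolicyPath -Name 'AllowTelemetry' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Name = 'Not set by policy (edition default applies)' }
    }
    $v = [int]$item.AllowTelemetry
    return [pscustomobject]@{ Value = $v; Name = $LevelNames[$v] }
}

function Test-SecurityLevelSupported {
    # Assumption: the OS caption contains the edition name (e.g. "Windows 10 Enterprise").
    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    foreach ($tag in $SecurityCapable) {
        if ($edition -like "*$tag*") { return $true }
    }
    return $false
}

function Set-TelemetryLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 3)][int]$Level)

    if ($Level -eq 0 -and -not (Test-SecurityLevelSupported)) {
        Write-Warning 'This edition does not honour the Security level; the effective level will be Basic.'
    }
    # Create the policy key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name 'AllowTelemetry' -Value $Level -Type DWord
}

# Report the current state, then lower the level as The Register recommends:
# Security where the edition supports it, otherwise Basic.
$current = Get-TelemetryLevel
"Current telemetry policy: $($current.Name)"

$target = if (Test-SecurityLevelSupported) { 0 } else { 1 }
Set-TelemetryLevel -Level $target
"Telemetry policy now set to: $($LevelNames[$target])"
```

Writing under HKLM requires an elevated PowerShell session.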
Back doors would pose a greater threat than encryption without them
25.2.2016 Mobile
The FBI has long claimed that it needs legally mandated access to encrypted communications and data. A working group convened at Harvard University concluded that this is not a good idea.
The case of the encrypted iPhone of one of the San Bernardino perpetrators is only a skirmish in the dispute, above all between the FBI and the big technology companies, which Snowden's revelations prompted to pay more attention to encryption for end users.
Apple moved from words to deeds already with iOS 8, whereas Google, for example, only requires device encryption to be the default state from Android 6.0 Marshmallow onwards, and only for devices newly shipped with Marshmallow.
Senior FBI officials have long voiced the concern that technological progress will prevent them from investigating and accessing evidence:
In October 2014, FBI Director James Comey said:
The law has not kept pace with technology, and this creates a serious public safety problem... Those charged with protecting the public are not always able to get at the evidence needed to prosecute crime and prevent terrorism... We have the legal authority and the necessary court orders, but we often lack the technical ability to gain access.
The FBI captures this concern with the phrase "going dark": the evidence and intelligence they need is, as it were, "disappearing into the dark".
After a terrorist attack on European soil, some European politician usually speaks up in a similar vein. For example, after the massacre at the Charlie Hebdo editorial office, David Cameron demanded that it must be possible to access the content of any communication on the basis of a court order.
A number of public figures in America spoke up in defense of the need for encryption, and in the autumn of 2015 the Obama administration decided for the time being not to prepare any legislative measures that would force access to encrypted data. FBI Director Comey, however, is not giving up and continues to hope for a "dialogue with industry" and "voluntary" solutions...
Overall, though, it is not getting darker but brighter
The Berkman Center for Internet and Society at Harvard University decided to produce an overall view of the question of the threat posed by encryption. A working group of government and non-government experts met for a year and published a summary report on February 1. The group's participants from among current government employees, however, are not signatories of the report; they cannot be.
The working group was led by Professor Jonathan Zittrain, together with Matt Olsen, former director of the US National Counterterrorism Center, and the researcher and writer Bruce Schneier.
The "going dark" metaphor does not correspond at all to the overall reality, nor to the evident direction of its further development.
The report admits that in some specific cases investigators may find it impossible to get at the data of a suspect or perpetrator, but overall reality is developing rather towards the availability of more data and more ways of surveillance.
Moreover, any deliberate back door would weaken the protection of data against any attacker, a protection that is already mostly flimsy.
The report further concludes that encryption where only the originator of the data and, where applicable, the intended recipient hold the key is still available to ordinary users only to a limited extent. Its wider adoption is hindered both by the commercial interests of companies, which often earn money by analyzing their users' data and therefore need access to it, and by the popularity of cloud services.
Another factor is the fragmentation of the market and of the available solutions, which is why securing "end-to-end" encryption is often beyond the ability or willingness of an ordinary user.
After all, as soon as the user of even an encrypted iPhone backs up its contents to iCloud, Apple gains access to that content.
Simply because of the convenience of most users, or their insufficient skill, the overwhelming majority of data thus remains available to the authorities, at least under a court order, and there is no reason to expect a fundamental change in this respect any time soon. At the same time, the nature of the internet makes it impossible, at least in democratic countries, to prevent the few who find it worthwhile from using "end-to-end" encryption.
Moreover, an enormous amount of metadata is generated which, by its nature, cannot be hidden from service operators, and consequently from the authorities.
The report's authors also point to the growth of the Internet of Things, which, instead of a general "switching off of the lights", rather "switches on" new sources of data that can be monitored. What does it matter that someone communicates using an encrypted phone if they can be overheard, for example, by the microphone in a smoke detector or in a television; if their movements can be tracked by many devices that did not exist around us five or ten years ago.
Three participants attached their own views to the report:
Professor Susan Landau (for example co-author of the paper "Keys Under Doormats") holds that the need for protection against industrial espionage and espionage by foreign states, especially in the BYOD era, outweighs the needs of criminal investigators.
She warns that providing special access to data would only open up new dangers, if only because of how hard it is to avoid software bugs.
Similarly, Bruce Schneier points out that it is technologically impossible to create a back door that would take into account someone's citizenship, morality, or whether the person is holding the right piece of paper from a court.
It is short-sighted, he says, to focus attention only on crime and terrorism; security protects against a much wider spectrum of threats.
He recalls that a sufficiently motivated and well-equipped attacker will get in anywhere anyway. Universal encryption only raises the bar, and thus separates targeted surveillance from mass surveillance.
Exploiting existing vulnerabilities is merely more expensive than if state agencies had guaranteed access, one can add from Susan Landau.
Professor Jonathan Zittrain said that while he understands that it is unpleasant for security agencies to have to look for weak points in technologies, he would describe the effort to restrict, for that reason, which technologies may be used on the Internet at all with the metaphor of burning down the house to roast the pig.
He points out that in many cases a court could order a convicted person to decrypt a device, and failure to comply would constitute contempt of court.
Statements by the FBI (or anyone similar) are essentially to be understood as a kind of public bidding in an effort to make their own work easier, an effort, however, blind to the full breadth of society's interests.
Three weeks is all I need. I will bypass the killer's iPhone security, McAfee offered the FBI
25.2.2016 Mobile
The dispute between investigators of the American FBI and the electronics giant Apple over unlocking the iPhone of the Islamic radical who, together with his wife, shot 14 people dead in San Bernardino, California, in December could have an interesting denouement. John McAfee, former head of the antivirus company of the same name and, incidentally, a very experienced programmer, has offered the FBI his help. He says he can bypass the security of the Apple smartphone.
McAfee announced the possibility of cooperation with the FBI in an article on the Business Insider site, in which he openly called on investigators to contact him.
He did not forget to stress that he wants no fee for his help and that, thanks to the team of experienced programmers at his disposal, it will not take him too long. "It will take us roughly three weeks," he declared confidently.
"Hacking an iPhone is not that easy compared to competing smartphones, but I am sure we can manage it. If, on the other hand, you force Apple to take a different course, it will be the beginning of the end of America," McAfee said, addressing the FBI.
It is very unlikely, however, that investigators would actually take up the former antivirus magnate's offer, if only because of his recent brushes with the law. In 2012 he had to answer for an alleged murder.
Although McAfee was the main driving force of the antivirus company of the same name, in recent years he has increasingly distanced himself from his colleagues. His behavior was reportedly very erratic, and he was said to often associate with criminals.
Apple refused to cooperate
Moreover, the FBI currently holds all the aces. Last week a US court ordered Apple to help investigators decode the iPhone. It is the first such court decision, in which the court had to weigh whether the right to privacy in the digital space takes precedence over national security interests.
Federal prosecutors complained to the court that Apple refuses to cooperate with them. And the company did not change its position even after the judge's ruling. Apple's CEO declared that he would ignore the order because it threatens the security and trust of customers, even though the government asked to use the decoding software only in this single case. [full story]
The attack in San Bernardino was the deadliest in the country since the terrorist attacks of September 2001. The radicalized Muslim Syed Farook and his wife Tashfeen Malik shot 14 people dead there at the beginning of December. They were later killed in a shootout with police.
Apple is working on a new iPhone that even it can't hack
25.2.2016 Apple
Amid an ongoing dispute with the United States government over a court order to unlock the iPhone 5C of Syed Farook, one of the San Bernardino shooters, Apple has started working on stronger security measures that "even it can't hack", aiming for un-hackability in its future iPhones.
The Federal Bureau of Investigation (FBI) is deliberately forcing Apple to create a special, backdoored version of iOS that would let it brute-force the passcode on Farook's iPhone without erasing its data.
The FBI has approached the company to unlock the shooter's iPhone 5C in various ways, such as:
Create a backdoor into the shooter's iPhone.
Disable the auto-destruct feature that triggers after numerous tries.
Increase the brute-force time available to try out all combinations.
Minimize the waiting window after each try.
...and much more
Apple is still fighting the battle even after clearly telling the court that it will not provide the agency any backdoor access that would affect its users' privacy and security in the near future.
New iPhones will be Unhackable
Apple has given this sensitive issue top priority in order to safeguard the privacy and security of the public by closing any existing way in (if any).
According to the New York Times, Apple is working on new security measures that would prevent governments or federal law enforcement from using passcode-bypassing techniques to access iPhones or any iOS devices in the future.
This breakthrough would ensure that upcoming Apple products are not susceptible to such access by any means.
In short, the main point of this move is that even Apple would not be able to get at its customers' data, whether for a criminal identification demand from the FBI or for a government spying agency like the NSA.
In the San Bernardino shooter's case, Apple helped the FBI in every possible way by providing Farook's iCloud backup and suggesting other alternative ways to view his iPhone data.
But Apple refused the FBI's request and the Californian judge's demand to create a backdoor in order to pull the terrorist's data out of the iPhone 5C.
"The only way we know would be to write a piece of software that we view as sort of the software equivalent of cancer. We think it's bad news to write. We would never write it. We have never written it," stated Apple CEO Tim Cook in an interview.
Government wants Apple to Unlock 12 More iPhones
Cook's statement has a silent underlying meaning: the company could write a code snippet exclusively for this device to make a breakthrough in Farook's case.
But if Apple agrees to one request, then the company would be flooded by FBI and CIA requests to unlock more iPhones of criminals in the near future.
The recent request by the United States government to unlock 12 more iPhones is just the start of the scenario explained above.
Tech giants like Google, Facebook and WhatsApp have backed Apple's decision regarding user privacy, but politicians like presidential candidate Donald Trump criticized Apple's decision, making a controversial "Boycott Apple" statement on Twitter.
The looping requests of the FBI, battles on social media and many more controversies made Apple rethink the security of its future products. And since the company doesn't want to fly in the face of danger, it decided to bolster the security of its forthcoming iPhone releases.
Author of the Angler EK recently integrated a Silverlight exploit
25.2.2016 Exploit
The security researcher Kafeine confirmed that the authors of the Angler EK have integrated the exploit for a recently patched Microsoft Silverlight vulnerability.
Ransomware is becoming one of the most dreaded cyber threats for netizens; security experts have noticed a surge in the number of cyber attacks aimed at spreading malware like CryptoWall and TeslaCrypt. Exploit kits like the Nuclear EK and the Angler EK are the preferred vectors for serving this family of malware, and cyber criminals constantly improve their code in order to compromise the largest possible number of victims.
The security expert Kafeine has recently discovered that the authors of the Angler EK have added the code of a Silverlight exploit targeting the CVE-2016-0034 vulnerability.
The flaw was fixed by Microsoft in January with the MS16-006 critical bulletin; an attacker can exploit it for remote code execution. The Silverlight flaw was discovered by experts at Kaspersky Lab as a result of an investigation into the Hacking Team arsenal disclosed in July 2015.
According to Microsoft, the remote code execution vulnerability can be exploited by an attacker who sets up a website hosting a specially crafted Silverlight application.
When users visit the bogus website, the exploit allows the attacker to obtain the same permissions as the victim.
On February 18, 2016, Kafeine noticed that the author behind Angler had added code for the Silverlight exploit; according to the expert, the integration was completed on February 22.
Anton Ivanov, a senior malware researcher at Kaspersky, confirmed that an exploit for the Silverlight vulnerability has been integrated into the Angler EK.
Kafeine explained that the CVE-2016-0034 exploit has been used to spread a variant of the TeslaCrypt ransomware; the attack works only against Silverlight versions prior to the current one, Silverlight 5.1.41212.0.
Angler EK dropping TeslaCrypt via Silverlight 5.1.41105.0 after the “EITest” redirect, 2016-02-22 (Kafeine blog post)
The experts at Ars Technica who analyzed the Hacking Team’s leaked emails noticed communications between a Russian developer named Vitaliy Toropov and the staff of the Hacking Team.
The man sold an Adobe Flash Player exploit to the Hacking Team for $45,000 in 2013 and also offered a Silverlight exploit.
“Now your discount on the next buy is -5k and -10k is for a third bug. I recommend you the fresh 0day for iOS 7/OS X Safari or my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well.” Toropov wrote to Hacking Team member Giancarlo Russo.
Experts at Kaspersky started analyzing Toropov’s exploits, including a Microsoft Silverlight Invalid Typecast / Memory Disclosure exploit dating back to 2013 that he had published.
Kaspersky issued a YARA rule to detect the exploit in the wild, and on November 25th the company detected Toropov’s exploit on a user’s machine. Later, another sample of the exploit was uploaded from Laos to a multiscanner service.
“After implementing the detection, we waited, hoping that an APT group would use it. Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it? Unfortunately, for several months, nothing happened. We had already forgotten about this until late November 2015.” Kaspersky researchers wrote in a blog post. “On November 25th, one of our generic detections for Toropov’s 2013 Silverlight exploit triggered for one of our users. Hours later, a sample was also uploaded to a multiscanner service from Lao People’s Democratic Republic (Laos).”
Analysis revealed that the exploit was compiled on July 21, 2015, after the Hacking Team data was leaked online. Kaspersky immediately reported the exploit to Microsoft.
It is unclear whether this Silverlight exploit is the same one Toropov offered in 2013:
“One of the biggest questions we have is whether this is Vitaliy Toropov’s Silverlight zero-day which he tried to sell to Hacking Team. Or is it a different one? Several things make us think it’s one of his exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one.” wrote Kaspersky researchers.
Judge Confirms Government Paid CMU Scientists to Hack Tor Users for FBI
25.2.2016 Hacking
Everything is now crystal clear:
The security researchers from Carnegie Mellon University (CMU) were hired by federal officials to discover a technique that could help the FBI unmask Tor users and reveal their IP addresses as part of a criminal investigation.
Yes, a federal judge in Washington has recently confirmed that the computer scientists at CMU's Software Engineering Institute (SEI) were indeed behind a hack of the Tor project in 2014, according to court documents [PDF] filed Tuesday.
In November 2015, The Hacker News reported that Tor Project Director Roger Dingledine accused the Federal Bureau of Investigation (FBI) of paying CMU at least $1 million for information that led to the identification of criminal suspects on the dark web.
After this news had broken, the FBI denied the claims, saying "The allegation that we paid [CMU] $1 Million to hack into TOR is inaccurate."
Meanwhile, the CMU also published a press release, saying the university had been subpoenaed for the IP addresses it obtained during its research.
The revelation came out as part of the ongoing case against Brian Richard Farrell, an alleged Silk Road 2 lieutenant who was arrested in January 2014. It has emerged that the federal officials recruited a "university-based research institute" that was running systems on the Tor network to help authorities uncover the identity of Farrell.
University Researchers Helped FBI Hack TOR
Now, a recent filing in one of the affected criminal cases has confirmed both the name of the "university-based research institute" and the existence of a subpoena.
Some earlier allegations by the Tor Project seem to be wrong. The research was funded by the Department of Defense, and the FBI later obtained the data through a subpoena.
Here's what the Tuesday court order, by US District Judge Richard Jones, filed in the case of Farrell reads:
"The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU) when SEI was conducting research on the Tor network which was funded by the Department of Defense (DOD)."
"Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU."
Farrell is charged with conspiracy to distribute drugs like cocaine, heroin, and methamphetamine through the Silk Road 2.0 dark web marketplace.
$1.73 Billion to Unmask Tor Users?
Last summer, the DoD renewed a contract worth over $1.73 billion with the SEI, which, according to CMU, is the only federally funded research center that focuses on "software-related security and engineering issues."
Carnegie Mellon University's SEI came under suspicion for the Tor hack after the sudden cancellation of a talk by SEI researchers Michael McCord and Alexander Volynkin on de-anonymizing Tor users at the Black Hat 2014 hacking conference.
More details on the matter are still unclear, but the judge confirmed a few facts about Tor and stated that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."
Asus Faces 20 years of Audits Over Poor Wi-Fi Router Security
25.2.2016 Safety
Asus is currently in a troublesome situation after a lawsuit was filed by the US Federal Trade Commission (FTC) over the insecurity of its routers.
On Tuesday, the FTC settled charges with Asus, under which the hardware manufacturer agrees to:
undergo independent security audits once every 2 years for the next 2 decades.
This action was taken as a result of security negligence in Asus wireless routers that put the home and corporate networks of hundreds of thousands of consumers at risk.
If Asus is found to violate the agreement, the company could end up paying a civil penalty of up to $16,000 for each violation.
Asus Router Security Blunders
Since Asus markets its products on its website as secure and intelligent routers, the following flaws cast doubt on that level of security and intelligence.
1. Default Username & Password: ADMIN
In 2014, a serious security issue concerning the default password of Asus products was brought to the public. It was discovered that Asus had been shipping its routers with a preset default value in both the username and password fields.
Even a script kiddie with this predictable credential could gain unauthorized access to any such router and break into the victim’s network. In 2014, many Asus routers were compromised in exactly this manner.
Additionally, Asus did not bother to notify its customers to change the default usernames and passwords in order to maintain the security and privacy of their networks.
2. Easily Hackable Router Admin Panel
During its investigation, the FTC found that nearly all the security measures Asus had taken could be bypassed.
One of the most prevalent vulnerabilities uncovered allowed hackers to gain access to the admin panel and disable the security settings via the web interface.
3. Asus AiCloud & AiDisk Vulnerable to Remote Hacking
The "security negligence" episodes of Asus are not over yet.
The cloud services offered by Asus, AiCloud and AiDisk, also suffered from critical vulnerabilities that allowed an attacker to access your hard disk remotely from anywhere in the world, resulting in complete system compromise.
AiCloud lets customers browse files in the cloud, so that users can treat the router as a mini-cloud after plugging a USB hard drive into it.
Man-in-the-middle (MITM) attacks were easy to execute because the login details were transmitted unencrypted.
The issue was reported back in January 2014, but ASUS did not advise its users to upgrade their firmware after patching the vulnerability, a clear case of negligence.
4. 'Check for Upgrades' is an Illusion
Regular updates are usually a vulnerability killer in every respect. But it is different in the case of Asus.
According to the collective reports, the FTC found that the button named "Check for Upgrades" was just a dummy with no real function behind it.
It is believed that administrators did not import the latest patches into the upgrade database, so nothing was available to push to users whenever a user checked for notifications.
In short, hackers had free rein to mess with the security features of any Asus router after walking straight in through the sloppy admin policies of Asus routers.
The FTC isn't just unhappy about ASUS's bogus security claims; it’s also unhappy with the company's response time.
All the complaints, in a nutshell, are enough to show the laxity of the security measures taken by Asus.
Internet of Things (IoT) Devices at Risk
This situation of illusory security becomes even worse when Internet of Things (IoT) devices are compromised. Since routers are the gateway to IoT devices, an attacker could easily execute commands of their own choosing on those devices.
Jessica Rich, Director of the FTC's Bureau of Consumer Protection, says:
"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks. Routers play a key role in securing those home networks, so it's critical that companies like ASUS put reasonable security in place to protect consumers and their personal information"
Asus has made it very clear that it will follow the right path: notify users whenever an update is available and also provide appropriate instructions to protect them.
The disclosure of these silly vulnerabilities is an eye-opener for other router vendors to tighten up their own security as well as that of their customers.
The weaknesses in ASUS products mentioned above came to light in 2014, but a month later, 300,000 home and small-office routers manufactured by D-Link, Micronet, Tenda, TP-Link, and others were compromised by the same methods.
Remotely hacking a Nissan LEAF via vulnerable APIs
25.2.2016 Hacking
The security expert Troy Hunt discovered that it is possible to remotely control features of a Nissan Leaf via API.
The popular security expert Troy Hunt discovered a security vulnerability affecting the API implemented by Nissan to manage LEAF cars from a mobile device. Other experts have confirmed the existence of the flaw, and the vulnerability had been discussed publicly on a French-language forum since December. The vulnerability could be exploited by hackers to remotely manage some features of the popular electric car.
Nissan provided both Android and iOS applications to remotely manage the vehicle from a mobile device.
Hunt was at a workshop held in Norway when one of his students, who owned a Nissan LEAF, reported that the iOS app was using only the Vehicle Identification Number (VIN) to authenticate users. Knowledge of a Nissan LEAF’s VIN could allow attackers to control the air conditioning and access driving data, including power consumption and distance travelled.
Analysis of the API revealed that it could be accessed without any kind of authentication.
Hunt conducted a series of tests with the support of researcher Scott Helme that demonstrated how to take control of vehicle features remotely. An attacker could exploit the flaw to turn on the AC of a parked car and drain its battery, but the Australian expert confirmed that it is not possible to remotely control the engine or to lock or unlock the vehicle.
How to obtain a target’s VIN?
Hunt explained that all the Nissan LEAF vehicles he analyzed had the same VIN except for the last five digits, so an attacker could try all possible combinations of these digits to send commands to a vehicle.
Hunt reported the issue to Nissan on January 23, but the vulnerability is still unpatched. Until a fix is available, users can disable the service from the configuration menu.
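What the missing check looks like, as an added example that is not Nissan's code: a minimal model of the VIN-only handler described above beside a hardened one that requires an authenticated session, verifies the VIN belongs to that session's user, and flags a client that cycles through many VINs (the last-five-digit guessing Hunt describes). The VIN prefix, accounts, passwords and client address are constructed placeholders.

```python
import hmac
import secrets
import time

# Constructed fixtures: not real VINs, accounts, passwords or Nissan endpoints.
VIN_PREFIX = "SJNFAAZE0U60"      # hypothetical shared prefix; last five digits vary
OWNERS = {VIN_PREFIX + "12345": "alice", VIN_PREFIX + "67890": "bob"}
PASSWORDS = {"alice": "alice-demo-pw", "bob": "bob-demo-pw"}
CARS = {vin: {"battery_pct": 80, "climate_on": False} for vin in OWNERS}


def vulnerable_get_status(vin):
    """The reported flaw in miniature: the VIN is the only thing checked."""
    return dict(CARS[vin])


class EnumerationDetected(Exception):
    """One client asked about too many distinct VINs inside the window."""


class HardenedApi:
    """Session required, VIN must belong to the session's user, VIN churn throttled."""

    def __init__(self, max_distinct_vins=5, window_s=60.0, clock=time.monotonic):
        self._sessions = {}       # bearer token -> user
        self._seen = {}           # client -> {vin: time of last lookup}
        self._max = max_distinct_vins
        self._window = window_s
        self._clock = clock

    def login(self, user, password):
        expected = PASSWORDS.get(user, "")
        if user not in PASSWORDS or not hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def _authorize(self, token, vin, client):
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("no session")
        # Throttle before the ownership check so guessing is caught even from
        # a logged-in account: count distinct VINs per client in the window.
        now = self._clock()
        seen = self._seen.setdefault(client, {})
        for old_vin, ts in list(seen.items()):
            if now - ts > self._window:
                del seen[old_vin]
        seen[vin] = now
        if len(seen) > self._max:
            raise EnumerationDetected(f"{client}: {len(seen)} VINs in {self._window}s")
        # Unknown VIN and someone else's VIN get the same answer, so the API
        # does not reveal which last-five-digit combinations exist.
        if OWNERS.get(vin) != user:
            raise PermissionError("vehicle not linked to this account")
        return vin

    def get_status(self, token, vin, client="203.0.113.10"):
        return dict(CARS[self._authorize(token, vin, client)])

    def set_climate(self, token, vin, on, client="203.0.113.10"):
        CARS[self._authorize(token, vin, client)]["climate_on"] = bool(on)
        return CARS[vin]["climate_on"]
```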
Operation Blockbuster reveals the Lazarus Group's activities
25.2.2016 Hacking
The Operation Blockbuster coalition has disclosed the results of its investigation into the activities of the Lazarus Group, which is believed to be behind the Sony Pictures hack.
The state-sponsored hackers allegedly behind the Sony Pictures hack have been linked to other security breaches suffered by a number of companies in South Korea.
The FBI blamed North Korea; the Bureau released the findings of its investigation, which indicated the involvement of the Pyongyang government in the Sony hack.
“As a result of our investigation, and in close collaboration with other US Government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the FBI said Friday in a statement.
US law enforcement suspects the involvement of North Korea’s Unit 121, a group of hackers working under the direction of the General Bureau of Reconnaissance.
Experts at Kaspersky have linked the group to the hacking operations Dark Seoul and Operation Troy. According to Kaspersky, the hacking crew has been active since at least 2009 and is still operating undercover.
Kaspersky Lab, alongside a number of security firms including Novetta, AlienVault, Invincea, ThreatConnect, Volexity, Symantec, and PunchCyber, has published reports on the activities of the Lazarus Group.
The group of security firms formed an alliance called Operation Blockbuster, which issued detection signatures to neutralize the hacking tools used by the APT.
The Lazarus Group’s arsenal includes the Destover wiper malware, the same malware used against the systems of Sony Pictures Entertainment.
“The group deployed multiple malware families throughout the years, including malware associated with Operation Troy and DarkSeoul, the Hangman malware (2014-2015) and Wild Positron / Duuzer (2015). The group is known for spearphishing attacks, which include CVE-2015-6585, which was a zero-day vulnerability at the time of discovery.” states a report published on SecureList.
Researchers at Kaspersky Lab revealed that the Lazarus Group’s malware is mostly custom-tailored and appears highly sophisticated.
The activity of the Lazarus Group surged in 2014 and 2015; the experts of the firms making up the Operation Blockbuster team noticed a number of similarities across attacks worldwide.
The researchers discovered that malware used in the attacks linked to the Lazarus Group reused several components, including at least six user-agents.
“Studying multiple coding quirks within any given malware variant actually revealed these to be coding conventions implemented across both different malware families as well as entirely new samples. A simple example of code reuse is the networking functionality that includes a half-dozen hard-coded user-agents with the misspelling ‘Mozillar’ instead of Mozilla.” states the post.
The experts also noticed other similarities in the modus operandi of the threat actors, such as the use of BAT files to delete malware components after infection and the reuse of passwords in the malware droppers.
“These BAT files are generated on the fly and, while they serve their purpose of eliminating initial infection traces, they ironically double as a great way to identify the malware itself by honing in on the path-placeholder strings that generate the randomly-named BAT files on the infected systems,” Kaspersky Lab said in its report. “A high-confidence indicator of correlation is the reuse of a shared password across malware droppers used to drop different malware variants. The droppers all kept their payloads within a password-protected ZIP under the resource name ‘MYRES’. The dropper contains the hardcoded password ‘!1234567890 dghtdhtrhgfjnui$%^^&fdt’ making it trivially easy for an analyst to reach the payload.”
The researchers confirmed that the group is still active and is currently working on new weapons to add to its arsenal.
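A small scanner for the reuse indicators quoted above, as an added example (not code from Kaspersky, Novetta or the Operation Blockbuster reports): it looks for the ‘Mozillar’ user-agent misspelling, the ‘MYRES’ resource name and the shared dropper ZIP password, checking the latter two in both ASCII and UTF-16LE (the encoding PE resource names use), and rates a sample accordingly. The sample blobs are constructed for the demonstration, not real malware.

```python
import re

# Reuse indicators quoted on the page (Operation Blockbuster findings).
MOZILLAR_RE = re.compile(rb"Mozillar/[0-9.]+")     # misspelled user-agent prefix
MYRES_RESOURCE = b"MYRES"                           # resource name holding the ZIP payload
DROPPER_ZIP_PASSWORD = b"!1234567890 dghtdhtrhgfjnui$%^^&fdt"


def _utf16le(needle):
    """PE resource names and many Windows strings are stored as UTF-16LE."""
    return needle.decode("ascii").encode("utf-16-le")


def _encodings_present(blob, needle):
    """Which encodings of needle occur in blob: [], ['ascii'], ['utf-16-le'] or both."""
    found = []
    if needle in blob:
        found.append("ascii")
    if _utf16le(needle) in blob:
        found.append("utf-16-le")
    return found


def scan(blob):
    """Map each reuse marker found in blob to its evidence."""
    findings = {}
    # The user-agent strings sit in ASCII network code, so ASCII only here.
    uas = sorted({m.group(0).decode("ascii") for m in MOZILLAR_RE.finditer(blob)})
    if uas:
        findings["mozillar_user_agent"] = uas
    for name, needle in (("myres_resource", MYRES_RESOURCE),
                         ("dropper_zip_password", DROPPER_ZIP_PASSWORD)):
        encodings = _encodings_present(blob, needle)
        if encodings:
            findings[name] = encodings
    return findings


def classify(blob):
    """'high' if the shared dropper password is present (the report's high-confidence
    correlation), 'medium' for both weaker markers, 'low' for one, else 'none'."""
    findings = scan(blob)
    if "dropper_zip_password" in findings:
        return "high"
    if len(findings) == 2:
        return "medium"
    if findings:
        return "low"
    return "none"


# Constructed sample blobs (not real malware): one carrying the markers in the
# encodings a dropper would use, one clean.
SAMPLE_DROPPER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"User-Agent: Mozillar/5.0 (compatible; MSIE 7.0; Windows NT 5.1)\x00"
    + _utf16le(MYRES_RESOURCE) + b"\x00" * 8
    + DROPPER_ZIP_PASSWORD + b"\x00"
)
SAMPLE_CLEAN = (
    b"MZ\x90\x00"
    + b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\x00"
    + _utf16le(b"RCDATA")
)
```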
Linux installations were infected already at download
24.2.2016 Viruses
Cybercriminals very often target computers running the Windows operating system. Other platforms do not escape their attention either; at the end of last week, for example, they also took aim at Linux users. They managed to compromise the official website of one of the distributions, so that users downloaded infected installers.
Official website of the Linux Mint distribution
The problems concern users of the Linux Mint distribution, warned the Czech national security team CSIRT. Only those, however, who downloaded the installation from the linuxmint.com website.
“If you downloaded ISO images from the Linux Mint distribution website on 20 February, you should be on your guard. The website was hacked and the attacker changed the download links for the ISO files to a server offering modified versions,” warned security analyst Pavel Bašta of the CSIRT team, which is operated by the CZ.NIC association.
Operating system installations are commonly distributed as so-called ISO images, essentially a bundle of the individual components of the platform that can easily be burned to a CD or DVD. Since these bundles are usually quite large, users had no chance of noticing that the installation was a few megabytes larger because of the embedded malware.
Antivirus programs may be helpless
As the Hacker News server pointed out, the malicious virus in the fresh operating system installation opened a backdoor for the attackers to all stored data. Through it, they could easily smuggle further uninvited guests into the compromised machine.
Security experts did not say how many people downloaded the tainted installers. By now, however, all files on the Linux Mint website should be clean.
The best way to get rid of this malware is to wipe the entire operating system and reinstall it. Because the virus was part of the system already during installation, some antivirus programs may not be able to deal with it.
Ransomware targeted Linux
Cyber attacks on the Linux platform are not as exceptional as they might seem at first glance. At the end of last year, for example, an extortion virus from the ransomware family targeted this operating system.
The attack proceeded in exactly the same way as on the Windows platform. The attackers tried to give the owner of the infected machine the impression that they would regain access to the encrypted data after paying a fine, allegedly imposed for using illegal software and the like.
Even after paying the ransom, users did not get their data back. Instead of paying the ransom, the virus has to be removed from the computer.
Just One Device? No, Government wants Apple to Unlock 12 More iPhones
24.2.2016 Apple
Until now, the FBI has been asking for Apple's help in unlocking the iPhone belonging to one of the terrorists in the San Bernardino shootings, which killed 14 and injured 24 in December.
However, in addition to the iPhone 5C that belonged to San Bernardino shooter Syed Farook, the U.S. Justice Department is seeking court orders forcing Apple to help officials unlock at least 12 more iPhones.
Citing sources, the Wall Street Journal reported that federal authorities want to extract data from iPhones seized in a variety of criminal investigations, in undisclosed cases where prosecutors are seeking to compel Apple to help them bypass the iPhone's lock screen.
Although further details of these cases have not yet been publicly disclosed, these dozen or so cases are all distinct from the San Bernardino shooter's case and involve many iPhones running an older iOS version that has fewer security barriers to bypass.
However, Apple is fighting the government's demands in all these cases and, in a number of them, has objected to the Justice Department's efforts to compel the company through an 18th-century law called the All Writs Act, under which courts can require actions to comply with their orders.
Bill Gates wants Apple to Help the FBI
Apple's refusal to unlock iPhone linked to one of the San Bernardino shooters has escalated a battle between the technology company and the U.S. Federal Bureau of Investigation.
Although many big players in the technology industry, including Facebook, WhatsApp, and Google, have supported Apple's stand, many politicians including Donald Trump have criticized and opposed Apple.
...and the latest to oppose Apple's decision is Microsoft co-founder Bill Gates.
"Nobody's talking about a backdoor," Gates told Financial Times. "This is a specific case where the government is asking for access to information. They are not asking for some general thing, they are asking for a particular case."
However, in a separate interview later Tuesday with Bloomberg, Gates said he was "disappointed" with headlines based on the FT report claiming that he supported the FBI in its ongoing battle with Apple, saying "that does not state my view on this."
In the past, Microsoft has collaborated closely with US government agencies to allow its users' communications to be intercepted.
Microsoft helped the NSA (National Security Agency) to circumvent its own encryption and built a series of backdoors into Outlook.com, Skype, and SkyDrive to ease difficulties in accessing online communications, according to documents leaked by Edward Snowden.
Mother of San Bernardino Victim Supports Apple
Though the FBI, DoJ, and politicians like Donald Trump are unable to understand the importance of privacy, a mother who lost her son in the San Bernardino, California terrorist attack last December says the right to privacy 'makes America great.'
Carole Adams, whose son Robert was killed in the terrorist attack last year, supports Apple's stand on encryption and said the company is within its rights to protect the privacy of all United States citizens.
The battle between Apple and the FBI, in which the agency is asking the company to create a backdoored version of iOS to unlock the shooter's iPhone 5C, is taking new twists and turns every day, so let's see who wins.
How to Hack a Computer from 100 Meters by Hijacking its Wireless Mouse or Keyboard
24.2.2016 Hacking
No matter how secure you think your computer might be, something malicious can always happen, as a computer is an open book to someone with the right tools and talent.
The same has been proved by a group of security researchers who hacked into a computer with no internet connection and no Bluetooth devices.
Yes, it is possible for attackers to hack your computer through non-Bluetooth devices such as your wireless mouse and keyboard and install malware or a rootkit onto your machine.
That innocent-looking tiny dongle plugged into your USB port to relay data between your wireless mouse and the computer is not as innocent as it pretends to be.
What's the Vulnerability?
Security researchers from the Internet of Things security firm Bastille have warned that wireless keyboards and mice from seven popular manufacturers, including Logitech, Dell, Microsoft, HP and Lenovo, are vulnerable to so-called MouseJack attacks, leaving billions of computers exposed to hackers.
The flaw actually resides in the way these wireless mice and their corresponding radio receivers handle encryption.
The connection between the tiny dongle and the mouse is not encrypted, so the dongle accepts any seemingly valid command.
How to Hijack Wireless Mouse and Hack Computer?
Wireless mice and keyboards communicate via radio frequency with a USB dongle inserted into the PC. The dongle then sends packets to the PC, which follows the mouse clicks or keystrokes.
While most wireless keyboard manufacturers encrypt traffic between the keyboard and the dongle to prevent spoofing or hijacking of the device, the mice tested by Bastille did not encrypt their communications to the dongle, allowing an attacker to spoof a mouse and install malware on the victim's PC.
Using a long-range radio dongle costing around $15-$30 and a few lines of code, a malicious hacker within 100 meters of your computer could intercept the radio signal between the dongle plugged into your computer and your mouse.
The hacker can therefore send packets that generate keystrokes instead of mouse clicks, allowing them to direct your computer to a malicious server or website in mere seconds.
During their tests, researchers were able to generate 1000 words/minute over the wireless connection and install a malicious Rootkit in about 10 seconds. They tested several mice from Logitech, Lenovo, and Dell that operate over 2.4GHz wireless communications.
Who is Affected?
The following is the list of the wireless keyboard and mouse manufacturers whose non-Bluetooth wireless devices are affected by the MouseJack flaws:
Logitech
Dell
HP
Lenovo
Microsoft
Gigabyte
AmazonBasics
Billions of PC users with wireless dongles from any of the above manufacturers are at risk from the MouseJack flaw. Even Apple Macintosh and Linux users could be vulnerable to the attack.
These mice are distinct from Bluetooth mice, which are not affected by this security issue.
Many Wireless Devices will Never Receive any Patch
The researchers have already reported the security issue to all the seven manufacturers, but as of today, only Logitech has released a firmware update that blocks MouseJack attacks.
However, there are a large number of cheaper mice that do not have updatable firmware, so all of them will remain vulnerable forever, which could be a major issue in business environments where peripherals are often used for several years before being replaced.
Although Lenovo, HP, Amazon, and Gigabyte did not comment, a Dell spokesperson advised users of the KM714 keyboard and mouse combo to get the Logitech firmware patch via Dell Tech Support, and KM632 Combo users to replace their devices.
Here's the list of affected devices, so if you are using one of them, it might be time to check for updates and, if none are available, replace your existing peripheral.
For more in-depth knowledge, you can refer to the white paper explaining the technical details.
Anonymous hacked France’s Ministry of Defense portal CIMD (Centre d’Identification des Materiels de la Defense)
24.2.2016 Hacking
Anonymous hacked the CIMD portal managed by France’s Ministry of Defense to protest against French foreign arms trade operations.
The Anonymous collective has hacked one of the websites managed by France’s Ministry of Defense, the CIMD (Centre d’Identification des Materiels de la Defense). The hacktivists accessed the database and leaked it online to protest against the country’s foreign arms trade operations.
Anonymous accuses the French government of selling weapons to repressive regimes like Saudi Arabia. The French authorities are also accused by Anonymous of using surveillance and hacking tools, as demonstrated by the documents leaked by WikiLeaks following the hack of the surveillance firm Hacking Team.
The incident was disclosed on February 22 by Anonymous. An “Our web portal will be temporarily unavailable due to maintenance actions” message was displayed to the users of the CIMD portal.
The hackers leaked online a database dump containing sensitive information, including army supplier data and partner information, along with login and FTP credentials and PHP sessions.
The archive includes usernames paired with cleartext passwords.
As proof of the hack, Anonymous also leaked pictures of the CIMD admin panel; experts who viewed the images speculate that the web portal was running a dated CMS.
“As a side note, after testing the vast majority of CMSs listed in Softpedia’s Webscripts section, I can say that the army’s portal looks like a very old content management platform, if not one custom made just for France’s Ministry of Defense.” wrote Catalin Cimpanu in a blog post published by Softpedia.
Anonymous highlighted the presence in the CIMD archive of a series of press articles reporting the foreign arms trade operations of the French government.
Anonymous also shared a link to a report published by Amnesty International in 2012 that listed France as the world’s second largest arms trader.
Operation Dust Storm, hackers Target Japanese Critical Infrastructure
24.2.2016 Hacking
Japanese commercial and critical infrastructure organizations have been targeted by a long-running campaign dubbed Operation Dust Storm.
Security firm Cylance has uncovered a long-running hacking campaign dubbed ‘Operation Dust Storm’ targeting commercial and critical infrastructure organizations in Japan.
The threat actors behind Operation Dust Storm have been active since at least 2010; the hackers have targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.
Experts believe that the group is well-organized and well-funded, a circumstance that led the researchers to speculate about the involvement of a nation-state actor.
The researchers at Cylance revealed that the threat actors began focusing on Japanese organizations in 2015; the hackers breached the networks of Japanese organizations in the electricity generation, oil and natural gas, transportation, finance, and construction industries.
The list of victims includes an automaker, the Japanese subsidiary of a South Korean electric utility firm, and an oil and gas company.
The hackers demonstrated the availability of unique backdoors and zero-day exploits in their arsenal, used in watering hole and spear phishing attacks. In a number of attacks conducted in May 2015, the group also used several Android backdoors against targets in South Korea and Japan.
Fortunately, the attacks launched by the group behind Operation Dust Storm were not sophisticated. The researchers first spotted the group in 2011, when the hackers relied on Adobe Flash Player (CVE-2011-0611) and Internet Explorer (CVE-2011-1255) zero-day vulnerabilities to deliver a strain of malware dubbed Misdat.
“Very little public information was available throughout 2010 on this threat, despite the group’s primary backdoor gaining some level of prominence in targeted Asian attacks,” states the report published by Cylance. “It wasn’t until June 2011 that Operation Dust Storm started to garner some notoriety from a series of attacks which leveraged an unpatched Internet Explorer 8 vulnerability, CVE-2011-1255, to gain a foothold into victim networks.”
In October 2011, the hackers focused on gathering intelligence about the Libyan crisis following the death of Muammar Gaddafi. In 2012, the group leveraged an Internet Explorer zero-day (CVE-2012-1889) in its cyber espionage campaigns.
Experts at Cylance noticed a significant reduction in Operation Dust Storm activity in March 2013, after the publication of Mandiant’s analysis of the Chinese APT group dubbed APT1.
In February 2014 the group behind Operation Dust Storm reappeared, launching a series of attacks that leveraged a new Internet Explorer zero-day exploit (CVE-2014-0322) in watering hole attacks.
The researchers at Cylance have no doubt that attacks against Japanese critical infrastructure will increase rapidly in the future.
“However, our team believes that attacks of this nature on companies involved in Japanese critical infrastructure and resources are ongoing and are likely to continue to escalate in the future.” Cylance concluded.
Use of acid and lasers to access data stored on iPhones
24.2.2016 Apple
While Apple is refusing to support the FBI in the case of the San Bernardino shooter, Snowden says the FBI can use a decapping technique to crack iPhones.
Over the last few days there has been a huge debate between Apple and the FBI over access to San Bernardino terrorist Syed Farook’s iPhone. The FBI demands that the phone be hacked with Apple’s assistance so that the agency obtains full access to the data on Farook’s iPhone; Apple rejects the demand, citing the protection of the privacy of all iPhone users. Moreover, Apple publicly announced its refusal of the court order, since providing such access would create a backdoor into Apple products, which in turn would give experts and criminals unrestricted access to Apple customer data and open the opportunity to spy on Apple users by intercepting phone calls and text messages and tracking their location through GPS.
The current debate has turned into an argument between Apple’s digital rights and the protection of its clients’ privacy on one side and, on the other, the FBI’s argument concerning Farook’s possible links to terrorist networks and the future prevention of terrorist plots, declaring that security and justice are more significant concerns than privacy (Ghosh, 2016).
According to FBI statements, access to the data on the San Bernardino terrorist Syed Farook’s iPhone 5c is only possible with Apple’s assistance in creating a backdoor, because the FBI had already tried other methods: it returned the iPhone to its home Wi-Fi network, aiming to have the perpetrator’s data backed up automatically to iCloud, but without success because Farook seemed to have disabled the automatic update function. Another unsuccessful FBI technique was the attempt to access Farook’s iCloud account by resetting his Apple ID; however, the reset triggered an Apple security measure that prevented the backup of the iPhone data.
But Edward Snowden, the former NSA whistleblower, thinks otherwise. According to him, the FBI is not limited to this way of accessing the content of Farook’s iPhone 5c; instead, the FBI can rely on the use of acid and lasers to access the iPhone data with no need for Apple to hack the iPhone.
“The problem is, the FBI has other means… They told the courts they didn’t, but they do. The FBI does not want to do this,” said Snowden.
The mechanism proposed by Snowden is well known as “chip decapping” (Ghosh, 2016).
Process of chip decapping
Chip decapping is a method in which the main processor chip is physically processed to extract its contents. The first step is to use acid to remove the chip’s encapsulation, followed by drilling down into the chip with a laser in order to expose the portion of the memory that holds the iPhone’s unique ID, the so-called UDID data.
The next step is to place tiny probes on the spot where the data is, in order to read out the UDID bit by bit together with the algorithm used to unscramble it. After extracting this information, the FBI can transfer it to a supercomputer so that the missing passcode can be recovered by trying all probable combinations until one unlocks the phone’s data. Furthermore, because the mechanism is carried out outside iOS, the danger that the data will be wiped or self-destruct is limited. Of course, this method also has weaknesses, the most significant being that a minor mistake during its implementation can destroy the chip, which in turn means that all access to the phone’s data is permanently lost (Goodin, 2016).
Infrared laser glitching
In an interview conducted by the media (ABC News) with an independent researcher, the decapping technique was discussed; the interviewee shared the opinion that this method would have doubtful success against an iPhone and would likely result in permanent loss of the content.
In addition, the interviewee suggested that the use of infrared laser glitching would be a better option because the chance of losing the data is slightly reduced. The method involves slightly piercing the chip and then accessing the UID data through an infrared laser (Goodin, 2016).
Furthermore, this particular method proved effective in the past when hardware hacker Chris Tarnovsky conducted an attack that damaged the microcontroller and disabled the lockdown of the Xbox 360 game console. To perform his attack, Tarnovsky used an electron microscope, well known as an ion beam workstation, which enabled him to examine the chip at the nanometer scale. As a result, he was able to manipulate and control its individual wires using microscopic needles. Therefore, such methods are technically doable against an iPhone, but they lack practicality because the probability of destroying the hardware forever is significantly high and these mechanisms are immensely demanding to use (Goodin, 2016).
The federal magistrate judge has ordered Apple to produce software that will work against all older iPhones that lack the newer modifications. This new software would allow an update even when an iPhone uses “secure enclave” protections; in other words, the software would have functions to bypass the secure enclave protections. The only thing Apple would need to do is change the digital signature, at very little cost, so that the software can run on different devices (Goodin, 2016).
Dangerous tricks of cybercriminals
24.2.2016 Hacking
Cybercriminals are constantly looking for new ways to get into people's PCs. Often they are not only after sensitive data; elaborate scams earn them big money.
The internet is a very useful tool, but at the same time it is a very dangerous “playground”. According to security experts, thousands of new viruses are created every day, and cybercriminals spread them precisely through this worldwide computer network.
And cybercriminals are becoming ever more inventive in spreading them. They carefully watch which topics interest users on the internet the most and then focus on those. Recently, for example, “previously unpublished sensational videos” of various celebrities have been spreading across the worldwide network. To play them, however, an update of the player is supposedly required. Instead of the update, people download a virus to their computer.
This uninvited guest works unnoticed on the infected machine. It does not try to obtain user data or eavesdrop on passwords. Its main task is to use the computing power of the system, which helps the attackers mine virtual currency that they then exchange for real cash. The more computers they enslave this way, the faster they earn.
Mobile phones are a gold mine
A similar uninvited guest does not have to settle only in a computer; nowadays cybercriminals can enslave a smartphone without much difficulty. Such a catch is a veritable gold mine for them.
Most bank accounts are protected against unauthorized withdrawals precisely through mobile phones, using SMS messages. Once cybercriminals get into a smartphone, the bank account is literally within their reach.
For example, attackers use spam to urge internet banking clients to install a “security application” on their mobile phone. In reality, this is not a security application but a message generated by a virus in the computer. Most antivirus programs should be able to deal with it during a thorough scan.
Facebook account was abused
Cybercriminals are trying to lure login credentials using the social network Facebook. They send unsolicited e-mails in which they pose as Facebook's security service (Facebook Security). “Our system has received reports from other users about misuse of your account, because of which the account will be deactivated. You can confirm your account at supportinc16xat.ua. If you do not confirm, your account will be automatically shut down permanently,” the fraudsters claim in the spam message.
The problem arises when users actually click on the attached link. “This is an attempt to lure login credentials from users. The link in the message leads to a phishing page demanding Facebook login credentials,” Pavel Bašta, security analyst of the CSIRT.CZ team, warned of the new threat.
Sample of the unsolicited e-mail in which fraudsters fish for Facebook login credentials.
Users can recognize at first glance that the message is fraudulent. It contains a number of errors, and some sentences are understandable only with a great deal of wit. On the other hand, a Facebook Security page really does exist on the social network and is even verified. Of course, it has nothing to do with the fraudsters; they merely borrowed its name.
The Facebook Security page informs users about current threats and correct account settings. That is precisely why some users might be easily fooled by the fraudulent e-mail.
Flash Player update is scareware
Users of Apple computers should be on their guard in recent days. A malicious virus is spreading across the internet like an avalanche, posing as an update of the popular Flash Player program for the Mac OS X operating system.
In reality it is so-called scareware. “It then tries to persuade the user to call a support line under the pretext of resolving an alleged technical problem,” warned Bašta of the CSIRT team, which is operated by the CZ.NIC association.
The virus poses as an update of the popular Flash Player program.
Of course, there are no real technical support pages involved. The scareware redirects the user to a fraudulent website containing further threats. That is how further uninvited guests get into the computer.
Viruses of the scareware family practically always work like this. They try to give the user the impression that something is wrong with their computer and, instead of real help, redirect them to fraudulent pages. In such situations people's negative emotions usually grow, they feel that something is wrong with their machine, and they are not as attentive; they then easily let further malicious viruses into their PC.
At present, the fake Flash Player update is spreading exclusively on machines running Apple's Mac OS X. It is not ruled out, however, that an identical threat targeting Windows or Linux users will appear in the near future.
Unusual activity in internet banking
Česká spořitelna has warned of new fraudulent e-mails that have been spreading across the internet in recent days. In them, fraudsters pose as staff of the Servis24 internet banking service and claim that unusual activity has been detected on the user's account.
In reality, they are merely trying to lure login credentials. “We have detected unusual activity in your account. For your own safety we recommend: log in to Servis24 and immediately report any unauthorized activity,” the fraudsters urge in the phishing message.
Sample of the new fraudulent message
If the gullible actually click the link in the message, they arrive at fraudulent pages resembling the real Servis24 internet banking. “Through the fraudulent message, the fraudsters are trying to lure your login credentials on a fake login page,” warned representatives of Česká spořitelna.
“Be very cautious with e-mails from unknown sources. If you suspect you have received a fraudulent e-mail, do not respond to it and under no circumstances click on the link that is part of the fraudulent message. If you have already clicked the link and filled in the requested data, immediately contact the Česká spořitelna client line on the toll-free phone number 800 207 207,” the bank's representatives added.
An alleged voice message can block antivirus
The whole attack practically always follows the same scenario. The user receives an e-mail that at first glance looks as if it had been sent directly from Facebook. More attentive recipients may notice, however, that the e-mail address is different and usually on a completely different domain.
But nowadays cybercriminals can disguise the sender without much difficulty. It is therefore not ruled out that fraudulent messages whose legitimacy cannot be verified by the sender will appear in the coming days.
The user receives an e-mail that at first glance looks as if it had been sent directly from Facebook. (Illustrative photo)
In the fraudulent message, cybercriminals claim that the user has received a new audio message on Facebook. It is supposedly stored in an archive attached to the e-mail. In reality, however, it hides dangerous malware, which the recipient activates by opening the archive.
This uninvited guest can wreak havoc in the computer. It blocks the firewall and even some antivirus programs, and at the same time prevents the user from accessing the websites of security software vendors. In this way, attackers can smuggle more and more viruses into computers without the user noticing. Because of the blocked security programs, most people have a false sense of security.
They promise the gullible money, then rob them
The internet is literally flooded with contests whose main prize is supposed to be vouchers for shopping at well-known domestic stores. The catch is that people get no money. Instead, they lose money. It starts quite innocently.
An advertisement appears in the browser luring with vouchers worth thousands of crowns, for example for Penny Market. Every user can win six or 12 thousand crowns after answering three simple questions.
Offer of a Penny Market coupon worth CZK 6,000.
To claim the prize, the user then has to fill in their name and phone number and call a “customer” line to collect the reward. That is where the catch lies: a minute of the call costs CZK 50, which, after all, the “prize” offer itself points out in small print. The operators of this service thus protect themselves against possible attempts by people to get their money back.
Penny Market itself warns on its Facebook page that this is in fact a scam. Dissatisfied customers who receive a hefty phone bill turn precisely to that page. “We are not organizing any contest for a gift card worth CZK 6,000! If you get to a website that looks like this (image on the left), it is a scam,” warned Penny Market's representatives.
Penny Market is not the only store to appear in the contests. Vouchers worth CZK 12,000 are also offered for Billa, Lidl and Tesco.
IRS is warning taxpayers of a new surge in tax-related incidents
23.2.2016 Incident
It is a nightmare for taxpayers: according to an IRS bulletin, there is a 400 percent surge in tax-related phishing and malware incidents.
This year the IRS has already reported 1,026 malware and phishing incidents, compared to 254 at this time last year.
The IRS is warning taxpayers of newer forms of attacks that aim to trick victims into disclosing credentials for third-party tax preparation service accounts.
“The Internal Revenue Service renewed a consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season.” states the bulletin. “The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics. E-mails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.”
The IRS Commissioner John Koskinen used the adjective “dramatic” to describe this surge in tax-related incidents inviting taxpayers to watch out for scammers.
“This dramatic jump in these scams comes at the busiest time of tax season,” said Koskinen. “Watch out for fraudsters slipping these official-looking emails into inboxes, trying to confuse people at the very time they work on their taxes. We urge people not to click on these emails.”
Threat actors are very interested in using the tax season as a lure. In a common attack scenario, victims receive an email containing links to the domain used to serve malware. In other cases, the attackers used emails with attachments that include documents embedding malicious macros. Once the victim opens the document, the macro drops malware on the victim’s machine, including dreaded ransomware like CryptoLocker, TeslaCrypt and Locky.
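The “Facebook Security”, Servis24 and audio-message scams above and the IRS e-mails described here share one tell: the display name claims a brand, while the sender address and the links point somewhere else. The following added example (not code from any of the articles) runs that sender/link consistency check over constructed sample messages; the brand allow-list, the sender domains and the pressure-word list are assumptions.

```python
"""Added example: flag brand-impersonation e-mails by checking that the
sender domain and every linked host belong to the brand named in the
display name or subject.  Allow-list and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand legitimately mails from or links to.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "servis24": {"csas.cz", "servis24.cz"},
    "irs": {"irs.gov"},
}
# Bare hostnames count too: the Facebook spam quoted in the article links to
# "supportinc16xat.ua" without any http:// scheme.
HOST_RE = re.compile(r"(?:https?://)?\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Pressure language typical of the quoted messages (constructed list).
URGENCY_RE = re.compile(r"deactivat|permanent|immediately|unusual activity", re.I)


def registered_domain(host: str) -> str:
    """Last two labels; good enough here, no public-suffix list (co.uk etc.)."""
    return ".".join(host.lower().split(".")[-2:])


def claimed_brands(text: str):
    """Brands named as whole words in the display name or subject."""
    return [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text, re.I)]


def analyze(raw: str):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    body = msg.get_payload()  # the samples are single-part text messages
    findings = []
    for brand in claimed_brands(f"{display} {msg.get('Subject', '')}"):
        allowed = BRAND_DOMAINS[brand]
        if sender not in allowed:
            findings.append(f"claims {brand} but sender domain is {sender}")
        for dom in sorted({registered_domain(h) for h in HOST_RE.findall(body)}):
            if dom not in allowed:
                findings.append(f"claims {brand} but links to {dom}")
    if URGENCY_RE.search(body):
        findings.append("pressure language (deactivation / act immediately)")
    return findings


# Constructed samples.  The sender domains are invented; the link in the first
# one is the domain quoted in the article.
FACEBOOK_SECURITY_SPAM = (
    "From: Facebook Security <noreply@mail-notice.example>\n"
    "Subject: Your account will be deactivated\n"
    "\n"
    "Our system received reports from other users about misuse of your account.\n"
    "Confirm your account at supportinc16xat.ua. If you do not confirm, your\n"
    "account will be permanently disabled.\n"
)
SERVIS24_SPAM = (
    "From: Servis24 <info@servis24-overeni.example>\n"
    "Subject: Unusual activity on your account\n"
    "\n"
    "We have detected unusual activity in your account. For your own safety log in to\n"
    "Servis24 and immediately report any unauthorized activity:\n"
    "https://servis24-overeni.example/login\n"
)
LEGIT_FACEBOOK = (
    "From: Facebook <notification@facebookmail.com>\n"
    "Subject: New login to your account\n"
    "\n"
    "Review it at https://www.facebook.com/security\n"
)

if __name__ == "__main__":
    for name, sample in [("facebook spam", FACEBOOK_SECURITY_SPAM),
                         ("servis24 spam", SERVIS24_SPAM),
                         ("legit", LEGIT_FACEBOOK)]:
        print(name, "->", analyze(sample) or ["no findings"])
```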
These are the alarming statistics provided by the IRS:
There were 1,026 incidents reported in January, up from 254 from a year earlier.
The trend continued in February, nearly doubling the reported number of incidents compared to a year ago. In all, 363 incidents were reported from Feb. 1-16, compared to the 201 incidents reported for the entire month of February 2015.
This year’s 1,389 incidents have already topped the 2014 yearly total of 1,361, and they are halfway to matching the 2015 total of 2,748.
IRS services have recently been abused by crooks to target taxpayers: in May 2015 the Internal Revenue Service was breached by hackers who “used an online service provided by the agency” to access data for more than 100,000 taxpayers. The IRS issued an official statement on the incident and specified that the compromised system was “Get Transcript.” The Get Transcript service could be used by taxpayers to obtain a transcript online or by mail in order to view their tax account transactions.
In August 2015, the Internal Revenue Service disclosed a new review of its systems, revealing that 334,000 taxpayers (more than three times its initial estimate) may be affected by the hack it announced in May.
A couple of weeks ago the IRS detected unauthorized attempts using roughly 464,000 unique SSNs, and 101,000 of those attempts allowed the crooks to generate PINs.
The U.S. Internal Revenue Service confirmed that cyber criminals abused the Electronic Filing PIN application running on irs.gov, which allows taxpayers to generate a PIN they can use to file tax returns online.
Ricochet — Most Secure Peer-to-Peer Encrypted Messenger that Sends No Metadata
23.2.2016 Safety
There are several encrypted messaging apps for mobile and desktop platforms that ship with a “The Most Secure” tagline but end up de-anonymizing the real identity of their users in one way or another.
In fact, very few encrypted messaging apps available today deal with the core problem of metadata.
The majority of apps offer end-to-end encryption that keeps the content of your messages away from prying eyes, but your metadata is still accessible to them, which is enough to know who you really are and who you are talking to.
But one messenger app stands out from the crowd by providing superb anonymity to its users, and it is dubbed “Ricochet.”
Ricochet is a peer-to-peer instant messaging system available for Windows, Mac and Linux, and you can trust it as the app has already cleared its first professional security audit, carried out by the cyber security company NCC Group.
What's so Promising about Ricochet?
Unlike other encrypted messaging clients, Ricochet makes use of Tor hidden services in an effort to maintain its users’ anonymity.
With the help of hidden services, a user's traffic never leaves The Onion Router (Tor) network, which makes it much harder for prying eyes or any attacker to see where the traffic is going or coming from.
Peer-to-Peer Connection: No Servers! No Operators!
Ricochet does not trust anyone with maintaining the privacy of its users; thus, the developers have implemented their app with no server or operator that could be compromised and expose your personal details.
“The concept with Ricochet is: how can we do messaging without any server in the middle—without trusting anything to forward your messages to your contacts,” stated John Brooks, the Ricochet project’s maintainer.
"That turns out to be exactly one of the problems that hidden services can solve: to contact someone, without anybody in the middle knowing who you are or who you're contacting."
Here's How Ricochet Works
Ricochet is cross-platform and very easy to use, even for non-technical users.
Your Username: A Unique .Onion Address
Every Ricochet client hosts a Tor hidden service, and once you sign up for Ricochet, that hidden service is actually your Ricochet ID: a unique .onion address.
Only someone who has this .onion address can contact you and send messages, which means your contacts connect to you through Tor and not through any intermediate server, making it much harder for anyone to learn your real identity from your address.
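What makes such an address usable as an identity is that it is derived from the hidden service's own key pair, so nobody can answer for it without the private key. The following added illustration (not Ricochet's code) shows that derivation for the v2 onion addresses Tor used at the time: the first 80 bits of SHA-1 over the DER-encoded RSA public key, base32-encoded into the 16-character name that Ricochet prefixes with `ricochet:`. The modulus used is a constructed number, not a real key.

```python
"""Added illustration (not Ricochet's own code): how a Tor v2 hidden-service
address, and hence a Ricochet ID, is bound to the service's RSA key.
The demo modulus is a constructed number, not a real RSA key."""
import base64
import hashlib
import re

# Ricochet contact IDs: the "ricochet:" prefix plus a 16-char base32 onion name.
RICOCHET_ID_RE = re.compile(r"^ricochet:([a-z2-7]{16})$")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal big-endian, with a leading 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(content)) + content


def onion_address_v2(n: int, e: int) -> str:
    """Tor v2 onion name: base32(SHA-1(DER(RSAPublicKey))[:10]), lower case.

    10 bytes = 80 bits = exactly 16 base32 characters, so no '=' padding."""
    digest = hashlib.sha1(rsa_public_key_der(n, e)).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def ricochet_id(n: int, e: int) -> str:
    """Contact ID as shown to users: 'ricochet:' + the onion name."""
    return "ricochet:" + onion_address_v2(n, e)


def parse_ricochet_id(contact: str):
    """Return the 16-char onion name from a contact ID, or None if malformed."""
    m = RICOCHET_ID_RE.match(contact)
    return m.group(1) if m else None


# Constructed 1024-bit odd modulus (NOT a real key) and the usual exponent.
DEMO_N = (1 << 1023) | 0x10001
DEMO_E = 65537

if __name__ == "__main__":
    print(ricochet_id(DEMO_N, DEMO_E))
    # Flipping a single bit of the key yields an unrelated ID: an impostor who
    # does not hold the private key cannot present someone else's address.
    print(ricochet_id(DEMO_N | 0x2, DEMO_E))
```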
Ricochet Creates Huge Spike in Hidden Addresses
Security researcher Alan Woodward has noticed an unprecedented spike in the number of unique .onion hidden addresses on the Tor network in the month of February.
The statistics shared by the Tor Project show that the number of unique .onion sites increased by more than 25,000 within 2-3 days.
The researcher believes that this sudden rise could be due to the popularity of Ricochet, which creates a unique .onion address for every registered user.
Your Messages: End-to-End Encrypted By Default
Besides this, Ricochet also encrypts the contents of your messages by default.
So, to start chatting with someone over Ricochet, you first need to know their unique Ricochet ID, which is auto-generated at the time of the Ricochet installation.
Moreover, once the connection is terminated by either the sender or the receiver, the remaining party is no longer able to communicate with or send messages to the other.
Ricochet Takes Your Security Seriously
The audit by NCC Group discovered a security flaw that could be exploited to deanonymize users, but the good news is that the issue has been resolved in the latest release, Ricochet 1.1.2.
The security vulnerability was independently discovered by a member of the Ricochet community.
Ricochet has been around since 2014 and is now far more secure than any other existing encrypted messaging app. But the app is still in the dogfooding stage, as Brooks referred to the “Be Careful” statement on the project’s official website:
"Ricochet is an experiment. Security and anonymity are difficult topics, and you should carefully evaluate your risks and exposure with any software."
Download Now!
Brooks has already set up a way to report vulnerabilities publicly.
Currently, the app runs on desktop platforms including Windows, Mac and Linux, and we can expect a mobile version of the app in the future.
You can download Ricochet for your desktop here.
For now, Brooks is looking to get funding from the open source community for the further development of Ricochet itself, such as implementing a file-sharing feature.
Pay-by-Selfie – MasterCard is replacing the customer password with his selfie
23.2.2016 Security
MasterCard announced the extension of its ‘pay-by-selfie’ facial recognition technology to 14 countries this summer, which means no more passwords.
The giant multinational financial services corporation MasterCard announced the extension of its ‘pay-by-selfie’ facial recognition technology to 14 countries this summer. In October, Mastercard announced the creation of a new payment method based on the Identity Check app, which lets users complete financial transactions by using their face.
Mastercard wants to increase security with biometric technology and improve the user experience, making it easy to authenticate users for ordinary operations like payments.
“As the world gets increasingly digital, this will be the next wave of technology that will change the consumer experience of shopping digitally,” Ajay Bhalla, president of enterprise security solutions for MasterCard, told USA Today. “It’s all part of our role in making commerce available anywhere, any time, on any digital device.”
How does it work?
The ‘pay-by-selfie’ facial recognition technology is simple to use: a customer only needs to download the Identity Check app. When a merchant needs to identify the user before a purchase, the customer gets a push notification on their mobile device that triggers the mobile app. At this point, it is enough to take a selfie to authorize the purchase.
Mastercard conducted tests in several countries before introducing the technology, and now considers it mature enough to be introduced in strategic markets like the British one.
The technology will drastically reduce the risk of identity fraud because it will be harder for hackers to take a victim’s picture without the user’s interaction. Data provided by Get Safe Online revealed that the top 10 internet fraud campaigns between September 2014 and August 2015 cost the UK over £268 million.
The company is proud to have reduced the attack surface: customers no longer rely on typing passwords that could easily be phished by fraudsters.
I had no opportunity to test the technology, but the first attack scenario that I have in mind is the infection of a mobile device with malware that is able to steal a customer's selfie and submit it stealthily when a transaction must be authorized. Such malware needs to have access to the camera, the local storage and the applications, and needs the ability to intercept the push notifications.
Mastercard is investing in biometric authentication, including iris and voice recognition technologies; the most advanced studies are pushing the use of the heartbeat via a connected bracelet device.
According to Fortune, other banks are introducing biometric technology to improve the security of their customers: HSBC is working on voice recognition and touch identification, while Barclays introduced voice recognition to its private banking division in 2013.
Mobile malware evolution 2015
23.2.2016 Source: Kaspersky Mobile Virus
The year in figures
In 2015, Kaspersky Lab detected the following:
2,961,727 malicious installation packages
884,774 new malicious mobile programs – a threefold increase from the previous year
7,030 mobile banking Trojans
Trends of the year
Rise in the number of malicious attachments the user is unable to delete.
Cybercriminals actively using phishing windows to conceal legitimate apps.
Growth in the volume of ransomware.
Programs using super-user rights to display aggressive advertising.
Increase in the quantity of malware for iOS.
Main methods of monetization
Mobile malware continues to evolve towards monetization, with malware authors trying to ensure their creations are capable of making money from their victims.
Stealing money from user bank accounts
Mobile Trojans targeting user bank accounts continue to develop – in 2015, we detected 7,030 new mobile banking Trojans. Some malicious mobile programs work in combination with Windows-based Trojans to capture mTAN passwords (one-time passwords used in two-factor authentication) that are used for authorizing bank transactions. Many of the other mobile programs used to steal money from user bank accounts operate independently.
Some mobile malware is capable of overlaying the on-screen display of a legitimate banking app with a phishing window that imitates the app. The most notable examples of this type of program are Trojan-SMS.AndroidOS.OpFake.cc and the representatives of the Trojan-Banker.AndroidOS.Acecard family. One of the OpFake.cc modifications can imitate the interface of more than 100 legitimate banking and finance apps. The Acecard family can imitate at least 30 banking apps and also has functionality to overlay any app that the C&C server commands.
In Q2 2015, we wrote about Trojan-Spy.AndroidOS.SmsThief.fc whose malicious code was embedded in a legitimate banking app without affecting its performance. This meant it was highly unlikely a user would notice the malware.
The authors of mobile malware are taking an increasingly integrated approach to stealing money: it is no longer limited to special banking Trojans targeting banking apps.
An example of this approach is Trojan-SMS.AndroidOS.FakeInst.ep. What the users see is a message, purportedly from Google, demanding that they open Google Wallet and go through an ‘identification’ procedure that involves entering their credit card details (one of the reasons given is the need to combat cybercrime). The window cannot be removed until the victim enters their credit card details.
Once users enter the required data, it is sent to attackers, and the window closes. Meanwhile, the Trojan continues to steal information and send additional information to its owners about the smartphone and its user.
Against a background of slowing growth in the number of specialized banking Trojans, the total number of apps that can steal money from users is growing. This comes at a time when banking Trojans are becoming more sophisticated and versatile – they are often capable of attacking customers of dozens of banks located in a variety of countries. This means cybercriminals do not need lots of different files to attack the customers of different banks.
Ransomware
The number of Trojan-Ransom families doubled in 2015 compared to the previous year, while the number of detected modifications increased 3.5 times. This means some criminals are switching to ransomware to steal money, and those who were already doing so are continuing to create new versions of the malware. Yet another key indicator confirming the importance of this class of threat is the number of people who were attacked: in 2015, this figure increased fivefold.
In most cases when these Trojans block a device, the user is accused of committing some alleged misdemeanor, and has to pay to unblock the device – the ransom can range from $12 to $100. The blocked device is rendered inoperable – the user only sees a window with the ransom demand. Some Trojans are capable of overlaying system dialog boxes, including those used to switch off the phone.
The window opened by Fusob
At the end of the year we detected several Trojan downloaders that downloaded Trojan-Ransom.AndroidOS.Pletor onto the system. These Trojan downloaders exploit vulnerabilities in the system to gain super-user privileges on the device and install the Trojan-Ransom malware in the system folder. Once installed, this Trojan is almost impossible to remove.
SMS Trojans remained a serious threat, particularly in Russia. These programs send paid text messages from an infected device without the user being aware. Although their share in the overall flow of mobile threats continues to decline, the number of SMS Trojans in absolute terms remains substantial.
Some SMS Trojans are not limited to sending text messages to premium numbers; they can also sign the user up to paid subscriptions. In 2015, we kept track of how Trojan-SMS.AndroidOS.Podec – still one of the most popular Trojans among cybercriminals – was developing. This Trojan boasts an unusual feature: its main method of monetization is paid subscriptions. It is capable of bypassing CAPTCHA, and its latest modifications have “lost” the ability to send text messages, as its creators have focused on subscriptions.
Aggressive advertising
In 2015, we recorded an increase in the number of programs that use advertising as the main means of monetization. The trend of the year was Trojans using super-user privileges. In the first quarter of 2015, the mobile malware TOP 20 contained just one Trojan of this type; by the end of the year they made up more than half of the rating. Despite the fact that these Trojans are designed to download and install advertising applications without the user’s knowledge, they can cause a lot of problems. Once installed, they try to root the device and install their own components in the system making them difficult to remove. Some of them remain on a smartphone even after resetting to factory settings. As a result, the user is inundated with annoying ads on the device. They can also install lots of other programs, including malware, on the device without the user being aware. There have been cases of this type of program being distributed in the official firmware of devices or being pre-installed on new phones.
Malware in official stores
In early October 2015 we came across several Trojans in the official Google Play Store that stole user passwords from the Russian social network VKontakte. These were Trojan-PSW.AndroidOS.MyVk.a and Trojan-PSW.AndroidOS.Vkezo.a. About a month later we detected a new modification of the Trojan Vkezo which was also distributed via Google Play Store. The attackers published these Trojans 10 times in the official app store under different names over a period of several months. The number of downloads for all versions of these Trojans was put at between 100 000 and 500 000. Yet another Trojan detected in Google Play Store was Trojan-Downloader.AndroidOS.Leech; it was also downloaded between 100 000 and 500 000 times.
Malware for iOS
In 2015, the number of malicious programs for iOS increased 2.1 times compared to 2014.
The recent emergence of malicious apps in the App Store once again demonstrated that, contrary to popular belief, iOS is not invulnerable to malware. The attackers did not hack the App Store; instead they posted on the Internet a malicious version of Apple’s Xcode, the free set of tools that developers use to create applications for iOS.
Apple’s Xcode is officially distributed by Apple, but it is unofficially spread by third parties. Some Chinese vendors prefer to download the development tools from local servers. Someone posted an Xcode version containing malicious XcodeGhost on a third-party server in China. Malicious code is embedded in any application compiled using this version of Xcode.
XcodeGhost infected dozens of applications. Initially it was thought that 39 infected apps had bypassed Apple’s review procedure and had been successfully published in the App Store. The most popular of them was WeChat, a free messenger installed on more than 700 million user devices. Apple removed the infected apps. However, the trojanized version of Xcode was available for about six months, so the total number of infected applications might be much higher, not least because the source code for XcodeGhost was published on GitHub.
In early June, Trojan.IphoneOS.FakeTimer.a, a malicious program for iPhone, was detected. The Trojan targets users in Japan and can be installed on any iPhone because the attackers used an enterprise certificate to sign it. The malicious program uses phishing techniques to steal money. A similar version of the Trojan for Android – Trojan.AndroidOS.FakeTimer.a – has already been around for several years.
Statistics
In 2015, the volume of mobile malware continued to grow. From 2004 to 2013 we detected nearly 200,000 samples of malicious mobile code. In 2014 there were 295,539 new programs, while the number was 884,774 in 2015. These figures do not tell the whole story because each malware sample has several installation packages: in 2015, we detected 2,961,727 malicious installation packages.
From the beginning of January till the end of December 2015, Kaspersky Lab registered nearly 17 million attacks by malicious mobile software and protected 2,634,967 unique users of Android-based devices.
The number of attacks blocked by Kaspersky Lab solutions, 2015
The number of users protected by Kaspersky Lab solutions, 2015
Geography of mobile threats
Attacks by malicious mobile software were recorded in more than 200 countries.
The geography of mobile threats by number of attacked users, 2015
The number of recorded attacks greatly depends on the number of users in a country. To evaluate the danger of infection by mobile malware in various countries we calculated the percentage of our users who encountered malicious applications in 2015.
TOP 10 countries by the percentage of attacked users
Country % of attacked users*
1 China 37
2 Nigeria 37
3 Syria 26
4 Malaysia 24
5 Ivory Coast 23
6 Vietnam 22
7 Iran 21
8 Russia 21
9 Indonesia 19
10 Ukraine 19
* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** The percentage of attacked unique users as a percentage of all users of Kaspersky Lab mobile security products in the country
China and Nigeria topped the ranking, with 37% of users of Kaspersky Lab mobile security products in those countries encountering a mobile threat at least once during the year. Most of the attacks on users in Nigeria were carried out by advertising Trojans such as the Ztorg, Leech and Rootnik families that make use of super-user privileges, as well as by adware.
In China, a significant proportion of the attacks also involved advertising Trojans, but the majority of users encountered the RiskTool.AndroidOS.SMSreg family. Careless use of these programs can lead to money being withdrawn from a mobile account.
Types of mobile malware
Over the reporting period, the number of new AdWare and RiskTool files detected grew significantly. As a result, their share in the distribution of new mobile malware by type also increased noticeably – from 19.6% and 18.4% to 41.4% and 27.4%, respectively.
Distribution of new mobile malware by type in 2014 and 2015
When distributing adware programs, rather primitive methods are used to attract users’ attention to the advertisements: apps are created using the icons and names of popular games or useful programs. Of course, there are lots of popular games and legitimate applications, so a lot of fake advertising apps can be generated. The more fake applications that are used, the more effective the monetization of click activity is. Yet another way of distributing adware is by embedding an advertising module in a legitimate application. This can be done by the author of the application as well as by those who want to make money by exploiting an app’s popularity: when the advertising module is embedded in a clean app without the author’s knowledge, the profits from advertising go to those who added the advert, not to the author. Unlike fake apps, such a repackaged app does contain some useful functionality.
The growth in the volume of adware is caused by the increasing competition among developers of these programs. The legitimate programs that use various advertising modules are often too aggressive. Increasingly, advertising modules are delivering as much advertising as possible to the user in a variety of ways, including the installation of new adware programs. Sometimes the adware programs installed on a device can make it almost impossible to use because the user is constantly fighting with advertising windows.
RiskTool programs are especially popular in China. This is because SMS payments for content are very popular in the country. Almost any game that includes so-called internal purchases (for additional levels of a game, for example) contains an SMS payment module. In most cases, the user is notified about the potential risks associated with such purchases, but we also consider it necessary to inform our users about the risks. Because the games in question are popular, the number of RiskTool applications is constantly increasing. The main contributor to that growth was the RiskTool.AndroidOS.SMSReg family of programs.
Although AdWare and RiskTool programs do not cause direct harm to users, they can be very irritating, while RiskTool programs installed on mobile devices can lead to financial losses if used carelessly or manipulated by a cybercriminal.
The proportion of SMS Trojans in the overall flow of mobile threats decreased almost 2.4 times – from 20.5% to 8.7%. However, in 2015 we detected even more new SMS Trojans than in 2014. Activity by this type of malicious program dropped drastically in mid-2014. This was the result of an AoC (Advice-of-Charge) system being introduced by Russian operators that led to a reduction in the number of so-called affiliate programs distributing SMS Trojans, the majority of which targeted users in Russia.
Top 20 malicious mobile programs
Please note that the ranking of malicious programs below does not include potentially unwanted programs such as RiskTool or AdWare.
Name % of all attacked users*
1 DangerousObject.Multi.Generic 44.2
2 Trojan-SMS.AndroidOS.Podec.a 11.2
3 Trojan-Downloader.AndroidOS.Leech.a 8.0
4 Trojan.AndroidOS.Ztorg.a 7.6
5 Trojan.AndroidOS.Rootnik.d 6.9
6 Exploit.AndroidOS.Lotoor.be 6.1
7 Trojan-SMS.AndroidOS.OpFake.a 5.6
8 Trojan-Spy.AndroidOS.Agent.el 4.0
9 Trojan.AndroidOS.Guerrilla.a 3.7
10 Trojan.AndroidOS.Mobtes.b 3.6
11 Trojan-Dropper.AndroidOS.Gorpo.a 3.6
12 Trojan.AndroidOS.Rootnik.a 3.5
13 Trojan.AndroidOS.Fadeb.a 3.2
14 Trojan.AndroidOS.Ztorg.pac 2.8
15 Backdoor.AndroidOS.Obad.f 2.7
16 Backdoor.AndroidOS.Ztorg.c 2.2
17 Exploit.AndroidOS.Lotoor.a 2.2
18 Backdoor.AndroidOS.Ztorg.a 2.0
19 Trojan-Ransom.AndroidOS.Small.o 1.9
20 Trojan.AndroidOS.Guerrilla.b 1.8
* Percentage of users attacked by the malware in question, relative to all users attacked
First place is occupied by DangerousObject.Multi.Generic (44.2%), the verdict assigned to malicious programs detected by cloud technologies. Cloud technologies come into play when the antivirus database contains neither the signatures nor the heuristics to detect a malicious program, but the antivirus company’s cloud already holds information about the object. This is essentially how the very latest malware is detected.
Trojan-SMS.AndroidOS.Stealer.a, which was the TOP 20 leader in 2014, came 28th in 2015.
Four places in the TOP 20 are occupied by Trojans that steal money from mobile or bank accounts as their main method of monetization. They are Trojan-SMS.AndroidOS.Podec.a, Trojan-SMS.AndroidOS.OpFake.a, Trojan.AndroidOS.Mobtes.b and Backdoor.AndroidOS.Obad.f. Trojan-SMS.AndroidOS.Podec.a (11.2%) is in second place. This Trojan remained among the top three most popular mobile threats throughout 2015. To recap, the latest versions of this Trojan no longer send paid text messages. The Trojan is now fully focused on paid subscriptions, making use of CAPTCHA recognition. Trojan-SMS.AndroidOS.OpFake.a (5.6%) in 7th place is another long-term resident of the TOP 20. In 2014 it finished in 8th place and remained in the rating throughout all of 2015.
Yet another Trojan – Trojan-Ransom.AndroidOS.Small.o (1.9%) – blocks the victim’s phone and extorts money to unblock it. This mobile Trojan-Ransom program was very popular at the end of 2015 and became the only ransomware program to make the TOP 20. It first appeared in the ranking in the third quarter of 2015 in 11th place; it came 19th in the overall TOP 20 for 2015. The Trojan mostly spreads as a porn video player and targets Russian-speaking audiences.
More than half (12 out of 20) of the entries in the ranking are Trojans that use aggressive advertising as their primary means of monetization. They are Trojan-Downloader.AndroidOS.Leech.a, Trojan-Spy.AndroidOS.Agent.el, Trojan-Dropper.AndroidOS.Gorpo.a, Trojan.AndroidOS.Fadeb.a, and two modifications each of Trojan.AndroidOS.Guerrilla, Trojan.AndroidOS.Rootnik, Trojan.AndroidOS.Ztorg and Backdoor.AndroidOS.Ztorg. Unlike the usual advertising modules, these programs do not contain any useful functionality. Their goal is to deliver as many adverts as possible to the recipient using a variety of methods, including the installation of new advertising programs. These Trojans can use super-user privileges to conceal their presence in the system folder, from where they are very difficult to dislodge. We have come across such Trojans before, mostly in China. There was a burst of activity by these programs in 2015: most of them targeted users in China, although these Trojans have started being actively distributed worldwide. The code of the Trojans often contained the word “oversea”.
The other two places in the TOP 20 are occupied by Exploit.AndroidOS.Lotoor modifications used to obtain local super-user privileges.
Mobile banking Trojans
In 2015, we detected 7,030 mobile banking Trojans, which is 2.6 times less than in 2014, when 16,586 were detected. It should be noted that although the number of new malware programs fell from the previous year, these programs have become more adept and malign, and the areas of interest among cybercriminals now include banks in numerous countries. Many mobile banking Trojans act independently, without any computer component, and target customers of dozens of banks around the world.
Number of mobile banking Trojans detected by Kaspersky Lab solutions in 2015
56,194 users were attacked by mobile banking Trojans at least once during the year.
Geography of mobile bankers
The number of attacked countries is growing: attacks by mobile banking Trojans were registered in 137 countries and territories worldwide vs 90 countries in 2014.
Geography of mobile banking threats in 2015 (number of users attacked)
Top 10 countries attacked by mobile banking Trojans (ranked by number of users attacked):
Country Number of users attacked
1 Russia 45690
2 Germany 1532
3 Ukraine 1206
4 US 967
5 Kazakhstan 804
6 Australia 614
7 South Korea 527
8 France 404
9 Belarus 380
10 Poland 324
As in the previous year, Russia topped the rating of countries attacked by mobile banking Trojans. Among the newcomers were South Korea, Australia, France and Poland. Lithuania, Azerbaijan, Bulgaria and Uzbekistan left the TOP 10.
Just how popular mobile banking Trojans are with cybercriminals in each country can be shown by the percentage of users who were attacked by these Trojans during the reporting period, relative to all attacked users.
TOP 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users
Country % of all attacked users*
1 South Korea 13.8
2 Australia 8.9
3 Russia 5.1
4 Austria 3.0
5 Belarus 1.9
6 US 1.8
7 Tajikistan 1.7
8 Ukraine 1.6
9 France 1.6
10 Uzbekistan 1.6
* Percentage of users attacked by mobile banking Trojans, relative to all attacked users of Kaspersky Lab’s mobile security products in the country.
A substantial portion of mobile banking attacks in South Korea were carried out by representatives of the Trojan-Banker.AndroidOS.Wroba family. These Trojans are designed to steal the mobile banking credentials of the largest Korean banks as well as mTANs.
In Australia, the Trojan-Banker.AndroidOS.Acecard family was responsible for most infection attempts. This family is a new stage in the evolution of Backdoor.AndroidOS.Torec.a, the first Trojan for Android that made use of Tor. We detected this Trojan at the beginning of 2014, while the first banking modifications appeared in mid-2014. At that time the Trojan was distributed mainly in Russia, and only in 2015 did it begin to spread actively in Australia. One modification, which we detected in November 2015, is able to overlay the interfaces of 24 banking apps with a phishing window. Five of those apps belong to Australian banks, another four each belong to banks based in Hong Kong, Austria and New Zealand, three each to banks in Germany and Singapore, plus the PayPal app. In addition, there are modifications which target banks in the US and Russia.
Phishing windows of the Acecard Trojan
Stealing user logins and passwords by displaying a phishing window instead of the genuine app interface is not a new trick. We first came across it back in 2013 in Trojan-SMS.AndroidOS.Svpeng. In our IT threat evolution in Q1 2015 report we mentioned Trojan-SMS.AndroidOS.OpFake.cc which was capable of attacking at least 29 banking and financial apps. The latest modification of this Trojan can now attack 114 banking and financial apps. Its main goal is to steal the login credentials for bank accounts. It also overlays the windows of several popular mail applications.
In Russia, which ranked third in the TOP 10, Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Marcher were the most popular programs used by attackers. Starting in April, we saw a sharp drop in the number of attempts to infect users with representatives of the Trojan-Banker.AndroidOS.Marcher family. During the five months from April to August, the number of attacks using this Trojan decreased fivefold. It is possible that the cybercriminals were preparing attacks on users in other countries during that time, because until September 2015 activity by this family was limited almost exclusively to Russia. From September, however, about 30% of the attacks using this Trojan targeted users in Australia, Germany and France.
The aforementioned Trojan-Spy.AndroidOS.SmsThief.fc was distributed in Russia. The attackers added their code to the original banking app without affecting its performance, making this Trojan more difficult to detect.
Mobile Trojan-Ransom
In 2015, the number of Trojan-Ransom families doubled compared to 2014. The number of modifications detected during the same period increased 3.5 times, reaching 6,924.
Over the reporting period, mobile ransomware attacked 94,344 unique users which is five times more than in 2014 (18,478). The share of unique users attacked by Trojan-Ransom programs relative to all users attacked by mobile malware increased from 1.1% to 3.8% during the year.
Mobile ransomware attacks were registered in 156 countries and territories at least once during the year.
Geography of mobile ransomware threats in 2015 (number of users attacked)
TOP 10 countries attacked by Trojan-Ransom malware by the number of attacked users:
Country Number of attacked users
1 Russia 44951
2 Germany 15950
3 Kazakhstan 8374
4 US 5371
5 Ukraine 4250
6 UK 2878
7 Italy 1313
8 Spain 1062
9 Iran 866
10 India 757
Russia, Germany and Kazakhstan were the countries attacked most often by ransomware.
In Russia and Kazakhstan, the Trojan-Ransom.AndroidOS.Small family was most active, in particular the modification Trojan-Ransom.AndroidOS.Small.o, the most popular Trojan-Ransom program in 2015.
The Trojan-Ransom.AndroidOS.Pletor family also remained very popular in 2015. Interestingly, this first mobile encryptor Trojan was developed by the same group of cybercriminals as Trojan-Banker.AndroidOS.Acecard.
In Germany, Trojan-Ransom.AndroidOS.Fusob was the most actively distributed family.
Windows opened by the Fusob Trojan
The US came fourth in the ranking. The Trojan-Ransom.AndroidOS.Fusob family was especially popular in the country, although the Trojan-Ransom.AndroidOS.Svpeng family was also actively used.
This ranking depends to a large extent on the number of users in each country, so it is interesting to view a rating that shows the proportion of users attacked by Trojan-Ransom malware relative to all attacked users in the country.
TOP 10 countries attacked by Trojan-Ransom malware – share of users relative to all attacked users in the country.
Country % of all attacked users*
1 Kazakhstan 15.1
2 Germany 14.5
3 US 10.3
4 Canada 8.9
5 Netherlands 8.8
6 UK 8.3
7 Switzerland 6.9
8 Austria 6.4
9 Ukraine 5.9
10 Australia 5.5
* Percentage of users attacked by Trojan-Ransom malware, relative to all attacked users of Kaspersky Lab’s mobile security products in the country
Russia, which accounted for the largest number of attacked users, was not in the TOP 10. The leaders of the ranking were Kazakhstan, Germany and the US.
Conclusion
Despite the fact that the first advertising Trojans exploiting super-user privileges for their own purposes appeared a few years ago, in 2015 their number increased substantially and they started spreading rapidly. In the first quarter of 2015 the most popular threats included just one Trojan of this type, but by the end of the year these programs accounted for more than half of the TOP 20. They are distributed using all available means – via other advertising programs, via app stores – and can even be pre-installed on some devices. The number of advertising Trojans using super-user privileges will most likely continue to grow in 2016.
We have already seen cases when advertising Trojans were used to spread malicious mobile programs. There is every reason to believe that attackers will increasingly use these Trojans to infect mobile devices with malware.
We also came across cases where super-user privileges were utilized by other types of malware, especially ransomware.
Trojan-Ransom malware is likely to continue evolving in 2016. We expect the popularity of these programs among attackers to grow and their global reach to increase.
Another type of Trojan that we intend to continue monitoring closely in 2016 is Trojan-Banker. There are already lots of banking Trojans that do not require additional software on the victim’s computer. These Trojans operate independently, and only need to infect the user’s phone to steal his money. They are able to steal logins and passwords for mobile banking accounts by overlaying the legitimate banking app interfaces with a phishing window. The Trojans can also steal credit card data using phishing windows. In addition, they have functionality to intercept communications between a client and a bank – stealing incoming text messages and forwarding calls to the attacker. In 2016, banking Trojans will attack even more banking institutions and will use new distribution channels and new data theft technologies.
As the functionality of mobile devices and mobile services grows, the appetite of cybercriminals who profit from mobile malware will grow too. Malware authors will continue to improve their creations, develop new technologies and look for new ways of spreading mobile malware. Their main aim is to make money. In these circumstances, neglecting to protect your mobile devices is extremely risky.
Ratopak Trojan – Russian banks under attack
23.2.2016 Virus
Financially motivated actors have tricked employees of at least six Russian banks into installing the Ratopak Trojan; experts have found evidence of an extended hacking campaign.
According to security firm Symantec, a financially motivated cybercriminal gang has targeted employees of Russian banks.
The threat actors have been using a Trojan called Ratopak to gain control over the victim’s machine and exfiltrate data. The experts have spotted several attacks since October. The attack chain starts with fake Central Bank employment emails sent to the staff of Russian financial institutions. To trick victims, the threat actors behind the malicious campaign registered the domain cbr.com.ru, which resembles cbr.ru, the official domain of Russia’s Central Bank.
The domain is referenced in the content of the fake emails and is used by the cybercriminals as a repository for the Ratopak Trojan.
Source: Symantec report
The Ratopak Trojan implements a number of backdoor features, including logging keystrokes and stealing clipboard data.
“Trojan.Ratopak was likely used because it can allow the attacker to gain control of the compromised computer and steal information. The threat can open a back door on the computer and allow the attacker to perform a variety of actions, including logging keystrokes, retrieving clipboard data, and viewing and controlling the screen. It can also be used to download other malicious files and tools. The narrow focus of the attacks and the use of Ratopak could be a hint to what the attackers were after.” states a blog post published by Symantec.
The malware is signed with stolen certificates, and the samples analyzed by Symantec were specifically developed to target Russian or Ukrainian users.
“The threat also checks the language of the compromised computer. If it isn’t Russian or Ukrainian, then the malware stops its attack. Ratopak may also terminate and delete itself if it recognizes that it is being run on a virtual machine or a researcher’s computer.” continues the post.
Researchers said many of the infected computers had been running accounting and document management software designed to allow users to securely exchange documents with government organizations for tax purposes.
The malware experts at Symantec noticed the presence of software developed by the Russian company SBIS running on many of the infected machines. The application developed by SBIS is an accounting application and is referred to as “buh” (“accountant” in Russian). The threat actors inserted the word “buh” into their URLs in an effort to deceive victims who normally work with SBIS software.
“A common link between several of the victims was a piece of software created by SBIS, a Russian company that develops, among other things, accounting and payroll applications. In URLs used by SBIS, their accounting software is referred to as ‘buh’ (buh.sbis.ru/buh/ for example; ‘buh’ is the Russian term for accountant),” states Symantec. “The attackers behind these attacks used ‘buh’ in their URLs, knowing their victims would be running SBIS accounting software. By using this string in their URLs, the attackers can disguise their attack by making their activities look like normal traffic. This approach has led other researchers to label Trojan.Ratopak as ‘Buhtrap’.”
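The two tricks described above, a lookalike domain (cbr.com.ru standing in for the genuine cbr.ru) and a trusted vendor string (“buh”) planted in attacker URLs, both lend themselves to a simple allowlist check over proxy logs. The Python below is an added example, not Symantec’s or the article’s code; the legitimate domains cbr.ru and sbis.ru come from the text, while the log lines are constructed.

```python
from urllib.parse import urlsplit

# Legitimate domains named in the article: Russia's Central Bank and the
# SBIS accounting vendor. Anything else that borrows their names is suspect.
LEGITIMATE_DOMAINS = ("cbr.ru", "sbis.ru")

# Brand strings the attackers reused in their own domains and URL paths.
BRAND_TOKENS = ("cbr", "sbis", "buh")


def is_under(host, domain):
    """True if host is the domain itself or a real subdomain of it.
    A bare suffix test would wrongly accept 'notcbr.ru' for 'cbr.ru'."""
    return host == domain or host.endswith("." + domain)


def classify_url(url):
    """Return 'legitimate', 'lookalike', 'brand_in_path' or 'unrelated'.

    The check is allowlist-based on purpose: 'com.ru' is a public suffix,
    so a naive 'last two labels' rule would treat cbr.com.ru as if it were
    the registrable domain com.ru and miss the impersonation entirely."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if any(is_under(host, d) for d in LEGITIMATE_DOMAINS):
        return "legitimate"
    labels = host.split(".")
    # e.g. cbr.com.ru: the label 'cbr' appears in a host NOT under cbr.ru
    if any(tok in label for label in labels for tok in BRAND_TOKENS):
        return "lookalike"
    segments = [s.lower() for s in parts.path.split("/") if s]
    # e.g. files.example.net/buh/...: vendor string on an unrelated host
    if any(tok in seg for seg in segments for tok in BRAND_TOKENS):
        return "brand_in_path"
    return "unrelated"


# Constructed proxy log lines (not real traffic): "<timestamp> <user> <url>"
SAMPLE_LOG = """\
2015-10-14T09:02:11 accountant1 http://buh.sbis.ru/buh/
2015-10-14T09:05:40 accountant1 http://cbr.com.ru/vacancy/position.doc
2015-10-14T09:07:03 accountant2 http://files.example.net/buh/update.exe
2015-10-14T09:09:58 accountant2 https://www.cbr.ru/today/
2015-10-14T09:12:17 clerk3 http://www.example.org/news
"""


def triage_log(log_text):
    """Return (user, url, verdict) for every line worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of crashing on them
        _ts, user, url = fields
        verdict = classify_url(url)
        if verdict in ("lookalike", "brand_in_path"):
            findings.append((user, url, verdict))
    return findings


if __name__ == "__main__":
    for user, url, verdict in triage_log(SAMPLE_LOG):
        print(f"{verdict:14} {user:12} {url}")
```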
In April 2015, experts at ESET spotted a malware campaign dubbed Operation Buhtrap, a combination of the Russian word for accountant, “Buhgalter”, and the English word “trap”. So far Buhtrap has not been seen anywhere else in the wild, so it is not likely to be widespread. Approximately 88 per cent of targets were located in Russia and ten per cent in Ukraine. Analysts linked the campaign to the Anunak/Carbanak campaign, which also targeted Russian and Ukrainian banks.
“Although we believe it to be a different campaign, it shares some similarities with Anunak/Carbanak in terms of techniques, tactics and procedures it uses.”
The modus operandi of these particular cybercriminals was associated with targeted attacks rather than cyber fraud, which makes this move to financial crime unusual. Their method of delivery is by email using an attached invoice document or a hoax contract.
Experts at Symantec confirmed their suspicions about the motivation of the attackers, who appear to be one of the Russian criminal rings specializing in attacks against banks and financial institutions.
“While there is no conclusive evidence of the attacker’s goal, the attacks appear to be financially motivated. The specificity of the targets – employees at certain banks using accounting software to send the government tax information – certainly points towards this goal,” states Symantec.
Other groups have recently targeted Russian banks; the best known, Carbanak/Anunak, reportedly stole $1 billion from 100 banks worldwide. A few weeks ago Kaspersky uncovered the operation of Carbanak 2.0.
The experts at Kaspersky Lab discovered that the Carbanak cybergang is back and that other groups are adopting similar APT-style techniques to steal money, including the Metel and GCMAN hacking crews.