Cisco Industrial switches affected by an unpatched flaw
17.2.2016 Vulnerebility
Cisco disclosed a DoS vulnerability affecting the IOS software running on the industrial switches belonging to the Industrial Ethernet 2000 Series.
Last week I wrote about a vulnerability affecting CISCO Universal Small Cell kits that allows unauthenticated remote users to retrieve devices’ firmware, now another vulnerability is worrying the customers of the IT Giants. The flaw coded as CVE-2016-1330 affects Cisco Industrial Ethernet 2000 Series Switches running IOS Software 15.2(4)E.
The flaw affects the way the devices processes Cisco Discovery Protocol (CDP) packets, an unauthenticated attacker with access to the network can send specially crafted CDP packets to the Cisco Industrial Switches to cause vulnerable devices to reload.
“A vulnerability in the processing of Cisco Discovery Protocol (CDP) packets by Cisco IOS Software for Cisco Industrial Ethernet 2000 Series Switches could allow an unauthenticated, adjacent attacker to cause an affected device to reload.” states the Cisco Security Advisory. “The vulnerability is due to improper processing of crafted CDP packets. An attacker could exploit this vulnerability by sending a crafted CDP packet to an affected device. An exploit could allow the attacker to cause the affected device to reload.”
Cisco has yet to release a patch to solve the issue and there are no workarounds, fortunately, the vulnerability hasn’t been exploited in the wild.
Cisco disclosed also a second vulnerability, coded as CVE-2016-1331, in Cisco Emergency Responder, a family of devices designed to allow emergency teams to identify the location of 911 callers. The vulnerability is a cross-site scripting (XSS) rated as medium-severity that allows unauthenticated attacker to execute arbitrary code in the context of the vulnerable web interface and access potentially sensitive browser information.
“A vulnerability in the web framework code of Cisco Emergency Responder could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system.” states the Cisco Advisory.”
“The vulnerability is due to insufficient input validation of some parameters passed to the web server. An attacker could exploit this vulnerability by convincing the user to access a malicious link or by intercepting the user request and injecting malicious code. An exploit could allow the attacker to execute arbitrary code in the context of the affected site or allow the attacker to access sensitive browser-based information.”
In a possible attack scenario, the attacker can trigger the vulnerability by tricking the victim into clicking on a malicious link or by injecting malicious code into an intercepted connection.
Also in this case, there is no patch available neither a workaround.
$103,000 stolen in Brain Wallets cracking attacks
17.2.2016 Computer Attack
A group of researchers discovered that roughly 1,000 brain wallets have been drained by cyber criminals that have stolen $103,000
The term brainwallet refers to the concept of storing Bitcoins in one’s own mind by memorization of a passphrase. The phrase is converted into a 256-bit private key with a hashing or key derivation algorithm (example: SHA256). That private key is used to calculate the final Bitcoin address.
This method was erroneously considered secure because malware based attacks are ineffective in stealing private keys, but now an expert demonstrated that brain wallets are not secure because the passwords can be easily cracked by an attacker. The researcher explained that brain wallets used no salt and passed plaintext passwords through a single hash iteration, this makes easy for hackers to crack brain wallet passwords. Another problem is represented by the fact that a form of the insecurely hashed passwords is stored in the Bitcoin blockchain giving more information for the attack to the hackers.
The researcher Ryan Castellucci demonstrated at the DEF CON conference last year how to crack brain wallets:
“Our implementation improves the state of the art by a factor of 2.5, with focus on the cases where side channel attacks are not a concern and a large quantity of RAM is available. As a result, we are able to scan the Bitcoin blockchain for weak keys faster than any previous implementation.” states the paper .
Now researchers at the University of Tulsa, Stanford University and the Southern Methodist University have discovered a new method to crack brain wallet passphrase faster respect the method elaborated by Castellucci.
The researchers published a paper demonstrating the efficiency of their Bitcoin Key Recovery Attacks, that is 2.5 times faster compared to Castellucci’s technique.
The researchers analyzed roughly 300 billion passwords and discovered that only less than 1,000 brain wallets used between September 2011 and August 2015.
“In this paper, we report on the first large-scale measurement of the use of brain wallets in Bitcoin. Using a wide range of word lists, we evaluated around 300 billion passwords. Surprisingly, after excluding activities by researchers, we identified just 884 brain wallets worth around $100K in use from September 2011 to August 2015.” researchers wrote in their paper.
“Our results reveal the existence of an active attacker community that rapidly steals funds from vulnerable brain wallets in nearly all cases we identify,” explained the researchers. “In total, approximately $100K worth of bitcoin has been loaded into brain wallets, with the ten most valuable wallets accounting for over three-quarters of the total value. Many brain wallets are drained within minutes, and while those storing larger values are emptied faster, nearly all wallets are drained within 24 hours.”
The passwords were derived from words available in dictionaries, the passwords were then compared to a list of all used Bitcoin addresses to determine which of them were associated with brain wallets.
Experts identified 884 brain wallets storing 1,806 BTC (worth approximately $100,000) and discovered that only 21 of them were not drained by cyber criminals.
It was disconcerting that in many cases, the accounts were drained within minutes or seconds, the researchers also noticed that there is no evidence that Bitcoin wallets containing larger amounts of money were protected by the owners with stronger passwords.
“We find that all but 21 wallets were drained, usually within 24 hours but often within minutes. We find that around a dozen “drainers” are competing to liquidate brain wallets as soon as they are funded.” continues the researchers.
The experts analyzed the Bitcoin transactions involving brain wallets and discovered that at least 14 entities were involved in the attacks.
“A few drainers are very successful while the rest do not make very much,” researchers wrote in their paper. “The top 4 drainers have netted the equivalent of $35,000 between them. The drainer who has emptied the most brain wallets — 100 in all — has earned $3,219 for the effort. But other drainers have stolen very little money. For example, one drainer stole from 78 different brain wallets but netted only $62 worth of bitcoin.”
The group of researchers will present the study, titled “The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets,” at the next Financial Cryptography and Data Security 2016 conference.
US Judge requests Apple to unlock San Bernardino shooter’s iPhone
17.2.2016 Apple
A US magistrate ordered Apple to help unlock San Bernardino shooter’s iPhone, be aware it is demanding a tool to bypass the security mechanism.
We discussed very often of the difficulties of the law enforcement in conducting investigations when suspects used devices that make use of encryption, the case that we are going to analyze is emblematic.
Apple must assist the FBI in unlocking the passcode-protected encrypted iPhone belonging to Syed Farook, one of the San Bernardino shooters in California.
The smartphone belonged to Syed Farook, who with his wife Tashfeen Malik killed 14 coworkers on December 2, 2015. Police intervened but failed to capture them alive because they died in a shootout with agents.
The agents seized the Syed’s smartphone, an iPhone 5C, but they were not able to access it because it is protected by a password. The authorities requested support to Apple with a court order issued by the US magistrate Sheri Pym.
After 10 wrong guesses, the iOS locks up requiring a sync with iTunes to restore, or automatically wipes the handset’s data, depending on the user settings.
The magistrate Sheri Pym is requesting Apple to find a way to supply software that prevents the phone from automatically wipe data when too many attempts fail. In this way, the police is free to run a brute-force attack to guess the PIN and overwhelm the security feature.
Apple have to unlock San Bernardino shooter's iPhone
Be aware, the magistrate hasn’t requested apple to crack its encryption, instead, it demands a tool to bypass the security mechanism.
As reported by The Register:
“It’s technically possible for Apple to hack a device’s PIN, wipe, and other functions. Question is can they be legally forced to hack,” stweeted Forensic scientist Jonathan Ździarski.
“Theory: either NSA/CIA dragnet and cryptanalysis capabilities are severely limited, or this is a test case to see how the courts respond.”
Judge Pym is requesting a software update working only on the Farook’s iPhone and running only on government or Apple property.
At this point Apple has two options, demonstrate that it cannot technically comply with the order or provide the requested software.
There is no such time, Apple has five days!
Kaspersky Security Bulletin. Spam and phishing in 2015
16.2.2016 Zdroj: Kaspersky Spam
According to Kaspersky Lab, in 2015
The proportion of spam in email flows was 55.28%, which is 11.48 percentage points lower than in 2014.
79% of spam emails were no more than 2 KB in size.
15.2% of spam was sent from the US.
146,692,256 instances that triggered the ‘Antiphishing’ system were recorded.
Russia suffered the highest number of phishing attacks, with 17.8% of the global total.
Japan (21.68 %) took the lead in the ranking of unique users attacked by phishers.
34.33% of phishing attacks targeted online financial organizations (banks, payment systems and online stores).
New domain zones in spam
In early 2015, we registered a surge in the number of new top-level domains used for distributing mass mailings. This was caused by the growth in interest among spammers for the New gTLD program launched in 2014. The main aim of this program is to provide organizations with the opportunity to choose a domain zone that is consistent with their activities and the themes of their sites. The business opportunities provided by New gTLD were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.
In 2015, proportion of #spam was 55.28% down from 66.76% in 2014 #KLReport
Tweet
However, new domain zones almost immediately became an arena for the large-scale distribution of spam, as cybercriminals registered domains to spread mass mailings. At first, there was some logical connection between the theme of the spam and the domain name, but this changed as the year went on and the domain names used in mass mailings were, on the whole, not related to the subject of the spam. However, even now we still come across isolated cases where the connection is noticeable. For example, online dating sites are often placed in the .date zone.
This lack of any connection between the domain name and spam theme was mainly caused by the cost of new domains. The attackers try to choose the cheapest possible hosting because the sites will often be used just once for a specific spam mass mailing, so the domain name does not play a major role. Instead, the deciding factors tend to be the cost of the domains and the discounts that small registrars are willing to provide for bulk purchases.
Spammer tricks: methods for expressing domain names
Scammers try to make every email unique in order to bypass mass filtering and complicate the work of content filters. It is quite easy to make each text different by using similar characters from other alphabets, or by changing the word and sentence order, etc. But there is always the address of the spammer site – it can’t be changed so easily, and the whole point of sending out spam is for users to click a link to the advertised site. Over the years, spammers have come up with numerous ways to hide the spammer site from anti-spam filters: redirects to hacked sites, generation of unique links to short URL services, the use of popular cloud services as redirects, etc.
In 2015, 79% of spam emails were less than 2 KB in size #KLReport
Tweet
In 2015, in addition to the methods mentioned above, spammers also focused on ways of expressing domain names and IP addresses. Here we take a closer look at these tricks by studying examples taken from a variety of spam messages.
Special features of the IP protocol: different IP formats
The standard method of writing IP addresses IPv4 is the dotted-decimal format where the value of each byte is given as a decimal number from 0 to 255, and each byte is separated by a dot. However, there are other formats that browsers will interpret correctly. These are binary, octal, hexadecimal formats, and the format dword/Undotted Integer when every IP byte is first converted to a hexadecimal format, then all the bytes are written in one number in the order they were written in the IP address, and then this number is converted into the decimal system. All these formats can be combined by writing each part of the IP in a different way, and the browser will still interpret it correctly!
These techniques are exploited by spammers. They write the same IP addresses in many different ways, including the method of combining different formats:
oct – hex
oct – dword
hex – dword
Addresses in hexadecimal format can be written with and without dots separating the numbers:
Kaspersky Security Bulletin. Spam and phishing in 2015
Additionally, 4294967296 (256^4) can be added any number of times to the number in the Integer format, and the result will still be interpreted as the same IP address.
In 2015, 15.2% of spam was sent from the US #KLReport
Tweet
In the decimal format, the number 256 can be added to each part of the IP address any amount of times – as long as there is a three-digit result, the address will be interpreted correctly.
In the octal format, any number of leading zeros can be added to the IP address, and it will remain valid:
You can also insert any number of forward slashes in the address:
Although in some legal libraries IP addresses can be stored in different formats, it is prohibited to use any format other than the standard dotted-decimal in the URL (i.e., in the links being referred to).
Obfuscation of an IP address, or how many ways can a number be written in Unicode
We have already written about the obfuscation of key words in spam using various Unicode ranges.
The same tricks can be applied when writing IP addresses and domain names. With regards to an IP, in 2015 spammers often used Unicode numbers from the so-called full-size range. Normally, it is used with hieroglyphic languages so that Latin letters and numbers do not look too small and narrow compared to the hieroglyphics.
We also came across figures from other ranges – figures in a circle, figures that are underscored, etc.:
Obfuscation of domains
As mentioned above, this trick also works with domains. Unicode has even more letter ranges than numerical. Spammers often used multiple ranges in a single link (changing them randomly in every email, thereby increasing the variability within a single mass mailing).
To make the links even more unique, rather than obfuscating the spammer site itself the scammers obfuscated short URL services where the links to the main site were generated in large quantities:
Interpreting URL symbols
URLs contain special symbols that spammers use to add ‘noise’. Primarily, it is the @ symbol which is intended for user authentication on the site. A link such as http://login:password@domain.com means that the user wants to enter the site domain.com using a specific username (login) and password. If the site does not require authentication, everything that precedes the @ symbol, will simply be ignored. We came across mass mailings where spammers simply inserted the @ symbol in front of the domain name and mass mailings where the @ symbol was preceded with a random (or non-random) sequence:
It is interesting that this technique was used to obfuscate links; that is usually the prerogative of phishers. This method of presenting URLs can be used by fraudsters to trick users into thinking that a link leads to a legitimate site. For example, in the link http://google.com@spamdomain.com/anything the domain that the browser accepts is spamdomain.com, not google.com. However, in order to trick users, spammers have used another domain-related technique: they registered lots of domains beginning with com-. With third-level domains the links in emails looked like this: http://learnmore.com-eurekastep.eu/find
If you don’t look carefully, you might think that the main domain is learnmore.com, whereas it is in fact com-eurekastep.eu.
In addition to the @ symbol, scammers filled links with other symbols: www.goo&zwj.g&zwjl/0Gsylm.
For example, in the case above the “&zwj” fragment in the goo.gl domain has been inserted randomly in different parts of the domain making the link unique in each email. This insertion is called a zero-width joiner; it is used to combine several individual symbols in the Hindi languages as well as emoticons in one symbol. Within the domain, it obviously carries no semantic meaning; it simply obfuscates the link.
Yet another method of obscuring links is the use of a “soft hyphen” (SHY). In HTML, SHY is a special symbol that is not visible in the text, but if a word containing a special symbol doesn’t fit in at the end of a line, the part after the special symbol is moved to the next line, while a hyphen is added to the first part. Typically, browsers and email clients ignore this symbol inside links, so spammers can embed it anywhere in a URL and as often as they like. We came across a mass mailing where soft hyphens had been inserted in the domain more than 200 times (hexadecimal encoding):
As well as the soft hyphen there are other special symbols used in domains – the sequence indicator (& ordm;), the superscripts 1 and 2 (& sup1 ;, & sup2;) – that can be interpreted by some browsers as the letter “o” and the figures “1” and “2” respectively.
Reiteration of a popular domain name
Another original way of adding noise to links used by spammers in 2015 was the use of a well-known domain as a redirect. This trick is not new, but this time the fraudsters added the same well-known domain several times:
Emails without a URL
It is also worth mentioning those cases where no domains were used at all. Instead of a URL, a number of spam mailings contained a QR-code.
Other mass mailings prompted the user to enter a random sequence in a search engine; the link to the site appeared at the top of the search results:
World events in spam
The next Olympic Games in Brazil only take place in the summer of 2016, but already in 2015 fraudulent notifications of lottery wins dedicated to this popular sporting event were being registered. These included emails containing an attached PDF file that informed recipients that their address had been randomly selected out of millions of email addresses. In order to claim the prize it was necessary to respond to the email and provide specific personal information. In addition to the text, the attachments contained different graphical elements (logos, photos, etc.). The fake lottery win notifications, which were of a considerable length, were often sent out with attachments to bypass spam filtering.
In 2015, ‘Nigerian’ scammers exploited political events in Ukraine, the war in Syria, the presidential elections in Nigeria and earthquake in Nepal to convince recipients that their stories were genuine. The authors primarily sought help to invest huge sums of money or asked for financial assistance. These so-called Nigerian letters made use of the customary tricks to deceive recipients and extort money from them.
Emails about the war in Syria often mentioned refugees and Syrian citizens seeking asylum in Europe. Some emails were made to look as if they had been sent directly from refugee camps and contained complaints about the poor conditions.
Statistics
Proportion of spam in email traffic
In 2015, the proportion of spam in email traffic was 55.28%, which is 11.48 percentage points lower than the previous year.
The proportion of spam in email traffic, 2015
The most noticeable drop was registered in the first months of 2015 – from 61.86% in January to 53.63% in April. The fluctuations throughout the rest of the year were inconsiderable – within 1-2 percentage points.
Sources of spam by country
Sources of spam by country, 2015
In 2015, there was a slight change to the top three sources of spam: China (6.12%) dropped to fourth although the proportion of spam distributed from that country actually increased by 0.59 percentage points. Replacing it in third place was Vietnam (6.13%), which saw 1.92 percentage points added to its share. Russia (6.15%) remained in second place with an increase of 0.22 percentage points, while the US (15.16%) remained the undisputed leader despite a decrease of 1.5 percentage points.
In 2015, users in USA were targeted by 4.92% of worldwide malicious emails #KLReport
Tweet
As was the case in 2014 Germany came fifth (4.24%), with its contribution increasing by 0.24 percentage points. The rest of the Top 10 consisted of Ukraine (3.99%, +0.99 p.p.), France (3.17%, +0.62 p.p.), India (2.96%, no change), Argentina (2.90%, -0.65 p.p.) and Brazil (2.85%, +0.42 p.p.).
The size of spam emails
The size of spam emails in 2015
The proportion of super-short spam emails (under 2 KB) grew in 2015 and averaged 77.26%, while the share of emails sized 2-5 KB fell to 9.08%. The general trend of 2015 was a reduction in the size of emails.
Malicious attachments in email
The Top 10 malicious programs spread by email in 2015
The notorious Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. This program is a fake HTML page sent via email that imitates an important notification from a large commercial bank, online store, or software developer, etc. This threat appears as an HTML phishing website where a user has to enter his personal data, which is then forwarded to cybercriminals.
Trojan-Downloader.HTML.Agent.aax was in second, while ninth and tenth positions were occupied by Trojan-Downloader.HTML.Meta.as. and Trojan-Downloader.HTML.Meta.ay respectively. All three are HTML pages that, when opened by users, redirect them to a malicious site. Once there, a victim usually encounters a phishing page or is offered a download – Binbot, a binary option trading bot. These malicious programs spread via email attachments and the only difference between them is the link that redirects users to the rigged sites.
Third was Trojan-Banker.Win32.ChePro.ink. This downloader is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.
Email-Worm.Win32.Mydoom.l was in fourth place. This network worm spreads as an email attachment via file-sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. To send the email, the worm directly connects to the SMTP server of the recipient.
Next came Trojan.JS.Agent.csz and Trojan-Downloader.JS.Agent.hhi, which are downloaders written in JavaScript. These malicious programs may contain several addresses (domains) which the infected computer consecutively calls. If the call is successful, a malicious EXE file is downloaded in the temp folder and run.
Trojan-PSW.Win32.Fareit.auqm was in eighth position. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs and then send the data to a remote server run by cybercriminals.
Malware families
Throughout the year, Upatre remained the most widespread malware family. Malware from this family downloads the Trojan banker known as Dyre/Dyreza/Dyzap.
MSWord.Agent and VBS.Agent occupied second and third places respectively. To recap, these malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as Andromeda.VBS.Agent. As the name suggests, it uses the embedded VBS script. To download and run other malware on the user’s computer the malicious programs of this family utilize the ADODB.Stream technology.
The Andromeda family came fourth. These programs allow the attackers to secretly control infected computers, which often become part of a botnet. Noticeably, in 2014 Andromeda topped the rating of the most widespread malware families.
In 2015, #Japan (21.68 %) took the lead in the ranking of unique users attacked by phishers #KLReport
Tweet
The Zbot family came fifth. Representatives of this family are designed to carry out attacks on servers and user computers, and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information.
Countries targeted by malicious mailshots
Distribution of email antivirus verdicts by country, 2015
For the previous three years, the Top 3 countries most often targeted by mailshots has remained unchanged – the US, the UK and Germany. However, in 2015, spammers altered their tactics and targets. As a result, Germany came first (19.06%, +9.84 p.p.) followed by Brazil (7.64%, +4.09 p.p.), which was only sixth in 2014.
The biggest surprise in Q3, and the whole of 2015, was Russia’s rise to third place (6.30%, +3.06 p.p.). To recap, in 2014 Russia was ranked eighth with no more than 3.24% of all malicious spam being sent to the country.
We would like to believe that despite the trend seen in recent quarters, the number of malicious mass mailings sent to Russia will decrease. As for the total number of malicious attachments sent via email, their number is likely to grow in 2016 and the theft of personal information and Trojan ransomware will occupy the top places.
Special features of malicious spam
In spam traffic for 2015 we registered a burst of mass mailings with macro viruses. The majority of emails containing macro viruses in Q1 were sent in attachments with a .doc or .xls extension and belonged to the Trojan downloader category designed to download other malicious programs.
As a rule, the malicious attachments imitated various financial documents: notifications about fines or money transfers, unpaid bills, payments, complaints, e-tickets, etc. They were often sent on behalf of employees from real companies and organizations.
In 2015, 34.33% of phishing attacks targeted clients of financial organizations #KLReport #banking
Tweet
The danger posed by macro viruses is not restricted to their availability and ease of creation. A macro virus can infect not only the document that is opened initially but also a global macro common to all similar documents and consequently all the user’s documents that use global macros. Moreover, the VBA language is sufficiently functional to be used for writing malicious code of all kinds.
In 2015, cybercriminals specializing in malicious spam continued to distribute malware in non-standard archive formats (.cab, .ace, .7z, .z, .gz). These formats were introduced long ago and are used by specialists in software development and installation, but they are largely unknown to ordinary users, unlike ZIP and RAR. Another difference is the high degree of file compression. These malicious archives were passed off as a variety of attachments (orders, invoices, photographs, reports, etc.) and contained different malicious programs (Trojan-Downloader.Win32.Cabby, Trojan-Downloader.VBS.Agent.azx, Trojan-Spy.Win32.Zbot .iuk, HawkEye Keylogger, etc.). The vast majority of emails were in English, though there were messages in other languages.
In 2014, cybercriminals were particularly active in sending out fake emails from mobile devices and notifications from mobile apps containing malware and adverts. In 2015, the mobile theme continued: malicious programs were distributed in the form of .apk and .jar files, which are in fact archived executable application files for mobile devices. Files with the .jar extension are usually ZIP archives containing a program in Java, and they are primarily intended to be launched from a mobile phone, while .apk files are used to install applications on Android.
In particular, cybercriminals masked the mobile encryption Trojan SLocker behind a file containing updates for Flash Player: when run, it encrypts images, documents and video files stored on the device. After launching, a message is displayed telling the user to pay a fee in order to decrypt his files. Another .jar archive contained Backdoor.Adwind written in Java. This multi-platform malicious program can be installed not only on mobile devices but also on Windows, Mac and Linux.
The attackers who send out malware in files for mobile devices are most probably hoping that recipients using email on a mobile device will install the malicious attachment.
With every year, cybercriminals are becoming more interested in mobile devices. This is primarily due to the constant increase in activity by mobile users (using messengers and other methods of exchanging data) and the migration of different services (e.g., financial transactions) to mobile platforms, and of course, one user may have several mobile devices. Secondly, it is due to the emergence of various popular apps that can be used by cybercriminals both directly (for sending out spam, including malicious spam) and indirectly (in phishing emails). For example, users of the popular messenger WhatsApp fall victim to not only traditional advertising spam but also virus writers. Mobile users should be especially careful because cybercriminal activity in this sphere is only likely to increase.
Phishing
Main trends
In 2015, the Anti-Phishing system was triggered 148,395,446 times on computers of Kaspersky Lab users. 60% (89,947,439) of those incidents were blocked by deterministic components and 40% (58,448,007) by heuristic detection components.
Methods of distributing phishing content
The methods used by cybercriminals to spread phishing content have long gone beyond the framework of email clients. For example, one of the most popular ways of distributing phishing pages is pop-up ads. In 2015, we came across a variety of fraudulent schemes utilizing this simple trick: the fake page automatically opens in the browser when a user visits certain sites, including legitimate ones, but uses pop-up advertising.
Cybercriminals used this technique to attack customers of Russian banks in the third and fourth quarters of 2015.
The fraudulent page to which the victim is redirected by a pop-up advert
Other popular themes of the year
As we mentioned in Q1, the contribution of the ‘Delivery company’ category is very small (0.23%), but it has recently experienced a slight increase (+0.04 p.p.). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often targeted by phishers.
This method – an email sent on behalf of a delivery firm – is often used by fraudsters to distribute malicious attachments, gather personal information and even collect money.
Phishing email sent on behalf of FedEx
The attackers are especially active in this category in the run-up to holidays when people tend to buy presents using popular delivery services.
Email tricks
Scammers have long made successful use of PDF attachments in phishing attacks. These files are usually a form for entering personal information that is sent to the fraudsters by pressing a button in the file. However, in 2015 we saw a surge of emails in which the text message and the link to the phishing page were included in the PDF document. The text in the body of the message was reduced to a minimum to bypass spam filtering.
These tricks are used against organizations in all categories. In 2015, many attacks of this type targeted banking and mail organizations.
Example of a phishing email. The body of the message contains only the text imitating the heading of the email to which this email is allegedly responding. The email has an attached PDF file that contains the link to the phishing page.
We came across numerous PDF files that redirected victims to phishing websites. The fraudsters encouraged the user to click on ‘View pdf File’ to read the contents of the file.
A phishing email with an attached PDF file containing a redirect to a phishing website
The geography of attacks
Top 10 countries by percentage of attacked users
Japan had the highest proportion of users subjected to phishing attacks (21.68%), a 2.17 p.p. increase from the previous year.
The percentage of users on whose computers the anti-phishing system was triggered out of the total number of users of Kaspersky Lab products in the country, 2015
Top 10 countries by percentage of attacked users
Japan 21.68%
Brazil 21.63%
India 21.02%
Ecuador 20.03%
Mozambique 18.30%
Russia 17.88%
Australia 17.68%
Vietnam 17.37%
Canada 17.34%
France 17.11%
Last year’s leader, Brazil (21.63%), fell to second place with a drop of 5.77 percentage points in the number of attacked users. It was followed by India (21.02%, -2.06 p.p.) and Ecuador (20.03%, -2.79 p.p.).
The distribution of attacks by country
Russia accounted for the greatest share of phishing attacks, with 17.8% of the global total, an increase of 0.62 percentage points compared to the previous year.
Distribution of phishing attacks by country in 2015
Behind Russia in second place was Brazil (8.74%, +1.71 p.p.), followed by India (7.73%, +0.58 p.p.), the US (7.52%, +0.32 p.p.), with Italy rounding off the Top 5 (7.04%, +1.47 p.p.).
Organizations under attack
The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the anti-phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.
Distribution of organizations subject to phishing attacks by category, 2015
In 2015, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Online finances’ category (34.33%, +5.59 pp): they include the ‘Banks’, ‘Payment Systems’ and ‘Online stores’ categories. Of note is the increase in the percentage of targeted organizations in the ‘Telephone and Internet service providers’ (5.50%, +1.4 p.p.) and ‘Social networking sites and blogs’ (16.40%, +0.63 p.p.) categories.
Top 3 organizations attacked
Organization % of detected phishing links
1 Yahoo! 14.17
2 Facebook 9.51
3 Google 6.8
In 2015, Yahoo! was once again the organization targeted most by phishers, although its share decreased considerably – 14.17% vs 23.3% in 2014. We presume this decrease is a result of the company combating these fake domains. We see that Yahoo!, as well as many other organizations, registers lots of domains that could theoretically be used by the attackers as they are derived from the original domain name.
Conclusion and forecasts
In 2015, the proportion of spam in email traffic decreased by 11.48 percentage points and accounted for 55.28%. The largest decline was observed in the first quarter; from April the fluctuations stabilized and were within a few percentage points. This reduction was caused by the migration of advertising for legal goods and services from spam flows to more convenient and legal platforms (social networks, coupon services, etc.), as well as by the expansion of the “gray” zone in mass mailings (mass mailings sent both to voluntary subscribers and to people who have not given their consent). We assume the share of spam will continue to decrease in 2016, though the decline will be insignificant.
The number of malicious and fraudulent messages, however, will increase. It is possible that the attackers will once again make use of their customary tricks as was the case in 2015 (mass mailings of macro viruses and non-standard attachment extensions). The mobile theme may also become yet another weapon in the cybercriminals’ arsenal to spread malware and fraudulent spam.
The number of new domains created by spammers especially for distributing mass mailings will continue to grow. We also expect to see an expansion in new domain zones used as spammer resources.
Nejnovější trojský kůň pro Linux -- jednoduchý a nesmírně účinný
16.2.2016 Viry
Ruská skupina kyberzločinců začala využívat nový trojan Fysbis. Ten má modulární podobu a dokáže krást data z Linuxu bez nutnosti přístupu k rootu.
Kyberšpionážní skupina známá jako Pawn Storm začala v rámci linuxových systémů jednoduchý, ale velmi účinný trojan, který pro svou nekalou činnost nepotřebuje žádná vysoká oprávnění.
Trojský kůň Fysbis umožňuje útočit prostřednictvím plug-inů. „Fysbis se dokáže nainstalovat do systému, aniž by k tomu potřeboval root privilegia,“ uvádějí výzkumníci z Palo Alto Networks, kteří na aktivity skupiny upozorňují. „Útočníci tak mají daleko širší možnosti.“
Primárně je Fysbis určený ke krádeži dat a jako takový ani nepotřebuje získat nadvládu nad celým systémem, k potřebným dokumentům či aktivitám uživatele, se dokáže dostat i bez ní.
A je tak prý důkazem, že takzvané pokročilé perzistentní hrozby (APT – Advanced persistent threat), často vůbec pokročilé být nemusejí, aby s nimi útočníci dosáhli svého cíle.
„Navzdory přetrvávající domněnce (a falešnému pocitu bezpečí), že Linux skýtá vyšší stupně ochrany, hrozba tu existuje a jeho zranitelnost zkouší zkušenější útočníci,“ uvádějí experti firmy Palo Alto.
Podle společnosti navíc může být odhalení útoků na Linux podstatně složitější než například v případě Windows, jelikož uživatelé Linuxu bezpečnostní opatření často podceňují.
I to může být důvod toho, proč útoků na linuxové systémy v posledních letech přibývá.
Pawn Storm, známá rovněž jako APT28, Sofacy nebo Sednit, je skupina útočníků, která o sobě dává vědět už od roku 2007. Od té doby si ke svým útokům vyhlédla vládní, bezpečnostní, ale i vojenské organizace, stejně jako média, ukrajinské politické aktivisty nebo kritiky Kremlu.
Často přitom útočí prostřednictvím tzv. zero day exploits – tedy útoků využívajících zranitelnosti softwaru, která ještě není obecně známá, cizí jí však není ani cílený spear-phishing využívající škodlivé e-mailové přílohy. Jednu ze svých přezdívek skupina získala po backdoorovém programu pro Windows Sednit, útočí však i na systémy Mac OS X, Linux či mobilní systémy.
Chcete 12 000 Kč? Slibují důvěřivcům peníze, pak je ale oberou
16.2.2016 Spam
Na internetu se doslova roztrhnul pytel se soutěžemi, jejichž hlavní cenou mají být poukázky na nákupy ve známých tuzemských obchodech. Háček je ale v tom, že žádné peníze lidé nedostanou. Místo toho naopak o peníze přijdou.
Nabídka na kupón do Penny Marketu v hodnotě 6000 Kč.
Začíná to docela nevinně. V internetovém prohlížeči se zobrazí reklama, která láká na mnohatisícové poukázky například do Penny Marketu. Vyhrát šest nebo 12 tisíc korun může každý uživatel po zodpovězení tří jednoduchých otázek.
Pro získání ceny pak musí uživatel ještě vyplnit své jméno a telefonní číslo a zavolat na „zákaznickou“ linku, aby si svou odměnu vyzvedl. Ale právě v tom je ten zakopaný pes, protože minuta hovoru je zpoplatněna částkou 50 Kč, na což koneckonců upozorňuje drobným písmem i samotná „výherní” nabídka.
Provozovatelé této služby se tak chrání před případnou snahou lidí o vrácení peněz.
Provozovatelé služby sami upozorňují drobným písmem na konci stránky, že hovor bude stát 50 Kč za minutu.
FOTO: Novinky
Že jde ve skutečnosti o podvod, upozorňuje ale i samotný Penny Market na svém Facebooku. Právě na ten se totiž obracejí nespokojení zákazníci, kterým přijde pěkně tučný telefonní účet.
„Neorganizujeme žádnou soutěž o dárkovou kartu v hodnotě 6000 Kč! Pokud se dostanete na webové stránky, které vypadají takto (obrázek v úvodu článku), jde o podvod,“ varovali na Facebooku zástupci Penny Marketu.
Billa, Lidl i Tesco
Penny Market přitom není jediným obchodem, který se v podobných soutěžích objevil. Poukázky s hodnotou 12 000 Kč jsou nabízeny také pro Billu, Lidl či Tesco. U soutěží, které probíhají na webech, jež nemají s danými obchodníky vůbec nic společného, by měli být lidé velmi obezřetní.
Soutěže o kupóny ve výše zmíněných řetězcích totiž byly ještě v pondělí večer nabízeny prostřednictvím serveru prizeselect.com-voucher.club, v úterý se však stránky jevily už jako nedostupné. Je ale více než pravděpodobné, že stejná výherní nabídka se v budoucnu objeví také na úplně jiné webové adrese.
V reklamách se objevují poukázky i na 12 000 Kč od jiných známých řetězců.
APT Groups don’t go under the grid after a successful attack!
16.2.2016 APT
What happened to some of the APT groups behind clamorous cyber attacks? Why they don’t go dark anymore after being outed, a behavior completely different from the past.
I’m sure everyone remembers the Sony attack occurred in 2014, when the US Government blamed the North Korean Government for the attack, materially executed by a hacking group dubbed GOP. In the past, the APT groups behind major attacks went underground for some time until the dust settles in, but now, more and more hacking crews remain active after a big score, using information gathered from the successful attack to target more victims.
Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab. Said expressed his opinion on the Sony hack.
“They didn’t disappear when the dust settled” ha said.
Last week, during the summit in Tenerife, Guerrero-Saade and Jaime Blasco provided some news about Sony hackers:
“It took us two years to correlate all of the information we had … The same people were launching campaigns using information from the Sony attack,”
Why threat groups don’t remain under the radar after a big score?
Kurt Baumgartner, principal security researcher at Kaspersky Lab argues that in the past APT groups “would immediately shut down their infrastructure when they were reported on”, “You just didn’t see the return of an actor sometimes for years at a time.”
Baumgartner used the example of Darkhotel, a Korean-speaking attack group mostly known for hacking WiFi networks at luxury hotels, with the purpose of targeting high -evel executives. Even thought Darkhotel its not attacking hotels anymore, they are not hidden neither, in fact in July was discovered that Darkhotel was using a zero-day Adobe Flash exploit (disclosed from the Hacking Team data breach),
“Within 48 hours, they took the Flash exploit down … They left a loosely configured server”.
Darkhotel doesn’t look worried about exposure, “The hotel [attack] activity focused on business travelers has come to an end, but the other operations are highly active,”.
It is assumed that several groups have a similar behavior, the Equation Group for example that many experts linked to the NSA is believed has changed communication methods to avoid detection.
“I would assume they are active but just changed their” communications, explained Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “We don’t detect them anymore.”
This pattern is found over and over hackers groups, and it looks like notoriety doesn’t stop these groups anymore.
Facebook Offering You $1000 to Run Advertisement Against Terrorism
16.2.2016 Social Site
Facebook Offering $1,000 Credits If You Want to Run Advertisements Against ISIS and Terrorism
Over a past few times, we have seen a steady growth in the online recruitment of Jihadis from social networking sites by many radical groups.
ISIS has topped the online recruitment, and it is the only terror group that leverages the enormous power of Twitter and Facebook to radicalize young minds, spread its message and recruit foreign supporters to its fights.
Many ISIS militants maintain extremely active accounts on the popular social media platforms and have a strong presence on the most popular encrypted messaging app Telegram with more than 100,000 followers.
This issue had impacted the society deeply. Recent examples include last year’s Paris attack in which ISIS used some popular messaging apps to plot the attack.
As the Dark Siders of social media began to turn this platform into a Terror-Picker, the White Siders of the same social media came under a single roof to declare fight against terrorism, and rage cyber war against these anti-humans.
Facebook Buckled Up to Fight against Terrorism
Facebook is also on the main line up to join the fight against terrorism. The social media giant has also come up with a solution to minimize the presence of caliphate group from its social media platform.
Similar efforts have previously been made by Anonymous hacktivist group, who conducted various planned operation like OpISIS, OpParis, expunging ISIS channels from Twitter and Telegram.
Recently, Facebook introduced a new program, dubbed "Counter-Speech," that offers advertising credits up to $1000 for those who raise their voice against hate speeches & terror propagandas.
This new intelligent strategy would enlighten the immature minds of those who got influenced by the radicalized propaganda and created an automatic hatred towards the group (who tried to brainwash with their propagandas).
So, rather than vanishing or blocking the extremist Facebook pages that spread hatred among its followers, Facebook is focusing on educating more and more young minds in an effort to fight against terrorism.
The First Person to Receive $1000 Credit
Arbi-el-Ayachi - A German comedian had got benefited from the newly released Facebook plan when he released a video showing eating halal meat is poisonous to Christians, last year.
How did the idea strike?
The idea was formed by the current Facebook Chief Operating Officer Sheryl Sandberg while speaking at World Economic Forum last month.
Sandberg backed up this idea by referring to a recent attack conducted by the group in Germany called "Laut gegen Nazis" (an anti-neo nazi group) had attacked the Facebook page of the far-right NDP by getting members to like ("Like Attack") and post on the page.
"Rather than scream and protest, they got 100,000 people to like the page, who did not like the page and put messages of tolerance on the page, so when you got to the page, it changed the content and what was a page filled with hatred and intolerance was then tolerance and messages of hope" Sandberg stated.
Cyber World Fights Against Terrorism
Gradually, the massive operation to fight against terrorist organizations began to hit the headlines and grabbed the attention of several tech giants like Google, YouTube, and Twitter.
Youtube had wiped out more than 1000 dozens of radical videos from its database.
Twitter had expelled 1,25,000 accounts of Jihadi members since in mid 2015.
Google also rolled out a special advertising program for terrorist sympathizers who type extremism-related words in the search engine, but the "top" search results display anti-radicalized links.
Joint ventures like this would act as a Digital Age Shield to minimize the threat levels.
However, Facebook had not mentioned about the verification procedure for those credited $1000. So, it may be possible that those awarded credits could be used for personal promotions too...
How-to — Stealing Decryption Key from Air-Gapped Computer in Another Room
16.2.2016 Safety
Stealing Decryption Key from Air-Gapped Computer in Another Room
Air-gapped computers that are believed to be the most secure computers on the planet have become a regular target for researchers in recent years.
Air-gap computers are one that are isolated from the Internet or any other computers that are connected to the Internet or external network, so hackers can’t remotely access their contents.
But you need to think again before calling them 'Safe.'
A team of security researchers from Tel Aviv University and Technion have discovered a new method to steal sensitive data from a target air-gapped computer located in another room.
The team is the same group of researchers who had experimented a number of different methods to extract data from a computer. Last year, the team demonstrated how to extract secret decryption keys from computers using just a radio receiver and a piece of pita bread.
In 2014, the team devised a special digitizer wristband that had the ability to extract the cryptographic key used to secure data stored on a machine just by solely touching the chassis of the computer.
Extracting Secret Decryption Key in Seconds
Now taking its experiment a step further, the team of researchers, including Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer, recently discovered a similar way to extract secret decryption key within seconds, but this time, from an air-gapped machine.
Although hacking air-gapped machines to steal cryptographic keys has been carried out in past, this is the first time when such attack have successfully targeted computer running Elliptic Curve Cryptography (ECC).
Elliptic Curve Cryptography is a robust key exchange algorithm that is most widely used in everything from securing websites to messages with Transport Layer Security (TLS).
How Does the Method Work?
Researchers used a method known as Side-Channel Attack: An attack that extracts the secret cryptographic key from a system by analyzing the pattern of memory utilization or the electromagnetic outputs of the PC that are emitted during the decryption process.
"By measuring the target's electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall," reads the recently published paper [PDF].
Specifically, the team obtained the private key from a laptop running the popular implementation of OpenPGP, GnuPG. However, the developers of GnuPG have since rolled out countermeasures to this method, making GnuPG more resistant to side-channel attack.
Equipment Required:
The equipment used in the experiment hack included:
An antenna
Amplifiers
A software-defined radio
A laptop
During the experiment hack, the researchers first sent the target laptop a specific ciphertext (an encrypted message).
Now, during the decryption of the chosen ciphertext, the researchers measured the EM leakage of the laptop, "focusing on a narrow frequency band."
The signal was then processed, and a clear trace was produced, revealing the information about the operands used in the ECC, which in turn revealed the secret key.
This experiment was being carried out through a 15-centimeter thick wall, reinforced with metal studs, according to the researchers.
"The experiment...was conducted using a Lenovo 3000 N200 laptops, which exhibit a particularly clear signal," the paper reads. "The attacks are completely non-intrusive: we didn't modify the targets or open their chassis."
The security researchers successfully extracted the secret key after observing around 66 decryption processes, each lasting about 0.05 seconds, resulting in a total measurement time* of about 3.3 secs.
Future Challenges:
Future challenges for researchers include the challenges of non-chosen ciphertext attacks and attacking other cryptographic primitives (such as symmetric encryption). Moreover, minimizing the number of decryption operations in order to extract the secret key.
The team will present its work at the upcoming RSA Conference on March 3. To know in-depth explanation with technical details about the attack, we recommend you read the research paper [PDF].
*Note: When the team says the secret key was obtained in 'seconds', it is the total measurement time, and not how long the time would take for the attack to actually be carried out.
Ransomware demanded $3.6M after takes offline the Hollywood Presbyterian Medical Center
16.2.2016 Virus
Cyber criminals demanded $3.6M after a ransomware-based attack takes offline the systems at the Hollywood Presbyterian Medical Center.
In the “2016 Cyber Security Predictions: From Extortion to Nation-state Attacks” I published at the end of 2015 I have predicted the criminal practices of the extortion will reach levels never seen before.
“Cyber criminals will use threaten victims with ransomware and DDoS attack in an attempt to extort money to stop the attacks or to allow victims to rescue the locked files. Ransomware will be used to target IoT devices like SmartTV, wearables and medical devices.” I wrote in a blog post, and the facts are confirming my expectations.
In the last weeks, a new wave of ransomware targeted million users in Europe, but probably the news is more sensational when the victims are public services like hospitals or power facilities. In January, the Israeli Public Utility Authority suffered a serious incident that caused problems with the systems of the institution, now we discuss other disconcerting news, the computers at Hollywood Presbyterian Medical Center have been down for more than a week due to a ransomware infection.
A local computer consultant revealed to the media that the ransom being demanded was about 9,000 BTC, or just over $3.6 million dollars.
Now the situation has been restored and all the machines have been sanitized, while law enforcement is still investigating the case. Computers storing patients’ data, CT scans, Hospital’s documentation, and lab data went offline.
Hollywood Presbyterian Medical Center ransomware
Unfortunately, the staff at Hollywood Presbyterian Medical Center faced the paralysis of internal services due to the cyber attack.
[The Hollywood Presbyterian Medical Center] reported “significant IT issues and declared an internal emergency” Feb. 5, said hospital president and CEO Allen Stefanek.
The NBC Los Angeles reported the case of a patient that had to drive more than an hour to Palmdale to pick up medical tests in person.
Stefanek also added that hospital’s emergency room systems have been sporadically impacted by the ransomware forcing the displacement of some patients to other hospitals.
The Hospital continued to work but any activity relying on IT system was impacted, registrations and medical records were logged on paper.
The experts at the Hollywood Presbyterian Medical Center haven’t provided technical details about the incident, it is not clear which family of malware infected the systems.
Approximate machine improves the Bitcoin mining by 30 percent
16.2.2016 IT
A team of Illinois-based scientists have conducted a research to improve the Bitcoin mining process by 30 percent.
Bitcoin mining is becoming a process even more costly in terms of computational resources, but a team of Illinois-based researchers have conducted a study to speed up this process.
The group of scientists led by Indian Scientist Rakesh Kumar, and including Matthew Vilim and Henry Duwe, has developed a new machine for Bitcoin Mining called “Approximate Hardware.”
The experts will present their study at the Design and Automation Conference in June 2016.
According to the researchers the “Approximate” machine that could improve the Bitcoin mining process by 30 percent.
“We exploit this inherent tolerance to inaccuracy by proposing approximate mining circuits that trade off reliability with area and delay. These circuits can then be operated at Better Than Worst-Case (BTWC) to enable further gains. Our results show that approximation has the potential to increase mining profits by 30%” states a paper published by the researchers.
The Approximate system takes advantage of imperfections in the hardware system, such as False Positives and False negatives. False Positives are observed when errors are not present, but notified as a fake error. False Negatives are observed when we are in the presence of errors, but they are not notified.
The researchers have found a way to take the advantages of these imperfections in the system to make the Bitcoin mining process more efficient.
The Approximation system scans for the errors to improve the Bitcoin mining.
“Bitcoin mining is a particularly good candidate for approximation because its parallelism mitigates error propagation and a built-in verification system detects any false positives,” reads the paper. “Furthermore, we have identified adders as beneficial choices for approximation in hashing cores in a mining ASIC.” continues the paper. “However, not all approximate adders yield increases in profit. Profits are maximized by adders that minimize delay at the expense of area, and approximate adders should be chosen accordingly. Moreover, profits may be improved by operating the hashing cores at Better Than Worst-Case (BTWC) operating points, past their nominal frequencies”
If you want do deep in the research of the scientists, give a look to the paper titled “Approximate Bitcoin Mining,” but let me anticipate that it is not easy to read.
Russia Wants to Kick Foreign Tech Companies Out Of The Nation
15.2.2016 Safety
Someone wants to kick Microsoft, Google and Apple off from his land, but himself uses Gmail and Mac.
The newly appointed Internet Tsar German Klemenko, who is the first internet advisor of Vladimir Putin, wants to kick off American Giants from Russia.
In a 90-minute interview conducted by Bloomberg, Klemenko expressed his interest to vanish the presence of tech biggies of foreign countries from Russia.
Google & Apple have to Pay 18% more VAT
As part of this, Klemenko plans to hike the tax on foreign companies, including Google and Apple, by 18% VAT on their applications & services sold online.
russia-german-klimenko
It is estimated that Apple, Google and other companies are nearly gaining RUB 300 Billion (£2.7 Billion, US$4 Billion) in revenue every year from Russia.
"When you buy an app from Google Play or the App Store anywhere in Europe, VAT is charged at the place of payment, but not here in our banana republic," says Klemenko.
The proposed movement will be backed up by Andrey Logovoi, a parliament lawmaker and former KGB (Russia's Committee for State Security) agent, who have been accused by the UK of assassinating former agent Alexander Litvinenko in London.
Klemenko, as the first Internet advisor, is more focused to expand the Russian Internet Market by promoting the home-brew projects such as Yandex, Mail.ru , VK social network and much more.
Klemenko is making another movement to replace Windows Operating System with Customized Linux for the Government offices. He claimed that 22,000 municipal government are ready to install Linux.
This is the similar situational turn as China had followed earlier by building their customized Operating System named NeoKylin that underline the presence of National Internet Identity across the cyberspace.
Foreign Companies are Threat to National Security
Google track everything, responds to 32,000 requests a year from US agencies but it won’t answer one from Russia, according to Klimenko.
It seems that both the nations are unhappy with the worldwide surveillance programs conducted by the US intelligence agency NSA and its British counterpart GCHQ which indulge into one’s private life.
“We have to consider this as a kind of potential threat to our national security,” he said.
This stringent movement would put an end to the foreign snooping programs which is a major concern for the Millions and also would draw a Green Arrow vertically in the Russian Stock Exchange.
As Russia is getting inspired from China, as they have started to mark their signature in many diversified fields such as:-
The shipment of their own manufactured SmartPhone “Xiaomi” to many countries.
Implementing a Great Firewall.
Weibo, a Social Networking service which had reached beyond 100 million active users.
Baidu Search Engine.
And many more...
Kicking Off: A Feasible Option?
Kicking off foreign technologies from the nation would raise the eyebrows of many, as today's intended world is being linked via wires to achieve the connectivity and maintain a healthy relationships with the foreign counterparts.
“The way it’s done in North Korea or China with its firewall probably doesn’t fit us, but it’s only a matter of time,” Klimenko said. “It won’t be fatal if Google leaves Russia -- Yandex and Mail.ru have similar technologies.”
Keeping Espionage apart, the proposed plan would hinder the future unified developments which could benefit the nation.
If every country would follow the same crooked path, then our Mother Earth would not be different from other lifeless planets as all are being isolated in their boundaries.
Let's see what other demands are cooking up in the mind of Russia's new Internet Tsar!
Warning — Setting This Date On iPhone Or iPad Will Kill Your Device Permanently
15.2.2016 Apple
Don’t Try this at Home!
An interesting software bug has been discovered in Apple's iOS operating system that could kill your iPhone, iPad or iPod Dead Permanently.
Yes, you heard me right.
An issue with the date and time system in iOS had emerged recently when Reddit users started warning people that changing your iPhone's or any iOS device's date to January 1, 1970, will brick your iPhone forever.
Video Demonstration
You can watch the whole process in the video given below. Even regular recovery tricks do not work.
So, you are recommended to Not Try This Trick with your iOS device really – unless you book a trip to your local Apple Store.
While I don’t have any intention or desire to try it out with my iPhone 6s to confirm the authenticity of the bug, it is pretty much clear based on reports that seem legitimate.
YouTuber Zach Straley first discovered the issue, which was later confirmed by iClarified, who tested the trick on an iOS device.
Affected iOS Devices
This bug affects any iOS device that uses 64-bit A7, A8, A8X, A9 and A9X processors and runs iOS 8 or newer, including iPhones, iPads, and iPod touches. However, for those running on 32-bit iOS versions are not affected by this issue.
How the Bug Kills the iPhone?
Basically, the whole process is due to this:
Set up the date to January 1, 1970, via settings on your iOS device, Reboot your device, and you are done.
Your iPhone or iPad will no longer boot and will be stuck to the Apple logo. Even recovery mode restore or DFU mode will not let you restore your device; it will remain stuck on the bootup screen.
Your device will reportedly not come back, and the only way to get it back to work once again is to take your iOS device to an Apple Store.
The Only Way to Get Your iPhone Back
The bug is believed to be related to UNIX timestamp epoch that causes the kernel to crash. The only way to get it back is to open the device's casing and physically disconnect the battery from the logic board. This could only be done with the help of Apple's Genius Bar.
This process will reset the iPhone's date and allow it to boot.
While there isn't any other fix at the moment, Apple is expected to come up with a software update to fix and unbrick the affected iOS devices.
Though some users are saying that letting the battery drain could make the iPhone work once again, or changing the SIM card could fix the issue, or waiting for the device to back after 5 hours, you are still advised to not try this on your device as there is no guarantee these tricks are going to work.
Wanna Mine Bitcoins Faster? Researchers Find New Way to Do it
15.2.2016 IT
Wanna Mine Bitcoins Faster? Researchers Find New Way to Make Bitcoin
A new machine for Bitcoin Mining called "Approximate Hardware" would make Bitcoin mining easier.
Bitcoin had gained tremendous popularity over a few couple of years among the virtual currencies due to its decentralized principle.
Mining a single Bitcoin is not an ice cake walk, as it requires an enormous amount of computing power to dig Bitcoins.
To overcome this issue and mine Bitcoins faster, security researchers has conducted a study and made a new loophole in the mining process in an effort to mine the Bitcoins easily.
How to Mine Bitcoins Faster?
A team of Illinois-based researchers led by Indian Scientist, Rakesh Kumar, has designed a new hardware named "Approximate" that could reduce the pain of Bitcoin mining by 30 percent.
The proposed system would make use of the faults in the hardware system such as:
False Positives where an error is not present but notifies a fake error.
False Negatives where an error is present but does not notify the real error.
Therefore, by taking the advantages of imperfections in the system, the process of Bitcoin mining could get easier than the classical methods used today.
Approximate Bitcoin Mining
Approximation system is one such hardware that scans for the errors to make the mining somehow, simple.
"Bitcoin mining is a particularly good candidate for approximation because its parallelism mitigates error propagation and a built-in verification system detects any false positives," reads the paper. "Furthermore, we have identified adders as beneficial choices for approximation in hashing cores in a mining ASIC."
Dr. Kumar also had expressed that his team's goal is not building a perfect Bitcoin mining hardware, but their research work would inculcate to design much better mining hardware in the near future.
Also Read: Meet The World's First Person Who Hacked His Body to Implant a Bitcoin Payment CHIP
Kumar and his team, including Matthew Vilim and Henry Duwe, will present their work in a talk titled, "Approximate Bitcoin Mining," at the Design and Automation Conference (electronic design) in June 2016.
This Android Malware Can Root Your Device And Erase Everything
15.2.2016 Android
A new Android malware has been making waves recently that have the capability to gain root access on your smartphone and completely erase your phone's storage.
Dubbed Mazar BOT, the serious malware program is loaded with so many hidden capabilities that security researchers are calling it a dangerous malware that can turn your smartphone into a zombie inside hacker's botnet.
Mazar BOT was discovered by Heimdal Security while the researchers at the firm were analyzing an SMS message sent to random mobile numbers and locations.
How Mazar BOT Works
Despite other Android malware that distributes itself by tricking users into installing an app from third-party app stores, Mazar spreads via a spam SMS or MMS messages that carry a link to a malicious APK (Android app file).
Once the user clicks the given link, he/she'll be ending up downloading the APK file on their Android devices, which when run, prompts the user to install a new application.
This new Android app has a generic name, MMS Messaging, that asks for admin level privileges. Most of the users end up giving the root access to the malicious app due to its common name.
What Makes Mazar BOT So Nasty
Once gaining root access on the victim's device, Mazar BOT can do variety of nasty stuff on your Android devices, like:
Gain boot persistence to help survive device restarts
Send and Read your SMS messages
Make Calls to your contacts
Read the phone's state
Plague phone's control keys
Infect your Chrome browser
Change phone settings
Force the phone into sleep mode
Query the network status
Access the Internet
Wipe your device's storage (the most critical capabilities of all)
Mazar BOT Browses Internet Anonymously Using TOR
Besides these tasks, Mazar BOT can also download a legitimate TOR (The Onion Router) Android app on your smartphone and install it too, even without your consent or permission.
Using TOR app, the malware would be able to surf the Internet anonymously via the Tor network.
Once the malware installs TOR on victim's phone, Mazar BOT sends a "Thank you" message to an Iranian phone number (9876543210), along with the device's location.
In some instances, Mazar BOT also installs an Android app called Polipo Proxy that establishes a proxy on the device, allowing the malware's author to spy on victim's Web traffic and carry out Man-in-the-Middle (MitM) attacks.
Who is Behind This Awful Malware?
Mazar BOT is believed to be distributed by a Russia-based group of cyber-criminals.
One clue to this assumption is: Mazar BOT cannot be installed on Android smartphones in Russia, as its source code includes instructions on how to stop the malware installation process on phone configured with the Russian language.
Another clue is: There is an unwritten law in Russia that says "if cyber criminals don't go after Russians, Russian authorities will not go after them." Moreover, there is no such indication yet that this Mazar BOT campaign has affected anyone in Russia.
Until now, Mazar BOT for Android has been advertised for sale on several Russian underground (Dark Web) forums, but this is the first time this creepy code has been abused in active attacks.
How to Protect Yourself from Mazar BOT
There are standard protection measures you need to follow to remain unaffected:
NEVER click on links in SMS or MMS messages sent to your phone.
Go to Settings → Security → Turn OFF "Allow installation of apps from sources other than the Play Store" option.
Always keep an up-to-date Anti-virus app on your Android devices.
Avoid unknown and unsecured Wi-Fi hotspots and Keep your Wi-Fi turned OFF when not in use.
The IPT ruled that GCHQ spies can legally hack any electronic devices
15.2.2016 BigBrothers
The British Intelligence Agency GCHQ has a license to hack computers and devices, the UK’s Investigatory Powers Tribunal (IPT) ruled.
This means that the UK Government is giving full power to its intelligence agency to spy on Britons as well as people living abroad.
The verdict was issued on Friday after Privacy International and seven ISPs launched a legal challenge against the conduct of the CGHQ whom hacking operations were revealed by documents leaked by NSA whistleblower Edward Snowden.
The CGHQ is responsible of “persistent” illegal hacking of electronic devices and networks worldwide, the Investigatory Powers Tribunal (IPT) has been told.
The popular whistleblower Edward Snowden disclosed a collection of documents revealing the extent of surveillance programmes carried out by the Five Eyes alliance. Snowden revealed the existence of secret surveillance activities such as the Tempora operation and hacking platforms such as the Smurf suite.
GCHQ
GCHQ admitted for the first time that government monitoring station in Cheltenham carries out “persistent” and “non-persistent” Computer Network Exploitation (CNE) against targets in the UK and abroad.
In 2013, the tribunal was told, 20% of GCHQ’s intelligence reports contained information that was obtained through hacking operations.
The case has been brought in hearing at the IPT which deals with complaints against the surveillance operated by the UK intelligence. A four-day hearing is at the Rolls Building in central London.
“The [legal] regime governing CNE … remains disproportionate,” Ben Jaffey, counsel for Privacy International, told the tribunal. “Given the high potential level of intrusiveness, including over large numbers of innocent persons, there are inadequate safeguards and limitations.”
Jaffey highlighted that GCHQ’s hacking alter the targeted systems, an activity that is not considered legal by the authorities.
“The use of computer network exploitation by GCHQ, now avowed, has obviously raised a number of serious questions, which we have done our best to resolve in this Judgment,” reads the lengthy ruling from the Investigatory Powers Tribunal (IPT).
“Plainly it again emphasises the requirement for a balance to be drawn between the urgent need of the Intelligence Agencies to safeguard the public and the protection of an individual’s privacy and/or freedom of expression.”
The court has investigated the legality of the methods used by British intelligence
The tribunal investigated “investigates and determines complaints of unlawful use of covert techniques by public authorities infringing our right to privacy.”
In some cases, the GCHQ installed malware on targeted systems and hacked mobile devices with its Smurf suite.
In November 2015, for the first time the technological abilities of the UK’s National Crime Agency (NCA) have been revealed in a collection of documents, the British law enforcement agency has “equipment Interference” (EI) capabilities, which allow it to hack into mobile devices and computers.
Eric King, the deputy director of the Privacy International, who analyzed the document noticed that in a section there is the explicit reference to the capability of the UK law enforcement having the capability to conduct “equipment interference.”
“Equipment interference is currently used by law enforcement agencies and the security and intelligence agencies,” states the section. The documents also reveal that “more sensitive and intrusive techniques” are available to a “small number of law enforcement agencies, including the National Crime Agency.”
UK law enforcement already in hacking business according to IPBill. pic.twitter.com/SAGzw2w4Fh
— Eric King (@e3i5) 4 Novembre 2015
The GCHQ hacking operations were conducted under a self-imposed code of conduct, the IPT recognizes as legal these activities despite the chagrin of privacy advocates.
“We are disappointed that the IPT has not upheld our complaint and we will be challenging its findings,” said Scarlet Kim, legal officer at Privacy International.
I wonder at this point what will be the repercussions of such a decision on the international level. This decision authorizes in fact any government to hack systems of foreign states. We are in the far west.
Don’t set your iPhone’s Date to January 1, 1970 or your will brick it
15.2.2016 Apple
Another embarrassing problem for Apple iOS mobile devices (iPhone and iPad), setting the date of the devices to January 1st, 1970 will brick them. Don’t Try it!
Another embarrassing problem for Apple iOS mobile devices, a software flaw could be exploited to permanently kill your iPhone, iPad or iPod. The issue affects the Apple iOS date and time system and could be triggered by setting the date to January 1, 1970. The news appeared recently in Reddit discussions warning users about a flaw that could brick iPhone forever, and the presence of the flaw has been confirmed by iClarified.
“Setting the date of your iPhone to January 1st, 1970 will brick your device, according to users across the web and confirmed by iClarified. The bug will affect any 64-bit iOS device that is powered by the A7, A8, A8X, A9, and A9X. 32-bit iOS devices are reportedly not affected by this issue.” reported iClarified.
iPhone 6
Meanwhile on Reddit the users warned other Apple users sharing the following message:“When the date of a 64-bit iOS device is set to January 1, 1970, the device will fail to boot. Connecting the device to iTunes and restoring the device to factory defaults will not put the device back in working order. Instead, a physical repair is required. When connected to public Wi-Fi, iPhone calibrates its time settings with an NTP server. Theoretically, attackers can send malicious NTP requests to adjust every iPhone’s time settings to January 1, 1970, hence brick every iPhone connected to the same network.According to /u/sarrius, worldwide Apple Store are being made aware that disconnecting the battery and reconnecting fixes the issue. It should be common knowledge to all stores worldwide by tomorrow.”
Be careful and do not try to trigger the flaw with your iOS device, the YouTuber Zach Straley first published a Video PoC of the issue.
As explained in the video, after set up the date to January 1, 1970, trying to reboot the device users will notice that the iPhone or iPad will no longer boot and will be frozen displaying the Apple logo.
“Since a DFU or recovery mode restore will not unbrick your device, we strongly recommend that you do not try to test this bug. Users report that while a restore may succeed, the device will still fail to boot after the restore.” continues iClarified.
Let’s wait for a software fix from Apple.
Mazar Bot actively targeting Android devices and wiping them
15.2.2016 BotNet
A new malware dubbed Mazar Bot is threatening Android users and has the ability to gain root access to the mobile device and completely wipe it.
A new threat is threatening Android users, its name is Mazar BOT and has the ability to gain root access to the mobile device and completely wipe its storage.
Mazar BOT could be used by threat actors to recruit victims’ Android devices in a mobile botnet.
The experts at Heimdal Security spotted the Mazar BOT in live attacks while they were investigating an SMS message sent to random mobile numbers and locations. Mazar BOT spreads via a spam SMS or MMS that arrives with the following link (sanitized by Heimdal Security) to a malicious APK:
You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message.”
Once the victim clicks the link above, he will download the APK file on their Android devices. When the file is executed it prompts the user to install a new application with a generic name, MMS Messaging, that asks for admin level privileges … and most of the users give them to the app.
The admin privileges allow the threat actors to perform the following operations:
Gain boot persistence to help survive device restarts
Send and Read your SMS messages
Make Calls to your contacts
Read the phone’s state
Plague phone’s control keys
Infect your Chrome browser
Change phone settings
Force the phone into sleep mode
Query the network status
Access the Internet
Wipe your device’s storage (the most critical capabilities of all)
The researchers at Heimdal Security observed that Mazar BOT is also able to download and install a legitimate TOR Android app on the infected device, even without the user’s interaction.
“In the next phase of the attack, the infection will unpack and run the TOR application, which will then be used to connect to the following server: http: // pc35hiptpcwqezgs [.] Onion.
After that, an automated SMS will be sent to the number 9876543210 (+98 is the country code for Iran) with the text message: “Thank you”. The catch is that this SMS also includes the device’s location data.” continues the post.
The mobile malware can use the Tor app to surf the Internet anonymously. The experts also noticed that Mazar BOT also installs an Android app called Polipo Proxy which acts as a local proxy for the user’s traffic. The Polipo Proxy could be used by attackers malware’s author to spy on victim’s Web traffic and carry out Man-in-the-Middle (MitM) attacks.
The experts believe that the Mazar BOT is operated by a Russian cyber criminal gang, it is curious that the malware cannot be installed on Android smartphones in Russia. The analysis of the source code of the malware revealed the presence of instructions on how to stop the malware installation process on phone configured with the Russian language.
Another clue that suggests the involvement of Russian bad actors is that the Mazar BOT is offered for sale on several Russian underground forums.
In order to protect mobile devices from this threat follow these simple suggestions:
Don’t click on links in SMS or MMS messages sent to your phone.
Go to Settings → Security → Disable the option “Allow installation of apps from sources other than the Play Store.”
Install and keep an up-to-date Anti-virus solution on your Android device.
Avoid unsecured Wi-Fi hotspots and keep your Wi-Fi turned OFF when not in use.
Iranian hackers compromised former IDF chief’s computer
15.2.2016 Hacking
According to Israel’s Channel 10 Iranian hackers succeeded in gaining access last year to the computer database of a retired Israeli army chief of staff.
Many reports published by security firms warn of the increasing threat represented by Iranian hackers. US and Israeli organizations represent a privileged target for these hackers, last year they used stolen private pictures of IDF’s women soldiers to breach Israeli military server.
According to a report published by the Israel’s Channel 10, hundreds of Israel’s current and former top security officials have been targeted by Iranian hackers.
The report reveals that Iranian hackers compromised computers of 1800 key figures worldwide, most of them from Israel including a former Israeli Army chief-of-staff.
The report speculated the involvement of the hackers belonging to the Iran’s Revolutionary Guards. Experts at the Israeli security firm Check Point Software Technologies promptly identified and blocked the attacks.
The Israeli experts also identified one of the Iranian hackers, Yasser Balachi, that accidentally displayed his email ID. Check Point’s head of security services Ron Davidson, confirmed that the man is a member of an organized group.
“Balachi said that he had not operated on his own initiative but for another cyber organization that commissioned the work,” said Ron Davidson.
Yet it is unclear even now what was the actual extent of the damage and what kind of information did they steal.
It is not clear which is the impact of the attack and which information was exposed.
Iranian hackers are becoming even more aggressive, in November computers at the US State Department and other government employees were targeted by them. The experts linked the attackers with the Iranian Revolutionary Guard, according to investigators the Facebook and e-mail accounts of US State Department officials focused on Iran were compromised to gather data about US-Iranian dual citizens in Iran and about the arrest of an Iranian-American businessman in Tehran in October.
The hackers have taken over social media accounts of junior State Department staff to launch a spear phishing campaign on the employees working in the State Department’s Office of Iranian Affairs and Bureau of Near Eastern Affairs and in the computers of some journalists.
Check Point experts confirmed that the Iranian hackers launched spear phishing attacks against their targets with the intent to infect them with spyware.
In December, a report published by Symantec revealed that Iranian hackers have been using malware to track individuals, including Iranian activists and dissidents.
The researchers identified two groups of Iran-based hackers, dubbed Cadelle and Chafer, which were distributing data stealer malware since at least mid-2014. The experts uncovered the command-and-control servers explaining that registration details indicate the Iranian hackers may have been operating since 2011.
There are a number of indicators that suggest both groups are based in Iran, the Cadelle and Chafer teams are most active during the day time within Iran’s time zone and primarily operate during Iran’s business week (Saturday through Thursday).
In June, experts at Clear Sky spotted a number of cyber-attacks launched from the Iran and targeting Israeli organizations and other entities in the Middle East.
Security experts at ClearSky uncovered a cyber espionage campaign dubbed Thamar Reservoir due to the name of its target Thamar E. Gindin. The investigation led the experts to date the Thamar Reservoir campaign back to 2011, threat actors adopted several attack techniques finalized to the espionage.
The majority of the victims of the Thamar Reservoir campaign was located in the Middle East (550) and belong to Middle East and Iranian diplomacy entities, defense and security industries, journalists and human rights organizations.
Who is behind the Thamar Reservoir campaign?
According to the researchers at ClearSky, the evidence collected suggest the involvement of Iranian hackers. The experts noticed several similarities with other attacks in the same geographic area such as:
Attacks conducted using the Gholee malware, which we discovered.
Attacks reported by Trend Micro in Operation Woolen-Goldfish.
Attacks conducted by the Ajax Security Team as documented by FireEye.
Attacks seen during Newscaster as documented by iSight.
No doubts, Iranian hackers will continue to launch cyber espionage campaigns likely with most advanced malware.
Man charged of Laundering $19.6 Million earned with PBX system hacking
15.2.2016 Hacking
Pakistani citizen Muhammad Sohail Qasmani admits laundering Millions from massive computer hacking and telecommunications fraud scheme.
A Pakistani citizen, Muhammad Sohail Qasmani (47) admitted laundering millions of dollars as part of a massive international computer hacking and telecommunications fraud scheme.
The man worked for a hacking crew that targeted US companies by hacking into their PBX systems.
The organization composed by hackers in Bangkok and Pakhistan targeted American firms identifying live phone extensions that weren’t assigned to a user, the operation was allegedly run by Noor Aziz, 53, from Karachi.
The hackers used these extensions to dial premium-rate phone lines they managed, the gang had reaped more than $50m from its victims.
Muhammad Sohail Qasmani laundered US$19.6M and transmitted money to roughly 650 individuals over four years, the prosecutors sustain that the fraud scheme was a highly professional and well organized.
The man set up 650 bank accounts in ten different countries, the accounts were used to collect the money coming from fraudulent phone lines. The man then forwarded the funds to the other hackers, keeping his commission.
Qasmani was arrested by the FBI on December 22, 2014, when he entered in the US, if convicted, the man risks a maximum sentence of 20 years in jail and a $250,000 fine.
“Thanks to the hard work of the prosecutors and agents on this case, Qasmani acknowledged his role in an international scheme that hijacked the telephone networks of US companies and ran up millions in bogus charges,” said the US Attorney Paul Fishman.
“Today, he admitted moving over $19 million in illicit proceeds across 10 countries and ensuring the dialers and hackers who perpetuated the scheme received their cut.” “The successful investigation of Qasmani is a testament to the dedication, hard work, and commitment of the men and women of the FBI, the Enforcement and Removal Operations of the U.S. Customs and Border Protection, and the State Department,”
While Qasmani will be sentenced in May, Aziz is still at large but present in the FBI’s Most Wanted list.
A flaw in CISCO Universal Small Cell allows firmware retrieval
15.2.2016 Vulnerebility
A flaw affecting the Cisco Universal Small Cell devices allows unauthenticated remote users to retrieve devices’ firmware, so Cisco urges patching these systems.
Other problems for the IT giant Cisco, the company is asking service providers using its Universal Small Cell solutions to update their systems and install a patch to solve a serious security issue.
The Cisco Universal Small Cell family is designed to help operators to integrate 3G and 4G small cell services into the IT infrastructure. The presence of the security issue could allow an unauthenticated remote attacker to access devices’ firmware and make a copy.
“A vulnerability in Cisco Universal Small Cell devices could allow an unauthenticated, remote attacker to retrieve firmware from a Cisco-hosted binary server.” states the Cisco’s advisory.
The advisory highlights a problem in the binary server that wasn’t properly enforcing the two-way certificate validation process, this means that the firmware retrieval process is not restricted to Universal Small Cell devices.
As a consequence, if an attacker is able to retrieve a valid key from a Universal Small Cell device he is able to decrypt the binary images and access information it contains, including the service provider configuration hints file that usually contains reserved information.
Of course, this information could be used by a threat actor to attack the Universal Small Cell devices of a specific service provider.
“The vulnerability is due to insufficient enforcement of the two-way certificate validation process by the Cisco-hosted binary server to ensure that only Cisco Universal Small Cell devices are able to download the firmware images and service provider configuration hints file. ” continues the advisory.”The hints file contains IP addresses of the device’s provisioned service provider Cisco Universal Small Cell RAN Management System. The binary images retrieved from the image distribution service could be decrypted by an attacker who has previously retrieved a valid key from the flash of a Cisco Universal Small Cell device.”
If your organization is using a Cisco Universal Small Cell solution you need to apply the patch asap.
Recently another flaw in Cisco ASA Software alerted the security industry, its exploitation could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
Misconfigured MongoDB allowed manipulation of a Microsoft’s career portal
15.2.2016 Safety
A security expert discovered a misconfigured MongoDB installation behind a Microsoft’s career portal that exposed visitors to attacks.
The security expert Chris Vickery has discovered a new misconfigured MongoDB installation used by a Microsoft’s career portal. The misconfigured MongoDB installation exposed some information and enabled read/write access to the website.
The database also included information on other companies. The database, which is maintained by Punchkick Interactive, a mobile development company hired by Microsoft to manage the m.careersatmicrosoft.com, was promptly secured.
“Microsoft relies on Punchkick to handle the database that powers m.careersatmicrosoft.com. The bad news is that, for at least the past few weeks, this backend database has been exposed to the open internet and required no authentication at all to access.” Vickery wrote in a post published on the MacKeeper blog.
Vickery reported the issue to Microsoft on February 5, as proof of its severity he included a screenshot showing the name, email address, password hash, and issued tokens for Microsoft’s Global Employment Brand Marketing Manager, Karrie Shepro. Punchkick fixed the issue in just an hour.
“The good news is that as of February 5th, following my disclosure of the vulnerability to Punchkick and Microsoft, everything has been secured.”
The misconfigured database could be exploited by hackers to inject malicious code in the web pages used for the job listings and run watering hole attacks.
“The ability to craft arbitrary HTML into an official Microsoft careers webpage is, to say the least, a powerful find for a would-be malicious hacker. This situation is the classic definition of a potential watering hole attack.” Vickery added.
An attacker can use malicious exploit kits to compromise vulnerable visitors’ machines or run a phishing campaign against people searching for a job opportunity at Microsoft.
“In that scenario, any number of browser exploits could be launched against unsuspecting job-seekers. It would also be a fantastic phishing opportunity, as people seeking jobs at Microsoft probably tend to have higher value credentials,” Vickery added.
This incident demonstrates once again the importance of a proper security posture and the efficiency of the patch management process implemented by a company, even when dealing with third-party services.
Stolen card data of 100,000 Britons for sale on the clear web
15.2.2016 Incindent
A website on the clear web is offering for sale stolen card data from more than a million people worldwide including more than 100,000 Britons.
According to a report published by The Times, the website Bestvalid.cc is offering for sale stolen credit and debit card details of 100,000 Britons.
Banking details stolen from more than a million people worldwide goes for £1.67, the list of victims includes former senior adviser to the Queen, bankers, doctors and lawyers.
The site is available on the surface web since at least June and journalists are surprised that law enforcement hasn’t yes seized it.
“The National Crime Agency must act immediately to get this site closed. I will be writing to the NCA to bring this issue to their attention,” said Keith Vaz, chairman of the home affairs select committee.
Politicians are urging the intervention of the police, black marketplaces could be used by the organized crime and radical groups to fund terrorism and other illegal activities.
Aligned with the offer in many black markets hosted on dark web, Bestvalid.cc appears like an ordinary e-commerce, it includes a customer service and refund services for faulty products.
Users can buy stolen payment card data, often completed with further information (i.e. common answer to online banking security questions, postal address of the card holder) that could be used for more sophisticated scams.
A journalist at the Times paid for a lot of data including information from one person he is in contact. He paid in Bitcoin of course and received a package including debit card number, security code, expiry date, mobile phone number and postal address.
When the journalist presented the data to the victim, Laia Humbert-Vidan, 30, a radiotherapy physicist from London, said was disconcerted.
“I don’t feel like the police are able to protect anyone from online fraud. If they were, these types of sites would not exist in the first place.” said Laia Humbert-Vidan.
In the last months the underground market was flooded of data from major data breaches, including the TalkTalk and Carphone Warehouse,
Bestvalid is not hidden in the dark web, it is easy to access and it is one of the biggest websites offering stolen card data.
The cybercrime has a significant economic impact on the economy of every Government, it costs the UK £27 billion a year, and the Centre for Economics and Business Research estimated the same cost at £34 billion a year for businesses alone.
Apple má pěknou díru v iOS: Nastavte špatné datum a z iPhonu bude cihla
14.2.2016 Mobilní
Je až neuvěřitelné, na co lidi přijdou a co všechno může ublížit elektronice. Představte si, že když změníte datum a čas v 64bitových iOS zařízeních (iPhony počínaje 5s, novější iPady a iPody Touch) na 1. leden 1970, s příštím zapnutím už nenabootujete.
Pikantní je, že nepomůže ani připojení k počítači s iTunes a pokus o návrat do továrního nastavení. Musíte do servisu, kde takto „bricknutý“ stroj otevřou.
A neuvěřitelné zprávy pokračují. Vzhledem k tomu, že si systém natahuje aktuální čas z NTP serverů, stačí se připojit na Wi-Fi síť, se kterou si někdo „pohrál“ a nastavil její datum na krizový novoroční den roku 1970. Počítače budou fungovat normálně, Androidy také, ale ze všech připojených iPhonů se postupně stanou nepoužitelné cihly.
Co je na zprávě (původně vystavené na Redditu) pravdy? Nevím, rozhodně ji nehodlám ověřovat na redakčním iPhonu a to samé bych doporučil i vám. Jestli jste přece jen zvědaví, pusťte si následující video.
Zabezpečte si mobilní přístroje silně pomocí protokolu 802.1X
14.02.2016 Mobilní
Poradíme vám, jak zabezpečit mobilní zařízení s operačními systémy iOS a Android pomocí protokolu 802.1X při zachování uživatelské přívětivosti.
Když se uživatelé připojují pomocí zařízení s Androidem do sítě zabezpečené na podnikové úrovni, musí vyplnit mnoho nastavení – a to pro ně může být poměrně matoucí.
Když se ale připojují pomocí přístroje s iOS (iPad, iPhone nebo iPod Touch), musejí obvykle vyplnit jen uživatelské jméno a heslo. Přitom ale nemohou pokročilá nastavení 802.1X v zařízení upravit. Naštěstí ale existují přívětivý způsoby, jak to vyřešit.
Instalace certifikátů v Androidu
Pokud používáte metodu autentizace na základě certifikátu jako TLS, musíte nejprve nainstalovat digitální certifikát uživatele. Ten možná budete chtít načíst do Androidu i v případě, že nepoužíváte autentizaci na něm založenou.
U většiny metod autentizace můžete volitelně nainstalovat certifikát od příslušné autority, který autentizační server používá k zapnutí verifikace. Stejně jako u verifikace serveru ve Windows to může pomoci při ochraně před útoky MITM (člověk uprostřed). Digitální certifikáty jsou malé soubory s příponou jako .p12, .pfx nebo .crt.
V novějších verzích Androidu je instalace certifikátů jednoduchá. Po stažení certifikátu se automaticky otevře obrazovka pro jeho importování. Certifikát pojmenujte a jako způsob použití přihlašovacích údajů vyberte možnost Wi-Fi. Pokud není zabezpečení displeje telefonu aktivované, můžete být vyzváni, abyste jej zapnuli.
Po stažení uživatelského nebo CA certifikátu vás může Android automaticky vyzvat k jeho importu.
Pokud používáte starší verzi Androidu, může být nutné spustit proces importu ručně. Nejprve si stáhněte nebo přeneste certifikát do zařízení. Poté přejděte do nastavení Security (Zabezpečení) nebo Location & Security (Poloha a zabezpečení) a vyberte položku Install from SD card (Instalovat z SD karty).
Poznámka: Namísto SD karty se v některých telefonech uvádí „device storage“ (tj. podle jazykové verze úložiště či paměť zařízení). Pokud jste to ještě neudělali, budete vyzváni k vytvoření hesla pro úložiště přihlašovacích údajů.
Pamatujte si, že nainstalované certifikáty můžete vždy odstranit tak, že v nastavení zabezpečení použijete příkaz Clear credentials (Vymazat přihlašovací údaje), což vám následně v novějších verzích systému Android umožní odstranit PIN či heslo pro zZámek displeje.
Takový úkon však odstraní všechny vámi přidané certifikáty. Chcete-li odstranit jen ty uživatelské, vyberte z bezpečnostních nastavení položku Trusted credentials (Důvěryhodné přihlašovací údaje) a kartu User (Uživatel), kde se jednotlivé certifikáty zobrazí a kde je také možné je mazat.
Nastavení protokolu 802.1X v Androidu
Jakmile se pomocí Androidu poprvé připojíte do Wi-Fi sítě zabezpečené na podnikové úrovni, zobrazí se vám obrazovka s nastavením autentizace. Přestože mohou mít z jejího obsahu někteří uživatelé obavy, jsou na ní obvykle jen dvě povinná pole: identita (uživatelské jméno) a heslo.
Nastavení autentizace zobrazené během počátečního připojení lze později upravit přidržením prstu na názvu sítě.
Pokud se správná metoda EAP nevybere, zvolte metodu podporovanou autentizačním serverem –-- například PEAP, TLS, TTLS, FAST nebo LEAP. Pro většinu metod EAP můžete volitelně zadat certifikát CA, který je ale nutné nejprve nainstalovat, jak se popisuje v předchozí části. Pro TLS můžete také zadat certifikát uživatele, který už musí být nainstalovaný.
Zde jsou nastavení, která najdete při použití metod PEAP nebo TTLS:
Phase 2 authentication (Autentizace fáze 2): Určuje metodu vnější autentizace jako MS-CHAPv2 nebo GTC. Použijte podporovaný autentizační server a mějte na paměti, že MS-CHAPv2 je nejoblíbenější. Pokud nevíte, zkuste vybrat možnost None (Žádná).
Identity (Identita): Zde zadáte uživatelské jméno, které by v závislosti na konkrétní síti mohlo obsahovat také název domény, například jnovak@firma.cz.
Anonymous identity (Anonymní identita): Ve výchozím nastavení se uživatelské jméno (identita) posílá na autentizační server dvakrát. Poprvé nešifrované jako vnější identita (anonymní identita) a podruhé uvnitř kódovaného tunelu jako vnitřní identita. Ve většině případů nemusíte použít skutečné jméno pro vnější identitu, což slídilům zabrání ho zjistit. V závislosti na vašem autentizačním serveru však možná budete muset použít správnou doménu nebo oblast. Pro anonymní identitu doporučujeme používat náhodné uživatelské jméno jako např. „anonym“. Případně, pokud se budoue požadovat doména nebo oblast: „anonym@domena.cz“.
Enter password (Zadejte heslo): Zde samozřejmě zadáte heslo přidružené k zadanému uživatelskému jménu.
Tato nastavení můžete vždy v budoucnosti změnit. Jednoduše dlouze přidržte název sítě a vyberte možnost Modify network config (Upravit konfiguraci sítě).
Instalace certifikátů na zařízení s iOS
Pokud používáte metodu autentizace, založenou na certifikátu, jako je například TLS, musíte pro každé zařízení se systémem iOS stejně jako u systému Android nejprve nainstalovat digitální certifikát uživatele.
U zařízení s iOS však nemusíte ručně instalovat...
Police Arrest 16-year-old Boy Who Hacked CIA Director
13.2.2016 Crime
The teenage hacker, who calls himself a member of hacktivist group "Cracka with Attitude," behind the series of hacks on the United States government and its high-level officials, including CIA director, might have finally got arrested.
In a joint effort, the Federal Bureau of Investigation (FBI) and British police reportedly have arrested a 16-year-old British teenager who they believe had allegedly:
Leaked the personal details of tens of thousands of FBI agents and US Department of Homeland Security (DHS) employees.
Hacked into the AOL emails of CIA director John Brennan.
Hacked into the personal email and phone accounts of the US spy chief James Clapper.
Broke into the AOL emails of the FBI Deputy Director Mark Giuliano.
Federal officials haven't yet released the identity of the arrested teenager, but the boy is suspected of being the lead hacker of Cracka With Attitude, who calls himself Cracka, the South East Regional Organised Crime Unit (SEROCU) told the Daily Dot.
According to the report, Cracka is the same teenage hacker who recently leaked the personal information of 31,000 government agents belonging to nearly 20,000 FBI agents, 9,000 Department of Homeland Security (DHS) officers and some number of DoJ staffers.
Crime Unite Released a Statement
In a statement, the SEROCU confirmed that the unit had arrested a teenager on Tuesday in the East Midlands on suspicion of:
Conspiracy to commit unauthorised access to computer material contrary to Section 1 Computer Misuse Act 1990.
Conspiracy to commit unauthorised access with intent to commit further offences contrary to Section 2 Computer Misuse Act 1990.
Conspiracy to commit unauthorised acts with intent to impair or with recklessness as to the impairing operation of a computer contrary to Section 3 Computer Misuse Act 1990.
Accused Teen: Authorities Ruining My Life
The unit declined to provide any further information on the arrest, but while speaking to Motherboard, the arrested teenager denied being Cracka, saying "I am not who you think I am ;) ;) ;)"
"I am innocent until proven guilty so I have nothing to be worried about," the teen said. "They are trying to ruin my life."
Neither the Department of Justice (DoJ) nor the FBI have yet responded to comment on it.
Nasdaq to Use Bitcoin-style Blockchain to Record Shareholder Votes
13.2.2016 IT
The Nasdaq stock exchange and the Republic of Estonia have announced the use of Blockchain-based technology to allow shareholders of companies to e-vote in shareholder meetings even when they're abroad, according to Nasdaq's press release.
Global stock market giant is developing an electronic shareholder voting system implemented on the top of Blockchain technology that underpins Bitcoins.
Blockchain – the public and decentralized ledger technology underpins all Bitcoin transactions and logs each transfer of an asset in an encrypted "block" that is added to a permanent, transparent chain showing every deal associated with that asset.
Even some of the world's major banks are also considering the adoption of the Blockchain technology.
In the mid of last year, 9 of the World's renowned Banks, including JPMorgan, Royal Bank of Scotland, Goldman Sachs and Barclays, collaborated with New York-based financial tech firm R3 to create a new framework based on Blockchain.
Now, according to Nasdaq, shareholders of the companies listed on the Nasdaq OMX Tallinn Stock Exchange and other Estonian e-residents called "e-Estonians" will now be able to more frequently participate in voting processes without being physically present at a shareholder meeting.
Here's Why Blockchain Technology:
Estonia provides e-Residency that is a transnational digital identity available to people who start businesses online in the nation.
But if these individuals own stock in an Estonian publicly listed company, they are required to physically present or nominate someone else in the shareholder meetings to vote, which is quite a painful process.
However, by using a Blockchain technology a user would be given a so-called private key (a unique long number), assuring they are listed on the e-Residency records held by the Estonian government.
This record will then be sealed on the Blockchain and cannot be altered or tampered with. Now, this private key would be required by you to validate yourself whenever you go to vote in a shareholders meeting online.
So, this would allow the companies and e-Estonians to know for sure that the person voting online is the actual person they say they are.
This is not the first time Nasdaq is deploying Blockchain technology. Nasdaq is already using its own blockchain system, The Nasdaq Linq, that allows private securities issuance between an investor and company.
Nasdaq hopes to complete this blockchain project sometime in 2016.
Here's How to Decrypt Hydracrypt & Umbrecrypt Ransomware Files
13.2.2016 Virus
Over the last few years, we have seen several types of Ransomware malware that demand a whopping amount of money from users for the retrieval of their locked, compromised sensitive files.
We have also witnessed the birth of decryption solution for some of the Ransomware like Cryptolocker (partial), Coinvault, Rescue Kit.
One more solution has recently been released for decryption of newly emerging ransomware, dubbed as Hydracrypt and Umbrecrypt that are propagated through Angler Exploit Kit.
Both of the malware belong to CrypBoss ransomware family.
The source code of CrypBoss Ransomware was leaked last year on Pastebin, which was later analyzed by Fabian Wosar, a security researcher at Emsisoft.
With the help of CrypBoss Source code, Wosar was successfully able to crack the encryption algorithm of the ransomware and quickly made the decryption tool for CrypBoss and its variants (Hydracrypt and Umbrecrypt).
It is found that both Hydracrypt and Umbrecrypt share the same genealogy which got traced back to CrypBoss Ransomware with small modifications in the implementation by its authors.
"Unfortunately the changes made by the HydraCrypt and UmbreCrypt authors cause up to 15 bytes at the end of the file to be damaged irrecoverably" Wosar stated.
The damaged bytes in the encrypted files are trivial (in most of the cases) since it would be used as a buffer data or some trailing bytes, which could easily be re-build by using any file repairing tool (for those 15 bytes).
This doesn't affect much of the decryption process as 99 percent of the files are retrieved without any harm using the released decryptor tool that is available Free to download.
How to Decrypt Ransomware Files?
Double clicking the decryptor executable would initialize the decryption process, and you would get the key once the task gets completed. The time taken to crack the encryption would also depend upon your system's Flip-Flop power.
Once the decryption key is generated, it is better to save it as a hard copy (by writing down in the paper). Now you can run the decryptor tool and select the intended folders to get unlocked. Enter the key once the decryptor tool prompts for it.
To avoid a hotch-potch, users are advised to:
Run the decryptor for a small number of files initially to check whether the decryption procedure is being executed properly.
This would deliver the file ensurity and saves your time.
Make sure whether enough space is present in the hard-drive, so as to take place the decryption.
How to Ensure your Decrypted Data is Legit?
Here's How to Decrypt Hydracrypt & Umbrecrypt Ransomware Files
However, the security team also stated that the result of the Decryption might not be correct as the ransomware, unfortunately, does not leave any information about the original file behind.
To ensure the proper file recovery, initially you have to select the encrypted file along with its original version (somewhere in your cloud or anywhere) and pass it to the decryptor executable by a simple drag-and-drop.
[Note: If you haven't found such, then users can also get a random encrypted file and a random PNG image off the Internet.]
If the resultant output is legit, then you can carry out the same task with the remaining files. As the same algorithm is being followed in the remaining encrypted files, then you would get your files back as normal.
BlackEnergy infected also Ukrainian Mining and Railway Systems
13.2.2016 APT
Experts at Trend Micro discovered strains of BlackEnergy malware involved in the recent attacks against Ukrainian Mining and Railway Systems.
BlackEnergy was in the headlines when the security industry examined the power outage occurred in Ukraine in December 2015.
The BlackEnergy malware is a threat improved to target SCADA systems, the latest variant includes the KillDisk component developed to wipe the disks and make systems inoperable.
The Ukrainian government accused Russia of being involved in the attack that caused the power outages, but further analysis revealed that the BlackEnergy malware was not directly responsible for the outages.
Now Trend Micro announced that have spotted BlackEnergy and KillDisk samples on the systems of a Ukrainian mining company and a major railway operator.
The experts noticed that the systems at the mining company were also infected with multiple variants of KillDisk, these samples implements the same features observed in the KillDisk component that infected the power utilities in Ukraine.
The security researchers believe that the threat actors behind them is the same that targeted the Ukrainian power companies.
The researchers noticed many similarities between the samples, naming conventions, control infrastructure, and the timing of the attacks.
TrendMicro spotted several samples similar to the BlackEnergy variant that infected the Ukrainian power utility, the malware used the same command and control (C&C) servers.
“Like the attacks against the Ukrainian mining company, we also witnessed KillDisk possibly being used against a large Ukrainian railway company that is part of the national Ukrainian railway system. The file tsk.exe (SHA1: f3e41eb94c4d72a98cd743bbb02d248f510ad925) was flagged as KillDisk and used in the electric utility attack as well as against the rail company. This appears to be the only spillover from the Ukrainian power utility infection. However, we have no proof showing that BlackEnergy was present on the railway systems, it could be assumed that it was likely present somewhere in their network.” states a blog post published by Trend Micro.
The experts elaborated several theories about the attack, one of the most plausible is the offensive of a politically motivated persistent attacker that intends to hit Ukrainian critical infrastructure to destabilize the country.
“One is that the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining, and transportation facilities,” Wilhoit said. “Another possibility is that they have deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrestle control over. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base.”
Whichever is the case, cyber attacks against critical infrastructures represent a serious threat against any government.
Microsoft Edge's InPrivate Mode Finally Keeps Your Activity Private
12.2.2016 Safety
Microsoft Edge's InPrivate Mode Finally Keeps Your Activity Private
Browsing the Web in 'Private Mode' is not as private as you think.
Microsoft has patched the Private Browsing Leakage bug in its newest Edge browser with the latest update.
When we talk about Browsers, only one thing which does not strike our mind is Internet Explorer or IE.
Even there were some trolls on Internet Explorer (IE) waving over the social medias such as "The best web browser to download other browsers."
In fact, it was justified as everyone downloads a new browser with IE in their newly installed Operating System.
Due to the continual taunts, Microsoft had scrapped the entire IE and made a new browser called "Edge Browser" (Codenamed "Spartan").
Edge was shipped as the default browser (along with IE) with Windows 10 devices and grabbed the attention of many eye pupils as it included all the features that other mainstream browsers have.
Well, History Repeats Itself
In January this year, it was reported that 'InPrivate' mode of the Edge browser is leaking users' web browsing data.
The InPrivate mode is nothing but Incognito or private support for Windows 10. It has been found storing your browsing history, cookies and cache in a WebCache file on the system, which could be found easily.
Precisely here:
\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
This issue made users feel a repulsive force again and they instantly switched back to other browsers like Firefox or Chrome as the protocols of private browsing mode was correctly followed.
The reported vulnerability was fixed which was included in the update KB 3135174.
The patch update listed as "Fixed issue with Microsoft Edge browser caching visited URLs while using InPrivate browsing."
Microsoft: Windows 10, Edge So Secure They Don't Need EMET
In another statement made by Microsoft, the company officially claimed that its Edge Browser is much more secure than any other browsers and does not need the support of any armour like EMET anymore.
Enhanced Mitigation Experience Toolkit (EMET) is a Windows tool that shields against the execution of software vulnerabilities in Windows Environment.
As of now, Windows had buried a security hole, but let's see what's more coming from the same family.
New York Police Used Cell Phone Spying Tool Over 1000 Times Without Warrant
12.2.2016 Mobil
The New York Police Department (NYPD) has admitted that it used controversial cell phone spying tool "Stingrays" more than 1,000 times since 2008 without warrants.
In the documents obtained by the New York Civil Liberties Union (NYCLU), the NYPD acknowledged that the department has used Stingrays to intercept personal communications and track the locations of nearby mobile phone users.
What are Stingrays?
In my previous article, I have explained the scope of Stingrays along with its working, how it cracks encryption and how the police agencies are using these cell phone spying devices equipped in its military surveillance technology DRTBox in order to:
Track people
Intercept thousands of cellphone calls
Quietly eavesdrop on conversations
Eavesdrop on emails and text messages
Stingrays are small cell phone surveillance devices that work by imitating cellphone towers, forcing all nearby phones to connect to them and revealing the owners' locations. These devices are small enough to be mounted on a plane.
The organization disclosed on Thursday that the NYPD has not obtained a proper warrant before using the cell phone spying device, instead obtained a "pen register order" from a lower-level court, typically used to collect phone call data for a specific mobile phone.
Moreover, the NYPD also does not have any written policy guidelines for Stingrays use. According to the NYCLU, this is the first time the nation's largest police agency has confirmed to using the controversial surveillance technology.
NY Police Used Stingrays 1,016 Times
While Stingrays were most commonly used for serious investigation purposes – like kidnapping, drug trafficking, rape, homicide, assault – the NY Police was also using these devices for investigating money laundering and ID theft.
The police records show that the department used Stingray 1,016 times between 2008 and May 2015, which indicates that the police have been largely relying on Stingrays surveillance and violating the privacy of New Yorkers.
"If carrying a cell phone means being exposed to military-grade surveillance equipment, then the privacy of nearly all New Yorkers is at risk," NYCLU executive director Donna Lieberman says.
"Considering the NYPD's troubling history of surveilling innocent people, it must at the very least establish strict privacy policies and obtain warrants [before] using intrusive equipment like Stingrays that can track people's cell phones."
Warrantless Surveillance
Last year, both the Department of Justice (DoJ) and the Department of Homeland Security (DHS) announced a policy that required the FBI and other federal authorities to obtain a proper court warrant before deploying these tracking devices.
Moreover, some states, including California, also passed a law that requires a court warrant for the use of Stingrays, DirtBoxes and similar tracking devices.
Still, these notorious spying devices continue to be used without warrants and the knowledge of citizens. The NYCLU suggests the departments change its policy "at a minimum" that requires officers to obtain a warrant prior to deploying such devices.
However, in response to this report, the NYPD is justifying itself by saying that they had used the surveillance technology in emergency situations in which the life or safety of someone was at risk and that too after applying for a court order and consulting a District Attorney.
A replica of AlphaBay market used to steal login credentials
12.2.2016 Incindent
Fraudsters operating on the AlphaBay darknet market have deployed a replica of the popular marketplace to steal login credentials from peers.
Paul Mutton, security experts at Netcraft, discovered a fake version of the Alphabay Market (pwoah7foa6au2pul.onion), one of the most popular black markets hosted in the dark web.
Paul Mutton speculates that fraudsters have deployed the fake version of the Alphabay Market in an attempt to steal login credentials.
“Fraudsters operating on the AlphaBay darknet market are using phishing attacks to steal login credentials from other criminals. In this particular attack, the phishing site mimics the address of one of AlphaBay’s Tor hidden services.” wrote Mutton.
AlphaBay is today one of the most interesting black markets, it offers any kind of illegal products and services. It emerged in 2014 following the seizure down of Silk Road, it was founded by members of Russian carding forum and today it is the most important black market for payment card frauds.
The fake website mimics the login page of the Alphabay black market, including the CAPTCHA protection mechanism.
When Alphabay users login to the bogus website are redirected to the legitimate AlphaBay Market.
In order to replicate the legitimate website it was necessary to reproduce also the .onion address that is associated to the hidden service. This address is derived from the public key used to authenticate the connection, this means that it is very difficult to convincingly impersonate the site without having access to the owner’s key pair.
Fraudsters have computed a partial match using tools such as scallion and generate a similar address like pwoah7f5ivq74fmp.onion.
“However, in the case of this phishing attack, the fraudster has simply created a lookalike domain on the public internet, using the address pwoah7foa6au2pul.me.pn.” wrote Mutton.
“This phishing attack makes use of a me.pn domain, which was likely chosen because addresses under this domain can be registered for free, and the “.me.pn” string bears a (somewhat tenuous) similarity to the .onion TLD, at least in terms of its length.”
As explained by Mutton, this phishing attack is another example of fraudsters defrauding fraudsters.
It’s obvious that similar attacks represents a threat only for new users who are deceived by the replica, meanwhile AlphaBay veteran members will never fall victim of such kind of attack.
The FBI requests $38 Million to counter the threat of Going Dark
12.2.2016 Crime
The FBI requests $38 Million to counter the threat of Going Dark, in particular asking more economic resources to break encryption when needed.
The FBI Director James Comey has highlighted in different occasions the difficulties faced by law enforcement when dealing with encryption during their investigations.
Now, the FBI is making its request for budget for the next year, in particular asking more economic resources to break encryption when needed.
Giving a look at the FBI’s Fiscal Year 2017 Budget Request document it is possible to find a specific session titled “Going Dark” that reports the following text:
“Going Dark: $38.3 million and 0 positions The requested funding will counter the threat of Going Dark, which includes the inability to access data because of challenges related to encryption, mobility, anonymization, and more. The FBI will develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools. Current services for this initiative are 39 positions (11 agents) and 31.0 million.”
The FBI asked for $38.3 more million on top of the $31 million already requested in 2015 (a total of $69.3 million) to improve its capabilities to get encrypted data and de-anonymize Internet users.
These numbers demonstrate a significant effort of law enforcement to overwhelm the “going dark” problem.
In December, the FBI’s Director James Comey called for tech companies currently providing users with end-to-end encryption to review “their business model” and stop implementing it.
The end-to-end encryption allows users to communicate securely on the internet making impossible for law enforcement to eavesdrop the traffic.
The IT giants implemented the end-to-end encryption in response to the disconcerting revelations of the NSA whistleblower Edward Snowden about mass surveillance operated by the US Government.
FBI director-James-Comey-img-103113 encryption Going Dark
“FBI Director James Comey on Wednesday called for tech companies currently offering end-to-end encryption to reconsider their business model, and instead adopt encryption techniques that allow them to intercept and turn over communications to law enforcement when necessary.” reported The Intercept.
In the past, the FBI’s Director James Comey already requested IT giants to insert a backdoor in their product to allow law enforcement to decrypt data, but the reply of the companies was negative.
The US authorities have been pressuring companies like Apple and Google in public hearings to provide law enforcement access to decrypted communications whenever there’s a lawful request.
Given the negative response of the IT companies, it is normal that the FBI and intelligence agencies will opt for hacking techniques to break encryption.
“The days of reliable wiretaps are vanishing. [Hacking] is the next best thing for the FBI,” Christopher Soghoian, the principal technologist at the American Civil Liberties Union, told to Lorenzo Bicchierai from MotherBoard.
It is likely the FBI will spend that money to buy hacking tools, including spyware and zero-day exploits, for its investigations.
“38.3 million dollars buys a hell of a lot of malware and zero-day exploits,” added Soghoian.
The FBI already used hacking techniques during its investigations, in particular to de-anonymize criminals on the dark web. A few weeks ago emerged more details on the operation conducted against TorMail in 2013.
Máte root Androidu? Pozor na neoficiální obchody, obsahují malware
12.2.2016 Mobilní
Uživatelé by si měli dávat pozor, pokud stahují aplikace odjinud, než z oficiálního Google Play Store. Bezpečnostní firma odhalila appstory s nebezpečnými aplikacemi.
Čtyři neautorizované obchody s aplikacemi pro Android obsahují aplikace, které se pokouší získat root access do přístrojů, hlásí americká společnost zaměřující se na digitální zabezpečení Trend Micro.
Celkem firma našla 1 163 Androidích balíčků s aplikacemi obsahující malware ANDROIDOS_LIBSKIN.A. Tento malware poskytne aplikaci root access, tedy přístup prakticky ke všem funkcím telefonu.
Takto nakažené aplikace byly staženy v celkem 169 zemích mezi 29. lednem a 1. únorem z obchodů Aptoide, Mobogenie, mobile9 a 9apps.
„Už jsme kontaktovali tyto obchody a informovali je o nebezpečí, ale v době psaní tohoto textu jsme ještě neobdrželi žádné potvrzení z jejich strany,“ napsal Jordan Pan, bezpečnostní analytik pro mobilní zařízení Trend Micro.
Bezpečnostní experti dlouho odrazovali uživatele od používání obchodů třetích stran, které nemají takovou kontrolu kvality jako Play Store. Google ošetřuje všechny aplikace, které do jeho obchodu mají vstoupit – i presto občas dovnitř škodlivý program pronikne. O ten se však Google obvykle rychle postará.
Malware v aplikacích nalezených firmou Trend Micro je vložen mezi normálně fungující aplikace, jako hry nebo programy na streaming hudby. Je o to nebezpečnější a může stáhnout další aplikace do mobilu bez uživatelova vědomí. Může také sbírat data o uživateli. U malwaru standardní funkcí jsou též vyskakovací okna, přesvědčující uživatele ke stažení dalších škodlivých aplikací či přímo virů.
Hey, Apple User! Check If You are also Affected by the Sparkle Vulnerability
12.2.2016 Apple
A pair of new security vulnerabilities has been discovered in the framework used by a wide variety of Mac apps leaves them open to Man-in-the-Middle (MitM) attacks.
The framework in question is Sparkle that a large number of third-party OS X apps, including Camtasia, uTorrent, Duet Display and Sketch, use to facilitate automatic updates in the background.
Sparkle is an open source software available on GitHub under the permissive MIT license by the Sparkle Project with the help of numerous of valuable contributors. The framework supports Mac OS X versions 10.7 through 10.11 and Xcode 5.0 through 7.0.
The Sparkle vulnerabilities, discovered by Radek, a security researcher, in late January and reported by Ars reporter, affect Apple Mac apps that use:
An outdated and vulnerable version of the Sparkle updater framework.
An unencrypted HTTP channel to receive info from update servers.
What's the Issue?
The first loophole is due to the improper implementation of Sparkle Updater framework by the app developers.
The app developers are using an unencrypted HTTP URL to check for new updates, rather than an SSL encrypted channel.
As a result, an attacker in the same network could perform MitM attacks and inject malicious code into the communication between the end user and the server, potentially allowing an attacker to gain full control of your computer.
Video Proof-of-Concept Attack
You can watch the proof-of-concept (PoC) attack video that shows a working attack conducted against a vulnerable version of the Sequel Pro app:
Another proof-of-concept attack was shared by fellow researcher Simone Margaritelli using an older version of VLC Media Player, which has now been updated to patch the vulnerability.
Margaritelli showed how he exploited the flaw on a fully patched Mac running a then-latest version of VLC media player using a technique that streamlines the attack by letting it work with the Metasploit exploit framework.
Another less severe bug in Sparkle has also been discovered by Radek that could be exploited against poorly configured update servers, potentially allowing an attacker to replace an update file with a malicious one.
sparkle-vulnerability
The Sparkle vulnerabilities affected both Mac OS X Yosemite and the most recent version of OS X El Capitan.
Who's Affected?
The Sparkle vulnerabilities affects third-party apps outside of the Mac App Store, which is downloaded from the Internet manually by the user and uses an outdated version of the Sparkle.
Although the actual number of affected apps is not known, Radek estimated the number could be "huge."
Among the affected apps are uTorrent (version 1.8.7), Camtasia 2 (version 2.10.4), Sketch (version 3.5.1), and DuetDisplay (version 1.5.2.4).
Check if You're Affected
Check this list of apps that use Sparkle Updater framework. If you have installed any of these apps on your Apple Mac, you could probably be at risk of being hacked.
Note: Not all of the listed apps communicate over unencrypted HTTP channels or use an outdated version of the framework.
How to Protect Yourself against the Issues?
Although Sparkle has provided a fix for both the vulnerabilities in the newest version of the Sparkle Updater, it is not so easy to install the patch.
Radek warns in an email that the major problem is that developers who created their apps are required to update Sparkle framework inside their apps, which is not trivial.
As the update process requires a developer to:
Download the latest version of Sparkle Updater
Check if the latest version of Sparkle is compatible with their app
Create some test cases, verify update and others
Address this security issue and publish new version of their app
Once this completes, users can check for the app update and download the newest version of the particular app on their computers.
Until this is done, users who are not sure if an app on their computers is safe should avoid unsecured Wi-Fi networks or, alternatively, use a Virtual Private Network (VPN).
In the meanwhile, if you get a prompt for an app update, rather than updating the app via the update window itself, simply visit the app's official website and download the latest version from there, just to make sure that you’re downloading what you actually intend to.
US Intelligence confirms the ISIS used chemical weapons
12.2.2016 Hacking
According to Fox News, the Director of National Intelligence confirmed to the Senate that the Islamic State has used chemical weapons.
In December, a European Parliament report warned that the ISIS organization has already smuggled CBRN material into the EU, the risk of WMD attacks is real.
The intelligence experts speculate the IS has recruited experts with chemistry, physics and computer science degrees to wage attacks with weapons of mass destruction.
“ISIS actually has already acquired the knowledge, and in some cases the human expertise, that would allow it to use CBRN materials as weapons of terror.” said Wolfgang Rudischhauser, Director of the Weapons of Mass Destruction Non-Proliferation Centre at NATO.
The shocking revelation is included in a report of the European Parliament that confirm the ISIS “may be planning to try to use internationally banned weapons of mass destruction in future attacks.”
According to Fox News, the Director of National Intelligence James Clapper confirmed to the Senate on Tuesday that the Islamic State has used weapons of mass destruction (WMDs).
The Islamic State group has used chemical weapons on the battlefield, Clapper did not provide info where WDMs had been used, but he confirmed that in many cases members of the ISIS have used the threaded weapons.
“(The Syrian government) has used chemicals against the opposition on multiple occasions since Syria joined the Chemical Weapons Convention. ISIL has also used toxic chemicals in Iraq and Syria, including the blister agent sulfur mustard,” he stated.
Fox News already published images and videos demonstrating the member of the ISIS were testing chemical weapons. The images showed burns and blistering on
“Photos taken by the Kurds in northern Iraq last summer and fall and reviewed by Fox News show burns and blistering on the skin that a source on the ground there said are consistent with the use of chemical agents. The agents were described as “odorless, colorless and absorbed through the clothing,” causing burns or illness hours later.” wrote FoxNews.
This is the first official confirmation from the US intelligence community that members of the Islamic State have used WMDs. The fear of a possible attack in Europe or US is high, a chemical weapon deployed in a city could kill thousands of unarmed citizens.
isis chemical weapons
“The perceived success of attacks by homegrown violent extremists in Europe and North America, such as those in Chattanooga and San Bernardino, might motivate others to replicate opportunistic attacks with little or no warning, diminishing our ability to detect terrorist operational planning and readiness,” he stated.
The availability of Chemical weapons definitely raises the level of danger of the threat from the radical group.
Once again identity thieves use stolen SSNs in IRS attack
12.2.2016 Computer Attack
The IRS detected roughly unauthorized attempts using 464,000 unique SSNs, and 101,000 attempts allowed crooks in generating PINs.
The U.S. Internal Revenue Service (IRS) recently confirmed that cyber criminals abused the Electronic Filing PIN application.
The Electronic Filing PIN application is running on irs.gov and allows taxpayers to generate a PIN that they can use to file tax returns online. The information necessary to obtain this PIN is the name, date of birth, mailing address and of course, the SSN.
Unfortunately, for identity thieves is quite easy to obtain SSNs online from the dumps resulting from the numerous data breaches occurred in the last months.
SSN numbers, for example, along with other PII are easy to acquire in the various black markets, data breaches of Anthem and CareFirst have made available on the market data related to million customers.
The criminals use this information with an automated bot that is able to generate PINs for the E-File service. In January, the Internal Revenue Service detected roughly unauthorized attempts using 464,000 unique SSNs, and the bad news is that 101,000 attempts allowed crooks in generating PINs.
The agency highlighted that its systems were not breached and no taxpayer data has been exposed.
“The IRS recently identified and halted an automated attack upon its Electronic Filing PIN application on IRS.gov. Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for stolen social security numbers. An E-file pin is used in some instances to electronically file a tax return.” the IRS said in a statement. “No personal taxpayer data was compromised or disclosed by IRS systems.”
“IRS cybersecurity experts are currently assessing the situation, and the IRS is working closely with other agencies and the Treasury Inspector General for Tax Administration. The IRS also is sharing information with its Security Summit state and industry partners,”
The tax agency already notified the users that have been impacted, it sent an email to inform that their accounts have been secured against tax-related identity theft.
A similar incident occurred in May 2015 when the Internal Revenue Service’s Get Transcript system was accessed by unauthorized parties using stolen information.
More than 100,000 taxpayers were impacted by unauthorized accesses, meanwhile the total number of accounts breached exceeded 300,000.
Deep Web Search Engines to Explore the Hidden Internet
11.2.2016 Safety
Do you know: There is a vast section of the Internet which is hidden and not accessible through regular search engines and web browsers.
This part of the Internet is known as the Deep Web, and it is about 500 times the size of the Web that we know.
What is DEEP WEB?
Deep Web is referred to the data which are not indexed by any standard search engine such as Google or Yahoo.
The 'Deep Web' refers to all web pages that search engines cannot find, such as user databases, registration-required web forums, webmail pages, and pages behind paywalls.
Then, there's the Dark Web or Dark Net – a specific part of that hidden Deep Web.
Deep Web and Dark Web are the intriguing topics for the Netizens all around. But when you hear the term 'Deep Web' or 'Dark Web,' you usually categorize them into one.
If yes, then you are wrong.
What is DARK WEB?
Dark Web is where you can operate without been tracked, maintaining total anonymity.
The Dark Web is much smaller than the Deep Web and is made up of all different kinds of websites that sell drugs, weapons and even hire assassins.
These are hidden networks avoiding their presence on the Surface Web, and its URLs are tailed up with .onion.
These [websitename].onion domains are not indexed by regular search engines, so you can only access Dark Web with special software -- called 'The Onion Browser,' referred to as TOR.
TOR is free, and anyone can download it.
Many of us heard about the Dark Web when the largest online underground marketplace Silk Road was taken down following an investigation by United States federal authorities.
But, what if, you can still be able to dig the Darknet contents with your regular browsers, without the need of TOR?
Here's How to Surf & Search the Deep Web without TOR
Solution: Deep Web Search Engines
Search engines like Google are incredibly powerful, but they can't crawl and index the vast amount of data that is not hyperlinked or accessed via public DNS services.
However, there are Deep Web Search Engines that crawl over the TOR network and bring the same result to your regular browser.
Some of such Dark Web Search Engines are:
Onion.City
Onion.to
Not Evil
Memex Deep Web Search Engine
Here are some Deep Web Search Engines:
The WWW Virtual Library
Collection of Deep Web Research Tools
Surfwax
IceRocket
Stumpedia
Freebase
TechDeepWeb
These Deep Web search engines talks to the onion service via Tor and relays, resolve the .onion links and then deliver the final output to your regular browser on the ordinary World Wide Web.
However, there is one consequence of browsing Deep or Dark Web on a regular browser. Working this way will make these .onion search results visible to you, me, and also, for Google.
Moreover, tracker-less search engines are also popular in the TOR culture – like Disconnect, DDG, IXQuick – which ensures your privacy searches.
Importance of TOR
It is worth noting that mere access via TOR is not considered as an illegal practice but can arouse suspicion with the law.
TOR has long been used by Journalists, Researchers, or Thrill seekers in heavily censored countries in order to hide their web browsing habits and physical location, crawl the Deep Web and exchange information anonymously.
However, one of the main reasons behind the rise of TOR is NSA's Surveillance Programs.
After the Assange-Snowden revelations in the past years, public fears about their privacy getting compromised over the Internet.
The reliability of the Internet had been lost that demanded the Ciphers come into action to thwart the Federal Agency's efforts. So comes the need of TOR.
With the help of TOR, the web users could roam around the Internet beyond any fear, keeping themselves and their real identities hidden from federal and intelligent agencies.
This is why TOR is being one of the favorite targets of federal agencies.
Since Tor has long been a target of the government intelligence agencies, most online users do not feel safe to use Tor anymore.
To known how easy it is for government agencies to unmask Tor users, you can read these articles:
How Spies Could Unmask Tor Users without Cracking Encryption
How Hacking Team and FBI planned to Unmask A Tor User
Who lurks in the 'Dark Web'?
According to the recent survey conducted by researchers Daniel Moore and Thomas Rid (in their book Cryptopolitik and the Darknet), it is found that 57% of the Dark Web is occupied by unauthorized contents like Pornography, Illicit Finances, Drug Hub, Weapon Trafficking, counterfeit currency flow and many more.
The netizens had given the shade of illegalities to Dark Web. This is why today Dark Web is being defined as something that is illegal instead of a 'Pool of Information.'
However, there are countless reasons to use Dark Web. But, ultimately, it depends on the surfer what to surf?
Sidelining Darkweb for criminal offenses often gray out the legitimate purposes inside Dark Web.
In the end, I just want to say:
Knowledge is Free! Happy Surfing!
ENCRYPT Act of 2016 — Proposed Bill Restricts States to Ban Encryption
11.2.2016 Security
The last year's ISIS-linked terror attacks in Paris and California has sparked debate on Encryption, and the intelligent agencies started reviving their efforts to weaken encryption on various encrypted products and services.
But, there is some Good News!
California Congressman and Texas Republican are now challenging state-level proposals to restrict US citizens' ability to encrypt their smartphones.
On Wednesday, California Congressman Ted Lieu, one of four members of Congress, and Texas Republican Blake Farenthold, a member of the House Oversight and House Judiciary committees, introduced a new bill in Congress that…
…attempts to ban states efforts to implement their own anti-encryption policies at a state level while a national debate on Encryption is ongoing.
The bill, called "Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016" – in short, "ENCRYPT Act of 2016" – would stop states from individually trying to make major companies change their technology to fulfil law enforcement requirements.
The bill comes almost a month after two state bills in California and New York proposed to ban the sale of smartphones equipped with strong cryptography that cannot be unlocked and accessed by the manufacturer.
ENCRYPT ACT of 2016
Here's what the "ENCRYPT Act of 2016" reads [PDF]:
A State or political subdivision of a State may not order or request that a manufacturer, seller, developer, or provider of covered products or services:
Design, alter or modify the security features in its product or service in an effort to allow the surveillance of its users, or to allow the physical search of such product or service by any federal agency or instrumentality of a State, a political subdivision of a State, or, of course, the United States.
Have the ability to decrypt or otherwise provide intelligible information that is encrypted or otherwise rendered unintelligible using its product or service.
Although the privacy advocates have largely applauded the new bill, it would need to pass both the House of Representatives as well as the Senate, and signed by the President in order to take effect.
However, many federal officers, including FBI Director James Comey, would not be so happy with the proposed bill, as they forced major companies to provide backdoor access to their services.
As Comey previously stressed, "There're plenty of companies today that [offer] secure services to their customers and still comply with court orders. There are plenty of folks who make good phones [and can] unlock them in response to a court order."
But in my opinion, no backdoors can help law enforcement, and intelligence agencies tackle terrorism.
Would Handing Over a Backdoor to the Federal Agencies Help?
As I previously said, "Technically, there is no such backdoor that only the government can access. If surveillance tools can exploit the vulnerability by design, then an attacker who gained access to it would enjoy the same privilege."
Even if these backdoors are not creating vulnerabilities for hackers to attack, we do not trust the government asking for backdoor encryption keys.
Recently Department of Justice or DoJ got hacked by an unknown hacker who leaked personal data belonging to roughly 20,000 FBI agents and 9,000 DHS employees on Monday.
A similar thing happened last year when the US Office of Personnel Management (OPM) got hacked multiple times, exposing extremely sensitive security records of over 21.5 Million government employees.
These incidents prove that the government agencies fail to protect its most sensitive data, so can't be trusted to keep these backdoor encryption keys safe from hackers.
Million CISCO ASA Firewalls potentially vulnerable to attacks
11.2.2016 Vulnerebility
A flaw in Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
It’s a bad period for IT manufacturers, recently the security community has discovered serious and anomalous vulnerabilities affecting popular products like Juniper equipment and Fortinet Forti OS firewalls.
Now, it is now the turn of Cisco, the product line Cisco ASA firewall, a family of devices that is offered for sale as an appliance, blades or even virtual systems.
The Cisco ASA Adaptive Security Appliance is an IP router that acts as an application-aware firewall, network antivirus, intrusion prevention system, and virtual private network (VPN) server.
The part of this that is most pressing is that Cisco claims that there are over a million of these deployed.
Security experts David Barksdale, Jordan Gruskovnjak, and Alex Wheeler of Exodus Intelligence have discovered a critical buffer overflow vulnerability (CVE-2016-1287) that received a CVSS (Common Vulnerability Scoring System) score of 10.
“The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data. A sequence of payloads with carefully chosen parameters causes a buffer of insufficient size to be allocated in the heap which is then overflowed when fragment payloads are copied into the buffer. Attackers can use this vulnerability to execute arbitrary code on affected devices.” is the summary published by Exodus Intel.
It is quite easy for an attacker to exploit the vulnerability in CISCO ASA by sending crafted UDP packets to the vulnerable system. An exploit could allow the attacker to obtain full control of the system
The impact is serious considering that over a million of CISCO ASA firewall has been already deployed worldwide.
“A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the Advisory published by CISCO.
“The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”
Which are the affected devices?
The Cisco ASA Software running on the following products may be affected by this vulnerability:
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco ASA 1000V Cloud Firewall
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco Firepower 9300 ASA Security Module
Cisco ISA 3000 Industrial Security Appliance
If you have one of them patch it as soon as possible.
Zjistili jsme neobvyklou aktivitu, zkoušejí podvodníci nový trik
11.2.2016 Phishing
Česká spořitelna varovala před novými podvodnými e-maily, které se v posledních dnech šíří internetem. Podvodníci se v nich vydávají za pracovníky internetového bankovnictví Servis24 a tvrdí, že na účtu uživatele byla zjištěna neobvyklá aktivita. Ve skutečnosti se z něj pouze snaží vylákat přihlašovací údaje.
FOTO: koláž Novinky.cz
Dnes 11:03
„Zjistili jsme neobvyklou aktivitu ve vašem účtu. Pro vaši vlastní bezpečnost vám doporučujeme: Přihlaste se do Servis24 a okamžitě oznamte jakékoli neoprávněné aktivity,“ vyzývají podvodníci ve phishingové zprávě.
Jak je vidět na obrázku v úvodu článku, uživatelé si u tohoto spamu mohou na první pohled všimnout chybějící diakritiky a některých dalších chyb. Také odesílatel e-mailu je chybný, nejde o oficiální adresu České spořitelny.
Takto vypadá falešná stránka Servis24.
FOTO: Česká spořitelna
Pokud důvěřivci na odkaz ve zprávě skutečně kliknou, dostanou se na podvodné stránky připomínající skutečné internetové bankovnictví Servis24. „Podvodníci se prostřednictvím podvodné zprávy snaží vylákat vaše přihlašovací údaje na podvodné přihlašovací stránce,“ varovali zástupci České spořitelny.
Grafika podvodné stránky je poměrně povedená. Že se jedná o falešnou stránku služby Servis24, mohou nicméně pozornější uživatelé opět poznat podle chybné internetové adresy.
Skutečná podoba služby Servis24
FOTO: Česká spořitelna
„Buďte k e-mailům z neznámých zdrojů velmi obezřetní. Pokud máte podezření, že jste podvodný e-mail obdrželi, nereagujte na něj a v žádném případě neklikejte na odkaz, který je součástí podvodné zprávy. Jestliže jste již na odkaz klikli a vyplnili požadované údaje, ihned kontaktujte klientskou linku České spořitelny na bezplatném telefonním čísle 800 207 207,“ doplnili zástupci banky.
Podobně by lidé měli postupovat nejen v případě, že mají účet u České spořitelny, ale také v případě jiných finančních institucí. Pokud se tedy takovýmto způsobem nechali od kyberzločinců napálit, měli by co nejdříve kontaktovat svou banku.
Současné kyberútoky - mimořádný zisk pro zločince, velká výzva pro firmy
11.2.2016 Počítačový útok
Až desítky milionů dolarů může přinést zločincům jediná kampaň. Jejich práce se totiž výrazně profesionalizuje -- ukazuje se tedy, že pro současné ataky zločinců je nezbytná koordinovaná obrana.
Dohodu o úzké spolupráci v oblasti kybernetické bezpečnosti uzavřely Cisco a Národní bezpečnostní úřad (NBÚ). Cílem je nejen sdílet informace o aktuálních hrozbách, ale i o nových bezpečnostních trendech či postupech.
Cisco kromě zmíněné spolupráce s NBÚ oznámilo i výsledky nedávné studie Cisco Annual Security Report. Podle ní do války v kybersvětě vstupují žoldáci -- týmy kyberpirátů se profesionalizují, disponují špičkovou výbavou a nechávají se najímat na útoky. Například jediná kampaň založená na exploit kitu Angler mohla ročně přinést zločincům až 34 milionů dolarů.
Útočníci prý také stále častěji sahají k legálním zdrojům, které využívají pro své útoky. Pro šíření svých kampaní využívají vlastní infrastrukturu, které vypadá zdánlivě bezpečně.
Například počet zneužitých WordPress domén vzrostl od února do října 2015 o 221 procent. Drtivá většina útoků pak využívá nezabezpečené DNS servery. Autoři studie zjistili, že DNS protokol se stal jedním z pilířů kybernetického útoku v 92 procentech případů.
Dříve používané metody obrany i bezpečnostní strategie jsou proti pokročilým typům jsou podle studie prakticky neúčinné. To vede k tomu, že klesá důvěra manažerů ve schopnost jejich firem ubránit se kybernetickým útokům.
Jak zjistil Cisco Annual Security Report, pouze 45 procent organizací na světě důvěřuje svému stávajícímu zabezpečení proti kybernetickým útokům. V porovnání s výsledky z minulých let toto číslo přitom setrvale klesá.
V celé řadě firem totiž může škodlivý kód existovat v síti až 200 dní, aniž by byl detekován. Právě zkrácení času, po který má útočník přístup k napadené síti je jedním z klíčových prvků bezpečnostních strategií.
„Zabránit proniknutí škodlivého kódu do sítě je dnes prakticky nemožné. Bezpečností strategie musí být založena na schopnosti co nejrychleji napadení odhalit,“ tvrdí Michal Stachník, generální ředitel Cisco ČR.
NBÚ už úzce spolupracuje s dalšími komerčními subjekty, jako je třeba CZ.NIC či Microsoft. Dohoda NBÚ s Ciscem byla oznámená na konferenci CyberSecurity 2016, jejímž pořadatelem je vydavatelství IDG Czech Republic.
Té se letos zúčastnilo více než 300 návštěvníků a kromě tradičních přednášek byla její součástí například i panelová diskuze na téma Ochrana proti pokročilým hrozbám a organizovanému kybernetickému zločinu, jíž se zúčastnili Vladimír Rohel, NBÚ, Karel Šimek, Cisco; Ivo Němeček, Cisco; Tomáš Přibyl, Security Consultant, Jaroslav Dvořák, ÚOOZ a Bohuslav Zůbek z MV ČR.
Cisco zmapovalo virus Angler. Záškodníci na něm vydělají až 34 milionů dolarů ročně
10.2.2016 Viry
Cisco vydalo souhrnnou bezpečnostní zprávu Annual Security Report, ve které zmapovalo aktivitu malwaru Angler, který se mimo jiné specializuje i na útoky typu ransomware, v rámci kterých virus zašifruje uživatelské soubory na počítači a žádá výkupné – zpravidla skrze bitcoin.
Výnosy z jedné malwarové kampaně postavené na softwaru Angler
Podle Cisca dokáže Angler za jediný rok v rámci jedné kampaně přinést až 34 milionů dolarů, je totiž schopen napadnout až 147 serverů každý měsíc a z každého provést až 90 tisíc útoků na klientská zařízení. Ty jsou úspěšné asi v 10 % případů a 3 % obětí pak výkupné skutečně zaplatí. Při průměrné sumě okolo 300 amerických dolarů se konečně dostáváme k cílové částce několika desítek milionů dolarů za celý rok.
Jak může probíhat napadení PC ransomwarem s využitím některého ze zranitelných serverů s Wordpressem
Zpráva si zároveň všímá chabého zabezpečení ve firmách. V 85 % z nich se na podnikových počítačích nacházejí stopy po některém z kybernetických útoků, které zneužívají rozšíření webových prohlížečů.
Gmail bude bezpečnější. Pokusí se lépe detekovat phishing
10.2.2016 Bezpečnost
Google vylepší svůj Gmail o dvě bezpečnostní novinky. Ta první se týká šifrovaného spojení. Pokud bude příjemce (nebo odesílatel) zprávy používat poštovní službu, která nepodporuje šifrované (TLS), Gmail na to upozorní drobnou stavovou ikonou, taková zpráva totiž mezi oběma službami putuje v prostém textu.
Druhá drobná úprava se týká identifikace odesílatele. Pokud se bude Googlu zdát, že se odesílatel vydává za někoho jiného, upozorní na to příjemce symbolem otazníku u jeho avataru. V opačném případě se pokusí zobrazit v případě firem logo aj.
Autentizovaný a nautentizovaný příjemceu
Zatím však není jasné, jestli už jsou novinky skutečně nasazené, při interních testech mě totiž zatím Inbox a Gmail při komunikaci s testovacím poštovním serverem na nic podobného neupozornily.
Jak se kradou stránky na Facebooku? Nenaleťte na phishing
10.2.2016 Sociální sítě
Je zvláštní, jak ochotně lidé uvěří něčemu tak zjevně nesmyslnému. A jak snadno přijdou o účet na Facebooku i stránky s ním spojené.
Na Facebooku se mi ozval jeden ze správců firemních stránek s „Dobrý den, na zdi nám k jednomu příspěvku přibyl komentář – The Last Warning your account will be disabled permanent because your accounts have been reported by other users“. Kompletní příspěvek můžete vidět na obrázku níže a na první pohled je zcela jasné, že nejde o nic jiného, než o klasický phishing.
Podstatné je jen jedno. Moment překvapení a paniky spojené s tím, že „jsme něco provedli a Facebook nám smaže stránku“. Musíte brát v úvahu to, že oslovený člověk moc nerozumí počítačům, nemá žádné zkušenosti a nedokáže rozpoznat, jaká zpráva pochází od Facebooku a jaká ne. A tak místo nahlášení (a tím i skrytí) útočného komentáře klikne.
Přes původní adresu cutt.us/sBW8P?page-security2016 (u které Chrome zobrazuje rudé varování) jej to přivede na page-secuurity2016.cf/index.htm (Chrome protestuje i zde) a tím na formulář pro zadání e-mailu, hesla a data narození. Pokud tohle dotyčný udělá, tak během pár sekund přijde o účet na Facebooku, protože právě předal někomu zcela cizímu přihlašovací údaje.
Ale to není všechno, po odeslání se ještě objeví formulář pro zadání údajů platební karty, tak detailních, že útočník získá okamžitou možnost z ní čerpat peníze.
Po kliknutí už skončíte na stránce „Facebook Safetý“, což je ta, která přidává ony příspěvky a komentáře na cizí stránky.
Jak na podobné věci reagovat?
Přejít na podvodnou stránku (což je autor příspěvku či komentáře) a tam využít menu (v záhlaví vpravo) a stránku nahlásit. Pak se vrátit zpět k příspěvku/komentáři a nahlásit jej také (v pravém horním rohu). Tím se příspěvek zároveň odstraní z vaší stránky, což je také dost důležité k tomu, aby na něj neklikali vaši fanoušci.