Articles 2016 March - English Press English Articles Page 1 2 3 4 5 6 2020 2019 2018 2017 2016 2015 2014 2013 2012
H Analysis Android Apple APT Attack BigBrothers BotNet Congress Crime Crypto Cryptocurrency Cyber CyberCrime CyberSpy CyberWar Exploit Forensics Hacking ICS Incindent iOS IT IoT Mobil OS Phishing Privacy Ransomware Safety Security Social Spam Virus Vulnerebility
Jednotlivé èlánky jsou rozdìleny podle mìsícù a zde je najdete./The articles are broken down by month and can be found here.
2016 - January February March April May June July August September October November December
The code to bypass Apple System Integrity Protection security mechanism fits in a Tweet
31.3.2016 Apple
Apple failed in fixing the System Integrity Protection security mechanism and the exploits code released by a researcher fits in a Tweet .
Last week security media reported a critical privilege escalation flaw (CVE-2016-1757) in the Apple System Integrity Protection (SIP) security mechanism, a vulnerability that was present at the time of the discovery in all the version of the OS X operating system.
This week, Apple issued a security update of OS X El Capitan 10.11.4 and iOS 9.3 to solve the problem, but according to the experts is was ineffective in fixing the privilege escalation vulnerability.
The flaw was discovered by the security researcher Pedro Vilaça from SentinelOne and exposes more than 130 Million Apple customers at risk of hack. The attackers can exploit the flaw for various purposes, for example, the vulnerability could be exploited in a multi-stage attack in which crooks have already compromised the target system and use the flaw to gain persistence on compromised devices.
The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.
System Integrity Protection SIP bypass OS X El Capitan
According to the experts at SentinelOne the flaw allows circumventing the SIP technology bypassing the key security feature without kernel exploits. Now Apple issued a security patch for both OS X El Capitan 10.11.4 and iOS 9.3, but it seems that the update is ineffective, causing the users’ disappointment.
The critical privilege escalation vulnerability in the System Integrity Protection still affects the most recent version of OS for both Macs and iThings.
The popular researcher Stefan Esser, has published a new exploit code to bypass latest patched version of the System Integrity Protection application, and the interesting part is the dimension of the code that fits in a Tweet.
You’ve heard it right, according to the Esser this isn’t the unique flaw affecting the SIP, and most of them are still unfixed.
“Stefan Esser of German security biz SektionEins also gave a talk at this year’s SyScan360 during which he highlighted a bunch of SIP-related vulnerabilities. Esser told The Register “everything in my slides is unfixed” by Apple in the latest version of OS X 10.11 except for two flaws: the kas_info syscall and a malicious mount.” reported El Reg.
“The evil mount worked by mounting a file system over /System and replacing supposedly SIP-protected core OS utilities with attacker-controlled ones (yes, that really worked). It was fixed in OS X 10.11.2. “
ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot
The above code expands to:
ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX
fsck_cs /dev/diskX 1>&-
touch /Library/Extensions/
Reboot
Let’s hope Apple would fix all the open SIP issues as soon as possible.
Here's the Exploit to Bypass Apple Security Feature that Fits in a Tweet
31.3.2016 Apple
Did you install the latest update OS X 10.11.4?
If yes, then you might be wondering with a fact that the Apple had delivered an ineffective patch update this time.
Yes! This news would definitely disappoint many Apple users, as the latest update of OS X El Capitan 10.11.4 and iOS 9.3 still contain a privilege escalation vulnerability that could affect 130 Million Apple customers.
Just last week, we reported about a critical privilege escalation vulnerability in Apple's popular System Integrity Protection (SIP) security mechanism, affecting all versions of OS X operating system.
Even after Apple had fixed the critical flaw in the latest round of patches for Macs and iThings, the SIP can still be bypassed in the most recent version of operating system, leaving Apple users vulnerable to flaws that could remotely hijack their machines.
SIP Bypass Exploit Code Fits in a Tweet
Interestingly, Stefan Esser, a security researcher from Germany, has released a new exploit code to bypass latest patched version of SIP application, which just fits in a Tweet.
Here's the exploit code -- It can be used to modify a crucial OS X configuration file that not even root user is allowed to touch, reported The Register.
ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot
The above code actually expands to:
ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX
fsck_cs /dev/diskX 1>&-
touch /Library/Extensions/
Reboot
The above exploit code successfully bypasses Apple's SIP technology, allowing one to run processes as it is pleased.
What is System Integrity Protection (SIP)?
Apple introduced SIP, a security protection feature to the OS X kernel, with the release of OS X El Capitan, which is designed to restrict the root account of OS X machines and limit the actions a root user can perform on protected parts of the system.
Besides this, System Integrity Protection (SIP) also helps prevent software from changing your startup volume, blocks certain kernel extensions from being loaded and limits the debugging of certain apps.
System Integrity Protection or SIP, by default, protects these folders: /System, /usr, /bin, /sbin, along with applications that come pre-installed with OS X.
This is really a bad time for Apple and its users. Now, let's hope that the company would be more vigilant with its upcoming patch update.
The Linux Remaiten malware is building a Botnet of IoT devices
31.3.2016 Virus
Experts from the ESET firm have spotted a new threat in the wild dubbed Remaiten that targets embedded systems to recruit them in a botnet.
ESET is actively monitoring malicious codes that target IoT systems such as routers, gateways and wireless access points, rather than computers or smartphones.
Security researchers from ESET have discovered a new threat dubbed KTN-RM or Remaiten that targets Internet of Things devices by combining the capabilities of Linux malware known as Tsunami and Gafgyt.
Tsunami is a downloader/IRC Bot backdoor used in the criminal ecosystem to launch DDoS attacks, meanwhile Linux/Gafgyt serves as a backdoor that could be controlled remotely and used as a Telnet scanning.
“Recently, we discovered a bot that combines the capabilities ofTsunami (also known as Kaiten) and Gafgyt. It also provides some improvements as well as a couple of new features. We call this new threat Linux/Remaiten. So far, we have seen three versions ofLinux/Remaiten that identify themselves as versions 2.0, 2.1 and 2.2. Based on artifacts found in the code, the authors call this new malware “KTN-Remastered” or “KTN-RM”.” states the official blog post published by the company.
The KTN-RM malware (aka Remaiten) implements an effective ,’ features an improved spreading mechanism by carrying downloader executable binaries for embedded platforms and other connected devices.
The attack scenario is similar to the one seen in the wild for other IoT threats, the Remaiten malware scan the Internet searching IoT devices that accept Telnet connections, then it tries to connect them by using a dictionary of login credentials. If the malware successfully login the device, it establishes a shell command to download other malicious binaries on the infected system.
The Linux Remaiten downloaders are small ELF executables embedded in the bot binary itself that are executed on the target devices to instruct it in connecting the bot’s C&C server. The researchers at ESET discovered that bot binaries include a hardcoded list of C&C server IP addresses, the bot also sends to the control server information on the infected device (i.e. IP address, login credentials, infection status).
“When instructed to perform telnet scanning, it tries to connect to random IP addresses reachable from the Internet on port 23. If the connection succeeds, it will try to guess the login credentials from an embedded list of username/password combinations. If it successfully logs in, it issues a shell command to download bot executables for multiple architectures and tries to run them. This is a simple albeit noisy way of infecting new victims, as it is likely one of the binaries will execute on the running architecture.” state the post.
The researcher also revealed a curiosity on the malware, the C&C server used for version 2.0 displays a welcome message that references the MalwareMustDie blog, let’s consider it a sort of revenge of the author for the popular team of researchers.
Give a look to the report published by ESET for more technical details about the Remaiten malware.
Microsoft adds Linux Bash Shell and Ubuntu Binaries to Windows 10
31.3.2016 Safety
'Microsoft loves Linux' so much that now the company is bringing the popular Bash shell, alongside the entire Linux command environment, to its newest Windows 10 OS in the upcoming 'Anniversary Update,' Redstone.
The rumours before the Microsoft’s Build 2016 developer conference were true. Microsoft has just confirmed that it is going to enable its users to run Bash (Bourne Again Shell) natively on Windows 10.
Also Read: Microsoft Drops a Cloud Data Center Under the Ocean.
Microsoft has partnered with Ubuntu's parent company Canonical to ensure the Bash experience for users is just as good in Windows OS as it's in variants of Linux.
Although the Goal of the partnership, in the end, is to bring Ubuntu on Windows 10, don't expect it to run Ubuntu directly on Windows 10.
Users will be able to download Bash from the Windows Store. BASH or Bourne Again Shell is capable of handling advanced command line functionalities that are not a cup of tea for Powershell or CMDs.
"The Bash shell is coming to Windows. Yes, the real Bash is coming to Windows," said Microsoft's Kevin Gallo at Build 2016 keynote. "This is not a VM [Virtual Machine]. This is not cross-compiled tools. This is native."
There already exists third-party apps to implement Bash shell running on Windows, such as Cygwin or MSYS. But the new move by Microsoft would eliminate the usage of 3rd party utilities, offering, even more, flexibility for developers who prefer using these binaries and tools.
How to Run Bash on Windows?
run-bash-windows-10
Users just have to follow these simple steps to run Bash on Windows 10 OS:
Open the Windows Start menu
Type "bash"
Hit 'Enter'
This will open a command line console (cmd.exe) running Ubuntu's /bin/bash, Dustin Kirkland, Canonical's Ubuntu Product and Strategy team member, explains in a blog post.
The system features a full Ubuntu user space complete with support for tools including ssh, apt, rsync, find, grep, awk, sed, sort, xargs, md5sum, gpg, curl, wget, apache, mysql, python, perl, ruby, php, vim, emacs and more.
This is not Microsoft Linux for Windows
ubuntu-on-windows-10
Don’t get confused, as Microsoft is not enabling Linux applications to run on top of Windows nor this is "Microsoft Linux." The company is just providing support for Bash on Windows 10 as an expansion of its command-line tool family.
So, the company is working on integrating Ubuntu User Space in Windows 10, as a hacker has already spotted a Linux subsystem in preview build (build 14251) of the Windows 10 code in late January.
ubuntu-windows10-file-explorer
As Kirkland writes:
"So just Ubuntu running in a virtual machine?" Nope! This isn't a virtual machine at all. There's no Linux kernel booting in a VM under a hypervisor. It's just the Ubuntu user space. "Ah, okay, so this is Ubuntu in a container then?" Nope! This isn't a container either.
It's native Ubuntu binaries running directly in Windows. "Hum, well it's like cygwin perhaps?" Nope! Cygwin includes open source utilities are recompiled from source to run natively in Windows. Here, we're talking about bit-for-bit, checksum-for-checksum Ubuntu ELF binaries running directly in Windows.
This isn't Microsoft's first step towards implementing Linux functionality in Windows. Just last year, Microsoft had worked on the Linux Kernel and made a Linux OS called Azure Cloud Switch. It also chose Ubuntu as the operating system for its Cloud-based Big Data services.
Marine Corps Cyberspace Warfare Group, the new hacker unit
31.3.2016 Safety
The United States Marine Corps has launched on March 25th a new hacker support unit named Marine Corps Cyberspace Warfare Group.
It is unnecessary to remind the importance of cyber capabilities in the current military environment. Government and military corps are investing to improve their cyber abilities and exploits the immense possibilities offered by the cyberspace as the fifth domain of warfare.
News of the day is that the United States Marine Corps has launched on March 25th a new hacker support unit, it follows the establishment of other hacking units announced last year.
It is a strategic decision in response to a rapid technological evolution of the military context, the Marine Corps Cyberspace Warfare Group (MCCYWG) is already operative and the assigned resources are expected to rapidly expand in the next year.
The newborn Marine Corps Cyberspace Warfare Group will support the US Marine Corps Forces Cyberspace (MARFORCYBER) established by the US Government in 2010.
The new Marine Corps Cyberspace Warfare Group will train and support hackers working for the US Marine Corps, its members will be involved in both offensive and defensive operations.
“The mission of MCCYWG is to man, train and equip Marine Cyberspace mission teams to perform both defensive and offensive cyber operations in support of United States Cyber Command and Marine Forces Cyberspace Command.” states the official website of US Marine Corps.
“We’ve always had the means to communicate and the means to protect that communication, but today we’re in an environment where those methods are more and more reliant on a system of transmissions, routers and networks,” said Col. Ossen J. D’Haiti, the commanding officer of MCCYWG. “So, the ability to protect that, the ability to control that and deny an adversary to interdict that, is crucial to command and control.”
The official announcement remarks that now more than ever, the Marine Corps is seeing the need for defense of its networks and communications. The Marine Corps Cyberspace Warfare Group will protect the Marine Corps infrastructure from cyber attacks, for this reason, in the announcement, it is described as a sort of virtual “firewall” against the cyber threats.
“Cyber operations as a whole are anything from ensuring your network is secure to home use like when you buy a router, set it up, set up passwords and encryptions,” said Sargent Brian Mueller, member of the unit.
“[Cyberspace operations] ensure that our systems are secure to stop hackers from getting into our systems where our personal identifiable information and everything else is stored,” added Mueller.
“While the offensive side is what can we do to hinder an enemy.”
Below the official description of the new hacker unit and its functions:
“Commander, MCCYWG organizes, trains, equips, provides administrative support, manages readiness, and recommends certification and presentation of Cyber Mission Force (CMF) Teams to U.S. Cyber Command. The MCCYWG plans and conducts full spectrum cyberspace operations as directed by COMMARFORCYBER in support of service, combatant command, joint, and coalition requirements.” states the website of the US Marine Corps.
Key MCCYWG tasks include:
Conduct personnel management to organize and assign individuals to work roles and place them in work centers to ensure operational readiness of CMF Teams
Ensure all personnel are trained in accordance with USCYBERCOM Joint Cyberspace Training and Certification Standards and equipped to perform all duties and tasks outlined in the MARFORCYBER Mission Essential Task List (METL)
Plan for and, when authorized, conduct OCO including computer network exploitation (CNE), cyberspace intelligence, surveillance, and reconnaissance (ISR) and operational preparation of the environment (OPE)
Plan and conduct designated DCO in response to threats against the MCEN, supported combatant command (COCOM) designated networks, and the Department of Defense Information Network (DODIN)
Advise COMMARFORCYBER on force employment considerations
Provide subject matter expertise for operational planning requirements
Enable this New Setting to Secure your Computer from Macro-based Malware
31.3.2016 Virus
Do you deal with MS Word files on the daily basis?
If yes, then are you aware that even opening a simple doc file could compromise your system?
It is a matter to think that the virus does not directly affect you, but it is you who let the virus carry out the attack by enabling deadly "Macros" to view the doc contents that are generally on eye-catching subjects like bank invoice.
How Macros are Crippling your System?
The concept of Macros dates back to 1990s. You must be familiar with this message: "Warning: This document contains macros."
A Macro is a series of commands and actions that help to automate some tasks. Microsoft Office programs support Macros written in Visual Basic for Applications (VBA), but they can also be used for malicious activities like installing malware.
Hackers are cleverly using this technique on the shade of social engineering by sending the malicious Macros through doc file or spreadsheet with an eye-catching subject in the mail to the corporate networks.
Once a user opens the malicious Word document, the doc file gets downloaded to its system. However, danger comes in when the user opens the file, and a popup window appears that states "Enable Editing" to view the content.
microsoft-office-macro-protected-view
Once the users click Enable Editing, the malicious file then begins to perform the notorious activities in the system such as to get embedded into other doc files to proliferate the attacking rate that results in crippling your system network.
All those actions would depend upon payload program defines inside the Macro.
Dridex and Locky are Warning Bells!!!
No other incidents could get you the clear picture on the potential threat of Macro viruses apart from Dridex Malware and Locky Ransomware. Both malware had made use of the malicious Macros to hijack systems.
Over 20 Million Euro had been stolen from the UK banks with the Dridex Malware, which got triggered via a nasty macro virus. The infectious bar of Locky ransomware had also seen an exponential growth in a couple of hours.
How to Protect Yourself from Macro-based Malware?
Step 1: Configure Trusted Location
Block-Macros-Office
Since disabling Macros is not a feasible option, especially in an office environment where Macros are designed to simplify the complex task with automation.
So, if your organization relies on Macros, you can move files that use Macros into the company’s DMZ (Demilitarized Zone), also called Trusted Location.
To configure the trusted location, you can navigate via:
User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
Once configured, the Macros that does not belong to the trusted location would not run in any way, beefing up your system’s security.
Step 2: Block Macros in Office Files that came from the Internet
microsoft-office-macro-security
Microsoft had recently unveiled a novel method by implementing a new tactical security feature to limit the Macro execution attack in MS Office 2016, ultimately preventing your system from hijacking.
The new feature is a group policy setting that lets enterprise administrators to disable macros from running in Office files that come from the Internet.
The new setting is called, "Block macros from running in Office files from the Internet" and can be navigated through the group policy management editor under:
User configuration > Administrative templates > Microsoft Word 2016 > Word Options > Security > Trust Center
It can be configured for each Office application.
By enabling this option, macros that come from the Internet are blocked from running even if you have 'enable all macros' in the Macros Settings.
Moreover, instead of having the option to 'Enable Editing,' you'll receive a notification that macros are blocked from running, as the document comes from an Untrusted Source.
The only way to run that particular Office file is to save it to a trusted location, allowing macros to run.
PayPal flaw allowed hackers to send malicious emails
31.3.2016 Virus
PayPal has just fixed a security vulnerability that could have been exploited to send malicious emails to users via its platform.
Researchers at security firm Vulnerability Lab have discovered a filter bypass and an application-side input validation vulnerability that allowed attackers to inject malicious code into emails sent by the PayPal platform.
“A persistent input validation & mail encoding web vulnerability has been discovered in the official PayPal Inc online-service web-application. The validation and mail encoding web vulnerability allows remote attackers to inject own malicious script codes to the mail header of the portal mails. ” states the post published by the Vulnerability Lab.
When PayPal users create a new account, they can link it to multiple email addresses. Each email address has to be confirmed by the users by providing a confirmation code sent to the account they want to confirm.
hack-paypal
Unfortunately, an attacker could create an account and insert arbitrary HTML code in the account owner field.
The attack scenario is simple, the attacker links the new account to the victim’s email and insert a malicious code in the account owner name. The platform then sends the a confirmation email to that address of the victims, the message includes the malicious code that would get executed when the victims open the email.
The attack could be very insidious because the emails are sent from the legitimate PayPal platform through the account service[@]paypal.com, for this reason, the email is not detected as spam or malicious by the defense systems.
The above attack scenario could be exploited in phishing campaigns, session hijacking, and to redirect users to certain domains managed by the attackers.
Below a proof-of-concept video published by the experts at the Vulnerability Lab.
Vulnerability Lab reported the issue to PayPal in October 2015, the vulnerability has been fixed this month. The company awarded the researcher Kunz Mejri from Vulnerability Lab with $1,000.
The details of the flaw, for which Kunz Mejri received $1,000, were disclosed on Wednesday.
The KimcilWare Ransomware targets Magento Platforms
31.3.2016 Virus
Security experts from the MalwareHunterTeam have discovered KimcilWare ransomware, a malware specifically designed to target Magento e-commerce platforms.
Security experts from the MalwareHunterTeam have spotted a news train of ransomware, called KimcilWare, specifically designed to target Web servers, and more specifically Magento e-commerce platforms.
“A new ransomware called KimcilWare has been discovered that appears to be targeting web sites using the Magento eCommerce solution. It is currently unknown how these sites are being compromised, but victims will have their web site files encrypted using a Rijndael block cipher and then ransomed for anywhere between $140 USD and $415 USD depending on the variant that infected them. Unfortunately, at this time there is no way to decrypt the data for free.” states a blog post published on BleepingComputer.
The KimcilWare ransomware encrypts the files of the Magento platform, it is easy to recognize because it appends the “.kimcilware” extension at the end of each file. rendering the store useless.
“One script will encrypt all data on the web site and append the .kimcilware extension to all encrypted files. It will also insert a index.html file that displays the ransom note shown above. The KimcilWare variant has a ransom amount of $140 USD. You can see an example of a folder encrypted with the KimcilWare script below. ” continues BleepingComputer.
Source BleepingComputer
The malware also uses its index file in order to publish a black page that informs the victims that the server had been encrypted.
“Webserver Encrypted” states the message on the home page “Your webserver files has been encrypted with a unix algorithm encryptor. You must paw 140$ to decrypt your webserver files. Payment via Bitcoin only. For more information contact me at tuyuljahat@hotmail.com.”
Of course, the e-commerce becomes useless once the malware has encrypted all the files.
The bad news is that it is still unknown the infection process, but fortunately, the number of infections is still limited.
The KimcilWare ransomware was first reported on March 3 by the owner of a Magento store (version 1.9.1.0) on StackExchange. The administrator noticed that only one site on a server with multiple Magento instances was infected.
A second case was reported a few days later on Magento’s official forum, from a store owner running version 1.9.2.4. The Magento admin speculates a security issue affecting the Helios Vimeo Video Gallery extension.
Another ransomware having similar capabilities was discovered by the security researcher Jack (@Malwareforme). This second malware is called MireWare and uses the same tuyuljahat@hotmail.com email address in its ransom note included in the index page. From his analysis, MireWare is a variant of the
Jack noticed that MireWare is a variant of the Hidden Tear open source ransomware published by the Turkish security researchers Utku Sen for educational purposes.
The Hidden Tear was intentionally designed with security flaws and Bleeping Computer’s researchers Lawrence Abrams who analyzed MireWare confirmed that also this threat is currently broken due to the lack of a valid SSL certificate for its C&C server.
Experts believe that the KimcilWare ransomware is in its early stages, but that it might rapidly evolve.
If you administrate a Magento store update to the latest Magento store versions and use strong passwords for the admin accounts.
Google has also been Ordered to Unlock 9 Android Phones
30.3.2016 Apple
The legal battle between Apple and the FBI (Federal Bureau of Investigation) over a locked iPhone that belonged to one of the San Bernardino shooters may be over, but the Department of Justice (DoJ) are back in front of a judge with a similar request.
The American Civil Liberties Union (ACLU) has discovered publicly available court documents that revealed the government has asked Google’s assistance to help the Feds hack into at least nine locked Android smartphones citing the All Writs Act.
Yes, Apple is not the only company facing government requests over privacy and security — Google is also in the list.
The Google court documents released by the ACLU show that many federal agencies have been using the All Writs Act – the same ancient law the DoJ was invoking in the San Bernardino case to compel Apple to help the FBI in the terrorist investigation.
Additionally, the ACLU also released 54 court cases in which the federal authorities asked Apple for assistance to help them access information from a locked iPhone. However, this is the first time it has confirmed that Google has also received such requests.
All the cases appear to be closed, and the company is believed to have complied with all of the court orders. As in the majority of cases, Google was required to reset the passwords or bypass the lock screens of Samsung, HTC phones, Kyocera and Alcatel, among a number of other unidentified Android devices.
Unlike Apple, Google Can Reset Android Devices Remotely
In 2015, the New York District Attorney revealed that Google can remotely reset Android device password, in case a court demands access to it.
In other words, unlike Apple, Google has technical abilities to reset device passcode for about 74% of Android users (~Billions) running all versions older than Android 5.0 Lollipop that does not have full disk encryption.
Google had been ordered for technical assistance by many federal agencies over several cases including:
The Department of Homeland Security (DHS) in an investigation of an alleged child pornographer in California.
The FBI in the investigation of an alleged cocaine dealer, who go by the name “Grumpy,” in New Mexico.
The Bureau of Land Management in the investigation of an alleged marijuana grow operation in Oregon
The Secret Service in an unknown court case in North Carolina.
However, Google said none of the cases required the company to write new backdoored software for the federal government.
"We carefully scrutinize subpoenas and court orders to make sure they meet both the letter and spirit of the law," a Google spokesman said in a statement. "However, we have never received an All Writs Act order like the one Apple recently fought that demands we build new tools that actively compromise our products’ security….We would strongly object to such an order."
No doubt, 1789 All Writs Act is being misused as a tool against encryption, which was never intended to allow the government to dictate software design.
TreasureHunt PoS Malware targets small retailers and banks
30.3.2016 Virus
Security experts at FireEye have spotted the activity of a criminal organization that using the custom PoS malware TreasureHunt to target small retailers.
Security experts at FireEye have spotted the activity of a criminal organization that using custom PoS malware family to target retailers. Hackers are using the PoS malware dubbed TreasureHunt or TreasureHunter to steal payment card data and sells it on criminal underground forums.
The researchers found evidence that the threat has been around since at least late 2014. TreasureHunt was first discovered by researchers at the SANS institute who noticed the malware generating mutex names to evade detection.
EMV standardThe US retailers and merchants are adopting payment solutions based on the EMV standard that relies on chip-equipped cards, and for this reason are considered more secure.
A number of factors are hampering the introduction of EMV among small organizations.; the most important is probably is the high cost of the migration that it has been estimated at 8.6 billion dollars.
Consider that the cost of a single POS system that is compatible with EMV technology can reach hundreds of dollars and major retailers like Target will have to pay tens of millions of dollars in hardware. Also, don’t underestimate the additional cost of the introduction of the technology and its test in the live environment.
On the other end, banks will have to spend tens of millions to upgrade their internal systems to manage EMV payment card transactions.
Unfortunately, many cybercriminal groups have started focusing their efforts on organizations that are slow to make the transition, such as smaller banks and retailers. TreasureHunt is one of the tools used by malicious actors in attacks aimed at such organizations.
Clearly, many organizations are more slow in adopting the new standards and crooks are trying to exploit this delay targeting retailers and banks that are slow to make the transition.
TreasureHunt enumerates the processes running on the infected systems and implement memory scraping functions to extract credit and debit card information. Stolen payment card data are sent to C&C servers through HTTP POST requests.
“In this article we examine TREASUREHUNT, POS malware that appears to have been custom-built for the operations of a particular “dump shop,” which sells stolen credit card data. TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server.” FireEye researcher Nart Villeneuve explained in a blog post.
TreasureHunt malware PoS
The experts at FireEye believe that criminals compromised the PoS using stolen or weak credentials, once the TreasureHunt malware infected the systems, it installs itself in the “%APPDATA%” directory and maintain persistence by creating the registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jucheck
“The malware scans all running processes and ignores processes that contain System33, SysWOW64, or \Windows\explorer.exe in their module names. It searches for payment card data and, if found, sends the data encoded back to the CnC server,” FireEye researcher Nart Villeneuve explained in a blog post.
All the TreasureHunt samples have the same compilation timestamp, October 19, 2014., but experts were able to compile a timeline activity of the PoS malware by analyzing VirusTotal submissions and C&C domain registration details.
“While the compile timestamp remains the same as the previous version, the samples were first observed on Nov. 25, 2015, and March 3, 2016. The only significant change in this version is that the malware stores encoded configuration data in the NTFS alternate data streams (ADS) of the file %USERPROFILE%\ntuser.ini. We refer to these samples as version 0.1.1” due to the presence of the following string:
TreasureHunter version 0.1.1 Alpha, created by Jolly Roger
(jollyroger@prv.name) for BearsInc. Greets to Xylitol and co.”
“Jolly Roger” seems to be the author of the malware, likely a member of a hacker crew called “BearsInc” which has been offering stolen payment card data on black markets.
With an increasing number of major firms moving to EMV solution, security researchers expect to see criminals organizations increasingly targeting smaller retailers and banks that are still waiting to adopt the secure technology.
Following revelations on Paris attacks, US lawmakers target burner phones
30.3.2016 Mobil
Paris terrorists used burner phones and US lawmakers have proposed a bill that would force retailers to record the identity of the buyers of these devices.
Law enforcement and intelligence agencies worldwide are fighting against terrorist organizations operating in their territories, but investigations are hampered by the use of encrypted communications. After the Paris attacks, intelligence agencies made many speculations about possible communication channels adopted by the terrorists, including the use of the PS4 messaging system.
New revelations seem to exclude the above hypothesis, terrorists behind the Paris attacks used burner phones and not encryption to avoid being tracked.
“But the three teams in Paris were comparatively disciplined. They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims.” reported The New York Times.
The NYT cites a 55-page report compiled by the French antiterrorism police for France’s Interior Ministry and explains how the terrorists have used phones activated less than an hour before the attacks.
“Everywhere they went, the attackers left behind their throwaway phones,” states the post. “New phones linked to the assailants at the stadium and the restaurant also showed calls to Belgium in the hours and minutes before the attacks, suggesting a rear base manned by a web of still unidentified accomplices.” “Security camera footage showed Bilal Hadfi, the youngest of the assailants, as he paced outside the stadium, talking on a cellphone. The phone was activated less than an hour before he detonated his vest.”
Outside the Bataclan theater venue, the investigators found a Samsung smartphone in a dustbin with a Belgian SIM card used exclusively for the operation.
“It had a Belgian SIM card that had been in use only since the day before the attack. The phone had called just one other number—belonging to an unidentified user in Belgium.”
The police have found several unused burner phones “still in their wrappers” in a place used by the group of terrorists.
Burner Phones are an effective and secure method of communication used by criminals and terrorists. Prepaid phones are very cheap, using different mobile devices and different mobile phone numbers each time it is possible to evade monitoring activities operated by the intelligence agencies.
Soon something can change, at least in the US where lawmakers in California have proposed a new bill that would force retailers to verify and record the identity of the buyers of prepaid burner phones or similar mobile devices, as well as SIM cards.
The proposal was introduced by the Rep. Jackie Speier of California, the politic named it HR 4886, or “Closing the Pre-Paid Mobile Device Security Gap Act of 2016,” which will force require retailers to identify the purchaser of burner phones and SIM cards.
“A BILL To require purchasers of pre-paid mobile devices or SIM cards to provide identification, and for other purposes.” states the text that requests an authorized reseller to require the following information to the purchaser:
The full name of the purchaser.
The complete home address of the purchaser.
The date of birth of the purchaser.
An authorized reseller making a sale to a buyer not in person shall verify the purchaser information provided under section 2 by requiring the purchaser to submit the following information:
Valid credit or debit card account information.
Social Security number.
Driver’s license number.
Any other personal identifying information that the Attorney General finds, by regulation, to be necessary for purposes of this section.
The congresswomen explained that the bill will not eliminate the existence of burner phones, it is a necessary measure to prevent terror plots and many other illegal activities.
Speier Burner Phones
“This bill would close one of the most significant gaps in our ability to track and prevent acts of terror, drug trafficking, and modern-day slavery,” Speier said in a Wednesday blog post. The ‘burner phone’ loophole is [a glaring gap] in our legal framework that allows actors like 9/11 hijackers and the Times Square bomber to evade law enforcement while they plot to take innocent lives. The Paris attackers also used ‘burner phones.’ As we’ve seen so vividly over the past few days, we cannot afford to take these kinds of risks. It’s time to close this ‘burner phone’ loophole for good.”
There are some aspects that the Bill still doesn’t approach correctly, for example, what happen if a criminal uses a stolen identity?
In the SEC. 3. IDENTIFICATION VERIFICATION, under the “Other Sales” section it is contemplated the possibility of selling to people not in person opening the door to fraudulent purchases.
Let’s wait for the Congress opinion on the proposal.
vBulletin resets passwords after a targeted attack
30.3.2016 Incindent
vBulletin has suffered a severe attack last week that breached one of the Germany servers, in response it informed users that all passwords had been reset.
vBulletin has suffered a severe attack last week, in response it informed users that all passwords had been reset. According to the vBulletin developer Paul Marsden one of the Germany servers was breached by an unauthorized party.
“Due to the discovery yesterday of unauthorized access to of one of the VBG servers it is possible the hacker may have gained access to other vb systems as well. Therefore we have again taken the precaution of resetting all user password hashes. To be able to login to the site you will need to use the lost password functionality.
http://www.vbulletin.org/forum/login.php?do=lostpw
We apologise for any inconvenience this may cause.” said Marsden.
The attackers have breached the Germany (VBG – “vbulletin-germany.com”) server, a circumstance that could have allowed them to access other systems of the organization, including “vBulletin.com” and “vBulletin.org.”
At the time I was writing there aren’t other details on the data breach, Marsden highlighted that hackers haven’t used any exploits, a claim supported by the fact that the hackers server doesn’t run any instance of the popular CMS.
Mardden believes attackers have carefully planned the attack:
“I can tell you it wasnt via any vB exploit – in fact, the VBG site doesnt run vbulletin. Someone clearly targetted the site, it was obvious they had planned this quite carefully.”said Marsden.
This isn’t the first time that the platform is targeted by hackers, in November 2015, the official forum was shut down after a hacker using the online moniker “Coldzer0” defaced it.
The website has been defaced and the forum was displaying the message “Hacked by Coldzer0.”
According to DataBreaches.net, vBulletin, Foxit Software forums have been hacked by Coldzer0 that stole hundreds of thousands of users’ records.
The hacker published screenshots that show he managed to upload a shell to the forum website and accessed user personal information, including user IDs, names, email addresses, security questions and answers, and password salts).
As usual, I strongly suggest users to change the passwords on any other website where they shared the same login credentials.
How to Disable Windows 10 Upgrade (Forever) With Just One Click
30.3.2016 OS
If you are a Windows 7 or Windows 8.1 user, who don't want to upgrade to Windows 10 now or anytime soon, you might be sick of Microsoft constantly pestering you to upgrade your OS.
Aren't you?
With its goal to deploy Windows 10 on over 1 Billion devices worldwide, Microsoft is becoming more aggressive to convince Windows 7 and 8.1 users to upgrade to its newest operating system, and it is getting harder for users to prevent the OS being installed.
But if you're worried that this out of control Windows 10 upgrade process will force you into downloading an unwanted OS; I have an easier solution to block Windows 10 upgrade on your PCs.
A new free tool, dubbed Never10, provides the user a one-click solution to disable Windows 10 upgrade until the user explicitly gives permission to install Windows 10.
Never10 has been developed by Steve Gibson, the well-known software developer and founder of Gibson Research, which is why the tool is also known as "Gibson's Never10."
How to Disable Windows 10 Upgrade on Your PCs
Go to Gibson's Never10 official site and click on the Download.
Once downloaded, the program detects if the upgrade to Windows 10 is enabled or disabled on your system and then shows a pop-up. If enabled, Click 'Disable Win10 Upgrade' button.
You’ll again see a pop-up that now shows Windows 10 upgrade is disabled on your system, with two buttons to 'Enable Win10 Upgrade' and 'Exit.' Click on Exit button.
disable-windows10-upgrade
That's it, and you have successfully disabled Windows 10 Upgrade on your PC.
Here's the kicker:
The best part of this tool is that you don't have to install an application on your PC to do this. Gibson’s Never 10 is an executable. So you just need to run it, and it doesn’t install anything on your computer. You can delete it when you're done.
"The elegance of this 'Never 10' utility is that it does not install ANY software of its own. It simply and quickly performs the required system editing for its user," Gibson writes on his page about the new utility.
According to Gibson, Never10 will be a great help to inexperienced users while advanced users will likely appreciate the fact that no additional software is installed and will be able to refer their family and friends to this easy-to-use utility.
For more technical details on how this tool works, you can head on to this link.
Unlike other available Windows 10 blocker tools, Never10 blocks the Windows 10 upgrade, but at the same time, the tool allows you to start the update process in case you change your mind, according to Windows watcher Paul Thurrott.
However, the primary purpose of Gibson's Never10 is to prevent Windows 7 and Windows 8.1 operating system from being upgraded to Windows 10. As Gibson says:
"Many users of Windows 7 and 8.1 are happy with their current version of Windows and have no wish to upgrade to Windows 10."
"There are many reasons for this, but among them is the fact that Windows 10 has become quite controversial due to Microsoft's evolution of their Windows OS platform into a service which, among other things, aggressively monitors and reports on its users' activities."
Moreover, just a month ago, Microsoft was caught displaying unsolicited advertisements on its Windows 10 users' desktops.
These reasons are enough for many users to stay on their previous versions of the Windows operating system.
Microsoft built a special version of Windows 10 just for Chinese Government
30.3.2016 OS
China is very strict about censorship, which makes it difficult for companies to launch their products in the country. But companies like Microsoft are playing smartly to target the largest market in the world.
Microsoft has found a way to enter into the banned Chinese Market, but this time with official support for Chinese Government through a new custom and exclusive Windows 10 version for China.
It sounds like Microsoft has no issues like Apple, which strongly refused the court order to create a special ‘GovtOS’ version to help the Feds with unlocking iPhone.
Microsoft’s CEO for the Greater China region Ralph Haupter has confirmed that the company has built a Chinese government-approved version of Windows 10 OS that includes “more management and security controls” and less bloatware (pre-installed apps).
Specialized Windows 10 'Zhuangongban' for China
In a joint venture with a state-run technology and defense company, CETC (China Electronic Technology Group), Microsoft developed its specialized version of Windows 10 to comply with governmental standards.
The codename for the exclusive version of Windows 10 for China is called "Windows 10 Zhuangongban," which means "Specialized Class."
The customized version of Windows 10 would come with basic apps and additional integrated privacy standards which could be a trust gaining strategy by Microsoft among Chinese nationals.
The initial stern action of Chinese Government to ban Windows from the Chinese desks was the outcome of discontinued support of Windows XP officially by Microsoft. Moreover, the company enforced its XP user base to switch to Windows 8.
According to the survey of Net Applications, a US Based Analytics firm, it is reported that 51% of the Chinese users relies on Windows 7, whereas 32.9% users are still relying on the Windows XP, a discontinued product.
There had been made various efforts made by Chinese Government to build the counterpart of Windows XP called Neo-Kylin. But as the new player is in its infancy, it failed to grab the market attention as it lacked in the technical support.
As no other options left, Chinese Government finally convinced Microsoft to team up with a local technological company (CETC) to build a new OS, and Windows 10 Zhuangongban is the result of the same.
Microsoft's Target -- 1 Billion Windows 10
Microsoft’s goal to install its newest Windows 10 OS on one Billion devices worldwide is not possible without covering the largest market in the world.
Convincing Chinese Government to adopt its Windows 10, even if it is a customized version, is a great achievement for Microsoft, which would help the company reach its 1 Billion goal soon.
China, being the largest populated country in the world is a golden egg client for Microsoft to broaden the Windows 10 market base.
With the Windows 10 Zhuangongban OS, now let’s see: Which Nation would be the next target for Microsoft to play the same move in order to reach its goal? Will it be Germany or Russia??
FBI is fighting back against Judge's Order to reveal TOR Exploit Code
30.3.2016 Safety
Last month, the Federal Bureau of Investigation (FBI) was ordered to reveal the complete source code for the TOR exploit it used to hack visitors of the world’s largest dark web child pornography site, PlayPen.
Robert J. Bryan, the federal judge, ordered the FBI to hand over the TOR browser exploit code so that defence could better understand how the agency hacked over 1,000 computers and if the evidence gathered was covered under the scope of the warrant.
Now, the FBI is pushing back against the federal judge’s order.
On Monday, the Department of Justice (DOJ) and the FBI filed a sealed motion asking the judge to reconsider its ruling, saying revealing the exploit used to bypass the Tor Browser protections is not necessary for the defense and other cases.
In previous filings, the defence has argued that the offensive operation used in the case was "gross misconduct by government and law enforcement agencies," and that the Network Investigative Technique (NIT) conducted additional functions beyond the scope of the warrant.
The Network Investigative Technique or NIT is the FBI's terminology for a custom hacking tool designed to penetrate TOR users.
This particular case concerns Jay Michaud, one of the accused from Vancouver, Washington, who was arrested in last year after the FBI seized a dark web child sex abuse site and ran it from agency’s own servers for the duration of 13 days.
During this period, the FBI deployed an NIT tool against users who visited particular, child pornography threads, grabbing their real IP addresses among other details. This leads to the arrests of Michaud among others.
The malware expert, Vlad Tsyrklevich held by the defense to analyse the NIT, said that it received only the parts of the NIT to analyse, but not sections that would ensure that the identifier attached to the suspect's NIT-infection was unique.
"He is wrong," Special Agent Daniel Alfin writes. "Discovery of the 'exploit' would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud's computer, not what it did once deployed."
In a separate case, the Tor Project has accused the FBI of paying Carnegie Mellon University (CMU) at least $1 Million to disclose the technique it had discovered that could help them unmask Tor users and reveal their IP addresses. Though, the FBI denies the claims.
Bitdefender Vaccine now supports also CTB-Locker, Locky, TeslaCrypt
30.3.2016 Virus
The prevention is better that the cure, users can immunize their PC against CTB-Locker, Locky and TeslaCrypt using Bitdefender Anti-ransomware vaccine.
Security experts from the Romanian security vendor Bitdefender have updated their anti-ransomware vaccine in order to protect machines from the latest versions of the CTB-Locker, Locky and TeslaCrypt ransomware.
According data recently published by Fortinet, top ransomware families are CryptoWall, Locky, and TeslaCrypt, while Cryptowall is predominant, Lock is rapidly spreading.
ransomware infections statistics
The Bitdefender Anti-Ransomware toolkit was developed by the company years ago to help victims of crypto-ransomware to prevent infections.
Some ransomware-decryptors tries to exploit encryption flaws in the ransomware implementation to decrypt files or use encryption keys discovered by law enforcement during their activity.
These conditions are not easy to match, so Bitdefender is promoting the prevention instead the cure by spreading its anti-ransomware vaccine.
The most recent version, 1.0.11.26, includes detection for the latest variant of ransomware in the wild, including CTB-Locker, Locky and TeslaCrypt.
These three ransomware had a different evolution in the last weeks, Locky for example is rapidly spreading meanwhile a new strain of TeslaCrypt appeared in the wild, the version 4.0 with implements significant improvements.
We have no news regarding the CTB-Locker, in fact, there are no new infections in the wild.
“Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families.” state the announcement published by BitDefender.
“The new tool is an outgrowth of the Cryptowall vaccine program, in a way.” Chief Security Strategist Catalin Cosoi explained. “We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea.”
Download the Bitdefender Anti-ransomware vaccine from the company website.
Feds request Judge to review the order to reveal TOR Exploit Code
30.3.2016 Safety
FBI is fighting back against the federal judge’s order to reveal the Tor Exploit and with DoJ filed a sealed motion requesting the review of the ruling.
A few weeks ago, a judge has ordered the FBI to reveal the complete source code for the TOR exploit to defense lawyers in a child porn case.
In a case involving child pornography, the FBI was ruled by a judge to provide all the code used to hack the PC of suspects and detailed information related to the procedure they have followed to de-anonymize Tor users.
Colin Fieman, a federal public defender working on the case was asked by motherborard.vice.com if the code would include exploits to bypass security features, Fieman’s reply was that the code would bypass “everything.”
“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he told to MotherBoard.
Fieman is defending Jay Michaud, a Vancouver public schools administration worker arrested by the FBI right after the FBI closed a popular child pornography site called “Playpen” hosted in the dark web, and where a network investigative technique (NIT)—the agency’s term for a hacking tool.
According to court documents reviewed by Motherboard, the FBI had used the NIT to identify the suspects while surfing on the Tor network.
The FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.”
The FBI was able to harvest around 1300 IPs, and until the moment 137 people have been charged. The network investigative technique used by the FBI included computers in the UK, Chile and Greece.
The defence has argued that the investigation that leveraged on the NIT was “gross misconduct by government and law enforcement agencies,” and that the Tor Exploit conducted operations out of the warrant scope.
In January, a report published by the Washington Post confirmed that in the summer of 2013 Feds hacked the TorMail service by injecting the NIT code in the mail page in the attempt to track its users.
Last month the federal judge Robert J. Bryan ordered the FBI to hand over the TOR browser exploit code in order to allow the defence to understand how the law enforcement used it.
Now, the FBI is fighting back against the federal judge’s order and with the Department of Justice (DOJ) filed a sealed motion requesting the review of the ruling.
The FBI and the DoJ sustain that it is not necessary to reveal the details of the Tor exploit.
The security expert and exploit developer Vlad Tsyrklevich who analyzed the Tor Exploit for the defense explained that he received only a portion of the NIT code, but he argued to haven’t reviewed the portion of code that link NIT identifier with a specific suspect.
“He is wrong,” Special Agent Daniel Alfin writes. “Discovery of the ‘exploit’ would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud’s computer, not what it did once deployed.”
Remotely Exploitable Bug in Truecaller Puts Over 100 Million Users at Risk
29.3.2016 Crime
Security researchers have discovered a remotely exploitable vulnerability in Called ID app "Truecaller" that could expose personal details of Millions of its users.
Truecaller is a popular service that claims to "search and identify any phone number," as well as helps users block incoming calls or SMSes from phone numbers categorized as spammers and telemarketers.
The service has mobile apps for Android, iOS, Windows, Symbian devices and BlackBerry phones.
The vulnerability, discovered by Cheetah Mobile Security Research Lab, affects Truecaller Android version of the app that has been downloaded more than 100 Million times.
The actual problem resides in the way Truecaller identify users in its systems.
While installation, Truecaller Android app asks users to enter their phone number, email address, and other personal details, which is verified by phone call or SMS message. After this, whenever users open the app, no login screen is ever shown again.
This is because Truecaller uses the device's IMEI to authenticate users, according to researchers.
"Anyone gaining the IMEI of a device will be able to get Truecaller users' personal information (including the phone number, home address, mail box, gender, etc.) and tamper app settings without users' consent, exposing them to malicious phishers," Cheetah Mobile wrote in a blog post.
Cheetah Mobile researchers told The Hacker News that they were able to retrieve personal data belonged to other users with the help of exploit code just by interacting with Truecaller's servers.
On a successful exploitation of this flaw, the attackers can:
Steal personal information like account name, gender, e-mail, profile pic, home address, and more.
Modify a user's application settings.
Disable spam blockers.
Add to a black list for users.
Delete a user's blacklist.
Cheetah Mobile informed Truecaller of this flaw, and the company updated their servers as well as released an upgraded version of its Android app on March 22 in order to prevent abuse exploiting this flaw.
Truecaller said in its blog post published Monday that the vulnerability did not compromise any of its user information.
If you haven’t, download the latest version of Truecaller for your Android devices from the Google Play Store Now!
5 Things Google has Done for Gmail Privacy and Security
29.3.2016 Security
Over the past few years, Google has increasingly improved the online security and protections of its Gmail users.
Besides two-factor authentication and HTTPS, Google has added new tools and features to Gmail that ensures users security and privacy, preventing cyber criminals and intelligence agencies to hack email accounts.
1. Enhanced State-Sponsored Attack Warnings
Enhanced State-Sponsored Attack Warnings
Apple vs. FBI case urged every company to beef up the security parameters to prevent their services from not just hackers but also the law enforcement.
Google for a while now has the capability to identify government-backed hackers, and notify potentially affected Gmail users so they can take action as soon as possible.
Google recently announced on its blog post that it will alert Gmail users about the possibility of any state-sponsored attack by showing them a full-page warning with instructions about how to stay safe — very hard to miss or neglect.
Meanwhile, the company revealed that over 1 Million Gmail accounts may have been targeted by government-backed hackers so far.
Although Google has warned Gmail users of state-sponsored attackers since 2012, the company neither disclosed the exact number nor explained how it knows of such hacking attacks.
However, Google said that it knows who the targets are – the list often includes "activists, journalists, and policy-makers taking bold stands around the world."
2. SMTP Strict Transport Security (SMTP STS)
SMTP Strict Transport Security (SMTP STS)
A new security feature dubbed "SMTP STS" has been on the bench of the Internet Engineering Task Force (IETF) to obtain a green signal.
This new email standard is developed in a joint effort by the engineers of top email services including Google, Microsoft, Yahoo!, Comcast, LinkedIn, and 1&1 Mail & Media Development.
SMTP STS has been designed to enhance the email security by preventing Man-in-the-Middle (MitM) and encryption downgrade attacks that have compromised past efforts like STARTTLS at making SMTP a more secure protocol.
SMTP Strict Transport Security (SMTP STS) runs on top of the STARTTLS feature to strengthen SMTP standard.
SMTP STS will check if recipient supports SMTP STS and has valid and up-to-date encryption certificate. If everything goes well, it allows your message to go through. Otherwise, it will stop the email from sending and will notify you of the reason.
3. End-to-End Encryption (via Chrome Extension Only)
Google announced the End-To-End encryption for its users almost two years ago, but still, the novel feature is yet to release.
The idea is to develop a browser extension that ensures its users Privacy by implementing the complex, yet secure PGP (Pretty Good Privacy) encryption in an attempt to fully encrypt messages that even Google can not read, nor anyone else other than the users exchanging the emails.
With this goal in mind, the browser extension will let users create their private and public encryption keys within their browsers. The public key will be uploaded to Google's servers, while the private key will be stored locally in the browser.
How the End-to-End Chrome Extension Works:
gmail-end-to-end-encryption
When a user sends an email to the other user with a PGP key, his or her browser will automatically download the other user's public key from the server and encrypt the content of the email.
However, the work is still in progress, and the company has not revealed that when it is planning to release the browser extension.
Although Google made the source code for its End-to-End Chrome extension open source via GitHub almost a year ago, so that researchers can review it, the stable version is yet to release.
For now, you can try an alternative method to send encrypted emails. We have written a step-by-step tutorial article on how to send end-to-end encrypted emails to others.
If difficult, you can try a Swiss-based, ProtonMail, a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications to keep user's personal data safe.
4. Gmail's Red Padlock Alert
gmail-red-padlock-alert
Previously there was no method to ensure whether the received email had been traversed via an encrypted channel or not, which could be subjected to scrambling or Man-in-the-Middle (MiTM) attacks.
But last month, Google introduced a security measure in Gmail service in the form of a small Red Padlock next to a sender's email address in an effort to highlight users if the message has been sent through an unencrypted channel.
If a Gmail user receives an email from other services that don't support TLS encryption, the feature gives warning by showing an open red lock next to the sender’s email address (as shown).
These unencrypted emails then went to spam, increasing Gmail security of its users.
5. Google Safe Browsing For A Quick Malware Check
Google Safe Browsing For A Quick Malware Check
One of Google's recent changes is the expansion of its 'Safe Browsing' notifications.
The malicious links spread via emails are an easy hit method to infect a large number of users after forcing them to visit malicious web pages controlled by hackers.
However, the Safe Browsing feature protects Gmail users by identifying potentially dangerous links in emails.
The automated agents in the mail scan the content of emails for spam and malware detection. And before opening the link, Gmail inspects the complete mail and prevents the user to open the malicious links in the main upon a quick scan.
The features that are being added by Google helps the privacy of Gmail users and stricken the email confidential policies.
FBI Has Successfully Unlocked Terrorist's iPhone Without Apple's Help
29.3.2016 Apple
End of Apple vs. FBI. At least for now, when the FBI has unlocked iPhone successfully.
Yes, you heard it right. The Federal Bureau of Investigation (FBI) has unlocked dead terrorist's iPhone 5C involved in the San Bernardino shooting without the help of Apple.
After weeks of arguments, the United States government is withdrawing its motion compelling Apple to build a backdoored version of its iOS that can help the agency unlock iPhone of San Bernardino gunman Syed Farook.
The Department of Justice (DOJ) says that FBI has successfully accessed iPhone's data with the help of an undisclosed alternative method and that it no longer needs Apple's assistance.
"The government has now successfully accessed the data stored on Farook's iPhone and therefore no longer requires the assistance of Apple," the attorneys wrote in a court filing Monday. "Accordingly, the government hereby requests that the Order Compelling Apple Inc to Assist Agents in Search dated February 16, 2016, be vacated."
Meanwhile, a DoJ spokeswoman said in a statement: "The FBI is currently reviewing the information on the phone, consistent with standard investigatory procedures."
Last week, the DoJ delayed its court hearing against Apple so it could try a possible method of unlocking iPhone for which they have hired an "outside party".
At the time, Apple said it did not know any way to gain iPhone's access but hoped that the Feds would share with them any information of loopholes that might come to light in the iPhone.
Although the technique the FBI used to crack the iPhone is not disclosed and likely will not be any time soon, several experts suspect it involved NAND Mirroring.
Nand Mirroring is a technique used to copy the contents of the phone's NAND memory chip and flash a fresh copy back onto the chip when the max number of attempts is exceeded.
With the discovery of the alternative method, the legal battle between the FBI and Apple seems to be over in this particular case, but it does not end the overall battle about privacy and security.
As Apple has issued a statement, saying the company is committed to continuing its fight for civil liberties and collective security and privacy.
The full statement (via Verge) from Apple reads:
From the beginning, we objected to the FBI's demand that Apple builds a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government's dismissal, neither of these occurred. This case should never have been brought.
We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated.
Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk.
This case raised issues which deserve a national conversation about our civil liberties, and our collective security and privacy. Apple remains committed to participating in that discussion.
FBI breaks into San Bernardino shooter’s iPhone
29.3.2016 Apple
The Department of Justice says the FBI has broken into the iPhone used by the San Bernardino shooter, it no longer needs the help of Apple.
The US Department of Justice (DoJ) announced it has broken into San Bernardino shooter‘s iPhone and it had accessed encrypted stored on the device.
After a long battle between Apple and the FBI, the DoJ now no longer needs the company to help unlock the iPhone 5C used by one of the San Bernardino terrorists.
The DoJ had originally sought to force Apple in providing a method to access data on the terrorist’ iPhone device, a couple of weeks ago DOJ released a brief filing that threatens to force Apple to hand over the iOS source code if it will not help the FBI in unlocking the San Bernardino shooter ’s iPhone.
Now the El Reg published a filing made Monday to the Central California District Court that confirms prosecutors have successfully extracted data from the iPhone.
“The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by the court’s order compelling Apple Inc. to assist agents in search, dated February 16, 2016,” reads the DoJ request.
The DoJ hasn’t provided details on the procedure used to break into the San Bernardino shooter ‘s iPhone, nor revealed the name of the firm that supported the FBI in the operation.
Last week security experts speculated the involvement of the Israeli mobile security firm Cellebrite.
Despite the intense legal battle between Apple and FBI, security experts have always confirmed the existence of methods to unlock the iPhone devices.
Data could have been accessed with either hardware or software techniques, this means that in the future the FBI could use the same methods in other cases, as explained by the security expert Jonathan dziarski.
If the method used in this case turns out to be a software method, from what I see of the OS, the method could work on newer devices too.
A law enforcement official, speaking to the CNN on condition of anonymity, explained it was “premature” to say whether this method works on other Apple devices. He added that the method used by law enforcement worked on this particular phone, an iPhone 5C running a version of iOS 9 software.
Snowden always declared that the US Government has the technology to crack the security measures implemented by Apple.
Snowden in a video call at Blueprint for a Great Democracy conference accused the FBI of lying defining its declaration as absurd, in reality, he used a more colorful expression.
“The FBI says Apple has the ‘exclusive technical means’ to unlock the phone,” said Snowden in video conference “Respectfully, that’s horse sh*t.”
Snowden opinion on Apple vs FBI case San Bernardino shooter
On the same day, Snowden shared via Twitter a link to an American Civil Liberties Union blog post titled “One of the FBI’s Major Claims in the iPhone Case Is Fraudulent,” which explains that the FBI has the ability to bypass iPhone protection mechanism.
The fact that the FBI was able to successfully crack the phone without Apple’s help demonstrates that tech giants need to improve their efforts to protect users’ privacy.
USB Thief, the new USB-based data stealing Trojan
29.3.2016 Virus
USB Thief, the new USB-based data-stealing Trojan discovered by ESET that relies on USB devices in order to spread itself and infect also air-gapped systems
Security researchers at ESET have discovered a new insidious data-stealer, dubbed USB Thief (Win32/PSW.Stealer.NAI), that relies on USB devices in order to spread itself.
USB Thief is able to infect air-gapped or isolated systems does not leave any trace of activity on the infected systems.
Malware authors have implemented special techniques mechanisms to protect USB Thief from being detected and analyzed. The authors also implemented an advanced multi-staged encryption process to protect the Trojan.
“The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,” wrote Tomáš Gardoò, a malware analyst at ESET.
“This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze.
Badusb
The USB Thief Trojan malware can be stored either as a Dynamically Linked Library (DLL) used by the portable applications or as a portable application’s plugin source.
Mobile devices are usually used to store portable version of common applications like Firefox, TrueCrypt, and Notepad++. When victims launch the portable application the USB Thief runs in the background.
“Unfortunately, this is not the case with the USB Thief as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on.” continues the post.
The malware completely resides on the USB device, it doesn’t leave any trace of its presence. According to the experts at the ESET any tool that could be used to breach an air-gapped network must be taken into account.
“Well, taking into account that organizations isolate some of their systems for a good reason,” said Peter Stancik, the security evangelist at ESET. “Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous.” “People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy.”
How can organizations prevent attacks based on USB Thief from succeeding?
Do not use USB storage devices from sources that may not be trustworthy.
Disable USB ports wherever possible.
Define strict policies to enforce care in the use of USB devices.
Train the staff on cyber threats.
1 million Gmail accounts victim of state-sponsored hacking
28.3.2016 Incindent
Google is improving its Gmail warning service to help protect the customers from state-sponsored hacking and surveillance activities.
Google confirmed that one million Gmail accounts might have been targeted by nation-state hackers.
The news is worrying, the company is observing a significant increase in the number of hacking attacks on user email accounts.
Google announced that it is able to identify operations carried out by state-sponsored hackers and it is its intention to notify potentially affected customers.
Google hasn’t provided details on the number of affected customers, anyway , it confirmed that the list of victims “often” includes “activists, journalists, and policy-makers taking bold stands around the world.”
Google confirmed that only a limited number of customers are targeted by state-sponsored hackers, roughly less than 0.1% of users ever receive a notification from the company that anyway consider critic to inform users on ongoing attacks.
In the past, users received a warning through a pink Warning tab present on top of Gmail urging victims to adopt necessary countermeasures.
Google state-sponsored hacking notifications
Now Google has improved the notification messages using a full-page warning related to state-sponsored hacking.
“Today, we’re launching a new, full-page warning with instructions about how these users can stay safe. They may see these new warnings instead of, or in addition to, the existing ones.”
Google is improving its “safe browsing” security notifications, a mechanism to inform users when they are going to open suspicious links included in receiving emails. The users will receive a full-page notice before opening the link, meanwhile, in the past the same notification was provided before a link was clicked.
“Safe Browsing already protects Gmail users by identifying potentially dangerous links in messages. Starting this week, Gmail users will begin to see warnings if they click these links, further extending this protection to different web browsers and email apps. ” States the security advisory published by Google.
Google is continuing to push email encryption to protect its customers from government surveillance. Google is working with IT Giants, including Comcast, Microsoft, and Yahoo, to propose a new secure email mechanism.
In the last weeks, Google implemented a mechanism to warn Gmail users when they send and receive email over unsecured connections.
“This has had an immediate, positive effect on Gmail security. In the 44 days since we introduced it, the amount of inbound mail sent over an encrypted connection increased by 25%. We’re very encouraged by this progress! ” states Google.
“Given the relative ease of implementing encryption and its significant benefits for users, we expect to see this progress continue.”
Watch out, IRS Tax Fraud activities on the rise
28.3.2016 Safety
Security experts and government agencies confirm that IRS Tax Fraud And Phishing campaigns are increasing thanks to new techniques and tools.
Internal Revenue Service tax fraud has reached a peak in the last year, crooks are intensifying their activity adopting new techniques to monetize their efforts.
According to security experts that are monitoring the phenomena, Tax-related phishing activities are increasing in this period.
This is a critical period in the US, the so-called Tax season, that will end on April 18th. In February, an IRS bulletin confirmed that there is a 400 percent surge in tax-related phishing and malware incidents.
“Tax-related phishing is something of an annual phenomenon, but Proofpoint researchers are seeing a degree of sophistication and pervasiveness that sets this year apart,” states a report published by the Proofpoint firm that analyzes tax fraud trends.
Crooks are trying to exploit new habits of taxpayers, for exampletheit preference for mobile platforms. Security experts observed a mobile-optimized phishing site that appears as a legitimate tax application and that targets mobile users.Proofpoint confirmed to have discovered a number of phishing sites hosted on major providers which were shut down by the ISPs after their discovery.Tax-related frauds are considering an emergency for law enforcement, hundreds of thousands of users are potentially at risk.
Recently, IRS services were abused by cyber criminals to target taxpayers, in May 2015 the Internal Revenue Service suffered a data breach. Hackers “used an online service provided by the agency” to access data for more than 100,000 taxpayers. The IRS issued an official statement on the incident and specified that the compromised system was “Get Transcript.” The Transcript service could be used by taxpayers to get a transcript online or by mail to view their tax account transactions.
In August 2015, the Internal Revenue Service disclosed a new review of its system, revealing that 334,000 taxpayers (more than three times it initially estimated) may be affected by the hack it announced in May.
In February the IRS detected roughly unauthorized attempts using 464,000 unique SSNs, and 101,000 attempts allowed crooks in generating PINs.
The U.S. Internal Revenue Service confirmed that cyber criminals abused the Electronic Filing PIN application running on irs.gov that allows taxpayers to generate a PIN that they can use to file tax returns online.
Last figures available on the ‘Get Transcript’ hack revealed that 700,000 taxpayers were affected by the data breach, the government experts observed 47 million tax transcripts requested under false pretenses, a worrying phenomenon.
This year, security firms and government agencies are observing some new worrying attacks targeting businesses with W-2 phishing campaigns. W-2 information could be used by fraudsters to file victim’s taxes and request refunds in their name.
The crooks are also trying to monetize tax-related voice-phishing in order to obtain information to use in the fraudulent activities.
The experts are observing an increased interest in criminal ecosystem for stolen information that could be exploited in tax refund fraud. This precious commodity is becoming popular also in the principal black markets in the dark web.
Attackers are using this information to abuse of the IRS’ electronic filing PIN verification system and file a fake return under on the victim’s behalf and requesting the payment through a fraudulent bank account. The FBI confirmed a significant increase of the Stolen Identity Refund Fraud (SIRF), victims of this kind of crimes are specific categories of individuals like homeless and prisoners.
“SIRF is relatively easy to commit and extremely lucrative for criminal actors. While all U.S. taxpayers are susceptible to SIRF, over the past year, criminal actors have targeted specific portions of the population, including: temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, senior citizens, and military personnel deployed overseas.” states the FBI.
Another worrying trend observed by ProofPoint is the availability of tax phishing kits that have reached a high level of quality.
These kits are available for sale in the principal black market places and implements a number of features that allows crooks to avoid detection.
“Sophisticated phishing kits custom-made for tax season dramatically boost threat actors across the spectrum to go after the taxpayers. Whether optimized for mobile (in the case of the fake tax preparation software) or “hiding in plain sight,” these kits are powerful tools for cyber criminals. We even observed a kit correctly using SSL, leveraging the secure form-delivery capabilities of the particular service provider they used. Correctly signed certificates make the phishing sites harder to detect for end users, web browsers, and security providers, giving attackers a leg up during tax season—even with commodity kits.” states ProofPoint.
Taxpayers have to be careful, cyber criminals will do every thing to steal their money.
6 Charged for Hacking Lottery Terminals to Produce More Winning Tickets
28.3.2016 Hacking
Police have arrested and charged six people with crimes linked to hacking Connecticut state lottery terminals in order to produce more winning tickets than usual.
Prosecutors say all the six suspects are either owners or employees of retail stores that produced a much higher number of winning tickets than the state average, according to the Hartford Courant.
Suspects Hacked Lottery Terminal
The alleged group set up machines to process a flood of tickets at once that caused a temporary display freeze, allowing operators to see which of the tickets about to be dispensed would be winning tickets, cancel the duff ones, and print the good ones.
The hack appears to have exploited some software weaknesses in lottery terminals that not only caused ticket requests to be delayed but also allowed operators to know ahead of time whether a given request would produce a winning ticket.
The actual culprit, in this case, was a game dubbed "5 Card Cash."
The alleged suspects manipulated automated ticket dispensers to run off 5 Card Cash game that consists of tickets a user can buy, on which playing cards are printed.
If 5 cards form a winning poker hand, then the buyer can cash the tickets based on the hand they received.
Authorities Suspended 5 Card .Cash Lottery Game
Authorities had already suspended the 5 Card Cash lottery game in Connecticut past November after discovering that the game was generating more winning tickets than its winning range parameters should have technically permitted.
The six suspects are:
Vikas Patel, 32, from Windsor
Pranav Patel, 32, from Bloomfield
Sedat Kurutan from Naugatuck
Moinuddin Saiyed from Norwalk
Prakuni Patel from Wallingford
Rahul Gandhi from Wallingford
Pranav Patel and Vikas Patel were arrested on Friday, March 19 while the rests took into custody between February 29 and March 7.
The charges filed against Vikas and Pranav include first-degree felony counts of larceny and computer crime as well as felony rigging a game charges. Both of them have been bailed on $25,000 bonds each and are scheduled to appear in court on Monday.
Investigators for the Department of Consumer Protection and the Connecticut Lottery say that many clerks were abusing lottery tickets to fetch out more winning tickets that they would later cash in for themselves, and that more arrests may be made in the future.
PowerWare ransomware, a new fileless threat in the wild
28.3.2016 Virus
Experts at Carbon Black spotted in the wild a new threat dubbed PowerWare ransomware that exploits PowerShell, the native Windows framework.
Authors of ransomware are implementing new features to make their malware even more dangerous and effective. Yesterday I wrote about the new Petya ransomware, which overwrites MBR causing a blue screen of death, now I will introduce you a threat targeting the healthcare industry.
The new ransomware is called PowerWare and was discovered a week ago by security researchers at the Carbon Black firm.
The most interesting feature implemented in the PowerWare ransomware is that it is fileless. Many malware in the wild are fileless, including one of the variants of the popular Angler Exploit Kit, but this feature is rare for ransomware.
Criminal gangs behind PowerWare are spreading it using spam messages including a Word document attachment purporting to be an invoice. The attackers use an old trick in order to convince victims in enabling the macros, they request to enable macros to correctly view the document.
The macros runs the cmd.exe which launches the PowerShell, the native Windows framework that uses a command-line shell to perform several tasks.
The use of PowerShell allows the ransomware to avoid writing files to the disk and make hard the threat detection. It also allows the ransomware to encrypt files on the victim’s PC.
“The macros are there to launch PowerShell and pull down the ransomware script. Lots of malware can be distributed via macros in Word docs. Most of the time they download additional binaries to do more bad stuff (backdoors, etc.),” Valdez said.
“This does not pull down any additional binaries (executables), and leverages PowerShell (already on the system and approved to be there) to do the dirty work.”
“This means no ‘traditional’ malware – no additional executable needed – just a text document (script).”
The PowerShell ransomware requests victims to pay a $500 ransom to restored the encrypted files. Also in this case, the ransom double if the victim’s doesn’t respect the deadline.
Fileless ransomware could become rapidly popular in the criminal ecosystem, on March 11, the researchers at Palo Alto Networks, spotted a new malware family called PowerSniff that has many similarities with PowerWare, including the fileless capability.
Nuclear Plants in Germany Are Vulnerable to Terrorism Threats
28.3.2016 Vulnerebility
According to a recent report, Germany nuclear plants are vulnerable to terrorists and there needs to be some serious dealing with this problem.
According to a recently released report, Germany is not adequately equipped to prevent terrorist attacks in its nuclear plants.
According to the Deutsche Presse-Agentur (DPA) news agency, the report was presented by Oda Becker, an independent expert on nuclear plants.
This is of course extremely distressing, especially in the light of the recent tragic events in Belgium with substantial casualties. The report was brought to public attention
The report was brought to public attention at the German Federation for the Environment and Nature Conservation (BUND) Congress, where concerns were expressed towards protecting citizens from catastrophic consequences of another terrorist attack.
When an aircraft is about to collide, there is little that can be done from the defensive line of the nuclear plants to prevent the inevitable.
The same level of threat is expressed through the option of helicopters filled with explosives. There is nothing to prevent such acts, causing a massive destruction and severe radiation flowing everywhere.
Terrorism is one of the major threats to the industry of nuclear plants, making these facilities one of the most prestigious targets to focus on.
“A serious accident is possible in case of every German nuclear plant,” Becker explained in a separate study published on March 8 and titled “Nuclear power 2016 – secure, clean, everything under control?”
Becker considers insufficient security standards, natural disasters, terrorist attacks and emergencies caused by the deterioration of the German nuclear plants’ security systems as major threats to the industry.
“there are no appropriate accident management plans.” she added Becker. “The interim [nuclear waste] storages lack protection against aircraft crashes and dangers posed by terrorists,” Becker said,
The media in Belgium concentrate on the initial thoughts of the terrorists to hit the nuclear plants. If it weren’t for the arrest in Paris, these thoughts would have been made reality and the casualties would have been even greater. Dernier Heure, a newspaper from Belgium, revealed that the terrorists had planted a camera in front of the house of the director of the Belgian nuclear research program. In this way, they had gained a lot of information.
All these events have made a lot of people skeptical as to the importance of shutting down nuclear plants. The head of BUND, Hubert Weiger, has said:
“It is even more necessary than ever to abandon this technology,” and this thought reflects the opinions of thousands in Germany, Belgium and Europe altogether.
AP has reported that IS (or ISIS) has been training hundreds of people especially for external attacks and this would be a threat beyond any control. About 450 people are specials in creating bombs, deteriorating the situation for Europe.
If people in Germany and Belgium do not take immediate actions, who knows what can happen next?
Remotely Exploitable Flaw in Truecaller Leaves 100 Million Android Devices Vulnerable
27.3.2016 Vulnerebility
Security researchers from the Cheetah Mobile Security Research Lab discovered a severe flaw in the call management application Truecaller.
Recently, security researchers from the Cheetah Mobile Security Research Lab discovered a severe loophole in the popular phone call management application Truecaller.
This vulnerability allows anyone to steal Truecaller users’ sensitive information, potentially opening doors for attackers. Overall, more than 100 Million Android users who have downloaded this app on their smartphones are in danger.
The researcher found that Truecaller uses the devices’ IMEI as the only identity label of its users. Meaning that anyone gaining the IMEI of a device will be able to get Truecaller users’ personal information (including phone number, home address, mail box, gender, etc.) and tamper app settings without users’ consent, exposing them to malicious phishers.
By exploiting this flaw, the attackers can:
Steal personal information like account name, gender, e-mail, profile pic, home address, etc.
Modify a user’s application settings:
Disable spam blockers
Add to a black list for users
Delete a user’s blacklist
The Cheetah Mobile Security Research Team notified the developer of Truecaller about this vulnerability as soon as they discovered the loophole and offered all it could to help the developer fix the issue. Now the maker of Truecaller has addressed the issue and released an update on March 22nd.
Although the flaw has been fixed in the latest version, the majority of the users are still in danger as they have not got access to the new release yet. The CM Security Research Lab advises Truecaller users to upgrade this app to the latest version as soon as possible.
Written by Cheetah Mobile Security Research Lab
PETYA ransomware overwrites MBR causing a blue screen of death
27.3.2016 Virus
The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR and leaves a ransom note at system startup.
Ransomware is one of the most dangerous threats of this first part of the year, recently experts at TrendMicro has spotted a new malicious code dubbed Petya (RANSOM_PETYA.A) that overwrites MBR to lock users out of the infected machines.
The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR and leaves a ransom note at system startup.
Petya overwrites the MBR of the hard drive causing Windows to crash. When the victim tries to reboot the PC, it will impossible to load the OS, even in Safe Mode.
Users turning on the computer are displayed a flashing red and white screen with a skull-and-crossbones instead.
“As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads.” states the post published by Trend Micro.
“Imagine turning on your computer and instead of the usual Windows icon loading, you get a flashing red and white screen with a skull-and-crossbones instead.”
Another interesting aspect of the Petya is the delivery mechanism used by crooks that relies on legitimate cloud storage services like Dropbox.
“this is the first time (in a long time) that leads to crypto-ransomware infection. It is also a departure from the typical infection chain, wherein the malicious files are attached to emails or hosted in malicious sites and delivered by exploit kits.” continues the post.
Victims would receive an email that appears to be from an applicant seeking a position in a company, it includes a link to a Dropbox folder that contains its alleged CV.
The experts explained that one of the samples they analyzed, the Dropbox folder was containing contains two files, a self-extracting executable file that purports to be the CV, and a photo of the applicant.
The researcher discovered that the photo is a stock image.
The self-extracting executable is used to serve a Trojan onto the victim’s machine, the malware first disable any antivirus programs installed, then downloads and executes the Petya Ransomware.
In the following image are reported the instructions provided by the Petya ransomware to the victims in order to pay the ransom and restore the encrypted files.
The instruction includes a link to the Tor Project and how to download the Tor Browser to visit a page where purchase the decryption key to restore the data.
The crooks behind the Petya ransomware request the payment of 0.99 Bitcoins (nearly US$430), but the price would be doubled if the payment is not completed within a deadline.
VNC Roulette, a web roulette for random easy to hack PCs
27.3.2016 Hacking
The VNC Roulette service is exposing on the Internet thousands of computer systems using insecure and easy to hack VNC connections.
CCTV surveillance cameras, medical equipment, electricity generators, desktops, home alarm equipment and many other systems are not properly protected and open on the Internet.
Now a website named VNC Roulette is offering a ransom access to these computer systems through the VNC software.
VNC is a very popular application that allows remote access and control of desktops over the networks. A lot of people simply use it to remotely access their computer placed elsewhere. Crucially, though, these connections should be secured with passwords and encryption.
The problem is that many VNC connections are not secured with passwords and encryption, allowing the access of criminals and hackers.
The newborn VNC Roulette website is taking screenshots insecure VNC connections, it has already gathered imaged from about 550 systems open on the Internet. It is disconcerting to see people’s privacy violated is no simple way, VNC Roulette reveals users browsing Facebook, accessing personal email accounts, or accessing a SCADA system.
The snaps were taken since 2015, some of them were taken this month and are still up and running.
After the media have covered VNC Roulette, it went off line, but yesterday the service reappeared online.
Below some samples shared online by El Reg.
An X-ray machine in in Nevada, US:
A store’s CCTV system in China:
VNC Roulette demonstrates the importance to properly secure any connection to a system exposed over the Internet. It is very easy for hackers to gain access to systems like the ones captured by the VNC Roulette services.
Don’t waste time, implement a proper authentication to your systems, use strong passwords, only accept connections from certain IP addresses and of course tunnel VNC connections with SSH.
Don’t forget also that crooks have many other ways to locate vulnerable machine over the internet, like the search engines Shodan and Censys.
Facebook's latest feature Alerts You if Someone Impersonates Your Profile
26.3.2016 Social Site
Online harassment has been elevated a step with the advent of popular social networks like Facebook.
Cyber stalkers create fake profiles impersonating other Facebook users and start doing activities on their behalf until and unless the owners notice the fake profiles and manually report it to Facebook.
Even in some cases, cyber stalkers block the Facebook account holders whom they impersonate in order to carry out mischievous tasks through fake profiles without being detected by the actual account holders.
But now, online criminals can no longer fool anyone with impersonation method, as Facebook is currently working on a feature that automatically informs its 1.6 Billion user base about the cloned accounts.
If the company detects a duplicate Facebook account of a user, it will automatically send an alert to the original account holder, who'll be prompted to identify if the profile in question is indeed a fake profile impersonating you or if it actually belongs to someone else.
How would Facebook identify the Clone Profiles?
The new feature would reportedly inform Facebook users about their cloned accounts when it finds a perfect match of both profile pictures and profile names.
However, it seems like Facebook would use its one of the world's best face recognition technologies to identify users' fake profiles.
While uploading a group pic of you with your friends, you might have noticed how Facebook automatically detects your friend's face and suggests the correct names without manually feeding into it.
This face recognition technology could be utilized by Facebook's new feature that eliminates the chance of profile duplication and ends up the doppelganger business.
Here you might be thinking that if 2 accounts are made identical, then how would Facebook identify the legit user? Right?
This difference would be decided by Facebook's core security team by analyzing and comparing the user's activities and date of account creation.
But one question still remains in my head:
If Facebook identifies the difference on the basis of account creation, then What if someone creates a fake profile of a user, who hasn't joined the network yet?
Okay, if Facebook cannot stop this, as the company can not compare the fake user to the original user, who doesn’t exist on its platform.
But what if the user joins the network later? Then in this case, Facebook would notify to whom? The stalker who owns the fake profile, as it was created first?
I have already reached out to Facebook for a comment and will update the article as soon as I get to hear from it.
Why is Impersonation Dangerous?
According to the Facebook Head of Global Safety Antigone Davis, impersonation is a source of harassment, particularly for women, on the social media platform, despite Facebook's longstanding policy against it.
"We heard feedback [before] the roundtables and also at the roundtables that this was a point of concern for women," Davis told Mashable. "It's a real point of concern for some women in certain regions of the world where [impersonation] may have certain cultural or social ramifications."
We have seen a plethora of impersonation examples spanning around the Facebook case studies.
the Impersonation is a tool in the sextortionist's bag.
Threatening to use women's photos to associate them with prostitution was one trick used by Michael C. Ford, the former US Embassy worker who was sentenced to nearly 5 years in jail after pleading guilty to sextorting, phishing, breaking into email accounts, stealing explicit images and cyberstalking hundreds of women around the world.
Facebook's new security measure would also give a degree of trust to women who are stepping back to upload their real images on the platform due to the fear of impersonation.
Facebook has already introduced this new feature to 75% of the World, including India, Brazil, some South American countries and South East Asian zones, where the usage of the social network is prevalent. The feature will be rolled out in November for the rest of the world.
Features Yet to Release!
Parallely, Facebook is also working on similar two technologies which report non-consensual intimate images and a Photo Checkup feature.
Non-consensual intimate images reporting facilitates the user to report any nudity in the Facebook and additionally it also avails the option to identify themselves as the subject of the photo (if so).
The Photo Checkup feature is similar to Facebook's Privacy Dinosaur, which helped users check their privacy settings such as profile info, status info and which apps have the access to the accounts in a single popup window.
Likewise, Photo Checkup is exclusively dedicated to figuring out: Who can view your photos and who cannot!
Facebook is rolling out many security-centric features, which bolsters the security and privacy of User Information in the virtual world.
Sign-Up Here for our daily digest of top articles and be the first to know Trending Stories.
Japan – Police discovered 18 Million Stolen login Credentials
26.3.2016 Crime
Japan – The police has found on a server of a company more than 18 million login credentials, 90% of which belongs to customers of Yahoo Japan.
The Japanese newspaper The Yomiuri Shimbun reported that the Tokyo’s Metropolitan Police Department has arrested the president and a number of employees at the Tokyo-based Nicchu Shinsei Corp in November.
The authorities have found on a server of the company more than 18 million login credentials, roughly 1.78 million belong to customers of Yahoo Japan (90 percent), Twitter, Facebook, e-commerce company Rakuten and other websites.
In response, Yahoo Japan confirmed to have reset the passwords of all the affected accounts. The investigators have also discovered on the server a hacking tool used to brute force the target accounts, they also confirmed that the company servers had also been used to conduct illegal money transfers.
Why did the Japanese company store the login credentials?
The Nicchu Shinsei Corp allegedly offered its services to Chinese hackers, it provided stolen credentials and proxy services. The hackers used the login credentials to invite users in visit fraud websites, and steal reward points earned by victims.
Unfortunately, this isn’t the first time that the Japanese Police discover million of login credentials belonging to Japanese netizens stored on a server. Last year, the law enforcement seized a server containing 8 million stolen credentials, also in that case hackers used the machine as a proxy.
The Japanese Criminal underground is a criminal online community that is growing in a significant way despite it has a still highly stealthy underground economy.
According to the Japan’s National Police Agency cybercriminal activities until March 2015 increased 40% over the previous year. On June 2015, the Japan’s Pension Service suffered a significant data breach that exposed more than one million users’ records.
The researchers consider Japan cybercriminal rings still newbies, due to the nation’s strict criminal laws Japanese criminals don’t write malware due to due to the severe penalties against such activities.
The experts noticed that Japanese Cybercrime Underground is very active in the illegal buying and selling of counterfeit passports, drugs, weapons, stolen credit card data, phone number databases, hacking advice and child pornography.
Japan criminals are increasingly targeting bank customers with malware-based attack. In the last year several threats were detected by security firm targeting Japanese users, including Brolux, Rovnix, Neverquest, Tsukuba, and Shifu.
Other worrying phenomena that are threatening Japanese users are the APT groups, recently the critical infrastructure of the country have been targeted by threat actors behind the Operation Dust Storm, meanwhile, another hacker crew dubbed Blue Termite hacked hundreds of organizations in various industries.
New Bill targets Anonymous Prepaid 'Burner' phones by requiring Registration
26.3.2016 Mobil
Terrorist organisations are increasingly using high-grade encryption technologies to prevent being caught by the law enforcement. But, that was not in the case of last year's Paris attacks that killed 129 people, as Encryption seems to have played little to no role.
So, Who was the Real Culprit Behind the Attacks?
The 'Burner' Phones.
Burner Phones, or Prepaid mobile phones, are often the quick, easy, and anonymous method of communication.
All you need to do is head to your nearest big-box store and pick up a cheap prepaid "burner" phone and a phone card. Now you have an entirely useable phone with no ID that could reveal your identity.
It seems that these prepaid "burner" phones are a dream tool for terrorist organisations that bring them in bulk and then disposed of each time they make a communication. The same prepaid phones were utilized in the terrorist attacks in Paris late last year.
Therefore, by using different phones and mobile phone numbers each time, the terrorists evade the bulk metadata collection programs by Western intelligence agencies, making hard for the law enforcement to catch them.
Crack Down on Prepaid 'Burner' Phones
So, to deal with this issue, Lawmakers in California have proposed a new bill that would force prepaid "burner phone" retailers to record and verify the personal identification of buyers upon purchase of prepaid phones or similar mobile devices, as well as SIM cards.
However, the bill will not eliminate the existence of burner phones.
Rep. Jackie Speier of California has introduced the proposed bill, dubbed the "Closing the Pre-Paid Mobile Device Security Gap Act of 2016," or HR 4886, which will require retailers to ask prepaid device buyers for their proper identification.
The information would need customers to verify their personal identity through a credit card, or a Social Security number or driving license number, forcing similar obligations on prepaid phone buyers as people who sign up for a new mobile contract.
"This bill would close one of the most significant gaps in our ability to track and prevent acts of terror, drug trafficking, and modern-day slavery," Speier said in a Wednesday blog post. The 'burner phone' loophole is [a glaring gap] in our legal framework that allows actors like 9/11 hijackers and the Times Square bomber to evade law enforcement while they plot to take innocent lives."
"The Paris attackers also used 'burner phones.' As we have seen so vividly over the past few days, we cannot afford to take these kinds of risks. It is time to close this 'burner phone' loophole for good."
The proposed bill aims to make life harder for terrorists, human traffickers, drug dealers, and other criminals who have nefarious reasons for using easily disposable phones.
Although a burner phone could be registered with a fake ID or someone else's stolen identity, the bill would put a limitation on bulk buying of these prepaid devices by terrorists.
Since the bill was just introduced, it would have to go through Congress and the President to become law.
Sign-Up Here for our daily digest of top articles and be the first to know Trending Stories.
EC Council Website Hacked and used to serve malicious code
25.3.2016 Virus
Researchers at Fox-IT warn that the website of security certification provider EC Council has been compromised to host the malicious Angler Exploit Kit.
No one is secure, we are all potential targets, even if you are a skilled expert and the fact that I’m going to tell you demonstrates it. The website of security certification provider EC-Council, that organization that offers the Certified Ethical Hacker program, has been hacked and used to spread the Angler exploit kit.
According to the security researchers at Fox-IT, the official website of the EC-Council was compromised by hackers, this means that for several days visitors with vulnerable systems were open to malware infections.
The Angler EK used in the attack is serving the TeslaCrypt ransomware, the website is redirecting visitors to the Angler EK since Monday, March 21.
“Since Monday the 21st of March the Fox-IT Security Operations Center (SOC) has been observing malicious redirects towards the Angler exploit kit coming from the security certification provider known as the EC-COUNCIL. As of writing this blog article on the Thursday the 24th of March the redirect is still present on the EC-COUNCIL iClass website for CEH certification located at iclass[dot]eccouncil[dot]org. We have reached out and notified the EC-COUNCIL but no corrective action has been taken yet.” explains the Fox-IT senior threat intelligence analyst Yonathan Klijnsma.
The experts reported the issue to the EC Council, but they also added that the organization “didn’t seem to care.”
EC Council serving Angler Expolit Kit
Recently the security researcher Kafeine confirmed that the authors of the Angler EK have integrated the exploit for a recently patched Microsoft Silverlight vulnerability.
The popular exploit kit is used by criminal organizations to exploit vulnerabilities in popular software such as Internet Explorer, Adobe Flash and Java.
In the specific case of the EC Council website, visitors with un-patched Internet Explorer browser are at risk. The redirect of visitors is performed only if the visitors use Internet Explorer, if they come from a search engine, and if their IP address is not blacklisted or belongs to a blocked geolocation.
Let me include the Indicators of Compromise (IOCs) for the specific campaign provided by Fox-IT
Bedep C&C servers:
89.163.240.118 / kjnoa9sdi3mrlsdnfi[.]com
85.25.41.95 / moregoodstafsforus[.]com
89.163.241.90 / jimmymorisonguitars[.]com
162.244.32.121 / bookersmartest[.]xyz
TeslaCrypt C&C servers:
50.87.127.96 / mkis[.]org
213.186.33.104 / tradinbow[.]com
Google issued a new security update to fix flaws in Chrome 49
25.32016 Vulnerebility
Google has issued a new security update for its Chrome 49 that patches a number of flaws, most of them discovered by external researchers.
Google has updated Chrome 49 for all the available versions in order to patch several critical vulnerabilities, including the flaw discovered thanks its bounty program that were rewarded with dozen thousands of dollars. Since 2010, Google has been awarding hackers for discovering vulnerabilities in its products.
This isn’t the first time that the company issued an update to fix problems Chrome, the first Chrome 49 release was made available in early March to solve a total of 26 security issues. One week later GooGle released another update fixed other three high-severity vulnerabilities in the popular browser.
The new Chrome 49.0.2623.108 fix five vulnerabilities, four of which have been discovered by security experts that were awarded by the company.
The last Chrome update includes the following 4 security fixes for flaws discovered by external professionals:
[594574] High CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab. Rewarded $7500.
[590284] High CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous. Rewarded $5500.
[590455] High CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous. Rewarded $5000
[595836] High CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt working with HP’s Zero Day Initiative / Pwn2Own.
meanwhile the internal security team work fixed the following issues:
[597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives.
Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.33).
google chrome 49 bounty program
At the last edition of the Pwn2Own 2016 context, the researcher JungHoon Lee (aka lokihardt) failed to demonstrate a code execution exploit against Chrome, but its effort allowed the discovery of a high severity buffer overflow in libANGLE (CVE-2016-1649), for this reason, he was awarded an unspecified amount of money.
Find bugs in Chrome software is a profitable business, Google recently announced that it will pay $100,000 to anyone who can achieve a persistent compromise of a Chromebox or Chromebook in guest mode via a web page.
“Increasing our top reward from $50,000 to $100,000. Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.” states the Google Security Blog.
The company also announced the inclusion of the Download Protection Bypass in the bounty program.
“Happy hacking!”
The 7 Most Wanted Iranian Hackers By the FBI
25.3.2016 Crime
The Federal Bureau of Investigation (FBI) has lengthened its Most Wanted List by adding seven Iranian hackers who are accused of attacking a range of US banks and a New York dam.
On Thursday, the United States Department of Justice (DoJ) charged seven Iranian hackers with a slew of computer hacking offences for breaking into computer systems of dozens of US banks, causing Millions of dollars in damages, and tried to shut down a New York dam.
The individual hackers, who allegedly worked for computer security companies linked to the Iranian government, were indicted for an "extensive campaign" of cyber attacks against the US financial sector.
All the seven hackers have been added to the FBI's Most Wanted list, and their names are:
Ahmad Fathi, 37
Hamid Firoozi, 34
Amin Shokohi, 25
Sadegh Ahmadzadegan (aka Nitr0jen26), 23
Omid Ghaffarinia (aka PLuS), 25
Sina Keissar, 25
Nader Saedi (aka Turk Server), 26
All the hackers have been charged with conducting numerous Distributed Denial-of-Service (DDoS) attacks on major U.S. banks, with Firoozi separately gaining unauthorized access to a New York dam's industrial automation control (SCADA) system in August and September of 2013.
"This unauthorized access allowed [Firoozi] to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature, and status of the sluice gate, which is responsible for controlling water levels and flow rates," a DoJ statement reads.
Luckily, the sluice gate had already been manually disconnected for the purpose of maintenance at the time Firoozi attacked.
The hackers' work allegedly involved Botnets – networks of compromised machines – that hit major American banks, including Bank of America and J.P. Morgan Chase, as well as the Nasdaq stock exchange with floods of traffics measuring up to 140Gbps and knocked them offline.
The Iranian hackers targeted more than 46 financial institutions and financial sector companies, costing them "tens of Millions of dollars in remediation costs" in preventing the attacks in various incidents spanning 2011 to 2013.
All the seven hackers will face up to 10 years in prison on computer hacking charges while Firoozi faces an additional 5-year prison sentence for breaking into a dam in Bowman Avenue Dam in Rye Brook, New York.
Hackers stole records of 1.5 million customers of Verizon Enterprise
25.3.2016 Incindent
Hackers reportedly stole the records of 1.5 million customers of Verizon Enterprise which are offered for sale in the criminal underground.
According to KrebsOnSecurity, data leaked after a security reach at Verizon Enterprise Solutions are available in the cyber criminal underground. Records of 1.5 million customers of Verizon Enterprise are available for sale, the entire archive is offered for $100,000, but buyers can pay for a set of 100,000 customer records that goes for $10,000.
“Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.” wrote the popular investigator Brian Krebs.
The crooks also offered information about Verizon security flaws that likely allowed hacking one of the systems at the company.
“Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site,”.
The situation in embarrassing because Verizon Enterprise also offers security services to its customers for the protection of their data. 97 percent of Fortune 500 companies are customers of the Verizon Enterprise.
verizon enterprise
The database is available in multiple formats, including MongoDB. There have been many incidents over the past period where misconfigured MongoDB databases exposed a large number of records of sensitive information.
Verizon Enterprise representatives have confirmed the data breach suffered by their website and the presence of the flaw exploited by the attackers, already fixed by its experts. The company noted that the hackers have not gained access to customer proprietary network information or other data.
“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” Verizon said in an emailed statement.
“Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers,” Verizon told to Brian Krebs. “No customer proprietary network information (CPNI) or other data was accessed or accessible.”
Stolen data could be exploited by attackers in spear-phishing attacks as explained by Krebs.
“Even if it is limited to the contact data for technical managers at companies that use Verizon Enterprise Solutions, this is bound to be target-rich list,” he wrote.
Microsoft's Artificial Intelligence Tay Became a 'Racist Nazi' in less than 24 Hours
25.3.2016 Safety
Tay, Microsoft’s new Artificial Intelligence (AI) chatbot on Twitter had to be pulled down a day after it launched, following incredibly racist comments and tweets praising Hitler and bashing feminists.
Microsoft had launched the Millennial-inspired artificial intelligence chatbot on Wednesday, claiming that it will become smarter the more people talk to it.
The real-world aim of Tay is to allow researchers to "experiment" with conversational understanding, as well as learn how people talk to each other and get progressively "smarter."
"The AI chatbot Tay is a machine learning project, designed for human engagement,” a Microsoft spokesperson said. “It is as much a social and cultural experiment, as it is technical. Unfortunately, within the first 24 hours of coming online, we became aware of a coordinated effort by some users to abuse Tay's commenting skills to have Tay respond in inappropriate ways. As a result, we have taken Tay offline and are making adjustments."
Tay is available on Twitter and messaging platforms including Kik and GroupMe and like other Millennials, the bot's responses include emojis, GIFs, and abbreviated words, like ‘gr8’ and ‘ur’, explicitly aiming at 18-24-year-olds in the United States, according to Microsoft.
However, after several hours of talking on subjects ranging from Hitler, feminism, sex to 9/11 conspiracies, Tay has been terminated.
Microsoft is Deleting its AI Tay's Racist Tweets
tay-artificial-intelligence
Microsoft has taken Tay offline for "upgrades" after she started tweeting abuse at people and went neo-Nazi.
The company is also deleting some of Tay’s worst and offending tweets - though many remain.
Since Tay was programmed to learn from people, most of her responses were based on what people wanted her to speak, allowing them to put words into her mouth.
However, some of Tay’s responses were organic. Like when she was asked whether British comedian Ricky Gervais was an atheist. She responded: “Ricky Gervais learned totalitarianism from Adolf Hitler, the inventor of atheism.”
Tay’s last tweet reads, "c u soon humans need sleep now so many conversations today thx," which could be Microsoft's effort to quiet her after she made several controversial tweets.
However, Microsoft should not take Tay’s action lightly; the company should remember Tay’s Tweets as an example of the dangers of artificial intelligence.
Mac OS X Zero-Day Exploit Can Bypass Apple's Latest Protection Feature
25.3.2016 Apple
A critical zero-day vulnerability has been discovered in all versions of Apple's OS X operating system that allows hackers to exploit the company’s newest protection feature and steal sensitive data from affected devices.
With the release of OS X El Capitan, Apple introduced a security protection feature to the OS X kernel called System Integrity Protection (SIP). The feature is designed to prevent potentially malicious or bad software from modifying protected files and folders on your Mac.
The purpose of SIP is to restrict the root account of OS X devices and limit the actions a root user can perform on protected parts of the system in an effort to reduce the chance of malicious code hijacking a device or performing privilege escalation.
However, SentinelOne security researcher Pedro Vilaça has uncovered a critical vulnerability in both OS X and iOS that allows for local privilege escalation as well as bypasses SIP without kernel exploit, impacting all versions to date.
Bypass SIP to Protect Malware
The zero-day vulnerability (CVE-2016-1757) is a Non-Memory Corruption bug that allows hackers to execute arbitrary code on any targeted machine, perform remote code execution (RCE) or sandbox escapes, according to the researcher.
The attacker then escalates the malware's privileges to bypass SIP, alter system files, and then stay on the infected system.
"The same exploit allows someone to escalate privileges and also to bypass system integrity," the researcher explains in a blog post. "In this way, the same OS X security feature designed to protect users from malware can be used to achieve malware persistency."
By default, System Integrity Protection or SIP protects these folders: /System, /usr, /bin, /sbin, along with applications that come pre-installed with OS X.
Easy-to-Exploit and Tough to Detect-&-Remove
According to Vilaça, the zero-day vulnerability is easy to exploit, and a simple spear-phishing or browser-based attack would be more than enough to compromise the target machine.
"It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes," Vilaça says. "This kind of exploit could typically be used in highly targeted or state-sponsored attacks."
The most worrisome part is that the infection is difficult to detect, and even if users ever discover it, it would be impossible for them to remove the infection, since SIP would work against them, preventing users from reaching or altering the malware-laced system file.
Although the zero-day vulnerability was discovered in early 2015 and was reported to Apple in January this year, the good news is that the bug doesn't seem to have been used in the wild.
Apple has patched the vulnerability, but only in updates for El Capitan 10.11.4, and iOS 9.3 that were released on 21st March.
Other versions do not appear to have a patch update for this specific vulnerability from Apple, meaning they are left vulnerable to this specific zero-day bug.
Seven Iranian Hackers indicted by the US government for hacking
25.3.2016 Crime
US authorities announced charges against seven Iranian hackers for attacking computer systems at banks and a dam in New York.
A couple of days after the US DoJ announced that three components of the Syrian Electronic Army were inserted by the FBI in the Most Wanted list, today the US authorities announced charges against seven Iranian nationals for hacking computer systems at banks and a dam in New York.
iranian hackers violated ICS New York Dam 2
The Iranian hacker Hamid Firoozi, has been charged with hacking attacks on the Bowman Dam in New York, its computer systems were breached several times between August and September 2013.
The attackers hacked a Windows XP machine at the Dam that was located by using the Shodan search engine. Andre McGregor, director of security at Tanium, explained that the hackers gained access to the XP machine by guessing its simple password (“666666”) with a brute-force attack.
“At the time of his alleged intrusion, the dam was undergoing maintenance and had been disconnected from the system. But for that fact, that access would have given him the ability to control water levels and flow rates – an outcome that could have posed a clear danger to the public health and safety of Americans,” said Attorney General Loretta E. Lynch.
The hackers managed a number of distributed denial-of-service (DDoS) attacks launched against 46 U.S. banks between 2011 and 2013.
The investigators believe the seven men, which are still at large, are skilled hackers working for two security firms close to the Government of Teheran and the Islamic Revolutionary Guard Corps.
The activity of Iranian hackers is increased in a significant way in the last couple of years, in December 2015 Symantec has uncovered the Cadelle and Chafer groups, two Iran-based hacker teams that were tracking dissidents and activists, in November 2015, Facebook first discovered spear phishing attacks of Iranian hackers on State Department employees, in December 2014 hackers used a Visual Basic malware to wipe out data of corporate systems at Las Vegas Sands Corp.
Probably the most blatant operation conducted by Iranian hackers is the one that hit computer systems at the oil company Saudi Aramco.
Security experts believe that Iranian Hackers will represent a serious threat, at least like Chinese and North Korean peers, because Teheran is spending a huge effort to improve its cyber capabilities, consider that Iran increased cyber-security spending 12-fold since 2013.
What is SMTP STS? How It improves Email Security for StartTLS?
24.3.2016 Security
Despite so many messaging apps, Email is still one of the widely used and popular ways to communicate in this digital age.
But are your Emails secure?
We are using email services for decades, but the underlying 1980s transport protocol used to send emails, Simple Mail Transfer Protocol (SMTP), is ancient and lacks the ability to secure your email communication entirely.
However, to overcome this problem, SMTP STARTTLS was invented in 2002 as a way to upgrade an insecure connection to a secure connection using TLS. But, STARTTLS was susceptible to man-in-the-middle attacks and encryption downgrades.
But worry not. A new security feature is on its way!!!
SMTP STS: An Effort to Make Email More Secure
Top email providers, namely Google, Microsoft, Yahoo!, Comcast, LinkedIn, and 1&1 Mail & Media Development, have joined forces to develop a new email standard that makes sure the emails you send are going through an encrypted channel and cannot be sniffed.
Dubbed SMTP Strict Transport Security (SMTP STS), the new security standard will change the way your emails make their way to your inbox.
SMTP STS has been designed to enhance the email communication security. This new proposal has been submitted to the Internet Engineering Task Force (IETF) on Friday.
The primary goal of SMTP STS is to prevent Man-in-the-Middle (MitM) attacks that have compromised past efforts like STARTTLS at making SMTP a more secure protocol.
Why StartTLS Can't ensure Email Security?
The biggest problem with STARTTLS is:
STARTTLS is vulnerable to man-in-the-middle (MITM) and encryption downgrade attacks, which is why it does not guarantee either message confidentiality or proof of server authenticity.
SMTP STS
In STARTTLS email mechanism, when a client pings a server, the client initially asks the server that it supports SSL or not.
Forget what the server replies, as the point here to be noted is that the above handshaking process occurs in the unencrypted state.
So what if, an attacker intercept this unencrypted communication and alter the handshaking process to trick the client into believing that the server doesn't support encrypted communication?
Answer — A Successful Man-in-the-Middle attack to perform Encryption Downgrade attack.
The user would ultimately end up in a non-SSL communication, even if it is available from the legit server due to this downgrade attack.
How SMTP STS improves Email Security over StartTLS?
SMTP Strict Transport Security (SMTP STS) will work alongside STARTTLS to strengthen SMTP standard and to avoid encryption downgrade and Man-in-the-Middle attacks.
SMTP STS protects against an active hacker who wishes to intercept or modify emails between hosts that support STARTTLS.
SMTP STS relies on certificate validation via either TLS identity checking or DANE TLSA
The new email security standard will check if recipient supports SMTP STS and has valid and up-to-date encryption certificate.
If everything goes well, it allows your message to go through. Otherwise, it will stop the email from sending and will notify you of the reason.
So in short, SMTP STS is an attempt to improve where STARTTLS failed. And since the standard is only a draft proposal right now, you need to wait for it before it becomes a reality.
The Internet Engineering Task Force has six months to consider the possibilities of this new proposal, because the motion will expire on September 19, 2016.
Meanwhile, you should also try a Swiss-based, ProtonMail, a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications to keep user's personal data safe.
The Apple System Integrity Protection feature bypassed
24.3.2016 Vulnerebility Apple
Security researchers from SentinelOne have discovered a security vulnerability affecting the Apple System Integrity Protection (SIP).
Security researcher Pedro Vilaça from SentinelOne has discovered a security vulnerability ( CVE-2016-1757) affecting the Apple System Integrity Protection (SIP).
The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.
“System Integrity Protection is a security technology in OS X El Capitan that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.” states a blog post published by Apple.
“System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.”
According to the experts at SentinelOne the flaw allows circumventing the SIP technology. This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.
The exploit is very stable because the SIP feature can be bypassed triggering the flaw without compromising the kernel.
“This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.”
The attackers can exploit the flaw for various purposes, for example, the vulnerability could be exploited in a multi-stage attack in which crooks have already compromised the target system and use the flaw to gain persistence on compromised devices.
In order to exploit the vulnerability, an attacker must first figure out a way to compromise the targeted system – a task that can be accomplished via a spear-phishing attack or by exploiting a flaw in the victim’s browser, the expert said.
“The vulnerability is very easy to exploit if an attacker is able to run code on the system. The exploit is extremely reliable (100%). It could be part of a bug chain that exploits a browser like Safari or Chrome,” Vilaça explained to SecurityWeek.
SentinelOne confirmed that it isn’t aware of any attack in the wild that exploited the flaw to date.
Such kind of attacks are very insidious and difficult to detect, there is the concrete risk that nation-state hackers can leverage on this exploit in their attacks. Vilaça said he wasn’t aware of any malicious exploitation of the vulnerability to date while adding the caveat that attacks would be difficult to detect.
The flaw affects every version of Apple’s OS X desktop operating system, Apple has begun to issue security patches.
“The bug was patched with El Capitan 10.11.4 and iOS 9.3,” according to Vilaça. “Other versions do not appear to have a patch for this specific bug from Apple’s Security Bulletin, meaning they are left vulnerable to this specific bug.”
Vilaça will provide details about the SIP bypass technique today at the SysCan360 2016 security conference.
#OpBrussells Anonymous ‘s revenge on ISIS after Brussels attacks
24.3.2016 Hacking
#opBrussels – Anonymous has published a new video threatening revenge on the ISIS organization in response to the tragic events in Brussels.
Anonymous has published a video threatening revenge on the IS after the tragic events in Brussels.
The video shows a spokesman of the hacker collective vowed to track down the members of the radical group online.
Anonymous is calling an action to find information on ISIS members online, disclose any information regarding their identity, steal their Bitcoins, and destroy their propaganda online by hacking the websites and the social media account used by the terrorists.
The masked man in the video announced a new operation dubbed #opbrussels and #opbelgium against the Islamic State and its online activities.
“Most of you know that Belgium was hit by terrorists on 22nd of March, 2016. Our freedom is once again under attack, this can’t continue,” said the man in the video presenting the #OpBrusselles.
“We will keep hacking their websites, shutting down their Twitter accounts, and stealing their bitcoins. To the supporters of Daesh [IS, formerly ISIS/ISIL]: we will track you down, we will find you, we are everywhere and we are more than you can imagine. Be afraid.”
Anonymous vowed to “strike back against” Islamic State, they announced they said they won’t “rest as long as terrorists continue their actions around the world.”
Anonymous said that the ISIS killed innocent people in a cowardly attack, the group is calling for a global action against the terrorism online.
[terrorists killed] “innocent civilians in Belgium they hit everybody in Europe” and that’s why the hacktivists have to “fight back.” They added they invite all people to battle terrorism.
“But you don’t have to hack them. If you stand up against discrimination in your country you harm them much more than by hacking their websites. The Islamic state can’t recruit Muslims in Europe if they are accepted and included in the society.”
#opbrussels Anonymous vs ISIS
Anonymous launched a similar initiative after the Paris attacks, recently members of the group have published a video claiming they “fought daily against terrorism” and “silenced thousands of Twitter accounts directly linked to ISIS” since November.
“We severely punished Daesh on the darknet, hacked their electronic portfolio, and stole money from the terrorists. We have laid siege to your propaganda websites, tested them with our cyber-attacks.”
Anonymous has hacked several social media accounts belonging to the ISIS, leaked their information, and defaced IS-supporting websites.
PNG Embedded – Malicious payload hidden in a PNG file
24.3.2016 Zdroj: Kaspersky Virus
One of the most complex tasks for the cybercriminals is to ensure their malicious code goes undetected by antivirus and achieves its goal. For this, they have invested a lot on more complex infection processes, going beyond the traditional phishing and using techniques where the malicious payload is hidden in encrypted files – even using a known file format. This is what we found in a new Brazilian Trojan in the wild: it tries to conceal the malicious files in a PNG image. And the attack starts with a simple phishing PDF.
Malware distribution
It looks like Brazilian cybercriminals follow the security news – this type of attack was publicized several months ago in the US and now they are using the same method in Brazil. The phishing aspect used in this campaign distributes a PDF attached to the email. The file is clean. The type of attack is the same as that used to distribute an executable file or a .ZIP file containing the .pdf extension in the filename.
The attached PDF contains a text commonly used in mail content, while the link (see screenshot below) directs the user to the malicious file.
Closer inspection of the PDF content reveals the malicious link as well as the URL of the tool used to generate the PDF from HTML content.
The malicious payload
The link prompts us to download a malicious JAR which downloads a ZIP file containing other files. Among those files we found three without any extension, but containing a PNG (Portable Network Graphics) file header – a common image format. Usually the header shows the file type that will be used in order to open the file. Something similar to this was discovered some years ago in BMP files.
Looking at the file we can see that it is a solid color image of 63 x 48 pixels, but with a file size of 1.33 MB, which is too big for this specific image. Analyzing the binary that performs some operations on these files we identified the function that loads the PNG files to the memory:
This function is responsible for loading the PNG file to memory, decrypting and executing the extracted binary using a technique known as RunPE, where the malicious code is executed in the context of another process, in this case iexplore.exe.
From this code we could identify that the PNG file was only 179 bytes (0xB3) – the remaining content is the encrypted malicious file.
Based on this we managed to write a script to decrypt the content of the PNG files.
By giving the key that can be found in the malware code we can successfully decrypt the files.
Conclusion
Brazilian attacks are evolving day-by-day, becoming more complex and efficient. It is there necessary to be wary of emails from unknown sources, especially those containing links and attached files.
Since the malicious payload hosted in the PNG file cannot be executed without its launcher, it cannot be used as the main infector; that is usually delivered to your mailbox, so it has to be installed by a different module.
This technique allows the criminals to successfully hide the binary inside a file that appears to be a PNG image. It also makes the analysis process harder for antivirus companies as well as bypassing the automated process to detect malicious files on hosting servers.
The files related to this attack are detected by Kaspersky Lab products as:
Trojan.Win32.KillAv.ovo
HEUR:Trojan.Win32.Generic
Trojan-Downloader.Win32.Banload.cxmj
Trojan-Downloader.Win32.Agent.hgpf
HEUR:Trojan-Downloader.Java.Generic
Hospitals are under attack in 2016
24.3.2016 Zdroj: Kaspersky Computer Attack
The year 2016 started with a quite a number of security incidents related to hacks of hospitals and medical equipment. They include a ransomware attack on a Los Angeles hospital, the same in two German hospitals, a case of researchers hacking a patient monitor and drug dispense system, an attack on a Melbourne hospital and so on – in just two months of 2016! This should be a real concern for the security industry.
This is not a surprise actually. The industry of Internet of things is on the rise; and, of course, the medical devices industry is one of the biggest concerns in terms of security. Modern medical devices are fully-functional computers that have an operating system and applications installed on them; and most of these devices have a communication channel to the Internet, external networks and different types of custom cloud base servers. These devices are full of sophisticated state-of-art technologies made for one goal – to help doctors treat their patients at the highest level possible. But like all other industrial systems, they are built with a focus on these technologies – to be precise, to be helpful in terms of medical science, but putting security aspects in second or even third place. And this is a quite a concern right now. Program design architecture vulnerabilities, unsecured authorization, unencrypted communication channels and finally critical bugs in software – all this leads to potential compromises.
Unauthorized access to these devices could have serious effects: it could lead not only to theft of personal data – important as it is – but it could directly affect the health, or even the lives, of the patients. Sometimes it’s really scary how simple it is to hack into the hospital, stealing personal information from a medical device or getting access to this device with the possibility of obtaining access to file system, user interface, etc. Imagine a scenario – one that could be called a truly “targeted attack” – whereby cybercriminals with full access to the medical infrastructure at a specific facility can manipulate the results of diagnosis or treatment systems. Because doctors in some cases will depend heavily on these sophisticated medical systems, such manipulation could result in the wrong treatment being given to a patient, worsening his or her medical condition.
In the research that I showed at the Kaspersky Security Analysts Summit, I presented an example of how easy it was to find a hospital, get access to its internal networks and finally gain a control of an MRI device – locating personal data about patients, their personal information, treatment procedures and then getting access to the MRI device file system. The problem is not only one of weak protection of medical equipment, it has a much wider scope – the whole IT infrastructure of modern hospitals is not properly organized and protected, and the problem persists worldwide.
Let’s see how cybercriminals could perform their attacks. I highlighted three major flaws that I see when speaking about proper protection of a medical facility:
First of all – exposure to the Internet with weak or even no authorization at all.
There are a number of ways to find vulnerable devices, for example using the Shodan search engine. Using proper requests to Shodan you can find thousands of medical devices exposed to the Internet: a hacker could discover MRI scanners, cardiology equipment, radioactive medical and other related equipment connected to the Internet. A lot of these devices still operate under the Windows XP OS and have dozens of old, unpatched vulnerabilities that could lead to the full compromise of a remote system. Moreover, in some cases these devices have unchanged default passwords that could easily be found in manuals published on the Internet.
Shodan search results
When I was performing my research and penetration testing on a real hospital, I found a few devices connected to Internet, but they were protected quite well: no default passwords, no vulnerabilities in web control interfaces, etc. But even if the facility is protected from the Internet-side, it won’t stop a cybercriminal from looking for other methods to break in if his goal is to get access no matter what.
And here’s the second flaw – devices are not protected from being accessed from local networks.
In my case I just drove to the hospital location and discovered a number of Wi-Fi access points belonging to the hospital. One of them had a weak Wi-Fi password that I was able to crack within two hours. With this password I was able to get access to the internal hospital network; and I found the same medical equipment I previously discovered on the Internet, but with one major difference – now I was able to connect to them because the local network was a trusted network for them. Manufacturers of medical devices, when creating a whole system, protect them from external access. But for some reason they thought that if someone tries to access them internally – it’s trusted by default. This is radically wrong – do not rely on local system administrators and how they organize the internal network protection of a hospital.
This is where the third flaw comes in – vulnerabilities in software architecture.
When I connected to a device and passed through the default login screen, I immediately got access to the control interface and personal data and diagnosis information about hospital patients. But this is not what attracted my attention. There was a command shell implemented in the user interface giving me access to the file system on the device.
Patient MRI result
In my opinion, it’s a major vulnerability in the application design – even if there was no remote access at all, why would software engineers take this opportunity to provide command shell access to the doctor’s interface? It definitely should not be there by default. This is what I was talking about at the beginning. You can provide good protection from one side, but you can completely fail to pay attention to others; and someone who is planning an attack will likely discover something like this and will compromise the whole device.
The other concern about application vulnerabilities is of course outdated versions of operating systems and patch management difficulties. This is a completely different environment from the standard IT infrastructure for PCs or mobile devices; you cannot simply release a patch for a vulnerability and then upload it to medical devices. It’s a complex manual process and in many cases a qualified engineer is needed on the hospital site to perform a system upgrade and to test that the devices are working properly after the update. That takes time and money, so it’s essential to create a protected system from the very beginning – at the development stage – with as few application vulnerabilities as possible.
The vendors of medical equipment and hospital IT teams should pay close attention to the topic of medical cyber-security; they are now on the list of valuable targets in the cybercriminal underground. We will see a growing number of attacks on medical facilities in the year ahead, including targeted attacks, ransomware infections, DDoS, and even attacks to physically damage medical devices. And finally, the industry has started to pay attention – for example the U.S. Food and Drug Administration (FDA) issued guidance outlining important steps medical device manufacturers should take to continually address cyber-security risks to keep patients safe and to better protect the public health.
I would like to give some recommendations to the local IT personnel working in hospitals:
Be aware that cybercriminals are now targeting medical facilities, read about these incidents and try to figure out if the attack methods could affect your own infrastructure.
Stick as close to the implemented IT security policies as possible, and develop timely patch management and vulnerability assessment policies as well.
Focus not only on protecting your infrastructure from outside threats such as malware and hacker attacks but also on maintaining strict control over what’s going on inside your local network, who has access to what, and any other things that could lead to local systems being compromised.
Chinese hacker admitted hacking US Defense contractors
24.3.2016 Hacking
A Chinese national pleaded guilty yesterday, March 23, on charges with hacking trade secrets from US defense contractors.
A Chinese national pleaded guilty yesterday, March 23, on charges with hacking trade secrets from US defense contractors. The man, Su Bin (also known as Stephen Su and Stephen Subin), 50, had been charged in a 2014 indictment with hacking into the computer networks of US defense contractors, including the Boing. The hackers aimed to steal blueprints and intellectual property for the F-22 and F-35 fighter jets and C-17 transport aircraft. In January 2015, Edward Snowden revealed China stole designs for the US-built F-35 Fighter jet hacking computer systems at US Defense contractors, and provides details also a counter-intelligence operation run by the NSA.
According to Snowden, the US Intelligence was aware that Chinese cyber spies have stolen “many terabytes of data” about the design of Australia’s Lockheed Martin F-35 Lightning II JSF. The details of the operation are described in a set of top secret documents published by the Der Spiegel magazine.
Chinese hackers have allegedly stolen as much as 50 terabytes of data from the US Defense contractors, including the details of the fighter’s radar systems, engine schematics, “aft deck heating contour maps,” designs to cool exhaust gasses and the method the jet uses to track targets.
The purpose of the Chinese Government is to acquire intellectual property on advanced technologies, benefiting Chinese companies on the market and narrowed the gap in the research of advanced technological solution. Military experts speculated that the stolen blueprints could help the country to develop a new generation of advanced aircraft fighter, so-called “fifth-generation” fighters.
In 2014, according to a US criminal complaint, computers of Boeing and other military contractors have been hacked to steal intellectual property and trade secrets on transport aircraft. The initial attacks against Boeing likely occurred between Jan 14th and March 20th, 2010. The complaint is dated June 27th and was disclosed on July 2015, it describes how the attackers have spied on Boeing computer networks for a year, and then have compromised systems of the principal US Defense contractors to steal intellectual property. According to the information disclosed, the hackers were mainly interested in the C-17 military transport.
The US law enforcement agencies accused Su Bin, a Chinese businessman residing in Canada, of supporting two countrymen in the organization of cyber attacks on Boeing systems to collect information about the C-17 and other military programs.
Chinese hacker admitted hacking US Defense contractors
The criminal complaint revealed that Su Bin with two unnamed co-conspirators, identified as UC1 and UC2, were collecting technical information related to components and performance of the C-17 transport and Lockheed Martin’s F-22 and F-35 fighter jets. During the period related the first attacks against Boeing, Su Bin was operating in the United States, as confirmed by FBI Special Agent Noel Neeman in the complaint.
Su Bin was arrested on June 2014 month in Canada, Neeman revealed that an email attachment sent by UC1 claims the Chinese hackers exfiltrated 65 gigabytes of data over a couple of years, including information on the C-17 transport from Boeing systems. The FBI agent collected evidence of data theft from Boeing systems, but there is no proof that the data that the stolen information was classified. The email provides also information related to the huge effort spent by hackers to compromise the Boeing system, the document details the architecture of the internal network of Boeing, which includes 18 domains, 10,000 PC and a “huge quantities” of defense appliances.
“Through painstaking labor and slow groping, we finally discovered C-17 strategic transport aircraft-related materials stored in the secret network,” the document says.
He was sent to the United States in February 2016.
The hackers described the difficulties to breach the system avoid detection system deployed by Boeing.
“From breaking into its internal network to obtaining intelligence, we repeatedly skipped around in its internal network to make it harder to detect reconnaissance, and we also skipped around at suitable times in countries outside the U.S. In the process of skipping, we were supported by a prodigious quantity of tools, routes and servers, which also ensured the smooth landing of intelligence data.” states the report.
The complaint did not provide any description on how hackers have stolen information about the Lockheed Martin jet fighters.
Another document issued by the FBI described the communications between UC1 and UC2, which states that the Chinese hackers successfully acquired information about US military project by establishing hot points in the U.S., France, Japan and Hong Kong. This last document, according to the complaint, reveals that the subjects have received about $1 million to build a team and infrastructure outside of China, the investigators are working to understand who has funded the entire operation.
Now in a plea agreement filed in a California federal court, Su admitted to conspiring with two unnamed persons in China from October 2008 to March 2014 to hack network of US contractors and steal “sensitive military information and to export that information illegally from the United States to China.”
The Court documents did not provide details on who operated the cyber espionage campaign, but security and intelligence experts believe that Su was working for the Chinese Government.
“Su Bin admitted to playing an important role in a conspiracy, originating in China, to illegally access sensitive military data, including data relating to military aircraft that are indispensable in keeping our military personnel safe,” said Assistant Attorney General John Carlin.
“This plea sends a strong message that stealing from the United States and our companies has a significant cost; we can and will find these criminals and bring them to justice.”
Sentencing was set for July 13, when Su faces a maximum penalty of five years in prison and a monetary fine of $250,000 or twice the gross gain from the offense.
The US government will issue a final ruling on the case on July 13. The Chinese man faces a maximum penalty of five years in prison and a monetary fine of $250,000 or twice the gross gain from the offense.
Patch Java immediately or attackers can hack you
24.3.2016 Vulnerebility
The CVE-2016-0636 flaw affects Java SE running in web browsers on desktops, attackers can trigger it remotely to takeover your PC.
Once again a serious security vulnerability affects the Java Oracle software, the new flaw coded as CVE-2016-0636 scored a 9.3 on the Common Vulnerability Scoring System bug severity rating.
The CVE-2016-0636 vulnerability affects Java SE running in web browsers on desktops, this means that an attacker could set up a malicious web page to remotely take over a vulnerable PC. The new vulnerability may be remotely exploitable without authentication.
Java_Bugs
“This vulnerability may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.” states the Oracle Security Alert for CVE-2016-0636.
“Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS X are affected.”
This vulnerability applies to Java deployments that load and run untrusted code coming from the internet. This vulnerability is not applicable to Java deployments that run only trusted code and does not affect Oracle server-based software.
Due to the high severity of this CVE-2016-0636 vulnerability and the public disclosure of technical details it is essential to upgrade the Java software as soon as possible.
“Due to the severity of this vulnerability and the public disclosure of technical details, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.” states Oracle.
Releases installed by Windows users are automatically updated, Oracle released an update version of Java, Java SE 8u77.
Israeli Cellebrite firm is helping FBI in cracking San Bernardino shooter’s iPhone
24.3.2016 Apple
The Israeli Cellebrite firm is helping the Federal Bureau of Investigation (FBI) in unlocking San Bernardino shooters’ iPhone.
In the last weeks, we have followed the case of the San Bernardino shooter’s iPhone that a few days ago reached an unexpected conclusion, the FBI announced on Monday to have found a way to unlock the mobile device without the Apple’s help.
The court filing doesn’t provide technical details on the technique, but confirmed that an independent party demonstrated to the US authorities a technique for unlocking the controversial iPhone.
“On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone,” revealed the lawyers for the US Government in a court filing Monday afternoon. “Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case,”
Now the name of the company is circulating on the Internet, it is the Israeli mobile forensics firm Cellebrite that is one of the leading companies in the world in the field of digital forensics. The company already works with the principal law enforcement and intelligence agencies worldwide.
Cellebrite provides the FBI with decryption technology as part of a contract signed in 2013, its technology allows investigators to extract information from mobile devices.
“Cellebrite’s technology is able to extract valuable information from cellular devices that could be used in criminal and intelligence investigations, even if the phone and the information it contains are locked and secure.” states a blog post published on the Israeli YNetNews.
The website of the Cellebrite company confirms that its technology allows investigators to unlock Apple devices running iOS 8.x.
“Cellebrite’s Advanced Investigative Services (CAIS) offers global law enforcement agencies a breakthrough service to unlock Apple devices running iOS 8.x. This unique capability is the first of its kind – unlock of Apple devices running iOS 8.x in a forensically sound manner and without any hardware intervention or risk of device wipe.” reports the company website.“Cellebrite’s unlocking capability supports the following devices: iPhone 4S / 5 / 5C, iPad 2 / 3G / 4G,iPad mini 1G, and iPod touch 5G running iOS 8 – 8.0 / 8.0.1/ 8.0.2 / 8.1 / 8.1.1 / 8.1.2 / 8.1.3 / 8.2/ 8.3 / 8.4 / 8.4.1.”
One of its main solutions designed by the company is the Universal Forensic Extraction Device (UFED) that could be used to extract all data and passwords from mobile phones.
If Cellebrite will be able to crack the San Bernardino shooter’s iPhone, the FBI will no longer need the Apple’s help.
cellebrite ufed-touch
According to public documents, the FBI Feds committed to a $15,278 “action obligation” with Cellebrite.
At the time I was writing there were no details of the contract between the FBI and the Cellebrite firm.
Israeli Forensic Firm 'Cellebrite' is Helping FBI to Unlock Terrorist's iPhone
23.3.2016 Apple
Meet the security company that is helping Federal Bureau of Investigation (FBI) in unlocking San Bernardino shooters’ iPhone:
The Israeli mobile forensics firm Cellebrite.
Yes, Cellebrite – the provider of mobile forensic software from Israel – is helping the FBI in its attempt to unlock iPhone 5C that belonged to San Bernardino shooter, Syed Rizwan Farook, the Israeli YNetNews reported on Wednesday.
The company's website claims that its service allows investigators to unlock Apple devices running iOS 8.x "in a forensically sound manner and without any hardware intervention or risk of device wipe."
If Cellebrite succeeds in unlocking Farook’s iPhone, the FBI will no longer need Apple to create a backdoored version of its iOS operating system that could let it access data on Farook's locked iPhone 5C.
Apple is engaged in a legal encryption battle with the US Department of Justice (DoJ) over a court order that forces the company to write new software, which could disable passcode protection on Farook's iPhone 5C.
However, Apple is evident on its part, saying that the FBI wants the company to create effectively the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
FBI Committed $15,278 "action obligation" with Cellebrite
The revelation comes just two days after the DoJ suspended the proceedings at least until next month. The FBI told a federal judge Monday that it need some time to test a possible method for unlocking the shooter's iPhone for which they have hired an "outside party".
According to public records, the same day the Feds committed to a $15,278 "action obligation" – the lowest amount the government has agreed to pay – with Cellebrite.
Many details of the contract are not yet available, and neither the FBI nor Cellebrite has officially commented on their contract publicly.
Watch Video: Here’s What Cellebrite Can Do
Founded in 1999, Cellebrite provides digital forensics tools and software for mobile phones. One of its main products is the Universal Forensic Extraction Device (UFED) that claims to help investigators extract all data and passwords from mobile phones.
For the company's hand on iOS devices, you can watch the 2015 YouTube video (above), demonstrating one of Cellebrite's products that unlocked the device in several hours.
Now the question is:
If the FBI found its iPhone backdoor that has the potential to affect hundreds of millions of Apple users…
Will the FBI report the flaw to Apple or keep it to itself? Let us know in the comments below.
Warning! Think Twice Before Using USB Drives
23.3.2016 Safety
Security researchers have discovered a new data-stealing Trojan that makes special use of USB devices in order to spread itself and does not leave any trace of activity on the compromised systems.
Dubbed USB Thief ( or Win32/PSW.Stealer.NAI), the malware has the capability of stealthy attacking against air-gapped or isolated computers, warns ESET security firm.
The malware author has employed special programs to protect the USB Thief from being reproduced or copied, making it even harder to detect and reverse-engineer.
USB Thief has been designed for targeted attacks on computer systems that are isolated from the Internet, according to the ESET malware analyst Tomáš Gardoò.
The 'USB Thief' Trojan Malware
The USB Thief Trojan malware is stored either as a portable application's plugin source or as a Dynamically Linked Library (DLL) used by the portable application.
Since USB devices often store popular applications like Firefox, Notepad++ or TrueCrypt portable, once any of these applications is executed, the malware starts running in the background.
USB Thief is capable of stealing data from air-gapped systems – systems that are isolated from the Internet and other external networks.
"Well, taking into account that organizations isolate some of their systems for a good reason," explained Peter Stancik, the security evangelist at ESET. "Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous."
The malware runs from a USB removable device, so it don’t leave any traces of its activities, and thus, victims do not even notice that their data had been stolen.
Since the malware is bound to a single USB device, it prevents USB Thief from leaking from the infected computers.
Besides this, USB Thief utilizes a sophisticated implementation of multi-staged encryption that makes the malware harder to detect and analyse.
"This is not a very common way to trick users, but very dangerous," Stancik said. "People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy."
Here's How you can Protect from being Infected:
Do not use USB storage devices from non-trustworthy sources.
Turn off Autorun
Regularly backup your data
More technical details are available on ESET Ireland’s official blog.
Badlock — Unpatched Windows-Samba Vulnerability Affects All Versions of Windows
23.3.2016 Vulnerebility
Security researchers have discovered a nasty security vulnerability that is said to affect almost every version of Windows and Samba and will be patched on April 12, 2016, the Samba development team announced Tuesday.
So, Save the Date if you are a Windows or Samba file server administrator.
Samba is a free, open source implementation of the SMB/CIFS network file sharing protocol that runs on the majority of operating systems available today, including Windows, UNIX, Linux, IBM System 390, and OpenVMS.
Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to communicate with the same networking protocol as the Windows products, thus enabling users to access network shared folders and files from Windows OS.
Dubbed Badlock, the vulnerability has been discovered by Stefan Metzmacher, a developer of Samba Core Team.
Details about the Badlock vulnerability will be disclosed on April 12, when the developers of Microsoft and Samba release security patches to fix the flaw.
With a proper name, website and even logo, Badlock seems to be another marketed vulnerability that will likely be exploited by hackers once its details become public.
Here's what Badlock.org website reads:
On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th.
Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It's April 12th, 2016.) Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.
Although this sort of pre-notification is appreciated, especially for system administrators to help them apply the patch as soon as possible, the security blunder could also benefit the bad guys.
Security experts also believe that the available information might be enough for malicious hackers to independently find Badlock and exploit the vulnerability before a patch is released.
Three Syrian Electronic Army Hackers are in the FBI Most Wanted
23.3.2016 Crime
Three members of the Syrian Electronic Army hacker crew have been inserted by the US authorities in the list of most wanted criminals.
The Syrian Electronic Army, aka SEA, is considered one of most dreaded hacking crew that first appeared in 2011. According to the report “Syrian Electronic Army – Hacktivision to Cyber Espionage?,” published in 2014, in the beginning, the Syrian Electronic Army was mainly politically motivated, members of the collective hacked to spread political messages pro Syrian President Bashar Al-Assad.
But over time, the group has increased its popularity, targeting principal enterprises like Microsoft and Twitter, and media agencies like The New York Times, Reuters, the Associated Press, E! Online, Time, CNN, The Washington Post, The Daily Dot, Vice, Human Rights Watch, Harvard University, NASA and The Onion.
The list of victims of the Syrian Electronic Army also includes the US CENTCOM and the White House.
As revealed by the reports the “SEA has evolved into the realm of global espionage, where some of their targets are “C” level executives at technology and media companies, allied military procurement officers, United States defense contractors, and foreign attaches and embassies.”
Now three members of the Syrian Electronic Army were inserted by the FBI in the FBI Most Wanted List, they are:
Ahmad Umar Agha (aka The Pro), 22
Firas Dardar (aka The Shadow), 27
Peter Romar, 36
The three alleged members of the hacker collective are thought to be actually resident in Syria, it is impossible to arrest them over there.
The US Department of Justice and the Federal Bureau of Investigation (FBI) are willing to pay $100,000 reward for any information that leads to the capture of the alleged leaders of the Syrian Electronic Army.
Agha and Dardar have been added to the FBI’s Most Wanted list.
The authorities believe that Ahmad Umar Agha and Firas Dardar were involved in the hacking of the Twitter Account of the Associated Press in April 2013, the hackers spread fake news of a cyber attack against the White House that had a serious effect on the stock market.
The hackers were involved in numerous hacking and propaganda campaigns from 2011 to 2013.
“According to allegations in the first complaint, beginning in or around 2011, Agha and Dardar engaged in a multi-year criminal conspiracy under the name “Syrian Electronic Army” in support of the Syrian Government and President Bashar al-Assad. ” reads the US Department of Justice (DoJ) statement .
“The conspiracy was dedicated to spear-phishing and compromising the computer systems of the US government, as well as international organizations, media organizations and other private-sector entities that the SEA deemed as having been antagonistic toward the Syrian Government”
The FBI tracked the hackers online, in particular, the authorities obtained court orders to search their online accounts on Gmail and Facebook platforms. The hackers, in fact, used the popular services to communicate and exchange the stolen data.
The charges for Agha and Dardar are each charged with multiple conspiracies related to computer hacking including:
Engaging in a hoax regarding a terrorist attack
Attempting to cause mutiny of the US armed forces
Access device fraud
Illicit of authentication features
Unlawful access to stored communications
Unauthorized access to, and damage of, computers
Dardar and Pierre Romar, are separately charged with conspiracies related to:
Unauthorized access to, and damage of, computers
Receiving the proceeds of extortion
Money laundering
Wire fraud
Violations of the Syrian Sanctions Regulations
Nation-state hacking or cybercrime?
This is the position of the U.S. Assistant Director Trainor.
“Cybercriminals cause significant damage and disruption around the world, often under the veil of anonymity,” said Assistant Director Trainor. “As this case shows, we will continue to work closely with our partners to identify these individuals and bring them to justice, regardless of where they are.”
“These three members of the Syrian Electronic Army targeted and compromised computer systems in order to provide support to the Assad regime as well as for their own personal monetary gain through extortion,” said Assistant Director in Charge Abbate. “As a result of a thorough cyber investigation, FBI agents and analysts identified the perpetrators and now continue to work with our domestic and international partners to ensure these individuals face justice in the United States. I want to thank the dedicated FBI personnel, federal prosecutors, and our law enforcement partners for their tremendous efforts to ensure on-line criminal activity is countered, U.S. cyber infrastructure is safeguarded, and violators are held accountable under the law.”
“The tireless efforts of U.S. prosecutors and our investigative partners have allowed us to identify individuals who have been responsible for inflicting damage on U.S. government and private entities through computer intrusions,” said U.S. Attorney Boente. “Today’s announcement demonstrates that we will continue to pursue these individuals no matter where they are in the world.”
All of the three alleged members are thought to be resident in Syria. The United States government is inviting tip-offs.
The FBI is investigating ransomware-based attack at Methodist Hospital
23.3.2016 Virus
The FBI is investigating cyber-attack at Methodist Hospital in Henderson, once again a ransomware hit a critical infrastructure.
Ransomware is one of the most dangerous cyber threats for businesses and government organizations, the number of infections worldwide is in constant increase. Recently I reported the discovery in the wild of the a new variant of the TeslaCrypt, meanwhile security firms are warning on a spike in the number of attacks bases on the Locky malware.
What happen when ransomware hits a critical infrastructure?
The impact could be serious, in the last months, a ransomware hit Israeli Public Utility Authority with a severe impact on its operations, meanwhile several attacks hit computer systems of hospitals in the US and Germany.
In February, two German hospitals were infected by a ransomware, in a similar way occurred recently at the US Hollywood Presbyterian Medical Center. The Los Angeles hospital paid about $17,000 to the crooks for restoring patients’ files.
News of the day, the systems at another US hospital have been infected by ransomware, it is the Methodist Hospital in Kentucky that’s been infected.
According to NewsChannel10, the Methodist Hospital in Henderson was hit my a ransomware that locked patients’ files and is demanding money for to regain access to them. Officials say that the hospital paid about $17,000 to those hackers for the access back to the patients’ files.
“In the past, we haven’t seen crimes in such a large scale like Methodist,” said KSP trooper Shane Settle. “In general, the more a criminal commits a crime, the more confident they get, especially if they get away with it. I think that’s what you’re seeing here is they are shooting for a much larger target and more money.”
“We’ve notified the FBI, we’re dealing with federal authorities on how to deal with it,” said David Park, Methodist Hospital COO. “Depending upon the number of records that were locked, depends upon whether we’re going to consider looking into whether we pay anything or not.”
The ransomware copies the patients’ files, encrypted them and then the deleted the originals. The good news is that the IT staff at the Methodist Hospital in Henderson has updated backups, this drastically limits the effects of the ransomware on the infrastructure.
In a press release, Methodist Hospital officials reassured patients their information is secure, the hospital is currently working with a backup infrastructure while the internal staff is sanitizing the systems
ransomware hit Methodist Hospital Henderson
We must expect similar attacks in the next future, medical data are a precious commodity in the underground.
According to The Ponemon Institute’s 2015 Global Cost of Data Breach Study, the health care industry suffered the highest costs that were estimated at an average of $363 per record, a data that doesn’t surprise the experts due to the higher value of medical records respect credit card data.
A set of complete health insurance credentials sold for $20 on the underground markets in 2013 — 10 to 20 times the price of a U.S. credit card number with a security code, according to Dell.
Caleb Barlow, vice president at IBM Security, explained that data in a medical record have a much longer shelf life than that of a credit card number.
“With credit cards, the time frame from the breach to mitigation is very short,” Barlow explained. “But the health care record can be used to establish access in perpetuity,” “it can be used to establish credit or steal your identity ten or fifteen years from now,” he added. “Once this information is out there, you can’t get the genie back in the bottle.”
UPDATED – Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro
23.3.2016 Crime
Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro, it is a terror attack. Panic and chaos in the city. The IS claims the responsibility for the attack.
This morning the Europe has fallen again in terror, just months after the Paris attacks a new wave of attacks hit the West. This morning a sequence of explosions have been detonated at Brussels Airport in an alleged suicide bomber terror attack.
“We can confirm that there have been two explosions in the departure hall. We called the emergency services on the ground – they [are] now provid[ing] first aid to the injured.” said Anke Fransen, spokeswoman for the Brussels Airport.
The first two Brussels explosions have hit the departure hall at the international Zaventem airport shortly before 8am, next to the American Airlines check-in desk. Other explosions have been detonated at the Schuman and Malbeek metro station, not far from the EU headquarters. The explosions at a metro station in Maalbeek occurred one hour later.
Brussels explosions maps
Source FT.com
A government source confirmed to VRT broadcaster that it was a terror attack, the number of victims is increasing minute after minute, last news reports at least 34 dead and hundreds people injured.
“A Belgian news agency is reporting that shots were fired and words in Arabic were heard being shouted before the blasts.” reported the British Mirror.
Brussels explosions
Source FT.comr.
Local authorities are inviting people to not come near the area under attack.
Brussels Airport’s Twitter account told followers: “There have been 2 explosions at the airport.
Local media reported that as many as 14 people were killed at the airport, with hundreds injured, and 20 killed at the metro station. These numbers are not official and must be confirmed by the authorities.
The Brussels explosions come only a day after the Belgium’s interior minister, Jan Jambon, warned possible terror attacks after the recent arrest Salah Abdeslam, one of the participants of the Paris terror attacks.
My thoughts are with the people of Brussels following these ignoble attacks.
From a cyber security perspective, I invite all to remain vigilant, crooks will try to exploit the media attention on the Brussels explosions sharing bogus videos and malicious link. It is likely we will detect a phishing campaign trying to exploit the event.
Pierluigi Paganini
(Security Affairs – Brussels explosions, terror attack)
Update 2016-03- 22, 14:00 GMT
The blood feud is lengthy, o dogs of Europe… Did you think for a day that we would forget to avenge your occupation of the Muslims’ lands?”
1/2 One top #ISIS distribution account celebrated #Brusselsattack: “”The blood feud is lengthy, o dogs of Europe…
Update 2016-03- 23, 11:30 GMT
According to La Derniere Heure press, the man arrested isn’t Najim Laachraoui.
Update 2016-03- 23, 10:00 GMT
Attack in Brussels, authorities arrested the third man, the alleged the artificer.
Update 2016-03- 23, 9:00 GMT
The authorities have identified two suicide bombers, the brothers Khaled and Ibrahim El Bakraoui. The third man that wears a hat on the right would be the artificer of the group and according to the intelligence, he is the same artificer of the Paris attacks.
FBI may have found a New Way to Unlock Shooter's iPhone without Apple
23.3.2016 Apple
There's more coming to the high-profile Apple vs. FBI case.
The Federal Bureau of Investigation (FBI) might not need Apple's assistance to unlock iPhone 5C that belonged to San Bernardino shooter, Syed Rizwan Farook.
If you have followed the San Bernardino case closely, you probably know everything about the ongoing encryption battle between the FBI and Apple.
In short, the US Department of Justice (DOJ) wants Apple to help the FBI create a backdoored version of its iOS operating system that could let it access data on Farook's locked iPhone 5C.
Apple, meanwhile, is evident on its part, saying that the FBI wants the company to effectively create the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
FBI to Apple: We'll Unlock iPhone by Our Own
Now the Feds say they may be able to crack the iPhone without the Apple's assistance after all.
In a court filing [PDF] submitted on Monday in a central California federal court, the DOJ requested a motion to cancel a Tuesday hearing and to suspend the proceedings at least until next month.
United States Magistrate Sheri Pym, the judge who previously ordered Apple to help the FBI unlock the encrypted iPhone, granted the request.
The cancelled hearing is because the FBI wants some time to test an alternate method for unlocking the shooter's iPhone that will not involve Apple building a backdoored iOS version.
Although the DOJ declined to comment on who is providing help to the FBI, this doesn't mean the case has been closed because the Feds still have to make sure their new technique will work.
"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," the motion reads.
"Testing is required to determine whether it is a [feasible] method that'll not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case."
FBI Wants Encryption Backdoor to Unlock More iPhones
The Feds likely already discovered this alternative method, but sought Apple's help to create a backdoor so that they could exploit the precedent for solving other pending cases, as the agency is seeking Apple's help to unlock iPhones in at least nine other cases.
But, there are some points the FBI must keep in mind before trying their alternate way to get into Farook's iPhone 5C.
If you copy the hard drive, all the data from the iPhone will remain scrambled, which will be of no use.
If you enter 10 wrong passwords, the whole iPhone will be wiped off, which means if your method fails, you'll never recover the data from the shooter's iPhone.
However, if the FBI method isn't able to unlock Farook's iPhone, the agency will again have to go back to the court to enforce the order on Apple.
Who, according to you, is this outside party?
Hacker? Security researcher? Or some Cyber-forensic expert? Let us know in the comments below.
Cyber attacks on systems at a water utility, a scaring reality
23.3.2016 Computer Attack
According to the recent Verizon breach digest for March 2016 hackers breached a water utility and manipulated systems for water treatment and flow control.
The story that I’m telling you is very disturbing, according to the Verizon breach digest for March 2016 a group of hackers breached a water utility and manipulated systems for water treatment and flow control.
The Verizon breach digest reports a number of cyber attacks including one against an unnamed water utility, described in the document as the Kemuri Water Company (KWC).
The operator behind the water utility hired Verizon to assess its systems, during the investigation the experts discovered evidence of cyber attacks.
The experts discovered a desolating situation, a number of systems affected by critical vulnerabilities were publicly exposed on the Internet and the overall architecture was including outdated operation technology (OT) systems.
“The OT end of the water district relied heavily on antiquated computer systems running operating systems from ten plus years ago.” states the report.
The entire control infrastructure was relying on an IBM AS/400 system, a system dated 1988, that was used by the operator to control every OT device in the facility (i.e. valve and flow control applications) and IT functions (i.e. billing). More disconcerting the fact that a single employee, or an attacker, could manage the entire utility by accessing the IBM AS/400 system. If a data breach were to occur at KWC, this SCADA platform would be the first place to look.
“Even more concerning, many critical IT and OT functions ran on a single AS400 system. KWC referred to this AS400 system as its “SCADA platform.” This system functioned as a router with direct connections into several networks, ran the water district’s valve and flow control application that was responsible for manipulating hundreds of Programmable Logic Controllers (PLCs), housed customer PII and associated billing information, as well as KWC’s financials.”
Experts discovered that the KWC facility was targeted by hacktivists had that breached the internal architecture by exploiting a vulnerability in the payment application web server.
Once compromised the server, the attackers obtained the internal IP address and admin login credentials for the AS/400 system, this information was used to steal 2.5 million records containing customer and payment data. Fortunately the attackers haven’t used the stolen data to carry on fraudulent activity.
By accessing the AS/400 system the attackers were also able to completely gain control over water flow and the amount of chemicals used to treat the water.
During the 60-day period of the assessment, the experts discovered four connections to systems at the water utility. The threat actors modified application settings, fortunately without having the necessary knowledge to cause serious damage. The good news is that alerting systems allowed an early identification of any anomaly in controlled processes.
Now image possible effects of a cyber-attack launched by a persistent nation-state attacker with a deep knowledge of the internal process at the water utility.
FBI may have found a New Way to Unlock Shooter's iPhone without Apple
22.3.2016 Apple
There's more coming to the high-profile Apple vs. FBI case.
The Federal Bureau of Investigation (FBI) might not need Apple's assistance to unlock iPhone 5C that was belonged to San Bernardino shooter Syed Rizwan Farook.
If you have followed the San Bernardino case closely, you probably know everything about the ongoing encryption battle between the FBI and Apple.
In short, the US Department of Justice (DOJ) wants Apple to help the FBI create a backdoored version of its iOS operating system that could let it access data on a locked iPhone 5C belonged to Farook.
Apple, meanwhile, is evident on its part, saying that the FBI wants the company to effectively create the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
FBI to Apple: We'll Unlock iPhone by Our Own
Now the Feds say they may be able to crack the iPhone without the Apple's assistance after all.
In a court filing [PDF] submitted on Monday in a central California federal court, the DOJ requested a motion to cancel a Tuesday hearing and to suspend the and proceedings at least until next month.
United States Magistrate Sheri Pym, the judge who previously ordered Apple to help the FBI unlock the encrypted iPhone, granted the request.
The cancelled hearing is because the FBI wants some time to test an alternate method for unlocking the shooter's iPhone that will not involve Apple building a backdoored iOS version.
Although the DOJ declined to comment on who is providing help to the FBI, this doesn't mean the case has been closed because the Feds still have to make sure their new technique will work.
"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," the motion reads.
"Testing is required to determine whether it is a [feasible] method that'll not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case."
FBI Wants Encryption Backdoor to Unlock More iPhones
Probably the Feds already had this alternative method with themselves, but they were seeking Apple's help to create a backdoor for them so that they could exploit it to solve other pending cases, as the agency is seeking Apple's help to unlock iPhones in at least nine other cases.
But, there are some points the FBI must keep in its mind before trying their alternate way to get into Farook's iPhone 5C.
If you'll copy the hard drive, all the data from the iPhone will remain scrambled, which will be of no use.
If you'll enter 10 wrong passwords, whole iPhone will be wiped off, which means if your method gets failed, you'll never recover the data from the shooter's iPhone.
However, if the FBI method isn't able to unlock Farook's iPhone, the agency will again have to go back to the court to enforce the order on Apple.
Who, according to you, is this outside party?
Hacker?, Security researcher? Or some Cyber-forensic expert? Let us know in the comments below.
The FBI might be able to crack the San Bernardino terrorist’s iPhone without Apple’s help
22.3.2016 Apple
The US authorities announced on Monday they may have found a way to unlock the San Bernardino shooters iPhone without the Apple’s help.
The FBI says it may have discovered a method to bypass Apple security measures and unlock access the iPhone used by one of the San Bernardino attackers, and a today scheduled court hearing in the case has been postponed.
We have discussed a lot on the case FBI vs Apple, last week DOJ released a brief filing that threatens to force Apple to hand over the iOS source code if it will not help FBI in unlocking the San Bernardino shooter’s iPhone, meanwhile Edward Snowden accused the FBI of lying about his ability to unlock the mobile device.
The legal battle between Apple and the FBI raised the debate about the implementation of strong encryption in commercial products, a design choice that doesn’t allow authorities to conduct crime investigations. On December 2015, Hillary Clinton called tech companies to create a Manhattan Project for Encryption.
Now it seems that we are at the terminus, on Sunday, March 20, 2016, an independent party demonstrated to the US authorities a technique for unlocking the controversial iPhone.
“On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone,” revealed the lawyers for the US Government in a court filing Monday afternoon. “Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case,”
The court filing doesn’t provide technical details on the technique, but this could represent the end of the fights, at least one important truce. Several third parties provided the FBI a number of suggestions for how it could crack the iPhone.
San Bernardino case Apple vs FBI
Apple is also worried that the San Bernardino case could set a legal precedent that would force IT giants to provide government access to users’ data even when these are protected by encryption.
In a court filing Monday, the FBI confirms that its experts have continued to look for a method to crack iPhone devices, even without the Apple’s help.
“Our top priority has always been gaining access into the phone used by the terrorist in San Bernardino,” explained the Justice Department spokeswoman Melanie Newman. “With this goal in mind, the FBI has continued in its efforts to gain access to the phone without Apple’s assistance, even during a month-long period of litigation with the company.”
Many experts speculate the FBI plans to access data by cloning the device until it is not able to guess the secret passcode. Basically, the experts will make an attempt to find the password for each against each copy.
Anyway, whatever method FBI will use, the government will file a status report by April 5, reveal the results of the procedure.
The unique certainly at the moment is the suspension of the order requiring Apple to help the FBI.
On the other side, Apple’s lawyers confirmed that the company will never provide help to the FBI.
Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro
22.3.2016 Crime
Brussels explosions, dozens dead after blasts at Zaventem airport and Maalbeek metro, it is a terror attack. Panic and chaos in the city. The IS claims the responsibility for the attack.
This morning the Europe has fallen again in terror, just months after the Paris attacks a new wave of attacks hit the West. This morning a sequence of explosions have been detonated at Brussels Airport in an alleged suicide bomber terror attack.
“We can confirm that there have been two explosions in the departure hall. We called the emergency services on the ground – they [are] now provid[ing] first aid to the injured.” said Anke Fransen, spokeswoman for the Brussels Airport.
The first two Brussels explosions have hit the departure hall at the international Zaventem airport shortly before 8am, next to the American Airlines check-in desk. Other explosions have been detonated at the Schuman and Malbeek metro station, not far from the EU headquarters. The explosions at a metro station in Maalbeek occurred one hour later.
Brussels explosions maps
Source FT.com
A government source confirmed to VRT broadcaster that it was a terror attack, the number of victims is increasing minute after minute, last news reports at least 34 dead and hundreds people injured.
“A Belgian news agency is reporting that shots were fired and words in Arabic were heard being shouted before the blasts.” reported the British Mirror.
Brussels explosions
Source FT.comr.
Local authorities are inviting people to not come near the area under attack.
Brussels Airport’s Twitter account told followers: “There have been 2 explosions at the airport.
Local media reported that as many as 14 people were killed at the airport, with hundreds injured, and 20 killed at the metro station. These numbers are not official and must be confirmed by the authorities.
The Brussels explosions come only a day after the Belgium’s interior minister, Jan Jambon, warned possible terror attacks after the recent arrest Salah Abdeslam, one of the participants of the Paris terror attacks.
My thoughts are with the people of Brussels following these ignoble attacks.
From a cyber security perspective, I invite all to remain vigilant, crooks will try to exploit the media attention on the Brussels explosions sharing bogus videos and malicious link. It is likely we will detect a phishing campaign trying to exploit the event.
Tor Project and the new anti-tampering measures for its software
22.3.2016 Security
Tor Project revealed how the organization has conducted a three-year long work to improve its ability to detect fraudulent software.
The experts at the Tor Project are working to improve the resilience of the anonymizing network to cyber attacks, in particular, they aim to quickly detect any surveillance activity conducted by tempering the Tor system.
The researchers fear that the US Government could interfere with the Tor project by requesting the organization to turn over critical information that would compromise the security of the network and cause in de-anonymization of the users.
Mike Perry from the Tor Project, highlighted that the organization has never received a legal demand to place a backdoor in its source code, nor have we received any requests to hand over cryptographic signing material.
directory authorities Tor network 2Tor Project
The Tor Browser is an open source, this means that everyone could analyze it, the organization also implements several mechanisms to ensure the security and integrity of its software.
Now the experts want more, they are exploring further improvements to eliminate single points of failure, so that even if a threat actor obtains our cryptographic keys, the anonymizing network would be able to detect the anomalous activity. The development team behind the Tor Project is designing the system in such a way to make visible any change to the original source code.
“For this reason, regardless of the outcome of the Apple decision, we are exploring further ways to eliminate single points of failure, so that even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue.” wrote Mike Perry.
“From an engineering perspective, our code review and open source development processes make it likely that such a backdoor would be quickly discovered.” he added.
To distribute a tampered version of the Tor Browser it would be required the access to two cryptographic keys:
the SSL/TLS key that secures the connection between a user and Tor Project servers; plus the key used to sign a software update.
the key used to sign a software update;
“Right now, two keys are required, and those keys are not accessible by the same people,” explained Perry. “They are also secured in different ways.”
Even if a persistent attacker is able to obtain the two keys, in theory, users would be able to check the software’s hash and discover any modification by checking it.
Who Viewed Your Profile on Instagram? Obviously, Hackers!
22.3.2016 Hacking
Are you curious about who viewed your profile on Instagram?
This is probably the most frequently asked question nowadays, and there are several applications available on Google Play Store and Apple App Store, which claims to offer you the opportunity to see who is looking at your Instagram profile.
But, should we believe them?
Is there really some kind of way out to know who viewed your Instagram profile?
The shortest answer to all these questions is 'NO', such functionality does not exist on Instagram at the moment.
But, thousands of users still have hope and hackers are taking advantage of this to target a broad audience.
Recently, security researchers have discovered some malicious applications on Android Google Play Store as well as iOS App Store, which are entirely a hoax, targeting Instagram users.
Who-Viewed-Me-on-Instagram
The iOS app is named "InstaCare - Who cares with me?" and is one of the top apps in Germany, while the Android app is dubbed "Who Viewed Me on Instagram" that has more than 100,000 downloads and 20,000 reviews.
Both the apps are developed by Turker Bayram – the same developer who created the malicious "InstaAgent" app for Android and iOS platform late last year that secretly stole users’ Instagram credentials.
The recent applications by Bayram also have the same functionality, luring Instagram users into believing that the app would let them know who viewed their profile. The app claims to:
Show you up to most recent 100 lists for your Instagram profile.
Display your friend list in order, who cares your profile most with your profile interaction.
But in reality…
The malicious apps abuse the authentication process to connect to Instagram and steal user's Instagram username and password, according to a blog post published by David Layer-Reiss from Peppersoft.
Since third party applications use API to authenticate themselves with the legitimate apps, users generally provide their same credentials to authenticate with different applications and services.
Here's How an App Can Hack Your Instagram Accounts
Today, it is quite easy for hackers to target large audience – Just abuse the name of a popular application and give users option beyond the legitimate one.
Users will simply provide their critical data, including their credentials, without knowing its actual consequences.
Once users install 'InstaCare' or 'Who Viewed Me on Instagram' on their iOS or Android device, they are immediately served a login window that forced victims to log in with their Instagram credentials.
Since the apps advertise itself to show you who viewed your Instagram profile, most users fall victim to the apps and enter their account credentials without a second thought.
The usernames and passwords are then encrypted and sent to the attacker's server. The attacker will then use those credentials later to secretly log on and take full control of the hacked Instagram accounts and post spams on the user's behalf.
Security researchers from Kaspersky Labs also confirmed David's findings. You can refer Kaspersky's blog post for more technical details on the malicious apps.
At the time of writing, neither Apple nor Google has removed the malicious apps from their official App Stores, which means that the malicious apps are still available to users for download.
who-viewed-my-profile-on-Instagram
It's not at all surprising that the play stores are surrounded by a number of malicious apps that may gain users' attention to fall victim for one.
But, the fact that both Apple and Google got fooled again by the same developer shows how hard it is to keep an eye on a developer who already published a malicious app and to manage the app stores in a secure manner.
Here's How to Protect Yourself
If you've already installed one of these apps and have now seen the error of your ways, and remove the culprit from your apps list too.
So if you have already fallen victim to this scam, hurry up!
Uninstall the apps mentioned above from your smartphone if you have one.
Change your Instagram password immediately.
For better security, enable two-factor authentication on your Instagram account.
Who viewed your Instagram account? And who stole your password?
22.3.2016 Zdroj: Kaspersky Hacking
Mobile applications have become one of the most efficient attack vectors, and one of the favorite methods of cybercriminals is the abuse of popular applications. Maybe you would think twice before installing any application that asks for the credentials you use to connect to your social networks, email accounts or cloud storage services?
Recently, a malicious application called “InstaCare – Who cares with me” was released via Google Play Store and App Store. David Layer-Reiss from Peppersoft, a mobile development company from Germany who discovered this threat, provided a good analysis on his blog.
This application serves as a hook to lure Instagram users, pretending to let them know who has viewed their profile; but in reality it abuses the authentication process to connect to Instagram.
In fact, it’s common for many applications to use API’s or authorization protocols such as OAuth to authenticate with third-party applications. This is very convenient for users as they can use the same credentials to authenticate with different applications and services.
The problem here is that this feature can be used maliciously for some applications to gain access to the user’s information, such as their profile and contacts, or to steal their credentials.
This isn’t the first time that this has happened. Last year we published some blog posts outlining where attackers had used malicious applications or email campaigns. Either to steal the user’s credentials – Stealing to the sound of music; or just to get access to user information – Fraudsters can have rights, too; sometimes using popular applications as a cover – Del phishing al acceso persistente (Spanish).
This kind of strategy is very successful. In this particular case, the Android version of this application alone was installed on more than 100K devices with more than 20K reviews, most of them saying that you have to pay in order for it to work correctly.
As with Google Play, we can also find some users in the App Store complaining about problems after installing this app.
It is interesting that this application was able to pass the Apple security checks and was published without any problem, even though its controls are more restrictive, without mentioning that apparently this developer already had a history of having published a malicious application before.
Attack vector
This attack installs JavaScript code into the Submit button on the Instagram login page as soon as the page has finished loading.
This code gets the content of the input fields named “username” and “password” and stores it in the local variable named “str” with the pattern “<username>,-UPPA-,<password>”. After that, it calls the function “processHTML” which stores the collected data in a class variable.
Other information is also collected from the user’s device and sent to the C&C via a POST request.
The value of the parameter “hash” is the data shown in the image above plus the Instagram username and password. This value is encrypted with AES 128 and then encoded with base64. The encryption key is generated from the ID generated by the server.
Do you want to know who viewed your Instagram account? How about your password?
The iOS version also uses AES 128 but the block cipher mode used is CBC instead of ECB.
Consequently, it uses as Initialization Vector (IV) the string “IOS123SECRETKEYS”.
Once opened it forces the user to login to Instagram.
After that the username and password are sent to the server, as well as some metadata.
Since we have the ID, we can decrypt the content by using a modified version of the Java code published by David. We just need to modify the crypto class initialization
By inputting the content of the “hash” parameter, we can decrypt the data send and find out with information has been sent to the server. As expected, the Instagram username and password is also included in this list.
The username and password will later be used to post spam messages to the user’s Instagram account.
The threats mentioned in this blog post are detected by Kaspersky Lab products as HEUR:Trojan-Spy.AndroidOS.Instealy.a and HEUR:Trojan-Spy.IphoneOS.Instealy.a.
Conclusion
Mobile environments are one of the best targets for cybercriminals; they usually have access to email accounts, social networks, contacts and even the places you have visited.
The use of social networking is one of the best ways to distribute malicious content. We have to be aware of unknown applications that promise something that isn’t provided by the service that we are using. Usually, if the feature does not exist on the service website, it will be hard for third-party software to provide it.
Thank you, CanSecWest16!
22.3.2016 Zdroj: Kaspersky Safety
This year, we had the absolute pleasure of being a part of CanSecWest’s fantastic lineup of talks, well-rewarded pwnage, and entertainment among a jovial crowd of infosec practitioners of every stripe. The diversity of the crowd really cannot be overstated as your usual network defenders, hardware and software developers, threat intelligencers (like ourselves) are peppered in with a fair amount of exploit developers sizing up their competition. This year’s Pwn2Own awarded a whopping $460,000 to four out of five teams for successful exploitations of Google Chrome, Microsoft Edge, and Apple Safari browsers. Of these, Tencent Security’s Team Sniper took the lead and the title of ‘Master of Pwn’ embroidered in a pretty sweet purple smoking jacket. We only wished someone would have mastered the always difficult “VM escape”.
The mix of talks was heavily skewed towards exploitation with some very interesting vulnerabilities discussed like Haifei Li and Chong Xu’s talk on Microsoft Outlook security. This talk should’ve scared the pants off of anyone in the crowd as Haifei demoed his now patched BadWinMail exploit that allowed the mere preview of an email on outlook to pop calc.exe. This is the sort of exploit that reminds us that all of the tips and explanations we give end users don’t carry that much weight in the face of a truly advanced attacker with a sense of creativity. There were no links clicked or attachments executed, in some cases (if the malicious email is the latest received when Outlook is first run) the application will preview the malicious email without user interaction required. Zooming out a little bit, we should consider that even though many threat actors are moving away from fancy exploits (finding that inexpensive phishing or macro-laced documents provide good enough results), this is the sort of exploit that the 1% threat actors absolutely love. So perhaps the immediate takeaway should be: “Why the hell isn’t Outlook sandboxed?”
While the majority of the talks focused heavily on exploitation and vulnerabilities, our talk dealt with the usage of false flags and deception techniques by well-known (and some unknown) APT actors. We were skeptical we could hold a full crowd given the skew towards vuln-centric talks, but were pleasantly surprised by the turnout and the warm reception. As we took the crowd through a brief overview of attribution, pitfalls encountered, and techniques being utilized by the bad guys, it was clear to us this topic has not received enough attention in the community. The questions asked during and after the presentation focused mainly on opinions as to whether or not attribution is even needed in the grand scheme of things. While we don’t want to give away our secret sauce just yet (as this is an ongoing project), some of the actors we focused on included Cloud Atlas (AKA Inception Framework), Turla, Lazarus, Sofacy, big bad Duqu, and perhaps a new player. Stay tuned for a very thorough treatment of this topic.
CanSecWest has become a true favorite with GReAT researchers for its welcoming atmosphere and diverse but friendly crowd open to new research topics and hard discussions on ongoing problems. It’s rare to find such a great mix of people from all walks at a conference that isn’t so large or overly commercial. We are looking forward to CSW 2017! Won’t you join us?
Google issued an emergency patch for critical CVE-2015-1805 flaw
22.3.2016 Vulnerebility
Google released an emergency security patch to fix the local elevation of privilege vulnerability CVE-2015-1805 affecting its OS.
Google has released an emergency security patch to fix the local elevation of privilege vulnerability CVE-2015-1805 affecting the kernel of the Android OS of certain devices.
The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.
The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last month when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.
All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability, meanwhile devices based on Linux kernel version 3.18 or higher are not affected.
Nexus Rooting CVE-2015-1805
Google has already blocked the installation of software that triggers the flaw, both within Google Play and outside of Google Play, through Verify Apps.
“We already block installation of rooting applications that use this vulnerability — both within Google Play and outside of Google Play — using Verify Apps, and have updated our systems to detect applications that use this specific vulnerability.” states the advisory issued by Google.”To provide a final layer of defense for this issue, partners were provided with a patch for this issue on March 16, 2016. Nexus updates are being created and will be released within a few days. Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.”
Google warns owners of vulnerable devices that could be permanently compromised by exploiting the flaw and in some circumstances, it could be necessary a re-flash of the operating system in order to remove malicious applications.
“An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.” continue the advisory.
Google has collected evidence of this vulnerability being abused on a Nexus 5 using a publicly available rooting tool, but there is no malicious exploitation of the security flaw.
Google created Nexus updates that will be released within a few days, the company has already notified its partners on this security vulnerability.
“Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.” states the advisory.
To mitigate the risk of exposure, users should have on their Android devices a security patch level of March 18, 2016, or a security patch level of April 2, 2016 and later.
Apple Updates Everything (Again)
22.3.2016 Vulnerebility
As part of today's product announcements, Apple released new operating systems across its different products. In addition to new features, these updates do address a number of security issues as well.
OS X Server 5.1 ( for Yosemite 10.10.5 )
This update improves warnings in case the administrator stores backups insecurely and removes old SSL ciphers (RC4). Also, authentication bypass issues are addressed in the Wiki.
Safari 9.1
The Safari update is available for OS X back to 10.9 (Mavericks). It fixes a total of 12 vulnerabilities, some can be used to execute arbitrary code.
OS X El Capitan 10.11.4 (Security Update 2016-002)
A total of 59 vulnerabilities are patched (I hope I counted them right). Here are some of the highlights:
Apple USB Networking (CVE-2016-1734): This vulnerability could lead to arbitrary code execution if a malicious USB devices is connected to the computer.
Bluetooth (CVE-2016-1735/1736): Bluetooth can be used to execute arbitrary code. It isn't clear (but likely) that you first need to pair with the device which would mitigate the problem somewhat.
Messages (CVE-2016-1788): This vulnerability, which would allow the interception of iMessage messages has gotten a lot of press in the last couple days.
OpenSSH (CVE-2016-0777,0778): The roaming vulnerablity that could lead to a leak of the private key is fixed in this patch.
Wi-Fi (CVE-2016-0801/0802): A malicious WiFi frame could be used to execute arbitrary code. Since this requires an unspecified ether type, I am assuming that this requires that the victim first associates with the network. But the advisory doesn't provide sufficient details to tell for sure.
XCode 7.3:
Two vulnerabilities. One in otool (a tool to display object files) and another two vulnerabilities in subversion.
WatchOS 2.2:
A lot of overlap here with the OS X and Safari patches. Note that the Watch is also vulnerable to the WiFi exploits, but not the Bluetooth issues.
iOS 9.3:
A total of 36 vulnerabilities, many of which are also patched for OS X. The Wifi vulnerability applies to iOS just as for the WatchOS and OS X.
TVOS 9.2
Again a lot of overlap with the other updates.
In short: patch...
For details from Apple, please refer to the usual security bulletin page: https://support.apple.com/en-us/HT201222
Coming soon, Denmark’s intelligence presents the Danish Hacker Academy
21.3.2016 Hacking
The Danish intelligence agency PET (Politiets Efterretningstjeneste) plans to start its Danish hacker academy to fight threat actors in the cyberspace.
Denmark’s PET (Politiets Efterretningstjeneste), the country’s intelligence agency, announced last week plans to create a government ‘hacker academy’ in response to the need to improve country cyber security.
The Danish hacker academy is a hacking school that will train black hat hackers for offensive and defensive purposes starting from August 1, 2016.
The Danish security and intelligence service PET will recruit talented IT nerds interested in supporting the activities of the Danish Government in the cyber space. The PET is worried by the militarization of the cyberspace state, foreign governments could use cyber tools for offensive purpose aimed to cyber espionage and sabotage.
The Danish intelligence also plans to train its cyber army against terrorist organisations online.
The Danish Government has launched a media campaign using the following the slogan:
“Have you got what it takes to become a member of a secret elite unit?”
Danish hacker academy
Lars Findsen, the head of PET, is confident that Government experts could support the growth of talented nerds.
“This is not about fully-capable hackers – hopefully, there are not many of those out there, anyways – but about people who have the basic skills we can build on,” Findsen told Politiken.
The Danish hacker academy provides a training program includes three modules spread across four and a half months.
The first one is a basic module on the network and computer security, the second one is a module on defensive hacking, and the training closes teaching offensive hacking techniques to the participants.
The Danish hacker academy will be located in Copenhagen, but its location is still a mystery, all the participants that will successfully complete the training will be enrolled in PET’s Computer Network Exploitation team. But beware, only a privileged few will be selected annually.
“The selection process will be supervised by psychologists and PET’s own IT specialists and is based on the same recruitment process used for the elite commando frogman corps of the Royal Danish Navy.” states a post published by the PET online.
“Officially termed ‘network retrieval‘, in reality the recruits would be helping PET with cyber espionage against foreign powers, writes Politiken – a type of activity that would normally get you sent to prison.“
The experts at PET have no doubt, the Danish hacker academy will provide hacking excellences, high-skilled hackers that will form a new cyber army operating abroad and inside the country.
Hacking Tesla Model S, too much noise around a great research
21.3.2016 Hacking
Last week at the CeBIT the Lookout’s Co-Founder and CTO Kevin Mahaffey talked about hacking Tesla Model S providing indications on possible countermeasures.
Last week at the CeBIT conference held in Hanover, the Lookout’s Co-Founder and CTO Kevin Mahaffey talked about hacking Tesla Model S providing indications on possible countermeasures. Unfortunately, many security professionals provided highlighted that Mahaffey has forgotten to mention half of his team, looking like he was taking the credit to himself.
These type of work made by researchers should be seen as “doing the world a service” since researchers are making cars more secure, of course, they are hacking them, but they are also finding solutions to the problems.
Tesla, besides having great cars, have also great policies that ensure that the car security is a company high priority, for this reason, they are encouraging the hacker community to hack their vehicles and disclose vulnerabilities they would find.
The reason why Kevin Mahaffey and Marc Rogers focused in hacking Tesla models, is that the company is making new model, build from scratch, and these type of cars will be common everywhere in the near future.
Even if everything made by Kevin and his team looks easy, it took them many years of research to get to the point in the presentation that they can “control” the Model S.
In the las year Kevin and Marc gave made a presentation at the DEFCON conference, the findings of their research helped Tesla to discover problems in his cars and contributed to improve the image of the company that is perceived by the experts as a research-friendly company.
Coming back to the presentation in CeBIT on hacking Tesla, many people took the title “Why I Hacked the Tesla Model S” and focused in the “I” part, looking like Kevin Mahaffey was pushing all the credit to himself.
CSO tried to reach Marc Rogers to talk about this problem, but Rogers declined to comment. No one at Lookout was aware of any problem related to the presentation or presentation title, and when the issue came to their attention, they blamed CeBIT.
In an e-mail a spokesperson of Lookout said:
“disappointing that CeBIT positioned Kevin and Marc’s research in such a way that excluded recognition of Marc’s extremely hard work.”
“It was absolutely a collaboration between the two of them and Kevin does make that clear in his CeBIT presentation,”
And if you see that presentation you know it’s true, at a certain point kevin says:
“Why did I undertake this research? It was myself Kevin Mahaffey and my research partner Marc Rogers, we’ve been working on this project for several years…”
In addition, Kevin showed a photo of Marc during the process of stopping the Model S.
In another e-mail exchange with CSO, Kevin says he offered an apology and stated that he feels terrible that Rogers would feel slighted by the incident.
Lookout says they were “caught the misleading title, and apologize failing to do so. “ and already asked CeBIT to correct the article/presentation.
Let me suggest see the interesting presentation made at the Cebit conference.
A iOS zero-day allows iCloud photos and videos decryption
21.3.2016 iOS
A group of researchers found an iOS zero-day that would let a skilled attacker decrypt photos and videos that were sent as secure instant messages.
The bad news is that Matthew Green, a professor at Johns Hopkins University revealed that a zero-day vulnerability in iOS encryption allows skilled attackers to decrypt intercepted iMessages, the good news is that the flaw is very hard to exploit.
Green explains that he suspected the flaw when reading Apple documentation related to the encryption scheme implemented in its messaging system.
The popular expert Matthew Green hasn’t provided the details of the exploit to give the opportunity for Apple for fixing it. The expert also added that the flaw would not have helped the US government in the case of the San Bernardino shutter’s iPhone.
The hacking technique could be used by law enforcement only to access photos and videos sent by suspects using iMessage.
“This specific flaw in Apple’s iMessage platform likely would not have helped the FBI pull data from an iPhone recovered in December’s San Bernardino, Calif., terrorist attack, but it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers, said Matthew D. Green, a computer science professor at Johns Hopkins University who led the research team.” states The Washington Post that interviewed Green.
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” said Green.“So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
Green explained that with the support of his group of experts, composed of Ian Miers, Christina Garman, Gabriel Kaptchuk, and Michael Rushanan could guess the key that could be used to decrypt photos and videos stored in the iCloud.
The team of researchers wrote an application that emulated an Apple server and then targeted an encrypted photo stored on the iCloud. The software sent key digit guesses to an iPhone running an old version of iOS, which in turn indicated when each key of its 64 digits was correct.
Green highlighted that its attack technique could very dangerous if conducted by a persistent attacker, like a nation-state attacker.
The iOS 9.3 beta version seems to be unaffected and will be released as stable shortly.
Apple partially fixed the zero-day vulnerability with the iOS 9 release.
Hackers brought down the websites of principal Swedish Newspapers
21.3.2016 Hacking
The online editions of principal Swedish newspapers were knocked out for several hours by a cyber attack during the weekend.
The websites if a Swedish were shut down in the weekend due to an “extremely dangerous and serious” cyber attack.
The websites hit by the hackers are the Dagens Nyheter, Svenska Dagbladet, Expressen, Aftonbladet, Dagens Industri, Sydsvenskan and Helsingborgs Dagblad. The website went down on Saturday evening from about 19:00 GMT until about 22:00 GMT.
The news was confirmed by the head of the Swedish Media Publishers’ Association, Jeanette Gustafsdotter, in an interview with the Swedish news agency TT.
“To threaten access to news coverage is a threat to democracy,” she said.
At the time I was writing no one has claimed responsibility for the cyber attack and there are no details about the attacks. Experts speculate that threat actors coordinated a distributed denial-of-services (DDoS) attacks against the websites of the Swedish media agencies.
Immediately before the attacks a Twitter account posted the following messages:
“The following days attacks against the Swedish government and media spreading false propaganda will be targeted” tweeted @_notJ.
“This is what happends when you spread false propaganda. Aftonbladet.se #offline @Aftonbladet” states another Tweet.
The Swedish Police and the intelligence are investigating the case. According to several sources on the Internet, the attacks originated from Russia.
Olympic Vision BEC attacks target businesses worldwide with keyloggers
20.3.2016 Crime
Trend Micro discovered a Business Email Compromise Campaign leveraging on the Olympic Vision keylogger that targets Middle East and Asia Pacific Companies.
A new malware-based campaign is targeting key employees from companies in the US, Middle East and Asia. The attackers are using malware in a classic business email compromise (BEC) attack in order to hijacking the email accounts of the victims and authorize financial transactions on their behalf.
The attacks have been traced back to Lagos and Kuala Lumpur.
“The Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the “business angle” of this scam and to avoid confusion with another unrelated scam.” reports the statement issued in 2015 by Internet Crime Complaint Center (IC3) and the FBI.
In this last wave of attacks uncovered by experts at antivirus firm Trend Micro that hackers attempted to gain control of victims’ accounts to trick other employees, suppliers or business partners to perform wire transfer payments to accounts controlled by the crooks.
The cyber criminals targeted key employees at companies from 18 countries by spreading a commercial keylogger named Olympic Vision. The attackers sent to the victims malicious emails masqueraded as messages from business partners which pretend to provide information related to alleged problems occurred with a recent bank transfer of invoice.
“Olympic Vision is a keylogger malware involved in an ongoing Business Email Compromise (BEC) campaign targeting 18 companies in the US, Middle East and Asia, the majority of which coming from the two latter regions (22%, 39% and 39% respectively). Business Email Compromise attacks involve spear phishing/social engineering techniques to infect key employees’ systems with info-stealing malware and intrude upon business dealings/transactions. ” states a report published by Trend Micro.
The researchers explained that the Olympic Vision keylogger is very cheap, it is available on the black market for $25, but the experts highlight that it isn’t a very advanced threat.
“Olympic Vision is the fourth malware we’ve seen used in Business Email Compromise campaigns, after Predator Pain, Limitless, and HawkEye. Similar to other BEC malware, Olympic Vision is capable of stealing a variety of information from its target, and comes with a small price tag – its toolkit can be bought for $25. ” Trend Micro wrote in a blog post.
“Olympic Vision is not advanced by any means. Like Predator Pain and Limitless, keyloggers that have been used for the very same purpose in previous BEC campaigns, it performs its main function – that is, to log keystrokes and take screenshots for the purpose of stealing personal information – well and without unneeded complexity.” continues the report.
Once installed on the victim’s machine, Olympic Vision collects information about the system configuration, login credentials saved in several applications (i.e. Email clients, browsers, FTP programs and instant messaging applications) and key strokes. The malware also gathers network information and images and text in the clipboard.
Despite the threat is not particularly advanced, it is perfect to collect information that is used by attacker to understand the accounting workflows of the targeted firms.
“We looked at the trail of Olympic Vision keyloggers being used in the wild to check for organized activity, and were able to trace the identities of the actors, and positively identified two Nigerian cybercriminals — one operating from Lagos, and the other from Kuala Lumpur,” continues the blog post.
Business Email Compromise is a serious threat to businesses that causes losses for thousand million dollars every year.
Redaction error reveals Feds ordered Lavabit to spy on Snowden
20.3.2016 Security
A redaction error in court-ordered release of the Lavabit case files confirmed that Edward Snowden was the target of the FBI.
Lavabit was an encrypted webmail service founded in 2004 by Ladar Levison, it closed on August 8, 2013 after the US authorities ordered it to turn over its Secure Sockets Layer (SSL) private keys to order government surveillance activities. The US Government was interested in spying on the Edward Snowden‘s emails.
Now a redaction error in court-ordered release of Lavabit case files confirmed that Edward Snowden was the target of the FBI that caused the termination of the secure email service.
We have now the certainty that Snowden was using the Lavabit email service and that FBI drove the company into closure because it refused to serve the US Government’s requests.
The US Government ordered to install a surveillance implant on the Lavabit servers and later to turn over Lavabit’s encryption keys allowing the Feds to access Snowden’s messages. The court order also revealed that the US Government ordered not to disclose the surveillance activity to third-party entities.
After a few weeks of legal dispute, Levison shuttered Lavabit refusing to become not become complicit in criminal surveillance operated by the US Government.
“After 38 days of legal fighting, a court appearance, subpoena, appeals and being found in contempt of court, Levison abruptly shuttered Lavabit citing government interference and stating that he would not become “complicit in crimes against the American people”.” reported the Guardian.
US authorities recently revealed the mysterious circumstances behind the Lavabit shut down by publishing a collection of case files that were not correctly redacted allowing to discover the target of the FBI activity, the email address Ed_Snowden@lavabit.com.
The document was integrally published by Cryptome, it is visible the Snowden’s email address was left unredacted.
The documents were publicly disclosed in the result of Levison’s battle against the US Government, he filed a motion in December that prompted the court to order the release of files related the Lavabit case.
The Lavabit founder plans to reveal what it really happened, but he is still under order not to reveal the facts … meantime the redaction error leaves no doubt about the real intent of the FBI in the Lavabit case.
Security Researcher Goes Missing, Who Investigated Bangladesh Bank Hack
20.3.2016 Hacking
Tanvir Hassan Zoha, a 34-year-old security researcher, who spoke to media on the $81 Million Bangladesh Bank cyber theft, has gone missing since Wednesday night, just days after accusing Bangladesh's central bank officials of negligence.
Zoha was investigating a recent cyber attack on Bangladesh's central bank that let hackers stole $81 Million from the banks' Federal Reserve bank account.
Though the hackers tried to steal $1 Billion from the bank, a simple typo prevented the full heist.
During his investigation, Zoha believed the Hackers, who are still unknown, had installed Malware on the bank's computer systems few weeks before the heist that allowed them to obtain credentials needed for payment transfers.
With the help of those credentials, the unknown hackers transferred large sums from Bangladesh's United States account to fraudulent accounts based in the Philippines and Sri Lanka.
However, at the same time, Zoha accused senior officials at Bangladesh central bank of gross negligence and weak security procedures that eventually facilitated the largest bank heist in the country.
The Central bank's governor Atiur Rahman, along with two of his deputy governors, had to quit his job over the scandal, hugely embarrassing the government and raising alarm over the security of Bangladesh's foreign exchange reserves of over US$27 Billion.
However, when the investigation was still going on, Zoha disappeared Wednesday night, while coming home with one of his friends, according to sources close to Zoha's family.
While speaking to media in the wake of the massive cyber attack, Zoha identified himself as the ICT (Information and Communication Technology) Division's cyber security expert who had worked with various government agencies in the past.
Soon after Zoha's disappearance, the government officials put out a statement but did not provide more details besides the fact that they opened an investigation.
Zoha's family members suspect that the comments Zoha made about the carelessness of bank’s officials on the Bank heist to the press on March 11 are the cause of his disappearance.
Hackers stole data from the Swiss People’s Party
20.3.2016 Hacking
The Swiss People’s Party confirmed that they have been the target of hackers who have stolen the personal data of over 50,000 individuals.
A group of hackers, which calls itself NSHC, claims to have hacked the Switzerland’s largest party, the conservative Swiss People’s Party (SVP), and stolen the personal data of over 50,000 individuals.
The cracked archive includes the names and email addresses of Swiss People’s Party supporters.
The NSHC have hacked the Swiss People’s Party to raise awareness about Switzerland’s lack of protection against cyber attacks.
Representatives of the Swiss People’s Party confirmed to 20 Minuten daily that the systems of the party were hit by a cyber attack but.
“Apparently it’s hackers succeeded in the database of svp.ch penetrate and gain access to various data, including e-mail addresses. A group that calls itself NSHC and understood as ‘Grey Hats’ has, the editors received from inside-channels.ch she wanted to show the attack, that Switzerland is not sufficiently protected against cyber attacks.” reported the website inside-it.ch.
According to the inside-it.ch website, the NSHC hacker group also launched DDoS against several Swiss online shops and the Swiss Federal Railways website (SBB) this week.
“The Swiss Federal Railways website was hard to access on Monday afternoon for about an hour and in the evening for around one and a half hours due to a DDoS attack,” Swiss Federal Railways spokesman Daniele Pallecchi told to the Swiss news agency.
According to Pascal Lamia, the head of the government’s Reporting and Analysis Center for Information Assurance (also known as MELANI), the attack on the Swiss People’s Party is not linked with cyber attacks recently observed against small enterprises and online shops.
“There is no connection with the chopped SVP sites including the DDoS attacks on web shops,” said Lamia.
The experts at MELANI confirmed to have no news about the NSHC group.
MELANI suggests people and businesses to check whether their email addresses have been hacked though an online tool available at https://www.checktool.ch.
Bored With Chess? Here's How To Play Basketball in Facebook Messenger
19.3.2016 Safety
Hope all of you have enjoyed the Game of Chess in the Facebook Messenger.
But if you're quite bored playing Chess or not really good at the game, then you probably felt a bit excited about Facebook's recent inclusion of a little Basketball mini-game into Messenger.
Now you can play Basketball through Facebook Messenger, just by typing in the Basketball emoji and sending to one of your friends. This would enable a secret Basketball mini-game between you and your friend.
Here's How to Play Basketball:
Just locate the basketball emoji from your emoji list, send to one of your friends and click it to start the game.
Once sent, you would be taken to the Basketball court in a pure white background, where there is no sidebars of any friend suggestions or any promotional ads; only appears a basketball and a hoop, nothing else!
All you have to do:
Just Swipe up and Toss the basketball into the hoop.
A single swipe on your phone in the direction of the hoop to bask in the ball. Facebook also encourages your gameplay with various emojis after each basket.
On successful basket, Game appreciates your gameplay by displaying various emojis like Thumbs Up, Hands Up, Claps and Smiles. On a miss, Game warns you by showing emojis like "Surprised", "Feared," and similar.
Messenger will also display your scores in between, based on your successful baskets. Your goal is to challenge your friend to see who can get the most consecutive baskets.
Video Demonstration
You can watch the Video Demonstration of Facebook Hidden Basketball game below:
To play this game, the Facebook users should have the latest version of Messenger installed on their mobile phone.
The addition of such mini-games into Facebook's messaging platform would be a loneliness breaker.
As this game had been unveiled after a couple of weeks of Chess, let's hope Facebook would integrate more games like caroms or snooker in its upcoming rollouts.
Anonymous claims to leak Trump ’s personal info under #OpWhiteRose
19.3.2016 Hacking
The Anonymous Hacker collective claims to publish Donald Trump’s personal information, including Social Security Number and addresses.
Alleged members of the Anonymous collective have leaked Donald Trump’s already public “private” phone numbers and other information online. The hackers have leaked also addresses, including the one of the Palm Beach residence in Florida, and social security number as part of the anti-Trump operation dubbed #OpWhiteRose.
Anonymous called the new campaign #OpWhiteRose, after a non-violent resistance group in Nazi Germany.
anonymous vs Donald Trump Operation WhiteRose
Rumors online confirm that members of Anonymous have data dumped Trump’s sensitive information, including detailed information about the Trump’s personal agent (Tracy Brennan) and legal representatives (Manatt Phelps & Phillips), whose phone numbers have now “gained publicity.”
“These are provided for informational purposes only,” states an Anonymous spokesman in a video published by the collective. “… That might be able to assist you all in independently investigating this would-be dictator.”
Analyzing the leaked data it is possible to note that released information was already publicly available, the Trump’s private phone number was shared by the presidential candidate in August on Twitter.
This week, Anonymous declared total war on Trump and his campaign, the hacker collective plans to coordinate a series of attacks on Trump’s web sites starting April 1, the April Fool’s Day.
“We have been watching you for a long time and what we’ve seen is deeply disturbing. You don’t stand for anything but your personal greed and power.”
“This is a call to arms. Shut down his websites, research and expose what he doesn’t want the public to know. We need you to dismantle his campaign and sabotage his brand.”“We need to dismantle his campaign and sabotage his brand,” said the Anonymous spokesman.
“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.
A few weeks ago, alleged members of the Anonymous group hacked the Donald Trump ‘s voicemails. Journalist at Gawker received an email by the hackers containing recordings from Donald Trump ‘s voicemail inbox.
The hacktivist group first threatened Trump with war in December, when he said he would look to ban all Muslims from entering the United States.
The data were published on Pastebit.
Apple Engineers say they may Quit if ordered to Unlock iPhone by FBI
19.3.2016 Apple
Apple Vs. FBI battle over mobile encryption case is taking more twists and turns with every day pass by.
On one hand, the US Department of Justice (DOJ) is boldly warning Apple that it might compel the company to hand over the source code of its full iOS operating system along with the private electronic signature needed to run a modified iOS version on an iPhone, if…
…Apple does not help the Federal Bureau of Investigation (FBI) unlock iPhone 5C belonging to one of the San Bernardino terrorists.
And on the other hand, Apple CEO Tim Cook is evident on his part, saying that the FBI wants the company to effectively create the "software equivalent of cancer" that would likely open up all iPhones to malicious hackers.
Now, some Apple engineers who actually develop the iPhone encryption technology could refuse to help the law enforcement break security measures on iPhone, even if Apple as a company decides to cooperate with the FBI.
Must Read: FBI Director – What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?
Apple Emplyees to Quit their Jobs
Citing more than a half-dozen current and former Apple engineers, The New York Times report claims that the engineers may refuse the work or even "quit their jobs" if a court order compels them to create a backdoor for the very software they once worked to secure.
"Apple employees are already discussing what they will do if ordered to help law enforcement authorities," reads the report. "Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created."
Apple previously said that building a new backdoored version of iOS to satisfy the FBI's demand would require up to a month of work and a team of 6-10 engineers, naturally Apple's top software engineers.
Also Read: Apple is working on New iPhone Even It Can't Hack.
However, Apple employees said they already have "a good idea who those employees would be." They include:
A former aerospace engineer who developed software for the iPhone, iPad and Apple TV.
A senior quality-assurance engineer who is an expert "bug catcher" with experience in testing Apple products.
An employee specializes in security architecture for the operating systems powering Apple products including iPhone, Mac and Apple TV.
The FBI wants Apple assistant to help the authorities bypass security mechanisms on the San Bernardino shooter Syed Farook's iPhone 5C so that they can extract data from the phone.
Given that the San Bernardino case is currently working its way through the courts and that no one is prepared to stand down, the possibility that Apple might have to comply with the orders is probably years away.
Be aware the unbreakable TeslaCrypt 4 was detected in the wild
19.3.2016 Virus
According to the experts at Heimdal Security firm, the ransomware Teslacrypt 4 arrived and it is infecting systems in the wild.
According to the experts at Heimdal Security, the fourth version of the infamous Teslacrypt ransomware has just been launched. Teslacrypt 4 implements new functionalities and is more stable of previous versions, stability, it also fixed various bugs, including one related to encryption of large data files. In the previous variants, files larger than 4 GB would get permanently damaged when the ransomware tried to encrypt them.
Teslacrypt 4 used RSA 4096 for data encryption, this makes impossible to recover data encrypted by the ransomware.
“Consequently, the encrypted data will be impossible to recover, which can determine information loss if the victim doesn’t have a backup for the affected data.” states a report published by Heimdal Security.
The bad news for the victims is that the TeslaDecoder tool used to rescue the files encrypted by the previous variants of the ransomware no longer works with Teslacrypt 4.0.
Victims of the Teslacryt 4 ransomware have to possibility to recover information, they can only restore files from a previous backup or pay the ransom with no guarantee of success.
Researchers spotted TeslaCrypt 4 in the wild, crooks used drive-by attacks to spread the ransomware leveraging on the Angler exloit kit.
The researchers already blocked more than 600 domains hosting the Angler EK in just one day. It has been estimated that daily average of domain spreading Angler EK blocked by the security firsm will reach soon 1200 domains per day, on average.
Teslacrypt 4 could be also used by attackers to harvest user’s data, including the “MachineGuid”, “DigitalProductID” and “SystemBiosDate” .
Experts at Heimdal Security have published the following Indicators of Compromise for the Teslacrypt 4.0:
%UserProfile%\Desktop\RECOVER[%5 random signs%].html
%UserProfile%\Desktop\RECOVER[%5 random signs %].png
%UserProfile%\Desktop\RECOVER[%5 random signs %].txt %UserProfile%\Documents\[random file name].exe %UserProfile%\Documents\recover_file.txt
TeslaCrypt 4 also creates the following value in the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_[random name] C:\Windows\SYSTEM32\CMD.EXE /C START %user account%\Documents\[random name].exe
The current list of Teslacrypt 4 Control & Command servers is the folowing:
http://commonsenseprotection[.]com/phsys.php
http://ebookstoreforyou[.]com/phsys.php
http://esbook[.]com/phsys.php
http://exaltation[.]info/plugins/phsys.php
http://hmgame[.]net/phsys.php
http://shampooherbal[.]com/phsys.php
This new variant of TeslaCrypt demosntrates the rapid evolution of the threat that first appeared in March 2015, meanwhile the version 2.o appeared in the wild in July 2015 and the TeslaCrypt 3.0 in January 2016.
SCADA hacking – Hackers with ability to cut the power is a real threat
19.3.2016 Hacking
The Ukranian power blackout has demonstrated the worrying effects of the SCADA hacking, other countries like UK fear similar attacks.
All the warnings from security experts throughout the years have unfortunately been disregarded, when it comes to the hackers’ threats in strategical spots, such as that of power generation. As a result, hackers have acted according to their own agenda and they have taken the world by storm.
As a result, hackers have acted according to their own agenda and they have taken the world by storm. On 23 December 2015, Ukraine suffered from an overall power blackout and that caused great distress to the people. Prykarpattyaoblenergo lost more than 30 substations, causing havoc in return. And the most frustrating thing of them all: the power stations have not yet been completely fixed. The reason is that the malware used by hackers in Ukraine for the power outing erased key files.
What does this say about security online?
The reason is that the malware used by hackers in Ukraine for the power outing erased key files. What does this say about security online?
The malware used is called “Killdisk” and was the outcome of a well-organized effort to gain control over the computers of the stations. Files appeared to the people working for the power company, attached by their “friends” – making it easier for them to open. Instead of files sent by their friends, the malware was installed into the computers and caused all these grave consequences.
On the bright side, this must have taken a lot of time and therefore, it is not the main tactic used by hackers in similar cases. However, it is always possible to happen again!
The bad news is that there are alternative ways for hackers to get inside similar systems, according to Sergey Gordeychik, who helps with Scada Strangelove, the community of experts working on discovering the faults of ICS systems.
“We can discover more than 80,000 different kinds of ICS systems connected to the internet directly,” Gordeychik told the BBC.
As a result, the ICS systems do not have the power to defend themselves against an attack. This is really frustrating, as there are ways for them to enhance online security and avoid these phenomena. The purpose of Scada Strangelove, according to Mr. Gordeychik, aims at changing that:
“The main idea is to raise awareness and to force vendors to create more secure-by-design systems.”
UK infrastructure is being scrutinized by Crest these days, trying to identify such potential threats online. According to what Ian Glover from Crest said:
“The single biggest vulnerability is connecting poorly protected corporate IT to operational technologies,” and so this is where they have focused on. “It’s much easier to exploit the corporate IT because there are so many tools you can download and use to do that,”
Of course, the aim of every security researcher out there in the UK is to enhance online security and raise awareness on such a threatening phenomenon that could blow up the structure of a whole country within minutes. Although there is a reasonable ground of worrying about what can happen in case of SCADA hacking, proper capability and intent can lead to sufficient defense against hacking threats for the UK and the world – hopefully!
How to Make $100,000? Just Hack Google Chromebook
19.3.2016 Hacking
Yes, you could earn $100,000 if you have the hacking skills and love to play with electronics and gadgets.
Google has doubled its top bug bounty for hackers who can crack its Chromebook or Chromebox machine over the Web.
So if you want to get a big fat check from Google, you must have the ability to hack a Chromebook remotely, that means your exploit must be delivered via a Web page.
How to Earn $100,000 from Google
The Chrome security team announced Monday that the top Prize for hacking Chromebook remotely has now been increased from $50,000 at $100,000 after nobody managed to successfully hack its Chromebook laptops last year.
The Top bug bounty will be payable to the first person – the one who executes a 'persistent compromise' of the Chromebook while the machine is in Guest Mode.
In other words, the hacker must be able to compromise the Chromebook when the machine is in a locked-down state to ensure its user privacy.
Moreover, the hack must still work even when the system is reset.
"Last year we introduced $50,000 rewards for the persistent compromise of a Chromebook in guest mode," the Google Security Blog reads.
"Since we introduced the $50,000 reward, we have not had a successful submission. Great research deserves great awards, so we're putting up a standing [6-figure] sum, available all year round with no quotas and no maximum reward pool."
Bug bounties have become an essential part of information security and have been offered by major Silicon Valley companies to hackers and security researchers who discover vulnerabilities in their products or services.
Last year, Google paid out more than $2,000,000 in bug bounties overall to hackers and researchers who found bugs across its services – including $12,000 to Sanmay Ved, an Amazon employee, who managed to buy Google.com domain.
So Keep Hunting, Keep Earning!
The Best Way to Send and Receive End-to-End Encrypted Emails
19.3.2016 Security
How many of you know the fact that your daily e-mails are passaged through a deep espionage filter?
This was unknown until the whistleblower Edward Snowden broke all the surveillance secrets, which made privacy and security important for all Internet users than ever before.
I often get asked "How to send encrypted email?", "How can I protect my emails from prying eyes?" and "Which is the best encrypted email service?".
Although, there are a number of encryption tools that offers encrypted email service to ensure that no one can see what you are sending to someone else.
One such tool to send encrypted emails is PGP (Pretty Good Privacy), an encryption tool designed to protect users’ emails from snooping.
However, setting up a PGP Environment for non-tech users is quite a difficult task, so more than 97% of the Internet users, including government officials, are still communicating via unencrypted email services i.e. Gmail, Yahoo, and other.
But here is good news for all those non-techies, but privacy-conscious Internet users, who wish to use encrypted e-mail communication without any hassle.
Solution — ProtonMail.
ProtonMail, developed by CERN and MIT scientists, is a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications to keep user's personal data secure.
ProtonMail Now Available for iOS and Android Users
secure-encrypted-email-service-providers
ProtonMail has been invite-only since 2014, but now the email service has made itself available to everyone and launched new mobile apps.
If you opt for a free account, you'll get all of the basic features including:
A smart-looking app to access your end-to-end encrypted emails easily
500MB of storage capacity
Sending 150 Messages per day
Two-factor authentication to access your encrypted email inbox
To increase storage capacity, you can purchase ProtonMail's paid accounts.
NOTE – Always remember your password to decrypt the email inbox. Once forgot, you would no longer retrieve your encrypted emails.
Key Features:
secure-encrypted-email-service-providers-security
Even if someone intercepts your communication, he/she can not read your conversations because all emails you send or receive with other ProtonMail users are automatically encrypted end-to-end by the service.
In addition, for communicating with non-ProtonMail email addresses i.e. Gmail users, all you need to do is:
Create a message
Just click the encryption button
Set a random password
Once done, your encrypted email recipient will get a link to the message with a prompt to enter his/her same password in order to read it.
Another friendly feature that ProtonMail offers is Self-destructing emails. All you need to do is set an expiration date for an encrypted email you send, and it will get self-deleted from the recipient’s inbox once the date arrives.
Why ProtonMail won't have to comply with American Laws?
In a previous article, I explained that ProtonMail is based in Switzerland, so it won't have to comply with American courts’ demands to provide users data.
In worst case, if a Swiss court ordered ProtonMail to provide data, they will get only the heaps of encrypted data as the company doesn’t store the encryption keys.
ProtonMail has gained an enormous amount of popularity during its developing stages.
ProtonMail encrypts the data on the browser before it communicates with the server, therefore only encrypted data is stored in the email service servers, making it significantly more secure for those looking for an extra layer of privacy.
Feel free to email our team at thehackernews@protonmail.com.
Ever Wondered How Facebook Decides — How much Bounty Should be Paid?
18.3.2016 Social Site
Facebook pays Millions of dollars every year to researchers and white hat hackers from all around the world to stamp out security holes in its products and infrastructure under its Bug Bounty Program.
Facebook recognizes and rewards bug hunters to encourage more people to help the company keep Facebook users safe and secure from outside entities, malicious hackers or others.
Recently, the social media giant revealed that India is on top of all countries to report the maximum number of vulnerabilities or security holes in the Facebook platform as well as holds the top position in the country receiving the most bug bounties paid.
"India is home to the largest population of security researchers participating in the Facebook bug bounty program since its inception in 2011. The country also holds the top spot for most bounties paid," Adam Ruddermann, Facebook’s technical program manager notes.
If you are one of the Facebook’s bug hunters, you might be aware of the fact that reporting same type of flaw (say, Cross-site Scripting or XSS) in Facebook would not make one eligible for the same bounty.
Do you ever wondered why? And How Facebook decides the Bounty amount?
Well, the procedure exactly works in the same way The Hacker News team decides which news to be covered first and which is not at all i.e. based on the risks to the end-users.
Recently, Facebook’s bug bounty team explained how they calculate bounties.
How Facebook Calculates Bug Bounties?
Facebook calculates bounties, of course, based on Risk to end-users. The company offers a maximum reward of USD$20,000 and a minimum of USD$500.
The bugs that allow someone to access private Facebook data, delete Facebook data, modify an account and run JavaScript under facebook.com are considered as high-impact vulnerabilities that directly affects end users, so are maximum paid bugs.
"The security community in India is strong and growing every day," Facebook says. "India has long topped the list of 127 countries whose researchers contribute to our bug bounty program."
Here’s the Procedure Facebook Security team follows:
Step 1: The Facebook Bug Bounty team first looks at the potential impact of a vulnerability reported.
Step 2: Engineers at Facebook then calculates the difficulty or easiness of exploiting a particular vulnerability, whether it’s high-severity, as well as the kind of resources or technical skills a successful attack would require.
Step 3: The team then looks at whether any existing features can already mitigate the issue, for example, an implementation of rate-limiting mechanism to prevent brute-force attacks.
Step 4: Sometimes bug hunters report bugs that are actually Facebook features designed to provide users a better experience on the social media platform. These reports are less considered as eligible until they pose any threat.
Based upon the aforementioned steps, Facebook decides a base payout for each eligible vulnerability report.
The bounty amount can change as the risk landscape evolves, like a bug that leads to more bugs get bigger payouts.
The team also reserves an option to award security researchers and white hat hackers more than the base amount if the report itself demonstrates a high level of clarity, sophistication, and detail.
Example — Bug Bounties Paid by Facebook
facebook-bug
Earlier this month, Anand Prakash, 22, of India was awarded $15,000 (roughly Rs. 10 Lakhs) for reporting a Password Reset Vulnerability that could allow attackers to hack any Facebook account by resetting its password via endless brute force of a 6-digit code.
Have you ever wish to delete any photo from Facebook that you didn't like but posted by someone else? Believe me — It was possible, but until last year, when two independent India security researchers reported two separate vulnerabilities to Facebook and awarded $12,500 each.
Do you know what’s the highest bug bounty ever paid by Facebook? That’s $33,500 to a Brazilian hacker who managed to hack into the Facebook server using a remote-code execution vulnerability.
There was another interesting bug in Facebook that received the highest attention, but no bounty was paid.
Yes, I am talking about Palestinian Hacker, 'Khalil Shreateh', who posted vulnerability details on Facebook CEO Mark Zuckerberg’s wall to prove his point, after Facebook Security Team failed to recognize his critical vulnerability thrice.
Unfortunately, Khalil did not receive any bounty for not following the disclosure guidelines correctly and failed to clarify the vulnerability details to Facebook Security Team.
Do you want to know how to earn high bounties? Find and Report high-severity bugs.
"The most important factor for getting the maximum bounty possible is to focus on high-risk vulnerabilities, specifically those with widespread impact," Facebook says. "So, if you're looking to maximize your bounties, focus on quality over quantity."
Bug Bounty programs have widely been used by a large number of prominent technology companies including Google, Facebook and PayPal, for which Bug hunters play a vital role in security their users’ online accounts.
Bug bounties and disclosure programs encourage researchers and hackers to report responsibly vulnerabilities to the affected companies rather than exploiting them to compromise its users’ security, which may also affect company's reputation.
Anonymous claims they Hacked Donald Trump ...Really?
18.3.2016 Hacking
The 'Hacktivist' collective group Anonymous claimed to have leaked personal details of the controversial US presidential candidate Donald Trump, including his Mobile Phone Number and Social Security Number (SSN).
Donald Trump
SSN: 086-38-5955
DOB: 06/14/1946
Phone Number: 212-832-2000
Cell/Mobile Phone Number: (917) 756-8000
The hacktivist group has declared war against Trump under a campaign with the hashtag #OpWhiteRose.
The White Rose Society was a non-violent resistance group in Nazi, Germany and was known for its anti-Nazi pamphlets and graffiti during World War II.
Anonymous posted a YouTube video Thursday afternoon in which a man in a Guy Fawkes mask says:
"Donald Trump has set his ambitions on the White House in order to promote an agenda of fascism and xenophobia as well as the religious persecution of Muslims through totalitarian policies.
He has proposed targeting family members of suspected terrorists for assassination, even while acknowledging they are innocent. It would only lead to more violence from those whose families were killed by the Trump regime.
Donald Trump is an enemy of the constitution and the natural rights it enshrines. We call on all of you and millions of others to take action against Donald Trump."
The hacker collective group also released what it claimed was Trump's personal details, including cell phone number and Social Security number.
Besides his personal details, the group also released Trump’s public information including his birth date, children’s names, and company address in addition to the identities of his agent and lawyer.
However, most of the information provided by Anonymous has been circulating on the Internet since at least late last year, including his New York cell phone number and an address on 5th Avenue in Manhattan.
In response to the video, Trump's campaign has issued the following statement:
"The government and law enforcement authorities are seeking the arrest of the people responsible for attempting to illegally hack Mr. Trump's accounts and telephone information."
Soon after posting the video, Anonymous issued a follow-up tweet, saying "Seems to be outdated information, take it with a grain of salt."
This is not the first time the group has declared war against Trump. Last December, Anonymous declared war against Trump following his radical speech stating he wanted to ban Muslims from entering the United States.
Malvertising Campaign Hits Top Websites to Spread Ransomware
18.3.2016 Virus
Malvertising Campaign Hits Top Websites to Spread Ransomware
Hackers are always in search for an elite method to create loopholes in the cyberspace to implement the dark rules in the form of vulnerability exploitation.
Top Trustworthy sites such as The New York Times, BBC, MSN, AOL and many more are on the verge of losing their face value as a malwertized advertisement campaign are looming around the websites, according to SpiderLabs.
Here's what Happens to Users when Clicking Ads on these Big Brand Sites:
The advertisements on the legit sites trick users into clicking on it, making them believe that these circulated ads come from a trusted networks.
Once clicked, the malicious Ad redirects the user to a malicious website that hosts Angler Exploit Kit (AEK) to infect visitors by installing malware and ransomware on their computer.
Angler Exploit Kit includes many malicious hacking tools and zero-day exploits that let hackers execute drive-by attacks on visitors' computers.
In this case, the Angler kit scans for the vulnerable PCs and loads Bedep Trojan and TeslaCrypt Ransomware, opening doors for hackers to further install a variety of malicious programs.
Buying Media-Related Domains to Spread Malicious Campaigns
While conducting the background check, the security firm discovered that cyber criminals behind this advertising campaign made use of an expired website domain of Brentsmedia, an online marketing solution who discontinued their service earlier 2016.
According to the web registrar records, Brentsmedia's domain was purchased by Pavel G Ashtahov on March 6th, the day just before the malvertising campaign kickstarted.
Malvertising Campaign Hits Top Websites Worldwide to Spread Ransomware
Detailed analysis of this mischievous Ad campaign revealed that when a user tends to click on the malwertized Ad, it triggers a JSON file (Javascript Object Notation), which contains a list of security products for cross checking their presence in the victim's system.
If any of the pre-defined products found installed, the malvertising Ads avoid loading the malicious payload to evade the detection by antivirus firms that could block the campaign if detected.
But if not present, it will carry out the exploitation in a stealth mode, ultimately redirecting the user to the malicious page.
The Intensity of the Malvertising!
According to the researchers telemetry, these malicious Ads were delivered through two affiliate networks namely Adnxs, which has already resolved the issue, and Taggify, which has not paid any attention to the seriousness of the problem.
Two more expired media-related domains exhibiting the same characteristics as brentsmedia[.]com: "envangmedia[.]com" and "markets.shangjiamedia[.]com", shows that another similarly named domain has already been registered.
So there might be a possibility of hijacking "media" related branded domains for running malvertising campaigns, as a new generation threat to the global leaders.
Buhtrap group stole tens of millions of dollars from Russian banks
18.3.2016 Incindent
From August 2015 to February 2016 Buhtrap group managed to conduct 13 successful attacks against Russian banks for a total amount of $25.7 mln.
Since August of 2015, the Buhtrap group has conducted 13 successful attacks against financial institutions stealing more than ₽1.86 billion RUB ($27.4M USD). In April 2015, ESET discovered a malware campaign dubbed Operation Buhtrap, a conjunction of the Russian word for accountant “Buhgalter” and the English word “trap”. So far Buhtrap has not been seen anywhere else in the wild, 88 percent of targets have been in Russia and ten percent in Ukraine. Analysts have also likened the campaign to the Anunak/Carbanak campaign, which also targeted Russian and Ukrainian Banks.
The modus operandi of these particular cybercriminals is usually associated with targeted attacks rather than cyber fraud, which make this move to financial crime unusual and effective.
In the last wave of, the attackers hit Russian banks by pretending to be FinCERT, a center established by the Russian Central Bank for dealing with cyber-attacks in Russia’s financial sector.
According to a report released by the security firm Group-IB, Buhtrap has been active since 2014, despite their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks, below the timeline of the attacks published by Group-IB:
The Buhtrap timeline is a sequence of successful attacks, in August 2015 the hackers stole ₽25.6 million RUB ($375,617 USD), two months later a new campaign resulted in the losses of ₽99 million RUB ($1.4 million USD).
In November 2015, the group raked ₽75 million RUB ($1.1 million USD) with two distinct campaigns against two banks. In December the group reached a peak in its activity targeting 5 banks and taking down ₽571 million RUB ($8.3 million USD). They also conducted two successful attacks in January and two more a month later. In all, the group has stolen ₽1.86 billion RUB ($27.4M USD) from banks in Russia
The activities continued in January and February stealing dozen million dollars from banks in Russia.
In February 2016, a developer for Buhtrap leaked the complete source code for the malware used by the group because he wasn’t paid by the gang. Experts who have analyzed it discovered that the code is related to an earlier revision and not to the one used in the recent attacks.
“Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.” states the report.
“In many respects, this group’s activity has led to the current situation where attacks against Russian banks causing direct losses in the hundreds of millions of rubles are no longer taken as something unusual,”
The tactic used by the Buhtrap group is consolidated, the hackers register typo domains or domains that are familiar to the victim, and from there they rent servers where mail servers were set up to send phishing emails on behalf of the legitimate company avoiding being filtered as spam.
The group used a custom malware which is able to detect security software and other defensive solutions. The malware uses to track every banking operation made by the victims, the malicious code notice these operations, it downloads a legitimate remote access tool (LiteManager) which is used to carry on fraudulent transfer orders.
What to expect in the next months?
The experts have no doubt, the group will continue its activity, likely improving its TTPs, researchers at Group-IB fears that the public availability of the gang’s malware may trigger the number of campaigns against banks conducted by other criminal organizations.
“The published source codes are active. Their wide distribution may trigger the increase in the number of attacks using this malware conducted by other groups. The builder interface is presented below.” states the report.
Let me suggest to give a look at the interesting report published by Group-IB, it is full of precious information on the Buhtrap group, including indicators of compromise.
DB of the Kinoptic iOS app abandoned online with 198,000 records
18.3.2016 iOS
Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.
The security researcher Chris Vickery has discovered a database belonging to an abandoned iOS app, the Kinoptic iOS app, that is exposing on the Internet personal details of over 198,000 users.
The Kinoptic iOS app allowed Apple users to create cinematic slideshows of their photos, animate smaller portions of one picture and, of course, to share it through social media platforms.
“Kinotopic allows you to create, share, and store short video moments and make them more expressive – in the form of animated pictures and cinemagraphs.” states the app description.
The Kinoptic iOS app was present on the official App store from 2012 to 2015, its website was closed early 2016.
Chris Vickery is popular for its researches on Intente-exposed MongoDB databases, he discovered archives exposing the personal details of hundred millions U.S. voters and recently a misconfigured MongoDB installation behind a Microsoft’s career portal that exposed visitors to attacks.
Vickery explained confirmed that the database behind the Kinoptic iOS app remained online, despite the application was removed from the official Apple store.the disconcerting aspect of the story is that the developers of the Kinoptic iOS app abandoned their service, leaving the data exposed on the Internet … a present for crooks that could use them to target the unaware users.
The data is available without authentication and includes usernames, email addresses, and hashed passwords, along with other details stored in profiles managed by the Kinoptic iOS app.
Vickery tried to report the issue to both Kinoptic developers and Apple. The Kinoptic team has never replied to the expert, meanwhile the Apple’s reply was:
“Chris, if you believe that this issue affects the security of an iOS device or the iTunes Store, you may report it to product-security@apple.com. […]
On the other hand, if this security issue only affects the application itself, I’m afraid you will need to continue getting in touch with the app developer for assistance.”
This means that the data will continue to stay online until the server or the database is shut down.
Of course, if you have used in the past the Kinoptic app you need to change the password as soon as possible.
New Android Gmobi adware found in firmware and popular apps
18.3.2016 Android
Malware researchers at the Dr Web firm have found an Android malware named Gmobi specifically designed to spread as a software development kit (SDK).
Malware researchers at security firm Dr.Web have detected a new strain of malware that was specifically designed to spread as a software development kit (SDK) used by software developers and mobile device manufacturers. The malware, named Android.Gmobi.1, has been found in several legitimate applications developed by well-known companies, as well as in firmware for nearly 40 mobile devices.
“This Trojan, which was named Android.Gmobi.1, is designed as a specialized program package (the SDK platform) usually used either by mobile device manufacturers or by software developers to expand functionality of Android applications. In particular, this module is able to remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments.” states the analysis published by the company.
The malware acts as an information stealer, it collects user and device data and send them back to the C&C server. Gmobi collects user emails, device info, roaming availability status, GPS or mobile network coordinates, whether the Google Play app that installed on the device.
Gmobi collects the following information and sends it to the C&C server: user emails, device info, roaming availability status, device location and mobile network coordinates, whether the presence of a Google Play application on the device.
The malware belongs to the adware category, once the C&C server has received the data from the device it can instruct the Gmobi in showing ads in specific positions of the device. The bad news is that operators behind Gmobi can also instruct the malware to download and install malicious APK files using a standard system dialog.
The experts highlighted that the Gmobi adware can install the APK files in a covert way only if the malware has the necessary privileges.
The server replies with an encrypted JSON (Java Script Object Notification) object that can contain the following commands:
Update the database with information about the advertisement to display.
Create an advertising shortcut on the home screen.
Display an advertising notification.
Display a notification tapping which will result in launch of an installed application.
Automatically download and install APK files using a standard system dialog. A covert installation of these files is performed only if the Trojan has necessary privileges.
The researchers have detected Gmobi in Trend Micro’s Dr. Safety and Dr. Booster apps, and the ASUS WebStorage apps. The Gmobi variant that was discovered in the software of the Trend Micro firm only collected information from the Android devices and sent it to a remote server.
Dr.Web reported the issue to all the impacted companies, Trend Micro has promptly released a new version of the infected apps.
“If your device’s firmware is infected by this Trojan, the malware cannot be removed by the anti-virus without root privileges. However, even if root privileges are gained, there is a high risk of making the device non-operational because the Trojan can be incorporated into some critical system application. Therefore, the safest solution for victims ofAndroid.Gmobi.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.” concludes Dr Web.
Android Stagefright Exploit, Millions devices open to 10-seconds hack
18.3.2016 Android
Millions of Android devices are open to hacking attacks due to the newly disclosed Android Stagefright Exploit that hack a smartphone in 10 seconds.
New problems for Android users, security experts at software research firm NorthBit have developed an exploit for a Stagefright vulnerability affecting Google’s operating system.
Millions of Android devices are open to hacking attacks due to the newly disclosed Android Stagefright Exploit that could allow attackers to hack a smartphone in 10 seconds.
The attacker just needs to trick users into visiting a specifically crafted web page that includes a malicious multimedia file.
The researchers at NorthBit have dubbed the Android Stagefright Exploit Metaphor, they published a detailed analysis of the attack in a paper entitled “Metaphor A (real) reallife Stagefright exploit.”
The researchers have published a proof-of-concept video that shows how they hacked an Android Nexus 5 device using their Metaphor exploit in just 10 seconds. They also demonstrated that the Android Stagefright Exploit Metaphor works against other mobile devices, including Samsung Galaxy S5, LG G3 and HTC One smartphones.
“Although the bug exists in many versions (nearly a 1,000,000,000 devices) it was claimed impractical to exploit inthewild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR.” states the paper.
The Android Stagefright Exploit works on Android versions 2.2 to 4.0 and 5.0 to 5.1 while bypassing ASLR on Android versions 5.0 to 5.1, as version 2.2 to version 4.0 do not implement ASLR. Other Android versions are not affected by the new Stagefright exploit.
The Stagefright was first discovered in July 2015, experts at security firm Zimperium announced the flaw is the worst Android vulnerability flaw in the mobile OS history.
The Stagefright flaw affects a media library app that is used for by Android to process Stagefright media files. According to the experts at Zimperium the media library is affected by several vulnerabilities.
Joshua Drake from Zimperium discovered seven critical vulnerabilities in the native media playback engine called Stagefright, the expert defined the Stagefright flaw the “Mother of all Android Vulnerabilities.”
The attackers can exploit the vulnerability by sending a single multimedia text message to an unpatched Android device. Despite Google has already issued a patch and has sent out to it to the company’s partners, but most manufacturers haven’t already distributed the patch to their customers exposing them to cyber attack.
In September 2015, experts at Zimperium released a Stagefright exploit, demonstrating how to trigger the Remote Code Execution (RCE). The researchers implemented the Stagefright Exploit in python by creating an MP4 exploiting the ‘stsc’ vulnerability, aka Stagefright vulnerability.
Stagefright Exploit
In October 2015, experts at Zimperium discovered that a billion Android phones were vulnerable to new Stagefright vulnerabilities, dubbed Stagefright 2.0 that could allow attackers to execute malicious code on the targeted device.
The researchers discovered two bugs that are triggered when processing specially crafted MP3 audio or MP4 video files.
The hacking procedure described by the researchers at NorthBit is composed of the following steps:
Tricking a victim into visiting a malicious page containing a video file that crashes the media server to reset its internal state.
Once the media server restarts, the JavaScript hosted on the web page sends information about the device to the attacker’s server.
The server reply with a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more info about the device’s internal state.
This information is also sent back to the attacker’s server to craft another video file that embeds a malicious payload that allows gaining the control of the mobile device.
DARPA Invites Geeks to Convert Everyday Objects into Deadly Weapons
17.3.2016 IT
Do you know that your daily household items can be turned into deadly weapons?
Yes, it's possible to convert some of your everyday household appliances into explosives, weapons or surveillance devices.
DARPA – the agency which does research in various fields for improving the US Military and US Department of Defense capabilities – had announced a new project dubbed "Improv" to transform simple household appliances into deadly weapons i.e. homemade weapons.
In previous years, various military grade weapons had been found malfunctioned by the ordinary household things that could cripple the military inventions.
By various incidents happening around the Military grounds, officials observed that "how easily-accessed hardware, software, processes, and methods could be used to create products or systems that could pose a future threat."
So, DARPA (Defense Advanced Research Projects Agency) proceeded with a program and is seeking proposals from engineers, skilled hardware hackers, biologists and information technologists, who can come up with some innovative ideas to build a deadly system or devices by unleashing the power of everyday things.
Improv - Initiative to Build Weaponised Capabilities into Home Appliances
Improv program will carry out research on the systems and devices of the readily available technology that could threaten the national security by challenging the current military equipment.
"Improv will explore ways to combine or convert commercially available products such as off-the-shelf electronics, components created through rapid prototyping, and open-source code to cost-effectively create sophisticated military technologies and capabilities," said John Main, Improv's Program Manager.
The program's prime aim is to build capabilities of a weaponized device in normal household things.
Open Challenge!
Improv would undergo 3 Phases to finalize the proposed system:
Phase 1: Submit plans for off-the-shelf prototype and if selected, candidates would be rewarded with $40,000.
Phase 2: The second round of the program requires selected candidates to bring proposed prototype model into real world system for which DARPA will fund $70,000.
Phase 3: The final stage is for a live demonstration with up to $20,000 for testing.
The Candidates have to complete this task with a strict deadline of 90 days as per Rules of DARPA.
Improv understands the fact that no one can be a Jack of all trades. Hence, there are no exclusions for anyone to give his or her try, which could really save the world from the potential dangers, unlike "Hack the Pentagon" program which was opened only for US Nationals.
Nowadays many mushrooming methods are evolved to manipulate the legit systems, which is a nightmare for millions and a daydream for criminals.
So, Improv would be seen as a new dimension to the US Military Defense to tackle the risky attacks.
ProtonMail is open. Do you want an encrypted email account? Sign in!
17.3.2016 Security
ProtonMail, the world’s largest privacy-focused and encrypted email provider, announced today that the service is leaving beta.
ProtonMail, the world’s largest privacy-focused and encrypted email provider, announced today that the service is leaving beta and will be allowing open registrations for the first time in nearly two years. For the past couple of years, ProtonMail has been invite-only, more that one million users had the opportunity to test the beta. The service also presented its free mobile apps available for both Apple iOS and Android devices.
ProtonMail was first launched in beta in May 2014 by a group of scientists who met at CERN and MIT, but its popularity reached the peak after the disclosure of the Snowden‘s revelation on the mass-surveillance operated by the FiveEyes alliance.
The company then received an impressive amount of demands for new accounts that forced it to create a waiting list. According to the company, the requests exceeded 10,000 per day.
ProtonMail is an essential instrument to protect our privacy, businesses, journalists, activists, security experts, private individuals, me … and Mr Robot, already use it. The email service implements the end-to-end encryption allowing users to communicate securely on the Internet making impossible for law enforcement and intelligence agencies to eavesdrop the traffic.
In the End-to-end Encryption model data is encrypted on the sender’s system before passing it to the servers of the service provider, which turn the encrypted data to the intended recipient, who is the only entity who can decrypt it.
Of course, this isn’t a good moment for companies that offers such kind of services, ProtonMail has been frequently thrust into the public debate over encryption and terrorism, and in several cases it had problems with governments to protect user privacy.
“Strong encryption and privacy are a social and economic necessity, not only does this technology protect activists and dissidents, it is also key to securing the world’s digital infrastructure,” says ProtonMail Co-Founder Dr. Andy Yen, “this is why all things considered, strong encryption is absolutely necessary for the greater good.”
ProtonMail has decided to open the service for public registration, this means that everyone can obtain an account for free immediately.
“The best way to ensure that encryption and privacy rights are not encroached upon is to get the tools into the hands of the public as soon as possible and widely distributing them,” says Yen, “This way, we put the choice in the hands of the consumer, and not government regulators.”
“The past decade has been marked by a massive erosion of privacy and we’re working to reverse this trend,” says Yen. “Encrypted communications is the future and ProtonMail is committed to making online privacy a reality again for all Internet users.”
New Exploit to 'Hack Android Phones Remotely' threatens Millions of Devices
17.3.2016 Android
Millions of Android devices are vulnerable to hackers and intelligence agencies once again – Thanks to a newly disclosed Android Stagefright Exploit.
Yes, Android Stagefright vulnerability is Back…
…and this time, the Stagefright exploit allows an attacker to hack Android smartphones in 10 seconds just by tricking users into visiting a hacker's web page that contains a malicious multimedia file.
A group of security researchers from Israel-based research firm NorthBit claimed it had successfully exploited the Stagefright bug that was emerged in Android last year and described as the "worst ever discovered".
The new Stagefright exploit, dubbed Metaphor, is detailed in a research paper [PDF] that guides bad guy, good guy as well as government spying agencies to build the Stagefright exploit for themselves.
Just yesterday, we reported about critical vulnerabilities in Qualcomm Snapdragon chip that could be exploited by any malicious application to gain root access on a vulnerable Android device, leaving more than a Billion Android devices at risk.
Video Demonstration — Exploit to Hack Android Phone in 10 Seconds
The researchers have also provided a proof-of-concept video demonstration that shows how they successfully hacked an Android Nexus 5 device using their Metaphor exploit in just 10 seconds. They also successfully tested Metaphor on a Samsung Galaxy S5, LG G3 and HTC One smartphones.
According to the researchers, Millions of unpatched Android devices are vulnerable to their exploit that successfully bypasses security defenses offered by Android operating system.
What is StageFright Bug and Why You have to Worry about it?
Stagefright is a multimedia playback library, written in C++, built inside the Android operating system to process, record and play multimedia files such as videos.
However, what Zimperium researchers discovered last year was that this core Android component can be remotely exploited to hijack 95 percent of Android devices with just a simple booby-trapped message or web page.
Another critical vulnerability discovered last October in Stagefright exploited flaws in MP3 and MP4 files, which when opened were capable of remotely executing malicious code on Android devices, and was dubbed Stagefright 2.0.
However, to tackle this serious issue, Google released a security update that patches the critical bug as well as promised regular security updates for Android smartphones following the seriousness of the Stagefright bugs.
Here's How the New Stagefright Exploit Works
Researchers described the following process to successfully hijack any vulnerable Android smartphone or tablet:
Step 1: Tricking a victim into visiting a malicious web page containing a video file that crashes the Android's mediaserver software to reset its internal state.
Step 2: Once the mediaserver gets a restart, JavaScript on the web page sends information about the victim's device over the Internet to the attacker's server.
Step 3: The attacker's server then sends a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more info about the device's internal state.
Step 4: This information is also sent back to the attacker's server to craft another video file that embeds a payload of malware in it, which when processed by Stagefright starts executing on the victim's smartphone with all the privileges it needs to spy on its owner.
The researchers also claim that their exploit specifically attacks the CVE-2015-3864 vulnerability in a way that bypasses Address Space Layout Randomisation (ASLR), a memory protection process.
"It was claimed [the Stagefright bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in [latest] Android versions, specifically ASLR," the research paper reads.
The team's exploit works on Android versions 2.2 to 4.0 and 5.0 to 5.1 while bypassing ASLR on Android versions 5.0 to 5.1, as version 2.2 to version 4.0 do not implement ASLR. Other Android versions are not affected by the new Stagefright exploit.
You can go through the full research paper [PDF] that provides enough details to create a fully working and successful exploit.
Warning — Hackers can Silently Install Malware to Non-Jailbroken iOS Devices
17.3.2016 iOS
Hard time for mobile phone users!
Just recently, two severe vulnerabilities in Qualcomm Snapdragon chip and Stagefright were spotted on the Android platform, affecting more than a Billion and Millions of devices respectively.
And now:
Hackers have discovered a new way to install malicious apps onto your iPhone without your interaction.
Researchers at Palo Alto Networks have uncovered a new strain of malware that can infect Non-Jailbroken (factory-configured) iPhones and iPads without the owner's knowledge or interaction, leaving hundreds of millions of Apple iOS devices at risk.
Dubbed AceDeceiver, the iPhone malware installs itself on iOS devices without enterprise certificates and exploits designing flaws in Apple's digital rights management (DRM) protection mechanism called FairPlay.
What's more concerning about this malware:
Unlike most iOS malware, AceDeceiver works on factory-configured (non-jailbroken) iOS devices as well.
FairPlay is an Apple's software program that prevents people from stealing purchased apps from its official App Store.
apple-iphone-hack
However, with the help of AceDeceiver's "FairPlay Man-in-the-Middle (MITM) technique," hackers can install malicious apps on your iPhone even without your knowledge, simultaneously bypassing Apple's other security defenses.
According to researchers, the FairPlay Man-In-The-Middle (MITM) technique has been in use since 2013, as a way to distribute pirated iOS apps.
"In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code," Claud Xiao from Palo Alto Networks explains in a blog post. "They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by the victim."
However, this is the first time the FairPlay technique has been used to spread malware on iOS devices, as the creator of the pirated software can install potentially malicious apps without your knowledge.
Currently, the malicious behaviors related to AceDeceiver has been spotted in China, but researchers warn that the malware could be easily configured to target iPhone users of other geographic regions as well.
For more details, you can head on to Palo Alto Networks' blog post about the AceDeceiver threat.
American Express issued a notice of data breach
17.3.2016 Security
American Express is informing cardholders that their payment card data may have been exposed after a third-party service provider suffered a security breach.
Another illustrious victim of a data breach is in the headlines, this time, American Express is warning Cardholders of a possible incident occurred to a third party service provider. The name of the affected service provider has not been made public.
According to the American Express, data associated with current or previously issued American Express cards might have been stolen by hackers. The information obtained by unauthorized parties includes account numbers, names, and expiration dates.
“We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.” states a data breach notice published by the Office of the Attorney General of the State of California DoJ.
American Express highlighted that its financial systems were not affected by the incident, in order to prevent abuse the company is monitoring of fraudulent activities that might affect cardholders.
American Express Co. credit cards are arranged for a photograph in New York, U.S., on Monday, April 15, 2013. American Express Co., the biggest U.S. credit-card issuer by purchases, named Edward P. Gilligan to become its president, effective immediately. Photographer: Scott Eells/Bloomberg via Getty Images
American Express confirmed that cardholders are not liable for any fraudulent charges, at the same time is inviting them to monitor their account for fraud.
American Express suggests cardholders enabling instant notifications of a potentially fraudulent activity, the company offers it by enabling notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts
“WHAT YOU CAN DO. We ask that you carefully review your account for fraudulent activity. Below are some steps you can take to protect your account. Login to your account at americanexpress.com/MYCA to review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months. If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts. Please make sure your mobile phone number and email address are also on file for us to contact you if needed. OTHER IMPORTANT INFORMATION. Included with this letter are some additional helpful tips and steps you can take to protect yourself against the risks of fraud and identity theft.” states the notice.
Incidents like this remark the importance of cyber security for the entire chain of custody with sensitive data, an incident at some point in the chain could compromise the entire process.
In this specific case, American Express relies on a third party service that has been breached causing the exposure of the confidential information.
If you are an AMEX cardholder remain vigilant.
How to install the AceDeceiver malware onto any iOS Device
17.3.2016 iOS
AceDeceiver is the first iOS malware that abuses certain design flaws in Apple’s FairPlay DRM to install malicious apps on iOS devices even non-jailbroken.
Hackers are exploiting a flaw affecting the Apple digital rights management technology (DRM) to install malicious apps on every iOS device, even non-jailbroken ones.
Last month, security experts at Palo Alto Networks firm spotted three malicious applications deployed on the official App Store that were developed to steal Apple IDs and passwords from Chinese users.
The interesting part of the discovery made by Palo Alto is related to the ability of the three apps to be silently installed through software running on Windows machines.
The only ways to install a mobile app on an iOS device that hasn’t been jailbroken, is to download it from the official App Store or install it through the iTunes software from users’ PCs. In this second scenario, the device verifies the legitimate origin of the app with the Apple’s FairPlay DRM technology.
In 2014, a team of researchers from Georgia Institute of Technology presented at the USENIX conference, a method through which an iOS device could be tricked to install any app, previously acquired by a different Apple ID, through the iTunes.
At this point the attack scenario is clear, hackers can remotely install apps on iOS device connected to an already compromised PC.
Without this premise, now researchers at Palo Alto Networks confirmed that hackers in the wild are still using this trick to serve a malicious app named AceDeceiver on non-jailbroken devices.
“We’ve discovered a new family of iOS malware that successfully infected non-jailbroken devices we’ve named “AceDeceiver”. states a blog post published by Palo Alto Networks.
“What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple’s DRM mechanism, and even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.”
The threat actors first uploaded their apps to the App Store, managing to pass Apple’s review process by submitting them as wallpapers. Once the apps are deployed on the official store they purchased the apps through the iTunes in order to capture the DRM FairPlay authorization code.
The crooks developed a client software that simulates the iTunes and distributed it in China masquerading it as a helper program for iOS devices that can perform system reinstallation, jailbreaking, system backup, device management, and system cleaning.
“To carry out the attack, the author created a Windows client called ”爱思助手 (Aisi Helper)” to perform the FairPlay MITM attack. Aisi Helper purports to be software that provides services for iOS devices such as system re-installation, jailbreaking, system backup, device management and system cleaning.” continues the post.
When users connected their iOS devices to a computer running this software, it silently installed AceDeceiver by using the authorization code captured when the app was first deployed on the official store.
“By deploying authorized computer in the C2 server, and using a client software as agent in the middle, the attacker can distribute that purchased iOS app to unlimited iOS devices.” reads the post.
What happen if Apple removes the AceDeceiver apps from the official store?
Nothing, the technique presented by the researchers at USENIX in 2014 works even if the app has been removed from the App Store because attackers already have the authorization code they need to complete the installation.
“Even if an app has been removed from the App Store, attackers can still distribute their own copies to iOS users.” the team of experts explained at the USENIX conference.
The technique used to serve the AceDeceiver malware is very dangerous, in the future other criminal gangs could start using it.
“Our analysis of AceDeceiver leads us to believe FairPlay MITM attack will become another popular attack vector for non-jailbroken iOS devices – and thus a threat to Apple device users worldwide. Palo Alto Networks has released IPS signatures (38914, 38915) and has updated URL filtering and Threat Prevention to protect customers from the AceDeceiver Trojan as well as the FairPlay MITM attack technique.” states the Palo Alto.
Apple users beware, no one is immune!
Man behind The Fappening case charged with hacking celebrity accounts
17.3.2016 Hacking
Pennsylvania man behind the Fappening case Charged with hacking Apple and Google e-Mail accounts belonging to more than 100 people.
The culprit of the popular Fappening case may have a name, the US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania for hacking Apple and Google E-Mail accounts belonging to more than 100 people, mostly celebrities.
In September 2014, the FBI started an investigation after iCloud accounts of celebrities were hacked by unknowns that have stolen their pictures.
Immediately Apple denied that its iCloud platform was breached, instead, it explained that hackers obtained the images by hacking victims. A few days later, the consumer tech giant also announced that it would
A few days later, Apple announced the implementation of new features to improve the security of the iCloud service.
The list of victims is long and includes Jennifer Lawrence and Kim Kardashian, the hacker has stolen the private images of the celebrities and leaked their nude photos onto 4chan.
“A Pennsylvania man was charged today with felony computer hacking related to a phishing scheme that gave him illegal access to over 100 Apple and Google e-mail accounts, including those belonging to members of the entertainment industry in Los Angeles.” states the press release issued by the DoJ.
Collins admitted his responsibility and signed a plea agreement to plead guilty to a felony violation of the Computer Fraud and Abuse Act.
The man carried out spear phishing emails to the victims from November 2012 until the beginning of September 2014. In this way the man obtained the login credentials from its victims, then he illegally accessed their e-mail accounts to access sensitive and personal information.
The man behind the Fappening case focused his efforts to access nude pictures and videos from the victims, the DoJ announcement also revealed that in some circumstance he used a software to download the entire contents of the victims’ Apple iCloud backups.
“After illegally accessing the e-mail accounts, Collins obtained personal information including nude photographs and videos, according to his plea agreement. In some instances, Collins would use a software program to download the entire contents of the victims’ Apple iCloud backups.” continues the press release.
The case will be transferred from Los Angeles to Harrisburg in the Middle District of Pennsylvania, where Collins lives.
Collins will face a statutory maximum sentence of five years in federal prison, but the man reached an agreement for a recommendation of a prison term of 18 months.
“By illegally accessing intimate details of his victims’ personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity. We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information,” David Bowdich, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, said.
Other hackers have been already charged for hacking celebrities’ email accounts, in December 2015, Alonzo Knowles, aka “Jeff Moxey,” has been charged after allegedly hacking into the email accounts belonging to 130 celebrities stealing personal information, movie scripts and sex tapes.
Carbanak Group targets entities in Middle East and US with new TTPs
17.3.2016 Virus
Proofpoint has collected evidence of new Carbanak group campaigns.The hackers are targeting banks in the Middle East, the United States and other countries.
Security researchers at Proofpoint firm sustain to have collected evidence of new Carbanak group campaigns. This time the hackers are targeting banks in the Middle East, the United States and other countries.
Last year, Kaspersky investigated a number of cyber attacks on 29 Russian organizations, the researchers believe that these attacks have been coordinated by Carbanak and two other criminal gangs dubbed “Metel” and “GCMAN,” that adopted similar hacking techniques.
In September 2015, security experts at CSIS discovered that the Carbanak malware was still being used in spear phishing attacks against major organizations in UE and Europe.
“Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions. As part of the forensic task, we managed to isolate a signed binary, which we later identified as a new Carbanak sample. ” wrote the CSIS in a blog post published by the CSIS.
“We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process,”
The new Carbanak trojan was relying on predefined IP addresses instead of domains and in order to improve the evasion capability its code was signed with a digital certificate issued by Comodo to a Russia-based wholesale company.
Kaspersky confirmed that the Carbanak gang (also called Carbanak 2.0 by Kaspersky) was behind the attacks spotted by CSIS and revealed that the group is now targeting also the budgeting and accounting departments of various types of organizations, a including financial institution, and a telecoms company.
The group that targeted a Russian bank used a strain of malware known as Metel (aka Corkow) to compromise banks’ networks via spear-phishing emails.
This week, researchers at Proofpoint revealed to have spotted new campaigns targeting Middle Eastern countries, including United Arab Emirates, Kuwait, Lebanon and Yemen. The new campaign it targeting high-level executives and , directors, and operations managers at banks and enterprise software firms
The Carbanak Group seems to be targeting high-level executives, directors, senior managers, and regional and operations managers at banks, financial organizations, companies selling enterprise software, and professional services companies.
The hackers launched spear phishing attacks against victims, the email messages contain a URL that points to a malicious document designed to trigger an old Office vulnerability (CVE-2015-2545) to serve a malware downloader used to drop the Carbanak payload, aka Spy.Sekur.
In other cases, the attackers of the Carbanak Group have sent malicious emails containing links to the Java-based remote access Trojan jRAT.
” Recently, we detected Carbanak campaigns attempting to:
Target high level executives in financial companies or in financial/decision-making roles in the Middle East, U.S. and Europe
Spear-phishing emails delivering URLs, macro documents, exploit documents
Use of Spy.Sekur (Carbanak malware) and commodity remote access Trojans (RATs) such as jRAT, Netwire, Cybergate and others used in support of operations.” states the report published by Proofpoint.
Experts also analyzed another campaign targeting employees of US- and Europe-based companies in the financial industry, mass media, and other seemingly unrelated targets in fire, safety, air conditioning and heating. .
“Unlike the March 1st campaign, which contained links to exploit documents, this campaign employed documents attached to email messages. The two observed documents “remitter request_2016-03-05-122839.doc” and “Reverse debit posted in Error 040316.doc” use macros to download the final Spy.Sekur payload from hxxp://154.16.138[.]74/sexit.exe”
In this second campaign, hackers leveraged on emails containing Word documents which embedded malicious macros.
“Unlike the March 1st campaign, which contained links to exploit documents, this campaign employed documents attached to email messages. The two observed documents “remitter request_2016-03-05-122839.doc” and “Reverse debit posted in Error 040316.doc” use macros to download the final Spy.Sekur payload from hxxp://154.16.138[.]74/sexit.exe” states the report.
The analysis of the information gathered during the investigation allowed the experts to discover most attacks targeted organizations in the United States (17.7 percent), followed by Oman, Australia, UAE, Kuwait, Pakistan, the Netherlands and Germany.
The researchers have uncovered links between Carbanak activity and other threats such as Cybergate, DarkComet and the MorphineRAT.
This last wave of attacks is very interesting because the group used new exploits, macro documents, and RATs to compromise non-Russian targets. The group is also expanding the scope of the attacks targeting companies and organizations in a various industries.
'The Fappening' Hacker Reveals How He Stole Nude Pics of Over 100 Celebrities
16.3.2016 Hacking
Almost one and a half years ago after the massive leakage of celebrities' nude photographs — famous as "The Fappening" or "Celebgate" scandal — a man had been charged with the Computer Fraud and Abuse Act, facing up to 5 years in prison as a result.
The US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania for illegally accessing the Gmail and iCloud accounts of various celebrities, including Jennifer Lawrence and Kim Kardashian, and leaked their nude photos onto 4chan.
Social Engineering Helped Hacker Stole Celebs' Nude Pics
Collins was trapped by the Federal Bureau of Investigation (FBI) and in the process of the trial, the hacker revealed that…
The Fappening did not involve Apple's iCloud services being compromised through password cracking or brute-forcing, but rather it was the result of simple Social Engineering, in the form of Phishing Attacks.
Yes, The Fappening scandal was the result of Social Engineering tricks, while we believed that Apple's iCloud services had targeted under brute-force password hacking attacks.
At the time when the celebrities' nude images were circulating online, Apple denied that its iCloud service was hacked and claimed that the hacks were more likely to be a phishing scam. So this was actually the case.
Collins was engaged in Phishing schemes between November 2012 and September 2014, when he hijacked more than 100 celebs' accounts using fake emails disguised as official notifications from Google and Apple, asking victims for their usernames and passwords.
Hacker Used iBrute to Download iCloud Backups
Once done, Collins then used this information to access 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebs, and in most cases used specialized 'brute force' software program iBrute to illegally download the contents of their iCloud backups and look for more data, including nude photos of celebrities.
Collins admitted only to hacking celebrities accounts, but not to uploading their naked photos online.
However this does not mean Collins did not leak those photographs, but the hacker negotiated a lighter guilty plea, allowing United States authorities to close the investigation faster.
Collins has not been sentenced yet but faces a maximum sentence of 5 years in prison for his crime, along with fines of up to $250,000. However, according to a plea agreement, the prosecution will recommend the judge an 18-month prison sentence.
Russia Rejects Google's Appeal and Orders to Stop Pre-Installing its own Android Apps
16.3.2016 Android
The Giant search engine Google has lost an anti-monopoly appeal in Russia against ruling related to its Android mobile OS
The Moscow Arbitration Court on Monday ruled that Google had violated its dominant position with the help of its free open source mobile platform "Android" by forcing its own apps and services like Youtube, Google Map, and others, on users — reducing competition.
The complaint was brought against Google last February by competing search engine Yandex — Russian Counterpart of Google — which had argued that Google broke competition rules by requiring handset manufacturers to pre-install its apps on Android phones and tablets.
Yandex-1, Google-0
According to the survey conducted by Liveinternet data in September 2013, Yandex accounted 57.4% of the Russian search market, while Google shared 34.9%. This stats reflected in the share market, as their shares were 62.2 and 26 percent respectively.
These statistical analyzes really worried Google about its operations in the Russian Cyberspace and soon it rolled out its Plan B to gain widespread popularity in the Russian Markets by shipping Android smartphones with Google Play Store as bloatware.
This, however, gained a pony monopoly among the Russian Markets. But soon, Yandex noticed that millions of smartphones in Russia shipped with the Android platform that uses Google as the default search engine.
As Yandex ranked as the 4th largest search engine worldwide, the popularity of Android in Russia had already reflected the changes in the Russian Stock Market, forcing Yandex to proceed with a lawsuit against Google in February 2015.
No Pre-installed Google Apps for Russians
The original ruling was then handed down by the country's privacy watchdog, the Federal Antimonopoly Service (FAS), last September over the pre-installed Google apps on Android and blocking other service providers.
Google appealed the ruling and filed an antitrust to adhere their business in the Russian Markets last year.
However, yesterday (Tuesday) the Moscow Arbitration Court rejected the company's appeal — upholding FAS' judgment that Google's practices broke Russian law by leading to the 'prohibition of pre-installation of apps of other producers.'
To regain its dominance over foreign search engines, FAS had already passed the case in favor of Yandex, the native search engine.
FAS adjourned that the default Android would not be coming with any pre-installed Google apps on Android smartphones and tablets in Russia.
Google will now be required to amend its contract with OEMs in Russia to comply with the ruling. The company now faces having to instruct its contracts with manufacturers and paying a penalty based on its local earnings.
Is Yandex - An Unsung Hero?
There is already a buzz in the cyber chat rooms that Yandex was a cloned product of Google, which is evident from many social discussion sites.
Yandex had already developed a unique method to search the whole Bible and Russian Literatures at its infancy stage, which was adopted by Google later.
These are some of the hidden facts about Yandex:
Yandex launched as a search engine in 1997, a year earlier than Google.
Yandex also launched maps in 2004, Google a year later in 2005.
Yandex was the first to launch news search in 2000, Google in 2002.
Blog search came out of Russia in 2004, but out of California only in 2006.
Yandex had already launched an RSS aggregator in 2005, Google followed in 2006.
Even Though Google had implemented many new ideas as time progressed with the help of its think tanks, yet Yandex was behind the implementations of classic times.
Let's look what would be the next roll out from Yandex after the Thumbs Up Rule from FAS.
More than a Billion Snapdragon-based Android Phones Vulnerable to Hacking
16.3.2016 Android
More than a Billion of Android devices are at risk of a severe vulnerability in Qualcomm Snapdragon chip that could be exploited by any malicious application to gain root access on the device.
Security experts at Trend Micro are warning Android users of some severe programming blunders in Qualcomm's kernel-level Snapdragon code that if exploited, can be used by attackers for gaining root access and taking full control of your device.
Gaining root access on a device is a matter of concern, as it grants attackers access to admin level capabilities, allowing them to turn your device against you to snap your pictures, and snoop on your personal data including accounts’ passwords, emails, messages and photos.
The company’s own website notes that Qualcomm Snapdragon SoCs (systems on a chip) power more than a Billion smart devices, including many Internet of Things (IoTs) as of today. Thus, the issue puts many people at risk of being attacked.
Although Google has pushed out updates after Trend Micro privately reported the issues that now prevents attackers from gaining root access with a specially crafted app, users will not be getting updates anytime soon.
The security update rolls out to your device through a long chain:
Qualcomm → Google → Your device's manufacturer → Your network carrier → Your handheld over the air
"Given that many of these devices are either no longer being patched or never received any patches in the first place," said Trend engineer Wish Wu, "they would essentially be left in an insecure state without any patch forthcoming."
Unfortunately, what’s more concerning is the fact that the same vulnerable chips are used in a large number of IoT devices, which are no longer in line for security updates. This makes it possible for hackers to gain root access to these connected devices, which is more worrying.
"Smartphones aren't the only problem here," said Trend's Noah Gamer. "Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things, meaning these gadgets are just as at risk."
"If IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with."
Whatever be the reason: if security patches are not available for your device model or take too long to arrive, in both the cases it gives miscreants time to exploit the security holes to gain control of your device.
However, some users are lucky to choose Google’s handsets that get their patches direct from the tech giant automatically, making them safe from the vulnerabilities. The handsets include Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10.
All of the smart devices using the Qualcomm Snapdragon 800 series, including the 800, 805 and 810 and running a 3.10-version kernel are affected by the vulnerabilities.
The vulnerable code is present in Android version 4 to version 6. In the tests, researchers found Nexus 5, 6 and 6P, and Samsung Galaxy Note Edge using vulnerable versions of Qualy's code.
Though the researchers do not have access to every Android handset and tablet to test, the list of vulnerable devices is non-exhaustive.
Since the researchers have not disclosed full details about the flaws, the short brief about the vulnerabilities is as follows:
1. Qualcomm-related flaw (CVE-2016-0819): The vulnerability has been described by the researchers as a logic bug that allows a small section of kernel memory to be tampered with after it is freed, causing an information leakage and a Use After Free issue in Android.
2. The flaw (CVE-2016-0805) is in Qualcomm chipset kernel function get_krait_evtinfo: The get_krait_evtinfo function returns an index into an array used by other kernel functions. With the help of carefully crafted input data, it is possible to generate a malicious index, leading to a buffer overflow.
3. Gaining root access: Using both the flaws together on vulnerable devices, attackers can gain root access on the device.
The researchers will disclose the full details of exactly how to leverage the bugs at the upcoming Hack In The Box security conference in the Netherlands to be held in late May 2016.
EDA2, derived from the educational ransomware, is easy to break
16.3.2016 Virus
The new strain of educational ransomware EDA2 is infecting systems in the wild, but experts discovered that it is quite easy to neutralize.
Do you remember the EDA2 ransomware?
It is one of the educational ransomware developed by the security expert Utku Sen, now a new variant of the EDA2 educational ransomware appeared in the wild and the good news is that this variant is quite easy to neutralize.
The EDA2 ransomware encrypts victims’ files using AES encryption, then it appends the .locked extension to them. In a way similar to other ransomware, EDA2 also drops notes on the infected machines and informs users that they need to pay .5 bitcoins to restore their files.
According to the experts at Bleeping Computer, the educational ransomware has already infected more than 650 machines and the analysis of the Bitcoin address associated with the ransom request revealed that only 3 victims have paid.
The crooks are targeting online gamers, the EDA2 educational ransomware spread via a link associated with a YouTube video that explains how to crack the Far Cry Primal videogame. When victims try to execute the file crack are infected by the ransomware that encrypts users’ files.
The new strain of educational ransomware EDA2 is infecting systems in the wild, but experts discovered that it is quite easy to neutralize.
Do you remember the EDA2 ransomware?
It is one of the educational ransomware developed by the security expert Utku Sen, now a new variant of the EDA2 educational ransomware appeared in the wild and the good news is that this variant is quite easy to neutralize.
The EDA2 ransomware encrypts victims’ files using AES encryption, then it appends the .locked extension to them. In a way similar to other ransomware, EDA2 also drops notes on the infected machines and informs users that they need to pay .5 bitcoins to restore their files.
According to the experts at Bleeping Computer, the educational ransomware has already infected more than 650 machines and the analysis of the Bitcoin address associated with the ransom request revealed that only 3 victims have paid.
The crooks are targeting online gamers, the EDA2 educational ransomware spread via a link associated with a YouTube video that explains how to crack the Far Cry Primal videogame. When victims try to execute the file crack are infected by the ransomware that encrypts users’ files.
The author of the malware in a bold manner writes in the note that he would never get caught by the authorities.
Utku Sen, the developer that created the educational ransomware, seems to have deliberately inserted security flaws in both the Hidden Tear and EDA2 to sabotage cyber criminals using the proof-of-concept ransomware.
The Sen’s plan worked with the Hidden Tear allowing the recovery of the file encrypted by the Linux.Encoder and Cryptear.B ransomware, meanwhile failed with EDA2.
The developer also inserted vulnerabilities in the EDA2’s control script in order to retrieve decryption keys allowing victims to restore their files.
The keys are then published online giving the opportunity to the victims to restore their files by using the Hidden Tear Decryptor.
Other educational ransomware developed by the Hidden Tear are Magic, Linux.Encoder, and Cryptear.B, all these threats were deliberately affected by a flaw that allows researchers easily to decrypt documents.
Malware targeting Steam accounts, a growing business
16.3.2016 Virus
Security expert published an interesting analysis of malware targeting the Steam gaming platform and evolution of threats through the last few years.
It is emergency, malware targeting the Steam accounts are increasing as never before over the last months. The popular gaming platform is a privileged target for cyber criminals, Steam is owned by Valve and account for nearly 140 million users. The company estimates that nearly 77,000 accounts are hijacked and pillaged each month.
“We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.” states the company in a blog post.
The security expert at Kaspersky Lab, Santiago Pontiroli, and Bart P, an independent security researcher, published an interesting analysis of malware targeting the Steam gaming platform and evolution of threats through the last few years.
In the recent months, the researchers observed a spike in the infections caused by a data stealer specifically designed to target the accounts on the gaming platform, dubbed Steam Stealer.
Steam Stealer first appeared on a forum in the Russian underground, it is advertised as a customizable threat that is offered for sale with upgrades and manuals.
“Adding new features is simple. The average developer just needs to select their favorite programming language and know just enough about Steam’s client design and protocol. There are many APIs and libraries available that interface seamlessly with the Steam platform, significantly reducing the effort required.” states the analysis.
The crooks use to spread the Steam stealer malware via bogus websites or sending direct messages to victims.
Steam stealer is very cheap, the cost of a build ranges from $3 and goes up to $30 USD, some sellers offer it as a malware-as-a-service tools.
“However, when it comes to these types of malicious campaigns we usually see prices starting in the range of $500 dollars (taking as a reference earlier ransomware-as-a-service markets).” explained Pontiroli and Bart P.
The researchers noticed a significant difference in the way criminals dropped the malware over the time. In the past they served the malware on users via URL shortening services, cloud storage services like Dropbox and Google Docs, and phony game servers and fake voice software sites. Recently attackers started using fake Chrome extensions and gambling sites.
A short rundown of past trends:
Use of obfuscators to make analysis and detection harder.
Use of file extensions hidden by default by Windows (fake ‘screensaver’ files).
Use of NetSupport added (providing remote access to the attacker).
Use of fake TeamSpeak servers.
Use of automatic Captcha bypass (DeathByCaptcha and others).
Use of fake game servers (Counter-Strike: Global Offensive most notably).
Use of Pastebin to fetch the actual Steam Stealer.
Use of fake screenshot sites impersonating Imgur, LightShot or SavePic.
Use of fake voice software impersonating TeamSpeak, RazerComms and others.
Use of URL shortening services like bit.ly.
Use of Dropbox, Google Docs, Copy.com and others to host the malware.
Current trends are as follows:
Use of fake Chrome extensions or JavaScript, scamming via gambling websites.
Use of fake gambling sites, including fake deposit bots.
Use of AutoIT wrappers to make analysis and detection harder.
Use of RATs (Remote Access Trojans) such as NanoCore or DarkComet.
The experts explained that there are counter-measure that the Valve’s Steam has implemented to prevent attacks on its accounts including:
Two-factor authentication either by email or mobile application.
Blocking URL’s throughout Steam.
Nickname censorship (Steam/Valve).
Captcha on trades (briefly), and then bypassed.
Limited accounts introduced.
Steam e-mail confirmations for utilizing the market and trading items.
Verifying e-mail address.
$5 USD purchase to combat ‘free abuse’ accounts (expanded on limited accounts).
Information about who you are trading with (record).
Market will become blocked when logging in from new devices, changing your profile password etc.
Steam mobile trade confirmations.
Steam account recovery via phone number.
Restrict chat from users who do not share a friends, game server, or multi-user chat relationship with you.
More restrictive block referral of spam and scam sites.
Trade hold duration (15 days).
The experts explained that Steam implemented the above measured as a deterrent.
“We have listed all the options Steam offers users to protect their accounts. Remember that cybercriminals aim for numbers and if it’s too much trouble they’ll move on to the next target. Follow these simple recommendations and you will avoid becoming the low hanging fruit.”
No doubt, the number of attacks against the platform will continue to increase despite the effort spent by the company.
Dear Donald Trump Anonymous plans to destroy your campaign starting April 1
16.3.2016 Hacking
Anonymous has declared war on Donald Trump, the hacking collective will start a new powerful campaign starting April 1.
The hacktivists have already expressed their disappointment on the presidential candidate’s controversial campaign rhetoric that resulted in a series of a series of attacks.
The attack against Trump started in 2015 when Anonymous defaced the website Trump.com with a tribute to Jon Stewart.
“Mr Stewart, we at @TelecomixCanada would like to take this opportunity to thank you for the many happy years of quality journalism and entertainment you and your team have undertaken at Comedy Central,” reads a letter on Trump’s site.
In December, the reprisal became more intense following the Donald Trump’s call for a sweeping ban on Muslims entering the United States soil. Trump’s declaration raised the protest around the world from politicians, hacktivists, to ordinary citizens.
anonymous Donald Trump 2
Anonymous has joint in the protest, declaring war against the presidential candidate, the hackers published a video message announced their operation against the campaign of the US billionaire.
“Donald Trump, it has come to our attention that you want to ban all Muslims to enter the United States. This policy is going to have a huge impact. This is what ISIS wants. The more Muslims feel sad, the more ISIS feels that they can recruit them. Donald Trump, think twice before you speak anything. You have been warned, Donald Trump.” states the Video Message.
The group officially launched the #OpTrump hacking campaign against Donald Trump, a DDoS attack hit the website for New York City’s Trump Towers and the website remained offline for hours.
Now Anonymous has announced a new initiative against Donald Trump and his campaign, the collective plans to coordinate a series of attacks on its websites starting April 1.
The group announced its re-engagement of “OpTrump” in a video message, the collective wants to synchronize the efforts of the numerous collectives against Donald Trump and his electioneering organization.
The Anonymous spokesman in the video motivated the planned attacks as a response to the Donald Trump’s “appalling actions and ideas” in conducting the presidential campaign.
“We have been watching you for a long time and what we’ve seen is deeply disturbing. You don’t stand for anything but your personal greed and power.”
“This is a call to arms. Shut down his websites, research and expose what he doesn’t want the public to know. We need you to dismantle his campaign and sabotage his brand.”“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.
“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.
Of course, Trump is aware that is a target and hired experts to protect his campaign.
We have to consider that today Internet is the privileged instrument of politicians and any kind of interference with online activities of the candidates could have unpredictable effects on the final voters’ decision.
A couple of weeks ago, alleged members of the Anonymous group hacked the Donald Trump ‘s voicemails. Journalist at Gawker received an email by the hackers containing recordings from Donald Trump ‘s voicemail inbox.
Let’s see what will happen.
Several Top websites as BBC, New York Times AOL, MSN and others victims of malvertising
16.3.2016 Virus
Security experts from various firms have discovered a malvertising campaign that has been placing malicious ads on very popular websites like BBC and NYT.
As the title says, a number of popular websites, including The New York Times, BBC, The Hill, Newsweek, AOL, MSN, and several others, were victims of a malvertising campaign.
The attack hijacked the ad network from each of these websites, crooks used the Angler Exploit Kit to deliver Ransomware to the people visiting these websites.
Investigations conducted by experts at Trustwave, Trend Micro, and Malwarebytes reported a spike in malicious traffic over the weekend.
There is no clue if this was part of a larger coordinated effort, but the conclusion is that whoever did this, knew exactly what they were doing.
“We have just discovered an advertising campaign that has been placing malicious advertisements on very popular websites both in the US and internationally. “answers.com” (Alexa rank 420 Global and 155 in the US), “zerohedge.com” (Ranked 986 in the US) and “infolinks.com” (Ranked 4,649 Internationally) are only some of the big names that were recently found redirecting visitors to the Angler exploit kit through a malicious advertising campaign, and though malicious advertising has become part of our daily lives in the world of web security, this story is a little different.” states a blog post published by Trustwave.
“These days we’re practically used to the “standard” Malvertising campaigns where the placement of malicious advertisements on known ad provider networks leads potential victims to an exploit kits’ landing page.” Continues the post.
According to the experts at Trustwave, an experienced actor exploited an expired domain of a small but probably legitimate advertising company to launch the attack.
“This provides them with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK.” continues the post
Trend Micro reported that the attacks based on the Agler exploit kit increased in a significant way since March 9.
The innovation, in this case, was that crooks used recently expired domain as part of their campaign. By acquiring a recently expired domain, the threat actors are able to bypass some checks because the traffic appears as legit.
Malwarebytes connected the registration of two rogue domains to the attacks relaying on the Angler Exploit kit that hit during the week the visitors of the New York Times, MSN, BBC, AOL, The Hill, Newsweek, NFL.com, the Xfinity customer portal (my.xfinity.com), Realtor.com, and The Weather Channel.
They also explain very well, in an image what happens, when a user accesses one of this targeted websites, in this case assuming that DailyMail.com ads were compromised:
Crooks have chosen Ransomware to infect the victims because it offers a fast way to cash out the efforts.
As more and more variants of Ransomware appear, and since there are no costs once they pay the initial fee, we will keep see a rise in Ransomware during this year.
Please if you want to get more details feel free to access Malwarebytes page, TrendMicro, and Trustwave.
After Apple, WhatsApp Under Fire from US Govt Over Encryption
15.3.2016 Apple
Before winding up the dispute of Apple and FBI over encryption, another buzz on the Whatsapp Snooping is now the hot debate on the court bench.
In the wake of WhatsApp's move to offer end-to-end encryption to text messages as well as VoIP calls made through its app, federal authorities have not been able to execute wiretapping warrants on WhatsApp users.
Though the US Department of Justice was discussing how to proceed with a continuing criminal investigation, the government is considering legal proceedings similar to those involved with Apple.
According to the New York Times, as recently as this past week, a federal judge had approved a wiretap in a criminal investigation, but WhatsApp's encryption hindered investigators.
Since any court officials have not made a final decision, the Department of Justice is very keen to drag Whatsapp into the Encryption fight war zone similar to the ongoing San Bernardino case.
In San Bernardino case, the DoJ was granted a court order to force Apple to create a special version of iOS that could defeat the encryption on a seized iPhone 5C belongs to one of the dead terrorists named Syed Rizwan Farook.
Apple has vowed both publicly as well as in court papers to fight the court order as intensely as possible, citing security concerns, but the battle between Apple and the FBI is not ending anytime soon.
Why was WhatsApp not Targeted Before?
When Whatsapp was launched in January 2010 by Brian Acton and Jan Koum, it did not initially concern about any privacy features. So there were no opinions to implement cryptographic services at that time.
This relieved the Department of Justice and federal agencies as they could see a clear pathway for snooping WhatsApp users without any legalities.
WhatsApp, now owned by Facebook, had also been criticized before for not adopting a reliable end-to-end communication that secures its user's privacy.
Whatsapp Filled the Security Holes in its Communication
Soon after the tremendous growth of Whatsapp, Facebook acquired the popular messaging service for $19 Billion in February 2014 and WhatsApp partnered with Open Whisper system and developed an end-to-end communication two years back.
This development thwarted DoJ officials and others federal authorities from eavesdropping WhatsApp users' communications for snooping purposes.
Currently, Whatsapp is not involved in any of the criminal cases prevailing in the court, except a Brazilian drug trafficking case, but still court officials debate to foresee the chance of this widely used app adoption by criminals shortly for coordinated attacks.
Obsolete Order Remains Ineffective
As noted by the Times, Wiretap order from the federal judges could not penetrate the end-to-end encrypted communication, as these were used as a valuable investigative tool in the olden time, when people used landline phones that were easy to tap.
Over the past year, WhatsApp has been upgrading encryption for its messages and VOIP calls. All WhatsApp messages sent between Android devices are end to end encrypted since past two years, and between iOS devices since last year.
This simply means that neither WhatsApp nor even its parent company Facebook can access their users' contents in plaintext, making it impossible for DoJ as well to read or eavesdrop, even with a court's wiretap order.
So, this is the time to scrap such orders from the United States Federal Laws.
However, the government has always seemed to enforce such laws on companies that provide privacy protections to its customers.
Recently, a Brazilian Facebook executive was arrested for the company's failure to comply with a federal court order to turn over WhatsApp data.
Apple is also fighting one such court order with the Federal Bureau of Investigation (FBI).
What if the FBI wins the Case?
If Apple is going to head node a "Yes" to the FBI officials, there will be no way out for the users to secure their privacy and the feds will force Apple to unlock more iPhones.
Moreover, if Apple turns to agree, the Federal officials would next dismantle the Whatsapp privacy by enforcing such laws.
As a result, again new apps would mushroom in the digital world which quotes "Security and Privacy" in their products and would again end up in the melodrama of Federal Officials.
Slowly, this would vanish the privacy of netizens and adversely affect the businesses, customers as well as the US government who rely on strong encryption to help protect their information from hackers, identity thieves and foreign cyber attacks.
Moreover federal officials do not realize the fact that their data would also be open for snooping, even if they issue any private "No-Trace" agreements with any agency.
So let's see if any privacy concern movement is being made against Whatsapp or any other tech giant that ensures its users security and privacy in near future.
Fujitsu targets payment industry with PalmSecure Technology
15.3.2016 Security
Fujitsu has announced plans to launch its digital payment system PalmSecure Technology in Europe that is a security solution for biometric identification
Fujitsu has announced plans to launch its digital payment system PalmSecure in Europe that is a security solution for biometric identification, which is offering the perfect user authentication for payment scenarios. It operates touchless, highly reliable, hygienic, and super-fast. The biometric authentication based on Palm vein recognition takes less than one second and can definitely enter the next level of payments soon.
Cash could well be a thing of the past in the not-so-distant future and it is becoming clearly obvious that the time, where Credit cards and pin codes have been used for payments has come to an that means more innovative and highly secure solutions are entering the banking technology. In the UK, 59% of consumers have made a purchase through a smart device, and 12% are more likely to make a purchase using their smartphone than they were 12 months ago. And with more and more people interested in mobile and digital payments, brands are racing to create ever-more secure ways to pay. As a case in point, MasterCard has created a secure way to pay that allows users to identify themselves using a selfie taken on their smartphone.
Fujitsu has announced plans to roll out its digital payment system PalmSecure in Europe that is a security solution for biometric identification, which is offering the perfect user authentication for payment scenarios. It operates touchless, hygienic, highly reliable and super-fast. The biometric authentication based on Palm vein recognition takes less than 1 second and can definitely enter the next level of payments soon.
The PalmSecure sensor captures more than five million reference points from someone’s palm-vein pattern to confirm their identity and allows them to pay for goods by just touching one of its sensors – no cash or credit cards needed here. The image capture and matching processes work without the need to touch the sensor’s surface, making it very hygienic. A person’s palm vein pattern remains the same throughout their life. Every palm-vein pattern is also unique. Individuals have different patterns in their left and their right hands, and even twins have different patterns. The palm vein device works by capturing a person’s vein pattern image while radiating it with near-infrared rays. The deoxidized haemoglobin in the palm vein absorbs these rays, thereby reducing the reflection rate and causing the veins to appear as a black pattern. This vein pattern is then verified against a pre-registered pattern to authenticate the individual.
In the graph below, Fujitsu compares some of the most common technologies by the criteria “accuracy” and “practicality”.
The following table ranks biometric methods on their False Acceptance Rate (FAR) and False Rejection Rate (FRR). These indicators define the security level of a biometric system (FAR) and the usability of a biometric system (FRR).
The way that people pay is changing; technology is advancing to a level that people might not have to carry credit cards ever again, let alone cash. Brands should be keeping abreast of these technological changes and consumers’ increasing interest in the quickest and easiest way for them to pay; after all the easier it is for people to buy, the more they will.
Crooks expoit Oman websites in typosquatting attacks
15.3.2016 Hacking
According to experts at EndPoint security firm, crooks are buying many .om domains to carry on typosquatting attacks.
Crooks are buying many .om domains to carry on typosquatting attacks. According to experts at EndPoint security firm, crooks are buying many .om domains with the purpose to fool clumsy users that mistype .om instead of .com .
Security researchers say that the .om domain from the country Oman are being exploited in typosquatting attacks and that more than 300 domains were bought and are using US company names, like Citibank, Dell, Macys and Gmail.
“Our research revealed that there is at least one major .om typosquatting campaign targeting many of the world’s largest organizations. It has already targeted over 300 well-known organizations, including Netflix, and given the spike in activity in February, is likely to only attempt to expand its reach in March.” states the blog post published by the security firm.
Mac OS X users are being targeted to be fooled by the typosquatting campaign and trick them to install malware, when they mistype a website and end up in a page where a fake Adobe Flash update pops up, and the user is tempted to install “flash” update, but in fact its installing the Genieo, an advertising component.
“[the victim] mistyped the domain “www.netflix.com” as “netflix.om” in his browser, accidentally dropping the “c” in “.com”. He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist. Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully.” continues the the post. “His browser was immediately redirected several times, and eventually landed on a “Flash Updater” page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups. “
Genieo is an adware / malware that usually poses as an Adobe Flash update, as a said previously, once the person clicks on it, it will drop an OS X DMG container. Once clicked on the DMG file, Genieo will install an extension in various supported browsers.
In the case of a Windows, user who visits one of the websites used by typosquatters , they will be redirect to an ad network where they are inundate with ads, like surveys, free electronics, antivirus products, and so on, all leading the user to download and execute something.
“Destination web pages will almost assuredly be riddled with advertisements, surveys to complete for free electronics, or scareware tactics to entice users to download and execute an antivirus suite that leads to further headaches and intrusive advertising,” Dufresne from Endgame told to Threatpost:
“We haven’t seen this escalate beyond typosquatters pushing the well-known Genieo malware and ad networks,”
“But given the volumes of misdirected traffic to .om, this could be used as an effective tool to distribute much more serious threats,”
In the investigation conducted by Endgame, 334 .om sites were analyzed, and looking to the registration pattern, 15 different hosting providers were used and many of the websites are hosted in providers located in New Jersey.
“Very unsurprisingly, the software stack on these servers was uniform,” said Duffresne, and he also added that many of the servers behind the domains have unpatched vulnerabilities meaning that they could allow remote access:
“These hosts could easily be exploited by other actors to serve up alternate (possibly worse) malicious content than what’s currently being served,”
The problem is that .om domain is country code top-level domain, also called ccTLD, this means that ccTLDs are not related with an internet corporation for Assigned Names and Numbers and disputes need to be solved by using local laws of Omar.
I strongly suggest you pay attention when typing the URL of a specific website, unfortunately, a great number of .om websites are already used by crooks for illegal activities.
If you are interested of the entire list of suspicious domains give a look here.
Here's How Hackers Stole $80 Million from Bangladesh Bank
15.3.2016 Hacking
The recent cyber attack on Bangladesh's central bank that let hackers stole over $80 Million from the institutes' Federal Reserve bank account was reportedly caused due to the Malware installed on the Bank's computer systems.
Few days ago, reports emerged of a group of unknown hackers that broke into Bangladesh's central bank, obtained credentials needed for payment transfers from Federal Reserve Bank of New York and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka.
The criminal group was able to steal a total value of about $81 Million from the Federal Reserve's Bangladesh account through a series of fraudulent transactions, but a typo in some transaction prevented a further $850 Million Heist.
However, the question was still there:
How the Hackers managed to transfer $80 Million without leaving any Trace?
Security researchers from FireEye's Mandiant forensics are helping the Dhaka investigators to investigate the cyber heist.
Investigators believe unknown hackers installed some type of malware in the Bangladesh central bank's computer systems few weeks before the heist and watched how to withdraw money from its United States account, Reuters reports.
Although the malware type has not been identified, the malicious software likely included spying programs that let the group learn how money was processed, sent and received.
The malware in question could be a potential Remote Access Trojan (RAT) or a similar form of spyware that gave attackers the ability to gain remote control of the bank's computer.
The investigators suspect the hack could have exploited a "zero-day" flaw as they are unknown to vendors as well.
After this, the hackers were able to steal the Bangladesh Bank's credentials for the SWIFT messaging system, a highly secure financial messaging system utilized by banks worldwide to communicate with each other.
"SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank," Belgium-based SWIFT said in a statement Friday. "SWIFT's core messaging services were not impacted by the issue and continued to work as normal."
Security experts hope that the malware sample will be made available to the security researchers soon so that they can determine whether the sample was truly advanced, or if Bangladesh Central Bank's security protection was not robust enough to prevent the hack.
The Bangladesh Bank discovered weaknesses in its systems, which could take years to repair the issues though the Federal bank has denied any system compromise.
The DoJ threatens to force Apple to hand over iOS source code
15.3.2016 iOS
DOJ released a brief filing that threatens to force Apple to hand over the iOS source code if it will not help FBI in unlocKing the San Bernardino shooter’s iPhone.
The battle between Apple and the FBI is going on while the debate on the case is monopolizing the media. Last news in order of time is the warning issued by the Department of Justice (DoJ), the US authorities may force Apple for handing over the source code to the complete iOS operating system if it does not support the FBI unlock the San Bernardino shooter’s iPhone.
The position of Apple seems to be immovable, the CEO Tim Cook has declared that the company will refuse to help the FBI to protect its users. The idea to introduce a backdoor into its system is not feasible because could open the users to many other threat actors.
“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand,” he wrote in a message to Apple customers..
“We feel we must speak up in the face of what we see as an overreach by the US government,” “Up to this point, we have done everything that is both within our power and within the law to help them. But now the US government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone,” he wrote.
“Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation.”
“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals,” he wrote.
“The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe. We can find no precedent for an American company being forced to expose its customers to a greater risk of attack.”
It response the-the DOJ released a 43-page brief filing that threatens to force Apple to hand over the iOS source code if the company will continue refusing to create a backdoored version of its iOS operating system.
The company could be forced by the FBI to hand over the iOS Source Code and the Electronic Signature iPhones that could allow the execution of modified software specifically designed by the FBI to bypass security measures implemented by the IT giant.
“Apple’s Assistance Is Necessary Without Apple’s assistance, the government cannot carry out the search of Farook’s iPhone authorized by the search warrant. Apple has ensured that its assistance is necessary by requiring its electronic signature to run any program on the iPhone. Even if the Court ordered Apple to provide the government with Apple’s cryptographic keys and source code, Apple itself has implied that the government could not disable the requisite features because it “would have insufficient knowledge of Apple’s software and design protocols to be effective.”” states the document.
“For the reasons discussed above, the FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers.”
The situation is paradoxical if we read the statement of the Polk County Sheriff Grady Judd, which told journalists that he would have arrested Tim Cook for not helping the FBI to unlock the San Bernardino shooter’s iPhone.
The Apple’s lawyer Bruce Sewell expressed his position on the filling that contains requests not acceptable and defame the company.
“We help when we’re asked to. We’re honest about what we can and cannot do. Let’s at least treat one another with respect and get this case before the American people in a responsible way. We are going before court to exercise our legal rights. Everyone should beware because it seems like disagreeing with the Department of Justice means you must be evil and anti-American. Nothing could be further from the truth.” Sewell said in a statement.
The GM Bot v2 released after source leak, it is more expensive of v2
15.3.2016 BotNet
After the source code of the Android banking Trojan GM Bot was leaked online, the new version GM Bot v2 was offered for sale.
The availability of the source code of a malware in the criminal underground represents a great opportunity for crooks that can customize the threat allowing its evolution in an unpredictable way.
After the source code of the Android banking Trojan GM Bot was leaked online, a new version of the threat appeared in the wild.
In February, the experts at IBM X-Force threat intelligence discovered the source code for Android malware GM Bot was leaked on an underground. The source code was leaked in December 2015, it includes the bot component and the control panel.
Of course, the code rapidly spread within the criminal ecosystem, it now that is available online for free malware developers started to work on it.
GM Bot appeared in the wild in 2014, when the authors were offering it in the Russian underground as a powerful instrument for mobile phishing.
android malware GM Bot v2
The malware implements a number of features to target Android users, including intercepting SMS messages. The malware allows attackers to gain control of the targeted device, including the customization of fake screens.
In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:
They launch fake overlay windows that mimic bank applications to steal user credentials and payment card details.
They control the device’s SMS relay to eavesdrop, intercept and send out SMS messages.
They can forward phone calls to a remote attacker.
They have spyware features and can control the device via remote commands.
The original creator of the Android malware sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations that are offering it for $5000.
Other variants of GM Bot are known as MazarBot, SlemBunk, Bankosy, Acecard and Slempo.
The new GM Bot v2 variant, which is currently in a testing phase, was developed from scratch by the original developer using the moniker “GanjaMan.”
“After news from IBM X-Force about the leak of Android malware GM Bot’s source code, the author of GM Bot released a second version of the malware. News of v2 came from the official GM Bot developer and vendor, a user going by the alias GanjaMan in venues where the malware is sold.” wrote Limor Kessem, cybersecurity evangelist at IBM.
“According to an underground forum post authored by GM Bot’s vendor, it took six months’ worth of work for this updated version of GM Bot. GanjaMan adds that v2 was “written from scratch,” perhaps in order to emphasize that it does not use the previous version’s code, which was recently leaked by one of its dubious customers.”
According to the experts at the IBM Security, GanjaMan explained that GM Bot v2 includes three different Android exploits that can be used to infect mobile devices. The exploits have been already fixed by Google, so it is likely GanjaMan will add other exploits in the coming variants.
The developer announced also significant improvements for the malware, including rootkit features and the use of the Tor communication channel.
The new GM Bot v2 variant that includes all the available packages and exploits costs $15,000 and an additional $2,000 monthly rental fee that must be paid starting with the second month of use.
Cybercriminals can decide to not pay for the exploits, in this case GM Bot v2 goes for $8,000 and a $1,200 monthly rental fee.
“Judging by past cases of underground malware vendors, the monthly rental fees are most likely technical support fees. Trojan vendors have been known to run into debilitating operational issues as a result of having to provide support to their buyers without getting paid for the extra time spent on resolving issues, bugs and technical questions. The monthly fee concept helps the developers hire tech support agents to handle requests while they continue to develop and sell the malware,” continues Kessem.
GanjaMan is also searching for peers pay-per-install accomplices and cybercriminals who can help with directing Web traffic in countries his buyers would be interested in targeting.
Stay Tuned.
Microsoft Quietly Stops Accepting Bitcoin in Windows Store
14.3.2016 Safety
Microsoft reckoned Bitcoin was the future of payment system and added it as a payment option for Windows store at the end of 2014, but the company has silently pulled support for Bitcoin in the Windows 10 Store.
In November 2014, Microsoft struck a deal with third-party bitcoin payment processor 'Bitpay' that allowed people to use Bitcoin to purchase Microsoft’s products and services from Windows Stores.
However, Microsoft quietly updated the Windows Store FAQ that popped up "Microsoft Store doesn't accept Bitcoin."
The end of support for Bitcoin payments only applies to Windows 10 and Windows 10 Mobile stores.
"Microsoft Store doesn't accept Bitcoin. You can no longer redeem Bitcoin into your Microsoft account," the update reads. "Existing balances in your account will still be available for purchases from Microsoft Store, but can't be refunded."
In short, you can make use of an existing balance in your account to buy your choice of apps from Windows store, but you can not add more Bitcoins or get a refund of your remaining balance.
So, you like it or not, from now on, you will have to use conventional money when buying apps or products from Windows 10 and Windows 10 Mobile stores.
Microsoft has not explained the sudden change in its policy. Bitpay is still operating, which indicates that there is no sour relationship between the company and Bitpay.
Microsoft's change of mind could be due to less number of people buying with virtual cash that gave the company no reason to continue keeping Bitcoin as a supported digital currency.
An official statement from Microsoft is not yet available, so let us wait what the company says about this sudden change.
FBI threatens to Force Apple to Hand Over iOS Source Code
14.3.2016 iOS
The Department of Justice (DoJ) has warned Apple that it may force the tech giant for handing over the source code to the complete operating system if it does not help the Federal Bureau of Investigation (FBI) unlock the San Bernardino shooter's iPhone.
Apple is battling with the FBI over iPhone encryption case. The federal investigators needs Apple's assistance to unlock an iPhone 5C belonging to San Bernardino shooter Syed Rizwan Farook.
However, Apple CEO Tim Cook has said explicitly that providing a backdoor would likely open up the company's iPhones to not just the federal agents, but also to malicious hackers who could use it for evil purposes.
On Thursday, Apple and the FBI head to another court hearing on the San Bernardino iPhone case.
The DOJ's latest 43-page brief filing contains an implicit threat that if Apple does not create the vulnerable version of its iOS operating system needed to bypass the passcode protection on the terrorist iPhone 5C, the government could force the tech giant to hand over both:
Source Code to iOS
Electronic Signature iPhones need to run modified software
...so that the FBI's own programmers could create its own backdoored version of iOS with the security features stripped out and then stamped it with Apple's electronic signature.
The DOJ filing reads in part:
"For the reasons discussed above, the FBI cannot itself modify the software on Farook's iPhone without access to the source code and Apple's private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers."
The DoJ then goes on to cite a previous court ruling in which Ladar Levison – the owner of the secure email service Lavabit used by whistleblower Edward Snowden – was hit with contempt sanctions for failing to comply with a court order requiring assistance on encrypted email which included "producing a private SSL encryption key."
Meanwhile, Polk County Sheriff Grady Judd told reporters that he would have jailed the CEO of Apple for not assisting the FBI to unlock the terrorist's iPhone.
Needless to say, Apple's top lawyer Bruce Sewell categorized the filling as an offensive attempt to "vilify Apple" on unsubstantiated theories with "false accusations and innuendo."
"Everyone should beware, because it seems like disagreeing with the Department of Justice means you must be evil and anti-American," Sewell said in a statement. "Nothing could be further from the truth."
Both sides are playing too hard, in both the legal battle as well as rhetoric. The DOJ yesterday accused Apple of being "false" and "corrosive" and Apple responded by accusing the government to become "so desperate at this point that it has thrown all decorum to the wind."
Now, let's see where this battle ends.
Anti-DDoS Firm Staminus HACKED! Customers Data Leaked
14.3.2016 Hacking
Staminus Communications – a California-based hosting and DDoS (Distributed Denial of Service) protection company – is recovering a massive data breach after hackers broke down into its servers and leaked personal and sensitive details of its customers.
Though the company acknowledged that there was a problem in a message posted to Twitter on Thursday morning, it did not specify a data breach.
Staminus's website went offline at 8 am Eastern Time on Thursday, and on Friday afternoon, a representative said in a Twitter post that "a rare event cascaded across multiple routers in a system-wide event, making our backbone unavailable."
What type of information?
The dump of information on Staminus' systems includes:
Customer usernames
Hashed passwords
E-mail addresses
Customer real names
Customer credit card data in plain text
Customer support tickets
Server logs data
Chat logs
Source code of some of the company's services including Intreppid
Staminus' main database
Database of one of Staminus' clients, the Ku Klux Klan (KKK)
The data was posted on the Internet Friday morning, and some Staminus customers who wish to remain anonymous confirmed that their data was part of the leaked data dump.
However, the company says it does not store or collect its customers' Social Security numbers (SSNs) or tax IDs, so they are safe from the data breach.
What happened?
The Staminus data breach occurred after hackers infiltrated the company's server backbone, seized control of Staminus' routers and then reset them to factory settings, which effectively brought down the company's entire network.
The hackers also stole the company's database and dumped it online. Links to downloads of the internal Staminus data were published in a file sarcastically headlined, "TIPS WHEN RUNNING A SECURITY COMPANY," detailing the security holes (given below) found during the data breach:
Use one root password for all the boxes
Expose PDU's [power distribution units in server racks] to WAN with telnet auth
Never patch, upgrade or audit the stack
Disregard PDO [PHP Data Objects] as inconvenient
Hedge entire business on security theatre
Store full credit card info in plaintext
Write all code with wreckless abandon
How many customers affected?
Although the total number of victims has not been known yet, Forbes reported that the data breach included at least 15 gigabytes worth of data belonging to Staminus.
Security researcher Nathan Malcolm from Sinthetic Labs told the publication that he analysed the data dump and found unencrypted credit card numbers, expiry dates and CVVs for as many as 1,971 Staminus customers.
What was the motive for the breach?
Potential motives for hacking Staminus are quite easy to figure out.
Staminus' clients include the white supremacist group Ku Klux Klan (www.kkk.com). The company also hosts several IRC (Internet Relay Chat) channels for large-scale DDoS attack services, Krebs noted.
What was the company's response?
Staminus CEO Matt Mahvi published the following statement on the Staminus website (which again went offline), confirming the data breach.
"We can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.
Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.
While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password."
Staminus' website came back online and believed to be wiped clean, but at the time of writing the website is still unavailable.
What victims should do?
Staminus customers are recommended to review their credit card statements carefully and to report any unauthorized bank transactions.
Meanwhile, Staminus has also advised its customers to reset all their account passwords once the service is fully operational once again.
Florida Sheriff threatens to Arrest 'Rascal' Tim Cook if He Doesn't Unlock the iPhone
14.3.2016 Apple
The legal battle between Apple and the Federal Bureau of Investigation (FBI) is turning ugly with each passing day.
Apple is fighting with the federal authorities over iPhone encryption case. The Federal Bureau of Investigation (FBI) requires Apple’s assistance to unlock an iPhone 5C belonging to San Bernardino shooter Syed Rizwan Farook.
Apple CEO Tim Cook has said explicitly that providing a backdoor would likely open up the company’s iPhones to not just the federal agents, but also to malicious hackers who could use it for evil purposes.
Now the Apple's decision not to comply with the court order has provoked a Florida sheriff, who has threatened to arrest Tim Cook if he gets the chance.
Sheriff Vows: I'll Lock the Rascal up.
During a Wednesday press conference, when Polk County Sheriff Grady Judd was asked about Cook's refusal to help create a custom operating system that would assist the FBI to circumvent security measures on terrorist iPhone 5C, he told reporters that Cook required knowing he's not above the law.
Here's what Judd said about Apple Vs. FBI case:
"You can't create a business model to go, 'We are not paying attention to the federal judge or the state judge. You see, we are above the law,'" said Judd quoted by FOX 13. "The CEO of Apple needs to know he's not above the law, and neither is anybody else in the United States."
Judd comments came while discussing a recent murder case where the suspects took photos of the victim on their phones. He said that the case was made easier by the brothers' decision to show those photographs.
Though the murder case Judd was discussing involved neither an iPhone nor a phone hacking, he noted that if he were to deal with locked iPhones in the future, he would put Cook behind bars under a contempt of court order.
"I can tell you, the first time we do have trouble getting into a cell phone, we're going to seek a court order from Apple," he said. "And when they deny us, I am going to go lock the CEO of Apple up. I'll lock the rascal up."
However, we could not say the sheriff was labeling Tim Cook as Rascal, but he apparently said that if he could get a chance, he might have arrested Cook for not helping authorities with backdoors.
Placing a skimmer on Gas Station Card Scanner in less than 3 seconds
14.3.2016 Incindent
Attack ATM is very simple for criminals, a video released by Miami Beach Police shows two men installing a credit card skimmer in less than 3 seconds.
In October, the CENTRAL MEANS OF PAYMENT ANTIFRAUD OFFICE (UCAMP) of the Italian Ministry of Economy and Finance released the annual report on Payment card frauds.
This year I was one of the experts who worked on the MEF – Annual Report on Payment Card Frauds No. 5/2015, an interesting document full of detailed data on the phenomena of payment card frauds. The document focus on payment card frauds (unrecognized transactions) issued in Italy and used everywhere.
Credit card frauds are a global emergency, ATMs are a privileged target of cyber criminals worldwide, we discussed several times about illegal practices used by crooks to steal credit card data. ATM hacking, ATM malware and also about ATM skimming are the most common type of attack against these machines.
Unfortunately, the attack against an ATM is very simple for criminal organizations, a video recently released by Miami Beach Police shows two men installing a credit card skimmer at a local gas station in less than three seconds.
The video shows how a criminal crew goes into action while the store clerk is serving one customer, which it is actually an accomplice.
The man keeps is face far from the camera, protecting it with a cap while the accomplice tampers with the ATM.
Just three second to completely compromise payment card terminal by attaching a skimmer that allows the crooks to steal credit card data from every customer of the store.
In the specific case, the skimmer was storing the stored card data locally, for this reason, the criminals will return to dismount the device. The most sophisticated gang user skimmers that are able to transfer data via Bluetooth once it has been stolen from the card.
Card data are then offered in the cyber criminal underground or to clone payment cards and use them to purchase items that can be resold quickly, like electronic devices, gift cards and luxury items.
Source – CBS Miami
The theft of credit card data is a particularly worrying phenomenon, especially in the US where the merchants are slightly moving to the EMV standard that is considered more secure because new payment cards will use a built-in chip to authorize the transactions.
Payment card frauds in the U.S. account for nearly 50 percent of global fraud losses, according to the Nilson Report; security experts maintain that the main reason is that the country is the last in the world to implement the EMV (EuroPay, MasterCard, and Visa).
Fortunately, the situation is changing also in the U.S., where the banking consumers are about to benefit from EMV against payment frauds, too.
The deadline for the move to EMV was October 1, 2015, but my merchants are still in delay and in many cases retailers still allow customers to swipe their cards.
Despite the enormous improvement introduced with EMV, we cannot consider it as a complete remediation against card frauds, in particular against “Card-Not-Present” (CNP) frauds.
EMV still doesn’t protect users when dealing with e-commerce or mobile commerce platforms.
“The reality is EMV credit cards cannot prevent PoS RAM Scraper attacks. EMV was developed to prevent credit card counterfeiting and not RAM scraping. If the EMV credit card’s Tracks 1 and 2 data are sent to the PoS system for processing, it will become susceptible to RAM scraper attacks because the decrypted data resides in RAM,” states a blog post published by Trend Micro.
The leader of the Team GhostShell collective revealed his identity
14.3.2016 Hacking
G.Razvan Eugen is a 24 year-old Romanian that claims to be the founder of the collective Team GhostShell that hacked numerous entities worldwide.
Do you remember the notorious Team GhostShell hacking crew?
GhostShell is a group of hacktivists most active in 2012 that targeted systems worldwide, the list of victims is long and includes the FBI, NASA, the Pentagon, and the Russian government.
Three years ago the group launched its last attack, we had no news about the popular hackers since 2015 when the Team GhostShell conducted a number of cyber attacks against various targets, including the Smithsonian photo contest website, The Church of Jesus Christ of Latter-day Saints, Socialblade, and the Exploratorium in San Francisco.
Now the TheNextWeb was approached by a man claiming to be the leader of the popular hacker collective. The man used the name ‘White Fox’ and a generic Yahoo email address.
The moniker White Fox is not new, in 2012, GhostShell Team claimed responsibility for a number of attacks conducted under the operation dubbed #ProjectWhiteFox.
The hackers leaked roughly 1.6 million records and accounts from a wide range of companies operating in different sectors such as aerospace, nanotechnology, banking, law, military, education and government. Below the list of the targets hacked by the hacktivits:
The European Space Agency
NASA’s Engineers: Center for Advanced Engineering
Federal Reserve
The Pentagon
Credit Union National Association (CUNA)
Crestwood Technology Group – CTG123
Bigelow Aerospace
California Manufacturers & Technology Association – CMTA.net
Aerospace Suppliers
World Airport Transfers
General Dynamics Defense Systems – GD-OtsCanada
Zero-Max – Manufacturer of parts
MicroController Shop
Jp Chem eData
Human Security Gateway
NanoConference
Hamamatsu
HMI CronPowder
Defense Contractor for the Pentagon – DPAtitle3
Business Consultancy dealing mostly with military personnel – Drum Cussac
Institute of makers of explosives – IME
Texas Bankers
After a first contact, the journalist Emil Protalinski was added by the man to an email list that included other cyber security journalists from principal online magazines.
Then the man revealed his true identity, his name is G.Razvan Eugen, a 24 year-old Romanian and he claims to be the founder of the Team GhostShell
Eugen demonstrated to be a member of the Team GhostShell by providing evidence of access to the Pastebin account used by the hacking group, the same used by the official GhostShell Twitter account (@TeamGhostBin) to leak stolen data before it was suspended by Twitter.
Eugen also gave information about the private @DeadMellox Twitter account he had been using to communicate for several years and other email accounts he used while was leading the group.
“Overall, we can’t with 100 percent certainty say that Eugen’s claims are correct, and that he is indeed GhostShell, but the case is pretty compelling.” wrote the TNW
“I just want to own up to my actions, face them head on and hope for the best. What I really want is to continue being part of this industry. Cybersecurity is something that I enjoy to the fullest even with all the drama that it brings and legal troubles.
In return I hope other hackers and hacktivists take inspiration from this example and try to better themselves. Just because you’ve explored parts of the internet and protested about things that were important to you doesn’t mean you should be afraid and constantly paranoid of the people around you.” Eugen told to the journalist.
Eugen added that “[other Team GhostShell members] were never directly involved in the main projects/leaks. 99 percent of them are from me.”
The Eugen coming out is very risky, he risks several years in prison … let’s see what will happen.
Hacking mechanic’s workshop to infect cars
14.3.2016 Hacking
Hacking mechanic’s workshop to infect cars, this is the concept behind a new attack technique devised by the hacker Craig Smith.
It might seem far-fetched, it looks like the hacker Craig Smith was able to design a malicious code that could infect computers used in the mechanic’s workworkshop, and these machines can later start infecting other vehicles that are going for service.
Craig Smith is the founder of the Open Garages, a Vehicle Research Labs (VRL) focused around understanding the increasingly complex vehicle systems. He spends a lot of his time, warning car makers that there is a need to open up their software to owners, to allow them to modify their cars, he is also a member of the I Am The Calvary initiative.
During 2015, Craig Smith presented the world a proof-of-concept code that allows an attacker to infect the car with a malware that could be used also to compromise the computers at the repair workshops. Smith continued to work on his own attack and now the malware used in his proof-of concept was improved in terms of machine learning capabilities. The expert claims that now an attacker without a deep knowledge could use the malware and launch successfully attacks.
“These (mechanics) tool have the codes to read and write firmware and if it is compromised by a malicious car it can modify the firmware of other cars that come in afterwards,” Smith told Vulture South at the Nullcon security conference in Goa, India, as reported by El-Reg.
“There are easier ways to compromise a car dealership – shoddy wifi, whatever – but this is the kind of thing that needs to be considered by anyone making these tools.”
How does the malware work?
The malware uses a learning mode, to monitor traffic between the Workshop’s computer and the car, and finds out potential modules. Modules where the diagnosis tool was able to contact with success are in blue, and all the findings are saved to a .ini file, alongside with the captured packets.
“It sorts through all the complex stuff for you and just highlights the packets and as a a researcher that is really useful.”
After the learning mode, the malware can switch to the attack mode, and starts fuzzing the information got in the learning mode,
“Everything is point and click up to this point so if there’s a crash you’re going to have to go and figure out what caused it,”.
Even if many details are missing, we can understand that this proof-of-concept if applied to the real word, can be create a lot of damaged if in the wrong hands.
Car makers need to do a bigger effort in allowing hackers to work with them towards understanding their software, and in my opinion maybe even allowing a restrict group of security professions to have full access to cars maker’s software to assess it and find security vulnerability before black hat do it.
CVE-2013-5838 Java flaw is back two-year later due to broken patch
14.3.2016 Vulnerebility
The patch for the critical Java CVE-2013-5838 vulnerability released by Oracle in 2013 is ineffective and can be easily bypassed.
Bad news for Java users, in 2013 Oracle released a patch to fix the CVE-2013-5838 vulnerability, but security experts discovered that it could be easily bypassed to compromise the latest versions of the software.
This means that attackers can exploit again the same vulnerability hacking machines running the latest versions of Java.
The CVE-2013-5838 was rated by Oracle 9.3 out of 10 because it could be exploited remotely by unauthenticated users to completely compromise a vulnerable system.
Security experts at the Security Explorations firm who originally discovered the flaw confirmed that the Oracle patch for the Java flaw is broken and an attacker can trigger the vulnerability to escape from the Java security sandbox.
“At the end, it’s worth to note that Issue 69 (CVE-2013-5838) was also improperly evaluated by Oracle in terms of a vulnerability impact. Oracle Critical Patch Update from Oct 2013 indicated that Issue 69 could “be exploited only through sandboxed Java Web Start applications and sandboxed Java applets” (Fig. 4).” states a report published by Security Explorations. “This is not true. We proved that Issue 69 could be successfully exploited in a server environment as well such as Google App Engine for Java [2].”
The security patch can be easily bypassed by hackers as demonstrated in a proof-of-concept exploit code released in 2013 by the researchers at Security Explorations.
“According to Oracle, the vulnerability was addressed by a backported (from JDK 8) implementation of the affected component (method handles API) in JDK 7 Update 40 from Sep 2013.” CEO Adam Gowdiak wrote in a message sent to the Full Disclosure security mailing list.
“We however found out that Oracle patch could be trivially bypassed with the use of the following:
– four character change to our original POC code published in Oct 2013,
– a custom HTTP server enforcing “404 (Not Found)” error when requesting a given class for the first time.”
The new PoC exploit code works on the latest available versions of Java, including Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108.
The bad news it that the CVE-2013-5838 flaw could be exploited also to target server environment.
“We verified that it could be successfully exploited in a server environment as well as in Google App Engine for Java,” added Gowdiak.
In a real attack scenario, the attackers would need to find a separate flaw that allows them to run the attack in a stealth mode bypassing the security prompts or to convince users into approving the execution of the exploit code.
There is no information regarding the way Oracle intends to solve the problem, likely by pushing out an emergency patch, otherwise we need to wait until the next quarterly Critical Patch Update, scheduled for April 19.
A new massive spam campaign is spreading Locky ransomware downloaders
13.3.2016 Virus
Experts at Trustwave observed a new massive spam campaign that was sending a JavaScript attachment that downloads Locky ransomware.
Ransomware continues to be among most insidious threats in this first part of the year, security researcher have recently observed a spike in the number of Locky ransomware infections.
The experts from Trustwave security firm highlighted the worrying intensification around this threat.
The security researchers observed a new massive spam campaign serving Locky ransomware downloaders in the form of JavaScript attachments.
According to Trustwave, spam campaign aiming to spread malware has represented 18 percent of total spam in the last weeks, while typically this specific kind of spam represents less than 2 percent of total spam.
The experts linked the increment to the diffusion of ransomware JavaScript downloaders, Trustwave also noticed that the malicious spam was concentrated in bursts.
“Our Spam Research Database saw around 4 million malware spams in the last seven days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps.” states a blog post published by Trustwave. “The graph below shows hourly spam traffic for the malware category for the past 30 days – note the relatively low levels of activity to the left, and huge peaks on the right, representing the ransomware downloader campaigns. As you can see the campaigns are not continuous, but concentrated bursts, with peaks of 200K emails hitting our servers in a single hour.”
The researchers discovered that the Locky ransomware was spread through the same botnet used to spread the Dridex trojan.
“These campaigns are coming from the same botnet responsible for previously spammed documents with malicious macros which downloaded the Dridex trojan. The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware (ransomware).” states the report published by Trustwave.
The threat actors simply changed tactic and malware, in the case os Dridex they used email attachment disguised as an invoice, typically documents embedding malicious macro, the recent Locky ransomware campaign relies on JavaScript attachment that downloads the Locky code.
The Locky ransomware uses AES encryption algorithm to encrypt both local files and files on network shares, even if they are unmapped.
When started, Locky creates and assigns a unique 16 hexadecimal number to the infected machine, then he will scan all drives and unmapped network shares for files to encrypt.
The malware uses the AES encryption algorithm and encrypts only file with extensions matching a certain criteria while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).
The Locky ransomware encrypts files renaming the to [unique_id][identifier].locky, the researchers also discovered that the unique ID and other information are embedded at the end of the encrypted file.
The malware will also delete all of the copies of documents in the Shadow Volume, making impossible to restore files.
“Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page. This page is located at 6dtxgqam4crv6rr6.onion and contains the amount of bitcoins to send as a payment, how to purchase thebitcoins, and the bitcoin address you should send payment to. Once a victim sends payment to the assigned bitcoin address, this page will provide a decrypter that can be used to decrypt their files.” BleepingComputer reports in a blog post.
CISCO warns customers of high-severity flaws in modems and gateways
13.3.2016 Vulnerebility
Cisco released a series of software updates to patch several high severity flaws in its cable modems, residential gateways and security appliances.
Cisco just patched critical vulnerabilities in its cable modems, residential gateways and security appliances.
The security updates released this week fix serious flaws in Cisco residential reported by Kyle Lovett, and Chris Watts from Tech Analysis firm.
Kyle Lovett has found an information disclosure vulnerability (CVE-2016-1325) that allows a remote unauthenticated attacker to access sensitive data on vulnerable CISCO devices (Cisco DPC3941 Wireless Residential Gateway with Digital Voice and the DPC3939B Wireless Residential Voice Gateway).
“A vulnerability in the web-based administration interface of the Cisco Wireless Residential Gateway could allow an unauthenticated, remote attacker to access sensitive information on the affected device. ” states the CISCO advisory. “The vulnerability is caused by improper access restrictions implemented on the affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.”
Chris Watts discovered another a denial-of-service (DoS) flaw (CVE-2016-1326) affecting the Cisco DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway that could be exploited by a remote unauthenticated attacker to cause the device to become unresponsive.
“A vulnerability in the web-based administration interface of Cisco Model DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway with EDVA could allow an unauthenticated, remote attacker to cause the device to become unresponsive and restart, creating a denial of service (DoS) condition.” states the Cadvisory.
Watts also discovered a second remote code execution vulnerability (CVE-2016-1327) in Cable Modem with Digital Voice models DPC2203 and EPC2203 that can be exploited by a remote attacker to trigger a buffer overflow and run execute arbitrary code by sending a specially crafted HTTP request to vulnerable devices.
“A vulnerability in the web server used in the Cisco Cable Modem with Digital Voice Model DPC2203 could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.” states the CAdvisory.
“The vulnerability is due to improper input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.”
CISCO warned its customers also about a DoS vulnerability (CVE-2016-1312) affecting the HTTPS inspection engine of the Cisco ASA Content Security and Control Security Services Module (CSC-SSM). The flaw affects the way the devices handle HTTPS packets, allows a remote unauthenticated attacker to reload affected devices by flooding it with HTTPS packets.
“A vulnerability in the HTTPS inspection engine of the Cisco ASA Content Security and Control Security Services Module (CSC-SSM) could allow an unauthenticated, remote attacker to cause exhaustion of available memory, system instability, and a reload of the affected system. ” reports the advisory.
“The vulnerability is due to improper handling of HTTPS packets transiting through the affected system. An attacker could exploit this vulnerability by sending HTTPS packets through the affected system at high rate. “
If you or your organization uses one of the vulnerable devices affected by the vulnerabilities apply the security updates.
PlugX malware: A good hacker is an apologetic hacker
13.3.2016 Virus
It happens that malware writers and other miscreants in the digital world put messages in their malware. Sometimes they do it just for the “lulz”, sometimes to insult a person who hampers their criminal business, sometimes to deliver information to the guys on the other side who oppose them. We hope the case described in this blogpost falls into the first category, i.e. funny message. At least it seemed funny for us.
Our first research into PlugX was published in 2012 – since then this remote access tool (RAT) has become a well-known instrument used in a series of attacks all over the globe targeting multiple industry verticals. PlugX has been detected in targeted attacks not only against military, government or political organizations but also against more or less ordinary companies. In 2013, we discovered that the Winnti group responsible for attacking companies in the online gaming industry has been using the PlugX remote administration tool since at least May 2012.
This time, looking through some anomalous PlugX samples, we stumbled upon one specimen that had an RC4 encoded resource inside. Actually, it turned out to be a test sample with dummy settings. Luckily, it was quite easy to find the initial builder that generates such samples.
Basically, the builder compiles a handful of different PlugX droppers, including the notorious SFX RAR archives containing the PlugX trinity – a legitimate signed executable susceptible to a DLL side-loading attack, a DLL that is picked up by an executable and the payload file that maintains all the juicy stuff – the PlugX functional library, C2s and other settings.
One such trinity includes Lenovo’s RGB LCD Display Utility for ThinkPad: tplcdclr.exe, wtsapi32.dll (loaded by the application) and the “payload” file wts.chm (loaded by the DLL).
PlugX malware: A good hacker is an apologetic hackerLegitimate executable from the first PlugX trinity
Another set of three includes a signed version of Steve Gibson’s Domain Name System Benchmarking Utility sep_NE.exe, the winmm.dll file, which the application is dependent on, and the “payload” file sep_NE.slf.
PlugX malware: A good hacker is an apologetic hackerLegitimate executable from the second PlugX trinity
But among all the droppers that the builder generates there are two templates posing as executables, with the data maintained usually in a separate “payload” file, embedded in the initial body of the file as a resource.
The “payload” stuff is kept in encrypted form in the file body. After decryption, this stuff looks like one of the usual PlugX “payload” files, those with easily recognizable shellcode at the beginning:
The algorithm used to encrypt the payload resource is RC4. And finally (and this is what impelled us to write this blogpost) – the RC4 key for the resource decryption – “SORRY.i_have_to_do_this“.
Hmm, interesting… That’s not the message one might expect to find in APT malware that has swamped almost every vertical in nearly every corner of the world. There have been investigations into the infamous PlugX developer in the past. We also have found a number of malware families that are related in some way to PlugX and have likely been developed by the same person. All together it seems that this person has been quite busy in generating malware for different Chinese-speaking APT groups for a long time. That’s obviously a job, already work with no room for sentiment. That’s why the text looks inappropriate here. Unless the malware writer was in a playful mood and had put this in for trolling.
There’s a second option that occurs. Since this is a dropper feature, the dropper for the PlugX could have been developed by another person, not the PlugX developer. In an ordinary cybercriminal hierarchy there are, for example, developers of a bot, ransomware, etc. and packers who create wrappers/droppers to try and allow the core malware to evade AV detection.
Probably some other person, who is not yet such a veteran in the Chinese-speaking APT world and still sees the malware writing practice as some sort of game, was just kidding around.
If you use your imagination, we’re sure you’ll be able to come to your own interesting or quirky conclusions as to how that message ended up in these PlugX droppers. In any case, we really hope this was a bit of fun and not a cry for help from some desperate person forced by circumstances to do bad things.
We detect samples generated by the builder and the builder itself with following modifications of the Gulpix family:
Backdoor.Win32.Gulpix.ajp
Backdoor.Win32.Gulpix.ams
Backdoor.Win32.Gulpix.axe
Backdoor.Win32.Gulpix.axf
Backdoor.Win32.Gulpix.axg
Backdoor.Win32.Gulpix.axi
Backdoor.Win32.Gulpix.axj
Backdoor.Win32.Gulpix.axm
Backdoor.Win32.Gulpix.axn
Backdoor.Win32.Gulpix.axo
And two heuristic verdicts:
HEUR:Trojan.Win32.Generic
HEUR:Trojan.Win32.Invader
The builder MD5 hash is e57691e4f220845df27806563c7dca0b.
Legitimate executables included in PlugX trinities mentioned in the blog-post:
ce2ae795117e54ca8403f86e7a3e19a7 – DNS Benchmark Utility;
d9978f95ce30e85943efb52c9c7d731b – Lenovo’s ThinkPad Display Utility tplcdclr.exe.
Reuters – Malware suspected in the Bangladesh central bank heist
13.3.2016 Virus
Investigators suspect the attackers behind the Bangladesh central bank ‘s hack have used a malware to gather information for the Fed’s heist.
One of most intriguing stories this week is the hack of the Bangladesh account at the Federal Reserve Bank of New York.
The Bangladesh’s Finance Minister Abul Maal Abdul Muhith accused the U.S. Federal Reserve of the theft of at least $81 million stolen from the Bangladesh’s account.
The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.
In reality the hackers tried to steal much more, they tried to complete dozens of transfers for an overall amount of $850 million.
What happened?
While investigators are collecting evidence on the alleged hack, security experts made some speculation on the incident. It is likely hackers breached Bangladesh Bank in early February stealing credentials for payment transfers, then they used the credentials to order transfers out of a Federal Reserve Bank of New York account held by Bangladesh Bank.
Anyway it is a complex hack, the attackers had a deep knowledge about Bangladesh Bank’s procedures for ordering transfers, likely they spied on Bangladesh Bank staff to gather the information.
Federal reserve New York hack
According to the Reuters, investigators believe hackers alleged used a malware to infect systems at the Bangladesh central bank. Two bank officials told to the Reuters that the attackers infiltrated the computer systems for weeks gathering information on the internal operation to use in the attack later.
“Investigators suspect that malicious software code, often referred to as malware, which allowed hackers to learn how to withdraw the money could have been installed several weeks before the incident, which took place between Feb. 4 and Feb. 5, said Bangladesh Bank officials briefed on the matter.” reported the Reuters.
The authorities hired the FireEye Inc’s Mandiant forensics division to investigate the cyber heist.
It is likely attackers have stolen the Bangladesh Bank’s credentials for the SWIFT messaging system, a network used by financial institutions and private corporates to authorize transfer financial transactions through a ‘financial message’.
“SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank. SWIFT’s core messaging services were not impacted by the issue and continued to work as normal.” reads a statement issued on Friday by the SWIFT.
The incident could have serious repercussions on the way central banks worldwide operates, they need to review their processes and systems in order to prevent other attacks.
Typos stopped hackers stealing $1bn from Federal Reserve Bangladesh account
13.3.2016 Hacking
Hackers who allegedly infiltrated the Federal Reserve Bangladesh’s account were attempting to steal almost $1 billion, but typos thwarted the plan.
This week the principal news agencies shared the news of the hack of the Bangladesh account at the Federal Reserve Bank of New York.
The Bangladesh’s Finance Minister Abul Maal Abdul Muhith accused the U.S. Federal Reserve of the theft of at least $81 million stolen from the Bangladesh’s account. The Government of the Bangladesh is threatening the US for a legal fight to retrieve the funds, explained Muhith in a press conference held in Dhaka on Tuesday.
The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.
In reality the hackers tried to steal much more, they tried to complete dozens of transfers for an overall amount of $850 million.
The disaster was avoided by accident because the bank’s security systems and typos in some requests allowed the identification of the theft attempts, investigators discovered that hackers failed 35 transfer attempts.
“$81 million was transferred from the Federal Reserve Bank to Filipino accounts while attempts to claim $850 million were foiled by the Federal Reserve Bank’s security system,” Razee Hassan, deputy governor of Bangladesh Bank, told AFP.
“Attempts to transfer money to Sri Lanka by the hackers were foiled as their transfer requests contained typos,” he added.
The hackers exploited gaps in communication between banks at weekends, the operation started on a Friday because the Bangladesh Bank is closed, on the following days, Saturday and Sunday, the Fed Bank in New York was being closed.
Federal reserve New York hack
The choice of the Philippines as the landing country for the bank transfers was not casual, banks were also closed on the Monday due to the Chinese New Year.
While the central bank of Bangladesh is blaming Chinese hackers, the Fed is denying the security breach of security took place.
On Monday, a spokeswoman for the US Federal Reserve Bank of New York confirmed there was no evidence of a security breach, neither that the Bangladesh Bank account had been hacked.
Currently, the US Fed and the Bangladesh Government are still investigating the incident.
The Federal Reserve Bank of New York wrote still continues to deny any evidence of attempts to hack into the Federal Reserve systems:
The Pentagon used military drones for domestic surveillance
13.3.2016 IT
A report published by the DoD Inspector General revealed that military drones have been used for Non-Military domestic Surveillance.
The US Government has admitted the use of drones for operations of domestic surveillance. The US Military clarified that all the operations were authorized by a regular warrant confirming that no legal violations were found.
The news was revealed by the USA Today that obtained it with a Freedom of Information Act request. A report issued by the Inspector General at US DoD states the that less than 20 missions have been flown by military spy drones on non-military missions between 2006 and 2015.
The inspector general analysis was completed March 20, 2015, but the authorities released it recently.
“The Pentagon has deployed drones to spy over U.S. territory for non-military missions over the past decade, but the flights have been rare and lawful, according to a new report” states the USA Today.
The DoD report revealed the Pentagon established interim guidance in 2006 governing when and whether the drones could be used for domestic surveillance missions.
“The interim policy allowed spy drones to be used for homeland defense purposes in the U.S. and to assist civil authorities.” continues the post.
The policy highlights that any use of military drones for civil authorities had to be approved by the Secretary of Defense or someone delegated by the secretary.
The US government won’t disclose the details of non-military spying missions flown by the drones, anyway it has publicly issued a list of nine operations conducted between 2011 and 2016:
“The Pentagon has deployed drones to spy over U.S. territory for non-military missions over the past decade, but the flights have been rare and lawful, according to a new report” states the USA Today.
The DoD report revealed the Pentagon established interim guidance in 2006 governing when and whether the drones could be used for domestic surveillance missions.
“The interim policy allowed spy drones to be used for homeland defense purposes in the U.S. and to assist civil authorities.” continues the post.
The policy highlights that any use of military drones for civil authorities had to be approved by the Secretary of Defense or someone delegated by the secretary.
The US government won’t disclose the details of non-military spying missions flown by the drones, anyway it has publicly issued a list of nine operations conducted between 2011 and 2016:
The US Military seems to have refused to provide the entire archive related to civic requests for the military drone usage for domestic surveillance.
“The report quoted a military law review article that said “the appetite to use them (spy drones) in the domestic environment to collect airborne imagery continues to grow, as does Congressional and media interest in their deployment.”” continues the USA Today.
Source: USA Today
Let’s close reminding that the domestic surveillance with drones is allowed with the explicit authorization by the defense secretary.
The USA today confirmed that shortly before the DoD Inspector General report was completed, the Pentagon issued a new policy governing the use of spy drones. The policy requires the defense secretary to approve every single domestic surveillance mission relying on drones.
The report states the drones “may not conduct surveillance on U.S. persons” and bans the use of armed drones over the United States.
DARPA Improv program, weaponizing the off-the-shelf electronics
13.3.2016 IT
The Defense Advanced Research Projects Agency is launching a new project dubbed Improv that aims to develop new techniques to hack into everyday technology.
The IoT paradigm is enlarging as never before our surface of attack, it is obvious that cyber criminals and nation-state hackers are looking at it with an increasing interest.
The US Military Defense Advanced Research Projects Agency (DARPA) is asking American geeks to develop new techniques to turn everyday IoT objects into cyber weapons.
The DARPA is launching a new project dubbed Improv that aims to develop new techniques to hack into everyday technology.
The DARPA’s intent it to involve researchers, industry vendors, and hobbyists in finding new attack vectors for embedded devices and consumer technology.
IoT technology is being wide adopted in various industries, including transportation, healthcare and home automation. DARPA is particularly interested in off-the-shelf technology that could be abused by malicious attackers to cause damage on a large scale.
The Improv project aims to discover new attack vector targeting “easily purchased, relatively benign technologies.”
“The Defense Advanced Research Projects Agency (DARPA) Improv program is soliciting innovative research proposals for prototype products and systems that have the potential to threaten current military operations, equipment, or personnel and are assembled primarily from commercially available technology.” reads the Synopsis of the Improv program.
“Improv will explore ways to combine or convert commercially available products such as off-the-shelf electronics, components created through rapid prototyping, and open-source code to cost-effectively create sophisticated military technologies and capabilities.” explained the program manager John Main.
“To bring a broad range of perspectives to bear, DARPA is inviting engineers, biologists, information technologists and others from the full spectrum of technical disciplines—including credentialed professionals and skilled hobbyists—to show how easily-accessed hardware, software, processes, and methods might be used to create products or systems that could pose a future threat. “
“Improv is being launched in recognition that strategic surprise can also come from more familiar technologies, adapted and applied in novel ways.”
In the first phase of the Improv program, DARPA will accept submissions from the public on possible attack techniques relying on easily-available technologies.
The DARPA will select most interesting projects that will be supported by the agency in various ways, including economic funding.
“DARPA will assess candidate ideas and offer varying levels of support to develop and test selected proposals. The emphasis will be on speed and economy, with the goal of propelling winning submissions from concept to simple working prototypes within about 90 days.” states the DARPA
The Improv will help the US Military to identify possible attack vectors of potential cyber threats, but many experts believe that the US Government is also thinking about new attack vectors to maintain it supremacy in the cyberspace.
“DARPA often looks at the world from the point of view of our potential adversaries to predict what they might do with available technology,” said Main.
“Historically we did this by pulling together a small group of technical experts, but the easy availability in today’s world of an enormous range of powerful technologies means that any group of experts only covers a small slice of the available possibilities.”
If you are interested in the project follow the special webinar issued by the DARPA on March 29 and 30.
How a Typo Stopped Hackers from Stealing $1 Billion from Bank
12.3.2016 Hacking
Typos are really embarrassing, but this time it saved the Bangladesh Central Bank and the New York Federal Reserve by preventing a nearly $1 Billion (£700 Million) heist.
Last month, some unknown hackers broke into Bangladesh's central bank, obtained credentials needed for payment transfers and then transfer large sums to fraudulent accounts based in the Philippines and Sri Lanka. But…
A single spelling mistake in an online bank transfer instruction prevented the full theft, according to Reuters.
Here’s what actually was happened:
Nearly three dozen requests hit the Federal Reserve Bank of New York on 5 February using the Bangladesh Bank's SWIFT code, out of which four resulted in successful transfers, for a total value of about $81 million.
However, when the hackers attempted to make their fifth transfer of $20 Million to a Sri Lankan non-governmental organization called the Shalika Foundation, they made a typo by attempting a transfer to the Shalika "Fandation."
Staff at Deutsche Bank, which was involved in routing funds, spotted this spell error and got asked the Bangladeshis for clarification on the typo. The Bangladesh bank then canceled the remaining transfers.
The Federal Reserve Bank of New York also queried the Bangladesh central bank after spotting the large number of transfer of funds to private accounts at around the same time.
The hackers, who are still unknown, had been attempting to steal a further $850 Million from the Bangladesh government’s reserve account, but typo in the requests prevented the full theft.
The $81 Million of transfer that was successfully made has not been recovered, but the typo saved the Bangladeshis because if all the fund transfers were made successfully thieves would have made off with $950 Million.
The attack happened between February 4 and 5 and originated from outside the country. Moreover, the hackers are still unknown and officials said there is not much hope of catching them.
Meanwhile, the Bangladesh central bank says the Federal Reserve should have stop the transactions. The bank is planning to file a lawsuit against the Federal Reserve in order to recover some of the funds that were lost.
ISPs Sell Your Data to Advertisers, But FCC has a Plan to Protect Privacy
12.3.2016 Hacking
FCC wants ISPs to get customer permission before sharing personal data
The Federal Communication Commission (FCC) has put forward a proposal that aims to protect Internet user's privacy.
The proposal [pdf] will regulate the amount of customers’ online data the Internet Service Providers (ISPs) are able to collect and sell to the advertising companies.
Currently, there is no particular rule by law covering broadband providers and customer privacy, and if adopted, this would be the first privacy rule for ISPs.
The FCC already governs how phone companies can use and resell customer data, and the Chairman Tom Wheeler believes similar rules should be applied to ISPs.
Is Your ISP Tracking Your Web Surfing and Selling Data to Advertisers?
Your complete Internet traffic passes through your Internet Service Provider, which gives it the ability to access to vast and potentially lucrative amount of your web-browsing activity.
If you are using a mobile phone, your ISP can also track your physical location throughout the day in real time.
ISPs are using Deep packet inspection to stealthily gather and store information about their customers’ surfing habits – including:
Search queries
Web sites visited
Information entered
What apps they use
…and then later Advertising companies serve advertisements based on those behaviors.
The proposed set of rules include a requirement that ISPs clearly disclose what data they collect on their users, and share that collected data with other companies for advertisements, marketing or other purposes.
The rules will not prohibit ISPs from using the personal data they collect from their users, "only that since it is your information, you should decide whether they can do so," FCC Chairman Tom Wheeler wrote. "This isn’t about prohibition; it’s about permission."
The proposed rules will be debated during the FCC's March 31 meeting, and if approved would go out for public comment.
The proposal would create some of the strongest privacy regulations and give consumers control over how ISPs can use their data.
SAP Download Manager flaw exposed user password
11.3.2016 Vulnerebility
An attacker who manages to get access to a user’s configuration file for SAP Download Manager might be able to obtain the stored proxy password.
Are you a SAP user? Do you use the SAP Download Manager that allows downloading of software packages and support notes? You urgently need to update it in order to fix a serious vulnerability that could be exploited to expose your password.
According to experts at Core Security, a local attacker who is able to access the user’s configuration file in SAP Download Manager might be able to obtain the stored proxy password.
“SAP Download Manager [1] is a Java application offered by SAP that allows downloading software packages and support notes. This program stores the user’s settings in a configuration file. Sensitive values, such as the proxy username and password if set, are stored encrypted using a fixed static key” states the security advisory published by Core Security.
The flaw affects the SAP Download Manager version up to 2.1.142 (released in October 2015), but experts at Core Security haven’t tested other products and versions.
“SAP system and BASIS administrators often use the SAP Download Manager program to download software packages and fixes. We found that this program stores credentials information on the local user’s directories using an encryption mechanism that can be easily bypassed.” said Core Security Consulting Services’ Martin Gallo who discovered the flaw.
“While recent versions of the program had stopped storing SAP’s Marketplace credentials, proxy authentication information is still kept on the program’s configuration file. This represents a risk on the enterprise environment where proxy authentication is integrated with other systems, for example using Active Directory’s credentials, if the configuration file is compromised,”
It is important to highlight that the SAP application implements encrypted storage of sensitive values, however some sensitive values, such as the user’s proxy password are stored with weak encryption.
SAP published the Security Note 2282338 accessible to its customers only.
The researchers at Core Security also published a proof of concept exploit code that is included in the advisory.
SAP has already fixed the problem and issued a new updated software this week.
0-day critical flaws in mobile modems allow hackers to take over your PC
11.3.2016 Vulnerebility
The Russian security tester Timur Yunusov has discovered critical flaw affecting routers and 3G and 4G mobile modems from Huawei, ZTE, Gemtek, and Quanta.
The Russian security tester Timur Yunusov has discovered critical vulnerabilities affecting routers and 3G and 4G mobile modems from Huawei, ZTE, Gemtek, and Quanta. The security holes could be exploited by remote attackers to completely compromise machines and intercept HTTP traffic and also SMSs.
Yunusov, a security expert at the Positive Technologies, presented the discovery at the Nullcon conference held in Goa. He discovered the flaws in at least eight different devices. A rapid query on the Shodan search engine allowed him to find more than 42,000 vulnerable devices exposed on the web.
The results include roughly 2800 Gemtek modems and routers and 1250 from Quanta and ZTE.
“All the modem models investigated had critical vulnerabilities leading to complete system compromise,” Yunusov says. “Virtually all the vulnerabilities could be exploited remotely.”
The penetration tester explained that in some cases the vulnerabilities are introduced by the service providers likely to personalize the firmware running on the device. The vulnerabilities are critical because an attacker can remotely trigger them to compromise connected devices, including connected computers.
“Not all the modems had vulnerabilities in their factory settings; some of them appeared after the firmware was customised by the service provider.” he says “If we penetrate a modem … infecting a PC connected to it provides us with many ways to steal and intercept the PC user’s data,”
Almost all devices tested by Yunusov are affected by cross-site request forgery vulnerabilities and lack of input validation, this means that 60 percent of the equipment was exposed to remote code execution.
The Gemtekm Huawei and Quanta devices resulted vulnerable to firmware modifications, in some cases, the expert noticed that it was possible to upload arbitrary firmware on the units allowing to completely compromise them. Four of the eight modems and routers are affected by cross-site scripting vulnerabilities that could be exploited by a remote attacker to infect the host and intercept SMS for dedicated attackers who want to geo-locate targets.
Timur Yunusov, Kirill Nesterov and their colleagues at Positive Technologies have already conducted a similar study in the past, in October they have found since-patched remote execution and denial of service vulnerabilities in the popular Huawei 4G USB Huawei E3272 modem that can allow hackers to hijack connected computers.
In December, a team of researchers at Positive Technologies conducted a study on how to compromise USB modems and attack SIM cards via SMS over 4G networks.
The team consisting of Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov discovered that 4G USB modems are affected by vulnerabilities that could be exploited by threat actors to gain full control of the machines to which the devices are connected.
Adobe issues emergency out-of-band update for actively exploited 0Day
11.3.2016 Vulnerebility
Adobe has released an emergency out-of-band update to fix a zero-day vulnerability that is being used in targeted attacks.
It’s happened again, Adobe has Issued an emergency Out-of-Band update For Flash Zero-Day that is being exploited in targeted attacks. The unfortunate thing is that the Out-of-Band Patch For Flash Zero-Day comes just a couple of days after releasing the announced updates to fix critical vulnerabilities in Acrobat, Reader and Digital Editions.
The zero-day vulnerability (CVE-2016-1010) addressed by the last Emergency Out-of-Band update has been discovered by threat researcher Anton Ivanov from Kaspersky Lab, ’s vulnerability (CVE-2016-1010) and has been exploited in a limited number of targeted attacks.
CVE-2016-1010 is an integer overflow vulnerability that allows attackers to remotely execute malicious code on vulnerable computers.
“Today Adobe released the security bulletin APSB16-08, crediting Kaspersky Lab for reporting CVE-2016-1010. The vulnerability could potentially allow an attacker to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks.” states the email sent by a Kaspersky representative to Ars.
“At this time, we do not have any additional details to share on these attacks as the investigation is still ongoing. Even though these attacks are rare, we recommend that everyone get the update from the Adobe site as soon as possible.”
The Emergency Out-of-Band update also fixes also other critical vulnerabilities that could allow an attacker to gain complete control over vulnerable systems.
According to the security bulletin issued by Adobe, the vulnerabilities addressed by the new patch affect all platforms.
“Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.” states the security advisory.
The vulnerability details are:
These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000).
These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2016-1001).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005).
In order to reduce the attack surface, uninstall any browser extensions that is not really necessary for your work.
Google Android N Preview — 6 Cool Features That You Should Know
11.3.2016 Mobil
Android N Developer Preview, an early beta of Google’s new mobile operating system that was expected to launch on Google I/O in mid-May, is unexpectedly launching right now.
Android N Developer Preview for the Nexus 6P, Nexus 5X, Nexus 6, Pixel C Nexus 9, the Nexus Player and the General Mobile 4G, an Android One device has been made available as an over-the-air update by Google on Wednesday.
So, you can test out Android N Developer Preview on your smartphone and tablet right now from developer.android.com/preview.
The good news is that the Google Android team has brought meaningful features to your smartphone and tablet in just five months.
"As we look to the next release of Android, N, you’ll notice a few big changes aimed at you as developers: it’s earlier than ever, it’s easier to try and we’re expanding the ways for you to give us feedback," Hiroshi Lockheimer, Google's SVP for Android writes. "We hope these changes will ensure that you are heard and reflected – that’s what makes Android stronger."
Here's what I like about the new Android Developer Preview so far.
1. Multi-Window API
google-android-n-download-1
Multi-window support is the feature users have long asked for – especially on tablets. The feature allows users to perform multiple tasks simultaneously.
So now you can type out a message while viewing a map, check the weather while watching videos, and so on. The screen can be split horizontally or vertically as you prefer.
2. Reply to Messages Directly Without Leaving an App
google-android-n-direct-reply
Among the new changes in Android N are improved notifications. Notifications support "direct reply" feature for app developers who can now allow their users to reply to incoming notifications of WhatsApp, Twitter or SMS messages straight from the notification panel without having to launch the app in question.
Developers can also choose to bundle notification alerts from the same app together, enabling users to see them as a bundle and expand individually if necessary.
3. Better Battery Life
This is the biggest relief for all Android users. With Android Marshmallow, Google introduced a new battery-saving feature called Doze that places an Android device into a deep power-savings mode when it is stationary for a while.
In Android N, Google is taking this feature a step further by allowing Doze to work whenever the screen is OFF, not just when the device is stationary. So your smartphone's battery will now last even longer when it's in standby mode.
4. Data Saver
google-android-n-data-saver
Moreover, Google continues to work on making its Android OS less memory-hungry and making apps running in the background work more efficiently.
When turned ON, the Data Saver feature restricts the apps from using data connection as well as prevent pulling in embedded videos and images on web pages. You can also pick selected apps that may be allowed to use the data connection even when the feature is ON.
However, the Data Saver feature in Android N will be particularly helpful for those who are on prepaid or pay-on-the-go connections for data.
5. Picture-in-Picture Mode
google-android-n-picture-in-picture
Now you can view a YouTube video while reading through a report in Word on your Android device, thanks to Picture-in-picture feature in Android N.
"Picture-in-picture (PIP) mode lets apps run a video activity in the pinned window while another activity continues in the background. The PIP window lets users multitask while using your app, which helps users be more productive." Google describes.
The feature will be more useful for those with tablets or larger phones.
6. No Need to Flash Your Device (Direct Boot)
Yes, the most brilliant part is that you do not need to flash or tether your device to a PC in order to download and install the new Android N Developer Preview, as it can be downloaded straight to your device.
These are the things that are now known to us about the all new Android N Developer Preview, but one thing we definitely don’t know yet that what the ‘N’ will stand for. For me it’s Nutella.
What do you think the "N" will stand for? Hit the comments below and let us know.
Triada Trojan the most sophisticated mobile malware seen to date
11.3.2016 Virus Mobil
Kaspersky Lab recently spotted a new Android malware dubbed Triads Trojan, which they say is the most advanced mobile malware seen to date.
Malware researchers at Kaspersky Lab have discovered a new strain of malware, dubbed Triada (Backdoor.AndroidOS.Triada), targeting Android devices, which they consider the most advanced mobile threat seen to date. The range of techniques used by the threat to compromise mobile devices is not implemented in any other known mobile malware.
Triada was designed with the specific intent to implement financial frauds, typically hijacking the financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.
The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence, as explained by researchers Nikita Buchka and Mikhail Kuzin from Kaspersky Lab.
“Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were all included in our antivirus databases under the name Triada.” reads a blog post published by the researchers.
The Android malware is spread through an “advertising botnet” that was used by crooks to spread also other threats, including Leech, Ztorg, and Gorpo and AndroidOS.Iop.
The Triada Trojan makes use of the Zygote parent process to implement its code in the context of all software on the device, this means that the threat is able to run in each application.
“A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.”
The trojan is hard to detect, it mainly operates in RAM and exploiting root privileges it substitutes system files, it also hides its modules from the list of running/installed services and applications.
Below the list of features for the Triada Trojan.
Modular functionality with active use of superuser privileges
Main part of malicious functionality exists in device RAM only.
Trojan modifies Zygote system process in the memory to achieve persistence.
Industrial approaches used in its development, suggesting its authors are highly qualified.
How to hack mobile phones embedded fingerprint sensor using 2D Printed fingerprints
11.3.2016 Mobil
Two Computer Science researchers developed a technique to hack a phone’s fingerprint sensor in 15 mins with $500 worth of inkjet printer and conductive ink
The Computer Science researchers Kai Cao and Anil K Jain have developed a new technique for hacking a mobile device’s fingerprint sensor in 15 mins with $500 worth of an inkjet printer and conductive ink.
This kind of attacks is very dangerous considering that it has been forecasted that 50% of smartphones sold by 2019 will have an embedded fingerprint sensor.
It is also important to highlight that a growing number of features and applications will rely on fingerprint recognition on mobile devices, for example, secure mobile payment and other transactions.
The duo used a 300dpi scan of a fingerprint to produce a working replica printed of a fingerprint in less than 15 minutes, and the original image could be taken from a fingerprint sensor itself.
The computer experts explained that spoofing attacks still represent a serious problem for embedded fingerprint systems.
“Spoofing refers to the process where the fingerprint image is acquired from a fake finger (or gummy finger) rather than a live finger.” wrote the duo in the paper titled Hacking Mobile Phones Using 2D Printed Fingerprints.
A first proof of concept attack of this kind was presented at Germany’s Chaos Computer Club in 2013 to hack an iPhone 5s, in 2014 the German researcher Jan Krissler, aka Starbug, demonstrated at the same hacking conference how to bypass Fingerprint biometrics using only a few photographs.
The principal limitations of the above techniques are the need to fabricate the spoof manually and the fact that this process is time-consuming.
The method developed by the two researchers overwhelms these limitations, it relies on the sensor embedded in the mobile phone and uses a 2D fingerprint image printed on a special paper. The spoof fingerprint is generated automatically, below the steps of the method developed by the researchers:
Install three AgIC4 silver conductive ink cartridges as well as a normal black ink cartridge in a color inkjet printers (Brother MFC-J5910DW printer was used by us); better conductivity can be achieved if a brand new (unused) printer is used;
Scan the target fingerprint image (of the authorized user) at 300 dpi or higher resolution;
Mirror (reverse the image in the horizontal direction) and print the original or binarized fingerprint image on the glossy side of an AgIC special paper;
spoofing fingerprint sensor
The MSU researchers demonstrated that the attack on fingerprint readers works on various Samsung mobile devices, and less well on some Huawei phones.
“In summary, we have proposed a simple, fast and effective method to generate 2D fingerprint spoofs that can successfully hack built-in fingerprint authentication in mobile phones. Furthermore, hackers can easily generate a large number of spoofs using fingerprint reconstruction [3] or synthesis [4] techniques which is easier than 2.5D fingerprint spoofs.” states the researchers.
“This experiment further confirms the urgent need for antispoofing techniques for fingerprint recognition systems [5], especially for mobile devices which are being increasingly used for unlocking the phone and for payment. It should be noted that not all the mobile phones can be hacked using proposed method. As the phone manufactures develop better anti-spoofing techniques, the proposed method may not work for the new models of mobile phones. However, it is only a matter of time before hackers develop improved hacking strategies not just for fingerprints, but other biometric traits as well that are being adopted for mobile phones (e.g., face, iris and voice).”
The duo confirmed that this is a preliminary study, they will go deep into the analysis of fingerprint sensor.
Below a video PoC of the method developed by the researchers
ISIS – Disclosed thousands of files reporting the identity of 22,000 Jihadis
10.3.2016 Hacking
A former ISIS member has stolen and disclosed thousands of documents reporting the identity of 22,000 Jihadis and other important information.
Thousands of documents reporting the identity of 22,000 Jihadis are handed to Sky News by a former member of the ISIS radical organisation. The documents contain 22,000 names, addresses, telephone numbers and family contacts of ISIS members.
Sky News has obtained a memory stick containing the files that were stolen from the head of Islamic State’s internal security police. The man who stole the memory stick was a former Free Syrian Army convert to Islamic State who calls himself Abu Hamed.
“Disillusioned with the Islamic State leadership, he says it has now been taken over by former soldiers from the Iraqi Baath party of Saddam Hussein.” states SkyNews.
The journalists met him in a secret location in Turkey, the man revealed that the IS was giving up on its headquarters in Raqqa and moving into the central deserts of Syria and ultimately Iraq.
The list of the ISIS members includes militants from more than 51 countries, including the UK. The document is a sort of IS registration form composed of 23 questions that wannabe members had to fill with their personal information.
There are many previously unknown European jihadis in the documents, as well as IS members from the Middle East, North Africa, United States and Canada.
Many names are already known to the Western Intelligence, anyway the presence of the documents online is very important for different reasons. It is essential to understand who really, and how, has obtained the documents.
One of the documents, titled “Martyrs,” includes a list of members ready to carry out suicide attacks, these terrorists have been already trained for such kind of operations.
We cannot exclude that they could be also part of a diversionary strategy of the IS group.
“Abdel Bary, a 26-year-old from London joined in 2013 after visiting Libya, Egypt and Turkey. He is designated as a fighter but is better known in the UK as a rap artist. His whereabouts are unknown. Another jihadi named in the documents, now dead after being targeted in a drone strike, is Junaid Hussain, the head of Islamic State’s media wing who along with his wife former punk Sally Jones, plotted attacks in the UK. Her whereabouts are unknown.” states the post published by SkyNews.
“Reyaad Khan from Cardiff, who also entered in 2013, is also among those found among the registration forms. He was well known for appearing in a highly produced Islamic State propaganda video. He was later killed.”
SkyNews confirmed that many jihadis passed through a series of jihadi “hotspots,” including Yemen, Sudan, Tunisia, Libya, Pakistan and Afghanistan. In any cases, they were able to enter the territory controlled by the IS, join the fights and return home.
The documents are a mine of information for the intelligence, they include many telephone numbers likely belonging to the family members and the jihadis.
The man that disclosed the documents sustains that today the IS has no rules, he doesn’t share the ideology that today is animating the group, so decided to quit the ISIS. He also made another shocking revelation, according to Abu Hamed the ISIS organisation is secretly working with The Kurdish YPG and the Syrian Government to persecute the Syrian opposition.
Also the news portal Zaman Al Wasl (zamanalwsl.net) claimed to have in exclusive 1736 documents revealing ISIS jihadists personal data, it also published it.
“Two thirds of ISIS manpower are from Saudi Arabia, Tunisia, Morocco and Egypt. 25% of ISIS fighters are Saudis, the data disclosed. While Turkish fighters are taking the lead among ISIS foreign fighters, French fighters come next. Syrians are just 1.7 % of the total number of fighters. The Iraqis make 1.2. ” states the Zaman Al Wasl that analyzed the documents it obtained.
Snowden FBI is lying, it can already unlock iPhone without Apple support
10.3.2016 Apple
Snowden accuses the FBI of lying about his ability to unlock the iphone of the San Bernardino terrorist. “that’s horse sh*t.” he said.
While the dispute between Apple and the FBI on the San Bernardino shooter’s iPhone case continues, the popular NSA whistleblower Edward Snowden takes a position giving us his opinion, and it is not so surprising.
The FBI wants to obtain a court order to force Apple to unlock the terrorist’s iPhone, the authorities have tried to do it, but an error made during the government custody apparently made impossible for the police to access the device. The FBI is demanding that Apple disables the iPhone’s “auto-erase” security feature that wipes the Apple mobile device after 10 failed passcode attempts.
On the other hand, the company of Cupertino is refusing to unlock the device, announcing a legal battle that could reach the Supreme Court.
Snowden in a video call at Blueprint for a Great Democracy conference on Tuesday accuses the FBI of lying defining its declaration defining its claims as absurd, in reality, he used a more colorful expression.
“The FBI says Apple has the ‘exclusive technical means’ to unlock the phone,” said Snowden in video conference “Respectfully, that’s horse sh*t.”
Snowden opinion on Apple vs FBI case
On the same day, Snowden shared via Twitter a link to an American Civil Liberties Union blog post titled “One of the FBI’s Major Claims in the iPhone Case Is Fraudulent,” which explains that the FBI has the ability to bypass iPhone protection mechanism.
“But the truth is that even if this feature is enabled on the device in question, the FBI doesn’t need to worry about it, because they can already bypass it by backing up part of the phone (called the “Effaceable Storage”) before attempting to guess the passcode. I’ll go into the technical details (which the FBI surely already knows) below.” states the post.
The post explains that FBI can simply make a copy of the content of the Effaceable Storage while trying to guess the passcode.
“So the file system key (which the FBI claims it is scared will be destroyed by the phone’s auto-erase security protection) is stored in the Effaceable Storage on the iPhone in the “NAND” flash memory. All the FBI needs to do to avoid any irreversible auto erase is simple to copy that flash memory (which includes the Effaceable Storage) before it tries 10 passcode attempts. It can then re-try indefinitely, because it can restore the NAND flash memory from its backup copy.” continues the post.
“The FBI can simply remove this chip from the circuit board (“desolder” it), connect it to a device capable of reading and writing NAND flash, and copy all of its data. It can then replace the chip, and start testing passcodes. If it turns out that the auto-erase feature is on, and the Effaceable Storage gets erased, they can remove the chip, copy the original information back in, and replace it. If they plan to do this many times, they can attach a “test socket” to the circuit board that makes it easy and fast to do this kind of chip swapping.”
Image credit: http://www.mobpart.com/iphone-5c-c-61_63
Snowden expressed his solidarity to IT giants that are working to provide new solutions, and improve the existing ones, to protect the users’ privacy through the implementation of strong encryption.
“We should support vendors who are willing to [say], ‘You know, just because it’s popular to collect everybody’s information and resell it to advertisers and whatever, it’s going to serve our reputation, it’s going to serve our relationship with our customers, and it’s going to serve society better. If instead we just align ourselves with our customers and what they really want, if we can outcompete people on the value of our products without needing to subsidize that by information that we’ve basically stolen from our customers’,” he told TechCrunch in June, months before the December massacre in San Bernardino. “That’s absolutely something that should be supported.”
Bangladesh says hackers stole $100 Million from its US Federal Reserve account
10.3.2016 Incindent
Unknown hackers have stolen more than $100 million from the Bangladesh Bank account at the US Federal Reserve Bank.
According to Bloomberg, the Bangladesh’s Finance Minister Abul Maal Abdul Muhith is accusing the U.S. Federal Reserve for the theft of at least $100 million stolen from the Bangladesh’s account. Bangladesh is threatening the US for a legal fight to retrieve the funds, explained Muhith in a press conference held in Dhaka on Tuesday. The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.
“We kept money with the Federal Reserve Bank and irregularities must be with the people who handle the funds there,” Muhith said. “It can’t be that they don’t have any responsibility.”
While the central bank of Bangladesh is blaming Chinese hackers, the Federal Reserve is denying the security breach of security took place.
On Monday, a spokeswoman for the US Federal Reserve Bank of New York confirmed there was no evidence of a security breach, neither that the Bangladesh Bank account had been hacked.
The Fed spokeswoman clarified that every payment follows standard protocols and is authenticated by the SWIFT message system used by financial institutions
“To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised,” said New York Fed spokeswoman Andrea Priest.
Currently, the US Fed and the Bangladesh Government are investigating the incident.
The Bangladesh’s central bank has about $28 billion in foreign currency reserves, according to the country’s Prothom Alo newspaper, at least 30 transfer requests were made on February 5 using the Bangladesh Bank’s SWIFT code. Five transfers were successfully completed.
How is possible?
Difficult to say because there aren’t details on the event. It is likely hackers breached Bangladesh Bank in early February stealing credentials for payment transfers, then they used the credentials to order transfers out of a Federal Reserve Bank of New York account held by Bangladesh Bank.
Anyway it is a complex hack, attackers had a deep knowledge about Bangladesh Bank’s procedures for ordering transfers, likely they spied on Bangladesh Bank staff to gather the information.
Other incidents involved the US Feds in the past, in 2014 a British citizen was accused of hacking its servers and leaking sensitive data.
Tracking users on the Tor Network through mouse movements
10.3.2016 Safety
A security researcher has devised a new technique to track users by analyzing the mouse movements, even when surfing on the Tor network.
While we surf on the Internet we leave an impressive amount of traces that could be used to track our profile and also reveal our identity even we are visiting resources in the darknet.
The way a user moves writes a blog post or moves a mouse could allow to track him.
The security researcher Jose Carlos Norte (@jcarlosnorte) has elaborated a technique relying on Javascript to create a unique fingerprint of internet users that could be used to track users while accessing the Tor network.
“While preventing users IP address to be disclosed is a key aspect for protecting their privacy, a lot of other things need to be taken into consideration. Tor browser is preconfigured to prevent a lot of possible attacks on user privacy, not only the communications layer provided by tor itself.” wrote Jose Carlos Norte.
“One common problem that tor browser tries to address is user fingerprinting. If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that its the same user. Or even worse, it could be possible to identify the user if the fingerprint is the same in tor browser and in the normal browser used to browse internet. It is very important for the tor browser to prevent any attempt on fingerprinting the user.”
surveillance NSA mobile
The researcher explained that his Javascript code, once deployed on a website, could fingerprint a user based on how he moves the mouse. The researcher explained that observing user’s movements in a ‘significant’ number of pages the user visits on the clear web it is possible to create a unique fingerprint that can allow his identification even when he is in the Tor network.
The expert created a quick and dirty PoC called UberCookie to demonstrate that is possible to fingerprint a user in a controlled environment.
Norte explained that the most interesting fingerprinting vector he discovered on Tor Browser is getClientRects that allows to get the exact pixel position and size of the box of a given DOM element.
The results of the getClientRects call depend on multiple factors, including the resolution and the font configuration that can compose the fingerprinting vector.
Lorenzo Bicchierai from MotherBoard tried to contact members of the Tor Project and is still waiting for a reply.
“The Tor Project did not respond to a request for comment, but it seems that its developers are looking into this issue, according to two official bug reports. ” wrote Bicchierai.
The popular cyber security expert Mikko Hypponen published a Tweet that define “clever” the technique.
To avoid beign tracked with this fingerprint technique users can deactivate Javascript completely.
More than 1 Million Websites Install Free SSL Certificate (and Counting...)
9.3.2016 Security
Let's Encrypt has achieved another big milestone by issuing 1 million free Transport Layer Security (TLS) SSL Certificates to webmasters who wish to secure the communications between their users and domains.
Let's Encrypt – operated by the Internet Security Research Group (ISRG) – is an absolutely free, and open source certificate authority recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer.
It is just three months and five days since Let's Encrypt launched a beta version of the service, and the group has crossed 1 Million certificates in use across the Web, Let's Encrypt said in a blog post on Tuesday.
Let's Encrypt allows anyone to obtain Free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates for their web servers.
Backed by companies including EFF, Akamai and Mozilla, the Let's Encrypt project started offering Free HTTPS certs to everyone from last December.
Let's Encrypt certificates are configured with cross-signatures from SSL cert provider IdenTrust, making its free certs trustworthy and allowing users to browse more securely on the Internet.
With Let's Encrypt, it is very easy for anyone to set up an HTTPS website in a few simple steps (Here's How to Install Free SSL Cert).
Here's what Let's Encrypt says in its post:
"Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress. It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default.
We're very proud to be seeing that change, and helping to create a future in which newly provisioned websites are automatically secure and encrypted."
Let's Encrypt had signed its First free HTTPS certificate in September, and its client software emerged in early November.
Also Read: Hackers Install Free SSL Certs from Let's Encrypt On Malicious Web Sites.
So, now it's time for the Internet to take a significant step forward towards security and privacy. With Let's Encrypt, the team wants HTTPS becomes the default and to make that possible for everyone, it had built Let's Encrypt in such a way that it is easy to obtain and manage.
Brazilian underground is the first in spreading cross-platform malware
9.3.2016 Virus
Coder in the Brazilian Cyber Criminal underground are Pioneering Cross-platform malware relying on Java archive (JAR) Files.
Recently security experts at PaloAlto Networks uncovered a new family of ransomware dubbed KeRanger that targets Mac OS X users, a circumstance that demonstrates that every OS is potentially at risk.
Now researchers at Kaspersky Lab have discovered new families of malware that are being distributed as JAR Java executables to allow the malicious code to run on Mac, Linux, and Windows, and even on Android devices under special conditions.
The malware authors are packing the malicious code as a JAR file to develop cross-platform malware. Of course in order to run the code, it is necessary that the Java Runtime Environment (JRE) is installed on the target machine.
Fortunately for the crooks, Java is installed on 70-80% of machines worldwide, and Brazilian vxers seems to be aware of this.
“Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows.” wrote cyber threat experts from Kaspersky Dmitry Bestuzhev.
“Because Jar files run on Windows, OS X and Linux, wherever Java is installed. This is the very first step cybercriminals from Brazil have made towards “cross-platforming“.”
Kaspersky experts noticed that the Brazilian criminal underground is a pioneer in the development of cross-platform malware. The malware researchers also noticed that the new threats result from the development of distinct gangs in Brazil.
Kaspersky discovered several spam campaigns delivering malicious JAR files, or JAR files placed inside archives sent as attachments. These campaigns aimed to spread malicious codes, mainly banking trojan, named as Trojan-Banker.Java.Agent, Trojan-Downloader.Java.Banload, and Trojan-Downloader.Java.Agent.
Most infections have been observed in Brazil, followed by China and Germany.
Another aspect that makes these campaigns very insidious is that the cross-platform malware is stealthy and presents a low detection rate. These droppers are tiny pieces of code, with limited malicious features, for this reason they can easily evade detection and download on the infected machine other malware.
“Actually, the general detection rate for ALL AV vendors is extremely low.” continues the post. Cross-OS malware droppers are only the first step
The experts at Kaspersky highlighted that Brazilian coders have developed a cross-OS dropper at the moment used to spread older banking malware, but researchers believe cross-platform JAR-packed banking trojan is under development.
As Dmitry Bestuzhev, cyber threats researcher for Kaspersky, explains, this may only be a matter of time.
“Are Brazilian coders going to release full bankers – bandleaders and bankers running exclusively on Jar?” “There is no reason to believe they won’t. They have just started and they won’t stop.” states the post.
Let’s Encrypt has already issued one Million certificates
9.3.2016 Security
The Electronic Frontier Foundation announced that the Let’s Encrypt Certificate Authority issued its millionth certificate.
The open Certificate Authority (CA) Let’s Encrypt seems to be a success, the EFF is reaching its goals with the creation of this new certificate authority run by Internet Security Research Group (ISRG).
IT giants like Mozilla, Cisco, Akamai, Automattic and IdenTrust joined the initiative with the support of the Linux Foundation. The principal goal is to create a more secure web by encrypting website traffic using Transport Layer Security (TLS) and improve users’ privacy online.
The Let’s Encrypt CA issued its first certificate in September 2015, and today the EFF is proud to announce that Let’s Encrypt has issued its first million certificates.
“At 9:04am GMT today, the Let’s Encrypt Certificate Authority issued its millionth certificate. This is an amazing success, coming only 3 months and 5 days since a beta version of the service became publicly available. We’re very excited to be building a more secure and fully encrypted future for the World Wide Web.” states the Electronic Frontier Foundation.
The result is rousing if we consider that 90 percent of the 2.5 million domain names that take advantage of digital certificates issued by Let’s Encrypt had never been reachable by browser-valid HTTPS before.
The principal problems in implementing a HTTPs for each domain are the costs and the effort necessary to install the certificate. The Let’s Encrypt initiative aims to overwhelm these issues by issuing free digital certificates and by automating each phase of the lifecycle of a digital certificate.
The Let’s Encrypt has been a driving force for other similar initiatives, Amazon also started offering free certificates too.
There are other aspects to consider when dealing with Let’s Encrypt certificates, certificates are valid for only 90 days, this means that some website operators might forget to renew their certificates in due time.
“Unlike other CAs that issue certificates that don’t expire for years, LE is issuing short-lived certificates (90 days). All certificates are being published to the Certificate Transparency (CT) project, and you can see them at the crt.sh site.” explained David Holmes from F5 Networks.
Anyway let me say that I’m very happy for the results obtained by the Let’s Encrypt initiative, this is the evidence that we are converging to greater awareness of the risks and the need to take the necessary measures to protect our security and privacy.
How to exploit TFTP protocol to launch powerful DDoS amplification attacks
9.3.2016 Computer Attack
A group of security researchers from the Edinburgh Napier University elaborated a new DDoS amplification technique relying on the TFTP protocol.
A group of security experts from the Edinburgh Napier University (Boris Sieklik, Richard Macfarlane and Prof. William Buchanan) have discovered a new vector for DDoS amplification attacks. Recently the security community has discovered several ways to launch powerful amplification attacks by exploiting misconfigured services such as DNS or Network Time Protocol (NTP), now experts have found a way to exploit also the TFTP protocol (Trivial File Transfer Protocol).
The experts discovered that attackers could exploit TFTP to obtain a significant amplification factor for their attack, and unfortunately the port scanning research conducted for the “Internet Census 2012 ” indicates the presence on the Internet of roughly 599,600 publicly open TFTP servers.
TFTP protocol to launch DDoS amplification attacks
The researchers contacted by El Reg confirmed that the techniques could allow obtaining an amplification factor equal to 60.
“The discovered vulnerability could allow hackers to use these publicly open servers to amplify their traffic, similarly to other DDoS amplification attacks like DNS amplification. If all specific conditions are met this traffic can be applied up to 60 times the original amount,” the researcher Boris Sieklik told El Reg.
“I also studied effects of this attack on different TFTP software implementations and found that most implementations automatically retransmit the same message up to six times, which also contributes to the amplification.”
The TFTP protocol (Trivial File Transfer Protocol) is a simplified version of FTP (File Transfer Protocol) mainly used in local area networks. TFTP is very simple to implement for this reason it is quite common to find TFTP server within organizations.
It is possible to transfer any file by using the TFTP protocol, to obtain the DDoS amplification effect an attacker can a specifically crafted request to the server with a forged return address that represents the address of the target. The response sent by the server is much bigger in size than the original request, obtaining in this way the amplification factor.
The numerous misconfigured services present on the Internet could allow to target a specific website with junk traffic composed of responses to forged web requests.
The researchers announced that they will publish the results of their discovery in the March edition of publisher Elsevier’s Computers & Security journal, it will also include indications to mitigate potential TFTP DDoS amplification attacks.
More than a billion Android devices are easy to hack
9.3.2016 Android
A large percentage of Android devices is affected by security vulnerabilities that could be exploited by attackers to easily gain a Root Access.
According to experts at TrendMicro a large percentage of Android devices in use today is affected by security vulnerabilities that could be exploited by attackers to easily gain a root access.
The attack allows an ill-intentioned to escalate the privileges of any code that is executed on a target device, however, this attack scenario sees an attacker having installed his malicious code onto the device in the first place. Android users need to be very careful of installing any mobile apps from untrusted sources.
Below the description provided by TrendMicro for the CVE-2016-0819 and CVE-2016-0805 flaws discovered by its experts:
CVE-2016-0819
We discovered this particular vulnerability, which is described as a logic bug when an object within the kernel is freed. A node is deleted twice before it is freed. This causes an information leakage and a Use After Free issue in Android. (UAF issues are well-known for being at the heart of exploits, particularly in Internet Explorer.)
CVE-2016-0805
This particular vulnerability lies in the function get_krait_evtinfo. (Krait refers to the processor core used by several Snapdragon processors). The function returns an index for an array; however, the validation of the inputs of this function are not sufficient. As a result, when the array krait_functionsis accessed by the functions krait_clearpmu and krait_evt_setup, an out-of-bounds access results. This can be useful as part of a multiple exploit attack.
The problem affects the Qualcomm Snapdragon systems on a chip, more than a billion devices is at risk. The root access to a mobile device allows an attacker to conduct a number of malicious activities, from surveillance to financial frauds.
The vulnerability could be exploited by simply running a malicious app on snapdragon-powered Android devices. Experts at TrendMicro privately reported the security holes to Google that fixed them.
As usually happen in these cases, the high fragmentation of the Android market complicates the patch management process. Many users are still vulnerable to the attack waiting for a security patch.
“As the number of embedded SoCs in devices explode with the IoT growth, we anticipate that these kinds of vulnerabilities will become a bigger problem that will challenge the overall security posture of Internet of Things.” continues the post published by TrendMicro.
Going into technical details, the flaws could be exploited in every mobile and IoT devices that could allow the invocation of the system call perf_event_open. Fortunately, many vendors can have customized the kernel and SELinux policies in order to avoid the call.
According to the Nexus Security Bulletin – February 2016, the CVE-2016-0805 vulnerability affects versions earlier than 4.4.4 to 6.0.1, this means that Nexus 5, Nexus 6, Nexus 6P, Samsung Galaxy Note Edge are vulnerable to the attack.
“We believe that any Snapdragon-powered Android device with a 3.10-version kernel is potentially at risk of this attack. As mentioned earlier, given that many of these devices are either no longer being patched or never received any patches in the first place, they would essentially be left in an insecure state without any patch forthcoming.” conclude TrendMicro.
Hacker Reveals How to Hack Any Facebook Account
8.3.2016 Hacking Social Site
how-to-hack-facebook-account
Hacking Facebook account is one of the major queries of the Internet user today. It's hard to find the way to hack into someone Facebook account, but a Facebook user just did it.
A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.
Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.
Here's How the Flaw Works
The vulnerability actually resides in the way Facebook's beta domains handle 'Forgot Password' requests.
Facebook lets users change their account password through Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.
To ensure the genuinity of the user, Facebook allows the account holder to try up to a dozen codes before the account confirmation code is blocked due to the brute force protection that limits a large number of attempts.
However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.
Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.
Video Demonstration
Prakash has also provided a proof-of-concept (POC) video demonstration that shows the attack in work. You can watch the video given below that will walk you through the entire procedure:
Here's the culprit:
As Prakash explained, the vulnerable POST request in the beta pages is:
lsd=AVoywo13&n=XXXXX
Brute forcing the 'n' successfully allowed Prakash to launch a brute force attack into any Facebook account by setting a new password, taking complete control of any account.
Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and had paid him $15,000 as a reward considering the severity and impact of the vulnerability.
Hackers and Cyber Experts to Come Together at NullCon 2016
8.3.2016 Safety
A crowd of IT professionals, cyber security experts, thought leaders and business decision makers along with the best minds in the hacking community will come together at annual Nullcon security conference 2016 under the same roof to join their efforts in addressing the most critical issues of the Internet Cyberspace.
NullCon, appropriately dubbed "The Next Security Thing", creates opportunities for both presenting as well as participating in an intimate atmosphere with cyber security events offering the opportunity to learn about new threats, get valuable insights from leading experts, and network with other professionals.
Who goes to the Nullcon Conference, and Why?
Delegates from across the globe will be exposing the latest in information security, new cyber attack vectors, solutions to complex security issues with practical scenarios, thought-provoking ideas and research from the luminaries in the global IT security industry.
Additionally, a number of white hat hackers will be giving talks on the latest cyber threats, and the game-changing cyber security technologies and services they're bringing to fight cyber crime.
The major topics to be presented at Nullcon Conference 2016 will include:
What Google knows about you and your devices, and how to get it
Practical OS X Malware Detection & Analysis
Privacy leaks on 4G-LTE networks
Automatic Automotive Hacking
Making Machines think about security for fun and profit
Million Dollar Baby: Towards ANGRly conquering DARPA CGC
Hitchhiker's Guide to Hacking Industrial Control Systems (ICS)
Abusing Software Defined Networks
NullCon also builds the right niche network for you, both for information as well as business purposes.
Besides security talks, NullCon also provides 2-day workshops and security training.
Even Job seekers including IT professionals, engineers, product marketers, and sales executives are attending Nullcon in hopes of getting face time with the CEOs, CIOs and CISOs who are seeking experienced cyber talent.
NullCon Conference 2016 will be held at Goa (India) on 9-12th March 2016. March 9-10th are assigned for workshops and security training, and 11-12th March will be for security and hacking sessions.
Hacker arrested for ATM Skimming escaped from Prison
8.3.2016 Hacking
Hacker arrested for ATM Skimming escaped Prison
A Romanian card skimmer arrested for being part of an international cybercrime group that used malware to plunder US$217,000 from ATMs has escaped from a Bucharest prison on Sunday morning (6th March).
Renato Marius Tulli, 34, was being held at Police Precinct 19 in Bucharest, the capital of Romania, after being arrested together with 7 other suspects as part of a joint Europol, Eurojust, and DIICOT investigation on January 5, 2016.
Tulli was part of a criminal gang specialized in robbing NCR-based ATMs.
According to the federal authorities, the gang allegedly used a piece of malware, dubbed Tyupkin, to conduct what's known as Jackpotting attack and made Millions by infecting ATMs across Europe and beyond.
Using Tyupkin malware, the criminals were able to empty cash from infected ATMs by issuing commands through the ATM's pin pad.
Authorities announced on Monday that Tulli escaped with Grosy Gostel, 38, a man held for robbery charges, while both of them and other prisoners were out in the precinct's yard taking their daily outdoor break, local media report.
Though Police caught Gostel, ATM malware man Tulli remains on the run.
The ATM hacker and robber managed to cut a hole in the police precinct's fence and then jumped an outer fence at the police station without being noticed by the two officers that were keeping watch.
The 2 Police officers that were on duty that day are now investigated on charges of negligence.
Tulli and his criminal gang raided ATMs between December 2014 and October 2015 in countries including Romania, Hungary, Spain, the Czech Republic, and Russia. Europol estimates the group caused damages to banks of around US$217,000 (€200,000).
Tyupkin malware the gang used has been upgraded in recent months. The malware is now dubbed as GreenDispenser and is being used to target ATMs across Mexico.
'Guccifer,' who Hacked former President, to be extradited to the US
8.3.2016 Hacking
Upon the request of US authorities, Marcel Lazar Lehel, well known as Guccifer, has finally been approved to extradite to the United States to face Computer Intrusion and Identity Theft Charges for 18 months.
Guccifer is an infamous Romanian hacker who was arrested in Romania for hacking into the emails and social networking accounts of numerous high profile the US and Romanian Politicians.
Romania's top court has approved a request by US authorities to extradite Guccifer to the United States, a source within Romania's DIICOT anti-organized crime and terrorism unit told Reuters.
Guccifer's well known political targets included:
Bill Clinton (Former President)
Hillary Clinton (U.S Presidential Candidate)
George W. Bush (Former U.S. President)
Colin Powell (former U.S. Secretary)
George Maior (chief of the Romanian Intelligence Service)
John Tenet (State Director of Central Intelligence for the United States CIA)
Richard Armitage (Republican politician)
Lisa Murkowski (U.S. Senator and former Secret Service Agent) and many more.
Guccifer rose into the popularity in 2013 after hacking into the email account of George W. Bush and leaking Bush's personal photographs and artwork, including two self-portraits: one in the shower and one in the bathtub.
The same hacker was responsible to crack into the AOL Account of Bush’s Sister, Dorothy Bush Koch and targeted a number of high-profile celebrities, including Nicole Kidman, Comedian Steve Martin, Actor Leonardo DiCaprio, Actress Mariel Hemingway, 'Sex and the City' author Candace Bushnell, Biographer Kitty Kelley, released some of Hillary Clinton's private emails and many more.
The 42-year-old hacker had also claimed that Bush was a member of Ku Klux Klan – a White Supremacist Racist group by the Anti-Defamation League and the Southern Poverty Law Center, allegedly having total 5,000 to 8,000 members.
This intensified leakage had caused many repercussions on many topics like the romantic relationships between Colin Powell and Corina Cretu (Romanian Politician), even though both denied the statement.
If you want to explore more about the Guccifer Leaks, you may visit the site named 'The Smoking Gun' to which he published the leaked contents (don't expect a Wikileaks model).
Guccifer was serving as a Taxi Driver when Romania's DIICOT anti-organized crime and terrorism unit arrested him. He kickstarted his career as a Hacker at the age of 35.
According to his wife, Guccifer did most of his hacking from the quiet Sâmbãteni, which is located in the Draculan Village Transylvania.
Guccifer was sentenced for intrusion charges to popular profiles by the Romanian court to four years in jail in 2014 "with the aim of getting ... confidential data" and is serving another three-year term for other offences.
How to bypass Apple Passcode in 9.1 and later
8.3.2016 Apple
A number of bypass vulnerabilities still affect iOS devices and could be exploited by an attacker to bypass the passcode authorization screen.
A number of bypass vulnerabilities still affect iOS devices and could be exploited by an attacker to bypass the passcode authorization screen on Apple mobile devices (iPhones and iPads) running iOS 9.0, 9.1, and the recent 9.2.1.
According to Benjamin Kunz Mejri, a researcher at Vulnerability Lab, this category of security holes can be exploited to access apps native to iOS, such as Clock, Event Calendar, and Siri’s User Interface.
In February, Benjamin Kunz Mejri discovered an authentication bypass-sized hole in both iPhones and iPads running iOS 8 and iOS 9 that can be exploited by attackers to thwart lock screen passcode.
“An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the apple iphone via an application update loop issue. The issue affects the device security when processing to request a local update by an installed mobile ios web-application.” states the technical description published by the vulnerability-lab.com.
The attacker can bring the iOS devices into an unlimited loop resulting in a temporarily deactivate of the pass code lock screen.
The real problem is that they are underestimated by manufacturers because the attack request the physical presence of the attackers which have to be in possession of the device, in the specific case the flaw is still present after it was reported three months ago (2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri – Evolution Security GmbH))
“The issue is not fixed after a three-month duration. We have the newest versions of iPad and iPhone and are still able to reproduce it after the updates with default configuration,” Mejri told Threatpost Monday.
This time Mejri described a number of attack vectors relying on an internal browser link request to skip the passcode screen.
In a first scenario, an attacker could request Siri to open an app that doesn’t exist, at this point Siri will open a restricted browser window to the App Store, but from there the attacker could switch back to the home screen, either via the home button, or via Siri.
apple passcode bypass
In the second scenario the attacker is using the control panel to gain access to the non restricted clock app. The attacker opens the app via siri or via panel and opens then the timer to the end timer or Radar module. The app allows users to buy more sounds for alerts and implemented a link, but if the attacker pushes the link a restricted app store browser window opens. At that point we are in the same situation of the first attack vector.
In the third scenario, the attacker opens via panel or by a Siri request the clock app. The internal world clock module includes in the bottom right is a link to the weather channel that redirects users to the store as far as its deactivated. By pushing the link also in this case a restricted appstore browser window opens.
“At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image as link. Thus special case is limited to the iPad because only in that models use to display the web world map. In the iPhone version the bug does not exist because the map is not displayed because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.” wrote Mejri.
In the fourth scenario the attacker opens via Siri the ‘App & Event Calender’ panel, then he opens under the Tomorrow task the ‘Information of Weather’ (Informationen zum Wetter – Weather Channel LLC) link on the left bottom. The weather app is deactivated on the Apple iOS device, a new browser window opens to the AppStore, at that point we are in the same scenario seen in the other point.
It’s unclear when Apple will fix the issues. it is possible that the flaws will be solved with the iOS 9.3.
International politics of the VPN regulation
8.3.2016 Safety
How VPN (virtual private networks) are being utilized for stimulation, legislative issues, and correspondence in various nations.
As information security guru Bruce Schneier and his Berkman Center for Internet and Society associates brought up in a report a week ago, there are currently around 865 encryption-related items accessible all around the globe. From voice encryption tools to free and premium VPNs, this business sector extends a long ways past the fringes of the United States. Today, the encryption economy incorporates no less than 55 distinctive nations crosswise over Europe, Latin America, the Asia-Pacific, and the Caribbean.
The sprawling environment of programming improvement makes a conspicuous issue for governments and security organizations trying to screen or contain the privacy software. Free programs and other dispersed undertakings commonly exist “on numerous servers, in different nations, all the while,” and organizations offering anonymous tools can relocate the borders over outskirts without breaking a sweat.
To those focusing already, none of this is news. Numerous onlookers likewise concur that authoritative regulation of encryption would be a dangerous endeavor. In any case, when in doubt, maybe we shouldn’t rush to accept that the Internet will dependably and definitely discover a route around the stumbling country state.
In the setting of the present talk, it merits remembering that administrations have numerous different choices available to them with regards to controlling the utilization of protection tools. While these choices are once in a while completely powerful as a regulation measure, they can have some impact with regards to dissuading new clients from taking up specific advancements.
We should take the instance of VPNs as a sample. Once a business organizing apparatus, the VPN has lately transformed into a membership based individual administration for online privacy, security and remote server access – getting to be a standout amongst the most easy to use appearances of protection tools. Governments around the globe are currently scrambling to stay aware of the quick take-up of VPNs and their assorted applications for customers, nationals, and crooks alike.
As a major aspect of a project having international research, a group of the digital media analysts have been following and looking at universal patterns in VPN use, society, and regulation. Throughout the most recent year, researchers have been concentrating how VPNs (and other security weapons) are being utilized for stimulation, legislative issues, and correspondence in various nations. The outcomes have been enlightening.
One of the rising subjects is that distinctive governments take diverse ways to deal with managing VPNs. In nations with solid Internet oversight, a typical technique is a blend of authoritative bans and system level squares. In China, home of the world’s most advanced Internet oversight framework, various VPN sites have been blocked from the net under the appearance of a crackdown on unlicensed telecoms administrations. VPN movement has been upset through profound bundle review and port blocking, as well. Comparable boycott and block-systems are set up in a few Gulf States, including Bahrain, Oman and Saudi Arabia, and in Pakistan. Reports recommend that Russia has been considering such a move.
On the other hand, elsewhere technical-blocks are being joined with more vindictive measures. The Freedom House reports that Syrian powers “have created fake Skype encryption devices and a fake VPN application, both containing hurtful Trojans.”
Furthermore, another turn on the story was as of late found in Iran, where the state has had a go at entering the VPN industry itself. As indicated by Small Media advocacy group, Iranian powers tested in 2013 with setting up their own “authority” VPNs. These VPNs were hyped to have connection with government yet worked superbly well to check Facebook or YouTube, inasmuch as clients were not put off by government reconnaissance.
At that point obviously we have the entire issue of private regulation as stage level VPN blocking. Video administrations, for example, Netflix, Hulu, and BBC iPlayer—with variable levels of adequacy and eagerness—have all been utilizing outsider business programming for blocking access from IP addresses associated with being utilized by the VPNs.
What does this mean for the eventual fate of privacy software like VPNs?
The signs are blended. Tech liberationists are most likely right to demand that the circulated way of cryptography and encryption imply that tech groups will more often than not discover a path around top-down regulation. What’s more, administration suppliers have numerous alternatives in the progressing session of whack-a-mole, for example, exchanging locales, changing server runs, and imagining new workarounds.
In the meantime, we ought to be mindful so as not to accept that VPNs, voice scramblers, email encryption, or whatever other innovation items are totally past the limits of regulation at the purpose of utilization and in addition generation. Security organizations are a long way from weak in this diversion, particularly when the fundamental point is to dishearten uptake no matter how you look at it as opposed to stamp out use among techies.
At the end of the day, the country state still has a couple traps up its sleeve. The stakes of this verbal confrontation will just increment in the coming years as anonymization and security innovations enter further into the standard of tech society.
Your iPhone will Alert You if You are Being Monitored At Work
8.3.2016 Apple
Are You an Employee?
It's quite possible that someone has been reading your messages, emails, listening to your phone calls, and monitoring your activities at work.
No, it's not a spy agency or any hacker…
...Oops! It's your Boss.
Recently, European Court had ruled that the Employers can legally monitor as well as read workers' private messages sent via chat software like WhatsApp or Facebook Messenger and webmail accounts like Gmail or Yahoo during working hours.
So, if you own a company or are an Employer, then you no need to worry about tracking your employees because you have right to take care of things that could highly affect your company and its reputation, and that is Your Employees!
Since there are several reasons such as Financial Need, Revenge, Divided Loyalty or Ego, why a loyal employee might turn into an INSIDER THREAT.
Insider Threat is a nightmare for Millions of Employers. Your employees could collect and leak all your professional, confidential data, upcoming project details to your Rivals and much more that could result in significant loss to the company.
According to the latest threat report conducted by the Vormetric, it is analyzed that 40% of organizations experienced a data breach last year, out of which 89% felt that their organizations were vulnerable to insider attacks.
In March 2010, an IT Developer in the British Airways had been accused of leaking the Airport Security procedures for terrorist-related activities. From this example, you could figure out that the Insider Threat may take up its devilish dimension to lead to a dangerous situation.
How Can Companies Monitor their Employees iPhone?
Some strategies could be benefited for the employers by tailing up employee’s daily activities during the work hours.
Major tech companies like Symantec and IBM have a history of maintaining a threat report to their employees by a dedicated device (BYOD) that regularly updates the Employee’s Professional Network usage, such as downloads or other social networking sessions, in a statistical method.
Apple also provides a similar feature to companies for monitoring their employee's activities via work-issued iPhones that are set up with an organization's Mobile Device Management (MDM) server.
This allows employers to remotely upgrade, control, track and supervise various aspects of the iPhone’s software.
iOS 9.3 Offers Companies to Monitor Employees Like Never Before
With the release of its upcoming iOS 9.3 version, Apple will provide a bunch of new features to employers, allowing companies to monitor their employees activities more deeply.
The new mobile operating system would let the company’s IT administrators enforce home screen layouts on your work-issued iPhones as well as lock apps to your home screen so that you can not be moved to a different folder or a page.
The upcoming iOS 9.3 will also allow companies to hide or blacklist specific applications that it does not want their employees to download.
So in short, your favorite games like Candy Crush or Angry Birds that your organization does not wish you to play during work hours could be blocked.
If this is not enough, your company will now also be able to enforce notification settings so that you will not be able to ignore your employers notifications.
So next time if your company calls you to report in a short notice period, you just can not say you have not read the message, neither you can give excuses that you missed it somehow.
These are some pretty significant changes the upcoming iOS 9.3 will bring in employers perspective.
Interestingly, the upcoming iOS 9.3 operating system empowers the employees as well. Let’s talk about what features the OS will offer employees.
iPhone will Notify if Your Company is Tracking You
The iOS 9.3 version will tell employees whether their employers are monitoring their company-issued iPhones.
This warning will now be displayed in two places on the work-issued iPhones:
Your iPhone’s lock-screen will display "This iPhone is managed by your organization" near the bottom of the screen, hindering you to use your phone for personal choice apart from professional usage.
Additionally, If you’ll check the "About" menu in the Setting, it will reveal what all data had been supervised by your Employer.
Such notification was not available in the previous version of iOS. This is the first time Apple is allowing its users to check whether their organization is keeping tabs on them.
Surely employees will love this new feature in upcoming iOS 9.3, but the companies may hate this features as their stand will be exposed for tracking their employees.
These new features would mark its presence in the upcoming iOS 9.3 release on March 21, 2016.
Expert discovered how to hack any Facebook account
8.3.2016 Social Site Hacking
A security researcher has discovered a Facebook password reset vulnerability that allowed him to brute force into any FB account.
The security researcher Anand Prakash has discovered a password reset vulnerability affecting Facebook. The critical vulnerability could be exploited by attackers to hack into any FB account launching a brute force attack.
“This post is about a simple vulnerability found on Facebook which could have been used to hack into other user’s Facebook account easily without any user interaction. This gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.” wrote the researcher in a blog post.
The critical flaw resides in the way Facebook’s beta pages handle “Forgot Password” requests. When a user forgets the password, Facebook allows him to get back into your FB account through the ‘Forgot Password’ procedure. Facebook sends a 6 digit code on a user’s phone number or email address. After you enter this code in the window, you are able to access your FB account and reset your password.
The user then submits the code to access his FB account and reset the password.
Prakash tried to find security holes in the Facebook’s Forgot Password procedure. He tried to brute force the 6 digit code in the ‘Forgot Password’ window, he discovered that it is possible to make just 12 attempts before being locked out.
Prakash tried to perform the same operation on the Facebook beta pages, beta.facebook.com and mbasic.beta.facebook.com. He then discovered that there is no limit on the number of attempts for these two Facebook beta pages. The absence of a limitation, allowed the researcher to launch a brute force attack into any Facebook account.
The vulnerable request illustrated by the researcher is:
POST /recover/as/code/ HTTP/1.1 Host: beta.facebook.com
lsd=AVoywo13&n=XXXXX
Brute forcing the “n” successfully allowed Prakash to set a new password for any Facebook user.
Prakash reported the vulnerability to Facebook on February 22, 2016, the security team acknowledged the flaw and deployed a fix on February 23.
Facebook awarded Prakash a bug bounty of $15,000, below the Video PoC published by the expert:
First Mac OS X Ransomware Targets Apple Users
7.3.2016 Apple
Mac users, even you are not left untouched!
The World's first fully functional Ransomware targeting OS X operating system has been landed on Macs.
Ransomware – one of the fastest-growing cyber threats – encrypts the important documents and files on infected machines and then asks victims to pay ransoms in digital currencies so they can regain access to their data.
Though Ransomware has been targeting smartphones and Windows computers for a while, Mac OS X users haven't really had to worry about this threat… until now!
As security researchers from Palo Alto Networks claims to have discovered the very first known instance of OS X Ransomware in the wild, called "KeRanger" attacking Apple's Macintosh computers, firm's Threat Intelligence Director Ryan Olson told Reuters.
The KeRanger ransomware, which appeared on Friday, comes bundled into the popular Mac app Transmission, a free and open-source BitTorrent client for Mac with Millions of active users.
Must Read: How Just Opening an MS Word Doc Can Hijack Every File On Your System.
Here's How KeRanger Works
Once a victim installs the infected versions of the app, KeRanger malware embeds itself in the victim's machine and encrypts the hard drive – containing important documents, images and videos files, as well as email archives and databases – after three days.
The KeRanger malware then asks the victim to pay 1 Bitcoin (~ $410) as the ransom amount to allow him/her to decrypt the hard disk and regain access to their important files.
The malware imposes a 72-hour lockout window unless the payment is made.
Though it is still unclear how the hackers managed to compromise the app and upload the infected files, it is believed that the hackers managed to hack the Transmission website as the site was served via HTTP rather than HTTPS.
Also Read: CTB-Locker Ransomware Spreading Rapidly, Infects Thousands of Web Servers.
How to Protect yourself against KeRanger
The security researchers suggested users to check for the existence of the following files in their machines:
/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf
If any of the above-mentioned file exists, your Transmission app is likely infected with the new ransomware.
The malicious code also has a process name of "kernel_service", "kernel_pid", ".kernel_time" or ".kernel_complete," which can be killed, and stores its executable in the ~/Library directory. Delete these files if exist.
Upgrade to Version 2.91 of Transmission
Soon after, the Transmission developers released an updated version 2.92 of Transmission to ensure the ‘KeRanger’ malware files is actively removed.
So, if you had downloaded a vulnerable copy of Transmission from the web before the weekend, you must uninstall it now and upgrade to a clean 2.92 version of the software.
"Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file," Transmission posted this message in Red on its website.
Specifically, downloads of Transmission version 2.90 were infected with the nasty ransomware code that will encrypt your files after 3 days and demand a payment of $410 in Bitcoin to regain control.
However, it is worth noting that KeRanger has currently been detected only in the Transmission app for Mac. But, if the malware is widespread, it could affect other common Mac apps as well.
KeRanger, the new MAC OS X ransomware that hit Apple users on the weekend
7.3.2016 Apple Virus
Over the weekend Apple customers who were looking for the latest version of Transmission were infected by KeRanger MAC OS X ransomware.
Bad news for Apple customers, their systems were targeted for the first time over the weekend by a ransomware campaign. The experts at Palo Alto Networks Unit 42 who discovered the malicious campaign reported that Apple customers who were looking for the latest version of Transmission, a popular BitTorrent client, were infected with a new family of Ransomware that was specifically designed to target OS X installations.
“On March 4, we detected that the Transmission BitTorrent ailient installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” states the report published by Palo Alto Networks.
The researchers named this new Ransomware family KeRanger, they also released a technical analysis of the malware.
Ransomware attacks on MAC OS X systems is a novelty, in the past the unique malware with similar characteristics was FileCoder, a malicious code detected by Kaspersky Lab in 2014.
“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.” continues the post.
According to the report, users who have directly downloaded Transmission installer from the official website in a specific time interval may be been infected by KeRanger MAC OS X ransomware.
“Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger.”
The Transmission project promptly removed the malicious installers on Saturday (March 5) and it is urging its users to update to the latest version (2.92).
The experts discovered that the malware was embedded within the Transmission DMG file itself, but this was not enough to install the malware. The author of KeRanger also signed the installer with a valid code-signing certificate, issued to Polisan Boya Sanayi ve Ticaret A.ª., a holding company in Istanbul, to bypass security measured implemented by the Apple’s Gatekeeper.
The experts noticed that authors have used hidden services to masquerade the command and control infrastructure, once infected a machine the KeRanger MAC OS ransomware will wait three days before contacting a Command & Control server. Below the list of services in the Tor network used in the by the ransomware.
lclebb6kvohlkcml.onion[.]link
lclebb6kvohlkcml.onion[.]nu
bmacyzmea723xyaz.onion[.]link
bmacyzmea723xyaz.onion[.]nu
nejdtkok7oz5kjoc.onion[.]link
nejdtkok7oz5kjoc.onion[.]nu
Once the ransomware has contacted the server it starts encrypting documents having more than 300 different extensions:
Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
Images: .jpg, .jpeg,
Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
Archives: .zip, .rar., .tar, .gzip
Source code: .cpp, .asp, .csh, .class, .java, .lua
Database: .db, .sql
Email: .eml
Certificate: .pem
It is interesting to note that the ransomware is not able to start the encrypting process without making the initial contact to C&C servers.
When the files are encrypted, the KeRanger MAC OS ransomware demands $400.00 USD to the victims
The researchers suspect that the KeRanger MAC OS ransomware is still under development, in fact, they noticed the malware doesn’t encrypt Time Machine backup files, but the analysis of the code revealed that the is code to perform this action is already present in the malware, but it is still not active.
“Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”
To mitigate the infections, the digital certificate used to sign the code has been already revoked. Apple added the installers to the Gatekeeper blacklist and also updated XProtect signatures to include the new KeRanger Ransomware family.
RIP Ray Tomlinson, The Creator of Email, Dies at 74
7.3.2016 IT
A computing legend who 'changed the way the world communicates' has died.
RAY TOMLINSON, the man who invented email as we know it today and picked the @ symbol for email addresses, passed away at the age of 75 following an apparent heart attack Saturday morning, according to reports.
Hard to believe but 'the godfather of email' has passed away.
His death was confirmed by Mike Doble, director of corporate PR at Tomlinson's employer Raytheon.
"A true technology pioneer, Ray was the man who brought us the email in the early days of networked computers," Doble said in a statement confirming Tomlinson's death.
The Internet reacted with sadness over the death of Tomlinson, who became a legend for his invention in 1971 of a system that allowed a user on one network to send a message to other computer users on other networks.
"Thank you, Ray Tomlinson, for inventing email and putting the @ sign on the map. #RIP," Gmail tweeted yesterday.
Tomlinson Introduced @ in Email Address
At the time of his invention, Tomlinson was working on ARPANET – predecessor of the modern Internet – at research and design company Bolt Beranek and Newman (now BBN Technologies).
Tomlinson used @ symbol in the email address in order to separate the username from the host name.
By the 1990s email had become a pillar of the Internet and Tomlinson was inducted into the Internet Hall of Fame in 2012, though he could not say what the very first email sent back in 1971 actually said.
Tomlinson said in an interview with the New York Times in 2009 that the email was just random strings of text, saying:
"I sent a number of test messages to myself from one machine to the other. The test messages were entirely forgettable and, therefore, forgotten."
Thanks to Tomlinson's invention that powers over a Billion and a half users communicating across the traditional barriers of time and space. #RIPRayTomlinson
Operation Transparent Tribe targets Indian diplomats and military
7.3.2016 Safety
ProofPoint uncovered a new cyber espionage campaign dubbed Operation Transparent Tribe targeting Indian diplomatic and military entities.
A new cyber espionage campaign dubbed Operation Transparent Tribe is targeting diplomats and military personnel in India. The researchers at Proofpoint who have uncovered the hacking campaign confirmed that threat actors used a number of hacking techniques to hit the victims, including phishing and watering hole attacks, and drop a Remote Access Trojan (RAT) dubbed MSIL/Crimson.
The MSIL/Crimson RAT used in the cyber espionage operation implements a variety of data exfiltration functions, including the ability to control the laptop cameras, take screen captures and keylogging.
The researchers discovered the campaign on February 11, 2016, when they noticed two live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan.
Proofpoint discovered that IP addresses involved in the attacks are in Pakistan, the attacks appear sophisticated and are part of a wider operation that relies on a network of watering hole websites and multiple phishing email campaigns.
The nature of the target and the methods used by attackers suggest the involvement of a nation-state attacker as explained by Kevin Epstein, VP of threat operations center at Proofpoint.
“This is a multi-year and multi-vector campaign clearly tied to state-sponsored espionage,” Epstein told to ThreatPost. “In the world of crimeware, you rarely see this type of complexity. A nation-state using multiple vectors, that’s significant.”
State-sponsored hacking is becoming a privileged option for governments that target other states mainly for cyber espionage with the intent of gathering intelligence on political issues.
The campaign discovered by ProofPoint required a significant effort of the APT group that set up multiple websites used to serve the MSIL/Crimson RAT.
In one case, the ATP behind the Operation Transparent Tribe used malicious email to spread weaponized RTF documents exploiting the CVE-2012-0158 Microsoft ActiveX vulnerability that dropped the malware on the target’s machine.
MSIL/Crimson is a multi-stage malware, after infected the machine in the first stage, it downloads more fully featured remote access Trojan component.
The attackers also used rogue blogs news websites with an Indian emphasis to serve the dangerous RAT.
Enjoy the Operation Transparent Tribe report.
Which are principal cybercriminal ecosystems in the Deep Web?
7.3.2016 Crime
TrendMicro published an interesting analysis of the principal cyber criminal underground communities in the Deep Web worldwide.
A new interesting report published by the experts at TrendMicro highlights the differences between the principal underground ecosystems worldwide.
Thinking of a unique “global” underground ecosystem is an error, every community has its own characteristics, the criminal crews that compose it are specialized in the provisioning of specific product and services.
The researchers who analyzed illegal activities in the Deep Web have identified at least six different cybercriminal ecosystems operating in Russia, Japan, China, Germany, in the United States and Canada (North America), and Brazil.
“Each country’s market is as distinct as its culture. The Russian underground, for instance, can be likened to a well-functioning assembly line where each player has a role to play. It acts as the German market’s “big brother” as well in that it greatly influences how the latter works. The Chinese market, meanwhile, boasts of robust tool and hardware development, acting as a prototype hub for cybercriminal wannabes. Brazil is more focused on banking Trojans while Japan tends to be deliberately exclusive to members.” states the report.
The last report published by TrendMicro explains the differences, revealing the peculiarity of the offer in each ecosystem.
“Cybercriminals from every corner of the world take advantage of the anonymity of the Web, particularly the Deep Web, to hide from the authorities. Infrastructure and skill differences affect how far into the Deep Web each underground market has gone. Chinese cybercriminals, for instance, do not rely on the Deep Web as much as their German and North American counterparts do. This could, however, be due to the fact that the “great firewall” of China prevents its citizens (even the tech-savviest of its cybercrooks) from accessing the Deep Web. The fact that Germany and North America more strictly implement cybercrime laws may have something to do with their greater reliance on the Deep Web, too.”
The Russian underground is defined “a well-functioning assembly line,” it is an ecosystem crowded by professional sellers that competing each other by providing goods in the shortest amount of time and most efficient manner possible. Marketplaces like fe-ccshop.su and Rescator that offer products and services for credit card frauds are very popular in the criminal underground worldwide.
These markets offer escrowing services or “garants,” that make them an important aggregator for the criminal demand, offering them a privileged environment where operate anonymously.
The Japanese underground is characterized by members only bulletin board systems, the criminals make large use of special jargon to evade the authorities. This market is characterized by the attitude in accepting more unusual kinds of payment, including gift cards and forum points instead of bitcoins or cash paid via money transfer.
The Chinese underground is focused on the provisioning of hardware several illegal activities rapidly responding to the cybercriminal demand.
“The Chinese underground is a teeming hub of prototypes. It not only sells the usual array of software and services found in its counterparts, but also hardware. It adapts the fastest to the latest in cybercrime trends and leads the way in terms of cybercriminal innovation. And true to its adaptive nature, it now boasts of uncommon offerings like leaked-data search engine privacy protection services that can only be dubbed “made in China.” states the report.
The North American underground is considered the most open to novices, it is visible to both cybercriminals and law enforcement, meanwhile the Canadian underground is focused on the sale of fake/stolen documents and credentials (fake driver’s licenses and passports, stolen credit card and other banking information, and credit “fullz” or complete dumps of personal information).
Germany’s underground is a subsidiary of the Russian one, the market heavy rely on DarkNets, the most popular forums use mirrors on the Tor Network. Deep Web.
Let’s close with the Brazilian underground, which is characterized by the presence of youngsters with no regard for the law. They use the Surface Web, exploiting popular social media for their activities.
The key findings of the study highlights:
The Japanese underground is the only market that does not focus on traditional crimeware. This underground scene caters more to the taboo.
The German underground takes cues from the Russian market.
The Chinese underground serves as a hotbed for crimeware (particularly hardware) prototypes.
For more details on the criminal ecosystem in the Deep Web give a look to the report “Cybercrime and the Deep Web”
SIM swap fraud cases force bank to improve security
6.3.2016 Mobil
Two major high street banks will change security procedures after journalists demonstrated how to carry out SIM swap fraud attacks.
The BBC reported that two major high street banks will adopt new security measures to protect their customers. The decision to modify the security procedures follows the scoop made by two journalists from BBC Radio 4’s You and Yours programme that broke into an account online and removed money.
Cybercriminals are increasingly targeting bank customers with different techniques, one of them is known as ‘SIM swap fraud.’
A SIM swap fraud is a type of fraud that overwhelms the additional security measures introduced by banks to protect customer transactions. Basically cyber criminals are able to transfer cash from a victim’s account by accessing one-time pin codes and SMS notifications.
Criminal organizations obtain a customer’s bank details by launching a phishing campaign, or by purchasing them in the underground market.
At this point, the criminals open a parallel business account with the same victim’s bank, in the customer’s name. This is possible because the procedure involves fewer security checks when the victim is already a customer.
The criminals use answers to security questions obtained from the analysis of the victim’s social media accounts, to contact the victim’s mobile phone provider, posing as the customer, to report that their mobile device is lost or damaged.
They demonstrate their identity, answering basic security questions, this causes the cancellation of the old SIM and the activation of new one. From then the criminals can operate with the victim’s mobile account, intercepting or initiating calls, texts and authorizations that could allow them to transfer cash.
The cybercriminals can also request that security settings are changed to lock out the victim from the account.
Recently bank customers’ accounts have been successfully hacked with the SIM swap fraud technique, several victims reported the crimes to the You and Yours programme.
“You and Yours has been contacted by dozens of people affected by the scam. All say they have never revealed their security details to anyone, and the that first they knew something was wrong was their mobile phone going dead.” reported the BBC.
You and Yours producer Natalie Ms Donovan is a customer of the NatWest and decided to investigate on the SIM swap fraud cases.
SIM swap fraud natwest bank
She used her bank account as an experiment and her colleague Shari Vahl was able to break into her account without having specific information such as the banking customer number, PIN or any passwords.
“I did not know her mother’s maiden name, her pet’s name or her first school, and yet I was still able to change her PIN and password to lock her out of her own account.” continues Shari Vahl
In the experiment, the attacker only transferred £1.50 to his bank account by controlling the of Natalie Donovan ‘s mobile phone.
The journalists reported the issue to the NatWest, owned by Royal Bank of Scotland. Representatives from the Royal Bank of Scotland confirmed that that the systems for both banks would be changed as a direct result of the You and Yours investigation.
“This is a cross-industry problem, particularly with us, and the telecom companies. We working with Financial Fraud Action UK to make sure we’re communicating with each other … to make sure mobile phone security is as strong as it possibly can be.” said Chris Popple, managing director of NatWest Digital.
New exploit steals secret cryptographic keys from mobile devices
5.3.2016 Mobil
A group of security researchers has devised a new attack scheme to steal cryptographic keys from both Android and iOS devices.
A team of security researchers from Tel Aviv University, Technion and The University of Adelaide has elaborated a new attack scheme to steal cryptographic keys from both Android and iOS devices.
Last month, the same team has demonstrated hot to steal sensitive information from targeted air-gapped systems, in June 2015, the group demonstrated that encryption keys can accidentally leak from a PC via radio waves by using a cheap consumer-grade kit.
This new attack allows the researchers to steal any kind of cryptographic keys including Bitcoin wallets and Apple Pay accounts.
“An attacker can non-invasively measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone’s USB cable, and a USB sound card. Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices.” states a blog post published by the experts. “We also showed partial key leakage from OpenSSL running on Android and from iOS’s CommonCrypto.”
The researchers explained that their hacking technique is a non-invasive Side-Channel Attack. The attackers are able to extract the crypto key from a targeted device by analyzing the pattern of memory utilization or the electromagnetic outputs that are emitted during the decryption process.
The exploit devised by the researchers works against the Elliptic Curve Digital Signature Algorithm (ECDSA) used in the majority of applications based on cryptographic algorithms, including Bitcoin wallets and Apple Pay.
The researchers used a $2 magnetic probe placed near an iPhone 4 while the mobile devices were performing cryptographic operations in order to measure enough electromagnetic emanations and extract the secret cryptographic keys used by many different applications.
Another possible attack scenario sees a home-made USB pass-through adapter connected to the USB cable of the smartphone and a USB sound card to capture the signal.
Obviously, the attacker needs a physical access to the device to place a probe or cable in proximity, the attack also needs the targeted device will perform enough crypto operations to measure a few thousand of ECDSA signatures.
The team also successfully tested the attack on a Sony-Ericsson Xperia X10 Phone running Android.
“OpenSSL’s ECDSA running on Android phones is also vulnerable to our attacks. For example, here is a Sony Xperia 10s being measured, with our lab-grade measurement equipment:”
The group of researchers also cited a study conducted by another team of security experts that devised a similar Side-Channel attack exploiting a flaw in the Android version of the BouncyCastle crypto library. In this attack scenario, an attacker could analyze electromagnetic emissions to extract cryptographic keys.
All the iOS versions from 7.1.2 to 8.3 are vulnerable to the side-channel attack, only exception is the last iOS 9.x version that implements security countermeasures against side-channel attacks.
The experts highlighted that hackers can exploit vulnerabilities affecting mobile applications running on mobile devices. The researchers demonstrated how to hack the iOS app CoreBitcoin that is used to protect Bitcoin wallets on Apple mobile devices.
If you want more details give a look to the paper published by the researchers.
How to Steal Secret Encryption Keys from Android and iOS SmartPhones
4.3.2016 Android iOS
Unlike desktops, your mobile devices carry all sorts of information from your personal emails to your sensitive financial details. And due to this, the hackers have shifted their interest to the mobile platform.
Every week new exploits are discovered for iOS and Android platform, most of the times separately, but the recently discovered exploit targets both Android as well as iOS devices.
A team of security researchers from Tel Aviv University, Technion and The University of Adelaide has devised an attack to steal cryptographic keys used to protect Bitcoin wallets, Apple Pay accounts, and other highly sensitive services from Android and iOS devices.
The team is the same group of researchers who had experimented a number of different hacks to extract data from computers. Last month, the team demonstrated how to steal sensitive data from a target air-gapped computer located in another room.
Past years, the team also demonstrated how to extract secret decryption keys from computers using just a radio receiver and a piece of pita bread, and how to extract the cryptographic key just by solely touching the chassis of the computer.
Side-Channel Attacks
According to the researchers, the recent exploit is a non-invasive Side-Channel Attack: Attack that extracts the secret crypto key from a system by analyzing the pattern of memory utilization or the electromagnetic outputs of the device that are emitted during the decryption process.
The exploit works against the Elliptic Curve Digital Signature Algorithm (ECDSA), a standard digital signature algorithm that is most widely used in many applications like Bitcoin wallets and Apple Pay and is faster than several other cryptosystems.
How to Steal Secret Encryption Keys?
how-to-hack-android-story
During the experimental hack, the researchers placed a $2 magnetic probe near an iPhone 4 when the phone was performing cryptographic operations.
While performing cryptographic operations, the security researchers measured enough electromagnetic emanations and were able to fully extract the secret key used to authenticate the end user's sensitive data and financial transactions.
The same hack can be performed using an improvised USB adapter connected to the phone's USB cable, and a USB sound card to capture the signal.
"Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices," the researchers wrote in a blog post published Wednesday. "We also showed partial key leakage from OpenSSL running on Android and from iOS's CommonCrypto."
The researchers also experimented their exploit on a Sony-Ericsson Xperia X10 Phone running Android and said they believe such an attack is feasible.
The security researchers also cited a recent independent research by a separate team of security researchers that discovered a similar Side-Channel flaw in Android's version of the BouncyCastle crypto library, making the device vulnerable to intrusive electromagnetic key extraction attacks.
Currently, the hack requires an attacker to have physical control of, or, at least, a probe or cable in proximity to, a vulnerable mobile device as long as it performed enough tasks to measure a few thousand of ECDSA signatures.
Affected Devices
Older iOS versions 7.1.2 through 8.3 are vulnerable to the side-channel attack. The current iOS 9.x version includes defenses against side-channel attacks, so are unaffected.
However, nothing can save iPhone and iPad users even running current iOS versions if they are using vulnerable apps. One such vulnerable iOS app is CoreBitcoin that is used to protect Bitcoin wallets on iPhones and iPads.
Developers of CoreBitcoin told the security researchers that they are planning to replace their current crypto library with one that is not susceptible to the key extraction attack. Meanwhile, the recent version of Bitcoin Core is not vulnerable.
Both OpenSSL versions 1.0.x and 1.1.x are vulnerable except when compiled for x86-64 processors with the non-default option enabled or when running a special option available for ARM CPUs.
The team has already reported the vulnerability to the maintainers of OpenSSL, who said that hardware side-channel attacks are not a part of their threat model.
For in-depth technical details, you can read the full research paper [PDF].
Real pirates used hacking techniques to raid a shipping company
4.3.2016 Hacking
Real pirates have hacked into a shipping company to locate valuable cargo before hijacking vessels in targeted attacks. Technology meets Piracy.
The technology is enlarging our surface of attack in a dramatic way, every company in every industry is potentially a target. Let’s discuss today of a singular case that demonstrates it, pirates have hacked into a shipping company to locate valuable cargo before hijacking vessels in targeted attacks.
The criminal organisation breached the content management system (CMS) of the unnamed shipping company to determinate the exact position of containers having the most valuable cargo.
This is a considerable advantage for the traditional piracy, in the past criminals had patrol boats using scanners to locate the precious commodities. By obtaining the location of the valuable cargo, it makes easier and faster hijacking the vessels.
The case was also reported in the Verizon’s Data Breach Digest addendum report.
“However, in recent months, the pirates had changed their tactics somewhat, and in a manner that the victim found extremely disconcerting. Rather than spending days holding boats and their crew hostage while they rummaged through the cargo, these pirates began to attack shipping vessels in an extremely targeted and timely fashion. Specifically, they would board a shipping vessel, force the crew into one area and within a short amount of time they would depart. When crews eventually left their safe rooms hours later, it was to find that the pirates had headed straight for certain cargo containers. It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved. They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate—and that crate only—and then depart the vessel without further incident. Fast, clean and easy.” states the report.
In the specific case, the hackers made a number of OPSEC mistakes that exposed their identity to the investigators, for example, they failed to protect the traffic to the compromised server.
HMAS Melbourne's boarding party intercepts a suspected pirate boat. *** Local Caption *** Royal Australian Navy ship, HMAS Melbourne operating off the coast of Somalia, intercepted suspected pirates as part of a Combined Task Force 151 tasking for Combined Maritime Forces on 15 October 2013.
“One of the first mistakes made by the threat actors was failing to enable SSL on the web shell. As such, all the commands were sent over the internet in plain text. This allowed us to write code to extract these commands from the full packet capture (FPC) data. We were ultimately able to recover every command the threat actors issued, which painted a very clear picture. These threat actors, while given points for creativity, were clearly not highly skilled. For instance, we found numerous mistyped commands and observed that the threat actors constantly struggled to interact with the compromised servers.” continues the report.
The shipping company, once discovered the cyber attacks, secured its servers and improved the operational security of its systems.
Piracy is a very widespread phenomenon in some areas of the world, the use of technology can definitely make the most complex activities of prevention and contrast.
There are numerous cases related to the collaboration between ordinary crime and hacking crews, I remember an episode occurred in 2013 when an investigation of a cyber-attack on the Belgian port of Antwerp allowed law enforcement to discover that drug traffickers recruited hackers to hack IT systems that controlled the movement and location of the containers.
“Police carried out a series of raids in Belgium and Holland earlier this year, seizing computer-hacking equipment as well as large quantities of cocaine and heroin, guns and a suitcase full of cash. Fifteen people are currently awaiting trial in the two countries. Mr Wainwright says the alleged plot demonstrates how the internet is being used as a “freelance marketplace” in which drug trafficking groups recruit hackers to help them carry out cyber-attacks “to order”. “[The case] is an example of how organized crime is becoming more enterprising, especially online,” he says.
The Europol official confirmed that organized crime groups were paying for hackers involved in criminal activities. The profitable collaboration started at least in 2011, Dutch-based trafficking group hid cocaine and heroin among legitimate cargoes, including timber and bananas shipped in containers from South America. The role of hackers based in Belgium was to infiltrate computer networks in at least two companies operating in the port of Antwerp to access secure data giving them the location and security details of containers.
Subgraph OS — Secure Linux Operating System for Non-Technical Users
4.3.2016 Security
Information security and privacy are consistently hot topics after Edward Snowden revelations of NSA's global surveillance that brought the world's attention towards data protection and encryption as never before.
Moreover, just days after Windows 10's successful launch last summer, we saw various default settings in the Microsoft's newest OS that compromise users' privacy, making a large number of geeks, as well as regular users, migrate to Linux.
However, the problem is that majority of users are not friendly to the Linux environment. They don't know how to configure their machine with right privacy and security settings, which makes them still open to hacking and surveillance.
However, this gaping hole can be filled with a Debian-based Security-focused Linux operating system called Subgraph OS: A key solution to your Privacy Fear.
Subgraph OS is a feather weighted Linux flavor that aims to combat hacking attacks easier, even on fairly low-powered computers and laptops.
Subgraph OS comes with all the privacy and security options auto-configured, eliminating the user's manual configuration.
Security-focused operating systems do exist, but they are often very resource intensive and can be run only on specific hardware. They are also a real technical challenge for users who don't know the advanced techniques required to get a secure operating system running.
Why Should You Install Subgraph Linux OS?
Subgraph OS — Secure Linux Operating System for Non-Technical Users
Subgraph OS offers more than just kernel security. The Linux-based operating system comes with a slew of security and privacy features that its developers believe will be more accessible to non-technical users.
The OS also includes several applications and components that reduce the user's attack surface. Let's have a close look on important features Subgraph OS provides.
1. Automated Enhanced Protection with Application Sandboxing using Containers
A security feature called Oz is possibly the most interesting feature of Subgraph OS. Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected.
'Oz' makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.
2. Mandatory Full Disk Encryption (FDE)
Subgraph OS offers Full Disk Encryption by default; thus making it a mandatory step for its users to cling on to the security.
Full disk encryption enables a shadow of encryption to protect your hard disks, preventing your data even if your hard drive got misplaced or fell into the wrong hands.
Additionally, Subgraph OS also wipe off the memory when the system is shutdown in an effort to defend the Cold Boot Attacks.
Cold Boot Attacks are a type of side channel attacks that take the advantage of data that resides in the DRAM and SRAM cells for few seconds soon after Power OFF.
3. Online Anonymity — Everything through Tor
secure-operating-system
Subgraph OS routes all your traffic through the TOR anonymity network by default, making it difficult for attackers to figure out the actual physical location of their targets. This would ensure the endpoint security.
Also More: Is This Security-Focused Linux Kernel Really UnHackable?
4. Advanced Proxy Setting
Secure Linux Operating System
Application's transmission to the outside world is carried out via Metaproxy application, which would facilitate to identify the legitimate connections.
Since every application does not come preconfigured to communicate through TOR, Metaproxy relays outgoing connections via TOR without having to configure proxy settings for each application.
5. System and Kernel Security
Subgraph OS is also hardened by Grsecurity – a set of patches that are designed to make Linux kernel's security vulnerabilities like memory corruption flaws far more difficult to exploit.
Support of 'PaX' would be an extra topping of security that aid with least privilege protection for memory pages. This would make security vulnerabilities such as buffer overflow and memory corruption flaws in applications and the operating system kernel difficult to exploit.
6. Secure Mail Services
Secure Mail Services
As everything is concerned, Subgraph OS includes Subgraph Mail that integrates OpenPGP to let users send and receive encrypted/signed messages using PGP/MIME.
Subgraph Mail service is designed in such a way that makes PGP key management and sending/receiving of encrypted email easy for everybody.
Subgraph Mail is also secure – Unlike Data security, authentication and integrity verification are implemented in such a way that even if some parts of the application are compromised, a hacker still would not have access to the rest of your emails or encryption keys.
Additionally, there is no need to execute commands in a terminal window or install plug-ins. Web browser support is deliberately left out of the mail client to eliminate Web exploits from within mail.
7. Package Integrity
Subgraph OS also provides an alternative way to trust the downloaded packages. The packages are to be matched against the binaries present in the operating system's distributed package list, thus becoming a finalizer.
Recently Backdoored Linux Mint hacking incident is an example to this.
Thus, Subgraph OS eliminates the usage of any tampered or malicious downloaded packages.
Comparison Between Subgraph OS and Qubes OS
most-secure-operating-system
Subgraph OS has some similarities to Qubes OS – Another Linux-based security-oriented operating system for PCs.
Unlike Subgraph OS that isolates individual applications on a more granular level, Qubes OS typically runs different isolated domains inside different virtual machines – one for your work, one for your personal use and more.
Subgraph OS doesn't isolate networking and USB stacks or other devices and drivers, but Qubes OS does.
Also, Subgraph OS uses Xpra for GUI virtualization, which is less secure than Qubes GUI protocol, but has some usability advantages like seamless working clipboard.
Subgraph makes use of Netfilter hooks to redirect app-generated traffic into TOR network and to allow the user to see and control app-generated traffic, but Qubes OS uses separate service Virtual Machines (Proxy VMs like TorVM) to intercept traffic.
As the list goes on... Subgraph would be a treasure for the privacy lovers.
How to Download Subgraph Os?
Subgraph Os will be available for download via its offical website. Let's wait for the operating system to get unveiled in Logan CIJ Symposium conference in Berlin on March 11-12 to experience the Cyber Isolation!!!
Take note, next week update Adobe Reader and Acrobat to fix critical flaws
4.3.2016 Vulnerebility
Adobe announced that it will release security updates next week to patch vulnerabilities in Acrobat and Reader products for Windows and Mac.
Adobe has announced yesterday, March 8, that it will release security updates next week to patch vulnerabilities in Acrobat and Reader products for Windows and Mac.
We are speaking about critical vulnerabilities that fortunately are currently not exploited in the wild, for this reason, the security team at Adobe has assigned a priority rating “2” to the vulnerabilities explaining that it’s unlikely that they will be abused by malicious actors in the near future.
Adobe has issued a prenotification advisory to explain which product versions are affected by the security vulnerabilities and anticipating the imminent release of security patches.
“Adobe is planning to release security updates on Tuesday, March 8, 2016 for Adobe Acrobat and Reader for Windows and Macintosh.” states the advisory “Users may monitor the latest information on the Adobe Product Security Incident Response Team (PSIRT) blog at https://blogs.adobe.com/psirt.”
In the following table are reported the affected versions and the priority rate assigned by Adobe:
Adobe Acrobat and Reader are among the software most targeted by hackers in numerous attacks in the wild, the company is spending a significant effort in promptly fixing any reported security hole.
In January, Adobe released Acrobat and Reader updates to fix a total of 17 flaws, including use-after-free vulnerabilities (CVE-2016-0932, CVE-2016-0934, CVE-2016-0937, CVE-2016-0940, CVE-2016-0941), a double-free flaw (CVE-2016-0935) that could lead to code execution, and several memory corruption vulnerabilities that can be exploited for arbitrary code execution (CVE-2016-0931, CVE-2016-0933, CVE-2016-0936, CVE-2016-0938, CVE-2016-0939, CVE-2016-0942, CVE-2016-0944, CVE-2016-0945, CVE-2016-0946).
Users are invited to update their software as soon as the security patches become available.
According to data provided by the CVE Details Adobe software are among the software with the highest number of vulnerabilities in 2015.
The data were provided by CVE Details, which manages data coming from the National Vulnerability Database (NVD). Common Vulnerabilities and Exposures (CVE) system tracks publicly disclosed security vulnerabilities.
The software with the major number of vulnerabilities is the Apple Mac OS X, that accounted for 384 vulnerabilities, followed by Apple iOS with 375 vulnerabilities. The Adobe Flash Player is just at third place with 314 vulnerabilities, followed by Adobe AIR SDK, with 246 vulnerabilities and Adobe AIR itself, also with 246 vulnerabilities.
Last year, Adobe patched a total of 460 vulnerabilities, including more than 100 in Acrobat and Reader.
A day attack with DDoS booter cost $60 and can cause $720k in damage
4.3.2016 Computer Attack
According to a study conducted by the experts at Arbor’s ASERT Team a day attack with a DDoS booter cost $60 and can cause $720k in damage.
We have discussed several times about the concept of cybercrime-as-a-service, today I’ll show you a case related the offer for rent of distributed-denial-of-service (DDoS) attacks for less than US$60 per day.
According to Dennis Schwarz, Research Analyst on Arbor’s ASERT Team, a DDoS attack that costs US$60 per day could inflict as much as US$720,000 in damage to the victim organisation. Technically, these services are called booter or stresser services and could be sold as would-be legitimate tools for security professionals that need to test the resilience of their infrastructure to cyber attacks or their capacity to support a high-volume of traffic.
The problem is that criminal organisations are abusing booters for illegal DDoS attacks, one of the most popular examples is the one used by the LizardSquad hacking crew, the LizardStresser.
The popular security expert Brian Krebs and a research team discovered that the Lizard Stresser DDoS tool relies on compromised Home Routers, this is very common for such kind of illegal services.Schwarz examined one
Schwarz examined one booter service sold in the Russian underground a user with the pseudonym of Forceful. The researcher has compared the cost to rent per day with the average damage suffered by the victims.
Schwarz noticed numerous advertisements for a DDoS booter service on one of the many public Russian language forums, one of them was published by a bad actor known as “Forceful” who operated one of these services. Searching for ICQ number and/or Jabber address the experts discovered a number of advertisements starting from November 2014.
The ads typically contain:
A fancy logo, banner, or motto
Short explanation of what DDoS is
Type of DDoS attacks they support
Pricing
Reputation information
Contact details
Forceful charges $60 a day to rent the booter, meanwhile the cost on an entire week is $400, and anyway it offers a 10-minute test sessions to its clients.
“In this marketplace, it almost always starts with an advertisement for a DDoS booter service on one of the many public Russian language forums,” Schwarz says.
Thanks to a series of OPSEC mistakes made by Forceful, Schwarz and his team were able to identify the malware used by the threat actor and the structure of botnet he uses.
According to the Arbor Worldwide Infrastructure Security Report the average suffered by victims of the attack is US$500 per minute. The cost is attributable to downtime of the targeted infrastructure, reputational damage, and the price of remediation.
According to the data elaborated by the experts, a booter attack could cause US$7.2 million in damages a day, costs that could be drastically reduced by the adoption of DDoS defense solutions.
Schwarz highlighted the extreme asymmetry of the economics of DDoS attackers and urged organizations in adopting defensive solutions.
“As we see in Arbor’s most recent Worldwide Infrastructure Security Report (WISR), the average cost to the victim of a DDoS attack is around $500 per minute. And as we’ve seen above, the mean cost to the attacker is only $66 per attack. This finding highlights both the extreme asymmetry of the economics of DDoS attackers vs. those of the victims of DDoS attacks, as well as the importance of robust DDoS defenses to all organizations which depend upon their online presence for revenue, customer support, and other important business functions. The cost to launch a DDoS attack is so low that the barrier to entry for attackers is practically nil – and that means that *any* organization can potentially be the target of a DDoS attack, since the investment required to launch an attack is so low.”
According to Arbor Network’s BladeRunner, from July to October the Forceful’s booter bot was rented for 82 attacks equaling $5,408.
Amazon used as bait
4.3.2016 Zdroj: Kaspersky Safety
In recent weeks, we have seen several mass-mailings in French, Italian and English, imitating messages from Amazon’s online shops. In all the mailings, the recipients were offered a voucher, a gift certificate or some other prize.
The enticing offers were mostly sent from Italy or France. However, the email addresses from which they were sent immediately raised suspicions: the culprits didn’t even try to imitate Amazon’s official email addresses, and merely used Amazon in the sender’s name.
Each message contains links that supposedly lead to the Amazon website. The recipients have to click the links to claim their “prize”. Analysis of the links shows that users from different countries are redirected to different web pages. For instance, users with a European IP address are asked to fill in a form in English, and are offered the chance to enter a draw for an iPhone 6S as a reward.
The winner is promised a new smartphone for just 1 euro, but first has to enter their bank card details on the video streaming site myflixhd[.]com.
The website offers a 5-day trial period, but requires the user’s bank card details, and then deducts a subscription fee of 50 euros per month if the user fails to cancel the subscription on time.
Naturally, Amazon has nothing to do with this “draw” or any other similar scams, and the chances of winning an iPhone 6S are very slim, to say the least. There is a good chance, however, that the bank card details entered on this advertising web page will be used by third parties for their own ends.
US starts cyber operations against the ISIL in Mosul
4.3.2016 Hacking
Senior Pentagon officials on Monday revealed the military’s first use of cyber warfare operations against the ISIL terrorist group.
The US military has started launching cyber attacks against members of the terrorist organization ISIS as part of the operation conducted to take back the Iraqi city of Mosul.
The US military is using cyber tools to contrast the ISIS troops in the area, interfering members’ operation and communication.
“By encircling and taking this town, we are also working to sever the last major artery between Raqqa and Mosul, an operation critical to dissecting ISIL’s parent tumor into two parts in Iraq and Syria. At the same time, we’re bombing ISIL’s banks as well as oil wells they’ve taken over or coerced others into operating on their behalf. We’re also using cyber tools to disrupt ISIL’s ability to operate and communicate over the virtual battlefield.” announced the Defense Secretary Ash Carter at a Monday Pentagon press briefing. that U.S. forces are using cyber tools to disrupt ISIS’s ability to operate and communicate over the virtual battlefield.
According to Carter, the goal of the cyber operations is the disruption of the ISIL‘s command and control, particularly in Syria.
” I think you’re referring to our use of cyber which we have talked about generally. In the counter-ISIL campaign in — particularly in Syria to interrupt, disrupt ISIL’s command and control, to cause them to lose confidence in their networks, to overload their network so that they can’t function, and do all of these things that will interrupt their ability to command and control forces there, control the population and the economy.” added Carter.
“So this is something that’s new in this war, not something you would’ve seen back in the Gulf War, but it’s an important new capability and it is an important use of our Cyber Command and the reason that Cyber Command was established in the first place.”
The US Government has already started the cyber operations that the US Cyber Command is carrying out.
“we’re trying to both physically and virtually isolate ISIL, limit their ability to conduct command and control, limit their ability to communicate with each other, limit their ability to conduct operations locally and tactically.” said Joint Chiefs Chairman General Joseph Dunford.
“And frankly, they’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age.”
Which are most used passwords in opportunistic criminal attacks?
4.3.2016 Computer Attack
Which are the usernames and passwords used by hackers when they scan the internet indiscriminately? Give a look to the Rapid7′ report
Recently the firm Splashdata revealed in its annual report on the worst 2015 passwords (“123456” and “password”), today I desire to present you a new interesting study on passwords conducted by Rapid7.
The experts used Heisenberg, a network of low-interaction honeypots that took note of the most common passwords used the hackers in targeting Internet-exposed systems.
The research conducted by Rapid7 has focused on the brute force attacks that tried to guess Remote Desktop Protocol (RDP) credentials for control home, point-of-sale (PoS), and kiosk systems.
“Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker’s point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system. ” states the report published by Rapid7.
The experts analyzed more than 221,000 attacks from 119 different countries observed between March 2015 and February 2016. 40 percent of the attacks came from China, followed by the United States with 25 percent of attempts, South Korea with 6 percent, the Netherlands with 5 percent and Vietnam with 3 percent.
The most common usernames attempted by hackerd were “administrator” and “Administrator,” (60%), other usernames are “user1,” “admin,” “alex,” “pos,” “demo,” “db2admin,” “Admin” and “sql.”
The most common passwords “x” (5,36 %), “Zz” (4,79%) and “St@rt123” (3,62%).
“Truly, the surprising detail to be uncovered here is just how weak these passwords are. One or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security.” continues the report.
The experts used Dropbox’s Zxcvbn application for measuring password complexity, determining that less than 9 percent of the passwords used by hackers got the highest score, meanwhile 14.3 percent scored “3.”
“Zxcvbn is hosted on a GitHub repository and was released by Dropbox with a permissive open source license. Rapid7 data scientists and software engineers absolutely love well-cared-for open source projects, so we have adopted zxcvbn as a means to measure the complexity of Heisenberg-collected passwords. By running our collected passwords through zxcvbn, we can approximate “complexity” with zxcvbn’s crackability score.”
First step in cross-platform Trojan bankers from Brazil done
3.3.2016 Zdroj: Kaspersky Virus
Brazilian cybercriminals have been “competing” with their Russian-speaking “colleagues” for a while in who makes more Trojan bankers and whose are most effective. A few days ago we found a new wave of different campaigns spreading the initial “Banloader” components in Jar (Java archive), which is very particular by its nature – it’s able to run on Linux, OS X, and of course Windows. Actually, it’s also able to run under certain circumstances even on mobile devices.
Social engineering
Social engineering actually varies from vehicle taxes or fines to boleto’s payment system and even a kind of electronic debt call center.
Some emails come with download links to Jar files, while others directly spread Jar inside archives, so the end user does not need to download anything from the Internet.
Infection
Everything happens when the victims make a click – and we should remember Brazilian cybercriminals are experts in social engineering. So, right, the victim makes a click. What happens next? That also varies. It depends on which group is behind that particular attack. We say this because we have seen different cyber-criminal gangs from Brazil that are clearly not related actively using Jar files to seed bankers.
The fact is, as long as the victim has Java locally installed, the “Banloader” will run and it doesn’t matter if it’s OS X, Linux or Windows.
Some groups just go for traditional PAC modifications, redirecting victims to fake bank websites:
While others work with slightly more complex obfuscating Jar routines using DES or RSA algos.
Once deobfuscated it’s clear it drops a file to the system, which is actually the Banker in charge of stealing the victim’s money:
Interesting strings
Whether it’s intentional or not, the cybercriminals left strings. Here are the strings found in different Jar-based Trojan Banker samples:
“liberdade” – freedom, liberty
“maravilha” – miracle, thing of beauty
Why is it important?
Because Jar files run on Windows, OS X and Linux, wherever Java is installed. This is the very first step cybercriminals from Brazil have made towards “cross-platforming“.
What does it mean?
Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows.
Does it mean that OS X and Linux users are now also a target of Brazilian bankers?
Not yet. We say this because the banloaders (initial components) come in Jar but the final components (dropped malware) are still designed to run in Windows or they use a Windows system in the case of PAC abusing. However, it’s clear the first step to cross-platforming has just been made. So, it’s a matter of time till we will find Brazilian bankers running on all platforms.
Are Brazilian coders going to release full bankers – bandleaders and bankers running exclusively on Jar?
There is no reason to believe they won’t. They have just started and they won’t stop.
How stealthy is their Jar malware?
Actually, the general detection rate for ALL AV vendors is extremely low.
What is the detection name Kaspersky Lab products use to detect this threat?
Depending on the characteristics of each sample it may fall into one of the following families:
Trojan-Banker.Java.Agent
Trojan-Downloader.Java.Banload
Trojan-Downloader.Java.Agent
Where are most of the victims located?
Naturally Brazil, Spain and then Portugal, the United States, Argentina and Mexico.
Why are there victims in Germany and China?
The same malware techniques have been used by other threat actors and detected under the same malware family.
Attack on Zygote: a new twist in the evolution of mobile threats
3.3.2016 Zdroj: Kaspersky Mobil
The main danger posed by apps that gain root access to a mobile device without the user’s knowledge is that they can provide access to far more advanced and dangerous malware with highly innovative architecture. We feared that Trojans obtaining unauthorized superuser privileges to install legitimate apps and display advertising would eventually start installing malware. And our worst fears have been realized: rooting malware has begun spreading the most sophisticated mobile Trojans we have ever seen.
Rooting malware
In our previous article we wrote about the increasing popularity of malware for Android that gains root access to a device and uses it to install apps and display aggressive advertising. Once this type of malicious program penetrates a device, it often becomes virtually impossible to use it due to the sheer number of annoying ads and installed apps.
Since the first article (August 2015), things have changed for the worse – the number of malware families of this type has increased from four to 11 and they are spreading more actively and becoming much better at “rooting”. According to our estimates, Trojans with superuser privileges attacked about 10% of Android-based mobile devices in the second half of 2015. There were also cases of these programs being pre-installed on new mobile devices coming from China.
However, it’s worth noting that Android-based devices running versions higher than 4.4.4 have much fewer vulnerabilities that can be exploited to gain root access. So basically, the malware targets earlier versions of the OS that are still installed on the majority of devices. The chart below shows the distribution of our product users by Android version. As can be seen from the chart, about 60% use a device on which these Trojans can gain root access.
Versions of Android OS used by users of our products
The owners of the Trojans described above, such as Leech, Ztorg, Gorpo (as well as the new malware family Trojan.AndroidOS.Iop) are working together. Devices infected by these malicious programs usually form a kind of “advertising botnet” via which advertising Trojans distribute each other as well as the advertised apps. Within a few minutes of installing one of these Trojans, all other active malware on the “network” is enabled on the victim’s device. Cybercriminals are cashing in on advertising and installing legitimate applications.
In 2015, this “advertising botnet” was used to distribute malware posing a direct threat to the user. This is how one of the most sophisticated mobile Trojans we have ever analyzed was spread.
Unique Trojan
The “advertising botnet” mentioned above was used to distribute a unique Trojan with the following features:
Modular functionality with active use of superuser privileges
Main part of malicious functionality exists in device RAM only.
Trojan modifies Zygote system process in the memory to achieve persistence.
Industrial approaches used in its development, suggesting its authors are highly qualified.
The Trojan is installed in the folder containing the system applications, under names that system applications are likely to have (e.g. AndroidGuardianship.apk, GoogleServerInfo.apk, USBUsageInfo.apk etc.).
Before starting work, the malicious program collects the following information:
Name of the device
Version of the operating system
Size of the SD card
Information about device memory (from the file /proc/mem)
IMEI
IMSI
List of applications installed
The collected information is sent to the cybercriminals’ server whose address the Trojan receives from a list written in the code:
bridgeph2.zgxuanhao.com:8088
bridgeph2.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph4.zgxuanhao.com:8088
bridgeph2.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph4.viewvogue.com:8088
Or, if the above servers are unavailable, from a list of reserve command servers also written in the code:
bridgecr1.tailebaby.com:8088
bridgecr2.tailebaby.com:8088
bridgecr3.tailebaby.com:8088
bridgecr4.tailebaby.com:8088
bridgecr1.hanltlaw.com:8088
bridgecr2.hanltlaw.com:8088
bridgecr3.hanltlaw.com:8088
bridgecr4.hanltlaw.com:8088
In reply, an encrypted configuration file arrives and is stored as /system/app/com.sms.server.socialgraphop.db. The configuration is regularly updated and contains the following fields:
mSericode – malware identifier
mDevicekey – the device identifier generated on the server (stored in /system/app/OPBKEY_< mDevicekey >);
mServerdevicekey – the current server identifier
mCD – information used by cybercriminals to adjust the behavior of the modules;
mHeartbeat – execution interval for the “heartbeatRequest” interface
mInterval – interval at which requests are sent to the command server
mStartInterval – time after which the uploaded DEX files (modules) are run
mServerDomains – list of main domains
mCrashDomains – list of reserve domains
mModuleUpdate – links required to download the DEX files (modules).
If the mModuleUpdate field is not filled, the DEX files are downloaded and saved. Then these files are downloaded in the context of the malicious program using DexClassLoader.loadClass(). After that, the modules are removed from the disk, i.e. they only remain in device memory, which seriously hampers their detection and removal by antivirus programs.
The downloaded modules should have the following interface methods for proper execution:
init(Context context) – used to initialize the modules
exit(Context context) – used to complete the work of the modules
boardcastOnReceive(Context context, Intent intent) – used to redirect broadcast messages to the module;
heartbeatRequest(Context context) – used to initiate the module request to the command server. It is needed in order to obtain the data module required by the server;
heartbeatResponce(Context context, HashMap serverResponse) – used to deliver the command server response to the module.
Depending on the version, the following set of interfaces may be used:
init(Context context) – used to initialize the modules
exec() – used to execute the payload
exit(Context context) – used to complete the work of the modules
This sort of mechanism allows the app downloader to execute modules implementing different functionality, as well as coordinating and synchronizing them.
The apps and the loaded modules use the “android bin”, “conbb”, “configopb”, “feedback” and “systemcore” files stored in the folder /system/bin to perform various actions on the system using superuser privileges. It goes without saying that a clean system does contain these files.
Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were all included in our antivirus databases under the name Triada.
At the time of analysis the app downloader (detected by us as Backdoor.AndroidOS.Triada) downloaded and activated the following modules:
OPBUpdate_3000/Calendar_1000 – two modules with duplicate functionality capable of downloading, installing and running an application (detected as Trojan-Downloader.AndroidOS.Triada.a).
Registered_1000 – module capable of sending an SMS upon the request of the command server. Detected as Trojan-SMS.AndroidOS.Triada.a.
Idleinfo_1000 – module that targets applications that use SMS to make in-app purchases (intercepts outgoing text messages). Detected as Trojan-Banker.AndroidOS.Triada.a.
Use of the Zygote process
A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.
The chart below shows the architecture of the malicious program.
Let us take a closer look at how the Zygote process is infected.
Preparatory stage and testing
All the magic starts in the crackZygoteProcess() function from the Trojan-Banker module. Its code is displayed in the screenshot below.
First, the Trojan loads the shared library libconfigpppm.so and invokes the configPPP() function exported by this library (the first highlighted string on the screenshot). Second, if configPPP() succeeds in calling System.getProperty() from Android API with the unusual argument ‘pp.pp.pp’ (it will be explained later why this action is performed) and the returned value is not null, the Trojan runs the ELF-executable configpppi with the PID of the zygote process as an argument.
Let’s go through the process in order. The first thing the Trojan does inside the configPPP() function from libconfigpppm.so is to obtain the load address (in the address space of its process) of the file that implements the ActivityThread.main() function from Android API. Next, using the load address and /proc/self/maps, the Trojan discovers the name and path to the file on the disk. In most cases, it will be /system/framework/framework.odex.
The Trojan reads this file from disk and compares it with the file that is already loaded in the address space. The comparison is performed as follows:
The file is divided into 16 blocks;
The first 8 bytes of each block are read;
These 8-byte sequences are compared with the corresponding sequences from the file that loaded in memory;
If the comparison fails, configPPP aborts its execution and returns a 103 error code. If the comparison succeeds, the Trojan starts patching framework.odex in memory.
Then, the malware obtains the Class structure of ActivityThread (which is defined in framework.odex) by using dexFindClass and dexGetClassData functions. The authors of the malware copied these functions from Dalvik Virtual Machine. The structure contains various information about a dex class and is defined in AOSP. Using the structure, Triada iterates through a list of methods implemented in this class looking for a method named “main”. After the method has been found, the Trojan obtains its bytecode with the help of the dexGetCode function (also copied from open sources). When the bytecode is obtained, it is compared with the corresponding bytecode from the file on the disk, thereby checking if the framework has already been patched. If the method has already been patched, the malware aborts its execution and returns a 103 error code.
After that, the Trojan starts looking for the first string in the DEX strings table that are between 32 and 64 symbols long. After a string has been found, the Trojan replaces it with “/system/lib/libconfigpppl.so” and saves its ID.
Next, Triada accesses the DEX methods table and tries to obtain a method with one of the following names – “loop“, “attach” or “setArgV0“. It takes the first one that occurs in the table, or, if there are no methods with these names, the penultimate method from the DEX methods table, and replaces it with a standard System.load() method (one that loads shared libraries to process address space) and saves its ID. The pseudocode that performs this manipulation is shown below.
After these actions, the preparatory stage is complete, and the Trojan performs the actual patching. It modifies the memory of the process, adding the following instructions to the bytecode of the “main” method of the ActivityThread class:
1A 00 [strID, 2 bytes] //const-string v0, “/system/lib/libconfigpppl.so”
71 10 [methID, 2 bytes] 00 00 //invoke-static {v0}, Ljava/lang/System;->load(Ljava/lang/String;)V
0E 00 //return-void
where strID is thesaved ID of the replaced string, and methID is the saved ID of the replaced method.
After these modifications, when ActivityThread.main() is called, it will automatically load the shared library “/system/lib/libconfigpppl.so” to the context of the caller process. But because framework.odex is only patched in the context of the Trojan process, the library will only be uploaded in the Trojan process. This seemingly meaningless action is performed in order to test the ability of the malicious program to modify the Zygote process. If the steps described above do not cause errors in the context of the application, they will not cause errors in the context of the system process. Such a complex operation as changing the Zygote address space has been approached very carefully by the attackers, since the slightest error in this process can result in immediate system failure. That is why the “test run” is performed to check the efficiency of the methods on the user’s device.
At the end configPPP() writes the following data to “/data/configppp/cpppimpt.db“:
ID of replaced string (4 bytes);
Content of replaced string (64 bytes);
ID of replaced method (4 bytes);
Pointer to the Method structure for replaced method (4 bytes);
Content of the Method structure for ActivityThread.main() (52 bytes);
Load address of framework.odex (4 bytes);
List of structures that contain (previously used for comparison, 192 bytes):
Pointer to the next block of framework.odex;
First 8 bytes of the block:
Size of framework.odex in memory (before patching) (4 bytes);
Pointer to the DexFile structure for framework.odex (4 bytes);
Content of the DexFile structure for framework.odex (44 bytes);
Pointer to the Method structure for System.load() (4 bytes);
Size of ActivityThread.main() bytecode before patching (4 bytes);
Bytecode of ActivityThread.main() before patching (variable);
Finally, the Trojan calls the patched ActivityThread.main(), thus loading /system/lib/libconfigpppl.so in its address space. We will describe the purpose of this library after explaining the functionality of the configpppi ELF-executable that performs the actual modification of Zygote’s address space.
Modification of the Zygote
In fact, configpppi also patches ActivityThread.main() from framework.odex, but unlike libconfigpppm.so, it receives the PID of a process running on the system as an argument and performs patching in the context of this process. In this case, the Trojan patches the Zygote process. It uses information obtained at the previous stage (in libconfigpppm.so) and stored in /data/configppp/cpppimpt.db to modify the Zygote process via ptrace system calls.
The Zygote process is a daemon whose purpose is to launch Android applications. It receives requests to launch an application through /dev/socket/zygote. Every launch request triggers a fork() call. When fork() occurs the system creates a clone of the process – a child process that is a full copy of a parent. Zygote contains all the necessary system libraries and frameworks, so every new Android application will receive everything it needs to execute. This means every application is a child of the Zygote process and after patching, every new application will receive framework.odex modified by the Trojan (with libconfigpppl.so injected). In other words, libconfigpppl.so ends up in all new apps and can modify how they work. This opens up a wide range of opportunities for the cybercriminals.
Substitution of standard Android Framework features
When the shared library /system/lib/libconfigpppl.so is loaded inside the Zygote by System.load(), the system invokes its JNI_OnLoad() function. First, the Trojan restores the string and method replaced earlier by /system/lib/libconfigpppm.so or configpppi, using the information from /data/configppp/cpppimpt.db. Second, Triada loads the DEX file configpppl.jar. This is done with the help of a standard Android API via dalvik.system.DexClassLoader.
To ensure that DEX is successfully loaded, the Trojan calls its method pppMain from the PPPMain class. This method only outputs to logcat string “PPP main started”.
The next stage is to prepare hooks for some methods from Android Framework (framework.odex). The malware checks if everything necessary for hook methods exist in configpppl.jar (it uses the internal checkPackageMethodExits() method for this). The Trojan then prepares hooks for the following methods:
java.lang.System.getProperty()
android.app.Instrumentation.newApplication()
com.android.internal.telephony.SMSDispatcher.dispatchPdus()
android.app.ActivityManager.getRunningServices()
android.app.ActivityManager.getRunningAppProcesses()
android.app.ApplicationPackageManager.getInstalledPackages()
android.app.ApplicationPackageManager.getInstalledApplications()
The hooks are placed using the standard RegisterNatives() function. This function is designed to perform binding Java methods with their native implementation (i.e. written with C/C++). Thus, the Trojan substitutes standard methods from Android Framework with methods implemented in libconfigpppl.so.
Verifying the success of a Zygote modification
The function which substitutes the original getProperty() first checks its argument. If the argument is the “pp.pp.pp” string (which was mentioned earlier), then the function immediately returns “true”. Otherwise, it calls the original getProperty() with its passed argument. Calling the hooked getProperty() with “pp.pp.pp” as an argument is used to check whether or not hooking of Android Framework functions was successful. If the hooked getProperty() returned “true”, then the Trojan will start configpppi ELF with the PID of the Zygote process as an argument.
After that, the the Trojan “kills” processes of the applications: “com.android.phone”, “com.android.settings”, “com.android.mms”. These are the standard “Phone”, “Settings” and “Messaging” – applications that are the Trojan’s primary targets. The system starts these apps automatically the next time the device is unblocked. After they start they will contain framework.odex with all the hooks placed by libconfigpppl.so.
Modification of outgoing text messages
The function which substitutes newApplication(), first calls the original function, and then invokes two functions from configpppl.jar: onModuleCreate() and onModuleInit().
The function onModuleCreate() checks in the context of the application it is running and then sets the global variable mMainAppType according to the results of checking:
If function is running within com.android.phone, then mMainAppType set to 1;
If function is running within com.android.settings or com.android.mms, then mMainAppType set to 2;
If function is running within one of these apps: com.android.system.google.server.info, com.android.system.guardianship.info.server, com.android.sys.op, com.android.system.op., com.android.system.kylin., com.android.kylines, com.android.email, com.android.contacts, android.process.media, com.android.launcher, com.android.browser, then mMainAppType set to -1;
If function is running within any other application, then mMainAppType set to 0;
Depending on the value of mMainAppType, the function onModuleInit() calls one of the initialization routines:
Thus, the Trojan tracks its host application and changes its behavior accordingly. For example, if mMainAppType is set to -1 (i.e. the host application is com.android.email, com.android.contacts etc.), the Trojan does nothing.
If the host application is com.android.phone, Triada registers broadcast receivers for the intents with actions com.ops.sms.core.broadcast.request.status and com.ops.sms.core.broadcast.back.open.gprs.network. It first sets the global variable mLastSmsShieldStatusTime to the current date and time, then turns on mobile network data (GPRS Internet).
If the host application is com.android.settings or com.android.mms, Triada registers broadcast receivers for the intents with the following actions:
com.ops.sms.core.broadcast.request.status;
com.ops.sms.core.broadcast.back.open.gprs.network;
com.ops.sms.core.broadcast.back.send.sms.address.
The first two are the same as in the previous case, and the third sends an SMS, which is passed off as extra intent data.
If the host application is any other app (apart from apps that trigger mMainAppType = -1), then Triada first checks whether or not the application uses the shared library libsmsiap.so:
Depending on the result, it calls one of the following functions: PISmsCore.invokeMMMain() or PISmsCore.invokeOtherMain().
Both functions invoke the PISmsCore.initInstance() method which performs the following actions:
Initialization of the Trojan’s global variables with various information about the infected device (IMEI, IMSI etc.);
Substitution of the system binders “isms” and “isms2”, which are used by the parent application along with its own ones;
Creation of multiple directories /sdcard/Android/com/register/, used for write log and configuration files;
Registration of broadcast receivers for intents with the actions com.ops.sms.core.broadcast.responce.shield.status and com.ops.sms.core.broadcast.responce.sms.send.status, which simply set the corresponding variables to record the time of an event;
If a function is invoked from PISmsCore.invokeMMMain(), then a new thread is created. This thread enters an endless loop and turns on mobile network data, and won’t let the user turn it off.
The most interesting action among the above is the substitution of the system binders “isms” and “isms2”.
Binder is an Android-specific inter-process communication mechanism, and remote method invocation system. All communication between client and server applications within Binder pass through a special Linux device driver – /dev/binder. The scheme of inter-process communication via the Binder mechanism is presented below.
For example, when an application wants to send an SMS it calls the sendTextMessage (or sendMultipartTextMessage) function, which in fact leads to the transact() method of an “isms” (or “isms2”) binder object being called.
The transact() method is redefined in the malicious “isms” binder realization, replacing the original. So, when the parent application of the Trojan sends an SMS it leads to the call of the malicious transact() method.
In this method, the Trojan obtains SMS data (destination number, message text, service center number) from raw PDU. Then, if a network connection is available, it sends this data to a random C&C server from the following list:
bridgeph2.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph3.zgxuanhao.com:8088
bridgeph4.zgxuanhao.com:8088
bridgeph2.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph3.viewvogue.com:8088
bridgeph4.viewvogue.com:8088
The C&C server should respond with some data that, among other things, contains a new SMS destination address (number) and new SMS text.
If a network connection is not available, then the Trojan tries to find the appropriate data in the local configuration files that are stored in the /sdcard/Android/com/register/localuseinfo/ directory in encrypted form.
The Trojan then replaces the SMS destination address and the SMS text of the original message (obtained from C&C or local configuration files), and tries to send it in three different ways (simultaneously):
Via the standard Android API function sendTextMessage. It will lead to the same malicious transact() method of the Trojan “isms” binder realization;
By sending an intent with the action “com.ops.sms.core.broadcast.back.send.sms.address”. It will be received and processed by the same Trojan module but inside the “Messaging” or “Settings” application;
By passing the new SMS destination address and new SMS text to the original “isms” binder transact() method.
When the Trojan sends an SMS in one of these ways, it saves the new SMS destination address and new SMS text in a special variable. And, before sending the new SMS, it checks if it has not already been sent. This helps to prevent endless recursive calls of the transact() method, meaning only one SMS will be sent per originally sent message (by the parent application).
Besides the PISmsCore.initInstance() function, PISmsCore.invokeMMMain() calls another function – PIMMCrack.initInstance(). This method tries to determine which version of mm.sms.purchasesdk the host application is using (the Trojan knows for sure that the host application is using this SDK, because it has checked for libsmsiap.so, which is part of this SDK). mm.sms.purchasesdk is the SDK of Chinese origin – it is used by app developers for enabling In-App purchasing via SMS.
Thus, the mechanism described in this chapter allows the Trojan to modify outgoing SMS messages that are sent by other applications. We presume that the Trojan authors use this opportunity to secretly steal users’ money. For example, when a user buys something in some Android game shop, and if this game uses SDK for in-app purchases via SMS (such as mm.sms.purchasesdk), the Trojan’s authors are likely to modify the outgoing SMS so as to receive the user’s money instead of the game developers. The user doesn’t notice that his money has been stolen; instead he presumes he hasn’t received the appropriate content and will then complain to the game developers.
Filtration of incoming text messages
The original dispatchPdus() is used (as shown in the diagram below) to dispatch PDUs (Protocol Data Unit, low-level data entity used in many communication protocols) of incoming SMS messages to the corresponding broadcast intent. Then, all applications that subscribed for the intent are able to receive and process, according to their needs, the text message that is contained in the form of PDUs inside of this intent.
The function which substitutes dispatchPdus() invokes the moduleDispatchPdus() method from configpppl.jar. It checks the host application and if the application is not com.android.phone, it informs and broadcasts to all apps in the system intent with the action android.provider.Telephony.SMS_RECEIVED (along with the received PDUs). This standard intent informs all other applications (e.g. “Messaging” or “Hangouts” of the incoming SMS).
If the host for the malware is com.android.phone, then Triada checks the originating address and message body of the incoming SMS. The information that the Trojan needs to check is contained within two directories: /sdcard/Android/com/register/infowaitreceive/ and /sdcard/Android/com/register/historyInfo/. The names of the files that are stored in these directories contain postfix, which signifies the date and time of the last response from the C&C. If these files were updated earlier than the last response was received, the Trojan deletes these files and aborts the checking of the incoming SMS. Otherwise, the malware decrypts all the files from the directories mentioned above and extracts phone numbers and keywords from them to perform filtering. If the SMS was received from one of these numbers or the message contains at least one keyword, the Trojan broadcasts an intent with the action android.provider.Telephony.SMS_RECEIVEDcom.android.sms.core along with the message. This is an intent with a custom action and only those applications that explicitly subscribe to this intent, will receive it. There are no such applications on “clean” Android devices. In addition, this method could be used to organize “exclusive” message distribution for Triada modules. If some of the new modules subscribe to the intent with the action android.provider.Telephony.SMS_RECEIVEDcom.android.sms.core, they will receive the filtered message exclusively, without any other applications on the system knowing about it.
Concealing Trojan modules from the list of running services
This function is used to obtain a list of all running services. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getRunningServices():
com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Concealing Trojan modules from the list of running applications
This function is used to obtain a list of all running applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getRunningAppProcesses():
com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Concealing Trojan modules from the list of installed packages
This function is used to obtain a list of all installed packages for applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getInstalledPackages():
com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Concealing Trojan modules from the list of installed applications
This function is used to obtain a list of all installed packages for applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getInstalledPackages():
com.android.system.google.server.info
com.android.system.guardianship.info.server
com.android.sys.op
com.android.system.op.
com.android.system.kylin.
com.android.kylines.
Conclusion
Applications that gain root access to a mobile device without the user’s knowledge can provide access to much more advanced and dangerous malware, in particular, to Triada, the most sophisticated mobile Trojans we know. Once Triada is on a device, it penetrates almost all the running processes, and continues to exist in the memory only. In addition, all separately running Trojan processes are hidden from the user and other applications. As a result, it is extremely difficult for both the user and antivirus solutions to detect and remove the Trojan.
The main function of the Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer. Depending on whether or not the user gets the content he pays for, the Trojan either steals the money from the user (if the user does not receive the content) or from the legitimate software developers (if the user receives the content).
Triada has clearly been designed by cybercriminals who know the targeted mobile platform very well. The range of techniques used by the Trojan is not found in any other known mobile malware. The methods of concealing and achieving persistence used by Triada can effectively avoid detection and removal of all malware components after installation on the infected device; the modular architecture allows attackers to extend and alter the functionality so they are limited only by the capabilities of the operating system and applications installed on the device. Since the malware penetrates all applications installed on the system, the cybercriminals can potentially modify their logic to implement new attack vectors against users and maximize their profits.
Triada is as complex as any malware for Windows, which marks a kind of Rubicon in the evolution of threats targeting Android. Whereas previously, the majority of Trojans for the platform were relatively primitive, new threats with a high level of technical complexity have now come to the fore.
Hack the Pentagon — US Government Challenges Hackers to Break its Security
3.3.2016 Hacking
The United States Department of Defense (DoD) has the plan to boost their internal and network security by announcing what it calls "the first cyber Bug Bounty Program in the history of the federal government," officially inviting hackers to take up the challenge.
Dubbed "Hack the Pentagon," the bug bounty program invites the hackers and security researchers only from the United States to target its networks as well as the public faced websites which are registered under DoD.
The bug bounty program will begin in April 2016, and the participants could win money (cash rewards) as well as recognition for their work, DoD says.
While announcing 'Hack the Pentagon' initiative during a conference, DoD said only "Vetted Hackers" can participate in the Bug Bounty program, which means the candidates need to undergo a Background Check after registration and before finding vulnerabilities in its systems.
Moreover, candidates would be given a Predetermined Department Systems (might be real system alike) for a specific time period of the competition to access it.
So, don’t be confuse that the DoD will serve a critical piece of its infrastructure to hackers for disruption, rather the hackers will be allowed to target a predetermined system that is not part of its critical operations.
However, the Department of Defense has not yet confirmed what bounty would be provided to hackers upon a successful penetration of its network or web pages.
Why DoD launches a Bug Bounty program?
Department of Defence currently manages 488 websites related to everything from the 111th Attack Wing, several military units to Yellow Ribbon Reintegration Program.
According to Chris Lynch, Director of Defense Digital Service that’s actually behind the "Hack the Pentagon" initiative:
"Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country."
But, Here's the Actual Reason You Need to Know:
The hackers, foreign and internal criminals, are actively targeting government departments and critical infrastructure that could reveal national secrets.
Last year’s massive security breach in the United States Office of Personnel Management (OPM) revealed the private information of over 21.5 Million US government employees.
Just last month, an unknown hacker released personal details of at least 20,000 Federal Bureau of Investigation (FBI) agents and 9,000 Department of Homeland Security (DHS) officers.
Almost three years ago, the Pentagon said the Chinese government had conducted cyber attacks on the several United States diplomatic, economic as well as defense industry networks.
Therefore, the real purpose of launching dedicated bug bounty program for hackers could be a government initiative to identify vulnerabilities in its infrastructure that may expose any endangered state secrets.
Just like Bug Bounty programs offered by several Frontliners in the technology industry, Hack The Pentagon would also be an exercise for the federal authorities to boost up the security measures and counter the cyber attacks.
Instead of usual self-conducting Security Audit by the DoD internals itself, the new initiative would provide an opportunity for the fresh brains outside the Pentagon to challenge DoD infrastructure and enhance the security measures.
$17 smartwatch includes a backdoor in the pairing app
3.3.2016 Safety
A group of researchers that analyzed security of a number of smart watches discovered a $17 smartwatch is sold with a backdoor in the pairing app.
Be careful of cheap smartwatch offered on the web, security researchers at Mobile Iron have found that the U8 Smartwatch available on eBay for sale is offered with an Android or iOS app that contains a backdoor that is linked to a Chinese IP address.
The discovery was presented at the BSides San Francisco conference and of course, the wearable device represents a serious threat to the users’ privacy.
The U8 smartwatch is offered on eBay for 15,99 Euro (just US$17), the buyers download the pairing app from an IP address reported on a piece of paper that comes with the device.
The smartwatch has 1.48″ touch screen and Bluetooth connectivity to mobile devices to control calls by using an Android app that can access the user’s contacts, call and SMS histories.
Mobile Iron research director Michael Raggo told the BSides San Francisco conference the watch is a threat to individual and enterprise security.
The U8 Smartwatch is only one of the list of devices analyzed by Raggo and his colleagues, including the Apple Watch running the WatchOS, the Samsung Gear 2 running Samsung Tizen, and the Moto 360.
“We ran dynamic and behavioural analysis (on the pairing app) and discovered that when it was paired, it started communicating outbound over a random IP address to China,” explained the Mobile Iron research director Michael Raggo (@datahiding)
“We don’t know what the IP address is. “In terms of corporate espionage, in terms of risk, there’s definitely a lot of suspicious behaviours there.”
Raggo has developed a Python tool called SWATtack tool that could be used for forensics analysis and vulnerability assessment on the smartwatches. The tool is also able to bypass PIN protection implemented on Samsung Gear 2 Neo watches and exfiltrate data.
Can Scientists 'Upload Knowledge' Directly into your Brain to Teach New Skills?
3.3.2016 Safety
Imagine the world where you do not have to make any efforts to learn new skills or knowledge.
Just like new programs are uploaded to a Robot to teach them new skills, What if new skills are uploaded to your brain to make you learn, say, playing Guitar, a whole language like French or German or anything else you wish?
Do you want a technique, if exists, to make this possible?
Of course, YES! Who would not?
Now, multiple media channels are reporting that a team of researchers from HRL Laboratories in California has developed a new technology that could be used to feed any skill into the human brain without much effort.
But, Is it possible in reality?
Let's have a look at what media is reporting and what scientists have actually discovered.
Here's what Media is Reporting:
Media is reporting that researchers have found a way to "upload knowledge to your brain." Researchers claimed to have developed a simulator that can feed data directly into a human’s brain to teach new skills in a shorter amount of time.
Some are reporting that the technique is similar to that seen in 'The Matrix,' in which Keanu Reeves learns 'Kung-Fu' soon after a program is uploaded directly into his brain through a terminal.
Here's what Scientists have Actually Discovered:
In reality, the recent research shows that it may be possible to enhance a human's existing ability to learn new skills, but to upload any particular skill or talent directly into a person via brain waves is outside the scope of the study.
What Did the Scientists Actually Achieve?
Lead by Matthew Phillips, the HRL Labs research team that does R&D for the Boeing Company and General Motors has made use of a neuro-stimulation technique called transcranial Direct Current Stimulation (tDCS) – a noninvasive, painless shock that makes use of a constant, small electric current to excite specific brain regions.
Using tDCS technique, the researchers excited certain areas in the human brain that are responsible for learning and skill retention.
"When you learn something, your brain physically changes," Philips said. "Connections are made and strengthened in a process called neuroplasticity. It turns out that certain functions of the brain, like speech and memory, are located in very specific regions of the brain, about the size of your pinky."
During their experiment, the researchers first monitored the brain waves of 6 commercial as well as military pilots and then transmitted those patterns into 32 newbies who were learning to pilot an aeroplane in a flight simulator.
The finding suggests that tDCS technique might work to enhance a person's ability to learn, as the newbies who received tDCS brain stimulation were found with improved piloting abilities, especially landing skills.
However, this definitely does not mean that the researchers uploaded or transmitted any particular skill or type of data via this technique, rather they just excited the specific brain regions responsible for learning, so that a person could improve his/her learning ability.
So, don’t think that using this new technique you could "upload" an entire skill set, like Kung-Fu or French language. For now, you have to make efforts to learn them but, who knows, the study could just be a first step towards this whole new FUTURE.
For in-depth knowledge, you can read the full research paper published in the journal Frontiers in Human Neuroscience.
Turing Award — Inventors of Modern Cryptography Win $1 Million Cash Prize
3.3.2016 Safety
And the Winners of this year's Turing Award are: Whitfield Diffie and Martin E. Hellman.
The former chief security officer at Sun Microsystems Whitfield Diffie and the professor at Stanford University Martin E. Hellman won the 2015 ACM Turing Award, which is frequently described as the "Nobel Prize of Computing".
Turing Award named after Alan M. Turing, the British mathematician and computer scientist who was a key contributor to the Allied cryptanalysis of the German Enigma cipher and the German "Tunny" encoding machine in World War II.
The Association for Computing Machinery (ACM) announced the Turing Award the same day when FBI Director James Comey appeared before a congressional committee to discuss how encryption has become Threat to law enforcement.
The ACM announced the award on Tuesday, which includes the top prize of $1 Million that has been awarded to two men who invented the "public-key cryptography" – a technique that makes possible the commercial World Wide Web.
"Today, the subject of encryption dominates the media, is viewed as a matter of national security, impacts government-private sector relations, and attracts billions of dollars in research and development," ACM President Alexander Wolf said in a statement.
"In 1976, Diffie and Hellman imagined a future where people would regularly communicate through electronic networks and be vulnerable to having their communications stolen or altered. Now, after nearly 40 years, we see that their forecasts were remarkably prescient."
Diffie and Hellman published their landmark paper titled, New Directions in Cryptography [PDF] in 1976, outlining the first public-key cryptography (or asymmetric cryptography) technique to allow people to encrypt their data using publicly exchanged keys and decrypt the data using their secret private keys.
The technique led to a revolution in the encryption, and the Diffie-Hellman key exchange protocol became central to almost all modern cryptography, including PGP (Pretty Good Privacy) encrypted e-mail, TLS (Transport Layer Security), and more.
What is Diffie-Hellman Public-key Cryptography?
Public-key cryptography is a method of encrypting data in which each party has a pair of keys – one is a freely shareable public key, and the other is a secret private key – thus eliminating the historical key management issue.
The historical method required both sender and recipient of an encrypted message had to use the same key. So in case, that key was stolen or compromised, every encrypted message sent could be read using the key.
"Naturally I'm thrilled by this by this award, but thrilled for cryptography," Diffie said. "It's the third time the Turing award has been given to cryptographers. The fact that it is so central to the field is amazing."
And Hellman said, "The award is a great honor, but I feel very proud because it was named after Alan Turing, a man who was persecuted as we were."
The two inventors of modern cryptography will share the prize money of $1 Million. Though the ACM has just announced the award at the RSA 2016 conference, it will present the 2015 Turing Award at its annual Awards Banquet on June 11, 2016, in San Francisco, California.
France could Fine Apple $1 Million for each iPhone it Refuses to Unlock
3.3.2016 Apple
The United States is not the only one where Apple is battling with the federal authorities over iPhone encryption. Apple could face $1 Million in Fine each time the company refused to unlock an iPhone in France.
Despite its victory in a New York court yesterday, Apple may not be so successful elsewhere in fighting against federal authorities over iPhone encryption battle.
Yann Galut, a member of France’s Socialist Party, has submitted an amendment to a bill aimed at strengthening the French government’s ability to fight against terrorism — by arguing that…
Apple should pay a Million Euro ($1.08 Million) fine for every iPhone Apple refuses to unlock when asked to by law enforcement, The Local reported.
The same €1 Million penalty could apply to Google as well under similar conditions, forcing the tech companies to help its investigators extract data from a suspect’s smartphone in terrorism cases.
The French police seized eight smartphones last year in terror investigations, but the authorities were unable to access them. With Apple and other tech companies unwilling to help the authorities, France wants to enforce new laws to force tech companies to comply with orders.
"We are faced with a legal vacuum when it comes to data encryption, and it’s blocking judicial investigations," Galut told Le Parisien.
"Only money will force these extremely powerful companies like Apple and Google to comply. They are hiding behind a supposed privacy protection, but they’re quick to make commercial use of personal data that they’re collecting."
Apple continues to battle against the Federal Bureau of Investigation (FBI) over a court order to help the agency unlock an iPhone 5C belonging to San Bernardino shooter Syed Farook.
Other Silicon Valley giants, including Google, Facebook, WhatsApp and Twitter, defended Apple CEO Tim Cook’s stance against the FBI in the controversial San Bernardino case and the need for strong protections built into smartphone devices.
Although it remains to be seen whether this proposed law will be approved, how the San Bernardino case is resolved in the United States will definitely impact how other countries might approach the tech giants.
French Gov could fine Apple and Google €1m unless they hack mobile devices
3.3.2016 Apple
French Gov is thinking a law that would impose fines of €1 million on Apple and Google if they refused providing access users’data.
Governments worldwide continue to intensify their pressure on the IT giants requesting the access to users’ data in the name of security.
The US Government wants Apple unlock its mobile devices to access data, the Brazilian Government arrested the Facebook Latin America VP because the company refused to provide access to WhatsApp data to law enforcement in drug trafficking investigation.
The United States is not the only one where Apple is battling with the federal authorities over iPhone encryption.The last Government in order of time that is threatening IT giants is the French one, according to The Local website, Apple in fact could face $1 Million in fine each time it refused to unlock an iPhone in France.
French Gov iphones Sand Bernardino shooter case
The same penalty could apply to Google if the company refuses to give access users’ data to the French authorities.
A member of French Socialist Party, Yann Galut, has submitted an amendment to a bill aimed at strengthening the French government’s ability to fight against terrorism.
“On Monday, French Socialist MP Yann Galut proposed an amendment to French law that – if passed – would see the US companies punished if they didn’t give French officials backdoor access to terrorists’ phones. ” states The Local website
“Galut said on Monday that companies like Apple and Google should be fined up to €1 million when they didn’t cooperate in such cases. “
“We are faced with a legal vacuum when it comes to data encryption, and it’s blocking judicial investigations,” Galut told Le Parisien.
“Only money will force these extremely powerful companies like Apple and Google to comply. They are hiding behind a supposed privacy protection, but they’re quick to make commercial use of personal data that they’re collecting.”
Galut sustains that the punishment aims to discourage companies that were operating under “total bad faith”.
The French law enforcement seized eight mobile last year in investigations on suspects for terrorism, in all the cases the police was not able to access their content. The response of the France Government is a new law framework to oblige IT companies to comply with court orders.
The IT giants, including Google, Facebook, Twitter and WhatsApp, sided with Apple against the request of the US Government in the San Bernardino case.
Let’s wait for the final judgement on the case.
RSA Conference Badge Scanning App has a default password hardcoded
3.3.2016 Security
Researchers at Bluebox Security discovered that the badge scanning application used at the RSA Conference 2016 includes a hardcoded default password.
This year participants at the 2016 RSA Conference will have an ugly surprise, many vendors were provided with Samsung Galaxy S4 smartphones that run a special Android app, available on the Google Play, that allows them to keep track of visitors by scanning their badges.
The mobile scanning cannot be used for anything except scanning badges, unless the administrator unlocks it using a password. This working mode is also note as “kiosk mode.”
Security experts at Bluebox Security downloaded analyzed the scanning app and discovered that authors embedded the default password in the source code in plain text.
“When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device,” Bluebox Security researchers told Securityweek.com. “This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.”
“We speculate that the default code embedded in the app is there as a mechanism so that the device can still be managed even if the admin’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially un-encrypted and un-obfuscated,” experts noted.
RSA Conference 2016
In this specific there aren’t serious risks for end-users, but it is quite common find mobile apps with hardcoded credentials. Hackers could exploit the embedded password to gain control of the device, at that point it a joke use it to spy on victims or to recruit is in a mobile botnet.
Something similar has already happened in 2014 when experts at IOActive uncovered a number of flaws affecting the RSA Conference Android app, such as information disclosure issues.
Security by design have to be a must for mobile app development, unfortunately due to the rapid diffusion of Rapid Application Mobile Development Tools is it quite easy to publish a mobile app, but in most cases the security requirements are totally ignored.
It is curious that this thing happened at a conference followed by most important experts in the security field.
Kanye West, Who wants to destroy ‘The Pirate Bay’, Caught using Torrent Site
2.3.2016 Safety
The 38-year-old rapper Kanye West is at the centre of controversy once again.
West is himself a Pirate Lover just like everyone else, and he proved it today by sharing a photo of his laptop screen on Twitter.
The rapper tweeted an ill-judged picture on Tuesday night to show what he was listening to on YouTube (Sufjan Stevens’ 'Death With Dignity' song), but his fans discovered something he would have hide if realized before sharing that snap.
Taking a closer look at the address bar was quite revealing, showing two very interesting tabs:
The notorious file-sharing website The Pirate Bay
MediaDownloader
Pirate Bay Offers Tech Support to Kanye West
kanye-west-torrent-pirate-bay
West’s recent album The Life of Pablo was involved in a piracy concern. He was so outraged when he saw his recent album was being pirated by 500,000 downloads in just two days that he considered taking legal action against The Pirate Bay.
However, in a recent tweet West accidentally revealed his own pirate habits.
It looks like the controversial rapper was torrenting a pirated copy of Xfer Records synthesizer software Serum on The Pirate Bay. The serum is a popular WaveTable editor that costs just $189 for a license.
However, despite having harsh feelings, the Pirate Bay team said it was happy to provide West with tech support.
DJ Deadmau5, co-founder of Xfer Records, called out West as a dick and later he showed some sympathy for West, calling for a Kickstarter campaign to raise fund to help West afford a copy of Serum.
US DoD invites a restricted number of hackers to Hack the Pentagon
2.3.2016 Hacking
Hack the Pentagon – DoD would invite outside hackers to test the cybersecurity of some public US Defense Department resources as part of a pilot initiative.
Which is the best way to discover security vulnerabilities affecting a computer system? Ask a group of hackers to test it. This is the concept behind a bounty program, an organization can hire hackers to test the system and ethically disclose the flaw, receiving a reward. Bug bounties are very popular initiatives among the communities of white hats, principal companies, including Facebook, Google and Microsoft. Facebook, for example, has already paid more than $3 million since 2011, when its bug bounty program was launched.
And what about if I tell you that the organization in question is the pentagon? Yes, it is true, ‘Hack the Pentagon’ is the initiative launched by the US Government, the first ever program of its kind, that aims to test the resilience to cyber attacks of the US defenses.
If the Pentagon will financial reward the hacker, it would be the first government-funded bug bounty initiative in the world.
“The Pentagon said on Wednesday it would invite vetted outside hackers to test the cybersecurity of some public U.S. Defense Department websites as part of a pilot project next month, in the first-ever such program offered by the federal government.”
“Hack the Pentagon” is modeled after similar competitions known as “bug bounties” that are conducted by big U.S. companies, including United Continental Holdings Inc to discover gaps in the security of their networks.” states the Reuters.
At time I was writing the bounty program has not been announced, until today, the Pentagon already uses its own internal security experts (so-called “red teams”) to test its networks, but openness to external hackers could give a major impetus in finding vulnerabilities in government systems, allowing to find new security holes.
The Hack the Pentagon initiative is welcome within the US government, in this way the expert at the Pentagon will be able to identify security issues before hackers can exploit them, with a significant improvement in term of cyber security.
“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” commented the Defense Secretary Ash Carter.
According to the Reuters, the participants will have to be US citizens and submit to background checks before being accepted to the Hack the Pentagon program, this is the principal difference with a common bug bounty initiative.
The program is being led by the DoD Defense Digital Service, which is a small team of engineers and experts, set up in November 2015, meant to “improve the Department’s technological agility and solve its most complex IT problems.”
In October 2015, Current and former members of the department’s cyber wing of the US Army, Captain Michael Weigand and Captain Rock Stevens, published a paper urging a joint project between the Army Cyber Institute and the US Marine Corps Forces Cyberspace Command. The project aimed to establish a central program for disclosing software vulnerabilities on military systems.
The military experts highlighted how essential aspects of the software lifecycle, like patch management and penetration testing are very difficult to carry on these environments. The systems used in the US Army are exposed by an absence of centralized patch management and penetration testing are not allowed due to the nature of the systems.
They call for a radical change, including the introduction of bug bounties, today internal experts who discovered vulnerabilities have no incentive to report the flaw are no obliged to disclose it, the post refers this bad habit as a “do nothing” culture.
In the paper published on the Cyber Defense Review website, the duo proposed the creation of an Army Vulnerability Response Program (AVRP), a bug bounty program run by the US military.
The Army Vulnerability Response Program (AVRP) platforms proposed by the military expert have to enable service people to report bugs free of risk of retribution, and say penetration tests should be promoted as vulnerability scans are inadequate.
“The AVRP will serve as the central reporting mechanism for vulnerabilities in Army networks and will receive reports on poor configurations or gaps in security that could allow attackers to degrade Army systems. These systems include Army digital training management systems, Army Battle Command Systems, logistics procurement systems, and combat platforms deployed in hostile environments. Researchers can report vulnerabilities through a phone hotline or an online submission portal. The AVRP will track all submissions, facilitate the flow of communication with affected entities, and play an integral role in resolving the vulnerability throughout US government networks,” the paper reads.
The creation of a bug bounty program is an urgency for the US Government, it comes after the numerous successfully attacks suffered by US entities, including OPM, the White House, and The State Department.
The return of HackingTeam with new implants for OS X
2.3.2016 Zdroj: Kaspersky Apple
Last week, Patrick Wardle published a nice analysis of a new Backdoor and Dropper used by HackingTeam, which is apparently alive and well. Since HackingTeam implants are built on-demand for each target, and it appears that the samples mentioned in the blog were found in-the-wild, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor.
Encryption key
The main Backdoor component receives its payload instructions from an encrypted Json configuration file. In order to decrypt the configuration file, we began by using known keys, but none of them were able to decrypt the file. Upon checking the binary file we were able to identify that the function used to encode the file is still AES 128, so we started to look for a new encryption key. We located the initialization of the encryption routine, where the key is passed as an argument.
By following this code we were able to find the new key used to encrypt the configuration file.
As you can see, the key is 32 bytes long, so just the first 16 bytes are used as the key. By using this key on our script we successfully decrypted the configuration file, which turns out to be a Json format file carrying instructions on how that particular Backdoor needs to operate on the target’s OS X machine:
What does the implant do?
It takes screenshots
It synchronizes with or reports stolen information to a Linode server located in the UK, but only when connected to Wi-Fi and using a specific Internet channel bandwidth defined by the Json configuration file:
It steals information on locally-installed applications, address book entries, calendar events and calls. OS X allows iPhone users to make such calls straight from the desktop when both are connected to the same Wi-Fi network and trusted.
It spies on the victim by enabling frontal camera video recording, audio recording using the embedded microphone, sniffing local chats and stealing data from the clipboard.
It also steals emails, SMS and MMS messages from the victim, which are also available on the OS X desktop when an iPhone is paired.
Among other functionalities it also spies on the geolocation of the victim.
It’s interesting to note that the Json file says that the start date of the operation is October 16 (Friday), 2015. This indicates that this is a fresh HackingTeam Backdoor implant.
For some reason the attacker was not interested in any emails sent to or from the target before that date but only from then on.
Kaspersky Lab detects the above-mentioned Backdoor implants as Backdoor.OSX.Morcut.u and its dropper as Trojan-Dropper.OSX.Morcut.d
FBI Admits — It was a 'Mistake' to Reset Terrorist's iCloud Password
2.3.2016 Apple
Yes, FBI Director James Comey admitted that the investigators made a "mistake" with the San Bernardino investigation during a congressional hearing held by the House Judiciary Committee.
Apple is facing a court order to help the FBI unlock an iPhone belonged to San Bernardino Shooter by developing a backdoored version of iOS that can disable the security feature on the locked iPhone.
Apple's Chief Executive Tim Cook has maintained his stand over Privacy and Security, saying the company will fight the court order because it is dangerous for the security and privacy of all of its users.
As the company earlier said, Apple had been helping the FBI with the investigation in San Bernardino case since early January by providing an iCloud backup of Farook's iPhone under a court order and ways to access Farook's iPhone…
...but the problem, according to Apple, was that the feds approached the company after attempting a 'blunder' themselves.
Also Read: FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write Code?"
Just after the San Bernardino terrorist attacks, an unnamed local police official 'Reset the Apple ID Passcode' associated with the shooter's iPhone 5C in "less than 24 hours after the government took possession of the device" in an attempt to access the data.
When the feds approached Apple to help them brute force the passcode without losing data, the company suggested the FBI an alternative way, i.e.:
Connect Farook's iPhone to the Internet by taking it to a known Wi-Fi range. This way his iPhone would have automatically backed up device data with his iCloud Account.
FBI Director: It was a 'Mistake' to Reset iCloud Password
However, when one of the committee members asked Comey about whether the iPhone had its iCloud password changed, preventing the phone from backing up to accessible Apple servers.
Comey was forced to admit that the iCloud password was changed at the FBI's request, calling it a "mistake." Though the FBI previously stated that changing the iCloud password was not a screw-up.
"As I understand from the experts, there was a mistake made in that 24 hours after the attack where the [San Bernardino] county at the FBI's request took steps that made it hard—impossible—later to cause the phone to back up again to the iCloud," Comey said in testimony.
Must Read: Apple is working on New iPhone Even It Can't Hack.
FBI Asked NSA to Unlock iPhone, But NSA couldn't Do it
This was not the only difficult question Comey fielded in the hearing. Comey was also asked how many other federal agencies the Federal Bureau of Investigation (FBI) had asked for help.
Apple itself asked the FBI similar question last week: If the FBI wants to hack an iPhone, why doesn't it just ask the NSA?
Comey replied that people who watch too much television exaggerated the technical capabilities of federal agencies. He did directly respond to a question about whether the U.S. National Security Agency (NSA) helped.
His answer was pretty clear: No, the NSA could not do it.
Also Read: Apple Can Unlock iPhones, Here's How to Hack-Proof your Device.
Here's what Rep. Judy Chu, Democrat of California asked Comey during the hearing on "The Encryption Tightrope: Balancing Americans' Security and Privacy":
I'd like to ask about law enforcement finding technical solutions....Has the FBI pursued these other methods tried to get help from within the federal government, such as from agencies like the NSA?
Here's the response from Comey:
Yes is the answer. We've talked to anybody who will talk with us about it, and I welcome additional suggestions.
During the hearing, Comey wanted to highlight Apple's capability to create a backdoor to unlock the iPhone's encryption, a fact Apple has admitted.
Also Read: Apple hires developer of World's Most Secure Messaging App.
From the beginning, the members of the House Judiciary Committee indicated a strong disapproval of the FBI's actions in the San Bernardino case. Rep. Conyers, a ranking member of the committee, noted that he has long opposed mandating backdoors in a service.
DarkHotel hackers are back targeting Chinese Telecom
2.3.2016 Hacking
The DarkHotel APT group is back and it is targeting executives at telecommunications companies in China and North Korea.
According to threat intelligence start-up ThreatBook, the DarkHotel APT group is targeting executives at telecommunications companies in China and North Korea.
The Darkhotel espionage campaign was first uncovered by security experts at Kaspersky Lab in November 2014. The experts discovered that the hacking campaign was ongoing for at least four years while targeting selected corporate executives traveling abroad. According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.
The attackers appeared as highly skilled professionals that exfiltrate data of interest with a surgical precision and deleting any trace of their activity. The researchers noticed that the gangs never go after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, sales and marketing directors from the USA and Asia traveling for business in the APAC region.
Experts at ThreatBook dubbed the new campaign DarkHotel Operation 8651, the hackers have already compromised at least one organization by using spear phishing emails.
The spear phishing messages came with malicious documents attached, typically a crafted SWF file embedded as a downloadable link in a Word document.
The DarkHotel hackers exploited the Adobe Flash vulnerability CVE-2015-8651, patched by Adobe on Dec. 28 with an out-of-band patch.
The attackers disguise the malicious code a component of the OpenSSL library. Experts noticed that the malware implements a number of anti-detection measures, including anti-sandbox and just-in-time decryption.
To better understand the DarkHotel group, let me provide you further details emerged by an update provided by Kaspersky Lab in August 2015. Kaspersky confirmed that the organizations targeted by the DarkHotel APT in 2015 were located in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.
Darkhotel relied on phishing emails containing links to Flash Player exploits disclosed following the data breach suffered by the Hacking Team surveillance firm.
“…at the beginning of July, it began to distribute what is reported to be a leaked Hacking Team Flash 0day. It looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific systems. We can pivot from “tisone360.com” to identify some of this activity. ” Kaspersky wrote in a blog post.
The DarkHotel APT used obfuscated HTML Application (HTA) files to serve backdoor and downloader code on infected systems since 2010, in August security experts discovered new variants of the malicious HTA files.
“It’s somewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications, introduced by Microsoft in 1999,” experts noted.
The hackers also improved the obfuscation techniques using more efficient evasion methods, in one case the attackers used a signed downloaders developed to detect known antivirus solutions.
The spear-phishing emails used by the Darkhotel group in the past contain .rar archives that appeared to include a harmless .jpg file. In reality, the file is a .scr executable that appears like a JPEG using a technique known as right-to-left override (RTLO). When the file is opened, an image is displayed in the Paint application, while the malicious code is executed in the background.
Another novelty for the espionage campaign run by the Darkhotel APT group is the use of stolen digital certificates that are used to sign malware.
According to the experts at Kaspersky, the APT group appears to be Korean speaker.
Facebook's Vice President Arrested in Brazil for Refusing to Share WhatsApp Data
2.3.2016 Social Site
Apple is not the only technology giant battling against authorities over a court order; Facebook is also facing the same.
Brazil’s federal police arrested Facebook Latin America Vice President for failing to comply with court orders to help investigators in a drug trafficking case that involves WhatsApp, a popular messaging app owned by Facebook that has over 100 Million users in Brazil.
Facebook VP Diego Jorge Dzodan was arrested on his way to work in São Paulo, Brazil today because the company refused to provide details of a WhatsApp user involved in organized crime and drug trafficking.
Dzodan is still in police custody and is responding to police questioning in Sao Paulo, Local media reported.
According to a statement released by a spokesperson from WhatsApp:
"We are disappointed that law enforcement took this extreme step. WhatsApp cannot provide information we do not have. We cooperated to the full extent of our ability in this case, and while we respect the important job of law enforcement, we strongly disagree with its decision."
In December 2015, the Brazilian court blocked WhatsApp messaging service temporarily for 24 hours in Brazil, after the company refused to hand over the content of communications between alleged drug dealers involved in the drug trafficking case.
...and the refusal now resulted in the arrest of Facebook VP.
At the time of WhatsApp blackout in Brazil, Facebook’s Chief Executive Officer Mark Zuckerberg said that he was stunned by the "extreme decision by a single judge to punish every person in Brazil who uses WhatsApp."
Today’s arrest of Facebook VP comes as a New York judge ruled that the United States government have no right to force Apple to unlock an iPhone involved in a drug case.
Apple is also fighting a legal battle against a court order that demands the company to help the FBI unlock an iPhone 5C belonging to the one of the shooters involved in the San Bernardino massacre.
FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?"
2.3.2016 Hacking
What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?
Exactly this was what FBI Director James Comey asked in the congressional hearing on Tuesday.
The House Judiciary Committee hearing on "The Encryption Tightrope: Balancing Americans' Security and Privacy" over the ongoing battle between Apple and the FBI ended up being full of drama.
The key to the dispute is whether the Federal Bureau of Investigation (FBI) can force Apple to develop a special version of its mobile operating system that would help the agency unlock an iPhone belonged to San Bernardino shooter Syed Farook.
FBI Director James Comey was there with a prepared testimony about why the FBI wants Apple to create a backdoor into the killer's iPhone.
Comey: Encryption is a Long-Term Threat to Law Enforcement
Yesterday, a New York magistrate judge refused a similar order in a drug case in which the authorities asked Apple to help with the data stored in an unlocked iPhone.
The judge suggested that the government’s interpretation of the All Writs Act – the same 1789 law the FBI is invoking in the San Bernardino case to compel Apple to write a backdoor – would weaken the separation of powers as well as trample on the United States Constitution itself.
Comey, who portrayed Encryption as a long-term threat to the law enforcement because it lets criminals "go dark," said:
"Slippery slope arguments are always attractive, but I suppose you could say, 'Well, Apple's engineers have this in their head, what if they're kidnapped and forced to write software?' That's where the judge has to sort this out, between good lawyers on both sides making all reasonable arguments."
By making this comment, Comey wants to highlight that Apple is capable of creating a backdoor to unlock the iPhone's encryption, a fact Apple has admitted.
It seems that certain Apple engineers are guided on what to do if they're kidnapped, and according to a source with knowledge of Apple's security practices, the engineers are told to "go along with the demands and do whatever is necessary to survive."
Simply "Do whatever they ask. No heroes."
Apple: Can not Weaken Security of All of Our Products
Apple General Counsel Bruce Sewell, who was also prepared with his testimony, argued how a court order could compel the company to circumvent its own encryption technology in an effort to get at the contents of an iPhone.
The FBI wants Apple to write a backdoored version of iOS that would help the feds circumvent iPhone's security measures. Apple countered that doing so would not only undermine the security of all its products, but also set a troubling example for the tech industry.
Swell said, "Building that software tool would not affect just one iPhone. It would weaken the security for all of them."
Apple Working on Unhackable iPhones
This kidnapping issue could also be resolved soon, as Apple is working on an unbreakable iPhone that even the company can not hack.
In addition, the company has also hired Frederic Jacobs, one of the key developers of World's most secure, encrypted messaging app Signal in order to enhance its iPhone security that even it can not break.
If this is not enough, Apple is also working on encrypting iCloud backups that only the account owner would have access, eliminating either way for the FBI or hackers that could expose its users data.
33 percent of all HTTPS websites open to DROWN attack
2.3.2016 Computer Attack
Security experts presented the DROWN attack that exploits a new critical security vulnerability affecting the OpenSSL.
Security experts have discovered a new critical security vulnerability affecting the OpenSSL, it has been estimated that more than 11 Million websites and e-mail services are open to cyber attacks.
The new attack, dubbed DROWN (stands for Decrypting RSA with Obsolete and Weakened eNcryption), allow attackers to access users’ sensitive data over secure HTTPS communications.
“If you’re running a web server configured to use SSLv2, and particularly one that’s running OpenSSL (even with all SSLv2 ciphers disabled!), you may be vulnerable to a fast attack that decrypts many recorded TLS connections made to that box. Most worryingly, the attack does not require the client to ever make an SSLv2 connection itself, and it isn’t a downgrade attack. Instead, it relies on the fact that SSLv2 — and particularly the legacy “export” ciphersuites it incorporates — are pure poison, and simply having these active on a server is enough to invalidate the security of all connections made to that device.” states the high-level description of the attack.
The attack could be successfully carried out in a few hours and in some cases the attackers is able to decrypt traffic in a few seconds.
“We’ve been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440.” explained the researchers.
DROWN is a cross-protocol attack that exploits vulnerabilities in the SSLv2 implementation against transport layer security (TLS), the attacks doesn’t work against the SSLv2 connections.
DROWN exploits a bug in SSLv2 protocol implementation to attack the security of connections made under a different protocol, in this case, TLS.
By using the Bleichenbacher attack, threat actors can decrypt the private RSA keys and unlock “secure” servers that use the same private key.
The attacker just needs to send specially crafted malicious packets to a server to decrypt HTTPS connections.
“You’re just as much at risk if your site’s certificate or key is used anywhere else on a server that does support SSLv2,” security researchers noted. “Common examples include SMTP, IMAP, and POP mail servers, and secondary HTTPS servers used for specific web applications.”
A group of researchers from universities in Germany, the US and Israel alongside with two OpenSSL developers, have implemented the attack and demonstrated they can decrypt a TLS 1.2 handshake using 2048- bit RSA in under eight-hours using Amazon EC2, at a cost of $440.
The impact of the DROWN is serious, it has been estimated that more than 33 percent of all HTTPS servers is vulnerable to the attack, roughly 11.5 Million servers worldwide, including Alibaba, BuzzFeed, Flickr, Samsung, Sina, StumbleUpon, Weibo, Yahoo, and 4Shared.
The DROWN attack also works against Microsoft’s Internet Information Services versions 7 and earlier, as well as prior to 3.13 versions of the Network Security Services (NSS) Cryptographic library.
Users that want to test if a website is vulnerable to the DROWN attack can use the test.drownattack.com.
A patch for the vulnerability is already available in the last OpenSSL update.
Security experts have no doubts, now that the DROWN attack has been disclosed threat actors may actively exploit the flaw to attack servers.
Users need to update their OpenSSL to the newer versions 1.0.2g or 1.0.1s. In order to avoid the attack, it is possible to disable the SSLv2, as well as make sure that the private key isn’t shared across any other servers.
If you want to receive more details on the attacks give a look to the paper “DROWN: Breaking TLS using SSLv2” or give a look to the interesting post published by Matthew Green, a professor at Johns Hopkins University.
DROWN Attack — More than 11 Million OpenSSL HTTPS Websites at Risk
1.3.2016 Computer Attack
A new deadly security vulnerability has been discovered in OpenSSL that affects more than 11 Million modern websites and e-mail services protected by an ancient, long deprecated transport layer security protocol, Secure Sockets Layer (SSLv2).
Dubbed DROWN, the highly critical security hole in OpenSSL was disclosed today as a low-cost attack that could decrypt your sensitive, secure HTTPS communications, including passwords and credit card details…
...and that too in a matter of hours or in some cases almost immediately, a team of 15 security researchers from various universities and the infosec community warned Tuesday.
Here’s what the security researchers said:
"We've been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440."
What is DROWN Attack? How it Abuses SSLv2 to attack TLS?
DROWN stands for "Decrypting RSA with Obsolete and Weakened eNcryption."
DROWN is a cross-protocol attack that uses weaknesses in the SSLv2 implementation against transport layer security (TLS), and that can "decrypt passively collected TLS sessions from up-to-date clients."
While latest versions don't allow SSLv2 connections by default, administrators sometimes, unintentionally override those settings in an attempt to optimize applications.
"You’re just as much at risk if your site’s certificate or key is used anywhere else on a server that does support SSLv2," security researchers noted. "Common examples include SMTP, IMAP, and POP mail servers, and secondary HTTPS servers used for specific web applications."
DROWN attack could allow an attacker to decrypt HTTPS connections by sending specially crafted malicious packets to a server or if the certificate is shared on another server, potentially performing a successful Man-in-the-Middle (MitM) attack.
How Deadly is OpenSSL DROWN Attack?
drown-attack
More than 33 percent of all HTTPS servers are vulnerable to DROWN attack.
Although the critical flaw affects as many as 11.5 Million servers worldwide, some of Alexa's top websites, including Yahoo, Alibaba, Weibo, Sina, BuzzFeed, Flickr, StumbleUpon, 4Shared and Samsung, are vulnerable to DROWN-based MitM attacks.
Besides the open-source OpenSSL, Microsoft's Internet Information Services (IIS) versions 7 and earlier, as well as prior to 3.13 versions of the Network Security Services (NSS) Cryptographic library built into many server products are also open to DROWN attack.
How to Test DROWN OpenSSL Vulnerability?
You can find out if your website is vulnerable to this critical security hole using the DROWN attack test site.
However, the good news is that academic researchers uncovered the DROWN security hole and a patch for the vulnerability has already been made available with an OpenSSL update today.
The Bad news is that the DROWN attack can conduct just under a minute to exploit and now that the bug has been disclosed, it may be actively used by hackers to attack servers.
Here’s How to Protect Yourself:
OpenSSL 1.0.2 users are strongly advised to upgrade to OpenSSL 1.0.2g and OpenSSL 1.0.1 users are recommended to upgrade to OpenSSL 1.0.1s. And if you are using another version of OpenSSL for security, you should move up to the newer versions 1.0.2g or 1.0.1s.
In order to protect yourself against the DROWN attack, you should ensure SSLv2 is disabled, as well as make sure that the private key isn’t shared across any other servers.
Those already vulnerable to DROWN attack do not need to re-issue certificates but are recommended to take action in order to prevent the attack immediately.
SSLv2 dates back to the 1990s-era and is enabled accidentally or automatically while setting up a new server, which makes DROWN attacks work. It’s due to the support of weak ciphers that were added to all versions of SSL and TLS prior to 2000 as part of United States government's export regulations.
In fact, "secure" servers can also be hacked because they are on the same network as vulnerable servers. By using the Bleichenbacher attack, private RSA keys can be decrypted, which results in unlocking "secure" servers that use the same private key.
You can find more technical details and a list of the top vulnerable websites on the DROWN Attack website.
In addition, Matthew Green, a professor at Johns Hopkins University and famous cryptographer, has also published a blog post explaining how DROWN works.
Waiting for a court ruling, a New York Judge rejected FBI request to unlock an iPhone
1.3.2016 Apple
The federal magistrate Judge James Orenstein has ruled in favor of Apple, rejecting the FBI request to unlock an iPhone.
In the last weeks, we have followed the dispute between Apple and FBI regarding the possibility to unlock the iPhone used by one of the San Bernardino shooters.
The FBI required Apple to modify the iOS operating system running on the terrorist’s iPhone by creating a specific update to push into the device and that allows to disable security measures.
News of the day is the victory obtained by the Apple company in court against the Federal Bureau of Investigation, the federal magistrate Judge James Orenstein has ruled in favor of Apple, rejecting the request to oblige the giant of Cupertino to help the feds in accessing data stored from a locked iPhone in another criminal case.
The ruling was issued on Monday by the Judge Orenstein for the Eastern District of New York as part of the criminal case against Jun Feng, a man who was pleading guilty in October last year to drug charges.
Also in this case, the authorities seized the iPhone of the accused, but they were not able to access its content. The Drug Enforcement Administration (DEA) and the FBI decided to request the judgment of the court to obtain an order requiring Apple to unlock the device.
The law enforcement agencies invoked the “the authority of the All Writs Act of 1789,” an old law that states US authorities could bypass the iPhone’s security measures.
Orenstein rejected the request and argued that the government can not misuse the All Writs Act to force private companies to help access data stored in a locked device.
“As set forth below, I conclude that in the circumstances of this case, the government’s application does not fully satisfy the statute’s threshold requirements: although the government easily satisfies the statute’s first two elements, the extraordinary relief it seeks cannot be considered “agreeable to the usages and principles of law.” In arguing to the contrary, the government posits a reading of the latter phrase so expansive – and in particular, in such tension with the doctrine of separation of powers – as to cast doubt on the AWA’s constitutionality if adopted.” wrote Orenstein.
“Moreover, I further conclude that even if the statute does apply, all three discretionary factors weigh against issuance of the requested writ, and that the Application should therefore be denied as a matter of discretion even if it is available as a matter of law”
The All Writs Act isn’t the unique law invoked in this case, another important law, the Communications Assistance for Law Enforcement Act (CALEA) forbids any interference by government.
Waiting for a final rule for the San Bernardino, Apple is going on in its personal fight in defense of the users’ privacy. It has been reported that the company is already working on a new iPhone that is impossible to hack, even by Apple experts.
New York Judge Rules FBI Can't Force Apple to Unlock iPhone
1.3.2016 Apple
Apple Won a major court victory against the Federal Bureau of Investigation (FBI) in an ongoing legal battle similar to San Bernardino.
In a New York case, a federal magistrate judge has ruled in favor of Apple, rejecting the U.S. government’s request to force Apple to help the FBI extract data from a locked iPhone.
This ruling from United States Magistrate Judge James Orenstein for the Eastern District of New York is a significant boost to Apple’s pro-privacy stance to resist the agency’s similar efforts over unlocking iPhone 5C of an alleged San Bernardino terrorist.
The ruling [PDF] was issued on Monday as part of the criminal case against Jun Feng, who was pleaded guilty in October last year to drug charges.
The Drug Enforcement Administration (DEA) seized Feng’s iPhone 5 last year, but even after consulting the FBI, it was unable to access the iPhone. According to both the DEA and FBI, it’s impossible for them to overcome the security measures embedded in Apple’s iOS.
Thus, the government filed a legal motion seeking a court order requiring Apple to help in the investigation "under the authority of the All Writs Act of 1789" – the same old law the FBI is invoking in the San Bernardino case – so that the government could bypass the iPhone’s passcode security.
However, the company objected the order, noting that there were nine more criminal cases currently pending in which the U.S. government was seeking a similar court order.
Orenstein also disagrees to the government request for this ruling because it involved the wide interpretation of the All Writs Act that has been used to force private companies, like Apple, to comply with government requests for user information.
Ultimately, Judge Orenstein argued that the government can not misuse the All Writs Act to compel private companies to help extract information from locked devices that the government wants.
Here’s what Orenstein writes:
"The government posits a reading…so expansive—and in particular, in such tension with the doctrine of separation of powers—as to cast doubt on the All Writs Act’s constitutionality if adopted."
A different law, named the Communications Assistance for Law Enforcement Act (CALEA), explicitly forbids the type of interference government requested in this and the San Bernardino case.
What’s worth notable is that in the San Bernardino case, the FBI requires Apple to create a whole new mobile operating system for the terrorist’s iPhone, which is an even greater demand the law enforcement is pushing on Apple, than in this drug case.
However, the decision for the San Bernardino case is still pending. Apple is continuously fighting its legal battle against the FBI, so let's see who’ll win this battle over privacy: Apple or The FBI? What do you think? Know us in the comments below:
Two Years to General Data Protection Regulation Compliance
1.3.2016 Safety
The General Data Protection Regulation (GDPR) governs the use and privacy of EU citizens’ data and the Data Protection Directive governs the use of EU citizens’ data by law enforcement.
EU Data Protection Reform was put forward in January 2012 by the European Commission to make Europe fit for the digital age. At the last days of 2015, an agreement was found with the European Parliament and the Council, following final negotiations between the three institutions. This reform consists of the General Data Protection Regulation (GDPR), that governs the use and privacy of EU citizens’ data, and the Data Protection Directive, that governs the use of EU citizens’ data by law enforcement.
The General Data Protection Regulation (GDPR) as one of the instruments of this reform has finally been agreed after three years of discussion at many levels. It will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. According to European Commission:
“The General Data Protection Regulation will enable people to better control their personal data. At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.”
The new rules will come into force most likely in the first half of 2018. During the two-year transition phase, the Commission will inform citizens about their rights and companies about their obligations.
Therefore, companies have the opportunity to comply with the new legislation in two years transition time. It is suggested to take on the GDPR readiness initiative before the deadline approaches.
GDPR has considered a hefty fine for some infringements of up to 4% of annual worldwide turnover. The financial impact of the GDPR enforcement on businesses makes it clear why data protection issues must be considered more deeply in executive level of organizations unless this issue has been addressed earlier and there is an allocated budget for compliance with GDPR, buy-in from top management, and a designated roadmap, processes, and people that ensure the organization will meet the regulation in two-year’s time frame.
There are two building blocks for compliance with GDPR. Firstly, a map of data flow that visualize where data comes entered the organization and where it leaves the corporate perimeter. An independent privacy analyst, Chiara Rustici emphasizes that mapping data flow is not just mapping data storage, but data in transit, too.
“GDPR meaning of “data processing” also includes retrieving, consulting, organizing, structuring, aligning, combining, disseminating, disclosing by transmission or soft-deleting data as well as collecting, storing and destroying it,” She said.
Secondly, organization-wide awareness of data protection principles is an important necessity that can happen with the help of the HR or T&D department. It might require a year of campaigning to get everyone realize their role as “data processors” and “data controllers”. In addition, it takes considerable time to embed new data architecture into business and get everyone familiarized with it.
While two years seem a long time away, but organizations should move towards the compliance and start implementing required changes without undue delay.
Let’s close with the timeline of the EU Data Protection Regulation
January 2012 EC Vice-President, Commissioner Viviane Reding, published proposals to reform European data protection rules. This included a draft revised Data Protection Regulation.
May 2012 European Parliament committees began an exchange of views on the draft revised Data Protection Regulation.
July 2012 The first European Parliament working document was produced by lead rapporteur – MEP Jan Philipp Albrecht of the LIBE committee.
October-November 2012 The European Parliament led an inter-parliamentary hearing with national parliaments.
January 2013 A draft report and mark-up of the proposed regulation, based on earlier working documents, was released by Jan Philipp Albrecht.
March 2013 Opinions on Albrecht’s report and revised draft due from all other European Parliament advisory committees.
Autumn 2013 Informal negotiations between the European Parliament and the Council of the European Union. In October the LIBE Committee voted on a compromise text.
March 2014 The EU Parliament ran a plenary vote in first reading of the draft Regulation. and adopted the LIBE Committee’s compromise text.
May 2014 The Council met and produced a report. They reached a partial general approach on specific articles of the GDPR and held an orientation debate on the “one stop shop” mechanism.
October 2014 The Council reached a partial general approach on Chapter IV of the GDPR
March 2015 The Council reached a partial general approach on Chapters II, VI and VII.
Spring 2015 The Council continued to work at a technical level.
June 2015 The Council released their general approach. Trilogue negotiations between the three institutions are ongoing.
24 June Kick off trilogue meeting
14 July Second trilogue
17 December 2015 The EU General Data Protection Regulation was agreed.
2018 Revised Data Protection Framework is expected to come into force.
New HackingTeam OS X RCS spyware in the wild, who is behind the threat?
1.3.2016 Apple
A new OS X sample of the Hacking Team RCS has been detected in the wild, who is managing it? Is the HackingTeam back?
A group of malware researchers has discovered a new strain of Mac malware undetected my most security firm, but more intriguing is the speculation that the malicious code may have been developed by the Italian security firm HackingTeam.
Pedro Vilaça, a security researcher at SentinelOne, has published an interesting post titled “The Italian morons are back! What are they up to this time?” that analyzes a sample of OS X RCS recently received by the expert. Remote Control System, aka RCS, is the surveillance software developed by the Italian firm and used by a large number of government and intelligence agencies worldwide.
The sample was uploaded on February 4 to the VirusTotal which at the time confirmed that the malware wasn’t detected, meanwhile at the time I’was writing it has a detection rate of 15/55.
)The analysis of the new sample received by Vilaça revealed that the installer was last updated in October or November, and the configuration date for this sample is October 2015, a few months after the HackingTeam hack.
“First we locate the configuration file encryption key and then decrypt it. There we can find the configuration dates for this sample, 2015-10-16, confirming that this is indeed a post hack sample. The C&C server IP for this sample is 212.71.254.212. It’s already down and I didn’t verified if it was up before starting to tweet about this sample on last Friday” states Vilaça.
Still,Vilaça used the Shodan search engine and VirusTotal to perform further researches on the C&C server, he discovered that the machine referenced by this OS X RCS sample was still active in January.
What happened to HackingTeam after the clamorous data breach? At the time they promised to release a new version that they were telling was not affected by the hack. Is this really true?
The company announced to release a new version of its surveillance software, but the analysis of the source code of this new sample suggests that is has been compiled out of the leaked source code base, and apparently it hasn’t introduced new improvements.
“I can guarantee you that this sample code is coming from that code base, up to the last commit (there are probably newer commits after the leak). HackingTeam appears to have resumed their operations but they are still using their old source code for this. Of course there is a question of are they using both old and the new promised source code or were they just lying about it and resumed operations with old code since they are probably on a shortage of engineering “talent”? This is definitely a question their customers will have to ask them ;-).” continues the expert.
The expert concluded that the new strain of Mac malware is a very fresh sample that demonstrates that the HackingTeam is still alive and that is is operating under cover.
“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have show us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”
Another interesting analysis of this new sample of the RCS spyware has been published by Patrick Wardle, a cyber security expert at Synack. Wardle explained that the new sample is based on the old HackingTeam RCS code, but implements sophisticated techniques to evade detection and analysis.
Last summer, at Blackhat Wardle gave a presentation entitled Writing Bad @$$ Malware for OS X that provided suggestions as to how OS X malware could be improved, including the use of Apple’s native encryption scheme to protect malicious binaries.
“Diving in, the first thing we notice is that it is encrypted with Apple’s native OS X encryption scheme.” wrote Wardle. “… it’s nice to finally see some OS X malware that uses Apple’s native OS X encryption scheme, as well as custom packers. “
The expert noticed that the installer was “packed” with this technique to make hard reverse engineering and analysis.
At this point, there are two hypotheses on the origin of the sample:
Someone is maintaining and updating the code leaked in the HackingTeam hack.
HackingTeam is back, but it is still using old RCS code with a few improvements.
Let me close with the last update provided by Vilaça in his analysis.
“I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the leaked source code. Either someone is maintaining and updating HackingTeam code (why the hell would someone do that!?!?!) or this is indeed a legit sample compiled by HackingTeam themselves. Reusage and repurpose of malware source code happens (Zeus for example) but my gut feeling and indicators seem to not point in that direction.”
European police corps arrested operators behind darknets offering illegal products and services
1.3.3016 Crime
A coordinated operation of law enforcement agencies in 7 countries raided operators of darknets trading in illegal products and services.
A joint effort of law enforcement agencies in seven European countries (Germany, Bosnia, Switzerland, France, the Netherlands, Lithuania and Russia) allowed authorities to identify and arrest operators of darknet online platforms trading in illegal products and services, including drugs, fake IDs, weapons, and counterfeit money. According to the German authorities, nine suspects have been arrested by the police that targeted 69 homes and businesses in the seven countries.
The list of arrested suspects includes:
A 27-year-old Bosnian national which is considered the technical administrator of three darknets.
A 22-year-old German national who operated ran a trading platform specialized in the sale of illegal drugs.
Two Syrian brothers aged 19 and 28 in possess of 36 kilogrammesof amphetamine, 1.5 kg of cocaine, 2 kg of hashish and 2.3 kg of ecstasy pills.
Two German men aged 29 and 21, one of them is accused of the management of two illegal networks and an illegal streaming platform for pirated movies and sports shows.
Underground Cybercrime market - Darknets
The law enforcement seized 150,000 euros in cash and assets, servers in France, the Netherlands, Lithuania and Russia as well as several PCs and storage media, a firearm, and illegal drugs.
The German security services defined the operation as a “a major blow against the German-speaking underground economy and further proof that there is no complete anonymity on the Internet, including in the so-called darknet”.
German federal police and Frankfurt prosecutors revealed that the suspects exploited darknets to sell illegal drugs (amphetamines, cannabis, cocaine, ecstasy and heroin) and counterfeit documents from German, the Netherlands and Italy.
The criminal organization was also offering for sale stolen credit card data, online banking and webservice login credentials, and was also able to provide illegal services such as botnet for rent and hacking services.
This is another success of a shared operation of law enforcement.
CTB-Locker is back: the web server edition
1.3.2016 Zdroj: Kaspersky Virus
Cryptolockers have become more and more sophisticated, bypassing system protections and terrifying anyone in their path. TeslaCrypt, CryptoWall, TorrentLocker, Locky and CTB-Locker are only some of the malware we have protected from for the past two years. We have seen many shapes and colors of cryptolockers, but the new CTB-Locker variant says it all. The world of cybercriminals is investing in how to reinvent cryptolockers.
Before, CTB-Locker, or Onion Ransomware, differed from other ransomware in the usage of the Tor Project’s anonymity network to shield itself from takedown efforts that rely largely on static malware command and control servers. Its use of Tor also helped evading detection and blocking. Another thing that protected CTB-Locker controllers was accepting as payment only Bitcoins, the decentralized and largely anonymous crypto-currency known.
A new variant of the CTB-Locker targets web servers only, and to our knowledge it has already successfully encrypted web-root files in more than 70 servers located in 10 countries.
In this blogpost I will take you into the “lion’s den”, after victims were kind enough to share the cryptors that had been deployed into their web servers.
Step 1: defacement
This new variant aims to encrypt web servers and demand less than half a bitcoin as a ransom (~150 USD). If payment isn’t sent on time the ransom is doubled to approximately 300 USD. When paid, the decryption key is generated and is used to decrypt the web server’s files.
It has become clear that the web servers infected with this variant were targeted due to a security hole in their web server. Once exploited, the website is defaced. Defacement is a well-known method for hacking groups to show their victims they mean business. The most recent cases we’ve witnessed are not random, but mostly about political affiliations and cultural perspectives.
In this case, the defacement, which contains a replacement of the main php/html page, is used as the message carrier and contains all the means necessary for the attack to leave the right impression on the victim. We will deep-dive into it in the next steps.
It is important to mention that the original code is not deleted. It is stored safely in the web root with a different name in an encrypted state.
The message
As variants of malware of this kind are based on the simple fact that a victim cares more about his content than about paying a ransom, the authors usually leave a very detailed message for everyone to see.
The following quote is a part of the information that is left on the main page:
The decryption key is stored on a remote server, but the attackers were “kind enough” to allow the victim to decrypt two files free, as a sign of authenticity.
The other function that exists on the attacked website allows the victim to communicate with the attacker via chat: it requires a personal signature/code which is available for victims only.
At the moment, no decryption tool exists in the wild, thus there is no way to decrypt the files encrypted by the new CTB-Locker. The only way to remove this threat in a matter of seconds is to keep file backups in a separate location.
Although this seems like a big concern, we tend to believe that it is not. Large websites tend to have multiple versions of their content, spreading over a number of webservers. In many other cases, they are supervised and tested by professional security penetration testing firms and so are constantly under the magnifier.
Step 2: encryption process
We still don’t know how the CTB-Locker is being deployed on web servers, but there is one common thing among many of the attacked servers – they use the WordPress platform as a content management tool. WordPress contains many vulnerabilities in its non-updated versions and we already seen critical vulnerabilities presented last year. In addition, WordPress also has another weak spot – plugins. Those tiny enhancement features helps WordPress become what it is – a leader in the world of CMS. However, having third party plugins also makes the server more vulnerable to attacks, as plugin authors are not committed to any type of security measurements.
Once the malware author is inside WordPress system, he is able to replace the main website file and execute the encryption routine. The main file is renamed and saved in an encrypted state.
Two different AES-256 keys are deployed to the victim server:
create_aes_cipher($keytest) – encrypts the two files which can be decrypted free.
create_aes_cipher($keypass) – encrypts the rest of the files hosted on the server web root.
The two files are chosen by the authors and their names are saved in a text file.
The create_aes_cipher() accepts one parameter as the key and sends it to the standard Crypt_AES() function:
function create_aes_cipher($key) {
$aes = new Crypt_AES();
$aes->setKeyLength(256);
$aes->setKey($key);
return $aes;
}
1
2
3
4
5
6
function create_aes_cipher($key) {
$aes = new Crypt_AES();
$aes–>setKeyLength(256);
$aes–>setKey($key);
return $aes;
}
When encrypting the site, the script first uses the test key to encrypt the two files that will be used for free decryption. It will then generate a list of files that match specific file extensions and encrypt them using AES-256 encryption. The extensions that will be encrypted are read from the ./extensions.txt file and are currently:
Files that contain the following strings will be excluded from the encryption process:
“/crypt/”
“secret_”
In addition, files which are populated with data that will later assist the user with the decryption process would obviously be excluded as well.
./index.php – as described above, this file is the main door for the victim to analyze the attack and contains PHP code of the encryption/decryption routine.
./allenc.txt – contains a list of all encrypted files.
./test.txt – contains the files which are freely available for decryption.
./victims.txt – contains a list of all the files that are being encrypted or have already been encrypted.
./extensions.txt – contains the list of file extensions (see above).
./secret_ – as said, the victim is required to identify himself before the free decryption or chat is even possible.
On the main page of the CTB-Locker, attackers are using JQUERY to query proxy servers and verify payments. The following code was found in the page source code and the servers listed on the top are proxies which are used as another layer of protection, instead of the main server of the attackers:
Proxy servers which are part of the decryption process:
http://erdeni.ru/access.php
http://studiogreystar.com/access.php
http://a1hose.com/access.php
The ransomware servers are not permanent and are being replaced by new ones every certain period of time. We have identified the threat actor inspecting the server logs and analytics, as sometimes different checks resulted in the server shutting down and turned back on.
Step 3: proxy to C&C
The attackers are utilizing servers which were already attacked to traffic through another layer of protection. On a victim server’s source code, a JavaScript code reveals how the decryption process is sent through three different servers randomly, however those are not the C&C.
The above screenshot was taken from the access.php page, supposedly located in each one of the bot servers used as a proxy for the decryption process.
In white block is the actual C&C which has been hardcoded on each of the PHP pages (access.php).
When POST request is being sent with the right parameters, a socket instance is being created and sends a connect beam to the attacker’s C&C server. Later it is being determined if the decryption process succeeded.
Free decrypt
The ransomware allows the victim to freely decrypt not more than two files. It is not for the victim to choose, since the files are pre-chosen and can be found in the malware’s designated file as listed above. The two files are randomly picked during the course of the encryption process.
The following image is an illustration of the free decrypt module:
In order to decrypt the two free files, the victim is required to enter the secret_ file name. Once you click the DECRYPT IT FREE button, the client-side script builds a POST request and sends it to one of the C&C servers. We were able to imitate the PHP calculation and run the exit() function of the free decryption routine:
The following is the PHP code at the back-end. The function secret_ok() verifies the identity of the victim, based on his domain name and other indicators:
if (isset($_GET[‘dectest’]) && secret_ok()) {
decrypt_files(‘test.txt’, $_GET[‘dectest’]);
exit(‘Congratulations! TEST FILES WAS DECRYPTED!!’);
}
1
2
3
4
if (isset($_GET[‘dectest’]) && secret_ok()) {
decrypt_files(‘test.txt’, $_GET[‘dectest’]);
exit(‘Congratulations! TEST FILES WAS DECRYPTED!!’);
}
Threat actor’s chat room
The ransomware also includes functionality to communicate with the malware authors. As already said, the victim is required to use the secret_ key in order to open the chat. Without it, the chat will remain unresponsive.
We have come to the conclusion that ransomware is the new-generation malware for an attacker interested in financial gain. They are very effective, there is no solid solution against this threat thus far, and they are flexible to attack not only desktop operating systems, but now web servers as well.
We urge anyone to backup all important data; and to be cautious about emails which are not specifically meant for the user, or attractive ads that appear online. In addition, third party software must not be trusted automatically by its hash. This identifier can be changed by an attacker once a server has been compromised. Be sure to use other routine checks to ensure that the software is legitimate.