For malware writers, Google Play is the promised land of sorts. Once there, a malicious application gains access to a wide audience, gains the trust of that audience and experiences a degree of leniency from the security systems built into operating systems. On mobile devices, users typically cannot install applications coming from sources other than the official store, meaning this is a serious barrier for an app with malicious intent. However, it is far from easy for the app to get into Google Play: one of the main conditions for it is to pass a rigorous check for unwanted behavior by different analysis systems, both automatic and manual.
Some malware writers have given up on their efforts to push their malicious creations past security checks, and instead learned how to use the store's client app for their unscrupulous gains. Lately, we have seen many Trojans use the Google Play app during promotion campaigns to download, install and launch apps on smartphones without the owners' knowledge, as well as leave comments and rate apps. The apps installed by the Trojan do not typically cause direct damage to the user, but the victim may have to pay for the excess traffic they generate. In addition, the Trojans may download and install paid apps as if they were free ones, further adding to the users' bills.
In early June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles, using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations, including banks. For Kaspersky Lab, these arrests marked the culmination of a six-year investigation by the company’s Computer Incidents Investigation team. We are pleased that the police authorities were able to put the wealth of information we accumulated to good use: to detain suspects and, most importantly, to put an end to the theft. We ourselves gained more knowledge from this investigation than from any other. This article is an attempt to share this experience with other experts, particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks.
Google has said it will not fix a potential security flaw that could trick a user into downloading malware from its login window.
The company told security researcher Aidan Woods it "made the decision not to track" his bug bounty submission as a vulnerability.
Woods explained on his blog that Google's login screen allows an app or service to redirect to a page after the user signs in.
Last month ESET researchers wrote an article about a new OS X malware called OSX/Keydnap, built to steal the content of OS X's keychain and maintain a permanent backdoor. At the time of the analysis, it was unclear how victims were exposed to OSX/Keydnap. To quote the original article: "It could be through attachments in spam messages, downloads from untrusted websites or something else."
In the last few hours, OSX/Keydnap was found being distributed from a trusted website, which turned out to be the "something else". It spread via a recompiled version of the otherwise legitimate open source BitTorrent client Transmission, distributed from the project's official website.
A destructive ransomware program deletes files from web servers and asks administrators for money to return them, though it's not clear if attackers can actually deliver on this promise.
Dubbed FairWare, the malicious program is not the first ransomware threat to target Linux-based web servers but is the first to delete files. Another program called Linux.Encoder first appeared in November and encrypted files, but did so poorly, allowing researchers to create recovery tools.
After attackers hack a web server and deploy FairWare, the ransomware deletes the entire web folder and then asks for two bitcoins (around US$1,150) to restore them, Lawrence Abrams, the founder of tech support forum BleepingComputer.com, said in a blog post.
Thousands of remote villagers in Guatemala and South Africa are living off the grid, but their personal information isn't.
Chris Vickery, lead security researcher of the MacKeeper security research team, discovered an unprotected database with no password over two months ago. Anyone who knew the database was there could access more than 40 gigabytes of customer data.
Attackers can add an arbitrary page to the end of a Google login flow that can steal users' credentials, or alternatively send users an arbitrary file any time a login form is submitted, due to a bug in the login process.
A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don't consider it a security issue. The bug results from the fact that the Google login page accepts a specific GET parameter that is only weakly validated.
“Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check,” Aidan Woods, the researcher who discovered the bug, wrote in an explanation of the flaw.
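A defensive illustration of the point above, added here and not taken from Woods' write-up or from Google: a post-login redirect parameter such as `continue` should be checked by parsing the URL and matching the host against an allow-list, not by a prefix test. The hosts, the `weak_prefix_check` function and the sample values are hypothetical; `weak_prefix_check` stands in for a naive check of the kind that lets lookalike hosts through, and is not a description of Google's actual check.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts a login flow may hand the user back to.
ALLOWED_HOSTS = {"accounts.example.com", "mail.example.com"}
LOGIN_ORIGIN = "https://accounts.example.com"


def weak_prefix_check(value: str) -> bool:
    """Hypothetical naive check: accept anything that starts with our origin.

    This is the kind of 'basic check' that fails, because a string prefix says
    nothing about which host the browser will actually connect to.
    """
    return value.startswith(LOGIN_ORIGIN) or value.startswith("/")


def is_safe_continue(value: str) -> bool:
    """Accept only a root-relative path or an https URL on an allow-listed host."""
    if not value:
        return False
    # Control characters and backslashes are rejected outright: some browsers
    # normalise '\' to '/', which would turn '/\evil' into '//evil'.
    if any(ord(c) < 0x20 for c in value) or "\\" in value:
        return False
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # A relative target must be root-relative; '//host/path' is
        # protocol-relative and has a netloc, so it never reaches this branch.
        return value.startswith("/") and not value.startswith("//")
    if parts.scheme.lower() != "https":
        # Rejects http:, javascript:, data: and anything else non-https.
        return False
    # urlsplit().hostname strips userinfo and port and lowercases the host, so
    # 'https://accounts.example.com@evil.example/' resolves to 'evil.example'.
    host = parts.hostname or ""
    return host in ALLOWED_HOSTS


def resolve_continue(value: str, default: str = "/") -> str:
    """Return the redirect target to use after login, falling back to a safe default."""
    return value if is_safe_continue(value) else default


if __name__ == "__main__":
    # Constructed sample values: two benign, the rest attempts to leave the site.
    for sample in ("/settings?tab=security",
                   "https://mail.example.com/inbox",
                   "//evil.example/",
                   "https://accounts.example.com.evil.example/",
                   "https://accounts.example.com@evil.example/",
                   "javascript:alert(1)"):
        print(f"{sample!r:50} weak={weak_prefix_check(sample)!s:5} strict={is_safe_continue(sample)}")
```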
More than one million consumer web-connected video cameras and DVRs are compromised by bot herders who use the devices for DDoS attacks, researchers say.
According to Level 3 Threat Research Labs, a small malware family that goes by the names Lizkebab, BASHLITE, Torlus and Gafgyt is behind a web of botnets carrying out the attacks.
“This research shocked us,” said Dale Drew, chief security officer at Level 3 Communications. “We picked fairly well-known and average botnets and challenged ourselves to find as many interesting things as we could. At a high level we were surprised. When we looked at BASHLITE malware, for example, we found it was tied to botnets far more organized and structured than we had previously thought.”
The profile of attacks on two US state voter registration systems this summer presented in an FBI "Flash" memo suggests that the states were hit by a fairly typical sort of intrusion. But an Arizona official said that the Federal Bureau of Investigation had attributed an attack that succeeded only in capturing a single user's login credentials to Russian hackers and rated the threat from the attack as an "eight on a scale of ten" in severity. An Illinois state official characterized the more successful attack on that state's system as "highly sophisticated" based on information from the FBI.
In the past, casinos would employ agents to observe gamblers' behaviour and watch out for cheats, but now technology is playing a role.
BBC Click's Dan Simmons was offered a rare opportunity to find out how one casino uses its own technology to catch cheats.
The Locky ransomware family has emerged as one of the most prominent ransomware families to date, being sold in the Brazilian underground and spreading via various exploits. Locky has, over time, become known for using a wide variety of tactics to spread–including macros, VBScript, WSF files, and now, DLLs.
Recently we encountered a new Locky variant (detected as RANSOM_LOCKY.F116HM) that used old tactics on the surface, but with some key technical changes. The emails that were used to distribute it were fairly pedestrian as far as these messages go, although it was part of a large-scale spam campaign.
The FBI is urging US election officials to increase computer security after it uncovered evidence that hackers have targeted two state election databases in recent weeks, according to a confidential advisory.
The warning was in an August 18 flash alert from the FBI's Cyber Division. Reuters obtained a copy of the document.
Yahoo News first reported the story on Monday, citing unnamed law-enforcement officials who said they believed foreign hackers caused the intrusions.
In 2013, a document leaked by former National Security Agency contractor Edward Snowden illustrated how a specially modified USB device allowed spies to surreptitiously siphon data out of targeted computers, even when they were physically severed from the Internet or other networks. Now, researchers have developed software that goes a step further by turning unmodified USB devices into covert transmitters that can funnel large amounts of information out of similarly "air-gapped" PCs.
The USBee—so named because it behaves like a bee that flies through the air taking bits from one place to another—is in many respects a significant improvement over the NSA-developed USB exfiltrator known as CottonMouth. That tool had to be outfitted with a hardware implant in advance and then required someone to smuggle it into the facility housing the locked-down computer being targeted. USBee, by contrast, turns USB devices already inside the targeted facility into a transmitter with no hardware modification required at all.
Cyber threats today are no longer restricted to a company’s communications and IT domains, calling for more than just technical controls to avert attacks and protect the business from future risks and breaches, a new report said. According to the joint report of the Confederation of Indian Industry (CII) and KPMG, cyber security today embraces multiple units of an organization like human resource, supply chain, administration and infrastructure. It, therefore, requires governance at the highest levels. “It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust,” said Richard Rekhy, Chief Executive Officer, KPMG, India.
Pacemakers, defibrillators and other medical devices made by a leading medical equipment maker are vulnerable to potentially "catastrophic" cyberattacks. Tens of thousands of cardiac devices made by St. Jude Medical can be attacked with relatively little effort, according to a report released by private equity firm Muddy Waters Capital with help from medical researchers at MedSec.
The report claims major cybersecurity flaws are riddled throughout St. Jude Medical's device portfolio and are tied to the company's Merlin@home home monitoring units, which "greatly open up the STJ ecosystem to attacks," according to the report (PDF) released Thursday.
“These units (Merlin@home) are readily available on Ebay, usually for no more than $35. Merlin@homes generally lack even the most basic forms of security, and as this report shows, can be exploited at every level of the technology stack of St. Jude’s Cardiac Devices,” authors of the report wrote.
Three zero-day vulnerabilities in Apple’s iOS mobile operating system are being exploited in the wild in targeted attacks. The vulnerabilities, collectively dubbed “Trident”, can be exploited by attackers to remotely jailbreak Apple iOS devices and install malware.
In March 2013, a coalition of spammers and spam-friendly hosting firms pooled their resources to launch what would become the largest distributed denial-of-service (DDoS) attack the Internet had ever witnessed. The assault briefly knocked offline the world’s largest anti-spam organization, and caused a great deal of collateral damage to innocent bystanders in the process. Here’s a never-before-seen look at how that attack unfolded, and a rare glimpse into the shadowy cybercrime forces that orchestrated it.
The following are excerpts taken verbatim from a series of Skype and IRC chat room logs generated by a group of “bullet-proof cybercrime hosts” — so called because they specialized in providing online hosting to a variety of clientele involved in spammy and scammy activities.
The Japanese government will set up an institute during the next fiscal year to train specialists to counter cyberattacks on electricity distribution and other important infrastructure systems.
Prime Minister Shinzo Abe’s government plans to allocate funds for the program in an extra budget soon to be compiled as it seeks to prevent a large-scale blackout during the Tokyo Olympics and Paralympics in 2020 or leaks of sensitive information on power plant designs, a government source said.
The European Commission is currently working on major updates to existing copyright legislation, to reform copyright law to reflect digital content. One feature of this reform would allow media outlets to request payment from search engines, such as Google, for publishing snippets of their content in search results.
The working paper recommends the introduction of an EU law that covers the rights to digital reproduction of news publications. This would essentially make news publishers a new category of rights holders under copyright law, thereby ensuring that “the creative and economic contribution of news publishers is recognized and incentivized in EU law, as it is today the case for other creative sectors.”
A new ransomware called Fantom was discovered by AVG malware researcher Jakub Kroustek that is based on the open-source EDA2 ransomware project. The Fantom Ransomware uses an interesting feature of displaying a fake Windows Update screen that pretends Windows is installing a new critical update. In the background, though, Fantom is secretly encrypting a victim's files without them noticing.
Unfortunately, there is currently no way to decrypt files affected by the Fantom Ransomware, and the usual methods for recovering keys from EDA2-based ransomware do not work with this variant. For those who wish to discuss this ransomware or need support, you can use the Fantom Ransomware Help Support Topic.
On Aug. 23, 2016, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before. To add more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post newspaper reported the theft of 12 million baht from ATMs at banks in Thailand.
In this blog, FireEye Labs dissects this new ATM malware that we have dubbed RIPPER (due to the project name “ATMRIPPER” identified in the sample) and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand.
On Thursday, a federal jury in Seattle found Roman Seleznev guilty of stealing millions of credit card numbers and selling them online to other fraudsters. Seleznev, 32, is the son of Russian Parliament member Valery Seleznev.
Seleznev, who occasionally went by the moniker "Track2" online (a reference to one of the information strips on the back of a magnetic stripe card), had been hacking into restaurant and retail Point of Sale (PoS) systems since at least October 2009 and continued until October 2013.
According to a 2014 indictment from the Department of Justice, Seleznev and potentially others who are unknown to the investigators “developed and used automated techniques, such as port scanning, to identify computers and computer systems that were connected to the Internet [and] were dedicated to or involved with credit processing by retail businesses.”
In order to help webmasters better protect their websites and users, Mozilla has built an online scanner that can check if web servers have the best security settings in place.
Dubbed Observatory, the tool was initially built for in-house use by Mozilla security engineer April King, who was then encouraged to expand it and make it available to the whole world.
She took inspiration from the SSL Server Test from Qualys' SSL Labs, a widely appreciated scanner that rates a website's SSL/TLS configuration and highlights potential weaknesses. Like Qualys' scanner, Observatory uses a scoring system from 0 to 100 -- with the possibility of extra bonus points -- which translates into grades from F to A+.
On Friday, Opera, the Norwegian company responsible for the popular browser, warned users that the Opera Sync service might have been compromised. In response, the company issued a forced password reset for all Sync users.
Opera sent the emails to its Sync user base after it detected "signs of an attack where access was gained to the Opera sync system," the company said.
"This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised."
Skyhigh Networks, Inc., announced today that it has received a patent for using a hosted gateway to encrypt and decrypt data moving between users and cloud services such as Office 365, but some experts say that the technology is neither new nor unique.
In a span of one to two weeks, three new open source ransomware strains have emerged, which are based on Hidden Tear and EDA2. These new ransomware families specifically look for files related to web servers and databases, which could suggest that they are targeting businesses.
Both Hidden Tear and EDA2 are considered the first open source ransomware created for educational purposes. However, they were quickly abused by cybercriminals. RANSOM_CRYPTEAR.B is one of the many Hidden Tear spinoffs; it infects systems when users access a hacked website from Paraguay. Magic ransomware (detected as RANSOM_MEMEKAP.A), based on EDA2, came soon after CRYPTEAR.B's discovery.
One factor that contributed to the proliferation of this ransomware type is the ease and convenience it offers to cybercriminals—they don't have to be technically skilled to build their own ransomware from scratch. Before the source code of Hidden Tear and EDA2 was taken down, it was publicly available and cybercriminals only had to modify it to suit their needs.
Years after a catastrophic data breach brought Sony's PlayStation Network to its knees, the company has finally implemented two-factor authentication to limit the risk of such a disaster happening again.
PlayStation and PSP owners who have signed up to the network can now enable two-factor authentication on their accounts. Two-factor authentication (2FA) goes beyond the traditional password and permits users to connect their accounts to mobile devices -- and when they wish to access their account, a code is sent to their smartphone or tablet which must also be submitted.
While this extra step is voluntary, 2FA does make compromising accounts more difficult as cyberattackers would also need to compromise your mobile device or be able to capture these codes, which means brute-force attacking user and password credentials would not be enough on its own.
Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.
The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
VMware this week patched a single vulnerability that pops up in two of its products that allows an attacker to elevate privileges on a compromised machine.
The virtualization company patched CVE-2016-5335 in its Identity Manager and vRealize Automation software.
“Exploitation of this issue may lead to an attacker with access to a low-privileged account to escalate their privileges to that of root,” VMware said in advisory VMSA-2016-0013.
A group of academic researchers have figured out how to use off-the-shelf computer equipment and a standard Wi-Fi connection to sniff out keystrokes coming from someone typing on a keyboard nearby. The keystroke recognition technology, called WiKey, isn’t perfect, but is impressive with a reported 97.5 percent accuracy under a controlled environment.
WiKey is similar to other types of motion and gesture detection technologies such as Intel’s RealSense. But what makes WiKey unique is that instead of recognizing hand gestures and body movement, it can pick up micro-movements as small as keystrokes.
Android/Twitoor is a backdoor capable of downloading other malware onto an infected device. It has been active for around one month. This malicious app can't be found on any official Android app store – it probably spreads by SMS or via malicious URLs. It impersonates a porn player or MMS application, but without providing their functionality.
After launching, it hides its presence on the system and checks the defined Twitter account at regular intervals for commands. Based on received commands, it can either download malicious apps or switch the C&C Twitter account to another one.
“Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet,” says Lukáš Štefanko, the ESET malware researcher who discovered the malicious app.
France and Germany are to ask the EU for new powers that could see state intelligence agencies compel makers of mobile messaging services to turn over encrypted content.
The two member states have both suffered numerous terrorist attacks in the past year and a half, with hundreds killed by the so-called Islamic State group, and argue that their intelligence agencies are struggling to intercept messages from criminals and suspected terrorists.
Many mobile messaging providers, like WhatsApp, Apple's iMessage, and Telegram, all provide end-to-end encrypted messaging to thwart spying by both hackers and governments alike.
Scientists at MIT claim to have created a new wireless technology that can triple Wi-Fi data speeds while also doubling the range of the signal. Dubbed MegaMIMO 2.0, the system will shortly enter commercialisation and could ease the strain on our increasingly crowded wireless networks.
Spectrum crunch is a huge problem for network operators, caused by a growing number of smartphones, laptops and other internet-enabled devices combined with a limited amount of space on the networks they're connected to.
Multiple-input-multiple-output technology, or MIMO, helps networked devices perform better by combining multiple transmitters and receivers that work simultaneously, allowing them to send and receive more than one data signal at the same time. MIT's MegaMIMO 2.0 works by allowing several routers to work in harmony, transmitting data over the same piece of spectrum.
Cisco today began the process of patching a zero-day vulnerability in its Adaptive Security Appliance (ASA) software exposed in the ShadowBrokers data dump.
Users on affected versions of ASA, 7.2, and 8.0 through 8.7, are urged to migrate soon to 9.1.7(9) or later. Newer versions that are also implicated—9.1 through 9.6—are expected to be updated in the next two days in some cases.
“We have started publishing fixes for affected versions, and will continue to publish additional fixes for supported releases as they become available in the coming days,” Cisco’s Omar Santos said today in an updated advisory.
Many Asian organisations are badly defended against cyber-attacks, a year-long investigation by US security company Mandiant indicates.
The median time between a breach and its discovery was 520 days, it says. That is three times the global average.
Asia was also 80% more likely to be targeted by hackers than other parts of the world, the report said.
It said an average of 3.7GB in data had been stolen in each attack, which could be tens of thousands of documents.
However, the bulk of the incidents were not made public because the region lacks breach disclosure laws.
Mandiant, a FireEye company, said it had responded to a number of high profile breaches in 2015, finding that organisations in the Asia-Pacific region were frequently unprepared to identify and respond to such events in a timely manner.
In its latest report, Mandiant M-Trends Asia Pacific, the cyberforensics firm found that organisations across APAC allowed attackers to dwell in their environments for a median period of 520 days before discovering them -- three times the global median of 146 days.
"In 2015, we continued to see heightened levels of cyber threat activity across APAC," the report says. "We surmise that this is likely fuelled by regional geopolitical tensions, relatively immature network defences and response capabilities, and a rich source of financial data, intellectual property, and military and state secrets."
Earlier this year, Opera launched its free and unlimited VPN service for iOS; today it is bringing the same functionality to Android. Like the iOS version, the Android app is based on Opera’s acquisition of SurfEasy in 2015 and allows you to surf safely when you are on a public network.
While Opera’s marketing mostly focuses on safety, Opera VPN also allows you to appear as if you are in the U.S., Canada, Germany, Singapore and The Netherlands, so it’s also a way to route around certain geo-restrictions without having to opt for a paid service.
In addition to its VPN features, the service also allows you to block ad trackers. Somewhat ironically, though, the app itself will show you some pretty unintrusive ads.
“The Opera VPN app for Android sets itself apart from other VPNs by offering a completely free service without a data limit, no login required, advanced WiFi protection features and no need for a subscription,” says Chris Houston, the president of Opera’s SurfEasy VPN division, in today’s announcement.
RC4 apparently is no longer the lone pariah among smaller cryptographic ciphers. Already broken and set for deprecation by the major browser and technology makers, RC4 could shortly have company in Triple-DES (3DES) and Blowfish.
Researchers are set to present new attacks against 64-bit block ciphers that allow for the recovery of authentication cookies from 3DES-protected traffic in HTTPS and the recovery of usernames and passwords from OpenVPN traffic, which uses Blowfish by default.
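The arithmetic behind why a 64-bit block size is the problem, worked here as an added illustration rather than taken from the researchers' paper. For a block cipher with block size $b$ bits used in CBC mode under one key, the birthday bound says that after $q$ encrypted blocks the probability of two ciphertext blocks colliding is roughly

$$P(\text{collision}) \approx \frac{q^2}{2^{b+1}},$$

so a collision becomes likely around $q \approx 2^{b/2}$ blocks. In CBC, $C_i = E_K(P_i \oplus C_{i-1})$, so a collision $C_i = C_j$ with $i \neq j$ gives

$$P_i \oplus C_{i-1} = P_j \oplus C_{j-1} \quad\Longrightarrow\quad P_i \oplus P_j = C_{i-1} \oplus C_{j-1}.$$

The right-hand side is visible on the wire, so if $P_j$ is known (for example attacker-controlled page content on a session where a cookie is resent in every request) then $P_i$, the cookie block, is recovered. For $b = 64$ (3DES, Blowfish) this needs about $2^{32}$ blocks of 8 bytes, i.e. $2^{35}$ bytes $= 32$ GiB of traffic under a single key, which a long-lived HTTPS or VPN session can reach. For $b = 128$ (AES) the same bound is $2^{64}$ blocks, about $2^{68}$ bytes, which is why the attacks do not carry over to AES and why re-keying or moving off 64-bit ciphers is the mitigation.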
Victims of the Wildfire ransomware can get their encrypted files back without paying hackers for the privilege, after the No More Ransom initiative released a free decryption tool.
No More Ransom runs a web portal that provides keys for unlocking files encrypted by various strains of ransomware, including Shade, Coinvault, Rannoh, Rakhn and, most recently, Wildfire.
Aimed at helping ransomware victims retrieve their data, No More Ransom is a collaborative project between Europol, the Dutch National Police, Intel Security, and Kaspersky Lab.
A Tibetan search engine, backed by the Chinese authorities, has been launched.
Yongzim claims to be better at handling complex searches involving several words in the language than any alternative.
But a spokesman for the government in exile, the Central Tibetan Administration, told the BBC it viewed it as a "platform to promote propaganda to legitimise the illegal occupation of Tibet."
Tibet is governed as an autonomous region of China. Beijing claims a centuries-old sovereignty over the Himalayan region, yet the allegiances of many Tibetans lie with the exiled spiritual leader, the Dalai Lama, seen by China as a separatist threat.
Exile groups and non-governmental organisations (NGOs) around the world accuse Beijing of suppressing the region's culture and tradition with the Tibetan language being a big part of it.
From April 1, 2015, through March 31, 2016, Imperva Incapsula mitigated an average of 445 attacks per week targeting its customers. As evidenced by the graph below (figure 1), over that period the number of both network and application layer attacks doubled during the year.
Application layer assaults accounted for the majority (60 percent). But looking closer, their relative number has been trending downward—dropping by more than five percent year over year. If this continues, network layer attacks could be as commonplace as their application layer counterparts by 2018.
Juniper has confirmed that an initial analysis of malware linked to the National Security Agency appears to affect its firewalls.
But the company said it would not release a security advisory or patches until it knew exactly what it was dealing with.
A group calling itself the Shadow Brokers claimed to have stolen a set of hacking tools from a group dubbed the Equation Group. The Shadow Brokers described the tools as "cyber weapons" used to attack targets running vulnerable networking hardware, allowing its operators to conduct surveillance.
Be they disaffected insiders or victims of blackmail, staff at telecommunications firms are providing cybercriminals with the information required to carry out cyberattacks against their employers.
With the sector a top target for hackers -- as demonstrated by last year's TalkTalk hack -- Kaspersky Lab's Threat Intelligence Report for the Telecommunications Industry warns telecoms providers that they need to do more to protect themselves from cyber threats, from both outside and inside their networks.
According to the report, 28 percent of all cyberattacks and 38 percent of all targeted attacks involve malicious activity by company insiders -- although not everyone involved in passing corporate credentials and other inside information to hackers is a willing participant in the criminal schemes.
The days of the Nexus 5 and 2013 Nexus 7 receiving the latest version of Android are officially over with the release of Android 7.0 Nougat.
Android 7.0 will be rolling out over the next few weeks to the Nexus 6, Nexus 5X, Nexus 6P, Nexus 9, Nexus Player, Pixel C, and General Mobile 4G (Android One). The LG-made Nexus 5, which launched with Android 5.0 Lollipop in late 2013, and the Asus-made 2013 Nexus 7, which launched with Android 4.3 Jelly Bean in July 2013, will be parked for good at Android 6.0 Marshmallow.
Multitasking may be the way of the connected world, but as it turns out, it’s not conducive to secure behavior online.
Academics from Brigham Young University and the University of Pittsburgh came to that conclusion after using functional magnetic resonance imaging (fMRI) to study how the brain reacts to dealing with more than one task simultaneously. The experiments were conducted under the context of browser-based security alerts and determined that poorly timed popup alerts are largely ignored.
GozNym’s Euro trip rolls on. Fresh from targeting banks in Poland, the banking Trojan has reportedly begun taking aim at banks in Germany.
For many, August marks the long, dog days of summer, but the developers behind GozNym appear to be working hard. According to numbers published by IBM's X-Force team this week, researchers have seen a 3,550 percent hike in the Trojan this month over the numbers it saw in July. The surge marks a 526 percent rise when compared to the total number of attacks since the Trojan first appeared.
Recently released code that exploits Cisco System firewalls and has been linked to the National Security Agency can work against a much larger number of models than many security experts previously thought.
An exploit dubbed ExtraBacon contains code that prevents it from working on newer versions of Cisco Adaptive Security Appliance (ASA), a line of firewalls that's widely used by corporations, government agencies, and other large organizations. When the exploit encounters ASA 8.4(5) or newer, it returns an error message and stops. Now researchers say that with a nominal amount of work, they were able to modify ExtraBacon to make it work on a much newer version. While Cisco has said all versions of ASA are affected by the underlying vulnerability in the Simple Network Management Protocol (SNMP) implementation, the finding means that ExtraBacon poses a bigger threat than many security experts may have believed.
Wildfire spreads through well-crafted spam e-mails. A typical spam e-mail mentions that a transport company failed to deliver a package. In order to schedule a new delivery the receiver is asked to make a new appointment, for which a form has to be filled in, which has to be downloaded from the website of the transport company.
Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. Third, they actually put the address of the targeted company in the e-mail. This too is something we do not see very often, and it makes it difficult for the average user to see that this is not a benign e-mail.
French shipbuilder DCNS has been hit by a massive data leak affecting a major submarine contract for the Indian navy.
The leak of more than 22,000 pages exposes detailed information about the combat capability of the Scorpene class vessels.
It is not clear who first obtained the confidential documents, which were made public by the Australian media.
Earlier this year DCNS won Australia's largest-ever defence contract to build a fleet of advanced submarines.
Details about the Shortfin Barracuda submarine class that will be built for Australia were not contained in the leak.
Universities and NHS trusts in England have been hit hard by ransomware in the last year, according to Freedom of Information requests carried out by two cybersecurity firms.
Bournemouth University, which boasts a cybersecurity centre, has been hit 21 times in the last 12 months.
Twenty-eight NHS Trusts said they had been affected.
Ransomware is a form of computer malware which encrypts files and then demands a ransom for their release.
It can travel via email or hide in downloadable files and programmes from corrupted sites and applications, and the ransom is usually payable in bitcoins.
Cybersecurity firm SentinelOne contacted 71 UK universities. Of the 58 which replied, 23 said they had been attacked in the last year.
Juniper Networks on Friday acknowledged that implants contained in the ShadowBrokers data dump do indeed target its products.
“As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS,” said Derrick Scholl, director of security incident response at Juniper. “We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.”
“We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible,” Juniper’s Scholl said.
NorthSec is the biggest applied security event in Canada, aimed at raising the knowledge and technical expertise of professionals and students alike.
We are determined to create a high quality security forum composed of a two day single track conference by the brightest in their field of expertise, followed by an intense 48 hour on-site CTF contest.
With a smartphone, children also have the Internet in their pocket and are usually online 24 hours a day. Is security software for Android with parental control functions sufficient to protect our children or is it better to have a special parental control app? The team at AV-TEST examined this question and came up with a reliable answer.
The telecommunications industry keeps the world connected. Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data. This makes them a top target for cyber-attack.
According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before. Telecoms providers need to arm themselves against this growing risk.
In this intelligence report, we cover the main IT security threats facing the telecommunications industry and illustrate these with recent examples.
Devices that are connected to the Internet or run a full operating system are becoming more and more prevalent in today’s society. From devices for locomotives to wireless light switches, the Internet of Things (IoT) trend is on the rise and here to stay. This has the potential to make our lives much easier; however, the increasing sentience of once analog devices also enables adversaries to target them and potentially misuse them.
With the ubiquity of these Internet-connected devices, there is a surplus of “Things” to exploit. The main intent of this blog post is to generalize how an individual would reverse engineer an embedded device and the process for attempting to find vulnerabilities.
For this demonstration, we will be looking at the WeMo Link, which is a part of the Belkin WeMo LED Lighting Starter Set (http://www.belkin.com/us/p/P-F5Z0489/). There have been vulnerabilities identified in previous iterations of this device; however, these vulnerabilities were more focused on the web services component and not based on analyzing the built-in security of the physical components.
Last month, the Tor Project announced that an internal investigation had confirmed allegations of sexual misconduct against high profile activist Jacob Appelbaum. Now, a few members of the community are calling for a “Tor general strike,” in part to protest how that investigation was handled.
Researchers said a new variant of the Hancitor downloader has shifted tactics and adopted new dropper strategies and obfuscation techniques on infected PCs. Researchers at Palo Alto Networks are currently tracking the biggest push of the Hancitor family of malware since June that it says has shifted away from H1N1 downloader and now distributes the Pony and Vawtrak executables.
The variant uses native API calls within Visual Basic code to carve out and decrypt embedded malware from malicious Word documents.
“Lures were expected, until we started digging into the actual documents attached and saw an interesting method within the Visual Basic macros in the attached documents used for dropping the malware,” wrote Jeff White, senior threat researcher at Palo Alto Networks, in a report.
Obihai Technology recently patched vulnerabilities in its ObiPhone IP phones that could have led to memory corruption, buffer overflow, and denial of service conditions, among other outcomes.
The California-based company manufactures IP-enabled phones and VOIP telephone adapters it calls OBi devices. David Tomaschik, a member of Google’s security team, discovered the issues in ObiPhone during a black box security assessment earlier this spring.
It looks like file deletion is becoming a standard tactic in new ransomware applications created by less skilled ransomware developers. This is shown in a new ransomware called Hitler-Ransomware, misspelled in the lock screen as Hitler-Ransonware, that has been discovered by AVG malware analyst Jakub Kroustek. This ransomware shows a lock screen displaying Hitler and then states that your files were encrypted. It then prompts you to enter the cash code of a 25 Euro Vodafone Card as a ransom payment to decrypt your files.
This ransomware appears to be a test variant based on the comments in the embedded batch file and because it does not encrypt any files at all. Instead this malware will remove the extension for all of the files under various directories, display a lock screen, and then show a one hour countdown as shown in the lock screen below. After that hour it will crash the victim's computer, and on reboot, delete all of the files under the %UserProfile% of the victim. I hope this is not the actual code that this ransomware developer plans on using if it goes live.
If every exchange or communication of data on the web was encrypted, would it make our virtual world a more secure place in Australia? A report by PwC found Australia had the highest number of cyber security incidents in the previous 12 months amounting to 9434, more than double the previous year.
Global Internet traffic is expected to pass the one-zettabyte mark by the end of 2016, and a rapidly growing share of it is protected by Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption, which until recently was a security measure reserved largely for financial institutions and online checkout processes.
According to the 2016 Dell Security Annual Threat Report, in the fourth quarter of 2015, around 65 percent of total web connections worldwide were SSL/TLS encrypted. That means that every time a website is accessed, there’s a good chance SSL/TLS is being used. Overall, this is a positive trend that should create safer web interactions. Below the surface however, lurks a hidden threat that might take both you and your firewall by surprise.
What initially looked like a string of Drupal sites infected with ransomware (that didn't work properly) now looks like a professional cybercrime operation that relies on a self-propagating Linux trojan to create a botnet with various capabilities.
Last May, in a Softpedia exclusive, Stu Gorton, CEO and co-founder of Forkbombus Labs, revealed the existence of a new type of ransomware that targeted Drupal websites. That particular ransomware wasn't really that effective, and webmasters could easily go around it and restore their old websites.
Mr. Gorton didn't share all the details with Softpedia at that particular point in time, saying there was still much to analyze about the said piece of malware that was written in Go and used CVE-2014-3704 to hijack Drupal websites.
According to new research released by Stormshield and Dr.Web, that malware, which calls itself "Rex," has received many updates in the last three months since we first reported on it.
The Google Transparency Project is a Washington, DC group that's laser-focused on letting Americans know about Google's lobbying efforts. To get its message out, GTP has worked with journalists at Re/Code and The Intercept, which have run stories about Google's many visits to the White House, the prevalence of ex-Googlers in the US Digital Service, and other links.
What wasn't known, until today, is who was paying the bills for research by the "nonprofit watchdog" group. "The folks running the Google Transparency Project won’t say who is paying for it, which is odd for a group devoted to transparency," noted Fortune's Jeff John Roberts, one of many journalists who the group reached out to in April.
Today, Roberts has published a followup, confirming that based on a tip, he found at least one funder—Oracle. That's the same company that lost a major copyright trial to Google and continues to spar with the search giant in court.
In a revelation that shows how the National Security Agency was able to systematically spy on many Cisco Systems customers for the better part of a decade, researchers have uncovered an attack that remotely extracts decryption keys from the company's now-decommissioned line of PIX firewalls.
The discovery is significant because the attack code, dubbed BenignCertain, worked on PIX versions Cisco released in 2002 and supported through 2009. Even after Cisco stopped providing PIX bug fixes in July 2009, the company continued offering limited service and support for the product for an additional four years. Unless PIX customers took special precautions, virtually all of them were vulnerable to attacks that surreptitiously eavesdropped on their VPN traffic. Beyond allowing attackers to snoop on encrypted VPN traffic, the key extraction also makes it possible to gain full access to a vulnerable network by posing as a remote user.
Researchers have identified a router so fraught with vulnerabilities and so “utterly broken” that it can be exploited to do pretty much anything. An attacker could bypass its authentication, peruse sensitive information stored in the router’s system logs and even use the device to execute OS commands with root privileges via a hardcoded root password.
Tao Sauvage, a Security Consultant with IOActive Labs purchased the device, a BHU WiFi router he nicknamed “uRouter” on a recent trip to China. The device’s web interface was in Chinese but after he opened the router, he was able to extract its firmware, get shell access and analyze its code. Once in, Sauvage reverse engineered some binaries and discovered that there were three different ways to gain administrative access to the router’s web interface.
Microsoft’s PowerShell utility is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the high quality of the Trojan is indicative of Brazilian malware that is growing more sophisticated.
The banking Trojan is identified as “Trojan-Proxy.PowerShell.Agent.a” and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab’s Global Research and Analysis Team in a Securelist blog on Thursday.
The banking Trojan is being delivered via a phishing campaign where emails are masquerading as a receipt from a mobile carrier. A malicious .PIF (Program Information File) attachment is used to attack the target’s PC. PIF files tell MS-DOS applications how to run in Windows environments and can contain hidden BAT, EXE or COM programs that automatically execute after the host file is run.
Google's Macintosh Operations Team has quietly been working on a whitelisting application for OS X.
Code-named Santa, the software (currently described as pre-1.0) has an SQLite database holding a list of permitted and blocked applications; a userland daemon to check the database; a kernel extension to monitor for executions; as well as a GUI and an admin command line interface (CLI).
The Chocolate Factory has both individual and fleet users in mind, since Santa's designed to let a sysadmin centrally manage a single naughty-nice database.
To try and avoid an attacker substituting any of Santa's components, the three userland components (daemon, CLI and GUI) validate each other with XPC, checking that they're using identical signing certificates.
DNSSEC is not invincible. Researchers this week described how a DNSSEC-based flood attack could easily knock a website offline and allow for the insertion of malware or exfiltration of sensitive data.
The intent of Domain Name System Security Extensions, or DNSSEC, is to bolster DNS through a series of complex digital signatures. But if it is not secured properly it can fall victim to cache poisoning and malicious redirection attacks, experts warn.
Researchers at Neustar explained in a paper, “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” on Tuesday how DNSSEC can be reflected and leveraged by “ANY” queries to carry out DDoS attacks. “ANY” queries are favored by hackers; responses to them are exponentially larger than a normal DNS reply, researchers claim.
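The amplification mechanism described above is visible in resolver logs: a reflected victim shows up as a "client" that repeatedly asks for ANY (or other DNSSEC-heavy records) and receives replies many times larger than its requests, because the attacker spoofs the victim's address as the source. The following is an added example, not part of the Neustar paper or any vendor tool; the log lines and their field layout (client, qname, qtype, DNSSEC-OK flag, request and response sizes) are constructed for this example and will need to be adapted to a real server's log format.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not from any real server). The field layout is
# hypothetical: client address, queried name, query type, DNSSEC-OK flag, and the
# request/response sizes in bytes.
CONSTRUCTED_LOG = """
2016-08-23T10:00:01Z client=198.51.100.7 qname=example.org. qtype=ANY do=1 req_bytes=64 resp_bytes=3290
2016-08-23T10:00:01Z client=198.51.100.7 qname=example.org. qtype=ANY do=1 req_bytes=64 resp_bytes=3290
2016-08-23T10:00:02Z client=198.51.100.7 qname=example.org. qtype=ANY do=1 req_bytes=64 resp_bytes=3290
2016-08-23T10:00:02Z client=203.0.113.5 qname=www.example.org. qtype=A do=0 req_bytes=58 resp_bytes=74
2016-08-23T10:00:03Z client=203.0.113.5 qname=example.org. qtype=MX do=1 req_bytes=60 resp_bytes=412
2016-08-23T10:00:03Z client=198.51.100.7 qname=example.org. qtype=ANY do=1 req_bytes=64 resp_bytes=3290
""".strip().splitlines()

LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"do=(?P<do>[01]) req_bytes=(?P<req>\d+) resp_bytes=(?P<resp>\d+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["do"] = rec["do"] == "1"
    rec["req"] = int(rec["req"])
    rec["resp"] = int(rec["resp"])
    return rec


def reflection_report(lines, min_factor=10.0, min_queries=3):
    """Group queries by client address and flag likely reflection victims.

    A client that sends several ANY queries and receives aggregate replies at least
    `min_factor` times larger than its requests is reported. Because reflection
    attacks spoof the victim's address, the flagged "client" is usually the target
    of the flood, not its origin. Returns {client: summary} for flagged clients.
    """
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "req_bytes": 0, "resp_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["queries"] += 1
        if rec["qtype"] == "ANY":
            s["any"] += 1
        s["req_bytes"] += rec["req"]
        s["resp_bytes"] += rec["resp"]

    flagged = {}
    for client, s in stats.items():
        factor = s["resp_bytes"] / s["req_bytes"]
        if s["queries"] >= min_queries and s["any"] > 0 and factor >= min_factor:
            flagged[client] = {**s, "amplification": round(factor, 1)}
    return flagged


if __name__ == "__main__":
    for client, summary in reflection_report(CONSTRUCTED_LOG).items():
        print(client, summary)
```

The thresholds are deliberately conservative: a handful of ANY queries from a real resolver is normal, a sustained stream of them with a 50x byte ratio is not. Flagging alone does not stop the flood; the usual mitigations are response rate limiting on the authoritative server and minimal or refused answers to ANY, both of which this report helps you tune.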
A massive Locky ransomware campaign spotted this month targets primarily the healthcare sector and is delivered in phishing campaigns. The payload, researchers at FireEye said, is dropped via .DOCM attachments, which are macro-enabled Office 2007 Word documents.
Especially hard hit are hospitals in the United States followed by Japan, Korea and Thailand, according to research published Wednesday by FireEye.
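Both the Hancitor and Locky campaigns above ride on Word documents that carry VBA macros. A mail gateway should decide whether an attachment contains a macro project from the container itself, not from the file name. The following is an added example, not code from FireEye, Palo Alto Networks or any product: it inspects an OOXML (.docx/.docm) zip for the `word/vbaProject.bin` part and for the macro-enabled main-document content type, and flags legacy OLE (.doc) files for a separate VBA scan. The test documents it builds are constructed in memory and are not real Word files.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                                # OOXML containers are zip files
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def classify_word_attachment(data: bytes) -> str:
    """Classify attachment bytes by container contents, ignoring the file name.

    Returns one of: 'ole-legacy', 'not-office', 'corrupt-zip', 'macro-enabled', 'no-macros'.
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"        # VBA lives in OLE streams; hand to an OLE-aware scanner
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "corrupt-zip"
    # Either signal is enough: a .docx renamed from .docm still carries vbaProject.bin.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    declares_macro_main = MACRO_MAIN_CT in ctypes
    if has_vba_part or declares_macro_main:
        return "macro-enabled"
    return "no-macros"


def needs_review(data: bytes) -> bool:
    """Gateway policy: hold anything with macros, anything legacy, anything unreadable."""
    return classify_word_attachment(data) in {"macro-enabled", "ole-legacy", "corrupt-zip"}


def build_constructed_doc(with_macros: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed test data, not a real Word file)."""
    main_ct = MACRO_MAIN_CT if with_macros else PLAIN_MAIN_CT
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        if with_macros else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)   # placeholder, not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("docm", True), ("docx", False)):
        print(label, classify_word_attachment(build_constructed_doc(flag)))
```

Presence of a macro project is a coarse signal; it says nothing about what the VBA does, so documents flagged here still need a VBA extractor (oletools' olevba is the usual choice) before anyone decides whether the macro is the native-API carving routine Palo Alto describes or a harmless corporate template.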
A little over nine million keys used to redeem and activate games on the Steam platform were stolen by a hacker who breached a gaming news site last month.
The site, DLH.net, which provides news, reviews, cheat codes, and forums, was breached on July 31 by a hacker whose name isn't known but who was also responsible for the Dota 2 forum breach. The site also allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database.
According to security researchers from Bitdefender, there is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device and use it for DDoS attacks.
Bitdefender didn't reveal the device's manufacturer but said the company is working on a fix, which will release in late Q3 2016.
Clothing store chain Eddie Bauer said today it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach. The acknowledgement comes nearly six weeks after KrebsOnSecurity first notified the clothier about a possible intrusion at stores nationwide.
If someone signs and encrypts their code or email with their PGP key, you could, in theory, be sure they are who they say they are and their words or code are indeed their words or code. But if that key is referred to only by its short, 32-bit key ID, the identifier offers no real security: a hacker can now easily generate a different key with the same short ID, sign with it, and have the signature appear to come from the real owner. And that's exactly what happened to Linus Torvalds, Greg Kroah-Hartman, and other leading Linux kernel developers.
On the Linux Kernel Mailing List (LKML), it was revealed that for the last two months, since about mid-June, "some developers found their fake keys with same name, email, and even 'same' fake signatures by more fake keys in the wild, on the keyservers".
This isn't a new attack. Linux programmers have known since December 2011 that short PGP key IDs were inherently insecure. It's just that no one bothered to collide them... until now.
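Why a 32-bit key ID is worthless as an identifier follows directly from how OpenPGP derives it: the v4 fingerprint is SHA-1 over the public-key packet, and the short key ID is just its last four bytes, so any change to the packet, including the creation timestamp, yields a fresh candidate, and a collision on 32 bits costs about 2^32 hashes. The following is an added example, not code from the LKML thread or from GnuPG: it builds a v4 public-key packet from constructed, non-secret RSA-shaped numbers (the modulus is a made-up small value, not a real key) and searches for a colliding key on a 16-bit tail so that it runs in seconds; the same loop on the full 32-bit short ID is what attackers run, just 65,536 times longer.

```python
import hashlib
import struct

# Constructed, non-secret key material for illustration only. A real RSA modulus
# is 2048 bits or more; this small value just makes the packet short and fast to hash.
CONSTRUCTED_N = 0xC0FFEE1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567891
CONSTRUCTED_E = 65537


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 5.5.2): version 4, creation time, algo 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> bytes:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fp: bytes) -> str:
    """64-bit key ID: last 8 bytes of the fingerprint."""
    return fp[-8:].hex().upper()


def short_key_id(fp: bytes) -> str:
    """32-bit key ID: last 4 bytes of the fingerprint. This is what the attack collides."""
    return fp[-4:].hex().upper()


def find_colliding_key(target_fp: bytes, n: int, e: int, id_bytes: int = 2,
                       start: int = 0, limit: int = 1 << 20):
    """Search for a key whose trailing `id_bytes` of fingerprint equal the target's.

    Only the creation timestamp is varied here; an attacker can equally vary the key
    material. Expected work is 256**id_bytes hashes, so 2 bytes finishes in seconds and
    4 bytes (the real short key ID) is ~2^32 hashes, routine on commodity hardware.
    Returns (creation_time, fingerprint) or None if the budget is exhausted.
    """
    tail = target_fp[-id_bytes:]
    for created in range(start, start + limit):
        fp = fingerprint(public_key_packet_body(n, e, created))
        if fp[-id_bytes:] == tail and fp != target_fp:
            return created, fp
    return None


def same_key(fp_a: bytes, fp_b: bytes) -> bool:
    """The only safe comparison: the full 160-bit fingerprint, never a truncated ID."""
    return fp_a == fp_b


if __name__ == "__main__":
    victim = fingerprint(public_key_packet_body(CONSTRUCTED_N, CONSTRUCTED_E, 1400000000))
    print("victim short ID", short_key_id(victim), "long ID", long_key_id(victim))
    hit = find_colliding_key(victim, CONSTRUCTED_N, CONSTRUCTED_E, id_bytes=2, start=1500000000)
    if hit:
        print("collision on 16-bit tail at creation time", hit[0], "fingerprint", hit[1].hex().upper())
```

The practical check is the last function: compare full fingerprints (or at minimum the 64-bit long ID, which still only buys a 2^64 search), and configure GnuPG to display long key IDs or fingerprints rather than short ones when deciding whom to trust.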
After a group of hackers stole and published a set of NSA cyberweapons earlier this week, the multibillion dollar tech firm Cisco is now updating its software to counter two potent leaked exploits that attack and take over crucial security software used to protect corporate and government networks.
“Cisco immediately conducted a thorough investigation of the files released, and has identified two vulnerabilities affecting Cisco ASA devices that require customer attention,” the company said in a statement. “On Aug. 17, 2016, we issued two Security Advisories, which deliver free software updates and workarounds where possible.”
Cisco Systems has confirmed that recently-leaked malware tied to the National Security Agency exploited a high-severity vulnerability that had gone undetected for years in every supported version of the company's Adaptive Security Appliance firewall.
The previously unknown flaw makes it possible for remote attackers who have already gained a foothold in a targeted network to gain full control over a firewall, Cisco warned in an advisory published Wednesday. The bug poses a significant risk because it allows attackers to monitor and control all data passing through a vulnerable network. To exploit the vulnerability, an attacker must control a computer already authorized to access the firewall or the firewall must have been misconfigured to omit this standard safeguard.
"It's still a critical vulnerability even though it requires access to the internal or management network, as once exploited it gives the attacker the opportunity to monitor all network traffic," Mustafa Al-Bassam, a security researcher, told Ars. "I wouldn't imagine it would be difficult for the NSA to get access to a device in a large company's internal network, especially if it was a datacenter."
Software developers listen up: if you want people to pay attention to your security warnings on their computers or mobile devices, you need to make them pop up at better times.
A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly—while people are typing, watching a video, uploading files, etc.—results in up to 90 percent of users disregarding them.
Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking.
"We found that the brain can't handle multitasking very well," said study coauthor and BYU information systems professor Anthony Vance. "Software developers categorically present these messages without any regard to what the user is doing. They interrupt us constantly and our research shows there's a high penalty that comes by presenting these messages at random times."
Google's security team themselves state that "We recognize that the address bar is the only reliable security indicator in modern browsers", and if the only reliable security indicator can be controlled by an attacker, it can have adverse effects: for instance, users could be tricked into supplying sensitive information to a malicious website, because an address bar pointing to the correct website leads them to believe that the site they are visiting is legitimate.
In my paper "Bypassing Browser Security Policies For Fun And Profit" I have uncovered various address bar spoofing techniques as well as bugs affecting modern browsers. In this blog post I discuss yet another "Address Bar Spoofing" vulnerability affecting Google Chrome's Omnibox. The Omnibox is a customized address bar API developed for a better user experience, with features such as search suggestions, URL prediction and instant search.
Sage Group has admitted to a data breach which may affect hundreds of UK business customers.
Over the weekend, the accounting software company revealed that the network compromise was caused by someone using an internal login without authorization.
The breach has hit UK customers, of which between 200 and 300 could be involved in the aftermath.
However, it is not yet known whether any information was leaked, how much, or whether the unauthorized access was just someone having a look around -- simply because they could.
Thanks to a judge's order, Google must face another proposed class-action lawsuit over its scanning of Gmail. The issue is a lingering headache for the search giant, which has faced allegations for years now that scanning Gmail in order to create personalized ads violates US wiretapping laws.
In a 38-page order (PDF), US District Judge Lucy Koh rejected Google's argument that the scanning takes place within the "ordinary course of business."
"Not every practice that is routine or legitimate will fall within the scope of the 'ordinary course of business'," Judge Koh wrote.
Koh noted that while Google has to scan for other reasons, like virus and spam prevention, the company didn't have to scan for advertising purposes. She noted that in April 2014, Google "ceased intercepting, scanning, and analyzing, for advertising purposes, the contents of emails transmitted via Google Apps for Education."
Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016. These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions. The attackers try to lure targets through spear phishing emails that include compressed executables. The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.
We found that the group behind this campaign mainly targeted industrial, engineering and manufacturing organizations in more than 30 countries. In total, over 130 organizations have been identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back to March 2015. Several points are noteworthy: since the beginning of their activities, the attackers' motivation has apparently been financial, whether through the victims' banking accounts or through selling their intellectual property to interested parties; most infiltrated victim organizations are SMBs (small to medium-sized businesses, 30-300 employees); and the use of commercial off-the-shelf malware makes attribution of the attacks more difficult.
In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual.
Researchers claim to have found the largest ransomware-as-a-service (RaaS) ring to date. The operation generates an estimated $2.5 million annually and targets computer users with a new variant of the notorious Cerber ransomware.
According to a research report published today by Check Point Software Technologies and IntSights, the RaaS ring consists of 161 active campaigns with eight new campaigns launched daily. For the month of July, it's estimated that criminals earned close to $200,000 from victims paying approximately 1 bitcoin ($590) to decrypt files locked by the Cerber ransomware.
“These groups have become increasingly organized and shrewd about how to maintain infections, grow their enterprise, and evade detection,” said Maya Horowitz, threat intelligence group manager with Check Point.
Researcher Jerry Decime has revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products.
According to Decime, there is a flaw in how applications from several vendors respond to HTTP CONNECT requests via HTTP/1.0 407 Proxy Authentication Required responses.
This flaw manifests itself only in network environments where users utilize proxy connections to get online. This type of setup is often used in enterprise networks where companies deploy powerful firewalls.
Decime explains that an attacker that has a foothold in a compromised network and has the ability to listen to proxy traffic can sniff for HTTP CONNECT requests sent to the local proxy.
When it comes to tech security threats, 2016 has been the year of ransomware, with numerous high-profile organisations forced to pay ransoms in order to regain access to crucial files and systems after becoming victims of data-encrypting malware. The surge in ransomware even saw the US and Canada issue a rare joint cyber alert in an effort to warn against its dangers.
But ransomware is far from a new phenomenon -- the first instance, dubbed PC Cyborg, was written in 1989 -- so why is it now suddenly booming? There's a combination of factors; one of them is simply that people are becoming more reliant on computers to store files and victims don't want to lose that data, so are often willing to pay a ransom to get it back.
Professional social network LinkedIn is suing 100 anonymous individuals for data scraping. It is hoped that a court order will be able to reveal the identities of those responsible for using bots to harvest user data from the site.
The Microsoft-owned service takes pride in the relationship it has with its users and the security it offers their data. Its lawsuit seeks to use the data scrapers' IP addresses and then discover their true identity in order to take action against them.
The notorious Marcher malware is now disguising itself as an Android firmware update, in another demonstration of how cybercriminal tactics are constantly evolving in order to dupe unsuspecting users into installing malicious software.
The Marcher malware has been around since March 2013, and was previously distributed through fake Amazon and Google Play store apps. Once Marcher is installed on an Android device -- it hasn't appeared on any other operating system -- cybercriminals send the victim an alert to log-in to their banking apps, allowing the crooks to make off with the stolen information.
To say the VeraCrypt audit, which begins today, got off to an inauspicious start would be an understatement.
On Sunday, two weeks after the announcement that the open source file and disk encryption software would be formally scrutinized for security vulnerabilities, executives at one of the firms funding the audit posted a notice that four emails between the parties involved had been intercepted.
“We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our ‘sent’ folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared,” the post to the Open Source Technology Improvement Fund (OSTIF) website read. “This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.”
“Our analysis shows that iMessage has significant vulnerabilities that can be exploited by a sophisticated attacker. In particular, we outline a novel chosen ciphertext attack on Huffman compressed data, which allows retrospective decryption of some iMessage payloads in less than 2^18 queries. The practical implication of these attacks is that any party who gains access to iMessage ciphertexts may potentially decrypt them remotely and after the fact,” the researchers wrote in a paper delivered at the USENIX Security Symposium last week.
Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud.
The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS) in a paper titled Flip Feng Shui: Hammering a Needle in the Software Stack. They explained hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed.
The de-duplication attack enables third parties to not only view and leak data, but also to modify it – installing malware or allowing unauthorised logins.
In-brief: One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive.
“These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report, which it released last week. The report was based on an analysis of more than 150 vehicle security flaws identified over three years by IOActive or publicly disclosed by way of third-party firms.
Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor’s TrustZone secure execution environment.
The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.
The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users' online accounts, web searches, and other private data, security researchers warn.
Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week.
Data thieves used a massive “botnet” against professional networking site LinkedIn and stole member’s personal information, a new lawsuit reveals.
The Mountain View firm filed the federal suit this week in an attempt to uncover the perpetrators.
“LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information,” said the company’s complaint, filed in Northern California U.S. District Court.
“During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as ‘bots’) have extracted and copied data from many LinkedIn pages.”
In the most innovative, weirdest, and stupidest idea of the month, two researchers from the University of Colorado Boulder and the University of Michigan have created a crypto-currency that rewards people for participating in DDoS attacks.
Called DDoSCoin, this digital currency rewards a person (called a miner) for using their computer as part of a DDoS attack.
After painstakingly calculating the true cost of cybercrime in the European Union researchers conclude it’s nearly impossible to come up with hard numbers.
In a study released this week by the European Union Agency For Network And Information Security (ENISA) researchers assert that it’s vitally important to identify the magnitude of cybercrime against the European Union. But despite an abundance of studies addressing the economic impact of cybercrime, “the measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task.”
Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle‘s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices. Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang.
The conversation around whether it's a good idea for a business to migrate their on-premises legacy infrastructure into the cloud is no longer the focus, according to Bulletproof CEO Anthony Woodward. Rather, many C-level executives are now looking at what are the best ways to use the so-called cornerstone tool to transform their business.
Woodward believes there are two key drivers behind the increasing adoption of Infrastructure-as-a-Service (IaaS). The first is that businesses believe cloud will give them the competitive advantage to move faster, and the second motivator is that businesses are being required to transform for fear they may be outmanoeuvred by new entrants to the market.
Google has started building a new open-source operating system that doesn't rely on the Linux kernel.
While Android and Chrome OS have Linux at their heart, Google's new OS, dubbed Fuchsia, opts for a different kernel to create a lightweight but capable OS, suitable for running all Internet of Things devices, from embedded systems to higher-powered phones and PCs.
Instead of the Linux kernel, Google's new OS uses Magenta, which itself is based on LittleKernel, a rival to commercial OSes for embedded systems such as FreeRTOS and ThreadX.
According to Android Police, Magenta can target smartphones and PCs thanks to user-mode support and a capability-based security model not unlike Android 6.0's permissions framework.
An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications, researchers from mobile security firm Lookout said Monday.
As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.
A new type of ransomware known as Shark (Trojan.Ransomcrypt.BG) is being distributed on the cyberunderground. The malware’s authors use the “Ransomware-as-a-Service” (RaaS) business model, freely distributing the ransomware builder to aspiring attackers, but requiring a 20 percent cut of any ransom payments it generates.
Shark is distributed through a professional looking website that features information about the ransomware and instructions on how to download and configure it. Its authors boast that it is fully customizable, uses a fast encryption algorithm, supports multiple languages, and is “undetectable” by antivirus software.
An undocumented SNMP community string has been discovered in programmable logic controllers (PLCs) built by Allen-Bradley Rockwell Automation that exposes these devices deployed in a number of critical industries to remote attacks.
Researchers at Cisco Talos today said the vulnerability is in the default configuration of MicroLogix 1400 PLC systems. Rockwell Automation, meanwhile, said versions 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, and 1766-L32BXBA are affected.
“This vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations,” Cisco Talos wrote in an advisory. “Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.”
In recent months we have been tracking a wave of cyber-espionage attacks conducted by different APT groups across the Asia-Pacific and Far East regions. They all share one common feature: they exploit the CVE-2015-2545 vulnerability. This flaw enables an attacker to execute arbitrary code using a specially crafted EPS image file. It uses PostScript and can evade the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods built into Windows. The Platinum, APT16, EvilPost and SPIVY groups were already known to use this exploit. More recently, it has also been used by the Danti group.
The Internet of Things (IoT)—the network of devices embedded with capabilities to collect and exchange information—has long been attracting the attention of cybercriminals as it continues to gain momentum in terms of its adoption. Gartner has estimated that more than 20.8 billion IoT devices will be in use by 2020; IoT will be leveraged by over half of major business processes and systems, with enterprises projected to lead in driving IoT revenue.
How can cybercriminals potentially take advantage of this? Despite being equipped with new applications and hardware, most IoT devices are built on outdated connection protocols and operating systems (OS). Remotely controlled lightbulbs and WiFi-enabled In-Vehicle Infotainment (IVI) systems, for instance, mostly run Linux and are developed in C without safe compiler options. They also use dated connection protocols such as TCP/IP (1989, RFC 1122), ZigBee (2004 specification) and CAN 2.0 (1991), which, when exploited, can open the device up to remote access.
We investigate nonce reuse issues with the GCM block cipher mode as used in TLS and focus in particular on AES-GCM, the most widely deployed variant. With an Internet-wide scan we identified 184 HTTPS servers repeating nonces, which fully breaks the authenticity of the connections. Affected servers include large corporations, financial institutions, and a credit card company. We present a proof of concept of our attack that allows us to violate the authenticity of affected HTTPS connections, which in turn can be used to inject seemingly valid content into encrypted sessions. Furthermore, we discovered over 70,000 HTTPS servers using random nonces, which puts them at risk of nonce reuse if a large amount of data is sent over the same connection.
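The algebra behind the authenticity break described in the abstract above, as an added example that is not the paper's code. AES itself is replaced by secret random values (the hash key H and, per nonce, the CTR keystream and the tag mask S = E_K(J0)); a repeated nonce makes the per-nonce values identical for both messages, which is all the attack relies on. The GF(2^128) arithmetic is GCM's own (NIST SP 800-38D, Algorithm 1). For two single-block messages under one nonce with no additional data, t1 ^ t2 = (c1 ^ c2)·H², so H is a field quotient followed by a square root, and any further message under that nonce can be given a valid tag. The plaintexts, nonce and server are constructed.

```python
"""GCM nonce reuse without AES: recover H from two tags and forge a third.

Added example; not code from the paper. AES_K is replaced by secret random
values (H, and per nonce the CTR keystream and tag mask S = E_K(J0)); a
repeated nonce makes the per-nonce values identical, which is all the attack
needs. Field arithmetic follows NIST SP 800-38D, Algorithm 1.
"""
import secrets

ONE = 1 << 127        # the element 1 in GCM's reflected bit order
R = 0xE1 << 120       # reduction constant for x^128 + x^7 + x^2 + x + 1


def gf_mul(x, y):
    z, v = 0, x
    for i in range(127, -1, -1):                  # GCM bit 0 is the MSB here
        if (y >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x, e):
    result = ONE
    while e:
        if e & 1:
            result = gf_mul(result, x)
        x = gf_mul(x, x)
        e >>= 1
    return result


def gf_inv(x):
    return gf_pow(x, (1 << 128) - 2)              # x^(2^128 - 2) = x^-1


def gf_sqrt(x):
    return gf_pow(x, 1 << 127)                    # squaring is a bijection in GF(2^128)


def blocks(data):
    data += b"\x00" * (-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def ghash(h, aad, ct):
    y = 0
    for x in blocks(aad) + blocks(ct):
        y = gf_mul(y ^ x, h)
    return gf_mul(y ^ ((len(aad) * 8) << 64 | len(ct) * 8), h)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class GcmModel:
    """Stand-in for an AES-GCM endpoint; every secret is random (constructed)."""

    def __init__(self):
        self.h = secrets.randbits(128)
        self._per_nonce = {}

    def _derive(self, nonce):
        # Real GCM derives keystream and S from AES_K(nonce || counter); the
        # model only keeps the property that they are fixed per nonce.
        if nonce not in self._per_nonce:
            self._per_nonce[nonce] = (secrets.token_bytes(64), secrets.randbits(128))
        return self._per_nonce[nonce]

    def encrypt(self, nonce, aad, pt):
        ks, s = self._derive(nonce)
        ct = xor(pt, ks)
        return ct, ghash(self.h, aad, ct) ^ s

    def verify_decrypt(self, nonce, aad, ct, tag):
        ks, s = self._derive(nonce)
        if ghash(self.h, aad, ct) ^ s != tag:
            return None
        return xor(ct, ks)


def recover_h(c1, t1, c2, t2):
    """One-block ciphertexts, same nonce, no AAD: t1 ^ t2 = (c1 ^ c2) * H^2."""
    h2 = gf_mul(t1 ^ t2, gf_inv(blocks(c1)[0] ^ blocks(c2)[0]))
    return gf_sqrt(h2)


def forge_tag(h, known_ct, known_tag, new_ct):
    """Tag for new_ct (same nonce, length and AAD) from one observed pair."""
    return known_tag ^ gf_mul(blocks(known_ct)[0] ^ blocks(new_ct)[0], gf_mul(h, h))


def demo():
    server = GcmModel()
    nonce = b"\x00" * 12                          # the repeated nonce
    p1, p2 = b"amount=000100.00", b"amount=009999.99"   # constructed records
    c1, t1 = server.encrypt(nonce, b"", p1)
    c2, t2 = server.encrypt(nonce, b"", p2)
    keystream = xor(c1, p1)                       # one known plaintext yields the keystream
    h = recover_h(c1, t1, c2, t2)
    c3 = xor(b"amount=999999.99", keystream)      # attacker-chosen content
    return {
        "plaintext_recovered": xor(c2, keystream) == p2,
        "h_recovered": h == server.h,
        "forgery_accepted_as": server.verify_decrypt(nonce, b"", c3, forge_tag(h, c1, t1, c3)),
    }
```

Run `demo()`: the second plaintext falls out of the XOR of the two ciphertexts, H matches the server's secret, and the forged record is accepted and decrypts to the attacker's text. With more blocks or additional data the same relation becomes a polynomial in H whose roots must be found, and with the "random nonce" servers in the abstract the attack only needs the birthday bound to be reached on one connection.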
The golden keys were found by MY123 and Slipstream in March this year. They've just posted, on a rather funky website, a description both of Microsoft's security errors and of its seeming reluctance to patch the issue. The researchers note that this snafu is a real-world demonstration of the lack of wisdom in the FBI's recent demands for universal backdoors in Apple's devices.
Sławomir Jasek with research firm SecuRing is sounding an alarm over the growing number of Bluetooth devices used for keyless entry and mobile point-of-sales systems that are vulnerable to man-in-the-middle attacks.
Jasek said the problem is traced back to devices that use the Bluetooth Low Energy (BLE) feature for access control. He said too often companies do not correctly implement the bonding and encryption protections offered in the standard. This shortcoming could allow attackers to clone BLE devices and gain unauthorized access to a physical asset when a smartphone is used as a device controller.
Security researchers are eager to poke holes in the chip-embedded credit and debit cards that have arrived in Americans' mailboxes over the last year and a half. Although the cards have been in use for a decade around the world, more brains trying to break things are bound to come up with new and inventive hacks. And at last week's Black Hat security conference in Las Vegas, two presentations demonstrated potential threats to the security of chip cards. The first involved fooling point-of-sale (POS) systems into thinking that a chip card is a magnetic stripe card with no chip, and the second involved stealing the temporary, dynamic number generated by a chip card and using it in a very brief window of time to request money from a hacked ATM.
A startup on a shoestring budget is working to clean up the Android security mess, and has even demonstrated results where other "secure" Android phones have failed, raising questions about Google's willingness to address the widespread vulnerabilities that exist in the world's most popular mobile operating system.
"Copperhead is probably the most exciting thing happening in the world of Android security today," Chris Soghoian, principal technologist with the Speech, Privacy, and Technology Project at the American Civil Liberties Union, tells Ars. "But the enigma with Copperhead is why do they even exist? Why is it that a company as large as Google and with as much money as Google and with such a respected security team—why is it there's anything left for Copperhead to do?"
For the initial check, the updated Trojan (verdict Trojan-Ransom.Win32.Shade.yb) searches the list of installed applications and looks for strings associated with bank software. After that the ransomware looks for “BUH”, “BUGAL”, “БУХ”, “БУГАЛ” (accounting) in the names of the computer and its user. If a match is found, the Trojan skips the standard file search and encryption procedure and instead downloads and executes a file from the URL stored in the Trojan’s configuration, and then exits.
In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.
Later this week at the Usenix security conference in Austin, a team of researchers from the University of Birmingham and the German engineering firm Kasper & Oswald plan to reveal two distinct vulnerabilities they say affect the keyless entry systems of an estimated nearly 100 million cars. One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Škoda. The second attack affects millions more vehicles, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.
Researchers who uncovered a security key that protects Windows devices as they boot up say their discovery is proof that encryption backdoors do not work.
The pair of researchers, credited by their hacker nicknames MY123 and Slipstream, found the cryptographic key protecting a feature called Secure Boot.
They believe the discovery highlights a problem with requests law enforcement officials have made for technology companies to provide police with some form of access to otherwise virtually unbreakable encryption that might be used by criminals.
A serious vulnerability in the TCP implementation in Linux systems deployed since 2012 (version 3.6 of the Linux kernel) can be used by attackers to identify hosts communicating over the protocol and ultimately attack that traffic.
Researchers from the University of California, Riverside and the U.S. Army Research Laboratory are expected today at the USENIX Security Symposium to deliver their paper, “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous,” which explains the vulnerability and recommends how to mitigate it.
Patches for the vulnerability have been developed for the current Linux kernel, said Zhiyun Qian, an assistant computer science professor at the university and project advisor. Qian and co-authors Yue Cao, Zhongjie Wang, Tuan Dao, Srikanth V. Krishnamurthy and Lisa M. Marvel also developed a patch for client and server hosts that raises the challenge ACK limit to large values, making the flaw difficult to exploit.
Microsoft’s release of Windows Anniversary Update last week included an optional feature called Windows Subsystem for Linux that allows native support for Linux binaries. That has some security experts concerned the Windows 10 attack surface has been expanded.
The threat, according to Alex Ionescu, vice president of endpoint detection and response strategy at Crowdstrike, centers on a capability that allows for some Ubuntu Linux features to run within the Windows 10 operating system. Ionescu, who discussed his research with Threatpost last week at Black Hat USA, said modified Linux code could make system calls to Windows APIs and execute malicious actions within the Windows environment.
“Security researchers, admins and forensic security experts are used to hunting Windows threats on Windows platforms and are adept at auditing them. Now you have a very interesting new paradigm where Linux applications can run on a Windows machine,” Ionescu said. “If this feature is turned on, you have support for unmodified Linux binaries – malicious or not.”
A hacker has taken off with almost two million accounts associated with the forum for popular online multiplayer game, Dota 2.
The hack was carried out last month on July 10. The copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data.
The hacker took advantage of an SQL injection vulnerability used by the older vBulletin forum software, which powers the community.
That allowed them to access the database of limited user data, such as username, email, IP address of the user.
The data also includes users' hashed passwords, which use the MD5 algorithm, widely considered insecure by today's standards, alongside the salt used to scramble the password further. A member of the LeakedSource group told me that 1.54 million of the passwords -- or about 80 percent -- have already been unscrambled using rudimentary and run-of-the-mill cracking tools.
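Why a salt does not save a fast hash, as an added example that is not part of the article: a per-row dictionary attack against constructed leaked rows, run once against an MD5 construction and once against PBKDF2. The article only states that the hashes are MD5 with a salt; the md5(md5(password) + salt) layout used here is the one vBulletin 3 and 4 are known to use and is an assumption about this dump. The rows, salts and wordlist are constructed.

```python
"""Dictionary attack on leaked salted MD5 hashes, next to a slow KDF.

Added example, not part of the article. It assumes the md5(md5(password) + salt)
layout that vBulletin 3 and 4 are known to use; the article only says the
hashes are MD5 with a salt. Leaked rows and wordlist are constructed.
"""
import hashlib
import secrets
import time

WORDLIST = ["password", "123456", "dota2", "qwerty", "letmein", "summer2016", "dragon"]


def vb_hash(password, salt):
    """vBulletin 3/4 style: md5(md5(password) + salt), both as hex digests."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_hash(password, salt, rounds=100_000):
    """A deliberately slow alternative: PBKDF2-HMAC-SHA256 with a work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()


def make_leak(hash_fn):
    """Constructed dump of (user, digest, salt). Two of three users chose weak passwords."""
    creds = [("alice", "dota2"), ("bob", "summer2016"), ("carol", secrets.token_urlsafe(16))]
    rows = []
    for user, pw in creds:
        salt = secrets.token_hex(3)              # short per-user salt
        rows.append((user, hash_fn(pw, salt), salt))
    return rows


def crack(rows, wordlist, hash_fn):
    """Per-row dictionary attack. The salt defeats precomputed tables, not
    guessing: every candidate is simply hashed with that row's salt."""
    found = {}
    for user, digest, salt in rows:
        for guess in wordlist:
            if hash_fn(guess, salt) == digest:
                found[user] = guess
                break
    return found


def demo():
    """Crack the same three accounts under both schemes and time each run."""
    results = {}
    for name, fn in (("md5", vb_hash), ("pbkdf2", pbkdf2_hash)):
        rows = make_leak(fn)
        start = time.perf_counter()
        results[name] = crack(rows, WORDLIST, fn)
        results[name + "_seconds"] = time.perf_counter() - start
    return results
```

Both runs recover the same two weak passwords; the difference is that the MD5 run finishes in microseconds while the PBKDF2 run takes on the order of a second for the same handful of guesses, and that cost multiplies across the millions of rows in a real dump. The salt only forces the attacker to repeat the work per row, which is exactly what commodity cracking tools do.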
This month the vendor is releasing nine bulletins, six of which are rated Critical.
A tricky vulnerability patched today in the Windows PDF Library could have put Microsoft Edge users on Windows 10 systems at risk for remote code execution attacks.
Edge automatically renders PDF content when it’s set as a computer’s default browser, unlike most other browsers; the feature means that exploits would execute by simply viewing a PDF online. While this bug has not been publicly disclosed nor attacked, it’s expected to be an attractive attack vector for hackers.
Microsoft patched this flaw in MS16-102, one of four critical security bulletins it published today. The vulnerability, CVE-2016-3319, when exploited corrupts memory and allows an attacker to run arbitrary code with the same privileges as the user. Microsoft said attackers could either lure victims to a site containing a malicious PDF, or add an infected PDF to a site that accepts user-provided content.
Juniper Networks has found and mostly patched a flaw in the way the firmware on its routers processes IPv6 traffic, which allowed malicious users to mount denial of service (DoS) attacks.
The vulnerability, which appears to be common to all devices processing IPv6 addresses, meant that purposely crafted neighbour discovery packets sent from a remote, unauthenticated source could flood the routing engine, causing it to stop processing legitimate traffic and leading to a denial of service condition.
In a year-long study in conjunction with New York University, researchers at Google found unwanted software, unwittingly downloaded as part of a bundle, to be a larger problem for users than malware. Google Safe Browsing currently generates three times as many Unwanted Software (UwS) warnings as malware warnings, over 60 million per week.
The study found the pay-per-install (PPI) scheme, whereby a company monetizes end-user access by paying $0.10 to $1.50 every time its software is installed on a new device, to be the primary source of unwanted software proliferation. To get a payout from a commercial PPI organization, companies bundle regular software with unwanted software, which is then unwittingly downloaded by the user.
One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars.
This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a “smart” device, in this case a thermostat.
A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.
Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.
MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.
Lisa Heneghan, global head of KPMG's CIO advisory practice, spends a large amount of time talking with non-IT board members and says executives recognise the power of technology. "They don't necessarily understand IT but they are keen to learn. That desire presents a great opportunity for CIOs," she says.
Research from KPMG and Harvey Nash suggests the board is looking for IT leaders who can use systems and services to boost business profitability. Almost two-thirds (63 percent) of CIOs indicate projects that make money are a priority, compared to 37 percent who report the CEO is more interested in IT as a cost-saving tool.
CIOs who have been asked to keep costs down might find it unusual to take an upbeat approach to technology spending. However, Heneghan says an open mindset is likely to be rewarded. "The majority of IT leaders have traditionally adopted a defensive stance. CIOs must take an alternative approach," she says.
"They need to appreciate the context of fellow board members and actively debate how IT can help. In IT, we all talk about the importance of adopting an agile culture -- and that's a mentality you also need in the boardroom. As a modern CIO, you must be open to other viewpoints."
If your website or web application is vulnerable to SQL injection, attackers can play with your database, so be careful with your code.
Here, let us think like attackers and see what happens in an SQL injection. No more boring text; let us jump into the practical part.
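The practical part, as an added example that is not the tutorial's own code: a login query built by string concatenation next to the same query with bound parameters, both run against an in-memory SQLite table of constructed users, with the two classic quote-break payloads. Passwords are stored in clear only so the injection point stays visible; a real application would store a password hash.

```python
"""SQL injection: a string-built query beside its parameterized fix.

Added example, not from the tutorial. An in-memory SQLite table holds
constructed users; the payloads are the classic quote-break inputs.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Clear-text passwords only so the injected SQL is easy to read.
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "s3cr3t!", "admin"), ("alice", "hunter2", "user")])
    return db


def login_vulnerable(db, username, password):
    """Untrusted input concatenated into SQL: a quote ends the string literal
    and whatever follows is parsed as SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchall()


def login_safe(db, username, password):
    """Bound parameters: values travel separately from the statement, so a
    quote in the input is only a character inside the value."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


def demo():
    db = make_db()
    tautology = "' OR '1'='1"      # constructed: password = '' OR '1'='1' matches every row
    comment = "admin' --"          # constructed: -- comments out the password check
    return {
        "honest": login_safe(db, "alice", "hunter2"),
        "tautology_vulnerable": login_vulnerable(db, "admin", tautology),
        "tautology_safe": login_safe(db, "admin", tautology),
        "comment_vulnerable": login_vulnerable(db, comment, "wrong"),
        "comment_safe": login_safe(db, comment, "wrong"),
    }
```

Against the concatenated query the tautology payload returns every user and the comment payload logs in as admin without a password; against the parameterized query both payloads return nothing, because the driver never lets the input change the statement's structure.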
As the head of Poland’s Computer Emergency Response Team, Przemek Jaroszewski flies 50 to 80 times a year, and so has become something of a connoisseur of airlines’ premium status lounges. (He’s a particular fan of the Turkish Airlines lounge in Istanbul, complete with a cinema, putting green, Turkish bakery and free massages.) So when his gold status was mistakenly rejected last year by an automated boarding pass reader at a lounge in his home airport in Warsaw, he applied his hacker skills to make sure he’d never be locked out of an airline lounge again.
The result, which Jaroszewski plans to present Sunday at the Defcon security conference in Las Vegas, is a simple program that he’s now used dozens of times to enter airline lounges all over Europe. It’s an Android app that generates fake QR codes to spoof a boarding pass on his phone’s screen for any name, flight number, destination and class. And based on his experiments with the spoofed QR codes, almost none of the airline lounges he’s tested actually check those details against the airline’s ticketing database—only that the flight number included in the QR code exists. And that security flaw, he says, allows him or anyone else capable of generating a simple QR code to both access exclusive airport lounges and buy things at duty free shops that require proof of international travel, all without even buying a ticket.
An attacker would have to trick a user into installing a malicious app, which wouldn't require any special permissions.
If successfully exploited, an attacker can gain root access, which gives the attacker full access to an affected Android device, its data, and its hardware -- including its camera and microphone.
A researcher exposes design and control flaws in Windows 10 versions that have the capability to run Linux.
LAS VEGAS—Embedded within some versions of the latest Windows 10 update is a capability to run Linux. Unfortunately, that capability has flaws, which Alex Ionescu, chief architect at Crowdstrike, detailed in a session at the Black Hat USA security conference here and referred to as the Linux kernel hidden in Windows 10.
In an interview with eWEEK, Ionescu provided additional detail on the issues he found and has already reported to Microsoft. The embedded Linux inside of Windows was first announced by Microsoft in March at the Build conference and brings some Ubuntu Linux capabilities to Microsoft's users.
Ghostmail will no longer provide secure email services unless you are an enterprise client.
According to the company, it is "simply not worth the risk."
In an email to customers and posted on the secure email provider's website, Ghostmail said, "the world has changed for the worse, and we do not want to take the risk of supplying our extremely secure service to the wrong people."
In addition, while Ghostmail still believes the average user has a right to privacy, a "strategic decision" has been made to shift Ghostmail services exclusively to the enterprise sector.
"We hope you understand this decision and we refer to other free services available," Ghostmail said.
Former Nigerian 419 scammers are turning to more sophisticated and bigger-paying jobs that start with compromising the email accounts of staff responsible for selling, and then waiting for a juicy request for a quote.
According to Dell SecureWorks, these new-generation Nigerian scammers are known as 'waya-waya' or wire-wire, and conduct wire fraud by compromising a supplier's email.
The FBI warned earlier this year that businesses have been exposed to an estimated $3.1bn in potential losses due to so-called business email compromise (BEC) since 2013. These crimes usually take the form of an attacker spoofing the email account of a CEO and then ordering a subordinate to transfer funds to a supposed supplier's account.
However, SecureWorks says its probe into one Nigerian operation uncovered a far more "devious" attack than spoofing the boss's email account. The attackers instead are compromising a seller's email account to place themselves between the buyer and seller during a transaction.
An Android remote access Trojan (RAT) of suspected Italian origins is spying on specially selected users in China and Japan and uploading audio and images to a remote command and control server.
Discovered by cybersecurity researchers at Bitdefender, the RAT specifically targets rooted Android devices based on their IMEI [International Mobile Station Equipment Identity] and has the ability to take screenshots, listen to phonecalls and potentially even take full control of the device. All of these put the user at risk of becoming a further victim of hacking and fraud.
Researchers note that it's only usually advanced persistent threats which tend to exhibit this type of selectivity when selecting victims to infect, suggesting that this Android RAT could be part of a wider campaign of attack which is yet to be uncovered.
Microsoft has released .Net Framework 4.6.2, tightening security in multiple areas, including the BCL (Base Class Library). The new version also makes improvements to the SQL client, Windows Communication Foundation, the CLR (Common Language Runtime), and the ASP.Net web framework.
The security focus in the BCL impacts PKI capabilities, and X.509 certificates now support the FIPS 186-3 digital signature algorithm. "This support enables X.509 certificates with keys that exceed 1024-bit," Microsoft's Stacey Haffner said. "It also enables computing signatures with the SHA-2 family of hash algorithms (SHA256, SHA384, and SHA512)."
Before the release of the Android version of Prisma, a popular photo transformation app, fake Prisma apps flooded the Google Play Store.
ESET researchers discovered fake Prisma apps of different types, including several dangerous trojan downloaders. The Google Play security team removed them from the official Android store at ESET’s notice. Prior to that point, Prisma copycats reached over 1.5 million downloads by fans.
Prisma is a unique photo editor released by Prisma labs, Inc. First released for iOS, it received excellent ratings among users on iTunes, the Apple app store. Android users were eager for it and many couldn’t wait to see it on Google Play where Prisma’s release was scheduled for July 24th, 2016.
As with many other popular apps on Google Play in the past, fake versions flooded the store before the official release date, riding the wave of user impatience.
A security vulnerability in the newest generation of ATMs can be exploited to make them distribute tens of thousands in cash, despite the chip and PIN systems designed to prevent hackers from carrying out exactly this sort of activity.
Speaking at the Black Hat conference in Las Vegas, Weston Hecker, a senior security consultant at cybersecurity firm Rapid7 demonstrated how the bypass could allow criminals to make off with up to $50,000 from a machine in under 15 minutes.
Researchers have previously warned our old ATMs are an easy target for cybercriminals, but this new warning appears to demonstrate that even the latest machines are vulnerable.
The technique -- achieved with a $2,000 kit -- sees criminals alter a point-of-sale machine by adding a device which is placed in the gap between where the ATM user's card chip will be and the roof of the area where the card is inserted.
WPAD is a protocol that allows computers to automatically discover web proxy configurations and is primarily used in networks where clients are only allowed to communicate with the outside world through a proxy, which is the case in most enterprises. To make it easy to configure proxy settings for the different types of applications that need an internet connection, WPAD, also known as “autoproxy”, was first implemented and promoted by Netscape in 1996 for Netscape Navigator 2.0. It applies to any system that supports proxy auto-discovery: most browsers, operating systems and some stand-alone applications.
Warnings about WPAD's security issues have been around for many years and the risks are well recognized in the security community, yet they have been left largely ignored. In fact, WPAD is relatively easy to exploit. In basic terms, the problem is that whenever a client issues a WPAD request to locate its proxy configuration, anyone able to answer that request can run a service that supplies a configuration of their choosing and thereby impersonate the real web proxy (a man-in-the-middle attack).
Over the last few years, a worrying number of attacks against SSL/TLS and other secure channels have been discovered. Fortunately, at least from a defender's perspective, these attacks require an adversary capable of observing or manipulating network traffic. This prevented a wide and easy exploitation of these vulnerabilities. In contrast, we introduce HEIST, a set of techniques that allows us to carry out attacks against SSL/TLS purely in the browser. More generally, and surprisingly, with HEIST it becomes possible to exploit certain flaws in network protocols without having to sniff actual traffic.
HEIST abuses weaknesses and subtleties in the browser, and the underlying HTTP, SSL/TLS, and TCP layers. In particular, we discover a side-channel attack that leaks the exact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level. Combined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the plaintext message. Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites.
Finally, we explore the reach and feasibility of exploiting HEIST. We show that attacks can be performed on virtually every web service, even when HTTP/2 is used. In fact, HTTP/2 allows for more damaging attack techniques, further increasing the impact of HEIST. In short, HEIST is a set of novel attack techniques that brings network-level attacks to the browser, posing an imminent threat to our online security and privacy.
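What an attacker does with nothing but response sizes, as an added example that is not the paper's code: a BREACH-style compression oracle. A constructed page reflects the attacker's query and also carries a secret anti-CSRF token; the attacker never sees the bytes, only the compressed length, and recovers the token one character at a time because a guess that extends the LZ77 match against the real token compresses slightly better. The page layout, token and alphabet are constructed; the "charset padding" (every guess carries the same multiset of literals) and the summing over several alignments are the standard tricks for making a few bits of difference visible at byte granularity.

```python
"""Length-only compression oracle (the CRIME/BREACH principle HEIST makes
reachable from a browser). Added example, not from the paper. The page, the
secret token and the attacker's alphabet are constructed; the attacker sees
only the compressed response size, never the bytes.
"""
import string
import zlib

SECRET = "7f3a9c1e"                 # constructed anti-CSRF token the attacker wants
ALPHABET = string.hexdigits[:16]    # all the attacker knows about the token's format
PADS = ["", "!", "!@", "!@#", "!@#$", "!@#$%", "!@#$%^", "!@#$%^&"]


def compressed_size(query, pad):
    """The 'server': reflects the query into a page that also carries the
    secret, compresses it, and returns only the size on the wire."""
    body = (f"<html><body><form action=/search><input name=q value='{query}'>{pad}"
            f"<input type=hidden name=csrf value='{SECRET}'></form></body></html>")
    return len(zlib.compress(body.encode(), 9))


def score(guess):
    """Sum sizes over several alignments: a match one byte longer saves a few
    bits, which only shows up as a whole byte at some alignments."""
    return sum(compressed_size(guess, pad) for pad in PADS)


def recover_token(length):
    """Attacker side: extend the known prefix by the character that compresses best."""
    known = ""
    for _ in range(length):
        best = None
        for c in ALPHABET:
            others = "".join(a for a in ALPHABET if a != c)
            # Same literal multiset in every guess (charset padding), so only
            # the LZ77 match against the real token differs in length.
            guess = f"name=csrf value='{known}{c}~{others}"
            s = score(guess)
            if best is None or s < best[0]:
                best = (s, c)
        known += best[1]
    return known
```

`recover_token(8)` returns the token after 8 × 16 × 8 oracle queries. The mitigation the abstract implies is structural rather than cryptographic: do not compress responses that mix attacker-reflected input with secrets, or make the secret vary per request so that there is nothing stable to match against.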
LAS VEGAS—There’s been an abundance of attacks against crypto over the last few years but a much simpler, scarier threat, cookie hijacking, remains significantly overlooked in the eyes of researchers.
Two academics, Suphannee Sivakorn, a PhD student at Columbia University, and Jason Polakis, an assistant professor at the University of Illinois, discussed just how woefully inadequate the encryption protecting some services is in a talk at Black Hat Thursday.
The pair studied 25 popular websites, from search engines such as Google, Yahoo, and Bing, to news sites such as the Huffington Post, MSN, and the New York Times. Fifteen of the sites supported HTTPS but not universally. Many of them offer personalization over HTTP, something that can lead to complicated interoperability and flawed access control, according to Sivakorn and Polakis.
Cybersecurity experts say we won't have to imagine for much longer. It's only a matter of time before hackers become interested in smart city transportation clouds.
Taking control of parking, traffic lights, signage, street lighting, automated bus stops and many other systems could be appealing to bad guys from many walks of life including political activists and terrorists.
Moscow has already experienced its first major transportation hack, albeit to make a serious point about security.
Denis Legezo, a researcher with Kaspersky Lab, was able to manipulate traffic sensors and capture data simply by looking up a hardware user manual that was readily available online from the sensor manufacturer.
A similar story comes from Cesar Cerrudo, the chief technology officer at security company IOActive Labs, who found vulnerabilities in systems used in the US, UK, France, Australia and China.
There's a scene in Die Hard 4 where hackers create chaos by manipulating traffic signals with a few keystrokes. It's not that easy, Mr Cerrudo wrote in a blog in 2014.
Even so, he discovered that it would have been possible to create havoc using cheap computer hardware.
The hacking crew that promised to launch DDoS attacks on the Pokemon GO servers on August 1 suffered a minor setback yesterday, after someone hacked their site, dumped the database, and shared it with data breach index service LeakedSource.
The hacking crew goes by the moniker PoodleCorp and is a relatively new unit on the cyber-crime scene, having made a name for itself by defacing popular YouTube channels.
The group had already launched a successful DDoS attack on Pokemon GO servers on July 16 and annoyed much of the Pokemon GO fanbase.
Seeing the huge media attention they received from that attack, two days later, on July 18, the group promised to launch another, much bigger DDoS attack on Pokemon GO, this time on August 1.
August 1 came and went. Pokemon GO players didn't report anything. However, today, PoodleCorp's name surfaced online again after LeakedSource announced they had added details from the PoodleCorp.org domain to their massive database of breached sites.
US health insurer Banner Health has written to 3.7 million customers and healthcare providers to warn that their data may have been stolen, after a cyber-attack.
The breach could have targeted data on patients, physicians and health plans.
An investigation revealed that attackers may have also accessed payment-card data at Banner Health food and drink outlets.
The firm says it has hired a forensics team to help it secure its systems.
LAS VEGAS – Poor operational security on the part of Nigerian scammers running a Business Email Compromise (BEC) scheme has given researchers a window into their operations.
Dell SecureWorks today published a report at Black Hat USA 2016 on what the criminals involved call wire-wire, or “waya-waya.” These attackers aren’t particularly sophisticated malware coders, for example, but the operation is adept at targeting executives in certain industries with phishing attacks that ultimately lead to fraudulent wire transfers, resulting in hundreds of thousands of dollars being lost. Manufacturing firms, chemical operations and other high-value organizations have been targeted by these campaigns, which go much deeper than simply spoofing emails ordering or confirming wire transfers.
The attackers behind these scams are using malware to attack email servers and sit man-in-the-middle style, intercepting and redirecting messages in order to score a big pay day.
Lack of authentication and encryption allows attackers to easily steal payment card data and PIN numbers from point-of-sale systems.
Many of the large payment card breaches that hit retail and hospitality businesses in recent years were the result of attackers infecting point-of-sale systems with memory-scraping malware. But there are easier ways to steal this sort of data, due to a lack of authentication and encryption between card readers and the POS payment applications.
POS systems are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers with PIN pads. They also have specialized payment applications installed to handle transactions.
One of the common methods used by attackers to steal payment card data from POS systems is to infect them with malware, via stolen remote support credentials or other techniques. These malware programs are known as memory or RAM scrapers because they scan the system's memory for credit card data when it's processed by the payment application on the POS system.
But on Tuesday at the BSides conference in Las Vegas, security researchers Nir Valtman and Patrick Watson, from U.S.-based POS and ATM manufacturer NCR, demonstrated a stealthier and more effective attack technique that works against most "payment points of interaction," including card readers with PIN pads and even gas pump payment terminals.
Even if you haven’t been hit by ransomware yourself, you probably know someone who has.
Most ransomware gets straight to work as soon as it infects your computer: it scrambles some or all of your files and then callously offers to sell you a tool to unscramble them.
If you have a recent backup (one that wasn’t scrambled along with everything else!), you should be able to recover without paying, hopefully without too much trouble.
But if you don’t, and you want your data back, you have little choice but to pay up.
From time to time, the crooks make mistakes, and decryption experts find a loophole so that you can unscramble for free, but that’s unusual.
As a result, many victims end up paying the money, even though it pains them to do it, no matter how hard they try to find another way to recover their files.
Almost half of all companies have been the victims of a ransomware attack during the past 12 months, according to a new report. And while globally, 40 percent of them have paid the ransom, 97 percent of U.S. companies did not.
Specifically, 75 percent of enterprise victims paid up in Canada, 58 percent in the U.K., and 22 percent in Germany, according to an Osterman Research survey of hundreds of senior executives in the U.S., Canada, Germany and the U.K.
The researchers said that a vulnerability was found within how the company uses SMS text messages to sign up new devices to the service. Anderson and Guarnieri claim that when a user logs into Telegram from a new smartphone, authorization codes are sent via SMS, which in turn can be intercepted by the phone company and shared with cyberattackers.
This is particularly a problem when communications providers are heavily monitored or owned by states which want to keep track of their citizens. This year in Iran, for example, the country's government demanded that foreign messaging service providers must store Iranian citizen data within the country -- where law enforcement has easy access.
Once compromised SMS codes have been acquired, the cyberattacker can add new devices to the Telegram account, read chat histories and intercept new messages.
The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection.
A hacking crew that goes by the name of PeggleCrew has compromised Fosshub and embedded malware inside the files hosted on the website and offered for download.
According to Cult of Peggle, one of the group's four members, the team breached the website and embedded a malware payload inside some of the files hosted on Fosshub, a downloads portal, in the same category as Softpedia.
"In short, a network service with no authentication was exposed to the internet," the hacker told Softpedia in an email. "We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email."
The value of bitcoins plummeted 20 percent after almost 120,000 units of the digital currency were stolen from Bitfinex, a major Bitcoin exchange.
The Hong Kong-based exchange said it had discovered a security breach late Tuesday, and has suspended all transactions.
“We are investigating the breach to determine what happened, but we know that some of our users have had their Bitcoins stolen. We are undertaking a review to determine which users have been affected by the breach. While we conduct this initial investigation and secure our environment, bitfinex.com will be taken down and the maintenance page will be left up,” said the company on its website.
Brazilian cybercriminals are clearly setting their sights on users of mobile banking, with a huge rise in incidents registered in the country over the last two years. In order to carry out these attacks they are using SMiShing (phishing via SMS) and registering new mobile phish domains created especially for this purpose.
In 2015, mobile banking usage in Brazil reached 11.2 billion transactions, an increase of 138% compared to the 4.7 billion transactions registered in 2014. Mobile banking is now the second most popular channel for accessing a bank account in the country – there are more than 33 million active accounts, according to the Brazilian Federation of Banks. Such numbers and the possibility of cheaply sending SMS messages are very attractive to cybercriminals, who are investing their time and effort to create new attacks.
The FBI is already having problems here at home with the hacking tool it deployed during its dark web child porn investigation. A few judges have ruled that the warrant used to deploy the Network Investigative Technique (NIT) was invalid because the FBI's "search" of computers around the United States violated Rule 41(b)'s jurisdictional limits.
Now, we'll get to see how this stacks up against international law. It's already common knowledge that the FBI obtained user information from computers around the world during its two weeks operating as the site administrator for the seized Playpen server. More information is now coming to light, thanks (inadvertently) to a foreign government's inquiries into domestic anti-child porn efforts.
Google today patched more than three-dozen critical vulnerabilities in Qualcomm components embedded in the Android operating system, all of them allowing attackers to gain a foothold on devices to launch further attacks.
The Qualcomm-related patches are among dozens in the monthly Android Security Bulletin, which marks its first anniversary this week after its maiden voyage a year ago during the Black Hat USA 2015 hacker conference. This year’s Black Hat begins tomorrow in Las Vegas.
When cybersecurity researchers showed in recent years that they could hack a Chevy Impala or a Jeep Cherokee to disable the vehicles’ brakes or hijack their steering, the results were a disturbing wakeup call to the consumer automotive industry. But industrial automakers are still due for a reminder that they, too, are selling vulnerable computer networks on wheels—ones with direct control of 33,000 pounds of high velocity metal and glass.
At the Usenix Workshop on Offensive Technologies conference next week, a group of University of Michigan researchers plan to present the findings of a disturbing set of tests on those industrial vehicles. By sending digital signals within the internal network of a big rig truck, the researchers were able to do everything from changing the readout of the truck’s instrument panel to triggering unintended acceleration or even disabling one form of semi-trailer brakes. And the researchers found that developing those attacks was actually easier than with consumer cars, thanks to a common communication standard in the internal networks of most industrial vehicles, from cement mixers to tractor trailers to school buses.
A listing has been published today on TheRealDeal Dark Web marketplace, claiming to be offering data on over 200 million Yahoo users.
While Yahoo says it is currently investigating the breach, the listing has almost instant credibility since it's been put up for sale by the infamous Peace_of_Mind (Peace), the same hacker behind many other verified and proven breaches.
If the name still doesn't ring a bell, you should know that Peace previously sold data dumps from sites such as LinkedIn, MySpace, Tumblr, Fling.com, and VK.com. In total, this hacker sold the personal details of over 800 million users, and probably more.
(Reuters) — Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.
The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.
Cloud backup and storage service provider Backblaze recently posted its hard drive stats for Q2 2016, revealing hard drive failure data generated within the quarter spanning from April through June, 2016. The report is based on data drives, not boot drives, that are deployed across the company’s data centers in quantities of 45 or more.
According to the report, the company saw an annualized failure rate of 19.81 percent with the Seagate ST4000DX000 4TB drive in a quantity of 197 units working 18,428 days. The next in line was the WD WD40EFRX 4TB drive in a quantity of 46 units working 4,186 days. This model had an annualized failure rate of 8.72 percent for that quarter.
Cryptocurrency exchange platform Bitfinex has confirmed it has experienced a security breach, halting all trading, deposit, and withdrawal activities on Tuesday night.
A Reddit user claiming to be the director of Community and Product Development at Bitfinex has said the loss from the hack stands at 119,756 bitcoins -- currently the approximate equivalent of $65 million.
Mozilla will debut Firefox 48 today, and looking back over the history of Firefox, the upcoming release marks one of the most important updates the browser has ever received.
Firefox 48 will be the version where Mozilla starts migrating users to using multi-process threads (e10s, Electrolysis), ships its first Rust component, and where mandatory add-on signing is actively enforced in the main stable branch without a way to deactivate or go around the feature.
Disney has been forced to notify users of its Playdom Forum that hackers have made off with sensitive personal information which could put their privacy and online security at risk.
The “unauthorized party” infiltrated the Disney servers on 9 and 12 July, acquiring usernames, email addresses, and passwords for playdomforums.com accounts as well as IP addresses, the firm said in a statement on Friday.
Black Hat confirmed with Lookout an hour before we published our findings that they have taken measures to disable the social components found within the Black Hat USA 2016 conference app. This addresses the major privacy and social concerns brought to Black Hat by Lookout during the disclosure period. Users of the existing app do not need to do anything as the update is controlled by Black Hat and is pushed out automatically to the app.
For over a year our enSilo researchers have been looking into hooking engines and injection methods used by different vendors. It all started back in 2015 when we noticed an injection issue in AVG, but this was only the tip of the iceberg. A few months after that we noticed similar issues in McAfee and Kaspersky Anti-Virus. At that point we decided to extend our research and look into the security implications of hooking engines and injection techniques. The results were depressing.
Almost exactly a year ago, Chrysler announced a recall for 1.4 million vehicles after a pair of hackers demonstrated to WIRED that they could remotely hijack a Jeep’s digital systems over the Internet. For Chrysler, the fix was embarrassing and costly. But now those two researchers have returned with work that asks Chrysler and the automotive industry to imagine an alternate reality, one where instead of reporting their research to the automaker so it could be fixed, they had kept working on it in secret—the way malicious hackers would have. In doing so, they’ve developed a new hack that offers a sobering lesson: It could have been—and still could be—much worse.
At the Black Hat security conference later this week, automotive cybersecurity researchers Charlie Miller and Chris Valasek will present a new arsenal of attacks against the same 2014 Jeep Cherokee they hacked in 2015. Last year, they remotely hacked into the car and paralyzed it on highway I-64—while I was driving in traffic. They were even able to disable the car’s brakes at low speeds. By sending carefully crafted messages on the vehicle’s internal network known as a CAN bus, they’re now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed. “Imagine last year if instead of cutting the transmission on the highway, we’d turned the wheel 180 degrees,” says Chris Valasek. I can imagine. But he spells it out anyway. “You wouldn’t be on the phone with us. You’d be dead.”
RIVER STATE, Nigeria – The head of an international criminal network behind thousands of online frauds has been arrested in a joint operation by INTERPOL and the Nigerian Economic and Financial Crime Commission (EFCC).
The 40-year-old Nigerian national, known as ‘Mike’, is believed to be behind scams totalling more than USD 60 million involving hundreds of victims worldwide. In one case a target was conned into paying out USD 15.4 million.
Google is adding HTTP Strict Transport Security (or HSTS) to the Google.com domain, an extra layer of protection that prevents visitors from using a less secure HTTP connection.
By using HSTS, visitors following HTTP links to Google.com will be automatically redirected to the more secure HTTPS version of the Google domain. The effort, announced Friday, is meant to protect against protocol downgrade attacks, session hijacking and man-in-the-middle attacks that exploit insecure web connections.
“HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites,” wrote Jay Brown, a senior technical program manager for security at Google, in a blog post on Friday.
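The HSTS item above and the earlier Black Hat item on cookie hijacking (sites that serve personalized pages over plain HTTP) describe two sides of the same defence: a browser that remembers a Strict-Transport-Security policy will rewrite http:// links to https:// before any request leaves, and a session cookie marked Secure is never sent over plain HTTP in the first place. The following Python is an added example, not code from Google or from the researchers named above; it models a browser's HSTS store per RFC 6797 and audits Set-Cookie headers for the missing attributes that make hijacking possible. The response headers are constructed for the example and are not captured from any site named in the text.

```python
"""Audit transport-level session protections from HTTP response headers.

Added example: models the browser side of HSTS (RFC 6797) and checks
Set-Cookie attributes. All sample headers below are constructed.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str | None) -> HstsPolicy | None:
    """Parse a Strict-Transport-Security value; None if absent or malformed.

    A browser ignores the whole header when max-age is missing or not a
    number, so a typo in the directive silently disables the protection.
    """
    if not header:
        return None
    max_age = None
    include_sub = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_sub, preload)


@dataclass
class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""
    entries: dict[str, tuple[float, bool]] = field(default_factory=dict)

    def remember(self, host: str, policy: HstsPolicy, now: float | None = None) -> None:
        now = time.time() if now is None else now
        if policy.max_age == 0:          # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + policy.max_age, policy.include_subdomains)

    def upgrade(self, url: str, now: float | None = None) -> str:
        """Return the https:// form of url if a live HSTS entry covers its host.

        The host matches exactly, or a parent domain matches with
        includeSubDomains. Port 80 becomes the implicit 443; other ports stay.
        """
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname or ""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= now:
                continue                 # expired entry: no upgrade
            if i == 0 or include_sub:
                netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def audit_cookies(set_cookie_headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name to the protections it lacks (Secure, HttpOnly).

    A cookie without Secure is sent on any http:// request for the host, which
    is exactly what the cookie hijacking item above relies on.
    """
    findings: dict[str, list[str]] = {}
    for header in set_cookie_headers:
        pieces = [p.strip() for p in header.split(";")]
        name = pieces[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in pieces[1:]}
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        findings[name] = missing
    return findings


# Constructed sample response: HSTS is set, but one cookie is sent unprotected.
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"
SAMPLE_SET_COOKIE = [
    "SID=abc123; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/",           # hijackable over plain HTTP
]

if __name__ == "__main__":
    cache = HstsCache()
    cache.remember("example.com", parse_hsts(SAMPLE_HSTS))
    print(cache.upgrade("http://www.example.com/account"))
    print(audit_cookies(SAMPLE_SET_COOKIE))
```

The cache lookup walks from the exact host up through its parent labels, which is why `includeSubDomains` matters: without it, a policy learned on `example.com` does nothing for a later plain-HTTP link to `www.example.com`. Run against real headers, the cookie audit is the quick check that tells you whether a site's session would survive the "personalization over HTTP" pattern the researchers above describe.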
The second quarter of 2016 saw cybercriminals paying close attention to financial institutions working with cryptocurrency. Several of these organizations cited DDoS attacks as the reason for ceasing their activities. Intense competition leads to the use of unfair methods, one of which is the use of DDoS attacks. A strong interest on the part of the attackers is due to a particular feature of the businesses involved in processing cryptocurrency – not everyone is happy about the lack of regulation when it comes to cryptocurrency turnover.
Another trend is the use of vulnerable IoT devices in botnets to launch DDoS attacks. In one of our earlier reports, we wrote about the emergence of a botnet consisting of CCTV cameras; the second quarter of 2016 saw a certain amount of interest in these devices among botnet organizers. It is possible that by the end of this year the world will have heard about some even more “exotic” botnets, including vulnerable IoT devices.
Alex Chapman and Paul Stone from Context, a UK cyber security consultancy firm, have discovered a new attack method using the WPAD protocol and PAC files to leak information about the HTTPS sites a user is visiting.
Their discovery is yet another drop in the pit of exploits that use the widely insecure WPAD protocol.
WPAD stands for Web Proxy Auto-Discovery and is a protocol used to broadcast proxy configurations across a network. This "broadcasting" operation is done using proxy configurations called PAC files, or proxy auto-configs, which browsers or other Internet-connecting apps receive before being routed to their destination.